gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-3445 修正 TFE 从毕方加载可信证书时,SSL 证书校验不可信的 bug

Browse Source
This commit is contained in:
luwenpeng
2020-09-28 14:33:50 +08:00
parent 8de4143d6c
commit fa3e050bb7
7 changed files with 98 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/include/tfe_proxy.h
View File

@@ -17,3 +17,4 @@ int tfe_proxy_ssl_del_trust_ca(const char* pem_file);
int tfe_proxy_ssl_add_crl(const char* pem_file); int tfe_proxy_ssl_add_crl(const char* pem_file);
int tfe_proxy_ssl_del_crl(const char* pem_file); int tfe_proxy_ssl_del_crl(const char* pem_file);
void tfe_proxy_ssl_reset_trust_ca(); void tfe_proxy_ssl_reset_trust_ca();
void tfe_proxy_ssl_reset_trust_ca_finish(void);

3
platform/include/internal/ssl_stream_core.h
View File

@@ -50,5 +50,4 @@ int ssl_manager_del_trust_ca(struct ssl_mgr* mgr, const char* pem_file);
int ssl_manager_add_crl(struct ssl_mgr* mgr, const char* pem_file); int ssl_manager_add_crl(struct ssl_mgr* mgr, const char* pem_file);
int ssl_manager_del_crl(struct ssl_mgr* mgr, const char* pem_file); int ssl_manager_del_crl(struct ssl_mgr* mgr, const char* pem_file);
void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr); void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr);
void ssl_manager_reset_trust_ca_finish(struct ssl_mgr *mgr);

3
platform/include/internal/ssl_trusted_cert_storage.h
View File

@@ -32,5 +32,4 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename); int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename); int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage); void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage);
void ssl_trusted_cert_storage_reset_finish(struct ssl_trusted_cert_storage *storage);

6
platform/src/proxy.cpp
View File

@@ -934,4 +934,8 @@ void tfe_proxy_ssl_reset_trust_ca(void)
return; return;
} }
void tfe_proxy_ssl_reset_trust_ca_finish(void)
{
ssl_manager_reset_trust_ca_finish(g_default_proxy->ssl_mgr_handler);
return;
}

5
platform/src/ssl_stream.cpp
View File

@@ -2090,6 +2090,11 @@ void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr)
ssl_trusted_cert_storage_reset(mgr->trust_CA_store); ssl_trusted_cert_storage_reset(mgr->trust_CA_store);
return; return;
} }
void ssl_manager_reset_trust_ca_finish(struct ssl_mgr* mgr)
{
ssl_trusted_cert_storage_reset_finish(mgr->trust_CA_store);
return;
}
int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val) int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val)
{ {
struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param); struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param);

107
platform/src/ssl_trusted_cert_storage.cpp
View File

@@ -19,6 +19,13 @@ struct ssl_X509_object
char* filename; char* filename;
enum ssl_X509_obj_type type; enum ssl_X509_obj_type type;
}; };
enum cert_store_status
{
UPDATING,
STABLE,
};
static void free_ssl_x509_obj(void* data) static void free_ssl_x509_obj(void* data)
{ {
struct ssl_X509_object* obj=(struct ssl_X509_object*)data; struct ssl_X509_object* obj=(struct ssl_X509_object*)data;
@@ -28,11 +35,14 @@ static void free_ssl_x509_obj(void* data)
} }
struct ssl_trusted_cert_storage struct ssl_trusted_cert_storage
{ {
enum cert_store_status status;
struct cert_store_param param; struct cert_store_param param;
char* pem_bundle, *pem_dir; char* pem_bundle, *pem_dir;
MESA_htable_handle hash_table; MESA_htable_handle hash_table;
pthread_rwlock_t rwlock; MESA_htable_handle temp_table;
X509_STORE* effective_store; pthread_rwlock_t rwlock;
X509_STORE *effective_store;
X509_STORE *temp_store;
}; };
static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type type, const char* filename) static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type type, const char* filename)
{ {
@@ -194,9 +204,8 @@ struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem
pthread_rwlock_init(&(storage->rwlock), NULL); pthread_rwlock_init(&(storage->rwlock), NULL);
assert(SSL_EX_DATA_IDX_VERIFY_PARAM<0); assert(SSL_EX_DATA_IDX_VERIFY_PARAM<0);
SSL_EX_DATA_IDX_VERIFY_PARAM = X509_STORE_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); SSL_EX_DATA_IDX_VERIFY_PARAM = X509_STORE_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
storage->status = STABLE;
return storage; return storage;
} }
void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage) void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage)
{ {
@@ -210,14 +219,28 @@ int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum
int ret=0; int ret=0;
struct ssl_X509_object* obj=NULL; struct ssl_X509_object* obj=NULL;
void* data=NULL; void* data=NULL;
pthread_rwlock_wrlock(&(storage->rwlock)); MESA_htable_handle hash_table = NULL;
data=MESA_htable_search(storage->hash_table, (const unsigned char*)filename, strlen(filename)); X509_STORE *effective_store = NULL;
pthread_rwlock_wrlock(&(storage->rwlock));
if (storage->status == UPDATING)
{
hash_table = storage->temp_table;
effective_store = storage->temp_store;
}
else
{
hash_table = storage->hash_table;
effective_store = storage->effective_store;
}
data = MESA_htable_search(hash_table, (const unsigned char *)filename, strlen(filename));
if(data!=NULL)//duplicated if(data!=NULL)//duplicated
{ {
ret=-1; ret=-1;
goto error_out; goto error_out;
} }
ret=_X509_add_cert_or_crl_add(storage->effective_store, type, filename); ret=_X509_add_cert_or_crl_add(effective_store, type, filename);
if(ret<0) if(ret<0)
{ {
ret=-1; ret=-1;
@@ -228,9 +251,10 @@ int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum
obj=ALLOC(struct ssl_X509_object, 1); obj=ALLOC(struct ssl_X509_object, 1);
obj->type=SSL_X509_OBJ_CERT; obj->type=SSL_X509_OBJ_CERT;
obj->filename=tfe_strdup(filename); obj->filename=tfe_strdup(filename);
ret=MESA_htable_add(storage->hash_table, (const unsigned char*)obj->filename, strlen(obj->filename), obj); ret=MESA_htable_add(hash_table, (const unsigned char*)obj->filename, strlen(obj->filename), obj);
assert(ret>0); assert(ret>0);
ret=1; ret=1;
TFE_LOG_DEBUG(g_default_logger, "%s %p add %s", storage->status == UPDATING ? "temp store" : "effective store", effective_store, filename);
error_out: error_out:
pthread_rwlock_unlock(&(storage->rwlock)); pthread_rwlock_unlock(&(storage->rwlock));
@@ -249,18 +273,42 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
{ {
int ret=0; int ret=0;
X509_STORE* temp_store=NULL; X509_STORE* temp_store=NULL;
pthread_rwlock_wrlock(&(storage->rwlock)); MESA_htable_handle hash_table = NULL;
ret=MESA_htable_del(storage->hash_table, (const unsigned char*)filename, strlen(filename), NULL); X509_STORE *effective_store = NULL;
pthread_rwlock_wrlock(&(storage->rwlock));
if (storage->status == UPDATING)
{
hash_table = storage->temp_table;
effective_store = storage->temp_store;
}
else
{
hash_table = storage->hash_table;
effective_store = storage->effective_store;
}
ret=MESA_htable_del(hash_table, (const unsigned char*)filename, strlen(filename), NULL);
if(ret<0) if(ret<0)
{ {
ret=-1; ret=-1;
goto error_out; goto error_out;
} }
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param)); temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store); MESA_htable_iterate(hash_table, cert_storage_htable_traverse_cb, temp_store);
X509_STORE_free(storage->effective_store); X509_STORE_free(effective_store);
storage->effective_store=temp_store; TFE_LOG_DEBUG(g_default_logger, "%s %p->%p del %s", storage->status == UPDATING ? "temp store" : "effective store", effective_store, temp_store, filename);
ret=1;
if (storage->status == UPDATING)
{
storage->temp_store = temp_store;
}
else
{
storage->effective_store = temp_store;
}
ret=1;
error_out: error_out:
pthread_rwlock_unlock(&(storage->rwlock)); pthread_rwlock_unlock(&(storage->rwlock));
@@ -268,19 +316,28 @@ error_out:
} }
void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage) void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
{ {
X509_STORE* temp_store=NULL;
MESA_htable_destroy(storage->hash_table, NULL);
storage->hash_table=_create_mesa_htable();
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
pthread_rwlock_wrlock(&(storage->rwlock)); pthread_rwlock_wrlock(&(storage->rwlock));
X509_STORE_free(storage->effective_store); storage->temp_table = _create_mesa_htable();
storage->effective_store=temp_store; storage->temp_store = _X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
pthread_rwlock_unlock(&(storage->rwlock)); storage->status = UPDATING;
return; TFE_LOG_DEBUG(g_default_logger, "reset effective store %p, create temp store %p", storage->effective_store, storage->temp_store);
pthread_rwlock_unlock(&(storage->rwlock));
} }
void ssl_trusted_cert_storage_reset_finish(struct ssl_trusted_cert_storage *storage)
{
pthread_rwlock_wrlock(&(storage->rwlock));
MESA_htable_destroy(storage->hash_table, NULL);
X509_STORE_free(storage->effective_store);
storage->effective_store = storage->temp_store;
storage->hash_table = storage->temp_table;
storage->temp_table = NULL;
storage->temp_store = NULL;
storage->status = STABLE;
TFE_LOG_DEBUG(g_default_logger, "change temp store to effective store %p", storage->effective_store);
pthread_rwlock_unlock(&(storage->rwlock));
}
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{ {
int err=0, ret=0; int err=0, ret=0;

3
plugin/business/pangu-http/src/pangu_http.cpp
View File

@@ -288,7 +288,8 @@ void trusted_CA_update_finish_cb(void* u_para)
g_pangu_rt->ca_store_reseting--; g_pangu_rt->ca_store_reseting--;
if(g_pangu_rt->ca_store_reseting==0) if(g_pangu_rt->ca_store_reseting==0)
{ {
TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Finish."); tfe_proxy_ssl_reset_trust_ca_finish();
TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Finish.");
} }
} }
} }