gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加异常处理,修复 upstream_ossl_init() 造成的 core dump

Browse Source
This commit is contained in:
luwenpeng
2019-08-28 14:17:21 +08:00
parent 06fe5652c5
commit fe78b7e41f
1 changed files with 28 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
platform/src/ssl_stream.cpp
View File

@@ -474,7 +474,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
return;
}
static void downstream_ossl_init(struct ssl_stream* s_stream);
static void upstream_ossl_init(struct ssl_stream* s_stream);
static int upstream_ossl_init(struct ssl_stream* s_stream);
static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr);
@@ -883,7 +883,7 @@ int ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
* Create new SSL context for outgoing connections to the original destination.
* If hostname sni is provided, use it for Server Name Indication.
*/
static void upstream_ossl_init(struct ssl_stream* s_stream)
static int upstream_ossl_init(struct ssl_stream* s_stream)
{
SSL_CTX * sslctx = NULL;
SSL * ssl = NULL;
@@ -891,6 +891,11 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
struct ssl_mgr * mgr = s_stream->mgr;
struct ssl_chello * chello=s_stream->up_parts.client_hello;
sslctx = SSL_CTX_new(mgr->sslmethod());
if (sslctx == NULL)
{
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_new() failed.");
return -1;
}
sslctx_set_opts(sslctx, mgr);
int ret=0;
char common_cipher[TFE_STRING_MAX]={0}, tls13_cipher[TFE_STRING_MAX]={0};
@@ -905,7 +910,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
ret=SSL_CTX_set_cipher_list(sslctx, common_cipher);
if(ret==0)
{
TFE_LOG_ERROR(mgr->logger, "SSL_CTX_set_cipher_list %s failed.", common_cipher);
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_cipher_list %s failed.", common_cipher);
SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers);
}
}
@@ -918,11 +923,17 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
//SSL_CTX_set_ciphersuites(sslctx, tls13_cipher);
}
if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 ||
SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0)
if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0)
{
SSL_CTX_free(sslctx);
return;
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_min_proto_version() failed, ssl min version:%d.", s_stream->ssl_min_version);
return -1;
}
if (SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0)
{
SSL_CTX_free(sslctx);
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_max_proto_version() failed, ssl max version:%d.", s_stream->ssl_max_version);
return -1;
}
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
@@ -950,7 +961,8 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
SSL_CTX_free(sslctx); /* SSL_new() increments refcount */
if (!ssl)
{
return;
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_new() failed.");
return -1;
}
SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_SSLSTREAM, s_stream);
@@ -961,13 +973,14 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
if (chello->alpn && s_stream->up_parts.apln_enabled)
{
ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_set_alpn_protos() failed.");
assert(ret==0);
}
/* lower memory footprint for idle connections */
SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);
s_stream->ssl=ssl;
return ;
return 0;
}
void ssl_connect_server_ctx_free(struct ssl_connect_server_ctx * ctx)
@@ -1404,7 +1417,13 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
}
else
{
upstream_ossl_init(s_stream);
if (upstream_ossl_init(s_stream))
{
promise_dettach_ctx(p);
promise_failed(p, FUTURE_ERROR_EXCEPTION, "upstream ossl init failed");
wrap_ssl_connect_server_ctx_free(ctx);
return;
}
ctx->bev = bufferevent_openssl_socket_new(evbase, ctx->fd_upstream,
ctx->s_stream->ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS | BEV_OPT_THREADSAFE );