gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加异常处理,修复 upstream_ossl_init() 造成的 core dump

Browse Source
This commit is contained in:
luwenpeng
2019-08-28 14:17:21 +08:00
parent 06fe5652c5
commit fe78b7e41f
1 changed files with 28 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
platform/src/ssl_stream.cpp
View File

@@ -474,7 +474,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
return; return;
} }
static void downstream_ossl_init(struct ssl_stream* s_stream); static void downstream_ossl_init(struct ssl_stream* s_stream);
static void upstream_ossl_init(struct ssl_stream* s_stream); static int upstream_ossl_init(struct ssl_stream* s_stream);
static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr); static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr);
@@ -883,7 +883,7 @@ int ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
* Create new SSL context for outgoing connections to the original destination. * Create new SSL context for outgoing connections to the original destination.
* If hostname sni is provided, use it for Server Name Indication. * If hostname sni is provided, use it for Server Name Indication.
*/ */
static void upstream_ossl_init(struct ssl_stream* s_stream) static int upstream_ossl_init(struct ssl_stream* s_stream)
{ {
SSL_CTX * sslctx = NULL; SSL_CTX * sslctx = NULL;
SSL * ssl = NULL; SSL * ssl = NULL;
@@ -891,6 +891,11 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
struct ssl_mgr * mgr = s_stream->mgr; struct ssl_mgr * mgr = s_stream->mgr;
struct ssl_chello * chello=s_stream->up_parts.client_hello; struct ssl_chello * chello=s_stream->up_parts.client_hello;
sslctx = SSL_CTX_new(mgr->sslmethod()); sslctx = SSL_CTX_new(mgr->sslmethod());
if (sslctx == NULL)
{
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_new() failed.");
return -1;
}
sslctx_set_opts(sslctx, mgr); sslctx_set_opts(sslctx, mgr);
int ret=0; int ret=0;
char common_cipher[TFE_STRING_MAX]={0}, tls13_cipher[TFE_STRING_MAX]={0}; char common_cipher[TFE_STRING_MAX]={0}, tls13_cipher[TFE_STRING_MAX]={0};
@@ -905,7 +910,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
ret=SSL_CTX_set_cipher_list(sslctx, common_cipher); ret=SSL_CTX_set_cipher_list(sslctx, common_cipher);
if(ret==0) if(ret==0)
{ {
TFE_LOG_ERROR(mgr->logger, "SSL_CTX_set_cipher_list %s failed.", common_cipher); TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_cipher_list %s failed.", common_cipher);
SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers); SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers);
} }
} }
@@ -918,11 +923,17 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
//SSL_CTX_set_ciphersuites(sslctx, tls13_cipher); //SSL_CTX_set_ciphersuites(sslctx, tls13_cipher);
} }
if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 || if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0)
SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0)
{ {
SSL_CTX_free(sslctx); SSL_CTX_free(sslctx);
return; TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_min_proto_version() failed, ssl min version:%d.", s_stream->ssl_min_version);
return -1;
}
if (SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0)
{
SSL_CTX_free(sslctx);
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_max_proto_version() failed, ssl max version:%d.", s_stream->ssl_max_version);
return -1;
} }
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
@@ -950,7 +961,8 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ SSL_CTX_free(sslctx); /* SSL_new() increments refcount */
if (!ssl) if (!ssl)
{ {
return; TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_new() failed.");
return -1;
} }
SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_SSLSTREAM, s_stream); SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_SSLSTREAM, s_stream);
@@ -961,13 +973,14 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
if (chello->alpn && s_stream->up_parts.apln_enabled) if (chello->alpn && s_stream->up_parts.apln_enabled)
{ {
ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn)); ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_set_alpn_protos() failed.");
assert(ret==0); assert(ret==0);
} }
/* lower memory footprint for idle connections */ /* lower memory footprint for idle connections */
SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS); SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);
s_stream->ssl=ssl; s_stream->ssl=ssl;
return ; return 0;
} }
void ssl_connect_server_ctx_free(struct ssl_connect_server_ctx * ctx) void ssl_connect_server_ctx_free(struct ssl_connect_server_ctx * ctx)
@@ -1404,7 +1417,13 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
} }
else else
{ {
upstream_ossl_init(s_stream); if (upstream_ossl_init(s_stream))
{
promise_dettach_ctx(p);
promise_failed(p, FUTURE_ERROR_EXCEPTION, "upstream ossl init failed");
wrap_ssl_connect_server_ctx_free(ctx);
return;
}
ctx->bev = bufferevent_openssl_socket_new(evbase, ctx->fd_upstream, ctx->bev = bufferevent_openssl_socket_new(evbase, ctx->fd_upstream,
ctx->s_stream->ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS | BEV_OPT_THREADSAFE ); ctx->s_stream->ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS | BEV_OPT_THREADSAFE );