From 96a13b6a5170049f679b4baf5a46724aef259ff8 Mon Sep 17 00:00:00 2001 From: luwenpeng Date: Wed, 23 Oct 2019 10:29:30 +0800 Subject: [PATCH 1/5] =?UTF-8?q?#177=20=E5=9C=A8=E7=94=A8=E6=88=B7=E8=AE=BF?= =?UTF-8?q?=E9=97=AE=E7=9A=84=E8=BF=87=E7=A8=8B=E4=B8=AD=EF=BC=8C=E8=8E=B7?= =?UTF-8?q?=E5=8F=96=E6=9C=AA=E8=A7=81=E5=88=B0=E8=BF=87=E3=80=81=E5=8F=AF?= =?UTF-8?q?=E4=BF=A1=E7=9A=84=E4=B8=AD=E9=97=B4=E8=AF=81=E4=B9=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- platform/CMakeLists.txt | 2 +- platform/include/internal/ssl_fetch_cert.h | 11 ++++ platform/src/ssl_fetch_cert.cpp | 58 ++++++++++++++++++++++ platform/src/ssl_trusted_cert_storage.cpp | 8 ++- 4 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 platform/include/internal/ssl_fetch_cert.h create mode 100644 platform/src/ssl_fetch_cert.cpp diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt index 2a17698..85a76d7 100644 --- a/platform/CMakeLists.txt +++ b/platform/CMakeLists.txt @@ -1,6 +1,6 @@ find_package(SYSTEMD REQUIRED) -add_executable(tfe src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/ssl_stream.cpp src/key_keeper.cpp +add_executable(tfe src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/ssl_stream.cpp src/key_keeper.cpp src/ssl_fetch_cert.cpp src/ssl_sess_cache.cpp src/ssl_sess_ticket.cpp src/ssl_service_cache.cpp src/ssl_trusted_cert_storage.cpp src/ev_root_ca_metadata.cpp src/ssl_utils.cpp src/tcp_stream.cpp src/main.cpp src/proxy.cpp src/sender_scm.cpp src/watchdog_kni.cpp) diff --git a/platform/include/internal/ssl_fetch_cert.h b/platform/include/internal/ssl_fetch_cert.h new file mode 100644 index 0000000..750582e --- /dev/null +++ b/platform/include/internal/ssl_fetch_cert.h 
@@ -0,0 +1,11 @@
+//
+// Created by lwp on 2019/10/16.
+//
+
+#ifndef TFE_SSL_FETCH_CERT_H
+#define TFE_SSL_FETCH_CERT_H
+
+void ssl_fetch_cert_url_by_aia(X509 *cert);
+void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store);
+
+#endif //TFE_SSL_FETCH_CERT_H
\ No newline at end of file
diff --git a/platform/src/ssl_fetch_cert.cpp b/platform/src/ssl_fetch_cert.cpp
new file mode 100644
index 0000000..32811e5
--- /dev/null
+++ b/platform/src/ssl_fetch_cert.cpp
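Review bot: The new header uses `X509`, `STACK_OF(X509)` and `X509_STORE` without including `<openssl/x509.h>`, so it only compiles if every includer happens to pull OpenSSL in first; add `#include <openssl/x509.h>` inside the guard. It also declares `ssl_fetch_cert_url_by_aia(X509 *cert)`, which the accompanying ssl_fetch_cert.cpp never defines, so any caller would fail at link time; drop the declaration or comment it as a planned entry point. A one-line comment on `ssl_fetch_trusted_cert_from_chain` saying that it only reports chain intermediates and never changes the verification result would help callers, since the name suggests it fetches something.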
@@ -0,0 +1,58 @@ +// +// Created by lwp on 2019/10/16. +// + +#include "ssl_utils.h" +#include + +typedef struct x509_object_st { + int type; + union { + char *ptr; + X509 *x509; + X509_CRL *crl; + EVP_PKEY *pkey; + } data; +} X509_OBJECT; + + +// test use http://www.360.cn/ +void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain, X509_STORE *trusted_store) { + // 证书链中的证书下标为 [0, count - 1],下标为 count - 1 的证书不一定在可信证书列表中 + int count = sk_X509_num(cert_chain); + printf("------------------ max depth is : %d\n", count); + + // don`t need call X509_LOOKUP_free(lookup) + X509_LOOKUP *lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir()); + if (lookup == NULL) { + return; + } + + for (int i = 1; i < count; i++) { + // don1t need call X509_FREE(cert) + X509 *cert = sk_X509_value(cert_chain, i); + assert(cert); + + X509_OBJECT stmp; + stmp.type = X509_LU_NONE; + stmp.data.ptr = NULL; + int result = X509_LOOKUP_by_subject(lookup, X509_LU_X509, X509_get_issuer_name(cert), &stmp); + char *subj = ssl_x509_subject(cert); + char *issuer = ssl_x509_issuer(cert); + if (result) { + printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:1\n", i, subj, issuer); + // not use continue, case the intermediate certificate is exist and the root certificate is not exist. + /* continue; */ + } else { + printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:0\n", i, subj, issuer); + char *string = ssl_x509_to_str(cert); + if (string) { + // TODO log kafka + printf("%s\n", string); + free(string); + } + } + free(subj); + free(issuer); + } +} \ No newline at end of file diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp index aed16d8..ac727a1 100644 --- a/platform/src/ssl_trusted_cert_storage.cpp +++ b/platform/src/ssl_trusted_cert_storage.cpp @@ -1,5 +1,6 @@ #include "ssl_trusted_cert_storage.h" +#include "ssl_fetch_cert.h" #include "MESA_htable_aux.h" #include 
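Review bot: `ssl_fetch_trusted_cert_from_chain` decides `in_trusted_store` with `X509_LOOKUP_by_subject` on a `X509_LOOKUP_hash_dir` lookup that it adds to `trusted_store` itself; a hash_dir lookup only searches directories registered with `X509_LOOKUP_add_dir`, so if `effective_store` was populated with `X509_STORE_add_cert` or a file lookup (not visible here) every intermediate is reported as untrusted and exported. Checking the store's object cache directly — `X509_OBJECT_retrieve_by_subject(X509_STORE_get0_objects(trusted_store), X509_LU_X509, X509_get_issuer_name(cert))` on OpenSSL 1.1, or `X509_STORE_get_by_subject` with a real `X509_STORE_CTX` — does not depend on how the store was filled. The file-local copy of `struct x509_object_st` is fragile for the same reason: the real type is opaque in OpenSSL 1.1.0 and later, and any layout drift turns the stack variable `stmp` into an out-of-bounds write by the library, so prefer `X509_OBJECT_new()`/`X509_OBJECT_free()` (or `X509_OBJECT_free_contents()` on 1.0.2). The `printf` calls also dump subject, issuer and the full certificate text to stdout for every verified connection; route that through the project logger at debug level.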
@@ -401,8 +402,13 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag ret=1; } + // case cert verify success + if (ret == 1) { + ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store); + } + X509_STORE_CTX_free(ctx); - pthread_rwlock_unlock(&(storage->rwlock)); + pthread_rwlock_unlock(&(storage->rwlock)); return ret; } From a1d393d719550eb8eb92229f5ceca3d529a309f1 Mon Sep 17 00:00:00 2001 From: luwenpeng Date: Mon, 28 Oct 2019 17:10:38 +0800 Subject: [PATCH 2/5] =?UTF-8?q?=20#177=20=E5=9C=A8=E7=94=A8=E6=88=B7?= =?UTF-8?q?=E8=AE=BF=E9=97=AE=E7=9A=84=E8=BF=87=E7=A8=8B=E4=B8=AD=EF=BC=8C?= =?UTF-8?q?=E7=BC=93=E5=AD=98=E6=9C=AA=E8=A7=81=E5=88=B0=E8=BF=87=E3=80=81?= =?UTF-8?q?=E5=8F=AF=E4=BF=A1=E7=9A=84=E4=B8=AD=E9=97=B4=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E5=88=B0=20kafka=EF=BC=88TODO=20kafka=20=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E5=BD=95=E5=85=A5=E6=A0=BC=E5=BC=8F=E5=BE=85=E6=B2=9F=E9=80=9A?= =?UTF-8?q?=EF=BC=8C=E5=BE=85=E8=81=94=E8=B0=83=E6=B5=8B=E8=AF=95=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- platform/include/internal/ssl_fetch_cert.h | 4 +- platform/src/ssl_fetch_cert.cpp | 119 +++++++++++++++++++-- platform/src/ssl_stream.cpp | 7 ++ 3 files changed, 123 insertions(+), 7 deletions(-) diff --git a/platform/include/internal/ssl_fetch_cert.h b/platform/include/internal/ssl_fetch_cert.h index 750582e..203c7a6 100644 --- a/platform/include/internal/ssl_fetch_cert.h +++ b/platform/include/internal/ssl_fetch_cert.h @@ -5,7 +5,9 @@ #ifndef TFE_SSL_FETCH_CERT_H #define TFE_SSL_FETCH_CERT_H -void ssl_fetch_cert_url_by_aia(X509 *cert); +// return 0 for success, return -1 for failed +int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section); +void ssl_mid_cert_kafka_logger_destory(void); void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store); #endif //TFE_SSL_FETCH_CERT_H \ No newline at end of file 
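Review bot: `ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store)` now runs for every connection whose chain verified, inside the region protected by `storage->rwlock`, and it mutates `effective_store` (it adds a hash_dir lookup, and hash_dir lookups load matching files from disk into the store on a miss); if the lock is taken with `pthread_rwlock_rdlock` — the acquisition is outside this hunk — that is a write to shared state under a shared lock, relying entirely on OpenSSL's internal store locking. Consider making the call after `pthread_rwlock_unlock`, and rate-limiting or sampling it so a busy proxy is not doing a directory lookup per handshake. A comment above the new `if (ret == 1)` such as `// telemetry only: reports chain intermediates missing from the trust store; does not affect ret` would make clear that the verification outcome is unchanged. `ssl_trusted_cert_storage_verify_conn` begins before this hunk.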
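Review bot: The new exported name `ssl_mid_cert_kafka_logger_destory` misspells "destroy"; this header is the API other translation units bind to, so rename it now (`void ssl_mid_cert_kafka_logger_destroy(void);`) before callers spread. The comment `// return 0 for success, return -1 for failed` should also state that `_create` sets up a process-wide singleton rather than returning a handle — the implementation in ssl_fetch_cert.cpp assigns `g_kafka_logger` unconditionally, so a second call replaces the first without releasing it.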
diff --git a/platform/src/ssl_fetch_cert.cpp b/platform/src/ssl_fetch_cert.cpp index 32811e5..d6728e7 100644 --- a/platform/src/ssl_fetch_cert.cpp +++ b/platform/src/ssl_fetch_cert.cpp @@ -3,7 +3,11 @@ // #include "ssl_utils.h" +#include "tfe_utils.h" + #include +#include +#include typedef struct x509_object_st { int type; 
@@ -15,12 +19,113 @@ typedef struct x509_object_st { } data; } X509_OBJECT; +typedef struct ssl_kafka_logger_s { + int enable; + char brokerlist[TFE_STRING_MAX]; + char topicname[TFE_STRING_MAX]; + + rd_kafka_t *handle; + rd_kafka_topic_t *topic; +} ssl_kafka_logger_t; + +static ssl_kafka_logger_t *g_kafka_logger = NULL; + +static rd_kafka_t *create_kafka_handle(const char *brokerlist) { + char kafka_errstr[1024]; + rd_kafka_t *handle = NULL; + rd_kafka_conf_t *rdkafka_conf = NULL; + + rdkafka_conf = rd_kafka_conf_new(); + rd_kafka_conf_set(rdkafka_conf, "queue.buffering.max.messages", "1000000", kafka_errstr, sizeof(kafka_errstr)); + rd_kafka_conf_set(rdkafka_conf, "topic.metadata.refresh.interval.ms", "600000", kafka_errstr, sizeof(kafka_errstr)); + rd_kafka_conf_set(rdkafka_conf, "security.protocol", "MG", kafka_errstr, sizeof(kafka_errstr)); + + //The conf object is freed by this function and must not be used or destroyed by the application sub-sequently. + handle = rd_kafka_new(RD_KAFKA_PRODUCER, rdkafka_conf, kafka_errstr, sizeof(kafka_errstr)); + rdkafka_conf = NULL; + if (handle == NULL) { + return NULL; + } + if (rd_kafka_brokers_add(handle, brokerlist) == 0) { + rd_kafka_destroy(handle); + return NULL; + } + return handle; +} + +void ssl_mid_cert_kafka_logger_destory(void) { + if (g_kafka_logger) { + if (g_kafka_logger->handle) { + free(g_kafka_logger->handle); + } + free(g_kafka_logger); + } +} + +int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section) { + const char *errstr = "ssl mid cert cache kafka logger create failed"; + + g_kafka_logger = ALLOC(ssl_kafka_logger_t, 1); + assert(g_kafka_logger); + + MESA_load_profile_int_def(profile, section, "mid_cert_cache_kafka_enable", &(g_kafka_logger->enable), 0); + if (!g_kafka_logger->enable) { + return 0; + } + + if (MESA_load_profile_string_def(profile, section, "mid_cert_cache_kafka_brokerlist", g_kafka_logger->brokerlist, + sizeof(g_kafka_logger->brokerlist), NULL) < 0) { + 
TFE_LOG_ERROR(g_default_logger, "%s, No brokerlist in profile %s section %s.", errstr, profile, section); + goto error; + } + g_kafka_logger->handle = create_kafka_handle(g_kafka_logger->brokerlist); + if (g_kafka_logger->handle == NULL) { + TFE_LOG_ERROR(g_default_logger, "%s, Cannot create kafka handle with brokerlist: %s.", errstr, + g_kafka_logger->brokerlist); + goto error; + } + + + MESA_load_profile_string_def(profile, section, "mid_cert_cache_kafka_topic", g_kafka_logger->topicname, + sizeof(g_kafka_logger->topicname), "MID-CERT-CACHE-LOG"); + g_kafka_logger->topic = rd_kafka_topic_new(g_kafka_logger->handle, g_kafka_logger->topicname, NULL); + if (g_kafka_logger->topic == NULL) { + TFE_LOG_ERROR(g_default_logger, "%s, Cannot create kafka handle with brokerlist: %s.", errstr, + g_kafka_logger->brokerlist); + goto error; + } + + return 0; + + error: + ssl_mid_cert_kafka_logger_destory(); + return -1; +} + +void ssl_mid_cert_kafka_logger_send(char *msg) { + if (g_kafka_logger == NULL || g_kafka_logger->enable == 0) { + return; + } + rd_kafka_produce(g_kafka_logger->topic, RD_KAFKA_PARTITION_UA, RD_KAFKA_MSG_F_COPY, msg, strlen(msg), NULL, 0, + NULL); +} + +int ssl_mid_cert_kafka_logger_enable() { + if (g_kafka_logger && g_kafka_logger->enable) { + return 1; + } else { + return 0; + } +} // test use http://www.360.cn/ void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain, X509_STORE *trusted_store) { - // 证书链中的证书下标为 [0, count - 1],下标为 count - 1 的证书不一定在可信证书列表中 + if (!ssl_mid_cert_kafka_logger_enable()) { + return; + } + + // range for [0, count - 1] int count = sk_X509_num(cert_chain); - printf("------------------ max depth is : %d\n", count); // don`t need call X509_LOOKUP_free(lookup) X509_LOOKUP *lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir()); 
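Review bot: `create_kafka_handle` discards the return value of all three `rd_kafka_conf_set` calls, and `"MG"` is not one of librdkafka's documented `security.protocol` values (plaintext, ssl, sasl_plaintext, sasl_ssl); unless this build ships a patched librdkafka, that call returns `RD_KAFKA_CONF_INVALID`, the setting stays at its default `plaintext`, and the intermediate certificates collected here leave the host unencrypted and unauthenticated with no log line saying so. Check each call, e.g. `if (rd_kafka_conf_set(conf, "security.protocol", "MG", errstr, sizeof(errstr)) != RD_KAFKA_CONF_OK) { TFE_LOG_ERROR(g_default_logger, "kafka conf: %s", errstr); rd_kafka_conf_destroy(conf); return NULL; }`. Separately, `ssl_mid_cert_kafka_logger_send` calls `rd_kafka_produce` and ignores its result, and nothing in this file services the producer with `rd_kafka_poll`, so error callbacks never fire and, if the brokers are unreachable, the local queue fills until every produce fails with `RD_KAFKA_RESP_ERR__QUEUE_FULL` silently; log a non-zero return and call `rd_kafka_poll(g_kafka_logger->handle, 0)` after each produce or from a timer. The function `ssl_fetch_trusted_cert_from_chain` at the end of this hunk continues past its last line.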
@@ -40,15 +145,17 @@ void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain, X509_STORE *t char *subj = ssl_x509_subject(cert); char *issuer = ssl_x509_issuer(cert); if (result) { - printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:1\n", i, subj, issuer); + TFE_LOG_ERROR(g_default_logger, "[dep:%d/%d] subject:%s; issure:%s; in_trusted_store:1\n", i, count, subj, + issuer); // not use continue, case the intermediate certificate is exist and the root certificate is not exist. /* continue; */ } else { - printf("[dep:%d] subject:%s; issure:%s; in_trusted_store:0\n", i, subj, issuer); + TFE_LOG_ERROR(g_default_logger, "[dep:%d/%d] subject:%s; issure:%s; in_trusted_store:0\n", i, count, subj, + issuer); char *string = ssl_x509_to_str(cert); if (string) { - // TODO log kafka - printf("%s\n", string); + // printf("%s\n", string); + ssl_mid_cert_kafka_logger_send(string); free(string); } } diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index 70429ac..ce37fcb 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -31,6 +31,7 @@ #include #include +#include #include #include #include @@ -622,6 +623,12 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section char version_str[TFE_SYMBOL_MAX] = {}; mgr->logger = logger; mgr->ev_base_gc=ev_base_gc; + + if (ssl_mid_cert_kafka_logger_create(ini_profile, section)) + { + goto error_out; + } + MESA_load_profile_string_def(ini_profile, section, "ssl_min_version", version_str, sizeof(version_str), "ssl3"); mgr->ssl_min_version = sslver_str2num(version_str); From f6caf7f3907b306b7d87f19273f3a05289272e93 Mon Sep 17 00:00:00 2001 
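Review bot: `ssl_mid_cert_kafka_logger_create` is wired so that any failure aborts `ssl_manager_init` via `goto error_out`, which turns an optional telemetry feature into a hard dependency of the TLS front end: a typo in `mid_cert_cache_kafka_brokerlist` or an unparsable broker string now prevents the proxy from starting. Since the feature is already gated by a config flag, consider logging and continuing with it disabled, e.g. `if (ssl_mid_cert_kafka_logger_create(ini_profile, section)) TFE_LOG_ERROR(logger, "mid cert kafka logger disabled: init failed");`. Note also that `_create` allocates the global `g_kafka_logger` unconditionally (see the ssl_fetch_cert.cpp hunk in this patch), so if `ssl_manager_init` can run more than once per process the earlier logger and its producer handle leak; and no matching `ssl_mid_cert_kafka_logger_destory` call appears in this hunk — it may live in the manager's teardown, which is not shown. The body of `ssl_manager_init` continues outside this hunk.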
From: luwenpeng Date: Fri, 6 Dec 2019 15:51:03 +0800 Subject: [PATCH 3/5] =?UTF-8?q?TSG-148=20=E4=BF=AE=E6=94=B9=E5=BD=95?= =?UTF-8?q?=E5=85=A5=20kafka=20=E6=95=B0=E6=8D=AE=E6=A0=BC=E5=BC=8F?= =?UTF-8?q?=EF=BC=8C=E4=BF=AE=E6=AD=A3=E4=BB=A3=E7=A0=81=E6=A0=BC=E5=BC=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- platform/include/internal/ssl_fetch_cert.h | 2 +- platform/src/ssl_fetch_cert.cpp | 202 +++++++++++++-------- platform/src/ssl_trusted_cert_storage.cpp | 2 +- 3 files changed, 131 insertions(+), 75 deletions(-) diff --git a/platform/include/internal/ssl_fetch_cert.h b/platform/include/internal/ssl_fetch_cert.h index 203c7a6..f057f4a 100644 --- a/platform/include/internal/ssl_fetch_cert.h +++ b/platform/include/internal/ssl_fetch_cert.h @@ -8,6 +8,6 @@ // return 0 for success, return -1 for failed int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section); void ssl_mid_cert_kafka_logger_destory(void); -void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store); +void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain, X509_STORE *trusted_store, const char *hostname); #endif //TFE_SSL_FETCH_CERT_H \ No newline at end of file diff --git a/platform/src/ssl_fetch_cert.cpp b/platform/src/ssl_fetch_cert.cpp index d6728e7..546f90d 100644 --- a/platform/src/ssl_fetch_cert.cpp +++ b/platform/src/ssl_fetch_cert.cpp 
@@ -6,50 +6,82 @@ #include "tfe_utils.h" #include +#include #include #include typedef struct x509_object_st { int type; union { - char *ptr; - X509 *x509; + char *ptr; + X509 *x509; X509_CRL *crl; EVP_PKEY *pkey; } data; } X509_OBJECT; typedef struct ssl_kafka_logger_s { - int enable; - char brokerlist[TFE_STRING_MAX]; - char topicname[TFE_STRING_MAX]; + int enable; - rd_kafka_t *handle; + char tfe_ip[TFE_SYMBOL_MAX]; + char topic_name[TFE_STRING_MAX]; + char broker_list[TFE_STRING_MAX]; + + rd_kafka_t *handle; rd_kafka_topic_t *topic; } ssl_kafka_logger_t; static ssl_kafka_logger_t *g_kafka_logger = NULL; -static rd_kafka_t *create_kafka_handle(const char *brokerlist) { - char kafka_errstr[1024]; - rd_kafka_t *handle = NULL; - rd_kafka_conf_t *rdkafka_conf = NULL; +static unsigned int get_ip_by_eth(const char *eth) { + int sockfd = -1; + unsigned int ip; + struct ifreq ifr; - rdkafka_conf = rd_kafka_conf_new(); - rd_kafka_conf_set(rdkafka_conf, "queue.buffering.max.messages", "1000000", kafka_errstr, sizeof(kafka_errstr)); - rd_kafka_conf_set(rdkafka_conf, "topic.metadata.refresh.interval.ms", "600000", kafka_errstr, sizeof(kafka_errstr)); - rd_kafka_conf_set(rdkafka_conf, "security.protocol", "MG", kafka_errstr, sizeof(kafka_errstr)); + sockfd = socket(AF_INET, SOCK_DGRAM, 0); + if (-1 == sockfd) { + goto error; + } - //The conf object is freed by this function and must not be used or destroyed by the application sub-sequently. 
- handle = rd_kafka_new(RD_KAFKA_PRODUCER, rdkafka_conf, kafka_errstr, sizeof(kafka_errstr)); - rdkafka_conf = NULL; + memset(&ifr, 0, sizoef(ifr)); + strcpy(ifr.ifr_name, eth); + if (ioctl(sockfd, SIOCGIFADDR, &ifr) < 0) { + goto error; + } + + ip = ((struct sockaddr_in *)&(ifr.ifr_addr))->sin_addr.s_addr; + + close(sockfd); + return ip; + +error: + if (sockfd > 0) + close(sockfd); + return INADDR_NONE; +} + +static rd_kafka_t *create_kafka_handle(const char *broker_list) { + char errstr[1024]; + rd_kafka_t *handle = NULL; + rd_kafka_conf_t *conf = NULL; + + conf = rd_kafka_conf_new(); + rd_kafka_conf_set(conf, "queue.buffering.max.messages", "1000000", errstr, sizeof(errstr)); + rd_kafka_conf_set(conf, "topic.metadata.refresh.interval.ms", "600000", errstr, sizeof(errstr)); + rd_kafka_conf_set(conf, "security.protocol", "MG", errstr, sizeof(errstr)); + + // The conf object is freed by this function and must not be used or destroyed by the application sub-sequently. + handle = rd_kafka_new(RD_KAFKA_PRODUCER, conf, errstr, sizeof(errstr)); + conf = NULL; if (handle == NULL) { return NULL; } - if (rd_kafka_brokers_add(handle, brokerlist) == 0) { + + if (rd_kafka_brokers_add(handle, broker_list) == 0) { rd_kafka_destroy(handle); return NULL; } + return handle; } 
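Review bot: `get_ip_by_eth` copies the interface name with `strcpy(ifr.ifr_name, eth)`; `ifr_name` is `IFNAMSIZ` (16) bytes, while the caller `ssl_mid_cert_kafka_logger_create` (later in this patch) reads `mc_cache_eth` into a `char eth[64]`, so a configuration value of 16 or more characters overruns `ifr` on the stack before the ioctl is even issued. Reject over-long names and use a bounded copy: `if (strlen(eth) >= IFNAMSIZ) goto error;` followed by `snprintf(ifr.ifr_name, IFNAMSIZ, "%s", eth);`. Two smaller points: the `error:` path tests `sockfd > 0`, so a socket that lands on fd 0 is leaked (`>= 0` is the right test), and returning `INADDR_NONE` through `unsigned int` works but `in_addr_t` would state the intent.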
@@ -58,108 +90,132 @@ void ssl_mid_cert_kafka_logger_destory(void) { if (g_kafka_logger->handle) { free(g_kafka_logger->handle); } + if (g_kafka_logger->topic) { + free(g_kafka_logger->topic) + } free(g_kafka_logger); } } -int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section) { - const char *errstr = "ssl mid cert cache kafka logger create failed"; +int ssl_mid_cert_kafka_logger_create(const char *profile, const char *section) +{ + unsigned int ip; + char eth[64] = {0}; + const char *errstr = "SSL mid cert cache occer error, "; g_kafka_logger = ALLOC(ssl_kafka_logger_t, 1); assert(g_kafka_logger); - MESA_load_profile_int_def(profile, section, "mid_cert_cache_kafka_enable", &(g_kafka_logger->enable), 0); + MESA_load_profile_int_def(profile, section, "mc_cache_enable", &(g_kafka_logger->enable), 0); if (!g_kafka_logger->enable) { return 0; } - if (MESA_load_profile_string_def(profile, section, "mid_cert_cache_kafka_brokerlist", g_kafka_logger->brokerlist, - sizeof(g_kafka_logger->brokerlist), NULL) < 0) { - TFE_LOG_ERROR(g_default_logger, "%s, No brokerlist in profile %s section %s.", errstr, profile, section); + MESA_load_profile_string_def(profile, section, "mc_cache_eth", eth, sizeof(eth), "eth0"); + ip = get_ip_by_eth(eth); + if (ip == INADDR_NONE) { + TFE_LOG_ERROR(g_default_logger, "%s, Fail to get ip by %s.", errstr, eth); goto error; } - g_kafka_logger->handle = create_kafka_handle(g_kafka_logger->brokerlist); + inet_ntop(AF_INET, &ip, g_kafka_logger->tfe_ip, sizeof(g_kafka_logger->tfe_ip)); + + if (MESA_load_profile_string_def(profile, section, "mc_cache_broker_list", g_kafka_logger->broker_list, sizeof(g_kafka_logger->broker_list), NULL) < 0) { + TFE_LOG_ERROR(g_default_logger, "%s, Fail to get mc_cache_broker_list in profile %s section %s.", errstr, profile, section); + goto error; + } + + g_kafka_logger->handle = create_kafka_handle(g_kafka_logger->broker_list); if (g_kafka_logger->handle == NULL) { - 
TFE_LOG_ERROR(g_default_logger, "%s, Cannot create kafka handle with brokerlist: %s.", errstr, - g_kafka_logger->brokerlist); + TFE_LOG_ERROR(g_default_logger, "%s, Fail to create kafka handle with broker list: %s.", errstr, g_kafka_logger->broker_list); goto error; } - - MESA_load_profile_string_def(profile, section, "mid_cert_cache_kafka_topic", g_kafka_logger->topicname, - sizeof(g_kafka_logger->topicname), "MID-CERT-CACHE-LOG"); - g_kafka_logger->topic = rd_kafka_topic_new(g_kafka_logger->handle, g_kafka_logger->topicname, NULL); + MESA_load_profile_string_def(profile, section, "mc_cache_topic", g_kafka_logger->topic_name, sizeof(g_kafka_logger->topic_name), "MID-CERT-CACHE-LOG"); + g_kafka_logger->topic = rd_kafka_topic_new(g_kafka_logger->handle, g_kafka_logger->topic_name, NULL); if (g_kafka_logger->topic == NULL) { - TFE_LOG_ERROR(g_default_logger, "%s, Cannot create kafka handle with brokerlist: %s.", errstr, - g_kafka_logger->brokerlist); + TFE_LOG_ERROR(g_default_logger, "%s, Fail to create kafka topic with broker list: %s.", errstr, g_kafka_logger->broker_list); goto error; } return 0; - error: +error: ssl_mid_cert_kafka_logger_destory(); return -1; } -void ssl_mid_cert_kafka_logger_send(char *msg) { - if (g_kafka_logger == NULL || g_kafka_logger->enable == 0) { +void ssl_mid_cert_kafka_logger_send(const char *sni, const char *fingerprint, const char *cert) +{ + if (g_kafka_logger == NULL || g_kafka_logger->enable == 0) + { return; } - rd_kafka_produce(g_kafka_logger->topic, RD_KAFKA_PARTITION_UA, RD_KAFKA_MSG_F_COPY, msg, strlen(msg), NULL, 0, - NULL); -} + cJSON *obj = NULL; + cJSON *dup = NULL; + char *msg = NULL; -int ssl_mid_cert_kafka_logger_enable() { - if (g_kafka_logger && g_kafka_logger->enable) { - return 1; - } else { - return 0; - } + obj = cJSON_CreateObject(); + cJSON_AddNumberToObject(obj, "sni", sni); + cJSON_AddNumberToObject(obj, "fingerprint", fingerprint); + cJSON_AddStringToObject(obj, "cert", cert); + cJSON_AddStringToObject(obj, 
"tfe_ip", g_kafka_logger->tfe_ip); + dup = cJSON_Duplicate(obj, 1); + msg = cJSON_PrintUnformatted(dup); + TFE_LOG_DEBUG(g_default_logger, "log to [%s] msg:%s", g_kafka_logger->topic_name, msg); + rd_kafka_produce(g_kafka_logger->topic, RD_KAFKA_PARTITION_UA, RD_KAFKA_MSG_F_COPY, msg, strlen(msg), NULL, 0, NULL); + + free(msg); + JSON_Delete(dup); + cJSON_Delete(obj); } // test use http://www.360.cn/ -void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) *cert_chain, X509_STORE *trusted_store) { - if (!ssl_mid_cert_kafka_logger_enable()) { +void ssl_fetch_trusted_cert_from_chain(STACK_OF(X509) * cert_chain, X509_STORE *trusted_store, const char *hostname) { + int ret; + int deep; + char *subj = NULL; + char *issuer = NULL; + char *fingerprint = NULL; + X509 *cert = NULL; + X509_LOOKUP *lookup = NULL; + X509_OBJECT stmp; + + if (!g_kafka_logger || !g_kafka_logger->enable) { return; } - // range for [0, count - 1] - int count = sk_X509_num(cert_chain); - // don`t need call X509_LOOKUP_free(lookup) - X509_LOOKUP *lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir()); + lookup = X509_STORE_add_lookup(trusted_store, X509_LOOKUP_hash_dir()); if (lookup == NULL) { return; } - for (int i = 1; i < count; i++) { - // don1t need call X509_FREE(cert) - X509 *cert = sk_X509_value(cert_chain, i); + deep = sk_X509_num(cert_chain); + for (int i = 1; i < deep; i++) { + // need't call X509_FREE(cert) + cert = sk_X509_value(cert_chain, i); assert(cert); - X509_OBJECT stmp; stmp.type = X509_LU_NONE; stmp.data.ptr = NULL; - int result = X509_LOOKUP_by_subject(lookup, X509_LU_X509, X509_get_issuer_name(cert), &stmp); - char *subj = ssl_x509_subject(cert); - char *issuer = ssl_x509_issuer(cert); - if (result) { - TFE_LOG_ERROR(g_default_logger, "[dep:%d/%d] subject:%s; issure:%s; in_trusted_store:1\n", i, count, subj, - issuer); - // not use continue, case the intermediate certificate is exist and the root certificate is not exist. 
- /* continue; */ - } else { - TFE_LOG_ERROR(g_default_logger, "[dep:%d/%d] subject:%s; issure:%s; in_trusted_store:0\n", i, count, subj, - issuer); - char *string = ssl_x509_to_str(cert); - if (string) { - // printf("%s\n", string); - ssl_mid_cert_kafka_logger_send(string); - free(string); + ret = X509_LOOKUP_by_subject(lookup, X509_LU_X509, X509_get_issuer_name(cert), &stmp); + subj = ssl_x509_subject(cert); + issuer = ssl_x509_issuer(cert); + fingerprint = ssl_x509_fingerprint(cert, 0); + TFE_LOG_DEBUG(g_default_logger, "[dep:%d/%d] subject:%s; issuer:%s; fingerprint:%s; in_trusted_store:%d", i, deep, + subj ? subj : "NULL", issuer ? issuer : "NULL", fingerprint ? fingerprint : "NULL", ret); + if (!ret) { + char *pem = ssl_x509_to_pem(cert); + if (pem) { + ssl_mid_cert_kafka_logger_send(hostname, fingerprint, pem); + free(pem); } } - free(subj); - free(issuer); + if (subj) + free(subj); + if (issuer) + free(issuer); + if (fingerprint) + free(fingerprint); } } \ No newline at end of file diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp index ac727a1..ac53ce5 100644 --- a/platform/src/ssl_trusted_cert_storage.cpp +++ b/platform/src/ssl_trusted_cert_storage.cpp @@ -404,7 +404,7 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag // case cert verify success if (ret == 1) { - ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store); + ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname); } X509_STORE_CTX_free(ctx); From e430ac47e4556761fc7ddcc1565c374c07753db9 Mon Sep 17 00:00:00 2001 From: luwenpeng Date: Fri, 6 Dec 2019 17:23:21 +0800 Subject: [PATCH 4/5] =?UTF-8?q?TSG-148=20=E4=BF=AE=E5=A4=8D=E7=AC=94?= =?UTF-8?q?=E8=AF=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- platform/src/ssl_fetch_cert.cpp | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
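Review bot: `ssl_mid_cert_kafka_logger_destory` releases librdkafka objects with `free()` — `free(g_kafka_logger->handle)` and the newly added `free(g_kafka_logger->topic)` — although they came from `rd_kafka_new`/`rd_kafka_topic_new` and own threads and further allocations, so this corrupts the heap instead of shutting the producer down. It also leaves `g_kafka_logger` pointing at freed memory, and because `ssl_mid_cert_kafka_logger_create` calls it on its `error:` path, the later `if (!g_kafka_logger || !g_kafka_logger->enable)` checks in `ssl_fetch_trusted_cert_from_chain` and `ssl_mid_cert_kafka_logger_send` read a freed struct. Use the library's destructors and null the global, as below; if this librdkafka has `rd_kafka_flush`, call it before `rd_kafka_destroy` so queued messages are not dropped. `ssl_fetch_trusted_cert_from_chain` in this hunk also passes `fingerprint` to `ssl_mid_cert_kafka_logger_send` unguarded even though it tolerates NULL for its own debug line.
```cpp
void ssl_mid_cert_kafka_logger_destory(void) {
    if (g_kafka_logger == NULL) {
        return;
    }
    if (g_kafka_logger->topic) {
        rd_kafka_topic_destroy(g_kafka_logger->topic);
    }
    if (g_kafka_logger->handle) {
        rd_kafka_destroy(g_kafka_logger->handle);
    }
    free(g_kafka_logger);
    g_kafka_logger = NULL; // callers test this pointer before every send
}
// … unchanged: ssl_mid_cert_kafka_logger_create, ssl_mid_cert_kafka_logger_send, ssl_fetch_trusted_cert_from_chain …
```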
diff --git a/platform/src/ssl_fetch_cert.cpp b/platform/src/ssl_fetch_cert.cpp index 546f90d..4703503 100644 --- a/platform/src/ssl_fetch_cert.cpp +++ b/platform/src/ssl_fetch_cert.cpp @@ -6,6 +6,11 @@ #include "tfe_utils.h" #include +#include +#include +#include +#include + #include #include #include @@ -43,7 +48,7 @@ static unsigned int get_ip_by_eth(const char *eth) { goto error; } - memset(&ifr, 0, sizoef(ifr)); + memset(&ifr, 0, sizeof(ifr)); strcpy(ifr.ifr_name, eth); if (ioctl(sockfd, SIOCGIFADDR, &ifr) < 0) { goto error; @@ -91,7 +96,7 @@ void ssl_mid_cert_kafka_logger_destory(void) { free(g_kafka_logger->handle); } if (g_kafka_logger->topic) { - free(g_kafka_logger->topic) + free(g_kafka_logger->topic); } free(g_kafka_logger); } @@ -155,8 +160,8 @@ void ssl_mid_cert_kafka_logger_send(const char *sni, const char *fingerprint, co char *msg = NULL; obj = cJSON_CreateObject(); - cJSON_AddNumberToObject(obj, "sni", sni); - cJSON_AddNumberToObject(obj, "fingerprint", fingerprint); + cJSON_AddStringToObject(obj, "sni", sni); + cJSON_AddStringToObject(obj, "fingerprint", fingerprint); cJSON_AddStringToObject(obj, "cert", cert); cJSON_AddStringToObject(obj, "tfe_ip", g_kafka_logger->tfe_ip); dup = cJSON_Duplicate(obj, 1); @@ -165,7 +170,7 @@ void ssl_mid_cert_kafka_logger_send(const char *sni, const char *fingerprint, co rd_kafka_produce(g_kafka_logger->topic, RD_KAFKA_PARTITION_UA, RD_KAFKA_MSG_F_COPY, msg, strlen(msg), NULL, 0, NULL); free(msg); - JSON_Delete(dup); + cJSON_Delete(dup); cJSON_Delete(obj); } From a3856d20e7f702b74de5173ecf23538eadd0184a Mon Sep 17 00:00:00 2001 From: luwenpeng Date: Fri, 6 Dec 2019 17:40:03 +0800 Subject: [PATCH 5/5] =?UTF-8?q?TSG-148=20=E6=9B=B4=E6=96=B0=20tfe.conf?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- conf/tfe/tfe.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/conf/tfe/tfe.conf b/conf/tfe/tfe.conf index 8314239..0afdabf 100644 --- a/conf/tfe/tfe.conf 
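Review bot: `cJSON_AddStringToObject(obj, "sni", sni)` and `cJSON_AddStringToObject(obj, "fingerprint", fingerprint)` now have the right type, but neither argument is checked for NULL: the caller in patch 3 guards `fingerprint` only for its own debug line and passes the raw pointer here, and `hostname` arrives from the verification path with no visible guarantee; depending on the cJSON version the key is silently dropped or the NULL is dereferenced. Normalise at the top of `ssl_mid_cert_kafka_logger_send`: `sni = sni ? sni : "";` and `fingerprint = fingerprint ? fingerprint : "";`. `msg = cJSON_PrintUnformatted(dup)` can also return NULL on allocation failure and is fed straight to `strlen(msg)`; guard it, and release it with `cJSON_free(msg)` rather than `free(msg)` so it matches cJSON's configured allocator. The enclosing function starts before this hunk.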
+++ b/conf/tfe/tfe.conf @@ -23,6 +23,16 @@ stek_group_num=4 stek_rotation_time=3600 service_cache_succ_as_app_not_pinning_cnt=3 +# SSL mid cert cache +# default 0 +mc_cache_enable=1 +# default eth0 +mc_cache_eth=eth0 +# default NULL +mc_cache_broker_list= +# default MID-CERT-CACHE-LOG +mc_cache_topic=MID-CERT-CACHE-LOG + [key_keeper] #Mode: debug - generate cert with ca_path, normal - generate cert with cert store #0 on cache 1 off cache
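Review bot: The shipped defaults turn the feature on (`mc_cache_enable=1`) while leaving `mc_cache_broker_list=` empty; with the code in patch 3 a missing or empty broker list makes `ssl_mid_cert_kafka_logger_create` return -1 and `ssl_manager_init` abort (how `MESA_load_profile_string_def` reports an empty value is not shown, so this is inferred), so a fresh install may refuse to start until an operator edits this line. Either ship `mc_cache_enable=0` and document the list as required when enabled, or give `mc_cache_broker_list` a placeholder and a comment such as `# required when mc_cache_enable=1, e.g. host1:9092,host2:9092`. The comment block should also say what is exported — the PEM of every chain intermediate not found in the trust store, the SNI and this host's address — so operators understand the data leaving the box.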