修订版 | 9b16264f78e72d0a9ffbfbc7e67c26830b149e69 (tree) |
---|---|
时间 | 2021-11-21 18:59:29 |
作者 | dyknon <dyknon@user...> |
Commiter | dyknon |
SNI support inprogress
@@ -7,7 +7,7 @@ Subject: 4debug | ||
7 | 7 | 1 file changed, 31 insertions(+) |
8 | 8 | |
9 | 9 | diff --git a/certificate/AuthorityCertificateManager.cpp b/certificate/AuthorityCertificateManager.cpp |
10 | -index 567367b..e3e8d4e 100644 | |
10 | +index d89dafb..4f3afa0 100644 | |
11 | 11 | --- a/certificate/AuthorityCertificateManager.cpp |
12 | 12 | +++ b/certificate/AuthorityCertificateManager.cpp |
13 | 13 | @@ -19,6 +19,8 @@ |
@@ -19,7 +19,7 @@ index 567367b..e3e8d4e 100644 | ||
19 | 19 | |
20 | 20 | AuthorityCertificateManager::AuthorityCertificateManager(std::string &file, std::string &chain) { |
21 | 21 | path certPath(file); |
22 | -@@ -74,6 +76,35 @@ void AuthorityCertificateManager::getCertificateForTarget(boost::asio::ip::tcp:: | |
22 | +@@ -133,6 +135,35 @@ void AuthorityCertificateManager::getCertificateForTarget(boost::asio::ip::tcp:: | |
23 | 23 | |
24 | 24 | X509_sign(request, authority->getKey(), EVP_sha256()); |
25 | 25 |
@@ -0,0 +1,128 @@ | ||
1 | +From: dyknon <dyknon@users.osdn.me> | |
2 | +Date: Sun, 21 Nov 2021 18:48:30 +0900 | |
3 | +Subject: Add SNI support | |
4 | + | |
5 | +--- | |
6 | + SSLBridge.cpp | 52 +++++++++++++++++++++++++++------------------------- | |
7 | + SSLBridge.hpp | 3 ++- | |
8 | + 2 files changed, 29 insertions(+), 26 deletions(-) | |
9 | + | |
10 | +diff --git a/SSLBridge.cpp b/SSLBridge.cpp | |
11 | +index b9259ad..832adc7 100644 | |
12 | +--- a/SSLBridge.cpp | |
13 | ++++ b/SSLBridge.cpp | |
14 | +@@ -26,15 +26,13 @@ X509* SSLBridge::getServerCertificate() { | |
15 | + return SSL_get_peer_certificate(serverSession); | |
16 | + } | |
17 | + | |
18 | +-void SSLBridge::buildClientContext(SSL_CTX *context, Certificate *leaf, std::list<Certificate*> *chain) { | |
19 | ++void SSLBridge::useCertkey( | |
20 | ++ SSL *ssl, Certificate *leaf, std::list<Certificate*> *chain | |
21 | ++){ | |
22 | ++ SSL_use_certificate(ssl, leaf->getCert()); | |
23 | ++ SSL_use_PrivateKey(ssl, leaf->getKey()); | |
24 | + | |
25 | +- SSL_CTX_sess_set_new_cb(context, &SessionCache::setNewSessionIdTramp); | |
26 | +- SSL_CTX_sess_set_get_cb(context, &SessionCache::getSessionIdTramp); | |
27 | +- | |
28 | +- SSL_CTX_use_certificate(context, leaf->getCert()); | |
29 | +- SSL_CTX_use_PrivateKey(context, leaf->getKey()); | |
30 | +- | |
31 | +- if (SSL_CTX_check_private_key(context) == 0) { | |
32 | ++ if (SSL_check_private_key(ssl) == 0) { | |
33 | + std::cerr << "*** Assertion Failed - Generated PrivateKey Doesn't Work." << std::endl; | |
34 | + throw SSLConnectionError(); | |
35 | + } | |
36 | +@@ -43,12 +41,13 @@ void SSLBridge::buildClientContext(SSL_CTX *context, Certificate *leaf, std::lis | |
37 | + std::list<Certificate*>::iterator end = chain->end(); | |
38 | + | |
39 | + for (;i != end; i++) { | |
40 | +- SSL_CTX_add_extra_chain_cert(context, (*i)->getCert()); | |
41 | ++ SSL_add1_chain_cert(ssl, (*i)->getCert()); | |
42 | + } | |
43 | ++} | |
44 | + | |
45 | +- // if (chain != NULL) | |
46 | +- // SSL_CTX_add_extra_chain_cert(context, chain->getCert()); | |
47 | +- | |
48 | ++void SSLBridge::buildClientContext(SSL_CTX *context) { | |
49 | ++ SSL_CTX_sess_set_new_cb(context, &SessionCache::setNewSessionIdTramp); | |
50 | ++ SSL_CTX_sess_set_get_cb(context, &SessionCache::getSessionIdTramp); | |
51 | + SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY); | |
52 | + } | |
53 | + | |
54 | +@@ -71,18 +70,30 @@ void SSLBridge::setServerName() { | |
55 | + } | |
56 | + | |
57 | + void SSLBridge::handshakeWithClient(CertificateManager &manager, bool wildcardOK) { | |
58 | ++ ip::address_v4 serverAddress = serverSocket->remote_endpoint().address().to_v4(); | |
59 | + Certificate *leaf; | |
60 | + std::list<Certificate*> *chain; | |
61 | + | |
62 | ++ /* Server handshake */ | |
63 | ++ if (SSL_connect(serverSession) < 0) { | |
64 | ++ Logger::logError("Error on SSL Connect."); | |
65 | ++ throw SSLConnectionError(); | |
66 | ++ } | |
67 | ++ cache->setNewSessionId(serverSession, SSL_get1_session(serverSession), | |
68 | ++ serverAddress.to_bytes().data(), | |
69 | ++ serverAddress.to_bytes().size()); | |
70 | ++ | |
71 | ++ /* Client handhake */ | |
72 | + ip::tcp::endpoint endpoint = getRemoteEndpoint(); | |
73 | + manager.getCertificateForTarget(endpoint, wildcardOK, getServerCertificate(), &leaf, &chain); | |
74 | +- | |
75 | ++ | |
76 | + setServerName(); | |
77 | +- | |
78 | ++ | |
79 | + SSL_CTX *clientContext = SSL_CTX_new(SSLv23_server_method()); | |
80 | +- buildClientContext(clientContext, leaf, chain); | |
81 | ++ buildClientContext(clientContext); | |
82 | + | |
83 | + SSL *clientSession = SSL_new(clientContext); | |
84 | ++ useCertkey(clientSession, leaf, chain); | |
85 | + SSL_set_fd(clientSession, clientSocket->native_handle()); | |
86 | + | |
87 | + if (SSL_accept(clientSession) == 0) { | |
88 | +@@ -93,9 +104,9 @@ void SSLBridge::handshakeWithClient(CertificateManager &manager, bool wildcardOK | |
89 | + this->clientSession = clientSession; | |
90 | + } | |
91 | + | |
92 | ++/* Do not start TLS handshake: to support SNI */ | |
93 | + void SSLBridge::handshakeWithServer() { | |
94 | + int bogus; | |
95 | +- | |
96 | + ip::address_v4 serverAddress = serverSocket->remote_endpoint().address().to_v4(); | |
97 | + SSL_CTX *serverCtx = SSL_CTX_new(SSLv23_client_method());; | |
98 | + SSL *serverSession = SSL_new(serverCtx);; | |
99 | +@@ -112,15 +123,6 @@ void SSLBridge::handshakeWithServer() { | |
100 | + SSL_set_connect_state(serverSession); | |
101 | + SSL_set_fd(serverSession, serverSocket->native_handle()); | |
102 | + SSL_set_options(serverSession, SSL_OP_ALL); | |
103 | +- | |
104 | +- if (SSL_connect(serverSession) < 0) { | |
105 | +- Logger::logError("Error on SSL Connect."); | |
106 | +- throw SSLConnectionError(); | |
107 | +- } | |
108 | +- | |
109 | +- cache->setNewSessionId(serverSession, SSL_get1_session(serverSession), | |
110 | +- serverAddress.to_bytes().data(), | |
111 | +- serverAddress.to_bytes().size()); | |
112 | + | |
113 | + this->serverSession = serverSession; | |
114 | + } | |
115 | +diff --git a/SSLBridge.hpp b/SSLBridge.hpp | |
116 | +index 753bd4e..d871c2f 100644 | |
117 | +--- a/SSLBridge.hpp | |
118 | ++++ b/SSLBridge.hpp | |
119 | +@@ -99,7 +99,8 @@ private: | |
120 | + std::optional<Lane> lanes[2]; | |
121 | + | |
122 | + X509* getServerCertificate(); | |
123 | +- void buildClientContext(SSL_CTX *context, Certificate *leaf, std::list<Certificate*> *chain); | |
124 | ++ void buildClientContext(SSL_CTX *context); | |
125 | ++ void useCertkey(SSL *context, Certificate *leaf, std::list<Certificate*> *chain); | |
126 | + int forwardData(SSL *from, SSL *to); | |
127 | + void setServerName(); | |
128 | + |
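Review bot: The upstream handshake check that now lives in `handshakeWithClient` still tests `SSL_connect(serverSession) < 0`, so a return value of 0 (handshake not completed, peer shut down cleanly) falls through to `cache->setNewSessionId(..., SSL_get1_session(serverSession), ...)` and then to `getServerCertificate()`, which would hand a NULL peer certificate to `getCertificateForTarget`; the condition should be `if (SSL_connect(serverSession) <= 0) {`. In `useCertkey`, `SSL_check_private_key` catches a failed `SSL_use_certificate`/`SSL_use_PrivateKey`, but the `SSL_add1_chain_cert` return value in the loop is dropped, so an intermediate that fails to attach leaves the client-facing chain silently incomplete; `if (SSL_add1_chain_cert(ssl, (*i)->getCert()) != 1) throw SSLConnectionError();` would surface it. Nothing in this hunk reads the client's SNI (no servername callback or `SSL_get_servername`) and the upstream `SSL_connect` still runs before `SSL_accept` on the client side, so as committed the certificate is still chosen from the endpoint and the upstream certificate rather than from the name the client asked for; given the title marks this as in progress, the new comment on `handshakeWithServer` would be clearer as `/* Handshake is deferred to handshakeWithClient (SNI support still pending) */`. The bodies of `setServerName` and the rest of `handshakeWithServer` fall outside the hunk, so whether an upstream SNI is set there cannot be confirmed from this view.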
@@ -7,3 +7,4 @@ Fix-FTBFS-with-Boost-1.71.patch | ||
7 | 7 | fix_FTBFS_boost174.patch |
8 | 8 | all-fixs.patch |
9 | 9 | 4debug.patch |
10 | +Add-SNI-support.patch |