authorluwenpeng <[email protected]>2020-09-28 14:33:50 +0800
committerluwenpeng <[email protected]>2020-09-28 18:05:59 +0800
commitfa3e050bb7d3f70d29552378337bfe2eeec73205 (patch)
treeed569394a98d2c591454357e784624be4fdaef06
parent8de4143d6c7ece972e3dc74b63caa2c0b1b0056b (diff)
TSG-3445 修正 TFE 从毕方加载可信证书时,SSL 证书校验不可信的 bug
-rw-r--r--common/include/tfe_proxy.h1
-rw-r--r--platform/include/internal/ssl_stream_core.h3
-rw-r--r--platform/include/internal/ssl_trusted_cert_storage.h3
-rw-r--r--platform/src/proxy.cpp6
-rw-r--r--platform/src/ssl_stream.cpp5
-rw-r--r--platform/src/ssl_trusted_cert_storage.cpp109
-rw-r--r--plugin/business/pangu-http/src/pangu_http.cpp3
7 files changed, 98 insertions, 32 deletions
diff --git a/common/include/tfe_proxy.h b/common/include/tfe_proxy.h
index 2f4a7d0..5ed8268 100644
--- a/common/include/tfe_proxy.h
+++ b/common/include/tfe_proxy.h
@@ -17,3 +17,4 @@ int tfe_proxy_ssl_del_trust_ca(const char* pem_file);
int tfe_proxy_ssl_add_crl(const char* pem_file);
int tfe_proxy_ssl_del_crl(const char* pem_file);
void tfe_proxy_ssl_reset_trust_ca();
+void tfe_proxy_ssl_reset_trust_ca_finish(void);
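Review bot: The new prototype says nothing about its pairing with `tfe_proxy_ssl_reset_trust_ca()`, yet the storage code in this commit only works when every reset is followed by exactly one finish, and a caller reading this header cannot tell that. Add a comment such as `/* Must be called exactly once after tfe_proxy_ssl_reset_trust_ca() and the add/del calls that follow it; the previous store stays in effect until then. */`. The neighbouring declaration is written `tfe_proxy_ssl_reset_trust_ca()` while the new one is `(void)` — pick one form for the file. The same two points apply to the declarations added in ssl_stream_core.h and ssl_trusted_cert_storage.h.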
diff --git a/platform/include/internal/ssl_stream_core.h b/platform/include/internal/ssl_stream_core.h
index ae03aa1..6be60e6 100644
--- a/platform/include/internal/ssl_stream_core.h
+++ b/platform/include/internal/ssl_stream_core.h
@@ -50,5 +50,4 @@ int ssl_manager_del_trust_ca(struct ssl_mgr* mgr, const char* pem_file);
int ssl_manager_add_crl(struct ssl_mgr* mgr, const char* pem_file);
int ssl_manager_del_crl(struct ssl_mgr* mgr, const char* pem_file);
void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr);
-
-
+void ssl_manager_reset_trust_ca_finish(struct ssl_mgr *mgr);
diff --git a/platform/include/internal/ssl_trusted_cert_storage.h b/platform/include/internal/ssl_trusted_cert_storage.h
index d85d495..250e3f4 100644
--- a/platform/include/internal/ssl_trusted_cert_storage.h
+++ b/platform/include/internal/ssl_trusted_cert_storage.h
@@ -32,5 +32,4 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename);
void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage);
-
-
+void ssl_trusted_cert_storage_reset_finish(struct ssl_trusted_cert_storage *storage);
diff --git a/platform/src/proxy.cpp b/platform/src/proxy.cpp
index 188ad28..9f2d018 100644
--- a/platform/src/proxy.cpp
+++ b/platform/src/proxy.cpp
@@ -934,4 +934,8 @@ void tfe_proxy_ssl_reset_trust_ca(void)
return;
}
-
+void tfe_proxy_ssl_reset_trust_ca_finish(void)
+{
+ ssl_manager_reset_trust_ca_finish(g_default_proxy->ssl_mgr_handler);
+ return;
+}
\ No newline at end of file
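Review bot: The added function dereferences `g_default_proxy` unconditionally; whether the sibling `tfe_proxy_ssl_reset_trust_ca` (whose body ends in this hunk) guards a NULL proxy is not visible here, so keep the two consistent either way. The trailing `return;` in a void function is dead, and the file now ends without a newline (`\ No newline at end of file`); drop the `return;` and restore the terminator.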
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 4b70c8d..e30cc5b 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -2090,6 +2090,11 @@ void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr)
ssl_trusted_cert_storage_reset(mgr->trust_CA_store);
return;
}
+void ssl_manager_reset_trust_ca_finish(struct ssl_mgr* mgr)
+{
+ ssl_trusted_cert_storage_reset_finish(mgr->trust_CA_store);
+ return;
+}
int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val)
{
struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param);
diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp
index f751579..051ec8d 100644
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -19,6 +19,13 @@ struct ssl_X509_object
char* filename;
enum ssl_X509_obj_type type;
};
+
+enum cert_store_status
+{
+ UPDATING,
+ STABLE,
+};
+
static void free_ssl_x509_obj(void* data)
{
struct ssl_X509_object* obj=(struct ssl_X509_object*)data;
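Review bot: `UPDATING` and `STABLE` are unscoped enumerators dropped into the global namespace of a translation unit that also pulls in OpenSSL and pthread headers; names this generic invite collisions and say nothing about what they describe. Prefix them, e.g. `CERT_STORE_UPDATING` and `CERT_STORE_STABLE`, and give the enum a one-line comment such as `// STABLE: add/del act on the live store; UPDATING: they act on the staging store until *_reset_finish swaps it in.` `free_ssl_x509_obj` at the end of the hunk continues past it.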
@@ -28,11 +35,14 @@ static void free_ssl_x509_obj(void* data)
}
struct ssl_trusted_cert_storage
{
+ enum cert_store_status status;
struct cert_store_param param;
char* pem_bundle, *pem_dir;
MESA_htable_handle hash_table;
- pthread_rwlock_t rwlock;
- X509_STORE* effective_store;
+ MESA_htable_handle temp_table;
+ pthread_rwlock_t rwlock;
+ X509_STORE *effective_store;
+ X509_STORE *temp_store;
};
static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type type, const char* filename)
{
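Review bot: The new `status`, `temp_table` and `temp_store` fields encode a two-phase replacement protocol, but nothing in the struct says so, and the field pairs are visually interchangeable. Add a comment on the staging pair, e.g. `// While status == UPDATING, add/del go to temp_table/temp_store; *_reset_finish promotes them into hash_table/effective_store and clears them. Expected to be NULL when STABLE.` `_X509_add_cert_or_crl_add` starts at the end of this hunk and continues outside it.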
@@ -194,9 +204,8 @@ struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem
pthread_rwlock_init(&(storage->rwlock), NULL);
assert(SSL_EX_DATA_IDX_VERIFY_PARAM<0);
SSL_EX_DATA_IDX_VERIFY_PARAM = X509_STORE_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ storage->status = STABLE;
return storage;
-
-
}
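Review bot: `ssl_trusted_cert_storage_create` sets `storage->status = STABLE` but never assigns the new `temp_table` and `temp_store` fields; unless the allocation zero-fills the struct (not visible in this hunk), they hold garbage until the first reset. Initialize them explicitly next to the status assignment: `storage->temp_table = NULL;` and `storage->temp_store = NULL;`, so that a finish or a later NULL check sees a defined value.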
void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage)
{
@@ -210,14 +219,28 @@ int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum
int ret=0;
struct ssl_X509_object* obj=NULL;
void* data=NULL;
- pthread_rwlock_wrlock(&(storage->rwlock));
- data=MESA_htable_search(storage->hash_table, (const unsigned char*)filename, strlen(filename));
+ MESA_htable_handle hash_table = NULL;
+ X509_STORE *effective_store = NULL;
+
+ pthread_rwlock_wrlock(&(storage->rwlock));
+ if (storage->status == UPDATING)
+ {
+ hash_table = storage->temp_table;
+ effective_store = storage->temp_store;
+ }
+ else
+ {
+ hash_table = storage->hash_table;
+ effective_store = storage->effective_store;
+ }
+
+ data = MESA_htable_search(hash_table, (const unsigned char *)filename, strlen(filename));
if(data!=NULL)//duplicated
{
ret=-1;
goto error_out;
}
- ret=_X509_add_cert_or_crl_add(storage->effective_store, type, filename);
+ ret=_X509_add_cert_or_crl_add(effective_store, type, filename);
if(ret<0)
{
ret=-1;
@@ -228,10 +251,11 @@ int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum
obj=ALLOC(struct ssl_X509_object, 1);
obj->type=SSL_X509_OBJ_CERT;
obj->filename=tfe_strdup(filename);
- ret=MESA_htable_add(storage->hash_table, (const unsigned char*)obj->filename, strlen(obj->filename), obj);
+ ret=MESA_htable_add(hash_table, (const unsigned char*)obj->filename, strlen(obj->filename), obj);
assert(ret>0);
ret=1;
-
+ TFE_LOG_DEBUG(g_default_logger, "%s %p add %s", storage->status == UPDATING ? "temp store" : "effective store", effective_store, filename);
+
error_out:
pthread_rwlock_unlock(&(storage->rwlock));
return ret;
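Review bot: The `if (storage->status == UPDATING) … else …` block that picks `hash_table`/`effective_store` is copied verbatim into `ssl_trusted_cert_storage_add` here and into `ssl_trusted_cert_storage_del` in the next hunk; a third copy will appear the moment another operation needs it. Extract it into one static helper called under the write lock, as below, so the phase rule lives in a single place. The function's signature line is outside this hunk.
```cpp
// Pick the table/store that add/del must act on in the current phase.
// Caller must hold storage->rwlock.
static void cert_store_target(struct ssl_trusted_cert_storage *storage,
                              MESA_htable_handle *table, X509_STORE **store)
{
    int updating = (storage->status == UPDATING);
    *table = updating ? storage->temp_table : storage->hash_table;
    *store = updating ? storage->temp_store : storage->effective_store;
}
/* … in ssl_trusted_cert_storage_add and ssl_trusted_cert_storage_del, replacing the if/else … */
    pthread_rwlock_wrlock(&(storage->rwlock));
    cert_store_target(storage, &hash_table, &effective_store);
```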
@@ -249,18 +273,42 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
{
int ret=0;
X509_STORE* temp_store=NULL;
- pthread_rwlock_wrlock(&(storage->rwlock));
- ret=MESA_htable_del(storage->hash_table, (const unsigned char*)filename, strlen(filename), NULL);
+ MESA_htable_handle hash_table = NULL;
+ X509_STORE *effective_store = NULL;
+
+ pthread_rwlock_wrlock(&(storage->rwlock));
+ if (storage->status == UPDATING)
+ {
+ hash_table = storage->temp_table;
+ effective_store = storage->temp_store;
+ }
+ else
+ {
+ hash_table = storage->hash_table;
+ effective_store = storage->effective_store;
+ }
+
+ ret=MESA_htable_del(hash_table, (const unsigned char*)filename, strlen(filename), NULL);
if(ret<0)
{
ret=-1;
goto error_out;
}
temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
- MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store);
- X509_STORE_free(storage->effective_store);
- storage->effective_store=temp_store;
- ret=1;
+ MESA_htable_iterate(hash_table, cert_storage_htable_traverse_cb, temp_store);
+ X509_STORE_free(effective_store);
+ TFE_LOG_DEBUG(g_default_logger, "%s %p->%p del %s", storage->status == UPDATING ? "temp store" : "effective store", effective_store, temp_store, filename);
+
+ if (storage->status == UPDATING)
+ {
+ storage->temp_store = temp_store;
+ }
+ else
+ {
+ storage->effective_store = temp_store;
+ }
+
+ ret=1;
error_out:
pthread_rwlock_unlock(&(storage->rwlock));
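Review bot: The local `X509_STORE* temp_store` now coexists with the new field `storage->temp_store`, and the two mean different things — the local is the store rebuilt after the deletion, the field is the staging store — so `storage->temp_store = temp_store;` at the end reads like a no-op. Rename the local, e.g. `X509_STORE *rebuilt_store = NULL;`. The debug log also prints `effective_store` after `X509_STORE_free(effective_store)`; only the pointer value is used, so it is harmless, but moving the log above the free makes the order read naturally. The function's signature line is outside this hunk.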
@@ -268,19 +316,28 @@ error_out:
}
void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
{
-
- X509_STORE* temp_store=NULL;
- MESA_htable_destroy(storage->hash_table, NULL);
-
- storage->hash_table=_create_mesa_htable();
- temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
-
pthread_rwlock_wrlock(&(storage->rwlock));
- X509_STORE_free(storage->effective_store);
- storage->effective_store=temp_store;
- pthread_rwlock_unlock(&(storage->rwlock));
- return;
+ storage->temp_table = _create_mesa_htable();
+ storage->temp_store = _X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
+ storage->status = UPDATING;
+ TFE_LOG_DEBUG(g_default_logger, "reset effective store %p, create temp store %p", storage->effective_store, storage->temp_store);
+ pthread_rwlock_unlock(&(storage->rwlock));
}
+
+void ssl_trusted_cert_storage_reset_finish(struct ssl_trusted_cert_storage *storage)
+{
+ pthread_rwlock_wrlock(&(storage->rwlock));
+ MESA_htable_destroy(storage->hash_table, NULL);
+ X509_STORE_free(storage->effective_store);
+ storage->effective_store = storage->temp_store;
+ storage->hash_table = storage->temp_table;
+ storage->temp_table = NULL;
+ storage->temp_store = NULL;
+ storage->status = STABLE;
+ TFE_LOG_DEBUG(g_default_logger, "change temp store to effective store %p", storage->effective_store);
+ pthread_rwlock_unlock(&(storage->rwlock));
+}
+
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
int err=0, ret=0;
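Review bot: `ssl_trusted_cert_storage_reset_finish` does not check that a reset is in progress: called while `status == STABLE`, it destroys the live `hash_table` and `effective_store` and installs whatever `temp_table`/`temp_store` hold (NULL after a previous finish, or undefined before the first reset, as far as this diff shows), after which verification runs against no store at all — the opposite of what this commit sets out to fix. Conversely, a second `ssl_trusted_cert_storage_reset` before a finish overwrites the staging pair and leaks the previous one. Guard both transitions as below; `_create_mesa_htable` and `_X509_store_create` also remain unchecked in reset, so a failed creation would be promoted into `effective_store` as NULL at finish — consider bailing out of the reset when either returns NULL. `verify_callback` at the end of the hunk continues outside it.
```cpp
void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
{
    pthread_rwlock_wrlock(&(storage->rwlock));
    if (storage->status == UPDATING)
    {
        // A previous reset never finished: release its staging pair instead of leaking it.
        MESA_htable_destroy(storage->temp_table, NULL);
        X509_STORE_free(storage->temp_store);
    }
    storage->temp_table = _create_mesa_htable();
    storage->temp_store = _X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
    storage->status = UPDATING;
    // … unchanged: debug log, unlock …
}

void ssl_trusted_cert_storage_reset_finish(struct ssl_trusted_cert_storage *storage)
{
    pthread_rwlock_wrlock(&(storage->rwlock));
    if (storage->status != UPDATING)
    {
        // No reset in flight: swapping now would install an empty/NULL store.
        pthread_rwlock_unlock(&(storage->rwlock));
        return;
    }
    // … unchanged: destroy old table/store, promote staging pair, status = STABLE, log, unlock …
}
```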
diff --git a/plugin/business/pangu-http/src/pangu_http.cpp b/plugin/business/pangu-http/src/pangu_http.cpp
index 17b7f17..058fa8e 100644
--- a/plugin/business/pangu-http/src/pangu_http.cpp
+++ b/plugin/business/pangu-http/src/pangu_http.cpp
@@ -288,7 +288,8 @@ void trusted_CA_update_finish_cb(void* u_para)
g_pangu_rt->ca_store_reseting--;
if(g_pangu_rt->ca_store_reseting==0)
{
- TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Finish.");
+ tfe_proxy_ssl_reset_trust_ca_finish();
+ TFE_LOG_INFO(g_pangu_rt->local_logger, "Trusted CA Store Reset Finish.");
}
}
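Review bot: `g_pangu_rt->ca_store_reseting--` followed by the `==0` test is a non-atomic read-modify-write; if `trusted_CA_update_finish_cb` can be invoked from more than one thread (not visible here), two callbacks could both observe zero and call `tfe_proxy_ssl_reset_trust_ca_finish()` twice, or neither could. The storage-level finish added in this commit does not guard against being invoked without a pending reset, so a double call would replace the live store with a NULL one. If the callback is known to run on a single thread, a comment saying so next to the counter would settle it; otherwise make the counter atomic or take a lock around the decrement-and-test. The function starts before this hunk.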
}