tango-tfe/platform/include/internal/ssl_service_cache.h

#pragma once

#include <tfe_types.h>
#include <ssl_utils.h>
#include <event2/event.h>
#include <MESA/MESA_htable.h>

#define PINNING_ST_NOT_PINNING		0
#define PINNING_ST_PINNING			1
#define PINNING_ST_MAYBE_PINNING	2
struct ssl_service_status
{
	char cli_pinning_status;
	char is_app_not_pinning;
	char is_ev;
	char is_ct;
	char is_mutual_auth;
	char has_protocol_errors;
};
struct ssl_service_cache_statistics
{
	long long pinning_cli_cnt;
	long long mutual_auth_cli_cnt;
	long long proto_err_cli_cnt;
	long long ev_srv_cnt;
	long long ct_srv_cnt;
	long long app_not_pinning_cnt;
	long long trusted_cert_cnt;
};
struct ssl_service_cache
{
	MESA_htable_handle cli_st_hash;
	MESA_htable_handle srv_st_hash;
	MESA_htable_handle app_st_hash;
	
	struct ssl_service_cache_statistics stat;
	unsigned int fail_as_cli_pinning_count;
	unsigned int fail_as_proto_err_count;
	unsigned int fail_time_window;
	unsigned int succ_as_app_not_pinning_count;
};
struct ssl_service_cache* ssl_service_cache_create(unsigned int slot_size, unsigned int expire_seconds, int fail_as_pinning_cnt, int fail_as_proto_err_cnt, int succ_as_app_not_pinning_cnt, int fail_time_win);
void ssl_service_cache_destroy(struct ssl_service_cache* cache);

int ssl_service_cache_read(struct ssl_service_cache* svc_cache, const struct ssl_chello* chello, const struct tfe_stream_addr * addr, struct ssl_service_status* result);
void ssl_service_cache_write(struct ssl_service_cache* svc_cache, const struct ssl_chello* chello, const struct tfe_stream_addr * addr, const struct ssl_service_status* status);
void ssl_service_cache_stat(struct ssl_service_cache* svc_cache, struct ssl_service_cache_statistics* result);
可以检测certificate pinning和mutual authentication。 2019-05-16 20:33:42 +08:00			`#pragma once`

			`#include <tfe_types.h>`
			`#include <ssl_utils.h>`
			`#include <event2/event.h>`
向 tfe 的 FieldStat 中输出可信证书的数量 2020-01-08 14:16:23 +08:00			`#include <MESA/MESA_htable.h>`
可以检测certificate pinning和mutual authentication。 2019-05-16 20:33:42 +08:00
			`#define PINNING_ST_NOT_PINNING 0`
			`#define PINNING_ST_PINNING 1`
			`#define PINNING_ST_MAYBE_PINNING 2`
			`struct ssl_service_status`
			`{`
区分未安装证书的客户端和pinning的客户端。若开启tfe.conf中[SSL]root_cert_not_installed_is_not_pinning=1，则未安装证书的客户端不再视为pinning。 2019-07-26 12:28:17 +06:00			`char cli_pinning_status;`
			`char is_app_not_pinning;`
可以检测certificate pinning和mutual authentication。 2019-05-16 20:33:42 +08:00			`char is_ev;`
			`char is_ct;`
			`char is_mutual_auth;`
1. 客户端报SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN错误时，不作为maybe pinning; 2. ssl policy中增加protocol_errors的bypass开关。 2019-05-21 11:47:09 +08:00			`char has_protocol_errors;`
可以检测certificate pinning和mutual authentication。 2019-05-16 20:33:42 +08:00			`};`
在ssl policy中处理keyring。 2019-05-20 16:56:37 +08:00			`struct ssl_service_cache_statistics`
			`{`
			`long long pinning_cli_cnt;`
			`long long mutual_auth_cli_cnt;`
1. 客户端报SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN错误时，不作为maybe pinning; 2. ssl policy中增加protocol_errors的bypass开关。 2019-05-21 11:47:09 +08:00			`long long proto_err_cli_cnt;`
在ssl policy中处理keyring。 2019-05-20 16:56:37 +08:00			`long long ev_srv_cnt;`
			`long long ct_srv_cnt;`
区分未安装证书的客户端和pinning的客户端。若开启tfe.conf中[SSL]root_cert_not_installed_is_not_pinning=1，则未安装证书的客户端不再视为pinning。 2019-07-26 12:28:17 +06:00			`long long app_not_pinning_cnt;`
向 tfe 的 FieldStat 中输出可信证书的数量 2020-01-08 14:16:23 +08:00			`long long trusted_cert_cnt;`
在ssl policy中处理keyring。 2019-05-20 16:56:37 +08:00			`};`
向 tfe 的 FieldStat 中输出可信证书的数量 2020-01-08 14:16:23 +08:00			`struct ssl_service_cache`
			`{`
			`MESA_htable_handle cli_st_hash;`
			`MESA_htable_handle srv_st_hash;`
			`MESA_htable_handle app_st_hash;`

			`struct ssl_service_cache_statistics stat;`
			`unsigned int fail_as_cli_pinning_count;`
			`unsigned int fail_as_proto_err_count;`
			`unsigned int fail_time_window;`
			`unsigned int succ_as_app_not_pinning_count;`
			`};`
			`struct ssl_service_cache* ssl_service_cache_create(unsigned int slot_size, unsigned int expire_seconds, int fail_as_pinning_cnt, int fail_as_proto_err_cnt, int succ_as_app_not_pinning_cnt, int fail_time_win);`
			`void ssl_service_cache_destroy(struct ssl_service_cache* cache);`

			`int ssl_service_cache_read(struct ssl_service_cache* svc_cache, const struct ssl_chello* chello, const struct tfe_stream_addr * addr, struct ssl_service_status* result);`
			`void ssl_service_cache_write(struct ssl_service_cache* svc_cache, const struct ssl_chello* chello, const struct tfe_stream_addr * addr, const struct ssl_service_status* status);`
在ssl policy中处理keyring。 2019-05-20 16:56:37 +08:00			`void ssl_service_cache_stat(struct ssl_service_cache* svc_cache, struct ssl_service_cache_statistics* result);`