From 05c7528bfd26d7ac6c08def1e24a9cddfe0ac2e4 Mon Sep 17 00:00:00 2001
From: luwenpeng
Date: Tue, 19 May 2020 18:07:04 +0800
Subject: [PATCH] =?UTF-8?q?TSG-1719=20=E5=8A=9F=E8=83=BD=E7=AB=AF=E5=A2=9E?=
 =?UTF-8?q?=E5=8A=A0=20dynamic=20bypass=20=E9=80=89=E9=A1=B9=20trusted=5Fr?=
 =?UTF-8?q?oot=5Fcert=5Fis=5Fnot=5Finstalled=5Fon=5Fclient=20&&=20TSG-1687?=
 =?UTF-8?q?=20pinning=20=E5=8A=9F=E8=83=BD=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 common/include/ssl_stream.h | 1 +
 platform/src/ssl_stream.cpp | 33 +++++--------------
 plugin/business/ssl-policy/src/ssl_policy.cpp | 17 +++++++---
 resource/pangu/pangu_http.json | 6 ++--
 4 files changed, 24 insertions(+), 33 deletions(-)
diff --git a/common/include/ssl_stream.h b/common/include/ssl_stream.h
index f094d4d..8c66892 100644
--- a/common/include/ssl_stream.h
+++ b/common/include/ssl_stream.h
@@ -17,6 +17,7 @@ enum SSL_STREAM_OPT
 SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
 SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
 SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
+ SSL_STREAM_OPT_APP_STATUS, //0:FALSE, 1:TRUE.
 SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
 SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
 SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index e0cac5f..30ef691 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -127,7 +127,6 @@ struct ssl_mgr
 unsigned int no_alpn;
 unsigned int no_cert_verify;
 unsigned int no_mirror_client_cipher_suite;
- unsigned int root_cert_not_installed_is_not_pinning;
 CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
 int ssl_min_version, ssl_max_version;
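Review bot: The comment on the new `SSL_STREAM_OPT_APP_STATUS` entry repeats `//0:FALSE, 1:TRUE.` from its neighbours without saying what is true, and the name `APP_STATUS` does not say either; the only definition is in ssl_stream.cpp, where `ssl_stream_get_integer_opt` returns `svc->is_app_not_pinning` for it. Callers will pair this option with `SSL_STREAM_OPT_PINNING_STATUS`, which after this patch returns the raw `cli_pinning_status`, so the header is the place to record that relationship. Suggested comment: `//0:FALSE, 1:TRUE. 1 means the session was classified as is_app_not_pinning (what the profile key trusted_root_cert_is_not_installed_on_client acts on); read together with SSL_STREAM_OPT_PINNING_STATUS.` A name such as `SSL_STREAM_OPT_IS_APP_NOT_PINNING` would also follow the `IS_*` pattern of the surrounding entries.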
@@ -700,8 +699,6 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 {
 mgr->down_stek_box = sess_ticket_box_create(ev_base_gc, stek_group_num, stek_rotation_time, logger);
 }
- MESA_load_profile_uint_def(ini_profile, section, "root_cert_not_installed_is_not_pinning",
- &(mgr->root_cert_not_installed_is_not_pinning), 1);
 MESA_load_profile_uint_def(ini_profile, section, "service_cache_slots",
 &(mgr->svc_cache_slots), 4 * 1024 * 1024);
 MESA_load_profile_uint_def(ini_profile, section, "service_cache_expire_seconds",
@@ -1413,7 +1410,10 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
 free(addr_string);
 addr_string=NULL;
 }
- ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
+ if (svc_status->is_app_not_pinning)
+ ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, PINNING_ST_NOT_PINNING);
+ else
+ ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
 if(ctx->mgr->on_new_upstream_cb)
 {
 s_stream->up_parts.action=ctx->mgr->on_new_upstream_cb(s_stream, ctx->mgr->upstream_cb_param);
@@ -2113,15 +2113,10 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 }
 int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
 {
- const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
- char * addr_str=NULL;
- const char * sni = (upstream->up_parts.client_hello->sni) ? (upstream->up_parts.client_hello->sni) : "null";
 struct ssl_service_status* svc=&upstream->up_parts.svc_status;
- struct ssl_mgr* mgr=upstream->mgr;
 struct tfe_cmsg *cmsg=NULL;
 UNUSED int ret=0;
 uint16_t out_size=0;
- int mod = 0;
 switch(opt_type)
 {
 case SSL_STREAM_OPT_IS_EV_CERT:
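Review bot: The new `if (svc_status->is_app_not_pinning)` branch hard-codes the override that the removed `root_cert_not_installed_is_not_pinning` option (default 1) used to gate, so whatever reads `TFE_CMSG_SSL_PINNING_STATE` now sees `PINNING_ST_NOT_PINNING` for such sessions, while `ssl_stream_get_integer_opt` in the later hunk returns the unmodified `cli_pinning_status` for `SSL_STREAM_OPT_PINNING_STATUS`; the two readers therefore disagree about the same session's pinning state. If that split is intentional (cmsg readers get the adjusted view, the policy plugin gets the raw value plus `SSL_STREAM_OPT_APP_STATUS`), it deserves a comment at the `if`, e.g. `// cmsg readers see NOT_PINNING for app-not-pinning sessions; the policy plugin reads the raw status via SSL_STREAM_OPT_PINNING_STATUS and SSL_STREAM_OPT_APP_STATUS instead`. The two single-statement branches are also left unbraced, unlike the `if(ctx->mgr->on_new_upstream_cb)` block directly below them. peek_chello_on_succ starts and ends outside the hunk.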
@@ -2134,22 +2129,10 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 *opt_val=svc->is_mutual_auth;
 break;
 case SSL_STREAM_OPT_PINNING_STATUS:
- if(mgr->root_cert_not_installed_is_not_pinning && svc->is_app_not_pinning)
- {
- mod = 1;
- *opt_val=PINNING_ST_NOT_PINNING;
- }
- else
- {
- *opt_val=svc->cli_pinning_status;
- }
-
- addr_str = tfe_stream_addr_to_str(upstream->tcp_stream->addr);
- tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
- TFE_LOG_DEBUG(g_default_logger, "c:%s:%s s:%s:%s, root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, %s pinning:%d, sni:%s",
- sip, sport, dip, dport, mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, (mod == 1) ? "mod" : "set", *opt_val, sni);
- free(addr_str);
-
+ *opt_val=svc->cli_pinning_status;
+ break;
+ case SSL_STREAM_OPT_APP_STATUS:
+ *opt_val=svc->is_app_not_pinning;
 break;
 case SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
 *opt_val=svc->has_protocol_errors;
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index 71a2ea1..2e1f0ad 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -46,6 +46,7 @@ struct decryption_param
 int bypass_ct_cert;
 int bypass_mutual_auth;
 int bypass_pinning;
+ int bypass_uninstall_cert_traffic;
 int bypass_protocol_errors;
 int no_verify_cn;
 int no_verify_issuer;
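Review bot: Removing the `TFE_LOG_DEBUG` in the `SSL_STREAM_OPT_PINNING_STATUS` case deletes the only per-session trace of `is_app_not_pinning` and `cli_pinning_status` together with client/server address and SNI, and nothing in this patch replaces it for the non-bypass path: `ssl_policy_enforce` logs `uninstall_cert`/`pinning` only when it chooses PASSTHROUGH, so a session that is still decrypted because the new profile key is off leaves no record of why. A getter is not the right place for that log, so it seems worth adding a debug line in the policy plugin's non-PASSTHROUGH path that carries `app_staus` and `pinning_staus`. The two new cases are otherwise consistent with the rest of the switch; a short comment on `case SSL_STREAM_OPT_APP_STATUS:` such as `// raw classifier flag; the NOT_PINNING override now lives in peek_chello_on_succ` would tell readers where the removed override went. ssl_stream_get_integer_opt's body continues outside the hunk.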
@@ -317,7 +318,8 @@ void profile_param_new_cb(int table_id, const char* key, const char* table_line,
 if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
 item=cJSON_GetObjectItem(exclusions, "protocol_errors");
 if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
-
+ item=cJSON_GetObjectItem(exclusions, "trusted_root_cert_is_not_installed_on_client");
+ if(item && item->type==cJSON_Number) param->bypass_uninstall_cert_traffic=item->valueint;
 }
 ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
 if(ssl_ver)
@@ -436,7 +438,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
 return SSL_ACTION_PASSTHROUGH;
 }
- int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
+ int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, app_staus=0;
 if(!profile_param->mirror_client_version)
 {
 ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
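Review bot: When a profile's `dynamic_bypass` object has no `trusted_root_cert_is_not_installed_on_client` key, `param->bypass_uninstall_cert_traffic` is never assigned here, and the hunk does not show how `param` is initialised (profile_param_new_cb starts outside the hunk). Combined with the change in `ssl_policy_enforce`, pinning sessions flagged `app_staus` are no longer covered by `cert_pinning`, so profiles written before this key existed switch from PASSTHROUGH to decrypt for that traffic without any change on their side, or behave unpredictably if the field is not zeroed. If the pre-patch behaviour is meant to be preserved for such profiles, an explicit default before the lookup makes that visible: `param->bypass_uninstall_cert_traffic=param->bypass_pinning; /* profiles without the key keep the pre-TSG-1719 behaviour */`; otherwise a `= 0` with a comment saying the bypass is opt-in would do. The field name `bypass_uninstall_cert_traffic` also does not match the key it stores; `bypass_root_cert_not_installed` would make the mapping easier to follow.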
@@ -458,22 +460,27 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
 assert(ret==0);
+ ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &app_staus);
+ assert(ret==0);
 ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
 assert(ret==0);
 ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
 ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
 ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
 assert(ret==0);
- if( (pinning_staus==1 && profile_param->bypass_pinning) ||
+
+ if ((pinning_staus==1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ||
+ (pinning_staus==1 && !app_staus && profile_param->bypass_pinning) ||
 (is_mauth && profile_param->bypass_mutual_auth) ||
 (is_ev && profile_param->bypass_ev_cert) ||
 (is_ct && profile_param->bypass_ct_cert) ||
 (has_error && profile_param->bypass_protocol_errors))
 {
 action=SSL_ACTION_PASSTHROUGH;
- TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
+ TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
 addr_string, sni, policy_param->policy_id,
- ((pinning_staus == 1 && profile_param->bypass_pinning) ? 1 : 0),
+ ((pinning_staus == 1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
+ ((pinning_staus == 1 && !app_staus && profile_param->bypass_pinning) ? 1 : 0),
 ((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
 ((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
 ((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
diff --git a/resource/pangu/pangu_http.json b/resource/pangu/pangu_http.json
index c974e6c..fefd843 100644
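Review bot: Each bypass predicate is now written twice, once in the `if` and once in the `TFE_LOG_DEBUG` argument list, and the two new ones (`app_staus && bypass_uninstall_cert_traffic`, `!app_staus && bypass_pinning`) bring that to six parallel pairs that must be kept in sync by hand. Computing each flag once and using it in both the condition and the log removes the duplication and guarantees that the logged reasons match the decision actually taken. `app_staus` also copies the `staus` misspelling from `pinning_staus`; if the existing name cannot be renamed here, at least the new one could be `app_status`. The enclosing `if` block and the TFE_LOG_DEBUG call continue outside the hunk.
```cpp
    ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
    assert(ret==0);
    // one flag per bypass reason, shared by the decision and the log below
    int by_uninstall_cert = (pinning_staus==1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0;
    int by_pinning = (pinning_staus==1 && !app_staus && profile_param->bypass_pinning) ? 1 : 0;
    int by_mauth = (is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0;
    int by_ev = (is_ev && profile_param->bypass_ev_cert) ? 1 : 0;
    int by_ct = (is_ct && profile_param->bypass_ct_cert) ? 1 : 0;
    int by_error = (has_error && profile_param->bypass_protocol_errors) ? 1 : 0;
    if (by_uninstall_cert || by_pinning || by_mauth || by_ev || by_ct || by_error)
    {
        action=SSL_ACTION_PASSTHROUGH;
        TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
            addr_string, sni, policy_param->policy_id,
            by_uninstall_cert, by_pinning, by_mauth, by_ev, by_ct, by_error);
```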
--- a/resource/pangu/pangu_http.json
+++ b/resource/pangu/pangu_http.json
@@ -315,9 +315,9 @@
 {
 "table_name": "TSG_PROFILE_DECRYPTION",
 "table_content": [
- "0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
- "3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
- "4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
+ "0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
+ "3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
+ "4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
 ]
 },
 {