TSG-1719 功能端增加 dynamic bypass 选项 trusted_root_cert_is_not_installed_on_client && TSG-1687 pinning 功能优化
@@ -127,7 +127,6 @@ struct ssl_mgr
|
||||
unsigned int no_alpn;
|
||||
unsigned int no_cert_verify;
|
||||
unsigned int no_mirror_client_cipher_suite;
|
||||
unsigned int root_cert_not_installed_is_not_pinning;
|
||||
|
||||
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
|
||||
int ssl_min_version, ssl_max_version;
|
||||
@@ -700,8 +699,6 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
{
|
||||
mgr->down_stek_box = sess_ticket_box_create(ev_base_gc, stek_group_num, stek_rotation_time, logger);
|
||||
}
|
||||
MESA_load_profile_uint_def(ini_profile, section, "root_cert_not_installed_is_not_pinning",
|
||||
&(mgr->root_cert_not_installed_is_not_pinning), 1);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_slots",
|
||||
&(mgr->svc_cache_slots), 4 * 1024 * 1024);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_expire_seconds",
|
||||
@@ -1413,7 +1410,10 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
|
||||
free(addr_string);
|
||||
addr_string=NULL;
|
||||
}
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
|
||||
if (svc_status->is_app_not_pinning)
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, PINNING_ST_NOT_PINNING);
|
||||
else
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
|
||||
if(ctx->mgr->on_new_upstream_cb)
|
||||
{
|
||||
s_stream->up_parts.action=ctx->mgr->on_new_upstream_cb(s_stream, ctx->mgr->upstream_cb_param);
|
||||
@@ -2113,15 +2113,10 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
}
|
||||
int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
|
||||
{
|
||||
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
|
||||
char * addr_str=NULL;
|
||||
const char * sni = (upstream->up_parts.client_hello->sni) ? (upstream->up_parts.client_hello->sni) : "null";
|
||||
struct ssl_service_status* svc=&upstream->up_parts.svc_status;
|
||||
struct ssl_mgr* mgr=upstream->mgr;
|
||||
struct tfe_cmsg *cmsg=NULL;
|
||||
UNUSED int ret=0;
|
||||
uint16_t out_size=0;
|
||||
int mod = 0;
|
||||
switch(opt_type)
|
||||
{
|
||||
case SSL_STREAM_OPT_IS_EV_CERT:
|
||||
@@ -2134,22 +2129,10 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
*opt_val=svc->is_mutual_auth;
|
||||
break;
|
||||
case SSL_STREAM_OPT_PINNING_STATUS:
|
||||
if(mgr->root_cert_not_installed_is_not_pinning && svc->is_app_not_pinning)
|
||||
{
|
||||
mod = 1;
|
||||
*opt_val=PINNING_ST_NOT_PINNING;
|
||||
}
|
||||
else
|
||||
{
|
||||
*opt_val=svc->cli_pinning_status;
|
||||
}
|
||||
|
||||
addr_str = tfe_stream_addr_to_str(upstream->tcp_stream->addr);
|
||||
tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
|
||||
TFE_LOG_DEBUG(g_default_logger, "c:%s:%s s:%s:%s, root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, %s pinning:%d, sni:%s",
|
||||
sip, sport, dip, dport, mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, (mod == 1) ? "mod" : "set", *opt_val, sni);
|
||||
free(addr_str);
|
||||
|
||||
*opt_val=svc->cli_pinning_status;
|
||||
break;
|
||||
case SSL_STREAM_OPT_APP_STATUS:
|
||||
*opt_val=svc->is_app_not_pinning;
|
||||
break;
|
||||
case SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
|
||||
*opt_val=svc->has_protocol_errors;
|
||||
|
||||
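Review bot: After this change the two ways of reading a stream's pinning state disagree: the `case SSL_STREAM_OPT_PINNING_STATUS:` getter at the end of the section now returns the raw `svc->cli_pinning_status`, while the cmsg written in peek_chello_on_succ (the `if (svc_status->is_app_not_pinning)` branch) reports `PINNING_ST_NOT_PINNING` whenever the app-status flag is set, and that override is now unconditional rather than gated by the removed `root_cert_not_installed_is_not_pinning` knob. A consumer that decides whether to bypass interception from `SSL_STREAM_OPT_PINNING_STATUS` can therefore reach a different answer than one reading `TFE_CMSG_SSL_PINNING_STATE` for the same stream; if the split is intended, document it at the case, e.g. `/* Raw measured state; the is_app_not_pinning override is applied only to TFE_CMSG_SSL_PINNING_STATE in peek_chello_on_succ. */`. The hunk in ssl_manager_init appears to drop the profile read of `root_cert_not_installed_is_not_pinning` with no replacement, so a deployed profile that still sets it to 0 now silently gets the override; a one-time warning when the key is still present (if the profile API can report that) would make the behaviour change visible to operators. Both ssl_stream_get_integer_opt and peek_chello_on_succ start outside their hunks, and the getter's switch continues past the last hunk.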