TSG-1719 功能端增加 dynamic bypass 选项 trusted_root_cert_is_not_installed_on_client && TSG-1687 pinning 功能优化
@@ -17,6 +17,7 @@ enum SSL_STREAM_OPT
|
|||||||
SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
|
||||||
|
SSL_STREAM_OPT_APP_STATUS, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
||||||
SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
|
SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
|
||||||
|
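Review bot: The new `SSL_STREAM_OPT_APP_STATUS` entry is documented only as `//0:FALSE, 1:TRUE.` and neither the name nor the comment says what is being reported; the getter added in this commit returns `svc->is_app_not_pinning`, and `ssl_policy_enforce` combines it with `SSL_STREAM_OPT_PINNING_STATUS` to decide between the "cert pinning" and "trusted root not installed on client" bypasses. A reader of the header cannot recover that from "APP_STATUS". Suggest `SSL_STREAM_OPT_APP_STATUS, //0:FALSE, 1:TRUE. Mirrors svc_status.is_app_not_pinning; only meaningful together with SSL_STREAM_OPT_PINNING_STATUS (see ssl_policy_enforce).` The enum begins before and ends after this hunk.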
|||||||
@@ -127,7 +127,6 @@ struct ssl_mgr
|
|||||||
unsigned int no_alpn;
|
unsigned int no_alpn;
|
||||||
unsigned int no_cert_verify;
|
unsigned int no_cert_verify;
|
||||||
unsigned int no_mirror_client_cipher_suite;
|
unsigned int no_mirror_client_cipher_suite;
|
||||||
unsigned int root_cert_not_installed_is_not_pinning;
|
|
||||||
|
|
||||||
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
|
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
|
||||||
int ssl_min_version, ssl_max_version;
|
int ssl_min_version, ssl_max_version;
|
||||||
@@ -700,8 +699,6 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
|||||||
{
|
{
|
||||||
mgr->down_stek_box = sess_ticket_box_create(ev_base_gc, stek_group_num, stek_rotation_time, logger);
|
mgr->down_stek_box = sess_ticket_box_create(ev_base_gc, stek_group_num, stek_rotation_time, logger);
|
||||||
}
|
}
|
||||||
MESA_load_profile_uint_def(ini_profile, section, "root_cert_not_installed_is_not_pinning",
|
|
||||||
&(mgr->root_cert_not_installed_is_not_pinning), 1);
|
|
||||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_slots",
|
MESA_load_profile_uint_def(ini_profile, section, "service_cache_slots",
|
||||||
&(mgr->svc_cache_slots), 4 * 1024 * 1024);
|
&(mgr->svc_cache_slots), 4 * 1024 * 1024);
|
||||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_expire_seconds",
|
MESA_load_profile_uint_def(ini_profile, section, "service_cache_expire_seconds",
|
||||||
@@ -1413,7 +1410,10 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
|
|||||||
free(addr_string);
|
free(addr_string);
|
||||||
addr_string=NULL;
|
addr_string=NULL;
|
||||||
}
|
}
|
||||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
|
if (svc_status->is_app_not_pinning)
|
||||||
|
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, PINNING_ST_NOT_PINNING);
|
||||||
|
else
|
||||||
|
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
|
||||||
if(ctx->mgr->on_new_upstream_cb)
|
if(ctx->mgr->on_new_upstream_cb)
|
||||||
{
|
{
|
||||||
s_stream->up_parts.action=ctx->mgr->on_new_upstream_cb(s_stream, ctx->mgr->upstream_cb_param);
|
s_stream->up_parts.action=ctx->mgr->on_new_upstream_cb(s_stream, ctx->mgr->upstream_cb_param);
|
||||||
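Review bot: The new `if (svc_status->is_app_not_pinning)` branch hard-codes into the `TFE_CMSG_SSL_PINNING_STATE` message what the removed `root_cert_not_installed_is_not_pinning` option used to gate, and it now disagrees with `ssl_stream_get_integer_opt` in the same commit, which returns the raw `cli_pinning_status` and exposes the app flag separately so that `ssl_policy_enforce` can tell the two cases apart. Consumers of the cmsg will see `PINNING_ST_NOT_PINNING` for a stream the policy layer treats as `pinning_status==1 && app_status`, so anything downstream that keys on the cmsg (logging, reporting) will under-count pinning; if that is intended it deserves a comment, otherwise emit the raw status and a second cmsg carrying `is_app_not_pinning`. Independently, both single-statement branches are unbraced, which the surrounding code does not do elsewhere; brace them and add `/* cmsg masks the not-installed-root-cert case; policy reads the raw status via SSL_STREAM_OPT_PINNING_STATUS */` so the divergence is explicit. The function continues outside the hunk.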
@@ -2113,15 +2113,10 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
|||||||
}
|
}
|
||||||
int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
|
int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
|
||||||
{
|
{
|
||||||
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
|
|
||||||
char * addr_str=NULL;
|
|
||||||
const char * sni = (upstream->up_parts.client_hello->sni) ? (upstream->up_parts.client_hello->sni) : "null";
|
|
||||||
struct ssl_service_status* svc=&upstream->up_parts.svc_status;
|
struct ssl_service_status* svc=&upstream->up_parts.svc_status;
|
||||||
struct ssl_mgr* mgr=upstream->mgr;
|
|
||||||
struct tfe_cmsg *cmsg=NULL;
|
struct tfe_cmsg *cmsg=NULL;
|
||||||
UNUSED int ret=0;
|
UNUSED int ret=0;
|
||||||
uint16_t out_size=0;
|
uint16_t out_size=0;
|
||||||
int mod = 0;
|
|
||||||
switch(opt_type)
|
switch(opt_type)
|
||||||
{
|
{
|
||||||
case SSL_STREAM_OPT_IS_EV_CERT:
|
case SSL_STREAM_OPT_IS_EV_CERT:
|
||||||
@@ -2134,22 +2129,10 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
|||||||
*opt_val=svc->is_mutual_auth;
|
*opt_val=svc->is_mutual_auth;
|
||||||
break;
|
break;
|
||||||
case SSL_STREAM_OPT_PINNING_STATUS:
|
case SSL_STREAM_OPT_PINNING_STATUS:
|
||||||
if(mgr->root_cert_not_installed_is_not_pinning && svc->is_app_not_pinning)
|
*opt_val=svc->cli_pinning_status;
|
||||||
{
|
break;
|
||||||
mod = 1;
|
case SSL_STREAM_OPT_APP_STATUS:
|
||||||
*opt_val=PINNING_ST_NOT_PINNING;
|
*opt_val=svc->is_app_not_pinning;
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
*opt_val=svc->cli_pinning_status;
|
|
||||||
}
|
|
||||||
|
|
||||||
addr_str = tfe_stream_addr_to_str(upstream->tcp_stream->addr);
|
|
||||||
tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
|
|
||||||
TFE_LOG_DEBUG(g_default_logger, "c:%s:%s s:%s:%s, root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, %s pinning:%d, sni:%s",
|
|
||||||
sip, sport, dip, dport, mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, (mod == 1) ? "mod" : "set", *opt_val, sni);
|
|
||||||
free(addr_str);
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
case SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
|
case SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
|
||||||
*opt_val=svc->has_protocol_errors;
|
*opt_val=svc->has_protocol_errors;
|
||||||
|
|||||||
@@ -46,6 +46,7 @@ struct decryption_param
|
|||||||
int bypass_ct_cert;
|
int bypass_ct_cert;
|
||||||
int bypass_mutual_auth;
|
int bypass_mutual_auth;
|
||||||
int bypass_pinning;
|
int bypass_pinning;
|
||||||
|
int bypass_uninstall_cert_traffic;
|
||||||
int bypass_protocol_errors;
|
int bypass_protocol_errors;
|
||||||
int no_verify_cn;
|
int no_verify_cn;
|
||||||
int no_verify_issuer;
|
int no_verify_issuer;
|
||||||
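Review bot: The new field `int bypass_uninstall_cert_traffic;` is undocumented and its name does not match the JSON key it is loaded from (`trusted_root_cert_is_not_installed_on_client`), so a maintainer grepping either name will not find the other. Suggest `int bypass_uninstall_cert_traffic; /* dynamic_bypass.trusted_root_cert_is_not_installed_on_client: pass through when PINNING_STATUS==1 and APP_STATUS is set (ssl_policy_enforce) */`. The struct definition starts before and ends after this hunk.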
@@ -317,7 +318,8 @@ void profile_param_new_cb(int table_id, const char* key, const char* table_line,
|
|||||||
if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
|
if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
|
||||||
item=cJSON_GetObjectItem(exclusions, "protocol_errors");
|
item=cJSON_GetObjectItem(exclusions, "protocol_errors");
|
||||||
if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
|
if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
|
||||||
|
item=cJSON_GetObjectItem(exclusions, "trusted_root_cert_is_not_installed_on_client");
|
||||||
|
if(item && item->type==cJSON_Number) param->bypass_uninstall_cert_traffic=item->valueint;
|
||||||
}
|
}
|
||||||
ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
|
ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
|
||||||
if(ssl_ver)
|
if(ssl_ver)
|
||||||
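Review bot: The new `trusted_root_cert_is_not_installed_on_client` key is honoured only when `item->type==cJSON_Number`; a JSON `true`/`false` (cJSON_True/cJSON_False) or a string is silently ignored and `bypass_uninstall_cert_traffic` keeps whatever value the struct had, which I cannot see being initialised in this hunk. Because this key turns TLS inspection off for a class of streams, a profile that misspells the type should be loud rather than silently fall back; suggest adding `else if(item) TFE_LOG_INFO(..., "trusted_root_cert_is_not_installed_on_client must be a number, ignoring");` after the assignment, or normalising `param->bypass_uninstall_cert_traffic = (item->valueint != 0);` so only 0/1 are stored. The same pattern applies to the neighbouring keys, so this may be a wider cleanup. `profile_param_new_cb` begins before and ends after the hunk.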
@@ -436,7 +438,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
|||||||
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
|
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
|
||||||
return SSL_ACTION_PASSTHROUGH;
|
return SSL_ACTION_PASSTHROUGH;
|
||||||
}
|
}
|
||||||
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
|
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, app_staus=0;
|
||||||
if(!profile_param->mirror_client_version)
|
if(!profile_param->mirror_client_version)
|
||||||
{
|
{
|
||||||
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
|
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
|
||||||
@@ -458,22 +460,27 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
|||||||
|
|
||||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
|
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
|
||||||
assert(ret==0);
|
assert(ret==0);
|
||||||
|
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &app_staus);
|
||||||
|
assert(ret==0);
|
||||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
|
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
|
||||||
assert(ret==0);
|
assert(ret==0);
|
||||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
|
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
|
||||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
|
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
|
||||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
|
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
|
||||||
assert(ret==0);
|
assert(ret==0);
|
||||||
if( (pinning_staus==1 && profile_param->bypass_pinning) ||
|
|
||||||
|
if ((pinning_staus==1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ||
|
||||||
|
(pinning_staus==1 && !app_staus && profile_param->bypass_pinning) ||
|
||||||
(is_mauth && profile_param->bypass_mutual_auth) ||
|
(is_mauth && profile_param->bypass_mutual_auth) ||
|
||||||
(is_ev && profile_param->bypass_ev_cert) ||
|
(is_ev && profile_param->bypass_ev_cert) ||
|
||||||
(is_ct && profile_param->bypass_ct_cert) ||
|
(is_ct && profile_param->bypass_ct_cert) ||
|
||||||
(has_error && profile_param->bypass_protocol_errors))
|
(has_error && profile_param->bypass_protocol_errors))
|
||||||
{
|
{
|
||||||
action=SSL_ACTION_PASSTHROUGH;
|
action=SSL_ACTION_PASSTHROUGH;
|
||||||
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
|
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
|
||||||
addr_string, sni, policy_param->policy_id,
|
addr_string, sni, policy_param->policy_id,
|
||||||
((pinning_staus == 1 && profile_param->bypass_pinning) ? 1 : 0),
|
((pinning_staus == 1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
|
||||||
|
((pinning_staus == 1 && !app_staus && profile_param->bypass_pinning) ? 1 : 0),
|
||||||
((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
|
((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
|
||||||
((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
|
((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
|
||||||
((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
|
((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
|
||||||
|
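Review bot: The PASSTHROUGH decision for the new `bypass_uninstall_cert_traffic` class is only reported by the `TFE_LOG_DEBUG` line below, so in a production build the set of streams that left the inspection path because a client was classified as "root cert not installed" is invisible; that classification comes from `SSL_STREAM_OPT_APP_STATUS`, a client-side heuristic, so a client that reproduces the same behaviour presumably gets the same uninspected treatment and operators should be able to see it happening. Suggest raising this line to `TFE_LOG_INFO`, matching the "Failed to get decryption parameter" message a few lines above, or adding an explicit counter per bypass reason. Minor: `app_staus` copies the existing `pinning_staus` misspelling; `app_status` would be clearer if the older name is ever fixed, and the `assert(ret==0)` after the new getter is the only error check, as with the existing ones. `ssl_policy_enforce` continues outside the hunk.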
|||||||
@@ -315,9 +315,9 @@
|
|||||||
{
|
{
|
||||||
"table_name": "TSG_PROFILE_DECRYPTION",
|
"table_name": "TSG_PROFILE_DECRYPTION",
|
||||||
"table_content": [
|
"table_content": [
|
||||||
"0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
|
"0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
|
||||||
"3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
|
"3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
|
||||||
"4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
|
"4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|||||||