TSG-1719 功能端增加 dynamic bypass 选项 trusted_root_cert_is_not_installed_on_client && TSG-1687 pinning 功能优化
This commit is contained in:
luwenpeng
@@ -17,6 +17,7 @@ enum SSL_STREAM_OPT
|
||||
SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
|
||||
SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
|
||||
SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
|
||||
SSL_STREAM_OPT_APP_STATUS, //0:FALSE, 1:TRUE.
|
||||
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
|
||||
SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
||||
SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
|
||||
|
||||
@@ -127,7 +127,6 @@ struct ssl_mgr
|
||||
unsigned int no_alpn;
|
||||
unsigned int no_cert_verify;
|
||||
unsigned int no_mirror_client_cipher_suite;
|
||||
unsigned int root_cert_not_installed_is_not_pinning;
|
||||
|
||||
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
|
||||
int ssl_min_version, ssl_max_version;
|
||||
@@ -700,8 +699,6 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
{
|
||||
mgr->down_stek_box = sess_ticket_box_create(ev_base_gc, stek_group_num, stek_rotation_time, logger);
|
||||
}
|
||||
MESA_load_profile_uint_def(ini_profile, section, "root_cert_not_installed_is_not_pinning",
|
||||
&(mgr->root_cert_not_installed_is_not_pinning), 1);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_slots",
|
||||
&(mgr->svc_cache_slots), 4 * 1024 * 1024);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_expire_seconds",
|
||||
@@ -1413,6 +1410,9 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
|
||||
free(addr_string);
|
||||
addr_string=NULL;
|
||||
}
|
||||
if (svc_status->is_app_not_pinning)
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, PINNING_ST_NOT_PINNING);
|
||||
else
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
|
||||
if(ctx->mgr->on_new_upstream_cb)
|
||||
{
|
||||
@@ -2113,15 +2113,10 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
}
|
||||
int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
|
||||
{
|
||||
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
|
||||
char * addr_str=NULL;
|
||||
const char * sni = (upstream->up_parts.client_hello->sni) ? (upstream->up_parts.client_hello->sni) : "null";
|
||||
struct ssl_service_status* svc=&upstream->up_parts.svc_status;
|
||||
struct ssl_mgr* mgr=upstream->mgr;
|
||||
struct tfe_cmsg *cmsg=NULL;
|
||||
UNUSED int ret=0;
|
||||
uint16_t out_size=0;
|
||||
int mod = 0;
|
||||
switch(opt_type)
|
||||
{
|
||||
case SSL_STREAM_OPT_IS_EV_CERT:
|
||||
@@ -2134,22 +2129,10 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
*opt_val=svc->is_mutual_auth;
|
||||
break;
|
||||
case SSL_STREAM_OPT_PINNING_STATUS:
|
||||
if(mgr->root_cert_not_installed_is_not_pinning && svc->is_app_not_pinning)
|
||||
{
|
||||
mod = 1;
|
||||
*opt_val=PINNING_ST_NOT_PINNING;
|
||||
}
|
||||
else
|
||||
{
|
||||
*opt_val=svc->cli_pinning_status;
|
||||
}
|
||||
|
||||
addr_str = tfe_stream_addr_to_str(upstream->tcp_stream->addr);
|
||||
tfe_stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
|
||||
TFE_LOG_DEBUG(g_default_logger, "c:%s:%s s:%s:%s, root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, %s pinning:%d, sni:%s",
|
||||
sip, sport, dip, dport, mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, (mod == 1) ? "mod" : "set", *opt_val, sni);
|
||||
free(addr_str);
|
||||
|
||||
break;
|
||||
case SSL_STREAM_OPT_APP_STATUS:
|
||||
*opt_val=svc->is_app_not_pinning;
|
||||
break;
|
||||
case SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
|
||||
*opt_val=svc->has_protocol_errors;
|
||||
|
||||
@@ -46,6 +46,7 @@ struct decryption_param
|
||||
int bypass_ct_cert;
|
||||
int bypass_mutual_auth;
|
||||
int bypass_pinning;
|
||||
int bypass_uninstall_cert_traffic;
|
||||
int bypass_protocol_errors;
|
||||
int no_verify_cn;
|
||||
int no_verify_issuer;
|
||||
@@ -317,7 +318,8 @@ void profile_param_new_cb(int table_id, const char* key, const char* table_line,
|
||||
if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
|
||||
item=cJSON_GetObjectItem(exclusions, "protocol_errors");
|
||||
if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
|
||||
|
||||
item=cJSON_GetObjectItem(exclusions, "trusted_root_cert_is_not_installed_on_client");
|
||||
if(item && item->type==cJSON_Number) param->bypass_uninstall_cert_traffic=item->valueint;
|
||||
}
|
||||
ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
|
||||
if(ssl_ver)
|
||||
@@ -436,7 +438,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
||||
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
|
||||
return SSL_ACTION_PASSTHROUGH;
|
||||
}
|
||||
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
|
||||
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, app_staus=0;
|
||||
if(!profile_param->mirror_client_version)
|
||||
{
|
||||
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
|
||||
@@ -458,22 +460,27 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
||||
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
|
||||
assert(ret==0);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &app_staus);
|
||||
assert(ret==0);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
|
||||
assert(ret==0);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
|
||||
assert(ret==0);
|
||||
if( (pinning_staus==1 && profile_param->bypass_pinning) ||
|
||||
|
||||
if ((pinning_staus==1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ||
|
||||
(pinning_staus==1 && !app_staus && profile_param->bypass_pinning) ||
|
||||
(is_mauth && profile_param->bypass_mutual_auth) ||
|
||||
(is_ev && profile_param->bypass_ev_cert) ||
|
||||
(is_ct && profile_param->bypass_ct_cert) ||
|
||||
(has_error && profile_param->bypass_protocol_errors))
|
||||
{
|
||||
action=SSL_ACTION_PASSTHROUGH;
|
||||
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
|
||||
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
|
||||
addr_string, sni, policy_param->policy_id,
|
||||
((pinning_staus == 1 && profile_param->bypass_pinning) ? 1 : 0),
|
||||
((pinning_staus == 1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
|
||||
((pinning_staus == 1 && !app_staus && profile_param->bypass_pinning) ? 1 : 0),
|
||||
((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
|
||||
((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
|
||||
((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
|
||||
|
||||
@@ -315,9 +315,9 @@
|
||||
{
|
||||
"table_name": "TSG_PROFILE_DECRYPTION",
|
||||
"table_content": [
|
||||
"0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
|
||||
"3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
|
||||
"4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
|
||||
"0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
|
||||
"3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
|
||||
"4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
|
||||
]
|
||||
},
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user