gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1. 客户端报SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN错误时,不作为maybe pinning; 2. ssl policy中增加protocol_errors的bypass开关。

Browse Source
This commit is contained in:
zhengchao
2019-05-21 11:47:09 +08:00
parent 1f73b4832d
commit 4cd42b9f95
5 changed files with 68 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/include/ssl_stream.h
View File

@@ -16,6 +16,7 @@ enum SSL_STREAM_OPT
SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
SSL_STREAM_OPT_NO_VERIFY_ISSUER, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.

2
platform/include/internal/ssl_service_cache.h
View File

@@ -13,6 +13,7 @@ struct ssl_service_status
char is_ev;
char is_ct;
char is_mutual_auth;
char has_protocol_errors;
};
struct ssl_service_cache;
@@ -25,6 +26,7 @@ struct ssl_service_cache_statistics
{
long long pinning_cli_cnt;
long long mutual_auth_cli_cnt;
long long proto_err_cli_cnt;
long long ev_srv_cnt;
long long ct_srv_cnt;
};

45
platform/src/ssl_service_cache.cpp
View File

@@ -5,11 +5,13 @@
#include <string.h>
#define FAIL_AS_PINNING_COUNT 4
#define FAIL_AS_PINNING_TIME 30
#define FAIL_TIME_WINDOW 30
#define FAIL_AS_PROTO_ERR_COUNT 5
struct ssl_svc_client_st
{
time_t last_update_time;
unsigned int fail_count;
unsigned int suspect_pinning_count;
unsigned int protocol_error_count;
char is_mutual_auth;
struct ssl_service_cache* ref_svc_cache;
};
@@ -40,7 +42,7 @@ static void ssl_svc_free_client_st(void * data)
{
svc_cache->stat.mutual_auth_cli_cnt--;
}
if(p->fail_count>=FAIL_AS_PINNING_COUNT)
if(p->suspect_pinning_count>=FAIL_AS_PINNING_COUNT)
{
svc_cache->stat.pinning_cli_cnt--;
}
@@ -80,11 +82,11 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use
{
return 0;
}
if(cli_st->fail_count==0)
if(cli_st->suspect_pinning_count==0)
{
result->pinning_status=PINNING_ST_NOT_PINNING;
}
else if(cli_st->fail_count<FAIL_AS_PINNING_COUNT)
else if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)
{
result->pinning_status=PINNING_ST_MAYBE_PINNING;
}
@@ -92,6 +94,10 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use
{
result->pinning_status=PINNING_ST_PINNING;
}
if(cli_st->protocol_error_count>=FAIL_AS_PROTO_ERR_COUNT)
{
result->has_protocol_errors=1;
}
result->is_mutual_auth=cli_st->is_mutual_auth;
return 1;
}
@@ -110,37 +116,44 @@ static long cli_st_write_cb(void * data, const uchar * key, uint size, void * us
ret = MESA_htable_add(cache->cli_st_hash, key, size, cli_st);
assert(ret >= 0);
}
if(cli_st->fail_count<FAIL_AS_PINNING_COUNT && cli_st->last_update_time-now>FAIL_AS_PINNING_TIME)
if(cli_st->last_update_time-now>FAIL_TIME_WINDOW)
{
cli_st->fail_count=0;
if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT) cli_st->suspect_pinning_count=0;
if(cli_st->protocol_error_count<FAIL_AS_PROTO_ERR_COUNT) cli_st->protocol_error_count=0;
}
if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->fail_count<FAIL_AS_PINNING_COUNT)
if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT)
{
if(status->pinning_status==PINNING_ST_PINNING)
{
cli_st->fail_count=FAIL_AS_PINNING_COUNT;
cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT;
}
else
{
cli_st->fail_count++;
cli_st->suspect_pinning_count++;
}
cli_st->last_update_time=now;
if(cli_st->fail_count==FAIL_AS_PINNING_COUNT)
if(cli_st->suspect_pinning_count==FAIL_AS_PINNING_COUNT)
{
cache->stat.pinning_cli_cnt++;
}
}
else if(status->pinning_status==PINNING_ST_PINNING)
{
cli_st->fail_count=FAIL_AS_PINNING_COUNT;
cli_st->last_update_time=now;
cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT;
}
if(status->has_protocol_errors)
{
cli_st->protocol_error_count++;
if(cli_st->protocol_error_count==FAIL_AS_PROTO_ERR_COUNT)
{
cache->stat.proto_err_cli_cnt++;
}
}
if(status->is_mutual_auth==1&&cli_st->is_mutual_auth==0)
{
cache->stat.mutual_auth_cli_cnt++;
cli_st->is_mutual_auth=1;
}
cli_st->last_update_time=now;
return 1;
}
@@ -224,7 +237,7 @@ void ssl_service_cache_write(struct ssl_service_cache* svc_cache, const struct s
return;
}
struct ssl_service_write_args write_args={svc_cache, status};
if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING)
if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING||status->has_protocol_errors)
{
cli_st_key_sz=ssl_svc_client_st_mk_key(chello, cli_st_key, sizeof(cli_st_key));
MESA_htable_search_cb(svc_cache->cli_st_hash, (unsigned char*)cli_st_key, (unsigned int) cli_st_key_sz, cli_st_write_cb, &write_args, &cli_st_cb_ret);

31
platform/src/ssl_stream.cpp
View File

@@ -1000,10 +1000,10 @@ unsigned long ssl_stream_log_error(struct bufferevent * bev, enum tfe_conn_dir d
default:
fs_id=-1;
}
ret_sslerr=ERR_GET_REASON(sslerr);
if(fs_id>=0)
{
mgr->stat_val[fs_id]++;
ret_sslerr=ERR_GET_REASON(sslerr);
}
if (!errno && !sslerr)
{
@@ -1100,10 +1100,16 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
const char* sni=s_upstream->client_hello->sni?s_upstream->client_hello->sni:"null";
long jiffies_ms;
char* addr_string=NULL;
unsigned long sslerr=0;
if (events & BEV_EVENT_ERROR)
{
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr);
sslerr=ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr);
if(sslerr)
{
s_stream->up_parts.svc_status.has_protocol_errors=1;
ssl_service_cache_write(mgr->svc_cache, s_stream->up_parts.client_hello, &(s_stream->up_parts.svc_status));
}
snprintf(error_str, sizeof(error_str), "connect to original server failed : sni=%s", sni);
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
}
@@ -1229,10 +1235,11 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
ret=ssl_service_cache_read(ctx->mgr->svc_cache, chello, svc_status);
if(ret==1)
{
TFE_LOG_DEBUG(ctx->mgr->logger, "SNI: %s service status pinning:%d, mauth:%d, ct:%d, ev:%d",
TFE_LOG_DEBUG(ctx->mgr->logger, "SNI: %s service status pinning:%d, mauth:%d, err:%d, ct:%d, ev:%d",
chello->sni,
svc_status->pinning_status,
svc_status->is_mutual_auth,
svc_status->has_protocol_errors,
svc_status->is_ct,
svc_status->is_ev);
}
@@ -1672,19 +1679,29 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
{
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
sslerr=ssl_stream_log_error(bev, CONN_DIR_DOWNSTREAM, mgr);
if(sslerr==SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN)
if(sslerr==SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN &&
s_upstream->is_server_cert_verify_passed &&
s_upstream->verify_result.is_hostmatched)
{
s_upstream->svc_status.pinning_status=PINNING_ST_PINNING;
ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, &s_upstream->svc_status);
}
else if(sslerr>0 && sslerr!=SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN)
{
s_upstream->svc_status.has_protocol_errors=1;
ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, &s_upstream->svc_status);
}
snprintf(error_str, sizeof(error_str), "connect to client failed : sni=%s", sni);
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
}
else if(events & BEV_EVENT_EOF)
{
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
s_stream->peer->up_parts.svc_status.pinning_status=PINNING_ST_MAYBE_PINNING;
if(!s_upstream->verify_result.is_hostmatched || !s_upstream->is_server_cert_verify_passed )
{
s_upstream->svc_status.pinning_status=PINNING_ST_MAYBE_PINNING;
ssl_service_cache_write(mgr->svc_cache, s_stream->peer->up_parts.client_hello, &(s_stream->peer->up_parts.svc_status));
}
snprintf(error_str, sizeof(error_str), "client side closed : sni=%s", sni);
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
}
@@ -2010,6 +2027,10 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
case SSL_STREAM_OPT_PINNING_STATUS:
*opt_val=svc->pinning_status;
break;
case SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
*opt_val=svc->has_protocol_errors;
break;
default:
return 0;
}

10
plugin/business/ssl-policy/src/ssl_policy.cpp
View File

@@ -21,6 +21,7 @@ struct intercept_param
int bypass_ct_cert;
int bypass_mutual_auth;
int bypass_pinning;
int bypass_protocol_errors;
int no_verify_cn;
int no_verify_issuer;
int no_verify_self_signed;
@@ -84,6 +85,9 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
if(item && item->type==cJSON_Number) param->bypass_mutual_auth=item->valueint;
item=cJSON_GetObjectItem(exclusions, "pinning");
if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
item=cJSON_GetObjectItem(exclusions, "protocol_errors");
if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
}
cert_verify=cJSON_GetObjectItem(json, "cert_verify");
if(cert_verify)
@@ -178,7 +182,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", param->policy_id);
return SSL_ACTION_PASSTHROUGH;
}
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0;
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
if(!param->mirror_client_version)
{
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, SSL3_VERSION);
@@ -200,11 +204,13 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
assert(ret==1);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
assert(ret=1);
if( (pinning_staus==1 && param->bypass_pinning) ||
(is_mauth && param->bypass_mutual_auth) ||
(is_ev && param->bypass_ev_cert) ||
(is_ct && param->bypass_ct_cert) )
(is_ct && param->bypass_ct_cert) ||
(has_error && param->bypass_protocol_errors))
{
action=SSL_ACTION_PASSTHROUGH;
}