gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-12548 TFE适配拦截策略的keyring_for_untrusted字段

Browse Source 
* keyring拆分为keyring_for_trusted与keyring_for_untrusted
This commit is contained in:
luwenpeng
2022-11-08 10:53:05 +08:00
parent d63b40db17
commit 87adce7cbf
4 changed files with 49 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
common/include/ssl_stream.h
View File

@@ -28,7 +28,8 @@ enum SSL_STREAM_OPT
SSL_STREAM_OPT_PROTOCOL_MIN_VERSION,
SSL_STREAM_OPT_PROTOCOL_MAX_VERSION,
SSL_STREAM_OPT_ENABLE_ALPN,
SSL_STREAM_OPT_KEYRING_ID,
SSL_STREAM_OPT_KEYRING_FOR_TRUSTED,
SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED,
SSL_STREAM_OPT_SNI, //VALUE is string
SSL_STREAM_OPT_ADDR //VALUE is string
};

21
platform/src/ssl_stream.cpp
View File

@@ -199,7 +199,8 @@ struct ssl_upstream_parts
struct ssl_service_status svc_status;
enum ssl_stream_action action;
int apln_enabled;
int keyring_id;
int keyring_for_trusted;
int keyring_for_untrusted;
struct ssl_chello * client_hello;
int is_server_cert_verify_passed;
};
@@ -2035,7 +2036,16 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
ctx->f_ask_keyring = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
ctx->is_origin_crt_verify_passed = upstream->up_parts.is_server_cert_verify_passed;
key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, upstream->up_parts.keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
int keyring_id = 0;
if (ctx->is_origin_crt_verify_passed)
{
keyring_id = upstream->up_parts.keyring_for_trusted;
}
else
{
keyring_id = upstream->up_parts.keyring_for_untrusted;
}
key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
evbase, dnsbase, evhttp);
return;
}
@@ -2154,8 +2164,11 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
case SSL_STREAM_OPT_ENABLE_ALPN:
upstream->up_parts.apln_enabled=opt_val;
break;
case SSL_STREAM_OPT_KEYRING_ID:
upstream->up_parts.keyring_id=opt_val;
case SSL_STREAM_OPT_KEYRING_FOR_TRUSTED:
upstream->up_parts.keyring_for_trusted=opt_val;
break;
case SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED:
upstream->up_parts.keyring_for_untrusted=opt_val;
break;
default:
assert(0);

34
plugin/business/ssl-policy/src/ssl_policy.cpp
View File

@@ -18,7 +18,8 @@ struct intercept_param
{
int policy_id;
int ref_cnt;
int keyring;
int keyring_for_trusted;
int keyring_for_untrusted;
int decryption_profile_id;
};
@@ -99,23 +100,41 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
param->bypass_pinning=1;
param->mirror_client_version=1;
*/
param->keyring=1;
param->keyring_for_trusted=1;
param->keyring_for_untrusted=0;
param->decryption_profile_id=0;
item=cJSON_GetObjectItem(json, "keyring");
item=cJSON_GetObjectItem(json, "keyring_for_trusted");
if(item)
{
if(item->type==cJSON_Number)
{
param->keyring=item->valueint;
param->keyring_for_trusted=item->valueint;
}
else if(item->type==cJSON_String)
{
param->keyring=atoi(item->valuestring);
param->keyring_for_trusted=atoi(item->valuestring);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring format", param->policy_id);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring_for_trusted format", param->policy_id);
}
}
item=cJSON_GetObjectItem(json, "keyring_for_untrusted");
if(item)
{
if(item->type==cJSON_Number)
{
param->keyring_for_untrusted=item->valueint;
}
else if(item->type==cJSON_String)
{
param->keyring_for_untrusted=atoi(item->valuestring);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring_for_untrusted format", param->policy_id);
}
}
@@ -380,7 +399,8 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
{
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
}
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_ID, policy_param->keyring);
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, policy_param->keyring_for_trusted);
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, policy_param->keyring_for_untrusted);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
assert(ret==0);

4
resource/pangu/pangu_http.json
View File

@@ -261,8 +261,8 @@
{
"table_name": "TSG_SECURITY_COMPILE",
"table_content": [
"0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
"4\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption\":0},\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":1234}}\t1\t2"
"0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":765,\"keyring_for_untrusted\":10,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
"4\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":1,\"keyring_for_untrusted\":10,\"decryption\":0},\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":1234}}\t1\t2"
]
},
{