TSG-4965 功能端通过界面下发的 JA3 Fingerprint 识别 Pinning APP 和未装根证书的 APP
This commit is contained in:
luwenpeng
@@ -18,24 +18,6 @@ struct intercept_param
|
||||
int policy_id;
|
||||
int ref_cnt;
|
||||
int keyring;
|
||||
/*
|
||||
int bypass_ev_cert;
|
||||
int bypass_ct_cert;
|
||||
int bypass_mutual_auth;
|
||||
int bypass_pinning;
|
||||
int bypass_protocol_errors;
|
||||
int no_verify_cn;
|
||||
int no_verify_issuer;
|
||||
int no_verify_self_signed;
|
||||
int no_verify_expry_date;
|
||||
int block_fake_cert;
|
||||
int ssl_min_version;
|
||||
int ssl_max_version;
|
||||
int allow_http2;
|
||||
int mirror_client_version;
|
||||
int decrypt_mirror_enabled;
|
||||
int mirror_profile_id;
|
||||
*/
|
||||
int decryption_profile_id;
|
||||
};
|
||||
|
||||
@@ -136,67 +118,6 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
exclusions=cJSON_GetObjectItem(json, "dynamic_bypass");
|
||||
if(exclusions)
|
||||
{
|
||||
item=cJSON_GetObjectItem(exclusions, "ev_cert");
|
||||
if(item && item->type==cJSON_Number) param->bypass_ev_cert=item->valueint;
|
||||
item=cJSON_GetObjectItem(exclusions, "cert_transparency");
|
||||
if(item && item->type==cJSON_Number) param->bypass_ct_cert=item->valueint;
|
||||
item=cJSON_GetObjectItem(exclusions, "mutual_authentication");
|
||||
if(item && item->type==cJSON_Number) param->bypass_mutual_auth=item->valueint;
|
||||
item=cJSON_GetObjectItem(exclusions, "cert_pinning");
|
||||
if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
|
||||
item=cJSON_GetObjectItem(exclusions, "protocol_errors");
|
||||
if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
|
||||
|
||||
}
|
||||
cert_verify=cJSON_GetObjectItem(json, "certificate_checks");
|
||||
if(cert_verify)
|
||||
{
|
||||
approach=cJSON_GetObjectItem(cert_verify, "approach");
|
||||
if(approach)
|
||||
{
|
||||
item=cJSON_GetObjectItem(approach, "cn");
|
||||
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;
|
||||
item=cJSON_GetObjectItem(approach, "issuer");
|
||||
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_issuer=1;
|
||||
item=cJSON_GetObjectItem(approach, "self-signed");
|
||||
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_self_signed=1;
|
||||
item=cJSON_GetObjectItem(approach, "expiration");
|
||||
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_expry_date=1;
|
||||
}
|
||||
item=cJSON_GetObjectItem(cert_verify, "fail_action");
|
||||
if(item && item->type==cJSON_String)
|
||||
{
|
||||
if(0==strcasecmp(item->valuestring, "Fail-Close"))
|
||||
{
|
||||
param->block_fake_cert=1;
|
||||
}
|
||||
}
|
||||
}
|
||||
ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
|
||||
if(ssl_ver)
|
||||
{
|
||||
item=cJSON_GetObjectItem(ssl_ver, "mirror_client");
|
||||
if(item && item->type==cJSON_Number) param->mirror_client_version=item->valueint;
|
||||
if(!param->mirror_client_version)
|
||||
{
|
||||
item=cJSON_GetObjectItem(ssl_ver, "min");
|
||||
if(item && item->type==cJSON_String) param->ssl_min_version=sslver_str2num(item->valuestring);
|
||||
item=cJSON_GetObjectItem(ssl_ver, "max");
|
||||
if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
|
||||
if(param->ssl_min_version<0||param->ssl_max_version<0)
|
||||
{
|
||||
param->mirror_client_version=1;
|
||||
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: ssl version = %s", item->valuestring);
|
||||
}
|
||||
}
|
||||
item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
|
||||
if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
|
||||
}
|
||||
*/
|
||||
item=cJSON_GetObjectItem(json, "decryption");
|
||||
if(item)
|
||||
{
|
||||
@@ -438,7 +359,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
||||
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
|
||||
return SSL_ACTION_PASSTHROUGH;
|
||||
}
|
||||
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, app_staus=0;
|
||||
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, ja3_pinning_status=0;
|
||||
if(!profile_param->mirror_client_version)
|
||||
{
|
||||
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
|
||||
@@ -460,7 +381,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
||||
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
|
||||
assert(ret==0);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &app_staus);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_JA3_PINNING_STATUS, &ja3_pinning_status);
|
||||
assert(ret==0);
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
|
||||
assert(ret==0);
|
||||
@@ -469,23 +390,23 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
||||
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
|
||||
assert(ret==0);
|
||||
|
||||
if ((pinning_staus==1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ||
|
||||
(pinning_staus==1 && !app_staus && profile_param->bypass_pinning) ||
|
||||
(is_mauth && profile_param->bypass_mutual_auth) ||
|
||||
(is_ev && profile_param->bypass_ev_cert) ||
|
||||
(is_ct && profile_param->bypass_ct_cert) ||
|
||||
(has_error && profile_param->bypass_protocol_errors))
|
||||
{
|
||||
if ((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) ||
|
||||
((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) ||
|
||||
(is_mauth && profile_param->bypass_mutual_auth) ||
|
||||
(is_ev && profile_param->bypass_ev_cert) ||
|
||||
(is_ct && profile_param->bypass_ct_cert) ||
|
||||
(has_error && profile_param->bypass_protocol_errors))
|
||||
{
|
||||
action=SSL_ACTION_PASSTHROUGH;
|
||||
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
|
||||
addr_string, sni, policy_param->policy_id,
|
||||
((pinning_staus == 1 && app_staus && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
|
||||
((pinning_staus == 1 && !app_staus && profile_param->bypass_pinning) ? 1 : 0),
|
||||
((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
|
||||
((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
|
||||
((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
|
||||
((has_error && profile_param->bypass_protocol_errors) ? 1 : 0));
|
||||
}
|
||||
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
|
||||
addr_string, sni, policy_param->policy_id,
|
||||
((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
|
||||
(((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) ? 1 : 0),
|
||||
((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
|
||||
((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
|
||||
((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
|
||||
((has_error && profile_param->bypass_protocol_errors) ? 1 : 0));
|
||||
}
|
||||
else
|
||||
{
|
||||
action=SSL_ACTION_INTERCEPT;
|
||||
|
||||
Reference in New Issue
Block a user