bugfix: TSG-8003 预防证书链投毒

* 中间证书缓存openssl rebuild trust chain中可惜的中间证书, 不缓存服务端发送证书链中的证书
2021-11-02 22:27:56 +08:00
parent f84e993217
commit cb15d3340f
6 changed files with 82 additions and 18 deletions
--- a/common/include/ssl_stream.h
+++ b/common/include/ssl_stream.h
@@ -44,3 +44,5 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT  opt_type, int *opt_val);
 int ssl_stream_get_string_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, char* in_buff, size_t sz);

+unsigned int is_ssl_debug();
+
--- a/conf/tfe/tfe.conf
+++ b/conf/tfe/tfe.conf
@@ -52,7 +52,7 @@ timeout_cnt_as_fail=3
 timeout_debug=0

 [ssl]
-ssl_ja3_debug=0
+ssl_debug=0
 ssl_ja3_table=PXY_SSL_FINGERPRINT
 # ssl version Not available, configured via TSG website
 # ssl_max_version=tls13
--- a/platform/include/internal/ssl_utils.h
+++ b/platform/include/internal/ssl_utils.h
@@ -180,7 +180,7 @@ int ssl_tls_clienthello_parse(const unsigned char *, ssize_t, int,

 int ssl_dnsname_match(const char *, size_t, const char *, size_t);
 char * ssl_wildcardify(const char *);
-
+void ssl_chain_dump(const char *sni, const char *chain_type, STACK_OF(X509) *chain);

 enum chello_parse_result
 {
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -47,7 +47,7 @@

 static int SSL_CTX_EX_DATA_IDX_SSLMGR;
 static int SSL_EX_DATA_IDX_SSLSTREAM;
-static unsigned int ssl_ja3_debug;
+static unsigned int ssl_debug;

 #define MAX_NET_RETRIES        50
 #define	LATENCY_WARNING_THRESHOLD_MS		1000
@@ -289,6 +289,12 @@ struct fs_spec
 	enum ssl_stream_stat id;
 	const char* name;
 };
+
+unsigned int is_ssl_debug()
+{
+	return ssl_debug;
+}
+
 int sslver_str2num(const char * version_str)
 {
 	int sslversion = -1;
@@ -634,7 +640,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 		goto error_out;
 	}

-    MESA_load_profile_uint_def(ini_profile, section, "ssl_ja3_debug", &(ssl_ja3_debug), 0);
+    MESA_load_profile_uint_def(ini_profile, section, "ssl_debug", &(ssl_debug), 0);
    MESA_load_profile_string_def(ini_profile, section, "ssl_min_version", version_str, sizeof(version_str), "ssl3");
 	mgr->ssl_min_version = sslver_str2num(version_str);

@@ -820,7 +826,7 @@ static void peek_client_hello_cb(evutil_socket_t fd, short what, void * arg)
 	{
 		case CHELLO_PARSE_SUCCESS:
 		{
-            if (ssl_ja3_debug)
+            if (is_ssl_debug())
            {
                char *addr = tfe_string_addr_create_by_fd(fd, CONN_DIR_DOWNSTREAM);
                struct ssl_ja3 *fingerprint = ssl_ja3_generate_fingerprint(buf, n);
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -1,6 +1,7 @@

 #include "ssl_trusted_cert_storage.h"
 #include "ssl_fetch_cert.h"
+#include "ssl_stream.h"
 #include "MESA_htable_aux.h"
 #include <MESA/MESA_htable.h>

@@ -473,23 +474,36 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 		ret=1;
 	}

-	TFE_LOG_DEBUG(g_default_logger,
-		"sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
-		(hostname ? hostname : "NULL"),
-		((param->real_untrust & 0xff) ? 1 : 0),
-		((param->real_untrust & 0x01) ? 1 : 0),
-		((param->real_untrust & 0x02) ? 1 : 0),
-		((param->real_untrust & 0x04) ? 1 : 0),
-		((param->real_untrust & 0x08) ? 1 : 0),
-		((param->real_untrust & 0x10) ? 1 : 0));
+	if (is_ssl_debug())
+	{
+		TFE_LOG_DEBUG(g_default_logger,
+			"sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d, verify_other_fail:%d",
+			(hostname ? hostname : "NULL"),
+			((param->real_untrust & 0xff) ? 1 : 0),
+			((param->real_untrust & 0x01) ? 1 : 0),
+			((param->real_untrust & 0x02) ? 1 : 0),
+			((param->real_untrust & 0x04) ? 1 : 0),
+			((param->real_untrust & 0x08) ? 1 : 0),
+			((param->real_untrust & 0x10) ? 1 : 0));
+		ssl_chain_dump(hostname, "server_chain", cert_chain);
+	}

    // case cert verify success 
-	if (param->real_untrust == 0) {
-		ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname);
+	if (param->real_untrust == 0)
+	{
+		STACK_OF(X509) *trust_chain = X509_STORE_CTX_get1_chain(ctx);
+		if (trust_chain)
+		{
+			if (is_ssl_debug())
+			{
+				ssl_chain_dump(hostname, "trust_chain", trust_chain);
+			}
+			ssl_fetch_trusted_cert_from_chain(trust_chain, storage->effective_store, hostname);
+			sk_X509_pop_free(trust_chain, X509_free);
+        }
 	}

 	X509_STORE_CTX_free(ctx);
 	pthread_rwlock_unlock(&(storage->rwlock));
 	return ret;
-}
-
+}
--- a/platform/src/ssl_utils.cpp
+++ b/platform/src/ssl_utils.cpp
@@ -2395,3 +2395,45 @@ struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len,
 	}
 }

+void ssl_chain_dump(const char *sni, const char *chain_type, STACK_OF(X509) *chain)
+{
+	int j = 0;
+	char *subj = NULL;
+	char *issuer = NULL;
+	char *fingerprint = NULL;
+	X509 *cert = NULL;
+
+	if (chain == NULL)
+	{
+		return;
+	}
+
+	for (j = 0; j < sk_X509_num(chain); j++)
+	{
+		cert = sk_X509_value(chain, j);
+		if (cert == NULL)
+			continue;
+
+		subj = ssl_x509_subject(cert);
+		issuer = ssl_x509_issuer(cert);
+		fingerprint = ssl_x509_fingerprint(cert, 0);
+
+		TFE_LOG_DEBUG(g_default_logger, "sni:%s chain_type:%s depth=%d: subject:%s issuer:%s fingerprint:%s",
+			sni ? sni : "null", chain_type, j, subj ? subj : "null", issuer ? issuer : "null", fingerprint ? fingerprint : "null");
+		if (subj)
+		{
+			free(subj);
+			subj = NULL;
+		}
+		if (issuer)
+		{
+			free(issuer);
+			issuer = NULL;
+		}
+		if (fingerprint)
+		{
+			free(fingerprint);
+			fingerprint = NULL;
+		}
+	}
+}