Merge branch 'feature-root-cert-not-installed-is-not-pinning' into develop-tfe4a
增加 not install root cert not pinning 功能 当开启 dynamic bypass pinning 时,未安装根证书的客户端会被 bypass
@@ -104,7 +104,7 @@ enum ssl_stream_stat
|
||||
SSL_SVC_MAUTH,
|
||||
SSL_SVC_CT_CERT,
|
||||
SSL_SVC_EV_CERT,
|
||||
|
||||
SSL_SVC_APP_NOT_PINNING,
|
||||
SSL_STAT_MAX
|
||||
};
|
||||
|
||||
@@ -121,6 +121,7 @@ struct ssl_mgr
|
||||
unsigned int no_alpn;
|
||||
unsigned int no_cert_verify;
|
||||
unsigned int no_mirror_client_cipher_suite;
|
||||
unsigned int root_cert_not_installed_is_not_pinning;
|
||||
|
||||
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
|
||||
int ssl_min_version, ssl_max_version;
|
||||
@@ -133,6 +134,7 @@ struct ssl_mgr
|
||||
unsigned int svc_expire_seconds;
|
||||
unsigned int svc_fail_as_pinning_cnt;
|
||||
unsigned int svc_fail_as_proto_err_cnt;
|
||||
unsigned int svc_succ_as_app_not_pinning_cnt;
|
||||
unsigned int svc_cnt_time_window;
|
||||
|
||||
struct sess_cache * down_sess_cache;
|
||||
@@ -358,7 +360,7 @@ ssl_stream_gc_cb(evutil_socket_t fd, short what, void * arg)
|
||||
mgr->stat_val[SSL_SVC_MAUTH]=svc_stat.mutual_auth_cli_cnt;
|
||||
mgr->stat_val[SSL_SVC_CT_CERT]=svc_stat.ct_srv_cnt;
|
||||
mgr->stat_val[SSL_SVC_EV_CERT]=svc_stat.ev_srv_cnt;
|
||||
|
||||
mgr->stat_val[SSL_SVC_APP_NOT_PINNING]=svc_stat.app_not_pinning_cnt;
|
||||
for(i=0;i<SSL_STAT_MAX;i++)
|
||||
{
|
||||
FS_operate(mgr->fs_handle, mgr->fs_id[i], 0, FS_OP_SET, ATOMIC_READ(&(mgr->stat_val[i])));
|
||||
@@ -414,7 +416,8 @@ void ssl_stat_init(struct ssl_mgr * mgr)
|
||||
spec[SSL_SVC_MAUTH]="ssl_mauth";
|
||||
spec[SSL_SVC_CT_CERT]="ssl_ct_crt";
|
||||
spec[SSL_SVC_EV_CERT]="ssl_ev_crt";
|
||||
|
||||
spec[SSL_SVC_APP_NOT_PINNING]="app_no_pinning";
|
||||
|
||||
|
||||
for(i=0;i<SSL_STAT_MAX;i++)
|
||||
{
|
||||
@@ -682,7 +685,8 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
{
|
||||
mgr->down_stek_box = sess_ticket_box_create(ev_base_gc, stek_group_num, stek_rotation_time, logger);
|
||||
}
|
||||
|
||||
MESA_load_profile_uint_def(ini_profile, section, "root_cert_not_installed_is_not_pinning",
|
||||
&(mgr->root_cert_not_installed_is_not_pinning), 1);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_slots",
|
||||
&(mgr->svc_cache_slots), 4 * 1024 * 1024);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_expire_seconds",
|
||||
@@ -691,12 +695,15 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
&(mgr->svc_fail_as_pinning_cnt), 4);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_fail_as_proto_err_cnt",
|
||||
&(mgr->svc_fail_as_proto_err_cnt), 5);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_succ_as_app_not_pinning_cnt",
|
||||
&(mgr->svc_succ_as_app_not_pinning_cnt), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "service_cache_fail_time_window",
|
||||
&(mgr->svc_cnt_time_window), 30);
|
||||
|
||||
mgr->svc_cache=ssl_service_cache_create(mgr->svc_cache_slots, mgr->svc_expire_seconds,
|
||||
mgr->svc_fail_as_pinning_cnt,
|
||||
mgr->svc_fail_as_proto_err_cnt,
|
||||
mgr->svc_succ_as_app_not_pinning_cnt,
|
||||
mgr->svc_cnt_time_window);
|
||||
|
||||
mgr->key_keeper = key_keeper_init(ini_profile, "key_keeper", logger);
|
||||
@@ -1185,7 +1192,7 @@ void ssl_stream_process_error(struct ssl_stream * s_stream, unsigned long sslerr
|
||||
&& s_upstream->is_server_cert_verify_passed
|
||||
&& s_upstream->verify_result.is_hostmatched)
|
||||
{
|
||||
s_upstream->svc_status.pinning_status=PINNING_ST_PINNING;
|
||||
s_upstream->svc_status.cli_pinning_status=PINNING_ST_PINNING;
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, PINNING_ST_PINNING);
|
||||
ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, s_stream->tcp_stream->addr, &s_upstream->svc_status);
|
||||
}
|
||||
@@ -1217,7 +1224,7 @@ void ssl_stream_process_zero_eof(struct ssl_stream * s_stream, struct ssl_mgr* m
|
||||
s_upstream=&s_stream->peer->up_parts;
|
||||
if(s_upstream->verify_result.is_hostmatched && s_upstream->is_server_cert_verify_passed )
|
||||
{
|
||||
s_upstream->svc_status.pinning_status=PINNING_ST_MAYBE_PINNING;
|
||||
s_upstream->svc_status.cli_pinning_status=PINNING_ST_MAYBE_PINNING;
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, PINNING_ST_MAYBE_PINNING);
|
||||
ssl_service_cache_write(mgr->svc_cache, s_stream->peer->up_parts.client_hello, s_stream->tcp_stream->addr, &(s_stream->peer->up_parts.svc_status));
|
||||
}
|
||||
@@ -1389,7 +1396,7 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
|
||||
TFE_LOG_DEBUG(ctx->mgr->logger, "%s %s service status pinning:%d, mauth:%d, err:%d, ct:%d, ev:%d",
|
||||
addr_string,
|
||||
chello->sni,
|
||||
svc_status->pinning_status,
|
||||
svc_status->cli_pinning_status,
|
||||
svc_status->is_mutual_auth,
|
||||
svc_status->has_protocol_errors,
|
||||
svc_status->is_ct,
|
||||
@@ -1397,7 +1404,7 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
|
||||
free(addr_string);
|
||||
addr_string=NULL;
|
||||
}
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->pinning_status);
|
||||
ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_PINNING_STATE, svc_status->cli_pinning_status);
|
||||
if(ctx->mgr->on_new_upstream_cb)
|
||||
{
|
||||
s_stream->up_parts.action=ctx->mgr->on_new_upstream_cb(s_stream, ctx->mgr->upstream_cb_param);
|
||||
@@ -1851,7 +1858,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
|
||||
}
|
||||
else if(events & BEV_EVENT_EOF)
|
||||
{
|
||||
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
|
||||
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
|
||||
ssl_stream_process_zero_eof(s_stream, mgr);
|
||||
}
|
||||
else if(events & BEV_EVENT_TIMEOUT)
|
||||
@@ -1882,6 +1889,10 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
|
||||
}
|
||||
s_stream->negotiated_version=SSL_version(s_stream->ssl);
|
||||
ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_CLIENT_SIDE_VERSION, SSL_get_version(s_stream->ssl));
|
||||
// struct ssl_service_status svc_status;
|
||||
// memset(&svc_status, 0, sizeof(svc_status));
|
||||
// svc_status.is_app_not_pinning=1;
|
||||
// ssl_service_cache_write(mgr->svc_cache, s_upstream->client_hello, s_stream->tcp_stream->addr, &svc_status);
|
||||
promise_success(p, ctx);
|
||||
}
|
||||
|
||||
@@ -2117,6 +2128,22 @@ void ssl_stream_free_and_close_fd(struct ssl_stream * s_stream, struct event_bas
|
||||
fd=bufferevent_getfd(bev);
|
||||
assert(fd==s_stream->_do_not_use.fd);
|
||||
unsigned long sslerr=0;
|
||||
|
||||
if (s_stream->dir == CONN_DIR_UPSTREAM)
|
||||
{
|
||||
size_t rx_offset_this_time = 0;
|
||||
int ret = tfe_stream_info_get(s_stream->tcp_stream, INFO_FROM_UPSTREAM_RX_OFFSET, &rx_offset_this_time, sizeof(rx_offset_this_time));
|
||||
if (ret >= 0 && rx_offset_this_time > 100)
|
||||
{
|
||||
struct ssl_service_status svc_status;
|
||||
memset(&svc_status, 0, sizeof(svc_status));
|
||||
svc_status.is_app_not_pinning = 1;
|
||||
ssl_service_cache_write(s_stream->mgr->svc_cache, s_stream->up_parts.client_hello, s_stream->tcp_stream->addr, &svc_status);
|
||||
}
|
||||
const char * sni = (s_stream->up_parts.client_hello && s_stream->up_parts.client_hello->sni) ? s_stream->up_parts.client_hello->sni : "null";
|
||||
TFE_LOG_DEBUG(g_default_logger, "ssl up stream close, rx_offset:%d, sni:%s", rx_offset_this_time, sni);
|
||||
}
|
||||
|
||||
if(errno)
|
||||
{
|
||||
sslerr=ssl_stream_log_error(bev, s_stream->dir, s_stream->mgr);
|
||||
@@ -2205,7 +2232,9 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
}
|
||||
int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
|
||||
{
|
||||
const char * sni = (upstream->up_parts.client_hello->sni) ? (upstream->up_parts.client_hello->sni) : "null";
|
||||
struct ssl_service_status* svc=&upstream->up_parts.svc_status;
|
||||
struct ssl_mgr* mgr=upstream->mgr;
|
||||
struct tfe_cmsg *cmsg=NULL;
|
||||
UNUSED int ret=0;
|
||||
uint16_t out_size=0;
|
||||
@@ -2221,7 +2250,18 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
||||
*opt_val=svc->is_mutual_auth;
|
||||
break;
|
||||
case SSL_STREAM_OPT_PINNING_STATUS:
|
||||
*opt_val=svc->pinning_status;
|
||||
if(mgr->root_cert_not_installed_is_not_pinning && svc->is_app_not_pinning)
|
||||
{
|
||||
TFE_LOG_DEBUG(g_default_logger, "ssl svc client root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, mod pinning:%d, sni:%s",
|
||||
mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, PINNING_ST_NOT_PINNING, sni);
|
||||
*opt_val=PINNING_ST_NOT_PINNING;
|
||||
}
|
||||
else
|
||||
{
|
||||
TFE_LOG_DEBUG(g_default_logger, "ssl svc client root_cert_not_installed_is_not_pinning:%d, is_app_not_pinning:%d, cli_pinning_status:%d, set pinning:%d, sni:%s",
|
||||
mgr->root_cert_not_installed_is_not_pinning, svc->is_app_not_pinning, svc->cli_pinning_status, svc->cli_pinning_status, sni);
|
||||
*opt_val=svc->cli_pinning_status;
|
||||
}
|
||||
break;
|
||||
case SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
|
||||
*opt_val=svc->has_protocol_errors;
|
||||
|
||||
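Review bot: The cache write in ssl_stream_free_and_close_fd (`memset(&svc_status, 0, ...)`, `svc_status.is_app_not_pinning = 1;`, `ssl_service_cache_write(..., &svc_status)`) hands the cache a freshly zeroed record, so if ssl_service_cache_write stores the whole struct rather than merging fields, every earlier result for that service (pinning_status, cli_pinning_status, is_mutual_auth, is_ct, ...) is reset to zero on each upstream close that received more than 100 bytes; confirm the cache's semantics, or start from a copy of `s_stream->up_parts.svc_status` and only set the flag on it. The `rx_offset_this_time > 100` threshold also measures what the upstream server sent, not whether the client finished its handshake against the interception certificate, so a client that pinned and aborted after the intercepted ServerHello can presumably still tag the service as app-not-pinning — the client-connected path where the commented-out write sat is where that signal is actually known, so the move is worth re-checking. `TFE_LOG_DEBUG(g_default_logger, "ssl up stream close, rx_offset:%d, ...", rx_offset_this_time, sni)` passes a `size_t` to `%d`, which is undefined behaviour under -Wformat; use `%zu`. In the ssl_stream_get_integer_opt hunk, `upstream->up_parts.client_hello->sni` is dereferenced without the `client_hello &&` guard this hunk uses, so the same `(c && c->sni) ? c->sni : "null"` form belongs there too. ssl_stream_free_and_close_fd continues past the hunk, so the `errno` handling that follows was not reviewed.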