TSG-4030 Security Event Logs 中的 SSL.Intercept State 为 Passthrough 时，并未说明引起 Passthrough 的原因

(当命中 tcp passthrough 时，将 ssl_intercept_status 设置为 passthrough)

common/include/ssl_stream.h

@@ -1,5 +1,6 @@
 #pragma once
 #include <stdlib.h>
+#include <tfe_cmsg.h>
 struct ssl_stream;
 
 enum ssl_stream_action
@@ -44,5 +45,7 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT  opt_type, int *opt_val);
 int ssl_stream_get_string_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, char* in_buff, size_t sz);
 
+void ssl_stream_set_cmsg_string(struct ssl_stream *stream, enum tfe_cmsg_tlv_type type, const char *value_str);
+
 unsigned int is_ssl_debug();
 

common/include/tfe_cmsg.h

@@ -1,5 +1,7 @@
 #pragma once
 
+#include <stdint.h>
+
 struct tfe_cmsg;
 struct tfe_cmsg_serialize_header;
 
@@ -87,6 +89,7 @@ enum tfe_cmsg_tlv_type
     TFE_CMSG_FQDN_CAT_ID_VAL, // max size 8 * sizeof(unsigned int)
 
     TFE_CMSG_COMMON_DIRECTION,
+    TFE_CMSG_SSL_PASSTHROUGH_REASON, // string max size 32
     /* Add new cmsg here */
     /* Add new cmsg here */
     /* Add new cmsg here */

common/src/tfe_cmsg.cpp

@@ -62,6 +62,17 @@ int tfe_cmsg_set(struct tfe_cmsg * cmsg, enum tfe_cmsg_tlv_type type, const unsi
 	}
 	struct tfe_cmsg_tlv *tlv = cmsg->tlvs[type];
 	uint16_t length = sizeof(struct tfe_cmsg_tlv) + size;
+
+	// If the current tlv has been set, the previous value will be overwritten
+	if (NULL != tlv)
+	{
+		cmsg->nr_tlvs--;
+		cmsg->size -= tlv->length;
+		cmsg->tlvs[type] = NULL;
+		free(tlv);
+		tlv = NULL;
+	}
+	
 	if(tlv == NULL)
 	{
 		tlv = (struct tfe_cmsg_tlv*)ALLOC(char, length);

common/test/test_cmsg.cpp

@@ -10,48 +10,70 @@
 
 int main()
 {
-    return 0;
+	///////////////////////////////////////////////////////////////////////////
-}
+	// Set CMSG (If the current tlv has been set, the previous value will be overwritten)
+	///////////////////////////////////////////////////////////////////////////
 
-/*
+	struct tfe_cmsg *cmsg_encode = tfe_cmsg_init();
-int main(){
-	//init
-	struct tfe_cmsg *cmsg = tfe_cmsg_init();
 
-	//set
+	// set TFE_CMSG_TCP_RESTORE_SEQ
-	uint32_t value = 0x12345678;
+	uint32_t set_number_value = 0x12345678;
-	int ret = tfe_cmsg_set(cmsg, TFE_CMSG_TCP_RESTORE_SEQ, (const unsigned char*)(&value), 4);
+	uint16_t set_number_length = 4;
-	printf("tfe_cmsg_set: ret is %d\n", ret);
+	int ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_TCP_RESTORE_SEQ, (const unsigned char *)(&set_number_value), set_number_length);
+	assert(ret == 0);
 
-	//get TCP_RESTORE_INFO_TLV_SEQ
+	// set TFE_CMSG_SSL_PASSTHROUGH_REASON
-	uint16_t size = -1;
+	char set_string_value_tcp[] = "TCP Passthrough";
-	unsigned char *value1 = NULL;
+	char set_string_value_ct[] = "Certificate Transparency";
-	ret = tfe_cmsg_get(cmsg, TFE_CMSG_TCP_RESTORE_SEQ, &size, &value1);
+	char set_string_value_ev[] = "EV Certificate";
-	printf("tfe_cmsg_get: ret is %d, type is TCP_RESTORE_INFO_TLV_SEQ, value is 0x%02x, value_size is %d\n", ret, ((uint32_t*)value1)[0], size);
+	ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&set_string_value_tcp, strlen(set_string_value_tcp));
+	assert(ret == 0);
+	ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&set_string_value_ct, strlen(set_string_value_ct));
+	assert(ret == 0);
+	ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&set_string_value_ev, strlen(set_string_value_ev));
+	assert(ret == 0);
 
-	//get_serialize_size
+	// Get buff size
-	size = tfe_cmsg_serialize_size_get(cmsg);
+	uint16_t buff_size = tfe_cmsg_serialize_size_get(cmsg_encode);
-	printf("tfe_cmsg_serialize_size_get: size is %d\n", size);
+	printf("cmsg_encode: buff_size %d\n", buff_size);
 
-	//serialize
+	// Serialize
-	unsigned char buff[size];
+	unsigned char *temp_buff = ALLOC(unsigned char, buff_size);
 	uint16_t serialize_len = -1;
-	ret = tfe_cmsg_serialize(cmsg, buff, size, &serialize_len);
+	ret = tfe_cmsg_serialize(cmsg_encode, temp_buff, buff_size, &serialize_len);
-	printf("tfe_cmsg_serialize: ret is %d, serialize_len is %d, serialize result is:   ", ret, serialize_len);
+	assert(ret == 0);
-	for(int i = 0; i < serialize_len; i++){
+	printf("cmsg_encode after serialize, len: %d data: ", serialize_len);
-		printf("%02x ", buff[i]);
+	for (int i = 0; i < serialize_len; i++)
+	{
+		printf("%02x ", temp_buff[i]);
 	}
 	printf("\n");
 
-	//deserialize
+	tfe_cmsg_destroy(cmsg_encode);
-	struct tfe_cmsg *cmsg1 = NULL;
-	ret = tfe_cmsg_deserialize(buff, serialize_len, &cmsg1);
-	printf("tfe_cmsg_deserialize: ret is %d\n", ret);
 
-	//get TCP_RESTORE_INFO_TLV_SEQ
+	///////////////////////////////////////////////////////////////////////////
-	size = -1;
+	// Get CMSG
-	unsigned char *value2 = NULL;
+	///////////////////////////////////////////////////////////////////////////
-	ret = tfe_cmsg_get(cmsg1, TFE_CMSG_TCP_RESTORE_SEQ, &size, &value2);
+
-	printf("tfe_cmsg_get: ret is %d, type is TCP_RESTORE_INFO_TLV_SEQ, value is 0x%02x, value_size is %d\n", ret, ((uint32_t*)value2)[0], size);
+	struct tfe_cmsg *cmsg_decode = NULL;
-}
+	ret = tfe_cmsg_deserialize(temp_buff, serialize_len, &cmsg_decode);
-*/
+	assert(ret == 0);
+
+	// get TCP_RESTORE_INFO_TLV_SEQ
+	uint32_t get_number_value = 0;
+	uint16_t get_number_length = 0;
+	ret = tfe_cmsg_get_value(cmsg_decode, TFE_CMSG_TCP_RESTORE_SEQ, (unsigned char *)&get_number_value, sizeof(get_number_value), &get_number_length);
+	assert(ret == 0);
+	printf("cmsg_decode: TCP_RESTORE_INFO_TLV_SEQ, value is 0x%02x, size is %d\n", get_number_value, get_number_length);
+
+	// get TFE_CMSG_SSL_PASSTHROUGH_REASON
+	unsigned char get_string_value[32] = {0};
+	uint16_t get_string_len = 0;
+	ret = tfe_cmsg_get_value(cmsg_decode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (unsigned char *)&get_string_value, sizeof(get_string_value), &get_string_len);
+	assert(ret == 0);
+	printf("cmsg_decode: TFE_CMSG_SSL_PASSTHROUGH_REASON, value is %s, size is %d\n", get_string_value, get_string_len);
+
+	tfe_cmsg_destroy(cmsg_decode);
+
+	return 0;
+}

platform/include/internal/ssl_stream_core.h

@@ -26,7 +26,6 @@ void ssl_manager_destroy(struct ssl_mgr * mgr);
 unsigned long ssl_stream_log_error(struct bufferevent * bev, enum tfe_conn_dir dir, struct ssl_mgr* mgr);
 void ssl_stream_process_error(struct ssl_stream * s_stream, unsigned long sslerr, struct ssl_mgr* mgr);
 const char* ssl_stream_get_error_string(enum ssl_stream_error error);
-void ssl_stream_set_cmsg_string(struct ssl_stream *stream, enum tfe_cmsg_tlv_type type, const char *value_str);
 void ssl_stream_process_zero_eof(struct ssl_stream *s_stream, struct ssl_mgr *mgr);
 
 enum ssl_stream_action ssl_upstream_create_result_release_action(future_result_t * result);

platform/src/proxy.cpp

@@ -192,10 +192,13 @@ int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstr
 	if (unlikely(ctx->tcp_all_passthrough) || tcp_passthrough > 0)
 	{
 		bool __true = true;
+		uint64_t ssl_intercept_status = SSL_ACTION_PASSTHROUGH;
 		enum tfe_stream_proto __session_type = STREAM_PROTO_PLAIN;
 
 		tfe_stream_option_set(stream, TFE_STREAM_OPT_PASSTHROUGH, &__true, sizeof(__true));
 		tfe_stream_option_set(stream, TFE_STREAM_OPT_SESSION_TYPE, &__session_type, sizeof(__session_type));
+		tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)"TCP Passthrough", (uint16_t)strlen("TCP Passthrough"));
+		tfe_cmsg_set(cmsg, TFE_CMSG_SSL_INTERCEPT_STATE, (const unsigned char *)&ssl_intercept_status, (uint16_t)sizeof(ssl_intercept_status));
 	}
     TFE_LOG_DEBUG(ctx->logger, "%p: fetch tcp options: cmsg's tcp_passthrough: %d, conf's tcp_passthrough: %d, enalbe passthrough: %d",
                   stream, tcp_passthrough, ctx->tcp_all_passthrough, (ctx->tcp_all_passthrough > 0 || tcp_passthrough > 0) ? 1 : 0);

platform/src/ssl_stream.cpp

@@ -1476,6 +1476,7 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
 	if (ATOMIC_READ(&certstore_is_unavailable) > 3)
 	{
 		s_stream->up_parts.action=SSL_ACTION_PASSTHROUGH;
+		ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certstore Unavailable");
 		TFE_LOG_ERROR(ctx->mgr->logger, "CertStore is unavailable, PASSTHROUGH");
 	}
 	

plugin/business/ssl-policy/src/ssl_policy.cpp

@@ -5,6 +5,7 @@
 #include <openssl/ssl.h>
 #include <assert.h>
 #include <tfe_resource.h>
+#include <tfe_cmsg.h>
 
 struct ssl_policy_enforcer
 {
@@ -343,6 +344,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	if(policy_param==NULL)
 	{
 		TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", policy_id);
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param");
 		return SSL_ACTION_PASSTHROUGH;
 	}
 	else
@@ -357,6 +359,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	if (profile_param==NULL)
 	{
 		TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Decryption Param");
 		return SSL_ACTION_PASSTHROUGH;
 	}
 	int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, ja3_pinning_status=0;
@@ -390,26 +393,45 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
 	assert(ret==0);
 
-    if ((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) ||
+	if (pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic)
-        ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) ||
+	{
-        (is_mauth && profile_param->bypass_mutual_auth) ||
+		action = SSL_ACTION_PASSTHROUGH;
-        (is_ev && profile_param->bypass_ev_cert) ||
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed");
-        (is_ct && profile_param->bypass_ct_cert) ||
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id);
-        (has_error && profile_param->bypass_protocol_errors))
+	}
-    {
+	else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
-		action=SSL_ACTION_PASSTHROUGH;
+	{
-        TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
+		action = SSL_ACTION_PASSTHROUGH;
-                      addr_string, sni, policy_param->policy_id,
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning");
-                      ((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id);
-                      (((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) ? 1 : 0),
+	}
-                      ((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
+	else if (is_mauth && profile_param->bypass_mutual_auth)
-                      ((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
+	{
-                      ((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
+		action = SSL_ACTION_PASSTHROUGH;
-                      ((has_error && profile_param->bypass_protocol_errors) ? 1 : 0));
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Mutual Authentication");
-    }
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id);
+	}
+	else if (is_ev && profile_param->bypass_ev_cert)
+	{
+		action = SSL_ACTION_PASSTHROUGH;
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "EV Certificate");
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id);
+	}
+	else if (is_ct && profile_param->bypass_ct_cert)
+	{
+		action = SSL_ACTION_PASSTHROUGH;
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Transparency");
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id);
+	}
+	else if (has_error && profile_param->bypass_protocol_errors)
+	{
+		action = SSL_ACTION_PASSTHROUGH;
+		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Protocol Errors");
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id);
+	}
 	else
 	{
-		action=SSL_ACTION_INTERCEPT;
+		action = SSL_ACTION_INTERCEPT;
 	}
 
 	intercept_param_free(policy_param);