1. 暴露ssl_stream.h给业务层；2. 将ssl policy功能放到业务层插件目录。

2019-05-20 15:08:42 +08:00
parent 7cbd432a25
commit e4291c0fda
13 changed files with 104 additions and 86 deletions
--- a/platform/src/proxy.cpp
+++ b/platform/src/proxy.cpp
@@ -38,14 +38,16 @@
 #include <MESA/MESA_prof_load.h>
 #include <MESA/field_stat2.h>
 #include <tfe_plugin.h>
-#include <ssl_policy.h>
+
+extern struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger);
+extern enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para);
+

 static int signals[] = {SIGHUP, SIGPIPE, SIGUSR1};

 /* Global Resource */
 void * g_default_logger = NULL;
 struct tfe_proxy * g_default_proxy = NULL;
-extern Maat_feather_t g_business_maat;
 /* Per thread resource */
 thread_local unsigned int __currect_thread_id = 0;
 thread_local void * __currect_default_logger = NULL;
@@ -417,7 +419,7 @@ int main(int argc, char * argv[])
 	}
 	//ugly here. g_business_maat is available after plugin initiate.
 	
-	g_default_proxy->ssl_ply_enforcer=ssl_policy_enforcer_create(g_business_maat, g_default_logger);
+	g_default_proxy->ssl_ply_enforcer=ssl_policy_enforcer_create(g_default_logger);
 	ssl_manager_set_new_upstream_cb(g_default_proxy->ssl_mgr_handler, ssl_policy_enforce, g_default_proxy->ssl_ply_enforcer);
 	ret = tfe_proxy_work_thread_run(g_default_proxy);
 	CHECK_OR_EXIT(ret == 0, "Failed at creating thread. Exit.");
--- a/platform/src/ssl_policy.cpp
+++ b/platform/src/ssl_policy.cpp
@@ -1,216 +0,0 @@
-#include <ssl_stream.h>
-#include <ssl_utils.h>
-#include <tfe_utils.h>
-#include <openssl/ssl.h>
-#include <MESA/Maat_rule.h>
-#include <cjson/cJSON.h>
-
-struct ssl_policy_enforcer
-{
-	Maat_feather_t maat;
-	int table_id;
-	void* logger;
-};
-struct intercept_param
-{
-	int policy_id;
-	int ref_cnt;
-	int keyring;
-	int bypass_ev_cert;
-	int bypass_ct_cert;
-	int bypass_mutual_auth;
-	int bypass_pinning;
-	int no_verify_cn;
-	int no_verify_issuer;
-	int no_verify_self_signed;
-	int no_verify_expry_date;
-	int block_fake_cert;
-	int ssl_min_version;
-	int ssl_max_version;
-	int mirror_client_version;
-	int decrypt_mirror_enabled;
-	int mirror_profile_id;
-};
-
-void intercept_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp)
-{
-	struct intercept_param* param= (struct intercept_param*) *from;
-	param->ref_cnt++;
-	*to = param;
-	return;
-}
-void intercept_param_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
-{
-	int ret=0;
-	size_t intercept_user_region_offset=0, len=0;
-	char* json_str=NULL;
-	cJSON *json=NULL, *exclusions=NULL, *cert_verify=NULL, *approach=NULL, *ssl_ver=NULL, *item=NULL;
-	struct intercept_param* param=NULL;
-
-	struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
-	ret=Maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
-	if(ret<0)
-	{	
-		TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
-		return;
-	}	
-	json_str=ALLOC(char, len+1);
-	memcpy(json_str, table_line+intercept_user_region_offset, len);	
-	json=cJSON_Parse(json_str);
-	if(json==NULL)
-	{
-		TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
-		goto error_out;
-	}
-	param=ALLOC(struct intercept_param, 1);	
-	param->policy_id=atoi(key);
-	param->ref_cnt=1;
-	param->bypass_mutual_auth=1;
-	param->bypass_pinning=1;
-	
-	item=cJSON_GetObjectItem(json, "keyring");
-	if(item && item->type==cJSON_Number) param->keyring=item->valueint;
-	
-	exclusions=cJSON_GetObjectItem(json, "exclusions");
-	if(exclusions)
-	{
-		item=cJSON_GetObjectItem(exclusions, "ev_cert");
-		if(item && item->type==cJSON_Number) param->bypass_ev_cert=item->valueint;
-		item=cJSON_GetObjectItem(exclusions, "cert_transparency");
-		if(item && item->type==cJSON_Number) param->bypass_ct_cert=item->valueint;
-		item=cJSON_GetObjectItem(exclusions, "client_cert_req");
-		if(item && item->type==cJSON_Number) param->bypass_mutual_auth=item->valueint;
-		item=cJSON_GetObjectItem(exclusions, "pinning");
-		if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
-	}
-	cert_verify=cJSON_GetObjectItem(json, "cert_verify");
-	if(cert_verify)
-	{
-		approach=cJSON_GetObjectItem(cert_verify, "approach");
-		if(approach)
-		{
-			item=cJSON_GetObjectItem(approach, "cn");
-			if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;			
-			item=cJSON_GetObjectItem(approach, "issuer");
-			if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_issuer=1;
-			item=cJSON_GetObjectItem(approach, "self-signed");
-			if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_self_signed=1;
-			item=cJSON_GetObjectItem(approach, "expiration");
-			if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_expry_date=1;
-		}
-		item=cJSON_GetObjectItem(exclusions, "fail_method");
-		if(item && item->type==cJSON_String)
-		{
-			if(0==strcasecmp(item->string, "Fail-Close"))
-			{
-				param->block_fake_cert=1;
-			}
-		}
-	}
-	ssl_ver=cJSON_GetObjectItem(json, "ssl_ver");
-	if(ssl_ver)
-	{		
-		item=cJSON_GetObjectItem(ssl_ver, "mirror_client");	
-		if(item && item->type==cJSON_String) param->mirror_client_version=item->valueint;
-		if(!param->mirror_client_version)
-		{
-			item=cJSON_GetObjectItem(ssl_ver, "min");	
-			if(item && item->type==cJSON_String) param->ssl_min_version=sslver_str2num(item->string);
-			item=cJSON_GetObjectItem(ssl_ver, "max");	
-			if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->string);
-		}
-	}
-	*ad=param;
-	TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
-error_out:	
-	cJSON_Delete(json);
-	free(json_str);
-	return;
-}
-void intercept_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
-{
-	struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
-	struct intercept_param* param= (struct intercept_param*) *ad;
-	param->ref_cnt--;
-	if(param->ref_cnt==0)
-	{
-		free(param);
-		TFE_LOG_INFO(enforcer->logger, "Del intercept policy %d", param->policy_id);
-		free(*ad);
-		*ad=NULL;
-	}
-}
-void intercept_param_free(struct intercept_param* param)
-{
-	intercept_param_free_cb(0, (void**)&param, 0, NULL);
-	return;
-}
-struct ssl_policy_enforcer* ssl_policy_enforcer_create(Maat_feather_t maat, void* logger)
-{
-	struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
-	enforcer->maat=maat;
-	enforcer->logger=logger;
-	enforcer->table_id=Maat_table_register(enforcer->maat, "PXY_INTERCEPT_COMPILE");
-	int ret=Maat_plugin_EX_register(enforcer->maat, 
-							enforcer->table_id,
-							intercept_param_new_cb,							
-							intercept_param_free_cb,
-							intercept_param_dup_cb,
-							NULL,
-							0,
-							enforcer);
-	assert(ret==1);
-	return enforcer;
-}
-enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para)
-{
-	UNUSED struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)u_para;
-	struct intercept_param *param=NULL;
-	enum ssl_stream_action action=SSL_ACTION_PASSTHROUGH;
-	UNUSED int ret=0;
-	int policy_id=0;
-	char policy_id_str[16]={0};
-	snprintf(policy_id_str, sizeof(policy_id_str), "%d", policy_id);
-	param=(struct intercept_param *)Maat_plugin_get_EX_data(enforcer->maat, enforcer->table_id, policy_id_str);
-	if(param==NULL)
-	{
-		TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", param->policy_id);
-		return SSL_ACTION_PASSTHROUGH;
-	}
-	int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0;
- 	if(!param->mirror_client_version)
-	{
-		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, SSL3_VERSION);
-		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, TLS1_3_VERSION);
-	}
-	ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, param->no_verify_cn);
-	ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, param->no_verify_issuer);
-	ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, param->no_verify_self_signed);
-	ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE, param->no_verify_expry_date);
-	if(param->block_fake_cert)
-	{
-		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
-	}
-	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
-	assert(ret==1);
-	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
-	assert(ret==1);
-	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
-	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
-	assert(ret=1);
-	if( (pinning_staus>1 && param->bypass_pinning) ||
-		(is_mauth && param->bypass_mutual_auth) ||
-		(is_ev && param->bypass_ev_cert) ||
-		(is_ct && param->bypass_ct_cert) )
-	{
-		action=SSL_ACTION_PASSTHROUGH;
-	}
-	else
-	{
-		action=SSL_ACTION_INTERCEPT;
-	}
-	intercept_param_free(param);
-	param=NULL;
-	return action;
-}
-
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -266,6 +266,46 @@ struct fs_spec
 	enum ssl_stream_stat id;
 	const char* name;
 };
+int sslver_str2num(const char * version_str)
+{
+	int sslversion = -1;
+
+	assert(OPENSSL_VERSION_NUMBER >= 0x10100000L);
+
+	/*
+	 * Support for SSLv2 and the corresponding SSLv2_method(),
+	 * SSLv2_server_method() and SSLv2_client_method() functions were
+	 * removed in OpenSSL 1.1.0.
+	 */
+	if (!strcmp(version_str, "ssl3"))
+	{
+		sslversion = SSL3_VERSION;
+	}
+	else if (!strcmp(version_str, "tls10") || !strcmp(version_str, "tls1"))
+	{
+		sslversion = TLS1_VERSION;
+	}
+	else if (!strcmp(version_str, "tls11"))
+	{
+		sslversion = TLS1_1_VERSION;
+	}
+	else if (!strcmp(version_str, "tls12"))
+	{
+		sslversion = TLS1_2_VERSION;
+	}
+	else if (!strcmp(version_str, "tls13"))
+	{
+		sslversion = TLS1_3_VERSION;
+	}
+
+	else
+	{
+		sslversion = -1;
+	}
+
+	return sslversion;
+}
+
 /*
 * Garbage collection handler.
 */
@@ -411,7 +451,6 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
 {

 	UNUSED int ret = 0;
-	const unsigned char* selected_alpn=peer->alpn_selected;

 	struct ssl_stream * s_stream = ALLOC(struct ssl_stream, 1);
 	s_stream->dir = dir;
@@ -427,7 +466,7 @@ struct ssl_stream * ssl_stream_new(struct ssl_mgr * mgr, evutil_socket_t fd, enu
 			assert(peer!=NULL);
 			ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_DOWN_NEW]));
 			s_stream->down_parts.keyring = kyr;
-			s_stream->ssl = downstream_ssl_create(mgr, kyr, peer->negotiated_version, selected_alpn);
+			s_stream->ssl = downstream_ssl_create(mgr, kyr, peer->negotiated_version, peer->alpn_selected);
 			break;
 		case CONN_DIR_UPSTREAM:
 			ATOMIC_INC(&(s_stream->mgr->stat_val[SSL_UP_NEW]));
--- a/platform/src/ssl_utils.cpp
+++ b/platform/src/ssl_utils.cpp
@@ -151,45 +151,7 @@ void ssl_openssl_version(void)
 #endif /* !SSL_OP_TLS_ROLLBACK_BUG */
 	fprintf(stderr, "\n");
 }
-int sslver_str2num(const char * version_str)
-{
-	int sslversion = -1;

-	assert(OPENSSL_VERSION_NUMBER >= 0x10100000L);
-
-	/*
-	 * Support for SSLv2 and the corresponding SSLv2_method(),
-	 * SSLv2_server_method() and SSLv2_client_method() functions were
-	 * removed in OpenSSL 1.1.0.
-	 */
-	if (!strcmp(version_str, "ssl3"))
-	{
-		sslversion = SSL3_VERSION;
-	}
-	else if (!strcmp(version_str, "tls10") || !strcmp(version_str, "tls1"))
-	{
-		sslversion = TLS1_VERSION;
-	}
-	else if (!strcmp(version_str, "tls11"))
-	{
-		sslversion = TLS1_1_VERSION;
-	}
-	else if (!strcmp(version_str, "tls12"))
-	{
-		sslversion = TLS1_2_VERSION;
-	}
-	else if (!strcmp(version_str, "tls13"))
-	{
-		sslversion = TLS1_3_VERSION;
-	}
-
-	else
-	{
-		sslversion = -1;
-	}
-
-	return sslversion;
-}

 /*
 * 1 if OpenSSL has been initialized, 0 if not.  When calling a _load()