拦截策略支持allow_http2的开关;恢复cmakelist漏掉的HTTP2的编译开关。
@@ -16,14 +16,15 @@ enum SSL_STREAM_OPT
|
|||||||
SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_IS_CT_CERT, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_IS_MUTUAL_AUTH, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_PINNING_STATUS, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
|
SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, //0:FALSE, 1:TRUE.
|
||||||
SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
||||||
SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
|
SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:1.
|
||||||
SSL_STREAM_OPT_NO_VERIFY_ISSUER, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
SSL_STREAM_OPT_NO_VERIFY_ISSUER, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
||||||
SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE, //VALUE is an interger, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.
|
||||||
SSL_STREAM_OPT_BLOCK_FAKE_CERT, //VALUE is an interger, SIZE=sizeof(int). 1:PASSTHROUGH, 0:BLOCK. DEFAULT:1.
|
SSL_STREAM_OPT_BLOCK_FAKE_CERT, //VALUE is an interger, SIZE=sizeof(int). 1:PASSTHROUGH, 0:BLOCK. DEFAULT:1.
|
||||||
SSL_STREAM_OPT_PROTOCOL_MIN_VERSION,
|
SSL_STREAM_OPT_PROTOCOL_MIN_VERSION,
|
||||||
SSL_STREAM_OPT_PROTOCOL_MAX_VERSION,
|
SSL_STREAM_OPT_PROTOCOL_MAX_VERSION,
|
||||||
|
SSL_STREAM_OPT_ENABLE_ALPN,
|
||||||
SSL_STREAM_OPT_KEYRING_ID
|
SSL_STREAM_OPT_KEYRING_ID
|
||||||
};
|
};
|
||||||
int sslver_str2num(const char * version_str);
|
int sslver_str2num(const char * version_str);
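Review bot: The new enumerator `SSL_STREAM_OPT_ENABLE_ALPN,` is the only option in this enum without the trailing comment that states the value type, the ON/OFF meaning and the default, which the neighbouring entries all carry. Since the enforcement path only ever sets it to 1 and the default therefore depends on how the stream is initialised, the missing default is the part a reader most needs. Suggested form, matching the surrounding style: `SSL_STREAM_OPT_ENABLE_ALPN, //VALUE is an integer, SIZE=sizeof(int). 1:ON, 0:OFF. DEFAULT:0.` with the DEFAULT value confirmed against the stream initialisation code before committing it.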
|
||||||
|
|||||||
@@ -26,6 +26,10 @@ if(ENABLE_PLUGIN_HTTP)
|
|||||||
target_link_libraries(tfe -Wl,--whole-archive http -Wl,--no-whole-archive)
|
target_link_libraries(tfe -Wl,--whole-archive http -Wl,--no-whole-archive)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
if(ENABLE_PLUGIN_HTTP2)
|
||||||
|
target_link_libraries(tfe -Wl,--whole-archive http2 -Wl,--no-whole-archive)
|
||||||
|
endif()
|
||||||
|
|
||||||
if(ENABLE_PLUGIN_DECRYPT_MIRRORING)
|
if(ENABLE_PLUGIN_DECRYPT_MIRRORING)
|
||||||
target_link_libraries(tfe -Wl,--whole-archive decrypt-mirroring -Wl,--no-whole-archive)
|
target_link_libraries(tfe -Wl,--whole-archive decrypt-mirroring -Wl,--no-whole-archive)
|
||||||
endif()
|
endif()
|
||||||
|
|||||||
@@ -182,6 +182,7 @@ struct ssl_upstream_parts
|
|||||||
char block_fake_cert;
|
char block_fake_cert;
|
||||||
struct ssl_service_status svc_status;
|
struct ssl_service_status svc_status;
|
||||||
enum ssl_stream_action action;
|
enum ssl_stream_action action;
|
||||||
|
int apln_enabled;
|
||||||
int keyring_id;
|
int keyring_id;
|
||||||
struct ssl_chello * client_hello;
|
struct ssl_chello * client_hello;
|
||||||
int is_server_cert_verify_passed;
|
int is_server_cert_verify_passed;
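Review bot: The new field name `apln_enabled` transposes the letters of ALPN; every read and write of it in the upstream_ossl_init, downstream_ossl_init and ssl_stream_set_integer_opt hunks repeats the misspelling, and it will be hard to grep next to the existing `no_alpn` and `alpn` identifiers. Suggest `int alpn_enabled;` here and at those uses. It is not visible in this hunk whether `struct ssl_upstream_parts` is zero-initialised when a stream is created; if it is not, the flag is indeterminate for any policy that does not set it, which matters because the enforce path only writes 1 and never 0.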
|
||||||
@@ -892,7 +893,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
|
|||||||
{
|
{
|
||||||
SSL_set_tlsext_host_name(ssl, chello->sni);
|
SSL_set_tlsext_host_name(ssl, chello->sni);
|
||||||
}
|
}
|
||||||
if (chello->alpn && !mgr->no_alpn)
|
if (chello->alpn && s_stream->up_parts.apln_enabled)
|
||||||
{
|
{
|
||||||
ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
|
ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
|
||||||
assert(ret==0);
|
assert(ret==0);
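Review bot: The changed condition replaces the manager-wide `!mgr->no_alpn` with the per-stream `s_stream->up_parts.apln_enabled`, so the global no-ALPN switch is no longer consulted on the upstream side at all. If `mgr->no_alpn` is meant as an operator kill switch (for example to disable HTTP/2 negotiation across all policies), a per-policy allow_http2 now silently overrides it; if the intent is that the policy flag fully supersedes it, the now-unused manager field should be removed so the two do not diverge. Keeping both is one line: `if (chello->alpn && !mgr->no_alpn && s_stream->up_parts.apln_enabled)`. upstream_ossl_init starts and ends outside this hunk.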
|
||||||
@@ -1603,7 +1604,7 @@ void downstream_ossl_init(struct ssl_stream *s_stream)
|
|||||||
SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
|
SSL_CTX_set_tmp_ecdh(sslctx, ecdh);
|
||||||
EC_KEY_free(ecdh);
|
EC_KEY_free(ecdh);
|
||||||
}
|
}
|
||||||
if(!mgr->no_alpn && selected_alpn)
|
if(s_stream->peer->up_parts.apln_enabled && selected_alpn)
|
||||||
{
|
{
|
||||||
SSL_CTX_set_alpn_select_cb(sslctx, alpn_select_proto_cb, (void*)selected_alpn);
|
SSL_CTX_set_alpn_select_cb(sslctx, alpn_select_proto_cb, (void*)selected_alpn);
|
||||||
}
|
}
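Review bot: The new condition `if(s_stream->peer->up_parts.apln_enabled && selected_alpn)` dereferences `s_stream->peer`, which the replaced condition did not touch; nothing in the hunk shows that the peer is guaranteed to be attached when downstream_ossl_init runs. If a downstream stream can be initialised before its upstream peer exists (or after the peer is torn down), this is a NULL dereference in the TLS setup path. If that ordering is guaranteed, an `assert(s_stream->peer);` before the check documents it; otherwise guard it explicitly, `if(s_stream->peer && s_stream->peer->up_parts.apln_enabled && selected_alpn)`. The function body continues outside the hunk on both sides.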
|
||||||
@@ -1992,7 +1993,7 @@ void ssl_manager_reset_trust_ca(struct ssl_mgr* mgr)
|
|||||||
int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val)
|
int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int opt_val)
|
||||||
{
|
{
|
||||||
struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param);
|
struct cert_verify_param *verify_param=&(upstream->up_parts.verify_param);
|
||||||
|
assert(upstream->dir==CONN_DIR_UPSTREAM);
|
||||||
switch(opt_type)
|
switch(opt_type)
|
||||||
{
|
{
|
||||||
case SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED:
|
case SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED:
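Review bot: The added `assert(upstream->dir==CONN_DIR_UPSTREAM);` is compiled out under NDEBUG, so in a release build a caller passing a downstream stream would fall through and write `up_parts` fields (keyring_id, the new ALPN flag, verify_param) on the wrong object with no diagnostic. Since the function already returns an int status, a runtime check is cheap; the return convention for failure is not visible in this hunk, so the rejection value needs to follow whatever the other error paths use, e.g. `if (upstream->dir != CONN_DIR_UPSTREAM) return <error-value used by this function>;` with the assert kept for debug builds if desired. The switch body continues past the end of the hunk.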
|
||||||
@@ -2016,6 +2017,9 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
|
|||||||
case SSL_STREAM_OPT_PROTOCOL_MAX_VERSION:
|
case SSL_STREAM_OPT_PROTOCOL_MAX_VERSION:
|
||||||
upstream->ssl_max_version=opt_val;
|
upstream->ssl_max_version=opt_val;
|
||||||
break;
|
break;
|
||||||
|
case SSL_STREAM_OPT_ENABLE_ALPN:
|
||||||
|
upstream->up_parts.apln_enabled=opt_val;
|
||||||
|
break;
|
||||||
case SSL_STREAM_OPT_KEYRING_ID:
|
case SSL_STREAM_OPT_KEYRING_ID:
|
||||||
upstream->up_parts.keyring_id=opt_val;
|
upstream->up_parts.keyring_id=opt_val;
|
||||||
break;
|
break;
|
||||||
|
|||||||
@@ -29,6 +29,7 @@ struct intercept_param
|
|||||||
int block_fake_cert;
|
int block_fake_cert;
|
||||||
int ssl_min_version;
|
int ssl_min_version;
|
||||||
int ssl_max_version;
|
int ssl_max_version;
|
||||||
|
int allow_http2;
|
||||||
int mirror_client_version;
|
int mirror_client_version;
|
||||||
int decrypt_mirror_enabled;
|
int decrypt_mirror_enabled;
|
||||||
int mirror_profile_id;
|
int mirror_profile_id;
|
||||||
@@ -125,6 +126,8 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
|
|||||||
item=cJSON_GetObjectItem(ssl_ver, "max");
|
item=cJSON_GetObjectItem(ssl_ver, "max");
|
||||||
if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
|
if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
|
||||||
}
|
}
|
||||||
|
item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
|
||||||
|
if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
|
||||||
}
|
}
|
||||||
*ad=param;
|
*ad=param;
|
||||||
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
|
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
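Review bot: The new lookup `item=cJSON_GetObjectItem(ssl_ver, "allow_http2");` only accepts `cJSON_Number`; if the policy JSON encodes the switch as `true`/`false`, the item's type is `cJSON_True`/`cJSON_False`, the assignment is skipped and `allow_http2` keeps whatever value `param` started with, which this hunk does not show being zeroed. Accepting both encodings avoids a policy that silently never enables HTTP/2: `if(item && (item->type==cJSON_Number || item->type==cJSON_True || item->type==cJSON_False)) param->allow_http2=item->valueint;` (cJSON sets `valueint` to 1 for `cJSON_True` and 0 for `cJSON_False`). The lookup also sits after the closing `}` of the block that reads "min"/"max" from `ssl_ver`, so it runs even when that block did not; whether `ssl_ver` can be NULL here and whether the bundled cJSON tolerates a NULL object are not visible in this hunk and should be confirmed. intercept_param_new_cb starts before the hunk.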
|
||||||
@@ -188,6 +191,10 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
|
|||||||
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, param->ssl_min_version);
|
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, param->ssl_min_version);
|
||||||
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MAX_VERSION, param->ssl_max_version);
|
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MAX_VERSION, param->ssl_max_version);
|
||||||
}
|
}
|
||||||
|
if(param->allow_http2)
|
||||||
|
{
|
||||||
|
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, 1);
|
||||||
|
}
|
||||||
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, param->no_verify_cn);
|
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, param->no_verify_cn);
|
||||||
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, param->no_verify_issuer);
|
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, param->no_verify_issuer);
|
||||||
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, param->no_verify_self_signed);
|
ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, param->no_verify_self_signed);
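Review bot: The new block only ever turns ALPN on (`if(param->allow_http2) { ... SSL_STREAM_OPT_ENABLE_ALPN, 1 }`) and never writes 0, so the stream's flag for a policy with allow_http2 unset is whatever it was before, which is fine only if every stream reaches this function freshly zero-initialised and is never re-enforced under a different policy. The neighbouring calls pass the policy value through unconditionally, and doing the same here makes the state deterministic in both directions: `ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, param->allow_http2 ? 1 : 0);`. The return value is dropped like the calls around it; if ssl_stream_set_integer_opt can reject the option, that is worth at least a log line. ssl_policy_enforce starts before the hunk and continues after it.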
|
||||||
|
|||||||