From 2642f4ac5684e3747926707bc272d87942bc0a7b Mon Sep 17 00:00:00 2001
From: fumingwei
Date: Mon, 7 Sep 2020 14:07:11 +0800
Subject: [PATCH] =?UTF-8?q?1=E3=80=81=E5=A2=9E=E5=8A=A0tsg=20diagnose=20?=
 =?UTF-8?q?=E6=89=A7=E8=A1=8Cproxy=20policy=E6=97=B6=E6=A0=A1=E9=AA=8C?=
 =?UTF-8?q?=E8=AF=81=E4=B9=A6=202=E3=80=81=E4=BF=AE=E6=94=B9badssl?=
 =?UTF-8?q?=E7=AD=BE=E5=8F=91=E8=AF=81=E4=B9=A6=E7=9A=84=E6=97=B6=E9=97=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 badssl.com/certs/Makefile | 2 +-
 unittest_python/unittest/tsg_diagnose.py | 29 +++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/badssl.com/certs/Makefile b/badssl.com/certs/Makefile
index e5de6a7..f7131b8 100644
--- a/badssl.com/certs/Makefile
+++ b/badssl.com/certs/Makefile
@@ -14,7 +14,7 @@ D = badssl.com
 
 MAIN_CERT_TYPE = rsa2048
 
-DAYS_DEFAULT = 730
+DAYS_DEFAULT = 3650
 HASH_DEFAULT = sha256
 
 SIGN_CA_DEFAULTS = 3650 $(HASH_DEFAULT) req_v3_ca
diff --git a/unittest_python/unittest/tsg_diagnose.py b/unittest_python/unittest/tsg_diagnose.py
index 99ff595..ec3203d 100644
--- a/unittest_python/unittest/tsg_diagnose.py
+++ b/unittest_python/unittest/tsg_diagnose.py
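Review bot: Raising `DAYS_DEFAULT` from 730 to 3650 gives every leaf certificate built with the default a ten-year validity, the same lifetime `SIGN_CA_DEFAULTS` already uses for the CA; browsers enforcing the 398-day maximum (in effect since 1 September 2020) reject such leaf certificates when they chain to a publicly trusted root, so this default only works for the locally trusted test CA. A comment next to the value would record that intent, e.g. `# 10-year leaf validity: for the local test CA only; clients cap publicly trusted leaf lifetime at 398 days`.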
@@ -164,13 +164,32 @@ class SslHttpRequestBuild:
         self.conn.setopt(self.conn.ENCODING, "gzip,deflate")
         self.conn.setopt(self.conn.RESOLVE,wpr_dns_resolve)
 
+    def _cert_verify(self, pxy_action_info_re,certs):
+        issuer = ()
+        for cert_info in certs[0]:
+            if cert_info[0].lower() == "issuer":
+                issuer = cert_info
+                break
+        if len(issuer) <= 0:
+            raise Exception("Error: Get certificate info error, certificate's length is %s" % len(issuer))
+        if re.search(r'\bCN[\s]*=[\s]*Tango\b',issuer[1],0):
+            if re.search(r'\bCN = Tango[\s\S]*UNTRUST\b',issuer[1],0):
+                raise Exception( pxy_info_re)
+            else:
+                raise Exception("Error: Ssl connection is intercept, cert maybe trust, cert info: %s" % issuer[1])
+        else:
+            raise Exception("Error: Got other error certificate information, cert info: %s" % issuer[1])
+
+
     def http_redirect(self,conTimeout):
         self.conn.setopt(self.conn.URL, URLRedirect)
         self.conn.setopt(self.conn.TIMEOUT, conTimeout)
         self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
         self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
         rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
         self.conn.close()
+        self._cert_verify(http_redirect_info_re,certs)
         if rescode == 301 or rescode == 302:
             raise Exception(http_redirect_info_re)
         else:
@@ -181,8 +200,10 @@ class SslHttpRequestBuild:
         self.conn.setopt(self.conn.URL, URLReplace)
         self.conn.setopt(self.conn.TIMEOUT,conTimeout)
         self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
         body = self.bodyBuf.getvalue().decode('utf-8')
         self.conn.close()
+        self._cert_verify(http_replace_info_re,certs)
         if not re.search(r'EnglishSearchShared', body, 0) and \
            re.search(r'03C174CD9D809789CCEC18D6F585DF3E', body, 0):
             raise Exception(http_replace_info_re)
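Review bot: `raise Exception( pxy_info_re)` in the UNTRUST branch of `_cert_verify` references a name the method never defines — its parameter is `pxy_action_info_re` — so that branch fails with NameError unless a module-level `pxy_info_re` happens to exist; it should read `raise Exception(pxy_action_info_re)`. All three branches of `_cert_verify` raise, so the `rescode == 301 or rescode == 302` check after the call in http_redirect can never run, and the same applies to the checks following the `_cert_verify` calls in the http_replace hunk below and in the http_insert, http_block and http_hijack hunks; if those body and status checks are still meant to execute, the UNTRUST branch should `return` instead of raising. The outer match tolerates any spacing (`CN[\s]*=[\s]*Tango`) while the inner one requires exactly `CN = Tango`, so an issuer printed as `CN=Tango ... UNTRUST` lands in the "cert maybe trust" branch rather than the expected one. `certs[0]` also assumes INFO_CERTINFO returned at least one certificate; the list can be empty (for instance when the handle's CERTINFO option is not enabled, which is not visible here), producing an IndexError instead of the intended "Get certificate info error" message — guard with `if not certs: raise Exception("Error: Get certificate info error, no certificate returned")`. http_redirect's body continues outside the hunk.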
@@ -195,7 +216,9 @@ class SslHttpRequestBuild:
         self.conn.setopt(self.conn.TIMEOUT,conTimeout)
         self.conn.perform()
         body = self.bodyBuf.getvalue().decode('utf-8')
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
         self.conn.close()
+        self._cert_verify(http_insert_info_re,certs)
         if re.search(r'httpSelfcheckInsert', body, 0) and \
            re.search(r'5BE3754D1EA8D51E8D993060FA225330', body, 0):
             raise Exception(http_insert_info_re)
@@ -207,9 +230,11 @@ class SslHttpRequestBuild:
         self.conn.setopt(self.conn.TIMEOUT,conTimeout)
         self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write)
         self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
         rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
         body = self.bodyBuf.getvalue().decode('utf-8')
         self.conn.close()
+        self._cert_verify(http_block_info_re,certs)
         if re.search(r'E33F01E50AFE043191931DD40190B09B', body, 0) and (rescode == 404 or rescode == 451):
             raise Exception(http_block_info_re)
         else:
@@ -220,7 +245,9 @@ class SslHttpRequestBuild:
         self.conn.setopt(self.conn.URL, URLHijack)
         self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write)
         self.conn.perform()
+        certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
         self.conn.close()
+        self._cert_verify(http_hijack_info_re,certs)
         if os.path.exists("/root/http_hijack.out"):
             os.remove("/root/http_hijack.out")
         cmdtodo = 'curl %s -k -s --resolve cn.bing.com:443:192.0.2.131 -o /root/http_hijack.out' % URLHijack
@@ -301,7 +328,7 @@ class SSLFileDownloadBuild:
         if len(issuer) <= 0:
             raise Exception("Error: Get certificate info error, certificate's length is %s" % len(issuer))
         if not re.search(r'\bCN = Tango[\s\S]*UNTRUST\b',issuer[1],0):
-            raise Exception("Error: Intercept fail: no Tango cert")
+            raise Exception("Error: Intercept fail: no Tango cert,cert info:%s" % issuer[1])
         if int(conninfo["size_download"]) == size:
             self._write_in_nezha(sizeStr,conninfo)