gfwleak/tsg-tsg-diagnose
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1、增加tsg diagnose 执行proxy policy时校验证书 2、修改badssl签发证书的时间

Browse Source
This commit is contained in:
fumingwei
2020-09-07 14:07:11 +08:00
parent 9c3d3bbbf7
commit 2642f4ac56
2 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
badssl.com/certs/Makefile
View File

@@ -14,7 +14,7 @@
D = badssl.com D = badssl.com
MAIN_CERT_TYPE = rsa2048 MAIN_CERT_TYPE = rsa2048
DAYS_DEFAULT = 730 DAYS_DEFAULT = 3650
HASH_DEFAULT = sha256 HASH_DEFAULT = sha256
SIGN_CA_DEFAULTS = 3650 $(HASH_DEFAULT) req_v3_ca SIGN_CA_DEFAULTS = 3650 $(HASH_DEFAULT) req_v3_ca

29
unittest_python/unittest/tsg_diagnose.py
View File

@@ -164,13 +164,32 @@ class SslHttpRequestBuild:
self.conn.setopt(self.conn.ENCODING, "gzip,deflate") self.conn.setopt(self.conn.ENCODING, "gzip,deflate")
self.conn.setopt(self.conn.RESOLVE,wpr_dns_resolve) self.conn.setopt(self.conn.RESOLVE,wpr_dns_resolve)
def _cert_verify(self, pxy_action_info_re,certs):
issuer = ()
for cert_info in certs[0]:
if cert_info[0].lower() == "issuer":
issuer = cert_info
break
if len(issuer) <= 0:
raise Exception("Error: Get certificate info error, certificate's length is %s" % len(issuer))
if re.search(r'\bCN[\s]*=[\s]*Tango\b',issuer[1],0):
if re.search(r'\bCN = Tango[\s\S]*UNTRUST\b',issuer[1],0):
raise Exception( pxy_info_re)
else:
raise Exception("Error: Ssl connection is intercept, cert maybe trust, cert info: %s" % issuer[1])
else:
raise Exception("Error: Got other error certificate information, cert info: %s" % issuer[1])
def http_redirect(self,conTimeout): def http_redirect(self,conTimeout):
self.conn.setopt(self.conn.URL, URLRedirect) self.conn.setopt(self.conn.URL, URLRedirect)
self.conn.setopt(self.conn.TIMEOUT, conTimeout) self.conn.setopt(self.conn.TIMEOUT, conTimeout)
self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write) self.conn.setopt(self.conn.WRITEFUNCTION, BytesIO().write)
self.conn.perform() self.conn.perform()
certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
rescode = self.conn.getinfo(self.conn.RESPONSE_CODE) rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
self.conn.close() self.conn.close()
self._cert_verify(http_redirect_info_re,certs)
if rescode == 301 or rescode == 302: if rescode == 301 or rescode == 302:
raise Exception(http_redirect_info_re) raise Exception(http_redirect_info_re)
else: else:
@@ -181,8 +200,10 @@ class SslHttpRequestBuild:
self.conn.setopt(self.conn.URL, URLReplace) self.conn.setopt(self.conn.URL, URLReplace)
self.conn.setopt(self.conn.TIMEOUT,conTimeout) self.conn.setopt(self.conn.TIMEOUT,conTimeout)
self.conn.perform() self.conn.perform()
certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
body = self.bodyBuf.getvalue().decode('utf-8') body = self.bodyBuf.getvalue().decode('utf-8')
self.conn.close() self.conn.close()
self._cert_verify(http_replace_info_re,certs)
if not re.search(r'EnglishSearchShared', body, 0) and \ if not re.search(r'EnglishSearchShared', body, 0) and \
re.search(r'03C174CD9D809789CCEC18D6F585DF3E', body, 0): re.search(r'03C174CD9D809789CCEC18D6F585DF3E', body, 0):
raise Exception(http_replace_info_re) raise Exception(http_replace_info_re)
@@ -195,7 +216,9 @@ class SslHttpRequestBuild:
self.conn.setopt(self.conn.TIMEOUT,conTimeout) self.conn.setopt(self.conn.TIMEOUT,conTimeout)
self.conn.perform() self.conn.perform()
body = self.bodyBuf.getvalue().decode('utf-8') body = self.bodyBuf.getvalue().decode('utf-8')
certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
self.conn.close() self.conn.close()
self._cert_verify(http_insert_info_re,certs)
if re.search(r'httpSelfcheckInsert', body, 0) and \ if re.search(r'httpSelfcheckInsert', body, 0) and \
re.search(r'5BE3754D1EA8D51E8D993060FA225330', body, 0): re.search(r'5BE3754D1EA8D51E8D993060FA225330', body, 0):
raise Exception(http_insert_info_re) raise Exception(http_insert_info_re)
@@ -207,9 +230,11 @@ class SslHttpRequestBuild:
self.conn.setopt(self.conn.TIMEOUT,conTimeout) self.conn.setopt(self.conn.TIMEOUT,conTimeout)
self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write) self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write)
self.conn.perform() self.conn.perform()
certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
rescode = self.conn.getinfo(self.conn.RESPONSE_CODE) rescode = self.conn.getinfo(self.conn.RESPONSE_CODE)
body = self.bodyBuf.getvalue().decode('utf-8') body = self.bodyBuf.getvalue().decode('utf-8')
self.conn.close() self.conn.close()
self._cert_verify(http_block_info_re,certs)
if re.search(r'E33F01E50AFE043191931DD40190B09B', body, 0) and (rescode == 404 or rescode == 451): if re.search(r'E33F01E50AFE043191931DD40190B09B', body, 0) and (rescode == 404 or rescode == 451):
raise Exception(http_block_info_re) raise Exception(http_block_info_re)
else: else:
@@ -220,7 +245,9 @@ class SslHttpRequestBuild:
self.conn.setopt(self.conn.URL, URLHijack) self.conn.setopt(self.conn.URL, URLHijack)
self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write) self.conn.setopt(self.conn.WRITEFUNCTION, self.bodyBuf.write)
self.conn.perform() self.conn.perform()
certs = self.conn.getinfo(self.conn.INFO_CERTINFO)
self.conn.close() self.conn.close()
self._cert_verify(http_hijack_info_re,certs)
if os.path.exists("/root/http_hijack.out"): if os.path.exists("/root/http_hijack.out"):
os.remove("/root/http_hijack.out") os.remove("/root/http_hijack.out")
cmdtodo = 'curl %s -k -s --resolve cn.bing.com:443:192.0.2.131 -o /root/http_hijack.out' % URLHijack cmdtodo = 'curl %s -k -s --resolve cn.bing.com:443:192.0.2.131 -o /root/http_hijack.out' % URLHijack
@@ -301,7 +328,7 @@ class SSLFileDownloadBuild:
if len(issuer) <= 0: if len(issuer) <= 0:
raise Exception("Error: Get certificate info error, certificate's length is %s" % len(issuer)) raise Exception("Error: Get certificate info error, certificate's length is %s" % len(issuer))
if not re.search(r'\bCN = Tango[\s\S]*UNTRUST\b',issuer[1],0): if not re.search(r'\bCN = Tango[\s\S]*UNTRUST\b',issuer[1],0):
raise Exception("Error: Intercept fail: no Tango cert") raise Exception("Error: Intercept fail: no Tango cert,cert info:%s" % issuer[1])
if int(conninfo["size_download"]) == size: if int(conninfo["size_download"]) == size:
self._write_in_nezha(sizeStr,conninfo) self._write_in_nezha(sizeStr,conninfo)