authorluwenpeng <[email protected]>2022-11-08 10:53:05 +0800
committerluwenpeng <[email protected]>2022-11-08 11:18:53 +0800
commit87adce7cbf4e2c715776199228ac04ff396d33f7 (patch)
tree317a966126a33579218ccd37713799616a0de236
parentd63b40db172908f429adf36bacb600369ef8ef09 (diff)
TSG-12548 TFE适配拦截策略的keyring_for_untrusted字段
* keyring拆分为keyring_for_trusted与keyring_for_untrusted
-rw-r--r--common/include/ssl_stream.h3
-rw-r--r--platform/src/ssl_stream.cpp21
-rw-r--r--plugin/business/ssl-policy/src/ssl_policy.cpp34
-rw-r--r--resource/pangu/pangu_http.json6
4 files changed, 49 insertions, 15 deletions
diff --git a/common/include/ssl_stream.h b/common/include/ssl_stream.h
index 8da3ab0..3fc9957 100644
--- a/common/include/ssl_stream.h
+++ b/common/include/ssl_stream.h
@@ -28,7 +28,8 @@ enum SSL_STREAM_OPT
SSL_STREAM_OPT_PROTOCOL_MIN_VERSION,
SSL_STREAM_OPT_PROTOCOL_MAX_VERSION,
SSL_STREAM_OPT_ENABLE_ALPN,
- SSL_STREAM_OPT_KEYRING_ID,
+ SSL_STREAM_OPT_KEYRING_FOR_TRUSTED,
+ SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED,
SSL_STREAM_OPT_SNI, //VALUE is string
SSL_STREAM_OPT_ADDR //VALUE is string
};
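Review bot: Dropping SSL_STREAM_OPT_KEYRING_ID from the middle of the enum renumbers SSL_STREAM_OPT_SNI and SSL_STREAM_OPT_ADDR, so anything still compiled against the previous common/include/ssl_stream.h would pass stale option ids into ssl_stream_set_integer_opt and hit its `assert(0)` default; whether plugins and platform are always rebuilt together is not visible here. If the header is ever consumed across a build boundary, add the two new enumerators after SSL_STREAM_OPT_ADDR instead, so existing values keep their numbers. Either way the new entries deserve the same value note the neighbouring SNI/ADDR entries carry, e.g. `SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, //VALUE is keyring id used when the origin cert fails verification`.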
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index f826129..f54f585 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -199,7 +199,8 @@ struct ssl_upstream_parts
struct ssl_service_status svc_status;
enum ssl_stream_action action;
int apln_enabled;
- int keyring_id;
+ int keyring_for_trusted;
+ int keyring_for_untrusted;
struct ssl_chello * client_hello;
int is_server_cert_verify_passed;
};
@@ -2035,7 +2036,16 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
ctx->f_ask_keyring = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
ctx->is_origin_crt_verify_passed = upstream->up_parts.is_server_cert_verify_passed;
- key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, upstream->up_parts.keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
+ int keyring_id = 0;
+ if (ctx->is_origin_crt_verify_passed)
+ {
+ keyring_id = upstream->up_parts.keyring_for_trusted;
+ }
+ else
+ {
+ keyring_id = upstream->up_parts.keyring_for_untrusted;
+ }
+ key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
evbase, dnsbase, evhttp);
return;
}
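Review bot: Every downstream whose origin certificate failed verification is now asked for with `keyring_for_untrusted`, and intercept_param_new_cb defaults that field to 0 when the policy JSON omits the key, so a policy row written before this change (one that only carries `keyring`) now forges untrusted origins with keyring id 0 instead of the keyring it used before; whether 0 is a valid keyring or a "none" sentinel inside key_keeper is not visible from this hunk and should be confirmed. A comment on the selection would make the intended behaviour explicit, e.g. `/* origin cert failed verification: use the untrusted keyring (0 = policy did not set one) */`. The nine-line if/else also collapses to `int keyring_id = ctx->is_origin_crt_verify_passed ? upstream->up_parts.keyring_for_trusted : upstream->up_parts.keyring_for_untrusted;`. ssl_async_downstream_create starts before this hunk.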
@@ -2154,8 +2164,11 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
case SSL_STREAM_OPT_ENABLE_ALPN:
upstream->up_parts.apln_enabled=opt_val;
break;
- case SSL_STREAM_OPT_KEYRING_ID:
- upstream->up_parts.keyring_id=opt_val;
+ case SSL_STREAM_OPT_KEYRING_FOR_TRUSTED:
+ upstream->up_parts.keyring_for_trusted=opt_val;
+ break;
+ case SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED:
+ upstream->up_parts.keyring_for_untrusted=opt_val;
break;
default:
assert(0);
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index 3a41894..5ee9b3e 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -18,7 +18,8 @@ struct intercept_param
{
int policy_id;
int ref_cnt;
- int keyring;
+ int keyring_for_trusted;
+ int keyring_for_untrusted;
int decryption_profile_id;
};
@@ -99,23 +100,41 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
param->bypass_pinning=1;
param->mirror_client_version=1;
*/
- param->keyring=1;
+ param->keyring_for_trusted=1;
+ param->keyring_for_untrusted=0;
param->decryption_profile_id=0;
- item=cJSON_GetObjectItem(json, "keyring");
+ item=cJSON_GetObjectItem(json, "keyring_for_trusted");
if(item)
{
if(item->type==cJSON_Number)
{
- param->keyring=item->valueint;
+ param->keyring_for_trusted=item->valueint;
}
else if(item->type==cJSON_String)
{
- param->keyring=atoi(item->valuestring);
+ param->keyring_for_trusted=atoi(item->valuestring);
}
else
{
- TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring format", param->policy_id);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring_for_trusted format", param->policy_id);
+ }
+ }
+
+ item=cJSON_GetObjectItem(json, "keyring_for_untrusted");
+ if(item)
+ {
+ if(item->type==cJSON_Number)
+ {
+ param->keyring_for_untrusted=item->valueint;
+ }
+ else if(item->type==cJSON_String)
+ {
+ param->keyring_for_untrusted=atoi(item->valuestring);
+ }
+ else
+ {
+ TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring_for_untrusted format", param->policy_id);
}
}
@@ -380,7 +399,8 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
{
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
}
- ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_ID, policy_param->keyring);
+ ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, policy_param->keyring_for_trusted);
+ ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, policy_param->keyring_for_untrusted);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
assert(ret==0);
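Review bot: The return values of the two ssl_stream_set_integer_opt calls added for the keyring options are stored in `ret` and then overwritten by ssl_stream_get_integer_opt before the `assert(ret==0)`, so a failure to set either keyring is never observed (the preceding SSL_STREAM_OPT_BLOCK_FAKE_CERT call has the same pre-existing pattern). Either check each result where it is produced, e.g. `ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, policy_param->keyring_for_trusted); assert(ret==0);` and likewise for the untrusted call, or drop the dead assignments and leave a comment stating why the result is ignored. ssl_policy_enforce starts before this hunk and continues after it.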
diff --git a/resource/pangu/pangu_http.json b/resource/pangu/pangu_http.json
index 9e21d50..73a5e77 100644
--- a/resource/pangu/pangu_http.json
+++ b/resource/pangu/pangu_http.json
@@ -258,11 +258,11 @@
"4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
]
},
- {
+ {
"table_name": "TSG_SECURITY_COMPILE",
"table_content": [
- "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
- "4\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption\":0},\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":1234}}\t1\t2"
+ "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":765,\"keyring_for_untrusted\":10,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
+ "4\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":1,\"keyring_for_untrusted\":10,\"decryption\":0},\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":1234}}\t1\t2"
]
},
{