diff options
| author | zhengchao <[email protected]> | 2019-05-21 11:47:09 +0800 |
|---|---|---|
| committer | zhengchao <[email protected]> | 2019-05-24 18:55:31 +0800 |
| commit | 4cd42b9f95926c4373d6b582af5414faf3d3a3db (patch) | |
| tree | 5e86d94603c6a816b3a2d93932d601610203f61b /platform/src/ssl_service_cache.cpp | |
| parent | 1f73b4832dda82f4c7828e588a03e905872e072d (diff) | |
1. 客户端报SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN错误时,不作为maybe pinning; 2. ssl policy中增加protocol_errors的bypass开关。
Diffstat (limited to 'platform/src/ssl_service_cache.cpp')
| -rw-r--r-- | platform/src/ssl_service_cache.cpp | 45 |
1 files changed, 29 insertions, 16 deletions
diff --git a/platform/src/ssl_service_cache.cpp b/platform/src/ssl_service_cache.cpp index f2546a8..ffb3b55 100644 --- a/platform/src/ssl_service_cache.cpp +++ b/platform/src/ssl_service_cache.cpp @@ -5,11 +5,13 @@ #include <string.h> #define FAIL_AS_PINNING_COUNT 4 -#define FAIL_AS_PINNING_TIME 30 +#define FAIL_TIME_WINDOW 30 +#define FAIL_AS_PROTO_ERR_COUNT 5 struct ssl_svc_client_st { time_t last_update_time; - unsigned int fail_count; + unsigned int suspect_pinning_count; + unsigned int protocol_error_count; char is_mutual_auth; struct ssl_service_cache* ref_svc_cache; }; @@ -40,7 +42,7 @@ static void ssl_svc_free_client_st(void * data) { svc_cache->stat.mutual_auth_cli_cnt--; } - if(p->fail_count>=FAIL_AS_PINNING_COUNT) + if(p->suspect_pinning_count>=FAIL_AS_PINNING_COUNT) { svc_cache->stat.pinning_cli_cnt--; } @@ -80,11 +82,11 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use { return 0; } - if(cli_st->fail_count==0) + if(cli_st->suspect_pinning_count==0) { result->pinning_status=PINNING_ST_NOT_PINNING; } - else if(cli_st->fail_count<FAIL_AS_PINNING_COUNT) + else if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT) { result->pinning_status=PINNING_ST_MAYBE_PINNING; } @@ -92,6 +94,10 @@ static long cli_st_read_cb(void * data, const uchar * key, uint size, void * use { result->pinning_status=PINNING_ST_PINNING; } + if(cli_st->protocol_error_count>=FAIL_AS_PROTO_ERR_COUNT) + { + result->has_protocol_errors=1; + } result->is_mutual_auth=cli_st->is_mutual_auth; return 1; } @@ -110,37 +116,44 @@ static long cli_st_write_cb(void * data, const uchar * key, uint size, void * us ret = MESA_htable_add(cache->cli_st_hash, key, size, cli_st); assert(ret >= 0); } - if(cli_st->fail_count<FAIL_AS_PINNING_COUNT && cli_st->last_update_time-now>FAIL_AS_PINNING_TIME) + if(cli_st->last_update_time-now>FAIL_TIME_WINDOW) { - cli_st->fail_count=0; + if(cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT) cli_st->suspect_pinning_count=0; + if(cli_st->protocol_error_count<FAIL_AS_PROTO_ERR_COUNT) cli_st->protocol_error_count=0; } - if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->fail_count<FAIL_AS_PINNING_COUNT) + if(status->pinning_status!=PINNING_ST_NOT_PINNING && cli_st->suspect_pinning_count<FAIL_AS_PINNING_COUNT) { if(status->pinning_status==PINNING_ST_PINNING) { - cli_st->fail_count=FAIL_AS_PINNING_COUNT; + cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT; } else { - cli_st->fail_count++; + cli_st->suspect_pinning_count++; } - cli_st->last_update_time=now; - if(cli_st->fail_count==FAIL_AS_PINNING_COUNT) + if(cli_st->suspect_pinning_count==FAIL_AS_PINNING_COUNT) { cache->stat.pinning_cli_cnt++; } } else if(status->pinning_status==PINNING_ST_PINNING) { - cli_st->fail_count=FAIL_AS_PINNING_COUNT; - cli_st->last_update_time=now; + cli_st->suspect_pinning_count=FAIL_AS_PINNING_COUNT; + } + if(status->has_protocol_errors) + { + cli_st->protocol_error_count++; + if(cli_st->protocol_error_count==FAIL_AS_PROTO_ERR_COUNT) + { + cache->stat.proto_err_cli_cnt++; + } } - if(status->is_mutual_auth==1&&cli_st->is_mutual_auth==0) { cache->stat.mutual_auth_cli_cnt++; cli_st->is_mutual_auth=1; } + cli_st->last_update_time=now; return 1; } @@ -224,7 +237,7 @@ void ssl_service_cache_write(struct ssl_service_cache* svc_cache, const struct s return; } struct ssl_service_write_args write_args={svc_cache, status}; - if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING) + if(status->is_mutual_auth||status->pinning_status!=PINNING_ST_NOT_PINNING||status->has_protocol_errors) { cli_st_key_sz=ssl_svc_client_st_mk_key(chello, cli_st_key, sizeof(cli_st_key)); MESA_htable_search_cb(svc_cache->cli_st_hash, (unsigned char*)cli_st_key, (unsigned int) cli_st_key_sz, cli_st_write_cb, &write_args, &cli_st_cb_ret); |