diff options
| -rw-r--r-- | common/include/ssl_stream.h | 3 | ||||
| -rw-r--r-- | common/include/tfe_cmsg.h | 3 | ||||
| -rw-r--r-- | common/src/tfe_cmsg.cpp | 11 | ||||
| -rw-r--r-- | common/test/test_cmsg.cpp | 104 | ||||
| -rw-r--r-- | platform/include/internal/ssl_stream_core.h | 1 | ||||
| -rw-r--r-- | platform/src/proxy.cpp | 3 | ||||
| -rw-r--r-- | platform/src/ssl_stream.cpp | 1 | ||||
| -rw-r--r-- | plugin/business/ssl-policy/src/ssl_policy.cpp | 58 |
8 files changed, 124 insertions, 60 deletions
diff --git a/common/include/ssl_stream.h b/common/include/ssl_stream.h index a49e3a8..8da3ab0 100644 --- a/common/include/ssl_stream.h +++ b/common/include/ssl_stream.h @@ -1,5 +1,6 @@ #pragma once #include <stdlib.h> +#include <tfe_cmsg.h> struct ssl_stream; enum ssl_stream_action @@ -44,5 +45,7 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val); int ssl_stream_get_string_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, char* in_buff, size_t sz); +void ssl_stream_set_cmsg_string(struct ssl_stream *stream, enum tfe_cmsg_tlv_type type, const char *value_str); + unsigned int is_ssl_debug(); diff --git a/common/include/tfe_cmsg.h b/common/include/tfe_cmsg.h index 5867cbd..bf0724b 100644 --- a/common/include/tfe_cmsg.h +++ b/common/include/tfe_cmsg.h @@ -1,5 +1,7 @@ #pragma once +#include <stdint.h> + struct tfe_cmsg; struct tfe_cmsg_serialize_header; @@ -87,6 +89,7 @@ enum tfe_cmsg_tlv_type TFE_CMSG_FQDN_CAT_ID_VAL, // max size 8 * sizeof(unsigned int) TFE_CMSG_COMMON_DIRECTION, + TFE_CMSG_SSL_PASSTHROUGH_REASON, // string max size 32 /* Add new cmsg here */ /* Add new cmsg here */ /* Add new cmsg here */ diff --git a/common/src/tfe_cmsg.cpp b/common/src/tfe_cmsg.cpp index 3823c32..1d934f2 100644 --- a/common/src/tfe_cmsg.cpp +++ b/common/src/tfe_cmsg.cpp @@ -62,6 +62,17 @@ int tfe_cmsg_set(struct tfe_cmsg * cmsg, enum tfe_cmsg_tlv_type type, const unsi } struct tfe_cmsg_tlv *tlv = cmsg->tlvs[type]; uint16_t length = sizeof(struct tfe_cmsg_tlv) + size; + + // If the current tlv has been set, the previous value will be overwritten + if (NULL != tlv) + { + cmsg->nr_tlvs--; + cmsg->size -= tlv->length; + cmsg->tlvs[type] = NULL; + free(tlv); + tlv = NULL; + } + if(tlv == NULL) { tlv = (struct tfe_cmsg_tlv*)ALLOC(char, length); diff --git a/common/test/test_cmsg.cpp b/common/test/test_cmsg.cpp index a5a859f..dde3da4 100644 --- a/common/test/test_cmsg.cpp +++ b/common/test/test_cmsg.cpp @@ -10,48 +10,70 @@ int main() { - return 0; -} - -/* -int main(){ - //init - struct tfe_cmsg *cmsg = tfe_cmsg_init(); - - //set - uint32_t value = 0x12345678; - int ret = tfe_cmsg_set(cmsg, TFE_CMSG_TCP_RESTORE_SEQ, (const unsigned char*)(&value), 4); - printf("tfe_cmsg_set: ret is %d\n", ret); - - //get TCP_RESTORE_INFO_TLV_SEQ - uint16_t size = -1; - unsigned char *value1 = NULL; - ret = tfe_cmsg_get(cmsg, TFE_CMSG_TCP_RESTORE_SEQ, &size, &value1); - printf("tfe_cmsg_get: ret is %d, type is TCP_RESTORE_INFO_TLV_SEQ, value is 0x%02x, value_size is %d\n", ret, ((uint32_t*)value1)[0], size); - - //get_serialize_size - size = tfe_cmsg_serialize_size_get(cmsg); - printf("tfe_cmsg_serialize_size_get: size is %d\n", size); - - //serialize - unsigned char buff[size]; + /////////////////////////////////////////////////////////////////////////// + // Set CMSG (If the current tlv has been set, the previous value will be overwritten) + /////////////////////////////////////////////////////////////////////////// + + struct tfe_cmsg *cmsg_encode = tfe_cmsg_init(); + + // set TFE_CMSG_TCP_RESTORE_SEQ + uint32_t set_number_value = 0x12345678; + uint16_t set_number_length = 4; + int ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_TCP_RESTORE_SEQ, (const unsigned char *)(&set_number_value), set_number_length); + assert(ret == 0); + + // set TFE_CMSG_SSL_PASSTHROUGH_REASON + char set_string_value_tcp[] = "TCP Passthrough"; + char set_string_value_ct[] = "Certificate Transparency"; + char set_string_value_ev[] = "EV Certificate"; + ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&set_string_value_tcp, strlen(set_string_value_tcp)); + assert(ret == 0); + ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&set_string_value_ct, strlen(set_string_value_ct)); + assert(ret == 0); + ret = tfe_cmsg_set(cmsg_encode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&set_string_value_ev, strlen(set_string_value_ev)); + assert(ret == 0); + + // Get buff size + uint16_t buff_size = tfe_cmsg_serialize_size_get(cmsg_encode); + printf("cmsg_encode: buff_size %d\n", buff_size); + + // Serialize + unsigned char *temp_buff = ALLOC(unsigned char, buff_size); uint16_t serialize_len = -1; - ret = tfe_cmsg_serialize(cmsg, buff, size, &serialize_len); - printf("tfe_cmsg_serialize: ret is %d, serialize_len is %d, serialize result is: ", ret, serialize_len); - for(int i = 0; i < serialize_len; i++){ - printf("%02x ", buff[i]); + ret = tfe_cmsg_serialize(cmsg_encode, temp_buff, buff_size, &serialize_len); + assert(ret == 0); + printf("cmsg_encode after serialize, len: %d data: ", serialize_len); + for (int i = 0; i < serialize_len; i++) + { + printf("%02x ", temp_buff[i]); } printf("\n"); - //deserialize - struct tfe_cmsg *cmsg1 = NULL; - ret = tfe_cmsg_deserialize(buff, serialize_len, &cmsg1); - printf("tfe_cmsg_deserialize: ret is %d\n", ret); - - //get TCP_RESTORE_INFO_TLV_SEQ - size = -1; - unsigned char *value2 = NULL; - ret = tfe_cmsg_get(cmsg1, TFE_CMSG_TCP_RESTORE_SEQ, &size, &value2); - printf("tfe_cmsg_get: ret is %d, type is TCP_RESTORE_INFO_TLV_SEQ, value is 0x%02x, value_size is %d\n", ret, ((uint32_t*)value2)[0], size); -} -*/ + tfe_cmsg_destroy(cmsg_encode); + + /////////////////////////////////////////////////////////////////////////// + // Get CMSG + /////////////////////////////////////////////////////////////////////////// + + struct tfe_cmsg *cmsg_decode = NULL; + ret = tfe_cmsg_deserialize(temp_buff, serialize_len, &cmsg_decode); + assert(ret == 0); + + // get TCP_RESTORE_INFO_TLV_SEQ + uint32_t get_number_value = 0; + uint16_t get_number_length = 0; + ret = tfe_cmsg_get_value(cmsg_decode, TFE_CMSG_TCP_RESTORE_SEQ, (unsigned char *)&get_number_value, sizeof(get_number_value), &get_number_length); + assert(ret == 0); + printf("cmsg_decode: TCP_RESTORE_INFO_TLV_SEQ, value is 0x%02x, size is %d\n", get_number_value, get_number_length); + + // get TFE_CMSG_SSL_PASSTHROUGH_REASON + unsigned char get_string_value[32] = {0}; + uint16_t get_string_len = 0; + ret = tfe_cmsg_get_value(cmsg_decode, TFE_CMSG_SSL_PASSTHROUGH_REASON, (unsigned char *)&get_string_value, sizeof(get_string_value), &get_string_len); + assert(ret == 0); + printf("cmsg_decode: TFE_CMSG_SSL_PASSTHROUGH_REASON, value is %s, size is %d\n", get_string_value, get_string_len); + + tfe_cmsg_destroy(cmsg_decode); + + return 0; +}
\ No newline at end of file diff --git a/platform/include/internal/ssl_stream_core.h b/platform/include/internal/ssl_stream_core.h index e2d1601..5f24e60 100644 --- a/platform/include/internal/ssl_stream_core.h +++ b/platform/include/internal/ssl_stream_core.h @@ -26,7 +26,6 @@ void ssl_manager_destroy(struct ssl_mgr * mgr); unsigned long ssl_stream_log_error(struct bufferevent * bev, enum tfe_conn_dir dir, struct ssl_mgr* mgr); void ssl_stream_process_error(struct ssl_stream * s_stream, unsigned long sslerr, struct ssl_mgr* mgr); const char* ssl_stream_get_error_string(enum ssl_stream_error error); -void ssl_stream_set_cmsg_string(struct ssl_stream *stream, enum tfe_cmsg_tlv_type type, const char *value_str); void ssl_stream_process_zero_eof(struct ssl_stream *s_stream, struct ssl_mgr *mgr); enum ssl_stream_action ssl_upstream_create_result_release_action(future_result_t * result); diff --git a/platform/src/proxy.cpp b/platform/src/proxy.cpp index b485209..b43129f 100644 --- a/platform/src/proxy.cpp +++ b/platform/src/proxy.cpp @@ -192,10 +192,13 @@ int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstr if (unlikely(ctx->tcp_all_passthrough) || tcp_passthrough > 0) { bool __true = true; + uint64_t ssl_intercept_status = SSL_ACTION_PASSTHROUGH; enum tfe_stream_proto __session_type = STREAM_PROTO_PLAIN; tfe_stream_option_set(stream, TFE_STREAM_OPT_PASSTHROUGH, &__true, sizeof(__true)); tfe_stream_option_set(stream, TFE_STREAM_OPT_SESSION_TYPE, &__session_type, sizeof(__session_type)); + tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)"TCP Passthrough", (uint16_t)strlen("TCP Passthrough")); + tfe_cmsg_set(cmsg, TFE_CMSG_SSL_INTERCEPT_STATE, (const unsigned char *)&ssl_intercept_status, (uint16_t)sizeof(ssl_intercept_status)); } TFE_LOG_DEBUG(ctx->logger, "%p: fetch tcp options: cmsg's tcp_passthrough: %d, conf's tcp_passthrough: %d, enalbe passthrough: %d", stream, tcp_passthrough, ctx->tcp_all_passthrough, (ctx->tcp_all_passthrough > 0 || tcp_passthrough > 0) ? 1 : 0); diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index a6baa70..f826129 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -1476,6 +1476,7 @@ static void peek_chello_on_succ(future_result_t * result, void * user) if (ATOMIC_READ(&certstore_is_unavailable) > 3) { s_stream->up_parts.action=SSL_ACTION_PASSTHROUGH; + ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certstore Unavailable"); TFE_LOG_ERROR(ctx->mgr->logger, "CertStore is unavailable, PASSTHROUGH"); } diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp index 40b0df7..3a41894 100644 --- a/plugin/business/ssl-policy/src/ssl_policy.cpp +++ b/plugin/business/ssl-policy/src/ssl_policy.cpp @@ -5,6 +5,7 @@ #include <openssl/ssl.h> #include <assert.h> #include <tfe_resource.h> +#include <tfe_cmsg.h> struct ssl_policy_enforcer { @@ -343,6 +344,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p if(policy_param==NULL) { TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", policy_id); + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param"); return SSL_ACTION_PASSTHROUGH; } else @@ -357,6 +359,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p if (profile_param==NULL) { TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str); + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Decryption Param"); return SSL_ACTION_PASSTHROUGH; } int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, ja3_pinning_status=0; @@ -390,26 +393,45 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error); assert(ret==0); - if ((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) || - ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) || - (is_mauth && profile_param->bypass_mutual_auth) || - (is_ev && profile_param->bypass_ev_cert) || - (is_ct && profile_param->bypass_ct_cert) || - (has_error && profile_param->bypass_protocol_errors)) - { - action=SSL_ACTION_PASSTHROUGH; - TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d", - addr_string, sni, policy_param->policy_id, - ((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0), - (((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) ? 1 : 0), - ((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0), - ((is_ev && profile_param->bypass_ev_cert) ? 1 : 0), - ((is_ct && profile_param->bypass_ct_cert) ? 1 : 0), - ((has_error && profile_param->bypass_protocol_errors) ? 1 : 0)); - } + if (pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) + { + action = SSL_ACTION_PASSTHROUGH; + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed"); + TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id); + } + else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) + { + action = SSL_ACTION_PASSTHROUGH; + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning"); + TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id); + } + else if (is_mauth && profile_param->bypass_mutual_auth) + { + action = SSL_ACTION_PASSTHROUGH; + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Mutual Authentication"); + TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id); + } + else if (is_ev && profile_param->bypass_ev_cert) + { + action = SSL_ACTION_PASSTHROUGH; + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "EV Certificate"); + TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id); + } + else if (is_ct && profile_param->bypass_ct_cert) + { + action = SSL_ACTION_PASSTHROUGH; + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Transparency"); + TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id); + } + else if (has_error && profile_param->bypass_protocol_errors) + { + action = SSL_ACTION_PASSTHROUGH; + ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Protocol Errors"); + TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id); + } else { - action=SSL_ACTION_INTERCEPT; + action = SSL_ACTION_INTERCEPT; } intercept_param_free(policy_param); |