1、将dynamic bypass 从tsg_entry.cpp 拆分出来 2、使用ja3信息代替chello信息做bypass ssl信息 3、增加获取ja3流标签,通过cmsg发送给tfe 4、增加dynamic bypass 配置文件开关
This commit is contained in:
fumingwei
@@ -19,7 +19,6 @@ bypass: drome: pme_new_fail: destroy_pme
|
||||
#include "tfe_mgr.h"
|
||||
#include <tsg/tsg_rule.h>
|
||||
#include <tsg/tsg_send_log.h>
|
||||
#include "ssl_utils.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
@@ -33,6 +32,7 @@ extern "C" {
|
||||
#include <MESA/stream_inc/stream_control.h>
|
||||
#include "kni_entry.h"
|
||||
#include "kni_pxy_tcp_option.h"
|
||||
#include "kni_dynamic_bypass.h"
|
||||
|
||||
struct kni_handle *g_kni_handle = NULL;
|
||||
struct kni_field_stat_handle *g_kni_fs_handle = NULL;
|
||||
@@ -351,6 +351,10 @@ static int session_attribute_cmsg_set(struct kni_cmsg *cmsg, struct pme_info *pm
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_IP_LOCATION_CITY, (const unsigned char*)session_attribute_label->server_location->city_full, strlen(session_attribute_label->server_location->city_full), pmeinfo);
|
||||
if(ret < 0) break;
|
||||
}
|
||||
if(session_attribute_label->ja3_fingerprint == NULL)
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SSL_CLIENT_JA3_FINGERPRINT, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
|
||||
else
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SSL_CLIENT_JA3_FINGERPRINT, (const unsigned char*)session_attribute_label->ja3_fingerprint, strlen(session_attribute_label->ja3_fingerprint), pmeinfo);
|
||||
}while(0);
|
||||
return ret;
|
||||
}
|
||||
@@ -905,279 +909,9 @@ static int dabloom_add(struct pkt_info *pktinfo, int thread_seq){
|
||||
return ret;
|
||||
}
|
||||
|
||||
int stream_addr_str_split(char* addr_str, const char** sip, const char** sport, const char** dip, const char** dport)
|
||||
{
|
||||
const char* seps=" ";
|
||||
char* saveptr=NULL, *subtoken=NULL, *str=NULL;
|
||||
int i=0;
|
||||
for (str = addr_str, i=0; ; str = NULL, i++)
|
||||
{
|
||||
subtoken = strtok_r(str, seps, &saveptr);
|
||||
if (subtoken == NULL)
|
||||
break;
|
||||
switch(i)
|
||||
{
|
||||
case 0:
|
||||
if(sip!=NULL) *sip=subtoken;
|
||||
break;
|
||||
case 1:
|
||||
if(sport!=NULL) *sport=subtoken;
|
||||
break;
|
||||
case 2:
|
||||
if(dip!=NULL) *dip=subtoken;
|
||||
break;
|
||||
case 3:
|
||||
if(dport!=NULL) *dport=subtoken;
|
||||
break;
|
||||
default:
|
||||
return -1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
char * stream_addr_to_str(struct pme_info *pmeinfo,struct pkt_info *pktinfo)
|
||||
{
|
||||
char * __str_ret = NULL;
|
||||
if(pmeinfo==NULL || pktinfo == NULL) return NULL;
|
||||
if (pmeinfo->addr_type == ADDR_TYPE_IPV4)
|
||||
{
|
||||
char __src_addr[INET_ADDRSTRLEN];
|
||||
char __dst_addr[INET_ADDRSTRLEN];
|
||||
uint16_t __src_port;
|
||||
uint16_t __dst_port;
|
||||
if(pktinfo->iphdr.v4->saddr < pktinfo->iphdr.v4->daddr){
|
||||
__src_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->source);
|
||||
__dst_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->dest);
|
||||
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->saddr), __src_addr, sizeof(__src_addr));
|
||||
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->daddr), __dst_addr, sizeof(__dst_addr));
|
||||
}
|
||||
else
|
||||
{
|
||||
__src_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->dest);
|
||||
__dst_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->source);
|
||||
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->daddr), __src_addr, sizeof(__src_addr));
|
||||
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->saddr), __dst_addr, sizeof(__dst_addr));
|
||||
}
|
||||
asprintf(&__str_ret, "%s %u %s %u", __src_addr, __src_port, __dst_addr, __dst_port);
|
||||
}
|
||||
|
||||
if (pmeinfo->addr_type == ADDR_TYPE_IPV6)
|
||||
{
|
||||
char __src_addr[INET6_ADDRSTRLEN];
|
||||
char __dst_addr[INET6_ADDRSTRLEN];
|
||||
uint16_t __src_port;
|
||||
uint16_t __dst_port;
|
||||
if(memcmp((void*)&(pktinfo->iphdr.v6->ip6_src), (void*)&(pktinfo->iphdr.v6->ip6_dst), IPV6_ADDR_LEN) < 0){
|
||||
__src_port = ntohs((uint16_t) pktinfo->tcphdr->source);
|
||||
__dst_port = ntohs((uint16_t) pktinfo->tcphdr->dest);
|
||||
memcpy(__src_addr, &(pktinfo->iphdr.v6->ip6_src), sizeof(__src_addr));
|
||||
memcpy(__dst_addr, &(pktinfo->iphdr.v6->ip6_dst), sizeof(__dst_addr));
|
||||
}
|
||||
else
|
||||
{
|
||||
__src_port = ntohs((uint16_t) pktinfo->tcphdr->dest);
|
||||
__dst_port = ntohs((uint16_t) pktinfo->tcphdr->source);
|
||||
memcpy(__src_addr, &(pktinfo->iphdr.v6->ip6_dst), sizeof(__src_addr));
|
||||
memcpy(__dst_addr, &(pktinfo->iphdr.v6->ip6_src), sizeof(__dst_addr));
|
||||
}
|
||||
asprintf(&__str_ret, "%s %u %s %u", __src_addr, __src_port, __dst_addr, __dst_port);
|
||||
}
|
||||
|
||||
return __str_ret;
|
||||
}
|
||||
|
||||
|
||||
static size_t ssl_svc_app_st_mk_key(struct ssl_chello* chello, struct pkt_info *pktinfo, struct pme_info *pmeinfo, char* key_buff, size_t sz)
|
||||
{
|
||||
size_t key_len=0;
|
||||
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
|
||||
char * addr_str= stream_addr_to_str(pmeinfo,pktinfo);
|
||||
stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
|
||||
|
||||
key_len=snprintf(key_buff, sz, "%d:%d:%s:%s", chello->min_version.ossl_format,
|
||||
chello->max_version.ossl_format,
|
||||
chello->sni?chello->sni: dip ,
|
||||
chello->alpn?chello->alpn:"null");
|
||||
if(chello->cipher_suites && sz-key_len>chello->cipher_suites_len)
|
||||
{
|
||||
memcpy(key_buff+key_len, chello->cipher_suites, chello->cipher_suites_len);
|
||||
key_len+=chello->cipher_suites_len;
|
||||
}
|
||||
if(chello->sign_algos && sz-key_len > chello->sign_algos_len)
|
||||
{
|
||||
memcpy(key_buff+key_len, chello->sign_algos, chello->sign_algos_len);
|
||||
key_len+=chello->sign_algos_len;
|
||||
}
|
||||
if(chello->supported_groups && sz-key_len > chello->supported_groups_len)
|
||||
{
|
||||
memcpy(key_buff+key_len, chello->supported_groups, chello->supported_groups_len);
|
||||
key_len+=chello->supported_groups_len;
|
||||
}
|
||||
free(addr_str);
|
||||
return key_len;
|
||||
}
|
||||
|
||||
|
||||
static size_t ssl_svc_client_st_mk_key(struct ssl_chello* chello,struct pme_info *pmeinfo, struct pkt_info *pktinfo,char* key_buff, size_t sz)
|
||||
{
|
||||
size_t key_len=0;
|
||||
const char *sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
|
||||
char *addr_str = stream_addr_to_str(pmeinfo,pktinfo);
|
||||
stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
|
||||
char chello_id_buff[sz];
|
||||
size_t chello_id_len=0;
|
||||
|
||||
key_len=snprintf(key_buff, sz, "%s:", sip);
|
||||
chello_id_len=ssl_svc_app_st_mk_key(chello, pktinfo,pmeinfo, chello_id_buff, sizeof(chello_id_buff));
|
||||
memcpy(key_buff+key_len, chello_id_buff, MIN(chello_id_len, sz-key_len));
|
||||
key_len += MIN(chello_id_len, sz-key_len);
|
||||
|
||||
FREE(&addr_str);
|
||||
return key_len;
|
||||
}
|
||||
|
||||
static struct ssl_chello * ssl_get_chello_info(struct streaminfo *stream)
|
||||
{
|
||||
enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
|
||||
struct ssl_chello *chello = NULL;
|
||||
chello = ssl_chello_parse((unsigned char *)stream->ptcpdetail->pdata, (unsigned int)stream->ptcpdetail->datalen, &chello_status);
|
||||
if(chello_status == CHELLO_PARSE_SUCCESS)
|
||||
{
|
||||
return chello;
|
||||
}
|
||||
else
|
||||
{
|
||||
if(chello)
|
||||
ssl_chello_free(chello);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static long sslinfo2bypass_htable_search_cb(void *data, const uchar *key, uint size, void *user_args){
|
||||
if(data != NULL)
|
||||
return 0;
|
||||
else
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
static int sslinfo2bypass_htable_search(MESA_htable_handle htable,char *key, int klen, struct pme_info *pmeinfo)
|
||||
{
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
long cb_ret = -1;
|
||||
void *value;
|
||||
value = MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, sslinfo2bypass_htable_search_cb, NULL, &cb_ret);
|
||||
if(cb_ret == 0)
|
||||
{
|
||||
pmeinfo->ssl_pinningst = *((uint64_t *)value);
|
||||
KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_DEBUG(logger, "MESA_htable:Search result value is null, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
|
||||
}
|
||||
return cb_ret;
|
||||
}
|
||||
|
||||
static int traceid2sslinfo_htable_add(char *key, uint klen, void * value,int thread_seq)
|
||||
{
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
int ret;
|
||||
MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[thread_seq].traceid2sslinfo_htable;
|
||||
ret = MESA_htable_add(traceid2sslinfo_htable, (const unsigned char *)key, klen, (const void*)value);
|
||||
if(ret >= 0)
|
||||
{
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_ADD_SUCC], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_CNT], 0, FS_OP_ADD, 1);
|
||||
KNI_LOG_DEBUG(logger, "MESA_htable:Success to add, table = traceid2sslinfo_htable,key = %s, key_size = %d, ret =%d , thread_seq=%d", key, klen,ret, thread_seq);
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "MESA_htable:Fail to add, table = traceid2sslinfo_htable,key = %s, key_size = %d, ret =%d , thread_seq=%d", key, klen,ret, thread_seq);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int first_data_ssl_dynamic_bypass(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq)
|
||||
{
|
||||
struct dynamic_bypass_ssl_feature *ssl_feature = NULL;
|
||||
struct ssl_chello *chello = NULL;
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
|
||||
int ret = -1;
|
||||
if(pmeinfo->protocol != PROTO_SSL)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger, "Dynamic bypass: stream protocol is not ssl: stream traceid = %s, protocol = %d", pmeinfo->stream_traceid,pmeinfo->protocol);
|
||||
return ret;
|
||||
}
|
||||
chello = ssl_get_chello_info(stream);
|
||||
if(!chello)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Dynamic bypass: fail to get ssl stream client hello info, stream traceid = %s", pmeinfo->stream_traceid);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
ssl_feature = ALLOC(struct dynamic_bypass_ssl_feature,1);
|
||||
ssl_feature->vlen = ssl_svc_client_st_mk_key(chello, pmeinfo, pktinfo,ssl_feature->value,SSL_INFO_LEN);
|
||||
|
||||
KNI_LOG_DEBUG(logger, "Dynamic bypass: chello info=%s, info len = %d", ssl_feature->value, ssl_feature->vlen);
|
||||
ssl_chello_free(chello);
|
||||
if(sslinfo2bypass_htable_search(g_kni_handle->sslinfo2bypass_htable,ssl_feature->value, ssl_feature->vlen,pmeinfo) == 0)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger, "Dynamic bypass: passthrough ok, stream traceid = %s,ssl_pinningst = %d", pmeinfo->stream_traceid, pmeinfo->ssl_pinningst);
|
||||
ret = 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_DEBUG(logger, "Dynamic bypass: not passthrough, stream traceid = %s", pmeinfo->stream_traceid);
|
||||
if(traceid2sslinfo_htable_add(pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid),ssl_feature,thread_seq) >=0)
|
||||
{
|
||||
ret = 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
FREE(&ssl_feature);
|
||||
}
|
||||
}
|
||||
if(ret == 0)
|
||||
{
|
||||
//dynamic bypass fs stat
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_STM], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
|
||||
//dynamic bypass ipv4 or ipv6
|
||||
if(stream->addr.addrtype == ADDR_TYPE_IPV6){
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_IPV6_STM], 0, FS_OP_ADD, 1);
|
||||
}
|
||||
else{
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_IPV4_STM], 0, FS_OP_ADD, 1);
|
||||
}
|
||||
|
||||
if(pmeinfo->has_dup_traffic == 1){
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DUP_TFC_STM], 0, FS_OP_ADD, 1);
|
||||
KNI_LOG_DEBUG(logger, "stream has dup traffic, traceid = %s", pmeinfo->stream_traceid);
|
||||
}
|
||||
|
||||
pmeinfo->ssl_intercept_state = 0;
|
||||
pmeinfo->is_dynamic_bypass = 1;
|
||||
if(g_kni_handle->dup_traffic_switch == 1){
|
||||
if(pmeinfo->has_dup_traffic == 1){
|
||||
ret = dabloom_add(pktinfo, thread_seq);
|
||||
if(ret < 0){
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
static struct _session_attribute_label_t * kni_pull_session_attribute_results(struct streaminfo *a_stream,struct pme_info *pmeinfo)
|
||||
{
|
||||
@@ -1231,7 +965,10 @@ static struct _session_attribute_label_t * kni_pull_session_attribute_results(st
|
||||
KNI_LOG_DEBUG(logger, "share-session-attribute: destination ip location province is: %s,stream traceid = %s",session_attribute_label->server_location->province_full,pmeinfo->stream_traceid);
|
||||
KNI_LOG_DEBUG(logger, "share-session-attribute: destination ip location city is: %s,stream traceid = %s",session_attribute_label->server_location->city_full,pmeinfo->stream_traceid);
|
||||
}
|
||||
|
||||
if(session_attribute_label->ja3_fingerprint == NULL)
|
||||
KNI_LOG_DEBUG(logger, "share-session-attribute: ja3_fingerprint is NULL,stream traceid = %s",pmeinfo->stream_traceid);
|
||||
else
|
||||
KNI_LOG_DEBUG(logger, "share-session-attribute: ja3_fingerprint is %s,stream traceid = %s",session_attribute_label->ja3_fingerprint,pmeinfo->stream_traceid);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -1361,9 +1098,37 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
|
||||
}
|
||||
|
||||
//dynamic bypass
|
||||
if(first_data_ssl_dynamic_bypass(stream, pmeinfo, pktinfo, thread_seq) == 0)
|
||||
{
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
if(g_kni_handle->ssl_dynamic_bypass_enable == 1){
|
||||
if(first_data_ssl_dynamic_bypass(stream, pmeinfo, pktinfo, thread_seq) == 0)
|
||||
{
|
||||
//dynamic bypass fs stat
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_STM], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
|
||||
//dynamic bypass ipv4 or ipv6
|
||||
if(stream->addr.addrtype == ADDR_TYPE_IPV6){
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_IPV6_STM], 0, FS_OP_ADD, 1);
|
||||
}
|
||||
else{
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_IPV4_STM], 0, FS_OP_ADD, 1);
|
||||
}
|
||||
|
||||
if(pmeinfo->has_dup_traffic == 1){
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DUP_TFC_STM], 0, FS_OP_ADD, 1);
|
||||
KNI_LOG_DEBUG(logger, "stream has dup traffic, traceid = %s", pmeinfo->stream_traceid);
|
||||
}
|
||||
|
||||
pmeinfo->ssl_intercept_state = 0;
|
||||
pmeinfo->is_dynamic_bypass = 1;
|
||||
if(g_kni_handle->dup_traffic_switch == 1){
|
||||
if(pmeinfo->has_dup_traffic == 1){
|
||||
ret = dabloom_add(pktinfo, thread_seq);
|
||||
if(ret < 0){
|
||||
KNI_LOG_DEBUG(logger, "stream add dabloom fail, ret=%d, traceid = %s",ret, pmeinfo->stream_traceid);
|
||||
}
|
||||
}
|
||||
}
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
}
|
||||
}
|
||||
|
||||
//add cmsg
|
||||
@@ -1482,12 +1247,6 @@ char* kni_maat_action_trans(enum kni_action action){
|
||||
|
||||
|
||||
|
||||
static void next_data_ssl_dynamic_bypass(struct pkt_info *pktinfo)
|
||||
{
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
|
||||
|
||||
}
|
||||
|
||||
char next_data_intercept(struct pme_info *pmeinfo, const void *a_packet, struct pkt_info *pktinfo, int thread_seq){
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
|
||||
int ret, len;
|
||||
@@ -1527,10 +1286,11 @@ char next_data_intercept(struct pme_info *pmeinfo, const void *a_packet, struct
|
||||
pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
return APP_STATE_DROPPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
}
|
||||
if(pmeinfo->is_dynamic_bypass)
|
||||
{
|
||||
next_data_ssl_dynamic_bypass(pktinfo);
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
if(g_kni_handle->ssl_dynamic_bypass_enable == 1){
|
||||
if(pmeinfo->is_dynamic_bypass){
|
||||
next_data_ssl_dynamic_bypass(pktinfo);
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
}
|
||||
}
|
||||
|
||||
ret = send_to_tfe((char*)a_packet, len, thread_seq, pmeinfo->tfe_id, pmeinfo->addr_type);
|
||||
@@ -1987,93 +1747,6 @@ static int wrapped_kni_cmsg_get(struct pme_info *pmeinfo, struct kni_cmsg *cmsg,
|
||||
}
|
||||
|
||||
|
||||
static int sslinfo2bypass_htable_add(char *key, uint klen, void * value, void *logger)
|
||||
{
|
||||
int ret = -1;
|
||||
MESA_htable_handle sslinfo2bypass_htable = g_kni_handle->sslinfo2bypass_htable;
|
||||
ret = MESA_htable_add(sslinfo2bypass_htable, (const unsigned char *)key, klen, (const void*)value);
|
||||
if(ret < 0)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "MESA_htable: Failed at add, table = sslinfo2bypass_htable, key = %s, key_size = %d, ret = %d",key, klen, ret);
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_DEBUG(logger, "MESA_htable: Success at add, table = sslinfo2bypass_htable, key = %s, key_size = %d, ret = %d",key, klen, ret);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_ADD_SUCC], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_CNT], 0, FS_OP_ADD, 1);
|
||||
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
static long traceid2sslinfo_htable_search_cb(void *data, const uchar *key, uint size, void *user_args)
|
||||
{
|
||||
struct dynamic_bypass_ssl_feature * ssl_feature = (struct dynamic_bypass_ssl_feature *)data;
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
uint64_t * p_ssl_pinningst = (uint64_t *)user_args;
|
||||
uint64_t *value = NULL;
|
||||
long cb_ret = -1;
|
||||
|
||||
if(ssl_feature != NULL)
|
||||
{
|
||||
value = ALLOC(uint64_t, 1);
|
||||
*value = *p_ssl_pinningst;
|
||||
if(sslinfo2bypass_htable_add(ssl_feature->value, ssl_feature->vlen, (void *)value, logger) < 0)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Dynamic bypass, fail add to table = sslinfo2bypass_htable, key = %s, key_size = %d",
|
||||
ssl_feature->value, ssl_feature->vlen);
|
||||
}
|
||||
cb_ret = 0;
|
||||
}
|
||||
return cb_ret;
|
||||
}
|
||||
|
||||
|
||||
static int traceid2sslinfo_htable_search(MESA_htable_handle htable,char *key, int klen, int thread_seq,uint64_t ssl_pinningst)
|
||||
{
|
||||
long cb_ret = -1;
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, traceid2sslinfo_htable_search_cb, &ssl_pinningst, &cb_ret);
|
||||
if(cb_ret >= 0)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = traceid2sslinfo_htable,thread_seq = %d,key = %s, key_size = %d, ret = %d",
|
||||
thread_seq, key, klen,cb_ret);
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "MESA_htable: Fail to search, table = traceid2sslinfo_htable,thread_seq = %d,key = %s, key_size = %d, ret = %d",
|
||||
thread_seq, key, klen,cb_ret);
|
||||
}
|
||||
|
||||
return cb_ret;
|
||||
}
|
||||
|
||||
static int ssl_dynamic_bypass_htable_add(struct pme_info *pmeinfo)
|
||||
{
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
long cb_ret;
|
||||
int ret = -1;
|
||||
MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[pmeinfo->thread_seq].traceid2sslinfo_htable;
|
||||
if(pmeinfo->ssl_intercept_state == 0)
|
||||
{
|
||||
cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, pmeinfo->ssl_pinningst);
|
||||
if(cb_ret >= 0)
|
||||
{
|
||||
cb_ret = MESA_htable_del(traceid2sslinfo_htable, (const unsigned char *)pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), NULL);
|
||||
if(cb_ret < 0)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Delete traceid2sslinfo_htable fail,key=%s",pmeinfo->stream_traceid);
|
||||
}
|
||||
else
|
||||
{
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_DEL_SUCC], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_CNT], 0, FS_OP_ADD, -1);
|
||||
}
|
||||
ret = 0;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
static long traceid2pme_htable_search_cb(void *data, const uchar *key, uint size, void *user_args){
|
||||
struct traceid2pme_search_cb_args *args = (struct traceid2pme_search_cb_args*)user_args;
|
||||
@@ -2093,7 +1766,9 @@ static long traceid2pme_htable_search_cb(void *data, const uchar *key, uint size
|
||||
KNI_LOG_DEBUG(logger, "recv cmsg from tfe, stream traceid = %s, stream addr = %s, stream ssl intercept state = %d ,pinning state = %d",
|
||||
pmeinfo->stream_traceid, pmeinfo->stream_addr,pmeinfo->ssl_intercept_state,pmeinfo->ssl_pinningst);
|
||||
|
||||
ssl_dynamic_bypass_htable_add(pmeinfo);
|
||||
if(g_kni_handle->ssl_dynamic_bypass_enable == 1){
|
||||
ssl_dynamic_bypass_htable_add(pmeinfo);
|
||||
}
|
||||
|
||||
can_destroy = judge_stream_can_destroy(pmeinfo, CALLER_TFE);
|
||||
if(can_destroy == 1){
|
||||
@@ -2462,27 +2137,6 @@ static void tuple2stream_htable_data_free_cb(void *data){
|
||||
FREE(&data);
|
||||
}
|
||||
|
||||
static void traceid2sslinfo_htable_data_free_cb(void *data){
|
||||
FREE(&data);
|
||||
}
|
||||
|
||||
static void sslinfo2bypass_htable_data_free_cb(void *data){
|
||||
FREE(&data);
|
||||
}
|
||||
|
||||
static int traceid2sslinfo_htable_expire_notify_cb(void *data, int eliminate_type)
|
||||
{
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_DEL_SUCC], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_CNT], 0, FS_OP_ADD, -1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int sslinfo2bypass_htable_expire_notify_cb(void *data, int eliminate_type)
|
||||
{
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_DEL_SUCC], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_CNT], 0, FS_OP_ADD, -1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
int dup_traffic_dabloom_init(const char *profile, void *logger){
|
||||
@@ -2546,7 +2200,6 @@ extern "C" int kni_init(){
|
||||
pthread_t thread_id = -1;
|
||||
struct thread_tfe_cmsg_receiver_args *cmsg_receiver_args;
|
||||
MESA_htable_handle traceid2pme_htable = NULL;
|
||||
MESA_htable_handle sslinfo2bypass_htable = NULL;
|
||||
struct tfe_mgr *_tfe_mgr = NULL;
|
||||
char label_buff[MAX_STRING_LEN*4]={0};
|
||||
tfe_cmsg_enum_to_string();
|
||||
@@ -2696,27 +2349,12 @@ extern "C" int kni_init(){
|
||||
}
|
||||
g_kni_handle->threads_handle[i].tuple2stream_htable = tuple2stream_htable;
|
||||
}
|
||||
//init traceid2sslinfo_htable
|
||||
memset(&opt, 0, sizeof(opt));
|
||||
kni_get_htable_opt(&opt, profile, "traceid2sslinfo_htable", (void*)traceid2sslinfo_htable_data_free_cb, (void *)traceid2sslinfo_htable_expire_notify_cb, local_logger);
|
||||
for(int i = 0; i < g_kni_handle->thread_count; i++){
|
||||
MESA_htable_handle traceid2sslinfo_htable = kni_create_htable((char*)"traceid2sslinfo_htable", &opt, local_logger);
|
||||
if(traceid2sslinfo_htable == NULL){
|
||||
KNI_LOG_ERROR(local_logger, "Failed at kni_create_htable, table = traceid2sslinfo_htable");
|
||||
goto error_out;
|
||||
}
|
||||
g_kni_handle->threads_handle[i].traceid2sslinfo_htable = traceid2sslinfo_htable;
|
||||
}
|
||||
|
||||
//init sslinfo2bypass_htable
|
||||
memset(&opt, 0, sizeof(opt));
|
||||
kni_get_htable_opt(&opt, profile, "sslinfo2bypass_htable", (void*)sslinfo2bypass_htable_data_free_cb, (void *)sslinfo2bypass_htable_expire_notify_cb, local_logger);
|
||||
sslinfo2bypass_htable = kni_create_htable((char*)"sslinfo2bypass_htable", &opt, local_logger);
|
||||
if(sslinfo2bypass_htable == NULL){
|
||||
KNI_LOG_ERROR(local_logger, "Failed at create sslinfo2bypass_htable");
|
||||
//init ssl dynamic bypass htable
|
||||
ret = ssl_dynamic_bypass_htable_init(profile, local_logger);
|
||||
if(ret < 0){
|
||||
goto error_out;
|
||||
}
|
||||
g_kni_handle->sslinfo2bypass_htable = sslinfo2bypass_htable;
|
||||
|
||||
//init dabloom_handle
|
||||
ret = dup_traffic_dabloom_init(profile, local_logger);
|
||||
if(ret < 0){
|
||||
|
||||
Reference in New Issue
Block a user