TSG-22707 Adaptation of DB indicates changes, fixes self-check process testing issues

fengweihao
2024-10-16 16:16:44 +08:00
parent 8e38bbcf48
commit 48cba684fe
9 changed files with 82 additions and 98 deletions


@@ -237,7 +237,7 @@ struct ssl_policy_enforcer *ssl_policy_enforcer_create()
struct ssl_policy_enforcer *enforcer = ALLOC(struct ssl_policy_enforcer, 1);
enforcer->maat = tfe_get_maat_handle();
ret = maat_plugin_table_ex_schema_register(enforcer->maat,
"PXY_PROFILE_DECRYPTION",
"DECRYPTION_PROFILE",
profile_param_new_cb,
profile_param_free_cb,
profile_param_dup_cb,
@@ -272,7 +272,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
uuid_unparse(decrypted_uuid, decrypted_uuid_str);
TFE_LOG_DEBUG(g_default_logger, "%s %s enforce policy %s", addr_string, sni, rule_uuid_str);
struct decryption_param *profile_param = (struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, "PXY_PROFILE_DECRYPTION", (const char *)decrypted_uuid_str, strlen(decrypted_uuid_str));
struct decryption_param *profile_param = (struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, "DECRYPTION_PROFILE", (const char *)decrypted_uuid_str, strlen(decrypted_uuid_str));
if (profile_param == NULL)
{
TFE_LOG_INFO(g_default_logger, "Failed to get decryption parameter of profile %s.", decrypted_uuid_str);
@@ -283,32 +283,32 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
if (!profile_param->mirror_client_version)
{
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MAX_VERSION, profile_param->ssl_max_version);
assert(ret == 0);
assert(ret == 1);
}
if (profile_param->allow_http2)
{
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, 1);
assert(ret == 0);
assert(ret == 1);
}
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, profile_param->no_verify_cn);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, profile_param->no_verify_issuer);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, profile_param->no_verify_self_signed);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_EXPIRY_DATE, profile_param->no_verify_expry_date);
assert(ret == 0);
assert(ret == 1);
if (profile_param->block_fake_cert)
{
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
assert(ret == 0);
assert(ret == 1);
}
ret = ssl_stream_set_uuid_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, &trusted_keyring_uuid);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_set_uuid_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, &untrusted_keyring_uuid);
assert(ret == 0);
assert(ret == 1);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
assert(ret == 0);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &is_app_not_pinning);
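Review bot: The option setters in ssl_policy_enforce are still checked only with `assert(ret == 1)`, so a build with NDEBUG defined ignores a failed ssl_stream_set_integer_opt or ssl_stream_set_uuid_opt call. The stream then presumably continues with whatever protocol-version, certificate-verification and keyring settings it had before the profile was applied, while a build without NDEBUG aborts the whole process on the same failure. An explicit check such as `if (ret != 1) { /* log the option and return a fail-closed action */ }` would handle the policy failure the same way in both builds. The ssl_stream_get_integer_opt call for SSL_STREAM_OPT_PINNING_STATUS is still followed by `assert(ret == 0)` while every setter now expects 1; if the getter really uses the opposite convention, a one-line comment there would stop a later reader from "correcting" it. The body of ssl_policy_enforce starts and ends outside this hunk.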