TSG-91
* 修改策略编译配置表名称 * 增加对用户自定域协议字段处理 * 修改配置文件,json文件
@@ -60,26 +60,38 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
ret=Maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
if(ret<0)
{
{
TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
return;
}
}
json_str=ALLOC(char, len+1);
memcpy(json_str, table_line+intercept_user_region_offset, len);
memcpy(json_str, table_line+intercept_user_region_offset, len);
json=cJSON_Parse(json_str);
if(json==NULL)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
goto error_out;
}
param=ALLOC(struct intercept_param, 1);
item=cJSON_GetObjectItem(json, "protocol");
if(unlikely(!item || !cJSON_IsString(item)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid protocol format", key);
goto error_out;
}
if (0!=strcasecmp(item->valuestring, "SSL/HTTP"))
{
goto error_out;
}
param=ALLOC(struct intercept_param, 1);
param->policy_id=atoi(key);
param->ref_cnt=1;
param->bypass_mutual_auth=1;
param->bypass_pinning=1;
param->mirror_client_version=1;
param->keyring=1;
item=cJSON_GetObjectItem(json, "keyring");
if(item)
{
@@ -96,7 +108,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring format", param->policy_id);
}
}
exclusions=cJSON_GetObjectItem(json, "dynamic_bypass");
if(exclusions)
{
@@ -119,7 +131,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
if(approach)
{
item=cJSON_GetObjectItem(approach, "cn");
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_cn=1;
item=cJSON_GetObjectItem(approach, "issuer");
if(item && item->type==cJSON_Number && item->valueint==0) param->no_verify_issuer=1;
item=cJSON_GetObjectItem(approach, "self-signed");
@@ -138,14 +150,14 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
}
ssl_ver=cJSON_GetObjectItem(json, "protocol_version");
if(ssl_ver)
{
item=cJSON_GetObjectItem(ssl_ver, "mirror_client");
{
item=cJSON_GetObjectItem(ssl_ver, "mirror_client");
if(item && item->type==cJSON_Number) param->mirror_client_version=item->valueint;
if(!param->mirror_client_version)
{
item=cJSON_GetObjectItem(ssl_ver, "min");
item=cJSON_GetObjectItem(ssl_ver, "min");
if(item && item->type==cJSON_String) param->ssl_min_version=sslver_str2num(item->valuestring);
item=cJSON_GetObjectItem(ssl_ver, "max");
item=cJSON_GetObjectItem(ssl_ver, "max");
if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
if(param->ssl_min_version<0||param->ssl_max_version<0)
{
@@ -153,12 +165,12 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: ssl version = %s", item->valuestring);
}
}
item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
item=cJSON_GetObjectItem(ssl_ver, "allow_http2");
if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
}
*ad=param;
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
error_out:
error_out:
cJSON_Delete(json);
free(json_str);
return;
@@ -171,7 +183,7 @@ void intercept_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, v
{
return;
}
if ((__sync_sub_and_fetch(¶m->ref_cnt, 1) == 0))
{
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %d", param->policy_id);\
@@ -189,10 +201,10 @@ struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
enforcer->maat=g_business_maat;
enforcer->logger=logger;
enforcer->table_id=Maat_table_register(enforcer->maat, "PXY_INTERCEPT_COMPILE");
UNUSED int ret=Maat_plugin_EX_register(enforcer->maat,
enforcer->table_id=Maat_table_register(enforcer->maat, "TSG_SECURITY_COMPILE");
UNUSED int ret=Maat_plugin_EX_register(enforcer->maat,
enforcer->table_id,
intercept_param_new_cb,
intercept_param_new_cb,
intercept_param_free_cb,
intercept_param_dup_cb,
NULL,
@@ -222,7 +234,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
else
{
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %d", addr_string, sni, policy_id);
}
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
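Review bot: A policy whose `protocol` value is anything other than "SSL/HTTP" is dropped without a trace at the `goto error_out` that follows the new strcasecmp check in intercept_param_new_cb, so an operator cannot distinguish a mistyped protocol from a policy meant for another enforcer; the invalid-format branch just above it logs at ERROR, while this branch says nothing. Add `TFE_LOG_DEBUG(enforcer->logger, "Skip intercept parameter: id = %s, protocol = %s", key, item->valuestring);` immediately before that goto. The same silent-failure pattern appears in ssl_policy_enforcer_create, where the registration against the renamed "TSG_SECURITY_COMPILE" table stores its result in `UNUSED int ret` and never inspects it; if Maat_plugin_EX_register reports failure through its return value, a table-name mismatch would leave the enforcer running with no intercept policies and nothing in the log, so that result should at least be checked and logged. intercept_param_new_cb begins before the first hunk and continues past it.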