TSG-14898 TFE适配PXY_INTERCEPT_COMPILE,执行Intercept或No Intercept

luwenpeng
2023-04-25 10:49:36 +08:00
parent 3523e8a951
commit ba64327e2f
7 changed files with 55 additions and 18 deletions


@@ -8,6 +8,7 @@ struct intercept_param
{
uint64_t rule_id;
int ref_cnt;
int action;
int keyring_for_trusted;
int keyring_for_untrusted;
int decryption_profile;
@@ -23,14 +24,30 @@ struct intercept_policy_enforcer
static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
int action = 0;
size_t len = 0;
size_t offset = 0;
char buffer[8] = {0};
char *json_str = NULL;
cJSON *json = NULL;
cJSON *item = NULL;
struct intercept_param *param = NULL;
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
if (maat_helper_read_column(table_line, 3, &offset, &len) < 0)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line);
goto error_out;
}
memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len));
action = atoi(buffer);
if (action != 2 && action != 3)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line);
goto error_out;
}
if (maat_helper_read_column(table_line, 7, &offset, &len) < 0)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line);
@@ -60,6 +77,7 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c
param = ALLOC(struct intercept_param, 1);
param->rule_id = atoll(key);
param->ref_cnt = 1;
param->action = action;
param->keyring_for_trusted = 1;
param->keyring_for_untrusted = 0;
param->decryption_profile = 0;
@@ -189,16 +207,16 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1);
enforcer->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
enforcer->logger = logger;
enforcer->table_id = maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_INTERCEPT_COMPILE");
if (enforcer->table_id < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register table of TSG_SECURITY_COMPILE, ret = %d", enforcer->table_id);
TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_INTERCEPT_COMPILE, ret = %d", enforcer->table_id);
goto error_out;
}
ret = maat_plugin_table_ex_schema_register(enforcer->maat,
"TSG_SECURITY_COMPILE",
"PXY_INTERCEPT_COMPILE",
intercept_param_new_cb,
intercept_param_free_cb,
intercept_param_dup_cb,
@@ -206,7 +224,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
enforcer);
if (ret != 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of TSG_SECURITY_COMPILE, ret = %d", ret);
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_COMPILE, ret = %d", ret);
goto error_out;
}
@@ -235,9 +253,10 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
uint64_t rule_id = 0;
char buff[16] = {0};
struct intercept_param *param = NULL;
int passthrough = 1;
char reason[] = "Invalid Intercept Param";
uint8_t hit_no_intercept = 0;
int tcp_passthrough = 0;
char reason_hit_no_intercept[] = "Hit No Intercept";
char reason_invalid_intercept_param[] = "Invalid Intercept Param";
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &size);
if (ret < 0)
@@ -254,6 +273,22 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
goto error_passthrough;
}
// intercept
if (param->action == 2)
{
tcp_passthrough = 0;
hit_no_intercept = 0;
}
// not intercept
else
{
tcp_passthrough = 1;
hit_no_intercept = 1;
tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason_hit_no_intercept, strlen(reason_hit_no_intercept));
}
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&(param->keyring_for_trusted), sizeof(param->keyring_for_trusted));
@@ -264,8 +299,9 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
return 0;
error_passthrough:
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&passthrough, sizeof(passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason, strlen(reason));
tcp_passthrough = 1;
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason_invalid_intercept_param, strlen(reason_invalid_intercept_param));
return -1;
}
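Review bot: In intercept_param_new_cb (the hunk at @@ -23,14 +24,30), the new action parsing copies `MIN(sizeof(buffer), len)` bytes into the 8-byte `buffer` and then calls atoi() on it; when the column is 8 or more characters long the copy overwrites every zeroed byte, `buffer` has no NUL terminator, and atoi() reads past the end of the stack array (assuming MIN is the usual smaller-of-two macro). Since the table line comes from the PXY_INTERCEPT_COMPILE configuration rather than from code under this file's control, the copy should leave room for the terminator: `memcpy(buffer, table_line + offset, MIN(sizeof(buffer) - 1, len));`. A stricter variant would reject over-long or non-numeric columns via strtol() with an end-pointer check instead of atoi(), which silently returns 0 on garbage and so falls into the existing "Invalid intercept action" error path only by accident. The `else` branch in intercept_policy_enforce relies on new_cb having restricted action to 2 or 3; a one-line comment there, `// any accepted action other than 2 is "no intercept" (new_cb only admits 2 or 3)`, would make that coupling visible. intercept_param_new_cb and intercept_policy_enforce both continue outside the shown hunks.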