TSG-14628 TFE适配TCP Option Profile库表的变更

luwenpeng
2023-04-11 15:19:22 +08:00
committed by luwenpeng
parent 0a3d06eed1
commit f741c3c025
17 changed files with 554 additions and 51 deletions


@@ -16,7 +16,7 @@ struct ssl_policy_enforcer
};
struct intercept_param
{
int policy_id;
uint64_t policy_id;
int ref_cnt;
int keyring_for_trusted;
int keyring_for_untrusted;
@@ -94,7 +94,7 @@ void intercept_param_new_cb(const char *table_name, int table_id, const char* ke
}
param=ALLOC(struct intercept_param, 1);
param->policy_id=atoi(key);
param->policy_id=atoll(key);
param->ref_cnt=1;
/*
param->bypass_mutual_auth=1;
@@ -118,7 +118,7 @@ void intercept_param_new_cb(const char *table_name, int table_id, const char* ke
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring_for_trusted format", param->policy_id);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_trusted format", param->policy_id);
}
}
@@ -135,7 +135,7 @@ void intercept_param_new_cb(const char *table_name, int table_id, const char* ke
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %d invalid keyring_for_untrusted format", param->policy_id);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_untrusted format", param->policy_id);
}
}
@@ -152,11 +152,11 @@ void intercept_param_new_cb(const char *table_name, int table_id, const char* ke
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter:%d invalid decryption format", param->policy_id);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid decryption format", param->policy_id);
}
}
*ad=param;
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", param->policy_id);
error_out:
cJSON_Delete(json);
free(json_str);
@@ -173,7 +173,7 @@ void intercept_param_free_cb(int table_id, void **ad, long argl, void* argp)
if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
{
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %d", param->policy_id);\
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", param->policy_id);
free(param);
*ad=NULL;
}
@@ -351,17 +351,16 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
struct decryption_param *profile_param=NULL;
enum ssl_stream_action action=SSL_ACTION_PASSTHROUGH;
UNUSED int ret=0;
int policy_id=0;
uint64_t policy_id=0;
char policy_id_str[16]={0};
char profile_id_str[16]={0};
char sni[512], addr_string[512];
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_INTERCEPT_POLICY_ID, &policy_id);
assert(ret==0);
snprintf(policy_id_str, sizeof(policy_id_str), "%d", policy_id);
policy_id = ssl_stream_get_policy_id(upstream);
snprintf(policy_id_str, sizeof(policy_id_str), "%lu", policy_id);
policy_param=(struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
if(policy_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", policy_id);
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", policy_id);
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param");
return SSL_ACTION_PASSTHROUGH;
}
@@ -369,7 +368,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
{
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %d", addr_string, sni, policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %lu", addr_string, sni, policy_id);
}
snprintf(profile_id_str, sizeof(profile_id_str), "%u", policy_param->decryption_profile_id);
@@ -416,37 +415,37 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id);
}
else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id);
}
else if (is_mauth && profile_param->bypass_mutual_auth)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Mutual Authentication");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id);
}
else if (is_ev && profile_param->bypass_ev_cert)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "EV Certificate");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id);
}
else if (is_ct && profile_param->bypass_ct_cert)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Transparency");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id);
}
else if (has_error && profile_param->bypass_protocol_errors)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Protocol Errors");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id);
}
else
{
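Review bot: `char policy_id_str[16]={0};` at the top of ssl_policy_enforce is now too small for the widened key: a uint64_t prints as up to 20 decimal digits, so `snprintf(policy_id_str, sizeof(policy_id_str), "%lu", policy_id)` truncates any id of 16 or more digits, and the following `maat_plugin_table_get_ex_data` lookup then either misses, which this function turns into SSL_ACTION_PASSTHROUGH (fail-open), or hits a different policy whose id happens to be the truncated prefix. Size the buffer for the full range and reject truncation, e.g. `char policy_id_str[24]={0};` followed by `if (snprintf(policy_id_str, sizeof(policy_id_str), "%" PRIu64, policy_id) >= (int)sizeof(policy_id_str)) { ... treat as invalid policy ... }`. The matching widening in intercept_param_new_cb uses `atoll(key)`, which reports no error and silently maps a malformed or negative key to 0 or a wrapped value stored in an unsigned field; `strtoull(key, &end, 10)` with an `*end != '\0'` / ERANGE check would reject such table keys instead of registering a bogus policy id. `%lu` is only correct for uint64_t on targets where it is `unsigned long`; `PRIu64` from <inttypes.h> is the portable specifier and keeps -Wformat clean in every log call touched here. Whether `ssl_stream_get_policy_id(upstream)` signals failure at all is not visible in this hunk, although the call it replaces was asserted to succeed, so a failure sentinel (if any) should be checked before the lookup.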