TSG-15163,TSG-15711: 支持ech协议作为安全策略条件

This commit is contained in:
liuxueli
2023-06-27 17:05:49 +08:00
parent 2fda08dc43
commit 3a8041198f
4 changed files with 27 additions and 9 deletions


@@ -53,4 +53,5 @@ STRING LDAP 100
STRING RTMP 337 STRING RTMP 337
STRING RTSP 176 STRING RTSP 176
STRING ESNI 8008 STRING ESNI 8008
STRING Stratum 8169 STRING Stratum 8169
STRING ECH 8173


@@ -29,7 +29,7 @@ struct ssl_chello
char* alpn; char* alpn;
char* cipher_suites; char* cipher_suites;
char* cipher_suites_tls13; char* cipher_suites_tls13;
int is_encrypt_sni; int is_encrypt_sni;
int is_encrypt_chello; int is_encrypt_chello;
}; };
struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, enum chello_parse_result* result); struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, enum chello_parse_result* result);


@@ -77,12 +77,16 @@ struct hited_app_para
struct session_runtime_process_context struct session_runtime_process_context
{ {
unsigned char is_esni; unsigned char is_esni:1;
unsigned char is_hitted_allow;
unsigned char is_ech:1;
unsigned char is_hitted_allow:1;
unsigned char is_app_link:1;
unsigned char first_origin_pkt:1;
unsigned char padding_bit:3;
unsigned char deal_pkt_num; unsigned char deal_pkt_num;
unsigned char is_app_link;
unsigned char sync_cb_state; unsigned char sync_cb_state;
unsigned char first_origin_pkt; unsigned char padding[3];
unsigned short timeout; unsigned short timeout;
enum TSG_PROTOCOL proto; enum TSG_PROTOCOL proto;
int matched_app_id; // only app int matched_app_id; // only app
@@ -220,5 +224,3 @@ char *srt_action_context_get_l4_protocol(const struct session_runtime_action_con
const struct session_runtime_process_context *session_runtime_process_context_new(const struct streaminfo * a_stream); const struct session_runtime_process_context *session_runtime_process_context_new(const struct streaminfo * a_stream);
void session_runtime_process_context_free(const struct streaminfo *a_stream); void session_runtime_process_context_free(const struct streaminfo *a_stream);
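Review bot: Packing is_esni, is_ech, is_hitted_allow, is_app_link and first_origin_pkt into 1-bit fields silently truncates any store of a value other than 0 or 1 — the `is_esni=(int)chello->is_encrypt_sni` assignment this commit rewrites was one such site, and other writers of these members outside the hunk are not visible here. Adjacent bit-fields also occupy one memory location, so two threads setting different flags of the same context would race where separate bytes did not; I cannot tell from the hunk whether the context is ever touched concurrently. A short comment on the flag group would make both constraints explicit: `/* 1-bit flags: store only 0/1; adjacent bit-fields share a byte, so writes are not independent */`. The struct continues past the hunk.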


@@ -1420,7 +1420,16 @@ int session_l7_protocol_identify(const struct streaminfo *a_stream, struct sessi
srt_process_context->ssl_sni=malloc_copy_string(chello->sni, strlen(chello->sni), a_stream->threadnum); srt_process_context->ssl_sni=malloc_copy_string(chello->sni, strlen(chello->sni), a_stream->threadnum);
} }
srt_process_context->is_esni=(int)chello->is_encrypt_sni; if(chello->is_encrypt_sni==1)
{
srt_process_context->is_esni=1;
}
if(chello->is_encrypt_chello==1)
{
srt_process_context->is_ech=1;
}
ssl_chello_free(chello); ssl_chello_free(chello);
return 1; return 1;
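Review bot: The new `if(chello->is_encrypt_sni==1)` and `if(chello->is_encrypt_chello==1)` tests only recognise the exact value 1, while the replaced assignment carried any nonzero value of the `int` member through as true; if the parser ever sets another nonzero value the flag is now silently dropped. Since both targets are 1-bit fields, a truthiness store keeps the old semantics and is shorter: `srt_process_context->is_esni = chello->is_encrypt_sni != 0;` and `srt_process_context->is_ech = chello->is_encrypt_chello != 0;`. This relies on the context being zero-initialised before this point, which the hunk does not show. The enclosing function starts and ends outside the hunk.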
@@ -2025,6 +2034,12 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess
unsigned int protocol_id=tsg_l7_protocol_name2id("ESNI", 4); unsigned int protocol_id=tsg_l7_protocol_name2id("ESNI", 4);
matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt);
} }
if(srt_process_context->is_ech)
{
unsigned int protocol_id=tsg_l7_protocol_name2id("ECH", 3);
matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt);
}
if(srt_process_context->proto==PROTO_HTTP && srt_process_context->http_url!=NULL) if(srt_process_context->proto==PROTO_HTTP && srt_process_context->http_url!=NULL)
{ {