Diffstat (limited to 'plugin/business/ssl-policy/src')
-rw-r--r--plugin/business/ssl-policy/src/ssl_policy.cpp58
1 files changed, 40 insertions, 18 deletions
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index 40b0df7..3a41894 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -5,6 +5,7 @@
#include <openssl/ssl.h>
#include <assert.h>
#include <tfe_resource.h>
+#include <tfe_cmsg.h>
struct ssl_policy_enforcer
{
@@ -343,6 +344,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
if(policy_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", policy_id);
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param");
return SSL_ACTION_PASSTHROUGH;
}
else
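Review bot: The new `ssl_stream_set_cmsg_string(...)` call is the only `ssl_stream_*` call in this file whose result is discarded; the getters a few lines later are all checked with `ret=...; assert(ret==0);`. If the setter can fail (no storage for the message, stream already closed), the PASSTHROUGH will still happen but the recorded reason silently goes missing, which is exactly the case an operator later wants to audit. I would capture and at least log the result, e.g. `ret = ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param"); if (ret != 0) TFE_LOG_INFO(enforcer->logger, "Failed to record passthrough reason for policy %d.", policy_id);`, or document in a comment that the call cannot fail. The same applies to the call in the next hunk and to all six calls in the last hunk. The enclosing function `ssl_policy_enforce` starts outside this hunk.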
@@ -357,6 +359,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
if (profile_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Decryption Param");
return SSL_ACTION_PASSTHROUGH;
}
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0, ja3_pinning_status=0;
@@ -390,26 +393,45 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
assert(ret==0);
- if ((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) ||
- ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) ||
- (is_mauth && profile_param->bypass_mutual_auth) ||
- (is_ev && profile_param->bypass_ev_cert) ||
- (is_ct && profile_param->bypass_ct_cert) ||
- (has_error && profile_param->bypass_protocol_errors))
- {
- action=SSL_ACTION_PASSTHROUGH;
- TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to uninstall_cert:%d, pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d",
- addr_string, sni, policy_param->policy_id,
- ((pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic) ? 1 : 0),
- (((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning) ? 1 : 0),
- ((is_mauth && profile_param->bypass_mutual_auth) ? 1 : 0),
- ((is_ev && profile_param->bypass_ev_cert) ? 1 : 0),
- ((is_ct && profile_param->bypass_ct_cert) ? 1 : 0),
- ((has_error && profile_param->bypass_protocol_errors) ? 1 : 0));
- }
+ if (pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic)
+ {
+ action = SSL_ACTION_PASSTHROUGH;
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed");
+ TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id);
+ }
+ else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
+ {
+ action = SSL_ACTION_PASSTHROUGH;
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning");
+ TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id);
+ }
+ else if (is_mauth && profile_param->bypass_mutual_auth)
+ {
+ action = SSL_ACTION_PASSTHROUGH;
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Mutual Authentication");
+ TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id);
+ }
+ else if (is_ev && profile_param->bypass_ev_cert)
+ {
+ action = SSL_ACTION_PASSTHROUGH;
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "EV Certificate");
+ TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id);
+ }
+ else if (is_ct && profile_param->bypass_ct_cert)
+ {
+ action = SSL_ACTION_PASSTHROUGH;
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Transparency");
+ TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id);
+ }
+ else if (has_error && profile_param->bypass_protocol_errors)
+ {
+ action = SSL_ACTION_PASSTHROUGH;
+ ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Protocol Errors");
+ TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id);
+ }
else
{
- action=SSL_ACTION_INTERCEPT;
+ action = SSL_ACTION_INTERCEPT;
}
intercept_param_free(policy_param);
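Review bot: The debug line in each new branch reports only the reason that won the `else if` chain, so when several bypass conditions hold for one session the other flag values are no longer recorded anywhere; the removed single log line printed all six. A PASSTHROUGH decision is a session the proxy will not inspect, so I would keep the raw `pinning_staus`, `ja3_pinning_status`, `is_mauth`, `is_ev`, `is_ct`, `has_error` values in the log next to the reason. As a point of style, the six branches repeat the same three statements and differ only in the condition and the literal; selecting the reason string first and then acting on it once keeps the client message and the log text from drifting apart and gives a single place to check the `ssl_stream_set_cmsg_string` result. Sketch below; the ordering of the conditions and the reason strings are unchanged.

```cpp
    ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
    assert(ret==0);

    /* First matching bypass rule wins; the string is both the client message and the log text. */
    const char *reason = NULL;
    if (pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic)
    { reason = "Certificate Not Installed"; }
    else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
    { reason = "Certificate Pinning"; }
    else if (is_mauth && profile_param->bypass_mutual_auth)
    { reason = "Mutual Authentication"; }
    else if (is_ev && profile_param->bypass_ev_cert)
    { reason = "EV Certificate"; }
    else if (is_ct && profile_param->bypass_ct_cert)
    { reason = "Certificate Transparency"; }
    else if (has_error && profile_param->bypass_protocol_errors)
    { reason = "Protocol Errors"; }

    if (reason != NULL)
    {
        action = SSL_ACTION_PASSTHROUGH;
        ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, reason);
        /* Log every raw flag, not just the winner: a PASSTHROUGH session is not inspected,
         * and the reason alone does not show which other bypass conditions also held. */
        TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %d, action PASSTHROUGH due to %s (pinning:%d, ja3_pinning:%d, mutual_auth:%d, is_ev:%d, is_ct:%d, has_error:%d)",
                      addr_string, sni, policy_param->policy_id, reason,
                      pinning_staus, ja3_pinning_status, is_mauth, is_ev, is_ct, has_error);
    }
    else
    {
        action = SSL_ACTION_INTERCEPT;
    }
    // … unchanged: intercept_param_free(policy_param); …
```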