authorliuxueli <[email protected]>2023-06-27 17:05:49 +0800
committerliuxueli <[email protected]>2023-06-29 18:10:36 +0800
commit3a8041198fcbcbecc4cce524dbcd4f9664e027d5 (patch)
tree67b0bf1fb1c5059bfca9ef62db9dd97dcbb9f496
parent2fda08dc43e8586855e934a11690ff2b78f5bfa7 (diff)
TSG-15163,TSG-15711: 支持ech协议作为安全策略条件
-rw-r--r--bin/tsg_l7_protocol.conf3
-rw-r--r--inc/tsg_ssl_utils.h2
-rw-r--r--src/tsg_bridge.h14
-rw-r--r--src/tsg_entry.cpp17
4 files changed, 27 insertions, 9 deletions
diff --git a/bin/tsg_l7_protocol.conf b/bin/tsg_l7_protocol.conf
index dcc9431..08d168a 100644
--- a/bin/tsg_l7_protocol.conf
+++ b/bin/tsg_l7_protocol.conf
@@ -53,4 +53,5 @@ STRING LDAP 100
STRING RTMP 337
STRING RTSP 176
STRING ESNI 8008
-STRING Stratum 8169 \ No newline at end of file
+STRING Stratum 8169
+STRING ECH 8173 \ No newline at end of file
diff --git a/inc/tsg_ssl_utils.h b/inc/tsg_ssl_utils.h
index 8d9637a..1d39b47 100644
--- a/inc/tsg_ssl_utils.h
+++ b/inc/tsg_ssl_utils.h
@@ -29,7 +29,7 @@ struct ssl_chello
char* alpn;
char* cipher_suites;
char* cipher_suites_tls13;
- int is_encrypt_sni;
+ int is_encrypt_sni;
int is_encrypt_chello;
};
struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len, enum chello_parse_result* result);
diff --git a/src/tsg_bridge.h b/src/tsg_bridge.h
index 7c460e2..bf017fd 100644
--- a/src/tsg_bridge.h
+++ b/src/tsg_bridge.h
@@ -77,12 +77,16 @@ struct hited_app_para
struct session_runtime_process_context
{
- unsigned char is_esni;
- unsigned char is_hitted_allow;
+ unsigned char is_esni:1;
+
+ unsigned char is_ech:1;
+ unsigned char is_hitted_allow:1;
+ unsigned char is_app_link:1;
+ unsigned char first_origin_pkt:1;
+ unsigned char padding_bit:3;
unsigned char deal_pkt_num;
- unsigned char is_app_link;
unsigned char sync_cb_state;
- unsigned char first_origin_pkt;
+ unsigned char padding[3];
unsigned short timeout;
enum TSG_PROTOCOL proto;
int matched_app_id; // only app
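Review bot: The four flags of `session_runtime_process_context` now share one byte as 1-bit fields and a `padding_bit:3` / `padding[3]` pair was added without a comment saying what size or offset is being preserved, so the next person adding a flag cannot tell whether the padding is load-bearing. If the layout is consumed elsewhere by size or offset (the header name suggests a bridge interface; I cannot confirm from here), a `_Static_assert(sizeof(struct session_runtime_process_context) == /* expected size placeholder */, "layout changed");` next to the struct would turn a silent ABI drift into a build error. The stray blank line between `is_esni:1` and `is_ech:1` also reads as if the two belonged to different groups; suggest `unsigned char padding_bit:3; /* keeps the flag byte full; see padding[3] below */`. The struct continues outside the hunk.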
@@ -220,5 +224,3 @@ char *srt_action_context_get_l4_protocol(const struct session_runtime_action_con
const struct session_runtime_process_context *session_runtime_process_context_new(const struct streaminfo * a_stream);
void session_runtime_process_context_free(const struct streaminfo *a_stream);
-
-
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 57d09cb..37bd5e8 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -1420,7 +1420,16 @@ int session_l7_protocol_identify(const struct streaminfo *a_stream, struct sessi
srt_process_context->ssl_sni=malloc_copy_string(chello->sni, strlen(chello->sni), a_stream->threadnum);
}
- srt_process_context->is_esni=(int)chello->is_encrypt_sni;
+ if(chello->is_encrypt_sni==1)
+ {
+ srt_process_context->is_esni=1;
+ }
+
+
+ if(chello->is_encrypt_chello==1)
+ {
+ srt_process_context->is_ech=1;
+ }
ssl_chello_free(chello);
return 1;
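Review bot: The removed line assigned `is_esni` unconditionally from the parser result, while the new code only sets the flag when `is_encrypt_sni` is exactly 1 and never clears it; the same applies to the new `is_ech` block. If the process context is reused across ClientHellos, or the parser ever reports a non-zero value other than 1, the policy condition that the commit title introduces would be evaluated on a stale or missed flag. Since both fields are now 1-bit, the unconditional form stays valid: `srt_process_context->is_esni = chello->is_encrypt_sni ? 1 : 0;` and `srt_process_context->is_ech = chello->is_encrypt_chello ? 1 : 0;`, which also drops the two empty lines between the blocks. `session_l7_protocol_identify` begins before this hunk, so whether the context is freshly allocated at this point is not visible here.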
@@ -2025,6 +2034,12 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess
unsigned int protocol_id=tsg_l7_protocol_name2id("ESNI", 4);
matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt);
}
+
+ if(srt_process_context->is_ech)
+ {
+ unsigned int protocol_id=tsg_l7_protocol_name2id("ECH", 3);
+ matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt);
+ }
if(srt_process_context->proto==PROTO_HTTP && srt_process_context->http_url!=NULL)
{