// Return the URL configured for one backend server kind.
//
// SGX_WHITE_LIST_FILE is served from the AESM config file (_config_urls) and
// is loaded lazily on first use; every other kind comes from the cached
// endpoint-selection URL set (_server_urls), which is refreshed with
// get_url_info() when it is not yet valid.
//
// Returns a pointer into the cached URL storage, or NULL when the server URL
// set could not be established.  An unknown type is a programming error
// (assert) and also yields NULL.  _es_lock is taken for the whole call;
// presumably AESMLogicLock releases it on scope exit.
const char *EndpointSelectionInfo::get_server_url(aesm_network_server_enum_type_t type)
{
    AESMLogicLock lock(_es_lock);

    // The white-list URL does not belong to the endpoint-selection URL set,
    // so it is answered before the server-URL validity checks below.
    if (SGX_WHITE_LIST_FILE == type) {
        if (!_is_white_list_url_valid) {
            (void)read_aesm_config(_config_urls);   // result deliberately ignored
            _is_white_list_url_valid = true;
        }
        return _config_urls.white_list_url;
    }

    // Lazily populate the server URL set; a refresh that leaves the set
    // invalid means no URL can be returned.
    if (!_is_server_url_valid) {
        (void)get_url_info();
        if (!_is_server_url_valid) {
            return NULL;
        }
    }

    const char *url = NULL;
    switch (type) {
    case ENDPOINT_SELECTION:
        url = _server_urls.endpoint_url;
        break;
    case REVOCATION_LIST_RETRIEVAL:
        url = _server_urls.pse_rl_url;
        break;
    case PSE_OCSP:
        url = _server_urls.pse_ocsp_url;
        break;
    default:
        assert(0);   // callers must never pass an unknown server type
        break;
    }
    return url;
}
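/*
 * Daemon entry point: reads packets from the netfilter queue over a netlink
 * socket and hands each one to nfq_handle_packet().
 *
 * argv[1]  list mode, copied into the global listtype ("Exclude"/"Include"
 *          in the ipq variant of this filter).
 *
 * Returns 1 on a usage error or when get_url_info() fails.  The receive loop
 * otherwise runs until the process is killed, so the cleanup after it is only
 * reached if the loop condition is ever changed.
 */
int main(int argc, char **argv)
{
    int fd, rv;
    char buf[BUFSIZE];

    /* argv[1] used to be dereferenced unconditionally: started without an
     * argument the daemon crashed on a NULL pointer instead of reporting usage. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <listtype>\n", argv[0]);
        return 1;
    }
    /* Bounded copy instead of strcpy(): listtype is a fixed-size buffer
     * (8 bytes in the ipq variant) and argv[1] has arbitrary length.
     * NOTE(review): assumes the global listtype is declared as an array; if it
     * is a pointer, sizeof() is wrong and its real capacity must be used. */
    strncpy(listtype, argv[1], sizeof(listtype) - 1);
    listtype[sizeof(listtype) - 1] = '\0';

    if (get_url_info()) {
        printf("error during get_url_info()\n");
        return 1;   /* was 0, which reported success to the caller */
    }
    memset(buf, 0, sizeof(buf));

    /* open a netlink connection to get packet from kernel */
    fd = netlink_open_connection(NULL);
    while (1) {
        rv = recv(fd, buf, sizeof(buf), 0);
        if (rv >= 0) {
#ifdef UFD_DEBUG
            printf("pkt received\n");
#endif
            nfq_handle_packet(h, buf, rv);
            memset(buf, 0, sizeof(buf));
        } else {
            /* recv() failed (also the case when fd is not a valid descriptor):
             * close the queue handle and rebind.  A socket that keeps failing
             * spins in this branch. */
            nfq_close(h);
#ifdef UFD_DEBUG
            printf("nfq close done\n");
#endif
            fd = netlink_open_connection(NULL);
#ifdef UFD_DEBUG
            printf("need to rebind to netfilter queue 0\n");
#endif
        }
    }
#ifdef UFD_DEBUG
    printf("unbinding from queue 0\n");
#endif
    nfq_destroy_queue(qh);
    nfq_close(h);
    return 0;
}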
// Copy the cached backend server URL set into server_url.
//
// If the cached set is not yet valid it is refreshed with the no-argument
// get_url_info() first (which presumably sets _is_server_url_valid on
// success).  _es_lock is held for the whole call.
//
// Returns AE_SUCCESS when server_url has been filled, AE_FAILURE when the set
// is still invalid after the refresh or memcpy_s rejects the copy.
ae_error_t EndpointSelectionInfo::get_url_info(aesm_server_url_infos_t& server_url)
{
    AESMLogicLock lock(_es_lock);

    if (!_is_server_url_valid) {
        (void)get_url_info();
    }
    if (!_is_server_url_valid) {
        return AE_FAILURE;
    }

    const int copy_rc = memcpy_s(&server_url, sizeof(server_url),
                                 &_server_urls, sizeof(_server_urls));
    return (copy_rc == 0) ? AE_SUCCESS : AE_FAILURE;
}
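/*
 * Locate the TCP payload inside a queued IPv4 packet.
 *
 * Checks that m carries at least a full IPv4 header with a sane IHL, that
 * the protocol is TCP, and that the TCP header (per doff) lies within
 * m->data_len.  On success stores the payload offset relative to m->payload
 * and the number of payload bytes actually present, and returns 1.  Returns
 * 0 for anything else, which the caller treats as "not HTTP".
 */
static int locate_tcp_payload(const ipq_packet_msg_t *m,
                              unsigned int *offset, unsigned int *len)
{
    const struct iphdr *iph;
    const struct tcphdr *tcp;
    unsigned int ip_hdr_len;

    if (m->data_len < sizeof(struct iphdr)) {
        return 0;
    }
    iph = (const struct iphdr *)m->payload;
    ip_hdr_len = (unsigned int)iph->ihl << 2;
    /* tcp->doff is meaningless for anything but TCP, and the original code
     * read it for every protocol. */
    if (iph->version != 4 || ip_hdr_len < sizeof(struct iphdr)
        || iph->protocol != IPPROTO_TCP
        || m->data_len < ip_hdr_len + sizeof(struct tcphdr)) {
        return 0;
    }
    tcp = (const struct tcphdr *)(m->payload + ip_hdr_len);
    *offset = ip_hdr_len + ((unsigned int)tcp->doff << 2);
    if (*offset > m->data_len) {
        return 0;
    }
    /* The original computed "tot_len - ihl*4 + doff*4", adding the TCP header
     * length instead of subtracting it.  Bound by data_len instead, so the
     * length never exceeds what was actually copied from the kernel. */
    *len = (unsigned int)m->data_len - *offset;
    return 1;
}

/*
 * Entry point of the ip_queue (libipq) URL filter.
 *
 * argv[1] selects the list mode: "Exclude" drops requests that match the
 * global purl list and accepts everything else; any other value is treated
 * as an include list and does the opposite.  Each queued packet is validated
 * as IPv4/TCP, its TCP payload is copied into a NUL-terminated buffer and
 * searched for an HTTP request line, then compared against every purl entry
 * (website plus optional folder), and a verdict is returned to the kernel.
 *
 * Returns 1 on a usage error.  The verdict loop never terminates on its own;
 * die() exits the process on any ipq failure.
 */
int main(int argc, char **argv)
{
    int status;
    unsigned int payload_len, payload_offset;
    unsigned char buf[BUFSIZE];
    char payload[BUFSIZE];
    char listtype[8];
    struct ipq_handle *h;
    char *match, *folder, *url;
    PURL current;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <Exclude|Include>\n", argv[0]);
        return 1;
    }
    /* listtype is 8 bytes: strcpy() of a longer argv[1] overflowed the stack. */
    strncpy(listtype, argv[1], sizeof(listtype) - 1);
    listtype[sizeof(listtype) - 1] = '\0';

    get_url_info();

    h = ipq_create_handle(0, PF_INET);
    if (!h) {
        die(h);
    }
    status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
    if (status < 0) {
        die(h);
    }

    do {
        memset(buf, 0, sizeof(buf));
        status = ipq_read(h, buf, BUFSIZE, 0);
        if (status < 0) {
            die(h);
        }
        switch (ipq_message_type(buf)) {
        case NLMSG_ERROR: {
            fprintf(stderr, "Received error message %d\n", ipq_get_msgerr(buf));
            break;
        }
        case IPQM_PACKET: {
            ipq_packet_msg_t *m = ipq_get_packet(buf);
            char decision = 'n';

            match = folder = url = NULL;

            /* Truncated or non-IPv4/TCP packets cannot carry an HTTP request
             * line; accept them the same way non-HTTP payloads are accepted. */
            if (!locate_tcp_payload(m, &payload_offset, &payload_len)) {
                status = ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
                if (status < 0) {
                    die(h);
                }
                break;
            }
            /* strstr() needs a terminator.  The original searched the raw
             * packet bytes and relied on the zeroed tail of buf; copy the
             * payload and terminate it explicitly so a packet that fills the
             * buffer cannot make the searches run past the end. */
            if (payload_len >= sizeof(payload)) {
                payload_len = sizeof(payload) - 1;
            }
            memcpy(payload, m->payload + payload_offset, payload_len);
            payload[payload_len] = '\0';
            match = payload;

            /* Only GET/POST/HEAD requests are filtered; everything else passes. */
            if (strstr(match, "GET ") == NULL && strstr(match, "POST ") == NULL
                && strstr(match, "HEAD ") == NULL) {
                status = ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
                if (status < 0) {
                    die(h);
                }
                break;
            }

            /* First entry whose website string occurs in the payload decides.
             * An entry with a folder only counts as a hit if the folder string
             * occurs too; in Exclude mode a hit drops, otherwise a hit accepts. */
            for (current = purl; current != NULL; current = current->next) {
                if (current->folder[0] != '\0') {
                    folder = strstr(match, current->folder);
                }
                if ((url = strstr(match, current->website)) != NULL) {
                    if (strcmp(listtype, "Exclude") == 0) {
                        if ((folder != NULL) || (current->folder[0] == '\0')) {
                            status = ipq_set_verdict(h, m->packet_id, NF_DROP, 0, NULL);
                            decision = 'y';
                        } else {
                            /* website hit but folder miss in the Exclude list */
                            status = ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
                            decision = 'y';
                        }
                        if (status < 0) {
                            die(h);
                        }
                        break;
                    } else {
                        if ((folder != NULL) || (current->folder[0] == '\0')) {
                            status = ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
                            decision = 'y';
                        } else {
                            /* website hit but folder miss in the Include list */
                            status = ipq_set_verdict(h, m->packet_id, NF_DROP, 0, NULL);
                            decision = 'y';
                        }
                        if (status < 0) {
                            die(h);
                        }
                        break;
                    }
                }
            }

            /* No entry matched: the Exclude list lets it through, the Include
             * list drops it. */
            if (url == NULL) {
                if (strcmp(listtype, "Exclude") == 0) {
                    status = ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
                    decision = 'y';
                } else {
                    status = ipq_set_verdict(h, m->packet_id, NF_DROP, 0, NULL);
                    decision = 'y';
                }
                if (status < 0) {
                    die(h);
                }
            }
            /* Defensive: every path above has already issued a verdict. */
            if (decision == 'n') {
                ipq_set_verdict(h, m->packet_id, NF_ACCEPT, 0, NULL);
            }
            break;
        }
        default: {
            fprintf(stderr, "Unknown message type!\n");
            break;
        }
        }
    } while (1);
    ipq_destroy_handle(h);
    return 0;
}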
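/*
 * Daemon entry point (captive-portal enabled build): loads the URL list and
 * the optional captive-portal configuration, then reads packets from the
 * netfilter queue over a netlink socket and hands each one to
 * nfq_handle_packet().
 *
 * argv[1]  list mode, copied into the global listtype ("Exclude"/"Include"
 *          in the ipq variant of this filter).
 *
 * Returns 1 on a usage error or when get_url_info() fails.  The receive loop
 * otherwise runs until the process is killed, so the cleanup after it is only
 * reached if the loop condition is ever changed.
 */
int main(int argc, char **argv)
{
    int fd, rv;
    char buf[BUFSIZE];

    /* argv[1] used to be dereferenced unconditionally: started without an
     * argument the daemon crashed on a NULL pointer instead of reporting usage. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <listtype>\n", argv[0]);
        return 1;
    }
    /* Bounded copy instead of strcpy(): listtype is a fixed-size buffer
     * (8 bytes in the ipq variant) and argv[1] has arbitrary length.
     * NOTE(review): assumes the global listtype is declared as an array; if it
     * is a pointer, sizeof() is wrong and its real capacity must be used. */
    strncpy(listtype, argv[1], sizeof(listtype) - 1);
    listtype[sizeof(listtype) - 1] = '\0';

    if (get_url_info()) {
        printf("error during get_url_info()\n");
        return 1;   /* was 0, which reported success to the caller */
    }
    memset(buf, 0, sizeof(buf));

#if defined(AEI_VDSL_CUSTOMER_NCS)
    signal(SIGINT, SIG_IGN);
#endif
#if defined (DMP_CAPTIVEPORTAL_1)
    cmsMsg_init(EID_URLFILTERD, &msgHandle);
    cmsLog_init(EID_URLFILTERD);
    AEI_getCaptiveURLandIPAddr(capURLFile, captiveURL, captiveIPAddr, &flagCaptiveURL);
#if defined(AEI_VDSL_TR098_QWEST)
    AEI_getCaptiveURLandIPAddr(oneTimeCapURLFile, oneTimeRedirectURL, oneTimeRedirectIPAdress, &flagOneTimeRedirect);
#endif
#if defined(AEI_VDSL_CAPTIVE_PAGES)
    char lan_ip[16] = "\0";
    AEI_get_lan_ip(lan_ip);
    memset(GlbRedirectUrl, 0, sizeof(GlbRedirectUrl));
    /* GlbRedirectUrl is sized with sizeof() just above, so bound the formatted
     * write the same way instead of trusting the length of lan_ip. */
    snprintf(GlbRedirectUrl, sizeof(GlbRedirectUrl), "%s/captiveportal_pageblocked.html", lan_ip);
#endif
    AEI_getCaptiveAllowList();
#if defined(AEI_VDSL_CUSTOMER_CENTURYLINK)
    AEI_getCaptiveAllowDomain();
#endif
#endif
#if defined(AEI_VDSL_CUSTOMER_WEBACTIVELOG_SWITCH)
    AEI_getWebActiveInfo();
#endif

    /* open a netlink connection to get packet from kernel */
    fd = netlink_open_connection(NULL);
    while (1) {
        rv = recv(fd, buf, sizeof(buf), 0);
        if (rv >= 0) {
#ifdef UFD_DEBUG
            printf("pkt received\n");
#endif
            nfq_handle_packet(h, buf, rv);
            memset(buf, 0, sizeof(buf));
        } else {
            /* recv() failed (also the case when fd is not a valid descriptor):
             * close the queue handle and rebind.  A socket that keeps failing
             * spins in this branch. */
            nfq_close(h);
#ifdef UFD_DEBUG
            printf("nfq close done\n");
#endif
            fd = netlink_open_connection(NULL);
#ifdef UFD_DEBUG
            printf("need to rebind to netfilter queue 0\n");
#endif
        }
    }
#ifdef UFD_DEBUG
    printf("unbinding from queue 0\n");
#endif
    nfq_destroy_queue(qh);
    nfq_close(h);
    return 0;
}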
//Function to implement the end point selection protocol
//
// Runs one round of endpoint selection (ES) against the backend:
//   1. makes sure the server URL set is loaded (get_url_info());
//   2. asks the PvE enclave for the partition/selector and xid that go into
//      ES msg1, unloading and reloading the enclave up to
//      MAX_ENCLAVE_LOST_RETRY_TIME times when it reports AE_ENCLAVE_LOST;
//   3. builds ES msg1, sends it to _server_urls.endpoint_url and receives
//      msg2;
//   4. has the enclave parse msg2 (provisioning URL, TTL, PEK, RSA signature)
//      and verifies the signature -- msg2 comes from the network, so this
//      check is what makes the decoded fields trustworthy;
//   5. persists the result with write_pek() and returns it in es_info.
//
// es_info is zeroed on entry.  On a network failure other than
// OAL_PROXY_SETTING_ASSIST a previously persisted copy is read back with
// read_pek() and AE_SUCCESS is returned despite the network error.  On a
// msg2 parse or signature failure es_info may already hold the unverified
// fields written by proc_es_msg2, so callers must check the return value.
//
// Returns AE_SUCCESS, or the first ae_error_t encountered.  msg and resp are
// released at final_point on every path; _es_lock is held throughout.
ae_error_t EndpointSelectionInfo::start_protocol(endpoint_selection_infos_t& es_info)
{
    AESMLogicLock lock(_es_lock);
    uint32_t msg_size = 0;
    uint8_t *resp = NULL;
    uint32_t resp_size = 0;
    uint16_t provision_ttl = 0;
    uint8_t *msg = NULL;
    uint8_t rsa_signature[RSA_3072_KEY_BYTES];   // presumably filled by proc_es_msg2 below
    gen_endpoint_selection_output_t enclave_output;
    ae_error_t ae_ret = AE_SUCCESS;
    uint32_t enclave_lost_count = 0;
    AESM_DBG_DEBUG("enter fun");
    memset(&es_info, 0, sizeof(es_info));
    memset(&enclave_output, 0, sizeof(enclave_output));
    if(!_is_server_url_valid){
        ae_ret = get_url_info();
        if(AE_SUCCESS != ae_ret){//It is not likely happen, only fail when memcpy_s failed
            AESM_DBG_ERROR("Fail to initialize server URL information");
            goto final_point;
        }
    }
    // Retry loop for the enclave call: an enclave lost during gen_es_msg1_data
    // is unloaded and reloaded, any other failure aborts.
    do{
        if((ae_ret = CPVEClass::instance().load_enclave())!=AE_SUCCESS){
            AESM_DBG_ERROR("Fail to load PVE enclave:%d", ae_ret);
            goto final_point;
        }
        //call PvE to generate the partition and xid
        ae_ret = static_cast<ae_error_t>(CPVEClass::instance().gen_es_msg1_data(&enclave_output));
        if(ae_ret == AE_ENCLAVE_LOST&& (++enclave_lost_count)<=MAX_ENCLAVE_LOST_RETRY_TIME ){
            CPVEClass::instance().unload_enclave();//unload and reload PvE when enclave lost encountered
            continue;
        }else if(ae_ret == AE_SUCCESS){
            break;
        }else{
            AESM_DBG_ERROR("fail to generate parition by PvE");
            goto final_point;
        }
    }while(1);
    AESM_DBG_TRACE("use parition %d from PvE", (int)enclave_output.selector_id);
    AESM_DBG_INFO("Connect to server url \"%s\" for endpoint selection", _server_urls.endpoint_url);
    // msg is a heap buffer sized by estimate_es_msg1_size() and freed at final_point.
    msg_size = estimate_es_msg1_size();
    assert(msg_size>0);
    msg = static_cast<uint8_t *>(malloc(msg_size));
    if(msg == NULL){
        AESM_DBG_ERROR("malloc error");
        ae_ret = AE_OUT_OF_MEMORY_ERROR;
        goto final_point;
    }
    memset(msg, 0, msg_size);
    ae_ret = static_cast<ae_error_t>(CPVEClass::instance().gen_es_msg1(msg, msg_size, enclave_output));//Generate EndPoint Selection Msg1
    if(ae_ret != AE_SUCCESS){
        AESM_DBG_ERROR("ES msg1 generation failed:%d",ae_ret);
        goto final_point;
    }
    AESM_DBG_TRACE("ES msg1 generated");
    // resp/resp_size are allocated by the network layer and released with
    // aesm_free_response_msg at final_point.
    ae_ret = AESMNetworkEncoding::aesm_send_recv_msg_encoding(_server_urls.endpoint_url, msg, msg_size, resp, resp_size);//Encoding/send/receive/Decoding
    if(ae_ret != AE_SUCCESS){
        AESM_DBG_ERROR("fail to send ES msg1 to backend server:%d",ae_ret);
        if(OAL_PROXY_SETTING_ASSIST == ae_ret){//when proxy setting assistant required, return directly
            goto final_point;
        }
        // Offline fallback: a previously persisted es_info masks the network error.
        if(read_pek(es_info)==AE_SUCCESS){
            ae_ret = AE_SUCCESS;//use es_info inside persistent storage and ignore network error
        }
        goto final_point;
    }
    assert(resp != NULL);
    AESM_DBG_TRACE("start to process ES msg2");
    // msg2 is untrusted network input; it is parsed inside the enclave and its
    // fields are only accepted once verify_signature below succeeds.
    ae_ret = static_cast<ae_error_t>(CPVEClass::instance().proc_es_msg2(resp, resp_size, es_info.provision_url, provision_ttl, enclave_output.xid, rsa_signature , es_info.pek));
    if(AE_SUCCESS != ae_ret){
        AESM_DBG_WARN("Fail to process ES msg2 from backend server:%d",ae_ret);
        goto final_point;
    }
    AESM_DBG_TRACE("ES Msg2 decoded successfully, ttl %ds",provision_ttl);
    ae_ret = verify_signature(es_info, enclave_output.xid, rsa_signature, provision_ttl);
    if(AE_SUCCESS != ae_ret){
        AESM_DBG_WARN("Signature verification in ES Msg2 failed");
        goto final_point;
    }
    AESM_DBG_TRACE("Signature in ES Msg2 verified");
    // Only a verified result is tagged and persisted.
    es_info.aesm_data_type = AESM_DATA_ENDPOINT_SELECTION_INFOS;
    es_info.aesm_data_version = AESM_DATA_ENDPOINT_SELECTION_VERSION;
    (void)write_pek(es_info);//ignore file writing error
    AESM_DBG_TRACE("end point selection succ, provisioning url: %s",es_info.provision_url);
final_point:
    // Common exit: release the request buffer and the network response.
    if(msg!=NULL)free(msg);
    if(resp!=NULL){
        AESMNetworkEncoding::aesm_free_response_msg(resp);
    }
    return ae_ret;
}