const char *EndpointSelectionInfo::get_server_url(aesm_network_server_enum_type_t type)
{
    // Hold the lock for the whole lookup: both cached tables below are
    // populated lazily and shared between callers.
    AESMLogicLock lock(_es_lock);

    // The white-list URL comes from the AESM config file, read at most once.
    if (type == SGX_WHITE_LIST_FILE) {
        if (!_is_white_list_url_valid) {
            // The read result is deliberately ignored: the flag is set either
            // way, so a failed read is not retried on later calls.
            (void)read_aesm_config(_config_urls);
            _is_white_list_url_valid = true;
        }
        return _config_urls.white_list_url;
    }

    // Every other URL lives in the server table filled in by get_url_info().
    if (!_is_server_url_valid) {
        (void)get_url_info();
        if (!_is_server_url_valid) {
            return NULL;  // table could not be loaded
        }
    }

    const char *url = NULL;
    if (type == ENDPOINT_SELECTION) {
        url = _server_urls.endpoint_url;
    } else if (type == REVOCATION_LIST_RETRIEVAL) {
        url = _server_urls.pse_rl_url;
    } else if (type == PSE_OCSP) {
        url = _server_urls.pse_ocsp_url;
    } else {
        assert(0);  // caller passed an enumerator this table does not serve
    }
    return url;
}
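/*
 * Entry point of the URL filter daemon: argv[1] selects the list mode
 * ("Exclude" or anything else for include mode), then packets are pulled
 * from the netfilter queue for as long as the process lives.
 *
 * Returns 1 on a usage error, 0 if get_url_info() fails; the receive loop
 * itself never returns.
 */
int main(int argc, char **argv)
{
    int fd, rv;
    char buf[BUFSIZE];

    /* Refuse to run without the mode argument instead of copying from a
     * NULL argv[1], and bound the copy so an over-long argument cannot
     * overrun the listtype buffer.
     * NOTE(review): assumes listtype is a char array, not a pointer — confirm. */
    if (argc < 2 || argv[1] == NULL)
    {
        fprintf(stderr, "usage: %s <Exclude|Include>\n", argv[0]);
        return 1;
    }
    snprintf(listtype, sizeof(listtype), "%s", argv[1]);

    if (get_url_info())
    {
        printf("error during get_url_info()\n");
        return 0;
    }

    memset(buf, 0, sizeof(buf));

    /* open a netlink connection to get packet from kernel */
    fd = netlink_open_connection(NULL);

    for (;;)
    {
        rv = recv(fd, buf, sizeof(buf), 0);
        if (rv >= 0)
        {
#ifdef UFD_DEBUG
            printf("pkt received\n");
#endif
            /* rv is the number of bytes actually received; a zero-length
             * read is handed over as well, as before. */
            nfq_handle_packet(h, buf, rv);
            memset(buf, 0, sizeof(buf));
        }
        else
        {
            /* recv() failed: drop the queue handle and reopen the netlink
             * socket so the daemon keeps filtering.
             * NOTE(review): assumes netlink_open_connection() re-creates the
             * global handle h after nfq_close() — confirm, otherwise the next
             * nfq_handle_packet(h, ...) call uses a closed handle. */
            nfq_close(h);
#ifdef UFD_DEBUG
            printf("nfq close done\n");
#endif
            fd = netlink_open_connection(NULL);
#ifdef UFD_DEBUG
            printf("need to rebind to netfilter queue 0\n");
#endif
        }
    }

    /* Not reached: the receive loop above never terminates. */
#ifdef UFD_DEBUG
    printf("unbinding from queue 0\n");
#endif
    nfq_destroy_queue(qh);
    nfq_close(h);

    return 0;
}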
// Copy the cached server URL table into the caller's buffer, loading the
// table first if it has not been populated yet.
//
// @param server_url  destination for the cached table
// @return AE_SUCCESS when the copy succeeded; AE_FAILURE when the table could
//         not be loaded or memcpy_s rejected the copy.
ae_error_t EndpointSelectionInfo::get_url_info(aesm_server_url_infos_t& server_url)
{
    AESMLogicLock lock(_es_lock);

    // Lazy load; the no-argument overload sets _is_server_url_valid on success.
    if (!_is_server_url_valid) {
        (void)get_url_info();
    }
    if (!_is_server_url_valid) {
        return AE_FAILURE;
    }

    // Bounded copy: fails (non-zero) if the destination is too small.
    if (memcpy_s(&server_url, sizeof(server_url), &_server_urls, sizeof(_server_urls)) != 0) {
        return AE_FAILURE;
    }
    return AE_SUCCESS;
}
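/*
 * Search for a NUL-terminated needle inside a byte range that is NOT
 * NUL-terminated (captured packet payload).  Keeps strstr() semantics for
 * the match itself (an empty needle matches at the start) but never reads
 * past hay_len, unlike strstr() on raw packet memory.
 */
static const char *find_in_payload(const char *hay, size_t hay_len, const char *needle)
{
   size_t needle_len = strlen(needle);
   size_t i;

   if (needle_len == 0)
   {
      return hay;
   }
   if (needle_len > hay_len)
   {
      return NULL;
   }
   for (i = 0; i + needle_len <= hay_len; i++)
   {
      if (memcmp(hay + i, needle, needle_len) == 0)
      {
         return hay + i;
      }
   }
   return NULL;
}

/*
 * Apply the rule list (global purl) to one HTTP request payload.
 * "Exclude" mode: a website hit whose folder also hits (or whose rule has
 * no folder) drops, a website hit without folder hit accepts, no hit at
 * all accepts.  Any other mode is the include list and inverts each verdict.
 * The first rule whose website matches decides, as before.
 */
static unsigned int decide_verdict(const char *payload, size_t payload_len, const char *mode)
{
   PURL current;
   int exclude_mode = (strcmp(mode, "Exclude") == 0);

   for (current = purl; current != NULL; current = current->next)
   {
      int folder_hit;

      if (find_in_payload(payload, payload_len, current->website) == NULL)
      {
         continue;
      }
      /* A rule with an empty folder restricts by website alone. */
      folder_hit = (current->folder[0] == '\0') ||
                   (find_in_payload(payload, payload_len, current->folder) != NULL);
      if (exclude_mode)
      {
         return folder_hit ? NF_DROP : NF_ACCEPT;
      }
      return folder_hit ? NF_ACCEPT : NF_DROP;
   }

   /* No rule matched the request. */
   return exclude_mode ? NF_ACCEPT : NF_DROP;
}

/* Issue a verdict for one queued packet; die() on failure as before. */
static void set_verdict_or_die(struct ipq_handle *h, ipq_id_t packet_id, unsigned int verdict)
{
   if (ipq_set_verdict(h, packet_id, verdict, 0, NULL) < 0)
   {
      die(h);
   }
}

/*
 * Validate the IPv4 and TCP headers against the number of bytes actually
 * copied to user space, then hand the TCP payload to the rule matcher.
 * Anything that is not a well-formed IPv4/TCP segment carrying an HTTP
 * request line is accepted unchanged (previously the headers were trusted
 * blindly, so a short or non-TCP packet was parsed out of bounds).
 */
static void handle_packet(struct ipq_handle *h, ipq_packet_msg_t *m, const char *mode)
{
   const unsigned char *pkt = m->payload;
   size_t avail = m->data_len;    /* bytes of the packet present in buf */
   const struct iphdr *iph;
   const struct tcphdr *tcp;
   size_t ip_hl, tcp_hl, hdr_len, tot_len, payload_len;
   const char *payload;

   if (avail < sizeof(struct iphdr))
   {
      set_verdict_or_die(h, m->packet_id, NF_ACCEPT);
      return;
   }
   iph = (const struct iphdr *)pkt;
   ip_hl = (size_t)iph->ihl << 2;
   /* The rules describe HTTP requests, so only IPv4/TCP is inspected. */
   if (iph->version != 4 || iph->protocol != IPPROTO_TCP ||
       ip_hl < sizeof(struct iphdr) || avail < ip_hl + sizeof(struct tcphdr))
   {
      set_verdict_or_die(h, m->packet_id, NF_ACCEPT);
      return;
   }
   tcp = (const struct tcphdr *)(pkt + ip_hl);
   tcp_hl = (size_t)tcp->doff << 2;
   hdr_len = ip_hl + tcp_hl;
   tot_len = ntohs(iph->tot_len);
   /* Do not trust the on-wire total length beyond what was copied. */
   if (tot_len > avail)
   {
      tot_len = avail;
   }
   if (tcp_hl < sizeof(struct tcphdr) || hdr_len > tot_len)
   {
      set_verdict_or_die(h, m->packet_id, NF_ACCEPT);
      return;
   }
   payload = (const char *)(pkt + hdr_len);
   payload_len = tot_len - hdr_len;

   /* No HTTP request line anywhere in the payload: pass through untouched. */
   if (find_in_payload(payload, payload_len, "GET ") == NULL &&
       find_in_payload(payload, payload_len, "POST ") == NULL &&
       find_in_payload(payload, payload_len, "HEAD ") == NULL)
   {
      set_verdict_or_die(h, m->packet_id, NF_ACCEPT);
      return;
   }

   set_verdict_or_die(h, m->packet_id, decide_verdict(payload, payload_len, mode));
}

/*
 * Entry point: argv[1] selects "Exclude" mode (any other value is the
 * include list), the rule table is loaded, and packets are read from the
 * ip_queue handle until die() terminates the process.
 *
 * Returns 1 on a usage error; the read loop itself never returns.
 */
int main(int argc, char **argv)
{
   int status;
   unsigned char buf[BUFSIZE];
   char listtype[8];
   struct ipq_handle *h;

   /* Reject a missing argument instead of dereferencing a NULL argv[1],
    * and bound the copy so a long argument cannot overrun listtype[8]. */
   if (argc < 2 || argv[1] == NULL)
   {
      fprintf(stderr, "usage: %s <Exclude|Include>\n", argv[0]);
      return 1;
   }
   snprintf(listtype, sizeof(listtype), "%s", argv[1]);

   /* NOTE(review): the return value is ignored here while a sibling build
    * treats a non-zero result as failure — confirm which convention applies. */
   get_url_info();

   h = ipq_create_handle(0, PF_INET);
   if (!h)
   {
      die(h);
   }

   status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE);
   if (status < 0)
   {
      die(h);
   }

   for (;;)
   {
      memset(buf, 0, sizeof(buf));
      status = ipq_read(h, buf, BUFSIZE, 0);
      if (status < 0)
      {
         die(h);
      }

      switch (ipq_message_type(buf))
      {
         case NLMSG_ERROR:
            fprintf(stderr, "Received error message %d\n", ipq_get_msgerr(buf));
            break;

         case IPQM_PACKET:
            handle_packet(h, ipq_get_packet(buf), listtype);
            break;

         default:
            fprintf(stderr, "Unknown message type!\n");
            break;
      }
   }

   /* Not reached: the read loop above never terminates. */
   ipq_destroy_handle(h);
   return 0;
}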
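/*
 * Entry point of the URL filter daemon (vendor build): argv[1] selects the
 * list mode ("Exclude" or anything else for include mode), optional
 * captive-portal / web-activity state is loaded, then packets are pulled
 * from the netfilter queue for as long as the process lives.
 *
 * Returns 1 on a usage error, 0 if get_url_info() fails; the receive loop
 * itself never returns.
 */
int main(int argc, char **argv)
{
	int fd, rv;
	char buf[BUFSIZE];

	/* Refuse to run without the mode argument instead of copying from a
	 * NULL argv[1], and bound the copy so an over-long argument cannot
	 * overrun the listtype buffer.
	 * NOTE(review): assumes listtype is a char array, not a pointer — confirm. */
	if (argc < 2 || argv[1] == NULL)
	{
		fprintf(stderr, "usage: %s <Exclude|Include>\n", argv[0]);
		return 1;
	}
	snprintf(listtype, sizeof(listtype), "%s", argv[1]);

	if (get_url_info())
	{
		printf("error during get_url_info()\n");
		return 0;
	}

	memset(buf, 0, sizeof(buf));
#if defined(AEI_VDSL_CUSTOMER_NCS)
	signal(SIGINT, SIG_IGN);
#endif
#if defined (DMP_CAPTIVEPORTAL_1)
	cmsMsg_init(EID_URLFILTERD, &msgHandle);
	cmsLog_init(EID_URLFILTERD);

	AEI_getCaptiveURLandIPAddr(capURLFile, captiveURL, captiveIPAddr, &flagCaptiveURL);
#if defined(AEI_VDSL_TR098_QWEST)
	AEI_getCaptiveURLandIPAddr(oneTimeCapURLFile, oneTimeRedirectURL, oneTimeRedirectIPAdress, &flagOneTimeRedirect);
#endif

#if defined(AEI_VDSL_CAPTIVE_PAGES)
	char lan_ip[16] = "\0";
	AEI_get_lan_ip(lan_ip);
	/* Bounded formatting: the LAN address is at most 15 characters, but
	 * the destination size is what must not be exceeded.
	 * NOTE(review): assumes GlbRedirectUrl is a char array — confirm. */
	memset(GlbRedirectUrl, 0, sizeof(GlbRedirectUrl));
	snprintf(GlbRedirectUrl, sizeof(GlbRedirectUrl), "%s/captiveportal_pageblocked.html", lan_ip);
#endif
	AEI_getCaptiveAllowList();
#if defined(AEI_VDSL_CUSTOMER_CENTURYLINK)
	AEI_getCaptiveAllowDomain();
#endif
#endif

#if defined(AEI_VDSL_CUSTOMER_WEBACTIVELOG_SWITCH)
	AEI_getWebActiveInfo();
#endif
	/* open a netlink connection to get packet from kernel */
	fd = netlink_open_connection(NULL);

	for (;;)
	{
		rv = recv(fd, buf, sizeof(buf), 0);
		if (rv >= 0)
		{
#ifdef UFD_DEBUG
			printf("pkt received\n");
#endif
			/* rv is the number of bytes actually received. */
			nfq_handle_packet(h, buf, rv);
			memset(buf, 0, sizeof(buf));
		}
		else
		{
			/* recv() failed: drop the queue handle and reopen the netlink
			 * socket so the daemon keeps filtering.
			 * NOTE(review): assumes netlink_open_connection() re-creates the
			 * global handle h after nfq_close() — confirm, otherwise the next
			 * nfq_handle_packet(h, ...) call uses a closed handle. */
			nfq_close(h);
#ifdef UFD_DEBUG
			printf("nfq close done\n");
#endif
			fd = netlink_open_connection(NULL);
#ifdef UFD_DEBUG
			printf("need to rebind to netfilter queue 0\n");
#endif
		}
	}

	/* Not reached: the receive loop above never terminates. */
#ifdef UFD_DEBUG
	printf("unbinding from queue 0\n");
#endif
	nfq_destroy_queue(qh);
	nfq_close(h);

	return 0;
}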
// Run the end point selection (ES) protocol and fill es_info with the result.
//
// Flow: make sure the server URL table is loaded, ask the PvE enclave for the
// ES msg1 data (retrying a lost enclave), build msg1, exchange it with the
// endpoint server, have the enclave parse msg2, verify the signature it
// carries, then persist es_info with write_pek().  If the network exchange
// fails, a previously persisted es_info (read_pek) is used instead.
//
// @param es_info  zeroed on entry and filled on success.  NOTE: proc_es_msg2
//                 writes provision_url and pek into it before the signature is
//                 checked, so callers must treat es_info as valid only when the
//                 return value is AE_SUCCESS.
// @return AE_SUCCESS, OAL_PROXY_SETTING_ASSIST when proxy assistance is
//         required, or the first failing step's error code.
ae_error_t EndpointSelectionInfo::start_protocol(endpoint_selection_infos_t& es_info)
{
    AESMLogicLock lock(_es_lock);
    uint32_t msg_size = 0;
    uint8_t *resp = NULL;          // owned by AESMNetworkEncoding; freed at final_point
    uint32_t resp_size = 0;
    uint16_t provision_ttl = 0;
    uint8_t *msg = NULL;           // malloc'd msg1 buffer; freed at final_point
    uint8_t rsa_signature[RSA_3072_KEY_BYTES];   // written by proc_es_msg2
    gen_endpoint_selection_output_t enclave_output;
    ae_error_t ae_ret = AE_SUCCESS;
    uint32_t enclave_lost_count = 0;

    AESM_DBG_DEBUG("enter fun");
    memset(&es_info, 0, sizeof(es_info));
    memset(&enclave_output, 0, sizeof(enclave_output));
    if(!_is_server_url_valid){
        ae_ret = get_url_info();
        if(AE_SUCCESS != ae_ret){// unlikely: get_url_info() only fails when its memcpy_s fails
            AESM_DBG_ERROR("Fail to initialize server URL information");
            goto final_point;
        }
    }

    // Obtain the partition selector and xid from the PvE enclave.  A lost
    // enclave is reloaded and retried up to MAX_ENCLAVE_LOST_RETRY_TIME times.
    do{
        if((ae_ret = CPVEClass::instance().load_enclave())!=AE_SUCCESS){
            AESM_DBG_ERROR("Fail to load PVE enclave:%d", ae_ret);
            goto final_point;
        }
        //call PvE to generate the partition and xid
        ae_ret = static_cast<ae_error_t>(CPVEClass::instance().gen_es_msg1_data(&enclave_output));
        if(ae_ret == AE_ENCLAVE_LOST&& (++enclave_lost_count)<=MAX_ENCLAVE_LOST_RETRY_TIME ){
            CPVEClass::instance().unload_enclave();//unload and reload PvE when enclave lost encountered
            continue;
        }else if(ae_ret == AE_SUCCESS){
            break;
        }else{
            AESM_DBG_ERROR("fail to generate parition by PvE");
            goto final_point;
        }
    }while(1);

    AESM_DBG_TRACE("use parition %d from PvE", (int)enclave_output.selector_id);

    AESM_DBG_INFO("Connect to server url \"%s\" for endpoint selection", _server_urls.endpoint_url);

    // Allocate and build ES msg1.  The assert only guards debug builds; in a
    // release build a zero estimate would reach malloc(0).
    msg_size = estimate_es_msg1_size();
    assert(msg_size>0);
    msg = static_cast<uint8_t *>(malloc(msg_size));
    if(msg == NULL){
        AESM_DBG_ERROR("malloc error");
        ae_ret = AE_OUT_OF_MEMORY_ERROR;
        goto final_point;
    }
    memset(msg, 0, msg_size);

    ae_ret = static_cast<ae_error_t>(CPVEClass::instance().gen_es_msg1(msg, msg_size, enclave_output));//Generate EndPoint Selection Msg1
    if(ae_ret != AE_SUCCESS){
        AESM_DBG_ERROR("ES msg1 generation failed:%d",ae_ret);
        goto final_point;
    }
    AESM_DBG_TRACE("ES msg1 generated");

    // Network round trip; resp/resp_size are allocated by the encoding layer.
    ae_ret = AESMNetworkEncoding::aesm_send_recv_msg_encoding(_server_urls.endpoint_url, msg, msg_size, resp, resp_size);//Encoding/send/receive/Decoding

    if(ae_ret != AE_SUCCESS){
        AESM_DBG_ERROR("fail to send ES msg1 to backend server:%d",ae_ret);
        if(OAL_PROXY_SETTING_ASSIST == ae_ret){//when proxy setting assistant required, return directly
            goto final_point;
        }
        // Offline fallback: a previously persisted es_info masks the network error.
        if(read_pek(es_info)==AE_SUCCESS){
            ae_ret = AE_SUCCESS;//use es_info inside persistent storage and ignore network error
        }
        goto final_point;
    }
    assert(resp != NULL);
    AESM_DBG_TRACE("start to process ES msg2");
    // msg2 is untrusted network input; it is parsed inside the enclave, which
    // extracts provision_url, ttl, the RSA signature and the pek.
    ae_ret = static_cast<ae_error_t>(CPVEClass::instance().proc_es_msg2(resp, resp_size, es_info.provision_url, provision_ttl, enclave_output.xid, rsa_signature , es_info.pek));
    if(AE_SUCCESS != ae_ret){
        AESM_DBG_WARN("Fail to process ES msg2 from backend server:%d",ae_ret);
        goto final_point;
    }

    AESM_DBG_TRACE("ES Msg2 decoded successfully, ttl %ds",provision_ttl);
    // Nothing from msg2 is persisted until the signature over it checks out.
    ae_ret = verify_signature(es_info, enclave_output.xid, rsa_signature, provision_ttl);
    if(AE_SUCCESS != ae_ret){
        AESM_DBG_WARN("Signature verification in ES Msg2 failed");
        goto final_point;
    }
    AESM_DBG_TRACE("Signature in ES Msg2 verified");
    es_info.aesm_data_type = AESM_DATA_ENDPOINT_SELECTION_INFOS;
    es_info.aesm_data_version = AESM_DATA_ENDPOINT_SELECTION_VERSION;
    (void)write_pek(es_info);//ignore file writing error
    AESM_DBG_TRACE("end point selection succ,  provisioning url: %s",es_info.provision_url);

final_point:
    // Single exit: release the msg1 buffer and the response on every path.
    if(msg!=NULL)free(msg);
    if(resp!=NULL){
        AESMNetworkEncoding::aesm_free_response_msg(resp);
    }

    return ae_ret;
}