vane 0.8.15

A flow-based reverse proxy with multi-layer routing and programmable pipelines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

/* src/layers/l4p/context.rs */

use crate::plugins::protocol::{
	quic::parser::QuicInitialData, tls::clienthello::TlsClientHelloData,
};
use crate::resources::kv::KvStore;
use fancy_log::{LogLevel, log};

pub fn inject_common(kv: &mut KvStore, protocol: &str) {
	log(
		LogLevel::Debug,
		&format!("⚙ Injecting L4+ Context for protocol: {protocol}"),
	);

	kv.insert("conn.layer".to_owned(), "l4p".to_owned());
	kv.insert("conn.proto.carrier".to_owned(), protocol.to_owned());
}

pub fn inject_tls_data(kv: &mut KvStore, data: TlsClientHelloData) {
	log(
		LogLevel::Debug,
		&format!(
			"⚙ Parsed ClientHello -> SNI: {:?}, ALPN: {:?}, LegacyVer: {}",
			data.sni, data.alpn, data.legacy_version
		),
	);

	if let Some(sni) = data.sni {
		// Normalization: Lowercase + Character filtering
		let sanitized = sanitize_sni(&sni);
		if sanitized != sni {
			log(
				LogLevel::Debug,
				&format!("⚙ SNI Normalized: '{sni}' -> '{sanitized}'"),
			);
		}
		kv.insert("tls.sni".to_owned(), sanitized);
	} else {
		log(
			LogLevel::Debug,
			"⚙ Warning: SNI field is empty in parsed data.",
		);
	}

	if !data.alpn.is_empty() {
		kv.insert("tls.alpn".to_owned(), data.alpn.join(","));
	}

	kv.insert("tls.version.legacy".to_owned(), data.legacy_version);
	kv.insert("tls.session_id".to_owned(), data.session_id);

	kv.insert("tls.cipher_suites".to_owned(), data.cipher_suites.join(","));
	kv.insert(
		"tls.compression".to_owned(),
		data.compression_methods.join(","),
	);
	kv.insert(
		"tls.supported_versions".to_owned(),
		data.supported_versions.join(","),
	);
	kv.insert(
		"tls.supported_groups".to_owned(),
		data.supported_groups.join(","),
	);
	kv.insert(
		"tls.signature_algorithms".to_owned(),
		data.signature_algorithms.join(","),
	);
	kv.insert(
		"tls.key_share_groups".to_owned(),
		data.key_share_groups.join(","),
	);
	kv.insert(
		"tls.psk_modes".to_owned(),
		data.psk_key_exchange_modes.join(","),
	);

	kv.insert(
		"tls.has_renegotiation_info".to_owned(),
		data.has_renegotiation_info.to_string(),
	);
	kv.insert("tls.has_grease".to_owned(), data.has_grease.to_string());
}

/// Sanitizes SNI string to prevent injection and enforce standard naming.
/// Converts to lowercase and filters out non-standard domain characters.
fn sanitize_sni(sni: &str) -> String {
	sni
		.to_lowercase()
		.chars()
		.filter(|c| c.is_alphanumeric() || *c == '.' || *c == '-' || *c == '_')
		.collect()
}

pub fn inject_quic_data(kv: &mut KvStore, data: QuicInitialData) {
	log(
		LogLevel::Debug,
		&format!(
			"⚙ Parsed QUIC Initial -> DCID: {}, SCID: {}, Ver: {}, SNI: {:?}",
			data.dcid, data.scid, data.version, data.sni_hint
		),
	);

	kv.insert("quic.dcid".to_owned(), data.dcid);
	kv.insert("quic.scid".to_owned(), data.scid);
	kv.insert("quic.version".to_owned(), data.version);

	if let Some(token) = data.token {
		kv.insert("quic.token".to_owned(), token);
	}

	if let Some(sni) = data.sni_hint {
		kv.insert("quic.sni".to_owned(), sanitize_sni(&sni));
	}
}