From: Ashik Thomas (ashiktho)
Date: Fri, 13 Jun 2025 06:14:18 +0000 (+0000)
Subject: Pull request #4772: binder, flow, framework: add a facility to block binding based...
X-Git-Tag: 3.9.1.0~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=842a908b896e63786b88082290a451da15cdf335;p=thirdparty%2Fsnort3.git

Pull request #4772: binder, flow, framework: add a facility to block binding based on a do_not_decrypt flow flag and inspector can_decrypt method

Merge in SNORT/snort3 from ~ASHIKTHO/snort3:CSCwo40673_tot_1 to master

Squashed commit of the following:

commit 61177c5e2c7690f33dca5b67dc0bb29dbeece64a
Author: bjandhya
Date: Tue Mar 25 10:16:35 2025 -0400

binder, flow, framework: add a facility to block binding based on a do_not_decrypt flow flag and inspector can_decrypt method
---
diff --git a/src/flow/flow.h b/src/flow/flow.h
index 87d3d1e17..7c21c4578 100644
--- a/src/flow/flow.h
+++ b/src/flow/flow.h
@@ -538,6 +538,7 @@ public: // FIXIT-M privatize if possible
 bool binder_action_block : 1;
 bool in_allowlist : 1; // Set if the flow is in the allowlist
 bool allowed_on_excess : 1; // Set if the flow is allowed on excess
+ bool do_not_decrypt :1; //set when decided to not to decrypt
 } flags = {};
 
 int32_t client_intf = 0;
diff --git a/src/framework/inspector.h b/src/framework/inspector.h
index 090c02fa6..80dc95f04 100644
--- a/src/framework/inspector.h
+++ b/src/framework/inspector.h
@@ -188,6 +188,9 @@ public:
 virtual bool supports_no_ips() const
 { return false; }
 
+ virtual bool can_decrypt() const
+ { return false; }
+
 void allocate_thread_storage();
 void set_thread_specific_data(void*);
 void* get_thread_specific_data() const;
diff --git a/src/network_inspectors/binder/binding.cc b/src/network_inspectors/binder/binding.cc
index 58f7e0b53..b3354d97a 100644
--- a/src/network_inspectors/binder/binding.cc
+++ b/src/network_inspectors/binder/binding.cc
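Review bot: The added bit-field `bool do_not_decrypt :1; //set when decided to not to decrypt` departs from the spacing and comment style of its siblings on the preceding lines (`bool allowed_on_excess : 1; // Set if the flow is allowed on excess`); suggest `bool do_not_decrypt : 1; // Set if the flow is not to be decrypted`. Nothing in this patch writes the flag (binding.cc only reads it), so the field comment is the natural place to name which component sets it and when. If it can become set after a decrypting inspector has already been bound, the binder check added in binding.cc only takes effect on a re-evaluation, which is worth confirming against the setter. The enclosing flags struct and Flow class begin outside the hunk.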
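Review bot: `virtual bool can_decrypt() const` is introduced without a comment describing when an inspector should override it, while its only effect lives in binding.cc; suggest adding above it `// Return true if this inspector decrypts traffic; the binder will not bind it to a flow whose flags.do_not_decrypt is set.` Because the default returns false and binding.cc blocks a binding only when can_decrypt() is true, a decrypting inspector that does not override this method is still bound to such flows; no override appears in this patch, so that presumably lands separately. The enclosing Inspector class begins outside the hunk.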
@@ -605,6 +605,11 @@ inline bool Binding::check_service() const
 return when.has_criteria(BindWhen::Criteria::BWC_SVC) ? false : true;
 }
 
+inline bool Binding::check_inspector(const Flow& flow) const
+{
+ return !(use.inspector and use.inspector->can_decrypt() and flow.flags.do_not_decrypt);
+}
+
 bool Binding::check_all(const Flow& flow, const char* service) const
 {
 // Do the service check first to optimize service change re-evaluations
@@ -655,6 +660,9 @@ bool Binding::check_all(const Flow& flow, const char* service) const
 if (!check_tenant(flow))
 return false;
 
+ if (!check_inspector(flow))
+ return false;
+
 return true;
 }
 
diff --git a/src/network_inspectors/binder/binding.h b/src/network_inspectors/binder/binding.h
index bd4895e47..e4c552ae2 100644
--- a/src/network_inspectors/binder/binding.h
+++ b/src/network_inspectors/binder/binding.h
@@ -148,6 +148,7 @@ struct Binding
 bool check_service(const snort::Flow&) const;
 bool check_service(const char* service) const;
 bool check_service() const;
+ bool check_inspector(const snort::Flow&) const;
 };
 
 #endif
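Review bot: `check_inspector` states the policy as a triple negation, `return !(use.inspector and use.inspector->can_decrypt() and flow.flags.do_not_decrypt);`, with no comment, which makes the null-inspector case (a binding without an inspector is never blocked here) easy to miss; the equivalent guard form `if (!use.inspector or !flow.flags.do_not_decrypt) return true;` followed by `return !use.inspector->can_decrypt();` reads directly, and a one-line comment such as `// never bind a decrypting inspector to a flow marked do_not_decrypt` should accompany it. The check runs only when check_all is evaluated (the second hunk of this file calls it after check_tenant), so if flags.do_not_decrypt can become set after a decrypting inspector was already bound, nothing in this patch revisits that binding unless a re-evaluation is triggered; this is worth confirming against the flag's setter, which is not part of this patch. check_all's body continues outside both hunks.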