From f896aff1dfc6402bc2797214eba47d132015033e Mon Sep 17 00:00:00 2001 From: "Oleksandr Stepanov -X (ostepano - SOFTSERVE INC at Cisco)" Date: Wed, 27 Aug 2025 19:30:55 +0000 Subject: [PATCH] Pull request #4840: appid: move tls metadata handling into single place Merge in SNORT/snort3 from ~OSTEPANO/snort3:tls_imprv to master Squashed commit of the following: commit 68b50c2c38dc6f372ef7a046f1584b289faeb3d7 Author: Oleksandr Stepanov Date: Sun Jun 22 08:51:42 2025 -0400 appid: move tls metadata handling into single place --- src/network_inspectors/appid/appid_api.cc | 68 ++---- .../appid/appid_discovery.cc | 9 +- .../appid/appid_discovery.h | 2 + .../appid/appid_eve_process_event_handler.cc | 15 +- src/network_inspectors/appid/appid_ha.cc | 2 +- src/network_inspectors/appid/appid_session.cc | 103 +++++++-- src/network_inspectors/appid/appid_session.h | 125 +++++------ .../service_plugins/service_discovery.cc | 2 - .../appid/service_plugins/service_ssl.cc | 15 +- .../appid/test/appid_api_test.cc | 195 +++++++++--------- .../appid/test/appid_discovery_test.cc | 14 +- .../appid_eve_process_event_handler_test.cc | 4 +- .../appid/test/appid_mock_inspector.h | 8 +- .../appid/test/appid_session_api_test.cc | 22 +- .../appid/tp_appid_utils.cc | 47 +++-- 15 files changed, 313 insertions(+), 318 deletions(-) diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc index b0d532dfa..5bc73dc8b 100644 --- a/src/network_inspectors/appid/appid_api.cc +++ b/src/network_inspectors/appid/appid_api.cc @@ -138,81 +138,49 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, return false; AppidChangeBits change_bits; - HostPatternMatchers& host_matchers = asd->get_odp_ctxt().get_host_matchers(); if (!asd->tsession) asd->tsession = new TlsSession(); - else if (sni_mismatch) + + if (sni_mismatch) { asd->tsession->process_sni_mismatch(); - } - - - if (sni_mismatch) asd->scan_flags |= SCAN_SPOOFED_SNI_FLAG; + } if (org_unit) { asd->tsession->set_tls_org_unit(org_unit, strlen(org_unit)); - if (client_id == APP_ID_NONE and payload_id == APP_ID_NONE) - { - host_matchers.scan_cname((const uint8_t*)org_unit, strlen(org_unit), - client_id, payload_id); - if (client_id != APP_ID_NONE or payload_id != APP_ID_NONE) - asd->tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_ORG_UNIT); - } + asd->scan_flags |= SCAN_SSL_ORG_UNIT_FLAG; } - if (server_name and !sni_mismatch) + if (server_name) { - asd->tsession->set_tls_host(server_name, strlen(server_name), change_bits); - host_matchers.scan_hostname((const uint8_t*)server_name, strlen(server_name), - client_id, payload_id); - if (client_id != APP_ID_NONE or payload_id != APP_ID_NONE) - asd->tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_HOST); + asd->tsession->set_tls_sni(server_name, strlen(server_name)); + if (!sni_mismatch) + asd->scan_flags |= SCAN_SSL_HOST_FLAG; } if (first_alt_name) { - asd->tsession->set_tls_first_alt_name(first_alt_name, strlen(first_alt_name), change_bits); - if (client_id == APP_ID_NONE and payload_id == APP_ID_NONE) - { - host_matchers.scan_hostname((const uint8_t*)first_alt_name, strlen(first_alt_name), - client_id, payload_id); - if (client_id != APP_ID_NONE or payload_id != APP_ID_NONE) - asd->tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_FIRST_SAN); - } + asd->tsession->set_tls_first_alt_name(first_alt_name, strlen(first_alt_name)); + asd->scan_flags |= SCAN_SSL_ALT_NAME; } if (common_name) { - asd->tsession->set_tls_cname(common_name, strlen(common_name), change_bits); - if (client_id == APP_ID_NONE and payload_id == APP_ID_NONE) - { - host_matchers.scan_cname((const uint8_t*)common_name, strlen(common_name), - client_id, payload_id); - if (client_id != APP_ID_NONE or payload_id != APP_ID_NONE) - asd->tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_CNAME); - } + asd->tsession->set_tls_cname(common_name, strlen(common_name)); + asd->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG; + asd->tsession->set_tls_handshake_done(); } asd->scan_flags |= SCAN_CERTVIZ_ENABLED_FLAG; - service_id = asd->get_api().get_service_app_id(); - - if (asd->use_eve_client_app_id()) - client_id = asd->get_eve_client_app_id(); - else if (client_id == APP_ID_NONE) - client_id = asd->get_api().get_client_app_id(); - else - asd->set_client_id(client_id); - - if (payload_id == APP_ID_NONE) - payload_id = asd->get_api().get_payload_app_id(); - else - asd->set_payload_id(payload_id); - + asd->examine_ssl_metadata(change_bits, true); + service_id = asd->pick_service_app_id(); + client_id = asd->pick_ss_client_app_id(); + payload_id = asd->pick_ss_payload_app_id(); + asd->set_ss_application_ids(client_id, payload_id, change_bits); - asd->set_tls_host(change_bits); Packet* p = DetectionEngine::get_current_packet(); assert(p); diff --git a/src/network_inspectors/appid/appid_discovery.cc b/src/network_inspectors/appid/appid_discovery.cc index 0c8c71b96..f6ef159e0 100644 --- a/src/network_inspectors/appid/appid_discovery.cc +++ b/src/network_inspectors/appid/appid_discovery.cc @@ -796,6 +796,9 @@ bool AppIdDiscovery::do_discovery(Packet* p, AppIdSession& asd, IpProtocol proto asd.set_session_flags(APPID_SESSION_ADDITIONAL_PACKET); } + if (asd.tsession) + asd.examine_ssl_metadata(change_bits, true); + service_id = asd.pick_service_app_id(); // Length-based service detection if no service is found yet @@ -885,12 +888,6 @@ void AppIdDiscovery::do_post_discovery(Packet* p, AppIdSession& asd, asd.set_ss_application_ids(service_id, client_id, payload_id, misc_id, asd.pick_ss_referred_payload_app_id(), change_bits); - asd.set_tls_host(change_bits); - if (asd.tsession and asd.tsession->is_tls_host_unpublished()) - { - change_bits.set(APPID_TLSHOST_BIT); - asd.tsession->set_tls_host_unpublished(false); - } if (asd.is_client_info_unpublished()) { diff --git a/src/network_inspectors/appid/appid_discovery.h b/src/network_inspectors/appid/appid_discovery.h index 07ea3ac26..4f8dee187 100644 --- a/src/network_inspectors/appid/appid_discovery.h +++ b/src/network_inspectors/appid/appid_discovery.h @@ -61,6 +61,8 @@ struct Packet; #define SCAN_CERTVIZ_ENABLED_FLAG (1<<10) #define SCAN_SPOOFED_SNI_FLAG (1<<11) #define SCAN_SSL_VERSION_FLAG (1<<12) +#define SCAN_SSL_ORG_UNIT_FLAG (1<<13) +#define SCAN_SSL_ALT_NAME (1<<14) enum FirstPktAppIdDiscovered { diff --git a/src/network_inspectors/appid/appid_eve_process_event_handler.cc b/src/network_inspectors/appid/appid_eve_process_event_handler.cc index b90603135..626176257 100644 --- a/src/network_inspectors/appid/appid_eve_process_event_handler.cc +++ b/src/network_inspectors/appid/appid_eve_process_event_handler.cc @@ -113,18 +113,15 @@ void AppIdEveProcessEventHandler::handle(DataEvent& event, Flow* flow) if (!server_name.empty()) { - AppId tmp_client_id = APP_ID_NONE; - AppId tmp_payload_id = APP_ID_NONE; - + AppidChangeBits change_bits; if (!asd->tsession) asd->tsession = new TlsSession(); - asd->tsession->set_tls_host(server_name.c_str(), server_name.length()); - asd->set_tls_host(); - - odp_ctxt.get_host_matchers().scan_hostname(reinterpret_cast(server_name.c_str()), - server_name.length(), tmp_client_id, tmp_payload_id); - asd->set_payload_id(tmp_payload_id); + asd->tsession->set_tls_sni(server_name.c_str(), server_name.length()); + if (is_quic) + asd->tsession->set_tls_handshake_done(); + asd->scan_flags |= SCAN_SSL_HOST_FLAG; + asd->examine_ssl_metadata(change_bits, true); } std::string debug_str; diff --git a/src/network_inspectors/appid/appid_ha.cc b/src/network_inspectors/appid/appid_ha.cc index cb693985b..3f23188ae 100644 --- a/src/network_inspectors/appid/appid_ha.cc +++ b/src/network_inspectors/appid/appid_ha.cc @@ -335,7 +335,7 @@ bool AppIdHATlsHostClient::consume(Flow*& flow, const FlowKey* key, HAMessage& m if (!asd) asd = create_appid_session(*flow, key, *inspector); - asd->set_tls_host(appHA->tls_host); + asd->consume_ha_tls_host(appHA->tls_host); asd->set_consumed_ha_data(true); diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc index 3fd686e8c..2058c9cd1 100644 --- a/src/network_inspectors/appid/appid_session.cc +++ b/src/network_inspectors/appid/appid_session.cc @@ -539,39 +539,75 @@ void AppIdSession::update_encrypted_app_id(AppId service_id) } } -void AppIdSession::examine_ssl_metadata(AppidChangeBits& change_bits) +void AppIdSession::examine_ssl_metadata(AppidChangeBits& change_bits, bool partial_inspect) { + assert(tsession); AppId client_id = 0; AppId payload_id = 0; - const char* tls_str = tsession->get_tls_org_unit(); + const char* tls_str = nullptr; - if (scan_flags & SCAN_CERTVIZ_ENABLED_FLAG) + if (!partial_inspect and !tsession->get_tls_handshake_done()) + { + return; + } + + if (tsession->is_tls_data_finished()) + { + if (tsession->is_tls_host_published() == false) + { + change_bits.set(APPID_TLSHOST_BIT); + } return; + } - if (tls_str) + + bool match_found = false; + + if ((scan_flags & SCAN_SSL_HOST_FLAG) and !(scan_flags & SCAN_SPOOFED_SNI_FLAG) and (tls_str = tsession->get_tls_sni())) { size_t size = strlen(tls_str); - if (odp_ctxt.get_host_matchers().scan_cname((const uint8_t*)tls_str, size, + if (odp_ctxt.get_host_matchers().scan_hostname((const uint8_t*)tls_str, size, client_id, payload_id)) { - set_client_appid_data(client_id, change_bits); + if (api.client.get_id() == APP_ID_NONE or api.client.get_id() == APP_ID_SSL_CLIENT) + set_client_appid_data(client_id, change_bits); set_payload_appid_data(payload_id); + match_found = true; + if (api.get_tls_host() and (strcmp(api.get_tls_host(), tls_str) != 0)) + tsession->set_tls_host_published(false); + tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_SNI); } - tsession->set_tls_org_unit(nullptr, 0); + scan_flags &= ~SCAN_SSL_HOST_FLAG; } - if ((scan_flags & SCAN_SSL_HOST_FLAG) and (tls_str = tsession->get_tls_host())) + if (!match_found and (scan_flags & SCAN_SSL_CERTIFICATE_FLAG) and (tls_str = tsession->get_tls_cname())) { size_t size = strlen(tls_str); - if (odp_ctxt.get_host_matchers().scan_hostname((const uint8_t*)tls_str, size, + if (odp_ctxt.get_host_matchers().scan_cname((const uint8_t*)tls_str, size, client_id, payload_id)) { if (api.client.get_id() == APP_ID_NONE or api.client.get_id() == APP_ID_SSL_CLIENT) set_client_appid_data(client_id, change_bits); set_payload_appid_data(payload_id); + match_found = true; + if (api.get_tls_host() and (strcmp(api.get_tls_host(), tls_str) != 0)) + tsession->set_tls_host_published(false); + tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_CNAME); } - scan_flags &= ~SCAN_SSL_HOST_FLAG; + else if (odp_ctxt.get_host_matchers().scan_hostname((const uint8_t*)tls_str, size, + client_id, payload_id)) + { + if (api.client.get_id() == APP_ID_NONE or api.client.get_id() == APP_ID_SSL_CLIENT) + set_client_appid_data(client_id, change_bits); + set_payload_appid_data(payload_id); + match_found = true; + if (api.get_tls_host() and (strcmp(api.get_tls_host(), tls_str) != 0)) + tsession->set_tls_host_published(false); + tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_CNAME); + } + scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG; } - if ((scan_flags & SCAN_SSL_CERTIFICATE_FLAG) and (tls_str = tsession->get_tls_cname())) + + if (!match_found and (scan_flags & SCAN_SSL_ORG_UNIT_FLAG) and (tls_str = tsession->get_tls_org_unit()) ) { size_t size = strlen(tls_str); if (odp_ctxt.get_host_matchers().scan_cname((const uint8_t*)tls_str, size, @@ -580,15 +616,43 @@ void AppIdSession::examine_ssl_metadata(AppidChangeBits& change_bits) if (api.client.get_id() == APP_ID_NONE or api.client.get_id() == APP_ID_SSL_CLIENT) set_client_appid_data(client_id, change_bits); set_payload_appid_data(payload_id); + match_found = true; + if (api.get_tls_host() and (strcmp(api.get_tls_host(), tls_str) != 0)) + tsession->set_tls_host_published(false); + tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_ORG_UNIT); } - scan_flags &= ~SCAN_SSL_CERTIFICATE_FLAG; } - if (tsession->get_tls_handshake_done() and - api.payload.get_id() == APP_ID_NONE) + if (!match_found and (scan_flags & SCAN_SSL_ALT_NAME) and (tls_str = tsession->get_tls_first_alt_name())) { - APPID_LOG(CURRENT_PACKET, TRACE_DEBUG_LEVEL, "End of SSL/TLS handshake detected with no payloadAppId, " - "so setting to unknown\n"); - api.payload.set_id(APP_ID_UNKNOWN); + size_t size = strlen(tls_str); + if (odp_ctxt.get_host_matchers().scan_hostname((const uint8_t*)tls_str, size, + client_id, payload_id)) + { + if (api.client.get_id() == APP_ID_NONE or api.client.get_id() == APP_ID_SSL_CLIENT) + set_client_appid_data(client_id, change_bits); + set_payload_appid_data(payload_id); + if (api.get_tls_host() and (strcmp(api.get_tls_host(), tls_str) != 0)) + tsession->set_tls_host_published(false); + tsession->set_matched_tls_type(MatchedTlsType::MATCHED_TLS_FIRST_SAN); + } + scan_flags &= ~SCAN_SSL_HOST_FLAG; + } + + if (!tsession->is_tls_host_published()) + { + if (tsession->get_tls_host()) + { + api.set_tls_host(tsession->get_tls_host()); + api.set_tls_sni(tsession->get_tls_sni()); + change_bits.set(APPID_TLSHOST_BIT); + } + } + else if (tsession->is_tls_host_mismatched() and + (api.get_tls_host() and (strcmp(api.get_tls_host(), tsession->get_tls_host()) != 0))) + { + api.set_tls_host(tsession->get_tls_host()); + api.set_tls_sni(tsession->get_tls_sni()); + change_bits.set(APPID_TLSHOST_BIT); } } @@ -1312,6 +1376,11 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe else if (change_bits.none()) return; + if (tsession and change_bits.test(APPID_TLSHOST_BIT)) + { + tsession->set_tls_host_published(true); + } + AppidEvent app_event(change_bits, is_httpx, httpx_stream_index, api, p); DataBus::publish(AppIdInspector::get_pub_id(), AppIdEventIds::ANY_CHANGE, app_event, p.flow); std::string str; diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h index e5c4f3546..f694b903b 100644 --- a/src/network_inspectors/appid/appid_session.h +++ b/src/network_inspectors/appid/appid_session.h @@ -80,7 +80,7 @@ enum APPID_DISCOVERY_STATE enum MatchedTlsType { MATCHED_TLS_NONE = 0, - MATCHED_TLS_HOST, + MATCHED_TLS_SNI, MATCHED_TLS_FIRST_SAN, MATCHED_TLS_CNAME, MATCHED_TLS_ORG_UNIT, @@ -94,55 +94,51 @@ public: ~TlsSession() { - if (tls_host) - snort_free(tls_host); + if (tls_sni) + snort_free(tls_sni); if (tls_first_alt_name) snort_free(tls_first_alt_name); if (tls_cname) snort_free(tls_cname); if (tls_org_unit) snort_free(tls_org_unit); - if (tls_host_mismatch) - snort_free(tls_host_mismatch); } const char* get_tls_host() const { switch (matched_tls_type) { - case MATCHED_TLS_HOST: - return tls_host; + case MATCHED_TLS_SNI: + return tls_sni; case MATCHED_TLS_FIRST_SAN: return tls_first_alt_name; case MATCHED_TLS_CNAME: return tls_cname; + case MATCHED_TLS_ORG_UNIT: default: - if (tls_host) - return tls_host; - else if (tls_first_alt_name) - return tls_first_alt_name; + if (tls_sni and !tls_host_mismatch) + return tls_sni; else if (tls_cname) return tls_cname; + else if (tls_first_alt_name) + return tls_first_alt_name; + + return nullptr; } - return nullptr; } const char* get_tls_sni() const { - return tls_host_mismatch ? tls_host_mismatch : tls_host; + return tls_sni; } void process_sni_mismatch() { - if(tls_host) - { - if(tls_host_mismatch) - snort_free(tls_host_mismatch); - tls_host_mismatch = tls_host; - tls_host = nullptr; - } + tls_host_mismatch = true; } + bool is_tls_host_mismatched() const { return tls_host_mismatch; } + const char* get_tls_first_alt_name() const { return tls_first_alt_name; } const char* get_tls_cname() const { return tls_cname; } @@ -153,30 +149,24 @@ public: uint16_t get_tls_version() const { return tls_version; } - // Duplicate only if len > 0, otherwise simply set (i.e., own the argument) - void set_tls_host(const char* new_tls_host, uint32_t len, bool published=false) + void set_tls_sni(const char* new_tls_sni, uint32_t len) { - if (tls_host) - snort_free(tls_host); - if (!new_tls_host or *new_tls_host == '\0') + if (tls_sni) { - tls_host = nullptr; - return; + snort_free(tls_sni); + } + if (new_tls_sni) + { + tls_sni = len ? snort::snort_strndup(new_tls_sni, len) : + const_cast(new_tls_sni); + } + else + { + tls_sni = nullptr; } - tls_host = len? snort::snort_strndup(new_tls_host,len) : const_cast(new_tls_host); - - if (!published) - tls_host_unpublished = true; - } - - void set_tls_host(const char* new_tls_host, uint32_t len, AppidChangeBits& change_bits) - { - set_tls_host(new_tls_host, len, true); - if (new_tls_host and *new_tls_host != '\0') - change_bits.set(APPID_TLSHOST_BIT); } - void set_tls_first_alt_name(const char* new_tls_first_alt_name, uint32_t len, AppidChangeBits& change_bits) + void set_tls_first_alt_name(const char* new_tls_first_alt_name, uint32_t len) { if (tls_first_alt_name) snort_free(tls_first_alt_name); @@ -187,11 +177,9 @@ public: } tls_first_alt_name = len? snort::snort_strndup(new_tls_first_alt_name, len) : const_cast(new_tls_first_alt_name); - if (!tls_host) - change_bits.set(APPID_TLSHOST_BIT); } - void set_tls_cname(const char* new_tls_cname, uint32_t len, AppidChangeBits& change_bits) + void set_tls_cname(const char* new_tls_cname, uint32_t len) { if (tls_cname) snort_free(tls_cname); @@ -202,8 +190,6 @@ public: } tls_cname = len? snort::snort_strndup(new_tls_cname,len) : const_cast(new_tls_cname); - if (tls_host == nullptr) - change_bits.set(APPID_TLSHOST_BIT); } void set_tls_org_unit(const char* new_tls_org_unit, uint32_t len) @@ -221,14 +207,20 @@ public: void set_tls_handshake_done() { tls_handshake_done = true; } - void set_matched_tls_type(MatchedTlsType type) + MatchedTlsType get_matched_tls_type() const + { + return matched_tls_type; + } + + void set_matched_tls_type(MatchedTlsType type, bool is_tls_data_finished = true) { matched_tls_type = type; + tls_data_finished = is_tls_data_finished; } - void set_tls_host_unpublished(bool val) { tls_host_unpublished = val; } + void set_tls_host_published(bool val) { tls_host_published = val; } - bool is_tls_host_unpublished() const { return tls_host_unpublished; } + bool is_tls_host_published() const { return tls_host_published; } void set_tls_version(const char* value, uint32_t length, AppidChangeBits& change_bits) { @@ -239,14 +231,17 @@ public: } } + bool is_tls_data_finished() const { return tls_data_finished; } + private: - char* tls_host = nullptr; - char* tls_host_mismatch = nullptr; + char* tls_sni = nullptr; char* tls_first_alt_name = nullptr; char* tls_cname = nullptr; char* tls_org_unit = nullptr; bool tls_handshake_done = false; - bool tls_host_unpublished = false; + bool tls_host_published = false; + bool tls_host_mismatch = false; + bool tls_data_finished = false; uint16_t tls_version = 0; MatchedTlsType matched_tls_type = MATCHED_TLS_NONE; }; @@ -386,7 +381,7 @@ public: void set_ss_application_ids_payload(AppId payload, AppidChangeBits& change_bits); void set_application_ids_service(AppId service_id, AppidChangeBits& change_bits); - void examine_ssl_metadata(AppidChangeBits& change_bits); + void examine_ssl_metadata(AppidChangeBits& change_bits, bool partial_inspect = false); void set_client_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); void set_client_appid_data(AppId, char* version = nullptr, bool published=false); void set_service_appid_data(AppId, AppidChangeBits& change_bits, char* version = nullptr); @@ -632,29 +627,6 @@ public: api.service.set_service_port(port); } - void set_tls_host(const AppidChangeBits& change_bits) - { - if (tsession and change_bits[APPID_TLSHOST_BIT]) - { - api.set_tls_host(tsession->get_tls_host()); - api.set_tls_sni(tsession->get_tls_sni()); - } - } - - void set_tls_host(const char* tls_host) - { - api.set_tls_host(tls_host); - } - - void set_tls_host() - { - if (tsession and tsession->is_tls_host_unpublished()) - { - api.set_tls_host(tsession->get_tls_host()); - api.set_tls_sni(tsession->get_tls_sni()); - } - } - void set_netbios_name(AppidChangeBits& change_bits, const char *name) { api.set_netbios_name(change_bits, name); @@ -665,6 +637,11 @@ public: api.set_netbios_domain(change_bits, domain); } + void consume_ha_tls_host(const char* tls_host) + { + api.set_tls_host(tls_host); + } + OdpContext& get_odp_ctxt() const { return odp_ctxt; diff --git a/src/network_inspectors/appid/service_plugins/service_discovery.cc b/src/network_inspectors/appid/service_plugins/service_discovery.cc index 0f0f25858..afda33579 100644 --- a/src/network_inspectors/appid/service_plugins/service_discovery.cc +++ b/src/network_inspectors/appid/service_plugins/service_discovery.cc @@ -769,8 +769,6 @@ bool ServiceDiscovery::do_service_discovery(AppIdSession& asd, Packet* p, } else if (asd.get_service_id() == APP_ID_RTMP) asd.examine_rtmp_metadata(change_bits); - else if (asd.get_session_flags(APPID_SESSION_SSL_SESSION) and asd.tsession) - asd.examine_ssl_metadata(change_bits); } return is_discovery_done; diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc index 1ca43a334..9f2d837c0 100644 --- a/src/network_inspectors/appid/service_plugins/service_ssl.cc +++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc @@ -565,32 +565,33 @@ success: } args.asd.set_session_flags(APPID_SESSION_SSL_SESSION); + if (!args.asd.tsession) + args.asd.tsession = new TlsSession(); if (ss->client_hello.host_name || ss->server_cert.common_name || ss->server_cert.org_unit) { - if (!args.asd.tsession) - args.asd.tsession = new TlsSession(); - /* TLS Host */ if (ss->client_hello.host_name) { - args.asd.tsession->set_tls_host(ss->client_hello.host_name, 0, args.change_bits); + args.asd.tsession->set_tls_sni(ss->client_hello.host_name, 0); args.asd.scan_flags |= SCAN_SSL_HOST_FLAG; } /* TLS Common Name */ if (ss->server_cert.common_name) { - args.asd.tsession->set_tls_cname(ss->server_cert.common_name, 0, args.change_bits); + args.asd.tsession->set_tls_cname(ss->server_cert.common_name, 0); args.asd.scan_flags |= SCAN_SSL_CERTIFICATE_FLAG; - args.asd.scan_flags |= SCAN_SSL_HOST_FLAG; } /* TLS Org Unit */ if (ss->server_cert.org_unit) + { args.asd.tsession->set_tls_org_unit(ss->server_cert.org_unit, 0); + args.asd.scan_flags |= SCAN_SSL_ORG_UNIT_FLAG; + } ss->client_hello.host_name = ss->server_cert.common_name = ss->server_cert.org_unit = nullptr; - args.asd.tsession->set_tls_handshake_done(); } + args.asd.tsession->set_tls_handshake_done(); return add_service(args.change_bits, args.asd, args.pkt, args.dir, getSslServiceAppId(args.pkt->ptrs.sp)); } diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc index 074ca4edc..15f42f04a 100644 --- a/src/network_inspectors/appid/test/appid_api_test.cc +++ b/src/network_inspectors/appid/test/appid_api_test.cc @@ -55,11 +55,13 @@ char const* APPID_UT_ORG_UNIT = "Google"; THREAD_LOCAL bool TimeProfilerStats::enabled = false; #define ShadowTraffic_Type_Domain_Fronting 0x00000010 +bool mock_inspector_exist = true; + namespace snort { class Inspector* InspectorManager::get_inspector(const char*, bool, const SnortConfig*) -{ return &dummy_appid_inspector; } +{ return mock_inspector_exist ? &dummy_appid_inspector : nullptr; } Packet::Packet(bool) { } Packet::~Packet() = default; @@ -99,6 +101,16 @@ void AppIdSession::publish_appid_event(AppidChangeBits& change_bits, const Packe DataBus::publish(0, AppIdEventIds::ANY_CHANGE, app_event, p.flow); } +void AppIdSession::examine_ssl_metadata(AppidChangeBits& change_bits, bool partial_inspect) +{ + if (tsession == nullptr) + return; + + set_service_id(APPID_UT_ID, get_odp_ctxt()); + api.client.set_id(APPID_UT_ID); + api.payload.set_id(APPID_UT_ID); +} + bool HostPatternMatchers::scan_hostname(const uint8_t* server_name, size_t, AppId& client_id, AppId& payload_id) { if (((const char*)server_name) == APPID_UT_TLS_HOST) @@ -213,6 +225,7 @@ void AppidCPUProfilingManager::cleanup_appid_cpu_profiler_table() {} AppIdHttpSession* AppIdSession::get_http_session(uint32_t) const { return nullptr; } Flow* flow = nullptr; +Flow* flow_no_session = nullptr; AppIdSession* mock_session = nullptr; TEST_GROUP(appid_api) @@ -244,6 +257,21 @@ TEST_GROUP(appid_api) } }; +TEST_GROUP(appid_api_no_session) +{ + void setup() + { + mock_init_appid_pegs(); + flow_no_session = new Flow; + } + + void teardown() + { + mock_cleanup_appid_pegs(); + delete flow_no_session; + } +}; + TEST(appid_api, get_application_name) { AppIdConfig config; @@ -252,6 +280,20 @@ TEST(appid_api, get_application_name) STRCMP_EQUAL(app_name, test_app_name); } +TEST(appid_api, get_appid_detector_directory_inspector_exist) +{ + auto res = appid_api.get_appid_detector_directory(); + STRCMP_EQUAL("test_dir", res); +} + +TEST(appid_api, get_appid_detector_directory_inspector_does_not_exist) +{ + mock_inspector_exist = false; + auto res = appid_api.get_appid_detector_directory(); + STRCMP_EQUAL("", res); + mock_inspector_exist = true; +} + TEST(appid_api, get_application_id) { AppIdConfig config; @@ -279,119 +321,70 @@ TEST(appid_api, set_ssl_certificate_key) TEST(appid_api, ssl_app_group_id_lookup) { - mock().expectNCalls(7, "publish"); + mock().expectNCalls(1, "publish"); AppId service, client, payload = APP_ID_NONE; bool val = false; AppidChangeBits change_bits; - mock_session->set_ss_application_ids(APPID_UT_ID, APPID_UT_ID, APPID_UT_ID, - APPID_UT_ID, APPID_UT_ID, change_bits); - val = appid_api.ssl_app_group_id_lookup(flow, nullptr, nullptr, nullptr, nullptr, - false, service, client, payload); + + mock_session->set_ss_application_ids(0,0,0,0,0, change_bits); + mock_session->tsession->set_tls_sni(nullptr, 0); + mock_session->tsession->set_tls_cname(nullptr, 0); + mock_session->tsession->set_tls_first_alt_name(nullptr, 0); + mock_session->tsession->set_tls_org_unit(nullptr, 0); + + val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, + (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_ORG_UNIT, false, service, client, payload); + CHECK_TRUE(val); CHECK_EQUAL(service, APPID_UT_ID); CHECK_EQUAL(client, APPID_UT_ID); CHECK_EQUAL(payload, APPID_UT_ID); - STRCMP_EQUAL("Published change_bits == 00000000000000000000000", test_log); - - // Server name based detection - service = APP_ID_NONE; - client = APP_ID_NONE; - payload = APP_ID_NONE; - val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, - (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, false, service, client, payload); - CHECK_TRUE(val); - CHECK_EQUAL(client, APPID_UT_ID + 1); - CHECK_EQUAL(payload, APPID_UT_ID + 1); - STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); + STRCMP_EQUAL(mock_session->tsession->get_tls_sni(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); - STRCMP_EQUAL(mock_session->tsession->get_tls_sni(), APPID_UT_TLS_HOST); - STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log); - - // Common name based detection - mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits); - mock_session->tsession->set_tls_cname("www.cisco.com", 13, change_bits); - mock_session->tsession->set_tls_org_unit("Cisco", 5); - STRCMP_EQUAL(mock_session->tsession->get_tls_host(), "www.cisco.com"); - STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), "www.cisco.com"); - STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco"); - val = appid_api.ssl_app_group_id_lookup(flow, (const char*)"www.google.com", - nullptr, (const char*)APPID_UT_TLS_HOST, nullptr, false, service, client, payload); - CHECK_TRUE(val); - CHECK_EQUAL(client, APPID_UT_ID + 2); - CHECK_EQUAL(payload, APPID_UT_ID + 2); - STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); - STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); - STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco"); - STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log); - - // First alt name based detection - change_bits.reset(); - mock_session->tsession->set_tls_host("", 0, change_bits); - val = appid_api.ssl_app_group_id_lookup(flow, nullptr, (const char*)APPID_UT_TLS_HOST, - nullptr, nullptr, false, service, client, payload); - CHECK_TRUE(val); - CHECK_EQUAL(client, APPID_UT_ID + 1); - CHECK_EQUAL(payload, APPID_UT_ID + 1); - STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); - STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST); - STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log); - - // Org unit based detection - string host = ""; - change_bits.reset(); - mock_session->tsession->set_tls_host("", 0, change_bits); - val = appid_api.ssl_app_group_id_lookup(flow, nullptr, nullptr, - nullptr, (const char*)APPID_UT_ORG_UNIT, false, service, client, payload); - CHECK_TRUE(val); - CHECK_EQUAL(client, APPID_UT_ID + 3); - CHECK_EQUAL(payload, APPID_UT_ID + 3); STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), APPID_UT_ORG_UNIT); - STRCMP_EQUAL("Published change_bits == 00000000000000000011000", test_log); + mock().checkExpectations(); +} + +TEST(appid_api, ssl_app_group_id_lookup_sni_mismatch) +{ + mock().expectNCalls(1, "publish"); + AppId service, client, payload = APP_ID_NONE; + bool val = false; + + AppidChangeBits change_bits; + + mock_session->set_ss_application_ids(0,0,0,0,0, change_bits); + mock_session->tsession->set_tls_sni(nullptr, 0); + mock_session->tsession->set_tls_cname(nullptr, 0); + mock_session->tsession->set_tls_first_alt_name(nullptr, 0); + mock_session->tsession->set_tls_org_unit(nullptr, 0); - // Override client id found by SSL pattern matcher with the client id provided by - // Encrypted Visibility Engine if available - service = APP_ID_NONE; - client = APP_ID_NONE; - payload = APP_ID_NONE; - change_bits.reset(); - mock_session->tsession->set_tls_host("", 0, change_bits); - mock_session->set_client_id(APP_ID_NONE); - mock_session->set_eve_client_app_id(APPID_UT_ID + 100); val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, - (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, false, service, client, payload); + (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_ORG_UNIT, true, service, client, payload); + CHECK_TRUE(val); - CHECK_EQUAL(client, APPID_UT_ID + 100); - CHECK_EQUAL(payload, APPID_UT_ID + 1); - STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST); + CHECK_TRUE(mock_session->tsession->is_tls_host_mismatched()); + CHECK_EQUAL(service, APPID_UT_ID); + CHECK_EQUAL(client, APPID_UT_ID); + CHECK_EQUAL(payload, APPID_UT_ID); + STRCMP_EQUAL(mock_session->tsession->get_tls_sni(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_first_alt_name(), APPID_UT_TLS_HOST); STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST); - STRCMP_EQUAL("Published change_bits == 00000000000000100011000", test_log); - - //check for sni mismatch being stored in sni field - change_bits.reset(); - mock_session->tsession->set_tls_host("mismatchedsni.com", 17, change_bits); - service = APP_ID_NONE; - client = APP_ID_NONE; - payload = APP_ID_NONE; - val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, - nullptr, nullptr, true, service, client, payload); - CHECK_TRUE(val); - STRCMP_EQUAL(APPID_UT_TLS_HOST, mock_session->tsession->get_tls_host()); - STRCMP_EQUAL("mismatchedsni.com", mock_session->tsession->get_tls_sni()); - + STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), APPID_UT_ORG_UNIT); mock().checkExpectations(); +} - // When appid session is not existing - // 1. Match based on server name - Flow* f = new Flow; - // This call just sets mock_flow_data pointer to nullptr, so mocks work correctly for the test. - flow->free_flow_data(1); - service = APP_ID_NONE; - client = APP_ID_NONE; - payload = APP_ID_NONE; - val = appid_api.ssl_app_group_id_lookup(f, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, +TEST(appid_api_no_session, ssl_app_group_id_lookup) +{ + AppId service, client, payload = APP_ID_NONE; + bool val = false; + + AppidChangeBits change_bits; + + flow_no_session->free_flow_data(1); + val = appid_api.ssl_app_group_id_lookup(flow_no_session, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, false, service, client, payload); CHECK_TRUE(val); CHECK_EQUAL(client, APPID_UT_ID + 1); @@ -400,8 +393,8 @@ TEST(appid_api, ssl_app_group_id_lookup) // 2. First alt name match client = APP_ID_NONE; payload = APP_ID_NONE; - val = appid_api.ssl_app_group_id_lookup(f, nullptr, (const char*)APPID_UT_TLS_HOST, - (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, false, service, client, payload); + val = appid_api.ssl_app_group_id_lookup(flow_no_session, nullptr, (const char*)APPID_UT_TLS_HOST, + nullptr, (const char*)APPID_UT_TLS_HOST, false, service, client, payload); CHECK_TRUE(val); CHECK_EQUAL(client, APPID_UT_ID + 1); CHECK_EQUAL(payload, APPID_UT_ID + 1); @@ -409,7 +402,7 @@ TEST(appid_api, ssl_app_group_id_lookup) // 3. CN match client = APP_ID_NONE; payload = APP_ID_NONE; - val = appid_api.ssl_app_group_id_lookup(f, nullptr, nullptr, (const char*)APPID_UT_TLS_HOST, + val = appid_api.ssl_app_group_id_lookup(flow_no_session, nullptr, nullptr, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, false, service, client, payload); CHECK_TRUE(val); CHECK_EQUAL(client, APPID_UT_ID + 2); @@ -418,13 +411,11 @@ TEST(appid_api, ssl_app_group_id_lookup) // 4. Org unit match client = APP_ID_NONE; payload = APP_ID_NONE; - val = appid_api.ssl_app_group_id_lookup(f, nullptr, nullptr, nullptr, (const char*)APPID_UT_TLS_HOST, + val = appid_api.ssl_app_group_id_lookup(flow_no_session, nullptr, nullptr, nullptr, (const char*)APPID_UT_TLS_HOST, false, service, client, payload); CHECK_TRUE(val); CHECK_EQUAL(client, APPID_UT_ID + 2); CHECK_EQUAL(payload, APPID_UT_ID + 2); - - delete f; } TEST(appid_api, is_inspection_needed) diff --git a/src/network_inspectors/appid/test/appid_discovery_test.cc b/src/network_inspectors/appid/test/appid_discovery_test.cc index 531a727e6..9ea7aa7cc 100644 --- a/src/network_inspectors/appid/test/appid_discovery_test.cc +++ b/src/network_inspectors/appid/test/appid_discovery_test.cc @@ -229,12 +229,12 @@ void AppIdSession::sync_with_snort_protocol_id(AppId, Packet*,AppidChangeBits&) void AppIdSession::check_app_detection_restart(AppidChangeBits&, ThirdPartyAppIdContext*) {} void AppIdSession::set_client_appid_data(AppId, AppidChangeBits&, char*) {} void AppIdSession::examine_rtmp_metadata(AppidChangeBits&) {} -void AppIdSession::examine_ssl_metadata(AppidChangeBits&) {} void AppIdSession::update_encrypted_app_id(AppId) {} bool AppIdSession::is_tp_processing_done() const {return false;} AppId AppIdSession::pick_ss_payload_app_id(AppId) const { return get_payload_id(); } bool AppIdSession::need_to_delete_tp_conn(ThirdPartyAppIdContext*) const { return true; } void AppIdSession::process_shadow_traffic_appids() {} +void AppIdSession::examine_ssl_metadata(AppidChangeBits&,bool) {} AppIdSession* AppIdSession::allocate_session(const Packet*, IpProtocol, AppidSessionDirection, AppIdInspector&, OdpContext&) @@ -496,18 +496,6 @@ TEST(appid_discovery_tests, change_bits_for_client_version) delete asd; } -TEST(appid_discovery_tests, change_bits_for_tls_host) -{ - // Testing set_tls_host - AppidChangeBits change_bits; - char* host = snort_strdup(APPID_UT_TLS_HOST); - TlsSession tls; - tls.set_tls_host(host, 0, change_bits); - - // Detect changes in tls_host - CHECK_EQUAL(change_bits.test(APPID_TLSHOST_BIT), true); -} - TEST(appid_discovery_tests, change_bits_for_non_http_appid) { // Testing FTP appid diff --git a/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc b/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc index 47895730a..1f1419baf 100644 --- a/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc +++ b/src/network_inspectors/appid/test/appid_eve_process_event_handler_test.cc @@ -90,6 +90,8 @@ void AppIdSession::set_client_appid_data(AppId, char*, bool) return; } +void AppIdSession::examine_ssl_metadata(AppidChangeBits&,bool) {} + void ApplicationDescriptor::set_id(const Packet&, AppIdSession&, AppidSessionDirection, AppId, AppidChangeBits&) { } void AppIdModule::reset_stats() { } @@ -169,7 +171,7 @@ TEST(appid_eve_process_event_handler_tests, eve_server_name_event_handler) AppIdEveProcessEventHandler event_handler(dummy_appid_inspector); Flow* flow = new Flow; event_handler.handle(event, flow); - CHECK(session->get_payload_id() == APPID_UT_ID + 1); + STRCMP_EQUAL(session->tsession->get_tls_sni(),"www.google.com"); delete flow; } diff --git a/src/network_inspectors/appid/test/appid_mock_inspector.h b/src/network_inspectors/appid/test/appid_mock_inspector.h index a2eee1198..057ecacd8 100644 --- a/src/network_inspectors/appid/test/appid_mock_inspector.h +++ b/src/network_inspectors/appid/test/appid_mock_inspector.h @@ -60,16 +60,16 @@ const PegInfo* AppIdModule::get_pegs() const { return nullptr; } PegCount* AppIdModule::get_counts() const { return nullptr; } snort::ProfileStats* AppIdModule::get_profile( unsigned, const char*&, const char*& ) const { return nullptr; } -void AppIdModule::set_trace(const Trace*) const { } -const TraceOption* AppIdModule::get_trace_options() const { return nullptr; } +void AppIdModule::set_trace(const snort::Trace*) const { } +const snort::TraceOption* AppIdModule::get_trace_options() const { return nullptr; } AppIdConfig appid_config; AppIdInspector::AppIdInspector(AppIdModule&) : config(&appid_config), ctxt(appid_config) -{ } +{ appid_config.app_detector_dir = "test_dir"; } AppIdInspector::~AppIdInspector() = default; void AppIdInspector::eval(snort::Packet*) { } bool AppIdInspector::configure(snort::SnortConfig*) { return true; } -void AppIdInspector::show(const SnortConfig*) const { } +void AppIdInspector::show(const snort::SnortConfig*) const { } void AppIdInspector::tinit() { } void AppIdInspector::tterm() { } void AppIdInspector::tear_down(snort::SnortConfig*) { } diff --git a/src/network_inspectors/appid/test/appid_session_api_test.cc b/src/network_inspectors/appid/test/appid_session_api_test.cc index 4a89556e9..13abedd67 100644 --- a/src/network_inspectors/appid/test/appid_session_api_test.cc +++ b/src/network_inspectors/appid/test/appid_session_api_test.cc @@ -72,6 +72,11 @@ void AppIdSession::set_application_ids_service(AppId service_id, AppidChangeBits api.set_application_ids_service(service_id, change_bits, *flow); } +void AppIdSession::examine_ssl_metadata(AppidChangeBits& bits, bool) +{ + api.set_tls_host(tsession->get_tls_sni()); +} + TEST_GROUP(appid_session_api) { void setup() override @@ -379,16 +384,12 @@ TEST(appid_session_api, get_first_stream_appids_for_http2) TEST(appid_session_api, get_tls_host) { AppidChangeBits change_bits; - change_bits.set(APPID_TLSHOST_BIT); - mock_session->tsession->set_tls_host(nullptr, 0, change_bits); - mock_session->set_tls_host(change_bits); - const char* val = mock_session->get_api().get_tls_host(); - STRCMP_EQUAL(val, nullptr); char* host = snort_strdup(APPID_UT_TLS_HOST); - mock_session->tsession->set_tls_host(host, 0, change_bits); - mock_session->set_tls_host(change_bits); - val = mock_session->get_api().get_tls_host(); + mock_session->tsession->set_tls_sni(host, 0); + mock_session->examine_ssl_metadata(change_bits, true); + auto val = mock_session->get_api().get_tls_host(); STRCMP_EQUAL(val, APPID_UT_TLS_HOST); + mock_session->tsession->set_tls_sni(nullptr, 0); } TEST(appid_session_api, get_tls_version) @@ -608,9 +609,8 @@ TEST(appid_session_api, is_http_inspection_done) mock_session->service_disco_state = APPID_DISCO_STATE_STATEFUL; mock_session->set_session_flags(APPID_SESSION_SSL_SESSION); char* host = snort_strdup(APPID_UT_TLS_HOST); - mock_session->tsession->set_tls_host(host, 0, change_bits); - change_bits.set(APPID_TLSHOST_BIT); - mock_session->set_tls_host(change_bits); + mock_session->tsession->set_tls_sni(host, 0); + mock_session->examine_ssl_metadata(change_bits, true); val = mock_session->get_api().is_http_inspection_done(); CHECK_TRUE(val); mock_session->service_disco_state = APPID_DISCO_STATE_FINISHED; diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc index 975d24a1a..449cbfc76 100644 --- a/src/network_inspectors/appid/tp_appid_utils.cc +++ b/src/network_inspectors/appid/tp_appid_utils.cc @@ -360,41 +360,45 @@ static inline void process_ssl(AppIdSession& asd, reinspect_ssl_appid = check_ssl_appid_for_reinspect(tmpAppId, asd.get_odp_ctxt()); - if (!(asd.scan_flags & SCAN_CERTVIZ_ENABLED_FLAG) and - asd.tsession->get_tls_host() == nullptr and + if (asd.tsession->get_tls_version() == 0 and + (field = attribute_data.tls_version(false)) != nullptr) + { + asd.tsession->set_tls_version(field->c_str(), field->size(), change_bits); + if (reinspect_ssl_appid) + { + asd.scan_flags |= SCAN_SSL_VERSION_FLAG; + } + } + + if (asd.scan_flags & SCAN_CERTVIZ_ENABLED_FLAG) + return; + + if ( asd.tsession->get_tls_sni() == nullptr and (field = attribute_data.tls_host(false)) != nullptr) { - asd.tsession->set_tls_host(field->c_str(), field->size(), change_bits); + asd.tsession->set_tls_sni(field->c_str(), field->size()); if (reinspect_ssl_appid) asd.scan_flags |= SCAN_SSL_HOST_FLAG; } - if (!(asd.scan_flags & SCAN_CERTVIZ_ENABLED_FLAG) and - asd.tsession->get_tls_cname() == nullptr and + if ( asd.tsession->get_tls_cname() == nullptr and (field = attribute_data.tls_cname()) != nullptr) { - asd.tsession->set_tls_cname(field->c_str(), field->size(), change_bits); + asd.tsession->set_tls_cname(field->c_str(), field->size()); if (reinspect_ssl_appid) asd.scan_flags |= SCAN_SSL_CERTIFICATE_FLAG; + + asd.tsession->set_tls_handshake_done(); } if (reinspect_ssl_appid) { - if (!(asd.scan_flags & SCAN_CERTVIZ_ENABLED_FLAG) and - asd.tsession->get_tls_org_unit() == nullptr and + if ( asd.tsession->get_tls_org_unit() == nullptr and (field = attribute_data.tls_org_unit()) != nullptr) { asd.tsession->set_tls_org_unit(field->c_str(), field->size()); - } - } - - if (asd.tsession->get_tls_version() == 0 and - (field = attribute_data.tls_version(false)) != nullptr) - { - asd.tsession->set_tls_version(field->c_str(), field->size(), change_bits); - if (reinspect_ssl_appid) - { - asd.scan_flags |= SCAN_SSL_VERSION_FLAG; + asd.tsession->set_tls_handshake_done(); + asd.scan_flags |= SCAN_SSL_ORG_UNIT_FLAG; } } } @@ -422,10 +426,12 @@ static inline void process_quic(AppIdSession& asd, if ( !asd.tsession ) asd.tsession = new TlsSession(); - if ( !asd.tsession->get_tls_host() and (field=attribute_data.quic_sni()) != nullptr ) + if ( !asd.tsession->get_tls_sni() and (field=attribute_data.quic_sni()) != nullptr ) { APPID_LOG(CURRENT_PACKET, TRACE_DEBUG_LEVEL, "Flow is QUIC\n"); - asd.tsession->set_tls_host(field->c_str(), field->size(), change_bits); + asd.tsession->set_tls_sni(field->c_str(), field->size()); + asd.tsession->set_tls_handshake_done(); + asd.scan_flags |= SCAN_SSL_HOST_FLAG; if ( asd.get_service_id() <= APP_ID_NONE ) asd.set_service_appid_data(APP_ID_QUIC, change_bits); } @@ -693,7 +699,6 @@ bool do_tp_discovery(ThirdPartyAppIdContext& tp_appid_ctxt, AppIdSession& asd, I } else if (asd.get_session_flags(APPID_SESSION_SSL_SESSION) && asd.tsession) { - asd.examine_ssl_metadata(change_bits); uint16_t serverPort; AppId portAppId; serverPort = (direction == APP_ID_FROM_INITIATOR) ? p->ptrs.dp : p->ptrs.sp; -- 2.47.3