}
bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, const char* common_name,
- AppId& service_id, AppId& client_id, AppId& payload_id)
+ AppId& service_id, AppId& client_id, AppId& payload_id, const char* org_unit)
{
AppIdSession* asd = nullptr;
service_id = APP_ID_NONE;
payload_id);
asd->tsession->set_tls_host(server_name, strlen(server_name), change_bits);
asd->scan_flags |= SCAN_SSL_HOST_FLAG;
+ asd->scan_flags |= SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG;
}
if (common_name)
payload_id);
asd->tsession->set_tls_cname(common_name, strlen(common_name));
asd->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
+ asd->scan_flags |= SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG;
+ }
+
+ if (org_unit)
+ {
+ ssl_matchers.scan_cname((const uint8_t*)org_unit, strlen(org_unit), client_id,
+ payload_id);
+ asd->tsession->set_tls_org_unit(org_unit, strlen(org_unit));
+ asd->scan_flags |= SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG;
}
service_id = asd->get_application_ids_service();
if (common_name)
ssl_matchers.scan_cname((const uint8_t*)common_name, strlen(common_name), client_id,
payload_id);
+
+ if (org_unit)
+ ssl_matchers.scan_cname((const uint8_t*)org_unit, strlen(org_unit), client_id,
+ payload_id);
+
}
}
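Review bot: An empty but non-null name still sets the new SCAN_DO_NOT_OVERRIDE_*_FLAG (server name at the `asd->scan_flags |= SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG;` line, common name and org unit in the two blocks below it) even though the tsession setters in this same change discard empty strings and store nullptr, so the session ends up with no value and a flag that forbids the SNI, certificate and HTTP paths from ever supplying one; the new unit test's `host = ""` case produces exactly that state. Unless pinning an explicitly empty name is intended, guard on content rather than presence, e.g. `if (common_name and *common_name)` and `if (org_unit and *org_unit)` (the server_name guard sits just above this hunk). The org unit is also run through `ssl_matchers.scan_cname` in both branches; if the matcher is meant to be shared between CN and OU, a one-line comment saying so would save the next reader a detour. The function's first branch starts outside the hunk.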
uint32_t produce_ha_state(const Flow& flow, uint8_t* buf);
uint32_t consume_ha_state(Flow& flow, const uint8_t* buf, uint8_t length, IpProtocol,
SfIp*, uint16_t initiatorPort);
- bool ssl_app_group_id_lookup(Flow* flow, const char*, const char*, AppId& service_id, AppId& client_id, AppId& payload_id);
+ bool ssl_app_group_id_lookup(Flow* flow, const char*, const char*, AppId& service_id,
+ AppId& client_id, AppId& payload_id, const char* org_unit = nullptr);
AppIdSessionApi* create_appid_session_api(const Flow& flow);
void free_appid_session_api(AppIdSessionApi* api);
};
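Review bot: The declaration does not say that passing a name here has a lasting side effect: each non-null argument is stored on the session and marked SCAN_DO_NOT_OVERRIDE_* so later SNI, certificate and HTTP-attribute updates leave it alone, and `org_unit` is the only optional one. A caller cannot infer that from the signature; suggest a comment above it such as `// Stores the given names on the session and pins them (SCAN_DO_NOT_OVERRIDE_*) against later updates; org_unit may be omitted.`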
#define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
#define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
#define SCAN_HTTP_URI_FLAG (1<<9)
+#define SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG (1<<10)
+#define SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG (1<<11)
+#define SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG (1<<12)
class AppIdPatternMatchNode
{
{
if (tls_host)
snort_free(tls_host);
- if (!new_tls_host)
+ if (!new_tls_host or *new_tls_host == '\0')
{
tls_host = nullptr;
return;
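Review bot: After the new null-or-empty early return, the `len ? snort_strndup(...) : const_cast<char*>(...)` fallback that follows in each setter (visible for tls_cname and tls_org_unit below) is only reachable for a non-empty string passed with len 0, and on that path the member takes the caller's pointer, which the next call hands to snort_free(); if no caller relies on that, the branch could be dropped in the same change, otherwise a comment documenting the ownership handoff is warranted. The same guard is now repeated three times (`!new_tls_host or *new_tls_host == '\0'` and its cname/org_unit twins); a small file-local helper would keep the three in step. The setters' signatures and the set_tls_host tail are outside these hunks.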
{
if (tls_cname)
snort_free(tls_cname);
+ if (!new_tls_cname or *new_tls_cname == '\0')
+ {
+ tls_cname = nullptr;
+ return;
+ }
tls_cname = len? snort::snort_strndup(new_tls_cname,len) :
const_cast<char*>(new_tls_cname);
}
{
if (tls_org_unit)
snort_free(tls_org_unit);
+ if (!new_tls_org_unit or *new_tls_org_unit == '\0')
+ {
+ tls_org_unit = nullptr;
+ return;
+ }
tls_org_unit = len? snort::snort_strndup(new_tls_org_unit,len) :
const_cast<char*>(new_tls_org_unit);
}
}
}
-static bool parse_certificates(ServiceSSLData* ss)
+static bool parse_certificates(ServiceSSLData* ss, AppIdDiscoveryArgs& args)
{
bool success = false;
if (ss->certs_data and ss->certs_len)
{
if ((cert_name = X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0)))
{
- if (!common_name)
+ if (!(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG) and !common_name)
{
if ((start = strstr(cert_name, COMMON_NAME_STR)))
{
start = nullptr;
}
}
- if (!org_name)
+ if (!(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG) and !org_name)
{
if ((start = strstr(cert_name, COMMON_NAME_STR)))
{
{
ss->state = SSL_STATE_CONNECTION;
- if (args.dir == APP_ID_FROM_INITIATOR)
+ if (!(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG) and
+ args.dir == APP_ID_FROM_INITIATOR)
{
parse_client_initiation(data, size, ss);
goto inprocess;
success:
if (ss->certs_data && ss->certs_len)
{
- if (!parse_certificates(ss))
+ if (!((args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG) and
+ (args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG)) and
+ (!parse_certificates(ss, args)))
{
goto fail;
}
return true;
}
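Review bot: With SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG set, the `args.dir == APP_ID_FROM_INITIATOR` branch is skipped entirely, so parse_client_initiation() and the `goto inprocess` no longer run for the client hello; that suppresses more than the host assignment, and whatever the code falls through to after this `if` (outside the hunk) now sees initiator-direction data in SSL_STATE_CONNECTION. If the intent is only to keep the SNI from overwriting a pinned host, keep the branch and pass the flag (or the asd) into parse_client_initiation so just the tls_host store is conditional. Separately, in the context lines the org_name branch searches `strstr(cert_name, COMMON_NAME_STR)` just like the common_name branch; if that is not a rendering artifact it looks like it should be the org-name marker, worth a glance while this function is being touched. parse_certificates and the caller's state machine both extend outside the hunk.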
-bool SslPatternMatchers::scan_cname(unsigned char const*, unsigned long, AppId& client_id, AppId& payload_id)
+bool SslPatternMatchers::scan_cname(unsigned char const* cname, unsigned long, AppId& client_id, AppId& payload_id)
{
- client_id++;
- payload_id++;
+ if (((const char*)cname) == APPID_UT_TLS_HOST)
+ {
+ client_id = APPID_UT_ID + 2;;
+ payload_id = APPID_UT_ID + 2;
+ }
+ else
+ {
+ client_id = APPID_UT_ID + 3;
+ payload_id = APPID_UT_ID + 3;
+ }
return true;
}
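Review bot: `((const char*)cname) == APPID_UT_TLS_HOST` compares pointer values, not contents, so the mock only distinguishes the two cases because the tests pass that exact expression through unchanged; any caller that copies the string would silently land in the else branch. Name the length parameter and compare contents, e.g. `bool SslPatternMatchers::scan_cname(unsigned char const* cname, unsigned long len, AppId& client_id, AppId& payload_id)` with `if (strncmp((const char*)cname, (const char*)APPID_UT_TLS_HOST, len) == 0)`, assuming APPID_UT_TLS_HOST is NUL-terminated. There is also a stray double semicolon in `client_id = APPID_UT_ID + 2;;`.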
AppidChangeBits change_bits;
mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits);
mock_session->tsession->set_tls_cname("www.cisco.com", 13);
+ mock_session->tsession->set_tls_org_unit("Cisco", 5);
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), "www.cisco.com");
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), "www.cisco.com");
- val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, service, client, payload);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
+ val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST,
+ (const char*)APPID_UT_TLS_HOST, service, client, payload);
CHECK_TRUE(val);
CHECK_EQUAL(client, APPID_UT_ID + 2);
CHECK_EQUAL(payload, APPID_UT_ID + 2);
STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
+ string host = "";
+ val = appid_api.ssl_app_group_id_lookup(flow, (const char*)(host.c_str()),
+ (const char*)APPID_UT_TLS_HOST, service, client, payload, (const char*)("Google"));
+ CHECK_TRUE(val);
+ CHECK_EQUAL(client, APPID_UT_ID + 3);
+ CHECK_EQUAL(payload, APPID_UT_ID + 3);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_host(), nullptr);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
+ STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Google");
}
TEST(appid_api, create_appid_session_api)
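Review bot: The empty-host case asserts that get_tls_host() is nullptr but not what the lookup did to the session's scan_flags, which is the behaviour this change introduces; without a check such as `CHECK_TRUE(mock_session->scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG)` (and the server-name flag, whose expected value for an empty host should be decided deliberately) the new flags go untested here. The casts `(const char*)(host.c_str())` and `(const char*)("Google")` are no-ops and can be dropped. The test body begins outside the hunk.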
reinspect_ssl_appid = check_ssl_appid_for_reinspect(tmpAppId, asd.ctxt.get_odp_ctxt());
- if (asd.tsession->get_tls_host() == nullptr and ((field = attribute_data.tls_host(false)) != nullptr))
+ if (!(asd.scan_flags & SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG) and
+ asd.tsession->get_tls_host() == nullptr and
+ (field = attribute_data.tls_host(false)) != nullptr)
{
asd.tsession->set_tls_host(field->c_str(), field->size(), change_bits);
if (reinspect_ssl_appid)
asd.scan_flags |= SCAN_SSL_HOST_FLAG;
}
- if ((asd.tsession->get_tls_cname() == nullptr and (field = attribute_data.tls_cname()) != nullptr))
+ if (!(asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG) and
+ asd.tsession->get_tls_cname() == nullptr and
+ (field = attribute_data.tls_cname()) != nullptr)
{
asd.tsession->set_tls_cname(field->c_str(), field->size());
if (reinspect_ssl_appid)
if (reinspect_ssl_appid)
{
- if ((field = attribute_data.tls_org_unit()) != nullptr)
+ if (!(asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG) and
+ asd.tsession->get_tls_org_unit() == nullptr and
+ (field = attribute_data.tls_org_unit()) != nullptr)
{
asd.tsession->set_tls_org_unit(field->c_str(), field->size());
}