From: Brian Morris (bmorris2)
Date: Fri, 16 Apr 2021 16:45:56 +0000 (+0000)
Subject: Merge pull request #2838 in SNORT/snort3 from ~OSIRYI/snort3:osiryi_ips to master
X-Git-Tag: 3.1.4.0~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcc8ec0ce929367548056f01160b75deabfb2b33;p=thirdparty%2Fsnort3.git

Merge pull request #2838 in SNORT/snort3 from ~OSIRYI/snort3:osiryi_ips to master

Squashed commit of the following:

commit 82bce21c9a702abec288bd9bebeb62ba1688956b
Author: Oleksandr Siryi
Date: Thu Apr 15 14:49:52 2021 +0300

ssl: refactoring SSLData out so it can be reused
---
diff --git a/src/service_inspectors/ssl/CMakeLists.txt b/src/service_inspectors/ssl/CMakeLists.txt
index 3ab23c448..4ab2e345a 100644
--- a/src/service_inspectors/ssl/CMakeLists.txt
+++ b/src/service_inspectors/ssl/CMakeLists.txt
@@ -1,3 +1,6 @@
+set (SSL_INCLUDES
+ ssl_flow_data.h
+)
 set( FILE_LIST
 ips_ssl_state.cc
@@ -5,10 +8,12 @@ set( FILE_LIST
 ssl_config.h
 ssl_inspector.cc
 ssl_inspector.h
+ ssl_flow_data.cc
 ssl_module.cc
 ssl_module.h
 ssl_splitter.cc
 ssl_splitter.h
+ ${SSL_INCLUDES}
 )
 # can't be be linked dynamically yet
@@ -20,3 +25,6 @@ set( FILE_LIST
 #endif (STATIC_INSPECTORS)
+install(FILES ${SSL_INCLUDES}
+ DESTINATION "${INCLUDE_INSTALL_PATH}/service_inspectors/ssl/"
+)
diff --git a/src/service_inspectors/ssl/ips_ssl_state.cc b/src/service_inspectors/ssl/ips_ssl_state.cc
index 48032aa38..ffeb0cc7e 100644
--- a/src/service_inspectors/ssl/ips_ssl_state.cc
+++ b/src/service_inspectors/ssl/ips_ssl_state.cc
@@ -102,7 +102,7 @@ IpsOption::EvalStatus SslStateOption::eval(Cursor&, Packet* pkt)
 if (!pkt->flow)
 return NO_MATCH;
- SSLData* sd = get_ssl_session_data(pkt->flow);
+ SSLData* sd = SslBaseFlowData::get_ssl_session_data(pkt->flow);
 if (!sd)
 return NO_MATCH;
diff --git a/src/service_inspectors/ssl/ips_ssl_version.cc b/src/service_inspectors/ssl/ips_ssl_version.cc
index c98575889..57ba78dfa 100644
--- a/src/service_inspectors/ssl/ips_ssl_version.cc
+++ b/src/service_inspectors/ssl/ips_ssl_version.cc
@@ -102,7 +102,7 @@ IpsOption::EvalStatus SslVersionOption::eval(Cursor&, Packet* pkt)
 if (!pkt->flow)
 return NO_MATCH;
- SSLData* sd = get_ssl_session_data(pkt->flow);
+ SSLData* sd = SslBaseFlowData::get_ssl_session_data(pkt->flow);
 if (!sd)
 return NO_MATCH;
diff --git a/src/service_inspectors/ssl/ssl_flow_data.cc b/src/service_inspectors/ssl/ssl_flow_data.cc
new file mode 100644
index 000000000..b57e271a7
--- /dev/null
+++ b/src/service_inspectors/ssl/ssl_flow_data.cc
@@ -0,0 +1,32 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2015-2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include
+#include "ssl_flow_data.h"
+
+unsigned SslBaseFlowData::inspector_id = 0;
+
+SSLData* SslBaseFlowData::get_ssl_session_data(snort::Flow* flow)
+{
+ SslBaseFlowData* fd = (SslBaseFlowData*)flow->get_flow_data(SslBaseFlowData::inspector_id);
+ return fd ? &fd->get_session() : nullptr;
+}
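Review bot: `SslBaseFlowData::get_ssl_session_data` dereferences `flow` without a check and turns the `snort::FlowData*` returned by `get_flow_data` into an `SslBaseFlowData*` with a C-style cast; now that the function is `SO_PUBLIC` and intended for reuse by other code, both the precondition and the cast should be explicit. `static_cast<SslBaseFlowData*>(flow->get_flow_data(inspector_id))` states that the cast relies on the id having been registered by this class, and a comment on the declaration such as `// flow must be non-null; returns nullptr when no SslBaseFlowData is attached. The pointer refers into the flow data and is valid only while that flow data lives on the flow.` tells callers what they may rely on. It also looks like a call made before `assign_ssl_inspector_id` has run performs the lookup with the initial id 0; if FlowData ids can legitimately be 0 this is worth an assert or a note in the header.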
diff --git a/src/service_inspectors/ssl/ssl_flow_data.h b/src/service_inspectors/ssl/ssl_flow_data.h
new file mode 100644
index 000000000..bacad0da2
--- /dev/null
+++ b/src/service_inspectors/ssl/ssl_flow_data.h
@@ -0,0 +1,60 @@
+//--------------------------------------------------------------------------
+// Copyright (C) 2021 Cisco and/or its affiliates. All rights reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License Version 2 as published
+// by the Free Software Foundation. You may not use, modify or distribute
+// this program under any other version of the GNU General Public License.
+//
+// This program is distributed in the hope that it will be useful, but
+// WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+//--------------------------------------------------------------------------
+
+#ifndef SSL_FLOW_DATA_H
+#define SSL_FLOW_DATA_H
+
+#include "flow/flow_data.h"
+
+#define GID_SSL 137
+
+#define SSL_INVALID_CLIENT_HELLO 1
+#define SSL_INVALID_SERVER_HELLO 2
+#define SSL_ALERT_HB_REQUEST 3
+#define SSL_ALERT_HB_RESPONSE 4
+
+struct SSLData
+{
+ uint32_t ssn_flags;
+ uint16_t partial_rec_len[4];
+};
+
+namespace snort
+{
+ class Flow;
+}
+
+class SO_PUBLIC SslBaseFlowData : public snort::FlowData
+{
+public:
+ SslBaseFlowData() : snort::FlowData(inspector_id) {}
+
+ virtual SSLData& get_session() = 0;
+
+public:
+ static SSLData* get_ssl_session_data(snort::Flow* flow);
+ static unsigned get_ssl_inspector_id() { return inspector_id; }
+
+protected:
+ static void assign_ssl_inspector_id(unsigned u) { inspector_id = u; }
+
+private:
+ static unsigned inspector_id;
+};
+
+#endif
diff --git a/src/service_inspectors/ssl/ssl_inspector.cc b/src/service_inspectors/ssl/ssl_inspector.cc
index 3f5fe2811..5af50c355 100644
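Review bot: `SSLData` uses `uint32_t` and `uint16_t` but the new header includes only `flow/flow_data.h`, so a consumer of the installed `ssl_flow_data.h` depends on a transitive `<cstdint>`; add `#include <cstdint>` next to the existing include. `assign_ssl_inspector_id` is `protected` and unguarded, so every subclass can overwrite the one shared id; if two subclasses each assign from their own `init()`, flow data created under the earlier id is no longer reachable through `get_ssl_session_data`. If ids are assigned once at startup, either document that exactly one subclass owns the assignment or guard it, e.g. `static void assign_ssl_inspector_id(unsigned u) { assert(inspector_id == 0); inspector_id = u; }` with `<cassert>` included. The `GID_SSL` and `SSL_*` alert ids are now bare macros in an installed public header; `constexpr unsigned` constants would avoid leaking them into every includer.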
--- a/src/service_inspectors/ssl/ssl_inspector.cc
+++ b/src/service_inspectors/ssl/ssl_inspector.cc
@@ -43,11 +43,16 @@ using namespace snort;
+#define SSLPP_ENCRYPTED_FLAGS \
+ (SSL_HS_SDONE_FLAG | SSL_CLIENT_KEYX_FLAG | \
+ SSL_CAPP_FLAG | SSL_SAPP_FLAG)
+#define SSLPP_ENCRYPTED_FLAGS2 \
+ (SSL_HS_SDONE_FLAG | SSL_CHANGE_CIPHER_FLAG | \
+ SSL_CAPP_FLAG | SSL_SAPP_FLAG)
+
 THREAD_LOCAL ProfileStats sslPerfStats;
 THREAD_LOCAL SslStats sslstats;
-unsigned SslFlowData::inspector_id = 0;
-
 const PegInfo ssl_peg_names[] =
 {
 { CountType::SUM, "packets", "total packets processed" },
@@ -74,7 +79,7 @@ const PegInfo ssl_peg_names[] =
 { CountType::END, nullptr, nullptr }
 };
-SslFlowData::SslFlowData() : FlowData(inspector_id)
+SslFlowData::SslFlowData() : SslBaseFlowData()
 {
 memset(&session, 0, sizeof(session));
 finalize_info = {};
@@ -93,13 +98,7 @@ static SSLData* SetNewSSLData(Packet* p)
 {
 SslFlowData* fd = new SslFlowData;
 p->flow->set_flow_data(fd);
- return &fd->session;
-}
-
-SSLData* get_ssl_session_data(Flow* flow)
-{
- SslFlowData* fd = (SslFlowData*)flow->get_flow_data(SslFlowData::inspector_id);
- return fd ? &fd->session : nullptr;
+ return &fd->get_session();
 }
 static void SSL_UpdateCounts(const uint32_t new_flags)
@@ -287,7 +286,7 @@ static void snort_ssl(SSL_PROTO_CONF* config, Packet* p)
 Profile profile(sslPerfStats);
 /* Attempt to get a previously allocated SSL block. */
- SSLData* sd = get_ssl_session_data(p->flow);
+ SSLData* sd = SslBaseFlowData::get_ssl_session_data(p->flow);
 if (sd == nullptr)
 {
@@ -449,7 +448,7 @@ public:
 {
 FinalizePacketEvent* fp_event = (FinalizePacketEvent*)&e;
 const Packet* pkt = fp_event->get_packet();
- SslFlowData* fd = (SslFlowData*)pkt->flow->get_flow_data(SslFlowData::inspector_id);
+ SslFlowData* fd = (SslFlowData*)pkt->flow->get_flow_data(SslBaseFlowData::get_ssl_inspector_id());
 if (fd and fd->finalize_info.switch_in)
 {
 pkt->flow->flags.trigger_finalize_event = fd->finalize_info.orig_flag;
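Review bot: In the finalize handler (hunk `@@ -449,7 +448,7 @@`) the flow data fetched via `SslBaseFlowData::get_ssl_inspector_id()` is still cast to the concrete `SslFlowData*` and `fd->finalize_info` is read from it, yet every `SslBaseFlowData` subclass now registers under that same id through the base constructor. If another subclass ever attaches its flow data under the shared id, which is the stated reason for this refactoring, this handler would read `finalize_info` from an object that is not an `SslFlowData`. Where RTTI is available a checked downcast, `SslFlowData* fd = dynamic_cast<SslFlowData*>(pkt->flow->get_flow_data(SslBaseFlowData::get_ssl_inspector_id()));`, keeps the access type-safe (the `nullptr` result is already handled by the `if (fd and ...)` below); otherwise a virtual hook on the base would be needed. The enclosing handler continues outside the hunk.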
diff --git a/src/service_inspectors/ssl/ssl_inspector.h b/src/service_inspectors/ssl/ssl_inspector.h
index edbf5e516..5e5699615 100644
--- a/src/service_inspectors/ssl/ssl_inspector.h
+++ b/src/service_inspectors/ssl/ssl_inspector.h
@@ -22,41 +22,31 @@
 // Implementation header with definitions, datatypes and flowdata class for SSL service inspector.
 #include "flow/flow.h"
+#include "ssl_flow_data.h"
-#define SSLPP_ENCRYPTED_FLAGS \
- (SSL_HS_SDONE_FLAG | SSL_CLIENT_KEYX_FLAG | \
- SSL_CAPP_FLAG | SSL_SAPP_FLAG)
-#define SSLPP_ENCRYPTED_FLAGS2 \
- (SSL_HS_SDONE_FLAG | SSL_CHANGE_CIPHER_FLAG | \
- SSL_CAPP_FLAG | SSL_SAPP_FLAG)
-
-struct SSLData
-{
- uint32_t ssn_flags;
- uint16_t partial_rec_len[4];
-};
-
-class SslFlowData : public snort::FlowData
+class SslFlowData : public SslBaseFlowData
 {
 public:
 SslFlowData();
 ~SslFlowData() override;
 static void init()
- { inspector_id = snort::FlowData::create_flow_data_id(); }
+ { assign_ssl_inspector_id(snort::FlowData::create_flow_data_id()); }
 size_t size_of() override
 { return sizeof(*this); }
+ SSLData& get_session() override
+ { return session; }
+
 public:
- static unsigned inspector_id;
-
- SSLData session;
 struct
 {
 bool orig_flag : 1;
 bool switch_in : 1;
 } finalize_info;
+
+private:
+ SSLData session;
 };
-//Function: API to get the ssl flow data from the packet flow.
-SSLData* get_ssl_session_data(snort::Flow* flow);
 #endif
diff --git a/src/service_inspectors/ssl/ssl_module.h b/src/service_inspectors/ssl/ssl_module.h
index 2ce9d2764..8ce896ecc 100644
--- a/src/service_inspectors/ssl/ssl_module.h
+++ b/src/service_inspectors/ssl/ssl_module.h
@@ -25,13 +25,7 @@
 #include "framework/module.h"
 #include "ssl_config.h"
-
-#define GID_SSL 137
-
-#define SSL_INVALID_CLIENT_HELLO 1
-#define SSL_INVALID_SERVER_HELLO 2
-#define SSL_ALERT_HB_REQUEST 3
-#define SSL_ALERT_HB_RESPONSE 4
+#include "ssl_flow_data.h"
 #define SSL_NAME "ssl"
 #define SSL_HELP "ssl inspection"