From: Shravan Rangarajuvenkata (shrarang)
Date: Mon, 20 Apr 2020 15:09:29 +0000 (+0000)
Subject: Merge pull request #2171 in SNORT/snort3 from ~SATHIRKA/snort3:cert_viz_api to master
X-Git-Tag: 3.0.1-2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1defa688332575224c37576a3380b80401625d1;p=thirdparty%2Fsnort3.git
Merge pull request #2171 in SNORT/snort3 from ~SATHIRKA/snort3:cert_viz_api to master
Squashed commit of the following:
commit 223fb2d6095510a409ad14361e40d9b96adabb8d
Author: Sreeja Athirkandathil Narayanan
Date: Wed Apr 1 17:45:26 2020 -0400
appid: Support org unit in SSL lookup API and do not overwrite the API provided data
---
diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc
index 849d3e2b4..df54ff801 100644
--- a/src/network_inspectors/appid/appid_api.cc
+++ b/src/network_inspectors/appid/appid_api.cc
@@ -189,7 +189,7 @@ uint32_t AppIdApi::consume_ha_state(Flow& flow, const uint8_t* buf, uint8_t, IpP
 }
 
 bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, const char* common_name,
-AppId& service_id, AppId& client_id, AppId& payload_id)
+AppId& service_id, AppId& client_id, AppId& payload_id, const char* org_unit)
 {
 AppIdSession* asd = nullptr;
 service_id = APP_ID_NONE;
@@ -212,6 +212,7 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, cons
 payload_id);
 asd->tsession->set_tls_host(server_name, strlen(server_name), change_bits);
 asd->scan_flags |= SCAN_SSL_HOST_FLAG;
+asd->scan_flags |= SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG;
 }
 
 if (common_name)
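Review bot: The new SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG is raised for any non-null server_name, including the empty string, which set_tls_host (as changed in appid_session.h in this same commit) now stores as nullptr; the session then has no host and, because service_ssl.cc and tp_appid_utils.cc now test the flag, will never pick one up from SNI or third-party data either. If "clear and pin" is the intended meaning of an empty name, a comment on the new line should say so; otherwise both this flag and SCAN_SSL_HOST_FLAG should be set only for a non-empty name, e.g. by tightening the enclosing condition (presumably `if (server_name)`, which is above the hunk) to `if (server_name and *server_name)`. The common_name and org_unit branches in the next hunk have the same gap. ssl_app_group_id_lookup starts before and ends after this hunk.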
@@ -220,6 +221,15 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, cons
 payload_id);
 asd->tsession->set_tls_cname(common_name, strlen(common_name));
 asd->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
+asd->scan_flags |= SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG;
+}
+
+if (org_unit)
+{
+ssl_matchers.scan_cname((const uint8_t*)org_unit, strlen(org_unit), client_id,
+payload_id);
+asd->tsession->set_tls_org_unit(org_unit, strlen(org_unit));
+asd->scan_flags |= SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG;
 }
 
 service_id = asd->get_application_ids_service();
@@ -242,6 +252,11 @@ bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, cons
 if (common_name)
 ssl_matchers.scan_cname((const uint8_t*)common_name, strlen(common_name), client_id,
 payload_id);
+
+if (org_unit)
+ssl_matchers.scan_cname((const uint8_t*)org_unit, strlen(org_unit), client_id,
+payload_id);
+
 }
 }
 
diff --git a/src/network_inspectors/appid/appid_api.h b/src/network_inspectors/appid/appid_api.h
index 3fb85382f..fd5e175db 100644
--- a/src/network_inspectors/appid/appid_api.h
+++ b/src/network_inspectors/appid/appid_api.h
@@ -59,7 +59,8 @@ public:
 uint32_t produce_ha_state(const Flow& flow, uint8_t* buf);
 uint32_t consume_ha_state(Flow& flow, const uint8_t* buf, uint8_t length, IpProtocol, SfIp*,
 uint16_t initiatorPort);
-bool ssl_app_group_id_lookup(Flow* flow, const char*, const char*, AppId& service_id, AppId& client_id, AppId& payload_id);
+bool ssl_app_group_id_lookup(Flow* flow, const char*, const char*, AppId& service_id,
+AppId& client_id, AppId& payload_id, const char* org_unit = nullptr);
 AppIdSessionApi* create_appid_session_api(const Flow& flow);
 void free_appid_session_api(AppIdSessionApi* api);
 };
diff --git a/src/network_inspectors/appid/appid_discovery.h b/src/network_inspectors/appid/appid_discovery.h
index d1af4b590..f9e23de90 100644
--- a/src/network_inspectors/appid/appid_discovery.h
+++ b/src/network_inspectors/appid/appid_discovery.h
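Review bot: The new org_unit branch sets only SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG, whereas the host and common-name branches directly above it also raise SCAN_SSL_HOST_FLAG and SCAN_SSL_CERTIFICATE_FLAG; if an org-unit match is meant to feed the same reinspection path this is a gap, and if it is deliberately different it needs a comment such as `// org unit only seeds the lookup; no SCAN_SSL_* reinspection flag is raised for it`. The flag is also named ORG_NAME while every accessor it protects is `*_org_unit`; settling on one term would avoid confusion with the unrelated `org_name` local in service_ssl.cc.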
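Review bot: The org_unit scan is now written twice with an identical call — here for the no-session path and in the previous hunk for the session path — and common_name already shows the same duplication, so a small static helper taking the three names plus `client_id`/`payload_id` would keep the two paths from drifting when the matcher call changes again. The added blank line just before the closing brace is a formatting nit.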
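Review bot: The declaration of ssl_app_group_id_lookup documents none of the semantics this commit introduces: a non-null name both seeds the lookup and, via the new SCAN_DO_NOT_OVERRIDE_* flags, stops later traffic-derived data from replacing it, and an empty string clears the stored value after the appid_session.h change. A comment above the declaration along the lines of `// Non-null names are matched and pinned on the session so traffic-derived values no longer replace them; nullptr means "not provided".` would tell callers what they are opting into. The second and third parameters are still unnamed while the new fourth one is; naming them `server_name` and `common_name` as in the definition would be consistent.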
@@ -57,6 +57,9 @@ struct Packet;
 #define SCAN_HTTP_XWORKINGWITH_FLAG (1<<7)
 #define SCAN_HTTP_CONTENT_TYPE_FLAG (1<<8)
 #define SCAN_HTTP_URI_FLAG (1<<9)
+#define SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG (1<<10)
+#define SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG (1<<11)
+#define SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG (1<<12)
 
 class AppIdPatternMatchNode
 {
diff --git a/src/network_inspectors/appid/appid_session.h b/src/network_inspectors/appid/appid_session.h
index 866082e71..d83dd7fb0 100644
--- a/src/network_inspectors/appid/appid_session.h
+++ b/src/network_inspectors/appid/appid_session.h
@@ -143,7 +143,7 @@ struct TlsSession
 {
 if (tls_host)
 snort_free(tls_host);
-if (!new_tls_host)
+if (!new_tls_host or *new_tls_host == '\0')
 {
 tls_host = nullptr;
 return;
@@ -156,6 +156,11 @@ struct TlsSession
 {
 if (tls_cname)
 snort_free(tls_cname);
+if (!new_tls_cname or *new_tls_cname == '\0')
+{
+tls_cname = nullptr;
+return;
+}
 tls_cname = len? snort::snort_strndup(new_tls_cname,len) : const_cast(new_tls_cname);
 }
 
@@ -164,6 +169,11 @@ struct TlsSession
 {
 if (tls_org_unit)
 snort_free(tls_org_unit);
+if (!new_tls_org_unit or *new_tls_org_unit == '\0')
+{
+tls_org_unit = nullptr;
+return;
+}
 tls_org_unit = len? snort::snort_strndup(new_tls_org_unit,len) : const_cast(new_tls_org_unit);
 }
 
diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc
index b31553d0f..308452616 100644
--- a/src/network_inspectors/appid/service_plugins/service_ssl.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc
@@ -349,7 +349,7 @@ static void parse_client_initiation(const uint8_t* data, uint16_t size, ServiceS
 }
 }
 
-static bool parse_certificates(ServiceSSLData* ss)
+static bool parse_certificates(ServiceSSLData* ss, AppIdDiscoveryArgs& args)
 {
 bool success = false;
 if (ss->certs_data and ss->certs_len)
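Review bot: The three new flags differ in kind from the SCAN_* flags above them — they are caller-set pins rather than "this was seen, rescan" markers — yet nothing in the header says so; a comment such as `// set by AppIdApi::ssl_app_group_id_lookup: the stored TLS name came from the caller and must not be replaced by traffic-derived data` would document the contract the detectors now rely on. The type of `scan_flags` is not visible here, so whether bits 10–12 fit in it should be confirmed. ORG_NAME in the flag name versus `tls_org_unit` in the field and setters it guards is an inconsistency worth settling before more code keys on it.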
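Review bot: The new guards in set_tls_cname and set_tls_org_unit (this hunk and the next) return early only for a null or empty input; when `len` is 0 but the string is non-empty, the unchanged line below still aliases the caller's pointer through const_cast, and the `snort_free` at the top of each setter will later free memory this struct does not own. That path predates the commit, but the new guard sits right next to it: if a zero length means "take the string as given", the setter should copy it instead of aliasing; if zero is never expected, the guard could be widened to `if (!new_tls_cname or *new_tls_cname == '\0' or !len)` with the same change in the org-unit setter. The identical three-line guard now appears in all three setters and could be one private helper.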
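Review bot: parse_certificates only reads `args.asd.scan_flags` in the later hunks of this file, so taking `const AppIdDiscoveryArgs& args` — or just the flags value it needs — would express that and keep the parser from being able to mutate the session, assuming the type permits it. The function body continues outside this hunk.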
@@ -390,7 +390,7 @@ static bool parse_certificates(ServiceSSLData* ss)
 {
 if ((cert_name = X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0)))
 {
-if (!common_name)
+if (!(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG) and !common_name)
 {
 if ((start = strstr(cert_name, COMMON_NAME_STR)))
 {
@@ -407,7 +407,7 @@ static bool parse_certificates(ServiceSSLData* ss)
 start = nullptr;
 }
 }
-if (!org_name)
+if (!(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG) and !org_name)
 {
 if ((start = strstr(cert_name, COMMON_NAME_STR)))
 {
@@ -479,7 +479,8 @@ int SslServiceDetector::validate(AppIdDiscoveryArgs& args)
 {
 ss->state = SSL_STATE_CONNECTION;
 
-if (args.dir == APP_ID_FROM_INITIATOR)
+if (!(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG) and
+args.dir == APP_ID_FROM_INITIATOR)
 {
 parse_client_initiation(data, size, ss);
 goto inprocess;
@@ -697,7 +698,9 @@ fail:
 success:
 if (ss->certs_data && ss->certs_len)
 {
-if (!parse_certificates(ss))
+if (!((args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG) and
+(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG)) and
+(!parse_certificates(ss, args)))
 {
 goto fail;
 }
diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc
index ff19dcf8a..b0ee968d5 100644
--- a/src/network_inspectors/appid/test/appid_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_api_test.cc
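Review bot: The flag test is re-evaluated on every pass through this block and again in the org_name block of the next hunk, and the two conditions are long enough that their parallel structure is easy to miss; two named booleans computed once at the top of parse_certificates, e.g. `const bool pin_cn = args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG;` and `const bool pin_org = args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG;`, would let these lines read `if (!pin_cn and !common_name)` / `if (!pin_org and !org_name)`. Whether this sits inside a per-certificate loop is inferred; the loop head is outside the hunk.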
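Review bot: With the server-name pin set, an initiator-direction packet no longer takes `goto inprocess` and instead falls into whatever follows this block, code that previously only ever saw responder-direction data; that is a wider behaviour change than skipping SNI extraction, and the lines that now receive the client data are outside the hunk. If the intent is only to leave the pinned host alone, keeping the direction check outermost preserves the old flow: `if (args.dir == APP_ID_FROM_INITIATOR) { if (!(args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG)) parse_client_initiation(data, size, ss); goto inprocess; }`. validate() continues beyond this hunk.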
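Review bot: The success-path condition folds a two-flag test into the same expression as the call it gates, which is hard to read and has a side effect worth stating: when both pins are set parse_certificates is not called at all, so anything else it does with `certs_data`/`certs_len` (its body is outside this hunk) is skipped too, not just the name extraction. Moving the both-pinned check inside parse_certificates, returning success before the name extraction, keeps a single code path; failing that, name the condition: `const bool names_pinned = (args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG) and (args.asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG);` then `if (!names_pinned and !parse_certificates(ss, args))`.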
@@ -59,10 +59,18 @@ bool SslPatternMatchers::scan_hostname(unsigned char const*, unsigned long, AppI
 return true;
 }
 
-bool SslPatternMatchers::scan_cname(unsigned char const*, unsigned long, AppId& client_id, AppId& payload_id)
+bool SslPatternMatchers::scan_cname(unsigned char const* cname, unsigned long, AppId& client_id, AppId& payload_id)
 {
-client_id++;
-payload_id++;
+if (((const char*)cname) == APPID_UT_TLS_HOST)
+{
+client_id = APPID_UT_ID + 2;;
+payload_id = APPID_UT_ID + 2;
+}
+else
+{
+client_id = APPID_UT_ID + 3;
+payload_id = APPID_UT_ID + 3;
+}
 return true;
 }
 
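Review bot: The stub compares the cname pointer with `APPID_UT_TLS_HOST` by address, so it matches only when a test passes that exact object and silently takes the else branch for an equal string from any other buffer, and the length argument that is passed is ignored; naming the second parameter `len` and comparing content, e.g. `if (strncmp((const char*)cname, (const char*)APPID_UT_TLS_HOST, len) == 0)`, makes the mock honest about what it matches. `client_id = APPID_UT_ID + 2;;` has a stray semicolon.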
@@ -206,14 +214,27 @@ TEST(appid_api, ssl_app_group_id_lookup)
 AppidChangeBits change_bits;
 mock_session->tsession->set_tls_host("www.cisco.com", 13, change_bits);
 mock_session->tsession->set_tls_cname("www.cisco.com", 13);
+mock_session->tsession->set_tls_org_unit("Cisco", 5);
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), "www.cisco.com");
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), "www.cisco.com");
-val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, service, client, payload);
+STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
+val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST,
+(const char*)APPID_UT_TLS_HOST, service, client, payload);
 CHECK_TRUE(val);
 CHECK_EQUAL(client, APPID_UT_ID + 2);
 CHECK_EQUAL(payload, APPID_UT_ID + 2);
 STRCMP_EQUAL(mock_session->tsession->get_tls_host(), APPID_UT_TLS_HOST);
 STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
+STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Cisco");
+string host = "";
+val = appid_api.ssl_app_group_id_lookup(flow, (const char*)(host.c_str()),
+(const char*)APPID_UT_TLS_HOST, service, client, payload, (const char*)("Google"));
+CHECK_TRUE(val);
+CHECK_EQUAL(client, APPID_UT_ID + 3);
+CHECK_EQUAL(payload, APPID_UT_ID + 3);
+STRCMP_EQUAL(mock_session->tsession->get_tls_host(), nullptr);
+STRCMP_EQUAL(mock_session->tsession->get_tls_cname(), APPID_UT_TLS_HOST);
+STRCMP_EQUAL(mock_session->tsession->get_tls_org_unit(), "Google");
 }
 
 TEST(appid_api, create_appid_session_api)
diff --git a/src/network_inspectors/appid/tp_appid_utils.cc b/src/network_inspectors/appid/tp_appid_utils.cc
index 81a737d2a..923635b48 100644
--- a/src/network_inspectors/appid/tp_appid_utils.cc
+++ b/src/network_inspectors/appid/tp_appid_utils.cc
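Review bot: The new assertions check the stored names but never the mechanism the commit introduces — nothing verifies that the SCAN_DO_NOT_OVERRIDE_* bits are set on the session, which is what service_ssl.cc and tp_appid_utils.cc now key on; adding `CHECK(mock_session->scan_flags & SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG);` and its two siblings after the second lookup would pin that, assuming mock_session is the AppIdSession the API writes to. The `STRCMP_EQUAL(..., nullptr)` after passing an empty host documents the clear-and-pin behaviour and deserves a one-line comment stating it is intentional. `string host = "";` together with the `(const char*)(host.c_str())` and `(const char*)("Google")` casts is redundant — passing `""` and `"Google"` directly reads cleaner.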
@@ -516,14 +516,18 @@ static inline void process_ssl(AppIdSession& asd, reinspect_ssl_appid = check_ssl_appid_for_reinspect(tmpAppId, asd.ctxt.get_odp_ctxt()); - if (asd.tsession->get_tls_host() == nullptr and ((field = attribute_data.tls_host(false)) != nullptr)) + if (!(asd.scan_flags & SCAN_DO_NOT_OVERRIDE_SERVER_NAME_FLAG) and + asd.tsession->get_tls_host() == nullptr and + (field = attribute_data.tls_host(false)) != nullptr) { asd.tsession->set_tls_host(field->c_str(), field->size(), change_bits); if (reinspect_ssl_appid) asd.scan_flags |= SCAN_SSL_HOST_FLAG; } - if ((asd.tsession->get_tls_cname() == nullptr and (field = attribute_data.tls_cname()) != nullptr)) + if (!(asd.scan_flags & SCAN_DO_NOT_OVERRIDE_COMMON_NAME_FLAG) and + asd.tsession->get_tls_cname() == nullptr and + (field = attribute_data.tls_cname()) != nullptr) { asd.tsession->set_tls_cname(field->c_str(), field->size()); if (reinspect_ssl_appid) @@ -532,7 +536,9 @@ static inline void process_ssl(AppIdSession& asd, if (reinspect_ssl_appid) { - if ((field = attribute_data.tls_org_unit()) != nullptr) + if (!(asd.scan_flags & SCAN_DO_NOT_OVERRIDE_ORG_NAME_FLAG) and + asd.tsession->get_tls_org_unit() == nullptr and + (field = attribute_data.tls_org_unit()) != nullptr) { asd.tsession->set_tls_org_unit(field->c_str(), field->size()); }
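Review bot: The added flag checks only change behaviour when the stored value is null, because the existing `== nullptr` tests already protect a populated host or cname; that case arises only when the API stored an empty name (now cleared by the guards in appid_session.h), and nothing here says so. A comment above the first condition such as `// a name pinned (possibly cleared) via ssl_app_group_id_lookup is never replaced by third-party data` would make the interaction explicit for the next reader. process_ssl starts before and continues after this hunk.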
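Review bot: Beyond the flag, the org-unit branch gains a `get_tls_org_unit() == nullptr` clause the old code did not have, so a previously stored org unit is no longer refreshed on reinspection even when the pin is unset; that is a second behaviour change that the commit message does not mention. If aligning with the host/cname blocks is the intent, a short comment on that line saying so would keep it from being read as accidental; if not, drop the clause and keep only the flag check.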