From: Shravan Rangarajuvenkata (shrarang) Date: Wed, 4 Sep 2019 19:15:15 +0000 (-0400) Subject: Merge pull request #1727 in SNORT/snort3 from ~SATHIRKA/snort3:ssl_api to master X-Git-Tag: 3.0.0-261~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa794187be6bb30b3160830f8783ba1fa46076aa;p=thirdparty%2Fsnort3.git Merge pull request #1727 in SNORT/snort3 from ~SATHIRKA/snort3:ssl_api to master Squashed commit of the following: commit 9e2b9339305b910ea4c0d7285f1829d5c64716ca Author: Sreeja Athirkandathil Narayanan Date: Fri Aug 30 11:26:03 2019 -0400 appid: Enabled API for SSL to lookup appid
---
diff --git a/src/network_inspectors/appid/appid_api.cc b/src/network_inspectors/appid/appid_api.cc
index fd6286379..b4d3629b8 100644
--- a/src/network_inspectors/appid/appid_api.cc
+++ b/src/network_inspectors/appid/appid_api.cc
@@ -32,6 +32,7 @@
 #include "appid_session.h"
 #include "appid_session_api.h"
 #include "app_info_table.h"
+#include "service_plugins/service_ssl.h"
 #ifdef ENABLE_APPID_THIRD_PARTY
 #include "tp_appid_session_api.h"
 #endif
@@ -192,6 +193,36 @@ uint32_t AppIdApi::consume_ha_state(Flow& flow, const uint8_t* buf, uint8_t, IpP
 return sizeof(*appHA);
 }
+bool AppIdApi::ssl_app_group_id_lookup(Flow* flow, const char* server_name, const char* common_name, AppId& service_id, AppId& client_id, AppId& payload_id)
+{
+ AppIdSession* asd;
+ service_id = APP_ID_NONE;
+ client_id = APP_ID_NONE;
+ payload_id = APP_ID_NONE;
+
+ if (common_name)
+ ssl_scan_cname((const uint8_t*)common_name, strlen(common_name), client_id, payload_id);
+
+ if (server_name)
+ ssl_scan_hostname((const uint8_t*)server_name, strlen(server_name), client_id, payload_id);
+
+ if (flow and (asd = get_appid_session(*flow)))
+ {
+ service_id = asd->get_application_ids_service();
+ if (client_id == APP_ID_NONE)
+ client_id = asd->get_application_ids_client();
+ if (payload_id == APP_ID_NONE)
+ payload_id = asd->get_application_ids_payload();
+ }
+
+ if (service_id != APP_ID_NONE or client_id != APP_ID_NONE or payload_id != APP_ID_NONE)
+ {
+ return true;
+ }
+
+ return false;
+}
+
 AppIdSessionApi* AppIdApi::create_appid_session_api(Flow& flow)
 {
 AppIdSession* asd = (AppIdSession*)flow.get_flow_data(AppIdSession::inspector_id);
diff --git a/src/network_inspectors/appid/appid_api.h b/src/network_inspectors/appid/appid_api.h
index 52110621f..e5b6aa1f7 100644
--- a/src/network_inspectors/appid/appid_api.h
+++ b/src/network_inspectors/appid/appid_api.h
@@ -58,6 +58,7 @@ public:
 uint32_t produce_ha_state(Flow& flow, uint8_t* buf);
 uint32_t consume_ha_state(Flow& flow, const uint8_t* buf, uint8_t length, IpProtocol, SfIp*, uint16_t initiatorPort);
+ bool ssl_app_group_id_lookup(Flow* flow, const char*, const char*, AppId& service_id, AppId& client_id, AppId& payload_id);
 AppIdSessionApi* create_appid_session_api(Flow& flow);
 void free_appid_session_api(AppIdSessionApi* api);
 };
diff --git a/src/network_inspectors/appid/appid_inspector.cc b/src/network_inspectors/appid/appid_inspector.cc
index 2473f0294..c325365b5 100644
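Review bot: In `AppIdApi::ssl_app_group_id_lookup` (appid_api.cc) the `ssl_scan_hostname` call runs after `ssl_scan_cname` and writes the same `client_id`/`payload_id` references, so a `server_name` match silently replaces whatever the certificate common name matched, while the three `examine_ssl_metadata` hunks in appid_session.cc show the hostname scan first and the common-name scans after it. If `server_name` carries the client-supplied SNI, the peer chooses the value that wins here, which matters for any policy keyed on the returned ids. Either state the intended precedence in a comment (`// a server_name match overrides a common_name match`) or keep the first hit by scanning the hostname only when `ssl_scan_cname` returned 0. The header comment should also say that both strings must be NUL-terminated, since their length is taken with `strlen` and a name with an embedded NUL would be matched only up to that byte.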
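Review bot: The declaration of `ssl_app_group_id_lookup` in appid_api.h leaves both `const char*` parameters unnamed, and because they share a type a caller that passes them in the wrong order compiles without a warning; the definition in appid_api.cc takes `server_name` first and `common_name` second. Name them in the header, `const char* server_name, const char* common_name`, and add a comment such as `// returns true if any of the three ids is not APP_ID_NONE; flow and either name may be nullptr`. The class body starts outside this hunk.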
--- a/src/network_inspectors/appid/appid_inspector.cc
+++ b/src/network_inspectors/appid/appid_inspector.cc
@@ -298,39 +298,3 @@ const BaseApi* nin_appid[] =
 nullptr
 };
-// @returns 1 if some appid is found, 0 otherwise.
-//int sslAppGroupIdLookup(void* ssnptr, const char* serverName, const char* commonName,
-// AppId* service_id, AppId* client_id, AppId* payload_id)
-int sslAppGroupIdLookup(void*, const char*, const char*, AppId*, AppId*, AppId*)
-{
- // FIXIT-M determine need and proper location for this code when support for ssl is implemented
- // also once this is done the call to get the appid config should change to use the
- // config assigned to the flow being processed
-#ifdef REMOVED_WHILE_NOT_IN_USE
- AppIdSession* asd;
- *service_id = *client_id = *payload_id = APP_ID_NONE;
-
- if (commonName)
- {
- ssl_scan_cname((const uint8_t*)commonName, strlen(commonName), client_id, payload_app_id,
- &get_appid_config()->serviceSslConfig);
- }
- if (serverName)
- {
- ssl_scan_hostname((const uint8_t*)serverName, strlen(serverName), client_id,
- payload_app_id, &get_appid_config()->serviceSslConfig);
- }
-
- if (ssnptr && (asd = appid_api.get_appid_session(ssnptr)))
- asd->get_application_ids(*service_id, *client_id, *payload_id);
-
- if (*service_id != APP_ID_NONE ||
- *client_id != APP_ID_NONE ||
- *payload_id != APP_ID_NONE)
- {
- return 1;
- }
-#endif
-
- return 0;
-}
diff --git a/src/network_inspectors/appid/appid_inspector.h b/src/network_inspectors/appid/appid_inspector.h
index 69c2a1356..ab1b4704c 100644
--- a/src/network_inspectors/appid/appid_inspector.h
+++ b/src/network_inspectors/appid/appid_inspector.h
@@ -60,7 +60,5 @@ private:
 };
-int sslAppGroupIdLookup(void*, const char*, const char*, AppId*, AppId*, AppId*);
-
 #endif
diff --git a/src/network_inspectors/appid/appid_session.cc b/src/network_inspectors/appid/appid_session.cc
index 2255ee18f..458f5015c 100644
--- a/src/network_inspectors/appid/appid_session.cc
+++ b/src/network_inspectors/appid/appid_session.cc
@@ -413,7 +413,7 @@ void AppIdSession::examine_ssl_metadata(Packet* p, AppidChangeBits& change_bits)
 {
 size_t size = strlen(tls_str);
 if ((ret = ssl_scan_hostname((const uint8_t*)tls_str, size,
- &client_id, &payload_id)))
+ client_id, payload_id)))
 {
 set_client_appid_data(client_id, nullptr, change_bits);
 set_payload_appid_data((AppId)payload_id, nullptr, change_bits);
@@ -425,7 +425,7 @@ void AppIdSession::examine_ssl_metadata(Packet* p, AppidChangeBits& change_bits)
 {
 size_t size = strlen(tls_str);
 if ((ret = ssl_scan_cname((const uint8_t*)tls_str, size,
- &client_id, &payload_id)))
+ client_id, payload_id)))
 {
 set_client_appid_data(client_id, nullptr, change_bits);
 set_payload_appid_data((AppId)payload_id, nullptr, change_bits);
@@ -437,7 +437,7 @@ void AppIdSession::examine_ssl_metadata(Packet* p, AppidChangeBits& change_bits)
 {
 size_t size = strlen(tls_str);
 if ((ret = ssl_scan_cname((const uint8_t*)tls_str, size,
- &client_id, &payload_id)))
+ client_id, payload_id)))
 {
 set_client_appid_data(client_id, nullptr, change_bits);
 set_payload_appid_data((AppId)payload_id, nullptr, change_bits);
diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.cc b/src/network_inspectors/appid/service_plugins/service_ssl.cc
index e6437135c..32b142d55 100644
--- a/src/network_inspectors/appid/service_plugins/service_ssl.cc
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.cc
@@ -975,7 +975,7 @@ bool is_service_over_ssl(AppId appId)
 }
 static int ssl_scan_patterns(SearchTool* matcher, const uint8_t* data, size_t size,
- AppId* ClientAppId, AppId* payloadId)
+ AppId& client_id, AppId& payload_id)
 {
 MatchedSSLPatterns* mp = nullptr;
 SSLCertPattern* best_match;
@@ -1014,13 +1014,13 @@ static int ssl_scan_patterns(SearchTool* matcher, const uint8_t* data, size_t si
 {
 /* type 0 means WEB APP */
 case 0:
- *ClientAppId = APP_ID_SSL_CLIENT;
- *payloadId = best_match->appId;
+ client_id = APP_ID_SSL_CLIENT;
+ payload_id = best_match->appId;
 break;
 /* type 1 means CLIENT */
 case 1:
- *ClientAppId = best_match->appId;
- *payloadId = 0;
+ client_id = best_match->appId;
+ payload_id = 0;
 break;
 default:
 return 0;
@@ -1029,16 +1029,16 @@ static int ssl_scan_patterns(SearchTool* matcher, const uint8_t* data, size_t si
 return 1;
 }
-int ssl_scan_hostname(const uint8_t* hostname, size_t size, AppId* ClientAppId, AppId* payloadId)
+int ssl_scan_hostname(const uint8_t* hostname, size_t size, AppId& client_id, AppId& payload_id)
 {
- return ssl_scan_patterns(service_ssl_config.ssl_host_matcher, hostname, size, ClientAppId,
- payloadId);
+ return ssl_scan_patterns(service_ssl_config.ssl_host_matcher, hostname, size, client_id,
+ payload_id);
 }
-int ssl_scan_cname(const uint8_t* common_name, size_t size, AppId* ClientAppId, AppId* payloadId)
+int ssl_scan_cname(const uint8_t* common_name, size_t size, AppId& client_id, AppId& payload_id)
 {
- return ssl_scan_patterns(service_ssl_config.ssl_cname_matcher, common_name, size, ClientAppId,
- payloadId);
+ return ssl_scan_patterns(service_ssl_config.ssl_cname_matcher, common_name, size, client_id,
+ payload_id);
 }
 void service_ssl_clean()
diff --git a/src/network_inspectors/appid/service_plugins/service_ssl.h b/src/network_inspectors/appid/service_plugins/service_ssl.h
index fad937107..31ab767c0 100644
--- a/src/network_inspectors/appid/service_plugins/service_ssl.h
+++ b/src/network_inspectors/appid/service_plugins/service_ssl.h
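Review bot: The `case 1` branch of `ssl_scan_patterns` still assigns the literal `payload_id = 0`, while the new caller `AppIdApi::ssl_app_group_id_lookup` decides whether to fall back to the session's payload id with `payload_id == APP_ID_NONE`; the two only line up if APP_ID_NONE is 0, which these hunks do not show. If 0 is meant as "no payload", `payload_id = APP_ID_NONE;` makes that explicit. Now that the outputs are references there is no `&` at the call sites to mark them as written, so a comment on `ssl_scan_patterns`, `ssl_scan_hostname` and `ssl_scan_cname` (hunk @@ -1029) saying when `client_id` and `payload_id` are modified would help. In the visible lines they are assigned only on the paths that reach `return 1`, but the function starts outside this hunk.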
@@ -38,8 +38,8 @@ AppId getSslServiceAppId(short srcPort);
 bool is_service_over_ssl(AppId);
 void service_ssl_clean();
 int ssl_detector_process_patterns();
-int ssl_scan_hostname(const uint8_t*, size_t, AppId*, AppId*);
-int ssl_scan_cname(const uint8_t*, size_t, AppId*, AppId*);
+int ssl_scan_hostname(const uint8_t*, size_t, AppId&, AppId&);
+int ssl_scan_cname(const uint8_t*, size_t, AppId&, AppId&);
 int ssl_add_cert_pattern(uint8_t*, size_t, uint8_t, AppId);
 int ssl_add_cname_pattern(uint8_t*, size_t, uint8_t, AppId);
 void ssl_detector_free_patterns();
diff --git a/src/network_inspectors/appid/test/appid_api_test.cc b/src/network_inspectors/appid/test/appid_api_test.cc
index 685de0dc5..61fdcb8d2 100644
--- a/src/network_inspectors/appid/test/appid_api_test.cc
+++ b/src/network_inspectors/appid/test/appid_api_test.cc
@@ -162,6 +162,31 @@ TEST(appid_api, produce_ha_state)
 */
 }
+TEST(appid_api, ssl_app_group_id_lookup)
+{
+ AppId service, client, payload = APP_ID_NONE;
+ bool val = false;
+ mock_session->common.flow_type = APPID_FLOW_TYPE_IGNORE;
+ val = appid_api.ssl_app_group_id_lookup(flow, nullptr, nullptr, service, client, payload);
+ CHECK_TRUE(!val);
+ CHECK_EQUAL(service, APP_ID_NONE);
+ CHECK_EQUAL(client, APP_ID_NONE);
+ CHECK_EQUAL(payload, APP_ID_NONE);
+ mock_session->common.flow_type = APPID_FLOW_TYPE_NORMAL;
+ val = appid_api.ssl_app_group_id_lookup(flow, nullptr, nullptr, service, client, payload);
+ CHECK_TRUE(val);
+ CHECK_EQUAL(service, APPID_UT_ID);
+ CHECK_EQUAL(client, APPID_UT_ID);
+ CHECK_EQUAL(payload, APPID_UT_ID);
+ service = APP_ID_NONE;
+ client = APP_ID_NONE;
+ payload = APP_ID_NONE;
+ val = appid_api.ssl_app_group_id_lookup(flow, (const char*)APPID_UT_TLS_HOST, (const char*)APPID_UT_TLS_HOST, service, client, payload);
+ CHECK_TRUE(val);
+ CHECK_EQUAL(client, APPID_UT_ID + 1);
+ CHECK_EQUAL(payload, APPID_UT_ID + 1);
+}
+
 TEST(appid_api, create_appid_session_api)
 {
 AppIdSessionApi* appid_session_api = appid_api.create_appid_session_api(*flow);
diff --git a/src/network_inspectors/appid/test/appid_mock_session.h b/src/network_inspectors/appid/test/appid_mock_session.h
index 67ac6f9c6..16d85b69d 100644
--- a/src/network_inspectors/appid/test/appid_mock_session.h
+++ b/src/network_inspectors/appid/test/appid_mock_session.h
@@ -263,5 +263,17 @@ bool AppIdSession::is_tp_appid_available() const
 return true;
 }
+int ssl_scan_hostname(const uint8_t*, size_t, AppId& client_id, AppId&)
+{
+ client_id = APPID_UT_ID + 1;
+ return 1;
+}
+
+int ssl_scan_cname(const uint8_t*, size_t, AppId&, AppId& payload_id)
+{
+ payload_id = APPID_UT_ID + 1;
+ return 1;
+}
+
 #endif
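Review bot: In the new test in appid_api_test.cc, `AppId service, client, payload = APP_ID_NONE;` initialises only `payload`. The test passes because the lookup assigns all three outputs before they are read, but `AppId service = APP_ID_NONE, client = APP_ID_NONE, payload = APP_ID_NONE;` states what was meant. The test also never calls the lookup with a null `flow` or with only one of the two names set, so the `if (flow and ...)` guard and the separate null checks on `server_name` and `common_name` are not exercised.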
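Review bot: The mocked `ssl_scan_hostname` in appid_mock_session.h writes only `client_id` and the mocked `ssl_scan_cname` writes only `payload_id`, whereas `ssl_scan_patterns` in service_ssl.cc assigns both outputs on every match. With these mocks the test in appid_api_test.cc cannot observe a hostname match replacing the ids found by the common-name scan, so the precedence between the two scans is untested. Having each mock set both references, to `APPID_UT_ID + 1` in one and `APPID_UT_ID + 2` in the other, would pin which result the API returns.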