From b50d05faceb76d29f1b34e62e57e92a496620c40 Mon Sep 17 00:00:00 2001
From: liuxueli
Date: Tue, 11 Jul 2023 14:59:31 +0800
Subject: [PATCH] =?UTF-8?q?TSG-15779:=20app=5Ffull=5Fpath=E4=B8=AD?= =?UTF-8?q?=E5=8C=85=E5=90=ABESNI=E5=92=8CECH?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/tsg_entry.cpp | 68 +++++++++++++++++++-----
 test/bin/gtest_maat.json | 2 +
 test/src/gtest_master.cpp | 109 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 165 insertions(+), 14 deletions(-)

diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index c910edc..ac0e81b 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -967,7 +967,20 @@ int session_application_metrics_update(const struct streaminfo *a_stream, struct return 1; } -int session_app_gather_results_set_l7_protocol(const struct streaminfo *a_stream, enum TSG_PROTOCOL protocol) +static int check_app_id(unsigned int *new_app_id, int n_new_app_id, unsigned int old_app_id) +{ + for(int j=0; jl7_protocol_num>0) + int not_combined_flag=0; + for(int i=0; il7_protocol_num; i++) { - return 0; + not_combined_flag=check_app_id(app_id, n_app_id, gather_result->l7_protocol[i].app_id); + if(not_combined_flag==1) + { + break; + } + } + + struct app_attributes *l7_protocol=(struct app_attributes *)dictator_malloc(a_stream->threadnum, sizeof(struct app_attributes)*n_app_id); + for(int i=0; il7_protocol_num>0) + { + l7_protocol=(struct app_attributes *)dictator_realloc(a_stream->threadnum, l7_protocol, sizeof(struct app_attributes)*(n_app_id+gather_result->l7_protocol_num)); + memcpy((void *)(l7_protocol+n_app_id), (void *)gather_result->l7_protocol, sizeof(struct app_attributes)*gather_result->l7_protocol_num); + gather_result->l7_protocol_num+=n_app_id; + } + else + { + gather_result->l7_protocol_num=n_app_id; + } + + if(gather_result->l7_protocol!=NULL) + { + dictator_free(a_stream->threadnum, gather_result->l7_protocol); } - int app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name, g_tsg_proto_name2id[protocol].len); - if(app_id>0) - { - gather_result->l7_protocol_num=1; - gather_result->l7_protocol=(struct app_attributes *)dictator_malloc(a_stream->threadnum, sizeof(struct app_attributes)); - gather_result->l7_protocol->app_id=app_id; - gather_result->l7_protocol->surrogate_id=0; - gather_result->l7_protocol->packet_sequence=get_packet_sequence(a_stream); - } + gather_result->l7_protocol=l7_protocol; return 0; } 
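Review bot: The rewritten session_app_gather_results_set_l7_protocol uses the results of `dictator_malloc` and `dictator_realloc` without a NULL check and assigns the realloc result straight back to `l7_protocol`, so a failed grow would lose the first buffer and hand `memcpy` a destination derived from NULL. Unless the dictator_* allocators are documented to abort on failure (not visible here), I would size the array once as `n_app_id+gather_result->l7_protocol_num`, allocate a single time, and bail out with `if(l7_protocol==NULL) { return -1; }` before any write. `n_app_id` is a signed int that is multiplied into the allocation size unchecked, so a guard such as `if(app_id==NULL || n_app_id<=0) { return 0; }` at the top would keep a zero or negative count out of the size arithmetic. The same unchecked allocation precedes the `memcpy` into `ja3_fingerprint` in the @@ -2016 hunk. Part of this hunk's text is missing on this page, so a guard in the lost lines cannot be ruled out.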
@@ -2004,7 +2038,9 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess int ret=session_l7_protocol_identify(a_stream, srt_process_context, a_packet); if(ret==1) { - session_app_gather_results_set_l7_protocol(a_stream, srt_process_context->proto); + int n_offset=0; + unsigned int app_id[4]={0,0,0,0}; + app_id[n_offset++]=tsg_l7_protocol_name2id(g_tsg_proto_name2id[srt_process_context->proto].name, g_tsg_proto_name2id[srt_process_context->proto].len); srt_process_context->is_app_link=FLAG_TRUE; srt_attribute_set_protocol(a_stream, srt_process_context->proto); @@ -2016,8 +2052,8 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess if(ja3_info->fp!=NULL && ja3_info->fp_len>0) { char *ja3_fingerprint=(char *)dictator_malloc(a_stream->threadnum, ja3_info->fp_len+1); - memset(ja3_fingerprint, 0, ja3_info->fp_len+1); memcpy(ja3_fingerprint, ja3_info->fp, ja3_info->fp_len); + ja3_fingerprint[ja3_info->fp_len]='\0'; srt_attribute_set_ja3_fingprint(a_stream, ja3_fingerprint); } } @@ -2031,12 +2067,14 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess if(srt_process_context->is_esni) { unsigned int protocol_id=tsg_l7_protocol_name2id("ESNI", 4); + app_id[n_offset++]=protocol_id; matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); } if(srt_process_context->is_ech) { unsigned int protocol_id=tsg_l7_protocol_name2id("ECH", 3); + app_id[n_offset++]=protocol_id; matched_cnt+=tsg_scan_app_id_policy(a_stream, g_tsg_maat_feather, protocol_id, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); } 
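Review bot: The `if(app_id>0)` guard that the removed code applied to the result of `tsg_l7_protocol_name2id` does not appear on the new path: the lookup result is stored directly with `app_id[n_offset++]=tsg_l7_protocol_name2id(...)`, and the ESNI and ECH ids in the @@ -2031 hunk are appended the same way. If the lookup can return 0 or a negative value for a name missing from the table, that value lands in an `unsigned int` slot and may be recorded as an application id for the session; whether the callee filters it cannot be seen from this page. I would keep the guard at each append, e.g. `int id=tsg_l7_protocol_name2id(...); if(id>0) { app_id[n_offset++]=(unsigned int)id; }`. The capacity `4` is a bare literal and nothing bounds `n_offset`; three appends fit today, but a named constant and a bound check before each append would keep a later addition from writing past the array. session_pending_state_deal starts and ends outside these hunks.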
@@ -2045,6 +2083,8 @@ size_t session_pending_state_deal(const struct streaminfo *a_stream, struct sess table_idx=tsg_http_url_table_idx_get(); matched_cnt+=tsg_scan_shared_policy(a_stream, g_tsg_maat_feather, srt_process_context->http_url, table_idx, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); } + + session_app_gather_results_set_l7_protocol(a_stream, app_id, n_offset); } ret=tsg_scan_nesting_addr(a_stream, g_tsg_maat_feather, srt_process_context->proto, (srt_process_context->mid), matched_rules+matched_cnt, n_matched_rules-matched_cnt); diff --git a/test/bin/gtest_maat.json b/test/bin/gtest_maat.json index 295d1cf..c2c3833 100644 --- a/test/bin/gtest_maat.json +++ b/test/bin/gtest_maat.json @@ -2312,6 +2312,8 @@ "68\thttps\t0\tnull\tnetworking\tinfrastructure\tnetwork-protocol\t3\tused-by-malware,vulnerability,widely-used\tnull\tnull\t{\"method\":\"rate_limit\",\"bps\":1000}\t0\t0\t0\t0\t0\t1", "4\tunknown\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "199\tssl\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", + "8008\tSSL\\bwith\\bESNI\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", + "8173\tSSL\\bwith\\bECH\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "2521\tquic\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "240\tyoutube\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", "15009\tuser_define_youtube\t0\tnull\tcategory\tsubcategory\ttechnology\trisk\tcharacteristics\tnull\tnull\tnull\t1\t3600\t3600\t1800\t1800\t1", diff --git a/test/src/gtest_master.cpp b/test/src/gtest_master.cpp index 91a59a9..e7499d1 100644 
--- a/test/src/gtest_master.cpp
+++ b/test/src/gtest_master.cpp
@@ -1010,6 +1010,115 @@ TEST(TSGMaster, SessionApplicationMetrics) } +extern int session_app_gather_results_set_l7_protocol(const struct streaminfo *a_stream, unsigned int *app_id, int n_app_id); +TEST(TSGMaster, SessionApplicationFullPathTSG15779_HTTP) +{ + const struct streaminfo a_stream={0}; + char out_full_path[256]={0}; + int out_full_path_len=sizeof(out_full_path); + struct gather_app_result *gather_result=(struct gather_app_result *)calloc(1, sizeof(struct gather_app_result)); + + gather_result->l7_protocol_num=1; + gather_result->l7_protocol=(struct app_attributes *)calloc(1, sizeof(struct app_attributes)); + gather_result->l7_protocol->app_id=67; + gather_result->l7_protocol->surrogate_id=0; + gather_result->l7_protocol->packet_sequence=4; + session_gather_app_results_async(&a_stream, (void *)gather_result); + + int n_app_id=1; + unsigned int app_id[1]={67}; + session_app_gather_results_set_l7_protocol(&a_stream, app_id, n_app_id); + + session_application_full_path_update(&a_stream, out_full_path, out_full_path_len); + EXPECT_STREQ("http", out_full_path); + + free(gather_result->l7_protocol); + free(gather_result->qm_engine); + free(gather_result); + session_gather_app_results_async(&a_stream, NULL); +} + +TEST(TSGMaster, SessionApplicationFullPathTSG15779_SSL) +{ + const struct streaminfo a_stream={0}; + char out_full_path[256]={0}; + int out_full_path_len=sizeof(out_full_path); + struct gather_app_result *gather_result=(struct gather_app_result *)calloc(1, sizeof(struct gather_app_result)); + + gather_result->l7_protocol_num=1; + gather_result->l7_protocol=(struct app_attributes *)calloc(1, sizeof(struct app_attributes)); + gather_result->l7_protocol->app_id=68; + gather_result->l7_protocol->surrogate_id=0; + gather_result->l7_protocol->packet_sequence=4; + session_gather_app_results_async(&a_stream, (void *)gather_result); + + int n_app_id=1; + unsigned int app_id[1]={199}; + session_app_gather_results_set_l7_protocol(&a_stream, app_id, n_app_id); + + 
session_application_full_path_update(&a_stream, out_full_path, out_full_path_len); + EXPECT_STREQ("ssl.https", out_full_path); + + free(gather_result->l7_protocol); + free(gather_result->qm_engine); + free(gather_result); + session_gather_app_results_async(&a_stream, NULL); +} + +TEST(TSGMaster, SessionApplicationFullPathTSG15779_ECH) +{ + const struct streaminfo a_stream={0}; + char out_full_path[256]={0}; + int out_full_path_len=sizeof(out_full_path); + struct gather_app_result *gather_result=(struct gather_app_result *)calloc(1, sizeof(struct gather_app_result)); + + gather_result->l7_protocol_num=1; + gather_result->l7_protocol=(struct app_attributes *)calloc(1, sizeof(struct app_attributes)); + gather_result->l7_protocol->app_id=68; + gather_result->l7_protocol->surrogate_id=0; + gather_result->l7_protocol->packet_sequence=4; + session_gather_app_results_async(&a_stream, (void *)gather_result); + + int n_app_id=2; + unsigned int app_id[2]={199, 8173}; + session_app_gather_results_set_l7_protocol(&a_stream, app_id, n_app_id); + + session_application_full_path_update(&a_stream, out_full_path, out_full_path_len); + EXPECT_STREQ("ssl.SSL with ECH.https", out_full_path); + + free(gather_result->l7_protocol); + free(gather_result->qm_engine); + free(gather_result); + session_gather_app_results_async(&a_stream, NULL); +} + +TEST(TSGMaster, SessionApplicationFullPathTSG15779_ESNI) +{ + const struct streaminfo a_stream={0}; + char out_full_path[256]={0}; + int out_full_path_len=sizeof(out_full_path); + struct gather_app_result *gather_result=(struct gather_app_result *)calloc(1, sizeof(struct gather_app_result)); + + gather_result->l7_protocol_num=1; + gather_result->l7_protocol=(struct app_attributes *)calloc(1, sizeof(struct app_attributes)); + gather_result->l7_protocol->app_id=68; + gather_result->l7_protocol->surrogate_id=0; + gather_result->l7_protocol->packet_sequence=4; + session_gather_app_results_async(&a_stream, (void *)gather_result); + + int n_app_id=2; + 
unsigned int app_id[2]={199, 8008}; + session_app_gather_results_set_l7_protocol(&a_stream, app_id, n_app_id); + + session_application_full_path_update(&a_stream, out_full_path, out_full_path_len); + EXPECT_STREQ("ssl.SSL with ESNI.https", out_full_path); + + free(gather_result->l7_protocol); + free(gather_result->qm_engine); + free(gather_result); + session_gather_app_results_async(&a_stream, NULL); +} + extern int session_application_full_path_update(const struct streaminfo *a_stream, char *app_full_path, int app_full_path_len); TEST(TSGMaster, SessionApplicationFullPathTSG15999)