diff options
Diffstat (limited to 'framework/src/suricata/src/app-layer-tls-handshake.c')
-rw-r--r-- | framework/src/suricata/src/app-layer-tls-handshake.c | 204 |
1 files changed, 204 insertions, 0 deletions
diff --git a/framework/src/suricata/src/app-layer-tls-handshake.c b/framework/src/suricata/src/app-layer-tls-handshake.c new file mode 100644 index 00000000..ca2e7f49 --- /dev/null +++ b/framework/src/suricata/src/app-layer-tls-handshake.c @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2011-2012 ANSSI + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr> + * + * \brief Decode TLS Handshake messages, as described in RFC2246 + * + */ + +#include "suricata-common.h" +#include "debug.h" +#include "decode.h" + +#include "app-layer-parser.h" +#include "decode-events.h" + +#include "app-layer-ssl.h" + +#include "app-layer-tls-handshake.h" + +#include <stdint.h> + +#include "util-decode-der.h" +#include "util-decode-der-get.h" + +#include "util-crypt.h" + +#define SSLV3_RECORD_LEN 5 + +static void TLSCertificateErrCodeToWarning(SSLState *ssl_state, uint32_t errcode) +{ + if (errcode == 0) + return; + + switch (errcode) { + case ERR_DER_ELEMENT_SIZE_TOO_BIG: + case ERR_DER_INVALID_SIZE: + AppLayerDecoderEventsSetEvent(ssl_state->f, + TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH); + break; + case ERR_DER_UNSUPPORTED_STRING: + AppLayerDecoderEventsSetEvent(ssl_state->f, + TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING); + break; + case ERR_DER_UNKNOWN_ELEMENT: + AppLayerDecoderEventsSetEvent(ssl_state->f, + TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT); + break; + case ERR_DER_MISSING_ELEMENT: + AppLayerDecoderEventsSetEvent(ssl_state->f, + TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT); + break; + case ERR_DER_GENERIC: + default: + AppLayerDecoderEventsSetEvent(ssl_state->f, + TLS_DECODER_EVENT_INVALID_CERTIFICATE); + break; + }; +} + +int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len) +{ + uint32_t certificates_length, cur_cert_length; + int i; + Asn1Generic *cert; + char buffer[256]; + int rc; + int parsed; + uint8_t *start_data; + uint32_t errcode = 0; + + if (input_len < 3) + return 1; + + certificates_length = input[0]<<16 | input[1]<<8 | input[2]; + /* check if the message is complete */ + if (input_len < certificates_length + 3) + return 0; + + start_data = input; + input += 3; + parsed = 3; + + i = 0; + while (certificates_length > 0) { + cur_cert_length = input[0]<<16 | input[1]<<8 | input[2]; + input += 3; + parsed += 3; + + if (input - start_data + cur_cert_length > input_len) { + AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE); + return -1; + } + cert = DecodeDer(input, cur_cert_length, &errcode); + if (cert == NULL) { + TLSCertificateErrCodeToWarning(ssl_state, errcode); + } + if (cert != NULL) { + rc = Asn1DerGetSubjectDN(cert, buffer, sizeof(buffer), &errcode); + if (rc != 0) { + TLSCertificateErrCodeToWarning(ssl_state, errcode); + } else { + SSLCertsChain *ncert; + //SCLogInfo("TLS Cert %d: %s\n", i, buffer); + if (i == 0) { + if (ssl_state->server_connp.cert0_subject == NULL) + ssl_state->server_connp.cert0_subject = SCStrdup(buffer); + if (ssl_state->server_connp.cert0_subject == NULL) { + DerFree(cert); + return -1; + } + } + ncert = (SSLCertsChain *)SCMalloc(sizeof(SSLCertsChain)); + if (ncert == NULL) { + DerFree(cert); + return -1; + } + memset(ncert, 0, sizeof(*ncert)); + ncert->cert_data = input; + ncert->cert_len = cur_cert_length; + TAILQ_INSERT_TAIL(&ssl_state->server_connp.certs, ncert, next); + } + rc = Asn1DerGetIssuerDN(cert, buffer, sizeof(buffer), &errcode); + if (rc != 0) { + TLSCertificateErrCodeToWarning(ssl_state, errcode); + } else { + //SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer); + if (i == 0) { + if (ssl_state->server_connp.cert0_issuerdn == NULL) + ssl_state->server_connp.cert0_issuerdn = SCStrdup(buffer); + if (ssl_state->server_connp.cert0_issuerdn == NULL) { + DerFree(cert); + return -1; + } + } + } + DerFree(cert); + + if (i == 0 && ssl_state->server_connp.cert0_fingerprint == NULL) { + int msg_len = cur_cert_length; + int hash_len = 20; + int out_len = 60; + char out[out_len]; + unsigned char *hash; + hash = ComputeSHA1((unsigned char *) input, (int) msg_len); + char *p = out; + int j = 0; + + if (hash == NULL) { + SCLogWarning(SC_ERR_MEM_ALLOC, "Can not allocate fingerprint string"); + } else { + for (j = 0; j < hash_len; j++, p += 3) { + snprintf(p, 4, j == hash_len - 1 ? "%02x" : "%02x:", hash[j]); + } + SCFree(hash); + ssl_state->server_connp.cert0_fingerprint = SCStrdup(out); + if (ssl_state->server_connp.cert0_fingerprint == NULL) { + SCLogWarning(SC_ERR_MEM_ALLOC, "Can not allocate fingerprint string"); + } + } + + ssl_state->server_connp.cert_input = input; + ssl_state->server_connp.cert_input_len = cur_cert_length; + } + + } + + i++; + certificates_length -= (cur_cert_length + 3); + parsed += cur_cert_length; + input += cur_cert_length; + } + + return parsed; + +} + |