ssl parser fix/updates

Anoop Saldanha 13 years ago committed by Victor Julien
parent edb48c1557
commit 270ea253a2


@ -75,14 +75,7 @@ enum {
TLS_VERSION_12 = 0x0303,
};
/**
* \brief SSLv[2.0|3.[0|1|2|3]] state structure.
*
* Structure to store the SSL state values.
*/
typedef struct SSLState_ {
Flow *f;
typedef struct SSLStateConnp_ {
/* record length */
uint32_t record_length;
/* record length's length for SSLv2 */
@ -92,34 +85,18 @@ typedef struct SSLState_ {
uint32_t message_start;
uint32_t message_length;
/* holds some state flags we need */
uint32_t flags;
uint16_t client_version;
uint16_t server_version;
uint8_t client_content_type;
uint8_t server_content_type;
/* dummy var. You can replace this if you want to */
uint8_t pad0;
uint16_t version;
uint8_t content_type;
uint8_t cur_content_type;
uint8_t handshake_type;
uint32_t handshake_length;
uint16_t handshake_client_hello_ssl_version;
uint16_t handshake_server_hello_ssl_version;
/* the no of bytes processed in the currently parsed record */
uint16_t bytes_processed;
uint16_t cur_ssl_version;
uint8_t handshake_type;
/* sslv2 client hello session id length */
uint16_t session_id_length;
/* the ciphersuite, chosen by the server */
uint16_t ciphersuite;
uint8_t compressionmethod;
char *cert0_subject;
char *cert0_issuerdn;
@ -128,6 +105,23 @@ typedef struct SSLState_ {
uint8_t *trec;
uint16_t trec_len;
uint16_t trec_pos;
} SSLStateConnp;
/**
* \brief SSLv[2.0|3.[0|1|2|3]] state structure.
*
* Structure to store the SSL state values.
*/
typedef struct SSLState_ {
Flow *f;
/* holds some state flags we need */
uint32_t flags;
SSLStateConnp *curr_connp;
SSLStateConnp client_connp;
SSLStateConnp server_connp;
} SSLState;
void RegisterSSLParsers(void);
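Review bot: The new `SSLStateConnp` typedef at the top of the second hunk carries no doc comment, while the `SSLState` comment it was split from is carried over unchanged below it, so a reader now sees two structs and no statement of how they relate. I would add above `typedef struct SSLStateConnp_ {` a comment such as `/** \brief Per-direction SSL/TLS state; one instance each for the client and server side of a flow. */` and, on `curr_connp`, a note that it presumably points at whichever of `client_connp`/`server_connp` the current direction selects — confirm against the parser, whose diff is suppressed on this page. Because `cert0_subject` and `cert0_issuerdn` are now held per direction and are heap strings (the handshake file fills them with SCStrdup), the state free routine in the suppressed app-layer-ssl.c diff must release both copies, which is worth checking since the old layout had a single pair.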

@ -78,44 +78,6 @@ static void TLSCertificateErrCodeToWarning(SSLState *ssl_state, uint32_t errcode
};
}
int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
{
uint32_t version, length, ciphersuite;
uint8_t compressionmethod;
if (input_len < 40)
return -1;
version = input[0]<<8 | input[1];
ssl_state->handshake_server_hello_ssl_version = version;
input += 2;
input_len -= 2;
/* skip the random field */
input += 32;
/* skip the session ID */
length = input[0];
input += 1 + length;
ciphersuite = input[0]<<8 | input[1];
ssl_state->ciphersuite = ciphersuite;
input += 2;
compressionmethod = input[0];
ssl_state->compressionmethod = compressionmethod;
input += 1;
/* extensions (like renegotiation) */
SCLogDebug("TLS Handshake Version %.4x Cipher %d Compression %d\n", version, ciphersuite, compressionmethod);
return ssl_state->message_length;
}
int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
{
uint32_t certificates_length, cur_cert_length;
@ -160,8 +122,8 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
} else {
//SCLogInfo("TLS Cert %d: %s\n", i, buffer);
if (i==0) {
ssl_state->cert0_subject = SCStrdup(buffer);
if (ssl_state->cert0_subject == NULL) {
ssl_state->curr_connp->cert0_subject = SCStrdup(buffer);
if (ssl_state->curr_connp->cert0_subject == NULL) {
DerFree(cert);
return -1;
}
@ -173,8 +135,8 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
} else {
//SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer);
if (i==0) {
ssl_state->cert0_issuerdn = SCStrdup(buffer);
if (ssl_state->cert0_issuerdn == NULL) {
ssl_state->curr_connp->cert0_issuerdn = SCStrdup(buffer);
if (ssl_state->curr_connp->cert0_issuerdn == NULL) {
DerFree(cert);
return -1;
}
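Review bot: The new assignment `ssl_state->curr_connp->cert0_subject = SCStrdup(buffer);` (and its issuerdn twin in the next hunk) dereferences `curr_connp` without a NULL check and overwrites whatever the field already held, so a second Certificate message in the same direction would leak the earlier string; the old single-field code had the same leak, which this commit does not address. I would release the previous value first, `if (ssl_state->curr_connp->cert0_subject != NULL) SCFree(ssl_state->curr_connp->cert0_subject);`, and document at the top of DecodeTLSHandshakeServerCertificate that the caller must have set `curr_connp` before entry. Where `curr_connp` is assigned lives in the suppressed app-layer-ssl.c diff, so whether it can be NULL here is not visible on this page. DecodeTLSHandshakeServerCertificate begins in the first hunk and its body continues outside these hunks.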

@ -35,7 +35,6 @@
#ifndef __APP_LAYER_TLS_HANDSHAKE_H__
#define __APP_LAYER_TLS_HANDSHAKE_H__
int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
#endif /* __APP_LAYER_TLS_HANDSHAKE_H__ */

@ -134,12 +134,12 @@ int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
if (flags & STREAM_TOCLIENT) {
SCLogDebug("server (toclient) version is 0x%02X",
app_state->server_version);
ver = app_state->server_version;
app_state->server_connp.version);
ver = app_state->server_connp.version;
} else if (flags & STREAM_TOSERVER) {
SCLogDebug("client (toserver) version is 0x%02X",
app_state->client_version);
ver = app_state->client_version;
app_state->client_connp.ersion);
ver = app_state->client_connp.version;
}
FLOWLOCK_UNLOCK(f);
@ -482,18 +482,18 @@ static int DetectSslVersionTestDetect01(void)
goto end;
}
if (app_state->client_content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_content_type);
if (app_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type);
goto end;
}
if (app_state->client_version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_version);
if (app_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version);
goto end;
}
SCLogDebug("app_state is at %p, app_state->server_version 0x%02X app_state->client_version 0x%02X",
app_state, app_state->server_version, app_state->client_version);
SCLogDebug("app_state is at %p, app_state->server_connp.version 0x%02X app_state->client_connp.version 0x%02X",
app_state, app_state->server_connp.version, app_state->client_connp.version);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
@ -597,13 +597,13 @@ static int DetectSslVersionTestDetect02(void)
goto end;
}
if (app_state->client_content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_content_type);
if (app_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type);
goto end;
}
if (app_state->client_version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_version);
if (app_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version);
goto end;
}
@ -722,13 +722,13 @@ static int DetectSslVersionTestDetect03(void)
goto end;
}
if (app_state->client_content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_content_type);
if (app_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type);
goto end;
}
if (app_state->client_version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_version);
if (app_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version);
goto end;
}
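Review bot: The new SCLogDebug argument in the first hunk reads `app_state->client_connp.ersion);` — if that is the committed text rather than a rendering artifact it will not compile in a debug build, and it presumably goes unnoticed only because SCLogDebug is compiled out otherwise; it should read `app_state->client_connp.version);`. The three unit-test hunks below only rename fields and look consistent with the new struct. DetectSslVersionMatch starts and ends outside the hunk.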

@ -127,11 +127,11 @@ int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *
if (flags & STREAM_TOCLIENT) {
SCLogDebug("server (toclient) version is 0x%02X", ssl_state->server_version);
if (tls_data->ver == ssl_state->server_version)
if (tls_data->ver == ssl_state->server_connp.version)
ret = 1;
} else if (flags & STREAM_TOSERVER) {
SCLogDebug("client (toserver) version is 0x%02X", ssl_state->client_version);
if (tls_data->ver == ssl_state->client_version)
if (tls_data->ver == ssl_state->client_connp.version)
ret = 1;
}
FLOWLOCK_UNLOCK(f);
@ -387,18 +387,22 @@ static int DetectTlsVersionTestDetect01(void) {
goto end;
}
if (ssl_state->client_content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, ssl_state->client_content_type);
if (ssl_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
0x16, ssl_state->client_connp.content_type);
goto end;
}
if (ssl_state->client_version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, ssl_state->client_version);
if (ssl_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
TLS_VERSION_10, ssl_state->client_connp.version);
goto end;
}
SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X ssl_state->client_version 0x%02X",
ssl_state, ssl_state->server_version, ssl_state->client_version);
SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X "
"ssl_state->client_version 0x%02X",
ssl_state, ssl_state->server_connp.version,
ssl_state->client_connp.version);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
@ -500,13 +504,15 @@ static int DetectTlsVersionTestDetect02(void) {
goto end;
}
if (ssl_state->client_content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, ssl_state->client_content_type);
if (ssl_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
0x16, ssl_state->client_connp.content_type);
goto end;
}
if (ssl_state->client_version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, ssl_state->client_version);
if (ssl_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
TLS_VERSION_10, ssl_state->client_connp.version);
goto end;
}
@ -626,13 +632,15 @@ static int DetectTlsVersionTestDetect03(void) {
goto end;
}
if (ssl_state->client_content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, ssl_state->client_content_type);
if (ssl_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
0x16, ssl_state->client_connp.content_type);
goto end;
}
if (ssl_state->client_version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, ssl_state->client_version);
if (ssl_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
TLS_VERSION_10, ssl_state->client_connp.version);
goto end;
}
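Review bot: The two SCLogDebug calls left as context in the first hunk, `SCLogDebug("server (toclient) version is 0x%02X", ssl_state->server_version);` and its client twin, still reference the `server_version`/`client_version` members this commit removes from `SSLState`, while only the comparison lines beneath them were updated; a debug build would presumably fail to compile here, and in a normal build the stale references simply hide. They should become `ssl_state->server_connp.version` and `ssl_state->client_connp.version`, as the rewritten SCLogDebug in DetectTlsVersionTestDetect01 further down already does. DetectTlsVersionMatch starts and ends outside the hunk.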

@ -168,10 +168,19 @@ static int DetectTlsSubjectMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
} else {
ret = 0;
}
if (ssl_state->cert0_subject != NULL) {
SCLogDebug("TLS: Subject is [%s], looking for [%s]\n", ssl_state->cert0_subject, tls_data->subject);
if (strstr(ssl_state->cert0_subject, tls_data->subject) != NULL) {
SSLStateConnp *connp = NULL;
if (flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
if (connp->cert0_subject != NULL) {
SCLogDebug("TLS: Subject is [%s], looking for [%s]\n",
connp->cert0_subject, tls_data->subject);
if (strstr(connp->cert0_subject, tls_data->subject) != NULL) {
if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 0;
} else {
@ -362,10 +371,19 @@ static int DetectTlsIssuerDNMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
} else {
ret = 0;
}
if (ssl_state->cert0_issuerdn != NULL) {
SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n", ssl_state->cert0_issuerdn, tls_data->issuerdn);
if (strstr(ssl_state->cert0_issuerdn, tls_data->issuerdn) != NULL) {
SSLStateConnp *connp = NULL;
if (flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
if (connp->cert0_issuerdn != NULL) {
SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n",
connp->cert0_issuerdn, tls_data->issuerdn);
if (strstr(connp->cert0_issuerdn, tls_data->issuerdn) != NULL) {
if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 0;
} else {
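Review bot: The new direction selection in DetectTlsSubjectMatch reads `client_connp` when the packet is TOSERVER and `server_connp` otherwise, but the handshake code stores certificate strings into `curr_connp` when the Certificate message is decoded, so the server's certificate presumably lives only in `server_connp`; a rule evaluated on a toserver packet then inspects `client_connp->cert0_subject`, which is NULL unless the client sent a certificate, whereas the old single-field code matched regardless of direction. If matching the server certificate from either direction is still intended, the selection should fall back to `server_connp` when the chosen side has no subject; if the narrower semantics are deliberate, that deserves a comment above `SSLStateConnp *connp = NULL;`. The same block is duplicated verbatim in DetectTlsIssuerDNMatch in the next hunk and could be one static helper taking `ssl_state` and `flags`. Both enclosing functions start and end outside their hunks.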
