ssl parser fix/updates

Anoop Saldanha 13 years ago committed by Victor Julien
parent edb48c1557
commit 270ea253a2


@ -75,14 +75,7 @@ enum {
TLS_VERSION_12 = 0x0303, TLS_VERSION_12 = 0x0303,
}; };
/** typedef struct SSLStateConnp_ {
* \brief SSLv[2.0|3.[0|1|2|3]] state structure.
*
* Structure to store the SSL state values.
*/
typedef struct SSLState_ {
Flow *f;
/* record length */ /* record length */
uint32_t record_length; uint32_t record_length;
/* record length's length for SSLv2 */ /* record length's length for SSLv2 */
@ -92,34 +85,18 @@ typedef struct SSLState_ {
uint32_t message_start; uint32_t message_start;
uint32_t message_length; uint32_t message_length;
/* holds some state flags we need */ uint16_t version;
uint32_t flags; uint8_t content_type;
uint16_t client_version;
uint16_t server_version;
uint8_t client_content_type;
uint8_t server_content_type;
/* dummy var. You can replace this if you want to */
uint8_t pad0;
uint8_t cur_content_type; uint8_t handshake_type;
uint32_t handshake_length; uint32_t handshake_length;
uint16_t handshake_client_hello_ssl_version;
uint16_t handshake_server_hello_ssl_version;
/* the no of bytes processed in the currently parsed record */ /* the no of bytes processed in the currently parsed record */
uint16_t bytes_processed; uint16_t bytes_processed;
uint16_t cur_ssl_version;
uint8_t handshake_type;
/* sslv2 client hello session id length */ /* sslv2 client hello session id length */
uint16_t session_id_length; uint16_t session_id_length;
/* the ciphersuite, chosen by the server */
uint16_t ciphersuite;
uint8_t compressionmethod;
char *cert0_subject; char *cert0_subject;
char *cert0_issuerdn; char *cert0_issuerdn;
@ -128,6 +105,23 @@ typedef struct SSLState_ {
uint8_t *trec; uint8_t *trec;
uint16_t trec_len; uint16_t trec_len;
uint16_t trec_pos; uint16_t trec_pos;
} SSLStateConnp;
/**
* \brief SSLv[2.0|3.[0|1|2|3]] state structure.
*
* Structure to store the SSL state values.
*/
typedef struct SSLState_ {
Flow *f;
/* holds some state flags we need */
uint32_t flags;
SSLStateConnp *curr_connp;
SSLStateConnp client_connp;
SSLStateConnp server_connp;
} SSLState; } SSLState;
void RegisterSSLParsers(void); void RegisterSSLParsers(void);
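Review bot: The new `SSLStateConnp` type lands without any documentation — the `\brief SSLv[2.0|3.[0|1|2|3]] state structure` block stays with `SSLState`, and the fields that moved into it (`version`, `content_type`) and the new `curr_connp` pointer carry no comment saying which direction or record they describe. I would add above `typedef struct SSLStateConnp_ {` a comment such as `/** \brief Per-direction SSL/TLS parsing state; SSLState holds one for the client and one for the server side. */`, and on `curr_connp` something like `/* points at client_connp or server_connp for the direction being parsed — confirm against the (suppressed) app-layer-ssl.c change */`, since the code that assigns it is not visible on this page. The `version`/`content_type` fields would similarly benefit from `/* version and content type of the last record seen in this direction */` if that is indeed their meaning.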

@ -78,44 +78,6 @@ static void TLSCertificateErrCodeToWarning(SSLState *ssl_state, uint32_t errcode
}; };
} }
int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
{
uint32_t version, length, ciphersuite;
uint8_t compressionmethod;
if (input_len < 40)
return -1;
version = input[0]<<8 | input[1];
ssl_state->handshake_server_hello_ssl_version = version;
input += 2;
input_len -= 2;
/* skip the random field */
input += 32;
/* skip the session ID */
length = input[0];
input += 1 + length;
ciphersuite = input[0]<<8 | input[1];
ssl_state->ciphersuite = ciphersuite;
input += 2;
compressionmethod = input[0];
ssl_state->compressionmethod = compressionmethod;
input += 1;
/* extensions (like renegotiation) */
SCLogDebug("TLS Handshake Version %.4x Cipher %d Compression %d\n", version, ciphersuite, compressionmethod);
return ssl_state->message_length;
}
int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len) int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
{ {
uint32_t certificates_length, cur_cert_length; uint32_t certificates_length, cur_cert_length;
@ -160,8 +122,8 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
} else { } else {
//SCLogInfo("TLS Cert %d: %s\n", i, buffer); //SCLogInfo("TLS Cert %d: %s\n", i, buffer);
if (i==0) { if (i==0) {
ssl_state->cert0_subject = SCStrdup(buffer); ssl_state->curr_connp->cert0_subject = SCStrdup(buffer);
if (ssl_state->cert0_subject == NULL) { if (ssl_state->curr_connp->cert0_subject == NULL) {
DerFree(cert); DerFree(cert);
return -1; return -1;
} }
@ -173,8 +135,8 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
} else { } else {
//SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer); //SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer);
if (i==0) { if (i==0) {
ssl_state->cert0_issuerdn = SCStrdup(buffer); ssl_state->curr_connp->cert0_issuerdn = SCStrdup(buffer);
if (ssl_state->cert0_issuerdn == NULL) { if (ssl_state->curr_connp->cert0_issuerdn == NULL) {
DerFree(cert); DerFree(cert);
return -1; return -1;
} }
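Review bot: The `i==0` branches now write `ssl_state->curr_connp->cert0_subject = SCStrdup(buffer)` and the matching `cert0_issuerdn` assignment without checking whether the pointer is already set, so a second Certificate handshake message on the same direction (e.g. after renegotiation) would overwrite and leak the earlier string; this was already the case with the old flat `ssl_state->cert0_subject`, but the move into a per-direction struct is a good moment to fix it. Guarding with `if (ssl_state->curr_connp->cert0_subject != NULL) SCFree(ssl_state->curr_connp->cert0_subject);` before each assignment (and the same for `cert0_issuerdn`) closes it. The code also dereferences `curr_connp` without a NULL check; whether it can be NULL when this decoder runs depends on the app-layer-ssl.c change that is suppressed on this page, so that should be confirmed there. `DecodeTLSHandshakeServerCertificate` starts and ends outside these hunks.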

@ -35,7 +35,6 @@
#ifndef __APP_LAYER_TLS_HANDSHAKE_H__ #ifndef __APP_LAYER_TLS_HANDSHAKE_H__
#define __APP_LAYER_TLS_HANDSHAKE_H__ #define __APP_LAYER_TLS_HANDSHAKE_H__
int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len); int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
#endif /* __APP_LAYER_TLS_HANDSHAKE_H__ */ #endif /* __APP_LAYER_TLS_HANDSHAKE_H__ */

@ -134,12 +134,12 @@ int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
if (flags & STREAM_TOCLIENT) { if (flags & STREAM_TOCLIENT) {
SCLogDebug("server (toclient) version is 0x%02X", SCLogDebug("server (toclient) version is 0x%02X",
app_state->server_version); app_state->server_connp.version);
ver = app_state->server_version; ver = app_state->server_connp.version;
} else if (flags & STREAM_TOSERVER) { } else if (flags & STREAM_TOSERVER) {
SCLogDebug("client (toserver) version is 0x%02X", SCLogDebug("client (toserver) version is 0x%02X",
app_state->client_version); app_state->client_connp.ersion);
ver = app_state->client_version; ver = app_state->client_connp.version;
} }
FLOWLOCK_UNLOCK(f); FLOWLOCK_UNLOCK(f);
@ -482,18 +482,18 @@ static int DetectSslVersionTestDetect01(void)
goto end; goto end;
} }
if (app_state->client_content_type != 0x16) { if (app_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_content_type); printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type);
goto end; goto end;
} }
if (app_state->client_version != TLS_VERSION_10) { if (app_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_version); printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version);
goto end; goto end;
} }
SCLogDebug("app_state is at %p, app_state->server_version 0x%02X app_state->client_version 0x%02X", SCLogDebug("app_state is at %p, app_state->server_connp.version 0x%02X app_state->client_connp.version 0x%02X",
app_state, app_state->server_version, app_state->client_version); app_state, app_state->server_connp.version, app_state->client_connp.version);
/* do detect */ /* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
@ -597,13 +597,13 @@ static int DetectSslVersionTestDetect02(void)
goto end; goto end;
} }
if (app_state->client_content_type != 0x16) { if (app_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_content_type); printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type);
goto end; goto end;
} }
if (app_state->client_version != TLS_VERSION_10) { if (app_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_version); printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version);
goto end; goto end;
} }
@ -722,13 +722,13 @@ static int DetectSslVersionTestDetect03(void)
goto end; goto end;
} }
if (app_state->client_content_type != 0x16) { if (app_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_content_type); printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, app_state->client_connp.content_type);
goto end; goto end;
} }
if (app_state->client_version != TLS_VERSION_10) { if (app_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_version); printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, app_state->client_connp.version);
goto end; goto end;
} }
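Review bot: The new `SCLogDebug` argument in the `STREAM_TOSERVER` branch of `DetectSslVersionMatch` reads `app_state->client_connp.ersion`, which is not a field of `SSLStateConnp`; it goes unnoticed only because `SCLogDebug` is compiled out in non-debug builds, and a debug build would fail to compile. It should read `app_state->client_connp.version`, matching the `ver = app_state->client_connp.version;` assignment on the next line. `DetectSslVersionMatch` begins before this hunk.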

@ -127,11 +127,11 @@ int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow *
if (flags & STREAM_TOCLIENT) { if (flags & STREAM_TOCLIENT) {
SCLogDebug("server (toclient) version is 0x%02X", ssl_state->server_version); SCLogDebug("server (toclient) version is 0x%02X", ssl_state->server_version);
if (tls_data->ver == ssl_state->server_version) if (tls_data->ver == ssl_state->server_connp.version)
ret = 1; ret = 1;
} else if (flags & STREAM_TOSERVER) { } else if (flags & STREAM_TOSERVER) {
SCLogDebug("client (toserver) version is 0x%02X", ssl_state->client_version); SCLogDebug("client (toserver) version is 0x%02X", ssl_state->client_version);
if (tls_data->ver == ssl_state->client_version) if (tls_data->ver == ssl_state->client_connp.version)
ret = 1; ret = 1;
} }
FLOWLOCK_UNLOCK(f); FLOWLOCK_UNLOCK(f);
@ -387,18 +387,22 @@ static int DetectTlsVersionTestDetect01(void) {
goto end; goto end;
} }
if (ssl_state->client_content_type != 0x16) { if (ssl_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, ssl_state->client_content_type); printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
0x16, ssl_state->client_connp.content_type);
goto end; goto end;
} }
if (ssl_state->client_version != TLS_VERSION_10) { if (ssl_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, ssl_state->client_version); printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
TLS_VERSION_10, ssl_state->client_connp.version);
goto end; goto end;
} }
SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X ssl_state->client_version 0x%02X", SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X "
ssl_state, ssl_state->server_version, ssl_state->client_version); "ssl_state->client_version 0x%02X",
ssl_state, ssl_state->server_connp.version,
ssl_state->client_connp.version);
/* do detect */ /* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p); SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
@ -500,13 +504,15 @@ static int DetectTlsVersionTestDetect02(void) {
goto end; goto end;
} }
if (ssl_state->client_content_type != 0x16) { if (ssl_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, ssl_state->client_content_type); printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
0x16, ssl_state->client_connp.content_type);
goto end; goto end;
} }
if (ssl_state->client_version != TLS_VERSION_10) { if (ssl_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, ssl_state->client_version); printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
TLS_VERSION_10, ssl_state->client_connp.version);
goto end; goto end;
} }
@ -626,13 +632,15 @@ static int DetectTlsVersionTestDetect03(void) {
goto end; goto end;
} }
if (ssl_state->client_content_type != 0x16) { if (ssl_state->client_connp.content_type != 0x16) {
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, ssl_state->client_content_type); printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
0x16, ssl_state->client_connp.content_type);
goto end; goto end;
} }
if (ssl_state->client_version != TLS_VERSION_10) { if (ssl_state->client_connp.version != TLS_VERSION_10) {
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", TLS_VERSION_10, ssl_state->client_version); printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
TLS_VERSION_10, ssl_state->client_connp.version);
goto end; goto end;
} }
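Review bot: The two `SCLogDebug` calls in `DetectTlsVersionMatch` still reference `ssl_state->server_version` and `ssl_state->client_version` on the new side, while the header hunk in this commit removes those fields from `SSLState` and the comparisons right below them were already updated to `server_connp.version` / `client_connp.version`; as with the sibling detect-ssl-version.c change, this only survives because `SCLogDebug` is compiled out in release builds. Change them to `SCLogDebug("server (toclient) version is 0x%02X", ssl_state->server_connp.version);` and `SCLogDebug("client (toserver) version is 0x%02X", ssl_state->client_connp.version);`. `DetectTlsVersionMatch` begins before this hunk.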

@ -168,10 +168,19 @@ static int DetectTlsSubjectMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
} else { } else {
ret = 0; ret = 0;
} }
if (ssl_state->cert0_subject != NULL) {
SCLogDebug("TLS: Subject is [%s], looking for [%s]\n", ssl_state->cert0_subject, tls_data->subject);
if (strstr(ssl_state->cert0_subject, tls_data->subject) != NULL) { SSLStateConnp *connp = NULL;
if (flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
if (connp->cert0_subject != NULL) {
SCLogDebug("TLS: Subject is [%s], looking for [%s]\n",
connp->cert0_subject, tls_data->subject);
if (strstr(connp->cert0_subject, tls_data->subject) != NULL) {
if (tls_data->flags & DETECT_CONTENT_NEGATED) { if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 0; ret = 0;
} else { } else {
@ -362,10 +371,19 @@ static int DetectTlsIssuerDNMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx
} else { } else {
ret = 0; ret = 0;
} }
if (ssl_state->cert0_issuerdn != NULL) {
SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n", ssl_state->cert0_issuerdn, tls_data->issuerdn);
if (strstr(ssl_state->cert0_issuerdn, tls_data->issuerdn) != NULL) { SSLStateConnp *connp = NULL;
if (flags & STREAM_TOSERVER) {
connp = &ssl_state->client_connp;
} else {
connp = &ssl_state->server_connp;
}
if (connp->cert0_issuerdn != NULL) {
SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n",
connp->cert0_issuerdn, tls_data->issuerdn);
if (strstr(connp->cert0_issuerdn, tls_data->issuerdn) != NULL) {
if (tls_data->flags & DETECT_CONTENT_NEGATED) { if (tls_data->flags & DETECT_CONTENT_NEGATED) {
ret = 0; ret = 0;
} else { } else {
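Review bot: The direction-selection block (`SSLStateConnp *connp = NULL; if (flags & STREAM_TOSERVER) ... else ...`) is duplicated verbatim in `DetectTlsSubjectMatch` and `DetectTlsIssuerDNMatch`; a small static helper would keep the two matchers from drifting apart. Note also that, as far as this page shows, certificates are only ever decoded into `curr_connp` by `DecodeTLSHandshakeServerCertificate`, so for a packet flagged `STREAM_TOSERVER` the lookup lands in `client_connp`, which presumably stays empty unless the client itself sent a Certificate message — worth a one-line comment at the selection so the next reader does not expect the server certificate to match in that direction. Both functions start and end outside these hunks.

```c
/* Pick the per-direction state that the packet's direction flags refer to:
 * TOSERVER data belongs to the client side, everything else to the server. */
static inline SSLStateConnp *DetectTlsConnpForDirection(SSLState *ssl_state, uint8_t flags)
{
    return (flags & STREAM_TOSERVER) ? &ssl_state->client_connp
                                     : &ssl_state->server_connp;
}

/* … in DetectTlsSubjectMatch and DetectTlsIssuerDNMatch, replacing the inline if/else … */
SSLStateConnp *connp = DetectTlsConnpForDirection(ssl_state, flags);
```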
