diff --git a/src/Makefile.am b/src/Makefile.am index 43e00189cc..6c40e7742a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -50,7 +50,6 @@ app-layer-ikev2.c app-layer-ikev2.h \ app-layer-template.c app-layer-template.h \ app-layer-ssh.c app-layer-ssh.h \ app-layer-ssl.c app-layer-ssl.h \ -app-layer-tls-handshake.c app-layer-tls-handshake.h \ conf.c conf.h \ conf-yaml-loader.c conf-yaml-loader.h \ counters.c counters.h \ diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index 4a8c39225a..a340c02ce6 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -38,7 +38,6 @@ #include "app-layer-protos.h" #include "app-layer-parser.h" #include "app-layer-ssl.h" -#include "app-layer-tls-handshake.h" #include "decode-events.h" #include "conf.h" diff --git a/src/app-layer-tls-handshake.c b/src/app-layer-tls-handshake.c deleted file mode 100644 index 4a27dadec1..0000000000 --- a/src/app-layer-tls-handshake.c +++ /dev/null @@ -1,247 +0,0 @@ -/* - * Copyright (C) 2011-2012 ANSSI - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL - * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; - * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * \file - * - * \author Pierre Chifflier - * - * \brief Decode TLS Handshake messages, as described in RFC2246 - * - */ - -#include "suricata-common.h" -#include "debug.h" -#include "decode.h" - -#include "app-layer-parser.h" -#include "app-layer-ssl.h" -#include "app-layer-tls-handshake.h" -#include "decode-events.h" - -#include "util-decode-der.h" -#include "util-decode-der-get.h" -#include "util-crypt.h" - -#define SSLV3_RECORD_LEN 5 - -static void TLSCertificateErrCodeToWarning(SSLState *ssl_state, - uint32_t errcode) -{ - if (errcode == 0) - return; - - switch (errcode) { - case ERR_DER_ELEMENT_SIZE_TOO_BIG: - case ERR_DER_INVALID_SIZE: - case ERR_DER_RECURSION_LIMIT: - SSLSetEvent(ssl_state, - TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH); - break; - case ERR_DER_UNSUPPORTED_STRING: - SSLSetEvent(ssl_state, - TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING); - break; - case ERR_DER_UNKNOWN_ELEMENT: - SSLSetEvent(ssl_state, - TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT); - break; - case ERR_DER_MISSING_ELEMENT: - SSLSetEvent(ssl_state, - TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT); - break; - case ERR_DER_GENERIC: - default: - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_CERTIFICATE); - break; - }; -} - -int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, - uint32_t input_len) -{ - uint32_t certificates_length, cur_cert_length; - int i; - Asn1Generic *cert; - char buffer[256]; - time_t not_before, not_after; - int rc; - int parsed; - uint8_t *start_data; - uint32_t errcode = 0; - - if (input_len < 3) - return 1; - - certificates_length = input[0]<<16 | input[1]<<8 | input[2]; - /* check if the message is complete */ - if (input_len < certificates_length + 3) - return 0; - - start_data = input; - input += 3; - parsed = 3; - - i = 0; - while (certificates_length > 0) { - if ((uint32_t)(input + 3 - start_data) > (uint32_t)input_len) { - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_CERTIFICATE); - return -1; - } - - cur_cert_length = input[0]<<16 | input[1]<<8 | input[2]; - input += 3; - parsed += 3; - - /* current certificate length should be greater than zero */ - if (cur_cert_length == 0) { - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_CERTIFICATE); - return -1; - } - - if (input - start_data + cur_cert_length > input_len) { - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_CERTIFICATE); - return -1; - } - - cert = DecodeDer(input, cur_cert_length, &errcode); - if (cert == NULL) { - TLSCertificateErrCodeToWarning(ssl_state, errcode); - } - - if (cert != NULL) { - rc = Asn1DerGetSubjectDN(cert, buffer, sizeof(buffer), &errcode); - - if (rc != 0) { - TLSCertificateErrCodeToWarning(ssl_state, errcode); - } else { - SSLCertsChain *ncert; - //SCLogInfo("TLS Cert %d: %s\n", i, buffer); - - if (i == 0) { - if (ssl_state->server_connp.cert0_subject == NULL) - ssl_state->server_connp.cert0_subject = SCStrdup(buffer); - if (ssl_state->server_connp.cert0_subject == NULL) { - DerFree(cert); - return -1; - } - } - - ncert = (SSLCertsChain *)SCMalloc(sizeof(SSLCertsChain)); - if (ncert == NULL) { - DerFree(cert); - return -1; - } - - memset(ncert, 0, sizeof(*ncert)); - ncert->cert_data = input; - ncert->cert_len = cur_cert_length; - TAILQ_INSERT_TAIL(&ssl_state->server_connp.certs, ncert, next); - } - - rc = Asn1DerGetIssuerDN(cert, buffer, sizeof(buffer), &errcode); - if (rc != 0) { - TLSCertificateErrCodeToWarning(ssl_state, errcode); - } else { - //SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer); - if (i == 0) { - if (ssl_state->server_connp.cert0_issuerdn == NULL) - ssl_state->server_connp.cert0_issuerdn = SCStrdup(buffer); - if (ssl_state->server_connp.cert0_issuerdn == NULL) { - DerFree(cert); - return -1; - } - } - } - - rc = Asn1DerGetSerial(cert, buffer, sizeof(buffer), &errcode); - if (rc != 0) { - TLSCertificateErrCodeToWarning(ssl_state, errcode); - } else { - if (i == 0) { - if (ssl_state->server_connp.cert0_serial == NULL) { - ssl_state->server_connp.cert0_serial = SCStrdup(buffer); - } - if (ssl_state->server_connp.cert0_serial == NULL) { - DerFree(cert); - return -1; - } - } - } - - rc = Asn1DerGetValidity(cert, ¬_before, ¬_after, &errcode); - if (rc != 0) { - TLSCertificateErrCodeToWarning(ssl_state, errcode); - } else { - if (i == 0) { - ssl_state->server_connp.cert0_not_before = not_before; - ssl_state->server_connp.cert0_not_after = not_after; - } - } - - DerFree(cert); - - if (i == 0 && ssl_state->server_connp.cert0_fingerprint == NULL) { - int msg_len = cur_cert_length; - unsigned char *hash; - hash = ComputeSHA1((unsigned char *) input, (int) msg_len); - - if (hash == NULL) { - // TODO maybe an event here? - } else { - int hash_len = 20; - int out_len = hash_len * 3 + 1; - char out[out_len]; - memset(out, 0x00, out_len); - - int j = 0; - for (j = 0; j < hash_len; j++) { - char one[4]; - snprintf(one, sizeof(one), j == hash_len - 1 ? "%02x" : "%02x:", hash[j]); - strlcat(out, one, out_len); - } - SCFree(hash); - ssl_state->server_connp.cert0_fingerprint = SCStrdup(out); - if (ssl_state->server_connp.cert0_fingerprint == NULL) { - // TODO do we need an event here? - } - } - - ssl_state->server_connp.cert_input = input; - ssl_state->server_connp.cert_input_len = cur_cert_length; - } - } - - i++; - certificates_length -= (cur_cert_length + 3); - parsed += cur_cert_length; - input += cur_cert_length; - } - - return parsed; -} - diff --git a/src/app-layer-tls-handshake.h b/src/app-layer-tls-handshake.h deleted file mode 100644 index 6041f7fbc5..0000000000 --- a/src/app-layer-tls-handshake.h +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (C) 2011-2012 ANSSI - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL - * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; - * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * \file - * - * \author Pierre Chifflier - * - */ - -#ifndef __APP_LAYER_TLS_HANDSHAKE_H__ -#define __APP_LAYER_TLS_HANDSHAKE_H__ - -int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len); - -#endif /* __APP_LAYER_TLS_HANDSHAKE_H__ */