TLS handshake: get TLS ciphersuite and compression

Decode the SERVER_HELLO message to extract the ciphersuite and compression chosen by the server. Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
14 years ago · 53e5421a24
parent 4be65fd016
commit 53e5421a24
4 changed files with 48 additions and 11 deletions
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@ -128,17 +128,10 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
        case SSLV3_HS_SERVER_HELLO:
            ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;

-            switch (ssl_state->bytes_processed) {
-                case 9:
-                    ssl_state->bytes_processed++;
-                    ssl_state->handshake_server_hello_ssl_version = *(input++) << 8;
-                    if (--input_len == 0)
-                        break;
-                case 10:
-                    ssl_state->bytes_processed++;
-                    ssl_state->handshake_server_hello_ssl_version |= *(input++);
-                    if (--input_len == 0)
-                        break;
+            rc = DecodeTLSHandshakeServerHello(ssl_state, input, input_len);
+            if (rc >= 0) {
+                ssl_state->bytes_processed += rc;
+                input += rc;
            }
            break;

--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@ -93,6 +93,10 @@ typedef struct SSLState_ {
    /* sslv2 client hello session id length */
    uint16_t session_id_length;

+    /* the ciphersuite, chosen by the server */
+    uint16_t ciphersuite;
+    uint8_t compressionmethod;
+
    char *cert0_subject;

    /* buffer for the tls record.
--- a/src/app-layer-tls-handshake.c
+++ b/src/app-layer-tls-handshake.c
@ -49,6 +49,45 @@

 #define SSLV3_RECORD_LEN 5

+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
+{
+    uint32_t version, length, ciphersuite;
+    uint8_t compressionmethod;
+
+    if (input_len < 40)
+        return -1;
+
+    version = input[0]<<8 | input[1];
+    ssl_state->handshake_server_hello_ssl_version = version;
+
+    input += 2;
+    input_len -= 2;
+
+    /* skip the random field */
+    input += 32;
+
+    /* skip the session ID */
+    length = input[0];
+    input += 1 + length;
+
+    ciphersuite = input[0]<<8 | input[1];
+    ssl_state->ciphersuite = ciphersuite;
+
+    input += 2;
+
+    compressionmethod = input[0];
+    ssl_state->compressionmethod = compressionmethod;
+
+    input += 1;
+
+    /* extensions (like renegotiation) */
+
+    SCLogDebug("TLS Handshake Version %.4x Cipher %d Compression %d\n", version, ciphersuite, compressionmethod);
+
+    /* return the message length (TLS record - (handshake type + length)) */
+    return ssl_state->record_length-4;
+}
+
 int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
 {
    uint32_t certificates_length, cur_cert_length;
--- a/src/app-layer-tls-handshake.h
+++ b/src/app-layer-tls-handshake.h
@ -35,6 +35,7 @@
 #ifndef __APP_LAYER_TLS_HANDSHAKE_H__
 #define __APP_LAYER_TLS_HANDSHAKE_H__

+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
 int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len);

 #endif /* __APP_LAYER_TLS_HANDSHAKE_H__ */