tls: adding fingerprint calculation.

Adding a pointer in ssl_state struct and compute fingerprint during certificate decoding.
14 years ago · 644c1b3cad
parent 3df20d0544
commit 644c1b3cad
3 changed files with 34 additions and 0 deletions
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@ -878,6 +878,8 @@ void SSLStateFree(void *p)
        SCFree(ssl_state->client_connp.cert0_subject);
    if (ssl_state->client_connp.cert0_issuerdn)
        SCFree(ssl_state->client_connp.cert0_issuerdn);
+    if (ssl_state->client_connp.cert0_fingerprint)
+        SCFree(ssl_state->client_connp.cert0_fingerprint);

    if (ssl_state->server_connp.trec)
        SCFree(ssl_state->server_connp.trec);
@ -885,6 +887,8 @@ void SSLStateFree(void *p)
        SCFree(ssl_state->server_connp.cert0_subject);
    if (ssl_state->server_connp.cert0_issuerdn)
        SCFree(ssl_state->server_connp.cert0_issuerdn);
+    if (ssl_state->server_connp.cert0_fingerprint)
+        SCFree(ssl_state->server_connp.cert0_fingerprint);

    SCFree(ssl_state);

--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@ -100,6 +100,7 @@ typedef struct SSLStateConnp_ {

    char *cert0_subject;
    char *cert0_issuerdn;
+    char *cert0_fingerprint;

    /* buffer for the tls record.
     * We use a malloced buffer, if the record is fragmented */
--- a/src/app-layer-tls-handshake.c
+++ b/src/app-layer-tls-handshake.c
@ -50,6 +50,8 @@
 #include "util-decode-der.h"
 #include "util-decode-der-get.h"

+#include "util-crypt.h"
+
 #define SSLV3_RECORD_LEN 5

 static void TLSCertificateErrCodeToWarning(SSLState *ssl_state, uint32_t errcode)
@ -143,6 +145,32 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
                }
            }
            DerFree(cert);
+
+            if (i == 0 && ssl_state->server_connp.cert0_fingerprint == NULL) {
+                int msg_len = cur_cert_length;
+                int hash_len = 20;
+                int out_len = 60;
+                char out[out_len];
+                unsigned char* hash;
+                hash = ComputeSHA1((unsigned char*) input, (int) msg_len);
+                char *p = out;
+                int j = 0;
+
+                if (hash == NULL) {
+                    SCLogWarning(SC_ERR_MEM_ALLOC, "Can not allocate fingerprint string");
+                } else {
+
+                    for (j = 0; j < hash_len; j++, p += 3) {
+                        snprintf(p, 4, j == hash_len - 1 ? "%02x" : "%02x:", hash[j]);
+                    }
+                    SCFree(hash);
+                    ssl_state->server_connp.cert0_fingerprint = SCStrdup(out);
+                    if (ssl_state->server_connp.cert0_fingerprint == NULL) {
+                        SCLogWarning(SC_ERR_MEM_ALLOC, "Can not allocate fingerprint string");
+                    }
+                }
+            }
+
        }

        i++;
@ -152,5 +180,6 @@ int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uin
    }

    return parsed;
+
 }