From b253d1a4994ee04511f6e23dd13bda4357544c07 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 23 Aug 2012 09:25:15 +0200
Subject: [PATCH] tls: store all the certificates chain in the written PEM file.

When using the tls.store command, a dump of all certificates in the chain is now done on the disk.
---
 src/log-tlslog.c | 61 +++++++++++++++++++++++++-----------------------
 1 file changed, 32 insertions(+), 29 deletions(-)

diff --git a/src/log-tlslog.c b/src/log-tlslog.c
index b7514c17b5..a1c9072c65 100644
--- a/src/log-tlslog.c
+++ b/src/log-tlslog.c
@@ -215,6 +215,7 @@ static void LogTlsLogPem(LogTlsLogThread *aft, Packet *p, SSLState *state, LogTl
     unsigned long pemlen;
     unsigned char* pembase64ptr = NULL;
     int ret;
+    SSLCertsChain *cert;
 
     if ((state->server_connp.cert_input == NULL) || (state->server_connp.cert_input_len == 0))
         SCReturn;
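Review bot: The early-return guard kept as context below the new `SSLCertsChain *cert;` declaration still tests `cert_input`/`cert_input_len`, while the code that consumes `cert` (in the next hunk) walks `state->server_connp.certs` instead; if that list can be empty while `cert_input` is set — not visible from here — the PEM file is opened and left empty with no warning. Once the list is the source of truth, a parallel check before the file is created, `if (TAILQ_EMPTY(&state->server_connp.certs)) SCReturn;`, preserves the old early-return semantics; otherwise the retained guard deserves a comment explaining why `cert_input` is still the gate. LogTlsLogPem starts before this hunk and ends after it.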
@@ -231,42 +232,44 @@ static void LogTlsLogPem(LogTlsLogThread *aft, Packet *p, SSLState *state, LogTl
         SCReturn;
     }
 
-    pemlen = (4 * (state->server_connp.cert_input_len + 2) / 3) +1;
-    if (pemlen > aft->enc_buf_len) {
-        aft->enc_buf = (uint8_t*) SCRealloc(aft->enc_buf, sizeof(uint8_t) * pemlen);
-        if (aft->enc_buf == NULL) {
-            SCLogWarning(SC_ERR_MEM_ALLOC, "Can't allocate data for base64 encoding");
-            goto end_fp;
+    TAILQ_FOREACH(cert, &state->server_connp.certs, next) {
+        pemlen = (4 * (cert->cert_len + 2) / 3) +1;
+        if (pemlen > aft->enc_buf_len) {
+            aft->enc_buf = (uint8_t*) SCRealloc(aft->enc_buf, sizeof(uint8_t) * pemlen);
+            if (aft->enc_buf == NULL) {
+                SCLogWarning(SC_ERR_MEM_ALLOC, "Can't allocate data for base64 encoding");
+                goto end_fp;
+            }
+            aft->enc_buf_len = pemlen;
         }
-        aft->enc_buf_len = pemlen;
-    }
-
-    memset(aft->enc_buf, 0, aft->enc_buf_len);
-    ret = Base64Encode((unsigned char*) state->server_connp.cert_input, state->server_connp.cert_input_len, aft->enc_buf, &pemlen);
-    if (ret != SC_BASE64_OK) {
-        SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "Invalid return of Base64Encode function");
-        goto end_fwrite_fp;
-    }
+        memset(aft->enc_buf, 0, aft->enc_buf_len);
 
-    if (fprintf(fp, PEMHEADER) < 0)
-        goto end_fwrite_fp;
+        ret = Base64Encode((unsigned char*) cert->cert_data, cert->cert_len, aft->enc_buf, &pemlen);
+        if (ret != SC_BASE64_OK) {
+            SCLogWarning(SC_ERR_INVALID_ARGUMENTS, "Invalid return of Base64Encode function");
+            goto end_fwrite_fp;
+        }
 
-    pembase64ptr = aft->enc_buf;
-    while (pemlen > 0) {
-        size_t loffset = pemlen >= 64 ? 64 : pemlen;
-        if (fwrite(pembase64ptr, 1, loffset, fp) != loffset)
+        if (fprintf(fp, PEMHEADER) < 0)
             goto end_fwrite_fp;
-        if (fwrite("\n", 1, 1, fp) != 1)
+
+        pembase64ptr = aft->enc_buf;
+        while (pemlen > 0) {
+            size_t loffset = pemlen >= 64 ? 64 : pemlen;
+            if (fwrite(pembase64ptr, 1, loffset, fp) != loffset)
+                goto end_fwrite_fp;
+            if (fwrite("\n", 1, 1, fp) != 1)
+                goto end_fwrite_fp;
+            pembase64ptr += 64;
+            if (pemlen < 64)
+                break;
+            pemlen -= 64;
+        }
+
+        if (fprintf(fp, PEMFOOTER) < 0)
             goto end_fwrite_fp;
-        pembase64ptr += 64;
-        if (pemlen < 64)
-            break;
-        pemlen -= 64;
     }
-
-    if (fprintf(fp, PEMFOOTER) < 0)
-        goto end_fwrite_fp;
     fclose(fp);
 
     //Logging certificate informations