decode-mime: compute body md5

This patch is computing the md5 sum of the body of the MIME message. This will allow to detect messages with same content and sent to different people.
10 years ago · d39009ca58
parent e43eb76abd
commit d39009ca58
2 changed files with 31 additions and 0 deletions
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@ -1992,6 +1992,7 @@ static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
 *
 * \return MIME_DEC_OK on success, otherwise < 0 on failure
 */
+
 static int ProcessBodyComplete(MimeDecParseState *state)
 {
    int ret = MIME_DEC_OK;
@ -2180,6 +2181,16 @@ static int ProcessMimeBody(const uint8_t *buf, uint32_t len,
    int body_found = 0;
    uint32_t tlen;

+#ifdef HAVE_NSS
+    if (state->body_begin == 1 && (state->md5_ctx == NULL)) {
+        state->md5_ctx = HASH_Create(HASH_AlgMD5);
+        if (state->md5_ctx != NULL) {
+            HASH_Begin(state->md5_ctx);
+            HASH_Update(state->md5_ctx, buf, len + 2); /* plus 2 to add CRLF */
+        }
+    }
+#endif
+
    /* Ignore empty lines */
    if (len == 0) {
        return ret;
@ -2394,6 +2405,10 @@ void MimeDecDeInitParser(MimeDecParseState *state)
    SCFree(state->hname);
    FreeDataValue(state->hvalue);
    FreeMimeDecStack(state->stack);
+#ifdef HAVE_NSS
+    if (state->md5_ctx)
+        HASH_Destroy(state->md5_ctx);
+#endif
    SCFree(state);
 }

@ -2427,6 +2442,13 @@ int MimeDecParseComplete(MimeDecParseState *state)
        return ret;
    }

+#ifdef HAVE_NSS
+    if (state->md5_ctx) {
+        unsigned int len = 0;
+        HASH_End(state->md5_ctx, state->md5, &len, sizeof(state->md5));
+    }
+#endif
+
    if (state->stack->top == NULL) {
        state->msg->anomaly_flags |= ANOM_MALFORMED_MSG;
        SCLogDebug("Error: Message is malformed");
@ -2475,6 +2497,11 @@ int MimeDecParseLine(const uint8_t *line, const uint32_t len,
        SCLogDebug("SMTP LINE - EMPTY");
    }

+#ifdef HAVE_NSS
+    if (state->md5_ctx) {
+        HASH_Update(state->md5_ctx, line, len + 2);
+    }
+#endif
    /* Process the entity */
    ret = ProcessMimeEntity(line, len, state);
    if (ret != MIME_DEC_OK) {
--- a/src/util-decode-mime.h
+++ b/src/util-decode-mime.h
@ -197,6 +197,10 @@ typedef struct MimeDecParseState {
    uint8_t bvremain[B64_BLOCK];  /**< Remainder from base64-decoded line */
    uint8_t bvr_len;  /**< Length of remainder from base64-decoded line */
    uint8_t data_chunk[DATA_CHUNK_SIZE];  /**< Buffer holding data chunk */
+#ifdef HAVE_NSS
+    HASHContext *md5_ctx;
+    uint8_t md5[MD5_LENGTH];
+#endif
    uint8_t state_flag;  /**<  Flag representing current state of parser */
    uint32_t data_chunk_len;  /**< Length of data chunk */
    int found_child;  /**< Flag indicating a child entity was found */