[Oisf-devel] [PATCH 2/3] TLS handshake: decode the SERVER_CERTIFICATE message
Victor Julien
victor at inliniac.net
Tue Nov 1 08:37:30 UTC 2011
On 10/25/2011 02:10 PM, Pierre Chifflier wrote:
> Add a decoder for the SERVER_CERTIFICATE during a TLS handshake, extract the
> certificates and keep the subject name.
> Add the tls.subject keyword for substring match in rules (TLS layer).
>
> Signed-off-by: Pierre Chifflier <pierre.chifflier at ssi.gouv.fr>
> ---
> src/Makefile.am | 2 +
> src/app-layer-ssl.c | 38 ++++++-
> src/app-layer-ssl.h | 8 ++
> src/decode-tls-handshake.c | 90 +++++++++++++++
> src/decode-tls-handshake.h | 31 +++++
These files should either be named "util-decode-tls-handshake.*" or
"app-layer-tls-handshake.*".
The "decode-" prefix is reserved for the packet decoders, and the tls
decoders don't run on packets but on the reassembled stream.
> +/**
> + * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
> + *
> + * \param idstr Pointer to the user provided id option
> + *
> + * \retval id_d pointer to DetectTlsData on success
> + * \retval NULL on failure
> + */
> +static DetectTlsData *DetectTlsSubjectParse (char *str)
> +{
> + DetectTlsData *tls = NULL;
> +#define MAX_SUBSTRINGS 30
> + int ret = 0, res = 0;
> + int ov[MAX_SUBSTRINGS];
> +
> + ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0,
> + ov, MAX_SUBSTRINGS);
> +
> + if (ret < 1 || ret > 3) {
> + SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.subject option");
> + goto error;
> + }
> +
> + if (ret > 1) {
> + const char *str_ptr;
> + char *orig;
> + char *tmp_str;
> + res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
> + if (res < 0) {
> + SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
> + goto error;
> + }
> +
> + /* We have a correct id option */
> + tls = SCMalloc(sizeof(DetectTlsData));
> + if (tls == NULL)
> + goto error;
> + tls->subject = NULL;
> +
> + orig = SCStrdup((char*)str_ptr);
> + tmp_str=orig;
> + if (tmp_str == NULL) {
> + goto error;
> + }
> +
> + /* Let's see if we need to escape "'s */
> + if (tmp_str[0] == '"')
> + {
> + tmp_str[strlen(tmp_str) - 1] = '\0';
> + tmp_str += 1;
> + }
> +
> + tls->subject = strdup(tmp_str);
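Review bot: the quote-stripping branch at `if (tmp_str[0] == '"')` only checks the opening quote and then unconditionally overwrites the last character, so an option written as `"foo` (no closing quote) silently loses its final character instead of being rejected; suggest guarding the trim with `strlen(tmp_str) >= 2 && tmp_str[strlen(tmp_str) - 1] == '"'` and going to the error label otherwise. The doc block above the function is still the one from the IPv4 ip_id parser (`\param idstr`, `\retval id_d`) and should describe the tls.subject option and the `str` parameter. On the visible lines neither `orig` (the SCStrdup result) nor `str_ptr` (from pcre_get_substring, to be released with pcre_free_substring) is freed; make sure both are released on the success path and on the error path, and that `tls` is freed in the error path once it has been allocated.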
Please use SCStrdup here.
Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------