[Oisf-devel] [PATCH 3/3] TLS handshake: get TLS ciphersuite and compression
Victor Julien
victor at inliniac.net
Tue Nov 1 08:38:25 UTC 2011
On 10/25/2011 02:11 PM, Pierre Chifflier wrote:
> Decode the SERVER_HELLO message to extract the ciphersuite and compression
> chosen by the server.
>
> Signed-off-by: Pierre Chifflier <pierre.chifflier at ssi.gouv.fr>
> ---
> src/app-layer-ssl.c | 15 ++++-----------
> src/app-layer-ssl.h | 4 ++++
> src/decode-tls-handshake.c | 39 +++++++++++++++++++++++++++++++++++++++
> src/decode-tls-handshake.h | 1 +
> 4 files changed, 48 insertions(+), 11 deletions(-)
>
> diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
> index a1df3ee..76e895b 100644
> --- a/src/app-layer-ssl.c
> +++ b/src/app-layer-ssl.c
> @@ -128,17 +128,10 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
> case SSLV3_HS_SERVER_HELLO:
> ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;
>
> - switch (ssl_state->bytes_processed) {
> - case 9:
> - ssl_state->bytes_processed++;
> - ssl_state->handshake_server_hello_ssl_version = *(input++) << 8;
> - if (--input_len == 0)
> - break;
> - case 10:
> - ssl_state->bytes_processed++;
> - ssl_state->handshake_server_hello_ssl_version |= *(input++);
> - if (--input_len == 0)
> - break;
> + rc = DecodeTLSHandshakeServerHello(ssl_state, input, input_len);
> + if (rc >= 0) {
> + ssl_state->bytes_processed += rc;
> + input += rc;
> }
> break;
>
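Review bot: `input += rc` on the new side advances the buffer pointer by the decoder's return value but never reduces `input_len`, whereas the removed lines kept the pair consistent with `--input_len` per byte; any later use of `input_len` in this function would therefore overstate the remaining bytes. The return value in question is `ssl_state->record_length-4` (see the decode-tls-handshake.c hunk), which is not derived from `input_len`, so `rc` can be larger than the bytes actually present and `input` can be moved past the end of the buffer. I would accept the result only when it fits: `if (rc >= 0 && (uint32_t)rc <= input_len) { ssl_state->bytes_processed += rc; input += rc; input_len -= rc; }`. SSLv3ParseHandshakeType starts and ends outside the hunk.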
> diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
> index 9065695..eccc2dd 100644
> --- a/src/app-layer-ssl.h
> +++ b/src/app-layer-ssl.h
> @@ -93,6 +93,10 @@ typedef struct SSLState_ {
> /* sslv2 client hello session id length */
> uint16_t session_id_length;
>
> + /* the ciphersuite, chosen by the server */
> + uint16_t ciphersuite;
> + uint8_t compressionmethod;
> +
> char *cert0_subject;
>
> /* buffer for the tls record.
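Review bot: The comment above the two new fields documents only `ciphersuite`; `compressionmethod` gets none, although both are filled from the same SERVER_HELLO decode. I would widen it to `/* ciphersuite and compression method chosen by the server (SERVER_HELLO) */` so the next reader knows where both values come from. SSLState_ starts and ends outside the hunk.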
> diff --git a/src/decode-tls-handshake.c b/src/decode-tls-handshake.c
> index 93a0485..430a133 100644
> --- a/src/decode-tls-handshake.c
> +++ b/src/decode-tls-handshake.c
> @@ -39,6 +39,45 @@
>
> #define SSLV3_RECORD_LEN 5
>
> +int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
> +{
> + uint32_t version, length, ciphersuite;
> + uint8_t compressionmethod;
> +
> + if (input_len < 40)
> + return -1;
> +
> + version = input[0]<<8 | input[1];
> + ssl_state->handshake_server_hello_ssl_version = version;
> +
> + input += 2;
> + input_len -= 2;
> +
> + /* skip the random field */
> + input += 32;
> +
> + /* skip the session ID */
> + length = input[0];
> + input += 1 + length;
> +
> + ciphersuite = input[0]<<8 | input[1];
> + ssl_state->ciphersuite = ciphersuite;
> +
> + input += 2;
> +
> + compressionmethod = input[0];
> + ssl_state->compressionmethod = compressionmethod;
> +
> + input += 1;
> +
> + /* extensions (like renegotiation) */
> +
> + SCLogDebug("TLS Handshake Version %.4x Cipher %d Compression %d\n", version, ciphersuite, compressionmethod);
> +
> + /* return the message length (TLS record - (handshake type + length)) */
> + return ssl_state->record_length-4;
> +}
> +
> int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
> {
> uint32_t certificates_length, cur_cert_length;
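Review bot: The session-ID skip `input += 1 + length;` is not bounds-checked: `length` is attacker-controlled (up to 255), the only guard is `input_len < 40`, and the decrement `input_len -= 2` is never consulted again, so the ciphersuite and compression reads at offset `37 + length` run past a 40-byte buffer for any session ID longer than 2 bytes. The fix is to check the remaining length after reading `length` and before skipping, and to keep `input_len` in step with `input`, as in the rewrite below. The returned `ssl_state->record_length-4` should also be compared against `input_len` before being handed back, since the caller in the app-layer-ssl.c hunk advances `input` by it; I cannot see how `record_length` relates to this buffer, so that part is an assumption to confirm. Separately, `SCLogDebug` formats `uint32_t` values with `%d` and ends with an explicit `\n`, which the other log lines in this tree may not do.
```c
int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
{
    uint32_t version, length, ciphersuite;
    uint8_t compressionmethod;

    /* version (2) + random (32) + session_id_length (1) */
    if (input_len < 35)
        return -1;

    version = input[0]<<8 | input[1];
    ssl_state->handshake_server_hello_ssl_version = version;

    /* skip the version and the random field */
    input += 34;
    input_len -= 34;

    /* session ID (1 + length) must be followed by ciphersuite (2) and compression (1) */
    length = input[0];
    if (input_len < 1 + length + 3)
        return -1;
    input += 1 + length;
    input_len -= 1 + length;

    /* … unchanged: ciphersuite / compression extraction and debug log … */
}
```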
> diff --git a/src/decode-tls-handshake.h b/src/decode-tls-handshake.h
> index 8a8f2c6..7aee447 100644
> --- a/src/decode-tls-handshake.h
> +++ b/src/decode-tls-handshake.h
> @@ -25,6 +25,7 @@
> #ifndef __DECODE_TLS_HANDSHAKE_H__
> #define __DECODE_TLS_HANDSHAKE_H__
>
> +int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
> int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
>
> #endif /* __DECODE_TLS_HANDSHAKE_H__ */
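Review bot: The new prototype carries no comment, and its return contract is not obvious from the name: the definition in the decode-tls-handshake.c hunk returns -1 when the input is too short and otherwise a byte count the caller adds to `input` and `bytes_processed`. I would put `/* Decodes a SERVER_HELLO; returns the number of bytes consumed, or -1 if input_len is too short. */` above the declaration so callers know to check for the negative value before advancing.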
Looks cool!
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------