[Oisf-devel] [PATCH 3/3] TLS handshake: get TLS ciphersuite and compression
Pierre Chifflier
pierre.chifflier at ssi.gouv.fr
Tue Oct 25 12:11:00 UTC 2011
Decode the SERVER_HELLO message to extract the ciphersuite and compression
chosen by the server.
Signed-off-by: Pierre Chifflier <pierre.chifflier at ssi.gouv.fr>
---
src/app-layer-ssl.c | 15 ++++-----------
src/app-layer-ssl.h | 4 ++++
src/decode-tls-handshake.c | 39 +++++++++++++++++++++++++++++++++++++++
src/decode-tls-handshake.h | 1 +
4 files changed, 48 insertions(+), 11 deletions(-)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index a1df3ee..76e895b 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -128,17 +128,10 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
case SSLV3_HS_SERVER_HELLO:
ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;
- switch (ssl_state->bytes_processed) {
- case 9:
- ssl_state->bytes_processed++;
- ssl_state->handshake_server_hello_ssl_version = *(input++) << 8;
- if (--input_len == 0)
- break;
- case 10:
- ssl_state->bytes_processed++;
- ssl_state->handshake_server_hello_ssl_version |= *(input++);
- if (--input_len == 0)
- break;
+ rc = DecodeTLSHandshakeServerHello(ssl_state, input, input_len);
+ if (rc >= 0) {
+ ssl_state->bytes_processed += rc;
+ input += rc;
}
break;
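Review bot: A negative rc from DecodeTLSHandshakeServerHello (returned when fewer than 40 bytes are available) is silently dropped on the `if (rc >= 0)` line, so the SERVER_HELLO case falls through to `break` with version, ciphersuite and compression unset and no error reported; the byte-at-a-time state machine this replaces could resume on the next segment, the new single call cannot, so the failure should at least be signalled to the caller. The value added to bytes_processed and input is `record_length-4` (see the decode-tls-handshake.c hunk), which is the message length rather than the number of bytes actually present, and input_len is not reduced alongside `input += rc`, so a record split across segments can advance input past the buffer. I'd guard the advance, e.g. `if (rc < 0 || (uint32_t)rc > input_len) return -1;` followed by `input_len -= rc;`. Whether rc is declared in SSLv3ParseHandshakeType is not visible in the hunk, and the function's body continues outside it.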
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 9065695..eccc2dd 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -93,6 +93,10 @@ typedef struct SSLState_ {
/* sslv2 client hello session id length */
uint16_t session_id_length;
+ /* the ciphersuite, chosen by the server */
+ uint16_t ciphersuite;
+ uint8_t compressionmethod;
+
char *cert0_subject;
/* buffer for the tls record.
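Review bot: The new `compressionmethod` field has no comment while `ciphersuite` and the neighbouring fields do; I'd extend the comment above it to `/* the ciphersuite and compression method, chosen by the server */` so both new fields are covered. The SSLState_ struct starts and ends outside the hunk.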
diff --git a/src/decode-tls-handshake.c b/src/decode-tls-handshake.c
index 93a0485..430a133 100644
--- a/src/decode-tls-handshake.c
+++ b/src/decode-tls-handshake.c
@@ -39,6 +39,45 @@
#define SSLV3_RECORD_LEN 5
+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
+{
+ uint32_t version, length, ciphersuite;
+ uint8_t compressionmethod;
+
+ if (input_len < 40)
+ return -1;
+
+ version = input[0]<<8 | input[1];
+ ssl_state->handshake_server_hello_ssl_version = version;
+
+ input += 2;
+ input_len -= 2;
+
+ /* skip the random field */
+ input += 32;
+
+ /* skip the session ID */
+ length = input[0];
+ input += 1 + length;
+
+ ciphersuite = input[0]<<8 | input[1];
+ ssl_state->ciphersuite = ciphersuite;
+
+ input += 2;
+
+ compressionmethod = input[0];
+ ssl_state->compressionmethod = compressionmethod;
+
+ input += 1;
+
+ /* extensions (like renegotiation) */
+
+ SCLogDebug("TLS Handshake Version %.4x Cipher %d Compression %d\n", version, ciphersuite, compressionmethod);
+
+ /* return the message length (TLS record - (handshake type + length)) */
+ return ssl_state->record_length-4;
+}
+
int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
{
uint32_t certificates_length, cur_cert_length;
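Review bot: The `if (input_len < 40)` check near the top of DecodeTLSHandshakeServerHello only covers a SERVER_HELLO with an empty session ID: `length = input[0]` comes from the peer (up to 255) and `input += 1 + length` is followed by the `input[0]`/`input[1]` reads for the ciphersuite and compression method with no comparison against input_len, so a crafted ServerHello makes the parser read up to 255 bytes past the end of the input buffer. input_len is decremented after the version bytes but never consulted again, which is the sign the bounds tracking was dropped; carry it through the random field and session ID and reject the message when fewer than `length + 3` bytes remain. The return value `ssl_state->record_length-4` is likewise independent of input_len, so the caller cannot safely treat it as a consumed-byte count (record_length's type and range are not visible here). Also, the `%d` conversions in the SCLogDebug call are paired with uint32_t arguments; `%u` (or PRIu32) matches them.
```c
int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
{
    /* … unchanged: declarations, minimum-length check, version parse, input += 2 / input_len -= 2 … */

    /* skip the 32-byte random field, then read the session ID length */
    if (input_len < 33)
        return -1;
    input += 32;
    length = input[0];
    input += 1;
    input_len -= 33;

    /* session ID must be followed by a 2-byte ciphersuite and 1-byte compression method */
    if (input_len < length + 3)
        return -1;
    input += length;
    input_len -= length;

    /* … unchanged: ciphersuite / compressionmethod assignment, debug log, return … */
```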
diff --git a/src/decode-tls-handshake.h b/src/decode-tls-handshake.h
index 8a8f2c6..7aee447 100644
--- a/src/decode-tls-handshake.h
+++ b/src/decode-tls-handshake.h
@@ -25,6 +25,7 @@
#ifndef __DECODE_TLS_HANDSHAKE_H__
#define __DECODE_TLS_HANDSHAKE_H__
+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
#endif /* __DECODE_TLS_HANDSHAKE_H__ */
--
1.7.7