"Fossies" - the Fresh Open Source Software Archive 
Member "snort-2.9.17/src/dynamic-preprocessors/appid/service_plugins/service_ssl.c" (16 Oct 2020, 35154 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:
As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style:
standard) with prefixed line numbers and
code folding option.
Alternatively you can here
view or
download the uninterpreted source code file.
For more information about "service_ssl.c" see the
Fossies "Dox" file reference documentation and the latest
Fossies "Diffs" side-by-side code changes report:
2.9.16.1_vs_2.9.17.
1 /*
2 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
3 ** Copyright (C) 2005-2013 Sourcefire, Inc.
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License Version 2 as
7 ** published by the Free Software Foundation. You may not use, modify or
8 ** distribute this program under any other version of the GNU General
9 ** Public License.
10 **
11 ** This program is distributed in the hope that it will be useful,
12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ** GNU General Public License for more details.
15 **
16 ** You should have received a copy of the GNU General Public License
17 ** along with this program; if not, write to the Free Software
18 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 */
20
21
22 #include <ctype.h>
23 #include <string.h>
24 #include <stdlib.h>
25 #include <stddef.h>
26 #include <sys/types.h>
27 #include <netinet/in.h>
28 #include <openssl/x509.h>
29
30 #include "flow.h"
31 #include "service_base.h"
32 #include "service_ssl.h"
33 #include "fw_appid.h"
34 #include "serviceConfig.h"
35
36 #define SSL_PORT 443
37
38 typedef enum
39 {
40 SSL_CHANGE_CIPHER = 20,
41 SSL_ALERT = 21,
42 SSL_HANDSHAKE = 22,
43 SSL_APPLICATION_DATA = 23
44 } SSLContentType;
45
46 #define SSL_CLIENT_HELLO 1
47 #define SSL_SERVER_HELLO 2
48 #define SSL_CERTIFICATE 11
49 #define SSL_SERVER_KEY_XCHG 12
50 #define SSL_SERVER_CERT_REQ 13
51 #define SSL_SERVER_HELLO_DONE 14
52 #define SSL_CERTIFICATE_STATUS 22
53 #define SSL2_SERVER_HELLO 4
54 #define PCT_SERVER_HELLO 2
55
56 #define FIELD_SEPARATOR "/"
57 #define COMMON_NAME_STR "/CN="
58 #define ORG_NAME_STR "/O="
59
60 /* Extension types. */
61 #define SSL_EXT_SERVER_NAME 0
62
63 typedef struct _MatchedSSLPatterns {
64 SSLCertPattern *mpattern;
65 int index;
66 struct _MatchedSSLPatterns *next;
67 } MatchedSSLPatterns;
68
69 typedef enum
70 {
71 SSL_STATE_INITIATE, /* Client initiates. */
72 SSL_STATE_CONNECTION, /* Server responds... */
73 SSL_STATE_HEADER
74 } SSLState;
75
76 typedef struct _SERVICE_SSL_DATA
77 {
78 SSLState state;
79 int pos;
80 int length;
81 int tot_length;
82 /* From client: */
83 char *host_name;
84 int host_name_strlen;
85 /* While collecting certificates: */
86 int certs_len; /* (Total) length of certificate(s). */
87 uint8_t *certs_data; /* Certificate(s) data (each proceeded by length (3 bytes)). */
88 int in_certs; /* Currently collecting certificates? */
89 int certs_curr_len; /* Current amount of collected certificate data. */
90 /* Data collected from certificates afterwards: */
91 char *common_name;
92 int common_name_strlen;
93 int org_name_strlen;
94 char *org_name;
95 } ServiceSSLData;
96
97 typedef struct _SERVICE_SSL_CERTIFICATE
98 {
99 X509 *cert;
100 uint8_t *common_name_ptr;
101 int common_name_len;
102 uint8_t *org_name_ptr;
103 int org_name_len;
104 struct _SERVICE_SSL_CERTIFICATE *next;
105 } ServiceSSLCertificate;
106
107 #pragma pack(1)
108
109 typedef struct _SERVICE_SSL_V3_HEADER /* Actually a TLS Record. */
110 {
111 uint8_t type;
112 uint16_t version;
113 uint16_t len;
114 } ServiceSSLV3Hdr;
115
116 typedef struct _SERVICE_SSL_V3_RECORD /* Actually a Handshake. */
117 {
118 uint8_t type;
119 uint8_t length_msb;
120 uint16_t length;
121 uint16_t version;
122 struct {
123 uint32_t time;
124 uint8_t data[28];
125 } random;
126 } ServiceSSLV3Record;
127
128 typedef struct _SERVICE_SSL_V3_CERTS_RECORD /* Actually a Certificate(s) Handshake. */
129 {
130 uint8_t type;
131 uint8_t length_msb;
132 uint16_t length;
133 uint8_t certs_len[3]; /* 3-byte length, network byte order. */
134 /* Certificate(s) follow.
135 * For each:
136 * - Length: 3 bytes
137 * - Data : "Length" bytes */
138 } ServiceSSLV3CertsRecord;
139
140 typedef struct _SERVICE_SSL_V3_EXTENSION_SERVER_NAME
141 {
142 uint16_t type;
143 uint16_t length;
144 uint16_t list_length;
145 uint8_t string_length_msb;
146 uint16_t string_length;
147 /* String follows. */
148 } ServiceSSLV3ExtensionServerName;
149
150 typedef struct _SERVICE_SSL_PCT_HEADER
151 {
152 uint8_t len;
153 uint8_t len2;
154 uint8_t type;
155 uint8_t pad;
156 uint16_t version;
157 uint8_t restart;
158 uint8_t auth;
159 uint32_t cipher;
160 uint16_t hash;
161 uint16_t cert;
162 uint16_t exch;
163 uint8_t id[32];
164 uint16_t cert_len;
165 uint16_t c_cert_len;
166 uint16_t c_sig_len;
167 uint16_t resp_len;
168 } ServiceSSLPCTHdr;
169
170 typedef struct _SERVICE_SSL_V2_HEADER
171 {
172 uint8_t len;
173 uint8_t len2;
174 uint8_t type;
175 uint8_t id;
176 uint8_t cert;
177 uint16_t version;
178 uint16_t cert_len;
179 uint16_t cipher_len;
180 uint16_t conn_len;
181 } ServiceSSLV2Hdr;
182
183 #pragma pack()
184
185 /* Convert 3-byte lengths in TLS headers to integers. */
186 #define ntoh3(msb_ptr) ((uint32_t)( (uint32_t)(((uint8_t*)msb_ptr)[0] << 16) \
187 + (uint32_t)(((uint8_t*)msb_ptr)[1] << 8) \
188 + (uint32_t)(((uint8_t*)msb_ptr)[2] ) ))
189
190 static int ssl_cert_pattern_match(void* id, void *unused_tree, int index, void* data, void *unused_neg)
191 {
192 MatchedSSLPatterns *cm;
193 MatchedSSLPatterns **matches = (MatchedSSLPatterns **)data;
194 SSLCertPattern *target = (SSLCertPattern *)id;
195
196 if (!(cm = (MatchedSSLPatterns *)malloc(sizeof(MatchedSSLPatterns))))
197 return 1;
198
199 cm->mpattern = target;
200 cm->index = index;
201 cm->next = *matches;
202 *matches = cm;
203
204 return 0;
205 }
206
207 static int ssl_detector_create_matcher(void **matcher, DetectorSSLCertPattern *list)
208 {
209 size_t *patternIndex;
210 size_t size = 0;
211 DetectorSSLCertPattern *element = NULL;
212
213 if (*matcher)
214 _dpd.searchAPI->search_instance_free(*matcher);
215
216 if (!(*matcher = _dpd.searchAPI->search_instance_new_ex(MPSE_ACF)))
217 return 0;
218
219 patternIndex = &size;
220
221 /* Add patterns from Lua API */
222 for(element = list; element; element = element->next)
223 {
224 _dpd.searchAPI->search_instance_add_ex(*matcher,
225 (char *)element->dpattern->pattern,
226 element->dpattern->pattern_size,
227 element->dpattern,
228 STR_SEARCH_CASE_INSENSITIVE);
229 (*patternIndex)++;
230 }
231
232 _dpd.searchAPI->search_instance_prep(*matcher);
233
234 return 1;
235 }
236 int ssl_detector_process_patterns(tServiceSslConfig *pSslConfig)
237 {
238 int retVal = 1;
239 if (!ssl_detector_create_matcher(&pSslConfig->ssl_host_matcher, pSslConfig->DetectorSSLCertPatternList))
240 retVal = 0;
241 if (!ssl_detector_create_matcher(&pSslConfig->ssl_cname_matcher, pSslConfig->DetectorSSLCnamePatternList))
242 retVal = 0;
243 return retVal;
244 }
245
246 static int ssl_init(const InitServiceAPI * const api);
247 static int ssl_validate(ServiceValidationArgs* args);
248
249 static tRNAServiceElement svc_element =
250 {
251 .next = NULL,
252 .validate = &ssl_validate,
253 .detectorType = DETECTOR_TYPE_DECODER,
254 .name = "ssl",
255 .ref_count = 1,
256 .current_ref_count = 1,
257 };
258
259 static RNAServiceValidationPort pp[] =
260 {
261 {&ssl_validate, 261, IPPROTO_TCP},
262 {&ssl_validate, 261, IPPROTO_UDP},
263 {&ssl_validate, 443, IPPROTO_TCP},
264 {&ssl_validate, 443, IPPROTO_UDP},
265 {&ssl_validate, 448, IPPROTO_TCP},
266 {&ssl_validate, 448, IPPROTO_UDP},
267 {&ssl_validate, 465, IPPROTO_TCP},
268 {&ssl_validate, 563, IPPROTO_TCP},
269 {&ssl_validate, 563, IPPROTO_UDP},
270 {&ssl_validate, 585, IPPROTO_TCP},
271 {&ssl_validate, 585, IPPROTO_UDP},
272 {&ssl_validate, 614, IPPROTO_TCP},
273 {&ssl_validate, 636, IPPROTO_TCP},
274 {&ssl_validate, 636, IPPROTO_UDP},
275 {&ssl_validate, 853, IPPROTO_TCP},
276 {&ssl_validate, 989, IPPROTO_TCP},
277 {&ssl_validate, 990, IPPROTO_TCP},
278 {&ssl_validate, 992, IPPROTO_TCP},
279 {&ssl_validate, 992, IPPROTO_UDP},
280 {&ssl_validate, 993, IPPROTO_TCP},
281 {&ssl_validate, 993, IPPROTO_UDP},
282 {&ssl_validate, 994, IPPROTO_TCP},
283 {&ssl_validate, 994, IPPROTO_UDP},
284 {&ssl_validate, 995, IPPROTO_TCP},
285 {&ssl_validate, 995, IPPROTO_UDP},
286 {&ssl_validate, 3269, IPPROTO_TCP},
287 {&ssl_validate, 8305, IPPROTO_TCP},
288 {NULL, 0, 0}
289 };
290
291 tRNAServiceValidationModule ssl_service_mod =
292 {
293 "ssl",
294 &ssl_init,
295 pp
296 };
297
298 static uint8_t SSL_PATTERN_PCT[] = {0x02, 0x00, 0x80, 0x01};
299 static uint8_t SSL_PATTERN3_0[] = {0x16, 0x03, 0x00};
300 static uint8_t SSL_PATTERN3_1[] = {0x16, 0x03, 0x01};
301 static uint8_t SSL_PATTERN3_2[] = {0x16, 0x03, 0x02};
302 static uint8_t SSL_PATTERN3_3[] = {0x16, 0x03, 0x03};
303
304 static tAppRegistryEntry appIdRegistry[] =
305 {
306 {APP_ID_SSL, APPINFO_FLAG_SERVICE_ADDITIONAL}
307 };
308
309 static int ssl_init(const InitServiceAPI * const init_api)
310 {
311 init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN_PCT, sizeof(SSL_PATTERN_PCT), 2, "ssl", init_api->pAppidConfig);
312 init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_0, sizeof(SSL_PATTERN3_0), 0, "ssl", init_api->pAppidConfig);
313 init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_1, sizeof(SSL_PATTERN3_1), 0, "ssl", init_api->pAppidConfig);
314 init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_2, sizeof(SSL_PATTERN3_2), 0, "ssl", init_api->pAppidConfig);
315 init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_3, sizeof(SSL_PATTERN3_3), 0, "ssl", init_api->pAppidConfig);
316 unsigned i;
317 for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
318 {
319 _dpd.debugMsg(DEBUG_LOG,"registering appId: %d\n",appIdRegistry[i].appId);
320 init_api->RegisterAppId(&ssl_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo, init_api->pAppidConfig);
321 }
322
323 return 0;
324 }
325
326 void ssl_free(void *ss) /* AppIdFreeFCN */
327 {
328 ServiceSSLData *ss_tmp = (ServiceSSLData*)ss;
329 free(ss_tmp->certs_data);
330 free(ss_tmp->host_name);
331 free(ss_tmp->common_name);
332 free(ss_tmp->org_name);
333 free(ss_tmp);
334 }
335
336 void parse_client_initiation(const uint8_t *data, uint16_t size, ServiceSSLData *ss)
337 {
338 const ServiceSSLV3Hdr *hdr3;
339 const ServiceSSLV3Record *rec;
340 int length;
341 uint16_t ver;
342
343 /* Sanity check header stuff. */
344 if (size < sizeof(ServiceSSLV3Hdr)) return;
345 hdr3 = (ServiceSSLV3Hdr *)data;
346 ver = ntohs(hdr3->version);
347 if (hdr3->type != SSL_HANDSHAKE ||
348 (ver != 0x0300 &&
349 ver != 0x0301 &&
350 ver != 0x0302 &&
351 ver != 0x0303))
352 {
353 return;
354 }
355 data += sizeof(ServiceSSLV3Hdr);
356 size -= sizeof(ServiceSSLV3Hdr);
357
358 if (size < sizeof(ServiceSSLV3Record)) return;
359 rec = (ServiceSSLV3Record *)data;
360 ver = ntohs(rec->version);
361 if (rec->type != SSL_CLIENT_HELLO ||
362 (ver != 0x0300 &&
363 ver != 0x0301 &&
364 ver != 0x0302 &&
365 ver != 0x0303) ||
366 rec->length_msb)
367 {
368 return;
369 }
370 length = ntohs(rec->length) + offsetof(ServiceSSLV3Record, version);
371 if (size < length) return;
372 data += sizeof(ServiceSSLV3Record);
373 size -= sizeof(ServiceSSLV3Record);
374
375 /* Session ID (1-byte length). */
376 if (size < 1) return;
377 length = *((uint8_t*)data);
378 data += length + 1;
379 if (size < (length + 1)) return;
380 size -= length + 1;
381
382 /* Cipher Suites (2-byte length). */
383 if (size < 2) return;
384 length = ntohs(*((uint16_t*)data));
385 data += length + 2;
386 if (size < (length + 2)) return;
387 size -= length + 2;
388
389 /* Compression Methods (1-byte length). */
390 if (size < 1) return;
391 length = *((uint8_t*)data);
392 data += length + 1;
393 if (size < (length + 1)) return;
394 size -= length + 1;
395
396 /* Extensions (2-byte length) */
397 if (size < 2) return;
398 length = ntohs(*((uint16_t*)data));
399 data += 2;
400 size -= 2;
401 if (size < length) return;
402
403 // We need at least type (2 bytes) and length (2 bytes) fields in the extension
404 while (length >= 4)
405 {
406 ServiceSSLV3ExtensionServerName *ext = (ServiceSSLV3ExtensionServerName*)data;
407 if (ntohs(ext->type) == SSL_EXT_SERVER_NAME)
408 {
409 /* Found server host name. */
410 if (length < sizeof(ServiceSSLV3ExtensionServerName)) return;
411
412 int len = ntohs(ext->string_length);
413 if ((length - sizeof(ServiceSSLV3ExtensionServerName)) < len) return;
414
415 const uint8_t *str = data
416 + offsetof(ServiceSSLV3ExtensionServerName, string_length)
417 + sizeof(ext->string_length);
418 ss->host_name = malloc(len + 1); /* Plus NULL term. */
419 if (!ss->host_name)
420 {
421 _dpd.errMsg("parse_client_initiation: "
422 "Could not allocate memory for host name in ServiceSSLData\n");
423 return;
424 }
425 else
426 {
427 memcpy(ss->host_name, str, len);
428 ss->host_name[len] = '\0';
429 ss->host_name_strlen = len;
430 }
431 return;
432 }
433 data += ntohs(ext->length) + offsetof(ServiceSSLV3ExtensionServerName, list_length);
434 length -= ntohs(ext->length) + offsetof(ServiceSSLV3ExtensionServerName, list_length);
435 }
436 }
437
438 int parse_certificates(ServiceSSLData *ss)
439 {
440 int success = 0;
441 if (ss->certs_data && ss->certs_len)
442 {
443 char *common_name = 0;
444 char *org_name = 0;
445
446 uint8_t *data = ss->certs_data;
447 int len = ss->certs_len;
448 int common_name_tot_len = 0;
449 int org_name_tot_len = 0;
450
451 success = 1;
452 while (len > 0 && !(common_name && org_name))
453 {
454 X509 *cert = NULL;
455 char *cert_name = NULL;
456 char *start = NULL;
457 char *end = NULL;
458 int length = 0;
459
460 /* Get each certificate. */
461 int cert_len = ntoh3(data);
462 data += 3;
463 len -= 3;
464 if (len < cert_len)
465 {
466 success = 0;
467 break;
468 }
469
470 cert = d2i_X509(NULL, (const unsigned char **)&data, cert_len);
471 len -= cert_len; /* Above call increments data pointer already. */
472 if (!cert)
473 {
474 success = 0;
475 break;
476 }
477
478 /* look for common name or org name if we haven't seen either */
479 if (!common_name || !org_name)
480 {
481 if ((cert_name = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)))
482 {
483 if (!common_name)
484 {
485 if ((start = strstr(cert_name, COMMON_NAME_STR)))
486 {
487 start += strlen(COMMON_NAME_STR);
488 end = strstr(start, FIELD_SEPARATOR);
489 if (end) *end = 0;
490 length = strlen(start);
491 if (length>2 && *start=='*' && *(start+1)=='.')
492 {
493 start += 2; // remove leading .*
494 length -= 2;
495 }
496 common_name = strndup(start, length);
497 common_name_tot_len += length;
498 start = NULL;
499 }
500 }
501 if (!org_name)
502 {
503 if ((start = strstr(cert_name, ORG_NAME_STR)))
504 {
505 start += strlen(ORG_NAME_STR);
506 end = strstr(start, FIELD_SEPARATOR);
507 if (end) *end = 0;
508 length = strlen(start);
509 if (length>2 && *start=='*' && *(start+1)=='.')
510 {
511 start += 2; // remove leading .*
512 length -= 2;
513 }
514 org_name = strndup(start, length);
515 org_name_tot_len += length;
516 }
517 }
518 free(cert_name);
519 cert_name = NULL;
520 }
521 }
522 X509_free(cert);
523 }
524
525 if (common_name)
526 {
527 ss->common_name = common_name;
528 ss->common_name_strlen = common_name_tot_len;
529 }
530
531 if (org_name)
532 {
533 ss->org_name = org_name;
534 ss->org_name_strlen = org_name_tot_len;
535 }
536
537 /* No longer need entire certificates. We have what we came for. */
538 free(ss->certs_data);
539 ss->certs_data = NULL;
540 ss->certs_len = 0;
541 }
542 return success; // could be 1 even though common_name or org_name == 0
543 }
544
545 static int ssl_validate(ServiceValidationArgs* args)
546 {
547 ServiceSSLData *ss;
548 const ServiceSSLPCTHdr *pct;
549 const ServiceSSLV2Hdr *hdr2;
550 const ServiceSSLV3Hdr *hdr3;
551 const ServiceSSLV3Record *rec;
552 const ServiceSSLV3CertsRecord *certs_rec;
553 uint16_t ver;
554 tAppIdData *flowp = args->flowp;
555 const uint8_t *data = args->data;
556 const int dir = args->dir;
557 uint16_t size = args->size;
558
559 if (!size)
560 goto inprocess;
561
562 ss = ssl_service_mod.api->data_get(flowp, ssl_service_mod.flow_data_index);
563 if (!ss)
564 {
565 ss = calloc(1, sizeof(*ss));
566 if (!ss)
567 return SERVICE_ENOMEM;
568 if (ssl_service_mod.api->data_add(flowp, ss, ssl_service_mod.flow_data_index, &ssl_free))
569 {
570 free(ss);
571 return SERVICE_ENOMEM;
572 }
573 ss->state = SSL_STATE_INITIATE;
574 }
575 /* Start off with a Client Hello from client to server. */
576 if (ss->state == SSL_STATE_INITIATE)
577 {
578 ss->state = SSL_STATE_CONNECTION;
579
580 if (dir == APP_ID_FROM_INITIATOR)
581 {
582 parse_client_initiation(data, size, ss);
583 goto inprocess;
584 }
585 }
586
587 if (dir != APP_ID_FROM_RESPONDER)
588 {
589 goto inprocess;
590 }
591
592 switch (ss->state)
593 {
594 case SSL_STATE_CONNECTION:
595 pct = (ServiceSSLPCTHdr *)data;
596 hdr2 = (ServiceSSLV2Hdr *)data;
597 hdr3 = (ServiceSSLV3Hdr *)data;
598 /* SSL PCT header? */
599 if (size >= sizeof(ServiceSSLPCTHdr) && pct->len >= 0x80 &&
600 pct->type == PCT_SERVER_HELLO && ntohs(pct->version) == 0x8001)
601 {
602 goto success;
603 }
604 /* SSL v2 header? */
605 if (size >= sizeof(ServiceSSLV2Hdr) && hdr2->len >= 0x80 &&
606 hdr2->type == SSL2_SERVER_HELLO && !(hdr2->cert & 0xFE))
607 {
608 uint16_t h2v = ntohs(hdr2->version);
609 if ((h2v == 0x0002 || h2v == 0x0300 ||
610 h2v == 0x0301 || h2v == 0x0303) &&
611 !(hdr2->cipher_len % 3))
612 {
613 goto success;
614 }
615 }
616 /* it is probably an SSLv3, TLS 1.2, or TLS 1.3 header.
617 First record must be a handshake (type 22). */
618 if (size < sizeof(ServiceSSLV3Hdr) ||
619 hdr3->type != SSL_HANDSHAKE ||
620 (ntohs(hdr3->version) != 0x0300 &&
621 ntohs(hdr3->version) != 0x0301 &&
622 ntohs(hdr3->version) != 0x0302 &&
623 ntohs(hdr3->version) != 0x0303))
624 {
625 goto fail;
626 }
627 data += sizeof(ServiceSSLV3Hdr);
628 size -= sizeof(ServiceSSLV3Hdr);
629 rec = (ServiceSSLV3Record *)data;
630 if (size < sizeof(ServiceSSLV3Record) ||
631 rec->type != SSL_SERVER_HELLO ||
632 (ntohs(rec->version) != 0x0300 &&
633 ntohs(rec->version) != 0x0301 &&
634 ntohs(rec->version) != 0x0302 &&
635 ntohs(rec->version) != 0x0303) ||
636 rec->length_msb)
637 {
638 goto fail;
639 }
640 ss->tot_length = ntohs(hdr3->len);
641 ss->length = ntohs(rec->length) +
642 offsetof(ServiceSSLV3Record, version);
643 if (ss->tot_length < ss->length) goto fail;
644 ss->tot_length -= ss->length;
645 if (size < ss->length) goto fail;
646 data += ss->length;
647 size -= ss->length;
648 ss->state = SSL_STATE_HEADER;
649 ss->pos = 0;
650 /* fall through */
651 case SSL_STATE_HEADER:
652 while (size > 0)
653 {
654 if (!ss->pos)
655 {
656 /* Need to move onto (and past) next header (i.e., record) if
657 * previous was completely consumed. */
658 if (ss->tot_length == 0)
659 {
660 hdr3 = (ServiceSSLV3Hdr *)data;
661 ver = ntohs(hdr3->version);
662 if (size < sizeof(ServiceSSLV3Hdr) ||
663 (hdr3->type != SSL_HANDSHAKE &&
664 hdr3->type != SSL_CHANGE_CIPHER &&
665 hdr3->type != SSL_APPLICATION_DATA) ||
666 (ver != 0x0300 &&
667 ver != 0x0301 &&
668 ver != 0x0302 &&
669 ver != 0x0303))
670 {
671 goto fail;
672 }
673 data += sizeof(ServiceSSLV3Hdr);
674 size -= sizeof(ServiceSSLV3Hdr);
675 ss->tot_length = ntohs(hdr3->len);
676 if (hdr3->type == SSL_CHANGE_CIPHER ||
677 hdr3->type == SSL_APPLICATION_DATA)
678 {
679 goto success;
680 }
681 }
682
683 rec = (ServiceSSLV3Record *)data;
684 if (size < offsetof(ServiceSSLV3Record, version) ||
685 rec->length_msb)
686 {
687 goto fail;
688 }
689 switch (rec->type)
690 {
691 case SSL_CERTIFICATE:
692 /* Start pulling out certificates. */
693 if (!ss->certs_data)
694 {
695 certs_rec = (ServiceSSLV3CertsRecord *)data;
696 ss->certs_len = ntoh3(certs_rec->certs_len);
697 ss->certs_data = malloc(ss->certs_len);
698 if (!ss->certs_data)
699 return SERVICE_ENOMEM;
700 if ((size - sizeof(ServiceSSLV3CertsRecord)) < ss->certs_len)
701 {
702 /* Will have to get more next time around. */
703 ss->in_certs = 1;
704 ss->certs_curr_len = size - sizeof(ServiceSSLV3CertsRecord); /* Skip over header to data. */
705 memcpy(ss->certs_data, data + sizeof(ServiceSSLV3CertsRecord), ss->certs_curr_len);
706 }
707 else
708 {
709 /* Can get it all this time. */
710 ss->in_certs = 0;
711 ss->certs_curr_len = ss->certs_len;
712 memcpy(ss->certs_data, data + sizeof(ServiceSSLV3CertsRecord), ss->certs_curr_len);
713 break;
714 }
715 }
716 /* fall through */
717 case SSL_CERTIFICATE_STATUS:
718 case SSL_SERVER_KEY_XCHG:
719 case SSL_SERVER_CERT_REQ:
720 ss->length = ntohs(rec->length) +
721 offsetof(ServiceSSLV3Record, version);
722 if (ss->tot_length < ss->length) goto fail;
723 ss->tot_length -= ss->length;
724 if (size < ss->length)
725 {
726 ss->pos = size;
727 size = 0;
728 }
729 else
730 {
731 data += ss->length;
732 size -= ss->length;
733 ss->pos = 0;
734 }
735 break;
736 case SSL_SERVER_HELLO_DONE:
737 if (rec->length) goto fail;
738 if (ss->tot_length != offsetof(ServiceSSLV3Record, version))
739 goto fail;
740 goto success;
741 default:
742 goto fail;
743 }
744 }
745 else
746 {
747 /* See if there's more certificate data to grab. */
748 if (ss->in_certs && ss->certs_data)
749 {
750 if (size < (ss->certs_len - ss->certs_curr_len))
751 {
752 /* Will have to get more next time around. */
753 memcpy(ss->certs_data + ss->certs_curr_len, data, size);
754 ss->in_certs = 1;
755 ss->certs_curr_len += size;
756 }
757 else
758 {
759 /* Can get it all this time. */
760 memcpy(ss->certs_data + ss->certs_curr_len, data, ss->certs_len - ss->certs_curr_len);
761 ss->in_certs = 0;
762 ss->certs_curr_len = ss->certs_len;
763 }
764 }
765
766 if (size+ss->pos < ss->length)
767 {
768 ss->pos += size;
769 size = 0;
770 }
771 else
772 {
773 data += ss->length - ss->pos;
774 size -= ss->length - ss->pos;
775 ss->pos = 0;
776 }
777 }
778 }
779 break;
780 default:
781 goto fail;
782 }
783
784 inprocess:
785 ssl_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element, NULL);
786 return SERVICE_INPROCESS;
787
788 fail:
789 free(ss->certs_data);
790 free(ss->host_name);
791 free(ss->common_name);
792 free(ss->org_name);
793 ss->certs_data = NULL;
794 ss->host_name = ss->common_name = ss->org_name = NULL;
795 ssl_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element,
796 ssl_service_mod.flow_data_index, args->pConfig, NULL);
797 return SERVICE_NOMATCH;
798
799 success:
800 if (ss->certs_data && ss->certs_len)
801 {
802 if (!parse_certificates(ss))
803 {
804 goto fail;
805 }
806 }
807 setAppIdFlag(flowp, APPID_SESSION_SSL_SESSION);
808 if (ss->host_name || ss->common_name || ss->org_name)
809 {
810 if (!flowp->tsession)
811 {
812 if (!(flowp->tsession = calloc(1, sizeof(*flowp->tsession))))
813 {
814 goto fail;
815 }
816 }
817
818 /* TLS Host */
819 if (ss->host_name)
820 {
821 /* Do not overwrite SSL provided SNI */
822 if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
823 {
824 if (flowp->tsession->tls_host)
825 free(flowp->tsession->tls_host);
826 flowp->tsession->tls_host = ss->host_name;
827 flowp->tsession->tls_host_strlen = ss->host_name_strlen;
828 flowp->scan_flags |= SCAN_SSL_HOST_FLAG;
829 }
830 }
831 else if (ss->common_name) // use common name (from server) if we didn't see host name (from client)
832 {
833 /* Do not overwrite SSL provided SNI */
834 if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
835 {
836 char *common_name = strndup(ss->common_name, ss->common_name_strlen);
837 if (common_name)
838 {
839 if (flowp->tsession->tls_host)
840 free(flowp->tsession->tls_host);
841 flowp->tsession->tls_host = common_name;
842 flowp->tsession->tls_host_strlen = ss->common_name_strlen;
843 flowp->scan_flags |= SCAN_SSL_HOST_FLAG;
844 }
845 }
846 }
847
848 /* TLS Common Name */
849 if (ss->common_name)
850 {
851 /* Do not overwrite SSL provided CN */
852 if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
853 {
854 if (flowp->tsession->tls_cname)
855 free(flowp->tsession->tls_cname);
856 flowp->tsession->tls_cname = ss->common_name;
857 flowp->tsession->tls_cname_strlen = ss->common_name_strlen;
858 flowp->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
859 }
860 }
861
862 /* TLS Org Unit */
863 if (ss->org_name)
864 {
865 /* Do not overwrite SSL provided ORG NAME */
866 if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
867 {
868 if (flowp->tsession->tls_orgUnit)
869 free(flowp->tsession->tls_orgUnit);
870 flowp->tsession->tls_orgUnit = ss->org_name;
871 flowp->tsession->tls_orgUnit_strlen = ss->org_name_strlen;
872 }
873 }
874
875 ss->host_name = ss->common_name = ss->org_name = NULL;
876 flowp->tsession->tls_handshake_done = true;
877 }
878 ssl_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element,
879 getSslServiceAppId(args->pkt->src_port), NULL, NULL, NULL, NULL);
880 return SERVICE_SUCCESS;
881 }
882
883 tAppId getSslServiceAppId( short srcPort)
884 {
885 switch (srcPort)
886 {
887 case 261:
888 return APP_ID_NSIIOPS;
889 case 443:
890 return APP_ID_HTTPS;
891 case 448:
892 return APP_ID_DDM_SSL;
893 case 465:
894 return APP_ID_SMTPS;
895 case 563:
896 return APP_ID_NNTPS;
897 case 585: /*Currently 585 is de-registered at IANA but old implementation may still use it. */
898 case 993:
899 return APP_ID_IMAPS;
900 case 614:
901 return APP_ID_SSHELL;
902 case 636:
903 return APP_ID_LDAPS;
904 case 853:
905 return APP_ID_DNS_OVER_TLS;
906 case 989:
907 return APP_ID_FTPSDATA;
908 case 990:
909 return APP_ID_FTPS;
910 case 992:
911 return APP_ID_TELNETS;
912 case 994:
913 return APP_ID_IRCS;
914 case 995:
915 return APP_ID_POP3S;
916 case 3269:
917 return APP_ID_MSFT_GC_SSL;
918 case 8305:
919 return APP_ID_SF_APPLIANCE_MGMT;
920 default:
921 return APP_ID_SSL;
922 }
923 }
924
925 bool isSslServiceAppId(tAppId appId)
926 {
927 switch (appId)
928 {
929 case APP_ID_NSIIOPS:
930 case APP_ID_HTTPS:
931 case APP_ID_DDM_SSL:
932 case APP_ID_SMTPS:
933 case APP_ID_NNTPS:
934 case APP_ID_IMAPS:
935 case APP_ID_SSHELL:
936 case APP_ID_LDAPS:
937 case APP_ID_FTPSDATA:
938 case APP_ID_FTPS:
939 case APP_ID_TELNETS:
940 case APP_ID_IRCS:
941 case APP_ID_POP3S:
942 case APP_ID_MSFT_GC_SSL:
943 case APP_ID_SF_APPLIANCE_MGMT:
944 case APP_ID_SSL:
945 return true;
946 }
947
948 return false;
949 }
950
951 static int ssl_scan_patterns(void * matcher, const u_int8_t *pattern, size_t size, tAppId *clientAppId, tAppId *payloadId)
952 {
953 MatchedSSLPatterns *mp = NULL;
954 MatchedSSLPatterns *tmpMp;
955 SSLCertPattern *best_match;
956
957 if (!matcher) return 0;
958
959 _dpd.searchAPI->search_instance_find_all(matcher,
960 (char *)pattern,
961 size, 0,
962 ssl_cert_pattern_match, (void *)&mp);
963
964 if (!mp) return 0;
965
966 best_match = NULL;
967 while (mp)
968 {
969 //only patterns that match start of payload, or patterns starting with '.' or patterns folowing '.' in payload
970 //are considered a match.
971 if (mp->index == 0 || *mp->mpattern->pattern == '.' || pattern[mp->index-1] == '.')
972 {
973 if (!best_match || mp->mpattern->pattern_size > best_match->pattern_size)
974 {
975 best_match = mp->mpattern;
976 }
977 }
978 tmpMp = mp;
979 mp = mp->next;
980 free (tmpMp);
981 }
982 if (!best_match) return 0;
983
984 switch (best_match->type)
985 {
986 /* type 0 means WEB APP */
987 case 0:
988 *clientAppId = APP_ID_SSL_CLIENT;
989 *payloadId = best_match->appId;
990 break;
991 /* type 1 means CLIENT */
992 case 1:
993 *clientAppId = best_match->appId;
994 *payloadId = 0;
995 break;
996 default:
997 return 0;
998 }
999
1000 return 1;
1001 }
1002
1003 int ssl_scan_hostname(const u_int8_t *pattern, size_t size, tAppId *clientAppId, tAppId *payloadId, tServiceSslConfig *pSslConfig)
1004 {
1005 return ssl_scan_patterns(pSslConfig->ssl_host_matcher, pattern, size, clientAppId, payloadId);
1006 }
1007
1008 int ssl_scan_cname(const u_int8_t *pattern, size_t size, tAppId *clientAppId, tAppId *payloadId, tServiceSslConfig *pSslConfig)
1009 {
1010 return ssl_scan_patterns(pSslConfig->ssl_cname_matcher, pattern, size, clientAppId, payloadId);
1011 }
1012
1013 void service_ssl_clean(tServiceSslConfig *pSslConfig)
1014 {
1015 if (pSslConfig->ssl_host_matcher)
1016 {
1017 _dpd.searchAPI->search_instance_free(pSslConfig->ssl_host_matcher);
1018 pSslConfig->ssl_host_matcher = NULL;
1019 }
1020 if (pSslConfig->ssl_cname_matcher)
1021 {
1022 _dpd.searchAPI->search_instance_free(pSslConfig->ssl_cname_matcher);
1023 pSslConfig->ssl_cname_matcher = NULL;
1024 }
1025 }
1026
1027 static int ssl_add_pattern(DetectorSSLCertPattern **list, uint8_t *pattern_str, size_t pattern_size, uint8_t type, tAppId app_id)
1028 {
1029 DetectorSSLCertPattern *new_ssl_pattern;
1030
1031 new_ssl_pattern = calloc(1, sizeof(DetectorSSLCertPattern));
1032 if (!new_ssl_pattern)
1033 {
1034 return 0;
1035 }
1036 new_ssl_pattern->dpattern = calloc(1, sizeof(SSLCertPattern));
1037 if (!new_ssl_pattern->dpattern)
1038 {
1039 free(new_ssl_pattern);
1040 return 0;
1041 }
1042
1043 new_ssl_pattern->dpattern->type = type;
1044 new_ssl_pattern->dpattern->appId = app_id;
1045 new_ssl_pattern->dpattern->pattern = pattern_str;
1046 new_ssl_pattern->dpattern->pattern_size = pattern_size;
1047
1048 new_ssl_pattern->next = *list;
1049 *list = new_ssl_pattern;
1050
1051 return 1;
1052 }
1053 int ssl_add_cert_pattern(uint8_t *pattern_str, size_t pattern_size, uint8_t type, tAppId app_id, tServiceSslConfig *pSslConfig)
1054 {
1055 return ssl_add_pattern(&pSslConfig->DetectorSSLCertPatternList, pattern_str, pattern_size, type, app_id);
1056 }
1057 int ssl_add_cname_pattern(uint8_t *pattern_str, size_t pattern_size, uint8_t type, tAppId app_id, tServiceSslConfig *pSslConfig)
1058 {
1059 return ssl_add_pattern(&pSslConfig->DetectorSSLCnamePatternList, pattern_str, pattern_size, type, app_id);
1060 }
1061
1062 static void ssl_patterns_free(DetectorSSLCertPattern **list)
1063 {
1064 DetectorSSLCertPattern *tmp_pattern;
1065
1066 while ((tmp_pattern = *list))
1067 {
1068 *list = tmp_pattern->next;
1069 if (tmp_pattern->dpattern)
1070 {
1071 if (tmp_pattern->dpattern->pattern)
1072 free(tmp_pattern->dpattern->pattern);
1073 free (tmp_pattern->dpattern);
1074 }
1075 free(tmp_pattern);
1076 }
1077 }
1078
1079 void ssl_detector_free_patterns(tServiceSslConfig *pSslConfig)
1080 {
1081 ssl_patterns_free(&pSslConfig->DetectorSSLCertPatternList);
1082 ssl_patterns_free(&pSslConfig->DetectorSSLCnamePatternList);
1083 }
1084
1085 int setSSLSquelch(SFSnortPacket *p, int type, tAppId appId)
1086 {
1087 sfaddr_t *sip, *dip;
1088 tAppIdData *f;
1089
1090 if (!appInfoEntryFlagGet(appId, APPINFO_FLAG_SSL_SQUELCH, appIdActiveConfigGet()))
1091 return 0;
1092
1093 dip = GET_DST_IP(p);
1094 sip = GET_SRC_IP(p);
1095
1096 if (!(f = AppIdEarlySessionCreate(NULL, p, sip, 0, dip, p->dst_port,
1097 IPPROTO_TCP, appId, 0)))
1098 return 0;
1099
1100 switch (type)
1101 {
1102 case 1:
1103 f->payloadAppId = appId;
1104 break;
1105 case 2:
1106 f->clientAppId = appId;
1107 f->rnaClientState = RNA_STATE_FINISHED;
1108 break;
1109 default:
1110 return 0;
1111 }
1112
1113 return 1;
1114
1115 }