"Fossies" - the Fresh Open Source Software Archive

Member "snort-2.9.17/src/dynamic-preprocessors/appid/service_plugins/service_ssl.c" (16 Oct 2020, 35154 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "service_ssl.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 2.9.16.1_vs_2.9.17.

    1 /*
    2 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    3 ** Copyright (C) 2005-2013 Sourcefire, Inc.
    4 **
    5 ** This program is free software; you can redistribute it and/or modify
    6 ** it under the terms of the GNU General Public License Version 2 as
    7 ** published by the Free Software Foundation.  You may not use, modify or
    8 ** distribute this program under any other version of the GNU General
    9 ** Public License.
   10 **
   11 ** This program is distributed in the hope that it will be useful,
   12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
   13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   14 ** GNU General Public License for more details.
   15 **
   16 ** You should have received a copy of the GNU General Public License
   17 ** along with this program; if not, write to the Free Software
   18 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   19 */
   20 
   21 
   22 #include <ctype.h>
   23 #include <string.h>
   24 #include <stdlib.h>
   25 #include <stddef.h>
   26 #include <sys/types.h>
   27 #include <netinet/in.h>
   28 #include <openssl/x509.h>
   29 
   30 #include "flow.h"
   31 #include "service_base.h"
   32 #include "service_ssl.h"
   33 #include "fw_appid.h"
   34 #include "serviceConfig.h"
   35 
   36 #define SSL_PORT    443
   37 
   38 typedef enum
   39 {
   40     SSL_CHANGE_CIPHER = 20,
   41     SSL_ALERT = 21,
   42     SSL_HANDSHAKE = 22,
   43     SSL_APPLICATION_DATA = 23
   44 } SSLContentType;
   45 
   46 #define SSL_CLIENT_HELLO 1
   47 #define SSL_SERVER_HELLO 2
   48 #define SSL_CERTIFICATE 11
   49 #define SSL_SERVER_KEY_XCHG 12
   50 #define SSL_SERVER_CERT_REQ 13
   51 #define SSL_SERVER_HELLO_DONE 14
   52 #define SSL_CERTIFICATE_STATUS 22
   53 #define SSL2_SERVER_HELLO 4
   54 #define PCT_SERVER_HELLO 2
   55 
   56 #define FIELD_SEPARATOR "/"
   57 #define COMMON_NAME_STR "/CN="
   58 #define ORG_NAME_STR    "/O="
   59 
   60 /* Extension types. */
   61 #define SSL_EXT_SERVER_NAME 0
   62 
   63 typedef struct _MatchedSSLPatterns {
   64     SSLCertPattern *mpattern;
   65     int index;
   66     struct _MatchedSSLPatterns *next;
   67 } MatchedSSLPatterns;
   68 
   69 typedef enum
   70 {
   71     SSL_STATE_INITIATE,      /* Client initiates. */
   72     SSL_STATE_CONNECTION,    /* Server responds... */
   73     SSL_STATE_HEADER
   74 } SSLState;
   75 
   76 typedef struct _SERVICE_SSL_DATA
   77 {
   78     SSLState state;
   79     int pos;
   80     int length;
   81     int tot_length;
   82     /* From client: */
   83     char *host_name;
   84     int   host_name_strlen;
   85     /* While collecting certificates: */
   86     int certs_len;          /* (Total) length of certificate(s). */
   87     uint8_t *certs_data;    /* Certificate(s) data (each proceeded by length (3 bytes)). */
   88     int in_certs;           /* Currently collecting certificates? */
   89     int certs_curr_len;     /* Current amount of collected certificate data. */
   90     /* Data collected from certificates afterwards: */
   91     char *common_name;
   92     int   common_name_strlen;
   93     int   org_name_strlen;
   94     char *org_name;
   95 } ServiceSSLData;
   96 
   97 typedef struct _SERVICE_SSL_CERTIFICATE
   98 {
   99     X509    *cert;
  100     uint8_t *common_name_ptr;
  101     int      common_name_len;
  102     uint8_t *org_name_ptr;
  103     int      org_name_len;
  104     struct _SERVICE_SSL_CERTIFICATE *next;
  105 } ServiceSSLCertificate;
  106 
  107 #pragma pack(1)
  108 
  109 typedef struct _SERVICE_SSL_V3_HEADER    /* Actually a TLS Record. */
  110 {
  111     uint8_t type;
  112     uint16_t version;
  113     uint16_t len;
  114 } ServiceSSLV3Hdr;
  115 
  116 typedef struct _SERVICE_SSL_V3_RECORD    /* Actually a Handshake. */
  117 {
  118     uint8_t type;
  119     uint8_t length_msb;
  120     uint16_t length;
  121     uint16_t version;
  122     struct {
  123         uint32_t time;
  124         uint8_t data[28];
  125     } random;
  126 } ServiceSSLV3Record;
  127 
  128 typedef struct _SERVICE_SSL_V3_CERTS_RECORD    /* Actually a Certificate(s) Handshake. */
  129 {
  130     uint8_t type;
  131     uint8_t length_msb;
  132     uint16_t length;
  133     uint8_t certs_len[3];    /* 3-byte length, network byte order. */
  134     /* Certificate(s) follow.
  135      * For each:
  136      *  - Length: 3 bytes
  137      *  - Data  : "Length" bytes */
  138 } ServiceSSLV3CertsRecord;
  139 
  140 typedef struct _SERVICE_SSL_V3_EXTENSION_SERVER_NAME
  141 {
  142     uint16_t type;
  143     uint16_t length;
  144     uint16_t list_length;
  145     uint8_t  string_length_msb;
  146     uint16_t string_length;
  147     /* String follows. */
  148 } ServiceSSLV3ExtensionServerName;
  149 
  150 typedef struct _SERVICE_SSL_PCT_HEADER
  151 {
  152     uint8_t len;
  153     uint8_t len2;
  154     uint8_t type;
  155     uint8_t pad;
  156     uint16_t version;
  157     uint8_t restart;
  158     uint8_t auth;
  159     uint32_t cipher;
  160     uint16_t hash;
  161     uint16_t cert;
  162     uint16_t exch;
  163     uint8_t id[32];
  164     uint16_t cert_len;
  165     uint16_t c_cert_len;
  166     uint16_t c_sig_len;
  167     uint16_t resp_len;
  168 } ServiceSSLPCTHdr;
  169 
  170 typedef struct _SERVICE_SSL_V2_HEADER
  171 {
  172     uint8_t len;
  173     uint8_t len2;
  174     uint8_t type;
  175     uint8_t id;
  176     uint8_t cert;
  177     uint16_t version;
  178     uint16_t cert_len;
  179     uint16_t cipher_len;
  180     uint16_t conn_len;
  181 } ServiceSSLV2Hdr;
  182 
  183 #pragma pack()
  184 
  185 /* Convert 3-byte lengths in TLS headers to integers. */
  186 #define ntoh3(msb_ptr) ((uint32_t)(   (uint32_t)(((uint8_t*)msb_ptr)[0] << 16)    \
  187                                     + (uint32_t)(((uint8_t*)msb_ptr)[1] <<  8)    \
  188                                     + (uint32_t)(((uint8_t*)msb_ptr)[2]      ) ))
  189 
  190 static int ssl_cert_pattern_match(void* id, void *unused_tree, int index, void* data, void *unused_neg)
  191 {
  192     MatchedSSLPatterns *cm;
  193     MatchedSSLPatterns **matches = (MatchedSSLPatterns **)data;
  194     SSLCertPattern *target = (SSLCertPattern *)id;
  195 
  196     if (!(cm = (MatchedSSLPatterns *)malloc(sizeof(MatchedSSLPatterns))))
  197         return 1;
  198 
  199     cm->mpattern = target;
  200     cm->index = index;
  201     cm->next = *matches;
  202     *matches = cm;
  203 
  204     return 0;
  205 }
  206 
  207 static int ssl_detector_create_matcher(void **matcher, DetectorSSLCertPattern *list)
  208 {
  209     size_t *patternIndex;
  210     size_t size = 0;
  211     DetectorSSLCertPattern *element = NULL;
  212 
  213     if (*matcher)
  214         _dpd.searchAPI->search_instance_free(*matcher);
  215 
  216     if (!(*matcher = _dpd.searchAPI->search_instance_new_ex(MPSE_ACF)))
  217         return 0;
  218 
  219     patternIndex = &size;
  220 
  221     /* Add patterns from Lua API */
  222     for(element = list; element; element = element->next)
  223     {
  224         _dpd.searchAPI->search_instance_add_ex(*matcher,
  225                 (char *)element->dpattern->pattern,
  226                 element->dpattern->pattern_size,
  227                 element->dpattern,
  228                 STR_SEARCH_CASE_INSENSITIVE);
  229         (*patternIndex)++;
  230     }
  231 
  232     _dpd.searchAPI->search_instance_prep(*matcher);
  233 
  234     return 1;
  235 }
  236 int ssl_detector_process_patterns(tServiceSslConfig *pSslConfig)
  237 {
  238     int retVal = 1;
  239     if (!ssl_detector_create_matcher(&pSslConfig->ssl_host_matcher, pSslConfig->DetectorSSLCertPatternList))
  240         retVal = 0;
  241     if (!ssl_detector_create_matcher(&pSslConfig->ssl_cname_matcher, pSslConfig->DetectorSSLCnamePatternList))
  242         retVal = 0;
  243     return retVal;
  244 }
  245 
  246 static int ssl_init(const InitServiceAPI * const api);
  247 static int ssl_validate(ServiceValidationArgs* args);
  248 
  249 static tRNAServiceElement svc_element =
  250 {
  251     .next = NULL,
  252     .validate = &ssl_validate,
  253     .detectorType = DETECTOR_TYPE_DECODER,
  254     .name = "ssl",
  255     .ref_count = 1,
  256     .current_ref_count = 1,
  257 };
  258 
  259 static RNAServiceValidationPort pp[] =
  260 {
  261     {&ssl_validate, 261, IPPROTO_TCP},
  262     {&ssl_validate, 261, IPPROTO_UDP},
  263     {&ssl_validate, 443, IPPROTO_TCP},
  264     {&ssl_validate, 443, IPPROTO_UDP},
  265     {&ssl_validate, 448, IPPROTO_TCP},
  266     {&ssl_validate, 448, IPPROTO_UDP},
  267     {&ssl_validate, 465, IPPROTO_TCP},
  268     {&ssl_validate, 563, IPPROTO_TCP},
  269     {&ssl_validate, 563, IPPROTO_UDP},
  270     {&ssl_validate, 585, IPPROTO_TCP},
  271     {&ssl_validate, 585, IPPROTO_UDP},
  272     {&ssl_validate, 614, IPPROTO_TCP},
  273     {&ssl_validate, 636, IPPROTO_TCP},
  274     {&ssl_validate, 636, IPPROTO_UDP},
  275     {&ssl_validate, 853, IPPROTO_TCP},
  276     {&ssl_validate, 989, IPPROTO_TCP},
  277     {&ssl_validate, 990, IPPROTO_TCP},
  278     {&ssl_validate, 992, IPPROTO_TCP},
  279     {&ssl_validate, 992, IPPROTO_UDP},
  280     {&ssl_validate, 993, IPPROTO_TCP},
  281     {&ssl_validate, 993, IPPROTO_UDP},
  282     {&ssl_validate, 994, IPPROTO_TCP},
  283     {&ssl_validate, 994, IPPROTO_UDP},
  284     {&ssl_validate, 995, IPPROTO_TCP},
  285     {&ssl_validate, 995, IPPROTO_UDP},
  286     {&ssl_validate, 3269, IPPROTO_TCP},
  287     {&ssl_validate, 8305, IPPROTO_TCP},
  288     {NULL, 0, 0}
  289 };
  290 
  291 tRNAServiceValidationModule ssl_service_mod =
  292 {
  293     "ssl",
  294     &ssl_init,
  295     pp
  296 };
  297 
  298 static uint8_t SSL_PATTERN_PCT[] = {0x02, 0x00, 0x80, 0x01};
  299 static uint8_t SSL_PATTERN3_0[] = {0x16, 0x03, 0x00};
  300 static uint8_t SSL_PATTERN3_1[] = {0x16, 0x03, 0x01};
  301 static uint8_t SSL_PATTERN3_2[] = {0x16, 0x03, 0x02};
  302 static uint8_t SSL_PATTERN3_3[] = {0x16, 0x03, 0x03};
  303 
  304 static tAppRegistryEntry appIdRegistry[] =
  305 {
  306     {APP_ID_SSL, APPINFO_FLAG_SERVICE_ADDITIONAL}
  307 };
  308 
  309 static int ssl_init(const InitServiceAPI * const init_api)
  310 {
  311     init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN_PCT, sizeof(SSL_PATTERN_PCT), 2, "ssl", init_api->pAppidConfig);
  312     init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_0, sizeof(SSL_PATTERN3_0), 0, "ssl", init_api->pAppidConfig);
  313     init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_1, sizeof(SSL_PATTERN3_1), 0, "ssl", init_api->pAppidConfig);
  314     init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_2, sizeof(SSL_PATTERN3_2), 0, "ssl", init_api->pAppidConfig);
  315     init_api->RegisterPattern(&ssl_validate, IPPROTO_TCP, SSL_PATTERN3_3, sizeof(SSL_PATTERN3_3), 0, "ssl", init_api->pAppidConfig);
  316     unsigned i;
  317     for (i=0; i < sizeof(appIdRegistry)/sizeof(*appIdRegistry); i++)
  318     {
  319         _dpd.debugMsg(DEBUG_LOG,"registering appId: %d\n",appIdRegistry[i].appId);
  320         init_api->RegisterAppId(&ssl_validate, appIdRegistry[i].appId, appIdRegistry[i].additionalInfo, init_api->pAppidConfig);
  321     }
  322 
  323     return 0;
  324 }
  325 
  326 void ssl_free(void *ss)    /* AppIdFreeFCN */
  327 {
  328     ServiceSSLData *ss_tmp = (ServiceSSLData*)ss;
  329     free(ss_tmp->certs_data);
  330     free(ss_tmp->host_name);
  331     free(ss_tmp->common_name);
  332     free(ss_tmp->org_name);
  333     free(ss_tmp);
  334 }
  335 
  336 void parse_client_initiation(const uint8_t *data, uint16_t size, ServiceSSLData *ss)
  337 {
  338     const ServiceSSLV3Hdr *hdr3;
  339     const ServiceSSLV3Record *rec;
  340     int length;
  341     uint16_t ver;
  342 
  343     /* Sanity check header stuff. */
  344     if (size < sizeof(ServiceSSLV3Hdr)) return;
  345     hdr3 = (ServiceSSLV3Hdr *)data;
  346     ver = ntohs(hdr3->version);
  347     if (hdr3->type != SSL_HANDSHAKE ||
  348         (ver != 0x0300 &&
  349          ver != 0x0301 &&
  350          ver != 0x0302 &&
  351          ver != 0x0303))
  352     {
  353         return;
  354     }
  355     data += sizeof(ServiceSSLV3Hdr);
  356     size -= sizeof(ServiceSSLV3Hdr);
  357 
  358     if (size < sizeof(ServiceSSLV3Record)) return;
  359     rec = (ServiceSSLV3Record *)data;
  360     ver = ntohs(rec->version);
  361     if (rec->type != SSL_CLIENT_HELLO ||
  362         (ver != 0x0300 &&
  363          ver != 0x0301 &&
  364          ver != 0x0302 &&
  365          ver != 0x0303) ||
  366         rec->length_msb)
  367     {
  368         return;
  369     }
  370     length = ntohs(rec->length) + offsetof(ServiceSSLV3Record, version);
  371     if (size < length) return;
  372     data += sizeof(ServiceSSLV3Record);
  373     size -= sizeof(ServiceSSLV3Record);
  374 
  375     /* Session ID (1-byte length). */
  376     if (size < 1) return;
  377     length = *((uint8_t*)data);
  378     data += length + 1;
  379     if (size < (length + 1)) return;
  380     size -= length + 1;
  381 
  382     /* Cipher Suites (2-byte length). */
  383     if (size < 2) return;
  384     length = ntohs(*((uint16_t*)data));
  385     data += length + 2;
  386     if (size < (length + 2)) return;
  387     size -= length + 2;
  388 
  389     /* Compression Methods (1-byte length). */
  390     if (size < 1) return;
  391     length = *((uint8_t*)data);
  392     data += length + 1;
  393     if (size < (length + 1)) return;
  394     size -= length + 1;
  395 
  396     /* Extensions (2-byte length) */
  397     if (size < 2) return;
  398     length = ntohs(*((uint16_t*)data));
  399     data += 2;
  400     size -= 2;
  401     if (size < length) return;
  402 
  403     // We need at least type (2 bytes) and length (2 bytes) fields in the extension
  404     while (length >= 4)
  405     {
  406         ServiceSSLV3ExtensionServerName *ext = (ServiceSSLV3ExtensionServerName*)data;
  407         if (ntohs(ext->type) == SSL_EXT_SERVER_NAME)
  408         {
  409             /* Found server host name. */
  410             if (length < sizeof(ServiceSSLV3ExtensionServerName)) return;
  411 
  412             int len = ntohs(ext->string_length);
  413             if ((length - sizeof(ServiceSSLV3ExtensionServerName)) < len) return;
  414 
  415             const uint8_t *str =   data
  416                                  + offsetof(ServiceSSLV3ExtensionServerName, string_length)
  417                                  + sizeof(ext->string_length);
  418             ss->host_name = malloc(len + 1);    /* Plus NULL term. */
  419             if (!ss->host_name)
  420             {
  421                 _dpd.errMsg("parse_client_initiation: "
  422                         "Could not allocate memory for host name in ServiceSSLData\n");
  423                 return;
  424             }
  425             else
  426             {
  427                 memcpy(ss->host_name, str, len);
  428                 ss->host_name[len] = '\0';
  429                 ss->host_name_strlen = len;
  430             }
  431             return;
  432         }
  433         data   += ntohs(ext->length) + offsetof(ServiceSSLV3ExtensionServerName, list_length);
  434         length -= ntohs(ext->length) + offsetof(ServiceSSLV3ExtensionServerName, list_length);
  435     }
  436 }
  437 
  438 int parse_certificates(ServiceSSLData *ss)
  439 {
  440     int success = 0;
  441     if (ss->certs_data && ss->certs_len)
  442     {
  443         char *common_name = 0;
  444         char *org_name = 0;
  445 
  446         uint8_t *data = ss->certs_data;
  447         int len = ss->certs_len;
  448         int common_name_tot_len = 0;
  449         int org_name_tot_len = 0;
  450 
  451         success = 1;
  452         while (len > 0 && !(common_name && org_name))
  453         {
  454             X509 *cert = NULL;
  455             char *cert_name = NULL;
  456             char *start = NULL;
  457             char *end = NULL;
  458             int length = 0;
  459 
  460             /* Get each certificate. */
  461             int cert_len = ntoh3(data);
  462             data += 3;
  463             len -= 3;
  464             if (len < cert_len) 
  465             {
  466                 success = 0;
  467                 break;
  468             }
  469 
  470             cert = d2i_X509(NULL, (const unsigned char **)&data, cert_len);
  471             len -= cert_len;    /* Above call increments data pointer already. */
  472             if (!cert)
  473             {
  474                 success = 0;
  475                 break;
  476             }
  477 
  478             /* look for common name or org name if we haven't seen either */
  479             if (!common_name || !org_name)
  480             {
  481                 if ((cert_name = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)))
  482                 {
  483                     if (!common_name)
  484                     {
  485                         if ((start = strstr(cert_name, COMMON_NAME_STR)))
  486                         {
  487                             start += strlen(COMMON_NAME_STR);
  488                             end = strstr(start, FIELD_SEPARATOR);
  489                             if (end) *end = 0;
  490                             length = strlen(start);
  491                             if (length>2 && *start=='*' && *(start+1)=='.') 
  492                             {
  493                                 start += 2; // remove leading .*
  494                                 length -= 2;
  495                             }
  496                             common_name = strndup(start, length);
  497                             common_name_tot_len += length;
  498                             start = NULL;
  499                         }
  500                     }
  501                     if (!org_name)
  502                     {
  503                         if ((start = strstr(cert_name, ORG_NAME_STR)))
  504                         {
  505                             start += strlen(ORG_NAME_STR);
  506                             end = strstr(start, FIELD_SEPARATOR);
  507                             if (end) *end = 0;
  508                             length = strlen(start);
  509                             if (length>2 && *start=='*' && *(start+1)=='.')
  510                             {
  511                                 start += 2; // remove leading .*
  512                                 length -= 2;
  513                             }
  514                             org_name = strndup(start, length);
  515                             org_name_tot_len += length;
  516                         }
  517                     }
  518                     free(cert_name);
  519                     cert_name = NULL;
  520                 }
  521             }
  522         X509_free(cert);
  523         }
  524 
  525         if (common_name)
  526         {
  527             ss->common_name = common_name;
  528             ss->common_name_strlen = common_name_tot_len;
  529         }
  530 
  531         if (org_name)
  532         {
  533             ss->org_name = org_name;
  534             ss->org_name_strlen = org_name_tot_len;
  535         }
  536 
  537         /* No longer need entire certificates.  We have what we came for. */
  538         free(ss->certs_data);
  539         ss->certs_data = NULL;
  540         ss->certs_len = 0;
  541     }
  542     return success;  // could be 1 even though common_name or org_name == 0
  543 }
  544 
  545 static int ssl_validate(ServiceValidationArgs* args)
  546 {
  547     ServiceSSLData *ss;
  548     const ServiceSSLPCTHdr *pct;
  549     const ServiceSSLV2Hdr *hdr2;
  550     const ServiceSSLV3Hdr *hdr3;
  551     const ServiceSSLV3Record *rec;
  552     const ServiceSSLV3CertsRecord *certs_rec;
  553     uint16_t ver;
  554     tAppIdData *flowp = args->flowp;
  555     const uint8_t *data = args->data;
  556     const int dir = args->dir;
  557     uint16_t size = args->size;
  558 
  559     if (!size)
  560         goto inprocess;
  561 
  562     ss = ssl_service_mod.api->data_get(flowp, ssl_service_mod.flow_data_index);
  563     if (!ss)
  564     {
  565         ss = calloc(1, sizeof(*ss));
  566         if (!ss)
  567             return SERVICE_ENOMEM;
  568         if (ssl_service_mod.api->data_add(flowp, ss, ssl_service_mod.flow_data_index, &ssl_free))
  569         {
  570             free(ss);
  571             return SERVICE_ENOMEM;
  572         }
  573         ss->state = SSL_STATE_INITIATE;
  574     }
  575     /* Start off with a Client Hello from client to server. */
  576     if (ss->state == SSL_STATE_INITIATE)
  577     {
  578         ss->state = SSL_STATE_CONNECTION;
  579 
  580         if (dir == APP_ID_FROM_INITIATOR)
  581         {
  582             parse_client_initiation(data, size, ss);
  583             goto inprocess;
  584         }
  585     }
  586 
  587     if (dir != APP_ID_FROM_RESPONDER)
  588     {
  589             goto inprocess;
  590     }
  591 
  592     switch (ss->state)
  593     {
  594     case SSL_STATE_CONNECTION:
  595         pct = (ServiceSSLPCTHdr *)data;
  596         hdr2 = (ServiceSSLV2Hdr *)data;
  597         hdr3 = (ServiceSSLV3Hdr *)data;
  598         /* SSL PCT header? */
  599         if (size >= sizeof(ServiceSSLPCTHdr) && pct->len >= 0x80 &&
  600             pct->type == PCT_SERVER_HELLO && ntohs(pct->version) == 0x8001)
  601         {
  602             goto success;
  603         }
  604         /* SSL v2 header? */
  605         if (size >= sizeof(ServiceSSLV2Hdr) && hdr2->len >= 0x80 &&
  606             hdr2->type == SSL2_SERVER_HELLO && !(hdr2->cert & 0xFE))
  607         {
  608             uint16_t h2v = ntohs(hdr2->version);
  609             if ((h2v == 0x0002 || h2v == 0x0300 ||
  610                  h2v == 0x0301 || h2v == 0x0303) &&
  611                 !(hdr2->cipher_len % 3))
  612             {
  613                 goto success;
  614             }
  615         }
  616         /* it is probably an SSLv3, TLS 1.2, or TLS 1.3 header.
  617            First record must be a handshake (type 22). */
  618         if (size < sizeof(ServiceSSLV3Hdr) ||
  619             hdr3->type != SSL_HANDSHAKE ||
  620             (ntohs(hdr3->version) != 0x0300 &&
  621              ntohs(hdr3->version) != 0x0301 && 
  622              ntohs(hdr3->version) != 0x0302 && 
  623              ntohs(hdr3->version) != 0x0303)) 
  624         {
  625             goto fail;
  626         }
  627         data += sizeof(ServiceSSLV3Hdr);
  628         size -= sizeof(ServiceSSLV3Hdr);
  629         rec = (ServiceSSLV3Record *)data;
  630         if (size < sizeof(ServiceSSLV3Record) ||
  631             rec->type != SSL_SERVER_HELLO ||
  632             (ntohs(rec->version) != 0x0300 &&
  633              ntohs(rec->version) != 0x0301 && 
  634              ntohs(rec->version) != 0x0302 && 
  635              ntohs(rec->version) != 0x0303) ||
  636             rec->length_msb)
  637         {
  638             goto fail;
  639         }
  640         ss->tot_length = ntohs(hdr3->len);
  641         ss->length = ntohs(rec->length) +
  642                      offsetof(ServiceSSLV3Record, version);
  643         if (ss->tot_length < ss->length) goto fail;
  644         ss->tot_length -= ss->length;
  645         if (size < ss->length) goto fail;
  646         data += ss->length;
  647         size -= ss->length;
  648         ss->state = SSL_STATE_HEADER;
  649         ss->pos = 0;
  650         /* fall through */
  651     case SSL_STATE_HEADER:
  652         while (size > 0)
  653         {
  654             if (!ss->pos)
  655             {
  656                 /* Need to move onto (and past) next header (i.e., record) if
  657                  * previous was completely consumed. */
  658                 if (ss->tot_length == 0)
  659                 {
  660                     hdr3 = (ServiceSSLV3Hdr *)data;
  661                     ver = ntohs(hdr3->version);
  662                     if (size < sizeof(ServiceSSLV3Hdr) ||
  663                         (hdr3->type != SSL_HANDSHAKE &&
  664                          hdr3->type != SSL_CHANGE_CIPHER &&
  665                          hdr3->type != SSL_APPLICATION_DATA) ||
  666                         (ver != 0x0300 &&
  667                          ver != 0x0301 &&
  668                          ver != 0x0302 &&
  669                          ver != 0x0303))
  670                     {
  671                         goto fail;
  672                     }
  673                     data += sizeof(ServiceSSLV3Hdr);
  674                     size -= sizeof(ServiceSSLV3Hdr);
  675                     ss->tot_length = ntohs(hdr3->len);
  676                     if (hdr3->type == SSL_CHANGE_CIPHER ||
  677                         hdr3->type == SSL_APPLICATION_DATA)
  678                     {
  679                         goto success;
  680                     }
  681                 }
  682 
  683                 rec = (ServiceSSLV3Record *)data;
  684                 if (size < offsetof(ServiceSSLV3Record, version) ||
  685                     rec->length_msb)
  686                 {
  687                     goto fail;
  688                 }
  689                 switch (rec->type)
  690                 {
  691                 case SSL_CERTIFICATE:
  692                     /* Start pulling out certificates. */
  693                     if (!ss->certs_data)
  694                     {
  695                         certs_rec = (ServiceSSLV3CertsRecord *)data;
  696                         ss->certs_len = ntoh3(certs_rec->certs_len);
  697                         ss->certs_data = malloc(ss->certs_len);
  698                         if (!ss->certs_data)
  699                             return SERVICE_ENOMEM;
  700                         if ((size - sizeof(ServiceSSLV3CertsRecord)) < ss->certs_len)
  701                         {
  702                             /* Will have to get more next time around. */
  703                             ss->in_certs       = 1;
  704                             ss->certs_curr_len = size - sizeof(ServiceSSLV3CertsRecord);    /* Skip over header to data. */
  705                             memcpy(ss->certs_data, data + sizeof(ServiceSSLV3CertsRecord), ss->certs_curr_len);
  706                         }
  707                         else
  708                         {
  709                             /* Can get it all this time. */
  710                             ss->in_certs       = 0;
  711                             ss->certs_curr_len = ss->certs_len;
  712                             memcpy(ss->certs_data, data + sizeof(ServiceSSLV3CertsRecord), ss->certs_curr_len);
  713                             break;
  714                         }
  715                     }
  716                     /* fall through */
  717                 case SSL_CERTIFICATE_STATUS:
  718                 case SSL_SERVER_KEY_XCHG:
  719                 case SSL_SERVER_CERT_REQ:
  720                     ss->length = ntohs(rec->length) +
  721                                  offsetof(ServiceSSLV3Record, version);
  722                     if (ss->tot_length < ss->length) goto fail;
  723                     ss->tot_length -= ss->length;
  724                     if (size < ss->length)
  725                     {
  726                         ss->pos = size;
  727                         size = 0;
  728                     }
  729                     else
  730                     {
  731                         data += ss->length;
  732                         size -= ss->length;
  733                         ss->pos = 0;
  734                     }
  735                     break;
  736                 case SSL_SERVER_HELLO_DONE:
  737                     if (rec->length) goto fail;
  738                     if (ss->tot_length != offsetof(ServiceSSLV3Record, version))
  739                         goto fail;
  740                     goto success;
  741                 default:
  742                     goto fail;
  743                 }
  744             }
  745             else
  746             {
  747                 /* See if there's more certificate data to grab. */
  748                 if (ss->in_certs && ss->certs_data)
  749                 {
  750                     if (size < (ss->certs_len - ss->certs_curr_len))
  751                     {
  752                         /* Will have to get more next time around. */
  753                         memcpy(ss->certs_data + ss->certs_curr_len, data, size);
  754                         ss->in_certs        = 1;
  755                         ss->certs_curr_len += size;
  756                     }
  757                     else
  758                     {
  759                         /* Can get it all this time. */
  760                         memcpy(ss->certs_data + ss->certs_curr_len, data, ss->certs_len - ss->certs_curr_len);
  761                         ss->in_certs       = 0;
  762                         ss->certs_curr_len = ss->certs_len;
  763                     }
  764                 }
  765 
  766                 if (size+ss->pos < ss->length)
  767                 {
  768                     ss->pos += size;
  769                     size = 0;
  770                 }
  771                 else
  772                 {
  773                     data += ss->length - ss->pos;
  774                     size -= ss->length - ss->pos;
  775                     ss->pos = 0;
  776                 }
  777             }
  778         }
  779         break;
  780     default:
  781         goto fail;
  782     }
  783 
  784 inprocess:
  785     ssl_service_mod.api->service_inprocess(flowp, args->pkt, dir, &svc_element, NULL);
  786     return SERVICE_INPROCESS;
  787 
  788 fail:
  789     free(ss->certs_data);
  790     free(ss->host_name);
  791     free(ss->common_name);
  792     free(ss->org_name);
  793     ss->certs_data = NULL;
  794     ss->host_name = ss->common_name = ss->org_name = NULL;
  795     ssl_service_mod.api->fail_service(flowp, args->pkt, dir, &svc_element,
  796                                       ssl_service_mod.flow_data_index, args->pConfig, NULL);
  797     return SERVICE_NOMATCH;
  798 
  799 success:
  800     if (ss->certs_data && ss->certs_len)
  801     {
  802         if (!parse_certificates(ss))
  803         {
  804             goto fail;
  805         }
  806     }
  807     setAppIdFlag(flowp, APPID_SESSION_SSL_SESSION);
  808     if (ss->host_name || ss->common_name || ss->org_name)
  809     {
  810         if (!flowp->tsession)
  811         {
  812             if (!(flowp->tsession = calloc(1, sizeof(*flowp->tsession))))
  813             {
  814                 goto fail;
  815             }
  816         }
  817 
  818         /* TLS Host */
  819         if (ss->host_name)
  820         {
  821             /* Do not overwrite SSL provided SNI */
  822             if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
  823             {
  824                 if (flowp->tsession->tls_host)
  825                     free(flowp->tsession->tls_host);
  826                 flowp->tsession->tls_host = ss->host_name;
  827                 flowp->tsession->tls_host_strlen = ss->host_name_strlen;
  828                 flowp->scan_flags |= SCAN_SSL_HOST_FLAG;
  829             }
  830         }
  831         else if (ss->common_name)    // use common name (from server) if we didn't see host name (from client)
  832         {
  833             /* Do not overwrite SSL provided SNI */
  834             if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
  835             {
  836                 char *common_name = strndup(ss->common_name, ss->common_name_strlen);
  837                 if (common_name)
  838                 {
  839                     if (flowp->tsession->tls_host)
  840                         free(flowp->tsession->tls_host);
  841                     flowp->tsession->tls_host = common_name;
  842                     flowp->tsession->tls_host_strlen = ss->common_name_strlen;
  843                     flowp->scan_flags |= SCAN_SSL_HOST_FLAG;
  844                 }
  845             }
  846         }
  847 
  848         /* TLS Common Name */
  849         if (ss->common_name)
  850         {
  851             /* Do not overwrite SSL provided CN */
  852             if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
  853             {
  854                 if (flowp->tsession->tls_cname)
  855                     free(flowp->tsession->tls_cname);
  856                 flowp->tsession->tls_cname = ss->common_name;
  857                 flowp->tsession->tls_cname_strlen = ss->common_name_strlen;
  858                 flowp->scan_flags |= SCAN_SSL_CERTIFICATE_FLAG;
  859             }
  860         }
  861 
  862         /* TLS Org Unit */
  863         if (ss->org_name)
  864         {
  865             /* Do not overwrite SSL provided ORG NAME */
  866             if (!(flowp->scan_flags & SCAN_CERTVIZ_ENABLED_FLAG))
  867             {
  868                 if (flowp->tsession->tls_orgUnit)
  869                     free(flowp->tsession->tls_orgUnit);
  870                 flowp->tsession->tls_orgUnit = ss->org_name;
  871                 flowp->tsession->tls_orgUnit_strlen = ss->org_name_strlen;
  872             }
  873         }
  874 
  875         ss->host_name = ss->common_name = ss->org_name = NULL;
  876         flowp->tsession->tls_handshake_done = true;
  877     }
  878     ssl_service_mod.api->add_service(flowp, args->pkt, dir, &svc_element,
  879                                      getSslServiceAppId(args->pkt->src_port), NULL, NULL, NULL, NULL);
  880     return SERVICE_SUCCESS;
  881 }
  882 
  883 tAppId getSslServiceAppId( short srcPort)
  884 {
  885     switch (srcPort)
  886     {
  887     case 261:
  888         return APP_ID_NSIIOPS;
  889     case 443:
  890         return APP_ID_HTTPS;
  891     case 448:
  892         return APP_ID_DDM_SSL;
  893     case 465:
  894         return APP_ID_SMTPS;
  895     case 563:
  896         return APP_ID_NNTPS;
  897     case 585:  /*Currently 585 is de-registered at IANA but old implementation may still use it. */
  898     case 993:
  899         return APP_ID_IMAPS;
  900     case 614:
  901         return APP_ID_SSHELL;
  902     case 636:
  903         return APP_ID_LDAPS;
  904     case 853:
  905         return APP_ID_DNS_OVER_TLS;
  906     case 989:
  907         return APP_ID_FTPSDATA;
  908     case 990:
  909         return APP_ID_FTPS;
  910     case 992:
  911         return APP_ID_TELNETS;
  912     case 994:
  913         return APP_ID_IRCS;
  914     case 995:
  915         return APP_ID_POP3S;
  916     case 3269:
  917         return APP_ID_MSFT_GC_SSL;
  918     case 8305:
  919         return APP_ID_SF_APPLIANCE_MGMT;
  920     default:
  921         return APP_ID_SSL;
  922     }
  923 }
  924 
  925 bool isSslServiceAppId(tAppId appId)
  926 {
  927     switch (appId)
  928     {
  929     case APP_ID_NSIIOPS:
  930     case APP_ID_HTTPS:
  931     case APP_ID_DDM_SSL:
  932     case APP_ID_SMTPS:
  933     case APP_ID_NNTPS:
  934     case APP_ID_IMAPS:
  935     case APP_ID_SSHELL:
  936     case APP_ID_LDAPS:
  937     case APP_ID_FTPSDATA:
  938     case APP_ID_FTPS:
  939     case APP_ID_TELNETS:
  940     case APP_ID_IRCS:
  941     case APP_ID_POP3S:
  942     case APP_ID_MSFT_GC_SSL:
  943     case APP_ID_SF_APPLIANCE_MGMT:
  944     case APP_ID_SSL:
  945         return true;
  946     }
  947 
  948     return false;
  949 }
  950 
  951 static int ssl_scan_patterns(void * matcher, const u_int8_t *pattern, size_t size, tAppId *clientAppId, tAppId *payloadId)
  952 {
  953     MatchedSSLPatterns *mp = NULL;
  954     MatchedSSLPatterns *tmpMp;
  955     SSLCertPattern *best_match;
  956 
  957     if (!matcher) return 0;
  958 
  959     _dpd.searchAPI->search_instance_find_all(matcher,
  960                (char *)pattern,
  961                size, 0,
  962                ssl_cert_pattern_match, (void *)&mp);
  963 
  964     if (!mp) return 0;
  965 
  966     best_match = NULL;
  967     while (mp)
  968     {
  969         //only patterns that match start of payload, or patterns starting with '.' or patterns folowing '.' in payload
  970         //are considered a match.
  971         if (mp->index == 0 || *mp->mpattern->pattern == '.' || pattern[mp->index-1] == '.')
  972         {
  973             if (!best_match || mp->mpattern->pattern_size > best_match->pattern_size)
  974             {
  975                 best_match = mp->mpattern;
  976             }
  977         } 
  978         tmpMp = mp;
  979         mp = mp->next;
  980         free (tmpMp);
  981     }
  982     if (!best_match) return 0;
  983 
  984     switch (best_match->type)
  985     {
  986     /* type 0 means WEB APP */
  987     case 0:
  988         *clientAppId = APP_ID_SSL_CLIENT;
  989         *payloadId = best_match->appId;
  990         break;
  991     /* type 1 means CLIENT */
  992     case 1:
  993         *clientAppId = best_match->appId;
  994         *payloadId = 0;
  995         break;
  996     default:
  997         return 0;
  998     }
  999 
 1000     return 1;
 1001 }
 1002 
 1003 int ssl_scan_hostname(const u_int8_t *pattern, size_t size, tAppId *clientAppId, tAppId *payloadId, tServiceSslConfig *pSslConfig)
 1004 {
 1005     return ssl_scan_patterns(pSslConfig->ssl_host_matcher, pattern, size, clientAppId, payloadId);
 1006 }
 1007 
 1008 int ssl_scan_cname(const u_int8_t *pattern, size_t size, tAppId *clientAppId, tAppId *payloadId, tServiceSslConfig *pSslConfig)
 1009 {
 1010     return ssl_scan_patterns(pSslConfig->ssl_cname_matcher, pattern, size, clientAppId, payloadId);
 1011 }
 1012 
 1013 void service_ssl_clean(tServiceSslConfig *pSslConfig)
 1014 {
 1015     if (pSslConfig->ssl_host_matcher)
 1016     {
 1017         _dpd.searchAPI->search_instance_free(pSslConfig->ssl_host_matcher);
 1018         pSslConfig->ssl_host_matcher = NULL;
 1019     }
 1020     if (pSslConfig->ssl_cname_matcher)
 1021     {
 1022         _dpd.searchAPI->search_instance_free(pSslConfig->ssl_cname_matcher);
 1023         pSslConfig->ssl_cname_matcher = NULL;
 1024     }
 1025 }
 1026 
 1027 static int ssl_add_pattern(DetectorSSLCertPattern **list, uint8_t *pattern_str, size_t pattern_size, uint8_t type, tAppId app_id)
 1028 {
 1029     DetectorSSLCertPattern *new_ssl_pattern;
 1030 
 1031     new_ssl_pattern = calloc(1, sizeof(DetectorSSLCertPattern));
 1032     if (!new_ssl_pattern)
 1033     {
 1034         return 0;
 1035     }
 1036     new_ssl_pattern->dpattern = calloc(1, sizeof(SSLCertPattern));
 1037     if (!new_ssl_pattern->dpattern)
 1038     {
 1039         free(new_ssl_pattern);
 1040         return 0;
 1041     }
 1042 
 1043     new_ssl_pattern->dpattern->type = type;
 1044     new_ssl_pattern->dpattern->appId = app_id;
 1045     new_ssl_pattern->dpattern->pattern = pattern_str;
 1046     new_ssl_pattern->dpattern->pattern_size = pattern_size;
 1047 
 1048     new_ssl_pattern->next = *list;
 1049     *list = new_ssl_pattern;
 1050 
 1051     return 1;
 1052 }
 1053 int ssl_add_cert_pattern(uint8_t *pattern_str, size_t pattern_size, uint8_t type, tAppId app_id, tServiceSslConfig *pSslConfig)
 1054 {
 1055     return ssl_add_pattern(&pSslConfig->DetectorSSLCertPatternList, pattern_str, pattern_size, type, app_id);
 1056 }
 1057 int ssl_add_cname_pattern(uint8_t *pattern_str, size_t pattern_size, uint8_t type, tAppId app_id, tServiceSslConfig *pSslConfig)
 1058 {
 1059     return ssl_add_pattern(&pSslConfig->DetectorSSLCnamePatternList, pattern_str, pattern_size, type, app_id);
 1060 }
 1061 
 1062 static void ssl_patterns_free(DetectorSSLCertPattern **list)
 1063 {
 1064     DetectorSSLCertPattern *tmp_pattern;
 1065 
 1066     while ((tmp_pattern = *list))
 1067     {
 1068         *list = tmp_pattern->next;
 1069         if (tmp_pattern->dpattern)
 1070         {
 1071             if (tmp_pattern->dpattern->pattern)
 1072                 free(tmp_pattern->dpattern->pattern);
 1073             free (tmp_pattern->dpattern);
 1074         }
 1075         free(tmp_pattern);
 1076     }
 1077 }
 1078 
 1079 void ssl_detector_free_patterns(tServiceSslConfig *pSslConfig)
 1080 {
 1081     ssl_patterns_free(&pSslConfig->DetectorSSLCertPatternList);
 1082     ssl_patterns_free(&pSslConfig->DetectorSSLCnamePatternList);
 1083 }
 1084 
 1085 int setSSLSquelch(SFSnortPacket *p, int type, tAppId appId)
 1086 {
 1087     sfaddr_t *sip, *dip;
 1088     tAppIdData *f;
 1089 
 1090     if (!appInfoEntryFlagGet(appId, APPINFO_FLAG_SSL_SQUELCH, appIdActiveConfigGet()))
 1091         return 0;
 1092 
 1093     dip = GET_DST_IP(p);
 1094     sip = GET_SRC_IP(p);
 1095 
 1096     if (!(f = AppIdEarlySessionCreate(NULL, p, sip, 0, dip, p->dst_port,
 1097                                        IPPROTO_TCP, appId, 0)))
 1098         return 0;
 1099 
 1100     switch (type)
 1101     {
 1102     case 1:
 1103         f->payloadAppId = appId;
 1104         break;
 1105     case 2:
 1106         f->clientAppId = appId;
 1107         f->rnaClientState = RNA_STATE_FINISHED;
 1108         break;
 1109     default:
 1110         return 0;
 1111     }
 1112 
 1113     return 1;
 1114 
 1115 }