TLS handshake: get TLS ciphersuite and compression
authorPierre Chifflier <pierre.chifflier@ssi.gouv.fr>
Fri, 4 Nov 2011 17:18:46 +0000 (18:18 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 19 Mar 2012 11:12:24 +0000 (12:12 +0100)
Decode the SERVER_HELLO message to extract the ciphersuite and compression
chosen by the server.

Signed-off-by: Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
src/app-layer-ssl.c
src/app-layer-ssl.h
src/app-layer-tls-handshake.c
src/app-layer-tls-handshake.h

index 9988f8b339df87bccba9b1aef4a4e0e75d3f6e32..84ff31d3b9344c89d9a31ca67904338995b6356a 100644 (file)
@@ -128,17 +128,10 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
         case SSLV3_HS_SERVER_HELLO:
             ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;
 
-            switch (ssl_state->bytes_processed) {
-                case 9:
-                    ssl_state->bytes_processed++;
-                    ssl_state->handshake_server_hello_ssl_version = *(input++) << 8;
-                    if (--input_len == 0)
-                        break;
-                case 10:
-                    ssl_state->bytes_processed++;
-                    ssl_state->handshake_server_hello_ssl_version |= *(input++);
-                    if (--input_len == 0)
-                        break;
+            rc = DecodeTLSHandshakeServerHello(ssl_state, input, input_len);
+            if (rc >= 0) {
+                ssl_state->bytes_processed += rc;
+                input += rc;
             }
             break;
 
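Review bot: After the new call, `input` is advanced by `rc` but `input_len` is left unchanged, whereas the removed code decremented `input_len` for every byte it consumed; if anything later in SSLv3ParseHandshakeType (whose body starts and ends outside this hunk) still relies on `input_len`, it now over-counts the bytes that remain. The value of `rc` is also not derived from the bytes present: DecodeTLSHandshakeServerHello returns `record_length-4`, so `rc` can exceed `input_len` and push `input` past the end of the current chunk. Guarding the advance with `if (rc >= 0 && (uint32_t)rc <= input_len) { ssl_state->bytes_processed += rc; input += rc; input_len -= rc; }` keeps the pointer and the length consistent; this assumes `rc` is declared earlier in the function, which is not visible here.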
index 518956cbcbd8bf6f4baa57c3344c8add44692320..55ef5a957471965361fc6d0aa21c43d25483f064 100644 (file)
@@ -93,6 +93,10 @@ typedef struct SSLState_ {
     /* sslv2 client hello session id length */
     uint16_t session_id_length;
 
+    /* the ciphersuite, chosen by the server */
+    uint16_t ciphersuite;
+    uint8_t compressionmethod;
+
     char *cert0_subject;
 
     /* buffer for the tls record.
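Review bot: The comment on the new fields covers only `ciphersuite`; `compressionmethod` has none, and in a struct that already comments its fields it should get one, e.g. `/* the compression method, chosen by the server */` above it. Both fields are written from DecodeTLSHandshakeServerHello, so noting that they are only valid once SSL_AL_FLAG_STATE_SERVER_HELLO is set would help readers of the struct.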
index 53a4757a3b0e8082f032145c316b655fe3142666..fc596f82ddd72e802a2fdb233a56ac4a33725ada 100644 (file)
 
 #define SSLV3_RECORD_LEN 5
 
+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
+{
+    uint32_t version, length, ciphersuite;
+    uint8_t compressionmethod;
+
+    if (input_len < 40)
+        return -1;
+
+    version = input[0]<<8 | input[1];
+    ssl_state->handshake_server_hello_ssl_version = version;
+
+    input += 2;
+    input_len -= 2;
+
+    /* skip the random field */
+    input += 32;
+
+    /* skip the session ID */
+    length = input[0];
+    input += 1 + length;
+
+    ciphersuite = input[0]<<8 | input[1];
+    ssl_state->ciphersuite = ciphersuite;
+
+    input += 2;
+
+    compressionmethod = input[0];
+    ssl_state->compressionmethod = compressionmethod;
+
+    input += 1;
+
+    /* extensions (like renegotiation) */
+
+    SCLogDebug("TLS Handshake Version %.4x Cipher %d Compression %d\n", version, ciphersuite, compressionmethod);
+
+    /* return the message length (TLS record - (handshake type + length)) */
+    return ssl_state->record_length-4;
+}
+
 int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
 {
     uint32_t certificates_length, cur_cert_length;
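Review bot: The `input_len < 40` guard at the top does not cover the reads after the session ID skip: `length` comes from the wire (up to 255), and the ciphersuite and compression method are then read at offsets 35+length through 37+length, so a SERVER_HELLO with a long session ID in a short chunk makes the parser read past the end of `input`. `input_len` is decremented only for the two version bytes and never consulted again; after `length = input[0];` add `if (input_len < 32 + 1 + length + 3) return -1;` (32 random bytes, the session-ID length byte, `length` session-ID bytes, 2 ciphersuite plus 1 compression) so every later read is bounded by what was actually received. Separately, the function returns `ssl_state->record_length-4` regardless of `input_len`, so the caller can be told more bytes were consumed than it passed in; returning the bytes actually parsed, or clamping in the caller, would be safer, though record_length is maintained outside this hunk. The `%d` conversions in the SCLogDebug call receive `uint32_t` and `uint8_t` (promoted to int) arguments; `%u` for `ciphersuite` matches its type.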
index 6041f7fbc5ca8f9c5b1c3de2d3511199b6e772b1..fa91c7dbe11312b94603bfed98be61835dea8dc2 100644 (file)
@@ -35,6 +35,7 @@
 #ifndef __APP_LAYER_TLS_HANDSHAKE_H__
 #define __APP_LAYER_TLS_HANDSHAKE_H__
 
+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
 int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
 
 #endif /* __APP_LAYER_TLS_HANDSHAKE_H__ */