From: Pierre Chifflier Date: Fri, 4 Nov 2011 17:18:46 +0000 (+0100) Subject: TLS handshake: get TLS ciphersuite and compression X-Git-Tag: suricata-1.3beta1~97 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53e5421a24621b5b37bf6c85ca68b903a82006bf;p=thirdparty%2Fsuricata.git TLS handshake: get TLS ciphersuite and compression Decode the SERVER_HELLO message to extract the ciphersuite and compression chosen by the server. Signed-off-by: Pierre Chifflier
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 9988f8b339..84ff31d3b9 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -128,17 +128,10 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, uint8_t *input,
 case SSLV3_HS_SERVER_HELLO:
 ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;
- switch (ssl_state->bytes_processed) {
- case 9:
- ssl_state->bytes_processed++;
- ssl_state->handshake_server_hello_ssl_version = *(input++) << 8;
- if (--input_len == 0)
- break;
- case 10:
- ssl_state->bytes_processed++;
- ssl_state->handshake_server_hello_ssl_version |= *(input++);
- if (--input_len == 0)
- break;
+ rc = DecodeTLSHandshakeServerHello(ssl_state, input, input_len);
+ if (rc >= 0) {
+ ssl_state->bytes_processed += rc;
+ input += rc;
 }
 break;
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 518956cbcb..55ef5a9574 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -93,6 +93,10 @@ typedef struct SSLState_ {
 /* sslv2 client hello session id length */
 uint16_t session_id_length;
+ /* the ciphersuite, chosen by the server */
+ uint16_t ciphersuite;
+ uint8_t compressionmethod;
+
 char *cert0_subject;
 /* buffer for the tls record.
diff --git a/src/app-layer-tls-handshake.c b/src/app-layer-tls-handshake.c
index 53a4757a3b..fc596f82dd 100644
--- a/src/app-layer-tls-handshake.c
+++ b/src/app-layer-tls-handshake.c
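Review bot: In the `SSLV3_HS_SERVER_HELLO` case of src/app-layer-ssl.c, `rc` is added to `ssl_state->bytes_processed` and `input` without being compared with `input_len`; the decoder computes it as `ssl_state->record_length-4`, so a ServerHello whose record is longer than the current buffer moves `input` past the data the caller holds. A guard such as `if (rc < 0 || (uint32_t)rc > input_len)` with an explicit error path would keep the pointer inside the buffer. A negative `rc` is currently dropped without any log or state change, and the removed `bytes_processed` switch could resume a ServerHello split across calls while the new path rejects anything under 40 bytes, so fragmented handshakes probably lose the version as well as the new fields. The enclosing function starts and ends outside the hunk, so how `input` and `input_len` are used afterwards is not visible.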
@@ -49,6 +49,45 @@
 #define SSLV3_RECORD_LEN 5
+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
+{
+ uint32_t version, length, ciphersuite;
+ uint8_t compressionmethod;
+
+ if (input_len < 40)
+ return -1;
+
+ version = input[0]<<8 | input[1];
+ ssl_state->handshake_server_hello_ssl_version = version;
+
+ input += 2;
+ input_len -= 2;
+
+ /* skip the random field */
+ input += 32;
+
+ /* skip the session ID */
+ length = input[0];
+ input += 1 + length;
+
+ ciphersuite = input[0]<<8 | input[1];
+ ssl_state->ciphersuite = ciphersuite;
+
+ input += 2;
+
+ compressionmethod = input[0];
+ ssl_state->compressionmethod = compressionmethod;
+
+ input += 1;
+
+ /* extensions (like renegotiation) */
+
+ SCLogDebug("TLS Handshake Version %.4x Cipher %d Compression %d\n", version, ciphersuite, compressionmethod);
+
+ /* return the message length (TLS record - (handshake type + length)) */
+ return ssl_state->record_length-4;
+}
+
 int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len)
 {
 uint32_t certificates_length, cur_cert_length;
diff --git a/src/app-layer-tls-handshake.h b/src/app-layer-tls-handshake.h
index 6041f7fbc5..fa91c7dbe1 100644
--- a/src/app-layer-tls-handshake.h
+++ b/src/app-layer-tls-handshake.h
@@ -35,6 +35,7 @@
 #ifndef __APP_LAYER_TLS_HANDSHAKE_H__
 #define __APP_LAYER_TLS_HANDSHAKE_H__
+int DecodeTLSHandshakeServerHello(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
 int DecodeTLSHandshakeServerCertificate(SSLState *ssl_state, uint8_t *input, uint32_t input_len);
 #endif /* __APP_LAYER_TLS_HANDSHAKE_H__ */
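Review bot: In `DecodeTLSHandshakeServerHello` (src/app-layer-tls-handshake.c) the session ID length is read from the peer's message and `input += 1 + length` is applied without comparing it with `input_len`, so the ciphersuite and compression method reads can fall outside the buffer; the `input_len < 40` guard only covers a session ID of up to two bytes. `input_len` is reduced once after the version and then no longer tracks `input`, so nothing later catches this. The return value `ssl_state->record_length-4` is likewise not tied to the bytes actually available, and a record length below 4 would come out negative or wrapped depending on the field's type, which is not visible here. The fence adds a bound on the session ID (TLS caps it at 32 bytes) plus the remaining fixed fields, and a guard before the subtraction.

```c
    length = input[0];
    /* length is peer-controlled: after the random (32) and the length
     * byte (1), the session ID, ciphersuite (2) and compression method (1)
     * must still fit; input_len was already reduced by 2 above */
    if (length > 32 || input_len < 32 + 1 + length + 2 + 1)
        return -1;
    /* … unchanged: session ID skip, ciphersuite and compression reads, debug log … */

    /* a record shorter than the handshake header cannot be subtracted from */
    if (ssl_state->record_length < 4)
        return -1;
    return ssl_state->record_length-4;
```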