From: Jason Ish <jason.ish@oisf.net>
Date: Wed, 30 Dec 2020 19:32:53 +0000 (-0600)
Subject: mime: postpone md5 calculation to parse complete
X-Git-Tag: suricata-5.0.6~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69bae47b82dd5bce632389b4fbb78600af463ce2;p=thirdparty%2Fsuricata.git

mime: postpone md5 calculation to parse complete

Instead of calculating the MD5 at the end of every part, only
compute it when parsing is complete.

With libnss, the hash never updates after the first HASH_End, so
the md5 of only the first part of the body is logged, rather than
the md5 of all the parts.

Redmine issue:
https://redmine.openinfosecfoundation.org/issues/4245
---

diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c
index 5c0ae1b285..a9afb7623e 100644
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@@ -2094,13 +2094,6 @@ static int ProcessBodyComplete(MimeDecParseState *state)
         }
     }
 
-#ifdef HAVE_NSS
-    if (state->md5_ctx) {
-        unsigned int len = 0;
-        HASH_End(state->md5_ctx, state->md5, &len, sizeof(state->md5));
-    }
-#endif
-
     /* Invoke pre-processor and callback with remaining data */
     ret = ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
     if (ret != MIME_DEC_OK) {
@@ -2547,6 +2540,13 @@ int MimeDecParseComplete(MimeDecParseState *state)
         return ret;
     }
 
+#ifdef HAVE_NSS
+    if (state->md5_ctx) {
+        unsigned int len = 0;
+        HASH_End(state->md5_ctx, state->md5, &len, sizeof(state->md5));
+    }
+#endif
+
     if (state->stack->top == NULL) {
         state->msg->anomaly_flags |= ANOM_MALFORMED_MSG;
         SCLogDebug("Error: Message is malformed");