From: Eric Leblond
Date: Fri, 24 Apr 2015 14:17:19 +0000 (+0200)
Subject: decode-mime: compute body md5
X-Git-Tag: suricata-3.0RC1~127
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d39009ca582af30a1478934be7259294a7247d09;p=thirdparty%2Fsuricata.git
decode-mime: compute body md5
This patch is computing the md5 sum of the body of the MIME message. This will allow to detect messages with same content and sent to different people.
---
diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c
index 3f4affcccf..3b33c548de 100644
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@@ -1992,6 +1992,7 @@ static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
 *
 * \return MIME_DEC_OK on success, otherwise < 0 on failure
 */
+
 static int ProcessBodyComplete(MimeDecParseState *state)
 {
 int ret = MIME_DEC_OK;
@@ -2180,6 +2181,16 @@ static int ProcessMimeBody(const uint8_t *buf, uint32_t len,
 int body_found = 0;
 uint32_t tlen;
+#ifdef HAVE_NSS
+ if (state->body_begin == 1 && (state->md5_ctx == NULL)) {
+ state->md5_ctx = HASH_Create(HASH_AlgMD5);
+ if (state->md5_ctx != NULL) {
+ HASH_Begin(state->md5_ctx);
+ HASH_Update(state->md5_ctx, buf, len + 2); /* plus 2 to add CRLF */
+ }
+ }
+#endif
+
 /* Ignore empty lines */
 if (len == 0) {
 return ret;
@@ -2394,6 +2405,10 @@ void MimeDecDeInitParser(MimeDecParseState *state)
 SCFree(state->hname);
 FreeDataValue(state->hvalue);
 FreeMimeDecStack(state->stack);
+#ifdef HAVE_NSS
+ if (state->md5_ctx)
+ HASH_Destroy(state->md5_ctx);
+#endif
 SCFree(state);
 }
@@ -2427,6 +2442,13 @@ int MimeDecParseComplete(MimeDecParseState *state)
 return ret;
 }
+#ifdef HAVE_NSS
+ if (state->md5_ctx) {
+ unsigned int len = 0;
+ HASH_End(state->md5_ctx, state->md5, &len, sizeof(state->md5));
+ }
+#endif
+
 if (state->stack->top == NULL) {
 state->msg->anomaly_flags |= ANOM_MALFORMED_MSG;
 SCLogDebug("Error: Message is malformed");
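Review bot: `HASH_Update(state->md5_ctx, buf, len + 2)` in ProcessMimeBody hashes two bytes beyond the length the caller passed, so it is only safe if every line is followed by a CRLF inside the same buffer. A line ending in a bare LF, or a final line with no terminator, would turn this into an out-of-bounds read on attacker-controlled SMTP data; whether callers guarantee the trailing CRLF is not visible in this hunk. The same expression appears in the MimeDecParseLine hunk (`line, len + 2`). Hashing only the bytes handed in and appending the delimiter explicitly removes that dependency: `HASH_Update(state->md5_ctx, buf, len);` followed by `HASH_Update(state->md5_ctx, (const unsigned char *)"\r\n", 2);`. ProcessMimeBody starts and ends outside the hunk.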
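Review bot: The `if (state->md5_ctx)` guard in MimeDecDeInitParser is the only conditional added by this patch without braces; the other HAVE_NSS blocks brace theirs. Writing it as `if (state->md5_ctx) {`, `HASH_Destroy(state->md5_ctx);`, `}` keeps the cleanup path consistent and stops a later second statement from silently falling outside the guard. The function starts outside the hunk.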
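Review bot: After `HASH_End` in MimeDecParseComplete nothing records that `state->md5` now holds a digest, and the returned `len` is discarded. If `md5_ctx` is NULL (no body seen, or HASH_Create failed) or the early `return ret;` above the block is taken, `state->md5` keeps whatever it held before, so a consumer cannot tell a real digest from an unset buffer; how the state is initialised is not visible here. Consider checking `len == sizeof(state->md5)` and storing a validity flag next to the digest. The context also stays allocated and non-NULL after finalisation, so a later MimeDecParseLine call would still pass it to `HASH_Update`; destroying it here and setting `state->md5_ctx = NULL;` would close that path. The function starts outside the hunk.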
@@ -2475,6 +2497,11 @@ int MimeDecParseLine(const uint8_t *line, const uint32_t len,
 SCLogDebug("SMTP LINE - EMPTY");
 }
+#ifdef HAVE_NSS
+ if (state->md5_ctx) {
+ HASH_Update(state->md5_ctx, line, len + 2);
+ }
+#endif
 /* Process the entity */
 ret = ProcessMimeEntity(line, len, state);
 if (ret != MIME_DEC_OK) {
diff --git a/src/util-decode-mime.h b/src/util-decode-mime.h
index 792fbcc199..69f328e3c6 100644
--- a/src/util-decode-mime.h
+++ b/src/util-decode-mime.h
@@ -197,6 +197,10 @@ typedef struct MimeDecParseState {
 uint8_t bvremain[B64_BLOCK]; /**< Remainder from base64-decoded line */
 uint8_t bvr_len; /**< Length of remainder from base64-decoded line */
 uint8_t data_chunk[DATA_CHUNK_SIZE]; /**< Buffer holding data chunk */
+#ifdef HAVE_NSS
+ HASHContext *md5_ctx;
+ uint8_t md5[MD5_LENGTH];
+#endif
 uint8_t state_flag; /**< Flag representing current state of parser */
 uint32_t data_chunk_len; /**< Length of data chunk */
 int found_child; /**< Flag indicating a child entity was found */
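Review bot: The added `HASH_Update` in MimeDecParseLine has no comment saying what the digest covers, and it runs on every raw line before ProcessMimeEntity once the context exists. The hash therefore presumably includes MIME boundary lines, part headers and still-encoded text, not just the decoded content. Boundary strings are commonly generated per message, so two mails with the same visible content may hash differently, which works against the stated goal of spotting identical bodies sent to different recipients. Suggested comment above the call: `/* Hash the raw line as received (boundaries and encoded parts included), plus its CRLF */`. The function starts and ends outside the hunk.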
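Review bot: The two new members of MimeDecParseState have no `/**< ... */` description, unlike every neighbouring field in the hunk. Suggested: `HASHContext *md5_ctx; /**< NSS context for the running MD5 of the body, NULL until the body starts */` and `uint8_t md5[MD5_LENGTH]; /**< MD5 of the body, filled in by MimeDecParseComplete */`. The comment should also say that MD5 is not collision-resistant, so the value suits correlating identical mails but is not proof that two bodies match when the sender is hostile. The struct starts and ends outside the hunk.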