From: Jason Ish
Date: Mon, 8 Jan 2018 19:39:56 +0000 (-0600)
Subject: file extract: force sha256 even if truncated
X-Git-Tag: suricata-4.1.0-beta1~340
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f631e8cd906d26a9c9ecdc3f5c9e0c3f8d1f05dd;p=thirdparty%2Fsuricata.git
file extract: force sha256 even if truncated
Even if a file is truncated, force the SHA256 if force sha256 is set to yes. The new file store requires the sha256 regardless of the file state if it is to be logged, as the filename is based on the sha256.
---
diff --git a/src/util-file.c b/src/util-file.c
index 56d9bd7a32..9797e824b8 100644
--- a/src/util-file.c
+++ b/src/util-file.c
@@ -79,6 +79,9 @@ static uint32_t g_file_store_reassembly_depth = 0;
 /* prototypes */
 static void FileFree(File *);
+#ifdef HAVE_NSS
+static void FileEndSha256(File *ff);
+#endif
 void FileForceFilestoreEnable(void)
 {
@@ -879,6 +882,12 @@ static int FileCloseFilePtr(File *ff, const uint8_t *data,
 if (flags & FILE_NOSTORE) {
 SCLogDebug("not storing this file");
 ff->flags |= FILE_NOSTORE;
+ } else {
+#ifdef HAVE_NSS
+ if (g_file_force_sha256 && ff->sha256_ctx) {
+ FileEndSha256(ff);
+ }
+#endif
 }
 } else {
 ff->state = FILE_STATE_CLOSED;
@@ -896,9 +905,7 @@ static int FileCloseFilePtr(File *ff, const uint8_t *data,
 ff->flags |= FILE_SHA1;
 }
 if (ff->sha256_ctx) {
- unsigned int len = 0;
- HASH_End(ff->sha256_ctx, ff->sha256, &len, sizeof(ff->sha256));
- ff->flags |= FILE_SHA256;
+ FileEndSha256(ff);
 }
 #endif
 }
@@ -1285,3 +1292,17 @@ void FileTruncateAllOpenFiles(FileContainer *fc)
 }
 }
 }
+
+/**
+ * \brief Finish the SHA256 calculation.
+ */
+#ifdef HAVE_NSS
+static void FileEndSha256(File *ff)
+{
+ if (!(ff->flags & FILE_SHA256) && ff->sha256_ctx) {
+ unsigned int len = 0;
+ HASH_End(ff->sha256_ctx, ff->sha256, &len, sizeof(ff->sha256));
+ ff->flags |= FILE_SHA256;
+ }
+}
+#endif
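Review bot: The digest finalized in the new `else` branch of the truncated path (second hunk, `@@ -879,6 +882,12 @@`) covers only the bytes hashed before truncation, and nothing at that point records this next to the hash. Since the commit message says the new file store names files after the sha256, a consumer comparing the value with a hash of the complete file (an indicator list, for example) will not get a match, and two different files sharing the same leading bytes would presumably end up under the same name. I would add a comment above the call, `/* truncated: sha256 covers only the data seen so far, not the whole file */`, and make sure whatever logs the hash also reports the truncated state. The `FILE_NOSTORE` branch still skips finalization even with `g_file_force_sha256` set, which is narrower than the commit message suggests. FileCloseFilePtr begins and ends outside this hunk.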
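Review bot: The doc comment on `FileEndSha256` (last hunk, `@@ -1285,3 +1292,17 @@`) says only that it finishes the calculation and leaves out what a caller needs to know: the call does nothing once `FILE_SHA256` is set or when `sha256_ctx` is NULL, and it does not release the context. I would extend it with `\param ff file whose digest is finalized` and a sentence such as `Safe to call more than once; the hash context is not destroyed here.` The length that `HASH_End` writes into `len` is also discarded, so a debug-only check that it equals `sizeof(ff->sha256)` would catch a context of the wrong hash type. Because the helper already tests `ff->sha256_ctx`, the outer `if (ff->sha256_ctx)` kept around the call in the third hunk is redundant.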