From: Mats Klepsland
Date: Tue, 21 Aug 2018 10:58:44 +0000 (+0200)
Subject: app-layer-ssl: add support for session tickets
X-Git-Tag: suricata-4.1.0-rc2~97
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e0ef578c4681c158e7b19b9513854c09dff4dc4d;p=thirdparty%2Fsuricata.git

app-layer-ssl: add support for session tickets

Add support for logging a session as 'resumed' when using a non-empty session ticket extension in the client hello record.
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 16ec1a41d1..042c3ca327 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1018,6 +1018,20 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 break;
 }
+ case SSL_EXTENSION_SESSION_TICKET:
+ {
+ if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) &&
+ ext_len != 0) {
+ /* This has to be verified later on by checking if a
+ certificate record has been sent by the server. */
+ ssl_state->flags |= SSL_AL_FLAG_SESSION_RESUMED;
+ }
+
+ input += ext_len;
+
+ break;
+ }
+
 default:
 {
 input += ext_len;
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 398b1a84a8..05087491ab 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -110,6 +110,7 @@ enum {
 #define SSL_EXTENSION_SNI 0x0000
 #define SSL_EXTENSION_ELLIPTIC_CURVES 0x000a
 #define SSL_EXTENSION_EC_POINT_FORMATS 0x000b
+#define SSL_EXTENSION_SESSION_TICKET 0x0023
 /* SNI types */
 #define SSL_SNI_TYPE_HOST_NAME 0
diff --git a/src/log-tlslog.c b/src/log-tlslog.c
index 590cbabaeb..a75ba4cb3c 100644
--- a/src/log-tlslog.c
+++ b/src/log-tlslog.c
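Review bot: SSL_AL_FLAG_SESSION_RESUMED is set in this hunk as soon as the client merely offers a non-empty session ticket, but an offered ticket is not an accepted one (RFC 5077: the server signals acceptance with an empty session_ticket extension in its ServerHello and may instead run a full handshake). The added comment pushes the verification out to the loggers, so anything else that reads ssl_state->flags would see every ticket-bearing ClientHello as resumed. Consider recording the offer separately from the confirmed state, for example by setting a client-side flag here and only promoting it to SSL_AL_FLAG_SESSION_RESUMED once the server side of the handshake has been parsed without a Certificate message, so the decision lives in the parser rather than in each output; at minimum the comment should say `/* Client offered a ticket; resumption is unconfirmed until the server side is parsed. */`. The `input += ext_len;` line also relies on the enclosing loop having already validated ext_len against the remaining input, which is outside the hunk and should be confirmed. TLSDecodeHSHelloExtensions starts and ends outside the hunk.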
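Review bot: The new constant in app-layer-ssl.h carries no reference for its value, and since 0x0023 is easy to mistype or to confuse with a neighbouring code it is worth anchoring it in place: `#define SSL_EXTENSION_SESSION_TICKET 0x0023 /* RFC 5077 SessionTicket TLS (35) */`. The value itself matches the IANA-registered session_ticket extension type, so the change is correct as written.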
@@ -490,7 +490,12 @@ static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p,
 ssl_state->server_connp.cert0_issuerdn);
 }
 if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
- MemBufferWriteString(aft->buffer, " Session='resumed'");
+ /* Only log a session as 'resumed' if a certificate has not
+ been seen. */
+ if ((ssl_state->server_connp.cert0_issuerdn == NULL) &&
+ (ssl_state->server_connp.cert0_subject == NULL)) {
+ MemBufferWriteString(aft->buffer, " Session='resumed'");
+ }
 }
 if (hlog->flags & LOG_TLS_EXTENDED) {
diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index bed799fce0..254aa926af 100644
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -133,7 +133,12 @@ static void JsonTlsLogIssuer(json_t *js, SSLState *ssl_state)
 static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state)
 {
 if (ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) {
- json_object_set_new(js, "session_resumed", json_boolean(true));
+ /* Only log a session as 'resumed' if a certificate has not
+ been seen. */
+ if (ssl_state->server_connp.cert0_issuerdn == NULL &&
+ ssl_state->server_connp.cert0_subject == NULL) {
+ json_object_set_new(js, "session_resumed", json_boolean(true));
+ }
 }
 }
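Review bot: The check added in log-tlslog.c uses `cert0_issuerdn == NULL && cert0_subject == NULL` as a proxy for "no Certificate message was seen", which only holds when the certificate is parsed in the clear; if the server's certificate is not visible to the parser (for instance a handshake whose Certificate message is encrypted, or one the parser failed to decode), a client that merely offered a session ticket is still logged as resumed. The identical condition is duplicated in the output-json-tls.c hunk (JsonTlsLogSessionResumed), so the two loggers can drift apart; a single helper next to the SSLState definition, or having the parser clear SSL_AL_FLAG_SESSION_RESUMED when it processes a Certificate record, would keep the text and EVE outputs consistent. The comment would also be more useful if it stated the reasoning rather than the mechanism: `/* A ticket offered by the client only implies resumption if the server skipped sending a certificate. */`. LogTlsLogger starts and ends outside the hunk.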