suricata
log-tlsstore.c
Go to the documentation of this file.
1 /* Copyright (C) 2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Roliers Jean-Paul <popof.fpn@gmail.co>
22  * \author Eric Leblond <eric@regit.org>
23  * \author Victor Julien <victor@inliniac.net>
24  *
25  * Implements TLS store portion of the engine.
26  *
27  */
28 
29 #include "suricata-common.h"
30 #include "log-tlsstore.h"
31 
32 #include "decode.h"
33 
34 #include "app-layer-parser.h"
35 #include "app-layer-ssl.h"
36 
37 #include "output.h"
38 #include "log-tlslog.h"
39 
40 #include "util-conf.h"
41 #include "util-path.h"
42 #include "util-time.h"
43 
44 #define MODULE_NAME "LogTlsStoreLog"
45 
46 static char tls_logfile_base_dir[PATH_MAX] = "/tmp";
47 SC_ATOMIC_DECLARE(unsigned int, cert_id);
48 static char logging_dir_not_writable;
49 
50 #define LOGGING_WRITE_ISSUE_LIMIT 6
51 
52 typedef struct LogTlsStoreLogThread_ {
53  uint32_t tls_cnt;
54 
55  uint8_t* enc_buf;
56  size_t enc_buf_len;
58 
59 static int CreateFileName(const Packet *p, SSLState *state, char *filename, size_t filename_size)
60 {
61  char path[PATH_MAX];
62  int file_id = SC_ATOMIC_ADD(cert_id, 1);
63 
64  /* Use format : packet time + incremental ID
65  * When running on same pcap it will overwrite
66  * On a live device, we will not be able to overwrite */
67  if (snprintf(path, sizeof(path), "%s/%ld.%ld-%d.pem", tls_logfile_base_dir,
68  (long int)SCTIME_SECS(p->ts), (long int)SCTIME_USECS(p->ts),
69  file_id) == sizeof(path))
70  return 0;
71 
72  strlcpy(filename, path, filename_size);
73  return 1;
74 }
75 
76 static void LogTlsLogPem(LogTlsStoreLogThread *aft, const Packet *p, SSLState *state, int ipproto)
77 {
78 #define PEMHEADER "-----BEGIN CERTIFICATE-----\n"
79 #define PEMFOOTER "-----END CERTIFICATE-----\n"
80  //Logging pem certificate
81  char filename[PATH_MAX] = "";
82  FILE* fp = NULL;
83  FILE* fpmeta = NULL;
84  unsigned long pemlen;
85  unsigned char* pembase64ptr = NULL;
86  int ret;
87  uint8_t *ptmp;
88  SSLCertsChain *cert;
89 
90  if (TAILQ_EMPTY(&state->server_connp.certs))
91  SCReturn;
92 
93  CreateFileName(p, state, filename, sizeof(filename));
94  if (strlen(filename) == 0) {
95  SCLogWarning("Can't create PEM filename");
96  SCReturn;
97  }
98 
99  fp = fopen(filename, "w");
100  if (fp == NULL) {
101  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
102  SCLogWarning(
103  "Can't create PEM file '%s' in '%s' directory", filename, tls_logfile_base_dir);
104  logging_dir_not_writable++;
105  }
106  SCReturn;
107  }
108 
109  TAILQ_FOREACH(cert, &state->server_connp.certs, next) {
110  pemlen = Base64EncodeBufferSize(cert->cert_len);
111  if (pemlen > aft->enc_buf_len) {
112  ptmp = (uint8_t*) SCRealloc(aft->enc_buf, sizeof(uint8_t) * pemlen);
113  if (ptmp == NULL) {
114  SCFree(aft->enc_buf);
115  aft->enc_buf = NULL;
116  aft->enc_buf_len = 0;
117  SCLogWarning("Can't allocate data for base64 encoding");
118  goto end_fp;
119  }
120  aft->enc_buf = ptmp;
121  aft->enc_buf_len = pemlen;
122  }
123 
124  memset(aft->enc_buf, 0, aft->enc_buf_len);
125 
126  ret = Base64Encode((unsigned char*) cert->cert_data, cert->cert_len, aft->enc_buf, &pemlen);
127  if (ret != SC_BASE64_OK) {
128  SCLogWarning("Invalid return of Base64Encode function");
129  goto end_fwrite_fp;
130  }
131 
132  if (fprintf(fp, PEMHEADER) < 0)
133  goto end_fwrite_fp;
134 
135  pembase64ptr = aft->enc_buf;
136  while (pemlen > 0) {
137  size_t loffset = pemlen >= 64 ? 64 : pemlen;
138  if (fwrite(pembase64ptr, 1, loffset, fp) != loffset)
139  goto end_fwrite_fp;
140  if (fwrite("\n", 1, 1, fp) != 1)
141  goto end_fwrite_fp;
142  pembase64ptr += 64;
143  if (pemlen < 64)
144  break;
145  pemlen -= 64;
146  }
147 
148  if (fprintf(fp, PEMFOOTER) < 0)
149  goto end_fwrite_fp;
150  }
151  fclose(fp);
152 
153  //Logging certificate informations
154  memcpy(filename + (strlen(filename) - 3), "meta", 4);
155  fpmeta = fopen(filename, "w");
156  if (fpmeta != NULL) {
157  #define PRINT_BUF_LEN 46
158  char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
159  char timebuf[64];
160  Port sp, dp;
161  CreateTimeString(p->ts, timebuf, sizeof(timebuf));
162  if (!TLSGetIPInformations(p, srcip, PRINT_BUF_LEN, &sp, dstip, PRINT_BUF_LEN, &dp, ipproto))
163  goto end_fwrite_fpmeta;
164  if (fprintf(fpmeta, "TIME: %s\n", timebuf) < 0)
165  goto end_fwrite_fpmeta;
166  if (p->pcap_cnt > 0) {
167  if (fprintf(fpmeta, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt) < 0)
168  goto end_fwrite_fpmeta;
169  }
170  if (fprintf(fpmeta, "SRC IP: %s\n", srcip) < 0)
171  goto end_fwrite_fpmeta;
172  if (fprintf(fpmeta, "DST IP: %s\n", dstip) < 0)
173  goto end_fwrite_fpmeta;
174  if (fprintf(fpmeta, "PROTO: %" PRIu32 "\n", p->proto) < 0)
175  goto end_fwrite_fpmeta;
176  if (PacketIsTCP(p) || PacketIsUDP(p)) {
177  if (fprintf(fpmeta, "SRC PORT: %" PRIu16 "\n", sp) < 0)
178  goto end_fwrite_fpmeta;
179  if (fprintf(fpmeta, "DST PORT: %" PRIu16 "\n", dp) < 0)
180  goto end_fwrite_fpmeta;
181  }
182 
183  if (fprintf(fpmeta, "TLS SUBJECT: %s\n"
184  "TLS ISSUERDN: %s\n"
185  "TLS FINGERPRINT: %s\n",
188  state->server_connp.cert0_fingerprint) < 0)
189  goto end_fwrite_fpmeta;
190 
191  fclose(fpmeta);
192  } else {
193  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
194  SCLogWarning("Can't create meta file '%s' in '%s' directory", filename,
195  tls_logfile_base_dir);
196  logging_dir_not_writable++;
197  }
198  SCReturn;
199  }
200 
201  /* Reset the store flag */
203  SCReturn;
204 
205 end_fwrite_fp:
206  fclose(fp);
207  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
208  SCLogWarning("Unable to write certificate");
209  logging_dir_not_writable++;
210  }
211 end_fwrite_fpmeta:
212  if (fpmeta) {
213  fclose(fpmeta);
214  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
215  SCLogWarning("Unable to write certificate metafile");
216  logging_dir_not_writable++;
217  }
218  }
219  SCReturn;
220 end_fp:
221  fclose(fp);
222  SCReturn;
223 }
224 
225 /** \internal
226  * \brief Condition function for TLS logger
227  * \retval bool true or false -- log now?
228  */
229 static bool LogTlsStoreCondition(
230  ThreadVars *tv, const Packet *p, void *state, void *tx, uint64_t tx_id)
231 {
232  if (p->flow == NULL) {
233  return false;
234  }
235 
236  if (!(PacketIsTCP(p))) {
237  return false;
238  }
239 
240  SSLState *ssl_state = (SSLState *)state;
241  if (ssl_state == NULL) {
242  SCLogDebug("no tls state, so no request logging");
243  goto dontlog;
244  }
245 
246  if ((ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) == 0)
247  goto dontlog;
248 
249  if (ssl_state->server_connp.cert0_issuerdn == NULL ||
250  ssl_state->server_connp.cert0_subject == NULL)
251  goto dontlog;
252 
253  return true;
254 dontlog:
255  return false;
256 }
257 
258 static int LogTlsStoreLogger(ThreadVars *tv, void *thread_data, const Packet *p,
259  Flow *f, void *state, void *tx, uint64_t tx_id)
260 {
261  LogTlsStoreLogThread *aft = (LogTlsStoreLogThread *)thread_data;
262  int ipproto = (PacketIsIPv4(p)) ? AF_INET : AF_INET6;
263 
264  SSLState *ssl_state = (SSLState *)state;
265  if (unlikely(ssl_state == NULL)) {
266  return 0;
267  }
268 
269  if (ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) {
270  LogTlsLogPem(aft, p, ssl_state, ipproto);
271  }
272 
273  return 0;
274 }
275 
276 static TmEcode LogTlsStoreLogThreadInit(ThreadVars *t, const void *initdata, void **data)
277 {
279  if (unlikely(aft == NULL))
280  return TM_ECODE_FAILED;
281 
282  if (initdata == NULL) {
283  SCLogDebug("Error getting context for LogTLSStore. \"initdata\" argument NULL");
284  SCFree(aft);
285  return TM_ECODE_FAILED;
286  }
287 
288  struct stat stat_buf;
289  /* coverity[toctou] */
290  if (stat(tls_logfile_base_dir, &stat_buf) != 0) {
291  int ret;
292  /* coverity[toctou] */
293  ret = SCMkDir(tls_logfile_base_dir, S_IRWXU|S_IXGRP|S_IRGRP);
294  if (ret != 0) {
295  int err = errno;
296  if (err != EEXIST) {
297  SCLogError("Cannot create certs drop directory %s: %s", tls_logfile_base_dir,
298  strerror(err));
299  exit(EXIT_FAILURE);
300  }
301  } else {
302  SCLogInfo("Created certs drop directory %s",
303  tls_logfile_base_dir);
304  }
305 
306  }
307 
308  *data = (void *)aft;
309  return TM_ECODE_OK;
310 }
311 
312 static TmEcode LogTlsStoreLogThreadDeinit(ThreadVars *t, void *data)
313 {
315  if (aft == NULL) {
316  return TM_ECODE_OK;
317  }
318 
319  if (aft->enc_buf != NULL)
320  SCFree(aft->enc_buf);
321 
322  /* clear memory */
323  memset(aft, 0, sizeof(LogTlsStoreLogThread));
324 
325  SCFree(aft);
326  return TM_ECODE_OK;
327 }
328 
329 static void LogTlsStoreLogExitPrintStats(ThreadVars *tv, void *data)
330 {
332  if (aft == NULL) {
333  return;
334  }
335 
336  SCLogInfo("(%s) certificates extracted %" PRIu32 "", tv->name, aft->tls_cnt);
337 }
338 
339 /**
340  * \internal
341  *
342  * \brief deinit the log ctx and write out the waldo
343  *
344  * \param output_ctx output context to deinit
345  */
346 static void LogTlsStoreLogDeInitCtx(OutputCtx *output_ctx)
347 {
348  SCFree(output_ctx);
349 }
350 
351 /** \brief Create a new http log LogFilestoreCtx.
352  * \param conf Pointer to ConfNode containing this loggers configuration.
353  * \return NULL if failure, LogFilestoreCtx* to the file_ctx if succesful
354  * */
355 static OutputInitResult LogTlsStoreLogInitCtx(ConfNode *conf)
356 {
357  OutputInitResult result = { NULL, false };
358  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
359  if (unlikely(output_ctx == NULL))
360  return result;
361 
362  output_ctx->data = NULL;
363  output_ctx->DeInit = LogTlsStoreLogDeInitCtx;
364 
365  /* FIXME we need to implement backward compatibility here */
366  const char *s_default_log_dir = NULL;
367  s_default_log_dir = ConfigGetLogDirectory();
368 
369  const char *s_base_dir = NULL;
370  s_base_dir = ConfNodeLookupChildValue(conf, "certs-log-dir");
371  if (s_base_dir == NULL || strlen(s_base_dir) == 0) {
372  strlcpy(tls_logfile_base_dir,
373  s_default_log_dir, sizeof(tls_logfile_base_dir));
374  } else {
375  if (PathIsAbsolute(s_base_dir)) {
376  strlcpy(tls_logfile_base_dir,
377  s_base_dir, sizeof(tls_logfile_base_dir));
378  } else {
379  snprintf(tls_logfile_base_dir, sizeof(tls_logfile_base_dir),
380  "%s/%s", s_default_log_dir, s_base_dir);
381  }
382  }
383 
384  SCLogInfo("storing certs in %s", tls_logfile_base_dir);
385 
386  /* enable the logger for the app layer */
388 
389  result.ctx = output_ctx;
390  result.ok = true;
391  SCReturnCT(result, "OutputInitResult");
392 }
393 
395 {
397  "tls-store", LogTlsStoreLogInitCtx, ALPROTO_TLS, LogTlsStoreLogger,
398  LogTlsStoreCondition, LogTlsStoreLogThreadInit,
399  LogTlsStoreLogThreadDeinit, LogTlsStoreLogExitPrintStats);
400 
401  SC_ATOMIC_INIT(cert_id);
402  SC_ATOMIC_SET(cert_id, 1);
403 
404  SCLogDebug("registered");
405 }
LogTlsStoreRegister
void LogTlsStoreRegister(void)
Definition: log-tlsstore.c:394
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:250
Packet_::proto
uint8_t proto
Definition: decode.h:504
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:290
SSLCertsChain_::cert_len
uint32_t cert_len
Definition: app-layer-ssl.h:225
ThreadVars_::name
char name[16]
Definition: threadvars.h:64
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:609
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:309
Flow_
Flow data structure.
Definition: flow.h:356
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:248
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
LogTlsStoreLogThread_
Definition: log-tlsstore.c:52
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:251
OutputCtx_::data
void * data
Definition: tm-modules.h:88
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
OutputCtx_
Definition: tm-modules.h:85
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
decode.h
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
Packet_::ts
SCTime_t ts
Definition: decode.h:530
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:463
SSLCertsChain_
Definition: app-layer-ssl.h:223
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
LogTlsStoreLogThread
struct LogTlsStoreLogThread_ LogTlsStoreLogThread
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
log-tlslog.h
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
LogTlsStoreLogThread_::enc_buf_len
size_t enc_buf_len
Definition: log-tlsstore.c:56
SCReturn
#define SCReturn
Definition: util-debug.h:273
Packet_
Definition: decode.h:482
Port
uint16_t Port
Definition: decode.h:223
TmEcode
TmEcode
Definition: tm-threads-common.h:83
SSLCertsChain_::cert_data
uint8_t * cert_data
Definition: app-layer-ssl.h:224
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
OutputInitResult_
Definition: output.h:46
util-conf.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:521
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:91
PEMFOOTER
#define PEMFOOTER
util-path.h
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:57
PathIsAbsolute
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition: util-path.c:44
PRINT_BUF_LEN
#define PRINT_BUF_LEN
SCMkDir
#define SCMkDir(a, b)
Definition: util-path.h:45
MODULE_NAME
#define MODULE_NAME
Definition: log-tlsstore.c:44
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
SSL_TLS_LOG_PEM
#define SSL_TLS_LOG_PEM
Definition: app-layer-ssl.h:138
ConfigGetLogDirectory
const char * ConfigGetLogDirectory(void)
Definition: util-conf.c:38
TLSGetIPInformations
int TLSGetIPInformations(const Packet *p, char *srcip, size_t srcip_len, Port *sp, char *dstip, size_t dstip_len, Port *dp, int ipproto)
Definition: log-tlslog.c:94
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
SSLStateConnp_::cert_log_flag
uint32_t cert_log_flag
Definition: app-layer-ssl.h:269
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
LOGGING_WRITE_ISSUE_LIMIT
#define LOGGING_WRITE_ISSUE_LIMIT
Definition: log-tlsstore.c:50
LogTlsStoreLogThread_::enc_buf
uint8_t * enc_buf
Definition: log-tlsstore.c:55
LOGGER_TLS_STORE
@ LOGGER_TLS_STORE
Definition: suricata-common.h:465
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:255
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, cert_id)
log-tlsstore.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
OutputRegisterTxModuleWithCondition
void OutputRegisterTxModuleWithCondition(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, TxLoggerCondition TxLogCondition, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module with condition.
Definition: output.c:332
app-layer-ssl.h
PEMHEADER
#define PEMHEADER
CreateTimeString
void CreateTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:272
output.h
SCTIME_USECS
#define SCTIME_USECS(t)
Definition: util-time.h:56
LogTlsStoreLogThread_::tls_cnt
uint32_t tls_cnt
Definition: log-tlsstore.c:53
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:814