suricata
log-tlsstore.c
Go to the documentation of this file.
1 /* Copyright (C) 2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Roliers Jean-Paul <popof.fpn@gmail.co>
22  * \author Eric Leblond <eric@regit.org>
23  * \author Victor Julien <victor@inliniac.net>
24  *
25  * Implements TLS store portion of the engine.
26  *
27  */
28 
29 #include "suricata-common.h"
30 #include "log-tlsstore.h"
31 
32 #include "decode.h"
33 
34 #include "app-layer-parser.h"
35 #include "app-layer-ssl.h"
36 
37 #include "output.h"
38 #include "log-tlslog.h"
39 
40 #include "util-conf.h"
41 #include "util-path.h"
42 #include "util-time.h"
43 
44 #define MODULE_NAME "LogTlsStoreLog"
45 
46 static char tls_logfile_base_dir[PATH_MAX] = "/tmp";
47 SC_ATOMIC_DECLARE(unsigned int, cert_id);
48 static char logging_dir_not_writable;
49 
50 #define LOGGING_WRITE_ISSUE_LIMIT 6
51 
52 typedef struct LogTlsStoreLogThread_ {
53  uint32_t tls_cnt;
54 
55  uint8_t* enc_buf;
56  size_t enc_buf_len;
58 
59 static int CreateFileName(const Packet *p, SSLState *state, char *filename, size_t filename_size)
60 {
61  char path[PATH_MAX];
62  int file_id = SC_ATOMIC_ADD(cert_id, 1);
63 
64  /* Use format : packet time + incremental ID
65  * When running on same pcap it will overwrite
66  * On a live device, we will not be able to overwrite */
67  if (snprintf(path, sizeof(path), "%s/%ld.%ld-%d.pem", tls_logfile_base_dir,
68  (long int)SCTIME_SECS(p->ts), (long int)SCTIME_USECS(p->ts),
69  file_id) == sizeof(path))
70  return 0;
71 
72  strlcpy(filename, path, filename_size);
73  return 1;
74 }
75 
76 static void LogTlsLogPem(LogTlsStoreLogThread *aft, const Packet *p, SSLState *state, int ipproto)
77 {
78 #define PEMHEADER "-----BEGIN CERTIFICATE-----\n"
79 #define PEMFOOTER "-----END CERTIFICATE-----\n"
80  //Logging pem certificate
81  char filename[PATH_MAX] = "";
82  FILE* fp = NULL;
83  FILE* fpmeta = NULL;
84  unsigned long pemlen;
85  unsigned char* pembase64ptr = NULL;
86  int ret;
87  uint8_t *ptmp;
88  SSLCertsChain *cert;
89 
90  if (TAILQ_EMPTY(&state->server_connp.certs))
91  SCReturn;
92 
93  CreateFileName(p, state, filename, sizeof(filename));
94  if (strlen(filename) == 0) {
95  SCLogWarning("Can't create PEM filename");
96  SCReturn;
97  }
98 
99  fp = fopen(filename, "w");
100  if (fp == NULL) {
101  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
102  SCLogWarning(
103  "Can't create PEM file '%s' in '%s' directory", filename, tls_logfile_base_dir);
104  logging_dir_not_writable++;
105  }
106  SCReturn;
107  }
108 
109  TAILQ_FOREACH(cert, &state->server_connp.certs, next) {
110  pemlen = Base64EncodeBufferSize(cert->cert_len);
111  if (pemlen > aft->enc_buf_len) {
112  ptmp = (uint8_t*) SCRealloc(aft->enc_buf, sizeof(uint8_t) * pemlen);
113  if (ptmp == NULL) {
114  SCFree(aft->enc_buf);
115  aft->enc_buf = NULL;
116  aft->enc_buf_len = 0;
117  SCLogWarning("Can't allocate data for base64 encoding");
118  goto end_fp;
119  }
120  aft->enc_buf = ptmp;
121  aft->enc_buf_len = pemlen;
122  }
123 
124  memset(aft->enc_buf, 0, aft->enc_buf_len);
125 
126  ret = Base64Encode((unsigned char*) cert->cert_data, cert->cert_len, aft->enc_buf, &pemlen);
127  if (ret != SC_BASE64_OK) {
128  SCLogWarning("Invalid return of Base64Encode function");
129  goto end_fwrite_fp;
130  }
131 
132  if (fprintf(fp, PEMHEADER) < 0)
133  goto end_fwrite_fp;
134 
135  pembase64ptr = aft->enc_buf;
136  while (pemlen > 0) {
137  size_t loffset = pemlen >= 64 ? 64 : pemlen;
138  if (fwrite(pembase64ptr, 1, loffset, fp) != loffset)
139  goto end_fwrite_fp;
140  if (fwrite("\n", 1, 1, fp) != 1)
141  goto end_fwrite_fp;
142  pembase64ptr += 64;
143  if (pemlen < 64)
144  break;
145  pemlen -= 64;
146  }
147 
148  if (fprintf(fp, PEMFOOTER) < 0)
149  goto end_fwrite_fp;
150  }
151  fclose(fp);
152 
153  //Logging certificate informations
154  memcpy(filename + (strlen(filename) - 3), "meta", 4);
155  fpmeta = fopen(filename, "w");
156  if (fpmeta != NULL) {
157  #define PRINT_BUF_LEN 46
158  char srcip[PRINT_BUF_LEN], dstip[PRINT_BUF_LEN];
159  char timebuf[64];
160  Port sp, dp;
161  CreateTimeString(p->ts, timebuf, sizeof(timebuf));
162  if (!TLSGetIPInformations(p, srcip, PRINT_BUF_LEN, &sp, dstip, PRINT_BUF_LEN, &dp, ipproto))
163  goto end_fwrite_fpmeta;
164  if (fprintf(fpmeta, "TIME: %s\n", timebuf) < 0)
165  goto end_fwrite_fpmeta;
166  if (p->pcap_cnt > 0) {
167  if (fprintf(fpmeta, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt) < 0)
168  goto end_fwrite_fpmeta;
169  }
170  if (fprintf(fpmeta, "SRC IP: %s\n", srcip) < 0)
171  goto end_fwrite_fpmeta;
172  if (fprintf(fpmeta, "DST IP: %s\n", dstip) < 0)
173  goto end_fwrite_fpmeta;
174  if (fprintf(fpmeta, "PROTO: %" PRIu32 "\n", p->proto) < 0)
175  goto end_fwrite_fpmeta;
176  if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) {
177  if (fprintf(fpmeta, "SRC PORT: %" PRIu16 "\n", sp) < 0)
178  goto end_fwrite_fpmeta;
179  if (fprintf(fpmeta, "DST PORT: %" PRIu16 "\n", dp) < 0)
180  goto end_fwrite_fpmeta;
181  }
182 
183  if (fprintf(fpmeta, "TLS SUBJECT: %s\n"
184  "TLS ISSUERDN: %s\n"
185  "TLS FINGERPRINT: %s\n",
188  state->server_connp.cert0_fingerprint) < 0)
189  goto end_fwrite_fpmeta;
190 
191  fclose(fpmeta);
192  } else {
193  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
194  SCLogWarning("Can't create meta file '%s' in '%s' directory", filename,
195  tls_logfile_base_dir);
196  logging_dir_not_writable++;
197  }
198  SCReturn;
199  }
200 
201  /* Reset the store flag */
203  SCReturn;
204 
205 end_fwrite_fp:
206  fclose(fp);
207  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
208  SCLogWarning("Unable to write certificate");
209  logging_dir_not_writable++;
210  }
211 end_fwrite_fpmeta:
212  if (fpmeta) {
213  fclose(fpmeta);
214  if (logging_dir_not_writable < LOGGING_WRITE_ISSUE_LIMIT) {
215  SCLogWarning("Unable to write certificate metafile");
216  logging_dir_not_writable++;
217  }
218  }
219  SCReturn;
220 end_fp:
221  fclose(fp);
222  SCReturn;
223 }
224 
225 /** \internal
226  * \brief Condition function for TLS logger
227  * \retval bool true or false -- log now?
228  */
229 static int LogTlsStoreCondition(ThreadVars *tv, const Packet *p, void *state,
230  void *tx, uint64_t tx_id)
231 {
232  if (p->flow == NULL) {
233  return FALSE;
234  }
235 
236  if (!(PKT_IS_TCP(p))) {
237  return FALSE;
238  }
239 
240  SSLState *ssl_state = (SSLState *)state;
241  if (ssl_state == NULL) {
242  SCLogDebug("no tls state, so no request logging");
243  goto dontlog;
244  }
245 
246  if ((ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) == 0)
247  goto dontlog;
248 
249  if (ssl_state->server_connp.cert0_issuerdn == NULL ||
250  ssl_state->server_connp.cert0_subject == NULL)
251  goto dontlog;
252 
253  return TRUE;
254 dontlog:
255  return FALSE;
256 }
257 
258 static int LogTlsStoreLogger(ThreadVars *tv, void *thread_data, const Packet *p,
259  Flow *f, void *state, void *tx, uint64_t tx_id)
260 {
261  LogTlsStoreLogThread *aft = (LogTlsStoreLogThread *)thread_data;
262  int ipproto = (PKT_IS_IPV4(p)) ? AF_INET : AF_INET6;
263 
264  SSLState *ssl_state = (SSLState *)state;
265  if (unlikely(ssl_state == NULL)) {
266  return 0;
267  }
268 
269  if (ssl_state->server_connp.cert_log_flag & SSL_TLS_LOG_PEM) {
270  LogTlsLogPem(aft, p, ssl_state, ipproto);
271  }
272 
273  return 0;
274 }
275 
276 static TmEcode LogTlsStoreLogThreadInit(ThreadVars *t, const void *initdata, void **data)
277 {
279  if (unlikely(aft == NULL))
280  return TM_ECODE_FAILED;
281  memset(aft, 0, sizeof(LogTlsStoreLogThread));
282 
283  if (initdata == NULL) {
284  SCLogDebug("Error getting context for LogTLSStore. \"initdata\" argument NULL");
285  SCFree(aft);
286  return TM_ECODE_FAILED;
287  }
288 
289  struct stat stat_buf;
290  /* coverity[toctou] */
291  if (stat(tls_logfile_base_dir, &stat_buf) != 0) {
292  int ret;
293  /* coverity[toctou] */
294  ret = SCMkDir(tls_logfile_base_dir, S_IRWXU|S_IXGRP|S_IRGRP);
295  if (ret != 0) {
296  int err = errno;
297  if (err != EEXIST) {
298  SCLogError("Cannot create certs drop directory %s: %s", tls_logfile_base_dir,
299  strerror(err));
300  exit(EXIT_FAILURE);
301  }
302  } else {
303  SCLogInfo("Created certs drop directory %s",
304  tls_logfile_base_dir);
305  }
306 
307  }
308 
309  *data = (void *)aft;
310  return TM_ECODE_OK;
311 }
312 
313 static TmEcode LogTlsStoreLogThreadDeinit(ThreadVars *t, void *data)
314 {
316  if (aft == NULL) {
317  return TM_ECODE_OK;
318  }
319 
320  if (aft->enc_buf != NULL)
321  SCFree(aft->enc_buf);
322 
323  /* clear memory */
324  memset(aft, 0, sizeof(LogTlsStoreLogThread));
325 
326  SCFree(aft);
327  return TM_ECODE_OK;
328 }
329 
330 static void LogTlsStoreLogExitPrintStats(ThreadVars *tv, void *data)
331 {
333  if (aft == NULL) {
334  return;
335  }
336 
337  SCLogInfo("(%s) certificates extracted %" PRIu32 "", tv->name, aft->tls_cnt);
338 }
339 
340 /**
341  * \internal
342  *
343  * \brief deinit the log ctx and write out the waldo
344  *
345  * \param output_ctx output context to deinit
346  */
347 static void LogTlsStoreLogDeInitCtx(OutputCtx *output_ctx)
348 {
349  SCFree(output_ctx);
350 }
351 
352 /** \brief Create a new http log LogFilestoreCtx.
353  * \param conf Pointer to ConfNode containing this loggers configuration.
354  * \return NULL if failure, LogFilestoreCtx* to the file_ctx if succesful
355  * */
356 static OutputInitResult LogTlsStoreLogInitCtx(ConfNode *conf)
357 {
358  OutputInitResult result = { NULL, false };
359  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
360  if (unlikely(output_ctx == NULL))
361  return result;
362 
363  output_ctx->data = NULL;
364  output_ctx->DeInit = LogTlsStoreLogDeInitCtx;
365 
366  /* FIXME we need to implement backward compability here */
367  const char *s_default_log_dir = NULL;
368  s_default_log_dir = ConfigGetLogDirectory();
369 
370  const char *s_base_dir = NULL;
371  s_base_dir = ConfNodeLookupChildValue(conf, "certs-log-dir");
372  if (s_base_dir == NULL || strlen(s_base_dir) == 0) {
373  strlcpy(tls_logfile_base_dir,
374  s_default_log_dir, sizeof(tls_logfile_base_dir));
375  } else {
376  if (PathIsAbsolute(s_base_dir)) {
377  strlcpy(tls_logfile_base_dir,
378  s_base_dir, sizeof(tls_logfile_base_dir));
379  } else {
380  snprintf(tls_logfile_base_dir, sizeof(tls_logfile_base_dir),
381  "%s/%s", s_default_log_dir, s_base_dir);
382  }
383  }
384 
385  SCLogInfo("storing certs in %s", tls_logfile_base_dir);
386 
387  /* enable the logger for the app layer */
389 
390  result.ctx = output_ctx;
391  result.ok = true;
392  SCReturnCT(result, "OutputInitResult");
393 }
394 
396 {
398  "tls-store", LogTlsStoreLogInitCtx, ALPROTO_TLS, LogTlsStoreLogger,
399  LogTlsStoreCondition, LogTlsStoreLogThreadInit,
400  LogTlsStoreLogThreadDeinit, LogTlsStoreLogExitPrintStats);
401 
402  SC_ATOMIC_INIT(cert_id);
403  SC_ATOMIC_SET(cert_id, 1);
404 
405  SCLogDebug("registered");
406 }
PKT_IS_UDP
#define PKT_IS_UDP(p)
Definition: decode.h:248
LogTlsStoreRegister
void LogTlsStoreRegister(void)
Definition: log-tlsstore.c:395
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:252
Packet_::proto
uint8_t proto
Definition: decode.h:450
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:288
SSLCertsChain_::cert_len
uint32_t cert_len
Definition: app-layer-ssl.h:226
ThreadVars_::name
char name[16]
Definition: threadvars.h:64
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:315
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:387
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:594
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:307
Flow_
Flow data structure.
Definition: flow.h:357
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:333
TAILQ_EMPTY
#define TAILQ_EMPTY(head)
Definition: queue.h:248
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:252
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
LogTlsStoreLogThread_
Definition: log-tlsstore.c:52
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:253
OutputCtx_::data
void * data
Definition: tm-modules.h:81
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
OutputCtx_
Definition: tm-modules.h:78
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
PKT_IS_TCP
#define PKT_IS_TCP(p)
Definition: decode.h:247
decode.h
OutputInitResult_::ctx
OutputCtx * ctx
Definition: output.h:47
Packet_::ts
SCTime_t ts
Definition: decode.h:471
AppLayerParserRegisterLogger
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto)
Definition: app-layer-parser.c:477
SSLCertsChain_
Definition: app-layer-ssl.h:224
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
LogTlsStoreLogThread
struct LogTlsStoreLogThread_ LogTlsStoreLogThread
util-time.h
OutputInitResult_::ok
bool ok
Definition: output.h:48
log-tlslog.h
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
app-layer-parser.h
TRUE
#define TRUE
Definition: suricata-common.h:33
LogTlsStoreLogThread_::enc_buf_len
size_t enc_buf_len
Definition: log-tlsstore.c:56
FALSE
#define FALSE
Definition: suricata-common.h:34
SCReturn
#define SCReturn
Definition: util-debug.h:273
Packet_
Definition: decode.h:428
Port
uint16_t Port
Definition: decode.h:229
TmEcode
TmEcode
Definition: tm-threads-common.h:83
SSLCertsChain_::cert_data
uint8_t * cert_data
Definition: app-layer-ssl.h:225
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:224
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
OutputInitResult_
Definition: output.h:46
util-conf.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
suricata-common.h
OutputCtx_::DeInit
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
PEMFOOTER
#define PEMFOOTER
util-path.h
SCTIME_SECS
#define SCTIME_SECS(t)
Definition: util-time.h:51
PathIsAbsolute
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition: util-path.c:44
PRINT_BUF_LEN
#define PRINT_BUF_LEN
SCMkDir
#define SCMkDir(a, b)
Definition: util-path.h:29
MODULE_NAME
#define MODULE_NAME
Definition: log-tlsstore.c:44
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
SSL_TLS_LOG_PEM
#define SSL_TLS_LOG_PEM
Definition: app-layer-ssl.h:141
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
ConfigGetLogDirectory
const char * ConfigGetLogDirectory(void)
Definition: util-conf.c:37
TLSGetIPInformations
int TLSGetIPInformations(const Packet *p, char *srcip, size_t srcip_len, Port *sp, char *dstip, size_t dstip_len, Port *dp, int ipproto)
Definition: log-tlslog.c:95
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
ConfNode_
Definition: conf.h:32
SSLStateConnp_::cert_log_flag
uint32_t cert_log_flag
Definition: app-layer-ssl.h:269
SCReturnCT
#define SCReturnCT(x, type)
Definition: util-debug.h:285
LOGGING_WRITE_ISSUE_LIMIT
#define LOGGING_WRITE_ISSUE_LIMIT
Definition: log-tlsstore.c:50
LogTlsStoreLogThread_::enc_buf
uint8_t * enc_buf
Definition: log-tlsstore.c:55
LOGGER_TLS_STORE
@ LOGGER_TLS_STORE
Definition: suricata-common.h:454
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:257
SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(unsigned int, cert_id)
log-tlsstore.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:245
OutputRegisterTxModuleWithCondition
void OutputRegisterTxModuleWithCondition(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, AppProto alproto, TxLogger TxLogFunc, TxLoggerCondition TxLogCondition, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a tx output module with condition.
Definition: output.c:337
app-layer-ssl.h
PEMHEADER
#define PEMHEADER
CreateTimeString
void CreateTimeString(const SCTime_t ts, char *str, size_t size)
Definition: util-time.c:272
output.h
SCTIME_USECS
#define SCTIME_USECS(t)
Definition: util-time.h:50
LogTlsStoreLogThread_::tls_cnt
uint32_t tls_cnt
Definition: log-tlsstore.c:53
ConfNodeLookupChildValue
const char * ConfNodeLookupChildValue(const ConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:808