suricata
Data Structures | Macros | Typedefs | Enumerations | Functions | Variables
app-layer-ssl.c File Reference
#include "suricata-common.h"
#include "decode.h"
#include "app-layer.h"
#include "app-layer-detect-proto.h"
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "app-layer-frames.h"
#include "app-layer-ssl.h"
#include "conf.h"
#include "feature.h"
#include "util-debug.h"
#include "util-ja3.h"
#include "util-enum.h"
#include "util-validate.h"
Include dependency graph for app-layer-ssl.c:

Go to the source code of this file.

Data Structures

struct  SslConfig_
 
struct  SSLDecoderResult
 

Macros

#define SSL_CONFIG_DEFAULT_JA3   0
 
#define SSL_CONFIG_DEFAULT_JA4   0
 
#define SSLV3_CHANGE_CIPHER_SPEC   20
 
#define SSLV3_ALERT_PROTOCOL   21
 
#define SSLV3_HANDSHAKE_PROTOCOL   22
 
#define SSLV3_APPLICATION_PROTOCOL   23
 
#define SSLV3_HEARTBEAT_PROTOCOL   24
 
#define SSLV3_HS_HELLO_REQUEST   0
 
#define SSLV3_HS_CLIENT_HELLO   1
 
#define SSLV3_HS_SERVER_HELLO   2
 
#define SSLV3_HS_NEW_SESSION_TICKET   4
 
#define SSLV3_HS_CERTIFICATE   11
 
#define SSLV3_HS_SERVER_KEY_EXCHANGE   12
 
#define SSLV3_HS_CERTIFICATE_REQUEST   13
 
#define SSLV3_HS_SERVER_HELLO_DONE   14
 
#define SSLV3_HS_CERTIFICATE_VERIFY   15
 
#define SSLV3_HS_CLIENT_KEY_EXCHANGE   16
 
#define SSLV3_HS_FINISHED   20
 
#define SSLV3_HS_CERTIFICATE_URL   21
 
#define SSLV3_HS_CERTIFICATE_STATUS   22
 
#define SSLV2_MT_ERROR   0
 
#define SSLV2_MT_CLIENT_HELLO   1
 
#define SSLV2_MT_CLIENT_MASTER_KEY   2
 
#define SSLV2_MT_CLIENT_FINISHED   3
 
#define SSLV2_MT_SERVER_HELLO   4
 
#define SSLV2_MT_SERVER_VERIFY   5
 
#define SSLV2_MT_SERVER_FINISHED   6
 
#define SSLV2_MT_REQUEST_CERTIFICATE   7
 
#define SSLV2_MT_CLIENT_CERTIFICATE   8
 
#define SSLV3_RECORD_HDR_LEN   5
 
#define SSLV3_RECORD_MAX_LEN   ((1 << 14) + 1024)
 
#define SSLV3_CLIENT_HELLO_VERSION_LEN   2
 
#define SSLV3_CLIENT_HELLO_RANDOM_LEN   32
 
#define TLS_HB_REQUEST   1
 
#define TLS_HB_RESPONSE   2
 
#define SSL_RECORD_MINIMUM_LENGTH   6
 
#define SHA1_STRING_LENGTH   60
 
#define HAS_SPACE(n)   ((uint64_t)(input - initial_input) + (uint64_t)(n) <= (uint64_t)(input_len))
 
#define SSL_DECODER_ERROR(e)
 
#define SSL_DECODER_OK(c)
 
#define SSL_DECODER_INCOMPLETE(c, n)
 
#define ValidateRecordState(...)
 
#define SSLParserHSReset(connp)
 
#define SSLParserReset(state)
 
#define SSLSetEvent(ssl_state, event)
 

Typedefs

typedef struct SslConfig_ SslConfig
 

Enumerations

enum  {
  ERR_INVALID_CERTIFICATE =1, ERR_INVALID_LENGTH, ERR_INVALID_VERSION, ERR_INVALID_SERIAL,
  ERR_INVALID_ALGORITHMIDENTIFIER, ERR_INVALID_X509NAME, ERR_INVALID_DATE, ERR_INVALID_EXTENSIONS,
  ERR_INVALID_DER, ERR_EXTRACT_SUBJECT, ERR_EXTRACT_ISSUER, ERR_EXTRACT_VALIDITY
}
 
enum  SslConfigEncryptHandling { SSL_CNF_ENC_HANDLE_DEFAULT = 0, SSL_CNF_ENC_HANDLE_BYPASS = 1, SSL_CNF_ENC_HANDLE_FULL = 2 }
 

Functions

void SSLVersionToString (uint16_t version, char *buffer)
 
void RegisterSSLParsers (void)
 Function to register the SSL protocol parser and other functions. More...
 
void SSLEnableJA3 (void)
 if not explicitly disabled in config, enable ja3 support More...
 
void SSLEnableJA4 (void)
 if not explicitly disabled in config, enable ja4 support More...
 
bool SSLJA3IsEnabled (void)
 return whether ja3 is effectively enabled More...
 
bool SSLJA4IsEnabled (void)
 return whether ja4 is effectively enabled More...
 

Variables

SCEnumCharMap tls_frame_table []
 
SCEnumCharMap tls_decoder_event_table []
 
SslConfig ssl_config
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com
Pierre Chifflier pierr.nosp@m.e.ch.nosp@m.iffli.nosp@m.er@s.nosp@m.si.go.nosp@m.uv.f.nosp@m.r
Mats Klepsland mats..nosp@m.klep.nosp@m.sland.nosp@m.@gma.nosp@m.il.co.nosp@m.m

Definition in file app-layer-ssl.c.

Macro Definition Documentation

◆ HAS_SPACE

#define HAS_SPACE (   n)    ((uint64_t)(input - initial_input) + (uint64_t)(n) <= (uint64_t)(input_len))

Definition at line 205 of file app-layer-ssl.c.

◆ SHA1_STRING_LENGTH

#define SHA1_STRING_LENGTH   60

Definition at line 203 of file app-layer-ssl.c.

◆ SSL_CONFIG_DEFAULT_JA3

#define SSL_CONFIG_DEFAULT_JA3   0

Definition at line 136 of file app-layer-ssl.c.

◆ SSL_CONFIG_DEFAULT_JA4

#define SSL_CONFIG_DEFAULT_JA4   0

Definition at line 137 of file app-layer-ssl.c.

◆ SSL_DECODER_ERROR

#define SSL_DECODER_ERROR (   e)
Value:
(struct SSLDecoderResult) \
{ \
(e), 0 \
}

Definition at line 211 of file app-layer-ssl.c.

◆ SSL_DECODER_INCOMPLETE

#define SSL_DECODER_INCOMPLETE (   c,
 
)
Value:
(struct SSLDecoderResult) \
{ \
(uint32_t)(c), (n) \
}

Definition at line 221 of file app-layer-ssl.c.

◆ SSL_DECODER_OK

#define SSL_DECODER_OK (   c)
Value:
(struct SSLDecoderResult) \
{ \
(uint32_t)(c), 0 \
}

Definition at line 216 of file app-layer-ssl.c.

◆ SSL_RECORD_MINIMUM_LENGTH

#define SSL_RECORD_MINIMUM_LENGTH   6

Definition at line 201 of file app-layer-ssl.c.

◆ SSLParserHSReset

#define SSLParserHSReset (   connp)
Value:
do { \
(connp)->handshake_type = 0; \
(connp)->message_length = 0; \
} while (0)

Definition at line 257 of file app-layer-ssl.c.

◆ SSLParserReset

#define SSLParserReset (   state)
Value:
do { \
SCLogDebug("resetting state"); \
(state)->curr_connp->bytes_processed = 0; \
SSLParserHSReset((state)->curr_connp); \
} while(0)

Definition at line 263 of file app-layer-ssl.c.

◆ SSLSetEvent

#define SSLSetEvent (   ssl_state,
  event 
)
Value:
do { \
SCLogDebug("setting event %u", (event)); \
if ((ssl_state) == NULL) { \
SCLogDebug("could not set decoder event %u", event); \
} else { \
AppLayerDecoderEventsSetEventRaw(&(ssl_state)->tx_data.events, (event)); \
(ssl_state)->events++; \
} \
} while (0)

Definition at line 270 of file app-layer-ssl.c.

◆ SSLV2_MT_CLIENT_CERTIFICATE

#define SSLV2_MT_CLIENT_CERTIFICATE   8

Definition at line 188 of file app-layer-ssl.c.

◆ SSLV2_MT_CLIENT_FINISHED

#define SSLV2_MT_CLIENT_FINISHED   3

Definition at line 183 of file app-layer-ssl.c.

◆ SSLV2_MT_CLIENT_HELLO

#define SSLV2_MT_CLIENT_HELLO   1

Definition at line 181 of file app-layer-ssl.c.

◆ SSLV2_MT_CLIENT_MASTER_KEY

#define SSLV2_MT_CLIENT_MASTER_KEY   2

Definition at line 182 of file app-layer-ssl.c.

◆ SSLV2_MT_ERROR

#define SSLV2_MT_ERROR   0

Definition at line 180 of file app-layer-ssl.c.

◆ SSLV2_MT_REQUEST_CERTIFICATE

#define SSLV2_MT_REQUEST_CERTIFICATE   7

Definition at line 187 of file app-layer-ssl.c.

◆ SSLV2_MT_SERVER_FINISHED

#define SSLV2_MT_SERVER_FINISHED   6

Definition at line 186 of file app-layer-ssl.c.

◆ SSLV2_MT_SERVER_HELLO

#define SSLV2_MT_SERVER_HELLO   4

Definition at line 184 of file app-layer-ssl.c.

◆ SSLV2_MT_SERVER_VERIFY

#define SSLV2_MT_SERVER_VERIFY   5

Definition at line 185 of file app-layer-ssl.c.

◆ SSLV3_ALERT_PROTOCOL

#define SSLV3_ALERT_PROTOCOL   21

Definition at line 159 of file app-layer-ssl.c.

◆ SSLV3_APPLICATION_PROTOCOL

#define SSLV3_APPLICATION_PROTOCOL   23

Definition at line 161 of file app-layer-ssl.c.

◆ SSLV3_CHANGE_CIPHER_SPEC

#define SSLV3_CHANGE_CIPHER_SPEC   20

Definition at line 158 of file app-layer-ssl.c.

◆ SSLV3_CLIENT_HELLO_RANDOM_LEN

#define SSLV3_CLIENT_HELLO_RANDOM_LEN   32

Definition at line 195 of file app-layer-ssl.c.

◆ SSLV3_CLIENT_HELLO_VERSION_LEN

#define SSLV3_CLIENT_HELLO_VERSION_LEN   2

Definition at line 194 of file app-layer-ssl.c.

◆ SSLV3_HANDSHAKE_PROTOCOL

#define SSLV3_HANDSHAKE_PROTOCOL   22

Definition at line 160 of file app-layer-ssl.c.

◆ SSLV3_HEARTBEAT_PROTOCOL

#define SSLV3_HEARTBEAT_PROTOCOL   24

Definition at line 162 of file app-layer-ssl.c.

◆ SSLV3_HS_CERTIFICATE

#define SSLV3_HS_CERTIFICATE   11

Definition at line 169 of file app-layer-ssl.c.

◆ SSLV3_HS_CERTIFICATE_REQUEST

#define SSLV3_HS_CERTIFICATE_REQUEST   13

Definition at line 171 of file app-layer-ssl.c.

◆ SSLV3_HS_CERTIFICATE_STATUS

#define SSLV3_HS_CERTIFICATE_STATUS   22

Definition at line 177 of file app-layer-ssl.c.

◆ SSLV3_HS_CERTIFICATE_URL

#define SSLV3_HS_CERTIFICATE_URL   21

Definition at line 176 of file app-layer-ssl.c.

◆ SSLV3_HS_CERTIFICATE_VERIFY

#define SSLV3_HS_CERTIFICATE_VERIFY   15

Definition at line 173 of file app-layer-ssl.c.

◆ SSLV3_HS_CLIENT_HELLO

#define SSLV3_HS_CLIENT_HELLO   1

Definition at line 166 of file app-layer-ssl.c.

◆ SSLV3_HS_CLIENT_KEY_EXCHANGE

#define SSLV3_HS_CLIENT_KEY_EXCHANGE   16

Definition at line 174 of file app-layer-ssl.c.

◆ SSLV3_HS_FINISHED

#define SSLV3_HS_FINISHED   20

Definition at line 175 of file app-layer-ssl.c.

◆ SSLV3_HS_HELLO_REQUEST

#define SSLV3_HS_HELLO_REQUEST   0

Definition at line 165 of file app-layer-ssl.c.

◆ SSLV3_HS_NEW_SESSION_TICKET

#define SSLV3_HS_NEW_SESSION_TICKET   4

Definition at line 168 of file app-layer-ssl.c.

◆ SSLV3_HS_SERVER_HELLO

#define SSLV3_HS_SERVER_HELLO   2

Definition at line 167 of file app-layer-ssl.c.

◆ SSLV3_HS_SERVER_HELLO_DONE

#define SSLV3_HS_SERVER_HELLO_DONE   14

Definition at line 172 of file app-layer-ssl.c.

◆ SSLV3_HS_SERVER_KEY_EXCHANGE

#define SSLV3_HS_SERVER_KEY_EXCHANGE   12

Definition at line 170 of file app-layer-ssl.c.

◆ SSLV3_RECORD_HDR_LEN

#define SSLV3_RECORD_HDR_LEN   5

Definition at line 190 of file app-layer-ssl.c.

◆ SSLV3_RECORD_MAX_LEN

#define SSLV3_RECORD_MAX_LEN   ((1 << 14) + 1024)

max length according to RFC 5246 6.2.2 is 2^14 + 1024

Definition at line 192 of file app-layer-ssl.c.

◆ TLS_HB_REQUEST

#define TLS_HB_REQUEST   1

Definition at line 198 of file app-layer-ssl.c.

◆ TLS_HB_RESPONSE

#define TLS_HB_RESPONSE   2

Definition at line 199 of file app-layer-ssl.c.

◆ ValidateRecordState

#define ValidateRecordState (   ...)

Definition at line 254 of file app-layer-ssl.c.

Typedef Documentation

◆ SslConfig

typedef struct SslConfig_ SslConfig

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
ERR_INVALID_CERTIFICATE 
ERR_INVALID_LENGTH 
ERR_INVALID_VERSION 
ERR_INVALID_SERIAL 
ERR_INVALID_ALGORITHMIDENTIFIER 
ERR_INVALID_X509NAME 
ERR_INVALID_DATE 
ERR_INVALID_EXTENSIONS 
ERR_INVALID_DER 
ERR_EXTRACT_SUBJECT 
ERR_EXTRACT_ISSUER 
ERR_EXTRACT_VALIDITY 

Definition at line 115 of file app-layer-ssl.c.

◆ SslConfigEncryptHandling

enum SslConfigEncryptHandling
Enumerator
SSL_CNF_ENC_HANDLE_DEFAULT 

disable raw content, continue tracking

SSL_CNF_ENC_HANDLE_BYPASS 

skip processing of flow, bypass if possible

SSL_CNF_ENC_HANDLE_FULL 

handle fully like any other proto

Definition at line 138 of file app-layer-ssl.c.

Function Documentation

◆ RegisterSSLParsers()

void RegisterSSLParsers ( void  )

Function to register the SSL protocol parser and other functions.

SSLv2 and SSLv23

Definition at line 3207 of file app-layer-ssl.c.

References ALPROTO_TLS, AppLayerProtoDetectConfProtoDetectionEnabled(), AppLayerProtoDetectRegisterProtocol(), SC_ATOMIC_INIT, and ssl_config.

Here is the call graph for this function:

◆ SSLEnableJA3()

void SSLEnableJA3 ( void  )

if not explicitly disabled in config, enable ja3 support

Implemented using atomic to allow rule reloads to do this at runtime.

Definition at line 3340 of file app-layer-ssl.c.

References SslConfig_::disable_ja3, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLEnableJA4()

void SSLEnableJA4 ( void  )

if not explicitly disabled in config, enable ja4 support

Implemented using atomic to allow rule reloads to do this at runtime.

Definition at line 3357 of file app-layer-ssl.c.

References SslConfig_::disable_ja4, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLJA3IsEnabled()

bool SSLJA3IsEnabled ( void  )

return whether ja3 is effectively enabled

This means that it either has been enabled explicitly or has been enabled by having loaded a rule while not being explicitly disabled.

Return values
trueif enabled, false otherwise

Definition at line 3376 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

◆ SSLJA4IsEnabled()

bool SSLJA4IsEnabled ( void  )

return whether ja4 is effectively enabled

This means that it either has been enabled explicitly or has been enabled by having loaded a rule while not being explicitly disabled.

Return values
trueif enabled, false otherwise

Definition at line 3389 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

◆ SSLVersionToString()

void SSLVersionToString ( uint16_t  version,
char *  buffer 
)

Definition at line 332 of file app-layer-ssl.c.

References SSL_VERSION_2, SSL_VERSION_3, strlcat(), TLS_VERSION_10, TLS_VERSION_11, TLS_VERSION_12, TLS_VERSION_13, TLS_VERSION_13_DRAFT16, TLS_VERSION_13_DRAFT17, TLS_VERSION_13_DRAFT18, TLS_VERSION_13_DRAFT19, TLS_VERSION_13_DRAFT20, TLS_VERSION_13_DRAFT20_FB, TLS_VERSION_13_DRAFT21, TLS_VERSION_13_DRAFT21_FB, TLS_VERSION_13_DRAFT22, TLS_VERSION_13_DRAFT22_FB, TLS_VERSION_13_DRAFT23, TLS_VERSION_13_DRAFT23_FB, TLS_VERSION_13_DRAFT24, TLS_VERSION_13_DRAFT25, TLS_VERSION_13_DRAFT26, TLS_VERSION_13_DRAFT26_FB, TLS_VERSION_13_DRAFT27, TLS_VERSION_13_DRAFT28, TLS_VERSION_13_PRE_DRAFT16, TLS_VERSION_UNKNOWN, and version.

Here is the call graph for this function:

Variable Documentation

◆ ssl_config

SslConfig ssl_config

Definition at line 154 of file app-layer-ssl.c.

Referenced by RegisterSSLParsers(), SSLEnableJA3(), SSLEnableJA4(), SSLJA3IsEnabled(), and SSLJA4IsEnabled().

◆ tls_decoder_event_table

SCEnumCharMap tls_decoder_event_table[]

Definition at line 78 of file app-layer-ssl.c.

◆ tls_frame_table

SCEnumCharMap tls_frame_table[]

Definition at line 46 of file app-layer-ssl.c.

SSLParserHSReset
#define SSLParserHSReset(connp)
Definition: app-layer-ssl.c:256
SSLDecoderResult
Definition: app-layer-ssl.c:206