suricata
app-layer-ssl.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
23  * \author Mats Klepsland <mats.klepsland@gmail.com>
24  *
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "threads.h"
31 
32 #include "stream-tcp-private.h"
33 #include "stream-tcp-reassemble.h"
34 #include "stream-tcp.h"
35 #include "stream.h"
36 
37 #include "app-layer.h"
38 #include "app-layer-protos.h"
39 #include "app-layer-parser.h"
40 #include "app-layer-frames.h"
41 #include "app-layer-ssl.h"
42 
43 #include "decode-events.h"
44 #include "conf.h"
45 
46 #include "util-spm.h"
47 #include "util-unittest.h"
48 #include "util-debug.h"
49 #include "util-print.h"
50 #include "util-pool.h"
51 #include "util-byte.h"
52 #include "util-ja3.h"
53 #include "flow-util.h"
54 #include "flow-private.h"
55 #include "util-validate.h"
56 
58  {
59  "pdu",
61  },
62  {
63  "hdr",
65  },
66  {
67  "data",
69  },
70  {
71  "alert",
73  },
74  {
75  "heartbeat",
77  },
78  {
79  "ssl2.hdr",
81  },
82  {
83  "ssl2.pdu",
85  },
86  { NULL, -1 },
87 };
88 
90  /* TLS protocol messages */
91  { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
92  { "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER },
93  { "INVALID_RECORD_VERSION", TLS_DECODER_EVENT_INVALID_RECORD_VERSION },
94  { "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
95  { "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
96  { "HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_HEARTBEAT },
97  { "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT },
98  { "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT },
99  { "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH },
100  { "HANDSHAKE_INVALID_LENGTH", TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH },
101  { "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS },
102  { "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE },
103  { "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH },
104  { "TOO_MANY_RECORDS_IN_PACKET", TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET },
105  /* certificate decoding messages */
106  { "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
107  { "CERTIFICATE_INVALID_LENGTH", TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH },
108  { "CERTIFICATE_INVALID_VERSION", TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION },
109  { "CERTIFICATE_INVALID_SERIAL", TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL },
110  { "CERTIFICATE_INVALID_ALGORITHMIDENTIFIER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER },
111  { "CERTIFICATE_INVALID_X509NAME", TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME },
112  { "CERTIFICATE_INVALID_DATE", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE },
113  { "CERTIFICATE_INVALID_EXTENSIONS", TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS },
114  { "CERTIFICATE_INVALID_DER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER },
115  { "CERTIFICATE_INVALID_SUBJECT", TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT },
116  { "CERTIFICATE_INVALID_ISSUER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER },
117  { "CERTIFICATE_INVALID_VALIDITY", TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY },
118  { "ERROR_MESSAGE_ENCOUNTERED", TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED },
119  /* used as a generic error event */
120  { "INVALID_SSL_RECORD", TLS_DECODER_EVENT_INVALID_SSL_RECORD },
121  { NULL, -1 },
122 };
123 
124 enum {
125  /* X.509 error codes, returned by decoder
126  * THESE CONSTANTS MUST MATCH rust/src/x509/mod.rs ! */
136 
137  /* error getting data */
141 };
142 
143 /* JA3 fingerprints are disabled by default */
144 #define SSL_CONFIG_DEFAULT_JA3 0
145 
147  SSL_CNF_ENC_HANDLE_DEFAULT = 0, /**< disable raw content, continue tracking */
148  SSL_CNF_ENC_HANDLE_BYPASS = 1, /**< skip processing of flow, bypass if possible */
149  SSL_CNF_ENC_HANDLE_FULL = 2, /**< handle fully like any other proto */
150 };
151 
152 typedef struct SslConfig_ {
154  /** dynamic setting for ja3: can be enabled on demand if not explicitly
155  * disabled. */
156  SC_ATOMIC_DECLARE(int, enable_ja3);
157  bool disable_ja3; /**< ja3 explicitly disabled. Don't enable on demand. */
159 
161 
162 /* SSLv3 record types */
163 #define SSLV3_CHANGE_CIPHER_SPEC 20
164 #define SSLV3_ALERT_PROTOCOL 21
165 #define SSLV3_HANDSHAKE_PROTOCOL 22
166 #define SSLV3_APPLICATION_PROTOCOL 23
167 #define SSLV3_HEARTBEAT_PROTOCOL 24
168 
169 /* SSLv3 handshake protocol types */
170 #define SSLV3_HS_HELLO_REQUEST 0
171 #define SSLV3_HS_CLIENT_HELLO 1
172 #define SSLV3_HS_SERVER_HELLO 2
173 #define SSLV3_HS_NEW_SESSION_TICKET 4
174 #define SSLV3_HS_CERTIFICATE 11
175 #define SSLV3_HS_SERVER_KEY_EXCHANGE 12
176 #define SSLV3_HS_CERTIFICATE_REQUEST 13
177 #define SSLV3_HS_SERVER_HELLO_DONE 14
178 #define SSLV3_HS_CERTIFICATE_VERIFY 15
179 #define SSLV3_HS_CLIENT_KEY_EXCHANGE 16
180 #define SSLV3_HS_FINISHED 20
181 #define SSLV3_HS_CERTIFICATE_URL 21
182 #define SSLV3_HS_CERTIFICATE_STATUS 22
183 
184 /* SSLv2 protocol message types */
185 #define SSLV2_MT_ERROR 0
186 #define SSLV2_MT_CLIENT_HELLO 1
187 #define SSLV2_MT_CLIENT_MASTER_KEY 2
188 #define SSLV2_MT_CLIENT_FINISHED 3
189 #define SSLV2_MT_SERVER_HELLO 4
190 #define SSLV2_MT_SERVER_VERIFY 5
191 #define SSLV2_MT_SERVER_FINISHED 6
192 #define SSLV2_MT_REQUEST_CERTIFICATE 7
193 #define SSLV2_MT_CLIENT_CERTIFICATE 8
194 
195 #define SSLV3_RECORD_HDR_LEN 5
196 #define SSLV3_MESSAGE_HDR_LEN 4
197 
198 #define SSLV3_CLIENT_HELLO_VERSION_LEN 2
199 #define SSLV3_CLIENT_HELLO_RANDOM_LEN 32
200 
201 /* TLS heartbeat protocol types */
202 #define TLS_HB_REQUEST 1
203 #define TLS_HB_RESPONSE 2
204 
205 #define SSL_RECORD_MINIMUM_LENGTH 6
206 
207 #define SHA1_STRING_LENGTH 60
208 
209 #define HAS_SPACE(n) ((uint64_t)(input - initial_input) + (uint64_t)(n) <= (uint64_t)(input_len))
210 
211 static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size,
212  const void *src, size_t src_offset, size_t src_size, size_t src_tocopy) WARN_UNUSED;
213 
214 static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size,
215  const void *src, size_t src_offset, size_t src_size, size_t src_tocopy)
216 {
217  DEBUG_VALIDATE_BUG_ON(dst_offset >= dst_size);
218  DEBUG_VALIDATE_BUG_ON(src_offset >= src_size);
219  DEBUG_VALIDATE_BUG_ON(src_tocopy > (src_size - src_offset));
220  DEBUG_VALIDATE_BUG_ON(src_tocopy > (dst_size - dst_offset));
221 
222  if (dst_offset < dst_size && src_offset < src_size &&
223  src_tocopy <= (src_size - src_offset) &&
224  src_tocopy <= (dst_size - dst_offset)) {
225  memcpy(dst + dst_offset, src + src_offset, src_tocopy);
226  return 0;
227  }
228  return -1;
229 }
230 
231 #ifdef DEBUG_VALIDATION
232 #define ValidateRecordState(connp) \
233  do { \
234  DEBUG_VALIDATE_BUG_ON(((connp)->record_length + SSLV3_RECORD_HDR_LEN) < \
235  (connp)->bytes_processed); \
236  } while(0);
237 #else
238 #define ValidateRecordState(...)
239 #endif
240 
241 #ifdef DEBUG_VALIDATION
242 #define ValidateTrecBuffer(connp) \
243  do { \
244  DEBUG_VALIDATE_BUG_ON((connp)->trec_pos > (connp)->trec_len); \
245  DEBUG_VALIDATE_BUG_ON((connp)->trec == NULL && (connp)->trec_len > 0); \
246  DEBUG_VALIDATE_BUG_ON((connp)->trec == NULL && (connp)->trec_pos > 0); \
247  } while(0)
248 #else
249 #define ValidateTrecBuffer(...)
250 #endif
251 
252 #define SSLParserHSReset(connp) \
253  do { \
254  (connp)->trec_pos = 0; \
255  (connp)->handshake_type = 0; \
256  (connp)->hs_bytes_processed = 0; \
257  (connp)->message_length = 0; \
258  (connp)->message_start = 0; \
259  } while(0)
260 
261 #define SSLParserReset(state) \
262  do { \
263  SCLogDebug("resetting state"); \
264  (state)->curr_connp->bytes_processed = 0; \
265  SSLParserHSReset((state)->curr_connp); \
266  } while(0)
267 
268 void SSLSetEvent(SSLState *ssl_state, uint8_t event)
269 {
270  if (ssl_state == NULL) {
271  SCLogDebug("Could not set decoder event: %u", event);
272  return;
273  }
274 
275  AppLayerDecoderEventsSetEventRaw(&ssl_state->tx_data.events, event);
276  ssl_state->events++;
277 }
278 
279 static void *SSLGetTx(void *state, uint64_t tx_id)
280 {
281  SSLState *ssl_state = (SSLState *)state;
282  return ssl_state;
283 }
284 
285 static uint64_t SSLGetTxCnt(void *state)
286 {
287  /* single tx */
288  return 1;
289 }
290 
291 static int SSLGetAlstateProgress(void *tx, uint8_t direction)
292 {
293  SSLState *ssl_state = (SSLState *)tx;
294 
295  /* we don't care about direction, only that app-layer parser is done
296  and have sent an EOF */
297  if (ssl_state->flags & SSL_AL_FLAG_STATE_FINISHED) {
298  return TLS_STATE_FINISHED;
299  }
300 
301  /* we want the logger to log when the handshake is done, even if the
302  state is not finished */
303  if (ssl_state->flags & SSL_AL_FLAG_HANDSHAKE_DONE) {
304  return TLS_HANDSHAKE_DONE;
305  }
306 
307  if (direction == STREAM_TOSERVER &&
308  (ssl_state->server_connp.cert0_subject != NULL ||
309  ssl_state->server_connp.cert0_issuerdn != NULL))
310  {
311  return TLS_STATE_CERT_READY;
312  }
313 
314  return TLS_STATE_IN_PROGRESS;
315 }
316 
317 static AppLayerTxData *SSLGetTxData(void *vtx)
318 {
319  SSLState *ssl_state = (SSLState *)vtx;
320  return &ssl_state->tx_data;
321 }
322 
323 void SSLVersionToString(uint16_t version, char *buffer)
324 {
325  buffer[0] = '\0';
326 
327  switch (version) {
328  case TLS_VERSION_UNKNOWN:
329  strlcat(buffer, "UNDETERMINED", 13);
330  break;
331  case SSL_VERSION_2:
332  strlcat(buffer, "SSLv2", 6);
333  break;
334  case SSL_VERSION_3:
335  strlcat(buffer, "SSLv3", 6);
336  break;
337  case TLS_VERSION_10:
338  strlcat(buffer, "TLSv1", 6);
339  break;
340  case TLS_VERSION_11:
341  strlcat(buffer, "TLS 1.1", 8);
342  break;
343  case TLS_VERSION_12:
344  strlcat(buffer, "TLS 1.2", 8);
345  break;
346  case TLS_VERSION_13:
347  strlcat(buffer, "TLS 1.3", 8);
348  break;
350  strlcat(buffer, "TLS 1.3 draft-28", 17);
351  break;
353  strlcat(buffer, "TLS 1.3 draft-27", 17);
354  break;
356  strlcat(buffer, "TLS 1.3 draft-26", 17);
357  break;
359  strlcat(buffer, "TLS 1.3 draft-25", 17);
360  break;
362  strlcat(buffer, "TLS 1.3 draft-24", 17);
363  break;
365  strlcat(buffer, "TLS 1.3 draft-23", 17);
366  break;
368  strlcat(buffer, "TLS 1.3 draft-22", 17);
369  break;
371  strlcat(buffer, "TLS 1.3 draft-21", 17);
372  break;
374  strlcat(buffer, "TLS 1.3 draft-20", 17);
375  break;
377  strlcat(buffer, "TLS 1.3 draft-19", 17);
378  break;
380  strlcat(buffer, "TLS 1.3 draft-18", 17);
381  break;
383  strlcat(buffer, "TLS 1.3 draft-17", 17);
384  break;
386  strlcat(buffer, "TLS 1.3 draft-16", 17);
387  break;
389  strlcat(buffer, "TLS 1.3 draft-<16", 18);
390  break;
392  strlcat(buffer, "TLS 1.3 draft-20-fb", 20);
393  break;
395  strlcat(buffer, "TLS 1.3 draft-21-fb", 20);
396  break;
398  strlcat(buffer, "TLS 1.3 draft-22-fb", 20);
399  break;
401  strlcat(buffer, "TLS 1.3 draft-23-fb", 20);
402  break;
404  strlcat(buffer, "TLS 1.3 draft-26-fb", 20);
405  break;
406  default:
407  snprintf(buffer, 7, "0x%04x", version);
408  break;
409  }
410 }
411 
412 static void TlsDecodeHSCertificateErrSetEvent(SSLState *ssl_state, uint32_t err)
413 {
414  switch(err) {
417  break;
418  case ERR_EXTRACT_ISSUER:
420  break;
421  case ERR_EXTRACT_SUBJECT:
423  break;
424  case ERR_INVALID_DER:
426  break;
429  break;
430  case ERR_INVALID_DATE:
432  break;
435  break;
438  break;
439  case ERR_INVALID_SERIAL:
441  break;
442  case ERR_INVALID_VERSION:
444  break;
445  case ERR_INVALID_LENGTH:
447  break;
449  default:
451  break;
452  }
453 }
454 
455 static inline int TlsDecodeHSCertificateFingerprint(SSLState *ssl_state,
456  const uint8_t *input,
457  uint32_t cert_len)
458 {
459  if (unlikely(ssl_state->server_connp.cert0_fingerprint != NULL))
460  return 0;
461 
463  sizeof(char));
464  if (ssl_state->server_connp.cert0_fingerprint == NULL)
465  return -1;
466 
467  uint8_t hash[SC_SHA1_LEN];
468  if (SCSha1HashBuffer(input, cert_len, hash, sizeof(hash)) == 1) {
469  for (int i = 0, x = 0; x < SC_SHA1_LEN; x++) {
470  i += snprintf(ssl_state->server_connp.cert0_fingerprint + i,
471  SHA1_STRING_LENGTH - i, i == 0 ? "%02x" : ":%02x",
472  hash[x]);
473  }
474  }
475  return 0;
476 }
477 
478 static inline int TlsDecodeHSCertificateAddCertToChain(SSLState *ssl_state,
479  const uint8_t *input,
480  uint32_t cert_len)
481 {
482  SSLCertsChain *cert = SCCalloc(1, sizeof(SSLCertsChain));
483  if (cert == NULL)
484  return -1;
485 
486  cert->cert_data = (uint8_t *)input;
487  cert->cert_len = cert_len;
488  TAILQ_INSERT_TAIL(&ssl_state->server_connp.certs, cert, next);
489 
490  return 0;
491 }
492 
493 /** \retval consumed bytes consumed or -1 on error */
494 static int TlsDecodeHSCertificate(SSLState *ssl_state,
495  const uint8_t * const initial_input,
496  const uint32_t input_len)
497 {
498  const uint8_t *input = (uint8_t *)initial_input;
499  uint32_t err_code = 0;
500  X509 *x509 = NULL;
501 
502  if (!(HAS_SPACE(3)))
503  return 0;
504 
505  uint32_t cert_chain_len = *input << 16 | *(input + 1) << 8 | *(input + 2);
506  input += 3;
507 
508  if (!(HAS_SPACE(cert_chain_len)))
509  return 0;
510 
511  uint32_t processed_len = 0;
512  /* coverity[tainted_data] */
513  while (processed_len < cert_chain_len)
514  {
515  err_code = 0;
516  int rc = 0;
517 
518  if (!(HAS_SPACE(3)))
519  goto invalid_cert;
520 
521  uint32_t cert_len = *input << 16 | *(input + 1) << 8 | *(input + 2);
522  input += 3;
523 
524  if (!(HAS_SPACE(cert_len)))
525  goto invalid_cert;
526 
527  /* only store fields from the first certificate in the chain */
528  if (processed_len == 0 &&
529  ssl_state->server_connp.cert0_subject == NULL &&
530  ssl_state->server_connp.cert0_issuerdn == NULL &&
531  ssl_state->server_connp.cert0_serial == NULL)
532  {
533  int64_t not_before, not_after;
534 
535  x509 = rs_x509_decode(input, cert_len, &err_code);
536  if (x509 == NULL) {
537  TlsDecodeHSCertificateErrSetEvent(ssl_state, err_code);
538  goto next;
539  }
540 
541  char *str = rs_x509_get_subject(x509);
542  if (str == NULL) {
543  err_code = ERR_EXTRACT_SUBJECT;
544  goto error;
545  }
546  ssl_state->server_connp.cert0_subject = str;
547 
548  str = rs_x509_get_issuer(x509);
549  if (str == NULL) {
550  err_code = ERR_EXTRACT_ISSUER;
551  goto error;
552  }
553  ssl_state->server_connp.cert0_issuerdn = str;
554 
555  str = rs_x509_get_serial(x509);
556  if (str == NULL) {
557  err_code = ERR_INVALID_SERIAL;
558  goto error;
559  }
560  ssl_state->server_connp.cert0_serial = str;
561 
562  rc = rs_x509_get_validity(x509, &not_before, &not_after);
563  if (rc != 0) {
564  err_code = ERR_EXTRACT_VALIDITY;
565  goto error;
566  }
567  ssl_state->server_connp.cert0_not_before = (time_t)not_before;
568  ssl_state->server_connp.cert0_not_after = (time_t)not_after;
569 
570  rs_x509_free(x509);
571  x509 = NULL;
572 
573  rc = TlsDecodeHSCertificateFingerprint(ssl_state, input, cert_len);
574  if (rc != 0) {
575  SCLogDebug("TlsDecodeHSCertificateFingerprint failed with %d", rc);
576  goto error;
577  }
578  }
579 
580  rc = TlsDecodeHSCertificateAddCertToChain(ssl_state, input, cert_len);
581  if (rc != 0) {
582  SCLogDebug("TlsDecodeHSCertificateAddCertToChain failed with %d", rc);
583  goto error;
584  }
585 
586 next:
587  input += cert_len;
588  processed_len += cert_len + 3;
589  }
590 
591  return (input - initial_input);
592 
593 error:
594  if (err_code != 0)
595  TlsDecodeHSCertificateErrSetEvent(ssl_state, err_code);
596  if (x509 != NULL)
597  rs_x509_free(x509);
598  return -1;
599 
600 invalid_cert:
601  SCLogDebug("TLS invalid certificate");
603  return -1;
604 }
605 
606 /**
607  * \inline
608  * \brief Check if value is GREASE.
609  *
610  * http://tools.ietf.org/html/draft-davidben-tls-grease-00
611  *
612  * \param value Value to check.
613  *
614  * \retval 1 if is GREASE.
615  * \retval 0 if not is GREASE.
616  */
617 static inline int TLSDecodeValueIsGREASE(const uint16_t value)
618 {
619  switch (value)
620  {
621  case 0x0a0a:
622  case 0x1a1a:
623  case 0x2a2a:
624  case 0x3a3a:
625  case 0x4a4a:
626  case 0x5a5a:
627  case 0x6a6a:
628  case 0x7a7a:
629  case 0x8a8a:
630  case 0x9a9a:
631  case 0xaaaa:
632  case 0xbaba:
633  case 0xcaca:
634  case 0xdada:
635  case 0xeaea:
636  case 0xfafa:
637  return 1;
638  default:
639  return 0;
640  }
641 }
642 
643 static inline int TLSDecodeHSHelloVersion(SSLState *ssl_state,
644  const uint8_t * const initial_input,
645  const uint32_t input_len)
646 {
647  uint8_t *input = (uint8_t *)initial_input;
648 
650  SCLogDebug("TLS handshake invalid length");
651  SSLSetEvent(ssl_state,
653  return -1;
654  }
655 
656  uint16_t version = (uint16_t)(*input << 8) | *(input + 1);
657  ssl_state->curr_connp->version = version;
658 
659  /* TLSv1.3 draft1 to draft21 use the version field as earlier TLS
660  versions, instead of using the supported versions extension. */
661  if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
662  ((ssl_state->curr_connp->version == TLS_VERSION_13) ||
663  (((ssl_state->curr_connp->version >> 8) & 0xff) == 0x7f))) {
664  ssl_state->flags |= SSL_AL_FLAG_LOG_WITHOUT_CERT;
665  }
666 
667  /* Catch some early TLSv1.3 draft implementations that does not conform
668  to the draft version. */
669  if ((ssl_state->curr_connp->version >= 0x7f01) &&
670  (ssl_state->curr_connp->version < 0x7f10)) {
672  }
673 
674  /* TLSv1.3 drafts from draft1 to draft15 use 0x0304 (TLSv1.3) as the
675  version number, which makes it hard to accurately pinpoint the
676  exact draft version. */
677  else if (ssl_state->curr_connp->version == TLS_VERSION_13) {
679  }
680 
681  if (SC_ATOMIC_GET(ssl_config.enable_ja3) && ssl_state->curr_connp->ja3_str == NULL) {
682  ssl_state->curr_connp->ja3_str = Ja3BufferInit();
683  if (ssl_state->curr_connp->ja3_str == NULL)
684  return -1;
685 
686  int rc = Ja3BufferAddValue(&ssl_state->curr_connp->ja3_str, version);
687  if (rc != 0)
688  return -1;
689  }
690 
692 
693  return (input - initial_input);
694 }
695 
696 static inline int TLSDecodeHSHelloRandom(SSLState *ssl_state,
697  const uint8_t * const initial_input,
698  const uint32_t input_len)
699 {
700  uint8_t *input = (uint8_t *)initial_input;
701 
703  SCLogDebug("TLS handshake invalid length");
704  SSLSetEvent(ssl_state,
706  return -1;
707  }
708 
709  /* Skip random */
711 
712  return (input - initial_input);
713 }
714 
715 static inline int TLSDecodeHSHelloSessionID(SSLState *ssl_state,
716  const uint8_t * const initial_input,
717  const uint32_t input_len)
718 {
719  uint8_t *input = (uint8_t *)initial_input;
720 
721  if (!(HAS_SPACE(1)))
722  goto invalid_length;
723 
724  uint8_t session_id_length = *input;
725  input += 1;
726 
727  if (!(HAS_SPACE(session_id_length)))
728  goto invalid_length;
729 
730  if (session_id_length != 0 && ssl_state->curr_connp->session_id == NULL) {
731  ssl_state->curr_connp->session_id = SCMalloc(session_id_length);
732 
733  if (unlikely(ssl_state->curr_connp->session_id == NULL)) {
734  return -1;
735  }
736 
737  if (SafeMemcpy(ssl_state->curr_connp->session_id, 0, session_id_length,
738  input, 0, input_len, session_id_length) != 0) {
739  return -1;
740  }
741  ssl_state->curr_connp->session_id_length = session_id_length;
742 
743  if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
744  ssl_state->client_connp.session_id != NULL &&
745  ssl_state->server_connp.session_id != NULL) {
746  if ((ssl_state->client_connp.session_id_length ==
747  ssl_state->server_connp.session_id_length) &&
748  (memcmp(ssl_state->server_connp.session_id,
749  ssl_state->client_connp.session_id, session_id_length) == 0)) {
750  ssl_state->flags |= SSL_AL_FLAG_SESSION_RESUMED;
751  }
752  }
753  }
754 
755  input += session_id_length;
756 
757  return (input - initial_input);
758 
759 invalid_length:
760  SCLogDebug("TLS handshake invalid length");
761  SSLSetEvent(ssl_state,
763  return -1;
764 }
765 
766 static inline int TLSDecodeHSHelloCipherSuites(SSLState *ssl_state,
767  const uint8_t * const initial_input,
768  const uint32_t input_len)
769 {
770  const uint8_t *input = initial_input;
771 
772  if (!(HAS_SPACE(2)))
773  goto invalid_length;
774 
775  uint16_t cipher_suites_length;
776 
778  cipher_suites_length = 2;
779  } else if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
780  cipher_suites_length = (uint16_t)(*input << 8) | *(input + 1);
781  input += 2;
782  } else {
783  return -1;
784  }
785 
786  if (!(HAS_SPACE(cipher_suites_length)))
787  goto invalid_length;
788 
789  /* Cipher suites length should always be divisible by 2 */
790  if ((cipher_suites_length % 2) != 0) {
791  goto invalid_length;
792  }
793 
794  if (SC_ATOMIC_GET(ssl_config.enable_ja3)) {
795  JA3Buffer *ja3_cipher_suites = Ja3BufferInit();
796  if (ja3_cipher_suites == NULL)
797  return -1;
798 
799  uint16_t processed_len = 0;
800  /* coverity[tainted_data] */
801  while (processed_len < cipher_suites_length)
802  {
803  if (!(HAS_SPACE(2))) {
804  Ja3BufferFree(&ja3_cipher_suites);
805  goto invalid_length;
806  }
807 
808  uint16_t cipher_suite = (uint16_t)(*input << 8) | *(input + 1);
809  input += 2;
810 
811  if (TLSDecodeValueIsGREASE(cipher_suite) != 1) {
812  int rc = Ja3BufferAddValue(&ja3_cipher_suites, cipher_suite);
813  if (rc != 0) {
814  return -1;
815  }
816  }
817 
818  processed_len += 2;
819  }
820 
821  int rc = Ja3BufferAppendBuffer(&ssl_state->curr_connp->ja3_str,
822  &ja3_cipher_suites);
823  if (rc == -1) {
824  return -1;
825  }
826 
827  } else {
828  /* Skip cipher suites */
829  input += cipher_suites_length;
830  }
831 
832  return (input - initial_input);
833 
834 invalid_length:
835  SCLogDebug("TLS handshake invalid length");
836  SSLSetEvent(ssl_state,
838  return -1;
839 }
840 
841 static inline int TLSDecodeHSHelloCompressionMethods(SSLState *ssl_state,
842  const uint8_t * const initial_input,
843  const uint32_t input_len)
844 {
845  const uint8_t *input = initial_input;
846 
847  if (!(HAS_SPACE(1)))
848  goto invalid_length;
849 
850  /* Skip compression methods */
852  input += 1;
853  } else {
854  uint8_t compression_methods_length = *input;
855  input += 1;
856 
857  if (!(HAS_SPACE(compression_methods_length)))
858  goto invalid_length;
859 
860  input += compression_methods_length;
861  }
862 
863  return (input - initial_input);
864 
865 invalid_length:
866  SCLogDebug("TLS handshake invalid_length");
867  SSLSetEvent(ssl_state,
869  return -1;
870 }
871 
872 static inline int TLSDecodeHSHelloExtensionSni(SSLState *ssl_state,
873  const uint8_t * const initial_input,
874  const uint32_t input_len)
875 {
876  uint8_t *input = (uint8_t *)initial_input;
877 
878  /* Empty extension */
879  if (input_len == 0)
880  return 0;
881 
882  if (!(HAS_SPACE(2)))
883  goto invalid_length;
884 
885  /* Skip sni_list_length */
886  input += 2;
887 
888  if (!(HAS_SPACE(1)))
889  goto invalid_length;
890 
891  uint8_t sni_type = *input;
892  input += 1;
893 
894  /* Currently the only type allowed is host_name
895  (RFC6066 section 3). */
896  if (sni_type != SSL_SNI_TYPE_HOST_NAME) {
897  SCLogDebug("Unknown SNI type");
898  SSLSetEvent(ssl_state,
900  return -1;
901  }
902 
903  if (!(HAS_SPACE(2)))
904  goto invalid_length;
905 
906  uint16_t sni_len = (uint16_t)(*input << 8) | *(input + 1);
907  input += 2;
908 
909  /* host_name contains the fully qualified domain name,
910  and should therefore be limited by the maximum domain
911  name length. */
912  if (!(HAS_SPACE(sni_len)) || sni_len > 255 || sni_len == 0) {
913  SSLSetEvent(ssl_state,
915  return -1;
916  }
917 
918  /* There must not be more than one extension of the same
919  type (RFC5246 section 7.4.1.4). */
920  if (ssl_state->curr_connp->sni) {
921  SCLogDebug("Multiple SNI extensions");
922  SSLSetEvent(ssl_state,
924  input += sni_len;
925  return (input - initial_input);
926  }
927 
928  const size_t sni_strlen = sni_len + 1;
929  ssl_state->curr_connp->sni = SCMalloc(sni_strlen);
930  if (unlikely(ssl_state->curr_connp->sni == NULL))
931  return -1;
932 
933  const size_t consumed = input - initial_input;
934  if (SafeMemcpy(ssl_state->curr_connp->sni, 0, sni_strlen,
935  initial_input, consumed, input_len, sni_len) != 0) {
936  SCFree(ssl_state->curr_connp->sni);
937  ssl_state->curr_connp->sni = NULL;
938  return -1;
939  }
940  ssl_state->curr_connp->sni[sni_strlen-1] = 0;
941 
942  input += sni_len;
943 
944  return (input - initial_input);
945 
946 invalid_length:
947  SCLogDebug("TLS handshake invalid length");
948  SSLSetEvent(ssl_state,
950 
951 
952  return -1;
953 }
954 
955 static inline int TLSDecodeHSHelloExtensionSupportedVersions(SSLState *ssl_state,
956  const uint8_t * const initial_input,
957  const uint32_t input_len)
958 {
959  const uint8_t *input = initial_input;
960 
961  /* Empty extension */
962  if (input_len == 0)
963  return 0;
964 
966  if (!(HAS_SPACE(1)))
967  goto invalid_length;
968 
969  uint8_t supported_ver_len = *input;
970  input += 1;
971 
972  if (supported_ver_len < 2)
973  goto invalid_length;
974 
975  if (!(HAS_SPACE(supported_ver_len)))
976  goto invalid_length;
977 
978  /* Use the first (and prefered) version as client version */
979  ssl_state->curr_connp->version = (uint16_t)(*input << 8) | *(input + 1);
980 
981  /* Set a flag to indicate that we have seen this extension */
983 
984  input += supported_ver_len;
985  }
986  else if (ssl_state->current_flags & SSL_AL_FLAG_STATE_SERVER_HELLO) {
987  if (!(HAS_SPACE(2)))
988  goto invalid_length;
989 
990  uint16_t ver = (uint16_t)(*input << 8) | *(input + 1);
991 
992  if ((ssl_state->flags & SSL_AL_FLAG_CH_VERSION_EXTENSION) &&
993  (ver > TLS_VERSION_12)) {
994  ssl_state->flags |= SSL_AL_FLAG_LOG_WITHOUT_CERT;
995  }
996 
997  ssl_state->curr_connp->version = ver;
998  input += 2;
999  }
1000 
1001  return (input - initial_input);
1002 
1003 invalid_length:
1004  SCLogDebug("TLS handshake invalid length");
1005  SSLSetEvent(ssl_state,
1007 
1008  return -1;
1009 }
1010 
1011 static inline int TLSDecodeHSHelloExtensionEllipticCurves(SSLState *ssl_state,
1012  const uint8_t * const initial_input,
1013  const uint32_t input_len,
1014  JA3Buffer *ja3_elliptic_curves)
1015 {
1016  const uint8_t *input = initial_input;
1017 
1018  /* Empty extension */
1019  if (input_len == 0)
1020  return 0;
1021 
1022  if (!(HAS_SPACE(2)))
1023  goto invalid_length;
1024 
1025  uint16_t elliptic_curves_len = (uint16_t)(*input << 8) | *(input + 1);
1026  input += 2;
1027 
1028  if (!(HAS_SPACE(elliptic_curves_len)))
1029  goto invalid_length;
1030 
1031  if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) &&
1032  SC_ATOMIC_GET(ssl_config.enable_ja3)) {
1033  uint16_t ec_processed_len = 0;
1034  /* coverity[tainted_data] */
1035  while (ec_processed_len < elliptic_curves_len)
1036  {
1037  if (!(HAS_SPACE(2)))
1038  goto invalid_length;
1039 
1040  uint16_t elliptic_curve = (uint16_t)(*input << 8) | *(input + 1);
1041  input += 2;
1042 
1043  if (TLSDecodeValueIsGREASE(elliptic_curve) != 1) {
1044  int rc = Ja3BufferAddValue(&ja3_elliptic_curves,
1045  elliptic_curve);
1046  if (rc != 0)
1047  return -1;
1048  }
1049 
1050  ec_processed_len += 2;
1051  }
1052 
1053  } else {
1054  /* Skip elliptic curves */
1055  input += elliptic_curves_len;
1056  }
1057 
1058  return (input - initial_input);
1059 
1060 invalid_length:
1061  SCLogDebug("TLS handshake invalid length");
1062  SSLSetEvent(ssl_state,
1064 
1065  return -1;
1066 }
1067 
1068 static inline int TLSDecodeHSHelloExtensionEllipticCurvePF(SSLState *ssl_state,
1069  const uint8_t * const initial_input,
1070  const uint32_t input_len,
1071  JA3Buffer *ja3_elliptic_curves_pf)
1072 {
1073  const uint8_t *input = initial_input;
1074 
1075  /* Empty extension */
1076  if (input_len == 0)
1077  return 0;
1078 
1079  if (!(HAS_SPACE(1)))
1080  goto invalid_length;
1081 
1082  uint8_t ec_pf_len = *input;
1083  input += 1;
1084 
1085  if (!(HAS_SPACE(ec_pf_len)))
1086  goto invalid_length;
1087 
1088  if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) &&
1089  SC_ATOMIC_GET(ssl_config.enable_ja3)) {
1090  uint8_t ec_pf_processed_len = 0;
1091  /* coverity[tainted_data] */
1092  while (ec_pf_processed_len < ec_pf_len)
1093  {
1094  uint8_t elliptic_curve_pf = *input;
1095  input += 1;
1096 
1097  if (TLSDecodeValueIsGREASE(elliptic_curve_pf) != 1) {
1098  int rc = Ja3BufferAddValue(&ja3_elliptic_curves_pf,
1099  elliptic_curve_pf);
1100  if (rc != 0)
1101  return -1;
1102  }
1103 
1104  ec_pf_processed_len += 1;
1105  }
1106 
1107  } else {
1108  /* Skip elliptic curve point formats */
1109  input += ec_pf_len;
1110  }
1111 
1112  return (input - initial_input);
1113 
1114 invalid_length:
1115  SCLogDebug("TLS handshake invalid length");
1116  SSLSetEvent(ssl_state,
1118 
1119  return -1;
1120 }
1121 
1122 static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
1123  const uint8_t * const initial_input,
1124  const uint32_t input_len)
1125 {
1126  const uint8_t *input = initial_input;
1127 
1128  int ret;
1129  int rc;
1130  const bool ja3 = (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1);
1131 
1132  JA3Buffer *ja3_extensions = NULL;
1133  JA3Buffer *ja3_elliptic_curves = NULL;
1134  JA3Buffer *ja3_elliptic_curves_pf = NULL;
1135 
1136  if (ja3) {
1137  ja3_extensions = Ja3BufferInit();
1138  if (ja3_extensions == NULL)
1139  goto error;
1140 
1141  if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
1142  ja3_elliptic_curves = Ja3BufferInit();
1143  if (ja3_elliptic_curves == NULL)
1144  goto error;
1145 
1146  ja3_elliptic_curves_pf = Ja3BufferInit();
1147  if (ja3_elliptic_curves_pf == NULL)
1148  goto error;
1149  }
1150  }
1151 
1152  /* Extensions are optional (RFC5246 section 7.4.1.2) */
1153  if (!(HAS_SPACE(2)))
1154  goto end;
1155 
1156  uint16_t extensions_len = (uint16_t)(*input << 8) | *(input + 1);
1157  input += 2;
1158 
1159  if (!(HAS_SPACE(extensions_len)))
1160  goto invalid_length;
1161 
1162  uint16_t processed_len = 0;
1163  /* coverity[tainted_data] */
1164  while (processed_len < extensions_len)
1165  {
1166  if (!(HAS_SPACE(2)))
1167  goto invalid_length;
1168 
1169  uint16_t ext_type = (uint16_t)(*input << 8) | *(input + 1);
1170  input += 2;
1171 
1172  if (!(HAS_SPACE(2)))
1173  goto invalid_length;
1174 
1175  uint16_t ext_len = (uint16_t)(*input << 8) | *(input + 1);
1176  input += 2;
1177 
1178  if (!(HAS_SPACE(ext_len)))
1179  goto invalid_length;
1180 
1181  switch (ext_type) {
1182  case SSL_EXTENSION_SNI:
1183  {
1184  /* coverity[tainted_data] */
1185  ret = TLSDecodeHSHelloExtensionSni(ssl_state, input,
1186  ext_len);
1187  if (ret < 0)
1188  goto end;
1189 
1190  input += ret;
1191 
1192  break;
1193  }
1194 
1196  {
1197  /* coverity[tainted_data] */
1198  ret = TLSDecodeHSHelloExtensionEllipticCurves(ssl_state, input,
1199  ext_len,
1200  ja3_elliptic_curves);
1201  if (ret < 0)
1202  goto end;
1203 
1204  input += ret;
1205 
1206  break;
1207  }
1208 
1210  {
1211  /* coverity[tainted_data] */
1212  ret = TLSDecodeHSHelloExtensionEllipticCurvePF(ssl_state, input,
1213  ext_len,
1214  ja3_elliptic_curves_pf);
1215  if (ret < 0)
1216  goto end;
1217 
1218  input += ret;
1219 
1220  break;
1221  }
1222 
1224  {
1225  if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
1226  /* Used by 0-RTT to indicate that encrypted data will
1227  be sent right after the ClientHello record. */
1228  ssl_state->flags |= SSL_AL_FLAG_EARLY_DATA;
1229  }
1230 
1231  input += ext_len;
1232 
1233  break;
1234  }
1235 
1237  {
1238  ret = TLSDecodeHSHelloExtensionSupportedVersions(ssl_state, input,
1239  ext_len);
1240  if (ret < 0)
1241  goto end;
1242 
1243  input += ret;
1244 
1245  break;
1246  }
1247 
1249  {
1250  if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
1251  /* This has to be verified later on by checking if a
1252  certificate record has been sent by the server. */
1253  ssl_state->flags |= SSL_AL_FLAG_SESSION_RESUMED;
1254  }
1255 
1256  input += ext_len;
1257 
1258  break;
1259  }
1260 
1261  default:
1262  {
1263  input += ext_len;
1264  break;
1265  }
1266  }
1267 
1268  if (ja3) {
1269  if (TLSDecodeValueIsGREASE(ext_type) != 1) {
1270  rc = Ja3BufferAddValue(&ja3_extensions, ext_type);
1271  if (rc != 0)
1272  goto error;
1273  }
1274  }
1275 
1276  processed_len += ext_len + 4;
1277  }
1278 
1279 end:
1280  if (ja3) {
1281  rc = Ja3BufferAppendBuffer(&ssl_state->curr_connp->ja3_str,
1282  &ja3_extensions);
1283  if (rc == -1)
1284  goto error;
1285 
1286  if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
1287  rc = Ja3BufferAppendBuffer(&ssl_state->curr_connp->ja3_str,
1288  &ja3_elliptic_curves);
1289  if (rc == -1)
1290  goto error;
1291 
1292  rc = Ja3BufferAppendBuffer(&ssl_state->curr_connp->ja3_str,
1293  &ja3_elliptic_curves_pf);
1294  if (rc == -1)
1295  goto error;
1296  }
1297  }
1298 
1299  return (input - initial_input);
1300 
1301 invalid_length:
1302  SCLogDebug("TLS handshake invalid length");
1303  SSLSetEvent(ssl_state,
1305 
1306 error:
1307  if (ja3_extensions != NULL)
1308  Ja3BufferFree(&ja3_extensions);
1309  if (ja3_elliptic_curves != NULL)
1310  Ja3BufferFree(&ja3_elliptic_curves);
1311  if (ja3_elliptic_curves_pf != NULL)
1312  Ja3BufferFree(&ja3_elliptic_curves_pf);
1313 
1314  return -1;
1315 }
1316 
1317 static int TLSDecodeHandshakeHello(SSLState *ssl_state,
1318  const uint8_t * const input,
1319  const uint32_t input_len)
1320 {
1321  int ret;
1322  uint32_t parsed = 0;
1323 
1324  ret = TLSDecodeHSHelloVersion(ssl_state, input, input_len);
1325  if (ret < 0)
1326  goto end;
1327 
1328  parsed += ret;
1329 
1330  ret = TLSDecodeHSHelloRandom(ssl_state, input + parsed, input_len - parsed);
1331  if (ret < 0)
1332  goto end;
1333 
1334  parsed += ret;
1335 
1336  /* The session id field in the server hello record was removed in
1337  TLSv1.3 draft1, but was readded in draft22. */
1338  if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) ||
1340  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0))) {
1341  ret = TLSDecodeHSHelloSessionID(ssl_state, input + parsed,
1342  input_len - parsed);
1343  if (ret < 0)
1344  goto end;
1345 
1346  parsed += ret;
1347  }
1348 
1349  ret = TLSDecodeHSHelloCipherSuites(ssl_state, input + parsed,
1350  input_len - parsed);
1351  if (ret < 0)
1352  goto end;
1353 
1354  parsed += ret;
1355 
1356  /* The compression methods field in the server hello record was
1357  removed in TLSv1.3 draft1, but was readded in draft22. */
1358  if ((ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) ||
1360  ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0))) {
1361  ret = TLSDecodeHSHelloCompressionMethods(ssl_state, input + parsed,
1362  input_len - parsed);
1363  if (ret < 0)
1364  goto end;
1365 
1366  parsed += ret;
1367  }
1368 
1369  ret = TLSDecodeHSHelloExtensions(ssl_state, input + parsed,
1370  input_len - parsed);
1371  if (ret < 0)
1372  goto end;
1373 
1374  if (SC_ATOMIC_GET(ssl_config.enable_ja3) && ssl_state->curr_connp->ja3_hash == NULL) {
1375  ssl_state->curr_connp->ja3_hash = Ja3GenerateHash(ssl_state->curr_connp->ja3_str);
1376  }
1377 
1378 end:
1379  ssl_state->curr_connp->hs_bytes_processed = 0;
1380  return 0;
1381 }
1382 
1383 /** \internal
1384  * \brief Get Certificates len so we can know now much (more) we need to buffer
1385  * If we already have a few bytes queued up in 'trec' we use those or a mix of
1386  * those with the input.
1387  */
1388 static uint32_t GetCertsLen(SSLStateConnp *curr_connp, const uint8_t *input,
1389  const uint32_t input_len)
1390 {
1391  if (curr_connp->trec != NULL && curr_connp->trec_pos > 0) {
1392  if (curr_connp->trec_pos >= 3) {
1393  const uint8_t * const ptr = curr_connp->trec;
1394  uint32_t len = (*ptr << 16 | *(ptr + 1) << 8 | *(ptr + 2)) + 3;
1395  SCLogDebug("length %u (trec)", len);
1396  return len;
1397  } else if (input_len + curr_connp->trec_pos >= 3) {
1398  uint8_t buf[3] = { 0, 0, 0, }; // init to 0 to make scan-build happy
1399  uint32_t i = 0;
1400  for (uint32_t x = 0; x < curr_connp->trec_pos && i < 3; x++) {
1401  buf[i++] = curr_connp->trec[x];
1402  }
1403  for (uint32_t x = 0; x < input_len && i < 3; x++) {
1404  buf[i++] = input[x];
1405  }
1406  uint32_t len = (buf[0] << 16 | buf[1] << 8 | buf[2]) + 3;
1407  SCLogDebug("length %u (part trec, part input)", len);
1408  return len;
1409  }
1410  return 0;
1411  } else if (input_len >= 3) {
1412  uint32_t len = (*input << 16 | *(input + 1) << 8 | *(input + 2)) + 3;
1413  SCLogDebug("length %u (input)", len);
1414  return len;
1415  } else {
1416  SCLogDebug("length unknown (input len %u)", input_len);
1417  return 0;
1418  }
1419 }
1420 
1421 // For certificates whose size is bigger than this,
1422 // we do not allocate all the required memory straight away,
1423 // to avoid DOS by RAM exhaustion, but we will allocate
1424 // this memory once a consequent part of the certificate has been seen.
1425 #define SSL_CERT_MAX_FIRST_ALLOC 65536 // 0x10000
1427 /** \internal
1428  * \brief setup or grow the `trec` space in the connp
1429  */
1430 static int EnsureRecordSpace(SSLStateConnp *curr_connp, const uint8_t * const input,
1431  const uint32_t input_len)
1432 {
1433  ValidateTrecBuffer(curr_connp);
1434 
1435  uint32_t certs_len = GetCertsLen(curr_connp, input, input_len);
1436  if (certs_len == 0) {
1437  SCLogDebug("cert_len unknown still, create small buffer to start");
1438  certs_len = 256;
1439  }
1440  // Limit in a first time allocation for very large certificates
1441  if (certs_len > SSL_CERT_MAX_FIRST_ALLOC && certs_len > curr_connp->trec_pos + input_len) {
1442  certs_len = SSL_CERT_MAX_FIRST_ALLOC;
1443  }
1444 
1445  if (curr_connp->trec == NULL) {
1446  curr_connp->trec_len = certs_len;
1447  curr_connp->trec = SCMalloc(curr_connp->trec_len);
1448  if (unlikely(curr_connp->trec == NULL))
1449  goto error;
1450  }
1451 
1452  if (certs_len > curr_connp->trec_len) {
1453  curr_connp->trec_len = certs_len;
1454  void *ptmp = SCRealloc(curr_connp->trec, curr_connp->trec_len);
1455  if (unlikely(ptmp == NULL)) {
1456  SCFree(curr_connp->trec);
1457  curr_connp->trec = NULL;
1458  goto error;
1459  }
1460  curr_connp->trec = ptmp;
1461  }
1462  ValidateTrecBuffer(curr_connp);
1463  return 0;
1464 error:
1465  curr_connp->trec_len = 0;
1466  curr_connp->trec_pos = 0;
1467  ValidateTrecBuffer(curr_connp);
1468  return -1;
1469 }
1470 
1471 static inline bool
1472 HaveEntireRecord(const SSLStateConnp *curr_connp, const uint32_t input_len)
1473 {
1474  return (curr_connp->bytes_processed + input_len) >=
1475  (curr_connp->record_length + SSLV3_RECORD_HDR_LEN);
1476 }
1477 
1478 #ifdef DEBUG_VALIDATION
1479 static inline bool
1480 RecordAlreadyProcessed(const SSLStateConnp *curr_connp)
1481 {
1482  return ((curr_connp->record_length + SSLV3_RECORD_HDR_LEN) <
1483  curr_connp->bytes_processed);
1484 }
1485 #endif
1486 
1487 static inline int SSLv3ParseHandshakeTypeCertificate(SSLState *ssl_state,
1488  const uint8_t * const initial_input,
1489  const uint32_t input_len)
1490 {
1491  ValidateTrecBuffer(ssl_state->curr_connp);
1492  const uint32_t certs_len = GetCertsLen(ssl_state->curr_connp, initial_input, input_len);
1493  SCLogDebug("certs_len %u", certs_len);
1494 
1495  if (EnsureRecordSpace(ssl_state->curr_connp, initial_input, input_len) < 0) {
1496  /* error, skip input data */
1497  ssl_state->curr_connp->bytes_processed += input_len;
1498  return -1;
1499  }
1500  ValidateTrecBuffer(ssl_state->curr_connp);
1501 
1502  uint32_t write_len = 0;
1503  if (certs_len != 0 && ssl_state->curr_connp->trec_pos + input_len >= certs_len) {
1504  write_len = certs_len - ssl_state->curr_connp->trec_pos;
1505  /* get data left in this frag. The length field may indicate more
1506  * data than just in this record. */
1507  uint32_t cur_frag_left = ssl_state->curr_connp->record_length +
1509  SCLogDebug("write_len %u cur_frag_left %u", write_len, cur_frag_left);
1510  write_len = MIN(write_len, cur_frag_left);
1511  } else {
1512  uint32_t cur_frag_left = (ssl_state->curr_connp->record_length +
1514  SCLogDebug("cur_frag_left %u", cur_frag_left);
1515  write_len = MIN(input_len, cur_frag_left);
1516  SCLogDebug("write_len %u", write_len);
1517  }
1518  if (write_len == 0) {
1519  /* no (new) data, so we're done */
1520  ValidateTrecBuffer(ssl_state->curr_connp);
1521  return 0;
1522  }
1523  BUG_ON(write_len > input_len);
1524 
1525  if (SafeMemcpy(ssl_state->curr_connp->trec,
1526  ssl_state->curr_connp->trec_pos,
1527  ssl_state->curr_connp->trec_len,
1528  initial_input, 0, input_len, write_len) != 0) {
1529  return -1;
1530  }
1531  ssl_state->curr_connp->trec_pos += write_len;
1532  SCLogDebug("ssl_state->curr_connp->trec_pos %u", ssl_state->curr_connp->trec_pos);
1533  DEBUG_VALIDATE_BUG_ON(certs_len != 0 && certs_len < ssl_state->curr_connp->trec_pos);
1534 
1535  /* if we didn't yet get enough to determine the certs len, or we can
1536  * see we didn't buffer enough for the certs, don't bother trying to
1537  * parse it the data */
1538  if (certs_len == 0 || certs_len > ssl_state->curr_connp->trec_pos) {
1539  ssl_state->curr_connp->bytes_processed += write_len;
1540  SCLogDebug("bytes_processed %u record_len %u",
1541  ssl_state->curr_connp->bytes_processed, ssl_state->curr_connp->record_length);
1542  ValidateTrecBuffer(ssl_state->curr_connp);
1543  return write_len;
1544  }
1545 
1546  int rc = TlsDecodeHSCertificate(ssl_state, ssl_state->curr_connp->trec,
1547  ssl_state->curr_connp->trec_pos);
1548  SCLogDebug("rc %d", rc);
1549  if (rc > 0) {
1550  DEBUG_VALIDATE_BUG_ON(rc != (int)ssl_state->curr_connp->trec_pos);
1551  SSLParserHSReset(ssl_state->curr_connp);
1552  } else if (rc < 0) {
1553  SCLogDebug("error parsing cert, reset state");
1554  SSLParserHSReset(ssl_state->curr_connp);
1555  /* fall through to still consume the cert bytes */
1556  }
1557  ssl_state->curr_connp->bytes_processed += write_len;
1558  ValidateTrecBuffer(ssl_state->curr_connp);
1559  return write_len;
1560 }
1561 
1562 /**
1563  * \retval parsed number of consumed bytes
1564  * \retval < 0 error
1565  */
1566 static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
1567  uint32_t input_len, uint8_t direction)
1568 {
1569  const uint8_t *initial_input = input;
1570  int rc;
1571 
1572  if (input_len == 0) {
1573  return 0;
1574  }
1575  DEBUG_VALIDATE_BUG_ON(RecordAlreadyProcessed(ssl_state->curr_connp));
1576 
1577  switch (ssl_state->curr_connp->handshake_type) {
1578  case SSLV3_HS_CLIENT_HELLO:
1580 
1581  /* Only parse the message if it is complete */
1582  if (input_len >= ssl_state->curr_connp->message_length &&
1583  input_len >= 40) {
1584  rc = TLSDecodeHandshakeHello(ssl_state, input, input_len);
1585  if (rc < 0)
1586  return rc;
1587  }
1588 
1589  break;
1590 
1591  case SSLV3_HS_SERVER_HELLO:
1593 
1594  /* Only parse the message if it is complete */
1595  if (input_len >= ssl_state->curr_connp->message_length &&
1596  input_len >= 40) {
1597  rc = TLSDecodeHandshakeHello(ssl_state, input,
1598  ssl_state->curr_connp->message_length);
1599  if (rc < 0)
1600  return rc;
1601  }
1602 
1603  break;
1604 
1607  break;
1608 
1611  break;
1612 
1613  case SSLV3_HS_CERTIFICATE:
1614  /* For now, only decode the server certificate */
1615  if (direction == 0) {
1616  SCLogDebug("Incorrect SSL Record type sent in the toserver "
1617  "direction!");
1618  break;
1619  }
1620  rc = SSLv3ParseHandshakeTypeCertificate(ssl_state,
1621  initial_input, input_len);
1622  return rc;
1623  break;
1624 
1628  case SSLV3_HS_FINISHED:
1631  break;
1633  SCLogDebug("new session ticket");
1634  break;
1635  default:
1637  return -1;
1638  }
1639 
1640  ssl_state->flags |= ssl_state->current_flags;
1641 
1642  SCLogDebug("message: start %u length %u", ssl_state->curr_connp->message_start, ssl_state->curr_connp->message_length);
1643  SCLogDebug("input_len %u ssl_state->curr_connp->bytes_processed %u", input_len, ssl_state->curr_connp->bytes_processed);
1644 
1645  uint32_t write_len = 0;
1646  if (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length <
1647  ssl_state->curr_connp->bytes_processed + input_len) {
1648  SCLogDebug("msg done");
1649 
1650  // Safety check against integer underflow
1652  ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length <
1653  ssl_state->curr_connp->bytes_processed);
1654  write_len = (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length) -
1655  ssl_state->curr_connp->bytes_processed;
1656  DEBUG_VALIDATE_BUG_ON(write_len > input_len);
1657  ssl_state->curr_connp->bytes_processed += write_len;
1658  SSLParserHSReset(ssl_state->curr_connp);
1659  SCLogDebug("write_len %u", write_len);
1660  return write_len;
1661  } else {
1662  ssl_state->curr_connp->bytes_processed += input_len;
1663  return input_len;
1664  }
1665 }
1666 
1667 static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input,
1668  uint32_t input_len, uint8_t direction)
1669 {
1670  const uint8_t *initial_input = input;
1671 
1672  if (input_len == 0 || ssl_state->curr_connp->bytes_processed ==
1673  (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN)) {
1674  return 0;
1675  }
1676 
1677  SCLogDebug("bytes_processed %u", ssl_state->curr_connp->bytes_processed);
1678  SCLogDebug("ssl_state->curr_connp->hs_bytes_processed %u input %p input_len %u",
1679  ssl_state->curr_connp->hs_bytes_processed, input, input_len);
1680 
1681  switch (ssl_state->curr_connp->hs_bytes_processed) {
1682  case 0:
1683  ssl_state->curr_connp->handshake_type = *(input++);
1684  ssl_state->curr_connp->bytes_processed++;
1685  ssl_state->curr_connp->hs_bytes_processed++;
1686  if (--input_len == 0 || ssl_state->curr_connp->bytes_processed ==
1687  (ssl_state->curr_connp->record_length +
1689  return (input - initial_input);
1690  }
1691 
1692  /* fall through */
1693  case 1:
1694  ssl_state->curr_connp->message_length = *(input++) << 16;
1695  ssl_state->curr_connp->bytes_processed++;
1696  ssl_state->curr_connp->hs_bytes_processed++;
1697  if (--input_len == 0 || ssl_state->curr_connp->bytes_processed ==
1698  (ssl_state->curr_connp->record_length +
1700  return (input - initial_input);
1701  }
1702 
1703  /* fall through */
1704  case 2:
1705  ssl_state->curr_connp->message_length |= *(input++) << 8;
1706  ssl_state->curr_connp->bytes_processed++;
1707  ssl_state->curr_connp->hs_bytes_processed++;
1708  if (--input_len == 0 || ssl_state->curr_connp->bytes_processed ==
1709  (ssl_state->curr_connp->record_length +
1711  return (input - initial_input);
1712  }
1713 
1714  /* fall through */
1715  case 3:
1716  ssl_state->curr_connp->message_length |= *(input++);
1717  ssl_state->curr_connp->bytes_processed++;
1718  ssl_state->curr_connp->hs_bytes_processed++;
1719  --input_len;
1720  ssl_state->curr_connp->message_start = ssl_state->curr_connp->bytes_processed;
1721 
1722  /* fall through */
1723  }
1724  SCLogDebug("message len %u input %p", ssl_state->curr_connp->message_length, input);
1725 
1726  int retval = SSLv3ParseHandshakeType(ssl_state, input, input_len, direction);
1727  if (retval < 0 || retval > (int)input_len) {
1728  DEBUG_VALIDATE_BUG_ON(retval > (int)input_len);
1729  return retval;
1730  }
1731  SCLogDebug("retval %d input_len %u", retval, input_len);
1732  input += retval;
1733 
1734  return (input - initial_input);
1735 }
1736 
1737 /**
1738  * \internal
1739  * \brief TLS Heartbeat parser (see RFC 6520)
1740  *
1741  * \param sslstate Pointer to the SSL state.
1742  * \param input Pointer to the received input data.
1743  * \param input_len Length in bytes of the received data.
1744  * \param direction 1 toclient, 0 toserver
1745  *
1746  * \retval The number of bytes parsed on success, 0 if nothing parsed, -1 on failure.
1747  */
1748 static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, const uint8_t *input,
1749  uint32_t input_len, uint8_t direction)
1750 {
1751  uint8_t hb_type;
1752  uint16_t payload_len;
1753  uint32_t padding_len;
1754 
1755  /* expect at least 3 bytes: heartbeat type (1) + length (2) */
1756  if (input_len < 3) {
1757  return 0;
1758  }
1759 
1760  hb_type = *input++;
1761 
1762  if (!(ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) {
1763  if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) {
1765  return -1;
1766  }
1767  }
1768 
1769  if ((ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) == 0) {
1770  ssl_state->flags |= SSL_AL_FLAG_HB_INFLIGHT;
1771 
1772  if (direction) {
1773  SCLogDebug("HeartBeat Record type sent in the toclient direction!");
1774  ssl_state->flags |= SSL_AL_FLAG_HB_SERVER_INIT;
1775  } else {
1776  SCLogDebug("HeartBeat Record type sent in the toserver direction!");
1777  ssl_state->flags |= SSL_AL_FLAG_HB_CLIENT_INIT;
1778  }
1779 
1780  /* if we reach this point, then we can assume that the HB request
1781  is encrypted. If so, let's set the HB record length */
1782  if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
1783  ssl_state->hb_record_len = ssl_state->curr_connp->record_length;
1784  SCLogDebug("Encrypted HeartBeat Request In-flight. Storing len %u",
1785  ssl_state->hb_record_len);
1786  return (ssl_state->curr_connp->record_length - 3);
1787  }
1788 
1789  payload_len = (uint16_t)(*input << 8) | *(input + 1);
1790 
1791  /* check that the requested payload length is really present in
1792  the record (CVE-2014-0160) */
1793  if ((uint32_t)(payload_len+3) > ssl_state->curr_connp->record_length) {
1794  SCLogDebug("We have a short record in HeartBeat Request");
1796  return -1;
1797  }
1798 
1799  /* check the padding length. It must be at least 16 bytes
1800  (RFC 6520, section 4) */
1801  padding_len = ssl_state->curr_connp->record_length - payload_len - 3;
1802  if (padding_len < 16) {
1803  SCLogDebug("We have a short record in HeartBeat Request");
1805  return -1;
1806  }
1807 
1808  /* we don't have the payload */
1809  if (input_len < payload_len + padding_len) {
1810  return 0;
1811  }
1812 
1813  /* OpenSSL still seems to discard multiple in-flight
1814  heartbeats although some tools send multiple at once */
1815  } else if (direction == 1 && (ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) &&
1816  (ssl_state->flags & SSL_AL_FLAG_HB_SERVER_INIT)) {
1817  SCLogDebug("Multiple in-flight server initiated HeartBeats");
1819  return -1;
1820 
1821  } else if (direction == 0 && (ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) &&
1822  (ssl_state->flags & SSL_AL_FLAG_HB_CLIENT_INIT)) {
1823  SCLogDebug("Multiple in-flight client initiated HeartBeats");
1825  return -1;
1826 
1827  } else {
1828  /* we have a HB record in the opposite direction of the request,
1829  let's reset our flags */
1830  ssl_state->flags &= ~SSL_AL_FLAG_HB_INFLIGHT;
1831  ssl_state->flags &= ~SSL_AL_FLAG_HB_SERVER_INIT;
1832  ssl_state->flags &= ~SSL_AL_FLAG_HB_CLIENT_INIT;
1833 
1834  /* if we reach this point, then we can assume that the HB request
1835  is encrypted. If so, let's set the HB record length */
1836  if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
1837  /* check to see if the encrypted response is longer than the
1838  encrypted request */
1839  if (ssl_state->hb_record_len > 0 && ssl_state->hb_record_len <
1840  ssl_state->curr_connp->record_length) {
1841  SCLogDebug("My heart is bleeding.. OpenSSL HeartBleed response (%u)",
1842  ssl_state->hb_record_len);
1843  SSLSetEvent(ssl_state,
1845  ssl_state->hb_record_len = 0;
1846  return -1;
1847  }
1848  }
1849 
1850  /* reset the HB record length in case we have a legit HB followed
1851  by a bad one */
1852  ssl_state->hb_record_len = 0;
1853  }
1854 
1855  /* skip the HeartBeat, 3 bytes were already parsed,
1856  e.g |18 03 02| for TLS 1.2 */
1857  return (ssl_state->curr_connp->record_length - 3);
1858 }
1859 
1860 static int SSLv3ParseRecord(uint8_t direction, SSLState *ssl_state,
1861  const uint8_t *input, uint32_t input_len)
1862 {
1863  const uint8_t *initial_input = input;
1864 
1865  if (input_len == 0) {
1866  return 0;
1867  }
1868 
1869  uint8_t skip_version = 0;
1870 
1871  /* Only set SSL/TLS version here if it has not already been set in
1872  client/server hello. */
1873  if (direction == 0) {
1874  if ((ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) &&
1875  (ssl_state->client_connp.version != TLS_VERSION_UNKNOWN)) {
1876  skip_version = 1;
1877  }
1878  } else {
1879  if ((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
1880  (ssl_state->server_connp.version != TLS_VERSION_UNKNOWN)) {
1881  skip_version = 1;
1882  }
1883  }
1884 
1885  switch (ssl_state->curr_connp->bytes_processed) {
1886  case 0:
1887  if (input_len >= 5) {
1888  ssl_state->curr_connp->content_type = input[0];
1889  if (!skip_version) {
1890  ssl_state->curr_connp->version = (uint16_t)(input[1] << 8) | input[2];
1891  }
1892  ssl_state->curr_connp->record_length = input[3] << 8;
1893  ssl_state->curr_connp->record_length |= input[4];
1895  return SSLV3_RECORD_HDR_LEN;
1896  } else {
1897  ssl_state->curr_connp->content_type = *(input++);
1898  if (--input_len == 0)
1899  break;
1900  }
1901 
1902  /* fall through */
1903  case 1:
1904  if (!skip_version) {
1905  ssl_state->curr_connp->version = (uint16_t)(*(input++) << 8);
1906  } else {
1907  input++;
1908  }
1909  if (--input_len == 0)
1910  break;
1911 
1912  /* fall through */
1913  case 2:
1914  if (!skip_version) {
1915  ssl_state->curr_connp->version |= *(input++);
1916  } else {
1917  input++;
1918  }
1919  if (--input_len == 0)
1920  break;
1921 
1922  /* fall through */
1923  case 3:
1924  ssl_state->curr_connp->record_length = *(input++) << 8;
1925  if (--input_len == 0)
1926  break;
1927 
1928  /* fall through */
1929  case 4:
1930  ssl_state->curr_connp->record_length |= *(input++);
1931  if (--input_len == 0)
1932  break;
1933 
1934  /* fall through */
1935  }
1936 
1937  ssl_state->curr_connp->bytes_processed += (input - initial_input);
1938 
1939  return (input - initial_input);
1940 }
1941 
1942 static int SSLv2ParseRecord(uint8_t direction, SSLState *ssl_state,
1943  const uint8_t *input, uint32_t input_len)
1944 {
1945  const uint8_t *initial_input = input;
1946 
1947  if (input_len == 0) {
1948  return 0;
1949  }
1950 
1951  if (ssl_state->curr_connp->record_lengths_length == 2) {
1952  switch (ssl_state->curr_connp->bytes_processed) {
1953  case 0:
1954  if (input_len >= ssl_state->curr_connp->record_lengths_length + 1) {
1955  ssl_state->curr_connp->record_length = (0x7f & input[0]) << 8 | input[1];
1956  ssl_state->curr_connp->content_type = input[2];
1957  ssl_state->curr_connp->version = SSL_VERSION_2;
1958  ssl_state->curr_connp->bytes_processed += 3;
1959  return 3;
1960  } else {
1961  ssl_state->curr_connp->record_length = (0x7f & *(input++)) << 8;
1962  if (--input_len == 0)
1963  break;
1964  }
1965 
1966  /* fall through */
1967  case 1:
1968  ssl_state->curr_connp->record_length |= *(input++);
1969  if (--input_len == 0)
1970  break;
1971 
1972  /* fall through */
1973  case 2:
1974  ssl_state->curr_connp->content_type = *(input++);
1975  ssl_state->curr_connp->version = SSL_VERSION_2;
1976  if (--input_len == 0)
1977  break;
1978 
1979  /* fall through */
1980  }
1981 
1982  } else {
1983  switch (ssl_state->curr_connp->bytes_processed) {
1984  case 0:
1985  if (input_len >= ssl_state->curr_connp->record_lengths_length + 1) {
1986  ssl_state->curr_connp->record_length = (0x3f & input[0]) << 8 | input[1];
1987  ssl_state->curr_connp->content_type = input[3];
1988  ssl_state->curr_connp->version = SSL_VERSION_2;
1989  ssl_state->curr_connp->bytes_processed += 4;
1990  return 4;
1991  } else {
1992  ssl_state->curr_connp->record_length = (0x3f & *(input++)) << 8;
1993  if (--input_len == 0)
1994  break;
1995  }
1996 
1997  /* fall through */
1998  case 1:
1999  ssl_state->curr_connp->record_length |= *(input++);
2000  if (--input_len == 0)
2001  break;
2002 
2003  /* fall through */
2004  case 2:
2005  /* padding */
2006  input++;
2007  if (--input_len == 0)
2008  break;
2009 
2010  /* fall through */
2011  case 3:
2012  ssl_state->curr_connp->content_type = *(input++);
2013  ssl_state->curr_connp->version = SSL_VERSION_2;
2014  if (--input_len == 0)
2015  break;
2016 
2017  /* fall through */
2018  }
2019  }
2020 
2021  ssl_state->curr_connp->bytes_processed += (input - initial_input);
2022 
2023  return (input - initial_input);
2024 }
2025 
2026 static int SSLv2Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserState *pstate,
2027  const uint8_t *input, uint32_t input_len, const StreamSlice stream_slice)
2028 {
2029  int retval = 0;
2030  const uint8_t *initial_input = input;
2031 
2032  if (ssl_state->curr_connp->bytes_processed == 0) {
2033  if (input[0] & 0x80) {
2034  ssl_state->curr_connp->record_lengths_length = 2;
2035  } else {
2036  ssl_state->curr_connp->record_lengths_length = 3;
2037  }
2038 
2039  SCLogDebug("record start: ssl2.hdr frame");
2040  AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input,
2041  ssl_state->curr_connp->record_lengths_length + 1, direction, TLS_FRAME_SSLV2_HDR);
2042  }
2043 
2044  SCLogDebug("direction %u ssl_state->curr_connp->record_lengths_length + 1 %u, "
2045  "ssl_state->curr_connp->bytes_processed %u",
2046  direction, ssl_state->curr_connp->record_lengths_length + 1,
2047  ssl_state->curr_connp->bytes_processed);
2048  /* the +1 is because we read one extra byte inside SSLv2ParseRecord
2049  to read the msg_type */
2050  if (ssl_state->curr_connp->bytes_processed <
2051  (ssl_state->curr_connp->record_lengths_length + 1)) {
2052  retval = SSLv2ParseRecord(direction, ssl_state, input, input_len);
2053  SCLogDebug("retval %d ssl_state->curr_connp->record_length %u", retval,
2054  ssl_state->curr_connp->record_length);
2055  if (retval < 0 || retval > (int)input_len) {
2056  DEBUG_VALIDATE_BUG_ON(retval > (int)input_len);
2058  return -1;
2059  }
2060  // TODO review
2061  // BUG_ON(ssl_state->curr_connp->record_lengths_length + 1 !=
2062  // ssl_state->curr_connp->bytes_processed);
2063 
2064  AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input,
2065  ssl_state->curr_connp->record_lengths_length + ssl_state->curr_connp->record_length,
2066  direction, TLS_FRAME_SSLV2_PDU);
2067  SCLogDebug("record start: ssl2.pdu frame");
2068 
2069  input += retval;
2070  input_len -= retval;
2071  }
2072 
2073  if (input_len == 0) {
2074  return (input - initial_input);
2075  }
2076 
2077  /* record_length should never be zero */
2078  if (ssl_state->curr_connp->record_length == 0) {
2079  SCLogDebug("SSLv2 record length is zero");
2081  return -1;
2082  }
2083 
2084  /* record_lengths_length should never be zero */
2085  if (ssl_state->curr_connp->record_lengths_length == 0) {
2086  SCLogDebug("SSLv2 record lengths length is zero");
2088  return -1;
2089  }
2090 
2091  switch (ssl_state->curr_connp->content_type) {
2092  case SSLV2_MT_ERROR:
2093  SCLogDebug("SSLV2_MT_ERROR msg_type received. Error encountered "
2094  "in establishing the sslv2 session, may be version");
2096 
2097  break;
2098 
2099  case SSLV2_MT_CLIENT_HELLO:
2102 
2103  if (ssl_state->curr_connp->record_lengths_length == 3) {
2104  switch (ssl_state->curr_connp->bytes_processed) {
2105  case 4:
2106  if (input_len >= 6) {
2107  uint16_t session_id_length = (input[5]) | (uint16_t)(input[4] << 8);
2108  input += 6;
2109  input_len -= 6;
2110  ssl_state->curr_connp->bytes_processed += 6;
2111  if (session_id_length == 0) {
2113  }
2114 
2115  break;
2116  } else {
2117  input++;
2118  ssl_state->curr_connp->bytes_processed++;
2119  if (--input_len == 0)
2120  break;
2121  }
2122 
2123  /* fall through */
2124  case 5:
2125  input++;
2126  ssl_state->curr_connp->bytes_processed++;
2127  if (--input_len == 0)
2128  break;
2129 
2130  /* fall through */
2131  case 6:
2132  input++;
2133  ssl_state->curr_connp->bytes_processed++;
2134  if (--input_len == 0)
2135  break;
2136 
2137  /* fall through */
2138  case 7:
2139  input++;
2140  ssl_state->curr_connp->bytes_processed++;
2141  if (--input_len == 0)
2142  break;
2143 
2144  /* fall through */
2145  case 8:
2146  ssl_state->curr_connp->bytes_processed++;
2147  if (--input_len == 0)
2148  break;
2149 
2150  /* fall through */
2151  case 9:
2152  ssl_state->curr_connp->bytes_processed++;
2153  if (--input_len == 0)
2154  break;
2155 
2156  /* fall through */
2157  }
2158 
2159  } else {
2160  switch (ssl_state->curr_connp->bytes_processed) {
2161  case 3:
2162  if (input_len >= 6) {
2163  uint16_t session_id_length = (input[5]) | (uint16_t)(input[4] << 8);
2164  input += 6;
2165  input_len -= 6;
2166  ssl_state->curr_connp->bytes_processed += 6;
2167  if (session_id_length == 0) {
2169  }
2170 
2171  break;
2172  } else {
2173  input++;
2174  ssl_state->curr_connp->bytes_processed++;
2175  if (--input_len == 0)
2176  break;
2177  }
2178 
2179  /* fall through */
2180  case 4:
2181  input++;
2182  ssl_state->curr_connp->bytes_processed++;
2183  if (--input_len == 0)
2184  break;
2185 
2186  /* fall through */
2187  case 5:
2188  input++;
2189  ssl_state->curr_connp->bytes_processed++;
2190  if (--input_len == 0)
2191  break;
2192 
2193  /* fall through */
2194  case 6:
2195  input++;
2196  ssl_state->curr_connp->bytes_processed++;
2197  if (--input_len == 0)
2198  break;
2199 
2200  /* fall through */
2201  case 7:
2202  ssl_state->curr_connp->bytes_processed++;
2203  if (--input_len == 0)
2204  break;
2205 
2206  /* fall through */
2207  case 8:
2208  ssl_state->curr_connp->bytes_processed++;
2209  if (--input_len == 0)
2210  break;
2211 
2212  /* fall through */
2213  }
2214  }
2215 
2216  break;
2217 
2219  if (!(ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS)) {
2220  SCLogDebug("Client hello is not seen before master key "
2221  "message!");
2222  }
2224 
2225  break;
2226 
2228  if (direction == 1) {
2229  SCLogDebug("Incorrect SSL Record type sent in the toclient "
2230  "direction!");
2231  } else {
2233  }
2234 
2235  /* fall through */
2238  if (direction == 0 &&
2239  !(ssl_state->curr_connp->content_type &
2241  SCLogDebug("Incorrect SSL Record type sent in the toserver "
2242  "direction!");
2243  }
2244 
2245  /* fall through */
2248  /* both client hello and server hello must be seen */
2249  if ((ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) &&
2250  (ssl_state->flags & SSL_AL_FLAG_SSL_SERVER_HS)) {
2251 
2252  if (direction == 0) {
2253  if (ssl_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) {
2255  SCLogDebug("SSLv2 client side has started the encryption");
2256  } else if (ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY) {
2258  SCLogDebug("SSLv2 client side has started the encryption");
2259  }
2260  } else {
2262  SCLogDebug("SSLv2 Server side has started the encryption");
2263  }
2264 
2265  if ((ssl_state->flags & SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED) &&
2267  {
2271  }
2272 
2276  }
2277  SCLogDebug("SSLv2 No reassembly & inspection has been set");
2278  }
2279  }
2280 
2281  break;
2282 
2283  case SSLV2_MT_SERVER_HELLO:
2286 
2287  break;
2288  }
2289 
2290  ssl_state->flags |= ssl_state->current_flags;
2291 
2292  if (input_len + ssl_state->curr_connp->bytes_processed >=
2293  (ssl_state->curr_connp->record_length +
2294  ssl_state->curr_connp->record_lengths_length)) {
2295 
2296  /* looks like we have another record after this */
2297  uint32_t diff = ssl_state->curr_connp->record_length +
2298  ssl_state->curr_connp->record_lengths_length + -
2299  ssl_state->curr_connp->bytes_processed;
2300  input += diff;
2301  SSLParserReset(ssl_state);
2302  return (input - initial_input);
2303 
2304  /* we still don't have the entire record for the one we are
2305  currently parsing */
2306  } else {
2307  input += input_len;
2308  ssl_state->curr_connp->bytes_processed += input_len;
2309  return (input - initial_input);
2310  }
2311 }
2312 
2313 static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserState *pstate,
2314  const uint8_t *input, const uint32_t input_len, const StreamSlice stream_slice)
2315 {
2316  uint32_t parsed = 0;
2317  uint32_t record_len; /* slice of input_len for the current record */
2318 
2319  if (ssl_state->curr_connp->bytes_processed < SSLV3_RECORD_HDR_LEN) {
2320  int retval = SSLv3ParseRecord(direction, ssl_state, input, input_len);
2321  if (retval < 0 || retval > (int)input_len) {
2322  DEBUG_VALIDATE_BUG_ON(retval > (int)input_len);
2323  SCLogDebug("SSLv3ParseRecord returned %d", retval);
2325  return -1;
2326  }
2327  SCLogDebug("%s input %p record_length %u", (direction == 0) ? "toserver" : "toclient",
2328  input, ssl_state->curr_connp->record_length);
2329  AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input,
2330  ssl_state->curr_connp->record_length + retval, direction, TLS_FRAME_PDU);
2332  ssl_state->f, &stream_slice, input, SSLV3_RECORD_HDR_LEN, direction, TLS_FRAME_HDR);
2333  parsed += retval;
2334  record_len = MIN(input_len - parsed, ssl_state->curr_connp->record_length);
2335  SCLogDebug("record_len %u (input_len %u, parsed %u, ssl_state->curr_connp->record_length %u)",
2336  record_len, input_len, parsed, ssl_state->curr_connp->record_length);
2337  } else {
2338  ValidateRecordState(ssl_state->curr_connp);
2339 
2340  record_len = (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN)- ssl_state->curr_connp->bytes_processed;
2341  record_len = MIN(input_len, record_len);
2342  }
2343  SCLogDebug("record length %u processed %u got %u",
2344  ssl_state->curr_connp->record_length, ssl_state->curr_connp->bytes_processed, record_len);
2345 
2346  if (record_len == 0) {
2347  return parsed;
2348  }
2349 
2350  /* record_length should never be zero */
2351  if (ssl_state->curr_connp->record_length == 0) {
2352  SCLogDebug("SSLv3 Record length is 0");
2354  return -1;
2355  }
2356  AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input + parsed,
2357  ssl_state->curr_connp->record_length, direction, TLS_FRAME_DATA);
2358 
2359  switch (ssl_state->curr_connp->content_type) {
2360 
2361  /* we don't need any data from these types */
2363  ssl_state->flags |= SSL_AL_FLAG_CHANGE_CIPHER_SPEC;
2364 
2365  if (direction) {
2367  } else {
2369  }
2370 
2371  break;
2372 
2373  case SSLV3_ALERT_PROTOCOL:
2374  AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input + parsed,
2375  ssl_state->curr_connp->record_length, direction, TLS_FRAME_ALERT_DATA);
2376  break;
2377 
2379  /* In TLSv1.3 early data (0-RTT) could be sent before the
2380  handshake is complete (rfc8446, section 2.3). We should
2381  therefore not mark the handshake as done before we have
2382  seen the ServerHello record. */
2383  if ((ssl_state->flags & SSL_AL_FLAG_EARLY_DATA) &&
2384  ((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0))
2385  break;
2386 
2387  /* if we see (encrypted) aplication data, then this means the
2388  handshake must be done */
2389  ssl_state->flags |= SSL_AL_FLAG_HANDSHAKE_DONE;
2390 
2392  SCLogDebug("setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD");
2395  }
2396 
2397  /* Encrypted data, reassembly not asked, bypass asked, let's sacrifice
2398  * heartbeat lke inspection to be able to be able to bypass the flow */
2400  SCLogDebug("setting APP_LAYER_PARSER_NO_REASSEMBLY");
2407  }
2408 
2409  break;
2410 
2411  case SSLV3_HANDSHAKE_PROTOCOL: {
2412  if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
2413  /* In TLSv1.3, ChangeCipherSpec is only used for middlebox
2414  compability (rfc8446, appendix D.4). */
2415  // Client hello flags is needed to have a valid version
2416  if ((ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) &&
2417  (ssl_state->client_connp.version > TLS_VERSION_12) &&
2418  ((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0)) {
2419  /* do nothing */
2420  } else {
2421  // if we started parsing this, we must stop
2422  ssl_state->curr_connp->hs_bytes_processed = 0;
2423  break;
2424  }
2425  }
2426 
2427  if (ssl_state->curr_connp->record_length < 4) {
2428  SSLParserReset(ssl_state);
2430  SCLogDebug("record len < 4 => %u", ssl_state->curr_connp->record_length);
2431  return -1;
2432  }
2433 
2434  int retval = SSLv3ParseHandshakeProtocol(ssl_state, input + parsed,
2435  record_len, direction);
2436  if (retval < 0 || retval > (int)record_len) {
2437  DEBUG_VALIDATE_BUG_ON(retval > (int)record_len);
2438  SSLSetEvent(ssl_state,
2440  SSLSetEvent(ssl_state,
2442  SCLogDebug("SSLv3ParseHandshakeProtocol returned %d", retval);
2443  return -1;
2444  }
2445  SCLogDebug("retval %d", retval);
2446 
2447  parsed += retval;
2448  record_len -= retval;
2449  (void)record_len; /* for scan-build */
2450 
2451  SCLogDebug("bytes_processed %u (record+hdr %u)", ssl_state->curr_connp->bytes_processed,
2453  ValidateRecordState(ssl_state->curr_connp);
2454 
2455  if (ssl_state->curr_connp->bytes_processed >=
2456  ssl_state->curr_connp->record_length +
2458  SCLogDebug("record ready");
2459  SSLParserReset(ssl_state);
2460  }
2461 
2462  SCLogDebug("trigger RAW! (post HS)");
2464  direction == 0 ? STREAM_TOSERVER : STREAM_TOCLIENT);
2465  return parsed;
2466  }
2467  case SSLV3_HEARTBEAT_PROTOCOL: {
2468  AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input + parsed,
2469  ssl_state->curr_connp->record_length, direction, TLS_FRAME_HB_DATA);
2470  int retval = SSLv3ParseHeartbeatProtocol(ssl_state, input + parsed,
2471  record_len, direction);
2472  if (retval < 0) {
2473  SCLogDebug("SSLv3ParseHeartbeatProtocol returned %d", retval);
2474  return -1;
2475  }
2476  break;
2477  }
2478  default:
2479  /* \todo fix the event from invalid rule to unknown rule */
2482  SCLogDebug("unsupported record type");
2483  return -1;
2484  }
2485 
2486  if (HaveEntireRecord(ssl_state->curr_connp, record_len)) {
2488  ssl_state->curr_connp->bytes_processed));
2489 
2490  if ((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) <
2491  ssl_state->curr_connp->bytes_processed) {
2492  /* defensive checks. Something is wrong. */
2494  SCLogDebug("defensive checks. Something is wrong.");
2495  return -1;
2496  }
2497 
2498  SCLogDebug("record complete, trigger RAW");
2500  direction == 0 ? STREAM_TOSERVER : STREAM_TOCLIENT);
2501 
2502  /* looks like we have another record */
2503  uint32_t diff = ssl_state->curr_connp->record_length +
2505  parsed += diff;
2506  SSLParserReset(ssl_state);
2507  ValidateRecordState(ssl_state->curr_connp);
2508  return parsed;
2509 
2510  /* we still don't have the entire record for the one we are
2511  currently parsing */
2512  } else {
2513  parsed += record_len;
2514  ssl_state->curr_connp->bytes_processed += record_len;
2515  ValidateRecordState(ssl_state->curr_connp);
2516  return parsed;
2517  }
2518 }
2519 
2520 /**
2521  * \internal
2522  * \brief SSLv2, SSLv23, SSLv3, TLSv1.1, TLSv1.2, TLSv1.3 parser.
2523  *
2524  * On parsing error, this should be the only function that should reset
2525  * the parser state, to avoid multiple functions in the chain reseting
2526  * the parser state.
2527  *
2528  * \param direction 0 for toserver, 1 for toclient.
2529  * \param alstate Pointer to the state.
2530  * \param pstate Application layer parser state for this session.
2531  * \param output Pointer to the list of parsed output elements.
2532  *
2533  * \todo On reaching an inconsistent state, check if the input has
2534  * another new record, instead of just returning after the reset
2535  *
2536  * \retval >=0 On success.
2537  */
2538 static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate,
2539  AppLayerParserState *pstate, StreamSlice stream_slice)
2540 {
2541  SSLState *ssl_state = (SSLState *)alstate;
2542  uint32_t counter = 0;
2543  ssl_state->f = f;
2544  const uint8_t *input = StreamSliceGetData(&stream_slice);
2545  int32_t input_len = (int32_t)StreamSliceGetDataLen(&stream_slice);
2546 
2547  if (input == NULL &&
2548  ((direction == 0 && AppLayerParserStateIssetFlag(pstate, APP_LAYER_PARSER_EOF_TS)) ||
2549  (direction == 1 &&
2551  /* flag session as finished if APP_LAYER_PARSER_EOF is set */
2552  ssl_state->flags |= SSL_AL_FLAG_STATE_FINISHED;
2554  } else if (input == NULL || input_len == 0) {
2556  }
2557 
2558  if (direction == 0)
2559  ssl_state->curr_connp = &ssl_state->client_connp;
2560  else
2561  ssl_state->curr_connp = &ssl_state->server_connp;
2562 
2563  /* If entering on a new record, reset the current flags. */
2564  if (ssl_state->curr_connp->bytes_processed == 0) {
2565  ssl_state->current_flags = 0;
2566  }
2567 
2568  /* if we have more than one record */
2569  uint32_t max_records = MAX((input_len / SSL_RECORD_MINIMUM_LENGTH),1);
2570  while (input_len > 0) {
2571  if (counter > max_records) {
2572  SCLogDebug("Looks like we have looped quite a bit. Reset state "
2573  "and get out of here");
2574  SSLParserReset(ssl_state);
2575  SSLSetEvent(ssl_state,
2577  return APP_LAYER_ERROR;
2578  }
2579 
2580  /* ssl_state->bytes_processed is zero for a fresh record or
2581  positive to indicate a record currently being parsed */
2582 
2583  if (ssl_state->curr_connp->bytes_processed == 0) {
2584  if ((input[0] & 0x80) || (input[0] & 0x40)) {
2585  /* only SSLv2, has one of the top 2 bits set */
2586  ssl_state->curr_connp->version = SSL_VERSION_2;
2587  SCLogDebug("SSLv2 detected");
2588  } else if (ssl_state->curr_connp->version == SSL_VERSION_2) {
2589  ssl_state->curr_connp->version = TLS_VERSION_UNKNOWN;
2590  SCLogDebug("SSL/TLS version reset");
2591  }
2592  }
2593  SCLogDebug("record %u: bytes_processed %u, version %02X", counter,
2594  ssl_state->curr_connp->bytes_processed, ssl_state->curr_connp->version);
2595 
2596  if (ssl_state->curr_connp->version == SSL_VERSION_2) {
2597  if (ssl_state->curr_connp->bytes_processed == 0) {
2598  SCLogDebug("New SSLv2 record parsing");
2599  } else {
2600  SCLogDebug("Continuing parsing SSLv2 record");
2601  }
2602  int retval = SSLv2Decode(direction, ssl_state, pstate, input, input_len, stream_slice);
2603  if (retval < 0 || retval > input_len) {
2604  DEBUG_VALIDATE_BUG_ON(retval > input_len);
2605  SCLogDebug("Error parsing SSLv2. Reseting parser "
2606  "state. Let's get outta here");
2607  SSLParserReset(ssl_state);
2608  SSLSetEvent(ssl_state,
2610  return APP_LAYER_OK;
2611  }
2612  input_len -= retval;
2613  input += retval;
2614  SCLogDebug("SSLv2 decoder consumed %d bytes: %u left", retval, input_len);
2615  } else {
2616  if (ssl_state->curr_connp->bytes_processed == 0) {
2617  SCLogDebug("New TLS record: record_length %u",
2618  ssl_state->curr_connp->record_length);
2619  } else {
2620  SCLogDebug("Continuing parsing TLS record: record_length %u, bytes_processed %u",
2621  ssl_state->curr_connp->record_length, ssl_state->curr_connp->bytes_processed);
2622  }
2623  int retval = SSLv3Decode(direction, ssl_state, pstate, input, input_len, stream_slice);
2624  if (retval < 0 || retval > input_len) {
2625  DEBUG_VALIDATE_BUG_ON(retval > input_len);
2626  SCLogDebug("Error parsing TLS. Reseting parser "
2627  "state. Let's get outta here");
2628  SSLParserReset(ssl_state);
2629  return APP_LAYER_ERROR;
2630  }
2631  input_len -= retval;
2632  input += retval;
2633  SCLogDebug("TLS decoder consumed %d bytes: %u left", retval, input_len);
2634 
2636  && ssl_state->curr_connp->record_length == 0) {
2637  SCLogDebug("TLS empty record");
2638  /* empty record */
2639  SSLParserReset(ssl_state);
2640  }
2641  }
2642  counter++;
2643  } /* while (input_len) */
2644 
2645  /* mark handshake as done if we have subject and issuer */
2646  if (ssl_state->server_connp.cert0_subject &&
2647  ssl_state->server_connp.cert0_issuerdn) {
2648  SCLogDebug("SSL_AL_FLAG_HANDSHAKE_DONE");
2649  ssl_state->flags |= SSL_AL_FLAG_HANDSHAKE_DONE;
2650  }
2651 
2652  /* flag session as finished if APP_LAYER_PARSER_EOF is set */
2655  SCLogDebug("SSL_AL_FLAG_STATE_FINISHED");
2656  ssl_state->flags |= SSL_AL_FLAG_STATE_FINISHED;
2657  }
2658 
2659  return APP_LAYER_OK;
2660 }
2661 
2662 static AppLayerResult SSLParseClientRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
2663  StreamSlice stream_slice, void *local_data)
2664 {
2665  return SSLDecode(f, 0 /* toserver */, alstate, pstate, stream_slice);
2666 }
2667 
2668 static AppLayerResult SSLParseServerRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
2669  StreamSlice stream_slice, void *local_data)
2670 {
2671  return SSLDecode(f, 1 /* toclient */, alstate, pstate, stream_slice);
2672 }
2673 
2674 /**
2675  * \internal
2676  * \brief Function to allocate the SSL state memory.
2677  */
2678 static void *SSLStateAlloc(void *orig_state, AppProto proto_orig)
2679 {
2680  SSLState *ssl_state = SCMalloc(sizeof(SSLState));
2681  if (unlikely(ssl_state == NULL))
2682  return NULL;
2683  memset(ssl_state, 0, sizeof(SSLState));
2684  ssl_state->client_connp.cert_log_flag = 0;
2685  ssl_state->server_connp.cert_log_flag = 0;
2686  TAILQ_INIT(&ssl_state->server_connp.certs);
2687 
2688  return (void *)ssl_state;
2689 }
2690 
2691 /**
2692  * \internal
2693  * \brief Function to free the SSL state memory.
2694  */
2695 static void SSLStateFree(void *p)
2696 {
2697  SSLState *ssl_state = (SSLState *)p;
2698  SSLCertsChain *item;
2699 
2700  if (ssl_state->client_connp.trec)
2701  SCFree(ssl_state->client_connp.trec);
2702  if (ssl_state->client_connp.cert0_subject)
2703  rs_cstring_free(ssl_state->client_connp.cert0_subject);
2704  if (ssl_state->client_connp.cert0_issuerdn)
2705  rs_cstring_free(ssl_state->client_connp.cert0_issuerdn);
2706  if (ssl_state->client_connp.cert0_serial)
2707  rs_cstring_free(ssl_state->client_connp.cert0_serial);
2708  if (ssl_state->client_connp.cert0_fingerprint)
2710  if (ssl_state->client_connp.sni)
2711  SCFree(ssl_state->client_connp.sni);
2712  if (ssl_state->client_connp.session_id)
2713  SCFree(ssl_state->client_connp.session_id);
2714 
2715  if (ssl_state->server_connp.trec)
2716  SCFree(ssl_state->server_connp.trec);
2717  if (ssl_state->server_connp.cert0_subject)
2718  rs_cstring_free(ssl_state->server_connp.cert0_subject);
2719  if (ssl_state->server_connp.cert0_issuerdn)
2720  rs_cstring_free(ssl_state->server_connp.cert0_issuerdn);
2721  if (ssl_state->server_connp.cert0_serial)
2722  rs_cstring_free(ssl_state->server_connp.cert0_serial);
2723  if (ssl_state->server_connp.cert0_fingerprint)
2725  if (ssl_state->server_connp.sni)
2726  SCFree(ssl_state->server_connp.sni);
2727  if (ssl_state->server_connp.session_id)
2728  SCFree(ssl_state->server_connp.session_id);
2729 
2730  if (ssl_state->client_connp.ja3_str)
2731  Ja3BufferFree(&ssl_state->client_connp.ja3_str);
2732  if (ssl_state->client_connp.ja3_hash)
2733  SCFree(ssl_state->client_connp.ja3_hash);
2734  if (ssl_state->server_connp.ja3_str)
2735  Ja3BufferFree(&ssl_state->server_connp.ja3_str);
2736  if (ssl_state->server_connp.ja3_hash)
2737  SCFree(ssl_state->server_connp.ja3_hash);
2738 
2739  AppLayerDecoderEventsFreeEvents(&ssl_state->tx_data.events);
2740 
2741  if (ssl_state->tx_data.de_state != NULL) {
2742  DetectEngineStateFree(ssl_state->tx_data.de_state);
2743  }
2744 
2745  /* Free certificate chain */
2746  while ((item = TAILQ_FIRST(&ssl_state->server_connp.certs))) {
2747  TAILQ_REMOVE(&ssl_state->server_connp.certs, item, next);
2748  SCFree(item);
2749  }
2750  TAILQ_INIT(&ssl_state->server_connp.certs);
2751 
2752  SCFree(ssl_state);
2753 
2754  return;
2755 }
2756 
2757 static void SSLStateTransactionFree(void *state, uint64_t tx_id)
2758 {
2759  /* do nothing */
2760 }
2761 
2762 static AppProto SSLProbingParser(Flow *f, uint8_t direction,
2763  const uint8_t *input, uint32_t ilen, uint8_t *rdir)
2764 {
2765  /* probably a rst/fin sending an eof */
2766  if (ilen < 3)
2767  return ALPROTO_UNKNOWN;
2768 
2769  /* for now just the 3 byte header ones */
2770  /* \todo Detect the 2 byte ones */
2771  if ((input[0] & 0x80) && (input[2] == 0x01)) {
2772  return ALPROTO_TLS;
2773  }
2774 
2775  return ALPROTO_FAILED;
2776 }
2777 
2778 static int SSLStateGetFrameIdByName(const char *frame_name)
2779 {
2780  int id = SCMapEnumNameToValue(frame_name, tls_frame_table);
2781  if (id < 0) {
2782  return -1;
2783  }
2784  return id;
2785 }
2786 
2787 static const char *SSLStateGetFrameNameById(const uint8_t frame_id)
2788 {
2789  const char *name = SCMapEnumValueToName(frame_id, tls_frame_table);
2790  return name;
2791 }
2792 
2793 static int SSLStateGetEventInfo(const char *event_name,
2794  int *event_id, AppLayerEventType *event_type)
2795 {
2796  *event_id = SCMapEnumNameToValue(event_name, tls_decoder_event_table);
2797  if (*event_id == -1) {
2798  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%s\" not present in "
2799  "ssl's enum map table.", event_name);
2800  /* yes this is fatal */
2801  return -1;
2802  }
2803 
2804  *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
2805 
2806  return 0;
2807 }
2808 
2809 static int SSLStateGetEventInfoById(int event_id, const char **event_name,
2810  AppLayerEventType *event_type)
2811 {
2812  *event_name = SCMapEnumValueToName(event_id, tls_decoder_event_table);
2813  if (*event_name == NULL) {
2814  SCLogError(SC_ERR_INVALID_ENUM_MAP, "event \"%d\" not present in "
2815  "ssl's enum map table.", event_id);
2816  /* yes this is fatal */
2817  return -1;
2818  }
2819 
2820  *event_type = APP_LAYER_EVENT_TYPE_TRANSACTION;
2821 
2822  return 0;
2823 }
2824 
2825 static int SSLRegisterPatternsForProtocolDetection(void)
2826 {
2827  if (AppLayerProtoDetectPMRegisterPatternCSwPP(IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2,
2828  STREAM_TOSERVER, SSLProbingParser, 0, 3) < 0) {
2829  return -1;
2830  }
2831 
2832  /** SSLv3 */
2834  "|01 03 00|", 3, 0, STREAM_TOSERVER) < 0)
2835  {
2836  return -1;
2837  }
2839  "|16 03 00|", 3, 0, STREAM_TOSERVER) < 0)
2840  {
2841  return -1;
2842  }
2843 
2844  /** TLSv1 */
2846  "|01 03 01|", 3, 0, STREAM_TOSERVER) < 0)
2847  {
2848  return -1;
2849  }
2851  "|16 03 01|", 3, 0, STREAM_TOSERVER) < 0)
2852  {
2853  return -1;
2854  }
2855 
2856  /** TLSv1.1 */
2858  "|01 03 02|", 3, 0, STREAM_TOSERVER) < 0)
2859  {
2860  return -1;
2861  }
2863  "|16 03 02|", 3, 0, STREAM_TOSERVER) < 0)
2864  {
2865  return -1;
2866  }
2867 
2868  /** TLSv1.2 */
2870  "|01 03 03|", 3, 0, STREAM_TOSERVER) < 0)
2871  {
2872  return -1;
2873  }
2875  "|16 03 03|", 3, 0, STREAM_TOSERVER) < 0)
2876  {
2877  return -1;
2878  }
2879 
2880  /***** toclient direction *****/
2881 
2883  "|15 03 00|", 3, 0, STREAM_TOCLIENT) < 0)
2884  {
2885  return -1;
2886  }
2888  "|16 03 00|", 3, 0, STREAM_TOCLIENT) < 0)
2889  {
2890  return -1;
2891  }
2893  "|17 03 00|", 3, 0, STREAM_TOCLIENT) < 0)
2894  {
2895  return -1;
2896  }
2897 
2898  /** TLSv1 */
2900  "|15 03 01|", 3, 0, STREAM_TOCLIENT) < 0)
2901  {
2902  return -1;
2903  }
2905  "|16 03 01|", 3, 0, STREAM_TOCLIENT) < 0)
2906  {
2907  return -1;
2908  }
2910  "|17 03 01|", 3, 0, STREAM_TOCLIENT) < 0)
2911  {
2912  return -1;
2913  }
2914 
2915  /** TLSv1.1 */
2917  "|15 03 02|", 3, 0, STREAM_TOCLIENT) < 0)
2918  {
2919  return -1;
2920  }
2922  "|16 03 02|", 3, 0, STREAM_TOCLIENT) < 0)
2923  {
2924  return -1;
2925  }
2927  "|17 03 02|", 3, 0, STREAM_TOCLIENT) < 0)
2928  {
2929  return -1;
2930  }
2931 
2932  /** TLSv1.2 */
2934  "|15 03 03|", 3, 0, STREAM_TOCLIENT) < 0)
2935  {
2936  return -1;
2937  }
2939  "|16 03 03|", 3, 0, STREAM_TOCLIENT) < 0)
2940  {
2941  return -1;
2942  }
2944  "|17 03 03|", 3, 0, STREAM_TOCLIENT) < 0)
2945  {
2946  return -1;
2947  }
2948 
2949  /* Subsection - SSLv2 style record by client, but informing the server
2950  * the max version it supports.
2951  * Updated by Anoop Saldanha. Disabled it for now. We'll get back to
2952  * it after some tests */
2953 #if 0
2955  "|01 03 00|", 5, 2, STREAM_TOSERVER) < 0)
2956  {
2957  return -1;
2958  }
2960  "|00 02|", 7, 5, STREAM_TOCLIENT) < 0)
2961  {
2962  return -1;
2963  }
2964 #endif
2965 
2966  return 0;
2967 }
2968 
2969 /**
2970  * \brief Function to register the SSL protocol parser and other functions
2971  */
2973 {
2974  const char *proto_name = "tls";
2975 
2976  SC_ATOMIC_INIT(ssl_config.enable_ja3);
2977 
2978  /** SSLv2 and SSLv23*/
2979  if (AppLayerProtoDetectConfProtoDetectionEnabled("tcp", proto_name)) {
2981 
2982  if (SSLRegisterPatternsForProtocolDetection() < 0)
2983  return;
2984 
2985  if (RunmodeIsUnittests()) {
2986  AppLayerProtoDetectPPRegister(IPPROTO_TCP,
2987  "443",
2988  ALPROTO_TLS,
2989  0, 3,
2990  STREAM_TOSERVER,
2991  SSLProbingParser, NULL);
2992  } else {
2993  if (AppLayerProtoDetectPPParseConfPorts("tcp", IPPROTO_TCP,
2994  proto_name, ALPROTO_TLS,
2995  0, 3,
2996  SSLProbingParser, NULL) == 0) {
2997  SCLogConfig("no TLS config found, "
2998  "enabling TLS detection on port 443.");
2999  AppLayerProtoDetectPPRegister(IPPROTO_TCP,
3000  "443",
3001  ALPROTO_TLS,
3002  0, 3,
3003  STREAM_TOSERVER,
3004  SSLProbingParser, NULL);
3005  }
3006  }
3007  } else {
3008  SCLogConfig("Protocol detection and parser disabled for %s protocol",
3009  proto_name);
3010  return;
3011  }
3012 
3013  if (AppLayerParserConfParserEnabled("tcp", proto_name)) {
3014  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TLS, STREAM_TOSERVER,
3015  SSLParseClientRecord);
3016 
3017  AppLayerParserRegisterParser(IPPROTO_TCP, ALPROTO_TLS, STREAM_TOCLIENT,
3018  SSLParseServerRecord);
3019 
3021  IPPROTO_TCP, ALPROTO_TLS, SSLStateGetFrameIdByName, SSLStateGetFrameNameById);
3022  AppLayerParserRegisterGetEventInfo(IPPROTO_TCP, ALPROTO_TLS, SSLStateGetEventInfo);
3023  AppLayerParserRegisterGetEventInfoById(IPPROTO_TCP, ALPROTO_TLS, SSLStateGetEventInfoById);
3024 
3025  AppLayerParserRegisterStateFuncs(IPPROTO_TCP, ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
3026 
3028 
3029  AppLayerParserRegisterTxFreeFunc(IPPROTO_TCP, ALPROTO_TLS, SSLStateTransactionFree);
3030 
3031  AppLayerParserRegisterGetTx(IPPROTO_TCP, ALPROTO_TLS, SSLGetTx);
3032  AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_TLS, SSLGetTxData);
3033 
3034  AppLayerParserRegisterGetTxCnt(IPPROTO_TCP, ALPROTO_TLS, SSLGetTxCnt);
3035 
3036  AppLayerParserRegisterGetStateProgressFunc(IPPROTO_TCP, ALPROTO_TLS, SSLGetAlstateProgress);
3037 
3040 
3041  ConfNode *enc_handle = ConfGetNode("app-layer.protocols.tls.encryption-handling");
3042  if (enc_handle != NULL && enc_handle->val != NULL) {
3043  SCLogDebug("have app-layer.protocols.tls.encryption-handling = %s", enc_handle->val);
3044  if (strcmp(enc_handle->val, "full") == 0) {
3046  } else if (strcmp(enc_handle->val, "bypass") == 0) {
3048  } else if (strcmp(enc_handle->val, "default") == 0) {
3050  } else {
3052  }
3053  } else {
3054  /* Get the value of no reassembly option from the config file */
3055  if (ConfGetNode("app-layer.protocols.tls.no-reassemble") == NULL) {
3056  int value = 0;
3057  if (ConfGetBool("tls.no-reassemble", &value) == 1 && value == 1)
3059  } else {
3060  int value = 0;
3061  if (ConfGetBool("app-layer.protocols.tls.no-reassemble", &value) == 1 && value == 1)
3063  }
3064  }
3065  SCLogDebug("ssl_config.encrypt_mode %u", ssl_config.encrypt_mode);
3066 
3067  /* Check if we should generate JA3 fingerprints */
3068  int enable_ja3 = SSL_CONFIG_DEFAULT_JA3;
3069  const char *strval = NULL;
3070  if (ConfGetValue("app-layer.protocols.tls.ja3-fingerprints", &strval) != 1) {
3071  enable_ja3 = SSL_CONFIG_DEFAULT_JA3;
3072  } else if (strcmp(strval, "auto") == 0) {
3073  enable_ja3 = SSL_CONFIG_DEFAULT_JA3;
3074  } else if (ConfValIsFalse(strval)) {
3075  enable_ja3 = 0;
3076  ssl_config.disable_ja3 = true;
3077  } else if (ConfValIsTrue(strval)) {
3078  enable_ja3 = true;
3079  }
3080  SC_ATOMIC_SET(ssl_config.enable_ja3, enable_ja3);
3081 
3082  if (g_disable_hashing) {
3083  if (SC_ATOMIC_GET(ssl_config.enable_ja3)) {
3084  SCLogWarning(
3085  SC_WARN_NO_JA3_SUPPORT, "MD5 calculation has been disabled, disabling JA3");
3086  SC_ATOMIC_SET(ssl_config.enable_ja3, 0);
3087  }
3088  } else {
3089  if (RunmodeIsUnittests()) {
3090  SC_ATOMIC_SET(ssl_config.enable_ja3, 1);
3091  }
3092  }
3093  } else {
3094  SCLogConfig("Parsed disabled for %s protocol. Protocol detection"
3095  "still on.", proto_name);
3096  }
3097 
3098 #ifdef UNITTESTS
3100 #endif
3101  return;
3102 }
3103 
3104 /**
3105  * \brief if not explicitly disabled in config, enable ja3 support
3106  *
3107  * Implemented using atomic to allow rule reloads to do this at
3108  * runtime.
3109  */
3110 void SSLEnableJA3(void)
3111 {
3113  return;
3114  }
3115  if (SC_ATOMIC_GET(ssl_config.enable_ja3)) {
3116  return;
3117  }
3118  SC_ATOMIC_SET(ssl_config.enable_ja3, 1);
3119 }
3120 
3122 {
3123  if (SC_ATOMIC_GET(ssl_config.enable_ja3)) {
3124  return true;
3125  }
3126  return false;
3127 }
3128 
3129 /***************************************Unittests******************************/
3130 
3131 #ifdef UNITTESTS
3132 
3133 /**
3134  *\test Send a get request in one chunk.
3135  */
3136 static int SSLParserTest01(void)
3137 {
3138  Flow f;
3139  uint8_t tlsbuf[] = { 0x16, 0x03, 0x01 };
3140  uint32_t tlslen = sizeof(tlsbuf);
3141  TcpSession ssn;
3143 
3144  memset(&f, 0, sizeof(f));
3145  memset(&ssn, 0, sizeof(ssn));
3146 
3147  FLOW_INITIALIZE(&f);
3148  f.protoctx = (void *)&ssn;
3149  f.proto = IPPROTO_TCP;
3150  f.alproto = ALPROTO_TLS;
3151 
3152  StreamTcpInitConfig(true);
3153 
3154  FLOWLOCK_WRLOCK(&f);
3155  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3156  STREAM_TOSERVER | STREAM_EOF, tlsbuf, tlslen);
3157  FLOWLOCK_UNLOCK(&f);
3158  FAIL_IF(r != 0);
3159 
3160  SSLState *ssl_state = f.alstate;
3161  FAIL_IF_NULL(ssl_state);
3162 
3163  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3164 
3165  FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10);
3166 
3168  StreamTcpFreeConfig(true);
3169  FLOW_DESTROY(&f);
3170 
3171  PASS;
3172 }
3173 
3174 /** \test Send a get request in two chunks. */
3175 static int SSLParserTest02(void)
3176 {
3177  Flow f;
3178  uint8_t tlsbuf1[] = { 0x16 };
3179  uint32_t tlslen1 = sizeof(tlsbuf1);
3180  uint8_t tlsbuf2[] = { 0x03, 0x01 };
3181  uint32_t tlslen2 = sizeof(tlsbuf2);
3182  TcpSession ssn;
3184 
3185  memset(&f, 0, sizeof(f));
3186  memset(&ssn, 0, sizeof(ssn));
3187  FLOW_INITIALIZE(&f);
3188  f.protoctx = (void *)&ssn;
3189  f.proto = IPPROTO_TCP;
3190  f.alproto = ALPROTO_TLS;
3191 
3192  StreamTcpInitConfig(true);
3193 
3194  FLOWLOCK_WRLOCK(&f);
3195  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3196  STREAM_TOSERVER, tlsbuf1, tlslen1);
3197  FLOWLOCK_UNLOCK(&f);
3198  FAIL_IF(r != 0);
3199 
3200  FLOWLOCK_WRLOCK(&f);
3201  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3202  tlsbuf2, tlslen2);
3203  FLOWLOCK_UNLOCK(&f);
3204  FAIL_IF(r != 0);
3205 
3206  SSLState *ssl_state = f.alstate;
3207  FAIL_IF_NULL(ssl_state);
3208 
3209  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3210 
3211  FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10);
3212 
3214  StreamTcpFreeConfig(true);
3215  FLOW_DESTROY(&f);
3216 
3217  PASS;
3218 }
3219 
3220 /** \test Send a get request in three chunks. */
3221 static int SSLParserTest03(void)
3222 {
3223  Flow f;
3224  uint8_t tlsbuf1[] = { 0x16 };
3225  uint32_t tlslen1 = sizeof(tlsbuf1);
3226  uint8_t tlsbuf2[] = { 0x03 };
3227  uint32_t tlslen2 = sizeof(tlsbuf2);
3228  uint8_t tlsbuf3[] = { 0x01 };
3229  uint32_t tlslen3 = sizeof(tlsbuf3);
3230  TcpSession ssn;
3232 
3233  memset(&f, 0, sizeof(f));
3234  memset(&ssn, 0, sizeof(ssn));
3235  FLOW_INITIALIZE(&f);
3236  f.protoctx = (void *)&ssn;
3237  f.proto = IPPROTO_TCP;
3238  f.alproto = ALPROTO_TLS;
3239 
3240  StreamTcpInitConfig(true);
3241 
3242  FLOWLOCK_WRLOCK(&f);
3243  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3244  STREAM_TOSERVER, tlsbuf1, tlslen1);
3245  FLOWLOCK_UNLOCK(&f);
3246  FAIL_IF(r != 0);
3247 
3248  FLOWLOCK_WRLOCK(&f);
3249  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3250  tlsbuf2, tlslen2);
3251  FLOWLOCK_UNLOCK(&f);
3252  FAIL_IF(r != 0);
3253 
3254  FLOWLOCK_WRLOCK(&f);
3255  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3256  tlsbuf3, tlslen3);
3257  FLOWLOCK_UNLOCK(&f);
3258  FAIL_IF(r != 0);
3259 
3260  SSLState *ssl_state = f.alstate;
3261  FAIL_IF_NULL(ssl_state);
3262 
3263  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3264 
3265  FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10);
3266 
3268  StreamTcpFreeConfig(true);
3269  FLOW_DESTROY(&f);
3270 
3271  PASS;
3272 }
3273 
3274 /** \test Send a get request in three chunks + more data. */
3275 static int SSLParserTest04(void)
3276 {
3277  Flow f;
3278  uint8_t tlsbuf1[] = { 0x16 };
3279  uint32_t tlslen1 = sizeof(tlsbuf1);
3280  uint8_t tlsbuf2[] = { 0x03 };
3281  uint32_t tlslen2 = sizeof(tlsbuf2);
3282  uint8_t tlsbuf3[] = { 0x01 };
3283  uint32_t tlslen3 = sizeof(tlsbuf3);
3284  uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
3285  uint32_t tlslen4 = sizeof(tlsbuf4);
3286  TcpSession ssn;
3288 
3289  memset(&f, 0, sizeof(f));
3290  memset(&ssn, 0, sizeof(ssn));
3291  FLOW_INITIALIZE(&f);
3292  f.protoctx = (void *)&ssn;
3293  f.proto = IPPROTO_TCP;
3294  f.alproto = ALPROTO_TLS;
3295 
3296  StreamTcpInitConfig(true);
3297 
3298  FLOWLOCK_WRLOCK(&f);
3299  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3300  STREAM_TOSERVER, tlsbuf1, tlslen1);
3301  FLOWLOCK_UNLOCK(&f);
3302  FAIL_IF(r != 0);
3303 
3304  FLOWLOCK_WRLOCK(&f);
3305  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3306  tlsbuf2, tlslen2);
3307  FLOWLOCK_UNLOCK(&f);
3308  FAIL_IF(r != 0);
3309 
3310  FLOWLOCK_WRLOCK(&f);
3311  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3312  tlsbuf3, tlslen3);
3313  FLOWLOCK_UNLOCK(&f);
3314  FAIL_IF(r != 0);
3315 
3316  FLOWLOCK_WRLOCK(&f);
3317  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3318  tlsbuf4, tlslen4);
3319  FLOWLOCK_UNLOCK(&f);
3320  FAIL_IF(r != 0);
3321 
3322  SSLState *ssl_state = f.alstate;
3323  FAIL_IF_NULL(ssl_state);
3324 
3325  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3326 
3327  FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10);
3328 
3330  StreamTcpFreeConfig(true);
3331  FLOW_DESTROY(&f);
3332 
3333  PASS;
3334 }
3335 
3336 #if 0
3337 /** \test Test the setting up of no reassembly and no payload inspection flag
3338  * after detection of the TLS handshake completion */
3339 static int SSLParserTest05(void)
3340 {
3341  int result = 1;
3342  Flow f;
3343  uint8_t tlsbuf[] = { 0x16, 0x03, 0x01, 0x00, 0x01 };
3344  uint32_t tlslen = sizeof(tlsbuf);
3345  TcpSession ssn;
3347 
3348  memset(&f, 0, sizeof(f));
3349  memset(&ssn, 0, sizeof(ssn));
3350  FLOW_INITIALIZE(&f);
3351  f.protoctx = (void *)&ssn;
3352  f.proto = IPPROTO_TCP;
3353  f.alproto = ALPROTO_TLS;
3354 
3355  StreamTcpInitConfig(true);
3356 
3357  int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3358  if (r != 0) {
3359  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3360  result = 0;
3361  goto end;
3362  }
3363 
3364  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
3365  if (r != 0) {
3366  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3367  result = 0;
3368  goto end;
3369  }
3370 
3371  tlsbuf[0] = 0x14;
3372 
3373  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3374  if (r != 0) {
3375  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3376  result = 0;
3377  goto end;
3378  }
3379 
3380  tlsbuf[0] = 0x14;
3381 
3382  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
3383  if (r != 0) {
3384  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3385  result = 0;
3386  goto end;
3387  }
3388 
3389  tlsbuf[0] = 0x17;
3390 
3391  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3392  if (r != 0) {
3393  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3394  result = 0;
3395  goto end;
3396  }
3397 
3398  SSLState *ssl_state = f.alstate;
3399  if (ssl_state == NULL) {
3400  printf("no tls state: ");
3401  result = 0;
3402  goto end;
3403  }
3404 
3405  if (ssl_state->client_connp.content_type != 0x17) {
3406  printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
3407  ssl_state->client_connp.content_type);
3408  result = 0;
3409  goto end;
3410  }
3411 
3412  if (ssl_state->client_connp.version != TLS_VERSION_10) {
3413  printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
3414  TLS_VERSION_10, ssl_state->client_connp.client_version);
3415  result = 0;
3416  goto end;
3417  }
3418 
3419  AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *)
3420  ssn.alparser;
3421  AppLayerParserState *parser_state = &parser_state_store->to_server;
3422 
3423  if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) &&
3426  {
3427  printf("The flags should be set\n");
3428  result = 0;
3429  goto end;
3430  }
3431 
3432  if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) {
3433  printf("The flags should be set\n");
3434  result = 0;
3435  goto end;
3436  }
3437 
3438 end:
3439  if (alp_tctx != NULL)
3441  StreamTcpFreeConfig(true);
3442  FLOW_DESTROY(&f);
3443  return result;
3444 }
3445 #endif
3446 
3447 #if 0
3448 /** \test Test the setting up of no reassembly and no payload inspection flag
3449  * after detection of the valid TLS handshake completion, the rouge
3450  * 0x17 packet will not be considered in the detection process */
3451 static int SSLParserTest06(void)
3452 {
3453  int result = 1;
3454  Flow f;
3455  uint8_t tlsbuf[] = { 0x16, 0x03, 0x01, 0x00, 0x01 };
3456  uint32_t tlslen = sizeof(tlsbuf);
3457  TcpSession ssn;
3459 
3460  memset(&f, 0, sizeof(f));
3461  memset(&ssn, 0, sizeof(ssn));
3462  FLOW_INITIALIZE(&f);
3463  f.protoctx = (void *)&ssn;
3464  f.proto = IPPROTO_TCP;
3465  f.alproto = ALPROTO_TLS;
3466 
3467  StreamTcpInitConfig(true);
3468 
3469  int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3470  if (r != 0) {
3471  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3472  result = 0;
3473  goto end;
3474  }
3475 
3476  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
3477  if (r != 0) {
3478  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3479  result = 0;
3480  goto end;
3481  }
3482 
3483  tlsbuf[0] = 0x14;
3484 
3485  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3486  if (r != 0) {
3487  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3488  result = 0;
3489  goto end;
3490  }
3491 
3492  tlsbuf[0] = 0x17;
3493 
3494  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3495  if (r != 0) {
3496  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3497  result = 0;
3498  goto end;
3499  }
3500 
3501  SSLState *ssl_state = f.alstate;
3502  if (ssl_state == NULL) {
3503  printf("no tls state: ");
3504  result = 0;
3505  goto end;
3506  }
3507 
3508  if (ssl_state->client_connp.content_type != 0x17) {
3509  printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
3510  ssl_state->client_connp._content_type);
3511  result = 0;
3512  goto end;
3513  }
3514 
3515  if (ssl_state->client_connp.version != TLS_VERSION_10) {
3516  printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
3517  TLS_VERSION_10, ssl_state->client_connp.version);
3518  result = 0;
3519  goto end;
3520  }
3521 
3522  AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *)
3523  ssn.alparser;
3524  AppLayerParserState *parser_state = &parser_state_store->to_server;
3525 
3526  if ((parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) ||
3529  printf("The flags should not be set\n");
3530  result = 0;
3531  goto end;
3532  }
3533 
3534  tlsbuf[0] = 0x14;
3535 
3536  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
3537  if (r != 0) {
3538  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3539  result = 0;
3540  goto end;
3541  }
3542 
3543  tlsbuf[0] = 0x17;
3544 
3545  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3546  if (r != 0) {
3547  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3548  result = 0;
3549  goto end;
3550  }
3551 
3552  if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) &&
3555  printf("The flags should be set\n");
3556  result = 0;
3557  goto end;
3558  }
3559 
3560  if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) {
3561  printf("The flags should be set\n");
3562  result = 0;
3563  goto end;
3564  }
3565 
3566 end:
3567  if (alp_tctx != NULL)
3569  StreamTcpFreeConfig(true);
3570  FLOW_DESTROY(&f);
3571  return result;
3572 }
3573 #endif
3574 
3575 /** \test multimsg test */
3576 static int SSLParserMultimsgTest01(void)
3577 {
3578  Flow f;
3579  /* 3 msgs */
3580  uint8_t tlsbuf1[] = {
3581  0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
3582  0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
3583  0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
3584  0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
3585  0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
3586  0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
3587  0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
3588  0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
3589  0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
3590  0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
3591  0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
3592  0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
3593  0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
3594  0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
3595  0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
3596  0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
3597  0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
3598  0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
3599  0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
3600  0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
3601  0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
3602  0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
3603  0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
3604  0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
3605  0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c
3606  };
3607  uint32_t tlslen1 = sizeof(tlsbuf1);
3608  TcpSession ssn;
3610 
3611  memset(&f, 0, sizeof(f));
3612  memset(&ssn, 0, sizeof(ssn));
3613  FLOW_INITIALIZE(&f);
3614  f.protoctx = (void *)&ssn;
3615  f.proto = IPPROTO_TCP;
3616  f.alproto = ALPROTO_TLS;
3617 
3618  StreamTcpInitConfig(true);
3619 
3620  FLOWLOCK_WRLOCK(&f);
3621  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3622  STREAM_TOSERVER, tlsbuf1, tlslen1);
3623  FLOWLOCK_UNLOCK(&f);
3624  FAIL_IF(r != 0);
3625 
3626  SSLState *ssl_state = f.alstate;
3627  FAIL_IF_NULL(ssl_state);
3628 
3629  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3630 
3631  FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10);
3632 
3634  StreamTcpFreeConfig(true);
3635  FLOW_DESTROY(&f);
3636 
3637  PASS;
3638 }
3639 
3640 /** \test multimsg test server */
3641 static int SSLParserMultimsgTest02(void)
3642 {
3643  Flow f;
3644  /* 3 msgs */
3645  uint8_t tlsbuf1[] = {
3646  0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
3647  0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82,
3648  0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d,
3649  0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b,
3650  0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0,
3651  0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2,
3652  0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2,
3653  0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33,
3654  0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2,
3655  0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a,
3656  0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e,
3657  0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73,
3658  0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde,
3659  0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa,
3660  0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9,
3661  0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97,
3662  0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66,
3663  0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01,
3664  0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc,
3665  0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb,
3666  0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01,
3667  0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e,
3668  0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d,
3669  0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45,
3670  0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c
3671  };
3672  uint32_t tlslen1 = sizeof(tlsbuf1);
3673  TcpSession ssn;
3675 
3676  memset(&f, 0, sizeof(f));
3677  memset(&ssn, 0, sizeof(ssn));
3678  FLOW_INITIALIZE(&f);
3679  f.protoctx = (void *)&ssn;
3680  f.proto = IPPROTO_TCP;
3681  f.alproto = ALPROTO_TLS;
3682 
3683  StreamTcpInitConfig(true);
3684 
3685  FLOWLOCK_WRLOCK(&f);
3686  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3687  STREAM_TOCLIENT, tlsbuf1, tlslen1);
3688  FLOWLOCK_UNLOCK(&f);
3689  FAIL_IF(r != 0);
3690 
3691  SSLState *ssl_state = f.alstate;
3692  FAIL_IF_NULL(ssl_state);
3693 
3694  FAIL_IF(ssl_state->server_connp.content_type != 0x16);
3695 
3696  FAIL_IF(ssl_state->server_connp.version != 0x0301);
3697 
3699  StreamTcpFreeConfig(true);
3700  FLOW_DESTROY(&f);
3701 
3702  PASS;
3703 }
3704 
3705 /**
3706  * \test Test the detection of SSLv3 protocol from the given packet
3707  */
3708 static int SSLParserTest07(void)
3709 {
3710  Flow f;
3711  uint8_t tlsbuf[] = { 0x16, 0x03, 0x00, 0x00, 0x4c, 0x01,
3712  0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f,
3713  0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb,
3714  0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
3715  0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
3716  0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
3717  0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
3718  0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
3719  0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
3720  0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
3721  0x2e, 0x6e, 0x6f };
3722  uint32_t tlslen = sizeof(tlsbuf);
3723  TcpSession ssn;
3725 
3726  memset(&f, 0, sizeof(f));
3727  memset(&ssn, 0, sizeof(ssn));
3728  FLOW_INITIALIZE(&f);
3729  f.protoctx = (void *)&ssn;
3730  f.proto = IPPROTO_TCP;
3731  f.alproto = ALPROTO_TLS;
3732 
3733  StreamTcpInitConfig(true);
3734 
3735  FLOWLOCK_WRLOCK(&f);
3736  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3737  STREAM_TOSERVER, tlsbuf, tlslen);
3738  FLOWLOCK_UNLOCK(&f);
3739  FAIL_IF(r != 0);
3740 
3741  SSLState *ssl_state = f.alstate;
3742  FAIL_IF_NULL(ssl_state);
3743 
3744  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3745 
3746  FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
3747 
3749  StreamTcpFreeConfig(true);
3750  FLOW_DESTROY(&f);
3751 
3752  PASS;
3753 }
3754 
3755 #if 0
3756 /** \test Test the setting up of no reassembly and no payload inspection flag
3757  * after detection of the SSLv3 handshake completion */
3758 static int SSLParserTest08(void)
3759 {
3760  int result = 1;
3761  Flow f;
3762  uint8_t tlsbuf[] = { 0x16, 0x03, 0x00, 0x00, 0x01 };
3763  uint32_t tlslen = sizeof(tlsbuf);
3764  TcpSession ssn;
3766 
3767  memset(&f, 0, sizeof(f));
3768  memset(&ssn, 0, sizeof(ssn));
3769  FLOW_INITIALIZE(&f);
3770  f.protoctx = (void *)&ssn;
3771  f.proto = IPPROTO_TCP;
3772  f.alproto = ALPROTO_TLS;
3773 
3774  StreamTcpInitConfig(true);
3775 
3776  int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3777  if (r != 0) {
3778  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3779  result = 0;
3780  goto end;
3781  }
3782 
3783  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
3784  if (r != 0) {
3785  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3786  result = 0;
3787  goto end;
3788  }
3789 
3790  tlsbuf[0] = 0x14;
3791 
3792  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3793  if (r != 0) {
3794  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3795  result = 0;
3796  goto end;
3797  }
3798 
3799  tlsbuf[0] = 0x14;
3800 
3801  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen);
3802  if (r != 0) {
3803  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3804  result = 0;
3805  goto end;
3806  }
3807 
3808  tlsbuf[0] = 0x17;
3809 
3810  r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen);
3811  if (r != 0) {
3812  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3813  result = 0;
3814  goto end;
3815  }
3816 
3817  SSLState *ssl_state = f.alstate;
3818  if (ssl_state == NULL) {
3819  printf("no tls state: ");
3820  result = 0;
3821  goto end;
3822  }
3823 
3824  if (ssl_state->client_connp.content_type != 0x17) {
3825  printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
3826  ssl_state->client_connp.content_type);
3827  result = 0;
3828  goto end;
3829  }
3830 
3831  if (ssl_state->client_connp.version != SSL_VERSION_3) {
3832  printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
3833  SSL_VERSION_3, ssl_state->client_connp.version);
3834  result = 0;
3835  goto end;
3836  }
3837 
3838  AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *)
3839  ssn.alparser;
3840  AppLayerParserState *parser_state = &parser_state_store->to_server;
3841 
3842  if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) &&
3845  printf("The flags should be set\n");
3846  result = 0;
3847  goto end;
3848  }
3849 
3850  if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) {
3851  printf("The flags should be set\n");
3852  result = 0;
3853  goto end;
3854  }
3855 
3856 end:
3857  if (alp_tctx != NULL)
3859  StreamTcpFreeConfig(true);
3860  FLOW_DESTROY(&f);
3861  return result;
3862 }
3863 
3864 #endif
3865 
3866 /**
3867  * \test Tests the parser for handling fragmented records.
3868  */
3869 static int SSLParserTest09(void)
3870 {
3871  Flow f;
3872  uint8_t buf1[] = {
3873  0x16,
3874  };
3875  uint32_t buf1_len = sizeof(buf1);
3876 
3877  uint8_t buf2[] = {
3878  0x03, 0x00, 0x00, 0x4c, 0x01,
3879  0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f,
3880  0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb,
3881  0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
3882  0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
3883  0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
3884  0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
3885  0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
3886  0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
3887  0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
3888  0x2e, 0x6e, 0x6f
3889  };
3890  uint32_t buf2_len = sizeof(buf2);
3891  TcpSession ssn;
3893 
3894  memset(&f, 0, sizeof(f));
3895  memset(&ssn, 0, sizeof(ssn));
3896  FLOW_INITIALIZE(&f);
3897  f.protoctx = (void *)&ssn;
3898  f.proto = IPPROTO_TCP;
3899  f.alproto = ALPROTO_TLS;
3900 
3901  StreamTcpInitConfig(true);
3902 
3903  FLOWLOCK_WRLOCK(&f);
3904  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3905  STREAM_TOSERVER, buf1, buf1_len);
3906  FLOWLOCK_UNLOCK(&f);
3907  FAIL_IF(r != 0);
3908 
3909  FLOWLOCK_WRLOCK(&f);
3910  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3911  buf2, buf2_len);
3912  FLOWLOCK_UNLOCK(&f);
3913  FAIL_IF(r != 0);
3914 
3915  SSLState *ssl_state = f.alstate;
3916  FAIL_IF_NULL(ssl_state);
3917 
3918  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3919 
3920  FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
3921 
3923  StreamTcpFreeConfig(true);
3924  FLOW_DESTROY(&f);
3925 
3926  PASS;
3927 }
3928 
3929 /**
3930  * \test Tests the parser for handling fragmented records.
3931  */
3932 static int SSLParserTest10(void)
3933 {
3934  Flow f;
3935  uint8_t buf1[] = {
3936  0x16, 0x03,
3937  };
3938  uint32_t buf1_len = sizeof(buf1);
3939 
3940  uint8_t buf2[] = {
3941  0x00, 0x00, 0x4c, 0x01,
3942  0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f,
3943  0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb,
3944  0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
3945  0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
3946  0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
3947  0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
3948  0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
3949  0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
3950  0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
3951  0x2e, 0x6e, 0x6f
3952  };
3953  uint32_t buf2_len = sizeof(buf2);
3954  TcpSession ssn;
3956 
3957  memset(&f, 0, sizeof(f));
3958  memset(&ssn, 0, sizeof(ssn));
3959  FLOW_INITIALIZE(&f);
3960  f.protoctx = (void *)&ssn;
3961  f.proto = IPPROTO_TCP;
3962  f.alproto = ALPROTO_TLS;
3963 
3964  StreamTcpInitConfig(true);
3965 
3966  FLOWLOCK_WRLOCK(&f);
3967  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
3968  STREAM_TOSERVER, buf1, buf1_len);
3969  FLOWLOCK_UNLOCK(&f);
3970  FAIL_IF(r != 0);
3971 
3972  FLOWLOCK_WRLOCK(&f);
3973  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
3974  buf2, buf2_len);
3975  FLOWLOCK_UNLOCK(&f);
3976  FAIL_IF(r != 0);
3977 
3978  SSLState *ssl_state = f.alstate;
3979  FAIL_IF_NULL(ssl_state);
3980 
3981  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
3982 
3983  FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
3984 
3986  StreamTcpFreeConfig(true);
3987  FLOW_DESTROY(&f);
3988 
3989  PASS;
3990 }
3991 
3992 /**
3993  * \test Tests the parser for handling fragmented records.
3994  */
3995 static int SSLParserTest11(void)
3996 {
3997  Flow f;
3998  uint8_t buf1[] = {
3999  0x16, 0x03, 0x00, 0x00, 0x4c, 0x01,
4000  };
4001  uint32_t buf1_len = sizeof(buf1);
4002 
4003  uint8_t buf2[] = {
4004  0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f,
4005  0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb,
4006  0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
4007  0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
4008  0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
4009  0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
4010  0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
4011  0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
4012  0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
4013  0x2e, 0x6e, 0x6f
4014  };
4015  uint32_t buf2_len = sizeof(buf2);
4016  TcpSession ssn;
4018 
4019  memset(&f, 0, sizeof(f));
4020  memset(&ssn, 0, sizeof(ssn));
4021  FLOW_INITIALIZE(&f);
4022  f.protoctx = (void *)&ssn;
4023  f.proto = IPPROTO_TCP;
4024  f.alproto = ALPROTO_TLS;
4025 
4026  StreamTcpInitConfig(true);
4027 
4028  FLOWLOCK_WRLOCK(&f);
4029  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4030  STREAM_TOSERVER, buf1, buf1_len);
4031  FLOWLOCK_UNLOCK(&f);
4032  FAIL_IF(r != 0);
4033 
4034  FLOWLOCK_WRLOCK(&f);
4035  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4036  buf2, buf2_len);
4037  FLOWLOCK_UNLOCK(&f);
4038  FAIL_IF(r != 0);
4039 
4040  SSLState *ssl_state = f.alstate;
4041  FAIL_IF_NULL(ssl_state);
4042 
4043  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
4044 
4045  FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
4046 
4048  StreamTcpFreeConfig(true);
4049  FLOW_DESTROY(&f);
4050 
4051  PASS;
4052 }
4053 
4054 /**
4055  * \test Tests the parser for handling fragmented records.
4056  */
4057 static int SSLParserTest12(void)
4058 {
4059  Flow f;
4060  uint8_t buf1[] = {
4061  0x16, 0x03, 0x00, 0x00, 0x4c, 0x01,
4062  };
4063  uint32_t buf1_len = sizeof(buf1);
4064 
4065  uint8_t buf2[] = {
4066  0x00, 0x00, 0x48,
4067  };
4068  uint32_t buf2_len = sizeof(buf2);
4069 
4070  uint8_t buf3[] = {
4071  0x03, 0x00, 0x57, 0x04, 0x9f,
4072  0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb,
4073  0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
4074  0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
4075  0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
4076  0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
4077  0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
4078  0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
4079  0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
4080  0x2e, 0x6e, 0x6f
4081  };
4082  uint32_t buf3_len = sizeof(buf2);
4083  TcpSession ssn;
4085 
4086  memset(&f, 0, sizeof(f));
4087  memset(&ssn, 0, sizeof(ssn));
4088  FLOW_INITIALIZE(&f);
4089  f.protoctx = (void *)&ssn;
4090  f.proto = IPPROTO_TCP;
4091  f.alproto = ALPROTO_TLS;
4092 
4093  StreamTcpInitConfig(true);
4094 
4095  FLOWLOCK_WRLOCK(&f);
4096  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4097  STREAM_TOSERVER, buf1, buf1_len);
4098  FLOWLOCK_UNLOCK(&f);
4099  FAIL_IF(r != 0);
4100 
4101  FLOWLOCK_WRLOCK(&f);
4102  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4103  buf2, buf2_len);
4104  FLOWLOCK_UNLOCK(&f);
4105  FAIL_IF(r != 0);
4106 
4107  FLOWLOCK_WRLOCK(&f);
4108  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4109  buf3, buf3_len);
4110  FLOWLOCK_UNLOCK(&f);
4111  FAIL_IF(r != 0);
4112 
4113  SSLState *ssl_state = f.alstate;
4114  FAIL_IF_NULL(ssl_state);
4115 
4116  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
4117 
4118  FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
4119 
4121  StreamTcpFreeConfig(true);
4122  FLOW_DESTROY(&f);
4123 
4124  PASS;
4125 }
4126 
4127 /**
4128  * \test Tests the parser for handling fragmented records.
4129  */
4130 static int SSLParserTest13(void)
4131 {
4132  Flow f;
4133  uint8_t buf1[] = {
4134  0x16, 0x03, 0x00, 0x00, 0x4c, 0x01,
4135  };
4136  uint32_t buf1_len = sizeof(buf1);
4137 
4138  uint8_t buf2[] = {
4139  0x00, 0x00, 0x48,
4140  };
4141  uint32_t buf2_len = sizeof(buf2);
4142 
4143  uint8_t buf3[] = {
4144  0x03, 0x00, 0x57, 0x04, 0x9f,
4145  0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f,
4146  };
4147  uint32_t buf3_len = sizeof(buf3);
4148 
4149  uint8_t buf4[] = {
4150  0xbf, 0xbb,
4151  0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
4152  0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
4153  0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
4154  0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
4155  0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
4156  0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
4157  0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
4158  0x2e, 0x6e, 0x6f
4159  };
4160  uint32_t buf4_len = sizeof(buf4);
4161  TcpSession ssn;
4163 
4164  memset(&f, 0, sizeof(f));
4165  memset(&ssn, 0, sizeof(ssn));
4166  FLOW_INITIALIZE(&f);
4167  f.protoctx = (void *)&ssn;
4168  f.proto = IPPROTO_TCP;
4169  f.alproto = ALPROTO_TLS;
4170 
4171  StreamTcpInitConfig(true);
4172 
4173  FLOWLOCK_WRLOCK(&f);
4174  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4175  STREAM_TOSERVER, buf1, buf1_len);
4176  FLOWLOCK_UNLOCK(&f);
4177  FAIL_IF(r != 0);
4178 
4179  FLOWLOCK_WRLOCK(&f);
4180  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4181  buf2, buf2_len);
4182  FLOWLOCK_UNLOCK(&f);
4183  FAIL_IF(r != 0);
4184 
4185  FLOWLOCK_WRLOCK(&f);
4186  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4187  buf3, buf3_len);
4188  FLOWLOCK_UNLOCK(&f);
4189  FAIL_IF(r != 0);
4190 
4191  FLOWLOCK_WRLOCK(&f);
4192  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4193  buf4, buf4_len);
4194  FLOWLOCK_UNLOCK(&f);
4195  FAIL_IF(r != 0);
4196 
4197  SSLState *ssl_state = f.alstate;
4198  FAIL_IF_NULL(ssl_state);
4199 
4200  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
4201 
4202  FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
4203 
4205  StreamTcpFreeConfig(true);
4206  FLOW_DESTROY(&f);
4207 
4208  PASS;
4209 }
4210 
4211 /**
4212  * \test Tests the parser for handling fragmented records.
4213  */
4214 static int SSLParserTest14(void)
4215 {
4216  Flow f;
4217 
4218  uint8_t buf1[] = {
4219  0x16, 0x03, 0x00, 0x00, 0x00,
4220  };
4221  uint32_t buf1_len = sizeof(buf1);
4222 
4223  uint8_t buf2[] = {
4224  0x16, 0x03, 0x00, 0x00, 0x00,
4225  };
4226  uint32_t buf2_len = sizeof(buf2);
4227 
4228  TcpSession ssn;
4230 
4231  memset(&f, 0, sizeof(f));
4232  memset(&ssn, 0, sizeof(ssn));
4233  FLOW_INITIALIZE(&f);
4234  f.protoctx = (void *)&ssn;
4235  f.proto = IPPROTO_TCP;
4236  f.alproto = ALPROTO_TLS;
4237 
4238  StreamTcpInitConfig(true);
4239 
4240  FLOWLOCK_WRLOCK(&f);
4241  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4242  STREAM_TOSERVER, buf1, buf1_len);
4243  FLOWLOCK_UNLOCK(&f);
4244  FAIL_IF(r != 0);
4245 
4246  FLOWLOCK_WRLOCK(&f);
4247  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4248  buf2, buf2_len);
4249  FLOWLOCK_UNLOCK(&f);
4250  FAIL_IF(r != 0);
4251 
4252  SSLState *ssl_state = f.alstate;
4253  FAIL_IF_NULL(ssl_state);
4254 
4256  StreamTcpFreeConfig(true);
4257  FLOW_DESTROY(&f);
4258 
4259  PASS;
4260 }
4261 
4262 /**
4263  * \test Tests the parser for handling fragmented records.
4264  */
4265 static int SSLParserTest15(void)
4266 {
4267  Flow f;
4268 
4269  uint8_t buf1[] = {
4270  0x16, 0x03, 0x00, 0x00, 0x01, 0x01,
4271  };
4272  uint32_t buf1_len = sizeof(buf1);
4273 
4274  TcpSession ssn;
4276 
4277  memset(&f, 0, sizeof(f));
4278  memset(&ssn, 0, sizeof(ssn));
4279  FLOW_INITIALIZE(&f);
4280  f.protoctx = (void *)&ssn;
4281  f.proto = IPPROTO_TCP;
4282  f.alproto = ALPROTO_TLS;
4283 
4284  StreamTcpInitConfig(true);
4285 
4286  FLOWLOCK_WRLOCK(&f);
4287  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4288  STREAM_TOSERVER, buf1, buf1_len);
4289  FLOWLOCK_UNLOCK(&f);
4290  FAIL_IF(r == 0);
4291 
4293  StreamTcpFreeConfig(true);
4294  FLOW_DESTROY(&f);
4295 
4296  PASS;
4297 }
4298 
4299 /**
4300  * \test Tests the parser for handling fragmented records.
4301  */
4302 static int SSLParserTest16(void)
4303 {
4304  Flow f;
4305 
4306  uint8_t buf1[] = {
4307  0x16, 0x03, 0x00, 0x00, 0x02, 0x01, 0x00
4308  };
4309  uint32_t buf1_len = sizeof(buf1);
4310 
4311  TcpSession ssn;
4313 
4314  memset(&f, 0, sizeof(f));
4315  memset(&ssn, 0, sizeof(ssn));
4316  FLOW_INITIALIZE(&f);
4317  f.protoctx = (void *)&ssn;
4318  f.proto = IPPROTO_TCP;
4319  f.alproto = ALPROTO_TLS;
4320 
4321  StreamTcpInitConfig(true);
4322 
4323  FLOWLOCK_WRLOCK(&f);
4324  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4325  STREAM_TOSERVER, buf1, buf1_len);
4326  FLOWLOCK_UNLOCK(&f);
4327  FAIL_IF(r == 0);
4328 
4330  StreamTcpFreeConfig(true);
4331  FLOW_DESTROY(&f);
4332 
4333  PASS;
4334 }
4335 
4336 /**
4337  * \test Tests the parser for handling fragmented records.
4338  */
4339 static int SSLParserTest17(void)
4340 {
4341  Flow f;
4342 
4343  uint8_t buf1[] = {
4344  0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00
4345  };
4346  uint32_t buf1_len = sizeof(buf1);
4347 
4348  TcpSession ssn;
4350 
4351  memset(&f, 0, sizeof(f));
4352  memset(&ssn, 0, sizeof(ssn));
4353  FLOW_INITIALIZE(&f);
4354  f.protoctx = (void *)&ssn;
4355  f.proto = IPPROTO_TCP;
4356  f.alproto = ALPROTO_TLS;
4357 
4358  StreamTcpInitConfig(true);
4359 
4360  FLOWLOCK_WRLOCK(&f);
4361  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4362  STREAM_TOSERVER, buf1, buf1_len);
4363  FLOWLOCK_UNLOCK(&f);
4364  FAIL_IF(r == 0);
4365 
4367  StreamTcpFreeConfig(true);
4368  FLOW_DESTROY(&f);
4369 
4370  PASS;
4371 }
4372 
4373 /**
4374  * \test Tests the parser for handling fragmented records.
4375  */
4376 static int SSLParserTest18(void)
4377 {
4378  Flow f;
4379 
4380  uint8_t buf1[] = {
4381  0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00,
4382  0x6b,
4383  };
4384  uint32_t buf1_len = sizeof(buf1);
4385 
4386  uint8_t buf2[] = {
4387  0x16, 0x03, 0x00, 0x00, 0x00,
4388  };
4389  uint32_t buf2_len = sizeof(buf2);
4390 
4391  TcpSession ssn;
4393 
4394  memset(&f, 0, sizeof(f));
4395  memset(&ssn, 0, sizeof(ssn));
4396  FLOW_INITIALIZE(&f);
4397  f.protoctx = (void *)&ssn;
4398  f.proto = IPPROTO_TCP;
4399  f.alproto = ALPROTO_TLS;
4400 
4401  StreamTcpInitConfig(true);
4402 
4403  FLOWLOCK_WRLOCK(&f);
4404  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4405  STREAM_TOSERVER, buf1, buf1_len);
4406  FLOWLOCK_UNLOCK(&f);
4407  FAIL_IF(r != 0);
4408 
4409  FLOWLOCK_WRLOCK(&f);
4410  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4411  buf2, buf2_len);
4412  FLOWLOCK_UNLOCK(&f);
4413  FAIL_IF(r != 0);
4414 
4415  SSLState *ssl_state = f.alstate;
4416  FAIL_IF_NULL(ssl_state);
4417 
4419  StreamTcpFreeConfig(true);
4420  FLOW_DESTROY(&f);
4421 
4422  PASS;
4423 }
4424 
4425 /**
4426  * \test Tests the parser for handling fragmented records.
4427  */
4428 static int SSLParserTest19(void)
4429 {
4430  Flow f;
4431 
4432  uint8_t buf1[] = {
4433  0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00,
4434  0x6b, 0x16, 0x03, 0x00, 0x00, 0x00,
4435  };
4436  uint32_t buf1_len = sizeof(buf1);
4437 
4438  TcpSession ssn;
4440 
4441  memset(&f, 0, sizeof(f));
4442  memset(&ssn, 0, sizeof(ssn));
4443  FLOW_INITIALIZE(&f);
4444  f.protoctx = (void *)&ssn;
4445  f.proto = IPPROTO_TCP;
4446  f.alproto = ALPROTO_TLS;
4447 
4448  StreamTcpInitConfig(true);
4449 
4450  FLOWLOCK_WRLOCK(&f);
4451  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4452  STREAM_TOSERVER, buf1, buf1_len);
4453  FLOWLOCK_UNLOCK(&f);
4454  FAIL_IF(r != 0);
4455 
4456  SSLState *ssl_state = f.alstate;
4457  FAIL_IF_NULL(ssl_state);
4458 
4460  StreamTcpFreeConfig(true);
4461  FLOW_DESTROY(&f);
4462 
4463  PASS;
4464 }
4465 
4466 /**
4467  * \test Tests the parser for handling fragmented records.
4468  */
4469 static int SSLParserTest20(void)
4470 {
4471  Flow f;
4472 
4473  uint8_t buf1[] = {
4474  0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00,
4475  0x16, 0x03, 0x00, 0x00, 0x00,
4476  };
4477  uint32_t buf1_len = sizeof(buf1);
4478 
4479  TcpSession ssn;
4481 
4482  memset(&f, 0, sizeof(f));
4483  memset(&ssn, 0, sizeof(ssn));
4484  FLOW_INITIALIZE(&f);
4485  f.protoctx = (void *)&ssn;
4486  f.proto = IPPROTO_TCP;
4487  f.alproto = ALPROTO_TLS;
4488 
4489  StreamTcpInitConfig(true);
4490 
4491  FLOWLOCK_WRLOCK(&f);
4492  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4493  STREAM_TOSERVER, buf1, buf1_len);
4494  FLOWLOCK_UNLOCK(&f);
4495  FAIL_IF(r == 0);
4496 
4498  StreamTcpFreeConfig(true);
4499  FLOW_DESTROY(&f);
4500 
4501  PASS;
4502 }
4503 
4504 /**
4505  * \test SSLv2 Record parsing.
4506  */
4507 static int SSLParserTest21(void)
4508 {
4509  Flow f;
4510  uint8_t buf[] = {
4511  0x80, 0x31, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00,
4512  0x01,
4513  };
4514  uint32_t buf_len = sizeof(buf);
4515 
4516  TcpSession ssn;
4518 
4519  memset(&f, 0, sizeof(f));
4520  memset(&ssn, 0, sizeof(ssn));
4521 
4522  FLOW_INITIALIZE(&f);
4523  f.protoctx = (void *)&ssn;
4524  f.proto = IPPROTO_TCP;
4525  f.alproto = ALPROTO_TLS;
4526 
4527  StreamTcpInitConfig(true);
4528 
4529  FLOWLOCK_WRLOCK(&f);
4530  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4531  STREAM_TOSERVER | STREAM_EOF, buf, buf_len);
4532  FLOWLOCK_UNLOCK(&f);
4533  FAIL_IF(r != 0);
4534 
4535  SSLState *app_state = f.alstate;
4536  FAIL_IF_NULL(app_state);
4537 
4539 
4540  FAIL_IF(app_state->client_connp.version != SSL_VERSION_2);
4541 
4543  StreamTcpFreeConfig(true);
4544  FLOW_DESTROY(&f);
4545 
4546  PASS;
4547 }
4548 
4549 /**
4550  * \test SSLv2 Record parsing.
4551  */
4552 static int SSLParserTest22(void)
4553 {
4554  Flow f;
4555  uint8_t buf[] = {
4556  0x80, 0x31, 0x04, 0x00, 0x01, 0x00,
4557  0x02, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0,
4558  0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00,
4559  0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04,
4560  0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75,
4561  0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1,
4562  0x2f, 0x34, 0x84, 0x20, 0xc5};
4563  uint32_t buf_len = sizeof(buf);
4564  TcpSession ssn;
4566 
4567  //AppLayerDetectProtoThreadInit();
4568 
4569  memset(&f, 0, sizeof(f));
4570  memset(&ssn, 0, sizeof(ssn));
4571 
4572  FLOW_INITIALIZE(&f);
4573  f.protoctx = (void *)&ssn;
4574  f.proto = IPPROTO_TCP;
4575  f.alproto = ALPROTO_TLS;
4576 
4577  StreamTcpInitConfig(true);
4578 
4579  FLOWLOCK_WRLOCK(&f);
4580  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4581  STREAM_TOCLIENT | STREAM_EOF, buf, buf_len);
4582  FLOWLOCK_UNLOCK(&f);
4583  FAIL_IF(r != 0);
4584 
4585  SSLState *app_state = f.alstate;
4586  FAIL_IF_NULL(app_state);
4587 
4589 
4590  FAIL_IF(app_state->server_connp.version != SSL_VERSION_2);
4591 
4593  StreamTcpFreeConfig(true);
4594  FLOW_DESTROY(&f);
4595 
4596  PASS;
4597 }
4598 
4599 /**
4600  * \test SSLv2 Record parsing.
4601  */
4602 static int SSLParserTest23(void)
4603 {
4604  Flow f;
4605  uint8_t chello_buf[] = {
4606  0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00,
4607  0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00,
4608  0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02,
4609  0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39,
4610  0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00,
4611  0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00,
4612  0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16,
4613  0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00,
4614  0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00,
4615  0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64,
4616  0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00,
4617  0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a,
4618  0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80,
4619  0x21
4620  };
4621  uint32_t chello_buf_len = sizeof(chello_buf);
4622 
4623  uint8_t shello_buf[] = {
4624  0x16, 0x03, 0x00, 0x00, 0x4a, 0x02,
4625  0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94,
4626  0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88,
4627  0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6,
4628  0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd,
4629  0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb,
4630  0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe,
4631  0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6,
4632  0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e,
4633  0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35,
4634  0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00,
4635  0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a,
4636  0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f,
4637  0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
4638  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
4639  0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30,
4640  0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
4641  0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31,
4642  0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08,
4643  0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
4644  0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13,
4645  0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13,
4646  0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54,
4647  0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06,
4648  0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e,
4649  0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c,
4650  0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c,
4651  0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43,
4652  0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
4653  0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
4654  0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13,
4655  0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53,
4656  0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c,
4657  0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06,
4658  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
4659  0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73,
4660  0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e,
4661  0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30,
4662  0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34,
4663  0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38,
4664  0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37,
4665  0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b,
4666  0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
4667  0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06,
4668  0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e,
4669  0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65,
4670  0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
4671  0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61,
4672  0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31,
4673  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a,
4674  0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20,
4675  0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64,
4676  0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
4677  0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65,
4678  0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61,
4679  0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,
4680  0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e,
4681  0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c,
4682  0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d,
4683  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
4684  0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77,
4685  0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69,
4686  0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f,
4687  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
4688  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03,
4689  0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
4690  0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde,
4691  0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6,
4692  0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba,
4693  0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73,
4694  0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4,
4695  0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f,
4696  0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45,
4697  0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12,
4698  0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c,
4699  0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b,
4700  0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7,
4701  0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd,
4702  0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e,
4703  0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53,
4704  0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90,
4705  0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89,
4706  0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
4707  0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55,
4708  0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10,
4709  0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b,
4710  0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d,
4711  0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
4712  0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16,
4713  0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c,
4714  0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
4715  0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f,
4716  0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
4717  0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
4718  0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09,
4719  0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01,
4720  0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30,
4721  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
4722  0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81,
4723  0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75,
4724  0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e,
4725  0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d,
4726  0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23,
4727  0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9,
4728  0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5,
4729  0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b,
4730  0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f,
4731  0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14,
4732  0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23,
4733  0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2,
4734  0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34,
4735  0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53,
4736  0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad,
4737  0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2,
4738  0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e,
4739  0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e,
4740  0x00, 0x00, 0x00
4741  };
4742  uint32_t shello_buf_len = sizeof(shello_buf);
4743 
4744  uint8_t client_change_cipher_spec_buf[] = {
4745  0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00,
4746  0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38,
4747  0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61,
4748  0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a,
4749  0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e,
4750  0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f,
4751  0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80,
4752  0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a,
4753  0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80,
4754  0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59,
4755  0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76,
4756  0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84,
4757  0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7,
4758  0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7,
4759  0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2,
4760  0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7,
4761  0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb,
4762  0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16,
4763  0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35,
4764  0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a,
4765  0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81,
4766  0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90,
4767  0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1,
4768  0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76,
4769  0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79,
4770  0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18,
4771  0x4c, 0xfc, 0x75, 0x56
4772  };
4773  uint32_t client_change_cipher_spec_buf_len =
4774  sizeof(client_change_cipher_spec_buf);
4775 
4776  uint8_t server_change_cipher_spec_buf[] = {
4777  0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03,
4778  0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59,
4779  0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a,
4780  0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86,
4781  0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7,
4782  0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3,
4783  0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89,
4784  0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27,
4785  0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2,
4786  0x4d, 0x9f, 0x6b
4787  };
4788  uint32_t server_change_cipher_spec_buf_len =
4789  sizeof(server_change_cipher_spec_buf);
4790 
4791  uint8_t toserver_app_data_buf[] = {
4792  0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e,
4793  0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c,
4794  0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10,
4795  0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb,
4796  0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa,
4797  0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5,
4798  0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e,
4799  0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20,
4800  0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7,
4801  0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f,
4802  0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78,
4803  0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c,
4804  0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f,
4805  0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0,
4806  0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0,
4807  0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0,
4808  0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc,
4809  0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1,
4810  0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67,
4811  0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f,
4812  0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10,
4813  0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4,
4814  0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0,
4815  0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68,
4816  0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f,
4817  0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4,
4818  0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10,
4819  0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f,
4820  0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60,
4821  0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8,
4822  0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8,
4823  0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09,
4824  0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a,
4825  0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd,
4826  0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7,
4827  0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a,
4828  0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63,
4829  0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b,
4830  0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1,
4831  0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60,
4832  0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87,
4833  0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7,
4834  0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed,
4835  0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc,
4836  0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43,
4837  0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58,
4838  0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d,
4839  0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39,
4840  0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99,
4841  0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92,
4842  0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40,
4843  0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef,
4844  0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2,
4845  0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6,
4846  0x8a, 0xa2, 0x9e, 0xcd, 0xfa
4847  };
4848  uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf);
4849 
4850  TcpSession ssn;
4852 
4853  //AppLayerDetectProtoThreadInit();
4854 
4855  memset(&f, 0, sizeof(f));
4856  memset(&ssn, 0, sizeof(ssn));
4857 
4858  FLOW_INITIALIZE(&f);
4859  f.protoctx = (void *)&ssn;
4860  f.proto = IPPROTO_TCP;
4861  f.alproto = ALPROTO_TLS;
4862 
4863  StreamTcpInitConfig(true);
4864 
4865  FLOWLOCK_WRLOCK(&f);
4866  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
4867  STREAM_TOSERVER | STREAM_START, chello_buf,
4868  chello_buf_len);
4869  FLOWLOCK_UNLOCK(&f);
4870  FAIL_IF(r != 0);
4871 
4872  SSLState *app_state = f.alstate;
4873  FAIL_IF_NULL(app_state);
4874 
4876 
4877  FAIL_IF(app_state->client_connp.version != SSL_VERSION_2);
4878 
4879  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0);
4880  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0);
4881  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0);
4882 
4883  FLOWLOCK_WRLOCK(&f);
4884  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
4885  shello_buf, shello_buf_len);
4886  FLOWLOCK_UNLOCK(&f);
4887  FAIL_IF(r != 0);
4888 
4890 
4891  FAIL_IF(app_state->server_connp.version != SSL_VERSION_3);
4892 
4893  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0);
4894  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0);
4895  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0);
4896  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0);
4897 
4898  FLOWLOCK_WRLOCK(&f);
4899  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4900  client_change_cipher_spec_buf,
4901  client_change_cipher_spec_buf_len);
4902  FLOWLOCK_UNLOCK(&f);
4903  FAIL_IF(r != 0);
4904 
4905  /* with multiple records the client content type hold the type from the last
4906  * record */
4908 
4909  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0);
4910  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0);
4911  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0);
4912  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0);
4913  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_KEYX) == 0);
4915  FAIL_IF((app_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) == 0);
4916 
4917  FLOWLOCK_WRLOCK(&f);
4918  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
4919  server_change_cipher_spec_buf,
4920  server_change_cipher_spec_buf_len);
4921  FLOWLOCK_UNLOCK(&f);
4922  FAIL_IF(r != 0);
4923 
4924  /* with multiple records the serve content type hold the type from the last
4925  * record */
4927 
4928  FAIL_IF(app_state->server_connp.version != SSL_VERSION_3);
4929 
4930  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0);
4931  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0);
4932  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0);
4933  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0);
4934  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_KEYX) == 0);
4937  FAIL_IF((app_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) == 0);
4938 
4939  FLOWLOCK_WRLOCK(&f);
4940  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
4941  toserver_app_data_buf, toserver_app_data_buf_len);
4942  FLOWLOCK_UNLOCK(&f);
4943  FAIL_IF(r != 0);
4944 
4946 
4947  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0);
4948  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0);
4949  FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0);
4950  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0);
4951  FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_KEYX) == 0);
4954  FAIL_IF((app_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) == 0);
4955 
4957 
4958  if (alp_tctx != NULL)
4960  StreamTcpFreeConfig(true);
4961  FLOW_DESTROY(&f);
4962 
4963  PASS;
4964 }
4965 
4966 /**
4967  * \test Tests the parser for handling fragmented records.
4968  */
4969 static int SSLParserTest24(void)
4970 {
4971  Flow f;
4972  uint8_t buf1[] = {
4973  0x16, 0x03, 0x00, 0x00, 0x6f, 0x01, 0x00, 0x00,
4974  0x6b, 0x03,
4975  };
4976  uint32_t buf1_len = sizeof(buf1);
4977 
4978  uint8_t buf2[] = {
4979  0x00, 0x4b, 0x2f, 0xdc,
4980  0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e,
4981  0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb,
4982  0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97,
4983  0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d,
4984  0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff,
4985  0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35,
4986  0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52,
4987  0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24,
4988  0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38,
4989  0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44,
4990  0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41,
4991  0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff,
4992  0x00, 0x0a, 0x00, 0x02, 0x01, 0x00
4993  };
4994  uint32_t buf2_len = sizeof(buf2);
4995  TcpSession ssn;
4997 
4998  memset(&f, 0, sizeof(f));
4999  memset(&ssn, 0, sizeof(ssn));
5000  FLOW_INITIALIZE(&f);
5001  f.protoctx = (void *)&ssn;
5002  f.proto = IPPROTO_TCP;
5003  f.alproto = ALPROTO_TLS;
5004 
5005  StreamTcpInitConfig(true);
5006 
5007  FLOWLOCK_WRLOCK(&f);
5008  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
5009  STREAM_TOSERVER, buf1, buf1_len);
5010  FLOWLOCK_UNLOCK(&f);
5011  FAIL_IF(r != 0);
5012 
5013  FLOWLOCK_WRLOCK(&f);
5014  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
5015  buf2, buf2_len);
5016  FLOWLOCK_UNLOCK(&f);
5017  FAIL_IF(r != 0);
5018 
5019  SSLState *ssl_state = f.alstate;
5020  FAIL_IF_NULL(ssl_state);
5021 
5022  FAIL_IF(ssl_state->client_connp.content_type != 0x16);
5023 
5024  FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
5025 
5027  StreamTcpFreeConfig(true);
5028  FLOW_DESTROY(&f);
5029 
5030  PASS;
5031 }
5032 
5033 /**
5034  * \test Test for bug #955 and CVE-2013-5919. The data is from the
5035  * pcap that was used to report this issue.
5036  */
5037 static int SSLParserTest25(void)
5038 {
5039  Flow f;
5040  uint8_t client_hello[] = {
5041  0x16, 0x03, 0x01, 0x00, 0xd3, 0x01, 0x00, 0x00,
5042  0xcf, 0x03, 0x01, 0x51, 0x60, 0xc2, 0x15, 0x36,
5043  0x73, 0xf5, 0xb8, 0x58, 0x55, 0x3b, 0x68, 0x12,
5044  0x7d, 0xe3, 0x28, 0xa3, 0xe1, 0x02, 0x79, 0x2d,
5045  0x12, 0xe1, 0xf4, 0x24, 0x12, 0xa2, 0x9e, 0xf1,
5046  0x08, 0x49, 0x68, 0x20, 0x0e, 0x96, 0x46, 0x3d,
5047  0x84, 0x5a, 0xc6, 0x55, 0xeb, 0x3b, 0x53, 0x77,
5048  0xf4, 0x8e, 0xf4, 0xd2, 0x8b, 0xec, 0xd6, 0x99,
5049  0x63, 0x64, 0x62, 0xf8, 0x3f, 0x3b, 0xd5, 0x35,
5050  0x45, 0x1b, 0x16, 0xac, 0x00, 0x46, 0x00, 0x04,
5051  0x00, 0x05, 0x00, 0x2f, 0x00, 0x35, 0xc0, 0x02,
5052  0xc0, 0x04, 0xc0, 0x05, 0xc0, 0x0c, 0xc0, 0x0e,
5053  0xc0, 0x0f, 0xc0, 0x07, 0xc0, 0x09, 0xc0, 0x0a,
5054  0xc0, 0x11, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x33,
5055  0x00, 0x39, 0x00, 0x32, 0x00, 0x38, 0x00, 0x0a,
5056  0xc0, 0x03, 0xc0, 0x0d, 0xc0, 0x08, 0xc0, 0x12,
5057  0x00, 0x16, 0x00, 0x13, 0x00, 0x09, 0x00, 0x15,
5058  0x00, 0x12, 0x00, 0x03, 0x00, 0x08, 0x00, 0x14,
5059  0x00, 0x11, 0x00, 0xff, 0x01, 0x00, 0x00, 0x40,
5060  0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02,
5061  0x00, 0x0a, 0x00, 0x34, 0x00, 0x32, 0x00, 0x0e,
5062  0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x0c,
5063  0x00, 0x18, 0x00, 0x09, 0x00, 0x0a, 0x00, 0x16,
5064  0x00, 0x17, 0x00, 0x08, 0x00, 0x06, 0x00, 0x07,
5065  0x00, 0x14, 0x00, 0x15, 0x00, 0x04, 0x00, 0x05,
5066  0x00, 0x12, 0x00, 0x13, 0x00, 0x01, 0x00, 0x02,
5067  0x00, 0x03, 0x00, 0x0f, 0x00, 0x10, 0x00, 0x11
5068  };
5069  uint32_t client_hello_len = sizeof(client_hello);
5070 
5071  uint8_t server_hello_certificate_done[] = {
5072  0x16, 0x03, 0x01, 0x00, 0x51, 0x02, 0x00, 0x00,
5073  0x4d, 0x03, 0x01, 0x51, 0x60, 0xc2, 0x17, 0xb7,
5074  0x81, 0xaa, 0x27, 0xa1, 0xd5, 0xfa, 0x14, 0xc1,
5075  0xe0, 0x05, 0xab, 0x75, 0xf2, 0x51, 0xe7, 0x6e,
5076  0xe6, 0xf9, 0xc4, 0x8f, 0x16, 0x08, 0x26, 0x6c,
5077  0x1b, 0x86, 0x90, 0x20, 0x0a, 0x38, 0x90, 0x2d,
5078  0x17, 0x7d, 0xb7, 0x6b, 0x6b, 0xe5, 0xeb, 0x61,
5079  0x90, 0x35, 0xf8, 0xcd, 0xb1, 0x2a, 0x69, 0x6e,
5080  0x0e, 0x3e, 0x5f, 0x90, 0xdc, 0x2f, 0x51, 0x45,
5081  0x68, 0x63, 0xe3, 0xb3, 0x00, 0x05, 0x00, 0x00,
5082  0x05, 0xff, 0x01, 0x00, 0x01, 0x00, 0x16, 0x03,
5083  0x01, 0x07, 0x60, 0x0b, 0x00, 0x07, 0x5c, 0x00,
5084  0x07, 0x59, 0x00, 0x03, 0xcc, 0x30, 0x82, 0x03,
5085  0xc8, 0x30, 0x82, 0x03, 0x31, 0xa0, 0x03, 0x02,
5086  0x01, 0x02, 0x02, 0x10, 0x01, 0x7f, 0x77, 0xde,
5087  0xb3, 0xbc, 0xbb, 0x23, 0x5d, 0x44, 0xcc, 0xc7,
5088  0xdb, 0xa6, 0x2e, 0x72, 0x30, 0x0d, 0x06, 0x09,
5089  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
5090  0x05, 0x05, 0x00, 0x30, 0x81, 0xba, 0x31, 0x1f,
5091  0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
5092  0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
5093  0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20,
5094  0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31,
5095  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0b,
5096  0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69,
5097  0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
5098  0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04,
5099  0x0b, 0x13, 0x2a, 0x56, 0x65, 0x72, 0x69, 0x53,
5100  0x69, 0x67, 0x6e, 0x20, 0x49, 0x6e, 0x74, 0x65,
5101  0x72, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61,
5102  0x6c, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
5103  0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c,
5104  0x61, 0x73, 0x73, 0x20, 0x33, 0x31, 0x49, 0x30,
5105  0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40,
5106  0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69,
5107  0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d,
5108  0x2f, 0x43, 0x50, 0x53, 0x20, 0x49, 0x6e, 0x63,
5109  0x6f, 0x72, 0x70, 0x2e, 0x62, 0x79, 0x20, 0x52,
5110  0x65, 0x66, 0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42,
5111  0x49, 0x4c, 0x49, 0x54, 0x59, 0x20, 0x4c, 0x54,
5112  0x44, 0x2e, 0x28, 0x63, 0x29, 0x39, 0x37, 0x20,
5113  0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e,
5114  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x32, 0x30, 0x36,
5115  0x32, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
5116  0x5a, 0x17, 0x0d, 0x31, 0x33, 0x31, 0x32, 0x33,
5117  0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a,
5118  0x30, 0x68, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
5119  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
5120  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
5121  0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
5122  0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10,
5123  0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x50,
5124  0x61, 0x6c, 0x6f, 0x20, 0x41, 0x6c, 0x74, 0x6f,
5125  0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04,
5126  0x0a, 0x13, 0x0e, 0x46, 0x61, 0x63, 0x65, 0x62,
5127  0x6f, 0x6f, 0x6b, 0x2c, 0x20, 0x49, 0x6e, 0x63,
5128  0x2e, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55,
5129  0x04, 0x02, 0x14, 0x0e, 0x2a, 0x2e, 0x66, 0x61,
5130  0x63, 0x65, 0x62, 0x6f, 0x6f, 0x6b, 0x2e, 0x63,
5131  0x6f, 0x6d, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06,
5132  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
5133  0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00,
5134  0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xae,
5135  0x94, 0xb1, 0x71, 0xe2, 0xde, 0xcc, 0xc1, 0x69,
5136  0x3e, 0x05, 0x10, 0x63, 0x24, 0x01, 0x02, 0xe0,
5137  0x68, 0x9a, 0xe8, 0x3c, 0x39, 0xb6, 0xb3, 0xe7,
5138  0x4b, 0x97, 0xd4, 0x8d, 0x7b, 0x23, 0x68, 0x91,
5139  0x00, 0xb0, 0xb4, 0x96, 0xee, 0x62, 0xf0, 0xe6,
5140  0xd3, 0x56, 0xbc, 0xf4, 0xaa, 0x0f, 0x50, 0x64,
5141  0x34, 0x02, 0xf5, 0xd1, 0x76, 0x6a, 0xa9, 0x72,
5142  0x83, 0x5a, 0x75, 0x64, 0x72, 0x3f, 0x39, 0xbb,
5143  0xef, 0x52, 0x90, 0xde, 0xd9, 0xbc, 0xdb, 0xf9,
5144  0xd3, 0xd5, 0x5d, 0xfa, 0xd2, 0x3a, 0xa0, 0x3d,
5145  0xc6, 0x04, 0xc5, 0x4d, 0x29, 0xcf, 0x1d, 0x4b,
5146  0x3b, 0xdb, 0xd1, 0xa8, 0x09, 0xcf, 0xae, 0x47,
5147  0xb4, 0x4c, 0x7e, 0xae, 0x17, 0xc5, 0x10, 0x9b,
5148  0xee, 0x24, 0xa9, 0xcf, 0x4a, 0x8d, 0x91, 0x1b,
5149  0xb0, 0xfd, 0x04, 0x15, 0xae, 0x4c, 0x3f, 0x43,
5150  0x0a, 0xa1, 0x2a, 0x55, 0x7e, 0x2a, 0xe1, 0x02,
5151  0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x1e,
5152  0x30, 0x82, 0x01, 0x1a, 0x30, 0x09, 0x06, 0x03,
5153  0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30,
5154  0x44, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x3d,
5155  0x30, 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86,
5156  0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x17,
5157  0x03, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b,
5158  0x06, 0x01, 0x05, 0x05, 0x07, 0x00, 0x01, 0x16,
5159  0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f,
5160  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72,
5161  0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f,
5162  0x6d, 0x2f, 0x72, 0x70, 0x61, 0x30, 0x3c, 0x06,
5163  0x03, 0x55, 0x1d, 0x1f, 0x04, 0x35, 0x30, 0x33,
5164  0x30, 0x31, 0xa0, 0x2f, 0xa0, 0x2d, 0x86, 0x2b,
5165  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x53,
5166  0x56, 0x52, 0x49, 0x6e, 0x74, 0x6c, 0x2d, 0x63,
5167  0x72, 0x6c, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73,
5168  0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
5169  0x53, 0x56, 0x52, 0x49, 0x6e, 0x74, 0x6c, 0x2e,
5170  0x63, 0x72, 0x6c, 0x30, 0x1d, 0x06, 0x03, 0x55,
5171  0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08,
5172  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
5173  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
5174  0x03, 0x02, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d,
5175  0x0f, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30,
5176  0x34, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
5177  0x07, 0x01, 0x01, 0x04, 0x28, 0x30, 0x26, 0x30,
5178  0x24, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
5179  0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74,
5180  0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70,
5181  0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67,
5182  0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x27, 0x06,
5183  0x03, 0x55, 0x1d, 0x11, 0x04, 0x20, 0x30, 0x1e,
5184  0x82, 0x0e, 0x2a, 0x2e, 0x66, 0x61, 0x63, 0x65,
5185  0x62, 0x6f, 0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d,
5186  0x82, 0x0c, 0x66, 0x61, 0x63, 0x65, 0x62, 0x6f,
5187  0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d,
5188  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
5189  0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81,
5190  0x00, 0x5b, 0x6c, 0x2b, 0x75, 0xf8, 0xed, 0x30,
5191  0xaa, 0x51, 0xaa, 0xd3, 0x6a, 0xba, 0x59, 0x5e,
5192  0x55, 0x51, 0x41, 0x95, 0x1f, 0x81, 0xa5, 0x3b,
5193  0x44, 0x79, 0x10, 0xac, 0x1f, 0x76, 0xff, 0x78,
5194  0xfc, 0x27, 0x81, 0x61, 0x6b, 0x58, 0xf3, 0x12,
5195  0x2a, 0xfc, 0x1c, 0x87, 0x01, 0x04, 0x25, 0xe9,
5196  0xed, 0x43, 0xdf, 0x1a, 0x7b, 0xa6, 0x49, 0x80,
5197  0x60, 0x67, 0xe2, 0x68, 0x8a, 0xf0, 0x3d, 0xb5,
5198  0x8c, 0x7d, 0xf4, 0xee, 0x03, 0x30, 0x9a, 0x6a,
5199  0xfc, 0x24, 0x7c, 0xcb, 0x13, 0x4d, 0xc3, 0x3e,
5200  0x54, 0xc6, 0xbc, 0x1d, 0x51, 0x33, 0xa5, 0x32,
5201  0xa7, 0x32, 0x73, 0xb1, 0xd7, 0x9c, 0xad, 0xc0,
5202  0x8e, 0x7e, 0x1a, 0x83, 0x11, 0x6d, 0x34, 0x52,
5203  0x33, 0x40, 0xb0, 0x30, 0x54, 0x27, 0xa2, 0x17,
5204  0x42, 0x82, 0x7c, 0x98, 0x91, 0x66, 0x98, 0xee,
5205  0x7e, 0xaf, 0x8c, 0x3b, 0xdd, 0x71, 0x70, 0x08,
5206  0x17, 0x00, 0x03, 0x87, 0x30, 0x82, 0x03, 0x83,
5207  0x30, 0x82, 0x02, 0xec, 0xa0, 0x03, 0x02, 0x01,
5208  0x02, 0x02, 0x10, 0x46, 0xfc, 0xeb, 0xba, 0xb4,
5209  0xd0, 0x2f, 0x0f, 0x92, 0x60, 0x98, 0x23, 0x3f,
5210  0x93, 0x07, 0x8f, 0x30, 0x0d, 0x06, 0x09, 0x2a,
5211  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
5212  0x05, 0x00, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09,
5213  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55,
5214  0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55,
5215  0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69,
5216  0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e,
5217  0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03,
5218  0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61,
5219  0x73, 0x73, 0x20, 0x33, 0x20, 0x50, 0x75, 0x62,
5220  0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d,
5221  0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74,
5222  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
5223  0x6e, 0x20, 0x41, 0x75, 0x64, 0x68, 0x6f, 0x72,
5224  0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x39,
5225  0x37, 0x30, 0x34, 0x31, 0x37, 0x30, 0x30, 0x30,
5226  0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x36,
5227  0x31, 0x30, 0x32, 0x34, 0x32, 0x33, 0x35, 0x39,
5228  0x35, 0x39, 0x5a, 0x30, 0x81, 0xba, 0x31, 0x1f,
5229  0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
5230  0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67,
5231  0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20,
5232  0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31,
5233  0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0b,
5234  0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69,
5235  0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
5236  0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04,
5237  0x0b, 0x13, 0x2a, 0x56, 0x65, 0x72, 0x69, 0x53,
5238  0x69, 0x67, 0x6e, 0x20, 0x49, 0x6e, 0x74, 0x65,
5239  0x72, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61,
5240  0x6c, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
5241  0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c,
5242  0x61, 0x73, 0x73, 0x20, 0x33, 0x31, 0x49, 0x30,
5243  0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40,
5244  0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69,
5245  0x73, 0x69,
5246  0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43,
5247  0x50, 0x53, 0x20, 0x49, 0x6e, 0x63, 0x6f, 0x72,
5248  0x70, 0x2e, 0x62, 0x79, 0x20, 0x52, 0x65, 0x66,
5249  0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42, 0x49, 0x4c,
5250  0x49, 0x54, 0x59, 0x20, 0x4c, 0x54, 0x44, 0x2e,
5251  0x28, 0x63, 0x29, 0x39, 0x37, 0x20, 0x56, 0x65,
5252  0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x30, 0x81,
5253  0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
5254  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
5255  0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
5256  0x81, 0x81, 0x00, 0xd8, 0x82, 0x80, 0xe8, 0xd6,
5257  0x19, 0x02, 0x7d, 0x1f, 0x85, 0x18, 0x39, 0x25,
5258  0xa2, 0x65, 0x2b, 0xe1, 0xbf, 0xd4, 0x05, 0xd3,
5259  0xbc, 0xe6, 0x36, 0x3b, 0xaa, 0xf0, 0x4c, 0x6c,
5260  0x5b, 0xb6, 0xe7, 0xaa, 0x3c, 0x73, 0x45, 0x55,
5261  0xb2, 0xf1, 0xbd, 0xea, 0x97, 0x42, 0xed, 0x9a,
5262  0x34, 0x0a, 0x15, 0xd4, 0xa9, 0x5c, 0xf5, 0x40,
5263  0x25, 0xdd, 0xd9, 0x07, 0xc1, 0x32, 0xb2, 0x75,
5264  0x6c, 0xc4, 0xca, 0xbb, 0xa3, 0xfe, 0x56, 0x27,
5265  0x71, 0x43, 0xaa, 0x63, 0xf5, 0x30, 0x3e, 0x93,
5266  0x28, 0xe5, 0xfa, 0xf1, 0x09, 0x3b, 0xf3, 0xb7,
5267  0x4d, 0x4e, 0x39, 0xf7, 0x5c, 0x49, 0x5a, 0xb8,
5268  0xc1, 0x1d, 0xd3, 0xb2, 0x8a, 0xfe, 0x70, 0x30,
5269  0x95, 0x42, 0xcb, 0xfe, 0x2b, 0x51, 0x8b, 0x5a,
5270  0x3c, 0x3a, 0xf9, 0x22, 0x4f, 0x90, 0xb2, 0x02,
5271  0xa7, 0x53, 0x9c, 0x4f, 0x34, 0xe7, 0xab, 0x04,
5272  0xb2, 0x7b, 0x6f, 0x02, 0x03, 0x01, 0x00, 0x01,
5273  0xa3, 0x81, 0xe3, 0x30, 0x81, 0xe0, 0x30, 0x0f,
5274  0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x08, 0x30,
5275  0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30,
5276  0x44, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x3d,
5277  0x30, 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86,
5278  0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x01,
5279  0x01, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b,
5280  0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16,
5281  0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f,
5282  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72,
5283  0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f,
5284  0x6d, 0x2f, 0x43, 0x50, 0x53, 0x30, 0x34, 0x06,
5285  0x03, 0x55, 0x1d, 0x25, 0x04, 0x2d, 0x30, 0x2b,
5286  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
5287  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
5288  0x05, 0x07, 0x03, 0x02, 0x06, 0x09, 0x60, 0x86,
5289  0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01, 0x06,
5290  0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45,
5291  0x01, 0x08, 0x01, 0x30, 0x0b, 0x06, 0x03, 0x55,
5292  0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06,
5293  0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
5294  0x86, 0xf8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03,
5295  0x02, 0x01, 0x06, 0x30, 0x31, 0x06, 0x03, 0x55,
5296  0x1d, 0x1f, 0x04, 0x2a, 0x30, 0x28, 0x30, 0x26,
5297  0xa0, 0x24, 0xa0, 0x22, 0x86, 0x20, 0x68, 0x74,
5298  0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c,
5299  0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67,
5300  0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x63,
5301  0x61, 0x33, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d,
5302  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
5303  0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81,
5304  0x00, 0x40, 0x8e, 0x49, 0x97, 0x96, 0x8a, 0x73,
5305  0xdd, 0x8e, 0x4d, 0xef, 0x3e, 0x61, 0xb7, 0xca,
5306  0xa0, 0x62, 0xad, 0xf4, 0x0e, 0x0a, 0xbb, 0x75,
5307  0x3d, 0xe2, 0x6e, 0xd8, 0x2c, 0xc7, 0xbf, 0xf4,
5308  0xb9, 0x8c, 0x36, 0x9b, 0xca, 0xa2, 0xd0, 0x9c,
5309  0x72, 0x46, 0x39, 0xf6, 0xa6, 0x82, 0x03, 0x65,
5310  0x11, 0xc4, 0xbc, 0xbf, 0x2d, 0xa6, 0xf5, 0xd9,
5311  0x3b, 0x0a, 0xb5, 0x98, 0xfa, 0xb3, 0x78, 0xb9,
5312  0x1e, 0xf2, 0x2b, 0x4c, 0x62, 0xd5, 0xfd, 0xb2,
5313  0x7a, 0x1d, 0xdf, 0x33, 0xfd, 0x73, 0xf9, 0xa5,
5314  0xd8, 0x2d, 0x8c, 0x2a, 0xea, 0xd1, 0xfc, 0xb0,
5315  0x28, 0xb6, 0xe9, 0x49, 0x48, 0x13, 0x4b, 0x83,
5316  0x8a, 0x1b, 0x48, 0x7b, 0x24, 0xf7, 0x38, 0xde,
5317  0x6f, 0x41, 0x54, 0xb8, 0xab, 0x57, 0x6b, 0x06,
5318  0xdf, 0xc7, 0xa2, 0xd4, 0xa9, 0xf6, 0xf1, 0x36,
5319  0x62, 0x80, 0x88, 0xf2, 0x8b, 0x75, 0xd6, 0x80,
5320  0x75, 0x16, 0x03, 0x01, 0x00, 0x04, 0x0e, 0x00,
5321  0x00, 0x00
5322  };
5323  uint32_t server_hello_certificate_done_len = sizeof(server_hello_certificate_done);
5324 
5325  uint8_t client_key_exchange_cipher_enc_hs[] = {
5326  0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
5327  0x80, 0x00, 0x80, 0x14, 0x2b, 0x2f, 0x9f, 0x02,
5328  0x1d, 0x4e, 0x0d, 0xa7, 0x41, 0x0f, 0x99, 0xc5,
5329  0xe9, 0x49, 0x22, 0x14, 0xa0, 0x42, 0x7b, 0xb4,
5330  0x6d, 0x4f, 0x82, 0x3c, 0x3a, 0x6e, 0xed, 0xd5,
5331  0x6e, 0x72, 0x71, 0xae, 0x00, 0x4a, 0x9a, 0xc9,
5332  0x0e, 0x2d, 0x08, 0xa2, 0xd3, 0x3a, 0xb0, 0xb2,
5333  0x1a, 0x56, 0x01, 0x7c, 0x9a, 0xfa, 0xfb, 0x1a,
5334  0xd7, 0x7e, 0x20, 0x68, 0x51, 0xd0, 0xfe, 0xd9,
5335  0xdc, 0xa7, 0x0b, 0xeb, 0x1a, 0xb6, 0xd3, 0xc7,
5336  0x17, 0x1f, 0xf3, 0x6e, 0x91, 0xdd, 0x06, 0x0d,
5337  0x48, 0xde, 0xcd, 0x0c, 0x36, 0x8c, 0x83, 0x29,
5338  0x9a, 0x40, 0x03, 0xcd, 0xf3, 0x1b, 0xdb, 0xd8,
5339  0x44, 0x6b, 0x75, 0xf3, 0x5a, 0x9f, 0x26, 0x1a,
5340  0xc4, 0x16, 0x35, 0x8f, 0xc1, 0x15, 0x19, 0xa9,
5341  0xdf, 0x07, 0xa9, 0xe5, 0x56, 0x45, 0x6d, 0xca,
5342  0x20, 0x3c, 0xcf, 0x8e, 0xbe, 0x44, 0x68, 0x73,
5343  0xc8, 0x0b, 0xc7, 0x14, 0x03, 0x01, 0x00, 0x01,
5344  0x01, 0x16, 0x03, 0x01, 0x00, 0x24, 0xf9, 0x7e,
5345  0x28, 0x77, 0xa9, 0x9a, 0x08, 0x0c, 0x2e, 0xa9,
5346  0x09, 0x15, 0x27, 0xcd, 0x93, 0x5f, 0xc0, 0x32,
5347  0x0a, 0x8d, 0x62, 0xd3, 0x54, 0x79, 0x6b, 0x51,
5348  0xd7, 0xba, 0x02, 0xd6, 0xdb, 0x66, 0xe8, 0x97,
5349  0x5d, 0x7a
5350  };
5351  uint32_t client_key_exchange_cipher_enc_hs_len = sizeof(client_key_exchange_cipher_enc_hs);
5352 
5353  TcpSession ssn;
5355 
5356  memset(&f, 0, sizeof(f));
5357  memset(&ssn, 0, sizeof(ssn));
5358  FLOW_INITIALIZE(&f);
5359  f.protoctx = (void *)&ssn;
5360  f.proto = IPPROTO_TCP;
5361  f.alproto = ALPROTO_TLS;
5362 
5363  StreamTcpInitConfig(true);
5364 
5365  FLOWLOCK_WRLOCK(&f);
5366  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
5367  STREAM_TOSERVER, client_hello,
5368  client_hello_len);
5369  FLOWLOCK_UNLOCK(&f);
5370  FAIL_IF(r != 0);
5371 
5372  SSLState *ssl_state = f.alstate;
5373  FAIL_IF_NULL(ssl_state);
5374 
5375  FAIL_IF(ssl_state->client_connp.bytes_processed != 0);
5376  FAIL_IF(ssl_state->client_connp.hs_bytes_processed != 0);
5377 
5378  FLOWLOCK_WRLOCK(&f);
5379  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
5380  server_hello_certificate_done,
5381  server_hello_certificate_done_len);
5382  FLOWLOCK_UNLOCK(&f);
5383  FAIL_IF(r != 0);
5384 
5385  FAIL_IF(ssl_state->client_connp.bytes_processed != 0);
5386  FAIL_IF(ssl_state->client_connp.hs_bytes_processed != 0);
5387 
5388  FLOWLOCK_WRLOCK(&f);
5389  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
5390  client_key_exchange_cipher_enc_hs,
5391  client_key_exchange_cipher_enc_hs_len);
5392  FLOWLOCK_UNLOCK(&f);
5393  FAIL_IF(r != 0);
5394 
5396  StreamTcpFreeConfig(true);
5397  FLOW_DESTROY(&f);
5398 
5399  PASS;
5400 }
5401 
5402 static int SSLParserTest26(void)
5403 {
5404  Flow f;
5405  uint8_t client_hello[] = {
5406  0x16, 0x03, 0x01, 0x02, 0x0e, 0x01, 0x00, 0x02,
5407  0x0a, 0x03, 0x03, 0x58, 0x36, 0x15, 0x03, 0x8e,
5408  0x07, 0xf9, 0xad, 0x2a, 0xb7, 0x56, 0xbf, 0xe2,
5409  0xa2, 0xf8, 0x21, 0xe0, 0xbb, 0x69, 0xc2, 0xd6,
5410  0x76, 0xe6, 0x77, 0xfe, 0x09, 0xff, 0x8e, 0xac,
5411  0x80, 0xb5, 0x27, 0x20, 0xb7, 0xbb, 0x90, 0x35,
5412  0x7a, 0xdd, 0xd9, 0x67, 0xdf, 0x79, 0xd6, 0x16,
5413  0x90, 0xf6, 0xd7, 0x5c, 0xd3, 0x07, 0x19, 0x20,
5414  0x01, 0x39, 0x76, 0x25, 0x12, 0x32, 0x71, 0xa1,
5415  0x84, 0x8d, 0x2d, 0xea, 0x00, 0x88, 0xc0, 0x30,
5416  0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
5417  0xc0, 0x0a, 0x00, 0xa3, 0x00, 0x9f, 0x00, 0x6b,
5418  0x00, 0x6a, 0x00, 0x39, 0x00, 0x38, 0x00, 0x88,
5419  0x00, 0x87, 0xc0, 0x32, 0xc0, 0x2e, 0xc0, 0x2a,
5420  0xc0, 0x26, 0xc0, 0x0f, 0xc0, 0x05, 0x00, 0x9d,
5421  0x00, 0x3d, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x12,
5422  0xc0, 0x08, 0x00, 0x16, 0x00, 0x13, 0xc0, 0x0d,
5423  0xc0, 0x03, 0x00, 0x0a, 0xc0, 0x2f, 0xc0, 0x2b,
5424  0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
5425  0x00, 0xa2, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x40,
5426  0x00, 0x33, 0x00, 0x32, 0x00, 0x9a, 0x00, 0x99,
5427  0x00, 0x45, 0x00, 0x44, 0xc0, 0x31, 0xc0, 0x2d,
5428  0xc0, 0x29, 0xc0, 0x25, 0xc0, 0x0e, 0xc0, 0x04,
5429  0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0x96,
5430  0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0xc0, 0x0c,
5431  0xc0, 0x02, 0x00, 0x05, 0x00, 0x04, 0x00, 0x15,
5432  0x00, 0x12, 0x00, 0x09, 0x00, 0xff, 0x01, 0x00,
5433  0x01, 0x39, 0x00, 0x00, 0x00, 0x14, 0x00, 0x12,
5434  0x00, 0x00, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x79,
5435  0x6f, 0x75, 0x74, 0x75, 0x62, 0x65, 0x2e, 0x63,
5436  0x6f, 0x6d, 0x00, 0x0b, 0x00, 0x04, 0x03, 0x00,
5437  0x01, 0x02, 0x00, 0x0a, 0x00, 0x34, 0x00, 0x32,
5438  0x00, 0x0e, 0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b,
5439  0x00, 0x0c, 0x00, 0x18, 0x00, 0x09, 0x00, 0x0a,
5440  0x00, 0x16, 0x00, 0x17, 0x00, 0x08, 0x00, 0x06,
5441  0x00, 0x07, 0x00, 0x14, 0x00, 0x15, 0x00, 0x04,
5442  0x00, 0x05, 0x00, 0x12, 0x00, 0x13, 0x00, 0x01,
5443  0x00, 0x02, 0x00, 0x03, 0x00, 0x0f, 0x00, 0x10,
5444  0x00, 0x11, 0x00, 0x23, 0x00, 0xb4, 0x05, 0x6c,
5445  0xfa, 0x27, 0x6f, 0x12, 0x2f, 0x2a, 0xe5, 0x56,
5446  0xcb, 0x42, 0x62, 0x44, 0xf2, 0xd7, 0xd1, 0x05,
5447  0x87, 0xd4, 0x52, 0x02, 0x10, 0x85, 0xa4, 0xa6,
5448  0x82, 0x6f, 0x6d, 0x7b, 0xaf, 0x11, 0xbe, 0x21,
5449  0x7e, 0x7c, 0x36, 0x03, 0x20, 0x29, 0xd8, 0xf9,
5450  0xe5, 0x2b, 0xe2, 0x26, 0xb2, 0x27, 0xc7, 0xb9,
5451  0xda, 0x59, 0xd7, 0xdc, 0xfd, 0x74, 0x74, 0x76,
5452  0xd0, 0x5e, 0xe4, 0xfe, 0x9d, 0xb7, 0x1b, 0x13,
5453  0x81, 0xce, 0x63, 0x75, 0x2b, 0x2f, 0x98, 0x3a,
5454  0x84, 0x46, 0xd3, 0x0c, 0xb3, 0x01, 0xdb, 0x62,
5455  0x51, 0x97, 0x92, 0x1c, 0xa5, 0x94, 0x60, 0xef,
5456  0xa6, 0xd8, 0xb2, 0x2f, 0x02, 0x42, 0x5c, 0xac,
5457  0xb4, 0xd9, 0x10, 0x2f, 0x7e, 0x89, 0xab, 0xa5,
5458  0xd7, 0x56, 0x6d, 0x03, 0xd2, 0x5f, 0x20, 0x2c,
5459  0xb6, 0x99, 0x2b, 0x66, 0xbd, 0xd4, 0xde, 0x53,
5460  0x76, 0x5c, 0x78, 0xf0, 0xe9, 0x6d, 0xa5, 0xc3,
5461  0x1a, 0x9e, 0x61, 0xb2, 0x45, 0xb0, 0xb3, 0x61,
5462  0xee, 0xa1, 0x07, 0xab, 0x2f, 0x84, 0xea, 0x43,
5463  0x76, 0x4b, 0x3d, 0xb0, 0xbe, 0xa4, 0xb4, 0x21,
5464  0xe1, 0xd3, 0xfd, 0x91, 0xe2, 0xe7, 0xf3, 0x38,
5465  0x9c, 0x56, 0x5f, 0xa1, 0xde, 0xa8, 0x2f, 0x0a,
5466  0x49, 0x6d, 0x44, 0x8e, 0xb7, 0xef, 0x4a, 0x6f,
5467  0x79, 0xb2, 0x00, 0x0d, 0x00, 0x20, 0x00, 0x1e,
5468  0x06, 0x01, 0x06, 0x02, 0x06, 0x03, 0x05, 0x01,
5469  0x05, 0x02, 0x05, 0x03, 0x04, 0x01, 0x04, 0x02,
5470  0x04, 0x03, 0x03, 0x01, 0x03, 0x02, 0x03, 0x03,
5471  0x02, 0x01, 0x02, 0x02, 0x02, 0x03, 0x00, 0x0f,
5472  0x00, 0x01, 0x01
5473  };
5474  uint32_t client_hello_len = sizeof(client_hello);
5475 
5476  uint8_t server_hello_change_cipher_spec[] = {
5477  0x16, 0x03, 0x03, 0x00, 0x57, 0x02, 0x00, 0x00,
5478  0x53, 0x03, 0x03, 0x58, 0x36, 0x15, 0x03, 0x9f,
5479  0x3b, 0xf3, 0x11, 0x96, 0x2b, 0xc3, 0xae, 0x91,
5480  0x8c, 0x5f, 0x8b, 0x3f, 0x90, 0xbd, 0xa9, 0x26,
5481  0x26, 0xb2, 0xfd, 0x12, 0xc5, 0xc5, 0x7b, 0xe4,
5482  0xd1, 0x3e, 0x81, 0x20, 0xb7, 0xbb, 0x90, 0x35,
5483  0x7a, 0xdd, 0xd9, 0x67, 0xdf, 0x79, 0xd6, 0x16,
5484  0x90, 0xf6, 0xd7, 0x5c, 0xd3, 0x07, 0x19, 0x20,
5485  0x01, 0x39, 0x76, 0x25, 0x12, 0x32, 0x71, 0xa1,
5486  0x84, 0x8d, 0x2d, 0xea, 0xc0, 0x2b, 0x00, 0x00,
5487  0x0b, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0b,
5488  0x00, 0x02, 0x01, 0x00, 0x14, 0x03, 0x03, 0x00,
5489  0x01, 0x01, 0x16, 0x03, 0x03, 0x00, 0x28, 0x00,
5490  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06,
5491  0x66, 0xfe, 0x07, 0x08, 0x33, 0x4d, 0xc2, 0x83,
5492  0x8e, 0x05, 0x8b, 0xf8, 0xd1, 0xb1, 0xa7, 0x16,
5493  0x4b, 0x42, 0x5c, 0x3a, 0xa4, 0x31, 0x0f, 0xba,
5494  0x84, 0x06, 0xcb, 0x9d, 0xc6, 0xc4, 0x66
5495  };
5496  uint32_t server_hello_change_cipher_spec_len = sizeof(server_hello_change_cipher_spec);
5497 
5498  TcpSession ssn;
5500 
5501  memset(&f, 0, sizeof(f));
5502  memset(&ssn, 0, sizeof(ssn));
5503  FLOW_INITIALIZE(&f);
5504  f.protoctx = (void *)&ssn;
5505  f.proto = IPPROTO_TCP;
5506  f.alproto = ALPROTO_TLS;
5507 
5508  StreamTcpInitConfig(true);
5509 
5510  FLOWLOCK_WRLOCK(&f);
5511  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
5512  STREAM_TOSERVER, client_hello,
5513  client_hello_len);
5514  FLOWLOCK_UNLOCK(&f);
5515  FAIL_IF(r != 0);
5516 
5517  SSLState *ssl_state = f.alstate;
5518  FAIL_IF_NULL(ssl_state);
5519 
5520  FAIL_IF((ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0);
5521  FAIL_IF_NULL(ssl_state->client_connp.session_id);
5522 
5523  FLOWLOCK_WRLOCK(&f);
5524  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
5525  server_hello_change_cipher_spec,
5526  server_hello_change_cipher_spec_len);
5527  FLOWLOCK_UNLOCK(&f);
5528  FAIL_IF(r != 0);
5529 
5531  FAIL_IF((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0);
5532 
5534  StreamTcpFreeConfig(true);
5535  FLOW_DESTROY(&f);
5536 
5537  PASS;
5538 }
5539 
5540 #endif /* UNITTESTS */
5541 
5543 {
5544 #ifdef UNITTESTS
5545  UtRegisterTest("SSLParserTest01", SSLParserTest01);
5546  UtRegisterTest("SSLParserTest02", SSLParserTest02);
5547  UtRegisterTest("SSLParserTest03", SSLParserTest03);
5548  UtRegisterTest("SSLParserTest04", SSLParserTest04);
5549  /* Updated by Anoop Saldanha. Faulty tests. Disable it for now */
5550  //UtRegisterTest("SSLParserTest05", SSLParserTest05, 1);
5551  //UtRegisterTest("SSLParserTest06", SSLParserTest06, 1);
5552  UtRegisterTest("SSLParserTest07", SSLParserTest07);
5553  //UtRegisterTest("SSLParserTest08", SSLParserTest08, 1);
5554  UtRegisterTest("SSLParserTest09", SSLParserTest09);
5555  UtRegisterTest("SSLParserTest10", SSLParserTest10);
5556  UtRegisterTest("SSLParserTest11", SSLParserTest11);
5557  UtRegisterTest("SSLParserTest12", SSLParserTest12);
5558  UtRegisterTest("SSLParserTest13", SSLParserTest13);
5559 
5560  UtRegisterTest("SSLParserTest14", SSLParserTest14);
5561  UtRegisterTest("SSLParserTest15", SSLParserTest15);
5562  UtRegisterTest("SSLParserTest16", SSLParserTest16);
5563  UtRegisterTest("SSLParserTest17", SSLParserTest17);
5564  UtRegisterTest("SSLParserTest18", SSLParserTest18);
5565  UtRegisterTest("SSLParserTest19", SSLParserTest19);
5566  UtRegisterTest("SSLParserTest20", SSLParserTest20);
5567  UtRegisterTest("SSLParserTest21", SSLParserTest21);
5568  UtRegisterTest("SSLParserTest22", SSLParserTest22);
5569  UtRegisterTest("SSLParserTest23", SSLParserTest23);
5570  UtRegisterTest("SSLParserTest24", SSLParserTest24);
5571  UtRegisterTest("SSLParserTest25", SSLParserTest25);
5572  UtRegisterTest("SSLParserTest26", SSLParserTest26);
5573 
5574  UtRegisterTest("SSLParserMultimsgTest01", SSLParserMultimsgTest01);
5575  UtRegisterTest("SSLParserMultimsgTest02", SSLParserMultimsgTest02);
5576 #endif /* UNITTESTS */
5577 
5578  return;
5579 }
SSLV3_CHANGE_CIPHER_SPEC
#define SSLV3_CHANGE_CIPHER_SPEC
Definition: app-layer-ssl.c:163
tls_frame_table
SCEnumCharMap tls_frame_table[]
Definition: app-layer-ssl.c:57
SSLStateConnp_::cert0_not_before
time_t cert0_not_before
Definition: app-layer-ssl.h:215
util-byte.h
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:212
AppLayerParserRegisterGetStateProgressFunc
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto, int(*StateGetProgress)(void *alstate, uint8_t direction))
Definition: app-layer-parser.c:503
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:243
SslConfig_::disable_ja3
bool disable_ja3
Definition: app-layer-ssl.c:157
SSL_EXTENSION_EC_POINT_FORMATS
#define SSL_EXTENSION_EC_POINT_FORMATS
Definition: app-layer-ssl.h:140
AppLayerProtoDetectPPParseConfPorts
int AppLayerProtoDetectPPParseConfPorts(const char *ipproto_name, uint8_t ipproto, const char *alproto_name, AppProto alproto, uint16_t min_depth, uint16_t max_depth, ProbingParserFPtr ProbingParserTs, ProbingParserFPtr ProbingParserTc)
Definition: app-layer-detect-proto.c:1727
len
uint8_t len
Definition: app-layer-dnp3.h:2
TLS_VERSION_11
@ TLS_VERSION_11
Definition: app-layer-ssl.h:158
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
JA3Buffer_
Definition: util-ja3.h:29
TLS_VERSION_13_DRAFT26_FB
@ TLS_VERSION_13_DRAFT26_FB
Definition: app-layer-ssl.h:179
SSLCertsChain_::cert_len
uint32_t cert_len
Definition: app-layer-ssl.h:184
TLS_HB_RESPONSE
#define TLS_HB_RESPONSE
Definition: app-layer-ssl.c:203
TLS_VERSION_12
@ TLS_VERSION_12
Definition: app-layer-ssl.h:159
SHA1_STRING_LENGTH
#define SHA1_STRING_LENGTH
Definition: app-layer-ssl.c:207
TAILQ_INIT
#define TAILQ_INIT(head)
Definition: queue.h:263
flow-util.h
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:315
ValidateTrecBuffer
#define ValidateTrecBuffer(...)
Definition: app-layer-ssl.c:249
SSL_AL_FLAG_HANDSHAKE_DONE
#define SSL_AL_FLAG_HANDSHAKE_DONE
Definition: app-layer-ssl.h:115
ConfNode_::val
char * val
Definition: conf.h:34
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:516
stream-tcp.h
ERR_INVALID_CERTIFICATE
@ ERR_INVALID_CERTIFICATE
Definition: app-layer-ssl.c:127
SSLV3_HS_FINISHED
#define SSLV3_HS_FINISHED
Definition: app-layer-ssl.c:180
SSLState_::hb_record_len
uint32_t hb_record_len
Definition: app-layer-ssl.h:252
TLS_VERSION_13_DRAFT21_FB
@ TLS_VERSION_13_DRAFT21_FB
Definition: app-layer-ssl.h:176
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSL_EXTENSION_ELLIPTIC_CURVES
#define SSL_EXTENSION_ELLIPTIC_CURVES
Definition: app-layer-ssl.h:139
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:387
SSLStateConnp_::message_length
uint32_t message_length
Definition: app-layer-ssl.h:197
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:260
TLS_VERSION_13_DRAFT21
@ TLS_VERSION_13_DRAFT21
Definition: app-layer-ssl.h:168
TLS_FRAME_DATA
@ TLS_FRAME_DATA
Definition: app-layer-ssl.h:38
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
SSL_AL_FLAG_EARLY_DATA
#define SSL_AL_FLAG_EARLY_DATA
Definition: app-layer-ssl.h:132
SSLStateConnp_::bytes_processed
uint32_t bytes_processed
Definition: app-layer-ssl.h:206
APP_LAYER_PARSER_BYPASS_READY
#define APP_LAYER_PARSER_BYPASS_READY
Definition: app-layer-parser.h:41
TLS_DECODER_EVENT_INVALID_SNI_TYPE
@ TLS_DECODER_EVENT_INVALID_SNI_TYPE
Definition: app-layer-ssl.h:58
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:0
SSLV2_MT_SERVER_FINISHED
#define SSLV2_MT_SERVER_FINISHED
Definition: app-layer-ssl.c:191
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:261
SSL_AL_FLAG_SESSION_RESUMED
#define SSL_AL_FLAG_SESSION_RESUMED
Definition: app-layer-ssl.h:121
Flow_::proto
uint8_t proto
Definition: flow.h:375
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:80
ValidateRecordState
#define ValidateRecordState(...)
Definition: app-layer-ssl.c:238
SSLStateConnp_
Definition: app-layer-ssl.h:189
SSL_CERT_MAX_FIRST_ALLOC
#define SSL_CERT_MAX_FIRST_ALLOC
Definition: app-layer-ssl.c:1425
AppLayerParserConfParserEnabled
int AppLayerParserConfParserEnabled(const char *ipproto, const char *alproto_name)
check if a parser is enabled in the config Returns enabled always if: were running unittests
Definition: app-layer-parser.c:340
AppLayerParserTriggerRawStreamReassembly
void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction)
Definition: app-layer-parser.c:1476
SSLStateConnp_::ja3_hash
char * ja3_hash
Definition: app-layer-ssl.h:229
SSL_CONFIG_DEFAULT_JA3
#define SSL_CONFIG_DEFAULT_JA3
Definition: app-layer-ssl.c:144
SSLStateConnp_::session_id_length
uint16_t session_id_length
Definition: app-layer-ssl.h:210
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:175
TLS_STATE_FINISHED
@ TLS_STATE_FINISHED
Definition: app-layer-ssl.h:82
threads.h
ERR_EXTRACT_ISSUER
@ ERR_EXTRACT_ISSUER
Definition: app-layer-ssl.c:139
tls_decoder_event_table
SCEnumCharMap tls_decoder_event_table[]
Definition: app-layer-ssl.c:89
TLS_DECODER_EVENT_HEARTBEAT
@ TLS_DECODER_EVENT_HEARTBEAT
Definition: app-layer-ssl.h:52
flow-private.h
Flow_
Flow data structure.
Definition: flow.h:353
SSL_EXTENSION_SUPPORTED_VERSIONS
#define SSL_EXTENSION_SUPPORTED_VERSIONS
Definition: app-layer-ssl.h:143
SSLState_::f
Flow * f
Definition: app-layer-ssl.h:244
SSL_AL_FLAG_STATE_SERVER_HELLO
#define SSL_AL_FLAG_STATE_SERVER_HELLO
Definition: app-layer-ssl.h:101
AppLayerEventType
enum AppLayerEventType_ AppLayerEventType
SSLV3_HS_SERVER_HELLO
#define SSLV3_HS_SERVER_HELLO
Definition: app-layer-ssl.c:172
AppLayerParserRegisterStateProgressCompletionStatus
void AppLayerParserRegisterStateProgressCompletionStatus(AppProto alproto, const int ts, const int tc)
Definition: app-layer-parser.c:555
AppLayerParserRegisterParserAcceptableDataDirection
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto, AppProto alproto, uint8_t direction)
Definition: app-layer-parser.c:410
SSLState_::tx_data
AppLayerTxData tx_data
Definition: app-layer-ssl.h:246
SSLParserHSReset
#define SSLParserHSReset(connp)
Definition: app-layer-ssl.c:252
SSLV3_HS_CERTIFICATE
#define SSLV3_HS_CERTIFICATE
Definition: app-layer-ssl.c:174
AppLayerParserRegisterTxFreeFunc
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto, void(*StateTransactionFree)(void *, uint64_t))
Definition: app-layer-parser.c:514
SSLV3_HEARTBEAT_PROTOCOL
#define SSLV3_HEARTBEAT_PROTOCOL
Definition: app-layer-ssl.c:167
SSLV2_MT_SERVER_HELLO
#define SSLV2_MT_SERVER_HELLO
Definition: app-layer-ssl.c:189
FLOW_NOPAYLOAD_INSPECTION
#define FLOW_NOPAYLOAD_INSPECTION
Definition: flow.h:65
SSLState_::curr_connp
SSLStateConnp * curr_connp
Definition: app-layer-ssl.h:258
Ja3BufferAddValue
int Ja3BufferAddValue(JA3Buffer **buffer, uint32_t value)
Add value to buffer.
Definition: util-ja3.c:170
TLS_DECODER_EVENT_INVALID_CERTIFICATE
@ TLS_DECODER_EVENT_INVALID_CERTIFICATE
Definition: app-layer-ssl.h:62
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
TLS_DECODER_EVENT_INVALID_SNI_LENGTH
@ TLS_DECODER_EVENT_INVALID_SNI_LENGTH
Definition: app-layer-ssl.h:59
SSLV3_HS_CERTIFICATE_URL
#define SSLV3_HS_CERTIFICATE_URL
Definition: app-layer-ssl.c:181
TLS_VERSION_13_DRAFT18
@ TLS_VERSION_13_DRAFT18
Definition: app-layer-ssl.h:171
MIN
#define MIN(x, y)
Definition: suricata-common.h:372
AppLayerDecoderEventsFreeEvents
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
Definition: app-layer-events.c:130
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH
@ TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH
Definition: app-layer-ssl.h:55
util-ja3.h
stream-tcp-reassemble.h
SSL_AL_FLAG_STATE_SERVER_KEYX
#define SSL_AL_FLAG_STATE_SERVER_KEYX
Definition: app-layer-ssl.h:103
TLS_DECODER_EVENT_INVALID_SSL_RECORD
@ TLS_DECOD