app-layer-ssl.h File Reference

#include "util-ja3.h"
#include "rust.h"

Include dependency graph for app-layer-ssl.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	SSLCertsChain_
struct	SSLAlpns_
struct	SSLStateConnp_
struct	SSLState_
	SSLv[2.0|3.[0|1|2|3]] state structure. More...

Macros
#define	SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)
#define	SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)
#define	SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)
#define	SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)
#define	SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)
#define	SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)
#define	SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)
#define	SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)
#define	SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)
#define	SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)
#define	SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)
#define	SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)
#define	SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)
#define	SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)
#define	SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)
#define	SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)
#define	SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)
#define	SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)
#define	SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)
#define	SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)
#define	SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)
#define	SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)
#define	SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)
#define	TLS_TS_RANDOM_SET   BIT_U32(24)
#define	TLS_TC_RANDOM_SET   BIT_U32(25)
#define	SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)
#define	SSL_TLS_LOG_PEM   (1 << 0)
#define	SSL_EXTENSION_SNI   0x0000
#define	SSL_EXTENSION_ELLIPTIC_CURVES   0x000a
#define	SSL_EXTENSION_EC_POINT_FORMATS   0x000b
#define	SSL_EXTENSION_SIGNATURE_ALGORITHMS   0x000d
#define	SSL_EXTENSION_ALPN   0x0010
#define	SSL_EXTENSION_SESSION_TICKET   0x0023
#define	SSL_EXTENSION_EARLY_DATA   0x002a
#define	SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b
#define	SSL_SNI_TYPE_HOST_NAME   0
#define	SSL_VERSION_MAX_STRLEN   20
#define	TLS_RANDOM_LEN   32

Typedefs
typedef struct SSLCertsChain_	SSLCertsChain
typedef struct SSLAlpns_	SSLAlpns
typedef struct SSLStateConnp_	SSLStateConnp
typedef struct SSLState_	SSLState
	SSLv[2.0|3.[0|1|2|3]] state structure. More...

Enumerations
enum	TlsFrameTypes {   TLS_FRAME_PDU = 0, TLS_FRAME_HDR, TLS_FRAME_DATA, TLS_FRAME_ALERT_DATA,   TLS_FRAME_HB_DATA, TLS_FRAME_SSLV2_HDR, TLS_FRAME_SSLV2_PDU }
enum	{   TLS_DECODER_EVENT_INVALID_SSLV2_HEADER, TLS_DECODER_EVENT_INVALID_TLS_HEADER, TLS_DECODER_EVENT_INVALID_RECORD_VERSION, TLS_DECODER_EVENT_INVALID_RECORD_TYPE,   TLS_DECODER_EVENT_INVALID_RECORD_LENGTH, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE, TLS_DECODER_EVENT_HEARTBEAT, TLS_DECODER_EVENT_INVALID_HEARTBEAT,   TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT, TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH, TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH, TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,   TLS_DECODER_EVENT_INVALID_SNI_TYPE, TLS_DECODER_EVENT_INVALID_SNI_LENGTH, TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET, TLS_DECODER_EVENT_INVALID_ALERT,   TLS_DECODER_EVENT_INVALID_CERTIFICATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL,   TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME, TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS,   TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT, TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY,   TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED, TLS_DECODER_EVENT_INVALID_SSL_RECORD }
enum	{ TLS_STATE_IN_PROGRESS = 0, TLS_STATE_CERT_READY = 1, TLS_HANDSHAKE_DONE = 2, TLS_STATE_FINISHED = 3 }
enum	{   TLS_VERSION_UNKNOWN = 0x0000, SSL_VERSION_2 = 0x0200, SSL_VERSION_3 = 0x0300, TLS_VERSION_10 = 0x0301,   TLS_VERSION_11 = 0x0302, TLS_VERSION_12 = 0x0303, TLS_VERSION_13 = 0x0304, TLS_VERSION_13_DRAFT28 = 0x7f1c,   TLS_VERSION_13_DRAFT27 = 0x7f1b, TLS_VERSION_13_DRAFT26 = 0x7f1a, TLS_VERSION_13_DRAFT25 = 0x7f19, TLS_VERSION_13_DRAFT24 = 0x7f18,   TLS_VERSION_13_DRAFT23 = 0x7f17, TLS_VERSION_13_DRAFT22 = 0x7f16, TLS_VERSION_13_DRAFT21 = 0x7f15, TLS_VERSION_13_DRAFT20 = 0x7f14,   TLS_VERSION_13_DRAFT19 = 0x7f13, TLS_VERSION_13_DRAFT18 = 0x7f12, TLS_VERSION_13_DRAFT17 = 0x7f11, TLS_VERSION_13_DRAFT16 = 0x7f10,   TLS_VERSION_13_PRE_DRAFT16 = 0x7f01, TLS_VERSION_13_DRAFT20_FB = 0xfb14, TLS_VERSION_13_DRAFT21_FB = 0xfb15, TLS_VERSION_13_DRAFT22_FB = 0xfb16,   TLS_VERSION_13_DRAFT23_FB = 0xfb17, TLS_VERSION_13_DRAFT26_FB = 0xfb1a }

Functions
void	RegisterSSLParsers (void)
	Function to register the SSL protocol parser and other functions. More...
void	SSLVersionToString (uint16_t, char *)
void	SSLEnableJA3 (void)
	if not explicitly disabled in config, enable ja3 support More...
bool	SSLJA3IsEnabled (void)
	return whether ja3 is effectively enabled More...
void	SSLEnableJA4 (void)
	if not explicitly disabled in config, enable ja4 support More...
bool	SSLJA4IsEnabled (void)
	return whether ja4 is effectively enabled More...

Detailed Description

Author

Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com

Pierre Chifflier pierr.nosp@m.e.ch.nosp@m.iffli.nosp@m.er@s.nosp@m.si.go.nosp@m.uv.f.nosp@m.r

Definition in file app-layer-ssl.h.

Macro Definition Documentation

SSL_AL_FLAG_CH_VERSION_EXTENSION

#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)

Definition at line 121 of file app-layer-ssl.h.

SSL_AL_FLAG_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)

Definition at line 89 of file app-layer-ssl.h.

SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)

Definition at line 88 of file app-layer-ssl.h.

SSL_AL_FLAG_EARLY_DATA

#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)

Definition at line 129 of file app-layer-ssl.h.

SSL_AL_FLAG_HANDSHAKE_DONE

#define SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)

Definition at line 115 of file app-layer-ssl.h.

SSL_AL_FLAG_HB_CLIENT_INIT

#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)

Definition at line 111 of file app-layer-ssl.h.

SSL_AL_FLAG_HB_INFLIGHT

#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)

Definition at line 110 of file app-layer-ssl.h.

SSL_AL_FLAG_HB_SERVER_INIT

#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)

Definition at line 112 of file app-layer-ssl.h.

SSL_AL_FLAG_LOG_WITHOUT_CERT

#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)

Definition at line 125 of file app-layer-ssl.h.

SSL_AL_FLAG_NEED_CLIENT_CERT

#define SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)

Definition at line 137 of file app-layer-ssl.h.

SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)

Definition at line 86 of file app-layer-ssl.h.

SSL_AL_FLAG_SESSION_RESUMED

#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)

Definition at line 118 of file app-layer-ssl.h.

SSL_AL_FLAG_SSL_CLIENT_HS

#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)

Definition at line 92 of file app-layer-ssl.h.

SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY

#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)

Definition at line 94 of file app-layer-ssl.h.

SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)

Definition at line 95 of file app-layer-ssl.h.

SSL_AL_FLAG_SSL_NO_SESSION_ID

#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)

Definition at line 97 of file app-layer-ssl.h.

SSL_AL_FLAG_SSL_SERVER_HS

#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)

Definition at line 93 of file app-layer-ssl.h.

SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)

Definition at line 96 of file app-layer-ssl.h.

SSL_AL_FLAG_STATE_CLIENT_HELLO

#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)

Definition at line 100 of file app-layer-ssl.h.

SSL_AL_FLAG_STATE_CLIENT_KEYX

#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)

Definition at line 102 of file app-layer-ssl.h.

SSL_AL_FLAG_STATE_FINISHED

#define SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)

Definition at line 107 of file app-layer-ssl.h.

SSL_AL_FLAG_STATE_SERVER_HELLO

#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)

Definition at line 101 of file app-layer-ssl.h.

SSL_AL_FLAG_STATE_SERVER_KEYX

#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)

Definition at line 103 of file app-layer-ssl.h.

SSL_AL_FLAG_STATE_UNKNOWN

#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)

Definition at line 104 of file app-layer-ssl.h.

SSL_EXTENSION_ALPN

#define SSL_EXTENSION_ALPN   0x0010

Definition at line 147 of file app-layer-ssl.h.

SSL_EXTENSION_EARLY_DATA

#define SSL_EXTENSION_EARLY_DATA   0x002a

Definition at line 149 of file app-layer-ssl.h.

SSL_EXTENSION_EC_POINT_FORMATS

#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b

Definition at line 145 of file app-layer-ssl.h.

SSL_EXTENSION_ELLIPTIC_CURVES

#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a

Definition at line 144 of file app-layer-ssl.h.

SSL_EXTENSION_SESSION_TICKET

#define SSL_EXTENSION_SESSION_TICKET   0x0023

Definition at line 148 of file app-layer-ssl.h.

SSL_EXTENSION_SIGNATURE_ALGORITHMS

#define SSL_EXTENSION_SIGNATURE_ALGORITHMS   0x000d

Definition at line 146 of file app-layer-ssl.h.

SSL_EXTENSION_SNI

#define SSL_EXTENSION_SNI   0x0000

Definition at line 143 of file app-layer-ssl.h.

SSL_EXTENSION_SUPPORTED_VERSIONS

#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b

Definition at line 150 of file app-layer-ssl.h.

SSL_SNI_TYPE_HOST_NAME

#define SSL_SNI_TYPE_HOST_NAME   0

Definition at line 153 of file app-layer-ssl.h.

SSL_TLS_LOG_PEM

#define SSL_TLS_LOG_PEM   (1 << 0)

Definition at line 140 of file app-layer-ssl.h.

SSL_VERSION_MAX_STRLEN

#define SSL_VERSION_MAX_STRLEN   20

Definition at line 156 of file app-layer-ssl.h.

TLS_RANDOM_LEN

#define TLS_RANDOM_LEN   32

Definition at line 159 of file app-layer-ssl.h.

TLS_TC_RANDOM_SET

#define TLS_TC_RANDOM_SET   BIT_U32(25)

Definition at line 135 of file app-layer-ssl.h.

TLS_TS_RANDOM_SET

#define TLS_TS_RANDOM_SET   BIT_U32(24)

Definition at line 132 of file app-layer-ssl.h.

Typedef Documentation

SSLAlpns

typedef struct SSLAlpns_ SSLAlpns

SSLCertsChain

typedef struct SSLCertsChain_ SSLCertsChain

SSLState

typedef struct SSLState_ SSLState

SSLv[2.0|3.[0|1|2|3]] state structure.

   Structure to store the SSL state values.

SSLStateConnp

typedef struct SSLStateConnp_ SSLStateConnp

Enumeration Type Documentation

anonymous enum

anonymous enum

Enumerator
TLS_DECODER_EVENT_INVALID_SSLV2_HEADER
TLS_DECODER_EVENT_INVALID_TLS_HEADER
TLS_DECODER_EVENT_INVALID_RECORD_VERSION
TLS_DECODER_EVENT_INVALID_RECORD_TYPE
TLS_DECODER_EVENT_INVALID_RECORD_LENGTH
TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE
TLS_DECODER_EVENT_HEARTBEAT
TLS_DECODER_EVENT_INVALID_HEARTBEAT
TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH
TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH
TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS
TLS_DECODER_EVENT_INVALID_SNI_TYPE
TLS_DECODER_EVENT_INVALID_SNI_LENGTH
TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET
TLS_DECODER_EVENT_INVALID_ALERT
TLS_DECODER_EVENT_INVALID_CERTIFICATE
TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER
TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE
TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY
TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED
TLS_DECODER_EVENT_INVALID_SSL_RECORD

Definition at line 42 of file app-layer-ssl.h.

anonymous enum

anonymous enum

Enumerator
TLS_STATE_IN_PROGRESS
TLS_STATE_CERT_READY
TLS_HANDSHAKE_DONE
TLS_STATE_FINISHED

Definition at line 77 of file app-layer-ssl.h.

anonymous enum

anonymous enum

Enumerator
TLS_VERSION_UNKNOWN
SSL_VERSION_2
SSL_VERSION_3
TLS_VERSION_10
TLS_VERSION_11
TLS_VERSION_12
TLS_VERSION_13
TLS_VERSION_13_DRAFT28
TLS_VERSION_13_DRAFT27
TLS_VERSION_13_DRAFT26
TLS_VERSION_13_DRAFT25
TLS_VERSION_13_DRAFT24
TLS_VERSION_13_DRAFT23
TLS_VERSION_13_DRAFT22
TLS_VERSION_13_DRAFT21
TLS_VERSION_13_DRAFT20
TLS_VERSION_13_DRAFT19
TLS_VERSION_13_DRAFT18
TLS_VERSION_13_DRAFT17
TLS_VERSION_13_DRAFT16
TLS_VERSION_13_PRE_DRAFT16
TLS_VERSION_13_DRAFT20_FB
TLS_VERSION_13_DRAFT21_FB
TLS_VERSION_13_DRAFT22_FB
TLS_VERSION_13_DRAFT23_FB
TLS_VERSION_13_DRAFT26_FB

Definition at line 162 of file app-layer-ssl.h.

TlsFrameTypes

enum TlsFrameTypes

Enumerator
TLS_FRAME_PDU	whole PDU, so header + data
TLS_FRAME_HDR	only header portion
TLS_FRAME_DATA	only data portion
TLS_FRAME_ALERT_DATA
TLS_FRAME_HB_DATA
TLS_FRAME_SSLV2_HDR
TLS_FRAME_SSLV2_PDU

Definition at line 32 of file app-layer-ssl.h.

Function Documentation

RegisterSSLParsers()

void RegisterSSLParsers

(

void

)

Function to register the SSL protocol parser and other functions.

SSLv2 and SSLv23

Definition at line 3246 of file app-layer-ssl.c.

References ALPROTO_TLS, AppLayerProtoDetectConfProtoDetectionEnabled(), AppLayerProtoDetectRegisterProtocol(), SC_ATOMIC_INIT, and ssl_config.

Here is the call graph for this function:

SSLEnableJA3()

void SSLEnableJA3

(

void

)

if not explicitly disabled in config, enable ja3 support

Implemented using atomic to allow rule reloads to do this at runtime.

Definition at line 3379 of file app-layer-ssl.c.

References SslConfig_::disable_ja3, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

SSLEnableJA4()

void SSLEnableJA4

(

void

)

if not explicitly disabled in config, enable ja4 support

Implemented using atomic to allow rule reloads to do this at runtime.

Definition at line 3396 of file app-layer-ssl.c.

References SslConfig_::disable_ja4, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

SSLJA3IsEnabled()

bool SSLJA3IsEnabled

(

void

)

return whether ja3 is effectively enabled

This means that it either has been enabled explicitly or has been enabled by having loaded a rule while not being explicitly disabled.

Return values

true	if enabled, false otherwise

Definition at line 3415 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

SSLJA4IsEnabled()

bool SSLJA4IsEnabled

(

void

)

return whether ja4 is effectively enabled

This means that it either has been enabled explicitly or has been enabled by having loaded a rule while not being explicitly disabled.

Return values

true	if enabled, false otherwise

Definition at line 3428 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

SSLVersionToString()

void SSLVersionToString	(	uint16_t	,
		char *
	)

Definition at line 333 of file app-layer-ssl.c.

References SSL_VERSION_2, SSL_VERSION_3, strlcat(), TLS_VERSION_10, TLS_VERSION_11, TLS_VERSION_12, TLS_VERSION_13, TLS_VERSION_13_DRAFT16, TLS_VERSION_13_DRAFT17, TLS_VERSION_13_DRAFT18, TLS_VERSION_13_DRAFT19, TLS_VERSION_13_DRAFT20, TLS_VERSION_13_DRAFT20_FB, TLS_VERSION_13_DRAFT21, TLS_VERSION_13_DRAFT21_FB, TLS_VERSION_13_DRAFT22, TLS_VERSION_13_DRAFT22_FB, TLS_VERSION_13_DRAFT23, TLS_VERSION_13_DRAFT23_FB, TLS_VERSION_13_DRAFT24, TLS_VERSION_13_DRAFT25, TLS_VERSION_13_DRAFT26, TLS_VERSION_13_DRAFT26_FB, TLS_VERSION_13_DRAFT27, TLS_VERSION_13_DRAFT28, TLS_VERSION_13_PRE_DRAFT16, TLS_VERSION_UNKNOWN, and version.

Here is the call graph for this function: