app-layer-ssl.h File Reference
#include "util-ja3.h"
#include "rust.h"

Data Structures

struct  SSLCertsChain_
 
struct  SSLAlpns_
 
struct  SSLStateConnp_
 
struct  SSLState_
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Macros

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)
 
#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)
 
#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)
 
#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)
 
#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)
 
#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)
 
#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)
 
#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)
 
#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)
 
#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)
 
#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)
 
#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)
 
#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)
 
#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)
 
#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)
 
#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)
 
#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)
 
#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)
 
#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)
 
#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)
 
#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)
 
#define TLS_TS_RANDOM_SET   BIT_U32(24)
 
#define TLS_TC_RANDOM_SET   BIT_U32(25)
 
#define SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)
 
#define SSL_TLS_LOG_PEM   (1 << 0)
 
#define SSL_EXTENSION_SNI   0x0000
 
#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a
 
#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b
 
#define SSL_EXTENSION_SIGNATURE_ALGORITHMS   0x000d
 
#define SSL_EXTENSION_ALPN   0x0010
 
#define SSL_EXTENSION_SESSION_TICKET   0x0023
 
#define SSL_EXTENSION_EARLY_DATA   0x002a
 
#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b
 
#define SSL_SNI_TYPE_HOST_NAME   0
 
#define SSL_VERSION_MAX_STRLEN   20
 
#define TLS_RANDOM_LEN   32
 

Typedefs

typedef struct SSLCertsChain_ SSLCertsChain
 
typedef struct SSLAlpns_ SSLAlpns
 
typedef struct SSLStateConnp_ SSLStateConnp
 
typedef struct SSLState_ SSLState
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Enumerations

enum  TlsFrameTypes {
  TLS_FRAME_PDU = 0, TLS_FRAME_HDR, TLS_FRAME_DATA, TLS_FRAME_ALERT_DATA,
  TLS_FRAME_HB_DATA, TLS_FRAME_SSLV2_HDR, TLS_FRAME_SSLV2_PDU
}
 
enum  {
  TLS_DECODER_EVENT_INVALID_SSLV2_HEADER, TLS_DECODER_EVENT_INVALID_TLS_HEADER, TLS_DECODER_EVENT_INVALID_RECORD_VERSION, TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
  TLS_DECODER_EVENT_INVALID_RECORD_LENGTH, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE, TLS_DECODER_EVENT_HEARTBEAT, TLS_DECODER_EVENT_INVALID_HEARTBEAT,
  TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT, TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH, TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH, TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
  TLS_DECODER_EVENT_INVALID_SNI_TYPE, TLS_DECODER_EVENT_INVALID_SNI_LENGTH, TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET, TLS_DECODER_EVENT_INVALID_ALERT,
  TLS_DECODER_EVENT_INVALID_CERTIFICATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME, TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT, TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY,
  TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED, TLS_DECODER_EVENT_INVALID_SSL_RECORD
}
 
enum  TlsStateClient {
  TLS_STATE_CLIENT_IN_PROGRESS = 0, TLS_STATE_CLIENT_HELLO_DONE, TLS_STATE_CLIENT_CERT_DONE, TLS_STATE_CLIENT_HANDSHAKE_DONE,
  TLS_STATE_CLIENT_FINISHED
}
 
enum  TlsStateServer {
  TLS_STATE_SERVER_IN_PROGRESS = 0, TLS_STATE_SERVER_HELLO, TLS_STATE_SERVER_CERT_DONE, TLS_STATE_SERVER_HELLO_DONE,
  TLS_STATE_SERVER_HANDSHAKE_DONE, TLS_STATE_SERVER_FINISHED
}
 
enum  {
  TLS_VERSION_UNKNOWN = 0x0000, SSL_VERSION_2 = 0x0200, SSL_VERSION_3 = 0x0300, TLS_VERSION_10 = 0x0301,
  TLS_VERSION_11 = 0x0302, TLS_VERSION_12 = 0x0303, TLS_VERSION_13 = 0x0304, TLS_VERSION_13_DRAFT28 = 0x7f1c,
  TLS_VERSION_13_DRAFT27 = 0x7f1b, TLS_VERSION_13_DRAFT26 = 0x7f1a, TLS_VERSION_13_DRAFT25 = 0x7f19, TLS_VERSION_13_DRAFT24 = 0x7f18,
  TLS_VERSION_13_DRAFT23 = 0x7f17, TLS_VERSION_13_DRAFT22 = 0x7f16, TLS_VERSION_13_DRAFT21 = 0x7f15, TLS_VERSION_13_DRAFT20 = 0x7f14,
  TLS_VERSION_13_DRAFT19 = 0x7f13, TLS_VERSION_13_DRAFT18 = 0x7f12, TLS_VERSION_13_DRAFT17 = 0x7f11, TLS_VERSION_13_DRAFT16 = 0x7f10,
  TLS_VERSION_13_PRE_DRAFT16 = 0x7f01, TLS_VERSION_13_DRAFT20_FB = 0xfb14, TLS_VERSION_13_DRAFT21_FB = 0xfb15, TLS_VERSION_13_DRAFT22_FB = 0xfb16,
  TLS_VERSION_13_DRAFT23_FB = 0xfb17, TLS_VERSION_13_DRAFT26_FB = 0xfb1a
}
 

Functions

void RegisterSSLParsers (void)
 Function to register the SSL protocol parser and other functions. More...
 
void SSLVersionToString (uint16_t, char *)
 
void SSLEnableJA3 (void)
 if not explicitly disabled in config, enable ja3 support More...
 
bool SSLJA3IsEnabled (void)
 return whether ja3 is effectively enabled More...
 
void SSLEnableJA4 (void)
 if not explicitly disabled in config, enable ja4 support More...
 
bool SSLJA4IsEnabled (void)
 return whether ja4 is effectively enabled More...
 

Detailed Description

Macro Definition Documentation

◆ SSL_AL_FLAG_CH_VERSION_EXTENSION

#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)

Definition at line 125 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)

Definition at line 99 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)

Definition at line 98 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_EARLY_DATA

#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)

Definition at line 133 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_CLIENT_INIT

#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)

Definition at line 118 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_INFLIGHT

#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)

Definition at line 117 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_SERVER_INIT

#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)

Definition at line 119 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_LOG_WITHOUT_CERT

#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)

Definition at line 129 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_NEED_CLIENT_CERT

#define SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)

Definition at line 141 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)

Definition at line 96 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SESSION_RESUMED

#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)

Definition at line 122 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_HS

#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)

Definition at line 102 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY

#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)

Definition at line 104 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)

Definition at line 105 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_NO_SESSION_ID

#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)

Definition at line 107 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_HS

#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)

Definition at line 103 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)

Definition at line 106 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_HELLO

#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)

Definition at line 110 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_KEYX

#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)

Definition at line 112 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_HELLO

#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)

Definition at line 111 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_KEYX

#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)

Definition at line 113 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_UNKNOWN

#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)

Definition at line 114 of file app-layer-ssl.h.

◆ SSL_EXTENSION_ALPN

#define SSL_EXTENSION_ALPN   0x0010

Definition at line 151 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EARLY_DATA

#define SSL_EXTENSION_EARLY_DATA   0x002a

Definition at line 153 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EC_POINT_FORMATS

#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b

Definition at line 149 of file app-layer-ssl.h.

◆ SSL_EXTENSION_ELLIPTIC_CURVES

#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a

Definition at line 148 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SESSION_TICKET

#define SSL_EXTENSION_SESSION_TICKET   0x0023

Definition at line 152 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SIGNATURE_ALGORITHMS

#define SSL_EXTENSION_SIGNATURE_ALGORITHMS   0x000d

Definition at line 150 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SNI

#define SSL_EXTENSION_SNI   0x0000

Definition at line 147 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SUPPORTED_VERSIONS

#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b

Definition at line 154 of file app-layer-ssl.h.

◆ SSL_SNI_TYPE_HOST_NAME

#define SSL_SNI_TYPE_HOST_NAME   0

Definition at line 157 of file app-layer-ssl.h.

◆ SSL_TLS_LOG_PEM

#define SSL_TLS_LOG_PEM   (1 << 0)

Definition at line 144 of file app-layer-ssl.h.

◆ SSL_VERSION_MAX_STRLEN

#define SSL_VERSION_MAX_STRLEN   20

Definition at line 160 of file app-layer-ssl.h.

◆ TLS_RANDOM_LEN

#define TLS_RANDOM_LEN   32

Definition at line 163 of file app-layer-ssl.h.

◆ TLS_TC_RANDOM_SET

#define TLS_TC_RANDOM_SET   BIT_U32(25)

Definition at line 139 of file app-layer-ssl.h.

◆ TLS_TS_RANDOM_SET

#define TLS_TS_RANDOM_SET   BIT_U32(24)

Definition at line 136 of file app-layer-ssl.h.

Typedef Documentation

◆ SSLAlpns

typedef struct SSLAlpns_ SSLAlpns

◆ SSLCertsChain

typedef struct SSLCertsChain_ SSLCertsChain

◆ SSLState

typedef struct SSLState_ SSLState

SSLv[2.0|3.[0|1|2|3]] state structure.

   Structure to store the SSL state values.

◆ SSLStateConnp

typedef struct SSLStateConnp_ SSLStateConnp

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
TLS_DECODER_EVENT_INVALID_SSLV2_HEADER 
TLS_DECODER_EVENT_INVALID_TLS_HEADER 
TLS_DECODER_EVENT_INVALID_RECORD_VERSION 
TLS_DECODER_EVENT_INVALID_RECORD_TYPE 
TLS_DECODER_EVENT_INVALID_RECORD_LENGTH 
TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE 
TLS_DECODER_EVENT_HEARTBEAT 
TLS_DECODER_EVENT_INVALID_HEARTBEAT 
TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT 
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH 
TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH 
TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS 
TLS_DECODER_EVENT_INVALID_SNI_TYPE 
TLS_DECODER_EVENT_INVALID_SNI_LENGTH 
TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET 
TLS_DECODER_EVENT_INVALID_ALERT 
TLS_DECODER_EVENT_INVALID_CERTIFICATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY 
TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED 
TLS_DECODER_EVENT_INVALID_SSL_RECORD 

Definition at line 42 of file app-layer-ssl.h.

◆ anonymous enum

anonymous enum
Enumerator
TLS_VERSION_UNKNOWN 
SSL_VERSION_2 
SSL_VERSION_3 
TLS_VERSION_10 
TLS_VERSION_11 
TLS_VERSION_12 
TLS_VERSION_13 
TLS_VERSION_13_DRAFT28 
TLS_VERSION_13_DRAFT27 
TLS_VERSION_13_DRAFT26 
TLS_VERSION_13_DRAFT25 
TLS_VERSION_13_DRAFT24 
TLS_VERSION_13_DRAFT23 
TLS_VERSION_13_DRAFT22 
TLS_VERSION_13_DRAFT21 
TLS_VERSION_13_DRAFT20 
TLS_VERSION_13_DRAFT19 
TLS_VERSION_13_DRAFT18 
TLS_VERSION_13_DRAFT17 
TLS_VERSION_13_DRAFT16 
TLS_VERSION_13_PRE_DRAFT16 
TLS_VERSION_13_DRAFT20_FB 
TLS_VERSION_13_DRAFT21_FB 
TLS_VERSION_13_DRAFT22_FB 
TLS_VERSION_13_DRAFT23_FB 
TLS_VERSION_13_DRAFT26_FB 

Definition at line 166 of file app-layer-ssl.h.

◆ TlsFrameTypes

Enumerator
TLS_FRAME_PDU 

whole PDU, so header + data

TLS_FRAME_HDR 

only header portion

TLS_FRAME_DATA 

only data portion

TLS_FRAME_ALERT_DATA 
TLS_FRAME_HB_DATA 
TLS_FRAME_SSLV2_HDR 
TLS_FRAME_SSLV2_PDU 

Definition at line 32 of file app-layer-ssl.h.

◆ TlsStateClient

Enumerator
TLS_STATE_CLIENT_IN_PROGRESS 
TLS_STATE_CLIENT_HELLO_DONE 
TLS_STATE_CLIENT_CERT_DONE 
TLS_STATE_CLIENT_HANDSHAKE_DONE 
TLS_STATE_CLIENT_FINISHED 

Definition at line 77 of file app-layer-ssl.h.

◆ TlsStateServer

Enumerator
TLS_STATE_SERVER_IN_PROGRESS 
TLS_STATE_SERVER_HELLO 
TLS_STATE_SERVER_CERT_DONE 
TLS_STATE_SERVER_HELLO_DONE 
TLS_STATE_SERVER_HANDSHAKE_DONE 
TLS_STATE_SERVER_FINISHED 

Definition at line 85 of file app-layer-ssl.h.

Function Documentation

◆ RegisterSSLParsers()

void RegisterSSLParsers ( void  )

Function to register the SSL protocol parser and other functions.

SSLv2 and SSLv23

Definition at line 3349 of file app-layer-ssl.c.

References ALPROTO_TLS, AppLayerProtoDetectConfProtoDetectionEnabled(), AppLayerProtoDetectRegisterProtocol(), SC_ATOMIC_INIT, and ssl_config.


◆ SSLEnableJA3()

void SSLEnableJA3 ( void  )

If not explicitly disabled in the configuration, enable JA3 support.

Implemented using an atomic so that rule reloads can do this at runtime.

Definition at line 3489 of file app-layer-ssl.c.

References SslConfig_::disable_ja3, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLEnableJA4()

void SSLEnableJA4 ( void  )

If not explicitly disabled in the configuration, enable JA4 support.

Implemented using an atomic so that rule reloads can do this at runtime.

Definition at line 3506 of file app-layer-ssl.c.

References SslConfig_::disable_ja4, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLJA3IsEnabled()

bool SSLJA3IsEnabled ( void  )

Return whether JA3 is effectively enabled.

This means that it has either been enabled explicitly, or has been enabled implicitly by loading a rule while not being explicitly disabled.

Return values
true if enabled, false otherwise

Definition at line 3525 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

◆ SSLJA4IsEnabled()

bool SSLJA4IsEnabled ( void  )

Return whether JA4 is effectively enabled.

This means that it has either been enabled explicitly, or has been enabled implicitly by loading a rule while not being explicitly disabled.

Return values
true if enabled, false otherwise

Definition at line 3538 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

◆ SSLVersionToString()