app-layer-ssl.h File Reference
#include "app-layer-protos.h"
#include "app-layer-parser.h"
#include "decode-events.h"
#include "util-ja3.h"
#include "queue.h"


Data Structures

struct  SSLCertsChain_
 
struct  SSLStateConnp_
 
struct  SSLState_
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Macros

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)
 
#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)
 
#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)
 
#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)
 
#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)
 
#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)
 
#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)
 
#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)
 
#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)
 
#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)
 
#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)
 
#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)
 
#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)
 
#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)
 
#define SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)
 
#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)
 
#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)
 
#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)
 
#define SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)
 
#define SSL_AL_FLAG_SSL_CLIENT_SESSION_ID   BIT_U32(19)
 
#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)
 
#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)
 
#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)
 
#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)
 
#define SSL_TLS_LOG_PEM   (1 << 0)
 
#define SSL_EXTENSION_SNI   0x0000
 
#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a
 
#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b
 
#define SSL_EXTENSION_SESSION_TICKET   0x0023
 
#define SSL_EXTENSION_EARLY_DATA   0x002a
 
#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b
 
#define SSL_SNI_TYPE_HOST_NAME   0
 
#define SSL_VERSION_MAX_STRLEN   20
 

Typedefs

typedef struct SSLCertsChain_ SSLCertsChain
 
typedef struct SSLStateConnp_ SSLStateConnp
 
typedef struct SSLState_ SSLState
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Enumerations

enum  {
  TLS_DECODER_EVENT_INVALID_SSLV2_HEADER, TLS_DECODER_EVENT_INVALID_TLS_HEADER, TLS_DECODER_EVENT_INVALID_RECORD_VERSION, TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
  TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE, TLS_DECODER_EVENT_HEARTBEAT, TLS_DECODER_EVENT_INVALID_HEARTBEAT, TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT,
  TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH, TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH, TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS, TLS_DECODER_EVENT_INVALID_SNI_TYPE,
  TLS_DECODER_EVENT_INVALID_SNI_LENGTH, TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET, TLS_DECODER_EVENT_INVALID_CERTIFICATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL, TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS, TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY, TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED, TLS_DECODER_EVENT_INVALID_SSL_RECORD
}
 
enum  { TLS_STATE_IN_PROGRESS = 0, TLS_STATE_CERT_READY = 1, TLS_HANDSHAKE_DONE = 2, TLS_STATE_FINISHED = 3 }
 
enum  {
  TLS_VERSION_UNKNOWN = 0x0000, SSL_VERSION_2 = 0x0200, SSL_VERSION_3 = 0x0300, TLS_VERSION_10 = 0x0301,
  TLS_VERSION_11 = 0x0302, TLS_VERSION_12 = 0x0303, TLS_VERSION_13 = 0x0304, TLS_VERSION_13_DRAFT28 = 0x7f1c,
  TLS_VERSION_13_DRAFT27 = 0x7f1b, TLS_VERSION_13_DRAFT26 = 0x7f1a, TLS_VERSION_13_DRAFT25 = 0x7f19, TLS_VERSION_13_DRAFT24 = 0x7f18,
  TLS_VERSION_13_DRAFT23 = 0x7f17, TLS_VERSION_13_DRAFT22 = 0x7f16, TLS_VERSION_13_DRAFT21 = 0x7f15, TLS_VERSION_13_DRAFT20 = 0x7f14,
  TLS_VERSION_13_DRAFT19 = 0x7f13, TLS_VERSION_13_DRAFT18 = 0x7f12, TLS_VERSION_13_DRAFT17 = 0x7f11, TLS_VERSION_13_DRAFT16 = 0x7f10,
  TLS_VERSION_13_PRE_DRAFT16 = 0x7f01, TLS_VERSION_13_DRAFT20_FB = 0xfb14, TLS_VERSION_13_DRAFT21_FB = 0xfb15, TLS_VERSION_13_DRAFT22_FB = 0xfb16,
  TLS_VERSION_13_DRAFT23_FB = 0xfb17, TLS_VERSION_13_DRAFT26_FB = 0xfb1a
}
 

Functions

void RegisterSSLParsers (void)
 Function to register the SSL protocol parser and other functions. More...
 
void SSLParserRegisterTests (void)
 
void SSLSetEvent (SSLState *ssl_state, uint8_t event)
 
void SSLVersionToString (uint16_t, char *)
 
void SSLEnableJA3 (void)
 If not explicitly disabled in the config, enable JA3 support. More...
 
bool SSLJA3IsEnabled (void)
 

Detailed Description

Macro Definition Documentation

◆ SSL_AL_FLAG_CH_VERSION_EXTENSION

#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)

Definition at line 115 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)

Definition at line 80 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)

Definition at line 79 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_EARLY_DATA

#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)

Definition at line 123 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HANDSHAKE_DONE

#define SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)

Definition at line 106 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_CLIENT_INIT

#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)

Definition at line 102 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_INFLIGHT

#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)

Definition at line 101 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_SERVER_INIT

#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)

Definition at line 103 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_LOG_WITHOUT_CERT

#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)

Definition at line 119 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)

Definition at line 77 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SESSION_RESUMED

#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)

Definition at line 112 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_HS

#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)

Definition at line 83 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY

#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)

Definition at line 85 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_SESSION_ID

#define SSL_AL_FLAG_SSL_CLIENT_SESSION_ID   BIT_U32(19)

Definition at line 110 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)

Definition at line 86 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_NO_SESSION_ID

#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)

Definition at line 88 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_HS

#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)

Definition at line 84 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)

Definition at line 87 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_HELLO

#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)

Definition at line 91 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_KEYX

#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)

Definition at line 93 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_FINISHED

#define SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)

Definition at line 98 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_HELLO

#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)

Definition at line 92 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_KEYX

#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)

Definition at line 94 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_UNKNOWN

#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)

Definition at line 95 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EARLY_DATA

#define SSL_EXTENSION_EARLY_DATA   0x002a

Definition at line 133 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EC_POINT_FORMATS

#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b

Definition at line 131 of file app-layer-ssl.h.

◆ SSL_EXTENSION_ELLIPTIC_CURVES

#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a

Definition at line 130 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SESSION_TICKET

#define SSL_EXTENSION_SESSION_TICKET   0x0023

Definition at line 132 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SNI

#define SSL_EXTENSION_SNI   0x0000

Definition at line 129 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SUPPORTED_VERSIONS

#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b

Definition at line 134 of file app-layer-ssl.h.

◆ SSL_SNI_TYPE_HOST_NAME

#define SSL_SNI_TYPE_HOST_NAME   0

Definition at line 137 of file app-layer-ssl.h.

◆ SSL_TLS_LOG_PEM

#define SSL_TLS_LOG_PEM   (1 << 0)

Definition at line 126 of file app-layer-ssl.h.

◆ SSL_VERSION_MAX_STRLEN

#define SSL_VERSION_MAX_STRLEN   20

Definition at line 140 of file app-layer-ssl.h.

Typedef Documentation

◆ SSLCertsChain

typedef struct SSLCertsChain_ SSLCertsChain

◆ SSLState

typedef struct SSLState_ SSLState

SSLv[2.0|3.[0|1|2|3]] state structure.

   Structure to store the SSL state values.

◆ SSLStateConnp

typedef struct SSLStateConnp_ SSLStateConnp

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
TLS_DECODER_EVENT_INVALID_SSLV2_HEADER 
TLS_DECODER_EVENT_INVALID_TLS_HEADER 
TLS_DECODER_EVENT_INVALID_RECORD_VERSION 
TLS_DECODER_EVENT_INVALID_RECORD_TYPE 
TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE 
TLS_DECODER_EVENT_HEARTBEAT 
TLS_DECODER_EVENT_INVALID_HEARTBEAT 
TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT 
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH 
TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH 
TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS 
TLS_DECODER_EVENT_INVALID_SNI_TYPE 
TLS_DECODER_EVENT_INVALID_SNI_LENGTH 
TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET 
TLS_DECODER_EVENT_INVALID_CERTIFICATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY 
TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED 
TLS_DECODER_EVENT_INVALID_SSL_RECORD 

Definition at line 35 of file app-layer-ssl.h.

◆ anonymous enum

anonymous enum
Enumerator
TLS_STATE_IN_PROGRESS 
TLS_STATE_CERT_READY 
TLS_HANDSHAKE_DONE 
TLS_STATE_FINISHED 

Definition at line 68 of file app-layer-ssl.h.

◆ anonymous enum

anonymous enum
Enumerator
TLS_VERSION_UNKNOWN 
SSL_VERSION_2 
SSL_VERSION_3 
TLS_VERSION_10 
TLS_VERSION_11 
TLS_VERSION_12 
TLS_VERSION_13 
TLS_VERSION_13_DRAFT28 
TLS_VERSION_13_DRAFT27 
TLS_VERSION_13_DRAFT26 
TLS_VERSION_13_DRAFT25 
TLS_VERSION_13_DRAFT24 
TLS_VERSION_13_DRAFT23 
TLS_VERSION_13_DRAFT22 
TLS_VERSION_13_DRAFT21 
TLS_VERSION_13_DRAFT20 
TLS_VERSION_13_DRAFT19 
TLS_VERSION_13_DRAFT18 
TLS_VERSION_13_DRAFT17 
TLS_VERSION_13_DRAFT16 
TLS_VERSION_13_PRE_DRAFT16 
TLS_VERSION_13_DRAFT20_FB 
TLS_VERSION_13_DRAFT21_FB 
TLS_VERSION_13_DRAFT22_FB 
TLS_VERSION_13_DRAFT23_FB 
TLS_VERSION_13_DRAFT26_FB 

Definition at line 143 of file app-layer-ssl.h.

Function Documentation

◆ RegisterSSLParsers()

void RegisterSSLParsers ( void  )

Function to register the SSL protocol parser and other functions.

SSLv2 and SSLv23

Definition at line 2917 of file app-layer-ssl.c.

References ALPROTO_TLS, AppLayerProtoDetectConfProtoDetectionEnabled(), AppLayerProtoDetectRegisterProtocol(), SC_ATOMIC_INIT, and ssl_config.

Referenced by AppLayerParserRegisterProtocolParsers().


◆ SSLEnableJA3()

void SSLEnableJA3 ( void  )

If not explicitly disabled in the config, enable JA3 support.

Implemented using an atomic so that rule reloads can enable it at runtime.

Definition at line 3059 of file app-layer-ssl.c.

References SslConfig_::disable_ja3, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLJA3IsEnabled()

bool SSLJA3IsEnabled ( void  )

Definition at line 3072 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

Referenced by Ja3IsDisabled().


◆ SSLParserRegisterTests()

void SSLParserRegisterTests ( void  )

Definition at line 5495 of file app-layer-ssl.c.

References UtRegisterTest().


◆ SSLSetEvent()

void SSLSetEvent ( SSLState * ssl_state,
uint8_t  event 
)

Definition at line 236 of file app-layer-ssl.c.

References AppLayerDecoderEventsSetEventRaw(), SSLState_::decoder_events, SSLState_::events, and SCLogDebug.


◆ SSLVersionToString()