suricata
app-layer-ssl.h File Reference
#include "util-ja3.h"
#include "rust.h"
Include dependency graph for app-layer-ssl.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  SSLCertsChain_
 
struct  SSLAlpns_
 
struct  SSLStateConnp_
 
struct  SSLState_
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Macros

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)
 
#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)
 
#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)
 
#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)
 
#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)
 
#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)
 
#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)
 
#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)
 
#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)
 
#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)
 
#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)
 
#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)
 
#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)
 
#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)
 
#define SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)
 
#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)
 
#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)
 
#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)
 
#define SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)
 
#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)
 
#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)
 
#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)
 
#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)
 
#define TLS_TS_RANDOM_SET   BIT_U32(24)
 
#define TLS_TC_RANDOM_SET   BIT_U32(25)
 
#define SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)
 
#define SSL_TLS_LOG_PEM   (1 << 0)
 
#define SSL_EXTENSION_SNI   0x0000
 
#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a
 
#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b
 
#define SSL_EXTENSION_SIGNATURE_ALGORITHMS   0x000d
 
#define SSL_EXTENSION_ALPN   0x0010
 
#define SSL_EXTENSION_SESSION_TICKET   0x0023
 
#define SSL_EXTENSION_EARLY_DATA   0x002a
 
#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b
 
#define SSL_SNI_TYPE_HOST_NAME   0
 
#define SSL_VERSION_MAX_STRLEN   20
 
#define TLS_RANDOM_LEN   32
 

Typedefs

typedef struct SSLCertsChain_ SSLCertsChain
 
typedef struct SSLAlpns_ SSLAlpns
 
typedef struct SSLStateConnp_ SSLStateConnp
 
typedef struct SSLState_ SSLState
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Enumerations

enum  TlsFrameTypes {
  TLS_FRAME_PDU = 0, TLS_FRAME_HDR, TLS_FRAME_DATA, TLS_FRAME_ALERT_DATA,
  TLS_FRAME_HB_DATA, TLS_FRAME_SSLV2_HDR, TLS_FRAME_SSLV2_PDU
}
 
enum  {
  TLS_DECODER_EVENT_INVALID_SSLV2_HEADER, TLS_DECODER_EVENT_INVALID_TLS_HEADER, TLS_DECODER_EVENT_INVALID_RECORD_VERSION, TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
  TLS_DECODER_EVENT_INVALID_RECORD_LENGTH, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE, TLS_DECODER_EVENT_HEARTBEAT, TLS_DECODER_EVENT_INVALID_HEARTBEAT,
  TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT, TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH, TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH, TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
  TLS_DECODER_EVENT_INVALID_SNI_TYPE, TLS_DECODER_EVENT_INVALID_SNI_LENGTH, TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET, TLS_DECODER_EVENT_INVALID_CERTIFICATE,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL, TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME, TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS, TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT, TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY, TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED,
  TLS_DECODER_EVENT_INVALID_SSL_RECORD
}
 
enum  { TLS_STATE_IN_PROGRESS = 0, TLS_STATE_CERT_READY = 1, TLS_HANDSHAKE_DONE = 2, TLS_STATE_FINISHED = 3 }
 
enum  {
  TLS_VERSION_UNKNOWN = 0x0000, SSL_VERSION_2 = 0x0200, SSL_VERSION_3 = 0x0300, TLS_VERSION_10 = 0x0301,
  TLS_VERSION_11 = 0x0302, TLS_VERSION_12 = 0x0303, TLS_VERSION_13 = 0x0304, TLS_VERSION_13_DRAFT28 = 0x7f1c,
  TLS_VERSION_13_DRAFT27 = 0x7f1b, TLS_VERSION_13_DRAFT26 = 0x7f1a, TLS_VERSION_13_DRAFT25 = 0x7f19, TLS_VERSION_13_DRAFT24 = 0x7f18,
  TLS_VERSION_13_DRAFT23 = 0x7f17, TLS_VERSION_13_DRAFT22 = 0x7f16, TLS_VERSION_13_DRAFT21 = 0x7f15, TLS_VERSION_13_DRAFT20 = 0x7f14,
  TLS_VERSION_13_DRAFT19 = 0x7f13, TLS_VERSION_13_DRAFT18 = 0x7f12, TLS_VERSION_13_DRAFT17 = 0x7f11, TLS_VERSION_13_DRAFT16 = 0x7f10,
  TLS_VERSION_13_PRE_DRAFT16 = 0x7f01, TLS_VERSION_13_DRAFT20_FB = 0xfb14, TLS_VERSION_13_DRAFT21_FB = 0xfb15, TLS_VERSION_13_DRAFT22_FB = 0xfb16,
  TLS_VERSION_13_DRAFT23_FB = 0xfb17, TLS_VERSION_13_DRAFT26_FB = 0xfb1a
}
 

Functions

void RegisterSSLParsers (void)
 Function to register the SSL protocol parser and other functions. More...
 
void SSLVersionToString (uint16_t, char *)
 
void SSLEnableJA3 (void)
 if not explicitly disabled in config, enable ja3 support More...
 
bool SSLJA3IsEnabled (void)
 return whether ja3 is effectively enabled More...
 
void SSLEnableJA4 (void)
 if not explicitly disabled in config, enable ja4 support More...
 
bool SSLJA4IsEnabled (void)
 return whether ja4 is effectively enabled More...
 

Detailed Description

Macro Definition Documentation

◆ SSL_AL_FLAG_CH_VERSION_EXTENSION

#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)

Definition at line 120 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)

Definition at line 88 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)

Definition at line 87 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_EARLY_DATA

#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)

Definition at line 128 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HANDSHAKE_DONE

#define SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)

Definition at line 114 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_CLIENT_INIT

#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)

Definition at line 110 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_INFLIGHT

#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)

Definition at line 109 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_SERVER_INIT

#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)

Definition at line 111 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_LOG_WITHOUT_CERT

#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)

Definition at line 124 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_NEED_CLIENT_CERT

#define SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)

Definition at line 136 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)

Definition at line 85 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SESSION_RESUMED

#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)

Definition at line 117 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_HS

#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)

Definition at line 91 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY

#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)

Definition at line 93 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)

Definition at line 94 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_NO_SESSION_ID

#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)

Definition at line 96 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_HS

#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)

Definition at line 92 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)

Definition at line 95 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_HELLO

#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)

Definition at line 99 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_KEYX

#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)

Definition at line 101 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_FINISHED

#define SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)

Definition at line 106 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_HELLO

#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)

Definition at line 100 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_KEYX

#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)

Definition at line 102 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_UNKNOWN

#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)

Definition at line 103 of file app-layer-ssl.h.

◆ SSL_EXTENSION_ALPN

#define SSL_EXTENSION_ALPN   0x0010

Definition at line 146 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EARLY_DATA

#define SSL_EXTENSION_EARLY_DATA   0x002a

Definition at line 148 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EC_POINT_FORMATS

#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b

Definition at line 144 of file app-layer-ssl.h.

◆ SSL_EXTENSION_ELLIPTIC_CURVES

#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a

Definition at line 143 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SESSION_TICKET

#define SSL_EXTENSION_SESSION_TICKET   0x0023

Definition at line 147 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SIGNATURE_ALGORITHMS

#define SSL_EXTENSION_SIGNATURE_ALGORITHMS   0x000d

Definition at line 145 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SNI

#define SSL_EXTENSION_SNI   0x0000

Definition at line 142 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SUPPORTED_VERSIONS

#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b

Definition at line 149 of file app-layer-ssl.h.

◆ SSL_SNI_TYPE_HOST_NAME

#define SSL_SNI_TYPE_HOST_NAME   0

Definition at line 152 of file app-layer-ssl.h.

◆ SSL_TLS_LOG_PEM

#define SSL_TLS_LOG_PEM   (1 << 0)

Definition at line 139 of file app-layer-ssl.h.

◆ SSL_VERSION_MAX_STRLEN

#define SSL_VERSION_MAX_STRLEN   20

Definition at line 155 of file app-layer-ssl.h.

◆ TLS_RANDOM_LEN

#define TLS_RANDOM_LEN   32

Definition at line 158 of file app-layer-ssl.h.

◆ TLS_TC_RANDOM_SET

#define TLS_TC_RANDOM_SET   BIT_U32(25)

Definition at line 134 of file app-layer-ssl.h.

◆ TLS_TS_RANDOM_SET

#define TLS_TS_RANDOM_SET   BIT_U32(24)

Definition at line 131 of file app-layer-ssl.h.

Typedef Documentation

◆ SSLAlpns

typedef struct SSLAlpns_ SSLAlpns

◆ SSLCertsChain

typedef struct SSLCertsChain_ SSLCertsChain

◆ SSLState

typedef struct SSLState_ SSLState

SSLv[2.0|3.[0|1|2|3]] state structure.

   Structure to store the SSL state values.

◆ SSLStateConnp

typedef struct SSLStateConnp_ SSLStateConnp

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
TLS_DECODER_EVENT_INVALID_SSLV2_HEADER 
TLS_DECODER_EVENT_INVALID_TLS_HEADER 
TLS_DECODER_EVENT_INVALID_RECORD_VERSION 
TLS_DECODER_EVENT_INVALID_RECORD_TYPE 
TLS_DECODER_EVENT_INVALID_RECORD_LENGTH 
TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE 
TLS_DECODER_EVENT_HEARTBEAT 
TLS_DECODER_EVENT_INVALID_HEARTBEAT 
TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT 
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH 
TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH 
TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS 
TLS_DECODER_EVENT_INVALID_SNI_TYPE 
TLS_DECODER_EVENT_INVALID_SNI_LENGTH 
TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET 
TLS_DECODER_EVENT_INVALID_CERTIFICATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY 
TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED 
TLS_DECODER_EVENT_INVALID_SSL_RECORD 

Definition at line 42 of file app-layer-ssl.h.

◆ anonymous enum

anonymous enum
Enumerator
TLS_STATE_IN_PROGRESS 
TLS_STATE_CERT_READY 
TLS_HANDSHAKE_DONE 
TLS_STATE_FINISHED 

Definition at line 76 of file app-layer-ssl.h.

◆ anonymous enum

anonymous enum
Enumerator
TLS_VERSION_UNKNOWN 
SSL_VERSION_2 
SSL_VERSION_3 
TLS_VERSION_10 
TLS_VERSION_11 
TLS_VERSION_12 
TLS_VERSION_13 
TLS_VERSION_13_DRAFT28 
TLS_VERSION_13_DRAFT27 
TLS_VERSION_13_DRAFT26 
TLS_VERSION_13_DRAFT25 
TLS_VERSION_13_DRAFT24 
TLS_VERSION_13_DRAFT23 
TLS_VERSION_13_DRAFT22 
TLS_VERSION_13_DRAFT21 
TLS_VERSION_13_DRAFT20 
TLS_VERSION_13_DRAFT19 
TLS_VERSION_13_DRAFT18 
TLS_VERSION_13_DRAFT17 
TLS_VERSION_13_DRAFT16 
TLS_VERSION_13_PRE_DRAFT16 
TLS_VERSION_13_DRAFT20_FB 
TLS_VERSION_13_DRAFT21_FB 
TLS_VERSION_13_DRAFT22_FB 
TLS_VERSION_13_DRAFT23_FB 
TLS_VERSION_13_DRAFT26_FB 

Definition at line 161 of file app-layer-ssl.h.

◆ TlsFrameTypes

Enumerator
TLS_FRAME_PDU 

whole PDU, so header + data

TLS_FRAME_HDR 

only header portion

TLS_FRAME_DATA 

only data portion

TLS_FRAME_ALERT_DATA 
TLS_FRAME_HB_DATA 
TLS_FRAME_SSLV2_HDR 
TLS_FRAME_SSLV2_PDU 

Definition at line 32 of file app-layer-ssl.h.

Function Documentation

◆ RegisterSSLParsers()

void RegisterSSLParsers ( void  )

Function to register the SSL protocol parser and other functions.

SSLv2 and SSLv23

Definition at line 3209 of file app-layer-ssl.c.

References ALPROTO_TLS, AppLayerProtoDetectConfProtoDetectionEnabled(), AppLayerProtoDetectRegisterProtocol(), SC_ATOMIC_INIT, and ssl_config.

Here is the call graph for this function:

◆ SSLEnableJA3()

void SSLEnableJA3 ( void  )

if not explicitly disabled in config, enable ja3 support

Implemented using atomic to allow rule reloads to do this at runtime.

Definition at line 3342 of file app-layer-ssl.c.

References SslConfig_::disable_ja3, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLEnableJA4()

void SSLEnableJA4 ( void  )

if not explicitly disabled in config, enable ja4 support

Implemented using atomic to allow rule reloads to do this at runtime.

Definition at line 3359 of file app-layer-ssl.c.

References SslConfig_::disable_ja4, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLJA3IsEnabled()

bool SSLJA3IsEnabled ( void  )

return whether ja3 is effectively enabled

This means that it either has been enabled explicitly or has been enabled by having loaded a rule while not being explicitly disabled.

Return values
trueif enabled, false otherwise

Definition at line 3378 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

◆ SSLJA4IsEnabled()

bool SSLJA4IsEnabled ( void  )

return whether ja4 is effectively enabled

This means that it either has been enabled explicitly or has been enabled by having loaded a rule while not being explicitly disabled.

Return values
trueif enabled, false otherwise

Definition at line 3391 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

◆ SSLVersionToString()