suricata
Data Structures | Macros | Typedefs | Enumerations | Functions
app-layer-ssl.h File Reference
#include "util-ja3.h"
#include "rust.h"
Include dependency graph for app-layer-ssl.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  SSLCertsChain_
 
struct  SSLStateConnp_
 
struct  SSLState_
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Macros

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)
 
#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)
 
#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)
 
#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)
 
#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)
 
#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)
 
#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)
 
#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)
 
#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)
 
#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)
 
#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)
 
#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)
 
#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)
 
#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)
 
#define SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)
 
#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)
 
#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)
 
#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)
 
#define SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)
 
#define SSL_AL_FLAG_SSL_CLIENT_SESSION_ID   BIT_U32(19)
 
#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)
 
#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)
 
#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)
 
#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)
 
#define TLS_TS_RANDOM_SET   BIT_U32(24)
 
#define TLS_TC_RANDOM_SET   BIT_U32(25)
 
#define SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)
 
#define SSL_TLS_LOG_PEM   (1 << 0)
 
#define SSL_EXTENSION_SNI   0x0000
 
#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a
 
#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b
 
#define SSL_EXTENSION_SESSION_TICKET   0x0023
 
#define SSL_EXTENSION_EARLY_DATA   0x002a
 
#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b
 
#define SSL_SNI_TYPE_HOST_NAME   0
 
#define SSL_VERSION_MAX_STRLEN   20
 
#define TLS_RANDOM_LEN   32
 

Typedefs

typedef struct SSLCertsChain_ SSLCertsChain
 
typedef struct SSLStateConnp_ SSLStateConnp
 
typedef struct SSLState_ SSLState
 SSLv[2.0|3.[0|1|2|3]] state structure. More...
 

Enumerations

enum  TlsFrameTypes {
  TLS_FRAME_PDU = 0, TLS_FRAME_HDR, TLS_FRAME_DATA, TLS_FRAME_ALERT_DATA,
  TLS_FRAME_HB_DATA, TLS_FRAME_SSLV2_HDR, TLS_FRAME_SSLV2_PDU
}
 
enum  {
  TLS_DECODER_EVENT_INVALID_SSLV2_HEADER, TLS_DECODER_EVENT_INVALID_TLS_HEADER, TLS_DECODER_EVENT_INVALID_RECORD_VERSION, TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
  TLS_DECODER_EVENT_INVALID_RECORD_LENGTH, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE, TLS_DECODER_EVENT_HEARTBEAT, TLS_DECODER_EVENT_INVALID_HEARTBEAT,
  TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT, TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH, TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH, TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
  TLS_DECODER_EVENT_INVALID_SNI_TYPE, TLS_DECODER_EVENT_INVALID_SNI_LENGTH, TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET, TLS_DECODER_EVENT_INVALID_CERTIFICATE,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION, TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL, TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME, TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE, TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS, TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER,
  TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT, TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER, TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY, TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED,
  TLS_DECODER_EVENT_INVALID_SSL_RECORD
}
 
enum  { TLS_STATE_IN_PROGRESS = 0, TLS_STATE_CERT_READY = 1, TLS_HANDSHAKE_DONE = 2, TLS_STATE_FINISHED = 3 }
 
enum  {
  TLS_VERSION_UNKNOWN = 0x0000, SSL_VERSION_2 = 0x0200, SSL_VERSION_3 = 0x0300, TLS_VERSION_10 = 0x0301,
  TLS_VERSION_11 = 0x0302, TLS_VERSION_12 = 0x0303, TLS_VERSION_13 = 0x0304, TLS_VERSION_13_DRAFT28 = 0x7f1c,
  TLS_VERSION_13_DRAFT27 = 0x7f1b, TLS_VERSION_13_DRAFT26 = 0x7f1a, TLS_VERSION_13_DRAFT25 = 0x7f19, TLS_VERSION_13_DRAFT24 = 0x7f18,
  TLS_VERSION_13_DRAFT23 = 0x7f17, TLS_VERSION_13_DRAFT22 = 0x7f16, TLS_VERSION_13_DRAFT21 = 0x7f15, TLS_VERSION_13_DRAFT20 = 0x7f14,
  TLS_VERSION_13_DRAFT19 = 0x7f13, TLS_VERSION_13_DRAFT18 = 0x7f12, TLS_VERSION_13_DRAFT17 = 0x7f11, TLS_VERSION_13_DRAFT16 = 0x7f10,
  TLS_VERSION_13_PRE_DRAFT16 = 0x7f01, TLS_VERSION_13_DRAFT20_FB = 0xfb14, TLS_VERSION_13_DRAFT21_FB = 0xfb15, TLS_VERSION_13_DRAFT22_FB = 0xfb16,
  TLS_VERSION_13_DRAFT23_FB = 0xfb17, TLS_VERSION_13_DRAFT26_FB = 0xfb1a
}
 

Functions

void RegisterSSLParsers (void)
 Function to register the SSL protocol parser and other functions. More...
 
void SSLParserRegisterTests (void)
 
void SSLVersionToString (uint16_t, char *)
 
void SSLEnableJA3 (void)
 if not explicitly disabled in config, enable ja3 support More...
 
bool SSLJA3IsEnabled (void)
 

Detailed Description

Author
Anoop Saldanha anoop.nosp@m.sald.nosp@m.anha@.nosp@m.gmai.nosp@m.l.com
Pierre Chifflier pierr.nosp@m.e.ch.nosp@m.iffli.nosp@m.er@s.nosp@m.si.go.nosp@m.uv.f.nosp@m.r

Definition in file app-layer-ssl.h.

Macro Definition Documentation

◆ SSL_AL_FLAG_CH_VERSION_EXTENSION

#define SSL_AL_FLAG_CH_VERSION_EXTENSION   BIT_U32(21)

Definition at line 123 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC   BIT_U32(2)

Definition at line 88 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)

Definition at line 87 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_EARLY_DATA

#define SSL_AL_FLAG_EARLY_DATA   BIT_U32(23)

Definition at line 131 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HANDSHAKE_DONE

#define SSL_AL_FLAG_HANDSHAKE_DONE   BIT_U32(18)

Definition at line 114 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_CLIENT_INIT

#define SSL_AL_FLAG_HB_CLIENT_INIT   BIT_U32(16)

Definition at line 110 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_INFLIGHT

#define SSL_AL_FLAG_HB_INFLIGHT   BIT_U32(15)

Definition at line 109 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_HB_SERVER_INIT

#define SSL_AL_FLAG_HB_SERVER_INIT   BIT_U32(17)

Definition at line 111 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_LOG_WITHOUT_CERT

#define SSL_AL_FLAG_LOG_WITHOUT_CERT   BIT_U32(22)

Definition at line 127 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_NEED_CLIENT_CERT

#define SSL_AL_FLAG_NEED_CLIENT_CERT   BIT_U32(26)

Definition at line 139 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC

#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)

Definition at line 85 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SESSION_RESUMED

#define SSL_AL_FLAG_SESSION_RESUMED   BIT_U32(20)

Definition at line 120 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_HS

#define SSL_AL_FLAG_SSL_CLIENT_HS   BIT_U32(3)

Definition at line 91 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY

#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY   BIT_U32(5)

Definition at line 93 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_SESSION_ID

#define SSL_AL_FLAG_SSL_CLIENT_SESSION_ID   BIT_U32(19)

Definition at line 118 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED   BIT_U32(6)

Definition at line 94 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_NO_SESSION_ID

#define SSL_AL_FLAG_SSL_NO_SESSION_ID   BIT_U32(8)

Definition at line 96 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_HS

#define SSL_AL_FLAG_SSL_SERVER_HS   BIT_U32(4)

Definition at line 92 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED

#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED   BIT_U32(7)

Definition at line 95 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_HELLO

#define SSL_AL_FLAG_STATE_CLIENT_HELLO   BIT_U32(9)

Definition at line 99 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_CLIENT_KEYX

#define SSL_AL_FLAG_STATE_CLIENT_KEYX   BIT_U32(11)

Definition at line 101 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_FINISHED

#define SSL_AL_FLAG_STATE_FINISHED   BIT_U32(14)

Definition at line 106 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_HELLO

#define SSL_AL_FLAG_STATE_SERVER_HELLO   BIT_U32(10)

Definition at line 100 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_SERVER_KEYX

#define SSL_AL_FLAG_STATE_SERVER_KEYX   BIT_U32(12)

Definition at line 102 of file app-layer-ssl.h.

◆ SSL_AL_FLAG_STATE_UNKNOWN

#define SSL_AL_FLAG_STATE_UNKNOWN   BIT_U32(13)

Definition at line 103 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EARLY_DATA

#define SSL_EXTENSION_EARLY_DATA   0x002a

Definition at line 149 of file app-layer-ssl.h.

◆ SSL_EXTENSION_EC_POINT_FORMATS

#define SSL_EXTENSION_EC_POINT_FORMATS   0x000b

Definition at line 147 of file app-layer-ssl.h.

◆ SSL_EXTENSION_ELLIPTIC_CURVES

#define SSL_EXTENSION_ELLIPTIC_CURVES   0x000a

Definition at line 146 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SESSION_TICKET

#define SSL_EXTENSION_SESSION_TICKET   0x0023

Definition at line 148 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SNI

#define SSL_EXTENSION_SNI   0x0000

Definition at line 145 of file app-layer-ssl.h.

◆ SSL_EXTENSION_SUPPORTED_VERSIONS

#define SSL_EXTENSION_SUPPORTED_VERSIONS   0x002b

Definition at line 150 of file app-layer-ssl.h.

◆ SSL_SNI_TYPE_HOST_NAME

#define SSL_SNI_TYPE_HOST_NAME   0

Definition at line 153 of file app-layer-ssl.h.

◆ SSL_TLS_LOG_PEM

#define SSL_TLS_LOG_PEM   (1 << 0)

Definition at line 142 of file app-layer-ssl.h.

◆ SSL_VERSION_MAX_STRLEN

#define SSL_VERSION_MAX_STRLEN   20

Definition at line 156 of file app-layer-ssl.h.

◆ TLS_RANDOM_LEN

#define TLS_RANDOM_LEN   32

Definition at line 159 of file app-layer-ssl.h.

◆ TLS_TC_RANDOM_SET

#define TLS_TC_RANDOM_SET   BIT_U32(25)

Definition at line 137 of file app-layer-ssl.h.

◆ TLS_TS_RANDOM_SET

#define TLS_TS_RANDOM_SET   BIT_U32(24)

Definition at line 134 of file app-layer-ssl.h.

Typedef Documentation

◆ SSLCertsChain

typedef struct SSLCertsChain_ SSLCertsChain

◆ SSLState

typedef struct SSLState_ SSLState

SSLv[2.0|3.[0|1|2|3]] state structure. 

   Structure to store the SSL state values.

◆ SSLStateConnp

typedef struct SSLStateConnp_ SSLStateConnp

Enumeration Type Documentation

◆ anonymous enum

anonymous enum
Enumerator
TLS_DECODER_EVENT_INVALID_SSLV2_HEADER 
TLS_DECODER_EVENT_INVALID_TLS_HEADER 
TLS_DECODER_EVENT_INVALID_RECORD_VERSION 
TLS_DECODER_EVENT_INVALID_RECORD_TYPE 
TLS_DECODER_EVENT_INVALID_RECORD_LENGTH 
TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE 
TLS_DECODER_EVENT_HEARTBEAT 
TLS_DECODER_EVENT_INVALID_HEARTBEAT 
TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT 
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH 
TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH 
TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS 
TLS_DECODER_EVENT_INVALID_SNI_TYPE 
TLS_DECODER_EVENT_INVALID_SNI_LENGTH 
TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET 
TLS_DECODER_EVENT_INVALID_CERTIFICATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER 
TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY 
TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED 
TLS_DECODER_EVENT_INVALID_SSL_RECORD 

Definition at line 42 of file app-layer-ssl.h.

◆ anonymous enum

anonymous enum
Enumerator
TLS_STATE_IN_PROGRESS 
TLS_STATE_CERT_READY 
TLS_HANDSHAKE_DONE 
TLS_STATE_FINISHED 

Definition at line 76 of file app-layer-ssl.h.

◆ anonymous enum

anonymous enum
Enumerator
TLS_VERSION_UNKNOWN 
SSL_VERSION_2 
SSL_VERSION_3 
TLS_VERSION_10 
TLS_VERSION_11 
TLS_VERSION_12 
TLS_VERSION_13 
TLS_VERSION_13_DRAFT28 
TLS_VERSION_13_DRAFT27 
TLS_VERSION_13_DRAFT26 
TLS_VERSION_13_DRAFT25 
TLS_VERSION_13_DRAFT24 
TLS_VERSION_13_DRAFT23 
TLS_VERSION_13_DRAFT22 
TLS_VERSION_13_DRAFT21 
TLS_VERSION_13_DRAFT20 
TLS_VERSION_13_DRAFT19 
TLS_VERSION_13_DRAFT18 
TLS_VERSION_13_DRAFT17 
TLS_VERSION_13_DRAFT16 
TLS_VERSION_13_PRE_DRAFT16 
TLS_VERSION_13_DRAFT20_FB 
TLS_VERSION_13_DRAFT21_FB 
TLS_VERSION_13_DRAFT22_FB 
TLS_VERSION_13_DRAFT23_FB 
TLS_VERSION_13_DRAFT26_FB 

Definition at line 162 of file app-layer-ssl.h.

◆ TlsFrameTypes

enum TlsFrameTypes
Enumerator
TLS_FRAME_PDU 

whole PDU, so header + data

TLS_FRAME_HDR 

only header portion

TLS_FRAME_DATA 

only data portion

TLS_FRAME_ALERT_DATA 
TLS_FRAME_HB_DATA 
TLS_FRAME_SSLV2_HDR 
TLS_FRAME_SSLV2_PDU 

Definition at line 32 of file app-layer-ssl.h.

Function Documentation

◆ RegisterSSLParsers()

void RegisterSSLParsers ( void  )

Function to register the SSL protocol parser and other functions.

SSLv2 and SSLv23

Definition at line 2956 of file app-layer-ssl.c.

References ALPROTO_TLS, AppLayerProtoDetectConfProtoDetectionEnabled(), AppLayerProtoDetectRegisterProtocol(), SC_ATOMIC_INIT, and ssl_config.

Here is the call graph for this function:

◆ SSLEnableJA3()

void SSLEnableJA3 ( void  )

if not explicitly disabled in config, enable ja3 support

Implemented using atomic to allow rule reloads to do this at runtime.

Definition at line 3091 of file app-layer-ssl.c.

References SslConfig_::disable_ja3, g_disable_hashing, SC_ATOMIC_GET, SC_ATOMIC_SET, and ssl_config.

◆ SSLJA3IsEnabled()

bool SSLJA3IsEnabled ( void  )

Definition at line 3102 of file app-layer-ssl.c.

References SC_ATOMIC_GET, and ssl_config.

Referenced by Ja3IsDisabled().

Here is the caller graph for this function:

◆ SSLParserRegisterTests()

void SSLParserRegisterTests ( void  )

◆ SSLVersionToString()

void SSLVersionToString ( uint16_t  ,
char *   
)

Definition at line 340 of file app-layer-ssl.c.

References SSL_VERSION_2, SSL_VERSION_3, strlcat(), TLS_VERSION_10, TLS_VERSION_11, TLS_VERSION_12, TLS_VERSION_13, TLS_VERSION_13_DRAFT16, TLS_VERSION_13_DRAFT17, TLS_VERSION_13_DRAFT18, TLS_VERSION_13_DRAFT19, TLS_VERSION_13_DRAFT20, TLS_VERSION_13_DRAFT20_FB, TLS_VERSION_13_DRAFT21, TLS_VERSION_13_DRAFT21_FB, TLS_VERSION_13_DRAFT22, TLS_VERSION_13_DRAFT22_FB, TLS_VERSION_13_DRAFT23, TLS_VERSION_13_DRAFT23_FB, TLS_VERSION_13_DRAFT24, TLS_VERSION_13_DRAFT25, TLS_VERSION_13_DRAFT26, TLS_VERSION_13_DRAFT26_FB, TLS_VERSION_13_DRAFT27, TLS_VERSION_13_DRAFT28, TLS_VERSION_13_PRE_DRAFT16, TLS_VERSION_UNKNOWN, and version.

Here is the call graph for this function: