1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
* \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
*
*/
#ifndef __APP_LAYER_SSL_H__
#define __APP_LAYER_SSL_H__
#include "decode-events.h"
#include "queue.h"
enum {
/* TLS protocol messages */
TLS_DECODER_EVENT_INVALID_SSLV2_HEADER,
TLS_DECODER_EVENT_INVALID_TLS_HEADER,
TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
TLS_DECODER_EVENT_HEARTBEAT,
TLS_DECODER_EVENT_INVALID_HEARTBEAT,
TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT,
TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH,
/* Certificates decoding messages */
TLS_DECODER_EVENT_INVALID_CERTIFICATE,
TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT,
TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT,
TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH,
TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING,
TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED,
TLS_DECODER_EVENT_INVALID_SSL_RECORD,
};
/* Flag to indicate that server will now on send encrypted msgs */
#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC 0x0001
/* Flag to indicate that client will now on send encrypted msgs */
#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC 0x0002
#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC 0x0004
/* SSL related flags */
#define SSL_AL_FLAG_SSL_CLIENT_HS 0x0008
#define SSL_AL_FLAG_SSL_SERVER_HS 0x0010
#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY 0x0020
#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED 0x0040
#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED 0x0080
#define SSL_AL_FLAG_SSL_NO_SESSION_ID 0x0100
/* flags specific to detect-ssl-state keyword */
#define SSL_AL_FLAG_STATE_CLIENT_HELLO 0x0200
#define SSL_AL_FLAG_STATE_SERVER_HELLO 0x0400
#define SSL_AL_FLAG_STATE_CLIENT_KEYX 0x0800
#define SSL_AL_FLAG_STATE_SERVER_KEYX 0x1000
#define SSL_AL_FLAG_STATE_UNKNOWN 0x2000
#define SSL_AL_FLAG_STATE_LOGGED 0x4000
/* flags specific to HeartBeat state */
#define SSL_AL_FLAG_HB_INFLIGHT 0x8000
#define SSL_AL_FLAG_HB_CLIENT_INIT 0x10000
#define SSL_AL_FLAG_HB_SERVER_INIT 0x20000
/* flags for file storage */
#define SSL_AL_FLAG_STATE_STORED 0x40000
#define SSL_AL_FLAG_STATE_LOGGED_LUA 0x80000
/* config flags */
#define SSL_TLS_LOG_PEM (1 << 0)
/* extensions */
#define SSL_EXTENSION_SNI 0x0000
/* SSL versions. We'll use a unified format for all, with the top byte
* holding the major version and the lower byte the minor version */
enum {
TLS_VERSION_UNKNOWN = 0x0000,
SSL_VERSION_2 = 0x0200,
SSL_VERSION_3 = 0x0300,
TLS_VERSION_10 = 0x0301,
TLS_VERSION_11 = 0x0302,
TLS_VERSION_12 = 0x0303,
};
typedef struct SSLCertsChain_ {
uint8_t *cert_data;
uint32_t cert_len;
TAILQ_ENTRY(SSLCertsChain_) next;
} SSLCertsChain;
typedef struct SSLStateConnp_ {
/* record length */
uint32_t record_length;
/* record length's length for SSLv2 */
uint32_t record_lengths_length;
/* offset of the beginning of the current message (including header) */
uint32_t message_start;
uint32_t message_length;
uint16_t version;
uint8_t content_type;
uint8_t handshake_type;
uint32_t handshake_length;
/* the no of bytes processed in the currently parsed record */
uint16_t bytes_processed;
/* the no of bytes processed in the currently parsed handshake */
uint16_t hs_bytes_processed;
/* sslv2 client hello session id length */
uint16_t session_id_length;
char *cert0_subject;
char *cert0_issuerdn;
char *cert0_fingerprint;
/* ssl server name indication extension */
char *sni;
uint8_t *cert_input;
uint32_t cert_input_len;
TAILQ_HEAD(, SSLCertsChain_) certs;
uint32_t cert_log_flag;
/* buffer for the tls record.
* We use a malloced buffer, if the record is fragmented */
uint8_t *trec;
uint32_t trec_len;
uint32_t trec_pos;
} SSLStateConnp;
/**
* \brief SSLv[2.0|3.[0|1|2|3]] state structure.
*
* Structure to store the SSL state values.
*/
typedef struct SSLState_ {
Flow *f;
/* holds some state flags we need */
uint32_t flags;
SSLStateConnp *curr_connp;
SSLStateConnp client_connp;
SSLStateConnp server_connp;
/* there might be a better place to store this*/
uint16_t hb_record_len;
} SSLState;
void RegisterSSLParsers(void);
void SSLParserRegisterTests(void);
#endif /* __APP_LAYER_SSL_H__ */
|
