1 /* Copyright (C) 2007-2012 Open Information Security Foundation
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22 * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
26 #ifndef __APP_LAYER_SSL_H__
27 #define __APP_LAYER_SSL_H__
29 #include "decode-events.h"
33 /* TLS protocol messages */
34 TLS_DECODER_EVENT_INVALID_SSLV2_HEADER
,
35 TLS_DECODER_EVENT_INVALID_TLS_HEADER
,
36 TLS_DECODER_EVENT_INVALID_RECORD_VERSION
,
37 TLS_DECODER_EVENT_INVALID_RECORD_TYPE
,
38 TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE
,
39 TLS_DECODER_EVENT_HEARTBEAT
,
40 TLS_DECODER_EVENT_INVALID_HEARTBEAT
,
41 TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT
,
42 TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH
,
43 /* Certificates decoding messages */
44 TLS_DECODER_EVENT_INVALID_CERTIFICATE
,
45 TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT
,
46 TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT
,
47 TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH
,
48 TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING
,
49 TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED
,
50 TLS_DECODER_EVENT_INVALID_SSL_RECORD
,
53 /* Flag to indicate that server will now on send encrypted msgs */
54 #define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC 0x0001
55 /* Flag to indicate that client will now on send encrypted msgs */
56 #define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC 0x0002
57 #define SSL_AL_FLAG_CHANGE_CIPHER_SPEC 0x0004
59 /* SSL related flags */
60 #define SSL_AL_FLAG_SSL_CLIENT_HS 0x0008
61 #define SSL_AL_FLAG_SSL_SERVER_HS 0x0010
62 #define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY 0x0020
63 #define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED 0x0040
64 #define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED 0x0080
65 #define SSL_AL_FLAG_SSL_NO_SESSION_ID 0x0100
67 /* flags specific to detect-ssl-state keyword */
68 #define SSL_AL_FLAG_STATE_CLIENT_HELLO 0x0200
69 #define SSL_AL_FLAG_STATE_SERVER_HELLO 0x0400
70 #define SSL_AL_FLAG_STATE_CLIENT_KEYX 0x0800
71 #define SSL_AL_FLAG_STATE_SERVER_KEYX 0x1000
72 #define SSL_AL_FLAG_STATE_UNKNOWN 0x2000
74 #define SSL_AL_FLAG_STATE_LOGGED 0x4000
76 /* flags specific to HeartBeat state */
77 #define SSL_AL_FLAG_HB_INFLIGHT 0x8000
78 #define SSL_AL_FLAG_HB_CLIENT_INIT 0x10000
79 #define SSL_AL_FLAG_HB_SERVER_INIT 0x20000
81 /* flags for file storage */
82 #define SSL_AL_FLAG_STATE_STORED 0x40000
85 #define SSL_TLS_LOG_PEM (1 << 0)
89 /* SSL versions. We'll use a unified format for all, with the top byte
90 * holding the major version and the lower byte the minor version */
92 TLS_VERSION_UNKNOWN
= 0x0000,
93 SSL_VERSION_2
= 0x0200,
94 SSL_VERSION_3
= 0x0300,
95 TLS_VERSION_10
= 0x0301,
96 TLS_VERSION_11
= 0x0302,
97 TLS_VERSION_12
= 0x0303,
100 typedef struct SSLCertsChain_
{
103 TAILQ_ENTRY(SSLCertsChain_
) next
;
107 typedef struct SSLStateConnp_
{
109 uint32_t record_length
;
110 /* record length's length for SSLv2 */
111 uint32_t record_lengths_length
;
113 /* offset of the beginning of the current message (including header) */
114 uint32_t message_start
;
115 uint32_t message_length
;
118 uint8_t content_type
;
120 uint8_t handshake_type
;
121 uint32_t handshake_length
;
123 /* the no of bytes processed in the currently parsed record */
124 uint16_t bytes_processed
;
125 /* the no of bytes processed in the currently parsed handshake */
126 uint16_t hs_bytes_processed
;
128 /* sslv2 client hello session id length */
129 uint16_t session_id_length
;
132 char *cert0_issuerdn
;
133 char *cert0_fingerprint
;
136 uint32_t cert_input_len
;
138 TAILQ_HEAD(, SSLCertsChain_
) certs
;
140 uint32_t cert_log_flag
;
142 /* buffer for the tls record.
143 * We use a malloced buffer, if the record is fragmented */
150 * \brief SSLv[2.0|3.[0|1|2|3]] state structure.
152 * Structure to store the SSL state values.
154 typedef struct SSLState_
{
157 /* holds some state flags we need */
160 SSLStateConnp
*curr_connp
;
162 SSLStateConnp client_connp
;
163 SSLStateConnp server_connp
;
165 /* there might be a better place to store this*/
166 uint16_t hb_record_len
;
169 void RegisterSSLParsers(void);
170 void SSLParserRegisterTests(void);
172 #endif /* __APP_LAYER_SSL_H__ */