src/app-layer-ssl.h

   1 /* Copyright (C) 2007-2012 Open Information Security Foundation
   2  *
   3  * You can copy, redistribute or modify this Program under the terms of
   4  * the GNU General Public License version 2 as published by the Free
   5  * Software Foundation.
   6  *
   7  * This program is distributed in the hope that it will be useful,
   8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
   9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  10  * GNU General Public License for more details.
  11  *
  12  * You should have received a copy of the GNU General Public License
  13  * version 2 along with this program; if not, write to the Free Software
  14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  15  * 02110-1301, USA.
  16  */
  17
  18 /**
  19  * \file
  20  *
  21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
  22  * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
  23  *
  24  */
  25
  26 #ifndef __APP_LAYER_SSL_H__
  27 #define __APP_LAYER_SSL_H__
  28
  29 #include "decode-events.h"
  30 #include "queue.h"
  31
  32 enum {
  33     /* TLS protocol messages */
  34     TLS_DECODER_EVENT_INVALID_SSLV2_HEADER,
  35     TLS_DECODER_EVENT_INVALID_TLS_HEADER,
  36     TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
  37     TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
  38     TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
  39     TLS_DECODER_EVENT_HEARTBEAT,
  40     TLS_DECODER_EVENT_INVALID_HEARTBEAT,
  41     TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT,
  42     TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH,
  43     /* Certificates decoding messages */
  44     TLS_DECODER_EVENT_INVALID_CERTIFICATE,
  45     TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT,
  46     TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT,
  47     TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH,
  48     TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING,
  49     TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED,
  50     TLS_DECODER_EVENT_INVALID_SSL_RECORD,
  51 };
  52
  53 /* Flag to indicate that server will now on send encrypted msgs */
  54 #define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   0x0001
  55 /* Flag to indicate that client will now on send encrypted msgs */
  56 #define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   0x0002
  57 #define SSL_AL_FLAG_CHANGE_CIPHER_SPEC          0x0004
  58
  59 /* SSL related flags */
  60 #define SSL_AL_FLAG_SSL_CLIENT_HS               0x0008
  61 #define SSL_AL_FLAG_SSL_SERVER_HS               0x0010
  62 #define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY       0x0020
  63 #define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED    0x0040
  64 #define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED    0x0080
  65 #define SSL_AL_FLAG_SSL_NO_SESSION_ID           0x0100
  66
  67 /* flags specific to detect-ssl-state keyword */
  68 #define SSL_AL_FLAG_STATE_CLIENT_HELLO          0x0200
  69 #define SSL_AL_FLAG_STATE_SERVER_HELLO          0x0400
  70 #define SSL_AL_FLAG_STATE_CLIENT_KEYX           0x0800
  71 #define SSL_AL_FLAG_STATE_SERVER_KEYX           0x1000
  72 #define SSL_AL_FLAG_STATE_UNKNOWN               0x2000
  73
  74 #define SSL_AL_FLAG_STATE_LOGGED                0x4000
  75
  76 /* flags specific to HeartBeat state */
  77 #define SSL_AL_FLAG_HB_INFLIGHT                 0x8000
  78 #define SSL_AL_FLAG_HB_CLIENT_INIT              0x10000
  79 #define SSL_AL_FLAG_HB_SERVER_INIT              0x20000
  80
  81 /* flags for file storage */
  82 #define SSL_AL_FLAG_STATE_STORED                0x40000
  83
  84 /* config flags */
  85 #define SSL_TLS_LOG_PEM                         (1 << 0)
  86
  87
  88
  89 /* SSL versions.  We'll use a unified format for all, with the top byte
  90  * holding the major version and the lower byte the minor version */
  91 enum {
  92     TLS_VERSION_UNKNOWN = 0x0000,
  93     SSL_VERSION_2 = 0x0200,
  94     SSL_VERSION_3 = 0x0300,
  95     TLS_VERSION_10 = 0x0301,
  96     TLS_VERSION_11 = 0x0302,
  97     TLS_VERSION_12 = 0x0303,
  98 };
  99
 100 typedef struct SSLCertsChain_ {
 101     uint8_t *cert_data;
 102     uint32_t cert_len;
 103     TAILQ_ENTRY(SSLCertsChain_) next;
 104 } SSLCertsChain;
 105
 106
 107 typedef struct SSLStateConnp_ {
 108     /* record length */
 109     uint32_t record_length;
 110     /* record length's length for SSLv2 */
 111     uint32_t record_lengths_length;
 112
 113     /* offset of the beginning of the current message (including header) */
 114     uint32_t message_start;
 115     uint32_t message_length;
 116
 117     uint16_t version;
 118     uint8_t content_type;
 119
 120     uint8_t handshake_type;
 121     uint32_t handshake_length;
 122
 123     /* the no of bytes processed in the currently parsed record */
 124     uint16_t bytes_processed;
 125     /* the no of bytes processed in the currently parsed handshake */
 126     uint16_t hs_bytes_processed;
 127
 128     /* sslv2 client hello session id length */
 129     uint16_t session_id_length;
 130
 131     char *cert0_subject;
 132     char *cert0_issuerdn;
 133     char *cert0_fingerprint;
 134
 135     uint8_t *cert_input;
 136     uint32_t cert_input_len;
 137
 138     TAILQ_HEAD(, SSLCertsChain_) certs;
 139
 140     uint32_t cert_log_flag;
 141
 142     /* buffer for the tls record.
 143      * We use a malloced buffer, if the record is fragmented */
 144     uint8_t *trec;
 145     uint32_t trec_len;
 146     uint32_t trec_pos;
 147 } SSLStateConnp;
 148
 149 /**
 150  * \brief SSLv[2.0|3.[0|1|2|3]] state structure.
 151  *
 152  *        Structure to store the SSL state values.
 153  */
 154 typedef struct SSLState_ {
 155     Flow *f;
 156
 157     /* holds some state flags we need */
 158     uint32_t flags;
 159
 160     SSLStateConnp *curr_connp;
 161
 162     SSLStateConnp client_connp;
 163     SSLStateConnp server_connp;
 164
 165     /* there might be a better place to store this*/
 166     uint16_t hb_record_len;
 167 } SSLState;
 168
 169 void RegisterSSLParsers(void);
 170 void SSLParserRegisterTests(void);
 171
 172 #endif /* __APP_LAYER_SSL_H__ */