TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET,
/* Certificates decoding messages */
TLS_DECODER_EVENT_INVALID_CERTIFICATE,
- TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT,
- TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT,
TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH,
- TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER,
+ TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY,
TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED,
TLS_DECODER_EVENT_INVALID_SSL_RECORD,
};
to log TLSv1.3 sessions. */
#define SSL_AL_FLAG_LOG_WITHOUT_CERT BIT_U32(22)
+/* Encountered a early data extension in client hello. This extension is
+ used by 0-RTT. */
+#define SSL_AL_FLAG_EARLY_DATA BIT_U32(23)
+
/* config flags */
#define SSL_TLS_LOG_PEM (1 << 0)
#define SSL_EXTENSION_ELLIPTIC_CURVES 0x000a
#define SSL_EXTENSION_EC_POINT_FORMATS 0x000b
#define SSL_EXTENSION_SESSION_TICKET 0x0023
+#define SSL_EXTENSION_EARLY_DATA 0x002a
#define SSL_EXTENSION_SUPPORTED_VERSIONS 0x002b
/* SNI types */
#define SSL_SNI_TYPE_HOST_NAME 0
+/* Max string length of the TLS version string */
+#define SSL_VERSION_MAX_STRLEN 20
+
/* SSL versions. We'll use a unified format for all, with the top byte
* holding the major version and the lower byte the minor version */
enum {
TLS_VERSION_13_DRAFT17 = 0x7f11,
TLS_VERSION_13_DRAFT16 = 0x7f10,
TLS_VERSION_13_PRE_DRAFT16 = 0x7f01,
+ TLS_VERSION_13_DRAFT20_FB = 0xfb14,
+ TLS_VERSION_13_DRAFT21_FB = 0xfb15,
+ TLS_VERSION_13_DRAFT22_FB = 0xfb16,
+ TLS_VERSION_13_DRAFT23_FB = 0xfb17,
+ TLS_VERSION_13_DRAFT26_FB = 0xfb1a,
};
typedef struct SSLCertsChain_ {
uint32_t handshake_length;
/* the no of bytes processed in the currently parsed record */
- uint16_t bytes_processed;
+ uint32_t bytes_processed;
/* the no of bytes processed in the currently parsed handshake */
uint16_t hs_bytes_processed;
uint32_t cert_log_flag;
+ JA3Buffer *ja3_str;
+ char *ja3_hash;
+
/* buffer for the tls record.
* We use a malloced buffer, if the record is fragmented */
uint8_t *trec;
typedef struct SSLState_ {
Flow *f;
+ AppLayerTxData tx_data;
+
/* holds some state flags we need */
uint32_t flags;
- /* specifies which loggers are done logging */
- uint32_t logged;
-
- /* detect flags */
- uint64_t detect_flags_ts;
- uint64_t detect_flags_tc;
-
/* there might be a better place to store this*/
uint16_t hb_record_len;
uint32_t current_flags;
- JA3Buffer *ja3_str;
- char *ja3_hash;
-
SSLStateConnp *curr_connp;
SSLStateConnp client_connp;
SSLStateConnp server_connp;
- DetectEngineState *de_state;
AppLayerDecoderEvents *decoder_events;
} SSLState;
void RegisterSSLParsers(void);
void SSLParserRegisterTests(void);
void SSLSetEvent(SSLState *ssl_state, uint8_t event);
+void SSLVersionToString(uint16_t, char *);
+void SSLEnableJA3(void);
+bool SSLJA3IsEnabled(void);
#endif /* __APP_LAYER_SSL_H__ */