-/* Copyright (C) 2007-2011 Open Information Security Foundation
+/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
#include "app-layer-tls-handshake.h"
#include "conf.h"
+#include "decode-events.h"
#include "util-spm.h"
#include "util-unittest.h"
#include "util-byte.h"
+SCEnumCharMap tls_decoder_event_table[ ] = {
+ /* TLS protocol messages */
+ { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
+ { "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER },
+ { "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
+ { "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
+ /* Certificates decoding messages */
+ { "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
+ { "CERTIFICATE_MISSING_FIELD", TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD },
+ { NULL, -1 },
+};
+
typedef struct SslConfig_ {
int no_reassemble;
} SslConfig;
if (ssl_state->bytes_processed < (ssl_state->record_lengths_length + 1)) {
retval = SSLv2ParseRecord(direction, ssl_state, input, input_len);
if (retval == -1) {
- SCLogDebug("Error parsing SSLv2Header");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSLV2_HEADER);
return -1;
} else {
input += retval;
SCLogWarning(SC_ERR_ALPARSER, "SSLV2_MT_ERROR msg_type received. "
"Error encountered in establishing the sslv2 "
"session, may be version");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
break;
if (ssl_state->bytes_processed < SSLV3_RECORD_LEN) {
retval = SSLv3ParseRecord(direction, ssl_state, input, input_len);
if (retval == -1) {
- SCLogDebug("Error parsing SSLv3Header");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_TLS_HEADER);
return -1;
} else {
parsed += retval;
retval = SSLv3ParseHandshakeProtocol(ssl_state, input + parsed, input_len);
if (retval == -1) {
- SCLogDebug("Error parsing SSLv3.x. Let's get outta here");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
return -1;
} else {
if ((uint32_t)retval > input_len) {
break;
default:
- SCLogDebug("Bad ssl record type");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_RECORD_TYPE);
return -1;
}
*
* \retval >=0 On success.
*/
-static int SSLDecode(uint8_t direction, void *alstate, AppLayerParserState *pstate,
+static int SSLDecode(Flow *f, uint8_t direction, void *alstate, AppLayerParserState *pstate,
uint8_t *input, uint32_t input_len)
{
SSLState *ssl_state = (SSLState *)alstate;
int retval = 0;
uint8_t counter = 0;
+ ssl_state->f = f;
+
/* if we have more than one record */
while (input_len) {
if (counter++ == 30) {
uint8_t *input, uint32_t input_len,
void *local_data, AppLayerParserResult *output)
{
- return SSLDecode(0 /* toserver */, alstate, pstate, input, input_len);
+ return SSLDecode(f, 0 /* toserver */, alstate, pstate, input, input_len);
}
int SSLParseServerRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
uint8_t *input, uint32_t input_len,
void *local_data, AppLayerParserResult *output)
{
- return SSLDecode(1 /* toclient */, alstate, pstate, input, input_len);
+ return SSLDecode(f, 1 /* toclient */, alstate, pstate, input, input_len);
}
/**
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
SSLParseServerRecord);
+ AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
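Review bot: The SSLV2_MT_ERROR branch now raises TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE for a message the parser itself accepts as well-formed (it advances `input += retval` and breaks out of the loop), so this one event value covers both a truly malformed handshake (the `SSLv3ParseHandshakeProtocol` failure path) and a legitimate SSLv2 error alert from the peer, and a detection rule keyed on the event cannot tell the two apart. A dedicated enum value plus table entry for the SSLv2 error message would keep the event semantics unambiguous; the enum lives in the header hunk of this diff, so both need the addition. Separately, `ssl_state->f = f;` at the top of SSLDecode is the only place the back-pointer is refreshed, and the certificate-decoding hunk later in this diff calls `AppLayerDecoderEventsSetEvent(ssl_state->f, ...)` with no NULL check; that is fine on the normal parse path, but any caller that reaches the handshake parser with a state that never passed through SSLDecode (unit tests, for instance) would hand over a NULL flow, and whether `AppLayerDecoderEventsSetEvent` tolerates that is not visible here. Since `tls_decoder_event_table` is only referenced from this file in the hunk (the `AppLayerDecoderEventsModuleRegister` call), it could be declared `static` unless another translation unit needs it.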
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2012 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* \file
*
* \author Anoop Saldanha <anoopsaldanha@gmail.com>
+ * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
*
*/
#ifndef __APP_LAYER_SSL_H__
#define __APP_LAYER_SSL_H__
+#include "decode-events.h"
+
+enum {
+ /* TLS protocol messages */
+ TLS_DECODER_EVENT_INVALID_SSLV2_HEADER,
+ TLS_DECODER_EVENT_INVALID_TLS_HEADER,
+ TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
+ TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
+ /* Certificates decoding messages */
+ TLS_DECODER_EVENT_INVALID_CERTIFICATE,
+ TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD,
+};
+
/* Flag to indicate that server will now on send encrypted msgs */
#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC 0x0001
/* Flag to indicate that client will now on send encrypted msgs */
* Structure to store the SSL state values.
*/
typedef struct SSLState_ {
+ Flow *f;
+
/* record length */
uint32_t record_length;
/* record length's length for SSLv2 */
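Review bot: The new `Flow *f;` member of SSLState is undocumented, and its validity window is narrow: it is assigned at the start of SSLDecode on every call and read by the handshake/certificate parsers via `AppLayerDecoderEventsSetEvent(ssl_state->f, ...)`, so it is only meaningful while a parser invocation is in progress and must not be relied on from the state alloc/free paths. Suggested comment on the field: `/* back-pointer to the owning flow; set by SSLDecode() on each call and valid only while a parse is in progress */`. The enum added in this header also has no comment tying it to `tls_decoder_event_table` in the parser source, where each value presumably needs a matching string entry for its name to resolve; a one-liner such as `/* every value must have an entry in tls_decoder_event_table; append new values at the end */` would stop the two from drifting. The header gains `#include "decode-events.h"` but the declaration of `Flow` is not visible in this hunk, so it is worth confirming the header still compiles standalone.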
#include "debug.h"
#include "decode.h"
+#include "app-layer-parser.h"
+#include "decode-events.h"
+
#include "app-layer-ssl.h"
#include "app-layer-tls-handshake.h"
if (input - start_data + cur_cert_length > input_len) {
SCLogWarning(SC_ERR_ALPARSER, "ASN.1 structure contains invalid length\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE);
return -1;
}
cert = DecodeDer(input, cur_cert_length);
if (cert == NULL) {
SCLogWarning(SC_ERR_ALPARSER, "decoding ASN.1 structure for X509 certificate failed\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_CERTIFICATE);
}
if (cert != NULL) {
rc = Asn1DerGetSubjectDN(cert, buffer, sizeof(buffer));
if (rc != 0) {
SCLogWarning(SC_ERR_ALPARSER, "X509: could not get subject\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD);
} else {
//SCLogInfo("TLS Cert %d: %s\n", i, buffer);
if (i==0) {
rc = Asn1DerGetIssuerDN(cert, buffer, sizeof(buffer));
if (rc != 0) {
SCLogWarning(SC_ERR_ALPARSER, "X509: could not get issuerdn\n");
+ AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_CERTIFICATE_MISSING_FIELD);
} else {
//SCLogInfo("TLS IssuerDN %d: %s\n", i, buffer);
if (i==0) {