detect-ssl-version: add support for TLSv1.3
authorMats Klepsland <mats.klepsland@gmail.com>
Thu, 23 Aug 2018 16:16:29 +0000 (18:16 +0200)
committerMats Klepsland <mats.klepsland@gmail.com>
Sun, 16 Sep 2018 19:13:10 +0000 (21:13 +0200)
src/detect-ssl-version.c
src/detect-ssl-version.h

index 8a429f04aea759c1c32bba97592a702c7a9f1826..e107d524d3932fe4d3f91ce68c55faa14b35d581 100644 (file)
@@ -148,6 +148,28 @@ static int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx,
                 ret = 1;
             sig_ver = TLS12;
             break;
+        case TLS_VERSION_13_DRAFT28:
+        case TLS_VERSION_13_DRAFT27:
+        case TLS_VERSION_13_DRAFT26:
+        case TLS_VERSION_13_DRAFT25:
+        case TLS_VERSION_13_DRAFT24:
+        case TLS_VERSION_13_DRAFT23:
+        case TLS_VERSION_13_DRAFT22:
+        case TLS_VERSION_13_DRAFT21:
+        case TLS_VERSION_13_DRAFT20:
+        case TLS_VERSION_13_DRAFT19:
+        case TLS_VERSION_13_DRAFT18:
+        case TLS_VERSION_13_DRAFT17:
+        case TLS_VERSION_13_DRAFT16:
+        case TLS_VERSION_13_PRE_DRAFT16:
+            if (((ver >> 8) & 0xff) == 0x7f)
+                ver = TLS_VERSION_13;
+            /* fall through */
+        case TLS_VERSION_13:
+            if (ver == ssl->data[TLS13].ver)
+                ret = 1;
+            sig_ver = TLS13;
+            break;
     }
 
     if (sig_ver == TLS_UNKNOWN)
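Review bot: The guard added at line 29 is either redundant or silently drops a draft: control reaches it only through one of the enumerated TLS_VERSION_13_DRAFT*/PRE_DRAFT16 cases, so if every one of those constants carries the 0x7f high byte the test is always true, and if one does not, that draft falls through unnormalised, is compared against `ssl->data[TLS13].ver` (which the parser sets to TLS_VERSION_13) and can never match. Either way the intent reads more clearly as an unconditional `ver = TLS_VERSION_13;` ahead of the existing `/* fall through */`. Since the draft constant values live in another file, a short comment such as `/* collapse every TLS 1.3 draft identifier onto the final version so a tls1.3 signature matches all of them */` would spare the next reader the lookup. DetectSslVersionMatch begins before this hunk.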
@@ -219,26 +241,30 @@ static DetectSslVersionData *DetectSslVersionParse(const char *str)
                 tmp_str++;
             }
 
-            if (strncasecmp("sslv2", tmp_str, 5) == 0) {
+            if (strcasecmp("sslv2", tmp_str) == 0) {
                 ssl->data[SSLv2].ver = SSL_VERSION_2;
                 if (neg == 1)
                     ssl->data[SSLv2].flags |= DETECT_SSL_VERSION_NEGATED;
-            } else if (strncasecmp("sslv3", tmp_str, 5) == 0) {
+            } else if (strcasecmp("sslv3", tmp_str) == 0) {
                 ssl->data[SSLv3].ver = SSL_VERSION_3;
                 if (neg == 1)
                     ssl->data[SSLv3].flags |= DETECT_SSL_VERSION_NEGATED;
-            } else if (strncasecmp("tls1.0", tmp_str, 6) == 0) {
+            } else if (strcasecmp("tls1.0", tmp_str) == 0) {
                 ssl->data[TLS10].ver = TLS_VERSION_10;
                 if (neg == 1)
                     ssl->data[TLS10].flags |= DETECT_SSL_VERSION_NEGATED;
-            } else if (strncasecmp("tls1.1", tmp_str, 6) == 0) {
+            } else if (strcasecmp("tls1.1", tmp_str) == 0) {
                 ssl->data[TLS11].ver = TLS_VERSION_11;
                 if (neg == 1)
                     ssl->data[TLS11].flags |= DETECT_SSL_VERSION_NEGATED;
-            } else if (strncasecmp("tls1.2", tmp_str, 6) == 0) {
+            } else if (strcasecmp("tls1.2", tmp_str) == 0) {
                 ssl->data[TLS12].ver = TLS_VERSION_12;
                 if (neg == 1)
                     ssl->data[TLS12].flags |= DETECT_SSL_VERSION_NEGATED;
+            } else if (strcasecmp("tls1.3", tmp_str) == 0) {
+                ssl->data[TLS13].ver = TLS_VERSION_13;
+                if (neg == 1)
+                    ssl->data[TLS13].flags |= DETECT_SSL_VERSION_NEGATED;
             }  else if (strcmp(tmp_str, "") == 0) {
                 SCFree(orig);
                 if (found == 0)
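Review bot: The new tls1.3 branch at lines 69-72 is the sixth copy of the same assign-version-then-set-negated-flag pattern; a small static keyword table with a single loop would make the next version a one-line addition and keep the comparison function in one place. Switching to strcasecmp is the right fix for the prefix problem (a token like "tls1.2x" previously matched), but note it also makes the compare exact in the other direction: if the tokenizer only strips leading whitespace (the loop ending at line 42 looks like that), a token such as "tls1.2 " before a comma now fails where it used to match, so the trailing end should be trimmed too or the behaviour documented. DetectSslVersionParse starts and ends outside this hunk, so the else branches that follow line 73 are not visible here.
```c
            /* … unchanged: leading-whitespace skip … */
            static const struct { const char *kw; int idx; int ver; } known[] = {
                { "sslv2",  SSLv2, SSL_VERSION_2 },
                { "sslv3",  SSLv3, SSL_VERSION_3 },
                { "tls1.0", TLS10, TLS_VERSION_10 },
                { "tls1.1", TLS11, TLS_VERSION_11 },
                { "tls1.2", TLS12, TLS_VERSION_12 },
                { "tls1.3", TLS13, TLS_VERSION_13 },
            };
            size_t k;
            for (k = 0; k < sizeof(known) / sizeof(known[0]); k++) {
                if (strcasecmp(known[k].kw, tmp_str) == 0) {
                    ssl->data[known[k].idx].ver = known[k].ver;
                    if (neg == 1)
                        ssl->data[known[k].idx].flags |= DETECT_SSL_VERSION_NEGATED;
                    break;
                }
            }
            if (k == sizeof(known) / sizeof(known[0])) {
                /* … unchanged: empty-token and unknown-keyword handling … */
            }
```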
index b9a0f86194689f0f74c022b6dc775ee9ca97cd7d..6809178c5f0f27ad92082cabe36ed3edd651f8b8 100644 (file)
@@ -33,9 +33,10 @@ enum {
     TLS10 = 2,
     TLS11 = 3,
     TLS12 = 4,
+    TLS13 = 5,
 
-    TLS_SIZE = 5,
-    TLS_UNKNOWN = 6,
+    TLS_SIZE = 6,
+    TLS_UNKNOWN = 7,
 };
 
 typedef struct SSLVersionData_ {
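Review bot: TLS_SIZE and TLS_UNKNOWN at lines 85-86 are renumbered by hand each time a version index is added, which is exactly the edit that gets missed on the next addition; deriving them as `TLS_SIZE = TLS13 + 1,` and `TLS_UNKNOWN = TLS_SIZE + 1,` keeps the same values (6 and 7) while making the next version a single new line. A one-line comment on TLS_SIZE stating what it sizes (presumably the per-version data array, though its declaration is not in this hunk) and one on TLS_UNKNOWN noting it is the no-match sentinel used by DetectSslVersionMatch would document why the two must stay above every version index.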