From: Mats Klepsland
Date: Mon, 29 Oct 2018 19:56:51 +0000 (+0100)
Subject: app-layer-ssl: decode early data extension in ClientHello record
X-Git-Tag: suricata-4.1.0~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23993c18cdc91a184aae4dcaab4267e706b21fed;p=thirdparty%2Fsuricata.git
app-layer-ssl: decode early data extension in ClientHello record
Decode early data extension used by 0-RTT that is used to indicate that application data will be sent right after the ClientHello record.
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index b6a5c9b30d..d2a0cc3022 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1174,6 +1174,19 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 break;
 }
+ case SSL_EXTENSION_EARLY_DATA:
+ {
+ if (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
+ /* Used by 0-RTT to indicate that encrypted data will
+ be sent right after the ClientHello record. */
+ ssl_state->flags |= SSL_AL_FLAG_EARLY_DATA;
+ }
+
+ input += ext_len;
+
+ break;
+ }
+
 case SSL_EXTENSION_SUPPORTED_VERSIONS:
 {
 ret = TLSDecodeHSHelloExtensionSupportedVersions(ssl_state, input,
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 468f445302..d5e4adb03d 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -110,6 +110,10 @@ enum {
 to log TLSv1.3 sessions. */
 #define SSL_AL_FLAG_LOG_WITHOUT_CERT BIT_U32(22)
+/* Encountered a early data extension in client hello. This extension is
+ used by 0-RTT. */
+#define SSL_AL_FLAG_EARLY_DATA BIT_U32(23)
+
 /* config flags */
 #define SSL_TLS_LOG_PEM (1 << 0)
@@ -118,6 +122,7 @@ enum {
 #define SSL_EXTENSION_ELLIPTIC_CURVES 0x000a
 #define SSL_EXTENSION_EC_POINT_FORMATS 0x000b
 #define SSL_EXTENSION_SESSION_TICKET 0x0023
+#define SSL_EXTENSION_EARLY_DATA 0x002a
 #define SSL_EXTENSION_SUPPORTED_VERSIONS 0x002b
 /* SNI types */
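Review bot: In src/app-layer-ssl.c, the new `SSL_EXTENSION_EARLY_DATA` case runs `input += ext_len;` with no length check visible in the hunk. `ext_len` is presumably parsed from the record, so unless the enclosing loop in TLSDecodeHSHelloExtensions (which starts and ends outside this hunk) already confirms that `ext_len` bytes remain, the cursor can move past the end of the buffer on a truncated or malformed ClientHello. RFC 8446 also defines early_data as an empty extension in a ClientHello, so a non-zero length there is malformed. I would guard the flag with `if (ext_len == 0 && (ssl_state->current_flags & SSL_AL_FLAG_STATE_CLIENT_HELLO))` and treat the non-zero case as a decode anomaly instead of skipping it silently.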
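Review bot: In src/app-layer-ssl.h, the comment above `SSL_AL_FLAG_EARLY_DATA` reads "a early data extension" and should read "an early data extension". The comment would be more useful to rule and logging authors if it said what the flag implies for the records that follow, for example `/* Encountered an early data extension in client hello; with 0-RTT, encrypted application data may directly follow the ClientHello. */`. Nothing in this diff reads the flag, so the comment is currently its only documentation.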