Coverage Report

Created: 2025-07-23 07:29

/src/suricata7/src/app-layer-ssl.h
Line
Count
Source (jump to first uncovered line)
1
/* Copyright (C) 2007-2022 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
/**
19
 * \file
20
 *
21
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22
 * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
23
 *
24
 */
25
26
#ifndef __APP_LAYER_SSL_H__
27
#define __APP_LAYER_SSL_H__
28
29
#include "util-ja3.h"
30
#include "rust.h"
31
32
enum TlsFrameTypes {
33
    TLS_FRAME_PDU = 0, /**< whole PDU, so header + data */
34
    TLS_FRAME_HDR,     /**< only header portion */
35
    TLS_FRAME_DATA,    /**< only data portion */
36
    TLS_FRAME_ALERT_DATA,
37
    TLS_FRAME_HB_DATA,
38
    TLS_FRAME_SSLV2_HDR,
39
    TLS_FRAME_SSLV2_PDU,
40
};
41
42
enum {
43
    /* TLS protocol messages */
44
    TLS_DECODER_EVENT_INVALID_SSLV2_HEADER,
45
    TLS_DECODER_EVENT_INVALID_TLS_HEADER,
46
    TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
47
    TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
48
    TLS_DECODER_EVENT_INVALID_RECORD_LENGTH,
49
    TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
50
    TLS_DECODER_EVENT_HEARTBEAT,
51
    TLS_DECODER_EVENT_INVALID_HEARTBEAT,
52
    TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT,
53
    TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH,
54
    TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH,
55
    TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
56
    TLS_DECODER_EVENT_INVALID_SNI_TYPE,
57
    TLS_DECODER_EVENT_INVALID_SNI_LENGTH,
58
    TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET,
59
    /* Certificates decoding messages */
60
    TLS_DECODER_EVENT_INVALID_CERTIFICATE,
61
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH,
62
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION,
63
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL,
64
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER,
65
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME,
66
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE,
67
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS,
68
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER,
69
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT,
70
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER,
71
    TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY,
72
    TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED,
73
    TLS_DECODER_EVENT_INVALID_SSL_RECORD,
74
};
75
76
enum {
77
    TLS_STATE_IN_PROGRESS = 0,
78
    TLS_STATE_CERT_READY = 1,
79
    TLS_HANDSHAKE_DONE = 2,
80
    TLS_STATE_FINISHED = 3
81
};
82
83
/* Flag to indicate that server will now on send encrypted msgs */
84
25.6k
#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC   BIT_U32(0)
85
/* Flag to indicate that client will now on send encrypted msgs */
86
39.3k
#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC   BIT_U32(1)
87
113k
#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC          BIT_U32(2)
88
89
/* SSL related flags */
90
46.9k
#define SSL_AL_FLAG_SSL_CLIENT_HS               BIT_U32(3)
91
33.3k
#define SSL_AL_FLAG_SSL_SERVER_HS               BIT_U32(4)
92
17.1k
#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY       BIT_U32(5)
93
21.7k
#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED    BIT_U32(6)
94
5.44k
#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED    BIT_U32(7)
95
18.5k
#define SSL_AL_FLAG_SSL_NO_SESSION_ID           BIT_U32(8)
96
97
/* flags specific to detect-ssl-state keyword */
98
721k
#define SSL_AL_FLAG_STATE_CLIENT_HELLO          BIT_U32(9)
99
911k
#define SSL_AL_FLAG_STATE_SERVER_HELLO          BIT_U32(10)
100
4.98k
#define SSL_AL_FLAG_STATE_CLIENT_KEYX           BIT_U32(11)
101
1.68k
#define SSL_AL_FLAG_STATE_SERVER_KEYX           BIT_U32(12)
102
19
#define SSL_AL_FLAG_STATE_UNKNOWN               BIT_U32(13)
103
104
/* flag to indicate that session is finished */
105
1.70M
#define SSL_AL_FLAG_STATE_FINISHED              BIT_U32(14)
106
107
/* flags specific to HeartBeat state */
108
23.2k
#define SSL_AL_FLAG_HB_INFLIGHT                 BIT_U32(15)
109
9.21k
#define SSL_AL_FLAG_HB_CLIENT_INIT              BIT_U32(16)
110
9.17k
#define SSL_AL_FLAG_HB_SERVER_INIT              BIT_U32(17)
111
112
/* flag to indicate that handshake is done */
113
1.75M
#define SSL_AL_FLAG_HANDSHAKE_DONE              BIT_U32(18)
114
115
/* Session resumed without a full handshake */
116
36.1k
#define SSL_AL_FLAG_SESSION_RESUMED             BIT_U32(20)
117
118
/* Encountered a supported_versions extension in client hello */
119
11.1k
#define SSL_AL_FLAG_CH_VERSION_EXTENSION        BIT_U32(21)
120
121
/* Log the session even without ever seeing a certificate. This is used
122
   to log TLSv1.3 sessions. */
123
56.3k
#define SSL_AL_FLAG_LOG_WITHOUT_CERT            BIT_U32(22)
124
125
/* Encountered a early data extension in client hello. This extension is
126
   used by 0-RTT. */
127
46.2k
#define SSL_AL_FLAG_EARLY_DATA                  BIT_U32(23)
128
129
/* flag to indicate that server random was filled */
130
42.4k
#define TLS_TS_RANDOM_SET BIT_U32(24)
131
132
/* flag to indicate that client random was filled */
133
43.2k
#define TLS_TC_RANDOM_SET BIT_U32(25)
134
135
736k
#define SSL_AL_FLAG_NEED_CLIENT_CERT BIT_U32(26)
136
137
/* config flags */
138
551k
#define SSL_TLS_LOG_PEM                         (1 << 0)
139
140
/* extensions */
141
43.9k
#define SSL_EXTENSION_SNI                       0x0000
142
7.90k
#define SSL_EXTENSION_ELLIPTIC_CURVES           0x000a
143
9.84k
#define SSL_EXTENSION_EC_POINT_FORMATS          0x000b
144
6.03k
#define SSL_EXTENSION_SIGNATURE_ALGORITHMS      0x000d
145
10.1k
#define SSL_EXTENSION_ALPN                      0x0010
146
8.23k
#define SSL_EXTENSION_SESSION_TICKET            0x0023
147
649
#define SSL_EXTENSION_EARLY_DATA                0x002a
148
12.8k
#define SSL_EXTENSION_SUPPORTED_VERSIONS        0x002b
149
150
/* SNI types */
151
18.5k
#define SSL_SNI_TYPE_HOST_NAME                  0
152
153
/* Max string length of the TLS version string */
154
#define SSL_VERSION_MAX_STRLEN 20
155
156
/* TLS random bytes for the sticky buffer */
157
147k
#define TLS_RANDOM_LEN 32
158
159
/* SSL versions.  We'll use a unified format for all, with the top byte
160
 * holding the major version and the lower byte the minor version */
161
enum {
162
    TLS_VERSION_UNKNOWN = 0x0000,
163
    SSL_VERSION_2 = 0x0200,
164
    SSL_VERSION_3 = 0x0300,
165
    TLS_VERSION_10 = 0x0301,
166
    TLS_VERSION_11 = 0x0302,
167
    TLS_VERSION_12 = 0x0303,
168
    TLS_VERSION_13 = 0x0304,
169
    TLS_VERSION_13_DRAFT28 = 0x7f1c,
170
    TLS_VERSION_13_DRAFT27 = 0x7f1b,
171
    TLS_VERSION_13_DRAFT26 = 0x7f1a,
172
    TLS_VERSION_13_DRAFT25 = 0x7f19,
173
    TLS_VERSION_13_DRAFT24 = 0x7f18,
174
    TLS_VERSION_13_DRAFT23 = 0x7f17,
175
    TLS_VERSION_13_DRAFT22 = 0x7f16,
176
    TLS_VERSION_13_DRAFT21 = 0x7f15,
177
    TLS_VERSION_13_DRAFT20 = 0x7f14,
178
    TLS_VERSION_13_DRAFT19 = 0x7f13,
179
    TLS_VERSION_13_DRAFT18 = 0x7f12,
180
    TLS_VERSION_13_DRAFT17 = 0x7f11,
181
    TLS_VERSION_13_DRAFT16 = 0x7f10,
182
    TLS_VERSION_13_PRE_DRAFT16 = 0x7f01,
183
    TLS_VERSION_13_DRAFT20_FB = 0xfb14,
184
    TLS_VERSION_13_DRAFT21_FB = 0xfb15,
185
    TLS_VERSION_13_DRAFT22_FB = 0xfb16,
186
    TLS_VERSION_13_DRAFT23_FB = 0xfb17,
187
    TLS_VERSION_13_DRAFT26_FB = 0xfb1a,
188
};
189
190
static inline bool TLSVersionValid(const uint16_t version)
191
142k
{
192
142k
    switch (version) {
193
2.78k
        case TLS_VERSION_13:
194
31.0k
        case TLS_VERSION_12:
195
45.3k
        case TLS_VERSION_11:
196
81.8k
        case TLS_VERSION_10:
197
85.9k
        case SSL_VERSION_3:
198
199
87.1k
        case TLS_VERSION_13_DRAFT28:
200
88.8k
        case TLS_VERSION_13_DRAFT27:
201
89.9k
        case TLS_VERSION_13_DRAFT26:
202
90.6k
        case TLS_VERSION_13_DRAFT25:
203
91.7k
        case TLS_VERSION_13_DRAFT24:
204
105k
        case TLS_VERSION_13_DRAFT23:
205
106k
        case TLS_VERSION_13_DRAFT22:
206
108k
        case TLS_VERSION_13_DRAFT21:
207
109k
        case TLS_VERSION_13_DRAFT20:
208
110k
        case TLS_VERSION_13_DRAFT19:
209
112k
        case TLS_VERSION_13_DRAFT18:
210
113k
        case TLS_VERSION_13_DRAFT17:
211
117k
        case TLS_VERSION_13_DRAFT16:
212
118k
        case TLS_VERSION_13_PRE_DRAFT16:
213
120k
        case TLS_VERSION_13_DRAFT20_FB:
214
128k
        case TLS_VERSION_13_DRAFT21_FB:
215
134k
        case TLS_VERSION_13_DRAFT22_FB:
216
135k
        case TLS_VERSION_13_DRAFT23_FB:
217
135k
        case TLS_VERSION_13_DRAFT26_FB:
218
135k
            return true;
219
142k
    }
220
6.38k
    return false;
221
142k
}
Unexecuted instantiation: app-layer-parser.c:TLSVersionValid
app-layer-ssl.c:TLSVersionValid
Line
Count
Source
191
142k
{
192
142k
    switch (version) {
193
2.78k
        case TLS_VERSION_13:
194
31.0k
        case TLS_VERSION_12:
195
45.3k
        case TLS_VERSION_11:
196
81.8k
        case TLS_VERSION_10:
197
85.9k
        case SSL_VERSION_3:
198
199
87.1k
        case TLS_VERSION_13_DRAFT28:
200
88.8k
        case TLS_VERSION_13_DRAFT27:
201
89.9k
        case TLS_VERSION_13_DRAFT26:
202
90.6k
        case TLS_VERSION_13_DRAFT25:
203
91.7k
        case TLS_VERSION_13_DRAFT24:
204
105k
        case TLS_VERSION_13_DRAFT23:
205
106k
        case TLS_VERSION_13_DRAFT22:
206
108k
        case TLS_VERSION_13_DRAFT21:
207
109k
        case TLS_VERSION_13_DRAFT20:
208
110k
        case TLS_VERSION_13_DRAFT19:
209
112k
        case TLS_VERSION_13_DRAFT18:
210
113k
        case TLS_VERSION_13_DRAFT17:
211
117k
        case TLS_VERSION_13_DRAFT16:
212
118k
        case TLS_VERSION_13_PRE_DRAFT16:
213
120k
        case TLS_VERSION_13_DRAFT20_FB:
214
128k
        case TLS_VERSION_13_DRAFT21_FB:
215
134k
        case TLS_VERSION_13_DRAFT22_FB:
216
135k
        case TLS_VERSION_13_DRAFT23_FB:
217
135k
        case TLS_VERSION_13_DRAFT26_FB:
218
135k
            return true;
219
142k
    }
220
6.38k
    return false;
221
142k
}
Unexecuted instantiation: util-ja3.c:TLSVersionValid
Unexecuted instantiation: detect-ja4-hash.c:TLSVersionValid
Unexecuted instantiation: detect-ssl-state.c:TLSVersionValid
Unexecuted instantiation: detect-ssl-version.c:TLSVersionValid
Unexecuted instantiation: detect-tls.c:TLSVersionValid
Unexecuted instantiation: detect-tls-cert-fingerprint.c:TLSVersionValid
Unexecuted instantiation: detect-tls-cert-issuer.c:TLSVersionValid
Unexecuted instantiation: detect-tls-certs.c:TLSVersionValid
Unexecuted instantiation: detect-tls-cert-serial.c:TLSVersionValid
Unexecuted instantiation: detect-tls-cert-subject.c:TLSVersionValid
Unexecuted instantiation: detect-tls-cert-validity.c:TLSVersionValid
Unexecuted instantiation: detect-tls-ja3-hash.c:TLSVersionValid
Unexecuted instantiation: detect-tls-ja3s-hash.c:TLSVersionValid
Unexecuted instantiation: detect-tls-ja3s-string.c:TLSVersionValid
Unexecuted instantiation: detect-tls-ja3-string.c:TLSVersionValid
Unexecuted instantiation: detect-tls-sni.c:TLSVersionValid
Unexecuted instantiation: detect-tls-version.c:TLSVersionValid
Unexecuted instantiation: detect-tls-random.c:TLSVersionValid
Unexecuted instantiation: output.c:TLSVersionValid
Unexecuted instantiation: output-json-alert.c:TLSVersionValid
Unexecuted instantiation: output-json-quic.c:TLSVersionValid
Unexecuted instantiation: output-json-tls.c:TLSVersionValid
Unexecuted instantiation: log-tlslog.c:TLSVersionValid
Unexecuted instantiation: log-tlsstore.c:TLSVersionValid
222
223
typedef struct SSLCertsChain_ {
224
    uint8_t *cert_data;
225
    uint32_t cert_len;
226
    TAILQ_ENTRY(SSLCertsChain_) next;
227
} SSLCertsChain;
228
229
230
typedef struct SSLStateConnp_ {
231
    /* record length */
232
    uint32_t record_length;
233
    /* record length's length for SSLv2 */
234
    uint32_t record_lengths_length;
235
236
    /* offset of the beginning of the current message (including header) */
237
    uint32_t message_length;
238
239
    uint16_t version;
240
    uint8_t content_type;
241
242
    uint8_t handshake_type;
243
244
    /* the no of bytes processed in the currently parsed record */
245
    uint32_t bytes_processed;
246
247
    uint16_t session_id_length;
248
249
    uint8_t random[TLS_RANDOM_LEN];
250
    char *cert0_subject;
251
    char *cert0_issuerdn;
252
    char *cert0_serial;
253
    int64_t cert0_not_before;
254
    int64_t cert0_not_after;
255
    char *cert0_fingerprint;
256
257
    /* ssl server name indication extension */
258
    char *sni;
259
260
    char *session_id;
261
262
    TAILQ_HEAD(, SSLCertsChain_) certs;
263
264
    uint8_t *certs_buffer;
265
    uint32_t certs_buffer_size;
266
267
    uint32_t cert_log_flag;
268
269
    JA3Buffer *ja3_str;
270
    char *ja3_hash;
271
272
    JA4 *ja4;
273
274
    /* handshake tls fragmentation buffer. Handshake messages can be fragmented over multiple
275
     * TLS records. */
276
    uint8_t *hs_buffer;
277
    uint8_t hs_buffer_message_type;
278
    uint32_t hs_buffer_message_size;
279
    uint32_t hs_buffer_size;   /**< allocation size */
280
    uint32_t hs_buffer_offset; /**< write offset */
281
} SSLStateConnp;
282
283
/**
284
 * \brief SSLv[2.0|3.[0|1|2|3]] state structure.
285
 *
286
 *        Structure to store the SSL state values.
287
 */
288
typedef struct SSLState_ {
289
    Flow *f;
290
291
    AppLayerStateData state_data;
292
    AppLayerTxData tx_data;
293
294
    /* holds some state flags we need */
295
    uint32_t flags;
296
297
    /* there might be a better place to store this*/
298
    uint32_t hb_record_len;
299
300
    uint16_t events;
301
302
    uint32_t current_flags;
303
304
    SSLStateConnp *curr_connp;
305
306
    SSLStateConnp client_connp;
307
    SSLStateConnp server_connp;
308
} SSLState;
309
310
void RegisterSSLParsers(void);
311
void SSLVersionToString(uint16_t, char *);
312
void SSLEnableJA3(void);
313
bool SSLJA3IsEnabled(void);
314
void SSLEnableJA4(void);
315
bool SSLJA4IsEnabled(void);
316
317
#endif /* __APP_LAYER_SSL_H__ */