50
54
#include "util-byte.h"
56
SCEnumCharMap tls_decoder_event_table[ ] = {
57
/* TLS protocol messages */
58
{ "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
59
{ "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER },
60
{ "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
61
{ "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
62
/* Certificates decoding messages */
63
{ "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
64
{ "CERTIFICATE_MISSING_ELEMENT", TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT },
65
{ "CERTIFICATE_UNKNOWN_ELEMENT", TLS_DECODER_EVENT_CERTIFICATE_UNKNOWN_ELEMENT },
66
{ "CERTIFICATE_INVALID_LENGTH", TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH },
67
{ "CERTIFICATE_INVALID_STRING", TLS_DECODER_EVENT_CERTIFICATE_INVALID_STRING },
68
{ "ERROR_MESSAGE_ENCOUNTERED", TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED },
52
72
typedef struct SslConfig_ {
99
121
uint8_t *initial_input = input;
100
122
uint32_t parsed = 0;
102
125
if (input_len == 0) {
106
switch (ssl_state->handshake_type) {
129
switch (ssl_state->curr_connp->handshake_type) {
107
130
case SSLV3_HS_CLIENT_HELLO:
108
131
ssl_state->flags |= SSL_AL_FLAG_STATE_CLIENT_HELLO;
110
switch (ssl_state->bytes_processed) {
112
ssl_state->bytes_processed++;
113
ssl_state->handshake_client_hello_ssl_version = *(input++) << 8;
114
if (--input_len == 0)
117
ssl_state->bytes_processed++;
118
ssl_state->handshake_client_hello_ssl_version |= *(input++);
119
if (--input_len == 0)
124
134
case SSLV3_HS_SERVER_HELLO:
125
135
ssl_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO;
127
switch (ssl_state->bytes_processed) {
129
ssl_state->bytes_processed++;
130
ssl_state->handshake_server_hello_ssl_version = *(input++) << 8;
131
if (--input_len == 0)
134
ssl_state->bytes_processed++;
135
ssl_state->handshake_server_hello_ssl_version |= *(input++);
136
if (--input_len == 0)
141
139
case SSLV3_HS_SERVER_KEY_EXCHANGE:
146
144
ssl_state->flags |= SSL_AL_FLAG_STATE_CLIENT_KEYX;
147
case SSLV3_HS_CERTIFICATE:
148
if (ssl_state->curr_connp->trec == NULL) {
149
ssl_state->curr_connp->trec_len = 2 * ssl_state->curr_connp->record_length + SSLV3_RECORD_LEN + 1;
150
ssl_state->curr_connp->trec = SCMalloc( ssl_state->curr_connp->trec_len );
152
if (ssl_state->curr_connp->trec_pos + input_len >= ssl_state->curr_connp->trec_len) {
153
ssl_state->curr_connp->trec_len = ssl_state->curr_connp->trec_len + 2 * input_len + 1;
154
ssl_state->curr_connp->trec = SCRealloc( ssl_state->curr_connp->trec, ssl_state->curr_connp->trec_len );
156
if (ssl_state->curr_connp->trec == NULL) {
157
ssl_state->curr_connp->trec_len = 0;
158
/* error, skip packet */
160
ssl_state->curr_connp->bytes_processed += input_len;
163
memcpy(ssl_state->curr_connp->trec + ssl_state->curr_connp->trec_pos, initial_input, input_len);
164
ssl_state->curr_connp->trec_pos += input_len;
166
rc = DecodeTLSHandshakeServerCertificate(ssl_state, ssl_state->curr_connp->trec, ssl_state->curr_connp->trec_pos);
168
/* do not return normally if the packet was fragmented:
169
* we would return the size of the *entire* message,
170
* while we expect only the number of bytes parsed bytes
171
* from the *current* fragment
173
uint32_t diff = input_len - (ssl_state->curr_connp->trec_pos - rc);
174
ssl_state->curr_connp->bytes_processed += diff;
149
178
case SSLV3_HS_HELLO_REQUEST:
150
case SSLV3_HS_CERTIFICATE:
151
179
case SSLV3_HS_CERTIFICATE_REQUEST:
152
180
case SSLV3_HS_CERTIFICATE_VERIFY:
153
181
case SSLV3_HS_FINISHED:
161
/* looks like we have another record */
162
parsed += (input - initial_input);
163
if ((input_len + ssl_state->bytes_processed) >= ssl_state->record_length + SSLV3_RECORD_LEN) {
164
uint32_t diff = ssl_state->record_length + SSLV3_RECORD_LEN - ssl_state->bytes_processed;
166
ssl_state->bytes_processed += diff;
169
/* we still don't have the entire record for the one we are
170
* currently parsing */
189
/* skip the rest of the current message */
190
uint32_t next_msg_offset = ssl_state->curr_connp->message_start + SSLV3_MESSAGE_HDR_LEN + ssl_state->curr_connp->message_length;
191
if (ssl_state->curr_connp->bytes_processed + input_len < next_msg_offset) {
192
/* we don't have enough data */
172
193
parsed += input_len;
173
ssl_state->bytes_processed += input_len;
194
ssl_state->curr_connp->bytes_processed += input_len;
197
uint32_t diff = next_msg_offset - ssl_state->curr_connp->bytes_processed;
199
ssl_state->curr_connp->bytes_processed += diff;
178
203
static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, uint8_t *input,
179
204
uint32_t input_len)
181
206
uint8_t *initial_input = input;
183
209
if (input_len == 0) {
187
switch (ssl_state->bytes_processed) {
189
if (input_len >= 4) {
190
ssl_state->handshake_type = *(input++);
193
ssl_state->bytes_processed += 4;
196
ssl_state->handshake_type = *(input++);
197
ssl_state->bytes_processed++;
198
if (--input_len == 0)
202
ssl_state->bytes_processed++;
204
if (--input_len == 0)
207
ssl_state->bytes_processed++;
209
if (--input_len == 0)
212
ssl_state->bytes_processed++;
214
if (--input_len == 0)
219
return (input - initial_input);
221
int retval = SSLv3ParseHandshakeType(ssl_state, input, input_len);
226
return (input - initial_input);
213
if (ssl_state->curr_connp->message_start == 0) {
214
ssl_state->curr_connp->message_start = SSLV3_RECORD_LEN;
217
switch (ssl_state->curr_connp->bytes_processed - ssl_state->curr_connp->message_start) {
219
ssl_state->curr_connp->handshake_type = *(input++);
220
ssl_state->curr_connp->bytes_processed++;
221
if (--input_len == 0)
224
ssl_state->curr_connp->message_length = *(input++) << 16;
225
ssl_state->curr_connp->bytes_processed++;
226
if (--input_len == 0)
229
ssl_state->curr_connp->message_length |= *(input++) << 8;
230
ssl_state->curr_connp->bytes_processed++;
231
if (--input_len == 0)
234
ssl_state->curr_connp->message_length |= *(input++);
235
ssl_state->curr_connp->bytes_processed++;
236
if (--input_len == 0)
240
retval = SSLv3ParseHandshakeType(ssl_state, input, input_len);
246
uint32_t next_msg_offset = ssl_state->curr_connp->message_start + SSLV3_MESSAGE_HDR_LEN + ssl_state->curr_connp->message_length;
247
if (ssl_state->curr_connp->bytes_processed == next_msg_offset) {
248
ssl_state->curr_connp->handshake_type = 0;
249
ssl_state->curr_connp->message_length = 0;
250
ssl_state->curr_connp->message_start = next_msg_offset;
251
} else if (ssl_state->curr_connp->bytes_processed > next_msg_offset) {
255
return (input - initial_input);
230
258
static int SSLv3ParseRecord(uint8_t direction, SSLState *ssl_state,
239
switch (ssl_state->bytes_processed) {
267
switch (ssl_state->curr_connp->bytes_processed) {
241
269
if (input_len >= 5) {
243
ssl_state->cur_content_type = input[0];
244
if (direction == 0) {
245
ssl_state->client_content_type = input[0];
246
ssl_state->client_version = input[1] << 8;
247
ssl_state->client_version |= input[2];
251
ssl_state->server_content_type = input[0];
252
ssl_state->server_version = input[1] << 8;
253
ssl_state->server_version |= input[2];
255
ssl_state->record_length = input[3] << 8;
256
ssl_state->record_length |= input[4];
257
ssl_state->bytes_processed += SSLV3_RECORD_LEN;
270
ssl_state->curr_connp->content_type = input[0];
271
ssl_state->curr_connp->version = input[1] << 8;
272
ssl_state->curr_connp->version |= input[2];
273
ssl_state->curr_connp->record_length = input[3] << 8;
274
ssl_state->curr_connp->record_length |= input[4];
275
ssl_state->curr_connp->bytes_processed += SSLV3_RECORD_LEN;
258
276
return SSLV3_RECORD_LEN;
260
ssl_state->cur_content_type = *input;
261
if (direction == 0) {
262
ssl_state->client_content_type = *(input++);
264
ssl_state->server_content_type = *(input++);
278
ssl_state->curr_connp->content_type = *(input++);
266
279
if (--input_len == 0)
270
if (direction == 0) {
271
ssl_state->client_version = *(input++) << 8;
273
ssl_state->server_version = *(input++) << 8;
283
ssl_state->curr_connp->version = *(input++) << 8;
275
284
if (--input_len == 0)
278
if (direction == 0) {
279
ssl_state->client_version |= *(input++);
281
ssl_state->server_version |= *(input++);
287
ssl_state->curr_connp->version |= *(input++);
283
288
if (--input_len == 0)
286
ssl_state->record_length = *(input++) << 8;
291
ssl_state->curr_connp->record_length = *(input++) << 8;
287
292
if (--input_len == 0)
290
ssl_state->record_length |= *(input++);
291
if (ssl_state->record_length <= SSLV3_RECORD_LEN)
295
ssl_state->curr_connp->record_length |= *(input++);
296
if (ssl_state->curr_connp->record_length <= SSLV3_RECORD_LEN)
293
298
if (--input_len == 0)
295
} /* switch (ssl_state->bytes_processed) */
300
} /* switch (ssl_state->curr_connp->bytes_processed) */
297
ssl_state->bytes_processed += (input - initial_input);
302
ssl_state->curr_connp->bytes_processed += (input - initial_input);
299
304
return (input - initial_input);
311
if (ssl_state->record_lengths_length == 2) {
312
switch (ssl_state->bytes_processed) {
316
if (ssl_state->curr_connp->record_lengths_length == 2) {
317
switch (ssl_state->curr_connp->bytes_processed) {
314
if (input_len >= ssl_state->record_lengths_length + 1) {
315
ssl_state->record_length = (0x7f & input[0]) << 8 | input[1];
316
ssl_state->cur_content_type = input[2];
317
if (direction == 0) {
318
ssl_state->client_content_type = input[2];
319
ssl_state->client_version = SSL_VERSION_2;
321
ssl_state->server_content_type = input[2];
322
ssl_state->server_version = SSL_VERSION_2;
324
ssl_state->bytes_processed += 3;
319
if (input_len >= ssl_state->curr_connp->record_lengths_length + 1) {
320
ssl_state->curr_connp->record_length = (0x7f & input[0]) << 8 | input[1];
321
ssl_state->curr_connp->content_type = input[2];
322
ssl_state->curr_connp->version = SSL_VERSION_2;
323
ssl_state->curr_connp->bytes_processed += 3;
327
ssl_state->record_length = (0x7f & *(input++)) << 8;
326
ssl_state->curr_connp->record_length = (0x7f & *(input++)) << 8;
328
327
if (--input_len == 0)
333
ssl_state->record_length |= *(input++);
332
ssl_state->curr_connp->record_length |= *(input++);
334
333
if (--input_len == 0)
337
ssl_state->cur_content_type = *input;
338
if (direction == 0) {
339
ssl_state->client_content_type = *(input++);
340
ssl_state->client_version = SSL_VERSION_2;
342
ssl_state->server_content_type = *(input++);
343
ssl_state->server_version = SSL_VERSION_2;
336
ssl_state->curr_connp->content_type = *(input++);
337
ssl_state->curr_connp->version = SSL_VERSION_2;
345
338
if (--input_len == 0)
347
} /* switch (ssl_state->bytes_processed) */
340
} /* switch (ssl_state->curr_connp->bytes_processed) */
350
switch (ssl_state->bytes_processed) {
343
switch (ssl_state->curr_connp->bytes_processed) {
352
if (input_len >= ssl_state->record_lengths_length + 1) {
353
ssl_state->record_length = (0x3f & input[0]) << 8 | input[1];
354
ssl_state->cur_content_type = input[3];
355
if (direction == 0) {
356
ssl_state->client_content_type = input[3];
357
ssl_state->client_version = SSL_VERSION_2;
359
ssl_state->server_content_type = input[3];
360
ssl_state->server_version = SSL_VERSION_2;
362
ssl_state->bytes_processed += 4;
345
if (input_len >= ssl_state->curr_connp->record_lengths_length + 1) {
346
ssl_state->curr_connp->record_length = (0x3f & input[0]) << 8 | input[1];
347
ssl_state->curr_connp->content_type = input[3];
348
ssl_state->curr_connp->version = SSL_VERSION_2;
349
ssl_state->curr_connp->bytes_processed += 4;
365
ssl_state->record_length = (0x3f & *(input++)) << 8;
352
ssl_state->curr_connp->record_length = (0x3f & *(input++)) << 8;
366
353
if (--input_len == 0)
371
ssl_state->record_length |= *(input++);
358
ssl_state->curr_connp->record_length |= *(input++);
372
359
if (--input_len == 0)
405
386
uint8_t *initial_input = input;
407
if (ssl_state->bytes_processed == 0) {
388
if (ssl_state->curr_connp->bytes_processed == 0) {
408
389
if (input[0] & 0x80) {
409
ssl_state->record_lengths_length = 2;
390
ssl_state->curr_connp->record_lengths_length = 2;
411
ssl_state->record_lengths_length = 3;
392
ssl_state->curr_connp->record_lengths_length = 3;
415
396
/* the + 1 because, we also read one extra byte inside SSLv2ParseRecord
416
397
* to read the msg_type */
417
if (ssl_state->bytes_processed < (ssl_state->record_lengths_length + 1)) {
398
if (ssl_state->curr_connp->bytes_processed < (ssl_state->curr_connp->record_lengths_length + 1)) {
418
399
retval = SSLv2ParseRecord(direction, ssl_state, input, input_len);
419
400
if (retval == -1) {
420
SCLogDebug("Error parsing SSLv2Header");
401
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_SSLV2_HEADER);
441
423
ssl_state->flags |= SSL_AL_FLAG_STATE_CLIENT_HELLO;
442
424
ssl_state->flags |= SSL_AL_FLAG_SSL_CLIENT_HS;
444
if (ssl_state->record_lengths_length == 3) {
445
switch (ssl_state->bytes_processed) {
426
if (ssl_state->curr_connp->record_lengths_length == 3) {
427
switch (ssl_state->curr_connp->bytes_processed) {
447
429
if (input_len >= 6) {
448
ssl_state->session_id_length = input[4] << 8;
449
ssl_state->session_id_length |= input[5];
430
ssl_state->curr_connp->session_id_length = input[4] << 8;
431
ssl_state->curr_connp->session_id_length |= input[5];
452
ssl_state->bytes_processed += 6;
453
if (ssl_state->session_id_length == 0) {
434
ssl_state->curr_connp->bytes_processed += 6;
435
if (ssl_state->curr_connp->session_id_length == 0) {
454
436
ssl_state->flags |= SSL_AL_FLAG_SSL_NO_SESSION_ID;
459
ssl_state->bytes_processed++;
441
ssl_state->curr_connp->bytes_processed++;
460
442
if (--input_len == 0)
465
ssl_state->bytes_processed++;
447
ssl_state->curr_connp->bytes_processed++;
466
448
if (--input_len == 0)
470
ssl_state->bytes_processed++;
452
ssl_state->curr_connp->bytes_processed++;
471
453
if (--input_len == 0)
475
ssl_state->bytes_processed++;
457
ssl_state->curr_connp->bytes_processed++;
476
458
if (--input_len == 0)
479
ssl_state->session_id_length = *(input++) << 8;
480
ssl_state->bytes_processed++;
461
ssl_state->curr_connp->session_id_length = *(input++) << 8;
462
ssl_state->curr_connp->bytes_processed++;
481
463
if (--input_len == 0)
484
ssl_state->session_id_length |= *(input++);
485
ssl_state->bytes_processed++;
466
ssl_state->curr_connp->session_id_length |= *(input++);
467
ssl_state->curr_connp->bytes_processed++;
486
468
if (--input_len == 0)
488
} /* switch (ssl_state->bytes_processed) */
470
} /* switch (ssl_state->curr_connp->bytes_processed) */
490
/* ssl_state->record_lengths_length is 3 */
472
/* ssl_state->curr_connp->record_lengths_length is 3 */
492
switch (ssl_state->bytes_processed) {
474
switch (ssl_state->curr_connp->bytes_processed) {
494
476
if (input_len >= 6) {
495
ssl_state->session_id_length = input[4] << 8;
496
ssl_state->session_id_length |= input[5];
477
ssl_state->curr_connp->session_id_length = input[4] << 8;
478
ssl_state->curr_connp->session_id_length |= input[5];
499
ssl_state->bytes_processed += 6;
500
if (ssl_state->session_id_length == 0) {
481
ssl_state->curr_connp->bytes_processed += 6;
482
if (ssl_state->curr_connp->session_id_length == 0) {
501
483
ssl_state->flags |= SSL_AL_FLAG_SSL_NO_SESSION_ID;
506
ssl_state->bytes_processed++;
488
ssl_state->curr_connp->bytes_processed++;
507
489
if (--input_len == 0)
512
ssl_state->bytes_processed++;
494
ssl_state->curr_connp->bytes_processed++;
513
495
if (--input_len == 0)
517
ssl_state->bytes_processed++;
499
ssl_state->curr_connp->bytes_processed++;
518
500
if (--input_len == 0)
522
ssl_state->bytes_processed++;
504
ssl_state->curr_connp->bytes_processed++;
523
505
if (--input_len == 0)
526
ssl_state->session_id_length = *(input++) << 8;
527
ssl_state->bytes_processed++;
508
ssl_state->curr_connp->session_id_length = *(input++) << 8;
509
ssl_state->curr_connp->bytes_processed++;
528
510
if (--input_len == 0)
531
ssl_state->session_id_length |= *(input++);
532
ssl_state->bytes_processed++;
513
ssl_state->curr_connp->session_id_length |= *(input++);
514
ssl_state->curr_connp->bytes_processed++;
533
515
if (--input_len == 0)
535
} /* switch (ssl_state->bytes_processed) */
536
} /* else - if (ssl_state->record_lengths_length == 3) */
517
} /* switch (ssl_state->curr_connp->bytes_processed) */
518
} /* else - if (ssl_state->curr_connp->record_lengths_length == 3) */
662
644
pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY;
665
649
case SSLV3_HANDSHAKE_PROTOCOL:
666
650
if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC)
669
653
retval = SSLv3ParseHandshakeProtocol(ssl_state, input + parsed, input_len);
671
SCLogDebug("Error parsing SSLv3.x. Let's get outta here");
655
AppLayerDecoderEventsSetEvent(ssl_state->f, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
658
if ((uint32_t)retval > input_len) {
659
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
660
"state. Let's get outta here");
661
SSLParserReset(ssl_state);
674
664
parsed += retval;
675
665
input_len -= retval;
676
if (ssl_state->bytes_processed == ssl_state->record_length + SSLV3_RECORD_LEN) {
666
if (ssl_state->curr_connp->bytes_processed == ssl_state->curr_connp->record_length + SSLV3_RECORD_LEN) {
677
667
SSLParserReset(ssl_state);
724
716
* \retval >=0 On success.
726
static int SSLDecode(uint8_t direction, void *alstate, AppLayerParserState *pstate,
727
uint8_t *input, uint32_t input_len)
718
static int SSLDecode(Flow *f, uint8_t direction, void *alstate, AppLayerParserState *pstate,
719
uint8_t *input, uint32_t ilen)
729
721
SSLState *ssl_state = (SSLState *)alstate;
731
723
uint8_t counter = 0;
725
int32_t input_len = (int32_t)ilen;
730
ssl_state->curr_connp = &ssl_state->client_connp;
732
ssl_state->curr_connp = &ssl_state->server_connp;
733
734
/* if we have more than one record */
735
while (input_len > 0) {
735
736
if (counter++ == 30) {
736
737
SCLogDebug("Looks like we have looped quite a bit. Reset state "
737
738
"and get out of here");
738
739
SSLParserReset(ssl_state);
742
/* ssl_state->bytes_processed is either ways it is either 0 for a
743
/* ssl_state->bytes_processed is 0 for a
743
744
* fresh record or positive to indicate a record currently being
745
switch (ssl_state->bytes_processed) {
746
switch (ssl_state->curr_connp->bytes_processed) {
746
747
/* fresh record */
748
749
/* only SSLv2, has one of the top 2 bits set */
749
750
if (input[0] & 0x80 || input[0] & 0x40) {
750
751
SCLogDebug("SSLv2 detected");
751
ssl_state->cur_ssl_version = SSL_VERSION_2;
752
ssl_state->curr_connp->version = SSL_VERSION_2;
752
753
retval = SSLv2Decode(direction, ssl_state, pstate, input,
755
756
SCLogDebug("Error parsing SSLv2.x. Reseting parser "
756
757
"state. Let's get outta here");
757
758
SSLParserReset(ssl_state);
760
761
input_len -= retval;
764
765
SCLogDebug("SSLv3.x detected");
766
/* we will keep it this way till our record parser tells
767
* us what exact version it is */
768
ssl_state->curr_connp->version = TLS_VERSION_UNKNOWN;
765
769
retval = SSLv3Decode(direction, ssl_state, pstate, input,
768
772
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
769
773
"state. Let's get outta here");
770
774
SSLParserReset(ssl_state);
773
777
input_len -= retval;
779
if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_LEN
780
&& ssl_state->curr_connp->record_length == 0) {
782
SSLParserReset(ssl_state);
799
808
"previously left off");
800
809
retval = SSLv3Decode(direction, ssl_state, pstate, input,
803
812
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
804
813
"state. Let's get outta here");
805
814
SSLParserReset(ssl_state);
817
if (retval > input_len) {
818
SCLogDebug("Error parsing SSLv3.x. Reseting parser "
819
"state. Let's get outta here");
820
SSLParserReset(ssl_state);
808
822
input_len -= retval;
824
if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_LEN
825
&& ssl_state->curr_connp->record_length == 0) {
827
SSLParserReset(ssl_state);
814
} /* switch (ssl_state->bytes_processed) */
833
} /* switch (ssl_state->curr_connp->bytes_processed) */
815
834
} /* while (input_len) */
821
840
uint8_t *input, uint32_t input_len,
822
841
void *local_data, AppLayerParserResult *output)
824
return SSLDecode(0 /* toserver */, alstate, pstate, input, input_len);
843
return SSLDecode(f, 0 /* toserver */, alstate, pstate, input, input_len);
827
846
int SSLParseServerRecord(Flow *f, void *alstate, AppLayerParserState *pstate,
828
847
uint8_t *input, uint32_t input_len,
829
848
void *local_data, AppLayerParserResult *output)
831
return SSLDecode(1 /* toclient */, alstate, pstate, input, input_len);
850
return SSLDecode(f, 1 /* toclient */, alstate, pstate, input, input_len);
852
871
void SSLStateFree(void *p)
873
SSLState *ssl_state = (SSLState *)p;
875
if (ssl_state->client_connp.trec)
876
SCFree(ssl_state->client_connp.trec);
877
if (ssl_state->client_connp.cert0_subject)
878
SCFree(ssl_state->client_connp.cert0_subject);
879
if (ssl_state->client_connp.cert0_issuerdn)
880
SCFree(ssl_state->client_connp.cert0_issuerdn);
882
if (ssl_state->server_connp.trec)
883
SCFree(ssl_state->server_connp.trec);
884
if (ssl_state->server_connp.cert0_subject)
885
SCFree(ssl_state->server_connp.cert0_subject);
886
if (ssl_state->server_connp.cert0_issuerdn)
887
SCFree(ssl_state->server_connp.cert0_issuerdn);
894
static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen)
896
/* probably a rst/fin sending an eof */
898
return ALPROTO_UNKNOWN;
900
/* for now just the 3 byte header ones */
901
/* \todo Detect the 2 byte ones */
902
if ((input[0] & 0x80) && (input[2] == 0x01)) {
906
return ALPROTO_FAILED;
860
910
* \brief Function to register the SSL protocol parser and other functions
862
912
void RegisterSSLParsers(void)
914
char *proto_name = "tls";
864
916
/** SSLv2 and SSLv23*/
865
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER);
917
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 00 02|", 5, 2, STREAM_TOSERVER);
866
918
/* subsection - SSLv2 style record by client, but informing the server the max
867
919
* version it supports */
868
920
/* Updated by Anoop Saldanha. Disabled it for now. We'll get back to it
871
923
//AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|00 02|", 7, 5, STREAM_TOCLIENT);
874
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER);
875
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */
926
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 00|", 3, 0, STREAM_TOSERVER);
927
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 00|", 3, 0, STREAM_TOSERVER); /* client hello */
877
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER);
878
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */
929
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 01|", 3, 0, STREAM_TOSERVER);
930
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 01|", 3, 0, STREAM_TOSERVER); /* client hello */
880
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER);
881
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */
932
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 02|", 3, 0, STREAM_TOSERVER);
933
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 02|", 3, 0, STREAM_TOSERVER); /* client hello */
883
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
884
AlpProtoAdd(&alp_proto_ctx, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
935
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|01 03 03|", 3, 0, STREAM_TOSERVER);
936
AlpProtoAdd(&alp_proto_ctx, proto_name, IPPROTO_TCP, ALPROTO_TLS, "|16 03 03|", 3, 0, STREAM_TOSERVER); /* client hello */
886
AppLayerRegisterProto("tls", ALPROTO_TLS, STREAM_TOSERVER,
938
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOSERVER,
887
939
SSLParseClientRecord);
889
AppLayerRegisterProto("tls", ALPROTO_TLS, STREAM_TOCLIENT,
941
AppLayerRegisterProto(proto_name, ALPROTO_TLS, STREAM_TOCLIENT,
890
942
SSLParseServerRecord);
943
AppLayerDecoderEventsModuleRegister(ALPROTO_TLS, tls_decoder_event_table);
892
945
AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
947
AppLayerRegisterProbingParser(&alp_proto_ctx,
954
APP_LAYER_PROBING_PARSER_PRIORITY_HIGH, 1,
894
957
/* Get the value of no reassembly option from the config file */
895
if (ConfGetBool("tls.no_reassemble", &ssl_config.no_reassemble) != 1)
958
if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
896
959
ssl_config.no_reassemble = 1;
1749
if (ssl_state->client_content_type != 0x16) {
1812
if (ssl_state->client_connp.content_type != 0x16) {
1750
1813
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
1751
ssl_state->client_content_type);
1756
if (ssl_state->client_version != SSL_VERSION_3) {
1757
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1758
SSL_VERSION_3, ssl_state->client_version);
1763
if (ssl_state->handshake_client_hello_ssl_version != SSL_VERSION_3) {
1764
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1765
SSL_VERSION_3, ssl_state->handshake_client_hello_ssl_version);
1814
ssl_state->client_connp.content_type);
1819
if (ssl_state->client_connp.version != SSL_VERSION_3) {
1820
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1821
SSL_VERSION_3, ssl_state->client_connp.version);
1834
if (ssl_state->client_content_type != 0x16) {
1890
if (ssl_state->client_connp.content_type != 0x16) {
1835
1891
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
1836
ssl_state->client_content_type);
1841
if (ssl_state->client_version != SSL_VERSION_3) {
1842
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1843
SSL_VERSION_3, ssl_state->client_version);
1848
if (ssl_state->handshake_client_hello_ssl_version != SSL_VERSION_3) {
1849
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1850
SSL_VERSION_3, ssl_state->handshake_client_hello_ssl_version);
1892
ssl_state->client_connp.content_type);
1897
if (ssl_state->client_connp.version != SSL_VERSION_3) {
1898
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1899
SSL_VERSION_3, ssl_state->client_connp.version);
1918
if (ssl_state->client_content_type != 0x16) {
1967
if (ssl_state->client_connp.content_type != 0x16) {
1919
1968
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
1920
ssl_state->client_content_type);
1925
if (ssl_state->client_version != SSL_VERSION_3) {
1926
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1927
SSL_VERSION_3, ssl_state->client_version);
1932
if (ssl_state->handshake_client_hello_ssl_version != SSL_VERSION_3) {
1933
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1934
SSL_VERSION_3, ssl_state->handshake_client_hello_ssl_version);
1969
ssl_state->client_connp.content_type);
1974
if (ssl_state->client_connp.version != SSL_VERSION_3) {
1975
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
1976
SSL_VERSION_3, ssl_state->client_connp.version);
2014
if (ssl_state->client_content_type != 0x16) {
2056
if (ssl_state->client_connp.content_type != 0x16) {
2015
2057
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
2016
ssl_state->client_content_type);
2021
if (ssl_state->client_version != SSL_VERSION_3) {
2022
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2023
SSL_VERSION_3, ssl_state->client_version);
2028
if (ssl_state->handshake_client_hello_ssl_version != SSL_VERSION_3) {
2029
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2030
SSL_VERSION_3, ssl_state->handshake_client_hello_ssl_version);
2058
ssl_state->client_connp.content_type);
2063
if (ssl_state->client_connp.version != SSL_VERSION_3) {
2064
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2065
SSL_VERSION_3, ssl_state->client_connp.version);
2122
if (ssl_state->client_content_type != 0x16) {
2157
if (ssl_state->client_connp.content_type != 0x16) {
2123
2158
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17,
2124
ssl_state->client_content_type);
2129
if (ssl_state->client_version != SSL_VERSION_3) {
2130
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2131
SSL_VERSION_3, ssl_state->client_version);
2136
if (ssl_state->handshake_client_hello_ssl_version != SSL_VERSION_3) {
2137
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2138
SSL_VERSION_3, ssl_state->handshake_client_hello_ssl_version);
2159
ssl_state->client_connp.content_type);
2164
if (ssl_state->client_connp.version != SSL_VERSION_3) {
2165
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2166
SSL_VERSION_3, ssl_state->client_connp.version);
2945
2973
/* with multiple records the client content type hold the type from the last
2947
if (app_state->client_content_type != SSLV3_HANDSHAKE_PROTOCOL) {
2975
if (app_state->client_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL) {
2948
2976
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
2949
SSLV3_HANDSHAKE_PROTOCOL, app_state->client_content_type);
2977
SSLV3_HANDSHAKE_PROTOCOL, app_state->client_connp.content_type);
2954
if (app_state->client_version != SSL_VERSION_3) {
2982
if (app_state->client_connp.version != SSL_VERSION_3) {
2955
2983
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2956
SSL_VERSION_3, app_state->client_version);
2984
SSL_VERSION_3, app_state->client_connp.version);
2979
3007
/* with multiple records the serve content type hold the type from the last
2981
if (app_state->server_content_type != SSLV3_HANDSHAKE_PROTOCOL) {
3009
if (app_state->server_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL) {
2982
3010
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ",
2983
SSLV3_HANDSHAKE_PROTOCOL, app_state->server_content_type);
3011
SSLV3_HANDSHAKE_PROTOCOL, app_state->server_connp.content_type);
2988
if (app_state->server_version != SSL_VERSION_3) {
3016
if (app_state->server_connp.version != SSL_VERSION_3) {
2989
3017
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
2990
SSL_VERSION_3, app_state->server_version);
3018
SSL_VERSION_3, app_state->server_connp.version);
3121
if (ssl_state->client_content_type != 0x16) {
3149
if (ssl_state->client_connp.content_type != 0x16) {
3122
3150
printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16,
3123
ssl_state->client_content_type);
3128
if (ssl_state->client_version != SSL_VERSION_3) {
3129
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
3130
SSL_VERSION_3, ssl_state->client_version);
3135
if (ssl_state->handshake_client_hello_ssl_version != SSL_VERSION_3) {
3136
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
3137
SSL_VERSION_3, ssl_state->handshake_client_hello_ssl_version);
3151
ssl_state->client_connp.content_type);
3156
if (ssl_state->client_connp.version != SSL_VERSION_3) {
3157
printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ",
3158
SSL_VERSION_3, ssl_state->client_connp.version);