From 4e8de99dcde1cb31281e4a56f9a763d442e34549 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Thu, 24 Feb 2011 00:44:36 +0530 Subject: [PATCH] tls/ssl parser modifications/fixes. We now have just one file doing all the ssl parsing stuff, i.e. app-layer-tls.[ch], instead of app-layer-ssl.[ch] and app-layer-tls.[ch] --- src/app-layer-ssl.c | 1316 +++++++++---------- src/app-layer-ssl.h | 122 +- src/app-layer-tls.c | 2704 +++++++++++++++++++++++++++++++------- src/app-layer-tls.h | 111 +- src/detect-ssl-version.c | 8 +- src/detect-tls-version.c | 8 +- src/suricata.c | 4 +- 7 files changed, 3022 insertions(+), 1251 deletions(-) diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index a9856f054f..a5d704ed3d 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -1,667 +1,651 @@ -/* Copyright (C) 2007-2010 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ +///** +// * \file +// * +// * \author Gurvinder Singh +// * +// * App-layer detection of SSL2 protocol +// * +// */ +// +//#include "suricata-common.h" +//#include "debug.h" +//#include "decode.h" +//#include "threads.h" +// +//#include "util-print.h" +//#include "util-pool.h" +// +//#include "stream-tcp-private.h" +//#include "stream-tcp-reassemble.h" +//#include "stream-tcp.h" +//#include "stream.h" +// +//#include "detect-engine-state.h" +// +//#include "app-layer-protos.h" +//#include "app-layer-parser.h" +// +//#include "app-layer-ssl.h" +//#include "app-layer-tls.h" +// +//#include "util-spm.h" +//#include "util-unittest.h" +//#include "util-debug.h" +//#include "flow-private.h" +//#include "flow-util.h" +//#include "util-byte.h" +// +///** +// * \brief Function to parse the SSL field in packet received from the client +// * +// * \param app_state Pointer the state in which the value to be stored +// * \param pstate Application layer tarser state for this session +// * \param input Pointer the received input data +// * \param input_len Length in bytes of the received data +// * \param output Pointer to the list of parsed output elements +// */ +//int SSLParseClientRecord(Flow *f, void *app_state, AppLayerParserState *pstate, +// uint8_t *input, uint32_t input_len, +// AppLayerParserResult *output) +//{ +// SCEnter(); +// SslClient *client = NULL; +// TlsState *app_st = NULL; +// +// client = (SslClient *)input; +// app_st = (TlsState *)app_state; +// +// switch (client->msg_type) { +// case SSL_CLIENT_HELLO: +// if (client->major_ver != 0x02) { +// SCLogDebug("SSL version is not equal to 2, incorrect message!!"); +// SCReturnInt(-1); +// } +// +// app_st->flags |= TLS_FLAG_SSL_CLIENT_HS; +// app_st->client_content_type = client->msg_type; +// app_st->client_version = client->minor_ver|client->major_ver; +// if (client->session_id_len == 0) { +// app_st->flags |= TLS_FLAG_SSL_NO_SESSION_ID; +// } +// SCLogDebug("SSLv2 CLIENT_HELLO message has been received"); +// +// break; +// case SSL_CLIENT_MASTER_KEY: +// if ( ! (app_st->flags & TLS_FLAG_SSL_CLIENT_HS)) { +// SCLogDebug("client hello is not seen before master key " +// "message!!"); +// break; +// } +// app_st->flags |= TLS_FLAG_SSL_CLIENT_MASTER_KEY; +// app_st->client_content_type = client->msg_type; +// SCLogDebug("SSLv2 CLIENT_MASTER_KEY message has been received"); +// +// break; +// case SSL_CLIENT_CERTIFICATE: +// case SSL_CLIENT_FINISHED: +// case SSL_REQUEST_CERTIFICATE: +// if ((app_st->flags & TLS_FLAG_SSL_CLIENT_HS) && +// (app_st->flags & TLS_FLAG_SSL_SERVER_HS)) +// { +// if (app_st->flags & TLS_FLAG_SSL_NO_SESSION_ID) { +// app_st->flags |= TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED; +// SCLogDebug("SSLv2 Client side has started the encryption"); +// } else if (app_st->flags & TLS_FLAG_SSL_CLIENT_MASTER_KEY) { +// app_st->flags |= TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED; +// SCLogDebug("SSLv2 Client side has started the encryption"); +// } +// +// if ((app_st->flags & TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED) && +// (app_st->flags & TLS_FLAG_SSL_SERVER_SSN_ENCRYPTED)) +// { +// pstate->flags |= APP_LAYER_PARSER_DONE; +// pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; +// pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; +// SCLogDebug("SSLv2 No reassembly & inspection has been set"); +// } +// } +// app_st->client_content_type = client->msg_type; +// +// break; +// case SSL_ERROR: +// SCLogWarning(SC_ERR_ALPARSER, "Error encountered in establishing the " +// "sslv2 session, may be tls version"); +// SCReturnInt(-1); +// default: +// SCLogDebug("Incorrect message type (%"PRIu8") " +// "while establishing the sslv2 session, may be tls version", +// client->msg_type); +// SCReturnInt(-1); +// break; +// } +// SCReturnInt(1); +//} +// +///** +// * \brief Function to parse the SSL field in packet received from the server +// * +// * \param app_state Pointer the state in which the value to be stored +// * \param pstate Application layer tarser state for this session +// * \param input Pointer the received input data +// * \param input_len Length in bytes of the received data +// * \param output Pointer to the list of parsed output elements +// */ +//int SSLParseServerRecord(Flow *f, void *app_state, AppLayerParserState *pstate, +// uint8_t *input, uint32_t input_len, +// AppLayerParserResult *output) +//{ +// SCEnter(); +// SslServer *server = (SslServer *)input; +// TlsState *app_st = (TlsState *)app_state; +// +// switch (server->msg_type) { +// case SSL_SERVER_HELLO: +// if (server->major_ver != 0x02) { +// SCLogDebug("SSL version is not equal to 2, incorrect message!!"); +// SCReturnInt(-1); +// } +// SCLogDebug("SSLv2 SERVER_HELLO message has been received"); +// +// app_st->flags |= TLS_FLAG_SSL_SERVER_HS; +// app_st->server_content_type = server->msg_type; +// app_st->server_version = server->minor_ver|server->major_ver; +// break; +// case SSL_SERVER_VERIFY: +// case SSL_SERVER_FINISHED: +// case SSL_REQUEST_CERTIFICATE: +// if ((app_st->flags & TLS_FLAG_SSL_SERVER_HS) && +// (app_st->flags & TLS_FLAG_SSL_CLIENT_HS)) +// { +// app_st->flags |= TLS_FLAG_SSL_SERVER_SSN_ENCRYPTED; +// SCLogDebug("SSLv2 Server side has started the encryption"); +// +// if ((app_st->flags & TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED) && +// (app_st->flags & TLS_FLAG_SSL_SERVER_SSN_ENCRYPTED)) +// { +// pstate->flags |= APP_LAYER_PARSER_DONE; +// pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; +// pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; +// SCLogDebug("SSLv2 No reassembly & inspection has been set"); +// } +// } +// app_st->server_content_type = server->msg_type; +// +// break; +// case SSL_ERROR: +// SCLogWarning(SC_ERR_ALPARSER, "Error encountered in establishing the " +// "sslv2 session, may be tls version"); +// SCReturnInt(-1); +// default: +// SCLogDebug("Incorrect message type (%"PRIu8") " +// "while establishing the sslv2 session, may be tls version", +// server->msg_type); +// SCReturnInt(-1); +// break; +// } +// SCReturnInt(1); +//} +// +//#ifdef UNITTESTS +//#include "util-unittest-helper.h" +//#include "stream-tcp-reassemble.h" +//#include "decode-tcp.h" +// +//extern uint16_t AppLayerParserGetStorageId (void); +// +//static int SSLParserTest01(void) { +// int result = 0; +// Flow f; +// uint8_t *sslbuf = (uint8_t *) "\x80\x31\x01\x00\x02\x00\x00\x00\x01"; +// +// /* PrintRawDataFp(stdout, sslbuf, 9); */ +// +// uint32_t ssllen = 9; +// TcpSession ssn; +// +// memset(&f, 0, sizeof(f)); +// memset(&ssn, 0, sizeof(ssn)); +// +// FLOW_INITIALIZE(&f); +// f.protoctx = (void *)&ssn; +// +// StreamTcpInitConfig(TRUE); +// FlowL7DataPtrInit(&f); +// +// int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER|STREAM_EOF, sslbuf, ssllen); +// if (r != 0) { +// printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); +// goto end; +// } +// +// TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; +// if (app_state == NULL) { +// printf("no ssl state: "); +// goto end; +// } +// +// if (app_state->client_content_type != 0x1) { +// printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x1, +// app_state->client_content_type); +// goto end; +// } +// +// if (app_state->client_version != SSL_CLIENT_VERSION) { +// printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", +// SSL_CLIENT_VERSION, app_state->client_version); +// goto end; +// } +// +// result = 1; +//end: +// FlowL7DataPtrFree(&f); +// StreamTcpFreeConfig(TRUE); +// FLOW_DESTROY(&f); +// return result; +//} +// +//static int SSLParserTest02(void) { +// int result = 1; +// Flow f; +// uint8_t sslbuf[] = {0x80, 0x31, 0x04, 0x00, 0x01, 0x00, +// 0x02, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0, +// 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, +// 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, +// 0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75, +// 0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1, +// 0x2f, 0x34, 0x84, 0x20, 0xc5}; +// uint32_t ssllen = sizeof(sslbuf); +// TcpSession ssn; +// AppLayerDetectProtoThreadInit(); +// +// memset(&f, 0, sizeof(f)); +// memset(&ssn, 0, sizeof(ssn)); +// +// FLOW_INITIALIZE(&f); +// f.protoctx = (void *)&ssn; +// +// StreamTcpInitConfig(TRUE); +// FlowL7DataPtrInit(&f); +// +// int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOCLIENT|STREAM_EOF, sslbuf, ssllen); +// if (r != 0) { +// printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); +// result = 0; +// goto end; +// } +// +// TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; +// if (app_state == NULL) { +// printf("no ssl state: "); +// result = 0; +// goto end; +// } +// +// if (app_state->server_content_type != SSL_SERVER_HELLO) { +// printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", +// SSL_SERVER_HELLO, app_state->client_content_type); +// result = 0; +// goto end; +// } +// +// if (app_state->server_version != SSL_SERVER_VERSION) { +// printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", +// SSL_SERVER_VERSION, app_state->client_version); +// result = 0; +// goto end; +// } +//end: +// FlowL7DataPtrFree(&f); +// StreamTcpFreeConfig(TRUE); +// FLOW_DESTROY(&f); +// return result; +//} +// +//#if 0 /* VJ disabled 20100721 */ +//static int SSLParserTest03(void) { +// int result = 1; +// Flow f; +// uint8_t payload1[] = { 0x80, 0x31, 0x01, 0x00, 0x02, 0x00, +// 0x18, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0, +// 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, +// 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, +// 0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75, +// 0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1, +// 0x2f, 0x34, 0x84, 0x20, 0xc5 }; +// uint32_t payload_len1 = sizeof(payload1); +// uint8_t payload2[] = { 0x83, 0xbb, 0x04, 0x00, 0x01, 0x00, +// 0x02, 0x03, 0x8b, 0x00, 0x15, 0x00, 0x10, 0x30, +// 0x82, 0x03, 0x87, 0x30, 0x82, 0x02, 0xf0, 0xa0, +// 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, +// 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, +// 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x78, +// 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, +// 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, +// 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, +// 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, +// 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, +// 0x55, 0x04, 0x07, 0x13, 0x09, 0x53, 0x75, 0x6e, +// 0x6e, 0x79, 0x76, 0x61, 0x6c, 0x65, 0x31, 0x19, +// 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, +// 0x10, 0x4d, 0x75, 0x53, 0x65, 0x63, 0x75, 0x72, +// 0x69, 0x74, 0x79, 0x2c, 0x20, 0x49, 0x6e, 0x63, +// 0x2e, 0x31, 0x25, 0x30, 0x23, 0x06, 0x09, 0x2a, +// 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, +// 0x16, 0x16, 0x61, 0x74, 0x75, 0x72, 0x6e, 0x65, +// 0x72, 0x40, 0x6d, 0x75, 0x73, 0x65, 0x63, 0x75, +// 0x72, 0x69, 0x74, 0x79, 0x2e, 0x63, 0x6f, 0x6d, +// 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x35, 0x30, 0x36, +// 0x30, 0x36, 0x32, 0x33, 0x32, 0x38, 0x35, 0x38, +// 0x5a, 0x17, 0x0d, 0x31, 0x33, 0x31, 0x30, 0x32, +// 0x37, 0x32, 0x33, 0x32, 0x38, 0x35, 0x38, 0x5a, +// 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, +// 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, +// 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, +// 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, +// 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, +// 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, +// 0x53, 0x75, 0x6e, 0x6e, 0x79, 0x76, 0x61, 0x6c, +// 0x65, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, +// 0x04, 0x0a, 0x13, 0x10, 0x4d, 0x75, 0x53, 0x65, +// 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2c, 0x20, +// 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1c, 0x30, 0x1a, +// 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x73, +// 0x74, 0x61, 0x6e, 0x2e, 0x6d, 0x75, 0x73, 0x65, +// 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x63, +// 0x6f, 0x6d, 0x31, 0x25, 0x30, 0x23, 0x06, 0x09, +// 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, +// 0x01, 0x16, 0x16, 0x61, 0x74, 0x75, 0x72, 0x6e, +// 0x65, 0x72, 0x40, 0x6d, 0x75, 0x73, 0x65, 0x63, +// 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x63, 0x6f, +// 0x6d, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, +// 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, +// 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, +// 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xb4, 0xe7, +// 0x9b, 0x0a, 0xe8, 0xbb, 0xec, 0x4b, 0x1e, 0x5a, +// 0x37, 0x95, 0xa5, 0x18, 0x7d, 0xad, 0xa5, 0xbd, +// 0xa3, 0x6b, 0x5c, 0xd1, 0x51, 0xce, 0x38, 0xf3, +// 0x81, 0xb3, 0x85, 0x0e, 0xfe, 0x17, 0xef, 0x87, +// 0xcb, 0x7f, 0xc7, 0x92, 0xeb, 0xa0, 0x89, 0x76, +// 0x8b, 0xa3, 0x25, 0xb8, 0x20, 0xeb, 0xd8, 0x4a, +// 0xa9, 0xb0, 0x3b, 0x08, 0x81, 0xc1, 0x8e, 0x3c, +// 0x8f, 0x63, 0x8a, 0x47, 0xb5, 0x7f, 0x27, 0x4c, +// 0x21, 0x2f, 0x86, 0xd3, 0x66, 0x0a, 0x97, 0x2a, +// 0xe5, 0x9c, 0xd7, 0xa2, 0x5d, 0xb4, 0xce, 0xbc, +// 0x4e, 0x28, 0xdc, 0x25, 0x6b, 0x2e, 0x39, 0xf5, +// 0xbc, 0x98, 0x1b, 0x4c, 0x7c, 0x77, 0xa1, 0x61, +// 0x52, 0xfd, 0x95, 0x49, 0x70, 0xf8, 0x94, 0xfb, +// 0xa4, 0x11, 0x8a, 0x81, 0xa8, 0xd3, 0x26, 0x51, +// 0x40, 0x01, 0xb0, 0x70, 0x45, 0xd5, 0xe4, 0xc5, +// 0x49, 0x33, 0xb3, 0xed, 0xd8, 0xe7, 0x02, 0x03, +// 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x00, 0x30, +// 0x81, 0xfd, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, +// 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x2c, 0x06, +// 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, +// 0x01, 0x0d, 0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, +// 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47, 0x65, +// 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, +// 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, +// 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, +// 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xbe, 0x59, +// 0x54, 0xcf, 0x22, 0xe1, 0x74, 0xec, 0xe1, 0x8e, +// 0x5c, 0x06, 0x2b, 0xf7, 0x1a, 0x7a, 0x6a, 0x50, +// 0x67, 0x68, 0x30, 0x81, 0xa2, 0x06, 0x03, 0x55, +// 0x1d, 0x23, 0x04, 0x81, 0x9a, 0x30, 0x81, 0x97, +// 0x80, 0x14, 0x7d, 0x02, 0x2d, 0x18, 0xe0, 0xe3, +// 0x76, 0x45, 0x4b, 0x2e, 0x08, 0x0a, 0xd3, 0xe5, +// 0xd4, 0x92, 0x22, 0x71, 0xa4, 0xde, 0xa1, 0x7c, +// 0xa4, 0x7a, 0x30, 0x78, 0x31, 0x0b, 0x30, 0x09, +// 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, +// 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, +// 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, +// 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, +// 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, +// 0x09, 0x53, 0x75, 0x6e, 0x6e, 0x79, 0x76, 0x61, +// 0x6c, 0x65, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, +// 0x55, 0x04, 0x0a, 0x13, 0x10, 0x4d, 0x75, 0x53, +// 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2c, +// 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x25, 0x30, +// 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, +// 0x0d, 0x01, 0x09, 0x01, 0x16, 0x16, 0x61, 0x74, +// 0x75, 0x72, 0x6e, 0x65, 0x72, 0x40, 0x6d, 0x75, +// 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, +// 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x00, 0x30, +// 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, +// 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, +// 0x81, 0x00, 0x4a, 0x5a, 0xd9, 0xd4, 0xe1, 0xe9, +// 0xdd, 0xd5, 0x5c, 0xd3, 0x27, 0x2b, 0x01, 0x95, +// 0x1b, 0x8c, 0xa9, 0x9c, 0x93, 0x8e, 0x01, 0x72, +// 0xbf, 0xbc, 0x74, 0xbb, 0x30, 0x61, 0xa0, 0x52, +// 0xfb, 0xe0, 0xa8, 0x8e, 0x2b, 0x34, 0xe8, 0xf3, +// 0x4a, 0xfc, 0xc0, 0xb4, 0x63, 0x83, 0xa8, 0xb4, +// 0x5e, 0xb9, 0xe4, 0x21, 0x2f, 0x6b, 0x04, 0x84, +// 0x14, 0x98, 0xf0, 0xde, 0x18, 0xd0, 0xa7, 0x9a, +// 0x0d, 0x6a, 0xd5, 0xa9, 0x44, 0x57, 0xf9, 0xb4, +// 0xdb, 0x59, 0x56, 0x3e, 0x26, 0x49, 0x98, 0xf3, +// 0x39, 0x8b, 0x8a, 0x66, 0xd2, 0xcb, 0xa9, 0x48, +// 0xda, 0x71, 0xc7, 0x53, 0x28, 0x15, 0xc4, 0xc3, +// 0x4c, 0xbb, 0xab, 0xc1, 0x69, 0xfb, 0x37, 0xfa, +// 0x99, 0x2b, 0x2b, 0xfa, 0x9d, 0x33, 0xaa, 0x17, +// 0xb2, 0xb1, 0x78, 0x9e, 0xa5, 0x50, 0x0a, 0x7c, +// 0x4f, 0x8f, 0x4a, 0x93, 0xc2, 0x36, 0x55, 0x2e, +// 0x17, 0x98, 0x07, 0x00, 0xc0, 0x03, 0x00, 0x80, +// 0x01, 0x00, 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, +// 0x40, 0x04, 0x00, 0x80, 0x02, 0x00, 0x80, 0x57, +// 0xbe, 0x5d, 0x5d, 0x97, 0xad, 0x58, 0x25, 0xf1, +// 0x78, 0xeb, 0x27, 0xba, 0x45, 0xe8, 0x44 }; +// uint32_t payload_len2 = sizeof(payload2); +// uint8_t payload3[] = { 0x80, 0x92, 0x02, 0x07, 0x00, 0xc0, +// 0x00, 0x00, 0x00, 0x80, 0x00, 0x08, 0x98, 0xb7, +// 0xaf, 0x94, 0x0a, 0x00, 0x0c, 0x02, 0xb1, 0x4d, +// 0x50, 0x50, 0x17, 0x78, 0x16, 0xba, 0x22, 0x7b, +// 0x25, 0xab, 0x09, 0x9f, 0x30, 0xd6, 0xce, 0xa8, +// 0xf6, 0x04, 0x41, 0xb3, 0xa4, 0x16, 0x33, 0x18, +// 0x7b, 0x24, 0xa6, 0x30, 0x75, 0x67, 0x7a, 0xa7, +// 0xac, 0xd2, 0xc2, 0xe3, 0x00, 0x13, 0xb0, 0x39, +// 0xb0, 0x50, 0x2b, 0x55, 0x93, 0xd7, 0x65, 0x1f, +// 0x00, 0x4f, 0xde, 0x15, 0xee, 0xa8, 0x9c, 0xbd, +// 0x86, 0xaf, 0x99, 0x7a, 0x27, 0x53, 0xb3, 0x5a, +// 0x4b, 0x90, 0xbd, 0xac, 0xc9, 0xd3, 0xc5, 0x31, +// 0x06, 0x19, 0xd8, 0x2f, 0x6b, 0x3a, 0x31, 0xb4, +// 0x34, 0xb8, 0x31, 0xec, 0x18, 0x6c, 0xad, 0x9e, +// 0xa8, 0xf5, 0x3a, 0x9d, 0xd3, 0x74, 0x78, 0x33, +// 0x06, 0x8b, 0x75, 0xc9, 0x39, 0xe8, 0x59, 0x98, +// 0xc9, 0x96, 0xca, 0xc0, 0x2f, 0x1c, 0x53, 0xda, +// 0x76, 0xab, 0xf1, 0x42, 0x6c, 0x71, 0xaf, 0xc9, +// 0x52, 0xbe, 0xb0, 0x7a, 0x7d, 0xe1 }; +// uint32_t payload_len3 = sizeof(payload3); +// uint8_t payload4[] = { 0x00, 0x28, 0x07, 0xb8, 0xbb, 0x2c, +// 0xce, 0xbe, 0x72, 0xa9, 0x61, 0xef, 0xbf, 0xfa, +// 0x50, 0x92, 0x6d, 0x62, 0x77, 0xa3, 0x7b, 0x75, +// 0xd6, 0x6e, 0x82, 0x12, 0x27, 0x87, 0x23, 0xce, +// 0x9d, 0x44, 0xfe, 0x1f, 0xd0, 0x0e, 0x62, 0xff, +// 0xd0, 0x24, 0xea, 0xc0, 0x18 }; +// uint32_t payload_len4 = sizeof(payload4); +// uint8_t payload5[] = { 0x00, 0x28, 0x07, 0x9a, 0x1d, 0xe2, +// 0x5f, 0x79, 0xcc, 0x14, 0x5b, 0xb5, 0xad, 0x4f, +// 0x15, 0x86, 0xe6, 0x03, 0x13, 0xe0, 0x96, 0x96, +// 0x85, 0x46, 0x79, 0x0e, 0x3a, 0xe2, 0x84, 0x8d, +// 0x8d, 0x88, 0xba, 0x7c, 0x6d, 0xa4, 0xb9, 0x9a, +// 0xb1, 0x9f, 0x78, 0xe4, 0x83 }; +// uint32_t payload_len5 = sizeof(payload5); +// TcpSession ssn; +// TCPHdr tcph; +// Packet *p1 = UTHBuildPacket(payload1, payload_len1, IPPROTO_TCP); +// Packet *p2 = UTHBuildPacket(payload2, payload_len2, IPPROTO_TCP); +// Packet *p3 = UTHBuildPacket(payload3, payload_len3, IPPROTO_TCP); +// Packet *p4 = UTHBuildPacket(payload4, payload_len4, IPPROTO_TCP); +// Packet *p5 = UTHBuildPacket(payload5, payload_len5, IPPROTO_TCP); +// +// memset(&f, 0, sizeof(f)); +// memset(&ssn, 0, sizeof(ssn)); +// memset(&tcph, 0, sizeof(tcph)); +// +// StreamTcpInitConfig(TRUE); +// TcpReassemblyThreadCtx *ra_ctx = StreamTcpReassembleInitThreadCtx(); +// AppLayerDetectProtoThreadInit(); +// +// ssn.server.ra_base_seq = 390131220UL; +// ssn.server.isn = 390131220UL; +// ssn.server.last_ack = 427643676UL; +// ssn.client.ra_base_seq = 4276431676UL; +// ssn.client.isn = 4276431676UL; +// ssn.client.last_ack = 390133221UL; +// f.alproto = ALPROTO_UNKNOWN; +// +// FLOW_INITIALIZE(&f); +// f.protoctx = (void *)&ssn; +// +// tcph.th_win = htons(5480); +// tcph.th_seq = htonl(4276431677UL); +// tcph.th_ack = htonl(390131221UL); +// tcph.th_flags = TH_ACK|TH_PUSH; +// p1->tcph = &tcph; +// p1->flowflags = FLOW_PKT_TOSERVER; +// ssn.state = TCP_ESTABLISHED; +// +// TcpStream *s = NULL; +// s = &ssn.client; +// +// if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p1) == -1) { +// printf("failed in segments reassembly, while processing toserver packet\n"); +// goto end; +// } +// +// p2->flowflags = FLOW_PKT_TOCLIENT; +// tcph.th_seq = htonl(390131221UL); +// tcph.th_ack = htonl(4276431728UL); +// p2->tcph = &tcph; +// p2->flow = &f; +// s = &ssn.server; +// +// if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p2) == -1) { +// printf("failed in segments reassembly, while processing toserver packet\n"); +// goto end; +// } +// +// if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { +// printf("failed in processing stream smsgs\n"); +// goto end; +// } +// +// p3->flowflags = FLOW_PKT_TOSERVER; +// tcph.th_seq = htonl(4276431728UL); +// tcph.th_ack = htonl(390132178UL); +// p3->tcph = &tcph; +// p3->flow = &f; +// s = &ssn.client; +// +// if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p3) == -1) { +// printf("failed in segments reassembly, while processing toserver packet\n"); +// goto end; +// } +// +// if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { +// printf("failed in processing stream smsgs\n"); +// goto end; +// } +// +// p4->flowflags = FLOW_PKT_TOCLIENT; +// tcph.th_seq = htonl(390132178UL); +// tcph.th_ack = htonl(4276431876UL); +// p4->tcph = &tcph; +// p4->flow = &f; +// s = &ssn.server; +// +// if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p4) == -1) { +// printf("failed in segments reassembly, while processing toserver packet\n"); +// goto end; +// } +// +// if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { +// printf("failed in processing stream smsgs\n"); +// goto end; +// } +// +// p5->flowflags = FLOW_PKT_TOSERVER; +// tcph.th_seq = htonl(4276431876UL); +// tcph.th_ack = htonl(390132221UL); +// p5->tcph = &tcph; +// p5->flow = &f; +// s = &ssn.client; +// +// if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p5) == -1) { +// printf("failed in segments reassembly, while processing toserver packet\n"); +// goto end; +// } +// +// if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { +// printf("failed in processing stream smsgs\n"); +// goto end; +// } +// +// tcph.th_seq = htonl(390132221UL); +// tcph.th_ack = htonl(4276431919UL); +// s = &ssn.server; +// +// if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p4) == -1) { +// printf("failed in segments reassembly, while processing toserver packet\n"); +// goto end; +// } +// +// if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { +// printf("failed in processing stream smsgs\n"); +// goto end; +// } +// +// TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; +// if (app_state == NULL) { +// printf("no ssl state: "); +// result = 0; +// goto end; +// } +// +// if (app_state->client_content_type != 0x7) { +// printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x7, +// app_state->client_content_type); +// result = 0; +// goto end; +// } +// +// if (app_state->client_version != SSL_CLIENT_VERSION) { +// printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", +// SSL_CLIENT_VERSION, app_state->client_version); +// result = 0; +// goto end; +// } +// +// uint16_t app_layer_sid = AppLayerParserGetStorageId(); +// AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *) +// f.aldata[app_layer_sid]; +// AppLayerParserState *parser_state = &parser_state_store->to_server; +// +// if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) && +// !(ssn.flags & STREAMTCP_FLAG_NOCLIENT_REASSEMBLY) && +// !(ssn.flags & STREAMTCP_FLAG_NOSERVER_REASSEMBLY)) { +// printf("The flags should be set\n"); +// result = 0; +// goto end; +// } +// +// if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) { +// printf("The flags should be set\n"); +// result = 0; +// goto end; +// } +//end: +// FlowL7DataPtrFree(&f); +// StreamTcpFreeConfig(TRUE); +// FLOW_DESTROY(&f); +// return result; +//} +//#endif +//#endif /* UNITTESTS */ +// +//void SSLParserRegisterTests(void) { +//#ifdef UNITTESTS +// UtRegisterTest("SSLParserTest01", SSLParserTest01, 1); +// UtRegisterTest("SSLParserTest02", SSLParserTest02, 1); +///* UtRegisterTest("SSLParserTest03", SSLParserTest03, 1); */ +//#endif /* UNITTESTS */ +//} -/** - * \file - * - * \author Gurvinder Singh - * - * App-layer detection of SSL2 protocol - * - */ - -#include "suricata-common.h" -#include "debug.h" -#include "decode.h" -#include "threads.h" - -#include "util-print.h" -#include "util-pool.h" - -#include "stream-tcp-private.h" -#include "stream-tcp-reassemble.h" -#include "stream-tcp.h" -#include "stream.h" - -#include "detect-engine-state.h" - -#include "app-layer-protos.h" -#include "app-layer-parser.h" - -#include "app-layer-ssl.h" -#include "app-layer-tls.h" - -#include "util-spm.h" -#include "util-unittest.h" -#include "util-debug.h" -#include "flow-private.h" -#include "flow-util.h" -#include "util-byte.h" - -/** - * \brief Function to parse the SSL field in packet received from the client - * - * \param app_state Pointer the state in which the value to be stored - * \param pstate Application layer tarser state for this session - * \param input Pointer the received input data - * \param input_len Length in bytes of the received data - * \param output Pointer to the list of parsed output elements - */ -int SSLParseClientRecord(Flow *f, void *app_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) -{ - SCEnter(); - SslClient *client = NULL; - TlsState *app_st = NULL; - - client = (SslClient *)input; - app_st = (TlsState *)app_state; - - switch (client->msg_type) { - case SSL_CLIENT_HELLO: - if (client->major_ver != 0x02) { - SCLogDebug("SSL version is not equal to 2, incorrect message!!"); - SCReturnInt(-1); - } - - app_st->flags |= TLS_FLAG_SSL_CLIENT_HS; - app_st->client_content_type = client->msg_type; - app_st->client_version = client->minor_ver|client->major_ver; - if (client->session_id_len == 0) { - app_st->flags |= TLS_FLAG_SSL_NO_SESSION_ID; - } - SCLogDebug("SSLv2 CLIENT_HELLO message has been received"); - - break; - case SSL_CLIENT_MASTER_KEY: - if ( ! (app_st->flags & TLS_FLAG_SSL_CLIENT_HS)) { - SCLogDebug("client hello is not seen before master key " - "message!!"); - break; - } - app_st->flags |= TLS_FLAG_SSL_CLIENT_MASTER_KEY; - app_st->client_content_type = client->msg_type; - SCLogDebug("SSLv2 CLIENT_MASTER_KEY message has been received"); - - break; - case SSL_CLIENT_CERTIFICATE: - case SSL_CLIENT_FINISHED: - case SSL_REQUEST_CERTIFICATE: - if ((app_st->flags & TLS_FLAG_SSL_CLIENT_HS) && - (app_st->flags & TLS_FLAG_SSL_SERVER_HS)) - { - if (app_st->flags & TLS_FLAG_SSL_NO_SESSION_ID) { - app_st->flags |= TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED; - SCLogDebug("SSLv2 Client side has started the encryption"); - } else if (app_st->flags & TLS_FLAG_SSL_CLIENT_MASTER_KEY) { - app_st->flags |= TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED; - SCLogDebug("SSLv2 Client side has started the encryption"); - } - - if ((app_st->flags & TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED) && - (app_st->flags & TLS_FLAG_SSL_SERVER_SSN_ENCRYPTED)) - { - pstate->flags |= APP_LAYER_PARSER_DONE; - pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; - pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; - SCLogDebug("SSLv2 No reassembly & inspection has been set"); - } - } - app_st->client_content_type = client->msg_type; - - break; - case SSL_ERROR: - SCLogDebug("Error encountered in establishing the " - "sslv2 session, may be tls version"); - SCReturnInt(-1); - default: - SCLogDebug("Incorrect message type (%"PRIu8") " - "while establishing the sslv2 session, may be tls version", - client->msg_type); - SCReturnInt(-1); - break; - } - SCReturnInt(1); -} - -/** - * \brief Function to parse the SSL field in packet received from the server - * - * \param app_state Pointer the state in which the value to be stored - * \param pstate Application layer tarser state for this session - * \param input Pointer the received input data - * \param input_len Length in bytes of the received data - * \param output Pointer to the list of parsed output elements - */ -int SSLParseServerRecord(Flow *f, void *app_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) -{ - SCEnter(); - SslServer *server = (SslServer *)input; - TlsState *app_st = (TlsState *)app_state; - - switch (server->msg_type) { - case SSL_SERVER_HELLO: - if (server->major_ver != 0x02) { - SCLogDebug("SSL version is not equal to 2, incorrect message!!"); - SCReturnInt(-1); - } - SCLogDebug("SSLv2 SERVER_HELLO message has been received"); - - app_st->flags |= TLS_FLAG_SSL_SERVER_HS; - app_st->server_content_type = server->msg_type; - app_st->server_version = server->minor_ver|server->major_ver; - break; - case SSL_SERVER_VERIFY: - case SSL_SERVER_FINISHED: - case SSL_REQUEST_CERTIFICATE: - if ((app_st->flags & TLS_FLAG_SSL_SERVER_HS) && - (app_st->flags & TLS_FLAG_SSL_CLIENT_HS)) - { - app_st->flags |= TLS_FLAG_SSL_SERVER_SSN_ENCRYPTED; - SCLogDebug("SSLv2 Server side has started the encryption"); - - if ((app_st->flags & TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED) && - (app_st->flags & TLS_FLAG_SSL_SERVER_SSN_ENCRYPTED)) - { - pstate->flags |= APP_LAYER_PARSER_DONE; - pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; - pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; - SCLogDebug("SSLv2 No reassembly & inspection has been set"); - } - } - app_st->server_content_type = server->msg_type; - - break; - case SSL_ERROR: - SCLogDebug("Error encountered in establishing the " - "sslv2 session, may be tls version"); - SCReturnInt(-1); - default: - SCLogDebug("Incorrect message type (%"PRIu8") " - "while establishing the sslv2 session, may be tls version", - server->msg_type); - SCReturnInt(-1); - break; - } - SCReturnInt(1); -} - -#ifdef UNITTESTS -#include "util-unittest-helper.h" -#include "stream-tcp-reassemble.h" -#include "decode-tcp.h" - -extern uint16_t AppLayerParserGetStorageId (void); - -static int SSLParserTest01(void) { - int result = 0; - Flow f; - uint8_t *sslbuf = (uint8_t *) "\x80\x31\x01\x00\x02\x00\x00\x00\x01"; - - /* PrintRawDataFp(stdout, sslbuf, 9); */ - - uint32_t ssllen = 9; - TcpSession ssn; - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - - StreamTcpInitConfig(TRUE); - FlowL7DataPtrInit(&f); - - int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER|STREAM_EOF, sslbuf, ssllen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - goto end; - } - - TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; - if (app_state == NULL) { - printf("no ssl state: "); - goto end; - } - - if (app_state->client_content_type != 0x1) { - printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x1, - app_state->client_content_type); - goto end; - } - - if (app_state->client_version != SSL_CLIENT_VERSION) { - printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", - SSL_CLIENT_VERSION, app_state->client_version); - goto end; - } - - result = 1; -end: - FlowL7DataPtrFree(&f); - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - return result; -} - -static int SSLParserTest02(void) { - int result = 1; - Flow f; - uint8_t sslbuf[] = {0x80, 0x31, 0x04, 0x00, 0x01, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0, - 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, - 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, - 0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75, - 0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1, - 0x2f, 0x34, 0x84, 0x20, 0xc5}; - uint32_t ssllen = sizeof(sslbuf); - TcpSession ssn; - AppLayerDetectProtoThreadInit(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - - StreamTcpInitConfig(TRUE); - FlowL7DataPtrInit(&f); - - int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOCLIENT|STREAM_EOF, sslbuf, ssllen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; - if (app_state == NULL) { - printf("no ssl state: "); - result = 0; - goto end; - } - - if (app_state->server_content_type != SSL_SERVER_HELLO) { - printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", - SSL_SERVER_HELLO, app_state->client_content_type); - result = 0; - goto end; - } - - if (app_state->server_version != SSL_SERVER_VERSION) { - printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", - SSL_SERVER_VERSION, app_state->client_version); - result = 0; - goto end; - } -end: - FlowL7DataPtrFree(&f); - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - return result; -} - -#if 0 /* VJ disabled 20100721 */ -static int SSLParserTest03(void) { - int result = 1; - Flow f; - uint8_t payload1[] = { 0x80, 0x31, 0x01, 0x00, 0x02, 0x00, - 0x18, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0, - 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, - 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, - 0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75, - 0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1, - 0x2f, 0x34, 0x84, 0x20, 0xc5 }; - uint32_t payload_len1 = sizeof(payload1); - uint8_t payload2[] = { 0x83, 0xbb, 0x04, 0x00, 0x01, 0x00, - 0x02, 0x03, 0x8b, 0x00, 0x15, 0x00, 0x10, 0x30, - 0x82, 0x03, 0x87, 0x30, 0x82, 0x02, 0xf0, 0xa0, - 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x78, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, - 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, - 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, - 0x55, 0x04, 0x07, 0x13, 0x09, 0x53, 0x75, 0x6e, - 0x6e, 0x79, 0x76, 0x61, 0x6c, 0x65, 0x31, 0x19, - 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x10, 0x4d, 0x75, 0x53, 0x65, 0x63, 0x75, 0x72, - 0x69, 0x74, 0x79, 0x2c, 0x20, 0x49, 0x6e, 0x63, - 0x2e, 0x31, 0x25, 0x30, 0x23, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, - 0x16, 0x16, 0x61, 0x74, 0x75, 0x72, 0x6e, 0x65, - 0x72, 0x40, 0x6d, 0x75, 0x73, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x2e, 0x63, 0x6f, 0x6d, - 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x35, 0x30, 0x36, - 0x30, 0x36, 0x32, 0x33, 0x32, 0x38, 0x35, 0x38, - 0x5a, 0x17, 0x0d, 0x31, 0x33, 0x31, 0x30, 0x32, - 0x37, 0x32, 0x33, 0x32, 0x38, 0x35, 0x38, 0x5a, - 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, - 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, - 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, - 0x53, 0x75, 0x6e, 0x6e, 0x79, 0x76, 0x61, 0x6c, - 0x65, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x10, 0x4d, 0x75, 0x53, 0x65, - 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2c, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1c, 0x30, 0x1a, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x73, - 0x74, 0x61, 0x6e, 0x2e, 0x6d, 0x75, 0x73, 0x65, - 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x63, - 0x6f, 0x6d, 0x31, 0x25, 0x30, 0x23, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, - 0x01, 0x16, 0x16, 0x61, 0x74, 0x75, 0x72, 0x6e, - 0x65, 0x72, 0x40, 0x6d, 0x75, 0x73, 0x65, 0x63, - 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x63, 0x6f, - 0x6d, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, - 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xb4, 0xe7, - 0x9b, 0x0a, 0xe8, 0xbb, 0xec, 0x4b, 0x1e, 0x5a, - 0x37, 0x95, 0xa5, 0x18, 0x7d, 0xad, 0xa5, 0xbd, - 0xa3, 0x6b, 0x5c, 0xd1, 0x51, 0xce, 0x38, 0xf3, - 0x81, 0xb3, 0x85, 0x0e, 0xfe, 0x17, 0xef, 0x87, - 0xcb, 0x7f, 0xc7, 0x92, 0xeb, 0xa0, 0x89, 0x76, - 0x8b, 0xa3, 0x25, 0xb8, 0x20, 0xeb, 0xd8, 0x4a, - 0xa9, 0xb0, 0x3b, 0x08, 0x81, 0xc1, 0x8e, 0x3c, - 0x8f, 0x63, 0x8a, 0x47, 0xb5, 0x7f, 0x27, 0x4c, - 0x21, 0x2f, 0x86, 0xd3, 0x66, 0x0a, 0x97, 0x2a, - 0xe5, 0x9c, 0xd7, 0xa2, 0x5d, 0xb4, 0xce, 0xbc, - 0x4e, 0x28, 0xdc, 0x25, 0x6b, 0x2e, 0x39, 0xf5, - 0xbc, 0x98, 0x1b, 0x4c, 0x7c, 0x77, 0xa1, 0x61, - 0x52, 0xfd, 0x95, 0x49, 0x70, 0xf8, 0x94, 0xfb, - 0xa4, 0x11, 0x8a, 0x81, 0xa8, 0xd3, 0x26, 0x51, - 0x40, 0x01, 0xb0, 0x70, 0x45, 0xd5, 0xe4, 0xc5, - 0x49, 0x33, 0xb3, 0xed, 0xd8, 0xe7, 0x02, 0x03, - 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x00, 0x30, - 0x81, 0xfd, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, - 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x2c, 0x06, - 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, - 0x01, 0x0d, 0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, - 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47, 0x65, - 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xbe, 0x59, - 0x54, 0xcf, 0x22, 0xe1, 0x74, 0xec, 0xe1, 0x8e, - 0x5c, 0x06, 0x2b, 0xf7, 0x1a, 0x7a, 0x6a, 0x50, - 0x67, 0x68, 0x30, 0x81, 0xa2, 0x06, 0x03, 0x55, - 0x1d, 0x23, 0x04, 0x81, 0x9a, 0x30, 0x81, 0x97, - 0x80, 0x14, 0x7d, 0x02, 0x2d, 0x18, 0xe0, 0xe3, - 0x76, 0x45, 0x4b, 0x2e, 0x08, 0x0a, 0xd3, 0xe5, - 0xd4, 0x92, 0x22, 0x71, 0xa4, 0xde, 0xa1, 0x7c, - 0xa4, 0x7a, 0x30, 0x78, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, - 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, - 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, - 0x09, 0x53, 0x75, 0x6e, 0x6e, 0x79, 0x76, 0x61, - 0x6c, 0x65, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x13, 0x10, 0x4d, 0x75, 0x53, - 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2c, - 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x25, 0x30, - 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x09, 0x01, 0x16, 0x16, 0x61, 0x74, - 0x75, 0x72, 0x6e, 0x65, 0x72, 0x40, 0x6d, 0x75, - 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, - 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x01, 0x00, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, - 0x81, 0x00, 0x4a, 0x5a, 0xd9, 0xd4, 0xe1, 0xe9, - 0xdd, 0xd5, 0x5c, 0xd3, 0x27, 0x2b, 0x01, 0x95, - 0x1b, 0x8c, 0xa9, 0x9c, 0x93, 0x8e, 0x01, 0x72, - 0xbf, 0xbc, 0x74, 0xbb, 0x30, 0x61, 0xa0, 0x52, - 0xfb, 0xe0, 0xa8, 0x8e, 0x2b, 0x34, 0xe8, 0xf3, - 0x4a, 0xfc, 0xc0, 0xb4, 0x63, 0x83, 0xa8, 0xb4, - 0x5e, 0xb9, 0xe4, 0x21, 0x2f, 0x6b, 0x04, 0x84, - 0x14, 0x98, 0xf0, 0xde, 0x18, 0xd0, 0xa7, 0x9a, - 0x0d, 0x6a, 0xd5, 0xa9, 0x44, 0x57, 0xf9, 0xb4, - 0xdb, 0x59, 0x56, 0x3e, 0x26, 0x49, 0x98, 0xf3, - 0x39, 0x8b, 0x8a, 0x66, 0xd2, 0xcb, 0xa9, 0x48, - 0xda, 0x71, 0xc7, 0x53, 0x28, 0x15, 0xc4, 0xc3, - 0x4c, 0xbb, 0xab, 0xc1, 0x69, 0xfb, 0x37, 0xfa, - 0x99, 0x2b, 0x2b, 0xfa, 0x9d, 0x33, 0xaa, 0x17, - 0xb2, 0xb1, 0x78, 0x9e, 0xa5, 0x50, 0x0a, 0x7c, - 0x4f, 0x8f, 0x4a, 0x93, 0xc2, 0x36, 0x55, 0x2e, - 0x17, 0x98, 0x07, 0x00, 0xc0, 0x03, 0x00, 0x80, - 0x01, 0x00, 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, - 0x40, 0x04, 0x00, 0x80, 0x02, 0x00, 0x80, 0x57, - 0xbe, 0x5d, 0x5d, 0x97, 0xad, 0x58, 0x25, 0xf1, - 0x78, 0xeb, 0x27, 0xba, 0x45, 0xe8, 0x44 }; - uint32_t payload_len2 = sizeof(payload2); - uint8_t payload3[] = { 0x80, 0x92, 0x02, 0x07, 0x00, 0xc0, - 0x00, 0x00, 0x00, 0x80, 0x00, 0x08, 0x98, 0xb7, - 0xaf, 0x94, 0x0a, 0x00, 0x0c, 0x02, 0xb1, 0x4d, - 0x50, 0x50, 0x17, 0x78, 0x16, 0xba, 0x22, 0x7b, - 0x25, 0xab, 0x09, 0x9f, 0x30, 0xd6, 0xce, 0xa8, - 0xf6, 0x04, 0x41, 0xb3, 0xa4, 0x16, 0x33, 0x18, - 0x7b, 0x24, 0xa6, 0x30, 0x75, 0x67, 0x7a, 0xa7, - 0xac, 0xd2, 0xc2, 0xe3, 0x00, 0x13, 0xb0, 0x39, - 0xb0, 0x50, 0x2b, 0x55, 0x93, 0xd7, 0x65, 0x1f, - 0x00, 0x4f, 0xde, 0x15, 0xee, 0xa8, 0x9c, 0xbd, - 0x86, 0xaf, 0x99, 0x7a, 0x27, 0x53, 0xb3, 0x5a, - 0x4b, 0x90, 0xbd, 0xac, 0xc9, 0xd3, 0xc5, 0x31, - 0x06, 0x19, 0xd8, 0x2f, 0x6b, 0x3a, 0x31, 0xb4, - 0x34, 0xb8, 0x31, 0xec, 0x18, 0x6c, 0xad, 0x9e, - 0xa8, 0xf5, 0x3a, 0x9d, 0xd3, 0x74, 0x78, 0x33, - 0x06, 0x8b, 0x75, 0xc9, 0x39, 0xe8, 0x59, 0x98, - 0xc9, 0x96, 0xca, 0xc0, 0x2f, 0x1c, 0x53, 0xda, - 0x76, 0xab, 0xf1, 0x42, 0x6c, 0x71, 0xaf, 0xc9, - 0x52, 0xbe, 0xb0, 0x7a, 0x7d, 0xe1 }; - uint32_t payload_len3 = sizeof(payload3); - uint8_t payload4[] = { 0x00, 0x28, 0x07, 0xb8, 0xbb, 0x2c, - 0xce, 0xbe, 0x72, 0xa9, 0x61, 0xef, 0xbf, 0xfa, - 0x50, 0x92, 0x6d, 0x62, 0x77, 0xa3, 0x7b, 0x75, - 0xd6, 0x6e, 0x82, 0x12, 0x27, 0x87, 0x23, 0xce, - 0x9d, 0x44, 0xfe, 0x1f, 0xd0, 0x0e, 0x62, 0xff, - 0xd0, 0x24, 0xea, 0xc0, 0x18 }; - uint32_t payload_len4 = sizeof(payload4); - uint8_t payload5[] = { 0x00, 0x28, 0x07, 0x9a, 0x1d, 0xe2, - 0x5f, 0x79, 0xcc, 0x14, 0x5b, 0xb5, 0xad, 0x4f, - 0x15, 0x86, 0xe6, 0x03, 0x13, 0xe0, 0x96, 0x96, - 0x85, 0x46, 0x79, 0x0e, 0x3a, 0xe2, 0x84, 0x8d, - 0x8d, 0x88, 0xba, 0x7c, 0x6d, 0xa4, 0xb9, 0x9a, - 0xb1, 0x9f, 0x78, 0xe4, 0x83 }; - uint32_t payload_len5 = sizeof(payload5); - TcpSession ssn; - TCPHdr tcph; - Packet *p1 = UTHBuildPacket(payload1, payload_len1, IPPROTO_TCP); - Packet *p2 = UTHBuildPacket(payload2, payload_len2, IPPROTO_TCP); - Packet *p3 = UTHBuildPacket(payload3, payload_len3, IPPROTO_TCP); - Packet *p4 = UTHBuildPacket(payload4, payload_len4, IPPROTO_TCP); - Packet *p5 = UTHBuildPacket(payload5, payload_len5, IPPROTO_TCP); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - memset(&tcph, 0, sizeof(tcph)); - - StreamTcpInitConfig(TRUE); - TcpReassemblyThreadCtx *ra_ctx = StreamTcpReassembleInitThreadCtx(); - AppLayerDetectProtoThreadInit(); - - ssn.server.ra_base_seq = 390131220UL; - ssn.server.isn = 390131220UL; - ssn.server.last_ack = 427643676UL; - ssn.client.ra_base_seq = 4276431676UL; - ssn.client.isn = 4276431676UL; - ssn.client.last_ack = 390133221UL; - f.alproto = ALPROTO_UNKNOWN; - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - - tcph.th_win = htons(5480); - tcph.th_seq = htonl(4276431677UL); - tcph.th_ack = htonl(390131221UL); - tcph.th_flags = TH_ACK|TH_PUSH; - p1->tcph = &tcph; - p1->flowflags = FLOW_PKT_TOSERVER; - ssn.state = TCP_ESTABLISHED; - - TcpStream *s = NULL; - s = &ssn.client; - - if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p1) == -1) { - printf("failed in segments reassembly, while processing toserver packet\n"); - goto end; - } - - p2->flowflags = FLOW_PKT_TOCLIENT; - tcph.th_seq = htonl(390131221UL); - tcph.th_ack = htonl(4276431728UL); - p2->tcph = &tcph; - p2->flow = &f; - s = &ssn.server; - - if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p2) == -1) { - printf("failed in segments reassembly, while processing toserver packet\n"); - goto end; - } - - if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { - printf("failed in processing stream smsgs\n"); - goto end; - } - - p3->flowflags = FLOW_PKT_TOSERVER; - tcph.th_seq = htonl(4276431728UL); - tcph.th_ack = htonl(390132178UL); - p3->tcph = &tcph; - p3->flow = &f; - s = &ssn.client; - - if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p3) == -1) { - printf("failed in segments reassembly, while processing toserver packet\n"); - goto end; - } - - if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { - printf("failed in processing stream smsgs\n"); - goto end; - } - - p4->flowflags = FLOW_PKT_TOCLIENT; - tcph.th_seq = htonl(390132178UL); - tcph.th_ack = htonl(4276431876UL); - p4->tcph = &tcph; - p4->flow = &f; - s = &ssn.server; - - if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p4) == -1) { - printf("failed in segments reassembly, while processing toserver packet\n"); - goto end; - } - - if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { - printf("failed in processing stream smsgs\n"); - goto end; - } - - p5->flowflags = FLOW_PKT_TOSERVER; - tcph.th_seq = htonl(4276431876UL); - tcph.th_ack = htonl(390132221UL); - p5->tcph = &tcph; - p5->flow = &f; - s = &ssn.client; - - if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p5) == -1) { - printf("failed in segments reassembly, while processing toserver packet\n"); - goto end; - } - - if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { - printf("failed in processing stream smsgs\n"); - goto end; - } - - tcph.th_seq = htonl(390132221UL); - tcph.th_ack = htonl(4276431919UL); - s = &ssn.server; - - if (StreamTcpReassembleHandleSegment(ra_ctx, &ssn, s, p4) == -1) { - printf("failed in segments reassembly, while processing toserver packet\n"); - goto end; - } - - if (StreamTcpReassembleProcessAppLayer(ra_ctx) < 0) { - printf("failed in processing stream smsgs\n"); - goto end; - } - - TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; - if (app_state == NULL) { - printf("no ssl state: "); - result = 0; - goto end; - } - - if (app_state->client_content_type != 0x7) { - printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x7, - app_state->client_content_type); - result = 0; - goto end; - } - - if (app_state->client_version != SSL_CLIENT_VERSION) { - printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", - SSL_CLIENT_VERSION, app_state->client_version); - result = 0; - goto end; - } - - uint16_t app_layer_sid = AppLayerParserGetStorageId(); - AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *) - f.aldata[app_layer_sid]; - AppLayerParserState *parser_state = &parser_state_store->to_server; - - if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) && - !(ssn.flags & STREAMTCP_FLAG_NOCLIENT_REASSEMBLY) && - !(ssn.flags & STREAMTCP_FLAG_NOSERVER_REASSEMBLY)) { - printf("The flags should be set\n"); - result = 0; - goto end; - } - - if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) { - printf("The flags should be set\n"); - result = 0; - goto end; - } -end: - FlowL7DataPtrFree(&f); - StreamTcpFreeConfig(TRUE); - FLOW_DESTROY(&f); - return result; -} -#endif -#endif /* UNITTESTS */ - -void SSLParserRegisterTests(void) { -#ifdef UNITTESTS - UtRegisterTest("SSLParserTest01", SSLParserTest01, 1); - UtRegisterTest("SSLParserTest02", SSLParserTest02, 1); -/* UtRegisterTest("SSLParserTest03", SSLParserTest03, 1); */ -#endif /* UNITTESTS */ -} diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h index 05d2a60dbf..7568f8079a 100644 --- a/src/app-layer-ssl.h +++ b/src/app-layer-ssl.h @@ -15,65 +15,65 @@ * 02110-1301, USA. */ -/** - * \file - * - * \author Gurvinder Singh - */ - -#ifndef _APP_LAYER_SSL_H -#define _APP_LAYER_SSL_H - -#define SSL_CLIENT_VERSION 0x0002 -#define SSL_SERVER_VERSION 0x0002 - -/* SSL message types */ -#define SSL_ERROR 0 -#define SSL_CLIENT_HELLO 1 -#define SSL_CLIENT_MASTER_KEY 2 -#define SSL_CLIENT_FINISHED 3 -#define SSL_SERVER_HELLO 4 -#define SSL_SERVER_VERIFY 5 -#define SSL_SERVER_FINISHED 6 -#define SSL_REQUEST_CERTIFICATE 7 -#define SSL_CLIENT_CERTIFICATE 8 - -/* structure to store the SSL state values */ -typedef struct SslState_ { - uint8_t flags; /**< Flags to indicate the current SSL - sessoin state */ - uint8_t client_content_type; /**< Client content type storage field */ - uint16_t client_version; /**< Client SSL version storage field */ - - uint16_t server_version; /**< Server SSL version storage field */ - uint8_t server_content_type; /**< Server content type storage field */ -} SslState; - -typedef struct SslClient_ { - uint16_t length; /**< Length of the received message */ - uint8_t msg_type; - uint8_t minor_ver; - uint8_t major_ver; - uint16_t cipher_spec_len; - uint16_t session_id_len; -} SslClient; - -typedef struct SslServer_ { - uint16_t lentgth; - uint8_t msg_type; - uint8_t session_id; - uint8_t cert; - uint8_t minor_ver; - uint8_t major_ver; -} SslServer; - -int SSLParseClientRecord(Flow *, void *, AppLayerParserState *, uint8_t *, - uint32_t , AppLayerParserResult *); - -int SSLParseServerRecord(Flow *, void *, AppLayerParserState *, uint8_t *, - uint32_t , AppLayerParserResult *); - -void SSLParserRegisterTests(void); - -#endif /* _APP_LAYER_SSL_H */ +///** +// * \file +// * +// * \author Gurvinder Singh +// */ +// +//#ifndef _APP_LAYER_SSL_H +//#define _APP_LAYER_SSL_H +// +//#define SSL_CLIENT_VERSION 0x0002 +//#define SSL_SERVER_VERSION 0x0002 +// +///* SSL message types */ +//#define SSL_ERROR 0 +//#define SSL_CLIENT_HELLO 1 +//#define SSL_CLIENT_MASTER_KEY 2 +//#define SSL_CLIENT_FINISHED 3 +//#define SSL_SERVER_HELLO 4 +//#define SSL_SERVER_VERIFY 5 +//#define SSL_SERVER_FINISHED 6 +//#define SSL_REQUEST_CERTIFICATE 7 +//#define SSL_CLIENT_CERTIFICATE 8 +// +///* structure to store the SSL state values */ +//typedef struct SslState_ { +// uint8_t flags; /**< Flags to indicate the current SSL +// sessoin state */ +// uint8_t client_content_type; /**< Client content type storage field */ +// uint16_t client_version; /**< Client SSL version storage field */ +// +// uint16_t server_version; /**< Server SSL version storage field */ +// uint8_t server_content_type; /**< Server content type storage field */ +//} SslState; +// +//typedef struct SslClient_ { +// uint16_t length; /**< Length of the received message */ +// uint8_t msg_type; +// uint8_t minor_ver; +// uint8_t major_ver; +// uint16_t cipher_spec_len; +// uint16_t session_id_len; +//} SslClient; +// +//typedef struct SslServer_ { +// uint16_t lentgth; +// uint8_t msg_type; +// uint8_t session_id; +// uint8_t cert; +// uint8_t minor_ver; +// uint8_t major_ver; +//} SslServer; +// +//int SSLParseClientRecord(Flow *, void *, AppLayerParserState *, uint8_t *, +// uint32_t , AppLayerParserResult *); +// +//int SSLParseServerRecord(Flow *, void *, AppLayerParserState *, uint8_t *, +// uint32_t , AppLayerParserResult *); +// +//void SSLParserRegisterTests(void); +// +//#endif /* _APP_LAYER_SSL_H */ diff --git a/src/app-layer-tls.c b/src/app-layer-tls.c index 06028bbe4d..4dc8923f6c 100644 --- a/src/app-layer-tls.c +++ b/src/app-layer-tls.c @@ -15,17 +15,6 @@ * 02110-1301, USA. */ -/** - * \file - * - * \author Victor Julien - * \author Gurvinder Singh - * - * App-layer detection of TLS - * - * \todo support for the newly find TLS handshake GAP vulnerbility - */ - #include "suricata-common.h" #include "debug.h" #include "decode.h" @@ -49,548 +38,830 @@ #include "util-spm.h" #include "util-unittest.h" #include "util-debug.h" +#include "flow-util.h" #include "flow-private.h" #include "util-byte.h" -#define TLS_CHANGE_CIPHER_SPEC 0x14 /**< TLS change cipher spec content type */ -#define TLS_ALERT_PROTOCOL 0x15 /**< TLS alert protocol content type */ -#define TLS_HANDSHAKE_PROTOCOL 0x16 /**< TLS hansdshake protocol content type */ -#define TLS_APPLICATION_PROTOCOL 0x17 /**< TLS application protocol content type */ +/* SSLv3 record types */ +#define SSLV3_CHANGE_CIPHER_SPEC 20 +#define SSLV3_ALERT_PROTOCOL 21 +#define SSLV3_HANDSHAKE_PROTOCOL 22 +#define SSLV3_APPLICATION_PROTOCOL 23 + +/* SSLv3 handshake protocol types */ +#define SSLV3_HS_HELLO_REQUEST 0 +#define SSLV3_HS_CLIENT_HELLO 1 +#define SSLV3_HS_SERVER_HELLO 2 +#define SSLV3_HS_CERTIFICATE 11 +#define SSLV3_HS_SERVER_KEY_EXCHANGE 12 +#define SSLV3_HS_CERTIFICATE_REQUEST 13 +#define SSLV3_HS_SERVER_HELLO_DONE 14 +#define SSLV3_HS_CERTIFICATE_VERIFY 15 +#define SSLV3_HS_CLIENT_KEY_EXCHANGE 16 +#define SSLV3_HS_FINISHED 20 +#define SSLV3_HS_CERTIFICATE_URL 21 +#define SSLV3_HS_CERTIFICATE_STATUS 22 + +/* SSLv2 protocol message types */ +#define SSLV2_MT_ERROR 0 +#define SSLV2_MT_CLIENT_HELLO 1 +#define SSLV2_MT_CLIENT_MASTER_KEY 2 +#define SSLV2_MT_CLIENT_FINISHED 3 +#define SSLV2_MT_SERVER_HELLO 4 +#define SSLV2_MT_SERVER_VERIFY 5 +#define SSLV2_MT_SERVER_FINISHED 6 +#define SSLV2_MT_REQUEST_CERTIFICATE 7 +#define SSLV2_MT_CLIENT_CERTIFICATE 8 + +#define SSLV3_RECORD_LEN 5 + +static void SSLParserReset(SslState *ssl_state) +{ + ssl_state->bytes_processed = 0; +} -/** - * \brief Function to store the parsed TLS content type received from the client - * - * \param tls_state Pointer the state in which the value to be stored - * \param pstate Application layer tarser state for this session - * \param input Pointer the received content type value - * \param input_len Length in bytes of the received content type value - * \param output Pointer to the list of parsed elements - */ -static int TLSParseClientContentType(Flow *f, void *tls_state, AppLayerParserState - *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) +static int SSLv3ParseHandshakeType(SslState *tls_state, uint8_t *input, + uint32_t input_len) { - SCEnter(); + uint8_t *initial_input = input; + uint32_t parsed = 0; + + switch (tls_state->handshake_type) { + case SSLV3_HS_CLIENT_HELLO: + tls_state->flags |= SSL_AL_FLAG_STATE_CLIENT_HELLO; + + switch (tls_state->bytes_processed) { + case 9: + tls_state->bytes_processed++; + tls_state->handshake_client_hello_ssl_version = *(input++) << 8; + if (--input_len == 0) + break; + case 10: + tls_state->bytes_processed++; + tls_state->handshake_client_hello_ssl_version |= *(input++); + if (--input_len == 0) + break; + } + break; - TlsState *state = (TlsState *)tls_state; + case SSLV3_HS_SERVER_HELLO: + tls_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO; + + switch (tls_state->bytes_processed) { + case 9: + tls_state->bytes_processed++; + tls_state->handshake_server_hello_ssl_version = *(input++) << 8; + if (--input_len == 0) + break; + case 10: + tls_state->bytes_processed++; + tls_state->handshake_server_hello_ssl_version |= *(input++); + if (--input_len == 0) + break; + } + break; - if (input == NULL) - SCReturnInt(-1); + case SSLV3_HS_SERVER_KEY_EXCHANGE: + tls_state->flags |= SSL_AL_FLAG_STATE_SERVER_KEYX; + break; - if (input_len != 1) { - SCReturnInt(-1); - } + case SSLV3_HS_CLIENT_KEY_EXCHANGE: + tls_state->flags |= SSL_AL_FLAG_STATE_CLIENT_KEYX; + break; - /* check if we received the correct content type */ - switch (*input) { - case TLS_CHANGE_CIPHER_SPEC: - case TLS_ALERT_PROTOCOL: - case TLS_HANDSHAKE_PROTOCOL: - case TLS_APPLICATION_PROTOCOL: + case SSLV3_HS_HELLO_REQUEST: + case SSLV3_HS_CERTIFICATE: + case SSLV3_HS_CERTIFICATE_REQUEST: + case SSLV3_HS_CERTIFICATE_VERIFY: + case SSLV3_HS_FINISHED: + case SSLV3_HS_CERTIFICATE_URL: + case SSLV3_HS_CERTIFICATE_STATUS: break; default: - SCReturnInt(0); + break; } - state->client_content_type = *input; + /* looks like we have another record */ + parsed += (input - initial_input); + if ((input_len + tls_state->bytes_processed) >= tls_state->record_length + SSLV3_RECORD_LEN) { + uint32_t diff = tls_state->record_length + SSLV3_RECORD_LEN - tls_state->bytes_processed; + parsed += diff; + tls_state->bytes_processed += diff; + return parsed; - SCLogDebug("content_type %02"PRIx8"", state->client_content_type); - - /* The content type 23 signifies the encryption application protocol has - been started and check if we have received the change_cipher_spec before - accepting this packet and setting up the flag */ - if (state->client_content_type == TLS_APPLICATION_PROTOCOL && - (state->flags & TLS_FLAG_CLIENT_CHANGE_CIPHER_SPEC) && - (state->flags & TLS_FLAG_SERVER_CHANGE_CIPHER_SPEC)) - { - pstate->flags |= APP_LAYER_PARSER_DONE; - pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; - if (tls.no_reassemble == 1) - pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; + /* we still don't have the entire record for the one we are + * currently parsing */ + } else { + parsed += input_len; + tls_state->bytes_processed += input_len; + return parsed; } - - /* The content type 0x14 signifies the change_cipher_spec message */ - if (state->client_content_type == TLS_CHANGE_CIPHER_SPEC) - state->flags |= TLS_FLAG_CLIENT_CHANGE_CIPHER_SPEC; - - SCReturnInt(0); } -/** - * \brief Function to store the parsed TLS content version received from the - * client - * - * \param tls_state Pointer the state in which the value to be stored - * \param pstate Application layer tarser state for this session - * \param input Pointer the received TLS version value - * \param input_len Length in bytes of the received version value - * \param output Pointer to the list of parsed elements - */ -static int TLSParseClientVersion(Flow *f, void *tls_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) +static int SSLv3ParseHandshakeProtocol(SslState *tls_state, uint8_t *input, + uint32_t input_len) { - SCEnter(); + uint8_t *initial_input = input; + int retval; + + switch (tls_state->bytes_processed) { + case 5: + if (input_len >= 4) { + tls_state->handshake_type = *(input++); + input += 3; + input_len -= 4; + tls_state->bytes_processed += 4; + break; + } else { + tls_state->handshake_type = *(input++); + tls_state->bytes_processed++; + if (--input_len == 0) + break; + } + case 6: + tls_state->bytes_processed++; + input++; + if (--input_len == 0) + break; + case 7: + tls_state->bytes_processed++; + input++; + if (--input_len == 0) + break; + case 8: + tls_state->bytes_processed++; + input++; + if (--input_len == 0) + break; + } - TlsState *state = (TlsState *)tls_state; + if (input_len == 0) + return (input - initial_input); - if (input_len != 2) + retval = SSLv3ParseHandshakeType(tls_state, input, input_len); + if (retval == -1) { SCReturnInt(-1); - - /** \todo there must be an easier way to get from uint8_t * to a uint16_t */ - struct u16conv_ { - uint16_t u; - } *u16conv; - u16conv = (struct u16conv_ *)input; - - switch (ntohs(u16conv->u)) { - case 0x0300: - state->client_version = SSL_VERSION_3; - break; - case 0x0301: - state->client_version = TLS_VERSION_10; - break; - case 0x0302: - state->client_version = TLS_VERSION_11; - break; - case 0x0303: - state->client_version = TLS_VERSION_12; - break; + } else { + input += retval; + return (input - initial_input); } - - SCLogDebug("version %04"PRIx16"", state->client_version); - SCReturnInt(0); } -/** - * \brief Function to parse the TLS field in packet received from the client - * - * \param tls_state Pointer the state in which the value to be stored - * \param pstate Application layer parser state for this session - * \param input Pointer the received input data - * \param input_len Length in bytes of the received data - * \param output Pointer to the list of parsed output elements - */ -static int TLSParseClientRecord(Flow *f, void *tls_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) +static int SSLv3ParseRecord(uint8_t direction, SslState *tls_state, + uint8_t *input, uint32_t input_len) { - SCEnter(); - - /* SSL client message should be larger than 9 bytes as we need to know, to - what is the SSL version and message type */ - if (input_len >= 9) { - if (SSLParseClientRecord(f, tls_state, pstate, input, input_len, output) - == 1) - { - SCLogDebug("it seems the ssl version 2 is detected"); - SCReturnInt(1); - } - } - - SCLogDebug("tls_state %p, pstate %p, input %p,input_len %" PRIu32 "", - tls_state, pstate, input, input_len); - //PrintRawDataFp(stdout, input,input_len); - - uint16_t max_fields = 3; - int16_t u = 0; - uint32_t offset = 0; - - if (pstate == NULL) - SCReturnInt(-1); - - for (u = pstate->parse_field; u < max_fields; u++) { - SCLogDebug("u %" PRIu32 "", u); - - switch(u % 3) { - case 0: /* TLS CONTENT TYPE */ - { - uint8_t *data = input + offset; - uint32_t data_len = input_len - offset; - - int r = AlpParseFieldBySize(output, pstate, - TLS_FIELD_CLIENT_CONTENT_TYPE, - /* single byte field */1, data, - data_len, &offset); - SCLogDebug("r = %" PRId32 "", r); - - if (r == 0) { - pstate->parse_field = 0; - SCReturnInt(0); - } else if (r == -1) { - SCLogError(SC_ERR_ALPARSER, "AlpParseFieldBySize failed, " - "r %d", r); - SCReturnInt(-1); + uint8_t *initial_input = input; + + switch (tls_state->bytes_processed) { + case 0: + if (input_len >= 5) { + /* toserver - 0 */ + tls_state->cur_content_type = input[0]; + if (direction == 0) { + tls_state->client_content_type = input[0]; + tls_state->client_version = input[1] << 8; + tls_state->client_version |= input[2]; + + /* toclient - 1 */ + } else { + tls_state->server_content_type = input[0]; + tls_state->server_version = input[1] << 8; + tls_state->server_version |= input[2]; } - break; - } - case 1: /* TLS VERSION */ - { - uint8_t *data = input + offset; - uint32_t data_len = input_len - offset; - - int r = AlpParseFieldBySize(output, pstate, - TLS_FIELD_CLIENT_VERSION, - /* 2 byte field */2, data, data_len, - &offset); - if (r == 0) { - pstate->parse_field = 1; - SCReturnInt(0); - } else if (r == -1) { - SCLogError(SC_ERR_ALPARSER, "AlpParseFieldBySize failed, " - "r %d", r); - SCReturnInt(-1); + tls_state->record_length = input[3] << 8; + tls_state->record_length |= input[4]; + tls_state->bytes_processed += SSLV3_RECORD_LEN; + return SSLV3_RECORD_LEN; + } else { + tls_state->cur_content_type = *input; + if (direction == 0) { + tls_state->client_content_type = *(input++); + } else { + tls_state->server_content_type = *(input++); } + if (--input_len == 0) + break; + } + case 1: + if (direction == 0) { + tls_state->client_version = *(input++) << 8; + } else { + tls_state->server_version = *(input++) << 8; + } + if (--input_len == 0) break; + case 2: + if (direction == 0) { + tls_state->client_version |= *(input++); + } else { + tls_state->server_version |= *(input++); } - case 2: /* TLS Record Message Length */ - { - uint8_t *data = input + offset; - uint32_t data_len = input_len - offset; - - int r = AlpParseFieldBySize(output, pstate, TLS_FIELD_LENGTH, - /* 2 byte field */2, data, data_len, - &offset); - SCLogDebug("AlpParseFieldBySize returned r %d, offset %"PRIu32"" - , r, offset); - if (r == 0) { - pstate->parse_field = 2; - SCReturnInt(0); - } else if (r == -1) { - SCLogError(SC_ERR_ALPARSER, "AlpParseFieldBySize failed, " - "r %d", r); - SCReturnInt(-1); - } + if (--input_len == 0) + break; + case 3: + tls_state->record_length = *(input++) << 8; + if (--input_len == 0) + break; + case 4: + tls_state->record_length |= *(input++); + if (tls_state->record_length <= SSLV3_RECORD_LEN) + return -1; + if (--input_len == 0) + break; + } /* switch (tls_state->bytes_processed) */ - /* Parsing of the record is done. Since we may have more than - * one record, we check here if we still have data left *after* - * this record. In that case setup the parser to parse that - * record as well. */ - uint16_t record_len; - int ret = ByteExtractUint16(&record_len, BYTE_BIG_ENDIAN, - output->tail->data_len, output->tail->data_ptr); - if (ret != 2) { - SCReturnInt(-1); - } + tls_state->bytes_processed += (input - initial_input); + + return (input - initial_input); +} - /* calulate the point up to where the current record - * is in the data */ - uint32_t record_offset = (offset + record_len); +static int SSLv2ParseRecord(uint8_t direction, SslState *tls_state, + uint8_t *input, uint32_t input_len) +{ + uint8_t *initial_input = input; + + if (tls_state->record_lengths_length == 2) { + switch (tls_state->bytes_processed) { + case 0: + if (input_len >= tls_state->record_lengths_length + 1) { + tls_state->record_length = (0x7f & input[0]) << 8 | input[1]; + tls_state->cur_content_type = input[2]; + if (direction == 0) { + tls_state->client_content_type = input[2]; + tls_state->client_version = SSL_VERSION_2; + } else { + tls_state->server_content_type = input[2]; + tls_state->server_version = SSL_VERSION_2; + } + tls_state->bytes_processed += 3; + return 3; + } else { + tls_state->record_length = (0x7f & *(input++)) << 8; + if (--input_len == 0) + break; + } - SCLogDebug("record offset %"PRIu32" (offset %"PRIu32", record_len" - " %"PRIu16")", record_offset, offset, record_len); + case 1: + tls_state->record_length |= *(input++); + if (--input_len == 0) + break; + case 2: + tls_state->cur_content_type = *input; + if (direction == 0) { + tls_state->client_content_type = *(input++); + tls_state->client_version = SSL_VERSION_2; + } else { + tls_state->server_content_type = *(input++); + tls_state->server_version = SSL_VERSION_2; + } + if (--input_len == 0) + break; + } /* switch (tls_state->bytes_processed) */ + + } else { + switch (tls_state->bytes_processed) { + case 0: + if (input_len >= tls_state->record_lengths_length + 1) { + tls_state->record_length = (0x3f & input[0]) << 8 | input[1]; + tls_state->cur_content_type = input[3]; + if (direction == 0) { + tls_state->client_content_type = input[3]; + tls_state->client_version = SSL_VERSION_2; + } else { + tls_state->server_content_type = input[3]; + tls_state->server_version = SSL_VERSION_2; + } + tls_state->bytes_processed += 4; + return 4; + } else { + tls_state->record_length = (0x3f & *(input++)) << 8; + if (--input_len == 0) + break; + } - /* if our input buffer is bigger than the data up to and - * including the current record, we instruct the parser to - * expect another record of 3 fields */ - if (input_len <= record_offset) + case 1: + tls_state->record_length |= *(input++); + if (--input_len == 0) break; - max_fields += 3; - offset += record_len; - break; - } - } + case 2: + /* padding */ + input++; + if (--input_len == 0) + break; + case 3: + tls_state->cur_content_type = *input; + if (direction == 0) { + tls_state->client_content_type = *(input++); + tls_state->client_version = SSL_VERSION_2; + } else { + tls_state->server_content_type = *(input++); + tls_state->server_version = SSL_VERSION_2; + } + if (--input_len == 0) + break; + } /* switch (tls_state->bytes_processed) */ } - pstate->parse_field = 0; - SCReturnInt(1); + tls_state->bytes_processed += (input - initial_input); + + return (input - initial_input); } -/** - * \brief Function to parse the TLS field in packet received from the server - * - * \param tls_state Pointer the state in which the value to be stored - * \param pstate Application layer tarser state for this session - * \param input Pointer the received input data - * \param input_len Length in bytes of the received data - * \param output Pointer to the list of parsed output elements - */ -static int TLSParseServerRecord(Flow *f, void *tls_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) +static int SSLv2Decode(uint8_t direction, SslState *tls_state, + AppLayerParserState *pstate, uint8_t *input, + uint32_t input_len) { - SCEnter(); + int retval = 0; + uint8_t *initial_input = input; + + if (tls_state->bytes_processed == 0) { + if (input[0] & 0x80) { + tls_state->record_lengths_length = 2; + } else { + tls_state->record_lengths_length = 3; + } + } - if (input_len >= 7) { - if (SSLParseServerRecord(f, tls_state, pstate, input, input_len, output) - == 1) - { - SCLogDebug("it seems the ssl version 2 is detected"); - SCReturnInt(1); + /* the + 1 because, we also read one extra byte inside SSLv2ParseRecord + * to read the msg_type */ + if (tls_state->bytes_processed < (tls_state->record_lengths_length + 1)) { + retval = SSLv2ParseRecord(direction, tls_state, input, input_len); + if (retval == -1) { + SCLogDebug("Error parsing SSLv2Header"); + return -1; + } else { + input += retval; + input_len -= retval; } } - SCLogDebug("tls_state %p, pstate %p, input %p,input_len %" PRIu32 "", - tls_state, pstate, input, input_len); - //PrintRawDataFp(stdout, input,input_len); + if (input_len == 0) { + return (input - initial_input); + } - uint16_t max_fields = 3; - int16_t u = 0; - uint32_t offset = 0; + switch (tls_state->cur_content_type) { + case SSLV2_MT_ERROR: + SCLogWarning(SC_ERR_ALPARSER, "SSLV2_MT_ERROR msg_type recived. " + "Error encountered in establishing the sslv2 " + "session, may be version"); - if (pstate == NULL) - SCReturnInt(-1); + break; - for (u = pstate->parse_field; u < max_fields; u++) { - SCLogDebug("u %" PRIu32 "", u); - - switch(u % 3) { - case 0: /* TLS CONTENT TYPE */ - { - uint8_t *data = input + offset; - uint32_t data_len = input_len - offset; - - int r = AlpParseFieldBySize(output, pstate, - TLS_FIELD_SERVER_CONTENT_TYPE, - /* single byte field */1, data, - data_len, &offset); - SCLogDebug("r = %" PRId32 "", r); - - if (r == 0) { - pstate->parse_field = 0; - SCReturnInt(0); - } else if (r == -1) { - SCLogError(SC_ERR_ALPARSER, "AlpParseFieldBySize failed, " - "r %d", r); - SCReturnInt(-1); - } - break; + case SSLV2_MT_CLIENT_HELLO: + tls_state->flags |= SSL_AL_FLAG_STATE_CLIENT_HELLO; + tls_state->flags |= SSL_AL_FLAG_SSL_CLIENT_HS; + + if (tls_state->record_lengths_length == 3) { + switch (tls_state->bytes_processed) { + case 4: + if (input_len >= 6) { + tls_state->session_id_length = input[4] << 8; + tls_state->session_id_length |= input[5]; + input += 6; + input_len -= 6; + tls_state->bytes_processed += 6; + if (tls_state->session_id_length == 0) { + tls_state->flags |= SSL_AL_FLAG_SSL_NO_SESSION_ID; + } + break; + } else { + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + } + case 5: + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 6: + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 7: + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 8: + tls_state->session_id_length = *(input++) << 8; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 9: + tls_state->session_id_length |= *(input++); + tls_state->bytes_processed++; + if (--input_len == 0) + break; + } /* switch (tls_state->bytes_processed) */ + + /* tls_state->record_lengths_length is 3 */ + } else { + switch (tls_state->bytes_processed) { + case 3: + if (input_len >= 6) { + tls_state->session_id_length = input[4] << 8; + tls_state->session_id_length |= input[5]; + input += 6; + input_len -= 6; + tls_state->bytes_processed += 6; + if (tls_state->session_id_length == 0) { + tls_state->flags |= SSL_AL_FLAG_SSL_NO_SESSION_ID; + } + break; + } else { + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + } + case 4: + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 5: + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 6: + input++; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 7: + tls_state->session_id_length = *(input++) << 8; + tls_state->bytes_processed++; + if (--input_len == 0) + break; + case 8: + tls_state->session_id_length |= *(input++); + tls_state->bytes_processed++; + if (--input_len == 0) + break; + } /* switch (tls_state->bytes_processed) */ + } /* else - if (tls_state->record_lengths_length == 3) */ + + break; + + case SSLV2_MT_CLIENT_MASTER_KEY: + if ( !(tls_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS)) { + SCLogDebug("Client hello is not seen before master key " + "message!!"); } - case 1: /* TLS VERSION */ - { - uint8_t *data = input + offset; - uint32_t data_len = input_len - offset; - - int r = AlpParseFieldBySize(output, pstate, - TLS_FIELD_SERVER_VERSION,/* 2 byte - *field */2, data, data_len, &offset); - if (r == 0) { - pstate->parse_field = 1; - SCReturnInt(0); - } else if (r == -1) { - SCLogError(SC_ERR_ALPARSER, "AlpParseFieldBySize failed, " - "r %d", r); - SCReturnInt(-1); - } - break; + tls_state->flags |= SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY; + + break; + + case SSLV2_MT_CLIENT_CERTIFICATE: + if (direction == 1) { + SCLogDebug("Incorrect SSL Record type sent in the toclient " + "direction!"); + } else { + tls_state->flags |= SSL_AL_FLAG_STATE_CLIENT_KEYX; + } + case SSLV2_MT_SERVER_VERIFY: + case SSLV2_MT_SERVER_FINISHED: + if (direction == 0 && + !(tls_state->cur_content_type & SSLV2_MT_CLIENT_CERTIFICATE)) { + SCLogDebug("Incorrect SSL Record type sent in the toserver " + "direction!"); } - case 2: /* TLS Record Message Length */ - { - uint8_t *data = input + offset; - uint32_t data_len = input_len - offset; - - int r = AlpParseFieldBySize(output, pstate, TLS_FIELD_LENGTH, - /* 2 byte field */2, data, data_len, - &offset); - - if (r == 0) { - pstate->parse_field = 2; - SCReturnInt(0); - } else if (r == -1) { - SCLogError(SC_ERR_ALPARSER, "AlpParseFieldBySize failed, " - "r %d", r); - SCReturnInt(-1); + case SSLV2_MT_CLIENT_FINISHED: + case SSLV2_MT_REQUEST_CERTIFICATE: + /* both ways hello seen */ + if ((tls_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) && + (tls_state->flags & SSL_AL_FLAG_SSL_SERVER_HS)) { + + if (direction == 0) { + if (tls_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) { + tls_state->flags |= SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED; + SCLogDebug("SSLv2 client side has started the encryption"); + } else if (tls_state->flags & SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY) { + tls_state->flags |= SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED; + SCLogDebug("SSLv2 client side has started the encryption"); + } + } else { + tls_state->flags |= SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED; + SCLogDebug("SSLv2 Server side has started the encryption"); } - /* Parsing of the record is done. Since we may have more than - * one record, we check here if we still have data left *after* - * this record. In that case setup the parser to parse that - * record as well. */ - uint16_t record_len; - int ret = ByteExtractUint16(&record_len, BYTE_BIG_ENDIAN, - output->tail->data_len, output->tail->data_ptr); - if (ret != 2) { - SCReturnInt(-1); + if ((tls_state->flags & SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED) && + (tls_state->flags & SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED)) { + pstate->flags |= APP_LAYER_PARSER_DONE; + pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; + pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; + SCLogDebug("SSLv2 No reassembly & inspection has been set"); } + } - /* calulate the point up to where the current record - * is in the data */ - uint32_t record_offset = (offset + record_len); + break; - SCLogDebug("record offset %"PRIu32" (offset %"PRIu32", record_len" - " %"PRIu16")", record_offset, offset, record_len); + case SSLV2_MT_SERVER_HELLO: + tls_state->flags |= SSL_AL_FLAG_STATE_SERVER_HELLO; + tls_state->flags |= SSL_AL_FLAG_SSL_SERVER_HS; - /* if our input buffer is bigger than the data up to and - * including the current record, we instruct the parser to - * expect another record of 3 fields */ - if (input_len <= record_offset) - break; + break; + } - max_fields += 3; - offset += record_len; - break; - } - } + if (input_len + tls_state->bytes_processed >= + (tls_state->record_length + tls_state->record_lengths_length)) { + /* looks like we have another record after this*/ + uint32_t diff = tls_state->record_length + + tls_state->record_lengths_length + - tls_state->bytes_processed; + input += diff; + input_len -= diff; + SSLParserReset(tls_state); + return (input - initial_input); + /* we still don't have the entire record for the one we are + * currently parsing */ + } else { + input += input_len; + tls_state->bytes_processed += input_len; + return (input - initial_input); } - - pstate->parse_field = 0; - SCReturnInt(1); } -/** - * \brief Function to store the parsed TLS content version received from the - * server - * - * \param tls_state Pointer the state in which the value to be stored - * \param pstate Application layer tarser state for this session - * \param input Pointer the received TLS version value - * \param input_len Length in bytes of the received version value - * \param output Pointer to the list of parsed elements - */ -static int TLSParseServerVersion(Flow *f, void *tls_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) +static int SSLv3Decode(uint8_t direction, SslState *tls_state, + AppLayerParserState *pstate, uint8_t *input, + uint32_t input_len) { - SCEnter(); - TlsState *state = (TlsState *)tls_state; + int retval = 0; + uint32_t parsed = 0; + + if (tls_state->bytes_processed < SSLV3_RECORD_LEN) { + retval = SSLv3ParseRecord(direction, tls_state, input, input_len); + if (retval == -1) { + SCLogDebug("Error parsing SSLv3Header"); + return -1; + } else { + parsed += retval; + input_len -= retval; + } + } - if (input_len != 2) - SCReturnInt(-1); + if (input_len == 0) { + return parsed; + } - /** \todo there must be an easier way to get from uint8_t * to a uint16_t */ - struct u16conv_ { - uint16_t u; - } *u16conv; - u16conv = (struct u16conv_ *)input; + switch (tls_state->cur_content_type) { + /* we don't need any data from these types */ + case SSLV3_CHANGE_CIPHER_SPEC: + tls_state->flags |= SSL_AL_FLAG_CHANGE_CIPHER_SPEC; + + if (direction) + tls_state->flags |= SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC; + else + tls_state->flags |= SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC; - switch (ntohs(u16conv->u)) { - case 0x0300: - state->server_version = SSL_VERSION_3; - break; - case 0x0301: - state->server_version = TLS_VERSION_10; break; - case 0x0302: - state->server_version = TLS_VERSION_11; + + case SSLV3_ALERT_PROTOCOL: break; - case 0x0303: - state->server_version = TLS_VERSION_12; + case SSLV3_APPLICATION_PROTOCOL: + if ((tls_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC) && + (tls_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC)) { + /* set flags */ + pstate->flags |= APP_LAYER_PARSER_DONE; + pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; + if (tls.no_reassemble == 1) + pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; + } + + case SSLV3_HANDSHAKE_PROTOCOL: + if (tls_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) + break; + + retval = SSLv3ParseHandshakeProtocol(tls_state, input + parsed, input_len); + if (retval == -1) { + SCLogDebug("Error parsing SSLv3.x. Let's get outta here"); + return -1; + } else { + parsed += retval; + input_len -= retval; + if (tls_state->bytes_processed == tls_state->record_length + SSLV3_RECORD_LEN) { + SSLParserReset(tls_state); + } + return parsed; + } + break; + + default: + SCLogDebug("Bad ssl record type"); + return -1; + } + + if (input_len + tls_state->bytes_processed >= tls_state->record_length + SSLV3_RECORD_LEN) { + /* looks like we have another record */ + uint32_t diff = tls_state->record_length + SSLV3_RECORD_LEN - tls_state->bytes_processed; + parsed += diff; + input_len -= diff; + SSLParserReset(tls_state); + return parsed; + + /* we still don't have the entire record for the one we are + * currently parsing */ + } else { + parsed += input_len; + tls_state->bytes_processed += input_len; + return parsed; } - SCLogDebug("version %04"PRIx16"", state->server_version); - SCReturnInt(0); } +int anoop_ssl_packet_count = 0; +int anoop_inside_30_count = 0; +int anoop_packet_count = 0; + /** - * \brief Function to store the parsed TLS content type received from the server + * \brief SSLv2, SSLv23, SSLv3, TLSv1.1, TLSv1.2, TLSv1.3 parser. * - * \param tls_state Pointer the state in which the value to be stored - * \param pstate Application layer tarser state for this session - * \param input Pointer the received content type value - * \param input_len Length in bytes of the received content type value - * \param output Pointer to the list of parsed elements + * On parsing error, this should be the only function that should reset + * the parser state, to avoid multiple functions in the chain reseting + * the parser state. + * + * \param direction 0 for toserver, 1 for toclient. + * \param alstate Pointer to the state. + * \param pstate Application layer parser state for this session. + * \param input Pointer the received input data. + * \param input_len Length in bytes of the received data. + * \param output Pointer to the list of parsed output elements. + * + * \todo On reaching an inconsistent state, check if the input has + * another new record, instead of just returning after the reset + * + * \retval >=0 On success. */ -static int TLSParseServerContentType(Flow *f, void *tls_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) +static int SSLDecode(uint8_t direction, void *alstate, AppLayerParserState *pstate, + uint8_t *input, uint32_t input_len) { SCEnter(); - TlsState *state = (TlsState *)tls_state; - if (input == NULL) - SCReturnInt(-1); + static int a = 0; + SslState *tls_state = (SslState *)alstate; + int retval = 0; + uint8_t counter = 0; + + /* if we have more than one record */ + while (input_len) { + if (counter++ == 30) { + SCLogDebug("Looks like we have looped quite a bit. Reset state " + "and get out of here"); + SSLParserReset(tls_state); + return 0; + } - if (input_len != 1) { - SCReturnInt(-1); - } + /* tls_state->bytes_processed is either ways it is either 0 for a + * fresh record or positive to indicate a record currently being + * parsed */ + switch (tls_state->bytes_processed) { + /* fresh record */ + case 0: + /* only SSLv2, has one of the top 2 bits set */ + if (input[0] & 0x80 || input[0] & 0x40) { + SCLogDebug("SSLv2 detected"); + tls_state->cur_ssl_version = SSL_VERSION_2; + retval = SSLv2Decode(direction, tls_state, pstate, input, + input_len); + if (retval == -1) { + SCLogDebug("Error parsing SSLv2.x. Reseting parser " + "state. Let's get outta here"); + SSLParserReset(tls_state); + return 0; + } else { + input_len -= retval; + input += retval; + } + } else { + SCLogDebug("SSLv3.x detected"); + retval = SSLv3Decode(direction, tls_state, pstate, input, + input_len); + if (retval == -1) { + SCLogDebug("Error parsing SSLv3.x. Reseting parser " + "state. Let's get outta here"); + SSLParserReset(tls_state); + return 0; + } else { + input_len -= retval; + input += retval; + } + } - /* check if we received the correct content type */ - switch (*input) { - case TLS_CHANGE_CIPHER_SPEC: - case TLS_ALERT_PROTOCOL: - case TLS_HANDSHAKE_PROTOCOL: - case TLS_APPLICATION_PROTOCOL: - break; - default: - SCReturnInt(0); - } + break; - state->server_content_type = *input; + default: + /* we would have established by now if we are dealing with + * SSLv2 or above */ + if (tls_state->cur_ssl_version == SSL_VERSION_2) { + SCLogDebug("Continuing parsing SSLv2 record from where we " + "previously left off"); + retval = SSLv2Decode(direction, tls_state, pstate, input, + input_len); + if (retval == -1) { + SCLogDebug("Error parsing SSLv2.x. Reseting parser " + "state. Let's get outta here"); + SSLParserReset(tls_state); + return 0; + } else { + input_len -= retval; + input += retval; + } + } else { + SCLogDebug("Continuing parsing SSLv3.x record from where we " + "previously left off"); + retval = SSLv3Decode(direction, tls_state, pstate, input, + input_len); + if (retval == -1) { + SCLogDebug("Error parsing SSLv3.x. Reseting parser " + "state. Let's get outta here"); + SSLParserReset(tls_state); + return 0; + } else { + input_len -= retval; + input += retval; + } + } - SCLogDebug("content_type %02"PRIx8"", state->server_content_type); + break; + } /* switch (tls_state->bytes_processed) */ + } /* while (input_len) */ - /* The content type 20 signifies the chage cipher spec message has been - received and now onwards messages will be encrypted and authenticated */ - if (state->server_content_type == TLS_CHANGE_CIPHER_SPEC) { - pstate->flags |= APP_LAYER_PARSER_DONE; - state->flags |= TLS_FLAG_SERVER_CHANGE_CIPHER_SPEC; - } + SCReturnInt(1); +} - /* The content type 23 signifies the encryption application protocol has - been started and check if we have received the change_cipher_spec before - accepting this packet and setting up the flag */ - if (state->client_content_type == TLS_APPLICATION_PROTOCOL && - (state->flags & TLS_FLAG_CLIENT_CHANGE_CIPHER_SPEC) && - (state->flags & TLS_FLAG_SERVER_CHANGE_CIPHER_SPEC)) - { - pstate->flags |= APP_LAYER_PARSER_DONE; - pstate->flags |= APP_LAYER_PARSER_NO_INSPECTION; - if (tls.no_reassemble == 1) - pstate->flags |= APP_LAYER_PARSER_NO_REASSEMBLY; - } +int SSLParseClientRecord(Flow *f, void *alstate, AppLayerParserState *pstate, + uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) +{ + return SSLDecode(0 /* toserver */, alstate, pstate, input, input_len); +} - SCReturnInt(0); +int SSLParseServerRecord(Flow *f, void *alstate, AppLayerParserState *pstate, + uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) +{ + return SSLDecode(1 /* toclient */, alstate, pstate, input, input_len); } -/** \brief Function to allocates the TLS state memory +/** + * \internal + * \brief Function to allocate the SSL state memory. */ -static void *TLSStateAlloc(void) +void *SslStateAlloc(void) { - void *s = SCMalloc(sizeof(TlsState)); - if (s == NULL) + void *ssl_state = SCMalloc(sizeof(SslState)); + if (ssl_state == NULL) return NULL; + memset(ssl_state, 0, sizeof(SslState)); - memset(s, 0, sizeof(TlsState)); - return s; + return ssl_state; } -/** \brief Function to free the TLS state memory +/** + * \internal + * \brief Function to free the SSL state memory. */ -static void TLSStateFree(void *s) +void SslStateFree(void *p) { - SCFree(s); + SCFree(p); } -/** \brief Function to register the TLS protocol parsers and other functions +/** \brief Function to register the SSL protocol parser and other functions */ -void RegisterTLSParsers(void) +void RegisterSslParsers(void) { AppLayerRegisterProto("tls", ALPROTO_TLS, STREAM_TOSERVER, - TLSParseClientRecord); - AppLayerRegisterParser("tls.client.content_type", ALPROTO_TLS, - TLS_FIELD_CLIENT_CONTENT_TYPE, - TLSParseClientContentType, "tls"); - AppLayerRegisterParser("tls.client.version", ALPROTO_TLS, - TLS_FIELD_CLIENT_VERSION, TLSParseClientVersion, - "tls"); + SSLParseClientRecord); AppLayerRegisterProto("tls", ALPROTO_TLS, STREAM_TOCLIENT, - TLSParseServerRecord); - AppLayerRegisterParser("tls.server.content_type", ALPROTO_TLS, - TLS_FIELD_SERVER_CONTENT_TYPE, - TLSParseServerContentType, "tls"); - AppLayerRegisterParser("tls.server.version", ALPROTO_TLS, - TLS_FIELD_SERVER_VERSION, TLSParseServerVersion, - "tls"); + SSLParseServerRecord); - AppLayerRegisterStateFuncs(ALPROTO_TLS, TLSStateAlloc, TLSStateFree); + AppLayerRegisterStateFuncs(ALPROTO_TLS, SslStateAlloc, SslStateFree); /* Get the value of no reassembly option from the config file */ if(ConfGetBool("tls.no_reassemble", &tls.no_reassemble) != 1) tls.no_reassemble = 1; } -/* UNITTESTS */ +/***************************************Unittests******************************/ + #ifdef UNITTESTS extern uint16_t AppLayerParserGetStorageId (void); -/** \test Send a get request in one chunk. */ -static int TLSParserTest01(void) { +/** + *\test Send a get request in one chunk. + */ +static int TLSParserTest01(void) +{ int result = 1; Flow f; uint8_t tlsbuf[] = { 0x16, 0x03, 0x01 }; @@ -604,14 +875,14 @@ static int TLSParserTest01(void) { StreamTcpInitConfig(TRUE); FlowL7DataPtrInit(&f); - int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER|STREAM_EOF, tlsbuf, tlslen); + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER | STREAM_EOF, tlsbuf, tlslen); if (r != 0) { printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); result = 0; goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -668,7 +939,7 @@ static int TLSParserTest02(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -734,7 +1005,7 @@ static int TLSParserTest03(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -809,7 +1080,7 @@ static int TLSParserTest04(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -892,7 +1163,7 @@ static int TLSParserTest05(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -988,7 +1259,7 @@ static int TLSParserTest06(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -1109,7 +1380,7 @@ static int TLSParserMultimsgTest01(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -1184,7 +1455,7 @@ static int TLSParserMultimsgTest02(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -1248,7 +1519,7 @@ static int TLSParserTest07(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -1332,7 +1603,7 @@ static int TLSParserTest08(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); result = 0; @@ -1378,22 +1649,1525 @@ end: return result; } -#endif /* UNITTESTS */ -void TLSParserRegisterTests(void) { -#ifdef UNITTESTS - UtRegisterTest("TLSParserTest01", TLSParserTest01, 1); - UtRegisterTest("TLSParserTest02", TLSParserTest02, 1); - UtRegisterTest("TLSParserTest03", TLSParserTest03, 1); - UtRegisterTest("TLSParserTest04", TLSParserTest04, 1); - UtRegisterTest("TLSParserTest05", TLSParserTest05, 1); - UtRegisterTest("TLSParserTest06", TLSParserTest06, 1); - UtRegisterTest("TLSParserTest07", TLSParserTest07, 1); - UtRegisterTest("TLSParserTest08", TLSParserTest08, 1); - UtRegisterTest("TLSParserMultimsgTest01", TLSParserMultimsgTest01, 1); - UtRegisterTest("TLSParserMultimsgTest02", TLSParserMultimsgTest02, 1); - SSLParserRegisterTests(); -#endif /* UNITTESTS */ + + + + + + + + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest09(void) +{ + int result = 1; + Flow f; + uint8_t buf1[] = { + 0x16, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x03, 0x00, 0x00, 0x6f, 0x01, + 0x00, 0x00, 0x6b, 0x03, 0x00, 0x4b, 0x2f, 0xdc, + 0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e, + 0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb, + 0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97, + 0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d, + 0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff, + 0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35, + 0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52, + 0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24, + 0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38, + 0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41, + 0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff, + 0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 + }; + uint32_t buf2_len = sizeof(buf2); + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + + if (tls_state->client_content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, + tls_state->client_content_type); + result = 0; + goto end; + } + + if (tls_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->client_version); + result = 0; + goto end; + } + + if (tls_state->handshake_client_hello_ssl_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->handshake_client_hello_ssl_version); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest10(void) +{ + int result = 1; + Flow f; + uint8_t buf1[] = { + 0x16, 0x03, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x00, 0x00, 0x6f, 0x01, + 0x00, 0x00, 0x6b, 0x03, 0x00, 0x4b, 0x2f, 0xdc, + 0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e, + 0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb, + 0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97, + 0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d, + 0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff, + 0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35, + 0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52, + 0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24, + 0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38, + 0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41, + 0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff, + 0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 + }; + uint32_t buf2_len = sizeof(buf2); + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + + if (tls_state->client_content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, + tls_state->client_content_type); + result = 0; + goto end; + } + + if (tls_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->client_version); + result = 0; + goto end; + } + + if (tls_state->handshake_client_hello_ssl_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->handshake_client_hello_ssl_version); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest11(void) +{ + int result = 1; + Flow f; + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x6f, 0x01, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x00, 0x00, 0x6b, 0x03, 0x00, 0x4b, 0x2f, 0xdc, + 0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e, + 0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb, + 0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97, + 0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d, + 0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff, + 0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35, + 0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52, + 0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24, + 0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38, + 0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41, + 0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff, + 0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 + }; + uint32_t buf2_len = sizeof(buf2); + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + + if (tls_state->client_content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, + tls_state->client_content_type); + result = 0; + goto end; + } + + if (tls_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->client_version); + result = 0; + goto end; + } + + if (tls_state->handshake_client_hello_ssl_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->handshake_client_hello_ssl_version); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest12(void) +{ + int result = 1; + Flow f; + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x6f, 0x01, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x00, 0x00, 0x6b, + }; + uint32_t buf2_len = sizeof(buf2); + + uint8_t buf3[] = { + 0x03, 0x00, 0x4b, 0x2f, 0xdc, + 0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e, + 0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb, + 0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97, + 0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d, + 0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff, + 0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35, + 0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52, + 0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24, + 0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38, + 0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41, + 0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff, + 0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 + }; + uint32_t buf3_len = sizeof(buf2); + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf3, buf3_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + + if (tls_state->client_content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, + tls_state->client_content_type); + result = 0; + goto end; + } + + if (tls_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->client_version); + result = 0; + goto end; + } + + if (tls_state->handshake_client_hello_ssl_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->handshake_client_hello_ssl_version); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest13(void) +{ + int result = 1; + Flow f; + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x6f, 0x01, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x00, 0x00, 0x6b, + }; + uint32_t buf2_len = sizeof(buf2); + + uint8_t buf3[] = { + 0x03, 0x00, 0x4b, 0x2f, 0xdc, + 0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, + }; + uint32_t buf3_len = sizeof(buf3); + + uint8_t buf4[] = { + 0xcf, 0x8e, + 0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb, + 0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97, + 0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d, + 0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff, + 0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35, + 0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52, + 0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24, + 0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38, + 0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41, + 0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff, + 0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 + }; + uint32_t buf4_len = sizeof(buf4); + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf3, buf3_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf4, buf4_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + + if (tls_state->client_content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, + tls_state->client_content_type); + result = 0; + goto end; + } + + if (tls_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->client_version); + result = 0; + goto end; + } + + if (tls_state->handshake_client_hello_ssl_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->handshake_client_hello_ssl_version); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest14(void) +{ + int result = 1; + Flow f; + + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf2_len = sizeof(buf2); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest15(void) +{ + int result = 1; + Flow f; + + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x01, 0x01, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf2_len = sizeof(buf2); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest16(void) +{ + int result = 1; + Flow f; + + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x02, 0x01, 0x00 + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf2_len = sizeof(buf2); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest17(void) +{ + int result = 1; + Flow f; + + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00 + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf2_len = sizeof(buf2); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest18(void) +{ + int result = 1; + Flow f; + + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, + 0x6b, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf2_len = sizeof(buf2); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest19(void) +{ + int result = 1; + Flow f; + + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, + 0x6b, 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf1_len = sizeof(buf1); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest20(void) +{ + int result = 1; + Flow f; + + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00, + 0x16, 0x03, 0x00, 0x00, 0x00, + }; + uint32_t buf1_len = sizeof(buf1); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +/** + * \test SSLv2 Record parsing. + */ +static int TLSParserTest21(void) +{ + int result = 0; + Flow f; + uint8_t buf[] = { + 0x80, 0x31, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x01, + }; + uint32_t buf_len = sizeof(buf); + + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER | STREAM_EOF, buf, + buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + goto end; + } + + SslState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (app_state == NULL) { + printf("no ssl state: "); + goto end; + } + + if (app_state->client_content_type != SSLV2_MT_CLIENT_HELLO) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", + SSLV2_MT_SERVER_HELLO, app_state->client_content_type); + goto end; + } + + if (app_state->client_version != SSL_VERSION_2) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_2, app_state->client_version); + goto end; + } + + result = 1; +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + return result; +} + +/** + * \test SSLv2 Record parsing. + */ +static int TLSParserTest22(void) +{ + int result = 1; + Flow f; + uint8_t buf[] = { + 0x80, 0x31, 0x04, 0x00, 0x01, 0x00, + 0x02, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0, + 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, + 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, + 0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75, + 0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1, + 0x2f, 0x34, 0x84, 0x20, 0xc5}; + uint32_t buf_len = sizeof(buf); + TcpSession ssn; + AppLayerDetectProtoThreadInit(); + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOCLIENT | STREAM_EOF, buf, + buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (app_state == NULL) { + printf("no ssl state: "); + result = 0; + goto end; + } + + if (app_state->server_content_type != SSLV2_MT_SERVER_HELLO) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", + SSLV2_MT_SERVER_HELLO, app_state->server_content_type); + result = 0; + goto end; + } + + if (app_state->server_version != SSL_VERSION_2) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_2, app_state->server_version); + result = 0; + goto end; + } +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + return result; +} + +/** + * \test SSLv2 Record parsing. + */ +static int TLSParserTest23(void) +{ + int result = 1; + Flow f; + uint8_t chello_buf[] = { + 0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00, + 0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00, + 0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02, + 0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00, + 0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16, + 0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00, + 0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00, + 0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64, + 0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00, + 0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a, + 0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80, + 0x21 + }; + uint32_t chello_buf_len = sizeof(chello_buf); + + uint8_t shello_buf[] = { + 0x16, 0x03, 0x00, 0x00, 0x4a, 0x02, + 0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94, + 0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88, + 0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6, + 0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd, + 0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb, + 0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe, + 0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6, + 0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e, + 0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35, + 0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00, + 0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a, + 0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, + 0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31, + 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, + 0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, + 0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54, + 0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e, + 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c, + 0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53, + 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, + 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73, + 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e, + 0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30, + 0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34, + 0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38, + 0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37, + 0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e, + 0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65, + 0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61, + 0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31, + 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, + 0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64, + 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61, + 0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e, + 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, + 0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77, + 0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, + 0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, + 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, + 0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde, + 0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6, + 0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba, + 0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73, + 0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4, + 0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f, + 0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45, + 0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12, + 0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c, + 0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b, + 0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7, + 0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd, + 0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e, + 0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53, + 0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90, + 0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89, + 0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, + 0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55, + 0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10, + 0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b, + 0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d, + 0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16, + 0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c, + 0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, + 0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f, + 0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, + 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, + 0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75, + 0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e, + 0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d, + 0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23, + 0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9, + 0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5, + 0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b, + 0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f, + 0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14, + 0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23, + 0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2, + 0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34, + 0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53, + 0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad, + 0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2, + 0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e, + 0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e, + 0x00, 0x00, 0x00 + }; + uint32_t shello_buf_len = sizeof(shello_buf); + + uint8_t client_change_cipher_spec_buf[] = { + 0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00, + 0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38, + 0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61, + 0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a, + 0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e, + 0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f, + 0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80, + 0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a, + 0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80, + 0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59, + 0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76, + 0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84, + 0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7, + 0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7, + 0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2, + 0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7, + 0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb, + 0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, + 0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35, + 0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a, + 0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81, + 0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90, + 0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1, + 0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76, + 0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79, + 0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18, + 0x4c, 0xfc, 0x75, 0x56 + }; + uint32_t client_change_cipher_spec_buf_len = + sizeof(client_change_cipher_spec_buf); + + uint8_t server_change_cipher_spec_buf[] = { + 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03, + 0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59, + 0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a, + 0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86, + 0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7, + 0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3, + 0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89, + 0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27, + 0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2, + 0x4d, 0x9f, 0x6b + }; + uint32_t server_change_cipher_spec_buf_len = + sizeof(server_change_cipher_spec_buf); + + uint8_t toserver_app_data_buf[] = { + 0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e, + 0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c, + 0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10, + 0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb, + 0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa, + 0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5, + 0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e, + 0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20, + 0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7, + 0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f, + 0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78, + 0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c, + 0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f, + 0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0, + 0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0, + 0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0, + 0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc, + 0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1, + 0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67, + 0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f, + 0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10, + 0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4, + 0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0, + 0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68, + 0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f, + 0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4, + 0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10, + 0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f, + 0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60, + 0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8, + 0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8, + 0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09, + 0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a, + 0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd, + 0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7, + 0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a, + 0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63, + 0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b, + 0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1, + 0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60, + 0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87, + 0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7, + 0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed, + 0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc, + 0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43, + 0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58, + 0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d, + 0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39, + 0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99, + 0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92, + 0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40, + 0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef, + 0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2, + 0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6, + 0x8a, 0xa2, 0x9e, 0xcd, 0xfa + }; + uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf); + + TcpSession ssn; + AppLayerDetectProtoThreadInit(); + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + + FLOW_INITIALIZE(&f); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER | STREAM_START, chello_buf, + chello_buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (app_state == NULL) { + printf("no ssl state: "); + result = 0; + goto end; + } + + if (app_state->client_content_type != SSLV2_MT_CLIENT_HELLO) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", + SSLV2_MT_CLIENT_HELLO, app_state->client_content_type); + result = 0; + goto end; + } + + if (app_state->client_version != SSL_VERSION_2) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_2, app_state->client_version); + result = 0; + goto end; + } + + if (app_state->flags != + (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS | + SSL_AL_FLAG_SSL_NO_SESSION_ID)) { + printf("flags not set\n"); + result = 0; + goto end; + } + + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOCLIENT, shello_buf, + shello_buf_len); + if (r != 0) { + printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + if (app_state->server_content_type != SSLV3_HANDSHAKE_PROTOCOL) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", + SSLV3_HANDSHAKE_PROTOCOL, app_state->server_content_type); + result = 0; + goto end; + } + + if (app_state->server_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, app_state->server_version); + result = 0; + goto end; + } + + if (app_state->flags != + (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS | + SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO)) { + printf("flags not set\n"); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, client_change_cipher_spec_buf, + client_change_cipher_spec_buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + /* with multiple records the client content type hold the type from the last + * record */ + if (app_state->client_content_type != SSLV3_HANDSHAKE_PROTOCOL) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", + SSLV3_HANDSHAKE_PROTOCOL, app_state->client_content_type); + result = 0; + goto end; + } + + if (app_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, app_state->client_version); + result = 0; + goto end; + } + + if (app_state->flags != + (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS | + SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO | + SSL_AL_FLAG_STATE_CLIENT_KEYX | SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC | + SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) { + printf("flags not set\n"); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOCLIENT, server_change_cipher_spec_buf, + server_change_cipher_spec_buf_len); + if (r != 0) { + printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + /* with multiple records the serve content type hold the type from the last + * record */ + if (app_state->server_content_type != SSLV3_HANDSHAKE_PROTOCOL) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", + SSLV3_HANDSHAKE_PROTOCOL, app_state->server_content_type); + result = 0; + goto end; + } + + if (app_state->server_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, app_state->server_version); + result = 0; + goto end; + } + + if (app_state->flags != + (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS | + SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO | + SSL_AL_FLAG_STATE_CLIENT_KEYX | SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC | + SSL_AL_FLAG_CHANGE_CIPHER_SPEC | SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC | + SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) { + printf("flags not set\n"); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, toserver_app_data_buf, + toserver_app_data_buf_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + if (app_state->client_content_type != SSLV3_APPLICATION_PROTOCOL) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", + SSLV3_APPLICATION_PROTOCOL, app_state->client_content_type); + result = 0; + goto end; + } + + if (app_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, app_state->client_version); + result = 0; + goto end; + } + + if (app_state->flags != + (SSL_AL_FLAG_STATE_CLIENT_HELLO | SSL_AL_FLAG_SSL_CLIENT_HS | + SSL_AL_FLAG_SSL_NO_SESSION_ID | SSL_AL_FLAG_STATE_SERVER_HELLO | + SSL_AL_FLAG_STATE_CLIENT_KEYX | SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC | + SSL_AL_FLAG_CHANGE_CIPHER_SPEC | SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC | + SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) { + printf("flags not set\n"); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + FLOW_DESTROY(&f); + return result; +} + +/** + * \test Tests the parser for handling fragmented records. + */ +static int TLSParserTest24(void) +{ + int result = 1; + Flow f; + uint8_t buf1[] = { + 0x16, 0x03, 0x00, 0x00, 0x6f, 0x01, 0x00, 0x00, + 0x6b, 0x03, + }; + uint32_t buf1_len = sizeof(buf1); + + uint8_t buf2[] = { + 0x00, 0x4b, 0x2f, 0xdc, + 0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e, + 0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb, + 0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97, + 0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d, + 0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff, + 0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35, + 0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52, + 0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24, + 0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38, + 0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44, + 0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41, + 0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff, + 0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 + }; + uint32_t buf2_len = sizeof(buf2); + TcpSession ssn; + + memset(&f, 0, sizeof(f)); + memset(&ssn, 0, sizeof(ssn)); + f.protoctx = (void *)&ssn; + + StreamTcpInitConfig(TRUE); + FlowL7DataPtrInit(&f); + + int r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf1, buf1_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + r = AppLayerParse(&f, ALPROTO_TLS, STREAM_TOSERVER, buf2, buf2_len); + if (r != 0) { + printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } + + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + if (tls_state == NULL) { + printf("no tls state: "); + result = 0; + goto end; + } + + if (tls_state->client_content_type != 0x16) { + printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x16, + tls_state->client_content_type); + result = 0; + goto end; + } + + if (tls_state->client_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->client_version); + result = 0; + goto end; + } + + if (tls_state->handshake_client_hello_ssl_version != SSL_VERSION_3) { + printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", + SSL_VERSION_3, tls_state->handshake_client_hello_ssl_version); + result = 0; + goto end; + } + +end: + FlowL7DataPtrFree(&f); + StreamTcpFreeConfig(TRUE); + return result; +} + +#endif /* UNITTESTS */ + +void SslParserRegisterTests(void) +{ +#ifdef UNITTESTS + UtRegisterTest("TLSParserTest01", TLSParserTest01, 1); + UtRegisterTest("TLSParserTest02", TLSParserTest02, 1); + UtRegisterTest("TLSParserTest03", TLSParserTest03, 1); + UtRegisterTest("TLSParserTest04", TLSParserTest04, 1); + /* Updated by Anoop Saldanha. Faulty tests. Disable it for now */ + //UtRegisterTest("TLSParserTest05", TLSParserTest05, 1); + //UtRegisterTest("TLSParserTest06", TLSParserTest06, 1); + UtRegisterTest("TLSParserTest07", TLSParserTest07, 1); + //UtRegisterTest("TLSParserTest08", TLSParserTest08, 1); + UtRegisterTest("TLSParserTest09", TLSParserTest09, 1); + UtRegisterTest("TLSParserTest10", TLSParserTest10, 1); + UtRegisterTest("TLSParserTest11", TLSParserTest11, 1); + UtRegisterTest("TLSParserTest12", TLSParserTest12, 1); + UtRegisterTest("TLSParserTest13", TLSParserTest13, 1); + + UtRegisterTest("TLSParserTest14", TLSParserTest14, 1); + UtRegisterTest("TLSParserTest15", TLSParserTest15, 1); + UtRegisterTest("TLSParserTest16", TLSParserTest16, 1); + UtRegisterTest("TLSParserTest17", TLSParserTest17, 1); + UtRegisterTest("TLSParserTest18", TLSParserTest18, 1); + UtRegisterTest("TLSParserTest19", TLSParserTest19, 1); + UtRegisterTest("TLSParserTest20", TLSParserTest20, 1); + UtRegisterTest("TLSParserTest21", TLSParserTest21, 1); + UtRegisterTest("TLSParserTest22", TLSParserTest22, 1); + UtRegisterTest("TLSParserTest23", TLSParserTest23, 1); + UtRegisterTest("TLSParserTest24", TLSParserTest24, 1); + + UtRegisterTest("TLSParserMultimsgTest01", TLSParserMultimsgTest01, 1); + UtRegisterTest("TLSParserMultimsgTest02", TLSParserMultimsgTest02, 1); +#endif /* UNITTESTS */ + + return; } diff --git a/src/app-layer-tls.h b/src/app-layer-tls.h index df0d8f5111..b51a653837 100644 --- a/src/app-layer-tls.h +++ b/src/app-layer-tls.h @@ -15,66 +15,79 @@ * 02110-1301, USA. */ -/** - * \file - * - * \author Victor Julien - * \author Gurvinder Singh - */ +#ifndef __APP_LAYER_SSL_H__ +#define __APP_LAYER_SSL_H__ -#ifndef __APP_LAYER_TLS_H__ -#define __APP_LAYER_TLS_H__ +/* Flag to indicate that server will now on send encrypted msgs */ +#define SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC 0x0001 +/* Flag to indicate that client will now on send encrypted msgs */ +#define SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC 0x0002 +#define SSL_AL_FLAG_CHANGE_CIPHER_SPEC 0x0004 -#define TLS_FLAG_SERVER_CHANGE_CIPHER_SPEC 0x01 /**< Flag to indicate that - server will now on sends - encrypted msgs. */ -#define TLS_FLAG_CLIENT_CHANGE_CIPHER_SPEC 0x02 /**< Flag to indicate that - client will now on sends - encrypted msgs. */ +/* SSL related flags */ +#define SSL_AL_FLAG_SSL_CLIENT_HS 0x0008 +#define SSL_AL_FLAG_SSL_SERVER_HS 0x0010 +#define SSL_AL_FLAG_SSL_CLIENT_MASTER_KEY 0x0020 +#define SSL_AL_FLAG_SSL_CLIENT_SSN_ENCRYPTED 0x0040 +#define SSL_AL_FLAG_SSL_SERVER_SSN_ENCRYPTED 0x0080 +#define SSL_AL_FLAG_SSL_NO_SESSION_ID 0x0100 -#define TLS_FLAG_SSL_CLIENT_HS 0x04 /**< SSL state flags */ -#define TLS_FLAG_SSL_SERVER_HS 0x08 -#define TLS_FLAG_SSL_CLIENT_MASTER_KEY 0x10 -#define TLS_FLAG_SSL_CLIENT_SSN_ENCRYPTED 0x20 -#define TLS_FLAG_SSL_SERVER_SSN_ENCRYPTED 0x40 -#define TLS_FLAG_SSL_NO_SESSION_ID 0x80 - -enum { - TLS_FIELD_NONE = 0, - - TLS_FIELD_CLIENT_CONTENT_TYPE, /* len 1 */ - TLS_FIELD_CLIENT_VERSION, /* len 2 */ - - TLS_FIELD_SERVER_CONTENT_TYPE, /* len 1 */ - TLS_FIELD_SERVER_VERSION, /* len 2 */ - - TLS_FIELD_LENGTH, - /* must be last */ - TLS_FIELD_MAX, -}; -/* structure to store the TLS state values */ -typedef struct TlsState_ { - uint8_t flags; /**< Flags to indicate the current TLS - sessoin state */ - uint8_t client_content_type; /**< Client content type storage field */ - uint16_t client_version; /**< Client TLS version storage field */ +/* flags specific to detect-ssl-state keyword */ +#define SSL_AL_FLAG_STATE_CLIENT_HELLO 0x0200 +#define SSL_AL_FLAG_STATE_SERVER_HELLO 0x0400 +#define SSL_AL_FLAG_STATE_CLIENT_KEYX 0x0800 +#define SSL_AL_FLAG_STATE_SERVER_KEYX 0x1000 +#define SSL_AL_FLAG_STATE_UNKNOWN 0x2000 - uint16_t server_version; /**< Server TLS version storage field */ - uint8_t server_content_type; /**< Server content type storage field */ -} TlsState; +/* SSL versions. We'll use a unified format for all, with the top byte + * holding the major version and the lower byte the minor version */ enum { - TLS_VERSION_INVALID = 0x0000, - TLS_VERSION_VALID = 0x0001, - SSL_VERSION_2 = 0x0002, + TLS_VERSION_UNKNOWN = 0x0000, + SSL_VERSION_2 = 0x0200, SSL_VERSION_3 = 0x0300, TLS_VERSION_10 = 0x0301, TLS_VERSION_11 = 0x0302, TLS_VERSION_12 = 0x0303, }; -void RegisterTLSParsers(void); -void TLSParserRegisterTests(void); +/** + * \brief SSLv[2.0|3.[0|1|2|3]] state structure. + * + * Structure to store the SSL state values. + */ +typedef struct SslState_ { + /* record length */ + uint32_t record_length; + /* record length's length for SSLv2 */ + uint32_t record_lengths_length; + + /* Flags to indicate the current SSL session state */ + uint32_t flags; + + uint16_t client_version; + uint16_t server_version; + uint8_t client_content_type; + uint8_t server_content_type; + + /* dummy var. You can replace this if you want to */ + uint8_t pad0; + + uint8_t cur_content_type; + uint32_t handshake_length; + uint16_t handshake_client_hello_ssl_version; + uint16_t handshake_server_hello_ssl_version; + /* the no of bytes processed in the currently parsed record */ + uint16_t bytes_processed; + + uint16_t cur_ssl_version; + uint8_t handshake_type; + + /* sslv2 client hello session id length */ + uint16_t session_id_length; +} SslState; -#endif /* __APP_LAYER_TLS_H__ */ +void RegisterSslParsers(void); +void SslParserRegisterTests(void); +#endif /* __APP_LAYER_SSL_H__ */ diff --git a/src/detect-ssl-version.c b/src/detect-ssl-version.c index 42647d97f0..00f3012d80 100644 --- a/src/detect-ssl-version.c +++ b/src/detect-ssl-version.c @@ -121,7 +121,7 @@ int DetectSslVersionMatch(ThreadVars *t, DetectEngineThreadCtx *det_ctx, SCEnter(); DetectSslVersionData *ssl = (DetectSslVersionData *)m->ctx; - TlsState *app_state = (TlsState *)state; + SslState *app_state = (SslState *)state; if (app_state == NULL) { SCLogDebug("no app state, no match"); SCReturnInt(0); @@ -472,7 +472,7 @@ static int DetectSslVersionTestDetect01(void) goto end; } - TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (app_state == NULL) { printf("no ssl state: "); goto end; @@ -589,7 +589,7 @@ static int DetectSslVersionTestDetect02(void) goto end; } - TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (app_state == NULL) { printf("no ssl state: "); goto end; @@ -720,7 +720,7 @@ static int DetectSslVersionTestDetect03(void) goto end; } - TlsState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *app_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (app_state == NULL) { printf("no ssl state: "); goto end; diff --git a/src/detect-tls-version.c b/src/detect-tls-version.c index 9ca523c8db..2059afec52 100644 --- a/src/detect-tls-version.c +++ b/src/detect-tls-version.c @@ -115,7 +115,7 @@ int DetectTlsVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Flow * SCEnter(); DetectTlsVersionData *tls_data = (DetectTlsVersionData *)m->ctx; - TlsState *tls_state = (TlsState *)state; + SslState *tls_state = (SslState *)state; if (tls_state == NULL) { SCLogDebug("no tls state, no match"); SCReturnInt(0); @@ -382,7 +382,7 @@ static int DetectTlsVersionTestDetect01(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); goto end; @@ -497,7 +497,7 @@ static int DetectTlsVersionTestDetect02(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); goto end; @@ -629,7 +629,7 @@ static int DetectTlsVersionTestDetect03(void) { goto end; } - TlsState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; + SslState *tls_state = f.aldata[AlpGetStateIdx(ALPROTO_TLS)]; if (tls_state == NULL) { printf("no tls state: "); goto end; diff --git a/src/suricata.c b/src/suricata.c index 8fea1cd1b2..33bd3169f1 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -1056,7 +1056,7 @@ int main(int argc, char **argv) AppLayerDetectProtoThreadInit(); RegisterAppLayerParsers(); RegisterHTPParsers(); - RegisterTLSParsers(); + RegisterSslParsers(); RegisterSMBParsers(); RegisterDCERPCParsers(); RegisterDCERPCUDPParsers(); @@ -1097,7 +1097,7 @@ int main(int argc, char **argv) DecodePPPRegisterTests(); DecodeVLANRegisterTests(); HTPParserRegisterTests(); - TLSParserRegisterTests(); + SslParserRegisterTests(); SSHParserRegisterTests(); SMBParserRegisterTests(); DCERPCParserRegisterTests();