| author | 刘学利 <[email protected]> | 2023-07-04 02:14:03 +0000 |
|---|---|---|
| committer | 刘学利 <[email protected]> | 2023-07-04 02:14:03 +0000 |
| commit | a52514a151f7f71f2630533ed7ea6c2ffbc85faa (patch) | |
| tree | 25f91fd1174eefa1e7d0c4e9b233abe42f71a6ca | |
| parent | 21950877e691e1b52038d6cffa3914b944c9dfe9 (diff) | |
CLOSE状态时携带负载v3.0.0
| -rw-r--r-- | src/SSL_Analyze.c | 14 | ||||
| -rw-r--r-- | src/SSL_Message.c | 65 | ||||
| -rw-r--r-- | test/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap | bin | 0 -> 2755152 bytes | |||
| -rw-r--r-- | test/pcap/close_contains_payload/ssl_close_contains_payload_result.json | 26 |
5 files changed, 72 insertions, 34 deletions
diff --git a/src/SSL_Analyze.c b/src/SSL_Analyze.c
index 0fd703f..f555b9a 100644
--- a/src/SSL_Analyze.c
+++ b/src/SSL_Analyze.c
@@ -161,10 +161,6 @@ extern "C" char SSL_ENTRY(const struct streaminfo *a_tcp, void**pme, int thread_
 ssl_context=(struct ssl_runtime_context *)(*pme);
 case OP_STATE_DATA:
 return_val=ssl_parse_stream(a_tcp, ssl_context ,thread_seq, a_packet);
- if(SSL_FLASE==return_val || ssl_context->business.return_value&PROT_STATE_DROPME)
- {
- state=APP_STATE_DROPME;
- }
 break;
 case OP_STATE_CLOSE:
 if(ssl_context->version!=UNKNOWN_VERSION)
@@ -173,12 +169,18 @@ extern "C" char SSL_ENTRY(const struct streaminfo *a_tcp, void**pme, int thread_
 }
 ssl_context->over_flag=SSL_TRUE;
+ return_val=ssl_parse_stream(a_tcp, ssl_context ,thread_seq, a_packet);
 ssl_call_plugins(a_tcp, ssl_context, NULL, 0, SSL_INTEREST_KEY_MASK, thread_seq, a_packet);
 break;
 default:
 break;
 }
+ if(SSL_FLASE==return_val || ssl_context->business.return_value&PROT_STATE_DROPME)
+ {
+ state=APP_STATE_DROPME;
+ }
+
 if(ssl_context->business.return_value&PROT_STATE_DROPPKT)
 {
 state|=APP_STATE_DROPPKT;
@@ -189,6 +191,10 @@ extern "C" char SSL_ENTRY(const struct streaminfo *a_tcp, void**pme, int thread_
 ssl_release_context(ssl_context, thread_seq);
 *pme=NULL;
 }
+ else
+ {
+ ssl_context->business.return_value=0;
+ }
 return state;
 }
diff --git a/src/SSL_Message.c b/src/SSL_Message.c
index 0ad84ff..82999d5 100644
--- a/src/SSL_Message.c
+++ b/src/SSL_Message.c
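Review bot: The DROPME check moved below the switch now reads `return_val` on every path, including `default:` and whatever the `if(ssl_context->version!=UNKNOWN_VERSION)` body does in OP_STATE_CLOSE, and none of those assign it inside this hunk; unless `return_val` is initialised to SSL_TRUE at its declaration (outside the hunk), those paths inherit a stale or indeterminate value and can mark the stream APP_STATE_DROPME. Initialising it to SSL_TRUE where it is declared, or assigning it explicitly in the non-parsing cases, would make the moved check safe. The new `ssl_parse_stream` call in OP_STATE_CLOSE also runs for a bare FIN/RST with no payload; if ssl_parse_stream does not treat an empty payload as success, every ordinary close now takes the DROPME path, which only matters if the release branch at the end does not already tear the context down. A comment on the added line would record the intent, e.g. `/* a close segment may still carry a record; parse it before the final plugin callback */`. SSL_ENTRY starts before the first hunk and the release condition lies between the second and third.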
@@ -307,19 +307,24 @@ int ssl_parse_encrypt_server_name(struct ssl_client_hello *chello, struct ssl_l2
 return 1;
 }
-UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *payload, int payload_len)
+int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *payload, int payload_len)
 {
 int offset=0,one_ltv=0;
 chello->total_len=BtoL3BytesNum((const char *)(payload+1));
- if(chello->total_len<0 || (chello->total_len+CLIENT_HELLO_HDRLEN > payload_len) || (chello->total_len-(int)sizeof(chello->version)<0)) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/
+ if(chello->total_len<0) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
+ }
+
+ if((chello->total_len+CLIENT_HELLO_HDRLEN > payload_len) || (chello->total_len-(int)sizeof(chello->version)<0))
+ {
+ return SSL_FLASE;
 }
 chello->version=ssl_get_hello_version((unsigned char *)payload, payload_len);
 if(chello->version==0)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 offset+=(CLIENT_HELLO_HDRLEN+sizeof(chello->version));
@@ -330,7 +335,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
 if(payload_len-offset-SSL_RANDOM_SIZE<=0)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 chello->random.bytes.len=SSL_RANDOM_SIZE;
@@ -341,7 +346,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
 one_ltv=ssl_parse_lv1(&(chello->session), payload+offset, payload_len-offset);
 if(one_ltv==-1)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 offset+=one_ltv;
@@ -349,7 +354,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
 one_ltv=ssl_parse_lv2(&chello->ciphersuites, payload+offset, payload_len-offset);
 if(one_ltv==-1)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 offset+=one_ltv;
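Review bot: The comment `/*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/` now sits on the `total_len<0` check, which no longer mentions CLIENT_HELLO_HDRLEN; it belongs on the new second `if`, the one that adds CLIENT_HELLO_HDRLEN to total_len, so the split leaves a comment that explains nothing on its line. The return type of ssl_parse_client_hello (and of the server-hello and session-ticket parsers in the later hunks) changes from UCHAR to int, and the matching prototypes in the header are not in this diff; if they still say UCHAR, the callers would see the result narrowed to a byte, which is worth confirming before merge. The function continues past the end of this hunk.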
@@ -357,7 +362,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
 one_ltv=ssl_parse_lv1(&(chello->compress_method), payload+offset, payload_len-offset);
 if(one_ltv==-1)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 offset+=one_ltv;
@@ -370,7 +375,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
 one_ltv=ssl_parse_ltv2(&(chello->extensions.extension[i]), payload+offset, payload_len-offset);
 if(one_ltv==-1)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 offset+=one_ltv;
 chello->extensions.num++;
@@ -397,10 +402,10 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
 }
 }
- return SSL_RETURN_NORM;
+ return SSL_TRUE;
 }
-UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *payload, int payload_len)
+int ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *payload, int payload_len)
 {
 int offset=0,one_ltv=0;
 int ja3s_string_offset=0;
@@ -408,13 +413,13 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
 shello->total_len = BtoL3BytesNum((const char *)(payload+1));
 if(shello->total_len<0 || (shello->total_len+SERVER_HELLO_HDRLEN > payload_len-offset))
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 shello->version=ssl_get_hello_version((unsigned char *)payload, payload_len-offset);
 if(shello->version==0)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 ja3s_string_offset+=snprintf(ja3s_string+ja3s_string_offset, sizeof(ja3s_string)-ja3s_string_offset, "%u,", shello->version);
@@ -427,7 +432,7 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
 if(payload_len-offset-SSL_RANDOM_SIZE<=0)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 shello->random.bytes.len=SSL_RANDOM_SIZE;
@@ -438,7 +443,7 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
 one_ltv=ssl_parse_lv1(&(shello->session), payload+offset, payload_len-offset);
 if(one_ltv==-1)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 offset+=one_ltv;
@@ -464,7 +469,7 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
 one_ltv=ssl_parse_ltv2(&(shello->extensions.extension[i]), payload+offset, payload_len-offset);
 if(one_ltv==-1)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 offset+=one_ltv;
 shello->extensions.num++;
@@ -475,30 +480,30 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
 ja3s_string_offset--;
 if(ja3s_string_offset==0)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 }
 ja3s_string[ja3s_string_offset]='\0';
 shello->ja3s.fingerprint_md5_len=ja3_md5sum(ja3s_string, ja3s_string_offset, shello->ja3s.fingerprint_md5, sizeof(shello->ja3s.fingerprint_md5));
 shello->ja3s.fingerprint_md5[shello->ja3s.fingerprint_md5_len]='\0';
- return 1;
+ return SSL_TRUE;
 }
-UCHAR ssl_parse_new_session_ticket(struct ssl_new_session_ticket *new_session_ticket, char *payload, int payload_len)
+int ssl_parse_new_session_ticket(struct ssl_new_session_ticket *new_session_ticket, char *payload, int payload_len)
 {
 int offset=0;
 new_session_ticket->total_len=BtoL3BytesNum((const char *)(payload+1));
 if(new_session_ticket->total_len<0)
 {
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
 } /*4 means _type+len*/
 if(new_session_ticket->total_len+SESSION_TICKET_HDRLEN > payload_len-offset)
 { /**packet trunked**/
- return SSL_RETURN_NORM;
+ return SSL_FLASE;
 }
 offset+=SESSION_TICKET_HDRLEN;
 new_session_ticket->lift_time=BtoL4BytesNum((const char *)(payload+offset));
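Review bot: In ssl_parse_new_session_ticket the truncated-packet branch (the one commented `/**packet trunked**/`) changes from `return SSL_RETURN_NORM;` to `return SSL_FLASE;`, so a NewSessionTicket that is merely split across segments becomes a hard parse failure; with the callers in the later hunks returning `state` unchanged and SSL_ENTRY mapping SSL_FLASE to APP_STATE_DROPME, the whole stream is then dropped. Every other conversion in this file maps DROPME to SSL_FLASE and NORM to SSL_TRUE, so this one looks like a semantic change rather than part of the rename. If truncation is still meant to be tolerated, keep it non-fatal with `return SSL_TRUE;` and a comment such as `/* truncated ticket: not an error, caller skips the message */`; if dropping is intended, the commit message should say so. The function continues past the end of this hunk.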
@@ -507,7 +512,7 @@ UCHAR ssl_parse_new_session_ticket(struct ssl_new_session_ticket *new_session_ti
 new_session_ticket->ticket=(unsigned char *)(payload+offset);
- return SSL_RETURN_NORM;
+ return SSL_TRUE;
 }
 int ssl_parse_certificate_detail(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet)
@@ -648,9 +653,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
 struct ssl_certificate certificate={0};
 ssl_context->stream.certificate=&certificate;
 state=ssl_parse_certificate(a_tcp, ssl_context, payload+offset, payload_len-offset, thread_seq, a_packet);
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
 {
- return SSL_FLASE;
+ return state;
 }
 offset+=(certificate.total_len+CERTIFICATE_HDRLEN);
 ssl_context->stream.certificate=NULL;
@@ -666,9 +671,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
 struct ssl_client_hello chello={0};
 ssl_context->stream.chello=&chello;
 state=ssl_parse_client_hello(&chello, (unsigned char *)(payload+offset), payload_len-offset);
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
 {
- return SSL_FLASE;
+ return state;
 }
 ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), chello.total_len+CLIENT_HELLO_HDRLEN, SSL_CLIENT_HELLO_MASK, thread_seq, a_packet);
@@ -686,9 +691,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
 struct ssl_server_hello shello={0};
 ssl_context->stream.shello=&shello;
 state=ssl_parse_server_hello(&shello, (unsigned char *)(payload+offset), payload_len-offset);
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
 {
- return SSL_FLASE;
+ return state;
 }
 ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), shello.total_len+SERVER_HELLO_HDRLEN, SSL_SERVER_HELLO_MASK, thread_seq, a_packet);
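Review bot: Each new `return state;` in ssl_parse_handshake leaves `ssl_context->stream.certificate`, `stream.chello` or `stream.shello` pointing at a local struct that dies on return; only the certificate success path resets `stream.certificate=NULL` and the hello paths never do. That pointer stays in the context until the release branch in SSL_ENTRY frees it, and since OP_STATE_CLOSE now runs ssl_parse_stream and the SSL_INTEREST_KEY_MASK plugin callback on the same context, any plugin that inspects `stream.*` there would read a dead stack frame; whether the plugins do so is not visible in this diff. Clearing the pointer before each early return, e.g. `ssl_context->stream.chello=NULL; return state;`, at the three sites here and at the new_session_ticket site in the next hunk removes the dangling reference. ssl_parse_handshake starts before this hunk.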
@@ -704,9 +709,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
 struct ssl_new_session_ticket new_session_ticket={0};
 ssl_context->stream.new_session_ticket=&new_session_ticket;
 state=ssl_parse_new_session_ticket(&new_session_ticket, (payload+offset), (payload_len-offset));
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
 {
- return SSL_FLASE;
+ return state;
 }
 ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), new_session_ticket.total_len+SESSION_TICKET_HDRLEN, SSL_NEW_SESSION_TICKET_MASK, thread_seq, a_packet);
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 0286461..c659d31 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -42,3 +42,4 @@ add_test(NAME RUN_E21_BUG_E21_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURC
 add_test(NAME RUN_E21_BUG_XXG_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/xxg/ssl_xxg_target_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/xxg/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
 add_test(NAME RUN_BUG_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/bug/ssl_bug_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/bug/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
 add_test(NAME RUN_MULTIPLE_HANDSHAKE_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/multiple_handshake/ssl_multiple_handshake_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/multiple_handshake/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
+add_test(NAME RUN_CLOSE_CONTAINS_PAYLOAD_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/close_contains_payload/ssl_close_contains_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/close_contains_payload/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
diff --git a/test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap b/test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap
Binary files differ
new file mode 100644
index 0000000..514ed60
--- /dev/null
+++ b/test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap
diff --git a/test/pcap/close_contains_payload/ssl_close_contains_payload_result.json b/test/pcap/close_contains_payload/ssl_close_contains_payload_result.json
new file mode 100644
index 0000000..88f77d9
--- /dev/null
+++ b/test/pcap/close_contains_payload/ssl_close_contains_payload_result.json
@@ -0,0 +1,26 @@
+[{
+ "Tuple4": "192.168.50.28.63669>18.163.185.193.443",
+ "ssl_sni": "www.firefox.com",
+ "ssl_client_version": "TLS1.2",
+ "ssl_ja3_hash": "45b1a0eca9605cd8789cd7e1a5ccd9b0",
+ "ssl_ja3s_hash": "9a1de6823a92d66172ce93d309e73e4e",
+ "ssl_cert_version": "v3",
+ "ssl_cert_Issuer": "DigiCert SHA2 Secure Server CA;DigiCert Inc;;;;;US",
+ "ssl_cert_IssuerCN": "DigiCert SHA2 Secure Server CA",
+ "ssl_cert_IssuerO": "DigiCert Inc",
+ "ssl_cert_IssuerC": "US",
+ "ssl_cert_Sub": "redirect-san.mozilla.org;Mozilla Corporation;WebOps;Mountain View;;California;US",
+ "ssl_cert_SubCN": "redirect-san.mozilla.org",
+ "ssl_cert_SubO": "Mozilla Corporation",
+ "ssl_cert_SubC": "US",
+ "ssl_cert_SubP": "California",
+ "ssl_cert_SubL": "Mountain View",
+ "ssl_cert_SubU": "WebOps",
+ "ssl_cert_SubAltName": "leandatapractices.org;leandatapractices.com;mozilla-podcasts.org;mozilla.com;gv.dev;getfirefox.com;geckoview.dev;firefoxquantum.com;firefox.com;taskcluster.net;contributejson.org;www.firefox.com;masterfirefoxos.mozilla.org;mobilepartners.mozilla.org;www.leandatapractices.org;www.leandatapractices.com;www.getfirefox.com;mozilla.org.uk;webwewant.mozilla.org;thehub.mozilla.com;nightly.mozilla.org;pontoon.mozillalabs.com;videos.mozilla.org;videos-cdn.mozilla.net;treestatus.mozilla.org;techspeakers.mozilla.org;redirect-san.mozilla.org;input.mozilla.com;join.mozilla.org;content.mozilla.org;activations.mozilla.org;addons.mozilla.com;airmo.mozilla.org;ask.mozilla.org;aurora.mozilla.org;beta.mozilla.org;careers.mozilla.com;designlanguage.mozilla.org;input.mozilla.org;dnt.mozilla.org;events.mozilla.org;forums.mozilla.org;friends.mozilla.org;git.mozilla.org;hub.mozilla.com;hub.mozilla.org;activations.mozilla.com;www.mozilla.com",
+ "ssl_cert_SerialNum": "0x019d2b994ec99445c735d2a6d739e43a",
+ "ssl_cert_AgID": "1.2.840.113549.1.1.11",
+ "ssl_cert_From": "200406000000Z",
+ "ssl_cert_To": "210414120000Z",
+ "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
+ "name": "SSL_RESULT_1"
+}] |
