-rw-r--r--src/SSL_Analyze.c14
-rw-r--r--src/SSL_Message.c65
-rw-r--r--test/CMakeLists.txt1
-rw-r--r--test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcapbin0 -> 2755152 bytes
-rw-r--r--test/pcap/close_contains_payload/ssl_close_contains_payload_result.json26
5 files changed, 72 insertions, 34 deletions
diff --git a/src/SSL_Analyze.c b/src/SSL_Analyze.c
index 0fd703f..f555b9a 100644
--- a/src/SSL_Analyze.c
+++ b/src/SSL_Analyze.c
@@ -161,10 +161,6 @@ extern "C" char SSL_ENTRY(const struct streaminfo *a_tcp, void**pme, int thread_
ssl_context=(struct ssl_runtime_context *)(*pme);
case OP_STATE_DATA:
return_val=ssl_parse_stream(a_tcp, ssl_context ,thread_seq, a_packet);
- if(SSL_FLASE==return_val || ssl_context->business.return_value&PROT_STATE_DROPME)
- {
- state=APP_STATE_DROPME;
- }
break;
case OP_STATE_CLOSE:
if(ssl_context->version!=UNKNOWN_VERSION)
@@ -173,12 +169,18 @@ extern "C" char SSL_ENTRY(const struct streaminfo *a_tcp, void**pme, int thread_
}
ssl_context->over_flag=SSL_TRUE;
+ return_val=ssl_parse_stream(a_tcp, ssl_context ,thread_seq, a_packet);
ssl_call_plugins(a_tcp, ssl_context, NULL, 0, SSL_INTEREST_KEY_MASK, thread_seq, a_packet);
break;
default:
break;
}
+ if(SSL_FLASE==return_val || ssl_context->business.return_value&PROT_STATE_DROPME)
+ {
+ state=APP_STATE_DROPME;
+ }
+
if(ssl_context->business.return_value&PROT_STATE_DROPPKT)
{
state|=APP_STATE_DROPPKT;
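Review bot: The DROPME check moved below the switch now runs for every op state, including `default`, so `return_val` is read on paths where no case assigned it; unless its declaration (outside this hunk) initialises it, that is a read of an indeterminate value and should be fixed at the declaration with `int return_val=SSL_TRUE;`. The same condition dereferences `ssl_context->business.return_value` unconditionally, so if any path into the switch can leave `ssl_context` NULL (the assignment from `*pme` is only visible in the previous hunk, for the states before OP_STATE_DATA), the check needs an `ssl_context!=NULL &&` guard. In `OP_STATE_CLOSE` the key-mask `ssl_call_plugins` call still runs when the newly added `ssl_parse_stream` returns SSL_FLASE; if that is intended, a one-line comment such as `/* parse failure at close still reports keys to plugins; the stream is dropped below */` would make it clear it is deliberate. SSL_ENTRY begins before this hunk.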
@@ -189,6 +191,10 @@ extern "C" char SSL_ENTRY(const struct streaminfo *a_tcp, void**pme, int thread_
ssl_release_context(ssl_context, thread_seq);
*pme=NULL;
}
+ else
+ {
+ ssl_context->business.return_value=0;
+ }
return state;
}
diff --git a/src/SSL_Message.c b/src/SSL_Message.c
index 0ad84ff..82999d5 100644
--- a/src/SSL_Message.c
+++ b/src/SSL_Message.c
@@ -307,19 +307,24 @@ int ssl_parse_encrypt_server_name(struct ssl_client_hello *chello, struct ssl_l2
return 1;
}
-UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *payload, int payload_len)
+int ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *payload, int payload_len)
{
int offset=0,one_ltv=0;
chello->total_len=BtoL3BytesNum((const char *)(payload+1));
- if(chello->total_len<0 || (chello->total_len+CLIENT_HELLO_HDRLEN > payload_len) || (chello->total_len-(int)sizeof(chello->version)<0)) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/
+ if(chello->total_len<0) /*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
+ }
+
+ if((chello->total_len+CLIENT_HELLO_HDRLEN > payload_len) || (chello->total_len-(int)sizeof(chello->version)<0))
+ {
+ return SSL_FLASE;
}
chello->version=ssl_get_hello_version((unsigned char *)payload, payload_len);
if(chello->version==0)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
offset+=(CLIENT_HELLO_HDRLEN+sizeof(chello->version));
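Review bot: The return type of ssl_parse_client_hello changes from UCHAR to int here, but the diffstat lists no header; if the prototype is declared in a header outside this diff it must get the same change, otherwise the two declarations conflict. The comment `/*CLIENT_HELLO_HDRLEN: 4 means client_type+len*/` was left on the `total_len<0` check, while the condition that actually uses CLIENT_HELLO_HDRLEN is now the second `if`; move the comment down with it. `BtoL3BytesNum((const char *)(payload+1))` reads three bytes before either length check runs, which is safe only if the caller guarantees `payload_len >= CLIENT_HELLO_HDRLEN`; if it does not, add `if(payload_len<CLIENT_HELLO_HDRLEN) return SSL_FLASE;` as the first statement. The function continues past this hunk.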
@@ -330,7 +335,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
if(payload_len-offset-SSL_RANDOM_SIZE<=0)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
chello->random.bytes.len=SSL_RANDOM_SIZE;
@@ -341,7 +346,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
one_ltv=ssl_parse_lv1(&(chello->session), payload+offset, payload_len-offset);
if(one_ltv==-1)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
offset+=one_ltv;
@@ -349,7 +354,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
one_ltv=ssl_parse_lv2(&chello->ciphersuites, payload+offset, payload_len-offset);
if(one_ltv==-1)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
offset+=one_ltv;
@@ -357,7 +362,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
one_ltv=ssl_parse_lv1(&(chello->compress_method), payload+offset, payload_len-offset);
if(one_ltv==-1)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
offset+=one_ltv;
@@ -370,7 +375,7 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
one_ltv=ssl_parse_ltv2(&(chello->extensions.extension[i]), payload+offset, payload_len-offset);
if(one_ltv==-1)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
offset+=one_ltv;
chello->extensions.num++;
@@ -397,10 +402,10 @@ UCHAR ssl_parse_client_hello(struct ssl_client_hello *chello, unsigned char *pay
}
}
- return SSL_RETURN_NORM;
+ return SSL_TRUE;
}
-UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *payload, int payload_len)
+int ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *payload, int payload_len)
{
int offset=0,one_ltv=0;
int ja3s_string_offset=0;
@@ -408,13 +413,13 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
shello->total_len = BtoL3BytesNum((const char *)(payload+1));
if(shello->total_len<0 || (shello->total_len+SERVER_HELLO_HDRLEN > payload_len-offset))
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
shello->version=ssl_get_hello_version((unsigned char *)payload, payload_len-offset);
if(shello->version==0)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
ja3s_string_offset+=snprintf(ja3s_string+ja3s_string_offset, sizeof(ja3s_string)-ja3s_string_offset, "%u,", shello->version);
@@ -427,7 +432,7 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
if(payload_len-offset-SSL_RANDOM_SIZE<=0)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
shello->random.bytes.len=SSL_RANDOM_SIZE;
@@ -438,7 +443,7 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
one_ltv=ssl_parse_lv1(&(shello->session), payload+offset, payload_len-offset);
if(one_ltv==-1)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
offset+=one_ltv;
@@ -464,7 +469,7 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
one_ltv=ssl_parse_ltv2(&(shello->extensions.extension[i]), payload+offset, payload_len-offset);
if(one_ltv==-1)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
offset+=one_ltv;
shello->extensions.num++;
@@ -475,30 +480,30 @@ UCHAR ssl_parse_server_hello(struct ssl_server_hello *shello, unsigned char *pay
ja3s_string_offset--;
if(ja3s_string_offset==0)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
ja3s_string[ja3s_string_offset]='\0';
shello->ja3s.fingerprint_md5_len=ja3_md5sum(ja3s_string, ja3s_string_offset, shello->ja3s.fingerprint_md5, sizeof(shello->ja3s.fingerprint_md5));
shello->ja3s.fingerprint_md5[shello->ja3s.fingerprint_md5_len]='\0';
- return 1;
+ return SSL_TRUE;
}
-UCHAR ssl_parse_new_session_ticket(struct ssl_new_session_ticket *new_session_ticket, char *payload, int payload_len)
+int ssl_parse_new_session_ticket(struct ssl_new_session_ticket *new_session_ticket, char *payload, int payload_len)
{
int offset=0;
new_session_ticket->total_len=BtoL3BytesNum((const char *)(payload+1));
if(new_session_ticket->total_len<0)
{
- return SSL_RETURN_DROPME;
+ return SSL_FLASE;
}
/*4 means _type+len*/
if(new_session_ticket->total_len+SESSION_TICKET_HDRLEN > payload_len-offset)
{
/**packet trunked**/
- return SSL_RETURN_NORM;
+ return SSL_FLASE;
}
offset+=SESSION_TICKET_HDRLEN;
new_session_ticket->lift_time=BtoL4BytesNum((const char *)(payload+offset));
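Review bot: A truncated NewSessionTicket now returns SSL_FLASE where it previously returned SSL_RETURN_NORM, and through the `return state;` in ssl_parse_handshake and the DROPME check in SSL_ENTRY (both in this diff) that makes a short ticket record drop the whole stream instead of being tolerated; the surviving comment `/**packet trunked**/` now describes a case the code no longer tolerates. Unless reassembly upstream guarantees the full record is present here (not visible in this diff), this looks like a regression for large tickets split across segments, and at minimum the comment should say what now happens, e.g. `/* record truncated: reject; caller drops the stream */`. The length check only guarantees `total_len+SESSION_TICKET_HDRLEN <= payload_len`, yet the next line reads four bytes at `payload+SESSION_TICKET_HDRLEN`, which is in bounds only when total_len is at least 4; the check should be `if(new_session_ticket->total_len<4 || new_session_ticket->total_len+SESSION_TICKET_HDRLEN > payload_len-offset)`. The function continues past this hunk.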
@@ -507,7 +512,7 @@ UCHAR ssl_parse_new_session_ticket(struct ssl_new_session_ticket *new_session_ti
new_session_ticket->ticket=(unsigned char *)(payload+offset);
- return SSL_RETURN_NORM;
+ return SSL_TRUE;
}
int ssl_parse_certificate_detail(const struct streaminfo *a_tcp, struct ssl_runtime_context *ssl_context, char *payload, int payload_len, int thread_seq, const void *a_packet)
@@ -648,9 +653,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
struct ssl_certificate certificate={0};
ssl_context->stream.certificate=&certificate;
state=ssl_parse_certificate(a_tcp, ssl_context, payload+offset, payload_len-offset, thread_seq, a_packet);
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
{
- return SSL_FLASE;
+ return state;
}
offset+=(certificate.total_len+CERTIFICATE_HDRLEN);
ssl_context->stream.certificate=NULL;
@@ -666,9 +671,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
struct ssl_client_hello chello={0};
ssl_context->stream.chello=&chello;
state=ssl_parse_client_hello(&chello, (unsigned char *)(payload+offset), payload_len-offset);
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
{
- return SSL_FLASE;
+ return state;
}
ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), chello.total_len+CLIENT_HELLO_HDRLEN, SSL_CLIENT_HELLO_MASK, thread_seq, a_packet);
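Review bot: `return state;` leaves `ssl_context->stream.chello` pointing at the stack local `chello` after this function returns, since the pointer is stored two lines earlier and only the success path (past this hunk, presumably) would reset it; the certificate hunk above shows the same shape, with `stream.certificate=NULL` only after a successful parse. The context is per-stream and the OP_STATE_CLOSE path in SSL_Analyze.c now calls plugins on it, so any later read of `stream.chello` would be a dangling-pointer access. Clear it before leaving on the error path: `ssl_context->stream.chello=NULL; return state;`. ssl_parse_handshake begins before this hunk and continues after it.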
@@ -686,9 +691,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
struct ssl_server_hello shello={0};
ssl_context->stream.shello=&shello;
state=ssl_parse_server_hello(&shello, (unsigned char *)(payload+offset), payload_len-offset);
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
{
- return SSL_FLASE;
+ return state;
}
ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), shello.total_len+SERVER_HELLO_HDRLEN, SSL_SERVER_HELLO_MASK, thread_seq, a_packet);
@@ -704,9 +709,9 @@ int ssl_parse_handshake(const struct streaminfo *a_tcp, struct ssl_runtime_conte
struct ssl_new_session_ticket new_session_ticket={0};
ssl_context->stream.new_session_ticket=&new_session_ticket;
state=ssl_parse_new_session_ticket(&new_session_ticket, (payload+offset), (payload_len-offset));
- if(state==SSL_FLASE)
+ if(state!=SSL_TRUE)
{
- return SSL_FLASE;
+ return state;
}
ssl_call_plugins(a_tcp, ssl_context, (char *)(payload+offset), new_session_ticket.total_len+SESSION_TICKET_HDRLEN, SSL_NEW_SESSION_TICKET_MASK, thread_seq, a_packet);
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 0286461..c659d31 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -42,3 +42,4 @@ add_test(NAME RUN_E21_BUG_E21_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURC
add_test(NAME RUN_E21_BUG_XXG_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/xxg/ssl_xxg_target_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/xxg/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
add_test(NAME RUN_BUG_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/bug/ssl_bug_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/bug/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
add_test(NAME RUN_MULTIPLE_HANDSHAKE_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/multiple_handshake/ssl_multiple_handshake_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/multiple_handshake/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
+add_test(NAME RUN_CLOSE_CONTAINS_PAYLOAD_TEST COMMAND proto_test_main ${CMAKE_CURRENT_SOURCE_DIR}/pcap/close_contains_payload/ssl_close_contains_payload_result.json -f "find ${CMAKE_CURRENT_SOURCE_DIR}/pcap/close_contains_payload/ -name *.pcap|sort -V" WORKING_DIRECTORY ${PROTO_TEST_RUN_DIR})
diff --git a/test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap b/test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap
new file mode 100644
index 0000000..514ed60
--- /dev/null
+++ b/test/pcap/close_contains_payload/1-TachyonVPN-192.168.50.28.63669-18.163.185.193.443.pcap
Binary files differ
diff --git a/test/pcap/close_contains_payload/ssl_close_contains_payload_result.json b/test/pcap/close_contains_payload/ssl_close_contains_payload_result.json
new file mode 100644
index 0000000..88f77d9
--- /dev/null
+++ b/test/pcap/close_contains_payload/ssl_close_contains_payload_result.json
@@ -0,0 +1,26 @@
+[{
+ "Tuple4": "192.168.50.28.63669>18.163.185.193.443",
+ "ssl_sni": "www.firefox.com",
+ "ssl_client_version": "TLS1.2",
+ "ssl_ja3_hash": "45b1a0eca9605cd8789cd7e1a5ccd9b0",
+ "ssl_ja3s_hash": "9a1de6823a92d66172ce93d309e73e4e",
+ "ssl_cert_version": "v3",
+ "ssl_cert_Issuer": "DigiCert SHA2 Secure Server CA;DigiCert Inc;;;;;US",
+ "ssl_cert_IssuerCN": "DigiCert SHA2 Secure Server CA",
+ "ssl_cert_IssuerO": "DigiCert Inc",
+ "ssl_cert_IssuerC": "US",
+ "ssl_cert_Sub": "redirect-san.mozilla.org;Mozilla Corporation;WebOps;Mountain View;;California;US",
+ "ssl_cert_SubCN": "redirect-san.mozilla.org",
+ "ssl_cert_SubO": "Mozilla Corporation",
+ "ssl_cert_SubC": "US",
+ "ssl_cert_SubP": "California",
+ "ssl_cert_SubL": "Mountain View",
+ "ssl_cert_SubU": "WebOps",
+ "ssl_cert_SubAltName": "leandatapractices.org;leandatapractices.com;mozilla-podcasts.org;mozilla.com;gv.dev;getfirefox.com;geckoview.dev;firefoxquantum.com;firefox.com;taskcluster.net;contributejson.org;www.firefox.com;masterfirefoxos.mozilla.org;mobilepartners.mozilla.org;www.leandatapractices.org;www.leandatapractices.com;www.getfirefox.com;mozilla.org.uk;webwewant.mozilla.org;thehub.mozilla.com;nightly.mozilla.org;pontoon.mozillalabs.com;videos.mozilla.org;videos-cdn.mozilla.net;treestatus.mozilla.org;techspeakers.mozilla.org;redirect-san.mozilla.org;input.mozilla.com;join.mozilla.org;content.mozilla.org;activations.mozilla.org;addons.mozilla.com;airmo.mozilla.org;ask.mozilla.org;aurora.mozilla.org;beta.mozilla.org;careers.mozilla.com;designlanguage.mozilla.org;input.mozilla.org;dnt.mozilla.org;events.mozilla.org;forums.mozilla.org;friends.mozilla.org;git.mozilla.org;hub.mozilla.com;hub.mozilla.org;activations.mozilla.com;www.mozilla.com",
+ "ssl_cert_SerialNum": "0x019d2b994ec99445c735d2a6d739e43a",
+ "ssl_cert_AgID": "1.2.840.113549.1.1.11",
+ "ssl_cert_From": "200406000000Z",
+ "ssl_cert_To": "210414120000Z",
+ "ssl_cert_SSLFPAg": "1.2.840.113549.1.1.11",
+ "name": "SSL_RESULT_1"
+}]