From: Victor Julien Date: Mon, 22 Aug 2022 08:49:34 +0000 (+0200) Subject: tls: avoid tls.invalid_handshake_message FP X-Git-Tag: suricata-6.0.10~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f987a99ddf114062af92e5750c145edf726f643;p=thirdparty%2Fsuricata.git tls: avoid tls.invalid_handshake_message FP Don't set TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE event on encrypted handshake messages. (cherry picked from commit cf4c201acbf6e9558e450a8dc76d12b48bf49b8d)
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 113dd34fae..2a61c87544 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1623,7 +1623,13 @@ static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input
 input_len -= avail_record_len;
 SSLParserHSReset(ssl_state->curr_connp);
- SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
+
+ if ((direction && (ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC)) ||
+ (!direction && (ssl_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC))) {
+ // after Change Cipher Spec we get Encrypted Handshake Messages
+ } else {
+ SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
+ }
 continue;
 }
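Review bot: The added branch leaves an empty `if` body carrying only a comment and puts the real action in the `else`, which reads as a placeholder and is the kind of shape later edits fill in by mistake; negating the condition so the single branch is the `SSLSetEvent` call, with the comment explaining why the encrypted case is skipped, says the same thing more directly. The comment should also state the reason the event is suppressed rather than just what arrives after Change Cipher Spec, since a reader of the event name will otherwise assume every parse failure here is reported. `direction` and the flags on `ssl_state` are defined outside the hunk, and the enclosing `SSLv3ParseHandshakeProtocol` both starts and ends outside it. If this path can also see a TLS 1.3 handshake that omits the dummy Change Cipher Spec, the event would still fire on the encrypted messages; that is an inference from the hunk alone and worth confirming against the rest of the parser.
```c
/* After Change Cipher Spec the remaining handshake is encrypted, so failing
 * to parse it is expected and must not raise INVALID_HANDSHAKE_MESSAGE. */
if (!((direction && (ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC)) ||
      (!direction && (ssl_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC)))) {
    SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
}
// … unchanged: continue; …
```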