From 3ed188e0bcb6f4ae5b6c5eafdd75ce1f8e3d7246 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Mon, 20 Apr 2020 07:06:31 +0200 Subject: [PATCH] ssl: support multi-frag certificate assembly Support reassembling multi-frag certificates. For this the cert queuing code is changed to queue just the cert, not entire tls record. Improve message tracking. Better track where a message starts and ends before passing data around. Add wrapper macros to check for 'impossible' conditions that are activate in debug validation mode. This helps fuzzers find input that might trigger these conditions, if they exist. --- src/app-layer-ssl.c | 308 ++++++++++++++++++++---------- src/tests/detect-tls-ja3-hash.c | 2 +- src/tests/detect-tls-ja3-string.c | 2 +- src/tests/detect-tls-sni.c | 4 +- 4 files changed, 213 insertions(+), 103 deletions(-) diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index b4f3a63111..b1f6268151 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -196,10 +196,41 @@ static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size, return -1; } +#ifdef DEBUG_VALIDATION +#define ValidateRecordState(connp) \ + do { \ + DEBUG_VALIDATE_BUG_ON(((connp)->record_length + SSLV3_RECORD_HDR_LEN) < \ + (connp)->bytes_processed); \ + } while(0); +#else +#define ValidateRecordState(...) +#endif + +#ifdef DEBUG_VALIDATION +#define ValidateTrecBuffer(connp) \ + do { \ + DEBUG_VALIDATE_BUG_ON((connp)->trec_pos > (connp)->trec_len); \ + DEBUG_VALIDATE_BUG_ON((connp)->trec == NULL && (connp)->trec_len > 0); \ + DEBUG_VALIDATE_BUG_ON((connp)->trec == NULL && (connp)->trec_pos > 0); \ + } while(0) +#else +#define ValidateTrecBuffer(...) +#endif + +#define SSLParserHSReset(connp) \ + do { \ + (connp)->trec_pos = 0; \ + (connp)->handshake_type = 0; \ + (connp)->hs_bytes_processed = 0; \ + (connp)->message_length = 0; \ + (connp)->message_start = 0; \ + } while(0) + #define SSLParserReset(state) \ do { \ SCLogDebug("resetting state"); \ (state)->curr_connp->bytes_processed = 0; \ + SSLParserHSReset((state)->curr_connp); \ } while(0) void SSLSetEvent(SSLState *ssl_state, uint8_t event) @@ -490,7 +521,6 @@ static int TlsDecodeHSCertificate(SSLState *ssl_state, { const uint8_t *input = (uint8_t *)initial_input; uint32_t err_code = 0; - X509 *x509 = NULL; if (!(HAS_SPACE(3))) @@ -507,6 +537,7 @@ static int TlsDecodeHSCertificate(SSLState *ssl_state, while (processed_len < cert_chain_len) { err_code = 0; + int rc = 0; if (!(HAS_SPACE(3))) goto invalid_cert; @@ -517,16 +548,12 @@ static int TlsDecodeHSCertificate(SSLState *ssl_state, if (!(HAS_SPACE(cert_len))) goto invalid_cert; - // uint32_t err = 0; - int rc = 0; - /* only store fields from the first certificate in the chain */ if (processed_len == 0 && ssl_state->server_connp.cert0_subject == NULL && ssl_state->server_connp.cert0_issuerdn == NULL && ssl_state->server_connp.cert0_serial == NULL) { - char * str; int64_t not_before, not_after; x509 = rs_x509_decode(input, cert_len, &err_code); @@ -535,7 +562,7 @@ static int TlsDecodeHSCertificate(SSLState *ssl_state, goto next; } - str = rs_x509_get_subject(x509); + char *str = rs_x509_get_subject(x509); if (str == NULL) { err_code = ERR_EXTRACT_SUBJECT; goto error; @@ -568,13 +595,17 @@ static int TlsDecodeHSCertificate(SSLState *ssl_state, x509 = NULL; rc = TlsDecodeHSCertificateFingerprint(ssl_state, input, cert_len); - if (rc != 0) + if (rc != 0) { + SCLogDebug("TlsDecodeHSCertificateFingerprint failed with %d", rc); goto error; + } } rc = TlsDecodeHSCertificateAddCertToChain(ssl_state, input, cert_len); - if (rc != 0) + if (rc != 0) { + SCLogDebug("TlsDecodeHSCertificateAddCertToChain failed with %d", rc); goto error; + } next: input += cert_len; @@ -1373,20 +1404,67 @@ end: return 0; } +/** \internal + * \brief Get Certificates len so we can know now much (more) we need to buffer + * If we already have a few bytes queued up in 'trec' we use those or a mix of + * those with the input. + */ +static uint32_t GetCertsLen(SSLStateConnp *curr_connp, const uint8_t *input, + const uint32_t input_len) +{ + if (curr_connp->trec != NULL && curr_connp->trec_pos > 0) { + if (curr_connp->trec_pos >= 3) { + const uint8_t * const ptr = curr_connp->trec; + uint32_t len = (*ptr << 16 | *(ptr + 1) << 8 | *(ptr + 2)) + 3; + SCLogDebug("length %u (trec)", len); + return len; + } else if (input_len + curr_connp->trec_pos >= 3) { + uint8_t buf[3] = { 0, 0, 0, }; // init to 0 to make scan-build happy + uint32_t i = 0; + for (uint32_t x = 0; x < curr_connp->trec_pos && i < 3; x++) { + buf[i++] = curr_connp->trec[x]; + } + for (uint32_t x = 0; x < input_len && i < 3; x++) { + buf[i++] = input[x]; + } + uint32_t len = (buf[0] << 16 | buf[1] << 8 | buf[2]) + 3; + SCLogDebug("length %u (part trec, part input)", len); + return len; + } + return 0; + } else if (input_len >= 3) { + uint32_t len = (*input << 16 | *(input + 1) << 8 | *(input + 2)) + 3; + SCLogDebug("length %u (input)", len); + return len; + } else { + SCLogDebug("length unknown (input len %u)", input_len); + return 0; + } +} + /** \internal * \brief setup or grow the `trec` space in the connp */ -static int EnsureRecordSpace(SSLStateConnp *curr_connp, const uint32_t input_len) +static int EnsureRecordSpace(SSLStateConnp *curr_connp, const uint8_t * const input, + const uint32_t input_len) { + ValidateTrecBuffer(curr_connp); + + uint32_t certs_len = GetCertsLen(curr_connp, input, input_len); + if (certs_len == 0) { + SCLogDebug("cert_len unknown still, create small buffer to start"); + certs_len = 256; + } + if (curr_connp->trec == NULL) { - curr_connp->trec_len = 2 * curr_connp->record_length + SSLV3_RECORD_HDR_LEN + 1; + curr_connp->trec_len = certs_len; curr_connp->trec = SCMalloc(curr_connp->trec_len); if (unlikely(curr_connp->trec == NULL)) goto error; } - if (curr_connp->trec_pos + input_len >= curr_connp->trec_len) { - curr_connp->trec_len = curr_connp->trec_pos + 2 * input_len + 1; + if (certs_len > curr_connp->trec_len) { + curr_connp->trec_len = certs_len; void *ptmp = SCRealloc(curr_connp->trec, curr_connp->trec_len); if (unlikely(ptmp == NULL)) { SCFree(curr_connp->trec); @@ -1395,11 +1473,12 @@ static int EnsureRecordSpace(SSLStateConnp *curr_connp, const uint32_t input_len } curr_connp->trec = ptmp; } - + ValidateTrecBuffer(curr_connp); return 0; error: curr_connp->trec_len = 0; curr_connp->trec_pos = 0; + ValidateTrecBuffer(curr_connp); return -1; } @@ -1410,34 +1489,52 @@ HaveEntireRecord(const SSLStateConnp *curr_connp, const uint32_t input_len) (curr_connp->record_length + SSLV3_RECORD_HDR_LEN); } +#ifdef DEBUG_VALIDATION static inline bool RecordAlreadyProcessed(const SSLStateConnp *curr_connp) { return ((curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < curr_connp->bytes_processed); } +#endif static inline int SSLv3ParseHandshakeTypeCertificate(SSLState *ssl_state, const uint8_t * const initial_input, const uint32_t input_len) { - if (EnsureRecordSpace(ssl_state->curr_connp, input_len) < 0) { - /* error, skip packet */ + ValidateTrecBuffer(ssl_state->curr_connp); + const uint32_t certs_len = GetCertsLen(ssl_state->curr_connp, initial_input, input_len); + SCLogDebug("certs_len %u", certs_len); + + if (EnsureRecordSpace(ssl_state->curr_connp, initial_input, input_len) < 0) { + /* error, skip input data */ ssl_state->curr_connp->bytes_processed += input_len; return -1; } + ValidateTrecBuffer(ssl_state->curr_connp); uint32_t write_len = 0; - if (HaveEntireRecord(ssl_state->curr_connp, input_len)) { - if (RecordAlreadyProcessed(ssl_state->curr_connp)) { - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); - return -1; - } - write_len = (ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN) - ssl_state->curr_connp->bytes_processed; + if (certs_len != 0 && ssl_state->curr_connp->trec_pos + input_len >= certs_len) { + write_len = certs_len - ssl_state->curr_connp->trec_pos; + /* get data left in this frag. The length field may indicate more + * data than just in this record. */ + uint32_t cur_frag_left = ssl_state->curr_connp->record_length + + SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed; + SCLogDebug("write_len %u cur_frag_left %u", write_len, cur_frag_left); + write_len = MIN(write_len, cur_frag_left); } else { - write_len = input_len; + uint32_t cur_frag_left = (ssl_state->curr_connp->record_length + + SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed); + SCLogDebug("cur_frag_left %u", cur_frag_left); + write_len = MIN(input_len, cur_frag_left); + SCLogDebug("write_len %u", write_len); + } + if (write_len == 0) { + /* no (new) data, so we're done */ + ValidateTrecBuffer(ssl_state->curr_connp); + return 0; } + BUG_ON(write_len > input_len); if (SafeMemcpy(ssl_state->curr_connp->trec, ssl_state->curr_connp->trec_pos, @@ -1446,35 +1543,40 @@ static inline int SSLv3ParseHandshakeTypeCertificate(SSLState *ssl_state, return -1; } ssl_state->curr_connp->trec_pos += write_len; + SCLogDebug("ssl_state->curr_connp->trec_pos %u", ssl_state->curr_connp->trec_pos); + DEBUG_VALIDATE_BUG_ON(certs_len != 0 && certs_len < ssl_state->curr_connp->trec_pos); - int rc = TlsDecodeHSCertificate(ssl_state, ssl_state->curr_connp->trec, - ssl_state->curr_connp->trec_pos); - if (rc > 0) { - /* do not return normally if the packet was fragmented: - we would return the size of the _entire_ message, - while we expect only the number of bytes parsed bytes - from the _current_ fragment */ - if (write_len < (ssl_state->curr_connp->trec_pos - rc)) { - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); - return -1; - } - - uint32_t diff = write_len - - (ssl_state->curr_connp->trec_pos - rc); - ssl_state->curr_connp->bytes_processed += diff; - - ssl_state->curr_connp->trec_pos = 0; - ssl_state->curr_connp->handshake_type = 0; - ssl_state->curr_connp->hs_bytes_processed = 0; - ssl_state->curr_connp->message_length = 0; - - return diff; - } else { + /* if we didn't yet get enough to determine the certs len, or we can + * see we didn't buffer enough for the certs, don't bother trying to + * parse it the data */ + if (certs_len == 0 || certs_len > ssl_state->curr_connp->trec_pos) { ssl_state->curr_connp->bytes_processed += write_len; + SCLogDebug("bytes_processed %u record_len %u", + ssl_state->curr_connp->bytes_processed, ssl_state->curr_connp->record_length); + ValidateTrecBuffer(ssl_state->curr_connp); return write_len; } + + int rc = TlsDecodeHSCertificate(ssl_state, ssl_state->curr_connp->trec, + ssl_state->curr_connp->trec_pos); + SCLogDebug("rc %d", rc); + if (rc > 0) { + DEBUG_VALIDATE_BUG_ON(rc != (int)ssl_state->curr_connp->trec_pos); + SSLParserHSReset(ssl_state->curr_connp); + } else if (rc < 0) { + SCLogDebug("error parsing cert, reset state"); + SSLParserHSReset(ssl_state->curr_connp); + /* fall through to still consume the cert bytes */ + } + ssl_state->curr_connp->bytes_processed += write_len; + ValidateTrecBuffer(ssl_state->curr_connp); + return write_len; } +/** + * \retval parsed number of consumed bytes + * \retval < 0 error + */ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, uint32_t input_len, uint8_t direction) { @@ -1484,6 +1586,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, if (input_len == 0) { return 0; } + DEBUG_VALIDATE_BUG_ON(RecordAlreadyProcessed(ssl_state->curr_connp)); switch (ssl_state->curr_connp->handshake_type) { case SSLV3_HS_CLIENT_HELLO: @@ -1528,8 +1631,9 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, "direction!"); break; } - return SSLv3ParseHandshakeTypeCertificate(ssl_state, + rc = SSLv3ParseHandshakeTypeCertificate(ssl_state, initial_input, input_len); + return rc; break; case SSLV3_HS_HELLO_REQUEST: @@ -1549,37 +1653,24 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, ssl_state->flags |= ssl_state->current_flags; + SCLogDebug("message: start %u length %u", ssl_state->curr_connp->message_start, ssl_state->curr_connp->message_length); + SCLogDebug("input_len %u ssl_state->curr_connp->bytes_processed %u", input_len, ssl_state->curr_connp->bytes_processed); + uint32_t write_len = 0; - if (HaveEntireRecord(ssl_state->curr_connp, input_len)) { - if (RecordAlreadyProcessed(ssl_state->curr_connp)) { - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); - return -1; - } - write_len = (ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN) - ssl_state->curr_connp->bytes_processed; - } else { - write_len = input_len; - } + if (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length < + ssl_state->curr_connp->bytes_processed + input_len) { + SCLogDebug("msg done"); - if ((ssl_state->curr_connp->trec_pos + write_len) >= - ssl_state->curr_connp->message_length) { - if (ssl_state->curr_connp->message_length < - ssl_state->curr_connp->trec_pos) { - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); - return -1; - } - const uint32_t parsed = ssl_state->curr_connp->message_length - - ssl_state->curr_connp->trec_pos; - ssl_state->curr_connp->bytes_processed += parsed; - ssl_state->curr_connp->handshake_type = 0; - ssl_state->curr_connp->hs_bytes_processed = 0; - ssl_state->curr_connp->message_length = 0; - ssl_state->curr_connp->trec_pos = 0; - return parsed; - } else { - ssl_state->curr_connp->trec_pos += write_len; + write_len = (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length) - + ssl_state->curr_connp->bytes_processed; + DEBUG_VALIDATE_BUG_ON(write_len > input_len); ssl_state->curr_connp->bytes_processed += write_len; + SSLParserHSReset(ssl_state->curr_connp); + SCLogDebug("write_len %u", write_len); return write_len; + } else { + ssl_state->curr_connp->bytes_processed += input_len; + return input_len; } } @@ -1593,6 +1684,10 @@ static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input return 0; } + SCLogDebug("bytes_processed %u", ssl_state->curr_connp->bytes_processed); + SCLogDebug("ssl_state->curr_connp->hs_bytes_processed %u input %p input_len %u", + ssl_state->curr_connp->hs_bytes_processed, input, input_len); + switch (ssl_state->curr_connp->hs_bytes_processed) { case 0: ssl_state->curr_connp->handshake_type = *(input++); @@ -1632,15 +1727,18 @@ static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input ssl_state->curr_connp->bytes_processed++; ssl_state->curr_connp->hs_bytes_processed++; --input_len; + ssl_state->curr_connp->message_start = ssl_state->curr_connp->bytes_processed; /* fall through */ } + SCLogDebug("message len %u input %p", ssl_state->curr_connp->message_length, input); int retval = SSLv3ParseHandshakeType(ssl_state, input, input_len, direction); if (retval < 0 || retval > (int)input_len) { DEBUG_VALIDATE_BUG_ON(retval > (int)input_len); return retval; } + SCLogDebug("retval %d input_len %u", retval, input_len); input += retval; return (input - initial_input); @@ -2214,9 +2312,10 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state, static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserState *pstate, const uint8_t *input, - uint32_t input_len) + const uint32_t input_len) { uint32_t parsed = 0; + uint32_t record_len; /* slice of input_len for the current record */ if (ssl_state->curr_connp->bytes_processed < SSLV3_RECORD_HDR_LEN) { int retval = SSLv3ParseRecord(direction, ssl_state, input, input_len); @@ -2227,10 +2326,19 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, return -1; } parsed += retval; - input_len -= retval; + record_len = MIN(input_len - parsed, ssl_state->curr_connp->record_length); + SCLogDebug("record_len %u (input_len %u, parsed %u, ssl_state->curr_connp->record_length %u)", + record_len, input_len, parsed, ssl_state->curr_connp->record_length); + } else { + ValidateRecordState(ssl_state->curr_connp); + + record_len = (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN)- ssl_state->curr_connp->bytes_processed; + record_len = MIN(input_len, record_len); } + SCLogDebug("record length %u processed %u got %u", + ssl_state->curr_connp->record_length, ssl_state->curr_connp->bytes_processed, record_len); - if (input_len == 0) { + if (record_len == 0) { return parsed; } @@ -2311,9 +2419,9 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, } int retval = SSLv3ParseHandshakeProtocol(ssl_state, input + parsed, - input_len, direction); - if (retval < 0 || retval > (int)input_len) { - DEBUG_VALIDATE_BUG_ON(retval > (int)input_len); + record_len, direction); + if (retval < 0 || retval > (int)record_len) { + DEBUG_VALIDATE_BUG_ON(retval > (int)record_len); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE); SSLSetEvent(ssl_state, @@ -2321,12 +2429,17 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, SCLogDebug("SSLv3ParseHandshakeProtocol returned %d", retval); return -1; } + SCLogDebug("retval %d", retval); parsed += retval; - input_len -= retval; - (void)input_len; /* for scan-build */ + record_len -= retval; + (void)record_len; /* for scan-build */ - if (ssl_state->curr_connp->bytes_processed == + SCLogDebug("bytes_processed %u (record+hdr %u)", ssl_state->curr_connp->bytes_processed, + (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN)); + ValidateRecordState(ssl_state->curr_connp); + + if (ssl_state->curr_connp->bytes_processed >= ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) { SCLogDebug("record ready"); @@ -2340,7 +2453,7 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, } case SSLV3_HEARTBEAT_PROTOCOL: { int retval = SSLv3ParseHeartbeatProtocol(ssl_state, input + parsed, - input_len, direction); + record_len, direction); if (retval < 0) { SCLogDebug("SSLv3ParseHeartbeatProtocol returned %d", retval); return -1; @@ -2355,7 +2468,10 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, return -1; } - if (HaveEntireRecord(ssl_state->curr_connp, input_len)) { + if (HaveEntireRecord(ssl_state->curr_connp, record_len)) { + DEBUG_VALIDATE_BUG_ON(((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < + ssl_state->curr_connp->bytes_processed)); + if ((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < ssl_state->curr_connp->bytes_processed) { /* defensive checks. Something is wrong. */ @@ -2373,13 +2489,15 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed; parsed += diff; SSLParserReset(ssl_state); + ValidateRecordState(ssl_state->curr_connp); return parsed; /* we still don't have the entire record for the one we are currently parsing */ } else { - parsed += input_len; - ssl_state->curr_connp->bytes_processed += input_len; + parsed += record_len; + ssl_state->curr_connp->bytes_processed += record_len; + ValidateRecordState(ssl_state->curr_connp); return parsed; } } @@ -2481,9 +2599,11 @@ static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate, AppLa SCLogDebug("SSLv2 decoder consumed %d bytes: %u left", retval, input_len); } else { if (ssl_state->curr_connp->bytes_processed == 0) { - SCLogDebug("New TLS record"); + SCLogDebug("New TLS record: record_length %u", + ssl_state->curr_connp->record_length); } else { - SCLogDebug("Continuing parsing TLS record"); + SCLogDebug("Continuing parsing TLS record: record_length %u, bytes_processed %u", + ssl_state->curr_connp->record_length, ssl_state->curr_connp->bytes_processed); } int retval = SSLv3Decode(direction, ssl_state, pstate, input, input_len); @@ -5256,16 +5376,6 @@ static int SSLParserTest25(void) FLOWLOCK_UNLOCK(&f); FAIL_IF(r != 0); - /* The reason hs_bytes_processed is 2 is because, the record - * immediately after the client key exchange is 2 bytes long, - * and next time we see a new handshake, it is after we have - * seen a change cipher spec. Hence when we process the - * handshake, we immediately break and don't parse the pdu from - * where we left off, and leave the hs_bytes_processed var - * isn't reset. */ - FAIL_IF(ssl_state->client_connp.bytes_processed != 0); - FAIL_IF(ssl_state->client_connp.hs_bytes_processed != 2); - AppLayerParserThreadCtxFree(alp_tctx); StreamTcpFreeConfig(TRUE); FLOW_DESTROY(&f); diff --git a/src/tests/detect-tls-ja3-hash.c b/src/tests/detect-tls-ja3-hash.c index 3e666a9aa3..8919815ad5 100644 --- a/src/tests/detect-tls-ja3-hash.c +++ b/src/tests/detect-tls-ja3-hash.c @@ -37,7 +37,7 @@ static void DetectTlsJa3HashRegisterTests(void) static int DetectTlsJa3HashTest01(void) { /* Client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E, + uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, diff --git a/src/tests/detect-tls-ja3-string.c b/src/tests/detect-tls-ja3-string.c index 2363c8d8ad..09115cd089 100644 --- a/src/tests/detect-tls-ja3-string.c +++ b/src/tests/detect-tls-ja3-string.c @@ -37,7 +37,7 @@ static void DetectTlsJa3StringRegisterTests(void) static int DetectTlsJa3StringTest01(void) { /* Client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E, + uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, diff --git a/src/tests/detect-tls-sni.c b/src/tests/detect-tls-sni.c index 8d340cf164..fb671e10fe 100644 --- a/src/tests/detect-tls-sni.c +++ b/src/tests/detect-tls-sni.c @@ -28,7 +28,7 @@ static int DetectTlsSniTest01(void) { /* client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E, + uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, @@ -116,7 +116,7 @@ static int DetectTlsSniTest01(void) static int DetectTlsSniTest02(void) { /* client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x82, 0x01, 0x00, 0x00, 0x7E, + uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, -- 2.47.2