From a8347e1bc271b8a0447755b1298b88c8d70e94d0 Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Mon, 29 Oct 2018 21:26:13 +0100
Subject: [PATCH] app-layer-ssl: fix flow and inspection bypass for TLSv1.3

---
 src/app-layer-ssl.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index e9f431e6f8..8bff446191 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -2216,27 +2216,26 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
                     ((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0))
                 break;
 
-            if ((ssl_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC) &&
-                (ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC)) {
-
-                if (ssl_config.encrypt_mode != SSL_CNF_ENC_HANDLE_FULL) {
-                    SCLogDebug("setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD");
-                    AppLayerParserStateSetFlag(pstate,
-                            APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD);
-                }
-            }
-
             /* if we see (encrypted) aplication data, then this means the
                handshake must be done */
             ssl_state->flags |= SSL_AL_FLAG_HANDSHAKE_DONE;
 
+            if (ssl_config.encrypt_mode != SSL_CNF_ENC_HANDLE_FULL) {
+                SCLogDebug("setting APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD");
+                AppLayerParserStateSetFlag(pstate,
+                        APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD);
+            }
+
             /* Encrypted data, reassembly not asked, bypass asked, let's sacrifice
              * heartbeat lke inspection to be able to be able to bypass the flow */
             if (ssl_config.encrypt_mode == SSL_CNF_ENC_HANDLE_BYPASS) {
                 SCLogDebug("setting APP_LAYER_PARSER_NO_REASSEMBLY");
-                AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_REASSEMBLY);
-                AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_NO_INSPECTION);
-                AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_BYPASS_READY);
+                AppLayerParserStateSetFlag(pstate,
+                        APP_LAYER_PARSER_NO_REASSEMBLY);
+                AppLayerParserStateSetFlag(pstate,
+                        APP_LAYER_PARSER_NO_INSPECTION);
+                AppLayerParserStateSetFlag(pstate,
+                        APP_LAYER_PARSER_BYPASS_READY);
             }
             break;
 
-- 
2.47.2
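Review bot: The new NO_INSPECTION_PAYLOAD block now runs on every application-data record with no handshake-state check beyond the early-data guard above it, so on a TLS 1.2-or-earlier flow a record of content type application_data sent before either ChangeCipherSpec, a protocol violation the removed code would have ignored, now silently turns off payload inspection for the rest of the flow. Since the case that needed relaxing is TLS 1.3, where ChangeCipherSpec is optional, consider keeping the two-CCS requirement for earlier negotiated versions (the version the state records for the connection is not visible in this hunk, so the exact field is to be confirmed), or at least raising a decoder event when application data precedes CCS on a pre-1.3 flow; the bypass block further down already behaved this way before the patch, so this would only tighten one path. The comment above the HANDSHAKE_DONE assignment should also say why the CCS check was dropped and fix the "aplication" typo, e.g. `/* TLS 1.3 may omit ChangeCipherSpec, so the first (encrypted) application data record is the only reliable sign that the handshake is over */`. SSLv3Decode starts before and continues after this hunk.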