tls/heartbleed: improve encrypted logic
authorVictor Julien <victor@inliniac.net>
Wed, 23 Apr 2014 13:53:25 +0000 (15:53 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 2 May 2014 09:55:12 +0000 (11:55 +0200)
Don't assume that if the type field isn't 01 or 02 it's an encrypted
heartbeat. Instead, use our knowledge of the SSL state.

src/app-layer-ssl.c

index f1aa19af0ce5ebd4bead0ee17e8508c6831811b9..88326230740f821b3640dbc4f325beac3a4f6503 100644 (file)
@@ -355,7 +355,15 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, uint8_t *input,
     }
     hb_type = *input++;
 
-    if((ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) == 0) {
+    if (!(ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) {
+        if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) {
+            AppLayerDecoderEventsSetEvent(ssl_state->f,
+                    TLS_DECODER_EVENT_INVALID_HEARTBEAT);
+            return -1;
+        }
+    }
+
+    if ((ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) == 0) {
         ssl_state->flags |= SSL_AL_FLAG_HB_INFLIGHT;
 
         if (direction) {
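Review bot: The new `SSL_AL_FLAG_CHANGE_CIPHER_SPEC` test ignores `direction`, although each TLS peer only starts sending encrypted records after its own ChangeCipherSpec. If the flag is set as soon as either side sends one (the setter is not visible in this diff), a cleartext heartbeat from the other side in that window skips the added type check and is then handled as encrypted, so any cleartext payload checks further down would not see it. Consider selecting a per-direction change-cipher-spec state with `direction`, if the state tracks one. The same applies to the two `if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC)` tests in the later hunks. SSLv3ParseHeartbeatProtocol starts and ends outside this hunk.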
@@ -369,7 +377,7 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, uint8_t *input,
         }
         /* if we reach this poin then can we assume that the HB request
          * is encrypted if so lets set the heartbeat record len */
-        if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) {
+        if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
             ssl_state->hb_record_len = ssl_state->curr_connp->record_length;
             SCLogDebug("Encrypted HeartBeat Request In-flight. Storing len %u", ssl_state->hb_record_len);
             return (ssl_state->curr_connp->record_length - 3);
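Review bot: The comment above the changed condition is now stale: it still says that on reaching this point the heartbeat can be assumed to be encrypted, but the branch is decided by `SSL_AL_FLAG_CHANGE_CIPHER_SPEC` rather than by ruling out the type byte. I would reword it to `/* change cipher spec seen: treat the heartbeat as encrypted and store the record length */`. The identical comment in the third hunk (@@ -419) needs the same fix. The surrounding function body continues outside this hunk.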
@@ -419,7 +427,7 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, uint8_t *input,
 
         /* if we reach this poin then can we assume that the HB request is
          *encrypted if so lets set the heartbeat record len */
-        if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) {
+        if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
             /* check to see if the encrypted response is longer than the
              * encrypted request */
             if (ssl_state->hb_record_len > 0 &&