From: Victor Julien Date: Wed, 23 Apr 2014 13:53:25 +0000 (+0200) Subject: tls/heartbleed: improve encrypted logic X-Git-Tag: suricata-2.0.1rc1~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=31655aef7e313c8528c9c576ec465c429021884c;p=thirdparty%2Fsuricata.git tls/heartbleed: improve encrypted logic Don't assume that if the type field isn't 01 or 02 it's an encrypted heartbeat. Instead, use our knowledge of the SSL state. --- diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index f1aa19af0c..8832623074 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -355,7 +355,15 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, uint8_t *input, } hb_type = *input++; - if((ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) == 0) { + if (!(ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC)) { + if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) { + AppLayerDecoderEventsSetEvent(ssl_state->f, + TLS_DECODER_EVENT_INVALID_HEARTBEAT); + return -1; + } + } + + if ((ssl_state->flags & SSL_AL_FLAG_HB_INFLIGHT) == 0) { ssl_state->flags |= SSL_AL_FLAG_HB_INFLIGHT; if (direction) { @@ -369,7 +377,7 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, uint8_t *input, } /* if we reach this poin then can we assume that the HB request * is encrypted if so lets set the heartbeat record len */ - if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) { + if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) { ssl_state->hb_record_len = ssl_state->curr_connp->record_length; SCLogDebug("Encrypted HeartBeat Request In-flight. Storing len %u", ssl_state->hb_record_len); return (ssl_state->curr_connp->record_length - 3); 
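Review bot: The plaintext-only type check added here, and the encrypted branch selected in the two later hunks, test `SSL_AL_FLAG_CHANGE_CIPHER_SPEC` without consulting `direction`; as far as I recall from the rest of app-layer-ssl.c that flag is set by the first ChangeCipherSpec from either side, so in the window between the two ChangeCipherSpec messages a heartbeat from the peer that has not yet switched ciphers would be classified as encrypted and would skip both this type validation and the plaintext length check I assume follows the encrypted branch. If the per-direction flags exist as I believe (`SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC` / `SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC`), evaluating `int hb_encrypted = direction ? (ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC) : (ssl_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC);` once after reading hb_type and using it in all three conditions would make the decision precise; please confirm against the flag-setting code. The new block would also benefit from a comment stating why the type byte is only validated here, e.g. `/* before ChangeCipherSpec the heartbeat is plaintext, so its type byte must be a request or a response */`. SSLv3ParseHeartbeatProtocol starts before this hunk and continues past it.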
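Review bot: The context comment directly above the changed condition, `/* if we reach this poin then can we assume that the HB request * is encrypted if so lets set the heartbeat record len */`, is now stale: the decision no longer rests on the type byte but on the ChangeCipherSpec state, and it still reads as an open question with the typo "poin". I would replace it with `/* ChangeCipherSpec has been seen, so the heartbeat is encrypted and all we can do is record its length for the in-flight size check */`. The same comment, with the same typo, precedes the condition changed in the third hunk (`@@ -419,7 +427,7 @@`) and should be updated there as well. SSLv3ParseHeartbeatProtocol starts before this hunk and continues past it.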
@@ -419,7 +427,7 @@ static int SSLv3ParseHeartbeatProtocol(SSLState *ssl_state, uint8_t *input, /* if we reach this poin then can we assume that the HB request is *encrypted if so lets set the heartbeat record len */ - if (!(hb_type == TLS_HB_REQUEST || hb_type == TLS_HB_RESPONSE)) { + if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) { /* check to see if the encrypted response is longer than the * encrypted request */ if (ssl_state->hb_record_len > 0 &&