diff --git a/CHANGES b/CHANGES index 9aae471b07..38746ee44a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.3-316 | 2014-11-25 17:35:06 -0800 + + * Make the SSL analyzer skip further processing once encountering + situations which are very probably non-recoverable. (Johanna + Amann) + 2.3-313 | 2014-11-25 14:27:07 -0800 * Make SSL v2 protocol tests more strict. In its former state they diff --git a/VERSION b/VERSION index 449f02efea..d6becd7005 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-313 +2.3-316 diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac index 64d5d78df6..2433886d14 100644 --- a/src/analyzer/protocol/ssl/ssl-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac @@ -112,7 +112,10 @@ refine connection SSL_Conn += { cipher_suites24 : uint24[]) : bool %{ if ( ! version_ok(version) ) + { bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version)); + bro_analyzer()->SetSkip(true); + } else bro_analyzer()->ProtocolConfirmation(); @@ -152,7 +155,10 @@ refine connection SSL_Conn += { comp_method : uint8) : bool %{ if ( ! version_ok(version) ) + { bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version)); + bro_analyzer()->SetSkip(true); + } if ( ssl_server_hello ) { @@ -202,6 +208,7 @@ refine connection SSL_Conn += { // This should be impossible due to the binpac parser // and protocol description bro_analyzer()->ProtocolViolation(fmt("Impossible extension length: %lu", length)); + bro_analyzer()->SetSkip(true); return true; } @@ -392,7 +399,11 @@ refine connection SSL_Conn += { function proc_check_v2_server_hello_version(version: uint16) : bool %{ if ( version != SSLv20 ) + { bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL server hello. Version: %d", version)); + bro_analyzer()->SetSkip(true); + return false; + } return true; %} 
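Review bot: In the first ssl-analyzer.pac hunk the unsupported-version branch sets SetSkip(true) but does not leave proc_client_hello, so whatever follows the `else` (the rest of this handler is outside the hunk) still runs on a hello whose version was just rejected, while proc_check_v2_server_hello_version in this same commit returns `false` right after its SetSkip. Adding `return false;` after `bro_analyzer()->SetSkip(true);` inside the new braces would make the two paths consistent. It is also worth recording the trade-off in a comment, since this turns a logged violation into a hard stop for the connection, presumably for both directions: `// Unsupported version is treated as unrecoverable: analysis of this connection stops here.`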
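Review bot: In the proc_server_hello hunk the handler keeps going after the version check fails — the `if ( ssl_server_hello )` block directly below the new braces still executes, so an ssl_server_hello event is still raised for a version the analyzer has just declared unsupported, and script-land gets no hint that the analyzer has stopped. If that is not intended, put `return false;` after `bro_analyzer()->SetSkip(true);`, matching the v2 handler in this commit; if it is intended, a one-line comment saying the event is still delivered on purpose would save the next reader the question. The remainder of proc_server_hello lies outside the hunk.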
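Review bot: In the extension-length hunk the branch the comment calls impossible now stops analysis for the whole connection yet still returns `true`, which any `&requires`/`&if` consumer of this field reads as success; the v2 version check added in this commit returns `false` on its violation path. Prefer `return false;` here for consistency, and consider extending the comment to say why a supposedly unreachable case is worth a hard skip, e.g. `// Defensive: if this ever triggers the parser state is not trustworthy, so stop.` Both ends of the enclosing function are outside the hunk.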
@@ -479,13 +490,13 @@ refine typeattr ServerHello += &let { }; refine typeattr V2ServerHello += &let { - proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, - conn_id_data, 0, 0, ciphers, 0); - check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version); + proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, + conn_id_data, 0, 0, ciphers, 0) &requires(check_v2) &if(check_v2 == true); + cert : bool = $context.connection.proc_v2_certificate(rec, cert_data) - &requires(proc); + &requires(proc) &requires(check_v2) &if(check_v2 == true); }; refine typeattr Certificate += &let { diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index a613ebdb68..cb794bd8a4 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -759,6 +759,7 @@ refine connection SSL_Conn += { version != TLSv11 && version != TLSv12 ) { bro_analyzer()->ProtocolViolation(fmt("Invalid version late in TLS connection. Packet reported version: %d", version)); + bro_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } } @@ -775,6 +776,7 @@ refine connection SSL_Conn += { version != TLSv11 && version != TLSv12 ) { bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL client hello. Version: %d", version)); + bro_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } @@ -791,6 +793,7 @@ refine connection SSL_Conn += { else // this is not SSL or TLS. { bro_analyzer()->ProtocolViolation(fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3)); + bro_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } } @@ -800,6 +803,7 @@ refine connection SSL_Conn += { version != TLSv11 && version != TLSv12 ) { bro_analyzer()->ProtocolViolation(fmt("Invalid version in TLS connection. Version: %d", version)); + bro_analyzer()->SetSkip(true); return UNKNOWN_VERSION; } 
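Review bot: On the new side of the V2ServerHello hunk, `check_v2` is referenced by `&requires(check_v2)` and `&if(check_v2 == true)` on both `proc` and `cert`, but the only definition of `check_v2` in this hunk is on a removed line, so unless the V2ServerHello record declaration (outside this diff) defines that field, binpac has nothing to evaluate and the generated parser will not build. If the definition is meant to stay in this refine it should be declared ahead of `proc`: `check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version);`. If it was moved into ssl-protocol.pac instead, that hunk is not in this diff and should be.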
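Review bot: In the first ssl-protocol.pac hunk the "Invalid version late in TLS connection" path now adds SetSkip(true), so a record-layer version outside the SSLv3..TLSv12 set is no longer just a logged violation but, as far as this check can tell, the end of analysis for the connection; a version number newer than the analyzer knows, or a single deliberately odd record from either peer, is then enough to blind the analyzer for the rest of the session. That is likely the intended trade-off for data that cannot be parsed anyway, but it deserves a comment at the check, e.g. `// Unknown record version is treated as unrecoverable; nothing further on this connection is parsed.` The enclosing function begins before this hunk and ends in a later one.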
@@ -810,6 +814,7 @@ refine connection SSL_Conn += { } bro_analyzer()->ProtocolViolation(fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0)); + bro_analyzer()->SetSkip(true); return UNKNOWN_VERSION; %}
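Review bot: With this hunk the sequence `ProtocolViolation(...)`, `SetSkip(true)`, `return UNKNOWN_VERSION;` is now spelled out five times in the same version-detection function (the function starts outside this hunk), which is exactly the kind of repeated tail that drifts when one copy is edited later. A small parameterless helper on SSL_Conn that does the skip and returns the sentinel would leave each call site as `bro_analyzer()->ProtocolViolation(fmt(...)); return unrecoverable();` and keep the message formatting where it is. Sketch of the helper and one rewritten site:

```binpac
	function unrecoverable() : int
		%{
		// Common tail for violations we do not try to recover from:
		// stop feeding this analyzer and report an unknown version.
		bro_analyzer()->SetSkip(true);
		return UNKNOWN_VERSION;
		%}

	// … unchanged: earlier version checks in the detection function …
		bro_analyzer()->ProtocolViolation(fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
		return unrecoverable();
```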