From 2bb47d8d9a0c16c83b41004e51fb593ad9136633 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 26 Jun 2025 17:06:43 +0100
Subject: [PATCH] Spicy SSL analyzer: move unknown version out of possible range

This moves the negotiated version outside of the possible range of protocol values. I don't think it was possible to cause a problem with this in the past - but this approach seems safer.
---
 src/analyzer/protocol/ssl/spicy/SSL.spicy | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index 848ad06a45..6f902d406b 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -177,7 +177,8 @@ type NameType = enum {
 #   anonymous = 0, rsa= 1, dsa= 2, ecdsa= 3
 # };
 
-const UNKNOWN_VERSION: uint16 = 0x0000;
+# UNKNOWN_VERSION is outside the 16-bit range of real possible versions
+const UNKNOWN_VERSION: uint32 = 0xFFFF0000;
 const SSLv2 = 0x0002;
 const SSLv3 = 0x0300;
 const TLSv10 = 0x0301;
@@ -567,7 +568,7 @@ type Share = unit {
     # version as seen in server_hello (for signature and hash-alg choice)
     var chosen_version_sh_outer: uint16;
     # final negotiated version - can e.g. be used to distinguished tls 1.3
-    var negotiated_version: uint16;
+    var negotiated_version: uint32 = UNKNOWN_VERSION;
     # set to true if chosen version is identified as a tls 1.3 version
     var tls_13: bool;
     var chosen_cipher: uint16;
@@ -660,7 +661,7 @@ public type Message = unit {
     sink handshakesink;
     sink alertsink;
 
-    var record_version: uint16;
+    var record_version: uint32;
     var dtls: bool = False;
     var partial: bool = False;
     var first_packet: bool = True; # needed for SSLv2, which sadly is quite stateful.
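Review bot: The new comment above `UNKNOWN_VERSION` records that the value lies outside the 16-bit range but not why that matters, and the neighbouring constants (`SSLv2`, `SSLv3`, `TLSv10`, …) are all genuine 16-bit wire values, so the property worth stating is that no version parsed from a record or handshake header can ever compare equal to the sentinel. I would extend the comment to `# UNKNOWN_VERSION is deliberately outside the 16-bit range of wire versions, so no parsed version can ever compare equal to it; any field compared against it must be uint32.` The sentinel also moves from `0x0000` to `0xFFFF0000`, and the diffstat shows only `SSL.spicy` changed, so any `.evt` mapping or Zeek-side script that previously treated `0` as "not negotiated" would need checking — those consumers are not visible from here.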
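Review bot: `record_version` in the `Message` unit is widened to `uint32` but, unlike `negotiated_version` in the `Share` hunk, gets no initializer, so it still starts at `0` — the exact value the removed `UNKNOWN_VERSION` used. If anything compares `record_version` against `UNKNOWN_VERSION` before the first record header has been parsed (the uses are outside this diff, so I cannot confirm), that check is now false for a field that was never set. Either initialize it consistently, `var record_version: uint32 = UNKNOWN_VERSION;`, or document the zero state with a comment such as `# 0 until the first record header is parsed; never compared with UNKNOWN_VERSION`. The `Message` unit continues outside the hunk.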