Spicy TLS: Re-enable starttls for RDP

scripts/base/protocols/ssl/main.zeek

@@ -516,11 +516,11 @@ hook finalize_ssl(c: connection)
 
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=5
 	{
-	#if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-	#	{
+		{
-	#	set_session(info$c);
+		set_session(info$c);
-	#	info$c$ssl$analyzer_id = info$aid;
+		info$c$ssl$analyzer_id = info$aid;
-	#	}
+		}
 	}
 
 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
@@ -536,11 +536,11 @@ event ssl_plaintext_data(c: connection, is_client: bool, record_version: count,
 
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
 	{
-#	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-#		if ( info$c?$ssl )
+		if ( info$c?$ssl )
-#			{
+			{
-#			# analyzer errored out; prevent us from trying to remove it later
+			# analyzer errored out; prevent us from trying to remove it later
-#			delete info$c$ssl$analyzer_id;
+			delete info$c$ssl$analyzer_id;
-#			finish(info$c, F);
+			finish(info$c, F);
-#			}
+			}
 	}

src/analyzer/protocol/rdp/RDP.cc

@@ -1,6 +1,7 @@
 #include "zeek/analyzer/protocol/rdp/RDP.h"
 
 #include "zeek/Reporter.h"
+#include "zeek/analyzer/Manager.h"
 #include "zeek/analyzer/protocol/rdp/events.bif.h"
 #include "zeek/analyzer/protocol/rdp/types.bif.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
@@ -11,7 +12,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c) : analyzer::tcp::TCP_ApplicationAnalyz
     interp = new binpac::RDP::RDP_Conn(this);
 
     had_gap = false;
-    // ssl = nullptr;
+    tls_active = false;
 }
 
 RDP_Analyzer::~RDP_Analyzer() { delete interp; }
@@ -44,19 +45,18 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) {
         // 0x01 is SSL/TLS
         // 0x03-0x04 is CredSSP which is effectively SSL/TLS
         if ( interp->encryption_method() > 0x00 ) {
-            /*
+            if ( ! tls_active ) {
-    if ( ! ssl ) {
+                tls_active = true;
-        ssl = new analyzer::ssl::SSL_Analyzer(Conn());
+                Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
-        if ( ! AddChildAnalyzer(ssl) ) {
+                if ( ! AddChildAnalyzer(ssl) ) {
-            reporter->AnalyzerError(this,
+                    reporter->AnalyzerError(this,
-                                    "failed to add TCP child analyzer "
+                                            "failed to add TCP child analyzer "
-                                    "to RDP analyzer: already exists");
+                                            "to RDP analyzer");
-            return;
+                    return;
-        }
+                }
-    }
+            }
 
-    ForwardStream(len, data, orig);
+            ForwardStream(len, data, orig);
-             */
         }
         else {
             if ( rdp_native_encrypted_data )

src/analyzer/protocol/rdp/RDP.h

@@ -24,7 +24,7 @@ protected:
     binpac::RDP::RDP_Conn* interp;
 
     bool had_gap;
-    // analyzer::ssl::SSL_Analyzer* ssl;
+    bool tls_active;
 };
 
 } // namespace zeek::analyzer::rdp