Spicy TLS: Re-enable starttls for RDP

2025-10-04 15:48:19 +00:00 · 2023-11-06 13:32:27 +00:00 · 2023-11-06 13:32:27 +00:00 · 32d27b1b3f
commit 32d27b1b3f
parent c682e5723b
3 changed files with 26 additions and 26 deletions
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -516,11 +516,11 @@ hook finalize_ssl(c: connection)

 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=5
 	{
-	#if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-	#	{
-	#	set_session(info$c);
-	#	info$c$ssl$analyzer_id = info$aid;
-	#	}
+	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+		{
+		set_session(info$c);
+		info$c$ssl$analyzer_id = info$aid;
+		}
 	}

 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
@ -536,11 +536,11 @@ event ssl_plaintext_data(c: connection, is_client: bool, record_version: count,

 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
 	{
-#	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-#		if ( info$c?$ssl )
-#			{
-#			# analyzer errored out; prevent us from trying to remove it later
-#			delete info$c$ssl$analyzer_id;
-#			finish(info$c, F);
-#			}
+	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+		if ( info$c?$ssl )
+			{
+			# analyzer errored out; prevent us from trying to remove it later
+			delete info$c$ssl$analyzer_id;
+			finish(info$c, F);
+			}
 	}
--- a/src/analyzer/protocol/rdp/RDP.cc
+++ b/src/analyzer/protocol/rdp/RDP.cc
@ -1,6 +1,7 @@
 #include "zeek/analyzer/protocol/rdp/RDP.h"

 #include "zeek/Reporter.h"
+#include "zeek/analyzer/Manager.h"
 #include "zeek/analyzer/protocol/rdp/events.bif.h"
 #include "zeek/analyzer/protocol/rdp/types.bif.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
@ -11,7 +12,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c) : analyzer::tcp::TCP_ApplicationAnalyz
    interp = new binpac::RDP::RDP_Conn(this);

    had_gap = false;
-    // ssl = nullptr;
+    tls_active = false;
 }

 RDP_Analyzer::~RDP_Analyzer() { delete interp; }
@ -44,19 +45,18 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) {
        // 0x01 is SSL/TLS
        // 0x03-0x04 is CredSSP which is effectively SSL/TLS
        if ( interp->encryption_method() > 0x00 ) {
-            /*
-    if ( ! ssl ) {
-        ssl = new analyzer::ssl::SSL_Analyzer(Conn());
-        if ( ! AddChildAnalyzer(ssl) ) {
-            reporter->AnalyzerError(this,
-                                    "failed to add TCP child analyzer "
-                                    "to RDP analyzer: already exists");
-            return;
-        }
-    }
+            if ( ! tls_active ) {
+                tls_active = true;
+                Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+                if ( ! AddChildAnalyzer(ssl) ) {
+                    reporter->AnalyzerError(this,
+                                            "failed to add TCP child analyzer "
+                                            "to RDP analyzer");
+                    return;
+                }
+            }

-    ForwardStream(len, data, orig);
-             */
+            ForwardStream(len, data, orig);
        }
        else {
            if ( rdp_native_encrypted_data )
--- a/src/analyzer/protocol/rdp/RDP.h
+++ b/src/analyzer/protocol/rdp/RDP.h
@ -24,7 +24,7 @@ protected:
    binpac::RDP::RDP_Conn* interp;

    bool had_gap;
-    // analyzer::ssl::SSL_Analyzer* ssl;
+    bool tls_active;
 };

 } // namespace zeek::analyzer::rdp