From 74b847a122ed38dc5f003685dbfea2252b093494 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 18 Jun 2025 10:52:56 +0100
Subject: [PATCH] Spicy SSL analyzer: make record layer version parsing more
 strict

The Spicy based SSL analyzer was, so far, more permissive with the
record layer versions that it would accept.

This change brings the parsing of record layer versions in line with the
binpac based analyzer. This behavioral difference was discovered due to
a test that changed with the recent dpd log changes.
---
 src/analyzer/protocol/ssl/spicy/SSL.spicy | 2 +-
 testing/btest/core/pppoe-over-qinq.zeek   | 3 ---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index ee50442cb3..f89b81b191 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -740,7 +740,7 @@ type SSL2ClientMasterKey = unit(length: uint16, inout sh: Share) {
 # For TLS-y protocols - determine how to continue
 type TLSRecordFragmentChoice = unit(content_type: uint8, handshakesink: sink&, alertsink: sink&, inout msg: Message, inout sh: Share) {
     # content_type: uint8; # &convert=ContentType($$);
-    version: uint16;
+    version: uint16 &requires=($$ == SSLv3 || $$ == TLSv10 || $$ == TLSv11 || $$ == TLSv12 : "Invalid version in record layer. Version: %s" % $$);
 
     switch (is_dtls_version(self.version)) {
         True -> dtlsfragment: DTLSRecordFragment(content_type, handshakesink, alertsink, msg, sh);
diff --git a/testing/btest/core/pppoe-over-qinq.zeek b/testing/btest/core/pppoe-over-qinq.zeek
index a0a12e490b..26f3cc61b3 100644
--- a/testing/btest/core/pppoe-over-qinq.zeek
+++ b/testing/btest/core/pppoe-over-qinq.zeek
@@ -1,5 +1,2 @@
-# Disable test temporarily - see GH-4547
-# @TEST-REQUIRES: ! have-spicy-ssl
-
 # @TEST-EXEC: zeek -r $TRACES/pppoe-over-qinq.pcap
 # @TEST-EXEC: btest-diff conn.log