From dda1bbb7fce99aff6f35fdecd9927976442925d2 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 8 Nov 2023 08:00:49 +0000
Subject: [PATCH] Spicy TLS: fix parsing of no-extension hellos, port registration

Parsing of client/server hellos that do not contain extensions should now work correctly. The port registration is now done Zeek-side, wich fixes some test failures.
---
 scripts/base/protocols/ssl/files.zeek | 12 ++++++------
 scripts/base/protocols/ssl/main.zeek | 4 ++--
 src/analyzer/protocol/ssl/spicy/SSL.evt | 6 ++----
 src/analyzer/protocol/ssl/spicy/SSL.spicy | 17 ++++++++++-------
 4 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/scripts/base/protocols/ssl/files.zeek b/scripts/base/protocols/ssl/files.zeek
index 0dd00e4f77..69bfadcc96 100644
--- a/scripts/base/protocols/ssl/files.zeek
+++ b/scripts/base/protocols/ssl/files.zeek
@@ -96,13 +96,13 @@ function describe_file(f: fa_file): string
 event zeek_init() &priority=5
 {
- # Files::register_protocol(Analyzer::ANALYZER_SSL,
- # [$get_file_handle = SSL::get_file_handle,
- # $describe = SSL::describe_file]);
+ Files::register_protocol(Analyzer::ANALYZER_SSL,
+ [$get_file_handle = SSL::get_file_handle,
+ $describe = SSL::describe_file]);
- # Files::register_protocol(Analyzer::ANALYZER_DTLS,
- # [$get_file_handle = SSL::get_file_handle,
- # $describe = SSL::describe_file]);
+ Files::register_protocol(Analyzer::ANALYZER_DTLS,
+ [$get_file_handle = SSL::get_file_handle,
+ $describe = SSL::describe_file]);
 local ssl_filter = Log::get_filter(SSL::LOG, "default");
diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index dab9a71e99..eadc4e20fb 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -197,8 +197,8 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
 event zeek_init() &priority=6
 {
 Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
- #Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
- #Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
+ Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
+ Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
 }
 function set_session(c: connection)
diff --git a/src/analyzer/protocol/ssl/spicy/SSL.evt b/src/analyzer/protocol/ssl/spicy/SSL.evt
index facb77120e..7d93bbccd3 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.evt
+++ b/src/analyzer/protocol/ssl/spicy/SSL.evt
@@ -1,10 +1,8 @@
 protocol analyzer SSL over TCP:
- parse with SSL::Message,
- port 443/tcp;
+ parse with SSL::Message;
 protocol analyzer DTLS over UDP:
- parse with SSL::Message,
- port 443/udp;
+ parse with SSL::Message;
 import SSL;
 import zeek;
diff --git a/src/analyzer/protocol/ssl/spicy/SSL.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
index 996648d8ff..764223d492 100644
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -846,6 +846,10 @@ type Handshake_message = unit(inout msg: Message, inout sh: Share) {
 on unhandled {
 print "Unhandled handshake message of type ", self.msg_type;
 }
+ on %error(emsg: string) { print "Error in handshake message of type", self.msg_type, self, emsg; print self; }
 };
 type HelloRequest = unit(inout sh: Share) {
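Review bot: Dropping the `port 443/tcp` and `port 443/udp` declarations leaves SSL.evt with nothing that says port-based activation now happens elsewhere, so a reader of this file alone will conclude the analyzers are attached only by DPD and may re-add the ports here, double-registering them. A one-line comment above each `protocol analyzer` block would document the split: `# Ports are registered Zeek-side via Analyzer::register_for_ports in scripts/base/protocols/ssl/main.zeek.`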
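Review bot: The new `on %error` hook in `Handshake_message` prints `self` twice — once as an argument of the first `print` and again on the following `print self;` — and it does so unconditionally to stdout for every malformed handshake message, which in a production analyzer is output that any peer can trigger at will. Dropping the duplicate and keeping `print "Error in handshake message of type", self.msg_type, emsg;` removes the redundancy; if the hook is temporary debugging it deserves a `# TODO: remove before release` comment, and if it is meant to stay, reporting through the analyzer's normal error/weird path rather than `print` would be the better fit. The body of `Handshake_message` begins before this hunk.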
@@ -910,9 +914,8 @@ type ClientHello = unit(len: uint64, msg: Message, inout sh: Share) {
 cipher_suites: uint16[self.cipher_suites_length/2];
 compression_methods_length: uint8;
 compression_methods: uint8[self.compression_methods_length];
- extensions_length: uint16 if ( len > self.offset() );
- extensions: Extension(sh, True)[] &size=self.extensions_length if ( len > self.offset() );
-
+ extensions_length: uint16 if ( len > self.offset() + 2 );
+ extensions: Extension(sh, True)[] &size=self.extensions_length if ( len > self.offset() + 2 );
 on %error(emsg: string) {
 print "Error in client hello", emsg;
 print self;
@@ -955,8 +958,8 @@ type ServerHelloOneThree = unit(len: uint64, msg: Message, inout sh: Share, serv
 random_bytes: bytes &size=32;
 gmt_unix_time: uint32 &parse-from=self.random_bytes;
 cipher_suite: uint16;
- extensions_length: uint16 if ( len > self.offset() );
- extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() );
+ extensions_length: uint16 if ( len > self.offset() + 2 );
+ extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() + 2);
 on cipher_suite {
 sh.chosen_cipher = self.cipher_suite;
@@ -971,8 +974,8 @@ type ServerHello = unit(len: uint64, msg: Message, inout sh: Share, server_versi
 session_id: bytes &size=self.session_id_length;
 cipher_suite: uint16;
 compression_method: uint8;
- extensions_length: uint16 if ( len > self.offset() );
- extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() );
+ extensions_length: uint16 if ( len > self.offset() + 2 );
+ extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() + 2 );
 on cipher_suite {
 sh.chosen_cipher = self.cipher_suite;
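Review bot: In the ClientHello hunk the new guard `len > self.offset() + 2` skips `extensions_length` when exactly two bytes remain, which is the legal case of an extensions block whose length field is 0; those two bytes are then presumably left unconsumed inside the handshake body, so the unit no longer accounts for the whole message it was given. The identical condition is reused for the `extensions` field, but by then `self.offset()` has advanced past the length field, so there it means "more than two bytes of extension data remain" and never checks the peer-supplied `self.extensions_length` against `len`, leaving `&size` free to reach beyond the handshake body. I would write `extensions_length: uint16 if ( len >= self.offset() + 2 );` and gate the vector on the parsed value, e.g. `extensions: Extension(sh, True)[] &size=self.extensions_length if ( self?.extensions_length && self.extensions_length > 0 && self.extensions_length <= len - self.offset() );` (assuming the `?.` has-value operator is available in the Spicy version in use; otherwise keep the `>=` offset test on both fields). The ServerHelloOneThree and ServerHello hunks below carry the same two conditions and need the same change; all three units start before their hunks.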