Spicy TLS: fix parsing of no-extension hellos, port registration

Parsing of client/server hellos that do not contain extensions should now work correctly. The port registration is now done Zeek-side, wich fixes some test failures.
2025-10-04 15:48:19 +00:00 · 2023-11-08 08:00:49 +00:00 · 2023-11-08 08:00:49 +00:00 · dda1bbb7fc
commit dda1bbb7fc
parent 32d27b1b3f
4 changed files with 20 additions and 19 deletions
--- a/scripts/base/protocols/ssl/files.zeek
+++ b/scripts/base/protocols/ssl/files.zeek
@ -96,13 +96,13 @@ function describe_file(f: fa_file): string

 event zeek_init() &priority=5
 	{
-	# Files::register_protocol(Analyzer::ANALYZER_SSL,
-	#                          [$get_file_handle = SSL::get_file_handle,
-	#                           $describe        = SSL::describe_file]);
+	Files::register_protocol(Analyzer::ANALYZER_SSL,
+	                         [$get_file_handle = SSL::get_file_handle,
+	                          $describe        = SSL::describe_file]);

-	# Files::register_protocol(Analyzer::ANALYZER_DTLS,
-	#                          [$get_file_handle = SSL::get_file_handle,
-	#                           $describe        = SSL::describe_file]);
+	Files::register_protocol(Analyzer::ANALYZER_DTLS,
+	                         [$get_file_handle = SSL::get_file_handle,
+	                          $describe        = SSL::describe_file]);


 	local ssl_filter = Log::get_filter(SSL::LOG, "default");
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -197,8 +197,8 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
 event zeek_init() &priority=6
 	{
 	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
-	#Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
-	#Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
 	}

 function set_session(c: connection)
--- a/src/analyzer/protocol/ssl/spicy/SSL.evt
+++ b/src/analyzer/protocol/ssl/spicy/SSL.evt
@ -1,10 +1,8 @@
 protocol analyzer SSL over TCP:
-	parse with SSL::Message,
-	port 443/tcp;
+	parse with SSL::Message;

 protocol analyzer DTLS over UDP:
- 	parse with SSL::Message,
- 	port 443/udp;
+ 	parse with SSL::Message;

 import SSL;
 import zeek;
--- a/src/analyzer/protocol/ssl/spicy/SSL.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@ -846,6 +846,10 @@ type Handshake_message = unit(inout msg: Message, inout sh: Share) {
  on unhandled {
    print "Unhandled handshake message of type ", self.msg_type;
  }
+  on %error(emsg: string) {
+    print "Error in handshake message of type", self.msg_type, self, emsg;
+    print self;
+  }
 };

 type HelloRequest = unit(inout sh: Share) {
@ -910,9 +914,8 @@ type ClientHello = unit(len: uint64, msg: Message, inout sh: Share) {
  cipher_suites: uint16[self.cipher_suites_length/2];
  compression_methods_length: uint8;
  compression_methods: uint8[self.compression_methods_length];
-  extensions_length: uint16 if ( len > self.offset() );
-  extensions: Extension(sh, True)[] &size=self.extensions_length if ( len > self.offset() );
-
+  extensions_length: uint16 if ( len > self.offset() + 2 );
+  extensions: Extension(sh, True)[] &size=self.extensions_length if ( len > self.offset() + 2 );
  on %error(emsg: string) {
    print "Error in client hello", emsg;
    print self;
@ -955,8 +958,8 @@ type ServerHelloOneThree = unit(len: uint64, msg: Message, inout sh: Share, serv
  random_bytes: bytes &size=32;
  gmt_unix_time: uint32 &parse-from=self.random_bytes;
  cipher_suite: uint16;
-  extensions_length: uint16 if ( len > self.offset() );
-  extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() );
+  extensions_length: uint16 if ( len > self.offset() + 2 );
+  extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() + 2);

  on cipher_suite {
    sh.chosen_cipher = self.cipher_suite;
@ -971,8 +974,8 @@ type ServerHello = unit(len: uint64, msg: Message, inout sh: Share, server_versi
  session_id: bytes &size=self.session_id_length;
  cipher_suite: uint16;
  compression_method: uint8;
-  extensions_length: uint16 if ( len > self.offset() );
-  extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() );
+  extensions_length: uint16 if ( len > self.offset() + 2 );
+  extensions: Extension(sh, False)[] &size=self.extensions_length if ( len > self.offset() + 2 );

  on cipher_suite {
    sh.chosen_cipher = self.cipher_suite;