From 80ad31aec02fcaa046a11240b5081ea7e1aa17cc Mon Sep 17 00:00:00 2001 From: yrutschle Date: Sun, 4 Nov 2018 22:25:16 +0100 Subject: [PATCH] refactoring: replace magic constants with symbols --- probe.c | 15 ++++++--------- tls.c | 55 ++++++++++++++++++++++++++----------------------------- tls.h | 10 ++++++++++ 3 files changed, 42 insertions(+), 38 deletions(-) diff --git a/probe.c b/probe.c index 8130ab9..15ff8b9 100644 --- a/probe.c +++ b/probe.c @@ -228,15 +228,12 @@ static int is_http_protocol(const char *p, int len, struct proto *proto) /* Says if it's TLS, optionally with SNI and ALPN lists in proto->data */ static int is_tls_protocol(const char *p, int len, struct proto *proto) { - int valid_tls; - - valid_tls = parse_tls_header(proto->data, p, len); - - if(valid_tls <= 0) - return -1 == valid_tls ? PROBE_AGAIN : PROBE_NEXT; - - /* There *was* a valid match */ - return PROBE_MATCH; + switch (parse_tls_header(proto->data, p, len)) { + case TLS_MATCH: return PROBE_MATCH; + case TLS_NOMATCH: return PROBE_NEXT; + case TLS_ELENGTH: return PROBE_AGAIN; + default: return PROBE_NEXT; + } } static int probe_adb_cnxn_message(const char *p) diff --git a/tls.c b/tls.c index 970584b..2f3e55f 100644 --- a/tls.c +++ b/tls.c @@ -61,12 +61,9 @@ static int has_match(char**, const char*, size_t); * hello handshake, returning a status code * * Returns: - * >=0 - length of the hostname and updates *hostname - * caller is responsible for freeing *hostname - * -1 - Incomplete request - * -2 - No Host header included in this request - * -3 - Invalid hostname pointer - * < -4 - Invalid TLS client hello + * 0: no match + * 1: match + * < 0: error code (see tls.h) */ int parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len) { @@ -78,12 +75,12 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da /* Check that our TCP payload is at least large enough for a TLS header */ if (data_len < TLS_HEADER_LEN) - return -1; + return TLS_ELENGTH; tls_content_type = data[0]; if (tls_content_type != TLS_HANDSHAKE_CONTENT_TYPE) { if (verbose) fprintf(stderr, "Request did not begin with TLS handshake.\n"); - return -5; + return TLS_EPROTOCOL; } tls_version_major = data[1]; @@ -92,7 +89,7 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da if (verbose) fprintf(stderr, "Received SSL %d.%d handshake which cannot be parsed.\n", tls_version_major, tls_version_minor); - return -2; + return TLS_EVERSION; } /* TLS record length */ @@ -102,18 +99,18 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da /* Check we received entire TLS record length */ if (data_len < len) - return -1; + return TLS_ELENGTH; /* * Handshake */ if (pos + 1 > data_len) { - return -5; + return TLS_EPROTOCOL; } if (data[pos] != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { if (verbose) fprintf(stderr, "Not a client hello\n"); - return -5; + return TLS_EPROTOCOL; } /* Skip past fixed length records: @@ -127,35 +124,35 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da /* Session ID */ if (pos + 1 > data_len) - return -5; + return TLS_EPROTOCOL; len = (unsigned char)data[pos]; pos += 1 + len; /* Cipher Suites */ if (pos + 2 > data_len) - return -5; + return TLS_EPROTOCOL; len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1]; pos += 2 + len; /* Compression Methods */ if (pos + 1 > data_len) - return -5; + return TLS_EPROTOCOL; len = (unsigned char)data[pos]; pos += 1 + len; if (pos == data_len && tls_version_major == 3 && tls_version_minor == 0) { if (verbose) fprintf(stderr, "Received SSL 3.0 handshake without extensions\n"); - return -2; + return TLS_EVERSION; } /* Extensions */ if (pos + 2 > data_len) - return -5; + return TLS_EPROTOCOL; len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1]; pos += 2; if (pos + len > data_len) - return -5; + return TLS_EPROTOCOL; /* By now we know it's TLS. if SNI or ALPN is set, parse extensions to see if * they match. Otherwise, it's a match already */ @@ -163,7 +160,7 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da (tls_data->match_mode.tls_match_alpn || tls_data->match_mode.tls_match_sni)) { return parse_extensions(tls_data, data + pos, len); } else { - return 1; + return TLS_MATCH; } } @@ -174,7 +171,7 @@ parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t da int sni_match = 0, alpn_match = 0; if (tls_data == NULL) - return -3; + return TLS_EINVAL; /* Parse each 4 bytes for the extension header */ while (pos + 4 <= data_len) { @@ -183,7 +180,7 @@ parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t da (unsigned char) data[pos + 3]; if (pos + 4 + len > data_len) - return -5; + return TLS_EPROTOCOL; size_t extension_type = ((unsigned char) data[pos] << 8) + (unsigned char) data[pos + 1]; @@ -201,7 +198,7 @@ parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t da /* Check we ended where we expected to */ if (pos != data_len) - return -5; + return TLS_EPROTOCOL; return (sni_match && alpn_match) || (!tls_data->match_mode.tls_match_sni && alpn_match) @@ -218,14 +215,14 @@ parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data (unsigned char)data[pos + 2]; if (pos + 3 + len > data_len) - return -5; + return TLS_EPROTOCOL; switch (data[pos]) { /* name type */ case 0x00: /* host_name */ if(has_match(tls_data->sni_hostname_list, data + pos + 3, len)) { return len; } else { - return -2; + return TLS_ENOEXT; } default: if (verbose) fprintf(stderr, "Unknown server name extension name type: %d\n", @@ -235,9 +232,9 @@ parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data } /* Check we ended where we expected to */ if (pos != data_len) - return -5; + return TLS_EPROTOCOL; - return -2; + return TLS_ENOEXT; } static int @@ -249,7 +246,7 @@ parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_ len = (unsigned char)data[pos]; if (pos + 1 + len > data_len) - return -5; + return TLS_EPROTOCOL; if (len > 0 && has_match(tls_data->alpn_protocol_list, data + pos + 1, len)) { return len; @@ -260,9 +257,9 @@ parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_ } /* Check we ended where we expected to */ if (pos != data_len) - return -5; + return TLS_EPROTOCOL; - return -2; + return TLS_ENOEXT; } static int diff --git a/tls.h b/tls.h index 0e79e0c..6ef0ebf 100644 --- a/tls.h +++ b/tls.h @@ -35,4 +35,14 @@ int parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_ struct TLSProtocol *new_tls_data(); struct TLSProtocol *tls_data_set_list(struct TLSProtocol *, int, char**); +#define TLS_MATCH 1 +#define TLS_NOMATCH 0 + +#define TLS_EINVAL -1 /* Invalid parameter (NULL data pointer) */ +#define TLS_ELENGTH -2 /* Incomplete request */ +#define TLS_EVERSION -3 /* TLS version that cannot be parsed */ +#define TLS_ENOEXT -4 /* No ALPN or SNI extension found */ +#define TLS_EPROTOCOL -5 /* Protocol error */ + + #endif