third-party-mirrors/sslh
1
0
Fork 0
mirror of https://github.com/yrutschle/sslh.git synced 2025-05-31 23:59:22 +03:00
Code Issues Packages Projects Releases Wiki Activity

refactoring: replace magic constants with symbols

Browse Source
This commit is contained in:
yrutschle 2018-11-04 22:25:16 +01:00
parent d6c714166a
commit 80ad31aec0
3 changed files with 42 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
probe.c
View File

@ -228,15 +228,12 @@ static int is_http_protocol(const char *p, int len, struct proto *proto)
/* Says if it's TLS, optionally with SNI and ALPN lists in proto->data */ /* Says if it's TLS, optionally with SNI and ALPN lists in proto->data */
static int is_tls_protocol(const char *p, int len, struct proto *proto) static int is_tls_protocol(const char *p, int len, struct proto *proto)
{ {
int valid_tls; switch (parse_tls_header(proto->data, p, len)) {
case TLS_MATCH: return PROBE_MATCH;
valid_tls = parse_tls_header(proto->data, p, len); case TLS_NOMATCH: return PROBE_NEXT;
case TLS_ELENGTH: return PROBE_AGAIN;
if(valid_tls <= 0) default: return PROBE_NEXT;
return -1 == valid_tls ? PROBE_AGAIN : PROBE_NEXT; }
/* There *was* a valid match */
return PROBE_MATCH;
} }
static int probe_adb_cnxn_message(const char *p) static int probe_adb_cnxn_message(const char *p)

55
tls.c
View File

@ -61,12 +61,9 @@ static int has_match(char**, const char*, size_t);
* hello handshake, returning a status code * hello handshake, returning a status code
* *
* Returns: * Returns:
* >=0 - length of the hostname and updates *hostname * 0: no match
* caller is responsible for freeing *hostname * 1: match
* -1 - Incomplete request * < 0: error code (see tls.h)
* -2 - No Host header included in this request
* -3 - Invalid hostname pointer
* < -4 - Invalid TLS client hello
*/ */
int int
parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len) { parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t data_len) {
@ -78,12 +75,12 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da
/* Check that our TCP payload is at least large enough for a TLS header */ /* Check that our TCP payload is at least large enough for a TLS header */
if (data_len < TLS_HEADER_LEN) if (data_len < TLS_HEADER_LEN)
return -1; return TLS_ELENGTH;
tls_content_type = data[0]; tls_content_type = data[0];
if (tls_content_type != TLS_HANDSHAKE_CONTENT_TYPE) { if (tls_content_type != TLS_HANDSHAKE_CONTENT_TYPE) {
if (verbose) fprintf(stderr, "Request did not begin with TLS handshake.\n"); if (verbose) fprintf(stderr, "Request did not begin with TLS handshake.\n");
return -5; return TLS_EPROTOCOL;
} }
tls_version_major = data[1]; tls_version_major = data[1];
@ -92,7 +89,7 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da
if (verbose) fprintf(stderr, "Received SSL %d.%d handshake which cannot be parsed.\n", if (verbose) fprintf(stderr, "Received SSL %d.%d handshake which cannot be parsed.\n",
tls_version_major, tls_version_minor); tls_version_major, tls_version_minor);
return -2; return TLS_EVERSION;
} }
/* TLS record length */ /* TLS record length */
@ -102,18 +99,18 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da
/* Check we received entire TLS record length */ /* Check we received entire TLS record length */
if (data_len < len) if (data_len < len)
return -1; return TLS_ELENGTH;
/* /*
* Handshake * Handshake
*/ */
if (pos + 1 > data_len) { if (pos + 1 > data_len) {
return -5; return TLS_EPROTOCOL;
} }
if (data[pos] != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) { if (data[pos] != TLS_HANDSHAKE_TYPE_CLIENT_HELLO) {
if (verbose) fprintf(stderr, "Not a client hello\n"); if (verbose) fprintf(stderr, "Not a client hello\n");
return -5; return TLS_EPROTOCOL;
} }
/* Skip past fixed length records: /* Skip past fixed length records:
@ -127,35 +124,35 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da
/* Session ID */ /* Session ID */
if (pos + 1 > data_len) if (pos + 1 > data_len)
return -5; return TLS_EPROTOCOL;
len = (unsigned char)data[pos]; len = (unsigned char)data[pos];
pos += 1 + len; pos += 1 + len;
/* Cipher Suites */ /* Cipher Suites */
if (pos + 2 > data_len) if (pos + 2 > data_len)
return -5; return TLS_EPROTOCOL;
len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1]; len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1];
pos += 2 + len; pos += 2 + len;
/* Compression Methods */ /* Compression Methods */
if (pos + 1 > data_len) if (pos + 1 > data_len)
return -5; return TLS_EPROTOCOL;
len = (unsigned char)data[pos]; len = (unsigned char)data[pos];
pos += 1 + len; pos += 1 + len;
if (pos == data_len && tls_version_major == 3 && tls_version_minor == 0) { if (pos == data_len && tls_version_major == 3 && tls_version_minor == 0) {
if (verbose) fprintf(stderr, "Received SSL 3.0 handshake without extensions\n"); if (verbose) fprintf(stderr, "Received SSL 3.0 handshake without extensions\n");
return -2; return TLS_EVERSION;
} }
/* Extensions */ /* Extensions */
if (pos + 2 > data_len) if (pos + 2 > data_len)
return -5; return TLS_EPROTOCOL;
len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1]; len = ((unsigned char)data[pos] << 8) + (unsigned char)data[pos + 1];
pos += 2; pos += 2;
if (pos + len > data_len) if (pos + len > data_len)
return -5; return TLS_EPROTOCOL;
/* By now we know it's TLS. if SNI or ALPN is set, parse extensions to see if /* By now we know it's TLS. if SNI or ALPN is set, parse extensions to see if
* they match. Otherwise, it's a match already */ * they match. Otherwise, it's a match already */
@ -163,7 +160,7 @@ parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_t da
(tls_data->match_mode.tls_match_alpn || tls_data->match_mode.tls_match_sni)) { (tls_data->match_mode.tls_match_alpn || tls_data->match_mode.tls_match_sni)) {
return parse_extensions(tls_data, data + pos, len); return parse_extensions(tls_data, data + pos, len);
} else { } else {
return 1; return TLS_MATCH;
} }
} }
@ -174,7 +171,7 @@ parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t da
int sni_match = 0, alpn_match = 0; int sni_match = 0, alpn_match = 0;
if (tls_data == NULL) if (tls_data == NULL)
return -3; return TLS_EINVAL;
/* Parse each 4 bytes for the extension header */ /* Parse each 4 bytes for the extension header */
while (pos + 4 <= data_len) { while (pos + 4 <= data_len) {
@ -183,7 +180,7 @@ parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t da
(unsigned char) data[pos + 3]; (unsigned char) data[pos + 3];
if (pos + 4 + len > data_len) if (pos + 4 + len > data_len)
return -5; return TLS_EPROTOCOL;
size_t extension_type = ((unsigned char) data[pos] << 8) + size_t extension_type = ((unsigned char) data[pos] << 8) +
(unsigned char) data[pos + 1]; (unsigned char) data[pos + 1];
@ -201,7 +198,7 @@ parse_extensions(const struct TLSProtocol *tls_data, const char *data, size_t da
/* Check we ended where we expected to */ /* Check we ended where we expected to */
if (pos != data_len) if (pos != data_len)
return -5; return TLS_EPROTOCOL;
return (sni_match && alpn_match) return (sni_match && alpn_match)
|| (!tls_data->match_mode.tls_match_sni && alpn_match) || (!tls_data->match_mode.tls_match_sni && alpn_match)
@ -218,14 +215,14 @@ parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data
(unsigned char)data[pos + 2]; (unsigned char)data[pos + 2];
if (pos + 3 + len > data_len) if (pos + 3 + len > data_len)
return -5; return TLS_EPROTOCOL;
switch (data[pos]) { /* name type */ switch (data[pos]) { /* name type */
case 0x00: /* host_name */ case 0x00: /* host_name */
if(has_match(tls_data->sni_hostname_list, data + pos + 3, len)) { if(has_match(tls_data->sni_hostname_list, data + pos + 3, len)) {
return len; return len;
} else { } else {
return -2; return TLS_ENOEXT;
} }
default: default:
if (verbose) fprintf(stderr, "Unknown server name extension name type: %d\n", if (verbose) fprintf(stderr, "Unknown server name extension name type: %d\n",
@ -235,9 +232,9 @@ parse_server_name_extension(const struct TLSProtocol *tls_data, const char *data
} }
/* Check we ended where we expected to */ /* Check we ended where we expected to */
if (pos != data_len) if (pos != data_len)
return -5; return TLS_EPROTOCOL;
return -2; return TLS_ENOEXT;
} }
static int static int
@ -249,7 +246,7 @@ parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_
len = (unsigned char)data[pos]; len = (unsigned char)data[pos];
if (pos + 1 + len > data_len) if (pos + 1 + len > data_len)
return -5; return TLS_EPROTOCOL;
if (len > 0 && has_match(tls_data->alpn_protocol_list, data + pos + 1, len)) { if (len > 0 && has_match(tls_data->alpn_protocol_list, data + pos + 1, len)) {
return len; return len;
@ -260,9 +257,9 @@ parse_alpn_extension(const struct TLSProtocol *tls_data, const char *data, size_
} }
/* Check we ended where we expected to */ /* Check we ended where we expected to */
if (pos != data_len) if (pos != data_len)
return -5; return TLS_EPROTOCOL;
return -2; return TLS_ENOEXT;
} }
static int static int

10
tls.h
View File

@ -35,4 +35,14 @@ int parse_tls_header(const struct TLSProtocol *tls_data, const char *data, size_
struct TLSProtocol *new_tls_data(); struct TLSProtocol *new_tls_data();
struct TLSProtocol *tls_data_set_list(struct TLSProtocol *, int, char**); struct TLSProtocol *tls_data_set_list(struct TLSProtocol *, int, char**);
#define TLS_MATCH 1
#define TLS_NOMATCH 0
#define TLS_EINVAL -1 /* Invalid parameter (NULL data pointer) */
#define TLS_ELENGTH -2 /* Incomplete request */
#define TLS_EVERSION -3 /* TLS version that cannot be parsed */
#define TLS_ENOEXT -4 /* No ALPN or SNI extension found */
#define TLS_EPROTOCOL -5 /* Protocol error */
#endif #endif