check sid only in TLSv1.3

2024-11-20 04:22:29 +00:00 · 2024-04-23 22:45:42 +03:00 · 2024-04-23 22:45:42 +03:00 · bd290b1b5f
commit bd290b1b5f
parent a48a2e87a3
3 changed files with 33 additions and 22 deletions
--- a/extend.c
+++ b/extend.c
@ -217,9 +217,7 @@ int on_response(struct poolhd *pool, struct eval *val,
                break;
            }
            else if ((dp->detect & DETECT_TLS_INVSID)
-                    && neq_tls_sid(req, qn, resp, sn)
-                    && !neq_tls_sid(
-                        fake_tls.data, fake_tls.size, resp, sn)) {
+                    && neq_tls_sid(req, qn, resp, sn)) {
                break;
            }
            else if ((dp->detect & DETECT_TLS_ALERT)
--- a/main.c
+++ b/main.c
@ -292,8 +292,8 @@ int get_addr(const char *str, struct sockaddr_ina *addr)
 int get_addr_with_port(const char *str, struct sockaddr_ina *addr)
 {
    uint16_t port = 0;
-    char *s = (char *)str, *e = 0;
-    char *end = 0, *p = s;
+    const char *s = str, *p = str, *e = 0;
+    char *end = 0;

    if (*str == '[') {
        e = strchr(str, ']');
--- a/packets.c
+++ b/packets.c
@ -72,22 +72,14 @@ char *strncasestr(char *a, size_t as, char *b, size_t bs)
 }


-size_t find_tls_ext_offset(uint16_t type, char *data, size_t size) 
+size_t find_tls_ext_offset(uint16_t type, 
+        char *data, size_t size, size_t skip) 
 {
-    if (size < 44) {
+    if (size <= (skip + 2)) {
        return 0;
    }
-    uint8_t sid_len = data[43];
-    if (size < 44 + sid_len + 2) {
-        return 0;
-    }
-    uint16_t cip_len = ANTOHS(data, 44 + sid_len);
-
-    size_t skip = 44 + sid_len + 2 + cip_len + 4;
-    if (size <= skip) {
-        return 0;
-    }
-    uint16_t ext_len = ANTOHS(data, skip - 2);
+    uint16_t ext_len = ANTOHS(data, skip);
+    skip += 2;
    
    if (ext_len < (size - skip)) {
        size = ext_len + skip;
@ -104,14 +96,30 @@ size_t find_tls_ext_offset(uint16_t type, char *data, size_t size)
 }


+size_t chello_ext_offset(uint16_t type, char *data, size_t size)
+{
+    if (size < 44) {
+        return 0;
+    }
+    uint8_t sid_len = data[43];
+    if (size < 44 + sid_len + 2) {
+        return 0;
+    }
+    uint16_t cip_len = ANTOHS(data, 44 + sid_len);
+
+    size_t skip = 44 + sid_len + 2 + cip_len + 2;
+    return find_tls_ext_offset(type, data, size, skip);
+}
+
+
 int change_tls_sni(const char *host, char *buffer, size_t bsize)
 {
    size_t sni_offs, pad_offs;
    
-    if (!(sni_offs = find_tls_ext_offset(0x00, buffer, bsize))) {
+    if (!(sni_offs = chello_ext_offset(0x00, buffer, bsize))) {
        return -1;
    }
-    if (!(pad_offs = find_tls_ext_offset(0x15, buffer, bsize))) {
+    if (!(pad_offs = chello_ext_offset(0x15, buffer, bsize))) {
        return -1;
    }
    char *sni = &buffer[sni_offs];
@ -154,7 +162,7 @@ int parse_tls(char *buffer, size_t bsize, char **hs)
    if (!is_tls_chello(buffer, bsize)) {
        return 0;
    }
-    size_t sni_offs = find_tls_ext_offset(0x00, buffer, bsize);
+    size_t sni_offs = chello_ext_offset(0x00, buffer, bsize);
    
    if (!sni_offs || (sni_offs + 12) >= bsize) {
        return 0;
@ -324,10 +332,15 @@ bool neq_tls_sid(char *req, size_t qn, char *resp, size_t sn)
            || ANTOHS(resp, 0) != 0x1603) {
        return 0;
    }
+    uint8_t sid_len = req[43];
+    size_t skip = 44 + sid_len + 3;
+    
+    if (!find_tls_ext_offset(0x2b, resp, sn, skip)) {
+        return 0;
+    }
    if (req[43] != resp[43]) {
        return 1;
    }
-    uint8_t sid_len = req[43];
    return memcmp(req + 44, resp + 44, sid_len);
 }