Allow sniffer to follow ports using STARTTLS.

2014-11-07 14:37:00 -08:00 · 2014-11-07 14:37:00 -08:00 · d829b5f93b
commit d829b5f93b
parent 4441e3be1a
1 changed files with 19 additions and 5 deletions
--- a/src/sniffer.c
+++ b/src/sniffer.c
@ -2534,19 +2534,33 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
        *end = *sslFrame + *sslBytes;
    }

-#ifdef OLD_HELLO_ALLOWED
-
    if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {
-        int rhSize;
+        /* Sanity check the packet for an old style client hello. */
+        int rhSize =
+            ((ssl->buffers.inputBuffer.buffer[
+                                   ssl->buffers.inputBuffer.idx] & 0x7f) << 8) |
+            ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 1];
+
+        if ((rhSize <= (*sslBytes - 2)) &&
+            (ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 2]
+                                                             == OLD_HELLO_ID) &&
+            (ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 3]
+                                                              == SSLv3_MAJOR)) {
+#ifdef OLD_HELLO_ALLOWED
        int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error);
        if (ret < 0)
            return -1;  /* error already set */
        if (*sslBytes <= 0)
            return 1;
+#endif
+        }
+        else {
+#ifdef STARTTLS_ALLOWED
+            return 1;
+#endif
+        }
    }

-#endif
-    
    return 0;
 }