1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
|
Patch by Michael Calmer <mc@suse.de> for ssldump >= 0.9b3 which backports several
fixes and some minor enhancements from upstream CVS 2006-06-19.
--- ssldump-0.9b3/ssl/sslprint.c 2002-08-17 03:33:17.000000000 +0200
+++ ssldump-0.9b3/ssl/sslprint.c.cvs 2010-04-06 17:12:40.000000000 +0200
@@ -248,12 +248,12 @@
SSL_DECODE_UINT16(ssl,0,0,&d,&length);
if(d.len!=length){
- explain(ssl,"Short record\n");
+ explain(ssl," Short record: %u bytes available (expecting: %u)\n",length,d.len);
return(0);
}
P_(P_RH){
- explain(ssl,"V%d.%d(%d)",vermaj,vermin,length);
+ explain(ssl," V%d.%d(%d)",vermaj,vermin,length);
}
@@ -262,19 +262,22 @@
r=ssl_decode_record(ssl,ssl->decoder,direction,ct,version,&d);
if(r==SSL_BAD_MAC){
- explain(ssl," bad MAC\n");
+ explain(ssl," bad MAC\n");
return(0);
}
if(r){
- if(r=ssl_print_enum(ssl,0,ContentType_decoder,ct))
+ if(r=ssl_print_enum(ssl,0,ContentType_decoder,ct)) {
+ printf(" unknown record type: %d\n", ct);
ERETURN(r);
+ }
printf("\n");
}
else{
- if(r=ssl_decode_switch(ssl,ContentType_decoder,data[0],direction,q,
- &d))
+ if(r=ssl_decode_switch(ssl,ContentType_decoder,data[0],direction,q, &d)) {
+ printf(" unknown record type: %d\n", ct);
ERETURN(r);
+ }
}
return(0);
@@ -369,7 +372,7 @@
dtable++;
}
- return(-1);
+ return(R_NOT_FOUND);
}
int ssl_decode_enum(ssl,name,size,dtable,p,data,x)
@@ -416,8 +419,7 @@
dtable++;
}
- explain(ssl,"%s","unknown value");
- return(0);
+ return(R_NOT_FOUND);
}
int explain(ssl_obj *ssl,char *format,...)
@@ -535,7 +537,7 @@
printf("\n");
for(i=0;i<d->len;i++){
- if(!isprint(d->data[i]) && !strchr("\r\n\t",d->data[i])){
+ if(d->data[i] == 0 || (!isprint(d->data[i]) && !strchr("\r\n\t",d->data[i]))){
bit8=1;
break;
}
@@ -557,7 +559,8 @@
else{
int nl=1;
INDENT;
- printf("---------------------------------------------------------------\n"); if(SSL_print_flags & SSL_PRINT_NROFF){
+ printf("---------------------------------------------------------------\n");
+ if(SSL_print_flags & SSL_PRINT_NROFF){
if(ssl->process_ciphertext & ssl->direction)
printf("\\f[CI]");
else
--- ssldump-0.9b3/ssl/ssl_analyze.c 2010-04-06 16:58:23.000000000 +0200
+++ ssldump-0.9b3/ssl/ssl_analyze.c.cvs 2010-04-06 17:08:22.000000000 +0200
@@ -359,12 +359,16 @@
case 23:
break;
default:
- printf("Unknown SSL content type %d\n",q->data[0] & 255);
- ABORT(R_INTERNAL);
+ DBG((0,"Unknown SSL content type %d for segment %u:%u(%u)",
+ q->data[0] & 255,seg->s_seq,seg->s_seq+seg->len,seg->len));
}
rec_len=COMBINE(q->data[3],q->data[4]);
+ /* SSL v3.0 spec says a record may not exceed 2**14 + 2048 == 18432 */
+ if(rec_len > 18432)
+ ABORT(R_INTERNAL);
+
/*Expand the buffer*/
if(q->_allocated<(rec_len+SSL_HEADER_SIZE)){
if(!(q->data=realloc(q->data,rec_len+5)))
--- ssldump-0.9b3/base/tcppack.c 2002-09-09 23:02:58.000000000 +0200
+++ ssldump-0.9b3/base/tcppack.c.cvs 2010-04-06 17:06:46.000000000 +0200
@@ -95,11 +95,11 @@
proper order. This shouldn't be a problem, though,
except for simultaneous connects*/
if((p->tcp->th_flags & (TH_SYN|TH_ACK))!=TH_SYN){
- DBG((0,"TCP: rejecting packet from unknown connection\n"));
+ DBG((0,"TCP: rejecting packet from unknown connection, seq: %u\n",ntohl(p->tcp->th_seq)));
return(0);
}
- DBG((0,"SYN1\n"));
+ DBG((0,"SYN1 seq: %u",ntohl(p->tcp->th_seq)));
if(r=new_connection(handler,ctx,p,&conn))
ABORT(r);
conn->i2r.seq=ntohl(p->tcp->th_seq)+1;
@@ -117,14 +117,14 @@
conn->r2i.seq=ntohl(p->tcp->th_seq)+1;
conn->r2i.ack=ntohl(p->tcp->th_ack)+1;
conn->state=TCP_STATE_SYN2;
- DBG((0,"SYN2\n"));
+ DBG((0,"SYN2 seq: %u",ntohl(p->tcp->th_seq)));
break;
case TCP_STATE_SYN2:
{
char *sn=0,*dn=0;
if(direction != DIR_I2R)
break;
- DBG((0,"ACK\n"));
+ DBG((0,"ACK seq: %u",ntohl(p->tcp->th_seq)));
conn->i2r.ack=ntohl(p->tcp->th_ack)+1;
lookuphostname(&conn->i_addr,&sn);
lookuphostname(&conn->r_addr,&dn);
@@ -228,7 +228,8 @@
l=p->len - p->tcp->th_off * 4;
if(stream->close){
- DBG((0,"Rejecting packet received after FIN"));
+ DBG((0,"Rejecting packet received after FIN: %u:%u(%u)",
+ ntohl(p->tcp->th_seq),ntohl(p->tcp->th_seq+l),l));
return(0);
}
@@ -341,20 +342,26 @@
if(conn->state == TCP_STATE_ESTABLISHED)
conn->state=TCP_STATE_FIN1;
else
- conn->state=TCP_STATE_CLOSED;
+ conn->state=TCP_STATE_CLOSED;
}
stream->oo_queue=seg->next;
seg->next=0;
stream->seq=seg->s_seq + seg->len;
- if(r=conn->analyzer->vtbl->data(conn->analyzer->obj,&_seg,direction))
+ DBG((0,"Analyzing segment: %u:%u(%u)", seg->s_seq, seg->s_seq+seg->len, seg->len));
+ if(r=conn->analyzer->vtbl->data(conn->analyzer->obj,&_seg,direction)) {
+ DBG((0,"ABORT due to segment: %u:%u(%u)", seg->s_seq, seg->s_seq+seg->len, seg->len));
ABORT(r);
+ }
}
if(stream->close){
- if(r=conn->analyzer->vtbl->close(conn->analyzer->obj,p,direction))
- ABORT(r);
+ DBG((0,"Closing with segment: %u:%u(%u)", seg->s_seq, stream->seq, seg->len));
+ if(r=conn->analyzer->vtbl->close(conn->analyzer->obj,p,direction)) {
+ DBG((0,"ABORT due to segment: %u:%u(%u)", seg->s_seq, stream->seq, seg->len));
+ ABORT(r);
+ }
}
free_tcp_segment_queue(_seg.next);
--- ssldump-0.9b3/common/lib/r_assoc.c 2001-12-24 07:06:26.000000000 +0100
+++ ssldump-0.9b3/common/lib/r_assoc.c.cvs 2010-04-06 17:01:11.000000000 +0200
@@ -306,7 +306,7 @@
ABORT(R_NO_MEMORY);
for(i=0;i<new->size;i++){
if(r=copy_assoc_chain(new->chains+i,old->chains[i]))
- ABORT(r);
+ ABORT(R_NO_MEMORY);
}
*newp=new;
|