fix: renforcer limites TLS, timeouts socket et validation config
Co-authored-by: aider (openrouter/openai/gpt-5.3-codex) <aider@aider.chat>
@ -42,12 +42,14 @@ type ConnectionFlow struct {
|
||||
|
||||
// ParserImpl implements the api.Parser interface for TLS parsing
|
||||
type ParserImpl struct {
|
||||
mu sync.RWMutex
|
||||
flows map[string]*ConnectionFlow
|
||||
flowTimeout time.Duration
|
||||
cleanupDone chan struct{}
|
||||
cleanupClose chan struct{}
|
||||
closeOnce sync.Once
|
||||
mu sync.RWMutex
|
||||
flows map[string]*ConnectionFlow
|
||||
flowTimeout time.Duration
|
||||
cleanupDone chan struct{}
|
||||
cleanupClose chan struct{}
|
||||
closeOnce sync.Once
|
||||
maxTrackedFlows int
|
||||
maxHelloBufferBytes int
|
||||
}
|
||||
|
||||
// NewParser creates a new TLS parser with connection state tracking
|
||||
@ -58,10 +60,12 @@ func NewParser() *ParserImpl {
|
||||
// NewParserWithTimeout creates a new TLS parser with a custom flow timeout
|
||||
func NewParserWithTimeout(timeout time.Duration) *ParserImpl {
|
||||
p := &ParserImpl{
|
||||
flows: make(map[string]*ConnectionFlow),
|
||||
flowTimeout: timeout,
|
||||
cleanupDone: make(chan struct{}),
|
||||
cleanupClose: make(chan struct{}),
|
||||
flows: make(map[string]*ConnectionFlow),
|
||||
flowTimeout: timeout,
|
||||
cleanupDone: make(chan struct{}),
|
||||
cleanupClose: make(chan struct{}),
|
||||
maxTrackedFlows: 50000,
|
||||
maxHelloBufferBytes: 256 * 1024, // 256 KiB
|
||||
}
|
||||
go p.cleanupLoop()
|
||||
return p
|
||||
@ -164,15 +168,26 @@ func (p *ParserImpl) Process(pkt api.RawPacket) (*api.TLSClientHello, error) {
|
||||
return nil, nil // No payload
|
||||
}
|
||||
|
||||
// Get or create connection flow
|
||||
key := flowKey(srcIP, srcPort, dstIP, dstPort)
|
||||
|
||||
p.mu.RLock()
|
||||
_, flowExists := p.flows[key]
|
||||
p.mu.RUnlock()
|
||||
|
||||
if !flowExists && payload[0] != 22 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
flow := p.getOrCreateFlow(key, srcIP, srcPort, dstIP, dstPort, ipMeta, tcpMeta)
|
||||
if flow == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// Check if flow is already done
|
||||
p.mu.RLock()
|
||||
isDone := flow.State == JA4_DONE
|
||||
state := flow.State
|
||||
p.mu.RUnlock()
|
||||
if isDone {
|
||||
if state == JA4_DONE {
|
||||
return nil, nil // Already processed this flow
|
||||
}
|
||||
|
||||
@ -201,8 +216,13 @@ func (p *ParserImpl) Process(pkt api.RawPacket) (*api.TLSClientHello, error) {
|
||||
}
|
||||
|
||||
// Check for fragmented ClientHello (accumulate segments)
|
||||
if flow.State == WAIT_CLIENT_HELLO || flow.State == NEW {
|
||||
if state == WAIT_CLIENT_HELLO || state == NEW {
|
||||
p.mu.Lock()
|
||||
if len(flow.HelloBuffer)+len(payload) > p.maxHelloBufferBytes {
|
||||
delete(p.flows, key)
|
||||
p.mu.Unlock()
|
||||
return nil, nil
|
||||
}
|
||||
flow.State = WAIT_CLIENT_HELLO
|
||||
flow.HelloBuffer = append(flow.HelloBuffer, payload...)
|
||||
bufferCopy := make([]byte, len(flow.HelloBuffer))
|
||||
@ -246,13 +266,17 @@ func (p *ParserImpl) getOrCreateFlow(key string, srcIP string, srcPort uint16, d
|
||||
return flow
|
||||
}
|
||||
|
||||
if len(p.flows) >= p.maxTrackedFlows {
|
||||
return nil
|
||||
}
|
||||
|
||||
flow := &ConnectionFlow{
|
||||
State: NEW,
|
||||
CreatedAt: time.Now(),
|
||||
LastSeen: time.Now(),
|
||||
SrcIP: srcIP, // Client IP
|
||||
SrcIP: srcIP, // Client IP
|
||||
SrcPort: srcPort, // Client port
|
||||
DstIP: dstIP, // Server IP (local machine)
|
||||
DstIP: dstIP, // Server IP (local machine)
|
||||
DstPort: dstPort, // Server port (local machine)
|
||||
IPMeta: ipMeta,
|
||||
TCPMeta: tcpMeta,
|
||||
|
||||
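Review bot: The two new caps do not bound memory jointly: with `maxTrackedFlows: 50000` and `maxHelloBufferBytes: 256 * 1024` (hunk at @ -58,10), the HelloBuffer of every tracked flow may fill to the per-flow cap, which is roughly 12.8 GiB across the table, so a burst of connections that each send a partial ClientHello and then stall still exhausts the process until flowTimeout evicts them; consider a global hello-buffer byte budget checked next to the per-flow test in Process, or a per-flow cap closer to a realistic ClientHello size. Both limits are also hard-coded in NewParserWithTimeout rather than coming from the configuration validation the title mentions, so at least document them on the struct fields, e.g. `// maxTrackedFlows caps the flow table; getOrCreateFlow returns nil once it is reached.` and `// maxHelloBufferBytes caps one flow's accumulated ClientHello bytes; the flow is dropped when exceeded.` The snapshot `state := flow.State` is read under RLock and the write section later sets `flow.State = WAIT_CLIENT_HELLO` unconditionally; if Process can run concurrently for the same key (not visible here) the flow may have reached JA4_DONE in between, so re-check under the write lock with `if flow.State == JA4_DONE { p.mu.Unlock(); return nil, nil }` right after `p.mu.Lock()`. The nil return from getOrCreateFlow when the table is full and the `delete(p.flows, key)` on buffer overflow are both silent, and a counter or debug log at those two points would let an operator notice that the sensor has lost visibility rather than discover it from missing fingerprints. Process and getOrCreateFlow both begin and end outside the visible hunks.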