处理Client Hello中的GREASE close #134

platform/src/ssl_service_cache.cpp

@@ -81,14 +81,11 @@ static size_t ssl_svc_client_st_mk_key(const struct ssl_chello* chello, char* ke
 		memcpy(key_buff+key_len, chello->sign_algos, chello->sign_algos_len);
 		key_len+=chello->sign_algos_len;
 	}
-	/*
-	//Temporary remove EC groups from client identifier for ssl_chello_parse cannot handling GREASE type.
 	if(chello->supported_groups && sz-key_len > chello->supported_groups_len)
 	{
 		memcpy(key_buff+key_len, chello->supported_groups, chello->supported_groups_len);
 		key_len+=chello->supported_groups_len;
 	}
-	*/
 	return key_len;
 }
 static long cli_st_read_cb(void * data, const uchar * key, uint size, void * user_arg)

platform/src/ssl_utils.cpp

@@ -1743,6 +1743,20 @@ void ssl_chello_free(struct ssl_chello* chello)
 	chello->cipher_suites = NULL;
 	FREE(&chello);
 }
+static int cipher_is_grease(uint16_t cipher)
+{
+	uint16_t a=cipher>>8;
+	uint16_t b=cipher&0x00ff;
+	//https://tools.ietf.org/html/draft-davidben-tls-grease-01#section-5
+	if(a==b && (a&0x0f)==0x0a)
+	{
+		return 1;
+	}
+	else
+	{
+		return 0;
+	}
+}
 
 static int  parse_server_name_extension(const unsigned char *buff, uint16_t buff_len, struct ssl_chello* chello)
 {
@@ -1863,10 +1877,18 @@ static int parse_supported_groups_extension(const unsigned char* buff, uint16_t
 	{
 		return CHELLO_PARSE_INVALID_FORMAT;
 	}
-	char *supported_groups = ALLOC(char, len);
+	chello->supported_groups = ALLOC(char, len);
-	memcpy(supported_groups, (void*)(buff + 2), len);
+	uint16_t* known_groups = (uint16_t*) chello->supported_groups;
-	chello->supported_groups = supported_groups;
+	uint16_t* raw_groups= (uint16_t*) (buff + 2);
-	chello->supported_groups_len = len;
+	size_t i=0, j=0;
+	for(i=0; i<len/2; i++)
+	{
+		if(!cipher_is_grease(raw_groups[i]))
+		{
+			known_groups[j++]=raw_groups[i];
+		}
+	}
+	chello->supported_groups_len = j*2;
 	return CHELLO_PARSE_SUCCESS;
 }
 
@@ -2281,7 +2303,7 @@ struct ssl_chello* ssl_chello_parse(const unsigned char* buff, size_t buff_len,
 		for(i=0, j=0; i<len/2; i++)
 		{
 			//https://security.stackexchange.com/questions/176951/google-chrome-weird-random-cipher-suite
-			if(cipher_suites_convert_helper(raw_cipher[i], NULL, 0)>0)
+			if(!cipher_is_grease(raw_cipher[i]))
 			{
 				known_cipher[j++]=raw_cipher[i];
 			}