diff --git a/scripts/policy/protocols/ssl/decryption.zeek b/scripts/policy/protocols/ssl/decryption.zeek index 81ed2ee33e..3440b11f36 100644 --- a/scripts/policy/protocols/ssl/decryption.zeek +++ b/scripts/policy/protocols/ssl/decryption.zeek @@ -1,9 +1,9 @@ -##! This script allows for the decryption of certain TLS 1.2 connection, if the user is in possession +##! This script allows for the decryption of certain TLS 1.2 connections, if the user is in possession ##! of the private key material for the session. Key material can either be provided via a file (useful -##! for processing trace files) or via sending events via broker (for live decoding). +##! for processing trace files) or via sending events via Broker (for live decoding). ##! ##! Please note that this feature is experimental and can change without guarantees to our typical -##! deprecation tieline. Please also note that currently only TLS 1.2 connections that use the +##! deprecation timeline. Please also note that currently only TLS 1.2 connections that use the ##! TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite are supported. @load base/frameworks/input @@ -26,19 +26,19 @@ export { ## Secrets expire after this time of not being used. const secret_expiration = 5 mins &redef; - ## This event can be triggered, e.g., via broker to add known keys to the TLS key database. + ## This event can be triggered, e.g., via Broker to add known keys to the TLS key database. ## ## client_random: client random for which the key is set ## ## keys: key material global add_keys: event(client_random: string, keys: string); - ## This event can be triggered, e.g., via broker to add known secrets to the TLS secret datbase. + ## This event can be triggered, e.g., via Broker to add known secrets to the TLS secret datbase. ## ## client_random: client random for which the secret is set ## ## secrets: derived TLS secrets material - global add_secret: event(client_random: string, secret: string); + global add_secret: event(client_random: string, secrets: string); } @if ( keylog_file == "" ) @@ -47,8 +47,8 @@ export { global secrets: table[string] of string = {} &redef; global keys: table[string] of string = {} &redef; @else -#global secrets: table[string] of string = {} &read_expire=secret_expiration &redef; -#global keys: table[string] of string = {} &read_expire=secret_expiration &redef; +global secrets: table[string] of string = {} &read_expire=secret_expiration &redef; +global keys: table[string] of string = {} &read_expire=secret_expiration &redef; @endif diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc index e968ccfef9..37ef7286cc 100644 --- a/src/analyzer/protocol/ssl/SSL.cc +++ b/src/analyzer/protocol/ssl/SSL.cc @@ -23,8 +23,15 @@ namespace zeek::analyzer::ssl { -#define MSB(a) ((a >> 8) & 0xff) -#define LSB(a) (a & 0xff) +template static inline T MSB(const T a) + { + return ((a >> 8) & 0xff); + } + +template static inline T LSB(const T a) + { + return (a & 0xff); + } static std::basic_string fmt_seq(uint32_t num) { @@ -147,7 +154,7 @@ void SSL_Analyzer::SetKeys(const zeek::StringVal& nkeys) void SSL_Analyzer::SetKeys(const std::vector newkeys) { - keys = newkeys; + keys = std::move(newkeys); } std::optional> @@ -396,7 +403,7 @@ void SSL_Analyzer::ForwardDecryptedData(const std::vector& data, bool is pia->FirstPacket(false, nullptr); } else - reporter->FatalError("Could not initialize PIA"); + reporter->Error("Could not initialize PIA"); } ForwardStream(data.size(), data.data(), is_orig); diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 415dcd9129..5fdbc27dca 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -25,7 +25,7 @@ namespace zeek::analyzer::ssl class SSL_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer { - // let binpac forward encryppted TLS application data to us. + // let binpac forward encrypted TLS application data to us. friend class binpac::SSL::SSL_Conn; public: @@ -54,7 +54,7 @@ public: * connection. (For TLS 1.2 this is the pre-master secret) * * Please note that these functions currently are hardcoded to only work with a single TLS 1.2 - * cuphersuite (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384). + * ciphersuite (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384). * * @param secret The secret to set */ diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac index 32849bd910..8ddecbe318 100644 --- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac +++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac @@ -45,7 +45,7 @@ refine connection SSL_Conn += { return true; %} - function proc_ciphertext_record(rec : SSLRecord, cont: bytestring) : bool + function proc_ciphertext_record(rec : SSLRecord, cont: const_bytestring) : bool %{ if ( established_ == false && determine_tls13() == 1 ) { @@ -72,7 +72,7 @@ refine connection SSL_Conn += { if ( rec->content_type() == APPLICATION_DATA && decryption_failed_ == false ) { // If decryption of one packet fails, do not try to decrypt future packets. - if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.data(), rec->is_orig(), rec->content_type(), rec->raw_tls_version()) ) + if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig(), rec->content_type(), rec->raw_tls_version()) ) decryption_failed_ = true; } diff --git a/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac b/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac index 156c1bf6f4..ad2b869ae8 100644 --- a/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac @@ -96,7 +96,7 @@ type UnknownRecord(rec: SSLRecord) = record { }; type CiphertextRecord(rec: SSLRecord) = record { - cont : bytestring &restofdata; + cont : bytestring &restofdata &transient; }; ######################################################################