Address PR feedback

This addresses feedback to GH-1814. The most significant change is the
fact that the ChipertextRecord now can remain &transient - which might
lead to improved speed.

scripts/policy/protocols/ssl/decryption.zeek

@@ -1,9 +1,9 @@
-##! This script allows for the decryption of certain TLS 1.2 connection, if the user is in possession
+##! This script allows for the decryption of certain TLS 1.2 connections, if the user is in possession
 ##! of the private key material for the session. Key material can either be provided via a file (useful
-##! for processing trace files) or via sending events via broker (for live decoding).
+##! for processing trace files) or via sending events via Broker (for live decoding).
 ##!
 ##! Please note that this feature is experimental and can change without guarantees to our typical
-##! deprecation tieline. Please also note that currently only TLS 1.2 connections that use the
+##! deprecation timeline. Please also note that currently only TLS 1.2 connections that use the
 ##! TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite are supported.
 
 @load base/frameworks/input
@@ -26,19 +26,19 @@ export {
 	## Secrets expire after this time of not being used.
 	const secret_expiration = 5 mins &redef;
 
-	## This event can be triggered, e.g., via broker to add known keys to the TLS key database.
+	## This event can be triggered, e.g., via Broker to add known keys to the TLS key database.
 	##
 	## client_random: client random for which the key is set
 	##
 	## keys: key material
 	global add_keys: event(client_random: string, keys: string);
 
-	## This event can be triggered, e.g., via broker to add known secrets to the TLS secret datbase.
+	## This event can be triggered, e.g., via Broker to add known secrets to the TLS secret datbase.
 	##
 	## client_random: client random for which the secret is set
 	##
 	## secrets: derived TLS secrets material
-	global add_secret: event(client_random: string, secret: string);
+	global add_secret: event(client_random: string, secrets: string);
 }
 
 @if ( keylog_file == "" )
@@ -47,8 +47,8 @@ export {
 global secrets: table[string] of string = {} &redef;
 global keys: table[string] of string = {} &redef;
 @else
-#global secrets: table[string] of string = {} &read_expire=secret_expiration &redef;
+global secrets: table[string] of string = {} &read_expire=secret_expiration &redef;
-#global keys: table[string] of string = {} &read_expire=secret_expiration &redef;
+global keys: table[string] of string = {} &read_expire=secret_expiration &redef;
 @endif
 
 

src/analyzer/protocol/ssl/SSL.cc

@@ -23,8 +23,15 @@
 namespace zeek::analyzer::ssl
 	{
 
-#define MSB(a) ((a >> 8) & 0xff)
+template <typename T> static inline T MSB(const T a)
-#define LSB(a) (a & 0xff)
+	{
+	return ((a >> 8) & 0xff);
+	}
+
+template <typename T> static inline T LSB(const T a)
+	{
+	return (a & 0xff);
+	}
 
 static std::basic_string<unsigned char> fmt_seq(uint32_t num)
 	{
@@ -147,7 +154,7 @@ void SSL_Analyzer::SetKeys(const zeek::StringVal& nkeys)
 
 void SSL_Analyzer::SetKeys(const std::vector<u_char> newkeys)
 	{
-	keys = newkeys;
+	keys = std::move(newkeys);
 	}
 
 std::optional<std::vector<u_char>>
@@ -396,7 +403,7 @@ void SSL_Analyzer::ForwardDecryptedData(const std::vector<u_char>& data, bool is
 			pia->FirstPacket(false, nullptr);
 			}
 		else
-			reporter->FatalError("Could not initialize PIA");
+			reporter->Error("Could not initialize PIA");
 		}
 
 	ForwardStream(data.size(), data.data(), is_orig);

src/analyzer/protocol/ssl/SSL.h

@@ -25,7 +25,7 @@ namespace zeek::analyzer::ssl
 
 class SSL_Analyzer final : public analyzer::tcp::TCP_ApplicationAnalyzer
 	{
-	// let binpac forward encryppted TLS application data to us.
+	// let binpac forward encrypted TLS application data to us.
 	friend class binpac::SSL::SSL_Conn;
 
 public:
@@ -54,7 +54,7 @@ public:
 	 * connection. (For TLS 1.2 this is the pre-master secret)
 	 *
 	 * Please note that these functions currently are hardcoded to only work with a single TLS 1.2
-	 * cuphersuite (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).
+	 * ciphersuite (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384).
 	 *
 	 * @param secret The secret to set
 	 */

src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac

@@ -45,7 +45,7 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_ciphertext_record(rec : SSLRecord, cont: bytestring) : bool
+	function proc_ciphertext_record(rec : SSLRecord, cont: const_bytestring) : bool
 		%{
 		if ( established_ == false && determine_tls13() == 1 )
 			{
@@ -72,7 +72,7 @@ refine connection SSL_Conn += {
 		if ( rec->content_type() == APPLICATION_DATA && decryption_failed_ == false )
 			{
 			// If decryption of one packet fails, do not try to decrypt future packets.
-			if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.data(), rec->is_orig(), rec->content_type(), rec->raw_tls_version()) )
+			if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig(), rec->content_type(), rec->raw_tls_version()) )
 				decryption_failed_ = true;
 			}
 

src/analyzer/protocol/ssl/ssl-dtls-protocol.pac

@@ -96,7 +96,7 @@ type UnknownRecord(rec: SSLRecord) = record {
 };
 
 type CiphertextRecord(rec: SSLRecord) = record {
-	cont : bytestring &restofdata;
+	cont : bytestring &restofdata &transient;
 };
 
 ######################################################################