Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 16:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ssl: rudimentary decryption for TLS 1.2

Browse source 
Several limitations still apply:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is the only supported cipher suite
- Some tests are broken due to a failing assertion regarding bytestring
- No newly written tests for decryption (the patch was tested extensively for our paper)
- Several small open technical questions marked with FIXME
- Architecture in the ssl module might not be optimal
This commit is contained in:
Florian Wilkens 2021-04-19 11:18:59 +02:00
parent db534b79fb
commit 2d950ffde9
21 changed files with 541 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

2
testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
View file

@ -9079,6 +9079,7 @@ XXXXXXXXXX.XXXXXX ssl_encrypted_data
[2] record_version: count = 771
[3] content_type: count = 22
[4] length: count = 32
[5] payload: string = \x1c\x1c\x84S/9\x14e\xb6'\xe5,\x03\x0fY\xdf\x1b\xcfu\xc84\xae\x1a"\xea]9j'\xbeZ\xa7
XXXXXXXXXX.XXXXXX raw_packet
[0] p: raw_pkt_hdr = [l2=[encap=LINK_ETHERNET, len=91, cap_len=91, src=58:b0:35:86:54:8d, dst=cc:b2:55:f4:62:92, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=77, id=51331, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
@ -9176,6 +9177,7 @@ XXXXXXXXXX.XXXXXX ssl_encrypted_data
[2] record_version: count = 771
[3] content_type: count = 22
[4] length: count = 32
[5] payload: string = Z\x99\x17~d\x06\xbd;\xb4\xdf\xe2\xb3~9,|\xac\xdb\xb4\xeb\xcc\x95.\x17\xd2Q\x8a\x96\xdb\x13\x09!
XXXXXXXXXX.XXXXXX raw_packet
[0] p: raw_pkt_hdr = [l2=[encap=LINK_ETHERNET, len=97, cap_len=97, src=cc:b2:55:f4:62:92, dst=58:b0:35:86:54:8d, vlan=<uninitialized>, inner_vlan=<uninitialized>, eth_type=2048, proto=L3_IPV4], ip=[hl=20, tos=0, len=83, id=50807, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=<uninitialized>, icmp=<uninitialized>]

2
testing/btest/scripts/base/protocols/ssl/handshake-events.test
View file

@ -27,7 +27,7 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
}
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
{
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
}

2
testing/btest/scripts/base/protocols/ssl/tls13.test
View file

@ -37,7 +37,7 @@ event ssl_established(c: connection)
print "established", c$id;
}
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
{
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
}

2
testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
View file

@ -6,7 +6,7 @@
redef SSL::disable_analyzer_after_detection=F;
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
{
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
}