Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ssl: rudimentary decryption for TLS 1.2

Browse source 
Several limitations still apply:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is the only supported cipher suite
- Some tests are broken due to a failing assertion regarding bytestring
- No newly written tests for decryption (the patch was tested extensively for our paper)
- Several small open technical questions marked with FIXME
- Architecture in the ssl module might not be optimal
This commit is contained in:
Florian Wilkens 2021-04-19 11:18:59 +02:00
parent db534b79fb
commit 2d950ffde9
21 changed files with 541 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

2
testing/btest/scripts/base/protocols/ssl/handshake-events.test
View file

@ -27,7 +27,7 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
}
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
{
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
}

2
testing/btest/scripts/base/protocols/ssl/tls13.test
View file

@ -37,7 +37,7 @@ event ssl_established(c: connection)
print "established", c$id;
}
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
{
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
}

2
testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
View file

@ -6,7 +6,7 @@
redef SSL::disable_analyzer_after_detection=F;
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count, payload: string)
{
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
}