SSL decryption: small style changes, a bit of documentation

This commit is contained in:
Johanna Amann 2022-01-05 10:50:28 +00:00
parent f77213ba66
commit 4204615997
3 changed files with 17 additions and 18 deletions


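--- a/<path-not-shown-on-page-1>
+++ b/<path-not-shown-on-page-1>
@@ -68,31 +68,22 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 c$ssl$client_random = client_random;
 if ( client_random in keys )
-{
 set_keys(c, keys[client_random]);
-}
 else if ( client_random in secrets )
-{
 set_secret(c, secrets[client_random]);
 }
-}
 event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 {
 if ( c$ssl?$client_random )
 {
 if ( c$ssl$client_random in keys )
-{
 set_keys(c, keys[c$ssl$client_random]);
-}
 else if ( c$ssl$client_random in secrets )
-{
 set_secret(c, secrets[c$ssl$client_random]);
-}
 else
 {
-# FIXME: replace with @if gated reporter
-#print "No suitable key or secret found for random:", c$ssl$client_random;
+# FIXME: perhaps report that we could not decrypt the session
 }
 }
 }
@@ -105,7 +96,5 @@ event SSL::tls_input_done()
 event Input::end_of_data(name: string, source: string)
 {
 if ( name == input_stream_name )
-{
 event SSL::tls_input_done();
 }
-}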
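Review bot: The `else` branch of `ssl_encrypted_data` is now an empty braced block holding only a FIXME, while the sibling `if`/`else if` branches had their braces dropped; either say in the comment why the placeholder stays, or remove the branch until the reporter exists. The rewritten FIXME also loses the earlier hint of an `@if`-gated reporter, which is exactly the detail a future implementer needs if, as the lookup-by-random structure suggests, most connections carry no matching key material and an unconditional report would fire for every undecryptable session; I would write `# FIXME: report that no key/secret matched this client_random, gated (e.g. @if) so it is not emitted for every undecryptable session`. `ssl_encrypted_data` is contained in the hunk, but the first hunk's enclosing `ssl_client_hello` starts outside it.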


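--- a/<path-not-shown-on-page-2>
+++ b/<path-not-shown-on-page-2>
@@ -39,6 +39,13 @@ public:
 static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); }
+/**
+* Try to decrypt TLS application data from a packet.
+*
+* For DTLS, this operation is not currently implemented and this function will
+* always return false.
+*
+**/
 bool TryDecryptApplicationData(int len, const u_char* data, bool is_orig, uint8_t content_type,
 uint16_t raw_tls_version);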
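Review bot: The new Doxygen block on `TryDecryptApplicationData` describes the DTLS behaviour but documents none of the five parameters or the return value, and it closes with `**/` where the rest of the block uses the plain `*/` form. I would add `@param` lines for `len`/`data` (the record payload), `is_orig`, `content_type` and `raw_tls_version`, plus `@return false` with a sentence stating that callers therefore never receive decrypted DTLS application data, so downstream consumers must not expect it for DTLS. The exact meaning of each parameter is not visible in this hunk, so the wording should be checked against the SSL analyzer's declaration of the same method.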


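--- a/<path-not-shown-on-page-3>
+++ b/<path-not-shown-on-page-3>
@@ -141,11 +141,14 @@ protected:
 binpac::TLSHandshake::Handshake_Conn* handshake_interp;
 bool had_gap;
-// FIXME: should this be moved into the connection?
+// client and server sequence number, used for TLS 1.2 decryption
 int c_seq;
 int s_seq;
+// secret, for decyption
 std::string secret;
+// derived keys, for decryption
 std::vector<u_char> keys;
+// PIA, for decrypted data
 zeek::analyzer::pia::PIA_TCP* pia;
 };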
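Review bot: The new comment on `int c_seq;` / `int s_seq;` documents them as TLS 1.2 record sequence numbers, but a TLS record sequence number is a 64-bit unsigned counter, so a signed `int` eventually overflows (undefined behaviour) on a long-lived connection and from then on feeds a wrong counter into every record's nonce/MAC computation; unless the decryption code elsewhere already widens them, declare them `uint64_t c_seq;` and `uint64_t s_seq;`. The comment added for `secret` also misspells the word: `// secret, for decryption`. Since `pia` is a raw pointer, its new comment would be more useful if it said who owns and releases it, e.g. `// PIA that receives decrypted data; owned by <confirm owner>`. The class holding these members begins outside the hunk.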