SSL decryption: small style changes, a bit of documentation

2025-10-08 01:28:20 +00:00 · 2022-01-05 10:50:28 +00:00 · 2022-01-05 10:50:28 +00:00 · 4204615997
commit 4204615997
parent f77213ba66
3 changed files with 17 additions and 18 deletions
--- a/scripts/policy/protocols/ssl/decryption.zeek
+++ b/scripts/policy/protocols/ssl/decryption.zeek
@ -68,31 +68,22 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 	c$ssl$client_random = client_random;

 	if ( client_random in keys )
-		{
 		set_keys(c, keys[client_random]);
-		}
 	else if ( client_random in secrets )
-		{
 		set_secret(c, secrets[client_random]);
 	}
-	}

 event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	if ( c$ssl?$client_random )
 		{
 		if ( c$ssl$client_random in keys )
-			{
 			set_keys(c, keys[c$ssl$client_random]);
-			}
 		else if ( c$ssl$client_random in secrets )
-			{
 			set_secret(c, secrets[c$ssl$client_random]);
-			}
 		else
 			{
-			# FIXME: replace with @if gated reporter
-			#print "No suitable key or secret found for random:", c$ssl$client_random;
+			# FIXME: perhaps report that we could not decrypt the session
 			}
 		}
 	}
@ -105,7 +96,5 @@ event SSL::tls_input_done()
 event Input::end_of_data(name: string, source: string)
 	{
 	if ( name == input_stream_name )
-		{
 		event SSL::tls_input_done();
 	}
-	}
--- a/src/analyzer/protocol/ssl/DTLS.h
+++ b/src/analyzer/protocol/ssl/DTLS.h
@ -39,6 +39,13 @@ public:

 	static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); }

+	/**
+	 * Try to decrypt TLS application data from a packet.
+	 *
+	 * For DTLS, this operation is not currently implemented and this function will
+	 * always return false.
+	 *
+	 **/
 	bool TryDecryptApplicationData(int len, const u_char* data, bool is_orig, uint8_t content_type,
 	                               uint16_t raw_tls_version);

--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@ -141,11 +141,14 @@ protected:
 	binpac::TLSHandshake::Handshake_Conn* handshake_interp;
 	bool had_gap;

-	// FIXME: should this be moved into the connection?
+	// client and server sequence number, used for TLS 1.2 decryption
 	int c_seq;
 	int s_seq;
+	// secret, for decyption
 	std::string secret;
+	// derived keys, for decryption
 	std::vector<u_char> keys;
+	// PIA, for decrypted data
 	zeek::analyzer::pia::PIA_TCP* pia;
 	};