diff --git a/NEWS b/NEWS
index 349aeb51b9..b1ffcfbee1 100644
--- a/NEWS
+++ b/NEWS
@@ -151,6 +151,10 @@ Deprecated Functionality
 - ``Type::GetAliases()`` and ``Type::AddAlias()`` are deprecated, use ``Type::Aliases()`` and ``Type::RegisterAlias()``.
+- The ``ssh1_server_host_key`` event's modulus and exponent parameters,
+ *e* and *p*, were named in misleading way (*e* is the modulus)
+ and now deprecated in favor of the new *modulus* and *exponent* parameters.
+
 Zeek 3.2.0
 ==========
diff --git a/scripts/base/protocols/ssh/main.zeek b/scripts/base/protocols/ssh/main.zeek
index a26234abf5..199c80be8c 100644
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@@ -292,9 +292,9 @@ function generate_fingerprint(c: connection, key: string)
 c$ssh$host_key = join_string_vec(lx, ":");
 }
-event ssh1_server_host_key(c: connection, p: string, e: string) &priority=5
+event ssh1_server_host_key(c: connection, modulus: string, exponent: string) &priority=5
 {
- generate_fingerprint(c, e + p);
+ generate_fingerprint(c, modulus + exponent);
 }
 event ssh2_server_host_key(c: connection, key: string) &priority=5
diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif
index abc0c2d3f6..fd1cd776d9 100644
--- a/src/analyzer/protocol/ssh/events.bif
+++ b/src/analyzer/protocol/ssh/events.bif
@@ -127,16 +127,26 @@ event ssh2_server_host_key%(c: connection, key: string%);
 ## c: The connection over which the :abbr:`SSH (Secure Shell)`
 ## connection took place.
 ##
-## p: The prime for the server's public host key.
+## p: The exponent for the server's public host key (note this parameter
+## is truly the exponent even though named *p* and the *exponent* parameter
+## will eventually replace it).
 ##
-## e: The exponent for the serer's public host key.
+## e: The prime modulus for the server's public host key (note this parameter
+## is truly the modulus even though named *e* and the *modulus* parameter
+## will eventually replace it).
+##
+## modulus: The prime modulus of the server's public host key.
+##
+## exponent: The exponent of the server's public host key.
 ##
 ## .. zeek:see:: ssh_server_version ssh_client_version
 ## ssh_auth_successful ssh_auth_failed ssh_auth_result
 ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
 ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
 ## ssh2_gss_error ssh2_ecc_key
-event ssh1_server_host_key%(c: connection, p: string, e: string%);
+event ssh1_server_host_key%(c: connection, p: string &deprecated="Remove in v4.1", e: string &deprecated="Remove in v4.1", modulus: string, exponent: string%);
+event ssh1_server_host_key%(c: connection, modulus: string, exponent: string%);
+event ssh1_server_host_key%(c: connection, p: string, e: string%) &deprecated="Remove in v4.1. The 'p' and 'e' parameters are misleadingly named don't use them.";
 ## During the :abbr:`SSH (Secure Shell)` key exchange, the server
 ## supplies its public host key. This event is generated when the
diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac
index 84735440bb..8cbedda91d 100644
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
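Review bot: The new doc comments in src/analyzer/protocol/ssh/events.bif call the value a "prime modulus" (in both the `e:` and `modulus:` entries), but SSH1 host keys are RSA keys, whose modulus is a product of primes and not itself prime. Script authors who validate or compare key material from this event could be misled by that wording. I would write `## modulus: The RSA modulus of the server's public host key.` and `## exponent: The RSA public exponent of the server's public host key.`, with matching wording in the deprecated `p:` and `e:` entries. The `&deprecated` message on the last prototype also runs two sentences together; `The 'p' and 'e' parameters are misleadingly named, don't use them.` reads correctly.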
@@ -177,25 +177,25 @@ refine flow SSH_Flow += {
 return true;
 %}
- function proc_ssh1_server_host_key(p: bytestring, e: bytestring): bool
+ function proc_ssh1_server_host_key(exp: bytestring, mod: bytestring): bool
 %{
 if ( ssh1_server_host_key )
 {
 zeek::BifEvent::enqueue_ssh1_server_host_key(connection()->zeek_analyzer(),
 connection()->zeek_analyzer()->Conn(),
- to_stringval(${p}),
- to_stringval(${e}));
+ to_stringval(${exp}),
+ to_stringval(${mod}),
+ to_stringval(${mod}),
+ to_stringval(${exp}));
 }
 if ( ssh_server_host_key )
 {
 unsigned char digest[MD5_DIGEST_LENGTH];
 auto ctx = zeek::detail::hash_init(zeek::detail::Hash_MD5);
- // Note: the 'p' and 'e' parameters actually have swapped meanings with
- // 'p' actually being the exponent.
 // Fingerprint is calculated over concatenation of modulus + exponent.
- zeek::detail::hash_update(ctx, ${e}.data(), ${e}.length());
- zeek::detail::hash_update(ctx, ${p}.data(), ${p}.length());
+ zeek::detail::hash_update(ctx, ${mod}.data(), ${mod}.length());
+ zeek::detail::hash_update(ctx, ${exp}.data(), ${exp}.length());
 zeek::detail::hash_final(ctx, digest);
 zeek::BifEvent::enqueue_ssh_server_host_key(connection()->zeek_analyzer(),
@@ -267,5 +267,5 @@ refine typeattr SSH2_ECC_INIT += &let {
 };
 refine typeattr SSH1_PUBLIC_KEY += &let {
- proc: bool = $context.flow.proc_ssh1_server_host_key(host_key_p.val, host_key_e.val);
+ proc: bool = $context.flow.proc_ssh1_server_host_key(host_key_exp.val, host_key_mod.val);
 };
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index 99f361974f..b7ae75b2b3 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
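Review bot: In the first hunk of src/analyzer/protocol/ssh/ssh-analyzer.pac, the `enqueue_ssh1_server_host_key` call now passes four positional strings (`exp`, `mod`, `mod`, `exp`), and the comment that explained the swapped legacy meaning was removed. Nothing at the call site now says why the order repeats in reverse. A transposition here would compile cleanly and silently change what handlers receive, including any host-key fingerprint a script derives from the event arguments. I would add a comment above the arguments, for example `// Order follows the event prototype: deprecated p (= exponent), deprecated e (= modulus), then modulus, exponent.` The body of `proc_ssh1_server_host_key` continues past the end of the hunk.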
@@ -60,11 +60,11 @@ type SSH1_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_typ
 type SSH1_PUBLIC_KEY(length: uint32) = record {
 cookie : bytestring &length=8;
 server_key : uint32;
- server_key_p : ssh1_mp_int;
- server_key_e : ssh1_mp_int;
+ server_key_exp : ssh1_mp_int;
+ server_key_mod : ssh1_mp_int;
 host_key : uint32;
- host_key_p : ssh1_mp_int;
- host_key_e : ssh1_mp_int;
+ host_key_exp : ssh1_mp_int;
+ host_key_mod : ssh1_mp_int;
 flags : uint32;
 supported_ciphers : uint32;
 supported_auths : uint32;
diff --git a/testing/btest/scripts/base/protocols/ssh/fingerprints.zeek b/testing/btest/scripts/base/protocols/ssh/fingerprints.zeek
index 6af3c55a6a..f0ef8fad21 100644
--- a/testing/btest/scripts/base/protocols/ssh/fingerprints.zeek
+++ b/testing/btest/scripts/base/protocols/ssh/fingerprints.zeek
@@ -8,9 +8,9 @@ event ssh2_server_host_key(c: connection, key: string)
 print "ssh2 server host key fingerprint", md5_hash(key);
 }
-event ssh1_server_host_key(c: connection, p: string, e: string)
+event ssh1_server_host_key(c: connection, modulus: string, exponent: string)
 {
- print "ssh1 server host key fingerprint", md5_hash(e + p);
+ print "ssh1 server host key fingerprint", md5_hash(modulus + exponent);
 }
 event ssh_server_host_key(c: connection, hash: string)
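Review bot: The updated handler in testing/btest/scripts/base/protocols/ssh/fingerprints.zeek exercises only the new `(modulus, exponent)` prototype. Within this diff nothing checks that the deprecated `(p, e)` prototype still delivers the exponent in `p` and the modulus in `e` until it is removed. If no other test covers that path, a second handler such as `event ssh1_server_host_key(c: connection, p: string, e: string) { print "ssh1 legacy fingerprint", md5_hash(e + p); }` would pin both prototypes to the same fingerprint. The baseline would presumably also pick up the deprecation warning, which is worth recording.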