mirror of
https://github.com/zeek/zeek.git
synced 2025-10-14 20:48:21 +00:00
Merge branch 'topic/johanna/tls13-extensions' into topic/johanna/ocsp-sct-validate
This commit is contained in:
Johanna Amann
commit
61906fe7fb
15 changed files with 204 additions and 5 deletions
|
|
@ -87,6 +87,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
|
|||
## ssl_session_ticket_handshake ssl_extension_ec_point_formats
|
||||
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
|
||||
|
||||
## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
|
||||
|
|
@ -104,6 +105,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
|
|||
## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
|
||||
## ssl_extension_key_share
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
|
||||
|
||||
## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
|
||||
|
|
@ -122,6 +124,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
|
|||
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm
|
||||
## ssl_extension_key_share
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
|
||||
|
||||
## Generated for an Signature Algorithms extension. This TLS extension
|
||||
|
|
@ -139,6 +142,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
|
|||
## ssl_session_ticket_handshake ssl_extension
|
||||
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_server_name ssl_server_curve ssl_extension_key_share
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
|
||||
|
||||
## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
|
||||
|
|
@ -155,6 +159,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
|
|||
## ssl_session_ticket_handshake ssl_extension
|
||||
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_server_name ssl_server_curve
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
|
||||
|
||||
## Generated if a named curve is chosen by the server for an SSL/TLS connection.
|
||||
|
|
@ -169,6 +174,7 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
|
|||
## ssl_session_ticket_handshake ssl_extension
|
||||
## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_server_name ssl_extension_key_share
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_server_curve%(c: connection, curve: count%);
|
||||
|
||||
## Generated if a server uses a DH-anon or DHE cipher suite. This event contains
|
||||
|
|
@ -204,6 +210,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
|
|||
## ssl_session_ticket_handshake ssl_extension
|
||||
## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
|
||||
## ssl_extension_server_name ssl_extension_key_share
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
|
||||
|
||||
## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
|
||||
|
|
@ -223,6 +230,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
|
|||
## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
|
||||
## ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_key_share
|
||||
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
|
||||
event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
|
||||
|
||||
## Generated for the signed_certificate_timestamp TLS extension as defined in
|
||||
|
|
@ -247,6 +255,42 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
|
|||
## signature: signature part of the digitally_signed struct
|
||||
event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
|
||||
|
||||
## Generated for an TLS Supported Versions extension. This TLS extension
|
||||
## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake.
|
||||
## It contains the TLS versions that it supports. This informaion can be used by
|
||||
## the server to choose the best TLS version o use.
|
||||
##
|
||||
## c: The connection.
|
||||
##
|
||||
## is_orig: True if event is raised for originator side of the connection.
|
||||
##
|
||||
## versions: List of supported TLS versions.
|
||||
##
|
||||
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
|
||||
## ssl_session_ticket_handshake ssl_extension
|
||||
## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
|
||||
## ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_key_share ssl_extension_server_name
|
||||
## ssl_extension_psk_key_exchange_modes
|
||||
event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
|
||||
|
||||
## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
|
||||
## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the
|
||||
## list of Pre-Shared Key Exchange Modes that it supports.
|
||||
## c: The connection.
|
||||
##
|
||||
## is_orig: True if event is raised for originator side of the connection.
|
||||
##
|
||||
## versions: List of supported Pre-Shared Key Exchange Modes.
|
||||
##
|
||||
## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
|
||||
## ssl_session_ticket_handshake ssl_extension
|
||||
## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
|
||||
## ssl_extension_application_layer_protocol_negotiation
|
||||
## ssl_extension_key_share ssl_extension_server_name
|
||||
## ssl_extension_supported_versions
|
||||
event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
|
||||
|
||||
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
|
||||
## an unencrypted handshake, and Bro extracts as much information out of that
|
||||
## as it can. This event signals the time when an SSL/TLS has finished the
|
||||
|
|
|
|||
|
|
@ -150,6 +150,10 @@ enum SSLExtensions {
|
|||
EXT_EARLY_DATA = 42,
|
||||
EXT_SUPPORTED_VERSIONS = 43,
|
||||
EXT_COOKIE = 44,
|
||||
EXT_PSK_KEY_EXCHANGE_MODES = 45,
|
||||
EXT_TICKET_EARLY_DATA_INFO = 46,
|
||||
EXT_CERTIFICATE_AUTHORITIES = 47,
|
||||
EXT_OID_FILTERS = 48,
|
||||
EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
|
||||
EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
|
||||
EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
|
||||
|
|
|
|||
|
|
@ -189,6 +189,38 @@ refine connection Handshake_Conn += {
|
|||
return true;
|
||||
%}
|
||||
|
||||
function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool
|
||||
%{
|
||||
VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType());
|
||||
|
||||
if ( versions_list )
|
||||
{
|
||||
for ( int i = 0; i < versions_list->size(); ++i )
|
||||
versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT));
|
||||
}
|
||||
|
||||
BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
${rec.is_orig}, versions);
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool
|
||||
%{
|
||||
VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType());
|
||||
|
||||
if ( mode_list )
|
||||
{
|
||||
for ( int i = 0; i < mode_list->size(); ++i )
|
||||
modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT));
|
||||
}
|
||||
|
||||
BifEvent::generate_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
${rec.is_orig}, modes);
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
function proc_v3_certificate(is_orig: bool, cl : X509Certificate[]) : bool
|
||||
%{
|
||||
vector<X509Certificate*>* certs = cl;
|
||||
|
|
@ -364,6 +396,14 @@ refine typeattr DhServerKeyExchange += &let {
|
|||
proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
|
||||
};
|
||||
|
||||
refine typeattr SupportedVersions += &let {
|
||||
proc : bool = $context.connection.proc_supported_versions(rec, versions);
|
||||
};
|
||||
|
||||
refine typeattr PSKKeyExchangeModes += &let {
|
||||
proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes);
|
||||
};
|
||||
|
||||
refine typeattr Handshake += &let {
|
||||
proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -499,12 +499,24 @@ type SSLExtension(rec: HandshakeRecord) = record {
|
|||
EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
|
||||
EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0);
|
||||
EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
|
||||
EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0);
|
||||
EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
|
||||
default -> data: bytestring &restofdata;
|
||||
};
|
||||
} &length=data_len+4 &exportsourcedata;
|
||||
|
||||
%include tls-handshake-signed_certificate_timestamp.pac
|
||||
|
||||
type SupportedVersions(rec: HandshakeRecord) = record {
|
||||
length: uint8;
|
||||
versions: uint16[] &until($input.length() == 0);
|
||||
} &length=length+1;
|
||||
|
||||
type PSKKeyExchangeModes(rec: HandshakeRecord) = record {
|
||||
length: uint8;
|
||||
modes: uint8[] &until($input.length() == 0);
|
||||
} &length=length+1;
|
||||
|
||||
type ServerNameHostName() = record {
|
||||
length: uint16;
|
||||
host_name: bytestring &length=length;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue