Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Refactoring ssh-protocol.pac:

Browse source 
- Simplify and unify some types
  - Fix parsing of the key exchange messages, so we can transition
  - states properly again.
This commit is contained in:
Vlad Grigorescu 2015-03-11 11:58:31 -04:00
parent 3ad6b3004b
commit 82c4037929
3 changed files with 81 additions and 101 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/analyzer/protocol/ssh/events.bif
View file

@ -10,6 +10,6 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%); event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
event ssh_server_host_key%(c: connection, key: string%); event ssh2_server_host_key%(c: connection, key: string%);
event ssh1_server_host_key%(c: connection, p: string, e: string%); event ssh1_server_host_key%(c: connection, p: string, e: string%);

25
src/analyzer/protocol/ssh/ssh-analyzer.pac
View file

@ -65,7 +65,7 @@ refine flow SSH_Flow += {
return true; return true;
%} %}
function proc_ssh_kexinit(msg: SSH_KEXINIT): bool function proc_ssh2_kexinit(msg: SSH2_KEXINIT): bool
%{ %{
if ( ! ssh_capabilities ) if ( ! ssh_capabilities )
return false; return false;
@ -110,11 +110,11 @@ refine flow SSH_Flow += {
return true; return true;
%} %}
function proc_ssh_server_host_key(key: bytestring): bool function proc_ssh2_server_host_key(key: bytestring): bool
%{ %{
if ( ssh_server_host_key ) if ( ssh2_server_host_key )
{ {
BifEvent::generate_ssh_server_host_key(connection()->bro_analyzer(), BifEvent::generate_ssh2_server_host_key(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), connection()->bro_analyzer()->Conn(),
bytestring_to_val(${key})); bytestring_to_val(${key}));
} }
@ -138,15 +138,14 @@ refine flow SSH_Flow += {
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->bro_analyzer()->ProtocolConfirmation();
return true; return true;
%} %}
}; };
refine typeattr SSH_Version += &let { refine typeattr SSH_Version += &let {
proc: bool = $context.flow.proc_ssh_version(this); proc: bool = $context.flow.proc_ssh_version(this);
}; };
refine typeattr SSH_KEXINIT += &let { refine typeattr SSH2_KEXINIT += &let {
proc: bool = $context.flow.proc_ssh_kexinit(this); proc: bool = $context.flow.proc_ssh2_kexinit(this);
}; };
refine typeattr SSH1_Message += &let { refine typeattr SSH1_Message += &let {
@ -157,14 +156,14 @@ refine typeattr SSH2_Message += &let {
proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == MSG_NEWKEYS); proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == MSG_NEWKEYS);
}; };
refine typeattr SSH_DH_GEX_REPLY += &let { refine typeattr SSH2_DH_GEX_REPLY += &let {
proc: bool = $context.flow.proc_ssh_server_host_key(k_s.val); proc: bool = $context.flow.proc_ssh2_server_host_key(k_s.val);
}; };
refine typeattr SSH_ECC_REPLY += &let { refine typeattr SSH2_ECC_REPLY += &let {
proc: bool = $context.flow.proc_ssh_server_host_key(k_s.val); proc: bool = $context.flow.proc_ssh2_server_host_key(k_s.val);
}; };
refine typeattr SSH1_PUBLIC_KEY += &let { refine typeattr SSH1_PUBLIC_KEY += &let {
proc: bool = $context.flow.proc_ssh1_server_host_key(host_key_p.val, host_key_e.val); proc: bool = $context.flow.proc_ssh1_server_host_key(host_key_p.val, host_key_e.val);
}; };

155
src/analyzer/protocol/ssh/ssh-protocol.pac
View file

@ -1,15 +1,17 @@
%include consts.pac %include consts.pac
## SSH Generic # Common constructs across SSH1 and SSH2
########################################
# We have 3 basic types of messages:
#
# - SSH_Version messages just have a string with the banner string of the client or server
# - Encrypted messages have no usable data, but those never get passed in by SSH.cc
# - Finally, key exchange messages have a common format.
type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of { type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of {
VERSION_EXCHANGE -> version : SSH_Version(is_orig); VERSION_EXCHANGE -> version : SSH_Version(is_orig);
KEX_INIT -> kex : SSH_Key_Exchange(is_orig); default -> kex : SSH_Key_Exchange(is_orig);
KEX_DH_GEX -> kex_dh_gex : SSH_Key_Exchange_DH_GEX(is_orig);
KEX_DH -> kex_dh : SSH_Key_Exchange_DH(is_orig);
KEX_ECC -> kex_ecc : SSH_Key_Exchange_ECC(is_orig);
KEX_GSS -> kex_gss : SSH_Key_Exchange_GSS(is_orig);
KEX_RSA -> kex_rsa : SSH_Key_Exchange_RSA(is_orig);
} &byteorder=bigendian; } &byteorder=bigendian;
type SSH_Version(is_orig: bool) = record { type SSH_Version(is_orig: bool) = record {
@ -25,7 +27,8 @@ type SSH_Key_Exchange(is_orig: bool) = case $context.connection.get_version() of
SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig); SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig);
}; };
## SSH1 # SSH1 constructs
#################
type SSH1_Key_Exchange(is_orig: bool) = record { type SSH1_Key_Exchange(is_orig: bool) = record {
packet_length : uint32; packet_length : uint32;
@ -70,28 +73,32 @@ type ssh1_mp_int = record {
## SSH2 ## SSH2
type SSH2_Key_Exchange_Header = record { type SSH2_Header(is_orig: bool) = record {
packet_length : uint32; packet_length : uint32;
padding_length : uint8; padding_length : uint8;
msg_type : uint8; msg_type : uint8;
} &let { } &let {
payload_length : uint32 = packet_length - padding_length - 2; payload_length : uint32 = packet_length - padding_length - 2;
} &length=6; detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS);
};
type SSH2_Key_Exchange(is_orig: bool) = record { type SSH2_Key_Exchange(is_orig: bool) = record {
header : SSH2_Key_Exchange_Header; header : SSH2_Header(is_orig);
payload : SSH2_Message(is_orig, header.msg_type, header.payload_length); payload : SSH2_Message(is_orig, header.msg_type, header.payload_length);
pad : bytestring &length=header.padding_length; pad : bytestring &length=header.padding_length;
} &length=header.packet_length + 4; } &length=header.packet_length + 4;
type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case $context.connection.get_state(is_orig) of {
MSG_KEXINIT -> kexinit : SSH_KEXINIT(length, is_orig); KEX_INIT -> kex : SSH2_KEXINIT(length, is_orig);
default -> unknown : bytestring &length=length; KEX_DH_GEX -> kex_dh_gex : SSH2_Key_Exchange_DH_GEX_Message(is_orig, msg_type, length);
} &let { KEX_DH -> kex_dh : SSH2_Key_Exchange_DH_Message(is_orig, msg_type, length);
detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS); KEX_ECC -> kex_ecc : SSH2_Key_Exchange_ECC_Message(is_orig, msg_type, length);
KEX_GSS -> kex_gss : SSH2_Key_Exchange_GSS_Message(is_orig, msg_type, length);
KEX_RSA -> kex_rsa : SSH2_Key_Exchange_RSA_Message(is_orig, msg_type, length);
default -> unknown : bytestring &length=length;
}; };
type SSH_KEXINIT(length: uint32, is_orig: bool) = record { type SSH2_KEXINIT(length: uint32, is_orig: bool) = record {
cookie : bytestring &length=16; cookie : bytestring &length=16;
kex_algorithms : ssh_string; kex_algorithms : ssh_string;
server_host_key_algorithms : ssh_string; server_host_key_algorithms : ssh_string;
@ -111,53 +118,43 @@ type SSH_KEXINIT(length: uint32, is_orig: bool) = record {
# KEX_DH exchanges # KEX_DH exchanges
type SSH_Key_Exchange_DH(is_orig: bool) = record { type SSH2_Key_Exchange_DH_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
header : SSH2_Key_Exchange_Header; SSH_MSG_KEXDH_INIT -> init : SSH2_DH_GEX_INIT(length);
payload : SSH_Key_Exchange_DH_Message(is_orig, header.msg_type, header.payload_length); SSH_MSG_KEXDH_REPLY -> reply : SSH2_DH_GEX_REPLY(length);
pad : bytestring &length=header.padding_length; default -> unknown: bytestring &length=length &transient;
} &length=header.packet_length + 4;
type SSH_Key_Exchange_DH_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
SSH_MSG_KEXDH_INIT -> init : SSH_DH_GEX_INIT(length);
SSH_MSG_KEXDH_REPLY -> reply : SSH_DH_GEX_REPLY(length);
}; };
# KEX_DH_GEX exchanges # KEX_DH_GEX exchanges
type SSH_Key_Exchange_DH_GEX(is_orig: bool) = record { type SSH2_Key_Exchange_DH_GEX_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
header : SSH2_Key_Exchange_Header; SSH_MSG_KEX_DH_GEX_REQUEST_OLD -> request_old : SSH2_DH_GEX_REQUEST_OLD;
payload : SSH_Key_Exchange_DH_GEX_Message(is_orig, header.msg_type, header.payload_length); SSH_MSG_KEX_DH_GEX_REQUEST -> request : SSH2_DH_GEX_REQUEST;
pad : bytestring &length=header.padding_length; SSH_MSG_KEX_DH_GEX_GROUP -> group : SSH2_DH_GEX_GROUP(length);
} &length=header.packet_length + 4; SSH_MSG_KEX_DH_GEX_INIT -> init : SSH2_DH_GEX_INIT(length);
SSH_MSG_KEX_DH_GEX_REPLY -> reply : SSH2_DH_GEX_REPLY(length);
type SSH_Key_Exchange_DH_GEX_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { default -> unknown : bytestring &length=length &transient;
SSH_MSG_KEX_DH_GEX_REQUEST_OLD -> request_old : SSH_DH_GEX_REQUEST_OLD;
SSH_MSG_KEX_DH_GEX_REQUEST -> request : SSH_DH_GEX_REQUEST;
SSH_MSG_KEX_DH_GEX_GROUP -> group : SSH_DH_GEX_GROUP(length);
SSH_MSG_KEX_DH_GEX_INIT -> init : SSH_DH_GEX_INIT(length);
SSH_MSG_KEX_DH_GEX_REPLY -> reply : SSH_DH_GEX_REPLY(length);
}; };
type SSH_DH_GEX_REQUEST = record { type SSH2_DH_GEX_REQUEST = record {
min : uint32; min : uint32;
n : uint32; n : uint32;
max : uint32; max : uint32;
} &length=12; } &length=12;
type SSH_DH_GEX_REQUEST_OLD = record { type SSH2_DH_GEX_REQUEST_OLD = record {
n : uint32; n : uint32;
} &length=4; } &length=4;
type SSH_DH_GEX_GROUP(length: uint32) = record { type SSH2_DH_GEX_GROUP(length: uint32) = record {
p : ssh_string; p : ssh_string;
g : ssh_string; g : ssh_string;
} &length=length; } &length=length;
type SSH_DH_GEX_INIT(length: uint32) = record { type SSH2_DH_GEX_INIT(length: uint32) = record {
e : ssh_string; e : ssh_string;
} &length=length; } &length=length;
type SSH_DH_GEX_REPLY(length: uint32) = record { type SSH2_DH_GEX_REPLY(length: uint32) = record {
k_s : ssh_string; k_s : ssh_string;
f : ssh_string; f : ssh_string;
signature : ssh_string; signature : ssh_string;
@ -165,59 +162,47 @@ type SSH_DH_GEX_REPLY(length: uint32) = record {
# KEX_RSA exchanges # KEX_RSA exchanges
type SSH_Key_Exchange_RSA(is_orig: bool) = record { type SSH2_Key_Exchange_RSA_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
header : SSH2_Key_Exchange_Header; SSH_MSG_KEXRSA_PUBKEY -> pubkey : SSH2_RSA_PUBKEY(length);
payload : SSH_Key_Exchange_RSA_Message(is_orig, header.msg_type, header.payload_length); SSH_MSG_KEXRSA_SECRET -> secret : SSH2_RSA_SECRET(length);
pad : bytestring &length=header.padding_length; SSH_MSG_KEXRSA_DONE -> done : SSH2_RSA_DONE(length);
} &length=header.packet_length + 4;
type SSH_Key_Exchange_RSA_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
SSH_MSG_KEXRSA_PUBKEY -> pubkey : SSH_RSA_PUBKEY(length);
SSH_MSG_KEXRSA_SECRET -> secret : SSH_RSA_SECRET(length);
SSH_MSG_KEXRSA_DONE -> done : SSH_RSA_DONE(length);
}; };
type SSH_RSA_PUBKEY(length: uint32) = record { type SSH2_RSA_PUBKEY(length: uint32) = record {
k_s : ssh_string; k_s : ssh_string;
k_t : ssh_string; k_t : ssh_string;
} &length=length; } &length=length;
type SSH_RSA_SECRET(length: uint32) = record { type SSH2_RSA_SECRET(length: uint32) = record {
encrypted_payload : ssh_string; encrypted_payload : ssh_string;
} &length=length; } &length=length;
type SSH_RSA_DONE(length: uint32) = record { type SSH2_RSA_DONE(length: uint32) = record {
signature : ssh_string; signature : ssh_string;
} &length=length; } &length=length;
# KEX_GSS exchanges # KEX_GSS exchanges
type SSH_Key_Exchange_GSS(is_orig: bool) = record { type SSH2_Key_Exchange_GSS_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
header : SSH2_Key_Exchange_Header; SSH_MSG_KEXGSS_INIT -> init : SSH2_GSS_INIT(length);
payload : SSH_Key_Exchange_GSS_Message(is_orig, header.msg_type, header.payload_length); SSH_MSG_KEXGSS_CONTINUE -> cont : SSH2_GSS_CONTINUE(length);
pad : bytestring &length=header.padding_length; SSH_MSG_KEXGSS_COMPLETE -> complete : SSH2_GSS_COMPLETE(length);
} &length=header.packet_length + 4; SSH_MSG_KEXGSS_HOSTKEY -> hostkey : SSH2_GSS_HOSTKEY(length);
SSH_MSG_KEXGSS_ERROR -> error : SSH2_GSS_ERROR(length);
type SSH_Key_Exchange_GSS_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { SSH_MSG_KEXGSS_GROUPREQ -> groupreq : SSH2_DH_GEX_REQUEST;
SSH_MSG_KEXGSS_INIT -> init : SSH_GSS_INIT(length); SSH_MSG_KEXGSS_GROUP -> group : SSH2_DH_GEX_GROUP(length);
SSH_MSG_KEXGSS_CONTINUE -> cont : SSH_GSS_CONTINUE(length);
SSH_MSG_KEXGSS_COMPLETE -> complete : SSH_GSS_COMPLETE(length);
SSH_MSG_KEXGSS_HOSTKEY -> hostkey : SSH_GSS_HOSTKEY(length);
SSH_MSG_KEXGSS_ERROR -> error : SSH_GSS_ERROR(length);
SSH_MSG_KEXGSS_GROUPREQ -> groupreq : SSH_DH_GEX_REQUEST;
SSH_MSG_KEXGSS_GROUP -> group : SSH_DH_GEX_GROUP(length);
}; };
type SSH_GSS_INIT(length: uint32) = record { type SSH2_GSS_INIT(length: uint32) = record {
output_token : ssh_string; output_token : ssh_string;
e : ssh_string; e : ssh_string;
} &length=length; } &length=length;
type SSH_GSS_CONTINUE(length: uint32) = record { type SSH2_GSS_CONTINUE(length: uint32) = record {
output_token : ssh_string; output_token : ssh_string;
} &length=length; } &length=length;
type SSH_GSS_COMPLETE(length: uint32) = record { type SSH2_GSS_COMPLETE(length: uint32) = record {
f : ssh_string; f : ssh_string;
per_msg_token : ssh_string; per_msg_token : ssh_string;
have_token : uint8; have_token : uint8;
@ -227,11 +212,11 @@ type SSH_GSS_COMPLETE(length: uint32) = record {
}; };
} &length=length; } &length=length;
type SSH_GSS_HOSTKEY(length: uint32) = record { type SSH2_GSS_HOSTKEY(length: uint32) = record {
k_s : ssh_string; k_s : ssh_string;
} &length=length; } &length=length;
type SSH_GSS_ERROR(length: uint32) = record { type SSH2_GSS_ERROR(length: uint32) = record {
major_status : uint32; major_status : uint32;
minor_status : uint32; minor_status : uint32;
message : ssh_string; message : ssh_string;
@ -240,31 +225,27 @@ type SSH_GSS_ERROR(length: uint32) = record {
# KEX_ECDH and KEX_ECMQV exchanges # KEX_ECDH and KEX_ECMQV exchanges
type SSH_Key_Exchange_ECC(is_orig: bool) = record { type SSH2_Key_Exchange_ECC_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
header : SSH2_Key_Exchange_Header; SSH_MSG_KEX_ECDH_INIT -> init : SSH2_ECC_INIT(length);
payload : SSH_Key_Exchange_ECC_Message(is_orig, header.msg_type, header.payload_length); SSH_MSG_KEX_ECDH_REPLY -> reply : SSH2_ECC_REPLY(length);
pad : bytestring &length=header.padding_length;
} &length=header.packet_length + 4;
type SSH_Key_Exchange_ECC_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
SSH_MSG_KEX_ECDH_INIT -> init : SSH_ECC_INIT(length);
SSH_MSG_KEX_ECDH_REPLY -> reply : SSH_ECC_REPLY(length);
}; };
# This deviates from the RFC. SSH_MSG_KEX_ECDH_INIT and # This deviates from the RFC. SSH_MSG_KEX_ECDH_INIT and
# SSH_MSG_KEX_ECMQV_INIT can be parsed the same way. # SSH_MSG_KEX_ECMQV_INIT can be parsed the same way.
type SSH_ECC_INIT(length: uint32) = record { type SSH2_ECC_INIT(length: uint32) = record {
q_c : ssh_string; q_c : ssh_string;
}; };
# This deviates from the RFC. SSH_MSG_KEX_ECDH_REPLY and # This deviates from the RFC. SSH_MSG_KEX_ECDH_REPLY and
# SSH_MSG_KEX_ECMQV_REPLY can be parsed the same way. # SSH_MSG_KEX_ECMQV_REPLY can be parsed the same way.
type SSH_ECC_REPLY(length: uint32) = record { type SSH2_ECC_REPLY(length: uint32) = record {
k_s : ssh_string; k_s : ssh_string;
q_s : ssh_string; q_s : ssh_string;
signature : ssh_string; signature : ssh_string;
}; };
# Helper types
type ssh_string = record { type ssh_string = record {
len : uint32; len : uint32;
val : bytestring &length=len; val : bytestring &length=len;