Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 18:48:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/fastpath'

Browse source 
* origin/fastpath:
  make sslv2 protocol tests more strict - in its current state they triggered on http traffic over port 443 sometimes.
  Fix x509 analyzer to correctly return ecdsa as the key_type for ecdsa certs.
This commit is contained in:
Robin Sommer 2014-11-25 14:27:07 -08:00
commit 977446e7ee
8 changed files with 39 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/analyzer/protocol/ssl/ssl-protocol.pac
View file

@ -36,7 +36,7 @@ type SSLRecord(is_orig: bool) = record {
} &length = length+5, &byteorder=bigendian,
&let {
version : int =
$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4);
$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
content_type : int = case version of {
SSLv20 -> head2+300;
@ -748,7 +748,7 @@ refine connection SSL_Conn += {
%}
function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
head2 : uint8, head3: uint8, head4: uint8) : int
head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int
%{
// re-check record layer version to be sure that we still are synchronized with
// the data stream
@ -768,7 +768,7 @@ refine connection SSL_Conn += {
if ( head0 & 0x80 )
{
if ( head2 == 0x01 ) // SSLv2 client hello.
if ( head2 == 0x01 && is_orig ) // SSLv2 client hello.
{
uint16 version = (head3 << 8) | head4;
if ( version != SSLv20 && version != SSLv30 && version != TLSv10 &&
@ -782,7 +782,7 @@ refine connection SSL_Conn += {
return SSLv20;
}
else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2.
else if ( head2 == 0x04 && head4 < 2 && ! is_orig ) // SSLv2 server hello. This connection will continue using SSLv2.
{
record_layer_version_ = SSLv20;
return SSLv20;

2
src/file_analysis/analyzer/x509/X509.cc
View file

@ -147,7 +147,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
#ifndef OPENSSL_NO_EC
else if ( pkey->type == EVP_PKEY_EC )
{
pX509Cert->Assign(8, new StringVal("dsa"));
pX509Cert->Assign(8, new StringVal("ecdsa"));
pX509Cert->Assign(11, KeyCurve(pkey));
}
#endif