analyzer/ssl: handle missing <openssl/kdf.h>

This commit is contained in:
Florian Wilkens 2021-05-07 17:04:16 +02:00 committed by Florian Wilkens
parent 95a6ee27b1
commit 979bf20769
3 changed files with 16 additions and 5 deletions

cmake

@ -1 +1 @@
Subproject commit 74259745dea5ee4889d1ac1f4ebde4e2c59c329a Subproject commit cce53d15008a26dcb1b7eb534a78f52f9355c676


@ -11,7 +11,10 @@
#include <arpa/inet.h> #include <arpa/inet.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/kdf.h>
#ifdef OPENSSL_HAVE_KDF_H
#include <openssl/kdf.h>
#endif
static void print_hex(std::string name, u_char* data, int len) static void print_hex(std::string name, u_char* data, int len)
{ {
@ -146,6 +149,7 @@ void SSL_Analyzer::SetKeys(const u_char* data, int len)
bool SSL_Analyzer::TLS12_PRF(const std::string& secret, const std::string& label, bool SSL_Analyzer::TLS12_PRF(const std::string& secret, const std::string& label,
const char* rnd1, size_t rnd1_len, const char* rnd2, size_t rnd2_len, u_char* out, size_t out_len) const char* rnd1, size_t rnd1_len, const char* rnd2, size_t rnd2_len, u_char* out, size_t out_len)
{ {
#ifdef OPENSSL_HAVE_KDF_H
// alloc buffers // alloc buffers
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
size_t seed_len = label.length() + rnd1_len + rnd2_len; size_t seed_len = label.length() + rnd1_len + rnd2_len;
@ -174,6 +178,7 @@ bool SSL_Analyzer::TLS12_PRF(const std::string& secret, const std::string& label
abort: abort:
EVP_PKEY_CTX_free(pctx); EVP_PKEY_CTX_free(pctx);
#endif
return false; return false;
} }
@ -201,6 +206,8 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i
// Secret present, but no keys derived yet: derive keys // Secret present, but no keys derived yet: derive keys
if ( secret != nullptr && secret->Len() != 0 && ( keys == nullptr || keys->Len() == 0 ) ) if ( secret != nullptr && secret->Len() != 0 && ( keys == nullptr || keys->Len() == 0 ) )
{ {
#ifdef OPENSSL_HAVE_KDF_H
DBG_LOG(DBG_ANALYZER, "Deriving TLS keys for connection foo");
uint32_t ts = htonl((uint32_t) handshake_interp->gmt_unix_time()); uint32_t ts = htonl((uint32_t) handshake_interp->gmt_unix_time());
char crand[32] = {0x00}; char crand[32] = {0x00};
@ -221,6 +228,7 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i
// save derived keys // save derived keys
SetKeys(keybuf, sizeof(keybuf)); SetKeys(keybuf, sizeof(keybuf));
#endif
} }
// Keys present: decrypt TLS application data // Keys present: decrypt TLS application data
@ -304,7 +312,7 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool i
return true; return true;
} }
// This is only reached if key derivation somehow failed // This is only reached if key derivation fails or is unsupported
return false; return false;
} }
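Review bot: When `OPENSSL_HAVE_KDF_H` is undefined, the guarded block in TryDecryptApplicationData (hunk `@ -201,6 +206,8`) skips key derivation silently, so a connection that has a configured secret falls through to the final `return false` with no trace that decryption was never attempted; only the reworded closing comment hints at it. An `#else` branch that records this would let an operator distinguish "unsupported build" from "derivation failed", e.g. `#else` / `DBG_LOG(DBG_ANALYZER, "TLS secret present but key derivation unavailable: built without <openssl/kdf.h>");` / `#endif` — a non-debug-build notification would be more visible if the analyzer has such a channel here, which the hunk does not show. The new debug line at the top of that block still reads `"Deriving TLS keys for connection foo"`, which looks like a leftover placeholder; `DBG_LOG(DBG_ANALYZER, "Deriving TLS keys for connection");` is enough. TryDecryptApplicationData begins and ends outside the hunk.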


@ -77,6 +77,9 @@
/* Compatibility for Darwin */ /* Compatibility for Darwin */
#cmakedefine NEED_NAMESER_COMPAT_H #cmakedefine NEED_NAMESER_COMPAT_H
/* openssl/kdf.h for TLS PRF (key derivation) */
#cmakedefine OPENSSL_HAVE_KDF_H
/* d2i_x509 uses const char** */ /* d2i_x509 uses const char** */
#cmakedefine OPENSSL_D2I_X509_USES_CONST_CHAR #cmakedefine OPENSSL_D2I_X509_USES_CONST_CHAR