TLS analyzer: change logic to track TLS 1.3 connection establishment

This commit changes the logic that is used to track connection
establishment - and moves it from scriptland into the core.

TLS 1.3 connection establishment is much more finnicky for us than the
establishment of earlier versions - since we cannot rely on the CCS
message anymore (which is meaningless and not sent in a lot of cases).

With this commit, the ssl_encrypted_data message gets raised for
encrypted TLS 1.3 handshake messages - which is much more correct than
the behavior before that just interpreted them as plaintext messages.

I will refine this a bit more - at the moment the connection established
event happens a bit too early - earlier than TLS 1.3 connections
actually can be estasblished.

Part of GH-1323
Johanna Amann 2020-12-14 19:51:05 +00:00 committed by Johanna Amann
parent f5d306a732
commit bea3075c1f
5 changed files with 68 additions and 44 deletions


@ -46,12 +46,6 @@ export {
## by the client. This value is used to determine if a session
## is being resumed. It's not logged.
client_key_exchange_seen: bool &default=F;
## Count to track if the server already sent an application data
## packet for TLS 1.3. Used to track when a session was established.
server_appdata: count &default=0;
## Flag to track if the client already sent an application data
## packet for TLS 1.3. Used to track when a session was established.
client_appdata: bool &default=F;
## Last alert that was seen during the connection.
last_alert: string &log &optional;
@ -370,41 +364,8 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
if ( ! c$ssl?$version || c$ssl$established || content_type != APPLICATION_DATA )
return;
if ( c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
{
local wi = Weird::Info($ts=network_time(), $name="ssl_early_application_data", $uid=c$uid, $id=c$id);
Weird::weird(wi);
return;
}
if ( is_orig )
{
c$ssl$client_appdata = T;
return;
}
if ( c$ssl$client_appdata && c$ssl$server_appdata == 0 )
{
# something went wrong in the handshake here - we can't say if it was established. Just abort.
return;
}
else if ( ! c$ssl$client_appdata && c$ssl$server_appdata == 0 )
{
c$ssl$server_appdata = 1;
return;
}
else if ( c$ssl$client_appdata && c$ssl$server_appdata == 1 )
{
# wait for one more packet before we believe it was established. This one could be an encrypted alert.
c$ssl$server_appdata = 2;
return;
}
else if ( c$ssl$client_appdata && c$ssl$server_appdata == 2 )
{
set_ssl_established(c);
event ssl_established(c);
return;
}
local wi = Weird::Info($ts=network_time(), $name="ssl_early_application_data", $uid=c$uid, $id=c$id);
Weird::weird(wi);
}
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,