Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

SSL Analyzer: track connection direction by messages

Browse source 
This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.
This commit is contained in:
Johanna Amann 2022-06-24 19:27:13 +02:00 committed by Johanna Amann
parent a7aa345c76
commit e14eddeb97
30 changed files with 344 additions and 179 deletions
Download patch file Download diff file Expand all files Collapse all files

20
testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
View file

@ -5,31 +5,31 @@
@load base/protocols/ssl
event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
{
print "Curves", c$id$orig_h, c$id$resp_h;
for ( i in curves )
print SSL::ec_curves[curves[i]];
}
event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
{
print "Point formats", c$id$orig_h, c$id$resp_h, is_orig;
print "Point formats", c$id$orig_h, c$id$resp_h, is_client;
for ( i in point_formats )
print SSL::ec_point_formats[point_formats[i]];
}
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec)
{
print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
}
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec)
{
print "server_name", c$id$orig_h, c$id$resp_h, names;
}
event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: vector of SSL::SignatureAndHashAlgorithm)
event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: vector of SSL::SignatureAndHashAlgorithm)
{
print "signature_algorithm", c$id$orig_h, c$id$resp_h;
for ( i in signature_algorithms)
@ -38,26 +38,26 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
}
}
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
{
print "supported_versions", c$id$orig_h, c$id$resp_h;
for ( i in versions )
print SSL::version_strings[versions[i]];
}
event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
{
print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h;
for ( i in modes )
print modes[i];
}
event ssl_extension_pre_shared_key_client_hello(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)
event ssl_extension_pre_shared_key_client_hello(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec)
{
print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
}
event ssl_extension_pre_shared_key_server_hello(c: connection, is_orig: bool, selected_identity: count)
event ssl_extension_pre_shared_key_server_hello(c: connection, is_client: bool, selected_identity: count)
{
print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity;
}