Parse pre-shared-key extension.
No documentation yet...
This commit is contained in:
parent
5ba46eaa71
commit
e85a016521
8 changed files with 162 additions and 3 deletions
|
@ -4170,6 +4170,10 @@ export {
|
|||
SignatureAlgorithm: count; ##< Signature algorithm number
|
||||
};
|
||||
|
||||
type PSKIdentity: record {
|
||||
identity: string; ##< PSK identity
|
||||
obfuscated_ticket_age: count;
|
||||
};
|
||||
|
||||
## Number of non-DTLS frames that can occur in a DTLS connection before
|
||||
## parsing of the connection is suspended.
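Review bot: The new `obfuscated_ticket_age` field of `SSL::PSKIdentity` carries no `##<` doc comment, while the sibling field `identity` and the surrounding record fields in this export block document every member, so the generated script reference will show an undocumented field. Suggest `obfuscated_ticket_age: count; ##< Obfuscated ticket age as sent by the client in the pre_shared_key extension`. The record itself could also get a header line such as `## A pre-shared key identity offered in the pre_shared_key extension of a TLS 1.3 ClientHello.` above `type PSKIdentity: record {`. The enclosing `export { ... }` block starts and ends outside this hunk.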
|
||||
|
@ -4191,6 +4195,8 @@ module GLOBAL;
|
|||
## directly and then remove this alias.
|
||||
type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
|
||||
|
||||
type psk_identity_vec: vector of SSL::PSKIdentity;
|
||||
|
||||
module X509;
|
||||
export {
|
||||
type Certificate: record {
|
||||
|
|
|
@ -182,6 +182,9 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
|
|||
## ssl_rsa_client_pms ssl_server_signature
|
||||
event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
|
||||
|
||||
event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec%);
|
||||
event ssl_extension_pre_shared_key_server_hello%(c: connection, is_orig: bool, selected_identity: count%);
|
||||
|
||||
## Generated if a named curve is chosen by the server for an SSL/TLS connection.
|
||||
## The curve is sent by the server in the ServerKeyExchange message as defined
|
||||
## in :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
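Review bot: Both new events, `ssl_extension_pre_shared_key_client_hello` and `ssl_extension_pre_shared_key_server_hello`, are declared without the `##` documentation that every neighbouring event in this file carries (compare the `##` block for the next event in this hunk), so they will appear undocumented in the generated reference. For the ClientHello event, describe that it is generated for the pre_shared_key extension of a TLS 1.3 ClientHello, that `identities` is the list of offered PSK identities and `binders` the list of binder values in wire order, and — since the parser hunk in this commit does not compare the two list lengths — that a handler should check `|identities| == |binders|` before pairing them by position. For the ServerHello event, describe `selected_identity` as the index into the identity list the client offered. Also add a `.. bro:see::` line listing the two events alongside the other extension events, as the existing entries do.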
|
||||
|
|
|
@ -411,6 +411,50 @@ refine connection Handshake_Conn += {
|
|||
return true;
|
||||
%}
|
||||
|
||||
function proc_pre_shared_key_server_hello(rec: HandshakeRecord, identities: PSKIdentitiesList, binders: PSKBindersList) : bool
|
||||
%{
|
||||
if ( ! ssl_extension_pre_shared_key_server_hello )
|
||||
return true;
|
||||
|
||||
VectorVal* slist = new VectorVal(internal_type("psk_identity_vec")->AsVectorType());
|
||||
|
||||
if ( identities && identities->identities() )
|
||||
{
|
||||
uint32 i = 0;
|
||||
for ( auto&& identity : *(identities->identities()) )
|
||||
{
|
||||
RecordVal* el = new RecordVal(BifType::Record::SSL::PSKIdentity);
|
||||
el->Assign(0, new StringVal(identity->identity().length(), (const char*) identity->identity().data()));
|
||||
el->Assign(1, val_mgr->GetCount(identity->obfuscated_ticket_age()));
|
||||
slist->Assign(i++, el);
|
||||
}
|
||||
}
|
||||
|
||||
VectorVal* blist = new VectorVal(internal_type("string_vec")->AsVectorType());
|
||||
if ( binders && binders->binders() )
|
||||
{
|
||||
uint32 i = 0;
|
||||
for ( auto&& binder : *(binders->binders()) )
|
||||
blist->Assign(i++, new StringVal(binder->binder().length(), (const char*) binder->binder().data()));
|
||||
}
|
||||
|
||||
BifEvent::generate_ssl_extension_pre_shared_key_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
|
||||
${rec.is_orig}, slist, blist);
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
function proc_pre_shared_key_client_hello(rec: HandshakeRecord, selected_identity: uint16) : bool
|
||||
%{
|
||||
if ( ! ssl_extension_pre_shared_key_client_hello )
|
||||
return true;
|
||||
|
||||
BifEvent::generate_ssl_extension_pre_shared_key_server_hello(bro_analyzer(),
|
||||
bro_analyzer()->Conn(), ${rec.is_orig}, selected_identity);
|
||||
|
||||
return true;
|
||||
%}
|
||||
|
||||
};
|
||||
|
||||
refine typeattr ClientHello += &let {
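Review bot: The handler-existence guards in the two new functions test the wrong event. `proc_pre_shared_key_server_hello` checks `if ( ! ssl_extension_pre_shared_key_server_hello )` but goes on to generate `ssl_extension_pre_shared_key_client_hello`, and `proc_pre_shared_key_client_hello` checks `ssl_extension_pre_shared_key_client_hello` but generates the server-hello event; a script that handles only one of the two events therefore never receives it, and the test baseline only passes because the test defines both handlers. The minimal fix swaps the two guard lines: `if ( ! ssl_extension_pre_shared_key_client_hello )` in the first function and `if ( ! ssl_extension_pre_shared_key_server_hello )` in the second. The function names are also inverted relative to what they emit and to the `CLIENT_HELLO -> offered_psks` mapping, which makes the `refine typeattr OfferedPsks` / `SelectedPreSharedKeyIdentity` lines in the following hunk read backwards; renaming them would be the cleaner follow-up. The `refine typeattr ClientHello` block at the end of this hunk continues outside it.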
|
||||
|
@ -520,6 +564,14 @@ refine typeattr PSKKeyExchangeModes += &let {
|
|||
proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes);
|
||||
};
|
||||
|
||||
refine typeattr OfferedPsks += &let {
|
||||
proc : bool = $context.connection.proc_pre_shared_key_server_hello(rec, identities, binders);
|
||||
};
|
||||
|
||||
refine typeattr SelectedPreSharedKeyIdentity += &let {
|
||||
proc : bool = $context.connection.proc_pre_shared_key_client_hello(rec, selected_identity);
|
||||
};
|
||||
|
||||
refine typeattr Handshake += &let {
|
||||
proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length);
|
||||
};
|
||||
|
|
|
@ -778,6 +778,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
|
|||
EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
|
||||
EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
|
||||
EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
|
||||
EXT_PRE_SHARED_KEY -> pre_shared_key: PreSharedKey(rec)[] &until($element == 0 || $element != 0);
|
||||
default -> data: bytestring &restofdata;
|
||||
};
|
||||
} &length=data_len+4 &exportsourcedata;
|
||||
|
@ -864,6 +865,43 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of {
|
|||
default -> other : bytestring &restofdata &transient;
|
||||
};
|
||||
|
||||
type SelectedPreSharedKeyIdentity(rec: HandshakeRecord) = record {
|
||||
selected_identity: uint16;
|
||||
};
|
||||
|
||||
type PSKIdentity() = record {
|
||||
length: uint16;
|
||||
identity: bytestring &length=length;
|
||||
obfuscated_ticket_age: uint32;
|
||||
};
|
||||
|
||||
type PSKIdentitiesList() = record {
|
||||
length: uint16;
|
||||
identities: PSKIdentity[] &until($input.length() == 0);
|
||||
} &length=length+2;
|
||||
|
||||
type PSKBinder() = record {
|
||||
length: uint8;
|
||||
binder: bytestring &length=length;
|
||||
};
|
||||
|
||||
type PSKBindersList() = record {
|
||||
length: uint16;
|
||||
binders: PSKBinder[] &until($input.length() == 0);
|
||||
} &length=length+2;
|
||||
|
||||
type OfferedPsks(rec: HandshakeRecord) = record {
|
||||
identities: PSKIdentitiesList;
|
||||
binders: PSKBindersList;
|
||||
};
|
||||
|
||||
type PreSharedKey(rec: HandshakeRecord) = case rec.msg_type of {
|
||||
CLIENT_HELLO -> offered_psks : OfferedPsks(rec);
|
||||
SERVER_HELLO -> selected_identity : SelectedPreSharedKeyIdentity(rec);
|
||||
# ... well, we don't parse hello retry requests yet, because I don't have an example of them on the wire.
|
||||
default -> other : bytestring &restofdata &transient;
|
||||
};
|
||||
|
||||
type SignatureAlgorithm(rec: HandshakeRecord) = record {
|
||||
length: uint16;
|
||||
supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0);
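Review bot: The new PSK record types have no comment tying them to the wire format they decode, and they enforce only upper bounds: `PSKIdentitiesList` and `PSKBindersList` are capped by `&length=length+2`, but `PSKIdentity.length` and `PSKBinder.length` have no lower bound, so a zero-length identity or binder parses successfully and reaches the event as an empty string. Suggest a comment above `type PSKIdentity() = record {` such as `# PskIdentity / PskBinderEntry / OfferedPsks from the TLS 1.3 pre_shared_key extension; minimum sizes (identity >= 1, binder >= 32 bytes) are not enforced here, the script layer has to check them.` An inner `length` larger than the bytes remaining in the enclosing list presumably ends in a binpac parse exception rather than an over-read, given the outer `&length` cap — worth confirming with a malformed-length trace. The `SignatureAlgorithm` record at the end of this hunk continues outside it.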
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
module SSL;
|
||||
|
||||
type SignatureAndHashAlgorithm: record;
|
||||
type PSKIdentity: record;
|
||||
|
||||
module GLOBAL;
|
||||
|
|
|
@ -45,7 +45,7 @@ sha1, dsa
|
|||
sha256, dsa
|
||||
sha384, dsa
|
||||
sha512, dsa
|
||||
supported_versions(, 192.168.6.240, 139.162.123.134
|
||||
supported_versions, 192.168.6.240, 139.162.123.134
|
||||
TLSv13-draft19
|
||||
TLSv12
|
||||
TLSv11
|
||||
|
@ -78,7 +78,7 @@ sha1, dsa
|
|||
sha256, dsa
|
||||
sha384, dsa
|
||||
sha512, dsa
|
||||
supported_versions(, 192.168.6.240, 139.162.123.134
|
||||
supported_versions, 192.168.6.240, 139.162.123.134
|
||||
TLSv13-draft19
|
||||
TLSv12
|
||||
TLSv11
|
||||
|
@ -86,3 +86,50 @@ TLSv10
|
|||
psk_key_exchange_modes, 192.168.6.240, 139.162.123.134
|
||||
1
|
||||
0
|
||||
pre_shared_key client hello, 192.168.6.240, 139.162.123.134, [[identity=\x01\xf3\x88\x12\xae\xeb\x13\x01\xed]\xcf\x0b\x8f\xad\xf2\xc1I\x9f-\xfa\xe1\x98\x9f\xb7\x82@\x81Or\x0e\xbe\xfc\xa3\xbc\x8f\x03\x86\xf1\x8e\xae\xd7\xe5\xa2\xee\xf3\xde\xb7\xa5\xf6\\xeb\x18^ICPm!|\x09\xe0NE\xe8\x0f\xda\xf8\xf2\xa8s\x84\x17>\xe5\xd9!\x19\x09\xfe\xdb\xa87\x05\xd7\xd06JG\xeb\xad\xf9\xf8\x13?#\xdc\xe7J\xad\x14\xbfS.\x98\xd8\xd2r\x01\xef\xc5\x0c_\xdf\xc9[7\xa7l\xa7\xa0\xb5\xda\x83\x16\x10\xa1\xdb\xe2<j\xfeN=uU\xd3\xf3[\x021\xb1\xff\xcc\xbbZ\x1d\xab\x14=\xca\x80\x07!d\x06\xbe\xc6\x90\x94\x92S\xcfu\x8e\x92_/\xc9\xf0H\xf3\xd0\xfa\xeb\xb6&, obfuscated_ticket_age=1415540021]], [\xdcJ$\x00L\x12\x87\x929wEed\xbd\xf6\xcb4\x04ip5\x95\xe2X\xca[Kx}\xadHY\xae\xab\xedz\xb3\xcaK=\xa0\x09ER\x0a\x8dO\xe4]
|
||||
pre_shared_key server hello, 192.168.6.240, 139.162.123.134, 0
|
||||
Point formats, 192.168.178.80, 174.138.9.219, T
|
||||
uncompressed
|
||||
ansiX962_compressed_prime
|
||||
ansiX962_compressed_char2
|
||||
Curves, 192.168.178.80, 174.138.9.219
|
||||
x25519
|
||||
secp256r1
|
||||
x448
|
||||
secp521r1
|
||||
secp384r1
|
||||
signature_algorithm, 192.168.178.80, 174.138.9.219
|
||||
sha256, ecdsa
|
||||
sha384, ecdsa
|
||||
sha512, ecdsa
|
||||
Intrinsic, ed25519
|
||||
Intrinsic, ed448
|
||||
Intrinsic, rsa_pss_sha256
|
||||
Intrinsic, rsa_pss_sha384
|
||||
Intrinsic, rsa_pss_sha512
|
||||
Intrinsic, rsa_pss_sha256
|
||||
Intrinsic, rsa_pss_sha384
|
||||
Intrinsic, rsa_pss_sha512
|
||||
sha256, rsa
|
||||
sha384, rsa
|
||||
sha512, rsa
|
||||
sha224, ecdsa
|
||||
sha1, ecdsa
|
||||
sha224, rsa
|
||||
sha1, rsa
|
||||
sha224, dsa
|
||||
sha1, dsa
|
||||
sha256, dsa
|
||||
sha384, dsa
|
||||
sha512, dsa
|
||||
supported_versions, 192.168.178.80, 174.138.9.219
|
||||
TLSv13
|
||||
TLSv12
|
||||
TLSv11
|
||||
TLSv10
|
||||
psk_key_exchange_modes, 192.168.178.80, 174.138.9.219
|
||||
1
|
||||
pre_shared_key client hello, 192.168.178.80, 174.138.9.219, [[identity=Client_identity, obfuscated_ticket_age=0]], [\xdbm7\xb6\xb9\xa3\xb29C\xb5\xa3\xa4\8\x95\x94o\x8d'\xd7\x99\x91R\xea\xcb\xa82\x9cb$e\xe9]
|
||||
supported_versions, 192.168.178.80, 174.138.9.219
|
||||
TLSv13
|
||||
pre_shared_key server hello, 192.168.178.80, 174.138.9.219, 0
|
||||
|
|
BIN
testing/btest/Traces/tls/tls13_psk_succesfull.pcap
Normal file
BIN
testing/btest/Traces/tls/tls13_psk_succesfull.pcap
Normal file
Binary file not shown.
|
@ -1,5 +1,6 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
|
||||
# @TEST-EXEC: bro -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
|
||||
# @TEST-EXEC: btest-diff .stdout
|
||||
|
||||
event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
|
||||
|
@ -37,7 +38,7 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
|
|||
|
||||
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
|
||||
{
|
||||
print "supported_versions(", c$id$orig_h, c$id$resp_h;
|
||||
print "supported_versions", c$id$orig_h, c$id$resp_h;
|
||||
for ( i in versions )
|
||||
print SSL::version_strings[versions[i]];
|
||||
}
|
||||
|
@ -48,3 +49,14 @@ event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes:
|
|||
for ( i in modes )
|
||||
print modes[i];
|
||||
}
|
||||
|
||||
event ssl_extension_pre_shared_key_client_hello(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec)
|
||||
{
|
||||
print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
|
||||
|
||||
}
|
||||
|
||||
event ssl_extension_pre_shared_key_server_hello(c: connection, is_orig: bool, selected_identity: count)
|
||||
{
|
||||
print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity;
|
||||
}
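Review bot: The new `ssl_extension_pre_shared_key_client_hello` handler in this hunk has a stray blank line between its `print` statement and the closing brace, while the `ssl_extension_pre_shared_key_server_hello` handler directly below it does not; drop the blank line so the two handlers are formatted alike and match the other handlers in this test script.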
|
||||
|
|