Change end-of-connection handling for validation

Move from using CCS (before: established) to just doing certificate
validation at the end of the connection.

This is (again) more robust in the case of aborted connections. I am
moving this into a hook because of the complexity of the
end-of-connection handling for SSL.

This should probably be extended to not just handle SSL validation, but
all other logging constructs that are currently called in _established.
Johanna Amann 2017-05-11 22:50:20 -07:00
parent a334247478
commit eb50b3fed1
3 changed files with 17 additions and 15 deletions


@ -103,6 +103,9 @@ export {
## Event that can be handled to access the SSL ## Event that can be handled to access the SSL
## record as it is sent on to the logging framework. ## record as it is sent on to the logging framework.
global log_ssl: event(rec: Info); global log_ssl: event(rec: Info);
# do everything you want to do right before logging here
global ssl_finishing: hook(c: connection);
} }
redef record connection += { redef record connection += {
@ -294,11 +297,22 @@ event ssl_established(c: connection) &priority=7
c$ssl$established = T; c$ssl$established = T;
} }
event ssl_established(c: connection) &priority=20
{
hook ssl_finishing(c);
}
event ssl_established(c: connection) &priority=-5 event ssl_established(c: connection) &priority=-5
{ {
finish(c, T); finish(c, T);
} }
event connection_state_remove(c: connection) &priority=20
{
if ( c?$ssl && ! c$ssl$logged )
hook ssl_finishing(c);
}
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection) &priority=-5
{ {
if ( c?$ssl ) if ( c?$ssl )
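Review bot: The new `ssl_finishing` hook declared at the top of this section carries only `# do everything you want to do right before logging here`, which says neither when it fires nor how often; the two new handlers show it is invoked from ssl_established at priority 20 and, for connections whose `c$ssl$logged` is still unset, from connection_state_remove at priority 20. I would replace that comment with `## Invoked right before the SSL record is logged: from ssl_established for completed` / `## handshakes, or from connection_state_remove for connections that were never logged.` / `## Order handlers with &priority relative to the certificate-validation handlers.` Whether a single connection can reach both call sites depends on finish() setting `c$ssl$logged`, which is outside this hunk, so the comment should promise at-most-once invocation only if that is confirmed. The connection_state_remove handler at priority -5 at the end of the hunk continues outside it.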


@ -136,17 +136,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result
return result; return result;
} }
# The server issues CCS only after sending the certificates. This should hook ssl_finishing(c: connection) &priority=20
# be more robust than using SSL_established, on the off chance that we don't
# get that event.
#
# This is not TLSv1.3 compatible - but we will not have certificates in
# that case in any way, so it even saves us a few cycles.
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3
{ {
if ( is_orig )
return;
# If there aren't any certs we can't very well do certificate validation. # If there aren't any certs we can't very well do certificate validation.
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 ) ! c$ssl$cert_chain[0]?$x509 )
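Review bot: The replacement handler `hook ssl_finishing(c: connection) &priority=20` on the new side drops the six-line comment that explained why validation was tied to the change-cipher-spec message and gets no comment of its own, so the reason for choosing priority 20 (running ahead of the other ssl_finishing handlers and before the record is logged) is now only recoverable from the other changed files. I would add above it `# Validate the server certificate chain when the connection is finishing, so the result reaches` / `# the log even for aborted connections. Priority 20 runs this before other ssl_finishing handlers.` Because the hook is now also reached from connection_state_remove, an aborted handshake may present a truncated chain; presumably that yields a validation failure in the log rather than a skipped validation, which is worth stating in the comment if confirmed. The handler body continues past the end of the hunk.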


@ -84,12 +84,9 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log
c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src);
} }
# Priority = 2 will be handled after validation is done # Priority = 19 will be handled after validation is done
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 hook ssl_finishing(c: connection) &priority=19
{ {
if ( is_orig )
return;
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
return; return;