Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Polish changes for ecdhe/dhe

Browse source
This commit is contained in:
Bernhard Amann 2014-04-27 00:09:00 -07:00
parent fb56b22cff
commit ef5b021e77
5 changed files with 24 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

30
scripts/policy/protocols/ssl/weak-keys.bro
View file

@ -10,7 +10,7 @@ module SSL;
export { export {
redef enum Notice::Type += { redef enum Notice::Type += {
## Indicates that a server is using a potentially unsafe key. ## Indicates that a server is using a potentially unsafe key.
SSL_Weak_Key, Weak_Key,
}; };
## The category of hosts you would like to be notified about which have ## The category of hosts you would like to be notified about which have
@ -52,10 +52,10 @@ event ssl_established(c: connection) &priority=3
local key_length = cert$key_length; local key_length = cert$key_length;
if ( key_length < notify_minimal_key_length ) if ( key_length < notify_minimal_key_length )
NOTICE([$note=SSL_Weak_Key, NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak certificate with %d bit key", key_length), $msg=fmt("Host uses weak certificate with %d bit key", key_length),
$conn=c, $suppress_for=1day, $conn=c, $suppress_for=1day,
$identifier=cat(c$id$orig_h, c$id$orig_p, key_length) $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
]); ]);
} }
@ -66,25 +66,25 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
local key_length = |Ys|*8; # key length in bits local key_length = |Ys|*8; # key length in bits
if ( key_length < notify_minimal_key_length ) if ( key_length < notify_minimal_key_length )
NOTICE([$note=SSL_Weak_Key, NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak DH parameters with %d key bits", key_length), $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
$conn=c, $suppress_for=1day, $conn=c, $suppress_for=1day,
$identifier=cat(c$id$orig_h, c$id$orig_p, key_length) $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
]); ]);
if ( notify_dh_length_shorter_cert_length && if ( notify_dh_length_shorter_cert_length &&
c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 && c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type && c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type &&
( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" || ( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) ) c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
{ {
if ( c$ssl$cert_chain[0]$x509$certificate?$key_length && if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
c$ssl$cert_chain[0]$x509$certificate$key_length > key_length ) c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
NOTICE([$note=SSL_Weak_Key, NOTICE([$note=Weak_Key,
$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits", $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
key_length, c$ssl$cert_chain[0]$x509$certificate$key_length), key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
$conn=c, $suppress_for=1day, $conn=c, $suppress_for=1day,
$identifier=cat(c$id$orig_h, c$id$orig_p) $identifier=cat(c$id$orig_h, c$id$orig_p)
]); ]);
} }
} }

2
src/analyzer/protocol/ssl/ssl-defs.pac
View file

@ -62,7 +62,7 @@ enum SSLExtensions {
}; };
enum ECCurveType { enum ECCurveType {
EXPLICIT_PRIME = 1, EXPLICIT_PRIME = 1,
EXPLICIT_CHAR = 2, EXPLICIT_CHAR = 2,
NAMED_CURVE = 3 NAMED_CURVE = 3
}; };

4
src/analyzer/protocol/ssl/ssl-protocol.pac
View file

@ -566,7 +566,7 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
# We also do not parse the actual signature data following the named curve. # We also do not parse the actual signature data following the named curve.
type EcServerKeyExchange(rec: SSLRecord) = record { type EcServerKeyExchange(rec: SSLRecord) = record {
curve_type: uint8; curve_type: uint8;
curve: uint16; # only if curve_type = 3 curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
data: bytestring &restofdata &transient; data: bytestring &restofdata &transient;
}; };
@ -739,7 +739,7 @@ refine connection SSL_Conn += {
function chosen_cipher() : int %{ return chosen_cipher_; %} function chosen_cipher() : int %{ return chosen_cipher_; %}
function set_cipher(cipher: int64) : bool function set_cipher(cipher: uint32) : bool
%{ %{
chosen_cipher_ = cipher; chosen_cipher_ = cipher;
return true; return true;

10
testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log → testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log
View file

@ -3,10 +3,10 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2014-04-27-06-41-50 #open 2014-04-27-07-15-32
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - 1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - 1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
1398558136.542637 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - 1398558136.542637 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
#close 2014-04-27-06-41-50 #close 2014-04-27-07-15-32

3
testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
View file

@ -1,6 +1,5 @@
# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT # @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
# @TEST-EXEC: mv notice.log notice-1.log # @TEST-EXEC: btest-diff notice.log
# @TEST-EXEC: btest-diff notice-1.log
@load protocols/ssl/weak-keys @load protocols/ssl/weak-keys