Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Spicy-TLS: address review feedback re convert-functions

Browse source 
This switches convert-functions from being called in the evt file to
being called directly in the spicy file.

See GH-3765 for details.
This commit is contained in:
Johanna Amann 2024-07-17 12:44:14 +01:00
parent 4acd0297b0
commit f36be3dafc
2 changed files with 37 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/analyzer/protocol/ssl/spicy/SSL.evt
View file

@ -17,7 +17,7 @@ on SSL::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, SSL::get
on SSL::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, SSL::get_direction(sh), self.ec_point_format_list); on SSL::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, SSL::get_direction(sh), self.ec_point_format_list);
on SSL::ServerNameList -> event ssl_extension_server_name($conn, SSL::get_direction(sh), SSL::convert_server_names(self)); on SSL::ServerNameList -> event ssl_extension_server_name($conn, SSL::get_direction(sh), self.server_name_list);
on SSL::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket); on SSL::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
@ -33,15 +33,15 @@ on SSL::Extension -> event ssl_extension($conn, SSL::get_direction(sh), self.cod
on SSL::Handshake_message::length -> event ssl_handshake_message($conn, SSL::get_direction(sh), self.msg_type, self.length); on SSL::Handshake_message::length -> event ssl_handshake_message($conn, SSL::get_direction(sh), self.msg_type, self.length);
on SSL::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, SSL::get_direction(sh), SSL::convert_signature_algorithms(self)); on SSL::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, SSL::get_direction(sh), self.supported_signature_algorithms_converted);
on SSL::ServerHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.keyshare.namedgroup,)); on SSL::ServerHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.keyshare.namedgroup,));
on SSL::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.namedgroup,)); on SSL::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.namedgroup,));
on SSL::ClientHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), SSL::convert_clienthellokeyshare(self)); on SSL::ClientHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), self.named_groups);
on SSL::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, SSL::get_direction(sh), SSL::convert_identities(self.identities), SSL::convert_binders(self.binders)); on SSL::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, SSL::get_direction(sh), self.identities, self.binders);
on SSL::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, SSL::get_direction(sh), self.selected_identity); on SSL::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, SSL::get_direction(sh), self.selected_identity);
@ -62,7 +62,7 @@ on SSL::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
on SSL::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms); on SSL::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
on SSL::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, SSL::get_direction(sh), SSL::convert_protocol_name_list(self)); on SSL::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, SSL::get_direction(sh), self.protocol_name_list);
on SSL::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, SSL::get_direction(sh), self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature); on SSL::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, SSL::get_direction(sh), self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
@ -78,7 +78,7 @@ on SSL::Heartbeat -> event ssl_heartbeat($conn, SSL::get_direction(sh), length,
on SSL::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response); on SSL::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
on SSL::CertificateRequest if ( SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::convert_signature_algorithms(self.supported_signature_algorithms), SSL::convert_certificate_authorities(self)); on SSL::CertificateRequest if ( SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, self.supported_signature_algorithms.supported_signature_algorithms_converted, self.certificate_authorities);
on SSL::CertificateRequest if ( ! SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::create_empty_sigmature_algorithms(), SSL::convert_certificate_authorities(self)); on SSL::CertificateRequest if ( ! SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::create_empty_sigmature_algorithms(), self.certificate_authorities);
on SSL::DirectionCheck::%done if ( self.was_flipped ) -> event ssl_connection_flipped($conn); on SSL::DirectionCheck::%done if ( self.was_flipped ) -> event ssl_connection_flipped($conn);

50
src/analyzer/protocol/ssl/spicy/SSL.spicy
View file

@ -870,7 +870,7 @@ type CertificateRequest = unit(sh: Share) {
False -> : bytes &size=0; False -> : bytes &size=0;
}; };
certificate_authorities_len: uint16; certificate_authorities_len: uint16;
certificate_authorities: CertificateAuthority[] &size=self.certificate_authorities_len; certificate_authorities: CertificateAuthority[] &size=self.certificate_authorities_len &convert=convert_certificate_authorities($$);
}; };
type CertificateAuthority = unit { type CertificateAuthority = unit {
@ -1059,8 +1059,8 @@ type PSKBindersList = unit {
}; };
type OfferedPsks = unit(sh: Share) { type OfferedPsks = unit(sh: Share) {
identities: PSKIdentitiesList; identities: PSKIdentitiesList &convert=convert_identities($$);
binders: PSKBindersList; binders: PSKBindersList &convert=convert_binders($$);
}; };
type PreSharedKey = unit(sh: Share, client_hello: bool) { type PreSharedKey = unit(sh: Share, client_hello: bool) {
@ -1121,6 +1121,11 @@ type ServerHelloKeyShareChoice = unit(sh: Share, length: uint16) {
type ClientHelloKeyShare = unit(sh: Share) { type ClientHelloKeyShare = unit(sh: Share) {
length: uint16; length: uint16;
keyshares : KeyShareEntry[] &size=self.length; keyshares : KeyShareEntry[] &size=self.length;
var named_groups: vector<uint16>;
on keyshares {
self.named_groups = convert_clienthellokeyshare(self.keyshares);
}
}; };
type KeyShare = unit(client_hello: bool, sh: Share, length: uint16) { type KeyShare = unit(client_hello: bool, sh: Share, length: uint16) {
@ -1170,7 +1175,7 @@ type ProtocolName = unit {
type ProtocolNameList = unit(sh: Share) { type ProtocolNameList = unit(sh: Share) {
length: uint16; length: uint16;
protocol_name_list: ProtocolName[] &size=self.length; protocol_name_list: ProtocolName[] &size=self.length &convert=convert_protocol_name_list($$);
}; };
type ServerName = unit { type ServerName = unit {
@ -1187,7 +1192,7 @@ type ServerName = unit {
type ServerNameList = unit(sh: Share) { type ServerNameList = unit(sh: Share) {
length: uint16; length: uint16;
server_name_list: ServerName[] &size=self.length; server_name_list: ServerName[] &size=self.length &convert=SSL::convert_server_names($$);
}; };
type EcPointsFormat_extension = unit(sh: Share) { type EcPointsFormat_extension = unit(sh: Share) {
@ -1200,16 +1205,21 @@ type EllipticCurveList = unit(sh: Share) {
elliptic_curve_list: uint16[self.length/2]; # when possible - convert to enum elliptic_curve_list: uint16[self.length/2]; # when possible - convert to enum
}; };
type SignatureAlgorithms = unit(sh: Share) {
length: uint16;
supported_signature_algorithms: SignatureAndHashAlgorithm[] &size=self.length;
};
type SignatureAndHashAlgorithm = unit { type SignatureAndHashAlgorithm = unit {
hash: uint8; # &convert=HashAlgorithm($$); hash: uint8; # &convert=HashAlgorithm($$);
signature: uint8; # &convert=SignatureAlgorithm($$); signature: uint8; # &convert=SignatureAlgorithm($$);
}; };
type SignatureAlgorithms = unit(sh: Share) {
length: uint16;
supported_signature_algorithms: SignatureAndHashAlgorithm[] &size=self.length;
var supported_signature_algorithms_converted: vector<tuple<uint8, uint8>>;
on supported_signature_algorithms {
self.supported_signature_algorithms_converted = convert_signature_algorithms(self.supported_signature_algorithms);
}
};
type RenegotiationInfo = unit { type RenegotiationInfo = unit {
length: uint8; length: uint8;
renegotiated_connection: bytes &size=self.length; renegotiated_connection: bytes &size=self.length;
@ -1749,18 +1759,18 @@ type SingleCertificate = unit {
import zeek; import zeek;
public function convert_server_names(snl: SSL::ServerNameList) : vector<bytes> { public function convert_server_names(snl: vector<ServerName>) : vector<bytes> {
local out: vector<bytes>; local out: vector<bytes>;
for ( i in snl.server_name_list ) for ( i in snl )
out.push_back(i.host_name); out.push_back(i.host_name);
return out; return out;
} }
public function convert_signature_algorithms(sa: SSL::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> { public function convert_signature_algorithms(sa: vector<SignatureAndHashAlgorithm>) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
local out: vector<tuple<uint8, uint8>>; local out: vector<tuple<uint8, uint8>>;
for ( i in sa.supported_signature_algorithms ) for ( i in sa )
out.push_back(tuple(i.hash, i.signature)); out.push_back(tuple(i.hash, i.signature));
return out; return out;
@ -1771,10 +1781,10 @@ public function create_empty_sigmature_algorithms() : vector<tuple<HashAlgorithm
return out; return out;
} }
public function convert_clienthellokeyshare(ks: SSL::ClientHelloKeyShare) : vector<uint16> { public function convert_clienthellokeyshare(ks: vector<KeyShareEntry>) : vector<uint16> {
local out: vector<uint16>; local out: vector<uint16>;
for ( i in ks.keyshares ) for ( i in ks )
out.push_back(i.namedgroup); out.push_back(i.namedgroup);
return out; return out;
@ -1796,16 +1806,16 @@ public function convert_identities(id: SSL::PSKIdentitiesList) : vector<tuple<id
return out; return out;
} }
public function convert_protocol_name_list(pns: SSL::ProtocolNameList) : vector<bytes> { public function convert_protocol_name_list(pns: vector<ProtocolName>) : vector<bytes> {
local out: vector<bytes>; local out: vector<bytes>;
for ( i in pns.protocol_name_list ) for ( i in pns )
out.push_back(i.name); out.push_back(i.name);
return out; return out;
} }
public function convert_certificate_authorities(c: SSL::CertificateRequest) : vector<bytes> { public function convert_certificate_authorities(c: vector<CertificateAuthority>) : vector<bytes> {
local out: vector<bytes>; local out: vector<bytes>;
for ( i in c.certificate_authorities ) for ( i in c )
out.push_back(i.certificate_authority); out.push_back(i.certificate_authority);
return out; return out;
} }