
This commit mostly does a lot of refactoring of the current SSL analyzer, which is split into several parts. The handshake protocol is completely taken out of the SSL analyzer and refactored into its own analyzer (called tls-handshake-analyzer). This will also (finally) make it possible to deal with TLS record fragmentation. Apart from that, the parts of the SSL analyzer that are common to DTLS were split into their own pac files. Both the SSL analyzer and the (very basic, mostly nonfunctional) DTLS analyzer use their own pac files plus those shared pac files. All SSL tests still pass after the refactoring, so I hope I did not break anything too badly. At the moment, we have two different modules in one directory, and I guess the way I am doing this might be an abuse of the system. It seems to work, though...
# Analyzer for SSL (Bro-specific part).
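refine connection SSL_Conn += {

	%include proc-client-hello.pac
	%include proc-server-hello.pac
	%include proc-certificate.pac

	# SSLv2 server hellos carry a single certificate. Wrap it in a
	# one-element list so the shared proc_certificate handler (in
	# proc-certificate.pac) can be reused unchanged.
	#
	# is_orig: direction of the record carrying the certificate.
	# cert:    raw certificate bytes from the V2ServerHello.
	# Returns whatever proc_certificate returns.
	function proc_v2_certificate(is_orig: bool, cert : bytestring) : bool
		%{
		// Stack-owned list instead of new/delete: nothing to free by
		// hand and no leak if proc_certificate throws. proc_certificate
		// only borrows the list for the duration of the call.
		vector<bytestring> cert_list(1, cert);
		return proc_certificate(is_orig, &cert_list);
		%}

	# Raises ssl_established when the SSLv2 client master key is seen.
	# rec and cipher_kind are part of the interface but currently unused.
	function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
		%{
		BifEvent::generate_ssl_established(bro_analyzer(),
						bro_analyzer()->Conn());
		return true;
		%}

	# Hands one handshake message to the handshake analyzer attached to
	# bro_analyzer(); reassembly and parsing happen there, not here.
	#
	# msg_type: handshake message type byte.
	# length:   24-bit body length as parsed from the record.
	# data:     message body bytes; only [begin, end) is forwarded.
	# is_orig:  direction of the carrying record.
	# Always returns true. rec is currently unused.
	function proc_handshake(rec: SSLRecord, msg_type: uint8, length: uint24, data: bytestring, is_orig: bool) : bool
		%{
		// Leftover stderr debug prints were dropped here: they fired on
		// every handshake message and printed a pointer difference with
		// a %u conversion.
		bro_analyzer()->SendHandshake(msg_type, to_int()(length), data.begin(), data.end(), is_orig);
		return true;
		%}
};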
# SSLv2 error records are routed through the shared alert handler.
# The -1 is passed where the alert level would go — presumably a
# "no level in v2" marker; confirm against proc_alert in the shared pac.
refine typeattr V2Error += &let {
	proc : bool = $context.connection.proc_alert(rec, -1, error_code);
};
# SSLv2 client hello feeds the shared client-hello handler. The literal
# zeros fill positional arguments the v2 message has no field for —
# verify their meaning against proc_client_hello in proc-client-hello.pac.
refine typeattr V2ClientHello += &let {
	proc : bool = $context.connection.proc_client_hello(client_version, 0,
				challenge, session_id, 0, ciphers);
};
# SSLv2 server hello. The version check is evaluated first; the hello
# and certificate handlers run only when it passes (&requires fixes the
# evaluation order, &if gates the call).
refine typeattr V2ServerHello += &let {
	check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version);

	# Zeros fill positional arguments the v2 message has no field for —
	# verify against proc_server_hello in proc-server-hello.pac.
	proc : bool = $context.connection.proc_server_hello(server_version, 0,
				conn_id_data, 0, 0, ciphers, 0) &requires(check_v2) &if(check_v2 == true);

	# The certificate is only processed after the hello itself was
	# handled, and never for a record that failed the version check.
	cert : bool = $context.connection.proc_v2_certificate(rec.is_orig, cert_data)
			&requires(proc) &requires(check_v2) &if(check_v2 == true);
};
# SSLv2 client master key: delegates to the connection-level handler,
# which raises ssl_established.
refine typeattr V2ClientMasterKey += &let {
	proc : bool = $context.connection.proc_v2_client_master_key(rec, cipher_kind);
};
# Every parsed handshake message is forwarded, with the direction of
# its carrying record, to the handshake analyzer via proc_handshake.
refine typeattr Handshake += &let {
	proc : bool = $context.connection.proc_handshake(rec, msg_type, length, data, rec.is_orig);
};