mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
e14eddeb97
This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
63 lines
2.2 KiB
Text
63 lines
2.2 KiB
Text
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/chrome-34-google.trace %INPUT
|
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
|
|
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
|
|
# @TEST-EXEC: btest-diff .stdout
|
|
|
|
@load base/protocols/ssl
|
|
|
|
event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
|
|
{
|
|
print "Curves", c$id$orig_h, c$id$resp_h;
|
|
for ( i in curves )
|
|
print SSL::ec_curves[curves[i]];
|
|
}
|
|
|
|
event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
|
|
{
|
|
print "Point formats", c$id$orig_h, c$id$resp_h, is_client;
|
|
for ( i in point_formats )
|
|
print SSL::ec_point_formats[point_formats[i]];
|
|
}
|
|
|
|
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec)
|
|
{
|
|
print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
|
|
}
|
|
|
|
event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec)
|
|
{
|
|
print "server_name", c$id$orig_h, c$id$resp_h, names;
|
|
}
|
|
|
|
event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: vector of SSL::SignatureAndHashAlgorithm)
|
|
{
|
|
print "signature_algorithm", c$id$orig_h, c$id$resp_h;
|
|
for ( i in signature_algorithms)
|
|
{
|
|
print SSL::hash_algorithms[signature_algorithms[i]$HashAlgorithm], SSL::signature_algorithms[signature_algorithms[i]$SignatureAlgorithm];
|
|
}
|
|
}
|
|
|
|
event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
|
|
{
|
|
print "supported_versions", c$id$orig_h, c$id$resp_h;
|
|
for ( i in versions )
|
|
print SSL::version_strings[versions[i]];
|
|
}
|
|
|
|
event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
|
|
{
|
|
print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h;
|
|
for ( i in modes )
|
|
print modes[i];
|
|
}
|
|
|
|
event ssl_extension_pre_shared_key_client_hello(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec)
|
|
{
|
|
print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
|
|
}
|
|
|
|
event ssl_extension_pre_shared_key_server_hello(c: connection, is_client: bool, selected_identity: count)
|
|
{
|
|
print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity;
|
|
}
|