zeek/src/analyzer/protocol/ssl/proc-client-hello-tls.pac
Florian Wilkens 2d950ffde9 ssl: rudimentary decryption for TLS 1.2
Several limitations still apply:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is the only supported cipher suite
- Some tests are broken due to a failing assertion regarding bytestring
- No newly written tests for decryption (the patch was tested extensively for our paper)
- Several small open technical questions marked with FIXME
- Architecture in the ssl module might not be optimal
2021-04-19 17:38:02 +02:00


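function proc_client_hello(
	version : uint16, ts : double,
	client_random : bytestring,
	session_id : uint8[],
	cipher_suites16 : uint16[],
	cipher_suites24 : uint24[],
	compression_methods: uint8[]) : bool
	%{
	// Processes one parsed ClientHello: checks the offered version, records
	// the client random and timestamp on the connection, and raises the
	// ssl_client_hello event when a handler is registered.
	//
	// Every argument is taken from the peer's handshake message, so all of
	// it is untrusted input. Exactly one of cipher_suites16 / cipher_suites24
	// is expected to be set by the caller; compression_methods may be null.
	//
	// Always returns true.

	if ( ! version_ok(version) )
		{
		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported client SSL version 0x%04x", version));
		zeek_analyzer()->SetSkip(true);
		// NOTE(review): processing deliberately continues, so the event
		// below is still raised for a hello with an unsupported version.
		// What SetSkip() suppresses afterwards is not visible here.
		}
	else
		zeek_analyzer()->ProtocolConfirmation();

	// Record the hello's random and timestamp unconditionally. These setters
	// are defined elsewhere and presumably feed the TLS 1.2 key derivation
	// this commit adds; connection state must not depend on whether a
	// script-layer ssl_client_hello handler happens to be registered.
	set_client_random(client_random);
	set_gmt_unix_time(ts);

	if ( ! ssl_client_hello )
		return true;

	// Normalise both wire encodings of the cipher list to plain ints.
	std::vector<int> cipher_suites;

	if ( cipher_suites16 )
		std::copy(cipher_suites16->begin(), cipher_suites16->end(), std::back_inserter(cipher_suites));
	else if ( cipher_suites24 )
		// Guarded: without this check a caller passing neither list
		// would dereference a null pointer here.
		std::transform(cipher_suites24->begin(), cipher_suites24->end(), std::back_inserter(cipher_suites), to_int());

	auto cipher_vec = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);

	for ( unsigned int idx = 0; idx < cipher_suites.size(); ++idx )
		cipher_vec->Assign(idx, zeek::val_mgr->Count(cipher_suites[idx]));

	auto comp_vec = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);

	if ( compression_methods )
		{
		for ( unsigned int idx = 0; idx < compression_methods->size(); ++idx )
			comp_vec->Assign(idx, zeek::val_mgr->Count((*compression_methods)[idx]));
		}

	// The random is copied with an explicit length because it is binary
	// data and may contain NUL bytes.
	auto random_val = zeek::make_intrusive<zeek::StringVal>(
		client_random.length(),
		reinterpret_cast<const char*>(client_random.data()));

	zeek::BifEvent::enqueue_ssl_client_hello(zeek_analyzer(), zeek_analyzer()->Conn(),
	                                         version, record_version(), ts,
	                                         std::move(random_val),
	                                         {zeek::AdoptRef{}, to_string_val(session_id)},
	                                         std::move(cipher_vec), std::move(comp_vec));

	return true;
	%}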