mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
bea3075c1f
This commit changes the logic that is used to tracks connection establishment - and moves it from scriptland into the core. TLS 1.3 connection establishment is much more finnicky for us than the establishment of earlier versions - since we cannot rely on the CCS message anymore (which is meaningless and not sent in a lot of cases). With this commit, the ssl_encrypted_data message gets raised for encrypted TLS 1.3 handshake messages - which is much more correct than the behavior before that just interpreted them as plaintext messages. I will refine this a bit more - at the moment the connection established event happens a bit too early - earlier than TLS 1.3 connections actually can be estasblished. Part of GH-1323
99 lines
2.3 KiB
C++
99 lines
2.3 KiB
C++
#include "zeek/analyzer/protocol/ssl/SSL.h"
|
|
|
|
#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
|
|
#include "zeek/Reporter.h"
|
|
#include "zeek/util.h"
|
|
|
|
#include "analyzer/protocol/ssl/events.bif.h"
|
|
#include "analyzer/protocol/ssl/ssl_pac.h"
|
|
#include "analyzer/protocol/ssl/tls-handshake_pac.h"
|
|
|
|
namespace zeek::analyzer::ssl {
|
|
|
|
SSL_Analyzer::SSL_Analyzer(Connection* c)
|
|
: analyzer::tcp::TCP_ApplicationAnalyzer("SSL", c)
|
|
{
|
|
interp = new binpac::SSL::SSL_Conn(this);
|
|
handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this);
|
|
had_gap = false;
|
|
}
|
|
|
|
SSL_Analyzer::~SSL_Analyzer()
|
|
{
|
|
delete interp;
|
|
delete handshake_interp;
|
|
}
|
|
|
|
void SSL_Analyzer::Done()
|
|
{
|
|
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
|
|
|
|
interp->FlowEOF(true);
|
|
interp->FlowEOF(false);
|
|
handshake_interp->FlowEOF(true);
|
|
handshake_interp->FlowEOF(false);
|
|
}
|
|
|
|
void SSL_Analyzer::EndpointEOF(bool is_orig)
|
|
{
|
|
analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
|
|
interp->FlowEOF(is_orig);
|
|
handshake_interp->FlowEOF(is_orig);
|
|
}
|
|
|
|
void SSL_Analyzer::StartEncryption()
|
|
{
|
|
interp->startEncryption(true);
|
|
interp->startEncryption(false);
|
|
interp->setEstablished();
|
|
}
|
|
|
|
uint16_t SSL_Analyzer::GetNegotiatedVersion() const
|
|
{
|
|
return handshake_interp->chosen_version();
|
|
}
|
|
|
|
void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
|
|
{
|
|
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
|
|
|
|
assert(TCP());
|
|
if ( TCP()->IsPartial() )
|
|
return;
|
|
|
|
if ( had_gap )
|
|
// If only one side had a content gap, we could still try to
|
|
// deliver data to the other side if the script layer can handle this.
|
|
return;
|
|
|
|
try
|
|
{
|
|
interp->NewData(orig, data, data + len);
|
|
}
|
|
catch ( const binpac::Exception& e )
|
|
{
|
|
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
|
|
}
|
|
}
|
|
|
|
void SSL_Analyzer::SendHandshake(uint16_t raw_tls_version, const u_char* begin, const u_char* end, bool orig)
|
|
{
|
|
handshake_interp->set_record_version(raw_tls_version);
|
|
try
|
|
{
|
|
handshake_interp->NewData(orig, begin, end);
|
|
}
|
|
catch ( const binpac::Exception& e )
|
|
{
|
|
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
|
|
}
|
|
}
|
|
|
|
void SSL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
|
|
{
|
|
analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
|
|
had_gap = true;
|
|
interp->NewGap(orig, len);
|
|
}
|
|
|
|
} // namespace zeek::analyzer::ssl
|