mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 11:08:20 +00:00
232777ca9b
In TLS 1.3, the ChangeCipherSpec message is meaningless; it only is included to convince middleboxes that the devices actually are speaking TLS 1.2. Nowadays some TLS 1.3 implementations also just don't send the packet. In a push to unify our handling of TLS 1.3 connections - ignore CCS and always go with application data packet counting to determine if connections are or are not encrypted.
75 lines
2.3 KiB
C++
75 lines
2.3 KiB
C++
#include "zeek/analyzer/protocol/ssl/DTLS.h"
|
|
#include "zeek/Reporter.h"
|
|
#include "zeek/util.h"
|
|
|
|
#include "analyzer/protocol/ssl/events.bif.h"
|
|
#include "analyzer/protocol/ssl/dtls_pac.h"
|
|
#include "analyzer/protocol/ssl/tls-handshake_pac.h"
|
|
|
|
namespace zeek::analyzer::dtls {
|
|
|
|
DTLS_Analyzer::DTLS_Analyzer(Connection* c)
|
|
: analyzer::Analyzer("DTLS", c)
|
|
{
|
|
interp = new binpac::DTLS::SSL_Conn(this);
|
|
handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this);
|
|
}
|
|
|
|
DTLS_Analyzer::~DTLS_Analyzer()
|
|
{
|
|
delete interp;
|
|
delete handshake_interp;
|
|
}
|
|
|
|
void DTLS_Analyzer::Done()
|
|
{
|
|
Analyzer::Done();
|
|
interp->FlowEOF(true);
|
|
interp->FlowEOF(false);
|
|
handshake_interp->FlowEOF(true);
|
|
handshake_interp->FlowEOF(false);
|
|
}
|
|
|
|
void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip, int caplen)
|
|
{
|
|
Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
|
|
|
|
// In this case the packet is a STUN packet. Skip it without complaining.
|
|
if ( len > 20 && data[4] == 0x21 && data[5] == 0x12 && data[6] == 0xa4 && data[7] == 0x42 )
|
|
return;
|
|
|
|
interp->NewData(orig, data, data + len);
|
|
}
|
|
|
|
void DTLS_Analyzer::EndOfData(bool is_orig)
|
|
{
|
|
Analyzer::EndOfData(is_orig);
|
|
interp->FlowEOF(is_orig);
|
|
handshake_interp->FlowEOF(is_orig);
|
|
}
|
|
|
|
uint16_t DTLS_Analyzer::GetNegotiatedVersion() const
|
|
{
|
|
return handshake_interp->chosen_version();
|
|
}
|
|
|
|
void DTLS_Analyzer::SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig)
|
|
{
|
|
handshake_interp->set_record_version(raw_tls_version);
|
|
try
|
|
{
|
|
handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);
|
|
uint32_t host_length = htonl(length);
|
|
// the parser inspects a uint24_t - since it is big-endian, it should be ok to just skip
|
|
// the first byte of the uint32_t. Since we get the data from an uint24_t from the dtls-parser, this should
|
|
// always yield the correct result.
|
|
handshake_interp->NewData(orig, (const unsigned char*) &host_length + 1, (const unsigned char*) &host_length + sizeof(host_length));
|
|
handshake_interp->NewData(orig, begin, end);
|
|
}
|
|
catch ( const binpac::Exception& e )
|
|
{
|
|
ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
|
|
}
|
|
}
|
|
|
|
} // namespace zeek::analyzer::dtls
|