mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 02:58:20 +00:00
e14eddeb97
This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
65 lines
1.6 KiB
C++
65 lines
1.6 KiB
C++
#pragma once
|
|
|
|
#include "zeek/analyzer/protocol/ssl/events.bif.h"
|
|
|
|
namespace binpac
|
|
{
|
|
namespace DTLS
|
|
{
|
|
class SSL_Conn;
|
|
}
|
|
}
|
|
namespace binpac
|
|
{
|
|
namespace TLSHandshake
|
|
{
|
|
class Handshake_Conn;
|
|
}
|
|
}
|
|
|
|
namespace zeek::analyzer::dtls
|
|
{
|
|
|
|
class DTLS_Analyzer final : public analyzer::Analyzer
|
|
{
|
|
public:
|
|
explicit DTLS_Analyzer(Connection* conn);
|
|
~DTLS_Analyzer() override;
|
|
|
|
// Overriden from Analyzer.
|
|
void Done() override;
|
|
void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip,
|
|
int caplen) override;
|
|
void EndOfData(bool is_orig) override;
|
|
|
|
void SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length,
|
|
const u_char* begin, const u_char* end, bool orig);
|
|
// Get the TLS version that the server chose. 0 if not yet known.
|
|
uint16_t GetNegotiatedVersion() const;
|
|
|
|
static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); }
|
|
|
|
/**
|
|
* Check if the connection is flipped--meaning that the TLS client is the responder of the
|
|
* connection.
|
|
*
|
|
* @return True if connection is flipped.
|
|
*/
|
|
bool GetFlipped();
|
|
|
|
/**
|
|
* Try to decrypt TLS application data from a packet.
|
|
*
|
|
* For DTLS, this operation is not currently implemented and this function will
|
|
* always return false.
|
|
*
|
|
**/
|
|
bool TryDecryptApplicationData(int len, const u_char* data, bool is_orig, uint8_t content_type,
|
|
uint16_t raw_tls_version);
|
|
|
|
protected:
|
|
binpac::DTLS::SSL_Conn* interp;
|
|
binpac::TLSHandshake::Handshake_Conn* handshake_interp;
|
|
};
|
|
|
|
} // namespace zeek::analyzer::dtls
|