Branch data Line data Source code
1 : : // $Id: SSLInterpreter.h 5988 2008-07-19 07:02:12Z vern $
2 : :
3 : : #ifndef sslinterpreter_h
4 : : #define sslinterpreter_h
5 : :
6 : : #include "util.h"
7 : : #include "SSLProxy.h"
8 : :
9 : : // --- forward declarations ----------------------------------------------------
10 : :
11 : : class SSLProxy_Analyzer;
12 : : class Contents_SSL;
13 : : class SSL_InterpreterEndpoint;
14 : : class SSL_DataBlock;
15 : :
16 : : // --- SSL_Interpreter --------------------------------------------------------
17 : :
18 : : /*!
19 : : * \brief This class is the abstract base-class for the different ssl
20 : : * interpreters used for the different ssl versions.
21 : : *
22 : : * Since there is currently no support in Bro for a change of the connection
23 : : * type (IMAP -> TLS, for example), we decided not to inherit from the class
24 : : * Connection. This way, we can easily switch to SSLv3x after we've seen (and
25 : : * analyzed) a SSLv2 client hello record with a version number > SSLv2.
26 : : *
27 : : * There currently two (non-abstract) interpreters: SSLv2_Interpreter and
28 : : * SSLv3_Interpreter. The first one supports SSL 2.0, the second one supports
29 : : * both SSL 3.0 and SSL 3.1/TLS 1.0.
30 : : *
31 : : * See SSLProxy_Analyzer for additional information.
32 : : */
33 : : class SSL_Interpreter {
34 : : public:
35 : : SSL_Interpreter(SSLProxy_Analyzer* proxy);
36 : : virtual ~SSL_Interpreter();
37 : :
38 : : static uint32 analyzedCertificates; ///< how often analyzeCertificate() has been called
39 : : static uint32 verifiedCertificates; ///< how many certificates have actually been verified
40 : : static uint32 failedCertificates; ///< how many certificates have failed verification
41 : : static uint32 certificateChains; ///< counter for certificate chains
42 : :
43 : : // In order to initialize the correct SSL_InterpreterEndpoints,
44 : : // override it in the corresponding subclass.
45 : : virtual void BuildInterpreterEndpoints() = 0;
46 : : virtual void Init();
47 : :
48 : : SSL_InterpreterEndpoint* Orig() const;
49 : : SSL_InterpreterEndpoint* Resp() const;
50 : : SSLProxy_Analyzer* Proxy() const;
51 : : int Is_Orig(SSL_InterpreterEndpoint* p) const;
52 : :
53 : : virtual void analyzeCertificate(SSL_InterpreterEndpoint* s,
54 : : const u_char* data, int length,
55 : : uint8 type, bool isChain);
56 : :
57 : : void Weird(const char* name) const;
58 : :
59 : : static void printStats();
60 : :
61 : : void fire_ssl_conn_attempt(uint16 sslVersion,
62 : : TableVal* currentCipherSuites);
63 : : void fire_ssl_conn_server_reply(uint16 sslVersion,
64 : : TableVal* currentCipherSuites);
65 : : void fire_ssl_conn_established(uint16 sslVersion, uint32 cipherSuite);
66 : : void fire_ssl_conn_reused(const SSL_DataBlock* pData);
67 : : void fire_ssl_conn_alert(uint16 sslVersion, uint16 level,
68 : : uint16 description);
69 : :
70 : : protected:
71 : : TableVal* MakeSessionID(const u_char* data, int len);
72 : :
73 : : SSLProxy_Analyzer* proxy;
74 : : SSL_InterpreterEndpoint* orig;
75 : : SSL_InterpreterEndpoint* resp;
76 : : };
77 : :
78 : : // --- SSL_InterpreterEndpoint ------------------------------------------------
79 : :
80 : : /*!
81 : : * \brief This abstract class represents the SSL_InterpreterEndpoints for the
82 : : * SSL_Interpreter.
83 : : *
84 : : * The key-method is Deliver() which receives the ssl records
85 : : * from the SSLProxy_Analyzer. So overwrite the Deliver()-method and do
86 : : * whatever analysis on the record content (and/or pass it to the corresponding
87 : : * SSL_Interpreter).
88 : : */
89 : : class SSL_InterpreterEndpoint {
90 : : public:
91 : : SSL_InterpreterEndpoint(SSL_Interpreter* interpreter, bool is_orig);
92 : : virtual ~SSL_InterpreterEndpoint();
93 : :
94 : : /**This method is called by corresponding SSLProxy_Analyzer and
95 : : * delivers the data.
96 : : * @param t time, when the segment was received by bro (?)
97 : : * @param len length of TCP-Segment
98 : : * @param data content of TCP-Segment
99 : : */
100 : : virtual void Deliver(int len, const u_char* data) = 0;
101 : : bool isDataPending();
102 : : void SetPeer(SSL_InterpreterEndpoint* p);
103 : : int IsOrig() const;
104 : : SSL_InterpreterEndpoint* Peer() const;
105 : : SSL_Interpreter* Interpreter() const;
106 : :
107 : 0 : Contents_SSL* GetProxyEndpoint() { return proxyEndpoint; }
108 : :
109 : : void SetProxyEndpoint(Contents_SSL* proxyEndpoint);
110 : :
111 : : protected:
112 : : SSL_Interpreter* interpreter; ///< Pointer to the SSL_Interpreter to which this endpoint belongs to
113 : : SSL_InterpreterEndpoint* peer; ///< Pointer to the peer of this endpoint
114 : : Contents_SSL* proxyEndpoint; ///< Pointer to the corresponding Contents_SSL
115 : : bool ourProxyEndpoint; // true if we need to delete the proxyEndpoint
116 : : int is_orig; ///< true if this endpoint is the originator of the connection, false otherwise
117 : : };
118 : :
119 : : // --- class CertStore --------------------------------------------------------
120 : : /*!
121 : : * \brief This class is used to store some information about a X509 certificate.
122 : : *
123 : : * To save memory, we only store some characteristic criterias about a
124 : : * certificate, that's currently it's size and a hashsum.
125 : : *
126 : : * \note This class is currently <b>experimental</b>.
127 : : */
128 : : class CertStore {
129 : : public:
130 : : uint32 ip_addr; ///< ip address where this certificate is from
131 : : uint32 port; ///< port number where this certificate is from
132 : :
133 : : int certSize; ///< size of the certificate in bytes
134 : : hash_t certHash; ///< hashsum obver the entire certificate
135 : : int isValid; ///< boolean value indicating if the certificate is valid
136 : : int changes; ///< counter for how often this certificate has changed for the above ip + port number
137 : :
138 : : CertStore(uint32 ip, uint32 port, hash_t hash, int size);
139 : : bool isSameCert(hash_t hash, int length);
140 : : };
141 : :
142 : : #endif
|