Merge remote-tracking branch 'origin/master' into topic/johanna/spicy-tls

* origin/master: (200 commits)
  Update link to slack in README.md
  Update bifcl, binpac, and broker repos for cmake changes
  bison_target argument changes from HEADER to DEFINES_FILE
  Update cmake submodule [nomail]
  Start of 6.1.0 development
  Switch broker submodule back to master
  Update broker submodule to 2.6.0 release tag [nomail] [skip ci]
  Update docs submodule [nomail] [skip ci]
  Updating CHANGES and VERSION.
  Update baseline for coverage.test-all-policy-cluster test
  catch-and-release: Mark cr_check_rule as is_used
  Add test-all-policy-cluster
  Revert "Merge remote-tracking branch 'origin/topic/vern/at-if-analyze'"
  Simplify code generated for Spicy analyzer port ranges.
  Register test analyzer only for required ports.
  Update doc submodule [nomail] [skip ci]
  Update broker submodule [nomail]
  Update ZeekJS submodule to 0.9.1
  Fix disappearing unit fields in Spicy type export.
  Bump cluster testsuite to latest main
  ...
Johanna Amann 2023-06-01 14:41:10 +02:00
commit 0d462c37fa
684 changed files with 18065 additions and 3963 deletions


@ -68,6 +68,9 @@ export {
## Flag to indicate if this record already has been logged, to
## prevent duplicates.
logged: bool &default=F;
## Flag to indicate that we have seen a Hello Retry request message.
## Used internally for ssl_history logging
hrr_seen: bool &default=F;
## SSL history showing which types of packets we received in which order.
## Letters have the following meaning with client-sent letters being capitalized:
@ -283,6 +286,10 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
}
c$ssl$cipher = cipher_desc[cipher];
# Check if this is a hello retry request. A magic value in the random is used to signal this
if ( server_random == "\xCF\x21\xAD\x74\xE5\x9A\x61\x11\xBE\x1D\x8C\x02\x1E\x65\xB8\x91\xC2\xA2\x11\x16\x7A\xBB\x8C\x5E\x07\x9E\x09\xE2\xC8\xA8\x33\x9C" )
c$ssl$hrr_seen = T;
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
c$ssl$resumed = T;
}
@ -360,7 +367,14 @@ event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, len
add_to_history(c, is_client, "c");
break;
case SSL::SERVER_HELLO:
add_to_history(c, is_client, "s");
if ( c$ssl$hrr_seen )
{
# the server_hello event is raised first, and sets the flag
add_to_history(c, is_client, "j");
c$ssl$hrr_seen = F;
}
else
add_to_history(c, is_client, "s");
break;
case SSL::HELLO_VERIFY_REQUEST:
add_to_history(c, is_client, "v");
@ -512,7 +526,11 @@ event ssl_plaintext_data(c: connection, is_client: bool, record_version: count,
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
{
# if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
# if ( info$c?$ssl )
# finish(info$c, T);
# if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
# if ( info$c?$ssl )
# {
# # analyzer errored out; prevent us from trying to remove it later
# delete info$c$ssl$analyzer_id;
# finish(info$c, F);
# }
}
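Review bot: In the last hunk the body of `analyzer_violation_info` is still entirely commented out after the merge, so the handler does nothing when a violation is reported: `analyzer_id` is not cleared and `finish()` is not called from here. Connections whose handshake fails to parse are the ones that malformed or deliberately odd TLS traffic produces, so it is worth confirming they still reach the log by another path; whether they do is not visible in this section. If the block is disabled only while the analyzer is being ported (the branch name suggests this, but the page does not say so), state it in place, for example `# TODO(spicy-tls): disabled until the tag check matches the new analyzer; re-enable before this lands on master`. Otherwise the dead code reads like an oversight.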