From 1ede6bf7fe4df38b694959bf7bfd80715e3b6cd0 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Sat, 9 Sep 2017 22:25:49 -0700
Subject: [PATCH] Add TLS 1.3 fix and testcase.

It turns out that Chrome supports an experimental mode to support TLS 1.3, which uses a non-standard way to negotiate TLS 1.3 with a server. This non-standard way to negotiate TLS 1.3 breaks the current draft RFC and re-uses an extension on the server-side with a different binary formatting, causing us to throw a binpac exception. This patch ignores the extension when sent by the server, continuing to correctly parse the server_hello reply (as far as possible). From what I can tell this seems to be google working around the fact that MITM equipment cannot deal with TLS 1.3 server hellos; this change makes the fact that TLS 1.3 is used completely opaque unless one looks into a few extensions. We currently log this as TLS 1.2.

---
 .../protocol/ssl/tls-handshake-protocol.pac | 7 ++++++-
 .../.stdout | 1 +
 .../ssl.log | 10 ++++++++++
 ...hrome-63.0.3211.0-canary-tls_experiment.pcap | Bin 0 -> 5317 bytes
 .../base/protocols/ssl/tls13-experiment.test | 16 ++++++++++++++++
 5 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log
 create mode 100644 testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/tls13-experiment.test

diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 6a1988111e..febfce68b9 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -487,7 +487,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
 EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0);
 EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0);
 EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0);
- EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0);
+ EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
 EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
 default -> data: bytestring &restofdata;
 };
@@ -495,6 +495,11 @@ type SSLExtension(rec: HandshakeRecord) = record {
 %include tls-handshake-signed_certificate_timestamp.pac
+type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of {
+ true -> a: SupportedVersions(rec);
+ false -> b: bytestring &length=data_len &transient;
+}
 type SupportedVersions(rec: HandshakeRecord) = record {
 length: uint8;
 versions: uint16[] &until($input.length() == 0);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout
new file mode 100644
index 0000000000..0b7bcb5742
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout
@@ -0,0 +1 @@
+7e01
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log
new file mode 100644
index 0000000000..c88237dd18
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log
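Review bot: The `false` branch of the new SupportedVersionsSelector type in the second hunk swallows the server's supported_versions payload as transient bytes, so the version the server actually selected is discarded and the connection is logged as TLS 1.2, as the description concedes; for anyone relying on ssl.log's version field to see TLS 1.3 use or downgrades this is a silent blind spot. The `7e01` in the new .stdout baseline suggests the server-side payload is a single two-byte version, so parsing it as a `uint16` when `data_len == 2` and only falling back to opaque bytes otherwise would keep the value available for later logging without reintroducing the binpac exception, though surfacing it to script-land is outside these hunks. Independently of that, a comment on the type explaining why the server side is handled differently would spare the next reader a trip to the commit log, e.g. `# Chrome's TLS 1.3 experiment reuses this extension in the ServerHello with a different encoding; don't feed it to the ClientHello parser.`. The SSLExtension record edited in the first hunk begins outside the hunk.
```binpac
type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of {
	true  -> a: SupportedVersions(rec);
	false -> b: ServerSupportedVersion(rec, data_len);
}

# ServerHello side: keep a two-byte selected version; treat any other length as opaque.
type ServerSupportedVersion(rec: HandshakeRecord, data_len: uint16) = case data_len of {
	2       -> selected_version: uint16;
	default -> opaque: bytestring &length=data_len &transient;
}
```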
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2017-09-10-05-23-15
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1505019126.007778 CHhAvVGS1DHFjwGM9 192.168.0.2 62873 104.196.219.53 443 TLSv12 TLS_AES_128_GCM_SHA256 x25519 tls.ctf.network T - - T - - - - - -
+#close 2017-09-10-05-23-16
diff --git a/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap b/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2b8040b10907ac1de7dc37ddab9c21bb8cbd7595 GIT binary patch literal 5317 zcmdUzcUTkMwudJPB~)nvM0)QXLg*j@QX)l^&_sGuiXb2;Afli^01*h%5g{~DdJ#gA zqJW}QK@m}USER$4=)K?f=y&cpf8UvB<(bLOe%G44e|u%G8Ek)+3k67kzYh`s0^V$P zRAC5|v;Z2sCfXoL-!@NgkW6c*MjISB1pu1uq?&*x*%ews5dd}T7+2WDK^jL*@mGkX z3h2?1StS5KNl2?8Fc>KW0;iN+l*=Kukw5|92S`6)2LJ=`o@l?gzkGmnZa@`u0LYVR zZ4=2v50J)9TnuSBGw8uThv72tSnnr2mIMl?v<+-nC(=Pr@PS4{Y$t)iNk|~1 zFgPhG1WrZKRV-8ncGR%u{nf0_+3>BLyh`O(OAOECgsH1%BF}MA9k*H<2i0|9=tH?0zSLLItjYlD`Ur z6^l)ry#ZkY-9sQO;HMzRf}ObMqw{v(Z7`3h zbbPbY?-MOjvNn`QFNHLwa!0=2#I3@T~N($V(w(fhC?`WmdbFq3FD;2w!lg@A2 z`HGv)A25D0X)2*6A;%DAKD8)I54u~?T*?xmP(_PwZZNOpRIqeC8_>M@K$+nEYX_c69cA6@X;;*tzX{wgjbSEuN` zMJj#& zrErO|)wzT~CuHVuzPYI2iR!P`_~;t;op0&7M~$l3)1K1z4Fk6c&8KB=nFr@k*clFB z5BnU;#wN=l+`Gqv+UL$N`S{6IS8;kDLYGyV|Cax*uOb>_=}1Jv9tH z^(DMk$&uTjFSA?&*XkY?X~yz0k*c&Man>!!==iOnlTm>TnP^gbz0+tj${_M@vR-bt zU%|8k>+>pecRIunaE;;BbBqISy_0TXDQL@5a@EP^Bqg@E`zPiaLe@=lDFdy#W@V%K zs+XN39+{>%(d@>##~cQ=*q@+No7BC|HTxj`Q}b+~TX!V?dfPb&wN;Uoy|Ka}Z34;c@#1EC-dRB2Tq+CNiWjtFZn! 
z908i3qdQa?3tnwf+Ra=w&lNlw=nD;)XY9|7cu-i3hz9l*lhM)rc(N8O?fnXaE&J9I z`!OoH;?*Y2i2LO85REJh$8;%LG4T`X>S+3p&BSjPUiWZVBv@9Z=5qWk@A=^GQ3NhzxkfhT zQMyrQ%%ZlN!>_ZJk;q23mt9ne0r17vDFKr43oJ6Xj5Izljyc; z1?E2M^O^ZtyOoH!4g^l>xg@*X`@l*9cZDW*RMB$F(`)!a`^Q0k*#0ZWu{+aGsPM3r%*s^1bU@7L?eYIHqx1aC=ofy^=#{De`yatn{(DC67cYj;J{)-5 z_CU_qoDDKDzw7`rn4I$Tt1Py=7upsaZyuMfdcz9(jf8^)#u3tfGN`dEIf~qQNdwP) zdwJ;Hr_Q`Gwf?=Y4h^aM;Wr}5*RIE0IIR}!N4+Gxd^3Wc!A(WM(;+x{JfS<;{H)kD z2^hw#cZ4u>wM!zEg7cXki)?5kHas#^rO>W`d| z$E}^aEGbdQ`6Jnkiye|_sp}e4vaADGm)r5YdZfZIk@JOEV?DtqgHc5y6LaR?Qws`C z&(C+}T31T3T)NR^Ikhi9U3DGlnFTLsFYveY5|4(M(BH;vEbIR;;2T-oV?NXqz-vP7 zKP;rA?-kleD|1x0=4A?>Rd6?|vkJ|s6Pd6k|6a#7FuoX*tWJJmUWMeuhmRJwq8DbH z`|dngGe~(Q^2J;nYlYC+cD+*4-VAjp&S6&)-eiB3v`^v_W|!fb)*54_P_BG56VuDp zL;mh2Uudx47R!e092qNp%lLZk+jcm7OgM zopDbf==jbkDy0fyJEV?tFswWflpnR3e@7XhO2DKi-%4b`mhQ2={r}8>!eTVP_u^6@uyj9DW6w}M2^DbrZ|p&TdSkq92f9Me%MPJ{ES}oOi#HYj$09bbp5dJ$Nzngfe?j9T1b3Kp!r6_Dzwr z$h4gQIW{l0NO<5_NfaM%=N8Gaw65aw2fHC&A+F18!`cns2_~Wiv%*QmPXx?ZtS{v~ zl5pv-`Mim*ZE+tM-q7F1CGnUFQ>63UHZaO(jkF5RT@gCpT_?%JT_9vz#ATo8)fTFS zlDN!6I}-U-&N`p*RbG*9KK1lF%WWqHe*Ts0&)GvTVZ+h+!7Uau>6ipvN)^d{C))gu z?6C_^po0%CV{%pJic|xws@RpU3yFyO9<5rAFiwt4n?4G%U7R8$-(#D%#&KPgld*dE z9M3ete`#30UEgBIYr9wEj9U2;>d@HBLvjbJEmX8uShINH-b^&@RjSrQaDNFouKh(Z zQp!n}qG{>cdy^Xs0jb&Ziu*OkCA`ZyI~ip}-0#$AwM+>H9ph5JMh_?N-=@@@q_=mj z-a>lGak>*TdMB9CEy3L|(f-_{LktkS#EdT1{d-2Q|F!F91-_O={hra0{ZS6peH+-u z9{sBht*CXKTQ-6%G@1peStma7NUUYvzu4)c$8`X>=d|BResK0%L5GsEJc8pAd(`nT z%MaVFF@x4KT)FNNp0yK)EcHTr5C$5JF+*cqyt3!fE+0xGl0IQfN$YMMHOhXRr?I;l zH6!3adOy%ke%KYVXrY^v-fKi^monC)cJKQQlupH6 z2Q+WuiCcdK*W5h>>grx;)uH8Wk4Caf`Xiy>ljI~RJd#g^I(js{LPj`=wQ5vVe$Bf3 zno~Na2b#a%LLBE+aGbTlI+1997VUt%b_cO&|7QJr(Owc9Ls}2M1~@h-VEAjCWf$d5 zh!xg3M0YMCLvvQ)XSE`E1QW zBaW>jKTwqTj8mg9;2aeAX@9B{s*m6!s#CP*cXc*MfcuU5a8RB4cm7f*4{_v(Gk9>2 z*JGLiI4f#MtQ%UYw@F%MWYjtp(Wntj7TKS}++qW8vTnIc(546o%5tv*Gtupe7dsoy zYAq8!t^%n80iPM>H$j!INqc-&url3Pc zqFVRkrl2Y0Vl)2eICYx0ThnsmuEP&$de}wlY<$}@^OjEep>cH{Zxw4qzB?jWaP%Ir 
z6#29BPsMkgO%Cqflg?SJ<|(Jj8D)CeX2jV#V|0%o#Kk{w10> zsown%U4rYM6r|kNMn)8d1%6RwJ+ZBMQefp!0Ak(Ncmi*7ckeMKQfRvB``cTQyybP_ zUZOXd7vv-hur=y9Q?i5a^xQs4fdio^GFR%2r3yqqk&SCcHhkZ=x~C?RHl!o)ERFBW z#|(Dw7&LW7EhPu-#iPw#&Fd7$+7i$C6rMmX=RdifN#l47FhR_W<9OjD&uG}#G5dDd zh%hC^sY`wzk}dDzvBj4wx|gGC@J)iARZH2rnnDQGkPE@GPlmTuwiB2FO&{*`WO&#! zpS%xc=_M#h>bP}L5jy9h0N7>Iz4Y;^w&upiG8G|iVi7-7JR6vr+a^s(Drig1Tb80r tnFm|)-w;)X8iW0ZwFz_j`9iJf58c