Merge remote-tracking branch 'origin/topic/bernhard/ticket950'

* origin/topic/bernhard/ticket950:
  make client and server random available on script-level.

BIT-950 #merged

CHANGES

@@ -1,4 +1,9 @@
 
+2.1-1359 | 2013-09-18 15:01:50 -0700
+
+  * Make client and server random available on script-level. Addresses
+    BIT-950. (Eric Wustrow)
+
 2.1-1357 | 2013-09-18 14:58:52 -0700
 
   * Update HLL API and its documentation. (Bernhard Amann)

VERSION

@@ -1 +1 @@
-2.1-1357
+2.1-1359

scripts/base/protocols/ssl/main.bro

@@ -151,7 +151,7 @@ function finish(c: connection)
 		disable_analyzer(c$id, c$ssl$analyzer_id);
 	}
 
-event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set) &priority=5
 	{
 	set_session(c);
 
@@ -160,7 +160,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, session
 		c$ssl$session_id = bytestring_to_hexstr(session_id);
 	}
 
-event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
 	{
 	set_session(c);
 

src/analyzer/protocol/ssl/events.bif

@@ -17,13 +17,16 @@
 ##
 ## session_id: The session ID sent by the client (if any).
 ##
+## client_random: The random value sent by the client. For version 2 connections,
+##		  the client challenge is returned.
+##
 ## ciphers: The list of ciphers the client offered to use. The values are
 ##          standardized as part of the SSL/TLS protocol. The
 ##          :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
 ##
 ## .. bro:see:: ssl_alert  ssl_established ssl_extension ssl_server_hello
 ##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
-event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);
+event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
 ## start with an unencrypted handshake, and Bro extracts as much information out
@@ -44,6 +47,9 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
 ##
 ## session_id: The session ID as sent back by the server (if any).
 ##
+## server_random: The random value sent by the server. For version 2 connections,
+##		  the connection-id is returned.
+##
 ## cipher: The cipher chosen by the server.  The values are standardized as part
 ##         of the SSL/TLS protocol. The :bro:id:`SSL::cipher_desc` table maps
 ##         them to descriptive names.
@@ -53,7 +59,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
-event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
+event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
 ## sessions start with an unencrypted handshake, and Bro extracts as much

src/analyzer/protocol/ssl/ssl-analyzer.pac

@@ -152,6 +152,7 @@ refine connection SSL_Conn += {
 
 	function proc_client_hello(rec: SSLRecord,
 					version : uint16, ts : double,
+					client_random : bytestring,
 					session_id : uint8[],
 					cipher_suites16 : uint16[],
 					cipher_suites24 : uint24[]) : bool
@@ -176,7 +177,8 @@ refine connection SSL_Conn += {
 				}
 
 			BifEvent::generate_ssl_client_hello(bro_analyzer(), bro_analyzer()->Conn(),
-							version, ts,
+							version, ts, new StringVal(client_random.length(),
+							(const char*) client_random.data()),
 							to_string_val(session_id),
 							cipher_set);
 
@@ -188,6 +190,7 @@ refine connection SSL_Conn += {
 
 	function proc_server_hello(rec: SSLRecord,
 					version : uint16, ts : double,
+					server_random : bytestring,
 					session_id : uint8[],
 					cipher_suites16 : uint16[],
 					cipher_suites24 : uint24[],
@@ -209,7 +212,8 @@ refine connection SSL_Conn += {
 
 			BifEvent::generate_ssl_server_hello(bro_analyzer(),
 							bro_analyzer()->Conn(),
-							version, ts,
+							version, ts, new StringVal(server_random.length(), 
+							(const char*) server_random.data()),
 							to_string_val(session_id),
 							ciphers->size()==0 ? 0 : ciphers->at(0), comp_method);
 
@@ -419,27 +423,27 @@ refine typeattr ApplicationData += &let {
 
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version,
-				gmt_unix_time,
+				gmt_unix_time, random_bytes,
 				session_id, csuits, 0)
 		&requires(state_changed);
 };
 
 refine typeattr V2ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version, 0,
-				session_id, 0, ciphers)
+				challenge, session_id, 0, ciphers)
 		&requires(state_changed);
 };
 
 refine typeattr ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(rec, server_version,
-			gmt_unix_time, session_id, cipher_suite, 0,
+			gmt_unix_time, random_bytes, session_id, cipher_suite, 0,
 			compression_method)
 		&requires(state_changed);
 };
 
 refine typeattr V2ServerHello += &let {
-	proc : bool = $context.connection.proc_server_hello(rec, server_version, 0, 0,
+	proc : bool = $context.connection.proc_server_hello(rec, server_version, 0,
-				0, ciphers, 0)
+				conn_id_data, 0, 0, ciphers, 0)
 		&requires(state_changed);
 
 	cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -346,7 +346,7 @@ type HelloRequest(rec: SSLRecord) = empty &let {
 type ClientHello(rec: SSLRecord) = record {
 	client_version : uint16;
 	gmt_unix_time : uint32;
-	random_bytes : bytestring &length = 28 &transient;
+	random_bytes : bytestring &length = 28;
 	session_len : uint8;
 	session_id : uint8[session_len];
 	csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0);
@@ -397,7 +397,7 @@ type V2ClientHello(rec: SSLRecord) = record {
 type ServerHello(rec: SSLRecord) = record {
 	server_version : uint16;
 	gmt_unix_time : uint32;
-	random_bytes : bytestring &length = 28 &transient;
+	random_bytes : bytestring &length = 28;
 	session_len : uint8;
 	session_id : uint8[session_len];
 	cipher_suite : uint16[1];

testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-random/.stdout

@@ -0,0 +1,2 @@
+8\xd0U@\xf1\xaamI\xb5SE^K\x82\xa4\xe0\x9eG\xf3\xdd\x1f\xeey\xa6[\xcc\xd7^D\x90
+\xa7^B\xf4'&^E]|c\x83KN\xb0^N6F\xbez\xbb^Ny\xbf^O\x85p\x83\x8dX

testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test

@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: count_set) 
+ 	{
+	print client_random;
+ 	}
+ 
+event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) 
+	{
+	print server_random;
+	}