add starttls support for pop3

src/analyzer/protocol/pop3/POP3.cc

@@ -13,6 +13,7 @@
 #include "POP3.h"
 #include "Event.h"
 #include "Reporter.h"
+#include "analyzer/Manager.h"
 #include "analyzer/protocol/login/NVT.h"
 
 #include "events.bif.h"
@@ -41,15 +42,18 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn)
 	waitingForAuthentication = false;
 	requestForMultiLine = false;
 	multiLine = false;
-	backOff = false;
+	tls = false;
 
 	lastRequiredCommand = 0;
 	authLines = 0;
 
 	mail = 0;
 
-	AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true));
-	AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false));
+	cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+	AddSupportAnalyzer(cl_orig);
+
+	cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+	AddSupportAnalyzer(cl_resp);
 	}
 
 POP3_Analyzer::~POP3_Analyzer()
@@ -69,7 +73,13 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
-	if ( (TCP() && TCP()->IsPartial()) || backOff )
+	if ( tls )
+		{
+		ForwardStream(len, data, orig);
+		return;
+		}
+
+	if ( (TCP() && TCP()->IsPartial()) )
 		return;
 
 	BroString terminated_string(data, len, 1);
@@ -717,8 +727,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 			break;
 
 		case STLS:
-			backOff = true;
-			POP3Event(pop3_terminate, false, "Terminating due to TLS");
+			tls = true;
+			StartTLS();
 			return;
 
 		case QUIT:
@@ -804,6 +814,22 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 	}
 	}
 
+void POP3_Analyzer::StartTLS()
+	{
+	// STARTTLS was succesful. Remove support analyzers, add SSL
+	// analyzer and throw event signifying the change.
+	RemoveSupportAnalyzer(cl_orig);
+	RemoveSupportAnalyzer(cl_resp);
+	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+	if ( ssl )
+		AddChildAnalyzer(ssl);
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+
+	ConnectionEvent(pop3_starttls, vl);
+	}
+
 void POP3_Analyzer::AuthSuccessfull()
 	{
 	if ( user.size() )

src/analyzer/protocol/pop3/POP3.h

@@ -10,6 +10,7 @@
 #include <algorithm>
 
 #include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 #include "analyzer/protocol/login/NVT.h"
 #include "analyzer/protocol/mime/MIME.h"
 
@@ -97,6 +98,7 @@ protected:
 	void BeginData();
 	void ProcessData(int length, const char* line);
 	void EndData();
+	void StartTLS();
 
 	vector<string> TokenizeLine(const string input, const char split);
 	int ParseCmd(string cmd);
@@ -108,7 +110,9 @@ protected:
 	list<string> cmds;
 
 private:
-	bool backOff;
+	bool tls;
+	tcp::ContentLine_Analyzer* cl_orig;
+	tcp::ContentLine_Analyzer* cl_resp;
 };
 
 } } // namespace analyzer::* 

src/analyzer/protocol/pop3/events.bif

@@ -106,21 +106,14 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ##
 ## c: The connection.
 ##
-## is_orig: Always false.
-##
-## msg: A descriptive message why processing was stopped.
-##
 ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. note:: Currently, only the ``STARTLS`` command is recognized and
-##    triggers this.
-##
 ## .. todo:: Bro's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
 ##    been ported to Bro 2.x. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
-event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+event pop3_starttls%(c: connection%);
 
 ## Generated for successful authentications on POP3 connections.
 ##

testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-05-15-17-23-07
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1400173552.424910	CXWv6p3arKYeMETxOg	192.168.4.149	54775	192.168.4.149	110	TLSv12	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384	-	-	-	-	T	FEdAw24VSam39HNlY5	(empty)	emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE	emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE	-	-
+#close	2014-05-15-17-23-07

testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-05-15-17-23-07
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1400173552.426860	FEdAw24VSam39HNlY5	3	01	emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE	emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE	1178385788.000000	1493745788.000000	rsaEncryption	md5WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	F	-
+#close	2014-05-15-17-23-07

testing/btest/scripts/base/protocols/pop3/starttls.bro

@@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+
+@load base/protocols/conn
+@load base/protocols/ssl
+
+module POP3;
+
+const ports = {
+	110/tcp
+};
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
+	}
+
+