Spicy TLS: event ordering

This commit mostly changes the ordering of some of the events, so that they
fit the event order of the old analyzer (and also are more
representative of the order in which things happen on the wire).
Johanna Amann 2023-06-22 15:58:40 +01:00
parent 0d25de926a
commit 5937ebf36d
2 changed files with 11 additions and 4 deletions


@ -24,14 +24,16 @@ on TLS::ServerNameList -> event ssl_extension_server_name($conn, TLS::get_direct
on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
on TLS::PlaintextRecord::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
on TLS::PlaintextRecord::ccs if ( msg.context().ccs_seen == 2 ) -> event ssl_established($conn);
# weird trigger for event ordering
on TLS::PlaintextRecord::%done if ( msg.context().ccs_seen == 2 && content_type == 20 ) -> event ssl_established($conn);
on TLS::PlaintextRecord::trigger_zero if ( content_type == 23 && sh.tls_13 == True && ( sh.established == False || sh.both_sides_encrypted_first_time ) ) -> event ssl_probable_encrypted_handshake_message($conn, TLS::get_direction(sh), self.length);
on TLS::PlaintextRecord::trigger_one if ( sh.both_sides_encrypted_first_time == True ) -> event ssl_established($conn);
on TLS::PlaintextRecord::trigger_two if ( self.encrypted == False ) -> event ssl_plaintext_data($conn, TLS::get_direction(sh), msg.record_version, content_type, self.length);
on TLS::PlaintextRecord::trigger_two if ( self.encrypted == True ) -> event ssl_encrypted_data($conn, TLS::get_direction(sh), msg.record_version, content_type, self.length);
on TLS::Extension -> event ssl_extension($conn, TLS::get_direction(sh), self.code, self.raw);
on TLS::Handshake_message -> event ssl_handshake_message($conn, TLS::get_direction(sh), self.msg_type, self.length);
on TLS::Handshake_message::length -> event ssl_handshake_message($conn, TLS::get_direction(sh), self.msg_type, self.length);
on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, TLS::get_direction(sh), TLS::convert_signature_algorithms(self));
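Review bot: ssl_established now has two independent triggers in this hunk — the %done hook keyed on `ccs_seen == 2 && content_type == 20`, and the trigger_one hook keyed on `both_sides_encrypted_first_time` — and for a TLS 1.3 connection in middlebox-compatibility mode both sides send a change_cipher_spec record, so unless the .spicy side does not count CCS for TLS 1.3 (not visible here) the event can be raised twice per connection, which matters for any script that treats it as a once-only signal. If `sh` is in scope in the %done hook as it is in the trigger hooks, guarding it with `&& sh.tls_13 == False` would keep the two paths disjoint; otherwise the guard belongs where ccs_seen is incremented. The literals 20 and 23 are the TLS content-type values for change_cipher_spec and application_data; since the .spicy file already has a ContentType enum, using its members here (if the .evt condition syntax allows) or at least naming them in the comment would help. The comment `# weird trigger for event ordering` would be more useful as `# raised from %done (not the ccs hook) so ssl_established follows ssl_change_cipher_spec for the same record`, assuming that is the intended ordering.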


@ -569,6 +569,7 @@ type Share = unit {
var client_encrypted: bool;
var server_encrypted: bool;
var both_sides_encrypted_first_time: bool;
var established: bool;
on %init {
self.ccs_seen = 0;
@ -580,6 +581,7 @@ type Share = unit {
self.server_encrypted = False;
self.client_encrypted = False;
self.both_sides_encrypted_first_time = False;
self.established = False;
}
};
@ -611,6 +613,7 @@ function startEncryption(inout handshakesink: sink, inout alertsink: sink, inout
if ( sh.client_encrypted && sh.server_encrypted ) {
print "Encrypted first time";
sh.both_sides_encrypted_first_time = True;
sh.established = True;
}
}
}
@ -702,8 +705,8 @@ type PlaintextRecord = unit(content_type: uint8, handshakesink: sink, alertsink:
length: uint16;
var encrypted: bool;
# convenient triggers to hang stuff in the evt file from. Two of them for event ordering :)
trigger_one: bytes &size=0;
trigger_two: bytes &size=0;
trigger_zero: void;
trigger_one: void;
switch ( ContentType(content_type) ) {
ContentType::handshake -> : bytes &size=self.length -> handshakesink;
ContentType::application_data -> {
@ -717,6 +720,8 @@ type PlaintextRecord = unit(content_type: uint8, handshakesink: sink, alertsink:
ContentType::alert -> : bytes &size=self.length -> alertsink;
* -> unhandled : bytes &size=self.length;
};
trigger_two: void;
trigger_three: void;
on unhandled {
print "Unhandled content type", content_type;