Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 20:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/topic/johanna/1323'

Browse source 
* origin/topic/johanna/1323:
  TLS 1.3 changes: Address review feedback
  Add one more TLS 1.3 testcase and update NEWS
  Fix TLS 1.3 session resumption detection.
  Introduce ssl_probable_encrypted_handshake_message event
  SSL Analyzer: ignore CCS for TLS 1.3
  TLS analyzer: change logic to track TLS 1.3 connection establishment
This commit is contained in:
Jon Siwek 2020-12-22 10:58:13 -08:00
commit 604fbea00d
24 changed files with 558 additions and 249 deletions
Download patch file Download diff file Expand all files Collapse all files

6
testing/btest/scripts/base/protocols/ssl/tls13.test
View file

@ -1,13 +1,19 @@
# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary-aborted.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap %INPUT
# @TEST-EXEC: cat ssl.log > ssl-out.log
# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary.pcap %INPUT
# @TEST-EXEC: cat ssl.log >> ssl-out.log
# @TEST-EXEC: echo "tls13draft16-ff52.a01-aborted.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01-aborted.pcap %INPUT
# @TEST-EXEC: cat ssl.log >> ssl-out.log
# @TEST-EXEC: echo "tls13draft16-ff52.a01.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
# @TEST-EXEC: cat ssl.log >> ssl-out.log
# @TEST-EXEC: echo "tls13_psk_succesfull.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
# @TEST-EXEC: cat ssl.log >> ssl-out.log
# @TEST-EXEC: echo "hrr.pcap"
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT
# @TEST-EXEC: cat ssl.log >> ssl-out.log
# @TEST-EXEC: btest-diff ssl-out.log

22
testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test Normal file
View file

@ -0,0 +1,22 @@
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_wolfssl.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl
redef SSL::disable_analyzer_after_detection=F;
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
{
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
}
event ssl_established(c: connection)
{
print "Established!";
}
event ssl_probable_encrypted_handshake_message(c: connection, is_orig: bool, length: count)
{
print "Probable handshake", is_orig, length;
}