Merge remote-tracking branch 'origin/topic/johanna/1323'

* origin/topic/johanna/1323:
  TLS 1.3 changes: Address review feedback
  Add one more TLS 1.3 testcase and update NEWS
  Fix TLS 1.3 session resumption detection.
  Introduce ssl_probable_encrypted_handshake_message event
  SSL Analyzer: ignore CCS for TLS 1.3
  TLS analyzer: change logic to track TLS 1.3 connection establishment

CHANGES

@@ -1,4 +1,44 @@
 
+4.1.0-dev.19 | 2020-12-22 10:58:13 -0800
+
+  * Add new TLS 1.3 constants. (Johanna Amann)
+
+  * Fix TLS 1.3 session resumption detection. (Johanna Amann)
+
+    Now we detect TLS 1.3 session resumption by looking if both sides have
+    the PSK extension set, which is much more exact than the previous
+    approach.
+
+  * Introduce ssl_probable_encrypted_handshake_message event (Johanna Amann)
+
+    This event is raised for messages that (probably) are TLS 1.3 handshake
+    messages, including finished. This allows scripts to examine handshake
+    messages without having to handle all encrypted messages.
+
+  * SSL Analyzer: ignore CCS for TLS 1.3 (Johanna Amann)
+
+    In TLS 1.3, the ChangeCipherSpec message is meaningless; it only is
+    included to convince middleboxes that the devices actually are speaking
+    TLS 1.2. Nowadays some TLS 1.3 implementations also just don't send the
+    packet.
+
+    In a push to unify our handling of TLS 1.3 connections - ignore CCS and
+    always go with application data packet counting to determine if
+    connections are or are not encrypted.
+
+  * GH-1323: TLS analyzer: change logic to track TLS 1.3 connection establishment (Johanna Amann)
+
+    This commit changes the logic that is used to tracks connection
+    establishment - and moves it from scriptland into the core.
+
+    TLS 1.3 connection establishment is much more finnicky for us than the
+    establishment of earlier versions - since we cannot rely on the CCS
+    message anymore (which is meaningless and not sent in a lot of cases).
+
+    With this commit, the ssl_encrypted_data message gets raised for
+    encrypted TLS 1.3 handshake messages - which is much more correct than
+    the behavior before that just interpreted them as plaintext messages.
+
 4.1.0-dev.12 | 2020-12-21 10:55:13 -0800
 
   * Add MacOS Big Sur to CI (Christian Kreibich, Corelight)

NEWS

@@ -177,6 +177,8 @@ New Functionality
   The zkg source tree resides in ``auxil/package-manager`` as an
   additional Git submodule.
 
+- Added a new ``ssl_probable_encrypted_handshake_message`` event, which
+  is raised for encrypted TLS 1.3 handshake messages.
 
 Changed Functionality
 ---------------------
@@ -256,6 +258,31 @@ Changed Functionality
   can be triggered by anybody controlling one of the endpoints (instead
   of both).  For discussion, see https://github.com/zeek/zeek/issues/343.
 
+- TLS 1.3 support was improved in several ways:
+
+  * In the past, some TLS 1.3 sessions were misidentified as using session
+    resumption when, in fact, they were not resumed. This was caused by
+    the TLS session ID which no longer has any meaning in TLS 1.3. This was
+    fixed.
+
+  * Similarly, in the past, TLS 1.3 sessions that use TLS 1.3 PSKs for
+    session resumption were not marked as resumed. This also was fixed.
+
+  * The way in which session establishment for TLS 1.3 is performed was
+    rewritten. This causes the ``ssl_encrypted_data`` event to be correctly
+    raised; in the past this did not work for some sessions. A new
+    ``ssl_probable_encrypted_handshake_message`` event was added that is
+    raised for encrypted TLS 1.3 handshake packets.
+
+  * In the same vein, hello retry requests in TLS 1.3 should now always
+    be handled correctly; in the past this only happened in some cases.
+
+    Please note: When a connection uses Hello Retry requests you will see
+    two client hello and two server hello events in a single connection.
+
+    This happened in the past, but may become more common now; this might
+    trigger unexpected behavior in your scripts.
+
 Removed Functionality
 ---------------------
 
@@ -283,6 +310,10 @@ Removed Functionality
   the Zeek distribution and will get built unless overridden with the
   ``--with-caf=`` configuration option.
 
+- ``server_appdata`` and ``client_appdata`` were removed from ``SSL::Info``.
+  These variables were only used internally, and did not give a correct counts
+  in all circumstances.
+
 Deprecated Functionality
 ------------------------
 

VERSION

@@ -1 +1 @@
-4.1.0-dev.12
+4.1.0-dev.19

scripts/base/protocols/ssl/consts.zeek

@@ -137,6 +137,53 @@ export {
 		[120] = "no_application_protocol",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
+	# Map SSL Extension values to consts for easier readability of code.
+	# More information can be found here:
+	# http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
+	const SSL_EXTENSION_SERVER_NAME = 0;
+	const SSL_EXTENSION_MAX_FRAGMENT_LENGTH = 1;
+	const SSL_EXTENSION_CLIENT_CERTIFICATE_URL = 2;
+	const SSL_EXTENSION_TRUSTED_CA_KEYS = 3;
+	const SSL_EXTENSION_TRUNCATED_HMAC = 4;
+	const SSL_EXTENSION_STATUS_REQUEST = 5;
+	const SSL_EXTENSION_USER_MAPPING = 6;
+	const SSL_EXTENSION_CLIENT_AUTHZ = 7;
+	const SSL_EXTENSION_SERVER_AUTHZ = 8;
+	const SSL_EXTENSION_CERT_TYPE = 9;
+	const SSL_EXTENSION_SUPPORTED_GROUPS = 10;
+	const SSL_EXTENSION_EC_POINT_FORMATS = 11;
+	const SSL_EXTENSION_SRP = 12;
+	const SSL_EXTENSION_SIGNATURE_ALGORITHMS = 13;
+	const SSL_EXTENSION_USE_SRTP = 14;
+	const SSL_EXTENSION_HEARTBEAT = 15;
+	const SSL_EXTENSION_APPLICATION_LAYER_PROTOCOL_NEGOTIATION = 16;
+	const SSL_EXTENSION_STATUS_REQUEST_V2 = 17;
+	const SSL_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP = 18;
+	const SSL_EXTENSION_CLIENT_CERTIFICATE_TYPE = 19;
+	const SSL_EXTENSION_SERVER_CERTIFICATE_TYPE = 20;
+	const SSL_EXTENSION_PADDING = 21;
+	const SSL_EXTENSION_ENCRYPT_THEN_MAC = 22;
+	const SSL_EXTENSION_EXTENDED_MASTER_SECRET = 23;
+	const SSL_EXTENSION_TOKEN_BINDING = 24;
+	const SSL_EXTENSION_CACHED_INFO = 25;
+	const SSL_EXTENSION_SESSIONTICKET_TLS = 35;
+	const SSL_EXTENSION_KEY_SHARE = 40;
+	const SSL_EXTENSION_PRE_SHARED_KEY = 41;
+	const SSL_EXTENSION_EARLY_DATA = 42;
+	const SSL_EXTENSION_SUPPORTED_VERSIONS = 43;
+	const SSL_EXTENSION_COOKIE = 44;
+	const SSL_EXTENSION_PSK_KEY_EXCHANGE_MODES = 45;
+	const SSL_EXTENSION_TICKETEARLYDATAINFO = 46;
+	const SSL_EXTENSION_CERTIFICATE_AUTHORITIES = 47;
+	const SSL_EXTENSION_OID_FILTERS = 48;
+	const SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION = 13172;
+	const SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES = 13175;
+	const SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES = 13180;
+	const SSL_EXTENSION_CHANNEL_ID = 30031;
+	const SSL_EXTENSION_CHANNEL_ID_NEW = 30032;
+	const SSL_EXTENSION_PADDING_TEMP = 35655;
+	const SSL_EXTENSION_RENEGOTIATION_INFO = 65281;
+
 	## Mapping between numeric codes and human readable strings for SSL/TLS
 	## extensions.
 	# More information can be found here:

scripts/base/protocols/ssl/main.zeek

@@ -46,12 +46,10 @@ export {
 		## by the client. This value is used to determine if a session
 		## is being resumed. It's not logged.
 		client_key_exchange_seen: bool     &default=F;
-		## Count to track if the server already sent an application data
-		## packet for TLS 1.3. Used to track when a session was established.
-		server_appdata:   count            &default=0;
-		## Flag to track if the client already sent an application data
-		## packet for TLS 1.3. Used to track when a session was established.
-		client_appdata:   bool             &default=F;
+		## Track if the client sent a pre-shared-key extension.
+		## Used to determine if a TLS 1.3 session is being resumed.
+		## Not logged.
+		client_psk_seen: bool     &default=F;
 
 		## Last alert that was seen during the connection.
 		last_alert:       string           &log &optional;
@@ -237,7 +235,7 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 		}
 	c$ssl$cipher = cipher_desc[cipher];
 
-	if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
+	if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
 		c$ssl$resumed = T;
 	}
 
@@ -305,10 +303,16 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &pri
 	{
 	set_session(c);
 
-	if ( is_orig && SSL::extensions[code] == "SessionTicket TLS" && |val| > 0 )
+	if ( is_orig && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 )
 		# In this case, we might have an empty ID. Set back to F in client_hello event
 		# if it is not empty after all.
 		c$ssl$client_ticket_empty_session_seen = T;
+	else if ( is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY )
+		# In this case, the client sent a PSK extension which can be used for resumption
+		c$ssl$client_psk_seen = T;
+	else if ( ! is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen )
+		# In this case, the server accepted the PSK offered by the client.
+		c$ssl$resumed = T;
 	}
 
 event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
@@ -370,41 +374,8 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
 	if ( ! c$ssl?$version || c$ssl$established || content_type != APPLICATION_DATA )
 		return;
 
-	if ( c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
-		{
 	local wi = Weird::Info($ts=network_time(), $name="ssl_early_application_data", $uid=c$uid, $id=c$id);
 	Weird::weird(wi);
-		return;
-		}
-
-	if ( is_orig )
-		{
-		c$ssl$client_appdata = T;
-		return;
-		}
-
-	if ( c$ssl$client_appdata && c$ssl$server_appdata == 0 )
-		{
-		# something went wrong in the handshake here - we can't say if it was established. Just abort.
-		return;
-		}
-  else if ( ! c$ssl$client_appdata && c$ssl$server_appdata == 0 )
-		{
-		c$ssl$server_appdata = 1;
-		return;
-		}
-	else if ( c$ssl$client_appdata && c$ssl$server_appdata == 1 )
-		{
-		# wait for one more packet before we believe it was established. This one could be an encrypted alert.
-		c$ssl$server_appdata = 2;
-		return;
-		}
-	else if ( c$ssl$client_appdata && c$ssl$server_appdata == 2 )
-		{
-		set_ssl_established(c);
-		event ssl_established(c);
-		return;
-		}
 	}
 
 event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,

src/analyzer/protocol/ssl/DTLS.cc

@@ -48,6 +48,10 @@ void DTLS_Analyzer::EndOfData(bool is_orig)
 	handshake_interp->FlowEOF(is_orig);
 	}
 
+uint16_t DTLS_Analyzer::GetNegotiatedVersion() const
+  {
+  return handshake_interp->chosen_version();
+  }
 
 void DTLS_Analyzer::SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig)
 	{

src/analyzer/protocol/ssl/DTLS.h

@@ -21,7 +21,8 @@ public:
 	void EndOfData(bool is_orig) override;
 
 	void SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig);
-
+	// Get the TLS version that the server chose. 0 if not yet known.
+	uint16_t GetNegotiatedVersion() const;
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new DTLS_Analyzer(conn); }

src/analyzer/protocol/ssl/SSL.cc

@@ -48,6 +48,11 @@ void SSL_Analyzer::StartEncryption()
 	interp->setEstablished();
 	}
 
+uint16_t SSL_Analyzer::GetNegotiatedVersion() const
+	{
+	return handshake_interp->chosen_version();
+	}
+
 void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);

src/analyzer/protocol/ssl/SSL.h

@@ -24,6 +24,8 @@ public:
 
 	// Tell the analyzer that encryption has started.
 	void StartEncryption();
+	// Get the TLS version that the server chose. 0 if not yet known.
+	uint16_t GetNegotiatedVersion() const;
 
 	// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;

src/analyzer/protocol/ssl/events.bif

@@ -559,9 +559,42 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
 ## length: length of the entire message.
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
-##    ssl_alert ssl_heartbeat
+##    ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
 event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
 
+## This event is generated for application data records of TLS 1.3 connections of which
+## we suspect that they contain handshake messages.
+##
+## In TLS 1.3, large parts of the handshake are encrypted; the only cleartext packets
+## typically exchanged are the client hello and the server hello. The first few packets
+## after the client and server hello, however, are a continuation of the handshake and
+## still include handshake data.
+##
+## This event is raised for these packets of which we suspect that they are handshake records,
+## including the finished record.
+##
+## The heuristic for this is: all application data record after the server hello are
+## handshake records until at least one application data record has been received
+## from both the server and the client. Typically, the server will send more records
+## before the client sends the first application data record; and the first application
+## data record of the client will typically include the finished message.
+##
+## Given the encrypted nature of the protocol, in some cases this determination is
+## not correct; the client can send more handshake packets before the finished message, e.g.,
+## when client certificates are used.
+##
+## Note that :zeek:see::ssl_encrypted_data is also raised for these messages.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## length: length of the entire message.
+##
+## .. zeek:see::  ssl_client_hello ssl_established ssl_server_hello
+##    ssl_encrypted_data
+event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, length: count%);
+
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it.
 ## See description in :rfc:`6066`.

src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac

@@ -45,6 +45,13 @@ refine connection SSL_Conn += {
 
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
+		if ( established_ == false && determine_tls13() == 1 )
+			{
+			if ( ssl_probable_encrypted_handshake_message )
+				zeek::BifEvent::enqueue_ssl_probable_encrypted_handshake_message(zeek_analyzer(),
+					zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
+			}
+
 		if ( client_state_ == STATE_ENCRYPTED &&
 		     server_state_ == STATE_ENCRYPTED &&
 		     established_ == false )

src/analyzer/protocol/ssl/ssl-dtls-protocol.pac

@@ -44,8 +44,15 @@ enum AnalyzerState {
 type ChangeCipherSpec(rec: SSLRecord) = record {
 	type : uint8;
 } &length = 1, &let {
-	state_changed : bool =
-		$context.connection.startEncryption(rec.is_orig);
+	# I know this looks a bit weird. Basically - in TLS 1.3, CCS is meaningless
+	# fluff that just is used to pretend to TLS 1.2 devices listening in that
+	# yes, this is TLS. Since we want to know which packets come after this,
+	# and since we do have special handling for TLS 1.3 - let's ignore it in
+	# that case.
+	state_changed : bool = case $context.connection.determine_tls13() of {
+		1 -> false;
+		0 -> $context.connection.startEncryption(rec.is_orig);
+	};
 };
 
 
@@ -130,4 +137,14 @@ refine connection SSL_Conn += {
 			server_state_ = STATE_ENCRYPTED;
 		return true;
 		%}
+
+	function determine_tls13() : int
+		%{
+		// let's be conservative and only return yes if it has a valid TLS 1.3 version number here.
+		uint16_t negotiated_version = zeek_analyzer()->GetNegotiatedVersion();
+		if ( negotiated_version == TLSv13 || negotiated_version/0xFF == 0x7F )
+			return 1;
+
+		return 0;
+		%}
 };

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -30,10 +30,10 @@ type SSLRecord(is_orig: bool) = record {
 		UNKNOWN_VERSION -> 0;
 		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
 		default -> (head3 << 8) | head4;
-	};
+	} &requires(version);
 };
 
-type RecordText(rec: SSLRecord) = case $context.connection.state(rec.is_orig) of {
+type RecordText(rec: SSLRecord) = case $context.connection.determine_state(rec.is_orig, rec.content_type) of {
 	STATE_ENCRYPTED
 		-> ciphertext : CiphertextRecord(rec);
 	default
@@ -137,6 +137,49 @@ type SSLPDU(is_orig: bool) = record {
 
 refine connection SSL_Conn += {
 
+	## So - this falls a bit under the envelope of dirty hack - but I don't
+	## really have a better idea. This function determines if a packet should
+	## be handled as an encrypted or as a plaintext packet.
+	##
+	## For TLS 1.2 and below - this is relatively straightforward. Everything
+	## that arrives before CCS (Change Cipher Spec) is a plaintext record. And
+	## everything that arrives after CCS will be encrypted.
+	##
+	## TLS 1.3, however, messes this up a bunch. Some clients still choose to
+	## send a CCS message. The message, however, is pretty much meaningless
+	## from a protocol perspective - and just ignored by the other side. Also -
+	## it is not necessary to send it and some implementations just don't.
+	##
+	## So - what we do here is that we enable the encrypted flag when we get
+	## the first application data in a connection that negotiated TLS 1.3.
+	##
+	## This is correct insofar as the packet will be encrypted. We sadly loose
+	## a bit of context here - we can't really say when we get the first packet
+	## that uses the final cryptographic key material - and will contain content
+	## data. We just don't have that information available in TLS 1.3 anymore.
+	function determine_state(is_orig: bool, content_type: int) : int
+		%{
+		int current_state = state(is_orig);
+		if ( current_state == STATE_ENCRYPTED || content_type != APPLICATION_DATA )
+			return current_state;
+
+		// state = STATE_CLEAR && content_type == APPLICATION_DATA
+		uint16_t negotiated_version = zeek_analyzer()->GetNegotiatedVersion();
+
+		// in theory, we should check for TLS13 or draft-TLS13 instead of doing the reverse.
+		// But - people use weird version numbers. And all of those weird version numbers are
+		// some sort of TLS1.3. So - let's do it this way round instead.
+		if ( negotiated_version != SSLv20 && negotiated_version != SSLv30 && negotiated_version != TLSv10 && negotiated_version != TLSv11 && negotiated_version != TLSv12 )
+			{
+			// well, it seems like this is a TLS 1.3 (or equivalent) applicatio data packet. Let's enable encryption
+			// and handle it as encrypted.
+			startEncryption(is_orig);
+			return STATE_ENCRYPTED;
+			}
+
+		return current_state; // has to be STATE_CLEAR
+		%}
+
 	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
 					head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int
 		%{

src/analyzer/protocol/ssl/tls-handshake-protocol.pac

@@ -795,10 +795,14 @@ type SupportedVersions(rec: HandshakeRecord) = record {
 	versions: uint16[] &until($input.length() == 0);
 } &length=length+1;
 
+# If the server sends it, this is the authorative version. Set it.
 type OneSupportedVersion(rec: HandshakeRecord) = record {
 	version: uint16;
+} &let {
+	version_set : bool = $context.connection.set_version(version);
 };
 
+
 type PSKKeyExchangeModes(rec: HandshakeRecord) = record {
 	length: uint8;
 	modes: uint8[] &until($input.length() == 0);
@@ -944,6 +948,7 @@ refine connection Handshake_Conn += {
 	%init{
 		chosen_cipher_ = NO_CHOSEN_CIPHER;
 		chosen_version_ = UNKNOWN_VERSION;
+
 		record_version_ = 0;
 	%}
 
@@ -955,10 +960,18 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
-	function chosen_version() : int %{ return chosen_version_; %}
+	function chosen_version() : uint16 %{ return chosen_version_; %}
 
+	# This function is called several times in certain circumstances.
+	# If it is called twice, it is first called due to the supported_versions
+	# field in the server hello - and then again due to the outer version in
+	# the server hello. So - once we have a version here, let's just stick
+	# with it.
 	function set_version(version: uint16) : bool
 		%{
+		if ( chosen_version_ != UNKNOWN_VERSION )
+			return false;
+
 		chosen_version_ = version;
 		return true;
 		%}

testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log

@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	x25519	tls13.crypto.mozilla.org	T	-	-	T	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	x25519	tls13.crypto.mozilla.org	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout

@@ -1,4 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 unknown-27242
 x25519
@@ -7,6 +8,7 @@ key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p
 unknown-19018
 x25519
 client, TLSv10, TLSv12
+tls13draft16-chrome55.0.2879.0-canary.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-43690
 x25519
@@ -14,6 +16,13 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 server, TLSv10, TLSv13-draft14
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+established, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-60138
 x25519
@@ -21,17 +30,30 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 server, TLSv10, TLSv13-draft14
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+tls13draft16-ff52.a01-aborted.pcap
 key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 x25519
 secp256r1
 secp384r1
 client, TLSv10, TLSv12
 client, TLSv10, TLSv12
+tls13draft16-ff52.a01.pcap
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
@@ -40,6 +62,12 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 server, TLSv10, TLSv13-draft16
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
@@ -48,13 +76,23 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 server, TLSv10, TLSv13-draft16
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
+encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
+tls13_psk_succesfull.pcap
 key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T
 x25519
 client, TLSv10, TLSv12
@@ -69,16 +107,21 @@ encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
+hrr.pcap
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
 secp224r1
 client, TLSv10, TLSv12
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
 secp256r1
 server, TLSv12, TLSv12
+key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
+secp256r1
+client, TLSv12, TLSv12
+key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
+secp256r1
+server, TLSv12, TLSv12
+encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp]
-encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 22
-encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 22
-encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23

testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log

@@ -18,7 +18,7 @@ XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.6.203	53227	52.32.149.186	443	-	-	-
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	F	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.6.203	53996	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
 #separator \x09
@@ -61,5 +61,5 @@ XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.178.80	54220	174.138.9.219	443	TLSv1
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	T	-	-	T	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ssl.tls13_encrypted_handshake_events/.stdout

@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Probable handshake, F, 23
+encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
+Probable handshake, F, 716
+encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
+Probable handshake, F, 281
+encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
+Probable handshake, F, 69
+encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
+Probable handshake, T, 69
+Established!
+encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], T, TLSv12, 23
+encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], T, TLSv12, 23

testing/btest/Baseline/scripts.base.protocols.ssl.tls13_encrypted_handshake_events/ssl.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.186.133	43056	192.168.186.134	9090	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	-	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/protocols/ssl/tls13.test

@@ -1,13 +1,19 @@
+# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary-aborted.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-out.log
+# @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "tls13draft16-ff52.a01-aborted.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01-aborted.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "tls13draft16-ff52.a01.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "tls13_psk_succesfull.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: echo "hrr.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: btest-diff ssl-out.log

testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test

@@ -0,0 +1,22 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_wolfssl.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/protocols/ssl
+
+redef SSL::disable_analyzer_after_detection=F;
+
+event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+	{
+	print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
+	}
+
+event ssl_established(c: connection)
+	{
+	print "Established!";
+	}
+
+event ssl_probable_encrypted_handshake_message(c: connection, is_orig: bool, length: count)
+	{
+	print "Probable handshake", is_orig, length;
+	}