From 05915571dbc0bc8697c9a40b3f8f3d33beb37c6e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 20 Mar 2017 12:17:40 -0700 Subject: [PATCH 1/4] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 96583ab378..cf7ea4e1ad 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 96583ab378b1de32ac9804246e1b0e2845fc8b3e +Subproject commit cf7ea4e1ad18920058f32e95bbea3bdd765b6094 From ca51dfc9c7ea47bb63de5f00aa68a92d05eff0e1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 22 Mar 2017 14:37:37 -0500 Subject: [PATCH 2/4] Fix a test that was failing on some platforms Fixed by sorting the .stderr file, since the ordering of lines was not consistent on all platforms. --- .../scripts/base/frameworks/input/missing-file-initially.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro index 73fd57284e..4db255b69d 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -8,7 +8,7 @@ # @TEST-EXEC: sleep 2; mv does-not-exist.dat does-not-exist-again.dat; echo "Streaming still works" >> does-not-exist-again.dat # @TEST-EXEC: btest-bg-wait -k 3 # @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff bro/.stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stderr @TEST-START-FILE does-exist.dat #separator \x09 From 0cd0ffed13746e80ced2fe01085a096368f08b22 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 5 Apr 2017 08:58:08 -0700 Subject: [PATCH 3/4] SSL: update dpd signature for TLS1.3 The dpd signature missed a few cases that are used for TLS 1.3, especially when draft versions (which are all that we are seeing at the moment) are being negotiated. This fix mostly allows draft versions in the server hello (identified by 7F[version]; since we do not know how many drafts there will be, we are currently allowing a rather safe upper limit. --- scripts/base/protocols/ssl/dpd.sig | 4 ++-- .../scripts.base.protocols.ssl.dpd/.stdout | 3 +++ .../Traces/tls/tls-13draft19-early-data.pcap | Bin 0 -> 15980 bytes .../btest/scripts/base/protocols/ssl/dpd.test | 1 + 4 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Traces/tls/tls-13draft19-early-data.pcap diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig index 2ebe1cc634..1b8cad2f76 100644 --- a/scripts/base/protocols/ssl/dpd.sig +++ b/scripts/base/protocols/ssl/dpd.sig @@ -1,7 +1,7 @@ signature dpd_ssl_server { ip-proto == tcp # Server hello. - payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/ + payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/ requires-reverse-signature dpd_ssl_client enable "ssl" tcp-state responder @@ -10,7 +10,7 @@ signature dpd_ssl_server { signature dpd_ssl_client { ip-proto == tcp # Client hello. - payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/ + payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/ tcp-state originator } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout index 7b2d255900..bbdfb4a3a6 100644 
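Review bot: The new `(\x7F[\x00-\x50])` alternative in the `dpd_ssl_server` payload accepts any TLS 1.3 draft number up to 80, and nothing in the signature file records why `0x7F` or that bound was chosen, so the next reader is likely to tighten it without knowing the trade-off. A comment above the `payload` line, e.g. `# TLS 1.3 drafts carry 0x7F<draft-number> as the version; accept up to draft 80 until the draft series ends.`, keeps the rationale from the commit message with the code. The `\x04` added to the version byte class in both hunks deserves the same one-line remark, since the client-hello hunk only widens the SSLv2-style alternative and not the `\x16\x03` one, which is presumably deliberate (a 1.3 ClientHello still carries 0x0303 there) but reads as an oversight without a note.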
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout @@ -8,3 +8,6 @@ Start test run Client hello, 10.0.0.80, 68.233.76.12, 771 Start test run Client hello, 192.168.6.217, 67.207.128.99, 771 +Start test run +Client hello, 192.168.6.240, 139.162.123.134, 771 +Client hello, 192.168.6.240, 139.162.123.134, 771 
diff --git a/testing/btest/Traces/tls/tls-13draft19-early-data.pcap b/testing/btest/Traces/tls/tls-13draft19-early-data.pcap new file mode 100644 index 0000000000000000000000000000000000000000..042ca6aaf6d58481aa84ac84e2a8f71332c3a5bf GIT binary patch literal 15980 zcmch-Wl)_<(5}7E;O_1a+}$O(1a}Ya?(QCfyK5j2LXhCDf#484KyY_GYh}OL=S{Nr zK7YRYpr#7ydFtwWx_kA^^qQ&e_xa!eNWlO7fdqg7|9OM9skyn02v7k24H^Kdi0`pM z9xR=GLR~Nb2>?J?2tpVj3{8LDQ3ib+UEm$|w89?z1nH0gdbtMt>1pl(004)C`Tzz2 z0R;vI14qC-1`m1$2@U`x0qKd~_b(ei==?wf07huvI}jOU0mxpdXE7rH zTFA^pb0m2k`4=4$90m>*v3VCn2U>atA};{RqChHW{GpruTp6U>z2-OFnLs*W0165w zNgDw0KYFV{WDt>%6%4=$bPH(wP6VTAAqEkvkN%N}gMt}Q_&2czM8tvs0~`TKdk_#D z=ZbTl!TxF+3?;=V7b;j-1VWiY}r$>82R1rhR7 z7Oebyq3MWBh=7eS$cxl95P!$zkBGA`fq^2P5B6Kc37;Sx;{#9tdyE}_c@Y)y69F*V zH6Ws23j|;n3h-n6PJ~)q0tXQ@HUEv+S@JiL5JUvUMHw8J@BZi>;K70PO%o^At4WSA zV3fYAC$n~AunroL=SB-*LzB_y;J~TV{55rkkTfRZao0MX&1I(pQ|c zG0xZ$uoRO9uXjA?LH~xHD)ee^J(YBv#C0y!bcZXu6IxPm|?H!2IpQ|wPA8wQ&)OmmHyU~)MX7fhcbDXv5=VKwP ziO!y+Xt0wrYrzm#fwd&dN3*e5e3-%;=?W$=hx?fBI(k|WkE8_WFM9hN!mj#?Sh+t| zB1`f-b-5DSW^fm^@cg%JLU9y?~s0jWl1KK^@ydBB+CGqK6>pfI+` ziz^L9*u1d%hgMB5w#`<9apG6H``>eUtR|u?^6VZ?jc*CEoo}R}KUl0VHEC?e_|qG$ zGNGv=ZMoA23v8}z=SC+*eov2haDP3d0`bJ4_MH~7kjawu&V*WcwbXXMnks9cr9lc1 zN1;(5s9B=4L)XlrSu*`eUJEYHmbx(=k`X~B^IC13m%^Vytkl)a$)=H$F56XNV4RPR z;63;kfOkSFZG*DyW9$|OyD9EX*+~hOY=$e}psmmIhqlv}9ivNxq=Cit^=+?ozN-Y` zLDfQqrlUn+2IuzA#+C!3d8Kup33G*8_?*Ym=Y_zJXGjd+*{p`ZU@>E`U^F#PQag>@Pa*kG!0Y zlW*u!(9K)RQap>(_Oii9Wz@-?B-ng++1*I|k~Fx(vuRXI#>cCf^FH%8}ad?o$kRGHU4^Q#%AOs!e+nOHW)#guQK&9}p$iyY@2-bRz>3!$ofR z7CFP=-L%i!Qv-R0I>fbjm9nATaL2J8zCe!Y(1tR1+Tf7Y@3P9(XwCV#_Df+iOvY!Q zGD$jQG)J68Ini}}zTL{;WuIdWki5?s-winOjFI%cUHJyZf7&(&e#Ssx_-qEHu`~p2 z$0%cyma+D7lc>f!$RIBEmyNQX9xm;Q15*VKT`rl@s&GzGKkDg26);BZ^bMHGo##K$s z^xbbM+hxrIxJ1@upUy)ri(1E(jOV0gx8D;Ea(!wyLWf?0xhgt(S7FVW2_GrYyKU5W zh^S#rCrB>k57?MC=*0uK_nf7Uivm^t!2hoN5I-uv#;=v%y7%W=G9&nFTbIa#nq};CG;~r#Ybr&_&XBcsL)2Bu<4NXS&1cGQ znGZ(D^t=U)XTP8(6~{Il_q=o!xzplOHtatYO7u2Xd;Ne=-CI)Ksh+nElM`6ZkgoY^ 
z!v7ZUGELGXIX-;ehMa{EYy^3MEi680B%h7go!Q8qz0$55;?<~VN7-V-1y}om>_uI6 z|70{Gr+to~AADt2`=#T-B?Wh7t*)RX*-B0Zq8HqDo{SdjGJ%G8-opV)FO6Swtvp#_ ztUqNctb9Y^_GjP6yxJ(?!{K(QVVr*Fa0zLJf@Gg{Mf-GEy(VH-8TadmuD9OZxfa6; zW5*#*oYMg4WSx}T&!4m!609nGP-{Y(|b79AD^=PTJE*uX3C5^8XA)7l2pchgg&-^V!Vpe8;G%tUTYG(bDvxw7{&j_X1^1qV!~>zh5A?a5?_gDI z17_R=YA{=^72jW*<=jP&FXwD~1TNJ{L!=L_pI&o7(MGp8(rS!6fxqA$BVlzg#@ z6SrY_HSWTVW*Aa>J$qRHJYanozQRXk9x?#n@!HeT;VAovK=abjm@mRAUI*+%eBHXj z8YdKjAU>dKU1USXrH{!`GJ~A-6RyI!2M%uF$x07vsDriMSdYUtHGPlCw!l!V zeYf~!S5;?Sv+B?lMYvb|)u5p>EhW7jnc+lxidW;p38TdfHkRZvIL?cGuLImdCU;1P=`Ph@#rSsRhRW7+=aib05ZuA7B)m3puQQT{ZN1 z0X2nJZ*zUGrk&ae@vMFn1-$ve!VH(?{L>Br(LVOa)LUesL`CfYM?5t6SvCb^gE324 zJtD3bLI^O>xjRmJgIDucqgqmjOMBu(D-L~tUBcH>#2ed|3Cw$Vb%k|T?~Zz#VE1l( z++f-oF)kg1o6#>Y^d6uX zF3Le1@mLy4&&%$RW%VF6td4dw%U_AVB&wEL7AXgtLEv*?Y);Cb-<-dr6w^Dz)lJK} zIiB9mK(>O6E0%O5TapJH!YkhqCr4Qj!wxR8^$B?bw})W3I-ekyc@A~-6_owH-VubQ zXw|v&Aka;RmiWjc7nr7rV2;>W4`s-Y;-F3dNY5`G`|y=vTyoQ{9X=B%xoARpBqKpKz)MMpunqti>CTzMb@z%;*P1u_<}5y15z1V zzAh_Xrb5*aubLrXV#%BOEXVId#@Ut!a{jt;GYOhc2NTSQcPaDi=&em?Z&Dp}-T2%{ zR{5ax({nyD#?Tj?&mc3oGQ%;FxoCPR9noL18S`oTE}eK?fw}Qr=bWVF2!EX%`-sXA z15x=jWoUt{WD@xK5P55NU)AdSUgd0D-%2+!35o8v2mupH1V?BM?6n|6WKiYr09O8g zKi%DTgU(|1LcgBH9OLU*9Bl(okUyc{{yd9~s{v0Egdk#TD+B;^Yz2+qPZ5BaB}mX( zl2`KUTHwfuB9}Y z2;jn7Oui+VI5)0DV6;4QLeC0iXzv%Jwkk6k8o&yBU0lD%LoZoe^llVRQzP!0G2CDY zDF>u<8mRQ&=PtwnnmhgHf0%nOaPE!h#edEn=L-ZN1~_lf`2A!H@Ow}K5$!Dgk%)r= zaHap7s0H%okJ(~us!qUn%gp3Fs&bWYp<`N6r38E<<4$ulH34VHKRg}HWiS*n zHW3r$Ev!A*$8-p;U#{~>+3F=2&h<}R< zXpNr_0LEoU_3yYS5-^WzfwawkxZv`&Y|#Q6x`KZQD5>f}Eqn2yhf&2^{W$)C7tK$! 
z?o1F$a{6}HrC;jYb%SRBqgBKO3Kr?^Vraltkv+uj3rAB{w?>l$*kaeR#36*0u6(I9 zJt=uPSxtlBjLn4ZE8R+*Ij^nn7w8`o&9X7f3G7`m^Lcim1C-d-%~V3|QE2&dme-h- zpY$QGl3Bp|eG1jxmfao3O4Jl&;UtIKNR3B#SNB|(%ySsgqaHpHQ)sc!t706pnN)xB z>pco(`}jh+kg^W5$aZ9>N;9;wz<`k2P9WkoQwHR(VxYhNJv*YNL9tw8_$`+6^(;<> z!0fm|HTgT1_rO>xCIg8D!~lRcFfl;mkL-}^MgbAa7XFb4%nr5EpTtQ?5D^psbc%q| z2EFa&WaTF6wVo8NSXEqSkfj}C4Xp-d=kENX!bG_f@Re|6_|lNta=1l zdJVM133L!>{NW{GpMqXi0yf_GdI10sMQ|4CZx8&TmwoBk552$j!<;_- z(2EM#BSiUCFNmlOB>uZD=5HWfeDwb>T^H@o{!16k4_&vv`SEXE1eJg5N(1>3q)WEr z*?;H~s{`qx(fu!7X+R2VP~{_Cc1F{kM1NBw9o&J#;SVSVGYp2D5yKRa`eBulO0L~%&S|V?j(rZ2PFS{rhkbB z>CSNfP4_5}UJL3@+T;Dq^tCsrh#g8G;+X*);5kq?X#Adk;P|s}AmSU;evX)7DuOar~bB!)UzW80H3Zq?xF>P+b3GApB z!C+-jhpW`4G_QUk7z-u;>pH*Hqk@2|+T@uII7{u*$R};WN(_OafM=wp&~1GQNr@_B zu5pP5OoPW#XXCefAE{IgY&ifd%!@J<06DbqL>_mESEj9(!|afj4jjqrnnOCW9==sl zTGf>YUUfsV0(r0!%5brY8=%C|enR*=75^+bjKJ*#6STtT|Mk%ZC3!6oQ}+i@L)Pc- z64?<#z`XVbM9c;f1Ax8+jo(ud;6yPAO2rqazougMhabreOhtkJX~+^VuL}W_I|Nj8 zdC1QFd#bOSv?Sjk`!m=0TaR84si7lS19!_)rz7-R2#?x)z3x)(TRpwZuSi2=3G4i%VrKqzRk_&Q@W3gg5ghw}t6hE!FIW)VG2E+VQvcg@qQ zpyv{fR$7IR8hvmqLZKo&*3T%I=ZcEixd|5!)$2wTHDKK}h--E0^^>lOIjA^Um$Tf9 z+p=&2vrCHIW)(h8*Y`f^%)zSsOy86fim`p#`+nu_kuoyr5JvQ}}qLfI^F>ucd0CYeyxgU}U+em;w0 z9&P`ZN$5NN;&_5vRINb1K>G;{a{w*FY(72fMY^mYulXj&h1!fV)vjgK0HUkReSnyz zLkI{^T%1K@HqnHm2+k0GQ40#Y%l#rGwpN+&*3|3L^(2-9r zDv*1)WN`h6sbpVlqCzugSuJyJh~MAvG-gk}Gbc~Ru%BKybuzs6izcc+<0Ssv9-3Ns z7_JgOtNSfQ4~oudZmP52&1YXT5xr~+E(Al`<{)g{u3x&k%3pkzF8rwBOVsk^|3qF36kyb-fVVDk)NS5SsJ9ZBK`b zOPd^q;L`%~YF@Q0V7A_uQ$J-lR1RA5aDi$snCXAkUhW^YH~-h#dtUIf_GVE0L+#y4 zlEa{;A?~{2jCz}*Bese-Lc`UA#`0Rmb@+QWrUETP5Wqd1aEX9* z7ACphH!h`7MSY4rL7U!k;u?xq|A;EPz^J+M{qA`)-3srT;GOqb@A6u;|YBv3jQ7q!@v8o6u5E6)D#;eNN zRtumJPRU$Mne9j5(S)IG4&cWwOzfs!&I&rJpxX{2X_^SFy&!w58x?o&kWxspDY_iN z*5$0nkUt#9L%$iub?m?ut?N8z)k@8|==i=@RM_#td1!oBw~)5Sbd-ua)SGNaXKCQP z770VQbEWFd0hh0D(v+KG*;wgFTDAoqIO?m!xbk^ESK^t{FlF=arFW8-!-JJToJtAFSk_34{uEv zhCyAn8VQ@WU*k*?V3!<3yOVukGN)dgJNa&#<3}X}1*eNoet`WBPCDV3nJKe3)cQ*_b`+ 
z#A^jUO~PO}Z@Tf87zWV6?;K2DIG95>vy;SaU`P{930^jQDKL-ln3}}nbuTr|FN8~R za-1*hn?dxP&|1;Sl;3*tK;@uF=XPW-*m%^7;`2zim82-SMd0D8tF4^gKk!>5XL>Ph zEUi-522N1rfSJ;At3#2*<2JJ^ocd6w>qM(nnaJT19Y=mh5U`8XFe825J^gk2-X*nR zo+9vT;xUR@Y1s6AYp$&MN*<&~v|GJ_LyNCoZ%OGlv_f$V+|TAtF9y+IMCL@}J_>TJ zgjOuD_$k)4YQ$2!jfIFaI=~X00rY}+})I!a!!^rS`YDirF*2}Fc(dG zoN75SACmjIQEH|l#mqu$SP(?}rs)PV6ckwSM`FeMxmDEWEI$>7Uj1Hz9f4OfNn?9T ztt+_S)4+8f!b8=C4_^zpS{_entTy<6w~Y)S<-kVqh^DvAaedeePMf znyS3rPTzec?iohGJVf|HSB6zdI`fT+5C`)3!8qCviLBFcXex4|?Zs{=M5iyiC)G;< zwI`#>CIwCE>j#oi~ljm(zxiJk;XpG3_|o9DYL-OUYT){HAsB#sZL!HAf^9Dv2j7q?>R0 z43d`EbrF*njJX>*dX+zGBEMdA&XCsxRC^VGwHJ79`7!?3NvDCkgLcxEG=J`-&kF)@ zkhfxit+l^y8?EmHchZfZT|TB9FTbx7LW9tEtd$hbo!)D#z)zkvKlcBUiP2&KZ@DhP z;FyvdS7ki$66lq#>XDL%DxspHB2=W=$r{Yu&8eOG78 z28UP-_a+)V*@FbQl~#yk{m~89=!q5cx(yibUv0af>Q6__^BMD&^y?+VfW4p4ou`eY zJ_^WzVJlApuU~PuAOeTDK+P93(GXQ_(#D6YxaEE+G6eppwb|eh-){9bGl{Jwbml3e zxtN^y;`%!lvdc5ep|M+D1qEV4Mb*x=8T3)gM#Z>crQw@yZ}n~;i)GQWFG#&Kc0!ER zg6vBgU8}Dr>ug@C`LDTsjrccf+cj#XL`hOmw1r)apDZ;q={m9KzppIs z`}V?WHb0k<h&CBfynU zx9t1pg#{lvGnSD&Ys`aIUxJz1w={}U0$!xu#}SOxV6G%tsNJs~WMpL{I!8PgbRIm`aEX#2;iwuzYQxM_YHa9{vbWiRQo(hzso5a6 z)%Mb)Q#kru%u1t6vs%lVGs)vFTrDC^_}xcI79ll&d z!~3H6amLImYvBQ#MVf>iO#l3dfKbEaHPm288l3>%N`y`D{rz3fj7O~2I^QjLL(CTJ zR77=%#A$|&Zp)_}+yoO{_&UKf?@Q+Z&G46l_iwy%n%qTip6VCm5GcNgYMTyjD!s`2L4=Btg?44lJ>SodMMmw0uJST$&5metF;)|Y|XBIQE) z5%s`DIxL>V4^W&qP8;~f*ye9KAr$RxX||4izgL1|6%N_Vz9oZ(uks+>SsQ^1L(T+v zhF8GGRuP}&A(ndH;%nVnda1uzHAAVkV->@H6s}yF%&PIZmQp#WhsH8ibnxs@y0yNr z@Hr%}EPw5i<7$9Gt7MzIqd&)9O8E5)Av}JDPHAc5lG(cxc1bl~!SrPqk#|C8z5D49 z&il--i1c>fT0dMxUtZ@8j-smkGJV_s4;k-xvT`p+tUrgXRm{5@9clqUfv(IH}}`t`*``Y z_Uc*vL+vFl4`?bAVFL^D&L=&xq1*0J^enK1j8TTTV5^K8SLsGr={%;fy-bNt=ll$o zZB4a|9rbZggfqZu8z*!BowCi$jjD$70lsAYsr<>aXAH}NDMLbjA#YWOn(-?xE1`UO z#J2KYnliDVF;REDUf`xGdb7&?Ri==#+Q^b!j*p{2!yO*`P0f{aC0&9Ng7`~$QC1(5 z)GHbOBxfJJc_CfiNvi#BrfxlA#;LuY88NMHGOP=Uc%wMS$rR$+xc z$1oI9>RQUtZxK2j59#$rnM$`^p6gCaEILXE5|fDV&D?5%Zd!OSWPz&iw&FLNC(YFy 
zAfGqA#E)Re3g(*17zi1%e#X*a{e+I(seTgH$sjd2veS0MG2InFv{}g<^Yu_k?=~&s zH1Eq=>-nx2oK!dD2;1_kb)c4+U=XQ&obj%SuoA2_j$~@RQZkKAQu_P!`j&Uh_+bKt zC8Z(6DxcFu6dHK7n6nmpPLy}B-V3|~XlV2994VTE;i>0<=iA!uA#%%qgS;*?N6Q?6 z=f>)EKG8CZF%GZp+JFmn9&=`If2a3k^Vtx$ACYTsvTXP$14ANysxS7l(i3BG{UVgW zo#{42dz3zJu$WhN4~|8!ciI;L;BOKswS0ull%BfNOchFX zbJ6ZYMuO3gv@57&z$srmjG8KJi(U5okt>V{C{z!>&*$ApC1Hh1d#M$XVB05|K~?c3bwW_YAtm&N zqBFJ}auV}Jb>VnzQ`ECr|EV<%$H{Tmr=#;skZ>4QKoAroS6sS

#EMdK(4TiwOMknXRs%8?-Rk>Kq0 z%)MklfBAH77gKaxHU2I6C3g@y{>xg|vy8S#xn&o;E&5y?5A=FDZRsUyw-LE12SKmQ zQ_3rqU^IAmbm`7nJ?K#Hr2)Pp-K$Or0S0O8OboBARBqDN z(VQt=Qr&FckFN!`p`jNv4~(pD2h)iFEEPsfXiLJ%X?@9_ulWxqAjmqAuaajq31LQE zS%18KTY!1qK1;iqpmEUPoGy>A&YW~1sEB9N>}YvY(n~JJ1aG$=KgC1e`n1`sy&?+(=xflP>t3v>+MRVL~P482ZTC?nX;;SyXTnS zsEnRlGkZlWk4nGfnS#bTJ#VDyr1AyZx)aRYnc$<@a6J!DB(HexF>rsxePAytOO?J5 zR2vY5DWNM4HKgA}TR!7oo{jlhH1uxY>zkq2Ck@oLXP0CQn^iuCNW$<;2BmBHuYAAq zU2X6$BoRfs1wS}@P_iDr(17-A7tug?)g#4s@#3WPRRNc>(Jno+jDBn8-tBj@)|t8t zm5}0VL#&xK{w1(>cgjc}gy-NbH8T9l%=`6k`58y6w6nz!x_SKA!V7NBUq5wu6dxon z-R;YhS-?<}Ka(GSPkwt@@}i6AN-5KFR4|bO<@zhz2|R=!Mbw7t>G1yD=F&qY6}V26 z{Znt;dhfZ@8@L;)7atDgqZQQ1XlsplUXzFJ4e{7To^(cIX;o=4Vuh`k<)+;)?bnzQ0^=j@ME0rqE2g>Rl>Nx5vnv z%o%OYdJ6G=+jB&vWLp)U5xUpxNVw2Dms95HZ=jh_cT)ONq9ces+{eiJ!T>Z>;2Y71 zxGGm8w*;OKID2e^hcsgkm7N-!0TWD9SYbE|zFy&kpR^+x)Vy-$u)W%;K* zMD(T4Fd0=+q6xQ4lXcH4rtmKco%DG$ob!#g@`55db>_w_p)TE*c=~pt?Ks}VB1=<# z)YyvNQHGv#q@*+3AR2cTvZ)p5`EqWoVuOqj3|?FC@@%E%Y4suR+7fdxJFjsKZ*f3z zVW@(uCEu^IJH6A+^DB6g7xfa)$lGv_`a#%xcuS=y&raz3ClApc*zy?Br@VNwqv!9d zJha$lUf?qY&d$@J={Qd*MNK1;QnYD?-TUSsT}KQgvN6BMVd-b8L$?r2mf!uR8oYi` zwGMxW!?iQ-9HWSS+v|md0+UE{4R~8fzq>|~Ud(!fGgQNN^g(=G~sjX}>&{ZRi&HnW*oq zTR!23=tt;-x~L{yy!_VifXjwwnqz)RK2_4$PUtV{;0(&e`~AK@bR&i&ZFsE0s06HI zp~1JBR=@Y#froX>kuD`TCRadeyuvloF_O0?Q^gqm>F9$5i~^2+ z7o%_@8heN$0}~xFvauiC?aPU#qAXL|l_I%g3z@AhMspeDAe$;TJFW0!UdV$XubX9!_g{r948U>{R2HwAz?_8<=M4s z{+KB&_Cj4PJ48MSjIoL20P1{2zCp!gGrh{rbP1erHu`$fw{M;(5;DX^S$LP8Ni{(- zacu_Z>eJW_v&Tp)OKp4|iMeUf*cnjQ%>h6qPC`)6hjNmXp9^f&MypzTS2uK?iBzK1pMw4G=Bfi5!{85A5?qg z!hfy3urfbuZwIge0_weh`Y!+Tog+A3{?UboQ_mJZa_12g8F+~M=Fw_1)E%D<%P!2! 
zq&5ce8>O$JP_E>=Lg4Y5g3NDgE~!h|2PUi=JnWCLQ*YkTN8h8eGm18okf}!4$_kB# zi>2mEzcCHL&Gw+gN*@)T?2A=Kw1Z71TC_73Cts}3T-cCZE#1wL^re4;`TB@58=Mu@ zux}rGpJjsXt4`CbL5Xt6H`@nZOk2eX1n43Lp%FFN3p`jh@;;w#-FK7~_sm;o_>JFe z8sIR97^DJ*m#cZvg5rYCxvAZU!|>6$FY!npp;76bJ_$VUaE^midOs|kRL%evKPL!{ z-oV*IJ0SplB%Z#36Vpq-Dxsb)Q3y86*3=Qn(Ggr%yoJjgyCpkrXt9J0;ijv3>Sgn; zj<$nOz(TpX@E+{_II)9>M2z&Zit<#aTntt#8=;)|p}4QM@MU~xAuow>s#W6j1E>#E&8CUWACrCq`h9>qR1hoV(et_%L;ghhU&w=I>g+%`1TPw7I1 zaZHKGvnQ}WE%<)XW34`}BN0#3KPotSi2#(5=)jEp_r4keHK?y`{>VlgNz# z@gKKI83jPKLVo+#S^*zL#MGk>x(`UY^A{0VEA~Or0d-^N-?(QxiJzS17FWQe(f1SF z&cXEOmJdAl{DvuT%7c{3ikQ74Kr;U}_+00e1yXgp&9^-@yl%z_Yt&M0u9Q5uodpq| zScN(;_bV<<(_q9kLS3`N5{4x!_D9>E*)6!R#LTSs9O9wI;1p@MfkAbU9&04-2Q^ia zs@>9^GcX~2Rnj~S2SFTfR-x~!NhiKNH-J9#IMk>TadmN)cmiTUw{zLo6AKL4Gw`8ZD4%803O)CBO zt>(WhWdMo78sL9x|9zza$T13nvPYrn*X%*C0A`OpD0?)ce`Ze?JOT4o{txY7R1#Ty zMr;Q7+!Rq3N?B}zaQq-kFMyVQ`uz_}?2JM`EcN_mDd2}C;5|?c*k3Jyh`B)GzuyCO nqXGH-V(Yg^+Ji0zf$pac5dd$-11Wj`NvV1RqO^Jc7v=u|4k6Oq literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test index dc514ff9d4..02f3905e48 100644 --- a/testing/btest/scripts/base/protocols/ssl/dpd.test +++ b/testing/btest/scripts/base/protocols/ssl/dpd.test @@ -2,6 +2,7 @@ # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT +# @TEST-EXEC: bro -b -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout @load base/frameworks/dpd From 6c9449c780518e45bdc05387288f7be81cafed79 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 5 Apr 2017 11:54:53 -0700 Subject: [PATCH 4/4] Add support for two TLS 1.3 extensions. New events: event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) --- scripts/base/protocols/ssl/consts.bro | 4 ++ src/analyzer/protocol/ssl/events.bif | 44 +++++++++++++ src/analyzer/protocol/ssl/ssl-defs.pac | 4 ++ .../protocol/ssl/tls-handshake-analyzer.pac | 40 +++++++++++ .../protocol/ssl/tls-handshake-protocol.pac | 12 ++++ .../.stdout | 66 +++++++++++++++++++ .../protocols/ssl/tls-extension-events.test | 15 +++++ 7 files changed, 185 insertions(+) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 2f646de516..9d9460906a 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -163,6 +163,10 @@ export { [42] = "early_data", # new for 1.3, state of draft-16 [43] = "supported_versions", # new for 1.3, state of draft-16 [44] = "cookie", # new for 1.3, state of draft-16 + [45] = "psk_key_exchange_modes", # new for 1.3, state of draft-18 + [46] = "TicketEarlyDataInfo", # new for 1.3, state of draft-16 + [47] = "certificate_authorities", # new for 1.3, state of draft-18 + [48] = "oid_filters", # new for 1.3, state of draft-18 [13172] = "next_protocol_negotiation", [13175] = "origin_bound_certificates", [13180] = "encrypted_client_certificates", diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 2855dd7fe9..8142f67c7d 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif 
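Review bot: `[46] = "TicketEarlyDataInfo"` breaks the snake_case naming every other entry in this table uses (`psk_key_exchange_modes`, `certificate_authorities`, `oid_filters`), and these strings are what script-land and log consumers see for the extension code. As far as I recall draft-16 registers the code point as `ticket_early_data_info`, and the `ssl-defs.pac` hunk in this same series names it `EXT_TICKET_EARLY_DATA_INFO`, so `[46] = "ticket_early_data_info", # new for 1.3, state of draft-16` would match both the draft and the table's convention. If the camel-case form is intentional, a trailing comment saying so would stop it being "fixed" later.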
@@ -87,6 +87,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server ## ssl_session_ticket_handshake ssl_extension_ec_point_formats ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is @@ -104,6 +105,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension @@ -122,6 +124,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); ## Generated for an Signature Algorithms extension. This TLS extension 
@@ -139,6 +142,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 @@ -155,6 +159,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); ## Generated if a named curve is chosen by the server for an SSL/TLS connection. @@ -169,6 +174,7 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_server_curve%(c: connection, curve: count%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains 
@@ -204,6 +210,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is 
@@ -223,8 +230,45 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +## Generated for an TLS Supported Versions extension. This TLS extension +## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake. +## It contains the TLS versions that it supports. This informaion can be used by +## the server to choose the best TLS version o use. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported TLS versions. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_psk_key_exchange_modes +event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); + +## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined +## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the +## list of Pre-Shared Key Exchange Modes that it supports. +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported Pre-Shared Key Exchange Modes. +## +## .. 
bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_supported_versions +event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); + ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that ## as it can. This event signals the time when an SSL/TLS has finished the diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index 405ec34fbf..26eb29bfc5 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac @@ -150,6 +150,10 @@ enum SSLExtensions { EXT_EARLY_DATA = 42, EXT_SUPPORTED_VERSIONS = 43, EXT_COOKIE = 44, + EXT_PSK_KEY_EXCHANGE_MODES = 45, + EXT_TICKET_EARLY_DATA_INFO = 46, + EXT_CERTIFICATE_AUTHORITIES = 47, + EXT_OID_FILTERS = 48, EXT_NEXT_PROTOCOL_NEGOTIATION = 13172, EXT_ORIGIN_BOUND_CERTIFICATES = 13175, EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180, diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index a4f4f94c6f..c85f3205ef 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
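Review bot: The docstring for `ssl_extension_psk_key_exchange_modes` documents a parameter named `versions`, but the event's parameter is `modes`; the line should read `## modes: List of supported Pre-Shared Key Exchange Modes.`. The same block lacks the blank `##` line between the description and `## c: The connection.` that the other events in this file have, which matters for the generated documentation. In the `ssl_extension_supported_versions` docstring, `an TLS` should be `a TLS`, `informaion` should be `information`, and `o use` should be `to use`; the `an TLS` typo repeats in the first line of the psk docstring.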
@@ -189,6 +189,38 @@ refine connection Handshake_Conn += { return true; %} + function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool + %{ + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( versions_list ) + { + for ( int i = 0; i < versions_list->size(); ++i ) + versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, versions); + + return true; + %} + + function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool + %{ + VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( mode_list ) + { + for ( int i = 0; i < mode_list->size(); ++i ) + modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, modes); + + return true; + %} + function proc_v3_certificate(is_orig: bool, cl : X509Certificate[]) : bool %{ vector* certs = cl; @@ -329,6 +361,14 @@ refine typeattr DhServerKeyExchange += &let { proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); }; +refine typeattr SupportedVersions += &let { + proc : bool = $context.connection.proc_supported_versions(rec, versions); +}; + +refine typeattr PSKKeyExchangeModes += &let { + proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes); +}; + refine typeattr Handshake += &let { proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index da01a27f1d..0f6287ea4a 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
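Review bot: `proc_supported_versions` and `proc_psk_key_exchange_modes` are the same body apart from the element type and the event raised, and if the file's other `index_vec` producers (the point-formats and curves handlers, not visible in this hunk) follow the same shape, a small helper that converts a binpac array into an `index_vec` `VectorVal` would remove the duplicated loop and null check. Both loops compare `int i` against `size()`, which is unsigned; `for ( unsigned int i = 0; i < versions_list->size(); ++i )` (and the same for `mode_list`) avoids the sign-compare warning. Neither function carries a comment; a one-liner on each such as `// Raise ssl_extension_supported_versions with the raw uint16 version codes as advertised (draft versions appear as 0x7Fxx).` would tell script-land consumers that no decoding happens here, which is what the test in this series relies on when it indexes `SSL::version_strings`.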
@@ -486,10 +486,22 @@ type SSLExtension(rec: HandshakeRecord) = record { EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0); + EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; } &length=data_len+4 &exportsourcedata; +type SupportedVersions(rec: HandshakeRecord) = record { + length: uint8; + versions: uint16[] &until($input.length() == 0); +} &length=length+1; + +type PSKKeyExchangeModes(rec: HandshakeRecord) = record { + length: uint8; + modes: uint8[] &until($input.length() == 0); +} &length=length+1; + type ServerNameHostName() = record { length: uint16; host_name: bytestring &length=length; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout index c9434d9ddd..d5ab2cf618 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout 
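Review bot: `SupportedVersions` reads `versions: uint16[] &until($input.length() == 0)` inside a record bounded by `&length=length+1`, so an odd `length` from the peer leaves one trailing byte that cannot form a `uint16`; binpac presumably raises an out-of-bound exception there, which the analyzer's existing error path turns into a protocol violation rather than a crash, but that behaviour on malformed input is worth stating on the type: `# length is the byte count of the list and must be even; an odd value aborts parsing of this extension.`. The record is also parsed for both directions, because the `SSLExtension` case arm does not branch on `rec.is_orig`; at draft-19 only the client sends this extension, but should a later draft give the server a different layout this type would misread it, and `rec` is already in scope to branch on. `PSKKeyExchangeModes` has the same structure with `uint8` elements, so only the direction caveat applies to it.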
@@ -20,3 +20,69 @@ uncompressed ansiX962_compressed_prime ansiX962_compressed_char2 ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1] +Point formats, 192.168.6.240, 139.162.123.134, T +uncompressed +ansiX962_compressed_prime +ansiX962_compressed_char2 +Curves, 192.168.6.240, 139.162.123.134 +x25519 +secp256r1 +secp521r1 +secp384r1 +signature_algorithm, 192.168.6.240, 139.162.123.134 +sha256, ecdsa +sha384, ecdsa +sha512, ecdsa +unknown-8, unknown-4 +unknown-8, unknown-5 +unknown-8, unknown-6 +sha256, rsa +sha384, rsa +sha512, rsa +sha1, ecdsa +sha1, rsa +sha1, dsa +sha256, dsa +sha384, dsa +sha512, dsa +supported_versions(, 192.168.6.240, 139.162.123.134 +TLSv13-draft19 +TLSv12 +TLSv11 +TLSv10 +psk_key_exchange_modes, 192.168.6.240, 139.162.123.134 +1 +0 +Point formats, 192.168.6.240, 139.162.123.134, T +uncompressed +ansiX962_compressed_prime +ansiX962_compressed_char2 +Curves, 192.168.6.240, 139.162.123.134 +x25519 +secp256r1 +secp521r1 +secp384r1 +signature_algorithm, 192.168.6.240, 139.162.123.134 +sha256, ecdsa +sha384, ecdsa +sha512, ecdsa +unknown-8, unknown-4 +unknown-8, unknown-5 +unknown-8, unknown-6 +sha256, rsa +sha384, rsa +sha512, rsa +sha1, ecdsa +sha1, rsa +sha1, dsa +sha256, dsa +sha384, dsa +sha512, dsa +supported_versions(, 192.168.6.240, 139.162.123.134 +TLSv13-draft19 +TLSv12 +TLSv11 +TLSv10 +psk_key_exchange_modes, 192.168.6.240, 139.162.123.134 +1 +0 diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test index 261a698833..b8f3d42242 100644 --- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test +++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test @@ -1,4 +1,5 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT +# @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec) 
@@ -33,3 +34,17 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_ print SSL::hash_algorithms[signature_algorithms[i]$HashAlgorithm], SSL::signature_algorithms[signature_algorithms[i]$SignatureAlgorithm]; } } + +event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + { + print "supported_versions(", c$id$orig_h, c$id$resp_h; + for ( i in versions ) + print SSL::version_strings[versions[i]]; + } + +event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) + { + print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h; + for ( i in modes ) + print modes[i]; + }
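Review bot: `print "supported_versions(", c$id$orig_h, c$id$resp_h;` carries a stray `(` in the label, which the baseline added in this same commit reproduces as `supported_versions(, 192.168.6.240, ...`; the line should read `print "supported_versions", c$id$orig_h, c$id$resp_h;` to match the `psk_key_exchange_modes` handler below it, with the baseline `.stdout` regenerated. `SSL::version_strings[versions[i]]` is only safe for codes present in that table unless it declares a `&default` (not visible here); the draft-19 trace used resolves, as the baseline shows, but a future trace advertising an unlisted draft would hit a runtime index error in the test rather than a readable line.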