From 06ca14ea45271c7032d27b596edb4e6e787d354d Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 26 Oct 2010 16:41:15 -0400
Subject: [PATCH 01/71] Updated SSL analyzer and Bro script with lots of new ciphers.
---
 policy/ssl-ciphers.bro | 1009 ++++++++++++++++++++++++----------------
 policy/ssl.bro | 41 +-
 src/SSLCiphers.cc | 454 +++++++++++++++++-
 src/SSLCiphers.h | 310 +++++++++---
 4 files changed, 1316 insertions(+), 498 deletions(-)
diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro
index 143244d364..307565eb36 100644
--- a/policy/ssl-ciphers.bro
+++ b/policy/ssl-ciphers.bro
@@ -11,154 +11,218 @@ const SSLv20_CK_IDEA_128_CBC_WITH_MD5 = 0x050080; const SSLv20_CK_DES_64_CBC_WITH_MD5 = 0x060040; const SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0; -# --- sslv3x --- - -const SSLv3x_NULL_WITH_NULL_NULL = 0x0000; - -# The following CipherSuite definitions require that the server -# provide an RSA certificate that can be used for key exchange. The -# server may request either an RSA or a DSS signature-capable -# certificate in the certificate request message. - -const SSLv3x_RSA_WITH_NULL_MD5 = 0x0001; -const SSLv3x_RSA_WITH_NULL_SHA = 0x0002; -const SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; -const SSLv3x_RSA_WITH_RC4_128_MD5 = 0x0004; -const SSLv3x_RSA_WITH_RC4_128_SHA = 0x0005; -const SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; -const SSLv3x_RSA_WITH_IDEA_CBC_SHA = 0x0007; -const SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; -const SSLv3x_RSA_WITH_DES_CBC_SHA = 0x0009; -const SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A; - -# The following CipherSuite definitions are used for -# server-authenticated (and optionally client-authenticated) -# Diffie-Hellman. DH denotes cipher suites in which the server's -# certificate contains the Diffie-Hellman parameters signed by the -# certificate authority (CA). DHE denotes ephemeral Diffie-Hellman, -# where the Diffie-Hellman parameters are signed by a DSS or RSA -# certificate, which has been signed by the CA. The signing -# algorithm used is specified after the DH or DHE parameter. In all -# cases, the client must have the same type of certificate, and must -# use the Diffie-Hellman parameters chosen by the server. 
-
-const SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B;
-const SSLv3x_DH_DSS_WITH_DES_CBC_SHA = 0x000C;
-const SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D;
-const SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E;
-const SSLv3x_DH_RSA_WITH_DES_CBC_SHA = 0x000F;
-const SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
-const SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
-const SSLv3x_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
-const SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
-const SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
-const SSLv3x_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
-const SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
-
-# The following cipher suites are used for completely anonymous
-# Diffie-Hellman communications in which neither party is
-# authenticated. Note that this mode is vulnerable to
-# man-in-the-middle attacks and is therefore strongly discouraged.
-
-const SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017;
-const SSLv3x_DH_anon_WITH_RC4_128_MD5 = 0x0018;
-const SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
-const SSLv3x_DH_anon_WITH_DES_CBC_SHA = 0x001A;
-const SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B;
-
-# The final cipher suites are for the FORTEZZA token.
-
-const SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C;
-const SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D;
-# This seems to be assigned to a Kerberos cipher in TLS 1.1
-#const SSLv3x_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E;
-
-
-# Following are some newer ciphers defined in RFC 4346 (TLS 1.1)
-
-# Kerberos ciphers
-
-const SSLv3x_KRB5_WITH_DES_CBC_SHA = 0x001E;
-const SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F;
-const SSLv3x_KRB5_WITH_RC4_128_SHA = 0x0020;
-const SSLv3x_KRB5_WITH_IDEA_CBC_SHA = 0x0021;
-const SSLv3x_KRB5_WITH_DES_CBC_MD5 = 0x0022;
-const SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023;
-const SSLv3x_KRB5_WITH_RC4_128_MD5 = 0x0024;
-const SSLv3x_KRB5_WITH_IDEA_CBC_MD5 = 0x0025;
-
-# Kerberos export ciphers
-
-const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026;
-const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027;
-const SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028;
-const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029;
-const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A;
-const SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B;
-
-
-# AES ciphers
-
-const SSLv3x_RSA_WITH_AES_128_CBC_SHA = 0x002F;
-const SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030;
-const SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
-const SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032;
-const SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033;
-const SSLv3x_DH_anon_WITH_AES_128_CBC_SHA = 0x0034;
-const SSLv3x_RSA_WITH_AES_256_CBC_SHA = 0x0035;
-const SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036;
-const SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037;
-const SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
-const SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
-const SSLv3x_DH_anon_WITH_AES_256_CBC_SHA = 0x003A;
-
-# Mostly more RFC defined suites
-const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; # [RFC4132]
-const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; # [RFC4132]
-const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; # [RFC4132]
-const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; # [RFC4132]
-const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; # [RFC4132]
-const TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046; # [RFC4132]
-
-# The following are tagged as "Widely Deployed implementation":
-const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0x0047;
-const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0x0048;
-const TLS_ECDH_ECDSA_WITH_DES_CBC_SHA = 0x0049;
-const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0x004A;
-const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0x004B;
-const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0x004C;
-const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060;
-const TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061;
-const TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062;
-const TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
-const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064;
-const TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
-const TLS_CK_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
-
-const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; # [RFC4132]
-const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; # [RFC4132]
-const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; # [RFC4132]
-const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; # [RFC4132]
-const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; # [RFC4132]
-const TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089; # [RFC4132]
-const TLS_PSK_WITH_RC4_128_SHA = 0x008A; # [RFC4279]
-const TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B; # [RFC4279]
-const TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C; # [RFC4279]
-const TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D; # [RFC4279]
-const TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E; # [RFC4279]
-const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F; # [RFC4279]
-const TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090; # [RFC4279]
-const TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091; # [RFC4279]
-const TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092; # [RFC4279]
-const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093; # [RFC4279]
-const TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094; # [RFC4279]
-const TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095; # [RFC4279]
-const TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; # [RFC4162]
-const TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097; # [RFC4162]
-const TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098; # [RFC4162]
-const TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099; # [RFC4162]
-const TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A; # [RFC4162]
-const TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B; # [RFC4162]
+# --- TLS ---
+const TLS_NULL_WITH_NULL_NULL = 0x0000;
+const TLS_RSA_WITH_NULL_MD5 = 0x0001;
+const TLS_RSA_WITH_NULL_SHA = 0x0002;
+const TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
+const TLS_RSA_WITH_RC4_128_MD5 = 0x0004;
+const TLS_RSA_WITH_RC4_128_SHA = 0x0005;
+const TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
+const TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007;
+const TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
+const TLS_RSA_WITH_DES_CBC_SHA = 0x0009;
+const TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A;
+const TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B;
+const TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C;
+const TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D;
+const TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E;
+const TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F;
+const TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
+const TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
+const TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
+const TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
+const TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
+const TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
+const TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
+const TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017;
+const TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018;
+const TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
+const TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A;
+const TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B;
+const SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C;
+const SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D;
+const TLS_KRB5_WITH_DES_CBC_SHA = 0x001E;
+const TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F;
+const TLS_KRB5_WITH_RC4_128_SHA = 0x0020;
+const TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021;
+const TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022;
+const TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023;
+const TLS_KRB5_WITH_RC4_128_MD5 = 0x0024;
+const TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025;
+const TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026;
+const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027;
+const TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028;
+const TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029;
+const TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A;
+const TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B;
+const TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
+const TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030;
+const TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
+const TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032;
+const TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033;
+const TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034;
+const TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035;
+const TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036;
+const TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037;
+const TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
+const TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
+const TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
+const TLS_RSA_WITH_NULL_SHA256 = 0x003B;
+const TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
+const TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
+const TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E;
+const TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F;
+const TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040;
+const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
+const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
+const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043;
+const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044;
+const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045;
+const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
+const TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060;
+const TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061;
+const TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062;
+const TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
+const TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064;
+const TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
+const TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
+const TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
+const TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068;
+const TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069;
+const TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A;
+const TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
+const TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C;
+const TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D;
+const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
+const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
+const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
+const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087;
+const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
+const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
+const TLS_PSK_WITH_RC4_128_SHA = 0x008A;
+const TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B;
+const TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C;
+const TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D;
+const TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E;
+const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F;
+const TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090;
+const TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091;
+const TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092;
+const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093;
+const TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094;
+const TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095;
+const TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+const TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097;
+const TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098;
+const TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099;
+const TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A;
+const TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B;
+const TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
+const TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D;
+const TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
+const TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F;
+const TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0;
+const TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1;
+const TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
+const TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3;
+const TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4;
+const TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5;
+const TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6;
+const TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7;
+const TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8;
+const TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9;
+const TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA;
+const TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB;
+const TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC;
+const TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD;
+const TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE;
+const TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF;
+const TLS_PSK_WITH_NULL_SHA256 = 0x00B0;
+const TLS_PSK_WITH_NULL_SHA384 = 0x00B1;
+const TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2;
+const TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3;
+const TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4;
+const TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5;
+const TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6;
+const TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7;
+const TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8;
+const TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9;
+const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA;
+const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB;
+const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC;
+const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD;
+const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE;
+const TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF;
+const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0;
+const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1;
+const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2;
+const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3;
+const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4;
+const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5;
+const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001;
+const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002;
+const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003;
+const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004;
+const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005;
+const TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006;
+const TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007;
+const TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008;
+const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009;
+const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A;
+const TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B;
+const TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C;
+const TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D;
+const TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E;
+const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F;
+const TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010;
+const TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011;
+const TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012;
+const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013;
+const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014;
+const TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015;
+const TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016;
+const TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017;
+const TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018;
+const TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019;
+const TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A;
+const TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B;
+const TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C;
+const TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D;
+const TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E;
+const TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F;
+const TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020;
+const TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021;
+const TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022;
+const TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023;
+const TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024;
+const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025;
+const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026;
+const TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027;
+const TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028;
+const 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029; +const TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A; +const TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B; +const TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C; +const TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D; +const TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E; +const TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F; +const TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030; +const TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031; +const TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032; +const TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033; +const TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034; +const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035; +const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036; +const TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037; +const TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038; +const TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039; +const TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A; +const TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B; +const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE; +const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF; +const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1; +const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0; # Cipher specifications native to TLS can be included in Version 2.0 client 
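Review bot: Every exported identifier in this block is renamed on the new side (`SSLv3x_*` becomes `TLS_*`, `DH_anon` becomes `DH_ANON`, and the `TLS_CK_` prefix is dropped, e.g. `-const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060;` / `+const TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060;`) with no aliases kept, so any site script that still refers to `SSLv3x_RSA_WITH_RC4_128_MD5` or a `TLS_CK_*` name will presumably no longer resolve; the diffstat shows `policy/ssl.bro` being updated but out-of-tree users are not, so either retain the old names as deprecated aliases for a release or state the break explicitly in the commit message. The same renames reach the `ssl_cipher_desc` strings in the second hunk, which means anything downstream that matches on the old `SSLv3x_` description strings silently stops matching as well. The rewrite also removes the `# [RFC4132]`/`# [RFC4279]`/`# [RFC4162]` provenance tags and the prose warning that the `DH_anon` suites authenticate neither party, and the enlarged list now runs NULL-cipher, anonymous, export, SRP and AEAD suites together without a break; a short comment before the 0x0017 and 0xC015 groups such as `# *_ANON_* suites provide no server authentication; *_WITH_NULL_* suites provide no confidentiality` would preserve what an analyst needs when these names show up in a log.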
@@ -186,196 +250,218 @@ const ssl_cipher_desc: table[count] of string = { "SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5", [SSLv20_CK_DES_64_CBC_WITH_MD5] = "SSLv20_CK_DES_64_CBC_WITH_MD5", - # --- sslv3x --- - [SSLv3x_NULL_WITH_NULL_NULL] = "SSLv3x_NULL_WITH_NULL_NULL", - - [SSLv3x_RSA_WITH_NULL_MD5] = "SSLv3x_RSA_WITH_NULL_MD5", - [SSLv3x_RSA_WITH_NULL_SHA] = "SSLv3x_RSA_WITH_NULL_SHA", - [SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5] = - "SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5", - [SSLv3x_RSA_WITH_RC4_128_MD5] = "SSLv3x_RSA_WITH_RC4_128_MD5", - [SSLv3x_RSA_WITH_RC4_128_SHA] = "SSLv3x_RSA_WITH_RC4_128_SHA", - [SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5] = - "SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5", - [SSLv3x_RSA_WITH_IDEA_CBC_SHA] = "SSLv3x_RSA_WITH_IDEA_CBC_SHA", - [SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_RSA_WITH_DES_CBC_SHA] = "SSLv3x_RSA_WITH_DES_CBC_SHA", - [SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA] = "SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA", - - [SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DH_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DH_DSS_WITH_DES_CBC_SHA", - [SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DH_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DH_RSA_WITH_DES_CBC_SHA", - [SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DHE_DSS_WITH_DES_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DHE_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DHE_RSA_WITH_DES_CBC_SHA", - [SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - - 
[SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5] = - "SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5", - [SSLv3x_DH_anon_WITH_RC4_128_MD5] = "SSLv3x_DH_anon_WITH_RC4_128_MD5", - [SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA] = - "SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA", - [SSLv3x_DH_anon_WITH_DES_CBC_SHA] = "SSLv3x_DH_anon_WITH_DES_CBC_SHA", - [SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA", - - [SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA] = - "SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA", - [SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] = - "SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA", - [SSLv3x_KRB5_WITH_DES_CBC_SHA] = - "SSLv3x_KRB5_WITH_DES_CBC_SHA", - [SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA] = - "SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA", - [SSLv3x_KRB5_WITH_RC4_128_SHA] = - "SSLv3x_KRB5_WITH_RC4_128_SHA", - [SSLv3x_KRB5_WITH_IDEA_CBC_SHA] = - "SSLv3x_KRB5_WITH_IDEA_CBC_SHA", - [SSLv3x_KRB5_WITH_DES_CBC_MD5] = - "SSLv3x_KRB5_WITH_DES_CBC_MD5", - [SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5] = - "SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5", - [SSLv3x_KRB5_WITH_RC4_128_MD5] = - "SSLv3x_KRB5_WITH_RC4_128_MD5", - [SSLv3x_KRB5_WITH_IDEA_CBC_MD5] = - "SSLv3x_KRB5_WITH_IDEA_CBC_MD5", - [SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA] = - "SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA", - [SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] = - "SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", - [SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA] = - "SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA", - [SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5] = - "SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5", - [SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] = - "SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", - [SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5] = - "SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5", - [SSLv3x_RSA_WITH_AES_128_CBC_SHA] = - "SSLv3x_RSA_WITH_AES_128_CBC_SHA", - [SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA] = - "SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA", - [SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA] = - "SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA] = - "SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA", 
- [SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA] = - "SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA", - [SSLv3x_DH_anon_WITH_AES_128_CBC_SHA] = - "SSLv3x_DH_anon_WITH_AES_128_CBC_SHA", - [SSLv3x_RSA_WITH_AES_256_CBC_SHA] = - "SSLv3x_RSA_WITH_AES_256_CBC_SHA", - [SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA] = - "SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA", - [SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA] = - "SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA", - [SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA] = - "SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA", - [SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA] = - "SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA", - [SSLv3x_DH_anon_WITH_AES_256_CBC_SHA] = - "SSLv3x_DH_anon_WITH_AES_256_CBC_SHA", - - [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", - [TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA] = - "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_NULL_SHA] = - "TLS_ECDH_ECDSA_WITH_NULL_SHA", - [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - [TLS_ECDH_ECDSA_WITH_DES_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5] = - "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5", - [TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = - "TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5", - [TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA] = - "TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA", - [TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = - 
"TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", - [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA] = - "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA", - [TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = - "TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA", - [TLS_CK_DHE_DSS_WITH_RC4_128_SHA] = - "TLS_CK_DHE_DSS_WITH_RC4_128_SHA", - [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", - [TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA] = - "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", - [TLS_PSK_WITH_RC4_128_SHA] = - "TLS_PSK_WITH_RC4_128_SHA", - [TLS_PSK_WITH_3DES_EDE_CBC_SHA] = - "TLS_PSK_WITH_3DES_EDE_CBC_SHA", - [TLS_PSK_WITH_AES_128_CBC_SHA] = - "TLS_PSK_WITH_AES_128_CBC_SHA", - [TLS_PSK_WITH_AES_256_CBC_SHA] = - "TLS_PSK_WITH_AES_256_CBC_SHA", - [TLS_DHE_PSK_WITH_RC4_128_SHA] = - "TLS_DHE_PSK_WITH_RC4_128_SHA", - [TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = - "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", - [TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = - "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", - [TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = - "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", - [TLS_RSA_PSK_WITH_RC4_128_SHA] = - "TLS_RSA_PSK_WITH_RC4_128_SHA", - [TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = - "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", - [TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = - "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", - [TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = - "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", - [TLS_RSA_WITH_SEED_CBC_SHA] = - "TLS_RSA_WITH_SEED_CBC_SHA", - [TLS_DH_DSS_WITH_SEED_CBC_SHA] = - "TLS_DH_DSS_WITH_SEED_CBC_SHA", - [TLS_DH_RSA_WITH_SEED_CBC_SHA] = - "TLS_DH_RSA_WITH_SEED_CBC_SHA", - [TLS_DHE_DSS_WITH_SEED_CBC_SHA] = - "TLS_DHE_DSS_WITH_SEED_CBC_SHA", - [TLS_DHE_RSA_WITH_SEED_CBC_SHA] = - 
"TLS_DHE_RSA_WITH_SEED_CBC_SHA", - [TLS_DH_anon_WITH_SEED_CBC_SHA] = - "TLS_DH_anon_WITH_SEED_CBC_SHA" + # --- TLS --- + [TLS_NULL_WITH_NULL_NULL] = "TLS_NULL_WITH_NULL_NULL", + [TLS_RSA_WITH_NULL_MD5] = "TLS_RSA_WITH_NULL_MD5", + [TLS_RSA_WITH_NULL_SHA] = "TLS_RSA_WITH_NULL_SHA", + [TLS_RSA_EXPORT_WITH_RC4_40_MD5] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5", + [TLS_RSA_WITH_RC4_128_MD5] = "TLS_RSA_WITH_RC4_128_MD5", + [TLS_RSA_WITH_RC4_128_SHA] = "TLS_RSA_WITH_RC4_128_SHA", + [TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", + [TLS_RSA_WITH_IDEA_CBC_SHA] = "TLS_RSA_WITH_IDEA_CBC_SHA", + [TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", + [TLS_RSA_WITH_DES_CBC_SHA] = "TLS_RSA_WITH_DES_CBC_SHA", + [TLS_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DH_DSS_WITH_DES_CBC_SHA] = "TLS_DH_DSS_WITH_DES_CBC_SHA", + [TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA", + [TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DH_RSA_WITH_DES_CBC_SHA] = "TLS_DH_RSA_WITH_DES_CBC_SHA", + [TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DHE_DSS_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_WITH_DES_CBC_SHA", + [TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", + [TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DHE_RSA_WITH_DES_CBC_SHA] = "TLS_DHE_RSA_WITH_DES_CBC_SHA", + [TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5] = "TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5", + [TLS_DH_ANON_WITH_RC4_128_MD5] = "TLS_DH_ANON_WITH_RC4_128_MD5", + [TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA] = "TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA", + [TLS_DH_ANON_WITH_DES_CBC_SHA] = 
"TLS_DH_ANON_WITH_DES_CBC_SHA",
+ [TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA",
+ [SSL_FORTEZZA_KEA_WITH_NULL_SHA] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA",
+ [SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
+ [TLS_KRB5_WITH_DES_CBC_SHA] = "TLS_KRB5_WITH_DES_CBC_SHA",
+ [TLS_KRB5_WITH_3DES_EDE_CBC_SHA] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
+ [TLS_KRB5_WITH_RC4_128_SHA] = "TLS_KRB5_WITH_RC4_128_SHA",
+ [TLS_KRB5_WITH_IDEA_CBC_SHA] = "TLS_KRB5_WITH_IDEA_CBC_SHA",
+ [TLS_KRB5_WITH_DES_CBC_MD5] = "TLS_KRB5_WITH_DES_CBC_MD5",
+ [TLS_KRB5_WITH_3DES_EDE_CBC_MD5] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
+ [TLS_KRB5_WITH_RC4_128_MD5] = "TLS_KRB5_WITH_RC4_128_MD5",
+ [TLS_KRB5_WITH_IDEA_CBC_MD5] = "TLS_KRB5_WITH_IDEA_CBC_MD5",
+ [TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+ [TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+ [TLS_KRB5_EXPORT_WITH_RC4_40_SHA] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
+ [TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+ [TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+ [TLS_KRB5_EXPORT_WITH_RC4_40_MD5] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
+ [TLS_RSA_WITH_AES_128_CBC_SHA] = "TLS_RSA_WITH_AES_128_CBC_SHA",
+ [TLS_DH_DSS_WITH_AES_128_CBC_SHA] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
+ [TLS_DH_RSA_WITH_AES_128_CBC_SHA] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
+ [TLS_DHE_DSS_WITH_AES_128_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+ [TLS_DHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+ [TLS_DH_ANON_WITH_AES_128_CBC_SHA] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA",
+ [TLS_RSA_WITH_AES_256_CBC_SHA] = "TLS_RSA_WITH_AES_256_CBC_SHA",
+ [TLS_DH_DSS_WITH_AES_256_CBC_SHA] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
+ [TLS_DH_RSA_WITH_AES_256_CBC_SHA] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
+ [TLS_DHE_DSS_WITH_AES_256_CBC_SHA] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+ [TLS_DHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+ [TLS_DH_ANON_WITH_AES_256_CBC_SHA] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA",
+ [TLS_RSA_WITH_NULL_SHA256] = "TLS_RSA_WITH_NULL_SHA256",
+ [TLS_RSA_WITH_AES_128_CBC_SHA256] = "TLS_RSA_WITH_AES_128_CBC_SHA256",
+ [TLS_RSA_WITH_AES_256_CBC_SHA256] = "TLS_RSA_WITH_AES_256_CBC_SHA256",
+ [TLS_DH_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
+ [TLS_DH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
+ [TLS_DHE_DSS_WITH_AES_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+ [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+ [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+ [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+ [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+ [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+ [TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA",
+ [TLS_RSA_EXPORT1024_WITH_RC4_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
+ [TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
+ [TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
+ [TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
+ [TLS_RSA_EXPORT1024_WITH_RC4_56_SHA] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
+ [TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
+ [TLS_DHE_DSS_WITH_RC4_128_SHA] = "TLS_DHE_DSS_WITH_RC4_128_SHA",
+ [TLS_DHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ [TLS_DH_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
+ [TLS_DH_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
+ [TLS_DHE_DSS_WITH_AES_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+ [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ [TLS_DH_ANON_WITH_AES_128_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256",
+ [TLS_DH_ANON_WITH_AES_256_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256",
+ [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+ [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+ [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+ [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+ [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+ [TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA",
+ [TLS_PSK_WITH_RC4_128_SHA] = "TLS_PSK_WITH_RC4_128_SHA",
+ [TLS_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+ [TLS_PSK_WITH_AES_128_CBC_SHA] = "TLS_PSK_WITH_AES_128_CBC_SHA",
+ [TLS_PSK_WITH_AES_256_CBC_SHA] = "TLS_PSK_WITH_AES_256_CBC_SHA",
+ [TLS_DHE_PSK_WITH_RC4_128_SHA] = "TLS_DHE_PSK_WITH_RC4_128_SHA",
+ [TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+ [TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+ [TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+ [TLS_RSA_PSK_WITH_RC4_128_SHA] = "TLS_RSA_PSK_WITH_RC4_128_SHA",
+ [TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+ [TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+ [TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+ [TLS_RSA_WITH_SEED_CBC_SHA] = "TLS_RSA_WITH_SEED_CBC_SHA",
+ [TLS_DH_DSS_WITH_SEED_CBC_SHA] = "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+ [TLS_DH_RSA_WITH_SEED_CBC_SHA] = "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+ [TLS_DHE_DSS_WITH_SEED_CBC_SHA] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+ [TLS_DHE_RSA_WITH_SEED_CBC_SHA] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+ [TLS_DH_ANON_WITH_SEED_CBC_SHA] = "TLS_DH_ANON_WITH_SEED_CBC_SHA",
+ [TLS_RSA_WITH_AES_128_GCM_SHA256] = "TLS_RSA_WITH_AES_128_GCM_SHA256",
+ [TLS_RSA_WITH_AES_256_GCM_SHA384] = "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ [TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ [TLS_DHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ [TLS_DH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
+ [TLS_DH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
+ [TLS_DHE_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+ [TLS_DHE_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+ [TLS_DH_DSS_WITH_AES_128_GCM_SHA256] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
+ [TLS_DH_DSS_WITH_AES_256_GCM_SHA384] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
+ [TLS_DH_ANON_WITH_AES_128_GCM_SHA256] = "TLS_DH_ANON_WITH_AES_128_GCM_SHA256",
+ [TLS_DH_ANON_WITH_AES_256_GCM_SHA384] = "TLS_DH_ANON_WITH_AES_256_GCM_SHA384",
+ [TLS_PSK_WITH_AES_128_GCM_SHA256] = "TLS_PSK_WITH_AES_128_GCM_SHA256",
+ [TLS_PSK_WITH_AES_256_GCM_SHA384] = "TLS_PSK_WITH_AES_256_GCM_SHA384",
+ [TLS_DHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",
+ [TLS_DHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",
+ [TLS_RSA_PSK_WITH_AES_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
+ [TLS_RSA_PSK_WITH_AES_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
+ [TLS_PSK_WITH_AES_128_CBC_SHA256] = "TLS_PSK_WITH_AES_128_CBC_SHA256",
+ [TLS_PSK_WITH_AES_256_CBC_SHA384] = "TLS_PSK_WITH_AES_256_CBC_SHA384",
+ [TLS_PSK_WITH_NULL_SHA256] = "TLS_PSK_WITH_NULL_SHA256",
+ [TLS_PSK_WITH_NULL_SHA384] = "TLS_PSK_WITH_NULL_SHA384",
+ [TLS_DHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
+ [TLS_DHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
+ [TLS_DHE_PSK_WITH_NULL_SHA256] = "TLS_DHE_PSK_WITH_NULL_SHA256",
+ [TLS_DHE_PSK_WITH_NULL_SHA384] = "TLS_DHE_PSK_WITH_NULL_SHA384",
+ 
[TLS_RSA_PSK_WITH_AES_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", + [TLS_RSA_PSK_WITH_AES_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", + [TLS_RSA_PSK_WITH_NULL_SHA256] = "TLS_RSA_PSK_WITH_NULL_SHA256", + [TLS_RSA_PSK_WITH_NULL_SHA384] = "TLS_RSA_PSK_WITH_NULL_SHA384", + [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256", + [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256", + [TLS_ECDH_ECDSA_WITH_NULL_SHA] = "TLS_ECDH_ECDSA_WITH_NULL_SHA", + [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", + [TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_ECDSA_WITH_NULL_SHA] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA", + [TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + [TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + 
[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + [TLS_ECDH_RSA_WITH_NULL_SHA] = "TLS_ECDH_RSA_WITH_NULL_SHA", + [TLS_ECDH_RSA_WITH_RC4_128_SHA] = "TLS_ECDH_RSA_WITH_RC4_128_SHA", + [TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDH_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + [TLS_ECDH_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_RSA_WITH_NULL_SHA] = "TLS_ECDHE_RSA_WITH_NULL_SHA", + [TLS_ECDHE_RSA_WITH_RC4_128_SHA] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + [TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + [TLS_ECDH_ANON_WITH_NULL_SHA] = "TLS_ECDH_ANON_WITH_NULL_SHA", + [TLS_ECDH_ANON_WITH_RC4_128_SHA] = "TLS_ECDH_ANON_WITH_RC4_128_SHA", + [TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDH_ANON_WITH_AES_128_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_128_CBC_SHA", + [TLS_ECDH_ANON_WITH_AES_256_CBC_SHA] = "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA", + [TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", + [TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", + [TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", + [TLS_SRP_SHA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", + [TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", + [TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", + [TLS_SRP_SHA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", + [TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", + [TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA] = 
"TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + [TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + [TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + [TLS_ECDHE_PSK_WITH_RC4_128_SHA] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA", + [TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", + [TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", + [TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", + [TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", + [TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", + [TLS_ECDHE_PSK_WITH_NULL_SHA] = "TLS_ECDHE_PSK_WITH_NULL_SHA", + [TLS_ECDHE_PSK_WITH_NULL_SHA256] = 
"TLS_ECDHE_PSK_WITH_NULL_SHA256", + [TLS_ECDHE_PSK_WITH_NULL_SHA384] = "TLS_ECDHE_PSK_WITH_NULL_SHA384", + [SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA", + [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", + [SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2", + [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2", }; 
@@ -385,101 +471,218 @@ const ssl_cipher_desc: table[count] of string = { const ssl_cipherset_EXPORT: set[count] = { SSLv20_CK_RC4_128_EXPORT40_WITH_MD5, SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5, - SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5, - SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5 + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_RC4_40_SHA, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_KRB5_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, }; # --- this set holds all DES ciphers const ssl_cipherset_DES: set[count] = { SSLv20_CK_DES_64_CBC_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_DSS_WITH_DES_CBC_SHA, - SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_RSA_WITH_DES_CBC_SHA, - 
SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_DSS_WITH_DES_CBC_SHA, - SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_anon_WITH_DES_CBC_SHA, - SSLv3x_KRB5_WITH_DES_CBC_SHA, - SSLv3x_KRB5_WITH_DES_CBC_MD5, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5 + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_DSS_WITH_DES_CBC_SHA, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_RSA_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_KRB5_WITH_DES_CBC_SHA, + TLS_KRB5_WITH_DES_CBC_MD5, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + SSL_RSA_FIPS_WITH_DES_CBC_SHA, + SSL_RSA_FIPS_WITH_DES_CBC_SHA_2, }; # --- this set holds all 3DES ciphers const ssl_cipherset_3DES: set[count] = { SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5, - SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA, - SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA, - SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA, - SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5 + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_KRB5_WITH_3DES_EDE_CBC_SHA, + TLS_KRB5_WITH_3DES_EDE_CBC_MD5, + TLS_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + 
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA, + TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2, }; # --- this set holds all RC2 ciphers const ssl_cipherset_RC2: set[count] = { SSLv20_CK_RC2_128_CBC_WITH_MD5, SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, }; # --- this set holds all RC4 ciphers const ssl_cipherset_RC4: set[count] = { SSLv20_CK_RC4_128_WITH_MD5, SSLv20_CK_RC4_128_EXPORT40_WITH_MD5, - SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5, - SSLv3x_RSA_WITH_RC4_128_MD5, - SSLv3x_RSA_WITH_RC4_128_SHA, - SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5, - SSLv3x_DH_anon_WITH_RC4_128_MD5, - SSLv3x_KRB5_WITH_RC4_128_SHA, - SSLv3x_KRB5_WITH_RC4_128_MD5, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA, - SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5 + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_WITH_RC4_128_MD5, + TLS_RSA_WITH_RC4_128_SHA, + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_KRB5_WITH_RC4_128_SHA, + TLS_KRB5_WITH_RC4_128_MD5, + TLS_KRB5_EXPORT_WITH_RC4_40_SHA, + TLS_KRB5_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + TLS_DHE_DSS_WITH_RC4_128_SHA, + TLS_PSK_WITH_RC4_128_SHA, + TLS_DHE_PSK_WITH_RC4_128_SHA, + TLS_RSA_PSK_WITH_RC4_128_SHA, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDH_RSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDH_ANON_WITH_RC4_128_SHA, + TLS_ECDHE_PSK_WITH_RC4_128_SHA, }; # --- this set holds all IDEA ciphers const 
ssl_cipherset_IDEA: set[count] = { SSLv20_CK_IDEA_128_CBC_WITH_MD5, - SSLv3x_RSA_WITH_IDEA_CBC_SHA, - SSLv3x_KRB5_WITH_IDEA_CBC_SHA, - SSLv3x_KRB5_WITH_IDEA_CBC_MD5 + TLS_RSA_WITH_IDEA_CBC_SHA, + TLS_KRB5_WITH_IDEA_CBC_SHA, + TLS_KRB5_WITH_IDEA_CBC_MD5 }; # --- this set holds all AES ciphers const ssl_cipherset_AES: set[count] = { - SSLv3x_RSA_WITH_AES_128_CBC_SHA, - SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA, - SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA, - SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA, - SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA, - SSLv3x_DH_anon_WITH_AES_128_CBC_SHA, - SSLv3x_RSA_WITH_AES_256_CBC_SHA, - SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA, - SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA, - SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA, - SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA, - SSLv3x_DH_anon_WITH_AES_256_CBC_SHA + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_DH_DSS_WITH_AES_128_CBC_SHA, + TLS_DH_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_DH_DSS_WITH_AES_256_CBC_SHA, + TLS_DH_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DH_ANON_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_DH_DSS_WITH_AES_128_CBC_SHA256, + TLS_DH_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DH_DSS_WITH_AES_256_CBC_SHA256, + TLS_DH_RSA_WITH_AES_256_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256, + TLS_PSK_WITH_AES_128_CBC_SHA, + TLS_PSK_WITH_AES_256_CBC_SHA, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + 
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DH_RSA_WITH_AES_128_GCM_SHA256, + TLS_DH_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DH_DSS_WITH_AES_128_GCM_SHA256, + TLS_DH_DSS_WITH_AES_256_GCM_SHA384, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384, + TLS_PSK_WITH_AES_128_GCM_SHA256, + TLS_PSK_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, + TLS_PSK_WITH_AES_128_CBC_SHA256, + TLS_PSK_WITH_AES_256_CBC_SHA384, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_128_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_256_CBC_SHA, + TLS_SRP_SHA_WITH_AES_128_CBC_SHA, + TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, + TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, + TLS_SRP_SHA_WITH_AES_256_CBC_SHA, + TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, + TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, }; diff --git a/policy/ssl.bro b/policy/ssl.bro index 216abb2d10..6a347a14cc 100644 --- a/policy/ssl.bro +++ b/policy/ssl.bro @@ -85,29 +85,28 @@ const myWeakCiphers: set[count] = { SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSLv20_CK_DES_64_CBC_WITH_MD5, - SSLv3x_NULL_WITH_NULL_NULL, - SSLv3x_RSA_WITH_NULL_MD5, - SSLv3x_RSA_WITH_NULL_SHA, - SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5, - SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5, - SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_RSA_WITH_DES_CBC_SHA, + TLS_NULL_WITH_NULL_NULL, + TLS_RSA_WITH_NULL_MD5, + TLS_RSA_WITH_NULL_SHA, + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_DSS_WITH_DES_CBC_SHA, - SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_RSA_WITH_DES_CBC_SHA, - SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_DSS_WITH_DES_CBC_SHA, - SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_DSS_WITH_DES_CBC_SHA, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_RSA_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, - SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5, - SSLv3x_DH_anon_WITH_RC4_128_MD5, - SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA, - SSLv3x_DH_anon_WITH_DES_CBC_SHA, - SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA, - SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, }; const x509_ignore_errors: set[int] = { 
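Review bot: The cipherset tables in this hunk group suites only by bulk cipher, so the anonymous and NULL-encryption suites this commit adds to ssl_cipher_desc (TLS_ECDH_ANON_*, TLS_DH_ANON_WITH_AES/CAMELLIA/SEED, the TLS_*_WITH_NULL_SHA* PSK/ECDH suites, TLS_RSA_WITH_NULL_SHA256) have no set a policy can test against, even though "no authentication" and "no encryption" are the properties a weak-cipher check cares about most. I would add two sets alongside ssl_cipherset_AES, `ssl_cipherset_NULL` and `ssl_cipherset_ANON`, populated from the same constants the desc table already names, so ssl.bro can test `c$cipher in ssl_cipherset_NULL` rather than maintaining a hand-picked list. The NULL set below is built only from suites visible in this commit; the ANON set would be the TLS_DH_ANON_* and TLS_ECDH_ANON_* constants the same way.
```bro
# --- this set holds all suites with NULL (no) encryption
const ssl_cipherset_NULL: set[count] = {
	TLS_NULL_WITH_NULL_NULL,
	TLS_RSA_WITH_NULL_MD5,
	TLS_RSA_WITH_NULL_SHA,
	TLS_RSA_WITH_NULL_SHA256,
	SSL_FORTEZZA_KEA_WITH_NULL_SHA,
	TLS_PSK_WITH_NULL_SHA256,
	TLS_PSK_WITH_NULL_SHA384,
	TLS_DHE_PSK_WITH_NULL_SHA256,
	TLS_DHE_PSK_WITH_NULL_SHA384,
	TLS_RSA_PSK_WITH_NULL_SHA256,
	TLS_RSA_PSK_WITH_NULL_SHA384,
	TLS_ECDH_ECDSA_WITH_NULL_SHA,
	TLS_ECDHE_ECDSA_WITH_NULL_SHA,
	TLS_ECDH_RSA_WITH_NULL_SHA,
	TLS_ECDHE_RSA_WITH_NULL_SHA,
	TLS_ECDH_ANON_WITH_NULL_SHA,
	TLS_ECDHE_PSK_WITH_NULL_SHA,
	TLS_ECDHE_PSK_WITH_NULL_SHA256,
	TLS_ECDHE_PSK_WITH_NULL_SHA384,
};
```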
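Review bot: The rewrite of myWeakCiphers drops `SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA` without re-adding it under its new name, although `SSL_FORTEZZA_KEA_WITH_NULL_SHA` is still defined and still appears in ssl_cipher_desc in this same commit, so a NULL-encryption suite silently leaves the weak set; unless that was intentional, put `SSL_FORTEZZA_KEA_WITH_NULL_SHA,` back after `TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,`. The same hunk is also the only place the new suites would be classified as weak, and none of them are: the NULL-encryption PSK/ECDH suites, the anonymous ECDH and DH_ANON AES/Camellia/SEED suites, the KRB5 export suites and the 56-bit EXPORT1024 suites all stay outside the set, so a connection negotiating e.g. TLS_ECDH_ANON_WITH_AES_256_CBC_SHA or TLS_RSA_WITH_NULL_SHA256 is not reported. A short comment above the set stating what "weak" means here (no authentication, no or export-grade encryption, single DES) would also make later additions easier to review.
```bro
	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
	SSL_FORTEZZA_KEA_WITH_NULL_SHA,
	# unauthenticated suites added with the cipher table update
	TLS_DH_ANON_WITH_AES_128_CBC_SHA,
	TLS_DH_ANON_WITH_AES_256_CBC_SHA,
	TLS_ECDH_ANON_WITH_NULL_SHA,
	TLS_ECDH_ANON_WITH_RC4_128_SHA,
	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
	# no-encryption suites
	TLS_RSA_WITH_NULL_SHA256,
	TLS_ECDH_ECDSA_WITH_NULL_SHA,
	TLS_ECDHE_ECDSA_WITH_NULL_SHA,
	TLS_ECDH_RSA_WITH_NULL_SHA,
	TLS_ECDHE_RSA_WITH_NULL_SHA,
	# 40/56-bit export suites
	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
	TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
};
```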
diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc index 1eaf3898e2..e8972beb21 100644 --- a/src/SSLCiphers.cc +++ b/src/SSLCiphers.cc @@ -389,16 +389,16 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 96, 160 }, - { SSL_FORTEZZA_KEA_WITH_RC4_128_SHA, - SSL_CIPHER_TYPE_STREAM, - SSL_FLAG_SSLv30, - SSL_CIPHER_RC4, - SSL_MAC_SHA, - SSL_KEY_EXCHANGE_FORTEZZA_KEA, - 0, - 128, - 160 - }, + //{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA, + // SSL_CIPHER_TYPE_STREAM, + // SSL_FLAG_SSLv30, + // SSL_CIPHER_RC4, + // SSL_MAC_SHA, + // SSL_KEY_EXCHANGE_FORTEZZA_KEA, + // 0, + // 128, + // 160 + //}, // --- special SSLv3 FIPS ciphers { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, 
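Review bot: The SSL_FORTEZZA_KEA_WITH_RC4_128_SHA entry is left in the table as a commented-out block with no explanation, and nothing tells the next maintainer why it went away or that it must not come back; the header hunk later in this patch shows the reason, 0x001E is now TLS_KRB5_WITH_DES_CBC_SHA from RFC 2712, and the FORTEZZA enumerator itself is commented out there too. I would delete the dead block and leave a one-line comment in its place, `// SSL_FORTEZZA_KEA_WITH_RC4_128_SHA (0x001E) dropped: the code point is TLS_KRB5_WITH_DES_CBC_SHA in RFC 2712`, so the collision is documented where someone would try to restore the entry. Note also that this entry was the one RC4 row in view that used SSL_CIPHER_TYPE_STREAM; the new RC4 rows added further down in this patch use SSL_CIPHER_TYPE_BLOCK, which looks inconsistent with it. The SSL_CipherSpecs array starts and ends outside this hunk.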
@@ -591,7 +591,439 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 0, 256, 160 - } + }, + { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_RSA, + 0, + 128, + 160 + }, + { TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_DSS, + 0, + 128, + 160 + }, + { TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_RSA, + 0, + 128, + 160 + }, + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_DSS, + 0, + 128, + 160 + }, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_RSA, + 0, + 128, + 160 + }, + { TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_ANON, + 0, + 128, + 160 + }, + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_RSA, + 0, + 256, + 160 + }, + { TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_DSS, + 0, + 256, + 160 + }, + { TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_RSA, + 0, + 256, + 160 + }, + { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_DSS, + 0, + 256, + 160 + }, + { 
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_RSA, + 0, + 256, + 160 + }, + { TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_CAMELLIA, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_ANON, + 0, + 256, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 168, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 256, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 0, + 160 + }, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 168, + 160 + }, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 128, + 160 + }, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 256, + 160 + }, + { TLS_ECDHE_RSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + 
SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 0, + 160 + }, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDHE_RSA, + 0, + 128, + 160 + }, + { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 168, + 160 + }, + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 256, + 160 + }, + { TLS_ECDH_ECDSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 0, + 160 + }, + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ECDSA, + 0, + 128, + 160 + }, + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 168, + 160 + }, + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 128, + 160 + }, + { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 256, + 160 + }, + { TLS_ECDH_RSA_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 0, + 160 + }, + { TLS_ECDH_RSA_WITH_RC4_128_SHA, + 
SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_RSA, + 0, + 128, + 160 + }, + { TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_3DES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 168, + 160 + }, + { TLS_ECDH_anon_WITH_AES_128_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 128, + 160 + }, + { TLS_ECDH_anon_WITH_AES_256_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_AES, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 256, + 160 + }, + { TLS_ECDH_anon_WITH_NULL_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 0, + 160 + }, + { TLS_ECDH_anon_WITH_RC4_128_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_RC4, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_ECDH_ANON, + 0, + 128, + 160 + }, + { TLS_RSA_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_RSA, + 0, + 128, + 160 + }, + { TLS_DH_DSS_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_DSS, + 0, + 128, + 160 + }, + { TLS_DH_RSA_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_RSA, + 0, + 128, + 160 + }, + { TLS_DHE_DSS_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_DSS, + 0, + 128, + 160 + }, + { TLS_DHE_RSA_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DHE_RSA, + 0, + 128, + 160 + }, + { 
TLS_DH_anon_WITH_SEED_CBC_SHA, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_SEED, + SSL_MAC_SHA, + SSL_KEY_EXCHANGE_DH_ANON, + 0, + 128, + 160 + }, + + }; const uint SSL_CipherSpecs_Count = diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h index 389c4d1992..5d13b5b8b6 100644 --- a/src/SSLCiphers.h +++ b/src/SSLCiphers.h @@ -12,14 +12,14 @@ */ enum SSLv2_CipherSpec { // --- standard SSLv2 ciphers - SSL_CK_RC4_128_WITH_MD5 = 0x010080, - SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080, - SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080, - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080, - SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080, - SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040, - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0, - SSL_CK_RC4_64_WITH_MD5 = 0x080080 + SSL_CK_RC4_128_WITH_MD5 = 0x010080, + SSL_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080, + SSL_CK_RC2_128_CBC_WITH_MD5 = 0x030080, + SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080, + SSL_CK_IDEA_128_CBC_WITH_MD5 = 0x050080, + SSL_CK_DES_64_CBC_WITH_MD5 = 0x060040, + SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0, + SSL_CK_RC4_64_WITH_MD5 = 0x080080 }; 
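Review bot: Every new entry is tagged SSL_CIPHER_TYPE_BLOCK, including the five RC4 suites (TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA), whereas the RC4 entry this same patch removes a few hundred lines earlier used `SSL_CIPHER_TYPE_STREAM`; RC4 is a stream cipher, and if the analyzer uses this field to decide how records are laid out (padding, IV), those suites will be parsed wrongly, so each of those rows should read `SSL_CIPHER_TYPE_STREAM,`. The NULL-cipher rows (TLS_ECDHE_*_WITH_NULL_SHA, TLS_ECDH_*_WITH_NULL_SHA) probably should not be BLOCK either; check them against the existing TLS_RSA_WITH_NULL_SHA entry, which is outside this hunk. Separately, the new rows name the anonymous suites `TLS_DH_anon_WITH_…` and `TLS_ECDH_anon_WITH_…` with lowercase "anon", while the header hunk in this patch spells the enumerators `TLS_DH_ANON_…` and the Bro script uses `TLS_ECDH_ANON_…`; unless the header defines the lowercase forms somewhere not shown here, this will not compile, and the names should match the header's uppercase convention. The enclosing SSL_CipherSpecs array begins outside the hunk.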
@@ -28,60 +28,236 @@ enum SSLv2_CipherSpec { */ enum SSL3_1_CipherSpec { // --- standard SSLv3x ciphers - TLS_NULL_WITH_NULL_NULL = 0x0000, - TLS_RSA_WITH_NULL_MD5 = 0x0001, - TLS_RSA_WITH_NULL_SHA = 0x0002, - TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, - TLS_RSA_WITH_RC4_128_MD5 = 0x0004, - TLS_RSA_WITH_RC4_128_SHA = 0x0005, - TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, - TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007, - TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, - TLS_RSA_WITH_DES_CBC_SHA = 0x0009, - TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, - TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, - TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C, - TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, - TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, - TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F, - TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, - TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, - TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, - TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, - TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, - TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017, - TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018, - TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019, - TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A, - TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B, - // --- special SSLv3 ciphers - SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C, - SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D, - SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E, - // --- special SSLv3 FIPS ciphers - SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE, - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0XFEFF, - // --- new 56 bit export ciphers - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062, - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064, - TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063, - TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065, - TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066, + TLS_NULL_WITH_NULL_NULL = 0x0000, + TLS_RSA_WITH_NULL_MD5 = 0x0001, + TLS_RSA_WITH_NULL_SHA = 0x0002, + 
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003, + TLS_RSA_WITH_RC4_128_MD5 = 0x0004, + TLS_RSA_WITH_RC4_128_SHA = 0x0005, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006, + TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008, + TLS_RSA_WITH_DES_CBC_SHA = 0x0009, + TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A, + TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B, + TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C, + TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D, + TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E, + TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F, + TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010, + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011, + TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014, + TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016, + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017, + TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019, + TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B, + // --- special SSLv3 ciphers + SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C, + SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D, + //SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E, + // -- RFC 2712 (ciphers not fully described in SSLCiphers.cc) + TLS_KRB5_WITH_DES_CBC_SHA = 0x001E, + TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F, + TLS_KRB5_WITH_RC4_128_SHA = 0x0020, + TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021, + TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022, + TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023, + TLS_KRB5_WITH_RC4_128_MD5 = 0x0024, + TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027, + TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028, + TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029, + TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A, + TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B, + // --- new AES ciphers - TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, - 
TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, - TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, - TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, - TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, - TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034, - TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, - TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, - TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, - TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, - TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, - TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A + TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F, + TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030, + TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033, + TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034, + TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035, + TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036, + TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039, + TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A, + TLS_RSA_WITH_NULL_SHA256 = 0x003B, + TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C, + TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D, + TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E, + TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040, + // -- RFC 4132 + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041, + TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042, + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046, + // -- Non-RFC. 
Widely deployed implementation (ciphers not fully described in SSLCiphers.cc) + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065, + TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066, + // -- RFC 5246 (ciphers not fully described in SSLCiphers.cc) + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067, + TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068, + TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D, + // -- RFC 5932 + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084, + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085, + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089, + // -- RFC 4279 (ciphers not fully described in SSLCiphers.cc) + TLS_PSK_WITH_RC4_128_SHA = 0x008A, + TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B, + TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C, + TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D, + TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091, + TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092, + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095, + // -- RFC 4162 + TLS_RSA_WITH_SEED_CBC_SHA = 0x0096, + TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097, + TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098, + TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099, + TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A, + TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B, + // -- RFC 5288 (ciphers not 
fully described in SSLCiphers.cc) + TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C, + TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F, + TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0, + TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3, + TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4, + TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7, + // -- RFC 5487 (ciphers not fully described in SSLCiphers.cc) + TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8, + TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB, + TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC, + TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD, + TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE, + TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF, + TLS_PSK_WITH_NULL_SHA256 = 0x00B0, + TLS_PSK_WITH_NULL_SHA384 = 0x00B1, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3, + TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4, + TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7, + TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8, + TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9, + // -- RFC 5932 (ciphers not fully described in SSLCiphers.cc) + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA, + TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB, + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0, + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1, + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2, + 
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5, + // -- RFC 4492 + TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002, + TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003, + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005, + TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A, + TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B, + TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C, + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F, + TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010, + TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014, + TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015, + TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016, + TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017, + TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018, + TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019, + // -- RFC 5054 (ciphers not fully described in SSLCiphers.cc) + TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A, + TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B, + TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C, + TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D, + TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E, + TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F, + TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020, + TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021, + TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022, + // -- RFC 5289 (ciphers not fully described in SSLCiphers.cc) + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024, + 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029, + TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C, + TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D, + TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030, + TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031, + TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032, + // -- RFC 5489 (ciphers not fully described in SSLCiphers.cc) + TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038, + TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039, + TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A, + TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B, + // --- special SSLv3 FIPS ciphers + SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF, + SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFe0, }; enum SSL_CipherType { @@ -99,7 +275,9 @@ enum SSL_BulkCipherAlgorithm { SSL_CIPHER_DES40, SSL_CIPHER_FORTEZZA, SSL_CIPHER_IDEA, - SSL_CIPHER_AES + SSL_CIPHER_AES, + SSL_CIPHER_CAMELLIA, + SSL_CIPHER_SEED, }; enum SSL_MACAlgorithm { 
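Review bot: The anonymous suites are declared here with upper-case `ANON` (`TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017`, `TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B`), but the table entries this commit adds to SSLCiphers.cc spell them `TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA` and `TLS_DH_anon_WITH_SEED_CBC_SHA`; unless a lowercase alias is declared outside this hunk, those table entries name undeclared identifiers, and renaming them to the `ANON` form already used by the pre-existing `TLS_DH_ANON_*` enumerators is the smaller fix. Re-using `0x001E` for `TLS_KRB5_WITH_DES_CBC_SHA` by commenting out the Fortezza RC4 enumerator is correct (RFC 2712 took that value), but it deserves a comment so nobody restores it and produces two enumerators with one value: `// 0x001E: superseded by TLS_KRB5_WITH_DES_CBC_SHA (RFC 2712); keep disabled.` Every group marked "not fully described in SSLCiphers.cc" (KRB5, PSK, SRP, GCM and SHA-256 suites) gains a name here but, as far as this commit shows, no entry in the `SSL_CipherSpecs` table, so policy that reads key-exchange or key-size attributes through that table will presumably still see them as unknown — worth stating in the enum's header comment. Finally, the trailing comma after `0xFFe0,` is an extension the original enum avoided, and `0xFFe0` should be `0xFFE0` like every other value.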
@@ -126,7 +304,13 @@ enum SSL_KeyExchangeAlgorithm {
 SSL_KEY_EXCHANGE_FORTEZZA_KEA,
 // --- new 56 bit export ciphers
 SSL_KEY_EXCHANGE_RSA_EXPORT1024,
- SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024
+ SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
+ // -- Elliptic Curve key change algorithms (rfc4492)
+ SSL_KEY_EXCHANGE_ECDH_ECDSA,
+ SSL_KEY_EXCHANGE_ECDHE_ECDSA,
+ SSL_KEY_EXCHANGE_ECDH_RSA,
+ SSL_KEY_EXCHANGE_ECDHE_RSA,
+ SSL_KEY_EXCHANGE_ECDH_ANON,
 };
 #if 0
From 5edf0eb75d2af64602f29b4e99e64c172c2892ea Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 26 Oct 2010 16:41:57 -0400
Subject: [PATCH 02/71] Modification from rmkml to support SSL extensions.
---
 src/SSLv3.cc | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/SSLv3.cc b/src/SSLv3.cc
index 4d89f27ad8..d4b558ba79 100644
--- a/src/SSLv3.cc
+++ b/src/SSLv3.cc
@@ -941,9 +941,9 @@ TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length,
 if ( length > ssl_max_cipherspec_size )
 {
 if ( is_orig )
- Weird("SSLv2: Client has CipherSpecs > ssl_max_cipherspec_size");
+ Weird("SSLv3: Client has CipherSpecs > ssl_max_cipherspec_size");
 else
- Weird("SSLv2: Server has CipherSpecs > ssl_max_cipherspec_size");
+ Weird("SSLv3: Server has CipherSpecs > ssl_max_cipherspec_size");
 }
 const u_char* pCipher = data;
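Review bot: The comment on the new enumerators reads `// -- Elliptic Curve key change algorithms (rfc4492)`; it should say `key exchange` (and `RFC 4492`) to match the `SSL_KEY_EXCHANGE_*` names it introduces. The list now ends with a trailing comma after `SSL_KEY_EXCHANGE_ECDH_ANON,`, which the enum did not have before and which older compilers flag under -pedantic. Since this enum is what the cipher table uses to classify a suite's key exchange, it would help to note that the KRB5, PSK and SRP suites named in `SSL3_1_CipherSpec` have no value here yet and so cannot be classified until one is added.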
@@ -1357,8 +1357,16 @@ int SSLv3_HandshakeRecord::checkClientHello()
 if ( sessionIDLength + cipherSuiteLength + compressionMethodLength + 38 != length )
 {
- endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
- return 0;
+ uint16 sslExtensionsLength =
+ uint16(data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 1 ] << 8 ) | data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 2 ];
+ if ( sslExtensionsLength < 4 )
+ endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
+ if ( sessionIDLength + cipherSuiteLength +
+ compressionMethodLength + 2 + sslExtensionsLength + 38 != length )
+ {
+ endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
+ return 0;
+ }
 }
 return 1;
@@ -1384,7 +1392,7 @@ int SSLv3_HandshakeRecord::checkServerHello()
 return 0;
 }
- if ( (sessionIDLength + 38) != length )
+ if ( (sessionIDLength + 45) != length )
 {
 endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
 return 0;
From a598bdb5556a9f2038a52a473c53a7429d8b2491 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 9 Dec 2010 15:23:54 -0500
Subject: [PATCH 03/71] Fixed the problem with do_split function which caused it to bail 1 separator early.
---
 src/strings.bif | 75 +++++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 43 deletions(-)
diff --git a/src/strings.bif b/src/strings.bif
index 44b0c57eb6..2820726e30 100644
--- a/src/strings.bif
+++ b/src/strings.bif
@@ -198,7 +198,6 @@ static int match_prefix(int s_len, const char* s, int t_len, const char* t)
 Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 int incl_sep, int max_num_sep)
 {
- const BroString* str = str_val->AsString();
 TableVal* a = new TableVal(internal_type("string_array")->AsTableType());
 ListVal* other_strings = 0;
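Review bot: The two extension-length bytes are read from `data[... + 1]` and `data[... + 2]` before anything checks that `length` covers them, so a ClientHello whose `length` is shorter than the fixed fields plus two bytes (trivial to craft, and hellos are attacker-controlled input to the analyzer) reads past the validated region before the corrupted-length branch can reject it; the old code rejected every mismatch without touching those bytes. Guard the read first and reject short hellos the same way the mismatch is rejected, as below. Separately, an extensions length below 4 only raises a Weird and the hello is still accepted if the total-length equation holds, so a zero-length extensions block passes — if that is deliberate, a comment should say so. checkClientHello begins outside the hunk, so how `data` and `length` are bounded above this point is not visible here.
```cpp
	int fixed_len = sessionIDLength + cipherSuiteLength + compressionMethodLength + 38;
	if ( fixed_len != length )
		{
		// Two more bytes (the extensions length) must be present before we read them.
		if ( length < fixed_len + 2 )
			{
			endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
			return 0;
			}
		// … unchanged: read sslExtensionsLength, sanity check, total-length comparison …
		}
```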
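Review bot: `sessionIDLength + 45` hard-codes a ServerHello carrying exactly seven bytes after the compression method (presumably a 2-byte extensions length plus one 5-byte extension such as an empty renegotiation_info), so a plain ServerHello with the `sessionIDLength + 38` layout the old check accepted is now reported as `Corrupt length fields in Server hello!` and makes checkServerHello return 0, and a server sending any other extension set is rejected the same way. Parse the optional extensions block as the ClientHello side does — accept the 38-byte layout, otherwise require two more bytes, read the extensions length and compare the total — as sketched below; the offsets mirror the ClientHello code, so confirm `data` points at the handshake header here as well. The rest of checkServerHello is outside the hunk.
```cpp
	if ( sessionIDLength + 38 != length )
		{
		// Optional extensions block: 2-byte length followed by that many bytes.
		if ( length < sessionIDLength + 40 )
			{
			endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
			return 0;
			}
		uint16 extLen = uint16(data[41 + sessionIDLength + 1] << 8) | data[41 + sessionIDLength + 2];
		if ( sessionIDLength + 38 + 2 + extLen != length )
			{
			endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
			return 0;
			}
		}
```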
@@ -209,66 +208,56 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 // the future we expect to change this by giving RE_Matcher a
 // const char* segment.
- const char* s = str->CheckString();
- int len = strlen(s);
- const char* end_of_s = s + len;
+ const u_char* s = str_val->Bytes();
+ int n = str_val->Len();
+ const u_char* end_of_s = s + n;
 int num = 0;
 int num_sep = 0;
+
+ int offset = 0;
- while ( 1 )
+ while ( n > 0 )
 {
- int offset = 0;
- const char* t;
-
- if ( max_num_sep > 0 && num_sep >= max_num_sep )
- t = end_of_s;
- else
+ offset = 0;
+ // Find next match offset.
+ int end_of_match;
+ while ( n > 0 &&
+ (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 )
 {
- for ( t = s; t < end_of_s; ++t )
- {
- offset = re->MatchPrefix(t);
-
- if ( other_strings )
- {
- val_list* vl = other_strings->Vals();
- loop_over_list(*vl, i)
- {
- const BroString* sub =
- (*vl)[i]->AsString();
- if ( sub->Len() > offset &&
- match_prefix(end_of_s - t,
- t, sub->Len(),
- (const char*) (sub->Bytes())) )
- {
- offset = sub->Len();
- }
- }
- }
-
- if ( offset > 0 )
- break;
- }
+ printf("character %d\n", offset);
+ // Move on to next character.
+ ++offset;
+ --n;
 }
-
+
 Val* ind = new Val(++num, TYPE_COUNT);
- a->Assign(ind, new StringVal(t - s, s));
+ a->Assign(ind, new StringVal(offset, (const char*) s));
 Unref(ind);
- if ( t >= end_of_s )
+ // No more separators will be needed if this is the end of string.
+ if ( n <= 0 )
 break;
- ++num_sep;
-
 if ( incl_sep )
 {
 // including the part that matches the pattern
 ind = new Val(++num, TYPE_COUNT);
- a->Assign(ind, new StringVal(offset, t));
+ a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset));
 Unref(ind);
 }
-
- s = t + offset;
+
+ if ( max_num_sep && num_sep >= max_num_sep )
+ break;
+
+ ++num_sep;
+
+ offset += end_of_match;
+ n -= end_of_match;
+ s += offset;
+ if ( s > end_of_s )
+ {
 internal_error("RegMatch in split goes beyond the string");
+ }
 }
 if ( other_strings )
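Review bot: When `max_num_sep` is reached the new loop `break`s after storing only the piece up to the next match, so the unconsumed tail is dropped: splitting `"a,b,c"` with `max_num_sep == 1` stores `"a"` and `"b"` and loses `"c"`, whereas the old code set `t = end_of_s` and stored the whole remainder as the last element. The budget check has to come before the search rather than after the assignment, as below, and the later `if ( max_num_sep && num_sep >= max_num_sep ) break;` then goes away. The rewrite also drops the `other_strings` scan, so separators supplied via `other_sep` are no longer matched even though the table is still unpacked above and released in the trailing `if ( other_strings )`; unless they are folded into `re` somewhere outside this hunk, that is a silent behaviour change for callers that pass them. The function's head and tail are outside the hunk.
```cpp
	while ( n > 0 )
		{
		offset = 0;
		int end_of_match = 0;

		if ( max_num_sep > 0 && num_sep >= max_num_sep )
			{
			// Separator budget used up: the remainder is the last piece.
			offset = n;
			n = 0;
			}
		else
			while ( n > 0 &&
				(end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 )
				{
				++offset;
				--n;
				}

		// … unchanged: store the piece (offset bytes at s) …

		if ( n <= 0 )
			break;

		// … unchanged: incl_sep handling, ++num_sep, advance past the match …
		}
```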
From 61c99176ad9e8ca43bf7711ea385f5c97d507b33 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Dec 2010 15:59:08 -0500 Subject: [PATCH 04/71] Readded the other changes to remove CheckString calls from strings.bif. --- src/strings.bif | 107 ++++++++++++++++++++++-------------------------- 1 file changed, 49 insertions(+), 58 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 2820726e30..d3c1ca2e5d 100644 --- a/src/strings.bif +++ b/src/strings.bif 
@@ -138,27 +138,27 @@ function sort_string_array%(a: string_array%): string_array function edit%(arg_s: string, arg_edit_char: string%): string %{ - const char* s = arg_s->AsString()->CheckString(); - const char* edit_s = arg_edit_char->AsString()->CheckString(); - - if ( strlen(edit_s) != 1 ) + if ( arg_edit_char->Len() != 1 ) builtin_run_time("not exactly one edit character", @ARG@[1]); + + const u_char* s = arg_s->Bytes(); + const u_char* edit_s = arg_edit_char->Bytes(); - char edit_c = *edit_s; + u_char edit_c = *edit_s; - int n = strlen(s) + 1; - char* new_s = new char[n]; + int n = arg_s->Len(); + u_char* new_s = new u_char[n+1]; int ind = 0; - for ( ; *s; ++s ) + for ( int i=0; iCheckString(); - int n = strlen(s) + 1; + const u_char* s = str->Bytes(); + int n = str->Len(); char* lower_s = new char[n]; + char* ls = lower_s; - char* ls; - for ( ls = lower_s; *s; ++s ) + for (int i=0; iCheckString(); - int n = strlen(s) + 1; + const u_char* s = str->Bytes(); + int n = str->Len(); char* upper_s = new char[n]; - - char* us; - for ( us = upper_s; *s; ++s ) + char* us = upper_s; + + for (int i=0; iCheckString(); + const u_char* s = str->Bytes(); + int n = str->Len(); - int n = strlen(s) + 1; - char* strip_s = new char[n]; - - if ( n == 1 ) + if ( n == 0 ) // Empty string. 
- return new StringVal(new BroString(1, byte_vec(strip_s), 0)); + return new StringVal(new BroString(s, n, 1)); - while ( isspace(*s) ) - ++s; - - strncpy(strip_s, s, n); - - char* s2 = strip_s; - char* e = &s2[strlen(s2) - 1]; - - while ( e > s2 && isspace(*e) ) + const u_char* sp = s; + // Move a pointer to the end of the string + const u_char* e = &sp[n-1]; + while ( e > sp && isspace(*e) ) --e; - e[1] = '\0'; // safe even if e hasn't changed, due to n = strlen + 1 + // Move the pointer for the beginning of the string + while ( isspace(*sp) ) + ++sp; - return new StringVal(new BroString(1, byte_vec(s2), (e-s2)+1)); + return new StringVal(new BroString(sp, e-sp+1, 1)); %} function string_fill%(len: int, source: string%): string %{ - const char* src = source->CheckString(); - - int sn = strlen(src); + const u_char* src = source->Bytes(); + int n = source->Len(); char* dst = new char[len]; - for ( int i = 0; i < len; i += sn ) - ::memcpy((dst + i), src, min(sn, len - i)); + for ( int i = 0; i < len; i += n ) + ::memcpy((dst + i), src, min(n, len - i)); dst[len - 1] = 0; @@ -639,11 +629,12 @@ function string_fill%(len: int, source: string%): string # function str_shell_escape%(source: string%): string %{ - unsigned j = 0; - const char* src = source->CheckString(); - char* dst = new char[strlen(src) * 2 + 1]; + uint j = 0; + const u_char* src = source->Bytes(); + uint n = source->Len(); + byte_vec dst = new u_char[n * 2 + 1]; - for ( unsigned i = 0; i < strlen(src); ++i ) + for ( uint i = 0; i < n; ++i ) { switch ( src[i] ) { case '`': case '"': case '\\': case '$': @@ -661,7 +652,7 @@ function str_shell_escape%(source: string%): string } dst[j] = '\0'; - return new StringVal(new BroString(1, byte_vec(dst), j)); + return new StringVal(new BroString(1, dst, j)); %} # Returns all occurrences of the given pattern in the given string (an empty From 266acde342227a699e0639c53a04fbf1490f4435 Mon Sep 17 00:00:00 2001 
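Review bot: The rewritten `strip` trims the end first and then advances the start with `while ( isspace(*sp) ) ++sp;` with no bound, so for an all-whitespace input `sp` runs past `e` — and past the end of the buffer unless a NUL happens to follow — and `e-sp+1` goes negative: for `"  "` the code ends with `e == s`, `sp == s + 2` and hands length -1 to `BroString`. Script-level strings routinely come straight from traffic, so this is reachable by a remote peer. Trim from the front with a bound and compute the end against the remaining span, as below. The hunk headers for to_lower/to_upper/strip are garbled in this rendering, so I could not check the `new char[n]` buffers in to_lower/to_upper (no room for a terminator) the same way.
```cpp
	const u_char* sp = s;
	const u_char* e = s + n;	// one past the last byte
	while ( sp < e && isspace(*sp) )
		++sp;
	while ( e > sp && isspace(e[-1]) )
		--e;

	return new StringVal(new BroString(sp, e - sp, 1));
```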
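Review bot: Switching `str_shell_escape` from `strlen(src)` to `source->Len()` means an embedded NUL in `source` is now copied into `dst` unchanged; the escape list shown (`` ` ``, `"`, `\`, `$`) is for a double-quoted shell context, and any consumer that passes the result to a C-string API will stop at that NUL, so the tail of the escaped argument silently disappears. Either drop or escape NUL bytes in the switch, or document the contract above the function: `# Escapes for use inside a double-quoted shell argument; NUL bytes are passed through and will truncate the string if it is later used as a C string.` The switch body is outside the visible hunk lines, so I cannot tell whether a `default` already handles this.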
From: Seth Hall Date: Thu, 9 Dec 2010 16:01:19 -0500 Subject: [PATCH 05/71] Removed an accidental debugging printf. --- src/strings.bif | 1 - 1 file changed, 1 deletion(-) diff --git a/src/strings.bif b/src/strings.bif index d3c1ca2e5d..253709e858 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -224,7 +224,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, while ( n > 0 && (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 ) { - printf("character %d\n", offset); // Move on to next character. ++offset; --n; From b8ab0ebc22fec9e3ed132a1bbcba86ee1d88e940 Mon Sep 17 00:00:00 2001 
From: Gregor Maier Date: Sat, 11 Dec 2010 10:51:37 -0800 Subject: [PATCH 06/71] Remvoing expire timer from http_sessions. The expire timeout for the http_sessions table is unnecessary and it actually breaks http session semantics for long-lived sessions. The connection_state_remove() event can take care of cleaning up unanswered sessions. If a HTTP transfer exceeds the expire timer, then once the expire timer fires we get an "unanswered" HTTP request in http.log and once the reply is done (http_reply_done event), it fails to locate the associated request (because it expired) and thus results in an "unsolicited" HTTP reply being logged (althoug they should be one http session). There was a comment in the expire_function mentioning that without the expire timer some requests don't show up with the test-suite. However, after checking back with Robin, I could not reproduce this behavior. (Actually there's one fewer request in the output without the expire-timer, but this can be explained by the above observation, so this is not an error but the way it should be). This patch results in changes to test-suite output: * Timestamps for unanswered HTTP replies differ for unanswered request in the "short" test. * Medium testcase (note: lines are sorted, they are not in the order):: -902189670.828700 (0 "" [40880 (interrupted)]) -902189670.828700 GET /1998/b142.ps -902189670.828700 start <>:<> <>:80 +902189670.828700 GET /1998/b142.ps (200 "OK" [40880 (interrupted)] <>) --- policy/heavy.http.bro | 3 --- policy/http.bro | 38 ++------------------------------------ 2 files changed, 2 insertions(+), 39 deletions(-) delete mode 100644 policy/heavy.http.bro diff --git a/policy/heavy.http.bro b/policy/heavy.http.bro deleted file mode 100644 index f3be0bf058..0000000000 --- a/policy/heavy.http.bro +++ /dev/null @@ -1,3 +0,0 @@ -# $Id: heavy.http.bro 4723 2007-08-07 18:14:35Z vern $ - -redef http_sessions &write_expire = 5 hrs; 
diff --git a/policy/http.bro b/policy/http.bro
index 90b0aa2daa..a5b13d7637 100644
--- a/policy/http.bro
+++ b/policy/http.bro
@@ -79,18 +79,8 @@ type http_session_info: record {
 const http_log = open_log_file("http") &redef;
-# Called when an HTTP session times out.
-global expire_http_session:
- function(t: table[conn_id] of http_session_info, id: conn_id)
- : interval;
-
-export {
- # Indexed by conn_id.
- # (Exported so that we can define a timeout on it.)
- global http_sessions: table[conn_id] of http_session_info
- &expire_func = expire_http_session
- &read_expire = 15 min;
-}
+# Indexed by conn_id.
+global http_sessions: table[conn_id] of http_session_info;
 global http_session_id = 0;
@@ -202,30 +192,6 @@ event connection_state_remove(c: connection)
 delete http_sessions[c$id];
 }
-function expire_http_session(t: table[conn_id] of http_session_info,
- id: conn_id): interval
- {
- ### FIXME: not really clear that we need this function at all ...
- #
- # One would think that connection_state_remove() already takes care
- # of everything. However, without this expire-handler, some requests
- # don't show up with the test-suite (but haven't reproduced with
- # smaller traces) - Robin.
- local s = http_sessions[id];
- finish_stream(id, s$id, s$request_stream);
- return 0 sec;
- }
-
-# event connection_timeout(c: connection)
-# {
-# if ( ! maintain_http_sessions )
-# {
-# local id = c$id;
-# if ( [id$orig_h, id$resp_h] in http_sessions )
-# delete http_sessions[id$orig_h, id$resp_h];
-# }
-# }
 # event http_stats(c: connection, stats: http_stats_rec)
 # {
From 763a446182934679f5e56146bee26b2e7cad1f3b Mon Sep 17 00:00:00 2001
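Review bot: With `&read_expire` and `&expire_func` gone, an entry in `http_sessions` now lives until `connection_state_remove` deletes it, and nothing else in the visible code bounds the table; if that event is ever not raised for a connection (or a handler deletes the connection's entry earlier), the entry stays for the life of a long-running process. A one-line comment on the declaration would record the invariant the commit relies on and stop the next reader from re-adding a timer: `# Entries are removed only in connection_state_remove(); there is deliberately no expiry timer, since one splits long-lived sessions into an unanswered request plus an unsolicited reply.` The removed expire handler also called `finish_stream()` on the request stream; this hunk does not show whether `connection_state_remove` does the same, so that is worth confirming.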
From: Gregor Maier Date: Mon, 13 Dec 2010 19:11:05 -0800 Subject: [PATCH 07/71] Some small tweaks to the HTTP analyzer From ticket #339 http://tracker.icir.org/bro/ticket/339 : * Fixing a couple of minor issues in the HTTP analyzer, that made the analyzer raise a ProtocolViolation() on strange but seemingly legal HTTP traffic. Well, the traffic might not necessarily be adhering the RFC, but the server has understood it. * Also stops parsing when the message is interrupted to prevent further parsing and ProtocolViolation() generation. * skip_http_entity_data: check return value of FindAnalyzer, since it can be NULL In addition: * http-headers.bro now loads http.bro Testsuite changes: * Added a new weird (empty_http_request). This shows up once in the medium testsuite. * no change when running short testsuite --- policy/http-header.bro | 2 ++ src/HTTP.cc | 45 ++++++++++++++++++++++++++++++++++++++---- src/bro.bif | 13 ++++++++---- 3 files changed, 52 insertions(+), 8 deletions(-) diff --git a/policy/http-header.bro b/policy/http-header.bro index 3d676488ff..259031b024 100644 --- a/policy/http-header.bro +++ b/policy/http-header.bro @@ -2,6 +2,8 @@ # Prints out detailed HTTP headers. +@load http + module HTTP; export { diff --git a/src/HTTP.cc b/src/HTTP.cc index 0cccf75103..85872f7c79 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -16,16 +16,21 @@ const bool DEBUG_http = false; +/* The EXPECT_*_NOTHING states are used to prevent further parsing. Used + * if a message was interrupted. + */ enum { EXPECT_REQUEST_LINE, EXPECT_REQUEST_MESSAGE, EXPECT_REQUEST_TRAILER, + EXPECT_REQUEST_NOTHING, }; enum { EXPECT_REPLY_LINE, EXPECT_REPLY_MESSAGE, EXPECT_REPLY_TRAILER, + EXPECT_REPLY_NOTHING, }; HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body) 
@@ -851,7 +856,20 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) HTTP_Event("crud_trailing_HTTP_request", new_string_val(line, end_of_line)); else - ProtocolViolation("not a http request line"); + { + // We do see HTTP requests with a trailing EOL that's not + // not accounted for by the content-length. This will lead + // to a call to this method with len==0 while we are + // expecting a new request. Since HTTP servers handle + // such request gracefully, we should do so as well. + if (len==0) + Weird("empty_http_request"); + else + { + ProtocolViolation("not a http request line"); + request_state = EXPECT_REQUEST_NOTHING; + } + } } break; @@ -861,6 +879,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) case EXPECT_REQUEST_TRAILER: break; + + case EXPECT_REQUEST_NOTHING: + break; } } else @@ -873,6 +894,8 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) if ( unanswered_requests.empty() ) Weird("unmatched_HTTP_reply"); + else + ProtocolConfirmation(); reply_state = EXPECT_REPLY_MESSAGE; reply_ongoing = 1; @@ -885,7 +908,10 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) len); } else + { ProtocolViolation("not a http reply line"); + reply_state = EXPECT_REPLY_NOTHING; + } break; @@ -895,6 +921,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) case EXPECT_REPLY_TRAILER: break; + + case EXPECT_REPLY_NOTHING: + break; } } } @@ -1042,6 +1071,8 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) // HTTP methods for distributed authoring. "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT", "COPY", "MOVE", "LOCK", "UNLOCK", + // More stuff + "POLL", "REPORT", "SUBSCRIBE", "BMOVE", "SEARCH", 
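Review bot: After `ProtocolViolation("not a http request line")` the new code parks the analyzer in `EXPECT_REQUEST_NOTHING`, and the visible state machine has no transition out of it, so one garbage line at the start of a connection (or one unparseable request inside a keep-alive session) switches off request parsing for everything that follows on that connection — a cheap way for a client to get later requests past the analyzer, and the reply path does the same with `EXPECT_REPLY_NOTHING`. If the DPD framework is expected to remove the analyzer on a violation anyway, say so at the enum: `// Terminal state: after a violation we rely on DPD to disable the analyzer and make no attempt to resync.`; otherwise consider resynchronising on the next empty line or plausible request line instead of going silent. The `len==0` test should also follow the file's `if ( len == 0 )` spacing. DeliverStream starts and ends outside this hunk.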
@@ -1055,7 +1086,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) if ( ! http_methods[i] ) { - // Weird("HTTP_unknown_method"); + //Weird("HTTP_unknown_method"); if ( RequestExpected() ) HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line)); return 0; @@ -1256,7 +1287,10 @@ void HTTP_Analyzer::RequestMade(const int interrupted, const char* msg) num_request_lines = 0; - request_state = EXPECT_REQUEST_LINE; + if (interrupted) + request_state = EXPECT_REQUEST_NOTHING; + else + request_state = EXPECT_REQUEST_LINE; } void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) @@ -1285,7 +1319,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) reply_reason_phrase = 0; } - reply_state = EXPECT_REPLY_LINE; + if (interrupted) + reply_state = EXPECT_REPLY_NOTHING; + else + reply_state = EXPECT_REPLY_LINE; } void HTTP_Analyzer::RequestClash(Val* /* clash_val */) diff --git a/src/bro.bif b/src/bro.bif index 0de77bfc49..af841600c8 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1365,12 +1365,17 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any { Analyzer* ha = c->FindAnalyzer(id); - if ( ha->GetTag() == AnalyzerTag::HTTP ) - static_cast(ha)->SkipEntityData(is_orig); + if (ha) + { + if ( ha->GetTag() == AnalyzerTag::HTTP ) + static_cast(ha)->SkipEntityData(is_orig); + else + run_time("non-HTTP analyzer associated with connection record"); + } else - run_time("non-HTTP analyzer associated with connection record"); - } + run_time("could not find analyzer for skip_http_entity_data"); + } else run_time("no analyzer associated with connection record"); From d8aecb174a0234f702b8fb882dafa70bfc5d2d61 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 15 Dec 2010 11:40:17 -0600 Subject: [PATCH 08/71] Escape commands given to CMake's execute_process --- cmake/cmake_uninstall.cmake.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cmake/cmake_uninstall.cmake.in b/cmake/cmake_uninstall.cmake.in index e801cff1c3..bed4da63d3 100644 --- a/cmake/cmake_uninstall.cmake.in +++ b/cmake/cmake_uninstall.cmake.in @@ -8,7 +8,7 @@ function(uninstall_manifest manifestPath) message(STATUS "Uninstalling: ${fileName}") execute_process( - COMMAND @CMAKE_COMMAND@ -E remove "${fileName}" + COMMAND "@CMAKE_COMMAND@" -E remove "${fileName}" OUTPUT_VARIABLE rm_out RESULT_VARIABLE rm_retval ) From 017367d362117de03f4a1d3031de1840a8c77a7d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 20 Dec 2010 12:01:26 -0800 Subject: [PATCH 09/71] Updating submodules --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aux/binpac b/aux/binpac index 2873ac642e..4e1dad4ee6 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 2873ac642e2780cbbba3c0882423a75ca3350534 +Subproject commit 4e1dad4ee69b85d04af72c0faaff47fddf3240e2 diff --git a/aux/bro-aux b/aux/bro-aux index 0a946b4d66..7b829fbe8d 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 0a946b4d660fda37a868bb01974211df9cd48ac7 +Subproject commit 7b829fbe8d6fa36c33c0c07a8f09cc0d68cd17f1 diff --git a/aux/broccoli b/aux/broccoli index 2a5e0d385e..2bf6c82eed 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 2a5e0d385e392f8b2212da5ab570d4600bbb8aa7 +Subproject commit 2bf6c82eed841d2a8e7104875717296fe50ca126 diff --git a/aux/broctl b/aux/broctl index df922e8a64..801e842c39 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit df922e8a64a631aadb485b5044fe9ae1046d47ca +Subproject commit 801e842c39ae25a93a3e68eb479938056b44a82d From edfdd9d436bc3d054893eb64fe0794a0a1ae3936 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 20 Dec 2010 12:03:58 -0800 Subject: [PATCH 10/71] Updating submodule --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/aux/broctl b/aux/broctl index 801e842c39..a05be1242b 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 801e842c39ae25a93a3e68eb479938056b44a82d +Subproject commit a05be1242b4e06dca1bb1a38ed871e7e2d78181b From fa07bcd2331db6c43fe7ccecd8b33a72766e1bb4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 5 Jan 2011 12:05:39 -0600 Subject: [PATCH 11/71] Changes to allow source packaging via CPack - Refactored all packaging related stuff into a single CMake module - Build should no longer fail when optional sources (e.g. broctl) do not exist in the source directory, instead a warning is issued - Additional configure options to change packaging behavior --- CMakeLists.txt | 76 ++------------ cmake/CheckOptionalBuildSources.cmake | 21 ++++ cmake/ConfigurePackaging.cmake | 146 ++++++++++++++++++++++++++ cmake/SetPackageFileName.cmake | 18 ---- cmake/SetPackageGenerators.cmake | 23 ---- cmake/SetPackageVersion.cmake | 27 ----- configure | 13 +++ 7 files changed, 186 insertions(+), 138 deletions(-) create mode 100644 cmake/CheckOptionalBuildSources.cmake create mode 100644 cmake/ConfigurePackaging.cmake delete mode 100644 cmake/SetPackageFileName.cmake delete mode 100644 cmake/SetPackageGenerators.cmake delete mode 100644 cmake/SetPackageVersion.cmake diff --git a/CMakeLists.txt b/CMakeLists.txt index a86e0b7d70..b90eea6727 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -159,81 +159,17 @@ add_subdirectory(policy) #add_subdirectory(scripts) #add_subdirectory(doc) -if (INSTALL_BROCCOLI) - if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/broccoli/CMakeLists.txt) - add_subdirectory(aux/broccoli) - else () - message(FATAL_ERROR "Broccoli selected for installation, " - "but the source code does not exist in " - "${CMAKE_CURRENT_SOURCE_DIR}/aux/broccoli") - endif () -endif () +include(CheckOptionalBuildSources) -if (INSTALL_BROCTL) - if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/broctl/CMakeLists.txt) - add_subdirectory(aux/broctl) - else () - message(FATAL_ERROR "Broctl selected for installation, " - "but the source code does not exist in " - "${CMAKE_CURRENT_SOURCE_DIR}/aux/broctl") - endif () -endif () - -if (INSTALL_AUX_TOOLS) - if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/bro-aux/CMakeLists.txt) - add_subdirectory(aux/bro-aux) - else () - message(FATAL_ERROR "Bro auxilliary tools selected for installation, " - "but the source code does not exist in " - "${CMAKE_CURRENT_SOURCE_DIR}/aux/bro-aux") - endif () -endif () +CheckOptionalBuildSources(aux/broctl Broctl INSTALL_BROCTL) +CheckOptionalBuildSources(aux/bro-aux Bro-Aux INSTALL_AUX_TOOLS) +CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI) ######################################################################## ## Packaging Setup -include(SetPackageVersion) -SetPackageVersion(${VERSION}) -include(SetPackageGenerators) -include(SetPackageFileName) - -set(CPACK_PACKAGE_VENDOR "Lawrence Berkeley National Laboratory") -set(CPACK_PACKAGE_CONTACT "info@bro-ids.org") -set(CPACK_PACKAGE_DESCRIPTION_SUMMARY - "The Bro Network Intrusion Detection System") - -# CPack may enforce file name extensions for certain package generators -configure_file(${CMAKE_CURRENT_SOURCE_DIR}/README - ${CMAKE_CURRENT_BINARY_DIR}/README.txt - COPYONLY) -configure_file(${CMAKE_CURRENT_SOURCE_DIR}/COPYING - ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt - COPYONLY) - -set(CPACK_PACKAGE_DESCRIPTION_FILE 
${CMAKE_CURRENT_BINARY_DIR}/README.txt) -set(CPACK_RESOURCE_FILE_LICENSE ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt) -set(CPACK_RESOURCE_FILE_README ${CMAKE_CURRENT_BINARY_DIR}/README.txt) -set(CPACK_RESOURCE_FILE_WELCOME ${CMAKE_CURRENT_BINARY_DIR}/README.txt) - -if (APPLE) - # /usr prefix is hardcoded for PackageMaker generator, but that - # directory may not be ideal for OS X (it's tricky to remove - # packages installed there). So instead we rely on CMAKE_INSTALL_PREFIX - # and set the following variable to workaround the hardcoded /usr prefix - set(CPACK_PACKAGING_INSTALL_PREFIX "/") - set(CPACK_PACKAGE_DEFAULT_LOCATION ${CMAKE_INSTALL_PREFIX}) -elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - # A prefix of /usr would follow Filesystem Hierarchy Standard. - # For RPM packaging by CPack, /usr should be a default, but - # CMAKE_INSTALL_PREFIX also needs to be set to /usr so that - # the default BROPATH is set right at build time - set(CPACK_RPM_PACKAGE_LICENSE "BSD") -endif () - -# Ignore the build directory -set(CPACK_SOURCE_IGNORE_FILES ${CMAKE_BINARY_DIR} ".git") - -include(CPack) +include(ConfigurePackaging) +ConfigurePackaging(${VERSION}) ######################################################################## ## Build Summary diff --git a/cmake/CheckOptionalBuildSources.cmake b/cmake/CheckOptionalBuildSources.cmake new file mode 100644 index 0000000000..f901d432f6 --- /dev/null +++ b/cmake/CheckOptionalBuildSources.cmake 
@@ -0,0 +1,21 @@
+# A macro that checks whether optional sources exist and if they do, they
+# are added to the build/install process, else a warning is issued
+#
+# _dir: the subdir of the current source dir in which the optional
+# sources are located
+# _packageName: a string that identifies the package
+# _varName: name of the variable indicating whether package is scheduled
+# to be installed
+
+macro(CheckOptionalBuildSources _dir _packageName _varName)
+ if (${_varName})
+ if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${_dir}/CMakeLists.txt)
+ add_subdirectory(${_dir})
+ else ()
+ message(WARNING "${_packageName} source code does not exist in "
+ "${CMAKE_CURRENT_SOURCE_DIR}/${_dir} "
+ "so it will not be built or installed")
+ set(${_varName} false)
+ endif ()
+ endif ()
+endmacro(CheckOptionalBuildSources)
diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake
new file mode 100644
index 0000000000..eaad56dee6
--- /dev/null
+++ b/cmake/ConfigurePackaging.cmake
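Review bot: `set(${_varName} false)` in the new macro defines a normal variable that shadows the cache entry of the same name (the configure script writes INSTALL_BROCTL and friends as BOOL cache entries), so later `if (${_varName})` tests in this directory see false while the cache itself keeps reporting true. That looks deliberate, since a forced cache write would stay false even after the user fetches the missing sources, but nothing says so; a comment above the `set` such as `# shadow the cache entry only, so a later checkout of the sources re-enables the package without clearing the cache` would keep the next reader from "fixing" it with `CACHE ... FORCE`.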
@@ -0,0 +1,146 @@ +# A collection of macros to assist in configuring CMake/Cpack +# source and binary packaging + +# Sets CPack version variables by splitting the first macro argument +# using "." as a delimiter. If the length of the split list is +# greater than 2, all remaining elements are tacked on to the patch +# level version. +macro(SetPackageVersion _version) + string(REPLACE "." " " version_numbers ${_version}) + separate_arguments(version_numbers) + + list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MAJOR) + list(REMOVE_AT version_numbers 0) + list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MINOR) + list(REMOVE_AT version_numbers 0) + list(LENGTH version_numbers version_length) + + while (version_length GREATER 0) + list(GET version_numbers 0 patch_level) + if (CPACK_PACKAGE_VERSION_PATCH) + set(CPACK_PACKAGE_VERSION_PATCH + "${CPACK_PACKAGE_VERSION_PATCH}.${patch_level}") + else () + set(CPACK_PACKAGE_VERSION_PATCH ${patch_level}) + endif () + list(REMOVE_AT version_numbers 0) + list(LENGTH version_numbers version_length) + endwhile () +endmacro(SetPackageVersion) + +# Sets the list of desired package types to be created by the make +# package target. A .tar.gz is only made for source packages, and +# binary pacakage format depends on the operating system: +# +# Darwin - PackageMaker +# Linux - RPM if the platform has rpmbuild installed +# DEB is ommitted because CPack does not give enough +# control over how the package is created and lacks support +# for automatic dependency detection. 
+# +# +# CPACK_GENERATOR is set by this macro +# CPACK_SOURCE_GENERATOR is set by this macro +macro(SetPackageGenerators) + set(CPACK_SOURCE_GENERATOR TGZ) + if (APPLE) + list(APPEND CPACK_GENERATOR PackageMaker) + elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") + find_program(RPMBUILD_EXE rpmbuild) + if (RPMBUILD_EXE) + set(CPACK_GENERATOR ${CPACK_GENERATOR} RPM) + endif () + endif () +endmacro(SetPackageGenerators) + +# Sets CPACK_PACKAGE_FILE_NAME in the following format: +# +# --- +# +# and CPACK_SOURCE_PACKAGE_FILE_NAME as: +# +# - +macro(SetPackageFileName _version) + if (PACKAGE_NAME_PREFIX) + set(CPACK_PACKAGE_FILE_NAME "${PACKAGE_NAME_PREFIX}-${_version}") + set(CPACK_SOURCE_PACKAGE_FILE_NAME "${PACKAGE_NAME_PREFIX}-${_version}") + else () + set(CPACK_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${_version}") + set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${_version}") + endif () + + set(CPACK_PACKAGE_FILE_NAME + "${CPACK_PACKAGE_FILE_NAME}-${CMAKE_SYSTEM_NAME}") + + if (APPLE) + # Only Intel-based Macs are supported. CMAKE_SYSTEM_PROCESSOR may + # return the confusing 'i386' if running a 32-bit kernel, but chances + # are the binary is x86_64 (or more generally 'Intel') compatible. 
+ set(arch "Intel") + else () + set (arch ${CMAKE_SYSTEM_PROCESSOR}) + endif () + + set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}-${arch}") +endmacro(SetPackageFileName) + +# Sets up binary package metadata +macro(SetPackageMetadata) + set(CPACK_PACKAGE_VENDOR "Lawrence Berkeley National Laboratory") + set(CPACK_PACKAGE_CONTACT "info@bro-ids.org") + set(CPACK_PACKAGE_DESCRIPTION_SUMMARY + "The Bro Network Intrusion Detection System") + + # CPack may enforce file name extensions for certain package generators + configure_file(${CMAKE_CURRENT_SOURCE_DIR}/README + ${CMAKE_CURRENT_BINARY_DIR}/README.txt + COPYONLY) + configure_file(${CMAKE_CURRENT_SOURCE_DIR}/COPYING + ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt + COPYONLY) + + set(CPACK_PACKAGE_DESCRIPTION_FILE ${CMAKE_CURRENT_BINARY_DIR}/README.txt) + set(CPACK_RESOURCE_FILE_LICENSE ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt) + set(CPACK_RESOURCE_FILE_README ${CMAKE_CURRENT_BINARY_DIR}/README.txt) + set(CPACK_RESOURCE_FILE_WELCOME ${CMAKE_CURRENT_BINARY_DIR}/README.txt) +endmacro(SetPackageMetadata) + +# Determines the right install location/prefix for binary packages +macro(SetPackageInstallLocation) + if (APPLE) + # /usr prefix is hardcoded for PackageMaker generator, but that + # directory may not be ideal for OS X (it's tricky to remove + # packages installed there). So instead we rely on CMAKE_INSTALL_PREFIX + # and set the following variable to workaround the hardcoded /usr prefix + set(CPACK_PACKAGING_INSTALL_PREFIX "/") + set(CPACK_PACKAGE_DEFAULT_LOCATION ${CMAKE_INSTALL_PREFIX}) + elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") + # A prefix of /usr would follow Filesystem Hierarchy Standard. 
+ # For RPM packaging by CPack, /usr should be a default, but + # CMAKE_INSTALL_PREFIX also needs to be set to /usr so that + # the default BROPATH is set right at build time + set(CPACK_RPM_PACKAGE_LICENSE "BSD") + endif () +endmacro(SetPackageInstallLocation) + +# Main macro to configure all the packaging options +macro(ConfigurePackaging _version) + # If this CMake project is a sub-project of another, we will not + # configure the packaging because CPack will fail in the case that + # the parent project has already configured packaging + if (NOT "${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}") + return() + endif () + + SetPackageVersion(${_version}) + SetPackageGenerators() + SetPackageFileName(${_version}) + SetPackageMetadata() + SetPackageInstallLocation() + + # add default files/directories to ignore for source package + # user may specify others via configure script + list(APPEND CPACK_SOURCE_IGNORE_FILES ${CMAKE_BINARY_DIR} ".git") + + include(CPack) +endmacro(ConfigurePackaging) diff --git a/cmake/SetPackageFileName.cmake b/cmake/SetPackageFileName.cmake deleted file mode 100644 index 759f72ab82..0000000000 --- a/cmake/SetPackageFileName.cmake +++ /dev/null @@ -1,18 +0,0 @@ -# Sets CPACK_PACKAGE_FILE name in the following format: -# -# --- -# -# The version must already be set in the VERSION variable - -set(CPACK_PACKAGE_FILE_NAME "${CMAKE_PROJECT_NAME}-${VERSION}") -set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}-${CMAKE_SYSTEM_NAME}") -if (APPLE) - # Only Intel-based Macs are supported. CMAKE_SYSTEM_PROCESSOR may - # return the confusing 'i386' if running a 32-bit kernel, but chances - # are the binary is x86_64 (or more generally 'Intel') compatible. - set(arch "Intel") -else () - set (arch ${CMAKE_SYSTEM_PROCESSOR}) -endif () - -set(CPACK_PACKAGE_FILE_NAME "${CPACK_PACKAGE_FILE_NAME}-${arch}") diff --git a/cmake/SetPackageGenerators.cmake b/cmake/SetPackageGenerators.cmake deleted file mode 100644 index edd80ee3d6..0000000000 
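Review bot: `return()` inside `ConfigurePackaging` does not merely leave the macro: a macro is expanded in the caller's scope, so when this project is configured as a sub-project the `return()` ends processing of the CMakeLists.txt that invoked it, and everything after the `ConfigurePackaging(${VERSION})` call in the CMakeLists.txt hunk above (the Build Summary section that follows it) is skipped silently. Wrapping the body keeps the intent without that side effect: `if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")` around the `SetPackage*` calls through `include(CPack)`, closed by `endif ()`, with the existing explanatory comment kept. Separately, `SetPackageVersion` appears to fail at configure time for a version string with a single component, because the second `list(GET version_numbers 0 ...)` runs on an empty list after the first `list(REMOVE_AT)`; a comment stating that `_version` must carry at least a major and a minor component, or a length check before that `GET`, would make the precondition explicit.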
--- a/cmake/SetPackageGenerators.cmake +++ /dev/null @@ -1,23 +0,0 @@ -# Sets the list of desired package types to be created by the make -# package target. A .tar.gz is always made, and depending on the -# operating system, more are added: -# -# Darwin - PackageMaker -# Linux - RPM if the platform has rpmbuild installed -# DEB is ommitted because CPack does not give enough -# control over how the package is created and lacks support -# for automatic dependency detection. -# -# -# CPACK_GENERATOR is set by this module - -set(CPACK_GENERATOR TGZ) -set(CPACK_SOURCE_GENERATOR TGZ) -if (APPLE) - list(APPEND CPACK_GENERATOR PackageMaker) -elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - find_program(RPMBUILD_EXE rpmbuild) - if (RPMBUILD_EXE) - set(CPACK_GENERATOR ${CPACK_GENERATOR} RPM) - endif () -endif () diff --git a/cmake/SetPackageVersion.cmake b/cmake/SetPackageVersion.cmake deleted file mode 100644 index 19c9d404e3..0000000000 --- a/cmake/SetPackageVersion.cmake +++ /dev/null @@ -1,27 +0,0 @@ -# Sets CPack version variables by splitting the first macro argument -# using "." as a delimiter. If the length of the split list is -# greater than 2, all remaining elements are tacked on to the patch -# level version. - -macro(SetPackageVersion _version) - string(REPLACE "." " " version_numbers ${_version}) - separate_arguments(version_numbers) - - list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MAJOR) - list(REMOVE_AT version_numbers 0) - list(GET version_numbers 0 CPACK_PACKAGE_VERSION_MINOR) - list(REMOVE_AT version_numbers 0) - list(LENGTH version_numbers version_length) - - while (version_length GREATER 0) - list(GET version_numbers 0 patch_level) - if (CPACK_PACKAGE_VERSION_PATCH) - set(CPACK_PACKAGE_VERSION_PATCH - "${CPACK_PACKAGE_VERSION_PATCH}.${patch_level}") - else () - set(CPACK_PACKAGE_VERSION_PATCH ${patch_level}) - endif () - list(REMOVE_AT version_numbers 0) - list(LENGTH version_numbers version_length) - endwhile () -endmacro(SetPackageVersion) 
diff --git a/configure b/configure index ec66a68e98..bdfb554506 100755 --- a/configure +++ b/configure @@ -44,6 +44,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-geoip=PATH path to the libGeoIP install root --with-perftools=PATH path to Google Perftools install root + Packaging Options (for developers): + --ignore-dirs=PATHS paths to ignore when creating source package + (semicolon delimited and quoted when multiple) + --pkg-name-prefix=NAME use the given name as the package prefix instead + of the default CMake project name + Influential Environment Variables (only on first invocation per build directory): CC C compiler command @@ -79,6 +85,7 @@ append_cache_entry INSTALL_AUX_TOOLS BOOL true append_cache_entry INSTALL_BROCCOLI BOOL true append_cache_entry INSTALL_BROCTL BOOL true append_cache_entry STANDALONE BOOL true +append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING # parse arguments while [ $# -ne 0 ]; do @@ -155,6 +162,12 @@ while [ $# -ne 0 ]; do --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg ;; + --ignore-dirs=*) + append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING $optarg + ;; + --pkg-name-prefix=*) + append_cache_entry PACKAGE_NAME_PREFIX STRING $optarg + ;; *) echo "Invalid option '$1'. Try $0 --help to see available options." exit 1 From b496d63632ebec4aa78b5721bcb52b22d8a54a9e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 6 Jan 2011 16:57:25 -0600 Subject: [PATCH 12/71] Added OS X configures options for SDK & minimum version --- configure | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/configure b/configure index bdfb554506..dce70e6534 100755 --- a/configure +++ b/configure 
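Review bot: The usage text for `--ignore-dirs` describes the value as "paths to ignore", but CPack treats CPACK_SOURCE_IGNORE_FILES as a list of regular expressions matched against every file's path in the source tree, so a value like `build.old` also drops `buildXold` and a bare `docs` drops anything whose path contains that word. Saying so in the help line avoids source tarballs that silently omit files: `--ignore-dirs=PATTERNS regular expressions for paths to omit from the source package`, keeping the existing "(semicolon delimited and quoted when multiple)" continuation. The unconditional `append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING` with an empty value, followed by a second entry from `--ignore-dirs=*`, presumably puts two definitions of the same cache variable on the cmake command line; if append_cache_entry (defined outside the hunk) emits one `-D` per call the later one wins, but that is worth confirming rather than relying on.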
@@ -49,6 +49,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]... (semicolon delimited and quoted when multiple) --pkg-name-prefix=NAME use the given name as the package prefix instead of the default CMake project name + --osx-sysroot=PATH path to the OS X SDK to compile against + --osx-min-version=VER minimum OS X version (the deployment target) Influential Environment Variables (only on first invocation per build directory): @@ -168,6 +170,12 @@ while [ $# -ne 0 ]; do --pkg-name-prefix=*) append_cache_entry PACKAGE_NAME_PREFIX STRING $optarg ;; + --osx-sysroot=*) + append_cache_entry CMAKE_OSX_SYSROOT PATH $optarg + ;; + --osx-min-version=*) + append_cache_entry CMAKE_OSX_DEPLOYMENT_TARGET STRING $optarg + ;; *) echo "Invalid option '$1'. Try $0 --help to see available options." exit 1 From e1ebf81f769c2ce725deff04df71e72c33b54fc7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 6 Jan 2011 16:59:48 -0600 Subject: [PATCH 13/71] Prefer static libraries for some dependencies on OS X This makes binary packaging easier because OS X doesn't ship with all the shared libraries we may link against (libmagic and libGeoIP in this case) --- cmake/FindLibGeoIP.cmake | 10 +++++++++- cmake/FindLibMagic.cmake | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/cmake/FindLibGeoIP.cmake b/cmake/FindLibGeoIP.cmake index ef8529e2e3..618dba6463 100644 --- a/cmake/FindLibGeoIP.cmake +++ b/cmake/FindLibGeoIP.cmake @@ -21,8 +21,16 @@ find_path(LibGeoIP_ROOT_DIR NAMES include/GeoIPCity.h ) +if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin") + # the static version of the library is preferred on OS X for the + # purposes of making packages (libGeoIP doesn't ship w/ OS X) + set(libgeoip_names libGeoIp.a GeoIP) +else () + set(libgeoip_names GeoIP) +endif () + find_library(LibGeoIP_LIBRARY - NAMES GeoIP + NAMES ${libgeoip_names} HINTS ${LibGeoIP_ROOT_DIR}/lib ) diff --git a/cmake/FindLibMagic.cmake b/cmake/FindLibMagic.cmake index e96245e8c0..23cc7efe39 100644 
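Review bot: The static library name on the Darwin branch is spelled `libGeoIp.a` while the shared name next to it is `GeoIP`; the GeoIP C library installs its archive as `libGeoIP.a`, so the static lookup only succeeds on a case-insensitive file system and silently falls back to the dylib on a case-sensitive volume, which defeats the packaging reason the comment gives. `set(libgeoip_names libGeoIP.a GeoIP)` matches the FindLibMagic change that follows (`libmagic.a magic`), where the case is consistent. Since NAMES takes the first hit per search directory, a one-line comment that the archive now wins over the dylib in the same prefix would also make the linkage change visible to whoever packages on OS X.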
--- a/cmake/FindLibMagic.cmake +++ b/cmake/FindLibMagic.cmake @@ -21,8 +21,16 @@ find_path(LibMagic_ROOT_DIR NAMES include/magic.h ) +if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin") + # the static version of the library is preferred on OS X for the + # purposes of making packages (libmagic doesn't ship w/ OS X) + set(libmagic_names libmagic.a magic) +else () + set(libmagic_names magic) +endif () + find_library(LibMagic_LIBRARY - NAMES magic + NAMES ${libmagic_names} HINTS ${LibMagic_ROOT_DIR}/lib ) From 3f6aa735e96fcfd91e8fe187b26b74bf2c82bc9d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 6 Jan 2011 17:06:51 -0600 Subject: [PATCH 14/71] Fix for OS X 10.5 compile error wrt llabs() GCC < 4.1.0 possibly has a problem w/ choosing an llabs() unambigiously from stdlib.h and cstdlib See also http://gcc.gnu.org/bugzilla/show_bug.cgi?id=13943 --- cmake/OSSpecific.cmake | 27 ++++++++++++++++++++++++++- config.h.in | 3 +++ src/Val.cc | 4 ++++ 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/cmake/OSSpecific.cmake b/cmake/OSSpecific.cmake index 03788813c3..b63ce54f6d 100644 --- a/cmake/OSSpecific.cmake +++ b/cmake/OSSpecific.cmake @@ -1,3 +1,6 @@ +include(CheckCSourceCompiles) +include(CheckCXXSourceCompiles) + if (${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD") # alternate malloc is faster for FreeBSD, but needs more testing # need to add way to set this from the command line 
@@ -7,6 +10,28 @@ elseif (${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD") set(USE_NMALLOC true) elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin") + # The following may have a greater scope than just Darwin + # (i.e. any platform w/ GCC < 4.1.0), but I've only seen + # it on OS X 10.5, which has GCC 4.0.1, so the workaround + # will be stuck here for now. + # + # See also http://gcc.gnu.org/bugzilla/show_bug.cgi?id=13943 + + check_cxx_source_compiles(" + #include + #include + using namespace std; + int main() { + llabs(1); + return 0; + } + " darwin_llabs_works) + + if (NOT darwin_llabs_works) + # abs() should be used in this case, the long long version should + # exist in the __gnu_cxx namespace + set(DARWIN_NO_LLABS true) + endif () elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") set(HAVE_LINUX true) @@ -25,7 +50,7 @@ elseif (${CMAKE_SYSTEM_NAME} MATCHES "irix") elseif (${CMAKE_SYSTEM_NAME} MATCHES "ultrix") list(APPEND CMAKE_C_FLAGS -std1 -g3) list(APPEND CMAKE_CXX_FLAGS -std1 -g3) - include(CheckCSourceCompiles) + check_c_source_compiles(" #include int main() { diff --git a/config.h.in b/config.h.in index f1405813fc..46915563a8 100644 --- a/config.h.in +++ b/config.h.in @@ -146,3 +146,6 @@ /* Define u_int8_t */ #define u_int8_t @U_INT8_T@ + +/* Whether llabs will be ambiguous in stdlib.h and cstdlib headers */ +#cmakedefine DARWIN_NO_LLABS diff --git a/src/Val.cc b/src/Val.cc index 9a1ee700ff..f43bafe4d7 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -524,7 +524,11 @@ Val* Val::SizeVal() const { switch ( type->InternalType() ) { case TYPE_INTERNAL_INT: +#ifdef DARWIN_NO_LLABS + return new Val(abs(val.int_val), TYPE_COUNT); +#else return new Val(llabs(val.int_val), TYPE_COUNT); +#endif case TYPE_INTERNAL_UNSIGNED: return new Val(val.uint_val, TYPE_COUNT); From dbca5be43c36b7dcd22a3c9c992bd5bfb6e2bddd Mon Sep 17 00:00:00 2001 
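Review bot: The DARWIN_NO_LLABS fallback calls `abs(val.int_val)`, and the comment in the OSSpecific.cmake hunk above only says the long long overload "should" exist in `__gnu_cxx`; if overload resolution on that toolchain picks `int abs(int)` instead, the value is truncated to 32 bits without a warning and SizeVal() returns a wrong count for large negatives. A plain conditional sidesteps the overload question on every compiler: `return new Val(val.int_val < 0 ? -val.int_val : val.int_val, TYPE_COUNT);`, used in place of both branches so the `#ifdef` disappears. Negating the most negative value overflows either way (llabs has the same undefined behaviour), so if that case matters a comment stating the assumption belongs here. Val::SizeVal() begins and ends outside the hunk.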
From: Robin Sommer Date: Thu, 6 Jan 2011 17:16:10 -0800 Subject: [PATCH 15/71] Applying Seth's patch from #265 adding entropy BiFs. --- policy/bro.init | 8 ++ src/NetVar.cc | 4 + src/NetVar.h | 2 + src/RandTest.cc | 256 ++++++++++++++++++++++++++++++++++++++++++++++++ src/RandTest.h | 68 +++++++++++++ src/bro.bif | 89 ++++++++++++++++- 6 files changed, 423 insertions(+), 4 deletions(-) create mode 100644 src/RandTest.cc create mode 100644 src/RandTest.h diff --git a/policy/bro.init b/policy/bro.init index 1ba8f59b4d..f9742798c4 100644 --- a/policy/bro.init +++ b/policy/bro.init @@ -264,6 +264,14 @@ type geo_location: record { longitude: double; }; +type entropy_test_result: record { + entropy: double; + chi_square: double; + mean: double; + monte_carlo_pi: double; + serial_correlation: double; +}; + # Prototypes of Bro built-in functions. @load strings.bif.bro @load bro.bif.bro diff --git a/src/NetVar.cc b/src/NetVar.cc index 2c817fdc17..0af742ef3e 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -126,6 +126,8 @@ TableType* smb_negotiate; RecordType* geo_location; +RecordType* entropy_test_result; + TableType* dhcp_router_list; RecordType* dhcp_msg; @@ -460,6 +462,8 @@ void init_net_var() geo_location = internal_type("geo_location")->AsRecordType(); + entropy_test_result = internal_type("entropy_test_result")->AsRecordType(); + dhcp_router_list = internal_type("dhcp_router_list")->AsTableType(); dhcp_msg = internal_type("dhcp_msg")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 904bccdb77..7461ec8be0 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -133,6 +133,8 @@ extern TableType* smb_negotiate; extern RecordType* geo_location; +extern RecordType* entropy_test_result; + extern TableType* dhcp_router_list; extern RecordType* dhcp_msg; diff --git a/src/RandTest.cc b/src/RandTest.cc new file mode 100644 index 0000000000..f779a23f94 --- /dev/null +++ b/src/RandTest.cc 
@@ -0,0 +1,256 @@ +/* + + Apply various randomness tests to a stream of bytes + + by John Walker -- September 1996 + http://www.fourmilab.ch/ + + Modified for Bro by Seth Hall - July 2010 +*/ + +#include + +RandTest::RandTest() + { + totalc = 0; + mp = 0; + sccfirst = 1; + inmont = mcount = 0; + cexp = montex = montey = montepi = sccu0 = scclast = scct1 = scct2 = scct3 = 0.0; + + for (int i = 0; i < 256; i++) + { + ccount[i] = 0; + } + } + +void RandTest::add(void *buf, int bufl) + { + unsigned char *bp = (unsigned char*)buf; + int oc; + + while (bufl-- > 0) + { + oc = *bp++; + ccount[oc]++; /* Update counter for this bin */ + totalc++; + + /* Update inside / outside circle counts for Monte Carlo + computation of PI */ + monte[mp++] = oc; /* Save character for Monte Carlo */ + if (mp >= RT_MONTEN) /* Calculate every RT_MONTEN character */ + { + mp = 0; + mcount++; + montex = 0; + montey = 0; + for (int mj=0; mj < RT_MONTEN/2; mj++) + { + montex = (montex * 256.0) + monte[mj]; + montey = (montey * 256.0) + monte[(RT_MONTEN / 2) + mj]; + } + if (montex*montex + montey*montey <= RT_INCIRC) + { + inmont++; + } + } + + /* Update calculation of serial correlation coefficient */ + if (sccfirst) + { + sccfirst = 0; + scclast = 0; + sccu0 = oc; + } + else + { + scct1 = scct1 + scclast * oc; + } + + scct2 = scct2 + oc; + scct3 = scct3 + (oc * oc); + scclast = oc; + oc <<= 1; + } + } + +void RandTest::end(double *r_ent, double *r_chisq, + double *r_mean, double *r_montepicalc, double *r_scc) + { + int i; + double ent, chisq, scc, datasum; + ent = 0.0; chisq = 0.0; scc = 0.0; datasum = 0.0; + double prob[256]; /* Probabilities per bin for entropy */ + + /* Complete calculation of serial correlation coefficient */ + scct1 = scct1 + scclast * sccu0; + scct2 = scct2 * scct2; + scc = totalc * scct3 - scct2; + if (scc == 0.0) + scc = -100000; + else + scc = (totalc * scct1 - scct2) / scc; + + /* Scan bins and calculate probability for each bin and + Chi-Square distribution. 
The probability will be reused + in the entropy calculation below. While we're at it, + we sum of all the data which will be used to compute the + mean. */ + cexp = totalc / 256.0; /* Expected count per bin */ + for (i = 0; i < 256; i++) + { + double a = ccount[i] - cexp; + + prob[i] = ((double) ccount[i]) / totalc; + chisq += (a * a) / cexp; + datasum += ((double) i) * ccount[i]; + } + + /* Calculate entropy */ + for (i = 0; i < 256; i++) + { + if (prob[i] > 0.0) + { + ent += prob[i] * rt_log2(1 / prob[i]); + } + } + + /* Calculate Monte Carlo value for PI from percentage of hits + within the circle */ + montepi = 4.0 * (((double) inmont) / mcount); + + /* Return results through arguments */ + *r_ent = ent; + *r_chisq = chisq; + *r_mean = datasum / totalc; + *r_montepicalc = montepi; + *r_scc = scc; + } +/* + + Apply various randomness tests to a stream of bytes + + by John Walker -- September 1996 + http://www.fourmilab.ch/ + + Modified for Bro by Seth Hall - July 2010 +*/ + +#include + +RandTest::RandTest() + { + totalc = 0; + mp = 0; + sccfirst = 1; + inmont = mcount = 0; + cexp = montex = montey = montepi = sccu0 = scclast = scct1 = scct2 = scct3 = 0.0; + + for (int i = 0; i < 256; i++) + { + ccount[i] = 0; + } + } + +void RandTest::add(void *buf, int bufl) + { + unsigned char *bp = (unsigned char*)buf; + int oc; + + while (bufl-- > 0) + { + oc = *bp++; + ccount[oc]++; /* Update counter for this bin */ + totalc++; + + /* Update inside / outside circle counts for Monte Carlo + computation of PI */ + monte[mp++] = oc; /* Save character for Monte Carlo */ + if (mp >= RT_MONTEN) /* Calculate every RT_MONTEN character */ + { + mp = 0; + mcount++; + montex = 0; + montey = 0; + for (int mj=0; mj < RT_MONTEN/2; mj++) + { + montex = (montex * 256.0) + monte[mj]; + montey = (montey * 256.0) + monte[(RT_MONTEN / 2) + mj]; + } + if (montex*montex + montey*montey <= RT_INCIRC) + { + inmont++; + } + } + + /* Update calculation of serial correlation coefficient */ + if 
(sccfirst) + { + sccfirst = 0; + scclast = 0; + sccu0 = oc; + } + else + { + scct1 = scct1 + scclast * oc; + } + + scct2 = scct2 + oc; + scct3 = scct3 + (oc * oc); + scclast = oc; + oc <<= 1; + } + } + +void RandTest::end(double *r_ent, double *r_chisq, + double *r_mean, double *r_montepicalc, double *r_scc) + { + int i; + double ent, chisq, scc, datasum; + ent = 0.0; chisq = 0.0; scc = 0.0; datasum = 0.0; + double prob[256]; /* Probabilities per bin for entropy */ + + /* Complete calculation of serial correlation coefficient */ + scct1 = scct1 + scclast * sccu0; + scct2 = scct2 * scct2; + scc = totalc * scct3 - scct2; + if (scc == 0.0) + scc = -100000; + else + scc = (totalc * scct1 - scct2) / scc; + + /* Scan bins and calculate probability for each bin and + Chi-Square distribution. The probability will be reused + in the entropy calculation below. While we're at it, + we sum of all the data which will be used to compute the + mean. */ + cexp = totalc / 256.0; /* Expected count per bin */ + for (i = 0; i < 256; i++) + { + double a = ccount[i] - cexp; + + prob[i] = ((double) ccount[i]) / totalc; + chisq += (a * a) / cexp; + datasum += ((double) i) * ccount[i]; + } + + /* Calculate entropy */ + for (i = 0; i < 256; i++) + { + if (prob[i] > 0.0) + { + ent += prob[i] * rt_log2(1 / prob[i]); + } + } + + /* Calculate Monte Carlo value for PI from percentage of hits + within the circle */ + montepi = 4.0 * (((double) inmont) / mcount); + + /* Return results through arguments */ + *r_ent = ent; + *r_chisq = chisq; + *r_mean = datasum / totalc; + *r_montepicalc = montepi; + *r_scc = scc; + } diff --git a/src/RandTest.h b/src/RandTest.h new file mode 100644 index 0000000000..bed4d93f00 --- /dev/null +++ b/src/RandTest.h 
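Review bot: The new src/RandTest.cc contains its whole body twice: after `RandTest::end` returns its results, the file header, `#include`, constructor, `add` and `end` are repeated, so the translation unit defines each member function twice and will not compile; src/RandTest.h in the next hunk duplicates the `RandTest` class the same way. `end()` also divides by `totalc` (for `cexp`, `prob[i]` and `*r_mean`) and by `mcount` (for `montepi`), so a stream with no bytes, or fewer than RT_MONTEN bytes, yields NaN results rather than an error; a guard at the top such as `if ( totalc == 0 || mcount == 0 )` that sets the five outputs to a documented sentinel (the serial-correlation branch already uses `-100000` for its degenerate case) would keep the BiFs from handing NaN to scripts. Because `end()` folds `sccu0` into `scct1` and squares `scct2` in place, calling it twice on the same object gives different numbers, which deserves a comment on the declaration. `oc <<= 1;` at the bottom of the `add` loop is a dead store, since `oc` is reassigned at the top of the next iteration.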
@@ -0,0 +1,68 @@ +#include + +#define log2of10 3.32192809488736234787 +/* RT_LOG2 -- Calculate log to the base 2 */ +static double rt_log2(double x) +{ + return log2of10 * log10(x); +} + +#define RT_MONTEN 6 /* Bytes used as Monte Carlo + co-ordinates. This should be no more + bits than the mantissa of your "double" + floating point type. */ + +// RT_INCIRC = pow(pow(256.0, (double) (RT_MONTEN / 2)) - 1, 2.0); +#define RT_INCIRC 281474943156225.0 + +class RandTest { + public: + RandTest(); + void add(void *buf, int bufl); + void end(double *r_ent, double *r_chisq, double *r_mean, + double *r_montepicalc, double *r_scc); + + private: + long ccount[256]; /* Bins to count occurrences of values */ + long totalc; /* Total bytes counted */ + int mp; + int sccfirst; + unsigned int monte[RT_MONTEN]; + long inmont, mcount; + double cexp, montex, montey, montepi, + sccu0, scclast, scct1, scct2, scct3; + }; +#include + +#define log2of10 3.32192809488736234787 +/* RT_LOG2 -- Calculate log to the base 2 */ +static double rt_log2(double x) +{ + return log2of10 * log10(x); +} + +#define RT_MONTEN 6 /* Bytes used as Monte Carlo + co-ordinates. This should be no more + bits than the mantissa of your "double" + floating point type. */ + +// RT_INCIRC = pow(pow(256.0, (double) (RT_MONTEN / 2)) - 1, 2.0); +#define RT_INCIRC 281474943156225.0 + +class RandTest { + public: + RandTest(); + void add(void *buf, int bufl); + void end(double *r_ent, double *r_chisq, double *r_mean, + double *r_montepicalc, double *r_scc); + + private: + long ccount[256]; /* Bins to count occurrences of values */ + long totalc; /* Total bytes counted */ + int mp; + int sccfirst; + unsigned int monte[RT_MONTEN]; + long inmont, mcount; + double cexp, montex, montey, montepi, + sccu0, scclast, scct1, scct2, scct3; + }; \ No newline at end of file diff --git a/src/bro.bif b/src/bro.bif index 0de77bfc49..a9d76ba462 100644 --- a/src/bro.bif +++ b/src/bro.bif 
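Review bot: src/RandTest.h has no include guard, and it defines `rt_log2` as a `static` function plus the `log2of10`, `RT_MONTEN` and `RT_INCIRC` macros at file scope, so every includer (src/bro.bif pulls it into the generated BiF code) gets its own copy of the function and the unprefixed `log2of10` macro leaks into that translation unit. A `#ifndef randtest_h` / `#define randtest_h` / `#endif` guard is the minimum; `rt_log2` and the constants would sit better in RandTest.cc, where they are used, or as `const` members of the class. As with the .cc file, the header content appears twice in this hunk, which redefines the class within one translation unit.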
@@ -1725,7 +1725,7 @@ function md5_hmac%(...%): string %%{ static map md5_states; -BroString* convert_md5_index_to_string(Val* index) +BroString* convert_index_to_string(Val* index) { ODesc d; index->Describe(&d); @@ -1735,7 +1735,7 @@ BroString* convert_md5_index_to_string(Val* index) function md5_hash_init%(index: any%): bool %{ - BroString* s = convert_md5_index_to_string(index); + BroString* s = convert_index_to_string(index); int status = 0; if ( md5_states.count(*s) < 1 ) @@ -1752,7 +1752,7 @@ function md5_hash_init%(index: any%): bool function md5_hash_update%(index: any, data: string%): bool %{ - BroString* s = convert_md5_index_to_string(index); + BroString* s = convert_index_to_string(index); int status = 0; if ( md5_states.count(*s) > 0 ) @@ -1767,7 +1767,7 @@ function md5_hash_update%(index: any, data: string%): bool function md5_hash_finish%(index: any%): string %{ - BroString* s = convert_md5_index_to_string(index); + BroString* s = convert_index_to_string(index); StringVal* printable_digest; if ( md5_states.count(*s) > 0 ) 
@@ -3196,3 +3196,84 @@ function disable_event_group%(group: string%) : any event_registry->EnableGroup(group->CheckString(), false); return 0; %} + + +%%{ +#include +static map entropy_states; +%%} + +function find_entropy%(data: string%): entropy_test_result + %{ + double montepi, scc, ent, mean, chisq; + montepi = scc = ent = mean = chisq = 0.0; + RecordVal* ent_result = new RecordVal(entropy_test_result); + RandTest *rt = new RandTest(); + + rt->add((char*) data->Bytes(), data->Len()); + rt->end(&ent, &chisq, &mean, &montepi, &scc); + delete rt; + + ent_result->Assign(0, new Val(ent, TYPE_DOUBLE)); + ent_result->Assign(1, new Val(chisq, TYPE_DOUBLE)); + ent_result->Assign(2, new Val(mean, TYPE_DOUBLE)); + ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE)); + ent_result->Assign(4, new Val(scc, TYPE_DOUBLE)); + return ent_result; + %} + +function entropy_test_init%(index: any%): bool + %{ + BroString* s = convert_index_to_string(index); + int status = 0; + + if ( entropy_states.count(*s) < 1 ) + { + entropy_states[*s] = new RandTest(); + status = 1; + } + + delete s; + return new Val(status, TYPE_BOOL); + %} + +function entropy_test_add%(index: any, data: string%): bool + %{ + BroString* s = convert_index_to_string(index); + int status = 0; + + if ( entropy_states.count(*s) > 0 ) + { + entropy_states[*s]->add((char*) data->Bytes(), data->Len()); + status = 1; + } + + delete s; + return new Val(status, TYPE_BOOL); + %} + +function entropy_test_finish%(index: any%): entropy_test_result + %{ + BroString* s = convert_index_to_string(index); + double montepi, scc, ent, mean, chisq; + montepi = scc = ent = mean = chisq = 0.0; + RecordVal* ent_result = new RecordVal(entropy_test_result); + + if ( entropy_states.count(*s) > 0 ) + { + RandTest *rt; + rt = entropy_states[*s]; + rt->end(&ent, &chisq, &mean, &montepi, &scc); + entropy_states.erase(*s); + delete rt; + } + + ent_result->Assign(0, new Val(ent, TYPE_DOUBLE)); + ent_result->Assign(1, new Val(chisq, 
TYPE_DOUBLE)); + ent_result->Assign(2, new Val(mean, TYPE_DOUBLE)); + ent_result->Assign(3, new Val(montepi, TYPE_DOUBLE)); + ent_result->Assign(4, new Val(scc, TYPE_DOUBLE)); + + delete s; + return ent_result; + %} From 6345129eaf6a70519de0d7714cfcecd4e278139a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 6 Jan 2011 19:17:44 -0800 Subject: [PATCH 16/71] A few smaller tweaks. --- src/CMakeLists.txt | 1 + src/RandTest.cc | 160 +++++---------------------------------------- src/RandTest.h | 38 +---------- src/bro.bif | 11 ++-- 4 files changed, 26 insertions(+), 184 deletions(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 81ed0d81af..0f67dc173e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -320,6 +320,7 @@ set(bro_SRCS PrefixTable.cc PriorityQueue.cc Queue.cc + RandTest.cc RE.cc RPC.cc Reassem.cc diff --git a/src/RandTest.cc b/src/RandTest.cc index f779a23f94..638cc6c765 100644 --- a/src/RandTest.cc +++ b/src/RandTest.cc @@ -1,9 +1,13 @@ /* + Apply various randomness tests to a stream of bytes - Apply various randomness tests to a stream of bytes + by John Walker -- September 1996 + http://www.fourmilab.ch/random - by John Walker -- September 1996 - http://www.fourmilab.ch/ + This software is in the public domain. Permission to use, copy, modify, + and distribute this software and its documentation for any purpose and + without fee is hereby granted, without any conditions or restrictions. + This software is provided “as is” without express or implied warranty. Modified for Bro by Seth Hall - July 2010 */ @@ -17,8 +21,8 @@ RandTest::RandTest() sccfirst = 1; inmont = mcount = 0; cexp = montex = montey = montepi = sccu0 = scclast = scct1 = scct2 = scct3 = 0.0; - - for (int i = 0; i < 256; i++) + + for (int i = 0; i < 256; i++) { ccount[i] = 0; } 
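Review bot: `find_entropy` and `entropy_test_finish` call `RandTest::end()` even when no bytes were added; `end()` divides by `totalc` and `mcount` (visible in the RandTest.cc hunk further down this page), so a zero-length string yields NaN in every field of the returned record instead of a defined value or an error. Guard the add/end pair, e.g. `if ( data->Len() > 0 ) { rt->add((char*) data->Bytes(), data->Len()); rt->end(&ent, &chisq, &mean, &montepi, &scc); }`, and document in the BIF comment what an empty input returns. Separately, `entropy_test_init` allocates a `RandTest` per distinct index and only `entropy_test_finish` frees it, so a script that calls init without a matching finish grows the static `entropy_states` map without bound; a comment stating that callers own the finish step, or an upper bound on live states, is worth adding. The `new RandTest()`/`delete rt` pair in `find_entropy` can simply be a local `RandTest rt;`.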
@@ -44,7 +48,7 @@ void RandTest::add(void *buf, int bufl) mcount++; montex = 0; montey = 0; - for (int mj=0; mj < RT_MONTEN/2; mj++) + for (int mj=0; mj < RT_MONTEN/2; mj++) { montex = (montex * 256.0) + monte[mj]; montey = (montey * 256.0) + monte[(RT_MONTEN / 2) + mj]; @@ -61,8 +65,8 @@ void RandTest::add(void *buf, int bufl) sccfirst = 0; scclast = 0; sccu0 = oc; - } - else + } + else { scct1 = scct1 + scclast * oc; } @@ -90,22 +94,22 @@ void RandTest::end(double *r_ent, double *r_chisq, scc = -100000; else scc = (totalc * scct1 - scct2) / scc; - + /* Scan bins and calculate probability for each bin and Chi-Square distribution. The probability will be reused in the entropy calculation below. While we're at it, we sum of all the data which will be used to compute the mean. */ cexp = totalc / 256.0; /* Expected count per bin */ - for (i = 0; i < 256; i++) + for (i = 0; i < 256; i++) { double a = ccount[i] - cexp; - + prob[i] = ((double) ccount[i]) / totalc; chisq += (a * a) / cexp; datasum += ((double) i) * ccount[i]; } - + /* Calculate entropy */ for (i = 0; i < 256; i++) { 
@@ -114,139 +118,11 @@ void RandTest::end(double *r_ent, double *r_chisq, ent += prob[i] * rt_log2(1 / prob[i]); } } - + /* Calculate Monte Carlo value for PI from percentage of hits within the circle */ montepi = 4.0 * (((double) inmont) / mcount); - - /* Return results through arguments */ - *r_ent = ent; - *r_chisq = chisq; - *r_mean = datasum / totalc; - *r_montepicalc = montepi; - *r_scc = scc; - } -/* - - Apply various randomness tests to a stream of bytes - - by John Walker -- September 1996 - http://www.fourmilab.ch/ - - Modified for Bro by Seth Hall - July 2010 -*/ - -#include - -RandTest::RandTest() - { - totalc = 0; - mp = 0; - sccfirst = 1; - inmont = mcount = 0; - cexp = montex = montey = montepi = sccu0 = scclast = scct1 = scct2 = scct3 = 0.0; - - for (int i = 0; i < 256; i++) - { - ccount[i] = 0; - } - } - -void RandTest::add(void *buf, int bufl) - { - unsigned char *bp = (unsigned char*)buf; - int oc; - - while (bufl-- > 0) - { - oc = *bp++; - ccount[oc]++; /* Update counter for this bin */ - totalc++; - - /* Update inside / outside circle counts for Monte Carlo - computation of PI */ - monte[mp++] = oc; /* Save character for Monte Carlo */ - if (mp >= RT_MONTEN) /* Calculate every RT_MONTEN character */ - { - mp = 0; - mcount++; - montex = 0; - montey = 0; - for (int mj=0; mj < RT_MONTEN/2; mj++) - { - montex = (montex * 256.0) + monte[mj]; - montey = (montey * 256.0) + monte[(RT_MONTEN / 2) + mj]; - } - if (montex*montex + montey*montey <= RT_INCIRC) - { - inmont++; - } - } - - /* Update calculation of serial correlation coefficient */ - if (sccfirst) - { - sccfirst = 0; - scclast = 0; - sccu0 = oc; - } - else - { - scct1 = scct1 + scclast * oc; - } - - scct2 = scct2 + oc; - scct3 = scct3 + (oc * oc); - scclast = oc; - oc <<= 1; - } - } - -void RandTest::end(double *r_ent, double *r_chisq, - double *r_mean, double *r_montepicalc, double *r_scc) - { - int i; - double ent, chisq, scc, datasum; - ent = 0.0; chisq = 0.0; scc = 0.0; datasum = 0.0; - 
double prob[256]; /* Probabilities per bin for entropy */ - - /* Complete calculation of serial correlation coefficient */ - scct1 = scct1 + scclast * sccu0; - scct2 = scct2 * scct2; - scc = totalc * scct3 - scct2; - if (scc == 0.0) - scc = -100000; - else - scc = (totalc * scct1 - scct2) / scc; - - /* Scan bins and calculate probability for each bin and - Chi-Square distribution. The probability will be reused - in the entropy calculation below. While we're at it, - we sum of all the data which will be used to compute the - mean. */ - cexp = totalc / 256.0; /* Expected count per bin */ - for (i = 0; i < 256; i++) - { - double a = ccount[i] - cexp; - - prob[i] = ((double) ccount[i]) / totalc; - chisq += (a * a) / cexp; - datasum += ((double) i) * ccount[i]; - } - - /* Calculate entropy */ - for (i = 0; i < 256; i++) - { - if (prob[i] > 0.0) - { - ent += prob[i] * rt_log2(1 / prob[i]); - } - } - - /* Calculate Monte Carlo value for PI from percentage of hits - within the circle */ - montepi = 4.0 * (((double) inmont) / mcount); - + /* Return results through arguments */ *r_ent = ent; *r_chisq = chisq; diff --git a/src/RandTest.h b/src/RandTest.h index bed4d93f00..a4f551b602 100644 --- a/src/RandTest.h +++ b/src/RandTest.h @@ -21,7 +21,7 @@ class RandTest { void add(void *buf, int bufl); void end(double *r_ent, double *r_chisq, double *r_mean, double *r_montepicalc, double *r_scc); - + private: long ccount[256]; /* Bins to count occurrences of values */ long totalc; /* Total bytes counted */ 
@@ -29,40 +29,6 @@ class RandTest { int sccfirst; unsigned int monte[RT_MONTEN]; long inmont, mcount; - double cexp, montex, montey, montepi, + double cexp, montex, montey, montepi, sccu0, scclast, scct1, scct2, scct3; }; -#include - -#define log2of10 3.32192809488736234787 -/* RT_LOG2 -- Calculate log to the base 2 */ -static double rt_log2(double x) -{ - return log2of10 * log10(x); -} - -#define RT_MONTEN 6 /* Bytes used as Monte Carlo - co-ordinates. This should be no more - bits than the mantissa of your "double" - floating point type. */ - -// RT_INCIRC = pow(pow(256.0, (double) (RT_MONTEN / 2)) - 1, 2.0); -#define RT_INCIRC 281474943156225.0 - -class RandTest { - public: - RandTest(); - void add(void *buf, int bufl); - void end(double *r_ent, double *r_chisq, double *r_mean, - double *r_montepicalc, double *r_scc); - - private: - long ccount[256]; /* Bins to count occurrences of values */ - long totalc; /* Total bytes counted */ - int mp; - int sccfirst; - unsigned int monte[RT_MONTEN]; - long inmont, mcount; - double cexp, montex, montey, montepi, - sccu0, scclast, scct1, scct2, scct3; - }; \ No newline at end of file diff --git a/src/bro.bif b/src/bro.bif index a9d76ba462..5acd958316 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -3201,7 +3201,7 @@ function disable_event_group%(group: string%) : any %%{ #include static map entropy_states; -%%} +%%} function find_entropy%(data: string%): entropy_test_result %{ @@ -3241,13 +3241,13 @@ function entropy_test_add%(index: any, data: string%): bool %{ BroString* s = convert_index_to_string(index); int status = 0; - + if ( entropy_states.count(*s) > 0 ) { entropy_states[*s]->add((char*) data->Bytes(), data->Len()); status = 1; } - + delete s; return new Val(status, TYPE_BOOL); %} 
@@ -3258,11 +3258,10 @@ function entropy_test_finish%(index: any%): entropy_test_result double montepi, scc, ent, mean, chisq; montepi = scc = ent = mean = chisq = 0.0; RecordVal* ent_result = new RecordVal(entropy_test_result); - + if ( entropy_states.count(*s) > 0 ) { - RandTest *rt; - rt = entropy_states[*s]; + RandTest *rt = entropy_states[*s]; rt->end(&ent, &chisq, &mean, &montepi, &scc); entropy_states.erase(*s); delete rt; From f5715e7c1481cd2c05b9559242280aea85096467 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 10 Jan 2011 12:58:40 -0600 Subject: [PATCH 17/71] Fix for PackageMaker not accepting non-numeric versions --- cmake/ConfigurePackaging.cmake | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake index eaad56dee6..031731598f 100644 --- a/cmake/ConfigurePackaging.cmake +++ b/cmake/ConfigurePackaging.cmake @@ -26,6 +26,16 @@ macro(SetPackageVersion _version) list(REMOVE_AT version_numbers 0) list(LENGTH version_numbers version_length) endwhile () + + if (APPLE) + # Mac PackageMaker package requires only numbers in the versioning + string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_MAJOR + ${CPACK_PACKAGE_VERSION_MAJOR}) + string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_MINOR + ${CPACK_PACKAGE_VERSION_MINOR}) + string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_PATCH + ${CPACK_PACKAGE_VERSION_PATCH}) + endif () endmacro(SetPackageVersion) # Sets the list of desired package types to be created by the make @@ -43,6 +53,7 @@ endmacro(SetPackageVersion) # CPACK_SOURCE_GENERATOR is set by this macro macro(SetPackageGenerators) set(CPACK_SOURCE_GENERATOR TGZ) + set(CPACK_GENERATOR TGZ) if (APPLE) list(APPEND CPACK_GENERATOR PackageMaker) elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") From f228e32679cb488e2f06d76e6f07d28dffd9b49f Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Mon, 10 Jan 2011 11:59:12 -0800 Subject: [PATCH 18/71] Keep buffering state across file rotation (Justin Azoff) Closes #207. From there: When files are rotated they lose their buffered flag, this is because File::Open only does a SetBuf? when it opens the file itself, but Rotate calls rotate_file to open the file. --- src/File.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/File.cc b/src/File.cc index a57147d923..d2b9381ca0 100644 --- a/src/File.cc +++ b/src/File.cc @@ -195,10 +195,9 @@ bool BroFile::Open(FILE* file) InstallRotateTimer(); if ( ! f ) - { f = fopen(name, access); - SetBuf(buffered); - } + + SetBuf(buffered); if ( f ) { From 06bd8baef635939ed4df8ca5e5d2b9a7ca58b355 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 10 Jan 2011 12:19:13 -0800 Subject: [PATCH 19/71] Fix for portmapper analyzer segfaulting when parsing portmap dump replies. (Gregor Maier) Closes #332. --- src/portmap-analyzer.pac | 4 ++++ src/portmap-protocol.pac | 1 + 2 files changed, 5 insertions(+) diff --git a/src/portmap-analyzer.pac b/src/portmap-analyzer.pac index 546be2e9cc..1e7921a9ff 100644 --- a/src/portmap-analyzer.pac +++ b/src/portmap-analyzer.pac @@ -79,6 +79,10 @@ function PortmapBuildDumpVal(params: PortmapDumpResults): BroVal for ( int i = 0; i < params->size(); ++i ) { + // The last element has cont()!=1 and this element doesn't contain a + // mapping. + if ((*params)[i]->cont() != 1) + continue; Val* m = PortmapBuildMappingVal((*params)[i]->mapping()); Val* index = new Val(i + 1, TYPE_COUNT); mappings->Assign(index, m); diff --git a/src/portmap-protocol.pac b/src/portmap-protocol.pac index d9f3e5be97..65a478fb2d 100644 --- a/src/portmap-protocol.pac +++ b/src/portmap-protocol.pac 
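Review bot: `SetBuf(buffered)` now runs before the `if ( f )` null check, so when `fopen()` fails it is called with `f` still null; whether that dereferences `f` depends on `SetBuf`'s body, which is outside the hunk, but `setvbuf` on a null stream would be undefined behaviour. The rotation fix (calling `SetBuf` for a file handed in by `rotate_file`) is preserved if the call is made the first statement inside the existing `if ( f )` block: `if ( f ) { SetBuf(buffered); ...`. `BroFile::Open` continues beyond the hunk.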
@@ -68,6 +68,7 @@ type PortmapDumpEntry = record { }; }; +# The final element that has cont!=1 will be included in the array. type PortmapDumpResults = PortmapDumpEntry[] &until($element.cont != 1); type PortmapCallItResults = record { From 911230b037923182e04899801db3fbc3f58dbf3d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 11 Jan 2011 15:58:18 -0600 Subject: [PATCH 20/71] Add warning when building and installing are done by different users --- CMakeLists.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index b90eea6727..8f2c07d90c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -212,3 +212,17 @@ message( "\n" "\n================================================================\n" ) + +######################################################################## +## Show warning when installing user is different from the one that configured + +install(CODE " + if (NOT $ENV{USER} STREQUAL \$ENV{USER}) + message(STATUS \"ATTENTION: Install is being performed by user \" + \"'\$ENV{USER}', but the build directory was configured by \" + \"user '$ENV{USER}'. This may result in a permissions error \" + \"when writing the install manifest, but you can ignore it \" + \"and consider the installation as successful if you don't \" + \"care about the install manifest.\") + endif () +") From 5d1f1e9edb5c39219f9f83b5c874e38be915795d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 11 Jan 2011 19:30:31 -0600 Subject: [PATCH 21/71] Fix package configuration macro returning from sub-project too early --- CMakeLists.txt | 9 +++++++-- cmake/ConfigurePackaging.cmake | 7 ------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 8f2c07d90c..92e9df2f8b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
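Review bot: The install-time `if (NOT $ENV{USER} STREQUAL \$ENV{USER})` compares both values unquoted, so if `USER` is unset in either environment (an install run from cron or some sudo configurations) the `if` receives too few arguments and the install step errors out instead of printing the intended warning. Quote both operands: `if (NOT \"$ENV{USER}\" STREQUAL \"\$ENV{USER}\")`. The configure-time value is also pasted into generated CMake code as text, so a `USER` containing a quote or backslash would presumably break the script; a short comment noting that the check is best-effort would set expectations.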
@@ -168,8 +168,13 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI) ######################################################################## ## Packaging Setup -include(ConfigurePackaging) -ConfigurePackaging(${VERSION}) +# If this CMake project is a sub-project of another, we will not +# configure the generic packaging because CPack will fail in the case +# that the parent project has already configured packaging +if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}") + include(ConfigurePackaging) + ConfigurePackaging(${VERSION}) +endif () ######################################################################## ## Build Summary diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake index 031731598f..0bfed76728 100644 --- a/cmake/ConfigurePackaging.cmake +++ b/cmake/ConfigurePackaging.cmake @@ -136,13 +136,6 @@ endmacro(SetPackageInstallLocation) # Main macro to configure all the packaging options macro(ConfigurePackaging _version) - # If this CMake project is a sub-project of another, we will not - # configure the packaging because CPack will fail in the case that - # the parent project has already configured packaging - if (NOT "${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}") - return() - endif () - SetPackageVersion(${_version}) SetPackageGenerators() SetPackageFileName(${_version}) From 793678205720c998caa5ea006650dd04bd64fe12 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 12 Jan 2011 16:26:25 -0600 Subject: [PATCH 22/71] Changes for CPack binary packaging --- cmake/ConfigurePackaging.cmake | 44 ++++++++++++++++++---------------- cmake/MAC_PACKAGE_INTRO | 20 ++++++++++++++++ configure | 4 ++++ 3 files changed, 47 insertions(+), 21 deletions(-) create mode 100644 cmake/MAC_PACKAGE_INTRO diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake index 0bfed76728..97fef9b938 100644 --- a/cmake/ConfigurePackaging.cmake +++ b/cmake/ConfigurePackaging.cmake 
@@ -36,6 +36,19 @@ macro(SetPackageVersion _version) string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_PATCH ${CPACK_PACKAGE_VERSION_PATCH}) endif () + + if (${CMAKE_SYSTEM_NAME} MATCHES "Linux") + # RPM version accepts letters, but not dashes. + string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_MAJOR + ${CPACK_PACKAGE_VERSION_MAJOR}) + string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_MINOR + ${CPACK_PACKAGE_VERSION_MINOR}) + string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_PATCH + ${CPACK_PACKAGE_VERSION_PATCH}) + endif () + + # Minimum supported OS X version + set(CPACK_OSX_PACKAGE_VERSION 10.5) endmacro(SetPackageVersion) # Sets the list of desired package types to be created by the make @@ -53,7 +66,7 @@ endmacro(SetPackageVersion) # CPACK_SOURCE_GENERATOR is set by this macro macro(SetPackageGenerators) set(CPACK_SOURCE_GENERATOR TGZ) - set(CPACK_GENERATOR TGZ) + #set(CPACK_GENERATOR TGZ) if (APPLE) list(APPEND CPACK_GENERATOR PackageMaker) elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") 
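Review bot: `#set(CPACK_GENERATOR TGZ)` in SetPackageGenerators leaves commented-out code in the macro, and the following branches only `list(APPEND ...)` to the variable, so on a platform that is neither APPLE nor Linux `CPACK_GENERATOR` is presumably left undefined. Delete the line rather than commenting it out, and if a TGZ binary package is still wanted as a fallback, keep the `set` in an `else ()` branch of that `if`. The rest of the branch structure is outside the hunk.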
@@ -109,30 +122,17 @@ macro(SetPackageMetadata) configure_file(${CMAKE_CURRENT_SOURCE_DIR}/COPYING ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt COPYONLY) + configure_file(${CMAKE_CURRENT_SOURCE_DIR}/cmake/MAC_PACKAGE_INTRO + ${CMAKE_CURRENT_BINARY_DIR}/MAC_PACKAGE_INTRO.txt) set(CPACK_PACKAGE_DESCRIPTION_FILE ${CMAKE_CURRENT_BINARY_DIR}/README.txt) set(CPACK_RESOURCE_FILE_LICENSE ${CMAKE_CURRENT_BINARY_DIR}/COPYING.txt) set(CPACK_RESOURCE_FILE_README ${CMAKE_CURRENT_BINARY_DIR}/README.txt) - set(CPACK_RESOURCE_FILE_WELCOME ${CMAKE_CURRENT_BINARY_DIR}/README.txt) -endmacro(SetPackageMetadata) + set(CPACK_RESOURCE_FILE_WELCOME + ${CMAKE_CURRENT_BINARY_DIR}/MAC_PACKAGE_INTRO.txt) -# Determines the right install location/prefix for binary packages -macro(SetPackageInstallLocation) - if (APPLE) - # /usr prefix is hardcoded for PackageMaker generator, but that - # directory may not be ideal for OS X (it's tricky to remove - # packages installed there). So instead we rely on CMAKE_INSTALL_PREFIX - # and set the following variable to workaround the hardcoded /usr prefix - set(CPACK_PACKAGING_INSTALL_PREFIX "/") - set(CPACK_PACKAGE_DEFAULT_LOCATION ${CMAKE_INSTALL_PREFIX}) - elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux") - # A prefix of /usr would follow Filesystem Hierarchy Standard. - # For RPM packaging by CPack, /usr should be a default, but - # CMAKE_INSTALL_PREFIX also needs to be set to /usr so that - # the default BROPATH is set right at build time - set(CPACK_RPM_PACKAGE_LICENSE "BSD") - endif () -endmacro(SetPackageInstallLocation) + set(CPACK_RPM_PACKAGE_LICENSE "BSD") +endmacro(SetPackageMetadata) # Main macro to configure all the packaging options macro(ConfigurePackaging _version) 
@@ -140,7 +140,9 @@ macro(ConfigurePackaging _version) SetPackageGenerators() SetPackageFileName(${_version}) SetPackageMetadata() - SetPackageInstallLocation() + + set(CPACK_SET_DESTDIR true) + set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX}) # add default files/directories to ignore for source package # user may specify others via configure script diff --git a/cmake/MAC_PACKAGE_INTRO b/cmake/MAC_PACKAGE_INTRO new file mode 100644 index 0000000000..7838a8b054 --- /dev/null +++ b/cmake/MAC_PACKAGE_INTRO @@ -0,0 +1,20 @@ +This package will install @CMAKE_PROJECT_NAME@ into the following location: + + @CMAKE_INSTALL_PREFIX@ + +You may choose to update your PATH environment variable: + + # For Bash + export PATH=@CMAKE_INSTALL_PREFIX@/bin:$PATH + + # For CSH + setenv PATH @CMAKE_INSTALL_PREFIX@/bin:$PATH + +If you have more than one volume, please choose the install +destination as the one that contains the root filesystem. + +If you have an existing broccoli.conf file that is modified or +otherwise different from the version included in the package, it +will be overwritten and a backup of the existing file placed in: + + @CMAKE_INSTALL_PREFIX@/etc/broccoli.conf. diff --git a/configure b/configure index dce70e6534..86bad6379e 100755 --- a/configure +++ b/configure @@ -45,6 +45,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-perftools=PATH path to Google Perftools install root Packaging Options (for developers): + --enable-package toggles special build logic for binary packaging --ignore-dirs=PATHS paths to ignore when creating source package (semicolon delimited and quoted when multiple) --pkg-name-prefix=NAME use the given name as the package prefix instead @@ -164,6 +165,9 @@ while [ $# -ne 0 ]; do --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg ;; + --enable-package) + append_cache_entry PACKAGING_MODE BOOL true + ;; --ignore-dirs=*) append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING $optarg ;; 
From 8d4f487add74e087599b68d219dcc94895939347 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 13 Jan 2011 21:52:29 -0600 Subject: [PATCH 23/71] Changes to CMake logic for binary packaging - pre/post install scripts now track configuration files that may be clobbered on package install/upgrade through the INSTALLED_CONFIG_FILES CMake variable and attempts to make backups when the distribution's file differs from the existing file. --- CMakeLists.txt | 5 +++ aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- cmake/ConfigurePackaging.cmake | 42 +++++++++++++++++++++++++ cmake/MAC_PACKAGE_INTRO | 12 ++++--- cmake/package_postupgrade.sh.in | 56 +++++++++++++++++++++++++++++++++ cmake/package_preinstall.sh.in | 34 ++++++++++++++++++++ configure | 4 +-- 10 files changed, 151 insertions(+), 10 deletions(-) create mode 100755 cmake/package_postupgrade.sh.in create mode 100755 cmake/package_preinstall.sh.in diff --git a/CMakeLists.txt b/CMakeLists.txt index 92e9df2f8b..783efd685a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -168,6 +168,11 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI) ######################################################################## ## Packaging Setup +if (INSTALL_BROCTL) + # CPack RPM Generator may not automatically detect this + set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0") +endif () + # If this CMake project is a sub-project of another, we will not # configure the generic packaging because CPack will fail in the case # that the parent project has already configured packaging diff --git a/aux/binpac b/aux/binpac index 4e1dad4ee6..eca3047a90 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 4e1dad4ee69b85d04af72c0faaff47fddf3240e2 +Subproject commit eca3047a90e11975df8c1d523c796fe45bc4ea4e diff --git a/aux/bro-aux b/aux/bro-aux index 7b829fbe8d..148ce0f3ab 160000 --- a/aux/bro-aux +++ b/aux/bro-aux 
@@ -1 +1 @@ -Subproject commit 7b829fbe8d6fa36c33c0c07a8f09cc0d68cd17f1 +Subproject commit 148ce0f3abdea5019fa1642d8108b09cc4c8d7a0 diff --git a/aux/broccoli b/aux/broccoli index 2bf6c82eed..b133618869 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 2bf6c82eed841d2a8e7104875717296fe50ca126 +Subproject commit b1336188695fb900ac30c48164fea831c2aae2f4 diff --git a/aux/broctl b/aux/broctl index a05be1242b..a6ebc3ee2f 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit a05be1242b4e06dca1bb1a38ed871e7e2d78181b +Subproject commit a6ebc3ee2fc986a62244e03a3d7c7162aa33838b diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake index 97fef9b938..3cbc7cba0c 100644 --- a/cmake/ConfigurePackaging.cmake +++ b/cmake/ConfigurePackaging.cmake 
@@ -134,12 +134,54 @@ macro(SetPackageMetadata) set(CPACK_RPM_PACKAGE_LICENSE "BSD") endmacro(SetPackageMetadata) +# Sets pre and post install scripts for PackageMaker and RPM packages. +# The main functionality that such scripts offer is a way to make backups +# of "configuration" files that a user may have modified. +# A better way to prevent an RPM from not overwriting config files is +# with the %config(noreplace) .spec attribute, but CPack does not have any +# good hooks into using that yet, so we re-use the pre/post install scripts +# See also: http://public.kitware.com/Bug/view.php?id=10294 +macro(SetPackageInstallScripts) + + # Remove duplicates from the list of installed config files + separate_arguments(INSTALLED_CONFIG_FILES) + list(REMOVE_DUPLICATES INSTALLED_CONFIG_FILES) + # Space delimit the list again + foreach (_file ${INSTALLED_CONFIG_FILES}) + set(_tmp "${_tmp} ${_file}") + endforeach () + set(INSTALLED_CONFIG_FILES "${_tmp}" CACHE STRING "" FORCE) + + if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in) + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in + ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh + @ONLY) + set(CPACK_PREFLIGHT_SCRIPT + ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh) + set(CPACK_RPM_PRE_INSTALL_SCRIPT_FILE + ${CMAKE_CURRENT_BINARY_DIR}/package_preinstall.sh) + endif () + + if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in) + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_postupgrade.sh.in + ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh + @ONLY) + set(CPACK_POSTUPGRADE_SCRIPT + ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh) + set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE + ${CMAKE_CURRENT_BINARY_DIR}/package_postupgrade.sh) + endif () +endmacro(SetPackageInstallScripts) + # Main macro to configure all the packaging options macro(ConfigurePackaging _version) SetPackageVersion(${_version}) SetPackageGenerators() 
SetPackageFileName(${_version}) SetPackageMetadata() + SetPackageInstallScripts() set(CPACK_SET_DESTDIR true) set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX}) diff --git a/cmake/MAC_PACKAGE_INTRO b/cmake/MAC_PACKAGE_INTRO index 7838a8b054..b1fc25891b 100644 --- a/cmake/MAC_PACKAGE_INTRO +++ b/cmake/MAC_PACKAGE_INTRO @@ -13,8 +13,12 @@ You may choose to update your PATH environment variable: If you have more than one volume, please choose the install destination as the one that contains the root filesystem. -If you have an existing broccoli.conf file that is modified or -otherwise different from the version included in the package, it -will be overwritten and a backup of the existing file placed in: +If you have existing configuration files that are modified or +otherwise different from the version included in the package, +this installer will attempt to prevent clobbering them by +backing them up like: - @CMAKE_INSTALL_PREFIX@/etc/broccoli.conf. + @CMAKE_INSTALL_PREFIX@/etc/. + +but its also advisable to make your own backups of important +files before proceeding. diff --git a/cmake/package_postupgrade.sh.in b/cmake/package_postupgrade.sh.in new file mode 100755 index 0000000000..6cae58dc9f --- /dev/null +++ b/cmake/package_postupgrade.sh.in 
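Review bot: In SetPackageInstallScripts `_tmp` is never initialised before the `foreach` that rebuilds `INSTALLED_CONFIG_FILES`; macros do not introduce a variable scope, so a `_tmp` left over from the caller or a previous invocation is prepended to the list and then forced into the cache. Add `set(_tmp "")` before the loop, or replace the loop with `string(REPLACE ";" " " INSTALLED_CONFIG_FILES "${INSTALLED_CONFIG_FILES}")` after the `list(REMOVE_DUPLICATES ...)`. The `"${_tmp} ${_file}"` pattern also leaves a leading space in the value; harmless for the shell loop that consumes it, but worth a comment since the value is written to the cache with FORCE.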
@@ -0,0 +1,56 @@ +#!/bin/sh + +# This script is meant to be used by binary packages post-installation. +# Variables between @ symbols are replaced by CMake at configure time. + +backupDesc="# Backup made by install of @CMAKE_PROJECT_NAME@ version @VERSION@" +backupNamesFile=/tmp/bro_install_backups + +# check whether it's safe to remove backup configuration files that +# the most recent package install created + +if [ -e ${backupNamesFile} ]; then + backupFileList=`cat ${backupNamesFile}` + + for backupFile in ${backupFileList}; do + origFile=`echo ${backupFile} | sed 's/\(.*\)\..*/\1/'` + + diff ${origFile} ${backupFile} > /dev/null 2>&1 + + if [ $? -eq 0 ]; then + # if the installed version and the backup version don't differ + # then we can remove the backup version + rm ${backupFile} + else + # keep the backup, prepend text explaining what created it + tmpfile=/tmp/bro_install_tmp$$ + echo ${backupDesc} > ${tmpfile} + echo "" >> ${tmpfile} + cat ${backupFile} >> ${tmpfile} + cp ${tmpfile} ${backupFile} + rm ${tmpfile} + fi + + done + + rm ${backupNamesFile} +fi + +# make sure that world-writeable dirs have the sticky bit set +# so that unprivileged can't rename/remove files within + +if [ -d /var/opt/bro/spool ]; then + chmod +t /var/opt/bro/spool +fi + +if [ -d /var/opt/bro/spool/tmp ]; then + chmod +t /var/opt/bro/spool/tmp +fi + +if [ -d /var/opt/bro/spool/policy ]; then + chmod +t /var/opt/bro/spool/policy +fi + +if [ -d /var/opt/bro/logs ]; then + chmod +t /var/opt/bro/logs +fi diff --git a/cmake/package_preinstall.sh.in b/cmake/package_preinstall.sh.in new file mode 100755 index 0000000000..790e750f0e --- /dev/null +++ b/cmake/package_preinstall.sh.in 
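Review bot: The backup list `/tmp/bro_install_backups` and `tmpfile=/tmp/bro_install_tmp$$` are fixed or predictable names in a world-writable directory, and this script runs with the package installer's privileges: `cat ${backupFile}`, `cp ${tmpfile} ${backupFile}` and `rm ${backupFile}` act on whatever paths that list contains, so a file or symlink already present under those names before installation steers those operations to paths the installer never chose. Create the scratch file with `mktemp`, keep the backup list in a location only root can write (a maintainer-chosen path under the install prefix, e.g. `@CMAKE_INSTALL_PREFIX@/var/<placeholder>`), and have the pre-install script create it fresh instead of appending; package_preinstall.sh.in in the next hunk uses the same fixed path. Quoting the expansions (`rm "${backupFile}"`) additionally keeps paths with whitespace intact. The `diff ... ; if [ $? -eq 0 ]` pair can be written as `if diff "${origFile}" "${backupFile}" > /dev/null 2>&1; then`.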
@@ -0,0 +1,34 @@ +#!/bin/sh + +# This script is meant to be used by binary packages pre-installation. +# Variables between @ symbols are replaced by CMake at configure time. + +configFiles="@INSTALLED_CONFIG_FILES@" +backupNamesFile=/tmp/bro_install_backups + +# Checks if a config file exists in a default location and makes a backup +# so that a modified version is not clobbered +backupFile () { + origFile="$1" + + if [ -e ${origFile} ]; then + # choose a file suffix that doesn't already exist + ver=1 + while [ -e ${origFile}.${ver} ]; do + ver=$(( ver + 1 )) + done + + backupFile=${origFile}.${ver} + + cp ${origFile} ${backupFile} + + # the post upgrade script will check whether the installed + # config file actually differs from existing version + # and delete unnecessary backups + echo "${backupFile}" >> ${backupNamesFile} + fi +} + +for file in ${configFiles}; do + backupFile "${file}" +done diff --git a/configure b/configure index 86bad6379e..18094abfa1 100755 --- a/configure +++ b/configure @@ -45,7 +45,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-perftools=PATH path to Google Perftools install root Packaging Options (for developers): - --enable-package toggles special build logic for binary packaging + --package toggles special build logic for binary packaging --ignore-dirs=PATHS paths to ignore when creating source package (semicolon delimited and quoted when multiple) --pkg-name-prefix=NAME use the given name as the package prefix instead @@ -165,7 +165,7 @@ while [ $# -ne 0 ]; do --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg ;; - --enable-package) + --package) append_cache_entry PACKAGING_MODE BOOL true ;; --ignore-dirs=*) From 1d8ad8e946c87eb018b76d3ea6627a3c5f27675a Mon Sep 17 00:00:00 2001 
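Review bot: The function `backupFile` assigns a shell variable of the same name (`backupFile=${origFile}.${ver}`); sh keeps function and variable namespaces apart so it works, but it reads like a recursive overwrite — rename the variable, e.g. `newBackup=${origFile}.${ver}` and `cp "${origFile}" "${newBackup}"`. The `-e` tests and `cp` use unquoted expansions, and `for file in ${configFiles}` word-splits the CMake-provided list, so a config path containing whitespace cannot be handled; the header comment should state that INSTALLED_CONFIG_FILES entries must not contain spaces. `backupNamesFile=/tmp/bro_install_backups` is the same fixed, world-writable-directory path that package_postupgrade.sh.in later reads with installer privileges, and appending with `>>` means an existing file's contents are kept.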
From: Jon Siwek Date: Fri, 14 Jan 2011 22:25:10 -0600 Subject: [PATCH 24/71] Changes for packaging - Added 'dist' target to top-level Makefile for doing source packages - Added 'make-*-packages' scripts for generating binary packages - Fixes for the ConfigurePackaging CMake script - No longer fails when package version doesn't include a patch-level - Now considers the case when a package doesn't install any config files and the INSTALLED_CONFIG_FILES var is empty --- INSTALL | 8 +++- Makefile | 49 +++++++++++++++++++++++-- aux/broccoli | 2 +- aux/broctl | 2 +- cmake/ConfigurePackaging.cmake | 34 ++++++++++------- configure | 4 -- make-mac-packages | 67 ++++++++++++++++++++++++++++++++++ make-rpm-packages | 42 +++++++++++++++++++++ 8 files changed, 185 insertions(+), 23 deletions(-) create mode 100755 make-mac-packages create mode 100755 make-rpm-packages diff --git a/INSTALL b/INSTALL index c8e08b3000..7692d27966 100644 --- a/INSTALL +++ b/INSTALL @@ -70,12 +70,18 @@ build/, using default build options. It then installs the Bro binary into /usr/local/bro/bin. Depending on the Bro package you downloaded, there may be auxiliary tools and libraries available in the aux/ directory. If so, they will be installed by default as well -if not explicitly disabled via configure options. +if not explicitly disabled via configure options and may also have +additional installation/configuration instructions that you can +find in their source directories. You can specify a different installation directory with > ./configure --prefix= +Note that "/usr" and "/opt/bro" are standard prefixes for binary +packages to be installed, so those are typically not good choices +unless you are creating such a package. + Run "./configure --help" for more options. Running Bro diff --git a/Makefile b/Makefile index 10f64df310..8bf528dd26 100644 --- a/Makefile +++ b/Makefile 
@@ -6,6 +6,14 @@
 #
 BUILD=build
+BROCCOLI=aux/broccoli
+BROCTL=aux/broctl
+
+# CMake/CPack versions before 2.8.2 have bugs that can create bad packages
+CMAKE_PACK_REQ=2.8.2
+CMAKE_VER=`cmake -version`
+
+OSX_VER_CMD=sw_vers | sed -n 's/ProductVersion://p' | cut -d . -f 2
 all: configured
 ( cd $(BUILD) && make )
@@ -16,13 +24,48 @@ install: configured
 clean: configured
 ( cd $(BUILD) && make clean )
-dist: configured
- ( cd $(BUILD) && make package_source )
+dist: cmake_version
+ # Minimum Bro source package
+ ( \
+ ./configure --ignore-dirs='aux/broctl;aux/broccoli' --pkg-name-prefix=Bro && \
+ cd $(BUILD) && \
+ make package_source \
+ )
+ # Full Bro source package
+ ( \
+ ./configure --pkg-name-prefix=Bro-all && \
+ cd $(BUILD) && \
+ make package_source \
+ )
+ # Broccoli source package
+ ( \
+ cd $(BROCCOLI) && \
+ ./configure && \
+ cd $(BUILD) && \
+ make package_source && \
+ mv Broccoli*.tar.gz ../../../$(BUILD)/ && \
+ cd .. && \
+ rm -r $(BUILD) \
+ )
+ # Broctl source package
+ ( \
+ cd $(BROCTL) && \
+ ./configure && \
+ cd $(BUILD) && \
+ make package_source && \
+ mv Broctl*.tar.gz ../../../$(BUILD)/ && \
+ cd .. && \
+ rm -r $(BUILD) \
+ )
 distclean:
 rm -rf $(BUILD)
-.PHONY : configured
 configured:
 @test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
 @test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 )
+
+cmake_version:
+ @test "$(CMAKE_VER)" \> "cmake version $(CMAKE_PACK_REQ)" || ( echo "Error: please use a CMake version greater than $(CMAKE_PACK_REQ)" && exit 1 )
+
+.PHONY : all install clean distclean configured cmake_version
diff --git a/aux/broccoli b/aux/broccoli
index b133618869..c2769d9cd8 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit b1336188695fb900ac30c48164fea831c2aae2f4
+Subproject commit c2769d9cd826ecaa08431d6af329db75a7d43583
diff --git a/aux/broctl b/aux/broctl
index a6ebc3ee2f..13986eb507 160000
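Review bot: `OSX_VER_CMD` is defined in this hunk but no target visible in the diff references it; if it is unused it should go, and if it is reserved for a later Mac build step a one-line comment saying so would stop the next reader from removing it. `CMAKE_VER=`cmake -version`` is a recursively expanded variable holding a literal backtick string, so the command runs in the shell each time a recipe uses the variable rather than once at parse time; if the Makefile is GNU-make only, `CMAKE_VER := $(shell cmake -version)` evaluates it once, and if portability matters a comment should say why the backtick form was chosen.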
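Review bot: The `cmake_version` target compares the two strings with `test \>`, which is a lexicographic comparison and not a version comparison: `cmake version 2.10.0` sorts before `cmake version 2.8.2` and would be rejected, and because the test is strict, exactly 2.8.2 is rejected too although the comment above `CMAKE_PACK_REQ` says only versions before 2.8.2 are affected. Extracting the version number and comparing major/minor/patch numerically (or via `sort -V` where available) makes the check correct, and the message should then name the minimum accepted version rather than "greater than". `dist` is not listed in the new `.PHONY : all install clean distclean configured cmake_version` line, so a file or directory named `dist` in the source tree would silently satisfy the target; add it to the list.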
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit a6ebc3ee2fc986a62244e03a3d7c7162aa33838b
+Subproject commit 13986eb50729f45834eb050be4a6233c83f9295d
diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake
index 3cbc7cba0c..51f1c04d96 100644
--- a/cmake/ConfigurePackaging.cmake
+++ b/cmake/ConfigurePackaging.cmake
@@ -4,7 +4,9 @@
 # Sets CPack version variables by splitting the first macro argument
 # using "." as a delimiter. If the length of the split list is
 # greater than 2, all remaining elements are tacked on to the patch
-# level version.
+# level version. Not that the version set by the macro is internal
+# to binary packaging, the file name of our package will reflect the
+# exact version number.
 macro(SetPackageVersion _version)
 string(REPLACE "." " " version_numbers ${_version})
 separate_arguments(version_numbers)
@@ -33,8 +35,10 @@ macro(SetPackageVersion _version)
 ${CPACK_PACKAGE_VERSION_MAJOR})
 string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_MINOR
 ${CPACK_PACKAGE_VERSION_MINOR})
- string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_PATCH
- ${CPACK_PACKAGE_VERSION_PATCH})
+ if (CPACK_PACKAGE_VERSION_PATCH)
+ string(REGEX REPLACE "[_a-zA-Z-]" "" CPACK_PACKAGE_VERSION_PATCH
+ ${CPACK_PACKAGE_VERSION_PATCH})
+ endif ()
 endif ()
 if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
@@ -43,8 +47,10 @@ macro(SetPackageVersion _version)
 ${CPACK_PACKAGE_VERSION_MAJOR})
 string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_MINOR
 ${CPACK_PACKAGE_VERSION_MINOR})
- string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_PATCH
- ${CPACK_PACKAGE_VERSION_PATCH})
+ if (CPACK_PACKAGE_VERSION_PATCH)
+ string(REGEX REPLACE "[-]" "" CPACK_PACKAGE_VERSION_PATCH
+ ${CPACK_PACKAGE_VERSION_PATCH})
+ endif ()
 endif ()
 # Minimum supported OS X version
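Review bot: The comment added to the `SetPackageVersion` header reads `# level version. Not that the version set by the macro is internal`; `Note that` is intended, and `the file name of our package will reflect the exact version number` would be clearer as `the package file name still carries the exact version string`.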
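Review bot: `if (CPACK_PACKAGE_VERSION_PATCH)` is CMake's truthiness test, so it is false not only when the patch component is missing but also for values such as `0`, `OFF` or `NO`; that is harmless for the regex strip here because such values contain nothing to remove, but `if (NOT "${CPACK_PACKAGE_VERSION_PATCH}" STREQUAL "")` expresses the intended condition (an absent component) exactly and will not surprise the next reader. The same applies to the Linux branch in the following hunk at `@@ -43,8 +47,10 @@`.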
@@ -143,14 +149,16 @@ endmacro(SetPackageMetadata)
 # See also: http://public.kitware.com/Bug/view.php?id=10294
 macro(SetPackageInstallScripts)
- # Remove duplicates from the list of installed config files
- separate_arguments(INSTALLED_CONFIG_FILES)
- list(REMOVE_DUPLICATES INSTALLED_CONFIG_FILES)
- # Space delimit the list again
- foreach (_file ${INSTALLED_CONFIG_FILES})
- set(_tmp "${_tmp} ${_file}")
- endforeach ()
- set(INSTALLED_CONFIG_FILES "${_tmp}" CACHE STRING "" FORCE)
+ if (INSTALLED_CONFIG_FILES)
+ # Remove duplicates from the list of installed config files
+ separate_arguments(INSTALLED_CONFIG_FILES)
+ list(REMOVE_DUPLICATES INSTALLED_CONFIG_FILES)
+ # Space delimit the list again
+ foreach (_file ${INSTALLED_CONFIG_FILES})
+ set(_tmp "${_tmp} ${_file}")
+ endforeach ()
+ set(INSTALLED_CONFIG_FILES "${_tmp}" CACHE STRING "" FORCE)
+ endif ()
 if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in)
 configure_file(
diff --git a/configure b/configure
index 18094abfa1..dce70e6534 100755
--- a/configure
+++ b/configure
@@ -45,7 +45,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 --with-perftools=PATH path to Google Perftools install root Packaging Options (for developers):
- --package toggles special build logic for binary packaging
 --ignore-dirs=PATHS paths to ignore when creating source package
 (semicolon delimited and quoted when multiple)
 --pkg-name-prefix=NAME use the given name as the package prefix instead
@@ -165,9 +164,6 @@ while [ $# -ne 0 ]; do
 --with-perftools=*)
 append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
 ;;
- --package)
- append_cache_entry PACKAGING_MODE BOOL true
- ;;
 --ignore-dirs=*)
 append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING $optarg
 ;;
diff --git a/make-mac-packages b/make-mac-packages
new file mode 100755
index 0000000000..713d8d3311
--- /dev/null
+++ b/make-mac-packages
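Review bot: `_tmp` is never initialised before the `foreach` that appends to it, and `SetPackageInstallScripts` is a macro, so `_tmp` lives in the caller's scope; if the macro runs more than once in a configure pass, or the caller already has a `_tmp`, earlier entries are carried into `INSTALLED_CONFIG_FILES`, which is then written back to the cache with `FORCE`. Adding `set(_tmp "")` immediately before the loop, or replacing the loop with `string(REPLACE ";" " " _tmp "${INSTALLED_CONFIG_FILES}")`, confines the result to this invocation's files. The value also starts with a space after the first iteration; the shell loop in the preinstall script tolerates that, but a comment on the `set(INSTALLED_CONFIG_FILES ...)` line noting it would save the next reader a question. The macro continues past the hunk with the `configure_file` calls.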
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# This script creates binary packages for Mac OS X.
+# They can be found in build/ after running.
+
+# CMake/CPack versions before 2.8.2 have bugs that can create bad packages
+CMAKE_PACK_REQ=2.8.3
+CMAKE_VER=`cmake -version`
+
+if [ "${CMAKE_VER}" \< "${CMAKE_PACK_REQ}" ]; then
+ echo "Package creation requires CMake > 2.8.2" >&2
+ exit 1
+fi
+
+type sw_vers > /dev/null 2>&1 || {
+ echo "Unable to get Mac OS X version" >&2;
+ exit 1;
+}
+
+# Get the OS X minor version
+# 5 = Leopard, 6 = Snow Leopard, 7 = Lion ...
+osx_ver=`sw_vers | sed -n 's/ProductVersion://p' | cut -d . -f 2`
+
+if [ ${osx_ver} -lt 5 ]; then
+ echo "Packages for OS X < 10.5 are not supported" >&2
+ exit 1
+elif [ ${osx_ver} -eq 5 ]; then
+ # On OS X 10.5, the x86_64 version of libresolv is broken,
+ # so we build for i386 as the easiest solution
+ arch=i386
+else
+ # Currently it's just easiest to build the 10.5 package on
+ # on 10.5, but if it weren't for the libresolv issue, we could
+ # potentially build packages for older OS X version by using the
+ # --osx-sysroot and --osx-min-version options
+ arch=x86_64
+fi
+
+# Minimum Bro
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=/opt/bro \
+ --disable-broccoli --disable-broctl --pkg-name-prefix=Bro
+cd build
+make package
+cd ..
+
+# Full Bro package
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=/opt/bro \
+ --pkg-name-prefix=Bro-all
+cd build
+make package
+cd ..
+
+# Broccoli
+cd aux/broccoli
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=/opt/bro
+cd build
+make package
+mv Broccoli*.dmg ../../../build/
+cd ../../..
+
+# Broctl
+cd aux/broctl
+CMAKE_OSX_ARCHITECTURES=${arch} ./configure --prefix=/opt/bro
+cd build
+make package
+mv Broctl*.dmg ../../../build/
+cd ../../..
diff --git a/make-rpm-packages b/make-rpm-packages
new file mode 100755
index 0000000000..bbd797b8e2
--- /dev/null
+++ b/make-rpm-packages
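Review bot: The guard `if [ "${CMAKE_VER}" \< "${CMAKE_PACK_REQ}" ]` compares the whole output of `cmake -version` (`cmake version 2.8.x`) with the bare string `2.8.3`; because the letter `c` sorts after every digit, the condition is never true, so the check can never fail, and a lexicographic test would in any case misorder `2.10` against `2.8`. Extracting the number first (for example `cmake -version | sed -n 's/^cmake version //p'`) and comparing major/minor/patch numerically makes the guard meaningful; `CMAKE_PACK_REQ=2.8.3` also disagrees with the comment, the error message and the `2.8.2` used in `make-rpm-packages`. The script has no `set -e`, so a failing `./configure` or `make package` does not stop it: the following `cd build` / `cd ../../..` then run relative to whatever directory the failure left, and `mv Broccoli*.dmg ../../../build/` could move a stale artifact from a previous run. The same guard and the same missing `set -e` are in the `make-rpm-packages` hunk at `@@ -0,0 +1,42 @@`.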
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+# This script generates binary RPM packages.
+# They can be found in build/ after running.
+
+# CMake/CPack versions before 2.8.2 have bugs that can create bad packages
+CMAKE_PACK_REQ=2.8.2
+CMAKE_VER=`cmake -version`
+
+if [ "${CMAKE_VER}" \< "${CMAKE_PACK_REQ}" ]; then
+ echo "Package creation requires CMake > 2.8.2" >&2
+ exit 1
+fi
+
+# Minimum Bro
+./configure --prefix=/opt/bro --disable-broccoli --disable-broctl \
+ --pkg-name-prefix=Bro
+cd build
+make package
+cd ..
+
+# Full Bro package
+./configure --prefix=/opt/bro --pkg-name-prefix=Bro-all
+cd build
+make package
+cd ..
+
+# Broccoli
+cd aux/broccoli
+./configure --prefix=/opt/bro
+cd build
+make package
+mv Broccoli*.rpm ../../../build/
+cd ../../..
+
+# Broctl
+cd aux/broctl
+./configure --prefix=/opt/bro
+cd build
+make package
+mv Broctl*.rpm ../../../build/
+cd ../../..
From aa0691ba21f6456a324ccdef2967f35837bf570e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 15 Jan 2011 16:32:56 -0800 Subject: [PATCH 25/71] Updating submodule(s). --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/aux/binpac b/aux/binpac
index eca3047a90..7bbd3b14c0 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit eca3047a90e11975df8c1d523c796fe45bc4ea4e
+Subproject commit 7bbd3b14c02321ff2a63d7267e9ae022bda4f5bc
diff --git a/aux/bro-aux b/aux/bro-aux
index 148ce0f3ab..62b2f1bdd5 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 148ce0f3abdea5019fa1642d8108b09cc4c8d7a0
+Subproject commit 62b2f1bdd52d355fb0384c3f0e8f1879c7c17724
diff --git a/aux/broccoli b/aux/broccoli
index c2769d9cd8..cd02839cf0 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit c2769d9cd826ecaa08431d6af329db75a7d43583
+Subproject commit cd02839cf07d4db34f30bbdbb41711bc8b06b1ac
diff --git a/aux/broctl b/aux/broctl
index 13986eb507..798ea05965 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 13986eb50729f45834eb050be4a6233c83f9295d
+Subproject commit 798ea05965318333af4df8fe9f0296eb3a669f4f
From 9cfef93522a55087814eab8c13ad866f19e1e439 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 18 Jan 2011 14:40:37 -0500 Subject: [PATCH 26/71] Fixed bug in do_split implementation. Test suite succeeds! --- src/strings.bif | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/src/strings.bif b/src/strings.bif
index 253709e858..2e499ca0c4 100644
--- a/src/strings.bif
+++ b/src/strings.bif
@@ -204,10 +204,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 if ( other_sep && other_sep->Size() > 0 )
 other_strings = other_sep->ConvertToPureList();
- // Currently let us assume that str is NUL-terminated. In
- // the future we expect to change this by giving RE_Matcher a
- // const char* segment.
-
 const u_char* s = str_val->Bytes();
 int n = str_val->Len();
 const u_char* end_of_s = s + n;
@@ -215,7 +211,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 int num_sep = 0;
 int offset = 0;
-
 while ( n > 0 )
 {
 offset = 0;
@@ -224,7 +219,7 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 while ( n > 0 && (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 )
 {
- // Move on to next character.
+ // Move on to next byte.
 ++offset;
 --n;
 }
@@ -249,7 +244,6 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
 ++num_sep;
- offset += end_of_match;
 n -= end_of_match;
 s += offset;
From 3d9461eca1e94f39fd483fb12a4aae353fd43cde Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 19 Jan 2011 10:35:27 -0500 Subject: [PATCH 27/71] Added a BRO_DNS_FAKE message to the help output. --- src/main.cc | 1 + src/util.cc | 9 +++++++++ src/util.h | 1 + 3 files changed, 11 insertions(+)
diff --git a/src/main.cc b/src/main.cc
index 5df9b1c65c..b31acdda58 100644
--- a/src/main.cc
+++ b/src/main.cc
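Review bot: In the last `do_split` hunk, if `offset += end_of_match;` is the line being dropped (the collapsed diff does not make it certain whether that statement or a blank line was removed), the surviving `s += offset;` moves `s` to the start of the separator match while `n -= end_of_match;` shortens the remaining length by the match size, so the `(s, n)` window no longer begins just past the separator; unless the lines between the hunks (not visible here) advance `s` or `n` past the match, the next iteration rescans the separator and the final `end_of_match` bytes are never examined. A comment on those two lines stating what `s` and `n` are meant to denote after a match, e.g. `// s: first byte after the separator; n: bytes left from s`, would make the invariant checkable at a glance. `do_split` begins before the first hunk and ends after the last one.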
@@ -184,6 +184,7 @@ void usage()
 fprintf(stderr, " $BROPATH | file search path (%s)\n", bro_path());
 fprintf(stderr, " $BRO_PREFIXES | prefix list (%s)\n", bro_prefixes());
+ fprintf(stderr, " $BRO_DNS_FAKE | enable faked DNS query responses (%s)\n", bro_dns_fake());
 exit(1);
 }
diff --git a/src/util.cc b/src/util.cc
index d8390a866c..2244f74cb5 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -804,6 +804,15 @@ const char* bro_prefixes()
 return p;
 }
+
+const char* bro_dns_fake()
+ {
+ char* dns_fake = getenv("BRO_DNS_FAKE");
+ if ( !dns_fake )
+ return "";
+ else
+ return dns_fake;
+ }
 FILE* open_file(const char* filename, const char** full_filename)
 {
diff --git a/src/util.h b/src/util.h
index f4f007a27d..4af2a27bd8 100644
--- a/src/util.h
+++ b/src/util.h
@@ -177,6 +177,7 @@ extern int int_list_cmp(const void* v1, const void* v2);
 extern const char* bro_path();
 extern const char* bro_prefixes();
+extern const char* bro_dns_fake();
 extern FILE* search_for_file(const char* filename, const char* ext, const char** full_filename);
From c7a5bf071db9ba141405983b2ab7b27f78603403 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 19 Jan 2011 11:46:35 -0500 Subject: [PATCH 28/71] Prepared the old analyzer for extracting SSL extensions. --- src/SSLCiphers.cc | 44 +++++++++++++++++++++---------------------- src/SSLCiphers.h | 48 +++++++++++++++++++++++------------------------ src/SSLv3.cc | 46 +++++++++++++++++++++++++-------------------- 3 files changed, 72 insertions(+), 66 deletions(-)
diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc
index e8972beb21..002262d853 100644
--- a/src/SSLCiphers.cc
+++ b/src/SSLCiphers.cc
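Review bot: `bro_dns_fake` in the `util.cc` hunk can be written as `return dns_fake ? dns_fake : "";` in place of the four-line `if`/`else`, and the new definition appears to be inserted with an extra blank line before it but none between its closing brace and `FILE* open_file(...)`. A header comment such as `// Value of $BRO_DNS_FAKE, or "" when unset. The pointer is getenv()'s and is not to be freed.` would state the ownership of the returned string, which the `const char*` return type does not convey; the same wording belongs on the `extern` declaration added in `util.h`.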
@@ -319,52 +319,52 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 168,
 160
 },
- { TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+ { TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,
 SSL_CIPHER_TYPE_STREAM,
 SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_RC4,
 SSL_MAC_MD5,
- SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+ SSL_KEY_EXCHANGE_DH_anon_EXPORT,
 0,
 40,
 128
 },
- { TLS_DH_ANON_WITH_RC4_128_MD5,
+ { TLS_DH_anon_WITH_RC4_128_MD5,
 SSL_CIPHER_TYPE_STREAM,
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_RC4,
 SSL_MAC_MD5,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 128,
 128
 },
- { TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+ { TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
 SSL_CIPHER_TYPE_BLOCK,
 SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_DES40,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 40,
 160
 },
- { TLS_DH_ANON_WITH_DES_CBC_SHA,
+ { TLS_DH_anon_WITH_DES_CBC_SHA,
 SSL_CIPHER_TYPE_BLOCK,
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_DES,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 56,
 160
 },
- { TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+ { TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
 SSL_CIPHER_TYPE_BLOCK,
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_3DES,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 168,
 160
@@ -522,12 +522,12 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 128,
 160
 },
- { TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+ { TLS_DH_anon_WITH_AES_128_CBC_SHA,
 SSL_CIPHER_TYPE_BLOCK,
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_AES,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 128,
 160
@@ -582,12 +582,12 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 256,
 160
 },
- { TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+ { TLS_DH_anon_WITH_AES_256_CBC_SHA,
 SSL_CIPHER_TYPE_BLOCK,
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_AES,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 256,
 160
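Review bot: On the renamed `TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA` entry the key-exchange field is `SSL_KEY_EXCHANGE_DH_anon` although the suite carries `SSL_FLAG_EXPORT`, whereas the `TLS_DH_anon_EXPORT_WITH_RC4_40_MD5` entry just above it uses `SSL_KEY_EXCHANGE_DH_anon_EXPORT`; the mismatch predates the rename, but the two export suites of the same family should presumably classify their key exchange the same way, and this pass over every line of the entry is the natural place to settle it. A short comment on the table header stating which of the two values the `_EXPORT` suites are meant to use would keep later additions consistent.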
@@ -647,7 +647,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_CAMELLIA,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 128,
 160
@@ -707,7 +707,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_CAMELLIA,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 256,
 160
@@ -917,7 +917,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_3DES,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_ECDH_ANON,
+ SSL_KEY_EXCHANGE_ECDH_anon,
 0,
 168,
 160
@@ -927,7 +927,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_AES,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_ECDH_ANON,
+ SSL_KEY_EXCHANGE_ECDH_anon,
 0,
 128,
 160
@@ -937,7 +937,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_AES,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_ECDH_ANON,
+ SSL_KEY_EXCHANGE_ECDH_anon,
 0,
 256,
 160
@@ -947,7 +947,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_NULL,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_ECDH_ANON,
+ SSL_KEY_EXCHANGE_ECDH_anon,
 0,
 0,
 160
@@ -957,7 +957,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_RC4,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_ECDH_ANON,
+ SSL_KEY_EXCHANGE_ECDH_anon,
 0,
 128,
 160
@@ -1017,7 +1017,7 @@ SSL_CipherSpec SSL_CipherSpecs[] = {
 SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
 SSL_CIPHER_SEED,
 SSL_MAC_SHA,
- SSL_KEY_EXCHANGE_DH_ANON,
+ SSL_KEY_EXCHANGE_DH_anon,
 0,
 128,
 160
diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h
index 5d13b5b8b6..408a3b1567 100644
--- a/src/SSLCiphers.h
+++ b/src/SSLCiphers.h
@@ -51,11 +51,11 @@ enum SSL3_1_CipherSpec {
 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
 TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
- TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017,
- TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018,
- TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
- TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A,
- TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B,
+ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017,
+ TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018,
+ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
+ TLS_DH_anon_WITH_DES_CBC_SHA = 0x001A,
+ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B,
 // --- special SSLv3 ciphers
 SSL_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C,
 SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
@@ -82,13 +82,13 @@ enum SSL3_1_CipherSpec {
 TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
- TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034,
+ TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034,
 TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
 TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
 TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
- TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A,
+ TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A,
 TLS_RSA_WITH_NULL_SHA256 = 0x003B,
 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
@@ -101,7 +101,7 @@ enum SSL3_1_CipherSpec {
 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
- TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
+ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
 // -- Non-RFC. Widely deployed implementation (ciphers not fully described in SSLCiphers.cc)
 TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060,
 TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061,
@@ -116,15 +116,15 @@ enum SSL3_1_CipherSpec {
 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
- TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C,
- TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D,
+ TLS_DH_anon_WITH_AES_128_CBC_SHA256 = 0x006C,
+ TLS_DH_anon_WITH_AES_256_CBC_SHA256 = 0x006D,
 // -- RFC 5932
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
- TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
+ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
 // -- RFC 4279 (ciphers not fully described in SSLCiphers.cc)
 TLS_PSK_WITH_RC4_128_SHA = 0x008A,
 TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
@@ -144,7 +144,7 @@ enum SSL3_1_CipherSpec {
 TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
 TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
 TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
- TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B,
+ TLS_DH_anon_WITH_SEED_CBC_SHA = 0x009B,
 // -- RFC 5288 (ciphers not fully described in SSLCiphers.cc)
 TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
 TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
@@ -156,8 +156,8 @@ enum SSL3_1_CipherSpec {
 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
- TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6,
- TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7,
+ TLS_DH_anon_WITH_AES_128_GCM_SHA256 = 0x00A6,
+ TLS_DH_anon_WITH_AES_256_GCM_SHA384 = 0x00A7,
 // -- RFC 5487 (ciphers not fully described in SSLCiphers.cc)
 TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
 TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
@@ -183,13 +183,13 @@ enum SSL3_1_CipherSpec {
 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
- TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
+ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
- TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
+ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
 // -- RFC 4492
 TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
 TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
@@ -211,11 +211,11 @@ enum SSL3_1_CipherSpec {
 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
- TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015,
- TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016,
- TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017,
- TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018,
- TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019,
+ TLS_ECDH_anon_WITH_NULL_SHA = 0xC015,
+ TLS_ECDH_anon_WITH_RC4_128_SHA = 0xC016,
+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xC017,
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xC018,
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xC019,
 // -- RFC 5054 (ciphers not fully described in SSLCiphers.cc)
 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
 TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
@@ -299,8 +299,8 @@ enum SSL_KeyExchangeAlgorithm {
 SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
 SSL_KEY_EXCHANGE_DHE_RSA,
 SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
- SSL_KEY_EXCHANGE_DH_ANON,
- SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+ SSL_KEY_EXCHANGE_DH_anon,
+ SSL_KEY_EXCHANGE_DH_anon_EXPORT,
 SSL_KEY_EXCHANGE_FORTEZZA_KEA,
 // --- new 56 bit export ciphers
 SSL_KEY_EXCHANGE_RSA_EXPORT1024,
@@ -310,7 +310,7 @@ enum SSL_KeyExchangeAlgorithm {
 SSL_KEY_EXCHANGE_ECDHE_ECDSA,
 SSL_KEY_EXCHANGE_ECDH_RSA,
 SSL_KEY_EXCHANGE_ECDHE_RSA,
- SSL_KEY_EXCHANGE_ECDH_ANON,
+ SSL_KEY_EXCHANGE_ECDH_anon,
 };
 #if 0
diff --git a/src/SSLv3.cc b/src/SSLv3.cc
index d4b558ba79..92d18c6f26 100644
--- a/src/SSLv3.cc
+++ b/src/SSLv3.cc
@@ -195,7 +195,7 @@ void SSLv3_Interpreter::printStats()
 printf( "SSLv3x:\n" );
 printf( "Note: Because handshake messages may be coalesced into a \n");
 printf( " single SSLv3x record, the number of total messages for SSLv3x plus \n");
- printf( " the number of total records seen for SSLv2 won't match \n");
+ printf( " the number of total records seen for SSLv3 won't match \n");
 printf( " SSLProxy_Analyzer::totalRecords! \n");
 printf( "total connections = %u\n", totalConnections );
 printf( "opened connections (complete handshake) = %u\n", openedConnections );
@@ -554,7 +554,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 }
 else
 {
- if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+ if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
 {
 if ( rec->length < 2 )
 {
@@ -595,11 +595,11 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 switch (cipherSuite)
 {
 case TLS_NULL_WITH_NULL_NULL:
- case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5:
- case TLS_DH_ANON_WITH_RC4_128_MD5:
- case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:
- case TLS_DH_ANON_WITH_DES_CBC_SHA:
- case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA:
+ case TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:
+ case TLS_DH_anon_WITH_RC4_128_MD5:
+ case TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
+ case TLS_DH_anon_WITH_DES_CBC_SHA:
+ case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
 {
 Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
 break;
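Review bot: The twelve-term `keyXAlgorithm == SSL_KEY_EXCHANGE_...` disjunction in this hunk is repeated verbatim in the hunk at `@@ -654,7 +654,7 @@`, and the rename had to be applied to both copies by hand; a file-local helper such as `static bool IsDHKeyExchange(SSL_KeyExchangeAlgorithm kx)` holding the list once (or a `switch` over the enum with the DH cases grouped) would keep the two call sites in step and make the condition readable. The helper's comment should say which key-exchange methods it deliberately covers, since the list mixes the fixed, ephemeral, export and anonymous DH variants and a reader cannot tell from the line whether any omission is intentional. `DeliverSSLv3_Record` begins before and continues after both hunks.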
@@ -618,7 +618,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 break;
 }
- if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT )
+ if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT )
 Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
 // FIXME: Insert weird checks!
@@ -654,7 +654,7 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
 }
 else
 {
- if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+ if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_anon_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
 {
 if ( rec->length < 2 )
 {
@@ -1328,7 +1328,9 @@ int SSLv3_HandshakeRecord::checkClientHello()
 version != SSLProxy_Analyzer::SSLv31 )
 endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!");
- uint8 sessionIDLength = uint8(data[38]);
+ uint16 offset = 38;
+ uint8 sessionIDLength = uint8(data[offset]);
+ offset += (1 + sessionIDLength);
 if ( sessionIDLength > 32 )
 {
 endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!");
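Review bot: `offset` is declared `uint16` here, and the next hunk adds `2 + cipherSuiteLength` (itself a `uint16` read from the packet) and `1 + compressionMethodLength` to it; for a large advertised cipher-suite length the addition wraps modulo 65536, so the later `if ( offset > recordLength )` check can be satisfied by an offset that is really far beyond the record, whereas the expression it replaces (`cipherSuiteLength + sessionIDLength + 41`) was evaluated in `int`. Declaring it `uint32 offset = 38;` (or `int`) keeps the bounds check meaningful; a comment such as `// byte offset from the start of the handshake record, header included` on that line would also fix what the constant 38 refers to. `offset += (1 + sessionIDLength);` runs before the `sessionIDLength > 32` test, which is fine only because that branch returns; the return and the rest of `checkClientHello` lie outside this hunk.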
@@ -1336,33 +1338,37 @@ int SSLv3_HandshakeRecord::checkClientHello()
 }
 uint16 cipherSuiteLength =
- uint16(data[39 + sessionIDLength] << 8 ) |
- data[40 + sessionIDLength];
+ uint16(data[offset] << 8) | data[offset+1];
+ offset += (2 + cipherSuiteLength);
 if ( cipherSuiteLength < 2 )
 endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!");
- if ( cipherSuiteLength + sessionIDLength + 41 > recordLength )
+ if ( offset > recordLength )
 {
 endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!");
 return 0;
 }
- uint8 compressionMethodLength =
- uint8(data[41 + sessionIDLength + cipherSuiteLength]);
+ uint8 compressionMethodLength = uint8(data[offset]);
+ offset += (1 + compressionMethodLength);
 if ( compressionMethodLength < 1 )
 endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!");
- if ( sessionIDLength + cipherSuiteLength +
- compressionMethodLength + 38 != length )
+ if ( offset != length )
 {
 uint16 sslExtensionsLength =
- uint16(data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 1 ] << 8 ) | data[41 + sessionIDLength + cipherSuiteLength + compressionMethodLength + 2 ];
+ uint16(data[offset] << 8 ) | data[offset+1];
+ offset += 2;
+
 if ( sslExtensionsLength < 4 )
 endp->Interpreter()->Weird("SSLv3x: Extensions length too small!");
- if ( sessionIDLength + cipherSuiteLength +
- compressionMethodLength + 2 + sslExtensionsLength + 38 != length )
+
+ // TODO: extract SSL extensions here
+
+ offset += sslExtensionsLength;
+ if ( offset != length+4 )
 {
 endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
 return 0;
From ceb1bc8ee081e921c218044e6508ac185ca61db2 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 19 Jan 2011 12:10:34 -0500 Subject: [PATCH 29/71] Reworded BRO_DNS_FAKE message. --- src/main.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main.cc b/src/main.cc
index b31acdda58..e6def65167 100644
--- a/src/main.cc
+++ b/src/main.cc
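Review bot: The new `if ( offset != length )` is off by four relative to the test it replaces: the old condition was `sessionIDLength + cipherSuiteLength + compressionMethodLength + 38 != length`, while `offset` at that point equals `sessionIDLength + cipherSuiteLength + compressionMethodLength + 42` (38 plus the three length bytes plus the two cipher-suite length bytes), which is exactly why the final check in the same hunk had to become `offset != length+4`. As written, a ClientHello without extensions always satisfies `offset != length`, reads `sslExtensionsLength` from the two bytes immediately after the message body, and is then rejected by the final check as corrupt; the fix is `if ( offset != length + 4 )`, with a comment such as `// offset counts from the record start; length excludes the 4-byte handshake header` next to the constant, assuming `length` is the handshake body length as the old `+38` arithmetic implies. The reads of `data[offset]`/`data[offset+1]` for the cipher-suite, compression and extension lengths all precede the corresponding bounds check, and `offset > recordLength` still admits `offset == recordLength`, so each read should be guarded by something like `if ( offset + 2 > recordLength ) return 0;` before it. `checkClientHello` begins before this hunk and continues after it.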
@@ -184,7 +184,7 @@ void usage()
 fprintf(stderr, " $BROPATH | file search path (%s)\n", bro_path());
 fprintf(stderr, " $BRO_PREFIXES | prefix list (%s)\n", bro_prefixes());
- fprintf(stderr, " $BRO_DNS_FAKE | enable faked DNS query responses (%s)\n", bro_dns_fake());
+ fprintf(stderr, " $BRO_DNS_FAKE | disable DNS lookups (%s)\n", bro_dns_fake());
 exit(1);
 }
From ffaa20602cef18b24842ec28dd86fa9328db5026 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Jan 2011 10:08:42 -0800 Subject: [PATCH 30/71] IPv6 UDP checksum calculation was broken. (Matti Mantere) --- src/net_util.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/net_util.cc b/src/net_util.cc
index e49d575fa0..2ec6f4f653 100644
--- a/src/net_util.cc
+++ b/src/net_util.cc
@@ -97,7 +97,9 @@ int udp6_checksum(const struct ip6_hdr* ip6, const struct udphdr* up, int len)
 sum = ones_complement_checksum((void*) ip6->ip6_src.s6_addr, 16, sum);
 sum = ones_complement_checksum((void*) ip6->ip6_dst.s6_addr, 16, sum);
- sum = ones_complement_checksum((void*) &len, 4, sum);
+ uint32 l = htonl(len);
+ sum = ones_complement_checksum((void*) &l, 4, sum);
+ uint32 addl_pseudo = htons(IPPROTO_UDP);
 sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
 sum = ones_complement_checksum((void*) up, len, sum);
From bbbe32e443fe5e7399d3e81f77bc862fb5d3fed7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Jan 2011 11:12:41 -0800 Subject: [PATCH 31/71] Working around not being able to do lookup_addr() for IPv6 addresses. Rather than crashing, we warn the user once and then always time out the call. This addresses #291, and a #355 is new ticket scheduling fixing the actual problem to later. --- src/Trigger.cc | 6 ++++++ src/bro.bif | 16 +++++++++++++--- 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/Trigger.cc b/src/Trigger.cc
index c9e236f1fa..e71c19732b 100644
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
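Review bot: In the `udp6_checksum` hunk, the neighbouring `uint32 addl_pseudo = htons(IPPROTO_UDP);` stores a 16-bit network-order value in a 32-bit variable that is then summed as four bytes; the result is right only because ones'-complement addition of 16-bit words is commutative, so the zero word and the `0x0011` word may come in either order. `htonl(IPPROTO_UDP)` produces the pseudo-header's `00 00 00 11` layout directly and makes the intent obvious, mirroring the `htonl(len)` fix this commit makes on the line above it. `len` is an `int` handed to `htonl`, which takes an unsigned 32-bit argument; a comment noting that callers guarantee a non-negative length (or making the parameter `uint32`) would close that gap.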
@@ -130,11 +130,17 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts, Val* timeout = arg_timeout ? arg_timeout->ExprVal() : 0; + // Make sure we don't get deleted if somebody calls a method like + // Timeout() while evaluating the trigger. + Ref(this); + if ( ! Eval() && timeout ) { timer = new TriggerTimer(timeout->AsInterval(), this); timer_mgr->Add(timer); } + + Unref(this); } Trigger::~Trigger() diff --git a/src/bro.bif b/src/bro.bif index af841600c8..bdcd898bcf 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2813,7 +2813,7 @@ private: # function result. Therefore, they can only be called inside a when-condition. function lookup_addr%(host: addr%) : string %{ - // FIXME: Is should be easy to adapt the function to synchronous + // FIXME: It should be easy to adapt the function to synchronous // lookups if we're reading a trace. Trigger* trigger = frame->GetTrigger(); @@ -2829,8 +2829,18 @@ function lookup_addr%(host: addr%) : string #ifdef BROv6 if ( ! is_v4_addr(host) ) { - builtin_run_time("lookup_addr() only supports IPv4 addresses"); - return new StringVal(""); + // FIXME: This is a temporary work-around until we get this + // fixed. We warn the user once, and always trigger a timeout. + // Ticket #355 records the problem. + static bool warned = false; + if ( ! warned ) + { + warn("lookup_addr() only supports IPv4 addresses currently"); + warned = true; + } + + trigger->Timeout(); + return 0; } dns_mgr->AsyncLookupAddr(to_v4_addr(host), From a7df00eca711a029e034315dd4a52547decaf7cc Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Jan 2011 11:28:27 -0800 Subject: [PATCH 32/71] Connection compressor fix from #338. This changes starting times of quite a few connections in the test-suite, but that all seems legitimate. --- src/ConnCompressor.cc | 31 ------------------------------- src/ConnCompressor.h | 4 ---- 2 files changed, 35 deletions(-) 
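Review bot: The trailing `Unref(this);` can run the destructor from inside the constructor: if something reached from `Eval()` (for instance a BiF calling `Timeout()`, which the bro.bif change in this same commit now does) drops the reference that the caller of `new Trigger` is relying on, the final Unref takes the count to zero and `new` hands back a dangling pointer. The Ref/Unref pair only defers that deletion; it does not make the object usable afterwards. Either the caller should hold its own Ref before construction, or the constraint deserves a comment next to the Unref, e.g. `// NOTE: if Eval() released the caller's reference, the object is destroyed here and must not be used`. The constructor body continues outside the hunk, so the initial reference count is not visible here.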
diff --git a/src/ConnCompressor.cc b/src/ConnCompressor.cc index f38c0dcb89..36ecbd6c9a 100644 --- a/src/ConnCompressor.cc +++ b/src/ConnCompressor.cc @@ -391,26 +391,6 @@ Connection* ConnCompressor::NextFromOrig(PendingConn* pending, double t, { if ( (tp->th_flags & TH_ACK) && ! pending->ACK ) Weird(pending, t, "repeated_SYN_with_ack"); - else - { - // We adjust the start-time. Unfortunately - // this means that we have to create a new - // PendingConn as all of them need to be - // monotonically increasing in time. This - // leads to some inconsistencies with TCP.cc, - // as by doing this we basically restart our - // attempt_timer. - - pending = MoveState(t, pending); - - // Removing is necessary because the key - // will be destroyed at some point. - conns.Remove(&pending->key, sizeof(pending->key), - pending->hash, true); - conns.Dictionary::Insert(&pending->key, - sizeof(pending->key), pending->hash, - MakeMapPtr(pending), 0); - } } else @@ -715,17 +695,6 @@ uint8 ConnCompressor::MakeFlags(const PendingConn* c) const return tcp_flags; } -ConnCompressor::PendingConn* ConnCompressor::MoveState(double time, - PendingConn* c) - { - PendingConn* nc = MakeNewState(time); - memcpy(nc, c, sizeof(PendingConn)); - c->invalid = 1; - nc->time = time; - ++sizes.pending_in_mem; - return nc; - } - ConnCompressor::PendingConn* ConnCompressor::MakeNewState(double t) { // See if there is enough space in the current block. diff --git a/src/ConnCompressor.h b/src/ConnCompressor.h index f0069024a2..a76a35134a 100644 --- a/src/ConnCompressor.h +++ b/src/ConnCompressor.h @@ -138,10 +138,6 @@ private: // Fakes a TCP packet based on the available information. const IP_Hdr* PendingConnToPacket(const PendingConn* c); - // For changing the timestamp of PendingConn - allocates a new one, - // sets the given time, and copies all other data from old. - PendingConn* MoveState(double time, PendingConn* old); - // Construct a TCP-flags byte. uint8 MakeFlags(const PendingConn* c) const; 
From b67e4e5765ab4bb781661ea58291456558bdbb0a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Jan 2011 11:53:31 -0800 Subject: [PATCH 33/71] Loading scan.bro in portmappter.bro, per #330. --- policy/portmapper.bro | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/portmapper.bro b/policy/portmapper.bro index ecf952e9fc..99ce096ee0 100644 --- a/policy/portmapper.bro +++ b/policy/portmapper.bro @@ -4,6 +4,7 @@ @load hot @load conn @load weird +@load scan module Portmapper; From fc5a143bbe5c74841165ca153f862060252be391 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Jan 2011 12:27:15 -0800 Subject: [PATCH 34/71] Removing noisy output about doing incremental serialization. Addresses #292. --- src/PersistenceSerializer.cc | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc index f31fdb4d88..96e1686e74 100644 --- a/src/PersistenceSerializer.cc +++ b/src/PersistenceSerializer.cc @@ -348,9 +348,6 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status) status->conn_cookie = status->conns->InitForIteration(); status->conns->MakeRobustCookie(status->conn_cookie); } - - if ( status->info.may_suspend ) - bro_logger->Log("Starting incremental serialization..."); } else if ( cont->ChildSuspended() ) @@ -480,9 +477,6 @@ bool PersistenceSerializer::RunSerialization(SerialStatus* status) } } - if ( status->info.may_suspend ) - bro_logger->Log("Finished incremental serialization."); - delete status; return ret; } From 6ea8def6f65fc52dcc4102f68377ca3c6d608bbd Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 19 Jan 2011 14:55:51 -0600 Subject: [PATCH 35/71] MacPorts & Fink paths now prepended to default search prefixes --- CMakeLists.txt | 1 + aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- cmake/MacDependencyPaths.cmake | 10 ++++++++++ 6 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 cmake/MacDependencyPaths.cmake 
diff --git a/CMakeLists.txt b/CMakeLists.txt index 783efd685a..005c5aec15 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -57,6 +57,7 @@ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${EXTRA_COMPILE_FLAGS}") ######################################################################## ## Dependency Configuration +include(MacDependencyPaths) include(FindRequiredPackage) # Check cache value first to avoid displaying "Found sed" messages everytime diff --git a/aux/binpac b/aux/binpac index 7bbd3b14c0..898cfd5ddc 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 7bbd3b14c02321ff2a63d7267e9ae022bda4f5bc +Subproject commit 898cfd5ddc8cd356e4052c0bd699e51812a91e98 diff --git a/aux/bro-aux b/aux/bro-aux index 62b2f1bdd5..d741ee2ebd 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 62b2f1bdd52d355fb0384c3f0e8f1879c7c17724 +Subproject commit d741ee2ebd6576d9329218bfb53941b4de5375b6 diff --git a/aux/broccoli b/aux/broccoli index cd02839cf0..a5dbe7a0ea 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit cd02839cf07d4db34f30bbdbb41711bc8b06b1ac +Subproject commit a5dbe7a0eacd8628c1382707ae9596ad97c538aa diff --git a/aux/broctl b/aux/broctl index 798ea05965..0c96b764bf 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 798ea05965318333af4df8fe9f0296eb3a669f4f +Subproject commit 0c96b764bfef264a2f8b42363a5e090c4f65cca2 diff --git a/cmake/MacDependencyPaths.cmake b/cmake/MacDependencyPaths.cmake new file mode 100644 index 0000000000..9a8c6efc6a --- /dev/null +++ b/cmake/MacDependencyPaths.cmake 
@@ -0,0 +1,10 @@ +if (NOT _MAC_DEPENDENCY_PATHS) +set(_MAC_DEPENDENCY_PATHS) + # As of CMake 2.8.3, Fink and MacPorts search paths are appended to the + # default search prefix paths, but the nicer thing would be if they are + # prepended to the default, so that is fixed here. + if (APPLE) + list(INSERT CMAKE_SYSTEM_PREFIX_PATH 0 /opt/local) # MacPorts + list(INSERT CMAKE_SYSTEM_PREFIX_PATH 0 /sw) # Fink + endif () +endif () From 5247a64eaa0011f1bfc8fc8fcb290cff8a148471 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 19 Jan 2011 16:56:30 -0600 Subject: [PATCH 36/71] Changed behavior of how binary packaging installs config files. The pre/post install scripts for RPMs should not perform any logic to backup config files, instead relying on the standard logic that RPMs normally do. For Mac packages, when an existing config file differs from the package's version, the previous version is always kept and an alert is displayed to the user explaining the situation. --- aux/broccoli | 2 +- aux/broctl | 2 +- cmake/ConfigurePackaging.cmake | 20 ++++++++++++------- cmake/MAC_PACKAGE_INTRO | 6 +----- cmake/package_postupgrade.sh.in | 34 +++++++++++++++++++++++---------- 5 files changed, 40 insertions(+), 24 deletions(-) diff --git a/aux/broccoli b/aux/broccoli index c2769d9cd8..ab273570c2 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit c2769d9cd826ecaa08431d6af329db75a7d43583 +Subproject commit ab273570c22b04f977877a2eb707c982319fd9c7 diff --git a/aux/broctl b/aux/broctl index 13986eb507..1fe790706f 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 13986eb50729f45834eb050be4a6233c83f9295d +Subproject commit 1fe790706fcf3d9338b8fb073956c02a55686bb0 diff --git a/cmake/ConfigurePackaging.cmake b/cmake/ConfigurePackaging.cmake index 51f1c04d96..f77dcc0fae 100644 --- a/cmake/ConfigurePackaging.cmake +++ b/cmake/ConfigurePackaging.cmake 
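Review bot: The include guard never engages: `set(_MAC_DEPENDENCY_PATHS)` with no value unsets the variable in CMake, so `if (NOT _MAC_DEPENDENCY_PATHS)` is true on every include and the two `list(INSERT ...)` calls prepend `/opt/local` and `/sw` again each time the file is pulled in. Write `set(_MAC_DEPENDENCY_PATHS TRUE)` so the guard holds. Because this also makes those trees win over system prefixes for every dependency lookup, a short comment such as `# NOTE: anything installed under /opt/local or /sw now takes precedence over system packages` would help whoever later asks where a linked library came from.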
@@ -140,14 +140,12 @@ macro(SetPackageMetadata) set(CPACK_RPM_PACKAGE_LICENSE "BSD") endmacro(SetPackageMetadata) -# Sets pre and post install scripts for PackageMaker and RPM packages. +# Sets pre and post install scripts for PackageMaker packages. # The main functionality that such scripts offer is a way to make backups # of "configuration" files that a user may have modified. -# A better way to prevent an RPM from not overwriting config files is -# with the %config(noreplace) .spec attribute, but CPack does not have any -# good hooks into using that yet, so we re-use the pre/post install scripts -# See also: http://public.kitware.com/Bug/view.php?id=10294 -macro(SetPackageInstallScripts) +# Note that RPMs already have a robust mechanism for dealing with +# user-modified files, so we do not need this additional functionality +macro(SetPackageInstallScripts VERSION) if (INSTALLED_CONFIG_FILES) # Remove duplicates from the list of installed config files @@ -160,6 +158,14 @@ macro(SetPackageInstallScripts) set(INSTALLED_CONFIG_FILES "${_tmp}" CACHE STRING "" FORCE) endif () + if (${CMAKE_SYSTEM_NAME} MATCHES "Linux") + # Leaving the set of installed config files empty will just + # bypass the logic in the pre/post install scripts and let + # the RPM do their own thing (regarding backups, etc.) + # when upgrading packages. + set (INSTALLED_CONFIG_FILES "") + endif () + if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in) configure_file( ${CMAKE_CURRENT_SOURCE_DIR}/cmake/package_preinstall.sh.in @@ -189,7 +195,7 @@ macro(ConfigurePackaging _version) SetPackageGenerators() SetPackageFileName(${_version}) SetPackageMetadata() - SetPackageInstallScripts() + SetPackageInstallScripts(${_version}) set(CPACK_SET_DESTDIR true) set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX}) diff --git a/cmake/MAC_PACKAGE_INTRO b/cmake/MAC_PACKAGE_INTRO index b1fc25891b..ef37e62a1a 100644 --- a/cmake/MAC_PACKAGE_INTRO +++ b/cmake/MAC_PACKAGE_INTRO 
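Review bot: `macro(SetPackageInstallScripts VERSION)` names the argument, but macro parameters are textual substitutions (`${VERSION}`), not variables, so the `@VERSION@` placeholder that `configure_file` fills in the install-script templates is satisfied only if a real variable named `VERSION` already exists in the caller's scope — nothing in this hunk sets one. Either add `set(VERSION ${_version})` before the call in ConfigurePackaging, or make it a `function(SetPackageInstallScripts VERSION)`, where arguments are real variables, so the substitution no longer depends on surrounding state. The Linux branch's plain `set (INSTALLED_CONFIG_FILES "")` shadows the cache entry of the same name rather than clearing it, which is fine for the templates but leaves a stale list in the cache; a comment saying that is intentional would avoid a later "fix". The configure_file calls the macro performs are only partly visible in the next hunk.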
@@ -15,10 +15,6 @@ destination as the one that contains the root filesystem. If you have existing configuration files that are modified or otherwise different from the version included in the package, -this installer will attempt to prevent clobbering them by -backing them up like: - - @CMAKE_INSTALL_PREFIX@/etc/. - +this installer will attempt to prevent overwirting them, but its also advisable to make your own backups of important files before proceeding. diff --git a/cmake/package_postupgrade.sh.in b/cmake/package_postupgrade.sh.in index 6cae58dc9f..7ae35185f6 100755 --- a/cmake/package_postupgrade.sh.in +++ b/cmake/package_postupgrade.sh.in @@ -3,8 +3,9 @@ # This script is meant to be used by binary packages post-installation. # Variables between @ symbols are replaced by CMake at configure time. -backupDesc="# Backup made by install of @CMAKE_PROJECT_NAME@ version @VERSION@" backupNamesFile=/tmp/bro_install_backups +version=@VERSION@ +newFiles="" # check whether it's safe to remove backup configuration files that # the most recent package install created 
@@ -13,22 +14,25 @@ if [ -e ${backupNamesFile} ]; then backupFileList=`cat ${backupNamesFile}` for backupFile in ${backupFileList}; do - origFile=`echo ${backupFile} | sed 's/\(.*\)\..*/\1/'` + origFileName=`echo ${backupFile} | sed 's/\(.*\)\..*/\1/'` - diff ${origFile} ${backupFile} > /dev/null 2>&1 + diff ${origFileName} ${backupFile} > /dev/null 2>&1 if [ $? -eq 0 ]; then # if the installed version and the backup version don't differ # then we can remove the backup version rm ${backupFile} else - # keep the backup, prepend text explaining what created it - tmpfile=/tmp/bro_install_tmp$$ - echo ${backupDesc} > ${tmpfile} - echo "" >> ${tmpfile} - cat ${backupFile} >> ${tmpfile} - cp ${tmpfile} ${backupFile} - rm ${tmpfile} + # The backup file differs from the newly installed version, + # since we can't tell if the backup version has been modified + # by the user, we should restore it to its original location + # and rename the new version appropriately. + + newFileName=${origFileName}.${version} + newFiles="${newFiles}\n${newFileName}" + + mv ${origFileName} ${newFileName} + mv ${backupFile} ${origFileName} fi done @@ -36,6 +40,16 @@ if [ -e ${backupNamesFile} ]; then rm ${backupNamesFile} fi +if [ -n "${newFiles}" ]; then +# Use some apple script to display a message to user +/usr/bin/osascript << EOF + tell application "System Events" + activate + display alert "Existing configuration files differ from the ones that would be installed by this package. To avoid overwriting configuration which you may have modified, the following new config files have been installed:\n${newFiles}\n\nIf you have previously modified configuration files, please make sure that they are still compatible, else you should update your config files to the new versions." + end tell +EOF +fi + # make sure that world-writeable dirs have the sticky bit set # so that unprivileged can't rename/remove files within From eb72ca77711e5b4e8214924aec00ef712ae5ee23 Mon Sep 17 00:00:00 2001 
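Review bot: Everything this hunk renames or removes is driven by `cat ${backupNamesFile}`, and that file is the fixed path `/tmp/bro_install_backups` (a context line in the previous hunk) — a post-install script that presumably runs with the installer's privileges is trusting a world-writable location, so a local user who pre-creates that file or a symlink at that name can steer `rm ${backupFile}`, `mv ${origFileName} ${newFileName}` and `mv ${backupFile} ${origFileName}` at paths of their choosing. The pre-install step that writes the list is not visible here, but the list should live under the install prefix or in a `mktemp -d` directory whose name is passed explicitly, and the consumer should at least check ownership and refuse symlinks before acting on its contents. Quoting the expansions (`"${origFileName}"`, `"${backupFile}"`) also avoids word-splitting on paths with spaces. Note that `sed 's/\(.*\)\..*/\1/'` only strips the final `.suffix`, so the derivation is only as safe as the naming scheme the writer used.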
From: Robin Sommer Date: Wed, 19 Jan 2011 16:45:42 -0800 Subject: [PATCH 37/71] Revert "Some small tweaks to the HTTP analyzer". This reverts commit 763a446182934679f5e56146bee26b2e7cad1f3b. --- policy/http-header.bro | 2 -- src/HTTP.cc | 45 ++++-------------------------------------- src/bro.bif | 13 ++++-------- 3 files changed, 8 insertions(+), 52 deletions(-) diff --git a/policy/http-header.bro b/policy/http-header.bro index 259031b024..3d676488ff 100644 --- a/policy/http-header.bro +++ b/policy/http-header.bro @@ -2,8 +2,6 @@ # Prints out detailed HTTP headers. -@load http - module HTTP; export { diff --git a/src/HTTP.cc b/src/HTTP.cc index 85872f7c79..0cccf75103 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -16,21 +16,16 @@ const bool DEBUG_http = false; -/* The EXPECT_*_NOTHING states are used to prevent further parsing. Used - * if a message was interrupted. - */ enum { EXPECT_REQUEST_LINE, EXPECT_REQUEST_MESSAGE, EXPECT_REQUEST_TRAILER, - EXPECT_REQUEST_NOTHING, }; enum { EXPECT_REPLY_LINE, EXPECT_REPLY_MESSAGE, EXPECT_REPLY_TRAILER, - EXPECT_REPLY_NOTHING, }; HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body) @@ -856,20 +851,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) HTTP_Event("crud_trailing_HTTP_request", new_string_val(line, end_of_line)); else - { - // We do see HTTP requests with a trailing EOL that's not - // not accounted for by the content-length. This will lead - // to a call to this method with len==0 while we are - // expecting a new request. Since HTTP servers handle - // such request gracefully, we should do so as well. - if (len==0) - Weird("empty_http_request"); - else - { - ProtocolViolation("not a http request line"); - request_state = EXPECT_REQUEST_NOTHING; - } - } + ProtocolViolation("not a http request line"); } break; 
@@ -879,9 +861,6 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) case EXPECT_REQUEST_TRAILER: break; - - case EXPECT_REQUEST_NOTHING: - break; } } else @@ -894,8 +873,6 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) if ( unanswered_requests.empty() ) Weird("unmatched_HTTP_reply"); - else - ProtocolConfirmation(); reply_state = EXPECT_REPLY_MESSAGE; reply_ongoing = 1; @@ -908,10 +885,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) len); } else - { ProtocolViolation("not a http reply line"); - reply_state = EXPECT_REPLY_NOTHING; - } break; @@ -921,9 +895,6 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) case EXPECT_REPLY_TRAILER: break; - - case EXPECT_REPLY_NOTHING: - break; } } } @@ -1071,8 +1042,6 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) // HTTP methods for distributed authoring. "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT", "COPY", "MOVE", "LOCK", "UNLOCK", - // More stuff - "POLL", "REPORT", "SUBSCRIBE", "BMOVE", "SEARCH", @@ -1086,7 +1055,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) if ( ! http_methods[i] ) { - //Weird("HTTP_unknown_method"); + // Weird("HTTP_unknown_method"); if ( RequestExpected() ) HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line)); return 0; @@ -1287,10 +1256,7 @@ void HTTP_Analyzer::RequestMade(const int interrupted, const char* msg) num_request_lines = 0; - if (interrupted) - request_state = EXPECT_REQUEST_NOTHING; - else - request_state = EXPECT_REQUEST_LINE; + request_state = EXPECT_REQUEST_LINE; } void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) 
@@ -1319,10 +1285,7 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) reply_reason_phrase = 0; } - if (interrupted) - reply_state = EXPECT_REPLY_NOTHING; - else - reply_state = EXPECT_REPLY_LINE; + reply_state = EXPECT_REPLY_LINE; } void HTTP_Analyzer::RequestClash(Val* /* clash_val */) diff --git a/src/bro.bif b/src/bro.bif index af841600c8..0de77bfc49 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1365,17 +1365,12 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any { Analyzer* ha = c->FindAnalyzer(id); - if (ha) - { - if ( ha->GetTag() == AnalyzerTag::HTTP ) - static_cast(ha)->SkipEntityData(is_orig); - else - run_time("non-HTTP analyzer associated with connection record"); - } + if ( ha->GetTag() == AnalyzerTag::HTTP ) + static_cast(ha)->SkipEntityData(is_orig); else - run_time("could not find analyzer for skip_http_entity_data"); - + run_time("non-HTTP analyzer associated with connection record"); } + else run_time("no analyzer associated with connection record"); From e1ab9b1c6911133384bfb25b621800829d9fea90 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 19 Jan 2011 10:09:22 -0500 Subject: [PATCH 38/71] Pattern construction BiFs will now work if no packets have been read. --- src/bro.bif | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/bro.bif b/src/bro.bif index e9f994204a..585c458184 100644 --- a/src/bro.bif +++ b/src/bro.bif 
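Review bot: The reverted code dereferences `ha` without checking it: after `Analyzer* ha = c->FindAnalyzer(id);` the new side goes straight to `if ( ha->GetTag() == AnalyzerTag::HTTP )`, so if FindAnalyzer() can return a null pointer (the dropped `if (ha)` branch and its "could not find analyzer" message assumed it can) a script calling skip_http_entity_data() with a stale analyzer id crashes Bro instead of reporting a run-time error. Even if the rest of the revert is wanted, that null check is worth keeping on its own: `if ( ! ha ) run_time("could not find analyzer for skip_http_entity_data"); else if ( ha->GetTag() == AnalyzerTag::HTTP ) ...`. The opening of the function, where `id` is obtained, is outside the hunk.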
@@ -1848,15 +1848,15 @@ function uuid_to_string%(uuid: string%): string %} -# The following functions are attempts to convert strings into -# patterns at run-time. These attempts were later *abandoned* because -# NFA and DFA cannot be cleanly deallocated. +# The following functions convert strings into patterns at run-time. As the +# computed NFAs and DFAs cannot be cleanly deallocated (at least for now), +# they can only be used at initialization time. function merge_pattern%(p1: pattern, p2: pattern%): pattern %{ - if ( reading_live ) + if ( bro_start_network_time != 0.0 ) { - builtin_run_time("should not call merge_pattern while reading live traffic"); + builtin_run_time("merge_pattern can only be called at init time"); return 0; } @@ -1900,9 +1900,9 @@ function convert_for_pattern%(s: string%): string function string_to_pattern%(s: string, convert: bool%): pattern %{ - if ( reading_live ) + if ( bro_start_network_time != 0.0 ) { - builtin_run_time("should not call merge_pattern while reading live traffic"); + builtin_run_time("string_to_pattern can only be called at init time"); return 0; } From 75335b933e4f016b857a90bf746dffa17577bf8c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 6 Jan 2011 16:53:31 -0800 Subject: [PATCH 39/71] Removing global_attrs from parser, per #11, and also record attributes. Both aren't used anywhere. Along with these goes some more now unused code. Closes #11. --- src/Expr.cc | 50 +++++++++--------------------------- src/Expr.h | 2 +- src/Type.cc | 73 +++++++++++++---------------------------------------- src/Type.h | 18 +------------ src/Val.cc | 9 ------- src/Val.h | 7 ----- src/parse.y | 29 +++------------------ src/scan.l | 2 -- 8 files changed, 35 insertions(+), 155 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index 77466f2a55..dbfca7c9cb 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -2611,7 +2611,6 @@ Val* AssignExpr::Eval(Frame* f) const if ( v ) { op1->Assign(f, v); - //### op1->SetAttribs(); return val ? val->Ref() : v->Ref(); } else @@ -3062,13 +3061,6 @@ FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name) if ( IsError() ) return; - if ( streq(arg_field_name, "attr") ) - { - field = -1; - SetType(op->Type()->AttributesType()->Ref()); - return; - } - if ( ! IsRecord(op->Type()->Tag()) ) ExprError("not a record"); else @@ -3106,12 +3098,7 @@ void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode) return; if ( field < 0 ) - { - Val* lhs = op->Eval(f); - lhs->SetAttribs(v->AsRecordVal()); - Unref(lhs); - return; - } + ExprError("no such field in record"); Val* op_v = op->Eval(f); if ( op_v ) @@ -3124,9 +3111,6 @@ void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode) Val* FieldExpr::Fold(Val* v) const { - if ( field < 0 ) - return v->GetAttribs(true)->Ref(); - Val* result = v->AsRecordVal()->Lookup(field); if ( result ) return result->Ref(); @@ -3179,24 +3163,20 @@ bool FieldExpr::DoUnserialize(UnserialInfo* info) return td != 0; } -HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name, - bool arg_is_attr) +HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name) : UnaryExpr(EXPR_HAS_FIELD, arg_op) { field_name = arg_field_name; - is_attr = arg_is_attr; field = 0; if ( IsError() ) return; - if ( ! is_attr && ! IsRecord(op->Type()->Tag()) ) + if ( ! IsRecord(op->Type()->Tag()) ) ExprError("not a record"); else { - RecordType* rt = is_attr ? - op->Type()->AttributesType() : - op->Type()->AsRecordType(); + RecordType* rt = op->Type()->AsRecordType(); field = rt->FieldOffset(field_name); if ( field < 0 ) @@ -3215,10 +3195,7 @@ Val* HasFieldExpr::Fold(Val* v) const { RecordVal* rec_to_look_at; - if ( is_attr ) - rec_to_look_at = v->GetAttribs(false); - else - rec_to_look_at = v->AsRecordVal(); + rec_to_look_at = v->AsRecordVal(); if ( ! rec_to_look_at ) return new Val(0, TYPE_BOOL); 
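Review bot: In FieldExpr::Assign the `field < 0` branch no longer leaves the function: the removed block ended in `return;`, but the replacement `ExprError("no such field in record");` falls through to `Val* op_v = op->Eval(f);` and whatever assignment follows with a negative field index, unless ExprError() aborts (not visible here). If the constructor already rejects unknown fields so this path is unreachable, a comment saying so would do; otherwise `if ( field < 0 ) { ExprError("no such field in record"); return; }` keeps the guard meaningful. The remainder of Assign() is outside the hunk.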
@@ -3235,12 +3212,7 @@ void HasFieldExpr::ExprDescribe(ODesc* d) const op->Describe(d); if ( d->IsReadable() ) - { - if ( is_attr ) - d->Add("?$$"); - else - d->Add("?$"); - } + d->Add("?$"); if ( IsError() ) d->Add(""); @@ -3255,13 +3227,17 @@ IMPLEMENT_SERIAL(HasFieldExpr, SER_HAS_FIELD_EXPR); bool HasFieldExpr::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_HAS_FIELD_EXPR, UnaryExpr); - return SERIALIZE(is_attr) && SERIALIZE(field_name) && SERIALIZE(field); + + // Serialize the former "bool is_attr" first for backwards compatibility. + return SERIALIZE(false) && SERIALIZE(field_name) && SERIALIZE(field); } bool HasFieldExpr::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(UnaryExpr); - return UNSERIALIZE(&is_attr) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field); + // Unserialize the former "bool is_attr" first for backwards compatibility. + bool not_used; + return UNSERIALIZE(¬_used) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field); } RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list) @@ -3507,8 +3483,6 @@ Val* SetConstructorExpr::Eval(Frame* f) const aggr->Assign(element, 0); } - aggr->AsTableVal()->SetAttrs(attrs); - return aggr; } diff --git a/src/Expr.h b/src/Expr.h index c078d4651c..9c338a0f8a 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -709,7 +709,7 @@ protected: // "rec?$$attrname" is true if the attribute attrname is not nil. class HasFieldExpr : public UnaryExpr { public: - HasFieldExpr(Expr* op, const char* field_name, bool is_attr); + HasFieldExpr(Expr* op, const char* field_name); ~HasFieldExpr(); protected: diff --git a/src/Type.cc b/src/Type.cc index 1f5c22d58b..55794dfce5 100644 --- a/src/Type.cc +++ b/src/Type.cc 
@@ -10,20 +10,6 @@ #include "Scope.h" #include "Serializer.h" -RecordType* init_global_attrs(); - -bool in_global_attr_decl = false; -RecordType* global_attributes_type = init_global_attrs(); - -RecordType* init_global_attrs() - { - in_global_attr_decl = true; - RecordType* rt = new RecordType(new type_decl_list); - in_global_attr_decl = false; - rt->MakeGlobalAttributeType(); - return rt; - } - const char* type_name(TypeTag t) { static char errbuf[512]; @@ -58,7 +44,6 @@ BroType::BroType(TypeTag t, bool arg_base_type) tag = t; is_network_order = 0; base_type = arg_base_type; - is_global_attributes_type = false; switch ( tag ) { case TYPE_VOID: @@ -118,28 +103,6 @@ BroType::BroType(TypeTag t, bool arg_base_type) break; } - // Kind of hacky; we don't want an error while we're defining - // the global attrs! - if ( in_global_attr_decl ) - { - attributes_type = 0; - return; - } - - if ( ! global_attributes_type ) - SetError(); - else - attributes_type = global_attributes_type; - } - -bool BroType::SetAttributesType(type_decl_list* attr_types) - { - TypeList* global = new TypeList(); - global->Append(global_attributes_type); - - attributes_type = refine_type(global, attr_types)->AsRecordType(); - - return (attributes_type != 0); } int BroType::MatchesIndex(ListExpr*& /* index */) const @@ -241,16 +204,6 @@ BroType* BroType::Unserialize(UnserialInfo* info, TypeTag want) return t2; } - // For the global_attribute_type, we also return our current instance. - if ( t->is_global_attributes_type ) - { - BroType* t2 = global_attributes_type; - Unref(t); - t2->Ref(); - assert(t2); - return t2; - } - assert(t); return t; } 
@@ -267,10 +220,15 @@ bool BroType::DoSerialize(SerialInfo* info) const return false; if ( ! (SERIALIZE(is_network_order) && SERIALIZE(base_type) && - SERIALIZE(is_global_attributes_type)) ) + // Serialize the former "bool is_global_attributes_type" for + // backwards compatibility. + SERIALIZE(false)) ) return false; - SERIALIZE_OPTIONAL(attributes_type); + // Likewise, serialize the former optional "RecordType* attributes_type" + // for backwards compatibility. + void* null = NULL; + SERIALIZE(null); info->s->WriteCloseTag("Type"); @@ -288,13 +246,19 @@ bool BroType::DoUnserialize(UnserialInfo* info) tag = (TypeTag) c1; internal_tag = (InternalTypeTag) c2; + bool not_used; + if ( ! (UNSERIALIZE(&is_network_order) && UNSERIALIZE(&base_type) - && UNSERIALIZE(&is_global_attributes_type)) ) + // Unerialize the former "bool is_global_attributes_type" for + // backwards compatibility. + && UNSERIALIZE(¬_used)) ) return 0; - BroType* type; - UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info, TYPE_RECORD)); - attributes_type = (RecordType*) type; + BroType* not_used_either; + + // Likewise, unserialize the former optional "RecordType* + // attributes_type" for backwards compatibility. + UNSERIALIZE_OPTIONAL(not_used_either, BroType::Unserialize(info, TYPE_RECORD)); return true; } @@ -721,9 +685,6 @@ TypeDecl::TypeDecl(BroType* t, const char* i, attr_list* arg_attrs) type = t; attrs = arg_attrs ? new Attributes(arg_attrs, t) : 0; id = i; - - if ( in_global_attr_decl && ! attrs->FindAttr(ATTR_DEFAULT) ) - error("global attribute types must have default values"); } TypeDecl::~TypeDecl() diff --git a/src/Type.h b/src/Type.h index 7778fabc1e..ff4d3df9e6 100644 --- a/src/Type.h +++ b/src/Type.h @@ -60,9 +60,6 @@ class EnumType; class Serializer; class VectorType; -extern bool in_global_attr_decl; -extern RecordType* global_attributes_type; - const int DOES_NOT_MATCH_INDEX = 0; const int MATCHES_INDEX_SCALAR = 1; const int MATCHES_INDEX_VECTOR = 2; 
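Review bot: The compatibility write of the former `attributes_type` ignores its result: `SERIALIZE(null);` stands alone, while every other field in DoSerialize is wrapped in `if ( ! (SERIALIZE(...) && ...) ) return false;`, so a write failure at that point is silently dropped — `if ( ! SERIALIZE(null) ) return false;` restores the error handling. It is also not evident from this hunk that serialising a `void*` null produces the same bytes that the old `SERIALIZE_OPTIONAL(attributes_type)` wrote for an absent pointer, which is what the `UNSERIALIZE_OPTIONAL` on the reading side still expects; a comment naming the macro definitions that make the two equivalent would spare the next reader that check.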
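Review bot: The compatibility read in DoUnserialize leaks whatever it reads: `UNSERIALIZE_OPTIONAL(not_used_either, BroType::Unserialize(info, TYPE_RECORD));` leaves a freshly reconstructed type in `not_used_either` and then drops it, so state written by an older Bro that still carried attribute types is rebuilt and never released. If BroType::Unserialize returns an owned reference (the removed code stored the result in a member, which suggests it does), add `Unref(not_used_either);` right after the macro, and initialise the pointer to 0 first so the Unref is safe when nothing was present.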
@@ -74,15 +71,6 @@ public: TypeTag Tag() const { return tag; } InternalTypeTag InternalType() const { return internal_tag; } - // Type for the attributes (metadata) on this type. - RecordType* AttributesType() - { - if ( ! attributes_type ) - attributes_type = global_attributes_type; - return attributes_type; - } - bool SetAttributesType(type_decl_list* attr_types); - // Whether it's stored in network order. int IsNetworkOrder() const { return is_network_order; } @@ -211,8 +199,6 @@ public: BroType* Ref() { ::Ref(this); return this; } - void MakeGlobalAttributeType() { is_global_attributes_type = true; } - virtual void Describe(ODesc* d) const; virtual unsigned MemoryAllocation() const; @@ -221,7 +207,7 @@ public: static BroType* Unserialize(UnserialInfo* info, TypeTag want = TYPE_ANY); protected: - BroType() { attributes_type = 0; } + BroType() { } void SetError(); @@ -232,8 +218,6 @@ private: InternalTypeTag internal_tag; bool is_network_order; bool base_type; - bool is_global_attributes_type; - RecordType* attributes_type; }; class TypeList : public BroType { diff --git a/src/Val.cc b/src/Val.cc index f43bafe4d7..4519d76f30 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -414,15 +414,6 @@ bool Val::DoUnserialize(UnserialInfo* info) return false; } -RecordVal* Val::GetAttribs(bool instantiate) - { - if ( ! instantiate || attribs ) - return attribs; - - attribs = new RecordVal(type->AttributesType()); - return attribs; - } - int Val::IsZero() const { switch ( type->InternalType() ) { diff --git a/src/Val.h b/src/Val.h index 5a2faee9d7..d21562c907 100644 --- a/src/Val.h +++ b/src/Val.h @@ -178,13 +178,6 @@ public: Val* Ref() { ::Ref(this); return this; } virtual Val* Clone() const; - RecordVal* GetAttribs(bool instantiate); - void SetAttribs(RecordVal* arg_attribs) - { - Unref((Val*) attribs); - attribs = arg_attribs; - } - int IsZero() const; int IsOne() const; diff --git a/src/parse.y b/src/parse.y index b0bb39f0ea..3cf2c07b18 100644 --- a/src/parse.y 
+++ b/src/parse.y @@ -8,7 +8,7 @@ %token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST %token TOK_CONSTANT TOK_COPY TOK_COUNT TOK_COUNTER TOK_DEFAULT TOK_DELETE %token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FILE TOK_FOR -%token TOK_FUNCTION TOK_GLOBAL TOK_GLOBAL_ATTR TOK_ID TOK_IF TOK_INT +%token TOK_FUNCTION TOK_GLOBAL TOK_ID TOK_IF TOK_INT %token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE TOK_MATCH TOK_NET %token TOK_NEXT TOK_OF TOK_PATTERN TOK_PATTERN_TEXT %token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF @@ -53,7 +53,7 @@ %type func_hdr func_params %type type_list %type type_decl formal_args_decl -%type type_decl_list formal_args_decl_list opt_attr_attr +%type type_decl_list formal_args_decl_list %type formal_args %type expr_list opt_expr_list %type case @@ -417,13 +417,7 @@ expr: | expr TOK_HAS_FIELD TOK_ID { set_location(@1, @3); - $$ = new HasFieldExpr($1, $3, false); - } - - | expr TOK_HAS_ATTR TOK_ID - { - set_location(@1, @3); - $$ = new HasFieldExpr($1, $3, true); + $$ = new HasFieldExpr($1, $3); } | anonymous_function @@ -821,17 +815,9 @@ decl: } } - | TOK_TYPE global_id ':' refined_type opt_attr opt_attr_attr ';' + | TOK_TYPE global_id ':' refined_type opt_attr ';' { add_type($2, $4, $5, 0); - if ( $6 ) - $2->AsType()->SetAttributesType($6); - } - - | TOK_GLOBAL_ATTR ':' { in_global_attr_decl = true; } - '{' type_decl_list '}' ';' { in_global_attr_decl = false; } - { - global_attributes_type = new RecordType($5); } | TOK_EVENT event_id ':' refined_type opt_attr ';' @@ -856,13 +842,6 @@ conditional: { do_atelse(); } ; -opt_attr_attr: - TOK_ATTR_ATTR '=' '{' type_decl_list '}' - { $$ = $4; } - | - { $$ = 0; } - ; - func_hdr: TOK_FUNCTION global_id func_params { diff --git a/src/scan.l b/src/scan.l index 0d479dc44e..9dc4d828e0 100644 --- a/src/scan.l +++ b/src/scan.l 
@@ -151,9 +151,7 @@ file return TOK_FILE; for return TOK_FOR; function return TOK_FUNCTION; global return TOK_GLOBAL; -global_attr return TOK_GLOBAL_ATTR; "?$" return TOK_HAS_FIELD; -"?$$" return TOK_HAS_ATTR; if return TOK_IF; in return TOK_IN; "!"{OWS}in/[^A-Za-z0-9] return TOK_NOT_IN; /* don't confuse w "! infoo"! */ From 0a3f84681a48c5b644bed8a23a73aed93cc0fca2 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Jan 2011 18:11:40 -0800 Subject: [PATCH 40/71] Updating submodules. --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aux/binpac b/aux/binpac index 7bbd3b14c0..898cfd5ddc 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 7bbd3b14c02321ff2a63d7267e9ae022bda4f5bc +Subproject commit 898cfd5ddc8cd356e4052c0bd699e51812a91e98 diff --git a/aux/bro-aux b/aux/bro-aux index 62b2f1bdd5..d741ee2ebd 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 62b2f1bdd52d355fb0384c3f0e8f1879c7c17724 +Subproject commit d741ee2ebd6576d9329218bfb53941b4de5375b6 diff --git a/aux/broccoli b/aux/broccoli index 72fbaebc88..c745d747ec 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 72fbaebc886f5538b4a3c07f6e334c28bfb4138a +Subproject commit c745d747ec65f608bead605fc26f84ca44be21c9 diff --git a/aux/broctl b/aux/broctl index c41aa2131c..4133635936 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit c41aa2131ce5aa07ce675d9ccbd4d61455f623d7 +Subproject commit 41336359365238036fd63f8bf8d2624da71c200b From bbe078e06c320a4ec7ed63d40bdee5ebb91fb885 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 20 Jan 2011 12:37:38 -0600 Subject: [PATCH 41/71] Changed configure wrapper to create config.status --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- configure | 6 ++++++ 5 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/aux/binpac b/aux/binpac index 898cfd5ddc..fd6d44cd33 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 898cfd5ddc8cd356e4052c0bd699e51812a91e98 +Subproject commit fd6d44cd33113e9be2bfed41fb40e1a14463f4fb diff --git a/aux/bro-aux b/aux/bro-aux index d741ee2ebd..4960f96e02 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit d741ee2ebd6576d9329218bfb53941b4de5375b6 +Subproject commit 4960f96e0280a71117fde3ad93542ed87d67e7a1 diff --git a/aux/broccoli b/aux/broccoli index c745d747ec..1deee84b06 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit c745d747ec65f608bead605fc26f84ca44be21c9 +Subproject commit 1deee84b06deb2b104996c41e82942082a9dc88d diff --git a/aux/broctl b/aux/broctl index 4133635936..3ae777aa65 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 41336359365238036fd63f8bf8d2624da71c200b +Subproject commit 3ae777aa658f7c4714107b464700d1e2e60c9952 diff --git a/configure b/configure index dce70e6534..01be939a4e 100755 --- a/configure +++ b/configure @@ -2,6 +2,8 @@ # Convenience wrapper for easily viewing/setting options that # the project's CMake scripts will recognize +command="$0 $*" + # check for `cmake` command type cmake > /dev/null 2>&1 || { echo "\ @@ -217,3 +219,7 @@ if [ -n "$CMakeGenerator" ]; then else cmake $CMakeCacheEntries $sourcedir fi + +echo "# This is the command used to configure this build" > config.status +echo $command >> config.status +chmod u+x config.status From ef1650f6a2072bc686b265e1d0a5e5ec3529b80a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 20 Jan 2011 15:07:24 -0500 Subject: [PATCH 42/71] Cleaned up g++ warnings. --- src/DCE_RPC.cc | 2 +- src/PrefixTable.cc | 4 ++-- src/RemoteSerializer.cc | 26 +++++++++++++------------- src/SMB.cc | 2 +- src/cq.c | 2 +- src/dce_rpc.pac | 4 ++-- src/patricia.c | 2 +- 7 files changed, 21 insertions(+), 21 deletions(-) 
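Review bot: The command recorded in config.status is captured with `command="$0 $*"` and written back with an unquoted `echo $command`, so an argument containing spaces or shell metacharacters is flattened on capture and then word-split and glob-expanded again on output, and the file is made executable with `chmod u+x` without an interpreter line. Building `command` from `"$@"` with each argument wrapped in single quotes, writing it with `printf '%s\n' "$command" >> config.status`, and starting the file with `#!/bin/sh` would keep the recorded invocation re-runnable. The second hunk's lines sit at the end of the script, outside any function.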
diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc index fe163f2632..62f7806c51 100644 --- a/src/DCE_RPC.cc +++ b/src/DCE_RPC.cc @@ -82,7 +82,7 @@ UUID::UUID(const char* str) } if ( i != 16 ) - internal_error(fmt("invalid UUID string: %s", str)); + internal_error("invalid UUID string: %s", str); } typedef map uuid_map_t; diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc index e654b8440e..b3313c82e5 100644 --- a/src/PrefixTable.cc +++ b/src/PrefixTable.cc @@ -99,8 +99,8 @@ void* PrefixTable::Lookup(const Val* value, bool exact) const break; default: - internal_error(fmt("Wrong index type %d for PrefixTable", - value->Type()->Tag())); + internal_error("Wrong index type %d for PrefixTable", + value->Type()->Tag()); return 0; } } diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index a9329cc9cb..6709ea0456 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -1505,13 +1505,13 @@ bool RemoteSerializer::DoMessage() { // We shut the connection to this peer down, // so we ignore all further messages. - DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%d", + DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%llu", msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); return true; } - DEBUG_COMM(fmt("parent: %s from child; peer is #%d", + DEBUG_COMM(fmt("parent: %s from child; peer is #%llu", msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); @@ -2610,7 +2610,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer) bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len) { - DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str)); + DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), str)); if ( ! child_pid ) return false; 
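Review bot: The same peer id is printed three different ways across this file's hunks: `%llu` for `current_peer->id` in the two DoMessage lines here, and `%d` with a `(uint32_t)` cast in SendToChild plus `(uint)` casts in the SocketComm hunks that follow. The casts silence the compiler but truncate the value and still pair an unsigned integer with `%d`; if `id` is wider than 32 bits, as the `%llu` form suggests, the debug log can show a truncated id that does not match the one logged elsewhere. One convention, for example `%llu` with an explicit `(unsigned long long)` cast, should be used at every DEBUG_COMM site. DoMessage and SendToChild both begin outside their hunks.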
@@ -2635,7 +2635,7 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap, nargs); DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)", - msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap))); + msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -2715,7 +2715,7 @@ void RemoteSerializer::InternalCommError(const char* msg) #ifdef DEBUG_COMMUNICATION DumpDebugData(); #else - internal_error(msg); + internal_error(msg, ""); #endif } @@ -3065,7 +3065,7 @@ bool SocketComm::ProcessParentMessage() } default: - internal_error(fmt("unknown msg type %d", parent_msgtype)); + internal_error("unknown msg type %d", parent_msgtype); return true; } @@ -3235,7 +3235,7 @@ bool SocketComm::ForwardChunkToPeer() { #ifdef DEBUG if ( parent_peer ) - DEBUG_COMM(fmt("child: not connected to #%d", parent_id)); + DEBUG_COMM(fmt("child: not connected to #%d", (uint) parent_id)); #endif } @@ -3319,7 +3319,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) CMsg* msg = (CMsg*) c->data; DEBUG_COMM(fmt("child: %s from peer #%d", - msgToStr(msg->Type()), peer->id)); + msgToStr(msg->Type()), (uint) peer->id)); switch ( msg->Type() ) { case MSG_PHASE_DONE: @@ -3795,7 +3795,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len) #ifdef DEBUG // str may already by constructed with fmt() const char* tmp = copy_string(str); - DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp)); + DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), tmp)); delete [] tmp; #endif if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE, 
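Review bot: `internal_error(msg, "");` in InternalCommError passes a runtime string as the format argument of what the other hunks in this commit show is now a printf-style API (`internal_error("invalid UUID string: %s", str)`), so any `%` sequence inside `msg` would be interpreted as a conversion specifier. The Sessions.cc change later in this series uses the correct form, `internal_error("%s", msg);`, and this call should match it. Whether `msg` can ever carry externally influenced text is not visible here, but treating it as data rather than as a format string removes the question. InternalCommError's body is only partly inside the hunk.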
@@ -3814,7 +3814,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap,nargs); - DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap))); + DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3850,7 +3850,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len) #ifdef DEBUG // str may already by constructed with fmt() const char* tmp = copy_string(str); - DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), peer->id, tmp)); + DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), (uint) peer->id, tmp)); delete [] tmp; #endif @@ -3870,7 +3870,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) #ifdef DEBUG va_start(ap,nargs); DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", - msgToStr(type), peer->id, fmt_uint32s(nargs, ap))); + msgToStr(type), (uint) peer->id, fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3890,7 +3890,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c) { - DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, peer->id)); + DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, (uint) peer->id)); if ( ! sendToIO(peer->io, c) ) { Error(fmt("child: write error %s", io->Error()), peer); diff --git a/src/SMB.cc b/src/SMB.cc index 7ee6986d3d..a950302090 100644 --- a/src/SMB.cc +++ b/src/SMB.cc 
@@ -166,7 +166,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data) const u_char* tmp = data_start + next; if ( data_start + next < data + body.length() ) { - Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %d", next, data + body.length() - data_start)); + Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %ld", next, data + body.length() - data_start)); break; } diff --git a/src/cq.c b/src/cq.c index 63e4275369..5263fb17b1 100644 --- a/src/cq.c +++ b/src/cq.c @@ -570,7 +570,7 @@ cq_debugbucket(register struct cq_handle *hp, bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri); if (bp2 != buckets) { fprintf(stderr, - "%f in wrong bucket! (off by %d)\n", + "%f in wrong bucket! (off by %ld)\n", bp->pri, bp2 - buckets); cq_dump(hp); abort(); diff --git a/src/dce_rpc.pac b/src/dce_rpc.pac index 0aa689b532..58c2250c26 100644 --- a/src/dce_rpc.pac +++ b/src/dce_rpc.pac @@ -8,5 +8,5 @@ analyzer DCE_RPC withcontext { flow: DCE_RPC_Flow; }; -%include "dce_rpc-protocol.pac" -%include "dce_rpc-analyzer.pac" +%include dce_rpc-protocol.pac +%include dce_rpc-analyzer.pac diff --git a/src/patricia.c b/src/patricia.c index c9d271803c..8e40cb5ef6 100644 --- a/src/patricia.c +++ b/src/patricia.c @@ -1027,7 +1027,7 @@ lookup_then_remove (patricia_tree_t *tree, char *string) { patricia_node_t *node; - if (node = try_search_exact (tree, string)) + if ( (node = try_search_exact(tree, string)) ) patricia_remove (tree, node); } From b7b29c6f92bd5ffa5ba4053e7fa9041ec8840d6c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 20 Jan 2011 15:08:54 -0500 Subject: [PATCH 43/71] Added line to expect shift/reduce errors in parse.in This is the resolution that Gregor brought up in December, 2010 on the bro-dev list. --- src/parse.y | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/parse.y b/src/parse.y index b0bb39f0ea..1eed09cbf1 100644 --- a/src/parse.y +++ b/src/parse.y 
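Review bot: `%ld` in the SMB.cc Weird() message is paired with `data + body.length() - data_start`, a pointer difference of type `ptrdiff_t`, and the cq.c hunk does the same with `bp2 - buckets`; that only matches on targets where `long` happens to be the same width as `ptrdiff_t`. The portable spelling is `%td`, or an explicit `(long)` cast on the argument if the project cannot rely on the C99 `%t` modifier. Both enclosing functions start outside their hunks.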
@@ -3,6 +3,8 @@ // See the file "COPYING" in the main distribution directory for copyright. %} +%expect 71 + %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF %token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST From fbf7d5ccc0c6566e6a195b400bbe99548dca49cf Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 20 Jan 2011 15:10:31 -0500 Subject: [PATCH 44/71] Cleaned up the output from running binpac. Added an extra dependency to the dce_rpc pac files and running binpac with the -q (quiet) flag which requires changes to binpac which will be committed soon. --- src/CMakeLists.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 81ed0d81af..927f5e660b 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -160,7 +160,7 @@ macro(BINPAC_TARGET pacFile) add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.h ${CMAKE_CURRENT_BINARY_DIR}/${basename}_pac.cc COMMAND ${BinPAC_EXE} - ARGS -d ${CMAKE_CURRENT_BINARY_DIR} + ARGS -q -d ${CMAKE_CURRENT_BINARY_DIR} -I ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/${pacFile} DEPENDS ${BinPAC_EXE} ${pacFile} @@ -177,9 +177,9 @@ binpac_target(binpac_bro-lib.pac) binpac_target(bittorrent.pac bittorrent-protocol.pac bittorrent-analyzer.pac) binpac_target(dce_rpc.pac - dce_rpc-protocol.pac dce_rpc-analyzer.pac) + dce_rpc-protocol.pac dce_rpc-analyzer.pac epmapper.pac) binpac_target(dce_rpc_simple.pac - dce_rpc-protocol.pac) + dce_rpc-protocol.pac epmapper.pac) binpac_target(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) binpac_target(dns.pac From 05f27c54418e33817ce92fd80b808a7f5a5e07fc Mon Sep 17 00:00:00 2001 
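Review bot: `%expect 71` pins the grammar's shift/reduce conflict count without recording where the conflicts come from, so the next grammar edit that changes the number fails with no hint whether the new conflict is an expected one or a regression. A comment above the directive naming the constructs responsible would make the number maintainable, e.g. `/* Known shift/reduce conflicts; update the count only after confirming a new one is benign. See the Dec 2010 bro-dev discussion. */`.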
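Review bot: `-q` is added to the binpac invocation unconditionally, and the commit message says the flag depends on binpac changes not yet committed, so a tree configured against an older BinPAC (the `--with-binpac` path a later commit in this series fixes) fails at build time with an unknown-option error rather than at configure time. A version or capability check on `${BinPAC_EXE}` in the macro, or a minimum version in the find call, would turn that into a clear configure-time message. The `BINPAC_TARGET` macro begins outside the hunk.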
From: Seth Hall Date: Thu, 20 Jan 2011 16:30:16 -0500 Subject: [PATCH 45/71] Fixed a small problem in the remote serialization code. This is from ticket #86. It needs verified, but everything seemed to work the same (except for the bug!) with the change. --- src/RemoteSerializer.cc | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index a9329cc9cb..51add7c3df 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -823,14 +823,9 @@ bool RemoteSerializer::SendCall(SerialInfo* info, PeerID id, if ( ! peer ) return false; - // Do not send events back to originating peer. - if ( current_peer == peer ) - return true; - return SendCall(info, peer, name, vl); } - bool RemoteSerializer::SendCall(SerialInfo* info, Peer* peer, const char* name, val_list* vl) { @@ -1841,10 +1836,9 @@ bool RemoteSerializer::EnterPhaseRunning(Peer* peer) if ( in_sync == peer ) in_sync = 0; - current_peer->phase = Peer::RUNNING; + peer->phase = Peer::RUNNING; Log(LogInfo, "phase: running", peer); - - RaiseEvent(remote_connection_handshake_done, current_peer); + RaiseEvent(remote_connection_handshake_done, peer); if ( remote_trace_sync_interval ) { @@ -2008,12 +2002,11 @@ bool RemoteSerializer::HandshakeDone(Peer* peer) return false; #endif - if ( ! (current_peer->caps & Peer::PID_64BIT) ) - Log(LogInfo, "peer does not support 64bit PIDs; using compatibility mode", current_peer); + if ( ! (peer->caps & Peer::PID_64BIT) ) + Log(LogInfo, "peer does not support 64bit PIDs; using compatibility mode", peer); - if ( (current_peer->caps & Peer::NEW_CACHE_STRATEGY) ) - Log(LogInfo, "peer supports keep-in-cache; using that", - current_peer); + if ( (peer->caps & Peer::NEW_CACHE_STRATEGY) ) + Log(LogInfo, "peer supports keep-in-cache; using that", peer); if ( peer->sync_requested != Peer::NONE ) { 
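Review bot: The first hunk deletes the `if ( current_peer == peer ) return true;` guard in SendCall, which was the only visible place that kept an event from being sent back to the peer it arrived from, whereas the other two hunks only replace `current_peer` with the `peer` argument. If the guard was removed because it compared the wrong peer, a fix consistent with the rest of this commit would keep the check and compare against the intended peer; if loop prevention now happens elsewhere, a comment at the call site saying so would stop a reader from re-adding it. The commit description itself says the change still needs verification, so a test that injects an event from one peer and checks it is not echoed back to that peer would settle it. All three enclosing functions begin outside their hunks.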
@@ -2030,7 +2023,7 @@ bool RemoteSerializer::HandshakeDone(Peer* peer) { Log(LogError, "misconfiguration: authoritative state on both sides", current_peer); - CloseConnection(current_peer); + CloseConnection(peer); return false; } From 9cea6c5b0118654bf6c9507780fc7a5f9446f2fa Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 19 Jan 2011 21:34:12 -0800 Subject: [PATCH 46/71] Some small tweaks to the HTTP analyzer. From ticket #339. --- CHANGES | 5 +++++ VERSION | 2 +- policy/http-header.bro | 2 ++ src/HTTP.cc | 46 ++++++++++++++++++++++++++++++++++++++---- src/bro.bif | 13 ++++++++---- 5 files changed, 59 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index ec9e145188..f055e2dd58 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +1.6-dev.27 Thu Jan 20 13:52:25 PST 2011 + + * Fine-tuning of the HTTP analyzer in terms of raising protocol + violations and interrupted transfers. (Gregor Maier) + 1.6-dev.21 Wed Jan 19 17:36:02 PST 2011 * Added 4 new BiFs and a new record type for testing the entropy diff --git a/VERSION b/VERSION index 1d53112687..bd5814e634 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.6-dev.21 +1.6-dev.27 diff --git a/policy/http-header.bro b/policy/http-header.bro index 3d676488ff..259031b024 100644 --- a/policy/http-header.bro +++ b/policy/http-header.bro @@ -2,6 +2,8 @@ # Prints out detailed HTTP headers. +@load http + module HTTP; export { diff --git a/src/HTTP.cc b/src/HTTP.cc index 0cccf75103..a8f4481216 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -16,16 +16,20 @@ const bool DEBUG_http = false; +// The EXPECT_*_NOTHING states are used to prevent further parsing. Used if a +// message was interrupted. enum { EXPECT_REQUEST_LINE, EXPECT_REQUEST_MESSAGE, EXPECT_REQUEST_TRAILER, + EXPECT_REQUEST_NOTHING, }; enum { EXPECT_REPLY_LINE, EXPECT_REPLY_MESSAGE, EXPECT_REPLY_TRAILER, + EXPECT_REPLY_NOTHING, }; HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body) 
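Review bot: `CloseConnection(peer)` now closes the peer passed to HandshakeDone, but the `Log(LogError, "misconfiguration: authoritative state on both sides", current_peer);` context line just above still reports `current_peer`, so the log entry and the closed connection can name different peers — the same mismatch the rest of this commit fixes. The Log call should use `peer` as well: `Log(LogError, "misconfiguration: authoritative state on both sides", peer);`. HandshakeDone begins outside the hunk.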
@@ -851,7 +855,23 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) HTTP_Event("crud_trailing_HTTP_request", new_string_val(line, end_of_line)); else - ProtocolViolation("not a http request line"); + { + // We do see HTTP requests with a + // trailing EOL that's not accounted + // for by the content-length. This + // will lead to a call to this method + // with len==0 while we are expecting + // a new request. Since HTTP servers + // handle such requests gracefully, + // we should do so as well. + if ( len == 0 ) + Weird("empty_http_request"); + else + { + ProtocolViolation("not a http request line"); + request_state = EXPECT_REQUEST_NOTHING; + } + } } break; @@ -861,6 +881,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) case EXPECT_REQUEST_TRAILER: break; + + case EXPECT_REQUEST_NOTHING: + break; } } else @@ -873,6 +896,8 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) if ( unanswered_requests.empty() ) Weird("unmatched_HTTP_reply"); + else + ProtocolConfirmation(); reply_state = EXPECT_REPLY_MESSAGE; reply_ongoing = 1; @@ -884,8 +909,11 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) ExpectReplyMessageBody(), len); } - else + else + { ProtocolViolation("not a http reply line"); + reply_state = EXPECT_REPLY_NOTHING; + } break; @@ -895,6 +923,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) case EXPECT_REPLY_TRAILER: break; + + case EXPECT_REPLY_NOTHING: + break; } } } @@ -1042,6 +1073,7 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line) // HTTP methods for distributed authoring. "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT", "COPY", "MOVE", "LOCK", "UNLOCK", + "POLL", "REPORT", "SUBSCRIBE", "BMOVE", "SEARCH", 
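Review bot: `request_state = EXPECT_REQUEST_NOTHING;` after `ProtocolViolation("not a http request line")` moves the request side into a state that the new `case EXPECT_REQUEST_NOTHING: break;` never leaves inside DeliverStream, so later originator data on the connection is dropped with no further events; the reply side gets the same treatment in the later hunk. That is a defensible choice after a violation, but from the script layer it is indistinguishable from the connection going quiet, and the only documentation is the enum comment at the top of the file. A comment at the assignment, `// Stop parsing requests on this connection; see EXPECT_REQUEST_NOTHING.`, would make the intent visible at the point it happens, and the enum comment could say whether RequestMade()/ReplyMade() are expected to reset the state. DeliverStream begins outside the hunk.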
@@ -1256,7 +1288,10 @@ void HTTP_Analyzer::RequestMade(const int interrupted, const char* msg) num_request_lines = 0; - request_state = EXPECT_REQUEST_LINE; + if ( interrupted ) + request_state = EXPECT_REQUEST_NOTHING; + else + request_state = EXPECT_REQUEST_LINE; } void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) @@ -1285,7 +1320,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) reply_reason_phrase = 0; } - reply_state = EXPECT_REPLY_LINE; + if ( interrupted ) + reply_state = EXPECT_REPLY_NOTHING; + else + reply_state = EXPECT_REPLY_LINE; } void HTTP_Analyzer::RequestClash(Val* /* clash_val */) diff --git a/src/bro.bif b/src/bro.bif index 585c458184..1daa2e5b68 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1365,12 +1365,17 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any { Analyzer* ha = c->FindAnalyzer(id); - if ( ha->GetTag() == AnalyzerTag::HTTP ) - static_cast(ha)->SkipEntityData(is_orig); + if ( ha ) + { + if ( ha->GetTag() == AnalyzerTag::HTTP ) + static_cast(ha)->SkipEntityData(is_orig); + else + run_time("non-HTTP analyzer associated with connection record"); + } else - run_time("non-HTTP analyzer associated with connection record"); - } + run_time("could not find analyzer for skip_http_entity_data"); + } else run_time("no analyzer associated with connection record"); From 5035a4346ac6277e7a357ea1d7c561f427e0a46c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 20 Jan 2011 13:57:04 -0800 Subject: [PATCH 47/71] Fixing inconsistent CHANGES layout. --- CHANGES | 73 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 38 insertions(+), 35 deletions(-) diff --git a/CHANGES b/CHANGES index f055e2dd58..1afd3e69ad 100644 --- a/CHANGES +++ b/CHANGES 
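Review bot: In the bro.bif hunk the added null check is the right fix, but the resulting `if ( ha ) { if ( ... ) ... else run_time(...); } else run_time(...);` nesting is three levels deep for a flat three-way diagnosis. A guard-style chain keeps each message next to its condition: `if ( ! ha ) run_time("could not find analyzer for skip_http_entity_data"); else if ( ha->GetTag() != AnalyzerTag::HTTP ) run_time("non-HTTP analyzer associated with connection record"); else static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);`. The function starts outside the hunk, so the outer `else run_time("no analyzer ...")` branch's condition is not visible here.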
@@ -1,57 +1,59 @@ 1.6-dev.27 Thu Jan 20 13:52:25 PST 2011 - * Fine-tuning of the HTTP analyzer in terms of raising protocol - violations and interrupted transfers. (Gregor Maier) +- Fine-tuning of the HTTP analyzer in terms of raising protocol + violations and interrupted transfers. (Gregor Maier) + 1.6-dev.21 Wed Jan 19 17:36:02 PST 2011 - * Added 4 new BiFs and a new record type for testing the entropy - of strings. (Seth Hall) +- Added 4 new BiFs and a new record type for testing the entropy of + strings. (Seth Hall) - find_entropy(data: string): entropy_test_result - This is a one shot function that accepts a string - and returns the result of the entropy calculations. + find_entropy(data: string): entropy_test_result + This is a one shot function that accepts a string and + returns the result of the entropy calculations. - entropy_test_init(index: any): bool - This and the next two functions are for calculating - entropy piece-wise. It only needs an index which can - be any type of variable. It needs to be something - that uniquely identifies the data stream that is - currently having it's entropy calculated. + entropy_test_init(index: any): bool + This and the next two functions are for calculating entropy + piece-wise. It only needs an index which can be any type of + variable. It needs to be something that uniquely identifies + the data stream that is currently having it's entropy + calculated. - entropy_test_add(index: any, data: string): bool - This function is used to add data into the entropy - calculation. It takes the index used in the function - above and the data that you are adding and returns - true if everything seemed to work, false otherwise. + entropy_test_add(index: any, data: string): bool + This function is used to add data into the entropy + calculation. It takes the index used in the function above + and the data that you are adding and returns true if + everything seemed to work, false otherwise. 
- entropy_test_finish(index: any): entropy_test_result - Calling this function indicates that all of the - desired data has been inserted into the - entropy_test_add function and the entropy should be - calculated. This function *must* be called in order - to clean up an internal state tracking variable. If - this is never called on an index, it will result in - a memory leak. + entropy_test_finish(index: any): entropy_test_result + Calling this function indicates that all of the desired data + has been inserted into the entropy_test_add function and the + entropy should be calculated. This function *must* be called + in order to clean up an internal state tracking variable. + If this is never called on an index, it will result in a + memory leak. - The entropy_test_result values have several measures of the - entropy, but a good one to work with is the "entropy" attribute. - It's a double and as the value approaches 8.0 it can be - considered more and more random. For example, a value of 7.832 - would be quite random but a value of 4.671 is not very random. + The entropy_test_result values have several measures of the + entropy, but a good one to work with is the "entropy" attribute. + It's a double and as the value approaches 8.0 it can be considered + more and more random. For example, a value of 7.832 would be + quite random but a value of 4.671 is not very random. 1.6-dev.20 Wed Jan 19 17:30:11 PST 2011 - * BRO_DNS_FAKE is now listed in the --help output. (Seth Hall) +- BRO_DNS_FAKE is now listed in the --help output. (Seth Hall) + 1.6-dev.18 Wed Jan 19 16:37:13 PST 2011 - * Removing unnecessary expire timer from http_sessions. (Gregor - Maier) +- Removing unnecessary expire timer from http_sessions. (Gregor + Maier) + 1.6-dev.16 Sat Jan 15 14:14:21 PST 2011 -- Updates to the build system (Jonathan Siwek) +- Updates to the build system. 
(Jonathan Siwek) * ``make dist`` is now available to be used with the top-level Makefile for creating source packages according to #344. @@ -72,6 +74,7 @@ configured/built now works (although, a harmless error message about not being able to write the install manifest may occur). + 1.6-dev.3 Wed Dec 8 04:09:38 PST 2010 - Merge with Subversion repository as of r7137. Incorporated change: From 668824d1b608079e629c755c917b594395e71187 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 20 Jan 2011 14:36:07 -0800 Subject: [PATCH 48/71] A few smaller tweaks. --- src/strings.bif | 46 ++++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 2e499ca0c4..76e4200b79 100644 --- a/src/strings.bif +++ b/src/strings.bif @@ -140,7 +140,7 @@ function edit%(arg_s: string, arg_edit_char: string%): string %{ if ( arg_edit_char->Len() != 1 ) builtin_run_time("not exactly one edit character", @ARG@[1]); - + const u_char* s = arg_s->Bytes(); const u_char* edit_s = arg_edit_char->Bytes(); @@ -150,7 +150,7 @@ function edit%(arg_s: string, arg_edit_char: string%): string u_char* new_s = new u_char[n+1]; int ind = 0; - for ( int i=0; i 0 ) { @@ -217,13 +217,13 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, // Find next match offset. int end_of_match; while ( n > 0 && - (end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 ) + (end_of_match = re->MatchPrefix(s + offset, n)) <= 0 ) { // Move on to next byte. ++offset; --n; } - + Val* ind = new Val(++num, TYPE_COUNT); a->Assign(ind, new StringVal(offset, (const char*) s)); Unref(ind); 
@@ -238,19 +238,17 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset)); Unref(ind); } - + if ( max_num_sep && num_sep >= max_num_sep ) break; - + ++num_sep; - + n -= end_of_match; s += offset; - + if ( s > end_of_s ) - { internal_error("RegMatch in split goes beyond the string"); - } } if ( other_strings ) @@ -463,7 +461,7 @@ function to_lower%(str: string%): string char* lower_s = new char[n]; char* ls = lower_s; - for (int i=0; iLen(); char* upper_s = new char[n]; char* us = upper_s; - - for (int i=0; i sp && isspace(*e) ) --e; - // Move the pointer for the beginning of the string - while ( isspace(*sp) ) + // Move the pointer for the beginning of the string. + while ( isspace(*sp) && sp <= e ) ++sp; - return new StringVal(new BroString(sp, e-sp+1, 1)); + if ( sp > e ) + return new StringVal(new BroString()); + else + return new StringVal(new BroString(sp, (e - sp + 1), 1)); %} function string_fill%(len: int, source: string%): string @@ -622,12 +624,12 @@ function string_fill%(len: int, source: string%): string # function str_shell_escape%(source: string%): string %{ - uint j = 0; + unsigned j = 0; const u_char* src = source->Bytes(); - uint n = source->Len(); + unsigned n = source->Len(); byte_vec dst = new u_char[n * 2 + 1]; - for ( uint i = 0; i < n; ++i ) + for ( unsigned i = 0; i < n; ++i ) { switch ( src[i] ) { case '`': case '"': case '\\': case '$': From 0fe30453cf9dfe92bafb2b8c993ef540a8468a1f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 21 Jan 2011 20:59:51 -0500 Subject: [PATCH 49/71] Removing some apparently unnecessary lines. --- src/strings.bif | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 76e4200b79..77ac90ddd4 100644 --- a/src/strings.bif +++ b/src/strings.bif 
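Review bot: In the strip hunk, `while ( isspace(*sp) && sp <= e )` dereferences `sp` before the bounds test, so for a zero-length input (where `e` would already be before `sp`) the first iteration reads one byte past the string before `sp <= e` can stop it; the operands should be swapped, `while ( sp <= e && isspace(*sp) )`. The trailing-whitespace loop just above, `e > sp && isspace(*e)`, has the test in the correct order. If `sp` is a plain `char*`, `isspace` also needs an `(unsigned char)` cast to avoid undefined behavior on bytes with the high bit set. strip's body begins outside the hunk, and its hunk header was lost in this rendering, so the exact line is approximate.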
@@ -598,10 +598,7 @@ function strip%(str: string%): string while ( isspace(*sp) && sp <= e ) ++sp; - if ( sp > e ) - return new StringVal(new BroString()); - else - return new StringVal(new BroString(sp, (e - sp + 1), 1)); + return new StringVal(new BroString(sp, (e - sp + 1), 1)); %} function string_fill%(len: int, source: string%): string From 4da36217b78125d4d21d0869467a2302784ecd49 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 24 Jan 2011 11:02:16 -0600 Subject: [PATCH 50/71] Fix for the --with-binpac configure option Compiling from existing sources no longer overrides this option. --- CMakeLists.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 005c5aec15..e048305c8d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -77,7 +77,8 @@ FindRequiredPackage(PCAP) FindRequiredPackage(OpenSSL) FindRequiredPackage(BIND) -if (EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt) +if (NOT BinPAC_ROOT_DIR AND + EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt) add_subdirectory(aux/binpac) endif () FindRequiredPackage(BinPAC) From 4817f7de4ec9af3b8b9cd2780c47ee4567bee3fb Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 24 Jan 2011 11:26:29 -0600 Subject: [PATCH 51/71] Configure wrapper now deletes previous CMake cache --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- configure | 18 +++--------------- 5 files changed, 7 insertions(+), 19 deletions(-) diff --git a/aux/binpac b/aux/binpac index be0147ae8d..668bfa1832 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit be0147ae8df149206408f669ea233931e8889718 +Subproject commit 668bfa183250c14056e5e7790f07f4cb2b06d275 diff --git a/aux/bro-aux b/aux/bro-aux index e6fa79f8c6..fd60602c87 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit e6fa79f8c6584476c6a50118990e9e69be41823b +Subproject commit fd60602c87503124a0e1f1f886ebb9730835fd5c 
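Review bot: Removing the `if ( sp > e )` branch means an all-whitespace input now reaches `new BroString(sp, (e - sp + 1), 1)` with a length of 0 (after the two loops `sp` ends one past `e`), and a zero-length input arrives the same way; whether that is safe depends on BroString accepting a zero-length copy, which is not visible here. If it does, a one-line comment, `// Length is 0 for empty or all-whitespace input; BroString handles that.`, would record why the guard is gone; if it does not, the guard should come back. strip begins outside the hunk.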
diff --git a/aux/broccoli b/aux/broccoli index 05a35440b0..c3f2610730 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 05a35440b0369e5e5e74731300ceddbe78cd53e4 +Subproject commit c3f26107302e6bcfc45c5681eb9d69b48fad7b62 diff --git a/aux/broctl b/aux/broctl index 818bc09e35..5173da3952 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 818bc09e35691f3d5c6de56481dac79d5b87db75 +Subproject commit 5173da39523f6db4a087cc60d04f4fd6765f4e15 diff --git a/configure b/configure index 01be939a4e..cc18423584 100755 --- a/configure +++ b/configure @@ -189,21 +189,9 @@ done if [ -d $builddir ]; then # If build directory exists, check if it has a CMake cache if [ -f $builddir/CMakeCache.txt ]; then - # If the Cmake cache exists, then check that it thinks - # the source tree exists where it's currently located - cmakehomedir=`grep CMAKE_HOME_DIRECTORY $builddir/CMakeCache.txt | \ - sed 's/CMAKE_HOME_DIRECTORY:INTERNAL=//g'` - if [ "$cmakehomedir" != "$sourcedir" ]; then - # The source tree moved since the build was last configured - echo "\ -The source tree has been moved from: - $cmakehomedir -to: - $sourcedir -To reconfigure in the new source directory, please delete: - $builddir/CMakeCache.txt" >&2 - exit 1 - fi + # If the CMake cache exists, delete it so that this configuration + # is not tainted by a previous one + rm -f $builddir/CMakeCache.txt fi else # Create build directory From 64182833717f803e9f45c0f9d050a9732caf92e8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 24 Jan 2011 13:43:49 -0500 Subject: [PATCH 52/71] Two more small compile time error fixes. --- src/Sessions.cc | 2 +- src/main.cc | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index fd443d4dcc..ffa5cd22f5 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
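Review bot: `rm -f $builddir/CMakeCache.txt` leaves `$builddir` unquoted, so a build directory path containing spaces is split into several arguments and the wrong path (or nothing) is removed; `rm -f "$builddir/CMakeCache.txt"` is the safe form. The surrounding script already uses the unquoted style (`[ -d $builddir ]`, `[ -f $builddir/CMakeCache.txt ]`), so this is an existing convention rather than a regression, but a line that deletes files is the place to start quoting. The hunk also drops the moved-source-tree detection; a short comment noting that deleting the cache makes the stale `CMAKE_HOME_DIRECTORY` check unnecessary would explain that removal to a later reader.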
@@ -1354,7 +1354,7 @@ void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr, const u_char* pkt) { DumpPacket(hdr, pkt); - internal_error(msg); + internal_error("%s", msg); } void NetSessions::Weird(const char* name, diff --git a/src/main.cc b/src/main.cc index 82866302fd..a8f283dcbc 100644 --- a/src/main.cc +++ b/src/main.cc @@ -8,6 +8,7 @@ #include #include #include +#include #ifdef HAVE_GETOPT_H #include #endif @@ -421,7 +422,7 @@ int main(int argc, char** argv) prog = argv[0]; - prefixes.append(""); // "" = "no prefix" + prefixes.append(strdup("")); // "" = "no prefix" char* p = getenv("BRO_PREFIXES"); if ( p ) From 2bf7461d9c4d18715cf7740e9ff54f5ba70005cf Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 24 Jan 2011 15:21:39 -0800 Subject: [PATCH 53/71] Updating submodule(s). --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aux/binpac b/aux/binpac index 668bfa1832..1cdccf62f5 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 668bfa183250c14056e5e7790f07f4cb2b06d275 +Subproject commit 1cdccf62f55369f278ddd392804ade580116a47b diff --git a/aux/bro-aux b/aux/bro-aux index fd60602c87..89476012d9 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit fd60602c87503124a0e1f1f886ebb9730835fd5c +Subproject commit 89476012d96039a9ed415993b2f6f7601436cda2 diff --git a/aux/broccoli b/aux/broccoli index c3f2610730..9ad8f64aec 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit c3f26107302e6bcfc45c5681eb9d69b48fad7b62 +Subproject commit 9ad8f64aecbb3320eaee087a867b5742ccfdafa1 diff --git a/aux/broctl b/aux/broctl index 5173da3952..43bdb0fbf1 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 5173da39523f6db4a087cc60d04f4fd6765f4e15 +Subproject commit 43bdb0fbf1a0a55fa7a862d19c471c279df62a73 From 8974265d39cb59887ff8efa738aa01274d2c147a Mon Sep 17 00:00:00 2001 
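Review bot: The reason for `prefixes.append(strdup(""))` is not recorded: the change from a string literal to a heap copy implies `prefixes` owns and later frees its elements, but nothing at the call site says so, and the next reader is likely to revert it as a leak. A comment on the line, `// prefixes owns its entries and frees them later; a literal here would be freed`, documents the contract; if that inference is wrong the comment should say what the real reason is. `strdup` can return NULL on allocation failure, which this line does not check, though the same is presumably true of the `BRO_PREFIXES` parsing that follows outside the hunk.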
From: Robin Sommer Date: Mon, 24 Jan 2011 15:28:46 -0800 Subject: [PATCH 54/71] Fixing bug in SMB analyzer. --- CHANGES | 8 ++++++++ VERSION | 2 +- src/SMB.cc | 4 ++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 25c5a760dd..e04fcc6eb7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,11 @@ +1.6-dev.33 Mon Jan 24 15:29:04 PST 2011 + +- Fixing bug in SMB analyzer. (Robin Sommer) + +- Configure wrapper now deletes previous CMake cache (Jon Siwek) + +- Fix for the --with-binpac configure option. (Jon Siwek) + 1.6-dev.30 Thu Jan 20 16:32:43 PST 2011 - Changed configure wrapper to create config.status. (Jon Siwek) diff --git a/VERSION b/VERSION index 2dd8fb7891..add8d15215 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.6-dev.30 +1.6-dev.33 diff --git a/src/SMB.cc b/src/SMB.cc index 7ee6986d3d..db4d4608b2 100644 --- a/src/SMB.cc +++ b/src/SMB.cc @@ -480,8 +480,8 @@ int SMB_Session::ParseTreeConnectAndx(binpac::SMB::SMB_header const& hdr, r->Assign(0, new Val(req.flags(), TYPE_COUNT)); r->Assign(1, new StringVal(req.password_length(), (const char*) req.password())); - r->Assign(3, new StringVal(path)); - r->Assign(4, new StringVal(service)); + r->Assign(2, new StringVal(path)); + r->Assign(3, new StringVal(service)); if ( strstr_n(norm_path->Len(), norm_path->Bytes(), 5, (const u_char*) "\\IPC$") != -1 ) From 91d7c48ced18b3a5a3a7998d3ea57bf2c4e392a8 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 25 Jan 2011 17:58:09 -0800 Subject: [PATCH 55/71] Updating submodule(s). --- aux/binpac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/binpac b/aux/binpac index 1cdccf62f5..7d4c82121c 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 1cdccf62f55369f278ddd392804ade580116a47b +Subproject commit 7d4c82121c09ab8d978adbe404bb633ede72820f From a19391b94b437ad85e1bcffcb2fd582daae081bf Mon Sep 17 00:00:00 2001 
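Review bot: The corrected `r->Assign(2, ...)` / `r->Assign(3, ...)` are bare indices into a record whose field layout is declared elsewhere, which is exactly how 3/4 slipped in unnoticed; a comment at the call site listing the fields in the order the record declares them, or a check of the record type's field count, would catch the next drift. Field 1 copies the raw share password bytes from the request into the record handed to script-land, so it reaches logs unless a script filters it — worth a one-line note that it is secret material. ParseTreeConnectAndx continues outside the hunk.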
From: Jon Siwek Date: Thu, 27 Jan 2011 11:33:20 -0600 Subject: [PATCH 56/71] Fix typo in PCAPTests.cmake With this correction, the configure tests should now be pulling in the correct user-specified libpcap headers --- cmake/PCAPTests.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake/PCAPTests.cmake b/cmake/PCAPTests.cmake index 83f79dec53..1b62d3ab57 100644 --- a/cmake/PCAPTests.cmake +++ b/cmake/PCAPTests.cmake @@ -2,7 +2,7 @@ include(CheckFunctionExists) include(CheckCSourceCompiles) include(CheckIncludeFiles) -set(CMAKE_REQUIRED_INCLUDES ${LIBPCAP_INCLUDE_DIR}) +set(CMAKE_REQUIRED_INCLUDES ${PCAP_INCLUDE_DIR}) set(CMAKE_REQUIRED_LIBRARIES ${PCAP_LIBRARY}) check_include_files(pcap-int.h HAVE_PCAP_INT_H) From da3fb85e5c2f795baac1663d9d06cb8d8b385ec1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 28 Jan 2011 10:10:16 -0600 Subject: [PATCH 57/71] Adding more configure options for finding dependencies --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- configure | 29 +++++++++++++++++++++++++++++ 5 files changed, 33 insertions(+), 4 deletions(-) diff --git a/aux/binpac b/aux/binpac index 1cdccf62f5..b79d06a6ac 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 1cdccf62f55369f278ddd392804ade580116a47b +Subproject commit b79d06a6acf785476b9273cbacc956c2a07b8972 diff --git a/aux/bro-aux b/aux/bro-aux index 89476012d9..06feef2851 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 89476012d96039a9ed415993b2f6f7601436cda2 +Subproject commit 06feef28515a8527a7c290faecc343d341a9cc68 diff --git a/aux/broccoli b/aux/broccoli index 9ad8f64aec..b7115b8421 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 9ad8f64aecbb3320eaee087a867b5742ccfdafa1 +Subproject commit b7115b84210dcf5b04c900d7490f5dab968227c4 diff --git a/aux/broctl b/aux/broctl index 43bdb0fbf1..d10b20da82 160000 --- a/aux/broctl +++ b/aux/broctl 
@@ -1 +1 @@ -Subproject commit 43bdb0fbf1a0a55fa7a862d19c471c279df62a73 +Subproject commit d10b20da8227d0b9bc8bfecb6a044c8b470e910f diff --git a/configure b/configure index cc18423584..f1d864640d 100755 --- a/configure +++ b/configure @@ -40,11 +40,18 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-bind=PATH path to BIND install root --with-pcap=PATH path to libpcap install root --with-binpac=PATH path to BinPAC install root + --with-flex=PATH path to flex executable + --with-bison=PATH path to bison executable + --with-perl=PATH path to perl executable Optional Packages in Non-Standard Locations: --with-libmagic=PATH path to libmagic install root --with-geoip=PATH path to the libGeoIP install root --with-perftools=PATH path to Google Perftools install root + --with-python=PATH path to Python interpreter + --with-python-lib=PATH path to libpython + --with-python-inc=PATH path to Python headers + --with-swig=PATH path to SWIG executable Packaging Options (for developers): --ignore-dirs=PATHS paths to ignore when creating source package @@ -157,6 +164,15 @@ while [ $# -ne 0 ]; do --with-binpac=*) append_cache_entry BinPAC_ROOT_DIR PATH $optarg ;; + --with-flex=*) + append_cache_entry FLEX_EXECUTABLE PATH $optarg + ;; + --with-bison=*) + append_cache_entry BISON_EXECUTABLE PATH $optarg + ;; + --with-perl=*) + append_cache_entry PERL_EXECUTABLE PATH $optarg + ;; --with-libmagic=*) append_cache_entry LibMagic_ROOT_DIR PATH $optarg ;; 
@@ -166,6 +182,19 @@ while [ $# -ne 0 ]; do --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg ;; + --with-python=*) + append_cache_entry PYTHON_EXECUTABLE PATH $optarg + ;; + --with-python-lib=*) + append_cache_entry PYTHON_LIBRARY PATH $optarg + ;; + --with-python-inc=*) + append_cache_entry PYTHON_INCLUDE_DIR PATH $optarg + append_cache_entry PYTHON_INCLUDE_PATH PATH $optarg + ;; + --with-swig=*) + append_cache_entry SWIG_EXECUTABLE PATH $optarg + ;; --ignore-dirs=*) append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING $optarg ;; From c8076619ce54177def38e515c6466ebda237798f Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 28 Jan 2011 16:18:57 -0500 Subject: [PATCH 58/71] Added new TLS ciphers --- policy/bro.init | 2 +- policy/ssl-ciphers.bro | 5 ++++ src/SSLCiphers.cc | 53 ++++++++++++++++++++++++++++++++++++++++++ src/SSLCiphers.h | 11 ++++++++- 4 files changed, 69 insertions(+), 2 deletions(-) diff --git a/policy/bro.init b/policy/bro.init index 1ba8f59b4d..e8f208bb6b 100644 --- a/policy/bro.init +++ b/policy/bro.init @@ -905,7 +905,7 @@ global dns_max_queries = 5; # The maxiumum size in bytes for an SSL cipherspec. If we see a packet that # has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs. -const ssl_max_cipherspec_size = 45 &redef; +const ssl_max_cipherspec_size = 68 &redef; # SSL and X.509 types. type cipher_suites_list: set[count]; diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro index 307565eb36..3926d591cd 100644 --- a/policy/ssl-ciphers.bro +++ b/policy/ssl-ciphers.bro 
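Review bot: Each new case passes `$optarg` to `append_cache_entry` unquoted, following the existing cases, so a path with whitespace is word-split before it reaches the cache; quoting it, `append_cache_entry PYTHON_INCLUDE_DIR PATH "$optarg"`, fixes the new lines and the older ones deserve the same in a follow-up. `--with-python-inc` sets both `PYTHON_INCLUDE_DIR` and `PYTHON_INCLUDE_PATH` with no explanation; a short comment on why two names are needed (presumably different Python find modules read different variables) keeps a later cleanup from dropping one. `append_cache_entry` and the surrounding `while` loop are outside the hunk.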
@@ -223,6 +223,11 @@ const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE; const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF; const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1; const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0; +const SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80; +const SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81; +const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82; +const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83; +const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF; # Cipher specifications native to TLS can be included in Version 2.0 client diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc index 002262d853..400f7421ce 100644 --- a/src/SSLCiphers.cc +++ b/src/SSLCiphers.cc @@ -399,6 +399,48 @@ SSL_CipherSpec SSL_CipherSpecs[] = { // 128, // 160 //}, + + { SSL_RSA_WITH_RC2_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_RC2, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 56, + 160 + }, + { SSL_RSA_WITH_IDEA_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_IDEA, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 128, + 160 + }, + { SSL_RSA_WITH_DES_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_DES, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 56, + 160 + }, + { SSL_RSA_WITH_3DES_EDE_CBC_MD5, + SSL_CIPHER_TYPE_BLOCK, + SSL_FLAG_SSLv20, + SSL_CIPHER_3DES, + SSL_MAC_MD5, + SSL_KEY_EXCHANGE_RSA, + 0, + 168, + 160 + }, + // --- special SSLv3 FIPS ciphers { SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_CIPHER_TYPE_BLOCK, @@ -1023,6 +1065,17 @@ SSL_CipherSpec SSL_CipherSpecs[] = { 160 }, + { TLS_EMPTY_RENEGOTIATION_INFO_SCSV, + SSL_CIPHER_TYPE_NULL, + SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31, + SSL_CIPHER_NULL, + SSL_MAC_NULL, + SSL_KEY_EXCHANGE_NULL, + 0, + 0, + 0 + }, + }; diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h index 408a3b1567..12b3ecc0aa 100644 --- a/src/SSLCiphers.h +++ b/src/SSLCiphers.h 
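Review bot: `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` is a signalling value (RFC 5746), not a cipher suite, yet the new table entry describes it as a NULL cipher with NULL MAC and NULL key exchange valid for SSLv3 and TLS 1.0, so a server that echoes 0x00FF in its ServerHello would be recorded as having negotiated a NULL suite rather than flagged. A comment on the entry, `// RFC 5746 signalling value sent by clients; never a valid server selection`, plus a weird wherever the server-chosen suite is looked up, would keep that distinction. The four `SSL_RSA_WITH_*_MD5` entries carry the same trailing `160` as the SHA-based FIPS entries that follow; if that field is the MAC output length, MD5 produces 128 bits, and the RC2 entry's `56` key size does not match the 128-bit RC2 suite SSLv2 defines — the struct layout is outside this hunk, so both are worth checking against it.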
@@ -253,11 +253,20 @@ enum SSL3_1_CipherSpec { TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039, TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A, TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B, + // --- special SSLv3 FIPS ciphers SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF, SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1, - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFe0, + SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2 = 0xFFE0, + + // Tags for SSL 2 cipher kinds which are not specified for SSL 3. + SSL_RSA_WITH_RC2_CBC_MD5 = 0xFF80, + SSL_RSA_WITH_IDEA_CBC_MD5 = 0xFF81, + SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82, + SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83, + + TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF, }; enum SSL_CipherType { From 1ccfca09ac6f04e508de764686c40670915d732c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 28 Jan 2011 16:24:07 -0500 Subject: [PATCH 59/71] Fixes to SSL/TLS analyzer Analyzer can cope with zero length client and server certificates. It does still generate a weird though. Extended cipherspec_size weirds are not thrown anymore, they are incredibly overwhelming and should be handled completely at the scripting in my opinion. Integrated and expanded on patch Rmkml from ticket #209 that fixes problem with not parsing or expecting SSL extensions. SSL extensions still are not extracted and passed to script land, but the analyzer doesn't fail anymore. --- src/SSLProxy.cc | 2 - src/SSLv3.cc | 188 ++++++++++++++++++++++++------------------------ 2 files changed, 92 insertions(+), 98 deletions(-) diff --git a/src/SSLProxy.cc b/src/SSLProxy.cc index a0cf73b8fb..38ce3ba085 100644 --- a/src/SSLProxy.cc +++ b/src/SSLProxy.cc @@ -174,7 +174,6 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length) if ( ! computeExpectedSize(data, length) ) return false; - // Insert weird here replacing assert. if ( neededSize > expectedSize ) { sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize"); 
@@ -278,7 +277,6 @@ bool SSL_RecordBuilder::addSegment(const u_char* data, int length) { // another (middle) segment if ( length <= MIN_FRAGMENT_SIZE ) sslEndpoint->Parent()->Weird( "SSLProxy: Excessive small TCP Segment!" ); - addData(data, length); break; } diff --git a/src/SSLv3.cc b/src/SSLv3.cc index 92d18c6f26..9343b5076f 100644 --- a/src/SSLv3.cc +++ b/src/SSLv3.cc 
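Review bot: In the second hunk the removed line reads, as collapsed here, as either a deleted blank line before `addData(data, length);` or the deletion of the `addData` call itself; the hunk header says one line went, and the two cases are indistinguishable in this rendering. If it is the call that was removed, middle TCP segments are no longer appended to the record buffer and reassembly silently drops data, which the commit message does not mention; if it is only the blank line, a note in the message would spare the next reader the same check. The enclosing switch in `SSL_RecordBuilder::addSegment` continues outside the hunk.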
@@ -383,84 +383,71 @@ void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec) case SSL3_1_CERTIFICATE: { - if ( rec->length >= 3 ) + const u_char* pData = rec->data; + uint32 certListLength = + uint32((pData[4] << 16) | + pData[5] << 8) | pData[6]; + + // Sum of all cert sizes has to match + // certListLength. + uint tempLength = 0; + uint certCount = 0; + while ( tempLength < certListLength ) { - const u_char* pData = rec->data; - uint32 certListLength = - uint32((pData[4] << 16) | - pData[5] << 8) | pData[6]; - - // Size consistency checks. - if ( certListLength + 3 != uint32(rec->length) ) + if ( tempLength + 3 <= certListLength ) { - if ( rec->endp->IsOrig() ) - Weird("SSLv3x: Corrupt length field in client certificate list!"); - else - Weird("SSLv3x: Corrupt length field in server certificate list!"); - return; - } - - // Sum of all cert sizes has to match - // certListLength. - uint tempLength = 0; - uint certCount = 0; - while ( tempLength < certListLength ) - { - if ( tempLength + 3 <= certListLength ) - { - ++certCount; - uint32 certLength = - uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9]; - tempLength += certLength + 3; - } - else - { - Weird("SSLv3x: Corrupt length field in certificate list!"); - return; - } - } - - if ( tempLength > certListLength ) - { - Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain"); - return; - } - - SSL_InterpreterEndpoint* pEp = - (SSL_InterpreterEndpoint*) rec->endp; - - if ( certCount == 0 ) - { // we don't have a certificate... 
- if ( rec->endp->IsOrig() ) - { - Weird("SSLv3x: Client certificate is missing!"); - break; - } - else - { - Weird("SSLv3x: Server certificate is missing!"); - break; - } - } - - if ( certCount > 1 ) - { // we have a chain - analyzeCertificate(pEp, - rec->data + 7, - certListLength, 1, true); + ++certCount; + uint32 certLength = + uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9]; + tempLength += certLength + 3; } else { - // We have a single certificate. - // FIXME. - analyzeCertificate(pEp, - rec->data + 10, - certListLength-3, 1, false); + Weird("SSLv3x: Corrupt length field in certificate list!"); + return; } + } + if ( tempLength > certListLength ) + { + Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain"); + return; + } + + SSL_InterpreterEndpoint* pEp = + (SSL_InterpreterEndpoint*) rec->endp; + + if ( certCount == 0 ) + { + // we don't have a certificate, but this is valid + // according to RFC2246 + if ( rec->endp->IsOrig() ) + { + Weird("SSLv3x: Client certificate is missing!"); + break; + } + else + { + Weird("SSLv3x: Server certificate is missing!"); + break; + } + } + + if ( certCount > 1 ) + { // we have a chain + analyzeCertificate(pEp, + rec->data + 7, + certListLength, 1, true); } else - Weird("SSLv3x: Certificate record too small!" ); + { + // We have a single certificate. + // FIXME. + analyzeCertificate(pEp, + rec->data + 10, + certListLength-3, 1, false); + } + break; } 
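Review bot: The rewrite drops both the `rec->length >= 3` guard and the `certListLength + 3 != uint32(rec->length)` consistency check, so `certListLength`, read from `pData[4..6]`, is now an attacker-controlled 24-bit value never compared with the bytes actually present; the while loop indexes `pData[tempLength + 7..9]` and `analyzeCertificate` is handed `certListLength` bytes, both bounded only by that untrusted value, which is an out-of-bounds read on a truncated or forged Certificate message. Restore the check ahead of the loop: `if ( rec->length < 3 || certListLength + 3 != uint32(rec->length) ) { Weird("SSLv3x: Corrupt length field in certificate list!"); return; }`. An empty certificate list (body length 3, `certListLength` 0) passes that check and still reaches the `certCount == 0` branch, so the case this commit sets out to support does not need the guard gone. The surrounding switch continues outside the hunk.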
@@ -938,13 +925,15 @@ TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length, { int is_orig = (SSL_InterpreterEndpoint*) s == orig; - if ( length > ssl_max_cipherspec_size ) - { - if ( is_orig ) - Weird("SSLv3: Client has CipherSpecs > ssl_max_cipherspec_size"); - else - Weird("SSLv3: Server has CipherSpecs > ssl_max_cipherspec_size"); - } + // This probably shouldn't be a weird. This data should be passed to + // script layer and dealt with there as appropriate. + //if ( length > ssl_max_cipherspec_size ) + // { + // if ( is_orig ) + // Weird("SSLv3: Client has CipherSpecs > ssl_max_cipherspec_size"); + // else + // Weird("SSLv3: Server has CipherSpecs > ssl_max_cipherspec_size"); + // } const u_char* pCipher = data; SSL_CipherSpec* pCipherSuiteTemp = 0; @@ -1236,16 +1225,6 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len, uint16 version, SSLv3_Endpoint const* e) : SSLv3_Record(data, len, version, e) { - // Weird-check for minimum handshake length header. - if ( len < 4 ) - { - e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!"); - type = 255; - length = 0; - next = 0; - return; - } - // Don't analyze encrypted client handshake messages. if ( e->IsOrig() && ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen && @@ -1270,7 +1249,10 @@ SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len, type = uint8(*(this->data)); length = ExtractInt24(data, len, 1); - if ( length + 4 < len ) + + if ( length == 0 ) // this is a special case to deal with 0 length certs + next = 0; + else if ( length + 4 < len ) next = new SSLv3_HandshakeRecord(data + length + 4, len - (length + 4), version, e); else if ( length + 4 > len ) 
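Review bot: Removing the `len < 4` guard from the `SSLv3_HandshakeRecord` constructor leaves nothing between a 0–3 byte fragment and the `type = uint8(*(this->data));` and `length = ExtractInt24(data, len, 1);` reads further down, so a short buffer is now read past instead of reported, unless `ExtractInt24` bounds-checks on its own (its definition is outside the hunk). A zero-length certificate message still carries the 4-byte handshake header, so `len >= 4` holds for the input this commit is accommodating and the guard did not need to go; it should come back, `if ( len < 4 ) { e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!"); type = 255; length = 0; next = 0; return; }`. The rest of the constructor lies outside the hunk.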
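Review bot: `if ( length == 0 ) next = 0;` stops parsing at a zero-length handshake body, discarding any message that follows it in the same record, whereas the existing `length + 4 < len` branch already advances past the 4-byte header and would have continued. A zero-length body is also not the empty-certificate case the comment names — that message has body length 3 with a zero list length — so the special case misdescribes what it handles. If some real input produced a problem here, the comment should name it; otherwise the branch can be dropped and the original chain left to advance by 4 bytes.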
@@ -1340,7 +1322,6 @@ int SSLv3_HandshakeRecord::checkClientHello() uint16 cipherSuiteLength = uint16(data[offset] << 8) | data[offset+1]; offset += (2 + cipherSuiteLength); - if ( cipherSuiteLength < 2 ) endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!"); @@ -1352,16 +1333,14 @@ int SSLv3_HandshakeRecord::checkClientHello() uint8 compressionMethodLength = uint8(data[offset]); offset += (1 + compressionMethodLength); - if ( compressionMethodLength < 1 ) endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!"); - if ( offset != length ) + if ( offset < length ) { uint16 sslExtensionsLength = - uint16(data[offset] << 8 ) | data[offset+1]; + uint16(data[offset] << 8) | data[offset+1]; offset += 2; - if ( sslExtensionsLength < 4 ) endp->Interpreter()->Weird("SSLv3x: Extensions length too small!"); @@ -1391,16 +1370,33 @@ int SSLv3_HandshakeRecord::checkServerHello() version != SSLProxy_Analyzer::SSLv31 ) endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!"); - uint8 sessionIDLength = uint8(data[38]); + uint16 offset = 38; + uint8 sessionIDLength = uint8(data[offset]); if ( sessionIDLength > 32 ) { endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!"); return 0; } - - if ( (sessionIDLength + 45) != length ) + offset += (1 + sessionIDLength); + + offset += 3; // account for cipher and compression method + if ( offset < length ) { - endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!"); + uint16 sslExtensionsLength = + uint16(data[offset] << 8) | data[offset+1]; + offset += 2; + if ( sslExtensionsLength < 4 ) + endp->Interpreter()->Weird("SSLv3x: Extensions length too small!"); + + // TODO: extract SSL extensions here + offset += sslExtensionsLength; + + if ( offset != length+4 ) + { + endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!"); + return 0; + } + return 0; } From 7432761558547b2af1e74be558563da5dc66e523 Mon Sep 17 00:00:00 2001 
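Review bot: In `checkServerHello` the new extension branch ends with an unconditional `return 0;` after the `offset != length+4` check (as the collapsed hunk reads), so every ServerHello that carries extensions, consistent or not, takes the failure result the corrupt case used to return; the consistent path should fall through to the function's normal return, which lies outside the hunk. The branch condition also mixes units: `offset` starts at 38 and so counts the 4-byte handshake header, while `length+4` shows `length` does not, so `if ( offset < length )` should be `if ( offset < length + 4 )`; in the current form a hello with one to four trailing bytes is neither parsed nor flagged. The same `offset < length` test was introduced in `checkClientHello` in the hunk above and deserves the same look.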
From: Robin Sommer Date: Mon, 31 Jan 2011 08:48:41 -0800 Subject: [PATCH 60/71] Updating submodule(s). --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aux/binpac b/aux/binpac index 7d4c82121c..26d02716f9 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 7d4c82121c09ab8d978adbe404bb633ede72820f +Subproject commit 26d02716f9090651f319a4bfdf8ede49b3a7b53a diff --git a/aux/bro-aux b/aux/bro-aux index 06feef2851..afa0a0d8b3 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 06feef28515a8527a7c290faecc343d341a9cc68 +Subproject commit afa0a0d8b3fdfa5306507948f08ac9f07696eb21 diff --git a/aux/broccoli b/aux/broccoli index b7115b8421..2b8a1c9c32 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit b7115b84210dcf5b04c900d7490f5dab968227c4 +Subproject commit 2b8a1c9c32dab2da9ebb54238c1b60e40bb8688f diff --git a/aux/broctl b/aux/broctl index d10b20da82..b15af09054 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit d10b20da8227d0b9bc8bfecb6a044c8b470e910f +Subproject commit b15af09054741850af828c6fc6dbd140c0f89b2b From 65687d86d834e722b39164c5d0664b1906510804 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 31 Jan 2011 12:19:11 -0500 Subject: [PATCH 61/71] *Now* this passes the test suite. I got the last fix wrong and I was still misunderstanding one behavior of the existing do_split function. When a separator match goes to the last character of the string, a blank string element should be appended to the string_array to indicate that a successful split occurred. --- src/strings.bif | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/strings.bif b/src/strings.bif index 77ac90ddd4..af3ebed149 100644 --- a/src/strings.bif +++ b/src/strings.bif 
@@ -211,7 +211,7 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, int num_sep = 0; int offset = 0; - while ( n > 0 ) + while ( n >= 0 ) { offset = 0; // Find next match offset. @@ -227,25 +227,25 @@ Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep, Val* ind = new Val(++num, TYPE_COUNT); a->Assign(ind, new StringVal(offset, (const char*) s)); Unref(ind); - + // No more separators will be needed if this is the end of string. if ( n <= 0 ) break; - + if ( incl_sep ) { // including the part that matches the pattern ind = new Val(++num, TYPE_COUNT); a->Assign(ind, new StringVal(end_of_match, (const char*) s+offset)); Unref(ind); } - + if ( max_num_sep && num_sep >= max_num_sep ) break; ++num_sep; n -= end_of_match; - s += offset; + s += offset + end_of_match;; if ( s > end_of_s ) internal_error("RegMatch in split goes beyond the string"); From 88b31a04d0d71047da931add4b0689c5f0eabac9 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 31 Jan 2011 15:36:01 -0800 Subject: [PATCH 62/71] Updating submodule(s). --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index b15af09054..572efd43cf 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit b15af09054741850af828c6fc6dbd140c0f89b2b +Subproject commit 572efd43cf52e4c41b32a9c5a4a015f783370b41 From e00acaddd8d445e1589c0dfc4820f2bda8344a31 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 31 Jan 2011 16:40:24 -0800 Subject: [PATCH 63/71] Login's confused messages now go through weird.bro. --- CHANGES | 4 ++++ VERSION | 2 +- policy/login.bro | 5 +---- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 0af3a0a896..286e9abe76 100644 --- a/CHANGES +++ b/CHANGES 
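Review bot: `s += offset + end_of_match;;` carries a stray second semicolon; harmless, but it reads as a typo and some compilers warn on the empty statement, so `s += offset + end_of_match;`. With `s` now advanced by `offset + end_of_match` while `n` is reduced only by `end_of_match`, the two stay in step only if `n` is also reduced by `offset` earlier in the loop body, which is outside the hunk; a one-line comment stating what `n` counts relative to `s` would make the `s > end_of_s` guard below checkable by eye.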
@@ -1,3 +1,7 @@ +1.6-dev.39 Mon Jan 31 16:42:23 PST 2011 + +- Login's confused messages now go through weird.bro. (Robin Sommer) + 1.6-dev.36 Mon Jan 31 08:45:35 PST 2011 - Adding more configure options for finding dependencies, (Jon Siwek) diff --git a/VERSION b/VERSION index 3ea16f0f3f..80eb02f177 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.6-dev.36 +1.6-dev.39 diff --git a/policy/login.bro b/policy/login.bro index 26d32ca08c..9d45249bb1 100644 --- a/policy/login.bro +++ b/policy/login.bro @@ -544,10 +544,7 @@ event login_confused(c: connection, msg: string, line: string) append_addl(c, ""); - if ( line == "" ) - print Weird::weird_file, fmt("%.6f %s %s", network_time(), id_string(c$id), msg); - else - print Weird::weird_file, fmt("%.6f %s %s (%s)", network_time(), id_string(c$id), msg, line); + event conn_weird_addl(msg, c, line); set_record_packets(c$id, T); } From ee6abcba72f5d64199928345740dd195a264296c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 3 Feb 2011 21:57:11 -0800 Subject: [PATCH 64/71] Updating submodule(s). --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 572efd43cf..3910266eb0 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 572efd43cf52e4c41b32a9c5a4a015f783370b41 +Subproject commit 3910266eb016a6dd30616c13ebe93a925fda2a72 From 51b3efbb1a803f0d9f464babb696a9338c22c4d7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 4 Feb 2011 17:39:38 -0800 Subject: [PATCH 65/71] Fixing bug with defining bro_int_t and bro_uint_t as 64-bit in some platforms. --- src/util.h | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/util.h b/src/util.h index f4f007a27d..43e0f2c6c1 100644 --- a/src/util.h +++ b/src/util.h 
@@ -39,13 +39,9 @@ extern HeapLeakChecker* heap_checker; #endif -typedef unsigned long long int uint64; typedef unsigned int uint32; typedef unsigned short uint16; typedef unsigned char uint8; -typedef long long int int64; -typedef int64 bro_int_t; -typedef uint64 bro_uint_t; #if SIZEOF_LONG_LONG == 8 typedef unsigned long long uint64; @@ -57,6 +53,9 @@ typedef long int int64; # error "Couldn't reliably identify 64-bit type. Please report to bro@bro-ids.org." #endif +typedef int64 bro_int_t; +typedef uint64 bro_uint_t; + // "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of // pointer size. They can be cast safely to a pointer, e.g. in Lists, // which represent their entities as void* pointers. From 4d12ac861da59ca13d009586da5f1624aaeb299f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 4 Feb 2011 17:58:19 -0800 Subject: [PATCH 66/71] Smarter way to increase the parent/child pipe's socket buffer. (Craig Leres). This is from #383. --- src/RemoteSerializer.cc | 54 ++++++++++++++++++++++++++--------------- src/RemoteSerializer.h | 2 ++ 2 files changed, 37 insertions(+), 19 deletions(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 51add7c3df..22e98b29ae 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc 
@@ -544,6 +544,36 @@ void RemoteSerializer::Init() initialized = 1; } +void RemoteSerializer::SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose) + { + int defsize = 0; + socklen_t len = sizeof(defsize); + + if ( getsockopt(fd, SOL_SOCKET, opt, (void *)&defsize, &len) < 0 ) + { + if ( verbose ) + Log(LogInfo, fmt("warning: cannot get socket buffer size (%s): %s", what, strerror(errno))); + return; + } + + for ( int trysize = size; trysize > defsize; trysize -= 1024 ) + { + if ( setsockopt(fd, SOL_SOCKET, opt, &trysize, sizeof(trysize)) >= 0 ) + { + if ( verbose ) + { + if ( trysize == size ) + Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK", defsize / 1024, trysize / 1024)); + else + Log(LogInfo, fmt("raised pipe's socket buffer size from %dK to %dK (%dK was requested)", defsize / 1024, trysize / 1024, size / 1024)); + } + return; + } + } + + Log(LogInfo, fmt("warning: cannot increase %s socket buffer size from %dK (%dK was requested)", what, defsize / 1024, size / 1024)); + } + void RemoteSerializer::Fork() { if ( child_pid ) 
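Review bot: `SetSocketBufferSize` treats `size <= defsize` as a failure: the for loop never runs and the closing `Log` warns that the buffer could not be increased even though it is already at or above the requested size; an early `if ( defsize >= size ) return;` before the loop fixes that. The loop also issues one `setsockopt` per 1024-byte step, so a large gap between `SOCKBUF_SIZE` and the kernel default means thousands of system calls at fork time; halving `trysize` toward `defsize` bounds it. The final warning ignores `verbose` while the other two messages honour it, which looks unintended, and on Linux `getsockopt` returns the kernel's doubled figure, so the reported `defsize / 1024` can be twice what was set — worth a comment.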
@@ -562,25 +592,11 @@ void RemoteSerializer::Fork() return; } - int bufsize; - socklen_t len = sizeof(bufsize); - - if ( getsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, &bufsize, &len ) < 0 ) - Log(LogInfo, fmt("warning: cannot get socket buffer size: %s", strerror(errno))); - else - Log(LogInfo, fmt("pipe's socket buffer size is %d, setting to %d", bufsize, SOCKBUF_SIZE)); - - bufsize = SOCKBUF_SIZE; - - if ( setsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, - &bufsize, sizeof(bufsize) ) < 0 || - setsockopt(pipe[0], SOL_SOCKET, SO_RCVBUF, - &bufsize, sizeof(bufsize) ) < 0 || - setsockopt(pipe[1], SOL_SOCKET, SO_SNDBUF, - &bufsize, sizeof(bufsize) ) < 0 || - setsockopt(pipe[1], SOL_SOCKET, SO_RCVBUF, - &bufsize, sizeof(bufsize) ) < 0 ) - Log(LogInfo, fmt("warning: cannot set socket buffer size to %dK: %s", bufsize / 1024, strerror(errno))); + // Try to increase the size of the socket send and receive buffers. + SetSocketBufferSize(pipe[0], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 1); + SetSocketBufferSize(pipe[0], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0); + SetSocketBufferSize(pipe[1], SO_SNDBUF, "SO_SNDBUF", SOCKBUF_SIZE, 0); + SetSocketBufferSize(pipe[1], SO_RCVBUF, "SO_RCVBUF", SOCKBUF_SIZE, 0); child_pid = 0; diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h index a84a0619fa..6afec4ec6f 100644 --- a/src/RemoteSerializer.h +++ b/src/RemoteSerializer.h @@ -297,6 +297,8 @@ protected: bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only bool SendToChild(ChunkedIO::Chunk* c); + void SetSocketBufferSize(int fd, int opt, const char *what, int size, int verbose); + private: enum { TYPE, ARGS } msgstate; // current state of reading comm. Peer* current_peer; From 0d9de7d71997c783c273b1e2b7b00c9cf864b037 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 7 Feb 2011 14:07:29 -0800 Subject: [PATCH 67/71] Updating submodule(s). --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/aux/broctl b/aux/broctl index 3910266eb0..fc940bbb72 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 3910266eb016a6dd30616c13ebe93a925fda2a72 +Subproject commit fc940bbb72abbaef2e5f10ea4ab616ec9b61fe0a From 275c6e64cce6a0a9e187c347864c909e04b4ef03 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 8 Feb 2011 12:47:10 -0500 Subject: [PATCH 68/71] PRI macros are currently not working for some reason. --- src/RemoteSerializer.cc | 29 +++++++++++++++-------------- src/SMB.cc | 4 +++- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 6709ea0456..7d731c5204 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -159,6 +159,7 @@ #include #include #include +#include #include "config.h" #ifdef TIME_WITH_SYS_TIME @@ -1505,13 +1506,13 @@ bool RemoteSerializer::DoMessage() { // We shut the connection to this peer down, // so we ignore all further messages. - DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%llu", + DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%" PRId64, msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); return true; } - DEBUG_COMM(fmt("parent: %s from child; peer is #%llu", + DEBUG_COMM(fmt("parent: %s from child; peer is #%" PRId64, msgToStr(current_msgtype), current_peer ? current_peer->id : 0)); @@ -2610,7 +2611,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer) bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len) { - DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), str)); + DEBUG_COMM(fmt("parent: (->child) %s (#%" PRId64 ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str)); if ( ! child_pid ) return false; 
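Review bot: The peer ids were previously printed with `%llu`, and the later hunks in this patch remove `(uint32_t)` and `(uint)` casts on the same value, which points to an unsigned id; `PRId64` is then the wrong macro, and `PRIu64` keeps the width with the right signedness, e.g. `fmt("parent: ignoring %s due to shutdown of peer #%" PRIu64, ...)`. If `Peer::id` is in fact signed 64-bit then `PRId64` is right and the old `%llu` was the bug, in which case the commit message should say so; the declaration is outside this hunk.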
@@ -2634,8 +2635,8 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap, nargs); - DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)", - msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), fmt_uint32s(nargs, ap))); + DEBUG_COMM(fmt("parent: (->child) %s (#%" PRId64 ",%s)", + msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap))); va_end(ap); #endif @@ -3235,7 +3236,7 @@ bool SocketComm::ForwardChunkToPeer() { #ifdef DEBUG if ( parent_peer ) - DEBUG_COMM(fmt("child: not connected to #%d", (uint) parent_id)); + DEBUG_COMM(fmt("child: not connected to #%" PRId64, parent_id)); #endif } @@ -3318,8 +3319,8 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) CMsg* msg = (CMsg*) c->data; - DEBUG_COMM(fmt("child: %s from peer #%d", - msgToStr(msg->Type()), (uint) peer->id)); + DEBUG_COMM(fmt("child: %s from peer #%" PRId64, + msgToStr(msg->Type()), peer->id)); switch ( msg->Type() ) { case MSG_PHASE_DONE: @@ -3795,7 +3796,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len) #ifdef DEBUG // str may already by constructed with fmt() const char* tmp = copy_string(str); - DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), tmp)); + DEBUG_COMM(fmt("child: (->parent) %s (#%" PRId64 ", %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp)); delete [] tmp; #endif if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE, @@ -3814,7 +3815,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...) #ifdef DEBUG va_start(ap,nargs); - DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), fmt_uint32s(nargs, ap))); + DEBUG_COMM(fmt("child: (->parent) %s (#%" PRId64 ",%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap))); va_end(ap); #endif 
@@ -3850,7 +3851,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len)
 #ifdef DEBUG
 // str may already by constructed with fmt()
 const char* tmp = copy_string(str);
- DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), (uint) peer->id, tmp));
+ DEBUG_COMM(fmt("child: (->peer) %s to #%" PRId64 " (%s)", msgToStr(type), peer->id, tmp));
 delete [] tmp;
 #endif

@@ -3869,8 +3870,8 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)

 #ifdef DEBUG
 va_start(ap,nargs);
- DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)",
- msgToStr(type), (uint) peer->id, fmt_uint32s(nargs, ap)));
+ DEBUG_COMM(fmt("child: (->peer) %s to #%" PRId64 " (%s)",
+ msgToStr(type), peer->id, fmt_uint32s(nargs, ap)));
 va_end(ap);
 #endif

@@ -3890,7 +3891,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)

 bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c)
 {
- DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, (uint) peer->id));
+ DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%" PRId64, c->len, peer->id));
 if ( ! sendToIO(peer->io, c) )
 {
 Error(fmt("child: write error %s", io->Error()), peer);
diff --git a/src/SMB.cc b/src/SMB.cc
index a950302090..5520ef4848 100644
--- a/src/SMB.cc
+++ b/src/SMB.cc
@@ -6,6 +6,7 @@
 #include "SMB.h"
 #include "smb_pac.h"
 #include "Val.h"
+#include "inttypes.h"

 namespace {
 const bool DEBUG_smb_ipc = true;
@@ -166,7 +167,8 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data)
 const u_char* tmp = data_start + next;
 if ( data_start + next < data + body.length() )
 {
- Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %ld", next, data + body.length() - data_start));
+ //Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRId32, next, data + body.length() - data_start));
+ printf("ANDX buffer overlapping: next = %" PRId64 ", buffer_end = %" PRId32 " ", next, data + body.length() - data_start);
 break;
 }
From 888719e922bd1cb154de17749825da184a969c8d Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Tue, 8 Feb 2011 14:22:23 -0800
Subject: [PATCH 69/71] Adding new aux/btest submodule.

---
 .gitmodules | 3 +++
 aux/btest | 1 +
 2 files changed, 4 insertions(+)
 create mode 160000 aux/btest

diff --git a/.gitmodules b/.gitmodules
index e2dcd2b8a4..326e1fe506 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -10,3 +10,6 @@
 [submodule "aux/broctl"]
 path = aux/broctl
 url = git://git.icir.org/broctl
+[submodule "aux/btest"]
+ path = aux/btest
+ url = git://git.icir.org/btest
diff --git a/aux/btest b/aux/btest
new file mode 160000
index 0000000000..a2b04952ae
--- /dev/null
+++ b/aux/btest
@@ -0,0 +1 @@
+Subproject commit a2b04952ae91dcd27d5e68a42d5d26c291ecb1f5

From b54445b725609b8439a643325c1457d63382d07b Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 8 Feb 2011 20:28:56 -0500
Subject: [PATCH 70/71] Fixed problem with PRI macros. Thanks Gregor!

---
 src/RemoteSerializer.cc | 1 -
 src/SMB.cc | 4 +---
 src/util.h | 6 ++++++
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 7d731c5204..f185b0c4ff 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -159,7 +159,6 @@
 #include
 #include
 #include
-#include
 #include "config.h"

 #ifdef TIME_WITH_SYS_TIME
diff --git a/src/SMB.cc b/src/SMB.cc
index 5520ef4848..78caf55eab 100644
--- a/src/SMB.cc
+++ b/src/SMB.cc
@@ -6,7 +6,6 @@
 #include "SMB.h"
 #include "smb_pac.h"
 #include "Val.h"
-#include "inttypes.h"

 namespace {
 const bool DEBUG_smb_ipc = true;
@@ -167,8 +166,7 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data)
 const u_char* tmp = data_start + next;
 if ( data_start + next < data + body.length() )
 {
- //Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRId32, next, data + body.length() - data_start));
- printf("ANDX buffer overlapping: next = %" PRId64 ", buffer_end = %" PRId32 " ", next, data + body.length() - data_start);
+ Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRIdPTR, next, data + body.length() - data_start));
 break;
 }
diff --git a/src/util.h b/src/util.h
index f4f007a27d..4e648cee5d 100644
--- a/src/util.h
+++ b/src/util.h
@@ -11,6 +11,12 @@
 #include
 #include "config.h"

+#define _ISOC99_SOURCE
+#define __STDC_LIMIT_MACROS
+#define __STDC_CONSTANT_MACROS
+#define __STDC_FORMAT_MACROS
+#include "inttypes.h"
+
 #if __STDC__
 #define myattribute __attribute__
 #else

From f79a1f6e584df4369d9059ddbbab25b942380650 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Wed, 16 Feb 2011 08:44:33 -0800
Subject: [PATCH 71/71] Updating submodule(s).

---
 aux/bro-aux | 2 +-
 aux/broccoli | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/aux/bro-aux b/aux/bro-aux
index afa0a0d8b3..7e50bac938 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit afa0a0d8b3fdfa5306507948f08ac9f07696eb21
+Subproject commit 7e50bac938af1831ecf9660159145a3c2e77e13d
diff --git a/aux/broccoli b/aux/broccoli
index 2b8a1c9c32..a1c6b6e59b 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 2b8a1c9c32dab2da9ebb54238c1b60e40bb8688f
+Subproject commit a1c6b6e59b3087b6b79a37a847c669b61ae2c522
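Review bot: `PRIdPTR` on the restored Weird() line is the conversion for `intptr_t`, but `data + body.length() - data_start` is a pointer difference of type `ptrdiff_t`; the two are the same width on the common LP64/ILP32 targets, yet the specifier that actually matches the argument is `%td`, so the line would be `Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %td", next, data + body.length() - data_start));` (assuming fmt() forwards its format string to vsnprintf, which this hunk does not show). Going back to Weird() instead of the printf of the previous commit is the right channel, since this branch fires on malformed ANDX offsets carried in network input and a weird-log entry is what operators can alert on, whereas stdout output is lost. `next` is printed with `%d`, so its declared type should be checked against that as well. SMB_Session::Deliver starts and ends outside the hunk.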
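Review bot: The `_ISOC99_SOURCE` and `__STDC_*_MACROS` defines are placed after the `#include` and `#include "config.h"` lines shown as context, but feature-test macros only take effect when they are defined before the first system header of the translation unit; any header above them that already pulled in `<stdint.h>` or `<inttypes.h>` has been processed without `__STDC_FORMAT_MACROS`, and wherever util.h is included after some other header the outcome depends on include order. The robust placement is the compiler command line or the very top of config.h, before any include. `#include "inttypes.h"` should also be `#include <inttypes.h>`: the quoted form searches the project's own include directories first, so a same-named project file would silently shadow the system header. The `#include` arguments are stripped in this rendering, so which headers precede the defines cannot be confirmed from the hunk.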