Start porting the old spicy TLS analyzer into Zeek

This is very WIP and currently produces a link error.

scripts/base/protocols/ssl/files.zeek

@@ -96,13 +96,13 @@ function describe_file(f: fa_file): string
 
 event zeek_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_SSL,
+	# Files::register_protocol(Analyzer::ANALYZER_SSL,
-	                         [$get_file_handle = SSL::get_file_handle,
+	#                          [$get_file_handle = SSL::get_file_handle,
-	                          $describe        = SSL::describe_file]);
+	#                           $describe        = SSL::describe_file]);
 
-	Files::register_protocol(Analyzer::ANALYZER_DTLS,
+	# Files::register_protocol(Analyzer::ANALYZER_DTLS,
-	                         [$get_file_handle = SSL::get_file_handle,
+	#                          [$get_file_handle = SSL::get_file_handle,
-	                          $describe        = SSL::describe_file]);
+	#                           $describe        = SSL::describe_file]);
 
 
 	local ssl_filter = Log::get_filter(SSL::LOG, "default");

scripts/base/protocols/ssl/main.zeek

@@ -190,8 +190,8 @@ redef likely_server_ports += { ssl_ports, dtls_ports };
 event zeek_init() &priority=6
 	{
 	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl, $path="ssl", $policy=log_policy]);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
+	#Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ssl_ports);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
+	#Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, dtls_ports);
 	}
 
 function set_session(c: connection)
@@ -492,11 +492,11 @@ hook finalize_ssl(c: connection)
 
 event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=5
 	{
-	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+	#if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-		{
+	#	{
-		set_session(info$c);
+	#	set_session(info$c);
-		info$c$ssl$analyzer_id = info$aid;
+	#	info$c$ssl$analyzer_id = info$aid;
-		}
+	#	}
 	}
 
 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
@@ -512,7 +512,7 @@ event ssl_plaintext_data(c: connection, is_client: bool, record_version: count,
 
 event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo) &priority=5
 	{
-	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
+	# if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
-		if ( info$c?$ssl )
+	# 	if ( info$c?$ssl )
-			finish(info$c, T);
+	# 		finish(info$c, T);
 	}

src/analyzer/protocol/CMakeLists.txt

@@ -35,8 +35,9 @@ add_subdirectory(smtp)
 add_subdirectory(snmp)
 add_subdirectory(socks)
 add_subdirectory(ssh)
-add_subdirectory(ssl)
+#add_subdirectory(ssl)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
+add_subdirectory(tls)
 add_subdirectory(xmpp)
 add_subdirectory(zip)

src/analyzer/protocol/tls/CMakeLists.txt

@@ -0,0 +1,8 @@
+spicy_add_analyzer(
+  NAME
+		TLS
+  SOURCES
+		TLS.spicy
+		TLS.evt
+		zeek_TLS.spicy
+)

src/analyzer/protocol/tls/TLS.evt

@@ -0,0 +1,73 @@
+protocol analyzer TLS over TCP:
+	parse with TLS::Message,
+	port 443/tcp;
+
+import Zeek_TLS;
+
+on TLS::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
+
+on TLS::ServerHello -> event ssl_server_hello($conn, self.server_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
+
+# on TLS::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, $is_orig, self.elliptic_curve_list);
+# 
+# on TLS::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, $is_orig, self.ec_point_format_list);
+# 
+# on TLS::ServerNameList -> event ssl_extension_server_name($conn, $is_orig, Zeek_TLS::convert_server_names(self));
+# 
+# on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
+# 
+# on TLS::RecordFragment::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
+# 
+# on TLS::RecordFragment::ccs if ( msg.context().ccs_seen == 2 ) -> event ssl_established($conn);
+# 
+# on TLS::Handshake_message -> event ssl_handshake_message($conn, $is_orig, self.msg_type, self.length);
+# 
+# on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, $is_orig, Zeek_TLS::convert_signature_algorithms(self));
+# 
+# on TLS::ServerHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.keyshare.namedgroup,));
+# 
+# on TLS::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, $is_orig, vector<uint16>(self.namedgroup,));
+# 
+# on TLS::ClientHelloKeyShare -> event ssl_extension_key_share($conn, $is_orig, Zeek_TLS::convert_clienthellokeyshare(self));
+# 
+# on TLS::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, $is_orig, Zeek_TLS::convert_identities(self.identities), Zeek_TLS::convert_binders(self.binders));
+# 
+# on TLS::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, $is_orig, self.selected_identity);
+# 
+# on TLS::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
+# 
+# on TLS::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+# 
+# on TLS::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+# 
+# on TLS::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
+# 
+# # just use nonsense values for no algorithm. Same as in the old analyzer
+# on TLS::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
+# 
+# on TLS::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
+# 
+# on TLS::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
+# 
+# on TLS::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
+# 
+# on TLS::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, $is_orig, Zeek_TLS::convert_protocol_name_list(self));
+# 
+# on TLS::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, $is_orig, self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
+# 
+# on TLS::SupportedVersions -> event ssl_extension_supported_versions($conn, $is_orig, self.versions);
+# 
+# on TLS::OneSupportedVersion -> event ssl_extension_supported_versions($conn, $is_orig, vector<uint16>(self.version,));
+# 
+# on TLS::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, $is_orig, self.modes);
+# 
+# on TLS::Alert_message -> event ssl_alert($conn, $is_orig, self.level, self.description);
+# 
+# on TLS::Heartbeat -> event ssl_heartbeat($conn, $is_orig, length, self.tpe, self.payload_length, self.data);
+# 
+# on TLS::RecordFragment::appdata if ( msg.encrypted == False ) -> event ssl_plaintext_data($conn, $is_orig, self.version, self.content_type, self.length);
+# 
+# on TLS::RecordFragment::appdata if ( msg.encrypted == True ) -> event ssl_encrypted_data($conn, $is_orig, self.version, self.content_type, self.length);
+# 
+# on TLS::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
+# 

src/analyzer/protocol/tls/zeek_TLS.spicy

@@ -0,0 +1,83 @@
+module Zeek_TLS;
+
+import TLS;
+import zeek;
+
+public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
+  local out: vector<bytes>;
+
+  for ( i in snl.server_name_list )
+    out.push_back(i.host_name);
+
+  return out;
+}
+
+public function convert_signature_algorithms(sa: TLS::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
+  local out: vector<tuple<uint8, uint8>>;
+  for ( i in sa.supported_signature_algorithms )
+    out.push_back(tuple(i.hash, i.signature));
+
+  return out;
+}
+
+public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vector<uint16> {
+  local out: vector<uint16>;
+
+  for ( i in ks.keyshares )
+    out.push_back(i.namedgroup);
+
+  return out;
+}
+
+public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
+  local out: vector<bytes>;
+
+  for ( i in bi.binders )
+    out.push_back(i.binder);
+
+  return out;
+}
+
+public function convert_identities(id: TLS::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
+  local out: vector<tuple<bytes, uint32>>;
+  for ( i in id.identities )
+    out.push_back(tuple(i.identity, i.obfuscated_ticket_age));
+  return out;
+}
+
+public function convert_protocol_name_list(pns: TLS::ProtocolNameList) : vector<bytes> {
+  local out: vector<bytes>;
+  for ( i in pns.protocol_name_list )
+    out.push_back(i.name);
+  return out;
+}
+
+on TLS::ClientHello::%done {
+  zeek::confirm_protocol();
+}
+
+# on TLS::ClientHello::%error {
+#   zeek::reject_protocol("error while parsing TLS client hello");
+# }
+# 
+# on TLS::ServerHello::%done {
+#   zeek::confirm_protocol();
+# }
+# 
+# on TLS::ServerHello::%error {
+#   zeek::reject_protocol("error while parsing TLS server hello");
+# }
+# 
+# on TLS::Certificate::%done {
+#   local first: bool = True;
+#   for ( i in self.certificate_list )
+#     {
+#     if ( first )
+# 			zeek::file_begin("application/x-x509-user-cert");
+# 		else
+# 			zeek::file_begin("application/x-x509-ca-cert");
+# 		zeek::file_data_in(i.cert);
+#     zeek::file_end();
+#     first = False;
+#     }
+# }