Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Spicy TLS - full test suite pass

Browse source 
With this commit, the entire Zeek test suite passes using spicy TLS.
Tests that either use a SSLv2 handshake, or DTLS are skipped, as the
parser currently does not support either.

Similarly, tests that rely on behavior we cannot replicate (baseline,
hooks, exact error messages) are passed. Other than that, all the
TLS-based tests pass with 100% the exact same baseline results.

This necessitated a couple of small tweaks to the spicy file - the
testcases uncovered several small problems.

This commit also enables cirrus tests for Spicy SSL/TLS.
This commit is contained in:
Johanna Amann 2024-08-13 14:41:37 +01:00
parent 1e282989fe
commit 84c4d53a4e
16 changed files with 97 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.cirrus.yml
View file

@ -14,6 +14,7 @@ config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WOR
no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
spicy_ssl_config: &SPICY_SSL_CONFIG --build-type=release --disable-broker-tests --enable-spicy-ssl --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror
@ -228,6 +229,17 @@ debian12_binary_task:
env: env:
ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG ZEEK_CI_CONFIGURE_FLAGS: *BINARY_CONFIG
debian12_spicy_ssl_task:
container:
# Just use a recent/common distro to run a test using spicy ssl.
# Debian 12 (bookworm) EOL: TBD
dockerfile: ci/debian-12/Dockerfile
<< : *RESOURCES_TEMPLATE
<< : *CI_TEMPLATE
<< : *SKIP_TASK_ON_PR
env:
ZEEK_CI_CONFIGURE_FLAGS: *SPICY_SSL_CONFIG
debian11_task: debian11_task:
container: container:
# Debian 11 EOL: June 2026 # Debian 11 EOL: June 2026

6
src/analyzer/protocol/ssl/spicy/SSL.evt
View file

@ -1,8 +1,8 @@
protocol analyzer SSL over TCP: protocol analyzer SSL over TCP:
parse with SSL::Message; parse with SSL::Message;
protocol analyzer DTLS over UDP: protocol analyzer DTLS over UDP:
parse with SSL::Message; parse with SSL::DTLSMessage;
import SSL; import SSL;
import zeek; import zeek;
@ -31,7 +31,7 @@ on SSL::PlaintextRecord::trigger_two if ( self.encrypted == True ) -> event ssl_
on SSL::Extension -> event ssl_extension($conn, SSL::get_direction(sh), self.code, self.raw); on SSL::Extension -> event ssl_extension($conn, SSL::get_direction(sh), self.code, self.raw);
on SSL::Handshake_message::length -> event ssl_handshake_message($conn, SSL::get_direction(sh), self.msg_type, self.length); on SSL::Handshake_message -> event ssl_handshake_message($conn, SSL::get_direction(sh), self.msg_type, self.length);
on SSL::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, SSL::get_direction(sh), self.supported_signature_algorithms_converted); on SSL::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, SSL::get_direction(sh), self.supported_signature_algorithms_converted);

95
src/analyzer/protocol/ssl/spicy/SSL.spicy
View file

@ -412,7 +412,7 @@ type TLSCiphers = enum {
TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D, TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D,
TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E, TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E,
TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F, TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F,
TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040, TLSDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040,
TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041, TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041,
TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042, TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042,
TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043, TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043,
@ -644,11 +644,17 @@ function check_partial(): bool {
# m: Message(False); # m: Message(False);
# }; # };
# #
# public type DTLSMessage = unit { public type DTLSMessage = unit {
# %context = Share; # %context = Share;
# #
# m: Message(True); # m: Message(True);
# }; : skip bytes &eod;
on %init {
zeek::skip_input();
# spicy::decline_input("No DTLS support");
}
};
public type Message = unit { public type Message = unit {
%context = Share; %context = Share;
@ -666,7 +672,6 @@ public type Message = unit {
self.partial = check_partial(); self.partial = check_partial();
} }
: skip bytes &eod if ( self.partial ); : skip bytes &eod if ( self.partial );
fragment: RecordFragmentChoice(self.handshakesink, self.alertsink, self, self.context())[]; fragment: RecordFragmentChoice(self.handshakesink, self.alertsink, self, self.context())[];
}; };
@ -718,7 +723,7 @@ type PlaintextRecord = unit(content_type: uint8, handshakesink: sink&, alertsink
ContentType::application_data -> { ContentType::application_data -> {
switch (self.encrypted) { switch (self.encrypted) {
False -> appdata: bytes &size=self.length; False -> appdata: bytes &size=self.length;
True -> cryptdata: bytes &size=self.length; True -> : skip bytes &size=self.length;
}; };
} }
ContentType::change_cipher_spec -> ccs: bytes &size=self.length; ContentType::change_cipher_spec -> ccs: bytes &size=self.length;
@ -729,10 +734,6 @@ type PlaintextRecord = unit(content_type: uint8, handshakesink: sink&, alertsink
trigger_two: void; trigger_two: void;
trigger_three: void; trigger_three: void;
# on unhandled {
# print "Unhandled content type", content_type;
# }
on length { on length {
self.encrypted = determine_encryption_on(self, content_type, handshakesink, alertsink, sh); self.encrypted = determine_encryption_on(self, content_type, handshakesink, alertsink, sh);
} }
@ -831,19 +832,24 @@ type Handshake_message = unit(inout msg: Message, inout sh: Share) {
fragment_offset: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network) if(msg.dtls); fragment_offset: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network) if(msg.dtls);
fragment_length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network) if(msg.dtls); fragment_length: bytes &size=3 &convert=$$.to_uint(spicy::ByteOrder::Network) if(msg.dtls);
# This indirection in a way seems a bit unnecessary, but I don't se a nice way around it.
# We need to make sure that the length of the inner message cannot extend beyond the length
# of this message. In binpac we did this by attaching an &size field to the unit that self-referred
# to itself.
switch (HandshakeType(self.msg_type)) { switch (HandshakeType(self.msg_type)) {
HandshakeType::hello_request -> hr: HelloRequest(sh); HandshakeType::hello_request -> hr: HelloRequest(sh) &max-size=self.length;
HandshakeType::client_hello -> client_hello: ClientHello(self.length, msg, sh); HandshakeType::client_hello -> client_hello: ClientHello(self.length, msg, sh) &max-size=self.length;
HandshakeType::server_hello_done -> : bytes &size=self.length; # Fixme: alert if length != 0 HandshakeType::server_hello_done -> : bytes &size=self.length; # TODO: raise error if != 0
HandshakeType::hello_verify_request -> hello_verify_request: HelloVerifyRequest; HandshakeType::hello_verify_request -> hello_verify_request: HelloVerifyRequest &max-size=self.length;
HandshakeType::server_hello -> server_hello: ServerHelloChoice(self.length, msg, sh); HandshakeType::server_hello -> server_hello: ServerHelloChoice(self.length, msg, sh) &max-size=self.length;
HandshakeType::certificate -> certificate: Certificate(sh); HandshakeType::certificate -> certificate: Certificate(sh) &max-size=self.length;
HandshakeType::certificate_request -> certificate_request: CertificateRequest(sh); HandshakeType::certificate_request -> certificate_request: CertificateRequest(sh) &max-size=self.length;
HandshakeType::certificate_verify -> : bytes &size=self.length; # opaque encrypted data HandshakeType::certificate_verify -> : bytes &size=self.length; # opaque encrypted data
HandshakeType::client_key_exchange -> client_key_exchange: ClientKeyExchange(sh, self.length); HandshakeType::client_key_exchange -> client_key_exchange: ClientKeyExchange(sh, self.length) &max-size=self.length;
HandshakeType::server_key_exchange -> server_key_exchange: ServerKeyExchange(sh, self.length); HandshakeType::server_key_exchange -> server_key_exchange: ServerKeyExchange(sh, self.length) &max-size=self.length;
HandshakeType::NewSessionTicket -> session_ticket: NewSessionTicket; HandshakeType::NewSessionTicket -> session_ticket: NewSessionTicket &max-size=self.length;
HandshakeType::certificate_status -> certificate_status: CertificateStatus; HandshakeType::certificate_status -> certificate_status: CertificateStatus &max-size=self.length;
* -> unhandled: skip bytes &size=self.length; * -> unhandled: skip bytes &size=self.length;
}; };
@ -995,21 +1001,21 @@ type Extension = unit(inout sh: Share, client_hello: bool) {
switch (Extensions(self.code)) { switch (Extensions(self.code)) {
# Extensions::next_protocol_negotiation -> :bytes &size=self.extension_size; # alert if != 0 # Extensions::next_protocol_negotiation -> :bytes &size=self.extension_size; # alert if != 0
Extensions::ec_point_formats -> ec_point_formats: EcPointsFormat_extension(sh) if(self.length > 0); Extensions::ec_point_formats -> ec_point_formats: EcPointsFormat_extension(sh) &max-size=self.length if(self.length > 0);
Extensions::supported_groups -> elliptic_curves: EllipticCurveList(sh) if(self.length > 0); Extensions::supported_groups -> elliptic_curves: EllipticCurveList(sh) &max-size=self.length if(self.length > 0);
Extensions::SessionTicket_TLS -> ticket_data: bytes &size=self.length; # ticket data Extensions::SessionTicket_TLS -> ticket_data: bytes &size=self.length; # ticket data
Extensions::heartbeat -> heartbeat: uint8 &convert=HeartbeatMode($$) if(self.length > 0); Extensions::heartbeat -> heartbeat: uint8 &convert=HeartbeatMode($$) &max-size=self.length if(self.length > 0);
Extensions::signature_algorithms -> signature_algorithms: SignatureAlgorithms(sh) if(self.length > 0); Extensions::signature_algorithms -> signature_algorithms: SignatureAlgorithms(sh) &max-size=self.length if(self.length > 0);
Extensions::renegotiation_info -> renegotiation_info: RenegotiationInfo if(self.length > 0); Extensions::renegotiation_info -> renegotiation_info: RenegotiationInfo &max-size=self.length if(self.length > 0);
Extensions::server_name -> server_name: ServerNameList(sh) if(self.length > 0); Extensions::server_name -> server_name: ServerNameList(sh) &max-size=self.length if(self.length > 0);
Extensions::application_layer_protocol_negotiation -> application_layer_protocol_negotiation: ProtocolNameList(sh) if(self.length > 0); Extensions::application_layer_protocol_negotiation -> application_layer_protocol_negotiation: ProtocolNameList(sh) &max-size=self.length if(self.length > 0);
Extensions::status_request -> status_request: StatusRequest(self.length) if(self.length > 0); Extensions::status_request -> status_request: StatusRequest(self.length) &max-size=self.length if(self.length > 0);
Extensions::signed_certificate_timestamp -> signed_certificate_timestamp: SignedCertificateTimestampList(sh) if(self.length > 0); Extensions::signed_certificate_timestamp -> signed_certificate_timestamp: SignedCertificateTimestampList(sh) &max-size=self.length if(self.length > 0);
Extensions::key_share_old -> key_share_old: KeyShare(client_hello, sh, self.length) if(self.length > 0); Extensions::key_share_old -> key_share_old: KeyShare(client_hello, sh, self.length) &max-size=self.length if(self.length > 0);
Extensions::key_share -> key_share: KeyShare(client_hello, sh, self.length) if(self.length > 0); Extensions::key_share -> key_share: KeyShare(client_hello, sh, self.length) &max-size=self.length if(self.length > 0);
Extensions::supported_versions -> supported_versions: SupportedVersionsSelector(sh, client_hello) if(self.length > 0); Extensions::supported_versions -> supported_versions: SupportedVersionsSelector(sh, client_hello) &max-size=self.length if(self.length > 0);
Extensions::psk_key_exchange_modes -> psk_key_exchange_modes: PSKKeyExchangeModes(sh) if(self.length > 0); Extensions::psk_key_exchange_modes -> psk_key_exchange_modes: PSKKeyExchangeModes(sh) &max-size=self.length if(self.length > 0);
Extensions::pre_shared_key -> pre_shared_key: PreSharedKey(sh, client_hello) if(self.length > 0); Extensions::pre_shared_key -> pre_shared_key: PreSharedKey(sh, client_hello) &max-size=self.length if(self.length > 0);
* -> unknown: bytes &size=self.length; * -> unknown: bytes &size=self.length;
}; };
@ -1838,16 +1844,24 @@ on SSL::ClientHello::%done {
spicy::accept_input(); spicy::accept_input();
} }
on SSL::ClientHello::%error { on SSL::ClientHello::%error(emsg: string) {
spicy::decline_input("error while parsing TLS client hello"); spicy::decline_input("error while parsing TLS client hello - " + emsg);
} }
on SSL::ServerHello::%done { on SSL::ServerHello::%done {
spicy::accept_input(); spicy::accept_input();
} }
on SSL::ServerHello::%error { on SSL::ServerHello::%error(emsg: string) {
spicy::decline_input("error while parsing TLS server hello"); spicy::decline_input("error while parsing TLS server hello - " +emsg);
}
#on SSL::Handshake_message::%error(emsg: string) {
# spicy::decline_input("lalala");
#}
on SSL::Handshake::%error(emsg: string) {
spicy::decline_input(emsg);
} }
on SSL::Certificate::%done { on SSL::Certificate::%done {
@ -1896,6 +1910,11 @@ on SSL::Certificate::%done {
# print self; # print self;
# } # }
# #
# on PlaintextRecord::%error(emsg: string) {
# print "Error in plaintextrecord", emsg;
# print self;
# }
#
# on Extension::code { # on Extension::code {
# print "Extension", self.code, client_hello; # print "Extension", self.code, client_hello;
# } # }

1
testing/btest/core/analyzer-confirmation-violation-info.zeek
View file

@ -1,4 +1,5 @@
# @TEST-DOC: The SSL analyzer picks up on the traffic in pppoe-over-qing, but then raises analyzer_violation_info # @TEST-DOC: The SSL analyzer picks up on the traffic in pppoe-over-qing, but then raises analyzer_violation_info
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -r $TRACES/pppoe-over-qinq.pcap %INPUT # @TEST-EXEC: zeek -r $TRACES/pppoe-over-qinq.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout # @TEST-EXEC: btest-diff .stdout

1
testing/btest/coverage/bare-load-baseline.test
View file

@ -9,6 +9,7 @@
# below does. Don't ask. :-) # below does. Don't ask. :-)
# @TEST-REQUIRES: $SCRIPTS/have-spicy # This test logs loaded scripts, so disable it if Spicy and it associated plugin is unavailable. # @TEST-REQUIRES: $SCRIPTS/have-spicy # This test logs loaded scripts, so disable it if Spicy and it associated plugin is unavailable.
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b misc/loaded-scripts # @TEST-EXEC: zeek -b misc/loaded-scripts
# @TEST-EXEC: test -e loaded_scripts.log # @TEST-EXEC: test -e loaded_scripts.log
# @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | awk 'NR>0{print $1}' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix # @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | awk 'NR>0{print $1}' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix

1
testing/btest/coverage/default-load-baseline.test
View file

@ -8,6 +8,7 @@
# below does. Don't ask. :-) # below does. Don't ask. :-)
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy # @TEST-REQUIRES: ${SCRIPTS}/have-spicy
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek misc/loaded-scripts # @TEST-EXEC: zeek misc/loaded-scripts
# @TEST-EXEC: test -e loaded_scripts.log # @TEST-EXEC: test -e loaded_scripts.log
# @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix # @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix

1
testing/btest/plugins/hooks.zeek
View file

@ -1,5 +1,6 @@
# @TEST-REQUIRES: test "${ZEEK_ZAM}" != "1" # @TEST-REQUIRES: test "${ZEEK_ZAM}" != "1"
# @TEST-REQUIRES: ${SCRIPTS}/have-spicy # This test logs loaded scripts, so disable it if Spicy and the associated plugin are unavailable. # @TEST-REQUIRES: ${SCRIPTS}/have-spicy # This test logs loaded scripts, so disable it if Spicy and the associated plugin are unavailable.
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Hooks # @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Hooks
# @TEST-EXEC: cp -r %DIR/hooks-plugin/* . # @TEST-EXEC: cp -r %DIR/hooks-plugin/* .
# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make

3
testing/btest/scripts/base/protocols/ssl/certificate_request.zeek
View file

@ -1,5 +1,8 @@
# This tests the certificate_request message parsing # This tests the certificate_request message parsing
# Does not work in spicy version, due to missing DTLS support
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b -r $TRACES/tls/client-certificate.pcap %INPUT > out # @TEST-EXEC: zeek -b -r $TRACES/tls/client-certificate.pcap %INPUT > out
# @TEST-EXEC: zeek -C -b -r $TRACES/tls/certificate-request-failed.pcap %INPUT >> out # @TEST-EXEC: zeek -C -b -r $TRACES/tls/certificate-request-failed.pcap %INPUT >> out
# @TEST-EXEC: zeek -C -b -r $TRACES/tls/webrtc-stun.pcap %INPUT >> out # @TEST-EXEC: zeek -C -b -r $TRACES/tls/webrtc-stun.pcap %INPUT >> out

3
testing/btest/scripts/base/protocols/ssl/dpd.test
View file

@ -1,3 +1,6 @@
# Does not work in spicy version, due to missing SSLv2 handshake support
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -C -b -r $TRACES/tls/ssl-v2.trace %INPUT # @TEST-EXEC: zeek -C -b -r $TRACES/tls/ssl-v2.trace %INPUT
# @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT
# @TEST-EXEC: zeek -b -r $TRACES/tls/tls1.2.trace %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/tls1.2.trace %INPUT

1
testing/btest/scripts/base/protocols/ssl/dtls-13.test
View file

@ -1,5 +1,6 @@
# This tests a normal SSL connection and the log it outputs. # This tests a normal SSL connection and the log it outputs.
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-wolfssl.pcap %INPUT # @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-wolfssl.pcap %INPUT
# @TEST-EXEC: cp ssl.log ssl-all.log # @TEST-EXEC: cp ssl.log ssl-all.log
# @TEST-EXEC: echo "start CID test" # @TEST-EXEC: echo "start CID test"

1
testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
View file

@ -1,3 +1,4 @@
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b -r $TRACES/tls/webrtc-stun.pcap %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/webrtc-stun.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log # @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: touch dpd.log # @TEST-EXEC: touch dpd.log

1
testing/btest/scripts/base/protocols/ssl/dtls.test
View file

@ -1,5 +1,6 @@
# This tests a normal SSL connection and the log it outputs. # This tests a normal SSL connection and the log it outputs.
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b -r $TRACES/tls/dtls1_0.pcap %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/dtls1_0.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log # @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff x509.log # @TEST-EXEC: btest-diff x509.log

3
testing/btest/scripts/base/protocols/ssl/keyexchange.test
View file

@ -1,3 +1,6 @@
# Does not work in spicy version, due to missing DTLS and SSLv2 handshake support
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT
# @TEST-EXEC: cat ssl.log > ssl-all.log # @TEST-EXEC: cat ssl.log > ssl-all.log
# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT

3
testing/btest/scripts/policy/frameworks/intel/seen/certs.zeek
View file

@ -1,3 +1,6 @@
# Does not work in spicy version, due to missing SSLv2 handshake support
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b -Cr $TRACES/tls/ecdsa-cert.pcap %INPUT # @TEST-EXEC: zeek -b -Cr $TRACES/tls/ecdsa-cert.pcap %INPUT
# @TEST-EXEC: cat intel.log > intel-all.log # @TEST-EXEC: cat intel.log > intel-all.log
# @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT

3
testing/btest/scripts/policy/protocols/ssl/ssl-log-ext.zeek
View file

@ -1,3 +1,6 @@
# Does not work in spicy version, due to missing SSLv2 handshake support
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT
# @TEST-EXEC: cat ssl.log > ssl-all.log # @TEST-EXEC: cat ssl.log > ssl-all.log
# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT

3
testing/btest/scripts/policy/protocols/ssl/weak-keys.zeek
View file

@ -1,3 +1,6 @@
# Does not work in spicy version, due to missing SSLv2 handshake support
# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
# @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT
# @TEST-EXEC: cp notice.log notice-out.log # @TEST-EXEC: cp notice.log notice-out.log
# @TEST-EXEC: zeek -b -r $TRACES/tls/ssl-v2.trace %INPUT # @TEST-EXEC: zeek -b -r $TRACES/tls/ssl-v2.trace %INPUT