From 8c67b9c8fccddcd6f834c95f0bdf94502e11ad22 Mon Sep 17 00:00:00 2001
From: Florian Wilkens <wilkens@informatik.uni-hamburg.de>
Date: Wed, 12 May 2021 11:46:17 +0200
Subject: [PATCH] testing: add ssl/decryption test

---
 .../http.log                                     |  11 +++++++++++
 testing/btest/Traces/tls/tls12-decryption.pcap   | Bin 0 -> 6106 bytes
 .../scripts/policy/protocols/ssl/decryption.zeek |  10 ++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.decryption/http.log
 create mode 100644 testing/btest/Traces/tls/tls12-decryption.pcap
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/decryption.zeek

diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.decryption/http.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.decryption/http.log
new file mode 100644
index 0000000000..a01d49a497
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.decryption/http.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.100.70	48216	193.99.144.80	443	1	GET	heise.de	/	-	1.1	Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0	-	0	229	301	Moved Permanently	-	-	(empty)	-	-	-	-	-	-	FaOfPL638bbaQ1KMh	-	text/html
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/tls/tls12-decryption.pcap b/testing/btest/Traces/tls/tls12-decryption.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..73ffaa14bd5279e5735181330c88b0edb5f855b0
GIT binary patch
literal 6106
zcmdT|c{o+u-{1R8jv@0LnMFAEF`W!uQ$&V14oQ@gIrEUIgd-w1%9yE3GQ^Ff%$1>}
zGDMQ0a%JkKGL$KmcW<tW-+g}X^SuAP`+3%R_FCt=KkK{J`g}iYeOGVG%{&x<0e(Ih
z0E8>DbXoTD7jVFS_#G(#_iul3gu%bxhDPv!9sp=ixwHT+oCBt@*ipa9;euI%HCQi2
zr*jW6&P9Eh3G4;{6b5?>gTga}nR>J%?I0RWhah{*Z9;}I*YVep5ldwp3qOL2po8@d
z)`1=8FT&`Jx$NI#V_}Cjkdw)O^dRUP$nh|;4*We*{=;V_D)*Ytj9Ywegwc~CSiyzB
zN3f6Jn!n=+GU99gHyp4J1+0~=h$vMm4}wU={wpFcxDed=1Mw|_$c+Y3@C1Wj(P)!P
zDJ-`b#ElHb2!BfX?yaa+g$_Q>BQ8^m5_aF1Jhel(Nb}j7wA}kF2i4uU_LR-#+a$N}
zk40CNvsUYc$#GsN15k|+3{?S-bQ{130C-m?H-9IBqZ7ab0ITpn0Kfn+15AJ*+`tR)
z!7U(chl1P1;BQ!w|4^<9c-MdcA9*5y2w(v$vi1O=2)F}o@Mpq4V|34^zCY{JnK;UP
zF{`7haFO!uoVt37$@W**PUK|<!@$~@l)8Xhza^FowxI(m0O6?R+N5jk&R)SZpP6?z
z`Oadvsw%E^n<|X-YoXgbavp!aqc)P#k;_opWRjWRP$sxE0>}VZ3>t$*!^7YOxG`uf
z8i&SX@K`(!17blOh(g0Y%fXI=fB=Bf0s$_dVa?C~r#}d-%ADwaCF<r7P>K&lLLjPW
zO9&)M(d~Tz6ZK1l>pHDqN_~Xs{}w^4_n-rg!!$t3dZ7LcDn{G*lL%t)>3>D!1;0ej
z{y>~T5V_&ypun^@L!<dEuGmf3n8=-!)i!u%P-McY_9Dlhxv<kbjp60_hyh)o5dr|I
zb;2Pl!U$l{08I0Bk}(4GKN$uS69%Tg05|>)(8mE-eu#$UhG^*Tx$qjJQ0(X(UmzE}
zrK{ZsOCvuz;ILIIv<*kUE5;yZaT^FSVgX2j$OzHn(3Th+2g=fd$PIBK6$XxN#!dk{
z{e|_s9Q;Cj0yd1$94N9Pw1a1x0ufSFP#`KQDiD=z)~YHB&_7j(gUAN4ATVf-A3+4s
zK+#|O2C)E|2C@KfI|GUaQ?Ws2fGB5?r(eSUThF)*{fY^Fu(;e1=i@L&!vw>tiR{?2
zHl}>(o|31Y%NHN&=V4Bs%#P1Ir~mq@+Z|sSdRd_M{Zs1(^HQ&tTYBadWm>m+azl6V
z`|-&I27UiSgfXL^Zs!RQ-)#a-50Q<;^SF*izPowI0ji~Snc915-%vMLzAmTx)jYgz
z$onbLNsJw++@tMvmiuV$^Lc>?&Aquc&Z45$(qyGH^q`jS)70&u$@nDBsljs8^Iqv4
zukO4)<RO!omM^KRB3$mbKfa=3GS$sg&sMP|hn=N>TWF+4H0frMN?~2bQz!mW0YPg;
zfQj<WY_96;y*MrT46W=>-%w~+Q1WRgU5JL#gqY#!6J!CwRSX7=!sbGPNL>PhEDv4=
z2V${wXz<4y3SvV3=0MC*5U_5{jN!&`-s$Dh$-e6nv2aJW!GHR&*JXii>5vd&EQaBQ
zxFa|@36(t6)>co-%;>cygvxW`Ih$J{%MD}@#27;RAd!ta1jcY7@}?#)@25!cCU`i(
z^dNZqxj>>nOi(f0KTX_zn#e;ONWW|tCWwLdlNQEEqcBDf(uMFioJ%AVhyo!Jju9Rt
z2BZzcV*(*5NOA)n1#<KM1MlGD52FY8BR;?sU2}s5VsH#=pZ0~IFepsqJSK7um;nNT
z1=|$)?jT5%lfsLKQmhh2O*r@z?+r7_3p2Kx&N`05;Tmjn=z%GKMB6?{4<!P;J#jBi
z^nmOvZ*)OLiLi<!N65v13TG)^dv^9$_YWNPK?&<LB@U%EF;oW!<hbcW8Rh1ev<|=A
zCRiT4-&#xqBU=Oa>unMECvk?z*Pj7gHRoCl;u2sRKs5o<xbrvhnWO=Z^?q9=e(CoD
zKhur3c%iq`=dPyuQDl8-ZB6yB&PN_Mn9ro9FmWG23G;Xw_O(m%h#KRY56!XY@-zrs
z3>D5boDr-V*`CRDW9rvHgM%CnG!Te1ORTVZEAcmpb}v^gKZ&|sGr9Jx1zD)=bn&T}
ztotDsSIvePeWJ9Fy%0&om&I3&6JIIn91RZSwf#NeL<ckJ);M`8t0?DYsQ9Hw*A{)q
z%lP^q9~+>ivZ7d<{kuoPJSLM<mw{rL%VEvpA*`KI=c0`9b?xNq5n?q=IkwNu3%}Jw
zKkrU>xg%@x@uc?UX|v0jMtR3{v2k)S#xFP-*+hm$v>km*Qg<JGp~)LyqE^Z+)n8~R
zZNU3>O3RL9MUp68h)PoLjH=r0XC+B~BrH(bdR;n26jeN0Ug@WF>sB4b+>A2Sb17%o
z^X@J}aA|Ks#l(YvGW4BTW1+w2@|6LM8$`o6!QyDLE{?2P;0a6==hZfm-_KlQ;_evU
zGHZ|~Q5@#=ni_83>*nGXK=lx|aC7mZ2AuG75~lc_@DC8y^(GK`ATGoT&B46af+9@z
z_J*6ag{{|h5+XtniKwbTRD#xZQdL3qpX&cfd;d2Xtw(W5wJ+qRJY!*hf8H{wWr;SM
zQ5dQdTVy9$a$BbMfpJB7g8TA`w)__?`%*Y9l@I=Yx%i4I-#kr2=bEY4ym|{^=zQZ1
z+fRpfPk!ifo3UZsez!42T;l8(l5Zu)q`;peS<^#f>Uw0ov};Wkol0%wkGIP{B)+!y
zc~d|st@30}FVIqQmwDFUJmsu(>Wh1P;z8+*C5Xqa&d+-#^1=0<80$Se4=3sCXJr;+
zUN#N-+V$#>wqKWMifyoWIpJJ6%e#2RcEVy+Ew*Z3!72yuyG!&znmHEBUEuh9p$`vd
zxx>}fjLPJkmlj31?*`F=d2VGAC+a!c$>{kH=6Uf$T>r=@=n8Kvju1PdE^E4ohj6ew
z!Uvzt(h9~vMjP4!tDPpa2U6dtL#P<}f3$|`1B;EDqmx$vvg!l}Z%=tYc%A*_9sL84
z7YAyvBEg5`ut{6*7gbz6DeL=XXvFBkiPigD_R(>y5M^EOOdz9Q^iFfL-a!yy!v|RJ
zM1Rpcq%XN(;(zF#27)StQHB&DVy=9yT#U@dM}8h#{DwJ7K5&4dt8J~QOExAr_<8)Y
zU;OKK@W1Rmn-3IgS~Fn$*Q5C}u_WS9J;$5Mukr53*gdSP4Nq&Js*8oBs8gMP5&WkO
z=|Yvy2nk+yo$3E>6)Eo-Ze8f5timeb-!gv3^9cCD%Wq{@Zq2iUj^l@$-FlziTs&pe
z!jll|=l}BCSI;}6j~ElEYTVXg0V*<<5qlmw+&!b)s+z~_e(<uUbW_B_%{%*^lt3QU
z3L}RojJ)(bM;ts>(p)qI{F##DTiF7|V_s{~(T#=4Ip3DZPqS`&7xA&nO+D@F#Q8?W
zPjO4qa-5uUr)Q`>sdkHu<BcogU*0D?p|*W=@Rcf-#i|EQXB|O1&X{+PMO)b3K&AJd
zZdK~(WCg}5hSi$i@!W+EWuPn*07{_&L19(20^P7k<e7I1Me4789_^vlUC4YbIDeh{
zZ05qdU4Ier7!cqq3-@D;2;Cv7moe1vIzQoZYjL36@1>C1kc-1)m-CA{L*rV~m-~B6
zDL{IVen`?Yv+c79l40(uo^z7sgbTJcS9e#2v~`cQR%-iomygDrOgx)e&$%@HlFRSR
zRj|@SVCdT)U&BphD$}1Z@YER8*62C8n6SDw0|z3VUd;w`X?oCt4u{zdNDd0iWR5me
zcg_vfrcHmzvK-Y7HbTX;>>uv#pH>kaktc`^PCT__8&O&w<`iSO{=HkBUOVurkz}7|
z#?JKAv)AyCPE|~~8HU=X&u;S(FHZ;)H6v(09n;M}^*Qx(lilryW4<-0{EpvR&M8Vy
zg}*0ew!4If%uXZ6V+=EV*hNm>o$$#UNjQ<RHAMuJsJv@QC;jFWaqok`j!Sj$S^mS%
zq|*}vpXX-~M8{w{;13uKDgS|Zk;;c49xMG<L|$+{NOJuwA7<)Fhae)(O0WWeh_I>B
zhkGOXb4&XjX>r3J+`xAsai8mE>2+)mob!l%G=7j1wgf@MUJB_Mc{GA3*FNtX#`kGV
ziwSfDL&qH6wRABRsl6C+;Cl4@E)j9J?-d<Dfm27MY)w5t{rE5>^`IqfPCYKwNzv(v
zM!=~DDtjaK$Yn-cM!Fw_uO#~5W?A6r(bWQ|hv!M!$DRC%Meo6Ig4atsM~?%5{bA<{
z;earsIgfimoxI*}Vjd4A+4_HajKeG?tB24kGLIdi$^I>2dGkV3=V|k=FGS|qJi1c$
zpY7`JcQ|i49!v75E_c`MQx7?u9KB2Kt#bZuqJX)>{sSgJjukn4P-vgC<#2bQNqp6#
z<&#e=PK?GCGlxHo-X(a8uXpkZO)9(f^C`>a>uTJG1W0dIng<L?dnjz3a?RhvdZf%=
z=G;o`&oe@?T+?khx~-2j*pX78@?_>qP`<;`FLSK@Jl{g3@ut(a`GFMAOXP)yuxqJj
zw>`{`SHSlj{8XQ6E(PAwi65*)=J>7*9=HO}FH*Kr0!*RuuiZlwZKi~tXkbT1J3Pnp
z!O}k{p`1+4W#)kc{xGt<@B{iTR=Qj{R3ISUa(^n7ykI@{7(1as*!>1|a+hl}kBXSW
zL}(D@9DljZ-cgstXUvQ<PW_~=qbZ{DzpJ1>x1c>L9Nax07};Jt@|SOaV!L>>pb(>M
z#UnNgaG-7=hjidgx}Ncze#U79SDzm78~2^gd~Lay1MUoUS=dgPQBv9sjQj6h>@V2C
zXi2Pnwo;OOIy~swpH+LoI7b_u8m}_pIr7l$KdbD;^sxv3l1me;C`#6=l4hNE@9*fu
zoo_f-lo}&9Q>r}3f8IXr$l<1eyOnq9dTV;?SJKP}?A633wM*<SGhETDDabM`(23=#
zS9zUg&V`=X1@EsYtju>U_w8=_>OzdRIwTS9hmVe%-TAQc<VrI{_uxs7wT&eGO5^ui
zl~wj>=vVeyN)54vA%sO=zU+s$Tc#_N{hBp8rRNko$sM#9p9qIVF(*i|+1TLQaa&}?
z29xkWEu2ClWouNRO5;x>Q4uM-IVv*RrRel&@QN*=&_AL=1C9!1c*RhD{}9GGq4a^N
zl`-v&Rn&g!DYHgW^}}-tf$YpKk3+LtwV~GAo@!j8_-(^{>Cg4kBr=ckFCR;~t?AiD
z{;Z2riP8{RAiTHc6Rxz@=#AbUX!Bx~>9^bOD5|CHdGGC~nE3D_Zz%@=Kc83kEpc4J
z4f2HZ-lB=VRu|QPyR+l7S+3ND7v6FTS$3c7tiV2U*L%Ore!5{B=e`M>8_|_$2?r8x
z)RcsMRm@2<IesX<mbH)NIwY@}?_kXoYt2oTl`9&sD?4(P)SF#AU@)Sd{<Mphuz1)j
zo9lU@$S3=Tm^n3E_L5bN*0b52>3=6V-@ez_I2NWoZE%t6>e18kt`g7LC}TO~lCY4{
zMS^V8AvLTdv+An*@xATC2gns4Ki_y<f@8m{nJ%_VLp4FaL@=7)ocruPn#3H(3vsvT
z#37BT>fVV0>8bj#iSJ66NPlF<&CAJ8erW49GMx;OG3EJMY%Is{iCSz)@;%M?@>CY(
zs1RP%x;0~0a|o-<;@8~ju+HfYDd96l(yZpeU&cLa5~?YQX#1rPb0&>{r<XBBTHli>
zL`^KTE%IEV+v~-7<ji|1-($2L&F&=w3FUd`3Xj*E1{u^`R^=>Kt9QN*xXh@6-OtS2
zQyvvQv`^u>QTQ?iQ`EIE6xuwze6p}8s-=Ob)l)|({r>eSCQj15;PJuCLcS2mV{*-<
zEyI6zO~fCT_hI_>aF)LNnIK`=v{rWIt>GwJ1u#`j%6IXD$c@)7os`J5+ZXt@I4(~o
z|GD?d;80ce@jJ$Y+i62lJVn-l%1aDM?sLand{&e(S%ZM{u*~_fE5SYFw(-<=B!tM=
z-Sq!$f7`yczu`7Zk3KE1BU=~V-{ybW-$G&O(U5}?A3VbVR5&V-vQ^9g3#!1{{x<Qi
zh_ILizTFTr9~}gd3*IpJ5hVCQ{pJLWXz9!!@Kw^hJo-8BK}{{vVK?02f7zl1*M_j=
zE?YluZ3t|?4q?4R1aXH7_E*HM7kJ@o7kF1TM|ZX^9NkwU*ubUCog2}eZxCkcqk|xd
gZ${jF->yX6vF0Os%cNX^ecZcwntcu@lk*M!2lLmP?EnA(

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/policy/protocols/ssl/decryption.zeek b/testing/btest/scripts/policy/protocols/ssl/decryption.zeek
new file mode 100644
index 0000000000..9e73ef418f
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/decryption.zeek
@@ -0,0 +1,10 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls12-decryption.pcap %INPUT
+
+# @TEST-EXEC: btest-diff http.log
+
+@load protocols/ssl/decryption
+@load base/protocols/http
+
+redef SSL::secrets += {
+["\xb4\x0a\x24\x4b\x48\xe4\x2e\xac\x28\x71\x44\xb1\xb7\x39\x30\x57\xca\xa1\x31\xf9\x61\xa7\x8e\x38\xb0\xe7\x7c\x1e"] = "\xbd\x01\xe5\x89\xd1\x05\x19\x9e\x9a\xb5\xfc\x9b\xd7\x58\xb5\xf2\x88\xdb\x28\xfd\x80\xaa\x02\x26\x1e\x47\x65\xac\x13\x57\xd0\x07\xfd\x08\xc7\xbd\xab\x45\x45\x0e\x01\x5a\x01\xd0\x8e\x5e\x7c\xa6",
+};