Make parsing of ServerKeyExchange work for D(TLS) < 1.2.

Now we only parse the SignatureAndHashalgorithm field in cases where it is present. This change also takes care to respect SCTs, which do include the SignatureAndHashalgorithm in their digitally-signed struct, even when used in protocol versions that do not have the SignatureAndHashalgorithm in the protocols digitally-signed struct. I also added tests to make sure this does indeed work with TLS 1.1 - it turns out that so far we did not have a single TLS 1.1 pcap.
2025-10-06 16:48:19 +00:00 · 2017-11-30 12:18:14 -08:00 · 2017-11-30 12:18:14 -08:00 · 94f55532f2
commit 94f55532f2
parent fdf8717588
18 changed files with 163 additions and 17 deletions
--- a/testing/btest/scripts/base/protocols/ssl/basic.test
+++ b/testing/btest/scripts/base/protocols/ssl/basic.test
@ -3,3 +3,4 @@
 # @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: test ! -f dpd.log
--- a/testing/btest/scripts/base/protocols/ssl/dtls.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls.test
@ -1,5 +1,10 @@
 # This tests a normal SSL connection and the log it outputs.

-# @TEST-EXEC: bro -r $TRACES/tls/dtls-openssl.pcap %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT
+# @TEST-EXEC: cp ssl.log ssl1_2.log
+# @TEST-EXEC: cp x509.log x5091_2.log
+# @TEST-EXEC: btest-diff ssl1_2.log
+# @TEST-EXEC: btest-diff x5091_2.log
--- a/testing/btest/scripts/base/protocols/ssl/keyexchange.test
+++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test
@ -4,6 +4,12 @@
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
 # @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
 # @TEST-EXEC: btest-diff ssl-all.log

 # Test the new client and server key exchange events.
--- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
@ -1,5 +1,15 @@
 # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
+#
+# The following file contains a tls 1.0 connection with a SCT in a TLS extension.
+# This is interesting because the digitally-signed struct in TLS 1.0 does not come
+# with a SignatureAndHashAlgorithm structure. The digitally-signed struct in the
+# SCT is, however, based on the TLS 1.2 RFC, no matter which version of TLS one
+# uses in the end. So this one does have a Signature/Hash alg, even if the protocol
+# itself does not carry it in the same struct.
+#
+# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp_tls1_0.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: test ! -f dpd.log

 export {
 	type LogInfo: record {
--- a/testing/btest/scripts/base/protocols/ssl/tls1_1.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls1_1.test
@ -0,0 +1,6 @@
+# This tests a normal SSL connection and the log it outputs.
+
+# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: test ! -f dpd.log