diff --git a/CHANGES b/CHANGES index 8689b23c05..9aae471b07 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,13 @@ +2.3-313 | 2014-11-25 14:27:07 -0800 + + * Make SSL v2 protocol tests more strict. In its former state they + triggered on http traffic over port 443 sometimes. Found by Michał + Purzyński. (Johanna Amann) + + * Fix X509 analyzer to correctly return ECDSA as the key_type for + ECDSA certs. Bug found by Michał Purzyński. (Johanna Amann) + 2.3-310 | 2014-11-19 10:56:59 -0600 * Disable verbose bison output. (Jon Siwek) diff --git a/VERSION b/VERSION index f10ef60374..449f02efea 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3-310 +2.3-313 diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index 8e7f7a221d..a613ebdb68 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -36,7 +36,7 @@ type SSLRecord(is_orig: bool) = record { } &length = length+5, &byteorder=bigendian, &let { version : int = - $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4); + $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig); content_type : int = case version of { SSLv20 -> head2+300; @@ -748,7 +748,7 @@ refine connection SSL_Conn += { %} function determine_ssl_record_layer(head0 : uint8, head1 : uint8, - head2 : uint8, head3: uint8, head4: uint8) : int + head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int %{ // re-check record layer version to be sure that we still are synchronized with // the data stream @@ -768,7 +768,7 @@ refine connection SSL_Conn += { if ( head0 & 0x80 ) { - if ( head2 == 0x01 ) // SSLv2 client hello. + if ( head2 == 0x01 && is_orig ) // SSLv2 client hello. { uint16 version = (head3 << 8) | head4; if ( version != SSLv20 && version != SSLv30 && version != TLSv10 && 
@@ -782,7 +782,7 @@ refine connection SSL_Conn += { return SSLv20; } - else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2. + else if ( head2 == 0x04 && head4 < 2 && ! is_orig ) // SSLv2 server hello. This connection will continue using SSLv2. { record_layer_version_ = SSLv20; return SSLv20; diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 78b6bdd645..69f399c9dc 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -147,7 +147,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val) #ifndef OPENSSL_NO_EC else if ( pkey->type == EVP_PKEY_EC ) { - pX509Cert->Assign(8, new StringVal("dsa")); + pX509Cert->Assign(8, new StringVal("ecdsa")); pX509Cert->Assign(11, KeyCurve(pkey)); } #endif diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log new file mode 100644 index 0000000000..66b30f7b7f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log 
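Review bot: The new `head4 < 2` guard on the SSLv2 server-hello branch carries no explanation of which byte it tests, whereas the client-hello branch in the preceding hunk at least names `head3`/`head4` as the version. By the SSLv2 record layout, with a two-byte header (`head0 & 0x80`) `head4` is the CERTIFICATE-TYPE byte, of which only 0x01 (X.509) is defined, so a comment such as `// head4 is the SSLv2 CERTIFICATE-TYPE byte; only 0x01 (X.509) is defined, so anything larger is not a server hello` would make the constant reviewable. Both branches now also hinge on `is_orig` identifying the client side, which presumably holds only when the connection's originator was observed as the client; that assumption belongs on the `determine_ssl_record_layer` header, whose body continues outside this hunk on both sides.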
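Review bot: The corrected literal still sits at a bare record index with the same shape as the neighbouring DSA branch, which is how the copied `"dsa"` string went unnoticed; a short comment naming the fields would help the next reader, e.g. `pX509Cert->Assign(8, new StringVal("ecdsa")); // certificate.key_type` and `pX509Cert->Assign(11, KeyCurve(pkey)); // certificate.curve`. Those names match the certificate record order shown in the new x509.log baseline (key_type at index 8, curve at 11), but the record declaration itself is not visible in this diff. ParseCertificate continues outside the hunk.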
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2014-11-25-19-14-54
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1416942644.508914 CXWv6p3arKYeMETxOg 192.168.4.149 49422 23.92.19.75 443 TLSv12 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 secp384r1 - F - - T Fi6J8q3lDJpbQWAnvi,FDXMnz1NjsQeaBxCU (empty) CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - -
+#close 2014-11-25-19-14-54
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log
new file mode 100644
index 0000000000..efed125f6a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path x509
+#open 2014-11-25-19-15-51
+#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
+#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
+1416942644.593119 Fi6J8q3lDJpbQWAnvi 3 F0AFBBF558BF4D1B71FED9CB33793EE4 CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1415404800.000000 1573171199.000000 id-ecPublicKey ecdsa-with-SHA256 ecdsa 384 - secp384r1 pantz.org,www.pantz.org - - - F -
+1416942644.593119 FDXMnz1NjsQeaBxCU 3 510601E63B50673C55EE4E19DA304CA8 CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1394668800.000000 1868054399.000000 id-ecPublicKey ecdsa-with-SHA384 ecdsa 256 - prime256v1 - - - - T 0
+#close 2014-11-25-19-15-52
diff --git a/testing/btest/Traces/tls/ecdsa-cert.pcap b/testing/btest/Traces/tls/ecdsa-cert.pcap
new file mode 100644
index 0000000000..8ad7fb70af
Binary files /dev/null and b/testing/btest/Traces/tls/ecdsa-cert.pcap differ
diff --git a/testing/btest/scripts/base/protocols/ssl/ecdsa.test b/testing/btest/scripts/base/protocols/ssl/ecdsa.test
new file mode 100644
index 0000000000..a2db7c2cb5
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ecdsa.test
@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ecdsa-cert.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log