From cd21b7f1303adcafcfe5949ba394cc8c407ec429 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 25 Nov 2014 11:18:07 -0800 Subject: [PATCH 1/2] Fix x509 analyzer to correctly return ecdsa as the key_type for ecdsa certs. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Returned dsa so far. Bug found by Michał Purzyński --- src/file_analysis/analyzer/x509/X509.cc | 2 +- .../scripts.base.protocols.ssl.ecdsa/ssl.log | 10 ++++++++++ .../scripts.base.protocols.ssl.ecdsa/x509.log | 11 +++++++++++ testing/btest/Traces/tls/ecdsa-cert.pcap | Bin 0 -> 4238 bytes .../btest/scripts/base/protocols/ssl/ecdsa.test | 3 +++ 5 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log create mode 100644 testing/btest/Traces/tls/ecdsa-cert.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ecdsa.test diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 78b6bdd645..69f399c9dc 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -147,7 +147,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val) #ifndef OPENSSL_NO_EC else if ( pkey->type == EVP_PKEY_EC ) { - pX509Cert->Assign(8, new StringVal("dsa")); + pX509Cert->Assign(8, new StringVal("ecdsa")); pX509Cert->Assign(11, KeyCurve(pkey)); } #endif diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log new file mode 100644 index 0000000000..66b30f7b7f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2014-11-25-19-14-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1416942644.508914 CXWv6p3arKYeMETxOg 192.168.4.149 49422 23.92.19.75 443 TLSv12 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 secp384r1 - F - - T Fi6J8q3lDJpbQWAnvi,FDXMnz1NjsQeaBxCU (empty) CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - +#close 2014-11-25-19-14-54 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log new file mode 100644 index 0000000000..efed125f6a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2014-11-25-19-15-51 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1416942644.593119 Fi6J8q3lDJpbQWAnvi 3 F0AFBBF558BF4D1B71FED9CB33793EE4 CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1415404800.000000 1573171199.000000 id-ecPublicKey ecdsa-with-SHA256 ecdsa 384 - secp384r1 pantz.org,www.pantz.org - - - F - +1416942644.593119 FDXMnz1NjsQeaBxCU 3 510601E63B50673C55EE4E19DA304CA8 CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1394668800.000000 1868054399.000000 id-ecPublicKey ecdsa-with-SHA384 ecdsa 256 - prime256v1 - - - - T 0 +#close 2014-11-25-19-15-52 diff --git a/testing/btest/Traces/tls/ecdsa-cert.pcap b/testing/btest/Traces/tls/ecdsa-cert.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8ad7fb70afe96dfe933dd1c5da618a344de1927c GIT binary patch literal 4238 zcmd5=2~<;88vfssg@9~<7$QheKxBOZTu`B4Kv1EIECPeIku?egLIA;~m{LV3h`1Hh zieQy$>(YuvvG!TCN2JQQZ)IGDTB}9TspFuw%)N^-&OLeez5jmyfB*aa z-@7;Go4?pf0uB8a4Fu|VpVvgzmvZ54bdMW27XMVXtX`TNax$C`K>+^Y>Hgr)1z_vx zbwlHY(~lYxO|Fvt1=x5m+0)Y{0w8J5euAQCg5V1rdph&+JDSv^XC39iG}OmUkE{2g zL!X2kfQ%b^86#s4MAK2@%I1;<$it!<^DOCuJUu#1@&%G<{1F%(dE()?1HR?KWQ2;_ zD{*^|s(5YOix7HRp{dlRO91d9-V+!ZBR*>8K`u%QZZ9Jesg)6LKom<|9{LSN6j21> zK>*=GQ5{v`cZ0Xw$T4#0$!^@BmPdPZumAb1`gqhkx0)@}ZH@t~Wf|6$bz<#V3swMi zumu*teDHzsPz)%qFPqu7zGkTrl>_!v@9D!srHs-X%k zTp%lB-PqBr18dCEun8uC2dswx;IU>bk2PXR-~i2`AF4Cwp@Ei&VH^Y^MBE|~fC-o)u#qU4 zLqH0{xdfNwQXGOqau8Q&lBOtvA}NX_NRq_X1c6t<{0YBrU0-30w>Anh=2FQ^j7f8q zH0&ufg?k@f*RKLvQy;{Z6BzN7kpbN0fUdoa$oWAVjS{3FEr$9;$sF`|f~U@{5d zM^XG(hg4IwbDU*|*I%OJAFXSuwU$>YH*4#>Z`nIZ8tQ>{0TA^d5y<1@x5jtP_5F}4`lP$+%@Cs$=? z)T*>zSmfM-G1r?I&QxV9HOkzih=@>`Ib*61$skjap($`zsZ*F-^o*y=2T5=_F3V^b zLCpg?V2|6W_5$gbJIS!BgfovmOIkV3eM7YE-i#IF1V7q!exDc_-}054lHI*{LwuXV zg~CrtH@1py%@1_$4&hzCF@|IGi&pqsrEuoKO_SfUdGy^}Qsf!>uZotW6E~lvI;<0) zs?!n|7%g!|Hx-+aw3rbUS~NZ7-}ol-e%x=OZDUA-Pq&@;<+tgK4GP)Dm=@6%j%~Gt z?;dVQZ?CC{%dgMq@UJU+N4F$4CIrz#qxIwzGDg^3i2Ec1`oRvgh_T@EUAP2?!=s44 zJCd1!jiq!5GliMJHADt9@r4W(5sz_UM)%s0gvcgUqsh#k;Ng+2TP^nlRk|usg?~Kc zGb0#2mz%Q8h#(0j5(C=OVa#-9YE5uW&~iB*i3TR9(_V~9Q0T|$2!lAGU&DSz=n0|c zgFL_;4P=&m&>IUu(D_Uriu=WE7;=CI&424b!`Sx$63fLeLRKYYXAVMSM&j9-(bkMa z+s`2Fki5J+_kKbRC@*R%FjGi7xL(~+aZWO?E5xs`s`KRDOs9hep+Bum4s*Y(JaN3# zY7R148!wArZ++paLG|LDW#XKi;pMAG*;q^6eqH{sdB@ZtD}maIih46@BlLxB8qOtd zPn?-DDeC^)R#%zO`T=!Kp^W{{>KZdcSJxv3)U`ZGtx+Z`6ZAD5kfTXesg;_1eK9j$ zGOxa3_Vhtr&)#DGKh&RCM%XV1I;F(Qe;q0RbP9CsW#y-QwX?DEpMP(#@>f{sz9nL~ zH+$7!<@cos9yJ;0;<06y4I&>`kIwhA_nlB{|FA?Xh+NX??|QZCQ2CXj$3gAmGFRJw zcF5vhc&fDhY)BN$Q3c-TTbFi6&9$$Nd>^Su5>gSxAQj2U+F=!9b$IjUy8*%1*B%SW zt2&oIKt*0FGFaIARD@WrQ%}8$@EI-=6Z8T9Gc6g0A*3`?UWUu1(Jc(ng;4y`mJVX% zOhCUFwl)xmDGUzOcp&N^x6I(Z4%>K}IlS%Z~t-IUUo0c(+D_8A{h-gq8>X`Lx)pn9WhB_yLj=}F;hxnek{;>m&EafyCLWB{*`|#{^joRiP#qqV(nhnB|o5Z)10+OuQ zrw8N6f~n(vUF*}r?E3ujHowC6qkTwK<3W zNg2fz+1Ryg7iC+n7sSRZp5l4Y#%TY7OKbiRgT8Ir%bR8J4r=#*&9R|jPi6BOn?h6D zn*Qzg{b6XUHW4F6I~%|agpS)Qh-bGrzX4G!g|7PE?e~23c?g7+@9%t2Yk^$pHgw=L_gqin zUvpMMcj}Ia_S5q7Gk@^g^)$D``S!w+&?S{WKMwd-w4lW(-UrY3YBJhVqn#mcFN+i5 zsExtmbWwNc>OUH-v2m3g2rCrBKm7dr#3|ab=e`}D?;&);JAfX$!rs`ZD}fFPS zqb6j#rOKqNS&=O|yz`3Trq7G(j@-Gn>#EDqv^$p1E%sltNd3O#-qbsDTRwJAITPJ3 zUNJRgHf#|~3l2;;GF)z*Z2_l_1a?QHSBnlh(T^K{|DqvB9_tu&G9|Xk&2z{2t#_)b zSNl(S>-KZ&+NdMZaZ5wTZXJ+AyO#2O+mcfW#N-ZjA)5gMe>3a#HR1bI+L5mo<|xk_@4f#OcUga9S%hf|M(pH`{ma< zOw&!l3_0vO$Lbx9Lx@Lf^`~Nt`ZBS=TN|r8K`kHr)mv+Vh?QPw2LH(A_Y%uc;@I;f l5+lm%`Vn7AiuVrm9ewpbf&=L&MpKmLo&hn|Nv0V}{talHAS?g? literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ecdsa.test b/testing/btest/scripts/base/protocols/ssl/ecdsa.test new file mode 100644 index 0000000000..a2db7c2cb5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ecdsa.test @@ -0,0 +1,3 @@ +# @TEST-EXEC: bro -C -r $TRACES/tls/ecdsa-cert.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff x509.log From 1e2ba6ebfb22a3abf1d31452794f76b81cb86c19 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 25 Nov 2014 13:11:06 -0800 Subject: [PATCH 2/2] make sslv2 protocol tests more strict - in its current state they triggered on http traffic over port 443 sometimes. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sorry, no test because that specific traffic is a tad hard to get. Found by Michał Purzyński. --- src/analyzer/protocol/ssl/ssl-protocol.pac | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index 8e7f7a221d..6011f2b837 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -36,7 +36,7 @@ type SSLRecord(is_orig: bool) = record { } &length = length+5, &byteorder=bigendian, &let { version : int = - $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4); + $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig); content_type : int = case version of { SSLv20 -> head2+300; @@ -748,7 +748,7 @@ refine connection SSL_Conn += { %} function determine_ssl_record_layer(head0 : uint8, head1 : uint8, - head2 : uint8, head3: uint8, head4: uint8) : int + head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int %{ // re-check record layer version to be sure that we still are synchronized with // the data stream @@ -768,7 +768,7 @@ refine connection SSL_Conn += { if ( head0 & 0x80 ) { - if ( head2 == 0x01 ) // SSLv2 client hello. + if ( head2 == 0x01 && is_orig ) // SSLv2 client hello. { uint16 version = (head3 << 8) | head4; if ( version != SSLv20 && version != SSLv30 && version != TLSv10 && @@ -782,7 +782,7 @@ refine connection SSL_Conn += { return SSLv20; } - else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2. + else if ( head2 == 0x04 && head4 < 2 && !is_orig ) // SSLv2 server hello. This connection will continue using SSLv2. { record_layer_version_ = SSLv20; return SSLv20;