Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath:
  make sslv2 protocol tests more strict - in its current state they triggered on http traffic over port 443 sometimes.
  Fix x509 analyzer to correctly return ecdsa as the key_type for ecdsa certs.

CHANGES

@@ -1,4 +1,13 @@
 
+2.3-313 | 2014-11-25 14:27:07 -0800
+
+  * Make SSL v2 protocol tests more strict. In its former state they
+    triggered on http traffic over port 443 sometimes. Found by Michał
+    Purzyński. (Johanna Amann)
+
+  * Fix X509 analyzer to correctly return ECDSA as the key_type for
+    ECDSA certs. Bug found by Michał Purzyński. (Johanna Amann)
+
 2.3-310 | 2014-11-19 10:56:59 -0600
 
   * Disable verbose bison output. (Jon Siwek)

VERSION

@@ -1 +1 @@
-2.3-310
+2.3-313

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -36,7 +36,7 @@ type SSLRecord(is_orig: bool) = record {
 } &length = length+5, &byteorder=bigendian,
 	&let {
 	version : int =
-		$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4);
+		$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
 
 	content_type : int = case version of {
 		SSLv20 -> head2+300;
@@ -748,7 +748,7 @@ refine connection SSL_Conn += {
 		%}
 
 	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
-					head2 : uint8, head3: uint8, head4: uint8) : int
+					head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int
 		%{
 		// re-check record layer version to be sure that we still are synchronized with
 		// the data stream
@@ -768,7 +768,7 @@ refine connection SSL_Conn += {
 
 		if ( head0 & 0x80 )
 			{
-			if ( head2 == 0x01 ) // SSLv2 client hello.
+			if ( head2 == 0x01 && is_orig ) // SSLv2 client hello.
 				{
 				uint16 version = (head3 << 8) | head4;
 				if ( version != SSLv20 && version != SSLv30 && version != TLSv10 &&
@@ -782,7 +782,7 @@ refine connection SSL_Conn += {
 					return SSLv20;
 				}
 
-			else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2.
+			else if ( head2 == 0x04 && head4 < 2 && ! is_orig ) // SSLv2 server hello. This connection will continue using SSLv2.
 				{
 				record_layer_version_ = SSLv20;
 				return SSLv20;

src/file_analysis/analyzer/x509/X509.cc

@@ -147,7 +147,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 #ifndef OPENSSL_NO_EC
 		else if ( pkey->type == EVP_PKEY_EC )
 			{
-			pX509Cert->Assign(8, new StringVal("dsa"));
+			pX509Cert->Assign(8, new StringVal("ecdsa"));
 			pX509Cert->Assign(11, KeyCurve(pkey));
 			}
 #endif

testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-11-25-19-14-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1416942644.508914	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	TLSv12	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	secp384r1	-	F	-	-	T	Fi6J8q3lDJpbQWAnvi,FDXMnz1NjsQeaBxCU	(empty)	CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated	CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
+#close	2014-11-25-19-14-54

testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-11-25-19-15-51
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1416942644.593119	Fi6J8q3lDJpbQWAnvi	3	F0AFBBF558BF4D1B71FED9CB33793EE4	CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated	CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1415404800.000000	1573171199.000000	id-ecPublicKey	ecdsa-with-SHA256	ecdsa	384	-	secp384r1	pantz.org,www.pantz.org	-	-	-	F	-
+1416942644.593119	FDXMnz1NjsQeaBxCU	3	510601E63B50673C55EE4E19DA304CA8	CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1394668800.000000	1868054399.000000	id-ecPublicKey	ecdsa-with-SHA384	ecdsa	256	-	prime256v1	-	-	-	-	T	0
+#close	2014-11-25-19-15-52

testing/btest/scripts/base/protocols/ssl/ecdsa.test

@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ecdsa-cert.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log