Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/fastpath'

Browse source 
* origin/fastpath:
  make sslv2 protocol tests more strict - in its current state they triggered on http traffic over port 443 sometimes.
  Fix x509 analyzer to correctly return ecdsa as the key_type for ecdsa certs.
This commit is contained in:
Robin Sommer 2014-11-25 14:27:07 -08:00
commit 977446e7ee
8 changed files with 39 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

9
CHANGES
View file

@ -1,4 +1,13 @@
2.3-313 | 2014-11-25 14:27:07 -0800
* Make SSL v2 protocol tests more strict. In its former state they
triggered on http traffic over port 443 sometimes. Found by Michał
Purzyński. (Johanna Amann)
* Fix X509 analyzer to correctly return ECDSA as the key_type for
ECDSA certs. Bug found by Michał Purzyński. (Johanna Amann)
2.3-310 | 2014-11-19 10:56:59 -0600
* Disable verbose bison output. (Jon Siwek)

2
VERSION
View file

@ -1 +1 @@
2.3-310
2.3-313

8
src/analyzer/protocol/ssl/ssl-protocol.pac
View file

@ -36,7 +36,7 @@ type SSLRecord(is_orig: bool) = record {
} &length = length+5, &byteorder=bigendian,
&let {
version : int =
$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4);
$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig);
content_type : int = case version of {
SSLv20 -> head2+300;
@ -748,7 +748,7 @@ refine connection SSL_Conn += {
%}
function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
head2 : uint8, head3: uint8, head4: uint8) : int
head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int
%{
// re-check record layer version to be sure that we still are synchronized with
// the data stream
@ -768,7 +768,7 @@ refine connection SSL_Conn += {
if ( head0 & 0x80 )
{
if ( head2 == 0x01 ) // SSLv2 client hello.
if ( head2 == 0x01 && is_orig ) // SSLv2 client hello.
{
uint16 version = (head3 << 8) | head4;
if ( version != SSLv20 && version != SSLv30 && version != TLSv10 &&
@ -782,7 +782,7 @@ refine connection SSL_Conn += {
return SSLv20;
}
else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2.
else if ( head2 == 0x04 && head4 < 2 && ! is_orig ) // SSLv2 server hello. This connection will continue using SSLv2.
{
record_layer_version_ = SSLv20;
return SSLv20;

2
src/file_analysis/analyzer/x509/X509.cc
View file

@ -147,7 +147,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
#ifndef OPENSSL_NO_EC
else if ( pkey->type == EVP_PKEY_EC )
{
pX509Cert->Assign(8, new StringVal("dsa"));
pX509Cert->Assign(8, new StringVal("ecdsa"));
pX509Cert->Assign(11, KeyCurve(pkey));
}
#endif

10
testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/ssl.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-11-25-19-14-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
1416942644.508914 CXWv6p3arKYeMETxOg 192.168.4.149 49422 23.92.19.75 443 TLSv12 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 secp384r1 - F - - T Fi6J8q3lDJpbQWAnvi,FDXMnz1NjsQeaBxCU (empty) CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - -
#close 2014-11-25-19-14-54

11
testing/btest/Baseline/scripts.base.protocols.ssl.ecdsa/x509.log Normal file
View file

@ -0,0 +1,11 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path x509
#open 2014-11-25-19-15-51
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
1416942644.593119 Fi6J8q3lDJpbQWAnvi 3 F0AFBBF558BF4D1B71FED9CB33793EE4 CN=pantz.org,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1415404800.000000 1573171199.000000 id-ecPublicKey ecdsa-with-SHA256 ecdsa 384 - secp384r1 pantz.org,www.pantz.org - - - F -
1416942644.593119 FDXMnz1NjsQeaBxCU 3 510601E63B50673C55EE4E19DA304CA8 CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1394668800.000000 1868054399.000000 id-ecPublicKey ecdsa-with-SHA384 ecdsa 256 - prime256v1 - - - - T 0
#close 2014-11-25-19-15-52

BIN
testing/btest/Traces/tls/ecdsa-cert.pcap Normal file
View file

Binary file not shown.

3
testing/btest/scripts/base/protocols/ssl/ecdsa.test Normal file
View file

@ -0,0 +1,3 @@
# @TEST-EXEC: bro -C -r $TRACES/tls/ecdsa-cert.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff x509.log