DTLS working.

The only thing that is missing is a signature to detect the protocol (it
has no well-known port).

Reassembly is kind of fidgety - at the moment we only support
re-assembling one simultaneous message per direction (which looking at
our test-traffic might not be a problem). And I am not quite sure if I
got all cases correct...

But - it works :)

scripts/base/protocols/ssl/consts.bro

@@ -6,6 +6,11 @@ export {
 	const TLSv10 = 0x0301;
 	const TLSv11 = 0x0302;
 	const TLSv12 = 0x0303;
+
+	const DTLSv10 = 0xFEFF;
+	# DTLSv11 does not exist
+	const DTLSv12 = 0xFEFD;
+
 	## Mapping between the constants and string values for SSL/TLS versions.
 	const version_strings: table[count] of string = {
 		[SSLv2] = "SSLv2",
@@ -13,6 +18,8 @@ export {
 		[TLSv10] = "TLSv10",
 		[TLSv11] = "TLSv11",
 		[TLSv12] = "TLSv12",
+		[DTLSv10] = "DTLSv10",
+		[DTLSv12] = "DTLSv12"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 	## TLS content types:

src/analyzer/protocol/ssl/CMakeLists.txt

@@ -6,7 +6,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 bro_plugin_begin(Bro SSL)
 bro_plugin_cc(SSL.cc Plugin_SSL.cc)
 bro_plugin_bif(events.bif)
-bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac)
+bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyzer.pac ssl-defs.pac)
 bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac)
 bro_plugin_end()
 

src/analyzer/protocol/ssl/DTLS.cc

@@ -5,28 +5,61 @@
 
 #include "events.bif.h"
 
+#include "dtls_pac.h"
+#include "tls-handshake_pac.h"
+
 using namespace analyzer::dtls;
 
 DTLS_Analyzer::DTLS_Analyzer(Connection* c)
 : analyzer::Analyzer("DTLS", c)
 	{
 	interp = new binpac::DTLS::SSL_Conn(this);
-	fprintf(stderr, "Instantiated :)\n");
+	handshake_interp = new binpac::TLSHandshake::Handshake_Conn(this);
 	}
 
 DTLS_Analyzer::~DTLS_Analyzer()
 	{
 	delete interp;
+	delete handshake_interp;
 	}
 
 void DTLS_Analyzer::Done()
 	{
-		Analyzer::Done();
+	Analyzer::Done();
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	handshake_interp->FlowEOF(true);
+	handshake_interp->FlowEOF(false);
 	}
 
 void DTLS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-	fprintf(stderr, "Delivered packet :)\n");
 	interp->NewData(orig, data, data + len);
 	}
+
+void DTLS_Analyzer::EndOfData(bool is_orig)
+	{
+	Analyzer::EndOfData(is_orig);
+	interp->FlowEOF(is_orig);
+	handshake_interp->FlowEOF(is_orig);
+	}
+
+
+void DTLS_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
+	{
+	try
+		{
+		handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);
+		uint32 host_length = htonl(length);
+		// the parser inspects a uint24 - since it is big-endian, it should be ok to just skip
+		// the first byte of the uint32. Since we get the data from an uint24 from the dtls-parser, this should
+		// always yield the correct result.
+		handshake_interp->NewData(orig, (const unsigned char*) &host_length + 1, (const unsigned char*) &host_length + sizeof(host_length));
+		handshake_interp->NewData(orig, begin, end);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}

src/analyzer/protocol/ssl/DTLS.h

@@ -4,7 +4,10 @@
 #include "events.bif.h"
 
 #include "analyzer/protocol/udp/UDP.h"
-#include "dtls_pac.h"
+
+namespace binpac { namespace DTLS { class SSL_Conn; } }
+
+namespace binpac { namespace TLSHandshake { class Handshake_Conn; } }
 
 namespace analyzer { namespace dtls {
 
@@ -17,6 +20,9 @@ public:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
 					uint64 seq, const IP_Hdr* ip, int caplen);
+	virtual void EndOfData(bool is_orig);
+
+	void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig);
 
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)
@@ -24,6 +30,7 @@ public:
 
 protected:
 	binpac::DTLS::SSL_Conn* interp;
+	binpac::TLSHandshake::Handshake_Conn* handshake_interp;
 };
 
 } } // namespace analyzer::*

src/analyzer/protocol/ssl/SSL.cc

@@ -30,12 +30,15 @@ void SSL_Analyzer::Done()
 
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
+	handshake_interp->FlowEOF(true);
+	handshake_interp->FlowEOF(false);
 	}
 
 void SSL_Analyzer::EndpointEOF(bool is_orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
+	handshake_interp->FlowEOF(is_orig);
 	}
 
 void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)

src/analyzer/protocol/ssl/dtls-analyzer.pac

@@ -1,2 +1,150 @@
 
+refine connection SSL_Conn += {
+
+	%member{
+
+		struct message_info {
+			uint64 message_first_sequence; // the minumum dtls sequence number for this handshake fragment
+			bool first_sequence_seen; // did we actually see the fragment with the smallest number
+			uint64 message_last_sequence; // the mazimum dtls sequence number for this handshake fragment
+			uint16 message_handshake_sequence; // the handshake sequence number of this handshake (to identify)
+			uint32 message_length; // data length of this handshake (data in buffer)
+			uint32 message_sequence_seen; // a bitfield that shows which sequence numbers we already saw, offset from first_seq.
+			u_char* buffer;
+		} server, client;
+	%}
+
+	%init{
+		memset(&server, 0, sizeof(server));
+		memset(&client, 0, sizeof(client));
+	%}
+
+	%cleanup{
+		delete [] server.buffer;
+		delete [] client.buffer;
+	%}
+
+	function proc_dtls(pdu: SSLRecord, sequence: uint64): bool
+		%{
+		//fprintf(stderr, "Type: %d, sequence number: %d, epoch: %d\n", ${pdu.content_type}, sequence, ${pdu.epoch});
+
+		return true;
+		%}
+
+	function proc_handshake(pdu: SSLRecord, rec: Handshake): bool
+		%{
+		uint32 foffset = to_int()(${rec.fragment_offset});
+		uint32 flength = to_int()(${rec.fragment_length});
+		uint32 length = to_int()(${rec.length});
+		uint64 sequence_number = to_int()(${pdu.sequence_number});
+		//fprintf(stderr, "Handshake type: %d, length: %u, seq: %u, foffset: %u, flength: %u\n", ${rec.msg_type}, to_int()(${rec.length}), ${rec.message_seq}, to_int()(${rec.fragment_offset}), to_int()(${rec.fragment_length}));
+
+		if ( foffset == 0 && length == flength )
+			{
+			//fprintf(stderr, "Complete fragment, forwarding...\n");
+			bro_analyzer()->SendHandshake(${rec.msg_type}, length, ${rec.data}.begin(), ${rec.data}.end(), ${pdu.is_orig});
+			return true;
+			}
+
+		// if we fall through here, the message has to be reassembled. Let's first get the right info record...
+		message_info* i;
+		if ( ${pdu.is_orig} )
+			i = &client;
+		else
+			i = &server;
+
+		if ( length > MAX_DTLS_HANDSHAKE_RECORD )
+			{
+			bro_analyzer()->ProtocolViolation(fmt("DTLS record length %u larger than allowed maximum.", length));
+			return true;
+			}
+
+		if ( i->message_handshake_sequence != ${rec.message_seq} || i->message_length != length || i->buffer == 0 )
+			{
+			// cannot resume reassembling. Let's abandon the current data and try anew...
+			delete [] i->buffer;
+			memset(i, 0, sizeof(message_info));
+			i->message_handshake_sequence = ${rec.message_seq};
+			i->message_length = length;
+			i->buffer = new u_char[length];
+			// does not have to be the first sequence number - we cannot figure that out at this point. If it is not,
+			// we will fix that later...
+			i->message_first_sequence = sequence_number;
+			}
+
+		// if we arrive here, we are actually ready to resume.
+		if ( i->message_first_sequence > sequence_number )
+			{
+			if ( i->first_sequence_seen )
+				{
+				bro_analyzer()->ProtocolViolation("Saw second and different first message fragment for handshake.");
+				return true;
+				}
+			// first sequence number was incorrect, let's fix that.
+			uint64 diff = i->message_first_sequence - sequence_number;
+			i->message_sequence_seen = i->message_sequence_seen << diff;
+			i->message_first_sequence = sequence_number;
+			}
+
+		// if we have offset 0, we know the smallest number...
+		if ( foffset == 0 )
+			i->first_sequence_seen = true;
+
+		// check if we already saw the message
+		if ( ( i->message_sequence_seen & ( 1 << (sequence_number - i->message_first_sequence) ) ) != 0 )
+			return true; // do not handle same message fragment twice
+
+		// copy data from fragment to buffer
+		if ( ${rec.data}.length() != flength )
+			{
+			bro_analyzer()->ProtocolViolation(fmt("DTLS handshake record length does not match packet length"));
+			return true;
+			}
+
+		if ( foffset + flength > length )
+			{
+			bro_analyzer()->ProtocolViolation(fmt("DTLS handshake fragment trying to write past end of buffer"));
+			return true;
+			}
+
+		// store that we handled fragment
+		i->message_sequence_seen |= 1 << (sequence_number - i->message_first_sequence);
+		memcpy(i->buffer + foffset, ${rec.data}.data(), ${rec.data}.length());
+
+		//fprintf(stderr, "Copied to buffer offset %u length %u\n", foffset, ${rec.data}.length());
+
+		// store last fragment information if this is the last fragment...
+
+		// check if we saw all fragments so far. If yes, forward...
+		if ( foffset + flength == length )
+			i->message_last_sequence = sequence_number;
+
+		if ( i->message_last_sequence != 0 && i->first_sequence_seen )
+			{
+			uint64 total_length = i->message_last_sequence - i->message_first_sequence;
+			if ( total_length > 32 )
+				{
+				bro_analyzer()->ProtocolViolation(fmt("DTLS Message fragmented over more than 32 pieces. Cannot reassemble."));
+				return true;
+				}
+
+			if ( ( ~(i->message_sequence_seen) & ( ( 1<<(total_length+1) ) -1 ) ) == 0 )
+				{
+				//fprintf(stderr, "ALl fragments here. Total length %u\n", length);
+				bro_analyzer()->SendHandshake(${rec.msg_type}, length, i->buffer, i->buffer + length, ${pdu.is_orig});
+				}
+			}
+
+
+		return true;
+		%}
+};
+
+refine typeattr SSLRecord += &let {
+	proc: bool = $context.connection.proc_dtls(this, to_int()(sequence_number));
+};
+
+refine typeattr Handshake += &let {
+	proc: bool = $context.connection.proc_handshake(rec, this);
+};
 

src/analyzer/protocol/ssl/dtls-protocol.pac

@@ -10,14 +10,27 @@ type DTLSPDU(is_orig: bool) = record {
 type SSLRecord(is_orig: bool) = record {
 	content_type: uint8;
 	version: uint16;
+# the epoch signalizes that a changecipherspec message has been received. Hence, everything with
+# an epoch > 0 should be encrypted
 	epoch: uint16;
 	sequence_number: uint48;
 	length: uint16;
-	rec: PlaintextRecord(this)[] &length=length;
-#	data: bytestring &restofdata &transient;
-} &byteorder = bigendian,
-	&let {
-	parse : bool = $context.connection.proc_dtls(this, to_int()(sequence_number));
+	cont: case valid of {
+		true -> rec: RecordText(this)[] &length=length;
+    false -> swallow: bytestring &restofdata;
+	};
+} &byteorder = bigendian, &let {
+# Do not parse body if packet version invalid
+	valid: bool = $context.connection.dtls_version_ok(version);
+};
+
+type RecordText(rec: SSLRecord) = case rec.epoch of {
+	0	-> plaintext : PlaintextRecord(rec);
+	default -> ciphertext : CiphertextRecord(rec);
+};
+
+refine casetype PlaintextRecord += {
+	HANDSHAKE		-> handshake : Handshake(rec);
 };
 
 type Handshake(rec: SSLRecord) = record {
@@ -26,15 +39,22 @@ type Handshake(rec: SSLRecord) = record {
 	message_seq: uint16;
 	fragment_offset: uint24;
 	fragment_length: uint24;
+	data: bytestring &restofdata;
 }
 
 refine connection SSL_Conn += {
 
-	function proc_dtls(pdu: SSLRecord, sequence: uint64): bool
-	%{
-		fprintf(stderr, "Type: %d, sequence number: %d, epoch: %d\n", ${pdu.content_type}, sequence, ${pdu.epoch});
+	function dtls_version_ok(version: uint16): uint16
+		%{
+		switch ( version ) {
+		case DTLSv10:
+		case DTLSv12:
+			return true;
 
-		return true;
-	%}
+		default:
+			bro_analyzer()->ProtocolViolation(fmt("Invalid version in DTLS connection. Packet reported version: %d", version));			
+			return false;
+		}
+		%}
 
 };

src/analyzer/protocol/ssl/dtls.pac

@@ -5,14 +5,21 @@
 
 %extern{
 #include "events.bif.h"
+
+namespace analyzer { namespace dtls { class DTLS_Analyzer; } }
+typedef analyzer::dtls::DTLS_Analyzer* DTLSAnalyzer;
+
+#include "DTLS.h"
 %}
 
+extern type DTLSAnalyzer;
+
 analyzer DTLS withcontext {
 	connection: SSL_Conn;
 	flow:       DTLS_Flow;
 };
 
-connection SSL_Conn(bro_analyzer: BroAnalyzer) {
+connection SSL_Conn(bro_analyzer: DTLSAnalyzer) {
 	upflow = DTLS_Flow(true);
 	downflow = DTLS_Flow(false);
 };
@@ -21,7 +28,6 @@ connection SSL_Conn(bro_analyzer: BroAnalyzer) {
 %include dtls-protocol.pac
 
 flow DTLS_Flow(is_orig: bool) {
-#	flowunit = SSLRecord(is_orig) withcontext(connection, this);
   datagram = DTLSPDU(is_orig) withcontext(connection, this);
 }
 

src/analyzer/protocol/ssl/ssl-defs.pac

@@ -71,6 +71,8 @@ function version_ok(vers : uint16) : bool
 	case TLSv10:
 	case TLSv11:
 	case TLSv12:
+	case DTLSv10:
+	case DTLSv12:
 		return true;
 
 	default:
@@ -86,6 +88,9 @@ using std::string;
 #include "events.bif.h"
 %}
 
+# a maximum of 100k for one record seems safe 
+let MAX_DTLS_HANDSHAKE_RECORD: uint32 = 100000;
+
 enum ContentType {
 	CHANGE_CIPHER_SPEC = 20,
 	ALERT = 21,
@@ -106,7 +111,11 @@ enum SSLVersions {
 	SSLv30		= 0x0300,
 	TLSv10		= 0x0301,
 	TLSv11		= 0x0302,
-	TLSv12		= 0x0303
+	TLSv12		= 0x0303,
+
+	DTLSv10   = 0xFEFF,
+# DTLSv11 does not exist.
+	DTLSv12   = 0xFEFD
 };
 
 enum SSLExtensions {

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -42,10 +42,8 @@ refine casetype PlaintextRecord += {
 	V2_SERVER_HELLO		-> v2_server_hello : V2ServerHello(rec);
 };
 
+# Handshakes are parsed by the handshake analyzer.
 type Handshake(rec: SSLRecord) = record {
-#	msg_type: uint8;
-#	length: uint24;
-#	data: bytestring &length=to_int()(length);
 	data: bytestring &restofdata;
 };
 

src/analyzer/protocol/ssl/tls-handshake-protocol.pac

@@ -6,6 +6,7 @@ enum HandshakeType {
 	HELLO_REQUEST       = 0,
 	CLIENT_HELLO        = 1,
 	SERVER_HELLO        = 2,
+	HELLO_VERIFY_REQUEST = 3, # DTLS
 	SESSION_TICKET      = 4, # RFC 5077
 	CERTIFICATE         = 11,
 	SERVER_KEY_EXCHANGE = 12,
@@ -30,20 +31,21 @@ type HandshakeRecord(is_orig: bool) = record {
 } &length=(to_int()(msg_length) + 4);
 
 type Handshake(rec: HandshakeRecord) = case rec.msg_type of {
-	HELLO_REQUEST       -> hello_request       : HelloRequest(rec);
-	CLIENT_HELLO        -> client_hello        : ClientHello(rec);
-	SERVER_HELLO        -> server_hello        : ServerHello(rec);
-	SESSION_TICKET      -> session_ticket      : SessionTicketHandshake(rec);
-	CERTIFICATE         -> certificate         : Certificate(rec);
-	SERVER_KEY_EXCHANGE -> server_key_exchange : ServerKeyExchange(rec);
-	CERTIFICATE_REQUEST -> certificate_request : CertificateRequest(rec);
-	SERVER_HELLO_DONE   -> server_hello_done   : ServerHelloDone(rec);
-	CERTIFICATE_VERIFY  -> certificate_verify  : CertificateVerify(rec);
-	CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec);
-	FINISHED            -> finished            : Finished(rec);
-	CERTIFICATE_URL     -> certificate_url     : bytestring &restofdata &transient;
-	CERTIFICATE_STATUS  -> certificate_status  : CertificateStatus(rec);
-	default             -> unknown_handshake   : UnknownHandshake(rec, rec.is_orig);
+	HELLO_REQUEST        -> hello_request        : HelloRequest(rec);
+	CLIENT_HELLO         -> client_hello         : ClientHello(rec);
+	SERVER_HELLO         -> server_hello         : ServerHello(rec);
+	HELLO_VERIFY_REQUEST -> hello_verify_request : HelloVerifyRequest(rec);
+	SESSION_TICKET       -> session_ticket       : SessionTicketHandshake(rec);
+	CERTIFICATE          -> certificate          : Certificate(rec);
+	SERVER_KEY_EXCHANGE  -> server_key_exchange  : ServerKeyExchange(rec);
+	CERTIFICATE_REQUEST  -> certificate_request  : CertificateRequest(rec);
+	SERVER_HELLO_DONE    -> server_hello_done    : ServerHelloDone(rec);
+	CERTIFICATE_VERIFY   -> certificate_verify   : CertificateVerify(rec);
+	CLIENT_KEY_EXCHANGE  -> client_key_exchange  : ClientKeyExchange(rec);
+	FINISHED             -> finished             : Finished(rec);
+	CERTIFICATE_URL      -> certificate_url      : bytestring &restofdata &transient;
+	CERTIFICATE_STATUS   -> certificate_status   : CertificateStatus(rec);
+	default              -> unknown_handshake    : UnknownHandshake(rec, rec.is_orig);
 }
 
 type HandshakePDU(is_orig: bool) = record {
@@ -72,6 +74,10 @@ type ClientHello(rec: HandshakeRecord) = record {
 	random_bytes : bytestring &length = 28;
 	session_len : uint8;
 	session_id : uint8[session_len];
+	dtls_cookie: case client_version of {
+		DTLSv10 -> cookie: ClientHelloCookie(rec);
+		default -> nothing: bytestring &length=0;
+	};
 	csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0);
 	csuits : uint16[csuit_len/2];
 	cmeth_len : uint8 &check(cmeth_len > 0);
@@ -82,6 +88,11 @@ type ClientHello(rec: HandshakeRecord) = record {
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
 };
 
+type ClientHelloCookie(rec: HandshakeRecord) = record {
+	cookie_len : uint8;
+	cookie : bytestring &length = cookie_len;
+};
+
 ######################################################################
 # V3 Server Hello (7.4.1.3.)
 ######################################################################
@@ -103,6 +114,16 @@ type ServerHello(rec: HandshakeRecord) = record {
 		$context.connection.set_cipher(cipher_suite[0]);
 };
 
+######################################################################
+# DTLS Hello Verify Request
+######################################################################
+
+type HelloVerifyRequest(rec: HandshakeRecord) = record {
+	version: uint16;
+	cookie_length: uint8;
+	cookie: bytestring &length=cookie_length;
+};
+
 ######################################################################
 # V3 Server Certificate (7.4.2.)
 ######################################################################

testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2015-03-12-22-40-14
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1425932016.520157	CXWv6p3arKYeMETxOg	192.168.6.86	63721	104.236.167.107	4433	DTLSv10	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	FZi2Ct2AcCswhiIjKe	(empty)	CN=bro	CN=bro	-	-
+#close	2015-03-12-22-40-14

testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x509.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2015-03-12-22-40-14
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1425932016.611299	FZi2Ct2AcCswhiIjKe	3	E8E48E456C32945F	CN=bro	CN=bro	1425931873.000000	1457467873.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2015-03-12-22-40-14

testing/btest/scripts/base/protocols/ssl/dtls.test

@@ -0,0 +1,5 @@
+# This tests a normal SSL connection and the log it outputs.
+
+# @TEST-EXEC: bro -r $TRACES/tls/dtls-openssl.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log