diff --git a/NEWS b/NEWS
index 806a43eac4..5fef32d1e9 100644
--- a/NEWS
+++ b/NEWS
@@ -207,6 +207,10 @@ New Functionality
 - The ``ip4_hdr`` record was extended by ``DF``, ``MF``, ``offset`` and ``sum`` to aid packet-level analysis use-cases.
+- Zeek now supports parsing the recently standardized DTLS 1.3. Besides the protocol
+ messages being correctly parsed and raising the typical SSL/TLS events, the biggest
+ visible change is the newly added ``ssl_extension_connection_id`` event.
+
 Changed Functionality
 ---------------------
@@ -306,6 +310,9 @@ Changed Functionality
 - Libpcap based packet source now avoids the 32bit wraparound of link and dropped packet counters as reported by users.
+- The ``ssl_history`` field of ``ssl.log`` now correctly logs Hello Retry Request
+ messages. Before, they were incorrectly logged as Server Hellos.
+
 Removed Functionality
 ---------------------
diff --git a/src/analyzer/protocol/ssl/dtls-analyzer.pac b/src/analyzer/protocol/ssl/dtls-analyzer.pac
index 61c1e21846..be60fdfc77 100644
--- a/src/analyzer/protocol/ssl/dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac
@@ -156,7 +156,9 @@ refine connection SSL_Conn += {
 if ( ssl_encrypted_data )
 {
- // FIXME: swallow is not quite the correct length, because we are not parsing the entire header
+ // In case a CID is given, swallow is not quite the correct length, because we are not parsing the entire header. This is not entirely
+ // trivial to work around, and the workaround won't work in all cases - and it might also not matter.
+ // We also have more potentially interesting information (the sequence number) - which we don't currently give to scriptland.
 zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(), zeek_analyzer()->Conn(), is_orig ^ zeek_analyzer()->GetFlipped(), DTLSv13, APPLICATION_DATA, ur->swallow().length());
 }
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac
index 84f1542362..45fd556bbb 100644
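Review bot: The rewritten comment above `enqueue_ssl_encrypted_data` says the over-count "might also not matter" but never states what the reported value actually is; from the UnifiedRecord changes in this same commit, with a CID `ur->swallow()` is everything after the first header byte, i.e. CID + 1- or 2-byte sequence number + optional 2-byte length + ciphertext, and the CID length is only announced in the peer's hello. Suggest replacing the vague sentence with `// With a CID, swallow() = cid + seqnum (1 or 2 bytes) + optional 2-byte length + ciphertext; the CID length is only announced in the peer's ConnectionId extension, so we cannot subtract it here.` The enclosing handler starts and ends outside this hunk.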
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@@ -24,15 +24,24 @@ type SSLRecordSwitch(is_orig: bool) = record {
 type UnifiedRecord(firstbyte: uint8, is_orig: bool) = record {
 # sequence_number: bytestring &length=(sequence_number_length?2:1);
- # lets just ignore eveything for now. We have very limited example
- # data, and it is hard to parse the CID due to variable length.
+ # If we have a CID, we do currently not try to parse anything, as the connection
+ # ID is variable length, with the length not given in this packet (but only in the hello message
+ # of the opposite side of the direction).
+ seqnum: case with_cid of {
+ false -> sequence_number: bytestring &length=(sequence_number_length?2:1);
+ true -> nothing1: bytestring &length=0;
+ } &requires(sequence_number_length) &requires(with_cid);
+ lenthfield: case (with_cid == false && length_present == true) of {
+ true -> length: uint16;
+ false -> nothing2: bytestring &length=0;
+ } &requires(length_present) &requires(with_cid);
 swallow: bytestring &restofdata;
 } &let {
 with_cid: bool = ((firstbyte&0x10)==0x10);
 sequence_number_length: bool = ((firstbyte&0x08)==0x08);
- lengh_present: bool = ((firstbyte&0x04)==0x04);
+ length_present: bool = ((firstbyte&0x04)==0x04);
 epoch_low_bits: uint8 = (firstbyte&0x03);
-};
+} &byteorder = bigendian;
 type SSLRecord(content_type: uint8, is_orig: bool) = record {
 version: uint16;
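Review bot: The 16-bit `length` is now parsed in the no-CID case but nothing consumes it: `swallow` stays `&restofdata`, so the value later handed to `ssl_encrypted_data` still runs to the end of the datagram. RFC 9147 allows several records per datagram and the length field exists precisely to delimit them (a record without it consumes the remainder), so for such datagrams the reported length also covers the trailing records; whether those are then parsed at all depends on SSLRecordSwitch, which is outside this hunk. Consider bounding the payload with `&length=length` when `with_cid == false && length_present == true` and falling back to `&restofdata` otherwise, or at minimum noting the limitation in a comment at `swallow`. Separately, `lenthfield` is misspelled; `lengthfield` would match the `lengh_present` -> `length_present` fix made in the same hunk.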
@@ -106,7 +106,7 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
 ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-## ssl_connection_flipped
+## ssl_connection_flipped ssl_extension_connection_id
 event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);
 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
@@ -129,6 +129,7 @@ event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: index_vec%);
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -153,6 +154,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: ind
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ## ssl_rsa_client_pms ssl_server_signature
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_formats: index_vec%);
 ## Generated for an Signature Algorithms extension. This TLS extension
@@ -176,6 +178,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_form
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ## ssl_rsa_client_pms ssl_server_signature
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
 ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
@@ -198,6 +201,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signatu
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ## ssl_rsa_client_pms ssl_server_signature
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec%);
 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
@@ -222,6 +226,7 @@ event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
+## ssl_extension_connection_id
 event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec%);
 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
@@ -242,6 +247,7 @@ event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool,
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_pre_shared_key_server_hello%(c: connection, is_client: bool, selected_identity: count%);
 ## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
@@ -360,6 +366,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ## ssl_extension_signed_certificate_timestamp
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_client: bool, protocols: string_vec%);
 ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
@@ -384,6 +391,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_cl
 ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ## ssl_extension_signed_certificate_timestamp
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_server_name%(c: connection, is_client: bool, names: string_vec%);
 ## Generated for the signed_certificate_timestamp TLS extension as defined in
@@ -417,6 +425,7 @@ event ssl_extension_server_name%(c: connection, is_client: bool, names: string_v
 ## ssl_extension_application_layer_protocol_negotiation
 ## x509_ocsp_ext_signed_certificate_timestamp sct_verify
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
 ## Generated for an TLS Supported Versions extension. This TLS extension
@@ -439,6 +448,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool
 ## ssl_extension_key_share ssl_extension_server_name
 ## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_supported_versions%(c: connection, is_client: bool, versions: index_vec%);
 ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
@@ -459,8 +469,30 @@ event ssl_extension_supported_versions%(c: connection, is_client: bool, versions
 ## ssl_extension_key_share ssl_extension_server_name
 ## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
 ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+## ssl_extension_connection_id
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_client: bool, modes: index_vec%);
+## Generated for an DTLS Connection ID extension. This TLS extension is defined
+## in the RFC 9146 and sent by the client or the server to signify that Connection IDs should
+## be used for the connection.
+##
+## c: The connection.
+##
+## is_client: True if event is raised for the client side of the connection
+## (the side that sends the client hello). This is typically equivalent
+## with the originator, but does not have to be in all circumstances.
+##
+## cid: The connection ID given by the client or the server.
+##
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+## ssl_session_ticket_handshake ssl_extension
+## ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+## ssl_extension_application_layer_protocol_negotiation
+## ssl_extension_key_share ssl_extension_server_name
+## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+event ssl_extension_connection_id%(c: connection, is_client: bool, cid: string%);
+
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
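Review bot: The `cid` description in the new `ssl_extension_connection_id` docstring is ambiguous about direction: per RFC 9146 the value carried in the extension is the CID the sender asks its peer to use in records sent to it, not the one the sender will put on the wire, and a zero-length value is legitimate (the sender will send with CIDs but does not want to receive one), which reaches scriptland here as an empty string. Suggest `## cid: The connection ID the sending side wants its peer to use in records sent to it (RFC 9146). Empty if the sender does not want to receive a CID.` Minor wording in the same block: `an DTLS` -> `a DTLS`, `in the RFC 9146` -> `in RFC 9146`.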
@@ -577,6 +609,12 @@ event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count,
 ## Note that :zeek:id:`SSL::disable_analyzer_after_detection` has to be changed
 ## from its default to false for this event to be generated.
 ##
+## Also note that, for DTLS 1.3, it is not always possible to give an exact length for
+## the payload that is transported in the packet. If connection IDs are used, the length
+## provided is the length of the entire packet, without the first byte (for the unified header).
+## If no connection IDs are used, the length given is the actual payload length. Connection IDs
+## are used with the connection ID extension in the client or server hello.
+##
 ## c: The connection.
 ##
 ## is_client: True if event is raised for the client side of the connection
@@ -589,10 +627,11 @@ event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count,
 ## content_type: message type as reported by TLS session layer. Not populated for
 ## SSLv2.
 ##
-## length: length of the entire message.
+## length: encrypted payload length of the message.
 ##
 ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ## ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
+## ssl_extension_connection_id
 event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%);
 ## This event is generated for application data records of TLS 1.3 connections of which
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 796fc2ba5a..ae9930f1a6 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -157,6 +157,7 @@ enum SSLExtensions {
 EXT_CERTIFICATE_AUTHORITIES = 47,
 EXT_OID_FILTERS = 48,
 EXT_KEY_SHARE = 51,
+ EXT_CONNECTION_ID = 54,
 EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
 EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
 EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
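Review bot: `If no connection IDs are used, the length given is the actual payload length` over-promises: as this commit parses the unified header, the reported value is the remainder of the datagram after the header (`swallow` is `&restofdata`), not the record's own 16-bit length field, so it equals the payload length only when the datagram carries a single record, and RFC 9147 permits several. Suggest `## If no connection IDs are used, the length is the remainder of the datagram after the record header, which equals the record's payload length unless the datagram carries further records.`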
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index ce19a4b2a9..77cd5ab4dc 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -670,6 +670,17 @@ refine connection Handshake_Conn += {
 return true;
 %}
+ function proc_connection_id(rec: HandshakeRecord, cid: bytestring) : bool
+ %{
+ if ( ! ssl_extension_connection_id )
+ return true;
+
+ auto cid_string = zeek::make_intrusive(cid.length(), (const char*) cid.data());
+ zeek::BifEvent::enqueue_ssl_extension_connection_id(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, cid_string);
+
+ return true;
+ %}
+
 };
 refine typeattr ClientHello += &let {
@@ -802,3 +813,7 @@ refine typeattr SignedCertificateTimestamp += &let {
 refine typeattr CertificateRequest += &let {
 proc: bool = $context.connection.proc_certificate_request(rec, this);
 };
+
+refine typeattr ConnectionId += &let {
+ proc: bool = $context.connection.proc_connection_id(rec, cid);
+};
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 2aa6b6a45e..014afa7490 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
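Review bot: As rendered, `zeek::make_intrusive(cid.length(), (const char*) cid.data())` in `proc_connection_id` carries no template argument and would not compile; presumably `<zeek::StringVal>` was lost in rendering, so confirm the committed line reads `auto cid_string = zeek::make_intrusive<zeek::StringVal>(cid.length(), (const char*) cid.data());`. A one-line comment on the enqueue would also help, e.g. `// XOR with flipped_ turns packet direction into is_client, matching the is_orig ^ GetFlipped() use in dtls-analyzer.pac.` The enclosing `Handshake_Conn` refinement starts outside this hunk.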
@@ -811,12 +811,18 @@ type SSLExtension(rec: HandshakeRecord) = record {
 EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
 EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
 EXT_PRE_SHARED_KEY -> pre_shared_key: PreSharedKey(rec)[] &until($element == 0 || $element != 0);
+ EXT_CONNECTION_ID -> connection_id: ConnectionId(rec)[] &until($element == 0 || $element != 0);
 default -> data: bytestring &restofdata;
 };
 } &length=data_len+4 &exportsourcedata;
 %include tls-handshake-signed_certificate_timestamp.pac
+type ConnectionId(rec: HandshakeRecord) = record {
+ length: uint8;
+ cid: bytestring &length=length;
+};
+
 type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case ( rec.is_orig ^ $context.connection.flipped() ) of {
 true -> a: SupportedVersions(rec);
 false -> b: OneSupportedVersion(rec);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout
new file mode 100644
index 0000000000..439fc963f9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout
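Review bot: `ConnectionId` takes `length` straight from the wire and uses it unchecked: a value larger than the extension's remaining bytes is only caught by the enclosing `&length=data_len+4` on `SSLExtension` (presumably as a binpac out-of-bounds exception), and a smaller value leaves trailing extension bytes silently unread. That is acceptable, but worth a comment on the type so the next reader does not add a redundant check: `# cid length is bounded by the enclosing SSLExtension &length; zero-length CIDs are valid (RFC 9146).` The `[] &until($element == 0 || $element != 0)` single-element idiom matches the neighbouring extension arms, so no change is needed there.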
@@ -0,0 +1,52 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +CH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +SH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +SH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 31 +Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1298 +Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 289 +Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 61 +Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 61 +start CID test +CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID +CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID +CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID +CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID +CH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +SH, [orig_h=10.168.36.147, orig_p=57488/udp, 
resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID +CH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, fancy server CID +SH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 52 +Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 89 +Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1365 +Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1292 +Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 310 +Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 82 +Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 1366 +CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID +CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID +CH, [orig_h=10.168.36.147, 
orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID +CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +SH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +CH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +SH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277 +Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 31 +Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 68 +Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1378 +Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1237 +Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 289 +Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 61 +Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 1351
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log
new file mode 100644
index 0000000000..87b51d1170
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log
@@ -0,0 +1,25 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert +#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.168.36.147 33714 10.168.36.144 11111 DTLSv13 TLS_AES_128_GCM_SHA256 secp256r1 - F - - T CjCs - - - +#close XXXX-XX-XX-XX-XX-XX +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert +#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 10.168.36.147 57488 10.168.36.144 11111 DTLSv13 TLS_AES_128_GCM_SHA256 secp256r1 - F - - T CjCs - - - +XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 10.168.36.147 47904 10.168.36.144 11111 DTLSv13 TLS_AES_128_GCM_SHA256 secp256r1 - F - - T CjCs - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.168.36.147 52232 10.168.36.144 11111 - - - - F - - F CCC - - - +XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 10.168.36.147 56544 10.168.36.144 11111 - - - - F - - F CCC - - - +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 10.168.36.147 58771 10.168.36.144 11111 - - - - F - - F CCCC - - - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl.log
deleted file mode 100644
index e8253d3f47..0000000000
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl.log
+++ /dev/null
@@ -1,11 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ssl -#open XXXX-XX-XX-XX-XX-XX -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps sni_matches_cert -#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] bool -XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.168.36.147 33714 10.168.36.144 11111 DTLSv13 TLS_AES_128_GCM_SHA256 secp256r1 - F - - T CjCs - - - -#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/tls/dtls13-cid.pcap b/testing/btest/Traces/tls/dtls13-cid.pcap
new file mode 100644
index 0000000000..c3943b22a3
Binary files /dev/null and b/testing/btest/Traces/tls/dtls13-cid.pcap differ
diff --git a/testing/btest/scripts/base/protocols/ssl/dtls-13.test b/testing/btest/scripts/base/protocols/ssl/dtls-13.test
index 61c358da21..5fcb4d8b69 100644
--- a/testing/btest/scripts/base/protocols/ssl/dtls-13.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-13.test
@@ -1,6 +1,30 @@
 # This tests a normal SSL connection and the log it outputs.
 # @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-wolfssl.pcap %INPUT
-# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: cp ssl.log ssl-all.log
+# @TEST-EXEC: echo "start CID test"
+# @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-cid.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: btest-diff ssl-all.log
+# @TEST-EXEC: btest-diff .stdout
 # @TEST-EXEC: test ! -f dpd.log
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+ {
+ print "CH", c$id, version, record_version;
+ }
+
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
+ {
+ print "SH", c$id, version, record_version;
+ }
+
+event ssl_extension_connection_id(c: connection, is_client: bool, cid: string)
+ {
+ print "CID", c$id, is_client, cid;
+ }
+
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
+ {
+ print "Encrypted", c$id, is_client, record_version, content_type, length;
+ }
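Review bot: The header comment still reads `# This tests a normal SSL connection and the log it outputs.` although the test now runs a second trace with connection IDs and pins four event streams through `.stdout`; suggest `# Tests DTLS 1.3 with and without connection IDs (RFC 9146): ssl.log for both traces plus the hello, CID and encrypted-data events.` The `echo "start CID test"` line is what separates the two traces in the `.stdout` baseline, so a short comment saying so, e.g. `# marker in .stdout between the wolfssl and the CID trace`, would spare the next reader a guess.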