diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
index 17df73bd6e..71b7511716 100644
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -61,19 +61,15 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 }
 }
 
-void SSL_Analyzer::SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig)
+void SSL_Analyzer::SendHandshake(const u_char* begin, const u_char* end, bool orig)
 {
 try
 {
- handshake_interp->NewData(orig, (const unsigned char*) &msg_type, (const unsigned char*) &msg_type + 1);
- uint32 host_length = htonl(length);
- handshake_interp->NewData(orig, (const unsigned char*) &host_length, (const unsigned char*) &host_length + sizeof(host_length));
 handshake_interp->NewData(orig, begin, end);
 }
 catch ( const binpac::Exception& e )
 {
 ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
- fprintf(stderr, "Handshake exception: %s\n", e.c_msg());
 }
 }
 
diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h
index a17611846c..3294aa9db5 100644
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@@ -21,7 +21,7 @@ public:
 virtual void DeliverStream(int len, const u_char* data, bool orig);
 virtual void Undelivered(uint64 seq, int len, bool orig);
 
- void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig);
+ void SendHandshake(const u_char* begin, const u_char* end, bool orig);
 
 // Overriden from tcp::TCP_ApplicationAnalyzer.
 virtual void EndpointEOF(bool is_orig);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 709e8c32b2..3d61b215a2 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
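Review bot: After a binpac::Exception the catch in SendHandshake only reports the violation, and the next handshake record will call handshake_interp->NewData on the same interpreter; nothing in this hunk resets or disables it, and whether a binpac flow buffer is in a usable state after a throw cannot be told from here. Before the change the exception was at least echoed to stderr; now ProtocolViolation is the only trace, so confirm that it causes the analyzer to be removed (or that later deliveries are tolerated), and otherwise stop feeding handshake data once a violation has been seen, e.g. by returning early when a `handshake_failed` flag set in the catch is already true. The rest of the class, including where handshake_interp is created, is outside the hunk.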
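Review bot: The new SendHandshake declaration carries no comment, and with the msg_type and length parameters gone a reader of the header can no longer tell what [begin, end) holds or who does the framing. A one-line comment above it would state the contract: `// Hands the payload of one SSL handshake record to the handshake interpreter, which parses the message type and 24-bit length itself and so can reassemble a message split across records.` The interpreter side this refers to is HandshakeRecord in tls-handshake-protocol.pac, changed in the same commit.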
@@ -23,11 +23,9 @@ refine connection SSL_Conn += {
 return true;
 %}
 
- function proc_handshake(rec: SSLRecord, msg_type: uint8, length: uint24, data: bytestring, is_orig: bool) : bool
+ function proc_handshake(rec: SSLRecord, data: bytestring, is_orig: bool) : bool
 %{
- fprintf(stderr, "Forwarding to Handshake analyzer: msg_type: %u, length: %u\n", msg_type, to_int()(length));
- fprintf(stderr, "%u\n", data.end() - data.begin());
- bro_analyzer()->SendHandshake(msg_type, to_int()(length), data.begin(), data.end(), is_orig);
+ bro_analyzer()->SendHandshake(data.begin(), data.end(), is_orig);
 return true;
 %}
 };
@@ -58,5 +56,5 @@ refine typeattr V2ClientMasterKey += &let {
 };
 
 refine typeattr Handshake += &let {
- proc : bool = $context.connection.proc_handshake(rec, msg_type, length, data, rec.is_orig);
+ proc : bool = $context.connection.proc_handshake(rec, data, rec.is_orig);
 };
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index b0f51cd54a..a90bd03868 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -43,9 +43,10 @@ refine casetype PlaintextRecord += {
 };
 
 type Handshake(rec: SSLRecord) = record {
- msg_type: uint8;
- length: uint24;
- data: bytestring &length=to_int()(length);
+# msg_type: uint8;
+# length: uint24;
+# data: bytestring &length=to_int()(length);
+ data: bytestring &restofdata;
 };
 
 ######################################################################
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index a52381189b..17432fa5cb 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
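Review bot: The three `#`-commented field lines left in `type Handshake` of ssl-protocol.pac are dead code rather than an explanation; a reader still has to discover that the type, the 24-bit length and the framing now live in HandshakeRecord in tls-handshake-protocol.pac. Replace them with a comment that says so, e.g. `# msg_type and length are parsed by the handshake analyzer (HandshakeRecord in tls-handshake-protocol.pac), which also reassembles messages split across records; the whole record payload is handed over as-is.` The `&restofdata` line is then the only field and needs no further note.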
@@ -200,10 +200,10 @@ refine connection Handshake_Conn += {
 return true;
 %}
 
- function proc_handshake(is_orig: bool, msg_type: uint8, length: uint32) : bool
+ function proc_handshake(is_orig: bool, msg_type: uint8, length: uint24) : bool
 %{
 BifEvent::generate_ssl_handshake_message(bro_analyzer(),
- bro_analyzer()->Conn(), is_orig, msg_type, length);
+ bro_analyzer()->Conn(), is_orig, msg_type, to_int()(length));
 return true;
 %}
 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 25f890d089..296df5fb9d 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -25,10 +25,9 @@ enum HandshakeType {
 
 type HandshakeRecord(is_orig: bool) = record {
 msg_type: uint8;
- msg_length: uint32;
+ msg_length: uint24;
 rec: Handshake(this);
-# rec: bytestring &length=10 &transient;
-} &length=(msg_length + 5);
+} &length=(to_int()(msg_length) + 4);
 
 type Handshake(rec: HandshakeRecord) = case rec.msg_type of {
 HELLO_REQUEST -> hello_request : HelloRequest(rec);
@@ -500,34 +499,14 @@ refine connection Handshake_Conn += {
 
 %member{
 uint32 chosen_cipher_;
- uint8 msg_type_;
- uint32 msg_length_;
 %}
 
 %init{
 chosen_cipher_ = NO_CHOSEN_CIPHER;
- msg_type_ = 0;
- msg_length_ = 0;
 %}
 
 function chosen_cipher() : int %{ return chosen_cipher_; %}
 
- function msg_type() : uint8 %{ return msg_type_; %}
-
- function msg_length() : uint32 %{ fprintf(stderr, "Got length %d\n", msg_length_); return msg_length_; %}
-
- function set_msg_type(type: uint8) : bool
- %{
- msg_type_ = type;
- return true;
- %}
-
- function set_msg_length(len: uint32) : bool
- %{
- msg_length_ = len;
- return true;
- %}
-
 function set_cipher(cipher: uint32) : bool
 %{
 chosen_cipher_ = cipher;
diff --git a/src/analyzer/protocol/ssl/tls-handshake.pac b/src/analyzer/protocol/ssl/tls-handshake.pac
index 36d6999557..a3c45fa492 100644
--- a/src/analyzer/protocol/ssl/tls-handshake.pac
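Review bot: `&length=(to_int()(msg_length) + 4)` on HandshakeRecord accepts any 24-bit length, so one handshake message may now be up to 16 MiB, and if binpac holds the flow buffer until &length bytes have arrived (presumably what lets the fragmented-handshake test pass) that much can stay allocated per direction for a message whose tail never arrives; the hunk adds no bound. The width is what TLS specifies, so the point is to document the cost and, if the analyzer has a place for it, cap the buffered handshake size well below 2^24 and raise a ProtocolViolation beyond it. A comment on the attribute, `# 1-byte msg_type + 3-byte msg_length; the whole message is buffered until all fragments have arrived`, would also explain the `+ 4` that replaces the old `+ 5`. The third hunk of this file only removes accessors that no longer have callers.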
+++ b/src/analyzer/protocol/ssl/tls-handshake.pac
@@ -13,6 +13,7 @@ connection Handshake_Conn(bro_analyzer: BroAnalyzer) {
 downflow = Handshake_Flow(false);
 };
 
+%include ssl-defs.pac
 %include tls-handshake-protocol.pac
 
 flow Handshake_Flow(is_orig: bool) {
@@ -20,4 +21,3 @@ flow Handshake_Flow(is_orig: bool) {
 }
 
 %include tls-handshake-analyzer.pac
-%include ssl-defs.pac
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/.stdout
new file mode 100644
index 0000000000..5caff40c4a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/.stdout
@@ -0,0 +1 @@
+10000
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/ssl.log
new file mode 100644
index 0000000000..c8278858e5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.fragment/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2015-03-12-01-22-34
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1426117218.083491 CXWv6p3arKYeMETxOg 192.168.6.86 61454 104.236.167.107 4433 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 secp256r1 104.236.167.107 F - - F FsQdqWuF9t3e4W0d (empty) - - - -
+#close 2015-03-12-01-22-34
diff --git a/testing/btest/Traces/tls/tls-fragmented-handshake.pcap.gz b/testing/btest/Traces/tls/tls-fragmented-handshake.pcap.gz
new file mode 100644
index 0000000000..6642502fa0
Binary files /dev/null and b/testing/btest/Traces/tls/tls-fragmented-handshake.pcap.gz differ
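Review bot: `%include ssl-defs.pac` is moved ahead of tls-handshake-protocol.pac without a comment saying why the order now matters; presumably the protocol file's new `to_int()(msg_length)` needs a definition that ssl-defs.pac provides, and a later tidy-up could silently move the include back to the end. A comment on the line, `# Must precede tls-handshake-protocol.pac, which depends on definitions in ssl-defs.pac (to_int())`, records the dependency. The second hunk of this file only removes the old include position.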
diff --git a/testing/btest/scripts/base/protocols/ssl/fragment.test b/testing/btest/scripts/base/protocols/ssl/fragment.test
new file mode 100644
index 0000000000..b01a78a07a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/fragment.test
@@ -0,0 +1,12 @@
+# Test a heavily fragmented tls connection
+
+# @TEST-EXEC: cat $TRACES/tls/tls-fragmented-handshake.pcap.gz | gunzip | bro -r - %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff .stdout
+
+# Certificate has 10,000 alternative names :)
+event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)
+ {
+ print |ext$dns|;
+ }
+
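Review bot: The test pins ssl.log and the SAN count but never observes the `ssl_handshake_message` event, whose length argument is what this commit changes (tls-handshake-analyzer.pac now passes `to_int()(length)`), so a wrong reassembled length or a message type dropped during reassembly would still pass. Adding `event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) { print msg_type, length; }` and the matching lines in the .stdout baseline would cover the fragment reassembly directly rather than through the certificate parse alone. The `cat ... | gunzip` pipeline could be `gunzip -c`, though that is cosmetic.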