From c682e5723b9eb62ff307c83617c243c1b0195d3c Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Mon, 6 Nov 2023 12:48:30 +0000
Subject: [PATCH] Spicy TLS: rename the analyzer to SSL

Naming the analyzer different than the old one was a mistake that
required unnecessary code changes; keeping the old name makes things
like StartTLS in other protocol work without additional code changes.
---
 scripts/base/protocols/ssl/dpd.sig            |  4 +-
 src/analyzer/protocol/CMakeLists.txt          |  1 -
 src/analyzer/protocol/ssl/CMakeLists.txt      |  2 +
 .../protocol/ssl/spicy/CMakeLists.txt         |  1 +
 src/analyzer/protocol/ssl/spicy/SSL.evt       | 86 +++++++++++++++++++
 .../{tls/TLS.spicy => ssl/spicy/SSL.spicy}    | 26 +++---
 src/analyzer/protocol/tls/CMakeLists.txt      |  1 -
 src/analyzer/protocol/tls/TLS.evt             | 86 -------------------
 8 files changed, 104 insertions(+), 103 deletions(-)
 create mode 100644 src/analyzer/protocol/ssl/spicy/CMakeLists.txt
 create mode 100644 src/analyzer/protocol/ssl/spicy/SSL.evt
 rename src/analyzer/protocol/{tls/TLS.spicy => ssl/spicy/SSL.spicy} (99%)
 delete mode 100644 src/analyzer/protocol/tls/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/tls/TLS.evt

diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index 3bcf034dde..2603441d9a 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -3,7 +3,7 @@ signature dpd_tls_server {
   # SSL3 / TLS Server hello.
   payload /^(\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50])).*/
   tcp-state responder
-  enable "tls"
+  enable "ssl"
 }
 
 signature dpd_tls_client {
@@ -11,7 +11,7 @@ signature dpd_tls_client {
   # SSL3 / TLS Client hello.
   payload /^\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03].*/
   tcp-state originator
-  enable "tls"
+  enable "ssl"
 }
 
 signature dpd_dtls_client {
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 4c808d6e5e..79e5b6cea0 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -42,6 +42,5 @@ add_subdirectory(ssh)
 add_subdirectory(ssl)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
-add_subdirectory(tls)
 add_subdirectory(xmpp)
 add_subdirectory(zip)
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index 4d49622f57..a6688a123a 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -1,3 +1,5 @@
+add_subdirectory(spicy)
+
 zeek_add_plugin(
     Zeek
     SSL
diff --git a/src/analyzer/protocol/ssl/spicy/CMakeLists.txt b/src/analyzer/protocol/ssl/spicy/CMakeLists.txt
new file mode 100644
index 0000000000..2b7e766f7f
--- /dev/null
+++ b/src/analyzer/protocol/ssl/spicy/CMakeLists.txt
@@ -0,0 +1 @@
+spicy_add_analyzer(NAME SSL SOURCES SSL.spicy SSL.evt)
diff --git a/src/analyzer/protocol/ssl/spicy/SSL.evt b/src/analyzer/protocol/ssl/spicy/SSL.evt
new file mode 100644
index 0000000000..facb77120e
--- /dev/null
+++ b/src/analyzer/protocol/ssl/spicy/SSL.evt
@@ -0,0 +1,86 @@
+protocol analyzer SSL over TCP:
+	parse with SSL::Message,
+	port 443/tcp;
+
+ protocol analyzer DTLS over UDP:
+ 	parse with SSL::Message,
+ 	port 443/udp;
+
+import SSL;
+import zeek;
+import spicy;
+
+on SSL::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
+
+on SSL::ServerHello -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
+on SSL::ServerHelloOneThree -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, "", self.cipher_suite, 0);
+
+on SSL::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, SSL::get_direction(sh), self.elliptic_curve_list);
+
+on SSL::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, SSL::get_direction(sh), self.ec_point_format_list);
+
+on SSL::ServerNameList -> event ssl_extension_server_name($conn, SSL::get_direction(sh), SSL::convert_server_names(self));
+
+on SSL::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
+
+on SSL::PlaintextRecord::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
+# weird trigger for event ordering
+on SSL::PlaintextRecord::%done if ( msg.context().ccs_seen == 2 && content_type == 20 ) -> event ssl_established($conn);
+on SSL::PlaintextRecord::trigger_zero if ( content_type == 23 && sh.tls_13 == True && ( sh.established == False || sh.both_sides_encrypted_first_time ) ) -> event ssl_probable_encrypted_handshake_message($conn, SSL::get_direction(sh), self.length);
+on SSL::PlaintextRecord::trigger_one if ( sh.both_sides_encrypted_first_time == True ) -> event ssl_established($conn);
+on SSL::PlaintextRecord::trigger_two if ( self.encrypted == False ) -> event ssl_plaintext_data($conn, SSL::get_direction(sh), msg.record_version, content_type, self.length);
+on SSL::PlaintextRecord::trigger_two if ( self.encrypted == True ) -> event ssl_encrypted_data($conn, SSL::get_direction(sh), msg.record_version, content_type, self.length);
+
+on SSL::Extension -> event ssl_extension($conn, SSL::get_direction(sh), self.code, self.raw);
+
+on SSL::Handshake_message::length -> event ssl_handshake_message($conn, SSL::get_direction(sh), self.msg_type, self.length);
+
+on SSL::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, SSL::get_direction(sh), SSL::convert_signature_algorithms(self));
+
+on SSL::ServerHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.keyshare.namedgroup,));
+
+on SSL::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), vector<uint16>(self.namedgroup,));
+
+on SSL::ClientHelloKeyShare -> event ssl_extension_key_share($conn, SSL::get_direction(sh), SSL::convert_clienthellokeyshare(self));
+
+on SSL::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, SSL::get_direction(sh), SSL::convert_identities(self.identities), SSL::convert_binders(self.binders));
+
+on SSL::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, SSL::get_direction(sh), self.selected_identity);
+
+on SSL::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
+
+on SSL::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+
+on SSL::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
+
+on SSL::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
+
+# just use nonsense values for no algorithm. Same as in the old analyzer
+on SSL::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
+
+on SSL::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
+
+on SSL::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
+
+on SSL::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
+
+on SSL::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, SSL::get_direction(sh), SSL::convert_protocol_name_list(self));
+
+on SSL::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, SSL::get_direction(sh), self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
+
+on SSL::SupportedVersions -> event ssl_extension_supported_versions($conn, SSL::get_direction(sh), self.versions);
+
+on SSL::OneSupportedVersion -> event ssl_extension_supported_versions($conn, SSL::get_direction(sh), vector<uint16>(self.version,));
+
+on SSL::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, SSL::get_direction(sh), self.modes);
+
+on SSL::Alert_message -> event ssl_alert($conn, SSL::get_direction(sh), self.level, self.description);
+
+on SSL::Heartbeat -> event ssl_heartbeat($conn, SSL::get_direction(sh), length, self.tpe, self.payload_length, self.data);
+
+on SSL::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
+
+on SSL::CertificateRequest if ( SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::convert_signature_algorithms(self.supported_signature_algorithms), SSL::convert_certificate_authorities(self));
+on SSL::CertificateRequest if ( ! SSL::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, SSL::get_direction(sh), self.certificate_types, SSL::create_empty_sigmature_algorithms(), SSL::convert_certificate_authorities(self));
+
+on SSL::DirectionCheck::%done if ( self.was_flipped ) -> event ssl_connection_flipped($conn);
diff --git a/src/analyzer/protocol/tls/TLS.spicy b/src/analyzer/protocol/ssl/spicy/SSL.spicy
similarity index 99%
rename from src/analyzer/protocol/tls/TLS.spicy
rename to src/analyzer/protocol/ssl/spicy/SSL.spicy
index 94d7ac9bc6..996648d8ff 100644
--- a/src/analyzer/protocol/tls/TLS.spicy
+++ b/src/analyzer/protocol/ssl/spicy/SSL.spicy
@@ -1,4 +1,4 @@
-module TLS;
+module SSL;
 
 import spicy;
 
@@ -1740,7 +1740,7 @@ type SingleCertificate = unit {
 
 import zeek;
 
-public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
+public function convert_server_names(snl: SSL::ServerNameList) : vector<bytes> {
   local out: vector<bytes>;
 
   for ( i in snl.server_name_list )
@@ -1749,7 +1749,7 @@ public function convert_server_names(snl: TLS::ServerNameList) : vector<bytes> {
   return out;
 }
 
-public function convert_signature_algorithms(sa: TLS::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
+public function convert_signature_algorithms(sa: SSL::SignatureAlgorithms) : vector<tuple<HashAlgorithm: uint8, SignatureAlgorithm: uint8>> {
   local out: vector<tuple<uint8, uint8>>;
   for ( i in sa.supported_signature_algorithms )
     out.push_back(tuple(i.hash, i.signature));
@@ -1762,7 +1762,7 @@ public function create_empty_sigmature_algorithms() : vector<tuple<HashAlgorithm
   return out;
 }
 
-public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vector<uint16> {
+public function convert_clienthellokeyshare(ks: SSL::ClientHelloKeyShare) : vector<uint16> {
   local out: vector<uint16>;
 
   for ( i in ks.keyshares )
@@ -1771,7 +1771,7 @@ public function convert_clienthellokeyshare(ks: TLS::ClientHelloKeyShare) : vect
   return out;
 }
 
-public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
+public function convert_binders(bi: SSL::PSKBindersList) : vector<bytes> {
   local out: vector<bytes>;
 
   for ( i in bi.binders )
@@ -1780,21 +1780,21 @@ public function convert_binders(bi: TLS::PSKBindersList) : vector<bytes> {
   return out;
 }
 
-public function convert_identities(id: TLS::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
+public function convert_identities(id: SSL::PSKIdentitiesList) : vector<tuple<identity: bytes, obfuscated_ticket_age: uint32>> {
   local out: vector<tuple<bytes, uint32>>;
   for ( i in id.identities )
     out.push_back(tuple(i.identity, i.obfuscated_ticket_age));
   return out;
 }
 
-public function convert_protocol_name_list(pns: TLS::ProtocolNameList) : vector<bytes> {
+public function convert_protocol_name_list(pns: SSL::ProtocolNameList) : vector<bytes> {
   local out: vector<bytes>;
   for ( i in pns.protocol_name_list )
     out.push_back(i.name);
   return out;
 }
 
-public function convert_certificate_authorities(c: TLS::CertificateRequest) : vector<bytes> {
+public function convert_certificate_authorities(c: SSL::CertificateRequest) : vector<bytes> {
   local out: vector<bytes>;
   for ( i in c.certificate_authorities )
     out.push_back(i.certificate_authority);
@@ -1830,23 +1830,23 @@ public function check_direction(inout sh: Share, desired: bool) : bool {
   return False;
 }
 
-on TLS::ClientHello::%done {
+on SSL::ClientHello::%done {
   spicy::accept_input();
 }
 
-on TLS::ClientHello::%error {
+on SSL::ClientHello::%error {
   spicy::decline_input("error while parsing TLS client hello");
 }
 
-on TLS::ServerHello::%done {
+on SSL::ServerHello::%done {
   spicy::accept_input();
 }
 
-on TLS::ServerHello::%error {
+on SSL::ServerHello::%error {
   spicy::decline_input("error while parsing TLS server hello");
 }
 
-on TLS::Certificate::%done {
+on SSL::Certificate::%done {
   local first: bool = True;
   for ( i in self.certificate_list )
     {
diff --git a/src/analyzer/protocol/tls/CMakeLists.txt b/src/analyzer/protocol/tls/CMakeLists.txt
deleted file mode 100644
index 4a3f894d51..0000000000
--- a/src/analyzer/protocol/tls/CMakeLists.txt
+++ /dev/null
@@ -1 +0,0 @@
-spicy_add_analyzer(NAME TLS SOURCES TLS.spicy TLS.evt)
diff --git a/src/analyzer/protocol/tls/TLS.evt b/src/analyzer/protocol/tls/TLS.evt
deleted file mode 100644
index b6ee2575de..0000000000
--- a/src/analyzer/protocol/tls/TLS.evt
+++ /dev/null
@@ -1,86 +0,0 @@
-protocol analyzer TLS over TCP:
-	parse with TLS::Message,
-	port 443/tcp;
-
- protocol analyzer DTLS over UDP:
- 	parse with TLS::Message,
- 	port 443/udp;
-
-import TLS;
-import zeek;
-import spicy;
-
-on TLS::ClientHello -> event ssl_client_hello($conn, self.client_version, msg.record_version, cast<time>(self.random.gmt_unix_time), self.random.random_bytes, self.session_id, self.cipher_suites, self.compression_methods);
-
-on TLS::ServerHello -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, self.session_id, self.cipher_suite, self.compression_method);
-on TLS::ServerHelloOneThree -> event ssl_server_hello($conn, server_version, msg.record_version, cast<time>(self.gmt_unix_time), self.random_bytes, "", self.cipher_suite, 0);
-
-on TLS::EllipticCurveList -> event ssl_extension_elliptic_curves($conn, TLS::get_direction(sh), self.elliptic_curve_list);
-
-on TLS::EcPointsFormat_extension -> event ssl_extension_ec_point_formats($conn, TLS::get_direction(sh), self.ec_point_format_list);
-
-on TLS::ServerNameList -> event ssl_extension_server_name($conn, TLS::get_direction(sh), TLS::convert_server_names(self));
-
-on TLS::NewSessionTicket -> event ssl_session_ticket_handshake($conn, self.ticket_lifetime_hint, self.ticket);
-
-on TLS::PlaintextRecord::ccs -> event ssl_change_cipher_spec($conn, $is_orig);
-# weird trigger for event ordering
-on TLS::PlaintextRecord::%done if ( msg.context().ccs_seen == 2 && content_type == 20 ) -> event ssl_established($conn);
-on TLS::PlaintextRecord::trigger_zero if ( content_type == 23 && sh.tls_13 == True && ( sh.established == False || sh.both_sides_encrypted_first_time ) ) -> event ssl_probable_encrypted_handshake_message($conn, TLS::get_direction(sh), self.length);
-on TLS::PlaintextRecord::trigger_one if ( sh.both_sides_encrypted_first_time == True ) -> event ssl_established($conn);
-on TLS::PlaintextRecord::trigger_two if ( self.encrypted == False ) -> event ssl_plaintext_data($conn, TLS::get_direction(sh), msg.record_version, content_type, self.length);
-on TLS::PlaintextRecord::trigger_two if ( self.encrypted == True ) -> event ssl_encrypted_data($conn, TLS::get_direction(sh), msg.record_version, content_type, self.length);
-
-on TLS::Extension -> event ssl_extension($conn, TLS::get_direction(sh), self.code, self.raw);
-
-on TLS::Handshake_message::length -> event ssl_handshake_message($conn, TLS::get_direction(sh), self.msg_type, self.length);
-
-on TLS::SignatureAlgorithms -> event ssl_extension_signature_algorithm($conn, TLS::get_direction(sh), TLS::convert_signature_algorithms(self));
-
-on TLS::ServerHelloKeyShare -> event ssl_extension_key_share($conn, TLS::get_direction(sh), vector<uint16>(self.keyshare.namedgroup,));
-
-on TLS::HelloRetryRequestKeyShare -> event ssl_extension_key_share($conn, TLS::get_direction(sh), vector<uint16>(self.namedgroup,));
-
-on TLS::ClientHelloKeyShare -> event ssl_extension_key_share($conn, TLS::get_direction(sh), TLS::convert_clienthellokeyshare(self));
-
-on TLS::OfferedPsks -> event ssl_extension_pre_shared_key_client_hello($conn, TLS::get_direction(sh), TLS::convert_identities(self.identities), TLS::convert_binders(self.binders));
-
-on TLS::SelectedPreSharedKeyIdentity -> event ssl_extension_pre_shared_key_server_hello($conn, TLS::get_direction(sh), self.selected_identity);
-
-on TLS::ServerECDHParamsAndSignature -> event ssl_ecdh_server_params($conn, self.curve, self.point);
-
-on TLS::DheServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
-
-on TLS::DhAnonServerKeyExchange -> event ssl_dh_server_params($conn, self.dh_p, self.dh_g, self.dh_Ys);
-
-on TLS::ServerKeyExchangeSignature if ( self?.algorithm ) -> event ssl_server_signature($conn, tuple(self.algorithm.hash, self.algorithm.signature), self.signature);
-
-# just use nonsense values for no algorithm. Same as in the old analyzer
-on TLS::ServerKeyExchangeSignature if ( ! self?.algorithm ) -> event ssl_server_signature($conn, tuple(256, 256), self.signature);
-
-on TLS::EcdhClientKeyExchange -> event ssl_ecdh_client_params($conn, self.point);
-
-on TLS::DhClientKeyExchange -> event ssl_dh_client_params($conn, self.dh_Yc);
-
-on TLS::RsaClientKeyExchange -> event ssl_rsa_client_pms($conn, self.rsa_pms);
-
-on TLS::ProtocolNameList -> event ssl_extension_application_layer_protocol_negotiation($conn, TLS::get_direction(sh), TLS::convert_protocol_name_list(self));
-
-on TLS::SignedCertificateTimestamp -> event ssl_extension_signed_certificate_timestamp($conn, TLS::get_direction(sh), self.version, self.logid, self.timestamp, tuple(self.digitally_signed_algorithms.hash, self.digitally_signed_algorithms.signature), self.digitally_signed_signature);
-
-on TLS::SupportedVersions -> event ssl_extension_supported_versions($conn, TLS::get_direction(sh), self.versions);
-
-on TLS::OneSupportedVersion -> event ssl_extension_supported_versions($conn, TLS::get_direction(sh), vector<uint16>(self.version,));
-
-on TLS::PSKKeyExchangeModes -> event ssl_extension_psk_key_exchange_modes($conn, TLS::get_direction(sh), self.modes);
-
-on TLS::Alert_message -> event ssl_alert($conn, TLS::get_direction(sh), self.level, self.description);
-
-on TLS::Heartbeat -> event ssl_heartbeat($conn, TLS::get_direction(sh), length, self.tpe, self.payload_length, self.data);
-
-on TLS::CertificateStatus -> event ssl_stapled_ocsp($conn, $is_orig, self.response);
-
-on TLS::CertificateRequest if ( TLS::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, TLS::get_direction(sh), self.certificate_types, TLS::convert_signature_algorithms(self.supported_signature_algorithms), TLS::convert_certificate_authorities(self));
-on TLS::CertificateRequest if ( ! TLS::uses_signature_and_hashalgorithm(sh) ) -> event ssl_certificate_request($conn, TLS::get_direction(sh), self.certificate_types, TLS::create_empty_sigmature_algorithms(), TLS::convert_certificate_authorities(self));
-
-on TLS::DirectionCheck::%done if ( self.was_flipped ) -> event ssl_connection_flipped($conn);