Merge remote-tracking branch 'origin/topic/johanna/tls13'

BIT-1727 #merged * origin/topic/johanna/tls13: Better way to deal with overloaded Assign constructors. A few tabbing fixes in TLS 1.3 support TLS 1.3 support.
2025-10-02 14:48:21 +00:00 · 2016-10-13 15:48:27 -07:00 · 2016-10-13 15:48:27 -07:00 · c9d449e363
commit c9d449e363
parent 38f6ca87ae eb3a3bc807
23 changed files with 449 additions and 83 deletions
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-08-01-16-08-40
+#open	2016-10-07-19-25-03
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@ -138,6 +138,7 @@ scripts/base/init-bare.bro
    build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
    build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro
    build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro
    build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro
    build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro
    build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro
@ -166,4 +167,4 @@ scripts/base/init-bare.bro
    build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
  scripts/base/utils/paths.bro
-#close	2016-08-01-16-08-40
+#close	2016-10-07-19-25-03
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2016-10-03-00-47-23
+#open	2016-10-07-19-25-14
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@ -138,6 +138,7 @@ scripts/base/init-bare.bro
    build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
    build/scripts/base/bif/plugins/Bro_SSL.types.bif.bro
    build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro
    build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro
    build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro
    build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro
@ -354,4 +355,4 @@ scripts/base/init-default.bro
  scripts/base/misc/find-filtered-trace.bro
  scripts/base/misc/version.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2016-10-03-00-47-23
+#close	2016-10-07-19-25-14
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -247,7 +247,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1475791240.79714, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Communication::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Conn::LOG)) -> <no result>
@ -377,7 +377,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1475791240.79714, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -410,7 +410,7 @@
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
-0.000000   MetaHookPost  CallFunction(strftime, <frame>, (%Y, 1475791240.796752)) -> <no result>
+0.000000   MetaHookPost  CallFunction(strftime, <frame>, (%Y, 1475869873.545611)) -> <no result>
 0.000000   MetaHookPost  CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F)) -> <no result>
 0.000000   MetaHookPost  CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(to_count, <frame>, (2016)) -> <no result>
@ -512,6 +512,7 @@
 0.000000   MetaHookPost  LoadFile(./Bro_SSH.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SSH.types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SSL.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_SSL.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SSL.types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_Syslog.events.bif.bro) -> -1
@ -965,7 +966,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1475791240.79714, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Conn::LOG))
@ -1095,7 +1096,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1475791240.79714, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@ -1128,7 +1129,7 @@
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
-0.000000   MetaHookPre   CallFunction(strftime, <frame>, (%Y, 1475791240.796752))
+0.000000   MetaHookPre   CallFunction(strftime, <frame>, (%Y, 1475869873.545611))
 0.000000   MetaHookPre   CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F))
 0.000000   MetaHookPre   CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, ))
 0.000000   MetaHookPre   CallFunction(to_count, <frame>, (2016))
@ -1230,6 +1231,7 @@
 0.000000   MetaHookPre   LoadFile(./Bro_SSH.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SSH.types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SSL.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_SSL.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SSL.types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SteppingStone.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_Syslog.events.bif.bro)
@ -1682,7 +1684,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1475791240.79714, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@ -1812,7 +1814,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1475791240.79714, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1475869873.545999, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@ -1845,7 +1847,7 @@
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
-0.000000 | HookCallFunction strftime(%Y, 1475791240.796752)
+0.000000 | HookCallFunction strftime(%Y, 1475869873.545611)
 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F)
 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, )
 0.000000 | HookCallFunction to_count(2016)
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@ -0,0 +1,34 @@
+key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
+unknown-27242
+x25519
+key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
+unknown-19018
+x25519
+key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
+unknown-43690
+x25519
+key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
+x25519
+key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
+unknown-60138
+x25519
+key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
+x25519
+established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
+key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
+x25519
+secp256r1
+secp384r1
+key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
+x25519
+secp256r1
+secp384r1
+key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
+secp384r1
+key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
+x25519
+secp256r1
+secp384r1
+key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
+secp384r1
+established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
@ -0,0 +1,44 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2016-10-07-19-21-58
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1475791805.525848	ClEkJM2Vm5giqnMf4h	192.168.6.203	53227	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
+1475791805.468951	CHhAvVGS1DHFjwGM9	192.168.6.203	53226	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
+#close	2016-10-07-19-21-58
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2016-10-07-19-21-59
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1475794630.046060	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	F	-	-	-	-	-	-
+1475794635.195006	ClEkJM2Vm5giqnMf4h	192.168.6.203	53996	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
+#close	2016-10-07-19-21-59
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2016-10-07-19-22-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1475787575.867992	CHhAvVGS1DHFjwGM9	192.150.187.20	54980	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
+1475787575.922474	ClEkJM2Vm5giqnMf4h	192.150.187.20	54982	52.32.149.186	443	-	-	-	tls13.crypto.mozilla.org	F	protocol_version	-	F	-	-	-	-	-	-
+#close	2016-10-07-19-22-00
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2016-10-07-19-22-01
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1475795116.906579	CHhAvVGS1DHFjwGM9	192.150.187.20	36778	138.68.41.77	443	TLSv13-draft16	TLS_CHACHA20_POLY1305_SHA256	secp384r1	-	F	unknown_ca	-	F	-	-	-	-	-	-
+1475795124.328003	ClEkJM2Vm5giqnMf4h	192.150.187.20	36782	138.68.41.77	443	TLSv13-draft16	TLS_CHACHA20_POLY1305_SHA256	secp384r1	-	F	-	-	T	-	-	-	-	-	-
+#close	2016-10-07-19-22-01
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Traces/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
+++ b/testing/btest/Traces/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
--- a/testing/btest/Traces/tls/tls13draft16-chrome55.0.2879.0-canary.pcap
+++ b/testing/btest/Traces/tls/tls13draft16-chrome55.0.2879.0-canary.pcap
--- a/testing/btest/Traces/tls/tls13draft16-ff52.a01-aborted.pcap
+++ b/testing/btest/Traces/tls/tls13draft16-ff52.a01-aborted.pcap
--- a/testing/btest/Traces/tls/tls13draft16-ff52.a01.pcap
+++ b/testing/btest/Traces/tls/tls13draft16-ff52.a01.pcap
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@ -0,0 +1,29 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap %INPUT
+# @TEST-EXEC: cat ssl.log > ssl-out.log
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls13draft16-ff52.a01-aborted.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-out.log
+# @TEST-EXEC: btest-diff ssl-out.log
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
+	{
+	print "key_share", c$id, is_orig;
+	for ( i in curves )
+		{
+		print SSL::ec_curves[curves[i]];
+		}
+	}
+
+event ssl_established(c: connection)
+	{
+	print "established", c$id;
+	}
+
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+	{
+	print "encrypted", c$id, is_orig, content_type;
+	}