From 32cb6d6bc31c03d746bb0b72b012dd6730308c54 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 2 Sep 2011 23:55:32 -0700 Subject: [PATCH 1/8] Adding group "comm" to communication tests for parallelizing execution with new btest version. --- testing/btest/istate/broccoli.bro | 1 + testing/btest/istate/events-ssl.bro | 2 +- testing/btest/istate/events.bro | 2 +- testing/btest/istate/pybroccoli.py | 1 + testing/btest/istate/sync.bro | 2 +- testing/btest/policy/frameworks/cluster/start-it-up.bro | 3 ++- .../btest/policy/frameworks/control/configuration_update.bro | 3 ++- testing/btest/policy/frameworks/control/id_value.bro | 1 + testing/btest/policy/frameworks/control/shutdown.bro | 1 + testing/btest/policy/frameworks/logging/remote-types.bro | 2 +- testing/btest/policy/frameworks/logging/remote.bro | 2 +- testing/btest/policy/frameworks/metrics/basic-cluster.bro | 3 ++- 12 files changed, 15 insertions(+), 8 deletions(-) diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro index 7f97f40585..def9a786d4 100644 --- a/testing/btest/istate/broccoli.bro +++ b/testing/btest/istate/broccoli.bro @@ -1,6 +1,7 @@ # @TEST-REQUIRES: grep -vq '#define BROv6' $BUILD/config.h # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro # @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1 # @TEST-EXEC: btest-bg-wait -k 20 diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro index cfacae9da8..02fd957a4d 100644 --- a/testing/btest/istate/events-ssl.bro +++ b/testing/btest/istate/events-ssl.bro @@ -1,4 +1,4 @@ -# +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro # @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro # @TEST-EXEC: btest-bg-wait -k 20 
diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro index ecf2f2e2ad..d2dfc63239 100644 --- a/testing/btest/istate/events.bro +++ b/testing/btest/istate/events.bro @@ -1,4 +1,4 @@ -# +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro # @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro # @TEST-EXEC: btest-bg-wait -k 20 diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py index b7fb53a955..ec4097ac55 100644 --- a/testing/btest/istate/pybroccoli.py +++ b/testing/btest/istate/pybroccoli.py @@ -1,3 +1,4 @@ +# @TEST-GROUP: comm # @TEST-REQUIRES: grep -vq '#define BROv6' $BUILD/config.h # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro index 567bbf2af1..c41542d074 100644 --- a/testing/btest/istate/sync.bro +++ b/testing/btest/istate/sync.bro @@ -1,4 +1,4 @@ -# +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run sender bro %INPUT ../sender.bro # @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro # @TEST-EXEC: btest-bg-wait 20 diff --git a/testing/btest/policy/frameworks/cluster/start-it-up.bro b/testing/btest/policy/frameworks/cluster/start-it-up.bro index d1eb94d5e1..c7d6c4746a 100644 --- a/testing/btest/policy/frameworks/cluster/start-it-up.bro +++ b/testing/btest/policy/frameworks/cluster/start-it-up.bro @@ -1,3 +1,4 @@ +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT 
@@ -23,4 +24,4 @@ redef Cluster::nodes = { event remote_connection_handshake_done(p: event_peer) { print "Connected to a peer"; - } \ No newline at end of file + } diff --git a/testing/btest/policy/frameworks/control/configuration_update.bro b/testing/btest/policy/frameworks/control/configuration_update.bro index 23b4998a1b..6d0f886d13 100644 --- a/testing/btest/policy/frameworks/control/configuration_update.bro +++ b/testing/btest/policy/frameworks/control/configuration_update.bro @@ -1,3 +1,4 @@ +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65531/tcp # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update # @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown @@ -23,4 +24,4 @@ event bro_init() event bro_done() { print test_var; - } \ No newline at end of file + } diff --git a/testing/btest/policy/frameworks/control/id_value.bro b/testing/btest/policy/frameworks/control/id_value.bro index 9f0cb76861..c751928506 100644 --- a/testing/btest/policy/frameworks/control/id_value.bro +++ b/testing/btest/policy/frameworks/control/id_value.bro @@ -1,3 +1,4 @@ +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port_clear=65532/tcp # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var # @TEST-EXEC: btest-bg-wait -k 1 
diff --git a/testing/btest/policy/frameworks/control/shutdown.bro b/testing/btest/policy/frameworks/control/shutdown.bro index 55af973faa..e7aabea686 100644 --- a/testing/btest/policy/frameworks/control/shutdown.bro +++ b/testing/btest/policy/frameworks/control/shutdown.bro @@ -1,3 +1,4 @@ +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port_clear=65530/tcp # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown # @TEST-EXEC: btest-bg-wait 1 diff --git a/testing/btest/policy/frameworks/logging/remote-types.bro b/testing/btest/policy/frameworks/logging/remote-types.bro index 08960eba86..164e7f3984 100644 --- a/testing/btest/policy/frameworks/logging/remote-types.bro +++ b/testing/btest/policy/frameworks/logging/remote-types.bro @@ -1,4 +1,4 @@ -# +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro # @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro # @TEST-EXEC: btest-bg-wait -k 1 diff --git a/testing/btest/policy/frameworks/logging/remote.bro b/testing/btest/policy/frameworks/logging/remote.bro index 00d7d69463..34cf714446 100644 --- a/testing/btest/policy/frameworks/logging/remote.bro +++ b/testing/btest/policy/frameworks/logging/remote.bro @@ -1,4 +1,4 @@ -# +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro diff --git a/testing/btest/policy/frameworks/metrics/basic-cluster.bro b/testing/btest/policy/frameworks/metrics/basic-cluster.bro index eda41c3759..a282a962e4 100644 --- a/testing/btest/policy/frameworks/metrics/basic-cluster.bro +++ b/testing/btest/policy/frameworks/metrics/basic-cluster.bro 
@@ -1,3 +1,4 @@ +# @TEST-GROUP: comm # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: sleep 1 @@ -35,4 +36,4 @@ event bro_init() Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1); } -@endif \ No newline at end of file +@endif From 935f1f55b58fccd372ea862ed8a05fc96ee199be Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 5 Sep 2011 08:26:07 -0700 Subject: [PATCH 2/8] Updating submodule(s). --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/aux/binpac b/aux/binpac index a3a9410ded..032b4e0f02 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit a3a9410dedc842f6bb9859642f334ed354633b57 +Subproject commit 032b4e0f028a08257be0c703b27a7559e57bd40a diff --git a/aux/bro-aux b/aux/bro-aux index d68b98bb99..04d149a194 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit d68b98bb995a105b257f805ec4ff22c4929c7476 +Subproject commit 04d149a194e06ed5410ea3af924ff48b9129cd3b diff --git a/aux/broccoli b/aux/broccoli index 743f10dda8..89c20c7f06 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 743f10dda8cd5655ea3dc6eb705ff5414ed4f535 +Subproject commit 89c20c7f063afe5f39aa72bfec02d6996b291c13 diff --git a/aux/broctl b/aux/broctl index cf4ce9dfc5..2b9053d40d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit cf4ce9dfc5d6dc4e6d311955eeaec2d679e8669b +Subproject commit 2b9053d40d7ef497c8cef6357b59f43129976d65 From b3764dcad568dd3ffddfb1a4489ea226822e54e1 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Wed, 29 Feb 2012 09:43:37 -0500 Subject: [PATCH 3/8] Cleaned up dead code from the old SSL analyzers. (Reported by Julien Sentier) --- scripts/base/init-bare.bro | 11 -- src/NetVar.cc | 21 --- src/NetVar.h | 10 -- src/X509.cc | 263 ------------------------------------- src/event.bif | 2 - 5 files changed, 307 deletions(-) delete mode 100644 src/X509.cc diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index c4ae4b134a..23b01167a6 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -1719,13 +1719,6 @@ global dns_skip_all_addl = T &redef; ## traffic and do not process it. Set to 0 to turn off this functionality. global dns_max_queries = 5; -## The maxiumum size in bytes for an SSL cipher specifcation. If we see a packet -## that has bigger cipherspecs, we won't do a comparisons of cipherspecs. -const ssl_max_cipherspec_size = 68 &redef; - -# todo::Is this still used? -# type X509_extensions: table[count] of string; - ## An X509 certificate. ## ## .. bro:see:: x509_certificate @@ -1738,10 +1731,6 @@ type X509: record { not_valid_after: time; ##< Timestamp after when certificate is not valid. }; -# This is indexed with the CA's name and yields a DER (binary) encoded certificate. -# todo::Is this still used? -# const root_ca_certs: table[string] of string = {} &redef; - ## HTTP session statistics. ## ## .. bro:see:: http_stats diff --git a/src/NetVar.cc b/src/NetVar.cc index f5939b54d2..59cc1cc633 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -47,15 +47,6 @@ int tcp_max_initial_window; int tcp_max_above_hole_without_any_acks; int tcp_excessive_data_without_further_acks; -int ssl_compare_cipherspecs; -int ssl_analyze_certificates; -int ssl_store_certificates; -int ssl_verify_certificates; -int ssl_store_key_material; -int ssl_max_cipherspec_size; -StringVal* ssl_store_cert_path; -StringVal* x509_trusted_cert_path; -TableType* cipher_suites_list; RecordType* x509_type; double non_analyzed_lifetime; 
@@ -192,8 +183,6 @@ StringVal* ssl_ca_certificate; StringVal* ssl_private_key; StringVal* ssl_passphrase; -StringVal* x509_crl_file; - Val* profiling_file; double profiling_interval; int expensive_profiling_multiple; @@ -353,17 +342,7 @@ void init_net_var() tcp_excessive_data_without_further_acks = opt_internal_int("tcp_excessive_data_without_further_acks"); - ssl_compare_cipherspecs = opt_internal_int("ssl_compare_cipherspecs"); - ssl_analyze_certificates = opt_internal_int("ssl_analyze_certificates"); - ssl_store_certificates = opt_internal_int("ssl_store_certificates"); - ssl_verify_certificates = opt_internal_int("ssl_verify_certificates"); - ssl_store_key_material = opt_internal_int("ssl_store_key_material"); - ssl_max_cipherspec_size = opt_internal_int("ssl_max_cipherspec_size"); - - x509_trusted_cert_path = opt_internal_string("X509_trusted_cert_path"); - ssl_store_cert_path = opt_internal_string("ssl_store_cert_path"); x509_type = internal_type("X509")->AsRecordType(); - x509_crl_file = opt_internal_string("X509_crl_file"); non_analyzed_lifetime = opt_internal_double("non_analyzed_lifetime"); tcp_inactivity_timeout = opt_internal_double("tcp_inactivity_timeout"); diff --git a/src/NetVar.h b/src/NetVar.h index 9d2d87d736..425ea93e09 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -50,17 +50,7 @@ extern int tcp_max_initial_window; extern int tcp_max_above_hole_without_any_acks; extern int tcp_excessive_data_without_further_acks; -// see policy/ssl.bro for details -extern int ssl_compare_cipherspecs; -extern int ssl_analyze_certificates; -extern int ssl_store_certificates; -extern int ssl_verify_certificates; -extern int ssl_store_key_material; -extern int ssl_max_cipherspec_size; -extern StringVal* ssl_store_cert_path; -extern StringVal* x509_trusted_cert_path; extern RecordType* x509_type; -extern StringVal* x509_crl_file; extern double non_analyzed_lifetime; extern double tcp_inactivity_timeout; 
diff --git a/src/X509.cc b/src/X509.cc deleted file mode 100644 index 55b6b78f04..0000000000 --- a/src/X509.cc +++ /dev/null 
@@ -1,263 +0,0 @@ -#include - -#include "X509.h" -#include "config.h" - -// ### NOTE: while d2i_X509 does not take a const u_char** pointer, -// here we assume d2i_X509 does not write to , so it is safe to -// convert data to a non-const pointer. Could some X509 guru verify -// this? - -X509* d2i_X509_(X509** px, const u_char** in, int len) - { -#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR - return d2i_X509(px, in, len); -#else - return d2i_X509(px, (u_char**)in, len); -#endif - } - -X509_STORE* X509_Cert::ctx = 0; -X509_LOOKUP* X509_Cert::lookup = 0; -X509_STORE_CTX X509_Cert::csc; -bool X509_Cert::bInited = false; - -// TODO: Check if Key < 768 Bits => Weakness! -// FIXME: Merge verify and verifyChain. - -void X509_Cert::sslCertificateEvent(Contents_SSL* e, X509* pCert) - { - EventHandlerPtr event = ssl_certificate; - if ( ! event ) - return; - - char tmp[256]; - RecordVal* pX509Cert = new RecordVal(x509_type); - - X509_NAME_oneline(X509_get_issuer_name(pCert), tmp, sizeof tmp); - pX509Cert->Assign(0, new StringVal(tmp)); - X509_NAME_oneline(X509_get_subject_name(pCert), tmp, sizeof tmp); - pX509Cert->Assign(1, new StringVal(tmp)); - pX509Cert->Assign(2, new AddrVal(e->Conn()->OrigAddr())); - - val_list* vl = new val_list; - vl->append(e->BuildConnVal()); - vl->append(pX509Cert); - vl->append(new Val(e->IsOrig(), TYPE_BOOL)); - - e->Conn()->ConnectionEvent(event, e, vl); - } - -void X509_Cert::sslCertificateError(Contents_SSL* e, int error_numbe) - { - Val* err_str = new StringVal(X509_verify_cert_error_string(csc.error)); - val_list* vl = new val_list; - - vl->append(e->BuildConnVal()); - vl->append(new Val(csc.error, TYPE_INT)); - vl->append(err_str); - - e->Conn()->ConnectionEvent(ssl_X509_error, e, vl); - } - -int X509_Cert::init() - { -#if 0 - OpenSSL_add_all_algorithms(); -#endif - - ctx = X509_STORE_new(); - int flag = 0; - int ret = 0; - - if ( x509_trusted_cert_path && - x509_trusted_cert_path->AsString()->Len() > 0 ) - { // add the path(s) for the local CA's 
certificates - const BroString* pString = x509_trusted_cert_path->AsString(); - - lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir()); - if ( ! lookup ) - { - reporter->Error("X509_Cert::init(): initing lookup failed\n"); - flag = 1; - } - - int i = X509_LOOKUP_add_dir(lookup, - (const char*) pString->Bytes(), - X509_FILETYPE_PEM); - if ( ! i ) - { - reporter->Error("X509_Cert::init(): error adding lookup directory\n"); - ret = 0; - } - } - else - { - printf("X509: Using the default trusted cert path.\n"); - X509_STORE_set_default_paths(ctx); - } - - // Add crl functionality - will only add if defined and - // X509_STORE_add_lookup was successful. - if ( ! flag && x509_crl_file && x509_crl_file->AsString()->Len() > 0 ) - { - const BroString* rString = x509_crl_file->AsString(); - - if ( X509_load_crl_file(lookup, (const char*) rString->Bytes(), - X509_FILETYPE_PEM) != 1 ) - { - reporter->Error("X509_Cert::init(): error reading CRL file\n"); - ret = 1; - } - -#if 0 - // Note, openssl version must be > 0.9.7(a). - X509_STORE_set_flags(ctx, - X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); -#endif - } - - bInited = true; - return ret; - } - -int X509_Cert::verify(Contents_SSL* e, const u_char* data, uint32 len) - { - if ( ! bInited ) - init(); - - X509* pCert = d2i_X509_(NULL, &data, len); - if ( ! 
pCert ) - { - // 5 = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY - sslCertificateError(e, 5); - return -1; - } - - sslCertificateEvent(e, pCert); - - X509_STORE_CTX_init(&csc, ctx, pCert, 0); - X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time); - int i = X509_verify_cert(&csc); - X509_STORE_CTX_cleanup(&csc); - int ret = 0; - - int ext = X509_get_ext_count(pCert); - - if ( ext > 0 ) - { - TableVal* x509ex = new TableVal(x509_extension); - val_list* vl = new val_list; - char buf[256]; - - for ( int k = 0; k < ext; ++k ) - { - X509_EXTENSION* ex = X509_get_ext(pCert, k); - ASN1_OBJECT* obj = X509_EXTENSION_get_object(ex); - i2t_ASN1_OBJECT(buf, sizeof(buf), obj); - - Val* index = new Val(k+1, TYPE_COUNT); - Val* value = new StringVal(strlen(buf), buf); - x509ex->Assign(index, value); - Unref(index); - // later we can do critical extensions like: - // X509_EXTENSION_get_critical(ex); - } - - vl->append(e->BuildConnVal()); - vl->append(x509ex); - e->Conn()->ConnectionEvent(process_X509_extensions, e, vl); - } - - if ( ! i ) - { - sslCertificateError(e, csc.error); - ret = csc.error; - } - else - ret = 0; - - delete pCert; - return ret; - } - -int X509_Cert::verifyChain(Contents_SSL* e, const u_char* data, uint32 len) - { - if ( ! bInited ) - init(); - - // Gets an ssl3x cert chain (could be one single cert, too, - // but in chain format). - - // Init the stack. - STACK_OF(X509)* untrustedCerts = sk_X509_new_null(); - if ( ! untrustedCerts ) - { - // Internal error allocating stack of untrusted certs. - // 11 = X509_V_ERR_OUT_OF_MEM - sslCertificateError(e, 11); - return -1; - } - - // NOT AGAIN!!! - // Extract certificates and put them into an OpenSSL Stack. - uint tempLength = 0; - int certCount = 0; - X509* pCert = 0; // base cert, this one is to be verified - - while ( tempLength < len ) - { - ++certCount; - uint32 certLength = - uint32((data[tempLength + 0] << 16) | - data[tempLength + 1] << 8) | - data[tempLength + 2]; - - // Points to current cert. 
- const u_char* pCurrentCert = &data[tempLength+3]; - - X509* pTemp = d2i_X509_(0, &pCurrentCert, certLength); - if ( ! pTemp ) - { // error is somewhat of a misnomer - // 5 = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY - sslCertificateError(e, 5); - //FIXME: free ptrs - return -1; - } - - if ( certCount == 1 ) - // The first certificate goes directly into the ctx. - pCert = pTemp; - else - // The remaining certificates (if any) are put into - // the list of untrusted certificates - sk_X509_push(untrustedCerts, pTemp); - - tempLength += certLength + 3; - } - - sslCertificateEvent(e, pCert); - - X509_STORE_CTX_init(&csc, ctx, pCert, untrustedCerts); - X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time); - int i = X509_verify_cert(&csc); - X509_STORE_CTX_cleanup(&csc); - //X509_STORE_CTX_free(&csc); - int ret = 0; - - if ( ! i ) - { - sslCertificateError(e, csc.error); - ret = csc.error; - } - else - ret = 0; - - delete pCert; - // Free the stack, incuding. contents. - - // FIXME: could this break Bro's memory tracking? - sk_X509_pop_free(untrustedCerts, X509_free); - - return ret; - } diff --git a/src/event.bif b/src/event.bif index 1423750f29..0578664f54 100644 --- a/src/event.bif +++ b/src/event.bif @@ -4594,7 +4594,6 @@ event ssh_server_version%(c: connection, version: string%); ## ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension -## ssl_max_cipherspec_size event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%); ## Generated for an SSL/TLS servers's initial *hello* message. SSL/TLS sessions 
@@ -4625,7 +4624,6 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ## ssl_session_ticket_handshake x509_certificate x509_error x509_extension
-## ssl_max_cipherspec_size
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
 ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS sessions
From bfeca444dbe6d7355465834f7b1024227b14cd6d Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 29 Feb 2012 17:09:38 -0800 Subject: [PATCH 4/8] Sorting all output for the external tests. Let's see how this goes. The script keeps comments at the beginning. --- testing/scripts/diff-canonifier-external | 1 + testing/scripts/diff-sort | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100755 testing/scripts/diff-sort
diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external
index 1f953183d3..6796614362 100755
--- a/testing/scripts/diff-canonifier-external
+++ b/testing/scripts/diff-canonifier-external
@@ -6,3 +6,4 @@
 | `dirname $0`/diff-remove-uids \
 | `dirname $0`/diff-remove-mime-types \
 | `dirname $0`/diff-remove-x509-names \
+ | `dirname $0`/diff-sort
diff --git a/testing/scripts/diff-sort b/testing/scripts/diff-sort
new file mode 100755
index 0000000000..08b36c79bf
--- /dev/null
+++ b/testing/scripts/diff-sort
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# A diff canonifier that sorts all lines but keeps all comments
+# at the top. It also adds a note at the beginning as a reminder
+# that the output has been sorted.
+
+if [ "$TMP" == "" ]; then
+ TMP=/tmp
+fi
+
+tmp=$TMP/`basename $0`.$$.tmp
+
+cat >$tmp
+
+echo "### NOTE: This file has been sorted with `basename $0`."
+cat $tmp | grep ^#
+cat $tmp | grep -v ^# | sort -s
+
+rm -f $tmp
From 92ed583ee78beaf19e25ea9ebb43cf764d6b3e13 Mon Sep 17 00:00:00 2001
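Review bot: `tmp=$TMP/`basename $0`.$$.tmp` builds a predictable temp file name in a shared directory, and nothing removes it if the script is killed before `rm -f $tmp`; `mktemp` plus a `trap ... EXIT` covers both. `sort -s` also runs under whatever locale the caller has, so the canonified order can differ between machines, which undermines a canonifier; pin it with `LC_ALL=C`. The `cat $tmp | grep` pipelines can read the file directly.
```bash
#! /usr/bin/env bash
# … unchanged: header comment …

tmp=$(mktemp "${TMP:-/tmp}/$(basename "$0").XXXXXX") || exit 1
trap 'rm -f "$tmp"' EXIT

cat >"$tmp"

echo "### NOTE: This file has been sorted with `basename $0`."
grep '^#' "$tmp"
grep -v '^#' "$tmp" | LC_ALL=C sort -s
```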
From: Robin Sommer Date: Wed, 29 Feb 2012 17:19:38 -0800 Subject: [PATCH 5/8] Adding btest group "leaks" to leak tests. This will make it easier to run just the leak tests. --- testing/btest/core/leaks/dns.bro | 2 ++ testing/btest/core/leaks/test-all.bro | 2 ++ 2 files changed, 4 insertions(+) diff --git a/testing/btest/core/leaks/dns.bro b/testing/btest/core/leaks/dns.bro index 3d3fdc6f09..2816750758 100644 --- a/testing/btest/core/leaks/dns.bro +++ b/testing/btest/core/leaks/dns.bro @@ -1,5 +1,7 @@ # Needs perftools support. # +# @TEST-GROUP: leaks +# # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/wikipedia.trace %INPUT diff --git a/testing/btest/core/leaks/test-all.bro b/testing/btest/core/leaks/test-all.bro index 6e605372c9..f217cc229c 100644 --- a/testing/btest/core/leaks/test-all.bro +++ b/testing/btest/core/leaks/test-all.bro @@ -1,5 +1,7 @@ # Needs perftools support. # +# @TEST-GROUP: leaks +# # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/wikipedia.trace test-all-policy From 87ad77cc100697659c72429386b5264ae67051dc Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 29 Feb 2012 22:34:31 -0500 Subject: [PATCH 6/8] Standardized on the &default function for SSL constants. --- scripts/base/protocols/ssl/consts.bro | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 9d16ab18ba..ab130c4318 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -13,7 +13,7 @@ export { [TLSv10] = "TLSv10", [TLSv11] = "TLSv11", [TLSv12] = "TLSv12", - } &default="UNKNOWN"; + } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## Mapping between numeric codes and human readable strings for alert ## levels. 
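Review bot: The anonymous `&default=function(i: count):string { return fmt("unknown-%d", i); }` is pasted verbatim onto three tables in this commit (this hunk and the hunks at -535 and -573 of consts.bro). A single named function declared once in the export block, e.g. `function unknown_code(i: count): string { return fmt("unknown-%d", i); }` and `&default=unknown_code` on each table, keeps the three in sync if the format is ever changed. The tables themselves start above these hunks.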
@@ -535,7 +535,7 @@ export { [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", [SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2", [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2", - } &default="UNKNOWN"; + } &default=function(i: count):string { return fmt("unknown-%d", i); }; ## Mapping between the constants and string values for SSL/TLS errors. const x509_errors: table[count] of string = { @@ -573,6 +573,6 @@ export { [31] = "keyusage no certsign", [32] = "unable to get crl issuer", [33] = "unhandled critical extension", - }; + } &default=function(i: count):string { return fmt("unknown-%d", i); }; } From ef5e9caaf45ac13b2834a71a6c32299ca9f93350 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 1 Mar 2012 13:00:44 -0600 Subject: [PATCH 7/8] Changes to how script coverage integrates with test suites. - BRO_PROFILER_FILE now passes .X* templated filenames to mkstemp for generating unique coverage state files. All test suites now use this so each Bro instance writes to a unique coverage file. - Rearranging Makefile targets. The general rule is that if the all/brief target fails out due to a test failure, then the dependent coverage target won't run, but can still be invoked directly later. (e.g. make brief || make coverage) --- src/Brofiler.cc | 34 ++++++++++++++++++++++++++++++- src/Brofiler.h | 4 +++- testing/Makefile | 1 + testing/btest/Makefile | 19 +++++++++++------ testing/btest/btest.cfg | 2 +- testing/external/Makefile | 4 ++++ testing/external/subdir-btest.cfg | 2 +- testing/scripts/btest-bg-run | 7 ------- 8 files changed, 56 insertions(+), 17 deletions(-) delete mode 100755 testing/scripts/btest-bg-run diff --git a/src/Brofiler.cc b/src/Brofiler.cc index 783d027761..ce16916635 100644 --- a/src/Brofiler.cc +++ b/src/Brofiler.cc @@ -1,4 +1,5 @@ #include +#include #include #include #include "Brofiler.h" 
@@ -48,7 +49,38 @@ bool Brofiler::WriteStats()
 char* bf = getenv("BRO_PROFILER_FILE");
 if ( ! bf )
 return false;
- FILE* f = fopen(bf, "w");
+ bool gen_unique = false;
+ const char* p = strstr(bf, ".X");
+ if ( p )
+ {
+ gen_unique = true;
+ while ( *(++p) )
+ {
+ if ( *p != 'X' )
+ {
+ gen_unique = false;
+ break;
+ }
+ }
+ }
+
+ FILE* f;
+
+ if ( gen_unique )
+ {
+ int fd = mkstemp(bf);
+ if ( fd == -1 )
+ {
+ reporter->Error("Failed to generate unique file name from BRO_PROFILER_FILE: %s\n", bf);
+ return false;
+ }
+ f = fdopen(fd, "w");
+ }
+ else
+ {
+ f = fopen(bf, "w");
+ }
+
 if ( ! f )
 {
 reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing\n", bf);
diff --git a/src/Brofiler.h b/src/Brofiler.h
index edbe1e932c..698a2e03a6 100644
--- a/src/Brofiler.h
+++ b/src/Brofiler.h
@@ -26,7 +26,9 @@ public:
 /**
 * Combines usage stats from current run with any read from ReadStats(),
 * then writes information to file pointed to by environment variable
- * BRO_PROFILER_FILE.
+ * BRO_PROFILER_FILE. If the value of that env. variable ends with
+ * ".XXXX" (any amount of X's), then it is first passed through mkstemp
+ * to get a unique file.
 *
 * @return: true when usage info is written, otherwise false.
 */
diff --git a/testing/Makefile b/testing/Makefile
index f65d5a1fef..1c82580ec4 100644
--- a/testing/Makefile
+++ b/testing/Makefile
@@ -12,6 +12,7 @@ make-brief:
 @for repo in $(DIRS); do (cd $$repo && make brief ); done
 coverage:
+ @for repo in $(DIRS); do (cd $$repo && echo "Coverage for '$$repo' dir:" && make coverage); done
 @test -f btest/coverage.log && cp btest/coverage.log `mktemp brocov.tmp.XXX` || true
 @for f in external/*/coverage.log; do test -f $$f && cp $$f `mktemp brocov.tmp.XXX` || true; done
 @echo "Complete test suite code coverage:"
diff --git a/testing/btest/Makefile b/testing/btest/Makefile
index a2ca30609a..caf0a786f7 100644
--- a/testing/btest/Makefile
+++ b/testing/btest/Makefile
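Review bot: `int fd = mkstemp(bf);` writes the generated name into the buffer returned by `getenv`, which POSIX says the application must not modify, and it silently rewrites BRO_PROFILER_FILE for the rest of the process and for any child that inherits the environment. Copy the template first, e.g. `std::string tmpl(bf); int fd = mkstemp(&tmpl[0]);` (or a fixed-size char copy if <string> is not in scope), and report the copy in the error message. When `fdopen` fails the code falls through to the generic `if ( ! f )` error and returns without closing `fd` or removing the file mkstemp just created; a `close(fd)` and `unlink` in that branch would avoid leaking both. The same two points apply to the reworked hunk of this function in [PATCH 8/8]. `WriteStats` continues outside this hunk.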
@@ -2,16 +2,23 @@ DIAG=diag.log BTEST=../../aux/btest/btest -all: cleanup - # Showing all tests. - @$(BTEST) -f $(DIAG) - @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts +all: cleanup btest-verbose coverage -brief: cleanup - # Brief output showing only failed tests. +# Showing all tests. +btest-verbose: + @$(BTEST) -f $(DIAG) + +brief: cleanup btest-brief coverage + +# Brief output showing only failed tests. +btest-brief: @$(BTEST) -b -f $(DIAG) + +coverage: @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts cleanup: @rm -f $(DIAG) @rm -f .tmp/script-coverage* + +.PHONY: all btest-verbose brief btest-brief coverage cleanup diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 2126e733e7..8c36ef6c1a 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -18,4 +18,4 @@ DIST=%(testbase)s/../.. BUILD=%(testbase)s/../../build TEST_DIFF_CANONIFIER=$SCRIPTS/diff-canonifier TMPDIR=%(testbase)s/.tmp -BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage +BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXX diff --git a/testing/external/Makefile b/testing/external/Makefile index 994d8962c0..b705734003 100644 --- a/testing/external/Makefile +++ b/testing/external/Makefile @@ -24,3 +24,7 @@ push: status: @for repo in $(REPOS); do ( cd $$repo && echo '>>' $$repo && git status -bs && echo ); done +coverage: + @for repo in $(REPOS); do (cd $$repo && echo "Coverage for '$$repo' repo:" && make coverage); done + +.PHONY: all brief init pull push status coverage diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg index 7b1d59cb07..b9ddf309b4 100644 --- a/testing/external/subdir-btest.cfg +++ b/testing/external/subdir-btest.cfg 
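Review bot: `all: cleanup btest-verbose coverage` (and `brief: cleanup btest-brief coverage`) only gives the behaviour described in the commit message, coverage not running when the tests fail, when make evaluates the prerequisites serially; under `make -j` they are independent targets and `coverage` can run before or concurrently with the test target. If that ordering matters, declare `.NOTPARALLEL:` in this Makefile, since making `coverage` depend on the test target would defeat invoking it directly later.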
@@ -17,4 +17,4 @@ TRACES=%(testbase)s/Traces
 SCRIPTS=%(testbase)s/../scripts
 DIST=%(testbase)s/../../..
 BUILD=%(testbase)s/../../../build
-BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXX
diff --git a/testing/scripts/btest-bg-run b/testing/scripts/btest-bg-run
deleted file mode 100755
index 64a38b9759..0000000000
--- a/testing/scripts/btest-bg-run
+++ /dev/null
@@ -1,7 +0,0 @@
-#! /usr/bin/env bash
-
-# This is a wrapper script to btest's real btest-bg-run. It's used
-# when collecting Bro script coverage statistics so that two independent
-# Bro processing don't try to write those usage statistics to the same file.
-
-BRO_PROFILER_FILE=`mktemp $TMPDIR/script-coverage.XXXX` $BTEST_PATH/btest-bg-run $@
From fef671e4a6480605e2500e970093d4999ee9de31 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 2 Mar 2012 12:40:25 -0600 Subject: [PATCH 8/8] Fix a BRO_PROFILER_FILE/mkstemp portability issue. (addresses #794) --- src/Brofiler.cc | 22 ++++------------------ src/Brofiler.h | 2 +- testing/btest/btest.cfg | 2 +- testing/external/subdir-btest.cfg | 2 +- 4 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/src/Brofiler.cc b/src/Brofiler.cc
index ce16916635..c9a3505069 100644
--- a/src/Brofiler.cc
+++ b/src/Brofiler.cc
@@ -49,29 +49,15 @@ bool Brofiler::WriteStats()
 char* bf = getenv("BRO_PROFILER_FILE");
 if ( ! bf )
 return false;
- bool gen_unique = false;
- const char* p = strstr(bf, ".X");
- if ( p )
- {
- gen_unique = true;
- while ( *(++p) )
- {
- if ( *p != 'X' )
- {
- gen_unique = false;
- break;
- }
- }
- }
-
 FILE* f;
+ const char* p = strstr(bf, ".XXXXXX");
- if ( gen_unique )
+ if ( p && ! p[7] )
 {
 int fd = mkstemp(bf);
 if ( fd == -1 )
 {
- reporter->Error("Failed to generate unique file name from BRO_PROFILER_FILE: %s\n", bf);
+ reporter->Error("Failed to generate unique file name from BRO_PROFILER_FILE: %s", bf);
 return false;
 }
 f = fdopen(fd, "w");
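Review bot: `if ( p && ! p[7] )` tests the first `.XXXXXX` that `strstr` finds rather than the end of the string, so a value whose directory part also contains `.XXXXXX` is not recognized and is opened with `fopen` under the literal template name. Checking the suffix from the end avoids that: `size_t n = strlen(bf); if ( n >= 7 && strcmp(bf + n - 7, ".XXXXXX") == 0 )`. The enclosing `WriteStats` continues past this hunk.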
@@ -83,7 +69,7 @@ bool Brofiler::WriteStats()
 if ( ! f )
 {
- reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing\n", bf);
+ reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
 return false;
 }
diff --git a/src/Brofiler.h b/src/Brofiler.h
index 698a2e03a6..22e5808bf6 100644
--- a/src/Brofiler.h
+++ b/src/Brofiler.h
@@ -27,7 +27,7 @@ public:
 * Combines usage stats from current run with any read from ReadStats(),
 * then writes information to file pointed to by environment variable
 * BRO_PROFILER_FILE. If the value of that env. variable ends with
- * ".XXXX" (any amount of X's), then it is first passed through mkstemp
+ * ".XXXXXX" (exactly 6 X's), then it is first passed through mkstemp
 * to get a unique file.
 *
 * @return: true when usage info is written, otherwise false.
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 8c36ef6c1a..6afbde1ddb 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -18,4 +18,4 @@ DIST=%(testbase)s/../..
 BUILD=%(testbase)s/../../build
 TEST_DIFF_CANONIFIER=$SCRIPTS/diff-canonifier
 TMPDIR=%(testbase)s/.tmp
-BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXX
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
index b9ddf309b4..c4e74f99fa 100644
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@@ -17,4 +17,4 @@ TRACES=%(testbase)s/Traces
 SCRIPTS=%(testbase)s/../scripts
 DIST=%(testbase)s/../../..
 BUILD=%(testbase)s/../../../build
-BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXX
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX