SSL Analyzer: track connection direction by messages

This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.

scripts/base/protocols/ssl/files.zeek

@@ -152,6 +152,7 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
 		c$ssl$client_cert_chain_fps = string_vec();
 		}
 
+	# Note - for SSL connections, is_orig indicates client/server, not necessary originator/responder.
 	if ( f$is_orig )
 		c$ssl$client_cert_chain += f$info;
 	else

scripts/base/protocols/ssl/main.zeek

@@ -72,9 +72,14 @@ export {
 		## SSL history showing which types of packets we received in which order.
 		## Letters have the following meaning with client-sent letters being capitalized:
 		##
+		## A direction flip occurs when the client hello packet is not sent from the originator
+		## of a connection. This can, e.g., occur when DTLS is used in a connection that was
+		## set up using STUN.
+		##
 		## ======  ====================================================
 		## Letter  Meaning
 		## ======  ====================================================
+		## ^       direction flipped
 		## H       hello_request
 		## C       client_hello
 		## S       server_hello
@@ -198,9 +203,9 @@ function set_session(c: connection)
 		}
 	}
 
-function add_to_history(c: connection, is_orig: bool, char: string)
+function add_to_history(c: connection, is_client: bool, char: string)
 	{
-	if ( is_orig )
+	if ( is_client )
 		c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char);
 	else
 		c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char);
@@ -284,9 +289,9 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 		c$ssl$resumed = T;
 	}
 
-event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
 	{
-	if ( is_orig || |versions| != 1 )
+	if ( is_client || |versions| != 1 )
 		return;
 
 	set_session(c);
@@ -302,20 +307,20 @@ event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priori
 	c$ssl$curve = ec_curves[curve];
 	}
 
-event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
+event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
 	{
-	if ( is_orig || |curves| != 1 )
+	if ( is_client || |curves| != 1 )
 		return;
 
 	set_session(c);
 	c$ssl$curve = ec_curves[curves[0]];
 	}
 
-event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
+event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
 
-	if ( is_orig && |names| > 0 )
+	if ( is_client && |names| > 0 )
 		{
 		c$ssl$server_name = names[0];
 		if ( |names| > 1 )
@@ -323,133 +328,140 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
 		}
 	}
 
-event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec)
 	{
 	set_session(c);
 
-	if ( is_orig )
+	if ( is_client )
 		return;
 
 	if ( |protocols| > 0 )
 		c$ssl$next_protocol = protocols[0];
 	}
 
-event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) &priority=5
+event ssl_connection_flipped(c: connection)
 	{
 	set_session(c);
 
-	if ( is_orig && msg_type == SSL::CLIENT_KEY_EXCHANGE )
+	c$ssl$ssl_history += "^";
+	}
+
+event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, length: count) &priority=5
+	{
+	set_session(c);
+
+	if ( is_client && msg_type == SSL::CLIENT_KEY_EXCHANGE )
 		c$ssl$client_key_exchange_seen = T;
 
 	switch ( msg_type )
 		{
 		case SSL::HELLO_REQUEST:
-			add_to_history(c, is_orig, "h");
+			add_to_history(c, is_client, "h");
 			break;
 		case SSL::CLIENT_HELLO:
-			add_to_history(c, is_orig, "c");
+			add_to_history(c, is_client, "c");
 			break;
 		case SSL::SERVER_HELLO:
-			add_to_history(c, is_orig, "s");
+			add_to_history(c, is_client, "s");
 			break;
 		case SSL::HELLO_VERIFY_REQUEST:
-			add_to_history(c, is_orig, "v");
+			add_to_history(c, is_client, "v");
 			break;
 		case SSL::SESSION_TICKET:
-			add_to_history(c, is_orig, "t");
+			add_to_history(c, is_client, "t");
 			break;
 		# end of early data
 		case 5:
-			add_to_history(c, is_orig, "e");
+			add_to_history(c, is_client, "e");
 			break;
 		case SSL::HELLO_RETRY_REQUEST:
-			add_to_history(c, is_orig, "j");
+			add_to_history(c, is_client, "j");
 			break;
 		case SSL::ENCRYPTED_EXTENSIONS:
-			add_to_history(c, is_orig, "o");
+			add_to_history(c, is_client, "o");
 			break;
 		case SSL::CERTIFICATE:
-			add_to_history(c, is_orig, "x");
+			add_to_history(c, is_client, "x");
 			break;
 		case SSL::SERVER_KEY_EXCHANGE:
-			add_to_history(c, is_orig, "k");
+			add_to_history(c, is_client, "k");
 			break;
 		case SSL::CERTIFICATE_REQUEST:
-			add_to_history(c, is_orig, "r");
+			add_to_history(c, is_client, "r");
 			break;
 		case SSL::SERVER_HELLO_DONE:
-			add_to_history(c, is_orig, "n");
+			add_to_history(c, is_client, "n");
 			break;
 		case SSL::CERTIFICATE_VERIFY:
-			add_to_history(c, is_orig, "y");
+			add_to_history(c, is_client, "y");
 			break;
 		case SSL::CLIENT_KEY_EXCHANGE:
-			add_to_history(c, is_orig, "g");
+			add_to_history(c, is_client, "g");
 			break;
 		case SSL::FINISHED:
-			add_to_history(c, is_orig, "f");
+			add_to_history(c, is_client, "f");
 			break;
 		case SSL::CERTIFICATE_URL:
-			add_to_history(c, is_orig, "w");
+			add_to_history(c, is_client, "w");
 			break;
 		case SSL::CERTIFICATE_STATUS:
-			add_to_history(c, is_orig, "u");
+			add_to_history(c, is_client, "u");
 			break;
 		case SSL::SUPPLEMENTAL_DATA:
-			add_to_history(c, is_orig, "a");
+			add_to_history(c, is_client, "a");
 			break;
 		case SSL::KEY_UPDATE:
-			add_to_history(c, is_orig, "p");
+			add_to_history(c, is_client, "p");
 			break;
 		# message hash
 		case 254:
-			add_to_history(c, is_orig, "m");
+			add_to_history(c, is_client, "m");
 			break;
 		default:
-			add_to_history(c, is_orig, "z");
+			add_to_history(c, is_client, "z");
 			break;
 		}
 	}
 
 # Extension event is fired _before_ the respective client or server hello.
 # Important for client_ticket_empty_session_seen.
-event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
+event ssl_extension(c: connection, is_client: bool, code: count, val: string) &priority=5
 	{
 	set_session(c);
 
-	if ( is_orig && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 )
+	if ( is_client && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 )
 		# In this case, we might have an empty ID. Set back to F in client_hello event
 		# if it is not empty after all.
 		c$ssl$client_ticket_empty_session_seen = T;
-	else if ( is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY )
+	else if ( is_client && code == SSL_EXTENSION_PRE_SHARED_KEY )
 		# In this case, the client sent a PSK extension which can be used for resumption
 		c$ssl$client_psk_seen = T;
-	else if ( ! is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen )
+	else if ( ! is_client && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen )
 		# In this case, the server accepted the PSK offered by the client.
 		c$ssl$resumed = T;
 	}
 
-event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
+event ssl_change_cipher_spec(c: connection, is_client: bool) &priority=5
 	{
 	set_session(c);
-	add_to_history(c, is_orig, "i");
+	add_to_history(c, is_client, "i");
 
-	if ( is_orig && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen )
+	if ( is_client && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen )
 		c$ssl$resumed = T;
 	}
 
-event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
+event ssl_alert(c: connection, is_client: bool, level: count, desc: count) &priority=5
 	{
 	set_session(c);
-	add_to_history(c, is_orig, "l");
+	add_to_history(c, is_client, "l");
 
 	c$ssl$last_alert = alert_descriptions[desc];
 	}
 
-event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
+event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 	{
 	set_session(c);
-	add_to_history(c, is_orig, "b");
+	add_to_history(c, is_client, "b");
 	}
 
 event ssl_established(c: connection) &priority=7
@@ -489,7 +501,7 @@ event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
 		}
 	}
 
-event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) &priority=5
+event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
 	{
 	set_session(c);
 

scripts/policy/protocols/ssl/decryption.zeek

@@ -99,7 +99,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 		set_secret(c, secrets[client_random]);
 	}
 
-event ssl_change_cipher_spec(c: connection, is_orig: bool)
+event ssl_change_cipher_spec(c: connection, is_client: bool)
 	{
 	if ( c$ssl?$client_random )
 		{

scripts/policy/protocols/ssl/heartbleed.zeek

@@ -79,7 +79,7 @@ event zeek_init()
 	min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40];
 	}
 
-event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
+event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 	{
 	if ( ! c?$ssl )
 		return;
@@ -97,7 +97,7 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 				$identifier=cat(c$uid, length, payload_length)
 				]);
 			}
-		else if ( is_orig )
+		else if ( is_client )
 			{
 			NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
 				$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
@@ -118,9 +118,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 		}
 	}
 
-event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
+event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
 	{
-	if ( is_orig )
+	if ( is_client )
 		++c$ssl$originator_heartbeats;
 	else
 		++c$ssl$responder_heartbeats;
@@ -129,14 +129,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 	if ( c$ssl$enc_appdata_packages == 0 )
 			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig),
+				$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
 				$conn=c,
 				$n=length,
 				$identifier=fmt("%s%s", c$uid, "early")
 				]);
 	else if ( duration < 1min )
 			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %s", length, is_orig, duration),
+				$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
 				$conn=c,
 				$n=length,
 				$identifier=fmt("%s%s", c$uid, "early")
@@ -158,7 +158,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
 				]);
 
-	if ( is_orig && length < 19 )
+	if ( is_client && length < 19 )
 			NOTICE([$note=SSL_Heartbeat_Odd_Length,
 				$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
 				$conn=c,
@@ -192,7 +192,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 		}
 
-	if ( is_orig )
+	if ( is_client )
 		{
 		if ( c$ssl?$last_responder_heartbeat_request_size )
 			{
@@ -223,13 +223,13 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
 	{
 	if ( !c?$ssl )
 		return;
 
 	if ( content_type == SSL::HEARTBEAT )
-		event ssl_encrypted_heartbeat(c, is_orig, length);
+		event ssl_encrypted_heartbeat(c, is_client, length);
 	else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) )
 		{
 		++c$ssl$enc_appdata_packages;

scripts/policy/protocols/ssl/ssl-log-ext.zeek

@@ -73,12 +73,12 @@ event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, t
 	c$ssl$ticket_lifetime_hint = ticket_lifetime_hint;
 	}
 
-event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+event ssl_extension(c: connection, is_client: bool, code: count, val: string)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		{
 		if ( ! c$ssl?$ssl_client_exts )
 			c$ssl$ssl_client_exts = vector();
@@ -92,28 +92,28 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
 		}
 	}
 
-event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	c$ssl$point_formats = point_formats;
 	}
 
-event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	c$ssl$client_curves = curves;
 	}
 
-event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, names: string_vec)
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, names: string_vec)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		c$ssl$orig_alpn = names;
 	}
 
@@ -126,39 +126,39 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
 	c$ssl$dh_param_size = key_length;
 	}
 
-event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		c$ssl$client_supported_versions = versions;
 	else
 		c$ssl$server_supported_version = versions[0];
 	}
 
-	event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
+	event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	c$ssl$psk_key_exchange_modes = modes;
 	}
 
-event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
+event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		c$ssl$client_key_share_groups = curves;
 	else
 		c$ssl$server_key_share_group = curves[0];
 	}
 
-event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec)
+event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	local sigalgs: index_vec = vector();

scripts/policy/protocols/ssl/validate-ocsp.zeek

@@ -31,7 +31,7 @@ export {
 # certificate chain is seen.
 global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins;
 
-event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3
+event ssl_stapled_ocsp(c: connection, is_client: bool, response: string) &priority=3
 	{
 	c$ssl$ocsp_response = response;
 	}

scripts/policy/protocols/ssl/validate-sct.zeek

@@ -74,7 +74,7 @@ event zeek_init()
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}
 
-event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
+event ssl_extension_signed_certificate_timestamp(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
 	{
 	c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT);
 	}