SSL Analyzer: track connection direction by messages

This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.

scripts/policy/protocols/ssl/decryption.zeek

@@ -99,7 +99,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
 		set_secret(c, secrets[client_random]);
 	}
 
-event ssl_change_cipher_spec(c: connection, is_orig: bool)
+event ssl_change_cipher_spec(c: connection, is_client: bool)
 	{
 	if ( c$ssl?$client_random )
 		{

scripts/policy/protocols/ssl/heartbleed.zeek

@@ -79,7 +79,7 @@ event zeek_init()
 	min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40];
 	}
 
-event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
+event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 	{
 	if ( ! c?$ssl )
 		return;
@@ -97,7 +97,7 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 				$identifier=cat(c$uid, length, payload_length)
 				]);
 			}
-		else if ( is_orig )
+		else if ( is_client )
 			{
 			NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
 				$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
@@ -118,9 +118,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 		}
 	}
 
-event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
+event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
 	{
-	if ( is_orig )
+	if ( is_client )
 		++c$ssl$originator_heartbeats;
 	else
 		++c$ssl$responder_heartbeats;
@@ -129,14 +129,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 	if ( c$ssl$enc_appdata_packages == 0 )
 			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig),
+				$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
 				$conn=c,
 				$n=length,
 				$identifier=fmt("%s%s", c$uid, "early")
 				]);
 	else if ( duration < 1min )
 			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %s", length, is_orig, duration),
+				$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
 				$conn=c,
 				$n=length,
 				$identifier=fmt("%s%s", c$uid, "early")
@@ -158,7 +158,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
 				]);
 
-	if ( is_orig && length < 19 )
+	if ( is_client && length < 19 )
 			NOTICE([$note=SSL_Heartbeat_Odd_Length,
 				$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
 				$conn=c,
@@ -192,7 +192,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 		}
 
-	if ( is_orig )
+	if ( is_client )
 		{
 		if ( c$ssl?$last_responder_heartbeat_request_size )
 			{
@@ -223,13 +223,13 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	}
 
-event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
 	{
 	if ( !c?$ssl )
 		return;
 
 	if ( content_type == SSL::HEARTBEAT )
-		event ssl_encrypted_heartbeat(c, is_orig, length);
+		event ssl_encrypted_heartbeat(c, is_client, length);
 	else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) )
 		{
 		++c$ssl$enc_appdata_packages;

scripts/policy/protocols/ssl/ssl-log-ext.zeek

@@ -73,12 +73,12 @@ event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, t
 	c$ssl$ticket_lifetime_hint = ticket_lifetime_hint;
 	}
 
-event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
+event ssl_extension(c: connection, is_client: bool, code: count, val: string)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		{
 		if ( ! c$ssl?$ssl_client_exts )
 			c$ssl$ssl_client_exts = vector();
@@ -92,28 +92,28 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
 		}
 	}
 
-event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	c$ssl$point_formats = point_formats;
 	}
 
-event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	c$ssl$client_curves = curves;
 	}
 
-event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, names: string_vec)
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, names: string_vec)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		c$ssl$orig_alpn = names;
 	}
 
@@ -126,39 +126,39 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
 	c$ssl$dh_param_size = key_length;
 	}
 
-event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
+event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		c$ssl$client_supported_versions = versions;
 	else
 		c$ssl$server_supported_version = versions[0];
 	}
 
-	event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec)
+	event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	c$ssl$psk_key_exchange_modes = modes;
 	}
 
-event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec)
+event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
 	{
 	if ( ! c?$ssl )
 		return;
 
-	if ( is_orig )
+	if ( is_client )
 		c$ssl$client_key_share_groups = curves;
 	else
 		c$ssl$server_key_share_group = curves[0];
 	}
 
-event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec)
+event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec)
 	{
-	if ( ! c?$ssl || ! is_orig )
+	if ( ! c?$ssl || ! is_client )
 		return;
 
 	local sigalgs: index_vec = vector();

scripts/policy/protocols/ssl/validate-ocsp.zeek

@@ -31,7 +31,7 @@ export {
 # certificate chain is seen.
 global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins;
 
-event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3
+event ssl_stapled_ocsp(c: connection, is_client: bool, response: string) &priority=3
 	{
 	c$ssl$ocsp_response = response;
 	}

scripts/policy/protocols/ssl/validate-sct.zeek

@@ -74,7 +74,7 @@ event zeek_init()
 	Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
 	}
 
-event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
+event ssl_extension_signed_certificate_timestamp(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
 	{
 	c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT);
 	}