SSL Analyzer: track connection direction by messages

This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL server.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.
Johanna Amann 2022-06-24 19:27:13 +02:00 committed by Johanna Amann
parent a7aa345c76
commit e14eddeb97
30 changed files with 344 additions and 179 deletions


@ -152,6 +152,7 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
c$ssl$client_cert_chain_fps = string_vec(); c$ssl$client_cert_chain_fps = string_vec();
} }
# Note - for SSL connections, is_orig indicates client/server, not necessary originator/responder.
if ( f$is_orig ) if ( f$is_orig )
c$ssl$client_cert_chain += f$info; c$ssl$client_cert_chain += f$info;
else else
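Review bot: The new comment above the `if ( f$is_orig )` check says `not necessary originator/responder`; it should read `not necessarily originator/responder`. It would also help to say where the client/server meaning comes from, since this hunk only documents it — assuming the SSL analyzer now passes the TLS role rather than the network direction when it hands certificate data to the file framework (not visible here), something like `# Note - for SSL connections, is_orig indicates client/server as determined by the SSL analyzer, not necessarily originator/responder.` The enclosing file_sniff handler starts and ends outside the hunk.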


@ -72,9 +72,14 @@ export {
## SSL history showing which types of packets we received in which order. ## SSL history showing which types of packets we received in which order.
## Letters have the following meaning with client-sent letters being capitalized: ## Letters have the following meaning with client-sent letters being capitalized:
## ##
## A direction flip occurs when the client hello packet is not sent from the originator
## of a connection. This can, e.g., occur when DTLS is used in a connection that was
## set up using STUN.
##
## ====== ==================================================== ## ====== ====================================================
## Letter Meaning ## Letter Meaning
## ====== ==================================================== ## ====== ====================================================
## ^ direction flipped
## H hello_request ## H hello_request
## C client_hello ## C client_hello
## S server_hello ## S server_hello
@ -198,9 +203,9 @@ function set_session(c: connection)
} }
} }
function add_to_history(c: connection, is_orig: bool, char: string) function add_to_history(c: connection, is_client: bool, char: string)
{ {
if ( is_orig ) if ( is_client )
c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char); c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char);
else else
c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char); c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char);
@ -284,9 +289,9 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
c$ssl$resumed = T; c$ssl$resumed = T;
} }
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
{ {
if ( is_orig || |versions| != 1 ) if ( is_client || |versions| != 1 )
return; return;
set_session(c); set_session(c);
@ -302,20 +307,20 @@ event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priori
c$ssl$curve = ec_curves[curve]; c$ssl$curve = ec_curves[curve];
} }
event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec) event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
{ {
if ( is_orig || |curves| != 1 ) if ( is_client || |curves| != 1 )
return; return;
set_session(c); set_session(c);
c$ssl$curve = ec_curves[curves[0]]; c$ssl$curve = ec_curves[curves[0]];
} }
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5 event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec) &priority=5
{ {
set_session(c); set_session(c);
if ( is_orig && |names| > 0 ) if ( is_client && |names| > 0 )
{ {
c$ssl$server_name = names[0]; c$ssl$server_name = names[0];
if ( |names| > 1 ) if ( |names| > 1 )
@ -323,133 +328,140 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
} }
} }
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec) event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec)
{ {
set_session(c); set_session(c);
if ( is_orig ) if ( is_client )
return; return;
if ( |protocols| > 0 ) if ( |protocols| > 0 )
c$ssl$next_protocol = protocols[0]; c$ssl$next_protocol = protocols[0];
} }
event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) &priority=5 event ssl_connection_flipped(c: connection)
{ {
set_session(c); set_session(c);
if ( is_orig && msg_type == SSL::CLIENT_KEY_EXCHANGE ) c$ssl$ssl_history += "^";
}
event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, length: count) &priority=5
{
set_session(c);
if ( is_client && msg_type == SSL::CLIENT_KEY_EXCHANGE )
c$ssl$client_key_exchange_seen = T; c$ssl$client_key_exchange_seen = T;
switch ( msg_type ) switch ( msg_type )
{ {
case SSL::HELLO_REQUEST: case SSL::HELLO_REQUEST:
add_to_history(c, is_orig, "h"); add_to_history(c, is_client, "h");
break; break;
case SSL::CLIENT_HELLO: case SSL::CLIENT_HELLO:
add_to_history(c, is_orig, "c"); add_to_history(c, is_client, "c");
break; break;
case SSL::SERVER_HELLO: case SSL::SERVER_HELLO:
add_to_history(c, is_orig, "s"); add_to_history(c, is_client, "s");
break; break;
case SSL::HELLO_VERIFY_REQUEST: case SSL::HELLO_VERIFY_REQUEST:
add_to_history(c, is_orig, "v"); add_to_history(c, is_client, "v");
break; break;
case SSL::SESSION_TICKET: case SSL::SESSION_TICKET:
add_to_history(c, is_orig, "t"); add_to_history(c, is_client, "t");
break; break;
# end of early data # end of early data
case 5: case 5:
add_to_history(c, is_orig, "e"); add_to_history(c, is_client, "e");
break; break;
case SSL::HELLO_RETRY_REQUEST: case SSL::HELLO_RETRY_REQUEST:
add_to_history(c, is_orig, "j"); add_to_history(c, is_client, "j");
break; break;
case SSL::ENCRYPTED_EXTENSIONS: case SSL::ENCRYPTED_EXTENSIONS:
add_to_history(c, is_orig, "o"); add_to_history(c, is_client, "o");
break; break;
case SSL::CERTIFICATE: case SSL::CERTIFICATE:
add_to_history(c, is_orig, "x"); add_to_history(c, is_client, "x");
break; break;
case SSL::SERVER_KEY_EXCHANGE: case SSL::SERVER_KEY_EXCHANGE:
add_to_history(c, is_orig, "k"); add_to_history(c, is_client, "k");
break; break;
case SSL::CERTIFICATE_REQUEST: case SSL::CERTIFICATE_REQUEST:
add_to_history(c, is_orig, "r"); add_to_history(c, is_client, "r");
break; break;
case SSL::SERVER_HELLO_DONE: case SSL::SERVER_HELLO_DONE:
add_to_history(c, is_orig, "n"); add_to_history(c, is_client, "n");
break; break;
case SSL::CERTIFICATE_VERIFY: case SSL::CERTIFICATE_VERIFY:
add_to_history(c, is_orig, "y"); add_to_history(c, is_client, "y");
break; break;
case SSL::CLIENT_KEY_EXCHANGE: case SSL::CLIENT_KEY_EXCHANGE:
add_to_history(c, is_orig, "g"); add_to_history(c, is_client, "g");
break; break;
case SSL::FINISHED: case SSL::FINISHED:
add_to_history(c, is_orig, "f"); add_to_history(c, is_client, "f");
break; break;
case SSL::CERTIFICATE_URL: case SSL::CERTIFICATE_URL:
add_to_history(c, is_orig, "w"); add_to_history(c, is_client, "w");
break; break;
case SSL::CERTIFICATE_STATUS: case SSL::CERTIFICATE_STATUS:
add_to_history(c, is_orig, "u"); add_to_history(c, is_client, "u");
break; break;
case SSL::SUPPLEMENTAL_DATA: case SSL::SUPPLEMENTAL_DATA:
add_to_history(c, is_orig, "a"); add_to_history(c, is_client, "a");
break; break;
case SSL::KEY_UPDATE: case SSL::KEY_UPDATE:
add_to_history(c, is_orig, "p"); add_to_history(c, is_client, "p");
break; break;
# message hash # message hash
case 254: case 254:
add_to_history(c, is_orig, "m"); add_to_history(c, is_client, "m");
break; break;
default: default:
add_to_history(c, is_orig, "z"); add_to_history(c, is_client, "z");
break; break;
} }
} }
# Extension event is fired _before_ the respective client or server hello. # Extension event is fired _before_ the respective client or server hello.
# Important for client_ticket_empty_session_seen. # Important for client_ticket_empty_session_seen.
event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5 event ssl_extension(c: connection, is_client: bool, code: count, val: string) &priority=5
{ {
set_session(c); set_session(c);
if ( is_orig && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 ) if ( is_client && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 )
# In this case, we might have an empty ID. Set back to F in client_hello event # In this case, we might have an empty ID. Set back to F in client_hello event
# if it is not empty after all. # if it is not empty after all.
c$ssl$client_ticket_empty_session_seen = T; c$ssl$client_ticket_empty_session_seen = T;
else if ( is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY ) else if ( is_client && code == SSL_EXTENSION_PRE_SHARED_KEY )
# In this case, the client sent a PSK extension which can be used for resumption # In this case, the client sent a PSK extension which can be used for resumption
c$ssl$client_psk_seen = T; c$ssl$client_psk_seen = T;
else if ( ! is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen ) else if ( ! is_client && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen )
# In this case, the server accepted the PSK offered by the client. # In this case, the server accepted the PSK offered by the client.
c$ssl$resumed = T; c$ssl$resumed = T;
} }
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5 event ssl_change_cipher_spec(c: connection, is_client: bool) &priority=5
{ {
set_session(c); set_session(c);
add_to_history(c, is_orig, "i"); add_to_history(c, is_client, "i");
if ( is_orig && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen ) if ( is_client && c$ssl$client_ticket_empty_session_seen && ! c$ssl$client_key_exchange_seen )
c$ssl$resumed = T; c$ssl$resumed = T;
} }
event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5 event ssl_alert(c: connection, is_client: bool, level: count, desc: count) &priority=5
{ {
set_session(c); set_session(c);
add_to_history(c, is_orig, "l"); add_to_history(c, is_client, "l");
c$ssl$last_alert = alert_descriptions[desc]; c$ssl$last_alert = alert_descriptions[desc];
} }
event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
{ {
set_session(c); set_session(c);
add_to_history(c, is_orig, "b"); add_to_history(c, is_client, "b");
} }
event ssl_established(c: connection) &priority=7 event ssl_established(c: connection) &priority=7
@ -489,7 +501,7 @@ event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
} }
} }
event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) &priority=5 event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count) &priority=5
{ {
set_session(c); set_session(c);
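Review bot: The new `ssl_connection_flipped` handler records the flip with a bare `c$ssl$ssl_history += "^";` and no comment, while the neighbouring handlers (see the note above `ssl_extension`) explain their non-obvious state changes. A reader of `ssl_history` needs to know how letters seen before the `^` relate to the new direction; if the case of earlier letters is not rewritten on a flip — which this hunk suggests but does not show — document that, e.g. `# Record the flip in the history; letters added before "^" keep the case they were given at the time.` Since the PR description says a weird is raised for repeated flips, it would also be worth stating here whether each repeated flip appends another `^`, so consumers know the marker can occur more than once.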


@ -99,7 +99,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
set_secret(c, secrets[client_random]); set_secret(c, secrets[client_random]);
} }
event ssl_change_cipher_spec(c: connection, is_orig: bool) event ssl_change_cipher_spec(c: connection, is_client: bool)
{ {
if ( c$ssl?$client_random ) if ( c$ssl?$client_random )
{ {


@ -79,7 +79,7 @@ event zeek_init()
min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40]; min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40];
} }
event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
{ {
if ( ! c?$ssl ) if ( ! c?$ssl )
return; return;
@ -97,7 +97,7 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
$identifier=cat(c$uid, length, payload_length) $identifier=cat(c$uid, length, payload_length)
]); ]);
} }
else if ( is_orig ) else if ( is_client )
{ {
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack, NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length), $msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
@ -118,9 +118,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
} }
} }
event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
{ {
if ( is_orig ) if ( is_client )
++c$ssl$originator_heartbeats; ++c$ssl$originator_heartbeats;
else else
++c$ssl$responder_heartbeats; ++c$ssl$responder_heartbeats;
@ -129,14 +129,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
if ( c$ssl$enc_appdata_packages == 0 ) if ( c$ssl$enc_appdata_packages == 0 )
NOTICE([$note=SSL_Heartbeat_Attack, NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig), $msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
$conn=c, $conn=c,
$n=length, $n=length,
$identifier=fmt("%s%s", c$uid, "early") $identifier=fmt("%s%s", c$uid, "early")
]); ]);
else if ( duration < 1min ) else if ( duration < 1min )
NOTICE([$note=SSL_Heartbeat_Attack, NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %s", length, is_orig, duration), $msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
$conn=c, $conn=c,
$n=length, $n=length,
$identifier=fmt("%s%s", c$uid, "early") $identifier=fmt("%s%s", c$uid, "early")
@ -158,7 +158,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
]); ]);
if ( is_orig && length < 19 ) if ( is_client && length < 19 )
NOTICE([$note=SSL_Heartbeat_Odd_Length, NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration), $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
$conn=c, $conn=c,
@ -192,7 +192,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
} }
if ( is_orig ) if ( is_client )
{ {
if ( c$ssl?$last_responder_heartbeat_request_size ) if ( c$ssl?$last_responder_heartbeat_request_size )
{ {
@ -223,13 +223,13 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
} }
} }
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
{ {
if ( !c?$ssl ) if ( !c?$ssl )
return; return;
if ( content_type == SSL::HEARTBEAT ) if ( content_type == SSL::HEARTBEAT )
event ssl_encrypted_heartbeat(c, is_orig, length); event ssl_encrypted_heartbeat(c, is_client, length);
else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) ) else if ( (content_type == SSL::APPLICATION_DATA) && (length > 0) )
{ {
++c$ssl$enc_appdata_packages; ++c$ssl$enc_appdata_packages;
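Review bot: In `ssl_encrypted_heartbeat`, `is_client` now selects between `c$ssl$originator_heartbeats` and `c$ssl$responder_heartbeats` (and the `last_responder_heartbeat_request_size` lookup further down), so on a flipped connection these counters and the notices derived from them describe the TLS client and server, not the originator and responder their names promise. Renaming the record fields would break existing consumers, so at least a comment at the first increment is warranted, e.g. `# Counted per TLS role (is_client), not per network direction; see ssl_connection_flipped.` The notice text was updated to print `is_client`, which is consistent with that reading. `ssl_encrypted_heartbeat` starts in the hunk and continues outside it.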


@ -73,12 +73,12 @@ event ssl_session_ticket_handshake(c: connection, ticket_lifetime_hint: count, t
c$ssl$ticket_lifetime_hint = ticket_lifetime_hint; c$ssl$ticket_lifetime_hint = ticket_lifetime_hint;
} }
event ssl_extension(c: connection, is_orig: bool, code: count, val: string) event ssl_extension(c: connection, is_client: bool, code: count, val: string)
{ {
if ( ! c?$ssl ) if ( ! c?$ssl )
return; return;
if ( is_orig ) if ( is_client )
{ {
if ( ! c$ssl?$ssl_client_exts ) if ( ! c$ssl?$ssl_client_exts )
c$ssl$ssl_client_exts = vector(); c$ssl$ssl_client_exts = vector();
@ -92,28 +92,28 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
} }
} }
event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec) event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
{ {
if ( ! c?$ssl || ! is_orig ) if ( ! c?$ssl || ! is_client )
return; return;
c$ssl$point_formats = point_formats; c$ssl$point_formats = point_formats;
} }
event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec) event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
{ {
if ( ! c?$ssl || ! is_orig ) if ( ! c?$ssl || ! is_client )
return; return;
c$ssl$client_curves = curves; c$ssl$client_curves = curves;
} }
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, names: string_vec) event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, names: string_vec)
{ {
if ( ! c?$ssl ) if ( ! c?$ssl )
return; return;
if ( is_orig ) if ( is_client )
c$ssl$orig_alpn = names; c$ssl$orig_alpn = names;
} }
@ -126,39 +126,39 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
c$ssl$dh_param_size = key_length; c$ssl$dh_param_size = key_length;
} }
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
{ {
if ( ! c?$ssl ) if ( ! c?$ssl )
return; return;
if ( is_orig ) if ( is_client )
c$ssl$client_supported_versions = versions; c$ssl$client_supported_versions = versions;
else else
c$ssl$server_supported_version = versions[0]; c$ssl$server_supported_version = versions[0];
} }
event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
{ {
if ( ! c?$ssl || ! is_orig ) if ( ! c?$ssl || ! is_client )
return; return;
c$ssl$psk_key_exchange_modes = modes; c$ssl$psk_key_exchange_modes = modes;
} }
event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec) event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
{ {
if ( ! c?$ssl ) if ( ! c?$ssl )
return; return;
if ( is_orig ) if ( is_client )
c$ssl$client_key_share_groups = curves; c$ssl$client_key_share_groups = curves;
else else
c$ssl$server_key_share_group = curves[0]; c$ssl$server_key_share_group = curves[0];
} }
event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec) event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec)
{ {
if ( ! c?$ssl || ! is_orig ) if ( ! c?$ssl || ! is_client )
return; return;
local sigalgs: index_vec = vector(); local sigalgs: index_vec = vector();
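Review bot: `c$ssl$orig_alpn = names;` in `ssl_extension_application_layer_protocol_negotiation` is now guarded by `is_client`, so the logged `orig_alpn` field holds the TLS client's ALPN list even when the client is the responder; the field name (and its log column) no longer describes what it records. Keeping the name for compatibility is reasonable, but the field's `##` doc (outside this hunk) should say it is the client-side list, e.g. `## ALPN values offered by the TLS client (usually, but not always, the originator).` Separately and pre-existing, the server branches index `versions[0]` and `curves[0]` without the `|...| != 1` guard that main.zeek applies to the same extensions.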


@ -31,7 +31,7 @@ export {
# certificate chain is seen. # certificate chain is seen.
global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins;
event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 event ssl_stapled_ocsp(c: connection, is_client: bool, response: string) &priority=3
{ {
c$ssl$ocsp_response = response; c$ssl$ocsp_response = response;
} }


@ -74,7 +74,7 @@ event zeek_init()
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
} }
event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 event ssl_extension_signed_certificate_timestamp(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5
{ {
c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT);
} }


@ -83,4 +83,9 @@ bool DTLS_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool
return false; return false;
} }
bool DTLS_Analyzer::GetFlipped()
{
return handshake_interp->flipped();
}
} // namespace zeek::analyzer::dtls } // namespace zeek::analyzer::dtls
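Review bot: `DTLS_Analyzer::GetFlipped` only reads state through `handshake_interp->flipped()`, so it can be declared `bool GetFlipped() const;` in the header and defined as `bool DTLS_Analyzer::GetFlipped() const`, provided the interpreter's `flipped()` accessor is itself const (not visible here). The same applies to the identical `SSL_Analyzer::GetFlipped` added in SSL.cc and its declaration in SSL.h. The two definitions and their doc comments are duplicated verbatim; if the analyzers share a base class that already owns `handshake_interp`, the method belongs there.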


@ -39,6 +39,14 @@ public:
static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); } static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); }
/**
* Check if the connection is flipped--meaning that the TLS client is the responder of the
* connection.
*
* @return True if connection is flipped.
*/
bool GetFlipped();
/** /**
* Try to decrypt TLS application data from a packet. * Try to decrypt TLS application data from a packet.
* *


@ -413,4 +413,9 @@ void SSL_Analyzer::ForwardDecryptedData(const std::vector<u_char>& data, bool is
ForwardStream(data.size(), data.data(), is_orig); ForwardStream(data.size(), data.data(), is_orig);
} }
bool SSL_Analyzer::GetFlipped()
{
return handshake_interp->flipped();
}
} // namespace zeek::analyzer::ssl } // namespace zeek::analyzer::ssl


@ -97,6 +97,14 @@ public:
*/ */
void SetKeys(const std::vector<u_char> newkeys); void SetKeys(const std::vector<u_char> newkeys);
/**
* Check if the connection is flipped--meaning that the TLS client is the responder of the
* connection.
*
* @return True if connection is flipped.
*/
bool GetFlipped();
protected: protected:
/** /**
* Try to decrypt TLS application data from a packet. Requires secret or keys to be set prior. * Try to decrypt TLS application data from a packet. Requires secret or keys to be set prior.


@ -34,7 +34,7 @@
## ssl_session_ticket_handshake x509_certificate ssl_handshake_message ## ssl_session_ticket_handshake x509_certificate ssl_handshake_message
## ssl_change_cipher_spec ## ssl_change_cipher_spec
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ## ssl_rsa_client_pms ssl_connection_flipped
event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%); event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
@ -78,7 +78,7 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
## ssl_session_ticket_handshake x509_certificate ## ssl_session_ticket_handshake x509_certificate
## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec ## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ## ssl_rsa_client_pms ssl_connection_flipped
event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%); event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS
@ -90,7 +90,9 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## code: The numerical code of the extension. The values are standardized as ## code: The numerical code of the extension. The values are standardized as
## part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps ## part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps
@ -104,7 +106,8 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_connection_flipped
event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);
## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
## defined in :rfc:`4492` and sent by the client in the initial handshake. It ## defined in :rfc:`4492` and sent by the client in the initial handshake. It
@ -112,7 +115,9 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## curves: List of supported elliptic curves. ## curves: List of supported elliptic curves.
## ##
@ -124,7 +129,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: index_vec%);
## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
## is defined in :rfc:`4492` and sent by the client and/or server in the initial ## is defined in :rfc:`4492` and sent by the client and/or server in the initial
@ -133,7 +138,9 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## point_formats: List of supported point formats. ## point_formats: List of supported point formats.
## ##
@ -146,7 +153,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature ## ssl_rsa_client_pms ssl_server_signature
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_formats: index_vec%);
## Generated for an Signature Algorithms extension. This TLS extension ## Generated for an Signature Algorithms extension. This TLS extension
## is defined in :rfc:`5246` and sent by the client in the initial ## is defined in :rfc:`5246` and sent by the client in the initial
@ -155,7 +162,9 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## signature_algorithms: List of supported signature and hash algorithm pairs. ## signature_algorithms: List of supported signature and hash algorithm pairs.
## ##
@ -167,7 +176,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature ## ssl_rsa_client_pms ssl_server_signature
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
## and sent by the client and the server in the initial handshake. It gives the list of ## and sent by the client and the server in the initial handshake. It gives the list of
@ -175,7 +184,9 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for the originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## curves: List of supported/chosen named groups. ## curves: List of supported/chosen named groups.
## ##
@ -187,7 +198,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature ## ssl_rsa_client_pms ssl_server_signature
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec%);
## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello. ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
## ##
@ -196,7 +207,9 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for the originator side of the connection ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## identities: A list of the identities the client is willing to negotiate with the server. ## identities: A list of the identities the client is willing to negotiate with the server.
## ##
@ -209,13 +222,15 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello ## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec%); event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec%);
## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello. ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for the originator side of the connection ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## selected_identity: The identity the server chose as a 0-based index into the identities ## selected_identity: The identity the server chose as a 0-based index into the identities
## the client sent. ## the client sent.
@ -227,7 +242,7 @@ event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, i
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello ## ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
event ssl_extension_pre_shared_key_server_hello%(c: connection, is_orig: bool, selected_identity: count%); event ssl_extension_pre_shared_key_server_hello%(c: connection, is_client: bool, selected_identity: count%);
## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve ## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
## This event contains the named curve name and the server ECDH parameters contained ## This event contains the named curve name and the server ECDH parameters contained
@ -332,7 +347,9 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## protocols: List of supported application layer protocols. ## protocols: List of supported application layer protocols.
## ##
@ -343,7 +360,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_extension_signed_certificate_timestamp ## ssl_extension_signed_certificate_timestamp
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_client: bool, protocols: string_vec%);
## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
## defined in :rfc:`3546` and sent by the client in the initial handshake. It ## defined in :rfc:`3546` and sent by the client in the initial handshake. It
@ -353,7 +370,9 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## names: A list of server names (DNS hostnames). ## names: A list of server names (DNS hostnames).
## ##
@ -365,7 +384,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
## ssl_extension_signed_certificate_timestamp ## ssl_extension_signed_certificate_timestamp
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); event ssl_extension_server_name%(c: connection, is_client: bool, names: string_vec%);
## Generated for the signed_certificate_timestamp TLS extension as defined in ## Generated for the signed_certificate_timestamp TLS extension as defined in
## :rfc:`6962`. The extension is used to transmit signed proofs that are ## :rfc:`6962`. The extension is used to transmit signed proofs that are
@ -373,7 +392,9 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## version: the version of the protocol to which the SCT conforms. Always ## version: the version of the protocol to which the SCT conforms. Always
## should be 0 (representing version 1) ## should be 0 (representing version 1)
@ -396,7 +417,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_application_layer_protocol_negotiation
## x509_ocsp_ext_signed_certificate_timestamp sct_verify ## x509_ocsp_ext_signed_certificate_timestamp sct_verify
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
## Generated for an TLS Supported Versions extension. This TLS extension ## Generated for an TLS Supported Versions extension. This TLS extension
## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake. ## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake.
@ -405,7 +426,9 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## versions: List of supported TLS versions. ## versions: List of supported TLS versions.
## ##
@ -416,14 +439,16 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
## ssl_extension_key_share ssl_extension_server_name ## ssl_extension_key_share ssl_extension_server_name
## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp ## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); event ssl_extension_supported_versions%(c: connection, is_client: bool, versions: index_vec%);
## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the ## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the
## list of Pre-Shared Key Exchange Modes that it supports. ## list of Pre-Shared Key Exchange Modes that it supports.
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## versions: List of supported Pre-Shared Key Exchange Modes. ## versions: List of supported Pre-Shared Key Exchange Modes.
## ##
@ -434,7 +459,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
## ssl_extension_key_share ssl_extension_server_name ## ssl_extension_key_share ssl_extension_server_name
## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp ## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello ## ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); event ssl_extension_psk_key_exchange_modes%(c: connection, is_client: bool, modes: index_vec%);
## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
## an unencrypted handshake, and Zeek extracts as much information out of that ## an unencrypted handshake, and Zeek extracts as much information out of that
@ -462,7 +487,9 @@ event ssl_established%(c: connection%);
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## level: The severity level, as sent in the *alert*. The values are defined as ## level: The severity level, as sent in the *alert*. The values are defined as
## part of the SSL/TLS protocol. ## part of the SSL/TLS protocol.
@ -472,7 +499,7 @@ event ssl_established%(c: connection%);
## ##
## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake ## ssl_session_ticket_handshake
event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%); event ssl_alert%(c: connection, is_client: bool, level: count, desc: count%);
## Generated for SSL/TLS handshake messages that are a part of the ## Generated for SSL/TLS handshake messages that are a part of the
## stateless-server session resumption mechanism. SSL/TLS sessions start with ## stateless-server session resumption mechanism. SSL/TLS sessions start with
@ -501,7 +528,9 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## length: length of the entire heartbeat message. ## length: length of the entire heartbeat message.
## ##
@ -515,7 +544,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
## ##
## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## ssl_alert ssl_encrypted_data ## ssl_alert ssl_encrypted_data
event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%); event ssl_heartbeat%(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
## Generated for SSL/TLS messages that are sent before full session encryption ## Generated for SSL/TLS messages that are sent before full session encryption
## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3; ## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
@ -526,7 +555,9 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## record_version: TLS version given in the record layer of the message. ## record_version: TLS version given in the record layer of the message.
## Set to 0 for SSLv2. ## Set to 0 for SSLv2.
@ -538,7 +569,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
## ##
## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## ssl_alert ssl_heartbeat ## ssl_alert ssl_heartbeat
event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%);
## Generated for SSL/TLS messages that are sent after session encryption ## Generated for SSL/TLS messages that are sent after session encryption
## started. ## started.
@ -548,7 +579,9 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## record_version: TLS version given in the record layer of the message. ## record_version: TLS version given in the record layer of the message.
## Set to 0 for SSLv2. ## Set to 0 for SSLv2.
@ -560,7 +593,7 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
## ##
## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello ## .. zeek:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
## ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message ## ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%); event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%);
## This event is generated for application data records of TLS 1.3 connections of which ## This event is generated for application data records of TLS 1.3 connections of which
## we suspect that they contain handshake messages. ## we suspect that they contain handshake messages.
@ -587,13 +620,15 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, c
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## length: length of the entire message. ## length: length of the entire message.
## ##
## .. zeek:see:: ssl_client_hello ssl_established ssl_server_hello ## .. zeek:see:: ssl_client_hello ssl_established ssl_server_hello
## ssl_encrypted_data ## ssl_encrypted_data
event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, length: count%); event ssl_probable_encrypted_handshake_message%(c: connection, is_client: bool, length: count%);
## This event contains the OCSP response contained in a Certificate Status Request ## This event contains the OCSP response contained in a Certificate Status Request
## message, when the client requested OCSP stapling and the server supports it. ## message, when the client requested OCSP stapling and the server supports it.
@ -601,16 +636,20 @@ event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, le
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## response: OCSP data. ## response: OCSP data.
event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); event ssl_stapled_ocsp%(c: connection, is_client: bool, response: string%);
## This event is raised for each unencrypted SSL/TLS handshake message. ## This event is raised for each unencrypted SSL/TLS handshake message.
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## msg_type: Type of the handshake message that was seen. ## msg_type: Type of the handshake message that was seen.
## ##
@ -618,17 +657,33 @@ event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
## ##
## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate ssl_client_hello ## ssl_session_ticket_handshake x509_certificate ssl_client_hello
## ssl_change_cipher_spec ## ssl_change_cipher_spec ssl_connection_flipped
event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, length: count%); event ssl_handshake_message%(c: connection, is_client: bool, msg_type: count, length: count%);
## This event is raised when a SSL/TLS ChangeCipherSpec message is encountered ## This event is raised when a SSL/TLS ChangeCipherSpec message is encountered
## before encryption begins. Traffic will be encrypted following this message. ## before encryption begins. Traffic will be encrypted following this message.
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: True if event is raised for originator side of the connection. ## is_client: True if event is raised for the client side of the connection
## (the side that sends the client hello). This is typically equivalent
## with the originator, but does not have to be in all circumstances.
## ##
## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate ssl_client_hello ## ssl_session_ticket_handshake x509_certificate ssl_client_hello
## ssl_handshake_message ## ssl_handshake_message
event ssl_change_cipher_spec%(c: connection, is_orig: bool%); event ssl_change_cipher_spec%(c: connection, is_client: bool%);
## Zeek typically assumes that the originator of a connection is the client of the SSL/TLS
## session. In some scenarios this does not hold, and the responder of a connection is the
## client, and the initiator is the server.
##
## In these cases, Zeek raises this event. Connection direction is detected by looking at the
## server hello, client hello, and hello request handshake messages.
##
## c: The connection.
##
## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
## ssl_session_ticket_handshake x509_certificate ssl_client_hello
## ssl_handshake_message
event ssl_connection_flipped%(c: connection%);


@ -3,10 +3,18 @@ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
if ( certificates->size() == 0 ) if ( certificates->size() == 0 )
return true; return true;
// this has to execute in both contexts, ssl and tls-handshake. In one we have flipped_,
// in the other we have ssl_analyzer()->GetFlipped(). And in both cases the other case
// does not work (and cannot be made to work easily).
#ifndef USE_FLIPPED
bool flipped_ = zeek_analyzer()->GetFlipped();
#endif
zeek::ODesc common; zeek::ODesc common;
common.AddRaw("Analyzer::ANALYZER_SSL"); common.AddRaw("Analyzer::ANALYZER_SSL");
common.Add(zeek_analyzer()->Conn()->StartTime()); common.Add(zeek_analyzer()->Conn()->StartTime());
common.AddRaw(is_orig ? "T" : "F", 1); common.AddRaw(is_orig ^ flipped_ ? "T" : "F", 1);
zeek_analyzer()->Conn()->IDString(&common); zeek_analyzer()->Conn()->IDString(&common);
static const string user_mime = "application/x-x509-user-cert"; static const string user_mime = "application/x-x509-user-cert";
@ -31,7 +39,7 @@ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), zeek_analyzer()->GetAnalyzerTag(), cert.length(), zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), is_orig, zeek_analyzer()->Conn(), is_orig ^ flipped_,
file_id, i == 0 ? user_mime : ca_mime); file_id, i == 0 ? user_mime : ca_mime);
zeek::file_mgr->EndOfFile(file_id); zeek::file_mgr->EndOfFile(file_id);
} }


@ -34,7 +34,7 @@ refine connection SSL_Conn += {
%{ %{
if ( ssl_alert ) if ( ssl_alert )
zeek::BifEvent::enqueue_ssl_alert(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_alert(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, level, desc); ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), level, desc);
return true; return true;
%} %}
function proc_unknown_record(rec: SSLRecord) : bool function proc_unknown_record(rec: SSLRecord) : bool
@ -66,13 +66,13 @@ refine connection SSL_Conn += {
if ( ssl_encrypted_data ) if ( ssl_encrypted_data )
{ {
zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
} }
if ( rec->content_type() == APPLICATION_DATA && decryption_failed_ == false ) if ( rec->content_type() == APPLICATION_DATA && decryption_failed_ == false )
{ {
// If decryption of one packet fails, do not try to decrypt future packets. // If decryption of one packet fails, do not try to decrypt future packets.
if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig(), rec->content_type(), rec->raw_tls_version()) ) if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig() ^ zeek_analyzer()->GetFlipped(), rec->content_type(), rec->raw_tls_version()) )
decryption_failed_ = true; decryption_failed_ = true;
} }
@ -83,7 +83,7 @@ refine connection SSL_Conn += {
%{ %{
if ( ssl_plaintext_data ) if ( ssl_plaintext_data )
zeek::BifEvent::enqueue_ssl_plaintext_data(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_plaintext_data(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length}); zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
return true; return true;
%} %}
@ -92,7 +92,7 @@ refine connection SSL_Conn += {
%{ %{
if ( ssl_heartbeat ) if ( ssl_heartbeat )
zeek::BifEvent::enqueue_ssl_heartbeat(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_heartbeat(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length, zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.length}, type, payload_length,
zeek::make_intrusive<zeek::StringVal>(data.length(), (const char*) data.data())); zeek::make_intrusive<zeek::StringVal>(data.length(), (const char*) data.data()));
return true; return true;
%} %}
@ -114,7 +114,7 @@ refine connection SSL_Conn += {
%{ %{
if ( ssl_change_cipher_spec ) if ( ssl_change_cipher_spec )
zeek::BifEvent::enqueue_ssl_change_cipher_spec(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_change_cipher_spec(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}); zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped());
return true; return true;
%} %}
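Review bot: `${rec.is_orig} ^ zeek_analyzer()->GetFlipped()` is repeated verbatim at five event enqueues and the `TryDecryptApplicationData` call across these hunks, so any future event site can silently forget the flip and report originator instead of client. A single accessor on the refinement, e.g. `bool is_client(const SSLRecord* rec) { return rec->is_orig() != zeek_analyzer()->GetFlipped(); }`, used as `is_client(rec)` at each site, would centralise the translation; `!=` also reads more clearly than `^` on two bools. For `TryDecryptApplicationData` the argument is presumably used to select the client or server traffic keys, in which case passing the client/server flag is the right choice, but that depends on code outside this diff. Each of the functions whose calls changed here begins outside its hunk.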


@ -161,7 +161,7 @@ refine connection Handshake_Conn += {
if ( ssl_extension ) if ( ssl_extension )
zeek::BifEvent::enqueue_ssl_extension(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_extension(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}, type, zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, type,
zeek::make_intrusive<zeek::StringVal>(length, reinterpret_cast<const char*>(data))); zeek::make_intrusive<zeek::StringVal>(length, reinterpret_cast<const char*>(data)));
return true; return true;
%} %}
@ -180,7 +180,7 @@ refine connection Handshake_Conn += {
} }
zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(points)); ${rec.is_orig} ^ flipped_, std::move(points));
return true; return true;
%} %}
@ -199,7 +199,7 @@ refine connection Handshake_Conn += {
} }
zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(curves)); ${rec.is_orig} ^ flipped_, std::move(curves));
return true; return true;
%} %}
@ -217,7 +217,7 @@ refine connection Handshake_Conn += {
nglist->Assign(i, zeek::val_mgr->Count((*keyshare)[i]->namedgroup())); nglist->Assign(i, zeek::val_mgr->Count((*keyshare)[i]->namedgroup()));
} }
zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist));
return true; return true;
%} %}
@ -230,7 +230,7 @@ refine connection Handshake_Conn += {
auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
nglist->Assign(0u, zeek::val_mgr->Count(keyshare->namedgroup())); nglist->Assign(0u, zeek::val_mgr->Count(keyshare->namedgroup()));
zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist));
return true; return true;
%} %}
@ -242,7 +242,7 @@ refine connection Handshake_Conn += {
auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec); auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
nglist->Assign(0u, zeek::val_mgr->Count(namedgroup)); nglist->Assign(0u, zeek::val_mgr->Count(namedgroup));
zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist)); zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist));
return true; return true;
%} %}
@ -264,7 +264,7 @@ refine connection Handshake_Conn += {
} }
} }
zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(slist)); zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(slist));
return true; return true;
%} %}
@ -283,7 +283,7 @@ refine connection Handshake_Conn += {
} }
zeek::BifEvent::enqueue_ssl_extension_application_layer_protocol_negotiation(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_application_layer_protocol_negotiation(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(plist)); ${rec.is_orig} ^ flipped_, std::move(plist));
return true; return true;
%} %}
@ -312,7 +312,7 @@ refine connection Handshake_Conn += {
if ( ssl_extension_server_name ) if ( ssl_extension_server_name )
zeek::BifEvent::enqueue_ssl_extension_server_name(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_server_name(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(servers)); ${rec.is_orig} ^ flipped_, std::move(servers));
return true; return true;
%} %}
@ -331,7 +331,7 @@ refine connection Handshake_Conn += {
} }
zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(versions)); ${rec.is_orig} ^ flipped_, std::move(versions));
return true; return true;
%} %}
@ -345,7 +345,7 @@ refine connection Handshake_Conn += {
versions->Assign(0u, zeek::val_mgr->Count(version)); versions->Assign(0u, zeek::val_mgr->Count(version));
zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(versions)); ${rec.is_orig} ^ flipped_, std::move(versions));
return true; return true;
%} %}
@ -364,7 +364,7 @@ refine connection Handshake_Conn += {
} }
zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(modes)); ${rec.is_orig} ^ flipped_, std::move(modes));
return true; return true;
%} %}
@ -412,7 +412,7 @@ refine connection Handshake_Conn += {
if ( ssl_stapled_ocsp ) if ( ssl_stapled_ocsp )
zeek::BifEvent::enqueue_ssl_stapled_ocsp(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_stapled_ocsp(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),
${rec.is_orig}, ${rec.is_orig} ^ flipped_,
zeek::make_intrusive<zeek::StringVal>(response.length(), (const char*) response.data())); zeek::make_intrusive<zeek::StringVal>(response.length(), (const char*) response.data()));
zeek::file_mgr->EndOfFile(file_id); zeek::file_mgr->EndOfFile(file_id);
@ -515,7 +515,7 @@ refine connection Handshake_Conn += {
ha->Assign(1, digitally_signed_algorithms->SignatureAlgorithm()); ha->Assign(1, digitally_signed_algorithms->SignatureAlgorithm());
zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}, zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_,
version, version,
zeek::make_intrusive<zeek::StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())), zeek::make_intrusive<zeek::StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
timestamp, timestamp,
@ -578,7 +578,7 @@ refine connection Handshake_Conn += {
%{ %{
if ( ssl_handshake_message ) if ( ssl_handshake_message )
zeek::BifEvent::enqueue_ssl_handshake_message(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_handshake_message(zeek_analyzer(),
zeek_analyzer()->Conn(), is_orig, msg_type, to_int()(length)); zeek_analyzer()->Conn(), is_orig ^ flipped_, msg_type, to_int()(length));
return true; return true;
%} %}
@ -610,7 +610,7 @@ refine connection Handshake_Conn += {
} }
zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_client_hello(zeek_analyzer(), zeek_analyzer()->Conn(), zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_client_hello(zeek_analyzer(), zeek_analyzer()->Conn(),
${rec.is_orig}, std::move(slist), std::move(blist)); ${rec.is_orig} ^ flipped_, std::move(slist), std::move(blist));
return true; return true;
%} %}
@ -621,7 +621,7 @@ refine connection Handshake_Conn += {
return true; return true;
zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_server_hello(zeek_analyzer(), zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_server_hello(zeek_analyzer(),
zeek_analyzer()->Conn(), ${rec.is_orig}, selected_identity); zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, selected_identity);
return true; return true;
%} %}


@ -61,7 +61,9 @@ type UnknownHandshake(hs: HandshakeRecord, is_orig: bool) = record {
###################################################################### ######################################################################
# Hello Request is empty # Hello Request is empty
type HelloRequest(rec: HandshakeRecord) = empty; type HelloRequest(rec: HandshakeRecord) = record {
direction_check : DirectionCheck(false, rec); # should be sent by responder
};
###################################################################### ######################################################################
@ -69,6 +71,7 @@ type HelloRequest(rec: HandshakeRecord) = empty;
###################################################################### ######################################################################
type ClientHello(rec: HandshakeRecord) = record { type ClientHello(rec: HandshakeRecord) = record {
direction_check : DirectionCheck(true, rec); # should be sent by originator
client_version : uint16; client_version : uint16;
gmt_unix_time : uint32; gmt_unix_time : uint32;
random_bytes : bytestring &length = 28; random_bytes : bytestring &length = 28;
@ -100,6 +103,7 @@ type ClientHelloCookie(rec: HandshakeRecord) = record {
# TLS 1.3 server hello is different from earlier versions. Trick around a # TLS 1.3 server hello is different from earlier versions. Trick around a
# bit, route 1.3 requests to a different record than earlier. # bit, route 1.3 requests to a different record than earlier.
type ServerHelloChoice(rec: HandshakeRecord) = record { type ServerHelloChoice(rec: HandshakeRecord) = record {
direction_check : DirectionCheck(false, rec); # should be sent by responder
server_version0 : uint8; server_version0 : uint8;
server_version1 : uint8; server_version1 : uint8;
hello: case parsed_version of { hello: case parsed_version of {
@ -140,6 +144,13 @@ type ServerHello13(rec: HandshakeRecord, server_version: uint16) = record {
$context.connection.set_cipher(cipher_suite[0]); $context.connection.set_cipher(cipher_suite[0]);
}; };
# Used to check if originator/responder are reversed for this connection
type DirectionCheck(desired: bool, rec: HandshakeRecord) = record {
} &let {
proc : bool = $context.connection.check_flipped(desired, rec.is_orig);
};
###################################################################### ######################################################################
# DTLS Hello Verify Request # DTLS Hello Verify Request
###################################################################### ######################################################################
@ -785,7 +796,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
%include tls-handshake-signed_certificate_timestamp.pac %include tls-handshake-signed_certificate_timestamp.pac
type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of { type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case ( rec.is_orig ^ $context.connection.flipped() ) of {
true -> a: SupportedVersions(rec); true -> a: SupportedVersions(rec);
false -> b: OneSupportedVersion(rec); false -> b: OneSupportedVersion(rec);
} }
@ -946,9 +957,13 @@ refine connection Handshake_Conn += {
bytestring client_random_; bytestring client_random_;
bytestring server_random_; bytestring server_random_;
uint32 gmt_unix_time_; uint32 gmt_unix_time_;
bool flipped_;
bool already_alerted_;
%} %}
%init{ %init{
flipped_ = false;
already_alerted_ = false;
chosen_cipher_ = NO_CHOSEN_CIPHER; chosen_cipher_ = NO_CHOSEN_CIPHER;
chosen_version_ = UNKNOWN_VERSION; chosen_version_ = UNKNOWN_VERSION;
@ -985,6 +1000,39 @@ refine connection Handshake_Conn += {
return true; return true;
%} %}
function check_flipped(desired: bool, is_orig: bool) : bool
%{
if ( flipped_ )
{
if ( desired == is_orig )
{
// well, I guess we get to flip it back - and alert on this
flipped_ = false;
zeek::BifEvent::enqueue_ssl_connection_flipped(zeek_analyzer(), zeek_analyzer()->Conn());
if ( ! already_alerted_ )
{
already_alerted_ = true;
zeek_analyzer()->Weird("SSL_unclear_connection_direction");
}
}
}
else
{
if ( desired != is_orig )
{
flipped_ = true;
zeek::BifEvent::enqueue_ssl_connection_flipped(zeek_analyzer(), zeek_analyzer()->Conn());
}
}
return true;
%}
function flipped() : bool
%{
return flipped_;
%}
function record_version() : uint16 %{ return record_version_; %} function record_version() : uint16 %{ return record_version_; %}
function set_record_version(version: uint16) : bool function set_record_version(version: uint16) : bool
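Review bot: `direction_check` is the first field of `ClientHello`, `ServerHelloChoice` and `HelloRequest`, so `check_flipped` runs — and can set `flipped_` and enqueue `ssl_connection_flipped` — before a single byte of the message body has been parsed; a truncated or otherwise malformed handshake record whose type byte claims ClientHello therefore still changes the direction applied by every later `is_orig ^ flipped_` event argument and by the `SupportedVersionsSelector` parse choice, even though that message then fails to parse. If binpac evaluates record fields in order, moving `direction_check` to the end of each record (or acting on the result only once the message has parsed) would make the flip harder to trigger with garbage, and any other parse selector keyed on `rec.is_orig` outside this section would need the same `^ $context.connection.flipped()` treatment. `check_flipped` has no header comment; I would add `// desired is the is_orig value this message type is expected from. A message from the other side flips flipped_ and enqueues ssl_connection_flipped; a flip back additionally raises SSL_unclear_connection_direction once per connection.` That comment should make explicit that the weird fires only on a flip back, so a connection that reverses exactly once is visible to operators only through the new event. The `Handshake_Conn` refinement continues outside this section.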


@ -8,6 +8,7 @@
#include "zeek/analyzer/protocol/ssl/types.bif.h" #include "zeek/analyzer/protocol/ssl/types.bif.h"
#include "zeek/analyzer/protocol/ssl/events.bif.h" #include "zeek/analyzer/protocol/ssl/events.bif.h"
#define USE_FLIPPED
%} %}
analyzer TLSHandshake withcontext { analyzer TLSHandshake withcontext {
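Review bot: `#define USE_FLIPPED` is added without any comment saying what it gates, and the consuming `#ifdef` is not in this section. It presumably selects the direction-tracking (`flipped_`) path in shared handshake `.pac` code for analyzers that provide `check_flipped`, so a one-liner such as `// Shared handshake .pac code uses flipped_ (client/server direction tracking) when this is defined.` would let the next reader find the other side. Whether the DTLS analyzer — the motivating case in the commit description — defines it as well cannot be confirmed from this section.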


@ -0,0 +1,9 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
T, 11
T, 10
T, 15
T, 14
65279, \x8ev\xfa \xbf\x84\xd0[\xddQ\xe8\xce\xdb!\xdf\x8f\xa6kW\xc3zC\xb4\xa0z\x09o~, \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00, [49172, 49162, 57, 56, 55, 54, 136, 135, 134, 133, 49177, 58, 137, 49167, 49157, 53, 132, 49171, 49161, 51, 50, 49, 48, 154, 153, 152, 151, 69, 68, 67, 66, 49176, 52, 155, 70, 49166, 49156, 47, 150, 65, 7, 49170, 49160, 22, 19, 16, 13, 49175, 27, 49165, 49155, 10, 21, 18, 15, 12, 26, 9, 20, 17, 14, 11, 25, 8, 6, 49168, 49158, 49173, 49163, 49153, 2, 1, 255]
F, 11
F, 14
F, 65281


@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps subject issuer client_subject client_issuer sni_matches_cert #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established ssl_history cert_chain_fps client_cert_chain_fps subject issuer client_subject client_issuer sni_matches_cert
#types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] string string string string bool #types time string addr port addr port string string string string bool string string bool string vector[string] vector[string] string string string string bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.82 51462 74.201.205.9 43044 DTLSv10 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T cSXKRNxgyiI d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f 968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=a CN=a - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.82 51462 74.201.205.9 43044 DTLSv10 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T ^CsxkrnXGYIi 968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f CN=a CN=a CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,7 +7,7 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_client: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,7 +7,7 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_client: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -7,5 +7,5 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG (empty) 3600.000000 - - - - - XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_client: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX


@ -2,6 +2,7 @@
# @TEST-EXEC: btest-diff ssl.log # @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: touch dpd.log # @TEST-EXEC: touch dpd.log
# @TEST-EXEC: btest-diff dpd.log # @TEST-EXEC: btest-diff dpd.log
# @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl @load base/protocols/ssl
@load base/frameworks/dpd @load base/frameworks/dpd
@ -14,3 +15,7 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
print version, client_random, session_id, ciphers; print version, client_random, session_id, ciphers;
} }
event ssl_extension(c: connection, is_client: bool, code: count, val: string)
{
print is_client, code;
}


@ -12,22 +12,22 @@ event ssl_established(c: connection)
print "Established", c$id$orig_h, c$id$resp_h; print "Established", c$id$orig_h, c$id$resp_h;
} }
event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) event ssl_handshake_message(c: connection, is_client: bool, msg_type: count, length: count)
{ {
print "Handshake", c$id$orig_h, c$id$resp_h, is_orig, msg_type, length; print "Handshake", c$id$orig_h, c$id$resp_h, is_client, msg_type, length;
} }
event ssl_change_cipher_spec(c: connection, is_orig: bool) event ssl_change_cipher_spec(c: connection, is_client: bool)
{ {
print "CCS", c$id$orig_h, c$id$resp_h, is_orig; print "CCS", c$id$orig_h, c$id$resp_h, is_client;
} }
event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) event ssl_plaintext_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
{ {
print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length; print "Plaintext data", c$id$orig_h, c$id$resp_h, is_client, SSL::version_strings[record_version], content_type, length;
} }
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
{ {
print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length; print "Encrypted data", c$id$orig_h, c$id$resp_h, is_client, SSL::version_strings[record_version], content_type, length;
} }


@ -7,12 +7,12 @@ redef SSL::root_certs += {
["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8
\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\
xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64",
}; };
event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) event ssl_stapled_ocsp(c: connection, is_client: bool, response: string)
{ {
local chain: vector of opaque of x509 = vector(); local chain: vector of opaque of x509 = vector();
for ( i in c$ssl$cert_chain ) for ( i in c$ssl$cert_chain )
chain[i] = c$ssl$cert_chain[i]$x509$handle; chain[i] = c$ssl$cert_chain[i]$x509$handle;
print is_orig, |response|; print is_client, |response|;
print x509_ocsp_verify(chain, response, SSL::root_certs); print x509_ocsp_verify(chain, response, SSL::root_certs);
} }


@ -26,7 +26,7 @@ redef record SSL::Info += {
ct_proofs: vector of LogInfo &default=vector(); ct_proofs: vector of LogInfo &default=vector();
}; };
event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) event ssl_extension_signed_certificate_timestamp(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
{ {
print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm;
c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature); c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature);


@ -5,31 +5,31 @@
@load base/protocols/ssl @load base/protocols/ssl
event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec) event ssl_extension_elliptic_curves(c: connection, is_client: bool, curves: index_vec)
{ {
print "Curves", c$id$orig_h, c$id$resp_h; print "Curves", c$id$orig_h, c$id$resp_h;
for ( i in curves ) for ( i in curves )
print SSL::ec_curves[curves[i]]; print SSL::ec_curves[curves[i]];
} }
event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec) event ssl_extension_ec_point_formats(c: connection, is_client: bool, point_formats: index_vec)
{ {
print "Point formats", c$id$orig_h, c$id$resp_h, is_orig; print "Point formats", c$id$orig_h, c$id$resp_h, is_client;
for ( i in point_formats ) for ( i in point_formats )
print SSL::ec_point_formats[point_formats[i]]; print SSL::ec_point_formats[point_formats[i]];
} }
event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec) event ssl_extension_application_layer_protocol_negotiation(c: connection, is_client: bool, protocols: string_vec)
{ {
print "ALPN", c$id$orig_h, c$id$resp_h, protocols; print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
} }
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) event ssl_extension_server_name(c: connection, is_client: bool, names: string_vec)
{ {
print "server_name", c$id$orig_h, c$id$resp_h, names; print "server_name", c$id$orig_h, c$id$resp_h, names;
} }
event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_algorithms: vector of SSL::SignatureAndHashAlgorithm) event ssl_extension_signature_algorithm(c: connection, is_client: bool, signature_algorithms: vector of SSL::SignatureAndHashAlgorithm)
{ {
print "signature_algorithm", c$id$orig_h, c$id$resp_h; print "signature_algorithm", c$id$orig_h, c$id$resp_h;
for ( i in signature_algorithms) for ( i in signature_algorithms)
@ -38,26 +38,26 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_
} }
} }
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
{ {
print "supported_versions", c$id$orig_h, c$id$resp_h; print "supported_versions", c$id$orig_h, c$id$resp_h;
for ( i in versions ) for ( i in versions )
print SSL::version_strings[versions[i]]; print SSL::version_strings[versions[i]];
} }
event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) event ssl_extension_psk_key_exchange_modes(c: connection, is_client: bool, modes: index_vec)
{ {
print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h; print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h;
for ( i in modes ) for ( i in modes )
print modes[i]; print modes[i];
} }
event ssl_extension_pre_shared_key_client_hello(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec) event ssl_extension_pre_shared_key_client_hello(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec)
{ {
print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders; print "pre_shared_key client hello", c$id$orig_h, c$id$resp_h, identities, binders;
} }
event ssl_extension_pre_shared_key_server_hello(c: connection, is_orig: bool, selected_identity: count) event ssl_extension_pre_shared_key_server_hello(c: connection, is_client: bool, selected_identity: count)
{ {
print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity; print "pre_shared_key server hello", c$id$orig_h, c$id$resp_h, selected_identity;
} }


@ -14,8 +14,8 @@
@load base/protocols/ssl @load base/protocols/ssl
event ssl_extension(c: connection, is_orig: bool, code: count, val: string) event ssl_extension(c: connection, is_client: bool, code: count, val: string)
{ {
if ( ! is_orig && code == 43 ) if ( ! is_client && code == 43 )
print bytestring_to_hexstr(val); print bytestring_to_hexstr(val);
} }
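Review bot: The condition `! is_client && code == 43` now encodes a different contract than the old `! is_orig` did, and the test script does not say so; a one-line comment would keep the next reader from reading it as "responder". Since the analyzer now derives the side from the HelloRequest/ClientHello/ServerHello messages rather than from connection originator/responder, `! is_client` means "the TLS server's side" even on a flipped connection (for example DTLS over STUN as the PR description mentions). I would add above the `if`: `# 43 = supported_versions; keep only the server's selection (ServerHello side). is_client, not orig/resp, decides the side now.` Note that the printed value omits is_client, so the baseline alone cannot reveal whether the side was attributed correctly on a flipped connection; printing it alongside the hex string would make a direction regression visible, at the cost of updating the baseline.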


@ -23,9 +23,9 @@
redef SSL::disable_analyzer_after_detection=F; redef SSL::disable_analyzer_after_detection=F;
event ssl_extension_key_share(c: connection, is_orig: bool, curves: index_vec) event ssl_extension_key_share(c: connection, is_client: bool, curves: index_vec)
{ {
print "key_share", c$id, is_orig; print "key_share", c$id, is_client;
for ( i in curves ) for ( i in curves )
{ {
print SSL::ec_curves[curves[i]]; print SSL::ec_curves[curves[i]];
@ -37,9 +37,9 @@ event ssl_established(c: connection)
print "established", c$id; print "established", c$id;
} }
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
{ {
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type; print "encrypted", c$id, is_client, SSL::version_strings[record_version], content_type;
} }
event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5 event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) &priority=5


@ -6,9 +6,9 @@
redef SSL::disable_analyzer_after_detection=F; redef SSL::disable_analyzer_after_detection=F;
event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count) event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
{ {
print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type; print "encrypted", c$id, is_client, SSL::version_strings[record_version], content_type;
} }
event ssl_established(c: connection) event ssl_established(c: connection)
@ -16,7 +16,7 @@ event ssl_established(c: connection)
print "Established!"; print "Established!";
} }
event ssl_probable_encrypted_handshake_message(c: connection, is_orig: bool, length: count) event ssl_probable_encrypted_handshake_message(c: connection, is_client: bool, length: count)
{ {
print "Probable handshake", is_orig, length; print "Probable handshake", is_client, length;
} }