Merge remote-tracking branch 'origin/topic/bernhard/even-more-ssl-changes'

Good stuff! (but I admit I didn't look at the OpenSSL code too closely :) * origin/topic/bernhard/even-more-ssl-changes: small test update & script fix update baselines & add ocsp leak check Add policy script adding ocsp validation to ssl.log Implement verification of OCSP replies. Add tls flag to smtp.log. Will be set if a connection switched to startls. add starttls support for pop3 Add smtp starttls support Replace errors when parsing x509 certs with weirds (as requested by Seth). move tls content types from heartbleed to consts.bro. Seems better to put them there... Add new features from other branch to the heartbleed-detector (and clean them up). Let TLS analyzer fail better when no longer in sync with the data stream. The version field in each record-layer packet is now re-checked. BIT-1190 #merged Conflicts: testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
2025-10-11 11:08:20 +00:00 · 2014-05-16 14:38:31 -07:00 · 2014-05-16 14:38:31 -07:00 · ed4cd9352a
commit ed4cd9352a
parent 8c3cf8921a e749f17821
46 changed files with 880 additions and 254 deletions
--- a/scripts/base/protocols/smtp/files.bro
+++ b/scripts/base/protocols/smtp/files.bro
@ -41,13 +41,13 @@ function describe_file(f: fa_file): string

 event bro_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_SMTP, 
+	Files::register_protocol(Analyzer::ANALYZER_SMTP,
 	                         [$get_file_handle = SMTP::get_file_handle,
 	                          $describe        = SMTP::describe_file]);
 	}

 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
-	if ( c?$smtp )
+	if ( c?$smtp && !c$smtp$tls )
 		c$smtp$fuids[|c$smtp$fuids|] = f$id;
 	}
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@ -49,7 +49,9 @@ export {
 		path:              vector of addr  &log &optional;
 		## Value of the User-Agent header from the client.
 		user_agent:        string          &log &optional;
-		
+
+		## Indicates that the connection has switched to using TLS.
+		tls:               bool            &log &default=F;
 		## Indicates if the "Received: from" headers should still be
 		## processed.
 		process_received_from: bool        &default=T;
@ -276,6 +278,12 @@ event connection_state_remove(c: connection) &priority=-5
 		smtp_message(c);
 	}

+event smtp_starttls(c: connection) &priority=5
+	{
+	if ( c?$smtp )
+		c$smtp$tls = T;
+	}
+
 function describe(rec: Info): string
 	{
 	if ( rec?$mailfrom && rec?$rcptto )
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@ -15,6 +15,17 @@ export {
 		[TLSv12] = "TLSv12",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };

+	## TLS content types:
+	const CHANGE_CIPHER_SPEC = 20;
+	const ALERT = 21;
+	const HANDSHAKE = 22;
+	const APPLICATION_DATA = 23;
+	const HEARTBEAT = 24;
+	const V2_ERROR = 300;
+	const V2_CLIENT_HELLO = 301;
+	const V2_CLIENT_MASTER_KEY = 302;
+	const V2_SERVER_HELLO = 304;
+
 	## Mapping between numeric codes and human readable strings for alert
 	## levels.
 	const alert_levels: table[count] of string = {