Polish changes for ecdhe/dhe

scripts/policy/protocols/ssl/weak-keys.bro

@@ -10,7 +10,7 @@ module SSL;
 export {
 	redef enum Notice::Type += {
 		## Indicates that a server is using a potentially unsafe key.
-		SSL_Weak_Key,
+		Weak_Key,
 	};
 
 	## The category of hosts you would like to be notified about which have
@@ -52,10 +52,10 @@ event ssl_established(c: connection) &priority=3
 	local key_length = cert$key_length;
 
 	if ( key_length < notify_minimal_key_length )
-		NOTICE([$note=SSL_Weak_Key,
+		NOTICE([$note=Weak_Key,
 		  $msg=fmt("Host uses weak certificate with %d bit key", key_length),
-			$conn=c, $suppress_for=1day,
-			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		  $conn=c, $suppress_for=1day,
+		  $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
 		]);
 	}
 
@@ -66,25 +66,25 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
 
 	local key_length = |Ys|*8; # key length in bits
 	if ( key_length < notify_minimal_key_length )
-		NOTICE([$note=SSL_Weak_Key,
-			$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
-			$conn=c, $suppress_for=1day,
-			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		NOTICE([$note=Weak_Key,
+		  $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
+		  $conn=c, $suppress_for=1day,
+		  $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
 		]);
 
 	if ( notify_dh_length_shorter_cert_length &&
 	  c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
 	  c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type &&
-		( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
-		  c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
+	  ( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
+	    c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
 		{
 		if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
 		  c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
-			NOTICE([$note=SSL_Weak_Key,
-				$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
-				key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
-				$conn=c, $suppress_for=1day,
-				$identifier=cat(c$id$orig_h, c$id$orig_p)
+			NOTICE([$note=Weak_Key,
+			  $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
+			  key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
+			  $conn=c, $suppress_for=1day,
+			  $identifier=cat(c$id$orig_h, c$id$orig_p)
 			]);
 		}
 	}

src/analyzer/protocol/ssl/ssl-defs.pac

@@ -62,7 +62,7 @@ enum SSLExtensions {
 };
 
 enum ECCurveType {
-  EXPLICIT_PRIME = 1,
+	EXPLICIT_PRIME = 1,
 	EXPLICIT_CHAR = 2,
 	NAMED_CURVE = 3
 };

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -566,7 +566,7 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 # We also do not parse the actual signature data following the named curve.
 type EcServerKeyExchange(rec: SSLRecord) = record {
 	curve_type: uint8;
-	curve: uint16; # only if curve_type = 3
+	curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
 	data: bytestring &restofdata &transient;
 };
 
@@ -739,7 +739,7 @@ refine connection SSL_Conn += {
 
 	function chosen_cipher() : int %{ return chosen_cipher_; %}
 
-	function set_cipher(cipher: int64) : bool
+	function set_cipher(cipher: uint32) : bool
 		%{
 		chosen_cipher_ = cipher;
 		return true;

testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log

@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-04-27-06-41-50
+#open	2014-04-27-07-15-32
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
-1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-#close	2014-04-27-06-41-50
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+#close	2014-04-27-07-15-32

testing/btest/scripts/policy/protocols/ssl/weak-keys.bro

@@ -1,6 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
-# @TEST-EXEC: mv notice.log notice-1.log
-# @TEST-EXEC: btest-diff notice-1.log
+# @TEST-EXEC: btest-diff notice.log
 
 @load protocols/ssl/weak-keys