From ef5b021e77c04bcb1921b39dbffa975fc9722a4c Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Sun, 27 Apr 2014 00:09:00 -0700 Subject: [PATCH] Polish changes for ecdhe/dhe --- scripts/policy/protocols/ssl/weak-keys.bro | 30 +++++++++---------- src/analyzer/protocol/ssl/ssl-defs.pac | 2 +- src/analyzer/protocol/ssl/ssl-protocol.pac | 4 +-- .../{notice-1.log => notice.log} | 10 +++---- .../policy/protocols/ssl/weak-keys.bro | 3 +- 5 files changed, 24 insertions(+), 25 deletions(-) rename testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/{notice-1.log => notice.log} (55%) diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro index 27cfb31554..f8a7b504b3 100644 --- a/scripts/policy/protocols/ssl/weak-keys.bro +++ b/scripts/policy/protocols/ssl/weak-keys.bro @@ -10,7 +10,7 @@ module SSL; export { redef enum Notice::Type += { ## Indicates that a server is using a potentially unsafe key. - SSL_Weak_Key, + Weak_Key, }; ## The category of hosts you would like to be notified about which have @@ -52,10 +52,10 @@ event ssl_established(c: connection) &priority=3 local key_length = cert$key_length; if ( key_length < notify_minimal_key_length ) - NOTICE([$note=SSL_Weak_Key, + NOTICE([$note=Weak_Key, $msg=fmt("Host uses weak certificate with %d bit key", key_length), - $conn=c, $suppress_for=1day, - $identifier=cat(c$id$orig_h, c$id$orig_p, key_length) + $conn=c, $suppress_for=1day, + $identifier=cat(c$id$orig_h, c$id$orig_p, key_length) ]); } @@ -66,25 +66,25 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri local key_length = |Ys|*8; # key length in bits if ( key_length < notify_minimal_key_length ) - NOTICE([$note=SSL_Weak_Key, - $msg=fmt("Host uses weak DH parameters with %d key bits", key_length), - $conn=c, $suppress_for=1day, - $identifier=cat(c$id$orig_h, c$id$orig_p, key_length) + NOTICE([$note=Weak_Key, + $msg=fmt("Host uses weak DH parameters with %d key bits", key_length), + $conn=c, $suppress_for=1day, + $identifier=cat(c$id$orig_h, c$id$orig_p, key_length) ]); if ( notify_dh_length_shorter_cert_length && c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 && c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type && - ( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" || - c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) ) + ( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" || + c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) ) { if ( c$ssl$cert_chain[0]$x509$certificate?$key_length && c$ssl$cert_chain[0]$x509$certificate$key_length > key_length ) - NOTICE([$note=SSL_Weak_Key, - $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits", - key_length, c$ssl$cert_chain[0]$x509$certificate$key_length), - $conn=c, $suppress_for=1day, - $identifier=cat(c$id$orig_h, c$id$orig_p) + NOTICE([$note=Weak_Key, + $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits", + key_length, c$ssl$cert_chain[0]$x509$certificate$key_length), + $conn=c, $suppress_for=1day, + $identifier=cat(c$id$orig_h, c$id$orig_p) ]); } } diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index a4074443b9..29eb1d1fb9 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac @@ -62,7 +62,7 @@ enum SSLExtensions { }; enum ECCurveType { - EXPLICIT_PRIME = 1, + EXPLICIT_PRIME = 1, EXPLICIT_CHAR = 2, NAMED_CURVE = 3 }; diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index 840aca4b84..af220f39de 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -566,7 +566,7 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher( # We also do not parse the actual signature data following the named curve. type EcServerKeyExchange(rec: SSLRecord) = record { curve_type: uint8; - curve: uint16; # only if curve_type = 3 + curve: uint16; # only if curve_type = 3 (NAMED_CURVE) data: bytestring &restofdata &transient; }; @@ -739,7 +739,7 @@ refine connection SSL_Conn += { function chosen_cipher() : int %{ return chosen_cipher_; %} - function set_cipher(cipher: int64) : bool + function set_cipher(cipher: uint32) : bool %{ chosen_cipher_ = cipher; return true; diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log similarity index 55% rename from testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log rename to testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log index a8784bd8c8..b44fb54b70 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log @@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path notice -#open 2014-04-27-06-41-50 +#open 2014-04-27-07-15-32 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1398558136.542637 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::SSL_Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2014-04-27-06-41-50 +1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.430417 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.542637 CXWv6p3arKYeMETxOg 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2014-04-27-07-15-32 diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro index ba07b6e647..42ef2ecc16 100644 --- a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro +++ b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro @@ -1,6 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT -# @TEST-EXEC: mv notice.log notice-1.log -# @TEST-EXEC: btest-diff notice-1.log +# @TEST-EXEC: btest-diff notice.log @load protocols/ssl/weak-keys