mysql: Recognize when client/server negotiate SSL

This instantiates the SSL analyzer when the client requests SSL
so that Zeek now has a bit more visibility into encrypted MySQL
connections.

The pattern used is the same as in the IMAP, POP or XMPP analyzer.

src/analyzer/protocol/mysql/MySQL.cc

@@ -3,6 +3,7 @@
 #include "zeek/analyzer/protocol/mysql/MySQL.h"
 
 #include "zeek/Reporter.h"
+#include "zeek/analyzer/Manager.h"
 #include "zeek/analyzer/protocol/mysql/events.bif.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
 
@@ -13,6 +14,7 @@ MySQL_Analyzer::MySQL_Analyzer(Connection* c) : analyzer::tcp::TCP_ApplicationAn
 	{
 	interp = new binpac::MySQL::MySQL_Conn(this);
 	had_gap = false;
+	tls_active = false;
 	}
 
 MySQL_Analyzer::~MySQL_Analyzer()
@@ -31,13 +33,34 @@ void MySQL_Analyzer::Done()
 void MySQL_Analyzer::EndpointEOF(bool is_orig)
 	{
 	analyzer::tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+
+	if ( tls_active )
+		ForwardEndOfData(is_orig);
+
 	interp->FlowEOF(is_orig);
 	}
 
+void MySQL_Analyzer::StartTLS()
+	{
+	tls_active = true;
+
+	Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+	if ( ssl )
+		AddChildAnalyzer(ssl);
+	}
+
 void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
+	if ( tls_active )
+		{
+		// If TLS has been initiated, forward to child and
+		// short-circuit further processing
+		ForwardStream(len, data, orig);
+		return;
+		}
+
 	if ( TCP() && TCP()->IsPartial() )
 		return;
 
@@ -60,6 +83,10 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 void MySQL_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
 	analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+	if ( tls_active )
+		ForwardUndelivered(seq, len, orig);
+
 	had_gap = true;
 	interp->NewGap(orig, len);
 	}