Commit graph

59 commits

Author SHA1 Message Date
Johanna Amann
34225e83ba Update TLS consts, mainly new named curves.
Add test for X25519Kyber768Draft00 (post-quantum key agreement)
2024-05-23 14:50:36 +01:00
Johanna Amann
ff27eb5a69 SSL: Add new extension types and ECH test
This commit adds a multitude of new extension types that were added in
the last few years; it also adds grease values to extensions, curves,
and ciphersuites.

Furthermore, it adds a test that contains a encrypted-client-hello
key-exchange (which uses several extension types that we do not have in
our baseline so far).
2023-10-30 14:19:16 +00:00
Johanna Amann
527c0dc09f Merge remote-tracking branch 'origin/master' into topic/johanna/dtls13
* origin/master: (35 commits)
  Update doc submodule [nomail] [skip ci]
  Updating submodule(s) [nomail]
  zeek.bif: Add log2() and ceil()
  Use the same rules as cmake submodule to reformat Zeek
  Update cmake submodule after reformat
  Fixup Val.h/Val.cc: Actually move ValFromJSON into zeek::detail
  Implement from_json bif
  Revert "Skip version.h by default for Zeek sources"
  BTest baseline updates for -O gen-C++
  updates to C++ maintenance scripts to better handle uncompilable BTests
  added ZEEK_REPORT_UNCOMPILABLE environment variable for "-O report-uncompilable"
  Skip version.h by default for Zeek sources
  core.network_time.broker: Test reliability improvement
  cluster/supervisor: Multi-logger awareness
  Bump zeek-archiver submodule
  ci: Add public-ecr-vacuum.sh
  Update doc submodule [nomail] [skip ci]
  generate-docs: Only update submodule pointer during scheduled builds
  BTest baseline updates for ZAM
  NTP: Detect out-of-order packets
  ...
2023-05-10 13:02:08 +01:00
Johanna Amann
a8e84c6192 DTLS 1.3: finish implementation, add connection_id extension
This commit adds support for the connection_id extension, adds a trace
that uses DTLS 1.3 connection IDs, and adds parsing for the DTLS 1.3
unified header, in case connection IDs are not used.

In case connection IDs are used, parsing of the DTLS 1.3 unified header
is skipped. This is due to the fact, that the header then contains a
variable length element, with the length of the element not given in the
header. Instead, the length is given in the client/server hello message
of the opposite side of the connection (which we might have missed).

Furthermore, parsing is not of a high importance, since we are not
passing the connection ID, or any of the other parsed values of the
unified header into scriptland.
2023-05-10 11:17:24 +01:00
Johanna Amann
d6c4c510ea Add basic DTLSv1.3 support
DTLSv1.3 changes the DTLS record format, introducing a completely new
header - which is a first for DTLS.

We don't currently completely parse this header, as this requires a bit
more statekeeping. This will be added in a future revision. This also
also has little practical implications.
2023-05-03 16:17:31 +01:00
Johanna Amann
21888a145a SSL: do not try to disable failed analyzer
Currently, if a TLS/DTLS analyzer fails with a protocol violation, we
will still try to remove the analyzer later, which results in the
following error message:

error: connection does not have analyzer specified to disable

Now, instead we don't try removing the analyzer anymore, after a
violation occurred.
2023-05-03 11:16:14 +01:00
Johanna Amann
b56b856da9 SSL/TLS: Parse CertificateRequest message
This commit introduces parsing of the CertificateRequest message in the
TLS handshake. It introduces a new event ssl_certificate_request, as
well as a new function parse_distinguished_name, which can be used to
parse part of the ssl_certificate_request event parameters.

This commit also introduces a new policy script, which appends
information about the CAs a TLS server requests in the
CertificateRequest message, if it sends it.
2023-03-09 09:12:29 +01:00
Johanna Amann
590d4aa13e TLS decryption: add test, fix small issues
Add a test loading keys from an external file. Make some debug messages
slightly better and remove unnecessary debug output.
2022-03-01 17:45:11 +00:00
Johanna Amann
b8b6ac744e Merge remote-tracking branch 'origin/master' into topic/johanna/tls12-decryption 2021-10-13 10:49:29 +01:00
Johanna Amann
e58b03a43f Add policy script suppressing certificate events
The added disable-certificate-events-known-certs.zeek disables repeated
X509 events in SSL connections, given that the connection terminates at
the same server and used the samt SNI as a previously seen connection
with the same certificate.

For people that see significant amounts of TLS 1.2 traffic, this could
reduce the amount of raised events significantly - especially when a
lot of connections are repeat connections to the same servers.

The practical impact of not raising these events is actually very little
- unless a script directly interacts with the x509 events, everything
works as before - the x509 variables in the connection records are still
being set (from the cache).
2021-06-29 11:39:18 +01:00
Florian Wilkens
8c67b9c8fc testing: add ssl/decryption test 2021-06-25 11:05:29 +02:00
Johanna Amann
22ed75c3ce Add one more TLS 1.3 testcase and update NEWS 2020-12-15 16:57:26 +00:00
Jon Siwek
7965dcd041 Convert pcapng test suite files to pcap format
The former isn't supported by default on OpenBSD.
2019-11-08 13:08:06 -08:00
Johanna Amann
86ac468882 support the newer TLS 1.3 key_share extension.
This one adds a separate new case that has to be parsed differently - if
a hello-retry-request is sent, only the namedgroup is sent - without the
additional key material.

Support for the legacy extension is retained.
2019-06-03 14:40:33 +10:00
Johanna Amann
e85a016521 Parse pre-shared-key extension.
No documentation yet...
2019-04-22 23:02:39 +02:00
Johanna Amann
f39efd0317 Recognize TLS 1.3 negotiation correctly.
The way in which TLS 1.3 is negotiated was changed slightly in later
revisions of the standard. The final version is only sent in an
extension - while the version field in the server hello still shows TLS
1.2.

This patch makes ssl.log show the correct version again.
2018-03-27 14:58:06 -07:00
Johanna Amann
94f55532f2 Make parsing of ServerKeyExchange work for D(TLS) < 1.2.
Now we only parse the SignatureAndHashalgorithm field in cases where it
is present. This change also takes care to respect SCTs, which do
include the SignatureAndHashalgorithm in their digitally-signed struct,
even when used in protocol versions that do not have the
SignatureAndHashalgorithm in the protocols digitally-signed struct.

I also added tests to make sure this does indeed work with TLS 1.1 - it
turns out that so far we did not have a single TLS 1.1 pcap.
2017-11-30 12:20:45 -08:00
Johanna Amann
1ede6bf7fe Add TLS 1.3 fix and testcase.
It turns out that Chrome supports an experimental mode to support TLS
1.3, which uses a non-standard way to negotiate TLS 1.3 with a server.
This non-standard way to negotiate TLS 1.3 breaks the current draft RFC
and re-uses an extension on the server-side with a different binary
formatting, causing us to throw a binpac exception.

This patch ignores the extension when sent by the server, continuing to
correctly parse the server_hello reply (as far as possible).

From what I can tell this seems to be google working around the fact
that MITM equipment cannot deal with TLS 1.3 server hellos; this change
makes the fact that TLS 1.3 is used completely opaque unless one looks
into a few extensions.

We currently log this as TLS 1.2.
2017-09-09 22:25:49 -07:00
Johanna Amann
61906fe7fb Merge branch 'topic/johanna/tls13-extensions' into topic/johanna/ocsp-sct-validate 2017-04-05 12:04:15 -07:00
Johanna Amann
0cd0ffed13 SSL: update dpd signature for TLS1.3
The dpd signature missed a few cases that are used for TLS 1.3,
especially when draft versions (which are all that we are seeing at the
moment) are being negotiated.

This fix mostly allows draft versions in the server hello (identified by
7F[version]; since we do not know how many drafts there will be, we are
currently allowing a rather safe upper limit.
2017-04-05 08:58:08 -07:00
Johanna Amann
22b1eda472 SCT: Add signed certificate timestamp validation script.
This also rewrites the certificate validation script (which we need for
this) slightly.

This could need a bit of caching, but should generally work very
reliably.
2017-03-29 09:17:30 -07:00
Johanna Amann
b061a5db1a Merge branch 'topic/johanna/signed_certificate_timestamp' into topic/johanna/ocsp-new 2017-02-10 17:04:50 -08:00
Johanna Amann
dfc871f831 Merge remote-tracking branch 'origin/master' into topic/johanna/ocsp 2017-02-08 10:35:12 -08:00
Johanna Amann
5dd19f84a7 Add parsing of signed certificate timestamps out of X.509 certs.
This is a tiny bit evil because it uses parts of the SSL protocol
analyzer in the X.509 certificate parser. Which is the fault of the
protocol, which replicates the functionality.
2017-02-07 13:31:21 -08:00
Johanna Amann
3882ba6fbf Add support for the signed_certificate_timestamp TLS extension. 2017-02-03 11:23:49 -08:00
Johanna Amann
fdef28ce7c TLS 1.3 support.
Well, at least -draft-16, and we don't quite parse all extensions yet
(not that there is that much left to parse).
2016-10-07 12:51:43 -07:00
Johanna Amann
39bdc397a0 DTLS: Fix interaction with STUN
Now the DTLS analyzer cleanly skips all STUN messages; no warnings
should be logged to dpd.log and parsing should work flawlessly with
intermixed STUN messages.
2016-05-17 16:36:46 -07:00
Johanna Amann
6905984ee7 Merge remote-tracking branch 'origin/master' into topic/johanna/xmpp-starttls 2016-04-29 12:56:12 -07:00
Johanna Amann
124126cabc Merge remote-tracking branch 'origin/master' into topic/johanna/imap-starttls 2016-04-26 12:48:53 -07:00
Johanna Amann
e9a87566ef Fix parsing of x509 pre-y2k dates
There was a bug in the new parsing code, introduced in
708ede22c6 which parses validity times
incorrectly if they are before the year 2000. What happens in this case
is that the 2-digit year will be interpreted to be in the 21st century
(1999 will be parsed as 2099, e.g.).
2016-04-26 12:30:28 -07:00
Johanna Amann
3669b6aa9c Merge remote-tracking branch 'origin/master' into topic/johanna/imap-starttls 2016-04-26 10:52:16 -07:00
Johanna Amann
a88b32ca03 Add testcase for CVE-2015-3194 2016-01-19 14:45:52 -08:00
Robin Sommer
0ba6bec710 Merge remote-tracking branch 'origin/topic/johanna/irc-starttls'
* origin/topic/johanna/irc-starttls:
  StartTLS support for IRC

BIT-1513 #merged
2015-12-18 11:20:59 -08:00
Johanna Amann
da9b5425e4 Merge remote-tracking branch 'origin/master' into topic/johanna/ocsp 2015-12-14 16:05:41 -08:00
Johanna Amann
c7f0945f54 Add missing pcap file for tls dpd test. 2015-10-23 15:04:26 -07:00
Yun Zheng Hu
2327f5bba5 Fixed parsing of V_ASN1_GENERALIZEDTIME timestamps in x509 certificates 2015-09-10 10:50:35 +02:00
Liang Zhu
61f7276c80 parse revocation time and reason in ocsp response 2015-07-31 13:39:25 -07:00
Johanna Amann
5a8eac521c StartTLS support for IRC 2015-07-29 11:47:59 -07:00
Johanna Amann
4a5737708c Basic IMAP StartTLS analyzer.
Parses certificates out of imap connections using StartTLS. Aborts
processing if StartTLS is not found.
2015-07-22 10:35:49 -07:00
Johanna Amann
0b897c70da Add xmpp dpd sig and fix a few parsing problems for connections that do
not upgrade to TLS.
2015-07-21 13:20:35 -07:00
Johanna Amann
574bcb0a51 Add simple XMPP StartTLS analyzer.
This is a very simple XMPP analyzer that basically only can parse the
protocol until the client and server start negotiating a TLS session. At
that point, the TLS analyzer is attached.

While the basic case seems to be working, I fully expect that I missed
something and that this might break in a lot of cases.
2015-07-21 12:18:14 -07:00
Liang Zhu
fc35ab9bf5 add a btest for ocsp http get 2015-07-15 01:30:46 -07:00
Liang Zhu
d1c568663c add btest and fix bug 2015-06-19 09:37:10 -07:00
Johanna Amann
28e6aa9561 Merge remote-tracking branch 'origin/master' into topic/johanna/dtls 2015-03-18 12:25:39 -07:00
Johanna Amann
ba27bb54d4 Implement correct parsing of TLS record fragmentation.
Finally. Our test-case is a >400kb certificate with 10,000 alternative
names. :)
2015-03-11 18:23:08 -07:00
Johanna Amann
038fbf9b9e First step for a DTLS analyzer.
This commit mostly does a lot of refactoring of the current SSL
analyzer, which is split into several parts.

The handshake protocol is completely taken out of the SSL analyzer and
was refactored into its own analyzer (called tls-handshake-analyzer).
This will also (finally) make it possible to deal with TLS record
fragmentation.

Apart from that, the parts of the SSL analyzer that are common to DTLS
were split into their own pac files. Both the SSL analyzer and the (very
basic, mostly nonfunctional) DTLS analyzer use their own pac files and
those shared pac files.

All SSL tests still pass after refactoring so I hope I did not break
anything too badly.

At the moment, we have two different modules in one directory and I
guess the way I am doing this might be an abuse of the system. It seems
to work though...
2015-03-11 15:07:13 -07:00
Johanna Amann
6ab5701ad0 Update certificate validation script - new version will cache valid
intermediate chains that it encounters on the wire and use those to try
to validate chains that might be missing intermediate certificates.

This vastly improves the number of certificates that Bro can validate.
The only drawback is that now validation behavior is not entirely
predictable anymore - the certificate of a server can fail to validate
when Bro just started up (due to the intermediate missing), and succeed
later, when the intermediate can be found in the cache.

Has been tested on big-ish clusters and should not introduce any
performance problems.
2015-03-09 12:46:33 -07:00
Johanna Amann
e48c6ccc4a Do not log common name by default (it is most interesting for scripts)
and add a test case.
2015-03-03 16:38:25 -08:00
Johanna Amann
cd21b7f130 Fix x509 analyzer to correctly return ecdsa as the key_type for ecdsa certs.
Returned dsa so far.

Bug found by Michał Purzyński
2014-11-25 11:18:07 -08:00
Johanna Amann
8f1cbb8b0a Fix ocsp reply validation - there were a few things that definitely were wrong.
Now the right signer certificate for the reply is looked up (and no longer assumed that it is the first one) and a few compares are fixed. Plus - there are more test cases that partially send certificates in the ocsp message and partially do not - and it seems to work fine in all cases.

Addresses BIT-1212
2014-09-04 12:22:55 -07:00