This commit mostly does a lot of refactoring of the current SSL
analyzer, which is split into several parts.
The handshake protocol is completely taken out of the SSL analyzer and
was refactored into its own analyzer (called tls-handshake-analyzer).
This will also (finally) make it possible to deal with TLS record
fragmentation.
Apart from that, the parts of the SSL analyzer that are common to DTLS
were split into their own pac files. Both the SSL analyzer and the (very
basic, mostly nonfunctional) DTLS analyzer use their own pac files and
those shared pac files.
All SSL tests still pass after refactoring so I hope I did not break
anything too badly.
At the moment, we have two different modules in one directory and I
guess the way I am doing this might be an abuse of the system. It seems
to work though...
intermediate chains that it encounters on the wire and use those to try
to validate chains that might be missing intermediate certificates.
This vastly improves the number of certificates that Bro can validate.
The only drawback is that now validation behavior is not entirely
predictable anymore - the certificate of a server can fail to validate
when Bro just started up (due to the intermediate missing), and succeed
later, when the intermediate can be found in the cache.
Has been tested on big-ish clusters and should not introduce any
performance problems.
Basically, at least some rdp certificates specify a completely invalid
and nonsensical value for theyr key type. OpenSSL does not like this and
refuses to parse the key in this case. With this change, we detect this
case and special-case it, hinting to OpenSSL what kind of key we have.
This gives us additional information that we would not have otherwhise
in the log file (like key length and the exponent).
For testing data store queries, when statements may not work well if
time stops advancing e.g. due to lack of input sources, so try to
workaround by reading a trace file in unit test.
- New fields for certificate type, number of certificates,
if certificates are permanent on the server, and the selected
security protocol.
- Fixed some issues with X.509 certificate handling over RDP
(the event handler wasn't sufficiently constrained).
- Better detection of and transition into encrypted mode. No more
binpac parse failures from the test traces anymore!
- Some event name clean up and new events.
- X.509 Certificate chains are now handled correctly (was only grabbing
a single certificate).
- More data pulled into scriptland.
- Logs expanded with client screen resolution and desired color depth.
- Values in UTF-16 on the wire are converted to UTF-8 before being
sent to scriptland.
- If the RDP turns into SSL records, we now pass data that appears
to be SSL to the PIA analyzer.
- If RDP uses native encryption with X.509 certs we pass those
certs to the files framework and the base scripts pass them forward
to the X.509 analyzer.
- Lots of cleanup and adjustment to fit the documented protocol
a bit better.
- Cleaned up the DPD signatures.
- Moved to flowunit instead of datagram.
- Added tests.
* origin/topic/gilbert/plugin-api-tweak:
Updating plugin.hooks baseline so that test succeeds
Revert spacing change that shouldn't have been included with the previous changeset ... should fix all of the plugin tests save hooks, which needs to be updated.
More small fixes
Small fixes
Incremental
Re-updating plugin.hooks test to include new argument output (after merge).
Fixing logic errors in HandlePluginResult
Updating tests and tweaking HookArgument to include Frame support.
Incremental commit: implementing a wrapper for the Val class.
Reverting change to const status of network_time. Also, see FIXME: in Func.cc / HandlePluginResult ...
Tweaks to result handling to make things a little more sane.
Plugin API: minor change (adding parent frame) to support calling methods from hook. Also declare network time update argument to be const because good practice.
BIT-1270 #merged
Conflicts:
testing/btest/Baseline/plugins.hooks/output
* origin/topic/johanna/ssl-policy:
Extend the weak-keys policy file to also alert when encountering ssl connections with old versions as well as unsafe cipher suites.
BIT-1321 #merged
ssl connections with old versions as well as unsafe cipher suites.
Also make the notice suppression handling of other ssl policy files
a tad more robust.
* origin/fastpath:
Crashing bug in WriterBackend when deserializing WriterInfo where config is present. Testcase crashes on unpatched versions of Bro.
Fix wrong value test in WriterBackend. Found by Aaron Eppert (aeppert@gmail.com)
is present. Testcase crashes on unpatched versions of Bro.
Found by Aaron Eppert <aeppert@gmail.com>.
This (probably) fixes the crash issue with sqlite a few people have
reported on the mailing list in the past.
The init-plugin scripts now expects a destination directory. Normally
that would be a new subdirectory, but for the tests to keep working we
can also put it right into the current directory.
- Rename event "socks_login_userpass" to "socks_login_userpass_request"
- Rename event "socks_login_reply" to "socks_login_userpass_reply"
- Split unsupported authN weird into 2 types: method vs. version
Addresses BIT-1011
Later, this might be something btest itself could provide to help
parallelize communication tests. E.g. unit tests requests a unique
number from some range and btest coordinates the distribution of those
among all tests.
