TLS: Fix missing IP addresses and better skip of encrypted messages (#…

…5668)

* TLS: Fix missing IP info in some events (#5584)

If no packets are seen from the client, its IP layer info
is not filled. In this case, the IP layer info stored in
the server's stream is used.

* TLS: Fix handling of encrypted messages (#5584)

Before this patch, the connection would only be considered encrypted
after it has switched ciphers in both directions. This caused problems
as encrypted messages can be received from one end of the connection
before the other end has transitioned to encryption.

This patch updates the TLS parser to handle streams individually.

Closes: #5584

packetbeat/protos/tls/tls.go

@@ -133,7 +133,7 @@ func (plugin *tlsPlugin) doParse(
 
 	// Ignore further traffic after the handshake is completed (encrypted connection)
 	// TODO: request/response analysis
-	if conn.handshakeCompleted > 1 {
+	if 0 != conn.handshakeCompleted&(1<<dir) {
 		return conn
 	}
 
@@ -169,8 +169,8 @@ func (plugin *tlsPlugin) doParse(
 			}
 
 		case resultEncrypted:
-			conn.handshakeCompleted++
-			if conn.handshakeCompleted > 1 {
+			conn.handshakeCompleted |= 1 << dir
+			if conn.handshakeCompleted == 3 {
 				plugin.sendEvent(conn)
 			}
 		}
@@ -295,12 +295,17 @@ func (plugin *tlsPlugin) createEvent(conn *tlsConnectionData) beat.Event {
 	src := &common.Endpoint{}
 	dst := &common.Endpoint{}
 
-	if client.tcptuple != nil {
-		src.IP = client.tcptuple.SrcIP.String()
-		src.Port = client.tcptuple.SrcPort
-		dst.IP = client.tcptuple.DstIP.String()
-		dst.Port = client.tcptuple.DstPort
+	tcptuple := client.tcptuple
+	if tcptuple == nil {
+		tcptuple = server.tcptuple
 	}
+	if tcptuple != nil {
+		src.IP = tcptuple.SrcIP.String()
+		src.Port = tcptuple.SrcPort
+		dst.IP = tcptuple.DstIP.String()
+		dst.Port = tcptuple.DstPort
+	}
+
 	if client.cmdlineTuple != nil {
 		src.Proc = string(client.cmdlineTuple.Src)
 		dst.Proc = string(client.cmdlineTuple.Dst)