Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 21:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'topic/johanna/ocsp-sct-validate' of ssh://git.bro.org/bro into topic/johanna/ocsp-sct-validate

Browse source
This commit is contained in:
Johanna Amann 2017-05-14 08:07:18 -07:00
commit 0107ad6c31
3 changed files with 17 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

11
scripts/policy/protocols/ssl/validate-certs.bro
View file

@ -136,17 +136,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result
return result;
}
# The server issues CCS only after sending the certificates. This should
# be more robust than using SSL_established, on the off chance that we don't
# get that event.
#
# This is not TLSv1.3 compatible - but we will not have certificates in
# that case in any way, so it even saves us a few cycles.
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3
hook ssl_finishing(c: connection) &priority=20
{
if ( is_orig )
return;
# If there aren't any certs we can't very well do certificate validation.
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 )

7
scripts/policy/protocols/ssl/validate-sct.bro
View file

@ -84,12 +84,9 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log
c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src);
}
# Priority = 2 will be handled after validation is done
event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2
# Priority = 19 will be handled after validation is done
hook ssl_finishing(c: connection) &priority=19
{
if ( is_orig )
return;
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
return;