Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 20:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

First (sadly not completely working) approach at caching X509 certificates

Browse source 
This approach mostly relies on script-level changes. In scriptland, we track
which certificates should be cached - and also perform the caching and the
replaying of events there.

This actually is probably nearly functional - the problem is the fact that now
the event ordering is wrong - and file_state_remove is called before the x509
events are thrown.

The fix probably is to move to a callback from the core - which can execute
things in the right order again. (Or just write the whole event-raising inside
the core - but that is both less flexible and a lot more cumbersome).
This commit is contained in:
Johanna Amann 2020-03-06 15:16:52 -08:00
parent 64855dfa0e
commit 0829164a3e
5 changed files with 153 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/file_analysis/analyzer/x509/functions.bif
View file

@ -881,3 +881,10 @@ function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
return x509_entity_hash(cert_handle, hash_alg, 2);
%}
function x509_set_certificate_cache%(tbl: string_any_table%) : bool
%{
file_analysis::X509::SetCertificateCache({NewRef{}, tbl->AsTableVal()});
return val_mgr->GetBool(1);
%}