OCSP: split into two analysers in scriptland.

Instead of having an additional string argument specifying if we are
sending a request or a reply, we now have an ANALYZER_OCSP_REQUEST and
an ANALYZER_OCSP_REPLY

src/file_analysis/analyzer/x509/OCSP.cc

@@ -74,21 +74,19 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio)
 	BIO_reset(bio);
 	}
 
-file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file)
+file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file)
 	{
-	Val* ocsp_type = get_ocsp_type(args, "ocsp_type");
-
-	if (! ocsp_type )
-		return 0;
-
-	return new OCSP(args, file, ocsp_type->AsString()->CheckString());
+	return new OCSP(args, file, true);
 	}
 
-file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type)
-	: file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file)
+file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file)
+	{
+	return new OCSP(args, file, false);
+	}
+
+file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request)
+	: file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request)
 	{
-	ocsp_type = arg_ocsp_type;
-	ocsp_data.clear();
 	}
 
 bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len)
@@ -108,7 +106,7 @@ bool file_analysis::OCSP::EndOfFile()
 	{
 	const unsigned char* ocsp_char = reinterpret_cast<const unsigned char*>(ocsp_data.data());
 
-	if (ocsp_type == "request")
+	if ( request )
 		{
 		OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size());
 
@@ -121,7 +119,7 @@ bool file_analysis::OCSP::EndOfFile()
 		ParseRequest(req, GetFile()->GetID().c_str());
 		OCSP_REQUEST_free(req);
 		}
-	else if (ocsp_type == "response")
+	else
 		{
 		OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size());
 		if (!resp)
@@ -134,11 +132,6 @@ bool file_analysis::OCSP::EndOfFile()
 		ParseResponse(resp_val, GetFile()->GetID().c_str());
 		Unref(resp_val);
 		}
-	else
-		{
-	  reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str()));
-		return false;
-		}
 
 	return true;
 }

src/file_analysis/analyzer/x509/OCSP.h

@@ -23,18 +23,18 @@ public:
 	virtual bool Undelivered(uint64 offset, uint64 len);
 	virtual bool EndOfFile();
 
-
-	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
+	static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file);
+	static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file);
 
 protected:
-	OCSP(RecordVal* args, File* file, const string& ocsp_type);
+	OCSP(RecordVal* args, File* file, bool request);
 
 private:
 	void ParseResponse(OCSP_RESPVal *, const char* fid = 0);
 	void ParseRequest(OCSP_REQUEST *, const char* fid = 0);
 
 	std::string ocsp_data;
-	std::string ocsp_type;
+	bool request = false; // true if ocsp request, false if reply
 };
 
 class OCSP_RESPVal: public OpaqueVal {

src/file_analysis/analyzer/x509/Plugin.cc

@@ -14,7 +14,8 @@ public:
 	plugin::Configuration Configure()
 		{
 		AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
-		AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate));
+		AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest));
+		AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply));
 
 		plugin::Configuration config;
 		config.name = "Bro::X509";