Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

SSL/GH-2211: Address review feedback, remove USE_FLIPPED

Browse source 
It turns out that we can just do this by using an argument.
This commit is contained in:
Johanna Amann 2022-07-05 13:23:18 +01:00
parent e14eddeb97
commit 2315d0344a
4 changed files with 5 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/analyzer/protocol/ssl/proc-certificate.pac
View file

@ -1,20 +1,12 @@
function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool function proc_certificate(is_orig: bool, is_flipped: bool, certificates : bytestring[]) : bool
%{ %{
if ( certificates->size() == 0 ) if ( certificates->size() == 0 )
return true; return true;
// this has to execute in both contexts, ssl and tls-handshake. In one we have flipped_,
// in the other we have ssl_analyzer()->GetFlipped(). And in both cases the other case
// does not work (and cannot be made to work easily).
#ifndef USE_FLIPPED
bool flipped_ = zeek_analyzer()->GetFlipped();
#endif
zeek::ODesc common; zeek::ODesc common;
common.AddRaw("Analyzer::ANALYZER_SSL"); common.AddRaw("Analyzer::ANALYZER_SSL");
common.Add(zeek_analyzer()->Conn()->StartTime()); common.Add(zeek_analyzer()->Conn()->StartTime());
common.AddRaw(is_orig ^ flipped_ ? "T" : "F", 1); common.AddRaw(is_orig ^ is_flipped ? "T" : "F", 1);
zeek_analyzer()->Conn()->IDString(&common); zeek_analyzer()->Conn()->IDString(&common);
static const string user_mime = "application/x-x509-user-cert"; static const string user_mime = "application/x-x509-user-cert";
@ -39,7 +31,7 @@ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), zeek_analyzer()->GetAnalyzerTag(), cert.length(), zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), is_orig ^ flipped_, zeek_analyzer()->Conn(), is_orig ^ is_flipped,
file_id, i == 0 ? user_mime : ca_mime); file_id, i == 0 ? user_mime : ca_mime);
zeek::file_mgr->EndOfFile(file_id); zeek::file_mgr->EndOfFile(file_id);
} }

2
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -103,7 +103,7 @@ refine connection SSL_Conn += {
function proc_v2_certificate(is_orig: bool, cert : bytestring) : bool function proc_v2_certificate(is_orig: bool, cert : bytestring) : bool
%{ %{
vector<bytestring>* cert_list = new vector<bytestring>(1,cert); vector<bytestring>* cert_list = new vector<bytestring>(1,cert);
bool ret = proc_certificate(is_orig, cert_list); bool ret = proc_certificate(is_orig, zeek_analyzer()->GetFlipped(), cert_list);
delete cert_list; delete cert_list;
return ret; return ret;
%} %}

2
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
View file

@ -377,7 +377,7 @@ refine connection Handshake_Conn += {
std::transform(certs->begin(), certs->end(), std::transform(certs->begin(), certs->end(),
std::back_inserter(*cert_list), extract_certs()); std::back_inserter(*cert_list), extract_certs());
bool ret = proc_certificate(is_orig, cert_list); bool ret = proc_certificate(is_orig, flipped_, cert_list);
delete cert_list; delete cert_list;
return ret; return ret;
%} %}

1
src/analyzer/protocol/ssl/tls-handshake.pac
View file

@ -8,7 +8,6 @@
#include "zeek/analyzer/protocol/ssl/types.bif.h" #include "zeek/analyzer/protocol/ssl/types.bif.h"
#include "zeek/analyzer/protocol/ssl/events.bif.h" #include "zeek/analyzer/protocol/ssl/events.bif.h"
#define USE_FLIPPED
%} %}
analyzer TLSHandshake withcontext { analyzer TLSHandshake withcontext {