From 02d00a19849d15f472b32a98a8fee27b20f2cb14 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Mon, 27 Nov 2023 20:44:42 +0100
Subject: [PATCH 1/2] OCSP: Open-code unknown revoke reason strings

OpenSSL 3.2.0 knows about more reasons. Add some backwards compatibility.

Reference: https://github.com/openssl/openssl/commit/1c8a7f5091e2c5aebc043be86bcbedc6947e1c6f
---
 src/file_analysis/analyzer/x509/OCSP.cc               | 11 +++++++++++
 .../scripts.base.protocols.ssl.ocsp-revoked/.stdout   |  2 +-
 .../scripts.base.protocols.ssl.ocsp-revoked/ocsp.log  |  2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index c9aca6e070..1d0815812e 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -506,6 +506,17 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp) {
 
             if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) {
                 const char* revoke_reason = OCSP_crl_reason_str(reason);
+
+#if OPENSSL_VERSION_NUMBER < 0x30200000L
+                // OpenSSL 3.2.0 and later return the right strings for
+                // OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN (9) and
+                // OCSP_REVOKED_STATUS_AACOMPROMISE (10).
+                //
+                // For versions older than that, fix it up by hand.
+                if ( (reason == 9 || reason == 10) && zeek::util::streq(revoke_reason, "(UNKNOWN)") ) {
+                    revoke_reason = reason == 9 ? "privilegeWithdrawn" : "aACompromise";
+                }
+#endif
                 rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
             }
             else
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
index 3a3072a5a5..273b216e49 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
@@ -12,7 +12,7 @@ ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XX
 request, 0, 
 request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4
 ocsp_response_status, successful
-ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, (UNKNOWN), XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, privilegeWithdrawn, XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XXXXXXXXXX.XXXXXX, sha1WithRSAEncryption
 request, 0, 
 request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
index 7a5f1b27ba..e0976d0485 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
@@ -9,6 +9,6 @@
 #types	time	string	string	string	string	string	string	time	string	time	time
 XXXXXXXXXX.XXXXXX	Fv1Mrl4zObGy9drLdg	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	010BF45E184C4169AB61B41168DF802E	revoked	XXXXXXXXXX.XXXXXX	superseded	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	F7TCyr1Y6YSyUVOW5	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	013D34BFD6348EBA231D6925768ACD87	revoked	XXXXXXXXXX.XXXXXX	unspecified	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX	FmK7Wj1W7PV2RclIig	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	0150C0C06D53F9D39205D84EFB5F2BA4	revoked	XXXXXXXXXX.XXXXXX	(UNKNOWN)	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	FmK7Wj1W7PV2RclIig	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	0150C0C06D53F9D39205D84EFB5F2BA4	revoked	XXXXXXXXXX.XXXXXX	privilegeWithdrawn	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	FfpvoO3DJXnAcoNnp4	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	017447CB30072EE15B9C1B057B731C5A	revoked	XXXXXXXXXX.XXXXXX	keyCompromise	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 #close XXXX-XX-XX-XX-XX-XX

From 2284ad4b85f8e1812426dbee5cabbb5021327e80 Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Tue, 28 Nov 2023 00:11:35 +0000
Subject: [PATCH 2/2] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 35b5d2daf1..58bcac3d97 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 35b5d2daf1578d00eae08012b83d3b59f71d00e4
+Subproject commit 58bcac3d97bacd2bcb55feb5488893094ed4f6d1