add optional logging for parsed ocsp stapling message

2025-10-07 00:58:19 +00:00 · 2015-07-02 14:23:38 -07:00 · 2015-07-02 14:23:38 -07:00 · 386a5b811d
commit 386a5b811d
parent 2743966fcc
3 changed files with 150 additions and 1 deletions
--- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt
+++ b/src/file_analysis/analyzer/ocsp/CMakeLists.txt
@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}

 bro_plugin_begin(Bro OCSP)
 bro_plugin_cc(OCSP.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif)
+bro_plugin_bif(events.bif types.bif functions.bif)
 bro_plugin_end()
--- a/src/file_analysis/analyzer/ocsp/functions.bif
+++ b/src/file_analysis/analyzer/ocsp/functions.bif
@ -0,0 +1,36 @@
+%%{
+#include "file_analysis/analyzer/ocsp/OCSP.h"
+#include "types.bif.h"
+%%}
+
+## Parses a OCSP response into an OCSP::Response structure.
+##
+## ocsp_reply: OCSP data.
+##
+## Returns: A OCSP::Response structure.
+##
+## .. bro:see:: ssl_stapled_ocsp
+function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response
+        %{
+	const unsigned char* start = ocsp_reply->Bytes();
+	OCSP_RESPONSE *resp = NULL;
+	file_analysis::OCSP_RESPVal* resp_val = NULL;
+	RecordVal* resp_record = NULL;
+	resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len());
+	if ( ! resp )
+		{
+		reporter->Weird("OPENSSL Could not parse OCSP response");
+		return NULL;
+		}
+	resp_val = new file_analysis::OCSP_RESPVal(resp);
+	resp_record = file_analysis::OCSP::ParseResponse(resp_val);
+	if (!resp_record)
+		{
+		reporter->Weird("Internal fail to parse OCSP response");
+		Unref(resp_val);
+		return NULL;
+		}
+	Unref(resp_val);
+	//Unref(resp_record);
+	return resp_record;
+	%}