Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 18:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

potentially fix a memory problem ocsp-measurement

Browse source
This commit is contained in:
Liang Zhu 2015-07-09 11:56:58 -07:00
parent 535525e283
commit 406fec9ef4
1 changed files with 17 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

37
scripts/policy/protocols/ssl/ocsp-measurement.bro
View file

@ -88,14 +88,10 @@ export {
## the time when SSL connection is established ## the time when SSL connection is established
ssl_establish_ts: time &log &optional; ssl_establish_ts: time &log &optional;
};
## - map to OCSP_MEASUREMENT::Info ## the time when event connection_state_remove happens
## - indexed by source ip(addr), ocsp uri(string), issuer name ssl_end_ts: time &log &optional;
## hash(string), serialNumber(string) };
## - is it possible server sends two same certificate? To be
## safe, let's use a queue to store OCSP_MEASUREMENT::Info
type OCSP_Mapping: table[addr, string, string, string] of Queue::Queue &optional &read_expire=5mins;
## a group of constant string for hash algorithm ## a group of constant string for hash algorithm
## to save memory, remove any unseen hash algorithm ## to save memory, remove any unseen hash algorithm
@ -110,8 +106,12 @@ export {
global ocsp_info_add: event(c: connection); global ocsp_info_add: event(c: connection);
} }
# by different hash algorithm, OCSP_Mapping ## - map to OCSP_MEASUREMENT::Info
global ocsp_map: table[string] of OCSP_MEASUREMENT::OCSP_Mapping; ## - indexed by hash algorithm(string), source ip(addr), ocsp
## uri(string), issuer name hash(string), serialNumber(string)
## - is it possible server sends two same certificate? To be
## safe, let's use a queue to store OCSP_MEASUREMENT::Info
global ocsp_map: table[string, addr, string, string, string] of Queue::Queue &read_expire=6mins;
# track number of ocsp requests in this connection # track number of ocsp requests in this connection
redef record connection += { redef record connection += {
@ -281,10 +281,10 @@ function fill_ocsp_info(c: connection)
local h = cert_id$hashAlgorithm; local h = cert_id$hashAlgorithm;
local src_ip: addr = c$id$orig_h; local src_ip: addr = c$id$orig_h;
if ( [src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map[h] ) if ( [h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map )
ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init();
Queue::put(ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); Queue::put(ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info);
} }
} }
@ -454,12 +454,12 @@ event connection_state_remove(c: connection) &priority= -20
local h = hash_algorithm[i]; local h = hash_algorithm[i];
for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] )
{ {
if ( [src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map[h] ) if ( [h, src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map )
{ {
# find a ocsp to ssl match # find a ocsp to ssl match
local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]); local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]);
if (Queue::len(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) if (Queue::len(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]) == 0)
delete ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]; delete ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number];
local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]);
if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0)
delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number];
@ -468,6 +468,7 @@ event connection_state_remove(c: connection) &priority= -20
ocsp_info$ssl_cid = c$id; ocsp_info$ssl_cid = c$id;
ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts;
ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts;
ocsp_info$ssl_end_ts = network_time();
Log::write(LOG, ocsp_info); Log::write(LOG, ocsp_info);
} }
} }
@ -476,9 +477,5 @@ event connection_state_remove(c: connection) &priority= -20
event bro_init() event bro_init()
{ {
# initialize ocsp_map
for (i in hash_algorithm)
ocsp_map[hash_algorithm[i]] = table();
Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]);
} }