diff --git a/NEWS b/NEWS
index c2d0411e25..ac4bfa3c07 100644
--- a/NEWS
+++ b/NEWS
@@ -319,6 +319,11 @@ Changed Functionality
 - logging
 - bro/logs/
 
+- The ``resp_ref`` argument was removed from the ``ocsp_response_bytes``
+ event. ``resp_ref`` was not used by anything in the codebase and could not be
+ passed to any other functions for further processing. The remainder of the
+ ``ocsp_response_bytes`` is unchanged.
+
 Removed Functionality
 ---------------------
 
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index 269126c9d9..69898143ce 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -175,9 +175,7 @@ bool file_analysis::OCSP::EndOfFile()
 return false;
 }
 
-OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership
-ParseResponse(resp_val);
-Unref(resp_val);
+ParseResponse(resp);
 }
 
 return true;
@@ -449,9 +447,8 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 BIO_free(bio);
 }
 
-void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
+void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 {
-OCSP_RESPONSE *resp = resp_val->GetResp();
 //OCSP_RESPBYTES *resp_bytes = resp->responseBytes;
 OCSP_BASICRESP *basic_resp = nullptr;
 OCSP_RESPDATA *resp_data = nullptr;
@@ -506,7 +503,6 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 #endif
 
 vl.append(GetFile()->GetVal()->Ref());
-vl.append(resp_val->Ref());
 vl.append(status_val);
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
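Review bot: The new `ParseResponse(resp);` in the `@@ -175` hunk drops the only release of `resp`: the deleted `OCSP_RESPVal` wrapper's destructor (removed further down in this file) was what called `OCSP_RESPONSE_free`, and nothing on the new side frees the `OCSP_RESPONSE` that `resp` points to, so every parsed response is leaked unless `ParseResponse` now frees its argument internally, which its visible part does not show and the old design argues against. For a long-running sensor that parses untrusted OCSP responses this is a steady memory drain, so add `OCSP_RESPONSE_free(resp);` directly after `ParseResponse(resp);`. `EndOfFile()` begins before the hunk. Separately, the deleted constructors referenced `ocsp_resp_opaque_type`, which this diff does not touch; if that type is still declared elsewhere it is now unused.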
@@ -690,52 +686,3 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 ParseSignedCertificateTimestamps(ex);
 }
 
-OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type)
-{
-ocsp_resp = arg_ocsp_resp;
-}
-
-OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type)
-{
-ocsp_resp = nullptr;
-}
-
-OCSP_RESPVal::~OCSP_RESPVal()
-{
-if (ocsp_resp)
-OCSP_RESPONSE_free(ocsp_resp);
-}
-
-OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
-{
-return ocsp_resp;
-}
-
-IMPLEMENT_OPAQUE_VALUE(OCSP_RESPVal)
-
-broker::data OCSP_RESPVal::DoSerialize() const
-{
-unsigned char *buf = NULL;
-int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
-if ( length < 0 )
-return broker::none();
-
-auto d = std::string(reinterpret_cast(buf), length);
-OPENSSL_free(buf);
-
-return d;
-}
-
-bool OCSP_RESPVal::DoUnserialize(const broker::data& data)
-{
-if ( caf::get_if(&data) )
-return false;
-
-auto s = caf::get_if(&data);
-if ( ! s )
-return false;
-
-auto opensslbuf = reinterpret_cast(s->data());
-ocsp_resp = d2i_OCSP_RESPONSE(NULL, &opensslbuf, s->size());
-return (ocsp_resp != nullptr);
-}
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
index 4f706b8f64..c2cc0f6e5d 100644
--- a/src/file_analysis/analyzer/x509/OCSP.h
+++ b/src/file_analysis/analyzer/x509/OCSP.h
@@ -5,7 +5,6 @@
 #include
 
-#include "OpaqueVal.h"
 #include "../File.h"
 #include "Analyzer.h"
 #include "X509Common.h"
 
@@ -14,8 +13,6 @@
 
 namespace file_analysis {
 
-class OCSP_RESPVal;
-
 class OCSP : public file_analysis::X509Common {
 public:
 bool DeliverStream(const u_char* data, uint64 len) override;
@@ -29,7 +26,7 @@ protected:
 OCSP(RecordVal* args, File* file, bool request);
 
 private:
-void ParseResponse(OCSP_RESPVal*);
+void ParseResponse(OCSP_RESPONSE*);
 void ParseRequest(OCSP_REQUEST*);
 void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override;
 
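Review bot: The new `void ParseResponse(OCSP_RESPONSE*);` declaration in the `@@ -29` hunk of OCSP.h says nothing about who owns the pointer, and with the self-freeing `OCSP_RESPVal` wrapper gone that contract now lives only in the callers' heads. A trailing comment such as `void ParseResponse(OCSP_RESPONSE*); // borrowed: caller keeps ownership and frees it` (or the opposite, if the implementation is meant to free it) would pin it down for the next maintainer. The class body continues beyond the hunk.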
@@ -37,19 +34,6 @@ private:
 bool request = false; // true if ocsp request, false if reply
 };
 
-class OCSP_RESPVal: public OpaqueVal {
-public:
-explicit OCSP_RESPVal(OCSP_RESPONSE *);
-~OCSP_RESPVal() override;
-OCSP_RESPONSE *GetResp() const;
-protected:
-OCSP_RESPVal();
-
-DECLARE_OPAQUE_VALUE(OCSP_RESPVal)
-private:
-OCSP_RESPONSE *ocsp_resp;
-};
-
 }
 
 #endif
diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
index 564126b2bb..fe17344490 100644
--- a/src/file_analysis/analyzer/x509/ocsp_events.bif
+++ b/src/file_analysis/analyzer/x509/ocsp_events.bif
@@ -52,9 +52,6 @@ event ocsp_response_status%(f: fa_file, status: string%);
 ##
 ## f: The file.
 ##
-## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
-## OCSP response.
-##
 ## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
 ##
 ## version: Version of the OCSP response (typically - for version 1).
@@ -71,7 +68,7 @@ event ocsp_response_status%(f: fa_file, status: string%);
 ## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
 ## ocsp_response_certificate ocsp_extension
 ## x509_ocsp_ext_signed_certificate_timestamp
-event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
+event ocsp_response_bytes%(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
 
 ## This event is raised for each SingleResponse contained in an OCSP response.
 ## See :rfc:`6960` for more details on OCSP.
diff --git a/testing/btest/Baseline/broker.opaque/out b/testing/btest/Baseline/broker.opaque/out
index 4582e8dc2b..35bf821c47 100644
--- a/testing/btest/Baseline/broker.opaque/out
+++ b/testing/btest/Baseline/broker.opaque/out
@@ -20,7 +20,6 @@
 ============ X509
 [version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=]
 [version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=]
-============ OCSP_RESPVal
 ============ Entropy
 [entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
 [entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
diff --git a/testing/btest/broker/opaque.zeek b/testing/btest/broker/opaque.zeek
index bddd68e0be..e0a3bef6c7 100644
--- a/testing/btest/broker/opaque.zeek
+++ b/testing/btest/broker/opaque.zeek
@@ -75,9 +75,6 @@ event zeek_init()
 print x509_parse(x509);
 print x509_parse(x5092);
 
-print "============ OCSP_RESPVal";
-# TODO: Not sure how to test?
-
 print "============ Entropy";
 local handle = entropy_test_init();
 entropy_test_add(handle, "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f");
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
index 747c1a667c..6b4b034c69 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 print "ocsp_response_status", status;
 }
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 {
 print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
index 348da52f96..5106a17c75 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test
@@ -31,7 +31,7 @@ event ocsp_response_status(f: fa_file, status: string)
 print "ocsp_response_status", status;
 }
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 {
 print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
index 1942b57bad..67f62e451d 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 print "ocsp_response_status", status;
 }
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 {
 print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
index 871ac59a34..568915d7aa 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 print "ocsp_response_status", status;
 }
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 {
 print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
index 5f5f1486ea..e26bae59a5 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 print "ocsp_response_status", status;
 }
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 {
 print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 }