Remove opaque of ocsp_resp.

Only used in one event, without any way to use the opaque for anything
else. At this point this just seems like a complication that has no
reason to be there.

NEWS

@@ -319,6 +319,11 @@ Changed Functionality
   - logging
     - bro/logs/<stream>
 
+- The ``resp_ref`` argument was removed from the ``ocsp_response_bytes``
+  event. ``resp_ref`` was not used by anything in the codebase and could not be
+  passed to any other functions for further processing. The remainder of the
+	``ocsp_response_bytes`` is unchanged.
+
 Removed Functionality
 ---------------------
 

src/file_analysis/analyzer/x509/OCSP.cc

@@ -175,9 +175,7 @@ bool file_analysis::OCSP::EndOfFile()
 			return false;
 			}
 
-		OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership
-		ParseResponse(resp_val);
-		Unref(resp_val);
+		ParseResponse(resp);
 		}
 
 	return true;
@@ -449,9 +447,8 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 	BIO_free(bio);
 }
 
-void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
+void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	{
-	OCSP_RESPONSE   *resp       = resp_val->GetResp();
 	//OCSP_RESPBYTES  *resp_bytes = resp->responseBytes;
 	OCSP_BASICRESP  *basic_resp = nullptr;
 	OCSP_RESPDATA   *resp_data  = nullptr;
@@ -506,7 +503,6 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 #endif
 
 	vl.append(GetFile()->GetVal()->Ref());
-	vl.append(resp_val->Ref());
 	vl.append(status_val);
 
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
@@ -690,52 +686,3 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 		ParseSignedCertificateTimestamps(ex);
 	}
 
-OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type)
-	{
-	ocsp_resp = arg_ocsp_resp;
-	}
-
-OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type)
-	{
-	ocsp_resp = nullptr;
-	}
-
-OCSP_RESPVal::~OCSP_RESPVal()
-	{
-	if (ocsp_resp)
-		OCSP_RESPONSE_free(ocsp_resp);
-	}
-
-OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
-	{
-	return ocsp_resp;
-	}
-
-IMPLEMENT_OPAQUE_VALUE(OCSP_RESPVal)
-
-broker::data OCSP_RESPVal::DoSerialize() const
-	{
-        unsigned char *buf = NULL;
-        int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
-        if ( length < 0 )
-                return broker::none();
-
-	auto d = std::string(reinterpret_cast<const char*>(buf), length);
-        OPENSSL_free(buf);
-
-	return d;
-	}
-
-bool OCSP_RESPVal::DoUnserialize(const broker::data& data)
-	{
-	if ( caf::get_if<broker::none>(&data) )
-		return false;
-
-	auto s = caf::get_if<std::string>(&data);
-	if ( ! s )
-		return false;
-
-	auto opensslbuf = reinterpret_cast<const unsigned char*>(s->data());
-        ocsp_resp = d2i_OCSP_RESPONSE(NULL, &opensslbuf, s->size());
-	return (ocsp_resp != nullptr);
-	}

src/file_analysis/analyzer/x509/OCSP.h

@@ -5,7 +5,6 @@
 
 #include <string>
 
-#include "OpaqueVal.h"
 #include "../File.h"
 #include "Analyzer.h"
 #include "X509Common.h"
@@ -14,8 +13,6 @@
 
 namespace file_analysis {
 
-class OCSP_RESPVal;
-
 class OCSP : public file_analysis::X509Common {
 public:
 	bool DeliverStream(const u_char* data, uint64 len) override;
@@ -29,7 +26,7 @@ protected:
 	OCSP(RecordVal* args, File* file, bool request);
 
 private:
-	void ParseResponse(OCSP_RESPVal*);
+	void ParseResponse(OCSP_RESPONSE*);
 	void ParseRequest(OCSP_REQUEST*);
 	void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override;
 
@@ -37,19 +34,6 @@ private:
 	bool request = false; // true if ocsp request, false if reply
 };
 
-class OCSP_RESPVal: public OpaqueVal {
-public:
-	explicit OCSP_RESPVal(OCSP_RESPONSE *);
-	~OCSP_RESPVal() override;
-	OCSP_RESPONSE *GetResp() const;
-protected:
-	OCSP_RESPVal();
-
-	DECLARE_OPAQUE_VALUE(OCSP_RESPVal)
-private:
-	OCSP_RESPONSE *ocsp_resp;
-};
-
 }
 
 #endif

src/file_analysis/analyzer/x509/ocsp_events.bif

@@ -52,9 +52,6 @@ event ocsp_response_status%(f: fa_file, status: string%);
 ##
 ## f: The file.
 ##
-## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
-##          OCSP response.
-##
 ## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
 ##
 ## version: Version of the OCSP response (typically - for version 1).
@@ -71,7 +68,7 @@ event ocsp_response_status%(f: fa_file, status: string%);
 ## .. zeek:see:: ocsp_request ocsp_request_certificate ocsp_response_status
 ##              ocsp_response_certificate ocsp_extension
 ##              x509_ocsp_ext_signed_certificate_timestamp
-event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
+event ocsp_response_bytes%(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
 
 ## This event is raised for each SingleResponse contained in an OCSP response.
 ## See :rfc:`6960` for more details on OCSP.

testing/btest/Baseline/broker.opaque/out

@@ -20,7 +20,6 @@
 ============ X509
 [version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 [version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=904651200.0, not_valid_after=1832673600.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
-============ OCSP_RESPVal
 ============ Entropy
 [entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
 [entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]

testing/btest/broker/opaque.zeek

@@ -75,9 +75,6 @@ event zeek_init()
 	print x509_parse(x509);
 	print x509_parse(x5092);
 
-	print "============ OCSP_RESPVal";
-	# TODO: Not sure how to test?
-
 	print "============ Entropy";
 	local handle = entropy_test_init();
 	entropy_test_add(handle, "dh3Hie02uh^s#Sdf9L3frd243h$d78r2G4cM6*Q05d(7rh46f!0|4-f");

testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test

@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}

testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test

@@ -31,7 +31,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}

testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test

@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}

testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test

@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}

testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test

@@ -32,7 +32,7 @@ event ocsp_response_status(f: fa_file, status: string)
 	print "ocsp_response_status", status;
 	}
 
-event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
+event ocsp_response_bytes(f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
 	{
 	print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
 	}