X509 caching: small API changes, tests & test updates

Changed some configuration defaults to potentially more same values. The callback function is now a hook to allow costomization of the events that are raised. Tests now exist. Test baselines are updated.
2025-10-04 23:58:20 +00:00 · 2020-03-11 13:27:56 -07:00 · 2020-03-11 13:27:56 -07:00 · 4b09947f41
commit 4b09947f41
parent 65e99bafed
15 changed files with 227 additions and 92 deletions
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@ -61,10 +61,11 @@ bool file_analysis::X509::EndOfFile()
 				return false;
 			// yup, let's call the callback.

-			val_list vl(1);
+			val_list vl(2);
 			vl.push_back(GetFile()->GetVal()->Ref());
 			vl.push_back(new StringVal(cert_sha256));
-			cache_hit_callback->Call(&vl);
+			Val* v = cache_hit_callback->Call(&vl);
+			Unref(v);
 			return false;
 			}
 		}
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@ -882,6 +882,22 @@ function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
 	return x509_entity_hash(cert_handle, hash_alg, 2);
 	%}

+## This function can be used to set up certificate caching. It has to be passed a table[string] which
+## can contain any type.
+##
+## After this is set up, for each certificate encountered, the X509 analyzer will check if the entry
+## tbl[sha256 of certificate] is set. If this is the case, the X509 analyzer will skip all further
+## processing, and instead just call the callback that is set with
+## zeek:id:`x509_set_certificate_cache_hit_callback`.
+##
+## tbl: Table to use as the certificate cache.
+##
+## Returns: Always returns true.
+##
+## .. note:: The base scripts use this function to set up certificate caching. You should only change the
+##           cache table if you are sure you will not conflict with the base scripts.
+##
+## .. zeek:see:: x509_set_certificate_cache_hit_callback
 function x509_set_certificate_cache%(tbl: string_any_table%) : bool
 	%{
 	file_analysis::X509::SetCertificateCache({NewRef{}, tbl->AsTableVal()});
@ -889,7 +905,18 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool
 	return val_mgr->GetBool(1);
 	%}

-function x509_set_certificate_cache_hit_callback%(f: string_file_function%) : bool
+## This function sets up the callback that is called when an entry is matched against the table set
+## by :zeek:id:`x509_set_certificate_cache`.
+##
+## f: The callback that will be called when encountering a certificate in the cache table.
+##
+## Returns: Always returns true.
+##
+## .. note:: The base scripts use this function to set up certificate caching. You should only change the
+##           callback function if you are sure you will not conflict with the base scripts.
+##
+## .. zeek:see:: x509_set_certificate_cache
+function x509_set_certificate_cache_hit_callback%(f: string_file_hook%) : bool
 	%{
 	file_analysis::X509::SetCertificateCacheHitCallback({NewRef{}, f->AsFunc()});