From 545848d9067c9ce35e8825961ce82943d3c945ff Mon Sep 17 00:00:00 2001
From: Liang Zhu
Date: Wed, 8 Jul 2015 14:11:14 -0700
Subject: [PATCH] add parameter 'status_type' to event ssl_stapled_ocsp
---
 scripts/policy/protocols/ssl/ocsp-stapling.bro | 2 +-
 scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +-
 src/analyzer/protocol/ssl/events.bif | 4 +++-
 src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 3 ++-
 testing/btest/core/leaks/x509_ocsp_verify.bro | 2 +-
 testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 2 +-
 6 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro
index 64c3d198f2..298f6d3990 100644
--- a/scripts/policy/protocols/ssl/ocsp-stapling.bro
+++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro
@@ -53,7 +53,7 @@ export {
 };
 }
-event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count)
 {
 local resp: OCSP::Response = ocsp_parse_response(response);
diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
index 3beabbe59c..6667d9fbae 100644
--- a/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -27,7 +27,7 @@ export {
 # certificate chain is seen.
 global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins;
-event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) &priority=3
 {
 c$ssl$ocsp_response = response;
 }
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 18704d25ec..09e9c2d75e 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
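Review bot: Neither policy handler reads the new `status_type` argument: in ocsp-stapling.bro the body still calls `ocsp_parse_response(response)` unconditionally, and in validate-ocsp.bro it still assigns `c$ssl$ocsp_response = response` for every event. If the analyzer can raise this event for a CertificateStatus message whose type is not `ocsp` (value 1 in RFC 6066), both handlers would treat peer-supplied non-OCSP bytes as an OCSP response. The condition around the generate call in tls-handshake-analyzer.pac lies outside its hunk, so this cannot be confirmed from the patch. A guard such as `if ( status_type != 1 ) return;` at the top of each handler would make the assumption explicit. The ocsp-stapling.bro handler body continues past the end of its hunk.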
@@ -294,7 +294,9 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## response: OCSP data.
-event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
+##
+## status_type: status_type in received OCSP stapled response
+event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string, status_type: count%);
 ## This event is raised for each unencrypted SSL/TLS handshake message.
 ##
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 84a7936daf..89177dfb51 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -173,7 +173,8 @@ refine connection Handshake_Conn += {
 BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(),
- (const char*) response.data()));
+ (const char*) response.data()),
+ status_type);
 }
 return true;
 %}
diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro
index ab24f28ee8..4a4d081e09 100644
--- a/testing/btest/core/leaks/x509_ocsp_verify.bro
+++ b/testing/btest/core/leaks/x509_ocsp_verify.bro
@@ -9,7 +9,7 @@
 @load base/protocols/ssl
-event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count)
 {
 local chain: vector of opaque of x509 = vector();
 for ( i in c$ssl$cert_chain )
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
index 6424f263f1..440b1b2ebf 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
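Review bot: The doc line added in the events.bif hunk, `## status_type: status_type in received OCSP stapled response`, only restates the parameter name and does not tell a script writer which values to expect or compare against. A wording such as `## status_type: The CertificateStatusType carried in the TLS CertificateStatus message (1 = ocsp, see RFC 6066).` would give handlers something to check. The declaration also changes from three to four arguments, so handlers written against the old form in out-of-tree scripts will presumably no longer match it. The patch updates only the in-tree handlers, so a compatibility note in the release notes seems warranted.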
@@ -5,7 +5,7 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\
x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64",
 };
-event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count)
 {
 local chain: vector of opaque of x509 = vector();
 for ( i in c$ssl$cert_chain )