Certificate caching - now working in principle.

I moved the replay function to a callback, which means that the replayed
functions are now called before the file_state is removed. This makes it virtually
identical to the events raised by the core.

Currently this is mostly missing tests, leak-testing and performance-tests.
Johanna Amann 2020-03-09 14:25:06 -07:00
parent 0829164a3e
commit 65e99bafed
5 changed files with 93 additions and 45 deletions


@ -55,9 +55,16 @@ bool file_analysis::X509::EndOfFile()
auto index = make_intrusive<StringVal>(cert_sha256);
if ( certificate_cache->Lookup(index.get(), false) )
// in this case, the certificate is in the cache and we do not
// do any further processing here
// do any further processing here. However, if there is a callback, we execute it.
{
std::cerr << "Skipping " << cert_sha256 << std::endl;
if ( ! cache_hit_callback )
return false;
// yup, let's call the callback.
val_list vl(1);
vl.push_back(GetFile()->GetVal()->Ref());
vl.push_back(new StringVal(cert_sha256));
cache_hit_callback->Call(&vl);
return false;
}
}
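Review bot: The `std::cerr << "Skipping " << cert_sha256 << std::endl;` line in the new cache-hit branch writes every cached certificate hash to stderr on the normal processing path; it reads as a debugging leftover and should be removed or put behind the project's debug logging before this lands. Separately, the result of `cache_hit_callback->Call(&vl)` is discarded: if Call() hands ownership of the callback's return value to the caller (worth confirming against Func.h), that value leaks on every cache hit, which is relevant given the commit note that leak-testing is still outstanding; `Unref(cache_hit_callback->Call(&vl));` would address it. The `val_list vl(1)` size hint also undercounts the two arguments pushed right after it, so `val_list vl(2);` is the accurate hint. EndOfFile() begins and ends outside this hunk.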


@ -7,6 +7,7 @@
#include "OpaqueVal.h"
#include "X509Common.h"
#include "Func.h"
#if ( OPENSSL_VERSION_NUMBER < 0x10002000L ) || defined(LIBRESSL_VERSION_NUMBER)
@ -118,6 +119,12 @@ public:
static void SetCertificateCache(IntrusivePtr<TableVal> cache)
{ certificate_cache = cache; }
/**
* Sets the callback when a certificate cache hit is encountered
*/
static void SetCertificateCacheHitCallback(IntrusivePtr<Func> func)
{ cache_hit_callback = func; }
protected:
X509(RecordVal* args, File* file);
@ -134,6 +141,7 @@ private:
/** X509 stores associated with global script-layer values */
inline static std::map<Val*, X509_STORE*> x509_stores = std::map<Val*, X509_STORE*>();
inline static IntrusivePtr<TableVal> certificate_cache = nullptr;
inline static IntrusivePtr<Func> cache_hit_callback = nullptr;
};
/**
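Review bot: The doc comment on SetCertificateCacheHitCallback says only that the callback is set, not what the script-layer function receives or when it runs; the X509.cc hunk in this commit calls it with the file's value and a StringVal built from cert_sha256, before the file state is removed. A comment such as `/** Sets the callback invoked on a certificate-cache hit. It is called with the file value and the certificate's SHA-256 string before the file state is removed. */` would let a reader use the hook without tracing the .cc. Since `func` is taken by value, `{ cache_hit_callback = std::move(func); }` would avoid an extra reference bump, though the existing SetCertificateCache just above uses the same copying form, so keeping the two consistent is defensible.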


@ -888,3 +888,10 @@ function x509_set_certificate_cache%(tbl: string_any_table%) : bool
return val_mgr->GetBool(1);
%}
function x509_set_certificate_cache_hit_callback%(f: string_file_function%) : bool
%{
file_analysis::X509::SetCertificateCacheHitCallback({NewRef{}, f->AsFunc()});
return val_mgr->GetBool(1);
%}