Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix circular reference problem and a few other small things.

Browse source 
SSL::Info now holds a reference to Files::Info instead of the
fa_files record.

Everything should work now, if everyone thinks that the interface is
ok I will update the test baselines in a bit.

addresses BIT-953, BIT-760
This commit is contained in:
Bernhard Amann 2014-03-04 05:29:04 -08:00
parent 110d9fbd6a
commit 7eb6b5133e
8 changed files with 24 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

26
scripts/base/files/x509/main.bro
View file

@ -39,7 +39,7 @@ event bro_init() &priority=5
Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509]); Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509]);
} }
redef record fa_file += { redef record Files::Info += {
## Information about X509 certificates. This is used to keep ## Information about X509 certificates. This is used to keep
## certificate information until all events have been received. ## certificate information until all events have been received.
x509: X509::Info &optional; x509: X509::Info &optional;
@ -47,31 +47,31 @@ redef record fa_file += {
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
{ {
f$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref]; f$info$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref];
} }
event x509_extension(f: fa_file, ext: X509::Extension) &priority=5 event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
{ {
if ( f?$x509 ) if ( f$info?$x509 )
f$x509$extensions[|f$x509$extensions|] = ext; f$info$x509$extensions[|f$info$x509$extensions|] = ext;
} }
event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5 event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5
{ {
if ( f?$x509 ) if ( f$info?$x509 )
f$x509$basic_constraints = ext; f$info$x509$basic_constraints = ext;
} }
event x509_ext_subject_alternative_name(f: fa_file, names: string_vec) &priority=5 event x509_ext_subject_alternative_name(f: fa_file, names: string_vec) &priority=5
{ {
if ( f?$x509 ) if ( f$info?$x509 )
f$x509$san = names; f$info$x509$san = names;
} }
event file_state_remove(f: fa_file) event file_state_remove(f: fa_file) &priority=5
{ {
if ( f?$x509 ) if ( ! f$info?$x509 )
{ return;
Log::write(LOG, f$x509);
} Log::write(LOG, f$info$x509);
} }

9
scripts/base/protocols/ssl/files.bro
View file

@ -1,6 +1,7 @@
@load ./main @load ./main
@load base/utils/conn-ids @load base/utils/conn-ids
@load base/frameworks/files @load base/frameworks/files
@load base/files/x509
module SSL; module SSL;
@ -8,7 +9,7 @@ export {
redef record Info += { redef record Info += {
## Chain of certificates offered by the server to validate its ## Chain of certificates offered by the server to validate its
## complete signing chain. ## complete signing chain.
cert_chain: vector of fa_file &optional; cert_chain: vector of Files::Info &optional;
## An ordered vector of all certicate file unique IDs for the ## An ordered vector of all certicate file unique IDs for the
## certificates offered by the server. ## certificates offered by the server.
@ -16,7 +17,7 @@ export {
## Chain of certificates offered by the client to validate its ## Chain of certificates offered by the client to validate its
## complete signing chain. ## complete signing chain.
client_cert_chain: vector of fa_file &optional; client_cert_chain: vector of Files::Info &optional;
## An ordered vector of all certicate file unique IDs for the ## An ordered vector of all certicate file unique IDs for the
## certificates offered by the client. ## certificates offered by the client.
@ -80,12 +81,12 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
if ( is_orig ) if ( is_orig )
{ {
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f; c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id; c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
} }
else else
{ {
c$ssl$cert_chain[|c$ssl$cert_chain|] = f; c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id; c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
} }

2
scripts/policy/protocols/ssl/expiring-certs.bro
View file

@ -39,7 +39,7 @@ event ssl_established(c: connection) &priority=3
! addr_matches_host(c$id$resp_h, notify_certs_expiration) ) ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
return; return;
local hash = c$ssl$cert_chain[0]$info$md5; local hash = c$ssl$cert_chain[0]$md5;
local cert = c$ssl$cert_chain[0]$x509$certificate; local cert = c$ssl$cert_chain[0]$x509$certificate;
if ( cert$not_valid_before > network_time() ) if ( cert$not_valid_before > network_time() )

2
scripts/policy/protocols/ssl/extract-certs-pem.bro
View file

@ -34,7 +34,7 @@ event ssl_established(c: connection) &priority=5
if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) ) if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
return; return;
local hash = c$ssl$cert_chain[0]$info$sha1; local hash = c$ssl$cert_chain[0]$sha1;
local cert = c$ssl$cert_chain[0]$x509$handle; local cert = c$ssl$cert_chain[0]$x509$handle;
if ( hash in extracted_certs ) if ( hash in extracted_certs )

2
scripts/policy/protocols/ssl/known-certs.bro
View file

@ -51,7 +51,7 @@ event ssl_established(c: connection) &priority=3
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 ) if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
return; return;
local hash = c$ssl$cert_chain[0]$info$sha1; local hash = c$ssl$cert_chain[0]$sha1;
local cert = c$ssl$cert_chain[0]$x509$certificate; local cert = c$ssl$cert_chain[0]$x509$certificate;
local host = c$id$resp_h; local host = c$id$resp_h;

2
scripts/policy/protocols/ssl/notary.bro
View file

@ -42,7 +42,7 @@ event ssl_established(c: connection) &priority=3
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ) if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
return; return;
local digest = c$ssl$cert_chain[0]$info$sha1; local digest = c$ssl$cert_chain[0]$sha1;
if ( digest in notary_cache ) if ( digest in notary_cache )
{ {

2
scripts/test-all-policy.bro
View file

@ -26,6 +26,7 @@
@load frameworks/intel/seen/smtp.bro @load frameworks/intel/seen/smtp.bro
@load frameworks/intel/seen/ssl.bro @load frameworks/intel/seen/ssl.bro
@load frameworks/intel/seen/where-locations.bro @load frameworks/intel/seen/where-locations.bro
@load frameworks/intel/seen/x509.bro
@load frameworks/files/detect-MHR.bro @load frameworks/files/detect-MHR.bro
@load frameworks/files/hash-all-files.bro @load frameworks/files/hash-all-files.bro
@load frameworks/packet-filter/shunt.bro @load frameworks/packet-filter/shunt.bro
@ -82,7 +83,6 @@
@load protocols/ssh/geo-data.bro @load protocols/ssh/geo-data.bro
@load protocols/ssh/interesting-hostnames.bro @load protocols/ssh/interesting-hostnames.bro
@load protocols/ssh/software.bro @load protocols/ssh/software.bro
@load protocols/ssl/cert-hash.bro
@load protocols/ssl/expiring-certs.bro @load protocols/ssl/expiring-certs.bro
@load protocols/ssl/extract-certs-pem.bro @load protocols/ssl/extract-certs-pem.bro
@load protocols/ssl/known-certs.bro @load protocols/ssl/known-certs.bro

2
src/file_analysis/analyzer/x509/X509.cc
View file

@ -480,7 +480,7 @@ X509Val::~X509Val()
bool X509Val::DoSerialize(SerialInfo* info) const bool X509Val::DoSerialize(SerialInfo* info) const
{ {
DO_SERIALIZE(SER_X509_VAL, X509Val); DO_SERIALIZE(SER_X509_VAL, OpaqueVal);
unsigned char *buf = NULL; unsigned char *buf = NULL;