Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 02:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

OCSP/TLS/SCT: Fix a number of test failures.

Browse source 
These were caused by earlier code updates.

This commit also removes the ocsp stapling logging script; it was
defunctional and the information provided by it wnever really has been
especially interesting.
This commit is contained in:
Johanna Amann 2017-05-02 13:47:46 -07:00
parent a334247478
commit 876f492a35
11 changed files with 122 additions and 212 deletions
Download patch file Download diff file Expand all files Collapse all files

118
scripts/policy/protocols/ssl/ocsp-stapling.bro
View file

@ -1,118 +0,0 @@
#! Log ocsp stapling information
module OCSP_STAPLING;
export {
redef enum Log::ID += { LOG };
type Info: record {
## timestamp
ts: time &log;
## status type
status_type: count &log;
## connection id
cid: conn_id &log;
## connection uid
cuid: string &log;
## size of this response
size: count &log;
## responseStatus
responseStatus: string &log;
## responseType
responseType: string &log;
## version
version: count &log;
## responderID
responderID: string &log;
## producedAt
producedAt: string &log;
## NOTE: the following are specific to one cert id
## the above are for one message which may contain
## several responses
## index
idx: count &log &optional;
## cert id
cert_id: OCSP::CertId &log &optional;
## certStatus (this is the response to look at)
certStatus: string &log &optional;
## thisUpdate
thisUpdate: string &log &optional;
## nextUpdate
nextUpdate: string &log &optional;
};
}
event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count)
{
local resp: OCSP::Response = ocsp_parse_response(response);
# TOCHECK: is this right?
local resp_size: count =|response|;
if (resp?$responses)
{
local num: count = 0;
for (x in resp$responses)
{
num += 1;
local single_resp: OCSP::SingleResp = resp$responses[x];
local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm,
$issuerNameHash = single_resp$issuerNameHash,
$issuerKeyHash = single_resp$issuerKeyHash,
$serialNumber = single_resp$serialNumber];
local resp_rec: Info = [$ts = network_time(),
$status_type = status_type,
$cid = c$id,
$cuid = c$uid,
$size = resp_size,
$responseStatus = resp$responseStatus,
$responseType = resp$responseType,
$version = resp$version,
$responderID = resp$responderID,
$producedAt = resp$producedAt,
$idx = num,
$cert_id = cert_id,
$certStatus = single_resp$certStatus,
$thisUpdate = single_resp$thisUpdate];
if (single_resp?$nextUpdate)
resp_rec$nextUpdate = single_resp$nextUpdate;
Log::write(LOG, resp_rec);
}
}
else
{
# no response content? this is weird but log it anyway
local resp_rec_empty: Info = [$ts = network_time(),
$status_type = status_type,
$cid = c$id,
$cuid = c$uid,
$size = resp_size,
$responseStatus = resp$responseStatus,
$responseType = resp$responseType,
$version = resp$version,
$responderID = resp$responderID,
$producedAt = resp$producedAt];
Log::write(LOG, resp_rec_empty);
}
}
event bro_init()
{
Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]);
}

2
scripts/test-all-policy.bro
View file

@ -34,6 +34,7 @@
@load frameworks/files/entropy-test-all-files.bro
#@load frameworks/files/extract-all-files.bro
@load frameworks/files/hash-all-files.bro
@load files/x509/log-ocsp.bro
@load frameworks/packet-filter/shunt.bro
@load frameworks/software/version-changes.bro
@load frameworks/software/vulnerable.bro
@ -98,6 +99,7 @@
#@load protocols/ssl/notary.bro
@load protocols/ssl/validate-certs.bro
@load protocols/ssl/validate-ocsp.bro
@load protocols/ssl/validate-sct.bro
@load protocols/ssl/weak-keys.bro
@load tuning/__load__.bro
@load tuning/defaults/__load__.bro