GH-1634: Address feedback

This commit addresses feedback for GH-1643, fixing typos and renaming
one of the fields in x509.log.
Johanna Amann 2021-07-02 15:12:58 +01:00
parent 6a6961b474
commit 8972676e92
34 changed files with 184 additions and 184 deletions


@ -19,11 +19,11 @@ export {
## file ID is not present in the X509 log.
option log_x509_in_files_log: bool = F;
## Type that is used to decide which certificates are duplicates for loggign purposes.
## Type that is used to decide which certificates are duplicates for logging purposes.
## When adding entries to this, also change the create_deduplication_index to update them.
type LogCertHash: record {
## Certificate fingerprint
fp: string;
fingerprint: string;
## Indicates if this certificate was a end-host certificate, or sent as part of a chain
host_cert: bool;
## Indicates if this certificate was sent from the client
@ -35,7 +35,7 @@ export {
## Current timestamp.
ts: time &log;
## Fingerprint of the certificate - uses chosen algorithm.
fp: string &log;
fingerprint: string &log;
## Basic information about the certificate.
certificate: X509::Certificate &log;
## The opaque wrapping the certificate. Mainly used
@ -160,14 +160,14 @@ hook create_deduplication_index(i: X509::Info)
if ( i?$deduplication_index || relog_known_certificates_after == 0secs )
return;
i$deduplication_index = LogCertHash($fp=i$fp, $host_cert=i$host_cert, $client_cert=i$client_cert);
i$deduplication_index = LogCertHash($fingerprint=i$fingerprint, $host_cert=i$host_cert, $client_cert=i$client_cert);
}
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
{
local der_cert = x509_get_certificate_string(cert_ref);
local fp = hash_function(der_cert);
f$info$x509 = [$ts=f$info$ts, $fp=fp, $certificate=cert, $handle=cert_ref];
f$info$x509 = [$ts=f$info$ts, $fingerprint=fp, $certificate=cert, $handle=cert_ref];
if ( f$info$mime_type == "application/x-x509-user-cert" )
f$info$x509$host_cert = T;
if ( f$is_orig )
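Review bot: The doc comment on the logged field in the second hunk, `## Fingerprint of the certificate - uses chosen algorithm.`, does not say where the algorithm is chosen, so a reader comparing fingerprints from sensors configured differently cannot tell from the documentation which digest the column holds. I would name the source, for example `## Fingerprint of the certificate, as computed by hash_function.`, since the third hunk shows the value coming from `hash_function(der_cert)`. Because the field carries `&log`, the rename also changes the x509.log column from `fp` to `fingerprint`, so anything downstream keyed on the old name (presumably including lookups of ssl.log's `cert_chain_fps` values against x509.log) needs the new one. A NEWS entry would help if the other changed files do not already include one. The export record and the x509_certificate handler both continue outside the hunks shown.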


@ -162,13 +162,13 @@ hook ssl_finishing(c: connection) &priority=20
{
if ( c$ssl?$cert_chain)
for ( i in c$ssl$cert_chain )
if ( c$ssl$cert_chain[i]?$x509 && c$ssl$cert_chain[i]$x509?$fp )
c$ssl$cert_chain_fps += c$ssl$cert_chain[i]$x509$fp;
if ( c$ssl$cert_chain[i]?$x509 && c$ssl$cert_chain[i]$x509?$fingerprint )
c$ssl$cert_chain_fps += c$ssl$cert_chain[i]$x509$fingerprint;
if ( c$ssl?$client_cert_chain )
for ( i in c$ssl$client_cert_chain )
if ( c$ssl$client_cert_chain[i]?$x509 && c$ssl$client_cert_chain[i]$x509?$fp )
c$ssl$client_cert_chain_fps += c$ssl$client_cert_chain[i]$x509$fp;
if ( c$ssl$client_cert_chain[i]?$x509 && c$ssl$client_cert_chain[i]$x509?$fingerprint )
c$ssl$client_cert_chain_fps += c$ssl$client_cert_chain[i]$x509$fingerprint;
if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 &&
c$ssl$cert_chain[0]?$x509 )


@ -1 +1 @@
@deprecated("Remove in v5.1. OCSP logging is now disabled by default")
@deprecated("Remove in v5.1. OCSP logging is now enabled by default")