From b32c7c7a882a6f0ee3a75b20f376b2ddea409ab4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Wed, 19 Mar 2014 21:32:01 -0700
Subject: [PATCH] Add policy script to suppress non host-certificate logging in x509.log
Addresses BIT-1150
---
 .../protocols/ssl/log-hostcerts-only.bro | 65 +++++++++++++++++++
 scripts/site/local.bro | 3 +
 scripts/test-all-policy.bro | 1 +
 .../x509.log | 11 ++++
 .../protocols/ssl/log-hostcerts-only.bro | 4 ++
 5 files changed, 84 insertions(+)
 create mode 100644 scripts/policy/protocols/ssl/log-hostcerts-only.bro
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro
diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
new file mode 100644
index 0000000000..75b1ae0423
--- /dev/null
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -0,0 +1,65 @@
+##! When this script is loaded, only the host certificates (client and server)
+##! will be logged to x509.log. Logging of all other certificates will be suppressed.
+
+module X509;
+
+export {
+ redef record Info += {
+ # Logging is suppressed if field is set to F
+ logcert: bool &default=T;
+ };
+}
+
+# We need both the Info and the fa_file record modified.
+# The only instant when we have both, the connection and the
+# file available without having to loop is in the file_over_new_connection
+# event.
+# When that event is raised, the x509 record in f$info (which is the only
+# record the logging framework gets) is not yet available. So - we
+# have to do this two times, sorry.
+# Alternatively, we could place it info Files::Info first - but we would
+# still have to copy it.
+redef record fa_file += {
+ logcert: bool &default=T;
+};
+
+function host_certs_only(rec: X509::Info): bool
+ {
+ return rec$logcert;
+ }
+
+event bro_init() &priority=2
+ {
+ local f = Log::get_filter(X509::LOG, "default");
+ Log::remove_filter(X509::LOG, "default"); # disable default logging
+ f$pred=host_certs_only; # and add our predicate
+ Log::add_filter(X509::LOG, f);
+ }
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2
+ {
+ if ( ! c?$ssl )
+ return;
+
+ local chain: vector of string;
+
+ if ( is_orig )
+ chain = c$ssl$client_cert_chain_fuids;
+ else
+ chain = c$ssl$cert_chain_fuids;
+
+ if ( |chain| == 0 )
+ {
+ Reporter::warning(fmt("Certificate not in chain? (fuid %s)", f$id));
+ return;
+ }
+
+ # Check if this is the host certificate
+ if ( f$id != chain[0] )
+ f$logcert=F;
+}
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=2
+ {
+ f$info$x509$logcert = f$logcert; # info record available, copy information.
+ }
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index ddaee42a93..e1a3574424 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
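Review bot: `f$pred=host_certs_only;` in bro_init overwrites whatever predicate another script may already have installed on the X509::LOG "default" filter, and a later script using the same get/remove/add pattern would drop this one in turn, so the suppression can silently stop working depending on load order. Making the override visible costs two lines before the assignment: `if ( f?$pred )` / `Reporter::warning("X509::LOG default filter already had a predicate; log-hostcerts-only replaces it");`. In file_over_new_connection the only gate is `c?$ssl`, so if any file other than a certificate can be delivered on an SSL connection it would trigger the "Certificate not in chain?" warning for every such file; that handler is also the one block whose closing brace sits at column 0 (`+}`) while every other block in the file indents it. The `# Logging is suppressed if field is set to F` comment on the exported Info field should be a `##` doc comment so Broxygen picks it up.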
@@ -55,6 +55,9 @@
 # This script enables SSL/TLS certificate validation.
 @load protocols/ssl/validate-certs
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
 # Uncomment the following line to check each SSL certificate hash against the ICSI
 # certificate notary service; see http://notary.icsi.berkeley.edu .
 # @load protocols/ssl/notary
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index ee540c86bb..895a9a8901 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -86,6 +86,7 @@
 @load protocols/ssl/expiring-certs.bro
 @load protocols/ssl/extract-certs-pem.bro
 @load protocols/ssl/known-certs.bro
+@load protocols/ssl/log-hostcerts-only.bro
 #@load protocols/ssl/notary.bro
 @load protocols/ssl/validate-certs.bro
 @load tuning/__load__.bro
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
new file mode 100644
index 0000000000..13f8280fa9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
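Review bot: Enabling protocols/ssl/log-hostcerts-only from local.bro changes the default x509.log for every deployment that ships this file: intermediate and root certificates presented in a chain are no longer recorded, and that is evidence an analyst may need to reconstruct a suspicious or mis-issued chain after the fact. The comment above the `@load` only says "CA certificates"; it should spell out the trade-off so operators know what they give up, e.g. `# This script logs only host (end-entity) certificates to x509.log; intermediate and root` / `# certificates in the chain are dropped. Comment it out to keep the full chain.`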
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2014-03-20-04-29-44 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1394747126.862409 FlaIzV19yTmBYwWwc6 2 4A2C8628C1010633 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1393341558.000000 1401062400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com - - - F - +1394747129.512954 FOye6a4kt8a7QChqw3 2 4A2C8628C1010633 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1393341558.000000 1401062400.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - 
*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com - - - F -
+#close 2014-03-20-04-29-44
diff --git a/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro
new file mode 100644
index 0000000000..37f9f7592b
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/tls/google-duplicate.trace %INPUT
+# @TEST-EXEC: btest-diff x509.log
+
+@load protocols/ssl/log-hostcerts-only