From bb55f828096e5690e0b97079a53f0e77b171d480 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 29 Jun 2018 16:15:34 -0500 Subject: [PATCH] Remove requestorName parameter of ocsp_request event This field isn't publicly available via the OpenSSL 1.1 API, not used in the base scripts, and has no example in the test suit, so removing it is simpler than trying to support manually parsing it out of the raw data. --- NEWS | 2 ++ src/file_analysis/analyzer/x509/OCSP.cc | 13 ------------- src/file_analysis/analyzer/x509/ocsp_events.bif | 5 +---- .../scripts/base/protocols/ssl/ocsp-http-get.test | 4 ++-- .../base/protocols/ssl/ocsp-request-only.test | 4 ++-- .../base/protocols/ssl/ocsp-request-response.test | 4 ++-- .../base/protocols/ssl/ocsp-response-only.test | 4 ++-- .../scripts/base/protocols/ssl/ocsp-revoked.test | 4 ++-- 8 files changed, 13 insertions(+), 27 deletions(-) diff --git a/NEWS b/NEWS index a4f233a116..bbfb567e91 100644 --- a/NEWS +++ b/NEWS @@ -344,6 +344,8 @@ Removed Functionality available (though Broker should be able to handle IPv6 automatically). +- The "ocsp_request" event no longer has "requestorName" parameter. + Deprecated Functionality ------------------------ diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index e22440aab8..ccb6762739 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -422,13 +422,10 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) vl->append(GetFile()->GetVal()->Ref()); uint64 version = 0; - GENERAL_NAME* general_name = nullptr; #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) if ( req->tbsRequest->version ) version = (uint64)ASN1_INTEGER_get(req->tbsRequest->version); - - general_name = req->tbsRequest->requestorName; #else version = parse_request_version(req); // TODO: try to parse out general name ? @@ -438,16 +435,6 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) BIO *bio = BIO_new(BIO_s_mem()); - if ( general_name ) - { - GENERAL_NAME_print(bio, general_name); - int len = BIO_read(bio, buf, sizeof(buf)); - vl->append(new StringVal(len, buf)); - BIO_reset(bio); - } - else - vl->append(new StringVal(0, "")); - mgr.QueueEvent(ocsp_request, vl); int req_count = OCSP_request_onereq_count(req); diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index 4e0ed6e9dc..f49208d238 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -7,13 +7,10 @@ ## ## req: version: the version of the OCSP request. Typically 0 (Version 1). ## -## requestorName: name of the OCSP requestor. This attribute is optional; if -## it is not set, an empty string is returned here. -## ## .. bro:see:: ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp -event ocsp_request%(f: fa_file, version: count, requestorName: string%); +event ocsp_request%(f: fa_file, version: count%); ## Event that is raised when encountering an OCSP request for a certificate, ## e.g. in an HTTP connection. See :rfc:`6960` for more details. diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test index ff48772b6a..c8c8acc589 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test @@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test index 0176716553..05483717b0 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test @@ -16,9 +16,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test index 3adfab9aa2..b95203dfd8 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test @@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test index f99a71802c..43dbf82583 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test @@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test index ae39640f3f..e4378135ad 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)