Add very basic ocsp stapling support.

This only allows access to the ocsp stapling response data. No verification
or anything else at the moment.

src/analyzer/protocol/ssl/events.bif

@@ -214,6 +214,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
@@ -236,9 +238,21 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
+## This event contains the OCSP response contained in a Certificate Status Request
+## message, when the client requested OCSP stapling and the server supports it. See
+## description in :rfc:`6066`
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## response: OCSP data.
+event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);

src/analyzer/protocol/ssl/ssl-analyzer.pac

@@ -389,6 +389,17 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+	function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool
+		%{
+		 if ( status_type == 1 ) // ocsp
+			{
+			BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
+			  bro_analyzer()->Conn(), ${rec.is_orig},
+			  new StringVal(response.length(), (const char*) response.data()));
+			}
+
+		return true;
+		%}
 };
 
 refine typeattr Alert += &let {
@@ -473,3 +484,7 @@ refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 refine typeattr ServerNameExt += &let {
 	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
+
+refine typeattr CertificateStatus += &let {
+	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
+};

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -341,6 +341,7 @@ type Certificate(rec: SSLRecord) = record {
 
 type CertificateStatus(rec: SSLRecord) = record {
 	status_type: uint8; # 1 = ocsp, everything else is undefined
+	length : uint24;
 	response: bytestring &restofdata;
 };