Add very basic ocsp stapling support.

This only allows access to the ocsp stapling response data. No verification or anything else at the moment.
2025-10-02 06:38:20 +00:00 · 2014-04-24 12:36:05 -07:00 · 2014-04-24 12:36:05 -07:00 · c24629abf4
commit c24629abf4
parent 9b7eb293f1
7 changed files with 41 additions and 2 deletions
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@ -81,5 +81,6 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR

-# Load heartbleed detection. Only superficially tested, might contain bugs.
-@load policy/protocols/ssl/heartbleed
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -214,6 +214,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
@ -236,9 +238,21 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);

+## This event contains the OCSP response contained in a Certificate Status Request
+## message, when the client requested OCSP stapling and the server supports it. See
+## description in :rfc:`6066`
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## response: OCSP data.
+event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@ -389,6 +389,17 @@ refine connection SSL_Conn += {
 		return true;
 		%}

+	function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool
+		%{
+		 if ( status_type == 1 ) // ocsp
+			{
+			BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
+			  bro_analyzer()->Conn(), ${rec.is_orig},
+			  new StringVal(response.length(), (const char*) response.data()));
+			}
+
+		return true;
+		%}
 };

 refine typeattr Alert += &let {
@ -473,3 +484,7 @@ refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 refine typeattr ServerNameExt += &let {
 	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
+
+refine typeattr CertificateStatus += &let {
+	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
+};
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@ -341,6 +341,7 @@ type Certificate(rec: SSLRecord) = record {

 type CertificateStatus(rec: SSLRecord) = record {
 	status_type: uint8; # 1 = ocsp, everything else is undefined
+	length : uint24;
 	response: bytestring &restofdata;
 };

--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
@ -0,0 +1 @@
+F, 1995
--- a/testing/btest/Traces/tls/ocsp-stapling.trace
+++ b/testing/btest/Traces/tls/ocsp-stapling.trace
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+	{
+	print is_orig, |response|;
+	}