From c670613996435d7e833eec724a77c91a8b3f0969 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 8 Feb 2017 10:57:30 -0800
Subject: [PATCH] Make OCSP analyzer part of the X.509 analyzer

This allows the easier integration of shared functionality. And it also makes logical sense, given that OCSP is not interesting without X.509.

---
 scripts/base/files/ocsp/README | 1 -
 scripts/base/files/ocsp/__load__.bro | 1 -
 scripts/base/files/x509/README | 1 +
 .../files/{ocsp/main.bro => x509/ocsp.bro} | 2 ++
 scripts/base/init-default.bro | 1 -
 .../policy/protocols/ssl/validate-ocsp.bro | 2 +-
 src/file_analysis/analyzer/CMakeLists.txt | 1 -
 .../analyzer/ocsp/CMakeLists.txt | 10 --------
 src/file_analysis/analyzer/ocsp/Plugin.cc | 25 -------------------
 .../analyzer/x509/CMakeLists.txt | 4 +-
 .../analyzer/{ocsp => x509}/OCSP.cc | 4 +-
 .../analyzer/{ocsp => x509}/OCSP.h | 0
 src/file_analysis/analyzer/x509/Plugin.cc | 4 ++-
 .../{ocsp/events.bif => x509/ocsp_events.bif} | 0
 .../functions.bif => x509/ocsp_functions.bif} | 4 +-
 .../{ocsp/types.bif => x509/ocsp_types.bif} | 0
 16 files changed, 13 insertions(+), 47 deletions(-)
 delete mode 100644 scripts/base/files/ocsp/README
 delete mode 100644 scripts/base/files/ocsp/__load__.bro
 rename scripts/base/files/{ocsp/main.bro => x509/ocsp.bro} (99%)
 delete mode 100644 src/file_analysis/analyzer/ocsp/CMakeLists.txt
 delete mode 100644 src/file_analysis/analyzer/ocsp/Plugin.cc
 rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.cc (99%)
 rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.h (100%)
 rename src/file_analysis/analyzer/{ocsp/events.bif => x509/ocsp_events.bif} (100%)
 rename src/file_analysis/analyzer/{ocsp/functions.bif => x509/ocsp_functions.bif} (95%)
 rename src/file_analysis/analyzer/{ocsp/types.bif => x509/ocsp_types.bif} (100%)

diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README
deleted file mode 100644
index beabe8a3fc..0000000000
--- a/scripts/base/files/ocsp/README
+++ /dev/null
@@ -1 +0,0 @@
-Support for ocsp file analysis framework.
diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro
deleted file mode 100644
index d551be57d3..0000000000
--- a/scripts/base/files/ocsp/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load ./main
\ No newline at end of file
diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README
index 8b50366cd2..b523eb4fc4 100644
--- a/scripts/base/files/x509/README
+++ b/scripts/base/files/x509/README
@@ -1 +1,2 @@
 Support for X509 certificates with the file analysis framework.
+Also supposrts OCSP requests and responses.
diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/x509/ocsp.bro
similarity index 99%
rename from scripts/base/files/ocsp/main.bro
rename to scripts/base/files/x509/ocsp.bro
index 3474e3a797..4a4836eee5 100644
--- a/scripts/base/files/ocsp/main.bro
+++ b/scripts/base/files/x509/ocsp.bro
@@ -2,6 +2,8 @@
 @load base/utils/paths
 @load base/utils/queue
 
+# Note - this needs some cleaning up and is currently not loaded by default.
+
 module OCSP;
 
 export {
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 82379ec31c..65b41305c7 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -77,7 +77,6 @@
 @load base/files/extract
 @load base/files/unified2
 @load base/files/x509
-@load base/files/ocsp
 
 @load base/misc/find-checksum-offloading
 @load base/misc/find-filtered-trace
diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
index 6667d9fbae..8f0da3ef2f 100644
--- a/scripts/policy/protocols/ssl/validate-ocsp.bro
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -1,4 +1,4 @@
-##! Perform OCSP response validation.
+##! Perform validation of stapled OCSP responses.
 
 @load base/frameworks/notice
 @load base/protocols/ssl
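Review bot: The new comment in ocsp.bro, `# Note - this needs some cleaning up and is currently not loaded by default.`, tells a reader neither how to opt in nor what still needs cleaning up, while the init-default.bro hunk in this same change drops `@load base/files/ocsp` without adding a replacement. Because the README and `__load__.bro` of `base/files/ocsp` are deleted as well, any external script that still does `@load base/files/ocsp` will presumably fail to load after this commit, which deserves a sentence in the commit message or NEWS (or a one-line compatibility `__load__.bro` left at the old location). I would make the comment actionable: `# Note - not loaded by default; opt in with @load base/files/x509/ocsp. Needs cleanup before it can be enabled in init-default.bro.` The added x509/README line in this change also misspells `supports` as `supposrts`.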
diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt
index 9296f4e6de..ef17247997 100644
--- a/src/file_analysis/analyzer/CMakeLists.txt
+++ b/src/file_analysis/analyzer/CMakeLists.txt
@@ -5,4 +5,3 @@ add_subdirectory(hash)
 add_subdirectory(pe)
 add_subdirectory(unified2)
 add_subdirectory(x509)
-add_subdirectory(ocsp)
\ No newline at end of file
diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt
deleted file mode 100644
index 12c54c1c84..0000000000
--- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-
-include(BroPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
- ${CMAKE_CURRENT_BINARY_DIR})
-
-bro_plugin_begin(Bro OCSP)
-bro_plugin_cc(OCSP.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif)
-bro_plugin_end()
diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc
deleted file mode 100644
index f7edbd1d6d..0000000000
--- a/src/file_analysis/analyzer/ocsp/Plugin.cc
+++ /dev/null
@@ -1,25 +0,0 @@
-// See the file in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-#include "OCSP.h"
-
-namespace plugin {
-namespace Bro_OCSP {
-
-class Plugin : public plugin::Plugin {
-public:
- plugin::Configuration Configure()
- {
- AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate));
-
- plugin::Configuration config;
- config.name = "Bro::OCSP";
- config.description = "OCSP analyzer";
- return config;
- }
-} plugin;
-
-}
-}
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index aa663cfa6e..e95b4ae6e6 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
 ${CMAKE_CURRENT_BINARY_DIR})
 
 bro_plugin_begin(Bro X509)
-bro_plugin_cc(X509.cc Plugin.cc)
-bro_plugin_bif(events.bif types.bif functions.bif)
+bro_plugin_cc(X509.cc OCSP.cc Plugin.cc)
+bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif)
 bro_plugin_end()
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
similarity index 99%
rename from src/file_analysis/analyzer/ocsp/OCSP.cc
rename to src/file_analysis/analyzer/x509/OCSP.cc
index d54f1f345b..926f30cf37 100644
--- a/src/file_analysis/analyzer/ocsp/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -5,8 +5,8 @@
 #include "OCSP.h"
 
 #include "Event.h"
-#include "events.bif.h"
-#include "types.bif.h"
+#include "ocsp_events.bif.h"
+#include "ocsp_types.bif.h"
 
 #include "file_analysis/Manager.h"
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h
similarity index 100%
rename from src/file_analysis/analyzer/ocsp/OCSP.h
rename to src/file_analysis/analyzer/x509/OCSP.h
diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc
index d9d1b71ab4..5a0b67136a 100644
--- a/src/file_analysis/analyzer/x509/Plugin.cc
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@@ -4,6 +4,7 @@
 #include "plugin/Plugin.h"
 
 #include "X509.h"
+#include "OCSP.h"
 
 namespace plugin {
 namespace Bro_X509 {
@@ -13,10 +14,11 @@ public:
 plugin::Configuration Configure()
 {
 AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate));
+AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate));
 
 plugin::Configuration config;
 config.name = "Bro::X509";
-config.description = "X509 analyzer";
+config.description = "X509 and OCSP analyzer";
 return config;
 }
 } plugin;
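Review bot: Registering the `OCSP` component from `Bro::X509` in the second Plugin.cc hunk changes which plugin owns the OCSP file analyzer, and neither the commit message nor the description string records that the `Bro::OCSP` plugin (deleted in this same change) no longer exists. The component tag stays `"OCSP"`, so script-side references such as `Files::ANALYZER_OCSP` presumably keep working, but anything keyed on the plugin name — plugin listings, test baselines that enumerate plugins, or a build that previously disabled the OCSP analyzer independently of X509 — will now see a single `Bro::X509` plugin that also carries the OCSP parser, and the OCSP parsing of network-supplied data can no longer be switched off without also losing X509. I would state the removal of `Bro::OCSP` explicitly in the commit message and add a short comment above the new `AddComponent` line, e.g. `// OCSP lives in this plugin since the Bro::OCSP plugin was folded into Bro::X509.` Configure()'s enclosing class begins outside the hunk.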
diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif
similarity index 100%
rename from src/file_analysis/analyzer/ocsp/events.bif
rename to src/file_analysis/analyzer/x509/ocsp_events.bif
diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif
similarity index 95%
rename from src/file_analysis/analyzer/ocsp/functions.bif
rename to src/file_analysis/analyzer/x509/ocsp_functions.bif
index 164b4a63ec..a5f31f9411 100644
--- a/src/file_analysis/analyzer/ocsp/functions.bif
+++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif
@@ -1,6 +1,6 @@
 %%{
-#include "file_analysis/analyzer/ocsp/OCSP.h"
-#include "types.bif.h"
+#include "file_analysis/analyzer/x509/OCSP.h"
+#include "ocsp_types.bif.h"
 %%}
 
 ## Parses a OCSP response into an OCSP::Response structure.
diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif
similarity index 100%
rename from src/file_analysis/analyzer/ocsp/types.bif
rename to src/file_analysis/analyzer/x509/ocsp_types.bif