OCSP: Open-code unknown revoke reason strings

OpenSSL 3.2.0 knows about more reasons. Add some backwards compatibility.

Reference: 1c8a7f5091
(cherry picked from commit 02d00a1984)

src/file_analysis/analyzer/x509/OCSP.cc

@@ -181,11 +181,20 @@ struct ASN1Seq
 		decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length);
 		}
 
-	~ASN1Seq() { sk_ASN1_TYPE_pop_free(decoded, ASN1_TYPE_free); }
+	~ASN1Seq()
+		{
+		sk_ASN1_TYPE_pop_free(decoded, ASN1_TYPE_free);
+		}
 
-	explicit operator bool() const { return decoded; }
+	explicit operator bool() const
+		{
+		return decoded;
+		}
 
-	operator ASN1_SEQUENCE_ANY*() const { return decoded; }
+	operator ASN1_SEQUENCE_ANY*() const
+		{
+		return decoded;
+		}
 
 	ASN1_SEQUENCE_ANY* decoded;
 	};
@@ -559,6 +568,19 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp)
 			if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
 				{
 				const char* revoke_reason = OCSP_crl_reason_str(reason);
+
+#if OPENSSL_VERSION_NUMBER < 0x30200000L
+				// OpenSSL 3.2.0 and later return the right strings for
+				// OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN (9) and
+				// OCSP_REVOKED_STATUS_AACOMPROMISE (10).
+				//
+				// For versions older than that, fix it up by hand.
+				if ( (reason == 9 || reason == 10) &&
+				     zeek::util::streq(revoke_reason, "(UNKNOWN)") )
+					{
+					revoke_reason = reason == 9 ? "privilegeWithdrawn" : "aACompromise";
+					}
+#endif
 				rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
 				}
 			else

testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout

@@ -12,7 +12,7 @@ ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XX
 request, 0, 
 request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4
 ocsp_response_status, successful
-ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, (UNKNOWN), XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, privilegeWithdrawn, XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XXXXXXXXXX.XXXXXX, sha1WithRSAEncryption
 request, 0, 
 request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A

testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log

@@ -9,6 +9,6 @@
 #types	time	string	string	string	string	string	string	time	string	time	time
 XXXXXXXXXX.XXXXXX	Fv1Mrl4zObGy9drLdg	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	010BF45E184C4169AB61B41168DF802E	revoked	XXXXXXXXXX.XXXXXX	superseded	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	F7TCyr1Y6YSyUVOW5	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	013D34BFD6348EBA231D6925768ACD87	revoked	XXXXXXXXXX.XXXXXX	unspecified	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX	FmK7Wj1W7PV2RclIig	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	0150C0C06D53F9D39205D84EFB5F2BA4	revoked	XXXXXXXXXX.XXXXXX	(UNKNOWN)	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX	FmK7Wj1W7PV2RclIig	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	0150C0C06D53F9D39205D84EFB5F2BA4	revoked	XXXXXXXXXX.XXXXXX	privilegeWithdrawn	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX	FfpvoO3DJXnAcoNnp4	sha1	74241467069FF5E0983F5E3E1A6BA0652A541575	0159ABE7DD3A0B59A66463D6CF200757D591E76A	017447CB30072EE15B9C1B057B731C5A	revoked	XXXXXXXXXX.XXXXXX	keyCompromise	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX
 #close XXXX-XX-XX-XX-XX-XX