From ce0410f28361aa57823b34ee2fc89bcbc28d2824 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 27 Nov 2023 20:44:42 +0100
Subject: [PATCH] OCSP: Open-code unknown revoke reason strings

OpenSSL 3.2.0 knows about more reasons. Add some backwards compatibility.

Reference: https://github.com/openssl/openssl/commit/1c8a7f5091e2c5aebc043be86bcbedc6947e1c6f

(cherry picked from commit 02d00a19849d15f472b32a98a8fee27b20f2cb14)
---
 src/file_analysis/analyzer/x509/OCSP.cc | 28 +++++++++++++++++--
 .../.stdout | 2 +-
 .../ocsp.log | 2 +-
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index e3114183d2..9c2b06d4db 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -181,11 +181,20 @@ struct ASN1Seq
 decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length);
 }
- ~ASN1Seq() { sk_ASN1_TYPE_pop_free(decoded, ASN1_TYPE_free); }
+ ~ASN1Seq()
+ {
+ sk_ASN1_TYPE_pop_free(decoded, ASN1_TYPE_free);
+ }
- explicit operator bool() const { return decoded; }
+ explicit operator bool() const
+ {
+ return decoded;
+ }
- operator ASN1_SEQUENCE_ANY*() const { return decoded; }
+ operator ASN1_SEQUENCE_ANY*() const
+ {
+ return decoded;
+ }
 ASN1_SEQUENCE_ANY* decoded;
 };
@@ -559,6 +568,19 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp)
 if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
 {
 const char* revoke_reason = OCSP_crl_reason_str(reason);
+
+#if OPENSSL_VERSION_NUMBER < 0x30200000L
+ // OpenSSL 3.2.0 and later return the right strings for
+ // OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN (9) and
+ // OCSP_REVOKED_STATUS_AACOMPROMISE (10).
+ //
+ // For versions older than that, fix it up by hand.
+ if ( (reason == 9 || reason == 10) &&
+ zeek::util::streq(revoke_reason, "(UNKNOWN)") )
+ {
+ revoke_reason = reason == 9 ? "privilegeWithdrawn" : "aACompromise";
+ }
+#endif
 rvl.emplace_back(make_intrusive(strlen(revoke_reason), revoke_reason));
 }
 else
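Review bot: The fix-up inside the new `#if OPENSSL_VERSION_NUMBER < 0x30200000L` block is gated on the OpenSSL headers Zeek was compiled against, while the string being corrected comes from whichever libcrypto is loaded at runtime; the `zeek::util::streq(revoke_reason, "(UNKNOWN)")` test is what actually makes the substitution safe in both directions, so the preprocessor guard adds only a build-flavour difference and could be dropped, leaving the runtime check to decide. The literals `9` and `10` also duplicate constants the comment itself names; if `OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN` and `OCSP_REVOKED_STATUS_AACOMPROMISE` are defined in the oldest OpenSSL Zeek supports, the condition reads better as `if ( (reason == OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN || reason == OCSP_REVOKED_STATUS_AACOMPROMISE) && zeek::util::streq(revoke_reason, "(UNKNOWN)") )` with the assignment `revoke_reason = reason == OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN ? "privilegeWithdrawn" : "aACompromise";`, so the numbers and the names can never drift apart. A one-line comment above the block such as `// The runtime string check, not the header version, decides whether the fix-up applies.` would make the intent clear to the next reader. The enclosing OCSP::ParseResponse starts and ends outside the hunk.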
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
index 3a3072a5a5..273b216e49 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout
@@ -12,7 +12,7 @@ ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XX
 request, 0, request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4
 ocsp_response_status, successful
-ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, (UNKNOWN), XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
+ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, XXXXXXXXXX.XXXXXX, privilegeWithdrawn, XXXXXXXXXX.XXXXXX, XXXXXXXXXX.XXXXXX
 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, XXXXXXXXXX.XXXXXX, sha1WithRSAEncryption
 request, 0, request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
index 7a5f1b27ba..e0976d0485 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
@@ -9,6 +9,6 @@
 #types time string string string string string string time string time time
 XXXXXXXXXX.XXXXXX Fv1Mrl4zObGy9drLdg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E revoked XXXXXXXXXX.XXXXXX superseded XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX F7TCyr1Y6YSyUVOW5 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 revoked XXXXXXXXXX.XXXXXX unspecified XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX FmK7Wj1W7PV2RclIig sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 revoked XXXXXXXXXX.XXXXXX (UNKNOWN) XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
+XXXXXXXXXX.XXXXXX FmK7Wj1W7PV2RclIig sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 revoked XXXXXXXXXX.XXXXXX privilegeWithdrawn XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX FfpvoO3DJXnAcoNnp4 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A revoked XXXXXXXXXX.XXXXXX keyCompromise XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX
 #close XXXX-XX-XX-XX-XX-XX