OCSP: Open-code unknown revoke reason strings

OpenSSL 3.2.0 knows about more reasons. Add some backwards compatibility. Reference: 1c8a7f5091 (cherry picked from commit 02d00a1984)
2025-10-14 20:48:21 +00:00 · 2023-11-27 20:44:42 +01:00 · 2023-11-27 20:44:42 +01:00 · ce0410f283
commit ce0410f283
parent ed40e2e0f9
3 changed files with 27 additions and 5 deletions
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@ -181,11 +181,20 @@ struct ASN1Seq
 		decoded = d2i_ASN1_SEQUENCE_ANY(nullptr, der_in, length);
 		}

-	~ASN1Seq() { sk_ASN1_TYPE_pop_free(decoded, ASN1_TYPE_free); }
+	~ASN1Seq()
+		{
+		sk_ASN1_TYPE_pop_free(decoded, ASN1_TYPE_free);
+		}

-	explicit operator bool() const { return decoded; }
+	explicit operator bool() const
+		{
+		return decoded;
+		}

-	operator ASN1_SEQUENCE_ANY*() const { return decoded; }
+	operator ASN1_SEQUENCE_ANY*() const
+		{
+		return decoded;
+		}

 	ASN1_SEQUENCE_ANY* decoded;
 	};
@ -559,6 +568,19 @@ void OCSP::ParseResponse(OCSP_RESPONSE* resp)
 			if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
 				{
 				const char* revoke_reason = OCSP_crl_reason_str(reason);
+
+#if OPENSSL_VERSION_NUMBER < 0x30200000L
+				// OpenSSL 3.2.0 and later return the right strings for
+				// OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN (9) and
+				// OCSP_REVOKED_STATUS_AACOMPROMISE (10).
+				//
+				// For versions older than that, fix it up by hand.
+				if ( (reason == 9 || reason == 10) &&
+				     zeek::util::streq(revoke_reason, "(UNKNOWN)") )
+					{
+					revoke_reason = reason == 9 ? "privilegeWithdrawn" : "aACompromise";
+					}
+#endif
 				rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
 				}
 			else