diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 2d9017a338..46624e23c0 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -294,7 +294,7 @@ void File::SetReassemblyBuffer(uint64 max)
 bool File::SetMime(const string& mime_type)
 {
- if ( mime_type.empty() || bof_buffer.size != 0 )
+ if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference )
 return false;
 did_metadata_inference = true;
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index c52d9efbc4..1d4fb03789 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -176,8 +176,10 @@ public:
 * Sets the MIME type for a file to a specific value.
 *
 * Setting the MIME type has to be done before the MIME type is
- * inferred from the content. After a MIME type has been set once,
- * it cannot be changed anymore.
+ * inferred from the content, and before any data is passed to the
+ * analyzer (the beginning of file buffer has to be empty). After
+ * data has been sent or a MIME type has been set once, it cannot be
+ * changed.
 *
 * This function should only be called when it does not make sense
 * to perform automated MIME type detections. This is e.g. the case
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 3140a1e9db..1659230bff 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -118,6 +118,12 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
 if ( ! file )
 return "";
+ // This only has any effect when
+ // * called for the first time for a file
+ // * being called before file->DataIn is called for the first time (before data is
+ // added to the bof buffer).
+ // Afterwards SetMime just ignores what is passed to it. Thus this only has effect during
+ // the first Manager::DataIn call for each file.
 if ( ! mime_type.empty() )
 file->SetMime(mime_type);
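Review bot: The new `did_metadata_inference` term in SetMime's condition makes the function refuse for three unrelated reasons — an empty type, data already in the bof buffer, and a type that is already fixed — but the code does not say why the third one matters, and the function body continues past the hunk. Add a comment above the condition so the intent survives: `// Refuse once the type has been fixed (by an earlier SetMime, or presumably by content inference, which the File.h comment in this commit says sets the same flag): a later protocol-supplied type must not relabel the file.` The caller in Manager::DataIn discards the bool, so this comment is currently the only place a reader learns that the rejection is deliberate.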
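Review bot: The added comment documents that `file->SetMime(mime_type)` is ignored after the first call, yet the call still drops SetMime's return value, so a caller that hands in a non-empty mime_type on a later DataIn gets no signal that its type was rejected. Consider checking the result and logging the ignored value at debug level, e.g. `if ( ! file->SetMime(mime_type) ) DBG_LOG(DBG_FILE_ANALYSIS, "[%s] ignoring mime type %s", file->GetID().c_str(), mime_type.c_str());` — assuming the debug-log macros and the ID accessor used elsewhere in the file-analysis code are in scope here; verify against the rest of Manager.cc. The comment's first bullet is also narrower than what SetMime checks: per the File.h hunk, a type inferred from content blocks SetMime as well, not only an earlier SetMime. DataIn continues beyond the hunk.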
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index d4ab6c8dfc..ce39b8144c 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -98,7 +98,8 @@ public:
 * certificates are passed as files; here the type of the file is set by
 * the protocol. If this parameter is give, mime type detection will be
 * disabled.
- * This parameter is only used for the first bit of data for each file.
+ * This parameter only has any effect for the first DataIn call of each
+ * file. It is ignored for all subsequent calls.
 * @return a unique file ID string which, in certain contexts, may be
 * cached and passed back in to a subsequent function call in order
 * to avoid costly file handle lookups (which have to go through
diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc
index 6ce51f9dd3..3770b5692c 100644
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@@ -344,6 +344,9 @@ clean_up:
 void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
 {
+// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts.
+// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+// look it up by performing a string comparison on the oid.
 #ifdef NID_ct_cert_scts
 if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts )
 #else
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index b26bd4a1da..2999007146 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
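Review bot: The three-line OpenSSL-version comment added here is repeated almost verbatim in the X509.cc ParseExtensionsSpecific hunk and the functions.bif sct_verify hunk, so the version dependency is now documented in three places that will drift, and each copy carries the doubled "not yet defined yet". A single tighter wording would do at each site, e.g. `// OpenSSL >= 1.0.2 defines NID_ct_cert_scts; older releases do not, so fall back to matching the extension's OID string.` (with NID_ct_precert_scts in the other two). The `#else` branch this comment describes is outside the hunk here; only the X509.cc hunk shows its strcmp against a bare OID literal, which a named constant shared by the three sites would make self-explanatory. ParseExtensionsSpecific continues past the hunk.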
@@ -240,7 +240,10 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa
 else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
 ParseSAN(ex);
-#ifdef NID_ct_cert_scts
+// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
+// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+// look it up by performing a string comparison on the oid.
+#ifdef NID_ct_precert_scts
 else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts )
 #else
 else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 )
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index e3fcb0ce11..a4901b31e5 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -624,6 +624,9 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa
 {
 x = X509_dup(x);
 assert(x);
+// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts.
+// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
+// look it up by performing a string comparison on the oid.
 #ifdef NID_ct_precert_scts
 int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1);
 if ( pos < 0 )
@@ -778,12 +781,6 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha
 int res = 0;
- ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509);
- if ( key == 0 )
- {
- printf("No key in X509_get0_pubkey_bitstr\n");
- }
-
 if ( type == 0 )
 res = X509_NAME_digest(subject_name, dgst, md, &len);
 else if ( type == 1 )
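Review bot: In the sct_verify hunk, the only guard on the result of `x = X509_dup(x);` is `assert(x);`, which compiles to nothing under NDEBUG, so on an allocation failure the `X509_get_ext_by_NID(x, NID_ct_precert_scts, -1)` on the next new-side line dereferences a null pointer in a release build; the comment the commit adds sits right between the two without addressing it. Replace the assert with a real check that releases what the function already holds and returns its failure value — the body of sct_verify and its cleanup path are outside the hunk, so which value and what must be freed has to be taken from the surrounding code. Something like `if ( ! x ) { /* release held resources */ return /* sct_verify's failure value */; }` is the shape; the assert can stay in addition if the project relies on it for debug builds.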