diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro
new file mode 100644
index 0000000000..130bff92c3
--- /dev/null
+++ b/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -0,0 +1,63 @@
+##! Perform OCSP response validation
+
+@load base/frameworks/notice
+@load base/protocols/ssl
+
+module SSL;
+
+export {
+redef enum Notice::Type += {
+## This indicates that the OCSP response was not deemed
+## to be valid.
+Invalid_Ocsp_Response
+};
+
+redef record Info += {
+## Result of ocsp validation for this connection
+ocsp_status: string &log &optional;
+
+## ocsp response as string.
+ocsp_response: string &optional;
+};
+
+## MD5 hash values for recently validated chains along with the
+## ocsp validation status are kept in this table to avoid constant
+## validation every time the same certificate chain is seen.
+global recently_ocsp_validated: table[string] of string = table()
+&read_expire=5mins &synchronized &redef;
+}
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3
+{
+c$ssl$ocsp_response = response;
+}
+
+event ssl_established(c: connection) &priority=3
+{
+if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
+return;
+
+local chain: vector of opaque of x509 = vector();
+for ( i in c$ssl$cert_chain )
+chain[i] = c$ssl$cert_chain[i]$x509$handle;
+
+local reply_id = cat(md5_hash(c$ssl$ocsp_response), join_string_vec(c$ssl$cert_chain_fuids, "."));
+
+if ( reply_id in recently_ocsp_validated )
+{
+c$ssl$ocsp_status = recently_ocsp_validated[reply_id];
+return;
+}
+
+local result = x509_ocsp_verify(chain, c$ssl$ocsp_response, root_certs);
+c$ssl$ocsp_status = result$result_string;
+recently_ocsp_validated[reply_id] = result$result_string;
+
+if( result$result_string != "good" )
+{
+local message = fmt("OCSP response validation failed with (%s)", result$result_string);
+NOTICE([$note=Invalid_Ocsp_Response, $msg=message,
+$sub=c$ssl$subject, $conn=c,
+$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)]);
+}
+}
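Review bot: The early return in ssl_established only checks the certificate chain, but `ocsp_response` is declared `&optional` and is set solely by the ssl_stapled_ocsp handler, so on any TLS session without a stapled response the `md5_hash(c$ssl$ocsp_response)` and the later `x509_ocsp_verify(...)` call read an unset record field. The guard should also require the response to be present: `if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl?$ocsp_response )`. A second, smaller point: the cache is keyed on the response hash and chain fuids and refreshed on every read, so a verdict that was "good" at validation time can, it appears, keep being reported for as long as the same response is re-seen at least every five minutes, even after the response's own validity window has passed; a brief comment on the table stating that the cached verdict is not re-checked against the response's validity period would make that trade-off explicit to operators. The `cert_chain_fuids` field is presumably always populated once `cert_chain` is non-empty, but that is not visible in this hunk.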
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
new file mode 100644
index 0000000000..4aa18abb22
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2014-05-16-18-20-51
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
+#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string
+1398367809.790512 CXWv6p3arKYeMETxOg 192.168.4.149 56253 131.253.61.82 443 TLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp384r1 - - - T Fr1vuhmDOykX05Vj1,FlFGqI1PyTt7Vuo8E9,FSASzpV1NMIvbQ1W9 (empty) CN=login.live.com,OU=MSA,O=Microsoft Corporation,street=1 Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=Private Organization,1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3= #13025553CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US - - good
+#close 2014-05-16-18-20-51
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
new file mode 100644
index 0000000000..b0392f9c27
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load protocols/ssl/validate-ocsp