From 2d8368fee90bf53398ba572227c74a697033f2e4 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 3 Sep 2014 22:07:21 -0700
Subject: [PATCH 1/2] fix null pointer dereference in ocsp verification code in case no certificate is sent as part as the ocsp reply. Addresses BIT-1212 There is an additional issue here that prevents the correct verification of proofs in quite a few cases; this will be addressed in a separate commit.
---
 src/file_analysis/analyzer/x509/functions.bif | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 9a8a8e78b7..d7903b4921 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -250,6 +250,17 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 // inject the certificates in the certificate list of the OCSP reply, they actually are used during
 // the lookup.
 // Yay.
+
+ if ( basic->certs == 0 )
+ {
+ basic->certs = sk_X509_new_null();
+ if ( !basic->certs )
+ {
+ rval = x509_result_record(-1, "Could not allocate basic x509 stack");
+ goto x509_ocsp_cleanup;
+ }
+ }
+
 issuer_certificate = 0;
 for ( int i = 0; i < sk_X509_num(untrusted_certs); i++)
 {
From 8f1cbb8b0a9a8099e14aa806ae5120f6e8790d8f Mon Sep 17 00:00:00 2001
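Review bot: The two null tests in the new block use different forms, `basic->certs == 0` on its first line and `!basic->certs` three lines below; either works, but one form throughout the block (the `!` form also matches the `if ( ! resp )` check used earlier in this same function) reads better. A comment saying why the stack can legitimately be missing and who owns the one created here would help the next reader, e.g. `// certs is OPTIONAL in BasicOCSPResponse; a stack created here belongs to basic and is released with it by OCSP_BASICRESP_free()`. The `x509_ocsp_cleanup` label this branch jumps to, and the freeing of `basic`, lie outside the hunk.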
From: Johanna Amann
Date: Thu, 4 Sep 2014 11:15:16 -0700
Subject: [PATCH 2/2] Fix ocsp reply validation - there were a few things that definitely were wrong. Now the right signer certificate for the reply is looked up (and no longer assumed that it is the first one) and a few compares are fixed. Plus - there are more test cases that partially send certificates in the ocsp message and partially do not - and it seems to work fine in all cases. Addresses BIT-1212
---
 src/file_analysis/analyzer/x509/functions.bif | 57 ++++++++++++++++--
 .../ssl-digicert.log | 10 +++
 .../ssl-twimg.log | 10 +++
 .../Traces/tls/ocsp-stapling-digicert.trace | Bin 0 -> 6395 bytes
 .../Traces/tls/ocsp-stapling-twimg.trace | Bin 0 -> 6513 bytes
 .../policy/protocols/ssl/validate-ocsp.bro | 6 ++
 6 files changed, 79 insertions(+), 4 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log
 create mode 100644 testing/btest/Traces/tls/ocsp-stapling-digicert.trace
 create mode 100644 testing/btest/Traces/tls/ocsp-stapling-twimg.trace
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index d7903b4921..a3d8258b33 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -104,6 +104,39 @@ STACK_OF(X509)* x509_get_untrusted_stack(VectorVal* certs_vec)
 return untrusted_certs;
 }
+// we need this function to be able to identify the signer certificate of an OCSP request out
+// of a list of possible certificates.
+X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid)
+ {
+ // we support two lookup types - either by response id or by key.
+ if ( rid->type == V_OCSP_RESPID_NAME )
+ return X509_find_by_subject(certs, rid->value.byName);
+
+ // there only should be name and type - but let's be sure...
+ if ( rid->type != V_OCSP_RESPID_KEY )
+ return 0;
+
+ // Just like OpenSSL, we just support SHA-1 lookups and bail out otherwhise.
+ if ( rid->value.byKey->length != SHA_DIGEST_LENGTH )
+ return 0;
+
+ unsigned char* key_hash = rid->value.byKey->data;
+ for ( int i = 0; i < sk_X509_num(certs); ++i )
+ {
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ X509* cert = sk_X509_value(certs, i);
+ if ( !X509_pubkey_digest(cert, EVP_sha1(), digest, NULL) )
+ // digest failed for this certificate, try with next
+ continue;
+
+ if ( memcmp(digest, key_hash, SHA_DIGEST_LENGTH) == 0 )
+ // keys match, return certificate
+ return cert;
+ }
+
+ return 0;
+ }
+
 %%}
 ## Parses a certificate into an X509::Certificate structure.
@@ -221,6 +254,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 int out = -1;
 int result = -1;
 X509* issuer_certificate = 0;
+ X509* signer = 0;
 OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len());
 if ( ! resp )
 {
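Review bot: The header comment on `x509_get_ocsp_signer` says it identifies the signer of an OCSP *request*, but the function is handed a ResponderID and returns the certificate matching it, i.e. the responder of a response; suggest `// Pick, out of a list of candidate certificates, the one matching an OCSP response's ResponderID, either by subject name or by SHA-1 hash of the public key.` Note also that `X509_find_by_subject` returns the first subject match, so if the stack carries two certificates with the same subject but different keys (cross-signed or re-keyed issuers) the wrong one can be chosen and whatever signature check the caller performs is what has to catch it; a short comment stating that the result is a candidate, not a verified signer, would set expectations for callers. Minor: `otherwhise` in the SHA-1 comment should read `otherwise`.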
@@ -266,14 +300,30 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 {
 sk_X509_push(basic->certs, X509_dup(sk_X509_value(untrusted_certs, i)));
- if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) )
+ if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) == 0 )
 issuer_certificate = sk_X509_value(untrusted_certs, i);
 }
 // Because we actually want to be able to give nice error messages that show why we were
 // not able to verify the OCSP response - do our own verification logic first.
+ signer = x509_get_ocsp_signer(basic->certs, basic->tbsResponseData->responderId);
+ /*
+ Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it.
+ Needs a different lookup because the root store is no stack of X509 certs
+
+ if ( !signer )
+ // if we did not find it in the certificates that were sent, search in the root store
+ signer = x509_get_ocsp_signer(basic->certs, basic->tbsResponseData->responderId);
+ */
+
+ if ( !signer )
+ {
+ rval = x509_result_record(-1, "Could not find OCSP responder certificate");
+ goto x509_ocsp_cleanup;
+ }
+
 csc = X509_STORE_CTX_new();
- X509_STORE_CTX_init(csc, ctx, sk_X509_value(basic->certs, 0), basic->certs);
+ X509_STORE_CTX_init(csc, ctx, signer, basic->certs);
 X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time);
 X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_OCSP_HELPER);
@@ -292,7 +342,6 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 goto x509_ocsp_cleanup;
 }
-
 // ok, now we verified the OCSP response. This means that we have a valid chain tying it
 // to a root that we trust and that the signature also hopefully is valid. This does not yet
 // mean that the ocsp response actually matches the certificate the server send us or that
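Review bot: The new `X509_STORE_CTX_init(csc, ctx, signer, basic->certs)` discards its return value, and `csc` from the `X509_STORE_CTX_new()` on the line above is never checked either, so an allocation failure carries straight into `X509_STORE_CTX_set_time` with a null or uninitialised context; route it through the same error path as the rest of the function, `if ( ! csc || ! X509_STORE_CTX_init(csc, ctx, signer, basic->certs) )` followed by setting `rval` via `x509_result_record(-1, ...)` and `goto x509_ocsp_cleanup`. Building a chain from `signer` to the root store under `X509_PURPOSE_OCSP_HELPER` establishes that the responder certificate chains to something trusted, not that it is authorised to answer for this certificate's issuer (the issuer itself, or a responder certificate issued by it, RFC 6960 section 4.2.2.2); if that check is done by the OpenSSL OCSP verification that presumably follows between this hunk and the next, a one-line comment here saying so would keep the two halves from drifting apart. The commented-out `Do this perhaps` block repeats the live lookup verbatim and is better reduced to a single `// TODO: also search the root store (ctx) for the responder when it was not sent with the reply`. The loop above the changed comparison still pushes the result of `X509_dup` unchecked, so a failed duplicate puts a null entry into `basic->certs`. x509_ocsp_verify begins and ends outside the hunk.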
@@ -333,7 +382,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c
 goto x509_ocsp_cleanup;
 }
- if ( ! OCSP_id_cmp(certid, single->certId) )
+ if ( OCSP_id_cmp(certid, single->certId) != 0 )
 return x509_result_record(-1, "OCSP reply is not for host certificate");
 // next - check freshness of proof...
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log
new file mode 100644
index 0000000000..bb0a25ac0c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2014-09-04-19-17-18
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
+#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string
+1404148886.994021 CXWv6p3arKYeMETxOg 192.168.4.149 51293 72.21.91.29 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - - - T FhwjYM0FkbvVCvMf2,Fajs2d2lipsadwoK1h (empty) CN=www.digicert.com,O=DigiCert\, Inc.,L=Lehi,ST=Utah,C=US,postalCode=84043,street=2600 West Executive Parkway,street=Suite 500,serialNumber=5299537-0142,1.3.6.1.4.1.311.60.2.1.2=#130455746168,1.3.6.1.4.1.311.60.2.1.3=#13025553,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
+#close 2014-09-04-19-17-18
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log
new file mode 100644
index 0000000000..4806744a5c
--- /dev/null
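Review bot: The corrected `OCSP_id_cmp(certid, single->certId) != 0` test still returns straight out of the function on mismatch, while the failure two lines above it goes through `goto x509_ocsp_cleanup`; the direct `return x509_result_record(...)` skips whatever the cleanup label releases (at least the `OCSP_RESPONSE`, the basic response and the store context set up earlier in this function, all outside the hunk), so the reply-is-for-another-certificate path leaks. Make it `rval = x509_result_record(-1, "OCSP reply is not for host certificate");` followed by `goto x509_ocsp_cleanup;`, matching the other error paths. x509_ocsp_verify begins and ends outside the hunk.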
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2014-09-04-19-17-14
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer ocsp_status
+#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string string
+1409786981.016881 CXWv6p3arKYeMETxOg 192.168.4.149 53106 93.184.216.146 443 TLSv10 TLS_ECDHE_RSA_WITH_RC4_128_SHA secp256r1 - - - T FtaZVlJfywdNmVFr1,FoILekwkdtTuZtlVa (empty) CN=si0.twimg.com,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US - - good
+#close 2014-09-04-19-17-14
diff --git a/testing/btest/Traces/tls/ocsp-stapling-digicert.trace b/testing/btest/Traces/tls/ocsp-stapling-digicert.trace new file mode 100644 index 0000000000000000000000000000000000000000..982249c0f5ac877bb97e32850978e3136b0f5692 GIT binary patch literal 6395 zcmc&&c|4Tc|3A-cwy}({j3R?B3VCL-riI8FiAY*yj|gK|G8mGgQc>Ac)K!$F8`bnJ zMK|1#O3BTwZlNquTI72knr@cd-}kTIyk6(^nsc7>yg%pj{(R2+bDq<3<3cVD5CHEt zItl;+J4a5G+Di|M02}xpYd|^i?|m_abPw}8tNFnS01Rb^41pmD0B#}Su({-Vx!R3L z)nny=F{l#U=%`m705}4%48h|G2*NKYnq$|50TFQH=(Y1i!E)Hg+BojGjWKjBXaMMt zo~*%;F$+jl?Z)oH5Cv#~xLaJG-y!lFIzqrf3nXm4V)I3T4n)J+l=Z5fcbj&-M2M|^t)l0qHby2cO0Y!yL0`ocMoDaeXB18meFhd9xAmJSdBr49qo*{`+v5p{>Y~tgY78)A5zzsffg^w1v`fq1wp-k)%o~ri!4SRDVCVfR1%iYh- z-Hq<(;_L0^!t(a_quaX&hPVgPjg8Pb(!%gfEmR*J`#Hm|4ywgqGMHH38D%3v3^{Z* zhAc{!unqJMabdaBR|R^y_<2W+fib8kg(Rd#LI?<3cQM>w-`D@cAdX6KV7Ykl+#*uR z+Dv_Y?S;A;C_{_M5J$x@3j$OD`(ST~uZ^ONxv1j!*leZ_iqhA*2eF_p?ykWs?+|yo ztxKR!s7p9Q1SMm$C{&^zbYtN}5`|GA>>>X*o4Dv3Q6q>AteQ^z=7 zz#|zym1IbV;*Wtthyc$C2eg7Uy+ur@W?LvsOhn(-Ba*hmxF$i&m$4T0vV^Aee_4jrNIlnM=qHW4_irY z;e7RfR5s9S;V1ug&z!VIN|%8hL-vbf^Y3Lo$8p(q3I`fYExnb`M^;p8>X@(bS|u`& z`r_98x5vtxZ@stO=CfhMW7)mNT~ax0Jqi%5Tkqz?TG>B>-&C|$qBNz~gOyoExM%Cg zFCv(ybJcQlOGh#debs+jJ*VS^7wOJFk0bAVN&C{JR%@}i1@x!Di68Z4R_kTDv7@ICn@I!r3tsG_!%30vWV(nO@sp%T%JJFhEke3Tn!#zYJ zXlyfTcrq5iIaA-7xSpT9wHz}`Cm6tetV!o}W{yu0UnWIKxTx__Mq3 ztKC*Sp?Zr5Jd?Hi{Q7$>)mwlhU~M|{iN z?3}$19cnr={&)g@@tGfMsk-U$IU(|MoR>-BQFM-W+mc_;|H?@0?|Sw5vF;I%l^Qw? 
z@GI|_8`dv{(wx$pY1M<->Dr>+vw+7yun4rKUUabr3E^+ab?X)xRL z%Q1mDfN&XQ6Dm+PKI>bRB8L~5lq6FQ(+|3A?(~t1oy0xrJ5gZ&_bR1^&V#86tCS)y z9q8uXo?djLprGJD7e7~b`U*$7oxeYeSDY3yP$sV$NeeUee(3&x)y#h@0uSs@5>^jq zoRTuP@>Dr<$l?$EH{_BMkkId`%85_j@7h*fYN*%QJk(P_q+MFFv?fEE*+WbI)K5O; zrV#%-pO{vOU80)2*YT#(6!DUaO@AlK%lGPquCd>|JAB!KS!W98Sg8r0t#tiOyK<*Q z^*XDL)s{`Uo#f6`cEYxET@Tz^(;Z%ooS$XuyQZ2lFk(57SrsiZc>n5tsXgKj54iza zZ{I)B=((Bj3uoU$h36&KF+(&wM%_bMm_&nnh9&e2Xj5n3Kp{4h=9`8#sv+v_%4cS&;tvecjUe-u-dS@^98 zAQrGJu0X{xX&T$h{3r=-X?V1pD5?nO-$Yf5Coxc%R8i&sqcB;GOR)*M95u{YnzNX* zh^J10zLP|imy1{`e$T`ej#wU!DUvU`WL#k3*$5u92vBRm|D>(|6uN2a;E#o}bm7C)}n)lKcjq-_Y#906`jDveqlhdaq%euZV`qC>?c+&(aeqcJ*3( z*)GN@JYSvM@pOAPW8iX5lyAR!%d;z?ak}^hW_j(gm|2zwZ46A0#ea>>`~oE^PRD(*P5I40mxX5k8h!58oIR=3}d-1^F&%<8_> zHhe8XINbI?>T#OE0ZjQNq4G!L$J^vHKR%%TCZ_yC_7jyqCTUFhX<%qn1AuiZ{o1P3 zv&y^fe~5sGcBDfJAdlg>= z6J^4)EUL2*MfJ3`u(NXz8h~2BLp@PV1dp2qzq2GP2CpR1u7!}&Yn~cvco_t2d;XF$ zJ=)X{hTUL_g&fMaAzf4#R(^Pfcb+a&?q!P|N%9Vwy#gnZXc*tye#l0m*7L#k5cRhO zH_J}(d8I_~bzCZw+5UMyb=lIoFHf&m>G5~Ze?u8zKb*&HIN&^6pDZ7;*sDQ5y6JWv zEq+d)=ab{ZkB_PD8Wgp=dnB%p+@t^Q-RU-wuxo{1JI_iTiP=(4VK2VuIWElSLJr+9u{LOGC<7mK-!3)lA@X=D8wjxmA?e# zlR3!eDx;`puotB6i7Pj-CDnXL%M<$C(|V$pLr<+*J9GgJKey%hA=%1P$;#Ze&k;#F zP`*})1-dG)zZ1zS*;%?aD5^42$~s-^eww)TjprkMtA<=JIbW_3h;NAgGwodKnG?|g zLl54VT(k3|vx*Put+~RV@FsBH?@IAzzBhAseEz-DBE9<{%_Dl)J2 zy56Dl~Q*XM@2{pFLYCZJn7 z)@f7jx&qTri(WdX7TC|S)}oDQ)w{R&`kRXzr}R8_Tc$=}D&^Oso`=(zAIg zP#>O+U0D!BzI}pQ!R`3-dz87ero90f=q`*&vK3oqgWaQGn|jrZDEYBJLy2pKC^9@0 zam|_5@(bULC|x|1_qqU-K<}_N`A!GqWm0EA!R~b6ofbxrsTjOeFd{sElO=Ja;$Wm> z9nml%!|S!5U)>-nz4_?dnuOMsk20eh4~kiT3|gmp#s2Q1jk5fiWhn-q1q$!sM+0g% z=)E%eRRa5}Xxey&16BO7hUM?HHGf z0sxSJcNAEgERYDPz6KLW;VTmbGOqcta-gp*6v!)O#c0KF%O!_1tPkPbhO;Az7ZW~xi9y<=PhZPVSd=?@`X!&4 z+ilP#nYC!cwSc3J^wi`tccpe`E^WN`pD$}OAN6*+M~?Pp%+G7eN_%%dLgKnyD+{K=Gy?4Dd`Y}R!jsAFiEgBB~#28tQk;Xrg#+rAPoaME1a1eem&=JTZhUm zjo@hWP{7mT96oz}-$pCUNKiWwR6~5MO%5kGSAPo&r-;PFaK@LyaPGyzdEIB+NDOyS z`P@z`gOgm7gq_KKl zYzbLQNvF_!>tCjyb|xYNz8xXVz!K#!0jI<)rR6c&j+co;O 
z@^%+dA)4-h6Gil-Q+0CK-Vd+J8+FqiH(ta~cb)HVEi@Jqq_Dtk*$%s@CafL$zNZHfWa`r0uA>5~lDjTxYT zq3S~T+Sm`n>VQ~3&yfrBr;YC3?m~_(%#jbg9C~^e<%u5eDwA}!stOy$TIc3f& z(;7GhDYLhwj9;o_C{m)N8G@)HhXt|Rcv2AUvAEen(GuD)9>Vc0DmydQoH4BB|Bm%v DA!xCz literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/ocsp-stapling-twimg.trace b/testing/btest/Traces/tls/ocsp-stapling-twimg.trace new file mode 100644 index 0000000000000000000000000000000000000000..f53762f6e0cf1a6c48338a95b48bffafd8e46997 GIT binary patch literal 6513 zcmcgwdpwle*Wb_FTn6KQOPX>yQg~cL?juQ&k}gis7-NjwVvwRVN0c8*bt)=Jlsc7@ z&_!vwoSag+DJ3069i@;&mx&4FDhbj0P}V-=4j;lpgANb&fQc27t??$u7W!0)U{D^!t*N_cz~& z#i~oJVpb#JKM9{d3r_<;AdxFDB9Vk)(y~TQ#ZVdm5@85E-vt0SNTV@?JETK|ZUq$p z8_Em^gp4#`)i+{ulLuU&hBc|mcG8z_52Irw0@Of3_F}F8*g!NizOmQnjn8-OT?0{F zeHC4RuxQAx9*Cj=U4X`D6ilWm?IU>(p>DBp&brw4n|L2NCoomfc#q^wHfD2<=}iuLLrfW5eSNM+Wl4oJ8x~*Uz{?p zVqj_}E>Dp$PWMcICy!xdGQdO4skjV<=ue`k5d8hj)o>L=$g0S>b2(fFJC;YE5ydjs z!Zi?^s-l>fm}nXTr&w^xlocImZh-5dDWZzbmld8|P8i)aE-pTn8O37L8LlRlxUPo0 zxfO0F z9tfQq$BGv7WmV+oC31N@cI;$iw5ga+RFRM4;-*#&wY@88s==GCpJs#|FAnf+?Oo}RY)R_o+P-gXSzN1I zIp$X69^!TGN&|YM!>5lHv^03%DU0xUzk1fO zye)Za??y5P2(TVt`}iaaoKG^v$3dTu)gx)*>Zz)}9dR2TP82F`EO>^|8~#bk^Ze}{ zJ{Acmkkm=4g}WPWyJt)ZE-%Y>kkJY6z(Vg`!}){_NI;3iC!|6mnJ*a)z8ok1YiuB8 zF@lm$FlB{AnI>?f*f4T@S|pDp!JxvRqJX2Y@@XhHM>15aV;fhtt3h75hN|f zB!rzXf}sI-C1Q=^5R8yi*p25K&eQ>u+JnCkw7jS%3T8zsw~ozD6k?*5wR~%1e}S)$B_c? 
zg}8Acs{Dy5Kdt=1qRMYBQTbB{ec~>X6b*n;p<%jy7>^fYZ)V1djj)ucre-Xrr3uHv z))dY_jiY3(ek|*T45gE%;&%8Hipf})+(^6~0;aBm^u|HOqpP?X!`BaA zC6>f6QZyck>x*d|OV=E>IGPm~BVh$T?TZv4-A=qOCTb6H5`t#p_JF#>m*#+a1KcbR zmqQy+L4hIQU}SZMO$t_L40s*58Te*(@JHu9P9XPcffUEjlxaoJVpV~zs=_sbRqh@Q zjTwRQ%l_22i)K|WTT#D=>lC}_n5O4v-KK5(-qu@k6!NZ-SdYDPlc(kA&;1B)z716S z*tjtGQLy5wI5NXeV{t46NI?d}F*mh;q6 zUc)0KTk8M4wNJt)!l=O3K0zEi`l!}EZ9aW&bTkjPc+}u=TO79d;f}5$Z(#vR%i(_i z|MsHs-Kxvt+{^}0~4T6*bYx98-E ziWxSUM(omVb17b=&2}>*k5E#ragyQ6yt_FUBWD)|9y#NfdtuS4K${4G-whyb;iMR{ zP*H_jE7!HlZ4UTAcJI=!UpcNbOX;j~X|LK_ot5TXY|Mdwmk9DBR?8H$&vo}wwAXvO zvx-<&x~t;XJqz%a@Y)E!m{hLDWHu8>(<>T7^ zX1_eRYDwYbYo8n*M0Q^LIFpferQu`=Q>Wae%1F88)cc^pJLOlp9V>KaChN?~vnglJK#!kT?ZLC50-kCqzJijAGng{GW$4 z#dP>T|4m7Wi;FN}#l)G!vSXs-xV-4tBq)krzCymNMriYO`Pf`|PKW|YfDYn89ALxW zXb=j&c_0jMA%_kakQ)nWF646o3ozj`l4C*1C@6tucyKl1B6%j9VZrAZ$YDYW^gI$3 zQSNXJ2M#ed(&7tGE$G`%gb@Wo;4j34m4DCAD?dwA`Ekk0FMUv4`JV~_+zZk=7k)>; zy>g*d97y{@`_RtN?p+}#7S6LlBpgwYO9zP}AF$vz9j@cT8MM=(XC?@S6ygr8M>|Cp zBSfSN=|CQeg?>QaLtaA?$QC4nB9~2iHiDofvJ}Nd0S5bHT24Pfp{O<@O zUu=&#UE~tqpPP;~>@d`pCUmnxCS4ryV*B0qUdfY`s7dLzmUtFKJoK}rb??_UKHN%V zbmpIN%84KIdcbtTqQfczW^4P$7kSq+Wa8%;o%2}QTr+3#=H4;6$>!2Aty4~&|F!h& zJ}MAus|^s3EDZmvRzJ^kx`(;$=I)9hAFJ9;=giN)KbDq$a~F1~C38Nd-u{Kc(e1n? 
zjmz`hctQVUGm`&#;or#xb>zn@nM})DTHYU|y9(|8GO#`|=@PB{QBTPU1^r8gM%hV; zeP*v0oKBW%c=G9b0KQ;#y5jUl=HnVa6otzUN&{ngtFIjCQ!CxwVBIIw8j4%kdfT ztV*7wKqP3x%LLU<&m)iOR)JQ9G~9+W(l+t2q{#ZS=5(mjp()#|hdg?R!(Sj%#`b-BJ5!R=9ZEfL?8U)122v4iBoE zX-~EFc53=fT|s#JR8}sHwX^P^uzGO6cHh%Y0Wa6&K9=uURLUvKPiCA*_H1eUC+cNs zb7y~MM#uVj`_^CgJ7wHDKlhqC@k#c7njR3AfAHLPF;rR7BdzV_Y*s}+Y`d`j!lfM{scZmt^wm(zmS#(Z&bG-8l{~PMh`h9xh_o@ap z@>{0utMqEvf?_;V4q(%XK*N>9NVA`t5PN!J`uiPCvJCB03D|_|1t+DhHoau3zo^_B z+7)hl(b`QXslV&4=7)Lrk1{CI?~3MRPV%^C;aQ*P#mB%O9e-S`>B7PuY9D#p8oa3S zjYUU;`n;9(Cgp`%)V!K-owB?C89Z-)T+!B2qh$62ztVM?)_*MZp!Qal2Kf2!wrcpj z{$Exk)p_IiTK^X(4RYDtbz16|!;5#g7C*r}#wg9x(}_&0F51${3t+y`m{?ie*2-2l zZa%c(`YsMZ&5?F;{JKT5_YPC{m)KXXHP~cgaDUUYj)Wa8nO>Hy_Nej~!O9Qs+C*dY zZ4cNg3=!QNB}!I)g(afOuL=4pya7mwxOT~7|1Q$w+l6;^PHYywxgDCnMwpOr=bF(K zYv!PFziGz3GGTSy-1#HjZ5*W!LdU=2vyOf%56ai{Ex< zIb61VR(&PN_V6uw{%aqyiQAatjxZ{Kq%eFxRSYfu@x@|b&iAeamoLptkv{0F=v1KutMwQ1jD1PEzeKNXL4Jqe@KUi`%5P!Gq!#7 zlGSbt2!By))bkNqSNKGB;y%^Ox4l{Od-y+XX2)zc+jLYMsY_ zqv(&T20#@X8l$6+QG{$!^hu+le+5Rr$rnbS3B!QY9fCL3`{7OXWKif^^Sgpn`NIy% z;GqvG4;HVfifnGpI%^bQ@+h?6>MY)y4MFV#$6uV>bL(nTckeCJz$V`*sg8A9aty2N zjPo)d*7`WsIz>Dl@3P>td-K>geeXVn9y&-DE_3vL_sX60_LY)ztVP8h=cI>jj^T3N zoqo5+*ZneM0qxSR@bY8*AvvLDwGWOSPO2r~%k$fa+7?HaoWG@gyeGpk`Y)Umdo18p z_y`|eF*EM8ByVoi*}1LJhSaBLOSx%mPa0?{ZOdAbzP5AI{^GDW^}ZcE_-f|pga8a-s3;*WOC|*E08EH}ln}Hd z!)6ZZtIP{H&@f)fe{9W+Y3#B2{O$8kEJkKJLj^zfX2pr`n%R$><_oh->`ixwg6_J} b_{K~lAxC89<56Z_5Sgh2`X<&OJoNb=RnO#{ literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro index b0392f9c27..e7e3c3ff8e 100644 --- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.bro 
@@ -1,4 +1,10 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
+# @TEST-EXEC: mv ssl.log ssl-twimg.log
+# @TEST-EXEC: btest-diff ssl-twimg.log
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
+# @TEST-EXEC: mv ssl.log ssl-digicert.log
+# @TEST-EXEC: btest-diff ssl-digicert.log
 @load protocols/ssl/validate-ocsp