From e9a87566ef9d5e1e88e54d9cfea97d4fef19a46f Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 26 Apr 2016 12:30:28 -0700
Subject: [PATCH] Fix parsing of x509 pre-y2k dates There was a bug in the new parsing code, introduced in 708ede22c6781e854739c67332ac18a391f4782f which parses validity times incorrectly if they are before the year 2000. What happens in this case is that the 2-digit year will be interpreted to be in the 21st century (1999 will be parsed as 2099, e.g.).
---
 src/file_analysis/analyzer/x509/X509.cc | 2 +-
 .../scripts.base.files.x509.1999/x509.log | 12 ++++++++++++
 testing/btest/Traces/tls/telesec.pcap | Bin 0 -> 7636 bytes
 testing/btest/scripts/base/files/x509/1999.test | 5 +++++
 4 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.files.x509.1999/x509.log
 create mode 100644 testing/btest/Traces/tls/telesec.pcap
 create mode 100644 testing/btest/scripts/base/files/x509/1999.test
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index e8ea5cb7b4..ebf7b1d04f 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -543,7 +543,7 @@ double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char*
 }

 // year is first two digits in YY format. Buffer expects YYYY format.
- if ( pString[0] - '0' < 50 ) // RFC 2459 4.1.2.5.1
+ if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1
 {
 *(pBuffer++) = '2';
 *(pBuffer++) = '0';
diff --git a/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log b/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log
new file mode 100644
index 0000000000..60bd109b5d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log
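Review bot: The rewritten test `if ( pString[0] < '5' )` in GetTimeFromAsn1 picks the century from a byte that nothing visible in this hunk has checked to be a digit, so for a malformed UTCTime any byte below '5' (a space, '+', '/') selects 20YY and any byte above '9' selects 19YY. The validity fields come from certificates seen on the wire and end up as `not_valid_before`/`not_valid_after` in x509.log, which expiry and anomaly detections read, so a guard such as `if ( pString[0] < '0' || pString[0] > '9' )` that reports the time as malformed before this branch would keep garbage values out of the log. The function starts and ends outside the hunk, so if the digits are already validated elsewhere in it, a one-line comment here saying so would be enough. The trailing comment could also cite RFC 5280 4.1.2.5.1, which obsoletes RFC 2459 and keeps the same 50-year pivot.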
@@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2016-04-26-19-27-59 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1461697070.246986 Feyr3x4h8S7yqikqYd 3 339D9ED8E73927C9 CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE 1384251451.000000 1479427199.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - imap.gmx.net,imap.gmx.de - - - F - +1461697070.246986 FdSwvBrmfL9It607b 3 21B6777E8CBD0EA8 CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 1362146309.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0 +1461697070.246986 F7YtKFoAux1T0Ycb3 3 26 CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 931522260.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 5 +#close 2016-04-26-19-27-59 
diff --git a/testing/btest/Traces/tls/telesec.pcap b/testing/btest/Traces/tls/telesec.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0f27b68d594910f6bedc6749be233d09e7a87b03 GIT binary patch literal 7636 zcmds6cRbX8{C|J$&Yiu^N;Z+K&z-%pLxnOj$~f+?tRVmM|a}@0gQb{MgTzIfkv&Y zJ5b>Tj&L6vKslppQ_2cT-6gYsIDriS=J;*qz?_(w$=XMBZhj$DJ7R`^*7fw(0Cw{c z+{g%55CAv=$8iLY=RgonZsUZE4D1>KH;O**AAT?w9%Ew^chm+O-2@r{8pIMM3>mY4 ze>P$k*rMqOEew_jFO!qZ8AT`HIJuou%fDgh&=MCm??Q-d2~n}}%e-~IXJGTrDw{Iz zL5S{@Bq%7lzXnEtJ>N`23>ibbTF(!b!?0juDk2iR#uh{5tNtybgrKPMm&u4?cm&Zx z0HTJ+)2-HRo1=GAX!Pzp*w5eS0eH3PGOHlP9uK*3J118fJ|U}CL-6|iJcSQ;!<)(jRuivV^36QBk1 zfdwG3gjggNFAE1a0D&dU;sj!V3-b-h?5W{2Ia zjBUp>i{uu>58nTj6B%)!baB8*_u2i8#^qNiRMXHkxVbv_r+aQ{91|(NBg|q-oAsUphW5lUlSk&5OsB#76BXZ43vrFseLl6!QfF@s|@St2o zyc>Z?##!4?W}u4L0XJF7Rl_AdhRFzzk+Y9rGNL1B%#g?kT9}+|xW64m7L~?s;~|Uv zyv;Q_Hiju@#lY^S@S@z<4V+}Wqq94OALYf4gvcDa`cz$%B8c*1$0Rbzk->}#W<*fr zP#NqD7g^j5d!7M}(ji=Q2m^j;%2Cm=JMd(2S4J4ag%Kd_R( zA|@Kco}xwoBbpgwPKk}6Q#9!eiYQ9Pp2U-RL&9lMnnB?!G$R;HGzC$Zm>z@!;8PF* z0MB#dQV;|*nlbtA8@s=Zs*_HLCGG4wY`{qclu|x9d`pcrvTc^KTsMY*6`>sQe*F7>LuRHTHTV$zE z!`-e$F#=~)-;uj3^b$T?d+9IB7%j)CA1G1XuuGs;LyD=schlL^Z- zh7kZ0t~FW)QLs|A0-|CxgPGxBC?}B^l*|kH3+7iI1D7SFAQJFE1hpx#DzQj2`+*e@ z9j5scU?OaEnAVS8@cr2fzF044!iUi0t0l>eCCLqG$#r3L8a6F#^9QVe2-6=}GpOiK zGw}QMkO0^|&Wz=ea0@vl zEF^|$=1+_H%VpD9FfN8;aYhgrDK&UT1=SuqhazbzKjIY`5c4M|u}jhD{PBlyY39EV zGGu;6!(W*{kj?xulbK(;e@si1Ur%QKiD?UnX8t*EjA%4@_k;;1Z~3p}&cf`ZCRHv_Zwf7%_?!bRSnp?@gvL9NYp-Wdt2uJt@0aVH8VTZN7A?d=iW z>-W7|WKrII`pp+iovx$$XNNy>KfXooo5#OxfgxYxosB1FAX!S)i?7`k@Oz*v9Hy9_ zey$Uhc(!92<*msEX|5L4qwh@=oo46yl;ggdUohpOk!?r~fLIJgx&Te#So=e$j`@-Pum?d zpT10TlOQQ|Lyo+&Jn!((;&w5jbX&1E-;i6}Mu7cu72drFQendZrFZS&mtk8P6g z${nrp>-zhJdISoLGDx^1-g*9BQsJfrik<>$OJAo>_c(nmZg4lxJ?$%7wuNse4BN$P zW{|7+7jbf00ny^lEwLsZ+eY-ZL+m2U`|h4tHE@`}uI;_4mDJ ziQ$z#Ek*f9DUV`_!ks4&JKY&PLUiI7y_>+Jug z;3oHC_GAgkU1)L#YE)uSqL-#KDg@X&f6(8VKZwoz(vz9ruy~C5d8;Qgzt&&%+uGIF z*~!V(*UG||Ix5jvM^?2jb?gM8QD>g;#j(X#9oJXnoI`O~b2 
zC(?8@7jcKR@U(TjT%MX-p&p4la#dGHGs*nWEx}!2#-6D6rro{G{b#76N}N?Z`K-nARPzw!|AyEZvega#e562in<{qy2m1SOnskt-Ot*c5sz|j+>R}VX4#P-Y@41H_ zzou>4YX3QsUMA@mxM#n)!ny~|dplR;@dqPSH4aORZr(k;&(i#9Q(0|_XK3#9N~xV~ zoN6;v20|2VKeYF#uPo>z<8H0dS@lnm3Gh7F*T&mNHBqZv&~~r>$=WSf_wnwa@^jiP zS{ypm_RPZrvGyj!-N+Tbc` z%{x%w_O|M&1ZPQE+IstUE*x3Y=C?fYh%dMkDrI@_VoOC+ut0vtGurm$w97fG?#%|z za~7mOE98Dzwe61dC8O2X&bHxoS~f36`a(&k#7;)cO&rxEOVoUV{`^*61laOI7}FMx zU-S#>Qub;OWd2IHK7);^t39})%wUZ9MZ6|6znLwY`6Ym{PugVW|GCV={+-!<@X|Js5`TK?S=f5RT0hgroBZ;5oc77Z(mt$?Al`}Zo5Wu zGtW0!iYJ9|^rrYH^+ta^x91A2nQq6o+Z~_}-jmX6wO--nrD){7t#2jjbf`FV{yeqK zCHNP!+xIu$Nw{-t-}7jbs-lr3&yE6{<6n%A+%TNBo!a?Yo|fG~k>9LS-LIuPH&w8$ zYrVewdC!3MkEt0Hmu6Ry)TsE+n#4GjSS{Jp>j#D}*0$<(tbNnPICUYw>(iXW$y@ZB zEjHd$yeHGt7d+iMpwz3jLf3P5XB0;PzoPq&E!^R?h5<9vaz9C|YaP1X#IcC(4i~5p z2VQ{K-`d+J@6KdrSORb6j?PkPESo&=@yU&ILI!&|NL zf|iwBm@$vCzbaSM;OKiUkIPGyr5!jb*S+l+-akN4c|7;+x2+Oi+*0~`Ube4Ie68wG z->VbwkI>%IV6(f<`Au8tIPY202 z6wX#z+tuKsaWb)~!)v>@Jh`P>toYp9yY%U6DC&!55|w-hW}gihD)sCw(u&HL)%@79 zA;{RmAnH@>$@Eekv-6KB&MGazwC|6&F68?9Rbb1B1b(z^9`jwtPiAx2*R717KVu9Aa%uhDLp zh{$*GZ*vUp#}Jite?_#YhI4$g1^x*!y6*mSj+d_C0Sh{ejbFSzI9Lkq$U13xskV%G^dh2Bz?xl;$$=*3V*wwXWOJn*1 zl`iVbCUug&P*QJb*t2x|`|UZ84US}CF*oxjf>`JZHl{KV2+9n>7)UI8G6PvuLk6l$ zf(*n@A7`L&825z}CV|BV`;=0zG_|`vAzknVsuvZ$JI6V8xD<1r*)z+X^V&J??>^Wh zHp5B$xs<}GSWsmLrv$Y!u*ISSrfE3Wb3CYDVNk;{#Eu3Yzb$dxLwARe z8!I}VqduEj+kEU@p3oic;6i&%xohuOee_$^|0yjfTnl~CvF2E^gS*s2Tl@D4%q1;) zAx|HZ4{w!iyq$GuhS^Yg+lbjrn|4+xzt5+$J2N6?3HGN26$iFCoN@nlKdq0%h`eH@ zQ+HdHx953mRX$~*r~*3NCP5)aXXWp#akn$KFW1Xl+pwnXsJ>uNHNL)=r${wAs^r;` zEZ39kx^K%Xk0{NynYWs{%E9Q};I60X`jmiwd^cF38BHdUG6mAkD#nFa(B&@j{3VS| z3RoJ?bN!k|D-ulOm#kxBY24@q)0nRX5f85+02&NDHh$?gmxA3G;)kWbMTFf}cWn%D zvnz%u3Y$anM{~H$?>*4f{P4k&)%+w|5u+Mno%xu-KUX5_C}!|_{1k)N0$ZR9LV{pZ z)?|Yi;$9xoxC>J&5x8V7Wj9#q_YAcI;b0PsHofQnTB literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/files/x509/1999.test b/testing/btest/scripts/base/files/x509/1999.test new file mode 100644 index 0000000000..7c1ab7971f --- /dev/null 
+++ b/testing/btest/scripts/base/files/x509/1999.test
@@ -0,0 +1,5 @@
+# Test that the timestamp of a pre-y-2000 certificate is correctly parsed
+
+# @TEST-EXEC: bro -r $TRACES/tls/telesec.pcap
+# @TEST-EXEC: btest-diff x509.log
+