Commit graph

295 commits

Author SHA1 Message Date
Jon Siwek
05b10fe2e7 BIT-1544: allow NULs in file analysis handles 2018-08-15 18:03:02 -05:00
Johanna Amann
a251b32d85 Merge remote-tracking branch 'origin/topic/jsiwek/openssl-1.1'
* origin/topic/jsiwek/openssl-1.1:
  Update install instructions for OpenSSL 1.1 compat
  Remove requestorName parameter of ocsp_request event
  Adjust x509 unit tests to work around OpenSSL 1.0 vs. 1.1 differences
  Fixes for OpenSSL 1.1 support
2018-07-31 13:13:06 +02:00
Jon Siwek
bb55f82809 Remove requestorName parameter of ocsp_request event
This field isn't publicly available via the OpenSSL 1.1 API, not used
in the base scripts, and has no example in the test suite, so removing
it is simpler than trying to support manually parsing it out of the
raw data.
2018-06-29 16:15:34 -05:00
Jon Siwek
8f990036f6 Fixes for OpenSSL 1.1 support
The following tests currently fail due to what seems like different
behavior in OpenSSL 1.1 vs 1.0:

    scripts/base/protocols/rdp/rdp-x509.bro
    bifs/x509_verify.bro
2018-06-29 15:58:53 -05:00
Johanna Amann
a891517762 Fix read at invalid address in X509 extension parser.
When encountering an extension unknown to OpenSSL, we would read from
the wrong memory location. Also added a testcase to prevent this specific
case from happening again.
2018-06-04 12:05:56 -07:00
Johanna Amann
6d612ced3d Mark one-parameter constructors as explicit & use override where possible
This commit marks (hopefully) every one-parameter constructor as explicit.

It also uses override in (hopefully) all circumstances where a virtual
method is overridden.

There are a very few other minor changes - most of them were necessary
to get everything to compile (like one additional constructor). In one
case I changed an implicit operation to an explicit string conversion -
I think the automatically chosen conversion was much more convoluted.

This took longer than I want to admit but not as long as I feared :)
2018-03-27 07:17:32 -07:00
Xiaogrill
cbe585dd87 Treat LibreSSL as an older OpenSSL 2018-02-11 09:07:22 -08:00
Johanna Amann
a8c0580b45 Merge branch 'topic/johanna/openssl-1.1'
* topic/johanna/openssl-1.1:
  Fix recently introduced double free in OpenSSL code.
  Adjust coding style & fix test failures.
  Adapt most of the X509 support to OpenSSL 1.1
2018-01-30 14:33:32 -08:00
Jon Siwek
f25a1453ee Remove TODO comments about using explicit bool operators 2018-01-19 11:40:57 -06:00
Johanna Amann
41285abea5 Make nearly all bool operators explicit.
These are a bit dangerous because the casting can happen in quite
unexpected circumstances and lead to undesirable comparison results.
2018-01-18 14:02:03 -08:00
Johanna Amann
bdb7f62335 Correct include-path in x509Common.h
The file used a relative path which leads to problems if it is included
by an external Plugin. This commit changes this to an absolute path,
like everywhere else.
2018-01-12 10:58:20 -08:00
Johanna Amann
cc738544eb Merge remote-tracking branch 'remotes/origin/topic/jsiwek/prealloc-ports'
* remotes/origin/topic/jsiwek/prealloc-ports:
  Clean up PortManager class, mark PortVal ctors deprecated.
  Add BRO_DEPRECATED macro.
  Preallocate all possible PortVals.

BIT-1881 #merged
2018-01-12 10:06:30 -08:00
Johanna Amann
762e3c9f12 Merge remote-tracking branch 'origin/topic/seth/add-file-lookup-functions'
* origin/topic/seth/add-file-lookup-functions:
  Functions for retrieving files by their id.

 BIT-1887 #merged
2018-01-12 09:46:24 -08:00
Seth Hall
7cb6cf24a6 Functions for retrieving files by their id.
There are two new script level functions to query and lookup files
from the core by their IDs.  These are adding feature parity for
similarly named functions for files.  The function prototypes are
as follows:

  Files::file_exists(fuid: string): bool
  Files::lookup_File(fuid: string): fa_file
2018-01-09 12:16:17 -05:00
Jon Siwek
1e4964de77 Preallocate all possible PortVals.
The performance benefit is small (maybe ~1% at most), however, it's a
trivial change without downsides.
2017-12-11 15:29:28 -06:00
Johanna Amann
03f98c7022 Fix recently introduced double free in OpenSSL code. 2017-12-07 14:47:56 -08:00
Johanna Amann
6a93abea32 Adjust coding style & fix test failures.
I am still not 100% convinced that there is no memory leak hidden
somewhere...

This also makes everything compile with OpenSSL 1.0.2 for me.
2017-12-07 14:02:27 -08:00
Hilko Bengen
ea4cf7dbe9 Adapt most of the X509 support to OpenSSL 1.1 2017-12-06 00:07:49 +01:00
Johanna Amann
fc33bf2014 Make strerror_r portable.
This uses the same code that broker already uses to determine if we use
the XSI or gnu version of strerror_r. Patch by Thomas Petersen.
2017-09-18 14:50:30 -07:00
Johanna Amann
e1997144c2 Fix small OCSP parser bug.
It turns out that the serial number field in all events was never
populated correctly. Instead, the previous field (issuer key hash) was
re-read and repeated in all events.
2017-09-11 09:26:33 -07:00
Robin Sommer
0b5894ce23 Merge remote-tracking branch 'origin/topic/johanna/ocsp-sct-validate'
* origin/topic/johanna/ocsp-sct-validate:
  SSL SCT/OCSP: small fixes by robin; mostly update comments.
2017-08-04 13:28:08 -07:00
Johanna Amann
d5678418da SSL SCT/OCSP: small fixes by robin; mostly update comments.
SetMime now only works on the first call (as it was documented) and
unused code was used from one of the x.509 functions.
2017-08-01 16:30:08 -07:00
Robin Sommer
faa4150154 Merge remote-tracking branch 'origin/topic/johanna/ocsp-sct-validate'
Closes #1830.

* origin/topic/johanna/ocsp-sct-validate: (82 commits)
  Tiny script changes for SSL.
  Update CT Log list
  SSL: Update OCSP/SCT scripts and documentation.
  Revert "add parameter 'status_type' to event ssl_stapled_ocsp"
  Revert "parse multiple OCSP stapling responses"
  SCT: Fix script error when mime type of file unknown.
  SCT: another memory leak in SCT parsing.
  SCT validation: fix small memory leak (public keys were not freed)
  Change end-of-connection handling for validation
  OCSP/TLS/SCT: Fix a number of test failures.
  SCT Validate: make caching a bit less aggressive.
  SSL: Fix type of ssl validation result
  TLS-SCT: compile on old versions of OpenSSL (1.0.1...)
  SCT: Add caching support for validation
  SCT: Add signed certificate timestamp validation script.
  SCT: Allow verification of SCTs in Certs.
  SCT: only compare correct OID/NID for Cert/OCSP.
  SCT: add validation of proofs for extensions and OCSP.
  SCT: pass timestamp as uint64 instead of time
  Add CT log information to Bro
  ...
2017-07-30 08:49:41 -07:00
Johanna Amann
9594f69598 SSL: Update OCSP/SCT scripts and documentation. 2017-07-27 16:22:40 -07:00
Johanna Amann
7a1ec3501d SCT: another memory leak in SCT parsing. 2017-05-14 19:38:36 -07:00
Johanna Amann
e1d42ec99c SCT validation: fix small memory leak (public keys were not freed) 2017-05-14 09:55:17 -07:00
Johanna Amann
b8e81029f8 TLS-SCT: compile on old versions of OpenSSL (1.0.1...) 2017-03-29 09:17:30 -07:00
Johanna Amann
115a676d08 SCT: Allow verification of SCTs in Certs.
This is much more complex than the TLS Extension/OCSP cases. We need to
first alter the certificate and remove the extension from it, before
extracting the tbscert. Furthermore, we need the key hash of the issuing
certificate to be able to validate the proof - which means that we need
a valid certificate chain.

Missing: documentation, nice integration so that we can just add a
script and use this in Bro.
2017-03-29 09:17:24 -07:00
Johanna Amann
41a2028dee SCT: only compare correct OID/NID for Cert/OCSP.
The old way of doing it did not really cause problems - but now only the
OID that can be used in practice is checked.
2017-03-29 09:04:11 -07:00
Johanna Amann
c403a7f4e6 SCT: add validation of proofs for extensions and OCSP.
This does not yet work for certificates, because this requires some
changing the ASN.1 structure before validation (we need to extract the
tbscert and remove the SCT extension before).

API will change in the future.
2017-03-29 09:04:05 -07:00
Johanna Amann
d50bddfbfb SCT: pass timestamp as uint64 instead of time
For verification, we need the exact uint64 as it was seen on the wire;
converting it to a double might mean that we lose precision.
2017-03-16 18:18:39 -07:00
Johanna Amann
5604f46dd3 OCSP SCT: use correct oid for old openssls 2017-02-15 17:38:56 -08:00
Johanna Amann
c550521221 OCSP: parse signed certificate timestamps
With this change, we also parse signed certificate timestamps from OCSP
replies. This introduces a common base class between the OCSP and X509
analyzer, which now share a bit of common code. The event for signed
certificate timestamps is raised by both and thus renamed to:

x509_ocsp_ext_signed_certificate_timestamp
2017-02-10 17:05:05 -08:00
Johanna Amann
b061a5db1a Merge branch 'topic/johanna/signed_certificate_timestamp' into topic/johanna/ocsp-new 2017-02-10 17:04:50 -08:00
Johanna Amann
cdcc21ea4b OCSP: generic extension parsing.
Raises ocsp_extension event if an extension is present in the reply or
in one of the singlereplies.
2017-02-10 17:03:50 -08:00
Johanna Amann
9fd7816501 Allow File analyzers to directly pass mime type.
This makes it much easier for protocols where the mime type is known in
advance like, for example, TLS. We now no longer have to perform deep
script-level magic.
2017-02-10 17:03:33 -08:00
Johanna Amann
1b19ab78b6 OCSP: split into two analysers in scriptland.
Instead of having an additional string argument specifying if we are
sending a request or a reply, we now have an ANALYZER_OCSP_REQUEST and
an ANALYZER_OCSP_REPLY
2017-02-10 17:03:27 -08:00
Johanna Amann
e1bcc4509f OCSP: rewrite events and data structures.
Instead of having a big event, that tries to parse all the data into a
huge datastructure, we do the more common thing and use a series of
smaller events to parse requests and responses.

The new events are:

ocsp_request -> raised for an ocsp request, giving version and requestor

ocsp_request_certificate -> raised n times per request, once per cert

ocsp_response_status -> raised for each ocsp response, giving status

ocsp_response_bytes -> raised for each ocsp response with information

ocsp_response_certificate -> raised for each cert in an ocsp response
2017-02-10 17:03:18 -08:00
Johanna Amann
9c6cebf324 OCSP: a bunch of whitespace fixes 2017-02-10 17:03:04 -08:00
Johanna Amann
b021fe7562 Rewrite of big parts of the OCSP analyzer.
Less redundancy, style closer to the X.509 analyzer, times being parsed
as real times, and lots of other changes.
2017-02-10 17:02:56 -08:00
Johanna Amann
c670613996 Make OCSP analyzer part of the X.509 analyzer
This allows the easier integration of shared functionality. And it also
makes logical sense, given that OCSP is not interesting without X.509.
2017-02-10 17:02:15 -08:00
Johanna Amann
dfc871f831 Merge remote-tracking branch 'origin/master' into topic/johanna/ocsp 2017-02-08 10:35:12 -08:00
Johanna Amann
2d64b45394 X509: make SCT parsing work with older OpenSSL versions 2017-02-07 16:05:47 -08:00
Johanna Amann
5dd19f84a7 Add parsing of signed certificate timestamps out of X.509 certs.
This is a tiny bit evil because it uses parts of the SSL protocol
analyzer in the X.509 certificate parser. Which is the fault of the
protocol, which replicates the functionality.
2017-02-07 13:31:21 -08:00
Johanna Amann
1de6cfc2e3 Fix memory leak in file analyzer.
This undoes the changes applied in merge 9db27a6d60
and goes back to the state in the branch as of the merge 5ab3b86.

Getting rid of the additional layer of removing analyzers and just
keeping them in the set introduced subtle differences in behavior since
a few calls were still passed along. Skipping all of these with SetSkip
introduced yet other subtle behavioral differences.
2017-02-04 16:47:07 -08:00
Johanna Amann
9db27a6d60 Merge remote-tracking branch 'origin/topic/robin/file-analysis-fixes'
* origin/topic/robin/file-analysis-fixes:
  Adding test with command line that used to trigger a crash.
  Cleaning up a couple of comments.
  Fix delay in disabling file analyzers.
  Fix file analyzer memory management.

The merge changes around functionality a bit again - instead of having
a list of done analyzers, analyzers are simply set to skipping when they
are removed, and cleaned up later on destruction of the AnalyzerSet.

BIT-1782 #merged
2017-02-01 14:20:14 -08:00
Robin Sommer
16f20507fd Cleaning up a couple of comments. 2017-01-31 14:45:06 -08:00
Robin Sommer
fead5f5d5e Fix delay in disabling file analyzers.
When a file analyzer signaled being done with data delivery, the
analyzer would only be scheduled for removal at that point, meaning it
could still receive more data until that action actually took effect.
Now we make sure to not send any more data to an analyzer.
2017-01-28 13:24:13 -08:00
Robin Sommer
3ce6a031d4 Fix file analyzer memory management.
File analyzers got deleted immediately once the queue with the
corresponding removal operation got drained. That however can happen
while the analyzer is still doing stuff: the queue is drained whenever
any of the "special" file analysis events needing immediate attention has
been executed. This fix now only schedules the analyzer for deletion
at that time, but postpones the actual operation until the file object
itself is being destroyed.
2017-01-28 13:07:51 -08:00
Johanna Amann
37a51b354e Fix validation of OCSP replies inside of Bro.
At one place in the code, we do not check the correct return code. This
makes it possible for a reply to get a response of "good", when the ocsp
reply is not actually signed by the responder in question.

This also instructs ocsp verification to skip certificate chain
validation, which we do ourselves earlier because the OCSP verify
function cannot do it correctly (no way to pass timestamp).
2016-11-30 13:17:09 -08:00