* origin/topic/johanna/x509-cn:
Use our new features to send the CN and SAN fields of certificates to the intel framework.
Do not log common name by default (it is most interesting for scripts) and add a test case.
extract most specific common name from certificates
BIT-1323 #merged
- Any files where the total size was below the size of the
default bof_buffer size couldn't have stream analyzers successfully
attached because the bof_buffer never reached the full size
and was never flushed. This branch explicitly marks the buf_buffer
as full and flushes it when the file is being removed.
- Re-arrange how some fa_file fields (e.g. source, connection info, mime
type) get updated/set for consistency.
- Add more robust mechanisms for flushing the reassembly buffer.
The goal being to report all gaps and deliveries to file analyzers
regardless of the state of the reassembly buffer at the time it has to
be flushed.
MIME entities buffered data and passed it along to protocol analyzers in
discrete amounts, but a gap is always passed along right away, so the
ordering of these "events" can cause incorrect file analysis. The
change here is to never leave any MIME data buffered -- it should now be
passed along line by line as it is seen, but may still temporarily make
use of a buffer allocated by the analyzer as it works on decoding
content.
* origin/topic/johanna/ticket-1212:
Fix ocsp reply validation - there were a few things that definitely were wrong.
fix null pointer dereference in ocsp verification code in case no certificate is sent as part as the ocsp reply.
Now the right signer certificate for the reply is looked up (and no longer assumed that it is the first one) and a few compares are fixed. Plus - there are more test cases that partially send certificates in the ocsp message and partially do not - and it seems to work fine in all cases.
Addresses BIT-1212
is sent as part as the ocsp reply.
Addresses BIT-1212
There is an additional issue here that prevents the correct verification of
proofs in quite a few cases; this will be addressed in a separate commit.
with a MIME type.
Whenever that MIME is detected, Bro will now automatically activate
the analyzer. The interface mimics how well-known ports are defined
for protocol analyzers.
This isn't actually used by any existing file analyzer (because we
don't have any yet that target a specific file format), but there's a
test making sure it works.
* origin/topic/bernhard/ticket-1195:
update test baseline
Make buffer for certificate subjects bigger. Flush buffer between reads (in case we still get something with a longer subject).
BIT-1195 #merged
* origin/fastpath:
last ssl fixes - missed three more.
and more tiny ssl script fixes
a few more small fixes for chains containing broken certs.
fix expression errors in x509 policy scrips when unparseable data is in certificate chain.
Good stuff! (but I admit I didn't look at the OpenSSL code too closely :)
* origin/topic/bernhard/even-more-ssl-changes:
small test update & script fix
update baselines & add ocsp leak check
Add policy script adding ocsp validation to ssl.log
Implement verification of OCSP replies.
Add tls flag to smtp.log. Will be set if a connection switched to startls.
add starttls support for pop3
Add smtp starttls support
Replace errors when parsing x509 certs with weirds (as requested by Seth).
move tls content types from heartbleed to consts.bro. Seems better to put them there...
Add new features from other branch to the heartbleed-detector (and clean them up).
Let TLS analyzer fail better when no longer in sync with the data stream. The version field in each record-layer packet is now re-checked.
BIT-1190 #merged
Conflicts:
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
* origin/fastpath:
Fix missing "irc-dcc-data" service field from IRC DCC connections.
Change X509 extension value parsing to not abort on malloc failures.
file_analysis::Manager's dtor now doesn't assume any more analysis
progress can be made because too many of Bro's other subsystems
are shutdown by that point. Any file analysis requests made after
Terminate cannot be reliably processed.
The value of *bof_buffer_size* in the *fa_file* record was supposed to
always limit the amount of data used by the signature matching engine,
but some corner cases would cause matching to be performed on data
beyond that.
