Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/src/analyzer/protocol/ssl/proc-certificate.pac
Johanna Amann 2315d0344a SSL/GH-2211: Address review feedback, remove USE_FLIPPED 
It turns out that we can just do this by using an argument.
2022-07-05 13:23:18 +01:00

39 lines
1.3 KiB
JavaScript
Raw Blame History

function proc_certificate(is_orig: bool, is_flipped: bool, certificates : bytestring[]) : bool
%{
if ( certificates->size() == 0 )
return true;
zeek::ODesc common;
common.AddRaw("Analyzer::ANALYZER_SSL");
common.Add(zeek_analyzer()->Conn()->StartTime());
common.AddRaw(is_orig ^ is_flipped ? "T" : "F", 1);
zeek_analyzer()->Conn()->IDString(&common);
static const string user_mime = "application/x-x509-user-cert";
static const string ca_mime = "application/x-x509-ca-cert";
for ( unsigned int i = 0; i < certificates->size(); ++i )
{
const bytestring& cert = (*certificates)[i];
if ( cert.length() <= 0 )
{
zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate", "",
zeek_analyzer()->GetAnalyzerName());
continue;
}
zeek::ODesc file_handle;
file_handle.Add(common.Description());
file_handle.Add(i);
string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), zeek_analyzer()->GetAnalyzerTag(),
zeek_analyzer()->Conn(), is_orig ^ is_flipped,
file_id, i == 0 ? user_mime : ca_mime);
zeek::file_mgr->EndOfFile(file_id);
}
return true;
%}
Reference in a new issue View git blame Copy permalink