mirror of
https://github.com/zeek/zeek.git
synced 2025-10-17 14:08:20 +00:00
9e81342c92
This commit moves the notary script into the policy directory, along with some architectural changes: the main SSL script now has functionality to add and remove tokens for a given record. When adding a token, the script delays the logging until the token has been removed or until the record exceeds a maximum delay time. As before, the base SSL script stores all records sequentially and buffers even non-delayed records for the sake of having an ordered log file. If this turns out to be not so important, we can easily revert to a simpler logic. (This is still WiP, some debuggin statements still linger.)
111 lines
2.8 KiB
Text
111 lines
2.8 KiB
Text
module Notary;
|
|
|
|
export {
|
|
## A response from the ICSI certificate notary.
|
|
type Response: record {
|
|
first_seen: count &log &optional;
|
|
last_seen: count &log &optional;
|
|
times_seen: count &log &optional;
|
|
valid: bool &log &optional;
|
|
};
|
|
|
|
## The notary domain to query.
|
|
const domain = "notary.icsi.berkeley.edu" &redef;
|
|
}
|
|
|
|
redef record SSL::Info += {
|
|
sha1: string &log &optional;
|
|
notary: Response &log &optional;
|
|
};
|
|
|
|
# The DNS cache of notary responses.
|
|
global notary_cache: table[string] of Response &create_expire = 1 hr;
|
|
|
|
# The records that wait for a notary response identified by the cert digest.
|
|
# Each digest refers to a list of connection UIDs which are updated when a DNS
|
|
# reply arrives asynchronously.
|
|
global waiting: table[string] of vector of string;
|
|
|
|
function clear_waitlist(digest: string)
|
|
{
|
|
print "----- clearing waitlist -----";
|
|
if ( digest in waiting )
|
|
{
|
|
for ( i in waiting[digest] )
|
|
{
|
|
print fmt("----- retrieving %s -----", waiting[digest][i]);
|
|
local info = SSL::clear_delayed_record(waiting[digest][i], "notary");
|
|
info$notary = [];
|
|
}
|
|
delete waiting[digest];
|
|
}
|
|
}
|
|
|
|
event x509_certificate(c: connection, is_orig: bool, cert: X509,
|
|
chain_idx: count, chain_len: count, der_cert: string)
|
|
{
|
|
if ( is_orig || chain_idx != 0 || ! c?$ssl )
|
|
return;
|
|
|
|
local digest = sha1_hash(der_cert);
|
|
c$ssl$sha1 = digest;
|
|
|
|
if ( digest in notary_cache )
|
|
{
|
|
c$ssl$notary = notary_cache[digest];
|
|
return;
|
|
}
|
|
|
|
print fmt("----- adding %s -----", c$ssl$uid);
|
|
SSL::add_delayed_record(c$ssl, "notary");
|
|
|
|
local waits_already = digest in waiting;
|
|
if ( ! waits_already )
|
|
waiting[digest] = vector();
|
|
waiting[digest][|waiting[digest]|] = c$uid;
|
|
if ( waits_already )
|
|
return;
|
|
|
|
when ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) )
|
|
{
|
|
print fmt("----- when for %s: %s -----", digest, str);
|
|
# Cache every response for a digest.
|
|
notary_cache[digest] = [];
|
|
|
|
# Parse notary answer.
|
|
if ( str == "<???>" )
|
|
{
|
|
# TODO: Should we handle NXDOMAIN separately?
|
|
clear_waitlist(digest);
|
|
return;
|
|
}
|
|
local fields = split(str, / /);
|
|
if ( |fields| != 5 ) # version 1 has 5 fields.
|
|
{
|
|
clear_waitlist(digest);
|
|
return;
|
|
}
|
|
local version = split(fields[1], /=/)[2];
|
|
if ( version != "1" )
|
|
{
|
|
clear_waitlist(digest);
|
|
return;
|
|
}
|
|
local r = notary_cache[digest];
|
|
r$first_seen = to_count(split(fields[2], /=/)[2]);
|
|
r$last_seen = to_count(split(fields[3], /=/)[2]);
|
|
r$times_seen = to_count(split(fields[4], /=/)[2]);
|
|
r$valid = split(fields[5], /=/)[2] == "1";
|
|
|
|
# Assign notary answer to all waiting records.
|
|
if ( digest in waiting )
|
|
{
|
|
for ( i in waiting[digest] )
|
|
{
|
|
local info = SSL::clear_delayed_record(waiting[digest][i], "notary");
|
|
info$notary = r;
|
|
}
|
|
delete waiting[digest];
|
|
}
|
|
}
|
|
}
|