mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
e14eddeb97
This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
75 lines
2.2 KiB
Text
75 lines
2.2 KiB
Text
##! Perform validation of stapled OCSP responses.
|
|
#!
|
|
#! Note: this _only_ performs validation of stapled OCSP responsed. It does
|
|
#! not validate OCSP responses that are retrieved via HTTP, because we do not
|
|
#! have a mapping to certificates.
|
|
|
|
|
|
@load base/frameworks/notice
|
|
@load base/protocols/ssl
|
|
|
|
module SSL;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## This indicates that the OCSP response was not deemed
|
|
## to be valid.
|
|
Invalid_Ocsp_Response
|
|
};
|
|
|
|
redef record Info += {
|
|
## Result of ocsp validation for this connection.
|
|
ocsp_status: string &log &optional;
|
|
## ocsp response as string.
|
|
ocsp_response: string &optional;
|
|
};
|
|
|
|
}
|
|
|
|
# SHA256 hash values for recently validated chains along with the OCSP validation
|
|
# status are kept in this table to avoid constant validation every time the same
|
|
# certificate chain is seen.
|
|
global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins;
|
|
|
|
event ssl_stapled_ocsp(c: connection, is_client: bool, response: string) &priority=3
|
|
{
|
|
c$ssl$ocsp_response = response;
|
|
}
|
|
|
|
event ssl_established(c: connection) &priority=3
|
|
{
|
|
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 || !c$ssl?$ocsp_response )
|
|
return;
|
|
|
|
local hash = c$ssl$cert_chain[0]$sha1;
|
|
local chain: vector of opaque of x509 = vector();
|
|
for ( i in c$ssl$cert_chain )
|
|
{
|
|
if ( c$ssl$cert_chain[i]?$x509 )
|
|
chain[i] = c$ssl$cert_chain[i]$x509$handle;
|
|
}
|
|
|
|
local chain_fuids = "";
|
|
for ( i in c$ssl$cert_chain )
|
|
chain_fuids += cat(c$ssl$cert_chain[i]$fuid, ",");
|
|
|
|
local reply_id = cat(sha256_hash(c$ssl$ocsp_response), chain_fuids);
|
|
|
|
if ( reply_id in recently_ocsp_validated )
|
|
{
|
|
c$ssl$ocsp_status = recently_ocsp_validated[reply_id];
|
|
return;
|
|
}
|
|
|
|
local result = x509_ocsp_verify(chain, c$ssl$ocsp_response, root_certs);
|
|
c$ssl$ocsp_status = result$result_string;
|
|
recently_ocsp_validated[reply_id] = result$result_string;
|
|
|
|
if( result$result_string != "good" )
|
|
{
|
|
local message = fmt("OCSP response validation failed with (%s)", result$result_string);
|
|
NOTICE([$note=Invalid_Ocsp_Response, $msg=message,
|
|
$sub=c$ssl$subject, $conn=c,
|
|
$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)]);
|
|
}
|
|
}
|