mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 09:38:19 +00:00
d5678418da
SetMime now only works on the first call (as it was documented) and unused code was used from one of the x.509 functions.
406 lines
11 KiB
C++
406 lines
11 KiB
C++
// See the file "COPYING" in the main distribution directory for copyright.
|
|
|
|
#include <string>
|
|
|
|
#include "OCSP.h"
|
|
#include "X509.h"
|
|
#include "Event.h"
|
|
|
|
#include "types.bif.h"
|
|
#include "ocsp_events.bif.h"
|
|
|
|
#include "file_analysis/Manager.h"
|
|
|
|
#include <openssl/x509.h>
|
|
#include <openssl/x509v3.h>
|
|
#include <openssl/asn1.h>
|
|
#include <openssl/opensslconf.h>
|
|
|
|
#include "file_analysis/analyzer/x509/X509.h"
|
|
|
|
// helper function of sk_X509_value to avoid namespace problem
|
|
// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y)
|
|
// X509 => file_analysis::X509
|
|
X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)
|
|
{
|
|
return sk_X509_value(certs, i);
|
|
}
|
|
|
|
using namespace file_analysis;
|
|
|
|
IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL);
|
|
|
|
#define OCSP_STRING_BUF_SIZE 2048
|
|
|
|
static Val* get_ocsp_type(RecordVal* args, const char* name)
|
|
{
|
|
Val* rval = args->Lookup(name);
|
|
|
|
if ( ! rval )
|
|
reporter->Error("File extraction analyzer missing arg field: %s", name);
|
|
|
|
return rval;
|
|
}
|
|
|
|
static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio)
|
|
{
|
|
if (resp_id->type == V_OCSP_RESPID_NAME)
|
|
X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE);
|
|
else if (resp_id->type == V_OCSP_RESPID_KEY)
|
|
i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING);
|
|
}
|
|
|
|
void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio)
|
|
{
|
|
char buf[OCSP_STRING_BUF_SIZE];
|
|
memset(buf, 0, sizeof(buf));
|
|
|
|
i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm);
|
|
int len = BIO_read(bio, buf, sizeof(buf));
|
|
vl->append(new StringVal(len, buf));
|
|
BIO_reset(bio);
|
|
|
|
i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING);
|
|
len = BIO_read(bio, buf, sizeof(buf));
|
|
vl->append(new StringVal(len, buf));
|
|
BIO_reset(bio);
|
|
|
|
i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING);
|
|
len = BIO_read(bio, buf, sizeof(buf));
|
|
vl->append(new StringVal(len, buf));
|
|
BIO_reset(bio);
|
|
|
|
i2a_ASN1_INTEGER(bio, cert_id->serialNumber);
|
|
vl->append(new StringVal(len, buf));
|
|
BIO_reset(bio);
|
|
}
|
|
|
|
file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file)
|
|
{
|
|
return new OCSP(args, file, true);
|
|
}
|
|
|
|
file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file)
|
|
{
|
|
return new OCSP(args, file, false);
|
|
}
|
|
|
|
file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request)
|
|
: file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request)
|
|
{
|
|
}
|
|
|
|
bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len)
|
|
{
|
|
ocsp_data.append(reinterpret_cast<const char*>(data), len);
|
|
return true;
|
|
}
|
|
|
|
bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// we parse the entire OCSP response in EOF, because we just pass it on
|
|
// to OpenSSL.
|
|
bool file_analysis::OCSP::EndOfFile()
|
|
{
|
|
const unsigned char* ocsp_char = reinterpret_cast<const unsigned char*>(ocsp_data.data());
|
|
|
|
if ( request )
|
|
{
|
|
OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size());
|
|
|
|
if (!req)
|
|
{
|
|
reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str()));
|
|
return false;
|
|
}
|
|
|
|
ParseRequest(req, GetFile()->GetID().c_str());
|
|
OCSP_REQUEST_free(req);
|
|
}
|
|
else
|
|
{
|
|
OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size());
|
|
if (!resp)
|
|
{
|
|
reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str()));
|
|
return false;
|
|
}
|
|
|
|
OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership
|
|
ParseResponse(resp_val, GetFile()->GetID().c_str());
|
|
Unref(resp_val);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid)
|
|
{
|
|
OCSP_REQINFO *inf = req->tbsRequest;
|
|
|
|
char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions
|
|
memset(buf, 0, sizeof(buf));
|
|
|
|
// build up our response as we go along...
|
|
val_list* vl = new val_list();
|
|
vl->append(GetFile()->GetVal()->Ref());
|
|
vl->append(new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT));
|
|
BIO *bio = BIO_new(BIO_s_mem());
|
|
|
|
if (inf->requestorName != NULL)
|
|
{
|
|
GENERAL_NAME_print(bio, inf->requestorName);
|
|
int len = BIO_read(bio, buf, sizeof(buf));
|
|
vl->append(new StringVal(len, buf));
|
|
BIO_reset(bio);
|
|
}
|
|
else
|
|
vl->append(new StringVal(0, ""));
|
|
|
|
mgr.QueueEvent(ocsp_request, vl);
|
|
|
|
int req_count = OCSP_request_onereq_count(req);
|
|
for ( int i=0; i<req_count; i++ )
|
|
{
|
|
val_list* rvl = new val_list();
|
|
rvl->append(GetFile()->GetVal()->Ref());
|
|
|
|
OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
|
|
OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
|
|
|
|
ocsp_add_cert_id(cert_id, rvl, bio);
|
|
mgr.QueueEvent(ocsp_request_certificate, rvl);
|
|
}
|
|
|
|
BIO_free(bio);
|
|
}
|
|
|
|
void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid)
|
|
{
|
|
OCSP_RESPONSE *resp = resp_val->GetResp();
|
|
OCSP_RESPBYTES *resp_bytes = resp->responseBytes;
|
|
OCSP_BASICRESP *basic_resp = nullptr;
|
|
OCSP_RESPDATA *resp_data = nullptr;
|
|
OCSP_RESPID *resp_id = nullptr;
|
|
|
|
int resp_count, num_ext = 0;
|
|
VectorVal *certs_vector = nullptr;
|
|
int len = 0;
|
|
|
|
char buf[OCSP_STRING_BUF_SIZE];
|
|
memset(buf, 0, sizeof(buf));
|
|
|
|
val_list* vl = new val_list();
|
|
vl->append(GetFile()->GetVal()->Ref());
|
|
|
|
const char *status_str = OCSP_response_status_str(OCSP_response_status(resp));
|
|
StringVal* status_val = new StringVal(strlen(status_str), status_str);
|
|
vl->append(status_val->Ref());
|
|
mgr.QueueEvent(ocsp_response_status, vl);
|
|
vl = nullptr;
|
|
|
|
if (!resp_bytes)
|
|
{
|
|
Unref(status_val);
|
|
return;
|
|
}
|
|
|
|
BIO *bio = BIO_new(BIO_s_mem());
|
|
//i2a_ASN1_OBJECT(bio, resp_bytes->responseType);
|
|
//int len = BIO_read(bio, buf, sizeof(buf));
|
|
//BIO_reset(bio);
|
|
|
|
// get the basic response
|
|
basic_resp = OCSP_response_get1_basic(resp);
|
|
if ( !basic_resp )
|
|
goto clean_up;
|
|
|
|
resp_data = basic_resp->tbsResponseData;
|
|
if ( !resp_data )
|
|
goto clean_up;
|
|
|
|
vl = new val_list();
|
|
vl->append(GetFile()->GetVal()->Ref());
|
|
vl->append(resp_val->Ref());
|
|
vl->append(status_val);
|
|
vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT));
|
|
|
|
// responderID
|
|
resp_id = resp_data->responderId;
|
|
OCSP_RESPID_bio(resp_id, bio);
|
|
len = BIO_read(bio, buf, sizeof(buf));
|
|
vl->append(new StringVal(len, buf));
|
|
BIO_reset(bio);
|
|
|
|
// producedAt
|
|
vl->append(new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME));
|
|
|
|
// responses
|
|
resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses);
|
|
for ( int i=0; i<resp_count; i++ )
|
|
{
|
|
OCSP_SINGLERESP *single_resp = sk_OCSP_SINGLERESP_value(resp_data->responses, i);
|
|
if ( !single_resp )
|
|
continue;
|
|
|
|
val_list* rvl = new val_list();
|
|
rvl->append(GetFile()->GetVal()->Ref());
|
|
|
|
// cert id
|
|
OCSP_CERTID *cert_id = single_resp->certId;
|
|
ocsp_add_cert_id(cert_id, rvl, bio);
|
|
BIO_reset(bio);
|
|
|
|
// certStatus
|
|
OCSP_CERTSTATUS *cert_status = single_resp->certStatus;
|
|
const char* cert_status_str = OCSP_cert_status_str(cert_status->type);
|
|
rvl->append(new StringVal(strlen(cert_status_str), cert_status_str));
|
|
|
|
// revocation time and reason if revoked
|
|
if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED )
|
|
{
|
|
OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked;
|
|
rvl->append(new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME));
|
|
|
|
if ( revoked_info->revocationReason )
|
|
{
|
|
const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason));
|
|
rvl->append(new StringVal(strlen(revoke_reason), revoke_reason));
|
|
}
|
|
else
|
|
rvl->append(new StringVal(0, ""));
|
|
}
|
|
else
|
|
{
|
|
rvl->append(new Val(0, TYPE_TIME));
|
|
rvl->append(new StringVal(0, ""));
|
|
}
|
|
|
|
rvl->append(new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME));
|
|
if ( single_resp->nextUpdate )
|
|
rvl->append(new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME));
|
|
else
|
|
rvl->append(new Val(0, TYPE_TIME));
|
|
|
|
mgr.QueueEvent(ocsp_response_certificate, rvl);
|
|
|
|
num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
|
|
for ( int k = 0; k < num_ext; ++k )
|
|
{
|
|
X509_EXTENSION* ex = OCSP_SINGLERESP_get_ext(single_resp, k);
|
|
if ( ! ex )
|
|
continue;
|
|
|
|
ParseExtension(ex, ocsp_extension, false);
|
|
}
|
|
}
|
|
|
|
i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
|
|
len = BIO_read(bio, buf, sizeof(buf));
|
|
vl->append(new StringVal(len, buf));
|
|
BIO_reset(bio);
|
|
|
|
//i2a_ASN1_OBJECT(bio, basic_resp->signature);
|
|
//len = BIO_read(bio, buf, sizeof(buf));
|
|
//ocsp_resp_record->Assign(7, new StringVal(len, buf));
|
|
//BIO_reset(bio);
|
|
|
|
certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
|
|
vl->append(certs_vector);
|
|
if ( basic_resp->certs )
|
|
{
|
|
int num_certs = sk_X509_num(basic_resp->certs);
|
|
for ( int i=0; i<num_certs; i++ )
|
|
{
|
|
::X509 *this_cert = X509_dup(helper_sk_X509_value(basic_resp->certs, i));
|
|
//::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i));
|
|
if (this_cert)
|
|
certs_vector->Assign(i, new file_analysis::X509Val(this_cert));
|
|
else
|
|
reporter->Weird("OpenSSL returned null certificate");
|
|
}
|
|
}
|
|
mgr.QueueEvent(ocsp_response_bytes, vl);
|
|
|
|
// ok, now that we are done with the actual certificate - let's parse extensions :)
|
|
num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);
|
|
for ( int k = 0; k < num_ext; ++k )
|
|
{
|
|
X509_EXTENSION* ex = OCSP_BASICRESP_get_ext(basic_resp, k);
|
|
if ( ! ex )
|
|
continue;
|
|
|
|
ParseExtension(ex, ocsp_extension, true);
|
|
}
|
|
|
|
clean_up:
|
|
if (basic_resp)
|
|
OCSP_BASICRESP_free(basic_resp);
|
|
BIO_free(bio);
|
|
}
|
|
|
|
void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid)
|
|
{
|
|
// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts.
|
|
// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually
|
|
// look it up by performing a string comparison on the oid.
|
|
#ifdef NID_ct_cert_scts
|
|
if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts )
|
|
#else
|
|
if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 )
|
|
#endif
|
|
ParseSignedCertificateTimestamps(ex);
|
|
}
|
|
|
|
OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type)
|
|
{
|
|
ocsp_resp = arg_ocsp_resp;
|
|
}
|
|
|
|
OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type)
|
|
{
|
|
ocsp_resp = nullptr;
|
|
}
|
|
|
|
OCSP_RESPVal::~OCSP_RESPVal()
|
|
{
|
|
if (ocsp_resp)
|
|
OCSP_RESPONSE_free(ocsp_resp);
|
|
}
|
|
|
|
OCSP_RESPONSE* OCSP_RESPVal::GetResp() const
|
|
{
|
|
return ocsp_resp;
|
|
}
|
|
|
|
bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const
|
|
{
|
|
DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal);
|
|
unsigned char *buf = nullptr;
|
|
int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf);
|
|
if ( length < 0 )
|
|
return false;
|
|
bool res = SERIALIZE_STR(reinterpret_cast<const char*>(buf), length);
|
|
OPENSSL_free(buf);
|
|
return res;
|
|
}
|
|
|
|
bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info)
|
|
{
|
|
DO_UNSERIALIZE(OpaqueVal)
|
|
|
|
int length;
|
|
unsigned char *ocsp_resp_buf, *opensslbuf;
|
|
|
|
if ( ! UNSERIALIZE_STR(reinterpret_cast<char **>(&ocsp_resp_buf), &length) )
|
|
return false;
|
|
opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really.
|
|
ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast<const unsigned char**>(&opensslbuf), length);
|
|
delete[] ocsp_resp_buf;
|
|
if ( !ocsp_resp )
|
|
return false;
|
|
return true;
|
|
}
|