From 1fec186c39cbfe814b8d6e2cbbfff3e9397d17d7 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 22 May 2018 17:18:14 -0700
Subject: [PATCH] Fix SCT validation when invalid certificates are in chain.

At the moment it would try to access an unset optional in this case.
---
 scripts/policy/protocols/ssl/validate-sct.bro | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro
index a89a5e5b19..f4d1646ae8 100644
--- a/scripts/policy/protocols/ssl/validate-sct.bro
+++ b/scripts/policy/protocols/ssl/validate-sct.bro
@@ -180,6 +180,8 @@ hook ssl_finishing(c: connection) &priority=19
 {
 if ( i == 0 ) # end-host-cert
 next;
+if ( ! c$ssl$cert_chain[i]?$x509 || ! c$ssl$cert_chain[i]$x509?$handle )
+next;
 issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4);
 valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);
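Review bot: The new guard only protects the intermediate entries (`i > 0`); the end-host certificate that `cert` is presumably derived from before the loop is not visible here, and if `cert_chain[0]$x509` or its `handle` can be unset in the same malformed-chain case, the identical unset-optional access would still fire ahead of this hunk — worth confirming that path is guarded as well. Skipping a chain element with `next` is the safe choice for validation (an SCT that could only be checked against that issuer simply stays unverified), but it is silent; a comment on the added line such as `# Skip chain entries whose certificate could not be parsed: no issuer key hash is available` would make the intent clear to the next reader, and a `Reporter::info`-level message would help operators understand why `valid` remains F for such connections. The enclosing `for` loop and `hook ssl_finishing` begin before this hunk.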