Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix SCT validation when invalid certificates are in chain.

Browse source 
At the moment it would try to access an unset optional in this case.
This commit is contained in:
Johanna Amann 2018-05-22 17:18:14 -07:00
parent 84c1d9c808
commit 1fec186c39
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/policy/protocols/ssl/validate-sct.bro
View file

@ -180,6 +180,8 @@ hook ssl_finishing(c: connection) &priority=19
{ {
if ( i == 0 ) # end-host-cert if ( i == 0 ) # end-host-cert
next; next;
if ( ! c$ssl$cert_chain[i]?$x509 || ! c$ssl$cert_chain[i]$x509?$handle )
next;
issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4); issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4);
valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);