ssl: Prevent unbounded ssl_history growth

The ssl_history field may grow unbounded (e.g., ssl_alert event). Prevent this
by capping using a configurable limit (default 100) and raise a weird once reached.

NEWS

@@ -174,6 +174,11 @@ Changed Functionality
   If there are more alerts, a new weird "SSL_excessive_alerts_in_record" is raised.
   For non-TLS 1.3, the maximum can be redefined via ``SSL::max_alerts_per_record``.
 
+- The ``ssl_history`` field in the ssl.log is now capped at a configurable
+  limit of 100 characters prevent unbounded growth. The limit can be changed
+  via the option ``SSL::max_ssl_history_length``. When reached, a new weird
+  named "SSL_max_ssl_history_length_reached" is raised.
+
 Deprecated Functionality
 ------------------------
 

scripts/base/protocols/ssl/main.zeek

@@ -143,6 +143,10 @@ export {
 	## (especially with large file transfers).
 	option disable_analyzer_after_detection = T;
 
+	## Maximum length of the ssl_history field to prevent unbounded
+	## growth when the parser is running into unexpected situations.
+	option max_ssl_history_length = 100;
+
 	## Delays an SSL record for a specific token: the record will not be
 	## logged as long as the token exists or until 15 seconds elapses.
 	global delay_log: function(info: Info, token: string);
@@ -208,10 +212,16 @@ function set_session(c: connection)
 
 function add_to_history(c: connection, is_client: bool, char: string)
 	{
+	if ( |c$ssl$ssl_history| == max_ssl_history_length )
+		return;
+
 	if ( is_client )
 		c$ssl$ssl_history = c$ssl$ssl_history+to_upper(char);
 	else
 		c$ssl$ssl_history = c$ssl$ssl_history+to_lower(char);
+
+	if ( |c$ssl$ssl_history| == max_ssl_history_length )
+		Reporter::conn_weird("SSL_max_ssl_history_length_reached", c);
 	}
 
 function delay_log(info: Info, token: string)

testing/btest/Baseline/scripts.base.protocols.ssl.max-history-length/ssl-max-history-length-3.log

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9	Csx

testing/btest/Baseline/scripts.base.protocols.ssl.max-history-length/ssl-max-history-length-default.log

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9	CsxknGIti

testing/btest/Baseline/scripts.base.protocols.ssl.max-history-length/weird-max-history-length-3.log

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9	SSL_max_ssl_history_length_reached

testing/btest/scripts/base/protocols/ssl/max-history-length.test

@@ -0,0 +1,12 @@
+# Test max history length functionality
+
+# @TEST-EXEC: zeek -r $TRACES/tls/tls-conn-with-extensions.trace
+# @TEST-EXEC: zeek-cut uid ssl_history < ssl.log > ssl-max-history-length-default.log
+# @TEST-EXEC: btest-diff ssl-max-history-length-default.log
+# @TEST-EXEC: ! test -f weird.log
+#
+# @TEST-EXEC: zeek -r $TRACES/tls/tls-conn-with-extensions.trace SSL::max_ssl_history_length=3
+# @TEST-EXEC: zeek-cut uid ssl_history < ssl.log > ssl-max-history-length-3.log
+# @TEST-EXEC: zeek-cut uid name < weird.log > weird-max-history-length-3.log
+# @TEST-EXEC: btest-diff ssl-max-history-length-3.log
+# @TEST-EXEC: btest-diff weird-max-history-length-3.log