Merge remote-tracking branch 'origin/topic/jsiwek/ssl-empty-files'

* origin/topic/jsiwek/ssl-empty-files: Skip file analysis for zero-length SSL/TLS data
2025-10-10 02:28:21 +00:00 · 2020-01-29 11:09:45 -08:00 · 2020-01-29 11:09:45 -08:00 · ad18014bed
commit ad18014bed
parent 6bcd583836 f939bcad7e
4 changed files with 16 additions and 2 deletions
--- a/src/analyzer/protocol/ssl/proc-certificate.pac
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@ -16,6 +16,12 @@
 			{
 			const bytestring& cert = (*certificates)[i];

+			if ( cert.length() <= 0 )
+				{
+				reporter->Weird(bro_analyzer()->Conn(), "zero_length_certificate");
+				continue;
+				}
+
 			ODesc file_handle;
 			file_handle.Add(common.Description());
 			file_handle.Add(i);
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@ -303,7 +303,7 @@ refine connection Handshake_Conn += {
 		common.AddRaw("F");
 		bro_analyzer()->Conn()->IDString(&common);

-		if ( status_type == 1 ) // ocsp
+		if ( status_type == 1 && response.length() > 0 ) // ocsp
 			{
 			ODesc file_handle;
 			file_handle.Add(common.Description());
@ -323,6 +323,10 @@ refine connection Handshake_Conn += {

 			file_mgr->EndOfFile(file_id);
 			}
+		else if ( response.length() == 0 )
+			{
+			reporter->Weird(bro_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message");
+			}

 		return true;
 		%}