Merge remote-tracking branch 'origin/topic/jsiwek/ssl-empty-files'

* origin/topic/jsiwek/ssl-empty-files:
  Skip file analysis for zero-length SSL/TLS data

CHANGES

@@ -1,4 +1,8 @@
 
+3.1.0-dev.460 | 2020-01-29 11:16:15 -0800
+
+  * Skip file analysis for zero-length SSL/TLS data (Jon Siwek, Corelight)
+
 3.1.0-dev.458 | 2020-01-29 12:53:32 +0000
 
   * Add a new supervisor framework that enables Zeek to operate

VERSION

@@ -1 +1 @@
-3.1.0-dev.458
+3.1.0-dev.460

src/analyzer/protocol/ssl/proc-certificate.pac

@@ -16,6 +16,12 @@
 			{
 			const bytestring& cert = (*certificates)[i];
 
+			if ( cert.length() <= 0 )
+				{
+				reporter->Weird(bro_analyzer()->Conn(), "zero_length_certificate");
+				continue;
+				}
+
 			ODesc file_handle;
 			file_handle.Add(common.Description());
 			file_handle.Add(i);

src/analyzer/protocol/ssl/tls-handshake-analyzer.pac

@@ -303,7 +303,7 @@ refine connection Handshake_Conn += {
 		common.AddRaw("F");
 		bro_analyzer()->Conn()->IDString(&common);
 
-		if ( status_type == 1 ) // ocsp
+		if ( status_type == 1 && response.length() > 0 ) // ocsp
 			{
 			ODesc file_handle;
 			file_handle.Add(common.Description());
@@ -323,6 +323,10 @@ refine connection Handshake_Conn += {
 
 			file_mgr->EndOfFile(file_id);
 			}
+		else if ( response.length() == 0 )
+			{
+			reporter->Weird(bro_analyzer()->Conn(), "SSL_zero_length_stapled_OCSP_message");
+			}
 
 		return true;
 		%}