suricata
detect-tls-cert-validity.c
1 /* Copyright (C) 2015-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  * Implements tls certificate validity keywords
24  */
25 
26 #include "suricata-common.h"
27 #include "threads.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-content.h"
36 #include "detect-pcre.h"
38 
39 #include "flow.h"
40 #include "flow-util.h"
41 #include "flow-var.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "app-layer-ssl.h"
47 
48 #include "util-time.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
/**
 * Option grammar shared by the notbefore/notafter keywords:
 *
 *   [tls_notbefore|tls_notafter]:[<|>]<date string>[<><date string>];
 *
 * Capture groups: 1 = optional '<' or '>' mode, 2 = first date string,
 * 3 = optional "<>" range marker, 4 = second date string.
 *
 * NOTE(review): inside the character class " -:" is a range (space through
 * ':'), so the date groups also accept punctuation such as '!', '+', '.'
 * and '/', not only space, '-' and ':'. Whether such input is rejected
 * depends on the date conversion that runs afterwards; confirm whether a
 * literal '-' was intended here.
 */
#define PARSE_REGEX                             \
    "^\\s*(<|>)?\\s*"                           \
    "([ -:TW0-9]+)"                             \
    "\\s*(?:(<>)\\s*([ -:TW0-9]+))?\\s*$"
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
58 
/* Match callback installed for all four tls validity keywords. */
static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
                                   Flow *f, uint8_t flags, void *state,
                                   void *txv, const Signature *s,
                                   const SigMatchCtx *ctx);

/* Option parsing helpers. */
static time_t DateStringToEpoch (char *string);
static DetectTlsValidityData *DetectTlsValidityParse (const char *rawstr);

/* Per-keyword setup callbacks, plus the helper the notbefore/notafter
 * callbacks delegate to. */
static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
                                  const char *rawstr);
static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
                                const char *rawstr);
static int DetectTlsNotBeforeSetup (DetectEngineCtx *de_ctx, Signature *s,
                                    const char *rawstr);
static int DetectTlsNotAfterSetup (DetectEngineCtx *de_ctx, Signature *s,
                                   const char *rawstr);
static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
                                   const char *rawstr, uint8_t type);

/* Unit test registration hooks, one per keyword. */
static void TlsNotBeforeRegisterTests(void);
static void TlsNotAfterRegisterTests(void);
static void TlsExpiredRegisterTests(void);
static void TlsValidRegisterTests(void);

/* Release function for DetectTlsValidityData. Declared static here, so the
 * later definition has internal linkage even though it omits the keyword. */
static void DetectTlsValidityFree(void *de_ptr);

/* Id of the "tls_validity" buffer type, looked up by name at registration. */
static int g_tls_validity_buffer_id = 0;

static int DetectEngineInspectTlsValidity(ThreadVars *tv,
        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate,
        void *txv, uint64_t tx_id);
82 
83 /**
84  * \brief Registration function for tls validity keywords.
85  */
87 {
88  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].name = "tls_cert_notbefore";
89  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].desc = "match TLS certificate notBefore field";
90  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-notbefore";
92  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].AppLayerTxMatch = DetectTlsValidityMatch;
93  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Setup = DetectTlsNotBeforeSetup;
94  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].Free = DetectTlsValidityFree;
95  sigmatch_table[DETECT_AL_TLS_NOTBEFORE].RegisterTests = TlsNotBeforeRegisterTests;
96 
97  sigmatch_table[DETECT_AL_TLS_NOTAFTER].name = "tls_cert_notafter";
98  sigmatch_table[DETECT_AL_TLS_NOTAFTER].desc = "match TLS certificate notAfter field";
99  sigmatch_table[DETECT_AL_TLS_NOTAFTER].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-notafter";
101  sigmatch_table[DETECT_AL_TLS_NOTAFTER].AppLayerTxMatch = DetectTlsValidityMatch;
102  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Setup = DetectTlsNotAfterSetup;
103  sigmatch_table[DETECT_AL_TLS_NOTAFTER].Free = DetectTlsValidityFree;
104  sigmatch_table[DETECT_AL_TLS_NOTAFTER].RegisterTests = TlsNotAfterRegisterTests;
105 
106  sigmatch_table[DETECT_AL_TLS_EXPIRED].name = "tls_cert_expired";
107  sigmatch_table[DETECT_AL_TLS_EXPIRED].desc = "match expired TLS certificates";
108  sigmatch_table[DETECT_AL_TLS_EXPIRED].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-expired";
110  sigmatch_table[DETECT_AL_TLS_EXPIRED].AppLayerTxMatch = DetectTlsValidityMatch;
111  sigmatch_table[DETECT_AL_TLS_EXPIRED].Setup = DetectTlsExpiredSetup;
112  sigmatch_table[DETECT_AL_TLS_EXPIRED].Free = DetectTlsValidityFree;
113  sigmatch_table[DETECT_AL_TLS_EXPIRED].RegisterTests = TlsExpiredRegisterTests;
115 
116  sigmatch_table[DETECT_AL_TLS_VALID].name = "tls_cert_valid";
117  sigmatch_table[DETECT_AL_TLS_VALID].desc = "match valid TLS certificates";
118  sigmatch_table[DETECT_AL_TLS_VALID].url = DOC_URL DOC_VERSION "/rules/tls-keywords.html#tls-cert-valid";
120  sigmatch_table[DETECT_AL_TLS_VALID].AppLayerTxMatch = DetectTlsValidityMatch;
121  sigmatch_table[DETECT_AL_TLS_VALID].Setup = DetectTlsValidSetup;
122  sigmatch_table[DETECT_AL_TLS_VALID].Free = DetectTlsValidityFree;
123  sigmatch_table[DETECT_AL_TLS_VALID].RegisterTests = TlsValidRegisterTests;
125 
126  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
127 
130  DetectEngineInspectTlsValidity);
131 
132  g_tls_validity_buffer_id = DetectBufferTypeGetByName("tls_validity");
133 }
134 
/**
 * \internal
 * \brief Inspection function for the tls validity keywords.
 *
 * Hands every argument unchanged to DetectEngineInspectGenericList() and
 * returns whatever that call returns.
 */
static int DetectEngineInspectTlsValidity(ThreadVars *tv,
        DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
        const Signature *s, const SigMatchData *smd,
        Flow *f, uint8_t flags, void *alstate,
        void *txv, uint64_t tx_id)
{
    const int verdict = DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s,
                                                       smd, f, flags, alstate,
                                                       txv, tx_id);
    return verdict;
}
/**
 * \internal
 * \brief Function to match validity field in a tls certificate.
 *
 * The certificate timestamp is read from the client side of the TLS state
 * when STREAM_TOSERVER is set in flags, otherwise from the server side.
 * A timestamp of 0 never matches; this is also what happens when the
 * keyword type is neither notBefore nor notAfter.
 *
 * The '<' and '>' modes are inclusive (<= and >=). The expired and valid
 * modes compare against the flow's last seen timestamp (f->lastts), not
 * against the wall clock of the sensor.
 *
 * \param t       Pointer to thread vars (not used here).
 * \param det_ctx Pointer to the pattern matcher thread (not used here).
 * \param f       Pointer to the current flow.
 * \param flags   Flags; STREAM_TOSERVER selects the connection side.
 * \param state   App layer state, cast to SSLState.
 * \param txv     Transaction pointer (not used here).
 * \param s       Pointer to the Signature (not used here).
 * \param ctx     Keyword context, cast to DetectTlsValidityData.
 *
 * \retval 0 no match.
 * \retval 1 match.
 */
static int DetectTlsValidityMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
                                   Flow *f, uint8_t flags, void *state,
                                   void *txv, const Signature *s,
                                   const SigMatchCtx *ctx)
{
    SCEnter();

    SSLState *tls = (SSLState *)state;
    if (tls == NULL) {
        SCLogDebug("no tls state, no match");
        SCReturnInt(0);
    }

    SSLStateConnp *side = (flags & STREAM_TOSERVER) ? &tls->client_connp
                                                    : &tls->server_connp;
    const DetectTlsValidityData *want = (const DetectTlsValidityData *)ctx;

    /* Pick the certificate field this keyword instance looks at. */
    time_t cert_time = 0;
    if (want->type == DETECT_TLS_TYPE_NOTBEFORE) {
        cert_time = side->cert0_not_before;
    } else if (want->type == DETECT_TLS_TYPE_NOTAFTER) {
        cert_time = side->cert0_not_after;
    }

    /* 0 means there is no timestamp to compare against. */
    if (cert_time == 0) {
        SCReturnInt(0);
    }

    /* Any one satisfied mode is a match; '||' keeps the original
     * left-to-right, short-circuit evaluation order. */
    int matched = 0;
    if (((want->mode & DETECT_TLS_VALIDITY_EQ) && cert_time == want->epoch) ||
        ((want->mode & DETECT_TLS_VALIDITY_LT) && cert_time <= want->epoch) ||
        ((want->mode & DETECT_TLS_VALIDITY_GT) && cert_time >= want->epoch) ||
        ((want->mode & DETECT_TLS_VALIDITY_RA) &&
                cert_time >= want->epoch && cert_time <= want->epoch2) ||
        ((want->mode & DETECT_TLS_VALIDITY_EX) &&
                f->lastts.tv_sec > cert_time) ||
        ((want->mode & DETECT_TLS_VALIDITY_VA) &&
                f->lastts.tv_sec <= cert_time)) {
        matched = 1;
    }

    SCReturnInt(matched);
}
210 
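/**
 * \internal
 * \brief Function to check if string is epoch.
 *
 * A string counts as an epoch value when it is non-empty and consists of
 * decimal digits only.
 *
 * \param string NUL-terminated date string. Not modified.
 *
 * \retval epoch time on success.
 * \retval -1 when the string is empty or contains a non-digit character.
 */
static time_t StringIsEpoch (char *string)
{
    if (string[0] == '\0')
        return -1;

    /* We assume that the date string is epoch if it consists of only
       digits. The cast keeps isdigit() well defined for bytes >= 0x80 on
       platforms where plain char is signed. */
    for (const char *sp = string; *sp != '\0'; sp++) {
        if (isdigit((unsigned char)*sp) == 0)
            return -1;
    }

    /* NOTE(review): strtol() saturates at LONG_MAX for a digit string that
       does not fit in a long, and that case is not detected here. */
    return strtol(string, NULL, 10);
}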
235 
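/**
 * \internal
 * \brief Function to convert date string to epoch.
 *
 * Leading and trailing whitespace is ignored. A string of digits only is
 * taken as an epoch value as is; anything else is matched against the
 * date/time patterns below and converted with SCMkTimeUtc().
 *
 * \param string NUL-terminated date string. Not modified.
 *
 * \retval epoch on success.
 * \retval -1 on failure. Note that -1 is therefore not usable as a date.
 */
static time_t DateStringToEpoch (char *string)
{
    /* Zeroed so no field is left indeterminate.
       NOTE(review): which fields SCStringPatternToTime() fills in is not
       visible from here. */
    struct tm tm = { 0 };
    const char *patterns[] = {
            /* ISO 8601 */
            "%Y-%m",
            "%Y-%m-%d",
            "%Y-%m-%d %H",
            "%Y-%m-%d %H:%M",
            "%Y-%m-%d %H:%M:%S",
            "%Y-%m-%dT%H",
            "%Y-%m-%dT%H:%M",
            "%Y-%m-%dT%H:%M:%S",
            "%H:%M",
            "%H:%M:%S",
    };
    /* Derived from the table so the count cannot drift from its contents. */
    const int num_patterns = (int)(sizeof(patterns) / sizeof(patterns[0]));

    /* Skip leading whitespace. The cast keeps isspace() well defined for
       bytes >= 0x80 where plain char is signed. */
    while (isspace((unsigned char)*string))
        string++;

    size_t inlen = strlen(string);
    const size_t oldlen = inlen;

    /* Skip trailing whitespace */
    while (inlen > 0 && isspace((unsigned char)string[inlen - 1]))
        inlen--;

    /* Scratch copy, used only when trailing whitespace was trimmed. Its size
       follows the input length; the callers shown in this file pass 20-byte
       buffers, which keeps this stack array small. */
    char tmp[inlen + 1];

    if (inlen < oldlen) {
        strlcpy(tmp, string, inlen + 1);
        string = tmp;
    }

    time_t epoch = StringIsEpoch(string);
    if (epoch != -1)
        return epoch;

    if (SCStringPatternToTime(string, patterns, num_patterns, &tm) != 0)
        return -1;

    return SCMkTimeUtc(&tm);
}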
294 
295 /**
296  * \internal
297  * \brief Function to parse options passed via tls validity keywords.
298  *
299  * \param rawstr Pointer to the user provided options.
300  *
301  * \retval dd pointer to DetectTlsValidityData on success.
302  * \retval NULL on failure.
303  */
304 static DetectTlsValidityData *DetectTlsValidityParse (const char *rawstr)
305 {
306  DetectTlsValidityData *dd = NULL;
307 #define MAX_SUBSTRINGS 30
308  int ret = 0, res = 0;
309  int ov[MAX_SUBSTRINGS];
310  char mode[2] = "";
311  char value1[20] = "";
312  char value2[20] = "";
313  char range[3] = "";
314 
315  ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0,
316  0, ov, MAX_SUBSTRINGS);
317  if (ret < 3 || ret > 5) {
318  SCLogError(SC_ERR_PCRE_MATCH, "Parse error %s", rawstr);
319  goto error;
320  }
321 
322  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 1, mode,
323  sizeof(mode));
324  if (res < 0) {
325  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
326  goto error;
327  }
328  SCLogDebug("mode \"%s\"", mode);
329 
330  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 2, value1,
331  sizeof(value1));
332  if (res < 0) {
333  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
334  goto error;
335  }
336  SCLogDebug("value1 \"%s\"", value1);
337 
338  if (ret > 3) {
339  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 3,
340  range, sizeof(range));
341  if (res < 0) {
342  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
343  goto error;
344  }
345  SCLogDebug("range \"%s\"", range);
346 
347  if (ret > 4) {
348  res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4,
349  value2, sizeof(value2));
350  if (res < 0) {
352  "pcre_copy_substring failed");
353  goto error;
354  }
355  SCLogDebug("value2 \"%s\"", value2);
356  }
357  }
358 
359  dd = SCMalloc(sizeof(DetectTlsValidityData));
360  if (unlikely(dd == NULL))
361  goto error;
362 
363  dd->epoch = 0;
364  dd->epoch2 = 0;
365  dd->mode = 0;
366 
367  if (strlen(mode) > 0) {
368  if (mode[0] == '<')
370  else if (mode[0] == '>')
372  }
373 
374  if (strlen(range) > 0) {
375  if (strcmp("<>", range) == 0)
377  }
378 
379  if (strlen(range) != 0 && strlen(mode) != 0) {
381  "Range specified but mode also set");
382  goto error;
383  }
384 
385  if (dd->mode == 0) {
387  }
388 
389  /* set the first value */
390  dd->epoch = DateStringToEpoch(value1);
391  if (dd->epoch == -1)
392  goto error;
393 
394  /* set the second value if specified */
395  if (strlen(value2) > 0) {
396  if (!(dd->mode & DETECT_TLS_VALIDITY_RA)) {
398  "Multiple tls validity values specified but mode is not range");
399  goto error;
400  }
401 
402  dd->epoch2 = DateStringToEpoch(value2);
403  if (dd->epoch2 == -1)
404  goto error;
405 
406  if (dd->epoch2 <= dd->epoch) {
408  "Second value in range must not be smaller than the first");
409  goto error;
410  }
411  }
412  return dd;
413 
414 error:
415  if (dd)
416  SCFree(dd);
417  return NULL;
418 }
419 
420 /**
421  * \brief Function to add the parsed tls_cert_expired into the current signature.
422  *
423  * \param de_ctx Pointer to the Detection Engine Context.
424  * \param s Pointer to the Current Signature.
425  * \param rawstr Pointer to the user provided flags options.
426  *
427  * \retval 0 on Success.
428  * \retval -1 on Failure.
429  */
430 static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
431  const char *rawstr)
432 {
433  DetectTlsValidityData *dd = NULL;
434  SigMatch *sm = NULL;
435 
436  SCLogDebug("\'%s\'", rawstr);
437 
439  return -1;
440 
441  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
442  if (dd == NULL) {
443  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
444  goto error;
445  }
446 
447  /* okay so far so good, lets get this into a SigMatch
448  * and put it in the Signature. */
449  sm = SigMatchAlloc();
450  if (sm == NULL)
451  goto error;
452 
455  dd->epoch = 0;
456  dd->epoch2 = 0;
457 
459  sm->ctx = (void *)dd;
460 
461  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
462  return 0;
463 
464 error:
465  DetectTlsValidityFree(dd);
466  if (sm)
467  SCFree(sm);
468  return -1;
469 }
470 
471 /**
472  * \brief Function to add the parsed tls_cert_valid into the current signature.
473  *
474  * \param de_ctx Pointer to the Detection Engine Context.
475  * \param s Pointer to the Current Signature.
476  * \param rawstr Pointer to the user provided flags options.
477  *
478  * \retval 0 on Success.
479  * \retval -1 on Failure.
480  */
481 static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
482  const char *rawstr)
483 {
484  DetectTlsValidityData *dd = NULL;
485  SigMatch *sm = NULL;
486 
487  SCLogDebug("\'%s\'", rawstr);
488 
490  return -1;
491 
492  dd = SCCalloc(1, sizeof(DetectTlsValidityData));
493  if (dd == NULL) {
494  SCLogError(SC_ERR_INVALID_ARGUMENT,"Allocation \'%s\' failed", rawstr);
495  goto error;
496  }
497 
498  /* okay so far so good, lets get this into a SigMatch
499  * and put it in the Signature. */
500  sm = SigMatchAlloc();
501  if (sm == NULL)
502  goto error;
503 
506  dd->epoch = 0;
507  dd->epoch2 = 0;
508 
510  sm->ctx = (void *)dd;
511 
512  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
513  return 0;
514 
515 error:
516  DetectTlsValidityFree(dd);
517  if (sm)
518  SCFree(sm);
519  return -1;
520 }
521 
522 /**
523  * \brief Function to add the parsed tls_notbefore into the current signature.
524  *
525  * \param de_ctx Pointer to the Detection Engine Context.
526  * \param s Pointer to the Current Signature.
527  * \param rawstr Pointer to the user provided flags options.
528  *
529  * \retval 0 on Success.
530  * \retval -1 on Failure.
531  */
532 static int DetectTlsNotBeforeSetup (DetectEngineCtx *de_ctx, Signature *s,
533  const char *rawstr)
534 {
536  int r = DetectTlsValiditySetup(de_ctx, s, rawstr, type);
537 
538  SCReturnInt(r);
539 }
540 
/**
 * \brief Setup callback for the tls_cert_notafter keyword.
 *
 * Delegates to DetectTlsValiditySetup() with the notAfter type.
 *
 * \param de_ctx Pointer to the Detection Engine Context.
 * \param s      Pointer to the Current Signature.
 * \param rawstr Pointer to the user provided options.
 *
 * \retval 0 on Success.
 * \retval -1 on Failure.
 */
static int DetectTlsNotAfterSetup (DetectEngineCtx *de_ctx, Signature *s,
                                   const char *rawstr)
{
    /* The result is kept in a local so that SCReturnInt() is handed a plain
     * variable rather than the call expression. */
    const int rc = DetectTlsValiditySetup(de_ctx, s, rawstr,
                                          DETECT_TLS_TYPE_NOTAFTER);

    SCReturnInt(rc);
}
559 
560 /**
561  * \brief Function to add the parsed tls validity field into the current signature.
562  *
563  * \param de_ctx Pointer to the Detection Engine Context.
564  * \param s Pointer to the Current Signature.
565  * \param rawstr Pointer to the user provided flags options.
566  * \param type Defines if this is notBefore or notAfter.
567  *
568  * \retval 0 on Success.
569  * \retval -1 on Failure.
570  */
571 static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
572  const char *rawstr, uint8_t type)
573 {
574  DetectTlsValidityData *dd = NULL;
575  SigMatch *sm = NULL;
576 
577  SCLogDebug("\'%s\'", rawstr);
578 
580  return -1;
581 
582  dd = DetectTlsValidityParse(rawstr);
583  if (dd == NULL) {
584  SCLogError(SC_ERR_INVALID_ARGUMENT,"Parsing \'%s\' failed", rawstr);
585  goto error;
586  }
587 
588  /* okay so far so good, lets get this into a SigMatch
589  * and put it in the Signature. */
590  sm = SigMatchAlloc();
591  if (sm == NULL)
592  goto error;
593 
594  if (type == DETECT_TLS_TYPE_NOTBEFORE) {
597  }
598  else if (type == DETECT_TLS_TYPE_NOTAFTER) {
601  }
602  else {
603  goto error;
604  }
605 
606  sm->ctx = (void *)dd;
607 
608  SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
609  return 0;
610 
611 error:
612  DetectTlsValidityFree(dd);
613  if (sm)
614  SCFree(sm);
615  return -1;
616 }
617 
618 /**
619  * \internal
620  * \brief Function to free memory associated with DetectTlsValidityData.
621  *
622  * \param de_ptr Pointer to DetectTlsValidityData.
623  */
624 void DetectTlsValidityFree(void *de_ptr)
625 {
627  if (dd)
628  SCFree(dd);
629 }
630 
631 #ifdef UNITTESTS
632 
/**
 * \test Parse the bare epoch value "1430000000"; expects that epoch with
 *       the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse01 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("1430000000");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1430000000 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
648 
/**
 * \test Parse ">1430000000"; expects that epoch with the GT mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse02 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse(">1430000000");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1430000000 && parsed->mode == DETECT_TLS_VALIDITY_GT);

    DetectTlsValidityFree(parsed);
    PASS;
}
664 
/**
 * \test Parse "<1430000000"; expects that epoch with the LT mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse03 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("<1430000000");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1430000000 && parsed->mode == DETECT_TLS_VALIDITY_LT);

    DetectTlsValidityFree(parsed);
    PASS;
}
680 
681 /**
682  * \test This is a test for a valid value 1430000000<>1470000000.
683  *
684  * \retval 1 on success.
685  * \retval 0 on failure.
686  */
687 static int ValidityTestParse04 (void)
688 {
689  DetectTlsValidityData *dd = NULL;
690  dd = DetectTlsValidityParse("1430000000<>1470000000");
691  FAIL_IF_NULL(dd);
692  FAIL_IF_NOT(dd->epoch == 1430000000 && dd->epoch2 == 1470000000 &&
694  DetectTlsValidityFree(dd);
695  PASS;
696 }
697 
/**
 * \test The invalid value "A" must be rejected (parser returns NULL).
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse05 (void)
{
    DetectTlsValidityData *result = DetectTlsValidityParse("A");

    FAIL_IF_NOT_NULL(result);
    PASS;
}
711 
/**
 * \test The invalid value ">1430000000<>1470000000", which combines a mode
 *       with a range, must be rejected (parser returns NULL).
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse06 (void)
{
    DetectTlsValidityData *result = DetectTlsValidityParse(">1430000000<>1470000000");

    FAIL_IF_NOT_NULL(result);
    PASS;
}
725 
/**
 * \test The invalid value "1430000000<>", a range without an upper bound,
 *       must be rejected (parser returns NULL).
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse07 (void)
{
    DetectTlsValidityData *result = DetectTlsValidityParse("1430000000<>");

    FAIL_IF_NOT_NULL(result);
    PASS;
}
739 
/**
 * \test The invalid value "<>1430000000", a range without a lower bound,
 *       must be rejected (parser returns NULL).
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse08 (void)
{
    DetectTlsValidityData *result = DetectTlsValidityParse("<>1430000000");

    FAIL_IF_NOT_NULL(result);
    PASS;
}
753 
/**
 * \test The empty string "" must be rejected (parser returns NULL).
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse09 (void)
{
    DetectTlsValidityData *result = DetectTlsValidityParse("");

    FAIL_IF_NOT_NULL(result);
    PASS;
}
767 
/**
 * \test A value of a single space, " ", must be rejected (parser returns
 *       NULL).
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse10 (void)
{
    DetectTlsValidityData *result = DetectTlsValidityParse(" ");

    FAIL_IF_NOT_NULL(result);
    PASS;
}
781 
/**
 * \test The invalid range "1490000000<>1430000000", whose second value is
 *       smaller than the first, must be rejected (parser returns NULL).
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse11 (void)
{
    DetectTlsValidityData *result = DetectTlsValidityParse("1490000000<>1430000000");

    FAIL_IF_NOT_NULL(result);
    PASS;
}
795 
796 /**
797  * \test This is a test for a valid value 1430000000 <> 1490000000.
798  *
799  * \retval 1 on success.
800  * \retval 0 on failure.
801  */
802 static int ValidityTestParse12 (void)
803 {
804  DetectTlsValidityData *dd = NULL;
805  dd = DetectTlsValidityParse("1430000000 <> 1490000000");
806  FAIL_IF_NULL(dd);
807  FAIL_IF_NOT(dd->epoch == 1430000000 && dd->epoch2 == 1490000000 &&
809  DetectTlsValidityFree(dd);
810  PASS;
811 }
812 
/**
 * \test Parse "> 1430000000 " (space after the operator and at the end);
 *       expects epoch 1430000000 with the GT mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse13 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("> 1430000000 ");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1430000000 && parsed->mode == DETECT_TLS_VALIDITY_GT);

    DetectTlsValidityFree(parsed);
    PASS;
}
828 
/**
 * \test Parse "< 1490000000 " (space after the operator and at the end);
 *       expects epoch 1490000000 with the LT mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse14 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("< 1490000000 ");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1490000000 && parsed->mode == DETECT_TLS_VALIDITY_LT);

    DetectTlsValidityFree(parsed);
    PASS;
}
844 
/**
 * \test Parse " 1490000000 " (surrounded by spaces); expects epoch
 *       1490000000 with the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse15 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse(" 1490000000 ");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1490000000 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
860 
/**
 * \test Parse the year-month value "2015-10"; expects epoch 1443657600
 *       (2015-10-01 00:00:00 UTC) with the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse16 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1443657600 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
876 
/**
 * \test Parse ">2015-10-22"; expects epoch 1445472000
 *       (2015-10-22 00:00:00 UTC) with the GT mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse17 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse(">2015-10-22");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1445472000 && parsed->mode == DETECT_TLS_VALIDITY_GT);

    DetectTlsValidityFree(parsed);
    PASS;
}
892 
/**
 * \test Parse "<2015-10-22 23"; expects epoch 1445554800
 *       (2015-10-22 23:00:00 UTC) with the LT mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse18 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("<2015-10-22 23");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1445554800 && parsed->mode == DETECT_TLS_VALIDITY_LT);

    DetectTlsValidityFree(parsed);
    PASS;
}
908 
/**
 * \test Parse "2015-10-22 23:59"; expects epoch 1445558340
 *       (2015-10-22 23:59:00 UTC) with the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse19 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22 23:59");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1445558340 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
924 
/**
 * \test Parse "2015-10-22 23:59:59"; expects epoch 1445558399
 *       (2015-10-22 23:59:59 UTC) with the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse20 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22 23:59:59");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1445558399 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
940 
/**
 * \test Parse the 'T'-separated value "2015-10-22T23"; expects epoch
 *       1445554800 (2015-10-22 23:00:00 UTC) with the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse21 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22T23");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1445554800 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
956 
/**
 * \test Parse the 'T'-separated value "2015-10-22T23:59"; expects epoch
 *       1445558340 (2015-10-22 23:59:00 UTC) with the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse22 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22T23:59");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1445558340 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
972 
/**
 * \test Parse the 'T'-separated value "2015-10-22T23:59:59"; expects epoch
 *       1445558399 (2015-10-22 23:59:59 UTC) with the EQ mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse23 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22T23:59:59");
    FAIL_IF_NULL(parsed);

    FAIL_IF_NOT(parsed->epoch == 1445558399 && parsed->mode == DETECT_TLS_VALIDITY_EQ);

    DetectTlsValidityFree(parsed);
    PASS;
}
988 
989 /**
990  * \test Test matching on validity dates in a certificate.
991  *
992  * \retval 1 on success.
993  * \retval 0 on failure.
994  */
995 static int ValidityTestDetect01(void)
996 {
997  /* client hello */
998  uint8_t client_hello[] = {
999  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
1000  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
1001  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
1002  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
1003  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
1004  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
1005  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
1006  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
1007  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
1008  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
1009  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
1010  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
1011  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
1012  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
1013  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
1014  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
1015  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
1016  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
1017  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
1018  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
1019  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
1020  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
1021  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
1022  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
1023  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
1024  0x03, 0x04, 0x02, 0x02, 0x02
1025  };
1026 
1027  /* server hello */
1028  uint8_t server_hello[] = {
1029  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
1030  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
1031  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
1032  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
1033  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
1034  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
1035  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
1036  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
1037  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
1038  0x0b, 0x00, 0x02, 0x01, 0x00
1039  };
1040 
1041  /* certificate */
1042  uint8_t certificate[] = {
1043  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
1044  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
1045  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
1046  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
1047  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
1048  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
1049  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
1050  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
1051  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
1052  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
1053  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
1054  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
1055  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
1056  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
1057  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
1058  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
1059  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
1060  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
1061  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
1062  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
1063  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
1064  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
1065  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1066  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
1067  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
1068  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
1069  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
1070  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
1071  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
1072  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
1073  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
1074  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
1075  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
1076  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
1077  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
1078  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
1079  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
1080  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
1081  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
1082  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
1083  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
1084  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
1085  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
1086  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
1087  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
1088  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
1089  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
1090  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
1091  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
1092  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
1093  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
1094  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
1095  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
1096  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
1097  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
1098  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
1099  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
1100  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
1101  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
1102  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
1103  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
1104  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
1105  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
1106  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
1107  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
1108  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
1109  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
1110  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
1111  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
1112  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
1113  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
1114  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
1115  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
1116  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
1117  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
1118  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
1119  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
1120  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
1121  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
1122  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
1123  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
1124  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
1125  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
1126  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
1127  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
1128  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
1129  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
1130  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
1131  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
1132  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
1133  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
1134  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
1135  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
1136  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
1137  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
1138  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
1139  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
1140  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
1141  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
1142  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
1143  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
1144  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
1145  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
1146  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
1147  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
1148  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
1149  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
1150  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
1151  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
1152  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
1153  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
1154  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
1155  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
1156  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
1157  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
1158  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
1159  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
1160  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
1161  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
1162  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
1163  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
1164  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
1165  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
1166  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
1167  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
1168  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
1169  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
1170  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
1171  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
1172  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
1173  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
1174  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
1175  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
1176  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
1177  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
1178  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
1179  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
1180  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
1181  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
1182  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
1183  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
1184  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
1185  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
1186  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
1187  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
1188  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
1189  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
1190  };
1191 
1192  Flow f;
1193  SSLState *ssl_state = NULL;
1194  TcpSession ssn;
1195  Packet *p1 = NULL;
1196  Packet *p2 = NULL;
1197  Packet *p3 = NULL;
1198  Signature *s = NULL;
1199  ThreadVars tv;
1200  DetectEngineThreadCtx *det_ctx = NULL;
1202 
1203  memset(&tv, 0, sizeof(ThreadVars));
1204  memset(&f, 0, sizeof(Flow));
1205  memset(&ssn, 0, sizeof(TcpSession));
1206 
1207  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
1208  "192.168.1.5", "192.168.1.1", 51251, 443);
1209  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
1210  "192.168.1.1", "192.168.1.5", 443, 51251);
1211  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
1212  "192.168.1.1", "192.168.1.5", 443, 51251);
1213 
1214  FLOW_INITIALIZE(&f);
1215  f.flags |= FLOW_IPV4;
1216  f.proto = IPPROTO_TCP;
1218  f.alproto = ALPROTO_TLS;
1219 
1220  p1->flow = &f;
1224  p1->pcap_cnt = 1;
1225 
1226  p2->flow = &f;
1230  p2->pcap_cnt = 2;
1231 
1232  p3->flow = &f;
1236  p3->pcap_cnt = 3;
1237 
1239 
1241  FAIL_IF_NULL(de_ctx);
1242 
1243  de_ctx->flags |= DE_QUIET;
1244 
1245  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
1246  "(msg:\"Test tls_cert_notbefore\"; "
1247  "tls_cert_notbefore:<2016-07-20; sid:1;)");
1248  FAIL_IF_NULL(s);
1249 
1250  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
1251  "(msg:\"Test tls_cert_notafter\"; "
1252  "tls_cert_notafter:>2016-09-01; sid:2;)");
1253  FAIL_IF_NULL(s);
1254 
1255  SigGroupBuild(de_ctx);
1256  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1257 
1258  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
1259  STREAM_TOSERVER, client_hello,
1260  sizeof(client_hello));
1261 
1262  FAIL_IF(r != 0);
1263 
1264  ssl_state = f.alstate;
1265  FAIL_IF_NULL(ssl_state);
1266 
1267  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
1268 
1269  FAIL_IF(PacketAlertCheck(p1, 1));
1270  FAIL_IF(PacketAlertCheck(p1, 2));
1271 
1272  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
1273  server_hello, sizeof(server_hello));
1274 
1275  FAIL_IF(r != 0);
1276 
1277  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
1278 
1279  FAIL_IF(PacketAlertCheck(p2, 1));
1280  FAIL_IF(PacketAlertCheck(p2, 2));
1281 
1282  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
1283  certificate, sizeof(certificate));
1284 
1285  FAIL_IF(r != 0);
1286 
1287  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
1288 
1289  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
1290  FAIL_IF_NOT(PacketAlertCheck(p3, 2));
1291 
1292  AppLayerParserThreadCtxFree(alp_tctx);
1293  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1294  DetectEngineCtxFree(de_ctx);
1295 
1297  FLOW_DESTROY(&f);
1298  UTHFreePacket(p1);
1299  UTHFreePacket(p2);
1300  UTHFreePacket(p3);
1301 
1302  PASS;
1303 }
1304 
1305 /**
1306  * \test Test matching on an expired certificate.
1307  *
1308  * Traffic from expired.badssl.com
1309  *
1310  * \retval 1 on success.
1311  * \retval 0 on failure.
1312  */
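static int ExpiredTestDetect01(void)
{
    /*
     * Feeds three captured TLS records (client hello, server hello,
     * certificate) through the TLS app-layer parser and checks that a
     * `tls_cert_expired` rule (sid 1) stays silent on the first two packets
     * and alerts on the packet that delivers the server certificate.
     *
     * The certificate's Validity field encodes notBefore 150409000000Z and
     * notAfter 150412235959Z, while the flow timestamp is pinned to
     * 2016-09-27. Presumably the keyword compares against that flow time
     * rather than the wall clock, which would keep the result independent of
     * when the test runs; the match function is not part of this view.
     *
     * NOTE(review): the rendered listing this function was taken from skips
     * several original lines (its line numbering has gaps). `alp_tctx` and
     * `de_ctx` are used below but their declarations are not shown, and
     * `ssn` is zeroed but never referenced again in the visible lines.
     * Restore the skipped lines from the upstream file before building.
     */

    /* client hello; the server_name extension spells "expired.badssl.com" */
    uint8_t client_hello[] = {
            0x16, 0x03, 0x03, 0x00, 0x5a, 0x01, 0x00, 0x00,
            0x56, 0x03, 0x03, 0x62, 0x87, 0xa4, 0x11, 0x3e,
            0x11, 0x32, 0x7d, 0xbc, 0x5b, 0x63, 0xb7, 0xaf,
            0x55, 0x8d, 0x46, 0x5b, 0x8f, 0xac, 0x50, 0x02,
            0x90, 0xe3, 0x55, 0x03, 0xfe, 0xad, 0xa6, 0x92,
            0x56, 0x75, 0xf9, 0x00, 0x00, 0x08, 0x00, 0x35,
            0x00, 0x2f, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00,
            0x00, 0x25, 0x00, 0x00, 0x00, 0x17, 0x00, 0x15,
            0x00, 0x00, 0x12, 0x65, 0x78, 0x70, 0x69, 0x72,
            0x65, 0x64, 0x2e, 0x62, 0x61, 0x64, 0x73, 0x73,
            0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x0d, 0x00,
            0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01
    };

    /* server hello */
    uint8_t server_hello[] = {
            0x16, 0x03, 0x03, 0x00, 0x55, 0x02, 0x00, 0x00,
            0x51, 0x03, 0x03, 0x22, 0xa1, 0xd8, 0xd0, 0x3c,
            0x8d, 0x32, 0x7e, 0x4f, 0x60, 0x27, 0xf6, 0x0c,
            0x99, 0x7a, 0x8e, 0x6e, 0x52, 0xa5, 0xf4, 0x20,
            0x2e, 0xa1, 0xa4, 0x0b, 0xd5, 0x80, 0x9b, 0xec,
            0xbd, 0x2c, 0x6c, 0x20, 0x7a, 0x9b, 0xcc, 0x6b,
            0xbf, 0x3d, 0xfc, 0x7c, 0x31, 0x78, 0x65, 0x1e,
            0xcc, 0x41, 0x0b, 0x8b, 0x3d, 0x4e, 0xde, 0x45,
            0xe5, 0x20, 0xf5, 0xbd, 0x8e, 0x99, 0xce, 0xc2,
            0xad, 0x88, 0x08, 0x27, 0x00, 0x2f, 0x00, 0x00,
            0x09, 0x00, 0x00, 0x00, 0x00, 0xff, 0x01, 0x00,
            0x01, 0x00
    };

    /* certificate */
    uint8_t certificate[] = {
            0x16, 0x03, 0x03, 0x05, 0x59, 0x0b, 0x00, 0x05,
            0x55, 0x00, 0x05, 0x52, 0x00, 0x05, 0x4f, 0x30,
            0x82, 0x05, 0x4b, 0x30, 0x82, 0x04, 0x33, 0xa0,
            0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x4a, 0xe7,
            0x95, 0x49, 0xfa, 0x9a, 0xbe, 0x3f, 0x10, 0x0f,
            0x17, 0xa4, 0x78, 0xe1, 0x69, 0x09, 0x30, 0x0d,
            0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
            0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x90,
            0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
            0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x1b, 0x30,
            0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x12,
            0x47, 0x72, 0x65, 0x61, 0x74, 0x65, 0x72, 0x20,
            0x4d, 0x61, 0x6e, 0x63, 0x68, 0x65, 0x73, 0x74,
            0x65, 0x72, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
            0x55, 0x04, 0x07, 0x13, 0x07, 0x53, 0x61, 0x6c,
            0x66, 0x6f, 0x72, 0x64, 0x31, 0x1a, 0x30, 0x18,
            0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x43,
            0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, 0x43, 0x41,
            0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64,
            0x31, 0x36, 0x30, 0x34, 0x06, 0x03, 0x55, 0x04,
            0x03, 0x13, 0x2d, 0x43, 0x4f, 0x4d, 0x4f, 0x44,
            0x4f, 0x20, 0x52, 0x53, 0x41, 0x20, 0x44, 0x6f,
            0x6d, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x61, 0x6c,
            0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20,
            0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x53,
            0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x41,
            /* Validity: two UTCTime values (tag 0x17, length 0x0d),
             * "150409000000Z" then "150412235959Z" */
            0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34,
            0x30, 0x39, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
            0x5a, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x31,
            0x32, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a,
            0x30, 0x59, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03,
            0x55, 0x04, 0x0b, 0x13, 0x18, 0x44, 0x6f, 0x6d,
            0x61, 0x69, 0x6e, 0x20, 0x43, 0x6f, 0x6e, 0x74,
            0x72, 0x6f, 0x6c, 0x20, 0x56, 0x61, 0x6c, 0x69,
            0x64, 0x61, 0x74, 0x65, 0x64, 0x31, 0x1d, 0x30,
            0x1b, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x14,
            0x50, 0x6f, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65,
            0x53, 0x53, 0x4c, 0x20, 0x57, 0x69, 0x6c, 0x64,
            0x63, 0x61, 0x72, 0x64, 0x31, 0x15, 0x30, 0x13,
            0x06, 0x03, 0x55, 0x04, 0x03, 0x14, 0x0c, 0x2a,
            0x2e, 0x62, 0x61, 0x64, 0x73, 0x73, 0x6c, 0x2e,
            0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30,
            0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
            0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
            0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
            0x82, 0x01, 0x01, 0x00, 0xc2, 0x04, 0xec, 0xf8,
            0x8c, 0xee, 0x04, 0xc2, 0xb3, 0xd8, 0x50, 0xd5,
            0x70, 0x58, 0xcc, 0x93, 0x18, 0xeb, 0x5c, 0xa8,
            0x68, 0x49, 0xb0, 0x22, 0xb5, 0xf9, 0x95, 0x9e,
            0xb1, 0x2b, 0x2c, 0x76, 0x3e, 0x6c, 0xc0, 0x4b,
            0x60, 0x4c, 0x4c, 0xea, 0xb2, 0xb4, 0xc0, 0x0f,
            0x80, 0xb6, 0xb0, 0xf9, 0x72, 0xc9, 0x86, 0x02,
            0xf9, 0x5c, 0x41, 0x5d, 0x13, 0x2b, 0x7f, 0x71,
            0xc4, 0x4b, 0xbc, 0xe9, 0x94, 0x2e, 0x50, 0x37,
            0xa6, 0x67, 0x1c, 0x61, 0x8c, 0xf6, 0x41, 0x42,
            0xc5, 0x46, 0xd3, 0x16, 0x87, 0x27, 0x9f, 0x74,
            0xeb, 0x0a, 0x9d, 0x11, 0x52, 0x26, 0x21, 0x73,
            0x6c, 0x84, 0x4c, 0x79, 0x55, 0xe4, 0xd1, 0x6b,
            0xe8, 0x06, 0x3d, 0x48, 0x15, 0x52, 0xad, 0xb3,
            0x28, 0xdb, 0xaa, 0xff, 0x6e, 0xff, 0x60, 0x95,
            0x4a, 0x77, 0x6b, 0x39, 0xf1, 0x24, 0xd1, 0x31,
            0xb6, 0xdd, 0x4d, 0xc0, 0xc4, 0xfc, 0x53, 0xb9,
            0x6d, 0x42, 0xad, 0xb5, 0x7c, 0xfe, 0xae, 0xf5,
            0x15, 0xd2, 0x33, 0x48, 0xe7, 0x22, 0x71, 0xc7,
            0xc2, 0x14, 0x7a, 0x6c, 0x28, 0xea, 0x37, 0x4a,
            0xdf, 0xea, 0x6c, 0xb5, 0x72, 0xb4, 0x7e, 0x5a,
            0xa2, 0x16, 0xdc, 0x69, 0xb1, 0x57, 0x44, 0xdb,
            0x0a, 0x12, 0xab, 0xde, 0xc3, 0x0f, 0x47, 0x74,
            0x5c, 0x41, 0x22, 0xe1, 0x9a, 0xf9, 0x1b, 0x93,
            0xe6, 0xad, 0x22, 0x06, 0x29, 0x2e, 0xb1, 0xba,
            0x49, 0x1c, 0x0c, 0x27, 0x9e, 0xa3, 0xfb, 0x8b,
            0xf7, 0x40, 0x72, 0x00, 0xac, 0x92, 0x08, 0xd9,
            0x8c, 0x57, 0x84, 0x53, 0x81, 0x05, 0xcb, 0xe6,
            0xfe, 0x6b, 0x54, 0x98, 0x40, 0x27, 0x85, 0xc7,
            0x10, 0xbb, 0x73, 0x70, 0xef, 0x69, 0x18, 0x41,
            0x07, 0x45, 0x55, 0x7c, 0xf9, 0x64, 0x3f, 0x3d,
            0x2c, 0xc3, 0xa9, 0x7c, 0xeb, 0x93, 0x1a, 0x4c,
            0x86, 0xd1, 0xca, 0x85, 0x02, 0x03, 0x01, 0x00,
            0x01, 0xa3, 0x82, 0x01, 0xd5, 0x30, 0x82, 0x01,
            0xd1, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
            0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x90, 0xaf,
            0x6a, 0x3a, 0x94, 0x5a, 0x0b, 0xd8, 0x90, 0xea,
            0x12, 0x56, 0x73, 0xdf, 0x43, 0xb4, 0x3a, 0x28,
            0xda, 0xe7, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
            0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d, 0xee, 0xc1,
            0x7b, 0x81, 0x0b, 0x3a, 0x47, 0x69, 0x71, 0x18,
            0x7d, 0x11, 0x37, 0x93, 0xbc, 0xa5, 0x1b, 0x3f,
            0xfb, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f,
            0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05,
            0xa0, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
            0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30,
            0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16,
            0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
            0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06,
            0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x4f,
            0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x48, 0x30,
            0x46, 0x30, 0x3a, 0x06, 0x0b, 0x2b, 0x06, 0x01,
            0x04, 0x01, 0xb2, 0x31, 0x01, 0x02, 0x02, 0x07,
            0x30, 0x2b, 0x30, 0x29, 0x06, 0x08, 0x2b, 0x06,
            0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1d,
            0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f,
            0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x2e, 0x63,
            0x6f, 0x6d, 0x6f, 0x64, 0x6f, 0x2e, 0x63, 0x6f,
            0x6d, 0x2f, 0x43, 0x50, 0x53, 0x30, 0x08, 0x06,
            0x06, 0x67, 0x81, 0x0c, 0x01, 0x02, 0x01, 0x30,
            0x54, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x4d,
            0x30, 0x4b, 0x30, 0x49, 0xa0, 0x47, 0xa0, 0x45,
            0x86, 0x43, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
            0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
            0x6f, 0x64, 0x6f, 0x63, 0x61, 0x2e, 0x63, 0x6f,
            0x6d, 0x2f, 0x43, 0x4f, 0x4d, 0x4f, 0x44, 0x4f,
            0x52, 0x53, 0x41, 0x44, 0x6f, 0x6d, 0x61, 0x69,
            0x6e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74,
            0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63, 0x75, 0x72,
            0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43,
            0x41, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x81, 0x85,
            0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
            0x01, 0x01, 0x04, 0x79, 0x30, 0x77, 0x30, 0x4f,
            0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
            0x30, 0x02, 0x86, 0x43, 0x68, 0x74, 0x74, 0x70,
            0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x74, 0x2e, 0x63,
            0x6f, 0x6d, 0x6f, 0x64, 0x6f, 0x63, 0x61, 0x2e,
            0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x4f, 0x4d, 0x4f,
            0x44, 0x4f, 0x52, 0x53, 0x41, 0x44, 0x6f, 0x6d,
            0x61, 0x69, 0x6e, 0x56, 0x61, 0x6c, 0x69, 0x64,
            0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63,
            0x75, 0x72, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65,
            0x72, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x74, 0x30,
            0x24, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
            0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74,
            0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70,
            0x2e, 0x63, 0x6f, 0x6d, 0x6f, 0x64, 0x6f, 0x63,
            0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x23, 0x06,
            0x03, 0x55, 0x1d, 0x11, 0x04, 0x1c, 0x30, 0x1a,
            0x82, 0x0c, 0x2a, 0x2e, 0x62, 0x61, 0x64, 0x73,
            0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0a,
            0x62, 0x61, 0x64, 0x73, 0x73, 0x6c, 0x2e, 0x63,
            0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
            0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
            0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6a, 0x7a,
            0xf1, 0xda, 0xff, 0x03, 0x07, 0x72, 0x78, 0xc5,
            0x66, 0xa1, 0x4f, 0x46, 0x43, 0x0e, 0x5f, 0x14,
            0x21, 0x8c, 0x75, 0x1a, 0xeb, 0x36, 0xe0, 0x1f,
            0xa4, 0x10, 0x15, 0xec, 0xda, 0x33, 0x25, 0x7c,
            0x3b, 0xb5, 0x0a, 0xc7, 0x01, 0x38, 0x3d, 0x27,
            0xfd, 0x58, 0xd9, 0xcc, 0xea, 0x2d, 0x69, 0x39,
            0x7c, 0xbe, 0x97, 0xef, 0x0b, 0xd6, 0x0b, 0x58,
            0xe7, 0x8c, 0x7f, 0xbf, 0xb3, 0x4c, 0x1d, 0xf3,
            0xb7, 0x90, 0x80, 0xa6, 0x36, 0x7c, 0x14, 0x5b,
            0xec, 0x07, 0x2d, 0x02, 0x3e, 0x1b, 0x5b, 0x63,
            0x5b, 0x15, 0xab, 0x00, 0xfa, 0x1f, 0x3b, 0x19,
            0x2d, 0xdf, 0xe2, 0x23, 0x10, 0x11, 0x07, 0x7e,
            0x72, 0x7f, 0xe2, 0xbf, 0xb7, 0x00, 0x1b, 0x98,
            0x2f, 0x2c, 0x3f, 0xce, 0x85, 0x9a, 0x27, 0x8c,
            0x10, 0x22, 0x08, 0x41, 0x2b, 0x8a, 0x3e, 0x82,
            0x4e, 0xfc, 0xdd, 0x21, 0xc6, 0x56, 0x74, 0x70,
            0xa4, 0x34, 0xf2, 0xb1, 0x40, 0x9e, 0x2b, 0x58,
            0xa2, 0x59, 0x0f, 0x1d, 0x48, 0xef, 0xeb, 0x11,
            0x3e, 0xc1, 0x4a, 0x9e, 0xbc, 0x65, 0x55, 0x6d,
            0xc6, 0xa3, 0xef, 0xd5, 0xd4, 0x96, 0xcd, 0xf1,
            0xae, 0x27, 0xf7, 0xa4, 0x57, 0x14, 0x3c, 0x94,
            0x41, 0x05, 0x7a, 0x8b, 0xa1, 0x37, 0x47, 0xd7,
            0xf5, 0x7d, 0xdc, 0xfa, 0xce, 0x6f, 0x31, 0xa2,
            0xb0, 0x8c, 0xea, 0xcc, 0x12, 0x9b, 0x22, 0xf1,
            0x34, 0x70, 0xcf, 0x7d, 0x75, 0x4a, 0x8b, 0x68,
            0x29, 0x0c, 0x1e, 0xe9, 0x96, 0xa8, 0xcf, 0xb0,
            0x12, 0x1f, 0x5c, 0x2a, 0xee, 0x67, 0x2f, 0x7f,
            0xbd, 0x73, 0xf3, 0x5a, 0x01, 0x22, 0x0c, 0x70,
            0xfa, 0xcd, 0x45, 0xef, 0x78, 0x5c, 0xce, 0x0d,
            0xfa, 0x4e, 0xe1, 0xef, 0xce, 0x65, 0x9f, 0x47,
            0x0c, 0x4f, 0xbb, 0x36, 0x44, 0x68, 0x56, 0x5c,
            0x56, 0x59, 0xad, 0xaa, 0x8a, 0xbc,
    };

    Flow f;
    SSLState *ssl_state = NULL;
    TcpSession ssn;
    Packet *p1 = NULL;
    Packet *p2 = NULL;
    Packet *p3 = NULL;
    Signature *s = NULL;
    ThreadVars tv;
    DetectEngineThreadCtx *det_ctx = NULL;

    memset(&tv, 0, sizeof(ThreadVars));
    memset(&f, 0, sizeof(Flow));
    memset(&ssn, 0, sizeof(TcpSession));

    /* One packet per record: p1 client -> server, p2 and p3 server -> client. */
    p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
                            "192.168.1.5", "192.168.1.1", 51251, 443);
    p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
                            "192.168.1.1", "192.168.1.5", 443, 51251);
    p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
                            "192.168.1.1", "192.168.1.5", 443, 51251);

    /* Fail the test cleanly instead of dereferencing a packet that could not
     * be built; the packets are written to just below. */
    FAIL_IF_NULL(p1);
    FAIL_IF_NULL(p2);
    FAIL_IF_NULL(p3);

    FLOW_INITIALIZE(&f);
    f.flags |= FLOW_IPV4;
    f.proto = IPPROTO_TCP;
    f.alproto = ALPROTO_TLS;

    p1->flow = &f;
    p1->pcap_cnt = 1;

    p2->flow = &f;
    p2->pcap_cnt = 2;

    p3->flow = &f;
    p3->pcap_cnt = 3;

    /* Fixed flow time, well after the certificate's notAfter date. */
    f.lastts.tv_sec = 1474978656; /* 2016-09-27 */

    /* NOTE(review): de_ctx is not declared in the visible lines. */
    FAIL_IF_NULL(de_ctx);

    de_ctx->flags |= DE_QUIET;

    s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
                              "(msg:\"Test tls_cert_expired\"; "
                              "tls_cert_expired; sid:1;)");
    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
    /* det_ctx starts out NULL; stop here if the init call did not fill it in
     * rather than handing NULL to SigMatchSignatures(). */
    FAIL_IF_NULL(det_ctx);

    /* Client hello: no certificate seen yet, so sid 1 must not fire.
     * NOTE(review): alp_tctx is not declared in the visible lines. */
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
                                client_hello, sizeof(client_hello));

    FAIL_IF(r != 0);

    ssl_state = f.alstate;
    FAIL_IF_NULL(ssl_state);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p1);

    FAIL_IF(PacketAlertCheck(p1, 1));

    /* Server hello: still no certificate, still no alert expected. */
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                            server_hello, sizeof(server_hello));

    FAIL_IF(r != 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p2);

    FAIL_IF(PacketAlertCheck(p2, 1));

    /* Certificate record: the expired certificate must raise sid 1. */
    r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
                            certificate, sizeof(certificate));

    FAIL_IF(r != 0);

    SigMatchSignatures(&tv, de_ctx, det_ctx, p3);

    FAIL_IF_NOT(PacketAlertCheck(p3, 1));

    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    DetectEngineCtxFree(de_ctx);

    FLOW_DESTROY(&f);
    UTHFreePacket(p1);
    UTHFreePacket(p2);
    UTHFreePacket(p3);

    PASS;
}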
1628 
1629 /**
1630  * \test Test matching on a valid TLS certificate.
1631  *
1632  * \retval 1 on success.
1633  * \retval 0 on failure.
1634  */
1635 static int ValidTestDetect01(void)
1636 {
1637  /* client hello */
1638  uint8_t client_hello[] = {
1639  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
1640  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
1641  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
1642  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
1643  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
1644  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
1645  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
1646  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
1647  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
1648  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
1649  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
1650  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
1651  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
1652  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
1653  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
1654  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
1655  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
1656  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
1657  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
1658  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
1659  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
1660  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
1661  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
1662  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
1663  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
1664  0x03, 0x04, 0x02, 0x02, 0x02
1665  };
1666 
1667  /* server hello */
1668  uint8_t server_hello[] = {
1669  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
1670  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
1671  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
1672  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
1673  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
1674  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
1675  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
1676  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
1677  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
1678  0x0b, 0x00, 0x02, 0x01, 0x00
1679  };
1680 
1681  /* certificate */
1682  uint8_t certificate[] = {
1683  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
1684  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
1685  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
1686  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
1687  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
1688  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
1689  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
1690  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
1691  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
1692  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
1693  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
1694  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
1695  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
1696  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
1697  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
1698  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
1699  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
1700  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
1701  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
1702  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
1703  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
1704  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
1705  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1706  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
1707  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
1708  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
1709  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
1710  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
1711  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
1712  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
1713  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
1714  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
1715  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
1716  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
1717  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
1718  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
1719  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
1720  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
1721  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
1722  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
1723  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
1724  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
1725  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
1726  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
1727  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
1728  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
1729  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
1730  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
1731  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
1732  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
1733  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
1734  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
1735  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
1736  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
1737  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
1738  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
1739  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
1740  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
1741  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
1742  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
1743  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
1744  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
1745  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
1746  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
1747  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
1748  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
1749  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
1750  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
1751  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
1752  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
1753  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
1754  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
1755  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
1756  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
1757  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
1758  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
1759  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
1760  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
1761  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
1762  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
1763  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
1764  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
1765  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
1766  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
1767  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
1768  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
1769  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
1770  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
1771  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
1772  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
1773  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
1774  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
1775  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
1776  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
1777  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
1778  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
1779  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
1780  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
1781  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
1782  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
1783  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
1784  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
1785  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
1786  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
1787  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
1788  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
1789  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
1790  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
1791  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
1792  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
1793  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
1794  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
1795  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
1796  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
1797  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
1798  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
1799  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
1800  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
1801  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
1802  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
1803  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
1804  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
1805  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
1806  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
1807  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
1808  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
1809  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
1810  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
1811  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
1812  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
1813  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
1814  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
1815  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
1816  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
1817  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
1818  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
1819  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
1820  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
1821  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
1822  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
1823  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
1824  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
1825  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
1826  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
1827  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
1828  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
1829  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
1830  };
1831 
1832  Flow f;
1833  SSLState *ssl_state = NULL;
1834  TcpSession ssn;
1835  Packet *p1 = NULL;
1836  Packet *p2 = NULL;
1837  Packet *p3 = NULL;
1838  Signature *s = NULL;
1839  ThreadVars tv;
1840  DetectEngineThreadCtx *det_ctx = NULL;
1842 
1843  memset(&tv, 0, sizeof(ThreadVars));
1844  memset(&f, 0, sizeof(Flow));
1845  memset(&ssn, 0, sizeof(TcpSession));
1846 
1847  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
1848  "192.168.1.5", "192.168.1.1", 51251, 443);
1849  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
1850  "192.168.1.1", "192.168.1.5", 443, 51251);
1851  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
1852  "192.168.1.1", "192.168.1.5", 443, 51251);
1853 
1854  FLOW_INITIALIZE(&f);
1855  f.flags |= FLOW_IPV4;
1856  f.proto = IPPROTO_TCP;
1858  f.alproto = ALPROTO_TLS;
1859 
1860  p1->flow = &f;
1864  p1->pcap_cnt = 1;
1865 
1866  p2->flow = &f;
1870  p2->pcap_cnt = 2;
1871 
1872  p3->flow = &f;
1876  p3->pcap_cnt = 3;
1877 
1878  f.lastts.tv_sec = 1474978656; /* 2016-09-27 */
1879 
1881 
1883  FAIL_IF_NULL(de_ctx);
1884 
1885  de_ctx->flags |= DE_QUIET;
1886 
1887  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
1888  "(msg:\"Test tls_cert_valid\"; "
1889  "tls_cert_valid; sid:1;)");
1890  FAIL_IF_NULL(s);
1891 
1892  SigGroupBuild(de_ctx);
1893  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1894 
1895  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
1896  client_hello, sizeof(client_hello));
1897 
1898  FAIL_IF(r != 0);
1899 
1900  ssl_state = f.alstate;
1901  FAIL_IF_NULL(ssl_state);
1902 
1903  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
1904 
1905  FAIL_IF(PacketAlertCheck(p1, 1));
1906 
1907  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
1908  server_hello, sizeof(server_hello));
1909 
1910  FAIL_IF(r != 0);
1911 
1912  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
1913 
1914  FAIL_IF(PacketAlertCheck(p2, 1));
1915 
1916  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
1917  certificate, sizeof(certificate));
1918 
1919  FAIL_IF(r != 0);
1920 
1921  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
1922 
1923  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
1924 
1925  AppLayerParserThreadCtxFree(alp_tctx);
1926  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1927  DetectEngineCtxFree(de_ctx);
1928 
1930  FLOW_DESTROY(&f);
1931  UTHFreePacket(p1);
1932  UTHFreePacket(p2);
1933  UTHFreePacket(p3);
1934 
1935  PASS;
1936 }
1937 
1938 #endif /* UNITTESTS */
1939 
/**
 * \brief Register unit tests for tls_cert_notbefore.
 *
 * Registers the odd-numbered ValidityTestParse cases followed by
 * ValidityTestDetect01, in that order. When UNITTESTS is not defined
 * the function body is empty.
 */
void TlsNotBeforeRegisterTests(void)
{
#if defined(UNITTESTS)
    /* Name/function pairs, handed to UtRegisterTest() in the order listed. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "ValidityTestParse01", ValidityTestParse01 },
        { "ValidityTestParse03", ValidityTestParse03 },
        { "ValidityTestParse05", ValidityTestParse05 },
        { "ValidityTestParse07", ValidityTestParse07 },
        { "ValidityTestParse09", ValidityTestParse09 },
        { "ValidityTestParse11", ValidityTestParse11 },
        { "ValidityTestParse13", ValidityTestParse13 },
        { "ValidityTestParse15", ValidityTestParse15 },
        { "ValidityTestParse17", ValidityTestParse17 },
        { "ValidityTestParse19", ValidityTestParse19 },
        { "ValidityTestParse21", ValidityTestParse21 },
        { "ValidityTestParse23", ValidityTestParse23 },
        { "ValidityTestDetect01", ValidityTestDetect01 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
#endif /* UNITTESTS */
}
1961 
/**
 * \brief Register unit tests for tls_cert_notafter.
 *
 * Registers the even-numbered ValidityTestParse cases (02 through 22),
 * in ascending order. When UNITTESTS is not defined the function body
 * is empty.
 */
void TlsNotAfterRegisterTests(void)
{
#if defined(UNITTESTS)
    /* Name/function pairs, handed to UtRegisterTest() in the order listed. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "ValidityTestParse02", ValidityTestParse02 },
        { "ValidityTestParse04", ValidityTestParse04 },
        { "ValidityTestParse06", ValidityTestParse06 },
        { "ValidityTestParse08", ValidityTestParse08 },
        { "ValidityTestParse10", ValidityTestParse10 },
        { "ValidityTestParse12", ValidityTestParse12 },
        { "ValidityTestParse14", ValidityTestParse14 },
        { "ValidityTestParse16", ValidityTestParse16 },
        { "ValidityTestParse18", ValidityTestParse18 },
        { "ValidityTestParse20", ValidityTestParse20 },
        { "ValidityTestParse22", ValidityTestParse22 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
#endif /* UNITTESTS */
}
1981 
/**
 * \brief Register unit tests for tls_cert_expired.
 *
 * Registers the single detection test ExpiredTestDetect01. When
 * UNITTESTS is not defined the function body is empty.
 */
void TlsExpiredRegisterTests(void)
{
#if defined(UNITTESTS)
    /* Only one test exists for this keyword. */
    int (*const detect_test)(void) = ExpiredTestDetect01;

    UtRegisterTest("ExpiredTestDetect01", detect_test);
#endif /* UNITTESTS */
}
1991 
/**
 * \brief Register unit tests for tls_cert_valid.
 *
 * Registers the single detection test ValidTestDetect01. When
 * UNITTESTS is not defined the function body is empty.
 */
void TlsValidRegisterTests(void)
{
#if defined(UNITTESTS)
    /* Only one test exists for this keyword. */
    int (*const detect_test)(void) = ValidTestDetect01;

    UtRegisterTest("ValidTestDetect01", detect_test);
#endif /* UNITTESTS */
}