suricata
detect-tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2011-2012 ANSSI
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  * 3. The name of the author may not be used to endorse or promote products
14  * derived from this software without specific prior written permission.
15  *
16  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
17  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
18  * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
19  * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
20  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22  * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23  * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  */
27 
28 /**
29  * \file
30  *
31  * \author Pierre Chifflier <pierre.chifflier@ssi.gouv.fr>
32  *
33  * Implements the tls.* keywords
34  */
35 
36 #include "suricata-common.h"
37 #include "threads.h"
38 #include "debug.h"
39 #include "decode.h"
40 
41 #include "detect.h"
42 #include "detect-parse.h"
43 
44 #include "detect-engine.h"
45 #include "detect-engine-mpm.h"
46 #include "detect-engine-state.h"
47 
48 #include "flow.h"
49 #include "flow-var.h"
50 #include "flow-util.h"
51 
52 #include "util-debug.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 
56 #include "app-layer.h"
57 
58 #include "app-layer-ssl.h"
59 #include "detect-tls.h"
60 
61 #include "stream-tcp.h"
62 
63 /**
64  * \brief Regex for parsing "id" option, matching number or "number"
65  */
66 
67 #define PARSE_REGEX "^([A-z0-9\\s\\-\\.=,\\*@]+|\"[A-z0-9\\s\\-\\.=,\\*@]+\")\\s*$"
68 #define PARSE_REGEX_FINGERPRINT "^([A-z0-9\\:\\*]+|\"[A-z0-9\\:\\* ]+\")\\s*$"
69 
70 static DetectParseRegex subject_parse_regex;
71 static DetectParseRegex issuerdn_parse_regex;
72 static DetectParseRegex fingerprint_parse_regex;
73 
74 static int DetectTlsSubjectMatch (DetectEngineThreadCtx *,
75  Flow *, uint8_t, void *, void *,
76  const Signature *, const SigMatchCtx *);
77 static int DetectTlsSubjectSetup (DetectEngineCtx *, Signature *, const char *);
78 static void DetectTlsSubjectRegisterTests(void);
79 static void DetectTlsSubjectFree(DetectEngineCtx *, void *);
80 
81 static int DetectTlsIssuerDNMatch (DetectEngineThreadCtx *,
82  Flow *, uint8_t, void *, void *,
83  const Signature *, const SigMatchCtx *);
84 static int DetectTlsIssuerDNSetup (DetectEngineCtx *, Signature *, const char *);
85 static void DetectTlsIssuerDNRegisterTests(void);
86 static void DetectTlsIssuerDNFree(DetectEngineCtx *, void *);
87 
88 static int DetectTlsFingerprintMatch (DetectEngineThreadCtx *,
89  Flow *, uint8_t, void *, void *,
90  const Signature *, const SigMatchCtx *);
91 static int DetectTlsFingerprintSetup (DetectEngineCtx *, Signature *, const char *);
92 static void DetectTlsFingerprintFree(DetectEngineCtx *, void *);
93 
94 static int DetectTlsStoreSetup (DetectEngineCtx *, Signature *, const char *);
95 static int DetectTlsStorePostMatch (DetectEngineThreadCtx *det_ctx,
96  Packet *, const Signature *s, const SigMatchCtx *unused);
97 
98 static int g_tls_cert_list_id = 0;
99 
100 static int InspectTlsCert(ThreadVars *tv,
102  const Signature *s, const SigMatchData *smd,
103  Flow *f, uint8_t flags, void *alstate,
104  void *txv, uint64_t tx_id)
105 {
106  return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
107  f, flags, alstate, txv, tx_id);
108 }
109 
110 /**
111  * \brief Registration function for keyword: tls.version
112  */
113 void DetectTlsRegister (void)
114 {
115  sigmatch_table[DETECT_AL_TLS_SUBJECT].name = "tls.subject";
116  sigmatch_table[DETECT_AL_TLS_SUBJECT].desc = "match TLS/SSL certificate Subject field";
117  sigmatch_table[DETECT_AL_TLS_SUBJECT].url = "/rules/tls-keywords.html#tls-subject";
118  sigmatch_table[DETECT_AL_TLS_SUBJECT].AppLayerTxMatch = DetectTlsSubjectMatch;
119  sigmatch_table[DETECT_AL_TLS_SUBJECT].Setup = DetectTlsSubjectSetup;
120  sigmatch_table[DETECT_AL_TLS_SUBJECT].Free = DetectTlsSubjectFree;
121  sigmatch_table[DETECT_AL_TLS_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
124 
125  sigmatch_table[DETECT_AL_TLS_ISSUERDN].name = "tls.issuerdn";
126  sigmatch_table[DETECT_AL_TLS_ISSUERDN].desc = "match TLS/SSL certificate IssuerDN field";
127  sigmatch_table[DETECT_AL_TLS_ISSUERDN].url = "/rules/tls-keywords.html#tls-issuerdn";
128  sigmatch_table[DETECT_AL_TLS_ISSUERDN].AppLayerTxMatch = DetectTlsIssuerDNMatch;
129  sigmatch_table[DETECT_AL_TLS_ISSUERDN].Setup = DetectTlsIssuerDNSetup;
130  sigmatch_table[DETECT_AL_TLS_ISSUERDN].Free = DetectTlsIssuerDNFree;
131  sigmatch_table[DETECT_AL_TLS_ISSUERDN].RegisterTests = DetectTlsIssuerDNRegisterTests;
134 
135  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].name = "tls.fingerprint";
136  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].desc = "match TLS/SSL certificate SHA1 fingerprint";
137  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].url = "/rules/tls-keywords.html#tls-fingerprint";
138  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].AppLayerTxMatch = DetectTlsFingerprintMatch;
139  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Setup = DetectTlsFingerprintSetup;
140  sigmatch_table[DETECT_AL_TLS_FINGERPRINT].Free = DetectTlsFingerprintFree;
144 
145  sigmatch_table[DETECT_AL_TLS_STORE].name = "tls_store";
147  sigmatch_table[DETECT_AL_TLS_STORE].desc = "store TLS/SSL certificate on disk";
148  sigmatch_table[DETECT_AL_TLS_STORE].url = "/rules/tls-keywords.html#tls-store";
149  sigmatch_table[DETECT_AL_TLS_STORE].Match = DetectTlsStorePostMatch;
150  sigmatch_table[DETECT_AL_TLS_STORE].Setup = DetectTlsStoreSetup;
154 
155  DetectSetupParseRegexes(PARSE_REGEX, &subject_parse_regex);
156  DetectSetupParseRegexes(PARSE_REGEX, &issuerdn_parse_regex);
157  DetectSetupParseRegexes(PARSE_REGEX_FINGERPRINT, &fingerprint_parse_regex);
158 
159  g_tls_cert_list_id = DetectBufferTypeRegister("tls_cert");
160 
163  InspectTlsCert);
164 }
165 
166 /**
167  * \brief match the specified Subject on a tls session
168  *
169  * \param t pointer to thread vars
170  * \param det_ctx pointer to the pattern matcher thread
171  * \param p pointer to the current packet
172  * \param m pointer to the sigmatch that we will cast into DetectTlsData
173  *
174  * \retval 0 no match
175  * \retval 1 match
176  */
177 static int DetectTlsSubjectMatch (DetectEngineThreadCtx *det_ctx,
178  Flow *f, uint8_t flags, void *state, void *txv,
179  const Signature *s, const SigMatchCtx *m)
180 {
181  SCEnter();
182 
183  const DetectTlsData *tls_data = (const DetectTlsData *)m;
184  SSLState *ssl_state = (SSLState *)state;
185  if (ssl_state == NULL) {
186  SCLogDebug("no tls state, no match");
187  SCReturnInt(0);
188  }
189 
190  int ret = 0;
191 
192  SSLStateConnp *connp = NULL;
193  if (flags & STREAM_TOSERVER) {
194  connp = &ssl_state->client_connp;
195  } else {
196  connp = &ssl_state->server_connp;
197  }
198 
199  if (connp->cert0_subject != NULL) {
200  SCLogDebug("TLS: Subject is [%s], looking for [%s]\n",
201  connp->cert0_subject, tls_data->subject);
202 
203  if (strstr(connp->cert0_subject, tls_data->subject) != NULL) {
204  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
205  ret = 0;
206  } else {
207  ret = 1;
208  }
209  } else {
210  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
211  ret = 1;
212  } else {
213  ret = 0;
214  }
215  }
216  } else {
217  ret = 0;
218  }
219 
220  SCReturnInt(ret);
221 }
222 
223 /**
224  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
225  *
226  * \param de_ctx Pointer to the detection engine context
227  * \param str Pointer to the user provided id option
228  *
229  * \retval id_d pointer to DetectTlsData on success
230  * \retval NULL on failure
231  */
232 static DetectTlsData *DetectTlsSubjectParse (DetectEngineCtx *de_ctx, const char *str, bool negate)
233 {
234  DetectTlsData *tls = NULL;
235  int ret = 0, res = 0;
236  int ov[MAX_SUBSTRINGS];
237  const char *str_ptr;
238  char *orig = NULL;
239  char *tmp_str;
240  uint32_t flag = 0;
241 
242  ret = DetectParsePcreExec(&subject_parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
243  if (ret != 2) {
244  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.subject option");
245  goto error;
246  }
247 
248  if (negate)
249  flag = DETECT_CONTENT_NEGATED;
250 
251  res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
252  if (res < 0) {
253  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
254  goto error;
255  }
256 
257  /* We have a correct id option */
258  tls = SCMalloc(sizeof(DetectTlsData));
259  if (unlikely(tls == NULL))
260  goto error;
261  tls->subject = NULL;
262  tls->flags = flag;
263 
264  orig = SCStrdup((char*)str_ptr);
265  if (unlikely(orig == NULL)) {
266  goto error;
267  }
268  pcre_free_substring(str_ptr);
269 
270  tmp_str=orig;
271 
272  /* Let's see if we need to escape "'s */
273  if (tmp_str[0] == '"') {
274  tmp_str[strlen(tmp_str) - 1] = '\0';
275  tmp_str += 1;
276  }
277 
278  tls->subject = SCStrdup(tmp_str);
279  if (unlikely(tls->subject == NULL)) {
280  goto error;
281  }
282 
283  SCFree(orig);
284 
285  SCLogDebug("will look for TLS subject %s", tls->subject);
286 
287  return tls;
288 
289 error:
290  if (orig != NULL)
291  SCFree(orig);
292  if (tls != NULL)
293  DetectTlsSubjectFree(de_ctx, tls);
294  return NULL;
295 
296 }
297 
298 /**
299  * \brief this function is used to add the parsed "id" option
300  * \brief into the current signature
301  *
302  * \param de_ctx pointer to the Detection Engine Context
303  * \param s pointer to the Current Signature
304  * \param idstr pointer to the user provided "id" option
305  *
306  * \retval 0 on Success
307  * \retval -1 on Failure
308  */
309 static int DetectTlsSubjectSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
310 {
311  DetectTlsData *tls = NULL;
312  SigMatch *sm = NULL;
313 
315  return -1;
316 
317  tls = DetectTlsSubjectParse(de_ctx, str, s->init_data->negated);
318  if (tls == NULL)
319  goto error;
320 
321  /* Okay so far so good, lets get this into a SigMatch
322  * and put it in the Signature. */
323  sm = SigMatchAlloc();
324  if (sm == NULL)
325  goto error;
326 
328  sm->ctx = (void *)tls;
329 
330  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
331  return 0;
332 
333 error:
334  if (tls != NULL)
335  DetectTlsSubjectFree(de_ctx, tls);
336  if (sm != NULL)
337  SCFree(sm);
338  return -1;
339 
340 }
341 
342 /**
343  * \brief this function will free memory associated with DetectTlsData
344  *
345  * \param id_d pointer to DetectTlsData
346  */
347 static void DetectTlsSubjectFree(DetectEngineCtx *de_ctx, void *ptr)
348 {
349  DetectTlsData *id_d = (DetectTlsData *)ptr;
350  if (ptr == NULL)
351  return;
352  if (id_d->subject != NULL)
353  SCFree(id_d->subject);
354  SCFree(id_d);
355 }
356 
357 /**
358  * \brief this function registers unit tests for DetectTlsSubject
359  */
360 static void DetectTlsSubjectRegisterTests(void)
361 {
362 }
363 
364 /**
365  * \brief match the specified IssuerDN on a tls session
366  *
367  * \param t pointer to thread vars
368  * \param det_ctx pointer to the pattern matcher thread
369  * \param p pointer to the current packet
370  * \param m pointer to the sigmatch that we will cast into DetectTlsData
371  *
372  * \retval 0 no match
373  * \retval 1 match
374  */
375 static int DetectTlsIssuerDNMatch (DetectEngineThreadCtx *det_ctx,
376  Flow *f, uint8_t flags, void *state, void *txv,
377  const Signature *s, const SigMatchCtx *m)
378 {
379  SCEnter();
380 
381  const DetectTlsData *tls_data = (const DetectTlsData *)m;
382  SSLState *ssl_state = (SSLState *)state;
383  if (ssl_state == NULL) {
384  SCLogDebug("no tls state, no match");
385  SCReturnInt(0);
386  }
387 
388  int ret = 0;
389 
390  SSLStateConnp *connp = NULL;
391  if (flags & STREAM_TOSERVER) {
392  connp = &ssl_state->client_connp;
393  } else {
394  connp = &ssl_state->server_connp;
395  }
396 
397  if (connp->cert0_issuerdn != NULL) {
398  SCLogDebug("TLS: IssuerDN is [%s], looking for [%s]\n",
399  connp->cert0_issuerdn, tls_data->issuerdn);
400 
401  if (strstr(connp->cert0_issuerdn, tls_data->issuerdn) != NULL) {
402  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
403  ret = 0;
404  } else {
405  ret = 1;
406  }
407  } else {
408  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
409  ret = 1;
410  } else {
411  ret = 0;
412  }
413  }
414  } else {
415  ret = 0;
416  }
417 
418  SCReturnInt(ret);
419 }
420 
421 /**
422  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
423  *
424  * \param de_ctx Pointer to the detection engine context
425  * \param str Pointer to the user provided id option
426  *
427  * \retval id_d pointer to DetectTlsData on success
428  * \retval NULL on failure
429  */
430 static DetectTlsData *DetectTlsIssuerDNParse(DetectEngineCtx *de_ctx, const char *str, bool negate)
431 {
432  DetectTlsData *tls = NULL;
433  int ret = 0, res = 0;
434  int ov[MAX_SUBSTRINGS];
435  const char *str_ptr;
436  char *orig = NULL;
437  char *tmp_str;
438  uint32_t flag = 0;
439 
440  ret = DetectParsePcreExec(&issuerdn_parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
441  if (ret != 2) {
442  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.issuerdn option");
443  goto error;
444  }
445 
446  if (negate)
447  flag = DETECT_CONTENT_NEGATED;
448 
449  res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
450  if (res < 0) {
451  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
452  goto error;
453  }
454 
455  /* We have a correct id option */
456  tls = SCMalloc(sizeof(DetectTlsData));
457  if (unlikely(tls == NULL))
458  goto error;
459  tls->issuerdn = NULL;
460  tls->flags = flag;
461 
462  orig = SCStrdup((char*)str_ptr);
463  if (unlikely(orig == NULL)) {
464  goto error;
465  }
466  pcre_free_substring(str_ptr);
467 
468  tmp_str=orig;
469 
470  /* Let's see if we need to escape "'s */
471  if (tmp_str[0] == '"')
472  {
473  tmp_str[strlen(tmp_str) - 1] = '\0';
474  tmp_str += 1;
475  }
476 
477  tls->issuerdn = SCStrdup(tmp_str);
478  if (unlikely(tls->issuerdn == NULL)) {
479  goto error;
480  }
481 
482  SCFree(orig);
483 
484  SCLogDebug("Will look for TLS issuerdn %s", tls->issuerdn);
485 
486  return tls;
487 
488 error:
489  if (orig != NULL)
490  SCFree(orig);
491  if (tls != NULL)
492  DetectTlsIssuerDNFree(de_ctx, tls);
493  return NULL;
494 
495 }
496 
497 /**
498  * \brief this function is used to add the parsed "id" option
499  * \brief into the current signature
500  *
501  * \param de_ctx pointer to the Detection Engine Context
502  * \param s pointer to the Current Signature
503  * \param idstr pointer to the user provided "id" option
504  *
505  * \retval 0 on Success
506  * \retval -1 on Failure
507  */
508 static int DetectTlsIssuerDNSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
509 {
510  DetectTlsData *tls = NULL;
511  SigMatch *sm = NULL;
512 
514  return -1;
515 
516  tls = DetectTlsIssuerDNParse(de_ctx, str, s->init_data->negated);
517  if (tls == NULL)
518  goto error;
519 
520  /* Okay so far so good, lets get this into a SigMatch
521  * and put it in the Signature. */
522  sm = SigMatchAlloc();
523  if (sm == NULL)
524  goto error;
525 
527  sm->ctx = (void *)tls;
528 
529  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
530  return 0;
531 
532 error:
533  if (tls != NULL)
534  DetectTlsIssuerDNFree(de_ctx, tls);
535  if (sm != NULL)
536  SCFree(sm);
537  return -1;
538 
539 }
540 
541 /**
542  * \brief this function will free memory associated with DetectTlsData
543  *
544  * \param id_d pointer to DetectTlsData
545  */
546 static void DetectTlsIssuerDNFree(DetectEngineCtx *de_ctx, void *ptr)
547 {
548  DetectTlsData *id_d = (DetectTlsData *)ptr;
549  SCFree(id_d->issuerdn);
550  SCFree(id_d);
551 }
552 
553 /**
554  * \brief This function is used to parse fingerprint passed via keyword: "fingerprint"
555  *
556  * \param de_ctx Pointer to the detection engine context
557  * \param str Pointer to the user provided fingerprint option
558  *
559  * \retval pointer to DetectTlsData on success
560  * \retval NULL on failure
561  */
562 static DetectTlsData *DetectTlsFingerprintParse (DetectEngineCtx *de_ctx, const char *str, bool negate)
563 {
564  DetectTlsData *tls = NULL;
565  int ret = 0, res = 0;
566  int ov[MAX_SUBSTRINGS];
567  const char *str_ptr;
568  char *orig;
569  char *tmp_str;
570  uint32_t flag = 0;
571 
572  ret = DetectParsePcreExec(&fingerprint_parse_regex, str, 0, 0, ov, MAX_SUBSTRINGS);
573  if (ret != 2) {
574  SCLogError(SC_ERR_PCRE_MATCH, "invalid tls.fingerprint option");
575  goto error;
576  }
577 
578  if (negate)
579  flag = DETECT_CONTENT_NEGATED;
580 
581  res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
582  if (res < 0) {
583  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
584  goto error;
585  }
586 
587  /* We have a correct id option */
588  tls = SCMalloc(sizeof(DetectTlsData));
589  if (unlikely(tls == NULL))
590  goto error;
591  tls->fingerprint = NULL;
592  tls->flags = flag;
593 
594  orig = SCStrdup((char*)str_ptr);
595  if (unlikely(orig == NULL)) {
596  goto error;
597  }
598  pcre_free_substring(str_ptr);
599 
600  tmp_str=orig;
601 
602  /* Let's see if we need to escape "'s */
603  if (tmp_str[0] == '"')
604  {
605  tmp_str[strlen(tmp_str) - 1] = '\0';
606  tmp_str += 1;
607  }
608 
609  tls->fingerprint = SCStrdup(tmp_str);
610  if (tls->fingerprint == NULL) {
611  SCLogError(SC_ERR_MEM_ALLOC, "Unable to allocate fingerprint");
612  }
613 
614  SCFree(orig);
615 
616  SCLogDebug("will look for TLS fingerprint %s", tls->fingerprint);
617 
618  return tls;
619 
620 error:
621  if (tls != NULL)
622  DetectTlsFingerprintFree(de_ctx, tls);
623  return NULL;
624 
625 }
626 /**
627  * \brief match the specified fingerprint on a tls session
628  *
629  * \param t pointer to thread vars
630  * \param det_ctx pointer to the pattern matcher thread
631  * \param p pointer to the current packet
632  * \param m pointer to the sigmatch that we will cast into DetectTlsData
633  *
634  * \retval 0 no match
635  * \retval 1 match
636  */
637 static int DetectTlsFingerprintMatch (DetectEngineThreadCtx *det_ctx,
638  Flow *f, uint8_t flags, void *state, void *txv,
639  const Signature *s, const SigMatchCtx *m)
640 {
641  SCEnter();
642  const DetectTlsData *tls_data = (const DetectTlsData *)m;
643  SSLState *ssl_state = (SSLState *)state;
644  if (ssl_state == NULL) {
645  SCLogDebug("no tls state, no match");
646  SCReturnInt(0);
647  }
648 
649  int ret = 0;
650 
651  SSLStateConnp *connp = NULL;
652  if (flags & STREAM_TOSERVER) {
653  connp = &ssl_state->client_connp;
654  } else {
655  connp = &ssl_state->server_connp;
656  }
657 
658  if (connp->cert0_fingerprint != NULL) {
659  SCLogDebug("TLS: Fingerprint is [%s], looking for [%s]\n",
660  connp->cert0_fingerprint,
661  tls_data->fingerprint);
662 
663  if (tls_data->fingerprint &&
664  (strstr(connp->cert0_fingerprint,
665  tls_data->fingerprint) != NULL)) {
666  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
667  ret = 0;
668  } else {
669  ret = 1;
670 
671  }
672  } else {
673  if (tls_data->flags & DETECT_CONTENT_NEGATED) {
674  ret = 1;
675  } else {
676  ret = 0;
677  }
678  }
679  } else {
680  ret = 0;
681  }
682 
683  SCReturnInt(ret);
684 }
685 
686 /**
687  * \brief this function is used to add the parsed "fingerprint" option
688  * \brief into the current signature
689  *
690  * \param de_ctx pointer to the Detection Engine Context
691  * \param s pointer to the Current Signature
692  * \param id pointer to the user provided "fingerprint" option
693  *
694  * \retval 0 on Success
695  * \retval -1 on Failure
696  */
697 static int DetectTlsFingerprintSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
698 {
699  DetectTlsData *tls = NULL;
700  SigMatch *sm = NULL;
701 
703  return -1;
704 
705  tls = DetectTlsFingerprintParse(de_ctx, str, s->init_data->negated);
706  if (tls == NULL)
707  goto error;
708 
709  /* Okay so far so good, lets get this into a SigMatch
710  * and put it in the Signature. */
711  sm = SigMatchAlloc();
712  if (sm == NULL)
713  goto error;
714 
716  sm->ctx = (void *)tls;
717 
718  SigMatchAppendSMToList(s, sm, g_tls_cert_list_id);
719  return 0;
720 
721 error:
722  if (tls != NULL)
723  DetectTlsFingerprintFree(de_ctx, tls);
724  if (sm != NULL)
725  SCFree(sm);
726  return -1;
727 
728 }
729 
730 /**
731  * \brief this function will free memory associated with DetectTlsData
732  *
733  * \param pointer to DetectTlsData
734  */
735 static void DetectTlsFingerprintFree(DetectEngineCtx *de_ctx, void *ptr)
736 {
737  DetectTlsData *id_d = (DetectTlsData *)ptr;
738  if (id_d->fingerprint)
739  SCFree(id_d->fingerprint);
740  SCFree(id_d);
741 }
742 
743 /**
744  * \brief this function is used to add the parsed "store" option
745  * \brief into the current signature
746  *
747  * \param de_ctx pointer to the Detection Engine Context
748  * \param s pointer to the Current Signature
749  * \param idstr pointer to the user provided "store" option
750  *
751  * \retval 0 on Success
752  * \retval -1 on Failure
753  */
754 static int DetectTlsStoreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
755 {
756  SigMatch *sm = NULL;
757 
759  return -1;
760 
761  sm = SigMatchAlloc();
762  if (sm == NULL)
763  return -1;
764 
766  s->flags |= SIG_FLAG_TLSSTORE;
767 
769  return 0;
770 }
771 
772 /** \warning modifies Flow::alstate */
773 static int DetectTlsStorePostMatch (DetectEngineThreadCtx *det_ctx,
774  Packet *p, const Signature *s, const SigMatchCtx *unused)
775 {
776  SCEnter();
777 
778  if (p->flow == NULL)
779  return 0;
780 
781  SSLState *ssl_state = FlowGetAppState(p->flow);
782  if (ssl_state == NULL) {
783  SCLogDebug("no tls state, no match");
784  SCReturnInt(0);
785  }
786 
788  SCReturnInt(1);
789 }
790 
791 
792 /**
793  * \brief this function registers unit tests for DetectTlsIssuerDN
794  */
795 static void DetectTlsIssuerDNRegisterTests(void)
796 {
797 }
SigTableElmt_::url
const char * url
Definition: detect.h:1212
SSLStateConnp_::cert0_subject
char * cert0_subject
Definition: app-layer-ssl.h:202
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1468
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:233
DetectTlsData_::fingerprint
char * fingerprint
Definition: detect-tls.h:42
detect-engine.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing "id" option, matching number or "number".
Definition: detect-tls.c:67
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1209
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SSLState_::client_connp
SSLStateConnp client_connp
Definition: app-layer-ssl.h:255
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DetectTlsData_::issuerdn
char * issuerdn
Definition: detect-tls.h:41
SSLState_::server_connp
SSLStateConnp server_connp
Definition: app-layer-ssl.h:256
SSLStateConnp_
Definition: app-layer-ssl.h:179
threads.h
Flow_
Flow data structure.
Definition: flow.h:343
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1203
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
SigTableElmt_::AppLayerTxMatch
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1181
DetectTlsData_
Definition: detect-tls.h:37
m
SCMutex m
Definition: flow-hash.h:3
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
DetectTlsData_::flags
uint32_t flags
Definition: detect-tls.h:39
SIG_FLAG_TOCLIENT
#define SIG_FLAG_TOCLIENT
Definition: detect.h:237
SigMatchData_
Data needed for Match()
Definition: detect.h:328
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
util-unittest.h
SSLStateConnp_::cert0_issuerdn
char * cert0_issuerdn
Definition: app-layer-ssl.h:203
FlowGetAppState
void * FlowGetAppState(const Flow *f)
Definition: flow.c:1080
util-unittest-helper.h
DetectEngineInspectGenericList
int DetectEngineInspectGenericList(ThreadVars *tv, const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, const uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
Definition: detect-engine.c:1592
DETECT_AL_TLS_CERT_SUBJECT
@ DETECT_AL_TLS_CERT_SUBJECT
Definition: detect-engine-register.h:206
SIGMATCH_QUOTES_MANDATORY
#define SIGMATCH_QUOTES_MANDATORY
Definition: detect.h:1394
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
DetectTlsData_::subject
char * subject
Definition: detect-tls.h:40
PARSE_REGEX_FINGERPRINT
#define PARSE_REGEX_FINGERPRINT
Definition: detect-tls.c:68
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
TLS_STATE_CERT_READY
@ TLS_STATE_CERT_READY
Definition: app-layer-ssl.h:70
DETECT_AL_TLS_CERT_ISSUER
@ DETECT_AL_TLS_CERT_ISSUER
Definition: detect-engine-register.h:205
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2470
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
DETECT_AL_TLS_SUBJECT
@ DETECT_AL_TLS_SUBJECT
Definition: detect-engine-register.h:107
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1207
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
Signature_::flags
uint32_t flags
Definition: detect.h:528
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2400
Packet_
Definition: decode.h:411
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1398
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SignatureInitData_::negated
bool negated
Definition: detect.h:484
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DETECT_AL_TLS_CERT_FINGERPRINT
@ DETECT_AL_TLS_CERT_FINGERPRINT
Definition: detect-engine-register.h:208
DetectTlsRegister
void DetectTlsRegister(void)
Registration function for keyword: tls.version.
Definition: detect-tls.c:113
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:832
flags
uint8_t flags
Definition: decode-gre.h:0
SigTableElmt_::alias
const char * alias
Definition: detect.h:1210
detect-tls.h
suricata-common.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SSL_TLS_LOG_PEM
#define SSL_TLS_LOG_PEM
Definition: app-layer-ssl.h:125
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
str
#define str(s)
Definition: suricata-common.h:273
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
SSLStateConnp_::cert_log_flag
uint32_t cert_log_flag
Definition: app-layer-ssl.h:216
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
DETECT_AL_TLS_STORE
@ DETECT_AL_TLS_STORE
Definition: detect-engine-register.h:114
DETECT_AL_TLS_FINGERPRINT
@ DETECT_AL_TLS_FINGERPRINT
Definition: detect-engine-register.h:113
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1378
SSLStateConnp_::cert0_fingerprint
char * cert0_fingerprint
Definition: app-layer-ssl.h:207
SIG_FLAG_TLSSTORE
#define SIG_FLAG_TLSSTORE
Definition: detect.h:239
flow.h
DetectAppLayerInspectEngineRegister
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback)
register inspect engine at start up time
Definition: detect-engine.c:170
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
DETECT_AL_TLS_ISSUERDN
@ DETECT_AL_TLS_ISSUERDN
Definition: detect-engine-register.h:108
app-layer-ssl.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
app-layer.h