suricata
detect-tls-cert-fingerprint.c
Go to the documentation of this file.
1 /* Copyright (C) 2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 #include "detect-engine-build.h"
26 #include "app-layer-parser.h"
27 /**
28  * \test Test that a signature containing tls_cert_fingerprint is correctly parsed
29  * and that the keyword is registered.
30  */
31 static int DetectTlsFingerprintTest01(void)
32 {
33  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
34  FAIL_IF_NULL(de_ctx);
35  de_ctx->flags |= DE_QUIET;
36 
37  Signature *s = DetectEngineAppendSig(de_ctx,
38  "alert tls any any -> any any "
39  "(msg:\"Testing tls.cert_fingerprint\"; "
40  "tls.cert_fingerprint; "
41  "content:\"11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00\"; "
42  "sid:1;)");
43  FAIL_IF_NULL(s);
44 
45  /* sm should not be in the MATCH list */
46  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
47  FAIL_IF_NOT_NULL(sm);
48 
49  sm = DetectBufferGetFirstSigMatch(s, g_tls_cert_fingerprint_buffer_id);
50  FAIL_IF_NULL(sm);
51 
52  FAIL_IF(sm->type != DETECT_CONTENT);
53  FAIL_IF_NOT_NULL(sm->next);
54 
55  SigGroupCleanup(de_ctx);
56  DetectEngineCtxFree(de_ctx);
57 
58  PASS;
59 }
60 
61 /**
62  * \test Test matching for fingerprint of a certificate.
63  */
64 static int DetectTlsFingerprintTest02(void)
65 {
66  /* client hello */
67  uint8_t client_hello[] = {
68  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
69  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
70  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
71  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
72  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
73  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
74  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
75  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
76  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
77  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
78  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
79  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
80  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
81  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
82  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
83  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
84  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
85  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
86  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
87  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
88  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
89  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
90  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
91  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
92  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
93  0x03, 0x04, 0x02, 0x02, 0x02
94  };
95 
96  /* server hello */
97  uint8_t server_hello[] = {
98  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
99  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
100  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
101  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
102  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
103  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
104  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
105  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
106  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
107  0x0b, 0x00, 0x02, 0x01, 0x00
108  };
109 
110  /* certificate */
111  uint8_t certificate[] = {
112  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
113  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
114  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
115  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
116  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
117  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
118  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
119  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
120  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
121  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
122  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
123  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
124  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
125  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
126  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
127  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
128  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
129  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
130  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
131  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
132  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
133  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
134  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
135  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
136  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
137  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
138  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
139  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
140  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
141  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
142  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
143  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
144  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
145  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
146  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
147  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
148  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
149  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
150  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
151  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
152  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
153  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
154  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
155  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
156  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
157  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
158  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
159  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
160  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
161  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
162  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
163  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
164  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
165  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
166  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
167  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
168  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
169  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
170  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
171  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
172  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
173  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
174  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
175  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
176  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
177  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
178  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
179  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
180  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
181  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
182  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
183  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
184  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
185  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
186  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
187  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
188  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
189  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
190  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
191  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
192  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
193  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
194  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
195  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
196  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
197  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
198  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
199  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
200  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
201  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
202  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
203  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
204  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
205  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
206  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
207  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
208  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
209  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
210  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
211  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
212  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
213  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
214  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
215  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
216  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
217  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
218  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
219  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
220  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
221  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
222  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
223  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
224  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
225  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
226  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
227  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
228  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
229  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
230  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
231  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
232  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
233  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
234  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
235  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
236  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
237  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
238  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
239  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
240  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
241  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
242  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
243  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
244  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
245  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
246  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
247  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
248  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
249  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
250  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
251  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
252  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
253  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
254  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
255  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
256  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
257  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
258  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
259  };
260 
261  Flow f;
262  SSLState *ssl_state = NULL;
263  TcpSession ssn;
264  Packet *p1 = NULL;
265  Packet *p2 = NULL;
266  Packet *p3 = NULL;
267  ThreadVars tv;
268  DetectEngineThreadCtx *det_ctx = NULL;
269  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
270 
271  memset(&tv, 0, sizeof(ThreadVars));
272  memset(&f, 0, sizeof(Flow));
273  memset(&ssn, 0, sizeof(TcpSession));
274 
275  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
276  "192.168.1.5", "192.168.1.1", 51251, 443);
277  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
278  "192.168.1.1", "192.168.1.5", 443, 51251);
279  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
280  "192.168.1.1", "192.168.1.5", 443, 51251);
281 
282  FLOW_INITIALIZE(&f);
283  f.flags |= FLOW_IPV4;
284  f.proto = IPPROTO_TCP;
285  f.protomap = FlowGetProtoMapping(f.proto);
286  f.alproto = ALPROTO_TLS;
287 
288  p1->flow = &f;
289  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
290  p1->flowflags |= FLOW_PKT_TOSERVER;
291  p1->flowflags |= FLOW_PKT_ESTABLISHED;
292  p1->pcap_cnt = 1;
293 
294  p2->flow = &f;
295  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
296  p2->flowflags |= FLOW_PKT_TOCLIENT;
297  p2->flowflags |= FLOW_PKT_ESTABLISHED;
298  p2->pcap_cnt = 2;
299 
300  p3->flow = &f;
301  p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
302  p3->flowflags |= FLOW_PKT_TOCLIENT;
303  p3->flowflags |= FLOW_PKT_ESTABLISHED;
304  p3->pcap_cnt = 3;
305 
306  StreamTcpInitConfig(true);
307 
308  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
309  FAIL_IF_NULL(de_ctx);
310 
311  de_ctx->mpm_matcher = mpm_default_matcher;
312  de_ctx->flags |= DE_QUIET;
313 
314  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
315  "(msg:\"Test tls.cert_fingerprint\"; "
316  "tls.cert_fingerprint; "
317  "content:\"4a:a3:66:76:82:cb:6b:23:bb:c3:58:47:23:a4:63:a7:78:a4:a1:18\"; "
318  "sid:1;)");
319  FAIL_IF_NULL(s);
320 
321  SigGroupBuild(de_ctx);
322  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
323 
324  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
325  STREAM_TOSERVER, client_hello,
326  sizeof(client_hello));
327 
328  FAIL_IF(r != 0);
329 
330  ssl_state = f.alstate;
331  FAIL_IF_NULL(ssl_state);
332 
333  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
334 
335  FAIL_IF(PacketAlertCheck(p1, 1));
336 
337  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
338  server_hello, sizeof(server_hello));
339 
340  FAIL_IF(r != 0);
341 
342  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
343 
344  FAIL_IF(PacketAlertCheck(p2, 1));
345 
346  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
347  certificate, sizeof(certificate));
348 
349  FAIL_IF(r != 0);
350 
351  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
352 
353  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
354 
355  AppLayerParserThreadCtxFree(alp_tctx);
356  DetectEngineThreadCtxDeinit(&tv, det_ctx);
357  SigGroupCleanup(de_ctx);
358  DetectEngineCtxFree(de_ctx);
359  StreamTcpFreeConfig(true);
360  FLOW_DESTROY(&f);
361  UTHFreePacket(p1);
362  UTHFreePacket(p2);
363  UTHFreePacket(p3);
364 
365  PASS;
366 }
367 
368 static void DetectTlsFingerprintRegisterTests(void)
369 {
370  UtRegisterTest("DetectTlsFingerprintTest01", DetectTlsFingerprintTest01);
371  UtRegisterTest("DetectTlsFingerprintTest02", DetectTlsFingerprintTest02);
372 }
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:296
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1325
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:586
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1264
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:70
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:592
Flow_::proto
uint8_t proto
Definition: flow.h:378
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:510
Flow_
Flow data structure.
Definition: flow.h:356
Flow_::protomap
uint8_t protomap
Definition: flow.h:450
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:504
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:260
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3347
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:844
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2211
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:98
Packet_
Definition: decode.h:473
detect-engine-build.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
Packet_::flow
struct Flow_ * flow
Definition: decode.h:512
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
SigMatch_::type
uint16_t type
Definition: detect.h:350
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3574
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:481
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:601
SigMatch_
a single match condition for a signature
Definition: detect.h:349
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1261