suricata
detect-tls-cert-subject.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
25 #include "detect-engine-build.h"
26 #include "detect-engine-alert.h"
27 #include "app-layer-parser.h"
28 
29 /**
30  * \test Test that a signature containing a tls.cert_subject is correctly parsed
31  * and that the keyword is registered.
32  */
33 static int DetectTlsSubjectTest01(void)
34 {
35  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
36  FAIL_IF_NULL(de_ctx);
37  de_ctx->flags |= DE_QUIET;
38 
39  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
40  "(msg:\"Testing tls.cert_subject\"; "
41  "tls.cert_subject; content:\"test\"; sid:1;)");
42  FAIL_IF_NULL(s);
43 
44  /* sm should not be in the MATCH list */
45  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
46  FAIL_IF_NOT_NULL(sm);
47 
48  sm = DetectBufferGetFirstSigMatch(s, g_tls_cert_subject_buffer_id);
49  FAIL_IF_NULL(sm);
50 
51  FAIL_IF(sm->type != DETECT_CONTENT);
52  FAIL_IF_NOT_NULL(sm->next);
53 
54  SigGroupCleanup(de_ctx);
55  DetectEngineCtxFree(de_ctx);
56 
57  PASS;
58 }
59 
60 /**
61  * \test Test matching for google in the subject of a certificate
62  *
63  */
64 static int DetectTlsSubjectTest02(void)
65 {
66  /* client hello */
67  uint8_t client_hello[] = {
68  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
69  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
70  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
71  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
72  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
73  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
74  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
75  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
76  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
77  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
78  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
79  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
80  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
81  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
82  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
83  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
84  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
85  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
86  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
87  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
88  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
89  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
90  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
91  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
92  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
93  0x03, 0x04, 0x02, 0x02, 0x02
94  };
95 
96  /* server hello */
97  uint8_t server_hello[] = {
98  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
99  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
100  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
101  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
102  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
103  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
104  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
105  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
106  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
107  0x0b, 0x00, 0x02, 0x01, 0x00
108  };
109 
110  /* certificate */
111  uint8_t certificate[] = {
112  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
113  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
114  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
115  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
116  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
117  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
118  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
119  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
120  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
121  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
122  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
123  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
124  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
125  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
126  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
127  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
128  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
129  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
130  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
131  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
132  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
133  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
134  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
135  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
136  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
137  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
138  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
139  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
140  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
141  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
142  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
143  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
144  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
145  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
146  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
147  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
148  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
149  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
150  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
151  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
152  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
153  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
154  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
155  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
156  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
157  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
158  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
159  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
160  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
161  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
162  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
163  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
164  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
165  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
166  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
167  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
168  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
169  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
170  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
171  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
172  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
173  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
174  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
175  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
176  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
177  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
178  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
179  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
180  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
181  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
182  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
183  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
184  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
185  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
186  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
187  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
188  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
189  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
190  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
191  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
192  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
193  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
194  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
195  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
196  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
197  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
198  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
199  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
200  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
201  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
202  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
203  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
204  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
205  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
206  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
207  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
208  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
209  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
210  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
211  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
212  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
213  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
214  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
215  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
216  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
217  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
218  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
219  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
220  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
221  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
222  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
223  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
224  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
225  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
226  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
227  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
228  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
229  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
230  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
231  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
232  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
233  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
234  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
235  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
236  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
237  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
238  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
239  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
240  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
241  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
242  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
243  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
244  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
245  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
246  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
247  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
248  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
249  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
250  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
251  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
252  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
253  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
254  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
255  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
256  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
257  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
258  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
259  };
260 
261  Flow f;
262  SSLState *ssl_state = NULL;
263  TcpSession ssn;
264  Packet *p1 = NULL;
265  Packet *p2 = NULL;
266  Packet *p3 = NULL;
267  ThreadVars tv;
268  DetectEngineThreadCtx *det_ctx = NULL;
269  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
270 
271  memset(&tv, 0, sizeof(ThreadVars));
272  memset(&f, 0, sizeof(Flow));
273  memset(&ssn, 0, sizeof(TcpSession));
274 
275  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
276  "192.168.1.5", "192.168.1.1", 51251, 443);
277  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
278  "192.168.1.1", "192.168.1.5", 443, 51251);
279  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
280  "192.168.1.1", "192.168.1.5", 443, 51251);
281 
282  FLOW_INITIALIZE(&f);
283  f.flags |= FLOW_IPV4;
284  f.proto = IPPROTO_TCP;
285  f.protomap = FlowGetProtoMapping(f.proto);
286  f.alproto = ALPROTO_TLS;
287 
288  p1->flow = &f;
289  p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
290  p1->flowflags |= FLOW_PKT_TOSERVER;
291  p1->flowflags |= FLOW_PKT_ESTABLISHED;
292  p1->pcap_cnt = 1;
293 
294  p2->flow = &f;
295  p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
296  p2->flowflags |= FLOW_PKT_TOCLIENT;
297  p2->flowflags |= FLOW_PKT_ESTABLISHED;
298  p2->pcap_cnt = 2;
299 
300  p3->flow = &f;
301  p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
302  p3->flowflags |= FLOW_PKT_TOCLIENT;
303  p3->flowflags |= FLOW_PKT_ESTABLISHED;
304  p3->pcap_cnt = 3;
305 
306  StreamTcpInitConfig(true);
307 
308  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
309  FAIL_IF_NULL(de_ctx);
310 
311  de_ctx->mpm_matcher = mpm_default_matcher;
312  de_ctx->flags |= DE_QUIET;
313 
314  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
315  "(msg:\"Test tls.cert_subject\"; "
316  "tls.cert_subject; content:\"google\"; nocase; "
317  "sid:1;)");
318  FAIL_IF_NULL(s);
319 
320  SigGroupBuild(de_ctx);
321  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
322 
323  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
324  STREAM_TOSERVER, client_hello,
325  sizeof(client_hello));
326 
327  FAIL_IF(r != 0);
328 
329  ssl_state = f.alstate;
330  FAIL_IF_NULL(ssl_state);
331 
332  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
333 
334  FAIL_IF(PacketAlertCheck(p1, 1));
335 
336  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
337  server_hello, sizeof(server_hello));
338 
339  FAIL_IF(r != 0);
340 
341  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
342 
343  FAIL_IF(PacketAlertCheck(p2, 1));
344 
345  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
346  certificate, sizeof(certificate));
347 
348  FAIL_IF(r != 0);
349 
350  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
351 
352  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
353 
354  if (alp_tctx != NULL)
355  AppLayerParserThreadCtxFree(alp_tctx);
356  if (det_ctx != NULL)
357  DetectEngineThreadCtxDeinit(&tv, det_ctx);
358  if (de_ctx != NULL)
359  SigGroupCleanup(de_ctx);
360  if (de_ctx != NULL)
361  DetectEngineCtxFree(de_ctx);
362 
363  StreamTcpFreeConfig(true);
364  FLOW_DESTROY(&f);
365  UTHFreePacket(p1);
366  UTHFreePacket(p2);
367  UTHFreePacket(p3);
368 
369  PASS;
370 }
371 
372 static void DetectTlsSubjectRegisterTests(void)
373 {
374  UtRegisterTest("DetectTlsSubjectTest01", DetectTlsSubjectTest01);
375  UtRegisterTest("DetectTlsSubjectTest02", DetectTlsSubjectTest02);
376 }
SSLState_
SSLv[2.0|3.[0|1|2|3]] state structure.
Definition: app-layer-ssl.h:288
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:581
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
ALPROTO_TLS
@ ALPROTO_TLS
Definition: app-layer-protos.h:33
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:607
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1895
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:354
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:842
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
app-layer-parser.h
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:97
Packet_
Definition: decode.h:437
detect-engine-build.h
detect-engine-alert.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:665
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:224
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
SigMatch_::type
uint16_t type
Definition: detect.h:351
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1304
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:596
SigMatch_
a single match condition for a signature
Definition: detect.h:350
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019