suricata
detect-tls-cert-validity.c
1 /* Copyright (C) 2015-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Mats Klepsland <mats.klepsland@gmail.com>
22  *
23  */
24 
/**
 * \test A bare epoch value ("1430000000") must parse as an exact-match
 *       condition on that timestamp.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse01 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("1430000000");
    FAIL_IF_NULL(parsed);
    /* No operator prefix: the keyword is expected to fall back to "equal". */
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    FAIL_IF_NOT(parsed->epoch == 1430000000);
    DetectTlsValidityFree(parsed);
    PASS;
}
40 
/**
 * \test A '>' prefix (">1430000000") must parse as a greater-than
 *       condition on the given epoch.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse02 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse(">1430000000");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_GT);
    FAIL_IF_NOT(parsed->epoch == 1430000000);
    DetectTlsValidityFree(parsed);
    PASS;
}
56 
/**
 * \test A '<' prefix ("<1430000000") must parse as a less-than
 *       condition on the given epoch.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse03 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("<1430000000");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_LT);
    FAIL_IF_NOT(parsed->epoch == 1430000000);
    DetectTlsValidityFree(parsed);
    PASS;
}
72 
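/**
 * \test A range expression ("1430000000<>1470000000") must parse into a
 *       lower bound (epoch), an upper bound (epoch2) and the range mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse04 (void)
{
    DetectTlsValidityData *dd = DetectTlsValidityParse("1430000000<>1470000000");
    FAIL_IF_NULL(dd);
    /* NOTE(review): the copy this was taken from ended the condition on a
     * dangling "&&" (numbered line 85 was missing). The mode operand is
     * restored here as the keyword's range mode; confirm against upstream. */
    FAIL_IF_NOT(dd->epoch == 1430000000 && dd->epoch2 == 1470000000 &&
                dd->mode == DETECT_TLS_VALIDITY_RA);
    DetectTlsValidityFree(dd);
    PASS;
}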
89 
/**
 * \test Non-numeric, non-date input ("A") must be rejected: the parser
 *       has to return NULL instead of a match structure.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse05 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("A");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
103 
/**
 * \test Combining a comparison prefix with a range
 *       (">1430000000<>1470000000") is invalid and must be rejected.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse06 (void)
{
    DetectTlsValidityData *parsed =
            DetectTlsValidityParse(">1430000000<>1470000000");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
117 
/**
 * \test A range with no upper bound ("1430000000<>") must be rejected.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse07 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("1430000000<>");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
131 
/**
 * \test A range with no lower bound ("<>1430000000") must be rejected.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse08 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("<>1430000000");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
145 
/**
 * \test The empty string ("") must be rejected.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse09 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
159 
/**
 * \test Whitespace-only input (" ") must be rejected.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse10 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse(" ");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
173 
/**
 * \test A reversed range, where the first bound is later than the second
 *       ("1490000000<>1430000000"), must be rejected.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse11 (void)
{
    DetectTlsValidityData *parsed =
            DetectTlsValidityParse("1490000000<>1430000000");
    FAIL_IF_NOT_NULL(parsed);
    PASS;
}
187 
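/**
 * \test A range written with spaces around the operator
 *       ("1430000000 <> 1490000000") must parse like the compact form:
 *       lower bound in epoch, upper bound in epoch2, range mode.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse12 (void)
{
    DetectTlsValidityData *dd = DetectTlsValidityParse("1430000000 <> 1490000000");
    FAIL_IF_NULL(dd);
    /* NOTE(review): the copy this was taken from ended the condition on a
     * dangling "&&" (numbered line 200 was missing). The mode operand is
     * restored here as the keyword's range mode; confirm against upstream. */
    FAIL_IF_NOT(dd->epoch == 1430000000 && dd->epoch2 == 1490000000 &&
                dd->mode == DETECT_TLS_VALIDITY_RA);
    DetectTlsValidityFree(dd);
    PASS;
}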
204 
/**
 * \test Spaces after the operator and after the value ("> 1430000000 ")
 *       must be tolerated and still yield a greater-than condition.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse13 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("> 1430000000 ");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_GT);
    FAIL_IF_NOT(parsed->epoch == 1430000000);
    DetectTlsValidityFree(parsed);
    PASS;
}
220 
/**
 * \test Spaces after the operator and after the value ("< 1490000000 ")
 *       must be tolerated and still yield a less-than condition.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse14 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("< 1490000000 ");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_LT);
    FAIL_IF_NOT(parsed->epoch == 1490000000);
    DetectTlsValidityFree(parsed);
    PASS;
}
236 
/**
 * \test Leading and trailing spaces around a bare epoch (" 1490000000 ")
 *       must be tolerated and still yield an exact-match condition.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse15 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse(" 1490000000 ");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    FAIL_IF_NOT(parsed->epoch == 1490000000);
    DetectTlsValidityFree(parsed);
    PASS;
}
252 
/**
 * \test A year-month date ("2015-10") must parse as an exact-match
 *       condition on epoch 1443657600.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse16 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    /* 1443657600 is 2015-10-01 00:00:00 UTC, i.e. the omitted day and
     * time-of-day are expected to resolve to the start of the month. */
    FAIL_IF_NOT(parsed->epoch == 1443657600);
    DetectTlsValidityFree(parsed);
    PASS;
}
268 
/**
 * \test A full date with a '>' prefix (">2015-10-22") must parse as a
 *       greater-than condition on epoch 1445472000.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse17 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse(">2015-10-22");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_GT);
    FAIL_IF_NOT(parsed->epoch == 1445472000);
    DetectTlsValidityFree(parsed);
    PASS;
}
284 
/**
 * \test A date plus hour, separated by a space and prefixed with '<'
 *       ("<2015-10-22 23"), must parse as a less-than condition on
 *       epoch 1445554800.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse18 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("<2015-10-22 23");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_LT);
    FAIL_IF_NOT(parsed->epoch == 1445554800);
    DetectTlsValidityFree(parsed);
    PASS;
}
300 
/**
 * \test A date with hour and minute, separated by a space
 *       ("2015-10-22 23:59"), must parse as an exact-match condition on
 *       epoch 1445558340.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse19 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22 23:59");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    FAIL_IF_NOT(parsed->epoch == 1445558340);
    DetectTlsValidityFree(parsed);
    PASS;
}
316 
/**
 * \test A date with full time of day, separated by a space
 *       ("2015-10-22 23:59:59"), must parse as an exact-match condition
 *       on epoch 1445558399.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse20 (void)
{
    DetectTlsValidityData *parsed =
            DetectTlsValidityParse("2015-10-22 23:59:59");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    FAIL_IF_NOT(parsed->epoch == 1445558399);
    DetectTlsValidityFree(parsed);
    PASS;
}
332 
/**
 * \test The 'T' separator between date and hour ("2015-10-22T23") must be
 *       accepted and give the same epoch (1445554800) as the
 *       space-separated form.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse21 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22T23");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    FAIL_IF_NOT(parsed->epoch == 1445554800);
    DetectTlsValidityFree(parsed);
    PASS;
}
348 
/**
 * \test The 'T' separator with hour and minute ("2015-10-22T23:59") must
 *       be accepted and parse as an exact-match condition on epoch
 *       1445558340.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse22 (void)
{
    DetectTlsValidityData *parsed = DetectTlsValidityParse("2015-10-22T23:59");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    FAIL_IF_NOT(parsed->epoch == 1445558340);
    DetectTlsValidityFree(parsed);
    PASS;
}
364 
/**
 * \test The 'T' separator with full time of day ("2015-10-22T23:59:59")
 *       must be accepted and parse as an exact-match condition on epoch
 *       1445558399.
 *
 * \retval 1 on success.
 * \retval 0 on failure.
 */
static int ValidityTestParse23 (void)
{
    DetectTlsValidityData *parsed =
            DetectTlsValidityParse("2015-10-22T23:59:59");
    FAIL_IF_NULL(parsed);
    FAIL_IF_NOT(parsed->mode == DETECT_TLS_VALIDITY_EQ);
    FAIL_IF_NOT(parsed->epoch == 1445558399);
    DetectTlsValidityFree(parsed);
    PASS;
}
380 
381 /**
382  * \test Test matching on validity dates in a certificate.
383  *
384  * \retval 1 on success.
385  * \retval 0 on failure.
386  */
387 static int ValidityTestDetect01(void)
388 {
    /* Feeds one TLS handshake (ClientHello, ServerHello, Certificate) through
     * the TLS app-layer parser on a single flow and runs detection after each
     * record against two rules: sid 1 (tls_cert_notbefore:<2016-07-20) and
     * sid 2 (tls_cert_notafter:>2016-09-01).
     *
     * NOTE(review): the numbering of this listing skips lines 592, 608,
     * 612-614, 618-620, 624-626, 629, 631, 680-681 and 687, so some
     * statements are not visible here. In particular alp_tctx and de_ctx are
     * used below without a visible declaration - check the upstream file
     * before relying on this copy. */
389  /* client hello */
390  uint8_t client_hello[] = {
391  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
392  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
393  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
394  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
395  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
396  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
397  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
398  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
399  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
400  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
401  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
402  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
403  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
404  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
405  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
406  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
407  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
408  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
409  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
410  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
411  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
412  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
413  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
414  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
415  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
416  0x03, 0x04, 0x02, 0x02, 0x02
417  };
418 
419  /* server hello */
420  uint8_t server_hello[] = {
421  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
422  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
423  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
424  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
425  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
426  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
427  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
428  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
429  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
430  0x0b, 0x00, 0x02, 0x01, 0x00
431  };
432 
433  /* certificate */
    /* The Validity field of this certificate is the pair of UTCTime values
     * "160713132452Z" (notBefore) and "161005131600Z" (notAfter), visible
     * below as the two runs that start with 0x17, 0x0d. These are the dates
     * the two rules in this test compare against. */
434  uint8_t certificate[] = {
435  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
436  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
437  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
438  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
439  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
440  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
441  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
442  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
443  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
444  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
445  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
446  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
447  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
448  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
449  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
450  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
451  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
452  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
453  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
454  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
455  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
456  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
457  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
458  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
459  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
460  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
461  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
462  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
463  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
464  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
465  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
466  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
467  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
468  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
469  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
470  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
471  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
472  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
473  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
474  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
475  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
476  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
477  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
478  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
479  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
480  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
481  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
482  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
483  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
484  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
485  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
486  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
487  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
488  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
489  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
490  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
491  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
492  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
493  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
494  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
495  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
496  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
497  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
498  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
499  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
500  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
501  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
502  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
503  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
504  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
505  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
506  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
507  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
508  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
509  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
510  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
511  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
512  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
513  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
514  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
515  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
516  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
517  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
518  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
519  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
520  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
521  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
522  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
523  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
524  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
525  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
526  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
527  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
528  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
529  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
530  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
531  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
532  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
533  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
534  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
535  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
536  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
537  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
538  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
539  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
540  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
541  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
542  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
543  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
544  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
545  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
546  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
547  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
548  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
549  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
550  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
551  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
552  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
553  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
554  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
555  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
556  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
557  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
558  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
559  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
560  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
561  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
562  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
563  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
564  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
565  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
566  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
567  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
568  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
569  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
570  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
571  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
572  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
573  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
574  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
575  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
576  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
577  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
578  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
579  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
580  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
581  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
582  };
583 
584  Flow f;
585  SSLState *ssl_state = NULL;
586  TcpSession ssn;
587  Packet *p1 = NULL;
588  Packet *p2 = NULL;
589  Packet *p3 = NULL;
590  ThreadVars tv;
591  DetectEngineThreadCtx *det_ctx = NULL;
593 
594  memset(&tv, 0, sizeof(ThreadVars));
595  memset(&f, 0, sizeof(Flow));
596  memset(&ssn, 0, sizeof(TcpSession));
597 
    /* p1 carries the ClientHello from 192.168.1.5:51251 to 192.168.1.1:443;
     * p2 and p3 carry the ServerHello and Certificate in the reverse
     * direction. */
598  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
599  "192.168.1.5", "192.168.1.1", 51251, 443);
600  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
601  "192.168.1.1", "192.168.1.5", 443, 51251);
602  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
603  "192.168.1.1", "192.168.1.5", 443, 51251);
604 
    /* All three packets share one IPv4/TCP flow whose app-layer protocol is
     * set to TLS by hand. */
605  FLOW_INITIALIZE(&f);
606  f.flags |= FLOW_IPV4;
607  f.proto = IPPROTO_TCP;
609  f.alproto = ALPROTO_TLS;
610 
611  p1->flow = &f;
615  p1->pcap_cnt = 1;
616 
617  p2->flow = &f;
621  p2->pcap_cnt = 2;
622 
623  p3->flow = &f;
627  p3->pcap_cnt = 3;
628 
630 
632  FAIL_IF_NULL(de_ctx);
633 
634  de_ctx->flags |= DE_QUIET;
635 
    /* sid 1: certificate notBefore earlier than 2016-07-20. */
636  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
637  "(msg:\"Test tls_cert_notbefore\"; "
638  "tls_cert_notbefore:<2016-07-20; sid:1;)");
639  FAIL_IF_NULL(s);
640 
    /* sid 2: certificate notAfter later than 2016-09-01. */
641  s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
642  "(msg:\"Test tls_cert_notafter\"; "
643  "tls_cert_notafter:>2016-09-01; sid:2;)");
644  FAIL_IF_NULL(s);
645 
646  SigGroupBuild(de_ctx);
647  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
648 
    /* Step 1: ClientHello, parsed in the to-server direction. */
649  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
650  STREAM_TOSERVER, client_hello,
651  sizeof(client_hello));
652 
653  FAIL_IF(r != 0);
654 
655  ssl_state = f.alstate;
656  FAIL_IF_NULL(ssl_state);
657 
658  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
659 
    /* No certificate has been parsed yet, so neither rule may alert. */
660  FAIL_IF(PacketAlertCheck(p1, 1));
661  FAIL_IF(PacketAlertCheck(p1, 2));
662 
    /* Step 2: ServerHello, parsed in the to-client direction; still no
     * certificate, so still no alert is allowed. */
663  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
664  server_hello, sizeof(server_hello));
665 
666  FAIL_IF(r != 0);
667 
668  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
669 
670  FAIL_IF(PacketAlertCheck(p2, 1));
671  FAIL_IF(PacketAlertCheck(p2, 2));
672 
    /* Step 3: Certificate record, parsed in the to-client direction. */
673  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
674  certificate, sizeof(certificate));
675 
676  FAIL_IF(r != 0);
677 
678  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
679 
    /* NOTE(review): no alert check on p3 is visible in this listing. With
     * notBefore 2016-07-13 (< 2016-07-20) and notAfter 2016-10-05
     * (> 2016-09-01) both sids would be expected to fire on p3; presumably
     * that is asserted in the missing lines 680-681 - confirm upstream. */
682 
    /* Teardown: release the parser and detection contexts, then the flow and
     * the three packets. */
683  AppLayerParserThreadCtxFree(alp_tctx);
684  DetectEngineThreadCtxDeinit(&tv, det_ctx);
685  DetectEngineCtxFree(de_ctx);
686 
688  FLOW_DESTROY(&f);
689  UTHFreePacket(p1);
690  UTHFreePacket(p2);
691  UTHFreePacket(p3);
692 
693  PASS;
694 }
695 
696 /**
697  * \test Test matching on an expired certificate.
698  *
699  * Traffic from expired.badssl.com
700  *
701  * \retval 1 on success.
702  * \retval 0 on failure.
703  */
704 static int ExpiredTestDetect01(void)
705 {
706  /* client hello */
707  uint8_t client_hello[] = {
708  0x16, 0x03, 0x03, 0x00, 0x5a, 0x01, 0x00, 0x00,
709  0x56, 0x03, 0x03, 0x62, 0x87, 0xa4, 0x11, 0x3e,
710  0x11, 0x32, 0x7d, 0xbc, 0x5b, 0x63, 0xb7, 0xaf,
711  0x55, 0x8d, 0x46, 0x5b, 0x8f, 0xac, 0x50, 0x02,
712  0x90, 0xe3, 0x55, 0x03, 0xfe, 0xad, 0xa6, 0x92,
713  0x56, 0x75, 0xf9, 0x00, 0x00, 0x08, 0x00, 0x35,
714  0x00, 0x2f, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00,
715  0x00, 0x25, 0x00, 0x00, 0x00, 0x17, 0x00, 0x15,
716  0x00, 0x00, 0x12, 0x65, 0x78, 0x70, 0x69, 0x72,
717  0x65, 0x64, 0x2e, 0x62, 0x61, 0x64, 0x73, 0x73,
718  0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x0d, 0x00,
719  0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01
720  };
721 
722  /* server hello */
723  uint8_t server_hello[] = {
724  0x16, 0x03, 0x03, 0x00, 0x55, 0x02, 0x00, 0x00,
725  0x51, 0x03, 0x03, 0x22, 0xa1, 0xd8, 0xd0, 0x3c,
726  0x8d, 0x32, 0x7e, 0x4f, 0x60, 0x27, 0xf6, 0x0c,
727  0x99, 0x7a, 0x8e, 0x6e, 0x52, 0xa5, 0xf4, 0x20,
728  0x2e, 0xa1, 0xa4, 0x0b, 0xd5, 0x80, 0x9b, 0xec,
729  0xbd, 0x2c, 0x6c, 0x20, 0x7a, 0x9b, 0xcc, 0x6b,
730  0xbf, 0x3d, 0xfc, 0x7c, 0x31, 0x78, 0x65, 0x1e,
731  0xcc, 0x41, 0x0b, 0x8b, 0x3d, 0x4e, 0xde, 0x45,
732  0xe5, 0x20, 0xf5, 0xbd, 0x8e, 0x99, 0xce, 0xc2,
733  0xad, 0x88, 0x08, 0x27, 0x00, 0x2f, 0x00, 0x00,
734  0x09, 0x00, 0x00, 0x00, 0x00, 0xff, 0x01, 0x00,
735  0x01, 0x00
736  };
737 
738  /* certificate */
739  uint8_t certificate[] = {
740  0x16, 0x03, 0x03, 0x05, 0x59, 0x0b, 0x00, 0x05,
741  0x55, 0x00, 0x05, 0x52, 0x00, 0x05, 0x4f, 0x30,
742  0x82, 0x05, 0x4b, 0x30, 0x82, 0x04, 0x33, 0xa0,
743  0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x4a, 0xe7,
744  0x95, 0x49, 0xfa, 0x9a, 0xbe, 0x3f, 0x10, 0x0f,
745  0x17, 0xa4, 0x78, 0xe1, 0x69, 0x09, 0x30, 0x0d,
746  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
747  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x90,
748  0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
749  0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x1b, 0x30,
750  0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x12,
751  0x47, 0x72, 0x65, 0x61, 0x74, 0x65, 0x72, 0x20,
752  0x4d, 0x61, 0x6e, 0x63, 0x68, 0x65, 0x73, 0x74,
753  0x65, 0x72, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
754  0x55, 0x04, 0x07, 0x13, 0x07, 0x53, 0x61, 0x6c,
755  0x66, 0x6f, 0x72, 0x64, 0x31, 0x1a, 0x30, 0x18,
756  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x11, 0x43,
757  0x4f, 0x4d, 0x4f, 0x44, 0x4f, 0x20, 0x43, 0x41,
758  0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64,
759  0x31, 0x36, 0x30, 0x34, 0x06, 0x03, 0x55, 0x04,
760  0x03, 0x13, 0x2d, 0x43, 0x4f, 0x4d, 0x4f, 0x44,
761  0x4f, 0x20, 0x52, 0x53, 0x41, 0x20, 0x44, 0x6f,
762  0x6d, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x61, 0x6c,
763  0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20,
764  0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x53,
765  0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x41,
766  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34,
767  0x30, 0x39, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
768  0x5a, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x31,
769  0x32, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a,
770  0x30, 0x59, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03,
771  0x55, 0x04, 0x0b, 0x13, 0x18, 0x44, 0x6f, 0x6d,
772  0x61, 0x69, 0x6e, 0x20, 0x43, 0x6f, 0x6e, 0x74,
773  0x72, 0x6f, 0x6c, 0x20, 0x56, 0x61, 0x6c, 0x69,
774  0x64, 0x61, 0x74, 0x65, 0x64, 0x31, 0x1d, 0x30,
775  0x1b, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x14,
776  0x50, 0x6f, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65,
777  0x53, 0x53, 0x4c, 0x20, 0x57, 0x69, 0x6c, 0x64,
778  0x63, 0x61, 0x72, 0x64, 0x31, 0x15, 0x30, 0x13,
779  0x06, 0x03, 0x55, 0x04, 0x03, 0x14, 0x0c, 0x2a,
780  0x2e, 0x62, 0x61, 0x64, 0x73, 0x73, 0x6c, 0x2e,
781  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30,
782  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
783  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
784  0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
785  0x82, 0x01, 0x01, 0x00, 0xc2, 0x04, 0xec, 0xf8,
786  0x8c, 0xee, 0x04, 0xc2, 0xb3, 0xd8, 0x50, 0xd5,
787  0x70, 0x58, 0xcc, 0x93, 0x18, 0xeb, 0x5c, 0xa8,
788  0x68, 0x49, 0xb0, 0x22, 0xb5, 0xf9, 0x95, 0x9e,
789  0xb1, 0x2b, 0x2c, 0x76, 0x3e, 0x6c, 0xc0, 0x4b,
790  0x60, 0x4c, 0x4c, 0xea, 0xb2, 0xb4, 0xc0, 0x0f,
791  0x80, 0xb6, 0xb0, 0xf9, 0x72, 0xc9, 0x86, 0x02,
792  0xf9, 0x5c, 0x41, 0x5d, 0x13, 0x2b, 0x7f, 0x71,
793  0xc4, 0x4b, 0xbc, 0xe9, 0x94, 0x2e, 0x50, 0x37,
794  0xa6, 0x67, 0x1c, 0x61, 0x8c, 0xf6, 0x41, 0x42,
795  0xc5, 0x46, 0xd3, 0x16, 0x87, 0x27, 0x9f, 0x74,
796  0xeb, 0x0a, 0x9d, 0x11, 0x52, 0x26, 0x21, 0x73,
797  0x6c, 0x84, 0x4c, 0x79, 0x55, 0xe4, 0xd1, 0x6b,
798  0xe8, 0x06, 0x3d, 0x48, 0x15, 0x52, 0xad, 0xb3,
799  0x28, 0xdb, 0xaa, 0xff, 0x6e, 0xff, 0x60, 0x95,
800  0x4a, 0x77, 0x6b, 0x39, 0xf1, 0x24, 0xd1, 0x31,
801  0xb6, 0xdd, 0x4d, 0xc0, 0xc4, 0xfc, 0x53, 0xb9,
802  0x6d, 0x42, 0xad, 0xb5, 0x7c, 0xfe, 0xae, 0xf5,
803  0x15, 0xd2, 0x33, 0x48, 0xe7, 0x22, 0x71, 0xc7,
804  0xc2, 0x14, 0x7a, 0x6c, 0x28, 0xea, 0x37, 0x4a,
805  0xdf, 0xea, 0x6c, 0xb5, 0x72, 0xb4, 0x7e, 0x5a,
806  0xa2, 0x16, 0xdc, 0x69, 0xb1, 0x57, 0x44, 0xdb,
807  0x0a, 0x12, 0xab, 0xde, 0xc3, 0x0f, 0x47, 0x74,
808  0x5c, 0x41, 0x22, 0xe1, 0x9a, 0xf9, 0x1b, 0x93,
809  0xe6, 0xad, 0x22, 0x06, 0x29, 0x2e, 0xb1, 0xba,
810  0x49, 0x1c, 0x0c, 0x27, 0x9e, 0xa3, 0xfb, 0x8b,
811  0xf7, 0x40, 0x72, 0x00, 0xac, 0x92, 0x08, 0xd9,
812  0x8c, 0x57, 0x84, 0x53, 0x81, 0x05, 0xcb, 0xe6,
813  0xfe, 0x6b, 0x54, 0x98, 0x40, 0x27, 0x85, 0xc7,
814  0x10, 0xbb, 0x73, 0x70, 0xef, 0x69, 0x18, 0x41,
815  0x07, 0x45, 0x55, 0x7c, 0xf9, 0x64, 0x3f, 0x3d,
816  0x2c, 0xc3, 0xa9, 0x7c, 0xeb, 0x93, 0x1a, 0x4c,
817  0x86, 0xd1, 0xca, 0x85, 0x02, 0x03, 0x01, 0x00,
818  0x01, 0xa3, 0x82, 0x01, 0xd5, 0x30, 0x82, 0x01,
819  0xd1, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
820  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x90, 0xaf,
821  0x6a, 0x3a, 0x94, 0x5a, 0x0b, 0xd8, 0x90, 0xea,
822  0x12, 0x56, 0x73, 0xdf, 0x43, 0xb4, 0x3a, 0x28,
823  0xda, 0xe7, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
824  0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d, 0xee, 0xc1,
825  0x7b, 0x81, 0x0b, 0x3a, 0x47, 0x69, 0x71, 0x18,
826  0x7d, 0x11, 0x37, 0x93, 0xbc, 0xa5, 0x1b, 0x3f,
827  0xfb, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f,
828  0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05,
829  0xa0, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13,
830  0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30,
831  0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16,
832  0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
833  0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06,
834  0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x4f,
835  0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x48, 0x30,
836  0x46, 0x30, 0x3a, 0x06, 0x0b, 0x2b, 0x06, 0x01,
837  0x04, 0x01, 0xb2, 0x31, 0x01, 0x02, 0x02, 0x07,
838  0x30, 0x2b, 0x30, 0x29, 0x06, 0x08, 0x2b, 0x06,
839  0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1d,
840  0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f,
841  0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x2e, 0x63,
842  0x6f, 0x6d, 0x6f, 0x64, 0x6f, 0x2e, 0x63, 0x6f,
843  0x6d, 0x2f, 0x43, 0x50, 0x53, 0x30, 0x08, 0x06,
844  0x06, 0x67, 0x81, 0x0c, 0x01, 0x02, 0x01, 0x30,
845  0x54, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x4d,
846  0x30, 0x4b, 0x30, 0x49, 0xa0, 0x47, 0xa0, 0x45,
847  0x86, 0x43, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
848  0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
849  0x6f, 0x64, 0x6f, 0x63, 0x61, 0x2e, 0x63, 0x6f,
850  0x6d, 0x2f, 0x43, 0x4f, 0x4d, 0x4f, 0x44, 0x4f,
851  0x52, 0x53, 0x41, 0x44, 0x6f, 0x6d, 0x61, 0x69,
852  0x6e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74,
853  0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63, 0x75, 0x72,
854  0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43,
855  0x41, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x81, 0x85,
856  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
857  0x01, 0x01, 0x04, 0x79, 0x30, 0x77, 0x30, 0x4f,
858  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
859  0x30, 0x02, 0x86, 0x43, 0x68, 0x74, 0x74, 0x70,
860  0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x74, 0x2e, 0x63,
861  0x6f, 0x6d, 0x6f, 0x64, 0x6f, 0x63, 0x61, 0x2e,
862  0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x4f, 0x4d, 0x4f,
863  0x44, 0x4f, 0x52, 0x53, 0x41, 0x44, 0x6f, 0x6d,
864  0x61, 0x69, 0x6e, 0x56, 0x61, 0x6c, 0x69, 0x64,
865  0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63,
866  0x75, 0x72, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65,
867  0x72, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x74, 0x30,
868  0x24, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
869  0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74,
870  0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70,
871  0x2e, 0x63, 0x6f, 0x6d, 0x6f, 0x64, 0x6f, 0x63,
872  0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x23, 0x06,
873  0x03, 0x55, 0x1d, 0x11, 0x04, 0x1c, 0x30, 0x1a,
874  0x82, 0x0c, 0x2a, 0x2e, 0x62, 0x61, 0x64, 0x73,
875  0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0a,
876  0x62, 0x61, 0x64, 0x73, 0x73, 0x6c, 0x2e, 0x63,
877  0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
878  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
879  0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x6a, 0x7a,
880  0xf1, 0xda, 0xff, 0x03, 0x07, 0x72, 0x78, 0xc5,
881  0x66, 0xa1, 0x4f, 0x46, 0x43, 0x0e, 0x5f, 0x14,
882  0x21, 0x8c, 0x75, 0x1a, 0xeb, 0x36, 0xe0, 0x1f,
883  0xa4, 0x10, 0x15, 0xec, 0xda, 0x33, 0x25, 0x7c,
884  0x3b, 0xb5, 0x0a, 0xc7, 0x01, 0x38, 0x3d, 0x27,
885  0xfd, 0x58, 0xd9, 0xcc, 0xea, 0x2d, 0x69, 0x39,
886  0x7c, 0xbe, 0x97, 0xef, 0x0b, 0xd6, 0x0b, 0x58,
887  0xe7, 0x8c, 0x7f, 0xbf, 0xb3, 0x4c, 0x1d, 0xf3,
888  0xb7, 0x90, 0x80, 0xa6, 0x36, 0x7c, 0x14, 0x5b,
889  0xec, 0x07, 0x2d, 0x02, 0x3e, 0x1b, 0x5b, 0x63,
890  0x5b, 0x15, 0xab, 0x00, 0xfa, 0x1f, 0x3b, 0x19,
891  0x2d, 0xdf, 0xe2, 0x23, 0x10, 0x11, 0x07, 0x7e,
892  0x72, 0x7f, 0xe2, 0xbf, 0xb7, 0x00, 0x1b, 0x98,
893  0x2f, 0x2c, 0x3f, 0xce, 0x85, 0x9a, 0x27, 0x8c,
894  0x10, 0x22, 0x08, 0x41, 0x2b, 0x8a, 0x3e, 0x82,
895  0x4e, 0xfc, 0xdd, 0x21, 0xc6, 0x56, 0x74, 0x70,
896  0xa4, 0x34, 0xf2, 0xb1, 0x40, 0x9e, 0x2b, 0x58,
897  0xa2, 0x59, 0x0f, 0x1d, 0x48, 0xef, 0xeb, 0x11,
898  0x3e, 0xc1, 0x4a, 0x9e, 0xbc, 0x65, 0x55, 0x6d,
899  0xc6, 0xa3, 0xef, 0xd5, 0xd4, 0x96, 0xcd, 0xf1,
900  0xae, 0x27, 0xf7, 0xa4, 0x57, 0x14, 0x3c, 0x94,
901  0x41, 0x05, 0x7a, 0x8b, 0xa1, 0x37, 0x47, 0xd7,
902  0xf5, 0x7d, 0xdc, 0xfa, 0xce, 0x6f, 0x31, 0xa2,
903  0xb0, 0x8c, 0xea, 0xcc, 0x12, 0x9b, 0x22, 0xf1,
904  0x34, 0x70, 0xcf, 0x7d, 0x75, 0x4a, 0x8b, 0x68,
905  0x29, 0x0c, 0x1e, 0xe9, 0x96, 0xa8, 0xcf, 0xb0,
906  0x12, 0x1f, 0x5c, 0x2a, 0xee, 0x67, 0x2f, 0x7f,
907  0xbd, 0x73, 0xf3, 0x5a, 0x01, 0x22, 0x0c, 0x70,
908  0xfa, 0xcd, 0x45, 0xef, 0x78, 0x5c, 0xce, 0x0d,
909  0xfa, 0x4e, 0xe1, 0xef, 0xce, 0x65, 0x9f, 0x47,
910  0x0c, 0x4f, 0xbb, 0x36, 0x44, 0x68, 0x56, 0x5c,
911  0x56, 0x59, 0xad, 0xaa, 0x8a, 0xbc,
912  };
913 
914  Flow f;
915  SSLState *ssl_state = NULL;
916  TcpSession ssn;
917  Packet *p1 = NULL;
918  Packet *p2 = NULL;
919  Packet *p3 = NULL;
920  ThreadVars tv;
921  DetectEngineThreadCtx *det_ctx = NULL;
923 
924  memset(&tv, 0, sizeof(ThreadVars));
925  memset(&f, 0, sizeof(Flow));
926  memset(&ssn, 0, sizeof(TcpSession));
927 
928  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
929  "192.168.1.5", "192.168.1.1", 51251, 443);
930  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
931  "192.168.1.1", "192.168.1.5", 443, 51251);
932  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
933  "192.168.1.1", "192.168.1.5", 443, 51251);
934 
935  FLOW_INITIALIZE(&f);
936  f.flags |= FLOW_IPV4;
937  f.proto = IPPROTO_TCP;
939  f.alproto = ALPROTO_TLS;
940 
941  p1->flow = &f;
945  p1->pcap_cnt = 1;
946 
947  p2->flow = &f;
951  p2->pcap_cnt = 2;
952 
953  p3->flow = &f;
957  p3->pcap_cnt = 3;
958 
959  f.lastts.tv_sec = 1474978656; /* 2016-09-27 */
960 
962 
964  FAIL_IF_NULL(de_ctx);
965 
966  de_ctx->flags |= DE_QUIET;
967 
968  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
969  "(msg:\"Test tls_cert_expired\"; "
970  "tls_cert_expired; sid:1;)");
971  FAIL_IF_NULL(s);
972 
973  SigGroupBuild(de_ctx);
974  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
975 
976  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
977  client_hello, sizeof(client_hello));
978 
979  FAIL_IF(r != 0);
980 
981  ssl_state = f.alstate;
982  FAIL_IF_NULL(ssl_state);
983 
984  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
985 
986  FAIL_IF(PacketAlertCheck(p1, 1));
987 
988  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
989  server_hello, sizeof(server_hello));
990 
991  FAIL_IF(r != 0);
992 
993  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
994 
995  FAIL_IF(PacketAlertCheck(p2, 1));
996 
997  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
998  certificate, sizeof(certificate));
999 
1000  FAIL_IF(r != 0);
1001 
1002  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
1003 
1004  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
1005 
1006  AppLayerParserThreadCtxFree(alp_tctx);
1007  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1008  DetectEngineCtxFree(de_ctx);
1009 
1011  FLOW_DESTROY(&f);
1012  UTHFreePacket(p1);
1013  UTHFreePacket(p2);
1014  UTHFreePacket(p3);
1015 
1016  PASS;
1017 }
1018 
1019 /**
1020  * \test Test matching on a valid TLS certificate.
1021  *
1022  * \retval 1 on success.
1023  * \retval 0 on failure.
1024  */
1025 static int ValidTestDetect01(void)
1026 {
      /*
       * Feeds a hard-coded TLS handshake (ClientHello, ServerHello,
       * Certificate) through the TLS app-layer parser and checks that a rule
       * using the tls_cert_valid keyword (sid 1) alerts only on the packet
       * that delivers the certificate.
       *
       * NOTE(review): de_ctx and alp_tctx are used below, but no declaration
       * is visible in this listing. The gutter numbering skips lines (for
       * example 1229 to 1231 and 1268 to 1272), so some statements appear to
       * be missing from this rendering -- check the original file.
       */
1027  /* client hello: TLS handshake record (0x16) holding a ClientHello (0x01) */
1028  uint8_t client_hello[] = {
1029  0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00,
1030  0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86,
1031  0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc,
1032  0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b,
1033  0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46,
1034  0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b,
1035  0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13,
1036  0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f,
1037  0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85,
1038  0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00,
1039  0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f,
1040  0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01,
1041  0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00,
1042  0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
1043  0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
1044  0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00,
1045  0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31,
1046  0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05,
1047  0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32,
1048  0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e,
1049  0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31,
1050  0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00,
1051  0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00,
1052  0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02,
1053  0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02,
1054  0x03, 0x04, 0x02, 0x02, 0x02
1055  };
1056 
1057  /* server hello: TLS handshake record (0x16) holding a ServerHello (0x02) */
1058  uint8_t server_hello[] = {
1059  0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00,
1060  0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd,
1061  0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d,
1062  0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1,
1063  0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23,
1064  0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00,
1065  0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
1066  0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10,
1067  0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00,
1068  0x0b, 0x00, 0x02, 0x01, 0x00
1069  };
1070 
1071  /* certificate: TLS handshake record (0x16) holding a Certificate (0x0b) */
1072  uint8_t certificate[] = {
1073  0x16, 0x03, 0x03, 0x04, 0x93, 0x0b, 0x00, 0x04,
1074  0x8f, 0x00, 0x04, 0x8c, 0x00, 0x04, 0x89, 0x30,
1075  0x82, 0x04, 0x85, 0x30, 0x82, 0x03, 0x6d, 0xa0,
1076  0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x5c, 0x19,
1077  0xb7, 0xb1, 0x32, 0x3b, 0x1c, 0xa1, 0x30, 0x0d,
1078  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
1079  0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x49, 0x31,
1080  0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
1081  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11,
1082  0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
1083  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
1084  0x63, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55,
1085  0x04, 0x03, 0x13, 0x1c, 0x47, 0x6f, 0x6f, 0x67,
1086  0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x72,
1087  0x6e, 0x65, 0x74, 0x20, 0x41, 0x75, 0x74, 0x68,
1088  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x47, 0x32,
      /* Validity: the next four rows hold two UTCTime values (tag 0x17,
       * length 0x0d): notBefore "160713132452Z" and notAfter
       * "161005131600Z". */
1089  0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x37,
1090  0x31, 0x33, 0x31, 0x33, 0x32, 0x34, 0x35, 0x32,
1091  0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x30,
1092  0x35, 0x31, 0x33, 0x31, 0x36, 0x30, 0x30, 0x5a,
1093  0x30, 0x65, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
1094  0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
1095  0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
1096  0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f,
1097  0x72, 0x6e, 0x69, 0x61, 0x31, 0x16, 0x30, 0x14,
1098  0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x0d, 0x4d,
1099  0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20,
1100  0x56, 0x69, 0x65, 0x77, 0x31, 0x13, 0x30, 0x11,
1101  0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x47,
1102  0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e,
1103  0x63, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
1104  0x04, 0x03, 0x0c, 0x0b, 0x2a, 0x2e, 0x67, 0x6f,
1105  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
1106  0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
1107  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
1108  0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
1109  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
1110  0xa5, 0x0a, 0xb9, 0xb1, 0xca, 0x36, 0xd1, 0xae,
1111  0x22, 0x38, 0x07, 0x06, 0xc9, 0x1a, 0x56, 0x4f,
1112  0xbb, 0xdf, 0xa8, 0x6d, 0xbd, 0xee, 0x76, 0x16,
1113  0xbc, 0x53, 0x3c, 0x03, 0x6a, 0x5c, 0x94, 0x50,
1114  0x87, 0x2f, 0x28, 0xb4, 0x4e, 0xd5, 0x9b, 0x8f,
1115  0xfe, 0x02, 0xde, 0x2a, 0x83, 0x01, 0xf9, 0x45,
1116  0x61, 0x0e, 0x66, 0x0e, 0x24, 0x22, 0xe2, 0x59,
1117  0x66, 0x0d, 0xd3, 0xe9, 0x77, 0x8a, 0x7e, 0x42,
1118  0xaa, 0x5a, 0xf9, 0x05, 0xbf, 0x30, 0xc7, 0x03,
1119  0x2b, 0xdc, 0xa6, 0x9c, 0xe0, 0x9f, 0x0d, 0xf1,
1120  0x28, 0x19, 0xf8, 0xf2, 0x02, 0xfa, 0xbd, 0x62,
1121  0xa0, 0xf3, 0x02, 0x2b, 0xcd, 0xf7, 0x09, 0x04,
1122  0x3b, 0x52, 0xd8, 0x65, 0x4b, 0x4a, 0x70, 0xe4,
1123  0x57, 0xc9, 0x2e, 0x2a, 0xf6, 0x9c, 0x6e, 0xd8,
1124  0xde, 0x01, 0x52, 0xc9, 0x6f, 0xe9, 0xef, 0x82,
1125  0xbc, 0x0b, 0x95, 0xb2, 0xef, 0xcb, 0x91, 0xa6,
1126  0x0b, 0x2d, 0x14, 0xc6, 0x00, 0xa9, 0x33, 0x86,
1127  0x64, 0x00, 0xd4, 0x92, 0x19, 0x53, 0x3d, 0xfd,
1128  0xcd, 0xc6, 0x1a, 0xf2, 0x0e, 0x67, 0xc2, 0x1d,
1129  0x2c, 0xe0, 0xe8, 0x29, 0x97, 0x1c, 0xb6, 0xc4,
1130  0xb2, 0x02, 0x0c, 0x83, 0xb8, 0x60, 0x61, 0xf5,
1131  0x61, 0x2d, 0x73, 0x5e, 0x85, 0x4d, 0xbd, 0x0d,
1132  0xe7, 0x1a, 0x37, 0x56, 0x8d, 0xe5, 0x50, 0x0c,
1133  0xc9, 0x64, 0x4c, 0x11, 0xea, 0xf3, 0xcb, 0x26,
1134  0x34, 0xbd, 0x02, 0xf5, 0xc1, 0xfb, 0xa2, 0xec,
1135  0x27, 0xbb, 0x60, 0xbe, 0x0b, 0xf6, 0xe7, 0x3c,
1136  0x2d, 0xc9, 0xe7, 0xb0, 0x30, 0x28, 0x17, 0x3d,
1137  0x90, 0xf1, 0x63, 0x8e, 0x49, 0xf7, 0x15, 0x78,
1138  0x21, 0xcc, 0x45, 0xe6, 0x86, 0xb2, 0xd8, 0xb0,
1139  0x2e, 0x5a, 0xb0, 0x58, 0xd3, 0xb6, 0x11, 0x40,
1140  0xae, 0x81, 0x1f, 0x6b, 0x7a, 0xaf, 0x40, 0x50,
1141  0xf9, 0x2e, 0x81, 0x8b, 0xec, 0x26, 0x11, 0x3f,
1142  0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01,
1143  0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x1d, 0x06,
1144  0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14,
1145  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
1146  0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
1147  0x05, 0x07, 0x03, 0x02, 0x30, 0x21, 0x06, 0x03,
1148  0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82,
1149  0x0b, 0x2a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
1150  0x65, 0x2e, 0x6e, 0x6f, 0x82, 0x09, 0x67, 0x6f,
1151  0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0x30,
1152  0x68, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
1153  0x07, 0x01, 0x01, 0x04, 0x5c, 0x30, 0x5a, 0x30,
1154  0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
1155  0x07, 0x30, 0x02, 0x86, 0x1f, 0x68, 0x74, 0x74,
1156  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
1157  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
1158  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
1159  0x2e, 0x63, 0x72, 0x74, 0x30, 0x2b, 0x06, 0x08,
1160  0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
1161  0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
1162  0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73,
1163  0x31, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
1164  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73,
1165  0x70, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
1166  0x04, 0x16, 0x04, 0x14, 0xc6, 0x53, 0x87, 0x42,
1167  0x2d, 0xc8, 0xee, 0x7a, 0x62, 0x1e, 0x83, 0xdb,
1168  0x0d, 0xe2, 0x32, 0xeb, 0x8b, 0xaf, 0x69, 0x40,
1169  0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01,
1170  0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f,
1171  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,
1172  0x16, 0x80, 0x14, 0x4a, 0xdd, 0x06, 0x16, 0x1b,
1173  0xbc, 0xf6, 0x68, 0xb5, 0x76, 0xf5, 0x81, 0xb6,
1174  0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f, 0x30,
1175  0x21, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x1a,
1176  0x30, 0x18, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06,
1177  0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x05, 0x01,
1178  0x30, 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01,
1179  0x02, 0x02, 0x30, 0x30, 0x06, 0x03, 0x55, 0x1d,
1180  0x1f, 0x04, 0x29, 0x30, 0x27, 0x30, 0x25, 0xa0,
1181  0x23, 0xa0, 0x21, 0x86, 0x1f, 0x68, 0x74, 0x74,
1182  0x70, 0x3a, 0x2f, 0x2f, 0x70, 0x6b, 0x69, 0x2e,
1183  0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63,
1184  0x6f, 0x6d, 0x2f, 0x47, 0x49, 0x41, 0x47, 0x32,
1185  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09,
1186  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
1187  0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
1188  0x7b, 0x27, 0x00, 0x46, 0x8f, 0xfd, 0x5b, 0xff,
1189  0xcb, 0x05, 0x9b, 0xf7, 0xf1, 0x68, 0xf6, 0x9a,
1190  0x7b, 0xba, 0x53, 0xdf, 0x63, 0xed, 0x11, 0x94,
1191  0x39, 0xf2, 0xd0, 0x20, 0xcd, 0xa3, 0xc4, 0x98,
1192  0xa5, 0x10, 0x74, 0xe7, 0x10, 0x6d, 0x07, 0xf8,
1193  0x33, 0x87, 0x05, 0x43, 0x0e, 0x64, 0x77, 0x09,
1194  0x18, 0x4f, 0x38, 0x2e, 0x45, 0xae, 0xa8, 0x34,
1195  0x3a, 0xa8, 0x33, 0xac, 0x9d, 0xdd, 0x25, 0x91,
1196  0x59, 0x43, 0xbe, 0x0f, 0x87, 0x16, 0x2f, 0xb5,
1197  0x27, 0xfd, 0xce, 0x2f, 0x35, 0x5d, 0x12, 0xa1,
1198  0x66, 0xac, 0xf7, 0x95, 0x38, 0x0f, 0xe5, 0xb1,
1199  0x18, 0x18, 0xe6, 0x80, 0x52, 0x31, 0x8a, 0x66,
1200  0x02, 0x52, 0x1a, 0xa4, 0x32, 0x6a, 0x61, 0x05,
1201  0xcf, 0x1d, 0xf9, 0x90, 0x73, 0xf0, 0xeb, 0x20,
1202  0x31, 0x7b, 0x2e, 0xc0, 0xb0, 0xfb, 0x5c, 0xcc,
1203  0xdc, 0x76, 0x55, 0x72, 0xaf, 0xb1, 0x05, 0xf4,
1204  0xad, 0xf9, 0xd7, 0x73, 0x5c, 0x2c, 0xbf, 0x0d,
1205  0x84, 0x18, 0x01, 0x1d, 0x4d, 0x08, 0xa9, 0x4e,
1206  0x37, 0xb7, 0x58, 0xc4, 0x05, 0x0e, 0x65, 0x63,
1207  0xd2, 0x88, 0x02, 0xf5, 0x82, 0x17, 0x08, 0xd5,
1208  0x8f, 0x80, 0xc7, 0x82, 0x29, 0xbb, 0xe1, 0x04,
1209  0xbe, 0xf6, 0xe1, 0x8c, 0xbc, 0x3a, 0xf8, 0xf9,
1210  0x56, 0xda, 0xdc, 0x8e, 0xc6, 0xe6, 0x63, 0x98,
1211  0x12, 0x08, 0x41, 0x2c, 0x9d, 0x7c, 0x82, 0x0d,
1212  0x1e, 0xea, 0xba, 0xde, 0x32, 0x09, 0xda, 0x52,
1213  0x24, 0x4f, 0xcc, 0xb6, 0x09, 0x33, 0x8b, 0x00,
1214  0xf9, 0x83, 0xb3, 0xc6, 0xa4, 0x90, 0x49, 0x83,
1215  0x2d, 0x36, 0xd9, 0x11, 0x78, 0xd0, 0x62, 0x9f,
1216  0xc4, 0x8f, 0x84, 0xba, 0x7f, 0xaa, 0x04, 0xf1,
1217  0xd9, 0xa4, 0xad, 0x5d, 0x63, 0xee, 0x72, 0xc6,
1218  0x4d, 0xd1, 0x4b, 0x41, 0x8f, 0x40, 0x0f, 0x7d,
1219  0xcd, 0xb8, 0x2e, 0x5b, 0x6e, 0x21, 0xc9, 0x3d
1220  };
1221 
1222  Flow f;
1223  SSLState *ssl_state = NULL;
1224  TcpSession ssn;
1225  Packet *p1 = NULL;
1226  Packet *p2 = NULL;
1227  Packet *p3 = NULL;
1228  ThreadVars tv;
1229  DetectEngineThreadCtx *det_ctx = NULL;
1231 
1232  memset(&tv, 0, sizeof(ThreadVars));
1233  memset(&f, 0, sizeof(Flow));
1234  memset(&ssn, 0, sizeof(TcpSession));
1235 
      /* One packet per handshake message: p1 travels client to server
       * (port 51251 to 443), p2 and p3 server to client.
       * NOTE(review): the returned pointers are dereferenced below without a
       * NULL check. */
1236  p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP,
1237  "192.168.1.5", "192.168.1.1", 51251, 443);
1238  p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
1239  "192.168.1.1", "192.168.1.5", 443, 51251);
1240  p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
1241  "192.168.1.1", "192.168.1.5", 443, 51251);
1242 
      /* All three packets share one IPv4/TCP flow already marked as TLS. */
1243  FLOW_INITIALIZE(&f);
1244  f.flags |= FLOW_IPV4;
1245  f.proto = IPPROTO_TCP;
1247  f.alproto = ALPROTO_TLS;
1248 
1249  p1->flow = &f;
1253  p1->pcap_cnt = 1;
1254 
1255  p2->flow = &f;
1259  p2->pcap_cnt = 2;
1260 
1261  p3->flow = &f;
1265  p3->pcap_cnt = 3;
1266 
      /* Pin the flow's last-seen time to a date between the certificate's
       * notBefore (2016-07-13) and notAfter (2016-10-05), so the expected
       * result does not depend on when the test is run.
       * NOTE(review): this presumes tls_cert_valid is evaluated against the
       * flow timestamp rather than the wall clock -- confirm in the keyword's
       * match function. */
1267  f.lastts.tv_sec = 1474978656; /* 2016-09-27 */
1268 
1270 
1272  FAIL_IF_NULL(de_ctx);
1273 
1274  de_ctx->flags |= DE_QUIET;
1275 
      /* Rule under test: sid 1 alerts on any TLS traffic for which the
       * tls_cert_valid keyword matches. */
1276  Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
1277  "(msg:\"Test tls_cert_valid\"; "
1278  "tls_cert_valid; sid:1;)");
1279  FAIL_IF_NULL(s);
1280 
1281  SigGroupBuild(de_ctx);
      /* NOTE(review): the return value is not checked; det_ctx is passed to
       * SigMatchSignatures() below. */
1282  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1283 
      /* Step 1: ClientHello, client to server. */
1284  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
1285  client_hello, sizeof(client_hello));
1286 
1287  FAIL_IF(r != 0);
1288 
      /* The parser must have attached its state to the flow. */
1289  ssl_state = f.alstate;
1290  FAIL_IF_NULL(ssl_state);
1291 
1292  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
1293 
      /* sid 1 must not alert: no certificate has been parsed yet. */
1294  FAIL_IF(PacketAlertCheck(p1, 1));
1295 
      /* Step 2: ServerHello, server to client. */
1296  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
1297  server_hello, sizeof(server_hello));
1298 
1299  FAIL_IF(r != 0);
1300 
1301  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
1302 
      /* Still no certificate, so still no alert. */
1303  FAIL_IF(PacketAlertCheck(p2, 1));
1304 
      /* Step 3: Certificate, server to client. */
1305  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
1306  certificate, sizeof(certificate));
1307 
1308  FAIL_IF(r != 0);
1309 
1310  SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
1311 
      /* sid 1 must alert on the packet that delivered the certificate. */
1312  FAIL_IF_NOT(PacketAlertCheck(p3, 1));
1313 
      /* Release the contexts, the flow and the three packets. */
1314  AppLayerParserThreadCtxFree(alp_tctx);
1315  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1316  DetectEngineCtxFree(de_ctx);
1317 
1319  FLOW_DESTROY(&f);
1320  UTHFreePacket(p1);
1321  UTHFreePacket(p2);
1322  UTHFreePacket(p3);
1323 
1324  PASS;
1325 }
1326 
1327 /**
1328  * \brief Register unit tests for tls_cert_notbefore.
1329  */
1331 {
1332  UtRegisterTest("ValidityTestParse01", ValidityTestParse01);
1333  UtRegisterTest("ValidityTestParse03", ValidityTestParse03);
1334  UtRegisterTest("ValidityTestParse05", ValidityTestParse05);
1335  UtRegisterTest("ValidityTestParse07", ValidityTestParse07);
1336  UtRegisterTest("ValidityTestParse09", ValidityTestParse09);
1337  UtRegisterTest("ValidityTestParse11", ValidityTestParse11);
1338  UtRegisterTest("ValidityTestParse13", ValidityTestParse13);
1339  UtRegisterTest("ValidityTestParse15", ValidityTestParse15);
1340  UtRegisterTest("ValidityTestParse17", ValidityTestParse17);
1341  UtRegisterTest("ValidityTestParse19", ValidityTestParse19);
1342  UtRegisterTest("ValidityTestParse21", ValidityTestParse21);
1343  UtRegisterTest("ValidityTestParse23", ValidityTestParse23);
1344  UtRegisterTest("ValidityTestDetect01", ValidityTestDetect01);
1345 }
1346 
1347 /**
1348  * \brief Register unit tests for tls_cert_notafter.
1349  */
1351 {
1352  UtRegisterTest("ValidityTestParse02", ValidityTestParse02);
1353  UtRegisterTest("ValidityTestParse04", ValidityTestParse04);
1354  UtRegisterTest("ValidityTestParse06", ValidityTestParse06);
1355  UtRegisterTest("ValidityTestParse08", ValidityTestParse08);
1356  UtRegisterTest("ValidityTestParse10", ValidityTestParse10);
1357  UtRegisterTest("ValidityTestParse12", ValidityTestParse12);
1358  UtRegisterTest("ValidityTestParse14", ValidityTestParse14);
1359  UtRegisterTest("ValidityTestParse16", ValidityTestParse16);
1360  UtRegisterTest("ValidityTestParse18", ValidityTestParse18);
1361  UtRegisterTest("ValidityTestParse20", ValidityTestParse20);
1362  UtRegisterTest("ValidityTestParse22", ValidityTestParse22);
1363 }
1364 
1365 /**
1366  * \brief Register unit tests for tls_cert_expired
1367  */
1369 {
1370  UtRegisterTest("ExpiredTestDetect01", ExpiredTestDetect01);
1371 }
1372 
1373 /**
1374  * \brief Register unit tests for tls_cert_valid
1375  */
1377 {
1378  UtRegisterTest("ValidTestDetect01", ValidTestDetect01);
1379 }