diff --git a/rust/Cargo.toml.in b/rust/Cargo.toml.in index 4a4990a57dd..7201555c893 100644 --- a/rust/Cargo.toml.in +++ b/rust/Cargo.toml.in @@ -47,7 +47,7 @@ ntp-parser = "~0.6.0" ipsec-parser = "~0.7.0" snmp-parser = "~0.6.0" tls-parser = "~0.11.0" -x509-parser = "~0.6.5" +x509-parser = "~0.14.0" libc = "~0.2.82" sha2 = "~0.10.2" digest = "~0.10.3" diff --git a/rust/src/rdp/log.rs b/rust/src/rdp/log.rs index f8f08f5c38d..a9bba493209 100644 --- a/rust/src/rdp/log.rs +++ b/rust/src/rdp/log.rs @@ -21,7 +21,7 @@ use super::rdp::{RdpTransaction, RdpTransactionItem}; use crate::jsonbuilder::{JsonBuilder, JsonError}; use crate::rdp::parser::*; use crate::rdp::windows; -use x509_parser::parse_x509_der; +use x509_parser::prelude::{X509Certificate, FromDer}; #[no_mangle] pub extern "C" fn rs_rdp_to_json(tx: &mut RdpTransaction, js: &mut JsonBuilder) -> bool { @@ -50,7 +50,7 @@ fn log(tx: &RdpTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> { js.set_string("event_type", "tls_handshake")?; js.open_array("x509_serials")?; for blob in chain { - match parse_x509_der(&blob.data) { + match X509Certificate::from_der(&blob.data) { Ok((_, cert)) => { js.append_string(&cert.tbs_certificate.serial.to_str_radix(16))?; } diff --git a/rust/src/x509/mod.rs b/rust/src/x509/mod.rs index 428e6679351..25518387f99 100644 --- a/rust/src/x509/mod.rs +++ b/rust/src/x509/mod.rs @@ -18,10 +18,9 @@ // written by Pierre Chifflier use crate::common::rust_string_to_c; -use nom; use std; use std::os::raw::c_char; -use x509_parser::{error::X509Error, parse_x509_der, X509Certificate}; +use x509_parser::prelude::*; #[repr(u32)] pub enum X509DecodeError { @@ -54,7 +53,7 @@ pub unsafe extern "C" fn rs_x509_decode( err_code: *mut u32, ) -> *mut X509 { let slice = std::slice::from_raw_parts(input, input_len as usize); - let res = parse_x509_der(slice); + let res = X509Certificate::from_der(slice); match res { Ok((_rem, cert)) => Box::into_raw(Box::new(X509(cert))), Err(e) => { 
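Review bot: In rs_x509_decode the `Ok((_rem, cert))` arm still discards the unparsed remainder that `X509Certificate::from_der` returns, so a buffer with trailing bytes after the certificate decodes as a valid certificate. parse_x509_der had the same behaviour, so this is not a regression, but the migration is the natural point to decide whether the remainder must be empty, e.g. `Ok((rem, cert)) if rem.is_empty() => Box::into_raw(Box::new(X509(cert))),` with a non-empty remainder reported through `err_code` like the other failures. The rest of the function body is outside the hunk, so the exact error-code mapping is not visible here.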
@@ -112,8 +111,8 @@ pub unsafe extern "C" fn rs_x509_get_validity( return -1; } let x509 = &*ptr; - let n_b = x509.0.tbs_certificate.validity.not_before.to_timespec().sec; - let n_a = x509.0.tbs_certificate.validity.not_after.to_timespec().sec; + let n_b = x509.0.validity().not_before.timestamp(); + let n_a = x509.0.validity().not_after.timestamp(); *not_before = n_b; *not_after = n_a; 0 diff --git a/src/Makefile.am b/src/Makefile.am index 30762104f46..85725462327 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1245,11 +1245,6 @@ EXTRA_DIST = \ tests/detect-tls-cert-subject.c \ tests/detect-tls-cert-validity.c \ tests/detect-tls-certs.c \ - tests/detect-tls-ja3-hash.c \ - tests/detect-tls-ja3-string.c \ - tests/detect-tls-ja3s-hash.c \ - tests/detect-tls-ja3s-string.c \ - tests/detect-tls-sni.c \ tests/detect-tls-version.c \ tests/detect.c \ tests/stream-tcp.c diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index 1cebb2bd2c1..95956fb87a3 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c 
@@ -88,39 +88,41 @@ SCEnumCharMap tls_frame_table[] = { { NULL, -1 }, }; -SCEnumCharMap tls_decoder_event_table[ ] = { +SCEnumCharMap tls_decoder_event_table[] = { /* TLS protocol messages */ - { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER }, - { "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER }, - { "INVALID_RECORD_VERSION", TLS_DECODER_EVENT_INVALID_RECORD_VERSION }, - { "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE }, - { "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE }, - { "HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_HEARTBEAT }, - { "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT }, - { "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT }, + { "INVALID_SSLV2_HEADER", TLS_DECODER_EVENT_INVALID_SSLV2_HEADER }, + { "INVALID_TLS_HEADER", TLS_DECODER_EVENT_INVALID_TLS_HEADER }, + { "INVALID_RECORD_VERSION", TLS_DECODER_EVENT_INVALID_RECORD_VERSION }, + { "INVALID_RECORD_TYPE", TLS_DECODER_EVENT_INVALID_RECORD_TYPE }, + { "INVALID_RECORD_LENGTH", TLS_DECODER_EVENT_INVALID_RECORD_LENGTH }, + { "INVALID_HANDSHAKE_MESSAGE", TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE }, + { "HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_HEARTBEAT }, + { "INVALID_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_INVALID_HEARTBEAT }, + { "OVERFLOW_HEARTBEAT_MESSAGE", TLS_DECODER_EVENT_OVERFLOW_HEARTBEAT }, { "DATALEAK_HEARTBEAT_MISMATCH", TLS_DECODER_EVENT_DATALEAK_HEARTBEAT_MISMATCH }, - { "HANDSHAKE_INVALID_LENGTH", TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH }, - { "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS }, - { "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE }, - { "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH }, - { "TOO_MANY_RECORDS_IN_PACKET", TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET }, + { "HANDSHAKE_INVALID_LENGTH", TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH }, + { "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS }, + { 
"INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE }, + { "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH }, + { "TOO_MANY_RECORDS_IN_PACKET", TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET }, /* certificate decoding messages */ - { "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE }, - { "CERTIFICATE_INVALID_LENGTH", TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH }, + { "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE }, + { "CERTIFICATE_INVALID_LENGTH", TLS_DECODER_EVENT_CERTIFICATE_INVALID_LENGTH }, { "CERTIFICATE_INVALID_VERSION", TLS_DECODER_EVENT_CERTIFICATE_INVALID_VERSION }, - { "CERTIFICATE_INVALID_SERIAL", TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL }, - { "CERTIFICATE_INVALID_ALGORITHMIDENTIFIER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER }, + { "CERTIFICATE_INVALID_SERIAL", TLS_DECODER_EVENT_CERTIFICATE_INVALID_SERIAL }, + { "CERTIFICATE_INVALID_ALGORITHMIDENTIFIER", + TLS_DECODER_EVENT_CERTIFICATE_INVALID_ALGORITHMIDENTIFIER }, { "CERTIFICATE_INVALID_X509NAME", TLS_DECODER_EVENT_CERTIFICATE_INVALID_X509NAME }, - { "CERTIFICATE_INVALID_DATE", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE }, + { "CERTIFICATE_INVALID_DATE", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DATE }, { "CERTIFICATE_INVALID_EXTENSIONS", TLS_DECODER_EVENT_CERTIFICATE_INVALID_EXTENSIONS }, - { "CERTIFICATE_INVALID_DER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER }, + { "CERTIFICATE_INVALID_DER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_DER }, { "CERTIFICATE_INVALID_SUBJECT", TLS_DECODER_EVENT_CERTIFICATE_INVALID_SUBJECT }, - { "CERTIFICATE_INVALID_ISSUER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER }, + { "CERTIFICATE_INVALID_ISSUER", TLS_DECODER_EVENT_CERTIFICATE_INVALID_ISSUER }, { "CERTIFICATE_INVALID_VALIDITY", TLS_DECODER_EVENT_CERTIFICATE_INVALID_VALIDITY }, - { "ERROR_MESSAGE_ENCOUNTERED", TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED }, + { "ERROR_MESSAGE_ENCOUNTERED", TLS_DECODER_EVENT_ERROR_MSG_ENCOUNTERED }, /* used as a generic error 
event */ - { "INVALID_SSL_RECORD", TLS_DECODER_EVENT_INVALID_SSL_RECORD }, - { NULL, -1 }, + { "INVALID_SSL_RECORD", TLS_DECODER_EVENT_INVALID_SSL_RECORD }, + { NULL, -1 }, }; enum { @@ -196,6 +198,7 @@ SslConfig ssl_config; #define SSLV3_RECORD_HDR_LEN 5 #define SSLV3_MESSAGE_HDR_LEN 4 +#define SSLV3_RECORD_MAX_LEN 1 << 14 #define SSLV3_CLIENT_HELLO_VERSION_LEN 2 #define SSLV3_CLIENT_HELLO_RANDOM_LEN 32 @@ -210,6 +213,26 @@ SslConfig ssl_config; #define HAS_SPACE(n) ((uint64_t)(input - initial_input) + (uint64_t)(n) <= (uint64_t)(input_len)) +struct SSLDecoderResult { + int retval; // nr bytes consumed from input, or < 0 on error + uint32_t needed; // more bytes needed +}; +#define SSL_DECODER_ERROR(e) \ + (struct SSLDecoderResult) \ + { \ + (e), 0 \ + } +#define SSL_DECODER_OK(c) \ + (struct SSLDecoderResult) \ + { \ + (c), 0 \ + } +#define SSL_DECODER_INCOMPLETE(c, n) \ + (struct SSLDecoderResult) \ + { \ + (c), (n) \ + } + static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size, const void *src, size_t src_offset, size_t src_size, size_t src_tocopy) WARN_UNUSED; @@ -240,25 +263,11 @@ static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size, #define ValidateRecordState(...) #endif -#ifdef DEBUG_VALIDATION -#define ValidateTrecBuffer(connp) \ - do { \ - DEBUG_VALIDATE_BUG_ON((connp)->trec_pos > (connp)->trec_len); \ - DEBUG_VALIDATE_BUG_ON((connp)->trec == NULL && (connp)->trec_len > 0); \ - DEBUG_VALIDATE_BUG_ON((connp)->trec == NULL && (connp)->trec_pos > 0); \ - } while(0) -#else -#define ValidateTrecBuffer(...) -#endif - -#define SSLParserHSReset(connp) \ - do { \ - (connp)->trec_pos = 0; \ - (connp)->handshake_type = 0; \ - (connp)->hs_bytes_processed = 0; \ - (connp)->message_length = 0; \ - (connp)->message_start = 0; \ - } while(0) +#define SSLParserHSReset(connp) \ + do { \ + (connp)->handshake_type = 0; \ + (connp)->message_length = 0; \ + } while (0) #define SSLParserReset(state) \ do { \ 
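Review bot: `#define SSLV3_RECORD_MAX_LEN 1 << 14` is an unparenthesized expression macro; the comparison `record_length > SSLV3_RECORD_MAX_LEN` added later in SSLv3Decode happens to group correctly only because `<<` binds tighter than `>`, and any arithmetic around it (`SSLV3_RECORD_MAX_LEN + 1` expands to `1 << 15`) silently changes the value. Write it as `#define SSLV3_RECORD_MAX_LEN (1 << 14)`.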
@@ -267,16 +276,16 @@ static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size, SSLParserHSReset((state)->curr_connp); \ } while(0) -void SSLSetEvent(SSLState *ssl_state, uint8_t event) -{ - if (ssl_state == NULL) { - SCLogDebug("Could not set decoder event: %u", event); - return; - } - - AppLayerDecoderEventsSetEventRaw(&ssl_state->tx_data.events, event); - ssl_state->events++; -} +#define SSLSetEvent(ssl_state, event) \ + do { \ + SCLogDebug("setting event %u", (event)); \ + if ((ssl_state) == NULL) { \ + SCLogDebug("could not set decoder event %u", event); \ + } else { \ + AppLayerDecoderEventsSetEventRaw(&(ssl_state)->tx_data.events, (event)); \ + (ssl_state)->events++; \ + } \ + } while (0) static void *SSLGetTx(void *state, uint64_t tx_id) { 
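Review bot: The new SSLSetEvent macro leaves `event` unparenthesized in the inner `SCLogDebug("could not set decoder event %u", event)` while every other use in the macro is `(event)`, and unlike the function it replaces it evaluates its argument up to three times; use `(event)` there and keep callers passing constants or side-effect-free expressions. The old definition was a non-static function, so if app-layer-ssl.h declared it and another translation unit called it, that caller now has nothing to link against unless it sees the macro — worth confirming.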
@@ -1375,103 +1384,7 @@ static int TLSDecodeHandshakeHello(SSLState *ssl_state, } end: - ssl_state->curr_connp->hs_bytes_processed = 0; - return 0; -} - -/** \internal - * \brief Get Certificates len so we can know now much (more) we need to buffer - * If we already have a few bytes queued up in 'trec' we use those or a mix of - * those with the input. - */ -static uint32_t GetCertsLen(SSLStateConnp *curr_connp, const uint8_t *input, - const uint32_t input_len) -{ - if (curr_connp->trec != NULL && curr_connp->trec_pos > 0) { - if (curr_connp->trec_pos >= 3) { - const uint8_t * const ptr = curr_connp->trec; - uint32_t len = (*ptr << 16 | *(ptr + 1) << 8 | *(ptr + 2)) + 3; - SCLogDebug("length %u (trec)", len); - return len; - } else if (input_len + curr_connp->trec_pos >= 3) { - uint8_t buf[3] = { 0, 0, 0, }; // init to 0 to make scan-build happy - uint32_t i = 0; - for (uint32_t x = 0; x < curr_connp->trec_pos && i < 3; x++) { - buf[i++] = curr_connp->trec[x]; - } - for (uint32_t x = 0; x < input_len && i < 3; x++) { - buf[i++] = input[x]; - } - uint32_t len = (buf[0] << 16 | buf[1] << 8 | buf[2]) + 3; - SCLogDebug("length %u (part trec, part input)", len); - return len; - } - return 0; - } else if (input_len >= 3) { - uint32_t len = (*input << 16 | *(input + 1) << 8 | *(input + 2)) + 3; - SCLogDebug("length %u (input)", len); - return len; - } else { - SCLogDebug("length unknown (input len %u)", input_len); - return 0; - } -} - -// For certificates whose size is bigger than this, -// we do not allocate all the required memory straight away, -// to avoid DOS by RAM exhaustion, but we will allocate -// this memory once a consequent part of the certificate has been seen. 
-#define SSL_CERT_MAX_FIRST_ALLOC 65536 // 0x10000 - -/** \internal - * \brief setup or grow the `trec` space in the connp - */ -static int EnsureRecordSpace(SSLStateConnp *curr_connp, const uint8_t * const input, - const uint32_t input_len) -{ - ValidateTrecBuffer(curr_connp); - - uint32_t certs_len = GetCertsLen(curr_connp, input, input_len); - if (certs_len == 0) { - SCLogDebug("cert_len unknown still, create small buffer to start"); - certs_len = 256; - } - // Limit in a first time allocation for very large certificates - if (certs_len > SSL_CERT_MAX_FIRST_ALLOC && certs_len > curr_connp->trec_pos + input_len) { - certs_len = SSL_CERT_MAX_FIRST_ALLOC; - } - - if (curr_connp->trec == NULL) { - curr_connp->trec_len = certs_len; - curr_connp->trec = SCMalloc(curr_connp->trec_len); - if (unlikely(curr_connp->trec == NULL)) - goto error; - } - - if (certs_len > curr_connp->trec_len) { - curr_connp->trec_len = certs_len; - void *ptmp = SCRealloc(curr_connp->trec, curr_connp->trec_len); - if (unlikely(ptmp == NULL)) { - SCFree(curr_connp->trec); - curr_connp->trec = NULL; - goto error; - } - curr_connp->trec = ptmp; - } - ValidateTrecBuffer(curr_connp); return 0; -error: - curr_connp->trec_len = 0; - curr_connp->trec_pos = 0; - ValidateTrecBuffer(curr_connp); - return -1; -} - -static inline bool -HaveEntireRecord(const SSLStateConnp *curr_connp, const uint32_t input_len) -{ - return (curr_connp->bytes_processed + input_len) >= - (curr_connp->record_length + SSLV3_RECORD_HDR_LEN); } #ifdef DEBUG_VALIDATION 
@@ -1487,75 +1400,42 @@ static inline int SSLv3ParseHandshakeTypeCertificate(SSLState *ssl_state, const uint8_t * const initial_input, const uint32_t input_len) { - ValidateTrecBuffer(ssl_state->curr_connp); - const uint32_t certs_len = GetCertsLen(ssl_state->curr_connp, initial_input, input_len); - SCLogDebug("certs_len %u", certs_len); - - if (EnsureRecordSpace(ssl_state->curr_connp, initial_input, input_len) < 0) { - /* error, skip input data */ - ssl_state->curr_connp->bytes_processed += input_len; - return -1; - } - ValidateTrecBuffer(ssl_state->curr_connp); - - uint32_t write_len = 0; - if (certs_len != 0 && ssl_state->curr_connp->trec_pos + input_len >= certs_len) { - write_len = certs_len - ssl_state->curr_connp->trec_pos; - /* get data left in this frag. The length field may indicate more - * data than just in this record. */ - uint32_t cur_frag_left = ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed; - SCLogDebug("write_len %u cur_frag_left %u", write_len, cur_frag_left); - write_len = MIN(write_len, cur_frag_left); - } else { - uint32_t cur_frag_left = (ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed); - SCLogDebug("cur_frag_left %u", cur_frag_left); - write_len = MIN(input_len, cur_frag_left); - SCLogDebug("write_len %u", write_len); - } - if (write_len == 0) { - /* no (new) data, so we're done */ - ValidateTrecBuffer(ssl_state->curr_connp); - return 0; - } - BUG_ON(write_len > input_len); - - if (SafeMemcpy(ssl_state->curr_connp->trec, - ssl_state->curr_connp->trec_pos, - ssl_state->curr_connp->trec_len, - initial_input, 0, input_len, write_len) != 0) { - return -1; - } - ssl_state->curr_connp->trec_pos += write_len; - SCLogDebug("ssl_state->curr_connp->trec_pos %u", ssl_state->curr_connp->trec_pos); - DEBUG_VALIDATE_BUG_ON(certs_len != 0 && certs_len < ssl_state->curr_connp->trec_pos); - - /* if we didn't yet get enough to determine the certs 
len, or we can - * see we didn't buffer enough for the certs, don't bother trying to - * parse it the data */ - if (certs_len == 0 || certs_len > ssl_state->curr_connp->trec_pos) { - ssl_state->curr_connp->bytes_processed += write_len; - SCLogDebug("bytes_processed %u record_len %u", - ssl_state->curr_connp->bytes_processed, ssl_state->curr_connp->record_length); - ValidateTrecBuffer(ssl_state->curr_connp); - return write_len; - } - - int rc = TlsDecodeHSCertificate(ssl_state, ssl_state->curr_connp->trec, - ssl_state->curr_connp->trec_pos); + int rc = TlsDecodeHSCertificate(ssl_state, initial_input, input_len); SCLogDebug("rc %d", rc); if (rc > 0) { - DEBUG_VALIDATE_BUG_ON(rc != (int)ssl_state->curr_connp->trec_pos); + DEBUG_VALIDATE_BUG_ON(rc > (int)input_len); SSLParserHSReset(ssl_state->curr_connp); } else if (rc < 0) { SCLogDebug("error parsing cert, reset state"); SSLParserHSReset(ssl_state->curr_connp); /* fall through to still consume the cert bytes */ } - ssl_state->curr_connp->bytes_processed += write_len; - ValidateTrecBuffer(ssl_state->curr_connp); - return write_len; + return input_len; +} + +static int SupportedHandshakeType(const uint8_t type) +{ + switch (type) { + case SSLV3_HS_CLIENT_HELLO: + case SSLV3_HS_SERVER_HELLO: + case SSLV3_HS_SERVER_KEY_EXCHANGE: + case SSLV3_HS_CLIENT_KEY_EXCHANGE: + case SSLV3_HS_CERTIFICATE: + case SSLV3_HS_HELLO_REQUEST: + case SSLV3_HS_CERTIFICATE_REQUEST: + case SSLV3_HS_CERTIFICATE_VERIFY: + case SSLV3_HS_FINISHED: + case SSLV3_HS_CERTIFICATE_URL: + case SSLV3_HS_CERTIFICATE_STATUS: + case SSLV3_HS_NEW_SESSION_TICKET: + case SSLV3_HS_SERVER_HELLO_DONE: + return true; + break; + + default: + return false; + break; + } } /** 
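Review bot: SupportedHandshakeType is declared `static int` but returns `true`/`false` and its result is stored in a `const bool` by the caller; declare it `static bool SupportedHandshakeType(const uint8_t type)`. The `break;` after each `return` is unreachable and can go. A short header comment would help readers, since the list doubles as the set of types the fragment buffering is applied to: `/* handshake types the parser understands; other types are skipped without buffering */`.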
@@ -1577,28 +1457,17 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, case SSLV3_HS_CLIENT_HELLO: ssl_state->current_flags = SSL_AL_FLAG_STATE_CLIENT_HELLO; - /* Only parse the message if it is complete */ - if (input_len >= ssl_state->curr_connp->message_length && - input_len >= 40) { - rc = TLSDecodeHandshakeHello(ssl_state, input, input_len); - if (rc < 0) - return rc; - } - + rc = TLSDecodeHandshakeHello(ssl_state, input, input_len); + if (rc < 0) + return rc; break; case SSLV3_HS_SERVER_HELLO: ssl_state->current_flags = SSL_AL_FLAG_STATE_SERVER_HELLO; - /* Only parse the message if it is complete */ - if (input_len >= ssl_state->curr_connp->message_length && - input_len >= 40) { - rc = TLSDecodeHandshakeHello(ssl_state, input, - ssl_state->curr_connp->message_length); - if (rc < 0) - return rc; - } - + rc = TLSDecodeHandshakeHello(ssl_state, input, ssl_state->curr_connp->message_length); + if (rc < 0) + return rc; break; case SSLV3_HS_SERVER_KEY_EXCHANGE: @@ -1616,9 +1485,11 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, "direction!"); break; } + rc = SSLv3ParseHandshakeTypeCertificate(ssl_state, initial_input, input_len); - return rc; + if (rc < 0) + return rc; break; case SSLV3_HS_HELLO_REQUEST: @@ -1631,6 +1502,8 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, case SSLV3_HS_NEW_SESSION_TICKET: SCLogDebug("new session ticket"); break; + case SSLV3_HS_SERVER_HELLO_DONE: + break; default: SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); return -1; 
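Review bot: The ServerHello branch now calls `TLSDecodeHandshakeHello(ssl_state, input, ssl_state->curr_connp->message_length)` while the ClientHello branch passes `input_len`; the removed `input_len >= message_length` guard was what made the two equivalent, so the decoder is now trusted to read `message_length` bytes from `input` purely on the caller's promise. Passing `input_len` in both branches, or adding `DEBUG_VALIDATE_BUG_ON(input_len < ssl_state->curr_connp->message_length);` before the call, keeps that bound checked in this function. Whether TLSDecodeHandshakeHello still enforces the old 40-byte minimum internally is not visible in this hunk, and the enclosing function continues outside it.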
@@ -1638,29 +1511,10 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, ssl_state->flags |= ssl_state->current_flags; - SCLogDebug("message: start %u length %u", ssl_state->curr_connp->message_start, ssl_state->curr_connp->message_length); + SCLogDebug("message: length %u", ssl_state->curr_connp->message_length); SCLogDebug("input_len %u ssl_state->curr_connp->bytes_processed %u", input_len, ssl_state->curr_connp->bytes_processed); - uint32_t write_len = 0; - if (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length < - ssl_state->curr_connp->bytes_processed + input_len) { - SCLogDebug("msg done"); - - // Safety check against integer underflow - DEBUG_VALIDATE_BUG_ON( - ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length < - ssl_state->curr_connp->bytes_processed); - write_len = (ssl_state->curr_connp->message_start + ssl_state->curr_connp->message_length) - - ssl_state->curr_connp->bytes_processed; - DEBUG_VALIDATE_BUG_ON(write_len > input_len); - ssl_state->curr_connp->bytes_processed += write_len; - SSLParserHSReset(ssl_state->curr_connp); - SCLogDebug("write_len %u", write_len); - return write_len; - } else { - ssl_state->curr_connp->bytes_processed += input_len; - return input_len; - } + return input_len; } static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input, 
@@ -1670,66 +1524,166 @@ static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input if (input_len == 0 || ssl_state->curr_connp->bytes_processed == (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN)) { - return 0; - } + SCReturnInt(0); + } + + while (input_len) { + SCLogDebug("input_len %u", input_len); + + if (ssl_state->curr_connp->hs_buffer != NULL) { + SCLogDebug("partial handshake record in place"); + const uint32_t need = ssl_state->curr_connp->hs_buffer_message_size - + ssl_state->curr_connp->hs_buffer_offset; + const uint32_t add = MIN(need, input_len); + + /* grow buffer to next multiple of 4k that fits all data we have */ + if (ssl_state->curr_connp->hs_buffer_offset + add > + ssl_state->curr_connp->hs_buffer_size) { + const uint32_t avail = ssl_state->curr_connp->hs_buffer_offset + add; + const uint32_t new_size = avail + (4096 - (avail % 4096)); + SCLogDebug("new_size %u, avail %u", new_size, avail); + void *ptr = SCRealloc(ssl_state->curr_connp->hs_buffer, new_size); + if (ptr == NULL) + return -1; + ssl_state->curr_connp->hs_buffer = ptr; + ssl_state->curr_connp->hs_buffer_size = new_size; + } - SCLogDebug("bytes_processed %u", ssl_state->curr_connp->bytes_processed); - SCLogDebug("ssl_state->curr_connp->hs_bytes_processed %u input %p input_len %u", - ssl_state->curr_connp->hs_bytes_processed, input, input_len); + SCLogDebug("ssl_state->curr_connp->hs_buffer_offset %u " + "ssl_state->curr_connp->hs_buffer_size %u", + ssl_state->curr_connp->hs_buffer_offset, ssl_state->curr_connp->hs_buffer_size); + SCLogDebug("to add %u total %u", add, ssl_state->curr_connp->hs_buffer_offset + add); - switch (ssl_state->curr_connp->hs_bytes_processed) { - case 0: - ssl_state->curr_connp->handshake_type = *(input++); - ssl_state->curr_connp->bytes_processed++; - ssl_state->curr_connp->hs_bytes_processed++; - if (--input_len == 0 || ssl_state->curr_connp->bytes_processed == - (ssl_state->curr_connp->record_length + - 
SSLV3_RECORD_HDR_LEN)) { - return (input - initial_input); + if (SafeMemcpy(ssl_state->curr_connp->hs_buffer, + ssl_state->curr_connp->hs_buffer_offset, + ssl_state->curr_connp->hs_buffer_size, input, 0, add, add) != 0) { + SCLogDebug("copy failed"); + return -1; } + ssl_state->curr_connp->hs_buffer_offset += add; - /* fall through */ - case 1: - ssl_state->curr_connp->message_length = *(input++) << 16; - ssl_state->curr_connp->bytes_processed++; - ssl_state->curr_connp->hs_bytes_processed++; - if (--input_len == 0 || ssl_state->curr_connp->bytes_processed == - (ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN)) { - return (input - initial_input); + if (ssl_state->curr_connp->hs_buffer_message_size <= + ssl_state->curr_connp->hs_buffer_offset + input_len) { + + ssl_state->curr_connp->handshake_type = + ssl_state->curr_connp->hs_buffer_message_type; + ssl_state->curr_connp->message_length = + ssl_state->curr_connp->hs_buffer_message_size; + + SCLogDebug("got all data now: handshake_type %u message_length %u", + ssl_state->curr_connp->handshake_type, + ssl_state->curr_connp->message_length); + + int retval = SSLv3ParseHandshakeType(ssl_state, ssl_state->curr_connp->hs_buffer, + ssl_state->curr_connp->hs_buffer_offset, direction); + if (retval < 0) { + SSLParserHSReset(ssl_state->curr_connp); + return (retval); + } + SCLogDebug("retval %d", retval); + + /* data processed, reset buffer */ + SCFree(ssl_state->curr_connp->hs_buffer); + ssl_state->curr_connp->hs_buffer = NULL; + ssl_state->curr_connp->hs_buffer_size = 0; + ssl_state->curr_connp->hs_buffer_message_size = 0; + ssl_state->curr_connp->hs_buffer_message_type = 0; + ssl_state->curr_connp->hs_buffer_offset = 0; + } else { + SCLogDebug("partial data"); } - /* fall through */ - case 2: - ssl_state->curr_connp->message_length |= *(input++) << 8; - ssl_state->curr_connp->bytes_processed++; - ssl_state->curr_connp->hs_bytes_processed++; - if (--input_len == 0 || ssl_state->curr_connp->bytes_processed == 
- (ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN)) { - return (input - initial_input); + input += add; + input_len -= add; + SCLogDebug("input_len %u", input_len); + SSLParserHSReset(ssl_state->curr_connp); + continue; + } + + SCLogDebug("bytes_processed %u", ssl_state->curr_connp->bytes_processed); + SCLogDebug("input %p input_len %u", input, input_len); + + if (input_len < 4) { + SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); + SCReturnInt(-1); + } + + ssl_state->curr_connp->handshake_type = input[0]; + ssl_state->curr_connp->message_length = input[1] << 16 | input[2] << 8 | input[3]; + SCLogDebug("handshake_type %u message len %u input %p input_len %u", + ssl_state->curr_connp->handshake_type, ssl_state->curr_connp->message_length, input, + input_len); + input += 4; + input_len -= 4; + + const uint32_t record_len = ssl_state->curr_connp->message_length; + /* see if we support this type. We check here to not use the fragment + * handling on things we don't support. */ + const bool supported_type = SupportedHandshakeType(ssl_state->curr_connp->handshake_type); + SCLogDebug("supported_type %s handshake_type %u/%02x", supported_type ? 
"true" : "false", + ssl_state->curr_connp->handshake_type, ssl_state->curr_connp->handshake_type); + if (!supported_type) { + uint32_t avail_record_len = MIN(input_len, record_len); + input += avail_record_len; + input_len -= avail_record_len; + + SSLParserHSReset(ssl_state->curr_connp); + + if ((direction && (ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC)) || + (!direction && (ssl_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC))) { + // after Change Cipher Spec we get Encrypted Handshake Messages + } else { + SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE); } + continue; + } - /* fall through */ - case 3: - ssl_state->curr_connp->message_length |= *(input++); - ssl_state->curr_connp->bytes_processed++; - ssl_state->curr_connp->hs_bytes_processed++; - --input_len; - ssl_state->curr_connp->message_start = ssl_state->curr_connp->bytes_processed; + /* if the message lenght exceeds our input_len, we have a tls fragment. */ + if (record_len > input_len) { + const uint32_t avail = input_len; + const uint32_t size = avail + (4096 - (avail % 4096)); + SCLogDebug("initial buffer size %u, based on input %u", size, avail); + ssl_state->curr_connp->hs_buffer = SCCalloc(1, size); + if (ssl_state->curr_connp->hs_buffer == NULL) { + return -1; + } + ssl_state->curr_connp->hs_buffer_size = size; + ssl_state->curr_connp->hs_buffer_message_size = record_len; + ssl_state->curr_connp->hs_buffer_message_type = ssl_state->curr_connp->handshake_type; + + if (input_len > 0) { + if (SafeMemcpy(ssl_state->curr_connp->hs_buffer, 0, + ssl_state->curr_connp->hs_buffer_size, input, 0, input_len, + input_len) != 0) { + return -1; + } + ssl_state->curr_connp->hs_buffer_offset = input_len; + } + SCLogDebug("opened record buffer %p size %u offset %u type %u msg_size %u", + ssl_state->curr_connp->hs_buffer, ssl_state->curr_connp->hs_buffer_size, + ssl_state->curr_connp->hs_buffer_offset, + ssl_state->curr_connp->hs_buffer_message_type, + 
ssl_state->curr_connp->hs_buffer_message_size); + input += input_len; + SSLParserHSReset(ssl_state->curr_connp); + return (input - initial_input); - /* fall through */ - } - SCLogDebug("message len %u input %p", ssl_state->curr_connp->message_length, input); + } else { + /* full record, parse it now */ + int retval = SSLv3ParseHandshakeType( + ssl_state, input, ssl_state->curr_connp->message_length, direction); + if (retval < 0 || retval > (int)input_len) { + DEBUG_VALIDATE_BUG_ON(retval > (int)input_len); + return (retval); + } + SCLogDebug("retval %d input_len %u", retval, input_len); + input += retval; + input_len -= retval; - int retval = SSLv3ParseHandshakeType(ssl_state, input, input_len, direction); - if (retval < 0 || retval > (int)input_len) { - DEBUG_VALIDATE_BUG_ON(retval > (int)input_len); - return retval; + SSLParserHSReset(ssl_state->curr_connp); + } + SCLogDebug("input_len left %u", input_len); } - SCLogDebug("retval %d input_len %u", retval, input_len); - input += retval; - return (input - initial_input); } @@ -2022,10 +1976,10 @@ static int SSLv2ParseRecord(uint8_t direction, SSLState *ssl_state, return (input - initial_input); } -static int SSLv2Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserState *pstate, - const uint8_t *input, uint32_t input_len, const StreamSlice stream_slice) +static struct SSLDecoderResult SSLv2Decode(uint8_t direction, SSLState *ssl_state, + AppLayerParserState *pstate, const uint8_t *input, uint32_t input_len, + const StreamSlice stream_slice) { - int retval = 0; const uint8_t *initial_input = input; if (ssl_state->curr_connp->bytes_processed == 0) { 
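Review bot: As rendered here SSLv3ParseHandshakeProtocol no longer returns a value when the `while (input_len)` loop runs to completion: the old `return (input - initial_input);` after the loop is removed and nothing replaces it, so the caller's `retval < 0` check reads an indeterminate value for every fully consumed record (GCC/Clang flag this under -Wall as -Wreturn-type); add `return (input - initial_input);` after the loop's closing brace. The completeness test in the partial-buffer branch, `hs_buffer_message_size <= hs_buffer_offset + input_len`, runs after `hs_buffer_offset += add` but before `input_len -= add`, so the `add` bytes are counted twice and a message still short by up to `add` bytes is handed to SSLv3ParseHandshakeType as complete with `message_length` set to the full size — the length the ServerHello path then passes to TLSDecodeHandshakeHello, reading past the bytes actually received; the test should be `hs_buffer_message_size <= hs_buffer_offset`. The comment `/* if the message lenght exceeds our input_len ... */` should read `length`. The function's signature lies outside this hunk.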
@@ -2048,17 +2002,14 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta to read the msg_type */ if (ssl_state->curr_connp->bytes_processed < (ssl_state->curr_connp->record_lengths_length + 1)) { - retval = SSLv2ParseRecord(direction, ssl_state, input, input_len); + const int retval = SSLv2ParseRecord(direction, ssl_state, input, input_len); SCLogDebug("retval %d ssl_state->curr_connp->record_length %u", retval, ssl_state->curr_connp->record_length); if (retval < 0 || retval > (int)input_len) { DEBUG_VALIDATE_BUG_ON(retval > (int)input_len); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSLV2_HEADER); - return -1; + return SSL_DECODER_ERROR(-1); } - // TODO review - // BUG_ON(ssl_state->curr_connp->record_lengths_length + 1 != - // ssl_state->curr_connp->bytes_processed); AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input, ssl_state->curr_connp->record_lengths_length + ssl_state->curr_connp->record_length, 
@@ -2069,22 +2020,31 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta input_len -= retval; } + /* if we don't have the full record, we return incomplete */ + if (ssl_state->curr_connp->record_length > input_len) { + uint32_t needed = ssl_state->curr_connp->record_length; + SCLogDebug("record len %u input_len %u parsed %u: need %u bytes more data", + ssl_state->curr_connp->record_length, input_len, (uint32_t)(input - initial_input), + needed); + return SSL_DECODER_INCOMPLETE((input - initial_input), needed); + } + if (input_len == 0) { - return (input - initial_input); + return SSL_DECODER_OK((input - initial_input)); } /* record_length should never be zero */ if (ssl_state->curr_connp->record_length == 0) { SCLogDebug("SSLv2 record length is zero"); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSLV2_HEADER); - return -1; + return SSL_DECODER_ERROR(-1); } /* record_lengths_length should never be zero */ if (ssl_state->curr_connp->record_lengths_length == 0) { SCLogDebug("SSLv2 record lengths length is zero"); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSLV2_HEADER); - return -1; + return SSL_DECODER_ERROR(-1); } switch (ssl_state->curr_connp->content_type) { 
@@ -2298,19 +2258,19 @@ static int SSLv2Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta ssl_state->curr_connp->bytes_processed; input += diff; SSLParserReset(ssl_state); - return (input - initial_input); - /* we still don't have the entire record for the one we are - currently parsing */ + /* we still don't have the entire record for the one we are + currently parsing */ } else { input += input_len; ssl_state->curr_connp->bytes_processed += input_len; - return (input - initial_input); } + return SSL_DECODER_OK((input - initial_input)); } -static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserState *pstate, - const uint8_t *input, const uint32_t input_len, const StreamSlice stream_slice) +static struct SSLDecoderResult SSLv3Decode(uint8_t direction, SSLState *ssl_state, + AppLayerParserState *pstate, const uint8_t *input, const uint32_t input_len, + const StreamSlice stream_slice) { uint32_t parsed = 0; uint32_t record_len; /* slice of input_len for the current record */ @@ -2321,7 +2281,7 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta DEBUG_VALIDATE_BUG_ON(retval > (int)input_len); SCLogDebug("SSLv3ParseRecord returned %d", retval); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_TLS_HEADER); - return -1; + return SSL_DECODER_ERROR(-1); } SCLogDebug("%s input %p record_length %u", (direction == 0) ? "toserver" : "toclient", input, ssl_state->curr_connp->record_length); 
@@ -2329,10 +2289,16 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta ssl_state->curr_connp->record_length + retval, direction, TLS_FRAME_PDU); AppLayerFrameNewByPointer( ssl_state->f, &stream_slice, input, SSLV3_RECORD_HDR_LEN, direction, TLS_FRAME_HDR); - parsed += retval; + parsed = retval; record_len = MIN(input_len - parsed, ssl_state->curr_connp->record_length); SCLogDebug("record_len %u (input_len %u, parsed %u, ssl_state->curr_connp->record_length %u)", record_len, input_len, parsed, ssl_state->curr_connp->record_length); + + /* records are not supposed to exceed 16384, but the length field is 16 bits. */ + if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_HDR_LEN && + ssl_state->curr_connp->record_length > SSLV3_RECORD_MAX_LEN) { + SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_RECORD_LENGTH); + } } else { ValidateRecordState(ssl_state->curr_connp); 
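Review bot: The new `record_length > SSLV3_RECORD_MAX_LEN` event uses the plaintext bound the comment cites (2^14), but on the wire the TLS length field covers ciphertext: RFC 5246 §6.2.3 permits TLSCiphertext.length up to 2^14 + 2048 and RFC 8446 §5.2 up to 2^14 + 256, so if `SSLV3_RECORD_MAX_LEN` is defined as 16384 (its definition is outside this hunk) `TLS_DECODER_EVENT_INVALID_RECORD_LENGTH` will fire on legitimate encrypted application-data records from a number of stacks. Either define the constant at the ciphertext maximum or restrict the check to record types seen before ChangeCipherSpec, and say which in the comment: `/* plaintext records are capped at 2^14 (RFC 5246 6.2.1); encrypted records may reach 2^14+2048 (TLS 1.2) or 2^14+256 (TLS 1.3), so the threshold must be the ciphertext bound to avoid false events. */`. The check is placed after the header has been consumed and never rejects the record, which is the right choice for an IDS, but the rule documentation for the new event should state that it is advisory. SSLv3Decode continues outside this hunk.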
@@ -2342,21 +2308,28 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta SCLogDebug("record length %u processed %u got %u", ssl_state->curr_connp->record_length, ssl_state->curr_connp->bytes_processed, record_len); + /* if we don't have the full record, we return incomplete */ + if (ssl_state->curr_connp->record_length > input_len - parsed) { + uint32_t needed = ssl_state->curr_connp->record_length; + SCLogDebug("record len %u input_len %u parsed %u: need %u bytes more data", + ssl_state->curr_connp->record_length, input_len, parsed, needed); + return SSL_DECODER_INCOMPLETE(parsed, needed); + } + if (record_len == 0) { - return parsed; + return SSL_DECODER_OK(parsed); } /* record_length should never be zero */ if (ssl_state->curr_connp->record_length == 0) { SCLogDebug("SSLv3 Record length is 0"); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_TLS_HEADER); - return -1; + return SSL_DECODER_ERROR(-1); } AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input + parsed, ssl_state->curr_connp->record_length, direction, TLS_FRAME_DATA); switch (ssl_state->curr_connp->content_type) { - /* we don't need any data from these types */ case SSLV3_CHANGE_CIPHER_SPEC: ssl_state->flags |= SSL_AL_FLAG_CHANGE_CIPHER_SPEC; @@ -2366,7 +2339,6 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta } else { ssl_state->flags |= SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC; } - break; case SSLV3_ALERT_PROTOCOL: @@ -2404,7 +2376,6 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta AppLayerParserStateSetFlag(pstate, APP_LAYER_PARSER_BYPASS_READY); } - break; case SSLV3_HANDSHAKE_PROTOCOL: { @@ -2418,7 +2389,6 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta /* do nothing */ } else { // if we started parsing this, we must stop - ssl_state->curr_connp->hs_bytes_processed = 0; break; } } 
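Review bot: In the first hunk the incomplete return requests `needed = record_length` regardless of how much of the record was already consumed, but the check sits after both branches, including the `else` continuation branch where `bytes_processed` is already past the header and `parsed` is 0; there the function would ask for the full record although only `record_length + SSLV3_RECORD_HDR_LEN - bytes_processed` bytes are outstanding. Since after `SSLv3ParseRecord` the code just above relies on `bytes_processed == SSLV3_RECORD_HDR_LEN`, computing `uint32_t needed = ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed;` and testing `if (needed > input_len - parsed)` gives the same value on the fresh-header path and the correct one on continuation, if that path is still reachable after this change (it may be dead now; if so a `DEBUG_VALIDATE_BUG_ON` there would document it). The debug message `need %u bytes more data` prints the total rather than the shortfall and should be reworded to match. SSLv3Decode starts before these hunks and continues after them.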
@@ -2427,41 +2397,20 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta SSLParserReset(ssl_state); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); SCLogDebug("record len < 4 => %u", ssl_state->curr_connp->record_length); - return -1; + return SSL_DECODER_ERROR(-1); } int retval = SSLv3ParseHandshakeProtocol(ssl_state, input + parsed, record_len, direction); + SCLogDebug("retval %d", retval); if (retval < 0 || retval > (int)record_len) { DEBUG_VALIDATE_BUG_ON(retval > (int)record_len); - SSLSetEvent(ssl_state, - TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE); - SSLSetEvent(ssl_state, - TLS_DECODER_EVENT_INVALID_SSL_RECORD); + SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE); SCLogDebug("SSLv3ParseHandshakeProtocol returned %d", retval); - return -1; + return SSL_DECODER_ERROR(-1); } - SCLogDebug("retval %d", retval); - - parsed += retval; - record_len -= retval; - (void)record_len; /* for scan-build */ - - SCLogDebug("bytes_processed %u (record+hdr %u)", ssl_state->curr_connp->bytes_processed, - (ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN)); ValidateRecordState(ssl_state->curr_connp); - - if (ssl_state->curr_connp->bytes_processed >= - ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN) { - SCLogDebug("record ready"); - SSLParserReset(ssl_state); - } - - SCLogDebug("trigger RAW! (post HS)"); - AppLayerParserTriggerRawStreamReassembly(ssl_state->f, - direction == 0 ? STREAM_TOSERVER : STREAM_TOCLIENT); - return parsed; + break; } case SSLV3_HEARTBEAT_PROTOCOL: { AppLayerFrameNewByPointer(ssl_state->f, &stream_slice, input + parsed, 
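Review bot: `SSLv3ParseHandshakeProtocol`'s return value is now only range-checked and the case then `break`s into the shared tail, which advances by the full `record_len`; any bytes the handshake parser did not consume (`retval < record_len`) are skipped silently, whereas the old code advanced by `retval` and resumed on the next call. If the handshake parser still stops after a single message this loses later messages in the same record — ServerHello, Certificate and ServerHelloDone are routinely bundled — and the certificate keywords would stop matching; if it now consumes the whole record (the hs_buffer work suggests so, but that code is outside this hunk), make the contract explicit with `DEBUG_VALIDATE_BUG_ON(retval != (int)record_len);` after the error check, or a comment stating that the parser buffers the remainder. Dropping the secondary `TLS_DECODER_EVENT_INVALID_SSL_RECORD` on a handshake error also means rules using `app-layer-event:tls.invalid_ssl_record` no longer fire for malformed handshake messages; that needs a changelog/rules note. SSLv3Decode starts before this hunk and continues after it.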
@@ -2470,49 +2419,33 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state, AppLayerParserSta record_len, direction); if (retval < 0) { SCLogDebug("SSLv3ParseHeartbeatProtocol returned %d", retval); - return -1; + return SSL_DECODER_ERROR(-1); } break; } default: - /* \todo fix the event from invalid rule to unknown rule */ SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_RECORD_TYPE); - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); SCLogDebug("unsupported record type"); - return -1; + return SSL_DECODER_ERROR(-1); } - if (HaveEntireRecord(ssl_state->curr_connp, record_len)) { - DEBUG_VALIDATE_BUG_ON(((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < - ssl_state->curr_connp->bytes_processed)); - - if ((ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) < - ssl_state->curr_connp->bytes_processed) { - /* defensive checks. Something is wrong. */ - SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); - SCLogDebug("defensive checks. Something is wrong."); - return -1; - } + parsed += record_len; + ssl_state->curr_connp->bytes_processed += record_len; + if (ssl_state->curr_connp->bytes_processed >= + ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN) { SCLogDebug("record complete, trigger RAW"); - AppLayerParserTriggerRawStreamReassembly(ssl_state->f, - direction == 0 ? STREAM_TOSERVER : STREAM_TOCLIENT); - - /* looks like we have another record */ - uint32_t diff = ssl_state->curr_connp->record_length + - SSLV3_RECORD_HDR_LEN - ssl_state->curr_connp->bytes_processed; - parsed += diff; + AppLayerParserTriggerRawStreamReassembly( + ssl_state->f, direction == 0 ? 
STREAM_TOSERVER : STREAM_TOCLIENT); SSLParserReset(ssl_state); ValidateRecordState(ssl_state->curr_connp); - return parsed; + return SSL_DECODER_OK(parsed); - /* we still don't have the entire record for the one we are - currently parsing */ } else { - parsed += record_len; - ssl_state->curr_connp->bytes_processed += record_len; + /* we still don't have the entire record for the one we are + currently parsing */ ValidateRecordState(ssl_state->curr_connp); - return parsed; + return SSL_DECODER_OK(parsed); } } @@ -2541,6 +2474,7 @@ static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate, uint32_t counter = 0; ssl_state->f = f; const uint8_t *input = StreamSliceGetData(&stream_slice); + const uint8_t *init_input = input; int32_t input_len = (int32_t)StreamSliceGetDataLen(&stream_slice); if (input == NULL && @@ -2589,8 +2523,8 @@ static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate, SCLogDebug("SSL/TLS version reset"); } } - SCLogDebug("record %u: bytes_processed %u, version %02X", counter, - ssl_state->curr_connp->bytes_processed, ssl_state->curr_connp->version); + SCLogDebug("record %u: bytes_processed %u, version %02X, input_len %u", counter, + ssl_state->curr_connp->bytes_processed, ssl_state->curr_connp->version, input_len); if (ssl_state->curr_connp->version == SSL_VERSION_2) { if (ssl_state->curr_connp->bytes_processed == 0) { 
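Review bot: Removing `TLS_DECODER_EVENT_INVALID_SSL_RECORD` from the `default:` case changes which signatures fire: rules written against `app-layer-event:tls.invalid_ssl_record` to catch unknown content types will stop matching and only `tls.invalid_record_type` remains, so the change needs a changelog and rules note even though the cleanup itself is reasonable. In the shared tail, `bytes_processed += record_len` is applied on both branches and the old guard that caught `bytes_processed` overshooting `record_length + SSLV3_RECORD_HDR_LEN` was dropped; if the partial-record `else` branch is unreachable now that the function returns incomplete up front, say so, and keep an accounting check such as `DEBUG_VALIDATE_BUG_ON(ssl_state->curr_connp->bytes_processed > ssl_state->curr_connp->record_length + SSLV3_RECORD_HDR_LEN);` before the `>=` comparison so a bad `record_len` computation surfaces in validation builds instead of being masked. This hunk starts on the previous line and SSLv3Decode begins before it.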
@@ -2598,19 +2532,25 @@ static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate, } else { SCLogDebug("Continuing parsing SSLv2 record"); } - int retval = SSLv2Decode(direction, ssl_state, pstate, input, input_len, stream_slice); - if (retval < 0 || retval > input_len) { - DEBUG_VALIDATE_BUG_ON(retval > input_len); + struct SSLDecoderResult r = + SSLv2Decode(direction, ssl_state, pstate, input, input_len, stream_slice); + if (r.retval < 0 || r.retval > input_len) { + DEBUG_VALIDATE_BUG_ON(r.retval > input_len); SCLogDebug("Error parsing SSLv2. Reseting parser " "state. Let's get outta here"); SSLParserReset(ssl_state); SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD); - return APP_LAYER_OK; + return APP_LAYER_ERROR; + } else if (r.needed) { + input += r.retval; + SCLogDebug("returning consumed %" PRIuMAX " needed %u", + (uintmax_t)(input - init_input), r.needed); + SCReturnStruct(APP_LAYER_INCOMPLETE(input - init_input, r.needed)); } - input_len -= retval; - input += retval; - SCLogDebug("SSLv2 decoder consumed %d bytes: %u left", retval, input_len); + input_len -= r.retval; + input += r.retval; + SCLogDebug("SSLv2 decoder consumed %d bytes: %u left", r.retval, input_len); } else { if (ssl_state->curr_connp->bytes_processed == 0) { SCLogDebug("New TLS record: record_length %u", 
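Review bot: Switching the SSLv2 failure path from `APP_LAYER_OK` to `APP_LAYER_ERROR` is a behaviour change beyond the incomplete plumbing: the app-layer engine stops feeding this flow to the TLS parser, so tls.* keywords, JA3 and TLS logging cease for the rest of the flow, where the old code reset state and kept parsing. It aligns SSLv2 with the TLS branch below and is defensible, but the commit message should say so and a suricata-verify case with a truncated or corrupt SSLv2 record should pin the new outcome (the removed C unit tests no longer cover it). The incomplete branch itself is fine: `r.retval` is range-checked first, and `input - init_input` correctly reports the offset of the record body. SSLDecode starts before this hunk and continues after it.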
@@ -2619,17 +2559,23 @@ static AppLayerResult SSLDecode(Flow *f, uint8_t direction, void *alstate, SCLogDebug("Continuing parsing TLS record: record_length %u, bytes_processed %u", ssl_state->curr_connp->record_length, ssl_state->curr_connp->bytes_processed); } - int retval = SSLv3Decode(direction, ssl_state, pstate, input, input_len, stream_slice); - if (retval < 0 || retval > input_len) { - DEBUG_VALIDATE_BUG_ON(retval > input_len); + struct SSLDecoderResult r = + SSLv3Decode(direction, ssl_state, pstate, input, input_len, stream_slice); + if (r.retval < 0 || r.retval > input_len) { + DEBUG_VALIDATE_BUG_ON(r.retval > input_len); SCLogDebug("Error parsing TLS. Reseting parser " "state. Let's get outta here"); SSLParserReset(ssl_state); return APP_LAYER_ERROR; + } else if (r.needed) { + input += r.retval; + SCLogDebug("returning consumed %" PRIuMAX " needed %u", + (uintmax_t)(input - init_input), r.needed); + SCReturnStruct(APP_LAYER_INCOMPLETE(input - init_input, r.needed)); } - input_len -= retval; - input += retval; - SCLogDebug("TLS decoder consumed %d bytes: %u left", retval, input_len); + input_len -= r.retval; + input += r.retval; + SCLogDebug("TLS decoder consumed %d bytes: %u left", r.retval, input_len); if (ssl_state->curr_connp->bytes_processed == SSLV3_RECORD_HDR_LEN && ssl_state->curr_connp->record_length == 0) { @@ -2696,8 +2642,6 @@ static void SSLStateFree(void *p) SSLState *ssl_state = (SSLState *)p; SSLCertsChain *item; - if (ssl_state->client_connp.trec) - SCFree(ssl_state->client_connp.trec); if (ssl_state->client_connp.cert0_subject) rs_cstring_free(ssl_state->client_connp.cert0_subject); if (ssl_state->client_connp.cert0_issuerdn) 
@@ -2710,9 +2654,9 @@ static void SSLStateFree(void *p) SCFree(ssl_state->client_connp.sni); if (ssl_state->client_connp.session_id) SCFree(ssl_state->client_connp.session_id); + if (ssl_state->client_connp.hs_buffer) + SCFree(ssl_state->client_connp.hs_buffer); - if (ssl_state->server_connp.trec) - SCFree(ssl_state->server_connp.trec); if (ssl_state->server_connp.cert0_subject) rs_cstring_free(ssl_state->server_connp.cert0_subject); if (ssl_state->server_connp.cert0_issuerdn) @@ -2734,6 +2678,8 @@ static void SSLStateFree(void *p) Ja3BufferFree(&ssl_state->server_connp.ja3_str); if (ssl_state->server_connp.ja3_hash) SCFree(ssl_state->server_connp.ja3_hash); + if (ssl_state->server_connp.hs_buffer) + SCFree(ssl_state->server_connp.hs_buffer); AppLayerDecoderEventsFreeEvents(&ssl_state->tx_data.events); @@ -3094,9 +3040,6 @@ void RegisterSSLParsers(void) "still on.", proto_name); } -#ifdef UNITTESTS - AppLayerParserRegisterProtocolUnittests(IPPROTO_TCP, ALPROTO_TLS, SSLParserRegisterTests); -#endif return; } 
@@ -3124,2357 +3067,3 @@ bool SSLJA3IsEnabled(void) } return false; } - -/***************************************Unittests******************************/ - -#ifdef UNITTESTS - -/** - *\test Send a get request in one chunk. - */ -static int SSLParserTest01(void) -{ - Flow f; - uint8_t tlsbuf[] = { 0x16, 0x03, 0x01 }; - uint32_t tlslen = sizeof(tlsbuf); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER | STREAM_EOF, tlsbuf, tlslen); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** \test Send a get request in two chunks. 
*/ -static int SSLParserTest02(void) -{ - Flow f; - uint8_t tlsbuf1[] = { 0x16 }; - uint32_t tlslen1 = sizeof(tlsbuf1); - uint8_t tlsbuf2[] = { 0x03, 0x01 }; - uint32_t tlslen2 = sizeof(tlsbuf2); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, tlsbuf1, tlslen1); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf2, tlslen2); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** \test Send a get request in three chunks. 
*/ -static int SSLParserTest03(void) -{ - Flow f; - uint8_t tlsbuf1[] = { 0x16 }; - uint32_t tlslen1 = sizeof(tlsbuf1); - uint8_t tlsbuf2[] = { 0x03 }; - uint32_t tlslen2 = sizeof(tlsbuf2); - uint8_t tlsbuf3[] = { 0x01 }; - uint32_t tlslen3 = sizeof(tlsbuf3); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, tlsbuf1, tlslen1); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf2, tlslen2); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf3, tlslen3); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** \test Send a get request in three chunks + more data. 
*/ -static int SSLParserTest04(void) -{ - Flow f; - uint8_t tlsbuf1[] = { 0x16 }; - uint32_t tlslen1 = sizeof(tlsbuf1); - uint8_t tlsbuf2[] = { 0x03 }; - uint32_t tlslen2 = sizeof(tlsbuf2); - uint8_t tlsbuf3[] = { 0x01 }; - uint32_t tlslen3 = sizeof(tlsbuf3); - uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 }; - uint32_t tlslen4 = sizeof(tlsbuf4); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, tlsbuf1, tlslen1); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf2, tlslen2); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf3, tlslen3); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf4, tlslen4); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -#if 0 -/** \test Test the setting up of no reassembly and no payload inspection flag - * after detection of the TLS handshake completion */ -static int SSLParserTest05(void) -{ - int result = 1; - Flow f; - uint8_t tlsbuf[] = { 0x16, 0x03, 0x01, 0x00, 0x01 }; - uint32_t tlslen = sizeof(tlsbuf); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - 
- int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x14; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x14; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x17; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - SSLState *ssl_state = f.alstate; - if (ssl_state == NULL) { - printf("no tls state: "); - result = 0; - goto end; - } - - if (ssl_state->client_connp.content_type != 0x17) { - printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, - ssl_state->client_connp.content_type); - result = 0; - goto end; - } - - if (ssl_state->client_connp.version != TLS_VERSION_10) { - printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", - TLS_VERSION_10, ssl_state->client_connp.client_version); - result = 0; - goto end; - } - - AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *) - ssn.alparser; - AppLayerParserState *parser_state = &parser_state_store->to_server; - - if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) && - !(ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) && - !(ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) - { - printf("The flags 
should be set\n"); - result = 0; - goto end; - } - - if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) { - printf("The flags should be set\n"); - result = 0; - goto end; - } - -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - return result; -} -#endif - -#if 0 -/** \test Test the setting up of no reassembly and no payload inspection flag - * after detection of the valid TLS handshake completion, the rouge - * 0x17 packet will not be considered in the detection process */ -static int SSLParserTest06(void) -{ - int result = 1; - Flow f; - uint8_t tlsbuf[] = { 0x16, 0x03, 0x01, 0x00, 0x01 }; - uint32_t tlslen = sizeof(tlsbuf); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x14; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x17; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - SSLState *ssl_state = f.alstate; - if (ssl_state == NULL) { - printf("no tls state: "); - result = 0; - goto end; - } - - if 
(ssl_state->client_connp.content_type != 0x17) { - printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, - ssl_state->client_connp._content_type); - result = 0; - goto end; - } - - if (ssl_state->client_connp.version != TLS_VERSION_10) { - printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", - TLS_VERSION_10, ssl_state->client_connp.version); - result = 0; - goto end; - } - - AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *) - ssn.alparser; - AppLayerParserState *parser_state = &parser_state_store->to_server; - - if ((parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) || - (ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) || - (ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) { - printf("The flags should not be set\n"); - result = 0; - goto end; - } - - tlsbuf[0] = 0x14; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x17; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) && - !(ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) && - !(ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) { - printf("The flags should be set\n"); - result = 0; - goto end; - } - - if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) { - printf("The flags should be set\n"); - result = 0; - goto end; - } - -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - return result; -} -#endif - -/** \test multimsg test */ -static int SSLParserMultimsgTest01(void) -{ - Flow f; - /* 3 msgs */ - uint8_t tlsbuf1[] = { - 0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00, - 0x82, 0x00, 0x80, 
0xd3, 0x6f, 0x1f, 0x63, 0x82, - 0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d, - 0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b, - 0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0, - 0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2, - 0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2, - 0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33, - 0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2, - 0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a, - 0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e, - 0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73, - 0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde, - 0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa, - 0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9, - 0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97, - 0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66, - 0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01, - 0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc, - 0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb, - 0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01, - 0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e, - 0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d, - 0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45, - 0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c - }; - uint32_t tlslen1 = sizeof(tlsbuf1); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, tlsbuf1, tlslen1); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** \test multimsg test server */ -static int SSLParserMultimsgTest02(void) -{ - Flow 
f; - /* 3 msgs */ - uint8_t tlsbuf1[] = { - 0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00, - 0x82, 0x00, 0x80, 0xd3, 0x6f, 0x1f, 0x63, 0x82, - 0x8d, 0x75, 0x77, 0x8c, 0x91, 0xbc, 0xa1, 0x3d, - 0xbb, 0xe1, 0xb5, 0xd3, 0x31, 0x92, 0x59, 0x2b, - 0x2c, 0x43, 0x96, 0xa3, 0xaa, 0x23, 0x92, 0xd0, - 0x91, 0x2a, 0x5e, 0x10, 0x5b, 0xc8, 0xc1, 0xe2, - 0xd3, 0x5c, 0x8b, 0x8c, 0x91, 0x9e, 0xc2, 0xf2, - 0x9c, 0x3c, 0x4f, 0x37, 0x1e, 0x20, 0x5e, 0x33, - 0xd5, 0xf0, 0xd6, 0xaf, 0x89, 0xf5, 0xcc, 0xb2, - 0xcf, 0xc1, 0x60, 0x3a, 0x46, 0xd5, 0x4e, 0x2a, - 0xb6, 0x6a, 0xb9, 0xfc, 0x32, 0x8b, 0xe0, 0x6e, - 0xa0, 0xed, 0x25, 0xa0, 0xa4, 0x82, 0x81, 0x73, - 0x90, 0xbf, 0xb5, 0xde, 0xeb, 0x51, 0x8d, 0xde, - 0x5b, 0x6f, 0x94, 0xee, 0xba, 0xe5, 0x69, 0xfa, - 0x1a, 0x80, 0x30, 0x54, 0xeb, 0x12, 0x01, 0xb9, - 0xfe, 0xbf, 0x82, 0x95, 0x01, 0x7b, 0xb0, 0x97, - 0x14, 0xc2, 0x06, 0x3c, 0x69, 0xfb, 0x1c, 0x66, - 0x47, 0x17, 0xd9, 0x14, 0x03, 0x01, 0x00, 0x01, - 0x01, 0x16, 0x03, 0x01, 0x00, 0x30, 0xf6, 0xbc, - 0x0d, 0x6f, 0xe8, 0xbb, 0xaa, 0xbf, 0x14, 0xeb, - 0x7b, 0xcc, 0x6c, 0x28, 0xb0, 0xfc, 0xa6, 0x01, - 0x2a, 0x97, 0x96, 0x17, 0x5e, 0xe8, 0xb4, 0x4e, - 0x78, 0xc9, 0x04, 0x65, 0x53, 0xb6, 0x93, 0x3d, - 0xeb, 0x44, 0xee, 0x86, 0xf9, 0x80, 0x49, 0x45, - 0x21, 0x34, 0xd1, 0xee, 0xc8, 0x9c - }; - uint32_t tlslen1 = sizeof(tlsbuf1); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOCLIENT, tlsbuf1, tlslen1); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->server_connp.content_type != 0x16); - - FAIL_IF(ssl_state->server_connp.version != 0x0301); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); 
- - PASS; -} - -/** - * \test Test the detection of SSLv3 protocol from the given packet - */ -static int SSLParserTest07(void) -{ - Flow f; - uint8_t tlsbuf[] = { 0x16, 0x03, 0x00, 0x00, 0x4c, 0x01, - 0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f, - 0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb, - 0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f, - 0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93, - 0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06, - 0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00, - 0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, - 0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65, - 0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68, - 0x2e, 0x6e, 0x6f }; - uint32_t tlslen = sizeof(tlsbuf); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, tlsbuf, tlslen); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -#if 0 -/** \test Test the setting up of no reassembly and no payload inspection flag - * after detection of the SSLv3 handshake completion */ -static int SSLParserTest08(void) -{ - int result = 1; - Flow f; - uint8_t tlsbuf[] = { 0x16, 0x03, 0x00, 0x00, 0x01 }; - uint32_t tlslen = sizeof(tlsbuf); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r 
= AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x14; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x14; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - tlsbuf[0] = 0x17; - - r = AppLayerParserParse(alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, tlsbuf, tlslen); - if (r != 0) { - printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); - result = 0; - goto end; - } - - SSLState *ssl_state = f.alstate; - if (ssl_state == NULL) { - printf("no tls state: "); - result = 0; - goto end; - } - - if (ssl_state->client_connp.content_type != 0x17) { - printf("expected content_type %" PRIu8 ", got %" PRIu8 ": ", 0x17, - ssl_state->client_connp.content_type); - result = 0; - goto end; - } - - if (ssl_state->client_connp.version != SSL_VERSION_3) { - printf("expected version %04" PRIu16 ", got %04" PRIu16 ": ", - SSL_VERSION_3, ssl_state->client_connp.version); - result = 0; - goto end; - } - - AppLayerParserStateStore *parser_state_store = (AppLayerParserStateStore *) - ssn.alparser; - AppLayerParserState *parser_state = &parser_state_store->to_server; - - if (!(parser_state->flags & APP_LAYER_PARSER_NO_INSPECTION) && - !(ssn.client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) && - !(ssn.server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) { - printf("The flags should be set\n"); - 
result = 0; - goto end; - } - - if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION)) { - printf("The flags should be set\n"); - result = 0; - goto end; - } - -end: - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - return result; -} - -#endif - -/** - * \test Tests the parser for handling fragmented records. - */ -static int SSLParserTest09(void) -{ - Flow f; - uint8_t buf1[] = { - 0x16, - }; - uint32_t buf1_len = sizeof(buf1); - - uint8_t buf2[] = { - 0x03, 0x00, 0x00, 0x4c, 0x01, - 0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f, - 0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb, - 0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f, - 0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93, - 0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06, - 0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00, - 0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, - 0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65, - 0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68, - 0x2e, 0x6e, 0x6f - }; - uint32_t buf2_len = sizeof(buf2); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf2, buf2_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. 
- */
-static int SSLParserTest10(void)
-{
- Flow f;
- uint8_t buf1[] = {
- 0x16, 0x03,
- };
- uint32_t buf1_len = sizeof(buf1);
-
- uint8_t buf2[] = {
- 0x00, 0x00, 0x4c, 0x01,
- 0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f,
- 0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb,
- 0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
- 0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
- 0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
- 0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
- 0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
- 0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
- 0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
- 0x2e, 0x6e, 0x6f
- };
- uint32_t buf2_len = sizeof(buf2);
- TcpSession ssn;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.alproto = ALPROTO_TLS;
-
- StreamTcpInitConfig(true);
-
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
- STREAM_TOSERVER, buf1, buf1_len);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- buf2, buf2_len);
- FAIL_IF(r != 0);
-
- SSLState *ssl_state = f.alstate;
- FAIL_IF_NULL(ssl_state);
-
- FAIL_IF(ssl_state->client_connp.content_type != 0x16);
-
- FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
-
- AppLayerParserThreadCtxFree(alp_tctx);
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
-
- PASS;
-}
-
-/**
- * \test Tests the parser for handling fragmented records.
- */
-static int SSLParserTest11(void)
-{
- Flow f;
- uint8_t buf1[] = {
- 0x16, 0x03, 0x00, 0x00, 0x4c, 0x01,
- };
- uint32_t buf1_len = sizeof(buf1);
-
- uint8_t buf2[] = {
- 0x00, 0x00, 0x48, 0x03, 0x00, 0x57, 0x04, 0x9f,
- 0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb,
- 0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f,
- 0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93,
- 0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06,
- 0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00,
- 0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13,
- 0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65,
- 0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68,
- 0x2e, 0x6e, 0x6f
- };
- uint32_t buf2_len = sizeof(buf2);
- TcpSession ssn;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.alproto = ALPROTO_TLS;
-
- StreamTcpInitConfig(true);
-
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
- STREAM_TOSERVER, buf1, buf1_len);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- buf2, buf2_len);
- FAIL_IF(r != 0);
-
- SSLState *ssl_state = f.alstate;
- FAIL_IF_NULL(ssl_state);
-
- FAIL_IF(ssl_state->client_connp.content_type != 0x16);
-
- FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3);
-
- AppLayerParserThreadCtxFree(alp_tctx);
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
-
- PASS;
-}
-
-/**
- * \test Tests the parser for handling fragmented records.
- */ -static int SSLParserTest12(void) -{ - Flow f; - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x4c, 0x01, - }; - uint32_t buf1_len = sizeof(buf1); - - uint8_t buf2[] = { - 0x00, 0x00, 0x48, - }; - uint32_t buf2_len = sizeof(buf2); - - uint8_t buf3[] = { - 0x03, 0x00, 0x57, 0x04, 0x9f, - 0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, 0xbf, 0xbb, - 0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f, - 0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93, - 0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06, - 0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00, - 0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, - 0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65, - 0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68, - 0x2e, 0x6e, 0x6f - }; - uint32_t buf3_len = sizeof(buf2); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf2, buf2_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf3, buf3_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. 
- */ -static int SSLParserTest13(void) -{ - Flow f; - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x4c, 0x01, - }; - uint32_t buf1_len = sizeof(buf1); - - uint8_t buf2[] = { - 0x00, 0x00, 0x48, - }; - uint32_t buf2_len = sizeof(buf2); - - uint8_t buf3[] = { - 0x03, 0x00, 0x57, 0x04, 0x9f, - 0x8c, 0x66, 0x61, 0xf6, 0x3d, 0x4f, - }; - uint32_t buf3_len = sizeof(buf3); - - uint8_t buf4[] = { - 0xbf, 0xbb, - 0xa7, 0x47, 0x21, 0x76, 0x6c, 0x21, 0x08, 0x9f, - 0xef, 0x3d, 0x0e, 0x5f, 0x65, 0x1a, 0xe1, 0x93, - 0xb8, 0xaf, 0xd2, 0x82, 0xbd, 0x00, 0x00, 0x06, - 0x00, 0x0a, 0x00, 0x16, 0x00, 0xff, 0x01, 0x00, - 0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, - 0x00, 0x00, 0x10, 0x61, 0x62, 0x63, 0x64, 0x65, - 0x66, 0x67, 0x68, 0x2e, 0x65, 0x66, 0x67, 0x68, - 0x2e, 0x6e, 0x6f - }; - uint32_t buf4_len = sizeof(buf4); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf2, buf2_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf3, buf3_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf4, buf4_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. 
- */ -static int SSLParserTest14(void) -{ - Flow f; - - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x00, - }; - uint32_t buf1_len = sizeof(buf1); - - uint8_t buf2[] = { - 0x16, 0x03, 0x00, 0x00, 0x00, - }; - uint32_t buf2_len = sizeof(buf2); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf2, buf2_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. - */ -static int SSLParserTest15(void) -{ - Flow f; - - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x01, 0x01, - }; - uint32_t buf1_len = sizeof(buf1); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r == 0); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. 
- */ -static int SSLParserTest16(void) -{ - Flow f; - - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x02, 0x01, 0x00 - }; - uint32_t buf1_len = sizeof(buf1); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r == 0); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. - */ -static int SSLParserTest17(void) -{ - Flow f; - - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00 - }; - uint32_t buf1_len = sizeof(buf1); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r == 0); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. 
- */ -static int SSLParserTest18(void) -{ - Flow f; - - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, - 0x6b, - }; - uint32_t buf1_len = sizeof(buf1); - - uint8_t buf2[] = { - 0x16, 0x03, 0x00, 0x00, 0x00, - }; - uint32_t buf2_len = sizeof(buf2); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf2, buf2_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. - */ -static int SSLParserTest19(void) -{ - Flow f; - - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, - 0x6b, 0x16, 0x03, 0x00, 0x00, 0x00, - }; - uint32_t buf1_len = sizeof(buf1); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. 
- */ -static int SSLParserTest20(void) -{ - Flow f; - - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00, - 0x16, 0x03, 0x00, 0x00, 0x00, - }; - uint32_t buf1_len = sizeof(buf1); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r == 0); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test SSLv2 Record parsing. - */ -static int SSLParserTest21(void) -{ - Flow f; - uint8_t buf[] = { - 0x80, 0x31, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x01, - }; - uint32_t buf_len = sizeof(buf); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER | STREAM_EOF, buf, buf_len); - FAIL_IF(r != 0); - - SSLState *app_state = f.alstate; - FAIL_IF_NULL(app_state); - - FAIL_IF(app_state->client_connp.content_type != SSLV2_MT_CLIENT_HELLO); - - FAIL_IF(app_state->client_connp.version != SSL_VERSION_2); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test SSLv2 Record parsing. 
- */ -static int SSLParserTest22(void) -{ - Flow f; - uint8_t buf[] = { - 0x80, 0x31, 0x04, 0x00, 0x01, 0x00, - 0x02, 0x00, 0x00, 0x00, 0x10, 0x07, 0x00, 0xc0, - 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, - 0x80, 0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, - 0x00, 0x80, 0x02, 0x00, 0x80, 0x76, 0x64, 0x75, - 0x2d, 0xa7, 0x98, 0xfe, 0xc9, 0x12, 0x92, 0xc1, - 0x2f, 0x34, 0x84, 0x20, 0xc5}; - uint32_t buf_len = sizeof(buf); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - //AppLayerDetectProtoThreadInit(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOCLIENT | STREAM_EOF, buf, buf_len); - FAIL_IF(r != 0); - - SSLState *app_state = f.alstate; - FAIL_IF_NULL(app_state); - - FAIL_IF(app_state->server_connp.content_type != SSLV2_MT_SERVER_HELLO); - - FAIL_IF(app_state->server_connp.version != SSL_VERSION_2); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test SSLv2 Record parsing. 
- */ -static int SSLParserTest23(void) -{ - Flow f; - uint8_t chello_buf[] = { - 0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00, - 0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00, - 0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02, - 0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39, - 0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00, - 0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16, - 0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00, - 0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00, - 0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64, - 0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00, - 0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a, - 0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80, - 0x21 - }; - uint32_t chello_buf_len = sizeof(chello_buf); - - uint8_t shello_buf[] = { - 0x16, 0x03, 0x00, 0x00, 0x4a, 0x02, - 0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94, - 0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88, - 0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6, - 0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd, - 0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb, - 0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe, - 0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6, - 0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e, - 0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35, - 0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00, - 0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a, - 0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, - 0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31, - 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08, - 0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, - 0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, - 0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54, - 0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 
0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e, - 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c, - 0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c, - 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53, - 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, - 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73, - 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e, - 0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30, - 0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34, - 0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38, - 0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37, - 0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e, - 0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65, - 0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61, - 0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31, - 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, - 0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, - 0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64, - 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61, - 0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e, - 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, - 0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77, - 0x40, 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, - 0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 
0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, - 0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde, - 0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6, - 0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba, - 0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73, - 0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4, - 0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f, - 0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45, - 0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12, - 0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c, - 0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b, - 0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7, - 0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd, - 0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e, - 0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53, - 0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90, - 0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89, - 0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55, - 0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10, - 0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b, - 0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d, - 0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, - 0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16, - 0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c, - 0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, - 0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f, - 0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, - 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, - 0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75, - 0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e, - 0x1c, 0x05, 0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d, - 0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23, - 0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 
0xb9, - 0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5, - 0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b, - 0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f, - 0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14, - 0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23, - 0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2, - 0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34, - 0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53, - 0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad, - 0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2, - 0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e, - 0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e, - 0x00, 0x00, 0x00 - }; - uint32_t shello_buf_len = sizeof(shello_buf); - - uint8_t client_change_cipher_spec_buf[] = { - 0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00, - 0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38, - 0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61, - 0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a, - 0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e, - 0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f, - 0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80, - 0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a, - 0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80, - 0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59, - 0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76, - 0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84, - 0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7, - 0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7, - 0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2, - 0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7, - 0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb, - 0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, - 0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35, - 0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a, - 0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81, - 0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90, - 0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 0xd1, - 0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76, - 0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79, - 0x67, 0x1e, 0x37, 
0xf6, 0x98, 0xbe, 0x59, 0x18, - 0x4c, 0xfc, 0x75, 0x56 - }; - uint32_t client_change_cipher_spec_buf_len = - sizeof(client_change_cipher_spec_buf); - - uint8_t server_change_cipher_spec_buf[] = { - 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03, - 0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59, - 0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a, - 0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86, - 0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7, - 0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3, - 0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89, - 0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27, - 0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2, - 0x4d, 0x9f, 0x6b - }; - uint32_t server_change_cipher_spec_buf_len = - sizeof(server_change_cipher_spec_buf); - - uint8_t toserver_app_data_buf[] = { - 0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e, - 0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c, - 0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10, - 0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb, - 0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa, - 0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5, - 0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e, - 0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20, - 0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7, - 0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f, - 0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78, - 0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c, - 0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f, - 0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0, - 0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0, - 0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0, - 0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc, - 0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1, - 0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67, - 0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f, - 0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10, - 0x39, 0xa6, 0xcf, 0x15, 0xc7, 0xf5, 0x35, 0xd4, - 0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0, - 0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68, - 
0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f, - 0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4, - 0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10, - 0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f, - 0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60, - 0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8, - 0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8, - 0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09, - 0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a, - 0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd, - 0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7, - 0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a, - 0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63, - 0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b, - 0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1, - 0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60, - 0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87, - 0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7, - 0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed, - 0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc, - 0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43, - 0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58, - 0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d, - 0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39, - 0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99, - 0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92, - 0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40, - 0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef, - 0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2, - 0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6, - 0x8a, 0xa2, 0x9e, 0xcd, 0xfa - }; - uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - //AppLayerDetectProtoThreadInit(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - 
STREAM_TOSERVER | STREAM_START, chello_buf, - chello_buf_len); - FAIL_IF(r != 0); - - SSLState *app_state = f.alstate; - FAIL_IF_NULL(app_state); - - FAIL_IF(app_state->client_connp.content_type != SSLV2_MT_CLIENT_HELLO); - - FAIL_IF(app_state->client_connp.version != SSL_VERSION_2); - - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - shello_buf, shello_buf_len); - FAIL_IF(r != 0); - - FAIL_IF(app_state->server_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL); - - FAIL_IF(app_state->server_connp.version != SSL_VERSION_3); - - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - client_change_cipher_spec_buf, - client_change_cipher_spec_buf_len); - FAIL_IF(r != 0); - - /* with multiple records the client content type hold the type from the last - * record */ - FAIL_IF(app_state->client_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL); - - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_KEYX) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) == 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - server_change_cipher_spec_buf, - 
server_change_cipher_spec_buf_len); - FAIL_IF(r != 0); - - /* with multiple records the serve content type hold the type from the last - * record */ - FAIL_IF(app_state->server_connp.content_type != SSLV3_HANDSHAKE_PROTOCOL); - - FAIL_IF(app_state->server_connp.version != SSL_VERSION_3); - - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_KEYX) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) == 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - toserver_app_data_buf, toserver_app_data_buf_len); - FAIL_IF(r != 0); - - FAIL_IF(app_state->client_connp.content_type != SSLV3_APPLICATION_PROTOCOL); - - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_CLIENT_HS) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SSL_NO_SESSION_ID) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_STATE_CLIENT_KEYX) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC) == 0); - FAIL_IF((app_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) == 0); - - FAIL_IF_NOT(f.flags & FLOW_NOPAYLOAD_INSPECTION); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Tests the parser for handling fragmented records. 
- */ -static int SSLParserTest24(void) -{ - Flow f; - uint8_t buf1[] = { - 0x16, 0x03, 0x00, 0x00, 0x6f, 0x01, 0x00, 0x00, - 0x6b, 0x03, - }; - uint32_t buf1_len = sizeof(buf1); - - uint8_t buf2[] = { - 0x00, 0x4b, 0x2f, 0xdc, - 0x4e, 0xe6, 0x95, 0xf1, 0xa0, 0xc7, 0xcf, 0x8e, - 0xf6, 0xeb, 0x22, 0x6d, 0xce, 0x9c, 0x44, 0xfb, - 0xc8, 0xa0, 0x44, 0x31, 0x15, 0x4c, 0xe9, 0x97, - 0xa7, 0xa1, 0xfe, 0xea, 0xcc, 0x20, 0x4b, 0x5d, - 0xfb, 0xa5, 0x63, 0x7a, 0x73, 0x95, 0xf7, 0xff, - 0x42, 0xac, 0x8f, 0x46, 0xed, 0xe4, 0xb1, 0x35, - 0x35, 0x78, 0x1a, 0x9d, 0xaf, 0x10, 0xc5, 0x52, - 0xf3, 0x7b, 0xfb, 0xb5, 0xe9, 0xa8, 0x00, 0x24, - 0x00, 0x88, 0x00, 0x87, 0x00, 0x39, 0x00, 0x38, - 0x00, 0x84, 0x00, 0x35, 0x00, 0x45, 0x00, 0x44, - 0x00, 0x33, 0x00, 0x32, 0x00, 0x96, 0x00, 0x41, - 0x00, 0x2f, 0x00, 0x16, 0x00, 0x13, 0xfe, 0xff, - 0x00, 0x0a, 0x00, 0x02, 0x01, 0x00 - }; - uint32_t buf2_len = sizeof(buf2); - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf1, buf1_len); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - buf2, buf2_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != SSL_VERSION_3); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -/** - * \test Test for bug #955 and CVE-2013-5919. The data is from the - * pcap that was used to report this issue. 
- */ -static int SSLParserTest25(void) -{ - Flow f; - uint8_t client_hello[] = { - 0x16, 0x03, 0x01, 0x00, 0xd3, 0x01, 0x00, 0x00, - 0xcf, 0x03, 0x01, 0x51, 0x60, 0xc2, 0x15, 0x36, - 0x73, 0xf5, 0xb8, 0x58, 0x55, 0x3b, 0x68, 0x12, - 0x7d, 0xe3, 0x28, 0xa3, 0xe1, 0x02, 0x79, 0x2d, - 0x12, 0xe1, 0xf4, 0x24, 0x12, 0xa2, 0x9e, 0xf1, - 0x08, 0x49, 0x68, 0x20, 0x0e, 0x96, 0x46, 0x3d, - 0x84, 0x5a, 0xc6, 0x55, 0xeb, 0x3b, 0x53, 0x77, - 0xf4, 0x8e, 0xf4, 0xd2, 0x8b, 0xec, 0xd6, 0x99, - 0x63, 0x64, 0x62, 0xf8, 0x3f, 0x3b, 0xd5, 0x35, - 0x45, 0x1b, 0x16, 0xac, 0x00, 0x46, 0x00, 0x04, - 0x00, 0x05, 0x00, 0x2f, 0x00, 0x35, 0xc0, 0x02, - 0xc0, 0x04, 0xc0, 0x05, 0xc0, 0x0c, 0xc0, 0x0e, - 0xc0, 0x0f, 0xc0, 0x07, 0xc0, 0x09, 0xc0, 0x0a, - 0xc0, 0x11, 0xc0, 0x13, 0xc0, 0x14, 0x00, 0x33, - 0x00, 0x39, 0x00, 0x32, 0x00, 0x38, 0x00, 0x0a, - 0xc0, 0x03, 0xc0, 0x0d, 0xc0, 0x08, 0xc0, 0x12, - 0x00, 0x16, 0x00, 0x13, 0x00, 0x09, 0x00, 0x15, - 0x00, 0x12, 0x00, 0x03, 0x00, 0x08, 0x00, 0x14, - 0x00, 0x11, 0x00, 0xff, 0x01, 0x00, 0x00, 0x40, - 0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, 0x01, 0x02, - 0x00, 0x0a, 0x00, 0x34, 0x00, 0x32, 0x00, 0x0e, - 0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b, 0x00, 0x0c, - 0x00, 0x18, 0x00, 0x09, 0x00, 0x0a, 0x00, 0x16, - 0x00, 0x17, 0x00, 0x08, 0x00, 0x06, 0x00, 0x07, - 0x00, 0x14, 0x00, 0x15, 0x00, 0x04, 0x00, 0x05, - 0x00, 0x12, 0x00, 0x13, 0x00, 0x01, 0x00, 0x02, - 0x00, 0x03, 0x00, 0x0f, 0x00, 0x10, 0x00, 0x11 - }; - uint32_t client_hello_len = sizeof(client_hello); - - uint8_t server_hello_certificate_done[] = { - 0x16, 0x03, 0x01, 0x00, 0x51, 0x02, 0x00, 0x00, - 0x4d, 0x03, 0x01, 0x51, 0x60, 0xc2, 0x17, 0xb7, - 0x81, 0xaa, 0x27, 0xa1, 0xd5, 0xfa, 0x14, 0xc1, - 0xe0, 0x05, 0xab, 0x75, 0xf2, 0x51, 0xe7, 0x6e, - 0xe6, 0xf9, 0xc4, 0x8f, 0x16, 0x08, 0x26, 0x6c, - 0x1b, 0x86, 0x90, 0x20, 0x0a, 0x38, 0x90, 0x2d, - 0x17, 0x7d, 0xb7, 0x6b, 0x6b, 0xe5, 0xeb, 0x61, - 0x90, 0x35, 0xf8, 0xcd, 0xb1, 0x2a, 0x69, 0x6e, - 0x0e, 0x3e, 0x5f, 0x90, 0xdc, 0x2f, 0x51, 0x45, - 0x68, 0x63, 
0xe3, 0xb3, 0x00, 0x05, 0x00, 0x00, - 0x05, 0xff, 0x01, 0x00, 0x01, 0x00, 0x16, 0x03, - 0x01, 0x07, 0x60, 0x0b, 0x00, 0x07, 0x5c, 0x00, - 0x07, 0x59, 0x00, 0x03, 0xcc, 0x30, 0x82, 0x03, - 0xc8, 0x30, 0x82, 0x03, 0x31, 0xa0, 0x03, 0x02, - 0x01, 0x02, 0x02, 0x10, 0x01, 0x7f, 0x77, 0xde, - 0xb3, 0xbc, 0xbb, 0x23, 0x5d, 0x44, 0xcc, 0xc7, - 0xdb, 0xa6, 0x2e, 0x72, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x05, 0x05, 0x00, 0x30, 0x81, 0xba, 0x31, 0x1f, - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, - 0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, - 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, - 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, - 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x2a, 0x56, 0x65, 0x72, 0x69, 0x53, - 0x69, 0x67, 0x6e, 0x20, 0x49, 0x6e, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, - 0x6c, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c, - 0x61, 0x73, 0x73, 0x20, 0x33, 0x31, 0x49, 0x30, - 0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40, - 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x43, 0x50, 0x53, 0x20, 0x49, 0x6e, 0x63, - 0x6f, 0x72, 0x70, 0x2e, 0x62, 0x79, 0x20, 0x52, - 0x65, 0x66, 0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42, - 0x49, 0x4c, 0x49, 0x54, 0x59, 0x20, 0x4c, 0x54, - 0x44, 0x2e, 0x28, 0x63, 0x29, 0x39, 0x37, 0x20, - 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, - 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x32, 0x30, 0x36, - 0x32, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, - 0x5a, 0x17, 0x0d, 0x31, 0x33, 0x31, 0x32, 0x33, - 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, - 0x30, 0x68, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, - 0x13, 0x0a, 
0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, - 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x50, - 0x61, 0x6c, 0x6f, 0x20, 0x41, 0x6c, 0x74, 0x6f, - 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, - 0x0a, 0x13, 0x0e, 0x46, 0x61, 0x63, 0x65, 0x62, - 0x6f, 0x6f, 0x6b, 0x2c, 0x20, 0x49, 0x6e, 0x63, - 0x2e, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, - 0x04, 0x02, 0x14, 0x0e, 0x2a, 0x2e, 0x66, 0x61, - 0x63, 0x65, 0x62, 0x6f, 0x6f, 0x6b, 0x2e, 0x63, - 0x6f, 0x6d, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, - 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xae, - 0x94, 0xb1, 0x71, 0xe2, 0xde, 0xcc, 0xc1, 0x69, - 0x3e, 0x05, 0x10, 0x63, 0x24, 0x01, 0x02, 0xe0, - 0x68, 0x9a, 0xe8, 0x3c, 0x39, 0xb6, 0xb3, 0xe7, - 0x4b, 0x97, 0xd4, 0x8d, 0x7b, 0x23, 0x68, 0x91, - 0x00, 0xb0, 0xb4, 0x96, 0xee, 0x62, 0xf0, 0xe6, - 0xd3, 0x56, 0xbc, 0xf4, 0xaa, 0x0f, 0x50, 0x64, - 0x34, 0x02, 0xf5, 0xd1, 0x76, 0x6a, 0xa9, 0x72, - 0x83, 0x5a, 0x75, 0x64, 0x72, 0x3f, 0x39, 0xbb, - 0xef, 0x52, 0x90, 0xde, 0xd9, 0xbc, 0xdb, 0xf9, - 0xd3, 0xd5, 0x5d, 0xfa, 0xd2, 0x3a, 0xa0, 0x3d, - 0xc6, 0x04, 0xc5, 0x4d, 0x29, 0xcf, 0x1d, 0x4b, - 0x3b, 0xdb, 0xd1, 0xa8, 0x09, 0xcf, 0xae, 0x47, - 0xb4, 0x4c, 0x7e, 0xae, 0x17, 0xc5, 0x10, 0x9b, - 0xee, 0x24, 0xa9, 0xcf, 0x4a, 0x8d, 0x91, 0x1b, - 0xb0, 0xfd, 0x04, 0x15, 0xae, 0x4c, 0x3f, 0x43, - 0x0a, 0xa1, 0x2a, 0x55, 0x7e, 0x2a, 0xe1, 0x02, - 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x1e, - 0x30, 0x82, 0x01, 0x1a, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x44, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x3d, - 0x30, 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86, - 0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x17, - 0x03, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x00, 0x01, 0x16, - 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, - 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, - 0x69, 0x73, 
0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x72, 0x70, 0x61, 0x30, 0x3c, 0x06, - 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x35, 0x30, 0x33, - 0x30, 0x31, 0xa0, 0x2f, 0xa0, 0x2d, 0x86, 0x2b, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x53, - 0x56, 0x52, 0x49, 0x6e, 0x74, 0x6c, 0x2d, 0x63, - 0x72, 0x6c, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, - 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x53, 0x56, 0x52, 0x49, 0x6e, 0x74, 0x6c, 0x2e, - 0x63, 0x72, 0x6c, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x03, 0x02, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, - 0x34, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, - 0x07, 0x01, 0x01, 0x04, 0x28, 0x30, 0x26, 0x30, - 0x24, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, - 0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74, - 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, - 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, - 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x27, 0x06, - 0x03, 0x55, 0x1d, 0x11, 0x04, 0x20, 0x30, 0x1e, - 0x82, 0x0e, 0x2a, 0x2e, 0x66, 0x61, 0x63, 0x65, - 0x62, 0x6f, 0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, - 0x82, 0x0c, 0x66, 0x61, 0x63, 0x65, 0x62, 0x6f, - 0x6f, 0x6b, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, - 0x00, 0x5b, 0x6c, 0x2b, 0x75, 0xf8, 0xed, 0x30, - 0xaa, 0x51, 0xaa, 0xd3, 0x6a, 0xba, 0x59, 0x5e, - 0x55, 0x51, 0x41, 0x95, 0x1f, 0x81, 0xa5, 0x3b, - 0x44, 0x79, 0x10, 0xac, 0x1f, 0x76, 0xff, 0x78, - 0xfc, 0x27, 0x81, 0x61, 0x6b, 0x58, 0xf3, 0x12, - 0x2a, 0xfc, 0x1c, 0x87, 0x01, 0x04, 0x25, 0xe9, - 0xed, 0x43, 0xdf, 0x1a, 0x7b, 0xa6, 0x49, 0x80, - 0x60, 0x67, 0xe2, 0x68, 0x8a, 0xf0, 0x3d, 0xb5, - 0x8c, 0x7d, 0xf4, 0xee, 0x03, 0x30, 0x9a, 0x6a, - 0xfc, 0x24, 0x7c, 0xcb, 0x13, 0x4d, 0xc3, 0x3e, - 0x54, 0xc6, 0xbc, 0x1d, 0x51, 0x33, 0xa5, 0x32, - 0xa7, 0x32, 
0x73, 0xb1, 0xd7, 0x9c, 0xad, 0xc0, - 0x8e, 0x7e, 0x1a, 0x83, 0x11, 0x6d, 0x34, 0x52, - 0x33, 0x40, 0xb0, 0x30, 0x54, 0x27, 0xa2, 0x17, - 0x42, 0x82, 0x7c, 0x98, 0x91, 0x66, 0x98, 0xee, - 0x7e, 0xaf, 0x8c, 0x3b, 0xdd, 0x71, 0x70, 0x08, - 0x17, 0x00, 0x03, 0x87, 0x30, 0x82, 0x03, 0x83, - 0x30, 0x82, 0x02, 0xec, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x10, 0x46, 0xfc, 0xeb, 0xba, 0xb4, - 0xd0, 0x2f, 0x0f, 0x92, 0x60, 0x98, 0x23, 0x3f, - 0x93, 0x07, 0x8f, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, - 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, - 0x73, 0x73, 0x20, 0x33, 0x20, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, - 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x64, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x39, - 0x37, 0x30, 0x34, 0x31, 0x37, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x36, - 0x31, 0x30, 0x32, 0x34, 0x32, 0x33, 0x35, 0x39, - 0x35, 0x39, 0x5a, 0x30, 0x81, 0xba, 0x31, 0x1f, - 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, - 0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, - 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, - 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, - 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x2a, 0x56, 0x65, 0x72, 0x69, 0x53, - 0x69, 0x67, 0x6e, 0x20, 0x49, 0x6e, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, - 0x6c, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x20, 0x43, 
0x41, 0x20, 0x2d, 0x20, 0x43, 0x6c, - 0x61, 0x73, 0x73, 0x20, 0x33, 0x31, 0x49, 0x30, - 0x47, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x40, - 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x73, 0x69, - 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, - 0x50, 0x53, 0x20, 0x49, 0x6e, 0x63, 0x6f, 0x72, - 0x70, 0x2e, 0x62, 0x79, 0x20, 0x52, 0x65, 0x66, - 0x2e, 0x20, 0x4c, 0x49, 0x41, 0x42, 0x49, 0x4c, - 0x49, 0x54, 0x59, 0x20, 0x4c, 0x54, 0x44, 0x2e, - 0x28, 0x63, 0x29, 0x39, 0x37, 0x20, 0x56, 0x65, - 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x30, 0x81, - 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, - 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, - 0x81, 0x81, 0x00, 0xd8, 0x82, 0x80, 0xe8, 0xd6, - 0x19, 0x02, 0x7d, 0x1f, 0x85, 0x18, 0x39, 0x25, - 0xa2, 0x65, 0x2b, 0xe1, 0xbf, 0xd4, 0x05, 0xd3, - 0xbc, 0xe6, 0x36, 0x3b, 0xaa, 0xf0, 0x4c, 0x6c, - 0x5b, 0xb6, 0xe7, 0xaa, 0x3c, 0x73, 0x45, 0x55, - 0xb2, 0xf1, 0xbd, 0xea, 0x97, 0x42, 0xed, 0x9a, - 0x34, 0x0a, 0x15, 0xd4, 0xa9, 0x5c, 0xf5, 0x40, - 0x25, 0xdd, 0xd9, 0x07, 0xc1, 0x32, 0xb2, 0x75, - 0x6c, 0xc4, 0xca, 0xbb, 0xa3, 0xfe, 0x56, 0x27, - 0x71, 0x43, 0xaa, 0x63, 0xf5, 0x30, 0x3e, 0x93, - 0x28, 0xe5, 0xfa, 0xf1, 0x09, 0x3b, 0xf3, 0xb7, - 0x4d, 0x4e, 0x39, 0xf7, 0x5c, 0x49, 0x5a, 0xb8, - 0xc1, 0x1d, 0xd3, 0xb2, 0x8a, 0xfe, 0x70, 0x30, - 0x95, 0x42, 0xcb, 0xfe, 0x2b, 0x51, 0x8b, 0x5a, - 0x3c, 0x3a, 0xf9, 0x22, 0x4f, 0x90, 0xb2, 0x02, - 0xa7, 0x53, 0x9c, 0x4f, 0x34, 0xe7, 0xab, 0x04, - 0xb2, 0x7b, 0x6f, 0x02, 0x03, 0x01, 0x00, 0x01, - 0xa3, 0x81, 0xe3, 0x30, 0x81, 0xe0, 0x30, 0x0f, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x08, 0x30, - 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, - 0x44, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x3d, - 0x30, 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86, - 0x48, 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x01, - 0x01, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, - 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 
- 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, - 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x43, 0x50, 0x53, 0x30, 0x34, 0x06, - 0x03, 0x55, 0x1d, 0x25, 0x04, 0x2d, 0x30, 0x2b, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x03, 0x02, 0x06, 0x09, 0x60, 0x86, - 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01, 0x06, - 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45, - 0x01, 0x08, 0x01, 0x30, 0x0b, 0x06, 0x03, 0x55, - 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, - 0x30, 0x11, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, - 0x86, 0xf8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, - 0x02, 0x01, 0x06, 0x30, 0x31, 0x06, 0x03, 0x55, - 0x1d, 0x1f, 0x04, 0x2a, 0x30, 0x28, 0x30, 0x26, - 0xa0, 0x24, 0xa0, 0x22, 0x86, 0x20, 0x68, 0x74, - 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, - 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, - 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x63, - 0x61, 0x33, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, - 0x00, 0x40, 0x8e, 0x49, 0x97, 0x96, 0x8a, 0x73, - 0xdd, 0x8e, 0x4d, 0xef, 0x3e, 0x61, 0xb7, 0xca, - 0xa0, 0x62, 0xad, 0xf4, 0x0e, 0x0a, 0xbb, 0x75, - 0x3d, 0xe2, 0x6e, 0xd8, 0x2c, 0xc7, 0xbf, 0xf4, - 0xb9, 0x8c, 0x36, 0x9b, 0xca, 0xa2, 0xd0, 0x9c, - 0x72, 0x46, 0x39, 0xf6, 0xa6, 0x82, 0x03, 0x65, - 0x11, 0xc4, 0xbc, 0xbf, 0x2d, 0xa6, 0xf5, 0xd9, - 0x3b, 0x0a, 0xb5, 0x98, 0xfa, 0xb3, 0x78, 0xb9, - 0x1e, 0xf2, 0x2b, 0x4c, 0x62, 0xd5, 0xfd, 0xb2, - 0x7a, 0x1d, 0xdf, 0x33, 0xfd, 0x73, 0xf9, 0xa5, - 0xd8, 0x2d, 0x8c, 0x2a, 0xea, 0xd1, 0xfc, 0xb0, - 0x28, 0xb6, 0xe9, 0x49, 0x48, 0x13, 0x4b, 0x83, - 0x8a, 0x1b, 0x48, 0x7b, 0x24, 0xf7, 0x38, 0xde, - 0x6f, 0x41, 0x54, 0xb8, 0xab, 0x57, 0x6b, 0x06, - 0xdf, 0xc7, 0xa2, 0xd4, 0xa9, 0xf6, 0xf1, 0x36, - 0x62, 0x80, 0x88, 0xf2, 0x8b, 0x75, 0xd6, 0x80, - 0x75, 0x16, 0x03, 0x01, 0x00, 0x04, 0x0e, 0x00, - 0x00, 0x00 - }; - uint32_t 
server_hello_certificate_done_len = sizeof(server_hello_certificate_done); - - uint8_t client_key_exchange_cipher_enc_hs[] = { - 0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00, - 0x80, 0x00, 0x80, 0x14, 0x2b, 0x2f, 0x9f, 0x02, - 0x1d, 0x4e, 0x0d, 0xa7, 0x41, 0x0f, 0x99, 0xc5, - 0xe9, 0x49, 0x22, 0x14, 0xa0, 0x42, 0x7b, 0xb4, - 0x6d, 0x4f, 0x82, 0x3c, 0x3a, 0x6e, 0xed, 0xd5, - 0x6e, 0x72, 0x71, 0xae, 0x00, 0x4a, 0x9a, 0xc9, - 0x0e, 0x2d, 0x08, 0xa2, 0xd3, 0x3a, 0xb0, 0xb2, - 0x1a, 0x56, 0x01, 0x7c, 0x9a, 0xfa, 0xfb, 0x1a, - 0xd7, 0x7e, 0x20, 0x68, 0x51, 0xd0, 0xfe, 0xd9, - 0xdc, 0xa7, 0x0b, 0xeb, 0x1a, 0xb6, 0xd3, 0xc7, - 0x17, 0x1f, 0xf3, 0x6e, 0x91, 0xdd, 0x06, 0x0d, - 0x48, 0xde, 0xcd, 0x0c, 0x36, 0x8c, 0x83, 0x29, - 0x9a, 0x40, 0x03, 0xcd, 0xf3, 0x1b, 0xdb, 0xd8, - 0x44, 0x6b, 0x75, 0xf3, 0x5a, 0x9f, 0x26, 0x1a, - 0xc4, 0x16, 0x35, 0x8f, 0xc1, 0x15, 0x19, 0xa9, - 0xdf, 0x07, 0xa9, 0xe5, 0x56, 0x45, 0x6d, 0xca, - 0x20, 0x3c, 0xcf, 0x8e, 0xbe, 0x44, 0x68, 0x73, - 0xc8, 0x0b, 0xc7, 0x14, 0x03, 0x01, 0x00, 0x01, - 0x01, 0x16, 0x03, 0x01, 0x00, 0x24, 0xf9, 0x7e, - 0x28, 0x77, 0xa9, 0x9a, 0x08, 0x0c, 0x2e, 0xa9, - 0x09, 0x15, 0x27, 0xcd, 0x93, 0x5f, 0xc0, 0x32, - 0x0a, 0x8d, 0x62, 0xd3, 0x54, 0x79, 0x6b, 0x51, - 0xd7, 0xba, 0x02, 0xd6, 0xdb, 0x66, 0xe8, 0x97, - 0x5d, 0x7a - }; - uint32_t client_key_exchange_cipher_enc_hs_len = sizeof(client_key_exchange_cipher_enc_hs); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, client_hello, - client_hello_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.bytes_processed != 0); - FAIL_IF(ssl_state->client_connp.hs_bytes_processed != 0); - 
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - server_hello_certificate_done, - server_hello_certificate_done_len); - FAIL_IF(r != 0); - - FAIL_IF(ssl_state->client_connp.bytes_processed != 0); - FAIL_IF(ssl_state->client_connp.hs_bytes_processed != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - client_key_exchange_cipher_enc_hs, - client_key_exchange_cipher_enc_hs_len); - FAIL_IF(r != 0); - - AppLayerParserThreadCtxFree(alp_tctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - PASS; -} - -static int SSLParserTest26(void) -{ - Flow f; - uint8_t client_hello[] = { - 0x16, 0x03, 0x01, 0x02, 0x0e, 0x01, 0x00, 0x02, - 0x0a, 0x03, 0x03, 0x58, 0x36, 0x15, 0x03, 0x8e, - 0x07, 0xf9, 0xad, 0x2a, 0xb7, 0x56, 0xbf, 0xe2, - 0xa2, 0xf8, 0x21, 0xe0, 0xbb, 0x69, 0xc2, 0xd6, - 0x76, 0xe6, 0x77, 0xfe, 0x09, 0xff, 0x8e, 0xac, - 0x80, 0xb5, 0x27, 0x20, 0xb7, 0xbb, 0x90, 0x35, - 0x7a, 0xdd, 0xd9, 0x67, 0xdf, 0x79, 0xd6, 0x16, - 0x90, 0xf6, 0xd7, 0x5c, 0xd3, 0x07, 0x19, 0x20, - 0x01, 0x39, 0x76, 0x25, 0x12, 0x32, 0x71, 0xa1, - 0x84, 0x8d, 0x2d, 0xea, 0x00, 0x88, 0xc0, 0x30, - 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, - 0xc0, 0x0a, 0x00, 0xa3, 0x00, 0x9f, 0x00, 0x6b, - 0x00, 0x6a, 0x00, 0x39, 0x00, 0x38, 0x00, 0x88, - 0x00, 0x87, 0xc0, 0x32, 0xc0, 0x2e, 0xc0, 0x2a, - 0xc0, 0x26, 0xc0, 0x0f, 0xc0, 0x05, 0x00, 0x9d, - 0x00, 0x3d, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x12, - 0xc0, 0x08, 0x00, 0x16, 0x00, 0x13, 0xc0, 0x0d, - 0xc0, 0x03, 0x00, 0x0a, 0xc0, 0x2f, 0xc0, 0x2b, - 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, - 0x00, 0xa2, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x40, - 0x00, 0x33, 0x00, 0x32, 0x00, 0x9a, 0x00, 0x99, - 0x00, 0x45, 0x00, 0x44, 0xc0, 0x31, 0xc0, 0x2d, - 0xc0, 0x29, 0xc0, 0x25, 0xc0, 0x0e, 0xc0, 0x04, - 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0x96, - 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0xc0, 0x0c, - 0xc0, 0x02, 0x00, 0x05, 0x00, 0x04, 0x00, 0x15, - 0x00, 0x12, 0x00, 0x09, 0x00, 0xff, 0x01, 0x00, - 
0x01, 0x39, 0x00, 0x00, 0x00, 0x14, 0x00, 0x12, - 0x00, 0x00, 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x79, - 0x6f, 0x75, 0x74, 0x75, 0x62, 0x65, 0x2e, 0x63, - 0x6f, 0x6d, 0x00, 0x0b, 0x00, 0x04, 0x03, 0x00, - 0x01, 0x02, 0x00, 0x0a, 0x00, 0x34, 0x00, 0x32, - 0x00, 0x0e, 0x00, 0x0d, 0x00, 0x19, 0x00, 0x0b, - 0x00, 0x0c, 0x00, 0x18, 0x00, 0x09, 0x00, 0x0a, - 0x00, 0x16, 0x00, 0x17, 0x00, 0x08, 0x00, 0x06, - 0x00, 0x07, 0x00, 0x14, 0x00, 0x15, 0x00, 0x04, - 0x00, 0x05, 0x00, 0x12, 0x00, 0x13, 0x00, 0x01, - 0x00, 0x02, 0x00, 0x03, 0x00, 0x0f, 0x00, 0x10, - 0x00, 0x11, 0x00, 0x23, 0x00, 0xb4, 0x05, 0x6c, - 0xfa, 0x27, 0x6f, 0x12, 0x2f, 0x2a, 0xe5, 0x56, - 0xcb, 0x42, 0x62, 0x44, 0xf2, 0xd7, 0xd1, 0x05, - 0x87, 0xd4, 0x52, 0x02, 0x10, 0x85, 0xa4, 0xa6, - 0x82, 0x6f, 0x6d, 0x7b, 0xaf, 0x11, 0xbe, 0x21, - 0x7e, 0x7c, 0x36, 0x03, 0x20, 0x29, 0xd8, 0xf9, - 0xe5, 0x2b, 0xe2, 0x26, 0xb2, 0x27, 0xc7, 0xb9, - 0xda, 0x59, 0xd7, 0xdc, 0xfd, 0x74, 0x74, 0x76, - 0xd0, 0x5e, 0xe4, 0xfe, 0x9d, 0xb7, 0x1b, 0x13, - 0x81, 0xce, 0x63, 0x75, 0x2b, 0x2f, 0x98, 0x3a, - 0x84, 0x46, 0xd3, 0x0c, 0xb3, 0x01, 0xdb, 0x62, - 0x51, 0x97, 0x92, 0x1c, 0xa5, 0x94, 0x60, 0xef, - 0xa6, 0xd8, 0xb2, 0x2f, 0x02, 0x42, 0x5c, 0xac, - 0xb4, 0xd9, 0x10, 0x2f, 0x7e, 0x89, 0xab, 0xa5, - 0xd7, 0x56, 0x6d, 0x03, 0xd2, 0x5f, 0x20, 0x2c, - 0xb6, 0x99, 0x2b, 0x66, 0xbd, 0xd4, 0xde, 0x53, - 0x76, 0x5c, 0x78, 0xf0, 0xe9, 0x6d, 0xa5, 0xc3, - 0x1a, 0x9e, 0x61, 0xb2, 0x45, 0xb0, 0xb3, 0x61, - 0xee, 0xa1, 0x07, 0xab, 0x2f, 0x84, 0xea, 0x43, - 0x76, 0x4b, 0x3d, 0xb0, 0xbe, 0xa4, 0xb4, 0x21, - 0xe1, 0xd3, 0xfd, 0x91, 0xe2, 0xe7, 0xf3, 0x38, - 0x9c, 0x56, 0x5f, 0xa1, 0xde, 0xa8, 0x2f, 0x0a, - 0x49, 0x6d, 0x44, 0x8e, 0xb7, 0xef, 0x4a, 0x6f, - 0x79, 0xb2, 0x00, 0x0d, 0x00, 0x20, 0x00, 0x1e, - 0x06, 0x01, 0x06, 0x02, 0x06, 0x03, 0x05, 0x01, - 0x05, 0x02, 0x05, 0x03, 0x04, 0x01, 0x04, 0x02, - 0x04, 0x03, 0x03, 0x01, 0x03, 0x02, 0x03, 0x03, - 0x02, 0x01, 0x02, 0x02, 0x02, 0x03, 0x00, 0x0f, - 0x00, 0x01, 0x01 - }; - uint32_t client_hello_len 
= sizeof(client_hello); - - uint8_t server_hello_change_cipher_spec[] = { - 0x16, 0x03, 0x03, 0x00, 0x57, 0x02, 0x00, 0x00, - 0x53, 0x03, 0x03, 0x58, 0x36, 0x15, 0x03, 0x9f, - 0x3b, 0xf3, 0x11, 0x96, 0x2b, 0xc3, 0xae, 0x91, - 0x8c, 0x5f, 0x8b, 0x3f, 0x90, 0xbd, 0xa9, 0x26, - 0x26, 0xb2, 0xfd, 0x12, 0xc5, 0xc5, 0x7b, 0xe4, - 0xd1, 0x3e, 0x81, 0x20, 0xb7, 0xbb, 0x90, 0x35, - 0x7a, 0xdd, 0xd9, 0x67, 0xdf, 0x79, 0xd6, 0x16, - 0x90, 0xf6, 0xd7, 0x5c, 0xd3, 0x07, 0x19, 0x20, - 0x01, 0x39, 0x76, 0x25, 0x12, 0x32, 0x71, 0xa1, - 0x84, 0x8d, 0x2d, 0xea, 0xc0, 0x2b, 0x00, 0x00, - 0x0b, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0b, - 0x00, 0x02, 0x01, 0x00, 0x14, 0x03, 0x03, 0x00, - 0x01, 0x01, 0x16, 0x03, 0x03, 0x00, 0x28, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, - 0x66, 0xfe, 0x07, 0x08, 0x33, 0x4d, 0xc2, 0x83, - 0x8e, 0x05, 0x8b, 0xf8, 0xd1, 0xb1, 0xa7, 0x16, - 0x4b, 0x42, 0x5c, 0x3a, 0xa4, 0x31, 0x0f, 0xba, - 0x84, 0x06, 0xcb, 0x9d, 0xc6, 0xc4, 0x66 - }; - uint32_t server_hello_change_cipher_spec_len = sizeof(server_hello_change_cipher_spec); - - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, client_hello, - client_hello_len); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF((ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) == 0); - FAIL_IF_NULL(ssl_state->client_connp.session_id); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - server_hello_change_cipher_spec, - server_hello_change_cipher_spec_len); - FAIL_IF(r != 0); - - FAIL_IF((ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC) == 0); - FAIL_IF((ssl_state->flags & SSL_AL_FLAG_SESSION_RESUMED) == 0); - - 
AppLayerParserThreadCtxFree(alp_tctx);
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
-
- PASS;
-}
-
-#endif /* UNITTESTS */
-
-void SSLParserRegisterTests(void)
-{
-#ifdef UNITTESTS
- UtRegisterTest("SSLParserTest01", SSLParserTest01);
- UtRegisterTest("SSLParserTest02", SSLParserTest02);
- UtRegisterTest("SSLParserTest03", SSLParserTest03);
- UtRegisterTest("SSLParserTest04", SSLParserTest04);
- /* Updated by Anoop Saldanha. Faulty tests. Disable it for now */
- //UtRegisterTest("SSLParserTest05", SSLParserTest05, 1);
- //UtRegisterTest("SSLParserTest06", SSLParserTest06, 1);
- UtRegisterTest("SSLParserTest07", SSLParserTest07);
- //UtRegisterTest("SSLParserTest08", SSLParserTest08, 1);
- UtRegisterTest("SSLParserTest09", SSLParserTest09);
- UtRegisterTest("SSLParserTest10", SSLParserTest10);
- UtRegisterTest("SSLParserTest11", SSLParserTest11);
- UtRegisterTest("SSLParserTest12", SSLParserTest12);
- UtRegisterTest("SSLParserTest13", SSLParserTest13);
-
- UtRegisterTest("SSLParserTest14", SSLParserTest14);
- UtRegisterTest("SSLParserTest15", SSLParserTest15);
- UtRegisterTest("SSLParserTest16", SSLParserTest16);
- UtRegisterTest("SSLParserTest17", SSLParserTest17);
- UtRegisterTest("SSLParserTest18", SSLParserTest18);
- UtRegisterTest("SSLParserTest19", SSLParserTest19);
- UtRegisterTest("SSLParserTest20", SSLParserTest20);
- UtRegisterTest("SSLParserTest21", SSLParserTest21);
- UtRegisterTest("SSLParserTest22", SSLParserTest22);
- UtRegisterTest("SSLParserTest23", SSLParserTest23);
- UtRegisterTest("SSLParserTest24", SSLParserTest24);
- UtRegisterTest("SSLParserTest25", SSLParserTest25);
- UtRegisterTest("SSLParserTest26", SSLParserTest26);
-
- UtRegisterTest("SSLParserMultimsgTest01", SSLParserMultimsgTest01);
- UtRegisterTest("SSLParserMultimsgTest02", SSLParserMultimsgTest02);
-#endif /* UNITTESTS */
-
- return;
-}
diff --git a/src/app-layer-ssl.h b/src/app-layer-ssl.h
index 0a8c0db35c1..8d1b79974d2 100644
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@@ -45,6 +45,7 @@ enum {
TLS_DECODER_EVENT_INVALID_TLS_HEADER,
TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
+ TLS_DECODER_EVENT_INVALID_RECORD_LENGTH,
TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
TLS_DECODER_EVENT_HEARTBEAT,
TLS_DECODER_EVENT_INVALID_HEARTBEAT,
@@ -190,7 +191,6 @@ typedef struct SSLStateConnp_ {
uint32_t record_lengths_length;
/* offset of the beginning of the current message (including header) */
- uint32_t message_start;
uint32_t message_length;
uint16_t version;
@@ -201,8 +201,6 @@ typedef struct SSLStateConnp_ {
/* the no of bytes processed in the currently parsed record */
uint32_t bytes_processed;
- /* the no of bytes processed in the currently parsed handshake */
- uint16_t hs_bytes_processed;
uint16_t session_id_length;
@@ -225,11 +223,13 @@ typedef struct SSLStateConnp_ {
JA3Buffer *ja3_str;
char *ja3_hash;
- /* buffer for the tls record.
- * We use a malloced buffer, if the record is fragmented */
- uint8_t *trec;
- uint32_t trec_len;
- uint32_t trec_pos;
+ /* handshake tls fragmentation buffer. Handshake messages can be fragmented over multiple
+ * TLS records. */
+ uint8_t *hs_buffer;
+ uint8_t hs_buffer_message_type;
+ uint32_t hs_buffer_message_size;
+ uint32_t hs_buffer_size; /**< allocation size */
+ uint32_t hs_buffer_offset; /**< write offset */
} SSLStateConnp;
/**
@@ -260,7 +260,6 @@ typedef struct SSLState_ {
void RegisterSSLParsers(void);
void SSLParserRegisterTests(void);
-void SSLSetEvent(SSLState *ssl_state, uint8_t event);
void SSLVersionToString(uint16_t, char *);
void SSLEnableJA3(void);
bool SSLJA3IsEnabled(void);
diff --git a/src/detect-tls-ja3-hash.c b/src/detect-tls-ja3-hash.c
index 057191a8637..d82941627c7 100644
--- a/src/detect-tls-ja3-hash.c
+++ b/src/detect-tls-ja3-hash.c
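Review bot: The replacement `hs_buffer*` fields in the fourth hunk leave `hs_buffer_message_type` and `hs_buffer_message_size` undocumented and state no invariant between `hs_buffer_message_size`, `hs_buffer_size` and `hs_buffer_offset`, which is exactly the relation a bounds error in handshake reassembly would violate, so it belongs on the struct rather than only in the parser. I would put above `uint8_t *hs_buffer;` a comment along the lines of `/* hs_buffer is NULL iff hs_buffer_size == 0; hs_buffer_offset <= hs_buffer_size always; hs_buffer_message_size is the declared length of the handshake message being reassembled and hs_buffer_message_type its type; the parser bounds hs_buffer_message_size before growing the allocation */`, adjusted to what the parser in app-layer-ssl.c (outside this chunk) actually enforces. `SSLStateConnp_` begins outside the hunk. Separately, the first hunk inserts `TLS_DECODER_EVENT_INVALID_RECORD_LENGTH` in the middle of the event enum, which renumbers every later event; that is harmless only if the event name table in app-layer-ssl.c is keyed by the enum constants and receives a matching entry, which I cannot confirm from here.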
@@ -59,9 +59,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3HashSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3HashRegisterTests(void);
-#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@@ -82,9 +79,6 @@ void DetectTlsJa3HashRegister(void)
sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer";
sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash";
sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup;
-#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_JA3_HASH].RegisterTests = DetectTlsJa3HashRegisterTests;
-#endif
sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@@ -220,7 +214,3 @@ static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
}
}
}
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3-hash.c"
-#endif
diff --git a/src/detect-tls-ja3-string.c b/src/detect-tls-ja3-string.c
index 6173e169594..7b75f2ecfaf 100644
--- a/src/detect-tls-ja3-string.c
+++ b/src/detect-tls-ja3-string.c
@@ -59,9 +59,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3StringSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3StringRegisterTests(void);
-#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@@ -98,9 +95,6 @@ void DetectTlsJa3StringRegister(void)
sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "sticky buffer to match the JA3 string buffer";
sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = "/rules/ja3-keywords.html#ja3-string";
sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup;
-#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_JA3_STRING].RegisterTests = DetectTlsJa3StringRegisterTests;
-#endif
sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@@ -177,7 +171,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
return buffer;
}
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3-string.c"
-#endif
diff --git a/src/detect-tls-ja3s-hash.c b/src/detect-tls-ja3s-hash.c
index 25b1201c359..c6dd3b53de0 100644
--- a/src/detect-tls-ja3s-hash.c
+++ b/src/detect-tls-ja3s-hash.c
@@ -59,9 +59,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3SHashSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3SHashRegisterTests(void);
-#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@@ -81,9 +78,6 @@ void DetectTlsJa3SHashRegister(void)
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].desc = "sticky buffer to match the JA3S hash buffer";
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].url = "/rules/ja3-keywords.html#ja3s-hash";
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].Setup = DetectTlsJa3SHashSetup;
-#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_JA3S_HASH].RegisterTests = DetectTlsJa3SHashRegisterTests;
-#endif
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@@ -218,7 +212,3 @@ static void DetectTlsJa3SHashSetupCallback(const DetectEngineCtx *de_ctx,
}
}
}
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3s-hash.c"
-#endif
diff --git a/src/detect-tls-ja3s-string.c b/src/detect-tls-ja3s-string.c
index 61f2c2c9a7d..e0c4da54ee4 100644
--- a/src/detect-tls-ja3s-string.c
+++ b/src/detect-tls-ja3s-string.c
@@ -59,9 +59,6 @@
#include "util-unittest-helper.h"
static int DetectTlsJa3SStringSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3SStringRegisterTests(void);
-#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@@ -98,9 +95,6 @@ void DetectTlsJa3SStringRegister(void)
"sticky buffer to match the JA3S string buffer";
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].url = "/rules/ja3-keywords.html#ja3s-string";
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].Setup = DetectTlsJa3SStringSetup;
-#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_JA3S_STRING].RegisterTests = DetectTlsJa3SStringRegisterTests;
-#endif
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@@ -177,7 +171,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
return buffer;
}
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3s-string.c"
-#endif
diff --git a/src/detect-tls-sni.c b/src/detect-tls-sni.c
index bdb26ec2422..51731fafc1e 100644
--- a/src/detect-tls-sni.c
+++ b/src/detect-tls-sni.c
@@ -55,9 +55,6 @@
#include "util-unittest-helper.h"
static int DetectTlsSniSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsSniRegisterTests(void);
-#endif
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms,
Flow *f, const uint8_t flow_flags,
@@ -75,9 +72,6 @@ void DetectTlsSniRegister(void)
"sticky buffer to match specifically and only on the TLS SNI buffer";
sigmatch_table[DETECT_AL_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni";
sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
-#ifdef UNITTESTS
- sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;
-#endif
sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER;
@@ -136,7 +130,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
return buffer;
}
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-sni.c"
-#endif
diff --git a/src/tests/detect-ssl-state.c b/src/tests/detect-ssl-state.c
index eba25b07d2c..6be8ea8d89b 100644
--- a/src/tests/detect-ssl-state.c
+++ b/src/tests/detect-ssl-state.c
@@ -89,411 +89,6 @@ static int DetectSslStateTest06(void) PASS; } -/** - * \test Test a valid dce_iface entry for a bind and bind_ack - */ -static int DetectSslStateTest07(void) -{ - uint8_t chello_buf[] = { - 0x80, 0x67, 0x01, 0x03, 0x00, 0x00, 0x4e, 0x00, - 0x00, 0x00, 0x10, 0x01, 0x00, 0x80, 0x03, 0x00, - 0x80, 0x07, 0x00, 0xc0, 0x06, 0x00, 0x40, 0x02, - 0x00, 0x80, 0x04, 0x00, 0x80, 0x00, 0x00, 0x39, - 0x00, 0x00, 0x38, 0x00, 0x00, 0x35, 0x00, 0x00, - 0x33, 0x00, 0x00, 0x32, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x05, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x16, - 0x00, 0x00, 0x13, 0x00, 0xfe, 0xff, 0x00, 0x00, - 0x0a, 0x00, 0x00, 0x15, 0x00, 0x00, 0x12, 0x00, - 0xfe, 0xfe, 0x00, 0x00, 0x09, 0x00, 0x00, 0x64, - 0x00, 0x00, 0x62, 0x00, 0x00, 0x03, 0x00, 0x00, - 0x06, 0xa8, 0xb8, 0x93, 0xbb, 0x90, 0xe9, 0x2a, - 0xa2, 0x4d, 0x6d, 0xcc, 0x1c, 0xe7, 0x2a, 0x80, - 0x21 - }; - uint32_t chello_buf_len = sizeof(chello_buf); - - uint8_t shello_buf[] = { - 0x16, 0x03, 0x00, 0x00, 0x4a, 0x02, - 0x00, 0x00, 0x46, 0x03, 0x00, 0x44, 0x4c, 0x94, - 0x8f, 0xfe, 0x81, 0xed, 0x93, 0x65, 0x02, 0x88, - 0xa3, 0xf8, 0xeb, 0x63, 0x86, 0x0e, 0x2c, 0xf6, - 0x8d, 0xd0, 0x0f, 0x2c, 0x2a, 0xd6, 0x4f, 0xcd, - 0x2d, 0x3c, 0x16, 0xd7, 0xd6, 0x20, 0xa0, 0xfb, - 0x60, 0x86, 0x3d, 0x1e, 0x76, 0xf3, 0x30, 0xfe, - 0x0b, 0x01, 0xfd, 0x1a, 0x01, 0xed, 0x95, 0xf6, - 0x7b, 0x8e, 0xc0, 0xd4, 0x27, 0xbf, 0xf0, 0x6e, - 0xc7, 0x56, 0xb1, 0x47, 0xce, 0x98, 0x00, 0x35, - 0x00, 0x16, 0x03, 0x00, 0x03, 0x44, 0x0b, 0x00, - 0x03, 0x40, 0x00, 0x03, 0x3d, 0x00, 0x03, 0x3a, - 0x30, 0x82, 0x03, 0x36, 0x30, 0x82, 0x02, 0x9f, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, - 0x81, 0xa9, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x58, 0x59, 0x31, - 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x08, - 0x13, 0x0c, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, - 0x44, 0x65, 0x73, 0x65, 0x72, 0x74, 0x31, 0x13, - 0x30, 0x11, 
0x06, 0x03, 0x55, 0x04, 0x07, 0x13, - 0x0a, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x54, - 0x6f, 0x77, 0x6e, 0x31, 0x17, 0x30, 0x15, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x53, 0x6e, - 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, 0x2c, - 0x20, 0x4c, 0x74, 0x64, 0x31, 0x1e, 0x30, 0x1c, - 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x15, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x31, 0x15, 0x30, 0x13, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0c, 0x53, - 0x6e, 0x61, 0x6b, 0x65, 0x20, 0x4f, 0x69, 0x6c, - 0x20, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x09, 0x01, 0x16, 0x0f, 0x63, 0x61, 0x40, 0x73, - 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, 0x2e, - 0x64, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30, - 0x33, 0x30, 0x33, 0x30, 0x35, 0x31, 0x36, 0x34, - 0x37, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x30, 0x38, - 0x30, 0x33, 0x30, 0x33, 0x31, 0x36, 0x34, 0x37, - 0x34, 0x35, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x58, 0x59, 0x31, 0x15, 0x30, 0x13, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x13, 0x0c, 0x53, 0x6e, - 0x61, 0x6b, 0x65, 0x20, 0x44, 0x65, 0x73, 0x65, - 0x72, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x6e, 0x61, - 0x6b, 0x65, 0x20, 0x54, 0x6f, 0x77, 0x6e, 0x31, - 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, - 0x13, 0x0e, 0x53, 0x6e, 0x61, 0x6b, 0x65, 0x20, - 0x4f, 0x69, 0x6c, 0x2c, 0x20, 0x4c, 0x74, 0x64, - 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x0e, 0x57, 0x65, 0x62, 0x73, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x20, 0x54, 0x65, 0x61, - 0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e, - 0x73, 0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, 0x6c, - 0x2e, 0x64, 0x6f, 0x6d, 0x31, 0x1f, 0x30, 0x1d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x09, 0x01, 0x16, 0x10, 0x77, 0x77, 0x77, - 0x40, 0x73, 
0x6e, 0x61, 0x6b, 0x65, 0x6f, 0x69, - 0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x30, 0x81, 0x9f, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, - 0x81, 0x00, 0xa4, 0x6e, 0x53, 0x14, 0x0a, 0xde, - 0x2c, 0xe3, 0x60, 0x55, 0x9a, 0xf2, 0x42, 0xa6, - 0xaf, 0x47, 0x12, 0x2f, 0x17, 0xce, 0xfa, 0xba, - 0xdc, 0x4e, 0x63, 0x56, 0x34, 0xb9, 0xba, 0x73, - 0x4b, 0x78, 0x44, 0x3d, 0xc6, 0x6c, 0x69, 0xa4, - 0x25, 0xb3, 0x61, 0x02, 0x9d, 0x09, 0x04, 0x3f, - 0x72, 0x3d, 0xd8, 0x27, 0xd3, 0xb0, 0x5a, 0x45, - 0x77, 0xb7, 0x36, 0xe4, 0x26, 0x23, 0xcc, 0x12, - 0xb8, 0xae, 0xde, 0xa7, 0xb6, 0x3a, 0x82, 0x3c, - 0x7c, 0x24, 0x59, 0x0a, 0xf8, 0x96, 0x43, 0x8b, - 0xa3, 0x29, 0x36, 0x3f, 0x91, 0x7f, 0x5d, 0xc7, - 0x23, 0x94, 0x29, 0x7f, 0x0a, 0xce, 0x0a, 0xbd, - 0x8d, 0x9b, 0x2f, 0x19, 0x17, 0xaa, 0xd5, 0x8e, - 0xec, 0x66, 0xa2, 0x37, 0xeb, 0x3f, 0x57, 0x53, - 0x3c, 0xf2, 0xaa, 0xbb, 0x79, 0x19, 0x4b, 0x90, - 0x7e, 0xa7, 0xa3, 0x99, 0xfe, 0x84, 0x4c, 0x89, - 0xf0, 0x3d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x6e, 0x30, 0x6c, 0x30, 0x1b, 0x06, 0x03, 0x55, - 0x1d, 0x11, 0x04, 0x14, 0x30, 0x12, 0x81, 0x10, - 0x77, 0x77, 0x77, 0x40, 0x73, 0x6e, 0x61, 0x6b, - 0x65, 0x6f, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d, - 0x30, 0x3a, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, - 0x86, 0xf8, 0x42, 0x01, 0x0d, 0x04, 0x2d, 0x16, - 0x2b, 0x6d, 0x6f, 0x64, 0x5f, 0x73, 0x73, 0x6c, - 0x20, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, - 0x65, 0x64, 0x20, 0x63, 0x75, 0x73, 0x74, 0x6f, - 0x6d, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, - 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x30, 0x11, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, - 0x01, 0x04, 0x04, 0x03, 0x02, 0x06, 0x40, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, - 0x81, 0x00, 0xae, 0x79, 0x79, 0x22, 0x90, 0x75, - 0xfd, 0xa6, 0xd5, 0xc4, 0xb8, 0xc4, 0x99, 0x4e, - 0x1c, 0x05, 
0x7c, 0x91, 0x59, 0xbe, 0x89, 0x0d, - 0x3d, 0xc6, 0x8c, 0xa3, 0xcf, 0xf6, 0xba, 0x23, - 0xdf, 0xb8, 0xae, 0x44, 0x68, 0x8a, 0x8f, 0xb9, - 0x8b, 0xcb, 0x12, 0xda, 0xe6, 0xa2, 0xca, 0xa5, - 0xa6, 0x55, 0xd9, 0xd2, 0xa1, 0xad, 0xba, 0x9b, - 0x2c, 0x44, 0x95, 0x1d, 0x4a, 0x90, 0x59, 0x7f, - 0x83, 0xae, 0x81, 0x5e, 0x3f, 0x92, 0xe0, 0x14, - 0x41, 0x82, 0x4e, 0x7f, 0x53, 0xfd, 0x10, 0x23, - 0xeb, 0x8a, 0xeb, 0xe9, 0x92, 0xea, 0x61, 0xf2, - 0x8e, 0x19, 0xa1, 0xd3, 0x49, 0xc0, 0x84, 0x34, - 0x1e, 0x2e, 0x6e, 0xf6, 0x98, 0xe2, 0x87, 0x53, - 0xd6, 0x55, 0xd9, 0x1a, 0x8a, 0x92, 0x5c, 0xad, - 0xdc, 0x1e, 0x1c, 0x30, 0xa7, 0x65, 0x9d, 0xc2, - 0x4f, 0x60, 0xd2, 0x6f, 0xdb, 0xe0, 0x9f, 0x9e, - 0xbc, 0x41, 0x16, 0x03, 0x00, 0x00, 0x04, 0x0e, - 0x00, 0x00, 0x00 - }; - uint32_t shello_buf_len = sizeof(shello_buf); - - uint8_t client_change_cipher_spec_buf[] = { - 0x16, 0x03, 0x00, 0x00, 0x84, 0x10, 0x00, 0x00, - 0x80, 0x65, 0x51, 0x2d, 0xa6, 0xd4, 0xa7, 0x38, - 0xdf, 0xac, 0x79, 0x1f, 0x0b, 0xd9, 0xb2, 0x61, - 0x7d, 0x73, 0x88, 0x32, 0xd9, 0xf2, 0x62, 0x3a, - 0x8b, 0x11, 0x04, 0x75, 0xca, 0x42, 0xff, 0x4e, - 0xd9, 0xcc, 0xb9, 0xfa, 0x86, 0xf3, 0x16, 0x2f, - 0x09, 0x73, 0x51, 0x66, 0xaa, 0x29, 0xcd, 0x80, - 0x61, 0x0f, 0xe8, 0x13, 0xce, 0x5b, 0x8e, 0x0a, - 0x23, 0xf8, 0x91, 0x5e, 0x5f, 0x54, 0x70, 0x80, - 0x8e, 0x7b, 0x28, 0xef, 0xb6, 0x69, 0xb2, 0x59, - 0x85, 0x74, 0x98, 0xe2, 0x7e, 0xd8, 0xcc, 0x76, - 0x80, 0xe1, 0xb6, 0x45, 0x4d, 0xc7, 0xcd, 0x84, - 0xce, 0xb4, 0x52, 0x79, 0x74, 0xcd, 0xe6, 0xd7, - 0xd1, 0x9c, 0xad, 0xef, 0x63, 0x6c, 0x0f, 0xf7, - 0x05, 0xe4, 0x4d, 0x1a, 0xd3, 0xcb, 0x9c, 0xd2, - 0x51, 0xb5, 0x61, 0xcb, 0xff, 0x7c, 0xee, 0xc7, - 0xbc, 0x5e, 0x15, 0xa3, 0xf2, 0x52, 0x0f, 0xbb, - 0x32, 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, - 0x03, 0x00, 0x00, 0x40, 0xa9, 0xd8, 0xd7, 0x35, - 0xbc, 0x39, 0x56, 0x98, 0xad, 0x87, 0x61, 0x2a, - 0xc4, 0x8f, 0xcc, 0x03, 0xcb, 0x93, 0x80, 0x81, - 0xb0, 0x4a, 0xc4, 0xd2, 0x09, 0x71, 0x3e, 0x90, - 0x3c, 0x8d, 0xe0, 0x95, 0x44, 0xfe, 0x56, 
0xd1, - 0x7e, 0x88, 0xe2, 0x48, 0xfd, 0x76, 0x70, 0x76, - 0xe2, 0xcd, 0x06, 0xd0, 0xf3, 0x9d, 0x13, 0x79, - 0x67, 0x1e, 0x37, 0xf6, 0x98, 0xbe, 0x59, 0x18, - 0x4c, 0xfc, 0x75, 0x56 - }; - uint32_t client_change_cipher_spec_buf_len = - sizeof(client_change_cipher_spec_buf); - - uint8_t server_change_cipher_spec_buf[] = { - 0x14, 0x03, 0x00, 0x00, 0x01, 0x01, 0x16, 0x03, - 0x00, 0x00, 0x40, 0xce, 0x7c, 0x92, 0x43, 0x59, - 0xcc, 0x3d, 0x90, 0x91, 0x9c, 0x58, 0xf0, 0x7a, - 0xce, 0xae, 0x0d, 0x08, 0xe0, 0x76, 0xb4, 0x86, - 0xb1, 0x15, 0x5b, 0x32, 0xb8, 0x77, 0x53, 0xe7, - 0xa6, 0xf9, 0xd0, 0x95, 0x5f, 0xaa, 0x07, 0xc3, - 0x96, 0x7c, 0xc9, 0x88, 0xc2, 0x7a, 0x20, 0x89, - 0x4f, 0xeb, 0xeb, 0xb6, 0x19, 0xef, 0xaa, 0x27, - 0x73, 0x9d, 0xa6, 0xb4, 0x9f, 0xeb, 0x34, 0xe2, - 0x4d, 0x9f, 0x6b - }; - uint32_t server_change_cipher_spec_buf_len = - sizeof(server_change_cipher_spec_buf); - - uint8_t toserver_app_data_buf[] = { - 0x17, 0x03, 0x00, 0x01, 0xb0, 0x4a, 0xc3, 0x3e, - 0x9d, 0x77, 0x78, 0x01, 0x2c, 0xb4, 0xbc, 0x4c, - 0x9a, 0x84, 0xd7, 0xb9, 0x90, 0x0c, 0x21, 0x10, - 0xf0, 0xfa, 0x00, 0x7c, 0x16, 0xbb, 0x77, 0xfb, - 0x72, 0x42, 0x4f, 0xad, 0x50, 0x4a, 0xd0, 0xaa, - 0x6f, 0xaa, 0x44, 0x6c, 0x62, 0x94, 0x1b, 0xc5, - 0xfe, 0xe9, 0x1c, 0x5e, 0xde, 0x85, 0x0b, 0x0e, - 0x05, 0xe4, 0x18, 0x6e, 0xd2, 0xd3, 0xb5, 0x20, - 0xab, 0x81, 0xfd, 0x18, 0x9a, 0x73, 0xb8, 0xd7, - 0xef, 0xc3, 0xdd, 0x74, 0xd7, 0x9c, 0x1e, 0x6f, - 0x21, 0x6d, 0xf8, 0x24, 0xca, 0x3c, 0x70, 0x78, - 0x36, 0x12, 0x7a, 0x8a, 0x9c, 0xac, 0x4e, 0x1c, - 0xa8, 0xfb, 0x27, 0x30, 0xba, 0x9a, 0xf4, 0x2f, - 0x0a, 0xab, 0x80, 0x6a, 0xa1, 0x60, 0x74, 0xf0, - 0xe3, 0x91, 0x84, 0xe7, 0x90, 0x88, 0xcc, 0xf0, - 0x95, 0x7b, 0x0a, 0x22, 0xf2, 0xf9, 0x27, 0xe0, - 0xdd, 0x38, 0x0c, 0xfd, 0xe9, 0x03, 0x71, 0xdc, - 0x70, 0xa4, 0x6e, 0xdf, 0xe3, 0x72, 0x9e, 0xa1, - 0xf0, 0xc9, 0x00, 0xd6, 0x03, 0x55, 0x6a, 0x67, - 0x5d, 0x9c, 0xb8, 0x75, 0x01, 0xb0, 0x01, 0x9f, - 0xe6, 0xd2, 0x44, 0x18, 0xbc, 0xca, 0x7a, 0x10, - 0x39, 0xa6, 0xcf, 0x15, 
0xc7, 0xf5, 0x35, 0xd4, - 0xb3, 0x6d, 0x91, 0x23, 0x84, 0x99, 0xba, 0xb0, - 0x7e, 0xd0, 0xc9, 0x4c, 0xbf, 0x3f, 0x33, 0x68, - 0x37, 0xb7, 0x7d, 0x44, 0xb0, 0x0b, 0x2c, 0x0f, - 0xd0, 0x75, 0xa2, 0x6b, 0x5b, 0xe1, 0x9f, 0xd4, - 0x69, 0x9a, 0x14, 0xc8, 0x29, 0xb7, 0xd9, 0x10, - 0xbb, 0x99, 0x30, 0x9a, 0xfb, 0xcc, 0x13, 0x1f, - 0x76, 0x4e, 0xe6, 0xdf, 0x14, 0xaa, 0xd5, 0x60, - 0xbf, 0x91, 0x49, 0x0d, 0x64, 0x42, 0x29, 0xa8, - 0x64, 0x27, 0xd4, 0x5e, 0x1b, 0x18, 0x03, 0xa8, - 0x73, 0xd6, 0x05, 0x6e, 0xf7, 0x50, 0xb0, 0x09, - 0x6b, 0x69, 0x7a, 0x12, 0x28, 0x58, 0xef, 0x5a, - 0x86, 0x11, 0xde, 0x71, 0x71, 0x9f, 0xca, 0xbd, - 0x79, 0x2a, 0xc2, 0xe5, 0x9b, 0x5e, 0x32, 0xe7, - 0xcb, 0x97, 0x6e, 0xa0, 0xea, 0xa4, 0xa4, 0x6a, - 0x32, 0xf9, 0x37, 0x39, 0xd8, 0x37, 0x6d, 0x63, - 0xf3, 0x08, 0x1c, 0xdd, 0x06, 0xdd, 0x2c, 0x2b, - 0x9f, 0x04, 0x88, 0x5f, 0x36, 0x42, 0xc1, 0xb1, - 0xc7, 0xe8, 0x2d, 0x5d, 0xa4, 0x6c, 0xe5, 0x60, - 0x94, 0xae, 0xd0, 0x90, 0x1e, 0x88, 0xa0, 0x87, - 0x52, 0xfb, 0xed, 0x97, 0xa5, 0x25, 0x5a, 0xb7, - 0x55, 0xc5, 0x13, 0x07, 0x85, 0x27, 0x40, 0xed, - 0xb8, 0xa0, 0x26, 0x13, 0x44, 0x0c, 0xfc, 0xcc, - 0x5a, 0x09, 0xe5, 0x44, 0xb5, 0x63, 0xa1, 0x43, - 0x51, 0x23, 0x4f, 0x17, 0x21, 0x89, 0x2e, 0x58, - 0xfd, 0xf9, 0x63, 0x74, 0x04, 0x70, 0x1e, 0x7d, - 0xd0, 0x66, 0xba, 0x40, 0x5e, 0x45, 0xdc, 0x39, - 0x7c, 0x53, 0x0f, 0xa8, 0x38, 0xb2, 0x13, 0x99, - 0x27, 0xd9, 0x4a, 0x51, 0xe9, 0x9f, 0x2a, 0x92, - 0xbb, 0x9c, 0x90, 0xab, 0xfd, 0xf1, 0xb7, 0x40, - 0x05, 0xa9, 0x7a, 0x20, 0x63, 0x36, 0xc1, 0xef, - 0xb9, 0xad, 0xa2, 0xe0, 0x1d, 0x20, 0x4f, 0xb2, - 0x34, 0xbd, 0xea, 0x07, 0xac, 0x21, 0xce, 0xf6, - 0x8a, 0xa2, 0x9e, 0xcd, 0xfa - }; - uint32_t toserver_app_data_buf_len = sizeof(toserver_app_data_buf); - - Signature *s = NULL; - ThreadVars th_v; - Packet *p = NULL; - Flow f; - TcpSession ssn; - DetectEngineThreadCtx *det_ctx = NULL; - DetectEngineCtx *de_ctx = NULL; - SSLState *ssl_state = NULL; - int r = 0; - AppLayerParserThreadCtx *alp_tctx = 
AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&p, 0, sizeof(p)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - p->flow = &f; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->flags |= DE_QUIET; - - s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " - "(msg:\"ssl state\"; ssl_state:client_hello; " - "sid:1;)"); - FAIL_IF_NULL(s); - - s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " - "(msg:\"ssl state\"; " - "ssl_state:server_hello; " - "sid:2;)"); - FAIL_IF_NULL(s); - - s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " - "(msg:\"ssl state\"; " - "ssl_state:client_keyx; " - "sid:3;)"); - FAIL_IF_NULL(s); - - s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " - "(msg:\"ssl state\"; " - "ssl_state:server_keyx; " - "sid:4;)"); - FAIL_IF_NULL(s); - - s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any " - "(msg:\"ssl state\"; " - "ssl_state:!client_hello; " - "sid:5;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER | STREAM_START, chello_buf, - chello_buf_len); - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF(ssl_state == NULL); - - /* do detect */ - p->alerts.cnt = 0; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(!PacketAlertCheck(p, 1)); - FAIL_IF(PacketAlertCheck(p, 2)); - FAIL_IF(PacketAlertCheck(p, 3)); - FAIL_IF(PacketAlertCheck(p, 4)); - FAIL_IF(PacketAlertCheck(p, 5)); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - 
shello_buf, shello_buf_len); - FAIL_IF(r != 0); - - /* do detect */ - p->alerts.cnt = 0; - p->flowflags = (FLOW_PKT_TOCLIENT | FLOW_PKT_ESTABLISHED); - - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(PacketAlertCheck(p, 1)); - FAIL_IF(!PacketAlertCheck(p, 2)); - FAIL_IF(PacketAlertCheck(p, 3)); - FAIL_IF(PacketAlertCheck(p, 4)); - FAIL_IF(!PacketAlertCheck(p, 5)); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - client_change_cipher_spec_buf, - client_change_cipher_spec_buf_len); - FAIL_IF(r != 0); - - /* do detect */ - p->alerts.cnt = 0; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(PacketAlertCheck(p, 1)); - FAIL_IF(PacketAlertCheck(p, 2)); - FAIL_IF(!PacketAlertCheck(p, 3)); - FAIL_IF(PacketAlertCheck(p, 4)); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - server_change_cipher_spec_buf, - server_change_cipher_spec_buf_len); - FAIL_IF(r != 0); - - /* do detect */ - p->alerts.cnt = 0; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(PacketAlertCheck(p, 1)); - FAIL_IF(PacketAlertCheck(p, 2)); - FAIL_IF(PacketAlertCheck(p, 3)); - FAIL_IF(PacketAlertCheck(p, 4)); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - toserver_app_data_buf, toserver_app_data_buf_len); - FAIL_IF(r != 0); - - /* do detect */ - p->alerts.cnt = 0; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF(PacketAlertCheck(p, 1)); - FAIL_IF(PacketAlertCheck(p, 2)); - FAIL_IF(PacketAlertCheck(p, 3)); - FAIL_IF(PacketAlertCheck(p, 4)); - - if (alp_tctx != NULL) - AppLayerParserThreadCtxFree(alp_tctx); - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePackets(&p, 1); - PASS; -} - /** * \brief Test that the "|" character still works as a separate for * compatibility with older Suricata rules. 
@@ -536,7 +131,6 @@ static void DetectSslStateRegisterTests(void)
 UtRegisterTest("DetectSslStateTest04", DetectSslStateTest04);
 UtRegisterTest("DetectSslStateTest05", DetectSslStateTest05);
 UtRegisterTest("DetectSslStateTest06", DetectSslStateTest06);
- UtRegisterTest("DetectSslStateTest07", DetectSslStateTest07);
 UtRegisterTest("DetectSslStateTest08", DetectSslStateTest08);
 UtRegisterTest("DetectSslStateTestParseNegate", DetectSslStateTestParseNegate);
diff --git a/src/tests/detect-ssl-version.c b/src/tests/detect-ssl-version.c
index 3923ff8d67e..d4a52976558 100644
--- a/src/tests/detect-ssl-version.c
+++ b/src/tests/detect-ssl-version.c
@@ -84,182 +84,6 @@ static int DetectSslVersionTestParse03(void)
 PASS;
 }
-#include "stream-tcp-reassemble.h"
-
-/** \test Send a get request in three chunks + more data. */
-static int DetectSslVersionTestDetect01(void)
-{
- Flow f;
- uint8_t sslbuf1[] = { 0x16 };
- uint32_t ssllen1 = sizeof(sslbuf1);
- uint8_t sslbuf2[] = { 0x03 };
- uint32_t ssllen2 = sizeof(sslbuf2);
- uint8_t sslbuf3[] = { 0x01 };
- uint32_t ssllen3 = sizeof(sslbuf3);
- uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 };
- uint32_t ssllen4 = sizeof(sslbuf4);
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- f.alproto = ALPROTO_TLS;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
- FAIL_IF_NULL(s);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
- STREAM_TOSERVER, sslbuf1, ssllen1);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- sslbuf2, ssllen2);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- sslbuf3, ssllen3);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- sslbuf4, ssllen4);
- FAIL_IF(r != 0);
-
- SSLState *app_state = f.alstate;
- FAIL_IF_NULL(app_state);
-
- FAIL_IF(app_state->client_connp.content_type != 0x16);
-
- FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
-
- SCLogDebug("app_state is at %p, app_state->server_connp.version 0x%02X app_state->client_connp.version 0x%02X",
- app_state, app_state->server_connp.version, app_state->client_connp.version);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF_NOT(PacketAlertCheck(p, 1));
-
- AppLayerParserThreadCtxFree(alp_tctx);
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
-
- UTHFreePackets(&p, 1);
-
- PASS;
-}
-
-static int DetectSslVersionTestDetect02(void)
-{
- Flow f;
- uint8_t sslbuf1[] = { 0x16 };
- uint32_t ssllen1 = sizeof(sslbuf1);
- uint8_t sslbuf2[] = { 0x03 };
- uint32_t ssllen2 = sizeof(sslbuf2);
- uint8_t sslbuf3[] = { 0x01 };
- uint32_t ssllen3 = sizeof(sslbuf3);
- uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
- uint32_t ssllen4 = sizeof(sslbuf4);
- TcpSession ssn;
- Packet *p = NULL;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
- f.alproto = ALPROTO_TLS;
-
- StreamTcpInitConfig(true);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
- FAIL_IF_NULL(s);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
- STREAM_TOSERVER, sslbuf1, ssllen1);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- sslbuf2, ssllen2);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- sslbuf3, ssllen3);
- FAIL_IF(r != 0);
-
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
- sslbuf4, ssllen4);
- FAIL_IF(r != 0);
-
- SSLState *app_state = f.alstate;
- FAIL_IF_NULL(app_state);
-
- FAIL_IF(app_state->client_connp.content_type != 0x16);
-
- FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF_NOT(PacketAlertCheck(p, 1));
-
- AppLayerParserThreadCtxFree(alp_tctx);
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
- StreamTcpFreeConfig(true);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
-
- PASS;
-}
-
 /**
 * \brief this function registers unit tests for DetectSslVersion
 */
@@ -268,8 +92,4 @@ static void DetectSslVersionRegisterTests(void)
 UtRegisterTest("DetectSslVersionTestParse01", DetectSslVersionTestParse01);
 UtRegisterTest("DetectSslVersionTestParse02", DetectSslVersionTestParse02);
 UtRegisterTest("DetectSslVersionTestParse03", DetectSslVersionTestParse03);
- UtRegisterTest("DetectSslVersionTestDetect01",
- DetectSslVersionTestDetect01);
- UtRegisterTest("DetectSslVersionTestDetect02",
- DetectSslVersionTestDetect02);
 }
diff --git a/src/tests/detect-tls-ja3-hash.c b/src/tests/detect-tls-ja3-hash.c
deleted file mode 100644
index 1a562fe7094..00000000000
--- a/src/tests/detect-tls-ja3-hash.c
+++ /dev/null
@@ -1,220 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Mats Klepsland - * - */ - -#include "detect-engine-build.h" -#include "app-layer-parser.h" - -/** - * \test Test matching on a simple client hello packet - */ -static int DetectTlsJa3HashTest01(void) -{ - /* Client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, - 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, - 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, - 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, - 0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00, - 0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D, - 0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00, - 0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35, - 0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00, - 0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40, - 0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00, - 0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B, - 0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00, - 0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00, - 0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63, - 0x6F, 0x6D, }; - - - Flow f; - SSLState *ssl_state = NULL; - Packet *p = NULL; - ThreadVars tv; - DetectEngineThreadCtx *det_ctx = NULL; - 
TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&tv, 0, sizeof(ThreadVars)); - memset(&f, 0, sizeof(Flow)); - memset(&ssn, 0, sizeof(TcpSession)); - - p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 443); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.flags |= FLOW_IPV4; - f.proto = IPPROTO_TCP; - f.protomap = FlowGetProtoMapping(f.proto); - - p->flow = &f; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->mpm_matcher = mpm_default_matcher; - de_ctx->flags |= DE_QUIET; - - Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test ja3.hash\"; ja3.hash; " - "content:\"e7eca2baf4458d095b7f45da28c16c34\"; " - "sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf, sizeof(buf)); - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF_NULL(ssl_state->client_connp.ja3_hash); - - SigMatchSignatures(&tv, de_ctx, det_ctx, p); - - FAIL_IF_NOT(PacketAlertCheck(p, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&tv, det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePacket(p); - - PASS; -} - -/** - * \test Test matching on a simple client hello packet - */ -static int DetectTlsJa3HashTest02(void) -{ - /* Client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x01, 0x00, 0xc0, 0x01, 0x00, 0x00, 0xbc, - 0x03, 0x03, 0x03, 0xb7, 0x16, 0x16, 0x5a, 0xe7, 0xc1, - 0xbd, 0x46, 0x2f, 0xff, 0xf3, 0x68, 0xb8, 0x6f, 0x6e, - 0x93, 0xdf, 0x06, 0x6a, 0xa7, 0x2d, 0xa0, 0xea, 0x9f, - 0x48, 0xb5, 0xe7, 0x91, 
0x20, 0xd7, 0x25, 0x00, 0x00, - 0x1c, 0x0a, 0x0a, 0xc0, 0x2b, 0xc0, 0x2f, 0xc0, 0x2c, - 0xc0, 0x30, 0xcc, 0xa9, 0xcc, 0xa8, 0xc0, 0x13, 0xc0, - 0x14, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x35, - 0x00, 0x0a, 0x01, 0x00, 0x00, 0x77, 0x1a, 0x1a, 0x00, - 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x12, 0x00, 0x10, 0x00, 0x00, 0x0d, 0x77, 0x77, 0x77, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x6e, - 0x6f, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, - 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, 0x03, 0x08, - 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, - 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x05, 0x00, - 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, - 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x0c, 0x02, 0x68, - 0x32, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, - 0x31, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, - 0x00, 0x0a, 0x00, 0x08, 0xba, 0xba, 0x00, 0x1d, 0x00, - 0x17, 0x00, 0x18, 0x0a, 0x0a, 0x00, 0x01, 0x00 }; - - Flow f; - SSLState *ssl_state = NULL; - ThreadVars tv; - DetectEngineThreadCtx *det_ctx = NULL; - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&tv, 0, sizeof(ThreadVars)); - memset(&f, 0, sizeof(Flow)); - memset(&ssn, 0, sizeof(TcpSession)); - - Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 443); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.flags |= FLOW_IPV4; - f.proto = IPPROTO_TCP; - f.protomap = FlowGetProtoMapping(f.proto); - - p->flow = &f; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->mpm_matcher = mpm_default_matcher; - de_ctx->flags |= DE_QUIET; - - Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test ja3.hash\"; ja3.hash; " - 
"content:\"bc6c386f480ee97b9d9e52d472b772d8\"; " - "sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf, sizeof(buf)); - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF_NULL(ssl_state->client_connp.ja3_hash); - - SigMatchSignatures(&tv, de_ctx, det_ctx, p); - - FAIL_IF_NOT(PacketAlertCheck(p, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&tv, det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePacket(p); - - PASS; -} - -static void DetectTlsJa3HashRegisterTests(void) -{ - UtRegisterTest("DetectTlsJa3HashTest01", DetectTlsJa3HashTest01); - UtRegisterTest("DetectTlsJa3HashTest02", DetectTlsJa3HashTest02); -} diff --git a/src/tests/detect-tls-ja3-string.c b/src/tests/detect-tls-ja3-string.c deleted file mode 100644 index ef3dcef0ff4..00000000000 --- a/src/tests/detect-tls-ja3-string.c +++ /dev/null 
@@ -1,123 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Mats Klepsland - * - */ - -#include "detect-engine-build.h" -#include "app-layer-parser.h" - -/** - * \test Test matching on a simple client hello packet - */ -static int DetectTlsJa3StringTest01(void) -{ - /* Client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, - 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, - 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, - 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, - 0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00, - 0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D, - 0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00, - 0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35, - 0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00, - 0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40, - 0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00, - 0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B, - 0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00, - 0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00, - 0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63, - 0x6F, 0x6D, }; - - - Flow f; - SSLState *ssl_state = NULL; - ThreadVars tv; - DetectEngineThreadCtx *det_ctx = NULL; - TcpSession ssn; - 
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&tv, 0, sizeof(ThreadVars)); - memset(&f, 0, sizeof(Flow)); - memset(&ssn, 0, sizeof(TcpSession)); - - Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 443); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.flags |= FLOW_IPV4; - f.proto = IPPROTO_TCP; - f.protomap = FlowGetProtoMapping(f.proto); - - p->flow = &f; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->mpm_matcher = mpm_default_matcher; - de_ctx->flags |= DE_QUIET; - - Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test ja3.string\"; ja3.string; " - "content:\"-65-68-69-102-103-104-105-106-107-132-135-255,0,,\"; " - "sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf, sizeof(buf)); - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF_NULL(ssl_state->client_connp.ja3_str); - FAIL_IF_NULL(ssl_state->client_connp.ja3_str->data); - - SigMatchSignatures(&tv, de_ctx, det_ctx, p); - - FAIL_IF_NOT(PacketAlertCheck(p, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&tv, det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePacket(p); - - PASS; -} - -static void DetectTlsJa3StringRegisterTests(void) -{ - UtRegisterTest("DetectTlsJa3StringTest01", DetectTlsJa3StringTest01); -} diff --git a/src/tests/detect-tls-ja3s-hash.c b/src/tests/detect-tls-ja3s-hash.c deleted file mode 100644 index cf9fedec274..00000000000 --- a/src/tests/detect-tls-ja3s-hash.c +++ /dev/null 
@@ -1,169 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Mats Klepsland - * - */ - -#include "detect-engine-build.h" -#include "app-layer-parser.h" - -/** - * \test Test matching on a JA3S hash from a ServerHello record - */ -static int DetectTlsJa3SHashTest01(void) -{ - /* client hello */ - uint8_t client_hello[] = { - 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, - 0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86, - 0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc, - 0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b, - 0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46, - 0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b, - 0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, - 0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f, - 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85, - 0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00, - 0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01, - 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, - 0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, - 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, - 0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31, - 0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05, - 0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32, - 0x08, 
0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e, - 0x31, 0x08, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, - 0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00, - 0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, - 0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, - 0x03, 0x04, 0x02, 0x02, 0x02 - }; - - /* server hello */ - uint8_t server_hello[] = { - 0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00, - 0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd, - 0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d, - 0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1, - 0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23, - 0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00, - 0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10, - 0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00, - 0x0b, 0x00, 0x02, 0x01, 0x00 - }; - - Flow f; - SSLState *ssl_state = NULL; - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars tv; - DetectEngineThreadCtx *det_ctx = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&tv, 0, sizeof(ThreadVars)); - memset(&f, 0, sizeof(Flow)); - memset(&ssn, 0, sizeof(TcpSession)); - - p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", 51251, 443); - p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", 443, 51251); - - FLOW_INITIALIZE(&f); - f.flags |= FLOW_IPV4; - f.proto = IPPROTO_TCP; - f.protomap = FlowGetProtoMapping(f.proto); - f.alproto = ALPROTO_TLS; - - p1->flow = &f; - p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->pcap_cnt = 1; - - p2->flow = &f; - p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->pcap_cnt = 2; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = 
DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->mpm_matcher = mpm_default_matcher; - de_ctx->flags |= DE_QUIET; - - Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test ja3s.hash\"; " - "ja3s.hash; " - "content:\"8217013c502e3461d19c75bb02a12aaf\"; " - "sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, client_hello, - sizeof(client_hello)); - - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - SigMatchSignatures(&tv, de_ctx, det_ctx, p1); - - FAIL_IF(PacketAlertCheck(p1, 1)); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - server_hello, sizeof(server_hello)); - - FAIL_IF(r != 0); - - FAIL_IF_NULL(ssl_state->server_connp.ja3_hash); - - SigMatchSignatures(&tv, de_ctx, det_ctx, p2); - - FAIL_IF_NOT(PacketAlertCheck(p2, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&tv, det_ctx); - DetectEngineCtxFree(de_ctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePacket(p1); - UTHFreePacket(p2); - - PASS; -} - -void DetectTlsJa3SHashRegisterTests(void) -{ - UtRegisterTest("DetectTlsJa3SHashTest01", DetectTlsJa3SHashTest01); -} diff --git a/src/tests/detect-tls-ja3s-string.c b/src/tests/detect-tls-ja3s-string.c deleted file mode 100644 index e61ccb7bd33..00000000000 --- a/src/tests/detect-tls-ja3s-string.c +++ /dev/null 
@@ -1,162 +0,0 @@ -/* Copyright (C) 2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -#include "detect-engine-build.h" -#include "app-layer-parser.h" - -/** - * \test Test matching on a simple client hello packet - */ -static int DetectTlsJa3SStringTest01(void) -{ - /* client hello */ - uint8_t client_hello[] = { - 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, - 0xc4, 0x03, 0x03, 0xd6, 0x08, 0x5a, 0xa2, 0x86, - 0x5b, 0x85, 0xd4, 0x40, 0xab, 0xbe, 0xc0, 0xbc, - 0x41, 0xf2, 0x26, 0xf0, 0xfe, 0x21, 0xee, 0x8b, - 0x4c, 0x7e, 0x07, 0xc8, 0xec, 0xd2, 0x00, 0x46, - 0x4c, 0xeb, 0xb7, 0x00, 0x00, 0x16, 0xc0, 0x2b, - 0xc0, 0x2f, 0xc0, 0x0a, 0xc0, 0x09, 0xc0, 0x13, - 0xc0, 0x14, 0x00, 0x33, 0x00, 0x39, 0x00, 0x2f, - 0x00, 0x35, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x85, - 0x00, 0x00, 0x00, 0x12, 0x00, 0x10, 0x00, 0x00, - 0x0d, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x6e, 0x6f, 0xff, 0x01, - 0x00, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, - 0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, - 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, - 0x00, 0x33, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, - 0x29, 0x00, 0x27, 0x05, 0x68, 0x32, 0x2d, 0x31, - 0x36, 0x05, 0x68, 0x32, 0x2d, 0x31, 0x35, 0x05, - 0x68, 0x32, 0x2d, 0x31, 0x34, 0x02, 0x68, 0x32, - 0x08, 0x73, 0x70, 0x64, 0x79, 0x2f, 0x33, 0x2e, - 0x31, 0x08, 0x68, 
0x74, 0x74, 0x70, 0x2f, 0x31, - 0x2e, 0x31, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x16, 0x00, - 0x14, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, - 0x01, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, - 0x03, 0x04, 0x02, 0x02, 0x02 - }; - - /* server hello */ - uint8_t server_hello[] = { - 0x16, 0x03, 0x03, 0x00, 0x48, 0x02, 0x00, 0x00, - 0x44, 0x03, 0x03, 0x57, 0x91, 0xb8, 0x63, 0xdd, - 0xdb, 0xbb, 0x23, 0xcf, 0x0b, 0x43, 0x02, 0x1d, - 0x46, 0x11, 0x27, 0x5c, 0x98, 0xcf, 0x67, 0xe1, - 0x94, 0x3d, 0x62, 0x7d, 0x38, 0x48, 0x21, 0x23, - 0xa5, 0x62, 0x31, 0x00, 0xc0, 0x2f, 0x00, 0x00, - 0x1c, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x10, - 0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32, 0x00, - 0x0b, 0x00, 0x02, 0x01, 0x00 - }; - - Flow f; - SSLState *ssl_state = NULL; - TcpSession ssn; - Packet *p1 = NULL; - Packet *p2 = NULL; - ThreadVars tv; - DetectEngineThreadCtx *det_ctx = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&tv, 0, sizeof(ThreadVars)); - memset(&f, 0, sizeof(Flow)); - memset(&ssn, 0, sizeof(TcpSession)); - - p1 = UTHBuildPacketReal(client_hello, sizeof(client_hello), IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", 51251, 443); - p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", 443, 51251); - - FLOW_INITIALIZE(&f); - f.flags |= FLOW_IPV4; - f.proto = IPPROTO_TCP; - f.protomap = FlowGetProtoMapping(f.proto); - f.alproto = ALPROTO_TLS; - - p1->flow = &f; - p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - p1->flowflags |= FLOW_PKT_TOSERVER; - p1->flowflags |= FLOW_PKT_ESTABLISHED; - p1->pcap_cnt = 1; - - p2->flow = &f; - p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST; - p2->flowflags |= FLOW_PKT_TOCLIENT; - p2->flowflags |= FLOW_PKT_ESTABLISHED; - p2->pcap_cnt = 2; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->mpm_matcher = 
mpm_default_matcher; - de_ctx->flags |= DE_QUIET; - - Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test ja3s_hash\"; " - "ja3s.string; " - "content:\"771,49199,65281-0-35-16-11\"; " - "sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, client_hello, - sizeof(client_hello)); - - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - SigMatchSignatures(&tv, de_ctx, det_ctx, p1); - - FAIL_IF(PacketAlertCheck(p1, 1)); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT, - server_hello, sizeof(server_hello)); - - FAIL_IF(r != 0); - - FAIL_IF_NULL(ssl_state->server_connp.ja3_str); - - SigMatchSignatures(&tv, de_ctx, det_ctx, p2); - - FAIL_IF_NOT(PacketAlertCheck(p2, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&tv, det_ctx); - DetectEngineCtxFree(de_ctx); - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePacket(p1); - UTHFreePacket(p2); - - PASS; -} - -static void DetectTlsJa3SStringRegisterTests(void) -{ - UtRegisterTest("DetectTlsJa3SStringTest01", DetectTlsJa3SStringTest01); -} diff --git a/src/tests/detect-tls-sni.c b/src/tests/detect-tls-sni.c deleted file mode 100644 index a9b45e894e7..00000000000 --- a/src/tests/detect-tls-sni.c +++ /dev/null 
@@ -1,216 +0,0 @@ -/* Copyright (C) 2007-2019 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file - * - * \author Mats Klepsland - * - */ - -#include "detect-engine-build.h" -#include "app-layer-parser.h" - -/** - * \test Test matching on a simple google.com SNI - */ -static int DetectTlsSniTest01(void) -{ - /* client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, - 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, - 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, - 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, - 0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00, - 0x44, 0x00, 0x04, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0D, - 0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00, - 0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35, - 0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00, - 0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40, - 0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00, - 0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B, - 0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00, - 0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00, - 0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63, - 0x6F, 0x6D, }; - - Flow f; - SSLState *ssl_state = NULL; - ThreadVars tv; - DetectEngineThreadCtx *det_ctx = NULL; - TcpSession ssn; - 
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&tv, 0, sizeof(ThreadVars)); - memset(&f, 0, sizeof(Flow)); - memset(&ssn, 0, sizeof(TcpSession)); - - Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 443); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.flags |= FLOW_IPV4; - f.proto = IPPROTO_TCP; - f.protomap = FlowGetProtoMapping(f.proto); - - p->flow = &f; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->mpm_matcher = mpm_default_matcher; - de_ctx->flags |= DE_QUIET; - - Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test tls.sni option\"; " - "tls.sni; content:\"google.com\"; sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf, sizeof(buf)); - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - /* do detect */ - SigMatchSignatures(&tv, de_ctx, det_ctx, p); - - FAIL_IF_NOT(PacketAlertCheck(p, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&tv, det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePacket(p); - - PASS; -} - -/** - * \test Test matching on a simple google.com SNI with pcre - */ -static int DetectTlsSniTest02(void) -{ - /* client hello */ - uint8_t buf[] = { 0x16, 0x03, 0x03, 0x00, 0x84, 0x01, 0x00, 0x00, 0x7E, - 0x03, 0x03, 0x57, 0x04, 0x9F, 0x5D, 0xC9, 0x5C, 0x87, - 0xAE, 0xF2, 0xA7, 0x4A, 0xFC, 0x59, 0x78, 0x23, 0x31, - 0x61, 0x2D, 0x29, 0x92, 0xB6, 0x70, 0xA5, 0xA1, 0xFC, - 0x0E, 0x79, 0xFE, 0xC3, 0x97, 0x37, 0xC0, 0x00, 0x00, - 0x44, 0x00, 0x04, 0x00, 0x05, 
0x00, 0x0A, 0x00, 0x0D, - 0x00, 0x10, 0x00, 0x13, 0x00, 0x16, 0x00, 0x2F, 0x00, - 0x30, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x35, - 0x00, 0x36, 0x00, 0x37, 0x00, 0x38, 0x00, 0x39, 0x00, - 0x3C, 0x00, 0x3D, 0x00, 0x3E, 0x00, 0x3F, 0x00, 0x40, - 0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x66, 0x00, - 0x67, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6A, 0x00, 0x6B, - 0x00, 0x84, 0x00, 0x87, 0x00, 0xFF, 0x01, 0x00, 0x00, - 0x13, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x0D, 0x00, 0x00, - 0x0A, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x65, 0x2E, 0x63, - 0x6F, 0x6D, }; - - Flow f; - SSLState *ssl_state = NULL; - ThreadVars tv; - DetectEngineThreadCtx *det_ctx = NULL; - TcpSession ssn; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&tv, 0, sizeof(ThreadVars)); - memset(&f, 0, sizeof(Flow)); - memset(&ssn, 0, sizeof(TcpSession)); - - Packet *p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 443); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.flags |= FLOW_IPV4; - f.proto = IPPROTO_TCP; - f.protomap = FlowGetProtoMapping(f.proto); - - p->flow = &f; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - p->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->mpm_matcher = mpm_default_matcher; - de_ctx->flags |= DE_QUIET; - - Signature *s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test tls.sni option\"; " - "tls.sni; content:\"google\"; nocase; " - "pcre:\"/google\\.com$/i\"; sid:1;)"); - FAIL_IF_NULL(s); - - s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any " - "(msg:\"Test tls.sni option\"; " - "tls.sni; content:\"google\"; nocase; " - "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, 
alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, buf, sizeof(buf)); - FAIL_IF(r != 0); - - ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - /* do detect */ - SigMatchSignatures(&tv, de_ctx, det_ctx, p); - - FAIL_IF_NOT(PacketAlertCheck(p, 1)); - FAIL_IF_NOT(PacketAlertCheck(p, 2)); - - AppLayerParserThreadCtxFree(alp_tctx); - DetectEngineThreadCtxDeinit(&tv, det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - UTHFreePacket(p); - - PASS; -} - -static void DetectTlsSniRegisterTests(void) -{ - UtRegisterTest("DetectTlsSniTest01", DetectTlsSniTest01); - UtRegisterTest("DetectTlsSniTest02", DetectTlsSniTest02); -} diff --git a/src/tests/detect-tls-version.c b/src/tests/detect-tls-version.c index a0a42909d47..3f55faa89c0 100644 --- a/src/tests/detect-tls-version.c +++ b/src/tests/detect-tls-version.c 
@@ -53,192 +53,6 @@ static int DetectTlsVersionTestParse02 (void) PASS; } -#include "stream-tcp-reassemble.h" - -/** \test Send a get request in three chunks + more data. */ -static int DetectTlsVersionTestDetect01(void) -{ - Flow f; - uint8_t tlsbuf1[] = { 0x16 }; - uint32_t tlslen1 = sizeof(tlsbuf1); - uint8_t tlsbuf2[] = { 0x03 }; - uint32_t tlslen2 = sizeof(tlsbuf2); - uint8_t tlsbuf3[] = { 0x01 }; - uint32_t tlslen3 = sizeof(tlsbuf3); - uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x01 }; - uint32_t tlslen4 = sizeof(tlsbuf4); - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, tlsbuf1, tlslen1); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf2, tlslen2); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf3, tlslen3); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf4, tlslen4); - FAIL_IF(r != 0); - - SSLState *ssl_state = 
f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10); - - SCLogDebug("ssl_state is at %p, ssl_state->server_version 0x%02X " - "ssl_state->client_version 0x%02X", - ssl_state, ssl_state->server_connp.version, - ssl_state->client_connp.version); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF_NOT(PacketAlertCheck(p, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - UTHFreePackets(&p, 1); - - PASS; -} - -static int DetectTlsVersionTestDetect02(void) -{ - Flow f; - uint8_t tlsbuf1[] = { 0x16 }; - uint32_t tlslen1 = sizeof(tlsbuf1); - uint8_t tlsbuf2[] = { 0x03 }; - uint32_t tlslen2 = sizeof(tlsbuf2); - uint8_t tlsbuf3[] = { 0x01 }; - uint32_t tlslen3 = sizeof(tlsbuf3); - uint8_t tlsbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 }; - uint32_t tlslen4 = sizeof(tlsbuf4); - TcpSession ssn; - Packet *p = NULL; - Signature *s = NULL; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc(); - - memset(&th_v, 0, sizeof(th_v)); - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - p = UTHBuildPacket(NULL, 0, IPPROTO_TCP); - - FLOW_INITIALIZE(&f); - f.protoctx = (void *)&ssn; - f.proto = IPPROTO_TCP; - p->flow = &f; - p->flowflags |= FLOW_PKT_TOSERVER; - p->flowflags |= FLOW_PKT_ESTABLISHED; - p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST; - f.alproto = ALPROTO_TLS; - - StreamTcpInitConfig(true); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - FAIL_IF_NULL(de_ctx); - - de_ctx->flags |= DE_QUIET; - - s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; tls.version:1.0; sid:1;)"); - FAIL_IF_NULL(s); - - SigGroupBuild(de_ctx); - 
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, - STREAM_TOSERVER, tlsbuf1, tlslen1); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf2, tlslen2); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf3, tlslen3); - FAIL_IF(r != 0); - - r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER, - tlsbuf4, tlslen4); - FAIL_IF(r != 0); - - SSLState *ssl_state = f.alstate; - FAIL_IF_NULL(ssl_state); - - FAIL_IF(ssl_state->client_connp.content_type != 0x16); - - FAIL_IF(ssl_state->client_connp.version != TLS_VERSION_10); - - /* do detect */ - SigMatchSignatures(&th_v, de_ctx, det_ctx, p); - - FAIL_IF_NOT(PacketAlertCheck(p, 1)); - - AppLayerParserThreadCtxFree(alp_tctx); - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - DetectEngineCtxFree(de_ctx); - - StreamTcpFreeConfig(true); - FLOW_DESTROY(&f); - - UTHFreePackets(&p, 1); - - PASS; -} - /** * \brief this function registers unit tests for DetectTlsVersion */ @@ -246,8 +60,4 @@ static void DetectTlsVersionRegisterTests(void) { UtRegisterTest("DetectTlsVersionTestParse01", DetectTlsVersionTestParse01); UtRegisterTest("DetectTlsVersionTestParse02", DetectTlsVersionTestParse02); - UtRegisterTest("DetectTlsVersionTestDetect01", - DetectTlsVersionTestDetect01); - UtRegisterTest("DetectTlsVersionTestDetect02", - DetectTlsVersionTestDetect02); }