OISF · victorjulien · Aug 5, 2022 · Aug 18, 2022 · Aug 8, 2022 · Aug 5, 2022
@@ -47,7 +47,7 @@ ntp-parser = "~0.6.0"
 ipsec-parser = "~0.7.0"
 snmp-parser = "~0.6.0"
 tls-parser = "~0.11.0"
-x509-parser = "~0.6.5"
+x509-parser = "~0.14.0"
 libc = "~0.2.82"
 sha2 = "~0.10.2"
 digest = "~0.10.3"

@@ -21,7 +21,7 @@ use super::rdp::{RdpTransaction, RdpTransactionItem};
 use crate::jsonbuilder::{JsonBuilder, JsonError};
 use crate::rdp::parser::*;
 use crate::rdp::windows;
-use x509_parser::parse_x509_der;
+use x509_parser::prelude::{X509Certificate, FromDer};
 
 #[no_mangle]
 pub extern "C" fn rs_rdp_to_json(tx: &mut RdpTransaction, js: &mut JsonBuilder) -> bool {
@@ -50,7 +50,7 @@ fn log(tx: &RdpTransaction, js: &mut JsonBuilder) -> Result<(), JsonError> {
             js.set_string("event_type", "tls_handshake")?;
             js.open_array("x509_serials")?;
             for blob in chain {
-                match parse_x509_der(&blob.data) {
+                match X509Certificate::from_der(&blob.data) {
                     Ok((_, cert)) => {
                         js.append_string(&cert.tbs_certificate.serial.to_str_radix(16))?;
                     }

@@ -18,10 +18,9 @@
 // written by Pierre Chifflier  <chifflier@wzdftpd.net>
 
 use crate::common::rust_string_to_c;
-use nom;
 use std;
 use std::os::raw::c_char;
-use x509_parser::{error::X509Error, parse_x509_der, X509Certificate};
+use x509_parser::prelude::*;
 
 #[repr(u32)]
 pub enum X509DecodeError {
@@ -54,7 +53,7 @@ pub unsafe extern "C" fn rs_x509_decode(
     err_code: *mut u32,
 ) -> *mut X509 {
     let slice = std::slice::from_raw_parts(input, input_len as usize);
-    let res = parse_x509_der(slice);
+    let res = X509Certificate::from_der(slice);
     match res {
         Ok((_rem, cert)) => Box::into_raw(Box::new(X509(cert))),
         Err(e) => {
@@ -112,8 +111,8 @@ pub unsafe extern "C" fn rs_x509_get_validity(
         return -1;
     }
     let x509 = &*ptr;
-    let n_b = x509.0.tbs_certificate.validity.not_before.to_timespec().sec;
-    let n_a = x509.0.tbs_certificate.validity.not_after.to_timespec().sec;
+    let n_b = x509.0.validity().not_before.timestamp();
+    let n_a = x509.0.validity().not_after.timestamp();
     *not_before = n_b;
     *not_after = n_a;
     0

@@ -1245,11 +1245,6 @@ EXTRA_DIST = \
 	tests/detect-tls-cert-subject.c \
 	tests/detect-tls-cert-validity.c \
 	tests/detect-tls-certs.c \
-	tests/detect-tls-ja3-hash.c \
-	tests/detect-tls-ja3-string.c \
-	tests/detect-tls-ja3s-hash.c \
-	tests/detect-tls-ja3s-string.c \
-	tests/detect-tls-sni.c \
 	tests/detect-tls-version.c \
 	tests/detect.c \
 	tests/stream-tcp.c

@@ -45,6 +45,7 @@ enum {
     TLS_DECODER_EVENT_INVALID_TLS_HEADER,
     TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
     TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
+    TLS_DECODER_EVENT_INVALID_RECORD_LENGTH,
     TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
     TLS_DECODER_EVENT_HEARTBEAT,
     TLS_DECODER_EVENT_INVALID_HEARTBEAT,
@@ -190,7 +191,6 @@ typedef struct SSLStateConnp_ {
     uint32_t record_lengths_length;
 
     /* offset of the beginning of the current message (including header) */
-    uint32_t message_start;
     uint32_t message_length;
 
     uint16_t version;
@@ -201,8 +201,6 @@ typedef struct SSLStateConnp_ {
 
     /* the no of bytes processed in the currently parsed record */
     uint32_t bytes_processed;
-    /* the no of bytes processed in the currently parsed handshake */
-    uint16_t hs_bytes_processed;
 
     uint16_t session_id_length;
 
@@ -225,11 +223,13 @@ typedef struct SSLStateConnp_ {
     JA3Buffer *ja3_str;
     char *ja3_hash;
 
-    /* buffer for the tls record.
-     * We use a malloced buffer, if the record is fragmented */
-    uint8_t *trec;
-    uint32_t trec_len;
-    uint32_t trec_pos;
+    /* handshake tls fragmentation buffer. Handshake messages can be fragmented over multiple
+     * TLS records. */
+    uint8_t *hs_buffer;
+    uint8_t hs_buffer_message_type;
+    uint32_t hs_buffer_message_size;
+    uint32_t hs_buffer_size;   /**< allocation size */
+    uint32_t hs_buffer_offset; /**< write offset */
 } SSLStateConnp;
 
 /**
@@ -260,7 +260,6 @@ typedef struct SSLState_ {
 
 void RegisterSSLParsers(void);
 void SSLParserRegisterTests(void);
-void SSLSetEvent(SSLState *ssl_state, uint8_t event);
 void SSLVersionToString(uint16_t, char *);
 void SSLEnableJA3(void);
 bool SSLJA3IsEnabled(void);

@@ -59,9 +59,6 @@
 #include "util-unittest-helper.h"
 
 static int DetectTlsJa3HashSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3HashRegisterTests(void);
-#endif
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
@@ -82,9 +79,6 @@ void DetectTlsJa3HashRegister(void)
     sigmatch_table[DETECT_AL_TLS_JA3_HASH].desc = "sticky buffer to match the JA3 hash buffer";
     sigmatch_table[DETECT_AL_TLS_JA3_HASH].url = "/rules/ja3-keywords.html#ja3-hash";
     sigmatch_table[DETECT_AL_TLS_JA3_HASH].Setup = DetectTlsJa3HashSetup;
-#ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_TLS_JA3_HASH].RegisterTests = DetectTlsJa3HashRegisterTests;
-#endif
     sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_JA3_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
@@ -220,7 +214,3 @@ static void DetectTlsJa3HashSetupCallback(const DetectEngineCtx *de_ctx,
         }
     }
 }
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3-hash.c"
-#endif
@@ -59,9 +59,6 @@
 #include "util-unittest-helper.h"
 
 static int DetectTlsJa3StringSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3StringRegisterTests(void);
-#endif
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
@@ -98,9 +95,6 @@ void DetectTlsJa3StringRegister(void)
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].desc = "sticky buffer to match the JA3 string buffer";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].url = "/rules/ja3-keywords.html#ja3-string";
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].Setup = DetectTlsJa3StringSetup;
-#ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_TLS_JA3_STRING].RegisterTests = DetectTlsJa3StringRegisterTests;
-#endif
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_JA3_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
@@ -177,7 +171,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 
     return buffer;
 }
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3-string.c"
-#endif
@@ -59,9 +59,6 @@
 #include "util-unittest-helper.h"
 
 static int DetectTlsJa3SHashSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3SHashRegisterTests(void);
-#endif
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
@@ -81,9 +78,6 @@ void DetectTlsJa3SHashRegister(void)
     sigmatch_table[DETECT_AL_TLS_JA3S_HASH].desc = "sticky buffer to match the JA3S hash buffer";
     sigmatch_table[DETECT_AL_TLS_JA3S_HASH].url = "/rules/ja3-keywords.html#ja3s-hash";
     sigmatch_table[DETECT_AL_TLS_JA3S_HASH].Setup = DetectTlsJa3SHashSetup;
-#ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_TLS_JA3S_HASH].RegisterTests = DetectTlsJa3SHashRegisterTests;
-#endif
     sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_JA3S_HASH].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
@@ -218,7 +212,3 @@ static void DetectTlsJa3SHashSetupCallback(const DetectEngineCtx *de_ctx,
         }
     }
 }
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3s-hash.c"
-#endif
@@ -59,9 +59,6 @@
 #include "util-unittest-helper.h"
 
 static int DetectTlsJa3SStringSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsJa3SStringRegisterTests(void);
-#endif
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
@@ -98,9 +95,6 @@ void DetectTlsJa3SStringRegister(void)
             "sticky buffer to match the JA3S string buffer";
     sigmatch_table[DETECT_AL_TLS_JA3S_STRING].url = "/rules/ja3-keywords.html#ja3s-string";
     sigmatch_table[DETECT_AL_TLS_JA3S_STRING].Setup = DetectTlsJa3SStringSetup;
-#ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_TLS_JA3S_STRING].RegisterTests = DetectTlsJa3SStringRegisterTests;
-#endif
     sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_JA3S_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
@@ -177,7 +171,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 
     return buffer;
 }
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-ja3s-string.c"
-#endif
@@ -55,9 +55,6 @@
 #include "util-unittest-helper.h"
 
 static int DetectTlsSniSetup(DetectEngineCtx *, Signature *, const char *);
-#ifdef UNITTESTS
-static void DetectTlsSniRegisterTests(void);
-#endif
 static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
        const DetectEngineTransforms *transforms,
        Flow *f, const uint8_t flow_flags,
@@ -75,9 +72,6 @@ void DetectTlsSniRegister(void)
             "sticky buffer to match specifically and only on the TLS SNI buffer";
     sigmatch_table[DETECT_AL_TLS_SNI].url = "/rules/tls-keywords.html#tls-sni";
     sigmatch_table[DETECT_AL_TLS_SNI].Setup = DetectTlsSniSetup;
-#ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_TLS_SNI].RegisterTests = DetectTlsSniRegisterTests;
-#endif
     sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
@@ -136,7 +130,3 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 
     return buffer;
 }
-
-#ifdef UNITTESTS
-#include "tests/detect-tls-sni.c"
-#endif