Coverage Report

Created: 2026-06-30 07:20

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/suricata7/src/detect-tls-cert-subject.c
Line
Count
Source
1
/* Copyright (C) 2007-2022 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
/**
19
 * \file
20
 *
21
 * \author Mats Klepsland <mats.klepsland@gmail.com>
22
 *
23
 * Implements support for tls.cert_subject keyword.
24
 */
25
26
#include "suricata-common.h"
27
#include "threads.h"
28
#include "decode.h"
29
#include "detect.h"
30
31
#include "detect-parse.h"
32
#include "detect-engine.h"
33
#include "detect-engine-mpm.h"
34
#include "detect-engine-prefilter.h"
35
#include "detect-content.h"
36
#include "detect-pcre.h"
37
#include "detect-tls-cert-subject.h"
38
39
#include "flow.h"
40
#include "flow-util.h"
41
#include "flow-var.h"
42
43
#include "util-debug.h"
44
#include "util-spm.h"
45
#include "util-print.h"
46
47
#include "stream-tcp.h"
48
49
#include "app-layer.h"
50
#include "app-layer-ssl.h"
51
52
#include "util-unittest.h"
53
#include "util-unittest-helper.h"
54
55
static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, const char *);
56
#ifdef UNITTESTS
57
static void DetectTlsSubjectRegisterTests(void);
58
#endif
59
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
60
        const DetectEngineTransforms *transforms,
61
        Flow *f, const uint8_t flow_flags,
62
        void *txv, const int list_id);
63
static int g_tls_cert_subject_buffer_id = 0;
64
65
/**
66
 * \brief Registration function for keyword: tls.cert_subject
67
 */
68
void DetectTlsSubjectRegister(void)
69
75
{
70
75
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].name = "tls.cert_subject";
71
75
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].alias = "tls_cert_subject";
72
75
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].desc =
73
75
            "sticky buffer to match specifically and only on the TLS cert subject buffer";
74
75
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].url = "/rules/tls-keywords.html#tls-cert-subject";
75
75
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].Setup = DetectTlsSubjectSetup;
76
#ifdef UNITTESTS
77
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].RegisterTests = DetectTlsSubjectRegisterTests;
78
#endif
79
75
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
80
75
    sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_INFO_STICKY_BUFFER;
81
82
75
    DetectAppLayerInspectEngineRegister2("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOSERVER,
83
75
            TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
84
85
75
    DetectAppLayerMpmRegister2("tls.cert_subject", SIG_FLAG_TOSERVER, 2,
86
75
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS, TLS_STATE_CERT_READY);
87
88
75
    DetectAppLayerInspectEngineRegister2("tls.cert_subject", ALPROTO_TLS, SIG_FLAG_TOCLIENT,
89
75
            TLS_STATE_CERT_READY, DetectEngineInspectBufferGeneric, GetData);
90
91
75
    DetectAppLayerMpmRegister2("tls.cert_subject", SIG_FLAG_TOCLIENT, 2,
92
75
            PrefilterGenericMpmRegister, GetData, ALPROTO_TLS,
93
75
            TLS_STATE_CERT_READY);
94
95
75
    DetectBufferTypeSupportsMultiInstance("tls.cert_subject");
96
97
75
    DetectBufferTypeSetDescriptionByName("tls.cert_subject",
98
75
            "TLS certificate subject");
99
100
75
    g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls.cert_subject");
101
75
}
102
103
/**
104
 * \brief this function setup the tls.cert_subject modifier keyword used in the rule
105
 *
106
 * \param de_ctx   Pointer to the Detection Engine Context
107
 * \param s        Pointer to the Signature to which the current keyword belongs
108
 * \param str      Should hold an empty string always
109
 *
110
 * \retval 0  On success
111
 * \retval -1 On failure
112
 */
113
static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
114
2.97k
{
115
2.97k
    if (DetectBufferSetActiveList(de_ctx, s, g_tls_cert_subject_buffer_id) < 0)
116
139
        return -1;
117
118
2.84k
    if (DetectSignatureSetAppProto(s, ALPROTO_TLS) < 0)
119
126
        return -1;
120
121
2.71k
    return 0;
122
2.84k
}
123
124
static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
125
        const DetectEngineTransforms *transforms, Flow *f,
126
        const uint8_t flow_flags, void *txv, const int list_id)
127
24
{
128
24
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
129
24
    if (buffer->inspect == NULL) {
130
19
        const SSLState *ssl_state = (SSLState *)f->alstate;
131
19
        const SSLStateConnp *connp;
132
133
19
        if (flow_flags & STREAM_TOSERVER) {
134
5
            connp = &ssl_state->client_connp;
135
14
        } else {
136
14
            connp = &ssl_state->server_connp;
137
14
        }
138
139
19
        if (connp->cert0_subject == NULL) {
140
8
            return NULL;
141
8
        }
142
143
11
        const uint32_t data_len = strlen(connp->cert0_subject);
144
11
        const uint8_t *data = (uint8_t *)connp->cert0_subject;
145
146
11
        InspectionBufferSetup(det_ctx, list_id, buffer, data, data_len);
147
11
        InspectionBufferApplyTransforms(buffer, transforms);
148
11
    }
149
150
16
    return buffer;
151
24
}
152
153
#ifdef UNITTESTS
154
#include "tests/detect-tls-cert-subject.c"
155
#endif