tls: store list of subject alternative names

So far, the SANs were available as a part of IssuerDN via x509_parser crate but SANs were not available to the SSLState* to be directly used to setup and match against a sticky buffer. Expose it to SSLStateConnp. Feature 5234
2 years ago · 3a1c12414a
parent 8560564657
commit 3a1c12414a
3 changed files with 74 additions and 0 deletions
--- a/rust/src/x509/mod.rs
+++ b/rust/src/x509/mod.rs
@ -23,7 +23,9 @@ use crate::common::rust_string_to_c;
 use nom7::Err;
 use std;
 use std::os::raw::c_char;
 use std::fmt;
 use x509_parser::prelude::*;
 use crate::x509::GeneralName;
 mod time;
 mod log;
@ -46,6 +48,19 @@ pub enum X509DecodeError {
 pub struct X509(X509Certificate<'static>);
 pub struct SCGeneralName<'a>(&'a GeneralName<'a>);
 impl<'a> fmt::Display for SCGeneralName<'a> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self.0 {
            GeneralName::DNSName(s) => write!(f, "{}", s),
            GeneralName::URI(s) => write!(f, "{}", s),
            GeneralName::IPAddress(s) => write!(f, "{:?}", s),
            _ => write!(f, "{}", self.0)
        }
    }
 }
 /// Attempt to parse a X.509 from input, and return a pointer to the parsed object if successful.
 ///
 /// # Safety
@ -79,6 +94,37 @@ pub unsafe extern "C" fn rs_x509_get_subject(ptr: *const X509) -> *mut c_char {
    rust_string_to_c(subject)
 }
 #[no_mangle]
 pub unsafe extern "C" fn rs_x509_get_subjectaltname_len(ptr: *const X509) -> u16 {
    if ptr.is_null() {
        return 0;
    }
    let x509 = cast_pointer! {ptr, X509};
    let san_list = x509.0.tbs_certificate.subject_alternative_name();
    if let Ok(Some(sans)) = san_list {
        // SAN length in a certificate is kept u16 following discussions at
        // https://community.letsencrypt.org/t/why-sans-are-limited-to-100-domains-only
        debug_validate_bug_on!(sans.value.general_names.len() == u16::MAX.into());
        return sans.value.general_names.len() as u16;
    }
    return 0;
 }
 #[no_mangle]
 pub unsafe extern "C" fn rs_x509_get_subjectaltname_at(ptr: *const X509, idx: u16) -> *mut c_char {
    if ptr.is_null() {
        return std::ptr::null_mut();
    }
    let x509 = cast_pointer! {ptr, X509};
    let san_list = x509.0.tbs_certificate.subject_alternative_name();
    if let Ok(Some(sans)) = san_list {
        let general_name = &sans.value.general_names[idx as usize];
        let dns_name = SCGeneralName(general_name);
        return rust_string_to_c(dns_name.to_string());
    }
    return std::ptr::null_mut();
 }
 #[no_mangle]
 pub unsafe extern "C" fn rs_x509_get_issuer(ptr: *const X509) -> *mut c_char {
    if ptr.is_null() {
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@ -292,6 +292,8 @@ static inline int SafeMemcpy(void *dst, size_t dst_offset, size_t dst_size,
        }                                                                                          \
    } while (0)
 static void SSLStateCertSANFree(SSLStateConnp *connp);
 static void *SSLGetTx(void *state, uint64_t tx_id)
 {
    SSLState *ssl_state = (SSLState *)state;
@ -546,6 +548,15 @@ static int TlsDecodeHSCertificate(SSLState *ssl_state, SSLStateConnp *connp,
        }
        connp->cert0_issuerdn = str;
        connp->cert0_sans_len = rs_x509_get_subjectaltname_len(x509);
        char **sans = SCCalloc(connp->cert0_sans_len, sizeof(char *));
        if (sans == NULL) {
            goto error;
        }
        for (uint16_t i = 0; i < connp->cert0_sans_len; i++) {
            sans[i] = rs_x509_get_subjectaltname_at(x509, i);
        }
        connp->cert0_sans = sans;
        str = rs_x509_get_serial(x509);
        if (str == NULL) {
            err_code = ERR_INVALID_SERIAL;
@ -584,6 +595,8 @@ error:
        TlsDecodeHSCertificateErrSetEvent(ssl_state, err_code);
    if (x509 != NULL)
        rs_x509_free(x509);
    SSLStateCertSANFree(connp);
    return -1;
 invalid_cert:
@ -2832,6 +2845,16 @@ static void *SSLStateAlloc(void *orig_state, AppProto proto_orig)
    return (void *)ssl_state;
 }
 static void SSLStateCertSANFree(SSLStateConnp *connp)
 {
    if (connp->cert0_sans) {
        for (uint16_t i = 0; i < connp->cert0_sans_len; i++) {
            rs_cstring_free(connp->cert0_sans[i]);
        }
        SCFree(connp->cert0_sans);
    }
 }
 /**
 * \internal
 * \brief Function to free the SSL state memory.
@ -2882,6 +2905,9 @@ static void SSLStateFree(void *p)
    if (ssl_state->server_connp.hs_buffer)
        SCFree(ssl_state->server_connp.hs_buffer);
    SSLStateCertSANFree(&ssl_state->server_connp);
    SSLStateCertSANFree(&ssl_state->client_connp);
    AppLayerDecoderEventsFreeEvents(&ssl_state->tx_data.events);
    if (ssl_state->tx_data.de_state != NULL) {
--- a/src/app-layer-ssl.h
+++ b/src/app-layer-ssl.h
@ -254,6 +254,8 @@ typedef struct SSLStateConnp_ {
    int64_t cert0_not_after;
    char *cert0_fingerprint;
    char **cert0_sans;
    uint16_t cert0_sans_len;
    /* ssl server name indication extension */
    char *sni;