tls: accept validity before 1970

modify TLS certificate decoding of validity timestamps to support times between 1950 and 2049, as per RFC 5280 Ticket: #3253
3 years ago · e8db6255cb
parent 0c0fcc9411
commit e8db6255cb
2 changed files with 46 additions and 7 deletions
--- a/src/detect-tls-cert-validity.c
+++ b/src/detect-tls-cert-validity.c
@ -201,19 +201,19 @@ static int DetectTlsValidityMatch (DetectEngineThreadCtx *det_ctx,
 * \param string Date string.
 *
 * \retval epoch time on success.
- * \retval 0 on failure.
+ * \retval LONG_MIN on failure.
 */
 static time_t StringIsEpoch (char *string)
 {
    if (strlen(string) == 0)
-        return -1;
+        return LONG_MIN;

    /* We assume that the date string is epoch if it consists of only
       digits. */
    char *sp = string;
    while (*sp) {
        if (isdigit(*sp++) == 0)
-            return -1;
+            return LONG_MIN;
    }

    return strtol(string, NULL, 10);
@ -266,14 +266,14 @@ static time_t DateStringToEpoch (char *string)
    }

    time_t epoch = StringIsEpoch(string);
-    if (epoch != -1) {
+    if (epoch != LONG_MIN) {
        return epoch;
    }

    r = SCStringPatternToTime(string, patterns, 10, &tm);

    if (r != 0)
-        return -1;
+        return LONG_MIN;

    return SCMkTimeUtc(&tm);
 }
@ -371,7 +371,7 @@ static DetectTlsValidityData *DetectTlsValidityParse (const char *rawstr)

    /* set the first value */
    dd->epoch = DateStringToEpoch(value1);
-    if (dd->epoch == -1)
+    if (dd->epoch == LONG_MIN)
        goto error;

    /* set the second value if specified */
@ -382,7 +382,7 @@ static DetectTlsValidityData *DetectTlsValidityParse (const char *rawstr)
        }

        dd->epoch2 = DateStringToEpoch(value2);
-        if (dd->epoch2 == -1)
+        if (dd->epoch2 == LONG_MIN)
            goto error;

        if (dd->epoch2 <= dd->epoch) {
--- a/src/tests/detect-tls-cert-validity.c
+++ b/src/tests/detect-tls-cert-validity.c
@ -382,6 +382,43 @@ static int ValidityTestParse23 (void)
    PASS;
 }

+/**
+ * \test This is a test for a valid value of 1970-01-01T00:00:00
+ * that is at epoch 0, within the range of acceptable
+ * values (1950-2049) as per RFC 5280. (https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1)
+ *
+ * \retval 1 on success.
+ * \retval 0 on failure.
+ */
+static int ValidityTestParse24(void)
+{
+    DetectTlsValidityData *dd = NULL;
+    dd = DetectTlsValidityParse("1970-01-01T00:00:00");
+    FAIL_IF_NULL(dd);
+    FAIL_IF_NOT(dd->epoch == 0 && dd->mode == DETECT_TLS_VALIDITY_EQ);
+    DetectTlsValidityFree(NULL, dd);
+    PASS;
+}
+
+/**
+ * \test This is a test for a valid value of 1965-10-22T23:59:59
+ * that is lower than epoch 0, but within the range of
+ * acceptable values (1950-2049) as per RFC 5280.
+ * (https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1)
+ *
+ * \retval 1 on success.
+ * \retval 0 on failure.
+ */
+static int ValidityTestParse25(void)
+{
+    DetectTlsValidityData *dd = NULL;
+    dd = DetectTlsValidityParse("1969-12-31T23:59:59");
+    FAIL_IF_NULL(dd);
+    FAIL_IF_NOT(dd->epoch == -1 && dd->mode == DETECT_TLS_VALIDITY_EQ);
+    DetectTlsValidityFree(NULL, dd);
+    PASS;
+}
+
 /**
 * \test Test matching on validity dates in a certificate.
 *
@ -1345,6 +1382,8 @@ void TlsNotBeforeRegisterTests(void)
    UtRegisterTest("ValidityTestParse19", ValidityTestParse19);
    UtRegisterTest("ValidityTestParse21", ValidityTestParse21);
    UtRegisterTest("ValidityTestParse23", ValidityTestParse23);
+    UtRegisterTest("ValidityTestParse24", ValidityTestParse24);
+    UtRegisterTest("ValidityTestParse25", ValidityTestParse25);
    UtRegisterTest("ValidityTestDetect01", ValidityTestDetect01);
 }