From 5ee45a08696cd0da8e9affaeb62fdcb5302b6715 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 4 Sep 2025 08:46:50 +0200
Subject: [PATCH] tls: add test for altname with zero inside
Ticket: 7881
---
 tests/tls/tls-altname-zero/README.md | 11 +++++++++++
 tests/tls/tls-altname-zero/input.pcap | Bin 0 -> 2858 bytes
 tests/tls/tls-altname-zero/test.rules | 2 ++
 tests/tls/tls-altname-zero/test.yaml | 24 ++++++++++++++++++++++++
 4 files changed, 37 insertions(+)
 create mode 100644 tests/tls/tls-altname-zero/README.md
 create mode 100644 tests/tls/tls-altname-zero/input.pcap
 create mode 100644 tests/tls/tls-altname-zero/test.rules
 create mode 100644 tests/tls/tls-altname-zero/test.yaml
diff --git a/tests/tls/tls-altname-zero/README.md b/tests/tls/tls-altname-zero/README.md
new file mode 100644
index 000000000..7f178093f
--- /dev/null
+++ b/tests/tls/tls-altname-zero/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Checks behavior with tls subject altname containing a zero.
+
+## PCAP
+
+Modified tls-glupteba/input.pcap to inject a zero in a subject altname
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7881
diff --git a/tests/tls/tls-altname-zero/input.pcap b/tests/tls/tls-altname-zero/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..55e9c353b483324d44af36ce9d8fffcf43c71db0 GIT binary patch literal 2858 zc-no*zB$Pw$o~CIedl^zbli()F~)b4j}$lu~{ zb1X7TvZye@b9(>;0*C+sPwWvBfHeSE0$>gR0{|s#>r$W*08;==05AsN6aXgy$R+>* z07L)~2p=p1KoI~630MO_2S5P;G5{n5hX^qKJuR;E60;iebptGU-u+I`UbHo*Up(7> ztLRG6&jR~Z->k#;5kOwZ#!H)kSMe9Qa`Nd%vnA$~i&^SSHjHMoF-oU`SJ=vM^CZ_A z{uyKAaL3nfJ-3C|{R z8p2+Sv65Cu0}>OEGyzEs6_OaJ5ScndfFT%GB=qVY*`M=IQd)fTR?1Xadl?g@ktha9 z4oMR<2$CiO)PyaKQb+`Mgro$!Z)G!3I_^-FXwKZIRgp~FJ^uXI@TmD9f)ea%ifSp- zOib7&C>!ONS(viDG1n9|opVudREw>Fs?CNg?cHN!w43e6<3+IWVL00_2o*v)|GNx` z2na$*4q(rzun>Yk<0;;bC*z%?;hovN)Qw_`f;V|ST?w02DZV96Q1P;o7F&H6T5jR# zvB8Sl%!>P3msIpE!rD*VD6+X6v*|*4zWS*s)fJJEt@d4H?JpzuShtCpF}I&y{ZF6U zpzUzxNH?3WNk81&@6abQOAFG@ifEZkeZAw^Wl?BJit`TzCwJDSpM0p}6;@x7m@#En zue2qQ^(ryGv+kooP0r(&EY4WYp+q~!f?KjTom?C961x<%-que9eA(*q@L|-B-CH6i z4LTE#We#lYQsb))Rs?+yU9OFdW`1|}!y9z%^O1LY;i`rf$8>MN@}VLjtun5pt3TyX zDBK_ao-*i86#3hY!I)B@vqFL;DkPYpvREcH<#qE*Ofpsb`f)6rtkNtE{;iU-G#$jDV1!V~6bk;TH z8(tnQWiAx!0qyeq6#6f}qVDs|5QI3Q_UQ6?ABB>Z@uH%_t&ENNrmQel2p3ZdD~!Jj z)%iCBPGT&C1TBOZV<-Iyf3pH2gx+D!uuwgc%a7*r*{mh>BGi}zQHiMJxh4`(Q;DdV zMAUpS3KpZBCFjm<*F+L%DhV``1e!|%B`(N95@;z2T(cy&+89d>GVxvoCQvsWx1xexPOpT=ljQrtpLcHBc_iJrx z@pFv|L&7422EXitsn$=IBcX^`O8y*}i( zTq5n{yZEdXyiZC&#SK;8ZSR(Mq@|gc-_9rw^AUw|SQW*kRI`IzkrCI@{z;UzwfVWM zPKKW1%_d>mr=uH2|6K7?U*mK%Z*{}z@c6(|LR2}E9ikXdf1zQfX2&`s+8lrVGcxFA z;|@|4oI2K@IPlQuhp;j%77(r@sB_^HthJ=5X{QZE@n- zl5w$n3*%N?k#TRt`wFJ&+dFqf%gPFeq^xN24R@~Pdh-T?6U;T!fk3rZ`7syV*_P$p z+mmmL1+%Va=lDSfy zxAzvuqt? literal 0 Hc-jL100001 diff --git a/tests/tls/tls-altname-zero/test.rules b/tests/tls/tls-altname-zero/test.rules new file mode 100644 index 000000000..23e3b0daf --- /dev/null +++ b/tests/tls/tls-altname-zero/test.rules 
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"Glupteba TROJAN"; flow:to_client; tls.subjectaltname; content:"server15.xn--j1ahhq.xn--p1ai"; content: "xn--j1ahhq.xn--p1ai"; sid:1;)
+
diff --git a/tests/tls/tls-altname-zero/test.yaml b/tests/tls/tls-altname-zero/test.yaml
new file mode 100644
index 000000000..505853c0d
--- /dev/null
+++ b/tests/tls/tls-altname-zero/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8.0.1
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 72.16.54.30
+ dest_port: 443
+ event_type: tls
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 192.168.134.106
+ src_port: 23481
+ tls.fingerprint: 8d:97:4b:41:04:3f:55:37:d0:58:90:a4:13:3b:7b:85:c6:46:81:cb
+ tls.issuerdn: C=US, O=Let's Encrypt, CN=R3
+ tls.notafter: '2023-03-01T06:47:30'
+ tls.notbefore: '2022-12-01T06:47:31'
+ tls.serial: 03:DE:23:89:7E:97:FB:86:8E:7C:C5:53:09:FE:AE:D0:AE:20
+ tls.subject: CN=xn--j1ahhq.xn--p1ai
+ tls.version: TLSv1
-- 
2.47.3
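Review bot: The second `content: "xn--j1ahhq.xn--p1ai"` is a substring of the first content, so as far as I can tell it adds no constraint on the tls.subjectaltname buffer that the first match does not already satisfy; if it is deliberately there to show that a later content still matches on a SAN carrying an embedded zero, a short comment line in test.rules saying so would keep the next reader from removing it. The two keywords are also written inconsistently (`content:"…"` versus `content: "…"`); `content:"xn--j1ahhq.xn--p1ai"` matches the first. The msg `"Glupteba TROJAN"` appears to be carried over from the tls-glupteba test this pcap is derived from; something like `msg:"TLS SAN with embedded zero"` would describe what this rule is actually exercising.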
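Review bot: The single check pins one tls event but never asserts whether sid 1 from test.rules fires, so the altname-with-zero matching behaviour the test is named for is not actually verified and a regression in SAN matching would pass. Add a second filter such as `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 1}}`, or `count: 0` if the rule is expected not to match once the SAN contains the zero. The tls event check also omits `tls.subjectaltname`, so a truncated or otherwise mangled SAN string in the output would go unnoticed; if the eve tls output in this test emits that field, asserting its value would pin the parsing result directly rather than only through the rule.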