From: Philippe Antoine Date: Thu, 4 Sep 2025 06:46:50 +0000 (+0200) Subject: tls: add test for altname with zero inside X-Git-Tag: suricata-8.0.2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5ee45a08696cd0da8e9affaeb62fdcb5302b6715;p=thirdparty%2Fsuricata-verify.git tls: add test for altname with zero inside Ticket: 7881
---
diff --git a/tests/tls/tls-altname-zero/README.md b/tests/tls/tls-altname-zero/README.md
new file mode 100644
index 000000000..7f178093f
--- /dev/null
+++ b/tests/tls/tls-altname-zero/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Checks behavior with tls subject altname containing a zero.
+
+## PCAP
+
+Modified tls-glupteba/input.pcap to inject a zero in a subject altname
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7881
diff --git a/tests/tls/tls-altname-zero/input.pcap b/tests/tls/tls-altname-zero/input.pcap
new file mode 100644
index 000000000..55e9c353b
Binary files /dev/null and b/tests/tls/tls-altname-zero/input.pcap differ
diff --git a/tests/tls/tls-altname-zero/test.rules b/tests/tls/tls-altname-zero/test.rules
new file mode 100644
index 000000000..23e3b0daf
--- /dev/null
+++ b/tests/tls/tls-altname-zero/test.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"Glupteba TROJAN"; flow:to_client; tls.subjectaltname; content:"server15.xn--j1ahhq.xn--p1ai"; content: "xn--j1ahhq.xn--p1ai"; sid:1;)
+
diff --git a/tests/tls/tls-altname-zero/test.yaml b/tests/tls/tls-altname-zero/test.yaml
new file mode 100644
index 000000000..505853c0d
--- /dev/null
+++ b/tests/tls/tls-altname-zero/test.yaml
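Review bot: In test.rules the second `content: "xn--j1ahhq.xn--p1ai"` is a substring of the first content and carries no relative modifier, so it appears to add no constraint; the rule fires exactly when the first pattern is found. Neither pattern refers to the injected zero byte, so the rule text does not show whether it is meant to match across the NUL, after it, or not at all. If the aim is to show that `tls.subjectaltname` is not cut short at the zero, a content that spans the byte using `|00|` hex notation at the position used in the pcap would state that directly. A leading comment such as `# expected: <alert / no alert>, zero injected in <altname>` would record the intent for the next maintainer.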
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8.0.1
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 72.16.54.30
+ dest_port: 443
+ event_type: tls
+ pcap_cnt: 9
+ proto: TCP
+ src_ip: 192.168.134.106
+ src_port: 23481
+ tls.fingerprint: 8d:97:4b:41:04:3f:55:37:d0:58:90:a4:13:3b:7b:85:c6:46:81:cb
+ tls.issuerdn: C=US, O=Let's Encrypt, CN=R3
+ tls.notafter: '2023-03-01T06:47:30'
+ tls.notbefore: '2022-12-01T06:47:31'
+ tls.serial: 03:DE:23:89:7E:97:FB:86:8E:7C:C5:53:09:FE:AE:D0:AE:20
+ tls.subject: CN=xn--j1ahhq.xn--p1ai
+ tls.version: TLSv1
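Review bot: The only entry under `checks:` filters on `event_type: tls` and never looks at `tls.subjectaltname` or at an alert for `sid:1`, so the test passes whatever the parser does with the zero byte in the altname and whether or not test.rules fires. A NUL inside a SAN is the case where truncated or mis-escaped output would hide a hostname from detection and logging, so the expected result should be pinned. Add the `tls.subjectaltname` value to the existing match, and add a second filter with `event_type: alert` and `alert.signature_id: 1` carrying the intended count. The expected count and the logged form of the name are not visible in this hunk and would have to come from the ticket.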