detect/asn1: handle in PMATCH

Since the asn1 keyword is processing payload data, move the handling of the keyword into the PMATCH with content inspection. Use u32 as buffer length in the Rust FFI
2 years ago · d3ccff5822
parent 13cc493885
commit d3ccff5822
4 changed files with 20 additions and 34 deletions
--- a/rust/src/asn1/mod.rs
+++ b/rust/src/asn1/mod.rs
@ -218,7 +218,7 @@ fn asn1_decode<'a>(
 /// pointer must be freed using `rs_asn1_free`
 #[no_mangle]
 pub unsafe extern "C" fn rs_asn1_decode(
-    input: *const u8, input_len: u16, buffer_offset: u32, ad_ptr: *const DetectAsn1Data,
+    input: *const u8, input_len: u32, buffer_offset: u32, ad_ptr: *const DetectAsn1Data,
 ) -> *mut Asn1<'static> {
    if input.is_null() || input_len == 0 || ad_ptr.is_null() {
        return std::ptr::null_mut();
--- a/src/detect-asn1.c
+++ b/src/detect-asn1.c
@ -36,8 +36,6 @@
 #include "util-byte.h"
 #include "util-debug.h"

-static int DetectAsn1Match(DetectEngineThreadCtx *, Packet *,
-                     const Signature *, const SigMatchCtx *);
 static int DetectAsn1Setup (DetectEngineCtx *, Signature *, const char *);
 #ifdef UNITTESTS
 static void DetectAsn1RegisterTests(void);
@ -50,7 +48,6 @@ static void DetectAsn1Free(DetectEngineCtx *, void *);
 void DetectAsn1Register(void)
 {
    sigmatch_table[DETECT_ASN1].name = "asn1";
-    sigmatch_table[DETECT_ASN1].Match = DetectAsn1Match;
    sigmatch_table[DETECT_ASN1].Setup = DetectAsn1Setup;
    sigmatch_table[DETECT_ASN1].Free  = DetectAsn1Free;
 #ifdef UNITTESTS
@ -58,37 +55,14 @@ void DetectAsn1Register(void)
 #endif
 }

-/**
- * \brief This function will decode the asn1 data and inspect the resulting
- *        nodes to detect if any of the specified checks match this data
- *
- * \param det_ctx pointer to the detect engine thread context
- * \param p pointer to the current packet
- * \param s pointer to the signature
- * \param ctx pointer to the sigmatch that we will cast into `DetectAsn1Data`
- *
- * \retval 1 match
- * \retval 0 no match
- */
-static int DetectAsn1Match(DetectEngineThreadCtx *det_ctx, Packet *p,
-                    const Signature *s, const SigMatchCtx *ctx)
+bool DetectAsn1Match(const SigMatchData *smd, const uint8_t *buffer, const uint32_t buffer_len,
+        const uint32_t offset)
 {
-    uint8_t ret = 0;
-
-    if (p->payload_len == 0) {
-        /* No error, parser done, no data in bounds to decode */
-        return 0;
-    }
-
-    const DetectAsn1Data *ad = (const DetectAsn1Data *)ctx;
-
-    Asn1 *asn1 = rs_asn1_decode(p->payload, p->payload_len, det_ctx->buffer_offset, ad);
-
-    ret = rs_asn1_checks(asn1, ad);
-
+    const DetectAsn1Data *ad = (const DetectAsn1Data *)smd->ctx;
+    Asn1 *asn1 = rs_asn1_decode(buffer, buffer_len, offset, ad);
+    uint8_t ret = rs_asn1_checks(asn1, ad);
    rs_asn1_free(asn1);
-
-    return ret;
+    return ret == 1;
 }

 /**
@ -127,12 +101,13 @@ static int DetectAsn1Setup(DetectEngineCtx *de_ctx, Signature *s, const char *as
    if (ad == NULL)
        return -1;

-    if (SigMatchAppendSMToList(de_ctx, s, DETECT_ASN1, (SigMatchCtx *)ad, DETECT_SM_LIST_MATCH) ==
+    if (SigMatchAppendSMToList(de_ctx, s, DETECT_ASN1, (SigMatchCtx *)ad, DETECT_SM_LIST_PMATCH) ==
            NULL) {
        DetectAsn1Free(de_ctx, ad);
        return -1;
    }

+    s->flags |= SIG_FLAG_REQUIRE_PACKET;
    return 0;
 }

--- a/src/detect-asn1.h
+++ b/src/detect-asn1.h
@ -26,4 +26,7 @@
 /* prototypes */
 void DetectAsn1Register (void);

+bool DetectAsn1Match(const SigMatchData *smd, const uint8_t *buffer, const uint32_t buffer_len,
+        const uint32_t offset);
+
 #endif /* __DETECT_ASN1_H__ */
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@ -31,6 +31,7 @@
 #include "detect.h"
 #include "detect-engine.h"
 #include "detect-parse.h"
+#include "detect-asn1.h"
 #include "detect-content.h"
 #include "detect-pcre.h"
 #include "detect-isdataat.h"
@ -656,6 +657,13 @@ int DetectEngineContentInspectionInternal(DetectEngineCtx *de_ctx, DetectEngineT
                }
            }
        }
+    } else if (smd->type == DETECT_ASN1) {
+        if (!DetectAsn1Match(smd, buffer, buffer_len, det_ctx->buffer_offset)) {
+            SCLogDebug("asn1 no_match");
+            goto no_match;
+        }
+        SCLogDebug("asn1 match");
+        goto match;
    } else {
        SCLogDebug("sm->type %u", smd->type);
 #ifdef DEBUG