From 76d6a5feedba223acdf399c68a92488cc6b5b1a1 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Mon, 25 Sep 2023 20:14:29 +0200 Subject: [PATCH] detect/asn1: handle in PMATCH Since the asn1 keyword is processing payload data, move the handling of the keyword into the PMATCH with content inspection. Use u32 as buffer length in the Rust FFI --- rust/src/asn1/mod.rs | 2 +- src/detect-asn1.c | 41 +++++--------------------- src/detect-asn1.h | 3 ++ src/detect-engine-content-inspection.c | 8 +++++ 4 files changed, 20 insertions(+), 34 deletions(-) diff --git a/rust/src/asn1/mod.rs b/rust/src/asn1/mod.rs index 4b77b0ca28d5..cf382cf6077c 100644 --- a/rust/src/asn1/mod.rs +++ b/rust/src/asn1/mod.rs @@ -218,7 +218,7 @@ fn asn1_decode<'a>( /// pointer must be freed using `rs_asn1_free` #[no_mangle] pub unsafe extern "C" fn rs_asn1_decode( - input: *const u8, input_len: u16, buffer_offset: u32, ad_ptr: *const DetectAsn1Data, + input: *const u8, input_len: u32, buffer_offset: u32, ad_ptr: *const DetectAsn1Data, ) -> *mut Asn1<'static> { if input.is_null() || input_len == 0 || ad_ptr.is_null() { return std::ptr::null_mut(); diff --git a/src/detect-asn1.c b/src/detect-asn1.c index 5b3a3a2229b2..c70bf8921fd3 100644 --- a/src/detect-asn1.c +++ b/src/detect-asn1.c @@ -36,8 +36,6 @@ #include "util-byte.h" #include "util-debug.h" -static int DetectAsn1Match(DetectEngineThreadCtx *, Packet *, - const Signature *, const SigMatchCtx *); static int DetectAsn1Setup (DetectEngineCtx *, Signature *, const char *); #ifdef UNITTESTS static void DetectAsn1RegisterTests(void); @@ -50,7 +48,6 @@ static void DetectAsn1Free(DetectEngineCtx *, void *); void DetectAsn1Register(void) { sigmatch_table[DETECT_ASN1].name = "asn1"; - sigmatch_table[DETECT_ASN1].Match = DetectAsn1Match; sigmatch_table[DETECT_ASN1].Setup = DetectAsn1Setup; sigmatch_table[DETECT_ASN1].Free = DetectAsn1Free; #ifdef UNITTESTS 
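Review bot: Widening `input_len` from `u16` to `u32` changes the `extern "C"` ABI of `rs_asn1_decode`, so the C-side prototype (declared or generated somewhere this patch does not show) has to change in the same commit; a stale 16-bit declaration would silently truncate lengths above 65535. The function body continues outside the hunk, so any offset or length arithmetic there that still narrows to `u16` should be rechecked, since the new caller passes the content-inspection `buffer`/`buffer_len` instead of `p->payload_len`. The existing doc comment only mentions `rs_asn1_free`; I would add a `# Safety` line such as `/// \`input\` must be valid for reads of \`input_len\` bytes`.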
@@ -58,37 +55,14 @@ void DetectAsn1Register(void) #endif } -/** - * \brief This function will decode the asn1 data and inspect the resulting - * nodes to detect if any of the specified checks match this data - * - * \param det_ctx pointer to the detect engine thread context - * \param p pointer to the current packet - * \param s pointer to the signature - * \param ctx pointer to the sigmatch that we will cast into `DetectAsn1Data` - * - * \retval 1 match - * \retval 0 no match - */ -static int DetectAsn1Match(DetectEngineThreadCtx *det_ctx, Packet *p, - const Signature *s, const SigMatchCtx *ctx) +bool DetectAsn1Match(const SigMatchData *smd, const uint8_t *buffer, const uint32_t buffer_len, + const uint32_t offset) { - uint8_t ret = 0; - - if (p->payload_len == 0) { - /* No error, parser done, no data in bounds to decode */ - return 0; - } - - const DetectAsn1Data *ad = (const DetectAsn1Data *)ctx; - - Asn1 *asn1 = rs_asn1_decode(p->payload, p->payload_len, det_ctx->buffer_offset, ad); - - ret = rs_asn1_checks(asn1, ad); - + const DetectAsn1Data *ad = (const DetectAsn1Data *)smd->ctx; + Asn1 *asn1 = rs_asn1_decode(buffer, buffer_len, offset, ad); + uint8_t ret = rs_asn1_checks(asn1, ad); rs_asn1_free(asn1); - - return ret; + return ret == 1; } /** @@ -127,12 +101,13 @@ static int DetectAsn1Setup(DetectEngineCtx *de_ctx, Signature *s, const char *as if (ad == NULL) return -1; - if (SigMatchAppendSMToList(de_ctx, s, DETECT_ASN1, (SigMatchCtx *)ad, DETECT_SM_LIST_MATCH) == + if (SigMatchAppendSMToList(de_ctx, s, DETECT_ASN1, (SigMatchCtx *)ad, DETECT_SM_LIST_PMATCH) == NULL) { DetectAsn1Free(de_ctx, ad); return -1; } + s->flags |= SIG_FLAG_REQUIRE_PACKET; return 0; } diff --git a/src/detect-asn1.h b/src/detect-asn1.h index a7b67340aa27..8c81ddcb305b 100644 --- a/src/detect-asn1.h +++ b/src/detect-asn1.h 
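Review bot: `DetectAsn1Match` is now an exported function, but it lost both its doxygen block and its explicit empty-input guard. With a NULL `buffer` or `buffer_len == 0`, `rs_asn1_decode` returns a null pointer (per the check visible in the Rust hunk), and that null goes straight into `rs_asn1_checks` and `rs_asn1_free`. The old code could presumably reach the same path on a decode failure, so it is likely handled, but neither callee is visible here and this should be confirmed. I would either keep the guard explicit with `if (buffer == NULL || buffer_len == 0) return false;` or restore a short `\brief`/`\param`/`\retval` block stating that `offset` is the detect thread's `buffer_offset` and that an empty or undecodable buffer yields `false`.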
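Review bot: The added `s->flags |= SIG_FLAG_REQUIRE_PACKET;` is a behaviour change that neither the commit message nor the code explains. A one-line comment above it, for example `/* asn1 decodes the packet payload, so this rule must be evaluated against a packet */` (wording for the author to confirm), would record the intent for whoever next touches the list assignment. No test in this patch covers an `asn1` rule now that the keyword is appended to `DETECT_SM_LIST_PMATCH`; one combining `content` with a relative `asn1` option would pin the `buffer_offset` hand-over. `DetectAsn1Setup` begins outside the hunk.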
@@ -26,4 +26,7 @@ /* prototypes */ void DetectAsn1Register (void); +bool DetectAsn1Match(const SigMatchData *smd, const uint8_t *buffer, const uint32_t buffer_len, + const uint32_t offset); + #endif /* __DETECT_ASN1_H__ */ diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c index 8c5feb61a226..d6dc980bf1d0 100644 --- a/src/detect-engine-content-inspection.c +++ b/src/detect-engine-content-inspection.c @@ -31,6 +31,7 @@ #include "detect.h" #include "detect-engine.h" #include "detect-parse.h" +#include "detect-asn1.h" #include "detect-content.h" #include "detect-pcre.h" #include "detect-isdataat.h" @@ -683,6 +684,13 @@ uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThrea } } } + } else if (smd->type == DETECT_ASN1) { + if (!DetectAsn1Match(smd, buffer, buffer_len, det_ctx->buffer_offset)) { + SCLogDebug("asn1 no_match"); + goto no_match; + } + SCLogDebug("asn1 match"); + goto match; } else { SCLogDebug("sm->type %u", smd->type); #ifdef DEBUG