tls: dynamic buffers

src/detect-engine-analyzer.c

@@ -446,12 +446,6 @@ static void EngineAnalysisRulesPrintFP(const Signature *s)
         fprintf(rule_engine_analysis_FD, "%s",
                 payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream");
     }
-    else if (list_type == DETECT_SM_LIST_TLSSNI_MATCH)
-        fprintf(rule_engine_analysis_FD, "tls sni extension content");
-    else if (list_type == DETECT_SM_LIST_TLSISSUER_MATCH)
-        fprintf(rule_engine_analysis_FD, "tls issuer content");
-    else if (list_type == DETECT_SM_LIST_TLSSUBJECT_MATCH)
-        fprintf(rule_engine_analysis_FD, "tls subject content");
     else if (list_type == DETECT_SM_LIST_DNP3_DATA_MATCH)
         fprintf(rule_engine_analysis_FD, "dnp3 data content");
     else {

src/detect-engine.c

@@ -2811,15 +2811,6 @@ const char *DetectSigmatchListEnumToString(enum DetectSigmatchListEnum type)
         case DETECT_SM_LIST_FILEMATCH:
             return "file";
 
-        case DETECT_SM_LIST_TLSSNI_MATCH:
-            return "tls sni extension";
-        case DETECT_SM_LIST_TLSISSUER_MATCH:
-            return "tls issuer";
-        case DETECT_SM_LIST_TLSSUBJECT_MATCH:
-            return "tls subject";
-        case DETECT_SM_LIST_TLSVALIDITY_MATCH:
-            return "tls validity";
-
         case DETECT_SM_LIST_MODBUS_MATCH:
             return "modbus";
         case DETECT_SM_LIST_DNP3_DATA_MATCH:

src/detect-parse.c

@@ -146,10 +146,6 @@ const char *DetectListToHumanString(int list)
         CASE_CODE_STRING(DETECT_SM_LIST_DMATCH, "dcerpc");
         CASE_CODE_STRING(DETECT_SM_LIST_TMATCH, "tag");
         CASE_CODE_STRING(DETECT_SM_LIST_FILEMATCH, "file");
-        CASE_CODE_STRING(DETECT_SM_LIST_TLSSNI_MATCH, "tls_sni");
-        CASE_CODE_STRING(DETECT_SM_LIST_TLSISSUER_MATCH, "tls_cert_issuer");
-        CASE_CODE_STRING(DETECT_SM_LIST_TLSSUBJECT_MATCH, "tls_cert_subject");
-        CASE_CODE_STRING(DETECT_SM_LIST_TLSVALIDITY_MATCH, "tls_cert_validity");
         CASE_CODE_STRING(DETECT_SM_LIST_MODBUS_MATCH, "modbus");
         CASE_CODE_STRING(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH, "template");
         CASE_CODE_STRING(DETECT_SM_LIST_POSTMATCH, "postmatch");
@@ -173,10 +169,6 @@ const char *DetectListToString(int list)
         CASE_CODE(DETECT_SM_LIST_DMATCH);
         CASE_CODE(DETECT_SM_LIST_TMATCH);
         CASE_CODE(DETECT_SM_LIST_FILEMATCH);
-        CASE_CODE(DETECT_SM_LIST_TLSSNI_MATCH);
-        CASE_CODE(DETECT_SM_LIST_TLSISSUER_MATCH);
-        CASE_CODE(DETECT_SM_LIST_TLSSUBJECT_MATCH);
-        CASE_CODE(DETECT_SM_LIST_TLSVALIDITY_MATCH);
         CASE_CODE(DETECT_SM_LIST_MODBUS_MATCH);
         CASE_CODE(DETECT_SM_LIST_TEMPLATE_BUFFER_MATCH);
         CASE_CODE(DETECT_SM_LIST_POSTMATCH);

src/detect-tls-cert-issuer.c

@@ -55,6 +55,7 @@
 
 static int DetectTlsIssuerSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectTlsIssuerRegisterTests(void);
+static int g_tls_cert_issuer_buffer_id = 0;
 
 /**
  * \brief Registration function for keyword: tls_cert_issuer
@@ -73,13 +74,14 @@ void DetectTlsIssuerRegister(void)
     sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_CERT_ISSUER].flags |= SIGMATCH_PAYLOAD;
 
-    DetectMpmAppLayerRegister("tls_cert_issuer", SIG_FLAG_TOCLIENT,
-            DETECT_SM_LIST_TLSISSUER_MATCH, 2,
+    DetectAppLayerMpmRegister("tls_cert_issuer", SIG_FLAG_TOCLIENT, 2,
             PrefilterTxTlsIssuerRegister);
 
-    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
-            DETECT_SM_LIST_TLSISSUER_MATCH,
+    DetectAppLayerInspectEngineRegister2("tls_cert_issuer",
+            ALPROTO_TLS, SIG_FLAG_TOCLIENT,
             DetectEngineInspectTlsIssuer);
+
+    g_tls_cert_issuer_buffer_id = DetectBufferTypeGetByName("tls_cert_issuer");
 }
 
 
@@ -94,7 +96,7 @@ void DetectTlsIssuerRegister(void)
  */
 static int DetectTlsIssuerSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
-    s->init_data->list = DETECT_SM_LIST_TLSISSUER_MATCH;
+    s->init_data->list = g_tls_cert_issuer_buffer_id;
     s->alproto = ALPROTO_TLS;
     return 0;
 }
@@ -123,7 +125,7 @@ static int DetectTlsIssuerTest01(void)
     sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
     FAIL_IF_NOT_NULL(sm);
 
-    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_TLSISSUER_MATCH];
+    sm = de_ctx->sig_list->sm_lists[g_tls_cert_issuer_buffer_id];
     FAIL_IF_NULL(sm);
 
     FAIL_IF(sm->type != DETECT_CONTENT);

src/detect-tls-cert-subject.c

@@ -55,6 +55,7 @@
 
 static int DetectTlsSubjectSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectTlsSubjectRegisterTests(void);
+static int g_tls_cert_subject_buffer_id = 0;
 
 /**
  * \brief Registration function for keyword: tls_cert_issuer
@@ -73,14 +74,14 @@ void DetectTlsSubjectRegister(void)
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_CERT_SUBJECT].flags |= SIGMATCH_PAYLOAD;
 
-    DetectMpmAppLayerRegister("tls_cert_subject", SIG_FLAG_TOCLIENT,
-            DETECT_SM_LIST_TLSSUBJECT_MATCH, 2,
+    DetectAppLayerMpmRegister("tls_cert_subject", SIG_FLAG_TOCLIENT, 2,
             PrefilterTxTlsSubjectRegister);
 
-    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
-            DETECT_SM_LIST_TLSSUBJECT_MATCH,
+    DetectAppLayerInspectEngineRegister2("tls_cert_subject",
+            ALPROTO_TLS, SIG_FLAG_TOCLIENT,
             DetectEngineInspectTlsSubject);
 
+    g_tls_cert_subject_buffer_id = DetectBufferTypeGetByName("tls_cert_subject");
 }
 
 /**
@@ -94,7 +95,7 @@ void DetectTlsSubjectRegister(void)
  */
 static int DetectTlsSubjectSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
-    s->init_data->list = DETECT_SM_LIST_TLSSUBJECT_MATCH;
+    s->init_data->list = g_tls_cert_subject_buffer_id;
     s->alproto = ALPROTO_TLS;
     return 0;
 }
@@ -123,7 +124,7 @@ static int DetectTlsSubjectTest01(void)
     sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH];
     FAIL_IF_NOT_NULL(sm);
 
-    sm = de_ctx->sig_list->sm_lists[DETECT_SM_LIST_TLSSUBJECT_MATCH];
+    sm = de_ctx->sig_list->sm_lists[g_tls_cert_subject_buffer_id];
     FAIL_IF_NULL(sm);
 
     FAIL_IF(sm->type != DETECT_CONTENT);

src/detect-tls-cert-validity.c

@@ -68,11 +68,12 @@ static int DetectTlsValidSetup (DetectEngineCtx *, Signature *s, char *str);
 static int DetectTlsNotBeforeSetup (DetectEngineCtx *, Signature *s, char *str);
 static int DetectTlsNotAfterSetup (DetectEngineCtx *, Signature *s, char *str);
 static int DetectTlsValiditySetup (DetectEngineCtx *, Signature *s, char *str, uint8_t);
-void TlsNotBeforeRegisterTests(void);
-void TlsNotAfterRegisterTests(void);
-void TlsExpiredRegisterTests(void);
-void TlsValidRegisterTests(void);
+static void TlsNotBeforeRegisterTests(void);
+static void TlsNotAfterRegisterTests(void);
+static void TlsExpiredRegisterTests(void);
+static void TlsValidRegisterTests(void);
 static void DetectTlsValidityFree(void *);
+static int g_tls_validity_buffer_id = 0;
 
 /**
  * \brief Registration function for tls validity keywords.
@@ -119,9 +120,11 @@ void DetectTlsValidityRegister (void)
 
     DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
 
-    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOCLIENT,
-            DETECT_SM_LIST_TLSVALIDITY_MATCH,
+    DetectAppLayerInspectEngineRegister2("tls_validity",
+            ALPROTO_TLS, SIG_FLAG_TOCLIENT,
             DetectEngineInspectTlsValidity);
+
+    g_tls_validity_buffer_id = DetectBufferTypeGetByName("tls_validity");
 }
 
 /**
@@ -447,7 +450,7 @@ static int DetectTlsExpiredSetup (DetectEngineCtx *de_ctx, Signature *s,
     s->flags |= SIG_FLAG_APPLAYER;
     s->alproto = ALPROTO_TLS;
 
-    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
+    SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
 
     return 0;
 
@@ -505,7 +508,7 @@ static int DetectTlsValidSetup (DetectEngineCtx *de_ctx, Signature *s,
     s->flags |= SIG_FLAG_APPLAYER;
     s->alproto = ALPROTO_TLS;
 
-    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
+    SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
 
     return 0;
 
@@ -608,7 +611,7 @@ static int DetectTlsValiditySetup (DetectEngineCtx *de_ctx, Signature *s,
     s->flags |= SIG_FLAG_APPLAYER;
     s->alproto = ALPROTO_TLS;
 
-    SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_TLSVALIDITY_MATCH);
+    SigMatchAppendSMToList(s, sm, g_tls_validity_buffer_id);
 
     return 0;
 

src/detect-tls-sni.c

@@ -55,6 +55,7 @@
 
 static int DetectTlsSniSetup(DetectEngineCtx *, Signature *, char *);
 static void DetectTlsSniRegisterTests(void);
+static int g_tls_sni_buffer_id = 0;
 
 /**
  * \brief Registration function for keyword: tls_sni
@@ -73,13 +74,14 @@ void DetectTlsSniRegister(void)
     sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_NOOPT;
     sigmatch_table[DETECT_AL_TLS_SNI].flags |= SIGMATCH_PAYLOAD;
 
-    DetectMpmAppLayerRegister("tls_sni", SIG_FLAG_TOSERVER,
-            DETECT_SM_LIST_TLSSNI_MATCH, 2,
+    DetectAppLayerMpmRegister("tls_sni", SIG_FLAG_TOSERVER, 2,
             PrefilterTxTlsSniRegister);
 
-    DetectAppLayerInspectEngineRegister(ALPROTO_TLS, SIG_FLAG_TOSERVER,
-            DETECT_SM_LIST_TLSSNI_MATCH,
+    DetectAppLayerInspectEngineRegister2("tls_sni",
+            ALPROTO_TLS, SIG_FLAG_TOSERVER,
             DetectEngineInspectTlsSni);
+
+    g_tls_sni_buffer_id = DetectBufferTypeGetByName("tls_sni");
 }
 
 
@@ -94,7 +96,7 @@ void DetectTlsSniRegister(void)
  */
 static int DetectTlsSniSetup(DetectEngineCtx *de_ctx, Signature *s, char *str)
 {
-    s->init_data->list = DETECT_SM_LIST_TLSSNI_MATCH;
+    s->init_data->list = g_tls_sni_buffer_id;
     s->alproto = ALPROTO_TLS;
     return 0;
 }

src/detect.h

@@ -120,11 +120,6 @@ enum DetectSigmatchListEnum {
 
     DETECT_SM_LIST_FILEMATCH,
 
-    DETECT_SM_LIST_TLSSNI_MATCH,
-    DETECT_SM_LIST_TLSISSUER_MATCH,
-    DETECT_SM_LIST_TLSSUBJECT_MATCH,
-    DETECT_SM_LIST_TLSVALIDITY_MATCH,
-
     DETECT_SM_LIST_MODBUS_MATCH,
 
     DETECT_SM_LIST_CIP_MATCH,