]>
Commit | Line | Data |
---|---|---|
2f5834cd | 1 | /* Copyright (C) 2017-2020 Open Information Security Foundation |
77f0c11c PC |
2 | * |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
18 | // written by Pierre Chifflier <chifflier@wzdftpd.net> | |
19 | ||
77f0c11c | 20 | use std; |
e92cb36b | 21 | use std::ffi::CString; |
13b73997 | 22 | use nom; |
f3ddd712 | 23 | use nom::IResult; |
44250067 | 24 | use nom::number::streaming::be_u32; |
5b809f77 | 25 | use der_parser::der::der_read_element_header; |
6b8517dc | 26 | use der_parser::ber::BerClass; |
77f0c11c | 27 | use kerberos_parser::krb5_parser; |
3a017f61 | 28 | use kerberos_parser::krb5::{EncryptionType,ErrorCode,MessageType,PrincipalName,Realm}; |
2f5834cd | 29 | use crate::applayer::{self, *}; |
209e2f17 | 30 | use crate::core::{self, *}; |
77f0c11c | 31 | |
e92cb36b | 32 | #[derive(AppLayerEvent)] |
77f0c11c | 33 | pub enum KRB5Event { |
e92cb36b | 34 | MalformedData, |
50370511 | 35 | WeakEncryption, |
77f0c11c PC |
36 | } |
37 | ||
38 | pub struct KRB5State { | |
39 | pub req_id: u8, | |
40 | ||
e9ae62ed PC |
41 | pub record_ts: usize, |
42 | pub defrag_buf_ts: Vec<u8>, | |
43 | pub record_tc: usize, | |
44 | pub defrag_buf_tc: Vec<u8>, | |
45 | ||
77f0c11c PC |
46 | /// List of transactions for this session |
47 | transactions: Vec<KRB5Transaction>, | |
48 | ||
49 | /// tx counter for assigning incrementing id's to tx's | |
50 | tx_id: u64, | |
51 | } | |
52 | ||
238ec953 JI |
53 | impl State<KRB5Transaction> for KRB5State { |
54 | fn get_transactions(&self) -> &[KRB5Transaction] { | |
55 | &self.transactions | |
56 | } | |
57 | } | |
58 | ||
77f0c11c PC |
59 | pub struct KRB5Transaction { |
60 | /// The message type: AS-REQ, AS-REP, etc. | |
61 | pub msg_type: MessageType, | |
62 | ||
63 | /// The client PrincipalName, if present | |
64 | pub cname: Option<PrincipalName>, | |
65 | /// The server Realm, if present | |
66 | pub realm: Option<Realm>, | |
67 | /// The server PrincipalName, if present | |
68 | pub sname: Option<PrincipalName>, | |
69 | ||
70 | /// Encryption used (only in AS-REP and TGS-REP) | |
71 | pub etype: Option<EncryptionType>, | |
72 | ||
52f5c791 | 73 | /// Error code, if request has failed |
3a017f61 | 74 | pub error_code: Option<ErrorCode>, |
52f5c791 | 75 | |
77f0c11c PC |
76 | /// The internal transaction id |
77 | id: u64, | |
78 | ||
79 | /// The detection engine state, if present | |
80 | de_state: Option<*mut core::DetectEngineState>, | |
81 | ||
82 | /// The events associated with this transaction | |
83 | events: *mut core::AppLayerDecoderEvents, | |
84 | ||
9f29366c | 85 | tx_data: applayer::AppLayerTxData, |
77f0c11c PC |
86 | } |
87 | ||
238ec953 JI |
88 | impl Transaction for KRB5Transaction { |
89 | fn id(&self) -> u64 { | |
90 | self.id | |
91 | } | |
92 | } | |
93 | ||
77f0c11c PC |
94 | pub fn to_hex_string(bytes: &[u8]) -> String { |
95 | let mut s = String::new(); | |
96 | for &b in bytes { | |
97 | s.push_str(&format!("{:02X}", b)); | |
98 | } | |
99 | s | |
100 | } | |
101 | ||
102 | impl KRB5State { | |
103 | pub fn new() -> KRB5State { | |
104 | KRB5State{ | |
105 | req_id: 0, | |
e9ae62ed PC |
106 | record_ts: 0, |
107 | defrag_buf_ts: Vec::new(), | |
108 | record_tc: 0, | |
109 | defrag_buf_tc: Vec::new(), | |
77f0c11c PC |
110 | transactions: Vec::new(), |
111 | tx_id: 0, | |
112 | } | |
113 | } | |
114 | ||
115 | /// Parse a Kerberos request message | |
116 | /// | |
44d3f264 | 117 | /// Returns 0 in case of success, or -1 on error |
209e2f17 | 118 | fn parse(&mut self, i: &[u8], _direction: Direction) -> i32 { |
77f0c11c | 119 | match der_read_element_header(i) { |
13b73997 | 120 | Ok((_rem,hdr)) => { |
77f0c11c | 121 | // Kerberos messages start with an APPLICATION header |
6b8517dc | 122 | if hdr.class != BerClass::Application { return 0; } |
5b809f77 | 123 | match hdr.tag.0 { |
77f0c11c | 124 | 10 => { |
5b809f77 | 125 | self.req_id = 10; |
77f0c11c PC |
126 | }, |
127 | 11 => { | |
128 | let res = krb5_parser::parse_as_rep(i); | |
13b73997 | 129 | if let Ok((_,kdc_rep)) = res { |
77f0c11c PC |
130 | let mut tx = self.new_tx(); |
131 | tx.msg_type = MessageType::KRB_AS_REP; | |
132 | tx.cname = Some(kdc_rep.cname); | |
133 | tx.realm = Some(kdc_rep.crealm); | |
134 | tx.sname = Some(kdc_rep.ticket.sname); | |
135 | tx.etype = Some(kdc_rep.enc_part.etype); | |
136 | self.transactions.push(tx); | |
50370511 PC |
137 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
138 | self.set_event(KRB5Event::WeakEncryption); | |
139 | } | |
13b73997 | 140 | }; |
77f0c11c PC |
141 | self.req_id = 0; |
142 | }, | |
143 | 12 => { | |
5b809f77 | 144 | self.req_id = 12; |
77f0c11c PC |
145 | }, |
146 | 13 => { | |
147 | let res = krb5_parser::parse_tgs_rep(i); | |
13b73997 | 148 | if let Ok((_,kdc_rep)) = res { |
77f0c11c PC |
149 | let mut tx = self.new_tx(); |
150 | tx.msg_type = MessageType::KRB_TGS_REP; | |
151 | tx.cname = Some(kdc_rep.cname); | |
152 | tx.realm = Some(kdc_rep.crealm); | |
153 | tx.sname = Some(kdc_rep.ticket.sname); | |
154 | tx.etype = Some(kdc_rep.enc_part.etype); | |
155 | self.transactions.push(tx); | |
50370511 PC |
156 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
157 | self.set_event(KRB5Event::WeakEncryption); | |
158 | } | |
13b73997 | 159 | }; |
77f0c11c PC |
160 | self.req_id = 0; |
161 | }, | |
162 | 14 => { | |
5b809f77 | 163 | self.req_id = 14; |
77f0c11c PC |
164 | }, |
165 | 15 => { | |
166 | self.req_id = 0; | |
167 | }, | |
168 | 30 => { | |
52f5c791 | 169 | let res = krb5_parser::parse_krb_error(i); |
13b73997 | 170 | if let Ok((_,error)) = res { |
52f5c791 PC |
171 | let mut tx = self.new_tx(); |
172 | tx.msg_type = MessageType(self.req_id as u32); | |
173 | tx.cname = error.cname; | |
174 | tx.realm = error.crealm; | |
175 | tx.sname = Some(error.sname); | |
176 | tx.error_code = Some(error.error_code); | |
177 | self.transactions.push(tx); | |
13b73997 | 178 | }; |
77f0c11c PC |
179 | self.req_id = 0; |
180 | }, | |
181 | _ => { SCLogDebug!("unknown/unsupported tag {}", hdr.tag); }, | |
182 | } | |
183 | 0 | |
184 | }, | |
13b73997 | 185 | Err(nom::Err::Incomplete(_)) => { |
77f0c11c PC |
186 | SCLogDebug!("Insufficient data while parsing KRB5 data"); |
187 | self.set_event(KRB5Event::MalformedData); | |
188 | -1 | |
189 | }, | |
13b73997 | 190 | Err(_) => { |
77f0c11c PC |
191 | SCLogDebug!("Error while parsing KRB5 data"); |
192 | self.set_event(KRB5Event::MalformedData); | |
193 | -1 | |
194 | }, | |
195 | } | |
196 | } | |
197 | ||
77f0c11c PC |
198 | pub fn free(&mut self) { |
199 | // All transactions are freed when the `transactions` object is freed. | |
200 | // But let's be explicit | |
201 | self.transactions.clear(); | |
202 | } | |
203 | ||
204 | fn new_tx(&mut self) -> KRB5Transaction { | |
205 | self.tx_id += 1; | |
206 | KRB5Transaction::new(self.tx_id) | |
207 | } | |
208 | ||
209 | fn get_tx_by_id(&mut self, tx_id: u64) -> Option<&KRB5Transaction> { | |
210 | self.transactions.iter().find(|&tx| tx.id == tx_id + 1) | |
211 | } | |
212 | ||
213 | fn free_tx(&mut self, tx_id: u64) { | |
69cf5c9e | 214 | let tx = self.transactions.iter().position(|tx| tx.id == tx_id + 1); |
77f0c11c PC |
215 | debug_assert!(tx != None); |
216 | if let Some(idx) = tx { | |
217 | let _ = self.transactions.remove(idx); | |
218 | } | |
219 | } | |
220 | ||
221 | /// Set an event. The event is set on the most recent transaction. | |
222 | fn set_event(&mut self, event: KRB5Event) { | |
223 | if let Some(tx) = self.transactions.last_mut() { | |
224 | let ev = event as u8; | |
225 | core::sc_app_layer_decoder_events_set_event_raw(&mut tx.events, ev); | |
226 | } | |
227 | } | |
228 | } | |
229 | ||
230 | impl KRB5Transaction { | |
231 | pub fn new(id: u64) -> KRB5Transaction { | |
232 | KRB5Transaction{ | |
233 | msg_type: MessageType(0), | |
234 | cname: None, | |
235 | realm: None, | |
236 | sname: None, | |
237 | etype: None, | |
52f5c791 | 238 | error_code: None, |
77f0c11c PC |
239 | id: id, |
240 | de_state: None, | |
241 | events: std::ptr::null_mut(), | |
9f29366c | 242 | tx_data: applayer::AppLayerTxData::new(), |
77f0c11c PC |
243 | } |
244 | } | |
245 | } | |
246 | ||
247 | impl Drop for KRB5Transaction { | |
248 | fn drop(&mut self) { | |
922a453d | 249 | if !self.events.is_null() { |
77f0c11c PC |
250 | core::sc_app_layer_decoder_events_free_events(&mut self.events); |
251 | } | |
252 | if let Some(state) = self.de_state { | |
253 | sc_detect_engine_state_free(state); | |
254 | } | |
255 | } | |
256 | } | |
257 | ||
50370511 PC |
258 | /// Return true if Kerberos `EncryptionType` is weak |
259 | pub fn test_weak_encryption(alg:EncryptionType) -> bool { | |
260 | match alg { | |
261 | EncryptionType::AES128_CTS_HMAC_SHA1_96 | | |
262 | EncryptionType::AES256_CTS_HMAC_SHA1_96 | | |
263 | EncryptionType::AES128_CTS_HMAC_SHA256_128 | | |
264 | EncryptionType::AES256_CTS_HMAC_SHA384_192 | | |
265 | EncryptionType::CAMELLIA128_CTS_CMAC | | |
266 | EncryptionType::CAMELLIA256_CTS_CMAC => false, | |
267 | _ => true, // all other ciphers are weak or deprecated | |
268 | } | |
269 | } | |
270 | ||
271 | ||
77f0c11c PC |
272 | |
273 | ||
274 | ||
275 | /// Returns *mut KRB5State | |
276 | #[no_mangle] | |
547d6c2d | 277 | pub extern "C" fn rs_krb5_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void { |
77f0c11c PC |
278 | let state = KRB5State::new(); |
279 | let boxed = Box::new(state); | |
53413f2d | 280 | return Box::into_raw(boxed) as *mut _; |
77f0c11c PC |
281 | } |
282 | ||
283 | /// Params: | |
284 | /// - state: *mut KRB5State as void pointer | |
285 | #[no_mangle] | |
3f6624bf | 286 | pub extern "C" fn rs_krb5_state_free(state: *mut std::os::raw::c_void) { |
53413f2d | 287 | let mut state: Box<KRB5State> = unsafe{Box::from_raw(state as _)}; |
77f0c11c PC |
288 | state.free(); |
289 | } | |
290 | ||
291 | #[no_mangle] | |
363b5f99 | 292 | pub unsafe extern "C" fn rs_krb5_state_get_tx(state: *mut std::os::raw::c_void, |
bf1bd407 | 293 | tx_id: u64) |
3f6624bf | 294 | -> *mut std::os::raw::c_void |
77f0c11c PC |
295 | { |
296 | let state = cast_pointer!(state,KRB5State); | |
297 | match state.get_tx_by_id(tx_id) { | |
53413f2d | 298 | Some(tx) => tx as *const _ as *mut _, |
77f0c11c PC |
299 | None => std::ptr::null_mut(), |
300 | } | |
301 | } | |
302 | ||
303 | #[no_mangle] | |
363b5f99 | 304 | pub unsafe extern "C" fn rs_krb5_state_get_tx_count(state: *mut std::os::raw::c_void) |
bf1bd407 | 305 | -> u64 |
77f0c11c PC |
306 | { |
307 | let state = cast_pointer!(state,KRB5State); | |
308 | state.tx_id | |
309 | } | |
310 | ||
311 | #[no_mangle] | |
363b5f99 | 312 | pub unsafe extern "C" fn rs_krb5_state_tx_free(state: *mut std::os::raw::c_void, |
bf1bd407 | 313 | tx_id: u64) |
77f0c11c PC |
314 | { |
315 | let state = cast_pointer!(state,KRB5State); | |
316 | state.free_tx(tx_id); | |
317 | } | |
318 | ||
77f0c11c | 319 | #[no_mangle] |
3f6624bf | 320 | pub extern "C" fn rs_krb5_tx_get_alstate_progress(_tx: *mut std::os::raw::c_void, |
bf1bd407 | 321 | _direction: u8) |
3f6624bf | 322 | -> std::os::raw::c_int |
77f0c11c PC |
323 | { |
324 | 1 | |
325 | } | |
326 | ||
77f0c11c | 327 | #[no_mangle] |
363b5f99 | 328 | pub unsafe extern "C" fn rs_krb5_state_set_tx_detect_state( |
3f6624bf VJ |
329 | tx: *mut std::os::raw::c_void, |
330 | de_state: &mut core::DetectEngineState) -> std::os::raw::c_int | |
77f0c11c PC |
331 | { |
332 | let tx = cast_pointer!(tx,KRB5Transaction); | |
333 | tx.de_state = Some(de_state); | |
334 | 0 | |
335 | } | |
336 | ||
337 | #[no_mangle] | |
363b5f99 | 338 | pub unsafe extern "C" fn rs_krb5_state_get_tx_detect_state( |
3f6624bf | 339 | tx: *mut std::os::raw::c_void) |
77f0c11c PC |
340 | -> *mut core::DetectEngineState |
341 | { | |
342 | let tx = cast_pointer!(tx,KRB5Transaction); | |
343 | match tx.de_state { | |
344 | Some(ds) => ds, | |
345 | None => std::ptr::null_mut(), | |
346 | } | |
347 | } | |
348 | ||
77f0c11c | 349 | #[no_mangle] |
363b5f99 | 350 | pub unsafe extern "C" fn rs_krb5_state_get_events(tx: *mut std::os::raw::c_void) |
77f0c11c PC |
351 | -> *mut core::AppLayerDecoderEvents |
352 | { | |
d568e7fa JL |
353 | let tx = cast_pointer!(tx, KRB5Transaction); |
354 | return tx.events; | |
77f0c11c PC |
355 | } |
356 | ||
77f0c11c PC |
357 | static mut ALPROTO_KRB5 : AppProto = ALPROTO_UNKNOWN; |
358 | ||
359 | #[no_mangle] | |
363b5f99 | 360 | pub unsafe extern "C" fn rs_krb5_probing_parser(_flow: *const Flow, |
422e4892 | 361 | _direction: u8, |
bf1bd407 | 362 | input:*const u8, input_len: u32, |
422e4892 VJ |
363 | _rdir: *mut u8) -> AppProto |
364 | { | |
77f0c11c | 365 | let slice = build_slice!(input,input_len as usize); |
363b5f99 JI |
366 | let alproto = ALPROTO_KRB5; |
367 | if slice.len() <= 10 { return ALPROTO_FAILED; } | |
77f0c11c | 368 | match der_read_element_header(slice) { |
13b73997 | 369 | Ok((rem, ref hdr)) => { |
77f0c11c | 370 | // Kerberos messages start with an APPLICATION header |
363b5f99 | 371 | if hdr.class != BerClass::Application { return ALPROTO_FAILED; } |
77f0c11c | 372 | // Tag number should be <= 30 |
363b5f99 | 373 | if hdr.tag.0 > 30 { return ALPROTO_FAILED; } |
77f0c11c | 374 | // Kerberos messages contain sequences |
363b5f99 | 375 | if rem.is_empty() || rem[0] != 0x30 { return ALPROTO_FAILED; } |
645ba175 | 376 | // Check kerberos version |
13b73997 | 377 | if let Ok((rem,_hdr)) = der_read_element_header(rem) { |
645ba175 PC |
378 | if rem.len() > 5 { |
379 | match (rem[2],rem[3],rem[4]) { | |
380 | // Encoding of DER integer 5 (version) | |
381 | (2,1,5) => { return alproto; }, | |
382 | _ => (), | |
383 | } | |
384 | } | |
385 | } | |
363b5f99 | 386 | return ALPROTO_FAILED; |
77f0c11c | 387 | }, |
13b73997 | 388 | Err(nom::Err::Incomplete(_)) => { |
77f0c11c PC |
389 | return ALPROTO_UNKNOWN; |
390 | }, | |
13b73997 | 391 | Err(_) => { |
363b5f99 | 392 | return ALPROTO_FAILED; |
77f0c11c PC |
393 | }, |
394 | } | |
395 | } | |
396 | ||
1e5f5d40 | 397 | #[no_mangle] |
363b5f99 | 398 | pub unsafe extern "C" fn rs_krb5_probing_parser_tcp(_flow: *const Flow, |
422e4892 | 399 | direction: u8, |
bf1bd407 | 400 | input:*const u8, input_len: u32, |
422e4892 VJ |
401 | rdir: *mut u8) -> AppProto |
402 | { | |
1e5f5d40 | 403 | let slice = build_slice!(input,input_len as usize); |
363b5f99 | 404 | if slice.len() <= 14 { return ALPROTO_FAILED; } |
f3ddd712 | 405 | match be_u32(slice) as IResult<&[u8],u32> { |
13b73997 | 406 | Ok((rem, record_mark)) => { |
3eade88b | 407 | // protocol implementations forbid very large requests |
363b5f99 | 408 | if record_mark > 16384 { return ALPROTO_FAILED; } |
422e4892 VJ |
409 | return rs_krb5_probing_parser(_flow, direction, |
410 | rem.as_ptr(), rem.len() as u32, rdir); | |
1e5f5d40 | 411 | }, |
13b73997 | 412 | Err(nom::Err::Incomplete(_)) => { |
1e5f5d40 PC |
413 | return ALPROTO_UNKNOWN; |
414 | }, | |
13b73997 | 415 | Err(_) => { |
363b5f99 | 416 | return ALPROTO_FAILED; |
1e5f5d40 PC |
417 | }, |
418 | } | |
419 | } | |
420 | ||
77f0c11c | 421 | #[no_mangle] |
363b5f99 | 422 | pub unsafe extern "C" fn rs_krb5_parse_request(_flow: *const core::Flow, |
3f6624bf VJ |
423 | state: *mut std::os::raw::c_void, |
424 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 425 | input: *const u8, |
77f0c11c | 426 | input_len: u32, |
3f6624bf | 427 | _data: *const std::os::raw::c_void, |
44d3f264 | 428 | _flags: u8) -> AppLayerResult { |
77f0c11c PC |
429 | let buf = build_slice!(input,input_len as usize); |
430 | let state = cast_pointer!(state,KRB5State); | |
209e2f17 | 431 | if state.parse(buf, Direction::ToServer) < 0 { |
44d3f264 VJ |
432 | return AppLayerResult::err(); |
433 | } | |
434 | AppLayerResult::ok() | |
77f0c11c PC |
435 | } |
436 | ||
437 | #[no_mangle] | |
363b5f99 | 438 | pub unsafe extern "C" fn rs_krb5_parse_response(_flow: *const core::Flow, |
3f6624bf VJ |
439 | state: *mut std::os::raw::c_void, |
440 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 441 | input: *const u8, |
77f0c11c | 442 | input_len: u32, |
3f6624bf | 443 | _data: *const std::os::raw::c_void, |
44d3f264 | 444 | _flags: u8) -> AppLayerResult { |
77f0c11c PC |
445 | let buf = build_slice!(input,input_len as usize); |
446 | let state = cast_pointer!(state,KRB5State); | |
209e2f17 | 447 | if state.parse(buf, Direction::ToClient) < 0 { |
44d3f264 VJ |
448 | return AppLayerResult::err(); |
449 | } | |
450 | AppLayerResult::ok() | |
77f0c11c PC |
451 | } |
452 | ||
1e5f5d40 | 453 | #[no_mangle] |
363b5f99 | 454 | pub unsafe extern "C" fn rs_krb5_parse_request_tcp(_flow: *const core::Flow, |
3f6624bf VJ |
455 | state: *mut std::os::raw::c_void, |
456 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 457 | input: *const u8, |
1e5f5d40 | 458 | input_len: u32, |
3f6624bf | 459 | _data: *const std::os::raw::c_void, |
44d3f264 | 460 | _flags: u8) -> AppLayerResult { |
1e5f5d40 PC |
461 | let buf = build_slice!(input,input_len as usize); |
462 | let state = cast_pointer!(state,KRB5State); | |
e9ae62ed PC |
463 | |
464 | let mut v : Vec<u8>; | |
e9ae62ed PC |
465 | let tcp_buffer = match state.record_ts { |
466 | 0 => buf, | |
467 | _ => { | |
468 | // sanity check to avoid memory exhaustion | |
469 | if state.defrag_buf_ts.len() + buf.len() > 100000 { | |
12c2d18c | 470 | SCLogDebug!("rs_krb5_parse_request_tcp: TCP buffer exploded {} {}", |
e9ae62ed | 471 | state.defrag_buf_ts.len(), buf.len()); |
44d3f264 | 472 | return AppLayerResult::err(); |
e9ae62ed PC |
473 | } |
474 | v = state.defrag_buf_ts.split_off(0); | |
475 | v.extend_from_slice(buf); | |
476 | v.as_slice() | |
477 | } | |
478 | }; | |
479 | let mut cur_i = tcp_buffer; | |
480 | while cur_i.len() > 0 { | |
481 | if state.record_ts == 0 { | |
f3ddd712 | 482 | match be_u32(cur_i) as IResult<&[u8],u32> { |
13b73997 | 483 | Ok((rem,record)) => { |
e9ae62ed PC |
484 | state.record_ts = record as usize; |
485 | cur_i = rem; | |
486 | }, | |
23f796a0 PA |
487 | Err(nom::Err::Incomplete(_)) => { |
488 | state.defrag_buf_ts.extend_from_slice(cur_i); | |
44d3f264 | 489 | return AppLayerResult::ok(); |
23f796a0 | 490 | } |
e9ae62ed | 491 | _ => { |
7bc3c3ac | 492 | SCLogDebug!("rs_krb5_parse_request_tcp: reading record mark failed!"); |
44d3f264 | 493 | return AppLayerResult::err(); |
e9ae62ed PC |
494 | } |
495 | } | |
496 | } | |
497 | if cur_i.len() >= state.record_ts { | |
209e2f17 | 498 | if state.parse(cur_i, Direction::ToServer) < 0 { |
44d3f264 | 499 | return AppLayerResult::err(); |
e9ae62ed PC |
500 | } |
501 | state.record_ts = 0; | |
502 | cur_i = &cur_i[state.record_ts..]; | |
503 | } else { | |
504 | // more fragments required | |
505 | state.defrag_buf_ts.extend_from_slice(cur_i); | |
44d3f264 | 506 | return AppLayerResult::ok(); |
e9ae62ed PC |
507 | } |
508 | } | |
44d3f264 | 509 | AppLayerResult::ok() |
1e5f5d40 PC |
510 | } |
511 | ||
512 | #[no_mangle] | |
363b5f99 | 513 | pub unsafe extern "C" fn rs_krb5_parse_response_tcp(_flow: *const core::Flow, |
3f6624bf VJ |
514 | state: *mut std::os::raw::c_void, |
515 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 516 | input: *const u8, |
1e5f5d40 | 517 | input_len: u32, |
3f6624bf | 518 | _data: *const std::os::raw::c_void, |
44d3f264 | 519 | _flags: u8) -> AppLayerResult { |
1e5f5d40 PC |
520 | let buf = build_slice!(input,input_len as usize); |
521 | let state = cast_pointer!(state,KRB5State); | |
e9ae62ed PC |
522 | |
523 | let mut v : Vec<u8>; | |
e9ae62ed PC |
524 | let tcp_buffer = match state.record_tc { |
525 | 0 => buf, | |
526 | _ => { | |
527 | // sanity check to avoid memory exhaustion | |
528 | if state.defrag_buf_tc.len() + buf.len() > 100000 { | |
529 | SCLogDebug!("rs_krb5_parse_response_tcp: TCP buffer exploded {} {}", | |
530 | state.defrag_buf_tc.len(), buf.len()); | |
44d3f264 | 531 | return AppLayerResult::err(); |
e9ae62ed PC |
532 | } |
533 | v = state.defrag_buf_tc.split_off(0); | |
534 | v.extend_from_slice(buf); | |
535 | v.as_slice() | |
536 | } | |
537 | }; | |
538 | let mut cur_i = tcp_buffer; | |
539 | while cur_i.len() > 0 { | |
540 | if state.record_tc == 0 { | |
f3ddd712 | 541 | match be_u32(cur_i) as IResult<&[u8],_> { |
13b73997 | 542 | Ok((rem,record)) => { |
e9ae62ed PC |
543 | state.record_tc = record as usize; |
544 | cur_i = rem; | |
545 | }, | |
23f796a0 PA |
546 | Err(nom::Err::Incomplete(_)) => { |
547 | state.defrag_buf_tc.extend_from_slice(cur_i); | |
44d3f264 | 548 | return AppLayerResult::ok(); |
23f796a0 | 549 | } |
e9ae62ed | 550 | _ => { |
76dd9515 | 551 | SCLogDebug!("reading record mark failed!"); |
44d3f264 | 552 | return AppLayerResult::ok(); |
e9ae62ed PC |
553 | } |
554 | } | |
555 | } | |
556 | if cur_i.len() >= state.record_tc { | |
209e2f17 | 557 | if state.parse(cur_i, Direction::ToClient) < 0 { |
44d3f264 | 558 | return AppLayerResult::err(); |
e9ae62ed PC |
559 | } |
560 | state.record_tc = 0; | |
561 | cur_i = &cur_i[state.record_tc..]; | |
562 | } else { | |
563 | // more fragments required | |
564 | state.defrag_buf_tc.extend_from_slice(cur_i); | |
44d3f264 | 565 | return AppLayerResult::ok(); |
e9ae62ed PC |
566 | } |
567 | } | |
44d3f264 | 568 | AppLayerResult::ok() |
1e5f5d40 PC |
569 | } |
570 | ||
9f29366c | 571 | export_tx_data_get!(rs_krb5_get_tx_data, KRB5Transaction); |
77f0c11c PC |
572 | |
573 | const PARSER_NAME : &'static [u8] = b"krb5\0"; | |
574 | ||
575 | #[no_mangle] | |
576 | pub unsafe extern "C" fn rs_register_krb5_parser() { | |
577 | let default_port = CString::new("88").unwrap(); | |
1e5f5d40 | 578 | let mut parser = RustParser { |
12c2d18c JL |
579 | name : PARSER_NAME.as_ptr() as *const std::os::raw::c_char, |
580 | default_port : default_port.as_ptr(), | |
581 | ipproto : core::IPPROTO_UDP, | |
66632465 PA |
582 | probe_ts : Some(rs_krb5_probing_parser), |
583 | probe_tc : Some(rs_krb5_probing_parser), | |
12c2d18c JL |
584 | min_depth : 0, |
585 | max_depth : 16, | |
586 | state_new : rs_krb5_state_new, | |
587 | state_free : rs_krb5_state_free, | |
588 | tx_free : rs_krb5_state_tx_free, | |
589 | parse_ts : rs_krb5_parse_request, | |
590 | parse_tc : rs_krb5_parse_response, | |
591 | get_tx_count : rs_krb5_state_get_tx_count, | |
592 | get_tx : rs_krb5_state_get_tx, | |
efc9a7a3 VJ |
593 | tx_comp_st_ts : 1, |
594 | tx_comp_st_tc : 1, | |
12c2d18c | 595 | tx_get_progress : rs_krb5_tx_get_alstate_progress, |
12c2d18c JL |
596 | get_de_state : rs_krb5_state_get_tx_detect_state, |
597 | set_de_state : rs_krb5_state_set_tx_detect_state, | |
598 | get_events : Some(rs_krb5_state_get_events), | |
e92cb36b JI |
599 | get_eventinfo : Some(KRB5Event::get_event_info), |
600 | get_eventinfo_byid : Some(KRB5Event::get_event_info_by_id), | |
12c2d18c JL |
601 | localstorage_new : None, |
602 | localstorage_free : None, | |
12c2d18c | 603 | get_files : None, |
238ec953 | 604 | get_tx_iterator : Some(applayer::state_get_tx_iterator::<KRB5State, KRB5Transaction>), |
c94a5e63 | 605 | get_tx_data : rs_krb5_get_tx_data, |
5665fc83 | 606 | apply_tx_config : None, |
f7dee602 | 607 | flags : APP_LAYER_PARSER_OPT_UNIDIR_TXS, |
4da0d9bd | 608 | truncate : None, |
77f0c11c | 609 | }; |
1e5f5d40 | 610 | // register UDP parser |
77f0c11c PC |
611 | let ip_proto_str = CString::new("udp").unwrap(); |
612 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
613 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); | |
614 | // store the allocated ID for the probe function | |
615 | ALPROTO_KRB5 = alproto; | |
616 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
617 | let _ = AppLayerRegisterParser(&parser, alproto); | |
618 | } | |
619 | } else { | |
12c2d18c | 620 | SCLogDebug!("Protocol detector and parser disabled for KRB5/UDP."); |
1e5f5d40 PC |
621 | } |
622 | // register TCP parser | |
0301ceab | 623 | parser.ipproto = core::IPPROTO_TCP; |
66632465 PA |
624 | parser.probe_ts = Some(rs_krb5_probing_parser_tcp); |
625 | parser.probe_tc = Some(rs_krb5_probing_parser_tcp); | |
1e5f5d40 PC |
626 | parser.parse_ts = rs_krb5_parse_request_tcp; |
627 | parser.parse_tc = rs_krb5_parse_response_tcp; | |
628 | let ip_proto_str = CString::new("tcp").unwrap(); | |
629 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
630 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); | |
631 | // store the allocated ID for the probe function | |
632 | ALPROTO_KRB5 = alproto; | |
633 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
634 | let _ = AppLayerRegisterParser(&parser, alproto); | |
635 | } | |
636 | } else { | |
12c2d18c | 637 | SCLogDebug!("Protocol detector and parser disabled for KRB5/TCP."); |
77f0c11c PC |
638 | } |
639 | } |