]>
Commit | Line | Data |
---|---|---|
2f5834cd | 1 | /* Copyright (C) 2017-2020 Open Information Security Foundation |
77f0c11c PC |
2 | * |
3 | * You can copy, redistribute or modify this Program under the terms of | |
4 | * the GNU General Public License version 2 as published by the Free | |
5 | * Software Foundation. | |
6 | * | |
7 | * This program is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | * | |
12 | * You should have received a copy of the GNU General Public License | |
13 | * version 2 along with this program; if not, write to the Free Software | |
14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
15 | * 02110-1301, USA. | |
16 | */ | |
17 | ||
18 | // written by Pierre Chifflier <chifflier@wzdftpd.net> | |
19 | ||
77f0c11c PC |
20 | use std; |
21 | use std::ffi::{CStr,CString}; | |
13b73997 | 22 | use nom; |
f3ddd712 | 23 | use nom::IResult; |
44250067 | 24 | use nom::number::streaming::be_u32; |
5b809f77 | 25 | use der_parser::der::der_read_element_header; |
6b8517dc | 26 | use der_parser::ber::BerClass; |
77f0c11c | 27 | use kerberos_parser::krb5_parser; |
3a017f61 | 28 | use kerberos_parser::krb5::{EncryptionType,ErrorCode,MessageType,PrincipalName,Realm}; |
2f5834cd | 29 | use crate::applayer::{self, *}; |
42e5065a JI |
30 | use crate::core; |
31 | use crate::core::{AppProto,Flow,ALPROTO_FAILED,ALPROTO_UNKNOWN,STREAM_TOCLIENT,STREAM_TOSERVER,sc_detect_engine_state_free}; | |
77f0c11c | 32 | |
42e5065a | 33 | use crate::log::*; |
77f0c11c PC |
34 | |
35 | #[repr(u32)] | |
36 | pub enum KRB5Event { | |
37 | MalformedData = 0, | |
50370511 | 38 | WeakEncryption, |
77f0c11c PC |
39 | } |
40 | ||
12c2d18c JL |
41 | impl KRB5Event { |
42 | fn from_i32(value: i32) -> Option<KRB5Event> { | |
43 | match value { | |
44 | 0 => Some(KRB5Event::MalformedData), | |
45 | 1 => Some(KRB5Event::WeakEncryption), | |
46 | _ => None, | |
47 | } | |
48 | } | |
49 | } | |
50 | ||
77f0c11c PC |
51 | pub struct KRB5State { |
52 | pub req_id: u8, | |
53 | ||
e9ae62ed PC |
54 | pub record_ts: usize, |
55 | pub defrag_buf_ts: Vec<u8>, | |
56 | pub record_tc: usize, | |
57 | pub defrag_buf_tc: Vec<u8>, | |
58 | ||
77f0c11c PC |
59 | /// List of transactions for this session |
60 | transactions: Vec<KRB5Transaction>, | |
61 | ||
62 | /// tx counter for assigning incrementing id's to tx's | |
63 | tx_id: u64, | |
64 | } | |
65 | ||
66 | pub struct KRB5Transaction { | |
67 | /// The message type: AS-REQ, AS-REP, etc. | |
68 | pub msg_type: MessageType, | |
69 | ||
70 | /// The client PrincipalName, if present | |
71 | pub cname: Option<PrincipalName>, | |
72 | /// The server Realm, if present | |
73 | pub realm: Option<Realm>, | |
74 | /// The server PrincipalName, if present | |
75 | pub sname: Option<PrincipalName>, | |
76 | ||
77 | /// Encryption used (only in AS-REP and TGS-REP) | |
78 | pub etype: Option<EncryptionType>, | |
79 | ||
52f5c791 | 80 | /// Error code, if request has failed |
3a017f61 | 81 | pub error_code: Option<ErrorCode>, |
52f5c791 | 82 | |
77f0c11c PC |
83 | /// The internal transaction id |
84 | id: u64, | |
85 | ||
86 | /// The detection engine state, if present | |
87 | de_state: Option<*mut core::DetectEngineState>, | |
88 | ||
89 | /// The events associated with this transaction | |
90 | events: *mut core::AppLayerDecoderEvents, | |
91 | ||
92 | logged: applayer::LoggerFlags, | |
fa4b9d37 | 93 | detect_flags: applayer::TxDetectFlags, |
77f0c11c PC |
94 | } |
95 | ||
96 | pub fn to_hex_string(bytes: &[u8]) -> String { | |
97 | let mut s = String::new(); | |
98 | for &b in bytes { | |
99 | s.push_str(&format!("{:02X}", b)); | |
100 | } | |
101 | s | |
102 | } | |
103 | ||
104 | impl KRB5State { | |
105 | pub fn new() -> KRB5State { | |
106 | KRB5State{ | |
107 | req_id: 0, | |
e9ae62ed PC |
108 | record_ts: 0, |
109 | defrag_buf_ts: Vec::new(), | |
110 | record_tc: 0, | |
111 | defrag_buf_tc: Vec::new(), | |
77f0c11c PC |
112 | transactions: Vec::new(), |
113 | tx_id: 0, | |
114 | } | |
115 | } | |
116 | ||
117 | /// Parse a Kerberos request message | |
118 | /// | |
44d3f264 | 119 | /// Returns 0 in case of success, or -1 on error |
ae10a92b | 120 | fn parse(&mut self, i: &[u8], _direction: u8) -> i32 { |
77f0c11c | 121 | match der_read_element_header(i) { |
13b73997 | 122 | Ok((_rem,hdr)) => { |
77f0c11c | 123 | // Kerberos messages start with an APPLICATION header |
6b8517dc | 124 | if hdr.class != BerClass::Application { return 0; } |
5b809f77 | 125 | match hdr.tag.0 { |
77f0c11c | 126 | 10 => { |
5b809f77 | 127 | self.req_id = 10; |
77f0c11c PC |
128 | }, |
129 | 11 => { | |
130 | let res = krb5_parser::parse_as_rep(i); | |
13b73997 | 131 | if let Ok((_,kdc_rep)) = res { |
77f0c11c PC |
132 | let mut tx = self.new_tx(); |
133 | tx.msg_type = MessageType::KRB_AS_REP; | |
134 | tx.cname = Some(kdc_rep.cname); | |
135 | tx.realm = Some(kdc_rep.crealm); | |
136 | tx.sname = Some(kdc_rep.ticket.sname); | |
137 | tx.etype = Some(kdc_rep.enc_part.etype); | |
138 | self.transactions.push(tx); | |
50370511 PC |
139 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
140 | self.set_event(KRB5Event::WeakEncryption); | |
141 | } | |
13b73997 | 142 | }; |
77f0c11c PC |
143 | self.req_id = 0; |
144 | }, | |
145 | 12 => { | |
5b809f77 | 146 | self.req_id = 12; |
77f0c11c PC |
147 | }, |
148 | 13 => { | |
149 | let res = krb5_parser::parse_tgs_rep(i); | |
13b73997 | 150 | if let Ok((_,kdc_rep)) = res { |
77f0c11c PC |
151 | let mut tx = self.new_tx(); |
152 | tx.msg_type = MessageType::KRB_TGS_REP; | |
153 | tx.cname = Some(kdc_rep.cname); | |
154 | tx.realm = Some(kdc_rep.crealm); | |
155 | tx.sname = Some(kdc_rep.ticket.sname); | |
156 | tx.etype = Some(kdc_rep.enc_part.etype); | |
157 | self.transactions.push(tx); | |
50370511 PC |
158 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
159 | self.set_event(KRB5Event::WeakEncryption); | |
160 | } | |
13b73997 | 161 | }; |
77f0c11c PC |
162 | self.req_id = 0; |
163 | }, | |
164 | 14 => { | |
5b809f77 | 165 | self.req_id = 14; |
77f0c11c PC |
166 | }, |
167 | 15 => { | |
168 | self.req_id = 0; | |
169 | }, | |
170 | 30 => { | |
52f5c791 | 171 | let res = krb5_parser::parse_krb_error(i); |
13b73997 | 172 | if let Ok((_,error)) = res { |
52f5c791 PC |
173 | let mut tx = self.new_tx(); |
174 | tx.msg_type = MessageType(self.req_id as u32); | |
175 | tx.cname = error.cname; | |
176 | tx.realm = error.crealm; | |
177 | tx.sname = Some(error.sname); | |
178 | tx.error_code = Some(error.error_code); | |
179 | self.transactions.push(tx); | |
13b73997 | 180 | }; |
77f0c11c PC |
181 | self.req_id = 0; |
182 | }, | |
183 | _ => { SCLogDebug!("unknown/unsupported tag {}", hdr.tag); }, | |
184 | } | |
185 | 0 | |
186 | }, | |
13b73997 | 187 | Err(nom::Err::Incomplete(_)) => { |
77f0c11c PC |
188 | SCLogDebug!("Insufficient data while parsing KRB5 data"); |
189 | self.set_event(KRB5Event::MalformedData); | |
190 | -1 | |
191 | }, | |
13b73997 | 192 | Err(_) => { |
77f0c11c PC |
193 | SCLogDebug!("Error while parsing KRB5 data"); |
194 | self.set_event(KRB5Event::MalformedData); | |
195 | -1 | |
196 | }, | |
197 | } | |
198 | } | |
199 | ||
77f0c11c PC |
200 | pub fn free(&mut self) { |
201 | // All transactions are freed when the `transactions` object is freed. | |
202 | // But let's be explicit | |
203 | self.transactions.clear(); | |
204 | } | |
205 | ||
206 | fn new_tx(&mut self) -> KRB5Transaction { | |
207 | self.tx_id += 1; | |
208 | KRB5Transaction::new(self.tx_id) | |
209 | } | |
210 | ||
211 | fn get_tx_by_id(&mut self, tx_id: u64) -> Option<&KRB5Transaction> { | |
212 | self.transactions.iter().find(|&tx| tx.id == tx_id + 1) | |
213 | } | |
214 | ||
215 | fn free_tx(&mut self, tx_id: u64) { | |
216 | let tx = self.transactions.iter().position(|ref tx| tx.id == tx_id + 1); | |
217 | debug_assert!(tx != None); | |
218 | if let Some(idx) = tx { | |
219 | let _ = self.transactions.remove(idx); | |
220 | } | |
221 | } | |
222 | ||
223 | /// Set an event. The event is set on the most recent transaction. | |
224 | fn set_event(&mut self, event: KRB5Event) { | |
225 | if let Some(tx) = self.transactions.last_mut() { | |
226 | let ev = event as u8; | |
227 | core::sc_app_layer_decoder_events_set_event_raw(&mut tx.events, ev); | |
228 | } | |
229 | } | |
230 | } | |
231 | ||
232 | impl KRB5Transaction { | |
233 | pub fn new(id: u64) -> KRB5Transaction { | |
234 | KRB5Transaction{ | |
235 | msg_type: MessageType(0), | |
236 | cname: None, | |
237 | realm: None, | |
238 | sname: None, | |
239 | etype: None, | |
52f5c791 | 240 | error_code: None, |
77f0c11c PC |
241 | id: id, |
242 | de_state: None, | |
243 | events: std::ptr::null_mut(), | |
244 | logged: applayer::LoggerFlags::new(), | |
fa4b9d37 | 245 | detect_flags: applayer::TxDetectFlags::default(), |
77f0c11c PC |
246 | } |
247 | } | |
248 | } | |
249 | ||
250 | impl Drop for KRB5Transaction { | |
251 | fn drop(&mut self) { | |
252 | if self.events != std::ptr::null_mut() { | |
253 | core::sc_app_layer_decoder_events_free_events(&mut self.events); | |
254 | } | |
255 | if let Some(state) = self.de_state { | |
256 | sc_detect_engine_state_free(state); | |
257 | } | |
258 | } | |
259 | } | |
260 | ||
50370511 PC |
261 | /// Return true if Kerberos `EncryptionType` is weak |
262 | pub fn test_weak_encryption(alg:EncryptionType) -> bool { | |
263 | match alg { | |
264 | EncryptionType::AES128_CTS_HMAC_SHA1_96 | | |
265 | EncryptionType::AES256_CTS_HMAC_SHA1_96 | | |
266 | EncryptionType::AES128_CTS_HMAC_SHA256_128 | | |
267 | EncryptionType::AES256_CTS_HMAC_SHA384_192 | | |
268 | EncryptionType::CAMELLIA128_CTS_CMAC | | |
269 | EncryptionType::CAMELLIA256_CTS_CMAC => false, | |
270 | _ => true, // all other ciphers are weak or deprecated | |
271 | } | |
272 | } | |
273 | ||
274 | ||
77f0c11c PC |
275 | |
276 | ||
277 | ||
278 | /// Returns *mut KRB5State | |
279 | #[no_mangle] | |
3f6624bf | 280 | pub extern "C" fn rs_krb5_state_new() -> *mut std::os::raw::c_void { |
77f0c11c PC |
281 | let state = KRB5State::new(); |
282 | let boxed = Box::new(state); | |
283 | return unsafe{std::mem::transmute(boxed)}; | |
284 | } | |
285 | ||
286 | /// Params: | |
287 | /// - state: *mut KRB5State as void pointer | |
288 | #[no_mangle] | |
3f6624bf | 289 | pub extern "C" fn rs_krb5_state_free(state: *mut std::os::raw::c_void) { |
77f0c11c PC |
290 | // Just unbox... |
291 | let mut state: Box<KRB5State> = unsafe{std::mem::transmute(state)}; | |
292 | state.free(); | |
293 | } | |
294 | ||
295 | #[no_mangle] | |
3f6624bf | 296 | pub extern "C" fn rs_krb5_state_get_tx(state: *mut std::os::raw::c_void, |
bf1bd407 | 297 | tx_id: u64) |
3f6624bf | 298 | -> *mut std::os::raw::c_void |
77f0c11c PC |
299 | { |
300 | let state = cast_pointer!(state,KRB5State); | |
301 | match state.get_tx_by_id(tx_id) { | |
302 | Some(tx) => unsafe{std::mem::transmute(tx)}, | |
303 | None => std::ptr::null_mut(), | |
304 | } | |
305 | } | |
306 | ||
307 | #[no_mangle] | |
3f6624bf | 308 | pub extern "C" fn rs_krb5_state_get_tx_count(state: *mut std::os::raw::c_void) |
bf1bd407 | 309 | -> u64 |
77f0c11c PC |
310 | { |
311 | let state = cast_pointer!(state,KRB5State); | |
312 | state.tx_id | |
313 | } | |
314 | ||
315 | #[no_mangle] | |
3f6624bf | 316 | pub extern "C" fn rs_krb5_state_tx_free(state: *mut std::os::raw::c_void, |
bf1bd407 | 317 | tx_id: u64) |
77f0c11c PC |
318 | { |
319 | let state = cast_pointer!(state,KRB5State); | |
320 | state.free_tx(tx_id); | |
321 | } | |
322 | ||
323 | #[no_mangle] | |
324 | pub extern "C" fn rs_krb5_state_progress_completion_status( | |
bf1bd407 | 325 | _direction: u8) |
3f6624bf | 326 | -> std::os::raw::c_int |
77f0c11c PC |
327 | { |
328 | return 1; | |
329 | } | |
330 | ||
331 | #[no_mangle] | |
3f6624bf | 332 | pub extern "C" fn rs_krb5_tx_get_alstate_progress(_tx: *mut std::os::raw::c_void, |
bf1bd407 | 333 | _direction: u8) |
3f6624bf | 334 | -> std::os::raw::c_int |
77f0c11c PC |
335 | { |
336 | 1 | |
337 | } | |
338 | ||
339 | #[no_mangle] | |
3f6624bf VJ |
340 | pub extern "C" fn rs_krb5_tx_set_logged(_state: *mut std::os::raw::c_void, |
341 | tx: *mut std::os::raw::c_void, | |
bf1bd407 | 342 | logged: u32) |
77f0c11c PC |
343 | { |
344 | let tx = cast_pointer!(tx,KRB5Transaction); | |
345 | tx.logged.set(logged); | |
346 | } | |
347 | ||
348 | #[no_mangle] | |
3f6624bf VJ |
349 | pub extern "C" fn rs_krb5_tx_get_logged(_state: *mut std::os::raw::c_void, |
350 | tx: *mut std::os::raw::c_void) | |
77f0c11c PC |
351 | -> u32 |
352 | { | |
353 | let tx = cast_pointer!(tx,KRB5Transaction); | |
354 | return tx.logged.get(); | |
355 | } | |
356 | ||
357 | ||
358 | #[no_mangle] | |
359 | pub extern "C" fn rs_krb5_state_set_tx_detect_state( | |
3f6624bf VJ |
360 | tx: *mut std::os::raw::c_void, |
361 | de_state: &mut core::DetectEngineState) -> std::os::raw::c_int | |
77f0c11c PC |
362 | { |
363 | let tx = cast_pointer!(tx,KRB5Transaction); | |
364 | tx.de_state = Some(de_state); | |
365 | 0 | |
366 | } | |
367 | ||
368 | #[no_mangle] | |
369 | pub extern "C" fn rs_krb5_state_get_tx_detect_state( | |
3f6624bf | 370 | tx: *mut std::os::raw::c_void) |
77f0c11c PC |
371 | -> *mut core::DetectEngineState |
372 | { | |
373 | let tx = cast_pointer!(tx,KRB5Transaction); | |
374 | match tx.de_state { | |
375 | Some(ds) => ds, | |
376 | None => std::ptr::null_mut(), | |
377 | } | |
378 | } | |
379 | ||
12c2d18c JL |
380 | #[no_mangle] |
381 | pub extern "C" fn rs_krb5_state_get_event_info_by_id(event_id: std::os::raw::c_int, | |
382 | event_name: *mut *const std::os::raw::c_char, | |
383 | event_type: *mut core::AppLayerEventType) | |
384 | -> i8 | |
385 | { | |
386 | if let Some(e) = KRB5Event::from_i32(event_id as i32) { | |
387 | let estr = match e { | |
388 | KRB5Event::MalformedData => { "malformed_data\0" }, | |
389 | KRB5Event::WeakEncryption => { "weak_encryption\0" }, | |
390 | }; | |
391 | unsafe{ | |
392 | *event_name = estr.as_ptr() as *const std::os::raw::c_char; | |
393 | *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION; | |
394 | }; | |
395 | 0 | |
396 | } else { | |
397 | -1 | |
398 | } | |
399 | } | |
77f0c11c PC |
400 | |
401 | #[no_mangle] | |
3f6624bf | 402 | pub extern "C" fn rs_krb5_state_get_events(tx: *mut std::os::raw::c_void) |
77f0c11c PC |
403 | -> *mut core::AppLayerDecoderEvents |
404 | { | |
d568e7fa JL |
405 | let tx = cast_pointer!(tx, KRB5Transaction); |
406 | return tx.events; | |
77f0c11c PC |
407 | } |
408 | ||
409 | #[no_mangle] | |
3f6624bf VJ |
410 | pub extern "C" fn rs_krb5_state_get_event_info(event_name: *const std::os::raw::c_char, |
411 | event_id: *mut std::os::raw::c_int, | |
77f0c11c | 412 | event_type: *mut core::AppLayerEventType) |
3f6624bf | 413 | -> std::os::raw::c_int |
77f0c11c PC |
414 | { |
415 | if event_name == std::ptr::null() { return -1; } | |
416 | let c_event_name: &CStr = unsafe { CStr::from_ptr(event_name) }; | |
417 | let event = match c_event_name.to_str() { | |
418 | Ok(s) => { | |
419 | match s { | |
420 | "malformed_data" => KRB5Event::MalformedData as i32, | |
50370511 | 421 | "weak_encryption" => KRB5Event::WeakEncryption as i32, |
77f0c11c PC |
422 | _ => -1, // unknown event |
423 | } | |
424 | }, | |
425 | Err(_) => -1, // UTF-8 conversion failed | |
426 | }; | |
427 | unsafe{ | |
428 | *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION; | |
3f6624bf | 429 | *event_id = event as std::os::raw::c_int; |
77f0c11c PC |
430 | }; |
431 | 0 | |
432 | } | |
433 | static mut ALPROTO_KRB5 : AppProto = ALPROTO_UNKNOWN; | |
434 | ||
435 | #[no_mangle] | |
422e4892 VJ |
436 | pub extern "C" fn rs_krb5_probing_parser(_flow: *const Flow, |
437 | _direction: u8, | |
bf1bd407 | 438 | input:*const u8, input_len: u32, |
422e4892 VJ |
439 | _rdir: *mut u8) -> AppProto |
440 | { | |
77f0c11c PC |
441 | let slice = build_slice!(input,input_len as usize); |
442 | let alproto = unsafe{ ALPROTO_KRB5 }; | |
443 | if slice.len() <= 10 { return unsafe{ALPROTO_FAILED}; } | |
444 | match der_read_element_header(slice) { | |
13b73997 | 445 | Ok((rem, ref hdr)) => { |
77f0c11c | 446 | // Kerberos messages start with an APPLICATION header |
6b8517dc | 447 | if hdr.class != BerClass::Application { return unsafe{ALPROTO_FAILED}; } |
77f0c11c | 448 | // Tag number should be <= 30 |
5b809f77 | 449 | if hdr.tag.0 >= 30 { return unsafe{ALPROTO_FAILED}; } |
77f0c11c PC |
450 | // Kerberos messages contain sequences |
451 | if rem.is_empty() || rem[0] != 0x30 { return unsafe{ALPROTO_FAILED}; } | |
645ba175 | 452 | // Check kerberos version |
13b73997 | 453 | if let Ok((rem,_hdr)) = der_read_element_header(rem) { |
645ba175 PC |
454 | if rem.len() > 5 { |
455 | match (rem[2],rem[3],rem[4]) { | |
456 | // Encoding of DER integer 5 (version) | |
457 | (2,1,5) => { return alproto; }, | |
458 | _ => (), | |
459 | } | |
460 | } | |
461 | } | |
462 | return unsafe{ALPROTO_FAILED}; | |
77f0c11c | 463 | }, |
13b73997 | 464 | Err(nom::Err::Incomplete(_)) => { |
77f0c11c PC |
465 | return ALPROTO_UNKNOWN; |
466 | }, | |
13b73997 | 467 | Err(_) => { |
77f0c11c PC |
468 | return unsafe{ALPROTO_FAILED}; |
469 | }, | |
470 | } | |
471 | } | |
472 | ||
1e5f5d40 | 473 | #[no_mangle] |
422e4892 VJ |
474 | pub extern "C" fn rs_krb5_probing_parser_tcp(_flow: *const Flow, |
475 | direction: u8, | |
bf1bd407 | 476 | input:*const u8, input_len: u32, |
422e4892 VJ |
477 | rdir: *mut u8) -> AppProto |
478 | { | |
1e5f5d40 PC |
479 | let slice = build_slice!(input,input_len as usize); |
480 | if slice.len() <= 14 { return unsafe{ALPROTO_FAILED}; } | |
f3ddd712 | 481 | match be_u32(slice) as IResult<&[u8],u32> { |
13b73997 | 482 | Ok((rem, record_mark)) => { |
3eade88b PC |
483 | // protocol implementations forbid very large requests |
484 | if record_mark > 16384 { return unsafe{ALPROTO_FAILED}; } | |
422e4892 VJ |
485 | return rs_krb5_probing_parser(_flow, direction, |
486 | rem.as_ptr(), rem.len() as u32, rdir); | |
1e5f5d40 | 487 | }, |
13b73997 | 488 | Err(nom::Err::Incomplete(_)) => { |
1e5f5d40 PC |
489 | return ALPROTO_UNKNOWN; |
490 | }, | |
13b73997 | 491 | Err(_) => { |
1e5f5d40 PC |
492 | return unsafe{ALPROTO_FAILED}; |
493 | }, | |
494 | } | |
495 | } | |
496 | ||
77f0c11c PC |
497 | #[no_mangle] |
498 | pub extern "C" fn rs_krb5_parse_request(_flow: *const core::Flow, | |
3f6624bf VJ |
499 | state: *mut std::os::raw::c_void, |
500 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 501 | input: *const u8, |
77f0c11c | 502 | input_len: u32, |
3f6624bf | 503 | _data: *const std::os::raw::c_void, |
44d3f264 | 504 | _flags: u8) -> AppLayerResult { |
77f0c11c PC |
505 | let buf = build_slice!(input,input_len as usize); |
506 | let state = cast_pointer!(state,KRB5State); | |
44d3f264 VJ |
507 | if state.parse(buf, STREAM_TOSERVER) < 0 { |
508 | return AppLayerResult::err(); | |
509 | } | |
510 | AppLayerResult::ok() | |
77f0c11c PC |
511 | } |
512 | ||
513 | #[no_mangle] | |
514 | pub extern "C" fn rs_krb5_parse_response(_flow: *const core::Flow, | |
3f6624bf VJ |
515 | state: *mut std::os::raw::c_void, |
516 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 517 | input: *const u8, |
77f0c11c | 518 | input_len: u32, |
3f6624bf | 519 | _data: *const std::os::raw::c_void, |
44d3f264 | 520 | _flags: u8) -> AppLayerResult { |
77f0c11c PC |
521 | let buf = build_slice!(input,input_len as usize); |
522 | let state = cast_pointer!(state,KRB5State); | |
44d3f264 VJ |
523 | if state.parse(buf, STREAM_TOCLIENT) < 0 { |
524 | return AppLayerResult::err(); | |
525 | } | |
526 | AppLayerResult::ok() | |
77f0c11c PC |
527 | } |
528 | ||
1e5f5d40 PC |
529 | #[no_mangle] |
530 | pub extern "C" fn rs_krb5_parse_request_tcp(_flow: *const core::Flow, | |
3f6624bf VJ |
531 | state: *mut std::os::raw::c_void, |
532 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 533 | input: *const u8, |
1e5f5d40 | 534 | input_len: u32, |
3f6624bf | 535 | _data: *const std::os::raw::c_void, |
44d3f264 | 536 | _flags: u8) -> AppLayerResult { |
1e5f5d40 PC |
537 | let buf = build_slice!(input,input_len as usize); |
538 | let state = cast_pointer!(state,KRB5State); | |
e9ae62ed PC |
539 | |
540 | let mut v : Vec<u8>; | |
e9ae62ed PC |
541 | let tcp_buffer = match state.record_ts { |
542 | 0 => buf, | |
543 | _ => { | |
544 | // sanity check to avoid memory exhaustion | |
545 | if state.defrag_buf_ts.len() + buf.len() > 100000 { | |
12c2d18c | 546 | SCLogDebug!("rs_krb5_parse_request_tcp: TCP buffer exploded {} {}", |
e9ae62ed | 547 | state.defrag_buf_ts.len(), buf.len()); |
44d3f264 | 548 | return AppLayerResult::err(); |
e9ae62ed PC |
549 | } |
550 | v = state.defrag_buf_ts.split_off(0); | |
551 | v.extend_from_slice(buf); | |
552 | v.as_slice() | |
553 | } | |
554 | }; | |
555 | let mut cur_i = tcp_buffer; | |
556 | while cur_i.len() > 0 { | |
557 | if state.record_ts == 0 { | |
f3ddd712 | 558 | match be_u32(cur_i) as IResult<&[u8],u32> { |
13b73997 | 559 | Ok((rem,record)) => { |
e9ae62ed PC |
560 | state.record_ts = record as usize; |
561 | cur_i = rem; | |
562 | }, | |
23f796a0 PA |
563 | Err(nom::Err::Incomplete(_)) => { |
564 | state.defrag_buf_ts.extend_from_slice(cur_i); | |
44d3f264 | 565 | return AppLayerResult::ok(); |
23f796a0 | 566 | } |
e9ae62ed | 567 | _ => { |
7bc3c3ac | 568 | SCLogDebug!("rs_krb5_parse_request_tcp: reading record mark failed!"); |
44d3f264 | 569 | return AppLayerResult::err(); |
e9ae62ed PC |
570 | } |
571 | } | |
572 | } | |
573 | if cur_i.len() >= state.record_ts { | |
44d3f264 VJ |
574 | if state.parse(cur_i, STREAM_TOSERVER) < 0 { |
575 | return AppLayerResult::err(); | |
e9ae62ed PC |
576 | } |
577 | state.record_ts = 0; | |
578 | cur_i = &cur_i[state.record_ts..]; | |
579 | } else { | |
580 | // more fragments required | |
581 | state.defrag_buf_ts.extend_from_slice(cur_i); | |
44d3f264 | 582 | return AppLayerResult::ok(); |
e9ae62ed PC |
583 | } |
584 | } | |
44d3f264 | 585 | AppLayerResult::ok() |
1e5f5d40 PC |
586 | } |
587 | ||
588 | #[no_mangle] | |
589 | pub extern "C" fn rs_krb5_parse_response_tcp(_flow: *const core::Flow, | |
3f6624bf VJ |
590 | state: *mut std::os::raw::c_void, |
591 | _pstate: *mut std::os::raw::c_void, | |
bf1bd407 | 592 | input: *const u8, |
1e5f5d40 | 593 | input_len: u32, |
3f6624bf | 594 | _data: *const std::os::raw::c_void, |
44d3f264 | 595 | _flags: u8) -> AppLayerResult { |
1e5f5d40 PC |
596 | let buf = build_slice!(input,input_len as usize); |
597 | let state = cast_pointer!(state,KRB5State); | |
e9ae62ed PC |
598 | |
599 | let mut v : Vec<u8>; | |
e9ae62ed PC |
600 | let tcp_buffer = match state.record_tc { |
601 | 0 => buf, | |
602 | _ => { | |
603 | // sanity check to avoid memory exhaustion | |
604 | if state.defrag_buf_tc.len() + buf.len() > 100000 { | |
605 | SCLogDebug!("rs_krb5_parse_response_tcp: TCP buffer exploded {} {}", | |
606 | state.defrag_buf_tc.len(), buf.len()); | |
44d3f264 | 607 | return AppLayerResult::err(); |
e9ae62ed PC |
608 | } |
609 | v = state.defrag_buf_tc.split_off(0); | |
610 | v.extend_from_slice(buf); | |
611 | v.as_slice() | |
612 | } | |
613 | }; | |
614 | let mut cur_i = tcp_buffer; | |
615 | while cur_i.len() > 0 { | |
616 | if state.record_tc == 0 { | |
f3ddd712 | 617 | match be_u32(cur_i) as IResult<&[u8],_> { |
13b73997 | 618 | Ok((rem,record)) => { |
e9ae62ed PC |
619 | state.record_tc = record as usize; |
620 | cur_i = rem; | |
621 | }, | |
23f796a0 PA |
622 | Err(nom::Err::Incomplete(_)) => { |
623 | state.defrag_buf_tc.extend_from_slice(cur_i); | |
44d3f264 | 624 | return AppLayerResult::ok(); |
23f796a0 | 625 | } |
e9ae62ed | 626 | _ => { |
76dd9515 | 627 | SCLogDebug!("reading record mark failed!"); |
44d3f264 | 628 | return AppLayerResult::ok(); |
e9ae62ed PC |
629 | } |
630 | } | |
631 | } | |
632 | if cur_i.len() >= state.record_tc { | |
44d3f264 VJ |
633 | if state.parse(cur_i, STREAM_TOCLIENT) < 0 { |
634 | return AppLayerResult::err(); | |
e9ae62ed PC |
635 | } |
636 | state.record_tc = 0; | |
637 | cur_i = &cur_i[state.record_tc..]; | |
638 | } else { | |
639 | // more fragments required | |
640 | state.defrag_buf_tc.extend_from_slice(cur_i); | |
44d3f264 | 641 | return AppLayerResult::ok(); |
e9ae62ed PC |
642 | } |
643 | } | |
44d3f264 | 644 | AppLayerResult::ok() |
1e5f5d40 PC |
645 | } |
646 | ||
fa4b9d37 JI |
647 | export_tx_detect_flags_set!(rs_krb5_tx_detect_flags_set, KRB5Transaction); |
648 | export_tx_detect_flags_get!(rs_krb5_tx_detect_flags_get, KRB5Transaction); | |
77f0c11c PC |
649 | |
650 | const PARSER_NAME : &'static [u8] = b"krb5\0"; | |
651 | ||
652 | #[no_mangle] | |
653 | pub unsafe extern "C" fn rs_register_krb5_parser() { | |
654 | let default_port = CString::new("88").unwrap(); | |
1e5f5d40 | 655 | let mut parser = RustParser { |
12c2d18c JL |
656 | name : PARSER_NAME.as_ptr() as *const std::os::raw::c_char, |
657 | default_port : default_port.as_ptr(), | |
658 | ipproto : core::IPPROTO_UDP, | |
66632465 PA |
659 | probe_ts : Some(rs_krb5_probing_parser), |
660 | probe_tc : Some(rs_krb5_probing_parser), | |
12c2d18c JL |
661 | min_depth : 0, |
662 | max_depth : 16, | |
663 | state_new : rs_krb5_state_new, | |
664 | state_free : rs_krb5_state_free, | |
665 | tx_free : rs_krb5_state_tx_free, | |
666 | parse_ts : rs_krb5_parse_request, | |
667 | parse_tc : rs_krb5_parse_response, | |
668 | get_tx_count : rs_krb5_state_get_tx_count, | |
669 | get_tx : rs_krb5_state_get_tx, | |
670 | tx_get_comp_st : rs_krb5_state_progress_completion_status, | |
671 | tx_get_progress : rs_krb5_tx_get_alstate_progress, | |
672 | get_tx_logged : Some(rs_krb5_tx_get_logged), | |
673 | set_tx_logged : Some(rs_krb5_tx_set_logged), | |
674 | get_de_state : rs_krb5_state_get_tx_detect_state, | |
675 | set_de_state : rs_krb5_state_set_tx_detect_state, | |
676 | get_events : Some(rs_krb5_state_get_events), | |
677 | get_eventinfo : Some(rs_krb5_state_get_event_info), | |
678 | get_eventinfo_byid : Some(rs_krb5_state_get_event_info_by_id), | |
679 | localstorage_new : None, | |
680 | localstorage_free : None, | |
12c2d18c JL |
681 | get_files : None, |
682 | get_tx_iterator : None, | |
fa4b9d37 JI |
683 | get_tx_detect_flags: Some(rs_krb5_tx_detect_flags_get), |
684 | set_tx_detect_flags: Some(rs_krb5_tx_detect_flags_set), | |
411f428a | 685 | get_tx_data : None, |
5665fc83 | 686 | apply_tx_config : None, |
77f0c11c | 687 | }; |
1e5f5d40 | 688 | // register UDP parser |
77f0c11c PC |
689 | let ip_proto_str = CString::new("udp").unwrap(); |
690 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
691 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); | |
692 | // store the allocated ID for the probe function | |
693 | ALPROTO_KRB5 = alproto; | |
694 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
695 | let _ = AppLayerRegisterParser(&parser, alproto); | |
696 | } | |
697 | } else { | |
12c2d18c | 698 | SCLogDebug!("Protocol detector and parser disabled for KRB5/UDP."); |
1e5f5d40 PC |
699 | } |
700 | // register TCP parser | |
0301ceab | 701 | parser.ipproto = core::IPPROTO_TCP; |
66632465 PA |
702 | parser.probe_ts = Some(rs_krb5_probing_parser_tcp); |
703 | parser.probe_tc = Some(rs_krb5_probing_parser_tcp); | |
1e5f5d40 PC |
704 | parser.parse_ts = rs_krb5_parse_request_tcp; |
705 | parser.parse_tc = rs_krb5_parse_response_tcp; | |
706 | let ip_proto_str = CString::new("tcp").unwrap(); | |
707 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
708 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); | |
709 | // store the allocated ID for the probe function | |
710 | ALPROTO_KRB5 = alproto; | |
711 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
712 | let _ = AppLayerRegisterParser(&parser, alproto); | |
713 | } | |
714 | } else { | |
12c2d18c | 715 | SCLogDebug!("Protocol detector and parser disabled for KRB5/TCP."); |
77f0c11c PC |
716 | } |
717 | } |