[people/ms/suricata.git] / src / app-layer-smtp.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

#ifndef __APP_LAYER_SMTP_H__
#define __APP_LAYER_SMTP_H__

#include "decode-events.h"
#include "util-decode-mime.h"
#include "queue.h"
#include "util-streaming-buffer.h"

enum {
    SMTP_DECODER_EVENT_INVALID_REPLY,
    SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST,
    SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE,
    SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE,
    SMTP_DECODER_EVENT_TLS_REJECTED,
    SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED,

    /* MIME Events */
    SMTP_DECODER_EVENT_MIME_PARSE_FAILED,
    SMTP_DECODER_EVENT_MIME_MALFORMED_MSG,
    SMTP_DECODER_EVENT_MIME_INVALID_BASE64,
    SMTP_DECODER_EVENT_MIME_INVALID_QP,
    SMTP_DECODER_EVENT_MIME_LONG_LINE,
    SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE,
    SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME,
    SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE,
    SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG,

    /* Invalid behavior or content */
    SMTP_DECODER_EVENT_DUPLICATE_FIELDS,
    SMTP_DECODER_EVENT_UNPARSABLE_CONTENT,
};

typedef struct SMTPString_ {
    uint8_t *str;
    uint16_t len;

    TAILQ_ENTRY(SMTPString_) next;
} SMTPString;

typedef struct SMTPTransaction_ {
    /** id of this tx, starting at 0 */
    uint64_t tx_id;

    uint64_t detect_flags_ts;
    uint64_t detect_flags_tc;

    int done;
    /** indicates loggers done logging */
    uint32_t logged;
    /** the first message contained in the session */
    MimeDecEntity *msg_head;
    /** the last message contained in the session */
    MimeDecEntity *msg_tail;
    /** the mime decoding parser state */
    MimeDecParseState *mime_state;

    AppLayerDecoderEvents *decoder_events;          /**< per tx events */
    DetectEngineState *de_state;

    /* MAIL FROM parameters */
    uint8_t *mail_from;
    uint16_t mail_from_len;

    TAILQ_HEAD(, SMTPString_) rcpt_to_list;  /**< rcpt to string list */

    TAILQ_ENTRY(SMTPTransaction_) next;
} SMTPTransaction;

typedef struct SMTPConfig {

    int decode_mime;
    MimeDecConfig mime_config;
    uint32_t content_limit;
    uint32_t content_inspect_min_size;
    uint32_t content_inspect_window;

    StreamingBufferConfig sbcfg;
} SMTPConfig;

typedef struct SMTPState_ {
    SMTPTransaction *curr_tx;
    TAILQ_HEAD(, SMTPTransaction_) tx_list;  /**< transaction list */
    uint64_t tx_cnt;

    /* current input that is being parsed */
    uint8_t *input;
    int32_t input_len;
    uint8_t direction;

    /* --parser details-- */
    /** current line extracted by the parser from the call to SMTPGetline() */
    uint8_t *current_line;
    /** length of the line in current_line.  Doesn't include the delimiter */
    int32_t current_line_len;
    uint8_t current_line_delimiter_len;

    /** used to indicate if the current_line buffer is a malloced buffer.  We
     * use a malloced buffer, if a line is fragmented */
    uint8_t *tc_db;
    int32_t tc_db_len;
    uint8_t tc_current_line_db;
    /** we have see LF for the currently parsed line */
    uint8_t tc_current_line_lf_seen;

    /** used to indicate if the current_line buffer is a malloced buffer.  We
     * use a malloced buffer, if a line is fragmented */
    uint8_t *ts_db;
    int32_t ts_db_len;
    uint8_t ts_current_line_db;
    /** we have see LF for the currently parsed line */
    uint8_t ts_current_line_lf_seen;

    /** var to indicate parser state */
    uint8_t parser_state;
    /** current command in progress */
    uint8_t current_command;
    /** bdat chunk len */
    uint32_t bdat_chunk_len;
    /** bdat chunk idx */
    uint32_t bdat_chunk_idx;

    /* the request commands are store here and the reply handler uses these
     * stored command in the buffer to match the reply(ies) with the command */
    /** the command buffer */
    uint8_t *cmds;
    /** the buffer length */
    uint16_t cmds_buffer_len;
    /** no of commands stored in the above buffer */
    uint16_t cmds_cnt;
    /** index of the command in the buffer, currently in inspection by reply
     *  handler */
    uint16_t cmds_idx;

    /* SMTP Mime decoding and file extraction */
    /** the list of files sent to the server */
    FileContainer *files_ts;

    /* HELO of HELO message content */
    uint8_t *helo;
    uint16_t helo_len;
} SMTPState;

/* Create SMTP config structure */
extern SMTPConfig smtp_config;

int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len, MimeDecParseState *state);
void *SMTPStateAlloc(void);
void RegisterSMTPParsers(void);
void SMTPParserCleanup(void);
void SMTPParserRegisterTests(void);

#endif /* __APP_LAYER_SMTP_H__ */
Commit	Line	Data
576ec7da AS	1	/* Copyright (C) 2007-2010 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
420befb1	21	* \author Anoop Saldanha <anoopsaldanha@gmail.com>
576ec7da AS	22	*/
	23
	24	#ifndef __APP_LAYER_SMTP_H__
	25	#define __APP_LAYER_SMTP_H__
	26
5311cd48	27	#include "decode-events.h"
54df8665	28	#include "util-decode-mime.h"
56b74c8b	29	#include "queue.h"
e43ce0a9	30	#include "util-streaming-buffer.h"
5311cd48 AS	31
	32	enum {
	33	SMTP_DECODER_EVENT_INVALID_REPLY,
	34	SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST,
	35	SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED,
	36	SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED,
	37	SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE,
	38	SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED,
	39	SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE,
	40	SMTP_DECODER_EVENT_TLS_REJECTED,
	41	SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED,
c2dc6867 DA	42
	43	/* MIME Events */
	44	SMTP_DECODER_EVENT_MIME_PARSE_FAILED,
	45	SMTP_DECODER_EVENT_MIME_MALFORMED_MSG,
	46	SMTP_DECODER_EVENT_MIME_INVALID_BASE64,
	47	SMTP_DECODER_EVENT_MIME_INVALID_QP,
	48	SMTP_DECODER_EVENT_MIME_LONG_LINE,
	49	SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE,
	50	SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME,
	51	SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE,
6d170cad	52	SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG,
10e2e2a8 EL	53
	54	/* Invalid behavior or content */
	55	SMTP_DECODER_EVENT_DUPLICATE_FIELDS,
5dbedbfa	56	SMTP_DECODER_EVENT_UNPARSABLE_CONTENT,
5311cd48 AS	57	};
5311cd48 AS	58
752fdba9 EL	59	typedef struct SMTPString_ {
	60	uint8_t *str;
	61	uint16_t len;
	62
	63	TAILQ_ENTRY(SMTPString_) next;
	64	} SMTPString;
	65
56b74c8b VJ	66	typedef struct SMTPTransaction_ {
	67	/** id of this tx, starting at 0 */
	68	uint64_t tx_id;
73b59bda VJ	69
	70	uint64_t detect_flags_ts;
	71	uint64_t detect_flags_tc;
	72
d209699a	73	int done;
d484812d MK	74	/** indicates loggers done logging */
d484812d MK	75	uint32_t logged;
56b74c8b VJ	76	/** the first message contained in the session */
	77	MimeDecEntity *msg_head;
	78	/** the last message contained in the session */
	79	MimeDecEntity *msg_tail;
	80	/** the mime decoding parser state */
	81	MimeDecParseState *mime_state;
	82
d209699a	83	AppLayerDecoderEvents decoder_events; /< per tx events /
e984a572	84	DetectEngineState *de_state;
d209699a	85
7bca8268 EL	86	/* MAIL FROM parameters */
	87	uint8_t *mail_from;
	88	uint16_t mail_from_len;
	89
752fdba9 EL	90	TAILQ_HEAD(, SMTPString_) rcpt_to_list; /*< rcpt to string list /
752fdba9 EL	91
56b74c8b VJ	92	TAILQ_ENTRY(SMTPTransaction_) next;
	93	} SMTPTransaction;
	94
26ba647d GL	95	typedef struct SMTPConfig {
	96
	97	int decode_mime;
	98	MimeDecConfig mime_config;
	99	uint32_t content_limit;
	100	uint32_t content_inspect_min_size;
	101	uint32_t content_inspect_window;
e43ce0a9 VJ	102
e43ce0a9 VJ	103	StreamingBufferConfig sbcfg;
26ba647d GL	104	} SMTPConfig;
26ba647d GL	105
576ec7da	106	typedef struct SMTPState_ {
56b74c8b VJ	107	SMTPTransaction *curr_tx;
	108	TAILQ_HEAD(, SMTPTransaction_) tx_list; /*< transaction list /
	109	uint64_t tx_cnt;
	110
576ec7da AS	111	/* current input that is being parsed */
576ec7da AS	112	uint8_t *input;
88115902 AS	113	int32_t input_len;
88115902 AS	114	uint8_t direction;
576ec7da AS	115
576ec7da AS	116	/* --parser details-- */
0468dbd5	117	/** current line extracted by the parser from the call to SMTPGetline() */
576ec7da	118	uint8_t *current_line;
0468dbd5	119	/** length of the line in current_line. Doesn't include the delimiter */
88115902	120	int32_t current_line_len;
d3ca65de	121	uint8_t current_line_delimiter_len;
88115902	122
0468dbd5	123	/** used to indicate if the current_line buffer is a malloced buffer. We
88115902 AS	124	* use a malloced buffer, if a line is fragmented */
	125	uint8_t *tc_db;
	126	int32_t tc_db_len;
	127	uint8_t tc_current_line_db;
0468dbd5	128	/** we have see LF for the currently parsed line */
88115902 AS	129	uint8_t tc_current_line_lf_seen;
88115902 AS	130
0468dbd5	131	/** used to indicate if the current_line buffer is a malloced buffer. We
576ec7da	132	* use a malloced buffer, if a line is fragmented */
88115902 AS	133	uint8_t *ts_db;
	134	int32_t ts_db_len;
	135	uint8_t ts_current_line_db;
0468dbd5	136	/** we have see LF for the currently parsed line */
88115902 AS	137	uint8_t ts_current_line_lf_seen;
88115902 AS	138
0468dbd5	139	/** var to indicate parser state */
576ec7da	140	uint8_t parser_state;
0468dbd5	141	/** current command in progress */
576ec7da	142	uint8_t current_command;
d3ca65de AS	143	/** bdat chunk len */
	144	uint32_t bdat_chunk_len;
	145	/** bdat chunk idx */
	146	uint32_t bdat_chunk_idx;
576ec7da AS	147
	148	/* the request commands are store here and the reply handler uses these
	149	* stored command in the buffer to match the reply(ies) with the command */
bc5c9f4a	150	/** the command buffer */
576ec7da	151	uint8_t *cmds;
bc5c9f4a VJ	152	/** the buffer length */
	153	uint16_t cmds_buffer_len;
	154	/** no of commands stored in the above buffer */
	155	uint16_t cmds_cnt;
	156	/** index of the command in the buffer, currently in inspection by reply
	157	* handler */
	158	uint16_t cmds_idx;
4d38a571	159
c2dc6867 DA	160	/* SMTP Mime decoding and file extraction */
	161	/** the list of files sent to the server */
	162	FileContainer *files_ts;
c2dc6867	163
7bca8268 EL	164	/* HELO of HELO message content */
	165	uint8_t *helo;
	166	uint16_t helo_len;
576ec7da AS	167	} SMTPState;
576ec7da AS	168
d2657bec GL	169	/* Create SMTP config structure */
	170	extern SMTPConfig smtp_config;
	171
	172	int SMTPProcessDataChunk(const uint8_t chunk, uint32_t len, MimeDecParseState state);
	173	void *SMTPStateAlloc(void);
576ec7da	174	void RegisterSMTPParsers(void);
7a0dbc6f	175	void SMTPParserCleanup(void);
576ec7da AS	176	void SMTPParserRegisterTests(void);
	177
	178	#endif /* __APP_LAYER_SMTP_H__ */