| | 1 | /* Copyright (C) 2017-2020 Open Information Security Foundation |
| | 2 | * |
| | 3 | * You can copy, redistribute or modify this Program under the terms of |
| | 4 | * the GNU General Public License version 2 as published by the Free |
| | 5 | * Software Foundation. |
| | 6 | * |
| | 7 | * This program is distributed in the hope that it will be useful, |
| | 8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| | 9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| | 10 | * GNU General Public License for more details. |
| | 11 | * |
| | 12 | * You should have received a copy of the GNU General Public License |
| | 13 | * version 2 along with this program; if not, write to the Free Software |
| | 14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
| | 15 | * 02110-1301, USA. |
| | 16 | */ |
| | 17 | |
| | 18 | // written by Pierre Chifflier <chifflier@wzdftpd.net> |
| | 19 | |
| | 20 | use std; |
| | 21 | use std::ffi::CString; |
| | 22 | use nom; |
| | 23 | use nom::IResult; |
| | 24 | use nom::number::streaming::be_u32; |
| | 25 | use der_parser::der::der_read_element_header; |
| | 26 | use der_parser::ber::BerClass; |
| | 27 | use kerberos_parser::krb5_parser; |
| | 28 | use kerberos_parser::krb5::{EncryptionType,ErrorCode,MessageType,PrincipalName,Realm}; |
| | 29 | use crate::applayer::{self, *}; |
| | 30 | use crate::core; |
| | 31 | use crate::core::{AppProto,Flow,ALPROTO_FAILED,ALPROTO_UNKNOWN,Direction}; |
| | 32 | |
| | 33 | #[derive(AppLayerEvent)] |
| | 34 | pub enum KRB5Event { |
| | 35 | MalformedData, |
| | 36 | WeakEncryption, |
| | 37 | } |
| | 38 | |
| | 39 | pub struct KRB5State { |
| | 40 | pub req_id: u8, |
| | 41 | |
| | 42 | pub record_ts: usize, |
| | 43 | pub defrag_buf_ts: Vec<u8>, |
| | 44 | pub record_tc: usize, |
| | 45 | pub defrag_buf_tc: Vec<u8>, |
| | 46 | |
| | 47 | /// List of transactions for this session |
| | 48 | transactions: Vec<KRB5Transaction>, |
| | 49 | |
| | 50 | /// tx counter for assigning incrementing id's to tx's |
| | 51 | tx_id: u64, |
| | 52 | } |
| | 53 | |
| | 54 | impl State<KRB5Transaction> for KRB5State { |
| | 55 | fn get_transactions(&self) -> &[KRB5Transaction] { |
| | 56 | &self.transactions |
| | 57 | } |
| | 58 | } |
| | 59 | |
| | 60 | pub struct KRB5Transaction { |
| | 61 | /// The message type: AS-REQ, AS-REP, etc. |
| | 62 | pub msg_type: MessageType, |
| | 63 | |
| | 64 | /// The client PrincipalName, if present |
| | 65 | pub cname: Option<PrincipalName>, |
| | 66 | /// The server Realm, if present |
| | 67 | pub realm: Option<Realm>, |
| | 68 | /// The server PrincipalName, if present |
| | 69 | pub sname: Option<PrincipalName>, |
| | 70 | |
| | 71 | /// Encryption used (only in AS-REP and TGS-REP) |
| | 72 | pub etype: Option<EncryptionType>, |
| | 73 | |
| | 74 | /// Error code, if request has failed |
| | 75 | pub error_code: Option<ErrorCode>, |
| | 76 | |
| | 77 | /// The internal transaction id |
| | 78 | id: u64, |
| | 79 | |
| | 80 | tx_data: applayer::AppLayerTxData, |
| | 81 | } |
| | 82 | |
| | 83 | impl Transaction for KRB5Transaction { |
| | 84 | fn id(&self) -> u64 { |
| | 85 | self.id |
| | 86 | } |
| | 87 | } |
| | 88 | |
| | 89 | pub fn to_hex_string(bytes: &[u8]) -> String { |
| | 90 | let mut s = String::new(); |
| | 91 | for &b in bytes { |
| | 92 | s.push_str(&format!("{:02X}", b)); |
| | 93 | } |
| | 94 | s |
| | 95 | } |
| | 96 | |
| | 97 | impl KRB5State { |
| | 98 | pub fn new() -> KRB5State { |
| | 99 | KRB5State{ |
| | 100 | req_id: 0, |
| | 101 | record_ts: 0, |
| | 102 | defrag_buf_ts: Vec::new(), |
| | 103 | record_tc: 0, |
| | 104 | defrag_buf_tc: Vec::new(), |
| | 105 | transactions: Vec::new(), |
| | 106 | tx_id: 0, |
| | 107 | } |
| | 108 | } |
| | 109 | |
| | 110 | /// Parse a Kerberos request message |
| | 111 | /// |
| | 112 | /// Returns 0 in case of success, or -1 on error |
| | 113 | fn parse(&mut self, i: &[u8], _direction: Direction) -> i32 { |
| | 114 | match der_read_element_header(i) { |
| | 115 | Ok((_rem,hdr)) => { |
| | 116 | // Kerberos messages start with an APPLICATION header |
| | 117 | if hdr.class != BerClass::Application { return 0; } |
| | 118 | match hdr.tag.0 { |
| | 119 | 10 => { |
| | 120 | self.req_id = 10; |
| | 121 | }, |
| | 122 | 11 => { |
| | 123 | let res = krb5_parser::parse_as_rep(i); |
| | 124 | if let Ok((_,kdc_rep)) = res { |
| | 125 | let mut tx = self.new_tx(); |
| | 126 | tx.msg_type = MessageType::KRB_AS_REP; |
| | 127 | tx.cname = Some(kdc_rep.cname); |
| | 128 | tx.realm = Some(kdc_rep.crealm); |
| | 129 | tx.sname = Some(kdc_rep.ticket.sname); |
| | 130 | tx.etype = Some(kdc_rep.enc_part.etype); |
| | 131 | self.transactions.push(tx); |
| | 132 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
| | 133 | self.set_event(KRB5Event::WeakEncryption); |
| | 134 | } |
| | 135 | }; |
| | 136 | self.req_id = 0; |
| | 137 | }, |
| | 138 | 12 => { |
| | 139 | self.req_id = 12; |
| | 140 | }, |
| | 141 | 13 => { |
| | 142 | let res = krb5_parser::parse_tgs_rep(i); |
| | 143 | if let Ok((_,kdc_rep)) = res { |
| | 144 | let mut tx = self.new_tx(); |
| | 145 | tx.msg_type = MessageType::KRB_TGS_REP; |
| | 146 | tx.cname = Some(kdc_rep.cname); |
| | 147 | tx.realm = Some(kdc_rep.crealm); |
| | 148 | tx.sname = Some(kdc_rep.ticket.sname); |
| | 149 | tx.etype = Some(kdc_rep.enc_part.etype); |
| | 150 | self.transactions.push(tx); |
| | 151 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
| | 152 | self.set_event(KRB5Event::WeakEncryption); |
| | 153 | } |
| | 154 | }; |
| | 155 | self.req_id = 0; |
| | 156 | }, |
| | 157 | 14 => { |
| | 158 | self.req_id = 14; |
| | 159 | }, |
| | 160 | 15 => { |
| | 161 | self.req_id = 0; |
| | 162 | }, |
| | 163 | 30 => { |
| | 164 | let res = krb5_parser::parse_krb_error(i); |
| | 165 | if let Ok((_,error)) = res { |
| | 166 | let mut tx = self.new_tx(); |
| | 167 | tx.msg_type = MessageType(self.req_id as u32); |
| | 168 | tx.cname = error.cname; |
| | 169 | tx.realm = error.crealm; |
| | 170 | tx.sname = Some(error.sname); |
| | 171 | tx.error_code = Some(error.error_code); |
| | 172 | self.transactions.push(tx); |
| | 173 | }; |
| | 174 | self.req_id = 0; |
| | 175 | }, |
| | 176 | _ => { SCLogDebug!("unknown/unsupported tag {}", hdr.tag); }, |
| | 177 | } |
| | 178 | 0 |
| | 179 | }, |
| | 180 | Err(nom::Err::Incomplete(_)) => { |
| | 181 | SCLogDebug!("Insufficient data while parsing KRB5 data"); |
| | 182 | self.set_event(KRB5Event::MalformedData); |
| | 183 | -1 |
| | 184 | }, |
| | 185 | Err(_) => { |
| | 186 | SCLogDebug!("Error while parsing KRB5 data"); |
| | 187 | self.set_event(KRB5Event::MalformedData); |
| | 188 | -1 |
| | 189 | }, |
| | 190 | } |
| | 191 | } |
| | 192 | |
| | 193 | pub fn free(&mut self) { |
| | 194 | // All transactions are freed when the `transactions` object is freed. |
| | 195 | // But let's be explicit |
| | 196 | self.transactions.clear(); |
| | 197 | } |
| | 198 | |
| | 199 | fn new_tx(&mut self) -> KRB5Transaction { |
| | 200 | self.tx_id += 1; |
| | 201 | KRB5Transaction::new(self.tx_id) |
| | 202 | } |
| | 203 | |
| | 204 | fn get_tx_by_id(&mut self, tx_id: u64) -> Option<&KRB5Transaction> { |
| | 205 | self.transactions.iter().find(|&tx| tx.id == tx_id + 1) |
| | 206 | } |
| | 207 | |
| | 208 | fn free_tx(&mut self, tx_id: u64) { |
| | 209 | let tx = self.transactions.iter().position(|tx| tx.id == tx_id + 1); |
| | 210 | debug_assert!(tx != None); |
| | 211 | if let Some(idx) = tx { |
| | 212 | let _ = self.transactions.remove(idx); |
| | 213 | } |
| | 214 | } |
| | 215 | |
| | 216 | /// Set an event. The event is set on the most recent transaction. |
| | 217 | fn set_event(&mut self, event: KRB5Event) { |
| | 218 | if let Some(tx) = self.transactions.last_mut() { |
| | 219 | tx.tx_data.set_event(event as u8); |
| | 220 | } |
| | 221 | } |
| | 222 | } |
| | 223 | |
| | 224 | impl KRB5Transaction { |
| | 225 | pub fn new(id: u64) -> KRB5Transaction { |
| | 226 | KRB5Transaction{ |
| | 227 | msg_type: MessageType(0), |
| | 228 | cname: None, |
| | 229 | realm: None, |
| | 230 | sname: None, |
| | 231 | etype: None, |
| | 232 | error_code: None, |
| | 233 | id: id, |
| | 234 | tx_data: applayer::AppLayerTxData::new(), |
| | 235 | } |
| | 236 | } |
| | 237 | } |
| | 238 | |
| | 239 | /// Return true if Kerberos `EncryptionType` is weak |
| | 240 | pub fn test_weak_encryption(alg:EncryptionType) -> bool { |
| | 241 | match alg { |
| | 242 | EncryptionType::AES128_CTS_HMAC_SHA1_96 | |
| | 243 | EncryptionType::AES256_CTS_HMAC_SHA1_96 | |
| | 244 | EncryptionType::AES128_CTS_HMAC_SHA256_128 | |
| | 245 | EncryptionType::AES256_CTS_HMAC_SHA384_192 | |
| | 246 | EncryptionType::CAMELLIA128_CTS_CMAC | |
| | 247 | EncryptionType::CAMELLIA256_CTS_CMAC => false, |
| | 248 | _ => true, // all other ciphers are weak or deprecated |
| | 249 | } |
| | 250 | } |
| | 251 | |
| | 252 | |
| | 253 | |
| | 254 | |
| | 255 | |
| | 256 | /// Returns *mut KRB5State |
| | 257 | #[no_mangle] |
| | 258 | pub extern "C" fn rs_krb5_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void { |
| | 259 | let state = KRB5State::new(); |
| | 260 | let boxed = Box::new(state); |
| | 261 | return Box::into_raw(boxed) as *mut _; |
| | 262 | } |
| | 263 | |
| | 264 | /// Params: |
| | 265 | /// - state: *mut KRB5State as void pointer |
| | 266 | #[no_mangle] |
| | 267 | pub extern "C" fn rs_krb5_state_free(state: *mut std::os::raw::c_void) { |
| | 268 | let mut state: Box<KRB5State> = unsafe{Box::from_raw(state as _)}; |
| | 269 | state.free(); |
| | 270 | } |
| | 271 | |
| | 272 | #[no_mangle] |
| | 273 | pub unsafe extern "C" fn rs_krb5_state_get_tx(state: *mut std::os::raw::c_void, |
| | 274 | tx_id: u64) |
| | 275 | -> *mut std::os::raw::c_void |
| | 276 | { |
| | 277 | let state = cast_pointer!(state,KRB5State); |
| | 278 | match state.get_tx_by_id(tx_id) { |
| | 279 | Some(tx) => tx as *const _ as *mut _, |
| | 280 | None => std::ptr::null_mut(), |
| | 281 | } |
| | 282 | } |
| | 283 | |
| | 284 | #[no_mangle] |
| | 285 | pub unsafe extern "C" fn rs_krb5_state_get_tx_count(state: *mut std::os::raw::c_void) |
| | 286 | -> u64 |
| | 287 | { |
| | 288 | let state = cast_pointer!(state,KRB5State); |
| | 289 | state.tx_id |
| | 290 | } |
| | 291 | |
| | 292 | #[no_mangle] |
| | 293 | pub unsafe extern "C" fn rs_krb5_state_tx_free(state: *mut std::os::raw::c_void, |
| | 294 | tx_id: u64) |
| | 295 | { |
| | 296 | let state = cast_pointer!(state,KRB5State); |
| | 297 | state.free_tx(tx_id); |
| | 298 | } |
| | 299 | |
| | 300 | #[no_mangle] |
| | 301 | pub extern "C" fn rs_krb5_tx_get_alstate_progress(_tx: *mut std::os::raw::c_void, |
| | 302 | _direction: u8) |
| | 303 | -> std::os::raw::c_int |
| | 304 | { |
| | 305 | 1 |
| | 306 | } |
| | 307 | |
| | 308 | static mut ALPROTO_KRB5 : AppProto = ALPROTO_UNKNOWN; |
| | 309 | |
| | 310 | #[no_mangle] |
| | 311 | pub unsafe extern "C" fn rs_krb5_probing_parser(_flow: *const Flow, |
| | 312 | _direction: u8, |
| | 313 | input:*const u8, input_len: u32, |
| | 314 | _rdir: *mut u8) -> AppProto |
| | 315 | { |
| | 316 | let slice = build_slice!(input,input_len as usize); |
| | 317 | let alproto = ALPROTO_KRB5; |
| | 318 | if slice.len() <= 10 { return ALPROTO_FAILED; } |
| | 319 | match der_read_element_header(slice) { |
| | 320 | Ok((rem, ref hdr)) => { |
| | 321 | // Kerberos messages start with an APPLICATION header |
| | 322 | if hdr.class != BerClass::Application { return ALPROTO_FAILED; } |
| | 323 | // Tag number should be <= 30 |
| | 324 | if hdr.tag.0 > 30 { return ALPROTO_FAILED; } |
| | 325 | // Kerberos messages contain sequences |
| | 326 | if rem.is_empty() || rem[0] != 0x30 { return ALPROTO_FAILED; } |
| | 327 | // Check kerberos version |
| | 328 | if let Ok((rem,_hdr)) = der_read_element_header(rem) { |
| | 329 | if rem.len() > 5 { |
| | 330 | match (rem[2],rem[3],rem[4]) { |
| | 331 | // Encoding of DER integer 5 (version) |
| | 332 | (2,1,5) => { return alproto; }, |
| | 333 | _ => (), |
| | 334 | } |
| | 335 | } |
| | 336 | } |
| | 337 | return ALPROTO_FAILED; |
| | 338 | }, |
| | 339 | Err(nom::Err::Incomplete(_)) => { |
| | 340 | return ALPROTO_UNKNOWN; |
| | 341 | }, |
| | 342 | Err(_) => { |
| | 343 | return ALPROTO_FAILED; |
| | 344 | }, |
| | 345 | } |
| | 346 | } |
| | 347 | |
| | 348 | #[no_mangle] |
| | 349 | pub unsafe extern "C" fn rs_krb5_probing_parser_tcp(_flow: *const Flow, |
| | 350 | direction: u8, |
| | 351 | input:*const u8, input_len: u32, |
| | 352 | rdir: *mut u8) -> AppProto |
| | 353 | { |
| | 354 | let slice = build_slice!(input,input_len as usize); |
| | 355 | if slice.len() <= 14 { return ALPROTO_FAILED; } |
| | 356 | match be_u32(slice) as IResult<&[u8],u32> { |
| | 357 | Ok((rem, record_mark)) => { |
| | 358 | // protocol implementations forbid very large requests |
| | 359 | if record_mark > 16384 { return ALPROTO_FAILED; } |
| | 360 | return rs_krb5_probing_parser(_flow, direction, |
| | 361 | rem.as_ptr(), rem.len() as u32, rdir); |
| | 362 | }, |
| | 363 | Err(nom::Err::Incomplete(_)) => { |
| | 364 | return ALPROTO_UNKNOWN; |
| | 365 | }, |
| | 366 | Err(_) => { |
| | 367 | return ALPROTO_FAILED; |
| | 368 | }, |
| | 369 | } |
| | 370 | } |
| | 371 | |
| | 372 | #[no_mangle] |
| | 373 | pub unsafe extern "C" fn rs_krb5_parse_request(_flow: *const core::Flow, |
| | 374 | state: *mut std::os::raw::c_void, |
| | 375 | _pstate: *mut std::os::raw::c_void, |
| | 376 | input: *const u8, |
| | 377 | input_len: u32, |
| | 378 | _data: *const std::os::raw::c_void, |
| | 379 | _flags: u8) -> AppLayerResult { |
| | 380 | let buf = build_slice!(input,input_len as usize); |
| | 381 | let state = cast_pointer!(state,KRB5State); |
| | 382 | if state.parse(buf, Direction::ToServer) < 0 { |
| | 383 | return AppLayerResult::err(); |
| | 384 | } |
| | 385 | AppLayerResult::ok() |
| | 386 | } |
| | 387 | |
| | 388 | #[no_mangle] |
| | 389 | pub unsafe extern "C" fn rs_krb5_parse_response(_flow: *const core::Flow, |
| | 390 | state: *mut std::os::raw::c_void, |
| | 391 | _pstate: *mut std::os::raw::c_void, |
| | 392 | input: *const u8, |
| | 393 | input_len: u32, |
| | 394 | _data: *const std::os::raw::c_void, |
| | 395 | _flags: u8) -> AppLayerResult { |
| | 396 | let buf = build_slice!(input,input_len as usize); |
| | 397 | let state = cast_pointer!(state,KRB5State); |
| | 398 | if state.parse(buf, Direction::ToClient) < 0 { |
| | 399 | return AppLayerResult::err(); |
| | 400 | } |
| | 401 | AppLayerResult::ok() |
| | 402 | } |
| | 403 | |
| | 404 | #[no_mangle] |
| | 405 | pub unsafe extern "C" fn rs_krb5_parse_request_tcp(_flow: *const core::Flow, |
| | 406 | state: *mut std::os::raw::c_void, |
| | 407 | _pstate: *mut std::os::raw::c_void, |
| | 408 | input: *const u8, |
| | 409 | input_len: u32, |
| | 410 | _data: *const std::os::raw::c_void, |
| | 411 | _flags: u8) -> AppLayerResult { |
| | 412 | let buf = build_slice!(input,input_len as usize); |
| | 413 | let state = cast_pointer!(state,KRB5State); |
| | 414 | |
| | 415 | let mut v : Vec<u8>; |
| | 416 | let tcp_buffer = match state.record_ts { |
| | 417 | 0 => buf, |
| | 418 | _ => { |
| | 419 | // sanity check to avoid memory exhaustion |
| | 420 | if state.defrag_buf_ts.len() + buf.len() > 100000 { |
| | 421 | SCLogDebug!("rs_krb5_parse_request_tcp: TCP buffer exploded {} {}", |
| | 422 | state.defrag_buf_ts.len(), buf.len()); |
| | 423 | return AppLayerResult::err(); |
| | 424 | } |
| | 425 | v = state.defrag_buf_ts.split_off(0); |
| | 426 | v.extend_from_slice(buf); |
| | 427 | v.as_slice() |
| | 428 | } |
| | 429 | }; |
| | 430 | let mut cur_i = tcp_buffer; |
| | 431 | while cur_i.len() > 0 { |
| | 432 | if state.record_ts == 0 { |
| | 433 | match be_u32(cur_i) as IResult<&[u8],u32> { |
| | 434 | Ok((rem,record)) => { |
| | 435 | state.record_ts = record as usize; |
| | 436 | cur_i = rem; |
| | 437 | }, |
| | 438 | Err(nom::Err::Incomplete(_)) => { |
| | 439 | state.defrag_buf_ts.extend_from_slice(cur_i); |
| | 440 | return AppLayerResult::ok(); |
| | 441 | } |
| | 442 | _ => { |
| | 443 | SCLogDebug!("rs_krb5_parse_request_tcp: reading record mark failed!"); |
| | 444 | return AppLayerResult::err(); |
| | 445 | } |
| | 446 | } |
| | 447 | } |
| | 448 | if cur_i.len() >= state.record_ts { |
| | 449 | if state.parse(cur_i, Direction::ToServer) < 0 { |
| | 450 | return AppLayerResult::err(); |
| | 451 | } |
| | 452 | state.record_ts = 0; |
| | 453 | cur_i = &cur_i[state.record_ts..]; |
| | 454 | } else { |
| | 455 | // more fragments required |
| | 456 | state.defrag_buf_ts.extend_from_slice(cur_i); |
| | 457 | return AppLayerResult::ok(); |
| | 458 | } |
| | 459 | } |
| | 460 | AppLayerResult::ok() |
| | 461 | } |
| | 462 | |
| | 463 | #[no_mangle] |
| | 464 | pub unsafe extern "C" fn rs_krb5_parse_response_tcp(_flow: *const core::Flow, |
| | 465 | state: *mut std::os::raw::c_void, |
| | 466 | _pstate: *mut std::os::raw::c_void, |
| | 467 | input: *const u8, |
| | 468 | input_len: u32, |
| | 469 | _data: *const std::os::raw::c_void, |
| | 470 | _flags: u8) -> AppLayerResult { |
| | 471 | let buf = build_slice!(input,input_len as usize); |
| | 472 | let state = cast_pointer!(state,KRB5State); |
| | 473 | |
| | 474 | let mut v : Vec<u8>; |
| | 475 | let tcp_buffer = match state.record_tc { |
| | 476 | 0 => buf, |
| | 477 | _ => { |
| | 478 | // sanity check to avoid memory exhaustion |
| | 479 | if state.defrag_buf_tc.len() + buf.len() > 100000 { |
| | 480 | SCLogDebug!("rs_krb5_parse_response_tcp: TCP buffer exploded {} {}", |
| | 481 | state.defrag_buf_tc.len(), buf.len()); |
| | 482 | return AppLayerResult::err(); |
| | 483 | } |
| | 484 | v = state.defrag_buf_tc.split_off(0); |
| | 485 | v.extend_from_slice(buf); |
| | 486 | v.as_slice() |
| | 487 | } |
| | 488 | }; |
| | 489 | let mut cur_i = tcp_buffer; |
| | 490 | while cur_i.len() > 0 { |
| | 491 | if state.record_tc == 0 { |
| | 492 | match be_u32(cur_i) as IResult<&[u8],_> { |
| | 493 | Ok((rem,record)) => { |
| | 494 | state.record_tc = record as usize; |
| | 495 | cur_i = rem; |
| | 496 | }, |
| | 497 | Err(nom::Err::Incomplete(_)) => { |
| | 498 | state.defrag_buf_tc.extend_from_slice(cur_i); |
| | 499 | return AppLayerResult::ok(); |
| | 500 | } |
| | 501 | _ => { |
| | 502 | SCLogDebug!("reading record mark failed!"); |
| | 503 | return AppLayerResult::ok(); |
| | 504 | } |
| | 505 | } |
| | 506 | } |
| | 507 | if cur_i.len() >= state.record_tc { |
| | 508 | if state.parse(cur_i, Direction::ToClient) < 0 { |
| | 509 | return AppLayerResult::err(); |
| | 510 | } |
| | 511 | state.record_tc = 0; |
| | 512 | cur_i = &cur_i[state.record_tc..]; |
| | 513 | } else { |
| | 514 | // more fragments required |
| | 515 | state.defrag_buf_tc.extend_from_slice(cur_i); |
| | 516 | return AppLayerResult::ok(); |
| | 517 | } |
| | 518 | } |
| | 519 | AppLayerResult::ok() |
| | 520 | } |
| | 521 | |
| | 522 | export_tx_data_get!(rs_krb5_get_tx_data, KRB5Transaction); |
| | 523 | |
| | 524 | const PARSER_NAME : &'static [u8] = b"krb5\0"; |
| | 525 | |
| | 526 | #[no_mangle] |
| | 527 | pub unsafe extern "C" fn rs_register_krb5_parser() { |
| | 528 | let default_port = CString::new("88").unwrap(); |
| | 529 | let mut parser = RustParser { |
| | 530 | name : PARSER_NAME.as_ptr() as *const std::os::raw::c_char, |
| | 531 | default_port : default_port.as_ptr(), |
| | 532 | ipproto : core::IPPROTO_UDP, |
| | 533 | probe_ts : Some(rs_krb5_probing_parser), |
| | 534 | probe_tc : Some(rs_krb5_probing_parser), |
| | 535 | min_depth : 0, |
| | 536 | max_depth : 16, |
| | 537 | state_new : rs_krb5_state_new, |
| | 538 | state_free : rs_krb5_state_free, |
| | 539 | tx_free : rs_krb5_state_tx_free, |
| | 540 | parse_ts : rs_krb5_parse_request, |
| | 541 | parse_tc : rs_krb5_parse_response, |
| | 542 | get_tx_count : rs_krb5_state_get_tx_count, |
| | 543 | get_tx : rs_krb5_state_get_tx, |
| | 544 | tx_comp_st_ts : 1, |
| | 545 | tx_comp_st_tc : 1, |
| | 546 | tx_get_progress : rs_krb5_tx_get_alstate_progress, |
| | 547 | get_eventinfo : Some(KRB5Event::get_event_info), |
| | 548 | get_eventinfo_byid : Some(KRB5Event::get_event_info_by_id), |
| | 549 | localstorage_new : None, |
| | 550 | localstorage_free : None, |
| | 551 | get_files : None, |
| | 552 | get_tx_iterator : Some(applayer::state_get_tx_iterator::<KRB5State, KRB5Transaction>), |
| | 553 | get_tx_data : rs_krb5_get_tx_data, |
| | 554 | apply_tx_config : None, |
| | 555 | flags : APP_LAYER_PARSER_OPT_UNIDIR_TXS, |
| | 556 | truncate : None, |
| | 557 | }; |
| | 558 | // register UDP parser |
| | 559 | let ip_proto_str = CString::new("udp").unwrap(); |
| | 560 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { |
| | 561 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); |
| | 562 | // store the allocated ID for the probe function |
| | 563 | ALPROTO_KRB5 = alproto; |
| | 564 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { |
| | 565 | let _ = AppLayerRegisterParser(&parser, alproto); |
| | 566 | } |
| | 567 | } else { |
| | 568 | SCLogDebug!("Protocol detector and parser disabled for KRB5/UDP."); |
| | 569 | } |
| | 570 | // register TCP parser |
| | 571 | parser.ipproto = core::IPPROTO_TCP; |
| | 572 | parser.probe_ts = Some(rs_krb5_probing_parser_tcp); |
| | 573 | parser.probe_tc = Some(rs_krb5_probing_parser_tcp); |
| | 574 | parser.parse_ts = rs_krb5_parse_request_tcp; |
| | 575 | parser.parse_tc = rs_krb5_parse_response_tcp; |
| | 576 | let ip_proto_str = CString::new("tcp").unwrap(); |
| | 577 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { |
| | 578 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); |
| | 579 | // store the allocated ID for the probe function |
| | 580 | ALPROTO_KRB5 = alproto; |
| | 581 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { |
| | 582 | let _ = AppLayerRegisterParser(&parser, alproto); |
| | 583 | } |
| | 584 | } else { |
| | 585 | SCLogDebug!("Protocol detector and parser disabled for KRB5/TCP."); |
| | 586 | } |
| | 587 | } |
projects / people / ms / suricata.git / blame_incremental