projects / people / ms / suricata.git / blame
| Commit | Line | Data |
|---|---|---|
| 2f5834cd | 1 | /* Copyright (C) 2017-2020 Open Information Security Foundation |
| 77f0c11c PC |
2 | * |
| 3 | * You can copy, redistribute or modify this Program under the terms of | |
| 4 | * the GNU General Public License version 2 as published by the Free | |
| 5 | * Software Foundation. | |
| 6 | * | |
| 7 | * This program is distributed in the hope that it will be useful, | |
| 8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 10 | * GNU General Public License for more details. | |
| 11 | * | |
| 12 | * You should have received a copy of the GNU General Public License | |
| 13 | * version 2 along with this program; if not, write to the Free Software | |
| 14 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA | |
| 15 | * 02110-1301, USA. | |
| 16 | */ | |
| 17 | ||
| 18 | // written by Pierre Chifflier <chifflier@wzdftpd.net> | |
| 19 | ||
| 77f0c11c | 20 | use std; |
| e92cb36b | 21 | use std::ffi::CString; |
| 13b73997 | 22 | use nom; |
| f3ddd712 | 23 | use nom::IResult; |
| 44250067 | 24 | use nom::number::streaming::be_u32; |
| 5b809f77 | 25 | use der_parser::der::der_read_element_header; |
| 6b8517dc | 26 | use der_parser::ber::BerClass; |
| 77f0c11c | 27 | use kerberos_parser::krb5_parser; |
| 3a017f61 | 28 | use kerberos_parser::krb5::{EncryptionType,ErrorCode,MessageType,PrincipalName,Realm}; |
| 2f5834cd | 29 | use crate::applayer::{self, *}; |
| 9c67c634 JI |
30 | use crate::core; |
| 31 | use crate::core::{AppProto,Flow,ALPROTO_FAILED,ALPROTO_UNKNOWN,Direction}; | |
| 77f0c11c | 32 | |
| e92cb36b | 33 | #[derive(AppLayerEvent)] |
| 77f0c11c | 34 | pub enum KRB5Event { |
| e92cb36b | 35 | MalformedData, |
| 50370511 | 36 | WeakEncryption, |
| 77f0c11c PC |
37 | } |
| 38 | ||
| 39 | pub struct KRB5State { | |
| 40 | pub req_id: u8, | |
| 41 | ||
| e9ae62ed PC |
42 | pub record_ts: usize, |
| 43 | pub defrag_buf_ts: Vec<u8>, | |
| 44 | pub record_tc: usize, | |
| 45 | pub defrag_buf_tc: Vec<u8>, | |
| 46 | ||
| 77f0c11c PC |
47 | /// List of transactions for this session |
| 48 | transactions: Vec<KRB5Transaction>, | |
| 49 | ||
| 50 | /// tx counter for assigning incrementing id's to tx's | |
| 51 | tx_id: u64, | |
| 52 | } | |
| 53 | ||
| 238ec953 JI |
54 | impl State<KRB5Transaction> for KRB5State { |
| 55 | fn get_transactions(&self) -> &[KRB5Transaction] { | |
| 56 | &self.transactions | |
| 57 | } | |
| 58 | } | |
| 59 | ||
| 77f0c11c PC |
60 | pub struct KRB5Transaction { |
| 61 | /// The message type: AS-REQ, AS-REP, etc. | |
| 62 | pub msg_type: MessageType, | |
| 63 | ||
| 64 | /// The client PrincipalName, if present | |
| 65 | pub cname: Option<PrincipalName>, | |
| 66 | /// The server Realm, if present | |
| 67 | pub realm: Option<Realm>, | |
| 68 | /// The server PrincipalName, if present | |
| 69 | pub sname: Option<PrincipalName>, | |
| 70 | ||
| 71 | /// Encryption used (only in AS-REP and TGS-REP) | |
| 72 | pub etype: Option<EncryptionType>, | |
| 73 | ||
| 52f5c791 | 74 | /// Error code, if request has failed |
| 3a017f61 | 75 | pub error_code: Option<ErrorCode>, |
| 52f5c791 | 76 | |
| 77f0c11c PC |
77 | /// The internal transaction id |
| 78 | id: u64, | |
| 79 | ||
| 9f29366c | 80 | tx_data: applayer::AppLayerTxData, |
| 77f0c11c PC |
81 | } |
| 82 | ||
| 238ec953 JI |
83 | impl Transaction for KRB5Transaction { |
| 84 | fn id(&self) -> u64 { | |
| 85 | self.id | |
| 86 | } | |
| 87 | } | |
| 88 | ||
| 77f0c11c PC |
89 | pub fn to_hex_string(bytes: &[u8]) -> String { |
| 90 | let mut s = String::new(); | |
| 91 | for &b in bytes { | |
| 92 | s.push_str(&format!("{:02X}", b)); | |
| 93 | } | |
| 94 | s | |
| 95 | } | |
| 96 | ||
| 97 | impl KRB5State { | |
| 98 | pub fn new() -> KRB5State { | |
| 99 | KRB5State{ | |
| 100 | req_id: 0, | |
| e9ae62ed PC |
101 | record_ts: 0, |
| 102 | defrag_buf_ts: Vec::new(), | |
| 103 | record_tc: 0, | |
| 104 | defrag_buf_tc: Vec::new(), | |
| 77f0c11c PC |
105 | transactions: Vec::new(), |
| 106 | tx_id: 0, | |
| 107 | } | |
| 108 | } | |
| 109 | ||
| 110 | /// Parse a Kerberos request message | |
| 111 | /// | |
| 44d3f264 | 112 | /// Returns 0 in case of success, or -1 on error |
| 209e2f17 | 113 | fn parse(&mut self, i: &[u8], _direction: Direction) -> i32 { |
| 77f0c11c | 114 | match der_read_element_header(i) { |
| 13b73997 | 115 | Ok((_rem,hdr)) => { |
| 77f0c11c | 116 | // Kerberos messages start with an APPLICATION header |
| 6b8517dc | 117 | if hdr.class != BerClass::Application { return 0; } |
| 5b809f77 | 118 | match hdr.tag.0 { |
| 77f0c11c | 119 | 10 => { |
| 5b809f77 | 120 | self.req_id = 10; |
| 77f0c11c PC |
121 | }, |
| 122 | 11 => { | |
| 123 | let res = krb5_parser::parse_as_rep(i); | |
| 13b73997 | 124 | if let Ok((_,kdc_rep)) = res { |
| 77f0c11c PC |
125 | let mut tx = self.new_tx(); |
| 126 | tx.msg_type = MessageType::KRB_AS_REP; | |
| 127 | tx.cname = Some(kdc_rep.cname); | |
| 128 | tx.realm = Some(kdc_rep.crealm); | |
| 129 | tx.sname = Some(kdc_rep.ticket.sname); | |
| 130 | tx.etype = Some(kdc_rep.enc_part.etype); | |
| 131 | self.transactions.push(tx); | |
| 50370511 PC |
132 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
| 133 | self.set_event(KRB5Event::WeakEncryption); | |
| 134 | } | |
| 13b73997 | 135 | }; |
| 77f0c11c PC |
136 | self.req_id = 0; |
| 137 | }, | |
| 138 | 12 => { | |
| 5b809f77 | 139 | self.req_id = 12; |
| 77f0c11c PC |
140 | }, |
| 141 | 13 => { | |
| 142 | let res = krb5_parser::parse_tgs_rep(i); | |
| 13b73997 | 143 | if let Ok((_,kdc_rep)) = res { |
| 77f0c11c PC |
144 | let mut tx = self.new_tx(); |
| 145 | tx.msg_type = MessageType::KRB_TGS_REP; | |
| 146 | tx.cname = Some(kdc_rep.cname); | |
| 147 | tx.realm = Some(kdc_rep.crealm); | |
| 148 | tx.sname = Some(kdc_rep.ticket.sname); | |
| 149 | tx.etype = Some(kdc_rep.enc_part.etype); | |
| 150 | self.transactions.push(tx); | |
| 50370511 PC |
151 | if test_weak_encryption(kdc_rep.enc_part.etype) { |
| 152 | self.set_event(KRB5Event::WeakEncryption); | |
| 153 | } | |
| 13b73997 | 154 | }; |
| 77f0c11c PC |
155 | self.req_id = 0; |
| 156 | }, | |
| 157 | 14 => { | |
| 5b809f77 | 158 | self.req_id = 14; |
| 77f0c11c PC |
159 | }, |
| 160 | 15 => { | |
| 161 | self.req_id = 0; | |
| 162 | }, | |
| 163 | 30 => { | |
| 52f5c791 | 164 | let res = krb5_parser::parse_krb_error(i); |
| 13b73997 | 165 | if let Ok((_,error)) = res { |
| 52f5c791 PC |
166 | let mut tx = self.new_tx(); |
| 167 | tx.msg_type = MessageType(self.req_id as u32); | |
| 168 | tx.cname = error.cname; | |
| 169 | tx.realm = error.crealm; | |
| 170 | tx.sname = Some(error.sname); | |
| 171 | tx.error_code = Some(error.error_code); | |
| 172 | self.transactions.push(tx); | |
| 13b73997 | 173 | }; |
| 77f0c11c PC |
174 | self.req_id = 0; |
| 175 | }, | |
| 176 | _ => { SCLogDebug!("unknown/unsupported tag {}", hdr.tag); }, | |
| 177 | } | |
| 178 | 0 | |
| 179 | }, | |
| 13b73997 | 180 | Err(nom::Err::Incomplete(_)) => { |
| 77f0c11c PC |
181 | SCLogDebug!("Insufficient data while parsing KRB5 data"); |
| 182 | self.set_event(KRB5Event::MalformedData); | |
| 183 | -1 | |
| 184 | }, | |
| 13b73997 | 185 | Err(_) => { |
| 77f0c11c PC |
186 | SCLogDebug!("Error while parsing KRB5 data"); |
| 187 | self.set_event(KRB5Event::MalformedData); | |
| 188 | -1 | |
| 189 | }, | |
| 190 | } | |
| 191 | } | |
| 192 | ||
| 77f0c11c PC |
193 | pub fn free(&mut self) { |
| 194 | // All transactions are freed when the `transactions` object is freed. | |
| 195 | // But let's be explicit | |
| 196 | self.transactions.clear(); | |
| 197 | } | |
| 198 | ||
| 199 | fn new_tx(&mut self) -> KRB5Transaction { | |
| 200 | self.tx_id += 1; | |
| 201 | KRB5Transaction::new(self.tx_id) | |
| 202 | } | |
| 203 | ||
| 204 | fn get_tx_by_id(&mut self, tx_id: u64) -> Option<&KRB5Transaction> { | |
| 205 | self.transactions.iter().find(|&tx| tx.id == tx_id + 1) | |
| 206 | } | |
| 207 | ||
| 208 | fn free_tx(&mut self, tx_id: u64) { | |
| 69cf5c9e | 209 | let tx = self.transactions.iter().position(|tx| tx.id == tx_id + 1); |
| 77f0c11c PC |
210 | debug_assert!(tx != None); |
| 211 | if let Some(idx) = tx { | |
| 212 | let _ = self.transactions.remove(idx); | |
| 213 | } | |
| 214 | } | |
| 215 | ||
| 216 | /// Set an event. The event is set on the most recent transaction. | |
| 217 | fn set_event(&mut self, event: KRB5Event) { | |
| 218 | if let Some(tx) = self.transactions.last_mut() { | |
| 7732efbe | 219 | tx.tx_data.set_event(event as u8); |
| 77f0c11c PC |
220 | } |
| 221 | } | |
| 222 | } | |
| 223 | ||
| 224 | impl KRB5Transaction { | |
| 225 | pub fn new(id: u64) -> KRB5Transaction { | |
| 226 | KRB5Transaction{ | |
| 227 | msg_type: MessageType(0), | |
| 228 | cname: None, | |
| 229 | realm: None, | |
| 230 | sname: None, | |
| 231 | etype: None, | |
| 52f5c791 | 232 | error_code: None, |
| 77f0c11c | 233 | id: id, |
| 9f29366c | 234 | tx_data: applayer::AppLayerTxData::new(), |
| 77f0c11c PC |
235 | } |
| 236 | } | |
| 237 | } | |
| 238 | ||
| 50370511 PC |
239 | /// Return true if Kerberos `EncryptionType` is weak |
| 240 | pub fn test_weak_encryption(alg:EncryptionType) -> bool { | |
| 241 | match alg { | |
| 242 | EncryptionType::AES128_CTS_HMAC_SHA1_96 | | |
| 243 | EncryptionType::AES256_CTS_HMAC_SHA1_96 | | |
| 244 | EncryptionType::AES128_CTS_HMAC_SHA256_128 | | |
| 245 | EncryptionType::AES256_CTS_HMAC_SHA384_192 | | |
| 246 | EncryptionType::CAMELLIA128_CTS_CMAC | | |
| 247 | EncryptionType::CAMELLIA256_CTS_CMAC => false, | |
| 248 | _ => true, // all other ciphers are weak or deprecated | |
| 249 | } | |
| 250 | } | |
| 251 | ||
| 252 | ||
| 77f0c11c PC |
253 | |
| 254 | ||
| 255 | ||
| 256 | /// Returns *mut KRB5State | |
| 257 | #[no_mangle] | |
| 547d6c2d | 258 | pub extern "C" fn rs_krb5_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void { |
| 77f0c11c PC |
259 | let state = KRB5State::new(); |
| 260 | let boxed = Box::new(state); | |
| 53413f2d | 261 | return Box::into_raw(boxed) as *mut _; |
| 77f0c11c PC |
262 | } |
| 263 | ||
| 264 | /// Params: | |
| 265 | /// - state: *mut KRB5State as void pointer | |
| 266 | #[no_mangle] | |
| 3f6624bf | 267 | pub extern "C" fn rs_krb5_state_free(state: *mut std::os::raw::c_void) { |
| 53413f2d | 268 | let mut state: Box<KRB5State> = unsafe{Box::from_raw(state as _)}; |
| 77f0c11c PC |
269 | state.free(); |
| 270 | } | |
| 271 | ||
| 272 | #[no_mangle] | |
| 363b5f99 | 273 | pub unsafe extern "C" fn rs_krb5_state_get_tx(state: *mut std::os::raw::c_void, |
| bf1bd407 | 274 | tx_id: u64) |
| 3f6624bf | 275 | -> *mut std::os::raw::c_void |
| 77f0c11c PC |
276 | { |
| 277 | let state = cast_pointer!(state,KRB5State); | |
| 278 | match state.get_tx_by_id(tx_id) { | |
| 53413f2d | 279 | Some(tx) => tx as *const _ as *mut _, |
| 77f0c11c PC |
280 | None => std::ptr::null_mut(), |
| 281 | } | |
| 282 | } | |
| 283 | ||
| 284 | #[no_mangle] | |
| 363b5f99 | 285 | pub unsafe extern "C" fn rs_krb5_state_get_tx_count(state: *mut std::os::raw::c_void) |
| bf1bd407 | 286 | -> u64 |
| 77f0c11c PC |
287 | { |
| 288 | let state = cast_pointer!(state,KRB5State); | |
| 289 | state.tx_id | |
| 290 | } | |
| 291 | ||
| 292 | #[no_mangle] | |
| 363b5f99 | 293 | pub unsafe extern "C" fn rs_krb5_state_tx_free(state: *mut std::os::raw::c_void, |
| bf1bd407 | 294 | tx_id: u64) |
| 77f0c11c PC |
295 | { |
| 296 | let state = cast_pointer!(state,KRB5State); | |
| 297 | state.free_tx(tx_id); | |
| 298 | } | |
| 299 | ||
| 77f0c11c | 300 | #[no_mangle] |
| 3f6624bf | 301 | pub extern "C" fn rs_krb5_tx_get_alstate_progress(_tx: *mut std::os::raw::c_void, |
| bf1bd407 | 302 | _direction: u8) |
| 3f6624bf | 303 | -> std::os::raw::c_int |
| 77f0c11c PC |
304 | { |
| 305 | 1 | |
| 306 | } | |
| 307 | ||
| 77f0c11c PC |
308 | static mut ALPROTO_KRB5 : AppProto = ALPROTO_UNKNOWN; |
| 309 | ||
| 310 | #[no_mangle] | |
| 363b5f99 | 311 | pub unsafe extern "C" fn rs_krb5_probing_parser(_flow: *const Flow, |
| 422e4892 | 312 | _direction: u8, |
| bf1bd407 | 313 | input:*const u8, input_len: u32, |
| 422e4892 VJ |
314 | _rdir: *mut u8) -> AppProto |
| 315 | { | |
| 77f0c11c | 316 | let slice = build_slice!(input,input_len as usize); |
| 363b5f99 JI |
317 | let alproto = ALPROTO_KRB5; |
| 318 | if slice.len() <= 10 { return ALPROTO_FAILED; } | |
| 77f0c11c | 319 | match der_read_element_header(slice) { |
| 13b73997 | 320 | Ok((rem, ref hdr)) => { |
| 77f0c11c | 321 | // Kerberos messages start with an APPLICATION header |
| 363b5f99 | 322 | if hdr.class != BerClass::Application { return ALPROTO_FAILED; } |
| 77f0c11c | 323 | // Tag number should be <= 30 |
| 363b5f99 | 324 | if hdr.tag.0 > 30 { return ALPROTO_FAILED; } |
| 77f0c11c | 325 | // Kerberos messages contain sequences |
| 363b5f99 | 326 | if rem.is_empty() || rem[0] != 0x30 { return ALPROTO_FAILED; } |
| 645ba175 | 327 | // Check kerberos version |
| 13b73997 | 328 | if let Ok((rem,_hdr)) = der_read_element_header(rem) { |
| 645ba175 PC |
329 | if rem.len() > 5 { |
| 330 | match (rem[2],rem[3],rem[4]) { | |
| 331 | // Encoding of DER integer 5 (version) | |
| 332 | (2,1,5) => { return alproto; }, | |
| 333 | _ => (), | |
| 334 | } | |
| 335 | } | |
| 336 | } | |
| 363b5f99 | 337 | return ALPROTO_FAILED; |
| 77f0c11c | 338 | }, |
| 13b73997 | 339 | Err(nom::Err::Incomplete(_)) => { |
| 77f0c11c PC |
340 | return ALPROTO_UNKNOWN; |
| 341 | }, | |
| 13b73997 | 342 | Err(_) => { |
| 363b5f99 | 343 | return ALPROTO_FAILED; |
| 77f0c11c PC |
344 | }, |
| 345 | } | |
| 346 | } | |
| 347 | ||
| 1e5f5d40 | 348 | #[no_mangle] |
| 363b5f99 | 349 | pub unsafe extern "C" fn rs_krb5_probing_parser_tcp(_flow: *const Flow, |
| 422e4892 | 350 | direction: u8, |
| bf1bd407 | 351 | input:*const u8, input_len: u32, |
| 422e4892 VJ |
352 | rdir: *mut u8) -> AppProto |
| 353 | { | |
| 1e5f5d40 | 354 | let slice = build_slice!(input,input_len as usize); |
| 363b5f99 | 355 | if slice.len() <= 14 { return ALPROTO_FAILED; } |
| f3ddd712 | 356 | match be_u32(slice) as IResult<&[u8],u32> { |
| 13b73997 | 357 | Ok((rem, record_mark)) => { |
| 3eade88b | 358 | // protocol implementations forbid very large requests |
| 363b5f99 | 359 | if record_mark > 16384 { return ALPROTO_FAILED; } |
| 422e4892 VJ |
360 | return rs_krb5_probing_parser(_flow, direction, |
| 361 | rem.as_ptr(), rem.len() as u32, rdir); | |
| 1e5f5d40 | 362 | }, |
| 13b73997 | 363 | Err(nom::Err::Incomplete(_)) => { |
| 1e5f5d40 PC |
364 | return ALPROTO_UNKNOWN; |
| 365 | }, | |
| 13b73997 | 366 | Err(_) => { |
| 363b5f99 | 367 | return ALPROTO_FAILED; |
| 1e5f5d40 PC |
368 | }, |
| 369 | } | |
| 370 | } | |
| 371 | ||
| 77f0c11c | 372 | #[no_mangle] |
| 363b5f99 | 373 | pub unsafe extern "C" fn rs_krb5_parse_request(_flow: *const core::Flow, |
| 3f6624bf VJ |
374 | state: *mut std::os::raw::c_void, |
| 375 | _pstate: *mut std::os::raw::c_void, | |
| bf1bd407 | 376 | input: *const u8, |
| 77f0c11c | 377 | input_len: u32, |
| 3f6624bf | 378 | _data: *const std::os::raw::c_void, |
| 44d3f264 | 379 | _flags: u8) -> AppLayerResult { |
| 77f0c11c PC |
380 | let buf = build_slice!(input,input_len as usize); |
| 381 | let state = cast_pointer!(state,KRB5State); | |
| 209e2f17 | 382 | if state.parse(buf, Direction::ToServer) < 0 { |
| 44d3f264 VJ |
383 | return AppLayerResult::err(); |
| 384 | } | |
| 385 | AppLayerResult::ok() | |
| 77f0c11c PC |
386 | } |
| 387 | ||
| 388 | #[no_mangle] | |
| 363b5f99 | 389 | pub unsafe extern "C" fn rs_krb5_parse_response(_flow: *const core::Flow, |
| 3f6624bf VJ |
390 | state: *mut std::os::raw::c_void, |
| 391 | _pstate: *mut std::os::raw::c_void, | |
| bf1bd407 | 392 | input: *const u8, |
| 77f0c11c | 393 | input_len: u32, |
| 3f6624bf | 394 | _data: *const std::os::raw::c_void, |
| 44d3f264 | 395 | _flags: u8) -> AppLayerResult { |
| 77f0c11c PC |
396 | let buf = build_slice!(input,input_len as usize); |
| 397 | let state = cast_pointer!(state,KRB5State); | |
| 209e2f17 | 398 | if state.parse(buf, Direction::ToClient) < 0 { |
| 44d3f264 VJ |
399 | return AppLayerResult::err(); |
| 400 | } | |
| 401 | AppLayerResult::ok() | |
| 77f0c11c PC |
402 | } |
| 403 | ||
| 1e5f5d40 | 404 | #[no_mangle] |
| 363b5f99 | 405 | pub unsafe extern "C" fn rs_krb5_parse_request_tcp(_flow: *const core::Flow, |
| 3f6624bf VJ |
406 | state: *mut std::os::raw::c_void, |
| 407 | _pstate: *mut std::os::raw::c_void, | |
| bf1bd407 | 408 | input: *const u8, |
| 1e5f5d40 | 409 | input_len: u32, |
| 3f6624bf | 410 | _data: *const std::os::raw::c_void, |
| 44d3f264 | 411 | _flags: u8) -> AppLayerResult { |
| 1e5f5d40 PC |
412 | let buf = build_slice!(input,input_len as usize); |
| 413 | let state = cast_pointer!(state,KRB5State); | |
| e9ae62ed PC |
414 | |
| 415 | let mut v : Vec<u8>; | |
| e9ae62ed PC |
416 | let tcp_buffer = match state.record_ts { |
| 417 | 0 => buf, | |
| 418 | _ => { | |
| 419 | // sanity check to avoid memory exhaustion | |
| 420 | if state.defrag_buf_ts.len() + buf.len() > 100000 { | |
| 12c2d18c | 421 | SCLogDebug!("rs_krb5_parse_request_tcp: TCP buffer exploded {} {}", |
| e9ae62ed | 422 | state.defrag_buf_ts.len(), buf.len()); |
| 44d3f264 | 423 | return AppLayerResult::err(); |
| e9ae62ed PC |
424 | } |
| 425 | v = state.defrag_buf_ts.split_off(0); | |
| 426 | v.extend_from_slice(buf); | |
| 427 | v.as_slice() | |
| 428 | } | |
| 429 | }; | |
| 430 | let mut cur_i = tcp_buffer; | |
| 431 | while cur_i.len() > 0 { | |
| 432 | if state.record_ts == 0 { | |
| f3ddd712 | 433 | match be_u32(cur_i) as IResult<&[u8],u32> { |
| 13b73997 | 434 | Ok((rem,record)) => { |
| e9ae62ed PC |
435 | state.record_ts = record as usize; |
| 436 | cur_i = rem; | |
| 437 | }, | |
| 23f796a0 PA |
438 | Err(nom::Err::Incomplete(_)) => { |
| 439 | state.defrag_buf_ts.extend_from_slice(cur_i); | |
| 44d3f264 | 440 | return AppLayerResult::ok(); |
| 23f796a0 | 441 | } |
| e9ae62ed | 442 | _ => { |
| 7bc3c3ac | 443 | SCLogDebug!("rs_krb5_parse_request_tcp: reading record mark failed!"); |
| 44d3f264 | 444 | return AppLayerResult::err(); |
| e9ae62ed PC |
445 | } |
| 446 | } | |
| 447 | } | |
| 448 | if cur_i.len() >= state.record_ts { | |
| 209e2f17 | 449 | if state.parse(cur_i, Direction::ToServer) < 0 { |
| 44d3f264 | 450 | return AppLayerResult::err(); |
| e9ae62ed PC |
451 | } |
| 452 | state.record_ts = 0; | |
| 453 | cur_i = &cur_i[state.record_ts..]; | |
| 454 | } else { | |
| 455 | // more fragments required | |
| 456 | state.defrag_buf_ts.extend_from_slice(cur_i); | |
| 44d3f264 | 457 | return AppLayerResult::ok(); |
| e9ae62ed PC |
458 | } |
| 459 | } | |
| 44d3f264 | 460 | AppLayerResult::ok() |
| 1e5f5d40 PC |
461 | } |
| 462 | ||
| 463 | #[no_mangle] | |
| 363b5f99 | 464 | pub unsafe extern "C" fn rs_krb5_parse_response_tcp(_flow: *const core::Flow, |
| 3f6624bf VJ |
465 | state: *mut std::os::raw::c_void, |
| 466 | _pstate: *mut std::os::raw::c_void, | |
| bf1bd407 | 467 | input: *const u8, |
| 1e5f5d40 | 468 | input_len: u32, |
| 3f6624bf | 469 | _data: *const std::os::raw::c_void, |
| 44d3f264 | 470 | _flags: u8) -> AppLayerResult { |
| 1e5f5d40 PC |
471 | let buf = build_slice!(input,input_len as usize); |
| 472 | let state = cast_pointer!(state,KRB5State); | |
| e9ae62ed PC |
473 | |
| 474 | let mut v : Vec<u8>; | |
| e9ae62ed PC |
475 | let tcp_buffer = match state.record_tc { |
| 476 | 0 => buf, | |
| 477 | _ => { | |
| 478 | // sanity check to avoid memory exhaustion | |
| 479 | if state.defrag_buf_tc.len() + buf.len() > 100000 { | |
| 480 | SCLogDebug!("rs_krb5_parse_response_tcp: TCP buffer exploded {} {}", | |
| 481 | state.defrag_buf_tc.len(), buf.len()); | |
| 44d3f264 | 482 | return AppLayerResult::err(); |
| e9ae62ed PC |
483 | } |
| 484 | v = state.defrag_buf_tc.split_off(0); | |
| 485 | v.extend_from_slice(buf); | |
| 486 | v.as_slice() | |
| 487 | } | |
| 488 | }; | |
| 489 | let mut cur_i = tcp_buffer; | |
| 490 | while cur_i.len() > 0 { | |
| 491 | if state.record_tc == 0 { | |
| f3ddd712 | 492 | match be_u32(cur_i) as IResult<&[u8],_> { |
| 13b73997 | 493 | Ok((rem,record)) => { |
| e9ae62ed PC |
494 | state.record_tc = record as usize; |
| 495 | cur_i = rem; | |
| 496 | }, | |
| 23f796a0 PA |
497 | Err(nom::Err::Incomplete(_)) => { |
| 498 | state.defrag_buf_tc.extend_from_slice(cur_i); | |
| 44d3f264 | 499 | return AppLayerResult::ok(); |
| 23f796a0 | 500 | } |
| e9ae62ed | 501 | _ => { |
| 76dd9515 | 502 | SCLogDebug!("reading record mark failed!"); |
| 44d3f264 | 503 | return AppLayerResult::ok(); |
| e9ae62ed PC |
504 | } |
| 505 | } | |
| 506 | } | |
| 507 | if cur_i.len() >= state.record_tc { | |
| 209e2f17 | 508 | if state.parse(cur_i, Direction::ToClient) < 0 { |
| 44d3f264 | 509 | return AppLayerResult::err(); |
| e9ae62ed PC |
510 | } |
| 511 | state.record_tc = 0; | |
| 512 | cur_i = &cur_i[state.record_tc..]; | |
| 513 | } else { | |
| 514 | // more fragments required | |
| 515 | state.defrag_buf_tc.extend_from_slice(cur_i); | |
| 44d3f264 | 516 | return AppLayerResult::ok(); |
| e9ae62ed PC |
517 | } |
| 518 | } | |
| 44d3f264 | 519 | AppLayerResult::ok() |
| 1e5f5d40 PC |
520 | } |
| 521 | ||
| 9f29366c | 522 | export_tx_data_get!(rs_krb5_get_tx_data, KRB5Transaction); |
| 77f0c11c PC |
523 | |
| 524 | const PARSER_NAME : &'static [u8] = b"krb5\0"; | |
| 525 | ||
| 526 | #[no_mangle] | |
| 527 | pub unsafe extern "C" fn rs_register_krb5_parser() { | |
| 528 | let default_port = CString::new("88").unwrap(); | |
| 1e5f5d40 | 529 | let mut parser = RustParser { |
| 12c2d18c JL |
530 | name : PARSER_NAME.as_ptr() as *const std::os::raw::c_char, |
| 531 | default_port : default_port.as_ptr(), | |
| 532 | ipproto : core::IPPROTO_UDP, | |
| 66632465 PA |
533 | probe_ts : Some(rs_krb5_probing_parser), |
| 534 | probe_tc : Some(rs_krb5_probing_parser), | |
| 12c2d18c JL |
535 | min_depth : 0, |
| 536 | max_depth : 16, | |
| 537 | state_new : rs_krb5_state_new, | |
| 538 | state_free : rs_krb5_state_free, | |
| 539 | tx_free : rs_krb5_state_tx_free, | |
| 540 | parse_ts : rs_krb5_parse_request, | |
| 541 | parse_tc : rs_krb5_parse_response, | |
| 542 | get_tx_count : rs_krb5_state_get_tx_count, | |
| 543 | get_tx : rs_krb5_state_get_tx, | |
| efc9a7a3 VJ |
544 | tx_comp_st_ts : 1, |
| 545 | tx_comp_st_tc : 1, | |
| 12c2d18c | 546 | tx_get_progress : rs_krb5_tx_get_alstate_progress, |
| e92cb36b JI |
547 | get_eventinfo : Some(KRB5Event::get_event_info), |
| 548 | get_eventinfo_byid : Some(KRB5Event::get_event_info_by_id), | |
| 12c2d18c JL |
549 | localstorage_new : None, |
| 550 | localstorage_free : None, | |
| 12c2d18c | 551 | get_files : None, |
| 238ec953 | 552 | get_tx_iterator : Some(applayer::state_get_tx_iterator::<KRB5State, KRB5Transaction>), |
| c94a5e63 | 553 | get_tx_data : rs_krb5_get_tx_data, |
| 5665fc83 | 554 | apply_tx_config : None, |
| f7dee602 | 555 | flags : APP_LAYER_PARSER_OPT_UNIDIR_TXS, |
| 4da0d9bd | 556 | truncate : None, |
| 77f0c11c | 557 | }; |
| 1e5f5d40 | 558 | // register UDP parser |
| 77f0c11c PC |
559 | let ip_proto_str = CString::new("udp").unwrap(); |
| 560 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
| 561 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); | |
| 562 | // store the allocated ID for the probe function | |
| 563 | ALPROTO_KRB5 = alproto; | |
| 564 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
| 565 | let _ = AppLayerRegisterParser(&parser, alproto); | |
| 566 | } | |
| 567 | } else { | |
| 12c2d18c | 568 | SCLogDebug!("Protocol detector and parser disabled for KRB5/UDP."); |
| 1e5f5d40 PC |
569 | } |
| 570 | // register TCP parser | |
| 0301ceab | 571 | parser.ipproto = core::IPPROTO_TCP; |
| 66632465 PA |
572 | parser.probe_ts = Some(rs_krb5_probing_parser_tcp); |
| 573 | parser.probe_tc = Some(rs_krb5_probing_parser_tcp); | |
| 1e5f5d40 PC |
574 | parser.parse_ts = rs_krb5_parse_request_tcp; |
| 575 | parser.parse_tc = rs_krb5_parse_response_tcp; | |
| 576 | let ip_proto_str = CString::new("tcp").unwrap(); | |
| 577 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
| 578 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); | |
| 579 | // store the allocated ID for the probe function | |
| 580 | ALPROTO_KRB5 = alproto; | |
| 581 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { | |
| 582 | let _ = AppLayerRegisterParser(&parser, alproto); | |
| 583 | } | |
| 584 | } else { | |
| 12c2d18c | 585 | SCLogDebug!("Protocol detector and parser disabled for KRB5/TCP."); |
| 77f0c11c PC |
586 | } |
| 587 | } |