[people/ms/suricata.git] / src / app-layer-smtp.h

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

#ifndef __APP_LAYER_SMTP_H__
#define __APP_LAYER_SMTP_H__

#include "decode-events.h"
#include "util-decode-mime.h"
#include "queue.h"
#include "util-streaming-buffer.h"
#include "rust.h"

enum {
    SMTP_DECODER_EVENT_INVALID_REPLY,
    SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST,
    SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE,
    SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED,
    SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE,
    SMTP_DECODER_EVENT_TLS_REJECTED,
    SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED,

    /* MIME Events */
    SMTP_DECODER_EVENT_MIME_PARSE_FAILED,
    SMTP_DECODER_EVENT_MIME_MALFORMED_MSG,
    SMTP_DECODER_EVENT_MIME_INVALID_BASE64,
    SMTP_DECODER_EVENT_MIME_INVALID_QP,
    SMTP_DECODER_EVENT_MIME_LONG_LINE,
    SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE,
    SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME,
    SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE,
    SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG,
    SMTP_DECODER_EVENT_MIME_LONG_FILENAME,

    /* Invalid behavior or content */
    SMTP_DECODER_EVENT_DUPLICATE_FIELDS,
    SMTP_DECODER_EVENT_UNPARSABLE_CONTENT,
};

typedef struct SMTPString_ {
    uint8_t *str;
    uint16_t len;

    TAILQ_ENTRY(SMTPString_) next;
} SMTPString;

typedef struct SMTPTransaction_ {
    /** id of this tx, starting at 0 */
    uint64_t tx_id;

    AppLayerTxData tx_data;

    int done;
    /** the first message contained in the session */
    MimeDecEntity *msg_head;
    /** the last message contained in the session */
    MimeDecEntity *msg_tail;
    /** the mime decoding parser state */
    MimeDecParseState *mime_state;

    /* MAIL FROM parameters */
    uint8_t *mail_from;
    uint16_t mail_from_len;

    TAILQ_HEAD(, SMTPString_) rcpt_to_list;  /**< rcpt to string list */

    TAILQ_ENTRY(SMTPTransaction_) next;
} SMTPTransaction;

typedef struct SMTPConfig {

    int decode_mime;
    MimeDecConfig mime_config;
    uint32_t content_limit;
    uint32_t content_inspect_min_size;
    uint32_t content_inspect_window;

    int raw_extraction;

    StreamingBufferConfig sbcfg;
} SMTPConfig;

typedef struct SMTPState_ {
    SMTPTransaction *curr_tx;
    TAILQ_HEAD(, SMTPTransaction_) tx_list;  /**< transaction list */
    uint64_t tx_cnt;
    uint64_t toserver_data_count;
    uint64_t toserver_last_data_stamp;

    /* current input that is being parsed */
    const uint8_t *input;
    int32_t input_len;
    uint8_t direction;

    /* --parser details-- */
    /** current line extracted by the parser from the call to SMTPGetline() */
    const uint8_t *current_line;
    /** length of the line in current_line.  Doesn't include the delimiter */
    int32_t current_line_len;
    uint8_t current_line_delimiter_len;

    /** used to indicate if the current_line buffer is a malloced buffer.  We
     * use a malloced buffer, if a line is fragmented */
    uint8_t *tc_db;
    int32_t tc_db_len;
    uint8_t tc_current_line_db;
    /** we have see LF for the currently parsed line */
    uint8_t tc_current_line_lf_seen;

    /** used to indicate if the current_line buffer is a malloced buffer.  We
     * use a malloced buffer, if a line is fragmented */
    uint8_t *ts_db;
    int32_t ts_db_len;
    uint8_t ts_current_line_db;
    /** we have see LF for the currently parsed line */
    uint8_t ts_current_line_lf_seen;

    /** var to indicate parser state */
    uint8_t parser_state;
    /** current command in progress */
    uint8_t current_command;
    /** bdat chunk len */
    uint32_t bdat_chunk_len;
    /** bdat chunk idx */
    uint32_t bdat_chunk_idx;

    /* the request commands are store here and the reply handler uses these
     * stored command in the buffer to match the reply(ies) with the command */
    /** the command buffer */
    uint8_t *cmds;
    /** the buffer length */
    uint16_t cmds_buffer_len;
    /** no of commands stored in the above buffer */
    uint16_t cmds_cnt;
    /** index of the command in the buffer, currently in inspection by reply
     *  handler */
    uint16_t cmds_idx;

    /* HELO of HELO message content */
    uint16_t helo_len;
    uint8_t *helo;

    /* SMTP Mime decoding and file extraction */
    /** the list of files sent to the server */
    FileContainer *files_ts;
    uint32_t file_track_id;
} SMTPState;

/* Create SMTP config structure */
extern SMTPConfig smtp_config;

int SMTPProcessDataChunk(const uint8_t *chunk, uint32_t len, MimeDecParseState *state);
void *SMTPStateAlloc(void *orig_state, AppProto proto_orig);
void RegisterSMTPParsers(void);
void SMTPParserCleanup(void);
void SMTPParserRegisterTests(void);

#endif /* __APP_LAYER_SMTP_H__ */
Commit	Line	Data
576ec7da AS	1	/* Copyright (C) 2007-2010 Open Information Security Foundation
	2	*
	3	* You can copy, redistribute or modify this Program under the terms of
	4	* the GNU General Public License version 2 as published by the Free
	5	* Software Foundation.
	6	*
	7	* This program is distributed in the hope that it will be useful,
	8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	10	* GNU General Public License for more details.
	11	*
	12	* You should have received a copy of the GNU General Public License
	13	* version 2 along with this program; if not, write to the Free Software
	14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
	15	* 02110-1301, USA.
	16	*/
	17
	18	/**
	19	* \file
	20	*
420befb1	21	* \author Anoop Saldanha <anoopsaldanha@gmail.com>
576ec7da AS	22	*/
	23
	24	#ifndef __APP_LAYER_SMTP_H__
	25	#define __APP_LAYER_SMTP_H__
	26
5311cd48	27	#include "decode-events.h"
54df8665	28	#include "util-decode-mime.h"
56b74c8b	29	#include "queue.h"
e43ce0a9	30	#include "util-streaming-buffer.h"
bc11a1c2	31	#include "rust.h"
5311cd48 AS	32
	33	enum {
	34	SMTP_DECODER_EVENT_INVALID_REPLY,
	35	SMTP_DECODER_EVENT_UNABLE_TO_MATCH_REPLY_WITH_REQUEST,
	36	SMTP_DECODER_EVENT_MAX_COMMAND_LINE_LEN_EXCEEDED,
	37	SMTP_DECODER_EVENT_MAX_REPLY_LINE_LEN_EXCEEDED,
	38	SMTP_DECODER_EVENT_INVALID_PIPELINED_SEQUENCE,
	39	SMTP_DECODER_EVENT_BDAT_CHUNK_LEN_EXCEEDED,
	40	SMTP_DECODER_EVENT_NO_SERVER_WELCOME_MESSAGE,
	41	SMTP_DECODER_EVENT_TLS_REJECTED,
	42	SMTP_DECODER_EVENT_DATA_COMMAND_REJECTED,
c2dc6867 DA	43
	44	/* MIME Events */
	45	SMTP_DECODER_EVENT_MIME_PARSE_FAILED,
	46	SMTP_DECODER_EVENT_MIME_MALFORMED_MSG,
	47	SMTP_DECODER_EVENT_MIME_INVALID_BASE64,
	48	SMTP_DECODER_EVENT_MIME_INVALID_QP,
	49	SMTP_DECODER_EVENT_MIME_LONG_LINE,
	50	SMTP_DECODER_EVENT_MIME_LONG_ENC_LINE,
	51	SMTP_DECODER_EVENT_MIME_LONG_HEADER_NAME,
	52	SMTP_DECODER_EVENT_MIME_LONG_HEADER_VALUE,
6d170cad	53	SMTP_DECODER_EVENT_MIME_BOUNDARY_TOO_LONG,
130b8d26	54	SMTP_DECODER_EVENT_MIME_LONG_FILENAME,
10e2e2a8 EL	55
	56	/* Invalid behavior or content */
	57	SMTP_DECODER_EVENT_DUPLICATE_FIELDS,
5dbedbfa	58	SMTP_DECODER_EVENT_UNPARSABLE_CONTENT,
5311cd48 AS	59	};
5311cd48 AS	60
752fdba9 EL	61	typedef struct SMTPString_ {
	62	uint8_t *str;
	63	uint16_t len;
	64
	65	TAILQ_ENTRY(SMTPString_) next;
	66	} SMTPString;
	67
56b74c8b VJ	68	typedef struct SMTPTransaction_ {
	69	/** id of this tx, starting at 0 */
	70	uint64_t tx_id;
73b59bda	71
bc11a1c2	72	AppLayerTxData tx_data;
73b59bda	73
d209699a	74	int done;
56b74c8b VJ	75	/** the first message contained in the session */
	76	MimeDecEntity *msg_head;
	77	/** the last message contained in the session */
	78	MimeDecEntity *msg_tail;
	79	/** the mime decoding parser state */
	80	MimeDecParseState *mime_state;
	81
7bca8268 EL	82	/* MAIL FROM parameters */
	83	uint8_t *mail_from;
	84	uint16_t mail_from_len;
	85
752fdba9 EL	86	TAILQ_HEAD(, SMTPString_) rcpt_to_list; /*< rcpt to string list /
752fdba9 EL	87
56b74c8b VJ	88	TAILQ_ENTRY(SMTPTransaction_) next;
	89	} SMTPTransaction;
	90
26ba647d GL	91	typedef struct SMTPConfig {
	92
	93	int decode_mime;
	94	MimeDecConfig mime_config;
	95	uint32_t content_limit;
	96	uint32_t content_inspect_min_size;
	97	uint32_t content_inspect_window;
e43ce0a9	98
46973511 MA	99	int raw_extraction;
46973511 MA	100
e43ce0a9	101	StreamingBufferConfig sbcfg;
26ba647d GL	102	} SMTPConfig;
26ba647d GL	103
576ec7da	104	typedef struct SMTPState_ {
56b74c8b VJ	105	SMTPTransaction *curr_tx;
	106	TAILQ_HEAD(, SMTPTransaction_) tx_list; /*< transaction list /
	107	uint64_t tx_cnt;
5f15e7c6 VJ	108	uint64_t toserver_data_count;
5f15e7c6 VJ	109	uint64_t toserver_last_data_stamp;
56b74c8b	110
576ec7da	111	/* current input that is being parsed */
579cc9f0	112	const uint8_t *input;
88115902 AS	113	int32_t input_len;
88115902 AS	114	uint8_t direction;
576ec7da AS	115
576ec7da AS	116	/* --parser details-- */
0468dbd5	117	/** current line extracted by the parser from the call to SMTPGetline() */
579cc9f0	118	const uint8_t *current_line;
0468dbd5	119	/** length of the line in current_line. Doesn't include the delimiter */
88115902	120	int32_t current_line_len;
d3ca65de	121	uint8_t current_line_delimiter_len;
88115902	122
0468dbd5	123	/** used to indicate if the current_line buffer is a malloced buffer. We
88115902 AS	124	* use a malloced buffer, if a line is fragmented */
	125	uint8_t *tc_db;
	126	int32_t tc_db_len;
	127	uint8_t tc_current_line_db;
0468dbd5	128	/** we have see LF for the currently parsed line */
88115902 AS	129	uint8_t tc_current_line_lf_seen;
88115902 AS	130
0468dbd5	131	/** used to indicate if the current_line buffer is a malloced buffer. We
576ec7da	132	* use a malloced buffer, if a line is fragmented */
88115902 AS	133	uint8_t *ts_db;
	134	int32_t ts_db_len;
	135	uint8_t ts_current_line_db;
0468dbd5	136	/** we have see LF for the currently parsed line */
88115902 AS	137	uint8_t ts_current_line_lf_seen;
88115902 AS	138
0468dbd5	139	/** var to indicate parser state */
576ec7da	140	uint8_t parser_state;
0468dbd5	141	/** current command in progress */
576ec7da	142	uint8_t current_command;
d3ca65de AS	143	/** bdat chunk len */
	144	uint32_t bdat_chunk_len;
	145	/** bdat chunk idx */
	146	uint32_t bdat_chunk_idx;
576ec7da AS	147
	148	/* the request commands are store here and the reply handler uses these
	149	* stored command in the buffer to match the reply(ies) with the command */
bc5c9f4a	150	/** the command buffer */
576ec7da	151	uint8_t *cmds;
bc5c9f4a VJ	152	/** the buffer length */
	153	uint16_t cmds_buffer_len;
	154	/** no of commands stored in the above buffer */
	155	uint16_t cmds_cnt;
	156	/** index of the command in the buffer, currently in inspection by reply
	157	* handler */
	158	uint16_t cmds_idx;
4d38a571	159
9132e403 VJ	160	/* HELO of HELO message content */
	161	uint16_t helo_len;
	162	uint8_t *helo;
	163
c2dc6867 DA	164	/* SMTP Mime decoding and file extraction */
	165	/** the list of files sent to the server */
	166	FileContainer *files_ts;
9132e403	167	uint32_t file_track_id;
576ec7da AS	168	} SMTPState;
576ec7da AS	169
d2657bec GL	170	/* Create SMTP config structure */
	171	extern SMTPConfig smtp_config;
	172
	173	int SMTPProcessDataChunk(const uint8_t chunk, uint32_t len, MimeDecParseState state);
547d6c2d	174	void SMTPStateAlloc(void orig_state, AppProto proto_orig);
576ec7da	175	void RegisterSMTPParsers(void);
7a0dbc6f	176	void SMTPParserCleanup(void);
576ec7da AS	177	void SMTPParserRegisterTests(void);
	178
	179	#endif /* __APP_LAYER_SMTP_H__ */