]> git.ipfire.org Git - people/ms/suricata.git/blob - rust/src/http2/http2.rs
projects / people / ms / suricata.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
http2: keep track of dynamic headers table size
[people/ms/suricata.git] / rust / src / http2 / http2.rs
1 /* Copyright (C) 2020 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18 use super::files::*;
19 use super::parser;
20 use crate::applayer::{self, *};
21 use crate::core::{
22 self, AppProto, Flow, SuricataFileContext, ALPROTO_FAILED, ALPROTO_UNKNOWN, IPPROTO_TCP,
23 STREAM_TOCLIENT, STREAM_TOSERVER,
24 };
25 use crate::filecontainer::*;
26 use crate::filetracker::*;
27 use nom;
28 use std;
29 use std::ffi::{CStr, CString};
30 use std::fmt;
31 use std::mem::transmute;
32
33 static mut ALPROTO_HTTP2: AppProto = ALPROTO_UNKNOWN;
34
35 const HTTP2_DEFAULT_MAX_FRAME_SIZE: u32 = 16384;
36 const HTTP2_MAX_HANDLED_FRAME_SIZE: usize = 65536;
37 const HTTP2_MIN_HANDLED_FRAME_SIZE: usize = 256;
38
39 pub static mut SURICATA_HTTP2_FILE_CONFIG: Option<&'static SuricataFileContext> = None;
40
41 #[no_mangle]
42 pub extern "C" fn rs_http2_init(context: &'static mut SuricataFileContext) {
43 unsafe {
44 SURICATA_HTTP2_FILE_CONFIG = Some(context);
45 }
46 }
47
48 #[repr(u8)]
49 #[derive(Copy, Clone, PartialOrd, PartialEq)]
50 pub enum HTTP2ConnectionState {
51 Http2StateInit = 0,
52 Http2StateMagicDone = 1,
53 }
54
55 const HTTP2_FRAME_HEADER_LEN: usize = 9;
56 const HTTP2_MAGIC_LEN: usize = 24;
57 const HTTP2_FRAME_GOAWAY_LEN: usize = 4;
58 const HTTP2_FRAME_RSTSTREAM_LEN: usize = 4;
59 const HTTP2_FRAME_PRIORITY_LEN: usize = 1;
60 const HTTP2_FRAME_WINDOWUPDATE_LEN: usize = 4;
61 //TODO make this configurable
62 pub const HTTP2_MAX_TABLESIZE: u32 = 0x10000; // 65536
63
64 #[repr(u8)]
65 #[derive(Copy, Clone, PartialOrd, PartialEq, Debug)]
66 pub enum HTTP2FrameUnhandledReason {
67 UnknownType = 0,
68 TooLong = 1,
69 ParsingError = 2,
70 Incomplete = 3,
71 }
72
73 impl fmt::Display for HTTP2FrameUnhandledReason {
74 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
75 write!(f, "{:?}", self)
76 }
77 }
78
79 #[derive(Debug)]
80 pub struct HTTP2FrameUnhandled {
81 pub reason: HTTP2FrameUnhandledReason,
82 }
83
84 pub enum HTTP2FrameTypeData {
85 PRIORITY(parser::HTTP2FramePriority),
86 GOAWAY(parser::HTTP2FrameGoAway),
87 RSTSTREAM(parser::HTTP2FrameRstStream),
88 SETTINGS(Vec<parser::HTTP2FrameSettings>),
89 WINDOWUPDATE(parser::HTTP2FrameWindowUpdate),
90 HEADERS(parser::HTTP2FrameHeaders),
91 PUSHPROMISE(parser::HTTP2FramePushPromise),
92 CONTINUATION(parser::HTTP2FrameContinuation),
93 PING,
94 DATA,
95 //not a defined frame
96 UNHANDLED(HTTP2FrameUnhandled),
97 }
98
99 #[repr(u8)]
100 #[derive(Copy, Clone, PartialOrd, PartialEq, Debug)]
101 pub enum HTTP2TransactionState {
102 HTTP2StateIdle = 0,
103 HTTP2StateOpen = 1,
104 HTTP2StateReserved = 2,
105 HTTP2StateDataClient = 3,
106 HTTP2StateHalfClosedClient = 4,
107 HTTP2StateDataServer = 5,
108 HTTP2StateHalfClosedServer = 6,
109 HTTP2StateClosed = 7,
110 //not a RFC-defined state, used for stream 0 frames appyling to the global connection
111 HTTP2StateGlobal = 8,
112 }
113
114 pub struct HTTP2Frame {
115 pub header: parser::HTTP2FrameHeader,
116 pub data: HTTP2FrameTypeData,
117 }
118
119 pub struct HTTP2Transaction {
120 tx_id: u64,
121 pub stream_id: u32,
122 pub state: HTTP2TransactionState,
123 child_stream_id: u32,
124
125 pub frames_tc: Vec<HTTP2Frame>,
126 pub frames_ts: Vec<HTTP2Frame>,
127
128 de_state: Option<*mut core::DetectEngineState>,
129 events: *mut core::AppLayerDecoderEvents,
130 tx_data: AppLayerTxData,
131 ft: FileTransferTracker,
132
133 //temporary escaped header for detection
134 //must be attached to transaction for memory management (be freed at the right time)
135 pub escaped: Vec<Vec<u8>>,
136 }
137
138 impl HTTP2Transaction {
139 pub fn new() -> HTTP2Transaction {
140 HTTP2Transaction {
141 tx_id: 0,
142 stream_id: 0,
143 child_stream_id: 0,
144 state: HTTP2TransactionState::HTTP2StateIdle,
145 frames_tc: Vec::new(),
146 frames_ts: Vec::new(),
147 de_state: None,
148 events: std::ptr::null_mut(),
149 tx_data: AppLayerTxData::new(),
150 ft: FileTransferTracker::new(),
151 escaped: Vec::with_capacity(16),
152 }
153 }
154
155 pub fn free(&mut self) {
156 if self.events != std::ptr::null_mut() {
157 core::sc_app_layer_decoder_events_free_events(&mut self.events);
158 }
159 if let Some(state) = self.de_state {
160 core::sc_detect_engine_state_free(state);
161 }
162 }
163
164 fn handle_frame(
165 &mut self, header: &parser::HTTP2FrameHeader, data: &HTTP2FrameTypeData, dir: u8,
166 ) {
167 //handle child_stream_id changes
168 match data {
169 HTTP2FrameTypeData::PUSHPROMISE(hs) => {
170 if dir == STREAM_TOCLIENT {
171 //we could set an event if self.child_stream_id != 0
172 if header.flags & parser::HTTP2_FLAG_HEADER_END_HEADERS == 0 {
173 self.child_stream_id = hs.stream_id;
174 }
175 self.state = HTTP2TransactionState::HTTP2StateReserved;
176 }
177 }
178 HTTP2FrameTypeData::CONTINUATION(_) => {
179 if dir == STREAM_TOCLIENT
180 && header.flags & parser::HTTP2_FLAG_HEADER_END_HEADERS != 0
181 {
182 self.child_stream_id = 0;
183 }
184 }
185 HTTP2FrameTypeData::HEADERS(_) => {
186 if dir == STREAM_TOCLIENT {
187 self.child_stream_id = 0;
188 }
189 }
190 HTTP2FrameTypeData::RSTSTREAM(_) => {
191 self.child_stream_id = 0;
192 }
193 _ => {}
194 }
195 //handle closing state changes
196 match data {
197 HTTP2FrameTypeData::HEADERS(_) | HTTP2FrameTypeData::DATA => {
198 if header.flags & parser::HTTP2_FLAG_HEADER_EOS != 0 {
199 match self.state {
200 HTTP2TransactionState::HTTP2StateHalfClosedClient
201 | HTTP2TransactionState::HTTP2StateDataServer => {
202 if dir == STREAM_TOCLIENT {
203 self.state = HTTP2TransactionState::HTTP2StateClosed;
204 }
205 }
206 HTTP2TransactionState::HTTP2StateHalfClosedServer => {
207 if dir == STREAM_TOSERVER {
208 self.state = HTTP2TransactionState::HTTP2StateClosed;
209 }
210 }
211 // do not revert back to a half closed state
212 HTTP2TransactionState::HTTP2StateClosed => {}
213 HTTP2TransactionState::HTTP2StateGlobal => {}
214 _ => {
215 if dir == STREAM_TOCLIENT {
216 self.state = HTTP2TransactionState::HTTP2StateHalfClosedServer;
217 } else {
218 self.state = HTTP2TransactionState::HTTP2StateHalfClosedClient;
219 }
220 }
221 }
222 } else if header.ftype == parser::HTTP2FrameType::DATA as u8 {
223 //not end of stream
224 if dir == STREAM_TOSERVER {
225 if self.state < HTTP2TransactionState::HTTP2StateDataClient {
226 self.state = HTTP2TransactionState::HTTP2StateDataClient;
227 }
228 } else {
229 if self.state < HTTP2TransactionState::HTTP2StateDataServer {
230 self.state = HTTP2TransactionState::HTTP2StateDataServer;
231 }
232 }
233 }
234 }
235 _ => {}
236 }
237 }
238 }
239
240 impl Drop for HTTP2Transaction {
241 fn drop(&mut self) {
242 self.free();
243 }
244 }
245
246 #[repr(u32)]
247 pub enum HTTP2Event {
248 InvalidFrameHeader = 0,
249 InvalidClientMagic,
250 InvalidFrameData,
251 InvalidHeader,
252 InvalidFrameLength,
253 ExtraHeaderData,
254 LongFrameData,
255 StreamIdReuse,
256 InvalidHTTP1Settings,
257 }
258
259 impl HTTP2Event {
260 fn from_i32(value: i32) -> Option<HTTP2Event> {
261 match value {
262 0 => Some(HTTP2Event::InvalidFrameHeader),
263 1 => Some(HTTP2Event::InvalidClientMagic),
264 2 => Some(HTTP2Event::InvalidFrameData),
265 3 => Some(HTTP2Event::InvalidHeader),
266 4 => Some(HTTP2Event::InvalidFrameLength),
267 5 => Some(HTTP2Event::ExtraHeaderData),
268 6 => Some(HTTP2Event::LongFrameData),
269 7 => Some(HTTP2Event::StreamIdReuse),
270 8 => Some(HTTP2Event::InvalidHTTP1Settings),
271 _ => None,
272 }
273 }
274 }
275
276 pub struct HTTP2DynTable {
277 pub table: Vec<parser::HTTP2FrameHeaderBlock>,
278 pub current_size: usize,
279 pub max_size: usize,
280 pub overflow: u8,
281 }
282
283 impl HTTP2DynTable {
284 pub fn new() -> Self {
285 Self {
286 table: Vec::with_capacity(64),
287 current_size: 0,
288 max_size: 4096, //default value
289 overflow: 0,
290 }
291 }
292 }
293
294 pub struct HTTP2State {
295 tx_id: u64,
296 request_frame_size: u32,
297 response_frame_size: u32,
298 dynamic_headers_ts: HTTP2DynTable,
299 dynamic_headers_tc: HTTP2DynTable,
300 transactions: Vec<HTTP2Transaction>,
301 progress: HTTP2ConnectionState,
302 pub files: HTTP2Files,
303 }
304
305 impl HTTP2State {
306 pub fn new() -> Self {
307 Self {
308 tx_id: 0,
309 request_frame_size: 0,
310 response_frame_size: 0,
311 // the headers are encoded on one byte
312 // with a fixed number of static headers, and
313 // a variable number of dynamic headers
314 dynamic_headers_ts: HTTP2DynTable::new(),
315 dynamic_headers_tc: HTTP2DynTable::new(),
316 transactions: Vec::new(),
317 progress: HTTP2ConnectionState::Http2StateInit,
318 files: HTTP2Files::new(),
319 }
320 }
321
322 pub fn free(&mut self) {
323 self.transactions.clear();
324 self.files.free();
325 }
326
327 pub fn set_event(&mut self, event: HTTP2Event) {
328 let len = self.transactions.len();
329 if len == 0 {
330 return;
331 }
332 let tx = &mut self.transactions[len - 1];
333 let ev = event as u8;
334 core::sc_app_layer_decoder_events_set_event_raw(&mut tx.events, ev);
335 }
336
337 // Free a transaction by ID.
338 fn free_tx(&mut self, tx_id: u64) {
339 let len = self.transactions.len();
340 let mut found = false;
341 let mut index = 0;
342 for i in 0..len {
343 let tx = &self.transactions[i];
344 if tx.tx_id == tx_id + 1 {
345 found = true;
346 index = i;
347 break;
348 }
349 }
350 if found {
351 self.transactions.remove(index);
352 }
353 }
354
355 pub fn get_tx(&mut self, tx_id: u64) -> Option<&HTTP2Transaction> {
356 for tx in &mut self.transactions {
357 if tx.tx_id == tx_id + 1 {
358 return Some(tx);
359 }
360 }
361 return None;
362 }
363
364 fn find_tx_index(&mut self, sid: u32, header: &parser::HTTP2FrameHeader) -> usize {
365 for i in 0..self.transactions.len() {
366 //reverse order should be faster
367 let idx = self.transactions.len() - 1 - i;
368 if sid == self.transactions[idx].stream_id {
369 if self.transactions[idx].state == HTTP2TransactionState::HTTP2StateClosed {
370 //these frames can be received in this state for a short period
371 if header.ftype != parser::HTTP2FrameType::RSTSTREAM as u8
372 && header.ftype != parser::HTTP2FrameType::WINDOWUPDATE as u8
373 && header.ftype != parser::HTTP2FrameType::PRIORITY as u8
374 {
375 self.set_event(HTTP2Event::StreamIdReuse);
376 }
377 }
378 return idx + 1;
379 }
380 }
381 return 0;
382 }
383
384 fn find_child_stream_id(&mut self, sid: u32) -> u32 {
385 for i in 0..self.transactions.len() {
386 //reverse order should be faster
387 if sid == self.transactions[self.transactions.len() - 1 - i].stream_id {
388 if self.transactions[self.transactions.len() - 1 - i].child_stream_id > 0 {
389 return self.transactions[self.transactions.len() - 1 - i].child_stream_id;
390 }
391 return sid;
392 }
393 }
394 return sid;
395 }
396
397 fn create_global_tx(&mut self) -> &mut HTTP2Transaction {
398 //special transaction with only one frame
399 //as it affects the global connection, there is no end to it
400 let mut tx = HTTP2Transaction::new();
401 self.tx_id += 1;
402 tx.tx_id = self.tx_id;
403 tx.state = HTTP2TransactionState::HTTP2StateGlobal;
404 self.transactions.push(tx);
405 return self.transactions.last_mut().unwrap();
406 }
407
408 pub fn find_or_create_tx(
409 &mut self, header: &parser::HTTP2FrameHeader, data: &HTTP2FrameTypeData, dir: u8,
410 ) -> &mut HTTP2Transaction {
411 if header.stream_id == 0 {
412 return self.create_global_tx();
413 }
414 let sid = match data {
415 //yes, the right stream_id for Suricata is not the header one
416 HTTP2FrameTypeData::PUSHPROMISE(hs) => hs.stream_id,
417 HTTP2FrameTypeData::CONTINUATION(_) => {
418 if dir == STREAM_TOCLIENT {
419 //continuation of a push promise
420 self.find_child_stream_id(header.stream_id)
421 } else {
422 header.stream_id
423 }
424 }
425 _ => header.stream_id,
426 };
427 let index = self.find_tx_index(sid, header);
428 if index > 0 {
429 return &mut self.transactions[index - 1];
430 } else {
431 let mut tx = HTTP2Transaction::new();
432 self.tx_id += 1;
433 tx.tx_id = self.tx_id;
434 tx.stream_id = sid;
435 tx.state = HTTP2TransactionState::HTTP2StateOpen;
436 self.transactions.push(tx);
437 return self.transactions.last_mut().unwrap();
438 }
439 }
440
441 fn parse_frame_data(
442 &mut self, ftype: u8, input: &[u8], complete: bool, hflags: u8, dir: u8,
443 ) -> HTTP2FrameTypeData {
444 match num::FromPrimitive::from_u8(ftype) {
445 Some(parser::HTTP2FrameType::GOAWAY) => {
446 if input.len() < HTTP2_FRAME_GOAWAY_LEN {
447 self.set_event(HTTP2Event::InvalidFrameLength);
448 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
449 reason: HTTP2FrameUnhandledReason::Incomplete,
450 });
451 }
452 match parser::http2_parse_frame_goaway(input) {
453 Ok((_, goaway)) => {
454 return HTTP2FrameTypeData::GOAWAY(goaway);
455 }
456 Err(_) => {
457 self.set_event(HTTP2Event::InvalidFrameData);
458 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
459 reason: HTTP2FrameUnhandledReason::ParsingError,
460 });
461 }
462 }
463 }
464 Some(parser::HTTP2FrameType::SETTINGS) => {
465 match parser::http2_parse_frame_settings(input) {
466 Ok((_, set)) => {
467 for i in 0..set.len() {
468 if set[i].id == parser::HTTP2SettingsId::SETTINGSHEADERTABLESIZE {
469 //set for both endpoints ? to be tested
470 self.dynamic_headers_tc.max_size = set[i].value as usize;
471 self.dynamic_headers_ts.max_size = set[i].value as usize;
472 if set[i].value > HTTP2_MAX_TABLESIZE {
473 //mark potential overflow
474 self.dynamic_headers_tc.overflow = 1;
475 self.dynamic_headers_ts.overflow = 1;
476 } else {
477 //reset in case peer set a lower value, to be tested
478 self.dynamic_headers_tc.overflow = 0;
479 self.dynamic_headers_ts.overflow = 0;
480 }
481 }
482 }
483 //we could set an event on remaining data
484 return HTTP2FrameTypeData::SETTINGS(set);
485 }
486 Err(nom::Err::Incomplete(_)) => {
487 if complete {
488 self.set_event(HTTP2Event::InvalidFrameData);
489 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
490 reason: HTTP2FrameUnhandledReason::ParsingError,
491 });
492 } else {
493 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
494 reason: HTTP2FrameUnhandledReason::TooLong,
495 });
496 }
497 }
498 Err(_) => {
499 self.set_event(HTTP2Event::InvalidFrameData);
500 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
501 reason: HTTP2FrameUnhandledReason::ParsingError,
502 });
503 }
504 }
505 }
506 Some(parser::HTTP2FrameType::RSTSTREAM) => {
507 if input.len() != HTTP2_FRAME_RSTSTREAM_LEN {
508 self.set_event(HTTP2Event::InvalidFrameLength);
509 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
510 reason: HTTP2FrameUnhandledReason::Incomplete,
511 });
512 } else {
513 match parser::http2_parse_frame_rststream(input) {
514 Ok((_, rst)) => {
515 return HTTP2FrameTypeData::RSTSTREAM(rst);
516 }
517 Err(_) => {
518 self.set_event(HTTP2Event::InvalidFrameData);
519 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
520 reason: HTTP2FrameUnhandledReason::ParsingError,
521 });
522 }
523 }
524 }
525 }
526 Some(parser::HTTP2FrameType::PRIORITY) => {
527 if input.len() != HTTP2_FRAME_PRIORITY_LEN {
528 self.set_event(HTTP2Event::InvalidFrameLength);
529 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
530 reason: HTTP2FrameUnhandledReason::Incomplete,
531 });
532 } else {
533 match parser::http2_parse_frame_priority(input) {
534 Ok((_, priority)) => {
535 return HTTP2FrameTypeData::PRIORITY(priority);
536 }
537 Err(_) => {
538 self.set_event(HTTP2Event::InvalidFrameData);
539 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
540 reason: HTTP2FrameUnhandledReason::ParsingError,
541 });
542 }
543 }
544 }
545 }
546 Some(parser::HTTP2FrameType::WINDOWUPDATE) => {
547 if input.len() != HTTP2_FRAME_WINDOWUPDATE_LEN {
548 self.set_event(HTTP2Event::InvalidFrameLength);
549 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
550 reason: HTTP2FrameUnhandledReason::Incomplete,
551 });
552 } else {
553 match parser::http2_parse_frame_windowupdate(input) {
554 Ok((_, wu)) => {
555 return HTTP2FrameTypeData::WINDOWUPDATE(wu);
556 }
557 Err(_) => {
558 self.set_event(HTTP2Event::InvalidFrameData);
559 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
560 reason: HTTP2FrameUnhandledReason::ParsingError,
561 });
562 }
563 }
564 }
565 }
566 Some(parser::HTTP2FrameType::PUSHPROMISE) => {
567 let dyn_headers = if dir == STREAM_TOCLIENT {
568 &mut self.dynamic_headers_tc
569 } else {
570 &mut self.dynamic_headers_ts
571 };
572 match parser::http2_parse_frame_push_promise(input, hflags, dyn_headers) {
573 Ok((_, hs)) => {
574 for i in 0..hs.blocks.len() {
575 if hs.blocks[i].error
576 >= parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeError
577 {
578 self.set_event(HTTP2Event::InvalidHeader);
579 }
580 }
581 return HTTP2FrameTypeData::PUSHPROMISE(hs);
582 }
583 Err(nom::Err::Incomplete(_)) => {
584 if complete {
585 self.set_event(HTTP2Event::InvalidFrameData);
586 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
587 reason: HTTP2FrameUnhandledReason::ParsingError,
588 });
589 } else {
590 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
591 reason: HTTP2FrameUnhandledReason::TooLong,
592 });
593 }
594 }
595 Err(_) => {
596 self.set_event(HTTP2Event::InvalidFrameData);
597 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
598 reason: HTTP2FrameUnhandledReason::ParsingError,
599 });
600 }
601 }
602 }
603 Some(parser::HTTP2FrameType::DATA) => {
604 return HTTP2FrameTypeData::DATA;
605 }
606 Some(parser::HTTP2FrameType::CONTINUATION) => {
607 let dyn_headers = if dir == STREAM_TOCLIENT {
608 &mut self.dynamic_headers_tc
609 } else {
610 &mut self.dynamic_headers_ts
611 };
612 match parser::http2_parse_frame_continuation(input, dyn_headers) {
613 Ok((_, hs)) => {
614 for i in 0..hs.blocks.len() {
615 if hs.blocks[i].error
616 >= parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeError
617 {
618 self.set_event(HTTP2Event::InvalidHeader);
619 }
620 }
621 return HTTP2FrameTypeData::CONTINUATION(hs);
622 }
623 Err(nom::Err::Incomplete(_)) => {
624 if complete {
625 self.set_event(HTTP2Event::InvalidFrameData);
626 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
627 reason: HTTP2FrameUnhandledReason::ParsingError,
628 });
629 } else {
630 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
631 reason: HTTP2FrameUnhandledReason::TooLong,
632 });
633 }
634 }
635 Err(_) => {
636 self.set_event(HTTP2Event::InvalidFrameData);
637 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
638 reason: HTTP2FrameUnhandledReason::ParsingError,
639 });
640 }
641 }
642 }
643 Some(parser::HTTP2FrameType::HEADERS) => {
644 let dyn_headers = if dir == STREAM_TOCLIENT {
645 &mut self.dynamic_headers_tc
646 } else {
647 &mut self.dynamic_headers_ts
648 };
649 match parser::http2_parse_frame_headers(input, hflags, dyn_headers) {
650 Ok((hrem, hs)) => {
651 for i in 0..hs.blocks.len() {
652 if hs.blocks[i].error
653 >= parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeError
654 {
655 self.set_event(HTTP2Event::InvalidHeader);
656 }
657 }
658 if hrem.len() > 0 {
659 SCLogDebug!("Remaining data for HTTP2 headers");
660 self.set_event(HTTP2Event::ExtraHeaderData);
661 }
662 return HTTP2FrameTypeData::HEADERS(hs);
663 }
664 Err(nom::Err::Incomplete(_)) => {
665 if complete {
666 self.set_event(HTTP2Event::InvalidFrameData);
667 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
668 reason: HTTP2FrameUnhandledReason::ParsingError,
669 });
670 } else {
671 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
672 reason: HTTP2FrameUnhandledReason::TooLong,
673 });
674 }
675 }
676 Err(_) => {
677 self.set_event(HTTP2Event::InvalidFrameData);
678 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
679 reason: HTTP2FrameUnhandledReason::ParsingError,
680 });
681 }
682 }
683 }
684 Some(parser::HTTP2FrameType::PING) => {
685 return HTTP2FrameTypeData::PING;
686 }
687 _ => {
688 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
689 reason: HTTP2FrameUnhandledReason::UnknownType,
690 });
691 }
692 }
693 }
694
695 fn stream_data(&mut self, dir: u8, input: &[u8], over: bool, txid: u64) {
696 match unsafe { SURICATA_HTTP2_FILE_CONFIG } {
697 Some(sfcm) => {
698 for tx in &mut self.transactions {
699 if tx.tx_id == txid {
700 let xid: u32 = tx.tx_id as u32;
701 let (files, flags) = self.files.get(dir);
702 tx.ft.tx_id = tx.tx_id;
703 tx.ft.new_chunk(
704 sfcm,
705 files,
706 flags,
707 b"",
708 input,
709 tx.ft.tracked, //offset = append
710 input.len() as u32,
711 0,
712 over,
713 &xid,
714 );
715 break;
716 }
717 }
718 }
719 None => panic!("BUG"),
720 }
721 }
722
723 fn parse_frames(&mut self, mut input: &[u8], il: usize, dir: u8) -> AppLayerResult {
724 while input.len() > 0 {
725 match parser::http2_parse_frame_header(input) {
726 Ok((rem, head)) => {
727 let hl = head.length as usize;
728
729 //we check for completeness first
730 if rem.len() < hl {
731 //but limit ourselves so as not to exhaust memory
732 if hl < HTTP2_MAX_HANDLED_FRAME_SIZE {
733 return AppLayerResult::incomplete(
734 (il - input.len()) as u32,
735 (HTTP2_FRAME_HEADER_LEN + hl) as u32,
736 );
737 } else if rem.len() < HTTP2_MIN_HANDLED_FRAME_SIZE {
738 return AppLayerResult::incomplete(
739 (il - input.len()) as u32,
740 (HTTP2_FRAME_HEADER_LEN + HTTP2_MIN_HANDLED_FRAME_SIZE) as u32,
741 );
742 } else {
743 self.set_event(HTTP2Event::LongFrameData);
744 self.request_frame_size = head.length - (rem.len() as u32);
745 }
746 }
747
748 //get a safe length for the buffer
749 let (hlsafe, complete) = if rem.len() < hl {
750 (rem.len(), false)
751 } else {
752 (hl, true)
753 };
754
755 if head.length == 0 && head.ftype == parser::HTTP2FrameType::SETTINGS as u8 {
756 input = &rem[hlsafe..];
757 continue;
758 }
759 let txdata = self.parse_frame_data(
760 head.ftype,
761 &rem[..hlsafe],
762 complete,
763 head.flags,
764 dir,
765 );
766
767 let tx = self.find_or_create_tx(&head, &txdata, dir);
768 tx.handle_frame(&head, &txdata, dir);
769 let over = head.flags & parser::HTTP2_FLAG_HEADER_EOS != 0;
770 let txid = tx.tx_id;
771 let ftype = head.ftype;
772 if dir == STREAM_TOSERVER {
773 tx.frames_ts.push(HTTP2Frame {
774 header: head,
775 data: txdata,
776 });
777 } else {
778 tx.frames_tc.push(HTTP2Frame {
779 header: head,
780 data: txdata,
781 });
782 }
783 if ftype == parser::HTTP2FrameType::DATA as u8 {
784 self.stream_data(dir, &rem[..hlsafe], over, txid);
785 }
786 input = &rem[hlsafe..];
787 }
788 Err(nom::Err::Incomplete(_)) => {
789 //we may have consumed data from previous records
790 return AppLayerResult::incomplete(
791 (il - input.len()) as u32,
792 HTTP2_FRAME_HEADER_LEN as u32,
793 );
794 }
795 Err(_) => {
796 self.set_event(HTTP2Event::InvalidFrameHeader);
797 return AppLayerResult::err();
798 }
799 }
800 }
801 return AppLayerResult::ok();
802 }
803
804 fn parse_ts(&mut self, mut input: &[u8]) -> AppLayerResult {
805 //very first : skip magic
806 let mut magic_consumed = 0;
807 if self.progress < HTTP2ConnectionState::Http2StateMagicDone {
808 //skip magic
809 if input.len() >= HTTP2_MAGIC_LEN {
810 //skip magic
811 match std::str::from_utf8(&input[..HTTP2_MAGIC_LEN]) {
812 Ok("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n") => {
813 input = &input[HTTP2_MAGIC_LEN..];
814 magic_consumed = HTTP2_MAGIC_LEN;
815 }
816 Ok(&_) => {
817 self.set_event(HTTP2Event::InvalidClientMagic);
818 }
819 Err(_) => {
820 return AppLayerResult::err();
821 }
822 }
823 self.progress = HTTP2ConnectionState::Http2StateMagicDone;
824 } else {
825 //still more buffer
826 return AppLayerResult::incomplete(0 as u32, HTTP2_MAGIC_LEN as u32);
827 }
828 }
829 //first consume frame bytes
830 let il = input.len();
831 if self.request_frame_size > 0 {
832 let ilen = input.len() as u32;
833 if self.request_frame_size >= ilen {
834 self.request_frame_size -= ilen;
835 return AppLayerResult::ok();
836 } else {
837 let start = self.request_frame_size as usize;
838 input = &input[start..];
839 self.request_frame_size = 0;
840 }
841 }
842
843 //then parse all we can
844 let r = self.parse_frames(input, il, STREAM_TOSERVER);
845 if r.status == 1 {
846 //adds bytes consumed by banner to incomplete result
847 return AppLayerResult::incomplete(r.consumed + magic_consumed as u32, r.needed);
848 } else {
849 return r;
850 }
851 }
852
853 fn parse_tc(&mut self, mut input: &[u8]) -> AppLayerResult {
854 //first consume frame bytes
855 let il = input.len();
856 if self.response_frame_size > 0 {
857 let ilen = input.len() as u32;
858 if self.response_frame_size >= ilen {
859 self.response_frame_size -= ilen;
860 return AppLayerResult::ok();
861 } else {
862 let start = self.response_frame_size as usize;
863 input = &input[start..];
864 self.response_frame_size = 0;
865 }
866 }
867 //then parse all we can
868 return self.parse_frames(input, il, STREAM_TOCLIENT);
869 }
870
871 fn tx_iterator(
872 &mut self, min_tx_id: u64, state: &mut u64,
873 ) -> Option<(&HTTP2Transaction, u64, bool)> {
874 let mut index = *state as usize;
875 let len = self.transactions.len();
876
877 while index < len {
878 let tx = &self.transactions[index];
879 if tx.tx_id < min_tx_id + 1 {
880 index += 1;
881 continue;
882 }
883 *state = index as u64;
884 return Some((tx, tx.tx_id - 1, (len - index) > 1));
885 }
886
887 return None;
888 }
889 }
890
891 // C exports.
892
893 export_tx_get_detect_state!(rs_http2_tx_get_detect_state, HTTP2Transaction);
894 export_tx_set_detect_state!(rs_http2_tx_set_detect_state, HTTP2Transaction);
895
896 export_tx_data_get!(rs_http2_get_tx_data, HTTP2Transaction);
897
898 /// C entry point for a probing parser.
899 #[no_mangle]
900 pub extern "C" fn rs_http2_probing_parser_tc(
901 _flow: *const Flow, _direction: u8, input: *const u8, input_len: u32, _rdir: *mut u8,
902 ) -> AppProto {
903 if input != std::ptr::null_mut() {
904 let slice = build_slice!(input, input_len as usize);
905 match parser::http2_parse_frame_header(slice) {
906 Ok((_, header)) => {
907 if header.reserved != 0
908 || header.length > HTTP2_DEFAULT_MAX_FRAME_SIZE
909 || header.flags & 0xFE != 0
910 || header.ftype != parser::HTTP2FrameType::SETTINGS as u8
911 {
912 return unsafe { ALPROTO_FAILED };
913 }
914 return unsafe { ALPROTO_HTTP2 };
915 }
916 Err(nom::Err::Incomplete(_)) => {
917 return ALPROTO_UNKNOWN;
918 }
919 Err(_) => {
920 return unsafe { ALPROTO_FAILED };
921 }
922 }
923 }
924 return ALPROTO_UNKNOWN;
925 }
926
927 /// Extern functions operating on HTTP2.
928 extern "C" {
929 pub fn HTTP2MimicHttp1Request(
930 orig_state: *mut std::os::raw::c_void, new_state: *mut std::os::raw::c_void,
931 );
932 }
933
934 #[no_mangle]
935 pub extern "C" fn rs_http2_state_new(
936 orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto,
937 ) -> *mut std::os::raw::c_void {
938 let state = HTTP2State::new();
939 let boxed = Box::new(state);
940 let r = unsafe { transmute(boxed) };
941 if orig_state != std::ptr::null_mut() {
942 //we could check ALPROTO_HTTP == orig_proto
943 unsafe {
944 HTTP2MimicHttp1Request(orig_state, r);
945 }
946 }
947 return r;
948 }
949
950 #[no_mangle]
951 pub extern "C" fn rs_http2_state_free(state: *mut std::os::raw::c_void) {
952 // Just unbox...
953 let mut state: Box<HTTP2State> = unsafe { transmute(state) };
954 state.free();
955 }
956
957 #[no_mangle]
958 pub extern "C" fn rs_http2_state_tx_free(state: *mut std::os::raw::c_void, tx_id: u64) {
959 let state = cast_pointer!(state, HTTP2State);
960 state.free_tx(tx_id);
961 }
962
963 #[no_mangle]
964 pub extern "C" fn rs_http2_parse_ts(
965 flow: *const Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
966 input: *const u8, input_len: u32, _data: *const std::os::raw::c_void, _flags: u8,
967 ) -> AppLayerResult {
968 let state = cast_pointer!(state, HTTP2State);
969 let buf = build_slice!(input, input_len as usize);
970
971 state.files.flags_ts = unsafe { FileFlowToFlags(flow, STREAM_TOSERVER) };
972 return state.parse_ts(buf);
973 }
974
975 #[no_mangle]
976 pub extern "C" fn rs_http2_parse_tc(
977 flow: *const Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
978 input: *const u8, input_len: u32, _data: *const std::os::raw::c_void, _flags: u8,
979 ) -> AppLayerResult {
980 let state = cast_pointer!(state, HTTP2State);
981 let buf = build_slice!(input, input_len as usize);
982 state.files.flags_tc = unsafe { FileFlowToFlags(flow, STREAM_TOCLIENT) };
983 return state.parse_tc(buf);
984 }
985
986 #[no_mangle]
987 pub extern "C" fn rs_http2_state_get_tx(
988 state: *mut std::os::raw::c_void, tx_id: u64,
989 ) -> *mut std::os::raw::c_void {
990 let state = cast_pointer!(state, HTTP2State);
991 match state.get_tx(tx_id) {
992 Some(tx) => {
993 return unsafe { transmute(tx) };
994 }
995 None => {
996 return std::ptr::null_mut();
997 }
998 }
999 }
1000
1001 #[no_mangle]
1002 pub extern "C" fn rs_http2_state_get_tx_count(state: *mut std::os::raw::c_void) -> u64 {
1003 let state = cast_pointer!(state, HTTP2State);
1004 return state.tx_id;
1005 }
1006
1007 #[no_mangle]
1008 pub extern "C" fn rs_http2_state_progress_completion_status(_direction: u8) -> std::os::raw::c_int {
1009 return HTTP2TransactionState::HTTP2StateClosed as i32;
1010 }
1011
1012 #[no_mangle]
1013 pub extern "C" fn rs_http2_tx_get_state(tx: *mut std::os::raw::c_void) -> HTTP2TransactionState {
1014 let tx = cast_pointer!(tx, HTTP2Transaction);
1015 return tx.state;
1016 }
1017
1018 #[no_mangle]
1019 pub extern "C" fn rs_http2_tx_get_alstate_progress(
1020 tx: *mut std::os::raw::c_void, _direction: u8,
1021 ) -> std::os::raw::c_int {
1022 return rs_http2_tx_get_state(tx) as i32;
1023 }
1024
1025 #[no_mangle]
1026 pub extern "C" fn rs_http2_state_get_events(
1027 tx: *mut std::os::raw::c_void,
1028 ) -> *mut core::AppLayerDecoderEvents {
1029 let tx = cast_pointer!(tx, HTTP2Transaction);
1030 return tx.events;
1031 }
1032
1033 #[no_mangle]
1034 pub extern "C" fn rs_http2_state_get_event_info(
1035 event_name: *const std::os::raw::c_char, event_id: *mut std::os::raw::c_int,
1036 event_type: *mut core::AppLayerEventType,
1037 ) -> std::os::raw::c_int {
1038 if event_name == std::ptr::null() {
1039 return -1;
1040 }
1041 let c_event_name: &CStr = unsafe { CStr::from_ptr(event_name) };
1042 let event = match c_event_name.to_str() {
1043 Ok(s) => {
1044 match s {
1045 "invalid_frame_header" => HTTP2Event::InvalidFrameHeader as i32,
1046 "invalid_client_magic" => HTTP2Event::InvalidClientMagic as i32,
1047 "invalid_frame_data" => HTTP2Event::InvalidFrameData as i32,
1048 "invalid_header" => HTTP2Event::InvalidHeader as i32,
1049 "invalid_frame_length" => HTTP2Event::InvalidFrameLength as i32,
1050 "extra_header_data" => HTTP2Event::ExtraHeaderData as i32,
1051 "long_frame_data" => HTTP2Event::LongFrameData as i32,
1052 "stream_id_reuse" => HTTP2Event::StreamIdReuse as i32,
1053 "invalid_http1_settings" => HTTP2Event::InvalidHTTP1Settings as i32,
1054 _ => -1, // unknown event
1055 }
1056 }
1057 Err(_) => -1, // UTF-8 conversion failed
1058 };
1059 unsafe {
1060 *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
1061 *event_id = event as std::os::raw::c_int;
1062 };
1063 0
1064 }
1065
1066 #[no_mangle]
1067 pub extern "C" fn rs_http2_state_get_event_info_by_id(
1068 event_id: std::os::raw::c_int, event_name: *mut *const std::os::raw::c_char,
1069 event_type: *mut core::AppLayerEventType,
1070 ) -> i8 {
1071 if let Some(e) = HTTP2Event::from_i32(event_id as i32) {
1072 let estr = match e {
1073 HTTP2Event::InvalidFrameHeader => "invalid_frame_header\0",
1074 HTTP2Event::InvalidClientMagic => "invalid_client_magic\0",
1075 HTTP2Event::InvalidFrameData => "invalid_frame_data\0",
1076 HTTP2Event::InvalidHeader => "invalid_header\0",
1077 HTTP2Event::InvalidFrameLength => "invalid_frame_length\0",
1078 HTTP2Event::ExtraHeaderData => "extra_header_data\0",
1079 HTTP2Event::LongFrameData => "long_frame_data\0",
1080 HTTP2Event::StreamIdReuse => "stream_id_reuse\0",
1081 HTTP2Event::InvalidHTTP1Settings => "invalid_http1_settings\0",
1082 };
1083 unsafe {
1084 *event_name = estr.as_ptr() as *const std::os::raw::c_char;
1085 *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
1086 };
1087 0
1088 } else {
1089 -1
1090 }
1091 }
1092 #[no_mangle]
1093 pub extern "C" fn rs_http2_state_get_tx_iterator(
1094 _ipproto: u8, _alproto: AppProto, state: *mut std::os::raw::c_void, min_tx_id: u64,
1095 _max_tx_id: u64, istate: &mut u64,
1096 ) -> applayer::AppLayerGetTxIterTuple {
1097 let state = cast_pointer!(state, HTTP2State);
1098 match state.tx_iterator(min_tx_id, istate) {
1099 Some((tx, out_tx_id, has_next)) => {
1100 let c_tx = unsafe { transmute(tx) };
1101 let ires = applayer::AppLayerGetTxIterTuple::with_values(c_tx, out_tx_id, has_next);
1102 return ires;
1103 }
1104 None => {
1105 return applayer::AppLayerGetTxIterTuple::not_found();
1106 }
1107 }
1108 }
1109
1110 #[no_mangle]
1111 pub extern "C" fn rs_http2_getfiles(
1112 state: *mut std::os::raw::c_void, direction: u8,
1113 ) -> *mut FileContainer {
1114 let state = cast_pointer!(state, HTTP2State);
1115 if direction == STREAM_TOCLIENT {
1116 &mut state.files.files_tc as *mut FileContainer
1117 } else {
1118 &mut state.files.files_ts as *mut FileContainer
1119 }
1120 }
1121
1122 // Parser name as a C style string.
1123 const PARSER_NAME: &'static [u8] = b"http2\0";
1124
1125 #[no_mangle]
1126 pub unsafe extern "C" fn rs_http2_register_parser() {
1127 let default_port = CString::new("[80]").unwrap();
1128 let parser = RustParser {
1129 name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
1130 default_port: default_port.as_ptr(),
1131 ipproto: IPPROTO_TCP,
1132 probe_ts: None, // big magic string should be enough
1133 probe_tc: Some(rs_http2_probing_parser_tc),
1134 min_depth: HTTP2_FRAME_HEADER_LEN as u16,
1135 max_depth: HTTP2_MAGIC_LEN as u16,
1136 state_new: rs_http2_state_new,
1137 state_free: rs_http2_state_free,
1138 tx_free: rs_http2_state_tx_free,
1139 parse_ts: rs_http2_parse_ts,
1140 parse_tc: rs_http2_parse_tc,
1141 get_tx_count: rs_http2_state_get_tx_count,
1142 get_tx: rs_http2_state_get_tx,
1143 tx_get_comp_st: rs_http2_state_progress_completion_status,
1144 tx_get_progress: rs_http2_tx_get_alstate_progress,
1145 get_de_state: rs_http2_tx_get_detect_state,
1146 set_de_state: rs_http2_tx_set_detect_state,
1147 get_events: Some(rs_http2_state_get_events),
1148 get_eventinfo: Some(rs_http2_state_get_event_info),
1149 get_eventinfo_byid: Some(rs_http2_state_get_event_info_by_id),
1150 localstorage_new: None,
1151 localstorage_free: None,
1152 get_files: Some(rs_http2_getfiles),
1153 get_tx_iterator: Some(rs_http2_state_get_tx_iterator),
1154 get_tx_data: rs_http2_get_tx_data,
1155 apply_tx_config: None,
1156 flags: 0,
1157 truncate: None,
1158 };
1159
1160 let ip_proto_str = CString::new("tcp").unwrap();
1161
1162 if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
1163 let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
1164 ALPROTO_HTTP2 = alproto;
1165 if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
1166 let _ = AppLayerRegisterParser(&parser, alproto);
1167 }
1168 SCLogDebug!("Rust http2 parser registered.");
1169 } else {
1170 SCLogNotice!("Protocol detector and parser disabled for HTTP2.");
1171 }
1172 }
Michael's tree of suricata