1 /* Copyright (C) 2020 Open Information Security Foundation
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
20 use crate::applayer::{self, *};
22 self, AppProto, Flow, SuricataFileContext, ALPROTO_FAILED, ALPROTO_UNKNOWN, IPPROTO_TCP,
23 STREAM_TOCLIENT, STREAM_TOSERVER,
25 use crate::filecontainer::*;
26 use crate::filetracker::*;
29 use std::ffi::{CStr, CString};
31 use std::mem::transmute;
33 static mut ALPROTO_HTTP2: AppProto = ALPROTO_UNKNOWN;
35 const HTTP2_DEFAULT_MAX_FRAME_SIZE: u32 = 16384;
36 const HTTP2_MAX_HANDLED_FRAME_SIZE: usize = 65536;
37 const HTTP2_MIN_HANDLED_FRAME_SIZE: usize = 256;
39 pub static mut SURICATA_HTTP2_FILE_CONFIG: Option<&'static SuricataFileContext> = None;
42 pub extern "C" fn rs_http2_init(context: &'static mut SuricataFileContext) {
44 SURICATA_HTTP2_FILE_CONFIG = Some(context);
49 #[derive(Copy, Clone, PartialOrd, PartialEq)]
50 pub enum HTTP2ConnectionState {
52 Http2StateMagicDone = 1,
55 const HTTP2_FRAME_HEADER_LEN: usize = 9;
56 const HTTP2_MAGIC_LEN: usize = 24;
57 const HTTP2_FRAME_GOAWAY_LEN: usize = 4;
58 const HTTP2_FRAME_RSTSTREAM_LEN: usize = 4;
59 const HTTP2_FRAME_PRIORITY_LEN: usize = 5;
60 const HTTP2_FRAME_WINDOWUPDATE_LEN: usize = 4;
61 //TODO make this configurable
62 pub const HTTP2_MAX_TABLESIZE: u32 = 0x10000; // 65536
65 #[derive(Copy, Clone, PartialOrd, PartialEq, Debug)]
66 pub enum HTTP2FrameUnhandledReason {
73 impl fmt::Display for HTTP2FrameUnhandledReason {
74 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
75 write!(f, "{:?}", self)
80 pub struct HTTP2FrameUnhandled {
81 pub reason: HTTP2FrameUnhandledReason,
84 pub enum HTTP2FrameTypeData {
85 PRIORITY(parser::HTTP2FramePriority),
86 GOAWAY(parser::HTTP2FrameGoAway),
87 RSTSTREAM(parser::HTTP2FrameRstStream),
88 SETTINGS(Vec<parser::HTTP2FrameSettings>),
89 WINDOWUPDATE(parser::HTTP2FrameWindowUpdate),
90 HEADERS(parser::HTTP2FrameHeaders),
91 PUSHPROMISE(parser::HTTP2FramePushPromise),
92 CONTINUATION(parser::HTTP2FrameContinuation),
96 UNHANDLED(HTTP2FrameUnhandled),
100 #[derive(Copy, Clone, PartialOrd, PartialEq, Debug)]
101 pub enum HTTP2TransactionState {
104 HTTP2StateReserved = 2,
105 HTTP2StateDataClient = 3,
106 HTTP2StateHalfClosedClient = 4,
107 HTTP2StateDataServer = 5,
108 HTTP2StateHalfClosedServer = 6,
109 HTTP2StateClosed = 7,
110 //not a RFC-defined state, used for stream 0 frames appyling to the global connection
111 HTTP2StateGlobal = 8,
114 pub struct HTTP2Frame {
115 pub header: parser::HTTP2FrameHeader,
116 pub data: HTTP2FrameTypeData,
119 pub struct HTTP2Transaction {
122 pub state: HTTP2TransactionState,
123 child_stream_id: u32,
125 pub frames_tc: Vec<HTTP2Frame>,
126 pub frames_ts: Vec<HTTP2Frame>,
128 de_state: Option<*mut core::DetectEngineState>,
129 events: *mut core::AppLayerDecoderEvents,
130 tx_data: AppLayerTxData,
131 ft: FileTransferTracker,
133 //temporary escaped header for detection
134 //must be attached to transaction for memory management (be freed at the right time)
135 pub escaped: Vec<Vec<u8>>,
138 impl HTTP2Transaction {
139 pub fn new() -> HTTP2Transaction {
144 state: HTTP2TransactionState::HTTP2StateIdle,
145 frames_tc: Vec::new(),
146 frames_ts: Vec::new(),
148 events: std::ptr::null_mut(),
149 tx_data: AppLayerTxData::new(),
150 ft: FileTransferTracker::new(),
151 escaped: Vec::with_capacity(16),
155 pub fn free(&mut self) {
156 if self.events != std::ptr::null_mut() {
157 core::sc_app_layer_decoder_events_free_events(&mut self.events);
159 if let Some(state) = self.de_state {
160 core::sc_detect_engine_state_free(state);
165 &mut self, header: &parser::HTTP2FrameHeader, data: &HTTP2FrameTypeData, dir: u8,
167 //handle child_stream_id changes
169 HTTP2FrameTypeData::PUSHPROMISE(hs) => {
170 if dir == STREAM_TOCLIENT {
171 //we could set an event if self.child_stream_id != 0
172 if header.flags & parser::HTTP2_FLAG_HEADER_END_HEADERS == 0 {
173 self.child_stream_id = hs.stream_id;
175 self.state = HTTP2TransactionState::HTTP2StateReserved;
178 HTTP2FrameTypeData::CONTINUATION(_) => {
179 if dir == STREAM_TOCLIENT
180 && header.flags & parser::HTTP2_FLAG_HEADER_END_HEADERS != 0
182 self.child_stream_id = 0;
185 HTTP2FrameTypeData::HEADERS(_) => {
186 if dir == STREAM_TOCLIENT {
187 self.child_stream_id = 0;
190 HTTP2FrameTypeData::RSTSTREAM(_) => {
191 self.child_stream_id = 0;
195 //handle closing state changes
197 HTTP2FrameTypeData::HEADERS(_) | HTTP2FrameTypeData::DATA => {
198 if header.flags & parser::HTTP2_FLAG_HEADER_EOS != 0 {
200 HTTP2TransactionState::HTTP2StateHalfClosedClient
201 | HTTP2TransactionState::HTTP2StateDataServer => {
202 if dir == STREAM_TOCLIENT {
203 self.state = HTTP2TransactionState::HTTP2StateClosed;
206 HTTP2TransactionState::HTTP2StateHalfClosedServer => {
207 if dir == STREAM_TOSERVER {
208 self.state = HTTP2TransactionState::HTTP2StateClosed;
211 // do not revert back to a half closed state
212 HTTP2TransactionState::HTTP2StateClosed => {}
213 HTTP2TransactionState::HTTP2StateGlobal => {}
215 if dir == STREAM_TOCLIENT {
216 self.state = HTTP2TransactionState::HTTP2StateHalfClosedServer;
218 self.state = HTTP2TransactionState::HTTP2StateHalfClosedClient;
222 } else if header.ftype == parser::HTTP2FrameType::DATA as u8 {
224 if dir == STREAM_TOSERVER {
225 if self.state < HTTP2TransactionState::HTTP2StateDataClient {
226 self.state = HTTP2TransactionState::HTTP2StateDataClient;
229 if self.state < HTTP2TransactionState::HTTP2StateDataServer {
230 self.state = HTTP2TransactionState::HTTP2StateDataServer;
240 impl Drop for HTTP2Transaction {
247 pub enum HTTP2Event {
248 InvalidFrameHeader = 0,
256 InvalidHTTP1Settings,
260 fn from_i32(value: i32) -> Option<HTTP2Event> {
262 0 => Some(HTTP2Event::InvalidFrameHeader),
263 1 => Some(HTTP2Event::InvalidClientMagic),
264 2 => Some(HTTP2Event::InvalidFrameData),
265 3 => Some(HTTP2Event::InvalidHeader),
266 4 => Some(HTTP2Event::InvalidFrameLength),
267 5 => Some(HTTP2Event::ExtraHeaderData),
268 6 => Some(HTTP2Event::LongFrameData),
269 7 => Some(HTTP2Event::StreamIdReuse),
270 8 => Some(HTTP2Event::InvalidHTTP1Settings),
276 pub struct HTTP2DynTable {
277 pub table: Vec<parser::HTTP2FrameHeaderBlock>,
278 pub current_size: usize,
284 pub fn new() -> Self {
286 table: Vec::with_capacity(64),
288 max_size: 4096, //default value
294 pub struct HTTP2State {
296 request_frame_size: u32,
297 response_frame_size: u32,
298 dynamic_headers_ts: HTTP2DynTable,
299 dynamic_headers_tc: HTTP2DynTable,
300 transactions: Vec<HTTP2Transaction>,
301 progress: HTTP2ConnectionState,
302 pub files: HTTP2Files,
306 pub fn new() -> Self {
309 request_frame_size: 0,
310 response_frame_size: 0,
311 // the headers are encoded on one byte
312 // with a fixed number of static headers, and
313 // a variable number of dynamic headers
314 dynamic_headers_ts: HTTP2DynTable::new(),
315 dynamic_headers_tc: HTTP2DynTable::new(),
316 transactions: Vec::new(),
317 progress: HTTP2ConnectionState::Http2StateInit,
318 files: HTTP2Files::new(),
322 pub fn free(&mut self) {
323 self.transactions.clear();
327 pub fn set_event(&mut self, event: HTTP2Event) {
328 let len = self.transactions.len();
332 let tx = &mut self.transactions[len - 1];
333 let ev = event as u8;
334 core::sc_app_layer_decoder_events_set_event_raw(&mut tx.events, ev);
337 // Free a transaction by ID.
338 fn free_tx(&mut self, tx_id: u64) {
339 let len = self.transactions.len();
340 let mut found = false;
343 let tx = &self.transactions[i];
344 if tx.tx_id == tx_id + 1 {
351 self.transactions.remove(index);
355 pub fn get_tx(&mut self, tx_id: u64) -> Option<&HTTP2Transaction> {
356 for tx in &mut self.transactions {
357 if tx.tx_id == tx_id + 1 {
364 fn find_tx_index(&mut self, sid: u32) -> usize {
365 for i in 0..self.transactions.len() {
366 //reverse order should be faster
367 let idx = self.transactions.len() - 1 - i;
368 if sid == self.transactions[idx].stream_id {
375 fn find_child_stream_id(&mut self, sid: u32) -> u32 {
376 for i in 0..self.transactions.len() {
377 //reverse order should be faster
378 if sid == self.transactions[self.transactions.len() - 1 - i].stream_id {
379 if self.transactions[self.transactions.len() - 1 - i].child_stream_id > 0 {
380 return self.transactions[self.transactions.len() - 1 - i].child_stream_id;
388 fn create_global_tx(&mut self) -> &mut HTTP2Transaction {
389 //special transaction with only one frame
390 //as it affects the global connection, there is no end to it
391 let mut tx = HTTP2Transaction::new();
393 tx.tx_id = self.tx_id;
394 tx.state = HTTP2TransactionState::HTTP2StateGlobal;
395 self.transactions.push(tx);
396 return self.transactions.last_mut().unwrap();
399 pub fn find_or_create_tx(
400 &mut self, header: &parser::HTTP2FrameHeader, data: &HTTP2FrameTypeData, dir: u8,
401 ) -> &mut HTTP2Transaction {
402 if header.stream_id == 0 {
403 return self.create_global_tx();
405 let sid = match data {
406 //yes, the right stream_id for Suricata is not the header one
407 HTTP2FrameTypeData::PUSHPROMISE(hs) => hs.stream_id,
408 HTTP2FrameTypeData::CONTINUATION(_) => {
409 if dir == STREAM_TOCLIENT {
410 //continuation of a push promise
411 self.find_child_stream_id(header.stream_id)
416 _ => header.stream_id,
418 let index = self.find_tx_index(sid);
420 if self.transactions[index - 1].state == HTTP2TransactionState::HTTP2StateClosed {
421 //these frames can be received in this state for a short period
422 if header.ftype != parser::HTTP2FrameType::RSTSTREAM as u8
423 && header.ftype != parser::HTTP2FrameType::WINDOWUPDATE as u8
424 && header.ftype != parser::HTTP2FrameType::PRIORITY as u8
426 self.set_event(HTTP2Event::StreamIdReuse);
429 return &mut self.transactions[index - 1];
431 let mut tx = HTTP2Transaction::new();
433 tx.tx_id = self.tx_id;
435 tx.state = HTTP2TransactionState::HTTP2StateOpen;
436 self.transactions.push(tx);
437 return self.transactions.last_mut().unwrap();
441 fn process_headers(&mut self, blocks: &Vec<parser::HTTP2FrameHeaderBlock>, dir: u8) {
442 let (mut update, mut sizeup) = (false, 0);
443 for i in 0..blocks.len() {
444 if blocks[i].error >= parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeError {
445 self.set_event(HTTP2Event::InvalidHeader);
446 } else if blocks[i].error
447 == parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate
450 if blocks[i].sizeupdate > sizeup {
451 sizeup = blocks[i].sizeupdate;
456 //borrow checker forbids to pass directly dyn_headers
457 let dyn_headers = if dir == STREAM_TOCLIENT {
458 &mut self.dynamic_headers_tc
460 &mut self.dynamic_headers_ts
462 dyn_headers.max_size = sizeup as usize;
467 &mut self, ftype: u8, input: &[u8], complete: bool, hflags: u8, dir: u8,
468 ) -> HTTP2FrameTypeData {
469 match num::FromPrimitive::from_u8(ftype) {
470 Some(parser::HTTP2FrameType::GOAWAY) => {
471 if input.len() < HTTP2_FRAME_GOAWAY_LEN {
472 self.set_event(HTTP2Event::InvalidFrameLength);
473 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
474 reason: HTTP2FrameUnhandledReason::Incomplete,
477 match parser::http2_parse_frame_goaway(input) {
479 return HTTP2FrameTypeData::GOAWAY(goaway);
482 self.set_event(HTTP2Event::InvalidFrameData);
483 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
484 reason: HTTP2FrameUnhandledReason::ParsingError,
489 Some(parser::HTTP2FrameType::SETTINGS) => {
490 match parser::http2_parse_frame_settings(input) {
492 for i in 0..set.len() {
493 if set[i].id == parser::HTTP2SettingsId::SETTINGSHEADERTABLESIZE {
494 //reverse order as this is what we accept from the other endpoint
495 let dyn_headers = if dir == STREAM_TOCLIENT {
496 &mut self.dynamic_headers_ts
498 &mut self.dynamic_headers_tc
500 dyn_headers.max_size = set[i].value as usize;
501 if set[i].value > HTTP2_MAX_TABLESIZE {
502 //mark potential overflow
503 dyn_headers.overflow = 1;
505 //reset in case peer set a lower value, to be tested
506 dyn_headers.overflow = 0;
510 //we could set an event on remaining data
511 return HTTP2FrameTypeData::SETTINGS(set);
513 Err(nom::Err::Incomplete(_)) => {
515 self.set_event(HTTP2Event::InvalidFrameData);
516 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
517 reason: HTTP2FrameUnhandledReason::ParsingError,
520 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
521 reason: HTTP2FrameUnhandledReason::TooLong,
526 self.set_event(HTTP2Event::InvalidFrameData);
527 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
528 reason: HTTP2FrameUnhandledReason::ParsingError,
533 Some(parser::HTTP2FrameType::RSTSTREAM) => {
534 if input.len() != HTTP2_FRAME_RSTSTREAM_LEN {
535 self.set_event(HTTP2Event::InvalidFrameLength);
536 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
537 reason: HTTP2FrameUnhandledReason::Incomplete,
540 match parser::http2_parse_frame_rststream(input) {
542 return HTTP2FrameTypeData::RSTSTREAM(rst);
545 self.set_event(HTTP2Event::InvalidFrameData);
546 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
547 reason: HTTP2FrameUnhandledReason::ParsingError,
553 Some(parser::HTTP2FrameType::PRIORITY) => {
554 if input.len() != HTTP2_FRAME_PRIORITY_LEN {
555 self.set_event(HTTP2Event::InvalidFrameLength);
556 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
557 reason: HTTP2FrameUnhandledReason::Incomplete,
560 match parser::http2_parse_frame_priority(input) {
561 Ok((_, priority)) => {
562 return HTTP2FrameTypeData::PRIORITY(priority);
565 self.set_event(HTTP2Event::InvalidFrameData);
566 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
567 reason: HTTP2FrameUnhandledReason::ParsingError,
573 Some(parser::HTTP2FrameType::WINDOWUPDATE) => {
574 if input.len() != HTTP2_FRAME_WINDOWUPDATE_LEN {
575 self.set_event(HTTP2Event::InvalidFrameLength);
576 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
577 reason: HTTP2FrameUnhandledReason::Incomplete,
580 match parser::http2_parse_frame_windowupdate(input) {
582 return HTTP2FrameTypeData::WINDOWUPDATE(wu);
585 self.set_event(HTTP2Event::InvalidFrameData);
586 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
587 reason: HTTP2FrameUnhandledReason::ParsingError,
593 Some(parser::HTTP2FrameType::PUSHPROMISE) => {
594 let dyn_headers = if dir == STREAM_TOCLIENT {
595 &mut self.dynamic_headers_tc
597 &mut self.dynamic_headers_ts
599 match parser::http2_parse_frame_push_promise(input, hflags, dyn_headers) {
601 self.process_headers(&hs.blocks, dir);
602 return HTTP2FrameTypeData::PUSHPROMISE(hs);
604 Err(nom::Err::Incomplete(_)) => {
606 self.set_event(HTTP2Event::InvalidFrameData);
607 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
608 reason: HTTP2FrameUnhandledReason::ParsingError,
611 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
612 reason: HTTP2FrameUnhandledReason::TooLong,
617 self.set_event(HTTP2Event::InvalidFrameData);
618 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
619 reason: HTTP2FrameUnhandledReason::ParsingError,
624 Some(parser::HTTP2FrameType::DATA) => {
625 return HTTP2FrameTypeData::DATA;
627 Some(parser::HTTP2FrameType::CONTINUATION) => {
628 let dyn_headers = if dir == STREAM_TOCLIENT {
629 &mut self.dynamic_headers_tc
631 &mut self.dynamic_headers_ts
633 match parser::http2_parse_frame_continuation(input, dyn_headers) {
635 self.process_headers(&hs.blocks, dir);
636 return HTTP2FrameTypeData::CONTINUATION(hs);
638 Err(nom::Err::Incomplete(_)) => {
640 self.set_event(HTTP2Event::InvalidFrameData);
641 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
642 reason: HTTP2FrameUnhandledReason::ParsingError,
645 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
646 reason: HTTP2FrameUnhandledReason::TooLong,
651 self.set_event(HTTP2Event::InvalidFrameData);
652 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
653 reason: HTTP2FrameUnhandledReason::ParsingError,
658 Some(parser::HTTP2FrameType::HEADERS) => {
659 let dyn_headers = if dir == STREAM_TOCLIENT {
660 &mut self.dynamic_headers_tc
662 &mut self.dynamic_headers_ts
664 match parser::http2_parse_frame_headers(input, hflags, dyn_headers) {
666 self.process_headers(&hs.blocks, dir);
668 SCLogDebug!("Remaining data for HTTP2 headers");
669 self.set_event(HTTP2Event::ExtraHeaderData);
671 return HTTP2FrameTypeData::HEADERS(hs);
673 Err(nom::Err::Incomplete(_)) => {
675 self.set_event(HTTP2Event::InvalidFrameData);
676 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
677 reason: HTTP2FrameUnhandledReason::ParsingError,
680 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
681 reason: HTTP2FrameUnhandledReason::TooLong,
686 self.set_event(HTTP2Event::InvalidFrameData);
687 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
688 reason: HTTP2FrameUnhandledReason::ParsingError,
693 Some(parser::HTTP2FrameType::PING) => {
694 return HTTP2FrameTypeData::PING;
697 return HTTP2FrameTypeData::UNHANDLED(HTTP2FrameUnhandled {
698 reason: HTTP2FrameUnhandledReason::UnknownType,
704 fn parse_frames(&mut self, mut input: &[u8], il: usize, dir: u8) -> AppLayerResult {
705 while input.len() > 0 {
706 match parser::http2_parse_frame_header(input) {
708 let hl = head.length as usize;
710 //we check for completeness first
712 //but limit ourselves so as not to exhaust memory
713 if hl < HTTP2_MAX_HANDLED_FRAME_SIZE {
714 return AppLayerResult::incomplete(
715 (il - input.len()) as u32,
716 (HTTP2_FRAME_HEADER_LEN + hl) as u32,
718 } else if rem.len() < HTTP2_MIN_HANDLED_FRAME_SIZE {
719 return AppLayerResult::incomplete(
720 (il - input.len()) as u32,
721 (HTTP2_FRAME_HEADER_LEN + HTTP2_MIN_HANDLED_FRAME_SIZE) as u32,
724 self.set_event(HTTP2Event::LongFrameData);
725 self.request_frame_size = head.length - (rem.len() as u32);
729 //get a safe length for the buffer
730 let (hlsafe, complete) = if rem.len() < hl {
736 if head.length == 0 && head.ftype == parser::HTTP2FrameType::SETTINGS as u8 {
737 input = &rem[hlsafe..];
740 let txdata = self.parse_frame_data(
748 let tx = self.find_or_create_tx(&head, &txdata, dir);
749 tx.handle_frame(&head, &txdata, dir);
750 let over = head.flags & parser::HTTP2_FLAG_HEADER_EOS != 0;
751 let ftype = head.ftype;
752 let sid = head.stream_id;
753 if dir == STREAM_TOSERVER {
754 tx.frames_ts.push(HTTP2Frame {
759 tx.frames_tc.push(HTTP2Frame {
764 if ftype == parser::HTTP2FrameType::DATA as u8 {
765 match unsafe { SURICATA_HTTP2_FILE_CONFIG } {
767 //borrow checker forbids to reuse directly tx
768 let index = self.find_tx_index(sid);
770 let mut tx_same = &mut self.transactions[index - 1];
771 let xid: u32 = tx_same.tx_id as u32;
772 tx_same.ft.tx_id = tx_same.tx_id - 1;
773 let (files, flags) = self.files.get(dir);
774 tx_same.ft.new_chunk(
780 tx_same.ft.tracked, //offset = append
788 None => panic!("BUG"),
791 input = &rem[hlsafe..];
793 Err(nom::Err::Incomplete(_)) => {
794 //we may have consumed data from previous records
795 return AppLayerResult::incomplete(
796 (il - input.len()) as u32,
797 HTTP2_FRAME_HEADER_LEN as u32,
801 self.set_event(HTTP2Event::InvalidFrameHeader);
802 return AppLayerResult::err();
806 return AppLayerResult::ok();
809 fn parse_ts(&mut self, mut input: &[u8]) -> AppLayerResult {
810 //very first : skip magic
811 let mut magic_consumed = 0;
812 if self.progress < HTTP2ConnectionState::Http2StateMagicDone {
814 if input.len() >= HTTP2_MAGIC_LEN {
816 match std::str::from_utf8(&input[..HTTP2_MAGIC_LEN]) {
817 Ok("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n") => {
818 input = &input[HTTP2_MAGIC_LEN..];
819 magic_consumed = HTTP2_MAGIC_LEN;
822 self.set_event(HTTP2Event::InvalidClientMagic);
825 return AppLayerResult::err();
828 self.progress = HTTP2ConnectionState::Http2StateMagicDone;
831 return AppLayerResult::incomplete(0 as u32, HTTP2_MAGIC_LEN as u32);
834 //first consume frame bytes
835 let il = input.len();
836 if self.request_frame_size > 0 {
837 let ilen = input.len() as u32;
838 if self.request_frame_size >= ilen {
839 self.request_frame_size -= ilen;
840 return AppLayerResult::ok();
842 let start = self.request_frame_size as usize;
843 input = &input[start..];
844 self.request_frame_size = 0;
848 //then parse all we can
849 let r = self.parse_frames(input, il, STREAM_TOSERVER);
851 //adds bytes consumed by banner to incomplete result
852 return AppLayerResult::incomplete(r.consumed + magic_consumed as u32, r.needed);
858 fn parse_tc(&mut self, mut input: &[u8]) -> AppLayerResult {
859 //first consume frame bytes
860 let il = input.len();
861 if self.response_frame_size > 0 {
862 let ilen = input.len() as u32;
863 if self.response_frame_size >= ilen {
864 self.response_frame_size -= ilen;
865 return AppLayerResult::ok();
867 let start = self.response_frame_size as usize;
868 input = &input[start..];
869 self.response_frame_size = 0;
872 //then parse all we can
873 return self.parse_frames(input, il, STREAM_TOCLIENT);
877 &mut self, min_tx_id: u64, state: &mut u64,
878 ) -> Option<(&HTTP2Transaction, u64, bool)> {
879 let mut index = *state as usize;
880 let len = self.transactions.len();
883 let tx = &self.transactions[index];
884 if tx.tx_id < min_tx_id + 1 {
888 *state = index as u64;
889 return Some((tx, tx.tx_id - 1, (len - index) > 1));
898 export_tx_get_detect_state!(rs_http2_tx_get_detect_state, HTTP2Transaction);
899 export_tx_set_detect_state!(rs_http2_tx_set_detect_state, HTTP2Transaction);
901 export_tx_data_get!(rs_http2_get_tx_data, HTTP2Transaction);
903 /// C entry point for a probing parser.
905 pub extern "C" fn rs_http2_probing_parser_tc(
906 _flow: *const Flow, _direction: u8, input: *const u8, input_len: u32, _rdir: *mut u8,
908 if input != std::ptr::null_mut() {
909 let slice = build_slice!(input, input_len as usize);
910 match parser::http2_parse_frame_header(slice) {
912 if header.reserved != 0
913 || header.length > HTTP2_DEFAULT_MAX_FRAME_SIZE
914 || header.flags & 0xFE != 0
915 || header.ftype != parser::HTTP2FrameType::SETTINGS as u8
917 return unsafe { ALPROTO_FAILED };
919 return unsafe { ALPROTO_HTTP2 };
921 Err(nom::Err::Incomplete(_)) => {
922 return ALPROTO_UNKNOWN;
925 return unsafe { ALPROTO_FAILED };
929 return ALPROTO_UNKNOWN;
932 /// Extern functions operating on HTTP2.
934 pub fn HTTP2MimicHttp1Request(
935 orig_state: *mut std::os::raw::c_void, new_state: *mut std::os::raw::c_void,
940 pub extern "C" fn rs_http2_state_new(
941 orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto,
942 ) -> *mut std::os::raw::c_void {
943 let state = HTTP2State::new();
944 let boxed = Box::new(state);
945 let r = unsafe { transmute(boxed) };
946 if orig_state != std::ptr::null_mut() {
947 //we could check ALPROTO_HTTP == orig_proto
949 HTTP2MimicHttp1Request(orig_state, r);
956 pub extern "C" fn rs_http2_state_free(state: *mut std::os::raw::c_void) {
958 let mut state: Box<HTTP2State> = unsafe { transmute(state) };
963 pub extern "C" fn rs_http2_state_tx_free(state: *mut std::os::raw::c_void, tx_id: u64) {
964 let state = cast_pointer!(state, HTTP2State);
965 state.free_tx(tx_id);
969 pub extern "C" fn rs_http2_parse_ts(
970 flow: *const Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
971 input: *const u8, input_len: u32, _data: *const std::os::raw::c_void, _flags: u8,
972 ) -> AppLayerResult {
973 let state = cast_pointer!(state, HTTP2State);
974 let buf = build_slice!(input, input_len as usize);
976 state.files.flags_ts = unsafe { FileFlowToFlags(flow, STREAM_TOSERVER) };
977 state.files.flags_ts = state.files.flags_ts | FILE_USE_DETECT;
978 return state.parse_ts(buf);
982 pub extern "C" fn rs_http2_parse_tc(
983 flow: *const Flow, state: *mut std::os::raw::c_void, _pstate: *mut std::os::raw::c_void,
984 input: *const u8, input_len: u32, _data: *const std::os::raw::c_void, _flags: u8,
985 ) -> AppLayerResult {
986 let state = cast_pointer!(state, HTTP2State);
987 let buf = build_slice!(input, input_len as usize);
988 state.files.flags_tc = unsafe { FileFlowToFlags(flow, STREAM_TOCLIENT) };
989 state.files.flags_tc = state.files.flags_tc | FILE_USE_DETECT;
990 return state.parse_tc(buf);
994 pub extern "C" fn rs_http2_state_get_tx(
995 state: *mut std::os::raw::c_void, tx_id: u64,
996 ) -> *mut std::os::raw::c_void {
997 let state = cast_pointer!(state, HTTP2State);
998 match state.get_tx(tx_id) {
1000 return unsafe { transmute(tx) };
1003 return std::ptr::null_mut();
1009 pub extern "C" fn rs_http2_state_get_tx_count(state: *mut std::os::raw::c_void) -> u64 {
1010 let state = cast_pointer!(state, HTTP2State);
1015 pub extern "C" fn rs_http2_state_progress_completion_status(_direction: u8) -> std::os::raw::c_int {
1016 return HTTP2TransactionState::HTTP2StateClosed as i32;
1020 pub extern "C" fn rs_http2_tx_get_state(tx: *mut std::os::raw::c_void) -> HTTP2TransactionState {
1021 let tx = cast_pointer!(tx, HTTP2Transaction);
1026 pub extern "C" fn rs_http2_tx_get_alstate_progress(
1027 tx: *mut std::os::raw::c_void, _direction: u8,
1028 ) -> std::os::raw::c_int {
1029 return rs_http2_tx_get_state(tx) as i32;
1033 pub extern "C" fn rs_http2_state_get_events(
1034 tx: *mut std::os::raw::c_void,
1035 ) -> *mut core::AppLayerDecoderEvents {
1036 let tx = cast_pointer!(tx, HTTP2Transaction);
1041 pub extern "C" fn rs_http2_state_get_event_info(
1042 event_name: *const std::os::raw::c_char, event_id: *mut std::os::raw::c_int,
1043 event_type: *mut core::AppLayerEventType,
1044 ) -> std::os::raw::c_int {
1045 if event_name == std::ptr::null() {
1048 let c_event_name: &CStr = unsafe { CStr::from_ptr(event_name) };
1049 let event = match c_event_name.to_str() {
1052 "invalid_frame_header" => HTTP2Event::InvalidFrameHeader as i32,
1053 "invalid_client_magic" => HTTP2Event::InvalidClientMagic as i32,
1054 "invalid_frame_data" => HTTP2Event::InvalidFrameData as i32,
1055 "invalid_header" => HTTP2Event::InvalidHeader as i32,
1056 "invalid_frame_length" => HTTP2Event::InvalidFrameLength as i32,
1057 "extra_header_data" => HTTP2Event::ExtraHeaderData as i32,
1058 "long_frame_data" => HTTP2Event::LongFrameData as i32,
1059 "stream_id_reuse" => HTTP2Event::StreamIdReuse as i32,
1060 "invalid_http1_settings" => HTTP2Event::InvalidHTTP1Settings as i32,
1061 _ => -1, // unknown event
1064 Err(_) => -1, // UTF-8 conversion failed
1067 *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
1068 *event_id = event as std::os::raw::c_int;
1074 pub extern "C" fn rs_http2_state_get_event_info_by_id(
1075 event_id: std::os::raw::c_int, event_name: *mut *const std::os::raw::c_char,
1076 event_type: *mut core::AppLayerEventType,
1078 if let Some(e) = HTTP2Event::from_i32(event_id as i32) {
1079 let estr = match e {
1080 HTTP2Event::InvalidFrameHeader => "invalid_frame_header\0",
1081 HTTP2Event::InvalidClientMagic => "invalid_client_magic\0",
1082 HTTP2Event::InvalidFrameData => "invalid_frame_data\0",
1083 HTTP2Event::InvalidHeader => "invalid_header\0",
1084 HTTP2Event::InvalidFrameLength => "invalid_frame_length\0",
1085 HTTP2Event::ExtraHeaderData => "extra_header_data\0",
1086 HTTP2Event::LongFrameData => "long_frame_data\0",
1087 HTTP2Event::StreamIdReuse => "stream_id_reuse\0",
1088 HTTP2Event::InvalidHTTP1Settings => "invalid_http1_settings\0",
1091 *event_name = estr.as_ptr() as *const std::os::raw::c_char;
1092 *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
1100 pub extern "C" fn rs_http2_state_get_tx_iterator(
1101 _ipproto: u8, _alproto: AppProto, state: *mut std::os::raw::c_void, min_tx_id: u64,
1102 _max_tx_id: u64, istate: &mut u64,
1103 ) -> applayer::AppLayerGetTxIterTuple {
1104 let state = cast_pointer!(state, HTTP2State);
1105 match state.tx_iterator(min_tx_id, istate) {
1106 Some((tx, out_tx_id, has_next)) => {
1107 let c_tx = unsafe { transmute(tx) };
1108 let ires = applayer::AppLayerGetTxIterTuple::with_values(c_tx, out_tx_id, has_next);
1112 return applayer::AppLayerGetTxIterTuple::not_found();
1118 pub extern "C" fn rs_http2_getfiles(
1119 state: *mut std::os::raw::c_void, direction: u8,
1120 ) -> *mut FileContainer {
1121 let state = cast_pointer!(state, HTTP2State);
1122 if direction == STREAM_TOCLIENT {
1123 &mut state.files.files_tc as *mut FileContainer
1125 &mut state.files.files_ts as *mut FileContainer
1129 // Parser name as a C style string.
1130 const PARSER_NAME: &'static [u8] = b"http2\0";
1133 pub unsafe extern "C" fn rs_http2_register_parser() {
1134 let default_port = CString::new("[80]").unwrap();
1135 let parser = RustParser {
1136 name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
1137 default_port: default_port.as_ptr(),
1138 ipproto: IPPROTO_TCP,
1139 probe_ts: None, // big magic string should be enough
1140 probe_tc: Some(rs_http2_probing_parser_tc),
1141 min_depth: HTTP2_FRAME_HEADER_LEN as u16,
1142 max_depth: HTTP2_MAGIC_LEN as u16,
1143 state_new: rs_http2_state_new,
1144 state_free: rs_http2_state_free,
1145 tx_free: rs_http2_state_tx_free,
1146 parse_ts: rs_http2_parse_ts,
1147 parse_tc: rs_http2_parse_tc,
1148 get_tx_count: rs_http2_state_get_tx_count,
1149 get_tx: rs_http2_state_get_tx,
1150 tx_get_comp_st: rs_http2_state_progress_completion_status,
1151 tx_get_progress: rs_http2_tx_get_alstate_progress,
1152 get_de_state: rs_http2_tx_get_detect_state,
1153 set_de_state: rs_http2_tx_set_detect_state,
1154 get_events: Some(rs_http2_state_get_events),
1155 get_eventinfo: Some(rs_http2_state_get_event_info),
1156 get_eventinfo_byid: Some(rs_http2_state_get_event_info_by_id),
1157 localstorage_new: None,
1158 localstorage_free: None,
1159 get_files: Some(rs_http2_getfiles),
1160 get_tx_iterator: Some(rs_http2_state_get_tx_iterator),
1161 get_tx_data: rs_http2_get_tx_data,
1162 apply_tx_config: None,
1167 let ip_proto_str = CString::new("tcp").unwrap();
1169 if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
1170 let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
1171 ALPROTO_HTTP2 = alproto;
1172 if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
1173 let _ = AppLayerRegisterParser(&parser, alproto);
1175 SCLogDebug!("Rust http2 parser registered.");
1177 SCLogNotice!("Protocol detector and parser disabled for HTTP2.");
projects / people / ms / suricata.git / blob