src/app-layer-parser.h

   1 /* Copyright (C) 2007-2020 Open Information Security Foundation
   2  *
   3  * You can copy, redistribute or modify this Program under the terms of
   4  * the GNU General Public License version 2 as published by the Free
   5  * Software Foundation.
   6  *
   7  * This program is distributed in the hope that it will be useful,
   8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
   9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  10  * GNU General Public License for more details.
  11  *
  12  * You should have received a copy of the GNU General Public License
  13  * version 2 along with this program; if not, write to the Free Software
  14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  15  * 02110-1301, USA.
  16  */
  17
  18 /**
  19  * \file
  20  *
  21  * \author Victor Julien <victor@inliniac.net>
  22  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
  23  */
  24
  25 #ifndef __APP_LAYER_PARSER_H__
  26 #define __APP_LAYER_PARSER_H__
  27
  28 #include "app-layer-events.h"
  29 #include "detect-engine-state.h"
  30 #include "util-file.h"
  31 #include "stream-tcp-private.h"
  32 #include "rust.h"
  33 #include "util-config.h"
  34
  35 /* Flags for AppLayerParserState. */
  36 // flag available                               BIT_U8(0)
  37 #define APP_LAYER_PARSER_NO_INSPECTION          BIT_U8(1)
  38 #define APP_LAYER_PARSER_NO_REASSEMBLY          BIT_U8(2)
  39 #define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD  BIT_U8(3)
  40 #define APP_LAYER_PARSER_BYPASS_READY           BIT_U8(4)
  41 #define APP_LAYER_PARSER_EOF_TS                 BIT_U8(5)
  42 #define APP_LAYER_PARSER_EOF_TC                 BIT_U8(6)
  43
  44 /* Flags for AppLayerParserProtoCtx. */
  45 #define APP_LAYER_PARSER_OPT_ACCEPT_GAPS        BIT_U32(0)
  46 #define APP_LAYER_PARSER_OPT_UNIDIR_TXS         BIT_U32(1)
  47
  48 #define APP_LAYER_PARSER_INT_STREAM_DEPTH_SET   BIT_U32(0)
  49
  50 /* applies to DetectFlags uint64_t field */
  51
  52 /** reserved for future use */
  53 #define APP_LAYER_TX_RESERVED1_FLAG  BIT_U64(48)
  54 #define APP_LAYER_TX_RESERVED2_FLAG  BIT_U64(49)
  55 #define APP_LAYER_TX_RESERVED3_FLAG  BIT_U64(50)
  56 #define APP_LAYER_TX_RESERVED4_FLAG  BIT_U64(51)
  57 #define APP_LAYER_TX_RESERVED5_FLAG  BIT_U64(52)
  58 #define APP_LAYER_TX_RESERVED6_FLAG  BIT_U64(53)
  59 #define APP_LAYER_TX_RESERVED7_FLAG  BIT_U64(54)
  60 #define APP_LAYER_TX_RESERVED8_FLAG  BIT_U64(55)
  61 #define APP_LAYER_TX_RESERVED9_FLAG  BIT_U64(56)
  62 #define APP_LAYER_TX_RESERVED10_FLAG BIT_U64(57)
  63 #define APP_LAYER_TX_RESERVED11_FLAG BIT_U64(58)
  64 #define APP_LAYER_TX_RESERVED12_FLAG BIT_U64(59)
  65 #define APP_LAYER_TX_RESERVED13_FLAG BIT_U64(60)
  66 #define APP_LAYER_TX_RESERVED14_FLAG BIT_U64(61)
  67 #define APP_LAYER_TX_RESERVED15_FLAG BIT_U64(62)
  68
  69 #define APP_LAYER_TX_RESERVED_FLAGS                                                                \
  70     (APP_LAYER_TX_RESERVED1_FLAG | APP_LAYER_TX_RESERVED2_FLAG | APP_LAYER_TX_RESERVED3_FLAG |     \
  71             APP_LAYER_TX_RESERVED4_FLAG | APP_LAYER_TX_RESERVED5_FLAG |                            \
  72             APP_LAYER_TX_RESERVED6_FLAG | APP_LAYER_TX_RESERVED7_FLAG |                            \
  73             APP_LAYER_TX_RESERVED8_FLAG | APP_LAYER_TX_RESERVED9_FLAG |                            \
  74             APP_LAYER_TX_RESERVED10_FLAG | APP_LAYER_TX_RESERVED11_FLAG |                          \
  75             APP_LAYER_TX_RESERVED12_FLAG | APP_LAYER_TX_RESERVED13_FLAG |                          \
  76             APP_LAYER_TX_RESERVED14_FLAG | APP_LAYER_TX_RESERVED15_FLAG)
  77
  78 /** is tx fully inspected? */
  79 #define APP_LAYER_TX_INSPECTED_FLAG             BIT_U64(63)
  80 /** other 63 bits are for tracking which prefilter engine is already
  81  *  completely inspected */
  82 #define APP_LAYER_TX_PREFILTER_MASK ~(APP_LAYER_TX_INSPECTED_FLAG | APP_LAYER_TX_RESERVED_FLAGS)
  83
  84 /** parser has successfully processed in the input, and has consumed
  85  *  all of it. */
  86 #define APP_LAYER_OK (AppLayerResult) { 0, 0, 0 }
  87
  88 /** parser has hit an unrecoverable error. Returning this to the API
  89  *  leads to no further calls to the parser. */
  90 #define APP_LAYER_ERROR (AppLayerResult) { -1, 0, 0 }
  91
  92 /** parser needs more data. Through 'c' it will indicate how many
  93  *  of the input bytes it has consumed. Through 'n' it will indicate
  94  *  how many more bytes it needs before getting called again.
  95  *  \note consumed (c) should never be more than the input len
  96  *        needed (n) + consumed (c) should be more than the input len
  97  */
  98 #define APP_LAYER_INCOMPLETE(c,n) (AppLayerResult) { 1, (c), (n) }
  99
 100 int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto);
 101
 102 /***** transaction handling *****/
 103
 104 int AppLayerParserSetup(void);
 105 void AppLayerParserPostStreamSetup(void);
 106 int AppLayerParserDeSetup(void);
 107
 108 typedef struct AppLayerParserThreadCtx_ AppLayerParserThreadCtx;
 109
 110 /**
 111  * \brief Gets a new app layer protocol's parser thread context.
 112  *
 113  * \retval Non-NULL pointer on success.
 114  *         NULL pointer on failure.
 115  */
 116 AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void);
 117
 118 /**
 119  * \brief Destroys the app layer parser thread context obtained
 120  *        using AppLayerParserThreadCtxAlloc().
 121  *
 122  * \param tctx Pointer to the thread context to be destroyed.
 123  */
 124 void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx);
 125
 126 /**
 127  * \brief Given a protocol name, checks if the parser is enabled in
 128  *        the conf file.
 129  *
 130  * \param alproto_name Name of the app layer protocol.
 131  *
 132  * \retval 1 If enabled.
 133  * \retval 0 If disabled.
 134  */
 135 int AppLayerParserConfParserEnabled(const char *ipproto,
 136                                     const char *alproto_name);
 137
 138 /** \brief Prototype for parsing functions */
 139 typedef AppLayerResult (*AppLayerParserFPtr)(Flow *f, void *protocol_state,
 140         AppLayerParserState *pstate,
 141         const uint8_t *buf, uint32_t buf_len,
 142         void *local_storage, const uint8_t flags);
 143
 144 typedef struct AppLayerGetTxIterState {
 145     union {
 146         void *ptr;
 147         uint64_t u64;
 148     } un;
 149 } AppLayerGetTxIterState;
 150
 151 /** \brief tx iterator prototype */
 152 typedef AppLayerGetTxIterTuple (*AppLayerGetTxIteratorFunc)
 153        (const uint8_t ipproto, const AppProto alproto,
 154         void *alstate, uint64_t min_tx_id, uint64_t max_tx_id,
 155         AppLayerGetTxIterState *state);
 156
 157 /***** Parser related registration *****/
 158
 159 /**
 160  * \brief Register app layer parser for the protocol.
 161  *
 162  * \retval 0 On success.
 163  * \retval -1 On failure.
 164  */
 165 int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
 166                       uint8_t direction,
 167                       AppLayerParserFPtr Parser);
 168 void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto,
 169                                               AppProto alproto,
 170                                               uint8_t direction);
 171 void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto,
 172         uint32_t flags);
 173 void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
 174         void *(*StateAlloc)(void *, AppProto), void (*StateFree)(void *));
 175 void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto proto,
 176                                  void *(*LocalStorageAlloc)(void),
 177                                  void (*LocalStorageFree)(void *));
 178 void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
 179                              FileContainer *(*StateGetFiles)(void *, uint8_t));
 180 void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto proto,
 181     AppLayerDecoderEvents *(*StateGetEvents)(void *) __attribute__((nonnull)));
 182 void AppLayerParserRegisterLoggerFuncs(uint8_t ipproto, AppProto alproto,
 183                          LoggerId (*StateGetTxLogged)(void *, void *),
 184                          void (*StateSetTxLogged)(void *, void *, LoggerId));
 185 void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto);
 186 void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits);
 187 void AppLayerParserRegisterTruncateFunc(uint8_t ipproto, AppProto alproto,
 188                              void (*Truncate)(void *, uint8_t));
 189 void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
 190     int (*StateGetStateProgress)(void *alstate, uint8_t direction));
 191 void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
 192                            void (*StateTransactionFree)(void *, uint64_t));
 193 void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
 194                          uint64_t (*StateGetTxCnt)(void *alstate));
 195 void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
 196                       void *(StateGetTx)(void *alstate, uint64_t tx_id));
 197 void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto,
 198                       AppLayerGetTxIteratorFunc Func);
 199 void AppLayerParserRegisterStateProgressCompletionStatus(
 200         AppProto alproto, const int ts, const int tc);
 201 void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
 202     int (*StateGetEventInfo)(const char *event_name, int *event_id,
 203                              AppLayerEventType *event_type));
 204 void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
 205     int (*StateGetEventInfoById)(int event_id, const char **event_name,
 206                                  AppLayerEventType *event_type));
 207 void AppLayerParserRegisterGetStreamDepth(uint8_t ipproto,
 208                                           AppProto alproto,
 209                                           uint32_t (*GetStreamDepth)(void));
 210 void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto,
 211         void (*SetStreamDepthFlag)(void *tx, uint8_t flags));
 212
 213 void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto,
 214         AppLayerTxData *(*GetTxData)(void *tx));
 215 void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto,
 216         bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig));
 217
 218 /***** Get and transaction functions *****/
 219
 220 uint32_t AppLayerParserGetOptionFlags(uint8_t protomap, AppProto alproto);
 221 AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto,
 222          const AppProto alproto);
 223
 224 void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto);
 225 void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
 226                                           void *local_data);
 227
 228
 229 uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
 230 void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id);
 231
 232 uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);
 233 void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate,
 234                                 void *alstate, const uint8_t flags, bool tag_txs_as_inspected);
 235
 236 AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate);
 237 void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents);
 238 AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx);
 239 FileContainer *AppLayerParserGetFiles(const Flow *f, const uint8_t direction);
 240 int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
 241                         void *alstate, uint8_t direction);
 242 uint64_t AppLayerParserGetTxCnt(const Flow *, void *alstate);
 243 void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id);
 244 int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction);
 245 int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
 246                     int *event_id, AppLayerEventType *event_type);
 247 int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id,
 248                     const char **event_name, AppLayerEventType *event_type);
 249
 250 uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction);
 251
 252 uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto);
 253
 254 int AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto);
 255
 256 AppLayerTxData *AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx);
 257 void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto,
 258         void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig);
 259
 260 /***** General *****/
 261
 262 int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *tctx, Flow *f, AppProto alproto,
 263                    uint8_t flags, const uint8_t *input, uint32_t input_len);
 264 void AppLayerParserSetEOF(AppLayerParserState *pstate);
 265 bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate);
 266 int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto);
 267 LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto);
 268 void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction);
 269 void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth);
 270 uint32_t AppLayerParserGetStreamDepth(const Flow *f);
 271 void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags);
 272 int AppLayerParserIsEnabled(AppProto alproto);
 273
 274 /***** Cleanup *****/
 275
 276 void AppLayerParserStateProtoCleanup(
 277         uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate);
 278 void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate);
 279
 280 void AppLayerParserRegisterProtocolParsers(void);
 281
 282
 283 void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint8_t flag);
 284 int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag);
 285
 286 void AppLayerParserStreamTruncated(uint8_t ipproto, AppProto alproto, void *alstate,
 287                         uint8_t direction);
 288
 289
 290
 291 AppLayerParserState *AppLayerParserStateAlloc(void);
 292 void AppLayerParserStateFree(AppLayerParserState *pstate);
 293
 294 void AppLayerParserTransactionsCleanup(Flow *f);
 295
 296 #ifdef DEBUG
 297 void AppLayerParserStatePrintDetails(AppLayerParserState *pstate);
 298 #endif
 299
 300
 301 /***** Unittests *****/
 302
 303 #ifdef UNITTESTS
 304 void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
 305                                   void (*RegisterUnittests)(void));
 306 void AppLayerParserRegisterUnittests(void);
 307 void AppLayerParserBackupParserTable(void);
 308 void AppLayerParserRestoreParserTable(void);
 309 void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min);
 310 #endif
 311
 312 #endif /* __APP_LAYER_PARSER_H__ */