nfs4: support records wrapped in GSSAPI integrity

diff --git a/rust/src/nfs/nfs.rs b/rust/src/nfs/nfs.rs
index 643af76279cbfb9e12bacae65252133e611489d6..f919ea8bb6075c3cdc8c78cdc2fbfba2da14a304 100644 (file)
--- a/rust/src/nfs/nfs.rs
+++ b/rust/src/nfs/nfs.rs
@@ -238,6 +238,9 @@ pub struct NFSRequestXidMap {
 
     /// READ replies can use this to get to the handle the request used
     pub file_handle:Vec<u8>,
+
+    pub gssapi_proc: u32,
+    pub gssapi_service: u32,
 }
 
 impl NFSRequestXidMap {
@@ -248,6 +251,8 @@ impl NFSRequestXidMap {
             chunk_offset:chunk_offset,
             file_name:Vec::new(),
             file_handle:Vec::new(),
+            gssapi_proc: 0,
+            gssapi_service: 0,
         }
     }
 }

diff --git a/rust/src/nfs/nfs4.rs b/rust/src/nfs/nfs4.rs
index 0d385ef305a84642f5de63cd9f41d08883da28a0..a5d85fc08918b7c35cb3e4c89592218e2228d603 100644 (file)
--- a/rust/src/nfs/nfs4.rs
+++ b/rust/src/nfs/nfs4.rs
@@ -195,16 +195,39 @@ impl NFSState {
                 }
             }
         } else if r.procedure == NFSPROC4_COMPOUND {
-            match parse_nfs4_request_compound(r.prog_data) {
+            let mut data = r.prog_data;
+
+            if let RpcRequestCreds::GssApi(ref creds) = r.creds {
+                if creds.procedure == 0  && creds.service == 2 {
+                    SCLogDebug!("GSS INTEGRITIY: {:?}", creds);
+                    match parse_rpc_gssapi_integrity(r.prog_data) {
+                        IResult::Done(_rem, rec) => {
+                            SCLogDebug!("GSS INTEGRITIY wrapper: {:?}", rec);
+                            data = rec.data;
+                            // store proc and serv for the reply
+                            xidmap.gssapi_proc = creds.procedure;
+                            xidmap.gssapi_service = creds.service;
+                        },
+                        IResult::Incomplete(_n) => {
+                            SCLogDebug!("NFSPROC4_COMPOUND/GSS INTEGRITIY: INCOMPLETE {:?}", _n);
+                            self.set_event(NFSEvent::MalformedData);
+                            return 0;
+                        },
+                        IResult::Error(e) => { panic!("NFSPROC4_COMPOUND/GSS INTEGRITIY: Parsing failed: {:?}",e);  },
+                    }
+                }
+            }
+
+            match parse_nfs4_request_compound(data) {
                 IResult::Done(_, rd) => {
                     SCLogDebug!("NFSPROC4_COMPOUND: {:?}", rd);
                     self.compound_request(&r, &rd, &mut xidmap);
                 },
                 IResult::Incomplete(_n) => {
-                    SCLogNotice!("NFSPROC4_COMPOUND: INCOMPLETE {:?}", _n);
+                    SCLogDebug!("NFSPROC4_COMPOUND: INCOMPLETE {:?}", _n);
                     self.set_event(NFSEvent::MalformedData);
                 },
-                IResult::Error(e) => { panic!("Parsing failed: {:?}",e);  },
+                IResult::Error(e) => { panic!("NFSPROC4_COMPOUND: Parsing failed: {:?}",e);  },
             };
         }
 
@@ -274,7 +297,25 @@ impl NFSState {
     pub fn process_reply_record_v4<'b>(&mut self, r: &RpcReplyPacket<'b>,
             xidmap: &mut NFSRequestXidMap) -> u32 {
         if xidmap.procedure == NFSPROC4_COMPOUND {
-            match parse_nfs4_response_compound(r.prog_data) {
+            let mut data = r.prog_data;
+
+            if xidmap.gssapi_proc == 0 && xidmap.gssapi_service == 2 {
+
+                SCLogDebug!("GSS INTEGRITIY as set by call: {:?}", xidmap);
+                match parse_rpc_gssapi_integrity(r.prog_data) {
+                    IResult::Done(_rem, rec) => {
+                        SCLogDebug!("GSS INTEGRITIY wrapper: {:?}", rec);
+                        data = rec.data;
+                    },
+                    IResult::Incomplete(_n) => {
+                        SCLogDebug!("NFSPROC4_COMPOUND/GSS INTEGRITIY: INCOMPLETE {:?}", _n);
+                        self.set_event(NFSEvent::MalformedData);
+                        return 0;
+                    },
+                    IResult::Error(e) => { panic!("NFSPROC4_COMPOUND/GSS INTEGRITIY: Parsing failed: {:?}",e);  },
+                }
+            }
+            match parse_nfs4_response_compound(data) {
                 IResult::Done(_, rd) => {
                     SCLogDebug!("COMPOUNDv4: {:?}", rd);
                     self.compound_response(&r, &rd, xidmap);