From b1e2783788c183e78e490d8711962dca2f4587dd Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 20 Mar 2018 09:29:41 +0100
Subject: [PATCH] auth/krb5: move kerberos5 wrapper to rust root Make it available outside of just the SMB parser.
---
rust/src/kerberos.rs | 73 +++++++++++++++++++++++++++++++++++++++++
rust/src/lib.rs | 2 ++
rust/src/smb/auth.rs | 53 ++----------------------------
rust/src/smb/mod.rs | 2 --
rust/src/smb/session.rs | 2 +-
5 files changed, 79 insertions(+), 53 deletions(-)
create mode 100644 rust/src/kerberos.rs
diff --git a/rust/src/kerberos.rs b/rust/src/kerberos.rs
new file mode 100644
index 0000000000..9d46daf496
--- /dev/null
+++ b/rust/src/kerberos.rs
@@ -0,0 +1,73 @@
+/* Copyright (C) 2018 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+use kerberos_parser::krb5_parser::parse_ap_req;
+use kerberos_parser::krb5::{ApReq,Realm,PrincipalName};
+use nom::{IResult, ErrorKind, le_u16};
+use der_parser;
+use der_parser::parse_der_oid;
+
+use log::*;
+
+pub const SECBLOB_NOT_SPNEGO : u32 = 128;
+pub const SECBLOB_KRB_FMT_ERR : u32 = 129;
+
+#[derive(Debug,PartialEq)]
+pub struct Kerberos5Ticket {
+ pub realm: Realm,
+ pub sname: PrincipalName,
+}
+
+fn parse_kerberos5_request_do(blob: &[u8]) -> IResult<&[u8], ApReq>
+{
+ let blob = match der_parser::parse_der(blob) {
+ IResult::Done(_, b) => {
+ match b.content.as_slice() {
+ Ok(b) => { b },
+ _ => { return IResult::Error(error_code!(ErrorKind::Custom(SECBLOB_KRB_FMT_ERR))); },
+ }
+ },
+ IResult::Incomplete(needed) => { return IResult::Incomplete(needed); },
+ IResult::Error(err) => { return IResult::Error(err); },
+ };
+ do_parse!(
+ blob,
+ base_o: parse_der_oid >>
+ tok_id: le_u16 >>
+ ap_req: parse_ap_req >>
+ ({
+ SCLogDebug!("parse_kerberos5_request: base_o {:?}", base_o.as_oid());
+ SCLogDebug!("parse_kerberos5_request: tok_id {}", tok_id);
+ ap_req
+ })
+ )
+}
+
+pub fn parse_kerberos5_request(blob: &[u8]) -> IResult<&[u8], Kerberos5Ticket>
+{
+ match parse_kerberos5_request_do(blob) {
+ IResult::Done(rem, req) => {
+ let t = Kerberos5Ticket { + realm: req.ticket.realm, + sname: req.ticket.sname, + }; + return IResult::Done(rem, t); + } + IResult::Incomplete(needed) => { return IResult::Incomplete(needed); }, + IResult::Error(err) => { return IResult::Error(err); }, + } +} diff --git a/rust/src/lib.rs b/rust/src/lib.rs index c2d7ff99bb..0ecc7829a0 100644 --- a/rust/src/lib.rs +++ b/rust/src/lib.rs @@ -25,6 +25,7 @@ extern crate nom; extern crate crc; extern crate der_parser; +extern crate kerberos_parser; #[macro_use] pub mod log; @@ -39,6 +40,7 @@ pub mod filecontainer; pub mod filetracker; #[macro_use] pub mod parser; +pub mod kerberos; #[cfg(feature = "lua")] pub mod lua; diff --git a/rust/src/smb/auth.rs b/rust/src/smb/auth.rs index 006b08cfbb..24292be6bb 100644 --- a/rust/src/smb/auth.rs +++ b/rust/src/smb/auth.rs 
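Review bot: `parse_kerberos5_request_do` parses `base_o` and `tok_id` but only passes them to `SCLogDebug!`, so any mechanism OID and any token id are accepted as long as the bytes after them parse as an AP-REQ. In `smb/auth.rs` the call is gated on `have_kerberos`, but the new public `parse_kerberos5_request` carries no such guard for other callers; rejecting the blob with `ErrorKind::Custom(SECBLOB_KRB_FMT_ERR)` unless `tok_id` is the AP-REQ token id (bytes `01 00`) and `base_o` is a Kerberos 5 mechanism OID would keep other GSS-API tokens from being reported as tickets. The returned remainder is relative to the inner DER content, since the outer `parse_der` remainder is discarded with `_`; I would state that in a doc comment on the public function, e.g. `/// The remaining slice is what follows the AP-REQ inside the outer DER object, not the tail of the input blob.`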
@@ -15,57 +15,14 @@ * 02110-1301, USA. */ -use smb::kerberos_parser::krb5_parser::parse_ap_req; -use smb::kerberos_parser::krb5::{ApReq,Realm,PrincipalName}; +use kerberos::*; use log::*; use smb::ntlmssp_records::*; use smb::smb::*; -use nom::{IResult, ErrorKind, le_u16}; +use nom::{IResult, ErrorKind}; use der_parser; -use der_parser::parse_der_oid; - -#[derive(Debug,PartialEq)] -pub struct Kerberos5Ticket { - pub realm: Realm, - pub sname: PrincipalName, -} - -// get SPNEGO -// get OIDS -// if OID has KERBEROS get KERBEROS data -// else if OID has NTLMSSP get NTLMSSP -// else bruteforce NTLMSSP - -fn parse_kerberos5_request(blob: &[u8]) -> IResult<&[u8], ApReq> -{ - let blob = match der_parser::parse_der(blob) { - IResult::Done(_, b) => { - match b.content.as_slice() { - Ok(b) => { b }, - _ => { return IResult::Error(error_code!(ErrorKind::Custom(SECBLOB_KRB_FMT_ERR))); }, - } - }, - IResult::Incomplete(needed) => { return IResult::Incomplete(needed); }, - IResult::Error(err) => { return IResult::Error(err); }, - }; - do_parse!( - blob, - base_o: parse_der_oid >> - tok_id: le_u16 >> - ap_req: parse_ap_req >> - ({ - SCLogDebug!("parse_kerberos5_request: base_o {:?}", base_o.as_oid()); - SCLogDebug!("parse_kerberos5_request: tok_id {}", tok_id); - ap_req - }) - ) -} - - -pub const SECBLOB_NOT_SPNEGO : u32 = 128; -pub const SECBLOB_KRB_FMT_ERR : u32 = 129; fn parse_secblob_get_spnego(blob: &[u8]) -> IResult<&[u8], &[u8]> { @@ -183,11 +140,7 @@ fn parse_secblob_spnego(blob: &[u8]) -> Option der_parser::DerObjectContent::OctetString(ref os) => { if have_kerberos { match parse_kerberos5_request(os) { - IResult::Done(_, req) => { - let t = Kerberos5Ticket { - realm: req.ticket.realm, - sname: req.ticket.sname, - }; + IResult::Done(_, t) => { kticket = Some(t) }, _ => { }, diff --git a/rust/src/smb/mod.rs b/rust/src/smb/mod.rs index 618a59c3c0..65e1577ffc 100644 --- a/rust/src/smb/mod.rs +++ b/rust/src/smb/mod.rs 
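Review bot: `use kerberos::*;` in the first hunk now brings `Kerberos5Ticket`, `parse_kerberos5_request` and both `SECBLOB_*` constants into `smb/auth.rs` through a glob, which hides that the SPNEGO-level code `SECBLOB_NOT_SPNEGO` (presumably still used by `parse_secblob_get_spnego`, whose body is outside the hunk) has moved into the Kerberos module. An explicit list such as `use kerberos::{Kerberos5Ticket, parse_kerberos5_request, SECBLOB_NOT_SPNEGO};`, plus `SECBLOB_KRB_FMT_ERR` if this file still references it, would make the dependency visible and keep later additions to `kerberos.rs` from leaking into the SMB namespace. The same glob import is added in `smb/session.rs`.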
@@ -15,8 +15,6 @@ * 02110-1301, USA. */ -extern crate kerberos_parser; - pub mod smb_records; pub mod smb1_records; pub mod smb2_records; diff --git a/rust/src/smb/session.rs b/rust/src/smb/session.rs index ed57c6cf6d..741a0d63d0 100644 --- a/rust/src/smb/session.rs +++ b/rust/src/smb/session.rs @@ -16,7 +16,7 @@ */ use log::*; - +use kerberos::*; use smb::smb::*; use smb::smb1_session::*; use smb::auth::*; -- 2.47.2