diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
commit | a0aa2307322cd47bbf416810ac0292925e03be87 (patch) | |
tree | 37076262a026c4b48c8a0e84f44ff9187556ca35 /rust/src/krb | |
parent | Initial commit. (diff) | |
download | suricata-a0aa2307322cd47bbf416810ac0292925e03be87.tar.xz suricata-a0aa2307322cd47bbf416810ac0292925e03be87.zip |
Adding upstream version 1:7.0.3.upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'rust/src/krb')
-rw-r--r-- | rust/src/krb/detect.rs | 331 | ||||
-rw-r--r-- | rust/src/krb/krb5.rs | 638 | ||||
-rw-r--r-- | rust/src/krb/log.rs | 74 | ||||
-rw-r--r-- | rust/src/krb/mod.rs | 24 |
4 files changed, 1067 insertions, 0 deletions
diff --git a/rust/src/krb/detect.rs b/rust/src/krb/detect.rs new file mode 100644 index 0000000..25cce9b --- /dev/null +++ b/rust/src/krb/detect.rs @@ -0,0 +1,331 @@ +/* Copyright (C) 2018 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +// written by Pierre Chifflier <chifflier@wzdftpd.net> + +use crate::krb::krb5::{test_weak_encryption, KRB5Transaction}; + +use kerberos_parser::krb5::EncryptionType; + +use nom7::branch::alt; +use nom7::bytes::complete::{is_a, tag, take_while, take_while1}; +use nom7::character::complete::char; +use nom7::combinator::{all_consuming, map_res, opt}; +use nom7::multi::many1; +use nom7::IResult; + +use std::ffi::CStr; + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_tx_get_msgtype(tx: &mut KRB5Transaction, ptr: *mut u32) { + *ptr = tx.msg_type.0; +} + +/// Get error code, if present in transaction +/// Return 0 if error code was filled, else 1 +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_tx_get_errcode(tx: &mut KRB5Transaction, ptr: *mut i32) -> u32 { + match tx.error_code { + Some(ref e) => { + *ptr = e.0; + 0 + } + None => 1, + } +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_tx_get_cname( + tx: &mut KRB5Transaction, i: u32, buffer: *mut *const u8, buffer_len: *mut u32, +) -> u8 { + if let Some(ref s) = tx.cname { + if (i as usize) < s.name_string.len() { + let value = &s.name_string[i as usize]; + *buffer = value.as_ptr(); + *buffer_len = value.len() as u32; + return 1; + } + } + 0 +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_tx_get_sname( + tx: &mut KRB5Transaction, i: u32, buffer: *mut *const u8, buffer_len: *mut u32, +) -> u8 { + if let Some(ref s) = tx.sname { + if (i as usize) < s.name_string.len() { + let value = &s.name_string[i as usize]; + *buffer = value.as_ptr(); + *buffer_len = value.len() as u32; + return 1; + } + } + 0 +} + +const KRB_TICKET_FASTARRAY_SIZE: usize = 256; + +#[derive(Debug)] +pub struct DetectKrb5TicketEncryptionList { + positive: [bool; KRB_TICKET_FASTARRAY_SIZE], + negative: [bool; KRB_TICKET_FASTARRAY_SIZE], + other: Vec<EncryptionType>, +} + +impl Default for DetectKrb5TicketEncryptionList { + fn default() -> Self { + Self::new() + } +} + +impl DetectKrb5TicketEncryptionList { + pub fn new() -> Self { + Self { + positive: [false; KRB_TICKET_FASTARRAY_SIZE], + negative: [false; KRB_TICKET_FASTARRAY_SIZE], + other: Vec::new(), + } + } +} + + +// Suppress large enum variant lint as the LIST is very large compared +// to the boolean variant. +#[derive(Debug)] +#[allow(clippy::large_enum_variant)] +pub enum DetectKrb5TicketEncryptionData { + WEAK(bool), + LIST(DetectKrb5TicketEncryptionList), +} + +pub fn detect_parse_encryption_weak(i: &str) -> IResult<&str, DetectKrb5TicketEncryptionData> { + let (i, neg) = opt(char('!'))(i)?; + let (i, _) = tag("weak")(i)?; + let value = neg.is_none(); + return Ok((i, DetectKrb5TicketEncryptionData::WEAK(value))); +} + +trait MyFromStr { + fn from_str(s: &str) -> Result<Self, String> + where + Self: Sized; +} + +impl MyFromStr for EncryptionType { + fn from_str(s: &str) -> Result<Self, String> { + let su_slice: &str = s; + match su_slice { + "des-cbc-crc" => Ok(EncryptionType::DES_CBC_CRC), + "des-cbc-md4" => Ok(EncryptionType::DES_CBC_MD4), + "des-cbc-md5" => Ok(EncryptionType::DES_CBC_MD5), + "des3-cbc-md5" => Ok(EncryptionType::DES3_CBC_MD5), + "des3-cbc-sha1" => Ok(EncryptionType::DES3_CBC_SHA1), + "dsaWithSHA1-CmsOID" => Ok(EncryptionType::DSAWITHSHA1_CMSOID), + "md5WithRSAEncryption-CmsOID" => Ok(EncryptionType::MD5WITHRSAENCRYPTION_CMSOID), + "sha1WithRSAEncryption-CmsOID" => Ok(EncryptionType::SHA1WITHRSAENCRYPTION_CMSOID), + "rc2CBC-EnvOID" => Ok(EncryptionType::RC2CBC_ENVOID), + "rsaEncryption-EnvOID" => Ok(EncryptionType::RSAENCRYPTION_ENVOID), + "rsaES-OAEP-ENV-OID" => Ok(EncryptionType::RSAES_OAEP_ENV_OID), + "des-ede3-cbc-Env-OID" => Ok(EncryptionType::DES_EDE3_CBC_ENV_OID), + "des3-cbc-sha1-kd" => Ok(EncryptionType::DES3_CBC_SHA1_KD), + "aes128-cts-hmac-sha1-96" => Ok(EncryptionType::AES128_CTS_HMAC_SHA1_96), + "aes256-cts-hmac-sha1-96" => Ok(EncryptionType::AES256_CTS_HMAC_SHA1_96), + "aes128-cts-hmac-sha256-128" => Ok(EncryptionType::AES128_CTS_HMAC_SHA256_128), + "aes256-cts-hmac-sha384-192" => Ok(EncryptionType::AES256_CTS_HMAC_SHA384_192), + "rc4-hmac" => Ok(EncryptionType::RC4_HMAC), + "rc4-hmac-exp" => Ok(EncryptionType::RC4_HMAC_EXP), + "camellia128-cts-cmac" => Ok(EncryptionType::CAMELLIA128_CTS_CMAC), + "camellia256-cts-cmac" => Ok(EncryptionType::CAMELLIA256_CTS_CMAC), + "subkey-keymaterial" => Ok(EncryptionType::SUBKEY_KEYMATERIAL), + "rc4-md4" => Ok(EncryptionType::RC4_MD4), + "rc4-plain2" => Ok(EncryptionType::RC4_PLAIN2), + "rc4-lm" => Ok(EncryptionType::RC4_LM), + "rc4-sha" => Ok(EncryptionType::RC4_SHA), + "des-plain" => Ok(EncryptionType::DES_PLAIN), + "rc4-hmac-OLD" => Ok(EncryptionType::RC4_HMAC_OLD), + "rc4-plain-OLD" => Ok(EncryptionType::RC4_PLAIN_OLD), + "rc4-hmac-OLD-exp" => Ok(EncryptionType::RC4_HMAC_OLD_EXP), + "rc4-plain-OLD-exp" => Ok(EncryptionType::RC4_PLAIN_OLD_EXP), + "rc4-plain" => Ok(EncryptionType::RC4_PLAIN), + "rc4-plain-exp" => Ok(EncryptionType::RC4_PLAIN_EXP), + _ => { + if let Ok(num) = s.parse::<i32>() { + return Ok(EncryptionType(num)); + } else { + return Err(format!("'{}' is not a valid value for EncryptionType", s)); + } + } + } + } +} + +pub fn is_alphanumeric_or_dash(chr: char) -> bool { + return chr.is_alphanumeric() || chr == '-'; +} + +pub fn detect_parse_encryption_item(i: &str) -> IResult<&str, EncryptionType> { + let (i, _) = opt(is_a(" "))(i)?; + let (i, e) = map_res(take_while1(is_alphanumeric_or_dash), |s: &str| { + EncryptionType::from_str(s) + })(i)?; + let (i, _) = opt(is_a(" "))(i)?; + let (i, _) = opt(char(','))(i)?; + return Ok((i, e)); +} + +pub fn detect_parse_encryption_list(i: &str) -> IResult<&str, DetectKrb5TicketEncryptionData> { + let mut l = DetectKrb5TicketEncryptionList::new(); + let (i, v) = many1(detect_parse_encryption_item)(i)?; + for &val in v.iter() { + let vali = val.0; + if vali < 0 && ((-vali) as usize) < KRB_TICKET_FASTARRAY_SIZE { + l.negative[(-vali) as usize] = true; + } else if vali >= 0 && (vali as usize) < KRB_TICKET_FASTARRAY_SIZE { + l.positive[vali as usize] = true; + } else { + l.other.push(val); + } + } + return Ok((i, DetectKrb5TicketEncryptionData::LIST(l))); +} + +pub fn detect_parse_encryption(i: &str) -> IResult<&str, DetectKrb5TicketEncryptionData> { + let (i, _) = opt(is_a(" "))(i)?; + let (i, parsed) = alt((detect_parse_encryption_weak, detect_parse_encryption_list))(i)?; + let (i, _) = all_consuming(take_while(|c| c == ' '))(i)?; + return Ok((i, parsed)); +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_detect_encryption_parse( + ustr: *const std::os::raw::c_char, +) -> *mut DetectKrb5TicketEncryptionData { + let ft_name: &CStr = CStr::from_ptr(ustr); //unsafe + if let Ok(s) = ft_name.to_str() { + if let Ok((_, ctx)) = detect_parse_encryption(s) { + let boxed = Box::new(ctx); + return Box::into_raw(boxed) as *mut _; + } + } + return std::ptr::null_mut(); +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_detect_encryption_match( + tx: &mut KRB5Transaction, ctx: &DetectKrb5TicketEncryptionData, +) -> std::os::raw::c_int { + if let Some(x) = tx.ticket_etype { + match ctx { + DetectKrb5TicketEncryptionData::WEAK(w) => { + if (test_weak_encryption(x) && *w) || (!test_weak_encryption(x) && !*w) { + return 1; + } + } + DetectKrb5TicketEncryptionData::LIST(l) => { + let vali = x.0; + if vali < 0 && ((-vali) as usize) < KRB_TICKET_FASTARRAY_SIZE { + if l.negative[(-vali) as usize] { + return 1; + } + } else if vali >= 0 && (vali as usize) < KRB_TICKET_FASTARRAY_SIZE { + if l.positive[vali as usize] { + return 1; + } + } else { + for &val in l.other.iter() { + if x == val { + return 1; + } + } + } + } + } + } + return 0; +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_detect_encryption_free(ctx: &mut DetectKrb5TicketEncryptionData) { + // Just unbox... + std::mem::drop(Box::from_raw(ctx)); +} + +#[cfg(test)] +mod tests { + + use super::*; + + #[test] + fn test_detect_parse_encryption() { + match detect_parse_encryption(" weak ") { + Ok((rem, ctx)) => { + match ctx { + DetectKrb5TicketEncryptionData::WEAK(w) => { + assert!(w); + } + _ => { + panic!("Result should have been weak."); + } + } + // And we should have no bytes left. + assert_eq!(rem.len(), 0); + } + _ => { + panic!("Result should have been ok."); + } + } + match detect_parse_encryption("!weak") { + Ok((rem, ctx)) => { + match ctx { + DetectKrb5TicketEncryptionData::WEAK(w) => { + assert!(!w); + } + _ => { + panic!("Result should have been weak."); + } + } + // And we should have no bytes left. + assert_eq!(rem.len(), 0); + } + _ => { + panic!("Result should have been ok."); + } + } + match detect_parse_encryption(" des-cbc-crc , -128,2 257") { + Ok((rem, ctx)) => { + match ctx { + DetectKrb5TicketEncryptionData::LIST(l) => { + assert!(l.positive[EncryptionType::DES_CBC_CRC.0 as usize]); + assert!(l.negative[128]); + assert!(l.positive[2]); + assert_eq!(l.other.len(), 1); + assert_eq!(l.other[0], EncryptionType(257)); + } + _ => { + panic!("Result should have been list."); + } + } + // And we should have no bytes left. + assert_eq!(rem.len(), 0); + } + _ => { + panic!("Result should have been ok."); + } + } + } +} diff --git a/rust/src/krb/krb5.rs b/rust/src/krb/krb5.rs new file mode 100644 index 0000000..3282d50 --- /dev/null +++ b/rust/src/krb/krb5.rs @@ -0,0 +1,638 @@ +/* Copyright (C) 2017-2021 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +// written by Pierre Chifflier <chifflier@wzdftpd.net> + +use std; +use std::ffi::CString; +use nom7::{Err, IResult}; +use nom7::number::streaming::be_u32; +use der_parser::der::der_read_element_header; +use der_parser::ber::Class; +use kerberos_parser::krb5_parser; +use kerberos_parser::krb5::{EncryptionType,ErrorCode,MessageType,PrincipalName,Realm}; +use crate::applayer::{self, *}; +use crate::core; +use crate::core::{AppProto,Flow,ALPROTO_FAILED,ALPROTO_UNKNOWN,Direction}; + +#[derive(AppLayerEvent)] +pub enum KRB5Event { + MalformedData, + WeakEncryption, +} + +pub struct KRB5State { + state_data: AppLayerStateData, + + pub req_id: u8, + + pub record_ts: usize, + pub defrag_buf_ts: Vec<u8>, + pub record_tc: usize, + pub defrag_buf_tc: Vec<u8>, + + /// List of transactions for this session + transactions: Vec<KRB5Transaction>, + + /// tx counter for assigning incrementing id's to tx's + tx_id: u64, +} + +impl State<KRB5Transaction> for KRB5State { + fn get_transaction_count(&self) -> usize { + self.transactions.len() + } + + fn get_transaction_by_index(&self, index: usize) -> Option<&KRB5Transaction> { + self.transactions.get(index) + } +} + +pub struct KRB5Transaction { + /// The message type: AS-REQ, AS-REP, etc. + pub msg_type: MessageType, + + /// The client PrincipalName, if present + pub cname: Option<PrincipalName>, + /// The server Realm, if present + pub realm: Option<Realm>, + /// The server PrincipalName, if present + pub sname: Option<PrincipalName>, + + /// Encryption used (only in AS-REP and TGS-REP) + pub etype: Option<EncryptionType>, + + /// Encryption used for ticket + pub ticket_etype: Option<EncryptionType>, + + /// Error code, if request has failed + pub error_code: Option<ErrorCode>, + + /// Message type of request. For using in responses. + pub req_type: Option<MessageType>, + + /// The internal transaction id + id: u64, + + tx_data: applayer::AppLayerTxData, +} + +impl Transaction for KRB5Transaction { + fn id(&self) -> u64 { + self.id + } +} + +impl Default for KRB5State { + fn default() -> Self { + Self::new() + } +} + +impl KRB5State { + pub fn new() -> KRB5State { + Self { + state_data: AppLayerStateData::new(), + req_id: 0, + record_ts: 0, + defrag_buf_ts: Vec::new(), + record_tc: 0, + defrag_buf_tc: Vec::new(), + transactions: Vec::new(), + tx_id: 0, + } + } + + /// Parse a Kerberos request message + /// + /// Returns 0 in case of success, or -1 on error + fn parse(&mut self, i: &[u8], direction: Direction) -> i32 { + match der_read_element_header(i) { + Ok((_rem,hdr)) => { + // Kerberos messages start with an APPLICATION header + if hdr.class() != Class::Application { return 0; } + match hdr.tag().0 { + 10 => { + let req = krb5_parser::parse_as_req(i); + if let Ok((_,kdc_req)) = req { + let mut tx = self.new_tx(direction); + tx.msg_type = MessageType::KRB_AS_REQ; + tx.cname = kdc_req.req_body.cname; + tx.realm = Some(kdc_req.req_body.realm); + tx.sname = kdc_req.req_body.sname; + tx.etype = None; + self.transactions.push(tx); + }; + self.req_id = 10; + }, + 11 => { + let res = krb5_parser::parse_as_rep(i); + if let Ok((_,kdc_rep)) = res { + let mut tx = self.new_tx(direction); + tx.msg_type = MessageType::KRB_AS_REP; + if self.req_id > 0 { + // set request type only if previous message + // was a request + tx.req_type = Some(MessageType(self.req_id.into())); + } + tx.cname = Some(kdc_rep.cname); + tx.realm = Some(kdc_rep.crealm); + tx.sname = Some(kdc_rep.ticket.sname); + tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype); + tx.etype = Some(kdc_rep.enc_part.etype); + self.transactions.push(tx); + if test_weak_encryption(kdc_rep.enc_part.etype) { + self.set_event(KRB5Event::WeakEncryption); + } + }; + self.req_id = 0; + }, + 12 => { + let req = krb5_parser::parse_tgs_req(i); + if let Ok((_,kdc_req)) = req { + let mut tx = self.new_tx(direction); + tx.msg_type = MessageType::KRB_TGS_REQ; + tx.cname = kdc_req.req_body.cname; + tx.realm = Some(kdc_req.req_body.realm); + tx.sname = kdc_req.req_body.sname; + tx.etype = None; + self.transactions.push(tx); + }; + self.req_id = 12; + }, + 13 => { + let res = krb5_parser::parse_tgs_rep(i); + if let Ok((_,kdc_rep)) = res { + let mut tx = self.new_tx(direction); + tx.msg_type = MessageType::KRB_TGS_REP; + if self.req_id > 0 { + // set request type only if previous message + // was a request + tx.req_type = Some(MessageType(self.req_id.into())); + } + tx.cname = Some(kdc_rep.cname); + tx.realm = Some(kdc_rep.crealm); + tx.ticket_etype = Some(kdc_rep.ticket.enc_part.etype); + tx.sname = Some(kdc_rep.ticket.sname); + tx.etype = Some(kdc_rep.enc_part.etype); + self.transactions.push(tx); + if test_weak_encryption(kdc_rep.enc_part.etype) { + self.set_event(KRB5Event::WeakEncryption); + } + }; + self.req_id = 0; + }, + 14 => { + self.req_id = 14; + }, + 15 => { + self.req_id = 0; + }, + 30 => { + let res = krb5_parser::parse_krb_error(i); + if let Ok((_,error)) = res { + let mut tx = self.new_tx(direction); + if self.req_id > 0 { + // set request type only if previous message + // was a request + tx.req_type = Some(MessageType(self.req_id.into())); + } + tx.msg_type = MessageType::KRB_ERROR; + tx.cname = error.cname; + tx.realm = error.crealm; + tx.sname = Some(error.sname); + tx.error_code = Some(error.error_code); + self.transactions.push(tx); + }; + self.req_id = 0; + }, + _ => { SCLogDebug!("unknown/unsupported tag {}", hdr.tag()); }, + } + 0 + }, + Err(Err::Incomplete(_)) => { + SCLogDebug!("Insufficient data while parsing KRB5 data"); + self.set_event(KRB5Event::MalformedData); + -1 + }, + Err(_) => { + SCLogDebug!("Error while parsing KRB5 data"); + self.set_event(KRB5Event::MalformedData); + -1 + }, + } + } + + pub fn free(&mut self) { + // All transactions are freed when the `transactions` object is freed. + // But let's be explicit + self.transactions.clear(); + } + + fn new_tx(&mut self, direction: Direction) -> KRB5Transaction { + self.tx_id += 1; + KRB5Transaction::new(direction, self.tx_id) + } + + fn get_tx_by_id(&mut self, tx_id: u64) -> Option<&KRB5Transaction> { + self.transactions.iter().find(|&tx| tx.id == tx_id + 1) + } + + fn free_tx(&mut self, tx_id: u64) { + let tx = self.transactions.iter().position(|tx| tx.id == tx_id + 1); + debug_assert!(tx.is_some()); + if let Some(idx) = tx { + let _ = self.transactions.remove(idx); + } + } + + /// Set an event. The event is set on the most recent transaction. + fn set_event(&mut self, event: KRB5Event) { + if let Some(tx) = self.transactions.last_mut() { + tx.tx_data.set_event(event as u8); + } + } +} + +impl KRB5Transaction { + pub fn new(direction: Direction, id: u64) -> KRB5Transaction { + let krbtx = KRB5Transaction{ + msg_type: MessageType(0), + cname: None, + realm: None, + sname: None, + etype: None, + ticket_etype: None, + error_code: None, + req_type: None, + id, + tx_data: applayer::AppLayerTxData::for_direction(direction), + }; + return krbtx; + } +} + +/// Return true if Kerberos `EncryptionType` is weak +pub fn test_weak_encryption(alg:EncryptionType) -> bool { + match alg { + EncryptionType::AES128_CTS_HMAC_SHA1_96 | + EncryptionType::AES256_CTS_HMAC_SHA1_96 | + EncryptionType::AES128_CTS_HMAC_SHA256_128 | + EncryptionType::AES256_CTS_HMAC_SHA384_192 | + EncryptionType::CAMELLIA128_CTS_CMAC | + EncryptionType::CAMELLIA256_CTS_CMAC => false, + _ => true, // all other ciphers are weak or deprecated + } +} + + + + + +/// Returns *mut KRB5State +#[no_mangle] +pub extern "C" fn rs_krb5_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void { + let state = KRB5State::new(); + let boxed = Box::new(state); + return Box::into_raw(boxed) as *mut _; +} + +/// Params: +/// - state: *mut KRB5State as void pointer +#[no_mangle] +pub extern "C" fn rs_krb5_state_free(state: *mut std::os::raw::c_void) { + let mut state: Box<KRB5State> = unsafe{Box::from_raw(state as _)}; + state.free(); +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_state_get_tx(state: *mut std::os::raw::c_void, + tx_id: u64) + -> *mut std::os::raw::c_void +{ + let state = cast_pointer!(state,KRB5State); + match state.get_tx_by_id(tx_id) { + Some(tx) => tx as *const _ as *mut _, + None => std::ptr::null_mut(), + } +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_state_get_tx_count(state: *mut std::os::raw::c_void) + -> u64 +{ + let state = cast_pointer!(state,KRB5State); + state.tx_id +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_state_tx_free(state: *mut std::os::raw::c_void, + tx_id: u64) +{ + let state = cast_pointer!(state,KRB5State); + state.free_tx(tx_id); +} + +#[no_mangle] +pub extern "C" fn rs_krb5_tx_get_alstate_progress(_tx: *mut std::os::raw::c_void, + _direction: u8) + -> std::os::raw::c_int +{ + 1 +} + +static mut ALPROTO_KRB5 : AppProto = ALPROTO_UNKNOWN; + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_probing_parser(_flow: *const Flow, + _direction: u8, + input:*const u8, input_len: u32, + _rdir: *mut u8) -> AppProto +{ + let slice = build_slice!(input,input_len as usize); + let alproto = ALPROTO_KRB5; + if slice.len() <= 10 { return ALPROTO_FAILED; } + match der_read_element_header(slice) { + Ok((rem, ref hdr)) => { + // Kerberos messages start with an APPLICATION header + if hdr.class() != Class::Application { return ALPROTO_FAILED; } + // Tag number should be <= 30 + if hdr.tag().0 > 30 { return ALPROTO_FAILED; } + // Kerberos messages contain sequences + if rem.is_empty() || rem[0] != 0x30 { return ALPROTO_FAILED; } + // Check kerberos version + if let Ok((rem,_hdr)) = der_read_element_header(rem) { + if rem.len() > 5 { + #[allow(clippy::single_match)] + match (rem[2],rem[3],rem[4]) { + // Encoding of DER integer 5 (version) + (2,1,5) => { return alproto; }, + _ => (), + } + } + } + return ALPROTO_FAILED; + }, + Err(Err::Incomplete(_)) => { + return ALPROTO_UNKNOWN; + }, + Err(_) => { + return ALPROTO_FAILED; + }, + } +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_probing_parser_tcp(_flow: *const Flow, + direction: u8, + input:*const u8, input_len: u32, + rdir: *mut u8) -> AppProto +{ + let slice = build_slice!(input,input_len as usize); + if slice.len() <= 14 { return ALPROTO_FAILED; } + match be_u32(slice) as IResult<&[u8],u32> { + Ok((rem, record_mark)) => { + // protocol implementations forbid very large requests + if record_mark > 16384 { return ALPROTO_FAILED; } + return rs_krb5_probing_parser(_flow, direction, + rem.as_ptr(), rem.len() as u32, rdir); + }, + Err(Err::Incomplete(_)) => { + return ALPROTO_UNKNOWN; + }, + Err(_) => { + return ALPROTO_FAILED; + }, + } +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_parse_request(_flow: *const core::Flow, + state: *mut std::os::raw::c_void, + _pstate: *mut std::os::raw::c_void, + stream_slice: StreamSlice, + _data: *const std::os::raw::c_void, + ) -> AppLayerResult { + let buf = stream_slice.as_slice(); + let state = cast_pointer!(state,KRB5State); + if state.parse(buf, Direction::ToServer) < 0 { + return AppLayerResult::err(); + } + AppLayerResult::ok() +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_parse_response(_flow: *const core::Flow, + state: *mut std::os::raw::c_void, + _pstate: *mut std::os::raw::c_void, + stream_slice: StreamSlice, + _data: *const std::os::raw::c_void, + ) -> AppLayerResult { + let buf = stream_slice.as_slice(); + let state = cast_pointer!(state,KRB5State); + if state.parse(buf, Direction::ToClient) < 0 { + return AppLayerResult::err(); + } + AppLayerResult::ok() +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_parse_request_tcp(_flow: *const core::Flow, + state: *mut std::os::raw::c_void, + _pstate: *mut std::os::raw::c_void, + stream_slice: StreamSlice, + _data: *const std::os::raw::c_void, + ) -> AppLayerResult { + let state = cast_pointer!(state,KRB5State); + let buf = stream_slice.as_slice(); + + let mut v : Vec<u8>; + let tcp_buffer = match state.record_ts { + 0 => buf, + _ => { + // sanity check to avoid memory exhaustion + if state.defrag_buf_ts.len() + buf.len() > 100000 { + SCLogDebug!("rs_krb5_parse_request_tcp: TCP buffer exploded {} {}", + state.defrag_buf_ts.len(), buf.len()); + return AppLayerResult::err(); + } + v = state.defrag_buf_ts.split_off(0); + v.extend_from_slice(buf); + v.as_slice() + } + }; + let mut cur_i = tcp_buffer; + while !cur_i.is_empty() { + if state.record_ts == 0 { + match be_u32(cur_i) as IResult<&[u8],u32> { + Ok((rem,record)) => { + state.record_ts = record as usize; + cur_i = rem; + }, + Err(Err::Incomplete(_)) => { + state.defrag_buf_ts.extend_from_slice(cur_i); + return AppLayerResult::ok(); + } + _ => { + SCLogDebug!("rs_krb5_parse_request_tcp: reading record mark failed!"); + return AppLayerResult::err(); + } + } + } + if cur_i.len() >= state.record_ts { + if state.parse(cur_i, Direction::ToServer) < 0 { + return AppLayerResult::err(); + } + state.record_ts = 0; + cur_i = &cur_i[state.record_ts..]; + } else { + // more fragments required + state.defrag_buf_ts.extend_from_slice(cur_i); + return AppLayerResult::ok(); + } + } + AppLayerResult::ok() +} + +#[no_mangle] +pub unsafe extern "C" fn rs_krb5_parse_response_tcp(_flow: *const core::Flow, + state: *mut std::os::raw::c_void, + _pstate: *mut std::os::raw::c_void, + stream_slice: StreamSlice, + _data: *const std::os::raw::c_void, + ) -> AppLayerResult { + let state = cast_pointer!(state,KRB5State); + let buf = stream_slice.as_slice(); + + let mut v : Vec<u8>; + let tcp_buffer = match state.record_tc { + 0 => buf, + _ => { + // sanity check to avoid memory exhaustion + if state.defrag_buf_tc.len() + buf.len() > 100000 { + SCLogDebug!("rs_krb5_parse_response_tcp: TCP buffer exploded {} {}", + state.defrag_buf_tc.len(), buf.len()); + return AppLayerResult::err(); + } + v = state.defrag_buf_tc.split_off(0); + v.extend_from_slice(buf); + v.as_slice() + } + }; + let mut cur_i = tcp_buffer; + while !cur_i.is_empty() { + if state.record_tc == 0 { + match be_u32(cur_i) as IResult<&[u8],_> { + Ok((rem,record)) => { + state.record_tc = record as usize; + cur_i = rem; + }, + Err(Err::Incomplete(_)) => { + state.defrag_buf_tc.extend_from_slice(cur_i); + return AppLayerResult::ok(); + } + _ => { + SCLogDebug!("reading record mark failed!"); + return AppLayerResult::ok(); + } + } + } + if cur_i.len() >= state.record_tc { + if state.parse(cur_i, Direction::ToClient) < 0 { + return AppLayerResult::err(); + } + state.record_tc = 0; + cur_i = &cur_i[state.record_tc..]; + } else { + // more fragments required + state.defrag_buf_tc.extend_from_slice(cur_i); + return AppLayerResult::ok(); + } + } + AppLayerResult::ok() +} + +export_tx_data_get!(rs_krb5_get_tx_data, KRB5Transaction); +export_state_data_get!(rs_krb5_get_state_data, KRB5State); + +const PARSER_NAME : &[u8] = b"krb5\0"; + +#[no_mangle] +pub unsafe extern "C" fn rs_register_krb5_parser() { + let default_port = CString::new("88").unwrap(); + let mut parser = RustParser { + name : PARSER_NAME.as_ptr() as *const std::os::raw::c_char, + default_port : default_port.as_ptr(), + ipproto : core::IPPROTO_UDP, + probe_ts : Some(rs_krb5_probing_parser), + probe_tc : Some(rs_krb5_probing_parser), + min_depth : 0, + max_depth : 16, + state_new : rs_krb5_state_new, + state_free : rs_krb5_state_free, + tx_free : rs_krb5_state_tx_free, + parse_ts : rs_krb5_parse_request, + parse_tc : rs_krb5_parse_response, + get_tx_count : rs_krb5_state_get_tx_count, + get_tx : rs_krb5_state_get_tx, + tx_comp_st_ts : 1, + tx_comp_st_tc : 1, + tx_get_progress : rs_krb5_tx_get_alstate_progress, + get_eventinfo : Some(KRB5Event::get_event_info), + get_eventinfo_byid : Some(KRB5Event::get_event_info_by_id), + localstorage_new : None, + localstorage_free : None, + get_tx_files : None, + get_tx_iterator : Some(applayer::state_get_tx_iterator::<KRB5State, KRB5Transaction>), + get_tx_data : rs_krb5_get_tx_data, + get_state_data : rs_krb5_get_state_data, + apply_tx_config : None, + flags : 0, + truncate : None, + get_frame_id_by_name: None, + get_frame_name_by_id: None, + }; + // register UDP parser + let ip_proto_str = CString::new("udp").unwrap(); + if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { + let alproto = AppLayerRegisterProtocolDetection(&parser, 1); + // store the allocated ID for the probe function + ALPROTO_KRB5 = alproto; + if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { + let _ = AppLayerRegisterParser(&parser, alproto); + } + } else { + SCLogDebug!("Protocol detector and parser disabled for KRB5/UDP."); + } + // register TCP parser + parser.ipproto = core::IPPROTO_TCP; + parser.probe_ts = Some(rs_krb5_probing_parser_tcp); + parser.probe_tc = Some(rs_krb5_probing_parser_tcp); + parser.parse_ts = rs_krb5_parse_request_tcp; + parser.parse_tc = rs_krb5_parse_response_tcp; + let ip_proto_str = CString::new("tcp").unwrap(); + if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { + let alproto = AppLayerRegisterProtocolDetection(&parser, 1); + // store the allocated ID for the probe function + ALPROTO_KRB5 = alproto; + if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { + let _ = AppLayerRegisterParser(&parser, alproto); + } + } else { + SCLogDebug!("Protocol detector and parser disabled for KRB5/TCP."); + } +} diff --git a/rust/src/krb/log.rs b/rust/src/krb/log.rs new file mode 100644 index 0000000..7cb9525 --- /dev/null +++ b/rust/src/krb/log.rs @@ -0,0 +1,74 @@ +/* Copyright (C) 2018 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +// written by Pierre Chifflier <chifflier@wzdftpd.net> + +use crate::jsonbuilder::{JsonBuilder, JsonError}; +use crate::krb::krb5::{KRB5Transaction,test_weak_encryption}; + +fn krb5_log_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> Result<(), JsonError> +{ + match tx.error_code { + Some(c) => { + jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?; + if let Some(req_type) = tx.req_type { + jsb.set_string("failed_request", &format!("{:?}", req_type))?; + } else { + // In case we capture the response but not the request + // we can't know the failed request type, since it could be + // AS-REQ or TGS-REQ + jsb.set_string("failed_request", "UNKNOWN")?; + } + jsb.set_string("error_code", &format!("{:?}", c))?; + }, + None => { jsb.set_string("msg_type", &format!("{:?}", tx.msg_type))?; }, + } + let cname = match tx.cname { + Some(ref x) => format!("{}", x), + None => "<empty>".to_owned(), + }; + let realm = match tx.realm { + Some(ref x) => x.0.to_string(), + None => "<empty>".to_owned(), + }; + let sname = match tx.sname { + Some(ref x) => format!("{}", x), + None => "<empty>".to_owned(), + }; + let encryption = match tx.etype { + Some(ref x) => format!("{:?}", x), + None => "<none>".to_owned(), + }; + jsb.set_string("cname", &cname)?; + jsb.set_string("realm", &realm)?; + jsb.set_string("sname", &sname)?; + jsb.set_string("encryption", &encryption)?; + jsb.set_bool("weak_encryption", tx.etype.map_or(false,test_weak_encryption))?; + if let Some(x) = tx.ticket_etype { + let refs = format!("{:?}", x); + jsb.set_string("ticket_encryption", &refs)?; + jsb.set_bool("ticket_weak_encryption", test_weak_encryption(x))?; + } + + return Ok(()); +} + +#[no_mangle] +pub extern "C" fn rs_krb5_log_json_response(jsb: &mut JsonBuilder, tx: &mut KRB5Transaction) -> bool +{ + krb5_log_response(jsb, tx).is_ok() +} diff --git a/rust/src/krb/mod.rs b/rust/src/krb/mod.rs new file mode 100644 index 0000000..ca6237d --- /dev/null +++ b/rust/src/krb/mod.rs @@ -0,0 +1,24 @@ +/* Copyright (C) 2017-2018 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +//! Kerberos-v5 application layer, logger and detection module. + +// written by Pierre Chifflier <chifflier@wzdftpd.net> + +pub mod krb5; +pub mod detect; +pub mod log; |