/src/suricata7/rust/src/ike/logger.rs

Source
/* Copyright (C) 2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

use super::ike::{IKEState, IKETransaction};
use super::ipsec_parser::IKEV2_FLAG_INITIATOR;
use crate::core::Direction;
use crate::ike::parser::{ExchangeType, IsakmpPayloadType, SaAttribute};
use crate::jsonbuilder::{JsonBuilder, JsonError};
use num_traits::FromPrimitive;
use std;
use std::collections::HashSet;
use std::convert::TryFrom;

const LOG_EXTENDED: u32 = 0x01;

fn add_attributes(transform: &Vec<SaAttribute>, js: &mut JsonBuilder) -> Result<(), JsonError> {
    let mut logged: HashSet<String> = HashSet::new();

    for attribute in transform {
        let key = attribute.attribute_type.to_string();

        if logged.contains(&key) {
            continue;
        }
        logged.insert(key.clone());

        js.set_string(
            &key,
            attribute.attribute_value.to_string().as_str(),
        )?;

        if let Some(numeric_value) = attribute.numeric_value {
            js.set_uint(
                format!("{}_raw", attribute.attribute_type).as_str(),
                numeric_value as u64,
            )?;
        } else if let Some(hex_value) = &attribute.hex_value {
            js.set_string(
                format!("{}_raw", attribute.attribute_type).as_str(),
                hex_value,
            )?;
        }
    }

    return Ok(());
}

fn log_ike(
    state: &IKEState, tx: &IKETransaction, flags: u32, jb: &mut JsonBuilder,
) -> Result<(), JsonError> {
    jb.open_object("ike")?;

    jb.set_uint("version_major", tx.hdr.maj_ver as u64)?;
    jb.set_uint("version_minor", tx.hdr.min_ver as u64)?;
    jb.set_string("init_spi", &tx.hdr.spi_initiator)?;
    jb.set_string("resp_spi", &tx.hdr.spi_responder)?;
    jb.set_uint("message_id", tx.hdr.msg_id as u64)?;

    if tx.ike_version == 1 {
        if let Some(exchange_type) = tx.hdr.ikev1_header.exchange_type {
            jb.set_uint("exchange_type", exchange_type as u64)?;
            if (flags & LOG_EXTENDED) == LOG_EXTENDED {
                if let Some(etype) = ExchangeType::from_u8(exchange_type) {
                    jb.set_string("exchange_type_verbose", etype.to_string().as_str())?;
                };
            }
        }
    } else if tx.ike_version == 2 {
        jb.set_uint("exchange_type", tx.hdr.ikev2_header.exch_type.0 as u64)?;
    }

    if tx.ike_version == 1 {
        if state.ikev1_container.server.nb_transforms > 0 {
            // log the first transform as the chosen one
            add_attributes(&state.ikev1_container.server.transform, jb)?;
        }
        if tx.direction == Direction::ToClient && tx.hdr.ikev1_transforms.len() > 1 {
            // in case we have multiple server transforms log them in a list
            jb.open_array("server_proposals")?;
            for server_transform in &tx.hdr.ikev1_transforms {
                jb.start_object()?;
                add_attributes(server_transform, jb)?;
                jb.close()?;
            }
            jb.close()?;
        }
    } else if tx.ike_version == 2 {
        if tx.hdr.flags & IKEV2_FLAG_INITIATOR != 0 {
            jb.set_string("role", "initiator")?;
        } else {
            jb.set_string("role", "responder")?;
            jb.set_string("alg_enc", &format!("{:?}", state.ikev2_container.alg_enc))?;
            jb.set_string("alg_auth", &format!("{:?}", state.ikev2_container.alg_auth))?;
            jb.set_string("alg_prf", &format!("{:?}", state.ikev2_container.alg_prf))?;
            jb.set_string("alg_dh", &format!("{:?}", state.ikev2_container.alg_dh))?;
            jb.set_string("alg_esn", &format!("{:?}", state.ikev2_container.alg_esn))?;
        }
    }

    // payloads in packet
    jb.open_array("payload")?;
    if tx.ike_version == 1 {
        if let Some(payload_types) = &tx.payload_types.ikev1_payload_types {
            for pt in payload_types {
                append_payload_type_extended(jb, pt)?;
            }
        }
    } else if tx.ike_version == 2 {
        for payload in tx.payload_types.ikev2_payload_types.iter() {
            jb.append_string(&format!("{:?}", payload))?;
        }
    }
    jb.close()?;

    if tx.ike_version == 1 {
        log_ikev1(state, tx, jb)?;
    } else if tx.ike_version == 2 {
        log_ikev2(tx, jb)?;
    }
    jb.close()?;
    return Ok(());
}

fn log_ikev1(state: &IKEState, tx: &IKETransaction, jb: &mut JsonBuilder) -> Result<(), JsonError> {
    jb.open_object("ikev1")?;

    if let Some(doi) = state.ikev1_container.domain_of_interpretation {
        jb.set_uint("doi", doi as u64)?;
    }
    jb.set_bool("encrypted_payloads", tx.hdr.ikev1_header.encrypted_payloads)?;

    if !tx.hdr.ikev1_header.encrypted_payloads {
        // enable logging of collected state if not-encrypted payloads

        // client data
        jb.open_object("client")?;
        if !state.ikev1_container.client.key_exchange.is_empty() {
            jb.set_string(
                "key_exchange_payload",
                &state.ikev1_container.client.key_exchange,
            )?;
            if let Ok(client_key_length) =
                u64::try_from(state.ikev1_container.client.key_exchange.len())
            {
                jb.set_uint("key_exchange_payload_length", client_key_length / 2)?;
            }
        }
        if !state.ikev1_container.client.nonce.is_empty() {
            jb.set_string("nonce_payload", &state.ikev1_container.client.nonce)?;
            if let Ok(client_nonce_length) = u64::try_from(state.ikev1_container.client.nonce.len())
            {
                jb.set_uint("nonce_payload_length", client_nonce_length / 2)?;
            }
        }

        if tx.direction == Direction::ToServer && !tx.hdr.ikev1_transforms.is_empty() {
            jb.open_array("proposals")?;
            for client_transform in &tx.hdr.ikev1_transforms {
                jb.start_object()?;
                add_attributes(client_transform, jb)?;
                jb.close()?;
            }
            jb.close()?; // proposals
        }
        jb.close()?; // client

        // server data
        jb.open_object("server")?;
        if !state.ikev1_container.server.key_exchange.is_empty() {
            jb.set_string(
                "key_exchange_payload",
                &state.ikev1_container.server.key_exchange,
            )?;
            if let Ok(server_key_length) =
                u64::try_from(state.ikev1_container.server.key_exchange.len())
            {
                jb.set_uint("key_exchange_payload_length", server_key_length / 2)?;
            }
        }
        if !state.ikev1_container.server.nonce.is_empty() {
            jb.set_string("nonce_payload", &state.ikev1_container.server.nonce)?;
            if let Ok(server_nonce_length) = u64::try_from(state.ikev1_container.server.nonce.len())
            {
                jb.set_uint("nonce_payload_length", server_nonce_length / 2)?;
            }
        }
        jb.close()?; // server

        if !tx.hdr.ikev1_header.vendor_ids.is_empty() {
            jb.open_array("vendor_ids")?;
            for vendor in &tx.hdr.ikev1_header.vendor_ids {
                jb.append_string(vendor)?;
            }
            jb.close()?; // vendor_ids
        }
    }
    jb.close()?;

    return Ok(());
}

fn append_payload_type_extended(js: &mut JsonBuilder, pt: &u8) -> Result<(), JsonError> {
    if let Some(v) = IsakmpPayloadType::from_u8(*pt) {
        js.append_string(&format!("{:?}", v))?;
    }
    Ok(())
}

fn log_ikev2(tx: &IKETransaction, jb: &mut JsonBuilder) -> Result<(), JsonError> {
    jb.open_object("ikev2")?;

    jb.set_uint("errors", tx.errors as u64)?;
    if !tx.notify_types.is_empty() {
        jb.open_array("notify")?;
        for notify in tx.notify_types.iter() {
            jb.append_string(&format!("{:?}", notify))?;
        }
        jb.close()?;
    }
    jb.close()?;
    Ok(())
}

#[no_mangle]
pub unsafe extern "C" fn rs_ike_logger_log(
    state: &mut IKEState, tx: *mut std::os::raw::c_void, flags: u32, js: &mut JsonBuilder,
) -> bool {
    let tx = cast_pointer!(tx, IKETransaction);
    log_ike(state, tx, flags, js).is_ok()
}

Coverage Report

Created: 2026-01-16 07:00

Line	Count	Source
1		/* Copyright (C) 2020 Open Information Security Foundation
2		*
3		* You can copy, redistribute or modify this Program under the terms of
4		* the GNU General Public License version 2 as published by the Free
5		* Software Foundation.
6		*
7		* This program is distributed in the hope that it will be useful,
8		* but WITHOUT ANY WARRANTY; without even the implied warranty of
9		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10		* GNU General Public License for more details.
11		*
12		* You should have received a copy of the GNU General Public License
13		* version 2 along with this program; if not, write to the Free Software
14		* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15		* 02110-1301, USA.
16		*/
17
18		use super::ike::{IKEState, IKETransaction};
19		use super::ipsec_parser::IKEV2_FLAG_INITIATOR;
20		use crate::core::Direction;
21		use crate::ike::parser::{ExchangeType, IsakmpPayloadType, SaAttribute};
22		use crate::jsonbuilder::{JsonBuilder, JsonError};
23		use num_traits::FromPrimitive;
24		use std;
25		use std::collections::HashSet;
26		use std::convert::TryFrom;
27
28		const LOG_EXTENDED: u32 = 0x01;
29
30	2.56k	fn add_attributes(transform: &Vec<SaAttribute>, js: &mut JsonBuilder) -> Result<(), JsonError> {
31	2.56k	let mut logged: HashSet<String> = HashSet::new();
32
33	15.0k	for attribute in transform {
34	12.5k	let key = attribute.attribute_type.to_string();
35
36	12.5k	if logged.contains(&key) {
37	48	continue;
38	12.4k	}
39	12.4k	logged.insert(key.clone());
40
41	12.4k	js.set_string(
42	12.4k	&key,
43	12.4k	attribute.attribute_value.to_string().as_str(),
44	0	)?;
45
46	12.4k	if let Some(numeric_value) = attribute.numeric_value {
47	11.5k	js.set_uint(
48	11.5k	format!("{}_raw", attribute.attribute_type).as_str(),
49	11.5k	numeric_value as u64,
50	0	)?;
51	874	} else if let Some(hex_value) = &attribute.hex_value {
52	874	js.set_string(
53	874	format!("{}_raw", attribute.attribute_type).as_str(),
54	874	hex_value,
55	0	)?;
56	0	}
57		}
58
59	2.56k	return Ok(());
60	2.56k	}
61
62	9.74k	fn log_ike(
63	9.74k	state: &IKEState, tx: &IKETransaction, flags: u32, jb: &mut JsonBuilder,
64	9.74k	) -> Result<(), JsonError> {
65	9.74k	jb.open_object("ike")?;
66
67	9.74k	jb.set_uint("version_major", tx.hdr.maj_ver as u64)?;
68	9.74k	jb.set_uint("version_minor", tx.hdr.min_ver as u64)?;
69	9.74k	jb.set_string("init_spi", &tx.hdr.spi_initiator)?;
70	9.74k	jb.set_string("resp_spi", &tx.hdr.spi_responder)?;
71	9.74k	jb.set_uint("message_id", tx.hdr.msg_id as u64)?;
72
73	9.74k	if tx.ike_version == 1 {
74	6.82k	if let Some(exchange_type) = tx.hdr.ikev1_header.exchange_type {
75	6.82k	jb.set_uint("exchange_type", exchange_type as u64)?;
76	6.82k	if (flags & LOG_EXTENDED) == LOG_EXTENDED {
77	934	if let Some(etype) = ExchangeType::from_u8(exchange_type) {
78	802	jb.set_string("exchange_type_verbose", etype.to_string().as_str())?;
79	132	};
80	5.89k	}
81	0	}
82	2.91k	} else if tx.ike_version == 2 {
83	2.91k	jb.set_uint("exchange_type", tx.hdr.ikev2_header.exch_type.0 as u64)?;
84	0	}
85
86	9.74k	if tx.ike_version == 1 {
87	6.82k	if state.ikev1_container.server.nb_transforms > 0 {
88		// log the first transform as the chosen one
89	617	add_attributes(&state.ikev1_container.server.transform, jb)?;
90	6.21k	}
91	6.82k	if tx.direction == Direction::ToClient && tx.hdr.ikev1_transforms.len() > 1 {
92		// in case we have multiple server transforms log them in a list
93	3	jb.open_array("server_proposals")?;
94	9	for server_transform in &tx.hdr.ikev1_transforms {
95	6	jb.start_object()?;
96	6	add_attributes(server_transform, jb)?;
97	6	jb.close()?;
98		}
99	3	jb.close()?;
100	6.82k	}
101	2.91k	} else if tx.ike_version == 2 {
102	2.91k	if tx.hdr.flags & IKEV2_FLAG_INITIATOR != 0 {
103	172	jb.set_string("role", "initiator")?;
104		} else {
105	2.74k	jb.set_string("role", "responder")?;
106	2.74k	jb.set_string("alg_enc", &format!("{:?}", state.ikev2_container.alg_enc))?;
107	2.74k	jb.set_string("alg_auth", &format!("{:?}", state.ikev2_container.alg_auth))?;
108	2.74k	jb.set_string("alg_prf", &format!("{:?}", state.ikev2_container.alg_prf))?;
109	2.74k	jb.set_string("alg_dh", &format!("{:?}", state.ikev2_container.alg_dh))?;
110	2.74k	jb.set_string("alg_esn", &format!("{:?}", state.ikev2_container.alg_esn))?;
111		}
112	0	}
113
114		// payloads in packet
115	9.74k	jb.open_array("payload")?;
116	9.74k	if tx.ike_version == 1 {
117	6.82k	if let Some(payload_types) = &tx.payload_types.ikev1_payload_types {
118	23.8k	for pt in payload_types {
119	17.0k	append_payload_type_extended(jb, pt)?;
120		}
121	0	}
122	2.91k	} else if tx.ike_version == 2 {
123	2.91k	for payload in tx.payload_types.ikev2_payload_types.iter() {
124	12	jb.append_string(&format!("{:?}", payload))?;
125		}
126	0	}
127	9.74k	jb.close()?;
128
129	9.74k	if tx.ike_version == 1 {
130	6.82k	log_ikev1(state, tx, jb)?;
131	2.91k	} else if tx.ike_version == 2 {
132	2.91k	log_ikev2(tx, jb)?;
133	0	}
134	9.74k	jb.close()?;
135	9.74k	return Ok(());
136	9.74k	}
137
138	6.82k	fn log_ikev1(state: &IKEState, tx: &IKETransaction, jb: &mut JsonBuilder) -> Result<(), JsonError> {
139	6.82k	jb.open_object("ikev1")?;
140
141	6.82k	if let Some(doi) = state.ikev1_container.domain_of_interpretation {
142	3.44k	jb.set_uint("doi", doi as u64)?;
143	3.38k	}
144	6.82k	jb.set_bool("encrypted_payloads", tx.hdr.ikev1_header.encrypted_payloads)?;
145
146	6.82k	if !tx.hdr.ikev1_header.encrypted_payloads {
147		// enable logging of collected state if not-encrypted payloads
148
149		// client data
150	5.39k	jb.open_object("client")?;
151	5.39k	if !state.ikev1_container.client.key_exchange.is_empty() {
152	590	jb.set_string(
153	590	"key_exchange_payload",
154	590	&state.ikev1_container.client.key_exchange,
155	0	)?;
156	590	if let Ok(client_key_length) =
157	590	u64::try_from(state.ikev1_container.client.key_exchange.len())
158		{
159	590	jb.set_uint("key_exchange_payload_length", client_key_length / 2)?;
160	0	}
161	4.80k	}
162	5.39k	if !state.ikev1_container.client.nonce.is_empty() {
163	512	jb.set_string("nonce_payload", &state.ikev1_container.client.nonce)?;
164	512	if let Ok(client_nonce_length) = u64::try_from(state.ikev1_container.client.nonce.len())
165		{
166	512	jb.set_uint("nonce_payload_length", client_nonce_length / 2)?;
167	0	}
168	4.88k	}
169
170	5.39k	if tx.direction == Direction::ToServer && !tx.hdr.ikev1_transforms.is_empty() {
171	1.94k	jb.open_array("proposals")?;
172	3.89k	for client_transform in &tx.hdr.ikev1_transforms {
173	1.94k	jb.start_object()?;
174	1.94k	add_attributes(client_transform, jb)?;
175	1.94k	jb.close()?;
176		}
177	1.94k	jb.close()?; // proposals
178	3.44k	}
179	5.39k	jb.close()?; // client
180
181		// server data
182	5.39k	jb.open_object("server")?;
183	5.39k	if !state.ikev1_container.server.key_exchange.is_empty() {
184	1.50k	jb.set_string(
185	1.50k	"key_exchange_payload",
186	1.50k	&state.ikev1_container.server.key_exchange,
187	0	)?;
188	1.50k	if let Ok(server_key_length) =
189	1.50k	u64::try_from(state.ikev1_container.server.key_exchange.len())
190		{
191	1.50k	jb.set_uint("key_exchange_payload_length", server_key_length / 2)?;
192	0	}
193	3.88k	}
194	5.39k	if !state.ikev1_container.server.nonce.is_empty() {
195	1.27k	jb.set_string("nonce_payload", &state.ikev1_container.server.nonce)?;
196	1.27k	if let Ok(server_nonce_length) = u64::try_from(state.ikev1_container.server.nonce.len())
197		{
198	1.27k	jb.set_uint("nonce_payload_length", server_nonce_length / 2)?;
199	0	}
200	4.12k	}
201	5.39k	jb.close()?; // server
202
203	5.39k	if !tx.hdr.ikev1_header.vendor_ids.is_empty() {
204	1.41k	jb.open_array("vendor_ids")?;
205	5.07k	for vendor in &tx.hdr.ikev1_header.vendor_ids {
206	3.66k	jb.append_string(vendor)?;
207		}
208	1.41k	jb.close()?; // vendor_ids
209	3.97k	}
210	1.43k	}
211	6.82k	jb.close()?;
212
213	6.82k	return Ok(());
214	6.82k	}
215
216	17.0k	fn append_payload_type_extended(js: &mut JsonBuilder, pt: &u8) -> Result<(), JsonError> {
217	17.0k	if let Some(v) = IsakmpPayloadType::from_u8(*pt) {
218	15.4k	js.append_string(&format!("{:?}", v))?;
219	1.55k	}
220	17.0k	Ok(())
221	17.0k	}
222
223	2.91k	fn log_ikev2(tx: &IKETransaction, jb: &mut JsonBuilder) -> Result<(), JsonError> {
224	2.91k	jb.open_object("ikev2")?;
225
226	2.91k	jb.set_uint("errors", tx.errors as u64)?;
227	2.91k	if !tx.notify_types.is_empty() {
228	0	jb.open_array("notify")?;
229	0	for notify in tx.notify_types.iter() {
230	0	jb.append_string(&format!("{:?}", notify))?;
231		}
232	0	jb.close()?;
233	2.91k	}
234	2.91k	jb.close()?;
235	2.91k	Ok(())
236	2.91k	}
237
238		#[no_mangle]
239	9.74k	pub unsafe extern "C" fn rs_ike_logger_log(
240	9.74k	state: &mut IKEState, tx: *mut std::os::raw::c_void, flags: u32, js: &mut JsonBuilder,
241	9.74k	) -> bool {
242	9.74k	let tx = cast_pointer!(tx, IKETransaction);
243	9.74k	log_ike(state, tx, flags, js).is_ok()
244	9.74k	}