/src/suricata7/rust/src/dhcp/dhcp.rs
Line | Count | Source |
1 | | /* Copyright (C) 2018-2021 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | use crate::applayer::{self, *}; |
19 | | use crate::core; |
20 | | use crate::core::{ALPROTO_UNKNOWN, AppProto, Flow, IPPROTO_UDP}; |
21 | | use crate::dhcp::parser::*; |
22 | | use std; |
23 | | use std::ffi::CString; |
24 | | |
25 | | static mut ALPROTO_DHCP: AppProto = ALPROTO_UNKNOWN; |
26 | | |
27 | | static DHCP_MIN_FRAME_LEN: u32 = 232; |
28 | | |
29 | | pub const BOOTP_REQUEST: u8 = 1; |
30 | | pub const BOOTP_REPLY: u8 = 2; |
31 | | |
32 | | // DHCP option types. Names based on IANA naming: |
33 | | // https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml |
34 | | pub const DHCP_OPT_SUBNET_MASK: u8 = 1; |
35 | | pub const DHCP_OPT_ROUTERS: u8 = 3; |
36 | | pub const DHCP_OPT_DNS_SERVER: u8 = 6; |
37 | | pub const DHCP_OPT_HOSTNAME: u8 = 12; |
38 | | pub const DHCP_OPT_REQUESTED_IP: u8 = 50; |
39 | | pub const DHCP_OPT_ADDRESS_TIME: u8 = 51; |
40 | | pub const DHCP_OPT_TYPE: u8 = 53; |
41 | | //unused pub const DHCP_OPT_SERVER_ID: u8 = 54; |
42 | | pub const DHCP_OPT_PARAMETER_LIST: u8 = 55; |
43 | | pub const DHCP_OPT_RENEWAL_TIME: u8 = 58; |
44 | | pub const DHCP_OPT_REBINDING_TIME: u8 = 59; |
45 | | pub const DHCP_OPT_VENDOR_CLASS_ID: u8 = 60; |
46 | | pub const DHCP_OPT_CLIENT_ID: u8 = 61; |
47 | | pub const DHCP_OPT_END: u8 = 255; |
48 | | |
49 | | /// DHCP message types. |
50 | | pub const DHCP_TYPE_DISCOVER: u8 = 1; |
51 | | pub const DHCP_TYPE_OFFER: u8 = 2; |
52 | | pub const DHCP_TYPE_REQUEST: u8 = 3; |
53 | | pub const DHCP_TYPE_DECLINE: u8 = 4; |
54 | | pub const DHCP_TYPE_ACK: u8 = 5; |
55 | | pub const DHCP_TYPE_NAK: u8 = 6; |
56 | | pub const DHCP_TYPE_RELEASE: u8 = 7; |
57 | | pub const DHCP_TYPE_INFORM: u8 = 8; |
58 | | |
59 | | // DHCP parameter types. |
60 | | // https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.txt |
61 | | pub const DHCP_PARAM_SUBNET_MASK: u8 = 1; |
62 | | pub const DHCP_PARAM_ROUTER: u8 = 3; |
63 | | pub const DHCP_PARAM_DNS_SERVER: u8 = 6; |
64 | | pub const DHCP_PARAM_DOMAIN: u8 = 15; |
65 | | pub const DHCP_PARAM_ARP_TIMEOUT: u8 = 35; |
66 | | pub const DHCP_PARAM_NTP_SERVER: u8 = 42; |
67 | | pub const DHCP_PARAM_TFTP_SERVER_NAME: u8 = 66; |
68 | | pub const DHCP_PARAM_TFTP_SERVER_IP: u8 = 150; |
69 | | |
70 | | #[derive(AppLayerEvent)] |
71 | | pub enum DHCPEvent { |
72 | | TruncatedOptions, |
73 | | MalformedOptions, |
74 | | } |
75 | | |
76 | | /// The concept of a transaction is more to satisfy the Suricata |
77 | | /// app-layer. This DHCP parser is actually stateless where each |
78 | | /// message is its own transaction. |
79 | | pub struct DHCPTransaction { |
80 | | tx_id: u64, |
81 | | pub message: DHCPMessage, |
82 | | tx_data: applayer::AppLayerTxData, |
83 | | } |
84 | | |
85 | | impl DHCPTransaction { |
86 | 33.9k | pub fn new(id: u64, message: DHCPMessage) -> DHCPTransaction { |
87 | 33.9k | DHCPTransaction { |
88 | 33.9k | tx_id: id, |
89 | 33.9k | message, |
90 | 33.9k | tx_data: applayer::AppLayerTxData::new(), |
91 | 33.9k | } |
92 | 33.9k | } |
93 | | } |
94 | | |
95 | | impl Transaction for DHCPTransaction { |
96 | 304k | fn id(&self) -> u64 { |
97 | 304k | self.tx_id |
98 | 304k | } |
99 | | } |
100 | | |
101 | | #[derive(Default)] |
102 | | pub struct DHCPState { |
103 | | state_data: AppLayerStateData, |
104 | | |
105 | | // Internal transaction ID. |
106 | | tx_id: u64, |
107 | | |
108 | | // List of transactions. |
109 | | transactions: Vec<DHCPTransaction>, |
110 | | |
111 | | events: u16, |
112 | | } |
113 | | |
114 | | impl State<DHCPTransaction> for DHCPState { |
115 | 86.7k | fn get_transaction_count(&self) -> usize { |
116 | 86.7k | self.transactions.len() |
117 | 86.7k | } |
118 | | |
119 | 217k | fn get_transaction_by_index(&self, index: usize) -> Option<&DHCPTransaction> { |
120 | 217k | self.transactions.get(index) |
121 | 217k | } |
122 | | } |
123 | | |
124 | | impl DHCPState { |
125 | 2.22k | pub fn new() -> Self { |
126 | 2.22k | Default::default() |
127 | 2.22k | } |
128 | | |
129 | 34.2k | pub fn parse(&mut self, input: &[u8]) -> bool { |
130 | 34.2k | match dhcp_parse(input) { |
131 | 33.9k | Ok((_, message)) => { |
132 | 33.9k | let malformed_options = message.malformed_options; |
133 | 33.9k | let truncated_options = message.truncated_options; |
134 | 33.9k | self.tx_id += 1; |
135 | 33.9k | let transaction = DHCPTransaction::new(self.tx_id, message); |
136 | 33.9k | self.transactions.push(transaction); |
137 | 33.9k | if malformed_options { |
138 | 0 | self.set_event(DHCPEvent::MalformedOptions); |
139 | 33.9k | } |
140 | 33.9k | if truncated_options { |
141 | 28.3k | self.set_event(DHCPEvent::TruncatedOptions); |
142 | 28.3k | } |
143 | 33.9k | return true; |
144 | | } |
145 | | _ => { |
146 | 314 | return false; |
147 | | } |
148 | | } |
149 | 34.2k | } |
150 | | |
151 | 575 | pub fn get_tx(&mut self, tx_id: u64) -> Option<&DHCPTransaction> { |
152 | 4.10k | self.transactions.iter().find(|tx| tx.tx_id == tx_id + 1) |
153 | 575 | } |
154 | | |
155 | 29.6k | fn free_tx(&mut self, tx_id: u64) { |
156 | 29.6k | let len = self.transactions.len(); |
157 | 29.6k | let mut found = false; |
158 | 29.6k | let mut index = 0; |
159 | 29.6k | for i in 0..len { |
160 | 29.6k | let tx = &self.transactions[i]; |
161 | 29.6k | if tx.tx_id == tx_id + 1 { |
162 | 29.6k | found = true; |
163 | 29.6k | index = i; |
164 | 29.6k | break; |
165 | 0 | } |
166 | | } |
167 | 29.6k | if found { |
168 | 29.6k | self.transactions.remove(index); |
169 | 29.6k | } |
170 | 29.6k | } |
171 | | |
172 | 28.3k | fn set_event(&mut self, event: DHCPEvent) { |
173 | 28.3k | if let Some(tx) = self.transactions.last_mut() { |
174 | 28.3k | tx.tx_data.set_event(event as u8); |
175 | 28.3k | self.events += 1; |
176 | 28.3k | } |
177 | 28.3k | } |
178 | | } |
179 | | |
180 | | #[no_mangle] |
181 | 969 | pub unsafe extern "C" fn rs_dhcp_probing_parser(_flow: *const Flow, |
182 | 969 | _direction: u8, |
183 | 969 | input: *const u8, |
184 | 969 | input_len: u32, |
185 | 969 | _rdir: *mut u8) -> AppProto |
186 | | { |
187 | 969 | if input_len < DHCP_MIN_FRAME_LEN || input.is_null() { |
188 | 14 | return ALPROTO_UNKNOWN; |
189 | 955 | } |
190 | | |
191 | 955 | let slice = build_slice!(input, input_len as usize); |
192 | 955 | match parse_header(slice) { |
193 | | Ok((_, _)) => { |
194 | 951 | return ALPROTO_DHCP; |
195 | | } |
196 | | _ => { |
197 | 4 | return ALPROTO_UNKNOWN; |
198 | | } |
199 | | } |
200 | 969 | } |
201 | | |
202 | | #[no_mangle] |
203 | 169k | pub extern "C" fn rs_dhcp_tx_get_alstate_progress(_tx: *mut std::os::raw::c_void, |
204 | 169k | _direction: u8) -> std::os::raw::c_int { |
205 | | // As this is a stateless parser, simply use 1. |
206 | 169k | return 1; |
207 | 169k | } |
208 | | |
209 | | #[no_mangle] |
210 | 575 | pub unsafe extern "C" fn rs_dhcp_state_get_tx(state: *mut std::os::raw::c_void, |
211 | 575 | tx_id: u64) -> *mut std::os::raw::c_void { |
212 | 575 | let state = cast_pointer!(state, DHCPState); |
213 | 575 | match state.get_tx(tx_id) { |
214 | 575 | Some(tx) => { |
215 | 575 | return tx as *const _ as *mut _; |
216 | | } |
217 | | None => { |
218 | 0 | return std::ptr::null_mut(); |
219 | | } |
220 | | } |
221 | 575 | } |
222 | | |
223 | | #[no_mangle] |
224 | 109k | pub unsafe extern "C" fn rs_dhcp_state_get_tx_count(state: *mut std::os::raw::c_void) -> u64 { |
225 | 109k | let state = cast_pointer!(state, DHCPState); |
226 | 109k | return state.tx_id; |
227 | 109k | } |
228 | | |
229 | | #[no_mangle] |
230 | 34.2k | pub unsafe extern "C" fn rs_dhcp_parse(_flow: *const core::Flow, |
231 | 34.2k | state: *mut std::os::raw::c_void, |
232 | 34.2k | _pstate: *mut std::os::raw::c_void, |
233 | 34.2k | stream_slice: StreamSlice, |
234 | 34.2k | _data: *const std::os::raw::c_void, |
235 | 34.2k | ) -> AppLayerResult { |
236 | 34.2k | let state = cast_pointer!(state, DHCPState); |
237 | 34.2k | if state.parse(stream_slice.as_slice()) { |
238 | 33.9k | return AppLayerResult::ok(); |
239 | 314 | } |
240 | 314 | return AppLayerResult::err(); |
241 | 34.2k | } |
242 | | |
243 | | #[no_mangle] |
244 | 29.6k | pub unsafe extern "C" fn rs_dhcp_state_tx_free( |
245 | 29.6k | state: *mut std::os::raw::c_void, |
246 | 29.6k | tx_id: u64) |
247 | | { |
248 | 29.6k | let state = cast_pointer!(state, DHCPState); |
249 | 29.6k | state.free_tx(tx_id); |
250 | 29.6k | } |
251 | | |
252 | | #[no_mangle] |
253 | 2.22k | pub extern "C" fn rs_dhcp_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void { |
254 | 2.22k | let state = DHCPState::new(); |
255 | 2.22k | let boxed = Box::new(state); |
256 | 2.22k | return Box::into_raw(boxed) as *mut _; |
257 | 2.22k | } |
258 | | |
259 | | #[no_mangle] |
260 | 2.22k | pub unsafe extern "C" fn rs_dhcp_state_free(state: *mut std::os::raw::c_void) { |
261 | 2.22k | std::mem::drop(Box::from_raw(state as *mut DHCPState)); |
262 | 2.22k | } |
263 | | |
264 | | export_tx_data_get!(rs_dhcp_get_tx_data, DHCPTransaction); |
265 | | export_state_data_get!(rs_dhcp_get_state_data, DHCPState); |
266 | | |
267 | | const PARSER_NAME: &[u8] = b"dhcp\0"; |
268 | | |
269 | | #[no_mangle] |
270 | 34 | pub unsafe extern "C" fn rs_dhcp_register_parser() { |
271 | | SCLogDebug!("Registering DHCP parser."); |
272 | 34 | let ports = CString::new("[67,68]").unwrap(); |
273 | 34 | let parser = RustParser { |
274 | 34 | name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char, |
275 | 34 | default_port : ports.as_ptr(), |
276 | 34 | ipproto : IPPROTO_UDP, |
277 | 34 | probe_ts : Some(rs_dhcp_probing_parser), |
278 | 34 | probe_tc : Some(rs_dhcp_probing_parser), |
279 | 34 | min_depth : 0, |
280 | 34 | max_depth : 16, |
281 | 34 | state_new : rs_dhcp_state_new, |
282 | 34 | state_free : rs_dhcp_state_free, |
283 | 34 | tx_free : rs_dhcp_state_tx_free, |
284 | 34 | parse_ts : rs_dhcp_parse, |
285 | 34 | parse_tc : rs_dhcp_parse, |
286 | 34 | get_tx_count : rs_dhcp_state_get_tx_count, |
287 | 34 | get_tx : rs_dhcp_state_get_tx, |
288 | 34 | tx_comp_st_ts : 1, |
289 | 34 | tx_comp_st_tc : 1, |
290 | 34 | tx_get_progress : rs_dhcp_tx_get_alstate_progress, |
291 | 34 | get_eventinfo : Some(DHCPEvent::get_event_info), |
292 | 34 | get_eventinfo_byid : Some(DHCPEvent::get_event_info_by_id), |
293 | 34 | localstorage_new : None, |
294 | 34 | localstorage_free : None, |
295 | 34 | get_tx_files : None, |
296 | 34 | get_tx_iterator : Some(applayer::state_get_tx_iterator::<DHCPState, DHCPTransaction>), |
297 | 34 | get_tx_data : rs_dhcp_get_tx_data, |
298 | 34 | get_state_data : rs_dhcp_get_state_data, |
299 | 34 | apply_tx_config : None, |
300 | 34 | flags : 0, |
301 | 34 | truncate : None, |
302 | 34 | get_frame_id_by_name: None, |
303 | 34 | get_frame_name_by_id: None, |
304 | 34 | }; |
305 | | |
306 | 34 | let ip_proto_str = CString::new("udp").unwrap(); |
307 | | |
308 | 34 | if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { |
309 | 34 | let alproto = AppLayerRegisterProtocolDetection(&parser, 1); |
310 | 34 | ALPROTO_DHCP = alproto; |
311 | 34 | if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 { |
312 | 34 | let _ = AppLayerRegisterParser(&parser, alproto); |
313 | 34 | } |
314 | 0 | } else { |
315 | 0 | SCLogDebug!("Protocol detector and parser disabled for DHCP."); |
316 | 0 | } |
317 | 34 | } |