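/* Copyright (C) 2007-2020 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * Public interface of the app layer parser: parser state flags, the
 * result values a protocol parser returns, the registration functions
 * through which a protocol supplies its callbacks, and the accessors
 * used to reach per-flow / per-transaction data.
 *
 * \author Victor Julien <victor@inliniac.net>
 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
 */

#ifndef __APP_LAYER_PARSER_H__
#define __APP_LAYER_PARSER_H__

#include "app-layer-events.h"
#include "detect-engine-state.h"
#include "util-file.h"
#include "stream-tcp-private.h"
#include "rust.h"
#include "util-config.h"

/* Flags for AppLayerParserState.
 *
 * NOTE(review): judging by their names, NO_INSPECTION, NO_REASSEMBLY,
 * NO_INSPECTION_PAYLOAD and BYPASS_READY reduce how much of a flow is
 * examined. Their exact effect is defined by the implementation, not by
 * this header; call sites that set them decide detection coverage and
 * deserve review. */
// flag available BIT_U8(0)
#define APP_LAYER_PARSER_NO_INSPECTION          BIT_U8(1)
#define APP_LAYER_PARSER_NO_REASSEMBLY          BIT_U8(2)
#define APP_LAYER_PARSER_NO_INSPECTION_PAYLOAD  BIT_U8(3)
#define APP_LAYER_PARSER_BYPASS_READY           BIT_U8(4)
#define APP_LAYER_PARSER_EOF_TS                 BIT_U8(5)
#define APP_LAYER_PARSER_EOF_TC                 BIT_U8(6)

/* Flags for AppLayerParserProtoCtx. */
#define APP_LAYER_PARSER_OPT_ACCEPT_GAPS        BIT_U32(0)
#define APP_LAYER_PARSER_OPT_UNIDIR_TXS         BIT_U32(1)

/* NOTE(review): separate 32-bit flag space from the OPT_* flags above
 * (both start at bit 0); which field it applies to is not visible in
 * this header -- confirm against the implementation. */
#define APP_LAYER_PARSER_INT_STREAM_DEPTH_SET   BIT_U32(0)

/* applies to DetectFlags uint64_t field */

/** is tx fully inspected? */
#define APP_LAYER_TX_INSPECTED_FLAG             BIT_U64(63)
/** other 63 bits are for tracking which prefilter engine is already
 *  completely inspected.
 *  The expansion is parenthesized so the mask stays a single operand
 *  wherever the macro is used. */
#define APP_LAYER_TX_PREFILTER_MASK             (~APP_LAYER_TX_INSPECTED_FLAG)

/** parser has successfully processed the input, and has consumed
 *  all of it. */
#define APP_LAYER_OK (AppLayerResult) { 0, 0, 0 }

/** parser has hit an unrecoverable error. Returning this to the API
 *  leads to no further calls to the parser. */
#define APP_LAYER_ERROR (AppLayerResult) { -1, 0, 0 }

/** parser needs more data. Through 'c' it will indicate how many
 *  of the input bytes it has consumed. Through 'n' it will indicate
 *  how many more bytes it needs before getting called again.
 *  \note consumed (c) should never be more than the input len;
 *        needed (n) + consumed (c) should be more than the input len.
 *
 *  NOTE(review): both values are computed by the protocol parser from
 *  the input it was handed. Whether the caller validates them against
 *  the input length is not visible in this header -- confirm in the
 *  implementation of AppLayerParserParse().
 */
#define APP_LAYER_INCOMPLETE(c,n) (AppLayerResult) { 1, (c), (n) }

int AppLayerParserProtoIsRegistered(uint8_t ipproto, AppProto alproto);

/***** transaction handling *****/

int AppLayerParserSetup(void);
void AppLayerParserPostStreamSetup(void);
int AppLayerParserDeSetup(void);

typedef struct AppLayerParserThreadCtx_ AppLayerParserThreadCtx;

/**
 * \brief Gets a new app layer protocol's parser thread context.
 *
 * \retval Non-NULL pointer on success.
 *         NULL pointer on failure.
 */
AppLayerParserThreadCtx *AppLayerParserThreadCtxAlloc(void);

/**
 * \brief Destroys the app layer parser thread context obtained
 *        using AppLayerParserThreadCtxAlloc().
 *
 * \param tctx Pointer to the thread context to be destroyed.
 */
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx);

/**
 * \brief Given a protocol name, checks if the parser is enabled in
 *        the conf file.
 *
 * \param ipproto      IP protocol, passed as a string (presumably the
 *                     name used in the conf file -- confirm).
 * \param alproto_name Name of the app layer protocol.
 *
 * \retval 1 If enabled.
 * \retval 0 If disabled.
 */
int AppLayerParserConfParserEnabled(const char *ipproto,
                                    const char *alproto_name);

/**
 * \brief Prototype for parsing functions
 *
 * \param f              Flow the input belongs to.
 * \param protocol_state Protocol state, passed as an opaque pointer.
 * \param pstate         Parser state.
 * \param buf            Input to parse; read-only for the parser.
 * \param buf_len        Length of buf (presumably in bytes).
 * \param local_storage  Opaque pointer; presumably what the registered
 *                       LocalStorageAlloc callback returned -- confirm.
 * \param flags          Flags for this call; meaning not defined here.
 *
 * \retval APP_LAYER_OK, APP_LAYER_ERROR or APP_LAYER_INCOMPLETE(c,n),
 *         see the macros above.
 *
 * NOTE(review): buf is presumably derived from network traffic, so an
 * implementation has to bound every read by buf_len and keep the
 * APP_LAYER_INCOMPLETE constraints on c and n.
 */
typedef AppLayerResult (*AppLayerParserFPtr)(Flow *f, void *protocol_state,
        AppLayerParserState *pstate,
        const uint8_t *buf, uint32_t buf_len,
        void *local_storage, const uint8_t flags);

/** \brief State handed to a tx iterator: one slot that holds either a
 *         pointer or a 64-bit integer (the two share storage). */
typedef struct AppLayerGetTxIterState {
    union {
        void *ptr;
        uint64_t u64;
    } un;
} AppLayerGetTxIterState;

/** \brief tx iterator prototype */
typedef AppLayerGetTxIterTuple (*AppLayerGetTxIteratorFunc)
       (const uint8_t ipproto, const AppProto alproto,
        void *alstate, uint64_t min_tx_id, uint64_t max_tx_id,
        AppLayerGetTxIterState *state);

/***** Parser related registration *****/

/**
 * \brief Register app layer parser for the protocol.
 *
 * \retval 0 On success.
 * \retval -1 On failure.
 */
int AppLayerParserRegisterParser(uint8_t ipproto, AppProto alproto,
                      uint8_t direction,
                      AppLayerParserFPtr Parser);
void AppLayerParserRegisterParserAcceptableDataDirection(uint8_t ipproto,
                                              AppProto alproto,
                                              uint8_t direction);
void AppLayerParserRegisterOptionFlags(uint8_t ipproto, AppProto alproto,
        uint32_t flags);
void AppLayerParserRegisterStateFuncs(uint8_t ipproto, AppProto alproto,
        void *(*StateAlloc)(void *, AppProto), void (*StateFree)(void *));
void AppLayerParserRegisterLocalStorageFunc(uint8_t ipproto, AppProto proto,
                                 void *(*LocalStorageAlloc)(void),
                                 void (*LocalStorageFree)(void *));
void AppLayerParserRegisterGetFilesFunc(uint8_t ipproto, AppProto alproto,
                             FileContainer *(*StateGetFiles)(void *, uint8_t));
void AppLayerParserRegisterGetEventsFunc(uint8_t ipproto, AppProto proto,
    AppLayerDecoderEvents *(*StateGetEvents)(void *) __attribute__((nonnull)));
void AppLayerParserRegisterLoggerFuncs(uint8_t ipproto, AppProto alproto,
                         LoggerId (*StateGetTxLogged)(void *, void *),
                         void (*StateSetTxLogged)(void *, void *, LoggerId));
void AppLayerParserRegisterLogger(uint8_t ipproto, AppProto alproto);
void AppLayerParserRegisterLoggerBits(uint8_t ipproto, AppProto alproto, LoggerId bits);
void AppLayerParserRegisterTruncateFunc(uint8_t ipproto, AppProto alproto,
                             void (*Truncate)(void *, uint8_t));
void AppLayerParserRegisterGetStateProgressFunc(uint8_t ipproto, AppProto alproto,
    int (*StateGetStateProgress)(void *alstate, uint8_t direction));
void AppLayerParserRegisterTxFreeFunc(uint8_t ipproto, AppProto alproto,
                           void (*StateTransactionFree)(void *, uint64_t));
void AppLayerParserRegisterGetTxCnt(uint8_t ipproto, AppProto alproto,
                         uint64_t (*StateGetTxCnt)(void *alstate));
/* The callback is spelled as a pointer to function, like every other
 * callback parameter in this header. A parameter of function type is
 * adjusted to this pointer type anyway, so the declaration stays
 * compatible with its definition. */
void AppLayerParserRegisterGetTx(uint8_t ipproto, AppProto alproto,
                      void *(*StateGetTx)(void *alstate, uint64_t tx_id));
void AppLayerParserRegisterGetTxIterator(uint8_t ipproto, AppProto alproto,
                      AppLayerGetTxIteratorFunc Func);
void AppLayerParserRegisterGetStateProgressCompletionStatus(AppProto alproto,
    int (*StateGetStateProgressCompletionStatus)(uint8_t direction));
void AppLayerParserRegisterGetEventInfo(uint8_t ipproto, AppProto alproto,
    int (*StateGetEventInfo)(const char *event_name, int *event_id,
                             AppLayerEventType *event_type));
void AppLayerParserRegisterGetEventInfoById(uint8_t ipproto, AppProto alproto,
    int (*StateGetEventInfoById)(int event_id, const char **event_name,
                                 AppLayerEventType *event_type));
void AppLayerParserRegisterDetectStateFuncs(uint8_t ipproto, AppProto alproto,
        DetectEngineState *(*GetTxDetectState)(void *tx),
        int (*SetTxDetectState)(void *tx, DetectEngineState *));
void AppLayerParserRegisterGetStreamDepth(uint8_t ipproto,
                                          AppProto alproto,
                                          uint32_t (*GetStreamDepth)(void));
void AppLayerParserRegisterSetStreamDepthFlag(uint8_t ipproto, AppProto alproto,
        void (*SetStreamDepthFlag)(void *tx, uint8_t flags));

void AppLayerParserRegisterTxDataFunc(uint8_t ipproto, AppProto alproto,
        AppLayerTxData *(*GetTxData)(void *tx));
/* NOTE(review): the callback takes 'int mode' while
 * AppLayerParserApplyTxConfig() below takes 'enum ConfigAction mode';
 * confirm the two are meant to carry the same values. */
void AppLayerParserRegisterApplyTxConfigFunc(uint8_t ipproto, AppProto alproto,
        bool (*ApplyTxConfig)(void *state, void *tx, int mode, AppLayerTxConfig));

/***** Get and transaction functions *****/

/* NOTE(review): the first parameter is named protomap here, not ipproto
 * as in the other accessors -- confirm which value callers must pass. */
uint32_t AppLayerParserGetOptionFlags(uint8_t protomap, AppProto alproto);
AppLayerGetTxIteratorFunc AppLayerGetTxIterator(const uint8_t ipproto,
         const AppProto alproto);

void *AppLayerParserGetProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto);
void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto alproto,
                                          void *local_data);

uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id);

uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);
void AppLayerParserSetTransactionInspectId(const Flow *f, AppLayerParserState *pstate,
                                void *alstate, const uint8_t flags, bool tag_txs_as_inspected);

AppLayerDecoderEvents *AppLayerParserGetDecoderEvents(AppLayerParserState *pstate);
void AppLayerParserSetDecoderEvents(AppLayerParserState *pstate, AppLayerDecoderEvents *devents);
AppLayerDecoderEvents *AppLayerParserGetEventsByTx(uint8_t ipproto, AppProto alproto, void *tx);
FileContainer *AppLayerParserGetFiles(const Flow *f, const uint8_t direction);
int AppLayerParserGetStateProgress(uint8_t ipproto, AppProto alproto,
                        void *alstate, uint8_t direction);
uint64_t AppLayerParserGetTxCnt(const Flow *, void *alstate);
void *AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id);
int AppLayerParserGetStateProgressCompletionStatus(AppProto alproto, uint8_t direction);
int AppLayerParserGetEventInfo(uint8_t ipproto, AppProto alproto, const char *event_name,
                    int *event_id, AppLayerEventType *event_type);
int AppLayerParserGetEventInfoById(uint8_t ipproto, AppProto alproto, int event_id,
                    const char **event_name, AppLayerEventType *event_type);

uint64_t AppLayerParserGetTransactionActive(const Flow *f, AppLayerParserState *pstate, uint8_t direction);

uint8_t AppLayerParserGetFirstDataDir(uint8_t ipproto, AppProto alproto);

int AppLayerParserSupportsFiles(uint8_t ipproto, AppProto alproto);
int AppLayerParserSupportsTxDetectState(uint8_t ipproto, AppProto alproto);
int AppLayerParserHasTxDetectState(uint8_t ipproto, AppProto alproto, void *alstate);
DetectEngineState *AppLayerParserGetTxDetectState(uint8_t ipproto, AppProto alproto, void *tx);
int AppLayerParserSetTxDetectState(const Flow *f, void *tx, DetectEngineState *s);

bool AppLayerParserSupportsTxDetectFlags(AppProto alproto);

AppLayerTxData *AppLayerParserGetTxData(uint8_t ipproto, AppProto alproto, void *tx);
void AppLayerParserApplyTxConfig(uint8_t ipproto, AppProto alproto,
        void *state, void *tx, enum ConfigAction mode, AppLayerTxConfig);

/***** General *****/

/**
 * \brief Entry point that hands input for a flow to the app layer parser.
 *
 * \param input     Data to parse; read-only.
 * \param input_len Length of input (presumably in bytes).
 *
 * The meaning of the return value is not documented in this header;
 * see the implementation.
 */
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *tctx, Flow *f, AppProto alproto,
                   uint8_t flags, const uint8_t *input, uint32_t input_len);
void AppLayerParserSetEOF(AppLayerParserState *pstate);
bool AppLayerParserHasDecoderEvents(AppLayerParserState *pstate);
int AppLayerParserProtocolIsTxEventAware(uint8_t ipproto, AppProto alproto);
int AppLayerParserProtocolHasLogger(uint8_t ipproto, AppProto alproto);
LoggerId AppLayerParserProtocolGetLoggerBits(uint8_t ipproto, AppProto alproto);
void AppLayerParserTriggerRawStreamReassembly(Flow *f, int direction);
void AppLayerParserSetStreamDepth(uint8_t ipproto, AppProto alproto, uint32_t stream_depth);
uint32_t AppLayerParserGetStreamDepth(const Flow *f);
void AppLayerParserSetStreamDepthFlag(uint8_t ipproto, AppProto alproto, void *state, uint64_t tx_id, uint8_t flags);
int AppLayerParserIsEnabled(AppProto alproto);

/***** Cleanup *****/

void AppLayerParserStateProtoCleanup(
        uint8_t protomap, AppProto alproto, void *alstate, AppLayerParserState *pstate);
void AppLayerParserStateCleanup(const Flow *f, void *alstate, AppLayerParserState *pstate);

void AppLayerParserRegisterProtocolParsers(void);

/* Set / test one of the APP_LAYER_PARSER_* state flags defined at the
 * top of this header (both take the flag as a uint8_t). */
void AppLayerParserStateSetFlag(AppLayerParserState *pstate, uint8_t flag);
int AppLayerParserStateIssetFlag(AppLayerParserState *pstate, uint8_t flag);

void AppLayerParserStreamTruncated(uint8_t ipproto, AppProto alproto, void *alstate,
                        uint8_t direction);

AppLayerParserState *AppLayerParserStateAlloc(void);
void AppLayerParserStateFree(AppLayerParserState *pstate);

void AppLayerParserTransactionsCleanup(Flow *f);

#ifdef DEBUG
void AppLayerParserStatePrintDetails(AppLayerParserState *pstate);
#endif

/***** Unittests *****/

#ifdef UNITTESTS
void AppLayerParserRegisterProtocolUnittests(uint8_t ipproto, AppProto alproto,
                                  void (*RegisterUnittests)(void));
void AppLayerParserRegisterUnittests(void);
void AppLayerParserBackupParserTable(void);
void AppLayerParserRestoreParserTable(void);
void UTHAppLayerParserStateGetIds(void *ptr, uint64_t *i1, uint64_t *i2, uint64_t *log, uint64_t *min);
#endif

#endif /* __APP_LAYER_PARSER_H__ */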