detect/ike: move ike.key_exchange_payload_length keyword to rust

Ticket: 8310
2 months ago · e85bf5be4d
parent 841fe44f34
commit e85bf5be4d
6 changed files with 71 additions and 200 deletions
--- a/rust/src/ike/detect.rs
+++ b/rust/src/ike/detect.rs
@ -20,9 +20,13 @@
 use super::ike::ALPROTO_IKE;
 use super::ipsec_parser::IkeV2Transform;
 use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER};
-use crate::detect::uint::{detect_match_uint, DetectUintData, SCDetectU8Free, SCDetectU8Parse};
+use crate::detect::uint::{
+    detect_match_uint, DetectUintData, SCDetectU32Free, SCDetectU32Parse, SCDetectU8Free,
+    SCDetectU8Parse,
+};
 use crate::detect::{
-    helper_keyword_register_sticky_buffer, SigTableElmtStickyBuffer, SIGMATCH_INFO_UINT8,
+    helper_keyword_register_sticky_buffer, SigTableElmtStickyBuffer, SIGMATCH_INFO_UINT32,
+    SIGMATCH_INFO_UINT8,
 };
 use crate::ike::ike::*;
 use std::ffi::CStr;
@ -31,7 +35,8 @@ use std::ptr;
 use suricata_sys::sys::{
    DetectEngineCtx, DetectEngineThreadCtx, SCDetectBufferSetActiveList,
    SCDetectHelperBufferMpmRegister, SCDetectHelperBufferRegister, SCDetectHelperKeywordRegister,
-    SCDetectSignatureSetAppProto, SCSigMatchAppendSMToList, SCSigTableAppLiteElmt, Signature,
+    SCDetectSignatureSetAppProto, SCSigMatchAppendSMToList, SCSigTableAppLiteElmt, SigMatchCtx,
+    Signature,
 };

 #[no_mangle]
@ -169,21 +174,6 @@ pub extern "C" fn SCIkeStateGetSaAttribute(
    return ret_code;
 }

-#[no_mangle]
-pub unsafe extern "C" fn SCIkeStateGetKeyExchangePayloadLength(
-    tx: &IKETransaction, value: *mut u32,
-) -> u8 {
-    debug_validate_bug_on!(value.is_null());
-
-    if tx.ike_version == 1 && !tx.hdr.ikev1_header.key_exchange.is_empty() {
-        *value = tx.hdr.ikev1_header.key_exchange.len() as u32;
-        return 1;
-    }
-
-    *value = 0;
-    return 0;
-}
-
 #[no_mangle]
 pub unsafe extern "C" fn SCIkeStateGetNoncePayloadLength(
    tx: &IKETransaction, value: *mut u32,
@ -231,7 +221,7 @@ unsafe extern "C" fn ike_detect_exchtype_setup(
        de,
        s,
        G_IKE_EXCHTYPE_KW_ID,
-        ctx as *mut suricata_sys::sys::SigMatchCtx,
+        ctx as *mut SigMatchCtx,
        G_IKE_EXCHTYPE_BUFFER_ID,
    )
    .is_null()
@ -244,7 +234,7 @@ unsafe extern "C" fn ike_detect_exchtype_setup(

 unsafe extern "C" fn ike_detect_exchtype_match(
    _de: *mut DetectEngineThreadCtx, _f: *mut crate::flow::Flow, _flags: u8, _state: *mut c_void,
-    tx: *mut c_void, _sig: *const Signature, ctx: *const suricata_sys::sys::SigMatchCtx,
+    tx: *mut c_void, _sig: *const Signature, ctx: *const SigMatchCtx,
 ) -> c_int {
    let tx = cast_pointer!(tx, IKETransaction);
    let ctx = cast_pointer!(ctx, DetectUintData<u8>);
@ -273,14 +263,58 @@ unsafe extern "C" fn ike_detect_exchtype_free(_de: *mut DetectEngineCtx, ctx: *m
    SCDetectU8Free(ctx);
 }

+unsafe extern "C" fn ike_detect_payload_len_setup(
+    de: *mut DetectEngineCtx, s: *mut Signature, raw: *const libc::c_char,
+) -> c_int {
+    if SCDetectSignatureSetAppProto(s, ALPROTO_IKE) != 0 {
+        return -1;
+    }
+    let ctx = SCDetectU32Parse(raw) as *mut c_void;
+    if ctx.is_null() {
+        return -1;
+    }
+    if SCSigMatchAppendSMToList(
+        de,
+        s,
+        G_IKE_PAYLOAD_LEN_KW_ID,
+        ctx as *mut SigMatchCtx,
+        G_IKE_PAYLOAD_LEN_BUFFER_ID,
+    )
+    .is_null()
+    {
+        ike_detect_payload_len_free(std::ptr::null_mut(), ctx);
+        return -1;
+    }
+    return 0;
+}
+
+unsafe extern "C" fn ike_detect_payload_len_match(
+    _de: *mut DetectEngineThreadCtx, _f: *mut crate::flow::Flow, _flags: u8, _state: *mut c_void,
+    tx: *mut c_void, _sig: *const Signature, ctx: *const SigMatchCtx,
+) -> c_int {
+    let tx = cast_pointer!(tx, IKETransaction);
+    let ctx = cast_pointer!(ctx, DetectUintData<u32>);
+    if tx.ike_version == 1 && !tx.hdr.ikev1_header.key_exchange.is_empty()
+        && detect_match_uint(ctx, tx.hdr.ikev1_header.key_exchange.len() as u32) {
+            return 1;
+        }
+    return 0;
+}
+
+unsafe extern "C" fn ike_detect_payload_len_free(_de: *mut DetectEngineCtx, ctx: *mut c_void) {
+    let ctx = cast_pointer!(ctx, DetectUintData<u32>);
+    SCDetectU32Free(ctx);
+}
+
 static mut G_IKE_SPI_INITIATOR_BUFFER_ID: c_int = 0;
 static mut G_IKE_SPI_RESPONDER_BUFFER_ID: c_int = 0;
 static mut G_IKE_EXCHTYPE_KW_ID: u16 = 0;
 static mut G_IKE_EXCHTYPE_BUFFER_ID: c_int = 0;
+static mut G_IKE_PAYLOAD_LEN_KW_ID: u16 = 0;
+static mut G_IKE_PAYLOAD_LEN_BUFFER_ID: c_int = 0;

 #[no_mangle]
 pub unsafe extern "C" fn SCDetectIkeRegister() {
-    // Inline registration for ike.exchtype keyword
    let kw = SCSigTableAppLiteElmt {
        name: b"ike.exchtype\0".as_ptr() as *const libc::c_char,
        desc: b"match IKE exchange type\0".as_ptr() as *const libc::c_char,
@ -296,6 +330,22 @@ pub unsafe extern "C" fn SCDetectIkeRegister() {
        ALPROTO_IKE,
        STREAM_TOSERVER | STREAM_TOCLIENT,
    );
+    let kw = SCSigTableAppLiteElmt {
+        name: b"ike.key_exchange_payload_length\0".as_ptr() as *const libc::c_char,
+        desc: b"match IKE key exchange payload length\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/ike-keywords.html#ike-key-exchange-payload-length\0".as_ptr()
+            as *const libc::c_char,
+        AppLayerTxMatch: Some(ike_detect_payload_len_match),
+        Setup: Some(ike_detect_payload_len_setup),
+        Free: Some(ike_detect_payload_len_free),
+        flags: SIGMATCH_INFO_UINT32,
+    };
+    G_IKE_PAYLOAD_LEN_KW_ID = SCDetectHelperKeywordRegister(&kw);
+    G_IKE_PAYLOAD_LEN_BUFFER_ID = SCDetectHelperBufferRegister(
+        b"ike.key_exchange_payload_length\0".as_ptr() as *const libc::c_char,
+        ALPROTO_IKE,
+        STREAM_TOSERVER | STREAM_TOCLIENT,
+    );
    let kw_initiator = SigTableElmtStickyBuffer {
        name: String::from("ike.init_spi"),
        desc: String::from("sticky buffer to match on the IKE spi initiator"),
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -228,7 +228,6 @@ noinst_HEADERS = \
 	detect-icode.h \
 	detect-id.h \
 	detect-ike-chosen-sa.h \
-	detect-ike-key-exchange-payload-length.h \
 	detect-ike-key-exchange-payload.h \
 	detect-ike-nonce-payload-length.h \
 	detect-ike-nonce-payload.h \
@ -811,7 +810,6 @@ libsuricata_c_a_SOURCES = \
 	detect-icode.c \
 	detect-id.c \
 	detect-ike-chosen-sa.c \
-	detect-ike-key-exchange-payload-length.c \
 	detect-ike-key-exchange-payload.c \
 	detect-ike-nonce-payload-length.c \
 	detect-ike-nonce-payload.c \
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@ -233,7 +233,6 @@
 #include "detect-dnp3.h"
 #include "detect-ike-vendor.h"
 #include "detect-ike-chosen-sa.h"
-#include "detect-ike-key-exchange-payload-length.h"
 #include "detect-ike-nonce-payload-length.h"
 #include "detect-ike-nonce-payload.h"
 #include "detect-ike-key-exchange-payload.h"
@ -590,7 +589,6 @@ void SigTableSetup(void)

    DetectIkeVendorRegister();
    DetectIkeChosenSaRegister();
-    DetectIkeKeyExchangePayloadLengthRegister();
    DetectIkeNoncePayloadLengthRegister();
    DetectIkeNonceRegister();
    DetectIkeKeyExchangeRegister();
--- a/src/detect-engine-register.h
+++ b/src/detect-engine-register.h
@ -283,7 +283,6 @@ enum DetectKeywordId {

    DETECT_IKE_VENDOR,
    DETECT_IKE_CHOSEN_SA,
-    DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH,
    DETECT_IKE_NONCE_PAYLOAD_LENGTH,
    DETECT_IKE_NONCE,
    DETECT_IKE_KEY_EXCHANGE,
--- a/src/detect-ike-key-exchange-payload-length.c
+++ b/src/detect-ike-key-exchange-payload-length.c
@ -1,146 +0,0 @@
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- *
- * \author Frank Honza <frank.honza@dcso.de>
- */
-
-#include "suricata-common.h"
-#include "conf.h"
-#include "detect.h"
-#include "detect-parse.h"
-#include "detect-engine.h"
-#include "detect-engine-content-inspection.h"
-#include "detect-ike-key-exchange-payload-length.h"
-#include "app-layer-parser.h"
-#include "util-byte.h"
-#include "detect-engine-uint.h"
-
-#include "rust-bindings.h"
-
-/**
- *   [ike.key_exchange_payload_length]:[=|<|>|<=|>=]<length>;
- */
-static int DetectIkeKeyExchangePayloadLengthSetup(DetectEngineCtx *, Signature *s, const char *str);
-static void DetectIkeKeyExchangePayloadLengthFree(DetectEngineCtx *, void *);
-static int g_ike_key_exch_payload_length_buffer_id = 0;
-
-static int DetectIkeKeyExchangePayloadLengthMatch(DetectEngineThreadCtx *, Flow *, uint8_t, void *,
-        void *, const Signature *, const SigMatchCtx *);
-
-/**
- * \brief Registration function for ike.key_exchange_payload_length keyword.
- */
-void DetectIkeKeyExchangePayloadLengthRegister(void)
-{
-    sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].name = "ike.key_exchange_payload_length";
-    sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].desc =
-            "match IKE key exchange payload length";
-    sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].url =
-            "/rules/ike-keywords.html#ike-key-exchange-payload-length";
-    sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].AppLayerTxMatch =
-            DetectIkeKeyExchangePayloadLengthMatch;
-    sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Setup =
-            DetectIkeKeyExchangePayloadLengthSetup;
-    sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].Free =
-            DetectIkeKeyExchangePayloadLengthFree;
-    sigmatch_table[DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH].flags = SIGMATCH_INFO_UINT32;
-
-    DetectAppLayerInspectEngineRegister("ike.key_exchange_payload_length", ALPROTO_IKE,
-            SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
-
-    DetectAppLayerInspectEngineRegister("ike.key_exchange_payload_length", ALPROTO_IKE,
-            SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL);
-
-    g_ike_key_exch_payload_length_buffer_id =
-            DetectBufferTypeGetByName("ike.key_exchange_payload_length");
-}
-
-/**
- * \internal
- * \brief Function to match key exchange payload length of a IKE state
- *
- * \param det_ctx Pointer to the pattern matcher thread.
- * \param f       Pointer to the current flow.
- * \param flags   Flags.
- * \param state   App layer state.
- * \param txv     Pointer to the Ike Transaction.
- * \param s       Pointer to the Signature.
- * \param ctx     Pointer to the sigmatch that we will cast into DetectU32Data.
- *
- * \retval 0 no match.
- * \retval 1 match.
- */
-static int DetectIkeKeyExchangePayloadLengthMatch(DetectEngineThreadCtx *det_ctx, Flow *f,
-        uint8_t flags, void *state, void *txv, const Signature *s, const SigMatchCtx *ctx)
-{
-    SCEnter();
-
-    uint32_t length;
-    if (!SCIkeStateGetKeyExchangePayloadLength(txv, &length))
-        SCReturnInt(0);
-    const DetectU32Data *du32 = (const DetectU32Data *)ctx;
-    return DetectU32Match(length, du32);
-}
-
-/**
- * \brief Function to add the parsed IKE key exchange payload length query into the current
- * signature.
- *
- * \param de_ctx Pointer to the Detection Engine Context.
- * \param s      Pointer to the Current Signature.
- * \param rawstr Pointer to the user provided flags options.
- *
- * \retval 0 on Success.
- * \retval -1 on Failure.
- */
-static int DetectIkeKeyExchangePayloadLengthSetup(
-        DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
-{
-    if (SCDetectSignatureSetAppProto(s, ALPROTO_IKE) != 0)
-        return -1;
-
-    DetectU32Data *key_exchange_payload_length = DetectU32Parse(rawstr);
-    if (key_exchange_payload_length == NULL)
-        return -1;
-
-    /* okay so far so good, lets get this into a SigMatch
-     * and put it in the Signature. */
-
-    if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH,
-                (SigMatchCtx *)key_exchange_payload_length,
-                g_ike_key_exch_payload_length_buffer_id) == NULL) {
-        goto error;
-    }
-    return 0;
-
-error:
-    DetectIkeKeyExchangePayloadLengthFree(de_ctx, key_exchange_payload_length);
-    return -1;
-}
-
-/**
- * \internal
- * \brief Function to free memory associated with DetectU32Data.
- *
- * \param de_ptr Pointer to DetectU32Data.
- */
-static void DetectIkeKeyExchangePayloadLengthFree(DetectEngineCtx *de_ctx, void *ptr)
-{
-    SCDetectU32Free(ptr);
-}
--- a/src/detect-ike-key-exchange-payload-length.h
+++ b/src/detect-ike-key-exchange-payload-length.h
@ -1,28 +0,0 @@
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- *
- * \author Frank Honza <frank.honza@dcso.de>
- */
-
-#ifndef SURICATA_DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH_H
-#define SURICATA_DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH_H
-
-void DetectIkeKeyExchangePayloadLengthRegister(void);
-
-#endif /* SURICATA_DETECT_IKE_KEY_EXCHANGE_PAYLOAD_LENGTH_H */