transforms: move hash transforms to rust

md5, sha1 and sha256 Ticket: 7229
OISF · Oct 29, 2024 · 4905bba · 4905bba
1 parent a6b251b
commit 4905bba
Show file tree

Hide file tree

Showing 12 changed files with 249 additions and 446 deletions.
diff --git a/rust/src/detect/transforms/hash.rs b/rust/src/detect/transforms/hash.rs
@@ -0,0 +1,239 @@
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+use super::{
+    DetectHelperTransformRegister, DetectSignatureAddTransform, InspectionBufferCheckAndExpand,
+    InspectionBufferLength, InspectionBufferPtr, InspectionBufferTruncate, SCTransformTableElmt,
+};
+use crate::detect::SIGMATCH_NOOPT;
+use crate::ffi::hashing::{G_DISABLE_HASHING, SC_SHA1_LEN, SC_SHA256_LEN};
+use digest::{Digest, Update};
+use md5::Md5;
+use sha1::Sha1;
+use sha2::Sha256;
+
+use std::os::raw::{c_int, c_void};
+use std::ptr;
+
+static mut G_TRANSFORM_MD5_ID: c_int = 0;
+static mut G_TRANSFORM_SHA1_ID: c_int = 0;
+static mut G_TRANSFORM_SHA256_ID: c_int = 0;
+
+const SC_MD5_LEN: usize = 16;
+
+#[no_mangle]
+unsafe extern "C" fn md5_setup(
+    _de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if unsafe { G_DISABLE_HASHING } {
+        SCLogError!("MD5 hashing has been disabled, needed for to_md5 keyword");
+        return -1;
+    }
+    return DetectSignatureAddTransform(s, G_TRANSFORM_MD5_ID, ptr::null_mut());
+}
+
+fn md5_transform_do(input: &[u8], output: &mut [u8]) {
+    Md5::new().chain(input).finalize_into(output.into());
+}
+
+#[no_mangle]
+unsafe extern "C" fn md5_transform(buffer: *mut c_void, _ctx: *mut c_void) {
+    let input = InspectionBufferPtr(buffer);
+    let input_len = InspectionBufferLength(buffer);
+    if input.is_null() || input_len == 0 {
+        return;
+    }
+    let input = build_slice!(input, input_len as usize);
+
+    let output = InspectionBufferCheckAndExpand(buffer, SC_MD5_LEN as u32);
+    if output.is_null() {
+        // allocation failure
+        return;
+    }
+    let output = std::slice::from_raw_parts_mut(output, SC_MD5_LEN);
+
+    md5_transform_do(input, output);
+
+    InspectionBufferTruncate(buffer, SC_MD5_LEN as u32);
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn DetectTransformMd5Register() {
+    let kw = SCTransformTableElmt {
+        name: b"to_md5\0".as_ptr() as *const libc::c_char,
+        desc: b"convert to md5 hash of the buffer\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/transforms.html#to-md5\0".as_ptr() as *const libc::c_char,
+        Setup: md5_setup,
+        flags: SIGMATCH_NOOPT,
+        Transform: md5_transform,
+        Free: None,
+        TransformValidate: None,
+    };
+    unsafe {
+        G_TRANSFORM_MD5_ID = DetectHelperTransformRegister(&kw);
+        if G_TRANSFORM_MD5_ID < 0 {
+            SCLogWarning!("Failed registering transform md5");
+        }
+    }
+}
+
+#[no_mangle]
+unsafe extern "C" fn sha1_setup(
+    _de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if unsafe { G_DISABLE_HASHING } {
+        SCLogError!("SHA1 hashing has been disabled, needed for to_sha1 keyword");
+        return -1;
+    }
+    return DetectSignatureAddTransform(s, G_TRANSFORM_SHA1_ID, ptr::null_mut());
+}
+
+fn sha1_transform_do(input: &[u8], output: &mut [u8]) {
+    Sha1::new().chain(input).finalize_into(output.into());
+}
+
+#[no_mangle]
+unsafe extern "C" fn sha1_transform(buffer: *mut c_void, _ctx: *mut c_void) {
+    let input = InspectionBufferPtr(buffer);
+    let input_len = InspectionBufferLength(buffer);
+    if input.is_null() || input_len == 0 {
+        return;
+    }
+    let input = build_slice!(input, input_len as usize);
+
+    let output = InspectionBufferCheckAndExpand(buffer, SC_SHA1_LEN as u32);
+    if output.is_null() {
+        // allocation failure
+        return;
+    }
+    let output = std::slice::from_raw_parts_mut(output, SC_SHA1_LEN);
+
+    sha1_transform_do(input, output);
+
+    InspectionBufferTruncate(buffer, SC_SHA1_LEN as u32);
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn DetectTransformSha1Register() {
+    let kw = SCTransformTableElmt {
+        name: b"to_sha1\0".as_ptr() as *const libc::c_char,
+        desc: b"convert to sha1 hash of the buffer\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/transforms.html#to-sha1\0".as_ptr() as *const libc::c_char,
+        Setup: sha1_setup,
+        flags: SIGMATCH_NOOPT,
+        Transform: sha1_transform,
+        Free: None,
+        TransformValidate: None,
+    };
+    unsafe {
+        G_TRANSFORM_SHA1_ID = DetectHelperTransformRegister(&kw);
+        if G_TRANSFORM_SHA1_ID < 0 {
+            SCLogWarning!("Failed registering transform sha1");
+        }
+    }
+}
+
+#[no_mangle]
+unsafe extern "C" fn sha256_setup(
+    _de: *mut c_void, s: *mut c_void, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if unsafe { G_DISABLE_HASHING } {
+        SCLogError!("SHA256 hashing has been disabled, needed for to_sha256 keyword");
+        return -1;
+    }
+    return DetectSignatureAddTransform(s, G_TRANSFORM_SHA256_ID, ptr::null_mut());
+}
+
+fn sha256_transform_do(input: &[u8], output: &mut [u8]) {
+    Sha256::new().chain(input).finalize_into(output.into());
+}
+
+#[no_mangle]
+unsafe extern "C" fn sha256_transform(buffer: *mut c_void, _ctx: *mut c_void) {
+    let input = InspectionBufferPtr(buffer);
+    let input_len = InspectionBufferLength(buffer);
+    if input.is_null() || input_len == 0 {
+        return;
+    }
+    let input = build_slice!(input, input_len as usize);
+
+    let output = InspectionBufferCheckAndExpand(buffer, SC_SHA256_LEN as u32);
+    if output.is_null() {
+        // allocation failure
+        return;
+    }
+    let output = std::slice::from_raw_parts_mut(output, SC_SHA256_LEN);
+
+    sha256_transform_do(input, output);
+
+    InspectionBufferTruncate(buffer, SC_SHA256_LEN as u32);
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn DetectTransformSha256Register() {
+    let kw = SCTransformTableElmt {
+        name: b"to_sha256\0".as_ptr() as *const libc::c_char,
+        desc: b"convert to sha256 hash of the buffer\0".as_ptr() as *const libc::c_char,
+        url: b"/rules/transforms.html#to-sha256\0".as_ptr() as *const libc::c_char,
+        Setup: sha256_setup,
+        flags: SIGMATCH_NOOPT,
+        Transform: sha256_transform,
+        Free: None,
+        TransformValidate: None,
+    };
+    unsafe {
+        G_TRANSFORM_SHA256_ID = DetectHelperTransformRegister(&kw);
+        if G_TRANSFORM_SHA256_ID < 0 {
+            SCLogWarning!("Failed registering transform sha256");
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_md5_transform() {
+        let buf = b" A B C D ";
+        let mut out = vec![0; SC_MD5_LEN];
+        md5_transform_do(buf, &mut out);
+        assert_eq!(
+            out,
+            b"\xe0\x59\xf8\x30\x43\x69\x58\xb6\x45\x82\x8c\xc2\x33\xc2\x47\x13"
+        );
+    }
+
+    #[test]
+    fn test_sha1_transform() {
+        let buf = b" A B C D ";
+        let mut out = vec![0; SC_SHA1_LEN];
+        sha1_transform_do(buf, &mut out);
+        assert_eq!(
+            out,
+            b"\xc8\xdc\x44\x97\xf7\xe0\x55\xf8\x6b\x88\x90\x52\x08\x2c\x0c\x7b\xdc\xc9\xc8\x89"
+        );
+    }
+
+    #[test]
+    fn test_sha256_transform() {
+        let buf = b" A B C D ";
+        let mut out = vec![0; SC_SHA256_LEN];
+        sha256_transform_do(buf, &mut out);
+        assert_eq!(out, b"\xd6\xbf\x7d\x8d\x69\x53\x02\x4d\x0d\x84\x5c\x99\x9b\xae\x93\xcc\xac\x68\xea\xab\x9a\xc9\x77\xd0\xfd\x30\x6a\xf5\x9a\x3d\xe4\x3a");
+    }
+}
diff --git a/rust/src/detect/transforms/mod.rs b/rust/src/detect/transforms/mod.rs
@@ -22,6 +22,7 @@ use std::os::raw::{c_char, c_int, c_void};
 pub mod compress_whitespace;
 pub mod dotprefix;
 pub mod strip_whitespace;
+pub mod hash;
 
 #[repr(C)]
 #[allow(non_snake_case)]

diff --git a/rust/src/ffi/hashing.rs b/rust/src/ffi/hashing.rs
@@ -205,6 +205,13 @@ unsafe fn finalize<D: Digest>(digest: D, out: *mut u8, len: u32) {
     output.copy_from_slice(&result);
 }
 
+pub static mut G_DISABLE_HASHING: bool = false;
+
+#[no_mangle]
+pub unsafe extern "C" fn SCDisableHashing() {
+    G_DISABLE_HASHING = true;
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -308,10 +308,7 @@ noinst_HEADERS = \
 	detect-transform-base64.h \
 	detect-transform-casechange.h \
 	detect-transform-header-lowercase.h \
-	detect-transform-md5.h \
 	detect-transform-pcrexform.h \
-	detect-transform-sha1.h \
-	detect-transform-sha256.h \
 	detect-transform-strip-pseudo-headers.h \
 	detect-transform-urldecode.h \
 	detect-transform-xor.h \
@@ -874,10 +871,7 @@ libsuricata_c_a_SOURCES = \
 	detect-transform-base64.c \
 	detect-transform-casechange.c \
 	detect-transform-header-lowercase.c \
-	detect-transform-md5.c \
 	detect-transform-pcrexform.c \
-	detect-transform-sha1.c \
-	detect-transform-sha256.c \
 	detect-transform-strip-pseudo-headers.c \
 	detect-transform-urldecode.c \
 	detect-transform-xor.c \

diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
@@ -216,9 +216,6 @@
 #include "detect-engine-content-inspection.h"
 
 #include "detect-transform-strip-pseudo-headers.h"
-#include "detect-transform-md5.h"
-#include "detect-transform-sha1.h"
-#include "detect-transform-sha256.h"
 #include "detect-transform-pcrexform.h"
 #include "detect-transform-urldecode.h"
 #include "detect-transform-xor.h"