websocket: handle Sec-WebSocket-Extensions

Optimization to avoid consuming too much memory for decompression

Author: catenacyber

rust/src/websocket/parser.rs

@@ -101,3 +101,15 @@ pub fn parse_message(i: &[u8], max_pl_size: u32) -> IResult<&[u8], WebSocketPdu>
         },
     ))
 }
+
+pub(super) fn parse_cli_max_win(i: &[u8]) -> IResult<&[u8], u8> {
+    let (i, _space) = space0(i)?;
+    let (i, _name) = tag("client_max_window_bits=")(i)?;
+    verify(nomu8, |&v| (9..=15).contains(&v))(i)
+}
+
+pub(super) fn parse_srv_max_win(i: &[u8]) -> IResult<&[u8], u8> {
+    let (i, _space) = space0(i)?;
+    let (i, _name) = tag("server_max_window_bits=")(i)?;
+    verify(nomu8, |&v| (9..=15).contains(&v))(i)
+}

rust/src/websocket/websocket.rs

@@ -294,6 +294,18 @@ impl WebSocketState {
         // Input was fully consumed.
         return AppLayerResult::ok();
     }
+
+    fn use_extension(&mut self, hv: &[u8]) {
+        let iter = hv.split(|c| *c == b';');
+        for sub in iter {
+            if let Ok((_, val)) = parser::parse_cli_max_win(sub) {
+                self.c2s_dec = Some(Decompress::new_with_window_bits(false, val));
+            }
+            if let Ok((_, val)) = parser::parse_srv_max_win(sub) {
+                self.s2c_dec = Some(Decompress::new_with_window_bits(false, val));
+            }
+        }
+    }
 }
 
 // C exports.
@@ -316,10 +328,35 @@ pub unsafe extern "C" fn rs_websocket_probing_parser(
     return ALPROTO_UNKNOWN;
 }
 
-extern "C" fn rs_websocket_state_new(_orig_state: *mut c_void, _orig_proto: AppProto) -> *mut c_void {
+// Extern functions operating on HTTP2.
+extern "C" {
+    pub fn Http1GetDataForWebsocket(
+        orig_state: *mut std::os::raw::c_void, new_state: *mut std::os::raw::c_void,
+    );
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCWebSocketUseExtension(
+    state: *mut c_void, input: *const u8, input_len: u32,
+) {
+    if !input.is_null() {
+        let slice = build_slice!(input, input_len as usize);
+        let state = cast_pointer!(state, WebSocketState);
+        state.use_extension(slice);
+    }
+}
+
+extern "C" fn rs_websocket_state_new(orig_state: *mut c_void, orig_proto: AppProto) -> *mut c_void {
     let state = WebSocketState::new();
     let boxed = Box::new(state);
-    return Box::into_raw(boxed) as *mut c_void;
+    let r = Box::into_raw(boxed) as *mut c_void;
+    if !orig_state.is_null() && orig_proto == ALPROTO_HTTP1 as u16 {
+        //we could check ALPROTO_HTTP1 == orig_proto
+        unsafe {
+            Http1GetDataForWebsocket(orig_state, r);
+        }
+    }
+    return r;
 }
 
 unsafe extern "C" fn rs_websocket_state_free(state: *mut c_void) {

src/app-layer-htp.c

@@ -2552,6 +2552,20 @@ void *HtpGetTxForH2(void *alstate)
     return NULL;
 }
 
+void Http1GetDataForWebsocket(void *alstate_orig, void *wss)
+{
+    // get last transaction
+    htp_tx_t *h1tx = HtpGetTxForH2(alstate_orig);
+    if (wss == NULL || h1tx == NULL) {
+        return;
+    }
+    const htp_header_t *h = htp_tx_response_header(h1tx, "Sec-WebSocket-Extensions");
+    if (h == NULL) {
+        return;
+    }
+    SCWebSocketUseExtension(wss, htp_header_value_ptr(h), (uint32_t)htp_header_value_len(h));
+}
+
 static int HTPStateGetEventInfo(
         const char *event_name, uint8_t *event_id, AppLayerEventType *event_type)
 {