Files: 2781c75ff99cd5da7b25f6b883d78ff3de987308 / probe.c
8923 bytesRaw
1 | /* |
2 | # probe.c: Code for probing protocols |
3 | # |
4 | # Copyright (C) 2007-2012 Yves Rutschle |
5 | # |
6 | # This program is free software; you can redistribute it |
7 | # and/or modify it under the terms of the GNU General Public |
8 | # License as published by the Free Software Foundation; either |
9 | # version 2 of the License, or (at your option) any later |
10 | # version. |
11 | # |
12 | # This program is distributed in the hope that it will be |
13 | # useful, but WITHOUT ANY WARRANTY; without even the implied |
14 | # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR |
15 | # PURPOSE. See the GNU General Public License for more |
16 | # details. |
17 | # |
18 | # The full text for the General Public License is here: |
19 | # http://www.gnu.org/licenses/gpl.html |
20 | */ |
21 | |
22 | |
23 | |
24 | |
25 | |
26 | |
27 | |
28 | |
29 | |
30 | static int is_ssh_protocol(const char *p, int len, struct proto*); |
31 | static int is_openvpn_protocol(const char *p, int len, struct proto*); |
32 | static int is_tinc_protocol(const char *p, int len, struct proto*); |
33 | static int is_xmpp_protocol(const char *p, int len, struct proto*); |
34 | static int is_http_protocol(const char *p, int len, struct proto*); |
35 | static int is_tls_protocol(const char *p, int len, struct proto*); |
36 | static int is_true(const char *p, int len, struct proto* proto) { return 1; } |
37 | |
38 | /* Table of protocols that have a built-in probe |
39 | */ |
40 | static struct proto builtins[] = { |
41 | /* description service saddr probe */ |
42 | { "ssh", "sshd", NULL, is_ssh_protocol}, |
43 | { "openvpn", NULL, NULL, is_openvpn_protocol }, |
44 | { "tinc", NULL, NULL, is_tinc_protocol }, |
45 | { "xmpp", NULL, NULL, is_xmpp_protocol }, |
46 | { "http", NULL, NULL, is_http_protocol }, |
47 | { "ssl", NULL, NULL, is_tls_protocol }, |
48 | { "tls", NULL, NULL, is_tls_protocol }, |
49 | { "anyprot", NULL, NULL, is_true } |
50 | }; |
51 | |
52 | static struct proto *protocols; |
53 | static char* on_timeout = "ssh"; |
54 | |
55 | struct proto* get_builtins(void) { |
56 | return builtins; |
57 | } |
58 | |
59 | int get_num_builtins(void) { |
60 | return ARRAY_SIZE(builtins); |
61 | } |
62 | |
63 | /* Sets the protocol name to connect to in case of timeout */ |
64 | void set_ontimeout(const char* name) |
65 | { |
66 | asprintf(&on_timeout, "%s", name); |
67 | } |
68 | |
69 | /* Returns the protocol to connect to in case of timeout; |
70 | * if not found, return the first protocol specified |
71 | */ |
72 | struct proto* timeout_protocol(void) |
73 | { |
74 | struct proto* p = get_first_protocol(); |
75 | for (; p && strcmp(p->description, on_timeout); p = p->next); |
76 | if (p) return p; |
77 | return get_first_protocol(); |
78 | } |
79 | |
80 | /* returns the first protocol (caller can then follow the *next pointers) */ |
81 | struct proto* get_first_protocol(void) |
82 | { |
83 | return protocols; |
84 | } |
85 | |
86 | void set_protocol_list(struct proto* prots) |
87 | { |
88 | protocols = prots; |
89 | } |
90 | |
91 | /* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */ |
92 | |
93 | void hexdump(const char *mem, unsigned int len) |
94 | { |
95 | unsigned int i, j; |
96 | |
97 | for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++) |
98 | { |
99 | /* print offset */ |
100 | if(i % HEXDUMP_COLS == 0) |
101 | printf("0x%06x: ", i); |
102 | |
103 | /* print hex data */ |
104 | if(i < len) |
105 | printf("%02x ", 0xFF & mem[i]); |
106 | else /* end of block, just aligning for ASCII dump */ |
107 | printf(" "); |
108 | |
109 | /* print ASCII dump */ |
110 | if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) { |
111 | for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) { |
112 | if(j >= len) /* end of block, not really printing */ |
113 | putchar(' '); |
114 | else if(isprint(mem[j])) /* printable char */ |
115 | putchar(0xFF & mem[j]); |
116 | else /* other char */ |
117 | putchar('.'); |
118 | } |
119 | putchar('\n'); |
120 | } |
121 | } |
122 | } |
123 | |
124 | /* Is the buffer the beginning of an SSH connection? */ |
125 | static int is_ssh_protocol(const char *p, int len, struct proto *proto) |
126 | { |
127 | if (!strncmp(p, "SSH-", 4)) { |
128 | return 1; |
129 | } |
130 | return 0; |
131 | } |
132 | |
133 | /* Is the buffer the beginning of an OpenVPN connection? |
134 | * |
135 | * Code inspired from OpenVPN port-share option; however, OpenVPN code is |
136 | * wrong: users using pre-shared secrets have non-initialised key_id fields so |
137 | * p[3] & 7 should not be looked at, and also the key_method can be specified |
138 | * to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1. |
139 | * See: |
140 | * http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html |
141 | * and OpenVPN ssl.c, ssl.h and options.c |
142 | */ |
143 | static int is_openvpn_protocol (const char*p,int len, struct proto *proto) |
144 | { |
145 | int packet_len = ntohs(*(uint16_t*)p); |
146 | |
147 | return packet_len == len - 2; |
148 | } |
149 | |
150 | /* Is the buffer the beginning of a tinc connections? |
151 | * (protocol is undocumented, but starts with "0 " in 1.0.15) |
152 | * */ |
153 | static int is_tinc_protocol( const char *p, int len, struct proto *proto) |
154 | { |
155 | return !strncmp(p, "0 ", 2); |
156 | } |
157 | |
158 | /* Is the buffer the beginning of a jabber (XMPP) connections? |
159 | * (Protocol is documented (http://tools.ietf.org/html/rfc6120) but for lazy |
160 | * clients, just checking first frame containing "jabber" in xml entity) |
161 | * */ |
162 | static int is_xmpp_protocol( const char *p, int len, struct proto *proto) |
163 | { |
164 | return strstr(p, "jabber") ? 1 : 0; |
165 | } |
166 | |
167 | static int probe_http_method(const char *p, const char *opt) |
168 | { |
169 | return !strcmp(p, opt); |
170 | } |
171 | |
172 | /* Is the buffer the beginning of an HTTP connection? */ |
173 | static int is_http_protocol(const char *p, int len, struct proto *proto) |
174 | { |
175 | /* If it's got HTTP in the request (HTTP/1.1) then it's HTTP */ |
176 | if (strstr(p, "HTTP")) |
177 | return 1; |
178 | |
179 | /* Otherwise it could be HTTP/1.0 without version: check if it's got an |
180 | * HTTP method (RFC2616 5.1.1) */ |
181 | probe_http_method(p, "OPTIONS"); |
182 | probe_http_method(p, "GET"); |
183 | probe_http_method(p, "HEAD"); |
184 | probe_http_method(p, "POST"); |
185 | probe_http_method(p, "PUT"); |
186 | probe_http_method(p, "DELETE"); |
187 | probe_http_method(p, "TRACE"); |
188 | probe_http_method(p, "CONNECT"); |
189 | |
190 | return 0; |
191 | } |
192 | |
193 | static int is_tls_protocol(const char *p, int len, struct proto *proto) |
194 | { |
195 | /* TLS packet starts with a record "Hello" (0x16), followed by version |
196 | * (0x03 0x00-0x03) (RFC6101 A.1) |
197 | * This means we reject SSLv2 and lower, which is actually a good thing (RFC6176) |
198 | */ |
199 | return p[0] == 0x16 && p[1] == 0x03 && ( p[2] >= 0 && p[2] <= 0x03); |
200 | } |
201 | |
202 | static int regex_probe(const char *p, int len, struct proto *proto) |
203 | { |
204 | regex_t** probe_list = (regex_t**)(proto->data); |
205 | int i=0; |
206 | |
207 | while (probe_list[i]) { |
208 | if (!regexec(probe_list[i], p, 0, NULL, 0)) { |
209 | return 1; |
210 | } |
211 | i++; |
212 | } |
213 | return 0; |
214 | } |
215 | |
216 | /* |
217 | * Read the beginning of data coming from the client connection and check if |
218 | * it's a known protocol. Then leave the data on the defered |
219 | * write buffer of the connection and returns a pointer to the protocol |
220 | * structure |
221 | */ |
222 | struct proto* probe_client_protocol(struct connection *cnx) |
223 | { |
224 | char buffer[BUFSIZ]; |
225 | struct proto *p; |
226 | int n; |
227 | |
228 | n = read(cnx->q[0].fd, buffer, sizeof(buffer)); |
229 | /* It's possible that read() returns an error, e.g. if the client |
230 | * disconnected between the previous call to select() and now. If that |
231 | * happens, we just connect to the default protocol so the caller of this |
232 | * function does not have to deal with a specific failure condition (the |
233 | * connection will just fail later normally). */ |
234 | if (n > 0) { |
235 | defer_write(&cnx->q[1], buffer, n); |
236 | |
237 | for (p = protocols; p; p = p->next) { |
238 | if (! p->probe) continue; |
239 | if (verbose) fprintf(stderr, "probing for %s\n", p->description); |
240 | if (p->probe(buffer, n, p)) { |
241 | if (verbose) fprintf(stderr, "probe %s successful\n", p->description); |
242 | return p; |
243 | } |
244 | } |
245 | } |
246 | |
247 | if (verbose) |
248 | fprintf(stderr, |
249 | "all probes failed, connecting to first protocol: %s\n", |
250 | protocols->description); |
251 | |
252 | /* If none worked, return the first one affected (that's completely |
253 | * arbitrary) */ |
254 | return protocols; |
255 | } |
256 | |
257 | /* Returns the structure for specified protocol or NULL if not found */ |
258 | static struct proto* get_protocol(const char* description) |
259 | { |
260 | int i; |
261 | |
262 | for (i = 0; i < ARRAY_SIZE(builtins); i++) { |
263 | if (!strcmp(builtins[i].description, description)) { |
264 | return &builtins[i]; |
265 | } |
266 | } |
267 | return NULL; |
268 | } |
269 | |
270 | /* Returns the probe for specified protocol: |
271 | * parameter is the description in builtins[], or "regex" |
272 | * */ |
273 | T_PROBE* get_probe(const char* description) { |
274 | struct proto* p = get_protocol(description); |
275 | |
276 | if (p) |
277 | return p->probe; |
278 | |
279 | /* Special case of "regex" probe (we don't want to set it in builtins |
280 | * because builtins is also used to build the command-line options and |
281 | * regexp is not legal on the command line)*/ |
282 | if (!strcmp(description, "regex")) |
283 | return regex_probe; |
284 | |
285 | return NULL; |
286 | } |
287 | |
288 | |
289 |
Built with git-ssb-web