/*
# probe.c: Code for probing protocols
#
# Copyright (C) 2007-2015 Yves Rutschle
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later
# version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more
# details.
#
# The full text for the General Public License is here:
# http://www.gnu.org/licenses/gpl.html
*/
21
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#ifdef ENABLE_REGEX
#ifdef LIBPCRE
#include <pcreposix.h>
#else
#include <regex.h>
#endif
#endif
#include "probe.h"
33
34
35
/* Forward declarations of the built-in probes.
 * Every probe receives the bytes received so far from the client (p, len)
 * and the proto entry it is registered under, and answers with one of the
 * PROBE_* results used by probe_client_protocol() below. */
static int is_ssh_protocol(const char *p, int len, struct proto*);
static int is_openvpn_protocol(const char *p, int len, struct proto*);
static int is_tinc_protocol(const char *p, int len, struct proto*);
static int is_xmpp_protocol(const char *p, int len, struct proto*);
static int is_http_protocol(const char *p, int len, struct proto*);
static int is_tls_protocol(const char *p, int len, struct proto*);
static int is_adb_protocol(const char *p, int len, struct proto*);

/* Catch-all probe: reports a match (1) whatever the input is. Backs the
 * "anyprot" entry of builtins[] and the "timeout" name accepted by
 * get_probe(); none of its arguments are examined. */
static int is_true(const char *p, int len, struct proto *proto)
{
    (void)p;
    (void)len;
    (void)proto;
    return 1;
}
44
/* Table of protocols that have a built-in probe.
 *
 * Protocols are not probed in the order of this table but in the order of
 * the configured list handed to set_protocol_list() (see
 * probe_client_protocol). The table also drives the command-line options,
 * which is why "regex" and "sni" are not listed here (see get_probe).
 * "ssl" and "tls" share one probe. "anyprot" always matches, so it only
 * makes sense as the last protocol of a configuration.
 */
static struct proto builtins[] = {
    /* description  service   saddr   probe */
    { "ssh",        "sshd",   NULL,   is_ssh_protocol },
    { "openvpn",    NULL,     NULL,   is_openvpn_protocol },
    { "tinc",       NULL,     NULL,   is_tinc_protocol },
    { "xmpp",       NULL,     NULL,   is_xmpp_protocol },
    { "http",       NULL,     NULL,   is_http_protocol },
    { "ssl",        NULL,     NULL,   is_tls_protocol },
    { "tls",        NULL,     NULL,   is_tls_protocol },
    { "adb",        NULL,     NULL,   is_adb_protocol },
    { "anyprot",    NULL,     NULL,   is_true }
};
59
/* Head of the configured protocol list (installed by set_protocol_list();
 * entries are chained through ->next). NULL until then. */
static struct proto *protocols;
/* Name of the protocol to connect to when the client sends nothing before
 * the timeout (see timeout_protocol). Starts out pointing at a string
 * literal; set_ontimeout() replaces it with a heap-allocated copy, so it
 * must never be freed unconditionally. */
static char* on_timeout = "ssh";
62
/* Returns the table of built-in protocols (builtins[] above). The table is
 * static storage: callers must not free it. get_num_builtins() gives its
 * length. */
struct proto* get_builtins(void) {
    struct proto *table = builtins;
    return table;
}
66
/* Returns the number of entries in builtins[]. */
int get_num_builtins(void) {
    return (int)(sizeof builtins / sizeof builtins[0]);
}
70
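/* Sets the protocol name to connect to in case of timeout.
 * name is copied; the caller keeps ownership of its string. Dies through
 * CHECK_RES_DIE if the copy cannot be allocated, in which case the previous
 * value is left untouched. */
void set_ontimeout(const char* name)
{
    /* on_timeout initially points at a string literal, which must not be
     * freed; only copies made here may be released on the next call. */
    static int on_timeout_is_heap = 0;
    char *copy = NULL;
    int res = asprintf(&copy, "%s", name);
    CHECK_RES_DIE(res, "asprintf");

    /* Release the previous copy so repeated calls do not leak it. */
    if (on_timeout_is_heap)
        free(on_timeout);
    on_timeout = copy;
    on_timeout_is_heap = 1;
}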
77
/* Returns the protocol to connect to in case of timeout: the entry of the
 * configured list whose description equals on_timeout. If no entry has that
 * name, the first configured protocol is returned instead (NULL only when
 * the list is empty). */
struct proto* timeout_protocol(void)
{
    struct proto *candidate = get_first_protocol();

    while (candidate != NULL) {
        if (strcmp(candidate->description, on_timeout) == 0)
            return candidate;
        candidate = candidate->next;
    }
    return get_first_protocol();
}
88
/* Returns the head of the configured protocol list (NULL until
 * set_protocol_list() has been called); callers walk it via ->next. */
struct proto* get_first_protocol(void)
{
    struct proto *head = protocols;
    return head;
}
94
/* Installs the configured protocol list. prots is the head of a list chained
 * through ->next; it is referenced, not copied, so it must outlive all
 * probing. Its first entry is also the fallback chosen by
 * probe_client_protocol() when no probe matches. */
void set_protocol_list(struct proto* prots)
{
    struct proto *head = prots;
    protocols = head;
}
99
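/* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */
#define HEXDUMP_COLS 16
/* Writes len bytes of mem to stdout, HEXDUMP_COLS bytes per line: a hex
 * offset, the bytes in hex, then the same bytes as ASCII with non-printable
 * bytes shown as '.'. The last line is padded with blanks so the ASCII
 * column stays aligned.
 *
 * mem is whatever the peer sent, so bytes above 0x7F are expected. Each byte
 * is converted to unsigned char before isprint(): handing a negative char to
 * a <ctype.h> function is undefined behaviour where char is signed. */
void hexdump(const char *mem, unsigned int len)
{
    unsigned int i, j;
    /* len rounded up to a whole number of rows */
    unsigned int cells = len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0);

    for (i = 0; i < cells; i++) {
        /* print offset */
        if (i % HEXDUMP_COLS == 0)
            printf("0x%06x: ", i);

        /* print hex data */
        if (i < len)
            printf("%02x ", 0xFF & mem[i]);
        else /* end of block, just aligning for ASCII dump: same width as "%02x " */
            printf("   ");

        /* print ASCII dump once a full row of hex has been written */
        if (i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) {
            for (j = i - (HEXDUMP_COLS - 1); j <= i; j++) {
                if (j >= len) /* end of block, not really printing */
                    putchar(' ');
                else if (isprint((unsigned char)mem[j])) /* printable char */
                    putchar(0xFF & mem[j]);
                else /* other char */
                    putchar('.');
            }
            putchar('\n');
        }
    }
}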
132
/* Is the buffer the beginning of an SSH connection?
 * Needs 4 bytes (PROBE_AGAIN otherwise); returns 1 when they are the
 * "SSH-" banner prefix, 0 otherwise. */
static int is_ssh_protocol(const char *p, int len, struct proto *proto)
{
    static const char banner[] = "SSH-";
    (void)proto;

    if (len < 4)
        return PROBE_AGAIN;

    return memcmp(p, banner, 4) == 0;
}
141
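/* Is the buffer the beginning of an OpenVPN connection?
 *
 * Code inspired from OpenVPN port-share option; however, OpenVPN code is
 * wrong: users using pre-shared secrets have non-initialised key_id fields so
 * p[3] & 7 should not be looked at, and also the key_method can be specified
 * to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1.
 * See:
 * http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html
 * and OpenVPN ssl.c, ssl.h and options.c
 *
 * The first two bytes are a big-endian length; we match when it equals the
 * number of bytes that follow them in what has been received so far.
 * Needs 2 bytes (PROBE_AGAIN otherwise); returns 1 on match, 0 otherwise.
 */
static int is_openvpn_protocol(const char *p, int len, struct proto *proto)
{
    uint16_t raw_len;
    int packet_len;
    (void)proto;

    if (len < 2)
        return PROBE_AGAIN;

    /* p is peer data at an arbitrary offset in a char buffer: copy the
     * length out rather than dereferencing a uint16_t* into it, which is a
     * misaligned access and a strict-aliasing violation (undefined
     * behaviour) even though it happens to work on x86. */
    memcpy(&raw_len, p, sizeof raw_len);
    packet_len = ntohs(raw_len);
    return packet_len == len - 2;
}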
162
/* Is the buffer the beginning of a tinc connection?
 * Protocol is documented here: http://www.tinc-vpn.org/documentation/tinc.pdf
 * First connection starts with "0 " in 1.0.15.
 * Needs 2 bytes (PROBE_AGAIN otherwise); returns 1 on match, 0 otherwise. */
static int is_tinc_protocol( const char *p, int len, struct proto *proto)
{
    static const char prefix[] = "0 ";
    (void)proto;

    if (len < 2)
        return PROBE_AGAIN;

    return memcmp(p, prefix, 2) == 0;
}
174
/* Is the buffer the beginning of a jabber (XMPP) connection?
 * (Protocol is documented (http://tools.ietf.org/html/rfc6120) but for lazy
 * clients, just checking first frame containing "jabber" in xml entity.)
 * Returns 1 if "jabber" occurs anywhere in the first len bytes, 0 otherwise. */
static int is_xmpp_protocol( const char *p, int len, struct proto *proto)
{
    static const char needle[] = "jabber";
    (void)proto;

    /* sometimes the word 'jabber' shows up late in the initial string,
       sometimes after a newline. this makes sure we snarf the entire preamble
       and detect it. (fixed for adium/pidgin) */
    if (len < 50)
        return PROBE_AGAIN;

    return memmem(p, len, needle, sizeof needle - 1) != NULL;
}
189
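/* Does the buffer start with the HTTP method opt?
 * Returns PROBE_AGAIN while fewer than strlen(opt) bytes are available,
 * otherwise 1 when the first strlen(opt) bytes equal opt and 0 when they do
 * not (is_http_protocol treats any result other than PROBE_NEXT as final). */
static int probe_http_method(const char *p, int len, const char *opt)
{
    size_t opt_len = strlen(opt);

    /* Compare as size_t explicitly; a negative len must not be promoted
     * into a huge unsigned value that passes the length check. */
    if (len < 0 || (size_t)len < opt_len)
        return PROBE_AGAIN;

    /* Compare only the method's own length. Comparing len bytes (as before)
     * checked opt's terminating NUL against whatever follows the method in
     * the request, so "GET /" never matched "GET". */
    return !strncmp(p, opt, opt_len);
}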
197
/* Is the buffer the beginning of an HTTP connection?
 * Matches (PROBE_MATCH) if "HTTP" appears anywhere in the data, as in an
 * HTTP/1.x request line. Otherwise it could be a request without a version:
 * the RFC2616 5.1.1 methods are tried in order and the first result that is
 * not PROBE_NEXT (a match, or PROBE_AGAIN when the data is shorter than the
 * method name) is returned. PROBE_NEXT if nothing matched. */
static int is_http_protocol(const char *p, int len, struct proto *proto)
{
    /* RFC2616 5.1.1 methods, tried in this order */
    static const char *const methods[] = {
        "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"
    };
    size_t i;
    (void)proto;

    /* If it's got HTTP in the request (HTTP/1.1) then it's HTTP */
    if (memmem(p, len, "HTTP", 4))
        return PROBE_MATCH;

    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        int res = probe_http_method(p, len, methods[i]);
        if (res != PROBE_NEXT)
            return res;
    }

    return PROBE_NEXT;
}
223
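/* Is the buffer a TLS ClientHello whose SNI hostname is one of the names
 * configured for this entry? proto->data is a NULL-terminated array of
 * hostname strings to compare against (exact, case-sensitive strcmp).
 *
 * parse_tls_header() is mapped as follows: -1 becomes PROBE_AGAIN (more data
 * needed), any other negative value PROBE_NEXT; on success it hands back a
 * heap-allocated hostname that is freed here before returning. */
static int is_sni_protocol(const char *p, int len, struct proto *proto)
{
    int result;
    char *hostname;
    char **sni_hostname;

    result = parse_tls_header(p, len, &hostname);

    if (result < 0)
        return -1 == result ? PROBE_AGAIN : PROBE_NEXT;

    if (verbose) fprintf(stderr, "sni hostname: %s\n", hostname);

    /* Assume does not match */
    result = PROBE_NEXT;

    for (sni_hostname = proto->data; *sni_hostname; sni_hostname++) {
        /* Per-candidate trace is gated on verbose like every other probe
         * diagnostic: the hostname is peer-supplied and was otherwise
         * written to stderr for every configured name on every TLS
         * connection. */
        if (verbose)
            fprintf(stderr, "matching [%s] with [%s]\n", hostname, *sni_hostname);
        if (!strcmp(hostname, *sni_hostname)) {
            result = PROBE_MATCH;
            break;
        }
    }

    free(hostname);
    return result;
}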
251
/* Is the buffer the beginning of a TLS connection?
 * Needs 3 bytes (PROBE_AGAIN otherwise); returns 1 when they look like a
 * TLS record header, 0 otherwise. */
static int is_tls_protocol(const char *p, int len, struct proto *proto)
{
    /* Compare raw byte values, independent of char signedness. */
    const unsigned char *b = (const unsigned char *)p;
    (void)proto;

    if (len < 3)
        return PROBE_AGAIN;

    /* TLS packet starts with a record "Hello" (0x16), followed by version
     * (0x03 0x00-0x03) (RFC6101 A.1)
     * This means we reject SSLv2 and lower, which is actually a good thing (RFC6176)
     */
    return b[0] == 0x16 && b[1] == 0x03 && b[2] <= 0x03;
}
263
/* Is the buffer the beginning of an ADB (Android Debug Bridge) connection?
 * Needs 30 bytes (PROBE_AGAIN otherwise); returns 1 on match, 0 otherwise. */
static int is_adb_protocol(const char *p, int len, struct proto *proto)
{
    static const char command[] = "CNXN";
    static const char payload_prefix[] = "host:";
    (void)proto;

    if (len < 30)
        return PROBE_AGAIN;

    /* The initial ADB host->device packet has a command type of CNXN, and a
     * data payload starting with "host:". Note that current versions of the
     * client hardcode "host::" (with empty serialno and banner fields) but
     * other clients may populate those fields.
     *
     * We aren't checking amessage.data_length, under the assumption that
     * a packet >= 30 bytes long will have "something" in the payload field.
     */
    if (memcmp(p, command, 4) != 0)
        return 0;
    return memcmp(p + 24, payload_prefix, 5) == 0;
}
279
/* Probe for a protocol configured with regular expressions. proto->data is
 * a NULL-terminated array of compiled regex_t*; the result is 1 if any of
 * them matches, 0 otherwise. REG_STARTEND confines the search to the first
 * len bytes of p.
 * Only available when built with ENABLE_REGEX; otherwise the configuration
 * loader is expected to have rejected the probe and reaching here is fatal. */
static int regex_probe(const char *p, int len, struct proto *proto)
{
#ifdef ENABLE_REGEX
    regex_t **probe = proto->data;
    regmatch_t pos = { 0, len };

    /* stop at the first expression that matches (regexec returns 0), or at
     * the terminating NULL if none does */
    while (*probe != NULL) {
        if (regexec(*probe, p, 0, &pos, REG_STARTEND) == 0)
            break;
        probe++;
    }

    return *probe != NULL;
#else
    (void)p;
    (void)len;
    (void)proto;
    /* Should never happen as we check when loading config file */
    fprintf(stderr, "FATAL: regex probe called but not built in\n");
    exit(5);
#endif
}
296
/*
 * Read the beginning of data coming from the client connection and check if
 * it's a known protocol.
 * Return PROBE_AGAIN if not enough data, or PROBE_MATCH if it succeeded in
 * which case cnx->proto is set to the appropriate protocol.
 *
 * Probes run in the order of the configured list, starting at cnx->proto;
 * since cnx->proto is updated as probes run, a call that returned
 * PROBE_AGAIN resumes at the probe that asked for more data. When every
 * probe answers PROBE_NEXT, or the read fails, the first configured
 * protocol is chosen (PROBE_MATCH), so the caller never sees a failure
 * from here.
 */
int probe_client_protocol(struct connection *cnx)
{
    char buffer[BUFSIZ];
    struct proto *p;
    int n;

    n = read(cnx->q[0].fd, buffer, sizeof(buffer));
    /* It's possible that read() returns an error, e.g. if the client
     * disconnected between the previous call to select() and now. If that
     * happens, we just connect to the default protocol so the caller of this
     * function does not have to deal with a specific failure condition (the
     * connection will just fail later normally). */
    /* n == 0 (client closed) takes the same path as an error. */
    if (n > 0) {
        int res = PROBE_NEXT;

        /* Queue the bytes for the server side; the probes below are then
         * run on q[1]'s deferred data rather than on this read alone —
         * presumably so bytes kept from earlier PROBE_AGAIN rounds are
         * included (confirm against defer_write()). Whether that buffer is
         * bounded is decided there, not here. */
        defer_write(&cnx->q[1], buffer, n);

        for (p = cnx->proto; p && res == PROBE_NEXT; p = p->next) {
            /* entries without a probe (e.g. the regex-less build) are skipped */
            if (! p->probe) continue;
            if (verbose) fprintf(stderr, "probing for %s\n", p->description);

            /* Set before probing: when the loop stops on a non-PROBE_NEXT
             * result, cnx->proto already names the probe that produced it
             * even though the for-increment has moved p past it. */
            cnx->proto = p;
            res = p->probe(cnx->q[1].begin_deferred_data, cnx->q[1].deferred_data_size, p);
        }
        /* PROBE_MATCH or PROBE_AGAIN: hand it straight back */
        if (res != PROBE_NEXT)
            return res;
    }

    /* assumes a non-empty protocol list was installed by set_protocol_list() */
    if (verbose)
        fprintf(stderr,
                "all probes failed, connecting to first protocol: %s\n",
                protocols->description);

    /* If none worked, return the first one affected (that's completely
     * arbitrary) */
    cnx->proto = protocols;
    return PROBE_MATCH;
}
341
/* Returns the builtins[] entry whose description equals the given name,
 * or NULL if no built-in protocol has that name. */
static struct proto* get_protocol(const char* description)
{
    size_t count = sizeof builtins / sizeof builtins[0];
    size_t i;

    for (i = 0; i < count; i++) {
        struct proto *candidate = &builtins[i];
        if (strcmp(candidate->description, description) == 0)
            return candidate;
    }
    return NULL;
}
354
/* Returns the probe for specified protocol:
 * parameter is the description in builtins[], or one of the names that are
 * only legal in the configuration file ("regex", "sni", "timeout"). Those
 * are kept out of builtins[] because builtins[] is also used to build the
 * command-line options, where they are not legal. Returns NULL for an
 * unknown name. */
T_PROBE* get_probe(const char* description) {
    /* Configuration-file-only probes. "timeout" is not really a probe, it is
     * merely an accepted name and maps to the catch-all. */
    static const struct {
        const char *name;
        T_PROBE *probe;
    } config_only[] = {
        { "regex",   regex_probe },
        { "sni",     is_sni_protocol },
        { "timeout", is_true },
    };
    struct proto* builtin = get_protocol(description);
    size_t i;

    if (builtin)
        return builtin->probe;

    for (i = 0; i < sizeof config_only / sizeof config_only[0]; i++) {
        if (strcmp(description, config_only[i].name) == 0)
            return config_only[i].probe;
    }

    return NULL;
}
381
382
383