cel / sslh



Tree: ba945f1a8f77d414f5e48f9c4166f5759ca7ece4

Files: ba945f1a8f77d414f5e48f9c4166f5759ca7ece4 / probe.c

1/*
2# probe.c: Code for probing protocols
3#
4# Copyright (C) 2007-2012 Yves Rutschle
5#
6# This program is free software; you can redistribute it
7# and/or modify it under the terms of the GNU General Public
8# License as published by the Free Software Foundation; either
9# version 2 of the License, or (at your option) any later
10# version.
11#
12# This program is distributed in the hope that it will be
13# useful, but WITHOUT ANY WARRANTY; without even the implied
14# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
15# PURPOSE. See the GNU General Public License for more
16# details.
17#
18# The full text for the General Public License is here:
19# http://www.gnu.org/licenses/gpl.html
20*/
21
22#define _GNU_SOURCE
23#include <stdio.h>
24#include <regex.h>
25#include <ctype.h>
26#include "probe.h"
27
28
29
/* Forward declarations of the built-in probes. Each one takes the buffer to
 * inspect, the number of valid bytes in it, and the protocol entry being
 * tested. */
static int is_ssh_protocol(const char *p, int len, struct proto *proto);
static int is_openvpn_protocol(const char *p, int len, struct proto *proto);
static int is_tinc_protocol(const char *p, int len, struct proto *proto);
static int is_xmpp_protocol(const char *p, int len, struct proto *proto);
static int is_http_protocol(const char *p, int len, struct proto *proto);
static int is_tls_protocol(const char *p, int len, struct proto *proto);
static int is_adb_protocol(const char *p, int len, struct proto *proto);

/* Catch-all probe: returns 1 for every input, without looking at the buffer,
 * its length or the protocol entry. */
static int is_true(const char *p, int len, struct proto *proto)
{
    return 1;
}
38
/* Table of protocols that have a built-in probe.
 *
 * "ssl" and "tls" share the same probe (is_tls_protocol). "anyprot" uses
 * is_true, which returns 1 for any input, so every connection that reaches
 * that entry is reported as matching it.
 */
static struct proto builtins[] = {
    /* description service saddr probe */
    { "ssh", "sshd", NULL, is_ssh_protocol},
    { "openvpn", NULL, NULL, is_openvpn_protocol },
    { "tinc", NULL, NULL, is_tinc_protocol },
    { "xmpp", NULL, NULL, is_xmpp_protocol },
    { "http", NULL, NULL, is_http_protocol },
    { "ssl", NULL, NULL, is_tls_protocol },
    { "tls", NULL, NULL, is_tls_protocol },
    { "adb", NULL, NULL, is_adb_protocol },
    { "anyprot", NULL, NULL, is_true }
};
53
/* Head of the active protocol list; installed by set_protocol_list() and
 * used as the fallback target when no probe matches. */
static struct proto *protocols;
/* Description of the protocol chosen on timeout. Starts as the string
 * literal "ssh" and is replaced by set_ontimeout(). */
static char* on_timeout = "ssh";
56
/* Gives callers access to the built-in protocol table (pointer to its first
 * entry); use get_num_builtins() for the entry count. */
struct proto* get_builtins(void)
{
    return &builtins[0];
}
60
/* Number of entries in the built-in protocol table. */
int get_num_builtins(void)
{
    const int count = ARRAY_SIZE(builtins);

    return count;
}
64
/* Sets the protocol name to connect to in case of timeout.
 *
 * The name is copied into a freshly allocated string with asprintf() and the
 * result code is handed to CHECK_RES_DIE.
 *
 * NOTE(review): nothing here frees a string stored by an earlier call, and
 * the initial value of on_timeout is a string literal, so it cannot simply be
 * free()d; presumably this is called at most once during configuration --
 * confirm against the callers.
 */
void set_ontimeout(const char* name)
{
    int res = asprintf(&on_timeout, "%s", name);
    CHECK_RES_DIE(res, "asprintf");
}
71
/* Finds the protocol whose description equals the configured timeout name.
 * When no entry in the list matches, the head of the list is returned
 * instead (whatever get_first_protocol() yields).
 */
struct proto* timeout_protocol(void)
{
    struct proto *candidate;

    for (candidate = get_first_protocol(); candidate != NULL; candidate = candidate->next) {
        if (strcmp(candidate->description, on_timeout) == 0)
            return candidate;
    }

    return get_first_protocol();
}
82
/* Head of the protocol list; walk the rest through each entry's next
 * pointer. */
struct proto* get_first_protocol(void)
{
    struct proto *head = protocols;

    return head;
}
88
/* Installs prots as the protocol list. Its head is also the entry that
 * probe_client_protocol() falls back to when no probe matches. */
void set_protocol_list(struct proto* prots)
{
    struct proto *head = prots;

    protocols = head;
}
93
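/* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */
#define HEXDUMP_COLS 16
/* Writes a hex + ASCII dump of the first len bytes of mem to stdout,
 * HEXDUMP_COLS bytes per row. Each row starts with the offset of its first
 * byte; non-printable bytes appear as '.' in the ASCII column.
 *
 * The buffer is treated as raw bytes: it may contain any value, including
 * bytes >= 0x80, and does not need to be NUL-terminated.
 */
void hexdump(const char *mem, unsigned int len)
{
    unsigned int i, j;
    /* Round len up to a whole number of rows so the last row gets padded. */
    const unsigned int padded_len =
        len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0);

    for (i = 0; i < padded_len; i++) {
        /* print offset */
        if (i % HEXDUMP_COLS == 0)
            printf("0x%06x: ", i);

        /* print hex data */
        if (i < len)
            printf("%02x ", (unsigned int)(unsigned char)mem[i]);
        else /* past the data: pad with the width of one "%02x " cell so the
              * ASCII column stays aligned */
            printf("   ");

        /* print ASCII dump */
        if (i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) {
            for (j = i - (HEXDUMP_COLS - 1); j <= i; j++) {
                if (j >= len) /* end of block, not really printing */
                    putchar(' ');
                /* isprint() is only defined for unsigned char values (or
                 * EOF); a plain char >= 0x80 may be negative, so cast first. */
                else if (isprint((unsigned char)mem[j])) /* printable char */
                    putchar((unsigned char)mem[j]);
                else /* other char */
                    putchar('.');
            }
            putchar('\n');
        }
    }
}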
126
/* SSH probe: the buffer must start with the four bytes "SSH-".
 * Returns PROBE_AGAIN while fewer than four bytes are available, otherwise
 * 1 on a match and 0 on a mismatch. Only the prefix is examined. */
static int is_ssh_protocol(const char *p, int len, struct proto *proto)
{
    static const char banner[] = "SSH-";

    if (len >= 4)
        return memcmp(p, banner, 4) == 0;

    return PROBE_AGAIN;
}
135
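/* Is the buffer the beginning of an OpenVPN connection?
 *
 * Code inspired from OpenVPN port-share option; however, OpenVPN code is
 * wrong: users using pre-shared secrets have non-initialised key_id fields so
 * p[3] & 7 should not be looked at, and also the key_method can be specified
 * to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1.
 * See:
 * http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html
 * and OpenVPN ssl.c, ssl.h and options.c
 *
 * The only thing checked is that the first two bytes, read as a big-endian
 * 16-bit length, equal the number of bytes that follow them in the buffer.
 * No opcode is inspected, so any data with a consistent length prefix is
 * accepted.
 *
 * Returns PROBE_AGAIN while fewer than two bytes are available, otherwise
 * 1 if the length prefix matches and 0 if it does not.
 */
static int is_openvpn_protocol (const char*p,int len, struct proto *proto)
{
    const unsigned char *bytes = (const unsigned char *)p;
    int packet_len;

    if (len < 2)
        return PROBE_AGAIN;

    /* Assemble the network-order length byte by byte. Loading it through a
     * uint16_t pointer cast would be an unaligned, type-punned read of a
     * char buffer. */
    packet_len = (bytes[0] << 8) | bytes[1];
    return packet_len == len - 2;
}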
156
/* tinc probe. The protocol is undocumented, but a 1.0.15 connection starts
 * with "0 " (digit zero, space), so that two-byte prefix is all that is
 * tested. Returns PROBE_AGAIN while fewer than two bytes are available,
 * otherwise 1 on a match and 0 on a mismatch.
 */
static int is_tinc_protocol( const char *p, int len, struct proto *proto)
{
    static const char prefix[] = "0 ";

    if (len >= 2)
        return memcmp(p, prefix, 2) == 0;

    return PROBE_AGAIN;
}
167
/* Jabber (XMPP) probe. The protocol is documented
 * (http://tools.ietf.org/html/rfc6120), but this check is deliberately lazy:
 * it only looks for the string "jabber" anywhere in the buffered data.
 *
 * Returns PROBE_AGAIN until at least 50 bytes are available, then 1 if
 * "jabber" occurs in the buffer and 0 otherwise.
 */
static int is_xmpp_protocol( const char *p, int len, struct proto *proto)
{
    /* The word 'jabber' can show up late in the opening stanza, sometimes
     * after a newline, so wait for a longer preamble before deciding
     * (needed for adium/pidgin). */
    if (len >= 50)
        return memmem(p, len, "jabber", 6) != NULL;

    return PROBE_AGAIN;
}
182
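/* Does the buffer start with the HTTP method name opt?
 *
 * p    buffer to inspect (need not be NUL-terminated)
 * len  number of valid bytes in p
 * opt  NUL-terminated method name, e.g. "GET"
 *
 * Returns PROBE_AGAIN when the buffer is shorter than the method name,
 * otherwise 1 if the first strlen(opt) bytes equal opt and 0 if they do not.
 */
static int probe_http_method(const char *p, int len, const char *opt)
{
    const size_t opt_len = strlen(opt);

    /* Compare as size_t only after ruling out a negative length, which the
     * implicit conversion would otherwise turn into a huge value. */
    if (len < 0 || (size_t)len < opt_len)
        return PROBE_AGAIN;

    /* Compare exactly the method name. Passing the buffer length to
     * strncmp() would also compare opt's terminating NUL with the byte that
     * follows the method, so a request longer than the bare method name
     * could never match. */
    return !strncmp(p, opt, opt_len);
}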
190
/* HTTP probe.
 *
 * Returns PROBE_MATCH as soon as the string "HTTP" occurs anywhere in the
 * buffered data (as in "HTTP/1.1"). Otherwise the request may be HTTP/1.0
 * without a version, so each method from RFC2616 5.1.1 is tried in turn with
 * probe_http_method(); the first result different from PROBE_NEXT is
 * returned. PROBE_NEXT is returned when no method gave another answer.
 *
 * NOTE(review): "OPTIONS" is tried first and probe_http_method() answers
 * PROBE_AGAIN for a buffer shorter than the method name, so a short buffer
 * without "HTTP" appears to yield PROBE_AGAIN before the shorter methods are
 * considered -- confirm this is intended.
 */
static int is_http_protocol(const char *p, int len, struct proto *proto)
{
    static const char *const methods[] = {
        "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"
    };
    size_t i;

    if (memmem(p, len, "HTTP", 4))
        return PROBE_MATCH;

    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        int res = probe_http_method(p, len, methods[i]);

        if (res != PROBE_NEXT)
            return res;
    }

    return PROBE_NEXT;
}
216
/* TLS probe, based on the first three bytes only: byte 0 must be 0x16,
 * byte 1 must be 0x03 and byte 2 must lie in 0x00..0x03 (RFC6101 A.1).
 * SSLv2 and older hellos do not start this way and are therefore rejected,
 * which is desirable (RFC6176). Nothing beyond these three bytes is
 * validated.
 *
 * Returns PROBE_AGAIN while fewer than three bytes are available, otherwise
 * 1 on a match and 0 on a mismatch.
 */
static int is_tls_protocol(const char *p, int len, struct proto *proto)
{
    if (len < 3)
        return PROBE_AGAIN;

    if (p[0] != 0x16 || p[1] != 0x03)
        return 0;

    return p[2] >= 0 && p[2] <= 0x03;
}
228
/* ADB probe. The initial host->device packet has the command type CNXN and
 * a data payload starting with "host:". Current clients hardcode "host::"
 * (empty serialno and banner fields), but other clients may fill those
 * fields in, so only "host:" is required.
 *
 * amessage.data_length is not checked, on the assumption that a packet of
 * at least 30 bytes has "something" in the payload field.
 *
 * Returns PROBE_AGAIN while fewer than 30 bytes are available, otherwise
 * 1 on a match and 0 on a mismatch.
 */
static int is_adb_protocol(const char *p, int len, struct proto *proto)
{
    if (len < 30)
        return PROBE_AGAIN;

    /* command field at offset 0 */
    if (memcmp(p, "CNXN", 4) != 0)
        return 0;

    /* payload at offset 24 */
    return memcmp(p + 24, "host:", 5) == 0;
}
244
/* Regex probe: proto->data is read as a NULL-terminated array of compiled
 * regular expressions, tried in order against the buffer.
 *
 * REG_STARTEND with the range [0, len) limits the match to the valid bytes,
 * so the buffer does not have to be NUL-terminated.
 *
 * Returns 1 as soon as one expression matches, 0 when none does. The
 * expressions run on data received from the client; where they are compiled
 * is not visible in this function.
 */
static int regex_probe(const char *p, int len, struct proto *proto)
{
    regex_t **candidate;
    regmatch_t bounds = { 0, len };

    for (candidate = proto->data; *candidate != NULL; candidate++) {
        if (regexec(*candidate, p, 0, &bounds, REG_STARTEND) == 0)
            return 1;
    }

    return 0;
}
255
/*
 * Reads the first data sent by the client and runs the probes over it.
 *
 * Returns PROBE_AGAIN if a probe needs more data, or PROBE_MATCH once a
 * protocol has been chosen, in which case cnx->proto points to it. Probing
 * starts at the current cnx->proto, and cnx->proto is updated before each
 * probe is called.
 *
 * If read() fails or returns no data, or if every probe answers PROBE_NEXT,
 * the connection is assigned to the head of the protocol list and
 * PROBE_MATCH is returned: unrecognised traffic is handed to the first
 * configured protocol rather than dropped.
 */
int probe_client_protocol(struct connection *cnx)
{
    char buffer[BUFSIZ];
    int n;

    /* read() may fail, e.g. if the client disconnected between the previous
     * select() and now. In that case the default protocol is chosen below,
     * so the caller has no special failure condition to handle (the
     * connection will simply fail later). */
    n = read(cnx->q[0].fd, buffer, sizeof(buffer));

    if (n > 0) {
        struct proto *p = cnx->proto;
        int res = PROBE_NEXT;

        defer_write(&cnx->q[1], buffer, n);

        while (p && res == PROBE_NEXT) {
            if (p->probe) {
                if (verbose)
                    fprintf(stderr, "probing for %s\n", p->description);

                /* Remember the entry under test before calling its probe. */
                cnx->proto = p;
                /* Probes see the deferred data of q[1], not just this read. */
                res = p->probe(cnx->q[1].begin_deferred_data,
                               cnx->q[1].deferred_data_size, p);
            }
            p = p->next;
        }

        if (res != PROBE_NEXT)
            return res;
    }

    /* Dereferences protocols: assumes the protocol list is not empty. */
    if (verbose)
        fprintf(stderr,
                "all probes failed, connecting to first protocol: %s\n",
                protocols->description);

    /* Nothing matched: fall back to the first protocol (an arbitrary
     * choice). */
    cnx->proto = protocols;
    return PROBE_MATCH;
}
300
/* Looks up a built-in protocol by its description (exact, case-sensitive
 * strcmp). Returns a pointer to the table entry, or NULL if there is none. */
static struct proto* get_protocol(const char* description)
{
    int i = 0;

    while (i < ARRAY_SIZE(builtins)) {
        struct proto *entry = &builtins[i];

        if (strcmp(entry->description, description) == 0)
            return entry;
        i++;
    }

    return NULL;
}
313
/* Maps a protocol description to its probe function.
 * description is either a description from builtins[] or the word "regex".
 * Returns NULL for anything else.
 */
T_PROBE* get_probe(const char* description)
{
    struct proto *builtin = get_protocol(description);

    if (builtin != NULL)
        return builtin->probe;

    /* "regex" is handled here rather than listed in builtins[], because
     * builtins[] is also used to build the command-line options and regexp
     * is not legal on the command line. */
    if (strcmp(description, "regex") == 0)
        return regex_probe;

    return NULL;
}
331
332
333
