git ssb

1
/*
2
# probe.c: Code for probing protocols
3
#
4
# Copyright (C) 2007-2012  Yves Rutschle
5
# 
6
# This program is free software; you can redistribute it
7
# and/or modify it under the terms of the GNU General Public
8
# License as published by the Free Software Foundation; either
9
# version 2 of the License, or (at your option) any later
10
# version.
11
# 
12
# This program is distributed in the hope that it will be
13
# useful, but WITHOUT ANY WARRANTY; without even the implied
14
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
15
# PURPOSE.  See the GNU General Public License for more
16
# details.
17
# 
18
# The full text for the General Public License is here:
19
# http://www.gnu.org/licenses/gpl.html
20
*/
21
22
#define _GNU_SOURCE
23
#include <stdio.h>
24
#include <regex.h>
25
#include <ctype.h>
26
#include "probe.h"
27
28
29
30
static int is_ssh_protocol(const char *p, int len, struct proto*);
31
static int is_openvpn_protocol(const char *p, int len, struct proto*);
32
static int is_tinc_protocol(const char *p, int len, struct proto*);
33
static int is_xmpp_protocol(const char *p, int len, struct proto*);
34
static int is_http_protocol(const char *p, int len, struct proto*);
35
static int is_tls_protocol(const char *p, int len, struct proto*);
36
static int is_true(const char *p, int len, struct proto* proto) { return 1; }
37
38
/* Table of protocols that have a built-in probe
39
 */
40
static struct proto builtins[] = {
41
    /* description   service  saddr   probe  */
42
    { "ssh",         "sshd",   NULL,   is_ssh_protocol},
43
    { "openvpn",     NULL,     NULL,   is_openvpn_protocol },
44
    { "tinc",        NULL,     NULL,   is_tinc_protocol },
45
    { "xmpp",        NULL,     NULL,   is_xmpp_protocol },
46
    { "http",        NULL,     NULL,   is_http_protocol },
47
    { "ssl",         NULL,     NULL,   is_tls_protocol },
48
    { "tls",         NULL,     NULL,   is_tls_protocol },
49
    { "anyprot",     NULL,     NULL,   is_true }
50
};
51
52
static struct proto *protocols;
53
static char* on_timeout = "ssh";
54
55
struct proto*  get_builtins(void) {
56
    return builtins;
57
}
58
59
int get_num_builtins(void) {
60
    return ARRAY_SIZE(builtins);
61
}
62
63
/* Sets the protocol name to connect to in case of timeout */
64
void set_ontimeout(const char* name)
65
{
66
    asprintf(&on_timeout, "%s", name);
67
}
68
69
/* Returns the protocol to connect to in case of timeout; 
70
 * if not found, return the first protocol specified 
71
 */
72
struct proto* timeout_protocol(void) 
73
{
74
    struct proto* p = get_first_protocol();
75
    for (; p && strcmp(p->description, on_timeout); p = p->next);
76
    if (p) return p;
77
    return get_first_protocol();
78
}
79
80
/* returns the first protocol (caller can then follow the *next pointers) */
81
struct proto* get_first_protocol(void)
82
{
83
    return protocols;
84
}
85
86
void set_protocol_list(struct proto* prots)
87
{
88
    protocols = prots;
89
}
90
91
/* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */
92
#define HEXDUMP_COLS 16
93
void hexdump(const char *mem, unsigned int len)
94
{
95
    unsigned int i, j;
96
97
    for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
98
    {
99
        /* print offset */
100
        if(i % HEXDUMP_COLS == 0)
101
            printf("0x%06x: ", i);
102
103
        /* print hex data */
104
        if(i < len)
105
            printf("%02x ", 0xFF & mem[i]);
106
        else /* end of block, just aligning for ASCII dump */
107
            printf("   ");
108
109
        /* print ASCII dump */
110
        if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) {
111
            for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) {
112
                if(j >= len) /* end of block, not really printing */
113
                    putchar(' ');
114
                else if(isprint(mem[j])) /* printable char */
115
                    putchar(0xFF & mem[j]);        
116
                else /* other char */
117
                    putchar('.');
118
            }
119
            putchar('\n');
120
        }
121
    }
122
}
123
124
/* Is the buffer the beginning of an SSH connection? */
125
static int is_ssh_protocol(const char *p, int len, struct proto *proto)
126
{
127
    if (!strncmp(p, "SSH-", 4)) {
128
        return 1;
129
    }
130
    return 0;
131
}
132
133
/* Is the buffer the beginning of an OpenVPN connection?
134
 *
135
 * Code inspired from OpenVPN port-share option; however, OpenVPN code is
136
 * wrong: users using pre-shared secrets have non-initialised key_id fields so
137
 * p[3] & 7 should not be looked at, and also the key_method can be specified
138
 * to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1.
139
 * See:
140
 * http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html
141
 * and OpenVPN ssl.c, ssl.h and options.c
142
 */
143
static int is_openvpn_protocol (const char*p,int len, struct proto *proto)
144
{
145
    int packet_len = ntohs(*(uint16_t*)p);
146
147
    return packet_len == len - 2;
148
}
149
150
/* Is the buffer the beginning of a tinc connections?
151
 * (protocol is undocumented, but starts with "0 " in 1.0.15)
152
 * */
153
static int is_tinc_protocol( const char *p, int len, struct proto *proto)
154
{
155
    return !strncmp(p, "0 ", 2);
156
}
157
158
/* Is the buffer the beginning of a jabber (XMPP) connections?
159
 * (Protocol is documented (http://tools.ietf.org/html/rfc6120) but for lazy
160
 * clients, just checking first frame containing "jabber" in xml entity)
161
 * */
162
static int is_xmpp_protocol( const char *p, int len, struct proto *proto)
163
{
164
    return strstr(p, "jabber") ? 1 : 0;
165
}
166
167
static int probe_http_method(const char *p, const char *opt)
168
{
169
    return !strcmp(p, opt);
170
}
171
172
/* Is the buffer the beginning of an HTTP connection?  */
173
static int is_http_protocol(const char *p, int len, struct proto *proto)
174
{
175
    /* If it's got HTTP in the request (HTTP/1.1) then it's HTTP */
176
    if (strstr(p, "HTTP"))
177
        return 1;
178
179
    /* Otherwise it could be HTTP/1.0 without version: check if it's got an
180
     * HTTP method (RFC2616 5.1.1) */
181
    probe_http_method(p, "OPTIONS");
182
    probe_http_method(p, "GET");
183
    probe_http_method(p, "HEAD");
184
    probe_http_method(p, "POST");
185
    probe_http_method(p, "PUT");
186
    probe_http_method(p, "DELETE");
187
    probe_http_method(p, "TRACE");
188
    probe_http_method(p, "CONNECT");
189
190
    return 0;
191
}
192
193
static int is_tls_protocol(const char *p, int len, struct proto *proto)
194
{
195
    /* TLS packet starts with a record "Hello" (0x16), followed by version
196
     * (0x03 0x00-0x03) (RFC6101 A.1)
197
     * This means we reject SSLv2 and lower, which is actually a good thing (RFC6176)
198
     */
199
    return p[0] == 0x16 && p[1] == 0x03 && ( p[2] >= 0 && p[2] <= 0x03);
200
}
201
202
static int regex_probe(const char *p, int len, struct proto *proto)
203
{
204
    regex_t** probe_list = (regex_t**)(proto->data);
205
    int i=0;
206
207
    while (probe_list[i]) {
208
        if (!regexec(probe_list[i], p, 0, NULL, 0)) {
209
            return 1;
210
        }
211
        i++;
212
    }
213
    return 0;
214
}
215
216
/* 
217
 * Read the beginning of data coming from the client connection and check if
218
 * it's a known protocol. Then leave the data on the defered
219
 * write buffer of the connection and returns a pointer to the protocol
220
 * structure
221
 */
222
struct proto* probe_client_protocol(struct connection *cnx)
223
{
224
    char buffer[BUFSIZ];
225
    struct proto *p;
226
    int n;
227
228
    n = read(cnx->q[0].fd, buffer, sizeof(buffer));
229
    /* It's possible that read() returns an error, e.g. if the client
230
     * disconnected between the previous call to select() and now. If that
231
     * happens, we just connect to the default protocol so the caller of this
232
     * function does not have to deal with a specific  failure condition (the
233
     * connection will just fail later normally). */
234
    if (n > 0) {
235
        defer_write(&cnx->q[1], buffer, n);
236
237
        for (p = protocols; p; p = p->next) {
238
            if (! p->probe) continue;
239
            if (verbose) fprintf(stderr, "probing for %s\n", p->description);
240
            if (p->probe(buffer, n, p)) {
241
                if (verbose) fprintf(stderr, "probe %s successful\n", p->description);
242
                return p;
243
            }
244
        }
245
    }
246
247
    if (verbose) 
248
        fprintf(stderr, 
249
                "all probes failed, connecting to first protocol: %s\n", 
250
                protocols->description);
251
252
    /* If none worked, return the first one affected (that's completely
253
     * arbitrary) */
254
    return protocols;
255
}
256
257
/* Returns the structure for specified protocol or NULL if not found */
258
static struct proto* get_protocol(const char* description)
259
{
260
    int i;
261
262
    for (i = 0; i < ARRAY_SIZE(builtins); i++) {
263
        if (!strcmp(builtins[i].description, description)) {
264
            return &builtins[i];
265
        }
266
    }
267
    return NULL;
268
}
269
270
/* Returns the probe for specified protocol:
271
 * parameter is the description in builtins[], or "regex" 
272
 * */
273
T_PROBE* get_probe(const char* description) {
274
    struct proto* p = get_protocol(description);
275
276
    if (p)
277
        return p->probe;
278
279
    /* Special case of "regex" probe (we don't want to set it in builtins
280
     * because builtins is also used to build the command-line options and
281
     * regexp is not legal on the command line)*/
282
    if (!strcmp(description, "regex"))
283
        return regex_probe;
284
285
    return NULL;
286
}
287
288
289