mirror of https://github.com/moparisthebest/sslh
364 lines
11 KiB
C
364 lines
11 KiB
C
/*
|
|
# probe.c: Code for probing protocols
|
|
#
|
|
# Copyright (C) 2007-2015 Yves Rutschle
|
|
#
|
|
# This program is free software; you can redistribute it
|
|
# and/or modify it under the terms of the GNU General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2 of the License, or (at your option) any later
|
|
# version.
|
|
#
|
|
# This program is distributed in the hope that it will be
|
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
# PURPOSE. See the GNU General Public License for more
|
|
# details.
|
|
#
|
|
# The full text for the General Public License is here:
|
|
# http://www.gnu.org/licenses/gpl.html
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
#include <stdio.h>
|
|
#ifdef LIBPCRE
|
|
#include <regex.h>
|
|
#endif
|
|
#include <ctype.h>
|
|
#include "probe.h"
|
|
|
|
|
|
|
|
static int is_ssh_protocol(const char *p, int len, struct proto*);
|
|
static int is_openvpn_protocol(const char *p, int len, struct proto*);
|
|
static int is_tinc_protocol(const char *p, int len, struct proto*);
|
|
static int is_xmpp_protocol(const char *p, int len, struct proto*);
|
|
static int is_http_protocol(const char *p, int len, struct proto*);
|
|
static int is_tls_protocol(const char *p, int len, struct proto*);
|
|
static int is_adb_protocol(const char *p, int len, struct proto*);
|
|
static int is_true(const char *p, int len, struct proto* proto) { return 1; }
|
|
|
|
/* Table of protocols that have a built-in probe
|
|
*/
|
|
static struct proto builtins[] = {
|
|
/* description service saddr log_level probe */
|
|
{ "ssh", "sshd", NULL, 1, is_ssh_protocol},
|
|
{ "openvpn", NULL, NULL, 1, is_openvpn_protocol },
|
|
{ "tinc", NULL, NULL, 1, is_tinc_protocol },
|
|
{ "xmpp", NULL, NULL, 1, is_xmpp_protocol },
|
|
{ "http", NULL, NULL, 1, is_http_protocol },
|
|
{ "ssl", NULL, NULL, 1, is_tls_protocol },
|
|
{ "tls", NULL, NULL, 1, is_tls_protocol },
|
|
{ "adb", NULL, NULL, 1, is_adb_protocol },
|
|
{ "anyprot", NULL, NULL, 1, is_true }
|
|
};
|
|
|
|
static struct proto *protocols;
|
|
static char* on_timeout = "ssh";
|
|
|
|
struct proto* get_builtins(void) {
|
|
return builtins;
|
|
}
|
|
|
|
int get_num_builtins(void) {
|
|
return ARRAY_SIZE(builtins);
|
|
}
|
|
|
|
/* Sets the protocol name to connect to in case of timeout */
|
|
void set_ontimeout(const char* name)
|
|
{
|
|
int res = asprintf(&on_timeout, "%s", name);
|
|
CHECK_RES_DIE(res, "asprintf");
|
|
}
|
|
|
|
/* Returns the protocol to connect to in case of timeout;
|
|
* if not found, return the first protocol specified
|
|
*/
|
|
struct proto* timeout_protocol(void)
|
|
{
|
|
struct proto* p = get_first_protocol();
|
|
for (; p && strcmp(p->description, on_timeout); p = p->next);
|
|
if (p) return p;
|
|
return get_first_protocol();
|
|
}
|
|
|
|
/* returns the first protocol (caller can then follow the *next pointers) */
|
|
struct proto* get_first_protocol(void)
|
|
{
|
|
return protocols;
|
|
}
|
|
|
|
void set_protocol_list(struct proto* prots)
|
|
{
|
|
protocols = prots;
|
|
}
|
|
|
|
/* From http://grapsus.net/blog/post/Hexadecimal-dump-in-C */
|
|
#define HEXDUMP_COLS 16
|
|
void hexdump(const char *mem, unsigned int len)
|
|
{
|
|
unsigned int i, j;
|
|
|
|
for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
|
|
{
|
|
/* print offset */
|
|
if(i % HEXDUMP_COLS == 0)
|
|
printf("0x%06x: ", i);
|
|
|
|
/* print hex data */
|
|
if(i < len)
|
|
printf("%02x ", 0xFF & mem[i]);
|
|
else /* end of block, just aligning for ASCII dump */
|
|
printf(" ");
|
|
|
|
/* print ASCII dump */
|
|
if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) {
|
|
for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) {
|
|
if(j >= len) /* end of block, not really printing */
|
|
putchar(' ');
|
|
else if(isprint(mem[j])) /* printable char */
|
|
putchar(0xFF & mem[j]);
|
|
else /* other char */
|
|
putchar('.');
|
|
}
|
|
putchar('\n');
|
|
}
|
|
}
|
|
}
|
|
|
|
/* Is the buffer the beginning of an SSH connection? */
|
|
static int is_ssh_protocol(const char *p, int len, struct proto *proto)
|
|
{
|
|
if (len < 4)
|
|
return PROBE_AGAIN;
|
|
|
|
return !strncmp(p, "SSH-", 4);
|
|
}
|
|
|
|
/* Is the buffer the beginning of an OpenVPN connection?
|
|
*
|
|
* Code inspired from OpenVPN port-share option; however, OpenVPN code is
|
|
* wrong: users using pre-shared secrets have non-initialised key_id fields so
|
|
* p[3] & 7 should not be looked at, and also the key_method can be specified
|
|
* to 1 which changes the opcode to P_CONTROL_HARD_RESET_CLIENT_V1.
|
|
* See:
|
|
* http://www.fengnet.com/book/vpns%20illustrated%20tunnels%20%20vpnsand%20ipsec/ch08lev1sec5.html
|
|
* and OpenVPN ssl.c, ssl.h and options.c
|
|
*/
|
|
static int is_openvpn_protocol (const char*p,int len, struct proto *proto)
|
|
{
|
|
int packet_len;
|
|
|
|
if (len < 2)
|
|
return PROBE_AGAIN;
|
|
|
|
packet_len = ntohs(*(uint16_t*)p);
|
|
return packet_len == len - 2;
|
|
}
|
|
|
|
/* Is the buffer the beginning of a tinc connections?
|
|
* Protocol is documented here: http://www.tinc-vpn.org/documentation/tinc.pdf
|
|
* First connection starts with "0 " in 1.0.15)
|
|
* */
|
|
static int is_tinc_protocol( const char *p, int len, struct proto *proto)
|
|
{
|
|
if (len < 2)
|
|
return PROBE_AGAIN;
|
|
|
|
return !strncmp(p, "0 ", 2);
|
|
}
|
|
|
|
/* Is the buffer the beginning of a jabber (XMPP) connections?
|
|
* (Protocol is documented (http://tools.ietf.org/html/rfc6120) but for lazy
|
|
* clients, just checking first frame containing "jabber" in xml entity)
|
|
* */
|
|
static int is_xmpp_protocol( const char *p, int len, struct proto *proto)
|
|
{
|
|
/* sometimes the word 'jabber' shows up late in the initial string,
|
|
sometimes after a newline. this makes sure we snarf the entire preamble
|
|
and detect it. (fixed for adium/pidgin) */
|
|
if (len < 50)
|
|
return PROBE_AGAIN;
|
|
|
|
return memmem(p, len, "jabber", 6) ? 1 : 0;
|
|
}
|
|
|
|
static int probe_http_method(const char *p, int len, const char *opt)
|
|
{
|
|
if (len < strlen(opt))
|
|
return PROBE_AGAIN;
|
|
|
|
return !strncmp(p, opt, len);
|
|
}
|
|
|
|
/* Is the buffer the beginning of an HTTP connection? */
|
|
static int is_http_protocol(const char *p, int len, struct proto *proto)
|
|
{
|
|
int res;
|
|
/* If it's got HTTP in the request (HTTP/1.1) then it's HTTP */
|
|
if (memmem(p, len, "HTTP", 4))
|
|
return PROBE_MATCH;
|
|
|
|
#define PROBE_HTTP_METHOD(opt) if ((res = probe_http_method(p, len, opt)) != PROBE_NEXT) return res
|
|
|
|
/* Otherwise it could be HTTP/1.0 without version: check if it's got an
|
|
* HTTP method (RFC2616 5.1.1) */
|
|
PROBE_HTTP_METHOD("OPTIONS");
|
|
PROBE_HTTP_METHOD("GET");
|
|
PROBE_HTTP_METHOD("HEAD");
|
|
PROBE_HTTP_METHOD("POST");
|
|
PROBE_HTTP_METHOD("PUT");
|
|
PROBE_HTTP_METHOD("DELETE");
|
|
PROBE_HTTP_METHOD("TRACE");
|
|
PROBE_HTTP_METHOD("CONNECT");
|
|
|
|
#undef PROBE_HTTP_METHOD
|
|
|
|
return PROBE_NEXT;
|
|
}
|
|
|
|
static int is_sni_alpn_protocol(const char *p, int len, struct proto *proto)
|
|
{
|
|
int valid_tls;
|
|
|
|
valid_tls = parse_tls_header(proto->data, p, len);
|
|
|
|
if(valid_tls < 0)
|
|
return -1 == valid_tls ? PROBE_AGAIN : PROBE_NEXT;
|
|
|
|
/* There *was* a valid match */
|
|
return PROBE_MATCH;
|
|
}
|
|
|
|
static int is_tls_protocol(const char *p, int len, struct proto *proto)
|
|
{
|
|
if (len < 3)
|
|
return PROBE_AGAIN;
|
|
|
|
/* TLS packet starts with a record "Hello" (0x16), followed by version
|
|
* (0x03 0x00-0x03) (RFC6101 A.1)
|
|
* This means we reject SSLv2 and lower, which is actually a good thing (RFC6176)
|
|
*/
|
|
return p[0] == 0x16 && p[1] == 0x03 && ( p[2] >= 0 && p[2] <= 0x03);
|
|
}
|
|
|
|
static int is_adb_protocol(const char *p, int len, struct proto *proto)
|
|
{
|
|
if (len < 30)
|
|
return PROBE_AGAIN;
|
|
|
|
/* The initial ADB host->device packet has a command type of CNXN, and a
|
|
* data payload starting with "host:". Note that current versions of the
|
|
* client hardcode "host::" (with empty serialno and banner fields) but
|
|
* other clients may populate those fields.
|
|
*
|
|
* We aren't checking amessage.data_length, under the assumption that
|
|
* a packet >= 30 bytes long will have "something" in the payload field.
|
|
*/
|
|
return !memcmp(&p[0], "CNXN", 4) && !memcmp(&p[24], "host:", 5);
|
|
}
|
|
|
|
static int regex_probe(const char *p, int len, struct proto *proto)
|
|
{
|
|
#ifdef LIBPCRE
|
|
regex_t **probe = proto->data;
|
|
regmatch_t pos = { 0, len };
|
|
|
|
for (; *probe && regexec(*probe, p, 0, &pos, REG_STARTEND); probe++)
|
|
/* try them all */;
|
|
|
|
return (*probe != NULL);
|
|
#else
|
|
/* Should never happen as we check when loading config file */
|
|
fprintf(stderr, "FATAL: regex probe called but not built in\n");
|
|
exit(5);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* Read the beginning of data coming from the client connection and check if
|
|
* it's a known protocol.
|
|
* Return PROBE_AGAIN if not enough data, or PROBE_MATCH if it succeeded in
|
|
* which case cnx->proto is set to the appropriate protocol.
|
|
*/
|
|
int probe_client_protocol(struct connection *cnx)
|
|
{
|
|
char buffer[BUFSIZ];
|
|
struct proto *p;
|
|
int n;
|
|
|
|
n = read(cnx->q[0].fd, buffer, sizeof(buffer));
|
|
/* It's possible that read() returns an error, e.g. if the client
|
|
* disconnected between the previous call to select() and now. If that
|
|
* happens, we just connect to the default protocol so the caller of this
|
|
* function does not have to deal with a specific failure condition (the
|
|
* connection will just fail later normally). */
|
|
if (n > 0) {
|
|
int res = PROBE_NEXT;
|
|
|
|
defer_write(&cnx->q[1], buffer, n);
|
|
|
|
for (p = cnx->proto; p && res == PROBE_NEXT; p = p->next) {
|
|
if (! p->probe) continue;
|
|
if (verbose) fprintf(stderr, "probing for %s\n", p->description);
|
|
|
|
cnx->proto = p;
|
|
res = p->probe(cnx->q[1].begin_deferred_data, cnx->q[1].deferred_data_size, p);
|
|
}
|
|
if (res != PROBE_NEXT)
|
|
return res;
|
|
}
|
|
|
|
if (verbose)
|
|
fprintf(stderr,
|
|
"all probes failed, connecting to first protocol: %s\n",
|
|
protocols->description);
|
|
|
|
/* If none worked, return the first one affected (that's completely
|
|
* arbitrary) */
|
|
cnx->proto = protocols;
|
|
return PROBE_MATCH;
|
|
}
|
|
|
|
/* Returns the structure for specified protocol or NULL if not found */
|
|
static struct proto* get_protocol(const char* description)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(builtins); i++) {
|
|
if (!strcmp(builtins[i].description, description)) {
|
|
return &builtins[i];
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/* Returns the probe for specified protocol:
|
|
* parameter is the description in builtins[], or "regex"
|
|
* */
|
|
T_PROBE* get_probe(const char* description) {
|
|
struct proto* p = get_protocol(description);
|
|
|
|
if (p)
|
|
return p->probe;
|
|
|
|
/* Special case of "regex" probe (we don't want to set it in builtins
|
|
* because builtins is also used to build the command-line options and
|
|
* regexp is not legal on the command line)*/
|
|
if (!strcmp(description, "regex"))
|
|
return regex_probe;
|
|
|
|
/* Special case of "sni/alpn" probe for same reason as above*/
|
|
if (!strcmp(description, "sni_alpn"))
|
|
return is_sni_alpn_protocol;
|
|
|
|
/* Special case of "timeout" is allowed as a probe name in the
|
|
* configuration file even though it's not really a probe */
|
|
if (!strcmp(description, "timeout"))
|
|
return is_true;
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|