NSIS-ka
A free C++ implementation of NSIS protocols

Changeset 4094


Ignore:
Timestamp:
Jul 13, 2009, 6:04:37 PM (8 years ago)
Author:
bless
Message:
  • modified tp_queryencap to also intercept packets that have no RAO set, if the new option intercept-requires-rao==false
  • tp_queryencap will check for the C-Flag if intercept-requires-rao==false (otherwise normal Confirm and Data Packets in C-mode will be captured by tp_queryencap, too)
Location:
protlib/branches/20080820-configpar
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • protlib/branches/20080820-configpar/include/tp_queryencap.h

    r4091 r4094  
    5353  * @param raovec               - vector of router alert option values that should be intercepted
    5454  * @param tpoverudp            - pointer to UDP send/recv module (required to get source port for sending packets)
     55  * @param strict_rao           - if set an RAO is strictly required for interception, otherwise the magic number suffices
    5556  * @param magic_number         - GIST magic number (first 32 bit of UDP payload) in host byte order, only checked if != 0
    5657  * @param sleep                - time (in ms) that listener and receiver wait at a poll() call
     
    6768      vector<uint32>& raovec,
    6869      const TPoverUDP* tpoverudp,
     70      const bool &strict_rao,
    6971      uint32 GIST_magic_num= 0,
    7072      uint32 sleep = ThreadParam::default_sleep_time,
     
    8082      dest(dest),
    8183      common_header_length(common_header_length),
     84      strict_rao(strict_rao),
    8285      magic_number(GIST_magic_num),
    8386      getmsglength(getmsglength),
     
    9699    /// what is the length of the common header
    97100    const unsigned short common_header_length;
     101    /// RAO required for interception? (read-only)
     102    const bool &strict_rao;
    98103    /// GIST magic number that should be verified (must be given in host order)
    99104    const uint32 magic_number;
     105
    100106    /// function pointer to a function that figures out the msg length in number of 4 byte words
    101107    /// it returns false if error occured (e.g., malformed header), result is returned in variable clen_words
  • protlib/branches/20080820-configpar/src/tp_queryencap.cpp

    r4091 r4094  
    444444
    445445  // if we set this var to "1" the packet will be taken, if we set it to "0", we don't take it
    446   int intercept=0;
     446  bool intercept= false;
    447447
    448448  TPMsg *tpmsg = 0;
     
    481481          ipq_packet_msg_t *m = ipq_get_packet (buf);
    482482          struct ip6_hdr *ip = (struct ip6_hdr *) m->payload;
    483 
     483          uint8 next_header= ip->ip6_nxt;
    484484          uint8 ip_ttl = ip->ip6_hlim;
     485          const uint8 ip6_headerlen= 40;
    485486
    486487          // this is the IPv6 capturer, we have got a handle to the IPv6 Queue, so we can be sure to receive only IPv6 packets
     
    488489          // We have to check, if Hop-By-Hop Option Header is present. If it is, it is the first extension header
    489490          // with code "0" in ip6_next of base header
    490           if (ip->ip6_nxt == 0) intercept= 1;
     491          if (next_header == 0) intercept= true;
    491492             
    492493          // We have to look for RAO option in Hop-by-Hop extension header, if it is NOT set to a value we look for, don't intercept
    493           if (intercept == 1)
     494          if (intercept)
    494495          {
    495             struct ip6_hbh *optheader = (struct ip6_hbh *) (m->payload + 40);
    496             Log (DEBUG_LOG, LOG_NORMAL, tpparam.name, "[IPv6catcher] - IPv6 Packet with HbH-option header received, inspecting it");
    497             intercept=0;
     496            struct ip6_hbh *optheader = (struct ip6_hbh *) (m->payload + ip6_headerlen);
     497            DLog(tpparam.name, "[IPv6catcher] - IPv6 Packet with HbH-option header received, inspecting it");
     498            intercept= false;
    498499             
    499500            int i = 0;
    500             option = (ip_opt *) (m->payload +42);
     501            option = (ip_opt *) (m->payload + ip6_headerlen + 2);
    501502           
    502503            if (option->opt1 == IP6_RAO_OPT_TYPE) {
    503               intercept = 1;
     504              intercept = true;
    504505            }
    505506            else
     
    511512                {
    512513                  i++;
    513                   option = (ip_opt *) (m->payload +42 +i);
     514                  option = (ip_opt *) (m->payload + ip6_headerlen + 2 +i);
    514515                }
    515516                // No PADDING! We have hit an option and its not Router alert! We must move "LENGTH+2" right!
    516517                if ((option->opt1 != 0)&(option->opt1 != IP6_RAO_OPT_TYPE)) i = option->opt2+2;
    517                 option = (ip_opt *) (m->payload + 42 + i);
     518                option = (ip_opt *) (m->payload + ip6_headerlen + 2 + i);
    518519                // We have hit Router Alert! Break loop, leave it alone!
    519                 if (option->opt1 == IP6_RAO_OPT_TYPE) { intercept=1; break; }
     520                if (option->opt1 == IP6_RAO_OPT_TYPE) { intercept= true; break; }
    520521              }
    521522              while (i <= optheader->ip6h_len); // don't overrun end of ip hop-by-hop options header!
     
    532533            }
    533534               
    534             Log (DEBUG_LOG, LOG_NORMAL, tpparam.name, "[IPv6catcher] - Listening for RAOs: " << os.str().c_str());
    535             Log (DEBUG_LOG, LOG_NORMAL, tpparam.name, "[IPv6catcher] - Inspecting RAO value of: " << ntohs(option->opt3));
    536 
    537             intercept = 0;
     535            DLog(tpparam.name, "[IPv6catcher] - Listening for RAOs: " << os.str().c_str());
     536            DLog(tpparam.name, "[IPv6catcher] - Inspecting RAO value of: " << ntohs(option->opt3));
     537
     538            intercept = false;
    538539            // inspect RAO vector
    539540            for (unsigned int i = 0; i < tpparam.raovec.size(); i++) {
    540               if (tpparam.raovec[i] == ntohs(option->opt3)) intercept = 1;
    541             }
    542           }
    543 
    544           // if intercept is 0, RAO value did not match
    545           if (intercept == 0)
     541              if (tpparam.raovec[i] == ntohs(option->opt3)) intercept= true;
     542            } // end for
     543          } // end if intercept
     544
     545          // if intercept is false, RAO value did not match, stop here if strict RAO matching is required
     546          if (intercept == false && tpparam.strict_rao)
    546547          {
    547548            // we don't care about this packet, let it pass the firewall
     
    551552            //Log (DEBUG_LOG, LOG_NORMAL, tpparam.name, "[IPv6catcher] - I let a packet without RAO set pass");
    552553          }
    553 
    554           int offset = 40; // will point to IP payload, initially size of IPv6 header
    555           // one RAO value matched, now check for magic number
    556           if (intercept == 1)
     554          else
    557555          {
    558             // so far the RAO instructs us to intercept this packet, but we still have to check for the magic number
    559             Log (DEBUG_LOG, LOG_NORMAL, tpparam.name, "[IPv6catcher] - I am instructed to intercept this RAO");
    560            
     556            if (intercept)
     557            {
     558              // so far the RAO instructs us to intercept this packet, but we still have to check for the magic number
     559              DLog(tpparam.name, "[IPv6catcher] - I am instructed to intercept this RAO");
     560            }
     561            else
     562            {
     563              DLog(tpparam.name, "[IPv6catcher] - Checking for interception even if no RAO used");
     564              intercept= true;
     565            }
     566          }
     567
     568          int offset = ip6_headerlen; // will point to IP payload, initially size of IPv6 header
     569
     570          // one RAO value matched (or we do not require strict RAO checking), now check for magic number
     571          if (intercept)
     572          {         
    561573            peer_addr = new appladdress();
    562574            own_addr = new appladdress();
    563575                         
    564576            // Now to do: iterate over extension headers to find the start of the UDP header
    565 
    566             // the first extension header is the hop-by-hop options header and it IS present
     577            // the first extension header is the hop-by-hop options header and it is present
     578            // if RAO was used
    567579            struct ip6_ext *extheader = (struct ip6_ext *) (m->payload + offset);
    568580                 
    569581            // if the 2nd extension header is upper layer header, we found the UDP offset
    570             if (extheader->ip6e_nxt == IPPROTO_UDP)
     582            if (next_header == IPPROTO_UDP)
    571583            {
    572584              DLog(tpparam.name, "[IPv6catcher] - Instantly found UDP header, do not loop over headers");
    573585            }
    574             else 
     586            else
    575587            {
     588              // assume that some extension header is present
     589              next_header= extheader->ip6e_nxt;
    576590              // iterate if next header is not UDP
    577               while (extheader->ip6e_nxt != IPPROTO_UDP)
     591              while (next_header != IPPROTO_UDP)
    578592              {
    579593                // advance to next extension header
     
    587601                }
    588602                extheader = (struct ip6_ext *) (m->payload + offset);
     603                next_header= extheader->ip6e_nxt;
    589604              } // end while
     605              // set offset to next header following the last extension header that we saw
     606              offset = offset + 8 + (extheader->ip6e_len * 8);
    590607            }
    591             // set offset to next header following the last extension header that we saw
    592             offset = offset + 8 + (extheader->ip6e_len * 8);
    593608
    594609            // magic number is only checked for if != 0
     
    606621                  die (h);
    607622                // stop interception
    608                 intercept= 0;
     623                intercept= false;
    609624              }
    610625              else
     626              {
    611627                DLog(tpparam.name, "[IPv6catcher] - " << color[green] << "magic number matched" << color[off]);
     628                uint32 *common_header_word2= reinterpret_cast<uint32 *>(m->payload + offset + udp_header_size + 8);
     629                if ( !tpparam.strict_rao && (ntohl(*common_header_word2) & 0x8000)==0 )
     630                {
     631                  DLog(tpparam.name, "[IPv6catcher] - C-Flag not set - will not intercept");
     632                  intercept= false;
     633                }
     634              }
    612635
    613636            } // endif magic number given
     
    615638
    616639          // packet passed all checks, so this packet is to be processed by this node
    617           if (intercept == 1)
     640          if (intercept)
    618641          {
    619642            // we let the firewall stop it and process it further in userspace
     
    698721    // get new thread state
    699722    currstate = get_state ();
    700     intercept = 0;
     723    intercept= false;
    701724  } // end while(!terminate)
    702725   
     
    767790
    768791
    769     //if we set this var to "1" the packet will be taken, if we set it to "0", we don't take it
     792    // if we set this var to "1" the packet will be punted, if we set it to "0", we don't punt it
    770793    bool intercept= false;
    771794   
     
    820843            // We have to check if Option field is present, packets without options will be allowed to pass netfilter
    821844            // Packets with Options set will be stopped at firewall and the copies processed
    822            
    823845            if ((ip->ihl) > 5)
    824846            {
     
    876898                  }
    877899                } // end for
    878                      
    879                 // magic number is only checked for if not zero
    880                 if (tpparam.magic_number != 0)
    881                 {
    882                   uint32 *magic_number_field= reinterpret_cast<uint32 *>(m->payload + 4 * (ip->ihl) + udp_header_size);
    883                   // now check for magic number in UDP payload
    884                   if (tpparam.magic_number != ntohl(*magic_number_field))
    885                   { // magic_number does not fit -> do not intercept the packet
    886                     // we don't care about this packet, let it pass the firewall
    887                     WLog(tpparam.name, "[IPv4catcher] - magic number mismatch, read: 0x" << hex << ntohl(*magic_number_field) << dec);
    888                     // do not intercept
    889                     intercept= false;
    890                   }
    891                   else
    892                     DLog(tpparam.name, "[IPv4catcher] - " << color[green] << "magic number matched" << color[off]);
    893 
    894                 } // endif magic number given
    895      
     900
     901                if (intercept)
     902                  DLog(tpparam.name, "[IPv4catcher] - I am instructed to intercept packages with this RAO (" << (int) rao << ")");
    896903              } // opt 148
    897904              else
     
    907914                     
    908915              //DLog("[IPv4catcher]" , "Let a Packet pass");
    909               intercept= false;
     916              if (tpparam.strict_rao)
     917                intercept= false;
     918              else // let the magic number decide
     919              {
     920                DLog(tpparam.name, "[IPv4catcher] - Checking for interception even if no RAO used");
     921                intercept= true;
     922              }
    910923            }
    911924
     925            // magic number is only checked for if not zero
     926            if (intercept && tpparam.magic_number != 0)
     927            {
     928              uint32 *magic_number_field= reinterpret_cast<uint32 *>(m->payload + 4 * (ip->ihl) + udp_header_size);
     929              // now check for magic number in UDP payload
     930              if (tpparam.magic_number != ntohl(*magic_number_field))
     931                { // magic_number does not fit -> do not intercept the packet
     932                  // we don't care about this packet, let it pass the firewall
     933                  WLog(tpparam.name, "[IPv4catcher] - magic number mismatch, read: 0x" << hex << ntohl(*magic_number_field) << dec);
     934                  // do not intercept
     935                  intercept= false;
     936                }
     937              else
     938              {
     939                DLog(tpparam.name, "[IPv4catcher] - " << color[green] << "magic number matched" << color[off]);
     940                uint32 *common_header_word2= reinterpret_cast<uint32 *>(m->payload + 4 * (ip->ihl) + udp_header_size + 8);
     941                if ( !tpparam.strict_rao && (ntohl(*common_header_word2) & 0x8000)==0 )
     942                {
     943                  DLog(tpparam.name, "[IPv4catcher] - C-Flag not set - will not intercept");
     944                  intercept= false;
     945                }
     946              }
     947             
     948            } // endif magic number given
     949           
    912950            // if intercept is still true, we really will intercept it now
    913951            if (intercept == true)
    914952            {
    915               DLog(tpparam.name, "[IPv4catcher] - I am instructed to intercept packages with this RAO");
    916953
    917954              status = ipq_set_verdict (h, m->packet_id,
Note: See TracChangeset for help on using the changeset viewer.