/***************************************************************************
* EchoClient.cc -- *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2012 Insecure.Com LLC. Nmap is *
* also a registered trademark of Insecure.Com LLC. This program is free *
* software; you may redistribute and/or modify it under the terms of the *
* GNU General Public License as published by the Free Software *
* Foundation; Version 2 with the clarifications and exceptions described *
* below. This guarantees your right to use, modify, and redistribute *
* this software under certain conditions. If you wish to embed Nmap *
* technology into proprietary software, we sell alternative licenses *
* (contact sales@insecure.com). Dozens of software vendors already *
* license Nmap technology such as host discovery, port scanning, OS *
* detection, version detection, and the Nmap Scripting Engine. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we interpret that term as broadly as copyright law *
* allows. For example, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-db or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap, as well as other software we distribute under this *
* license such as Zenmap, Ncat, and Nping. This list is not exclusive, *
* but is meant to clarify our interpretation of derived works with some *
* common examples. Our interpretation applies only to Nmap--we don't *
* speak for other people's GPL works. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to dozens *
* of software vendors, and generally include a perpetual license as well *
* as providing for priority support and updates. They also fund the *
* continued development of Nmap. Please email sales@insecure.com for *
* further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included docs/licenses/OpenSSL.txt file, and distribute *
* linked combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to nmap-dev@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one of the *
* Insecure.Org development mailing lists, or checking them into the Nmap *
* source code repository, it is understood (unless you specify otherwise) *
* that you are offering the Nmap Project (Insecure.Com LLC) the *
* unlimited, non-exclusive right to reuse, modify, and relicense the *
* code. Nmap will always be available Open Source, but this is important *
* because the inability to relicense code has caused devastating problems *
* for other Free Software projects (such as KDE and NASM). We also *
* occasionally relicense the code to third parties as discussed above. *
* If you wish to specify special license conditions of your *
* contributions, just say so when you send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License v2.0 for more details at *
* http://www.gnu.org/licenses/gpl-2.0.html , or in the COPYING file *
* included with Nmap. *
* *
***************************************************************************/
#include "nping.h"
#include "EchoClient.h"
#include "EchoHeader.h"
#include "output.h"
#include "NEPContext.h"
#include "NpingOps.h"
#include "nsock.h"
#include "Crypto.h"
extern NpingOps o;
extern EchoClient ec;
EchoClient::EchoClient() {
this->reset();
} /* End of EchoClient constructor */
EchoClient::~EchoClient() {
this->reset();
} /* End of EchoClient destructor */
/** Sets every attribute to its default value- */
void EchoClient::reset() {
memset(&this->srvaddr4, 0, sizeof(struct sockaddr_in));
memset(&this->srvaddr6, 0, sizeof(struct sockaddr_in6));
memset(this->lasthdr, 0, MAX_NEP_PACKET_LENGTH);
this->readbytes=0;
this->af=AF_INET;
} /* End of reset() */
/** Closes current connection and destroys Nsock handlers */
int EchoClient::cleanup(){
this->probe.cleanup();
return OP_SUCCESS;
} /* End of cleanup() */
/** This is the main method, the boss of it all. It sets up nsock, establishes
* a TCP connection with the server, performs the NEP authentication handshake,
* sends the appropriate packet specs and handles raw packet transmission and
* NEP_ECHO reception and display. */
int EchoClient::start(NpingTarget *target, u16 port){
outPrint(DBG_4, "%s(%p, %u)", __func__, target, port);
/* Init Nsock in the probe engine */
if( this->probe.init_nsock() != OP_SUCCESS ){
outError(QT_2, "Couln't initialize Nsock.");
return OP_FAILURE;
}else{
/* Extract the nsock pool handler and store it here */
this->nsp=this->probe.getNsockPool();
this->nsi=nsi_new(this->nsp, NULL);
}
/* Schedule a TCP connection attempt */
if( this->nep_connect(target, port) != OP_SUCCESS ){
outError(QT_2, "Connection failed.");
return OP_FAILURE;
}
/* Perform NEP authentication handshake */
if( this->nep_handshake() != OP_SUCCESS ){
outError(QT_2, "Handshake failed.");
return OP_FAILURE;
}
/* Send packet specification */
if( this->nep_send_packet_spec() != OP_SUCCESS ){
outError(QT_2, "Couldn't send packet specification.");
return OP_FAILURE;
}
/* Wait for confirmation */
if( this->nep_recv_ready() != OP_SUCCESS ){
outError(QT_2, "Didn't receive server's OK.");
return OP_FAILURE;
}
/* Schedule read of the first 16 bytes to determine the full packet length */
nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN);
/* Start the probe mode engine */
probe.start();
return OP_SUCCESS;
} /* End of start() */
/** Attempts to establish a TCP connection to "target:port". On success it
* returns OP_SUCCESS. OP_FAILURE is returned when it was impossible to
* connect to the remote host (this can be because the server rejected the
* connection or because the connect() timed out). */
int EchoClient::nep_connect(NpingTarget *target, u16 port){
outPrint(DBG_4, "%s(%p, %u)", __func__, target, port);
struct sockaddr_storage ss;
struct sockaddr_storage src;
size_t ss_len;
struct sockaddr_in *s4=(struct sockaddr_in *)&ss;
struct sockaddr_in6 *s6=(struct sockaddr_in6 *)&ss;
enum nsock_loopstatus loopstatus;
if(target==NULL)
outFatal(QT_3, "nep_connect(): NULL parameter supplied.");
else
target->getTargetSockAddr(&ss, &ss_len);
/* AF_INET6 */
if( s6->sin6_family==AF_INET6 ){
this->af=AF_INET6;
this->srvaddr6.sin6_family = AF_INET6;
this->srvaddr6.sin6_port = htons(port);
this->srvaddr6.sin6_addr = s6->sin6_addr;
this->srvaddr6.sin6_flowinfo = 0;
#ifdef HAVE_SOCKADDR_IN6_SIN6_LEN
this->srvaddr6.sin6_len = sizeof(struct sockaddr_in6);
#endif
/* Try to bind the IOD to the IP address supplied by the user */
nsi_set_localaddr(this->nsi, o.getSourceSockAddr(&src), sizeof(sockaddr_in6));
/* Schedule a connect event */
nsock_connect_tcp(this->nsp, this->nsi, connect_done_handler, ECHO_CONNECT_TIMEOUT,
NULL, (struct sockaddr *) &this->srvaddr6, sizeof(this->srvaddr6), port);
/* AF_INET */
}else{
this->af=AF_INET;
this->srvaddr4.sin_family = AF_INET;
this->srvaddr4.sin_port = htons(port);
this->srvaddr4.sin_addr = s4->sin_addr;
#ifdef HAVE_SOCKADDR_IN_SIN_LEN
this->srvaddr4.sin_len = sizeof(struct sockaddr_in);
#endif
/* Try to bind the IOD to the IP address supplied by the user */
nsi_set_localaddr(this->nsi, o.getSourceSockAddr(&src), sizeof(sockaddr_in));
/* Schedule a connect event */
nsock_connect_tcp(this->nsp, this->nsi, connect_done_handler, ECHO_CONNECT_TIMEOUT,
NULL, (struct sockaddr *) &this->srvaddr4, sizeof(this->srvaddr4), port);
}
/* Try to connect or timeout */
loopstatus=nsock_loop(this->nsp, ECHO_CONNECT_TIMEOUT-1);
/* If nsock tells us that the handler asked to quit the loop, then the connect was successful */
return (loopstatus==NSOCK_LOOP_QUIT) ? OP_SUCCESS : OP_FAILURE;
} /* End of nep_connect() */
/** Attempts to perform the NEP authentication handshake with the server.
* Returns OP_SUCCESS if the authentication went well and OP_FAILURE otherwise */
int EchoClient::nep_handshake(){
outPrint(DBG_4, "%s()", __func__);
enum nsock_loopstatus loopstatus;
EchoHeader h;
/* Receive NEP_HANDSHAKE_SERVER message */
nsock_readbytes(this->nsp, this->nsi, recv_hs_server_handler, ECHO_READ_TIMEOUT, NULL, NEP_HANDSHAKE_SERVER_LEN);
loopstatus=nsock_loop(this->nsp, ECHO_READ_TIMEOUT-1);
if(loopstatus!=NSOCK_LOOP_QUIT)
return OP_FAILURE;
/* Generate client nonces and the session cryptographic keys*/
this->ctx.generateInitialClientSequence();
this->ctx.generateClientNonce();
this->ctx.generateCipherKeyC2S();
this->ctx.generateCipherKeyS2C();
this->ctx.generateMacKeyC2S();
this->ctx.generateMacKeyS2C();
outPrint(DBG_4,"Session Key MAC_C2S:"); print_hexdump(DBG_4,ctx.getMacKeyC2S(), MAC_KEY_LEN);
outPrint(DBG_4,"Session Key MAC_S2C:"); print_hexdump(DBG_4,ctx.getMacKeyS2C(), MAC_KEY_LEN);
outPrint(DBG_4,"Session Key CIPHER_C2S:"); print_hexdump(DBG_4,ctx.getCipherKeyC2S(), MAC_KEY_LEN);
outPrint(DBG_4,"Session Key CIPHER_S2C:"); print_hexdump(DBG_4,ctx.getCipherKeyS2C(), MAC_KEY_LEN);
/* Send NEP_HANDSHAKE_CLIENT message */
if( this->generate_hs_client(&h)!=OP_SUCCESS )
return OP_FAILURE;
nsock_write(this->nsp, this->nsi, write_done_handler, ECHO_WRITE_TIMEOUT, NULL, (char *)h.getBinaryBuffer(), h.getLen());
loopstatus=nsock_loop(this->nsp, ECHO_WRITE_TIMEOUT-1);
if(loopstatus!=NSOCK_LOOP_QUIT)
return OP_FAILURE;
/* Receive NEP_HANDSHAKE_FINAL message */
nsock_readbytes(this->nsp, this->nsi, recv_hs_final_handler, ECHO_READ_TIMEOUT, NULL, NEP_HANDSHAKE_FINAL_LEN);
loopstatus=nsock_loop(this->nsp, ECHO_READ_TIMEOUT-1);
if(loopstatus!=NSOCK_LOOP_QUIT)
return OP_FAILURE;
outPrint(DBG_1, "===NEP Handshake completed successfully===");
return OP_SUCCESS;
} /* End of nep_handshake() */
/** Sends the appropriate NEP_PACKET_SPEC message to the server. Returns
* OP_SUCCESS on success and OP_FAILURE in case of error. */
int EchoClient::nep_send_packet_spec(){
outPrint(DBG_4, "%s()", __func__);
enum nsock_loopstatus loopstatus;
EchoHeader h;
if (this->generate_packet_spec(&h)!=OP_SUCCESS)
return OP_FAILURE;
/* Send NEP_PACKET_SPEC message */
nsock_write(this->nsp, this->nsi, write_done_handler, ECHO_WRITE_TIMEOUT, NULL, (const char*)h.getBinaryBuffer(), h.getLen());
loopstatus=nsock_loop(this->nsp, ECHO_WRITE_TIMEOUT-1);
if(loopstatus!=NSOCK_LOOP_QUIT)
return OP_FAILURE;
else
return OP_SUCCESS;
} /* End of nep_send_packetspec() */
/** Receives and parses a NEP_READY message from the server. Returns OP_SUCCESS
* on success and OP_FAILURE in case of error. */
int EchoClient::nep_recv_ready(){
outPrint(DBG_4, "%s()", __func__);
enum nsock_loopstatus loopstatus;
/* Receive NEP_READY message */
nsock_readbytes(this->nsp, this->nsi, recv_ready_handler, ECHO_READ_TIMEOUT, NULL, NEP_READY_LEN);
loopstatus=nsock_loop(this->nsp, ECHO_READ_TIMEOUT-1);
if(loopstatus!=NSOCK_LOOP_QUIT)
return OP_FAILURE;
else
return OP_SUCCESS;
} /* End of nep_recv_ready(){ */
/** Reads and parses a NEP_ECHO message from the server. Returns OP_SUCCESS
* on success and OP_FAILURE in case of error. */
int EchoClient::nep_recv_echo(u8 *packet, size_t packetlen){
outPrint(DBG_4, "%s(%p, %lu)", __func__, packet, (unsigned long)packetlen);
EchoHeader pkt_in;
char *delayedstr=NULL;
nsock_event_id ev_id;
u8 *pkt=NULL;
u16 pktlen=0;
u8 pktinfobuffer[512+1];
struct timeval *t = (struct timeval *)nsock_gettimeofday();
memset(pktinfobuffer, 0, sizeof(pktinfobuffer));
/* Verify the received packet (this covers authentication etc) */
if(this->parse_echo(packet, packetlen)!=OP_SUCCESS){
return OP_FAILURE;
}
/* Once we have authenticated the received message, extract the echoed packet */
if(pkt_in.storeRecvData(packet, packetlen)==OP_FAILURE){
outPrint(VB_0, "Unexpected error dealing with the NEP_ECHO message,");
return OP_FAILURE;
}
if((pkt=pkt_in.getEchoedPacket(&pktlen))==NULL){
outPrint(VB_0, "Error displaying received NEP_ECHO message)");
return OP_FAILURE;
}
o.stats.addEchoedPacket(pktlen);
/* Guess the time the packet was captured. We do this computing the RTT
* between the last sent packet and the received echo packet. We assume
* the packet was captured RTT/2 seconds ago. */
struct timeval tmp=o.getLastPacketSentTime();
float sent_time = o.stats.elapsedRuntime(&tmp);
float now_time = o.stats.elapsedRuntime(t);
float rtt = now_time - sent_time;
float final_time = sent_time + rtt/2;
/* @todo: compute the link layer offset from the DLT type and discard
* link layer headers */
getPacketStrInfo("IP", pkt, pktlen, pktinfobuffer, 512);
outPrint(VB_0,"CAPT (%.4fs) %s", final_time, pktinfobuffer );
if( o.getVerbosity() >= VB_3)
luis_hdump((char*)pkt, pktlen);
/* Check if there is a delayed RCVD string that is waiting to be printed */
if( (delayedstr=o.getDelayedRcvd(&ev_id))!=NULL ){
printf("%s", delayedstr);
free(delayedstr);
nsock_event_cancel(this->nsp, ev_id, 0);
}
return OP_SUCCESS;
} /* End of nep_recv_echo() */
/** Processes and validates a received NEP_HANDSHAKE_SERVER message. On success
* it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet
* is not valid. */
int EchoClient::parse_hs_server(u8 *pkt, size_t pktlen){
outPrint(DBG_4, "%s()", __func__);
EchoHeader h;
if(pkt==NULL){
outPrint(DBG_1,"%s(): NULL parameter supplied.", __func__ );
return OP_FAILURE;
}
if(pktlen!=NEP_HANDSHAKE_SERVER_LEN){
outPrint(DBG_1,"%s(): Unexpected length supplied.", __func__ );
return OP_FAILURE;
}
h.storeRecvData(pkt, pktlen);
/* Validate version number */
if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){
outPrint(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() );
return OP_FAILURE;
}
/* Ensure the expected message type was received */
if(h.getMessageType()!=TYPE_NEP_HANDSHAKE_SERVER){
outPrint(DBG_1, "Expected NEP_HANDSHAKE_SERVER but received %02X", h.getMessageType() );
return OP_FAILURE;
}
/* Ensure the received timestamp falls into the allowed time window */
//if( h.verifyTimestamp()!=OP_SUCCESS ){
// outPrint(DBG_1, "NEP_HANDSHAKE_SERVER timestamp is too old", h.getMessageType() );
// return OP_FAILURE;
//}
/* Ensure message length is correct */
if( h.getTotalLength()!=(NEP_HANDSHAKE_SERVER_LEN/4)){
outPrint(DBG_1, "Received NEP_HANDSHAKE_SERVER specifies an incorrect length (%u)", h.getTotalLength()*4 );
return OP_FAILURE;
}
/* Check the authenticity of the received message */
this->ctx.setServerNonce(h.getServerNonce());
this->ctx.generateMacKeyS2CInitial();
if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){
outPrint(DBG_1, "NEP_HANDSHAKE_SERVER authentication failed" );
return OP_FAILURE;
}
this->ctx.setLastServerSequence( h.getSequenceNumber() );
return OP_SUCCESS;
} /* End of parse_hs_server() */
/** Processes and validates a received NEP_HANDSHAKE_FINAL message. On success
* it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet
* is not valid. */
int EchoClient::parse_hs_final(u8 *pkt, size_t pktlen){
outPrint(DBG_4, "%s()", __func__);
EchoHeader h;
u8 *next_iv=NULL;
if(pkt==NULL){
outPrint(DBG_1,"%s(): NULL parameter supplied.", __func__ );
return OP_FAILURE;
}
if(pktlen!=NEP_HANDSHAKE_FINAL_LEN){
outPrint(DBG_1,"%s(): Unexpected length supplied.", __func__ );
return OP_FAILURE;
}
h.storeRecvData(pkt, pktlen);
/* Validate version number */
if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){
outPrint(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() );
return OP_FAILURE;
}
/* Ensure the expected message type was received */
if(h.getMessageType()!=TYPE_NEP_HANDSHAKE_FINAL){
outPrint(DBG_1, "Expected NEP_HANDSHAKE_FINAL but received %02X", h.getMessageType() );
return OP_FAILURE;
}
/* Ensure the received sequence number is the previous+1 */
if( h.getSequenceNumber()!=(this->ctx.getLastServerSequence()+1)){
outPrint(DBG_1, "Expected sequence number %d but received %d", this->ctx.getLastServerSequence()+1, h.getSequenceNumber() );
return OP_FAILURE;
}else{
/* Increment next expected sequence number*/
this->ctx.getNextServerSequence();
}
/* Ensure the received timestamp falls into the allowed time window */
//if( h.verifyTimestamp()!=OP_SUCCESS ){
// outPrint(DBG_1, "NEP_HANDSHAKE_FINAL timestamp is too old", h.getMessageType() );
// return OP_FAILURE;
//}
/* Ensure message length is correct */
if( h.getTotalLength()!=(NEP_HANDSHAKE_FINAL_LEN/4)){
outPrint(DBG_1, "Received NEP_HANDSHAKE_FINAL specifies an incorrect length (%u)", h.getTotalLength()*4 );
return OP_FAILURE;
}
/* Ensure the server echoed the nonce we sent in our NEP_HANDSHAKE_CLIENT */
if( memcmp(h.getClientNonce(), this->ctx.getClientNonce(), NONCE_LEN)!=0 ){
outPrint(DBG_1, "Echoed nonce in NEP_HANDSHAKE_FINAL message does not match client generate nonce");
return OP_FAILURE;
}
/* Decrypt the encrypted part of the message before validating the MAC */
if((next_iv=h.decrypt(this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getServerNonce(), TYPE_NEP_HANDSHAKE_FINAL))==NULL){
outPrint(DBG_1, "Failed to decrypt NEP_HANDSHAKE_FINAL data." );
return OP_FAILURE;
}
this->ctx.setNextDecryptionIV(next_iv);
/* Check the authenticity of the received message */
if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){
outPrint(DBG_1, "NEP_HANDSHAKE_FINAL authentication failed" );
return OP_FAILURE;
}
return OP_SUCCESS;
} /* End of parse_hs_final() */
/** Processes and validates a received NEP_READY message. On success
* it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet
* is not valid. */
int EchoClient::parse_ready(u8 *pkt, size_t pktlen){
outPrint(DBG_4, "%s()", __func__);
EchoHeader h;
u8 *next_iv=NULL;
if(pkt==NULL){
outPrint(DBG_1,"%s(): NULL parameter supplied.", __func__ );
return OP_FAILURE;
}
if(pktlen!=NEP_READY_LEN){
outPrint(DBG_1,"%s(): Unexpected length supplied.", __func__ );
return OP_FAILURE;
}
h.storeRecvData(pkt, pktlen);
/* Decrypt message */
if((next_iv=h.decrypt(this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV(), TYPE_NEP_READY))==NULL){
outPrint(DBG_1, "Failed to decrypt NEP_READY data." );
return OP_FAILURE;
}
this->ctx.setNextDecryptionIV(next_iv);
/* Validate version number */
if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){
outPrint(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() );
return OP_FAILURE;
}
/* Ensure the expected message type was received */
if(h.getMessageType()!=TYPE_NEP_READY){
outPrint(DBG_1, "Expected NEP_READY but received %02X", h.getMessageType() );
return OP_FAILURE;
}
/* Ensure the received sequence number is the previous+1 */
if( h.getSequenceNumber()!=(this->ctx.getLastServerSequence()+1)){
outPrint(DBG_1, "Expected sequence number %d but received %d", this->ctx.getLastServerSequence()+1, h.getSequenceNumber() );
return OP_FAILURE;
}else{
/* Increment next expected sequence number*/
this->ctx.getNextServerSequence();
}
/* Ensure the received timestamp falls into the allowed time window */
//if( h.verifyTimestamp()!=OP_SUCCESS ){
// outPrint(DBG_1, "NEP_READY timestamp is too old", h.getMessageType() );
// return OP_FAILURE;
//}
/* Ensure message length is correct */
if( h.getTotalLength()!=(NEP_READY_LEN/4)){
outPrint(DBG_1, "Received NEP_READY specifies an incorrect length (%u)", h.getTotalLength()*4 );
return OP_FAILURE;
}
/* Check the authenticity of the received message */
if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){
outPrint(DBG_1, "NEP_READY authentication failed" );
return OP_FAILURE;
}
return OP_SUCCESS;
} /* End of parse_hs_final() */
/** Processes and validates a received NEP_ECHO message. On success
* it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet
* is not valid. */
int EchoClient::parse_echo(u8 *pkt, size_t pktlen){
outPrint(DBG_4, "%s()", __func__);
EchoHeader h;
u8 *next_iv=NULL;
if(pkt==NULL){
outPrint(DBG_1,"%s(): NULL parameter supplied.", __func__ );
return OP_FAILURE;
}
if(pktlen<NEP_ECHO_MIN_LEN){
outPrint(DBG_1,"%s(): Unexpected length supplied.", __func__ );
return OP_FAILURE;
}
h.storeRecvData(pkt, pktlen);
/* Decrypt message */
if((next_iv=h.decrypt(this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV(), TYPE_NEP_ECHO))==NULL){
outPrint(DBG_1, "Failed to decrypt NEP_ECHO data." );
return OP_FAILURE;
}
this->ctx.setNextDecryptionIV(next_iv);
/* Validate version number */
if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){
outPrint(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() );
return OP_FAILURE;
}
/* Ensure the expected message type was received */
if(h.getMessageType()!=TYPE_NEP_ECHO){
outPrint(DBG_1, "Expected NEP_ECHO but received %02X", h.getMessageType() );
return OP_FAILURE;
}
/* Ensure the received sequence number is the previous+1 */
if( h.getSequenceNumber()!=(this->ctx.getLastServerSequence()+1)){
outPrint(DBG_1, "Expected sequence number %d but received %d", this->ctx.getLastServerSequence()+1, h.getSequenceNumber() );
return OP_FAILURE;
}else{
/* Increment next expected sequence number*/
this->ctx.getNextServerSequence();
}
/* Ensure the received timestamp falls into the allowed time window */
//if( h.verifyTimestamp()!=OP_SUCCESS ){
// outPrint(DBG_1, "NEP_ECHO timestamp is too old", h.getMessageType() );
// return OP_FAILURE;
//}
// /* Ensure message length is correct */
// if( h.getTotalLength()!=(pktlen/4)){
// outPrint(DBG_1, "Received NEP_ECHO specifies an incorrect length (%u)", h.getTotalLength()*4 );
// return OP_FAILURE;
// }
/* Fix the object's internal state, since the ECHO message was not created
* by the object but from received data. */
h.updateEchoInternals();
/* Check the authenticity of the received message */
if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){
outPrint(DBG_1, "NEP_ECHO authentication failed" );
return OP_FAILURE;
}else{
outPrint(DBG_1, "Received NEP_ECHO was authenticated successfully");
}
/* Overwrite the received buffer with the decrypted data */
h.dumpToBinaryBuffer(pkt, pktlen);
return OP_SUCCESS;
} /* End of parse_hs_final() */
/** Processes and validates a received NEP_ERROR message. On success
* it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet
* is not valid. */
int EchoClient::parse_error(u8 *pkt, size_t pktlen){
outPrint(DBG_4, "%s()", __func__);
return OP_SUCCESS;
} /* End of parse_hs_final() */
/** Generates a NEP_HANDSHAKE_CLIENT message. On success it returns OP_SUCCESS.
* OP_FAILURE is returned in case of error. */
int EchoClient::generate_hs_client(EchoHeader *h){
outPrint(DBG_4, "%s()", __func__);
u8 *next_iv=NULL;
if(h==NULL)
return OP_FAILURE;
/* Craft NEP_HANDSHAKE_CLIENT message */
h->setMessageType(TYPE_NEP_HANDSHAKE_CLIENT);
h->setSequenceNumber( this->ctx.getLastClientSequence() );
h->setTimestamp();
h->setServerNonce( this->ctx.getServerNonce() );
h->setClientNonce( this->ctx.getClientNonce() );
if(this->af==AF_INET6){
h->setPartnerAddress(this->srvaddr6.sin6_addr);
}else{
h->setPartnerAddress(this->srvaddr4.sin_addr);
}
h->setTotalLength();
h->setMessageAuthenticationCode( this->ctx.getMacKeyC2S(), MAC_KEY_LEN);
if( (next_iv=h->encrypt(this->ctx.getCipherKeyC2S(), CIPHER_KEY_LEN, this->ctx.getClientNonce()))==NULL )
return OP_FAILURE;
this->ctx.setNextEncryptionIV(next_iv);
return OP_SUCCESS;
} /* End of generate_hs_client() */
/** Generates a NEP_PACKET_SPEC message. On success it returns OP_SUCCESS.
* OP_FAILURE is returned in case of error. */
int EchoClient::generate_packet_spec(EchoHeader *h){
outPrint(DBG_4, "%s()", __func__);
int ports=-1;
u8 nxthdr=0;
u8 aux8=0;
u16 aux16=0;
u16 *p16=NULL;
u32 aux32=0;
u8 *next_iv=NULL;
if(h==NULL)
return OP_FAILURE;
h->setMessageType(TYPE_NEP_PACKET_SPEC);
h->setSequenceNumber( this->ctx.getNextClientSequence() );
h->setTimestamp();
h->setIPVersion( o.getIPVersion()==AF_INET6 ? 0x06: 0x04 );
h->setPacketCount( (o.getPacketCount()>0xFFFF) ? 0xFFFF : o.getPacketCount() );
/** Insert packet field specifiers */
if(o.ipv6()){ /* AF_INET6 */
/* Traffic class */
aux8=o.getTrafficClass();
h->addFieldSpec(PSPEC_IPv6_TCLASS, (u8*)&aux8);
/* Flow label */
aux32=htonl(o.getFlowLabel());
h->addFieldSpec(PSPEC_IPv6_FLOW, (u8*)&aux32);
}else{ /* AF_INET */
/* IP Identification */
aux16=htons(o.getIdentification());
h->addFieldSpec(PSPEC_IPv4_ID, (u8*)&aux16);
/* Type of Service */
aux8=o.getTOS();
h->addFieldSpec(PSPEC_IPv4_TOS, (u8*)&aux8);
/* Fragment Offset */
/** @todo Implement this. Nping does not currently offer --fragoff */
}
switch( o.getMode() ){
case TCP:
nxthdr=6;
h->setProtocol(PSPEC_PROTO_TCP);
/* Source TCP Port */
aux16=htons(o.getSourcePort());
h->addFieldSpec(PSPEC_TCP_SPORT, (u8*)&aux16);
/* Destination TCP Port */
if( (p16=o.getTargetPorts(&ports))!=NULL && ports==1 ){
aux16=htons(*p16);
h->addFieldSpec(PSPEC_TCP_DPORT, (u8*)&aux16);
}
/* Sequence number */
aux32=htonl(o.getTCPSequence());
h->addFieldSpec(PSPEC_TCP_SEQ, (u8*)&aux32);
/* Acknowledgment */
aux32=htonl(o.getTCPAck());
h->addFieldSpec(PSPEC_TCP_ACK, (u8*)&aux32);
/* Flags */
aux8=o.getTCPFlags();
h->addFieldSpec(PSPEC_TCP_FLAGS, (u8*)&aux8);
/* Window size */
aux16=htons(o.getTCPWindow());
h->addFieldSpec(PSPEC_TCP_WIN, (u8*)&aux16);
/* Urgent pointer */
/** @todo Implement this. Nping does not currently offer --urp */
break;
case UDP:
nxthdr=17;
h->setProtocol(PSPEC_PROTO_UDP);
/* Source UDP Port */
aux16=htons(o.getSourcePort());
h->addFieldSpec(PSPEC_UDP_SPORT, (u8*)&aux16);
/* Destination TCP Port */
if( (p16=o.getTargetPorts(&ports))!=NULL && ports==1 ){
aux16=htons(*p16);
h->addFieldSpec(PSPEC_UDP_DPORT, (u8*)&aux16);
}
/* Packet length */
aux16=htons(8+o.getPayloadLen());
h->addFieldSpec(PSPEC_UDP_LEN, (u8*)&aux16);
break;
case ICMP:
nxthdr=1;
h->setProtocol(PSPEC_PROTO_ICMP);
aux8=o.getICMPType();
h->addFieldSpec(PSPEC_ICMP_TYPE, (u8*)&aux8);
aux8=o.getICMPCode();
h->addFieldSpec(PSPEC_ICMP_CODE, (u8*)&aux8);
break;
case UDP_UNPRIV:
case TCP_CONNECT:
case ARP:
default:
outFatal(QT_3, "%s packets are not supported in Echo Mode", o.mode2Ascii(o.getMode()) );
break;
}
/* Next protocol number */
if(o.ipv4())
h->addFieldSpec(PSPEC_IPv4_PROTO, (u8*)&nxthdr);
else
h->addFieldSpec(PSPEC_IPv6_NHDR, (u8*)&nxthdr);
if( o.issetPayloadBuffer() && o.getPayloadLen()>0){
h->addFieldSpec(PSPEC_PAYLOAD_MAGIC, (u8*)o.getPayloadBuffer(), MIN(o.getPayloadLen(), NEP_PAYLOADMAGIC_MAX_BYTES));
}
/* Done inserting packet field specifiers, now finish the packet */
h->setTotalLength();
h->setMessageAuthenticationCode(this->ctx.getMacKeyC2S(), MAC_KEY_LEN);
/* Encrypt message */
if( (next_iv=h->encrypt(this->ctx.getCipherKeyC2S(), CIPHER_KEY_LEN, this->ctx.getNextEncryptionIV()))==NULL )
return OP_FAILURE;
this->ctx.setNextEncryptionIV(next_iv);
return OP_SUCCESS;
} /* End of generate_packet_spec() */
/** Handles reception of a full NEP message. (the common NEP header). Basically
* it stores received data in the internal buffer and passes the control to
* the nep_recv_echo() method, which is the one in charge of processing
* NEP_ECHO packets */
int EchoClient::nep_echoed_packet_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
EchoHeader pkt_in;
u8 *recvbuff=NULL;
int recvbytes=0;
u8 aux[128];
u8 *pkt_start=this->lasthdr;
enum nse_status status=nse_status(nse);
if (status!=NSE_STATUS_SUCCESS){
if(status!=NSE_STATUS_KILL){
outError(QT_2, "===========================================================================");
outError(QT_2, "ERROR: Server closed the connection. No more CAPT packets will be received.");
outError(QT_2, "===========================================================================");
}
return OP_FAILURE;
}
/* Read the remaining data */
if( (recvbuff=(u8 *)nse_readbuf(nse, &recvbytes))==NULL ){
outPrint(DBG_4,"nep_echoed_packet_handler(): nse_readbuf failed!\n");
return OP_FAILURE;
}else{
outPrint(DBG_4, "%s() Received %d bytes", __func__, recvbytes);
}
/* When we get here we'll have part of the packet stored in this->lasthdr and
* part of it (and possible more packets) stored in recvbuff. */
while(recvbytes>0){
/* Determine if we received the expected number of bytes or we received more
* than that. For that we need to decrypt the first 16 bytes so we can have
* a look at packet length */
Crypto::aes128_cbc_decrypt(pkt_start, 16, aux, this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV());
pkt_in.storeRecvData(aux, 16);
int plen=pkt_in.getTotalLength()*4;
outPrint(DBG_4, "%s() Packet claims to have a length of %d bytes", __func__, plen);
/* If the packet is bigger than the maximum NEP packet, discard it. */
if(plen>MAX_NEP_PACKET_LENGTH){
outError(DBG_1,"Warning. Received NEP packet (%dB) is bigger than %d bytes.", plen, MAX_NEP_PACKET_LENGTH);
return OP_FAILURE;
}
/* If we have read the whole packet, give it to nep_recv_echo for processing */
if (plen==((int)this->readbytes+recvbytes)){
memcpy(this->lasthdr+this->readbytes, recvbuff, recvbytes);
this->readbytes+=recvbytes;
outPrint(DBG_4,"%s(): Received exact length (%d).", __func__, recvbytes);
this->nep_recv_echo(this->lasthdr, this->readbytes);
nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN);
return OP_SUCCESS;
/* This one can't happen in the first iteration since we scheduled the
* event with the exact amount of bytes, but may happen after that if we
* received more data and one of the packets is incomplete */
}else if(recvbytes<plen){
memcpy(this->lasthdr, recvbuff, recvbytes);
this->readbytes=recvbytes;
outPrint(DBG_4,"%s(): Missing %d bytes. Scheduled read operation for remaining bytes", __func__, plen-recvbytes);
nsock_readbytes(nsp, nsi, echoed_packet_handler, NSOCK_INFINITE, NULL, plen-recvbytes);
return OP_SUCCESS;
}else{ /* Received more than one packet */
outPrint(DBG_4,"%s(): Received more than one packet", __func__);
memcpy(this->lasthdr+this->readbytes, recvbuff, plen-this->readbytes);
this->nep_recv_echo(this->lasthdr, plen);
recvbuff+=plen-this->readbytes;
recvbytes-=plen-this->readbytes;
this->readbytes=0;
pkt_start=recvbuff;
}
}
return OP_SUCCESS;
} /* End of nep_echoed_packet_handler() */
/** Handles reception of the first 16 bytes (the common NEP header). Basically
* it checks the Total Length field of the header to determine how many bytes
* are left to read to get the entire packet. If there are more bytes to be
* receives, a read event is scheduled. However, we may have read them all when
* this handler is called (due to nsock behaviour) so in that case we just pass
* control to nep_recv_echo(), which is the one in charge of processing
* NEP_ECHO packets */
int EchoClient::nep_recv_std_header_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
nsock_iod nsi = nse_iod(nse);
EchoHeader pkt_in;
u8 *recvbuff=NULL;
int recvbytes=0;
u8 aux[128];
enum nse_status status=nse_status(nse);
if (status!=NSE_STATUS_SUCCESS){
if(status!=NSE_STATUS_KILL){
outError(QT_2, "===========================================================================");
outError(QT_2, "ERROR: Server closed the connection. No more CAPT packets will be received.");
outError(QT_2, "===========================================================================");
}
return OP_FAILURE;
}
/* Read data */
if( (recvbuff=(u8 *)nse_readbuf(nse, &recvbytes))==NULL ){
outPrint(DBG_4,"%s(): nse_readbuf failed.", __func__);
return OP_FAILURE;
}else{
outPrint(DBG_4, "%s() Received %d bytes", __func__, recvbytes);
}
/* Here there are different possibilites. We may have received exactly one
* packet, we may have received more than one packet (as there is no way to
* make Nsock return an exact amount of bytes), or we may have received
* less than one packet. In the last case, we determine the number of bytes
* left and schedule another read event. */
while(recvbytes>0){
/* Decrypt the first 16 bytes so we can have a look at packet length */
Crypto::aes128_cbc_decrypt(recvbuff, 16, aux, this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV());
pkt_in.storeRecvData(aux, 16);
int plen=pkt_in.getTotalLength()*4;
/* If the packet is bigger than the maximum NEP packet, discard it. */
if(plen>MAX_NEP_PACKET_LENGTH){
outError(DBG_1,"Warning. Received NEP packet (%dB) is bigger than %d bytes.", plen, MAX_NEP_PACKET_LENGTH);
return OP_FAILURE;
}
/* If we have read the whole packet, give it to nep_recv_echo for processing */
if (plen==recvbytes){
outPrint(DBG_4,"%s(): Received exact length (%d).", __func__, recvbytes);
this->nep_recv_echo(recvbuff, recvbytes);
nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN);
return OP_SUCCESS;
}else if(recvbytes<plen){
memcpy(this->lasthdr, recvbuff, recvbytes);
this->readbytes=recvbytes;
outPrint(DBG_4,"%s(): Missing %d bytes. Scheduled read operation for remaining bytes", __func__, plen-recvbytes);
nsock_readbytes(nsp, nsi, echoed_packet_handler, NSOCK_INFINITE, NULL, plen-recvbytes);
return OP_SUCCESS;
}else{ /* Received more than one packet */
outPrint(DBG_4,"%s(): Received more than one packet", __func__);
this->nep_recv_echo(recvbuff, plen);
recvbuff+=plen;
recvbytes-=plen;
}
}
/* Schedule another read event for the next echo packet */
nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN);
return OP_SUCCESS;
} /* End of nep_recv_std_header_handler() */
/** Handles reception of NEP_HANDSHAKE_SERVER message. It handles the received
* data provided by nsock and passes it to the parse_hs_server() which is the
* one in charge of validating NEP_HANDSHAKE_SERVER packets and updating
* the internal context accordingly. Returns OP_SUCCESS on success and
* OP_FAILURE in case of error. */
int EchoClient::nep_recv_hs_server_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
u8 *inbuff=NULL;
int inlen=0;
/* Ask nsock to provide received data */
if( (inbuff=(u8 *)nse_readbuf(nse, &inlen))==NULL )
return OP_FAILURE;
/* Process the NEP_HANDSHAKE_SERVER message */
if ( this->parse_hs_server(inbuff, (size_t)inlen)!=OP_SUCCESS ){
return OP_FAILURE;
}
return OP_SUCCESS;
} /* End of nep_recv_hs_server_handler() */
/** Handles reception of NEP_HANDSHAKE_FINAL message. It handles the received
* data provided by nsock and passes it to the parse_hs_final() which is the
* one in charge of validating NEP_HANDSHAKE_FINAL packets and updating
* the internal context accordingly. Returns OP_SUCCESS on success and
* OP_FAILURE in case of error. */
int EchoClient::nep_recv_hs_final_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
u8 *inbuff=NULL;
int inlen=0;
/* Ask nsock to provide received data */
if( (inbuff=(u8 *)nse_readbuf(nse, &inlen))==NULL )
return OP_FAILURE;
/* Process the NEP_HANDSHAKE_SERVER message */
if ( this->parse_hs_final(inbuff, (size_t)inlen)!=OP_SUCCESS ){
return OP_FAILURE;
}
return OP_SUCCESS;
} /* End of nep_recv_hs_final_handler() */
/** Handles reception of NEP_READY message. It handles the received
* data provided by nsock and passes it to the parse_readyl() which is the
* one in charge of validating NEP_HANDSHAKE_FINAL packets and updating
* the internal context accordingly. Returns OP_SUCCESS on success and
* OP_FAILURE in case of error. */
int EchoClient::nep_recv_ready_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
u8 *inbuff=NULL;
int inlen=0;
/* Ask nsock to provide received data */
if( (inbuff=(u8 *)nse_readbuf(nse, &inlen))==NULL )
return OP_FAILURE;
/* Process the NEP_HANDSHAKE_SERVER message */
if ( this->parse_ready(inbuff, (size_t)inlen)!=OP_SUCCESS ){
return OP_FAILURE;
}
return OP_SUCCESS;
} /* End of nep_recv_ready_handler() */
/******************************************************************************/
/**** HANDLER WRAPPERS ********************************************************/
/******************************************************************************/
/** This handler is a wrapper for the EchoClient::nep_echoed_packet_handler()
* method. We need this because C++ does not allow to use class methods as
* callback functions for things like signal() or the Nsock lib. */
void echoed_packet_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
ec.nep_echoed_packet_handler(nsp, nse, arg);
return;
} /* End of echoed_packet_handler() */
/** This handler is a wrapper for the EchoClient::nep_recv_std_header_handler()
* method. We need this because C++ does not allow to use class methods as
* callback functions for things like signal() or the Nsock lib. */
void recv_std_header_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
ec.nep_recv_std_header_handler(nsp, nse, arg);
return;
} /* End of recv_std_header_handler() */
/** Simple wrapper for TCP connection establishment. In this case we don't need
* to do anything special, just detect it the connection was successful. If
* it was, we call nsock_loop_quit(), which indicates the success to
* the method that scheduled the event and called nsock_loop() */
void connect_done_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
enum nse_status status=nse_status(nse);
if (status!=NSE_STATUS_SUCCESS){
outPrint(DBG_4, "%s(): Failed to connect.", __func__);
}else{
nsock_loop_quit(nsp);
}
return;
} /* End of connect_done_handler() */
/** Really simple wrapper for write calls where we don't need to perform any
* special operations. It just checks if the write even was successful and
* in that case it calls nsock_loop_quit(), which indicates the success to
* the method that scheduled the event and called nsock_loop() */
void write_done_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
enum nse_status status=nse_status(nse);
if (status!=NSE_STATUS_SUCCESS){
outPrint(DBG_4, "%s(): Write operation failed.", __func__);
}else{
nsock_loop_quit(nsp);
}
return;
} /* End of connect_done_handler() */
/** This handler is a wrapper for the EchoClient::recv_hs_server_handler()
* method. We need this because C++ does not allow to use class methods as
* callback functions for things like signal() or the Nsock lib. */
void recv_hs_server_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
enum nse_status status=nse_status(nse);
if (status!=NSE_STATUS_SUCCESS){
outPrint(DBG_4, "%s(): Read operation failed.", __func__);
}else if(ec.nep_recv_hs_server_handler(nsp, nse, arg)==OP_SUCCESS){
nsock_loop_quit(nsp);
}
return;
} /* End of recv_hs_server_handler() */
/** This handler is a wrapper for the EchoClient::recv_hs_final_handler()
* method. We need this because C++ does not allow to use class methods as
* callback functions for things like signal() or the Nsock lib. */
void recv_hs_final_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
enum nse_status status=nse_status(nse);
if (status!=NSE_STATUS_SUCCESS){
outPrint(DBG_4, "%s(): Read operation failed.", __func__);
}else if(ec.nep_recv_hs_final_handler(nsp, nse, arg)==OP_SUCCESS){
nsock_loop_quit(nsp);
}
return;
} /* End of recv_hs_server_handler() */
/** This handler is a wrapper for the EchoClient::nep_recv_ready_handler()
* method. We need this because C++ does not allow to use class methods as
* callback functions for things like signal() or the Nsock lib. */
void recv_ready_handler(nsock_pool nsp, nsock_event nse, void *arg){
outPrint(DBG_4, "%s()", __func__);
enum nse_status status=nse_status(nse);
if (status!=NSE_STATUS_SUCCESS){
outPrint(DBG_4, "%s(): Read operation failed.", __func__);
}else if(ec.nep_recv_ready_handler(nsp, nse, arg)==OP_SUCCESS){
nsock_loop_quit(nsp);
}
return;
} /* End of recv_hs_server_handler() */