/*************************************************************************** * EchoClient.cc -- * * * ***********************IMPORTANT NMAP LICENSE TERMS************************ * * The Nmap Security Scanner is (C) 1996-2024 Nmap Software LLC ("The Nmap * Project"). Nmap is also a registered trademark of the Nmap Project. * * This program is distributed under the terms of the Nmap Public Source * License (NPSL). The exact license text applying to a particular Nmap * release or source code control revision is contained in the LICENSE * file distributed with that version of Nmap or source code control * revision. More Nmap copyright/legal information is available from * https://nmap.org/book/man-legal.html, and further information on the * NPSL license itself can be found at https://nmap.org/npsl/ . This * header summarizes some key points from the Nmap license, but is no * substitute for the actual license text. * * Nmap is generally free for end users to download and use themselves, * including commercial use. It is available from https://nmap.org. * * The Nmap license generally prohibits companies from using and * redistributing Nmap in commercial products, but we sell a special Nmap * OEM Edition with a more permissive license and special features for * this purpose. See https://nmap.org/oem/ * * If you have received a written Nmap license agreement or contract * stating terms other than these (such as an Nmap OEM license), you may * choose to use and redistribute Nmap under those terms instead. * * The official Nmap Windows builds include the Npcap software * (https://npcap.com) for packet capture and transmission. It is under * separate license terms which forbid redistribution without special * permission. So the official Nmap Windows builds may not be redistributed * without special permission (such as an Nmap OEM license). * * Source is provided to this software because we believe users have a * right to know exactly what a program is going to do before they run it. * This also allows you to audit the software for security holes. * * Source code also allows you to port Nmap to new platforms, fix bugs, and * add new features. You are highly encouraged to submit your changes as a * Github PR or by email to the dev@nmap.org mailing list for possible * incorporation into the main distribution. Unless you specify otherwise, it * is understood that you are offering us very broad rights to use your * submissions as described in the Nmap Public Source License Contributor * Agreement. This is important because we fund the project by selling licenses * with various terms, and also because the inability to relicense code has * caused devastating problems for other Free Software projects (such as KDE * and NASM). * * The free version of Nmap is distributed in the hope that it will be * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties, * indemnification and commercial support are all available through the * Npcap OEM program--see https://nmap.org/oem/ * ***************************************************************************/ #include "nping.h" #include "EchoClient.h" #include "EchoHeader.h" #include "output.h" #include "NEPContext.h" #include "NpingOps.h" #include "nsock.h" #include "Crypto.h" extern NpingOps o; extern EchoClient ec; EchoClient::EchoClient() { this->reset(); } /* End of EchoClient constructor */ EchoClient::~EchoClient() { this->reset(); } /* End of EchoClient destructor */ /** Sets every attribute to its default value- */ void EchoClient::reset() { memset(&this->srvaddr4, 0, sizeof(struct sockaddr_in)); memset(&this->srvaddr6, 0, sizeof(struct sockaddr_in6)); memset(this->lasthdr, 0, MAX_NEP_PACKET_LENGTH); this->readbytes=0; this->af=AF_INET; } /* End of reset() */ /** Closes current connection and destroys Nsock handlers */ int EchoClient::cleanup(){ this->probe.cleanup(); return OP_SUCCESS; } /* End of cleanup() */ /** This is the main method, the boss of it all. It sets up nsock, establishes * a TCP connection with the server, performs the NEP authentication handshake, * sends the appropriate packet specs and handles raw packet transmission and * NEP_ECHO reception and display. */ int EchoClient::start(NpingTarget *target, u16 port){ nping_print(DBG_4, "%s(%p, %u)", __func__, target, port); /* Init Nsock in the probe engine */ if( this->probe.init_nsock() != OP_SUCCESS ){ nping_warning(QT_2, "Couldn't initialize Nsock."); return OP_FAILURE; }else{ /* Extract the nsock pool handler and store it here */ this->nsp=this->probe.getNsockPool(); this->nsi=nsock_iod_new(this->nsp, NULL); } /* Schedule a TCP connection attempt */ if( this->nep_connect(target, port) != OP_SUCCESS ){ nping_warning(QT_2, "Connection failed."); return OP_FAILURE; } /* Perform NEP authentication handshake */ if( this->nep_handshake() != OP_SUCCESS ){ nping_warning(QT_2, "Handshake failed."); return OP_FAILURE; } /* Send packet specification */ if( this->nep_send_packet_spec() != OP_SUCCESS ){ nping_warning(QT_2, "Couldn't send packet specification."); return OP_FAILURE; } /* Wait for confirmation */ if( this->nep_recv_ready() != OP_SUCCESS ){ nping_warning(QT_2, "Didn't receive server's OK."); return OP_FAILURE; } /* Schedule read of the first 16 bytes to determine the full packet length */ nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN); /* Start the probe mode engine */ probe.start(); return OP_SUCCESS; } /* End of start() */ /** Attempts to establish a TCP connection to "target:port". On success it * returns OP_SUCCESS. OP_FAILURE is returned when it was impossible to * connect to the remote host (this can be because the server rejected the * connection or because the connect() timed out). */ int EchoClient::nep_connect(NpingTarget *target, u16 port){ nping_print(DBG_4, "%s(%p, %u)", __func__, target, port); struct sockaddr_storage ss; struct sockaddr_storage src; size_t ss_len; struct sockaddr_in *s4=(struct sockaddr_in *)&ss; struct sockaddr_in6 *s6=(struct sockaddr_in6 *)&ss; enum nsock_loopstatus loopstatus; if(target==NULL) nping_fatal(QT_3, "nep_connect(): NULL parameter supplied."); else target->getTargetSockAddr(&ss, &ss_len); /* AF_INET6 */ if( s6->sin6_family==AF_INET6 ){ this->af=AF_INET6; this->srvaddr6.sin6_family = AF_INET6; this->srvaddr6.sin6_port = htons(port); this->srvaddr6.sin6_addr = s6->sin6_addr; this->srvaddr6.sin6_flowinfo = 0; #ifdef HAVE_SOCKADDR_IN6_SIN6_LEN this->srvaddr6.sin6_len = sizeof(struct sockaddr_in6); #endif /* Try to bind the IOD to the IP address supplied by the user */ nsock_iod_set_localaddr(this->nsi, o.getSourceSockAddr(&src), sizeof(sockaddr_in6)); /* Schedule a connect event */ nsock_connect_tcp(this->nsp, this->nsi, connect_done_handler, ECHO_CONNECT_TIMEOUT, NULL, (struct sockaddr *) &this->srvaddr6, sizeof(this->srvaddr6), port); /* AF_INET */ }else{ this->af=AF_INET; this->srvaddr4.sin_family = AF_INET; this->srvaddr4.sin_port = htons(port); this->srvaddr4.sin_addr = s4->sin_addr; #ifdef HAVE_SOCKADDR_IN_SIN_LEN this->srvaddr4.sin_len = sizeof(struct sockaddr_in); #endif /* Try to bind the IOD to the IP address supplied by the user */ nsock_iod_set_localaddr(this->nsi, o.getSourceSockAddr(&src), sizeof(sockaddr_in)); /* Schedule a connect event */ nsock_connect_tcp(this->nsp, this->nsi, connect_done_handler, ECHO_CONNECT_TIMEOUT, NULL, (struct sockaddr *) &this->srvaddr4, sizeof(this->srvaddr4), port); } /* Try to connect or timeout */ loopstatus=nsock_loop(this->nsp, ECHO_CONNECT_TIMEOUT-1); /* If nsock tells us that the handler asked to quit the loop, then the connect was successful */ return (loopstatus==NSOCK_LOOP_QUIT) ? OP_SUCCESS : OP_FAILURE; } /* End of nep_connect() */ /** Attempts to perform the NEP authentication handshake with the server. * Returns OP_SUCCESS if the authentication went well and OP_FAILURE otherwise */ int EchoClient::nep_handshake(){ nping_print(DBG_4, "%s()", __func__); enum nsock_loopstatus loopstatus; EchoHeader h; /* Receive NEP_HANDSHAKE_SERVER message */ nsock_readbytes(this->nsp, this->nsi, recv_hs_server_handler, ECHO_READ_TIMEOUT, NULL, NEP_HANDSHAKE_SERVER_LEN); loopstatus=nsock_loop(this->nsp, ECHO_READ_TIMEOUT-1); if(loopstatus!=NSOCK_LOOP_QUIT) return OP_FAILURE; /* Generate client nonces and the session cryptographic keys*/ this->ctx.generateInitialClientSequence(); this->ctx.generateClientNonce(); this->ctx.generateCipherKeyC2S(); this->ctx.generateCipherKeyS2C(); this->ctx.generateMacKeyC2S(); this->ctx.generateMacKeyS2C(); nping_print(DBG_4,"Session Key MAC_C2S:"); print_hexdump(DBG_4,ctx.getMacKeyC2S(), MAC_KEY_LEN); nping_print(DBG_4,"Session Key MAC_S2C:"); print_hexdump(DBG_4,ctx.getMacKeyS2C(), MAC_KEY_LEN); nping_print(DBG_4,"Session Key CIPHER_C2S:"); print_hexdump(DBG_4,ctx.getCipherKeyC2S(), MAC_KEY_LEN); nping_print(DBG_4,"Session Key CIPHER_S2C:"); print_hexdump(DBG_4,ctx.getCipherKeyS2C(), MAC_KEY_LEN); /* Send NEP_HANDSHAKE_CLIENT message */ if( this->generate_hs_client(&h)!=OP_SUCCESS ) return OP_FAILURE; nsock_write(this->nsp, this->nsi, write_done_handler, ECHO_WRITE_TIMEOUT, NULL, (char *)h.getBinaryBuffer(), h.getLen()); loopstatus=nsock_loop(this->nsp, ECHO_WRITE_TIMEOUT-1); if(loopstatus!=NSOCK_LOOP_QUIT) return OP_FAILURE; /* Receive NEP_HANDSHAKE_FINAL message */ nsock_readbytes(this->nsp, this->nsi, recv_hs_final_handler, ECHO_READ_TIMEOUT, NULL, NEP_HANDSHAKE_FINAL_LEN); loopstatus=nsock_loop(this->nsp, ECHO_READ_TIMEOUT-1); if(loopstatus!=NSOCK_LOOP_QUIT) return OP_FAILURE; nping_print(DBG_1, "===NEP Handshake completed successfully==="); return OP_SUCCESS; } /* End of nep_handshake() */ /** Sends the appropriate NEP_PACKET_SPEC message to the server. Returns * OP_SUCCESS on success and OP_FAILURE in case of error. */ int EchoClient::nep_send_packet_spec(){ nping_print(DBG_4, "%s()", __func__); enum nsock_loopstatus loopstatus; EchoHeader h; if (this->generate_packet_spec(&h)!=OP_SUCCESS) return OP_FAILURE; /* Send NEP_PACKET_SPEC message */ nsock_write(this->nsp, this->nsi, write_done_handler, ECHO_WRITE_TIMEOUT, NULL, (const char*)h.getBinaryBuffer(), h.getLen()); loopstatus=nsock_loop(this->nsp, ECHO_WRITE_TIMEOUT-1); if(loopstatus!=NSOCK_LOOP_QUIT) return OP_FAILURE; else return OP_SUCCESS; } /* End of nep_send_packetspec() */ /** Receives and parses a NEP_READY message from the server. Returns OP_SUCCESS * on success and OP_FAILURE in case of error. */ int EchoClient::nep_recv_ready(){ nping_print(DBG_4, "%s()", __func__); enum nsock_loopstatus loopstatus; /* Receive NEP_READY message */ nsock_readbytes(this->nsp, this->nsi, recv_ready_handler, ECHO_READ_TIMEOUT, NULL, NEP_READY_LEN); loopstatus=nsock_loop(this->nsp, ECHO_READ_TIMEOUT-1); if(loopstatus!=NSOCK_LOOP_QUIT) return OP_FAILURE; else return OP_SUCCESS; } /* End of nep_recv_ready(){ */ /** Reads and parses a NEP_ECHO message from the server. Returns OP_SUCCESS * on success and OP_FAILURE in case of error. */ int EchoClient::nep_recv_echo(u8 *packet, size_t packetlen){ nping_print(DBG_4, "%s(%p, %lu)", __func__, packet, (unsigned long)packetlen); EchoHeader pkt_in; char *delayedstr=NULL; nsock_event_id ev_id; u8 *pkt=NULL; u16 pktlen=0; u8 pktinfobuffer[512+1]; struct timeval *t = (struct timeval *)nsock_gettimeofday(); memset(pktinfobuffer, 0, sizeof(pktinfobuffer)); /* Verify the received packet (this covers authentication etc) */ if(this->parse_echo(packet, packetlen)!=OP_SUCCESS){ return OP_FAILURE; } /* Once we have authenticated the received message, extract the echoed packet */ if(pkt_in.storeRecvData(packet, packetlen)==OP_FAILURE){ nping_print(VB_0, "Unexpected error dealing with the NEP_ECHO message,"); return OP_FAILURE; } if((pkt=pkt_in.getEchoedPacket(&pktlen))==NULL){ nping_print(VB_0, "Error displaying received NEP_ECHO message)"); return OP_FAILURE; } o.stats.addEchoedPacket(pktlen); /* Guess the time the packet was captured. We do this computing the RTT * between the last sent packet and the received echo packet. We assume * the packet was captured RTT/2 seconds ago. */ struct timeval tmp=o.getLastPacketSentTime(); float sent_time = o.stats.elapsedRuntime(&tmp); float now_time = o.stats.elapsedRuntime(t); float rtt = now_time - sent_time; float final_time = sent_time + rtt/2; /* @todo: compute the link layer offset from the DLT type and discard * link layer headers */ getPacketStrInfo("IP", pkt, pktlen, pktinfobuffer, 512); nping_print(VB_0,"CAPT (%.4fs) %s", final_time, pktinfobuffer ); if( o.getVerbosity() >= VB_3) luis_hdump((char*)pkt, pktlen); /* Check if there is a delayed RCVD string that is waiting to be printed */ if( (delayedstr=o.getDelayedRcvd(&ev_id))!=NULL ){ printf("%s", delayedstr); free(delayedstr); nsock_event_cancel(this->nsp, ev_id, 0); } return OP_SUCCESS; } /* End of nep_recv_echo() */ /** Processes and validates a received NEP_HANDSHAKE_SERVER message. On success * it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet * is not valid. */ int EchoClient::parse_hs_server(u8 *pkt, size_t pktlen){ nping_print(DBG_4, "%s()", __func__); EchoHeader h; if(pkt==NULL){ nping_print(DBG_1,"%s(): NULL parameter supplied.", __func__ ); return OP_FAILURE; } if(pktlen!=NEP_HANDSHAKE_SERVER_LEN){ nping_print(DBG_1,"%s(): Unexpected length supplied.", __func__ ); return OP_FAILURE; } h.storeRecvData(pkt, pktlen); /* Validate version number */ if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){ nping_print(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() ); return OP_FAILURE; } /* Ensure the expected message type was received */ if(h.getMessageType()!=TYPE_NEP_HANDSHAKE_SERVER){ nping_print(DBG_1, "Expected NEP_HANDSHAKE_SERVER but received %02X", h.getMessageType() ); return OP_FAILURE; } /* Ensure the received timestamp falls into the allowed time window */ //if( h.verifyTimestamp()!=OP_SUCCESS ){ // nping_print(DBG_1, "NEP_HANDSHAKE_SERVER timestamp is too old", h.getMessageType() ); // return OP_FAILURE; //} /* Ensure message length is correct */ if( h.getTotalLength()!=(NEP_HANDSHAKE_SERVER_LEN/4)){ nping_print(DBG_1, "Received NEP_HANDSHAKE_SERVER specifies an incorrect length (%u)", h.getTotalLength()*4 ); return OP_FAILURE; } /* Check the authenticity of the received message */ this->ctx.setServerNonce(h.getServerNonce()); this->ctx.generateMacKeyS2CInitial(); if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){ nping_print(DBG_1, "NEP_HANDSHAKE_SERVER authentication failed" ); return OP_FAILURE; } this->ctx.setLastServerSequence( h.getSequenceNumber() ); return OP_SUCCESS; } /* End of parse_hs_server() */ /** Processes and validates a received NEP_HANDSHAKE_FINAL message. On success * it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet * is not valid. */ int EchoClient::parse_hs_final(u8 *pkt, size_t pktlen){ nping_print(DBG_4, "%s()", __func__); EchoHeader h; u8 *next_iv=NULL; if(pkt==NULL){ nping_print(DBG_1,"%s(): NULL parameter supplied.", __func__ ); return OP_FAILURE; } if(pktlen!=NEP_HANDSHAKE_FINAL_LEN){ nping_print(DBG_1,"%s(): Unexpected length supplied.", __func__ ); return OP_FAILURE; } h.storeRecvData(pkt, pktlen); /* Validate version number */ if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){ nping_print(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() ); return OP_FAILURE; } /* Ensure the expected message type was received */ if(h.getMessageType()!=TYPE_NEP_HANDSHAKE_FINAL){ nping_print(DBG_1, "Expected NEP_HANDSHAKE_FINAL but received %02X", h.getMessageType() ); return OP_FAILURE; } /* Ensure the received sequence number is the previous+1 */ if( h.getSequenceNumber()!=(this->ctx.getLastServerSequence()+1)){ nping_print(DBG_1, "Expected sequence number %d but received %d", this->ctx.getLastServerSequence()+1, h.getSequenceNumber() ); return OP_FAILURE; }else{ /* Increment next expected sequence number*/ this->ctx.getNextServerSequence(); } /* Ensure the received timestamp falls into the allowed time window */ //if( h.verifyTimestamp()!=OP_SUCCESS ){ // nping_print(DBG_1, "NEP_HANDSHAKE_FINAL timestamp is too old", h.getMessageType() ); // return OP_FAILURE; //} /* Ensure message length is correct */ if( h.getTotalLength()!=(NEP_HANDSHAKE_FINAL_LEN/4)){ nping_print(DBG_1, "Received NEP_HANDSHAKE_FINAL specifies an incorrect length (%u)", h.getTotalLength()*4 ); return OP_FAILURE; } /* Ensure the server echoed the nonce we sent in our NEP_HANDSHAKE_CLIENT */ if( memcmp(h.getClientNonce(), this->ctx.getClientNonce(), NONCE_LEN)!=0 ){ nping_print(DBG_1, "Echoed nonce in NEP_HANDSHAKE_FINAL message does not match client generate nonce"); return OP_FAILURE; } /* Decrypt the encrypted part of the message before validating the MAC */ if((next_iv=h.decrypt(this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getServerNonce(), TYPE_NEP_HANDSHAKE_FINAL))==NULL){ nping_print(DBG_1, "Failed to decrypt NEP_HANDSHAKE_FINAL data." ); return OP_FAILURE; } this->ctx.setNextDecryptionIV(next_iv); /* Check the authenticity of the received message */ if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){ nping_print(DBG_1, "NEP_HANDSHAKE_FINAL authentication failed" ); return OP_FAILURE; } return OP_SUCCESS; } /* End of parse_hs_final() */ /** Processes and validates a received NEP_READY message. On success * it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet * is not valid. */ int EchoClient::parse_ready(u8 *pkt, size_t pktlen){ nping_print(DBG_4, "%s()", __func__); EchoHeader h; u8 *next_iv=NULL; if(pkt==NULL){ nping_print(DBG_1,"%s(): NULL parameter supplied.", __func__ ); return OP_FAILURE; } if(pktlen!=NEP_READY_LEN){ nping_print(DBG_1,"%s(): Unexpected length supplied.", __func__ ); return OP_FAILURE; } h.storeRecvData(pkt, pktlen); /* Decrypt message */ if((next_iv=h.decrypt(this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV(), TYPE_NEP_READY))==NULL){ nping_print(DBG_1, "Failed to decrypt NEP_READY data." ); return OP_FAILURE; } this->ctx.setNextDecryptionIV(next_iv); /* Validate version number */ if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){ nping_print(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() ); return OP_FAILURE; } /* Ensure the expected message type was received */ if(h.getMessageType()!=TYPE_NEP_READY){ nping_print(DBG_1, "Expected NEP_READY but received %02X", h.getMessageType() ); return OP_FAILURE; } /* Ensure the received sequence number is the previous+1 */ if( h.getSequenceNumber()!=(this->ctx.getLastServerSequence()+1)){ nping_print(DBG_1, "Expected sequence number %d but received %d", this->ctx.getLastServerSequence()+1, h.getSequenceNumber() ); return OP_FAILURE; }else{ /* Increment next expected sequence number*/ this->ctx.getNextServerSequence(); } /* Ensure the received timestamp falls into the allowed time window */ //if( h.verifyTimestamp()!=OP_SUCCESS ){ // nping_print(DBG_1, "NEP_READY timestamp is too old", h.getMessageType() ); // return OP_FAILURE; //} /* Ensure message length is correct */ if( h.getTotalLength()!=(NEP_READY_LEN/4)){ nping_print(DBG_1, "Received NEP_READY specifies an incorrect length (%u)", h.getTotalLength()*4 ); return OP_FAILURE; } /* Check the authenticity of the received message */ if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){ nping_print(DBG_1, "NEP_READY authentication failed" ); return OP_FAILURE; } return OP_SUCCESS; } /* End of parse_hs_final() */ /** Processes and validates a received NEP_ECHO message. On success * it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet * is not valid. */ int EchoClient::parse_echo(u8 *pkt, size_t pktlen){ nping_print(DBG_4, "%s()", __func__); EchoHeader h; u8 *next_iv=NULL; if(pkt==NULL){ nping_print(DBG_1,"%s(): NULL parameter supplied.", __func__ ); return OP_FAILURE; } if(pktlenctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV(), TYPE_NEP_ECHO))==NULL){ nping_print(DBG_1, "Failed to decrypt NEP_ECHO data." ); return OP_FAILURE; } this->ctx.setNextDecryptionIV(next_iv); /* Validate version number */ if( h.getVersion() != ECHO_CURRENT_PROTO_VER ){ nping_print(DBG_1, "Expected NEP version %02x but message used %02x", ECHO_CURRENT_PROTO_VER, h.getVersion() ); return OP_FAILURE; } /* Ensure the expected message type was received */ if(h.getMessageType()!=TYPE_NEP_ECHO){ nping_print(DBG_1, "Expected NEP_ECHO but received %02X", h.getMessageType() ); return OP_FAILURE; } /* Ensure the received sequence number is the previous+1 */ if( h.getSequenceNumber()!=(this->ctx.getLastServerSequence()+1)){ nping_print(DBG_1, "Expected sequence number %d but received %d", this->ctx.getLastServerSequence()+1, h.getSequenceNumber() ); return OP_FAILURE; }else{ /* Increment next expected sequence number*/ this->ctx.getNextServerSequence(); } /* Ensure the received timestamp falls into the allowed time window */ //if( h.verifyTimestamp()!=OP_SUCCESS ){ // nping_print(DBG_1, "NEP_ECHO timestamp is too old", h.getMessageType() ); // return OP_FAILURE; //} // /* Ensure message length is correct */ // if( h.getTotalLength()!=(pktlen/4)){ // nping_print(DBG_1, "Received NEP_ECHO specifies an incorrect length (%u)", h.getTotalLength()*4 ); // return OP_FAILURE; // } /* Fix the object's internal state, since the ECHO message was not created * by the object but from received data. */ h.updateEchoInternals(); /* Check the authenticity of the received message */ if( h.verifyMessageAuthenticationCode(this->ctx.getMacKeyS2C(), MAC_KEY_LEN )!=OP_SUCCESS ){ nping_print(DBG_1, "NEP_ECHO authentication failed" ); return OP_FAILURE; }else{ nping_print(DBG_1, "Received NEP_ECHO was authenticated successfully"); } /* Overwrite the received buffer with the decrypted data */ h.dumpToBinaryBuffer(pkt, pktlen); return OP_SUCCESS; } /* End of parse_hs_final() */ /** Processes and validates a received NEP_ERROR message. On success * it returns OP_SUCCESS. OP_FAILURE is returned in case the received packet * is not valid. */ int EchoClient::parse_error(u8 *pkt, size_t pktlen){ nping_print(DBG_4, "%s()", __func__); return OP_SUCCESS; } /* End of parse_hs_final() */ /** Generates a NEP_HANDSHAKE_CLIENT message. On success it returns OP_SUCCESS. * OP_FAILURE is returned in case of error. */ int EchoClient::generate_hs_client(EchoHeader *h){ nping_print(DBG_4, "%s()", __func__); u8 *next_iv=NULL; if(h==NULL) return OP_FAILURE; /* Craft NEP_HANDSHAKE_CLIENT message */ h->setMessageType(TYPE_NEP_HANDSHAKE_CLIENT); h->setSequenceNumber( this->ctx.getLastClientSequence() ); h->setTimestamp(); h->setServerNonce( this->ctx.getServerNonce() ); h->setClientNonce( this->ctx.getClientNonce() ); if(this->af==AF_INET6){ h->setPartnerAddress(this->srvaddr6.sin6_addr); }else{ h->setPartnerAddress(this->srvaddr4.sin_addr); } h->setTotalLength(); h->setMessageAuthenticationCode( this->ctx.getMacKeyC2S(), MAC_KEY_LEN); if( (next_iv=h->encrypt(this->ctx.getCipherKeyC2S(), CIPHER_KEY_LEN, this->ctx.getClientNonce()))==NULL ) return OP_FAILURE; this->ctx.setNextEncryptionIV(next_iv); return OP_SUCCESS; } /* End of generate_hs_client() */ /** Generates a NEP_PACKET_SPEC message. On success it returns OP_SUCCESS. * OP_FAILURE is returned in case of error. */ int EchoClient::generate_packet_spec(EchoHeader *h){ nping_print(DBG_4, "%s()", __func__); int ports=-1; u8 nxthdr=0; u8 aux8=0; u16 aux16=0; u16 *p16=NULL; u32 aux32=0; u8 *next_iv=NULL; if(h==NULL) return OP_FAILURE; h->setMessageType(TYPE_NEP_PACKET_SPEC); h->setSequenceNumber( this->ctx.getNextClientSequence() ); h->setTimestamp(); h->setIPVersion( o.getIPVersion()==AF_INET6 ? 0x06: 0x04 ); h->setPacketCount( (o.getPacketCount()>0xFFFF) ? 0xFFFF : o.getPacketCount() ); /** Insert packet field specifiers */ if(o.ipv6()){ /* AF_INET6 */ /* Traffic class */ aux8=o.getTrafficClass(); h->addFieldSpec(PSPEC_IPv6_TCLASS, (u8*)&aux8); /* Flow label */ aux32=htonl(o.getFlowLabel()); h->addFieldSpec(PSPEC_IPv6_FLOW, (u8*)&aux32); }else{ /* AF_INET */ /* IP Identification */ aux16=htons(o.getIdentification()); h->addFieldSpec(PSPEC_IPv4_ID, (u8*)&aux16); /* Type of Service */ aux8=o.getTOS(); h->addFieldSpec(PSPEC_IPv4_TOS, (u8*)&aux8); /* Fragment Offset */ /** @todo Implement this. Nping does not currently offer --fragoff */ } switch( o.getMode() ){ case TCP: nxthdr=6; h->setProtocol(PSPEC_PROTO_TCP); /* Source TCP Port */ aux16=htons(o.getSourcePort()); h->addFieldSpec(PSPEC_TCP_SPORT, (u8*)&aux16); /* Destination TCP Port */ if( (p16=o.getTargetPorts(&ports))!=NULL && ports==1 ){ aux16=htons(*p16); h->addFieldSpec(PSPEC_TCP_DPORT, (u8*)&aux16); } /* Sequence number */ aux32=htonl(o.getTCPSequence()); h->addFieldSpec(PSPEC_TCP_SEQ, (u8*)&aux32); /* Acknowledgment */ aux32=htonl(o.getTCPAck()); h->addFieldSpec(PSPEC_TCP_ACK, (u8*)&aux32); /* Flags */ aux8=o.getTCPFlags(); h->addFieldSpec(PSPEC_TCP_FLAGS, (u8*)&aux8); /* Window size */ aux16=htons(o.getTCPWindow()); h->addFieldSpec(PSPEC_TCP_WIN, (u8*)&aux16); /* Urgent pointer */ /** @todo Implement this. Nping does not currently offer --urp */ break; case UDP: nxthdr=17; h->setProtocol(PSPEC_PROTO_UDP); /* Source UDP Port */ aux16=htons(o.getSourcePort()); h->addFieldSpec(PSPEC_UDP_SPORT, (u8*)&aux16); /* Destination TCP Port */ if( (p16=o.getTargetPorts(&ports))!=NULL && ports==1 ){ aux16=htons(*p16); h->addFieldSpec(PSPEC_UDP_DPORT, (u8*)&aux16); } /* Packet length */ aux16=htons(8+o.getPayloadLen()); h->addFieldSpec(PSPEC_UDP_LEN, (u8*)&aux16); break; case ICMP: nxthdr=1; h->setProtocol(PSPEC_PROTO_ICMP); aux8=o.getICMPType(); h->addFieldSpec(PSPEC_ICMP_TYPE, (u8*)&aux8); aux8=o.getICMPCode(); h->addFieldSpec(PSPEC_ICMP_CODE, (u8*)&aux8); break; case UDP_UNPRIV: case TCP_CONNECT: case ARP: default: nping_fatal(QT_3, "%s packets are not supported in Echo Mode", o.mode2Ascii(o.getMode()) ); break; } /* Next protocol number */ if(o.ipv4()) h->addFieldSpec(PSPEC_IPv4_PROTO, (u8*)&nxthdr); else h->addFieldSpec(PSPEC_IPv6_NHDR, (u8*)&nxthdr); if( o.issetPayloadBuffer() && o.getPayloadLen()>0){ h->addFieldSpec(PSPEC_PAYLOAD_MAGIC, (u8*)o.getPayloadBuffer(), MIN(o.getPayloadLen(), NEP_PAYLOADMAGIC_MAX_BYTES)); } /* Done inserting packet field specifiers, now finish the packet */ h->setTotalLength(); h->setMessageAuthenticationCode(this->ctx.getMacKeyC2S(), MAC_KEY_LEN); /* Encrypt message */ if( (next_iv=h->encrypt(this->ctx.getCipherKeyC2S(), CIPHER_KEY_LEN, this->ctx.getNextEncryptionIV()))==NULL ) return OP_FAILURE; this->ctx.setNextEncryptionIV(next_iv); return OP_SUCCESS; } /* End of generate_packet_spec() */ /** Handles reception of a full NEP message. (the common NEP header). Basically * it stores received data in the internal buffer and passes the control to * the nep_recv_echo() method, which is the one in charge of processing * NEP_ECHO packets */ int EchoClient::nep_echoed_packet_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); EchoHeader pkt_in; u8 *recvbuff=NULL; int recvbytes=0; u8 aux[128]; u8 *pkt_start=this->lasthdr; enum nse_status status=nse_status(nse); if (status!=NSE_STATUS_SUCCESS){ if(status!=NSE_STATUS_KILL){ nping_warning(QT_2, "==========================================================================="); nping_warning(QT_2, "ERROR: Server closed the connection. No more CAPT packets will be received."); nping_warning(QT_2, "==========================================================================="); } return OP_FAILURE; } /* Read the remaining data */ if( (recvbuff=(u8 *)nse_readbuf(nse, &recvbytes))==NULL ){ nping_print(DBG_4,"nep_echoed_packet_handler(): nse_readbuf failed!\n"); return OP_FAILURE; }else{ nping_print(DBG_4, "%s() Received %d bytes", __func__, recvbytes); } /* When we get here we'll have part of the packet stored in this->lasthdr and * part of it (and possible more packets) stored in recvbuff. */ while(recvbytes>0){ /* Determine if we received the expected number of bytes or we received more * than that. For that we need to decrypt the first 16 bytes so we can have * a look at packet length */ Crypto::aes128_cbc_decrypt(pkt_start, 16, aux, this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV()); pkt_in.storeRecvData(aux, 16); int plen=pkt_in.getTotalLength()*4; nping_print(DBG_4, "%s() Packet claims to have a length of %d bytes", __func__, plen); /* If the packet is bigger than the maximum NEP packet, discard it. */ if(plen>MAX_NEP_PACKET_LENGTH){ nping_warning(DBG_1,"Warning. Received NEP packet (%dB) is bigger than %d bytes.", plen, MAX_NEP_PACKET_LENGTH); return OP_FAILURE; } /* If we have read the whole packet, give it to nep_recv_echo for processing */ if (plen==((int)this->readbytes+recvbytes)){ memcpy(this->lasthdr+this->readbytes, recvbuff, recvbytes); this->readbytes+=recvbytes; nping_print(DBG_4,"%s(): Received exact length (%d).", __func__, recvbytes); this->nep_recv_echo(this->lasthdr, this->readbytes); nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN); return OP_SUCCESS; /* This one can't happen in the first iteration since we scheduled the * event with the exact amount of bytes, but may happen after that if we * received more data and one of the packets is incomplete */ }else if(recvbyteslasthdr, recvbuff, recvbytes); this->readbytes=recvbytes; nping_print(DBG_4,"%s(): Missing %d bytes. Scheduled read operation for remaining bytes", __func__, plen-recvbytes); nsock_readbytes(nsp, nsi, echoed_packet_handler, NSOCK_INFINITE, NULL, plen-recvbytes); return OP_SUCCESS; }else{ /* Received more than one packet */ nping_print(DBG_4,"%s(): Received more than one packet", __func__); memcpy(this->lasthdr+this->readbytes, recvbuff, plen-this->readbytes); this->nep_recv_echo(this->lasthdr, plen); recvbuff+=plen-this->readbytes; recvbytes-=plen-this->readbytes; this->readbytes=0; pkt_start=recvbuff; } } return OP_SUCCESS; } /* End of nep_echoed_packet_handler() */ /** Handles reception of the first 16 bytes (the common NEP header). Basically * it checks the Total Length field of the header to determine how many bytes * are left to read to get the entire packet. If there are more bytes to be * receives, a read event is scheduled. However, we may have read them all when * this handler is called (due to nsock behaviour) so in that case we just pass * control to nep_recv_echo(), which is the one in charge of processing * NEP_ECHO packets */ int EchoClient::nep_recv_std_header_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); nsock_iod nsi = nse_iod(nse); EchoHeader pkt_in; u8 *recvbuff=NULL; int recvbytes=0; u8 aux[128]; enum nse_status status=nse_status(nse); if (status!=NSE_STATUS_SUCCESS){ if(status!=NSE_STATUS_KILL){ nping_warning(QT_2, "==========================================================================="); nping_warning(QT_2, "ERROR: Server closed the connection. No more CAPT packets will be received."); nping_warning(QT_2, "==========================================================================="); } return OP_FAILURE; } /* Read data */ if( (recvbuff=(u8 *)nse_readbuf(nse, &recvbytes))==NULL ){ nping_print(DBG_4,"%s(): nse_readbuf failed.", __func__); return OP_FAILURE; }else{ nping_print(DBG_4, "%s() Received %d bytes", __func__, recvbytes); } /* Here there are different possibilities. We may have received exactly one * packet, we may have received more than one packet (as there is no way to * make Nsock return an exact amount of bytes), or we may have received * less than one packet. In the last case, we determine the number of bytes * left and schedule another read event. */ while(recvbytes>0){ /* Decrypt the first 16 bytes so we can have a look at packet length */ Crypto::aes128_cbc_decrypt(recvbuff, 16, aux, this->ctx.getCipherKeyS2C(), CIPHER_KEY_LEN, this->ctx.getNextDecryptionIV()); pkt_in.storeRecvData(aux, 16); int plen=pkt_in.getTotalLength()*4; /* If the packet is bigger than the maximum NEP packet, discard it. */ if(plen>MAX_NEP_PACKET_LENGTH){ nping_warning(DBG_1,"Warning. Received NEP packet (%dB) is bigger than %d bytes.", plen, MAX_NEP_PACKET_LENGTH); return OP_FAILURE; } /* If we have read the whole packet, give it to nep_recv_echo for processing */ if (plen==recvbytes){ nping_print(DBG_4,"%s(): Received exact length (%d).", __func__, recvbytes); this->nep_recv_echo(recvbuff, recvbytes); nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN); return OP_SUCCESS; }else if(recvbyteslasthdr, recvbuff, recvbytes); this->readbytes=recvbytes; nping_print(DBG_4,"%s(): Missing %d bytes. Scheduled read operation for remaining bytes", __func__, plen-recvbytes); nsock_readbytes(nsp, nsi, echoed_packet_handler, NSOCK_INFINITE, NULL, plen-recvbytes); return OP_SUCCESS; }else{ /* Received more than one packet */ nping_print(DBG_4,"%s(): Received more than one packet", __func__); this->nep_recv_echo(recvbuff, plen); recvbuff+=plen; recvbytes-=plen; } } /* Schedule another read event for the next echo packet */ nsock_readbytes(this->nsp, this->nsi, recv_std_header_handler, NSOCK_INFINITE, NULL, STD_NEP_HEADER_LEN); return OP_SUCCESS; } /* End of nep_recv_std_header_handler() */ /** Handles reception of NEP_HANDSHAKE_SERVER message. It handles the received * data provided by nsock and passes it to the parse_hs_server() which is the * one in charge of validating NEP_HANDSHAKE_SERVER packets and updating * the internal context accordingly. Returns OP_SUCCESS on success and * OP_FAILURE in case of error. */ int EchoClient::nep_recv_hs_server_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); u8 *inbuff=NULL; int inlen=0; /* Ask nsock to provide received data */ if( (inbuff=(u8 *)nse_readbuf(nse, &inlen))==NULL ) return OP_FAILURE; /* Process the NEP_HANDSHAKE_SERVER message */ if ( this->parse_hs_server(inbuff, (size_t)inlen)!=OP_SUCCESS ){ return OP_FAILURE; } return OP_SUCCESS; } /* End of nep_recv_hs_server_handler() */ /** Handles reception of NEP_HANDSHAKE_FINAL message. It handles the received * data provided by nsock and passes it to the parse_hs_final() which is the * one in charge of validating NEP_HANDSHAKE_FINAL packets and updating * the internal context accordingly. Returns OP_SUCCESS on success and * OP_FAILURE in case of error. */ int EchoClient::nep_recv_hs_final_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); u8 *inbuff=NULL; int inlen=0; /* Ask nsock to provide received data */ if( (inbuff=(u8 *)nse_readbuf(nse, &inlen))==NULL ) return OP_FAILURE; /* Process the NEP_HANDSHAKE_SERVER message */ if ( this->parse_hs_final(inbuff, (size_t)inlen)!=OP_SUCCESS ){ return OP_FAILURE; } return OP_SUCCESS; } /* End of nep_recv_hs_final_handler() */ /** Handles reception of NEP_READY message. It handles the received * data provided by nsock and passes it to the parse_ready() which is the * one in charge of validating NEP_HANDSHAKE_FINAL packets and updating * the internal context accordingly. Returns OP_SUCCESS on success and * OP_FAILURE in case of error. */ int EchoClient::nep_recv_ready_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); u8 *inbuff=NULL; int inlen=0; /* Ask nsock to provide received data */ if( (inbuff=(u8 *)nse_readbuf(nse, &inlen))==NULL ) return OP_FAILURE; /* Process the NEP_HANDSHAKE_SERVER message */ if ( this->parse_ready(inbuff, (size_t)inlen)!=OP_SUCCESS ){ return OP_FAILURE; } return OP_SUCCESS; } /* End of nep_recv_ready_handler() */ /******************************************************************************/ /**** HANDLER WRAPPERS ********************************************************/ /******************************************************************************/ /** This handler is a wrapper for the EchoClient::nep_echoed_packet_handler() * method. We need this because C++ does not allow to use class methods as * callback functions for things like signal() or the Nsock lib. */ void echoed_packet_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); ec.nep_echoed_packet_handler(nsp, nse, arg); return; } /* End of echoed_packet_handler() */ /** This handler is a wrapper for the EchoClient::nep_recv_std_header_handler() * method. We need this because C++ does not allow to use class methods as * callback functions for things like signal() or the Nsock lib. */ void recv_std_header_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); ec.nep_recv_std_header_handler(nsp, nse, arg); return; } /* End of recv_std_header_handler() */ /** Simple wrapper for TCP connection establishment. In this case we don't need * to do anything special, just detect it the connection was successful. If * it was, we call nsock_loop_quit(), which indicates the success to * the method that scheduled the event and called nsock_loop() */ void connect_done_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); enum nse_status status=nse_status(nse); if (status!=NSE_STATUS_SUCCESS){ nping_print(DBG_4, "%s(): Failed to connect.", __func__); }else{ nsock_loop_quit(nsp); } return; } /* End of connect_done_handler() */ /** Really simple wrapper for write calls where we don't need to perform any * special operations. It just checks if the write even was successful and * in that case it calls nsock_loop_quit(), which indicates the success to * the method that scheduled the event and called nsock_loop() */ void write_done_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); enum nse_status status=nse_status(nse); if (status!=NSE_STATUS_SUCCESS){ nping_print(DBG_4, "%s(): Write operation failed.", __func__); }else{ nsock_loop_quit(nsp); } return; } /* End of connect_done_handler() */ /** This handler is a wrapper for the EchoClient::recv_hs_server_handler() * method. We need this because C++ does not allow to use class methods as * callback functions for things like signal() or the Nsock lib. */ void recv_hs_server_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); enum nse_status status=nse_status(nse); if (status!=NSE_STATUS_SUCCESS){ nping_print(DBG_4, "%s(): Read operation failed.", __func__); }else if(ec.nep_recv_hs_server_handler(nsp, nse, arg)==OP_SUCCESS){ nsock_loop_quit(nsp); } return; } /* End of recv_hs_server_handler() */ /** This handler is a wrapper for the EchoClient::recv_hs_final_handler() * method. We need this because C++ does not allow to use class methods as * callback functions for things like signal() or the Nsock lib. */ void recv_hs_final_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); enum nse_status status=nse_status(nse); if (status!=NSE_STATUS_SUCCESS){ nping_print(DBG_4, "%s(): Read operation failed.", __func__); }else if(ec.nep_recv_hs_final_handler(nsp, nse, arg)==OP_SUCCESS){ nsock_loop_quit(nsp); } return; } /* End of recv_hs_server_handler() */ /** This handler is a wrapper for the EchoClient::nep_recv_ready_handler() * method. We need this because C++ does not allow to use class methods as * callback functions for things like signal() or the Nsock lib. */ void recv_ready_handler(nsock_pool nsp, nsock_event nse, void *arg){ nping_print(DBG_4, "%s()", __func__); enum nse_status status=nse_status(nse); if (status!=NSE_STATUS_SUCCESS){ nping_print(DBG_4, "%s(): Read operation failed.", __func__); }else if(ec.nep_recv_ready_handler(nsp, nse, arg)==OP_SUCCESS){ nsock_loop_quit(nsp); } return; } /* End of recv_hs_server_handler() */