1 /*
2 * Copyright 2004-2009 Rob Beverly
3 * Copyright 2015-2021 The Regents of the University of California
4 * All rights reserved.
5 *
6 * This file is part of Spoofer.
7 *
8 * Spoofer is free software: you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation, either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * Spoofer is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with Spoofer. If not, see <http://www.gnu.org/licenses/>.
20 *
21 * Additional permission under GNU GPL version 3 section 7
22 *
23 * If you modify this Program, or any covered work, by linking or combining
24 * it with OpenSSL (or a modified version of that library), containing
25 * parts covered by the terms of the OpenSSL license, the licensors of
26 * this Program grant you additional permission to convey the resulting
27 * work. Corresponding Source for a non-source form of such a combination
28 * shall include the source code for the parts of OpenSSL used as well as
29 * that of the covered work.
30 */
31
32 /****************************************************************************
33 Program: $Id: net.cc,v 1.174 2021/04/30 00:25:58 kkeys Exp $
34 Author: Rob Beverly <rbeverly at csail.mit.edu>
35 Ken Keys, CAIDA
36 Date: $Date: 2021/04/30 00:25:58 $
37 Description: Spoofer utility routines
38 ****************************************************************************/
39 #include <stdarg.h>
40 #include <map>
41 #include "spoof_pcap.h"
42 #include "spoof.h"
43
44 #ifdef HAVE_PCAP
45 static const int always_verify = 1;
46 #else
47 static const int always_verify = 0;
48 #endif
49
50 static bool spoof_rawip_send(socket_t spoofsock, socket_t udpsock,
51 const void *msg, size_t len, probe_info *pinfo, ssize_t sniff_len);
52 #ifdef HAVE_PCAP
53 static bool spoof_pcap_send(socket_t spoofsock, socket_t udpsock,
54 const void *msg, size_t len, probe_info *pinfo, ssize_t sniff_len);
55 #endif
56
57 struct spoof_api_info {
58 const int layer;
59 const char *label;
60 bool attempt_printed;
61 bool (*send)(socket_t, socket_t, const void*, size_t, probe_info*,
62 ssize_t sniff_len);
63 };
64
65 // in order of decreasing preference
66 static spoof_api_info spoof_apis[] = {
67 #ifdef HAVE_PCAP_SENDPACKET
68 { 2, "pcap", false, spoof_pcap_send },
69 #endif
70 { 3, "raw ip", false, spoof_rawip_send },
71 { 0, "auto" , false, nullptr },
72 };
73
layer_pref(int layer)74 static inline int layer_pref(int layer) {
75 int pref;
76 for (pref = 0; spoof_apis[pref].send; pref++)
77 if (spoof_apis[pref].layer == layer) return pref;
78 return pref;
79 }
80
81 struct iface_info {
82 enum {UNKNOWN, BROKEN, WORKS};
83 const char * const ifname; // name of interface with this->src
84 int dlt; // data link type
85 OptMutex mutex;
86 volatile int online_udp_filter_able; // online pcap filter works for UDP?
87 // (may be different for TCP)
88
iface_infoiface_info89 iface_info(const char *ifname_) : ifname(ifname_), dlt(-1), mutex(),
90 online_udp_filter_able(iface_info::UNKNOWN)
91 { }
92 private:
93 iface_info(const iface_info&) NO_METHOD;
94 iface_info operator=(const iface_info&) NO_METHOD;
95 };
96
97 struct route_info {
98 static const size_t FAILED = INT_MAX;
99 struct iface_info * const ifinfo; // interface info
100 uint8_t *linkhdr; // copy of sniffed link layer header
101 volatile size_t linklen; // length of this->linkhdr
102
route_inforoute_info103 route_info(struct iface_info *ii) : ifinfo(ii), linkhdr(), linklen()
104 { }
105 private:
106 route_info(const route_info&) NO_METHOD;
107 route_info operator=(const route_info&) NO_METHOD;
108 };
109
110 struct probe_info {
111 const int proto;
112 const int spoof;
113 const int receiving;
114 enum ProbeStatus status;
115 int layer_sent; // layer of last attempted send
116 int layer_success; // layer of successful pkt; -1 for sniff error
117 int n_sent; // number of packets sent
118 int n_sniffed; // number of packets sniffed
119 bool warnedSkipSpoof; // already warned about skipping spoof
120 sockaddr_storage src_ss;
121 sockaddr *src_sa;
122 const sockaddr *dst_sa;
123 struct route_info *rtinfo;
124 #ifdef HAVE_PCAP
125 struct bpf_program cap_bpfprog; // capturing filter
126 struct bpf_program test_bpfprog; // scanning/checking filter (offline)
127 bool has_online_filter;
128 bool has_cap_bpfprog;
129 bool has_test_bpfprog;
130 pcap_t *sniffer; // for sniffing packets we've sent
131 pcap_t *writer; // for sending L2 spoofed packets
132 probe_info *pilot_pinfo; // non-spoof info needed for L2 spoofing
133 mutable char dlt_buf[16];
134 #endif
135
136 private:
137 probe_info(const probe_info&) NO_METHOD;
138 probe_info operator=(const probe_info&) NO_METHOD;
139 public:
140 probe_info(int proto_, bool spoof_,
141 sockaddr *src_sa_, const sockaddr *dst_sa_, bool receiving_ = false);
142
~probe_infoprobe_info143 ~probe_info() {
144 #ifdef HAVE_PCAP
145 free_sniffer();
146 if (writer) pcap_close(writer);
147 #endif // HAVE_PCAP
148 }
149
setStatusprobe_info150 void setStatus(ProbeStatus s) {
151 if (status < s) status = s;
152 if (status == s) {
153 debug(DEVELOP, "setStatus %s\n", probeStatusStr[s]);
154 } else {
155 debug(DEVELOP, "setStatus %s (still %s)\n",
156 probeStatusStr[s], probeStatusStr[status]);
157 }
158 }
159 #ifdef HAVE_PCAP
160 void free_sniffer();
161 const char *dlt_str() const;
162 #endif // HAVE_PCAP
163 };
164
165 // layer to spoof on: 0 = undecided, 2 = link, 3 = ip
166 // v0 v1 v2 v3 v4 v5 v6
167 int spoof_layer[7] = { -1, -1, -1, -1, 0, -1, 0 };
168
169 #define spoof_layer(sa) \
170 (*((sa)->sa_family == AF_INET6 ? &spoof_layer[6] : &spoof_layer[4]))
171 // note: spoof_layer(sa) is an lvalue
172
173 static OptMutex spoof_layer_4_mutex;
174 static OptMutex spoof_layer_6_mutex;
175 #define spoof_layer_mutex(sa) \
176 ((sa)->sa_family == AF_INET6 ? spoof_layer_6_mutex : spoof_layer_4_mutex)
177
178 // copy a sockaddr to a std::string (in binary form)
179 struct saToStr {
180 std::string str;
saToStrsaToStr181 saToStr(const sockaddr *sa) : str(sa_ipaddr(sa), addrlen(sa->sa_family)) {}
182 };
183
184 #ifdef HAVE_PCAP
185 static std::map<std::string, iface_info *> iface_info_map; //indexed by src addr
186 static OptMutex ifinfo_mutex;
187 static std::map<std::string, route_info *> route_info_map; //indexed by dst addr
188 static OptMutex routeinfo_mutex;
189 #endif // HAVE_PCAP
190
191 /* compare the IP address part of two sockaddrs */
sa_addr_cmp(const sockaddr * a,const sockaddr * b)192 static inline int sa_addr_cmp(const sockaddr *a, const sockaddr *b)
193 {
194 return (a->sa_family != b->sa_family) ?
195 (a->sa_family - b->sa_family) :
196 memcmp(sa_ipaddr(a), sa_ipaddr(b), addrlen(a->sa_family));
197 }
198
199 // Similar to inet_ntop(), but takes a sockaddr argument. If dst is
200 // NULL, sa_ntop() will return a pointer to (non-reentrant-safe) static memory.
sa_ntop(const sockaddr * sa,char * dst,size_t len)201 const char *sa_ntop(const sockaddr *sa, char *dst, size_t len)
202 {
203 static char buf[INET6_ADDRSTRLEN+1];
204 const void *addr = sa_ipaddr(sa);
205 if (!dst) {
206 dst = buf;
207 len = sizeof(buf);
208 }
209 if (!addr) {
210 snprintf(dst, len, "(bad fam %d)", sa->sa_family);
211 return dst;
212 }
213 memset(dst, 0, len);
214 if (!inet_ntop(sa->sa_family, addr, dst, safe_int<unsigned>(len)))
215 printf("!! inet_ntop error: %d %s\n", errno, strerror(errno));
216 return dst;
217 }
218
219 /*
220 * Writes into buf if it is not null, otherwise writes into a static buffer.
221 */
sock_errmsg(int err,char * buf,size_t buflen)222 const char *sock_errmsg(int err, char *buf, size_t buflen)
223 {
224 static char staticbuf[256];
225 if (!buf) {
226 buf = staticbuf;
227 buflen = sizeof(staticbuf);
228 }
229 #ifdef _WIN32
230 char str[1024] = "";
231 FormatMessage(
232 FORMAT_MESSAGE_FROM_SYSTEM |
233 FORMAT_MESSAGE_IGNORE_INSERTS,
234 nullptr, static_cast<DWORD>(err), 0,
235 str, sizeof(str), nullptr);
236 #else
237 char *str = strerror(err);
238 #endif
239 snprintf(buf, buflen, "%s (error %d)", str, err);
240 return buf;
241 }
242
243 /* Can only be called immediately after a socket function that caused an error.
244 * Writes into buf if it is not null, otherwise writes into a static buffer.
245 */
sock_last_errmsg(char * buf,size_t buflen)246 const char *sock_last_errmsg(char *buf, size_t buflen)
247 {
248 #ifdef _WIN32
249 int err = WSAGetLastError();
250 #else
251 int err = errno;
252 #endif
253 return sock_errmsg(err, buf, buflen);
254 }
255
256 #ifdef HAVE_LIBSSL
ssl_err(const char * str)257 void ssl_err(const char *str)
258 {
259 unsigned long err;
260 char buf[2048] = "(no error)";
261 char *p = buf;
262 while ((err = ERR_get_error()) && p + 4 < buf + sizeof(buf)) {
263 if (p != buf)
264 p += sprintf(p, " // ");
265 ERR_error_string_n(err, p, safe_int<size_t>(buf + sizeof(buf) - p));
266 p += strlen(p);
267 }
268 severe("%s: %s", str, buf);
269 }
270
ssl_io_error(SSL * ssl,int ret,const char * str)271 void ssl_io_error(SSL *ssl, int ret, const char *str)
272 {
273 char buf[256];
274 unsigned long err;
275 switch (SSL_get_error(ssl, ret)) {
276 case SSL_ERROR_NONE:
277 break;
278 case SSL_ERROR_ZERO_RETURN:
279 severe("%s: SSL_ERROR_ZERO_RETURN", str);
280 break;
281 case SSL_ERROR_WANT_READ:
282 severe("%s: SSL_ERROR_WANT_READ", str);
283 break;
284 case SSL_ERROR_WANT_WRITE:
285 severe("%s: SSL_ERROR_WANT_WRITE", str);
286 break;
287 case SSL_ERROR_WANT_CONNECT:
288 severe("%s: SSL_ERROR_WANT_CONNECT", str);
289 break;
290 case SSL_ERROR_SYSCALL:
291 if (ret == 0) {
292 severe("%s: SSL/system: invalid EOF", str);
293 } else if (ret == -1) {
294 severe("%s: SSL/system: %s", str, SockLastErrmsg()());
295 } else {
296 while ((err = ERR_get_error()))
297 severe("%s: SSL/system: %s", str, ERR_error_string(err, buf));
298 }
299 break;
300 case SSL_ERROR_SSL:
301 while ((err = ERR_get_error()))
302 severe("%s: SSL/lib: %s", str, ERR_error_string(err, buf));
303 break;
304 default:
305 severe("%s: unknown ssl error", str);
306 break;
307 }
308 }
309 #endif // HAVE_LIBSSL
310
311 #ifdef HAVE_PCAP
dlt_str() const312 const char *probe_info::dlt_str() const
313 {
314 if (!rtinfo || !rtinfo->ifinfo)
315 return "DLT undef"; // shouldn't happen
316 #ifdef HAVE_PCAP_DATALINK_VAL_TO_NAME
317 const char *result = pcap_datalink_val_to_name(rtinfo->ifinfo->dlt);
318 if (result) return result;
319 #endif
320 sprintf(dlt_buf, "DLT %d", rtinfo->ifinfo->dlt);
321 return dlt_buf;
322 }
323
324 static void print_pcap_error(pcap_t *pcap, ssize_t rc, const char *fmt, ...) FORMAT_PRINTF(3, 4);
print_pcap_error(pcap_t * pcap,ssize_t rc,const char * fmt,...)325 static void print_pcap_error(pcap_t *pcap, ssize_t rc, const char *fmt, ...)
326 {
327 char buf[1024+PCAP_ERRBUF_SIZE];
328 size_t space = sizeof(buf);
329 va_list ap;
330 va_start(ap, fmt);
331 int len = vsnprintf(buf, space, fmt, ap);
332 va_end(ap);
333 if (len < 0) return;
334 space -= static_cast<size_t>(len);
335 switch (rc) {
336 case 0:
337 snprintf(buf+len, space, ": %s\n", "success");
338 break;
339 #ifdef PCAP_WARNING
340 case PCAP_WARNING:
341 #endif
342 case PCAP_ERROR:
343 snprintf(buf+len, space, ": %s\n", pcap_geterr(pcap));
344 break;
345 #ifdef PCAP_WARNING
346 case PCAP_WARNING_PROMISC_NOTSUP:
347 case PCAP_ERROR_NO_SUCH_DEVICE:
348 case PCAP_ERROR_PERM_DENIED:
349 //snprintf(buf+len, space, ": %s (%s)\n", pcap_statustostr(rc), pcap_geterr(pcap));
350 snprintf(buf+len, space, ": %zd (%s)\n", rc, pcap_geterr(pcap));
351 break;
352 #endif
353 default:
354 //snprintf(buf+len, space, ": %s\n", pcap_statustostr(rc));
355 snprintf(buf+len, space, ": %zd\n", rc);
356 }
357 severe("%s", buf);
358 }
359
360 /* Returns pointer to allocated memory. Caller should free() it when done. */
get_ifname_by_addr(const sockaddr * sa)361 static char *get_ifname_by_addr(const sockaddr *sa)
362 {
363 char *ifname = nullptr;
364 pcap_if_t *alldevs = nullptr;
365 char errbuf[PCAP_ERRBUF_SIZE];
366
367 if (pcap_findalldevs(&alldevs, errbuf) < 0) {
368 warn("pcap_findalldevs: %s", errbuf);
369 goto done;
370 }
371 pcap_if_t *dev;
372 for (dev = alldevs; dev; dev = dev->next) {
373 for (pcap_addr_t *daddr = dev->addresses; daddr; daddr = daddr->next) {
374 if (daddr->addr && sa_addr_cmp(daddr->addr, sa) == 0) {
375 ifname = strdup(dev->name);
376 goto done;
377 }
378 }
379 }
380
381 done:
382 if (alldevs) pcap_freealldevs(alldevs);
383 debug(DEVELOP, ">> get_ifname_by_addr %s: %s\n",
384 ntopBuf(sa)(), ifname ? ifname : "(NONE)");
385 return ifname;
386 }
387
count_leading_ones(const void * data,size_t len)388 static unsigned count_leading_ones(const void *data, size_t len)
389 {
390 const uint8_t *s = reinterpret_cast<const uint8_t*>(data);
391 unsigned n = 0;
392 for (size_t i = 0; i < len && s[i]; i++) {
393 if (s[i] != 0xFF) {
394 for (int j = 0; j < 8 && (s[i] & (0x80 >> j)); j++)
395 n++;
396 break;
397 }
398 n += 8;
399 }
400 return n;
401 }
402 #endif // HAVE_PCAP
403
dump_ifaces()404 void dump_ifaces()
405 {
406 #ifdef HAVE_PCAP
407 pcap_if_t *alldevs = nullptr;
408 char errbuf[PCAP_ERRBUF_SIZE];
409
410 if (pcap_findalldevs(&alldevs, errbuf) < 0) {
411 warn("pcap_findalldevs: %s", errbuf);
412 return;
413 }
414 pcap_if_t *dev;
415 for (dev = alldevs; dev; dev = dev->next) {
416 printf("dev %s", dev->name);
417 #ifdef PCAP_IF_LOOPBACK
418 if (dev->flags & PCAP_IF_LOOPBACK) printf(" LOOPBACK");
419 #endif
420 #ifdef PCAP_IF_UP
421 if (dev->flags & PCAP_IF_UP) printf(" UP");
422 #endif
423 #ifdef PCAP_IF_RUNNING
424 if (dev->flags & PCAP_IF_RUNNING) printf(" RUNNING");
425 #endif
426 if (dev->description) printf(" (%s)", dev->description);
427 printf("\n");
428 for (pcap_addr_t *daddr = dev->addresses; daddr; daddr = daddr->next) {
429 if (!daddr->addr) {
430 printf(" %s\n", "(no address)");
431 continue;
432 } else if (daddr->addr->sa_family == AF_INET) {
433 printf(" inet %s", ntopBuf(daddr->addr)());
434 if (daddr->netmask)
435 printf(" mask=%s", ntopBuf(daddr->netmask)());
436 } else if (daddr->addr->sa_family == AF_INET6) {
437 printf(" inet6 %s", ntopBuf(daddr->addr)());
438 if (daddr->netmask) {
439 printf("/%u", count_leading_ones(sa_ipaddr(daddr->netmask),
440 addrlen(daddr->netmask->sa_family)));
441 }
442 unsigned long scope = sa_in6(daddr->addr)->sin6_scope_id;
443 if (scope)
444 printf(" scope=%#lx", scope);
445 } else {
446 continue;
447 }
448 if (daddr->broadaddr && daddr->broadaddr->sa_family != AF_UNSPEC)
449 printf(" bcast=%s", ntopBuf(daddr->broadaddr)());
450 if (daddr->dstaddr && daddr->dstaddr->sa_family != AF_UNSPEC)
451 printf(" dst=%s", ntopBuf(daddr->dstaddr)());
452 printf("\n");
453 }
454 }
455 printf("\n");
456
457 if (alldevs) pcap_freealldevs(alldevs);
458 #endif // HAVE_PCAP
459 }
460
461 #ifdef HAVE_PCAP
462 /* Find or create an iface_info for an outbound address. */
get_iface_info(const sockaddr * src_sa)463 static struct iface_info *get_iface_info(const sockaddr *src_sa)
464 {
465 debug(DEVELOP, ">> get_iface_info %s\n", ntopBuf(src_sa)());
466 LockGuard lock(ifinfo_mutex);
467
468 // If we have the answer cached, return that.
469 iface_info * &ref = iface_info_map[saToStr(src_sa).str];
470 if (ref) {
471 debug(DEVELOP, ">> get_iface_info: found %s\n", ref->ifname);
472 return ref;
473 }
474
475 // Look it up.
476 char *ifname = get_ifname_by_addr(src_sa);
477 if (!ifname) return nullptr;
478 return ref = new iface_info(ifname);
479 }
480 #endif // HAVE_PCAP
481
482 /* Find or create a route_info matching the parameters. */
get_route_info(struct probe_info * pinfo)483 static void get_route_info(struct probe_info *pinfo)
484 {
485 #ifdef HAVE_PCAP
486 const sockaddr *remote_sa = pinfo->receiving ? pinfo->src_sa : pinfo->dst_sa;
487 debug(DEVELOP, ">> get_route_info %s\n", ntopBuf(remote_sa)());
488 LockGuard lock(routeinfo_mutex);
489
490 // If we have the answer cached, use that.
491 route_info * &ref = route_info_map[saToStr(remote_sa).str];
492 if (ref) {
493 debug(DEVELOP, ">> get_route_info: found %s\n", ref->ifinfo->ifname);
494 pinfo->rtinfo = ref;
495 return;
496 }
497
498 if (pinfo->spoof)
499 return; // caller will have to use a pilot to find the route
500
501 if (!pinfo->src_sa) { // shouldn't happen
502 severe("internal error: no src_sa");
503 return;
504 }
505
506 // Find the interface for the source address.
507 struct iface_info *ifinfo = get_iface_info(pinfo->src_sa);
508 if (!ifinfo) { // shouldn't happen
509 severe("no interface for %s", ntopBuf(pinfo->src_sa)());
510 return;
511 }
512
513 pinfo->rtinfo = ref = new route_info(ifinfo);
514 #endif
515 }
516
517 #ifdef HAVE_PCAP
518 static OptMutex pcap_compiler_mutex;
519
520 /* Prepare to sniff a probe packet, if necessary. */
init_sniffer(struct probe_info * pinfo,size_t pay_len)521 bool init_sniffer(struct probe_info *pinfo, size_t pay_len)
522 {
523 if (pinfo->proto != IPPROTO_UDP) {
524 severe("internal error: init_sniffer proto = %d", pinfo->proto);
525 return false;
526 }
527 IPv ipv = familytoipv(pinfo->dst_sa->sa_family);
528 int snaplen = safe_int<int>((ipv == IPv4 ? sizeof(ip) : sizeof(ip6_hdr)) +
529 32/*link header*/ + sizeof(udphdr) + pay_len);
530 const char *ifname;
531 char errbuf[PCAP_ERRBUF_SIZE] = "(empty errbuf)";
532 int rc;
533 pcap_t *dead_pcap = nullptr;
534 pcap_t *test_pcap = nullptr;
535 char expr[1024];
536 char *xtail = expr;
537
538 if (pinfo->sniffer) return true;
539 debug(DEVELOP, ">> init_sniffer\n");
540 if (!pinfo->rtinfo) get_route_info(pinfo);
541 if (!pinfo->rtinfo) goto error;
542 ifname = pinfo->rtinfo->ifinfo->ifname;
543 debug(DEVELOP, ">> init_sniffer: pcap_create %s\n", ifname);
544 #ifdef HAVE_PCAP_CREATE
545 pinfo->sniffer = pcap_create(ifname, errbuf);
546 if (!pinfo->sniffer) {
547 printf("error in pcap_create: %s\n", errbuf);
548 goto error;
549 }
550 rc = pcap_set_snaplen(pinfo->sniffer, safe_int<int>(snaplen));
551 if (rc != 0) { // error or warning
552 print_pcap_error(pinfo->sniffer, rc, "%s: pcap_set_snaplen", ifname);
553 if (rc < 0) goto error; // error
554 }
555 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
556 // Tell pcap to deliver packets immediately, instead of buffering them.
557 // (Necessary on linux in libpcap >1.9 (with TPACKET_V3), maybe elsewhere)
558 rc = pcap_set_immediate_mode(pinfo->sniffer, 1);
559 if (rc != 0) { // error or warning
560 print_pcap_error(pinfo->sniffer, rc, "%s: pcap_set_immediate_mode", ifname);
561 if (rc < 0) goto error; // error
562 }
563 #endif // HAVE_PCAP_SET_IMMEDIATE_MODE
564 debug(DEVELOP, ">> init_sniffer: pcap_activate\n");
565 rc = pcap_activate(pinfo->sniffer);
566 if (rc != 0) { // error or warning
567 print_pcap_error(pinfo->sniffer, rc, "%s: pcap_activate", ifname);
568 if (rc < 0) goto error; // error
569 }
570 #else // !HAVE_PCAP_CREATE
571 pinfo->sniffer = pcap_open_live(ifname, snaplen, 0, 0, errbuf);
572 if (!pinfo->sniffer) {
573 printf("error in pcap_open_live: %s\n", errbuf);
574 goto error;
575 }
576 #endif // HAVE_PCAP_CREATE
577 if (pcap_setnonblock(pinfo->sniffer, 1, errbuf) < 0) {
578 printf("error in pcap_setnonblock: %s\n", errbuf);
579 goto error;
580 }
581 pinfo->rtinfo->ifinfo->dlt = pcap_datalink(pinfo->sniffer);
582 debug(DEVELOP, "pcap_create %s ok, %s\n", ifname, pinfo->dlt_str());
583
584 #ifdef DLT_LINUX_SLL
585 if (pinfo->rtinfo->ifinfo->dlt == DLT_LINUX_SLL) {
586 // Online userspace filters are known to be broken on LINUX_SLL (per
587 // https://github.com/the-tcpdump-group/libpcap/issues/184 and my own
588 // testing on a linux ppp iface), but they do _occasionally_ match, so
589 // we don't rely on a functional test and risk a false positive.
590 LockGuard guard(pinfo->rtinfo->ifinfo->mutex);
591 pinfo->rtinfo->ifinfo->online_udp_filter_able = iface_info::BROKEN;
592 }
593 #endif
594
595 // Compile a capturing filter (preferably online)
596 if (pinfo->spoof) {
597 if (ipv == IPv4) {
598 xtail += sprintf(xtail, "ip[2:2] = %zu and ",
599 sizeof(ip) + sizeof(udphdr) + pay_len);
600 } else if (ipv == IPv6) {
601 xtail += sprintf(xtail, "ip6[4:2] = %zu and ",
602 sizeof(udphdr) + pay_len);
603 }
604 }
605 xtail += sprintf(xtail, "udp and dst port %d and dst host %s",
606 ntohs(sa_port(pinfo->dst_sa)), ntopBuf(pinfo->dst_sa)());
607 if (!pinfo->receiving && !pinfo->spoof) {
608 // receive: there will be multiple sources, some spoofed.
609 // send spoofed: OS may rewrite src; sniff_spoofed will verify it.
610 // send nonspoofed: filter on src.
611 xtail += sprintf(xtail, " and src port %d and src host %s",
612 ntohs(sa_port(pinfo->src_sa)), ntopBuf(pinfo->src_sa)());
613 }
614
615 pinfo->has_online_filter = false;
616
617 debug(DEVELOP, ">> init_sniffer (cap): %s\n", expr);
618 {
619 LockGuard guard(pcap_compiler_mutex);
620 rc = pcap_compile(pinfo->sniffer, &pinfo->cap_bpfprog, expr, 1,
621 0xFFFFFFFF);
622 if (rc != 0) { // error or warning
623 print_pcap_error(pinfo->sniffer, rc, "%s: pcap_compile (cap)", ifname);
624 if (rc < 0) goto error; // error
625 }
626 }
627 pinfo->has_cap_bpfprog = true;
628
629 if (pinfo->rtinfo->ifinfo->online_udp_filter_able == iface_info::BROKEN) {
630 // We'll apply the capturing filter offline instead.
631 debug(DEVELOP, ">> init_sniffer: no online filter\n");
632 } else {
633 debug(DEVELOP, ">> init_sniffer: pcap_setfilter\n");
634 rc = pcap_setfilter(pinfo->sniffer, &pinfo->cap_bpfprog);
635 if (rc < 0) { // error
636 print_pcap_error(pinfo->sniffer, rc, "%s: pcap_setfilter", ifname);
637 } else {
638 pinfo->has_online_filter = true;
639 pinfo->has_cap_bpfprog = false;
640 pcap_freecode(&pinfo->cap_bpfprog);
641 }
642 }
643
644 // Compile an offline filter for...
645 if (!pinfo->spoof || pinfo->receiving) {
646 // ...scanning for the IP header (sending non-spoof or receiving)
647 if (!(test_pcap = dead_pcap = pcap_open_dead(DLT_RAW, snaplen))) {
648 severe("pcap_open_dead: %s", errbuf);
649 goto error;
650 }
651 } else {
652 // ...checking the src (sending spoof)
653 sprintf(expr, "src port %d and src host %s",
654 ntohs(sa_port(pinfo->src_sa)), ntopBuf(pinfo->src_sa)());
655 test_pcap = pinfo->sniffer;
656 }
657 debug(DEVELOP, ">> init_sniffer (test): %s\n", expr);
658 {
659 LockGuard guard(pcap_compiler_mutex);
660 rc = pcap_compile(test_pcap, &pinfo->test_bpfprog, expr, 1, 0xFFFFFFFF);
661 if (rc != 0) { // error or warning
662 print_pcap_error(test_pcap, rc, "%s: pcap_compile (test)", ifname);
663 if (rc < 0) goto error; // error
664 }
665 }
666 pinfo->has_test_bpfprog = true;
667 if (dead_pcap) pcap_close(dead_pcap);
668 return true;
669 error:
670 if (pinfo->sniffer) pcap_close(pinfo->sniffer);
671 if (dead_pcap) pcap_close(dead_pcap);
672 pinfo->sniffer = nullptr;
673 return false;
674 }
675 #endif // HAVE_PCAP
676
probe_info(int proto_,bool spoof_,sockaddr * src_sa_,const sockaddr * dst_sa_,bool receiving_)677 probe_info::probe_info(int proto_, bool spoof_,
678 sockaddr *src_sa_, const sockaddr *dst_sa_, bool receiving_) :
679 proto(proto_), spoof(spoof_), receiving(receiving_), status(UNTRIED),
680 layer_sent(0), layer_success(0), n_sent(0), n_sniffed(0), warnedSkipSpoof(),
681 src_ss(), src_sa(spoof_ ? src_sa_ : nullptr), dst_sa(dst_sa_), rtinfo()
682 #ifdef HAVE_PCAP
683 , cap_bpfprog(), test_bpfprog(),
684 has_online_filter(false), has_cap_bpfprog(false), has_test_bpfprog(false),
685 sniffer(), writer(), pilot_pinfo()
686 #endif
687 {
688 memset(&src_ss, 0, sizeof(src_ss));
689 #ifdef HAVE_PCAP
690 memset(&cap_bpfprog, 0, sizeof(cap_bpfprog));
691 memset(&test_bpfprog, 0, sizeof(test_bpfprog));
692 #endif
693 }
694
new_probe_info(int proto,bool spoof,socket_t nonSpoofSock,sockaddr * src_sa,const sockaddr * dst_sa,bool receiving)695 struct probe_info *new_probe_info(int proto, bool spoof, socket_t nonSpoofSock,
696 sockaddr *src_sa, const sockaddr *dst_sa, bool receiving)
697 {
698 probe_info *pinfo = new probe_info(proto, spoof, src_sa, dst_sa, receiving);
699 if (!pinfo) {
700 severe("out of memory in new_probe_info");
701 return pinfo;
702 }
703
704 if (!always_verify && spoof_layer(dst_sa) != 2 && spoof_layer(dst_sa) != 0)
705 return pinfo;
706
707 if (!spoof) {
708 /* Identify the source address for routing to the destination. */
709 pinfo->src_sa = (sockaddr*)&pinfo->src_ss;
710 socklen_t srclen = sizeof(pinfo->src_ss);
711 // note: getsockname() depends on sock already being connect()ed
712 if (getsockname(nonSpoofSock, pinfo->src_sa, &srclen) < 0) {
713 pinfo->src_sa = nullptr;
714 severe("getsockname: %s", SockLastErrmsg()());
715 delete pinfo;
716 return nullptr;
717 }
718 debug(DEVELOP, ">> new_probe_info: connected from %s port %d\n",
719 ntopBuf(pinfo->src_sa)(), ntohs(sa_port(pinfo->src_sa)));
720
721 sockaddr_storage peer_ss;
722 sockaddr *peer_sa = (sockaddr*)&peer_ss;
723 socklen_t peerlen = sizeof(peer_ss);
724 if (getpeername(nonSpoofSock, peer_sa, &peerlen) < 0) {
725 severe("getpeername: %s", SockLastErrmsg()());
726 } else {
727 debug(DEVELOP, ">> new_probe_info: connected to %s port %d\n",
728 ntopBuf(peer_sa)(), ntohs(sa_port(peer_sa)));
729 }
730 }
731
732 get_route_info(pinfo);
733 return pinfo;
734 }
735
736 #ifdef HAVE_PCAP
737
get_ip_packet(struct probe_info * pinfo,const struct pcap_pkthdr * phdr,const u_char * data)738 const u_char *get_ip_packet(/*const*/ struct probe_info *pinfo,
739 const struct pcap_pkthdr *phdr, const u_char *data)
740 {
741 assert(!pinfo->spoof || pinfo->receiving);
742 assert(pinfo->has_test_bpfprog);
743 const u_char *result = nullptr;
744
745 // Instead of trying to implement many link layer parsers ourselves, or
746 // relying on a poorly maintained or insufficiently portable third-party
747 // library, we use an offline pcap filter to scan for the IP header. It's
748 // not very efficient, but it applies only to packets that already passed
749 // the capture filter.
750 int v = 0;
751 for (size_t i = 0; i < phdr->caplen - 20; i++) {
752 if (pcap_offline_filter(&pinfo->test_bpfprog, phdr, data + i)) {
753 v = ((data[i] & 0xF0) >> 4);
754 if (v != 4 && v != 6) continue; // shouldn't happen
755 result = data + i;
756 break;
757 }
758 }
759 if (!result) {
760 severe("internal error: IP packet not found (%s)", pinfo->dlt_str());
761 return nullptr;
762 }
763 debug(DEVELOP, "IPv%d offset: %zd (%s)\n", v, result - data,
764 pinfo->dlt_str());
765
766 return result;
767 }
768
pkt_captured(probe_info * pinfo,const struct pcap_pkthdr * phdr,const u_char * data)769 struct probe_info *pkt_captured(probe_info *pinfo,
770 const struct pcap_pkthdr *phdr, const u_char *data)
771 {
772 if (verbosity >= DEVELOP) {
773 printf("sniffed packet:\n");
774 binDump(data, phdr->caplen, TRUE);
775 }
776
777 if (!pinfo->has_online_filter) {
778 // We didn't filter online, so we must filter offline.
779 assert(pinfo->has_cap_bpfprog);
780 if (!pcap_offline_filter(&pinfo->cap_bpfprog, phdr, data)) {
781 debug(DEVELOP, "(no capture)\n");
782 return nullptr;
783 }
784 debug(DEVELOP, "(capture)\n");
785 }
786
787 return pinfo;
788 }
789
pkt_captured(u_char * userdata,const struct pcap_pkthdr * phdr,const u_char * data)790 static struct probe_info *pkt_captured(u_char *userdata,
791 const struct pcap_pkthdr *phdr, const u_char *data)
792 {
793 #pragma GCC diagnostic push
794 #pragma GCC diagnostic ignored "-Wcast-align"
795 return pkt_captured((struct probe_info*)userdata, phdr, data);
796 #pragma GCC diagnostic pop
797 }
798
799 // Record a copy of a link layer header.
sniff_link(u_char * userdata,const struct pcap_pkthdr * phdr,const u_char * data)800 static void sniff_link(u_char *userdata,
801 const struct pcap_pkthdr *phdr, const u_char *data)
802 {
803 debug(DEVELOP, ">> sniff_link\n");
804 struct probe_info *pinfo = pkt_captured(userdata, phdr, data);
805 if (!pinfo) return;
806 pinfo->n_sniffed++;
807 pinfo->setStatus(CONFIRMED);
808
809 time_t t; debug(DEVELOP, "(%lld)", safe_int<long long>(time(&t)));
810 struct route_info *rtinfo = pinfo->rtinfo;
811 const u_char *pdu = get_ip_packet(pinfo, phdr, data);
812 if (pdu) {
813 rtinfo->linklen = safe_int<size_t>(pdu - data);
814 rtinfo->linkhdr = new uint8_t[rtinfo->linklen];
815 memcpy(rtinfo->linkhdr, data, rtinfo->linklen);
816 if (pinfo->proto == IPPROTO_UDP && pinfo->has_online_filter &&
817 rtinfo->ifinfo->online_udp_filter_able == iface_info::UNKNOWN)
818 {
819 // NB: TCP and UDP results may differ, and we care only about UDP.
820 debug(DEVELOP, "Online filter works on %s (%s).\n",
821 pinfo->rtinfo->ifinfo->ifname, pinfo->dlt_str());
822 LockGuard guard(rtinfo->ifinfo->mutex);
823 rtinfo->ifinfo->online_udp_filter_able = iface_info::WORKS;
824 }
825 pinfo->layer_success = pinfo->layer_sent;
826 }
827 }
828
sniff_spoofed(u_char * userdata,const struct pcap_pkthdr * phdr,const u_char * data)829 static void sniff_spoofed(u_char *userdata,
830 const struct pcap_pkthdr *phdr, const u_char *data)
831 {
832 debug(DEVELOP, ">> sniff_spoofed\n");
833 struct probe_info *pinfo = pkt_captured(userdata, phdr, data);
834 if (!pinfo) return;
835 pinfo->n_sniffed++;
836
837 time_t t; debug(DEVELOP, "(%lld)", safe_int<long long>(time(&t)));
838
839 // Compare sniffed address to the spoofed address we originally sent
840 if (pcap_offline_filter(&pinfo->test_bpfprog, phdr, data)) {
841 // Sources matched; spoofing works at layer_sent.
842 debug(HIGH, "(M%d)", pinfo->layer_sent);
843 debug(DEVELOP, "sniffed pkt DOES contain spoof addr/port\n");
844 pinfo->setStatus(CONFIRMED);
845 int layer = pinfo->layer_success = pinfo->layer_sent;
846 // Update spoof_layer iff layer_success is more preferred
847 LockGuard spoof_layer_guard(spoof_layer_mutex(pinfo->dst_sa));
848 if (layer_pref(spoof_layer(pinfo->dst_sa)) > layer_pref(layer))
849 spoof_layer(pinfo->dst_sa) = layer;
850 } else {
851 // Src was REWRITTEN
852 debug(HIGH, "(!M%d)", pinfo->layer_sent);
853 debug(DEVELOP, "sniffed pkt DOES NOT contain spoof addr/port\n");
854 pinfo->setStatus(REWRITTEN);
855 }
856 }
857
free_sniffer()858 void probe_info::free_sniffer()
859 {
860 if (has_cap_bpfprog) {
861 pcap_freecode(&cap_bpfprog);
862 has_cap_bpfprog = false;
863 }
864 if (has_test_bpfprog) {
865 pcap_freecode(&test_bpfprog);
866 has_test_bpfprog = false;
867 }
868 if (sniffer) {
869 pcap_close(sniffer);
870 sniffer = nullptr;
871 }
872 }
873
spoofer_pcap_poll(struct probe_info * pinfo,const char * label,pcap_handler callback,u_char * userdata)874 int spoofer_pcap_poll(struct probe_info *pinfo, const char *label, pcap_handler callback, u_char *userdata)
875 {
876 time_t now;
877 debug(DEVELOP, ">> %s: pcap_dispatch (%lld)\n", label,
878 safe_int<long long>(time(&now)));
879 int rc = pcap_dispatch(pinfo->sniffer, 1, callback, userdata);
880 debug(DEVELOP, ">> %s: pcap_dispatch done (%lld)\n", label,
881 safe_int<long long>(time(&now)));
882 if (rc < 0) {
883 print_pcap_error(pinfo->sniffer, rc, "pcap_dispatch on %s",
884 pinfo->rtinfo->ifinfo->ifname);
885 pinfo->free_sniffer();
886 debug(DEVELOP, "status: %s\n", probeStatusStr[pinfo->status]);
887 }
888 return rc;
889 }
890
891 // Pcap timeout does not work on all platforms, so we use a nonblocking pcap
892 // and poll it until we find what we're looking for, or 3s has elapsed.
egress_pcap_dispatch(struct probe_info * pinfo,const char * label)893 static int egress_pcap_dispatch(struct probe_info *pinfo, const char *label)
894 {
895 time_t end, now;
896 time(&end);
897 end += 3;
898 while (true) {
899 int rc = spoofer_pcap_poll(pinfo, label,
900 pinfo->spoof ? sniff_spoofed : sniff_link, (u_char*)pinfo);
901 if (rc < 0) {
902 return rc; // error
903 } else if (pinfo->layer_success > 0) {
904 debug(DEVELOP, ">> sniffed %sspoofed L%d\n",
905 pinfo->spoof ? "" : "non-", pinfo->layer_success);
906 pinfo->free_sniffer();
907 debug(DEVELOP, "status: %s\n", probeStatusStr[pinfo->status]);
908 return rc; // found what we're looking for
909 } else if (pinfo->n_sniffed == pinfo->n_sent) {
910 debug(DEVELOP, "n_sniffed %d == n_sent %d\n", pinfo->n_sniffed, pinfo->n_sent);
911 return rc; // found a modified packet; there's no point in
912 // continuing to sniff until we send another
913 }
914 if (time(&now) > end) break;
915 msleep(100); // 0.1s
916 }
917 pinfo->free_sniffer();
918 printf("lost(L%d)\n", pinfo->layer_sent);
919 if (!pinfo->spoof && !pinfo->layer_success && pinfo->has_online_filter &&
920 pinfo->proto == IPPROTO_UDP)
921 {
922 iface_info * const &ifinfo = pinfo->rtinfo->ifinfo;
923 LockGuard guard(ifinfo->mutex);
924 if (ifinfo->online_udp_filter_able == iface_info::UNKNOWN) {
925 ifinfo->online_udp_filter_able = iface_info::BROKEN;
926 pprintf((verbosity >= DEVELOP) ? "Warning" : "Info",
927 "Online filter failed on %s (%s); reverting to offline filter.\n",
928 ifinfo->ifname, pinfo->dlt_str());
929 }
930 }
931 if (!pinfo->spoof && !pinfo->layer_success && pinfo->proto == IPPROTO_UDP &&
932 (!pinfo->has_online_filter ||
933 pinfo->rtinfo->ifinfo->online_udp_filter_able == iface_info::WORKS))
934 {
935 // Failure to sniff a non-spoofed packet indicates a lack of routing
936 // (assuming filtering works); remember that fact, so we can skip
937 // future attempts. (Note: failure to sniff a L3 spoofed packet might
938 // mean that, or might mean the OS blocks L3 spoofing.)
939 pinfo->rtinfo->linklen = route_info::FAILED;
940 debug(DEVELOP, "routing to %s failed\n", ntopBuf(pinfo->dst_sa)());
941 }
942 debug(DEVELOP, "status: %s\n", probeStatusStr[pinfo->status]);
943 return 0;
944 }
945 #endif // HAVE_PCAP
946
spoof_layer2possible(const IPv & ipv)947 static bool spoof_layer2possible(const IPv &ipv)
948 {
949 static bool flags[7] = { false, false, false, false, false, false, false };
950 #ifdef HAVE_PCAP_SENDPACKET
951 static bool cached = false;
952
953 if (cached) return flags[ipv];
954
955 pcap_if_t *alldevs = nullptr;
956 char errbuf[PCAP_ERRBUF_SIZE];
957
958 // This test looks for a device with a routable address that can be opened
959 // with pcap_open_live(). Thus it will catch some cases of insuffucient
960 // permission, or no interfaces for the given ipv. It will not catch the
961 // (much more rare) case of having multiple interfaces where one can be
962 // opened but the one we'll need can not.
963 if (pcap_findalldevs(&alldevs, errbuf) < 0) {
964 warn("pcap_findalldevs: %s", errbuf);
965 goto done;
966 }
967 pcap_if_t *dev;
968 unsigned char loopback4[IPV4ADDRLEN];
969 unsigned char loopback6[IPV6ADDRLEN];
970 inet_pton(AF_INET, "127.0.0.1", loopback4);
971 inet_pton(AF_INET6, "::1", loopback6);
972 for (dev = alldevs; dev; dev = dev->next) {
973 bool *flag;
974 for (pcap_addr_t *daddr = dev->addresses; daddr; daddr = daddr->next) {
975 // Check for useful address
976 if (!daddr->addr) continue;
977 switch (daddr->addr->sa_family) {
978 case AF_INET:
979 if (memcmp(sa_ipaddr(daddr->addr), loopback4, IPV4ADDRLEN) == 0)
980 continue; // ignore loopback address
981 flag = &flags[IPv4];
982 break;
983 case AF_INET6:
984 if (memcmp(sa_ipaddr(daddr->addr), loopback6, IPV6ADDRLEN) == 0)
985 continue; // ignore loopback address
986 if (nptohl(ua_field(sockaddr_in6, daddr->addr, sin6_scope_id)))
987 continue; // ignore site-local and link-local addresses
988 flag = &flags[IPv6];
989 break;
990 default:
991 continue; // ignore non-IP address
992 }
993 if (*flag) continue; // no need to repeat test
994
995 // Check for ability to open
996 pcap_t *writer = pcap_open_live(dev->name, 0, 0, 0, errbuf);
997 if (!writer) {
998 debug(LOW, "ERROR: pcap_open_live: %s\n", errbuf);
999 break; // failed to open DEVICE; another address won't help
1000 }
1001
1002 // We'd like to test pcap_sendpacket() here, but we don't yet know
1003 // how to generate a valid packet for this iface (and using a dummy
1004 // packet with length 0 gives false negatives on some platforms).
1005
1006 pcap_close(writer);
1007 *flag = true;
1008 }
1009 }
1010 cached = true;
1011
1012 done:
1013 if (alldevs) pcap_freealldevs(alldevs);
1014 #else
1015 #endif // HAVE_PCAP_SENDPACKET
1016 return flags[ipv];
1017 }
1018
free_probe_info(struct probe_info * pinfo,bool skipSniffing)1019 enum ProbeStatus free_probe_info(struct probe_info *pinfo, bool skipSniffing)
1020 {
1021 #ifdef HAVE_PCAP
1022 if (pinfo->pilot_pinfo)
1023 free_probe_info(pinfo->pilot_pinfo, true);
1024 if (pinfo->sniffer && !skipSniffing)
1025 egress_pcap_dispatch(pinfo, "free_probe_info");
1026 pinfo->free_sniffer();
1027 #endif // HAVE_PCAP
1028
1029 enum ProbeStatus pstatus = pinfo->status;
1030 delete pinfo;
1031 return pstatus;
1032 }
1033
1034 // If !spoof and src, udpsock will be bound to src.
1035 // Note: UDP errors may be asynchronously generated due to an ICMP response and
1036 // not reported until the next use of the socket. We must open a new socket for
1037 // each destination to be sure it doesn't receive errors from a previous probe.
initSockets(bool spoof,IPv ipv,socket_t & spoofsock,socket_t & udpsock,const sockaddr * src,const sockaddr * dst)1038 bool initSockets(bool spoof, IPv ipv, socket_t& spoofsock, socket_t& udpsock,
1039 const sockaddr *src, const sockaddr *dst)
1040 {
1041 spoofsock = INVALID_SOCKET;
1042 udpsock = INVALID_SOCKET;
1043 family_t family = ipvtofamily(ipv);
1044 {
1045 // We need udpsock...
1046 // if not spoofing, to send a nonspoofed probe;
1047 // if spoofing, we may need to learn the outbound iface for sniffing;
1048 // if spoofing layer 2, we may need to send a nonspoofed pilot packet.
1049 udpsock = newSocket(family, SOCK_DGRAM, IPPROTO_UDP);
1050 if (udpsock == INVALID_SOCKET)
1051 return false;
1052 debug(DEVELOP, "IPv%d udpsock=%d\n", ipv, safe_int<int>(udpsock));
1053 int ttl = spoof ? 1 : // pilot pkt goes just far enough to be sniffed
1054 TTL_OUT; // pkt must reach server and have known initial TTL
1055 if (setSockTTL(family, udpsock, ttl) < 0) {
1056 severe("set IPv%d socket TTL: %s", ipv, SockLastErrmsg()());
1057 return false;
1058 }
1059 if (!spoof && src) {
1060 debug(DEVELOP, "bind IPv%d src %s %d\n", ipv, ntopBuf(src)(),
1061 ntohs(sa_port(src)));
1062 if (bind(udpsock, src, sa_len(src)) < 0) {
1063 info("bind IPv%d src %s %d: %s", ipv, ntopBuf(src)(),
1064 ntohs(sa_port(src)), SockLastErrmsg()());
1065 return false;
1066 }
1067 }
1068 }
1069 if (udpsock != INVALID_SOCKET && dst) {
1070 // code that depends on this connect():
1071 // - getsockname() in new_probe_info()
1072 // - send() in socketSend() for nonspoof or pilot
1073 if (connect(udpsock, dst, sa_len(dst)) < 0) {
1074 info("connect IPv%d target %s %d: %s", ipv, ntopBuf(dst)(),
1075 ntohs(sa_port(dst)), SockLastErrmsg()());
1076 return false;
1077 }
1078 debug(DEVELOP, "connect IPv%d target %s %d: %s\n", ipv,
1079 ntopBuf(dst)(), ntohs(sa_port(dst)), "success");
1080 }
1081 if (!spoof)
1082 return true;
1083 if (ipv == IPv4 &&
1084 (spoof_layer[ipv] == 0 || spoof_layer[ipv] == 3))
1085 {
1086 // we want to at least try to spoof at layer 3
1087 spoofsock = newSocket(family, SOCK_RAW, IPPROTO_UDP);
1088 if (spoofsock == INVALID_SOCKET) {
1089 severe("Spoofer needs root/admin or other special privileges to "
1090 "open raw sockets.");
1091 } else {
1092 debug(DEVELOP, "IPv%d spoofsock=%d\n", ipv, safe_int<int>(spoofsock));
1093 if (optSocketHDRINCL(spoofsock) == 0) // IPv4 only
1094 return true; // layer 3 spoofing is possible
1095 }
1096 }
1097 if (spoof_layer[ipv] == 0 || spoof_layer[ipv] == 2) {
1098 // we may want to spoof at layer 2
1099 if (spoof_layer2possible(ipv))
1100 return true; // layer 2 spoofing is possible
1101 notice("No accessible nonlocal IPv%d interfaces.", ipv);
1102 }
1103 return false;
1104 }
1105
1106 // Get and clear any error on the socket. For best results, allow some time
1107 // for an ICMP error response after the last operation before calling this.
getSockErr(socket_t sock,char * buf,size_t buflen)1108 const char *getSockErr(socket_t sock, char *buf, size_t buflen)
1109 {
1110 int err = 0;
1111 socklen_t errlen = sizeof(err);
1112 if (getsockopt(sock, SOL_SOCKET, SO_ERROR, (char*)&err, &errlen) < 0) {
1113 return sock_last_errmsg(buf, buflen);
1114 } else if (err != 0) {
1115 return sock_errmsg(err, buf, buflen);
1116 }
1117 return nullptr;
1118 }
1119
1120 // Close a probing socket. If there were any asynchronous errors pending on
1121 // the socket, report them and return false.
closeSocket(socket_t & sock,IPv ipv)1122 bool closeSocket(socket_t &sock, IPv ipv)
1123 {
1124 int err = 0;
1125 if (sock == INVALID_SOCKET) return true;
1126 char ebuf[256];
1127 if (getSockErr(sock, ebuf, sizeof(ebuf)))
1128 debug(DEVELOP, "async error before IPv%d close: %s\n", ipv, ebuf);
1129 ::closesocket(sock);
1130 sock = INVALID_SOCKET;
1131 return err == 0;
1132 }
1133
1134 /* IP pseudo headers for TCP/UDP checksum. */
1135 struct pseudo_ip4 {
1136 char unused_padding[8];
1137 struct in_addr pip_src, pip_dst;
1138 uint8_t zeros[1];
1139 uint8_t pip_p;
1140 uint16_t pip_udp_len;
1141 };
1142 STATIC_ASSERT(sizeof(pseudo_ip4) == sizeof(ip), pseudo_ip4_size_is_wrong);
1143
1144 struct pseudo_ip6 {
1145 struct in6_addr pip6_src, pip6_dst;
1146 uint32_t pip6_udp_len;
1147 uint8_t zeros[3];
1148 uint8_t pip6_nxt;
1149 };
1150 STATIC_ASSERT(sizeof(pseudo_ip6) == sizeof(ip6_hdr), pseudo_ip6_size_is_wrong);
1151
1152 // Properly aligned memory layout for crafting a packet
1153 struct ip4udp {
1154 union {
1155 ip ip4;
1156 pseudo_ip4 pip4;
1157 };
1158 udphdr udp;
1159 };
1160
1161 struct ip6udp {
1162 union {
1163 ip6_hdr ip6;
1164 pseudo_ip6 pip6;
1165 };
1166 udphdr udp;
1167 };
1168
1169 /**
1170 * craftPacket - Fill buffer with the spoofed packet
1171 */
craftPacket(uint32_t * buf,const void * payload,size_t payloadlen,const sockaddr * src,const sockaddr * dst,u_char ttl,unsigned short ipid)1172 size_t craftPacket(uint32_t *buf, const void *payload, size_t payloadlen,
1173 const sockaddr *src, const sockaddr *dst, u_char ttl,
1174 unsigned short ipid)
1175 {
1176 struct udphdr *udp = nullptr;
1177 size_t ip_hdr_len, packetlen;
1178
1179 if (dst->sa_family == AF_INET) {
1180 ip_hdr_len = sizeof(ip);
1181 udp = &((ip4udp *)buf)->udp;
1182 } else {
1183 ip_hdr_len = sizeof(ip6_hdr);
1184 udp = &((ip6udp *)buf)->udp;
1185 }
1186 packetlen = ip_hdr_len + sizeof(*udp) + payloadlen;
1187 memset(buf, 0, ip_hdr_len + sizeof(*udp));
1188 memcpy((uint8_t*)udp + sizeof(*udp), payload, payloadlen);
1189
1190 /* Fill in UDP header. */
1191 udp->uh_sport = sa_port(src);
1192 udp->uh_dport = sa_port(dst);
1193 udp->uh_ulen = htons(safe_int<uint16_t>(sizeof(*udp) + payloadlen));
1194
1195 /* Fill in IP pseudo header. */
1196 if (dst->sa_family == AF_INET) {
1197 struct pseudo_ip4 *pip4 = &((ip4udp *)buf)->pip4;
1198 pip4->pip_p = IPPROTO_UDP;
1199 pip4->pip_udp_len = udp->uh_ulen;
1200 memcpy(&pip4->pip_src, sa_ipaddr(src), IPV4ADDRLEN);
1201 memcpy(&pip4->pip_dst, sa_ipaddr(dst), IPV4ADDRLEN);
1202 } else if (dst->sa_family == AF_INET6) {
1203 struct pseudo_ip6 *pip6 = &((ip6udp *)buf)->pip6;
1204 pip6->pip6_nxt = IPPROTO_UDP;
1205 pip6->pip6_udp_len = udp->uh_ulen;
1206 memcpy(&pip6->pip6_src, sa_ipaddr(src), IPV6ADDRLEN);
1207 memcpy(&pip6->pip6_dst, sa_ipaddr(dst), IPV6ADDRLEN);
1208 } else {
1209 return 0; // shouldn't happen
1210 }
1211
1212 /* Calculate UDP checksum. */
1213 if ((udp->uh_sum = in_cksum(buf, packetlen)) == 0)
1214 udp->uh_sum = 0xffff;
1215
1216 /* Now fill in the real IP header fields. */
1217 memset(buf, 0, ip_hdr_len);
1218
1219 if (dst->sa_family == AF_INET) {
1220 /* Note: BSD raw (ip) sockets expect host byte order for ip_len and
1221 * ip_off, but that will be handled later if we actually use raw ip. */
1222 struct ip *ip4 = &((ip4udp *)buf)->ip4;
1223 ip4->ip_v = 4;
1224 ip4->ip_hl = (ip_hdr_len >> 2) & 0x0F;
1225 ip4->ip_tos = 0;
1226 ip4->ip_len = htons(safe_int<uint16_t>(packetlen));
1227 ip4->ip_id = (ttl == TTL_OUT) ?
1228 safe_int<unsigned short>(spoofer_rand(32768)) :
1229 htons(ipid);
1230 ip4->ip_off = htons(IP_DF);
1231 ip4->ip_ttl = ttl;
1232 ip4->ip_p = IPPROTO_UDP;
1233 memcpy(&ip4->ip_src, sa_ipaddr(src), IPV4ADDRLEN);
1234 memcpy(&ip4->ip_dst, sa_ipaddr(dst), IPV4ADDRLEN);
1235
1236 /* Calculate IPv4 checksum. */
1237 ip4->ip_sum = in_cksum(ip4, sizeof(*ip4));
1238
1239 } else {
1240 struct ip6_hdr *ip6 = &((ip6udp *)buf)->ip6;
1241 ip6->ip6_vfc = 6 << 4;
1242 ip6->ip6_plen = htons(safe_int<uint16_t>(sizeof(*udp) + payloadlen));
1243 ip6->ip6_nxt = IPPROTO_UDP;
1244 ip6->ip6_hlim = ttl;
1245 memcpy(&ip6->ip6_src, sa_ipaddr(src), IPV6ADDRLEN);
1246 memcpy(&ip6->ip6_dst, sa_ipaddr(dst), IPV6ADDRLEN);
1247 }
1248
1249 if (verbosity >= DEVELOP) {
1250 printf("IP packet:\n");
1251 binDump(buf, packetlen, TRUE);
1252 }
1253 return (packetlen);
1254 }
1255
1256
1257 /**
1258 * craftProbe - Build Spoofer probe payload
1259 */
craftProbe(probe_t * probe,bool spoof,const SpooferSpoofSchedule::Item * item)1260 void craftProbe(probe_t *probe, bool spoof, const SpooferSpoofSchedule::Item *item) {
1261 memset(probe, 0, sizeof(*probe));
1262 probe->hdr.ver = htons(PAYLOAD_VERSION);
1263 probe->hdr.spoofed = htons(!spoof);
1264 probe->tst.ts = htonl(item->timestamp());
1265 memcpy(probe->tst.src_addr + IPV6ADDRLEN - item->srcip().size(),
1266 item->srcip().data(), item->srcip().size());
1267 memcpy(probe->tst.dst_addr + IPV6ADDRLEN - item->dstip().size(),
1268 item->dstip().data(), item->dstip().size());
1269 memcpy(probe->tst.seqno, item->seqno().data(), SEQNOSIZE);
1270 memcpy(probe->tst.hmac, item->hmac().data(), HMACSIZE);
1271 }
1272
1273
1274 /**
1275 * in_cksum - compute an IP checksum
1276 */
in_cksum(const void * addr,size_t len)1277 unsigned short in_cksum(const void *addr, size_t len) {
1278 size_t nleft = len;
1279 uint32_t sum = 0;
1280 const unsigned short *w = (const unsigned short *)addr;
1281 unsigned short answer = 0;
1282
1283 /*
1284 * Our algorithm is simple, using a 32 bit accumulator (sum), we add
1285 * sequential 16 bit words to it, and at the end, fold back all the
1286 * carry bits from the top 16 bits into the lower 16 bits.
1287 */
1288 while (nleft > 1) {
1289 sum += *w++;
1290 nleft -= 2;
1291 }
1292
1293 /* 4mop up an odd byte, if necessary */
1294 if (nleft == 1) {
1295 *(unsigned char *)(&answer) = *(const unsigned char *)w ;
1296 sum += answer;
1297 }
1298
1299 /* 4add back carry outs from top 16 bits to low 16 bits */
1300 sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
1301 sum += (sum >> 16); /* add carry */
1302 answer = static_cast<uint16_t>(~sum); /* truncate to 16 bits */
1303 return(answer);
1304 }
1305
1306 /**
1307 * genSequence - Generate a random sequence of digits and lowercase letters
1308 * (not NUL terminated).
1309 */
genSequence(char * buf,int len)1310 char *genSequence(char *buf, int len) {
1311 for (int i = 0; i < len; i++) {
1312 char c = (char)spoofer_rand(10+26);
1313 buf[i] = safe_int<char>((c < 10) ? '0' + c : 'a' + (c - 10));
1314 }
1315 return buf;
1316 }
1317
1318
1319 #if 0
1320 /*!
1321 * \brief Subtract one struct timeval from another.
1322 *
1323 * Taken from:
1324 * http://www.gnu.org/software/hello/manual/libc/Elapsed-Time.html
1325 *
1326 * \param[out] result difference between the struct timevals at \a x and
1327 * \a y (x minus y). This parameter may be NULL.
1328 *
1329 * \return 1 if the difference is negative, otherwise 0.
1330 */
1331 static int
1332 timeval_subtract(
1333 struct timeval *resultPtr,
1334 struct timeval x,
1335 struct timeval y)
1336 {
1337 struct timeval result;
1338
1339 /* Perform the carry for the later subtraction by updating y. */
1340 if (x.tv_usec < y.tv_usec) {
1341 int nsec = (y.tv_usec - x.tv_usec) / 1000000 + 1;
1342 y.tv_usec -= 1000000 * nsec;
1343 y.tv_sec += nsec;
1344 }
1345 if (x.tv_usec - y.tv_usec > 1000000) {
1346 int nsec = (x.tv_usec - y.tv_usec) / 1000000;
1347 y.tv_usec += 1000000 * nsec;
1348 y.tv_sec -= nsec;
1349 }
1350
1351 /* Compute the time remaining to wait.
1352 tv_usec is certainly positive. */
1353 result.tv_sec = x.tv_sec - y.tv_sec;
1354 result.tv_usec = x.tv_usec - y.tv_usec;
1355
1356 if (resultPtr)
1357 *resultPtr = result;
1358
1359 /* Return 1 if result is negative. */
1360 return x.tv_sec < y.tv_sec;
1361 }
1362
1363 /*
1364 Handy routines that follow taken directly from R. Stevens UNP
1365 */
1366
1367 /*! \brief Read "n" bytes from a descriptor. */
1368 ssize_t readn(int fd, void *vptr, size_t n, time_t wait) {
1369 size_t nleft;
1370 ssize_t nread;
1371 char *ptr;
1372 fd_set fds;
1373 struct timeval deadline;
1374
1375 FD_ZERO(&fds);
1376 FD_SET(fd, &fds);
1377
1378 if (gettimeofday(&deadline, NULL))
1379 return -1;
1380 deadline.tv_sec += wait;
1381
1382 ptr = vptr;
1383 nleft = n;
1384 while (nleft > 0) {
1385 struct timeval timeout;
1386 {
1387 struct timeval now;
1388 if (gettimeofday(&now, NULL))
1389 return -1;
1390 if (timeval_subtract(&timeout, deadline, now))
1391 /* timed out */
1392 break;
1393 }
1394
1395 int ret = 0;
1396 if ((ret = select(fd + 1, &fds, NULL, NULL, &timeout)) < 0)
1397 return -1;
1398 else if (ret == 0)
1399 /* timed out */
1400 break;
1401 #ifdef _WIN32
1402 if ( (nread = recv(fd, ptr, nleft, 0)) < 0)
1403 #else
1404 if ( (nread = read(fd, ptr, nleft)) < 0)
1405 #endif
1406 {
1407 if (errno == EINTR)
1408 nread = 0; /* and call read() again */
1409 else
1410 return(-1);
1411 } else if (nread == 0)
1412 break; /* EOF */
1413
1414 nleft -= nread;
1415 ptr += nread;
1416 }
1417 return(n - nleft); /* return >= 0 */
1418 }
1419 /* end readn */
1420
1421 ssize_t
1422 Readn(int fd, void *ptr, size_t nbytes, time_t wait)
1423 {
1424 ssize_t n;
1425
1426 if ( (n = readn(fd, ptr, nbytes, wait)) < 0)
1427 warn("readn error: %s", SockLastErrmsg()());
1428 return(n);
1429 }
1430 #else
1431
1432 /* Rob's read function */
Readn(socket_t fd,void * vptr,size_t n,time_t timeout)1433 size_t Readn(socket_t fd, void *vptr, size_t n, time_t timeout) {
1434 ssize_t nread = 0;
1435 size_t bytes_read = 0;
1436 char *ptr;
1437 fd_set fds;
1438 struct timeval tv;
1439
1440 ptr = (char*)vptr;
1441 while (bytes_read < n) {
1442 FD_ZERO(&fds);
1443 FD_SET(fd, &fds);
1444 tv.tv_usec = 0;
1445 tv.tv_sec = timeout;
1446 if (select(static_cast<int>(fd) + 1, &fds, nullptr, nullptr, &tv) <= 0)
1447 break;
1448 #ifdef _WIN32
1449 if ( (nread = recv(fd, ptr, 1, 0)) < 0) {
1450 #else
1451 if ( (nread = read(fd, ptr, 1)) < 0) {
1452 #endif
1453 warn("unexpected read: %d: %s", (int) nread, SockLastErrmsg()());
1454 } else if (nread == 0) {
1455 break; /* EOF */
1456 } else if (nread == 1) {
1457 bytes_read++;
1458 ptr++;
1459 } else {
1460 warn("unexpected read: %d", (int) nread);
1461 }
1462 }
1463 return(bytes_read);
1464 }
1465 #endif
1466
1467 static ssize_t /* Write "n" bytes to a descriptor. */
1468 writen(socket_t fd, const void *vptr, size_t n)
1469 {
1470 SEND_LEN_T nleft = safe_int<SEND_LEN_T>(n);
1471 SEND_RET_T nwritten;
1472 const char *ptr;
1473
1474 ptr = (const char*)vptr;
1475 while (nleft > 0) {
1476 if ((nwritten = send(fd, ptr, nleft, 0)) <= 0) {
1477 if (errno == EINTR) continue; // keep trying
1478 return -1; // error
1479 }
1480 nleft -= safe_int<SEND_LEN_T>(nwritten);
1481 ptr += nwritten;
1482 }
1483 return safe_int<ssize_t>(n);
1484 }
1485 /* end writen */
1486
1487 void
1488 Writen(socket_t fd, const void *ptr, size_t nbytes)
1489 {
1490 if (writen(fd, ptr, nbytes) != (ssize_t)nbytes)
1491 warn("writen error: %s", SockLastErrmsg()());
1492 }
1493
1494
1495 static int
1496 my_read(socket_t fd, char *ptr)
1497 {
1498 static ssize_t read_cnt = 0;
1499 static char *read_ptr;
1500 static char read_buf[MAXMSGSIZE];
1501
1502 if (read_cnt <= 0) {
1503 again:
1504 #ifdef _WIN32
1505 read_cnt = recv(fd, read_buf, sizeof(read_buf), 0);
1506 #else
1507 read_cnt = read(fd, read_buf, sizeof(read_buf));
1508 #endif
1509 if (read_cnt < 0) {
1510 if (errno == EINTR)
1511 goto again;
1512 return(-1);
1513 } else if (read_cnt == 0)
1514 return(0);
1515 read_ptr = read_buf;
1516 }
1517
1518 read_cnt--;
1519 *ptr = *read_ptr++;
1520 return(1);
1521 }
1522
1523 static ssize_t
1524 readline(socket_t fd, void *vptr, size_t maxlen)
1525 {
1526 size_t n;
1527 int rc;
1528 char c, *ptr;
1529
1530 ptr = (char *)vptr;
1531 for (n = 1; n < maxlen; n++) {
1532 if ( (rc = my_read(fd, &c)) == 1) {
1533 *ptr++ = c;
1534 if (c == '\n')
1535 break; /* newline is stored, like fgets() */
1536 } else if (rc == 0) {
1537 if (n == 1)
1538 return(0); /* EOF, no data read */
1539 else
1540 break; /* EOF, some data was read */
1541 } else
1542 return(-1); /* error, errno set by read() */
1543 }
1544
1545 *ptr = 0; /* null terminate like fgets() */
1546 return safe_int<ssize_t>(n);
1547 }
1548 /* end readline */
1549
1550 ssize_t
1551 Readline(socket_t fd, void *ptr, size_t maxlen)
1552 {
1553 ssize_t n;
1554
1555 if ( (n = readline(fd, ptr, maxlen)) < 0)
1556 warn("readline error: %s", SockLastErrmsg()());
1557 if (n == 0)
1558 printf("** server terminated prematurely");
1559 return(n);
1560 }
1561
1562 /* New socket wrapper */
1563 socket_t newSocket(family_t family, int type, int proto) {
1564 socket_t sock = 0;
1565
1566 if ((sock = socket(family, type, proto)) == INVALID_SOCKET)
1567 warn("create socket failed: %s", SockLastErrmsg()());
1568 return (sock);
1569 }
1570
1571 int setSockTTL(family_t family, socket_t sock, int val)
1572 {
1573 if (family == AF_INET6)
1574 return setsockopt(sock, IPPROTO_IPV6, IPV6_UNICAST_HOPS, (char *)&val, sizeof(val));
1575 else
1576 return setsockopt(sock, IPPROTO_IP, IP_TTL, (char *)&val, sizeof(val));
1577 }
1578
1579 int getSockTTL(family_t family, socket_t sock, int *val)
1580 {
1581 socklen_t size = sizeof(*val);
1582 if (family == AF_INET6)
1583 return getsockopt(sock, IPPROTO_IPV6, IPV6_UNICAST_HOPS, (char *)val, &size);
1584 else
1585 return getsockopt(sock, IPPROTO_IP, IP_TTL, (char *)val, &size);
1586 }
1587
1588 int optSocketHDRINCL(socket_t sock) {
1589 #ifdef _WIN32
1590 BOOL on = TRUE;
1591 #else
1592 int on = 1;
1593 #endif
1594
1595 int ret = setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on));
1596 if (ret < 0)
1597 severe("setsockopt IP_HDRINCL: %s", SockLastErrmsg()());
1598 return ret;
1599 }
1600
1601 int socketSend(socket_t sock, const void *msg, size_t len,
1602 struct probe_info *pinfo)
1603 {
1604 if (pinfo->spoof) {
1605 severe("internal error: socketSend() with pinfo->spoof==true");
1606 return -1;
1607 }
1608
1609 #ifdef HAVE_PCAP
1610 if (!pinfo->sniffer && (
1611 // need verification
1612 (always_verify && !pinfo->layer_success) ||
1613 // need linkhdr
1614 ((spoof_layer(pinfo->dst_sa) == 0 || spoof_layer(pinfo->dst_sa) == 2) &&
1615 pinfo->rtinfo && !pinfo->rtinfo->linkhdr)))
1616 {
1617 init_sniffer(pinfo, len);
1618 }
1619 #endif
1620
1621 debug(DEVELOP, ">> socketSend: send %zu bytes to %s port %d\n",
1622 len, ntopBuf(pinfo->dst_sa)(), ntohs(sa_port(pinfo->dst_sa)));
1623
1624 // On FreeBSD connected datagram sockets, an ICMP error response to an
1625 // earlier packet is reported as an error in the next use of the socket
1626 // (see: SO_ERROR in man getsockopt). We don't want to count those
1627 // external errors as send failure, so we use SO_ERROR to clear errors
1628 // before the next send(). Note, there's still a tiny chance of receiving
1629 // an ICMP response between SO_ERROR and send(). We could ignore certain
1630 // error code values from send(), but that would open a maze of #ifdefs
1631 // and platform-specific interpretations of error codes. (An alternate
1632 // solution would be to open a new socket for every packet.)
1633 char ebuf[256];
1634 if (getSockErr(sock, ebuf, sizeof(ebuf))) {
1635 debug(DEVELOP, ">> socketSend: %s port %d: ignoring async error: %s\n",
1636 ntopBuf(pinfo->dst_sa)(), ntohs(sa_port(pinfo->dst_sa)),
1637 ebuf);
1638 }
1639 // sock is already connect()ed, so we don't need sendto() with a dest (and
1640 // BSD would fail if we supplied one, even if it's the same).
1641 if (send(sock, (const char*)msg, safe_int<SEND_LEN_T>(len), 0) >= 0) {
1642 pinfo->layer_sent = 4;
1643 pinfo->setStatus(UNCONFIRMED);
1644 pinfo->n_sent++;
1645 return 0;
1646 } else {
1647 pinfo->setStatus(SENDFAIL);
1648 return -1;
1649 }
1650 }
1651
1652 int socketSendSpoof(socket_t spoofsock, socket_t udpsock, const void *msg,
1653 size_t len, struct probe_info *pinfo)
1654 {
1655 const sockaddr *dst = pinfo->dst_sa;
1656 int result = -1;
1657
1658 if (!pinfo->spoof) {
1659 severe("internal error: socketSendSpoof() with pinfo->spoof==false");
1660 return -1;
1661 }
1662
1663 // Note: If spoof_layer==0, the first thread to sniff a spoofed probe will
1664 // set spoof_layer, which may affect other threads. (In older versions,
1665 // we'd block other threads in that case, which was especially slow if our
1666 // dest was unroutable: we'd hold the lock through sniffer timeouts for
1667 // both the L3 spoof and the L2 spoof's pilot.) Now, other threads aren't
1668 // blocked; furthermore, one will likely succeed and set spoof_layer fast
1669 // enough that we'll know to not bother trying other APIs.
1670
1671 debug(DEVELOP, ">> socketSendSpoof: layer %d\n", spoof_layer(dst));
1672
1673 if (pinfo->rtinfo && pinfo->rtinfo->linklen == route_info::FAILED) {
1674 // Sniffing failed for a non-spoofed packet to same destination.
1675 // We can't even try L2 spoofing without the linkhdr.
1676 // We _could_ try L3 spoofing, but it would be a waste of time; and it's
1677 // better to leave the status at UNTRIED, not UNCONFIRMED.
1678 if (!pinfo->warnedSkipSpoof || verbosity >= DEVELOP)
1679 info("skipping spoof to %s where non-spoof failed%s",
1680 ntopBuf(dst)(), pinfo->warnedSkipSpoof ? " (debug)" : "");
1681 pinfo->warnedSkipSpoof = true;
1682 return -1;
1683 }
1684
1685 #ifdef HAVE_PCAP
1686 if (!pinfo->rtinfo || !pinfo->rtinfo->ifinfo) {
1687 // use the pilot socket to fill in rtinfo and ifinfo
1688 pinfo->pilot_pinfo =
1689 new_probe_info(IPPROTO_UDP, false, udpsock, nullptr, dst);
1690 if (!pinfo->pilot_pinfo) return -1;
1691 pinfo->rtinfo = pinfo->pilot_pinfo->rtinfo;
1692 }
1693 #endif
1694
1695 for (int pref = 0; spoof_apis[pref].send; pref++) {
1696 spoof_api_info &api = spoof_apis[pref];
1697 if (!(spoof_layer(dst) == 0 || spoof_layer(dst) == api.layer))
1698 continue;
1699
1700 ssize_t sniff_len = -1;
1701 ssize_t pay_len = safe_int<ssize_t>(len - sizeof(udphdr) -
1702 (dst->sa_family == AF_INET ? sizeof(ip) : sizeof(ip6_hdr)));
1703 debug(DEVELOP, ">> socketSendSpoof: sendto %zd bytes to %s port %d\n",
1704 pay_len, ntopBuf(dst)(), ntohs(sa_port(dst)));
1705
1706 #ifdef HAVE_PCAP
1707 if (spoof_layer(dst) == 0) {
1708 if (!api.attempt_printed) {
1709 api.attempt_printed = true;
1710 printf("Attempting to spoof IPv%d with %s (L%d)\n",
1711 familytoipv(dst->sa_family), api.label, api.layer);
1712 }
1713 sniff_len = pay_len; // to verify that this spoofing api works
1714 } else if ((always_verify && !pinfo->layer_success)) {
1715 sniff_len = pay_len; // to verify this pinfo
1716 }
1717 #endif
1718
1719 if (api.send(spoofsock, udpsock, msg, len, pinfo, sniff_len)) {
1720 pinfo->layer_sent = api.layer;
1721 pinfo->setStatus(UNCONFIRMED);
1722 pinfo->n_sent++;
1723
1724 #ifdef HAVE_PCAP
1725 if (!pinfo->sniffer) {
1726 debug(DEVELOP, "not sniffing\n");
1727 } else if (spoof_layer(dst) != 0) {
1728 // API is already known; defer sniffing til free_probe_info()
1729 debug(DEVELOP, "defer sniffing\n");
1730 } else {
1731 debug(DEVELOP, "sniffing\n");
1732 // Sniff the packet to make sure it was transmitted intact.
1733 if (egress_pcap_dispatch(pinfo, "socketSendSpoof") < 0)
1734 break;
1735 if (pinfo->layer_success <= 0) // did not sniff this packet
1736 continue; // maybe try another API
1737 }
1738 #else // HAVE_PCAP
1739 // Can't sniff; we just have to assume spoofing worked.
1740 #endif // HAVE_PCAP
1741 result = 0;
1742 break;
1743 }
1744 pinfo->setStatus(SENDFAIL);
1745 pinfo->layer_sent = 0;
1746 }
1747
1748 return result;
1749 }
1750
1751 static bool spoof_rawip_send(socket_t spoofsock, socket_t udpsock ATR_UNUSED,
1752 const void *msg, size_t len, probe_info *pinfo, ssize_t sniff_len)
1753 {
1754 if (spoofsock == INVALID_SOCKET) return false;
1755 ssize_t rc;
1756 const sockaddr *dst = pinfo->dst_sa;
1757
1758 #ifdef HAVE_PCAP
1759 if (sniff_len >= 0)
1760 init_sniffer(pinfo, safe_int<size_t>(sniff_len));
1761 #endif
1762
1763 #ifdef _BSD /* BSD raw (ip) sockets expect ip_len and ip_off in host order */
1764 uint32_t *bsd_msg = new uint32_t[(len+3)/4]; // uint32 for alignment
1765 memcpy(bsd_msg, msg, len);
1766 struct ip *ip = (struct ip *)bsd_msg;
1767 ip->ip_len = ntohs(ip->ip_len);
1768 ip->ip_off = ntohs(ip->ip_off);
1769 rc = sendto(spoofsock, bsd_msg, len, 0, dst, sa_len(dst));
1770 delete[] bsd_msg;
1771 #else
1772 rc = sendto(spoofsock, (const char*)msg, safe_int<SEND_LEN_T>(len), 0, dst, sa_len(dst));
1773 #endif
1774
1775 if (rc < 0)
1776 warn("send (L3) to %s: %s", ntopBuf(dst)(), SockLastErrmsg()());
1777 return rc >= 0;
1778 }
1779
1780 #ifdef HAVE_PCAP_SENDPACKET
1781 static bool spoof_pcap_send(socket_t spoofsock ATR_UNUSED, socket_t udpsock,
1782 const void *msg, size_t len, probe_info *pinfo, ssize_t sniff_len)
1783 {
1784 const sockaddr *dst = pinfo->dst_sa;
1785 if (pinfo->rtinfo && pinfo->rtinfo->linklen == route_info::FAILED) {
1786 // Sniffing failed for a non-spoofed packet to same destination.
1787 // We can't even try L2 spoofing without the linkhdr.
1788 info("%s: Couldn't find route to host", ntopBuf(dst)());
1789 return false;
1790 }
1791
1792 if (!pinfo->rtinfo || !pinfo->rtinfo->linkhdr) {
1793 debug(DEVELOP, "%s: No known route to host; sending pilot packet\n",
1794 ntopBuf(dst)());
1795 if (!pinfo->pilot_pinfo)
1796 pinfo->pilot_pinfo =
1797 new_probe_info(IPPROTO_UDP, false, udpsock, nullptr, dst);
1798 if (!pinfo->pilot_pinfo) return false;
1799 if (socketSend(udpsock, "", 0, pinfo->pilot_pinfo) < 0)
1800 debug(DEVELOP, "pilot to %s: %s\n", ntopBuf(dst)(),
1801 SockLastErrmsg()());
1802 else
1803 egress_pcap_dispatch(pinfo->pilot_pinfo, "pilot");
1804 pinfo->rtinfo = pinfo->pilot_pinfo->rtinfo;
1805 if (!pinfo->rtinfo || !pinfo->rtinfo->linkhdr) {
1806 info("%s: Can't find route to host", ntopBuf(dst)());
1807 return false;
1808 }
1809 debug(DEVELOP, "%s: pilot packet successful\n", ntopBuf(dst)());
1810 }
1811
1812 u_char pktbuf[BIGBUF]; // link layer PDU
1813 // Copy previously sniffed link header into new packet. (This won't work
1814 // if link header includes a checksum or other payload-dependent fields.)
1815 memcpy(pktbuf, pinfo->rtinfo->linkhdr, pinfo->rtinfo->linklen);
1816 memcpy(pktbuf + pinfo->rtinfo->linklen, msg, len);
1817
1818 if (!pinfo->writer) {
1819 debug(DEVELOP, ">> pcap_open_live\n");
1820 char errbuf[PCAP_ERRBUF_SIZE];
1821 pinfo->writer = pcap_open_live(pinfo->rtinfo->ifinfo->ifname, 0, 0, 0, errbuf);
1822 if (!pinfo->writer) {
1823 printf("ERROR: pcap_open_live: %s", errbuf);
1824 return false;
1825 }
1826 if (verbosity >= DEVELOP) {
1827 printf("L2 (%s) PDU:\n", pinfo->dlt_str());
1828 binDump(pktbuf, pinfo->rtinfo->linklen + len, TRUE);
1829 }
1830 }
1831
1832 if (sniff_len >= 0)
1833 init_sniffer(pinfo, safe_int<size_t>(sniff_len));
1834
1835 debug(DEVELOP, ">> socketSendSpoof: pcap_sendpacket %zu bytes to %s port %d\n",
1836 len, ntopBuf(dst)(), ntohs(sa_port(dst)));
1837 int rc = pcap_sendpacket(pinfo->writer, pktbuf,
1838 safe_int<int>(pinfo->rtinfo->linklen + len));
1839 if (rc < 0) {
1840 print_pcap_error(pinfo->writer, rc, "pcap_sendpacket (L2) on %s to %s",
1841 pinfo->rtinfo->ifinfo->ifname, ntopBuf(dst)());
1842 }
1843 return rc >= 0;
1844 }
1845 #endif // HAVE_PCAP_SENDPACKET
1846
1847 #ifndef HAVE_INET_PTON
1848 static int inet_pton4(const char *src, struct in_addr *dst)
1849 {
1850 int octet;
1851 unsigned int num;
1852 const char *p, *off;
1853 uint8_t tmp[4];
1854 static const char digits[] = "0123456789";
1855
1856 octet = 0;
1857 p = src;
1858 while (1) {
1859 num = 0;
1860 while (*p && ((off = strchr(digits, *p)) != NULL)) {
1861 num *= 10;
1862 num += (off - digits);
1863
1864 if (num > 255) return 0;
1865
1866 p++;
1867 }
1868 if (!*p) break;
1869
1870 /*
1871 * Not a digit, MUST be a dot, else we
1872 * die.
1873 */
1874 if (*p != '.') {
1875 return 0;
1876 }
1877
1878 tmp[octet++] = num;
1879 p++;
1880 }
1881
1882 /*
1883 * End of the string. At the fourth
1884 * octet is OK, anything else is an
1885 * error.
1886 */
1887 if (octet != 3) {
1888 return 0;
1889 }
1890 tmp[3] = num;
1891
1892 memcpy(dst, &tmp, sizeof(tmp));
1893 return 1;
1894 }
1895
1896
1897 #ifdef HAVE_STRUCT_SOCKADDR_IN6
1898 /* int
1899 * inet_pton6(src, dst)
1900 * convert presentation level address to network order binary form.
1901 * return:
1902 * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
1903 * notice:
1904 * (1) does not touch `dst' unless it's returning 1.
1905 * (2) :: in a full address is silently ignored.
1906 * credit:
1907 * inspired by Mark Andrews.
1908 * author:
1909 * Paul Vixie, 1996.
1910 */
1911 static int
1912 inet_pton6(const char *src, unsigned char *dst)
1913 {
1914 static const char xdigits_l[] = "0123456789abcdef",
1915 xdigits_u[] = "0123456789ABCDEF";
1916 u_char tmp[IPV6ADDRLEN], *tp, *endp, *colonp;
1917 const char *xdigits, *curtok;
1918 int ch, saw_xdigit;
1919 u_int val;
1920
1921 memset((tp = tmp), 0, IPV6ADDRLEN);
1922 endp = tp + IPV6ADDRLEN;
1923 colonp = NULL;
1924 /* Leading :: requires some special handling. */
1925 if (*src == ':')
1926 if (*++src != ':')
1927 return (0);
1928 curtok = src;
1929 saw_xdigit = 0;
1930 val = 0;
1931 while ((ch = *src++) != '\0') {
1932 const char *pch;
1933
1934 if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
1935 pch = strchr((xdigits = xdigits_u), ch);
1936 if (pch != NULL) {
1937 val <<= 4;
1938 val |= (pch - xdigits);
1939 if (val > 0xffff)
1940 return (0);
1941 saw_xdigit = 1;
1942 continue;
1943 }
1944 if (ch == ':') {
1945 curtok = src;
1946 if (!saw_xdigit) {
1947 if (colonp)
1948 return (0);
1949 colonp = tp;
1950 continue;
1951 }
1952 if (tp + 2> endp)
1953 return (0);
1954 *tp++ = (u_char) (val >> 8) & 0xff;
1955 *tp++ = (u_char) val & 0xff;
1956 saw_xdigit = 0;
1957 val = 0;
1958 continue;
1959 }
1960 if (ch == '.' && ((tp + IPV4ADDRLEN) <= endp) &&
1961 inet_pton4(curtok, (struct in_addr *) tp) > 0) {
1962 tp += IPV4ADDRLEN;
1963 saw_xdigit = 0;
1964 break; /* '\0' was seen by inet_pton4(). */
1965 }
1966 return (0);
1967 }
1968 if (saw_xdigit) {
1969 if (tp + 2 > endp)
1970 return (0);
1971 *tp++ = (u_char) (val >> 8) & 0xff;
1972 *tp++ = (u_char) val & 0xff;
1973 }
1974 if (colonp != NULL) {
1975 /*
1976 * Since some memmove()'s erroneously fail to handle
1977 * overlapping regions, we'll do the shift by hand.
1978 */
1979 const int n = tp - colonp;
1980 int i;
1981
1982 for (i = 1; i <= n; i++) {
1983 endp[- i] = colonp[n - i];
1984 colonp[n - i] = 0;
1985 }
1986 tp = endp;
1987 }
1988 if (tp != endp)
1989 return (0);
1990 /* bcopy(tmp, dst, IN6ADDRSZ); */
1991 memcpy(dst, tmp, IPV6ADDRLEN);
1992 return (1);
1993 }
1994 #endif
1995
1996 /*
1997 * Utility function, so that the rest of the server doesn't
1998 * have ifdef's around IPv6 support
1999 */
2000 int inet_pton(int af, const char *src, void *dst)
2001 {
2002 if (af == AF_INET) {
2003 return inet_pton4(src, (struct in_addr*)dst);
2004 }
2005
2006 #ifdef HAVE_STRUCT_SOCKADDR_IN6
2007 if (af == AF_INET6) {
2008 return inet_pton6(src, (unsigned char*)dst);
2009 }
2010 #endif
2011
2012 return -1;
2013 }
2014 #endif
2015
2016
2017 #ifndef HAVE_INET_NTOP
2018 /*
2019 * Utility function, so that the rest of the server doesn't
2020 * have ifdef's around IPv6 support
2021 */
2022 const char *inet_ntop(int af, const void *src, char *dst, size_t cnt)
2023 {
2024 if (af == AF_INET) {
2025 const uint8_t *ipaddr = (const uint8_t *)src;
2026
2027 if (cnt <= INET_ADDRSTRLEN) return NULL;
2028
2029 snprintf(dst, cnt, "%d.%d.%d.%d",
2030 ipaddr[0], ipaddr[1],
2031 ipaddr[2], ipaddr[3]);
2032 return dst;
2033 }
2034
2035 /*
2036 * If the system doesn't define this, we define it
2037 * in missing.h
2038 */
2039 if (af == AF_INET6) {
2040 const struct in6_addr *ipaddr = (const struct in6_addr *)src;
2041
2042 if (cnt <= INET6_ADDRSTRLEN) return NULL;
2043
2044 snprintf(dst, cnt, "%x:%x:%x:%x:%x:%x:%x:%x",
2045 (ipaddr->s6_addr[0] << 8) | ipaddr->s6_addr[1],
2046 (ipaddr->s6_addr[2] << 8) | ipaddr->s6_addr[3],
2047 (ipaddr->s6_addr[4] << 8) | ipaddr->s6_addr[5],
2048 (ipaddr->s6_addr[6] << 8) | ipaddr->s6_addr[7],
2049 (ipaddr->s6_addr[8] << 8) | ipaddr->s6_addr[9],
2050 (ipaddr->s6_addr[10] << 8) | ipaddr->s6_addr[11],
2051 (ipaddr->s6_addr[12] << 8) | ipaddr->s6_addr[13],
2052 (ipaddr->s6_addr[14] << 8) | ipaddr->s6_addr[15]);
2053 return dst;
2054 }
2055
2056 return NULL; /* don't support IPv6 */
2057 }
2058 #endif
2059