]> The Tcpdump Group git mirrors - libpcap/blob - pcap-rpcap.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
CI: Call print_so_deps() on rpcapd in remote enabled build
[libpcap] / pcap-rpcap.c
1 /*
2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies
16 * nor the names of its contributors may be used to endorse or promote
17 * products derived from this software without specific prior written
18 * permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 *
32 */
33
34 #include <config.h>
35
36 #include "ftmacros.h"
37 #include "diag-control.h"
38
39 #include <string.h> /* for strlen(), ... */
40 #include <stdlib.h> /* for malloc(), free(), ... */
41 #include <stdarg.h> /* for functions with variable number of arguments */
42 #include <errno.h> /* for the errno variable */
43 #include <limits.h> /* for INT_MAX */
44 #include "sockutils.h"
45 #include "pcap-int.h"
46 #include "pcap-util.h"
47 #include "rpcap-protocol.h"
48 #include "pcap-rpcap.h"
49
50 #ifdef _WIN32
51 #include "charconv.h" /* for utf_8_to_acp_truncated() */
52 #endif
53
54 #ifdef HAVE_OPENSSL
55 #include "sslutils.h"
56 #endif
57
58 /*
59 * This file contains the pcap module for capturing from a remote machine's
60 * interfaces using the RPCAP protocol.
61 *
62 * WARNING: All the RPCAP functions that are allowed to return a buffer
63 * containing the error description can return max PCAP_ERRBUF_SIZE characters.
64 * However there is no guarantees that the string will be zero-terminated.
65 * Best practice is to define the errbuf variable as a char of size
66 * 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end
67 * of the buffer. This will guarantee that no buffer overflows occur even
68 * if we use the printf() to show the error on the screen.
69 *
70 * XXX - actually, null-terminating the error string is part of the
71 * contract for the pcap API; if there's any place in the pcap code
72 * that doesn't guarantee null-termination, even at the expense of
73 * cutting the message short, that's a bug and needs to be fixed.
74 */
75
76 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
77 #ifdef _WIN32
78 #define PCAP_STATS_EX 1 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
79 #endif
80
81 /*
82 * \brief Keeps a list of all the opened connections in the active mode.
83 *
84 * This structure defines a linked list of items that are needed to keep the info required to
85 * manage the active mode.
86 * In other words, when a new connection in active mode starts, this structure is updated so that
87 * it reflects the list of active mode connections currently opened.
88 * This structure is required by findalldevs() and open_remote() to see if they have to open a new
89 * control connection toward the host, or they already have a control connection in place.
90 */
91 struct activehosts
92 {
93 struct sockaddr_storage host;
94 PCAP_SOCKET sockctrl;
95 SSL *ssl;
96 uint8_t protocol_version;
97 int byte_swapped;
98 struct activehosts *next;
99 };
100
101 /* Keeps a list of all the opened connections in the active mode. */
102 static struct activehosts *activeHosts;
103
104 /*
105 * Keeps the main socket identifier when we want to accept a new remote
106 * connection (active mode only).
107 * See the documentation of pcap_remoteact_accept() and
108 * pcap_remoteact_cleanup() for more details.
109 */
110 static PCAP_SOCKET sockmain;
111 static SSL *ssl_main;
112
113 /*
114 * Private data for capturing remotely using the rpcap protocol.
115 */
116 struct pcap_rpcap {
117 /*
118 * This is '1' if we're the network client; it is needed by several
119 * functions (such as pcap_setfilter()) to know whether they have
120 * to use the socket or have to open the local adapter.
121 */
122 int rmt_clientside;
123
124 PCAP_SOCKET rmt_sockctrl; /* socket ID of the socket used for the control connection */
125 PCAP_SOCKET rmt_sockdata; /* socket ID of the socket used for the data connection */
126 SSL *ctrl_ssl, *data_ssl; /* optional transport of rmt_sockctrl and rmt_sockdata via TLS */
127 int rmt_flags; /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */
128 int rmt_capstarted; /* 'true' if the capture is already started (needed to know if we have to call the pcap_startcapture() */
129 char *currentfilter; /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */
130
131 uint8_t protocol_version; /* negotiated protocol version */
132 uint8_t uses_ssl; /* User asked for rpcaps scheme */
133 int byte_swapped; /* Server byte order is swapped from ours */
134
135 unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */
136
137 /*
138 * This keeps the number of packets that have been received by the
139 * application.
140 *
141 * Packets dropped by the kernel buffer are not counted in this
142 * variable. It is always equal to (TotAccepted - TotDrops),
143 * except for the case of remote capture, in which we have also
144 * packets in flight, i.e. that have been transmitted by the remote
145 * host, but that have not been received (yet) from the client.
146 * In this case, (TotAccepted - TotDrops - TotNetDrops) gives a
147 * wrong result, since this number does not corresponds always to
148 * the number of packet received by the application. For this reason,
149 * in the remote capture we need another variable that takes into
150 * account of the number of packets actually received by the
151 * application.
152 */
153 unsigned int TotCapt;
154
155 struct pcap_stat stat;
156 /* XXX */
157 struct pcap *next; /* list of open pcaps that need stuff cleared on close */
158 };
159
160 /****************************************************
161 * *
162 * Locally defined functions *
163 * *
164 ****************************************************/
165 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode);
166 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
167 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog);
168 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog);
169 static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter);
170 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog);
171 static int pcap_setsampling_remote(pcap_t *fp);
172 static int pcap_startcapture_remote(pcap_t *fp);
173 static int rpcap_recv_msg_header(PCAP_SOCKET sock, SSL *, struct rpcap_header *header, char *errbuf);
174 static int rpcap_check_msg_ver(PCAP_SOCKET sock, SSL *, uint8_t expected_ver, struct rpcap_header *header, char *errbuf);
175 static int rpcap_check_msg_type(PCAP_SOCKET sock, SSL *, uint8_t request_type, struct rpcap_header *header, uint16_t *errcode, char *errbuf);
176 static int rpcap_process_msg_header(PCAP_SOCKET sock, SSL *, uint8_t ver, uint8_t request_type, struct rpcap_header *header, char *errbuf);
177 static int rpcap_recv(PCAP_SOCKET sock, SSL *, void *buffer, size_t toread, uint32_t *plen, char *errbuf);
178 static void rpcap_msg_err(PCAP_SOCKET sockctrl, SSL *, uint32_t plen, char *remote_errbuf);
179 static int rpcap_discard(PCAP_SOCKET sock, SSL *, uint32_t len, char *errbuf);
180 static int rpcap_read_packet_msg(struct pcap_rpcap const *, pcap_t *p, size_t size);
181
182 /****************************************************
183 * *
184 * Function bodies *
185 * *
186 ****************************************************/
187
188 /*
189 * This function translates (i.e. de-serializes) a 'rpcap_sockaddr'
190 * structure from the network byte order to a 'sockaddr_in" or
191 * 'sockaddr_in6' structure in the host byte order.
192 *
193 * It accepts an 'rpcap_sockaddr' structure as it is received from the
194 * network, and checks the address family field against various values
195 * to see whether it looks like an IPv4 address, an IPv6 address, or
196 * neither of those. It checks for multiple values in order to try
197 * to handle older rpcap daemons that sent the native OS's 'sockaddr_in'
198 * or 'sockaddr_in6' structures over the wire with some members
199 * byte-swapped, and to handle the fact that AF_INET6 has different
200 * values on different OSes.
201 *
202 * For IPv4 addresses, it converts the address family to host byte
203 * order from network byte order and puts it into the structure,
204 * sets the length if a sockaddr structure has a length, converts the
205 * port number to host byte order from network byte order and puts
206 * it into the structure, copies over the IPv4 address, and zeroes
207 * out the zero padding.
208 *
209 * For IPv6 addresses, it converts the address family to host byte
210 * order from network byte order and puts it into the structure,
211 * sets the length if a sockaddr structure has a length, converts the
212 * port number and flow information to host byte order from network
213 * byte order and puts them into the structure, copies over the IPv6
214 * address, and converts the scope ID to host byte order from network
215 * byte order and puts it into the structure.
216 *
217 * The function will allocate the 'sockaddrout' variable according to the
218 * address family in use. In case the address does not belong to the
219 * AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a
220 * NULL pointer is returned. This usually happens because that address
221 * does not exist on the other host, or is of an address family other
222 * than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage'
223 * structure containing all 'zero' values.
224 *
225 * Older RPCAPDs sent the addresses over the wire in the OS's native
226 * structure format. For most OSes, this looks like the over-the-wire
227 * format, but might have a different value for AF_INET6 than the value
228 * on the machine receiving the reply. For OSes with the newer BSD-style
229 * sockaddr structures, this has, instead of a 2-byte address family,
230 * a 1-byte structure length followed by a 1-byte address family. The
231 * RPCAPD code would put the address family in network byte order before
232 * sending it; that would set it to 0 on a little-endian machine, as
233 * htons() of any value between 1 and 255 would result in a value > 255,
234 * with its lower 8 bits zero, so putting that back into a 1-byte field
235 * would set it to 0.
236 *
237 * Therefore, for older RPCAPDs running on an OS with newer BSD-style
238 * sockaddr structures, the family field, if treated as a big-endian
239 * (network byte order) 16-bit field, would be:
240 *
241 * (length << 8) | family if sent by a big-endian machine
242 * (length << 8) if sent by a little-endian machine
243 *
244 * For current RPCAPDs, and for older RPCAPDs running on an OS with
245 * older BSD-style sockaddr structures, the family field, if treated
246 * as a big-endian 16-bit field, would just contain the family.
247 *
248 * \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has
249 * to be de-serialized.
250 *
251 * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
252 * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
253 * This variable will be allocated automatically inside this function.
254 *
255 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
256 * that will contain the error message (in case there is one).
257 *
258 * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
259 * can be only the fact that the malloc() failed to allocate memory.
260 * The error message is returned in the 'errbuf' variable, while the deserialized address
261 * is returned into the 'sockaddrout' variable.
262 *
263 * \warning This function supports only AF_INET and AF_INET6 address families.
264 *
265 * \warning The sockaddrout (if not NULL) must be deallocated by the user.
266 */
267
268 /*
269 * Possible IPv4 family values other than the designated over-the-wire value,
270 * which is 2 (because everybody, except for Haiku uses 2 for AF_INET,
271 * and Haiku has probably never run the old rpcapd code that put address
272 * structures directly on the wire, rather than the new rpcapd code
273 * that serializes addresses, using 2 for AF_INET).
274 */
275 #define SOCKADDR_IN_LEN 16 /* length of struct sockaddr_in */
276 #define SOCKADDR_IN6_LEN 28 /* length of struct sockaddr_in6 */
277 #define NEW_BSD_AF_INET_BE ((SOCKADDR_IN_LEN << 8) | 2)
278 #define NEW_BSD_AF_INET_LE (SOCKADDR_IN_LEN << 8)
279
280 /*
281 * Possible IPv6 family values other than the designated over-the-wire value,
282 * which is 23 (because that's what Windows uses, and most RPCAP servers
283 * out there are probably running Windows, as WinPcap includes the server
284 * but few if any UN*Xes build and ship it).
285 *
286 * The new BSD sockaddr structure format was in place before 4.4-Lite, so
287 * all the free-software BSDs use it.
288 */
289 #define NEW_BSD_AF_INET6_BSD_BE ((SOCKADDR_IN6_LEN << 8) | 24) /* NetBSD, OpenBSD, BSD/OS */
290 #define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28) /* FreeBSD, DragonFly BSD */
291 #define NEW_BSD_AF_INET6_DARWIN_BE ((SOCKADDR_IN6_LEN << 8) | 30) /* macOS, iOS, anything else Darwin-based */
292 #define NEW_BSD_AF_INET6_LE (SOCKADDR_IN6_LEN << 8)
293 #define LINUX_AF_INET6 10
294 #define HPUX_AF_INET6 22
295 #define AIX_AF_INET6 24
296 #define SOLARIS_AF_INET6 26
297
298 static int
299 rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr **sockaddrout, char *errbuf)
300 {
301 /* Warning: we support only AF_INET and AF_INET6 */
302 switch (ntohs(sockaddrin->family))
303 {
304 case RPCAP_AF_INET:
305 case NEW_BSD_AF_INET_BE:
306 case NEW_BSD_AF_INET_LE:
307 {
308 struct rpcap_sockaddr_in *sockaddrin_ipv4;
309 struct sockaddr_in *sockaddrout_ipv4;
310
311 (*sockaddrout) = (struct sockaddr *) malloc(sizeof(struct sockaddr_in));
312 if ((*sockaddrout) == NULL)
313 {
314 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
315 errno, "malloc() failed");
316 return -1;
317 }
318 sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin;
319 sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout);
320 sockaddrout_ipv4->sin_family = AF_INET;
321 sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port);
322 memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr));
323 memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero));
324 break;
325 }
326
327 #ifdef AF_INET6
328 case RPCAP_AF_INET6:
329 case NEW_BSD_AF_INET6_BSD_BE:
330 case NEW_BSD_AF_INET6_FREEBSD_BE:
331 case NEW_BSD_AF_INET6_DARWIN_BE:
332 case NEW_BSD_AF_INET6_LE:
333 case LINUX_AF_INET6:
334 case HPUX_AF_INET6:
335 case AIX_AF_INET6:
336 case SOLARIS_AF_INET6:
337 {
338 struct rpcap_sockaddr_in6 *sockaddrin_ipv6;
339 struct sockaddr_in6 *sockaddrout_ipv6;
340
341 (*sockaddrout) = (struct sockaddr *) malloc(sizeof(struct sockaddr_in6));
342 if ((*sockaddrout) == NULL)
343 {
344 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
345 errno, "malloc() failed");
346 return -1;
347 }
348 sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin;
349 sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout);
350 sockaddrout_ipv6->sin6_family = AF_INET6;
351 sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port);
352 sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo);
353 memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr));
354 sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id);
355 break;
356 }
357 #endif
358
359 default:
360 /*
361 * It is neither AF_INET nor AF_INET6 (or, if the OS doesn't
362 * support AF_INET6, it's not AF_INET).
363 */
364 *sockaddrout = NULL;
365 break;
366 }
367 return 0;
368 }
369
370 /*
371 * This function reads a packet from the network socket. It does not
372 * deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence
373 * the "nocb" string into its name).
374 *
375 * This function is called by pcap_read_rpcap().
376 *
377 * WARNING: By choice, this function does not make use of semaphores. A smarter
378 * implementation should put a semaphore into the data thread, and a signal will
379 * be raised as soon as there is data into the socket buffer.
380 * However this is complicated and it does not bring any advantages when reading
381 * from the network, in which network delays can be much more important than
382 * these optimizations. Therefore, we chose the following approach:
383 * - the 'timeout' chosen by the user is split in two (half on the server side,
384 * with the usual meaning, and half on the client side)
385 * - this function checks for packets; if there are no packets, it waits for
386 * timeout/2 and then it checks again. If packets are still missing, it returns,
387 * otherwise it reads packets.
388 */
389 static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
390 {
391 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
392 struct rpcap_header *header; /* general header according to the RPCAP format */
393 struct rpcap_pkthdr *net_pkt_header; /* header of the packet, from the message */
394 u_char *net_pkt_data; /* packet data from the message */
395 uint32_t plen;
396 int retval = 0; /* generic return value */
397 int msglen;
398
399 /* Structures needed for the select() call */
400 struct timeval tv; /* maximum time the select() can block waiting for data */
401 fd_set rfds; /* set of socket descriptors we have to check */
402
403 /*
404 * Define the packet buffer timeout, to be used in the select()
405 * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
406 */
407 tv.tv_sec = p->opt.timeout / 1000;
408 tv.tv_usec = (suseconds_t)((p->opt.timeout - tv.tv_sec * 1000) * 1000);
409
410 #ifdef HAVE_OPENSSL
411 /* Check if we still have bytes available in the last decoded TLS record.
412 * If that's the case, we know SSL_read will not block. */
413 retval = pr->data_ssl && SSL_pending(pr->data_ssl) > 0;
414 #endif
415 if (! retval)
416 {
417 /* Watch out sockdata to see if it has input */
418 FD_ZERO(&rfds);
419
420 /*
421 * 'fp->rmt_sockdata' has always to be set before calling the select(),
422 * since it is cleared by the select()
423 */
424 FD_SET(pr->rmt_sockdata, &rfds);
425
426 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
427 retval = 1;
428 #else
429 retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv);
430 #endif
431
432 if (retval == -1)
433 {
434 #ifndef _WIN32
435 if (errno == EINTR)
436 {
437 /* Interrupted. */
438 return 0;
439 }
440 #endif
441 sock_geterrmsg(p->errbuf, PCAP_ERRBUF_SIZE,
442 "select() failed");
443 return -1;
444 }
445 }
446
447 /* There is no data waiting, so return '0' */
448 if (retval == 0)
449 return 0;
450
451 /*
452 * We have to define 'header' as a pointer to a larger buffer,
453 * because in case of UDP we have to read all the message within a single call
454 */
455 header = (struct rpcap_header *) p->buffer;
456 net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header));
457 net_pkt_data = p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr);
458
459 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
460 {
461 /* Read the entire message from the network */
462 msglen = sock_recv_dgram(pr->rmt_sockdata, pr->data_ssl, p->buffer,
463 p->bufsize, p->errbuf, PCAP_ERRBUF_SIZE);
464 if (msglen == -1)
465 {
466 /* Network error. */
467 return -1;
468 }
469 if (msglen == -3)
470 {
471 /* Interrupted receive. */
472 return 0;
473 }
474 if ((size_t)msglen < sizeof(struct rpcap_header))
475 {
476 /*
477 * Message is shorter than an rpcap header.
478 */
479 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
480 "UDP packet message is shorter than an rpcap header");
481 return -1;
482 }
483 plen = ntohl(header->plen);
484 if ((size_t)msglen < sizeof(struct rpcap_header) + plen)
485 {
486 /*
487 * Message is shorter than the header claims it
488 * is.
489 */
490 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
491 "UDP packet message is shorter than its rpcap header claims");
492 return -1;
493 }
494 }
495 else
496 {
497 int status;
498
499 if ((size_t)p->cc < sizeof(struct rpcap_header))
500 {
501 /*
502 * We haven't read any of the packet header yet.
503 * The size we should get is the size of the
504 * packet header.
505 */
506 status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header));
507 if (status == -1)
508 {
509 /* Network error. */
510 return -1;
511 }
512 if (status == -3)
513 {
514 /* Interrupted receive. */
515 return 0;
516 }
517 }
518
519 /*
520 * We have the header, so we know how long the
521 * message payload is. The size we should get
522 * is the size of the packet header plus the
523 * size of the payload.
524 */
525 plen = ntohl(header->plen);
526 if (plen > p->bufsize - sizeof(struct rpcap_header))
527 {
528 /*
529 * This is bigger than the largest
530 * record we'd expect. (We do it by
531 * subtracting in order to avoid an
532 * overflow.)
533 */
534 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
535 "Server sent us a message larger than the largest expected packet message");
536 return -1;
537 }
538 status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header) + plen);
539 if (status == -1)
540 {
541 /* Network error. */
542 return -1;
543 }
544 if (status == -3)
545 {
546 /* Interrupted receive. */
547 return 0;
548 }
549
550 /*
551 * We have the entire message; reset the buffer pointer
552 * and count, as the next read should start a new
553 * message.
554 */
555 p->bp = p->buffer;
556 p->cc = 0;
557 }
558
559 /*
560 * We have the entire message.
561 */
562 header->plen = plen;
563
564 /*
565 * Did the server specify the version we negotiated?
566 */
567 if (rpcap_check_msg_ver(pr->rmt_sockdata, pr->data_ssl, pr->protocol_version,
568 header, p->errbuf) == -1)
569 {
570 return 0; /* Return 'no packets received' */
571 }
572
573 /*
574 * Is this a RPCAP_MSG_PACKET message?
575 */
576 if (header->type != RPCAP_MSG_PACKET)
577 {
578 return 0; /* Return 'no packets received' */
579 }
580
581 if (ntohl(net_pkt_header->caplen) > plen)
582 {
583 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
584 "Packet's captured data goes past the end of the received packet message.");
585 return -1;
586 }
587
588 /* Fill in packet header */
589 pkt_header->caplen = ntohl(net_pkt_header->caplen);
590 pkt_header->len = ntohl(net_pkt_header->len);
591 pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec);
592 pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec);
593
594 /* Supply a pointer to the beginning of the packet data */
595 *pkt_data = net_pkt_data;
596
597 /*
598 * I don't update the counter of the packets dropped by the network since we're using TCP,
599 * therefore no packets are dropped. Just update the number of packets received correctly
600 */
601 pr->TotCapt++;
602
603 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
604 {
605 unsigned int npkt;
606
607 /* We're using UDP, so we need to update the counter of the packets dropped by the network */
608 npkt = ntohl(net_pkt_header->npkt);
609
610 if (pr->TotCapt != npkt)
611 {
612 pr->TotNetDrops += (npkt - pr->TotCapt);
613 pr->TotCapt = npkt;
614 }
615 }
616
617 /* Packet read successfully */
618 return 1;
619 }
620
621 /*
622 * This function reads a packet from the network socket.
623 *
624 * This function relies on the pcap_read_nocb_remote to deliver packets. The
625 * difference, here, is that as soon as a packet is read, it is delivered
626 * to the application by means of a callback function.
627 */
628 static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
629 {
630 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
631 struct pcap_pkthdr pkt_header;
632 u_char *pkt_data;
633 int n = 0;
634 int ret;
635
636 /*
637 * If this is client-side, and we haven't already started
638 * the capture, start it now.
639 */
640 if (pr->rmt_clientside)
641 {
642 /* We are on an remote capture */
643 if (!pr->rmt_capstarted)
644 {
645 /*
646 * The capture isn't started yet, so try to
647 * start it.
648 */
649 if (pcap_startcapture_remote(p))
650 return -1;
651 }
652 }
653
654 /*
655 * This can conceivably process more than INT_MAX packets,
656 * which would overflow the packet count, causing it either
657 * to look like a negative number, and thus cause us to
658 * return a value that looks like an error, or overflow
659 * back into positive territory, and thus cause us to
660 * return a too-low count.
661 *
662 * Therefore, if the packet count is unlimited, we clip
663 * it at INT_MAX; this routine is not expected to
664 * process packets indefinitely, so that's not an issue.
665 */
666 if (PACKET_COUNT_IS_UNLIMITED(cnt))
667 cnt = INT_MAX;
668
669 while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt))
670 {
671 /*
672 * Has "pcap_breakloop()" been called?
673 */
674 if (p->break_loop) {
675 /*
676 * Yes - clear the flag that indicates that it
677 * has, and return PCAP_ERROR_BREAK to indicate
678 * that we were told to break out of the loop.
679 */
680 p->break_loop = 0;
681 return (PCAP_ERROR_BREAK);
682 }
683
684 /*
685 * Read some packets.
686 */
687 ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data);
688 if (ret == 1)
689 {
690 /*
691 * We got a packet.
692 *
693 * Do whatever post-processing is necessary, hand
694 * it to the callback, and count it so we can
695 * return the count.
696 */
697 pcapint_post_process(p->linktype, pr->byte_swapped,
698 &pkt_header, pkt_data);
699 (*callback)(user, &pkt_header, pkt_data);
700 n++;
701 }
702 else if (ret == -1)
703 {
704 /* Error. */
705 return ret;
706 }
707 else
708 {
709 /*
710 * No packet; this could mean that we timed
711 * out, or that we got interrupted, or that
712 * we got a bad packet.
713 *
714 * Were we told to break out of the loop?
715 */
716 if (p->break_loop) {
717 /*
718 * Yes.
719 */
720 p->break_loop = 0;
721 return (PCAP_ERROR_BREAK);
722 }
723 /* No - return the number of packets we've processed. */
724 return n;
725 }
726 }
727 return n;
728 }
729
730 /*
731 * This function sends a CLOSE command to the capture server if we're in
732 * passive mode and an ENDCAP command to the capture server if we're in
733 * active mode.
734 *
735 * It is called when the user calls pcap_close(). It sends a command
736 * to our peer that says 'ok, let's stop capturing'.
737 *
738 * WARNING: Since we're closing the connection, we do not check for errors.
739 */
740 static void pcap_cleanup_rpcap(pcap_t *fp)
741 {
742 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
743 struct rpcap_header header; /* header of the RPCAP packet */
744 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
745 int active = 0; /* active mode or not? */
746
747 /* detect if we're in active mode */
748 temp = activeHosts;
749 while (temp)
750 {
751 if (temp->sockctrl == pr->rmt_sockctrl)
752 {
753 active = 1;
754 break;
755 }
756 temp = temp->next;
757 }
758
759 if (!active)
760 {
761 rpcap_createhdr(&header, pr->protocol_version,
762 RPCAP_MSG_CLOSE, 0, 0);
763
764 /*
765 * Send the close request; don't report any errors, as
766 * we're closing this pcap_t, and have no place to report
767 * the error. No reply is sent to this message.
768 */
769 (void)sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
770 sizeof(struct rpcap_header), NULL, 0);
771 }
772 else
773 {
774 rpcap_createhdr(&header, pr->protocol_version,
775 RPCAP_MSG_ENDCAP_REQ, 0, 0);
776
777 /*
778 * Send the end capture request; don't report any errors,
779 * as we're closing this pcap_t, and have no place to
780 * report the error.
781 */
782 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
783 sizeof(struct rpcap_header), NULL, 0) == 0)
784 {
785 /*
786 * Wait for the answer; don't report any errors,
787 * as we're closing this pcap_t, and have no
788 * place to report the error.
789 */
790 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl,
791 pr->protocol_version, RPCAP_MSG_ENDCAP_REQ,
792 &header, NULL) == 0)
793 {
794 (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl,
795 header.plen, NULL);
796 }
797 }
798 }
799
800 if (pr->rmt_sockdata)
801 {
802 #ifdef HAVE_OPENSSL
803 if (pr->data_ssl)
804 {
805 // Finish using the SSL handle for the data socket.
806 // This must be done *before* the socket is closed.
807 ssl_finish(pr->data_ssl);
808 pr->data_ssl = NULL;
809 }
810 #endif
811 sock_close(pr->rmt_sockdata, NULL, 0);
812 pr->rmt_sockdata = 0;
813 }
814
815 if ((!active) && (pr->rmt_sockctrl))
816 {
817 #ifdef HAVE_OPENSSL
818 if (pr->ctrl_ssl)
819 {
820 // Finish using the SSL handle for the control socket.
821 // This must be done *before* the socket is closed.
822 ssl_finish(pr->ctrl_ssl);
823 pr->ctrl_ssl = NULL;
824 }
825 #endif
826 sock_close(pr->rmt_sockctrl, NULL, 0);
827 }
828
829 pr->rmt_sockctrl = 0;
830 pr->ctrl_ssl = NULL;
831
832 if (pr->currentfilter)
833 {
834 free(pr->currentfilter);
835 pr->currentfilter = NULL;
836 }
837
838 pcapint_cleanup_live_common(fp);
839
840 /* To avoid inconsistencies in the number of sock_init() */
841 sock_cleanup();
842 }
843
844 /*
845 * This function retrieves network statistics from our peer;
846 * it provides only the standard statistics.
847 */
848 static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
849 {
850 struct pcap_stat *retval;
851
852 retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD);
853
854 if (retval)
855 return 0;
856 else
857 return -1;
858 }
859
860 #ifdef _WIN32
861 /*
862 * This function retrieves network statistics from our peer;
863 * it provides the additional statistics supported by pcap_stats_ex().
864 */
865 static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size)
866 {
867 *pcap_stat_size = sizeof (p->stat);
868
869 /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
870 return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX));
871 }
872 #endif
873
874 /*
875 * This function retrieves network statistics from our peer. It
876 * is used by the two previous functions.
877 *
878 * It can be called in two modes:
879 * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e.,
880 * for pcap_stats())
881 * - PCAP_STATS_EX: if we want extended statistics (i.e., for
882 * pcap_stats_ex())
883 *
884 * This 'mode' parameter is needed because in pcap_stats() the variable that
885 * keeps the statistics is allocated by the user. On Windows, this structure
886 * has been extended in order to keep new stats. However, if the user has a
887 * smaller structure and it passes it to pcap_stats(), this function will
888 * try to fill in more data than the size of the structure, so that memory
889 * after the structure will be overwritten.
890 *
891 * So, we need to know it we have to copy just the standard fields, or the
892 * extended fields as well.
893 *
894 * In case we want to copy the extended fields as well, the problem of
895 * memory overflow no longer exists because the structure that's filled
896 * in is part of the pcap_t, so that it can be guaranteed to be large
897 * enough for the additional statistics.
898 *
899 * \param p: the pcap_t structure related to the current instance.
900 *
901 * \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility
902 * with pcap_stat(), where the structure is allocated by the user. In case
903 * of pcap_stats_ex(), this structure and the function return value point
904 * to the same variable.
905 *
906 * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
907 *
908 * \return The structure that keeps the statistics, or NULL in case of error.
909 * The error string is placed in the pcap_t structure.
910 */
911 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
912 {
913 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
914 struct rpcap_header header; /* header of the RPCAP packet */
915 struct rpcap_stats netstats; /* statistics sent on the network */
916 uint32_t plen; /* data remaining in the message */
917
918 #ifdef _WIN32
919 if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX)
920 #else
921 if (mode != PCAP_STATS_STANDARD)
922 #endif
923 {
924 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
925 "Invalid stats mode %d", mode);
926 return NULL;
927 }
928
929 /*
930 * If the capture has not yet started, we cannot request statistics
931 * for the capture from our peer, so we return 0 for all statistics,
932 * as nothing's been seen yet.
933 */
934 if (!pr->rmt_capstarted)
935 {
936 ps->ps_drop = 0;
937 ps->ps_ifdrop = 0;
938 ps->ps_recv = 0;
939 #ifdef _WIN32
940 if (mode == PCAP_STATS_EX)
941 {
942 ps->ps_capt = 0;
943 ps->ps_sent = 0;
944 ps->ps_netdrop = 0;
945 }
946 #endif /* _WIN32 */
947
948 return ps;
949 }
950
951 rpcap_createhdr(&header, pr->protocol_version,
952 RPCAP_MSG_STATS_REQ, 0, 0);
953
954 /* Send the PCAP_STATS command */
955 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
956 sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0)
957 return NULL; /* Unrecoverable network error */
958
959 /* Receive and process the reply message header. */
960 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
961 RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1)
962 return NULL; /* Error */
963
964 plen = header.plen;
965
966 /* Read the reply body */
967 if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&netstats,
968 sizeof(struct rpcap_stats), &plen, p->errbuf) == -1)
969 goto error;
970
971 ps->ps_drop = ntohl(netstats.krnldrop);
972 ps->ps_ifdrop = ntohl(netstats.ifdrop);
973 ps->ps_recv = ntohl(netstats.ifrecv);
974 #ifdef _WIN32
975 if (mode == PCAP_STATS_EX)
976 {
977 ps->ps_capt = pr->TotCapt;
978 ps->ps_netdrop = pr->TotNetDrops;
979 ps->ps_sent = ntohl(netstats.svrcapt);
980 }
981 #endif /* _WIN32 */
982
983 /* Discard the rest of the message. */
984 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, p->errbuf) == -1)
985 goto error_nodiscard;
986
987 return ps;
988
989 error:
990 /*
991 * Discard the rest of the message.
992 * We already reported an error; if this gets an error, just
993 * drive on.
994 */
995 (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
996
997 error_nodiscard:
998 return NULL;
999 }
1000
1001 /*
1002 * This function returns the entry in the list of active hosts for this
1003 * active connection (active mode only), or NULL if there is no
1004 * active connection or an error occurred. It is just for internal
1005 * use.
1006 *
1007 * \param host: a string that keeps the host name of the host for which we
1008 * want to get the socket ID for that active connection.
1009 *
1010 * \param error: a pointer to an int that is set to 1 if an error occurred
1011 * and 0 otherwise.
1012 *
1013 * \param errbuf: a pointer to a user-allocated buffer (of size
1014 * PCAP_ERRBUF_SIZE) that will contain the error message (in case
1015 * there is one).
1016 *
1017 * \return the entry for this host in the list of active connections
1018 * if found, NULL if it's not found or there's an error.
1019 */
1020 static struct activehosts *
1021 rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
1022 {
1023 struct activehosts *temp; /* temp var needed to scan the host list chain */
1024 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
1025
1026 /* retrieve the network address corresponding to 'host' */
1027 addrinfo = NULL;
1028 memset(&hints, 0, sizeof(struct addrinfo));
1029 hints.ai_family = PF_UNSPEC;
1030 hints.ai_socktype = SOCK_STREAM;
1031
1032 addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
1033 PCAP_ERRBUF_SIZE);
1034 if (addrinfo == NULL)
1035 {
1036 *error = 1;
1037 return NULL;
1038 }
1039
1040 temp = activeHosts;
1041
1042 while (temp)
1043 {
1044 ai_next = addrinfo;
1045 while (ai_next)
1046 {
1047 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
1048 {
1049 *error = 0;
1050 freeaddrinfo(addrinfo);
1051 return temp;
1052 }
1053
1054 ai_next = ai_next->ai_next;
1055 }
1056 temp = temp->next;
1057 }
1058
1059 if (addrinfo)
1060 freeaddrinfo(addrinfo);
1061
1062 /*
1063 * The host for which you want to get the socket ID does not have an
1064 * active connection.
1065 */
1066 *error = 0;
1067 return NULL;
1068 }
1069
1070 /*
1071 * This function starts a remote capture.
1072 *
1073 * This function is required since the RPCAP protocol decouples the 'open'
1074 * from the 'start capture' functions.
1075 * This function takes all the parameters needed (which have been stored
1076 * into the pcap_t structure) and sends them to the server.
1077 *
1078 * \param fp: the pcap_t descriptor of the device currently open.
1079 *
1080 * \return '0' if everything is fine, '-1' otherwise. The error message
1081 * (if one) is returned into the 'errbuf' field of the pcap_t structure.
1082 */
1083 static int pcap_startcapture_remote(pcap_t *fp)
1084 {
1085 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1086 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1087 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1088 uint16_t portdata = 0; /* temp variable needed to keep the network port for the data connection */
1089 uint32_t plen;
1090 int active = 0; /* '1' if we're in active mode */
1091 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
1092 char host[INET6_ADDRSTRLEN + 1]; /* numeric name of the other host */
1093
1094 /* socket-related variables*/
1095 struct addrinfo hints; /* temp, needed to open a socket connection */
1096 struct addrinfo *addrinfo; /* temp, needed to open a socket connection */
1097 PCAP_SOCKET sockdata = 0; /* socket descriptor of the data connection */
1098 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1099 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1100 int ai_family; /* temp, keeps the address family used by the control connection */
1101 struct sockaddr_in *sin4;
1102 struct sockaddr_in6 *sin6;
1103
1104 /* RPCAP-related variables*/
1105 struct rpcap_header header; /* header of the RPCAP packet */
1106 struct rpcap_startcapreq *startcapreq; /* start capture request message */
1107 struct rpcap_startcapreply startcapreply; /* start capture reply message */
1108
1109 /* Variables related to the buffer setting */
1110 int res;
1111 socklen_t itemp;
1112 int sockbufsize = 0;
1113 uint32_t server_sockbufsize;
1114
1115 // Take the opportunity to clear pr->data_ssl before any goto error,
1116 // as it seems p->priv is not zeroed after its malloced.
1117 // XXX - it now should be, as it's allocated by pcap_alloc_pcap_t(),
1118 // which does a calloc().
1119 pr->data_ssl = NULL;
1120
1121 /*
1122 * Let's check if sampling has been required.
1123 * If so, let's set it first
1124 */
1125 if (pcap_setsampling_remote(fp) != 0)
1126 return -1;
1127
1128 /* detect if we're in active mode */
1129 temp = activeHosts;
1130 while (temp)
1131 {
1132 if (temp->sockctrl == pr->rmt_sockctrl)
1133 {
1134 active = 1;
1135 break;
1136 }
1137 temp = temp->next;
1138 }
1139
1140 addrinfo = NULL;
1141
1142 /*
1143 * Gets the complete sockaddr structure used in the ctrl connection
1144 * This is needed to get the address family of the control socket
1145 * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
1146 * since the ctrl socket can already be open in case of active mode;
1147 * so I would have to call getpeername() anyway
1148 */
1149 saddrlen = sizeof(struct sockaddr_storage);
1150 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1151 {
1152 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1153 "getsockname() failed");
1154 goto error_nodiscard;
1155 }
1156 ai_family = ((struct sockaddr_storage *) &saddr)->ss_family;
1157
1158 /* Get the numeric address of the remote host we are connected to */
1159 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, host,
1160 sizeof(host), NULL, 0, NI_NUMERICHOST))
1161 {
1162 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1163 "getnameinfo() failed");
1164 goto error_nodiscard;
1165 }
1166
1167 /*
1168 * Data connection is opened by the server toward the client if:
1169 * - we're using TCP, and the user wants us to be in active mode
1170 * - we're using UDP
1171 */
1172 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1173 {
1174 /*
1175 * We have to create a new socket to receive packets
1176 * We have to do that immediately, since we have to tell the other
1177 * end which network port we picked up
1178 */
1179 memset(&hints, 0, sizeof(struct addrinfo));
1180 /* TEMP addrinfo is NULL in case of active */
1181 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1182 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1183 hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */
1184
1185 /* Let's the server pick up a free network port for us */
1186 addrinfo = sock_initaddress(NULL, NULL, &hints, fp->errbuf,
1187 PCAP_ERRBUF_SIZE);
1188 if (addrinfo == NULL)
1189 goto error_nodiscard;
1190
1191 if ((sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER,
1192 1 /* max 1 connection in queue */, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1193 goto error_nodiscard;
1194
1195 /* addrinfo is no longer used */
1196 freeaddrinfo(addrinfo);
1197 addrinfo = NULL;
1198
1199 /* get the complete sockaddr structure used in the data connection */
1200 saddrlen = sizeof(struct sockaddr_storage);
1201 if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1202 {
1203 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1204 "getsockname() failed");
1205 goto error_nodiscard;
1206 }
1207
1208 switch (saddr.ss_family) {
1209
1210 case AF_INET:
1211 sin4 = (struct sockaddr_in *)&saddr;
1212 portdata = sin4->sin_port;
1213 break;
1214
1215 case AF_INET6:
1216 sin6 = (struct sockaddr_in6 *)&saddr;
1217 portdata = sin6->sin6_port;
1218 break;
1219
1220 default:
1221 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1222 "Local address has unknown address family %u",
1223 saddr.ss_family);
1224 goto error_nodiscard;
1225 }
1226 }
1227
1228 /*
1229 * Now it's time to start playing with the RPCAP protocol
1230 * RPCAP start capture command: create the request message
1231 */
1232 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1233 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1234 goto error_nodiscard;
1235
1236 rpcap_createhdr((struct rpcap_header *) sendbuf,
1237 pr->protocol_version, RPCAP_MSG_STARTCAP_REQ, 0,
1238 sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn));
1239
1240 /* Fill the structure needed to open an adapter remotely */
1241 startcapreq = (struct rpcap_startcapreq *) &sendbuf[sendbufidx];
1242
1243 if (sock_bufferize(NULL, sizeof(struct rpcap_startcapreq), NULL,
1244 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1245 goto error_nodiscard;
1246
1247 memset(startcapreq, 0, sizeof(struct rpcap_startcapreq));
1248
1249 /* By default, apply half the timeout on one side, half of the other */
1250 fp->opt.timeout = fp->opt.timeout / 2;
1251 startcapreq->read_timeout = htonl(fp->opt.timeout);
1252
1253 /* portdata on the openreq is meaningful only if we're in active mode */
1254 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1255 {
1256 startcapreq->portdata = portdata;
1257 }
1258
1259 startcapreq->snaplen = htonl(fp->snapshot);
1260 startcapreq->flags = 0;
1261
1262 if (pr->rmt_flags & PCAP_OPENFLAG_PROMISCUOUS)
1263 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_PROMISC;
1264 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
1265 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_DGRAM;
1266 if (active)
1267 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN;
1268
1269 startcapreq->flags = htons(startcapreq->flags);
1270
1271 /* Pack the capture filter */
1272 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, &fp->fcode))
1273 goto error_nodiscard;
1274
1275 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1276 PCAP_ERRBUF_SIZE) < 0)
1277 goto error_nodiscard;
1278
1279 /* Receive and process the reply message header. */
1280 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
1281 RPCAP_MSG_STARTCAP_REQ, &header, fp->errbuf) == -1)
1282 goto error_nodiscard;
1283
1284 plen = header.plen;
1285
1286 if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&startcapreply,
1287 sizeof(struct rpcap_startcapreply), &plen, fp->errbuf) == -1)
1288 goto error;
1289
1290 /*
1291 * In case of UDP data stream, the connection is always opened by the daemon
1292 * So, this case is already covered by the code above.
1293 * Now, we have still to handle TCP connections, because:
1294 * - if we're in active mode, we have to wait for a remote connection
1295 * - if we're in passive more, we have to start a connection
1296 *
1297 * We have to do he job in two steps because in case we're opening a TCP connection, we have
1298 * to tell the port we're using to the remote side; in case we're accepting a TCP
1299 * connection, we have to wait this info from the remote side.
1300 */
1301 if (!(pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1302 {
1303 if (!active)
1304 {
1305 char portstring[PCAP_BUF_SIZE];
1306
1307 memset(&hints, 0, sizeof(struct addrinfo));
1308 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1309 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1310 snprintf(portstring, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
1311
1312 /* Let's the server pick up a free network port for us */
1313 addrinfo = sock_initaddress(host, portstring, &hints,
1314 fp->errbuf, PCAP_ERRBUF_SIZE);
1315 if (addrinfo == NULL)
1316 goto error;
1317
1318 if ((sockdata = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1319 goto error;
1320
1321 /* addrinfo is no longer used */
1322 freeaddrinfo(addrinfo);
1323 addrinfo = NULL;
1324 }
1325 else
1326 {
1327 PCAP_SOCKET socktemp; /* We need another socket, since we're going to accept() a connection */
1328
1329 /* Connection creation */
1330 saddrlen = sizeof(struct sockaddr_storage);
1331
1332 socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen);
1333
1334 if (socktemp == INVALID_SOCKET)
1335 {
1336 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1337 "accept() failed");
1338 goto error;
1339 }
1340
1341 /* Now that I accepted the connection, the server socket is no longer needed */
1342 sock_close(sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1343 sockdata = socktemp;
1344 }
1345 }
1346
1347 /* Let's save the socket of the data connection */
1348 pr->rmt_sockdata = sockdata;
1349
1350 #ifdef HAVE_OPENSSL
1351 if (pr->uses_ssl)
1352 {
1353 pr->data_ssl = ssl_promotion(0, sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1354 if (! pr->data_ssl) goto error;
1355 }
1356 #endif
1357
1358 /*
1359 * Set the size of the socket buffer for the data socket.
1360 * It has the same size as the local capture buffer used
1361 * on the other side of the connection.
1362 */
1363 server_sockbufsize = ntohl(startcapreply.bufsize);
1364
1365 /* Let's get the actual size of the socket buffer */
1366 itemp = sizeof(sockbufsize);
1367
1368 res = getsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&sockbufsize, &itemp);
1369 if (res == -1)
1370 {
1371 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1372 "pcap_startcapture_remote(): getsockopt() failed");
1373 goto error;
1374 }
1375
1376 /*
1377 * Warning: on some kernels (e.g. Linux), the size of the user
1378 * buffer does not take into account the pcap_header and such,
1379 * and it is set equal to the snaplen.
1380 *
1381 * In my view, this is wrong (the meaning of the bufsize became
1382 * a bit strange). So, here bufsize is the whole size of the
1383 * user buffer. In case the bufsize returned is too small,
1384 * let's adjust it accordingly.
1385 */
1386 if (server_sockbufsize <= (u_int) fp->snapshot)
1387 server_sockbufsize += sizeof(struct pcap_pkthdr);
1388
1389 /* if the current socket buffer is smaller than the desired one */
1390 if ((u_int) sockbufsize < server_sockbufsize)
1391 {
1392 /*
1393 * Loop until the buffer size is OK or the original
1394 * socket buffer size is larger than this one.
1395 */
1396 for (;;)
1397 {
1398 res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF,
1399 (char *)&(server_sockbufsize),
1400 sizeof(server_sockbufsize));
1401
1402 if (res == 0)
1403 break;
1404
1405 /*
1406 * If something goes wrong, halve the buffer size
1407 * (checking that it does not become smaller than
1408 * the current one).
1409 */
1410 server_sockbufsize /= 2;
1411
1412 if ((u_int) sockbufsize >= server_sockbufsize)
1413 {
1414 server_sockbufsize = sockbufsize;
1415 break;
1416 }
1417 }
1418 }
1419
1420 /*
1421 * Let's allocate the packet; this is required in order to put
1422 * the packet somewhere when extracting data from the socket.
1423 * Since buffering has already been done in the socket buffer,
1424 * here we need just a buffer whose size is equal to the
1425 * largest possible packet message for the snapshot size,
1426 * namely the length of the message header plus the length
1427 * of the packet header plus the snapshot length.
1428 */
1429 fp->bufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + fp->snapshot;
1430
1431 fp->buffer = (u_char *)malloc(fp->bufsize);
1432 if (fp->buffer == NULL)
1433 {
1434 pcapint_fmt_errmsg_for_errno(fp->errbuf, PCAP_ERRBUF_SIZE,
1435 errno, "malloc");
1436 goto error;
1437 }
1438
1439 /*
1440 * The buffer is currently empty.
1441 */
1442 fp->bp = fp->buffer;
1443 fp->cc = 0;
1444
1445 /* Discard the rest of the message. */
1446 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, fp->errbuf) == -1)
1447 goto error_nodiscard;
1448
1449 /*
1450 * In case the user does not want to capture RPCAP packets, let's update the filter
1451 * We have to update it here (instead of sending it into the 'StartCapture' message
1452 * because when we generate the 'start capture' we do not know (yet) all the ports
1453 * we're currently using.
1454 */
1455 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1456 {
1457 struct bpf_program fcode;
1458
1459 if (pcap_createfilter_norpcappkt(fp, &fcode) == -1)
1460 goto error;
1461
1462 /* We cannot use 'pcap_setfilter_rpcap' because formally the capture has not been started yet */
1463 /* (the 'pr->rmt_capstarted' variable will be updated some lines below) */
1464 if (pcap_updatefilter_remote(fp, &fcode) == -1)
1465 goto error;
1466
1467 pcap_freecode(&fcode);
1468 }
1469
1470 pr->rmt_capstarted = 1;
1471 return 0;
1472
1473 error:
1474 /*
1475 * When the connection has been established, we have to close it. So, at the
1476 * beginning of this function, if an error occur we return immediately with
1477 * a return NULL; when the connection is established, we have to come here
1478 * ('goto error;') in order to close everything properly.
1479 */
1480
1481 /*
1482 * Discard the rest of the message.
1483 * We already reported an error; if this gets an error, just
1484 * drive on.
1485 */
1486 (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
1487
1488 error_nodiscard:
1489 #ifdef HAVE_OPENSSL
1490 if (pr->data_ssl)
1491 {
1492 // Finish using the SSL handle for the data socket.
1493 // This must be done *before* the socket is closed.
1494 ssl_finish(pr->data_ssl);
1495 pr->data_ssl = NULL;
1496 }
1497 #endif
1498
1499 /* we can be here because sockdata said 'error' */
1500 if ((sockdata != 0) && (sockdata != INVALID_SOCKET))
1501 sock_close(sockdata, NULL, 0);
1502
1503 if (!active)
1504 {
1505 #ifdef HAVE_OPENSSL
1506 if (pr->ctrl_ssl)
1507 {
1508 // Finish using the SSL handle for the control socket.
1509 // This must be done *before* the socket is closed.
1510 ssl_finish(pr->ctrl_ssl);
1511 pr->ctrl_ssl = NULL;
1512 }
1513 #endif
1514 sock_close(pr->rmt_sockctrl, NULL, 0);
1515 }
1516
1517 if (addrinfo != NULL)
1518 freeaddrinfo(addrinfo);
1519
1520 /*
1521 * We do not have to call pcap_close() here, because this function is always called
1522 * by the user in case something bad happens
1523 */
1524 #if 0
1525 if (fp)
1526 {
1527 pcap_close(fp);
1528 fp= NULL;
1529 }
1530 #endif
1531
1532 return -1;
1533 }
1534
1535 /*
1536 * This function takes a bpf program and sends it to the other host.
1537 *
1538 * This function can be called in two cases:
1539 * - pcap_startcapture_remote() is called (we have to send the filter
1540 * along with the 'start capture' command)
1541 * - we want to update the filter during a capture (i.e. pcap_setfilter()
1542 * after the capture has been started)
1543 *
1544 * This function serializes the filter into the sending buffer ('sendbuf',
1545 * passed as a parameter) and return back. It does not send anything on
1546 * the network.
1547 *
1548 * \param fp: the pcap_t descriptor of the device currently opened.
1549 *
1550 * \param sendbuf: the buffer on which the serialized data has to copied.
1551 *
1552 * \param sendbufidx: it is used to return the amount of bytes copied into the buffer.
1553 *
1554 * \param prog: the bpf program we have to copy.
1555 *
1556 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1557 * is returned into the 'errbuf' field of the pcap_t structure.
1558 */
1559 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
1560 {
1561 struct rpcap_filter *filter;
1562 struct rpcap_filterbpf_insn *insn;
1563 struct bpf_insn *bf_insn;
1564 struct bpf_program fake_prog; /* To be used just in case the user forgot to set a filter */
1565 unsigned int i;
1566
1567 if (prog->bf_len == 0) /* No filters have been specified; so, let's apply a "fake" filter */
1568 {
1569 if (pcap_compile(fp, &fake_prog, NULL /* buffer */, 1, 0) == -1)
1570 return -1;
1571
1572 prog = &fake_prog;
1573 }
1574
1575 filter = (struct rpcap_filter *) sendbuf;
1576
1577 if (sock_bufferize(NULL, sizeof(struct rpcap_filter), NULL, sendbufidx,
1578 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1579 return -1;
1580
1581 filter->filtertype = htons(RPCAP_UPDATEFILTER_BPF);
1582 filter->nitems = htonl((int32_t)prog->bf_len);
1583
1584 if (sock_bufferize(NULL, prog->bf_len * sizeof(struct rpcap_filterbpf_insn),
1585 NULL, sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1586 return -1;
1587
1588 insn = (struct rpcap_filterbpf_insn *) (filter + 1);
1589 bf_insn = prog->bf_insns;
1590
1591 for (i = 0; i < prog->bf_len; i++)
1592 {
1593 insn->code = htons(bf_insn->code);
1594 insn->jf = bf_insn->jf;
1595 insn->jt = bf_insn->jt;
1596 insn->k = htonl(bf_insn->k);
1597
1598 insn++;
1599 bf_insn++;
1600 }
1601
1602 return 0;
1603 }
1604
1605 /*
1606 * This function updates a filter on a remote host.
1607 *
1608 * It is called when the user wants to update a filter.
1609 * In case we're capturing from the network, it sends the filter to our
1610 * peer.
1611 * This function is *not* called automatically when the user calls
1612 * pcap_setfilter().
1613 * There will be two cases:
1614 * - the capture has been started: in this case, pcap_setfilter_rpcap()
1615 * calls pcap_updatefilter_remote()
1616 * - the capture has not started yet: in this case, pcap_setfilter_rpcap()
1617 * stores the filter into the pcap_t structure, and then the filter is
1618 * sent with pcap_startcap().
1619 *
1620 * WARNING This function *does not* clear the packet currently into the
1621 * buffers. Therefore, the user has to expect to receive some packets
1622 * that are related to the previous filter. If you want to discard all
1623 * the packets before applying a new filter, you have to close the
1624 * current capture session and start a new one.
1625 *
1626 * XXX - we really should have pcap_setfilter() always discard packets
1627 * received with the old filter, and have a separate pcap_setfilter_noflush()
1628 * function that doesn't discard any packets.
1629 */
1630 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog)
1631 {
1632 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1633 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1634 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1635 struct rpcap_header header; /* To keep the reply message */
1636
1637 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx,
1638 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1639 return -1;
1640
1641 rpcap_createhdr((struct rpcap_header *) sendbuf,
1642 pr->protocol_version, RPCAP_MSG_UPDATEFILTER_REQ, 0,
1643 sizeof(struct rpcap_filter) + prog->bf_len * sizeof(struct rpcap_filterbpf_insn));
1644
1645 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, prog))
1646 return -1;
1647
1648 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1649 PCAP_ERRBUF_SIZE) < 0)
1650 return -1;
1651
1652 /* Receive and process the reply message header. */
1653 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
1654 RPCAP_MSG_UPDATEFILTER_REQ, &header, fp->errbuf) == -1)
1655 return -1;
1656
1657 /*
1658 * It shouldn't have any contents; discard it if it does.
1659 */
1660 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
1661 return -1;
1662
1663 return 0;
1664 }
1665
1666 static void
1667 pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter)
1668 {
1669 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1670
1671 /*
1672 * Check if:
1673 * - We are on an remote capture
1674 * - we do not want to capture RPCAP traffic
1675 *
1676 * If so, we have to save the current filter, because we have to
1677 * add some piece of stuff later
1678 */
1679 if (pr->rmt_clientside &&
1680 (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP))
1681 {
1682 if (pr->currentfilter)
1683 free(pr->currentfilter);
1684
1685 if (filter == NULL)
1686 filter = "";
1687
1688 pr->currentfilter = strdup(filter);
1689 }
1690 }
1691
1692 /*
1693 * This function sends a filter to a remote host.
1694 *
1695 * This function is called when the user wants to set a filter.
1696 * It sends the filter to our peer.
1697 * This function is called automatically when the user calls pcap_setfilter().
1698 *
1699 * Parameters and return values are exactly the same of pcap_setfilter().
1700 */
1701 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog)
1702 {
1703 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1704
1705 if (!pr->rmt_capstarted)
1706 {
1707 /* copy filter into the pcap_t structure */
1708 if (pcapint_install_bpf_program(fp, prog) == -1)
1709 return -1;
1710 return 0;
1711 }
1712
1713 /* we have to update a filter during run-time */
1714 if (pcap_updatefilter_remote(fp, prog))
1715 return -1;
1716
1717 return 0;
1718 }
1719
1720 /*
1721 * This function updates the current filter in order not to capture rpcap
1722 * packets.
1723 *
1724 * This function is called *only* when the user wants exclude RPCAP packets
1725 * related to the current session from the captured packets.
1726 *
1727 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1728 * is returned into the 'errbuf' field of the pcap_t structure.
1729 */
1730 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog)
1731 {
1732 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1733 int RetVal = 0;
1734
1735 /* We do not want to capture our RPCAP traffic. So, let's update the filter */
1736 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1737 {
1738 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1739 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1740 char myaddress[128];
1741 char myctrlport[128];
1742 char mydataport[128];
1743 char peeraddress[128];
1744 char peerctrlport[128];
1745 char *newfilter;
1746
1747 /* Get the name/port of our peer */
1748 saddrlen = sizeof(struct sockaddr_storage);
1749 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1750 {
1751 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1752 "getpeername() failed");
1753 return -1;
1754 }
1755
1756 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peeraddress,
1757 sizeof(peeraddress), peerctrlport, sizeof(peerctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1758 {
1759 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1760 "getnameinfo() failed");
1761 return -1;
1762 }
1763
1764 /* We cannot check the data port, because this is available only in case of TCP sockets */
1765 /* Get the name/port of the current host */
1766 if (getsockname(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1767 {
1768 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1769 "getsockname() failed");
1770 return -1;
1771 }
1772
1773 /* Get the local port the system picked up */
1774 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, myaddress,
1775 sizeof(myaddress), myctrlport, sizeof(myctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1776 {
1777 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1778 "getnameinfo() failed");
1779 return -1;
1780 }
1781
1782 /* Let's now check the data port */
1783 if (getsockname(pr->rmt_sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1784 {
1785 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1786 "getsockname() failed");
1787 return -1;
1788 }
1789
1790 /* Get the local port the system picked up */
1791 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV))
1792 {
1793 sock_geterrmsg(fp->errbuf, PCAP_ERRBUF_SIZE,
1794 "getnameinfo() failed");
1795 return -1;
1796 }
1797
1798 if (pr->currentfilter && pr->currentfilter[0] != '\0')
1799 {
1800 /*
1801 * We have a current filter; add items to it to
1802 * filter out this rpcap session.
1803 */
1804 if (pcapint_asprintf(&newfilter,
1805 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1806 pr->currentfilter, myaddress, peeraddress,
1807 myctrlport, peerctrlport, myaddress, peeraddress,
1808 mydataport) == -1)
1809 {
1810 /* Failed. */
1811 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1812 "Can't allocate memory for new filter");
1813 return -1;
1814 }
1815 }
1816 else
1817 {
1818 /*
1819 * We have no current filter; construct a filter to
1820 * filter out this rpcap session.
1821 */
1822 if (pcapint_asprintf(&newfilter,
1823 "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1824 myaddress, peeraddress, myctrlport, peerctrlport,
1825 myaddress, peeraddress, mydataport) == -1)
1826 {
1827 /* Failed. */
1828 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1829 "Can't allocate memory for new filter");
1830 return -1;
1831 }
1832 }
1833
1834 /*
1835 * This is only an hack to prevent the save_current_filter
1836 * routine, which will be called when we call pcap_compile(),
1837 * from saving the modified filter.
1838 */
1839 pr->rmt_clientside = 0;
1840
1841 if (pcap_compile(fp, prog, newfilter, 1, 0) == -1)
1842 RetVal = -1;
1843
1844 /* Undo the hack. */
1845 pr->rmt_clientside = 1;
1846
1847 free(newfilter);
1848 }
1849
1850 return RetVal;
1851 }
1852
1853 /*
1854 * This function sets sampling parameters in the remote host.
1855 *
1856 * It is called when the user wants to set activate sampling on the
1857 * remote host.
1858 *
1859 * Sampling parameters are defined into the 'pcap_t' structure.
1860 *
1861 * \param p: the pcap_t descriptor of the device currently opened.
1862 *
1863 * \return '0' if everything is OK, '-1' is something goes wrong. The
1864 * error message is returned in the 'errbuf' member of the pcap_t structure.
1865 */
1866 static int pcap_setsampling_remote(pcap_t *fp)
1867 {
1868 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1869 char sendbuf[RPCAP_NETBUF_SIZE];/* temporary buffer in which data to be sent is buffered */
1870 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1871 struct rpcap_header header; /* To keep the reply message */
1872 struct rpcap_sampling *sampling_pars; /* Structure that is needed to send sampling parameters to the remote host */
1873
1874 /* If no sampling is requested, return 'ok' */
1875 if (fp->rmt_samp.method == PCAP_SAMP_NOSAMP)
1876 return 0;
1877
1878 /*
1879 * Check for sampling parameters that don't fit in a message.
1880 * We'll let the server complain about invalid parameters
1881 * that do fit into the message.
1882 */
1883 if (fp->rmt_samp.method < 0 || fp->rmt_samp.method > 255) {
1884 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1885 "Invalid sampling method %d", fp->rmt_samp.method);
1886 return -1;
1887 }
1888 if (fp->rmt_samp.value < 0 || fp->rmt_samp.value > 65535) {
1889 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1890 "Invalid sampling value %d", fp->rmt_samp.value);
1891 return -1;
1892 }
1893
1894 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1895 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1896 return -1;
1897
1898 rpcap_createhdr((struct rpcap_header *) sendbuf,
1899 pr->protocol_version, RPCAP_MSG_SETSAMPLING_REQ, 0,
1900 sizeof(struct rpcap_sampling));
1901
1902 /* Fill the structure needed to open an adapter remotely */
1903 sampling_pars = (struct rpcap_sampling *) &sendbuf[sendbufidx];
1904
1905 if (sock_bufferize(NULL, sizeof(struct rpcap_sampling), NULL,
1906 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1907 return -1;
1908
1909 memset(sampling_pars, 0, sizeof(struct rpcap_sampling));
1910
1911 sampling_pars->method = (uint8_t)fp->rmt_samp.method;
1912 sampling_pars->value = (uint16_t)htonl(fp->rmt_samp.value);
1913
1914 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1915 PCAP_ERRBUF_SIZE) < 0)
1916 return -1;
1917
1918 /* Receive and process the reply message header. */
1919 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
1920 RPCAP_MSG_SETSAMPLING_REQ, &header, fp->errbuf) == -1)
1921 return -1;
1922
1923 /*
1924 * It shouldn't have any contents; discard it if it does.
1925 */
1926 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
1927 return -1;
1928
1929 return 0;
1930 }
1931
1932 /*********************************************************
1933 * *
1934 * Miscellaneous functions *
1935 * *
1936 *********************************************************/
1937
1938 /*
1939 * This function performs authentication and protocol version
1940 * negotiation. It is required in order to open the connection
1941 * with the other end party.
1942 *
1943 * It sends authentication parameters on the control socket and
1944 * reads the reply. If the reply is a success indication, it
1945 * checks whether the reply includes minimum and maximum supported
1946 * versions from the server; if not, it assumes both are 0, as
1947 * that means it's an older server that doesn't return supported
1948 * version numbers in authentication replies, so it only supports
1949 * version 0. It then tries to determine the maximum version
1950 * supported both by us and by the server. If it can find such a
1951 * version, it sets us up to use that version; otherwise, it fails,
1952 * indicating that there is no version supported by us and by the
1953 * server.
1954 *
1955 * \param sock: the socket we are currently using.
1956 *
1957 * \param ver: pointer to variable to which to set the protocol version
1958 * number we selected.
1959 *
1960 * \param byte_swapped: pointer to variable to which to set 1 if the
1961 * byte order the server says it has is byte-swapped from ours, 0
1962 * otherwise (whether it's the same as ours or is unknown).
1963 *
1964 * \param auth: authentication parameters that have to be sent.
1965 *
1966 * \param errbuf: a pointer to a user-allocated buffer (of size
1967 * PCAP_ERRBUF_SIZE) that will contain the error message (in case there
1968 * is one). It could be a network problem or the fact that the authorization
1969 * failed.
1970 *
1971 * \return '0' if everything is fine, '-1' for an error. For errors,
1972 * an error message string is returned in the 'errbuf' variable.
1973 */
1974 static int rpcap_doauth(PCAP_SOCKET sockctrl, SSL *ssl, uint8_t *ver,
1975 int *byte_swapped, struct pcap_rmtauth *auth, char *errbuf)
1976 {
1977 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data that has to be sent is buffered */
1978 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1979 uint16_t length; /* length of the payload of this message */
1980 struct rpcap_auth *rpauth;
1981 uint16_t auth_type;
1982 struct rpcap_header header;
1983 size_t str_length;
1984 uint32_t plen;
1985 struct rpcap_authreply authreply; /* authentication reply message */
1986 uint8_t ourvers;
1987 int has_byte_order; /* The server sent its version of the byte-order magic number */
1988 u_int their_byte_order_magic; /* Here's what it is */
1989
1990 if (auth)
1991 {
1992 switch (auth->type)
1993 {
1994 case RPCAP_RMTAUTH_NULL:
1995 length = sizeof(struct rpcap_auth);
1996 break;
1997
1998 case RPCAP_RMTAUTH_PWD:
1999 length = sizeof(struct rpcap_auth);
2000 if (auth->username)
2001 {
2002 str_length = strlen(auth->username);
2003 if (str_length > 65535)
2004 {
2005 snprintf(errbuf, PCAP_ERRBUF_SIZE, "User name is too long (> 65535 bytes)");
2006 return -1;
2007 }
2008 length += (uint16_t)str_length;
2009 }
2010 if (auth->password)
2011 {
2012 str_length = strlen(auth->password);
2013 if (str_length > 65535)
2014 {
2015 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Password is too long (> 65535 bytes)");
2016 return -1;
2017 }
2018 length += (uint16_t)str_length;
2019 }
2020 break;
2021
2022 default:
2023 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
2024 return -1;
2025 }
2026
2027 auth_type = (uint16_t)auth->type;
2028 }
2029 else
2030 {
2031 auth_type = RPCAP_RMTAUTH_NULL;
2032 length = sizeof(struct rpcap_auth);
2033 }
2034
2035 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
2036 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
2037 return -1;
2038
2039 rpcap_createhdr((struct rpcap_header *) sendbuf, 0,
2040 RPCAP_MSG_AUTH_REQ, 0, length);
2041
2042 rpauth = (struct rpcap_auth *) &sendbuf[sendbufidx];
2043
2044 if (sock_bufferize(NULL, sizeof(struct rpcap_auth), NULL,
2045 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
2046 return -1;
2047
2048 memset(rpauth, 0, sizeof(struct rpcap_auth));
2049
2050 rpauth->type = htons(auth_type);
2051
2052 if (auth_type == RPCAP_RMTAUTH_PWD)
2053 {
2054 if (auth->username)
2055 rpauth->slen1 = (uint16_t)strlen(auth->username);
2056 else
2057 rpauth->slen1 = 0;
2058
2059 if (sock_bufferize(auth->username, rpauth->slen1, sendbuf,
2060 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2061 return -1;
2062
2063 if (auth->password)
2064 rpauth->slen2 = (uint16_t)strlen(auth->password);
2065 else
2066 rpauth->slen2 = 0;
2067
2068 if (sock_bufferize(auth->password, rpauth->slen2, sendbuf,
2069 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2070 return -1;
2071
2072 rpauth->slen1 = htons(rpauth->slen1);
2073 rpauth->slen2 = htons(rpauth->slen2);
2074 }
2075
2076 if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
2077 PCAP_ERRBUF_SIZE) < 0)
2078 return -1;
2079
2080 /* Receive and process the reply message header */
2081 if (rpcap_process_msg_header(sockctrl, ssl, 0, RPCAP_MSG_AUTH_REQ,
2082 &header, errbuf) == -1)
2083 return -1;
2084
2085 /*
2086 * OK, it's an authentication reply, so we're logged in.
2087 *
2088 * Did it send any additional information?
2089 */
2090 plen = header.plen;
2091 if (plen != 0)
2092 {
2093 size_t reply_len;
2094
2095 /* Yes - is it big enough to include version information? */
2096 if (plen < sizeof(struct rpcap_authreply_old))
2097 {
2098 /* No - discard it and fail. */
2099 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2100 "Authentication reply from server is too short");
2101 (void)rpcap_discard(sockctrl, ssl, plen, NULL);
2102 return -1;
2103 }
2104
2105 /* Yes - does it include server byte order information? */
2106 if (plen == sizeof(struct rpcap_authreply_old))
2107 {
2108 /* No - just read the version information */
2109 has_byte_order = 0;
2110 reply_len = sizeof(struct rpcap_authreply_old);
2111 }
2112 else if (plen >= sizeof(struct rpcap_authreply_old))
2113 {
2114 /* Yes - read it all. */
2115 has_byte_order = 1;
2116 reply_len = sizeof(struct rpcap_authreply);
2117 }
2118 else
2119 {
2120 /*
2121 * Too long for old reply, too short for new reply.
2122 * Discard it and fail.
2123 */
2124 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2125 "Authentication reply from server is too short");
2126 (void)rpcap_discard(sockctrl, ssl, plen, NULL);
2127 return -1;
2128 }
2129
2130 /* Read the reply body */
2131 if (rpcap_recv(sockctrl, ssl, (char *)&authreply,
2132 reply_len, &plen, errbuf) == -1)
2133 {
2134 (void)rpcap_discard(sockctrl, ssl, plen, NULL);
2135 return -1;
2136 }
2137
2138 /* Discard the rest of the message, if there is any. */
2139 if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
2140 return -1;
2141
2142 /*
2143 * Check the minimum and maximum versions for sanity;
2144 * the minimum must be <= the maximum.
2145 */
2146 if (authreply.minvers > authreply.maxvers)
2147 {
2148 /*
2149 * Bogus - give up on this server.
2150 */
2151 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2152 "The server's minimum supported protocol version is greater than its maximum supported protocol version");
2153 return -1;
2154 }
2155
2156 if (has_byte_order)
2157 {
2158 their_byte_order_magic = authreply.byte_order_magic;
2159 }
2160 else
2161 {
2162 /*
2163 * The server didn't tell us what its byte
2164 * order is; assume it's ours.
2165 */
2166 their_byte_order_magic = RPCAP_BYTE_ORDER_MAGIC;
2167 }
2168 }
2169 else
2170 {
2171 /* No - it supports only version 0. */
2172 authreply.minvers = 0;
2173 authreply.maxvers = 0;
2174
2175 /*
2176 * And it didn't tell us what its byte order is; assume
2177 * it's ours.
2178 */
2179 has_byte_order = 0;
2180 their_byte_order_magic = RPCAP_BYTE_ORDER_MAGIC;
2181 }
2182
2183 /*
2184 * OK, let's start with the maximum version the server supports.
2185 */
2186 ourvers = authreply.maxvers;
2187
2188 #if RPCAP_MIN_VERSION != 0
2189 /*
2190 * If that's less than the minimum version we support, we
2191 * can't communicate.
2192 */
2193 if (ourvers < RPCAP_MIN_VERSION)
2194 goto novers;
2195 #endif
2196
2197 /*
2198 * If that's greater than the maximum version we support,
2199 * choose the maximum version we support.
2200 */
2201 if (ourvers > RPCAP_MAX_VERSION)
2202 {
2203 ourvers = RPCAP_MAX_VERSION;
2204
2205 /*
2206 * If that's less than the minimum version they
2207 * support, we can't communicate.
2208 */
2209 if (ourvers < authreply.minvers)
2210 goto novers;
2211 }
2212
2213 /*
2214 * Is the server byte order the opposite of ours?
2215 */
2216 if (their_byte_order_magic == RPCAP_BYTE_ORDER_MAGIC)
2217 {
2218 /* No, it's the same. */
2219 *byte_swapped = 0;
2220 }
2221 else if (their_byte_order_magic == RPCAP_BYTE_ORDER_MAGIC_SWAPPED)
2222 {
2223 /* Yes, it's the opposite of ours. */
2224 *byte_swapped = 1;
2225 }
2226 else
2227 {
2228 /* They sent us something bogus. */
2229 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2230 "The server did not send us a valid byte order value");
2231 return -1;
2232 }
2233
2234 *ver = ourvers;
2235 return 0;
2236
2237 novers:
2238 /*
2239 * There is no version we both support; that is a fatal error.
2240 */
2241 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2242 "The server doesn't support any protocol version that we support");
2243 return -1;
2244 }
2245
2246 /* non-alphanumeric unreserved characters plus sub-delims (RFC3986) */
2247 static const char userinfo_allowed_symbols[] = "-._~!&'()*+,;=";
2248
2249 /*
2250 * This function is a thin wrapper around rpcap_doauth which will use an auth
2251 * struct created from a username and password parsed out of the userinfo
2252 * portion of a URI.
2253 */
2254 static int rpcap_doauth_userinfo(PCAP_SOCKET sockctrl, SSL *ssl, uint8_t *ver,
2255 int *byte_swapped, const char *userinfo, char *errbuf)
2256 {
2257 struct pcap_rmtauth auth;
2258 const char *ptr;
2259 char *buf, username[256], password[256];
2260
2261 auth.type = RPCAP_RMTAUTH_PWD;
2262 auth.username = username;
2263 auth.password = password;
2264 buf = username;
2265
2266 username[0] = password[0] = '\0';
2267
2268 if ((ptr = userinfo) != NULL)
2269 {
2270 for (int pos = -1; (buf[++pos] = *ptr) != '\0'; ++ptr)
2271 {
2272 /* handle %xx encoded characters */
2273 if (*ptr == '%')
2274 {
2275 /* the pedantic thing to do here would be throwing an error on
2276 * a sequence like `%hi', however a lot of common tools just accept
2277 * such malarkey, so... probably it will be fine? */
2278 if (sscanf(ptr, "%%%02hhx", (unsigned char *)(buf+pos)) == 1)
2279 ptr += 2;
2280 /* other implementations aside, rejecting null bytes seems prudent */
2281 if (buf[pos] == '\0')
2282 {
2283 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Invalid escape `%%00` in userinfo");
2284 return -1;
2285 }
2286 }
2287 else if (*ptr == ':' && buf == username)
2288 {
2289 /* terminate username string and switch to password string */
2290 buf[pos] = '\0';
2291 buf = password;
2292 pos = -1;
2293 }
2294 /* constrain to characters allowed by RFC3986 */
2295 else if (*ptr >= 'A' && *ptr <= 'Z')
2296 continue;
2297 else if (*ptr >= 'a' && *ptr <= 'z')
2298 continue;
2299 else if (*ptr >= '0' && *ptr <= '9')
2300 continue;
2301 else if (*ptr < ' ' || *ptr > '~')
2302 {
2303 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Invalid character `\\%o` in userinfo", *ptr);
2304 return -1;
2305 }
2306 else if (strchr(userinfo_allowed_symbols, *ptr) == NULL)
2307 {
2308 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Invalid character `%c` in userinfo", *ptr);
2309 return -1;
2310 }
2311 }
2312
2313 return rpcap_doauth(sockctrl, ssl, ver, byte_swapped, &auth,
2314 errbuf);
2315 }
2316
2317 return rpcap_doauth(sockctrl, ssl, ver, byte_swapped, NULL, errbuf);
2318 }
2319
2320
2321 /* We don't currently support non-blocking mode. */
2322 static int
2323 pcap_getnonblock_rpcap(pcap_t *p)
2324 {
2325 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2326 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2327 return (-1);
2328 }
2329
2330 static int
2331 pcap_setnonblock_rpcap(pcap_t *p, int nonblock _U_)
2332 {
2333 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2334 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2335 return (-1);
2336 }
2337
2338 static int
2339 rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
2340 int *activep, PCAP_SOCKET *sockctrlp, uint8_t *uses_sslp, SSL **sslp,
2341 int rmt_flags, uint8_t *protocol_versionp, int *byte_swappedp,
2342 char *host, char *port, char *iface, char *errbuf)
2343 {
2344 int type;
2345 int auth_result;
2346 char userinfo[PCAP_BUF_SIZE+1];
2347 struct activehosts *activeconn; /* active connection, if there is one */
2348 int error; /* 1 if rpcap_remoteact_getsock got an error */
2349
2350 userinfo[0] = '\0';
2351
2352 /*
2353 * Determine the type of the source (NULL, file, local, remote).
2354 * You must have a valid source string even if we're in active mode,
2355 * because otherwise the call to the following function will fail.
2356 */
2357 if (pcapint_parsesrcstr_ex(source, &type, userinfo, host, port, iface, uses_sslp,
2358 errbuf) == -1)
2359 return -1;
2360
2361 /*
2362 * It must be remote.
2363 */
2364 if (type != PCAP_SRC_IFREMOTE)
2365 {
2366 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2367 "Non-remote interface passed to remote capture routine");
2368 return -1;
2369 }
2370
2371 /*
2372 * We don't yet support DTLS, so if the user asks for a TLS
2373 * connection and asks for data packets to be sent over UDP,
2374 * we have to give up.
2375 */
2376 if (*uses_sslp && (rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
2377 {
2378 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2379 "TLS not supported with UDP forward of remote packets");
2380 return -1;
2381 }
2382
2383 /* Warning: this call can be the first one called by the user. */
2384 /* For this reason, we have to initialize the Winsock support. */
2385 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2386 return -1;
2387
2388 /* Check for active mode */
2389 activeconn = rpcap_remoteact_getsock(host, &error, errbuf);
2390 if (activeconn != NULL)
2391 {
2392 *activep = 1;
2393 *sockctrlp = activeconn->sockctrl;
2394 *sslp = activeconn->ssl;
2395 *protocol_versionp = activeconn->protocol_version;
2396 *byte_swappedp = activeconn->byte_swapped;
2397 }
2398 else
2399 {
2400 *activep = 0;
2401 struct addrinfo hints; /* temp variable needed to resolve hostnames into to socket representation */
2402 struct addrinfo *addrinfo; /* temp variable needed to resolve hostnames into to socket representation */
2403
2404 if (error)
2405 {
2406 /*
2407 * Call failed.
2408 */
2409 return -1;
2410 }
2411
2412 /*
2413 * We're not in active mode; let's try to open a new
2414 * control connection.
2415 */
2416 memset(&hints, 0, sizeof(struct addrinfo));
2417 hints.ai_family = PF_UNSPEC;
2418 hints.ai_socktype = SOCK_STREAM;
2419
2420 if (port[0] == 0)
2421 {
2422 /* the user chose not to specify the port */
2423 addrinfo = sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
2424 &hints, errbuf, PCAP_ERRBUF_SIZE);
2425 }
2426 else
2427 {
2428 addrinfo = sock_initaddress(host, port, &hints,
2429 errbuf, PCAP_ERRBUF_SIZE);
2430 }
2431 if (addrinfo == NULL)
2432 return -1;
2433
2434 if ((*sockctrlp = sock_open(host, addrinfo, SOCKOPEN_CLIENT, 0,
2435 errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2436 {
2437 freeaddrinfo(addrinfo);
2438 return -1;
2439 }
2440
2441 /* addrinfo is no longer used */
2442 freeaddrinfo(addrinfo);
2443 addrinfo = NULL;
2444
2445 if (*uses_sslp)
2446 {
2447 #ifdef HAVE_OPENSSL
2448 *sslp = ssl_promotion(0, *sockctrlp, errbuf,
2449 PCAP_ERRBUF_SIZE);
2450 if (!*sslp)
2451 {
2452 sock_close(*sockctrlp, NULL, 0);
2453 return -1;
2454 }
2455 #else
2456 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2457 "No TLS support");
2458 sock_close(*sockctrlp, NULL, 0);
2459 return -1;
2460 #endif
2461 }
2462
2463 if (auth == NULL && *userinfo != '\0')
2464 {
2465 auth_result = rpcap_doauth_userinfo(*sockctrlp, *sslp,
2466 protocol_versionp, byte_swappedp, userinfo, errbuf);
2467 }
2468 else
2469 {
2470 auth_result = rpcap_doauth(*sockctrlp, *sslp,
2471 protocol_versionp, byte_swappedp, auth, errbuf);
2472 }
2473
2474 if (auth_result == -1)
2475 {
2476 #ifdef HAVE_OPENSSL
2477 if (*sslp)
2478 {
2479 // Finish using the SSL handle for the socket.
2480 // This must be done *before* the socket is
2481 // closed.
2482 ssl_finish(*sslp);
2483 }
2484 #endif
2485 sock_close(*sockctrlp, NULL, 0);
2486 return -1;
2487 }
2488 }
2489 return 0;
2490 }
2491
2492 /*
2493 * This function opens a remote adapter by opening an RPCAP connection and
2494 * so on.
2495 *
2496 * It does the job of pcap_open_live() for a remote interface; it's called
2497 * by pcap_open() for remote interfaces.
2498 *
2499 * We do not start the capture until pcap_startcapture_remote() is called.
2500 *
2501 * This is because, when doing a remote capture, we cannot start capturing
2502 * data as soon as the 'open adapter' command is sent. Suppose the remote
2503 * adapter is already overloaded; if we start a capture (which, by default,
2504 * has a NULL filter) the new traffic can saturate the network.
2505 *
2506 * Instead, we want to "open" the adapter, then send a "start capture"
2507 * command only when we're ready to start the capture.
2508 * This function does this job: it sends an "open adapter" command
2509 * (according to the RPCAP protocol), but it does not start the capture.
2510 *
2511 * Since the other libpcap functions do not share this way of life, we
2512 * have to do some dirty things in order to make everything work.
2513 *
2514 * \param source: see pcap_open().
2515 * \param snaplen: see pcap_open().
2516 * \param flags: see pcap_open().
2517 * \param read_timeout: see pcap_open().
2518 * \param auth: see pcap_open().
2519 * \param errbuf: see pcap_open().
2520 *
2521 * \return a pcap_t pointer in case of success, NULL otherwise. In case of
2522 * success, the pcap_t pointer can be used as a parameter to the following
2523 * calls (pcap_compile() and so on). In case of problems, errbuf contains
2524 * a text explanation of error.
2525 *
2526 * WARNING: In case we call pcap_compile() and the capture has not yet
2527 * been started, the filter will be saved into the pcap_t structure,
2528 * and it will be sent to the other host later (when
2529 * pcap_startcapture_remote() is called).
2530 */
2531 pcap_t *pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
2532 {
2533 pcap_t *fp;
2534 char *source_str;
2535 struct pcap_rpcap *pr; /* structure used when doing a remote live capture */
2536 char host[PCAP_BUF_SIZE], ctrlport[PCAP_BUF_SIZE], iface[PCAP_BUF_SIZE];
2537 PCAP_SOCKET sockctrl;
2538 SSL *ssl = NULL;
2539 uint8_t protocol_version; /* negotiated protocol version */
2540 int byte_swapped; /* server is known to be byte-swapped */
2541 int active;
2542 uint32_t plen;
2543 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
2544 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
2545
2546 /* RPCAP-related variables */
2547 struct rpcap_header header; /* header of the RPCAP packet */
2548 struct rpcap_openreply openreply; /* open reply message */
2549
2550 fp = PCAP_CREATE_COMMON(errbuf, struct pcap_rpcap);
2551 if (fp == NULL)
2552 {
2553 return NULL;
2554 }
2555 source_str = strdup(source);
2556 if (source_str == NULL) {
2557 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2558 errno, "malloc");
2559 return NULL;
2560 }
2561
2562 /*
2563 * Turn a negative snapshot value (invalid), a snapshot value of
2564 * 0 (unspecified), or a value bigger than the normal maximum
2565 * value, into the maximum allowed value.
2566 *
2567 * If some application really *needs* a bigger snapshot
2568 * length, we should just increase MAXIMUM_SNAPLEN.
2569 *
2570 * XXX - should we leave this up to the remote server to
2571 * do?
2572 */
2573 if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN)
2574 snaplen = MAXIMUM_SNAPLEN;
2575
2576 fp->opt.device = source_str;
2577 fp->snapshot = snaplen;
2578 fp->opt.timeout = read_timeout;
2579 pr = fp->priv;
2580 pr->rmt_flags = flags;
2581
2582 /*
2583 * Attempt to set up the session with the server.
2584 */
2585 if (rpcap_setup_session(fp->opt.device, auth, &active, &sockctrl,
2586 &pr->uses_ssl, &ssl, flags, &protocol_version, &byte_swapped,
2587 host, ctrlport, iface, errbuf) == -1)
2588 {
2589 /* Session setup failed. */
2590 pcap_close(fp);
2591 return NULL;
2592 }
2593
2594 /* All good so far, save the ssl handler */
2595 ssl_main = ssl;
2596
2597 /*
2598 * Now it's time to start playing with the RPCAP protocol
2599 * RPCAP open command: create the request message
2600 */
2601 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
2602 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
2603 goto error_nodiscard;
2604
2605 rpcap_createhdr((struct rpcap_header *) sendbuf, protocol_version,
2606 RPCAP_MSG_OPEN_REQ, 0, (uint32_t) strlen(iface));
2607
2608 if (sock_bufferize(iface, (int) strlen(iface), sendbuf, &sendbufidx,
2609 RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2610 goto error_nodiscard;
2611
2612 if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
2613 PCAP_ERRBUF_SIZE) < 0)
2614 goto error_nodiscard;
2615
2616 /* Receive and process the reply message header. */
2617 if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
2618 RPCAP_MSG_OPEN_REQ, &header, errbuf) == -1)
2619 goto error_nodiscard;
2620 plen = header.plen;
2621
2622 /* Read the reply body */
2623 if (rpcap_recv(sockctrl, ssl, (char *)&openreply,
2624 sizeof(struct rpcap_openreply), &plen, errbuf) == -1)
2625 goto error;
2626
2627 /* Discard the rest of the message, if there is any. */
2628 if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
2629 goto error_nodiscard;
2630
2631 /* Set proper fields into the pcap_t struct */
2632 fp->linktype = ntohl(openreply.linktype);
2633 pr->rmt_sockctrl = sockctrl;
2634 pr->ctrl_ssl = ssl;
2635 pr->protocol_version = protocol_version;
2636 pr->byte_swapped = byte_swapped;
2637 pr->rmt_clientside = 1;
2638
2639 /* This code is duplicated from the end of this function */
2640 fp->read_op = pcap_read_rpcap;
2641 fp->save_current_filter_op = pcap_save_current_filter_rpcap;
2642 fp->setfilter_op = pcap_setfilter_rpcap;
2643 fp->getnonblock_op = pcap_getnonblock_rpcap;
2644 fp->setnonblock_op = pcap_setnonblock_rpcap;
2645 fp->stats_op = pcap_stats_rpcap;
2646 #ifdef _WIN32
2647 fp->stats_ex_op = pcap_stats_ex_rpcap;
2648 #endif
2649 fp->cleanup_op = pcap_cleanup_rpcap;
2650
2651 fp->activated = 1;
2652 return fp;
2653
2654 error:
2655 /*
2656 * When the connection has been established, we have to close it. So, at the
2657 * beginning of this function, if an error occur we return immediately with
2658 * a return NULL; when the connection is established, we have to come here
2659 * ('goto error;') in order to close everything properly.
2660 */
2661
2662 /*
2663 * Discard the rest of the message.
2664 * We already reported an error; if this gets an error, just
2665 * drive on.
2666 */
2667 (void)rpcap_discard(sockctrl, pr->ctrl_ssl, plen, NULL);
2668
2669 error_nodiscard:
2670 if (!active)
2671 {
2672 #ifdef HAVE_OPENSSL
2673 if (ssl)
2674 {
2675 // Finish using the SSL handle for the socket.
2676 // This must be done *before* the socket is closed.
2677 ssl_finish(ssl);
2678 }
2679 #endif
2680 sock_close(sockctrl, NULL, 0);
2681 }
2682
2683 pcap_close(fp);
2684 return NULL;
2685 }
2686
2687 /* String identifier to be used in the pcap_findalldevs_ex() */
2688 #define PCAP_TEXT_SOURCE_ADAPTER "Network adapter"
2689 #define PCAP_TEXT_SOURCE_ADAPTER_LEN (sizeof PCAP_TEXT_SOURCE_ADAPTER - 1)
2690 /* String identifier to be used in the pcap_findalldevs_ex() */
2691 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST "on remote node"
2692 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST_LEN (sizeof PCAP_TEXT_SOURCE_ON_REMOTE_HOST - 1)
2693
2694 static void
2695 freeaddr(struct pcap_addr *addr)
2696 {
2697 free(addr->addr);
2698 free(addr->netmask);
2699 free(addr->broadaddr);
2700 free(addr->dstaddr);
2701 free(addr);
2702 }
2703
2704 int
2705 pcap_findalldevs_ex_remote(const char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
2706 {
2707 uint8_t protocol_version; /* protocol version */
2708 int byte_swapped; /* Server byte order is swapped from ours */
2709 PCAP_SOCKET sockctrl; /* socket descriptor of the control connection */
2710 SSL *ssl = NULL; /* optional SSL handler for sockctrl */
2711 uint32_t plen;
2712 struct rpcap_header header; /* structure that keeps the general header of the rpcap protocol */
2713 int i, j; /* temp variables */
2714 int nif; /* Number of interfaces listed */
2715 int active; /* 'true' if we the other end-party is in active mode */
2716 uint8_t uses_ssl;
2717 char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE];
2718 char tmpstring[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2719 pcap_if_t *lastdev; /* Last device in the pcap_if_t list */
2720 pcap_if_t *dev; /* Device we're adding to the pcap_if_t list */
2721
2722 /* List starts out empty. */
2723 (*alldevs) = NULL;
2724 lastdev = NULL;
2725
2726 /*
2727 * Attempt to set up the session with the server.
2728 */
2729 if (rpcap_setup_session(source, auth, &active, &sockctrl, &uses_ssl,
2730 &ssl, 0, &protocol_version, &byte_swapped, host, port, NULL,
2731 errbuf) == -1)
2732 {
2733 /* Session setup failed. */
2734 return -1;
2735 }
2736
2737 /* RPCAP findalldevs command */
2738 rpcap_createhdr(&header, protocol_version, RPCAP_MSG_FINDALLIF_REQ,
2739 0, 0);
2740
2741 if (sock_send(sockctrl, ssl, (char *)&header, sizeof(struct rpcap_header),
2742 errbuf, PCAP_ERRBUF_SIZE) < 0)
2743 goto error_nodiscard;
2744
2745 /* Receive and process the reply message header. */
2746 if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
2747 RPCAP_MSG_FINDALLIF_REQ, &header, errbuf) == -1)
2748 goto error_nodiscard;
2749
2750 plen = header.plen;
2751
2752 /* read the number of interfaces */
2753 nif = ntohs(header.value);
2754
2755 /* loop until all interfaces have been received */
2756 for (i = 0; i < nif; i++)
2757 {
2758 struct rpcap_findalldevs_if findalldevs_if;
2759 char tmpstring2[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2760 struct pcap_addr *addr, *prevaddr;
2761
2762 tmpstring2[PCAP_BUF_SIZE] = 0;
2763
2764 /* receive the findalldevs structure from remote host */
2765 if (rpcap_recv(sockctrl, ssl, (char *)&findalldevs_if,
2766 sizeof(struct rpcap_findalldevs_if), &plen, errbuf) == -1)
2767 goto error;
2768
2769 findalldevs_if.namelen = ntohs(findalldevs_if.namelen);
2770 findalldevs_if.desclen = ntohs(findalldevs_if.desclen);
2771 findalldevs_if.naddr = ntohs(findalldevs_if.naddr);
2772
2773 /* allocate the main structure */
2774 dev = (pcap_if_t *)malloc(sizeof(pcap_if_t));
2775 if (dev == NULL)
2776 {
2777 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2778 errno, "malloc() failed");
2779 goto error;
2780 }
2781
2782 /* Initialize the structure to 'zero' */
2783 memset(dev, 0, sizeof(pcap_if_t));
2784
2785 /* Append it to the list. */
2786 if (lastdev == NULL)
2787 {
2788 /*
2789 * List is empty, so it's also the first device.
2790 */
2791 *alldevs = dev;
2792 }
2793 else
2794 {
2795 /*
2796 * Append after the last device.
2797 */
2798 lastdev->next = dev;
2799 }
2800 /* It's now the last device. */
2801 lastdev = dev;
2802
2803 /* allocate mem for name and description */
2804 if (findalldevs_if.namelen)
2805 {
2806
2807 if (findalldevs_if.namelen >= sizeof(tmpstring))
2808 {
2809 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface name too long");
2810 goto error;
2811 }
2812
2813 /* Retrieve adapter name */
2814 if (rpcap_recv(sockctrl, ssl, tmpstring,
2815 findalldevs_if.namelen, &plen, errbuf) == -1)
2816 goto error;
2817
2818 tmpstring[findalldevs_if.namelen] = 0;
2819
2820 /* Create the new device identifier */
2821 if (pcapint_createsrcstr_ex(tmpstring2, PCAP_SRC_IFREMOTE,
2822 NULL, host, port, tmpstring, uses_ssl, errbuf) == -1)
2823 goto error;
2824
2825 dev->name = strdup(tmpstring2);
2826 if (dev->name == NULL)
2827 {
2828 pcapint_fmt_errmsg_for_errno(errbuf,
2829 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2830 goto error;
2831 }
2832 }
2833
2834 if (findalldevs_if.desclen)
2835 {
2836 if (findalldevs_if.desclen >= sizeof(tmpstring))
2837 {
2838 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface description too long");
2839 goto error;
2840 }
2841
2842 /* Retrieve adapter description */
2843 if (rpcap_recv(sockctrl, ssl, tmpstring,
2844 findalldevs_if.desclen, &plen, errbuf) == -1)
2845 goto error;
2846
2847 tmpstring[findalldevs_if.desclen] = 0;
2848
2849 if (pcapint_asprintf(&dev->description,
2850 "%s '%s' %s %s", PCAP_TEXT_SOURCE_ADAPTER,
2851 tmpstring, PCAP_TEXT_SOURCE_ON_REMOTE_HOST, host) == -1)
2852 {
2853 pcapint_fmt_errmsg_for_errno(errbuf,
2854 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2855 goto error;
2856 }
2857 }
2858
2859 dev->flags = ntohl(findalldevs_if.flags);
2860
2861 prevaddr = NULL;
2862 /* loop until all addresses have been received */
2863 for (j = 0; j < findalldevs_if.naddr; j++)
2864 {
2865 struct rpcap_findalldevs_ifaddr ifaddr;
2866
2867 /* Retrieve the interface addresses */
2868 if (rpcap_recv(sockctrl, ssl, (char *)&ifaddr,
2869 sizeof(struct rpcap_findalldevs_ifaddr),
2870 &plen, errbuf) == -1)
2871 goto error;
2872
2873 /*
2874 * Deserialize all the address components.
2875 */
2876 addr = (struct pcap_addr *) malloc(sizeof(struct pcap_addr));
2877 if (addr == NULL)
2878 {
2879 pcapint_fmt_errmsg_for_errno(errbuf,
2880 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2881 goto error;
2882 }
2883 addr->next = NULL;
2884 addr->addr = NULL;
2885 addr->netmask = NULL;
2886 addr->broadaddr = NULL;
2887 addr->dstaddr = NULL;
2888
2889 if (rpcap_deseraddr(&ifaddr.addr, &addr->addr,
2890 errbuf) == -1)
2891 {
2892 freeaddr(addr);
2893 goto error;
2894 }
2895 if (rpcap_deseraddr(&ifaddr.netmask, &addr->netmask,
2896 errbuf) == -1)
2897 {
2898 freeaddr(addr);
2899 goto error;
2900 }
2901 if (rpcap_deseraddr(&ifaddr.broadaddr, &addr->broadaddr,
2902 errbuf) == -1)
2903 {
2904 freeaddr(addr);
2905 goto error;
2906 }
2907 if (rpcap_deseraddr(&ifaddr.dstaddr, &addr->dstaddr,
2908 errbuf) == -1)
2909 {
2910 freeaddr(addr);
2911 goto error;
2912 }
2913
2914 if ((addr->addr == NULL) && (addr->netmask == NULL) &&
2915 (addr->broadaddr == NULL) && (addr->dstaddr == NULL))
2916 {
2917 /*
2918 * None of the addresses are IPv4 or IPv6
2919 * addresses, so throw this entry away.
2920 */
2921 free(addr);
2922 }
2923 else
2924 {
2925 /*
2926 * Add this entry to the list.
2927 */
2928 if (prevaddr == NULL)
2929 {
2930 dev->addresses = addr;
2931 }
2932 else
2933 {
2934 prevaddr->next = addr;
2935 }
2936 prevaddr = addr;
2937 }
2938 }
2939 }
2940
2941 /* Discard the rest of the message. */
2942 if (rpcap_discard(sockctrl, ssl, plen, errbuf) == 1)
2943 goto error_nodiscard;
2944
2945 /* Control connection has to be closed only in case the remote machine is in passive mode */
2946 if (!active)
2947 {
2948 /* DO not send RPCAP_CLOSE, since we did not open a pcap_t; no need to free resources */
2949 #ifdef HAVE_OPENSSL
2950 if (ssl)
2951 {
2952 // Finish using the SSL handle for the socket.
2953 // This must be done *before* the socket is closed.
2954 ssl_finish(ssl);
2955 }
2956 #endif
2957 if (sock_close(sockctrl, errbuf, PCAP_ERRBUF_SIZE))
2958 return -1;
2959 }
2960
2961 /* To avoid inconsistencies in the number of sock_init() */
2962 sock_cleanup();
2963
2964 return 0;
2965
2966 error:
2967 /*
2968 * In case there has been an error, I don't want to overwrite it with a new one
2969 * if the following call fails. I want to return always the original error.
2970 *
2971 * Take care: this connection can already be closed when we try to close it.
2972 * This happens because a previous error in the rpcapd, which requested to
2973 * closed the connection. In that case, we already recognized that into the
2974 * rpspck_isheaderok() and we already acknowledged the closing.
2975 * In that sense, this call is useless here (however it is needed in case
2976 * the client generates the error).
2977 *
2978 * Checks if all the data has been read; if not, discard the data in excess
2979 */
2980 (void) rpcap_discard(sockctrl, ssl, plen, NULL);
2981
2982 error_nodiscard:
2983 /* Control connection has to be closed only in case the remote machine is in passive mode */
2984 if (!active)
2985 {
2986 #ifdef HAVE_OPENSSL
2987 if (ssl)
2988 {
2989 // Finish using the SSL handle for the socket.
2990 // This must be done *before* the socket is closed.
2991 ssl_finish(ssl);
2992 }
2993 #endif
2994 sock_close(sockctrl, NULL, 0);
2995 }
2996
2997 /* To avoid inconsistencies in the number of sock_init() */
2998 sock_cleanup();
2999
3000 /* Free whatever interfaces we've allocated. */
3001 pcap_freealldevs(*alldevs);
3002
3003 return -1;
3004 }
3005
3006 /*
3007 * Active mode routines.
3008 *
3009 * The old libpcap API is somewhat ugly, and makes active mode difficult
3010 * to implement; we provide some APIs for it that work only with rpcap.
3011 */
3012
3013 PCAP_SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, int uses_ssl, char *errbuf)
3014 {
3015 /* socket-related variables */
3016 struct addrinfo hints; /* temporary struct to keep settings needed to open the new socket */
3017 struct addrinfo *addrinfo; /* keeps the addrinfo chain; required to open a new socket */
3018 struct sockaddr_storage from; /* generic sockaddr_storage variable */
3019 socklen_t fromlen; /* keeps the length of the sockaddr_storage variable */
3020 PCAP_SOCKET sockctrl; /* keeps the main socket identifier */
3021 SSL *ssl = NULL; /* Optional SSL handler for sockctrl */
3022 uint8_t protocol_version; /* negotiated protocol version */
3023 int byte_swapped; /* 1 if server byte order is known to be the reverse of ours */
3024 struct activehosts *temp, *prev; /* temp var needed to scan he host list chain */
3025
3026 *connectinghost = 0; /* just in case */
3027
3028 /* Prepare to open a new server socket */
3029 memset(&hints, 0, sizeof(struct addrinfo));
3030 /* WARNING Currently it supports only ONE socket family among ipv4 and IPv6 */
3031 hints.ai_family = AF_INET; /* PF_UNSPEC to have both IPv4 and IPv6 server */
3032 hints.ai_flags = AI_PASSIVE; /* Ready to a bind() socket */
3033 hints.ai_socktype = SOCK_STREAM;
3034
3035 /* Warning: this call can be the first one called by the user. */
3036 /* For this reason, we have to initialize the Winsock support. */
3037 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
3038 return (PCAP_SOCKET)-1;
3039
3040 /* Do the work */
3041 if ((port == NULL) || (port[0] == 0))
3042 {
3043 addrinfo = sock_initaddress(address,
3044 RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, errbuf,
3045 PCAP_ERRBUF_SIZE);
3046 }
3047 else
3048 {
3049 addrinfo = sock_initaddress(address, port, &hints, errbuf,
3050 PCAP_ERRBUF_SIZE);
3051 }
3052 if (addrinfo == NULL)
3053 {
3054 return (PCAP_SOCKET)-2;
3055 }
3056
3057 if ((sockmain = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
3058 {
3059 freeaddrinfo(addrinfo);
3060 return (PCAP_SOCKET)-2;
3061 }
3062 freeaddrinfo(addrinfo);
3063
3064 /* Connection creation */
3065 fromlen = sizeof(struct sockaddr_storage);
3066
3067 sockctrl = accept(sockmain, (struct sockaddr *) &from, &fromlen);
3068
3069 /* We're not using sock_close, since we do not want to send a shutdown */
3070 /* (which is not allowed on a non-connected socket) */
3071 closesocket(sockmain);
3072 sockmain = 0;
3073
3074 if (sockctrl == INVALID_SOCKET)
3075 {
3076 sock_geterrmsg(errbuf, PCAP_ERRBUF_SIZE, "accept() failed");
3077 return (PCAP_SOCKET)-2;
3078 }
3079
3080 /* Promote to SSL early before any error message may be sent */
3081 if (uses_ssl)
3082 {
3083 #ifdef HAVE_OPENSSL
3084 ssl = ssl_promotion(0, sockctrl, errbuf, PCAP_ERRBUF_SIZE);
3085 if (! ssl)
3086 {
3087 sock_close(sockctrl, NULL, 0);
3088 return (PCAP_SOCKET)-1;
3089 }
3090 #else
3091 snprintf(errbuf, PCAP_ERRBUF_SIZE, "No TLS support");
3092 sock_close(sockctrl, NULL, 0);
3093 return (PCAP_SOCKET)-1;
3094 #endif
3095 }
3096
3097 /* Get the numeric for of the name of the connecting host */
3098 if (getnameinfo((struct sockaddr *) &from, fromlen, connectinghost, RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST))
3099 {
3100 sock_geterrmsg(errbuf, PCAP_ERRBUF_SIZE,
3101 "getnameinfo() failed");
3102 rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
3103 #ifdef HAVE_OPENSSL
3104 if (ssl)
3105 {
3106 // Finish using the SSL handle for the socket.
3107 // This must be done *before* the socket is closed.
3108 ssl_finish(ssl);
3109 }
3110 #endif
3111 sock_close(sockctrl, NULL, 0);
3112 return (PCAP_SOCKET)-1;
3113 }
3114
3115 /* checks if the connecting host is among the ones allowed */
3116 if (sock_check_hostlist(hostlist, RPCAP_HOSTLIST_SEP, &from, errbuf, PCAP_ERRBUF_SIZE) < 0)
3117 {
3118 rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
3119 #ifdef HAVE_OPENSSL
3120 if (ssl)
3121 {
3122 // Finish using the SSL handle for the socket.
3123 // This must be done *before* the socket is closed.
3124 ssl_finish(ssl);
3125 }
3126 #endif
3127 sock_close(sockctrl, NULL, 0);
3128 return (PCAP_SOCKET)-1;
3129 }
3130
3131 /*
3132 * Send authentication to the remote machine.
3133 */
3134 if (rpcap_doauth(sockctrl, ssl, &protocol_version, &byte_swapped,
3135 auth, errbuf) == -1)
3136 {
3137 /* Unrecoverable error. */
3138 rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
3139 #ifdef HAVE_OPENSSL
3140 if (ssl)
3141 {
3142 // Finish using the SSL handle for the socket.
3143 // This must be done *before* the socket is closed.
3144 ssl_finish(ssl);
3145 }
3146 #endif
3147 sock_close(sockctrl, NULL, 0);
3148 return (PCAP_SOCKET)-3;
3149 }
3150
3151 /* Checks that this host does not already have a cntrl connection in place */
3152
3153 /* Initialize pointers */
3154 temp = activeHosts;
3155 prev = NULL;
3156
3157 while (temp)
3158 {
3159 /* This host already has an active connection in place, so I don't have to update the host list */
3160 if (sock_cmpaddr(&temp->host, &from) == 0)
3161 return sockctrl;
3162
3163 prev = temp;
3164 temp = temp->next;
3165 }
3166
3167 /* The host does not exist in the list; so I have to update the list */
3168 if (prev)
3169 {
3170 prev->next = (struct activehosts *) malloc(sizeof(struct activehosts));
3171 temp = prev->next;
3172 }
3173 else
3174 {
3175 activeHosts = (struct activehosts *) malloc(sizeof(struct activehosts));
3176 temp = activeHosts;
3177 }
3178
3179 if (temp == NULL)
3180 {
3181 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
3182 errno, "malloc() failed");
3183 rpcap_senderror(sockctrl, ssl, protocol_version, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
3184 #ifdef HAVE_OPENSSL
3185 if (ssl)
3186 {
3187 // Finish using the SSL handle for the socket.
3188 // This must be done *before* the socket is closed.
3189 ssl_finish(ssl);
3190 }
3191 #endif
3192 sock_close(sockctrl, NULL, 0);
3193 return (PCAP_SOCKET)-1;
3194 }
3195
3196 memcpy(&temp->host, &from, fromlen);
3197 temp->sockctrl = sockctrl;
3198 temp->ssl = ssl;
3199 temp->protocol_version = protocol_version;
3200 temp->byte_swapped = byte_swapped;
3201 temp->next = NULL;
3202
3203 return sockctrl;
3204 }
3205
3206 PCAP_SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
3207 {
3208 return pcap_remoteact_accept_ex(address, port, hostlist, connectinghost, auth, 0, errbuf);
3209 }
3210
3211 int pcap_remoteact_close(const char *host, char *errbuf)
3212 {
3213 struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */
3214 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
3215
3216 temp = activeHosts;
3217 prev = NULL;
3218
3219 /* retrieve the network address corresponding to 'host' */
3220 addrinfo = NULL;
3221 memset(&hints, 0, sizeof(struct addrinfo));
3222 hints.ai_family = PF_UNSPEC;
3223 hints.ai_socktype = SOCK_STREAM;
3224
3225 addrinfo = sock_initaddress(host, NULL, &hints, errbuf,
3226 PCAP_ERRBUF_SIZE);
3227 if (addrinfo == NULL)
3228 {
3229 return -1;
3230 }
3231
3232 while (temp)
3233 {
3234 ai_next = addrinfo;
3235 while (ai_next)
3236 {
3237 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
3238 {
3239 struct rpcap_header header;
3240 int status = 0;
3241
3242 /* Close this connection */
3243 rpcap_createhdr(&header, temp->protocol_version,
3244 RPCAP_MSG_CLOSE, 0, 0);
3245
3246 /*
3247 * Don't check for errors, since we're
3248 * just cleaning up.
3249 */
3250 if (sock_send(temp->sockctrl, temp->ssl,
3251 (char *)&header,
3252 sizeof(struct rpcap_header), errbuf,
3253 PCAP_ERRBUF_SIZE) < 0)
3254 {
3255 /*
3256 * Let that error be the one we
3257 * report.
3258 */
3259 #ifdef HAVE_OPENSSL
3260 if (temp->ssl)
3261 {
3262 // Finish using the SSL handle
3263 // for the socket.
3264 // This must be done *before*
3265 // the socket is closed.
3266 ssl_finish(temp->ssl);
3267 }
3268 #endif
3269 (void)sock_close(temp->sockctrl, NULL,
3270 0);
3271 status = -1;
3272 }
3273 else
3274 {
3275 #ifdef HAVE_OPENSSL
3276 if (temp->ssl)
3277 {
3278 // Finish using the SSL handle
3279 // for the socket.
3280 // This must be done *before*
3281 // the socket is closed.
3282 ssl_finish(temp->ssl);
3283 }
3284 #endif
3285 if (sock_close(temp->sockctrl, errbuf,
3286 PCAP_ERRBUF_SIZE) == -1)
3287 status = -1;
3288 }
3289
3290 /*
3291 * Remove the host from the list of active
3292 * hosts.
3293 */
3294 if (prev)
3295 prev->next = temp->next;
3296 else
3297 activeHosts = temp->next;
3298
3299 freeaddrinfo(addrinfo);
3300
3301 free(temp);
3302
3303 /* To avoid inconsistencies in the number of sock_init() */
3304 sock_cleanup();
3305
3306 return status;
3307 }
3308
3309 ai_next = ai_next->ai_next;
3310 }
3311 prev = temp;
3312 temp = temp->next;
3313 }
3314
3315 if (addrinfo)
3316 freeaddrinfo(addrinfo);
3317
3318 /* To avoid inconsistencies in the number of sock_init() */
3319 sock_cleanup();
3320
3321 snprintf(errbuf, PCAP_ERRBUF_SIZE, "The host you want to close the active connection is not known");
3322 return -1;
3323 }
3324
3325 void pcap_remoteact_cleanup(void)
3326 {
3327 # ifdef HAVE_OPENSSL
3328 if (ssl_main)
3329 {
3330 // Finish using the SSL handle for the main active socket.
3331 // This must be done *before* the socket is closed.
3332 ssl_finish(ssl_main);
3333 ssl_main = NULL;
3334 }
3335 # endif
3336
3337 /* Very dirty, but it works */
3338 if (sockmain)
3339 {
3340 closesocket(sockmain);
3341
3342 /* To avoid inconsistencies in the number of sock_init() */
3343 sock_cleanup();
3344 }
3345 }
3346
3347 int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf)
3348 {
3349 struct activehosts *temp; /* temp var needed to scan the host list chain */
3350 size_t len;
3351 char hoststr[RPCAP_HOSTLIST_SIZE + 1];
3352
3353 temp = activeHosts;
3354
3355 len = 0;
3356 *hostlist = 0;
3357
3358 while (temp)
3359 {
3360 /*int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen) */
3361
3362 /* Get the numeric form of the name of the connecting host */
3363 if (sock_getascii_addrport((struct sockaddr_storage *) &temp->host, hoststr,
3364 RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST, errbuf, PCAP_ERRBUF_SIZE) != -1)
3365 /* if (getnameinfo( (struct sockaddr *) &temp->host, sizeof (struct sockaddr_storage), hoststr, */
3366 /* RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST) ) */
3367 {
3368 /* sock_geterrmsg(errbuf, PCAP_ERRBUF_SIZE, */
3369 /* "getnameinfo() failed"); */
3370 return -1;
3371 }
3372
3373 len = len + strlen(hoststr) + 1 /* the separator */;
3374
3375 if ((size < 0) || (len >= (size_t)size))
3376 {
3377 snprintf(errbuf, PCAP_ERRBUF_SIZE, "The string you provided is not able to keep "
3378 "the hostnames for all the active connections");
3379 return -1;
3380 }
3381
3382 pcapint_strlcat(hostlist, hoststr, PCAP_ERRBUF_SIZE);
3383 hostlist[len - 1] = sep;
3384 hostlist[len] = 0;
3385
3386 temp = temp->next;
3387 }
3388
3389 return 0;
3390 }
3391
3392 /*
3393 * Receive the header of a message.
3394 */
3395 static int rpcap_recv_msg_header(PCAP_SOCKET sock, SSL *ssl, struct rpcap_header *header, char *errbuf)
3396 {
3397 int nrecv;
3398
3399 nrecv = sock_recv(sock, ssl, (char *) header, sizeof(struct rpcap_header),
3400 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3401 PCAP_ERRBUF_SIZE);
3402 if (nrecv == -1)
3403 {
3404 /* Network error. */
3405 return -1;
3406 }
3407 header->plen = ntohl(header->plen);
3408 return 0;
3409 }
3410
3411 /*
3412 * Make sure the protocol version of a received message is what we were
3413 * expecting.
3414 */
3415 static int rpcap_check_msg_ver(PCAP_SOCKET sock, SSL *ssl, uint8_t expected_ver, struct rpcap_header *header, char *errbuf)
3416 {
3417 /*
3418 * Did the server specify the version we negotiated?
3419 */
3420 if (header->ver != expected_ver)
3421 {
3422 /*
3423 * Discard the rest of the message.
3424 */
3425 if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
3426 return -1;
3427
3428 /*
3429 * Tell our caller that it's not the negotiated version.
3430 */
3431 if (errbuf != NULL)
3432 {
3433 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3434 "Server sent us a message with version %u when we were expecting %u",
3435 header->ver, expected_ver);
3436 }
3437 return -1;
3438 }
3439 return 0;
3440 }
3441
3442 /*
3443 * Check the message type of a received message, which should either be
3444 * the expected message type or RPCAP_MSG_ERROR.
3445 */
3446 static int rpcap_check_msg_type(PCAP_SOCKET sock, SSL *ssl, uint8_t request_type, struct rpcap_header *header, uint16_t *errcode, char *errbuf)
3447 {
3448 const char *request_type_string;
3449 const char *msg_type_string;
3450
3451 /*
3452 * What type of message is it?
3453 */
3454 if (header->type == RPCAP_MSG_ERROR)
3455 {
3456 /*
3457 * The server reported an error.
3458 * Hand that error back to our caller.
3459 */
3460 *errcode = ntohs(header->value);
3461 rpcap_msg_err(sock, ssl, header->plen, errbuf);
3462 return -1;
3463 }
3464
3465 *errcode = 0;
3466
3467 /*
3468 * For a given request type value, the expected reply type value
3469 * is the request type value with ORed with RPCAP_MSG_IS_REPLY.
3470 */
3471 if (header->type != (request_type | RPCAP_MSG_IS_REPLY))
3472 {
3473 /*
3474 * This isn't a reply to the request we sent.
3475 */
3476
3477 /*
3478 * Discard the rest of the message.
3479 */
3480 if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
3481 return -1;
3482
3483 /*
3484 * Tell our caller about it.
3485 */
3486 request_type_string = rpcap_msg_type_string(request_type);
3487 msg_type_string = rpcap_msg_type_string(header->type);
3488 if (errbuf != NULL)
3489 {
3490 if (request_type_string == NULL)
3491 {
3492 /* This should not happen. */
3493 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3494 "rpcap_check_msg_type called for request message with type %u",
3495 request_type);
3496 return -1;
3497 }
3498 if (msg_type_string != NULL)
3499 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3500 "%s message received in response to a %s message",
3501 msg_type_string, request_type_string);
3502 else
3503 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3504 "Message of unknown type %u message received in response to a %s request",
3505 header->type, request_type_string);
3506 }
3507 return -1;
3508 }
3509
3510 return 0;
3511 }
3512
3513 /*
3514 * Receive and process the header of a message.
3515 */
3516 static int rpcap_process_msg_header(PCAP_SOCKET sock, SSL *ssl, uint8_t expected_ver, uint8_t request_type, struct rpcap_header *header, char *errbuf)
3517 {
3518 uint16_t errcode;
3519
3520 if (rpcap_recv_msg_header(sock, ssl, header, errbuf) == -1)
3521 {
3522 /* Network error. */
3523 return -1;
3524 }
3525
3526 /*
3527 * Did the server specify the version we negotiated?
3528 */
3529 if (rpcap_check_msg_ver(sock, ssl, expected_ver, header, errbuf) == -1)
3530 return -1;
3531
3532 /*
3533 * Check the message type.
3534 */
3535 return rpcap_check_msg_type(sock, ssl, request_type, header,
3536 &errcode, errbuf);
3537 }
3538
3539 /*
3540 * Read data from a message.
3541 * If we're trying to read more data than remains, puts an error
3542 * message into errbuf and returns -1. Otherwise, tries to read
3543 * the data and, if that succeeds, subtracts the amount read from
3544 * the number of bytes of data that remains.
3545 * Returns 0 on success and -1 on an error (short message or
3546 * network error).
3547 */
3548 static int rpcap_recv(PCAP_SOCKET sock, SSL *ssl, void *buffer, size_t toread, uint32_t *plen, char *errbuf)
3549 {
3550 int nread;
3551
3552 if (toread > *plen)
3553 {
3554 /* The server sent us a bad message */
3555 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Message payload is too short");
3556 return -1;
3557 }
3558 nread = sock_recv(sock, ssl, buffer, toread,
3559 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE);
3560 if (nread == -1)
3561 {
3562 return -1;
3563 }
3564 *plen -= nread;
3565 return 0;
3566 }
3567
3568 /*
3569 * This handles the RPCAP_MSG_ERROR message.
3570 */
3571 static void rpcap_msg_err(PCAP_SOCKET sockctrl, SSL *ssl, uint32_t plen, char *remote_errbuf)
3572 {
3573 char errbuf[PCAP_ERRBUF_SIZE];
3574
3575 if (plen >= PCAP_ERRBUF_SIZE)
3576 {
3577 /*
3578 * Message is too long; just read as much of it as we
3579 * can into the buffer provided, and discard the rest.
3580 */
3581 if (sock_recv(sockctrl, ssl, remote_errbuf, PCAP_ERRBUF_SIZE - 1,
3582 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3583 PCAP_ERRBUF_SIZE) == -1)
3584 {
3585 // Network error.
3586 DIAG_OFF_FORMAT_TRUNCATION
3587 snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3588 DIAG_ON_FORMAT_TRUNCATION
3589 return;
3590 }
3591
3592 /*
3593 * Null-terminate it.
3594 */
3595 remote_errbuf[PCAP_ERRBUF_SIZE - 1] = '\0';
3596
3597 #ifdef _WIN32
3598 /*
3599 * If we're not in UTF-8 mode, convert it to the local
3600 * code page.
3601 */
3602 if (!pcapint_utf_8_mode)
3603 utf_8_to_acp_truncated(remote_errbuf);
3604 #endif
3605
3606 /*
3607 * Throw away the rest.
3608 */
3609 (void)rpcap_discard(sockctrl, ssl, plen - (PCAP_ERRBUF_SIZE - 1), remote_errbuf);
3610 }
3611 else if (plen == 0)
3612 {
3613 /* Empty error string. */
3614 remote_errbuf[0] = '\0';
3615 }
3616 else
3617 {
3618 if (sock_recv(sockctrl, ssl, remote_errbuf, plen,
3619 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3620 PCAP_ERRBUF_SIZE) == -1)
3621 {
3622 // Network error.
3623 DIAG_OFF_FORMAT_TRUNCATION
3624 snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3625 DIAG_ON_FORMAT_TRUNCATION
3626 return;
3627 }
3628
3629 /*
3630 * Null-terminate it.
3631 */
3632 remote_errbuf[plen] = '\0';
3633 }
3634 }
3635
3636 /*
3637 * Discard data from a connection.
3638 * Mostly used to discard wrong-sized messages.
3639 * Returns 0 on success, logs a message and returns -1 on a network
3640 * error.
3641 */
3642 static int rpcap_discard(PCAP_SOCKET sock, SSL *ssl, uint32_t len, char *errbuf)
3643 {
3644 if (len != 0)
3645 {
3646 if (sock_discard(sock, ssl, len, errbuf, PCAP_ERRBUF_SIZE) == -1)
3647 {
3648 // Network error.
3649 return -1;
3650 }
3651 }
3652 return 0;
3653 }
3654
3655 /*
3656 * Read bytes into the pcap_t's buffer until we have the specified
3657 * number of bytes read or we get an error or interrupt indication.
3658 */
3659 static int rpcap_read_packet_msg(struct pcap_rpcap const *rp, pcap_t *p, size_t size)
3660 {
3661 u_char *bp;
3662 u_int cc;
3663 int bytes_read;
3664
3665 bp = p->bp;
3666 cc = p->cc;
3667
3668 /*
3669 * Loop until we have the amount of data requested or we get
3670 * an error or interrupt.
3671 */
3672 while (cc < size)
3673 {
3674 /*
3675 * We haven't read all of the packet header yet.
3676 * Read what remains, which could be all of it.
3677 */
3678 bytes_read = sock_recv(rp->rmt_sockdata, rp->data_ssl, bp, size - cc,
3679 SOCK_RECEIVEALL_NO|SOCK_EOF_IS_ERROR, p->errbuf,
3680 PCAP_ERRBUF_SIZE);
3681
3682 if (bytes_read == -1)
3683 {
3684 /*
3685 * Network error. Update the read pointer and
3686 * byte count, and return an error indication.
3687 */
3688 p->bp = bp;
3689 p->cc = cc;
3690 return -1;
3691 }
3692 if (bytes_read == -3)
3693 {
3694 /*
3695 * Interrupted receive. Update the read
3696 * pointer and byte count, and return
3697 * an interrupted indication.
3698 */
3699 p->bp = bp;
3700 p->cc = cc;
3701 return -3;
3702 }
3703 if (bytes_read == 0)
3704 {
3705 /*
3706 * EOF - server terminated the connection.
3707 * Update the read pointer and byte count, and
3708 * return an error indication.
3709 */
3710 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
3711 "The server terminated the connection.");
3712 return -1;
3713 }
3714 bp += bytes_read;
3715 cc += bytes_read;
3716 }
3717 p->bp = bp;
3718 p->cc = cc;
3719 return 0;
3720 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism