X-Git-Url: https://git.tcpdump.org/libpcap/blobdiff_plain/d4d65e7c4c0a6233784b346dcb0ebb7e23a3feaa..09b51d326c38ea8e10ce4da09c09d50e08c5aeb8:/rpcapd/daemon.c diff --git a/rpcapd/daemon.c b/rpcapd/daemon.c index 85aa0f98..9b0f8285 100644 --- a/rpcapd/daemon.c +++ b/rpcapd/daemon.c @@ -39,12 +39,14 @@ #include // for the errno variable #include // for malloc(), free(), ... #include // for strlen(), ... +#include // for INT_MAX #ifdef _WIN32 #include // for threads #else #include #include + #include #include #include // for select() and such #include // for password management @@ -63,40 +65,57 @@ #include "daemon.h" #include "log.h" -#define RPCAP_TIMEOUT_INIT 90 /* Initial timeout for RPCAP connections (default: 90 sec) */ -#define RPCAP_TIMEOUT_RUNTIME 180 /* Run-time timeout for RPCAP connections (default: 3 min) */ -#define RPCAP_SUSPEND_WRONGAUTH 1 /* If the authentication is wrong, stops 1 sec before accepting a new auth message */ +#ifdef HAVE_OPENSSL +#include +#include "sslutils.h" +#endif + +// +// Timeout, in seconds, when we're waiting for a client to send us an +// authentication request; if they don't send us a request within that +// interval, we drop the connection, so we don't stay stuck forever. +// +#define RPCAP_TIMEOUT_INIT 90 + +// +// Timeout, in seconds, when we're waiting for an authenticated client +// to send us a request, if a capture isn't in progress; if they don't +// send us a request within that interval, we drop the connection, so +// we don't stay stuck forever. +// +#define RPCAP_TIMEOUT_RUNTIME 180 + +// +// Time, in seconds, that we wait after a failed authentication attempt +// before processing the next request; this prevents a client from +// rapidly trying different accounts or passwords. +// +#define RPCAP_SUSPEND_WRONGAUTH 1 // Parameters for the service loop. struct daemon_slpars { - SOCKET sockctrl_in; //!< SOCKET ID of the input side of the control connection - SOCKET sockctrl_out; //!< SOCKET ID of the output side of the control connection - uint8 protocol_version; //!< negotiated protocol version + SOCKET sockctrl; //!< SOCKET ID of the control connection + SSL *ssl; //!< Optional SSL handler for the controlling sockets int isactive; //!< Not null if the daemon has to run in active mode int nullAuthAllowed; //!< '1' if we permit NULL authentication, '0' otherwise }; -/* - * Data for a session managed by a thread. - */ -struct session { - SOCKET sockctrl_out; - SOCKET sockdata; - uint8 protocol_version; - pcap_t *fp; - unsigned int TotCapt; -}; - // -// Structure to refer to a thread. +// Data for a session managed by a thread. // It includes both a Boolean indicating whether we *have* a thread, // and a platform-dependent (UN*X vs. Windows) identifier for the // thread; on Windows, we could use an invalid handle to indicate // that we don't have a thread, but there *is* no portable "no thread" // value for a pthread_t on UN*X. // -struct thread_handle { +struct session { + SOCKET sockctrl; + SOCKET sockdata; + SSL *ctrl_ssl, *data_ssl; // optional SSL handlers for sockctrl and sockdata. + uint8 protocol_version; + pcap_t *fp; + unsigned int TotCapt; int have_thread; #ifdef _WIN32 HANDLE thread; @@ -106,52 +125,116 @@ struct thread_handle { }; // Locally defined functions -static int daemon_msg_err(SOCKET sockctrl_in, uint32 plen); +static int daemon_msg_err(SOCKET sockctrl, SSL *, uint32 plen); static int daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen); static int daemon_AuthUserPwd(char *username, char *password, char *errbuf); -static int daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen); +static int daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, + uint32 plen); -static int daemon_msg_open_req(struct daemon_slpars *pars, uint32 plen, char *source, size_t sourcelen); -static int daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_handle *threaddata, char *source, struct session **sessionp, struct rpcap_sampling *samp_param); -static int daemon_msg_endcap_req(struct daemon_slpars *pars, struct session *session, struct thread_handle *threaddata); +static int daemon_msg_open_req(uint8 ver, struct daemon_slpars *pars, + uint32 plen, char *source, size_t sourcelen); +static int daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, + uint32 plen, char *source, struct session **sessionp, + struct rpcap_sampling *samp_param, int uses_ssl); +static int daemon_msg_endcap_req(uint8 ver, struct daemon_slpars *pars, + struct session *session); -static int daemon_msg_updatefilter_req(struct daemon_slpars *pars, struct session *session, uint32 plen); -static int daemon_unpackapplyfilter(SOCKET sockctrl_in, struct session *session, uint32 *plenp, char *errbuf); +static int daemon_msg_updatefilter_req(uint8 ver, struct daemon_slpars *pars, + struct session *session, uint32 plen); +static int daemon_unpackapplyfilter(SOCKET sockctrl, SSL *, struct session *session, uint32 *plenp, char *errbuf); -static int daemon_msg_stats_req(struct daemon_slpars *pars, struct session *session, uint32 plen, struct pcap_stat *stats, unsigned int svrcapt); +static int daemon_msg_stats_req(uint8 ver, struct daemon_slpars *pars, + struct session *session, uint32 plen, struct pcap_stat *stats, + unsigned int svrcapt); -static int daemon_msg_setsampling_req(struct daemon_slpars *pars, uint32 plen, struct rpcap_sampling *samp_param); +static int daemon_msg_setsampling_req(uint8 ver, struct daemon_slpars *pars, + uint32 plen, struct rpcap_sampling *samp_param); static void daemon_seraddr(struct sockaddr_storage *sockaddrin, struct rpcap_sockaddr *sockaddrout); #ifdef _WIN32 static unsigned __stdcall daemon_thrdatamain(void *ptr); #else static void *daemon_thrdatamain(void *ptr); +static void noop_handler(int sign); +#endif + +static int rpcapd_recv_msg_header(SOCKET sock, SSL *, struct rpcap_header *headerp); +static int rpcapd_recv(SOCKET sock, SSL *, char *buffer, size_t toread, uint32 *plen, char *errmsgbuf); +static int rpcapd_discard(SOCKET sock, SSL *, uint32 len); +static void session_close(struct session *); + +// +// TLS record layer header; used when processing the first message from +// the client, in case we aren't doing TLS but they are. +// +struct tls_record_header { + uint8 type; // ContentType - will be 22, for Handshake + uint8 version_major; // TLS protocol major version + uint8 version_injor; // TLS protocol minor version + // This is *not* aligned on a 2-byte boundary; we just + // declare it as two bytes. Don't assume any particular + // compiler's mechanism for saying "packed"! + uint8 length_hi; // Upper 8 bits of payload length + uint8 length_lo; // Low 8 bits of payload length +}; + +#define TLS_RECORD_HEADER_LEN 5 // Don't use sizeof in case it's padded + +#define TLS_RECORD_TYPE_ALERT 21 +#define TLS_RECORD_TYPE_HANDSHAKE 22 + +// +// TLS alert message. +// +struct tls_alert { + uint8 alert_level; + uint8 alert_description; +}; + +#define TLS_ALERT_LEN 2 + +#define TLS_ALERT_LEVEL_FATAL 2 +#define TLS_ALERT_HANDSHAKE_FAILURE 40 + +static int is_url(const char *source); + +/* + * Maximum sizes for fixed-bit-width values. + */ +#ifndef UINT16_MAX +#define UINT16_MAX 65535U #endif -static int rpcapd_recv_msg_header(SOCKET sock, struct rpcap_header *headerp); -static int rpcapd_recv(SOCKET sock, char *buffer, size_t toread, uint32 *plen, char *errmsgbuf); -static int rpcapd_discard(SOCKET sock, uint32 len); +#ifndef UINT32_MAX +#define UINT32_MAX 4294967295U +#endif int -daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nullAuthAllowed) +daemon_serviceloop(SOCKET sockctrl, int isactive, char *passiveClients, + int nullAuthAllowed, int uses_ssl) { + uint8 first_octet; + struct tls_record_header tls_header; + struct tls_alert tls_alert; struct daemon_slpars pars; // service loop parameters char errbuf[PCAP_ERRBUF_SIZE + 1]; // keeps the error string, prior to be printed char errmsgbuf[PCAP_ERRBUF_SIZE + 1]; // buffer for errors to send to the client + int host_port_check_status; + SSL *ssl = NULL; int nrecv; struct rpcap_header header; // RPCAP message general header uint32 plen; // payload length from header int authenticated = 0; // 1 if the client has successfully authenticated char source[PCAP_BUF_SIZE+1]; // keeps the string that contains the interface to open int got_source = 0; // 1 if we've gotten the source from an open request +#ifndef _WIN32 + struct sigaction action; +#endif struct session *session = NULL; // struct session main variable const char *msg_type_string; // string for message type int client_told_us_to_close = 0; // 1 if the client told us to close the capture - struct thread_handle threaddata; // 'read from daemon and send to client' thread - // needed to save the values of the statistics struct pcap_stat stats; unsigned int svrcapt; @@ -163,31 +246,256 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu struct timeval tv; // maximum time the select() can block waiting for data int retval; // select() return value + *errbuf = 0; // Initialize errbuf + + // + // Peek into the socket to determine whether the client sent us + // a TLS handshake message or a non-TLS rpcapd message. + // + // The first byte of an rpcapd request is the version number; + // the first byte of a TLS handshake message is 22. The + // first request to an rpcapd server must be an authentication + // request or a close request, and must have a version number + // of 0, so it will be possible to distinguish between an + // initial plaintext request to a server and an initial TLS + // handshake message. + // + nrecv = sock_recv(sockctrl, NULL, (char *)&first_octet, 1, + SOCK_EOF_ISNT_ERROR|SOCK_MSG_PEEK, errbuf, PCAP_ERRBUF_SIZE); + if (nrecv == -1) + { + // Fatal error. + rpcapd_log(LOGPRIO_ERROR, "Peek from client failed: %s", errbuf); + goto end; + } + if (nrecv == 0) + { + // Client closed the connection. + goto end; + } + +#ifdef HAVE_OPENSSL + // + // We have to upgrade to TLS as soon as possible, so that the + // whole protocol goes through the encrypted tunnel, including + // early error messages. + // + // Even in active mode, the other end has to initiate the TLS + // handshake as we still are the server as far as TLS is concerned, + // so we don't check isactive. + // + if (uses_ssl) + { + // + // We're expecting a TLS handshake message. If this + // isn't one, assume it's a non-TLS rpcapd message. + // + // The first octet of a TLS handshake is + // TLS_RECORD_TYPE_HANDSHAKE. + // + if (first_octet != TLS_RECORD_TYPE_HANDSHAKE) + { + // + // We assume this is a non-TLS rpcapd message. + // + // Read the message header from the client. + // + nrecv = rpcapd_recv_msg_header(sockctrl, NULL, &header); + if (nrecv == -1) + { + // Fatal error. + goto end; + } + if (nrecv == -2) + { + // Client closed the connection. + goto end; + } + plen = header.plen; + + // Discard the rest of the message. + if (rpcapd_discard(sockctrl, NULL, plen) == -1) + { + // Network error. + goto end; + } + + // + // Send an authentication error, indicating + // that we require TLS. + // + if (rpcap_senderror(sockctrl, NULL, header.ver, + PCAP_ERR_TLS_REQUIRED, + "TLS is required by this server", errbuf) == -1) + { + // That failed; log a message and give up. + rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); + goto end; + } + + // Shut the session down. + goto end; + } + ssl = ssl_promotion(1, sockctrl, errbuf, PCAP_ERRBUF_SIZE); + if (! ssl) + { + rpcapd_log(LOGPRIO_ERROR, "TLS handshake on control connection failed: %s", + errbuf); + goto end; + } + } + else +#endif + { + // + // We're expecting a non-TLS rpcapd message. If this + // looks, instead, like a TLS handshake message, send + // a TLS handshake_failed alert. + // + // The first octet of a TLS handshake is + // TLS_RECORD_TYPE_HANDSHAKE. + // + if (first_octet == TLS_RECORD_TYPE_HANDSHAKE) + { + // + // TLS handshake. + // Read the record header. + // + nrecv = sock_recv(sockctrl, ssl, (char *) &tls_header, + sizeof tls_header, SOCK_RECEIVEALL_YES|SOCK_EOF_ISNT_ERROR, + errbuf, PCAP_ERRBUF_SIZE); + if (nrecv == -1) + { + // Network error. + rpcapd_log(LOGPRIO_ERROR, "Read from client failed: %s", errbuf); + goto end; + } + if (nrecv == 0) + { + // Immediate EOF + goto end; + } + plen = (tls_header.length_hi << 8U) | tls_header.length_lo; + + // Discard the rest of the message. + if (rpcapd_discard(sockctrl, NULL, plen) == -1) + { + // Network error. + goto end; + } + + // + // Send a TLS handshake failure alert. + // Use the same version the client sent us. + // + tls_header.type = TLS_RECORD_TYPE_ALERT; + tls_header.length_hi = 0; + tls_header.length_lo = TLS_ALERT_LEN; + + if (sock_send(sockctrl, NULL, (char *) &tls_header, + TLS_RECORD_HEADER_LEN, errbuf, PCAP_ERRBUF_SIZE) == -1) + { + // That failed; log a message and give up. + rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); + goto end; + } + + tls_alert.alert_level = TLS_ALERT_LEVEL_FATAL; + tls_alert.alert_description = TLS_ALERT_HANDSHAKE_FAILURE; + if (sock_send(sockctrl, NULL, (char *) &tls_alert, + TLS_ALERT_LEN, errbuf, PCAP_ERRBUF_SIZE) == -1) + { + // That failed; log a message and give up. + rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); + goto end; + } + // + // Give up anyway. + // + goto end; + } + } + // Set parameters structure - pars.sockctrl_in = sockctrl_in; - pars.sockctrl_out = sockctrl_out; - pars.protocol_version = 0; // not yet known + pars.sockctrl = sockctrl; + pars.ssl = ssl; pars.isactive = isactive; // active mode pars.nullAuthAllowed = nullAuthAllowed; - // We don't have a thread yet. - threaddata.have_thread = 0; // - // We *shouldn't* have to initialize the thread indicator - // itself, because the compiler *should* realize that we - // only use this if have_thread isn't 0, but we *do* have - // to do it, because not all compilers *do* realize that. + // We have a connection. // - // There is no "invalid thread handle" value for a UN*X - // pthread_t, so we just zero it out. + // If it's a passive mode connection, check whether the connecting + // host is among the ones allowed. // -#ifdef _WIN32 - threaddata.thread = INVALID_HANDLE_VALUE; -#else - memset(&threaddata.thread, 0, sizeof(threaddata.thread)); -#endif + // In either case, we were handed a copy of the host list; free it + // as soon as we're done with it. + // + if (pars.isactive) + { + // Nothing to do. + free(passiveClients); + passiveClients = NULL; + } + else + { + struct sockaddr_storage from; + socklen_t fromlen; - *errbuf = 0; // Initialize errbuf + // + // Get the address of the other end of the connection. + // + fromlen = sizeof(struct sockaddr_storage); + if (getpeername(pars.sockctrl, (struct sockaddr *)&from, + &fromlen) == -1) + { + sock_geterrmsg(errmsgbuf, PCAP_ERRBUF_SIZE, + "getpeername() failed"); + if (rpcap_senderror(pars.sockctrl, pars.ssl, 0, PCAP_ERR_NETW, errmsgbuf, errbuf) == -1) + rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); + goto end; + } + + // + // Are they in the list of host/port combinations we allow? + // + host_port_check_status = sock_check_hostlist(passiveClients, RPCAP_HOSTLIST_SEP, &from, errmsgbuf, PCAP_ERRBUF_SIZE); + free(passiveClients); + passiveClients = NULL; + if (host_port_check_status < 0) + { + if (host_port_check_status == -2) { + // + // We got an error; log it. + // + rpcapd_log(LOGPRIO_ERROR, "%s", errmsgbuf); + } + + // + // Sorry, we can't let you in. + // + if (rpcap_senderror(pars.sockctrl, pars.ssl, 0, PCAP_ERR_HOSTNOAUTH, errmsgbuf, errbuf) == -1) + rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); + goto end; + } + } + +#ifndef _WIN32 + // + // Catch SIGUSR1, but do nothing. We use it to interrupt the + // capture thread to break it out of a loop in which it's + // blocked waiting for packets to arrive. + // + // We don't want interrupted system calls to restart, so that + // the read routine for the pcap_t gets EINTR rather than + // restarting if it's blocked in a system call. + // + memset(&action, 0, sizeof (action)); + action.sa_handler = noop_handler; + action.sa_flags = 0; + sigemptyset(&action.sa_mask); + sigaction(SIGUSR1, &action, NULL); +#endif // // The client must first authenticate; loop until they send us a @@ -198,10 +506,11 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu while (!authenticated) { // - // If we're in active mode, we have to check for the - // initial timeout. - // - // XXX - do this on *every* trip through the loop? + // If we're not in active mode, we use select(), with a + // timeout, to wait for an authentication request; if + // the timeout expires, we drop the connection, so that + // a client can't just connect to us and leave us + // waiting forever. // if (!pars.isactive) { @@ -210,13 +519,14 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu tv.tv_sec = RPCAP_TIMEOUT_INIT; tv.tv_usec = 0; - FD_SET(pars.sockctrl_in, &rfds); + FD_SET(pars.sockctrl, &rfds); - retval = select(pars.sockctrl_in + 1, &rfds, NULL, NULL, &tv); + retval = select((int)pars.sockctrl + 1, &rfds, NULL, NULL, &tv); if (retval == -1) { - sock_geterror("select failed: ", errmsgbuf, PCAP_ERRBUF_SIZE); - if (rpcap_senderror(pars.sockctrl_out, 0, PCAP_ERR_NETW, errmsgbuf, errbuf) == -1) + sock_geterrmsg(errmsgbuf, PCAP_ERRBUF_SIZE, + "select() failed"); + if (rpcap_senderror(pars.sockctrl, pars.ssl, 0, PCAP_ERR_NETW, errmsgbuf, errbuf) == -1) rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } @@ -225,7 +535,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // So, this was a fake connection. Drop it down if (retval == 0) { - if (rpcap_senderror(pars.sockctrl_out, 0, PCAP_ERR_INITTIMEOUT, "The RPCAP initial timeout has expired", errbuf) == -1) + if (rpcap_senderror(pars.sockctrl, pars.ssl, 0, PCAP_ERR_INITTIMEOUT, "The RPCAP initial timeout has expired", errbuf) == -1) rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } @@ -234,7 +544,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // // Read the message header from the client. // - nrecv = rpcapd_recv_msg_header(pars.sockctrl_in, &header); + nrecv = rpcapd_recv_msg_header(pars.sockctrl, pars.ssl, &header); if (nrecv == -1) { // Fatal error. @@ -249,49 +559,17 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu plen = header.plen; // - // Did the client specify a version we can handle? + // While we're in the authentication pharse, all requests + // must use version 0. // - if (!RPCAP_VERSION_IS_SUPPORTED(header.ver)) + if (header.ver != 0) { // - // Tell them it's not a valid protocol version. - // - uint8 reply_version; - - // - // If RPCAP_MIN_VERSION is 0, no version is too - // old, as the oldest supported version is 0, - // and there are no negative versions. + // Send it back to them with their version. // -#if RPCAP_MIN_VERSION != 0 - if (header.ver < RPCAP_MIN_VERSION) - { - // - // Their maximum version is too old; - // there *is* no version we can both - // handle, and they might reject - // an error with a version they don't - // understand, so reply with the - // version they sent. That may - // make them retry with that version, - // but they'll give up on that - // failure. - // - reply_version = header.ver; - } - else -#endif - { - // - // Their maximum version is too new, - // but they might be able to handle - // *our* maximum version, so reply - // with that version. - // - reply_version = RPCAP_MAX_VERSION; - } - if (rpcap_senderror(pars.sockctrl_out, reply_version, - PCAP_ERR_WRONGVER, "RPCAP version number mismatch", + if (rpcap_senderror(pars.sockctrl, pars.ssl, header.ver, + PCAP_ERR_WRONGVER, + "RPCAP version in requests in the authentication phase must be 0", errbuf) == -1) { // That failed; log a message and give up. @@ -299,22 +577,12 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu goto end; } - // Discard the rest of the message. - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) - { - // Network error. - goto end; - } - - // Let them try again. - continue; + // Discard the rest of the message and drop the + // connection. + (void)rpcapd_discard(pars.sockctrl, pars.ssl, plen); + goto end; } - // - // OK, we use the version the client specified. - // - pars.protocol_version = header.ver; - switch (header.type) { case RPCAP_MSG_AUTH_REQ: @@ -344,7 +612,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // Discard the rest of the message, if // there is anything more. // - (void)rpcapd_discard(pars.sockctrl_in, plen); + (void)rpcapd_discard(pars.sockctrl, pars.ssl, plen); // We're done with this client. goto end; @@ -356,7 +624,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // an error message rather than a "let // me log in" message, indicating that // we're not allowed to connect to them? - (void)daemon_msg_err(pars.sockctrl_in, plen); + (void)daemon_msg_err(pars.sockctrl, pars.ssl, plen); goto end; case RPCAP_MSG_FINDALLIF_REQ: @@ -373,21 +641,21 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu msg_type_string = rpcap_msg_type_string(header.type); if (msg_type_string != NULL) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "%s request sent before authentication was completed", msg_type_string); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "%s request sent before authentication was completed", msg_type_string); } else { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Message of type %u sent before authentication was completed", header.type); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Message of type %u sent before authentication was completed", header.type); } - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, PCAP_ERR_WRONGMSG, + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_WRONGMSG, errmsgbuf, errbuf) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } // Discard the rest of the message. - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) + if (rpcapd_discard(pars.sockctrl, pars.ssl, plen) == -1) { // Network error. goto end; @@ -409,21 +677,21 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu msg_type_string = rpcap_msg_type_string(header.type); if (msg_type_string != NULL) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message %s received from client", msg_type_string); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message %s received from client", msg_type_string); } else { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message of type %u received from client", header.type); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message of type %u received from client", header.type); } - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, PCAP_ERR_WRONGMSG, + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_WRONGMSG, errmsgbuf, errbuf) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } // Discard the rest of the message. - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) + if (rpcapd_discard(pars.sockctrl, pars.ssl, plen) == -1) { // Fatal error. goto end; @@ -434,16 +702,16 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // // Unknown message type. // - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Unknown message type %u", header.type); - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, PCAP_ERR_WRONGMSG, + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Unknown message type %u", header.type); + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_WRONGMSG, errmsgbuf, errbuf) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } // Discard the rest of the message. - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) + if (rpcapd_discard(pars.sockctrl, pars.ssl, plen) == -1) { // Fatal error. goto end; @@ -481,7 +749,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // // Be carefully: the capture can have been started, but an error occurred (so session != NULL, but // sockdata is 0 - if ((!pars.isactive) && ((session == NULL) || ((session != NULL) && (session->sockdata == 0)))) + if ((!pars.isactive) && (session == NULL || session->sockdata == 0)) { // Check for the initial timeout FD_ZERO(&rfds); @@ -489,14 +757,18 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu tv.tv_sec = RPCAP_TIMEOUT_RUNTIME; tv.tv_usec = 0; - FD_SET(pars.sockctrl_in, &rfds); - - retval = select(pars.sockctrl_in + 1, &rfds, NULL, NULL, &tv); + FD_SET(pars.sockctrl, &rfds); +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + retval = 1; +#else + retval = select((int)pars.sockctrl + 1, &rfds, NULL, NULL, &tv); +#endif if (retval == -1) { - sock_geterror("select failed: ", errmsgbuf, PCAP_ERRBUF_SIZE); - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, PCAP_ERR_NETW, + sock_geterrmsg(errmsgbuf, PCAP_ERRBUF_SIZE, + "select() failed"); + if (rpcap_senderror(pars.sockctrl, pars.ssl, + 0, PCAP_ERR_NETW, errmsgbuf, errbuf) == -1) rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; @@ -506,9 +778,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // So, this was a fake connection. Drop it down if (retval == 0) { - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, - PCAP_ERR_INITTIMEOUT, + if (rpcap_senderror(pars.sockctrl, pars.ssl, + 0, PCAP_ERR_INITTIMEOUT, "The RPCAP initial timeout has expired", errbuf) == -1) rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -519,7 +790,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // // Read the message header from the client. // - nrecv = rpcapd_recv_msg_header(pars.sockctrl_in, &header); + nrecv = rpcapd_recv_msg_header(pars.sockctrl, pars.ssl, &header); if (nrecv == -1) { // Fatal error. @@ -534,21 +805,20 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu plen = header.plen; // - // Did the client specify the version we negotiated? - // - // For now, there's only one version. + // Did the client specify a protocol version that we + // support? // - if (header.ver != pars.protocol_version) + if (!RPCAP_VERSION_IS_SUPPORTED(header.ver)) { // - // Tell them it's not the negotiated version. + // Tell them it's not a supported version. // Send the error message with their version, // so they don't reject it as having the wrong // version. // - if (rpcap_senderror(pars.sockctrl_out, + if (rpcap_senderror(pars.sockctrl, pars.ssl, header.ver, PCAP_ERR_WRONGVER, - "RPCAP version in message isn't the negotiated version", + "RPCAP version in message isn't supported by the server", errbuf) == -1) { // That failed; log a message and give up. @@ -557,7 +827,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu } // Discard the rest of the message. - (void)rpcapd_discard(pars.sockctrl_in, plen); + (void)rpcapd_discard(pars.sockctrl, pars.ssl, plen); // Give up on them. goto end; } @@ -566,7 +836,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu { case RPCAP_MSG_ERROR: // The other endpoint reported an error { - (void)daemon_msg_err(pars.sockctrl_in, plen); + (void)daemon_msg_err(pars.sockctrl, pars.ssl, plen); // Do nothing; just exit; the error code is already into the errbuf // XXX - actually exit.... break; @@ -574,7 +844,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu case RPCAP_MSG_FINDALLIF_REQ: { - if (daemon_msg_findallif_req(&pars, plen) == -1) + if (daemon_msg_findallif_req(header.ver, &pars, plen) == -1) { // Fatal error; a message has // been logged, so just give up. @@ -594,7 +864,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // us multiple open requests, the last // one wins. // - retval = daemon_msg_open_req(&pars, plen, source, sizeof(source)); + retval = daemon_msg_open_req(header.ver, &pars, + plen, source, sizeof(source)); if (retval == -1) { // Fatal error; a message has @@ -611,8 +882,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu { // They never told us what device // to capture on! - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_STARTCAPTURE, "No capture device was specified", errbuf) == -1) @@ -622,14 +893,16 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) + if (rpcapd_discard(pars.sockctrl, pars.ssl, plen) == -1) { goto end; } break; } - if (daemon_msg_startcap_req(&pars, plen, &threaddata, source, &session, &samp_param) == -1) + if (daemon_msg_startcap_req(header.ver, &pars, + plen, source, &session, &samp_param, + uses_ssl) == -1) { // Fatal error; a message has // been logged, so just give up. @@ -642,7 +915,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu { if (session) { - if (daemon_msg_updatefilter_req(&pars, session, plen) == -1) + if (daemon_msg_updatefilter_req(header.ver, + &pars, session, plen) == -1) { // Fatal error; a message has // been logged, so just give up. @@ -651,8 +925,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu } else { - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_UPDATEFILTER, "Device not opened. Cannot update filter", errbuf) == -1) @@ -673,13 +947,14 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // This is used only in case of active mode. // client_told_us_to_close = 1; - SOCK_DEBUG_MESSAGE("The other end system asked to close the connection."); + rpcapd_log(LOGPRIO_DEBUG, "The other end system asked to close the connection."); goto end; } case RPCAP_MSG_STATS_REQ: { - if (daemon_msg_stats_req(&pars, session, plen, &stats, svrcapt) == -1) + if (daemon_msg_stats_req(header.ver, &pars, + session, plen, &stats, svrcapt) == -1) { // Fatal error; a message has // been logged, so just give up. @@ -705,7 +980,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu svrcapt = 0; } - if (daemon_msg_endcap_req(&pars, session, &threaddata) == -1) + if (daemon_msg_endcap_req(header.ver, + &pars, session) == -1) { free(session); session = NULL; @@ -718,8 +994,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu } else { - rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, + rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_ENDCAPTURE, "Device not opened. Cannot close the capture", errbuf); @@ -729,7 +1005,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu case RPCAP_MSG_SETSAMPLING_REQ: { - if (daemon_msg_setsampling_req(&pars, plen, &samp_param) == -1) + if (daemon_msg_setsampling_req(header.ver, + &pars, plen, &samp_param) == -1) { // Fatal error; a message has // been logged, so just give up. @@ -745,8 +1022,8 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // get to reauthenticate. // rpcapd_log(LOGPRIO_INFO, "The client sent an RPCAP_MSG_AUTH_REQ message after authentication was completed"); - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_WRONGMSG, "RPCAP_MSG_AUTH_REQ request sent after authentication was completed", errbuf) == -1) @@ -755,7 +1032,7 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu goto end; } // Discard the rest of the message. - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) + if (rpcapd_discard(pars.sockctrl, pars.ssl, plen) == -1) { // Fatal error. goto end; @@ -778,22 +1055,22 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu if (msg_type_string != NULL) { rpcapd_log(LOGPRIO_INFO, "The client sent a %s server-to-client message", msg_type_string); - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message %s received from client", msg_type_string); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message %s received from client", msg_type_string); } else { rpcapd_log(LOGPRIO_INFO, "The client sent a server-to-client message of type %u", header.type); - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message of type %u received from client", header.type); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Server-to-client message of type %u received from client", header.type); } - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, PCAP_ERR_WRONGMSG, + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_WRONGMSG, errmsgbuf, errbuf) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } // Discard the rest of the message. - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) + if (rpcapd_discard(pars.sockctrl, pars.ssl, plen) == -1) { // Fatal error. goto end; @@ -805,16 +1082,16 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu // Unknown message type. // rpcapd_log(LOGPRIO_INFO, "The client sent a message of type %u", header.type); - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Unknown message type %u", header.type); - if (rpcap_senderror(pars.sockctrl_out, - pars.protocol_version, PCAP_ERR_WRONGMSG, + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Unknown message type %u", header.type); + if (rpcap_senderror(pars.sockctrl, pars.ssl, + header.ver, PCAP_ERR_WRONGMSG, errbuf, errmsgbuf) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); goto end; } // Discard the rest of the message. - if (rpcapd_discard(pars.sockctrl_in, plen) == -1) + if (rpcapd_discard(pars.sockctrl, pars.ssl, plen) == -1) { // Fatal error. goto end; @@ -825,58 +1102,34 @@ daemon_serviceloop(SOCKET sockctrl_in, SOCKET sockctrl_out, int isactive, int nu } end: - // The child thread is about to end - - // perform pcap_t cleanup, in case it has not been done + // The service loop is finishing up. + // If we have a capture session running, close it. if (session) { - if (threaddata.have_thread) - { -#ifdef _WIN32 - // - // Tell the data connection thread main capture - // loop to break out of that loop. - // - pcap_breakloop(session->fp); - - // - // If it's currently blocked waiting for packets - // to arrive, try to wake it up, so it can see - // the "break out of the loop" indication. - // - SetEvent(pcap_getevent(session->fp)); - - // - // Wait for the thread to exit, so we don't close - // sockets out from under it. - // - // XXX - have a timeout, so we don't wait forever? - // - WaitForSingleObject(threaddata.thread, INFINITE); - - // - // Release the thread handle, as we're done with - // it. - // - CloseHandle(threaddata.thread); -#else - pthread_cancel(threaddata.thread); -#endif - threaddata.have_thread = 0; - } - if (session->sockdata) - { - sock_close(session->sockdata, NULL, 0); - session->sockdata = 0; - } - pcap_close(session->fp); + session_close(session); free(session); session = NULL; } + if (passiveClients) { + free(passiveClients); + } + // + // Finish using the SSL handle for the control socket, if we + // have an SSL connection, and close the control socket. + // +#ifdef HAVE_OPENSSL + if (ssl) + { + // Finish using the SSL handle for the socket. + // This must be done *before* the socket is closed. + ssl_finish(ssl); + } +#endif + sock_close(sockctrl, NULL, 0); + // Print message and return - SOCK_DEBUG_MESSAGE("I'm exiting from the child loop"); - SOCK_DEBUG_MESSAGE(errbuf); + rpcapd_log(LOGPRIO_DEBUG, "I'm exiting from the child loop"); return client_told_us_to_close; } @@ -885,7 +1138,7 @@ end: * This handles the RPCAP_MSG_ERR message. */ static int -daemon_msg_err(SOCKET sockctrl_in, uint32 plen) +daemon_msg_err(SOCKET sockctrl, SSL *ssl, uint32 plen) { char errbuf[PCAP_ERRBUF_SIZE]; char remote_errbuf[PCAP_ERRBUF_SIZE]; @@ -896,7 +1149,7 @@ daemon_msg_err(SOCKET sockctrl_in, uint32 plen) * Message is too long; just read as much of it as we * can into the buffer provided, and discard the rest. */ - if (sock_recv(sockctrl_in, remote_errbuf, PCAP_ERRBUF_SIZE - 1, + if (sock_recv(sockctrl, ssl, remote_errbuf, PCAP_ERRBUF_SIZE - 1, SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE) == -1) { @@ -904,7 +1157,7 @@ daemon_msg_err(SOCKET sockctrl_in, uint32 plen) rpcapd_log(LOGPRIO_ERROR, "Read from client failed: %s", errbuf); return -1; } - if (rpcapd_discard(sockctrl_in, plen - (PCAP_ERRBUF_SIZE - 1)) == -1) + if (rpcapd_discard(sockctrl, ssl, plen - (PCAP_ERRBUF_SIZE - 1)) == -1) { // Network error. return -1; @@ -922,7 +1175,7 @@ daemon_msg_err(SOCKET sockctrl_in, uint32 plen) } else { - if (sock_recv(sockctrl_in, remote_errbuf, plen, + if (sock_recv(sockctrl, ssl, remote_errbuf, plen, SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE) == -1) { @@ -968,11 +1221,13 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen) { char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors char errmsgbuf[PCAP_ERRBUF_SIZE]; // buffer for errors to send to the client - struct rpcap_header header; // RPCAP message general header int status; struct rpcap_auth auth; // RPCAP authentication header + char sendbuf[RPCAP_NETBUF_SIZE]; // temporary buffer in which data to be sent is buffered + int sendbufidx = 0; // index which keeps the number of bytes currently buffered + struct rpcap_authreply *authreply; // authentication reply message - status = rpcapd_recv(pars->sockctrl_in, (char *) &auth, sizeof(struct rpcap_auth), &plen, errmsgbuf); + status = rpcapd_recv(pars->sockctrl, pars->ssl, (char *) &auth, sizeof(struct rpcap_auth), &plen, errmsgbuf); if (status == -1) { return -1; @@ -989,8 +1244,16 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen) if (!pars->nullAuthAllowed) { // Send the client an error reply. - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Authentication failed; NULL authentication not permitted."); - goto error; + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, + "Authentication failed; NULL authentication not permitted."); + if (rpcap_senderror(pars->sockctrl, pars->ssl, + 0, PCAP_ERR_AUTH_FAILED, errmsgbuf, errbuf) == -1) + { + // That failed; log a message and give up. + rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); + return -1; + } + goto error_noreply; } break; } @@ -1008,7 +1271,7 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen) PCAP_ERRBUF_SIZE, errno, "malloc() failed"); goto error; } - status = rpcapd_recv(pars->sockctrl_in, username, usernamelen, &plen, errmsgbuf); + status = rpcapd_recv(pars->sockctrl, pars->ssl, username, usernamelen, &plen, errmsgbuf); if (status == -1) { free(username); @@ -1030,7 +1293,7 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen) free(username); goto error; } - status = rpcapd_recv(pars->sockctrl_in, passwd, passwdlen, &plen, errmsgbuf); + status = rpcapd_recv(pars->sockctrl, pars->ssl, passwd, passwdlen, &plen, errmsgbuf); if (status == -1) { free(username); @@ -1053,9 +1316,8 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen) // free(username); free(passwd); - if (rpcap_senderror(pars->sockctrl_out, - pars->protocol_version, - PCAP_ERR_AUTH, errmsgbuf, errbuf) == -1) + if (rpcap_senderror(pars->sockctrl, pars->ssl, + 0, PCAP_ERR_AUTH_FAILED, errmsgbuf, errbuf) == -1) { // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -1082,23 +1344,54 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen) } default: - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized."); - goto error; + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, + "Authentication type not recognized."); + if (rpcap_senderror(pars->sockctrl, pars->ssl, + 0, PCAP_ERR_AUTH_TYPE_NOTSUP, errmsgbuf, errbuf) == -1) + { + // That failed; log a message and give up. + rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); + return -1; + } + goto error_noreply; } // The authentication succeeded; let the client know. - rpcap_createhdr(&header, pars->protocol_version, RPCAP_MSG_AUTH_REPLY, 0, 0); + if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx, + RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) + goto error; + + rpcap_createhdr((struct rpcap_header *) sendbuf, 0, + RPCAP_MSG_AUTH_REPLY, 0, sizeof(struct rpcap_authreply)); + + authreply = (struct rpcap_authreply *) &sendbuf[sendbufidx]; - // Send the ok message back - if (sock_send(pars->sockctrl_out, (char *) &header, sizeof (struct rpcap_header), errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_bufferize(NULL, sizeof(struct rpcap_authreply), NULL, &sendbufidx, + RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) + goto error; + + // + // Indicate to our peer what versions we support and what our + // version of the byte-order magic is (which will tell the + // client whether our byte order differs from theirs, in which + // case they will need to byte-swap some fields in some + // link-layer types' headers). + // + memset(authreply, 0, sizeof(struct rpcap_authreply)); + authreply->minvers = RPCAP_MIN_VERSION; + authreply->maxvers = RPCAP_MAX_VERSION; + authreply->byte_order_magic = RPCAP_BYTE_ORDER_MAGIC; + + // Send the reply. + if (sock_send(pars->sockctrl, pars->ssl, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) { - // That failed; log a messsage and give up. + // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); return -1; } // Check if all the data has been read; if not, discard the data in excess - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { return -1; } @@ -1106,8 +1399,8 @@ daemon_msg_auth_req(struct daemon_slpars *pars, uint32 plen) return 0; error: - if (rpcap_senderror(pars->sockctrl_out, pars->protocol_version, - PCAP_ERR_AUTH, errmsgbuf, errbuf) == -1) + if (rpcap_senderror(pars->sockctrl, pars->ssl, 0, PCAP_ERR_AUTH, + errmsgbuf, errbuf) == -1) { // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -1116,7 +1409,7 @@ error: error_noreply: // Check if all the data has been read; if not, discard the data in excess - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { return -1; } @@ -1136,16 +1429,32 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) * policies, user right assignment) * However, it seems to me that if you run it as a service, this * right should be provided by default. + * + * XXX - hopefully, this returns errors such as ERROR_LOGON_FAILURE, + * which merely indicates that the user name or password is + * incorrect, not whether it's the user name or the password + * that's incorrect, so a client that's trying to brute-force + * accounts doesn't know whether it's the user name or the + * password that's incorrect, so it doesn't know whether to + * stop trying to log in with a given user name and move on + * to another user name. */ + DWORD error; HANDLE Token; + char errmsgbuf[PCAP_ERRBUF_SIZE]; // buffer for errors to log + if (LogonUser(username, ".", password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &Token) == 0) { - int error; - + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed"); error = GetLastError(); - FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, 0, errbuf, - PCAP_ERRBUF_SIZE, NULL); - + if (error != ERROR_LOGON_FAILURE) + { + // Some error other than an authentication error; + // log it. + pcap_fmt_errmsg_for_win32_err(errmsgbuf, + PCAP_ERRBUF_SIZE, error, "LogonUser() failed"); + rpcapd_log(LOGPRIO_ERROR, "%s", errmsgbuf); + } return -1; } @@ -1153,12 +1462,10 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) // I didn't test it. if (ImpersonateLoggedOnUser(Token) == 0) { - int error; - - error = GetLastError(); - FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, 0, errbuf, - PCAP_ERRBUF_SIZE, NULL); - + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed"); + pcap_fmt_errmsg_for_win32_err(errmsgbuf, PCAP_ERRBUF_SIZE, + GetLastError(), "ImpersonateLoggedOnUser() failed"); + rpcapd_log(LOGPRIO_ERROR, "%s", errmsgbuf); CloseHandle(Token); return -1; } @@ -1170,7 +1477,7 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) /* * See * - * http://www.unixpapa.com/incnote/passwd.html + * https://www.unixpapa.com/incnote/passwd.html * * We use the Solaris/Linux shadow password authentication if * we have getspnam(), otherwise we just do traditional @@ -1186,16 +1493,18 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) * only password database or some other authentication mechanism, * behind its API. */ + int error; struct passwd *user; char *user_password; #ifdef HAVE_GETSPNAM struct spwd *usersp; #endif + char *crypt_password; // This call is needed to get the uid if ((user = getpwnam(username)) == NULL) { - pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed: no such user"); + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed"); return -1; } @@ -1203,7 +1512,7 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) // This call is needed to get the password; otherwise 'x' is returned if ((usersp = getspnam(username)) == NULL) { - pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed: no such user"); + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed"); return -1; } user_password = usersp->sp_pwdp; @@ -1221,23 +1530,52 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) user_password = user->pw_passwd; #endif - if (strcmp(user_password, (char *) crypt(password, user_password)) != 0) + // + // The Single UNIX Specification says that if crypt() fails it + // sets errno, but some implementatons that haven't been run + // through the SUS test suite might not do so. + // + errno = 0; + crypt_password = crypt(password, user_password); + if (crypt_password == NULL) { - pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed: password incorrect"); + error = errno; + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed"); + if (error == 0) + { + // It didn't set errno. + rpcapd_log(LOGPRIO_ERROR, "crypt() failed"); + } + else + { + rpcapd_log(LOGPRIO_ERROR, "crypt() failed: %s", + strerror(error)); + } + return -1; + } + if (strcmp(user_password, crypt_password) != 0) + { + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed"); return -1; } if (setuid(user->pw_uid)) { + error = errno; pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, - errno, "setuid"); + error, "setuid"); + rpcapd_log(LOGPRIO_ERROR, "setuid() failed: %s", + strerror(error)); return -1; } /* if (setgid(user->pw_gid)) { + error = errno; pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, errno, "setgid"); + rpcapd_log(LOGPRIO_ERROR, "setgid() failed: %s", + strerror(error)); return -1; } */ @@ -1247,8 +1585,23 @@ daemon_AuthUserPwd(char *username, char *password, char *errbuf) } +/* + * Make sure that the reply length won't overflow 32 bits if we add the + * specified amount to it. If it won't, add that amount to it. + * + * We check whether replylen + itemlen > UINT32_MAX, but subtract itemlen + * from both sides, to prevent overflow. + */ +#define CHECK_AND_INCREASE_REPLY_LEN(itemlen) \ + if (replylen > UINT32_MAX - (itemlen)) { \ + pcap_strlcpy(errmsgbuf, "Reply length doesn't fit in 32 bits", \ + sizeof (errmsgbuf)); \ + goto error; \ + } \ + replylen += (uint32)(itemlen) + static int -daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) +daemon_msg_findallif_req(uint8 ver, struct daemon_slpars *pars, uint32 plen) { char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors char errmsgbuf[PCAP_ERRBUF_SIZE]; // buffer for errors to send to the client @@ -1257,11 +1610,11 @@ daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) pcap_if_t *alldevs = NULL; // pointer to the header of the interface chain pcap_if_t *d; // temp pointer needed to scan the interface chain struct pcap_addr *address; // pcap structure that keeps a network address of an interface - struct rpcap_findalldevs_if *findalldevs_if;// rpcap structure that packet all the data of an interface together + uint32 replylen; // length of reply payload uint16 nif = 0; // counts the number of interface listed // Discard the rest of the message; there shouldn't be any payload. - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { // Network error. return -1; @@ -1273,7 +1626,7 @@ daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) if (alldevs == NULL) { - if (rpcap_senderror(pars->sockctrl_out, pars->protocol_version, + if (rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_NOREMOTEIF, "No interfaces found! Make sure libpcap/WinPcap is properly installed" " and you have the right to access to the remote device.", @@ -1285,18 +1638,37 @@ daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) return 0; } - // checks the number of interfaces and it computes the total length of the payload + // This checks the number of interfaces and computes the total + // length of the payload. + replylen = 0; for (d = alldevs; d != NULL; d = d->next) { nif++; - if (d->description) - plen+= strlen(d->description); - if (d->name) - plen+= strlen(d->name); + if (d->description) { + size_t stringlen = strlen(d->description); + if (stringlen > UINT16_MAX) { + pcap_strlcpy(errmsgbuf, + "Description length doesn't fit in 16 bits", + sizeof (errmsgbuf)); + goto error; + } + CHECK_AND_INCREASE_REPLY_LEN(stringlen); + } + if (d->name) { + size_t stringlen = strlen(d->name); + if (stringlen > UINT16_MAX) { + pcap_strlcpy(errmsgbuf, + "Name length doesn't fit in 16 bits", + sizeof (errmsgbuf)); + goto error; + } + CHECK_AND_INCREASE_REPLY_LEN(stringlen); + } - plen+= sizeof(struct rpcap_findalldevs_if); + CHECK_AND_INCREASE_REPLY_LEN(sizeof(struct rpcap_findalldevs_if)); + uint16_t naddrs = 0; for (address = d->addresses; address != NULL; address = address->next) { /* @@ -1308,7 +1680,14 @@ daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) #ifdef AF_INET6 case AF_INET6: #endif - plen+= (sizeof(struct rpcap_sockaddr) * 4); + CHECK_AND_INCREASE_REPLY_LEN(sizeof(struct rpcap_sockaddr) * 4); + if (naddrs == UINT16_MAX) { + pcap_strlcpy(errmsgbuf, + "Number of interfaces doesn't fit in 16 bits", + sizeof (errmsgbuf)); + goto error; + } + naddrs++; break; default: @@ -1317,37 +1696,50 @@ daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) } } - // RPCAP findalldevs command + // RPCAP findalldevs reply if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) goto error; - rpcap_createhdr((struct rpcap_header *) sendbuf, pars->protocol_version, - RPCAP_MSG_FINDALLIF_REPLY, nif, plen); + rpcap_createhdr((struct rpcap_header *) sendbuf, ver, + RPCAP_MSG_FINDALLIF_REPLY, nif, replylen); // send the interface list for (d = alldevs; d != NULL; d = d->next) { uint16 lname, ldescr; - findalldevs_if = (struct rpcap_findalldevs_if *) &sendbuf[sendbufidx]; + // Note: the findalldevs_if entries are *not* neatly + // aligned on 4-byte boundaries, because they're + // preceded by strings that aren't padded to 4-byte + // boundaries, so we cannot just cast output buffer + // boundaries to struct rpcap_findalldevs_if pointers + // and store into them - we must fill in a structure and + // then copy the structure to the buffer, as not all + // systems support unaligned access (some, such as + // SPARC, crash; others, such as Arm, may just ignore + // the lower-order bits). + struct rpcap_findalldevs_if findalldevs_if; - if (sock_bufferize(NULL, sizeof(struct rpcap_findalldevs_if), NULL, - &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) - goto error; - - memset(findalldevs_if, 0, sizeof(struct rpcap_findalldevs_if)); - - if (d->description) ldescr = (short) strlen(d->description); - else ldescr = 0; - if (d->name) lname = (short) strlen(d->name); - else lname = 0; + /* + * We've already established that the string lengths + * fit in 16 bits. + */ + if (d->description) + ldescr = (uint16) strlen(d->description); + else + ldescr = 0; + if (d->name) + lname = (uint16) strlen(d->name); + else + lname = 0; - findalldevs_if->desclen = htons(ldescr); - findalldevs_if->namelen = htons(lname); - findalldevs_if->flags = htonl(d->flags); + findalldevs_if.desclen = htons(ldescr); + findalldevs_if.namelen = htons(lname); + findalldevs_if.flags = htonl(d->flags); + uint16_t naddrs = 0; for (address = d->addresses; address != NULL; address = address->next) { /* @@ -1359,14 +1751,20 @@ daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) #ifdef AF_INET6 case AF_INET6: #endif - findalldevs_if->naddr++; + naddrs++; break; default: break; } } - findalldevs_if->naddr = htons(findalldevs_if->naddr); + findalldevs_if.naddr = htons(naddrs); + findalldevs_if.dummy = 0; + + if (sock_bufferize(&findalldevs_if, sizeof(struct rpcap_findalldevs_if), sendbuf, + &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errmsgbuf, + PCAP_ERRBUF_SIZE) == -1) + goto error; if (sock_bufferize(d->name, lname, sendbuf, &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errmsgbuf, @@ -1427,7 +1825,7 @@ daemon_msg_findallif_req(struct daemon_slpars *pars, uint32 plen) pcap_freealldevs(alldevs); // Send a final command that says "now send it!" - if (sock_send(pars->sockctrl_out, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_send(pars->sockctrl, pars->ssl, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); return -1; @@ -1439,7 +1837,7 @@ error: if (alldevs) pcap_freealldevs(alldevs); - if (rpcap_senderror(pars->sockctrl_out, pars->protocol_version, + if (rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_FINDALLIF, errmsgbuf, errbuf) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -1453,7 +1851,8 @@ error: to discard excess data in the message, if present) */ static int -daemon_msg_open_req(struct daemon_slpars *pars, uint32 plen, char *source, size_t sourcelen) +daemon_msg_open_req(uint8 ver, struct daemon_slpars *pars, uint32 plen, + char *source, size_t sourcelen) { char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors char errmsgbuf[PCAP_ERRBUF_SIZE]; // buffer for errors to send to the client @@ -1465,11 +1864,11 @@ daemon_msg_open_req(struct daemon_slpars *pars, uint32 plen, char *source, size_ if (plen > sourcelen - 1) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Source string too long"); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Source string too long"); goto error; } - nread = sock_recv(pars->sockctrl_in, source, plen, + nread = sock_recv(pars->sockctrl, pars->ssl, source, plen, SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE); if (nread == -1) { @@ -1479,14 +1878,19 @@ daemon_msg_open_req(struct daemon_slpars *pars, uint32 plen, char *source, size_ source[nread] = '\0'; plen -= nread; - // XXX - make sure it's *not* a URL; we don't support opening - // remote devices here. + // Is this a URL rather than a device? + // If so, reject it. + if (is_url(source)) + { + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Source string refers to a remote device"); + goto error; + } // Open the selected device // This is a fake open, since we do that only to get the needed parameters, then we close the device again if ((fp = pcap_open_live(source, 1500 /* fake snaplen */, - 0 /* no promis */, + 0 /* no promisc */, 1000 /* fake timeout */, errmsgbuf)) == NULL) goto error; @@ -1496,7 +1900,7 @@ daemon_msg_open_req(struct daemon_slpars *pars, uint32 plen, char *source, size_ RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) goto error; - rpcap_createhdr((struct rpcap_header *) sendbuf, pars->protocol_version, + rpcap_createhdr((struct rpcap_header *) sendbuf, ver, RPCAP_MSG_OPEN_REPLY, 0, sizeof(struct rpcap_openreply)); openreply = (struct rpcap_openreply *) &sendbuf[sendbufidx]; @@ -1507,12 +1911,20 @@ daemon_msg_open_req(struct daemon_slpars *pars, uint32 plen, char *source, size_ memset(openreply, 0, sizeof(struct rpcap_openreply)); openreply->linktype = htonl(pcap_datalink(fp)); + /* + * This is always 0 for live captures; we no longer support it + * as something we read from capture files and supply to + * clients, but we have to send it over the wire, as open + * replies are expected to have 8 bytes of payload by + * existing clients. + */ + openreply->tzoff = 0; // We're done with the pcap_t. pcap_close(fp); // Send the reply. - if (sock_send(pars->sockctrl_out, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_send(pars->sockctrl, pars->ssl, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); return -1; @@ -1520,8 +1932,8 @@ daemon_msg_open_req(struct daemon_slpars *pars, uint32 plen, char *source, size_ return 0; error: - if (rpcap_senderror(pars->sockctrl_out, pars->protocol_version, - PCAP_ERR_OPEN, errmsgbuf, errbuf) == -1) + if (rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_OPEN, + errmsgbuf, errbuf) == -1) { // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -1529,7 +1941,7 @@ error: } // Check if all the data has been read; if not, discard the data in excess - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { return -1; } @@ -1541,7 +1953,9 @@ error: to discard excess data in the message, if present) */ static int -daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_handle *threaddata, char *source, struct session **sessionp, struct rpcap_sampling *samp_param _U_) +daemon_msg_startcap_req(uint8 ver, struct daemon_slpars *pars, uint32 plen, + char *source, struct session **sessionp, + struct rpcap_sampling *samp_param _U_, int uses_ssl) { char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors char errmsgbuf[PCAP_ERRBUF_SIZE]; // buffer for errors to send to the client @@ -1553,17 +1967,12 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h int sendbufidx = 0; // index which keeps the number of bytes currently buffered // socket-related variables - SOCKET sockdata = INVALID_SOCKET; // socket descriptor of the data connection struct addrinfo hints; // temp, needed to open a socket connection struct addrinfo *addrinfo; // temp, needed to open a socket connection struct sockaddr_storage saddr; // temp, needed to retrieve the network data port chosen on the local machine socklen_t saddrlen; // temp, needed to retrieve the network data port chosen on the local machine int ret; // return value from functions -#ifndef _WIN32 - pthread_attr_t detachedAttribute; // temp, needed to set the created thread as detached -#endif - // RPCAP-related variables struct rpcap_startcapreq startcapreq; // start capture request message struct rpcap_startcapreply *startcapreply; // start capture reply message @@ -1571,7 +1980,7 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h addrinfo = NULL; - status = rpcapd_recv(pars->sockctrl_in, (char *) &startcapreq, + status = rpcapd_recv(pars->sockctrl, pars->ssl, (char *) &startcapreq, sizeof(struct rpcap_startcapreq), &plen, errmsgbuf); if (status == -1) { @@ -1584,14 +1993,42 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h startcapreq.flags = ntohs(startcapreq.flags); + // Check that the client does not ask for UDP is the server has been asked + // to enforce encryption, as SSL is not supported yet with UDP: + if (uses_ssl && (startcapreq.flags & RPCAP_STARTCAPREQ_FLAG_DGRAM)) + { + snprintf(errbuf, PCAP_ERRBUF_SIZE, + "SSL not supported with UDP forward of remote packets"); + goto error; + } + // Create a session structure session = malloc(sizeof(struct session)); if (session == NULL) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Can't allocate session structure"); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Can't allocate session structure"); goto error; } + session->sockdata = INVALID_SOCKET; + session->ctrl_ssl = session->data_ssl = NULL; + // We don't have a thread yet. + session->have_thread = 0; + // + // We *shouldn't* have to initialize the thread indicator + // itself, because the compiler *should* realize that we + // only use this if have_thread isn't 0, but we *do* have + // to do it, because not all compilers *do* realize that. + // + // There is no "invalid thread handle" value for a UN*X + // pthread_t, so we just zero it out. + // +#ifdef _WIN32 + session->thread = INVALID_HANDLE_VALUE; +#else + memset(&session->thread, 0, sizeof(session->thread)); +#endif + // Open the selected device if ((session->fp = pcap_open_live(source, ntohl(startcapreq.snaplen), @@ -1623,9 +2060,10 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h we want to connect to */ saddrlen = sizeof(struct sockaddr_storage); - if (getpeername(pars->sockctrl_in, (struct sockaddr *) &saddr, &saddrlen) == -1) + if (getpeername(pars->sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1) { - sock_geterror("getpeername(): ", errmsgbuf, PCAP_ERRBUF_SIZE); + sock_geterrmsg(errmsgbuf, PCAP_ERRBUF_SIZE, + "getpeername() failed"); goto error; } @@ -1636,38 +2074,40 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h // Now we have to create a new socket to send packets if (serveropen_dp) // Data connection is opened by the server toward the client { - pcap_snprintf(portdata, sizeof portdata, "%d", ntohs(startcapreq.portdata)); + snprintf(portdata, sizeof portdata, "%d", ntohs(startcapreq.portdata)); // Get the name of the other peer (needed to connect to that specific network address) if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peerhost, sizeof(peerhost), NULL, 0, NI_NUMERICHOST)) { - sock_geterror("getnameinfo(): ", errmsgbuf, PCAP_ERRBUF_SIZE); + sock_geterrmsg(errmsgbuf, PCAP_ERRBUF_SIZE, + "getnameinfo() failed"); goto error; } if (sock_initaddress(peerhost, portdata, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) goto error; - if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) + if ((session->sockdata = sock_open(peerhost, addrinfo, SOCKOPEN_CLIENT, 0, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) goto error; } else // Data connection is opened by the client toward the server { hints.ai_flags = AI_PASSIVE; - // Let's the server socket pick up a free network port for us - if (sock_initaddress(NULL, "0", &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) + // Make the server socket pick up a free network port for us + if (sock_initaddress(NULL, NULL, &hints, &addrinfo, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) goto error; - if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) + if ((session->sockdata = sock_open(NULL, addrinfo, SOCKOPEN_SERVER, 1 /* max 1 connection in queue */, errmsgbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) goto error; // get the complete sockaddr structure used in the data connection saddrlen = sizeof(struct sockaddr_storage); - if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1) + if (getsockname(session->sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1) { - sock_geterror("getsockname(): ", errmsgbuf, PCAP_ERRBUF_SIZE); + sock_geterrmsg(errmsgbuf, PCAP_ERRBUF_SIZE, + "getsockname() failed"); goto error; } @@ -1675,7 +2115,8 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, portdata, sizeof(portdata), NI_NUMERICSERV)) { - sock_geterror("getnameinfo(): ", errmsgbuf, PCAP_ERRBUF_SIZE); + sock_geterrmsg(errmsgbuf, PCAP_ERRBUF_SIZE, + "getnameinfo() failed"); goto error; } } @@ -1685,11 +2126,12 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h addrinfo = NULL; // Needed to send an error on the ctrl connection - session->sockctrl_out = pars->sockctrl_out; - session->protocol_version = pars->protocol_version; + session->sockctrl = pars->sockctrl; + session->ctrl_ssl = pars->ssl; + session->protocol_version = ver; // Now I can set the filter - ret = daemon_unpackapplyfilter(pars->sockctrl_in, session, &plen, errmsgbuf); + ret = daemon_unpackapplyfilter(pars->sockctrl, pars->ssl, session, &plen, errmsgbuf); if (ret == -1) { // Fatal error. A message has been logged; just give up. @@ -1706,7 +2148,7 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) goto error; - rpcap_createhdr((struct rpcap_header *) sendbuf, pars->protocol_version, + rpcap_createhdr((struct rpcap_header *) sendbuf, ver, RPCAP_MSG_STARTCAP_REPLY, 0, sizeof(struct rpcap_startcapreply)); startcapreply = (struct rpcap_startcapreply *) &sendbuf[sendbufidx]; @@ -1724,7 +2166,7 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h startcapreply->portdata = htons(port); } - if (sock_send(pars->sockctrl_out, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_send(pars->sockctrl, pars->ssl, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) { // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -1738,52 +2180,62 @@ daemon_msg_startcap_req(struct daemon_slpars *pars, uint32 plen, struct thread_h // Connection creation saddrlen = sizeof(struct sockaddr_storage); - socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen); + socktemp = accept(session->sockdata, (struct sockaddr *) &saddr, &saddrlen); if (socktemp == INVALID_SOCKET) { - sock_geterror("accept(): ", errbuf, PCAP_ERRBUF_SIZE); + sock_geterrmsg(errbuf, PCAP_ERRBUF_SIZE, + "accept() failed"); rpcapd_log(LOGPRIO_ERROR, "Accept of data connection failed: %s", errbuf); goto error; } // Now that I accepted the connection, the server socket is no longer needed - sock_close(sockdata, NULL, 0); - sockdata = socktemp; + sock_close(session->sockdata, NULL, 0); + session->sockdata = socktemp; } - session->sockdata = sockdata; + SSL *ssl = NULL; + if (uses_ssl) + { +#ifdef HAVE_OPENSSL + /* In both active or passive cases, wait for the client to initiate the + * TLS handshake. Yes during that time the control socket will not be + * served, but the same was true from the above call to accept(). */ + ssl = ssl_promotion(1, session->sockdata, errbuf, PCAP_ERRBUF_SIZE); + if (! ssl) + { + rpcapd_log(LOGPRIO_ERROR, "TLS handshake failed: %s", errbuf); + goto error; + } +#endif + } + session->data_ssl = ssl; // Now we have to create a new thread to receive packets #ifdef _WIN32 - threaddata->thread = (HANDLE)_beginthreadex(NULL, 0, daemon_thrdatamain, + session->thread = (HANDLE)_beginthreadex(NULL, 0, daemon_thrdatamain, (void *) session, 0, NULL); - if (threaddata->thread == 0) + if (session->thread == 0) { - pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error creating the data thread"); + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error creating the data thread"); goto error; } #else - /* GV we need this to create the thread as detached. */ - /* GV otherwise, the thread handle is not destroyed */ - pthread_attr_init(&detachedAttribute); - pthread_attr_setdetachstate(&detachedAttribute, PTHREAD_CREATE_DETACHED); - ret = pthread_create(&threaddata->thread, &detachedAttribute, - daemon_thrdatamain, (void *) session); + ret = pthread_create(&session->thread, NULL, daemon_thrdatamain, + (void *) session); if (ret != 0) { pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, ret, "Error creating the data thread"); - pthread_attr_destroy(&detachedAttribute); goto error; } - pthread_attr_destroy(&detachedAttribute); #endif - threaddata->have_thread = 1; + session->have_thread = 1; // Check if all the data has been read; if not, discard the data in excess - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) goto fatal_error; *sessionp = session; @@ -1799,32 +2251,13 @@ error: if (addrinfo) freeaddrinfo(addrinfo); - if (threaddata->have_thread) - { -#ifdef _WIN32 - if (session->fp) - { - pcap_breakloop(session->fp); - SetEvent(pcap_getevent(session->fp)); - } - CloseHandle(threaddata->thread); -#else - pthread_cancel(threaddata->thread); -#endif - threaddata->have_thread = 0; - } - - if (sockdata != INVALID_SOCKET) - sock_close(sockdata, NULL, 0); - if (session) { - if (session->fp) - pcap_close(session->fp); + session_close(session); free(session); } - if (rpcap_senderror(pars->sockctrl_out, pars->protocol_version, + if (rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_STARTCAPTURE, errmsgbuf, errbuf) == -1) { // That failed; log a message and give up. @@ -1833,7 +2266,7 @@ error: } // Check if all the data has been read; if not, discard the data in excess - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { // Network error. return -1; @@ -1848,51 +2281,9 @@ fatal_error: // *sessionp = NULL; - if (threaddata->have_thread) - { -#ifdef _WIN32 - if (session && session->fp) - { - // - // Tell the data connection thread main capture - // loop to break out of that loop. - // - pcap_breakloop(session->fp); - - // - // If it's currently blocked waiting for packets - // to arrive, try to wake it up, so it can see - // the "break out of the loop" indication. - // - SetEvent(pcap_getevent(session->fp)); - } - - // - // Wait for the thread to exit, so we don't close - // sockets out from under it. - // - // XXX - have a timeout, so we don't wait forever? - // - WaitForSingleObject(threaddata->thread, INFINITE); - - // - // Release the thread handle, as we're done with - // it. - // - CloseHandle(threaddata->thread); -#else - pthread_cancel(threaddata->thread); -#endif - threaddata->have_thread = 0; - } - - if (sockdata != INVALID_SOCKET) - sock_close(sockdata, NULL, 0); - if (session) { - if (session->fp) - pcap_close(session->fp); + session_close(session); free(session); } @@ -1900,57 +2291,17 @@ fatal_error: } static int -daemon_msg_endcap_req(struct daemon_slpars *pars, struct session *session, struct thread_handle *threaddata) +daemon_msg_endcap_req(uint8 ver, struct daemon_slpars *pars, + struct session *session) { char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors struct rpcap_header header; - if (threaddata->have_thread) - { -#ifdef _WIN32 - // - // Tell the data connection thread main capture loop to - // break out of that loop. - // - pcap_breakloop(session->fp); - - // - // If it's currently blocked waiting for packets to - // arrive, try to wake it up, so it can see the "break - // out of the loop" indication. - // - SetEvent(pcap_getevent(session->fp)); - - // - // Wait for the thread to exit, so we don't close - // sockets out from under it. - // - // XXX - have a timeout, so we don't wait forever? - // - WaitForSingleObject(threaddata->thread, INFINITE); - - // - // Release the thread handle, as we're done with - // it. - // - CloseHandle(threaddata->thread); -#else - pthread_cancel(threaddata->thread); -#endif - threaddata->have_thread = 0; - } - if (session->sockdata) - { - sock_close(session->sockdata, NULL, 0); - session->sockdata = 0; - } - - pcap_close(session->fp); + session_close(session); - rpcap_createhdr(&header, pars->protocol_version, - RPCAP_MSG_ENDCAP_REPLY, 0, 0); + rpcap_createhdr(&header, ver, RPCAP_MSG_ENDCAP_REPLY, 0, 0); - if (sock_send(pars->sockctrl_out, (char *) &header, sizeof(struct rpcap_header), errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_send(pars->sockctrl, pars->ssl, (char *) &header, sizeof(struct rpcap_header), errbuf, PCAP_ERRBUF_SIZE) == -1) { // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -1960,8 +2311,25 @@ daemon_msg_endcap_req(struct daemon_slpars *pars, struct session *session, struc return 0; } +// +// We impose a limit on the filter program size, so that, on Windows, +// where there's only one server process with multiple threads, it's +// harder to eat all the server address space by sending larger filter +// programs. (This isn't an issue on UN*X, where there are multiple +// server processes, one per client connection.) +// +// We pick a value that limits each filter to 64K; that value is twice +// the in-kernel limit for Linux and 16 times the in-kernel limit for +// *BSD and macOS. +// +// It also prevents an overflow on 32-bit platforms when calculating +// the total size of the filter program. (It's not an issue on 64-bit +// platforms with a 64-bit size_t, as the filter size is 32 bits.) +// +#define RPCAP_BPF_MAXINSNS 8192 + static int -daemon_unpackapplyfilter(SOCKET sockctrl_in, struct session *session, uint32 *plenp, char *errmsgbuf) +daemon_unpackapplyfilter(SOCKET sockctrl, SSL *ctrl_ssl, struct session *session, uint32 *plenp, char *errmsgbuf) { int status; struct rpcap_filter filter; @@ -1970,7 +2338,7 @@ daemon_unpackapplyfilter(SOCKET sockctrl_in, struct session *session, uint32 *pl struct bpf_program bf_prog; unsigned int i; - status = rpcapd_recv(sockctrl_in, (char *) &filter, + status = rpcapd_recv(sockctrl, ctrl_ssl, (char *) &filter, sizeof(struct rpcap_filter), plenp, errmsgbuf); if (status == -1) { @@ -1985,10 +2353,17 @@ daemon_unpackapplyfilter(SOCKET sockctrl_in, struct session *session, uint32 *pl if (ntohs(filter.filtertype) != RPCAP_UPDATEFILTER_BPF) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Only BPF/NPF filters are currently supported"); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Only BPF/NPF filters are currently supported"); return -2; } + if (bf_prog.bf_len > RPCAP_BPF_MAXINSNS) + { + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, + "Filter program is larger than the maximum size of %d instructions", + RPCAP_BPF_MAXINSNS); + return -2; + } bf_insn = (struct bpf_insn *) malloc (sizeof(struct bpf_insn) * bf_prog.bf_len); if (bf_insn == NULL) { @@ -2001,7 +2376,7 @@ daemon_unpackapplyfilter(SOCKET sockctrl_in, struct session *session, uint32 *pl for (i = 0; i < bf_prog.bf_len; i++) { - status = rpcapd_recv(sockctrl_in, (char *) &insn, + status = rpcapd_recv(sockctrl, ctrl_ssl, (char *) &insn, sizeof(struct rpcap_filterbpf_insn), plenp, errmsgbuf); if (status == -1) { @@ -2020,15 +2395,18 @@ daemon_unpackapplyfilter(SOCKET sockctrl_in, struct session *session, uint32 *pl bf_insn++; } + // + // XXX - pcap_setfilter() should do the validation for us. + // if (bpf_validate(bf_prog.bf_insns, bf_prog.bf_len) == 0) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "The filter contains bogus instructions"); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "The filter contains bogus instructions"); return -2; } if (pcap_setfilter(session->fp, &bf_prog)) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "RPCAP error: %s", pcap_geterr(session->fp)); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "RPCAP error: %s", pcap_geterr(session->fp)); return -2; } @@ -2036,14 +2414,15 @@ daemon_unpackapplyfilter(SOCKET sockctrl_in, struct session *session, uint32 *pl } static int -daemon_msg_updatefilter_req(struct daemon_slpars *pars, struct session *session, uint32 plen) +daemon_msg_updatefilter_req(uint8 ver, struct daemon_slpars *pars, + struct session *session, uint32 plen) { char errbuf[PCAP_ERRBUF_SIZE]; char errmsgbuf[PCAP_ERRBUF_SIZE]; // buffer for errors to send to the client int ret; // status of daemon_unpackapplyfilter() struct rpcap_header header; // keeps the answer to the updatefilter command - ret = daemon_unpackapplyfilter(pars->sockctrl_in, session, &plen, errmsgbuf); + ret = daemon_unpackapplyfilter(pars->sockctrl, pars->ssl, session, &plen, errmsgbuf); if (ret == -1) { // Fatal error. A message has been logged; just give up. @@ -2056,19 +2435,18 @@ daemon_msg_updatefilter_req(struct daemon_slpars *pars, struct session *session, } // Check if all the data has been read; if not, discard the data in excess - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { // Network error. return -1; } // A response is needed, otherwise the other host does not know that everything went well - rpcap_createhdr(&header, pars->protocol_version, - RPCAP_MSG_UPDATEFILTER_REPLY, 0, 0); + rpcap_createhdr(&header, ver, RPCAP_MSG_UPDATEFILTER_REPLY, 0, 0); - if (sock_send(pars->sockctrl_out, (char *) &header, sizeof (struct rpcap_header), pcap_geterr(session->fp), PCAP_ERRBUF_SIZE)) + if (sock_send(pars->sockctrl, pars->ssl, (char *) &header, sizeof (struct rpcap_header), errbuf, PCAP_ERRBUF_SIZE)) { - // That failed; log a messsage and give up. + // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); return -1; } @@ -2076,12 +2454,12 @@ daemon_msg_updatefilter_req(struct daemon_slpars *pars, struct session *session, return 0; error: - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { return -1; } - rpcap_senderror(pars->sockctrl_out, pars->protocol_version, - PCAP_ERR_UPDATEFILTER, errmsgbuf, NULL); + rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_UPDATEFILTER, + errmsgbuf, NULL); return 0; } @@ -2090,7 +2468,8 @@ error: \brief Received the sampling parameters from remote host and it stores in the pcap_t structure. */ static int -daemon_msg_setsampling_req(struct daemon_slpars *pars, uint32 plen, struct rpcap_sampling *samp_param) +daemon_msg_setsampling_req(uint8 ver, struct daemon_slpars *pars, uint32 plen, + struct rpcap_sampling *samp_param) { char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors char errmsgbuf[PCAP_ERRBUF_SIZE]; @@ -2098,7 +2477,7 @@ daemon_msg_setsampling_req(struct daemon_slpars *pars, uint32 plen, struct rpcap struct rpcap_sampling rpcap_samp; int status; - status = rpcapd_recv(pars->sockctrl_in, (char *) &rpcap_samp, sizeof(struct rpcap_sampling), &plen, errmsgbuf); + status = rpcapd_recv(pars->sockctrl, pars->ssl, (char *) &rpcap_samp, sizeof(struct rpcap_sampling), &plen, errmsgbuf); if (status == -1) { return -1; @@ -2113,17 +2492,16 @@ daemon_msg_setsampling_req(struct daemon_slpars *pars, uint32 plen, struct rpcap samp_param->value = ntohl(rpcap_samp.value); // A response is needed, otherwise the other host does not know that everything went well - rpcap_createhdr(&header, pars->protocol_version, - RPCAP_MSG_SETSAMPLING_REPLY, 0, 0); + rpcap_createhdr(&header, ver, RPCAP_MSG_SETSAMPLING_REPLY, 0, 0); - if (sock_send(pars->sockctrl_out, (char *) &header, sizeof (struct rpcap_header), errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_send(pars->sockctrl, pars->ssl, (char *) &header, sizeof (struct rpcap_header), errbuf, PCAP_ERRBUF_SIZE) == -1) { - // That failed; log a messsage and give up. + // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); return -1; } - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { return -1; } @@ -2131,8 +2509,8 @@ daemon_msg_setsampling_req(struct daemon_slpars *pars, uint32 plen, struct rpcap return 0; error: - if (rpcap_senderror(pars->sockctrl_out, pars->protocol_version, - PCAP_ERR_AUTH, errmsgbuf, errbuf) == -1) + if (rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_SETSAMPLING, + errmsgbuf, errbuf) == -1) { // That failed; log a message and give up. rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); @@ -2140,7 +2518,7 @@ error: } // Check if all the data has been read; if not, discard the data in excess - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { return -1; } @@ -2149,7 +2527,9 @@ error: } static int -daemon_msg_stats_req(struct daemon_slpars *pars, struct session *session, uint32 plen, struct pcap_stat *stats, unsigned int svrcapt) +daemon_msg_stats_req(uint8 ver, struct daemon_slpars *pars, + struct session *session, uint32 plen, struct pcap_stat *stats, + unsigned int svrcapt) { char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors char errmsgbuf[PCAP_ERRBUF_SIZE]; // buffer for errors to send to the client @@ -2158,7 +2538,7 @@ daemon_msg_stats_req(struct daemon_slpars *pars, struct session *session, uint32 struct rpcap_stats *netstats; // statistics sent on the network // Checks that the header does not contain other data; if so, discard it - if (rpcapd_discard(pars->sockctrl_in, plen) == -1) + if (rpcapd_discard(pars->sockctrl, pars->ssl, plen) == -1) { // Network error. return -1; @@ -2168,7 +2548,7 @@ daemon_msg_stats_req(struct daemon_slpars *pars, struct session *session, uint32 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errmsgbuf, PCAP_ERRBUF_SIZE) == -1) goto error; - rpcap_createhdr((struct rpcap_header *) sendbuf, pars->protocol_version, + rpcap_createhdr((struct rpcap_header *) sendbuf, ver, RPCAP_MSG_STATS_REPLY, 0, (uint16) sizeof(struct rpcap_stats)); netstats = (struct rpcap_stats *) &sendbuf[sendbufidx]; @@ -2181,7 +2561,7 @@ daemon_msg_stats_req(struct daemon_slpars *pars, struct session *session, uint32 { if (pcap_stats(session->fp, stats) == -1) { - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "%s", pcap_geterr(session->fp)); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "%s", pcap_geterr(session->fp)); goto error; } @@ -2202,7 +2582,7 @@ daemon_msg_stats_req(struct daemon_slpars *pars, struct session *session, uint32 } // Send the packet - if (sock_send(pars->sockctrl_out, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_send(pars->sockctrl, pars->ssl, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) == -1) { rpcapd_log(LOGPRIO_ERROR, "Send to client failed: %s", errbuf); return -1; @@ -2211,8 +2591,8 @@ daemon_msg_stats_req(struct daemon_slpars *pars, struct session *session, uint32 return 0; error: - rpcap_senderror(pars->sockctrl_out, pars->protocol_version, - PCAP_ERR_GETSTATS, errmsgbuf, NULL); + rpcap_senderror(pars->sockctrl, pars->ssl, ver, PCAP_ERR_GETSTATS, + errmsgbuf, NULL); return 0; } @@ -2233,6 +2613,9 @@ daemon_thrdatamain(void *ptr) char *sendbuf; // temporary buffer in which data to be sent is buffered int sendbufidx; // index which keeps the number of bytes currently buffered int status; +#ifndef _WIN32 + sigset_t sigusr1; // signal set with just SIGUSR1 +#endif session = (struct session *) ptr; @@ -2267,7 +2650,21 @@ daemon_thrdatamain(void *ptr) // // So we don't need to make sure that sendbufsize will overflow. // + // However, we *do* need to make sure its value fits in an int, + // because sock_send() can't send more than INT_MAX bytes (it could + // do so on 64-bit UN*Xes, but can't do so on Windows, not even + // 64-bit Windows, as the send() buffer size argument is an int + // in Winsock). + // sendbufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + pcap_snapshot(session->fp); + if (sendbufsize > INT_MAX) + { + rpcapd_log(LOGPRIO_ERROR, + "Buffer size for this child thread would be larger than %d", + INT_MAX); + sendbuf = NULL; // we haven't allocated a buffer, so nothing to free + goto error; + } sendbuf = (char *) malloc (sendbufsize); if (sendbuf == NULL) { @@ -2277,30 +2674,36 @@ daemon_thrdatamain(void *ptr) } #ifndef _WIN32 - // Modify thread params so that it can be killed at any time - retval = pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL); - if (retval != 0) - { - pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, - retval, "pthread_setcancelstate"); - rpcapd_log(LOGPRIO_ERROR, - "Can't set cancel state on data thread: %s", errbuf); - goto error; - } - retval = pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL); - if (retval != 0) - { - pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, - retval, "pthread_setcanceltype"); - rpcapd_log(LOGPRIO_ERROR, - "Can't set cancel type on data thread: %s", errbuf); - goto error; - } + // + // Set the signal set to include just SIGUSR1, and block that + // signal; we only want it unblocked when we're reading + // packets - we dn't want any other system calls, such as + // ones being used to send to the client or to log messages, + // to be interrupted. + // + sigemptyset(&sigusr1); + sigaddset(&sigusr1, SIGUSR1); + pthread_sigmask(SIG_BLOCK, &sigusr1, NULL); #endif // Retrieve the packets - while ((retval = pcap_next_ex(session->fp, &pkt_header, (const u_char **) &pkt_data)) >= 0) // cast to avoid a compiler warning + for (;;) { +#ifndef _WIN32 + // + // Unblock SIGUSR1 while we might be waiting for packets. + // + pthread_sigmask(SIG_UNBLOCK, &sigusr1, NULL); +#endif + retval = pcap_next_ex(session->fp, &pkt_header, (const u_char **) &pkt_data); // cast to avoid a compiler warning +#ifndef _WIN32 + // + // Now block it again. + // + pthread_sigmask(SIG_BLOCK, &sigusr1, NULL); +#endif + if (retval < 0) + break; // error if (retval == 0) // Read timeout elapsed continue; @@ -2308,7 +2711,7 @@ daemon_thrdatamain(void *ptr) // Bufferize the general header if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, - &sendbufidx, sendbufsize, SOCKBUF_CHECKONLY, errbuf, + &sendbufidx, (int)sendbufsize, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE) == -1) { rpcapd_log(LOGPRIO_ERROR, @@ -2325,7 +2728,7 @@ daemon_thrdatamain(void *ptr) // Bufferize the pkt header if (sock_bufferize(NULL, sizeof(struct rpcap_pkthdr), NULL, - &sendbufidx, sendbufsize, SOCKBUF_CHECKONLY, errbuf, + &sendbufidx, (int)sendbufsize, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE) == -1) { rpcapd_log(LOGPRIO_ERROR, @@ -2337,12 +2740,16 @@ daemon_thrdatamain(void *ptr) net_pkt_header->caplen = htonl(pkt_header->caplen); net_pkt_header->len = htonl(pkt_header->len); net_pkt_header->npkt = htonl(++(session->TotCapt)); - net_pkt_header->timestamp_sec = htonl(pkt_header->ts.tv_sec); - net_pkt_header->timestamp_usec = htonl(pkt_header->ts.tv_usec); + // + // This protocol needs to be updated with a new version + // before 2038-01-19 03:14:07 UTC. + // + net_pkt_header->timestamp_sec = htonl((uint32)pkt_header->ts.tv_sec); + net_pkt_header->timestamp_usec = htonl((uint32)pkt_header->ts.tv_usec); // Bufferize the pkt data if (sock_bufferize((char *) pkt_data, pkt_header->caplen, - sendbuf, &sendbufidx, sendbufsize, SOCKBUF_BUFFERIZE, + sendbuf, &sendbufidx, (int)sendbufsize, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE) == -1) { rpcapd_log(LOGPRIO_ERROR, @@ -2354,7 +2761,7 @@ daemon_thrdatamain(void *ptr) // Send the packet // If the client dropped the connection, don't report an // error, just quit. - status = sock_send(session->sockdata, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE); + status = sock_send(session->sockdata, session->data_ssl, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE); if (status < 0) { if (status == -1) @@ -2376,23 +2783,40 @@ daemon_thrdatamain(void *ptr) } } - if (retval == -1) + if (retval < 0 && retval != PCAP_ERROR_BREAK) { - pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error reading the packets: %s", pcap_geterr(session->fp)); - rpcap_senderror(session->sockctrl_out, session->protocol_version, + // + // Failed with an error other than "we were told to break + // out of the loop". + // + // The latter just means that the client told us to stop + // capturing, so there's no error to report. + // + snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error reading the packets: %s", pcap_geterr(session->fp)); + rpcap_senderror(session->sockctrl, session->ctrl_ssl, session->protocol_version, PCAP_ERR_READEX, errbuf, NULL); - goto error; } error: - closesocket(session->sockdata); - session->sockdata = 0; - + // + // The main thread will clean up the session structure. + // free(sendbuf); return 0; } +#ifndef _WIN32 +// +// Do-nothing handler for SIGUSR1; the sole purpose of SIGUSR1 is to +// interrupt the data thread if it's blocked in a system call waiting +// for packets to arrive. +// +static void noop_handler(int sign _U_) +{ +} +#endif + /*! \brief It serializes a network address. @@ -2417,19 +2841,25 @@ daemon_seraddr(struct sockaddr_storage *sockaddrin, struct rpcap_sockaddr *socka if (sockaddrin == NULL) return; // Warning: we support only AF_INET and AF_INET6 + // + // Note: as noted above, the output structures are not + // neatly aligned on 4-byte boundaries, so we must fill + // in an aligned structure and then copy it to the output + // buffer with memcpy(). switch (sockaddrin->ss_family) { case AF_INET: { struct sockaddr_in *sockaddrin_ipv4; - struct rpcap_sockaddr_in *sockaddrout_ipv4; + struct rpcap_sockaddr_in sockaddrout_ipv4; sockaddrin_ipv4 = (struct sockaddr_in *) sockaddrin; - sockaddrout_ipv4 = (struct rpcap_sockaddr_in *) sockaddrout; - sockaddrout_ipv4->family = htons(RPCAP_AF_INET); - sockaddrout_ipv4->port = htons(sockaddrin_ipv4->sin_port); - memcpy(&sockaddrout_ipv4->addr, &sockaddrin_ipv4->sin_addr, sizeof(sockaddrout_ipv4->addr)); - memset(sockaddrout_ipv4->zero, 0, sizeof(sockaddrout_ipv4->zero)); + + sockaddrout_ipv4.family = htons(RPCAP_AF_INET); + sockaddrout_ipv4.port = htons(sockaddrin_ipv4->sin_port); + memcpy(&sockaddrout_ipv4.addr, &sockaddrin_ipv4->sin_addr, sizeof(sockaddrout_ipv4.addr)); + memset(sockaddrout_ipv4.zero, 0, sizeof(sockaddrout_ipv4.zero)); + memcpy(sockaddrout, &sockaddrout_ipv4, sizeof(struct rpcap_sockaddr_in)); break; } @@ -2437,15 +2867,16 @@ daemon_seraddr(struct sockaddr_storage *sockaddrin, struct rpcap_sockaddr *socka case AF_INET6: { struct sockaddr_in6 *sockaddrin_ipv6; - struct rpcap_sockaddr_in6 *sockaddrout_ipv6; + struct rpcap_sockaddr_in6 sockaddrout_ipv6; sockaddrin_ipv6 = (struct sockaddr_in6 *) sockaddrin; - sockaddrout_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrout; - sockaddrout_ipv6->family = htons(RPCAP_AF_INET6); - sockaddrout_ipv6->port = htons(sockaddrin_ipv6->sin6_port); - sockaddrout_ipv6->flowinfo = htonl(sockaddrin_ipv6->sin6_flowinfo); - memcpy(&sockaddrout_ipv6->addr, &sockaddrin_ipv6->sin6_addr, sizeof(sockaddrout_ipv6->addr)); - sockaddrout_ipv6->scope_id = htonl(sockaddrin_ipv6->sin6_scope_id); + + sockaddrout_ipv6.family = htons(RPCAP_AF_INET6); + sockaddrout_ipv6.port = htons(sockaddrin_ipv6->sin6_port); + sockaddrout_ipv6.flowinfo = htonl(sockaddrin_ipv6->sin6_flowinfo); + memcpy(&sockaddrout_ipv6.addr, &sockaddrin_ipv6->sin6_addr, sizeof(sockaddrout_ipv6.addr)); + sockaddrout_ipv6.scope_id = htonl(sockaddrin_ipv6->sin6_scope_id); + memcpy(sockaddrout, &sockaddrout_ipv6, sizeof(struct rpcap_sockaddr_in6)); break; } #endif @@ -2458,6 +2889,7 @@ daemon_seraddr(struct sockaddr_storage *sockaddrin, struct rpcap_sockaddr *socka */ void sleep_secs(int secs) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION #ifdef _WIN32 Sleep(secs*1000); #else @@ -2469,18 +2901,19 @@ void sleep_secs(int secs) while (secs_remaining != 0) secs_remaining = sleep(secs_remaining); #endif +#endif } /* * Read the header of a message. */ static int -rpcapd_recv_msg_header(SOCKET sock, struct rpcap_header *headerp) +rpcapd_recv_msg_header(SOCKET sock, SSL *ssl, struct rpcap_header *headerp) { int nread; char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors - nread = sock_recv(sock, (char *) headerp, sizeof(struct rpcap_header), + nread = sock_recv(sock, ssl, (char *) headerp, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES|SOCK_EOF_ISNT_ERROR, errbuf, PCAP_ERRBUF_SIZE); if (nread == -1) { @@ -2507,7 +2940,7 @@ rpcapd_recv_msg_header(SOCKET sock, struct rpcap_header *headerp) * error. */ static int -rpcapd_recv(SOCKET sock, char *buffer, size_t toread, uint32 *plen, char *errmsgbuf) +rpcapd_recv(SOCKET sock, SSL *ssl, char *buffer, size_t toread, uint32 *plen, char *errmsgbuf) { int nread; char errbuf[PCAP_ERRBUF_SIZE]; // buffer for network errors @@ -2515,10 +2948,10 @@ rpcapd_recv(SOCKET sock, char *buffer, size_t toread, uint32 *plen, char *errmsg if (toread > *plen) { // Tell the client and continue. - pcap_snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Message payload is too short"); + snprintf(errmsgbuf, PCAP_ERRBUF_SIZE, "Message payload is too short"); return -2; } - nread = sock_recv(sock, buffer, toread, + nread = sock_recv(sock, ssl, buffer, toread, SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE); if (nread == -1) { @@ -2536,13 +2969,13 @@ rpcapd_recv(SOCKET sock, char *buffer, size_t toread, uint32 *plen, char *errmsg * error. */ static int -rpcapd_discard(SOCKET sock, uint32 len) +rpcapd_discard(SOCKET sock, SSL *ssl, uint32 len) { char errbuf[PCAP_ERRBUF_SIZE + 1]; // keeps the error string, prior to be printed if (len != 0) { - if (sock_discard(sock, len, errbuf, PCAP_ERRBUF_SIZE) == -1) + if (sock_discard(sock, ssl, len, errbuf, PCAP_ERRBUF_SIZE) == -1) { // Network error. rpcapd_log(LOGPRIO_ERROR, "Read from client failed: %s", errbuf); @@ -2551,3 +2984,163 @@ rpcapd_discard(SOCKET sock, uint32 len) } return 0; } + +// +// Shut down any packet-capture thread associated with the session, +// close the SSL handle for the data socket if we have one, close +// the data socket if we have one, and close the underlying packet +// capture handle if we have one. +// +// We do not, of course, touch the controlling socket that's also +// copied into the session, as the service loop might still use it. +// +static void session_close(struct session *session) +{ + if (session->have_thread) + { + // + // Tell the data connection thread main capture loop to + // break out of that loop. + // + // This may be sufficient to wake up a blocked thread, + // but it's not guaranteed to be sufficient. + // + pcap_breakloop(session->fp); + +#ifdef _WIN32 + // + // Set the event on which a read would block, so that, + // if it's currently blocked waiting for packets to + // arrive, it'll wake up, so it can see the "break + // out of the loop" indication. (pcap_breakloop() + // might do this, but older versions don't. Setting + // it twice should, at worst, cause an extra wakeup, + // which shouldn't be a problem.) + // + // XXX - what about modules other than NPF? + // + SetEvent(pcap_getevent(session->fp)); + + // + // Wait for the thread to exit, so we don't close + // sockets out from under it. + // + // XXX - have a timeout, so we don't wait forever? + // + WaitForSingleObject(session->thread, INFINITE); + + // + // Release the thread handle, as we're done with + // it. + // + CloseHandle(session->thread); + session->have_thread = 0; + session->thread = INVALID_HANDLE_VALUE; +#else + // + // Send a SIGUSR1 signal to the thread, so that, if + // it's currently blocked waiting for packets to arrive, + // it'll wake up (we've turned off SA_RESTART for + // SIGUSR1, so that the system call in which it's blocked + // should return EINTR rather than restarting). + // + pthread_kill(session->thread, SIGUSR1); + + // + // Wait for the thread to exit, so we don't close + // sockets out from under it. + // + // XXX - have a timeout, so we don't wait forever? + // + pthread_join(session->thread, NULL); + session->have_thread = 0; + memset(&session->thread, 0, sizeof(session->thread)); +#endif + } + +#ifdef HAVE_OPENSSL + if (session->data_ssl) + { + // Finish using the SSL handle for the socket. + // This must be done *before* the socket is closed. + ssl_finish(session->data_ssl); + session->data_ssl = NULL; + } +#endif + + if (session->sockdata != INVALID_SOCKET) + { + sock_close(session->sockdata, NULL, 0); + session->sockdata = INVALID_SOCKET; + } + + if (session->fp) + { + pcap_close(session->fp); + session->fp = NULL; + } +} + +// +// Check whether a capture source string is a URL or not. +// This includes URLs that refer to a local device; a scheme, followed +// by ://, followed by *another* scheme and ://, is just silly, and +// anybody who supplies that will get an error. +// +static int +is_url(const char *source) +{ + char *colonp; + + /* + * RFC 3986 says: + * + * URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ] + * + * hier-part = "//" authority path-abempty + * / path-absolute + * / path-rootless + * / path-empty + * + * authority = [ userinfo "@" ] host [ ":" port ] + * + * userinfo = *( unreserved / pct-encoded / sub-delims / ":" ) + * + * Step 1: look for the ":" at the end of the scheme. + * A colon in the source is *NOT* sufficient to indicate that + * this is a URL, as interface names on some platforms might + * include colons (e.g., I think some Solaris interfaces + * might). + */ + colonp = strchr(source, ':'); + if (colonp == NULL) + { + /* + * The source is the device to open. It's not a URL. + */ + return (0); + } + + /* + * All schemes must have "//" after them, i.e. we only support + * hier-part = "//" authority path-abempty, not + * hier-part = path-absolute + * hier-part = path-rootless + * hier-part = path-empty + * + * We need that in order to distinguish between a local device + * name that happens to contain a colon and a URI. + */ + if (strncmp(colonp + 1, "//", 2) != 0) + { + /* + * The source is the device to open. It's not a URL. + */ + return (0); + } + + /* + * It's a URL. + */ + return (1); +}