/*************************************** *************************************
****************************************************************************/
static void
text_out_banner(struct Output *out, FILE *fp, time_t timestamp,
unsigned ip, unsigned ip_proto, unsigned port,
enum ApplicationProtocol proto, unsigned ttl,
const unsigned char *px, unsigned length)
{
char banner_buffer[4096];
const char *service = masscan_app_to_string(proto);
if (strcmp(service ,"unknown") == 0) {
service = port_to_service(port, ip_proto);
}
UNUSEDPARM(out);
UNUSEDPARM(ttl);
fprintf(fp, "%s %s %u %u.%u.%u.%u %u %s %s\n",
"banner",
name_from_ip_proto(ip_proto),
port,
(ip>>24)&0xFF,
(ip>>16)&0xFF,
(ip>> 8)&0xFF,
(ip>> 0)&0xFF,
(unsigned)timestamp,
service,
normalize_string(px, length, banner_buffer, sizeof(banner_buffer))
);
fflush(fp);
}
static void
print_port(u_int16_t port, int numeric)
{
char *service;
if (numeric || (service = port_to_service(port)) == NULL)
printf("%u", port);
else
printf("%s", service);
}
static void
print_port(uint16_t port, uint8_t protocol, int numeric)
{
const char *service;
if (numeric || (service = port_to_service(port, protocol)) == NULL)
printf("%u", port);
else
printf("%s", service);
}
static char* service_to_string(__u16 port, __u16 proto)
{
static char *service;
char buf[30];
if ( (service=port_to_service(port,proto))==NULL){
sprintf(buf,"%u",port);
return buf;
}
return service;
}
char *
port_to_anyname(unsigned int port, unsigned short proto)
{
char *name;
static char buf[10];
if ((name = port_to_service(port, proto)) != NULL)
return name;
else {
sprintf(buf, "%u", port);
return buf;
}
}
static const char *obtain_cert(const char *hostname, const char *proto, unsigned port,
const char *app_proto, unsigned quiet)
{
socket_st hd;
char txt_port[16];
unsigned udp = 0;
static char tmpfile[32];
int fd, ret;
const char *str = "Obtaining certificate from";
const char *service;
if (strcmp(proto, "udp") == 0)
udp = 1;
else if (strcmp(proto, "tcp") != 0) {
/* we cannot handle this protocol */
return NULL;
}
strcpy(tmpfile, "danetool-certXXXXXX");
sockets_init();
snprintf(txt_port, sizeof(txt_port), "%u", port);
if (quiet)
str = NULL;
service = port_to_service(txt_port, proto);
socket_open(&hd, hostname, service, udp, str);
if (app_proto == NULL) app_proto = service;
socket_starttls(&hd, app_proto);
umask(066);
fd = mkstemp(tmpfile);
if (fd == -1) {
int e = errno;
fprintf(stderr, "error[%d]: %s\n", __LINE__,
strerror(e));
exit(1);
}
ret = get_cert(&hd, hostname, udp, fd);
close(fd);
socket_bye(&hd);
if (ret == -1)
return NULL;
else
return tmpfile;
}
static void
text_out_status(struct Output *out, FILE *fp, time_t timestamp,
int status, unsigned ip, unsigned ip_proto, unsigned port, unsigned reason, unsigned ttl)
{
const char *service = port_to_service(port, ip_proto);
UNUSEDPARM(ttl);
UNUSEDPARM(reason);
UNUSEDPARM(out);
fprintf(fp, "%s %s %u %u.%u.%u.%u %u %s\n",
status_string(status),
name_from_ip_proto(ip_proto),
port,
(ip>>24)&0xFF,
(ip>>16)&0xFF,
(ip>> 8)&0xFF,
(ip>> 0)&0xFF,
(unsigned)timestamp,
service
);
fflush(fp);
}
int main(int argc, char **argv)
{
int ret;
int i;
gnutls_session_t state;
char portname[6];
socket_st hd;
char app_proto[32] = "";
cmd_parser(argc, argv);
#ifndef _WIN32
signal(SIGPIPE, SIG_IGN);
#endif
sockets_init();
if (gnutls_global_init() < 0) {
fprintf(stderr, "global state initialization error\n");
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(debug);
/* get server name */
snprintf(portname, sizeof(portname), "%d", port);
/* X509 stuff */
if (gnutls_certificate_allocate_credentials(&xcred) < 0) { /* space for 2 certificates */
fprintf(stderr, "memory error\n");
exit(1);
}
/* SRP stuff */
#ifdef ENABLE_SRP
if (gnutls_srp_allocate_client_credentials(&srp_cred) < 0) {
fprintf(stderr, "memory error\n");
exit(1);
}
#endif
#ifdef ENABLE_ANON
/* ANON stuff */
if (gnutls_anon_allocate_client_credentials(&anon_cred) < 0) {
fprintf(stderr, "memory error\n");
exit(1);
}
#endif
if (HAVE_OPT(STARTTLS_PROTO)) {
snprintf(app_proto, sizeof(app_proto), "%s", OPT_ARG(STARTTLS_PROTO));
}
if (app_proto[0] == 0) {
snprintf(app_proto, sizeof(app_proto), "%s", port_to_service(portname, "tcp"));
}
sockets_init();
i = 0;
printf("GnuTLS debug client %s\n", gnutls_check_version(NULL));
printf("Checking %s:%s\n", hostname, portname);
do {
if (tls_tests[i].test_name == NULL)
break; /* finished */
/* if neither of SSL3 and TLSv1 are supported, exit
*/
if (i > 6 && tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0
&& ssl3_ok == 0) {
fprintf(stderr,
"\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2\n");
break;
}
socket_open(&hd, hostname, portname, 0, NULL);
hd.verbose = verbose;
socket_starttls(&hd, app_proto);
gnutls_init(&state, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
gnutls_transport_set_ptr(state, (gnutls_transport_ptr_t)
gl_fd_to_handle(hd.fd));
set_read_funcs(state);
if (hostname && is_ip(hostname) == 0)
gnutls_server_name_set(state, GNUTLS_NAME_DNS,
hostname, strlen(hostname));
do {
if (strcmp(app_proto, "https") != 0 && tls_tests[i].https_only != 0) {
i++;
break;
}
ret = tls_tests[i].func(state);
if (ret != TEST_IGNORE) {
printf("%58s...", tls_tests[i].test_name);
fflush(stdout);
}
if (ret == TEST_SUCCEED) {
if (tls_tests[i].suc_str == NULL)
printf(" %s\n", ext_text);
else
printf(" %s\n", tls_tests[i].suc_str);
} else if (ret == TEST_FAILED)
printf(" %s\n", tls_tests[i].fail_str);
else if (ret == TEST_UNSURE)
printf(" %s\n", tls_tests[i].unsure_str);
else if (ret == TEST_IGNORE) {
if (tls_tests[i+1].test_name)
i++;
else
break;
}
}
while (ret == TEST_IGNORE
&& tls_tests[i].test_name != NULL);
gnutls_deinit(state);
socket_bye(&hd);
i++;
}
while (1);
#ifdef ENABLE_SRP
gnutls_srp_free_client_credentials(srp_cred);
#endif
gnutls_certificate_free_credentials(xcred);
#ifdef ENABLE_ANON
gnutls_anon_free_client_credentials(anon_cred);
#endif
gnutls_global_deinit();
return 0;
}
static int
cert_verify_callback (gnutls_session_t session)
{
int rc;
unsigned int status = 0;
int ssh = ENABLED_OPT(TOFU);
const char* txt_service;
if (!x509_cafile && !pgp_keyring)
return 0;
rc = cert_verify(session, hostname);
if (rc == 0)
{
printf ("*** Verifying server certificate failed...\n");
if (!insecure && !ssh)
return -1;
}
else if (ENABLED_OPT(OCSP))
{ /* off-line verification succeeded. Try OCSP */
rc = cert_verify_ocsp(session);
if (rc == 0)
{
printf ("*** Verifying (with OCSP) server certificate failed...\n");
if (!insecure && !ssh)
return -1;
}
else if (rc == -1)
printf("*** OCSP response ignored\n");
}
if (ssh) /* try ssh auth */
{
unsigned int list_size;
const gnutls_datum_t * cert;
cert = gnutls_certificate_get_peers(session, &list_size);
if (cert == NULL)
{
fprintf(stderr, "Cannot obtain peer's certificate!\n");
return -1;
}
txt_service = port_to_service(service);
rc = gnutls_verify_stored_pubkey(NULL, NULL, hostname, txt_service,
GNUTLS_CRT_X509, cert, 0);
if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
{
print_cert_info_compact(session);
fprintf(stderr, "Host %s (%s) has never been contacted before.\n", hostname, txt_service);
if (status == 0)
fprintf(stderr, "Its certificate is valid for %s.\n", hostname);
rc = read_yesno("Are you sure you want to trust it? (y/N): ");
if (rc == 0)
return -1;
}
else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH)
{
print_cert_info_compact(session);
fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", hostname);
fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n");
if (status == 0)
fprintf(stderr, "Its certificate is valid for %s.\n", hostname);
rc = read_yesno("Do you trust the received key? (y/N): ");
if (rc == 0)
return -1;
}
else if (rc < 0)
{
fprintf(stderr, "gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(rc));
return -1;
}
if (rc != 0)
{
rc = gnutls_store_pubkey(NULL, NULL, hostname, txt_service,
GNUTLS_CRT_X509, cert, 0, 0);
if (rc < 0)
fprintf(stderr, "Could not store key: %s\n", gnutls_strerror(rc));
}
}
return 0;
}
static int
cert_verify_callback (gnutls_session_t session)
{
int rc;
unsigned int status = 0;
int ssh = ENABLED_OPT(TOFU);
#ifdef HAVE_DANE
int dane = ENABLED_OPT(DANE);
#endif
int ca_verify = ENABLED_OPT(CA_VERIFICATION);
const char* txt_service;
print_cert_info (session, verbose, print_cert);
if (ca_verify)
{
rc = cert_verify(session, hostname);
if (rc == 0)
{
printf ("*** Verifying server certificate failed...\n");
if (!insecure && !ssh)
return -1;
}
else if (ENABLED_OPT(OCSP) && gnutls_ocsp_status_request_is_checked(session, 0) == 0)
{ /* off-line verification succeeded. Try OCSP */
rc = cert_verify_ocsp(session);
if (rc == 0)
{
printf ("*** Verifying (with OCSP) server certificate failed...\n");
if (!insecure && !ssh)
return -1;
}
else if (rc == -1)
printf("*** OCSP response ignored\n");
}
}
if (ssh) /* try ssh auth */
{
unsigned int list_size;
const gnutls_datum_t * cert;
cert = gnutls_certificate_get_peers(session, &list_size);
if (cert == NULL)
{
fprintf(stderr, "Cannot obtain peer's certificate!\n");
return -1;
}
txt_service = port_to_service(service);
rc = gnutls_verify_stored_pubkey(NULL, NULL, hostname, txt_service,
GNUTLS_CRT_X509, cert, 0);
if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND)
{
print_cert_info_compact(session);
fprintf(stderr, "Host %s (%s) has never been contacted before.\n", hostname, txt_service);
if (status == 0)
fprintf(stderr, "Its certificate is valid for %s.\n", hostname);
rc = read_yesno("Are you sure you want to trust it? (y/N): ");
if (rc == 0)
return -1;
}
else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH)
{
print_cert_info_compact(session);
fprintf(stderr, "Warning: host %s is known and it is associated with a different key.\n", hostname);
fprintf(stderr, "It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n");
if (status == 0)
fprintf(stderr, "Its certificate is valid for %s.\n", hostname);
rc = read_yesno("Do you trust the received key? (y/N): ");
if (rc == 0)
return -1;
}
else if (rc < 0)
{
fprintf(stderr, "gnutls_verify_stored_pubkey: %s\n", gnutls_strerror(rc));
return -1;
}
if (rc != 0)
{
rc = gnutls_store_pubkey(NULL, NULL, hostname, txt_service,
GNUTLS_CRT_X509, cert, 0, 0);
if (rc < 0)
fprintf(stderr, "Could not store key: %s\n", gnutls_strerror(rc));
}
}
#ifdef HAVE_DANE
if (dane) /* try DANE auth */
{
unsigned int sflags = ENABLED_OPT(LOCAL_DNS)?0:DANE_F_IGNORE_LOCAL_RESOLVER;
rc = dane_verify_session_crt( NULL, session, hostname, udp?"udp":"tcp", atoi(service),
sflags, 0, &status);
if (rc < 0)
{
fprintf(stderr, "*** DANE verification error: %s\n", dane_strerror(rc));
if (!insecure)
return -1;
}
else
{
gnutls_datum_t out;
rc = dane_verification_status_print( status, &out, 0);
if (rc < 0)
{
fprintf(stderr, "*** DANE error: %s\n", dane_strerror(rc));
if (!insecure)
return -1;
}
fprintf(stderr, "- %s\n", out.data);
gnutls_free(out.data);
}
}
#endif
return 0;
}
