int
tls_process_segment(capture_packet_t *packet, struct tcphdr *tcp)
{
struct SSLConnection *conn;
const u_char *payload = capture_packet_get_payload(packet);
uint32_t size_payload = capture_packet_get_payload_len(packet);
uint8_t *out;
uint32_t outl = packet->payload_len;
out = sng_malloc(outl);
struct in_addr ip_src, ip_dst;
uint16_t sport = packet->sport;
uint16_t dport = packet->dport;
// Convert addresses
inet_pton(AF_INET, packet->ip_src, &ip_src);
inet_pton(AF_INET, packet->ip_dst, &ip_dst);
// Try to find a session for this ip
if ((conn = tls_connection_find(ip_src, sport))) {
// Update last connection direction
conn->direction = tls_connection_dir(conn, ip_src, sport);
// Check current connection state
switch (conn->state) {
case TCP_STATE_SYN:
// First SYN received, this package must be SYN/ACK
if (tcp->th_flags & TH_SYN & ~TH_ACK)
conn->state = TCP_STATE_SYN_ACK;
break;
case TCP_STATE_SYN_ACK:
// We expect an ACK packet here
if (tcp->th_flags & ~TH_SYN & TH_ACK)
conn->state = TCP_STATE_ESTABLISHED;
break;
case TCP_STATE_ACK:
case TCP_STATE_ESTABLISHED:
// Process data segment!
if (tls_process_record(conn, payload, size_payload, &out, &outl) == 0) {
if ((int32_t) outl > 0) {
capture_packet_set_payload(packet, out, outl);
capture_packet_set_type(packet, CAPTURE_PACKET_SIP_TLS);
return 0;
}
}
break;
case TCP_STATE_FIN:
case TCP_STATE_CLOSED:
// We can delete this connection
tls_connection_destroy(conn);
break;
}
} else {
if (tcp->th_flags & TH_SYN & ~TH_ACK) {
// New connection, store it status and leave
tls_connection_create(ip_src, sport, ip_dst, dport);
}
}
sng_free(out);
return 0;
}
int
capture_eep_send_v3(capture_packet_t *pkt)
{
struct hep_generic *hg = NULL;
void* buffer;
unsigned int buflen = 0, iplen = 0, tlen = 0;
hep_chunk_ip4_t src_ip4, dst_ip4;
#ifdef USE_IPV6
hep_chunk_ip6_t src_ip6, dst_ip6;
#endif
hep_chunk_t payload_chunk;
hep_chunk_t authkey_chunk;
capture_frame_t *frame = vector_first(pkt->frames);
unsigned char *data = capture_packet_get_payload(pkt);
unsigned int len = capture_packet_get_payload_len(pkt);
hg = sng_malloc(sizeof(struct hep_generic));
/* header set "HEP3" */
memcpy(hg->header.id, "\x48\x45\x50\x33", 4);
/* IP proto */
hg->ip_family.chunk.vendor_id = htons(0x0000);
hg->ip_family.chunk.type_id = htons(0x0001);
hg->ip_family.data = pkt->ip_version == 4 ? AF_INET : AF_INET6;
hg->ip_family.chunk.length = htons(sizeof(hg->ip_family));
/* Proto ID */
hg->ip_proto.chunk.vendor_id = htons(0x0000);
hg->ip_proto.chunk.type_id = htons(0x0002);
hg->ip_proto.data = pkt->proto;
hg->ip_proto.chunk.length = htons(sizeof(hg->ip_proto));
/* IPv4 */
if (pkt->ip_version == 4) {
/* SRC IP */
src_ip4.chunk.vendor_id = htons(0x0000);
src_ip4.chunk.type_id = htons(0x0003);
inet_pton(AF_INET, pkt->ip_src, &src_ip4.data);
src_ip4.chunk.length = htons(sizeof(src_ip4));
/* DST IP */
dst_ip4.chunk.vendor_id = htons(0x0000);
dst_ip4.chunk.type_id = htons(0x0004);
inet_pton(AF_INET, pkt->ip_dst, &dst_ip4.data);
dst_ip4.chunk.length = htons(sizeof(dst_ip4));
iplen = sizeof(dst_ip4) + sizeof(src_ip4);
}
#ifdef USE_IPV6
/* IPv6 */
else if(pkt->ip_version == 6) {
/* SRC IPv6 */
src_ip6.chunk.vendor_id = htons(0x0000);
src_ip6.chunk.type_id = htons(0x0005);
inet_pton(AF_INET6, pkt->ip_src, &src_ip6.data);
src_ip6.chunk.length = htonl(sizeof(src_ip6));
/* DST IPv6 */
dst_ip6.chunk.vendor_id = htons(0x0000);
dst_ip6.chunk.type_id = htons(0x0006);
inet_pton(AF_INET6, pkt->ip_dst, &dst_ip6.data);
dst_ip6.chunk.length = htonl(sizeof(dst_ip6));
iplen = sizeof(dst_ip6) + sizeof(src_ip6);
}
#endif
/* SRC PORT */
hg->src_port.chunk.vendor_id = htons(0x0000);
hg->src_port.chunk.type_id = htons(0x0007);
hg->src_port.data = htons(pkt->sport);
hg->src_port.chunk.length = htons(sizeof(hg->src_port));
/* DST PORT */
hg->dst_port.chunk.vendor_id = htons(0x0000);
hg->dst_port.chunk.type_id = htons(0x0008);
hg->dst_port.data = htons(pkt->dport);
hg->dst_port.chunk.length = htons(sizeof(hg->dst_port));
/* TIMESTAMP SEC */
hg->time_sec.chunk.vendor_id = htons(0x0000);
hg->time_sec.chunk.type_id = htons(0x0009);
hg->time_sec.data = htonl(frame->header->ts.tv_sec);
hg->time_sec.chunk.length = htons(sizeof(hg->time_sec));
/* TIMESTAMP USEC */
hg->time_usec.chunk.vendor_id = htons(0x0000);
hg->time_usec.chunk.type_id = htons(0x000a);
hg->time_usec.data = htonl(frame->header->ts.tv_usec);
hg->time_usec.chunk.length = htons(sizeof(hg->time_usec));
/* Protocol TYPE */
hg->proto_t.chunk.vendor_id = htons(0x0000);
hg->proto_t.chunk.type_id = htons(0x000b);
hg->proto_t.data = 1;
hg->proto_t.chunk.length = htons(sizeof(hg->proto_t));
/* Capture ID */
hg->capt_id.chunk.vendor_id = htons(0x0000);
hg->capt_id.chunk.type_id = htons(0x000c);
hg->capt_id.data = htons(eep_cfg.capt_id);
hg->capt_id.chunk.length = htons(sizeof(hg->capt_id));
/* Payload */
payload_chunk.vendor_id = htons(0x0000);
payload_chunk.type_id = htons(0x000f);
payload_chunk.length = htons(sizeof(payload_chunk) + len);
tlen = sizeof(struct hep_generic) + len + iplen + sizeof(hep_chunk_t);
/* auth key */
if (eep_cfg.capt_password != NULL) {
tlen += sizeof(hep_chunk_t);
/* Auth key */
authkey_chunk.vendor_id = htons(0x0000);
authkey_chunk.type_id = htons(0x000e);
authkey_chunk.length = htons(sizeof(authkey_chunk) + strlen(eep_cfg.capt_password));
tlen += strlen(eep_cfg.capt_password);
}
/* total */
hg->header.length = htons(tlen);
if (!(buffer = sng_malloc(tlen))) {
sng_free(hg);
return 1;
}
memcpy((void*) buffer, hg, sizeof(struct hep_generic));
buflen = sizeof(struct hep_generic);
/* IPv4 */
if (pkt->ip_version == 4) {
/* SRC IP */
memcpy((void*) buffer + buflen, &src_ip4, sizeof(struct hep_chunk_ip4));
buflen += sizeof(struct hep_chunk_ip4);
memcpy((void*) buffer + buflen, &dst_ip4, sizeof(struct hep_chunk_ip4));
buflen += sizeof(struct hep_chunk_ip4);
}
#ifdef USE_IPV6
/* IPv6 */
else if(pkt->ip_version == 6) {
/* SRC IPv6 */
memcpy((void*) buffer+buflen, &src_ip4, sizeof(struct hep_chunk_ip6));
buflen += sizeof(struct hep_chunk_ip6);
memcpy((void*) buffer+buflen, &dst_ip6, sizeof(struct hep_chunk_ip6));
buflen += sizeof(struct hep_chunk_ip6);
}
#endif
/* AUTH KEY CHUNK */
if (eep_cfg.capt_password != NULL) {
memcpy((void*) buffer + buflen, &authkey_chunk, sizeof(struct hep_chunk));
buflen += sizeof(struct hep_chunk);
/* Now copying payload self */
memcpy((void*) buffer + buflen, eep_cfg.capt_password, strlen(eep_cfg.capt_password));
buflen += strlen(eep_cfg.capt_password);
}
/* PAYLOAD CHUNK */
memcpy((void*) buffer + buflen, &payload_chunk, sizeof(struct hep_chunk));
buflen += sizeof(struct hep_chunk);
/* Now copying payload itself */
memcpy((void*) buffer + buflen, data, len);
buflen += len;
if (send(eep_cfg.client_sock, buffer, buflen, 0) == -1) {
return 1;
}
/* FREE */
sng_free(buffer);
sng_free(hg);
return 0;
}
const char *
msg_get_payload(sip_msg_t *msg)
{
return (const char *) capture_packet_get_payload(msg->packet);
}
int
capture_eep_send_v2(capture_packet_t *pkt)
{
void* buffer;
unsigned int buflen = 0, tlen = 0;
struct hep_hdr hdr;
struct hep_timehdr hep_time;
struct hep_iphdr hep_ipheader;
#ifdef USE_IPV6
struct hep_ip6hdr hep_ip6header;
#endif
unsigned char *data = capture_packet_get_payload(pkt);
unsigned int len = capture_packet_get_payload_len(pkt);
capture_frame_t *frame = vector_first(pkt->frames);
/* Version && proto */
hdr.hp_v = 2;
hdr.hp_f = pkt->ip_version == 4 ? AF_INET : AF_INET6;
hdr.hp_p = pkt->proto;
hdr.hp_sport = htons(pkt->sport);
hdr.hp_dport = htons(pkt->dport);
/* Timestamp */
hep_time.tv_sec = frame->header->ts.tv_sec;
hep_time.tv_usec = frame->header->ts.tv_usec;
hep_time.captid = eep_cfg.capt_id;
/* Calculate initial HEP packet size */
tlen = sizeof(struct hep_hdr) + sizeof(struct hep_timehdr);
/* IPv4 */
if (pkt->ip_version == 4) {
inet_pton(AF_INET, pkt->ip_src, &hep_ipheader.hp_src);
inet_pton(AF_INET, pkt->ip_dst, &hep_ipheader.hp_dst);
tlen += sizeof(struct hep_iphdr);
hdr.hp_l += sizeof(struct hep_iphdr);
}
#ifdef USE_IPV6
/* IPv6 */
else if(pkt->ip_version == 6) {
inet_pton(AF_INET6, pkt->ip_src, &hep_ip6header.hp6_src);
inet_pton(AF_INET6, pkt->ip_dst, &hep_ip6header.hp6_dst);
tlen += sizeof(struct hep_ip6hdr);
hdr.hp_l += sizeof(struct hep_ip6hdr);
}
#endif
// Add payload size to the final size of HEP packet
tlen += len;
hdr.hp_l = htons(tlen);
// Allocate memory for HEPv2 packet
if (!(buffer = sng_malloc(tlen)))
return 1;
// Copy basic headers
buflen = 0;
memcpy((void*) buffer + buflen, &hdr, sizeof(struct hep_hdr));
buflen += sizeof(struct hep_hdr);
// Copy IP header
if (pkt->ip_version == 4) {
memcpy((void*) buffer + buflen, &hep_ipheader, sizeof(struct hep_iphdr));
buflen += sizeof(struct hep_iphdr);
}
#ifdef USE_IPV6
else if(pkt->ip_version == 6) {
memcpy((void*) buffer + buflen, &hep_ip6header, sizeof(struct hep_ip6hdr));
buflen += sizeof(struct hep_ip6hdr);
}
#endif
// Copy TImestamp header
memcpy((void*) buffer + buflen, &hep_time, sizeof(struct hep_timehdr));
buflen += sizeof(struct hep_timehdr);
// Now copy payload itself
memcpy((void*) buffer + buflen, data, len);
buflen += len;
if (send(eep_cfg.client_sock, buffer, buflen, 0) == -1) {
return 1;
}
/* FREE */
sng_free(buffer);
return 1;
}
int
capture_ws_check_packet(capture_packet_t *packet)
{
int ws_off = 0;
u_char ws_fin;
u_char ws_opcode;
u_char ws_mask;
uint8_t ws_len;
u_char ws_mask_key[4];
u_char *payload, *newpayload;
uint32_t size_payload;
int i;
/**
* WSocket header definition according to RFC 6455
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-------+-+-------------+-------------------------------+
* |F|R|R|R| opcode|M| Payload len | Extended payload length |
* |I|S|S|S| (4) |A| (7) | (16/64) |
* |N|V|V|V| |S| | (if payload len==126/127) |
* | |1|2|3| |K| | |
* +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
* | Extended payload length continued, if payload len == 127 |
* + - - - - - - - - - - - - - - - +-------------------------------+
* | |Masking-key, if MASK set to 1 |
* +-------------------------------+-------------------------------+
* | Masking-key (continued) | Payload Data |
* +-------------------------------- - - - - - - - - - - - - - - - +
* : Payload Data continued ... :
* + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
* | Payload Data continued ... |
* +---------------------------------------------------------------+
*/
// Get payload from packet(s)
size_payload = capture_packet_get_payload_len(packet);
payload = capture_packet_get_payload(packet);
// Check we have payload
if (size_payload == 0)
return 0;
// Flags && Opcode
ws_fin = (*payload & WH_FIN) >> 4;
ws_opcode = *payload & WH_OPCODE;
ws_off++;
// Only interested in Ws text packets
if (ws_opcode != WS_OPCODE_TEXT)
return 0;
// Masked flag && Payload len
ws_mask = (*(payload + ws_off) & WH_MASK) >> 4;
ws_len = (*(payload + ws_off) & WH_LEN);
ws_off++;
// Skip Payload len
switch (ws_len) {
// Extended
case 126:
ws_off += 2;
break;
case 127:
ws_off += 8;
break;
default:
return 0;
}
// Get Masking key if mask is enabled
if (ws_mask) {
memcpy(ws_mask_key, (payload + ws_off), 4);
ws_off += 4;
}
// Skip Websocket headers
size_payload -= ws_off;
if ((int32_t) size_payload <= 0)
return 0;
newpayload = sng_malloc(size_payload);
memcpy(newpayload, payload + ws_off, size_payload);
// If mask is enabled, unmask the payload
if (ws_mask) {
for (i = 0; i < size_payload; i++)
newpayload[i] = newpayload[i] ^ ws_mask_key[i % 4];
}
// Set new packet payload into the packet
capture_packet_set_payload(packet, newpayload, size_payload);
if (packet->type == CAPTURE_PACKET_SIP_TLS) {
capture_packet_set_type(packet, CAPTURE_PACKET_SIP_WSS);
} else {
capture_packet_set_type(packet, CAPTURE_PACKET_SIP_WS);
}
return 1;
}