int EmbedOcspLookup(void* ctx, const char* url, int urlSz, byte* ocspReqBuf, int ocspReqSz, byte** ocspRespBuf) { char domainName[80], path[80]; int port, httpBufSz, sfd = -1; int ocspRespSz = 0; byte* httpBuf = NULL; (void)ctx; if (ocspReqBuf == NULL || ocspReqSz == 0) { CYASSL_MSG("OCSP request is required for lookup"); return -1; } if (ocspRespBuf == NULL) { CYASSL_MSG("Cannot save OCSP response"); return -1; } if (decode_url(url, urlSz, domainName, path, &port) < 0) { CYASSL_MSG("Unable to decode OCSP URL"); return -1; } /* Note, the library uses the EmbedOcspRespFree() callback to * free this buffer. */ httpBufSz = SCRATCH_BUFFER_SIZE; httpBuf = (byte*)XMALLOC(httpBufSz, NULL, DYNAMIC_TYPE_IN_BUFFER); if (httpBuf == NULL) { CYASSL_MSG("Unable to create OCSP response buffer"); return -1; } httpBufSz = build_http_request(domainName, path, ocspReqSz, httpBuf, httpBufSz); if ((tcp_connect(&sfd, domainName, port) == 0) && (sfd > 0)) { int written; written = (int)send(sfd, httpBuf, httpBufSz, 0); if (written == httpBufSz) { written = (int)send(sfd, ocspReqBuf, ocspReqSz, 0); if (written == ocspReqSz) { ocspRespSz = process_http_response(sfd, ocspRespBuf, httpBuf, SCRATCH_BUFFER_SIZE); } } close(sfd); if (ocspRespSz == 0) { CYASSL_MSG("OCSP response was not OK, no OCSP response"); XFREE(httpBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); return -1; } } else { CYASSL_MSG("OCSP Responder connection failed"); close(sfd); XFREE(httpBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); return -1; } XFREE(httpBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); return ocspRespSz; }
int EmbedOcspLookup(void* ctx, const char* url, int urlSz, byte* ocspReqBuf, int ocspReqSz, byte** ocspRespBuf) { SOCKET_T sfd = 0; word16 port; int ret = -1; #ifdef CYASSL_SMALL_STACK char* path; char* domainName; #else char path[80]; char domainName[80]; #endif #ifdef CYASSL_SMALL_STACK path = (char*)XMALLOC(80, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (path == NULL) return -1; domainName = (char*)XMALLOC(80, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (domainName == NULL) { XFREE(path, NULL, DYNAMIC_TYPE_TMP_BUFFER); return -1; } #endif (void)ctx; if (ocspReqBuf == NULL || ocspReqSz == 0) { CYASSL_MSG("OCSP request is required for lookup"); } else if (ocspRespBuf == NULL) { CYASSL_MSG("Cannot save OCSP response"); } else if (decode_url(url, urlSz, domainName, path, &port) < 0) { CYASSL_MSG("Unable to decode OCSP URL"); } else { /* Note, the library uses the EmbedOcspRespFree() callback to * free this buffer. */ int httpBufSz = SCRATCH_BUFFER_SIZE; byte* httpBuf = (byte*)XMALLOC(httpBufSz, NULL, DYNAMIC_TYPE_IN_BUFFER); if (httpBuf == NULL) { CYASSL_MSG("Unable to create OCSP response buffer"); } else { httpBufSz = build_http_request(domainName, path, ocspReqSz, httpBuf, httpBufSz); if ((tcp_connect(&sfd, domainName, port) != 0) || (sfd <= 0)) { CYASSL_MSG("OCSP Responder connection failed"); } else if ((int)send(sfd, (char*)httpBuf, httpBufSz, 0) != httpBufSz) { CYASSL_MSG("OCSP http request failed"); } else if ((int)send(sfd, (char*)ocspReqBuf, ocspReqSz, 0) != ocspReqSz) { CYASSL_MSG("OCSP ocsp request failed"); } else { ret = process_http_response(sfd, ocspRespBuf, httpBuf, SCRATCH_BUFFER_SIZE); } close(sfd); XFREE(httpBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); } } #ifdef CYASSL_SMALL_STACK XFREE(path, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(domainName, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; }
/* Process TCP packets * Return 0 to accept packet, otherwise to drop packet */ int process_tcp_packet(struct mypacket *packet, char inout) { int ret = 0; struct myiphdr *iphdr = packet->iphdr; struct mytcphdr *tcphdr = packet->tcphdr; unsigned char *payload = packet->payload; char sip[16], dip[16]; ip2str(iphdr->saddr, sip); ip2str(iphdr->daddr, dip); unsigned short sport, dport; //unsigned int seq, ack; sport = ntohs(tcphdr->th_sport); dport = ntohs(tcphdr->th_dport); //seq = tcphdr->th_seq; //ack = tcphdr->th_ack; log_debug("[TCP] This packet goes from %s:%d to %s:%d", sip, sport, dip, dport); log_debug("TCP flags: %s", tcp_flags(tcphdr->th_flags)); struct fourtuple fourtp; fourtp.saddr = iphdr->saddr; fourtp.daddr = iphdr->daddr; fourtp.sport = tcphdr->th_sport; fourtp.dport = tcphdr->th_dport; // for testing uni-directional packet forwarding to bypass IP blocking //if (dport == 80 && is_blocked_ip(dip)) { // log_debug("Going to forward that packet!!!"); // unsigned int newlen = packet->len + 4; // char *newpkt = (char*)malloc(newlen); // memcpy(newpkt, packet->data, packet->len); // *(u_int32_t*)(newpkt + packet->len) = iphdr->daddr; // ip_hdr(newpkt)->daddr = str2ip(PACKET_FORWARDER); // send_raw(newpkt, newlen); // log_debug("sent!!!"); // return 0; //} if (tcphdr->th_flags == TCP_SYN) { // Processing outgoing SYN packet. // Uploading diagnostic log is disabled. (2017.9.1) //if (strcmp(dip, FEEDBACK_SERVER_IP) == 0) // return 0; // choose a strategy for the newly created connection int sid = choose_strategy_by_historical_result(iphdr->daddr); log_debug("Using strategy %s", g_strats[sid].name); set_sid(&fourtp, sid); //cache_strategy(&fourtp, sid); if (g_strats[sid].process_syn) { ret = g_strats[sid].process_syn(packet); #ifndef EVALUATION if (ret) { need_evaluation(&fourtp); } #endif } } if (tcphdr->th_flags == (TCP_SYN | TCP_ACK)) { // Got a SYN-ACK from server // send an ACK with 1 TTL to make home router happy if (opt_inject_ack_with_one_ttl) send_ACK_with_one_ttl(dip, dport, sip, sport, tcphdr->th_ack, htonl(ntohl(tcphdr->th_seq)+1)); struct fourtuple reverse_fourtp; reverse_fourtp.saddr = iphdr->daddr; reverse_fourtp.daddr = iphdr->saddr; reverse_fourtp.sport = tcphdr->th_dport; reverse_fourtp.dport = tcphdr->th_sport; int sid = get_sid(&reverse_fourtp); if (sid >= 0) { if (get_ttl(iphdr->saddr) == 0) { // if TTL hasn't been initialized // find initial TTL from SYN/ACK packet int ttl = choose_appropriate_ttl(iphdr->ttl); set_ttl(iphdr->saddr, ttl); } if (g_strats[sid].process_synack) { ret = g_strats[sid].process_synack(packet); #ifndef EVALUATION if (ret) { need_evaluation(&reverse_fourtp); } #endif } } else if (sid == -1) { ret = process_synack_for_ttl_probing(packet); } //if (opt_inject_syn_and_syn_ack_with_one_ttl) // send_one_ttl_SYN_and_SYN_ACK(dip, dport, sip, sport, tcphdr->th_ack, tcphdr->th_seq); } else if ((tcphdr->th_flags & TCP_ACK) && !(tcphdr->th_flags & (TCP_SYN | TCP_RST))) { // ignore ACK packets without payload if (packet->payload_len == 0) return 0; if (dport == 80) { if ((payload[0] == 'G' && payload[1] == 'E' && payload[2] == 'T' && payload[3] == ' ') || (payload[0] == 'P' && payload[1] == 'O' && payload[2] == 'S' && payload[3] == 'T' && payload[4] == ' ')) { // Got a outgoing HTTP request log_debug("[TCP] Sent a HTTP request from %s:%d to %s:%d.", sip, sport, dip, dport); int i, j, k, l; //char req_line[1000]; //for (i = 0; i < 1000; i++) { // if (payload[i] == '\r' || payload[i] == '\n') { // req_line[i] = 0; // break; // } // req_line[i] = payload[i]; //} // Generate the HTTP request line. Format: GET/POST domain/url. e.g. GET www.google.com/index.php char req_line2[1000]; // copy GET/POST for (i = 0; payload[i] != ' ' && i < packet->payload_len; i++) { req_line2[i] = payload[i]; } req_line2[i++] = ' '; k = i; // find Host field for (j = i; j < packet->payload_len; j++) { if (payload[j] == 'H' && payload[j+1] == 'o' && payload[j+2] == 's' && payload[j+3] == 't' && payload[j+4] == ':' && (payload[j-1] == '\r' || payload[j-1] == '\n')) { j += 5; // copy Host value while (payload[j] == ' ') j++; for (l = 0; l < 99 && j+l < packet->payload_len; l++) { if (payload[j+l] == '\r' || payload[j+l] == '\n') break; req_line2[k++] = payload[j+l]; } break; } } // copy the rest of request line for (; i < 900 && i < packet->payload_len; i++) { if (payload[i] == '\r' || payload[i] == '\n') { break; } req_line2[k++] = payload[i]; } req_line2[k] = 0; log_debug("[TCP] %s", req_line2); int sid = get_sid(&fourtp); if (sid >= 0 && g_strats[sid].process_request) { ret = g_strats[sid].process_request(packet); #ifndef EVALUATION if (ret) { need_evaluation(&fourtp); } #endif } #ifdef EVALUATION if (strstr(req_line2, "ultrasurf") || strstr(req_line2, "goodword")) { need_evaluation(&fourtp); } #endif cache_http_request(&fourtp, req_line2); } } else if (sport == 80) { if (payload[0] == 'H' && payload[1] == 'T' && payload[2] == 'T' && payload[3] == 'P') { // Got a incoming HTTP response log_debug("[TCP] Got a HTTP response from %s:%d to %s:%d.", sip, sport, dip, dport); process_http_response(&fourtp, tcphdr->th_seq, iphdr->ttl); } } else if (dport == 53) { // Got a DNS request over TCP log_debug("[TCP] Sent a DNS request from %s:%d to %s:%d.", sip, sport, dip, dport); int sid = get_sid(&fourtp); if (sid >= 0 && g_strats[sid].process_request) { ret = g_strats[sid].process_request(packet); #ifndef EVALUATION if (ret) { need_evaluation(&fourtp); } #endif } cache_dns_tcp_request(&fourtp); } else if (sport == 53) { // Got a DNS response over TCP, maybe triggered by our app, or maybe not log_debug("[TCP] Got a DNS response from %s:%d to %s:%d.", sip, sport, dip, dport); // parse the DNS response to get the first qname const unsigned char *dns_payload = packet->payload + 2; struct mydnshdr *dnshdr = (struct mydnshdr*)dns_payload; unsigned short txn_id = htons(dnshdr->txn_id); int qdcount = ntohs(dnshdr->questions); char qname[MAX_QNAME_LEN]; if (qdcount > 0) { //log_debug("Questions: %d", qdcount); unsigned char *ptr = (unsigned char *)(dnshdr + 1); { struct mydnsquery query; int j = 0, l; while (1) { for (l = *ptr++; l != 0; l--) { query.qname[j++] = *ptr++; if (j >= MAX_QNAME_LEN) { while (*ptr != 0) ptr++; break; } } if (*ptr == 0) { query.qname[j] = 0; ptr++; break; } query.qname[j++] = '.'; } query.qtype = (ptr[0] << 8) + ptr[1]; query.qclass = (ptr[2] << 8) + ptr[3]; log_debug("DNS Query: %s %d %d", query.qname, query.qtype, query.qclass); // use the first query to calc hash qname[0] = 0; strncat(qname, query.qname, MAX_QNAME_LEN - 1); } // Tell the caching thread to process the dns udp response // use DNS transaction ID and first query name as unique ID // transaction ID alone may cause collision process_dns_tcp_response(txn_id, qname, &fourtp, tcphdr->th_seq, iphdr->ttl, packet->payload, packet->payload_len); } } else if (dport == opt_vpn_port) { // outgoing packet int sid = get_sid(&fourtp); if (sid >= 0 && g_strats[sid].process_request) { ret = g_strats[sid].process_request(packet); if (ret) { if (opt_inject_syn_and_syn_ack_with_one_ttl == 1) send_one_ttl_SYN(sip, sport, dip, dport, tcphdr->th_seq); else if (opt_inject_syn_and_syn_ack_with_one_ttl == 2) send_one_ttl_SYN_and_SYN_ACK(sip, sport, dip, dport, tcphdr->th_seq, tcphdr->th_ack); } } } else if (sport == opt_vpn_port) { // incomine packet } else if (dport == opt_tor_port) { // outgoing packet int sid = get_sid(&fourtp); if (sid >= 0 && g_strats[sid].process_request) { ret = g_strats[sid].process_request(packet); if (ret) { if (opt_inject_syn_and_syn_ack_with_one_ttl == 1) send_one_ttl_SYN(sip, sport, dip, dport, tcphdr->th_seq); else if (opt_inject_syn_and_syn_ack_with_one_ttl == 2) send_one_ttl_SYN_and_SYN_ACK(sip, sport, dip, dport, tcphdr->th_seq, tcphdr->th_ack); } } } else if (sport == opt_tor_port) { // incomine packet } else { // TODO: for all other protocols. This branch is a piece of temporary code, should be re-write. if (inout == 0) { // incoming packet log_debug("this is an incoming packet."); } else { // outgoing packet log_debug("this is an outgoing packet."); int sid = get_sid(&fourtp); if (sid >= 0 && g_strats[sid].process_request) { ret = g_strats[sid].process_request(packet); if (ret) { if (opt_inject_syn_and_syn_ack_with_one_ttl == 1) send_one_ttl_SYN(sip, sport, dip, dport, tcphdr->th_seq); else if (opt_inject_syn_and_syn_ack_with_one_ttl == 2) send_one_ttl_SYN_and_SYN_ACK(sip, sport, dip, dport, tcphdr->th_seq, tcphdr->th_ack); } } } } } else if (tcphdr->th_flags & TCP_RST) { // Got an incoming RST log_debug("[TCP] Got an incoming RST from %s:%d to %s:%d.", sip, sport, dip, dport); process_incoming_RST(packet); } return ret; }