ptunnel-ng/src/pkt.c

/*
 * pkt.c
 * ptunnel is licensed under the BSD license:
 *
 * Copyright (c) 2004-2011, Daniel Stoedle <daniels@cs.uit.no>,
 * Yellow Lemon Software. All rights reserved.
 *
 * Copyright (c) 2017-2019, Toni Uhlig <matzeton@googlemail.com>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * - Neither the name of the Yellow Lemon Software nor the names of its
 *   contributors may be used to endorse or promote products derived from this
 *   software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * Contacting the author:
 * You can get in touch with me, Daniel Stødle (that's the Norwegian letter oe,
 * in case your text editor didn't realize), here: <daniels@cs.uit.no>
 *
 * The official ptunnel website is here:
 * <http://www.cs.uit.no/~daniels/PingTunnel/>
 *
 * Note that the source code is best viewed with tabs set to 4 spaces.
 */

#ifndef WIN32
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pthread.h>
#endif
#include <sys/time.h>

#include "ptunnel.h"
#include "pkt.h"
#include "pdesc.h"
#include "options.h"
#include "utils.h"

static proxy_desc_t * handle_incoming_tunnel_request(unsigned bytes,
                                                     struct sockaddr_in * addr,
                                                     int icmp_sock,
                                                     icmp_echo_packet_t * const pkt,
                                                     ping_tunnel_pkt_t * const pt_pkt)
{
    struct timeval tt;
    struct in_addr in_addr;
    uint32_t init_state;
    proxy_desc_t * cur;

    pt_log(kLog_info, "Incoming tunnel request from %s.\n", inet_ntoa(*(struct in_addr *)&addr->sin_addr));

    gettimeofday(&tt, 0);
    if (tt.tv_sec < seq_expiry_tbl[pt_pkt->id_no]) {
        pt_log(kLog_verbose, "Dropping request: ID was recently in use.\n");
        return NULL;
    }

    in_addr.s_addr = pt_pkt->dst_ip;
    pt_log(kLog_info,
           "Starting new session to %s:%d with ID %d\n",
           inet_ntoa(in_addr),
           ntohl(pt_pkt->dst_port),
           pt_pkt->id_no);

    if ((opts.restrict_dst_ip && opts.given_dst_ip && opts.given_dst_ip != pt_pkt->dst_ip) ||
        (opts.restrict_dst_port && (uint32_t)-1 != opts.given_dst_port &&
         opts.given_dst_port != ntohl(pt_pkt->dst_port))) {
        pt_log(kLog_info, "Destination administratively prohibited!\n");
        return NULL;
    }

    if (opts.password) {
        init_state = kProto_authenticate;
    } else {
        init_state = kProto_data;
    }

    cur = (proxy_desc_t *)create_and_insert_proxy_desc(
        pt_pkt->id_no, pkt->identifier, 0, addr, pt_pkt->dst_ip, ntohl(pt_pkt->dst_port), init_state, kProxy_flag);
    if (!cur) {
        /* if failed, abort. Logging is done in create_insert_proxy_desc */
        pt_log(kLog_error, "Failed to create proxy descriptor!\n");
        return NULL;
    }
    if (pt_pkt->data_len > 0) {
        handle_data(pkt, bytes, cur);
    }
    if (init_state == kProto_authenticate) {
        pt_log(kLog_debug, "Sending authentication challenge..\n");
        /* Send challenge */
        cur->challenge = generate_challenge();
        memcpy(cur->buf, cur->challenge, sizeof(challenge_t));
        queue_packet(icmp_sock, cur, cur->buf, sizeof(challenge_t), 0, 0, kProto_authenticate | cur->type_flag);
    }

    return cur;
}

static void handle_auth_request(unsigned bytes,
                                int icmp_sock,
                                icmp_echo_packet_t * const pkt,
                                proxy_desc_t * const cur,
                                challenge_t * const challenge)
{
    if (!opts.password) {
        pt_log(kLog_error,
               "This proxy requires a password! "
               "Please supply one usin  g the -x switch.\n");
        send_termination_msg(cur, icmp_sock);
        cur->should_remove = 1;
        return;
    }
#ifdef ENABLE_SHA512
    if (opts.force_sha512) {
        pt_log(kLog_debug, "Got authentication challenge - sending SHA512 response\n");
        generate_response_sha512(&challenge->plain, &challenge->digest);
    } else
#endif
    {
        pt_log(kLog_debug, "Got authentication challenge - sending MD5 response\n");
        generate_response_md5(&challenge->plain, &challenge->digest);
    }

    memcpy(cur->buf, challenge, sizeof(challenge_t));
    queue_packet(icmp_sock, cur, cur->buf, sizeof(challenge_t), 0, 0, kProto_authenticate | cur->type_flag);
    /* We have authenticated locally.
     * It's up to the proxy now if it accepts our   response or not..
     */
    cur->authenticated = 1;
    handle_data(pkt, bytes, cur);
}

static void handle_auth_response(unsigned bytes,
                                 int icmp_sock,
                                 icmp_echo_packet_t * const pkt,
                                 proxy_desc_t * const cur,
                                 challenge_t * const challenge)
{
    pt_log(kLog_debug,
           "Received remote %s challenge response.\n",
           (challenge->digest.hash_type == HT_SHA512 ? "SHA512" : "MD5"));
    if ((!opts.force_sha512 && challenge->digest.hash_type == HT_MD5 &&
         validate_challenge_md5(cur->challenge, &challenge->digest)) ||
#ifdef ENABLE_SHA512
        (challenge->digest.hash_type == HT_SHA512 && validate_challenge_sha512(cur->challenge, &challenge->digest)) ||
#endif
        cur->authenticated) {
        pt_log(kLog_verbose, "Remote end authenticated successfully.\n");
        /* Authentication has succeeded, so now we can proceed
         * to handle incoming   TCP data.
         */
        cur->authenticated = 1;
        cur->state = kProto_data;
        /* Insert the packet into the receive ring, to avoid
         * confusing the reliab  ility mechanism.
         */
        handle_data(pkt, bytes, cur);
    } else {
        pt_log(kLog_info, "Remote end failed authentication.\n");
        send_termination_msg(cur, icmp_sock);
        cur->should_remove = 1;
    }
}

static void header_byteorder_ntoh(icmp_echo_packet_t * const icmp_pkt, ping_tunnel_pkt_t * const pt_pkt)
{
    pt_pkt->state = ntohl(pt_pkt->state);
    icmp_pkt->identifier = ntohs(icmp_pkt->identifier);
    icmp_pkt->seq = ntohs(icmp_pkt->seq);
    pt_pkt->id_no = ntohs(pt_pkt->id_no);
    pt_pkt->seq_no = ntohs(pt_pkt->seq_no);
}

static proxy_desc_t * get_proxy_descriptor(uint16_t id_no)
{
    proxy_desc_t * cur;

    /* Find the relevant connection, if it exists */
    pthread_mutex_lock(&chain_lock);
    for (cur = chain; cur; cur = cur->next) {
        if (cur->id_no == id_no) {
            break;
        }
    }
    pthread_mutex_unlock(&chain_lock);

    return cur;
}

/* handle_proxy_packet:
 * Processes incoming ICMP packets for the proxy. The packet can come either from the
 * packet capture lib, or from the actual socket or both.
 * Input:  A buffer pointing at the start of an IP header, the buffer length and the proxy
 * descriptor chain.
 */
void handle_packet(char * buf, unsigned bytes, int is_pcap, struct sockaddr_in * addr, int icmp_sock)
{
    ip_packet_t * ip_pkt = NULL;
    icmp_echo_packet_t * pkt;
    ping_tunnel_pkt_t * pt_pkt;
    proxy_desc_t * cur;
    int pkt_flag;
    enum pkt_flag type_flag, proxy_flag;
    challenge_t * challenge;

    proxy_flag = kProxy_flag;

    if (bytes < sizeof(icmp_echo_packet_t) + sizeof(ping_tunnel_pkt_t)) {
        pt_log(kLog_verbose,
               "Skipping this packet - too short. "
               "Expect: %lu+%lu = %lu ; Got: %u\n",
               sizeof(icmp_echo_packet_t),
               sizeof(ping_tunnel_pkt_t),
               sizeof(icmp_echo_packet_t) + sizeof(ping_tunnel_pkt_t),
               bytes);
        return;
    }

    if (opts.udp || opts.unprivileged) {
        pkt = (icmp_echo_packet_t *)buf;
        pt_pkt = (ping_tunnel_pkt_t *)pkt->data;
    } else {
        ip_pkt = (ip_packet_t *)buf;
        pkt = (icmp_echo_packet_t *)ip_pkt->data;
        pt_pkt = (ping_tunnel_pkt_t *)pkt->data;
    }

    if (ntohl(pt_pkt->magic) != opts.magic) {
        pt_log(kLog_verbose, "Ignored incoming packet. Magic value 0x%X mismatch.\n", ntohl(pt_pkt->magic));
        return;
    }

    header_byteorder_ntoh(pkt, pt_pkt);
    cur = get_proxy_descriptor(pt_pkt->id_no);

    /* Handle the packet if it comes from "the other end." This is a bit tricky
     * to get right, since we receive both our own and the other end's packets.
     * Basically, a proxy will accept any packet from a user, regardless if it
     * has a valid connection or not. A user will only accept the packet if there
     * exists a connection to handle it.
     */
    if (cur) {
        type_flag = cur->type_flag;
        if (type_flag == kProxy_flag) {
            cur->icmp_id = pkt->identifier;
            cur->ping_seq = pkt->seq;
        }
        if (!is_pcap)
            cur->xfer.icmp_in++;
    } else {
        type_flag = kProxy_flag;
    }

    pkt_flag = (int)pt_pkt->state & kFlag_mask;
    pt_pkt->state &= ~kFlag_mask;
    if (pt_pkt->state > (kNum_proto_types - 1)) {
        pt_log(kLog_error, "Dropping packet with invalid state.\n");
        return;
    }

    pt_log(kLog_sendrecv,
           "Recv: %4d [%4d] bytes "
           "[id = 0x%04X] [seq = %d] "
           "[seq_no = %d] [type = %s] "
           "[ack = %d] [icmp = %d] "
           "[user = %s] [pcap = %d]\n",
           bytes,
           ntohl(pt_pkt->data_len),
           pkt->identifier,
           ntohs(pkt->seq),
           pt_pkt->seq_no,
           state_name[pt_pkt->state & (~kFlag_mask)],
           ntohl(pt_pkt->ack),
           pkt->type,
           (pkt_flag == kUser_flag ? "yes" : "no"),
           is_pcap);
    log_sendrecv_hexstr("RECV ICMP", pkt, sizeof(*pkt));
    log_sendrecv_hexstr("RECV PTNG", pt_pkt, sizeof(*pt_pkt));
    if (bytes - (pt_pkt->data - buf) > 0) {
        log_sendrecv_hexstr("RECV PAYL", pt_pkt->data, bytes - (pt_pkt->data - buf));
    }

    /* This test essentially verifies that the packet comes from someone who isn't us. */
    if ((pkt_flag == kUser_flag && type_flag == proxy_flag) || (pkt_flag == proxy_flag && type_flag == kUser_flag)) {
        pt_pkt->data_len = ntohl(pt_pkt->data_len);
        pt_pkt->ack = ntohl(pt_pkt->ack);
        if (pt_pkt->state == kProxy_start) {
            if (!cur && type_flag == proxy_flag) {
                cur = handle_incoming_tunnel_request(bytes, addr, icmp_sock, pkt, pt_pkt);
                if (!cur) {
                    return;
                }
            } else if (type_flag == kUser_flag) {
                pt_log(kLog_error, "Dropping proxy session request - we are not a proxy!\n");
                return;
            } else {
                pt_log(kLog_error,
                       "Dropping duplicate proxy session request "
                       "with ID %d and seq %d.\n",
                       pt_pkt->id_no,
                       pt_pkt->seq_no);
            }
        } else if (cur && pt_pkt->state == kProto_authenticate) {
            /* Sanity check packet length, and make sure it matches what we expect */
            if (pt_pkt->data_len != sizeof(challenge_t)) {
                pt_log(kLog_error,
                       "Received challenge packet, but data length "
                       "is not as expected.\n");
                pt_log(kLog_debug, "Data length: %u  Expected: %lu\n", pt_pkt->data_len, sizeof(challenge_t));
                cur->should_remove = 1;
                return;
            }
            /* Prevent packet data from being forwarded over TCP! */
            pt_pkt->data_len = 0;
            challenge = (challenge_t *)pt_pkt->data;
            /* If client: Compute response to challenge */
            if (type_flag == kUser_flag) {
                /* Required for integration tests w/ passwd set. */
                pt_log(kLog_debug, "AUTH-REQUEST: Received ack-series starting at seq %d\n", pt_pkt->seq_no);
                handle_auth_request(bytes, icmp_sock, pkt, cur, challenge);
                return;
            }
            /* If proxy: Handle client's response to challenge */
            else if (type_flag == proxy_flag) {
                cur->next_remote_seq++;
                handle_auth_response(bytes, icmp_sock, pkt, cur, challenge);
                return;
            }
        }
        /* Handle close-messages for connections we know about */
        if (cur && pt_pkt->state == kProto_close) {
            pt_log(kLog_info, "Received session close from remote peer.\n");
            cur->should_remove = 1;
            return;
        }
        /* The proxy will ignore any other packets from the client
         * until it has been authenticated. The packet resend mechanism
         * insures that this isn't problematic.
         */
        if (type_flag == proxy_flag && opts.password && cur && !cur->authenticated) {
            pt_log(kLog_debug,
                   "Ignoring packet with seq-no %d "
                   "- not authenticated yet.\n",
                   pt_pkt->seq_no);
            return;
        }

        if (cur && cur->sock) {
            double now = time_as_double();
            if (pt_pkt->state != kProto_ack) {
                cur->last_data_activity = now;
            }
            if (pt_pkt->state == kProto_data || pt_pkt->state == kProxy_start || pt_pkt->state == kProto_ack) {
                if (pt_pkt->state == kProxy_start) {
                    pt_pkt->data_len = 0;
                }
                handle_data(pkt, bytes, cur);
            }
            handle_ack(pt_pkt->ack, cur);
            cur->last_activity = now;
        }
    }
}

static void queue_payload_data(ping_tunnel_pkt_t * const pt_pkt, proxy_desc_t * const cur)
{
    /* Check if we should add payload data to the queue. */
    if (!cur->recv_ring[cur->recv_idx] && pt_pkt->state == kProto_data) {
        pt_log(kLog_debug, "Queing data packet: %d\n", pt_pkt->seq_no);
        cur->recv_ring[cur->recv_idx] = create_fwd_desc(pt_pkt->seq_no, pt_pkt->data_len, pt_pkt->data);
        cur->recv_wait_send++;
        cur->recv_idx++;
    } else {
        pt_log(kLog_debug, "Dup packet for %d ?\n", pt_pkt->seq_no);
    }

    cur->next_remote_seq++;
    if (cur->recv_idx >= cur->window_size) {
        cur->recv_idx = 0;
    }

    /* Check if we have already received some of the next packets. */
    while (cur->recv_ring[cur->recv_idx]) {
        if (cur->recv_ring[cur->recv_idx]->seq_no == cur->next_remote_seq) {
            cur->next_remote_seq++;
            cur->recv_idx++;
            if (cur->recv_idx >= cur->window_size) {
                cur->recv_idx = 0;
            }
        } else {
            break;
        }
    }
}

static void queue_payload_data_out_of_order(ping_tunnel_pkt_t * const pt_pkt, proxy_desc_t * const cur)
{
    int r, s, d, pos;
    pos = -1; /* If pos ends up staying -1, packet is discarded. */
    r = cur->next_remote_seq;
    s = pt_pkt->seq_no;
    d = s - r;
    if (d < 0) { /* This packet _may_ be old, or seq_no may have wrapped around */
        d = (s + 0xFFFF) - r;
        if (cur->window_size && d < cur->window_size) {
            /* Counter has wrapped, so we should add this packet to the recv ring */
            pos = (cur->recv_idx + d) % cur->window_size;
        }
    } else if (cur->window_size && d < cur->window_size) {
        pos = (cur->recv_idx + d) % cur->window_size;
    }

    if (pos != -1) {
        if (!cur->recv_ring[pos]) {
            pt_log(kLog_verbose,
                   "Out of order. Expected: %d  Got: %d  Inserted: %d "
                   "(cur = %d)\n",
                   cur->next_remote_seq,
                   pt_pkt->seq_no,
                   pos,
                   cur->recv_idx);
            cur->recv_ring[pos] = create_fwd_desc(pt_pkt->seq_no, pt_pkt->data_len, pt_pkt->data);
            cur->recv_wait_send++;
        }
    } else {
        pt_log(kLog_info, "Packet discarded - outside receive window.\n");
    }
}

/* handle_data:
 * Utility function for handling kProto_data packets, and place the data it contains
 * onto the passed-in receive ring.
 */
void handle_data(icmp_echo_packet_t * pkt, int total_len, proxy_desc_t * cur)
{
    ping_tunnel_pkt_t * pt_pkt = (ping_tunnel_pkt_t *)pkt->data;
    int expected_len = sizeof(ip_packet_t) + sizeof(icmp_echo_packet_t) + sizeof(ping_tunnel_pkt_t); /* 20+8+28 */
    /* Place packet in the receive ring, in its proper place.
     * This works as follows:
     * -1. Packet == ack packet? Perform ack, and continue.
     * 0. seq_no < next_remote_seq, and absolute difference is bigger than w size => discard
     * 1. If seq_no == next_remote_seq, we have no problems; just put it in the ring.
     * 2. If seq_no > next_remote_seq + remaining window size, discard packet.
     *    Send resend request for missing packets.
     * 3. Else, put packet in the proper place in the ring
     *    (don't overwrite if one is already there), but don't increment next_remote_seq_no
     * 4. If packed was not discarded, process ack info in packet.
     */
    expected_len += pt_pkt->data_len;
    expected_len += expected_len % 2;
    if (opts.udp || opts.unprivileged) {
        expected_len -= sizeof(ip_packet_t);
    }
    if (total_len < expected_len) {
        pt_log(kLog_error, "Packet not completely received: %d Should be: %d.\n", total_len, expected_len);
        pt_log(kLog_debug, "Data length: %d Total length: %d\n", pt_pkt->data_len, total_len);
        /* just ignore that packet */
        return;
    }

    if (pt_pkt->seq_no == cur->next_remote_seq) {
        queue_payload_data(pt_pkt, cur);
    } else {
        queue_payload_data_out_of_order(pt_pkt, cur);
    }
}

void handle_ack(uint32_t seq_no, proxy_desc_t * cur)
{
    if (cur->send_wait_ack > 0) {
        int i, can_ack = 0, count = 0;
        i = cur->send_idx - 1;
        if (i < 0) {
            i = cur->window_size - 1;
        }

        pt_log(kLog_debug, "Received ack-series starting at seq %d\n", seq_no);
        while (count < cur->window_size) {
            if (!cur->send_ring[i].pkt) {
                break;
            }
            if (cur->send_ring[i].seq_no == seq_no) {
                can_ack = 1;
            } else if (!can_ack) {
                cur->send_first_ack = i;
            }
            if (can_ack) {
                free(cur->send_ring[i].pkt);
                cur->send_ring[i].pkt = 0;
                cur->send_ring[i].pkt_len = 0;
                cur->send_wait_ack--;
            }
            i--;
            if (i < 0) {
                i = cur->window_size - 1;
            }
            count++;
        }
    } else {
        pt_log(kLog_verbose,
               "Dropping superfluous acknowledgement for seq %d "
               "(no outstanding packets needing ack.)\n",
               seq_no);
    }
}