relay.c 57 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679
  1. /* Name: relay.c
  2. *
  3. * This file contains code that the relay station runs once the TLS handshake for
  4. * a tagged flow has been completed.
  5. *
  6. * These functions will extract covert data from the header
  7. * of HTTP GET requests and insert downstream data into leaf resources
  8. *
  9. * It is also responsible for keeping track of the HTTP state of the flow
  10. *
  11. * Slitheen - a decoy routing system for censorship resistance
  12. * Copyright (C) 2017 Cecylia Bocovich (cbocovic@uwaterloo.ca)
  13. *
  14. * This program is free software: you can redistribute it and/or modify
  15. * it under the terms of the GNU General Public License as published by
  16. * the Free Software Foundation, version 3.
  17. *
  18. * This program is distributed in the hope that it will be useful,
  19. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. * GNU General Public License for more details.
  22. *
  23. * You should have received a copy of the GNU General Public License
  24. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  25. *
  26. * Additional permission under GNU GPL version 3 section 7
  27. *
  28. * If you modify this Program, or any covered work, by linking or combining
  29. * it with the OpenSSL library (or a modified version of that library),
  30. * containing parts covered by the terms of the OpenSSL Licence and the
  31. * SSLeay license, the licensors of this Program grant you additional
  32. * permission to convey the resulting work. Corresponding Source for a
  33. * non-source form of such a combination shall include the source code
  34. * for the parts of the OpenSSL library used as well as that of the covered
  35. * work.
  36. */
  37. #include <stdio.h>
  38. #include <stdlib.h>
  39. #include <stdint.h>
  40. #include <regex.h>
  41. #include <sys/socket.h>
  42. #include <sys/types.h>
  43. #include <netinet/in.h>
  44. #include <netdb.h>
  45. #include <unistd.h>
  46. #include <pthread.h>
  47. #include <string.h>
  48. #include <openssl/bio.h>
  49. #include <openssl/evp.h>
  50. #include <openssl/rand.h>
  51. #include "relay.h"
  52. #include "packet.h"
  53. #include "flow.h"
  54. #include "crypto.h"
  55. #include "util.h"
  56. /** Called when a TLS application record is received for a
  57. * tagged flow. Upstream packets will be checked for covert
  58. * requests to censored sites, downstream packets will be
  59. * replaced with data from the censored queue or with garbage
  60. *
  61. * Inputs:
  62. * f: the tagged flow
  63. * info: the processed received application packet
  64. *
  65. * Output:
  66. * 0 on success, 1 on failure
  67. */
  68. int replace_packet(flow *f, struct packet_info *info){
  69. if (info == NULL || info->tcp_hdr == NULL){
  70. return 0;
  71. }
  72. #ifdef DEBUG
  73. fprintf(stdout,"Flow: %x:%d > %x:%d (%s)\n", info->ip_hdr->src.s_addr, ntohs(info->tcp_hdr->src_port), info->ip_hdr->dst.s_addr, ntohs(info->tcp_hdr->dst_port), (info->ip_hdr->src.s_addr != f->src_ip.s_addr)? "incoming":"outgoing");
  74. fprintf(stdout,"ID number: %u\n", htonl(info->ip_hdr->id));
  75. fprintf(stdout,"Sequence number: %u\n", htonl(info->tcp_hdr->sequence_num));
  76. fprintf(stdout,"Acknowledgement number: %u\n", htonl(info->tcp_hdr->ack_num));
  77. fflush(stdout);
  78. #endif
  79. if(info->app_data_len <= 0){
  80. return 0;
  81. }
  82. /* if outgoing, decrypt and look at header */
  83. if(info->ip_hdr->src.s_addr == f->src_ip.s_addr){
  84. read_header(f, info);
  85. return 0;
  86. } else {
  87. #ifdef DEBUG
  88. printf("Current sequence number: %d\n", f->downstream_seq_num);
  89. printf("Received sequence number: %d\n", htonl(info->tcp_hdr->sequence_num));
  90. #endif
  91. uint32_t offset = htonl(info->tcp_hdr->sequence_num) - f->downstream_seq_num;
  92. if(offset == 0)
  93. f->downstream_seq_num += info->app_data_len;
  94. /* if incoming, replace with data from queue */
  95. process_downstream(f, offset, info);
  96. #ifdef DEBUG2
  97. uint8_t *p = (uint8_t *) info->tcp_hdr;
  98. fprintf(stdout, "ip hdr length: %d\n", htons(info->ip_hdr->len));
  99. fprintf(stdout, "Injecting the following packet:\n");
  100. for(int i=0; i< htons(info->ip_hdr->len)-1; i++){
  101. fprintf(stdout, "%02x ", p[i]);
  102. }
  103. fprintf(stdout, "\n");
  104. fflush(stdout);
  105. #endif
  106. }
  107. return 0;
  108. }
  109. /** Reads the HTTP header of upstream data and searches for
  110. * a covert request in an x-slitheen header. Sends this
  111. * request to the indicated site and saves the response to
  112. * the censored queue
  113. *
  114. * Inputs:
  115. * f: the tagged flow
  116. * info: the processed received packet
  117. *
  118. * Ouput:
  119. * 0 on success, 1 on failure
  120. */
  121. int read_header(flow *f, struct packet_info *info){
  122. uint8_t *p = info->app_data;
  123. if (info->tcp_hdr == NULL){
  124. return 0;
  125. }
  126. uint8_t *record_ptr = NULL;
  127. struct record_header *record_hdr;
  128. uint32_t record_length;
  129. if(f->upstream_remaining > 0){
  130. //check to see whether the previous record has finished
  131. if(f->upstream_remaining > info->app_data_len){
  132. //ignore entire packet for now
  133. queue_block *new_block = smalloc(sizeof(queue_block));
  134. uint8_t *block_data = smalloc(info->app_data_len);
  135. memcpy(block_data, p, info->app_data_len);
  136. new_block->len = info->app_data_len;
  137. new_block->offset = 0;
  138. new_block->data = block_data;
  139. new_block->next = NULL;
  140. //add block to upstream data chain
  141. if(f->upstream_queue == NULL){
  142. f->upstream_queue = new_block;
  143. } else {
  144. queue_block *last = f->upstream_queue;
  145. while(last->next != NULL){
  146. last = last->next;
  147. }
  148. last->next = new_block;
  149. }
  150. f->upstream_remaining -= info->app_data_len;
  151. return 0;
  152. } else {
  153. //process what we have
  154. record_hdr = (struct record_header*) f->upstream_queue->data;
  155. record_length = RECORD_LEN(record_hdr);
  156. record_ptr = smalloc(record_length+ RECORD_HEADER_LEN);
  157. queue_block *current = f->upstream_queue;
  158. int32_t offset =0;
  159. while(f->upstream_queue != NULL){
  160. memcpy(record_ptr+offset, current->data, current->len);
  161. offset += current->len;
  162. free(current->data);
  163. f->upstream_queue = current->next;
  164. free(current);
  165. current = f->upstream_queue;
  166. }
  167. memcpy(record_ptr+offset, p, f->upstream_remaining);
  168. p = record_ptr;
  169. record_hdr = (struct record_header*) p;
  170. f->upstream_remaining = 0;
  171. }
  172. } else {
  173. //check to see if the new record is too long
  174. record_hdr = (struct record_header*) p;
  175. record_length = RECORD_LEN(record_hdr);
  176. if(record_length + RECORD_HEADER_LEN > info->app_data_len){
  177. //add info to upstream queue
  178. queue_block *new_block = smalloc(sizeof(queue_block));
  179. uint8_t *block_data = smalloc(info->app_data_len);
  180. memcpy(block_data, p, info->app_data_len);
  181. new_block->len = info->app_data_len;
  182. new_block->data = block_data;
  183. new_block->next = NULL;
  184. //add block to upstream queue
  185. if(f->upstream_queue == NULL){
  186. f->upstream_queue = new_block;
  187. } else {
  188. queue_block *last = f->upstream_queue;
  189. while(last->next != NULL){
  190. last = last->next;
  191. }
  192. last->next = new_block;
  193. }
  194. f->upstream_remaining = record_length - new_block->len;
  195. return 0;
  196. }
  197. }
  198. p+= RECORD_HEADER_LEN;
  199. uint8_t *decrypted_data = smalloc(record_length);
  200. memcpy(decrypted_data, p, record_length);
  201. int32_t decrypted_len = encrypt(f, decrypted_data, decrypted_data, record_length, 0, record_hdr->type, 0, 0);
  202. if(decrypted_len<0){
  203. printf("US: decryption failed!\n");
  204. if(record_ptr != NULL)
  205. free(record_ptr);
  206. free(decrypted_data);
  207. return 0;
  208. }
  209. if(record_hdr->type == 0x15){
  210. printf("received alert %x:%d > %x:%d (%s)\n", info->ip_hdr->src.s_addr, ntohs(info->tcp_hdr->src_port), info->ip_hdr->dst.s_addr, ntohs(info->tcp_hdr->dst_port), (info->ip_hdr->src.s_addr != f->src_ip.s_addr)? "incoming":"outgoing");
  211. for(int i=0; i<decrypted_len; i++){
  212. printf("%02x ", decrypted_data[EVP_GCM_TLS_EXPLICIT_IV_LEN + i]);
  213. }
  214. printf("\n");
  215. fflush(stdout);
  216. //TODO: re-encrypt and return
  217. }
  218. #ifdef DEBUG_US
  219. printf("Upstream data: (%x:%d > %x:%d )\n",info->ip_hdr->src.s_addr,ntohs(info->tcp_hdr->src_port), info->ip_hdr->dst.s_addr, ntohs(info->tcp_hdr->dst_port));
  220. printf("%s\n", decrypted_data+EVP_GCM_TLS_EXPLICIT_IV_LEN);
  221. #endif
  222. /* search through decrypted data for x-ignore */
  223. char *header_ptr = strstr((const char *) decrypted_data+EVP_GCM_TLS_EXPLICIT_IV_LEN, "X-Slitheen");
  224. uint8_t *upstream_data;
  225. if(header_ptr == NULL){
  226. if(record_ptr != NULL)
  227. free(record_ptr);
  228. free(decrypted_data);
  229. return 0;
  230. }
  231. #ifdef DEBUG_US
  232. printf("UPSTREAM: Found x-slitheen header\n");
  233. fflush(stdout);
  234. fprintf(stdout,"UPSTREAM Flow: %x:%d > %x:%d (%s)\n", info->ip_hdr->src.s_addr,ntohs(info->tcp_hdr->src_port), info->ip_hdr->dst.s_addr, ntohs(info->tcp_hdr->dst_port) ,(info->ip_hdr->src.s_addr != f->src_ip.s_addr)? "incoming":"outgoing");
  235. fprintf(stdout, "Sequence number: %d\n", ntohs(info->tcp_hdr->sequence_num));
  236. #endif
  237. header_ptr += strlen("X-Slitheen: ");
  238. if(*header_ptr == '\r' || *header_ptr == '\0'){
  239. #ifdef DEBUG_US
  240. printf("No messages\n");
  241. #endif
  242. free(decrypted_data);
  243. return 0;
  244. }
  245. int32_t num_messages = 1;
  246. char *messages[50]; //TODO: grow this array
  247. messages[0] = header_ptr;
  248. char *c = header_ptr;
  249. while(*c != '\r' && *c != '\0'){
  250. if(*c == ' '){
  251. *c = '\0';
  252. messages[num_messages] = c+1;
  253. num_messages ++;
  254. }
  255. c++;
  256. }
  257. c++;
  258. *c = '\0';
  259. #ifdef DEBUG_US
  260. printf("UPSTREAM: Found %d messages\n", num_messages);
  261. #endif
  262. for(int i=0; i< num_messages; i++){
  263. char *message = messages[i];
  264. //b64 decode the data
  265. int32_t decode_len = strlen(message);
  266. if(message[decode_len-2] == '='){
  267. decode_len = decode_len*3/4 - 2;
  268. } else if(message[decode_len-1] == '='){
  269. decode_len = decode_len*3/4 - 1;
  270. } else {
  271. decode_len = decode_len*3/4;
  272. }
  273. upstream_data = smalloc(decode_len + 1);
  274. BIO *bio, *b64;
  275. bio = BIO_new_mem_buf(message, -1);
  276. b64 = BIO_new(BIO_f_base64());
  277. bio = BIO_push(b64, bio);
  278. BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
  279. int32_t output_len = BIO_read(bio, upstream_data, strlen(message));
  280. BIO_free_all(bio);
  281. #ifdef DEBUG_US
  282. printf("Decoded to get %d bytes:\n", output_len);
  283. for(int j=0; j< output_len; j++){
  284. printf("%02x ", upstream_data[j]);
  285. }
  286. printf("\n");
  287. fflush(stdout);
  288. #endif
  289. p = upstream_data;
  290. if(i== 0){
  291. //this is the Slitheen ID
  292. #ifdef DEBUG_US
  293. printf("Slitheen ID:");
  294. for(int j=0; j< output_len; j++){
  295. printf("%02x ", p[j]);
  296. }
  297. printf("\n");
  298. #endif
  299. //find stream table or create new one
  300. client *last = clients->first;
  301. while(last != NULL){
  302. if(!memcmp(last->slitheen_id, p, output_len)){
  303. f->streams = last->streams;
  304. f->downstream_queue = last->downstream_queue;
  305. f->client_ptr = last;
  306. break;
  307. #ifdef DEBUG_US
  308. } else {
  309. for(int j=0; j< output_len; j++){
  310. printf("%02x ", last->slitheen_id[j]);
  311. }
  312. printf(" != ");
  313. for(int j=0; j< output_len; j++){
  314. printf("%02x ", p[j]);
  315. }
  316. printf("\n");
  317. #endif
  318. }
  319. last = last->next;
  320. }
  321. if(f->streams == NULL){
  322. //create new client
  323. printf("Creating a new client\n");
  324. client *new_client = smalloc(sizeof(client));
  325. memcpy(new_client->slitheen_id, p, output_len);
  326. new_client->streams = smalloc(sizeof(stream_table));
  327. new_client->streams->first = NULL;
  328. new_client->downstream_queue = smalloc(sizeof(data_queue));
  329. sem_init(&(new_client->queue_lock), 0, 1);
  330. new_client->downstream_queue->first_block = NULL;
  331. new_client->encryption_counter = 0;
  332. new_client->next = NULL;
  333. /* Now generate super encryption keys */
  334. generate_client_super_keys(new_client->slitheen_id, new_client);
  335. //add to client table
  336. if(clients->first == NULL){
  337. clients->first = new_client;
  338. } else {
  339. client *last = clients->first;
  340. while(last->next != NULL){
  341. last = last->next;
  342. }
  343. last->next = new_client;
  344. }
  345. //set f's stream table
  346. f->client_ptr = new_client;
  347. f->streams = new_client->streams;
  348. f->downstream_queue = new_client->downstream_queue;
  349. }
  350. free(upstream_data);
  351. continue;
  352. }
  353. while(output_len > 0){
  354. struct sl_up_hdr *sl_hdr = (struct sl_up_hdr *) p;
  355. uint16_t stream_id = sl_hdr->stream_id;
  356. uint16_t stream_len = ntohs(sl_hdr->len);
  357. p += sizeof(struct sl_up_hdr);
  358. output_len -= sizeof(struct sl_up_hdr);
  359. stream_table *streams = f->streams;
  360. //If a thread for this stream id exists, get the thread info and pipe data
  361. int32_t stream_pipe = -1;
  362. stream *last = streams->first;
  363. if(streams->first != NULL){
  364. if(last->stream_id == stream_id){
  365. stream_pipe = last->pipefd;
  366. } else {
  367. while(last->next != NULL){
  368. last = last->next;
  369. if(last->stream_id == stream_id){
  370. stream_pipe = last->pipefd;
  371. break;
  372. }
  373. }
  374. }
  375. }
  376. if(stream_pipe != -1){
  377. if(stream_len ==0){
  378. printf("Client closed. We are here\n");
  379. close(stream_pipe);
  380. break;
  381. }
  382. #ifdef DEBUG_US
  383. printf("Found stream id %d\n", last->stream_id);
  384. printf("Writing %d bytes to pipe\n", stream_len);
  385. #endif
  386. int32_t bytes_sent = write(stream_pipe, p, stream_len);
  387. if(bytes_sent < 0){
  388. printf("Error sending bytes to stream pipe\n");
  389. }
  390. } else if(stream_len > 0){
  391. /*Else, spawn a thread to handle the proxy to this site*/
  392. pthread_t proxy_thread;
  393. int32_t pipefd[2];
  394. if(pipe(pipefd) < 0){
  395. printf("Error creating pipe\n");
  396. free(decrypted_data);
  397. if(record_ptr != NULL)
  398. free(record_ptr);
  399. return 1;
  400. }
  401. uint8_t *initial_data = smalloc(stream_len);
  402. memcpy(initial_data, p, stream_len);
  403. struct proxy_thread_data *thread_data =
  404. smalloc(sizeof(struct proxy_thread_data));
  405. thread_data->initial_data = initial_data;
  406. thread_data->initial_len = stream_len;
  407. thread_data->stream_id = stream_id;
  408. thread_data->pipefd = pipefd[0];
  409. thread_data->streams = f->streams;
  410. thread_data->downstream_queue = f->downstream_queue;
  411. thread_data->client = f->client_ptr;
  412. pthread_create(&proxy_thread, NULL, proxy_covert_site, (void *) thread_data);
  413. pthread_detach(proxy_thread);
  414. printf("Spawned thread for proxy\n");
  415. //add stream to table
  416. stream *new_stream = smalloc(sizeof(stream));
  417. new_stream->stream_id = stream_id;
  418. new_stream->pipefd = pipefd[1];
  419. new_stream->next = NULL;
  420. if(streams->first == NULL){
  421. streams->first = new_stream;
  422. } else {
  423. stream *last = streams->first;
  424. while(last->next != NULL){
  425. last = last->next;
  426. }
  427. last->next = new_stream;
  428. }
  429. } else{
  430. printf("Error, stream len 0\n");
  431. break;
  432. }
  433. output_len -= stream_len;
  434. p += stream_len;
  435. }
  436. free(upstream_data);
  437. }
  438. //save a reference to the proxy threads in a global table
  439. free(decrypted_data);
  440. if(record_ptr != NULL)
  441. free(record_ptr);
  442. return 0;
  443. }
  444. /** Called by spawned pthreads in read_header to send upstream
  445. * data to the censored site and receive responses. Downstream
  446. * data is stored in the slitheen id's downstream_queue. Function and
  447. * thread will terminate when the client closes the connection
  448. * to the covert destination
  449. *
  450. * Input:
  451. * A struct that contains the following information:
  452. * - the tagged flow
  453. * - the initial upstream data + len (including connect request)
  454. * - the read end of the pipe
  455. * - the downstream queue for the client
  456. *
  457. */
  458. void *proxy_covert_site(void *data){
  459. struct proxy_thread_data *thread_data =
  460. (struct proxy_thread_data *) data;
  461. uint8_t *p = thread_data->initial_data;
  462. uint16_t data_len = thread_data->initial_len;
  463. uint16_t stream_id = thread_data->stream_id;
  464. int32_t bytes_sent;
  465. #ifdef DEBUG_PROXY
  466. printf("PROXY: created new thread for stream %d\n", stream_id);
  467. #endif
  468. stream_table *streams = thread_data->streams;
  469. data_queue *downstream_queue = thread_data->downstream_queue;
  470. client *clnt = thread_data->client;
  471. struct socks_req *clnt_req = (struct socks_req *) p;
  472. p += 4;
  473. data_len -= 4;
  474. int32_t handle = -1;
  475. //see if it's a connect request
  476. if(clnt_req->cmd != 0x01){
  477. printf("PROXY: error not a connect request\n");
  478. goto err;
  479. }
  480. struct sockaddr_in dest;
  481. dest.sin_family = AF_INET;
  482. uint8_t domain_len;
  483. switch(clnt_req->addr_type){
  484. case 0x01:
  485. //IPv4
  486. dest.sin_addr.s_addr = *((uint32_t*) p);
  487. p += 4;
  488. data_len -= 4;
  489. break;
  490. case 0x03:
  491. //domain name
  492. domain_len = p[0];
  493. p++;
  494. data_len --;
  495. uint8_t *domain_name = smalloc(domain_len+1);
  496. memcpy(domain_name, p, domain_len);
  497. domain_name[domain_len] = '\0';
  498. struct hostent *host;
  499. host = gethostbyname((const char *) domain_name);
  500. dest.sin_addr = *((struct in_addr *) host->h_addr);
  501. p += domain_len;
  502. data_len -= domain_len;
  503. free(domain_name);
  504. break;
  505. case 0x04:
  506. //IPv6
  507. printf("PROXY: error IPv6\n");
  508. goto err;//TODO: add IPv6 functionality
  509. break;
  510. }
  511. //now set the port
  512. dest.sin_port = *((uint16_t *) p);
  513. p += 2;
  514. data_len -= 2;
  515. handle = socket(AF_INET, SOCK_STREAM, 0);
  516. if(handle < 0){
  517. printf("PROXY: error creating socket\n");
  518. goto err;
  519. }
  520. struct sockaddr_in my_addr;
  521. socklen_t my_addr_len = sizeof(my_addr);
  522. int32_t error = connect (handle, (struct sockaddr *) &dest, sizeof (struct sockaddr));
  523. #ifdef DEBUG_PROXY
  524. printf("PROXY: Connected to covert site for stream %d\n", stream_id);
  525. #endif
  526. fflush(stdout);
  527. if(error <0){
  528. goto err;
  529. }
  530. getsockname(handle, (struct sockaddr *) &my_addr, &my_addr_len);
  531. //see if there were extra upstream bytes
  532. if(data_len > 0){
  533. #ifdef DEBUG_PROXY
  534. printf("Data len is %d\n", data_len);
  535. printf("Upstream bytes: ");
  536. for(int i=0; i< data_len; i++){
  537. printf("%02x ", p[i]);
  538. }
  539. printf("\n");
  540. #endif
  541. bytes_sent = send(handle, p,
  542. data_len, 0);
  543. if( bytes_sent <= 0){
  544. goto err;
  545. }
  546. }
  547. uint8_t *buffer = smalloc(BUFSIZ);
  548. int32_t buffer_len = BUFSIZ;
  549. //now select on reading from the pipe and from the socket
  550. for(;;){
  551. fd_set readfds;
  552. fd_set writefds;
  553. int32_t nfds = (handle > thread_data->pipefd) ?
  554. handle +1 : thread_data->pipefd + 1;
  555. FD_ZERO(&readfds);
  556. FD_ZERO(&writefds);
  557. FD_SET(thread_data->pipefd, &readfds);
  558. FD_SET(handle, &readfds);
  559. FD_SET(handle, &writefds);
  560. if (select(nfds, &readfds, &writefds, NULL, NULL) < 0){
  561. printf("select error\n");
  562. break;
  563. }
  564. if(FD_ISSET(thread_data->pipefd, &readfds) && FD_ISSET(handle, &writefds)){
  565. //we have upstream data ready for writing
  566. int32_t bytes_read = read(thread_data->pipefd, buffer, buffer_len);
  567. if(bytes_read > 0){
  568. #ifdef DEBUG_PROXY
  569. printf("PROXY (id %d): read %d bytes from pipe\n", stream_id, bytes_read);
  570. for(int i=0; i< bytes_read; i++){
  571. printf("%02x ", buffer[i]);
  572. }
  573. printf("\n");
  574. printf("%s\n", buffer);
  575. #endif
  576. bytes_sent = send(handle, buffer,
  577. bytes_read, 0);
  578. if( bytes_sent <= 0){
  579. printf("Error sending bytes to covert site (stream %d)\n", stream_id);
  580. break;
  581. } else if (bytes_sent < bytes_read){
  582. printf("Sent less bytes than read to covert site (stream %d)\n", stream_id);
  583. break;
  584. }
  585. } else {
  586. //Client closed the connection, we can delete this stream from the downstream queue
  587. printf("Deleting stream %d from the downstream queue\n", stream_id);
  588. sem_wait(&clnt->queue_lock);
  589. queue_block *last = downstream_queue->first_block;
  590. queue_block *prev = last;
  591. while(last != NULL){
  592. if(last->stream_id == stream_id){
  593. //remove block from queue
  594. printf("removing a block!\n");
  595. fflush(stdout);
  596. if(last == downstream_queue->first_block){
  597. downstream_queue->first_block = last->next;
  598. free(last->data);
  599. free(last);
  600. last = downstream_queue->first_block;
  601. prev = last;
  602. } else {
  603. prev->next = last->next;
  604. free(last->data);
  605. free(last);
  606. last = prev->next;
  607. }
  608. } else {
  609. prev = last;
  610. last = last->next;
  611. }
  612. }
  613. sem_post(&clnt->queue_lock);
  614. printf("Finished deleting from downstream queue\n");
  615. fflush(stdout);
  616. break;
  617. }
  618. }
  619. if (FD_ISSET(handle, &readfds)){
  620. //we have downstream data read for saving
  621. int32_t bytes_read;
  622. bytes_read = recv(handle, buffer, buffer_len, 0);
  623. if(bytes_read > 0){
  624. uint8_t *new_data = smalloc(bytes_read);
  625. memcpy(new_data, buffer, bytes_read);
  626. #ifdef DEBUG_PROXY
  627. printf("PROXY (id %d): read %d bytes from censored site\n",stream_id, bytes_read);
  628. for(int i=0; i< bytes_read; i++){
  629. printf("%02x ", buffer[i]);
  630. }
  631. printf("\n");
  632. #endif
  633. //make a new queue block
  634. queue_block *new_block = smalloc(sizeof(queue_block));
  635. new_block->len = bytes_read;
  636. new_block->offset = 0;
  637. new_block->data = new_data;
  638. new_block->next = NULL;
  639. new_block->stream_id = stream_id;
  640. sem_wait(&clnt->queue_lock);
  641. if(downstream_queue->first_block == NULL){
  642. downstream_queue->first_block = new_block;
  643. }
  644. else{
  645. queue_block *last = downstream_queue->first_block;
  646. while(last->next != NULL)
  647. last = last->next;
  648. last->next = new_block;
  649. }
  650. sem_post(&clnt->queue_lock);
  651. } else {
  652. printf("PROXY (id %d): read %d bytes from censored site\n",stream_id, bytes_read);
  653. break;
  654. }
  655. }
  656. }
  657. printf("Closing connection for stream %d\n", stream_id);
  658. //remove self from list
  659. stream *last = streams->first;
  660. stream *prev = last;
  661. if(streams->first != NULL){
  662. if(last->stream_id == stream_id){
  663. streams->first = last->next;
  664. free(last);
  665. } else {
  666. while(last->next != NULL){
  667. prev = last;
  668. last = last->next;
  669. if(last->stream_id == stream_id){
  670. prev->next = last->next;
  671. free(last);
  672. break;
  673. }
  674. }
  675. }
  676. }
  677. if(thread_data->initial_data != NULL){
  678. free(thread_data->initial_data);
  679. }
  680. free(thread_data);
  681. free(buffer);
  682. close(handle);
  683. pthread_detach(pthread_self());
  684. pthread_exit(NULL);
  685. return 0;
  686. err:
  687. //remove self from list
  688. last = streams->first;
  689. prev = last;
  690. if(streams->first != NULL){
  691. if(last->stream_id == stream_id){
  692. streams->first = last->next;
  693. free(last);
  694. } else {
  695. while(last->next != NULL){
  696. prev = last;
  697. last = last->next;
  698. if(last->stream_id == stream_id){
  699. prev->next = last->next;
  700. free(last);
  701. break;
  702. }
  703. }
  704. }
  705. }
  706. if(thread_data->initial_data != NULL){
  707. free(thread_data->initial_data);
  708. }
  709. free(thread_data);
  710. if(handle > 0){
  711. close(handle);
  712. }
  713. pthread_detach(pthread_self());
  714. pthread_exit(NULL);
  715. return 0;
  716. }
  717. /** Replaces downstream record contents with data from the
  718. * censored queue, padding with garbage bytes if no more
  719. * censored data exists.
  720. *
  721. * Inputs:
  722. * f: the tagged flow
  723. * data: a pointer to the received packet's application
  724. * data
  725. * data_len: the length of the packet's application data
  726. * offset: if the packet is misordered, the number of
  727. * application-level bytes in missing packets
  728. *
  729. * Output:
  730. * Returns 0 on sucess
  731. */
  732. int process_downstream(flow *f, int32_t offset, struct packet_info *info){
  733. uint8_t *p = info->app_data;
  734. uint32_t remaining_packet_len = info->app_data_len;
  735. uint32_t partial_offset;
  736. uint32_t remaining_record_len, record_len;
  737. uint8_t partial = 0, false_tag = 0, changed = 0;
  738. uint8_t *record, *record_ptr;
  739. int32_t n;
  740. struct record_header *record_hdr;
  741. while(remaining_packet_len > 0){ //while bytes remain in the packet
  742. if(f->partial_record != NULL){
  743. partial = 1;
  744. remaining_record_len = f->partial_record_total_len - f->partial_record_len;
  745. if(remaining_record_len > remaining_packet_len){ //ignore entire packet
  746. partial_offset = f->partial_record_len;
  747. f->partial_record_len += remaining_packet_len;
  748. memcpy(f->partial_record+ partial_offset, p, remaining_packet_len);
  749. remaining_record_len = remaining_packet_len;
  750. } else { // finishing out this record
  751. partial_offset = f->partial_record_len;
  752. f->partial_record_len += remaining_record_len;
  753. memcpy(f->partial_record+ partial_offset, p, remaining_record_len);
  754. }
  755. record_len = remaining_record_len;
  756. //copy record to temporary ptr
  757. record_ptr = malloc(f->partial_record_len);
  758. memcpy(record_ptr, f->partial_record, f->partial_record_len);
  759. } else { //new record
  760. if(remaining_packet_len < RECORD_HEADER_LEN){
  761. #ifdef DEBUG
  762. printf("partial record header: \n");
  763. for(int i= 0; i< remaining_packet_len; i++){
  764. printf("%02x ", p[i]);
  765. }
  766. printf("\n");
  767. fflush(stdout);
  768. #endif
  769. f->partial_record_header = smalloc(RECORD_HEADER_LEN);
  770. memcpy(f->partial_record_header, p, remaining_packet_len);
  771. f->partial_record_header_len = remaining_packet_len;
  772. remaining_packet_len -= remaining_packet_len;
  773. break;
  774. }
  775. if(f->partial_record_header_len > 0){
  776. memcpy(f->partial_record_header+ f->partial_record_header_len,
  777. p, RECORD_HEADER_LEN - f->partial_record_header_len);
  778. record_hdr = (struct record_header *) f->partial_record_header;
  779. } else {
  780. record_hdr = (struct record_header*) p;
  781. }
  782. record_len = RECORD_LEN(record_hdr);
  783. #ifdef DEBUG_DOWN
  784. fprintf(stdout,"Flow: %x > %x (%s)\n", info->ip_hdr->src.s_addr, info->ip_hdr->dst.s_addr, (info->ip_hdr->src.s_addr != f->src_ip.s_addr)? "incoming":"outgoing");
  785. fprintf(stdout,"ID number: %u\n", htonl(info->ip_hdr->id));
  786. fprintf(stdout,"Sequence number: %u\n", htonl(info->tcp_hdr->sequence_num));
  787. fprintf(stdout,"Acknowledgement number: %u\n", htonl(info->tcp_hdr->ack_num));
  788. fprintf(stdout, "Record:\n");
  789. for(int i=0; i< RECORD_HEADER_LEN; i++){
  790. printf("%02x ", ((uint8_t *) record_hdr)[i]);
  791. }
  792. printf("\n");
  793. printf("Text: ");
  794. printf("%s", ((uint8_t *) record_hdr) + RECORD_HEADER_LEN);
  795. printf("\n");
  796. fflush(stdout);
  797. #endif
  798. p += (RECORD_HEADER_LEN - f->partial_record_header_len);
  799. remaining_packet_len -= (RECORD_HEADER_LEN - f->partial_record_header_len);
  800. if(record_len > remaining_packet_len){
  801. partial = 1;
  802. f->partial_record = smalloc(record_len);
  803. f->partial_record_dec = smalloc(record_len);
  804. f->partial_record_total_len = record_len;
  805. f->partial_record_len = remaining_packet_len;
  806. partial_offset = 0;
  807. memcpy(f->partial_record, p, remaining_packet_len);
  808. }
  809. remaining_record_len = (record_len > remaining_packet_len) ? remaining_packet_len : record_len;
  810. record_len = remaining_record_len;
  811. //copy record to temporary ptr
  812. record_ptr = malloc(remaining_record_len);
  813. memcpy(record_ptr, p, remaining_record_len); //points to the beginning of record data
  814. }
  815. #ifdef DEBUG_DOWN
  816. printf("Received bytes (len %d)\n", remaining_record_len);
  817. for(int i=0; i< remaining_record_len; i++){
  818. printf("%02x ", p[i]);
  819. }
  820. printf("\n");
  821. #endif
  822. record = p; // save location of original data
  823. p = record_ptr;
  824. if(partial){
  825. //if we now have all of the record, decrypt full thing and check tag
  826. if(f->partial_record_len == f->partial_record_total_len){
  827. #ifdef DEBUG_DOWN
  828. printf("Received full partial record (len=%d):\n", f->partial_record_len);
  829. for(int i=0; i< f->partial_record_len; i ++){
  830. printf("%02x", record_ptr[i]);
  831. }
  832. printf("\n");
  833. #endif
  834. n = encrypt(f, record_ptr, record_ptr, f->partial_record_len, 1, 0x17, 0, 0);
  835. if(n <= 0){
  836. free(f->partial_record_dec);
  837. free(f->partial_record);
  838. f->partial_record = NULL;
  839. f->partial_record_dec = NULL;
  840. f->partial_record_total_len = 0;
  841. f->partial_record_len = 0;
  842. free(record_ptr);
  843. return 0; //TODO: goto err or return correctly
  844. }
  845. } else {
  846. //partially decrypt record
  847. n = partial_aes_gcm_tls_cipher(f, record_ptr, record_ptr, f->partial_record_len, 0);
  848. if(n <= 0){
  849. //do something smarter here
  850. printf("Decryption failed\n");
  851. if(f->partial_record_header_len > 0){
  852. f->partial_record_header_len = 0;
  853. free(f->partial_record_header);
  854. }
  855. free(record_ptr);
  856. return 0;//TODO: goto err to free record_ptr
  857. }
  858. }
  859. //copy already modified data
  860. memcpy(p, f->partial_record_dec, partial_offset);
  861. //now update pointer to past where we've already parsed
  862. if(partial_offset){
  863. p += partial_offset;
  864. if(n + EVP_GCM_TLS_EXPLICIT_IV_LEN >= partial_offset){
  865. remaining_record_len = n + EVP_GCM_TLS_EXPLICIT_IV_LEN - partial_offset;
  866. } else {//only received last part of tag
  867. remaining_record_len = 0;
  868. }
  869. } else {
  870. p += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  871. remaining_record_len = n;
  872. }
  873. } else {
  874. //now decrypt the record
  875. n = encrypt(f, record_ptr, record_ptr, remaining_record_len, 1,
  876. record_hdr->type, 0, 0);
  877. if(n < 0){
  878. //do something smarter here
  879. printf("Decryption failed\n");
  880. if(f->partial_record_header_len > 0){
  881. f->partial_record_header_len = 0;
  882. free(f->partial_record_header);
  883. }
  884. free(record_ptr);
  885. return 0;//TODO goto an err to free record_ptr
  886. }
  887. p += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  888. remaining_record_len = n;
  889. }
  890. changed = 1;
  891. #ifdef DEBUG_DOWN
  892. printf("Decrypted new record\n");
  893. printf("Bytes:\n");
  894. for(int i=0; i< n; i++){
  895. printf("%02x ", record_ptr[EVP_GCM_TLS_EXPLICIT_IV_LEN+i]);
  896. }
  897. printf("\n");
  898. printf("Text:\n");
  899. printf("%s\n", record_ptr+EVP_GCM_TLS_EXPLICIT_IV_LEN);
  900. printf("Parseable text:\n");
  901. printf("%s\n", p);
  902. fflush(stdout);
  903. #endif
  904. char *len_ptr, *needle;
  905. while(remaining_record_len > 0){
  906. #ifdef RESOURCE_DEBUG
  907. printf("Current state (flow %p): %x\n", f, f->httpstate);
  908. printf("Remaining record len: %d\n", remaining_record_len);
  909. #endif
  910. switch(f->httpstate){
  911. case PARSE_HEADER:
  912. //determine whether it's transfer encoded or otherwise
  913. //figure out what the content-type is
  914. len_ptr = strstr((const char *) p, "Content-Type: image");
  915. if(len_ptr != NULL){
  916. f->replace_response = 1;
  917. memcpy(len_ptr + 14, "sli/theen", 9);
  918. char *c = len_ptr + 14+9;
  919. while(c[0] != '\r'){
  920. c[0] = ' ';
  921. c++;
  922. }
  923. #ifdef RESOURCE_DEBUG
  924. printf("Found and replaced leaf header\n");
  925. #endif
  926. } else {
  927. //check for video
  928. len_ptr = strstr((const char *) p, "Content-Type: video/webm");
  929. if(len_ptr != NULL){
  930. printf("Found webm resource!\n");
  931. f->replace_response = 1;
  932. memcpy(len_ptr + 14, "sli/theenv", 10);
  933. char *c = len_ptr + 14+10;
  934. while(c[0] != '\r'){
  935. c[0] = ' ';
  936. c++;
  937. }
  938. }
  939. else {
  940. f->replace_response = 0;
  941. }
  942. }
  943. //TODO: more cases for more status codes
  944. //TODO: better way of finding terminating string
  945. len_ptr = strstr((const char *) p, "304 Not Modified");
  946. if(len_ptr != NULL){
  947. //no message body, look for terminating string
  948. len_ptr = strstr((const char *) p, "\r\n\r\n");
  949. if(len_ptr != NULL){
  950. f->httpstate = PARSE_HEADER;
  951. remaining_record_len -= (((uint8_t *)len_ptr - p) + 4);
  952. p = (uint8_t *) len_ptr + 4;
  953. #ifdef RESOURCE_DEBUG
  954. printf("Found a 304 not modified, waiting for next header\n");
  955. printf("Remaining record len: %d\n", remaining_record_len);
  956. #endif
  957. } else {
  958. #ifdef RESOURCE_DEBUG
  959. printf("Missing end of header. Sending to FORFEIT_REST (%p)\n", f);
  960. #endif
  961. f->httpstate = FORFEIT_REST;
  962. }
  963. break;
  964. }
  965. //check for 200 OK message
  966. len_ptr = strstr((const char *) p, "200 OK");
  967. if(len_ptr == NULL){
  968. f->replace_response = 0;
  969. }
  970. len_ptr = strstr((const char *) p, "Transfer-Encoding");
  971. if(len_ptr != NULL){
  972. printf("Transfer encoding\n");
  973. if(!memcmp(len_ptr + 19, "chunked", 7)){
  974. printf("Chunked\n");
  975. //now find end of header
  976. len_ptr = strstr((const char *) p, "\r\n\r\n");
  977. if(len_ptr != NULL){
  978. f->httpstate = BEGIN_CHUNK;
  979. remaining_record_len -= (((uint8_t *)len_ptr - p) + 4);
  980. p = (uint8_t *) len_ptr + 4;
  981. } else {
  982. printf("Couldn't find end of header\n");
  983. f->httpstate = FORFEIT_REST;
  984. }
  985. } else {// other encodings not yet implemented
  986. f->httpstate = FORFEIT_REST;
  987. }
  988. } else {
  989. len_ptr = strstr((const char *) p, "Content-Length:");
  990. if(len_ptr != NULL){
  991. len_ptr += 15;
  992. f->remaining_response_len = strtol((const char *) len_ptr, NULL, 10);
  993. #ifdef RESOURCE_DEBUG
  994. printf("content-length: %d\n", f->remaining_response_len);
  995. #endif
  996. len_ptr = strstr((const char *) p, "\r\n\r\n");
  997. if(len_ptr != NULL){
  998. f->httpstate = MID_CONTENT;
  999. remaining_record_len -= (((uint8_t *)len_ptr - p) + 4);
  1000. p = (uint8_t *) len_ptr + 4;
  1001. #ifdef RESOURCE_DEBUG
  1002. printf("Remaining record len: %d\n", remaining_record_len);
  1003. #endif
  1004. } else {
  1005. remaining_record_len = 0;
  1006. #ifdef RESOURCE_DEBUG
  1007. printf("Missing end of header. Sending to FORFEIT_REST (%p)\n", f);
  1008. #endif
  1009. f->httpstate = FORFEIT_REST;
  1010. }
  1011. } else {
  1012. #ifdef RESOURCE_DEBUG
  1013. printf("No content length of transfer encoding field, sending to FORFEIT_REST (%p)\n", f);
  1014. #endif
  1015. f->httpstate = FORFEIT_REST;
  1016. remaining_record_len = 0;
  1017. }
  1018. }
  1019. break;
  1020. case MID_CONTENT:
  1021. //check if content is replaceable
  1022. if(f->remaining_response_len > remaining_record_len){
  1023. if(f->replace_response){
  1024. fill_with_downstream(f, p, remaining_record_len);
  1025. #ifdef DEBUG_DOWN
  1026. printf("Replaced with:\n");
  1027. for(int i=0; i< remaining_record_len; i++){
  1028. printf("%02x ", p[i]);
  1029. }
  1030. printf("\n");
  1031. #endif
  1032. }
  1033. f->remaining_response_len -= remaining_record_len;
  1034. p += remaining_record_len;
  1035. remaining_record_len = 0;
  1036. } else {
  1037. if(f->replace_response){
  1038. fill_with_downstream(f, p, remaining_record_len);
  1039. #ifdef DEBUG_DOWN
  1040. printf("Replaced with:\n");
  1041. for(int i=0; i< remaining_record_len; i++){
  1042. printf("%02x ", p[i]);
  1043. }
  1044. printf("\n");
  1045. #endif
  1046. }
  1047. remaining_record_len -= f->remaining_response_len;
  1048. p += f->remaining_response_len;
  1049. #ifdef DEBUG_DOWN
  1050. printf("Change state %x --> PARSE_HEADER (%p)\n", f->httpstate, f);
  1051. #endif
  1052. f->httpstate = PARSE_HEADER;
  1053. f->remaining_response_len = 0;
  1054. }
  1055. break;
  1056. case BEGIN_CHUNK:
  1057. {
  1058. int32_t chunk_size = strtol((const char *) p, NULL, 16);
  1059. #ifdef RESOURCE_DEBUG
  1060. printf("BEGIN_CHUNK: chunk size is %d\n", chunk_size);
  1061. #endif
  1062. if(chunk_size == 0){
  1063. f->httpstate = END_BODY;
  1064. } else {
  1065. f->httpstate = MID_CHUNK;
  1066. }
  1067. f->remaining_response_len = chunk_size;
  1068. needle = strstr((const char *) p, "\r\n");
  1069. if(needle != NULL){
  1070. remaining_record_len -= ((uint8_t *) needle - p + 2);
  1071. p = (uint8_t *) needle + 2;
  1072. } else {
  1073. remaining_record_len = 0;
  1074. #ifdef RESOURCE_DEBUG
  1075. printf("Error parsing in BEGIN_CHUNK, FORFEIT (%p)\n", f);
  1076. #endif
  1077. f->httpstate = FORFEIT_REST;
  1078. }
  1079. }
  1080. break;
  1081. case MID_CHUNK:
  1082. if(f->remaining_response_len > remaining_record_len){
  1083. if(f->replace_response){
  1084. fill_with_downstream(f, p, remaining_record_len);
  1085. #ifdef DEBUG_DOWN
  1086. printf("Replaced with:\n");
  1087. for(int i=0; i< remaining_record_len; i++){
  1088. printf("%02x ", p[i]);
  1089. }
  1090. printf("\n");
  1091. #endif
  1092. }
  1093. f->remaining_response_len -= remaining_record_len;
  1094. p += remaining_record_len;
  1095. remaining_record_len = 0;
  1096. } else {
  1097. if(f->replace_response){
  1098. fill_with_downstream(f, p, f->remaining_response_len);
  1099. #ifdef DEBUG_DOWN
  1100. printf("Replaced with:\n");
  1101. for(int i=0; i< f->remaining_response_len; i++){
  1102. printf("%02x ", p[i]);
  1103. }
  1104. printf("\n");
  1105. #endif
  1106. }
  1107. remaining_record_len -= f->remaining_response_len;
  1108. p += f->remaining_response_len;
  1109. f->remaining_response_len = 0;
  1110. f->httpstate = END_CHUNK;
  1111. }
  1112. break;
  1113. case END_CHUNK:
  1114. needle = strstr((const char *) p, "\r\n");
  1115. if(needle != NULL){
  1116. f->httpstate = BEGIN_CHUNK;
  1117. p += 2;
  1118. remaining_record_len -= 2;
  1119. } else {
  1120. remaining_record_len = 0;
  1121. printf("Couldn't find end of chunk, sending to FORFEIT_REST (%p)\n", f);
  1122. f->httpstate = FORFEIT_REST;
  1123. }
  1124. break;
  1125. case END_BODY:
  1126. needle = strstr((const char *) p, "\r\n");
  1127. if(needle != NULL){
  1128. printf("Change state %x --> PARSE_HEADER (%p)\n", f->httpstate, f);
  1129. f->httpstate = PARSE_HEADER;
  1130. p += 2;
  1131. remaining_record_len -= 2;
  1132. } else {
  1133. remaining_record_len = 0;
  1134. printf("Couldn't find end of body, sending to FORFEIT_REST (%p)\n", f);
  1135. f->httpstate = FORFEIT_REST;
  1136. }
  1137. break;
  1138. case FORFEIT_REST:
  1139. case USE_REST:
  1140. remaining_record_len = 0;
  1141. break;
  1142. default:
  1143. break;
  1144. }
  1145. }
  1146. #ifdef DEBUG_DOWN
  1147. if(changed && f->replace_response){
  1148. printf("Resource is now\n");
  1149. printf("Bytes:\n");
  1150. for(int i=0; i< n; i++){
  1151. printf("%02x ", record_ptr[EVP_GCM_TLS_EXPLICIT_IV_LEN+i]);
  1152. }
  1153. printf("\n");
  1154. printf("Text:\n");
  1155. printf("%s\n", record_ptr+EVP_GCM_TLS_EXPLICIT_IV_LEN);
  1156. fflush(stdout);
  1157. }
  1158. #endif
  1159. if(partial){
  1160. //partially encrypting data
  1161. //first copy plaintext to flow struct
  1162. if(n + EVP_GCM_TLS_EXPLICIT_IV_LEN >= partial_offset){
  1163. memcpy(f->partial_record_dec + partial_offset, record_ptr+partial_offset, n + EVP_GCM_TLS_EXPLICIT_IV_LEN - partial_offset);
  1164. } //otherwise, this packet contains only part of the tag
  1165. n = partial_aes_gcm_tls_cipher(f, record_ptr, record_ptr, n+ EVP_GCM_TLS_EXPLICIT_IV_LEN, 1);
  1166. if(n < 0){
  1167. printf("Partial decryption failed!\n");
  1168. free(record_ptr);
  1169. return 0;
  1170. }
  1171. #ifdef DEBUG_DOWN
  1172. printf("Partially encrypted bytes:\n");
  1173. for(int i=0; i < n + EVP_GCM_TLS_EXPLICIT_IV_LEN; i++){
  1174. printf("%02x ", record_ptr[i]);
  1175. }
  1176. printf("\n");
  1177. #endif
  1178. //if we received all of the partial packet, add tag and release it
  1179. if (f->partial_record_len == f->partial_record_total_len){
  1180. //compute tag
  1181. #ifdef DEBUG_DOWN
  1182. partial_aes_gcm_tls_tag(f, record_ptr + n + EVP_GCM_TLS_EXPLICIT_IV_LEN, n);
  1183. printf("tag: (%d bytes)\n", EVP_GCM_TLS_TAG_LEN);
  1184. for(int i=0; i< EVP_GCM_TLS_TAG_LEN; i++){
  1185. printf("%02x ", record_ptr[n + EVP_GCM_TLS_EXPLICIT_IV_LEN+i]);
  1186. }
  1187. printf("\n");
  1188. #endif
  1189. if(false_tag){//tag on original record was incorrect O.o add incorrect tag
  1190. } else {//compute correct tag TODO: fill in
  1191. }
  1192. free(f->partial_record_dec);
  1193. free(f->partial_record);
  1194. f->partial_record = NULL;
  1195. f->partial_record_dec = NULL;
  1196. f->partial_record_total_len = 0;
  1197. f->partial_record_len = 0;
  1198. partial = 0;
  1199. } else {
  1200. //compute tag just to clear out ctx
  1201. uint8_t *tag = smalloc(EVP_GCM_TLS_TAG_LEN);
  1202. partial_aes_gcm_tls_tag(f, tag, EVP_GCM_TLS_TAG_LEN);
  1203. free(tag);
  1204. }
  1205. p = record_ptr + partial_offset;
  1206. partial_offset += n + EVP_GCM_TLS_EXPLICIT_IV_LEN - partial_offset;
  1207. } else {
  1208. if((n = encrypt(f, record_ptr, record_ptr, n + EVP_GCM_TLS_EXPLICIT_IV_LEN,
  1209. 1, record_hdr->type, 1, 1)) < 0){
  1210. printf("UH OH, failed to re-encrypt record\n");
  1211. if(f->partial_record_header_len > 0){
  1212. f->partial_record_header_len = 0;
  1213. free(f->partial_record_header);
  1214. }
  1215. free(record_ptr);
  1216. return 0;
  1217. }
  1218. p = record_ptr;
  1219. }
  1220. #ifdef DEBUG_DOWN2
  1221. fprintf(stdout,"Flow: %x:%d > %x:%d (%s)\n", info->ip_hdr->src.s_addr, ntohs(info->tcp_hdr->src_port), info->ip_hdr->dst.s_addr, ntohs(info->tcp_hdr->dst_port), (info->ip_hdr->src.s_addr != f->src_ip.s_addr)? "incoming":"outgoing");
  1222. fprintf(stdout,"ID number: %u\n", htonl(info->ip_hdr->id));
  1223. fprintf(stdout,"Sequence number: %u\n", htonl(info->tcp_hdr->sequence_num));
  1224. fprintf(stdout,"Acknowledgement number: %u\n", htonl(info->tcp_hdr->ack_num));
  1225. printf("New ciphertext bytes:\n");
  1226. for(int i=0; i< n; i++){
  1227. printf("%02x ", record_ptr[i]);
  1228. }
  1229. printf("\n");
  1230. #endif
  1231. //Copy changed temporary data to original packet
  1232. memcpy(record, p, record_len);
  1233. p = record + record_len;
  1234. remaining_packet_len -= record_len;
  1235. if(f->partial_record_header_len > 0){
  1236. f->partial_record_header_len = 0;
  1237. free(f->partial_record_header);
  1238. }
  1239. free(record_ptr);//free temporary record
  1240. }
  1241. if(changed){
  1242. tcp_checksum(info);
  1243. }
  1244. return 0;
  1245. }
  1246. /** Fills a given pointer with downstream data of the specified length. If no downstream data
  1247. * exists, pads it with garbage bytes. All downstream data is accompanied by a stream id and
  1248. * lengths of both the downstream data and garbage data
  1249. *
  1250. * Inputs:
  1251. * data: a pointer to where the downstream data should be entered
  1252. * length: The length of the downstream data required
  1253. *
  1254. */
  1255. int fill_with_downstream(flow *f, uint8_t *data, int32_t length){
  1256. printf("In fill_with_ds\n");
  1257. uint8_t *p = data;
  1258. int32_t remaining = length;
  1259. struct slitheen_header *sl_hdr;
  1260. data_queue *downstream_queue = f->downstream_queue;
  1261. client *client_ptr = f->client_ptr;
  1262. if(client_ptr == NULL){
  1263. //printf("ERROR: no client\n");
  1264. return 1;
  1265. }
  1266. //Fill as much as we can from the censored_queue
  1267. //Note: need enough for the header and one block of data (16 byte IV, 16 byte
  1268. // block, 16 byte MAC) = header_len + 48.
  1269. while((remaining > (SLITHEEN_HEADER_LEN + 48)) && downstream_queue != NULL && downstream_queue->first_block != NULL){
  1270. //amount of data we'll actualy fill with (16 byte IV and 16 byte MAC)
  1271. int32_t fill_amount = remaining - SLITHEEN_HEADER_LEN - 32;
  1272. fill_amount -= fill_amount % 16; //rounded down to nearest block size
  1273. sem_wait(&client_ptr->queue_lock);
  1274. queue_block *first_block = downstream_queue->first_block;
  1275. int32_t block_length = first_block->len;
  1276. int32_t offset = first_block->offset;
  1277. #ifdef DEBUG
  1278. printf("Censored queue is at %p.\n", first_block);
  1279. printf("This block has %d bytes left\n", block_length - offset);
  1280. printf("We need %d bytes\n", remaining - SLITHEEN_HEADER_LEN);
  1281. #endif
  1282. uint8_t *encrypted_data = p;
  1283. sl_hdr = (struct slitheen_header *) p;
  1284. sl_hdr->counter = ++(client_ptr->encryption_counter);
  1285. sl_hdr->stream_id = first_block->stream_id;
  1286. sl_hdr->len = 0x0000;
  1287. sl_hdr->garbage = 0x0000;
  1288. sl_hdr->zeros = 0x0000;
  1289. p += SLITHEEN_HEADER_LEN;
  1290. remaining -= SLITHEEN_HEADER_LEN;
  1291. p += 16; //iv length
  1292. remaining -= 16;
  1293. if(block_length > offset + fill_amount){
  1294. //use part of the block, update offset
  1295. memcpy(p, first_block->data+offset, fill_amount);
  1296. first_block->offset += fill_amount;
  1297. p += fill_amount;
  1298. sl_hdr->len = fill_amount;
  1299. remaining -= fill_amount;
  1300. } else {
  1301. //use all of the block and free it
  1302. memcpy(p, first_block->data+offset, block_length - offset);
  1303. free(first_block->data);
  1304. downstream_queue->first_block = first_block->next;
  1305. free(first_block);
  1306. p += (block_length - offset);
  1307. sl_hdr->len = (block_length - offset);
  1308. remaining -= (block_length - offset);
  1309. }
  1310. sem_post(&client_ptr->queue_lock);
  1311. //pad to 16 bytes if necessary
  1312. uint8_t padding = 0;
  1313. if(sl_hdr->len %16){
  1314. padding = 16 - (sl_hdr->len)%16;
  1315. memset(p, padding, padding);
  1316. remaining -= padding;
  1317. p += padding;
  1318. }
  1319. p += 16;
  1320. remaining -= 16;
  1321. //fill rest of packet with padding, if needed
  1322. if(remaining < SLITHEEN_HEADER_LEN){
  1323. RAND_bytes(p, remaining);
  1324. sl_hdr->garbage = htons(remaining);
  1325. p += remaining;
  1326. remaining -= remaining;
  1327. }
  1328. int16_t data_len = sl_hdr->len;
  1329. sl_hdr->len = htons(sl_hdr->len);
  1330. //now encrypt
  1331. super_encrypt(client_ptr, encrypted_data, data_len + padding);
  1332. #ifdef DEBUG_DOWN
  1333. printf("DWNSTRM: slitheen header: ");
  1334. for(int i=0; i< SLITHEEN_HEADER_LEN; i++){
  1335. printf("%02x ",((uint8_t *) sl_hdr)[i]);
  1336. }
  1337. printf("\n");
  1338. printf("Sending %d downstream bytes:", data_len);
  1339. for(int i=0; i< data_len+16+16; i++){
  1340. printf("%02x ", ((uint8_t *) sl_hdr)[i+SLITHEEN_HEADER_LEN]);
  1341. }
  1342. printf("\n");
  1343. #endif
  1344. }
  1345. //now, if we need more data, fill with garbage
  1346. if(remaining >= SLITHEEN_HEADER_LEN ){
  1347. sl_hdr = (struct slitheen_header *) p;
  1348. sl_hdr->counter = 0x00;
  1349. sl_hdr->stream_id = 0x00;
  1350. remaining -= SLITHEEN_HEADER_LEN;
  1351. sl_hdr->len = 0x00;
  1352. sl_hdr->garbage = htons(remaining);
  1353. sl_hdr->zeros = 0x0000;
  1354. #ifdef DEBUG_DOWN
  1355. printf("DWNSTRM: slitheen header: ");
  1356. for(int i=0; i< SLITHEEN_HEADER_LEN; i++){
  1357. printf("%02x ", p[i]);
  1358. }
  1359. printf("\n");
  1360. #endif
  1361. //encrypt slitheen header
  1362. super_encrypt(client_ptr, p, 0);
  1363. p += SLITHEEN_HEADER_LEN;
  1364. RAND_bytes(p, remaining);
  1365. } else if(remaining > 0){
  1366. //fill with random data
  1367. RAND_bytes(p, remaining);
  1368. }
  1369. return 0;
  1370. }
  1371. /** Computes the TCP checksum of the data according to RFC 793
  1372. * sum all 16-bit words in the segment, pad the last word if
  1373. * needed
  1374. *
  1375. * there is a pseudo-header prefixed to the segment and
  1376. * included in the checksum:
  1377. *
  1378. * +--------+--------+--------+--------+
  1379. * | Source Address |
  1380. * +--------+--------+--------+--------+
  1381. * | Destination Address |
  1382. * +--------+--------+--------+--------+
  1383. * | zero | PTCL | TCP Length |
  1384. * +--------+--------+--------+--------+
  1385. */
  1386. uint16_t tcp_checksum(struct packet_info *info){
  1387. uint16_t tcp_length = info->app_data_len + info->size_tcp_hdr;
  1388. struct in_addr src = info->ip_hdr->src;
  1389. struct in_addr dst = info->ip_hdr->dst;
  1390. uint8_t proto = IPPROTO_TCP;
  1391. //set the checksum to zero
  1392. info->tcp_hdr->chksum = 0;
  1393. //sum pseudoheader
  1394. uint32_t sum = (ntohl(src.s_addr)) >> 16;
  1395. sum += (ntohl(src.s_addr)) &0xFFFF;
  1396. sum += (ntohl(dst.s_addr)) >> 16;
  1397. sum += (ntohl(dst.s_addr)) & 0xFFFF;
  1398. sum += proto;
  1399. sum += tcp_length;
  1400. //sum tcp header (with zero-d checksum)
  1401. uint8_t *p = (uint8_t *) info->tcp_hdr;
  1402. for(int i=0; i < info->size_tcp_hdr; i+=2){
  1403. sum += (uint16_t) ((p[i] << 8) + p[i+1]);
  1404. }
  1405. //now sum the application data
  1406. p = info->app_data;
  1407. for(int i=0; i< info->app_data_len-1; i+=2){
  1408. sum += (uint16_t) ((p[i] << 8) + p[i+1]);
  1409. }
  1410. if(info->app_data_len %2 != 0){
  1411. sum += (uint16_t) (p[info->app_data_len - 1]) << 8;
  1412. }
  1413. //now add most significant to last significant bits
  1414. sum = (sum >> 16) + (sum & 0xFFFF);
  1415. sum += sum >>16;
  1416. //now subtract from 0xFF
  1417. sum = 0xFFFF - sum;
  1418. //set chksum to calculated value
  1419. info->tcp_hdr->chksum = ntohs(sum);
  1420. return (uint16_t) sum;
  1421. }