1 /*-
2 * SPDX-License-Identifier: ISC
3 *
4 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 *
18 * $OpenBSD: pf_osfp.c,v 1.14 2008/06/12 18:17:01 henning Exp $
19 */
20
21 #include <sys/cdefs.h>
22 __FBSDID("$FreeBSD$");
23
24 #include "opt_inet6.h"
25
26 #include <sys/param.h>
27 #include <sys/kernel.h>
28 #include <sys/lock.h>
29 #include <sys/mbuf.h>
30 #include <sys/socket.h>
31
32 #include <netinet/in.h>
33 #include <netinet/ip.h>
34 #include <netinet/tcp.h>
35
36 #include <net/if.h>
37 #include <net/vnet.h>
38 #include <net/pfvar.h>
39
40 #ifdef INET6
41 #include <netinet/ip6.h>
42 #endif
43
44 static MALLOC_DEFINE(M_PFOSFP, "pf_osfp", "pf(4) operating system fingerprints");
45 #define DPFPRINTF(format, x...) \
46 if (V_pf_status.debug >= PF_DEBUG_NOISY) \
47 printf(format , ##x)
48
49 SLIST_HEAD(pf_osfp_list, pf_os_fingerprint);
50 VNET_DEFINE_STATIC(struct pf_osfp_list, pf_osfp_list) =
51 SLIST_HEAD_INITIALIZER();
52 #define V_pf_osfp_list VNET(pf_osfp_list)
53
54 static struct pf_osfp_enlist *pf_osfp_fingerprint_hdr(const struct ip *,
55 const struct ip6_hdr *,
56 const struct tcphdr *);
57 static struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *,
58 struct pf_os_fingerprint *, u_int8_t);
59 static struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *,
60 struct pf_os_fingerprint *);
61 static void pf_osfp_insert(struct pf_osfp_list *,
62 struct pf_os_fingerprint *);
63 #ifdef PFDEBUG
64 static struct pf_os_fingerprint *pf_osfp_validate(void);
65 #endif
66
67 /*
68 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only)
69 * Returns the list of possible OSes.
70 */
71 struct pf_osfp_enlist *
72 pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off,
73 const struct tcphdr *tcp)
74 {
75 struct ip *ip;
76 struct ip6_hdr *ip6;
77 char hdr[60];
78
79 if ((pd->af != PF_INET && pd->af != PF_INET6) ||
80 pd->proto != IPPROTO_TCP || (tcp->th_off << 2) < sizeof(*tcp))
81 return (NULL);
82
83 if (pd->af == PF_INET) {
84 ip = mtod(m, struct ip *);
85 ip6 = (struct ip6_hdr *)NULL;
86 } else {
87 ip = (struct ip *)NULL;
88 ip6 = mtod(m, struct ip6_hdr *);
89 }
90 if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL,
91 pd->af)) return (NULL);
92
93 return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr));
94 }
95
96 static struct pf_osfp_enlist *
97 pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcp)
98 {
99 struct pf_os_fingerprint fp, *fpresult;
100 int cnt, optlen = 0;
101 const u_int8_t *optp;
102 #ifdef INET6
103 char srcname[INET6_ADDRSTRLEN];
104 #else
105 char srcname[INET_ADDRSTRLEN];
106 #endif
107
108 if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN)
109 return (NULL);
110 if (ip) {
111 if ((ip->ip_off & htons(IP_OFFMASK)) != 0)
112 return (NULL);
113 }
114
115 memset(&fp, 0, sizeof(fp));
116
117 if (ip) {
118 fp.fp_psize = ntohs(ip->ip_len);
119 fp.fp_ttl = ip->ip_ttl;
120 if (ip->ip_off & htons(IP_DF))
121 fp.fp_flags |= PF_OSFP_DF;
122 inet_ntoa_r(ip->ip_src, srcname);
123 }
124 #ifdef INET6
125 else if (ip6) {
126 /* jumbo payload? */
127 fp.fp_psize = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
128 fp.fp_ttl = ip6->ip6_hlim;
129 fp.fp_flags |= PF_OSFP_DF;
130 fp.fp_flags |= PF_OSFP_INET6;
131 ip6_sprintf(srcname, (const struct in6_addr *)&ip6->ip6_src);
132 }
133 #endif
134 else
135 return (NULL);
136 fp.fp_wsize = ntohs(tcp->th_win);
137
138 cnt = (tcp->th_off << 2) - sizeof(*tcp);
139 optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp));
140 for (; cnt > 0; cnt -= optlen, optp += optlen) {
141 if (*optp == TCPOPT_EOL)
142 break;
143
144 fp.fp_optcnt++;
145 if (*optp == TCPOPT_NOP) {
146 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) |
147 PF_OSFP_TCPOPT_NOP;
148 optlen = 1;
149 } else {
150 if (cnt < 2)
151 return (NULL);
152 optlen = optp[1];
153 if (optlen > cnt || optlen < 2)
154 return (NULL);
155 switch (*optp) {
156 case TCPOPT_MAXSEG:
157 if (optlen >= TCPOLEN_MAXSEG)
158 memcpy(&fp.fp_mss, &optp[2],
159 sizeof(fp.fp_mss));
160 fp.fp_tcpopts = (fp.fp_tcpopts <<
161 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS;
162 NTOHS(fp.fp_mss);
163 break;
164 case TCPOPT_WINDOW:
165 if (optlen >= TCPOLEN_WINDOW)
166 memcpy(&fp.fp_wscale, &optp[2],
167 sizeof(fp.fp_wscale));
168 NTOHS(fp.fp_wscale);
169 fp.fp_tcpopts = (fp.fp_tcpopts <<
170 PF_OSFP_TCPOPT_BITS) |
171 PF_OSFP_TCPOPT_WSCALE;
172 break;
173 case TCPOPT_SACK_PERMITTED:
174 fp.fp_tcpopts = (fp.fp_tcpopts <<
175 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK;
176 break;
177 case TCPOPT_TIMESTAMP:
178 if (optlen >= TCPOLEN_TIMESTAMP) {
179 u_int32_t ts;
180 memcpy(&ts, &optp[2], sizeof(ts));
181 if (ts == 0)
182 fp.fp_flags |= PF_OSFP_TS0;
183 }
184 fp.fp_tcpopts = (fp.fp_tcpopts <<
185 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS;
186 break;
187 default:
188 return (NULL);
189 }
190 }
191 optlen = MAX(optlen, 1); /* paranoia */
192 }
193
194 DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
195 "(TS=%s,M=%s%d,W=%s%d)\n",
196 srcname, ntohs(tcp->th_sport),
197 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
198 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
199 (fp.fp_flags & PF_OSFP_TS0) ? "" : "",
200 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
201 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
202 fp.fp_mss,
203 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
204 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
205 fp.fp_wscale);
206
207 if ((fpresult = pf_osfp_find(&V_pf_osfp_list, &fp,
208 PF_OSFP_MAXTTL_OFFSET)))
209 return (&fpresult->fp_oses);
210 return (NULL);
211 }
212
213 /* Match a fingerprint ID against a list of OSes */
214 int
215 pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
216 {
217 struct pf_osfp_entry *entry;
218 int os_class, os_version, os_subtype;
219 int en_class, en_version, en_subtype;
220
221 if (os == PF_OSFP_ANY)
222 return (1);
223 if (list == NULL) {
224 DPFPRINTF("osfp no match against %x\n", os);
225 return (os == PF_OSFP_UNKNOWN);
226 }
227 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
228 SLIST_FOREACH(entry, list, fp_entry) {
229 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype);
230 if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
231 (os_version == PF_OSFP_ANY || en_version == os_version) &&
232 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
233 DPFPRINTF("osfp matched %s %s %s %x==%x\n",
234 entry->fp_class_nm, entry->fp_version_nm,
235 entry->fp_subtype_nm, os, entry->fp_os);
236 return (1);
237 }
238 }
239 DPFPRINTF("fingerprint 0x%x didn't match\n", os);
240 return (0);
241 }
242
243 /* Flush the fingerprint list */
244 void
245 pf_osfp_flush(void)
246 {
247 struct pf_os_fingerprint *fp;
248 struct pf_osfp_entry *entry;
249
250 while ((fp = SLIST_FIRST(&V_pf_osfp_list))) {
251 SLIST_REMOVE_HEAD(&V_pf_osfp_list, fp_next);
252 while ((entry = SLIST_FIRST(&fp->fp_oses))) {
253 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry);
254 free(entry, M_PFOSFP);
255 }
256 free(fp, M_PFOSFP);
257 }
258 }
259
260 /* Add a fingerprint */
261 int
262 pf_osfp_add(struct pf_osfp_ioctl *fpioc)
263 {
264 struct pf_os_fingerprint *fp, fpadd;
265 struct pf_osfp_entry *entry;
266
267 PF_RULES_WASSERT();
268
269 memset(&fpadd, 0, sizeof(fpadd));
270 fpadd.fp_tcpopts = fpioc->fp_tcpopts;
271 fpadd.fp_wsize = fpioc->fp_wsize;
272 fpadd.fp_psize = fpioc->fp_psize;
273 fpadd.fp_mss = fpioc->fp_mss;
274 fpadd.fp_flags = fpioc->fp_flags;
275 fpadd.fp_optcnt = fpioc->fp_optcnt;
276 fpadd.fp_wscale = fpioc->fp_wscale;
277 fpadd.fp_ttl = fpioc->fp_ttl;
278
279 #if 0 /* XXX RYAN wants to fix logging */
280 DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
281 "(TS=%s,M=%s%d,W=%s%d) %x\n",
282 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
283 fpioc->fp_os.fp_subtype_nm,
284 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
285 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" :
286 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" :
287 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "",
288 fpadd.fp_wsize,
289 fpadd.fp_ttl,
290 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0,
291 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" :
292 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "",
293 fpadd.fp_psize,
294 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt,
295 (fpadd.fp_flags & PF_OSFP_TS0) ? "" : "",
296 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
297 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
298 fpadd.fp_mss,
299 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
300 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
301 fpadd.fp_wscale,
302 fpioc->fp_os.fp_os);
303 #endif
304
305 if ((fp = pf_osfp_find_exact(&V_pf_osfp_list, &fpadd))) {
306 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
307 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os))
308 return (EEXIST);
309 }
310 if ((entry = malloc(sizeof(*entry), M_PFOSFP, M_NOWAIT))
311 == NULL)
312 return (ENOMEM);
313 } else {
314 if ((fp = malloc(sizeof(*fp), M_PFOSFP, M_ZERO | M_NOWAIT))
315 == NULL)
316 return (ENOMEM);
317 fp->fp_tcpopts = fpioc->fp_tcpopts;
318 fp->fp_wsize = fpioc->fp_wsize;
319 fp->fp_psize = fpioc->fp_psize;
320 fp->fp_mss = fpioc->fp_mss;
321 fp->fp_flags = fpioc->fp_flags;
322 fp->fp_optcnt = fpioc->fp_optcnt;
323 fp->fp_wscale = fpioc->fp_wscale;
324 fp->fp_ttl = fpioc->fp_ttl;
325 SLIST_INIT(&fp->fp_oses);
326 if ((entry = malloc(sizeof(*entry), M_PFOSFP, M_NOWAIT))
327 == NULL) {
328 free(fp, M_PFOSFP);
329 return (ENOMEM);
330 }
331 pf_osfp_insert(&V_pf_osfp_list, fp);
332 }
333 memcpy(entry, &fpioc->fp_os, sizeof(*entry));
334
335 /* Make sure the strings are NUL terminated */
336 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0';
337 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0';
338 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0';
339
340 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry);
341
342 #ifdef PFDEBUG
343 if ((fp = pf_osfp_validate()))
344 printf("Invalid fingerprint list\n");
345 #endif /* PFDEBUG */
346 return (0);
347 }
348
349 /* Find a fingerprint in the list */
350 static struct pf_os_fingerprint *
351 pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find,
352 u_int8_t ttldiff)
353 {
354 struct pf_os_fingerprint *f;
355
356 #define MATCH_INT(_MOD, _DC, _field) \
357 if ((f->fp_flags & _DC) == 0) { \
358 if ((f->fp_flags & _MOD) == 0) { \
359 if (f->_field != find->_field) \
360 continue; \
361 } else { \
362 if (f->_field == 0 || find->_field % f->_field) \
363 continue; \
364 } \
365 }
366
367 SLIST_FOREACH(f, list, fp_next) {
368 if (f->fp_tcpopts != find->fp_tcpopts ||
369 f->fp_optcnt != find->fp_optcnt ||
370 f->fp_ttl < find->fp_ttl ||
371 f->fp_ttl - find->fp_ttl > ttldiff ||
372 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) !=
373 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)))
374 continue;
375
376 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize)
377 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss)
378 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale)
379 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) {
380 if (f->fp_flags & PF_OSFP_WSIZE_MSS) {
381 if (find->fp_mss == 0)
382 continue;
383
384 /*
385 * Some "smart" NAT devices and DSL routers will tweak the MSS size and
386 * will set it to whatever is suitable for the link type.
387 */
388 #define SMART_MSS 1460
389 if ((find->fp_wsize % find->fp_mss ||
390 find->fp_wsize / find->fp_mss !=
391 f->fp_wsize) &&
392 (find->fp_wsize % SMART_MSS ||
393 find->fp_wsize / SMART_MSS !=
394 f->fp_wsize))
395 continue;
396 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) {
397 if (find->fp_mss == 0)
398 continue;
399
400 #define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr))
401 #define SMART_MTU (SMART_MSS + MTUOFF)
402 if ((find->fp_wsize % (find->fp_mss + MTUOFF) ||
403 find->fp_wsize / (find->fp_mss + MTUOFF) !=
404 f->fp_wsize) &&
405 (find->fp_wsize % SMART_MTU ||
406 find->fp_wsize / SMART_MTU !=
407 f->fp_wsize))
408 continue;
409 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) {
410 if (f->fp_wsize == 0 || find->fp_wsize %
411 f->fp_wsize)
412 continue;
413 } else {
414 if (f->fp_wsize != find->fp_wsize)
415 continue;
416 }
417 }
418 return (f);
419 }
420
421 return (NULL);
422 }
423
424 /* Find an exact fingerprint in the list */
425 static struct pf_os_fingerprint *
426 pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find)
427 {
428 struct pf_os_fingerprint *f;
429
430 SLIST_FOREACH(f, list, fp_next) {
431 if (f->fp_tcpopts == find->fp_tcpopts &&
432 f->fp_wsize == find->fp_wsize &&
433 f->fp_psize == find->fp_psize &&
434 f->fp_mss == find->fp_mss &&
435 f->fp_flags == find->fp_flags &&
436 f->fp_optcnt == find->fp_optcnt &&
437 f->fp_wscale == find->fp_wscale &&
438 f->fp_ttl == find->fp_ttl)
439 return (f);
440 }
441
442 return (NULL);
443 }
444
445 /* Insert a fingerprint into the list */
446 static void
447 pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins)
448 {
449 struct pf_os_fingerprint *f, *prev = NULL;
450
451 /* XXX need to go semi tree based. can key on tcp options */
452
453 SLIST_FOREACH(f, list, fp_next)
454 prev = f;
455 if (prev)
456 SLIST_INSERT_AFTER(prev, ins, fp_next);
457 else
458 SLIST_INSERT_HEAD(list, ins, fp_next);
459 }
460
461 /* Fill a fingerprint by its number (from an ioctl) */
462 int
463 pf_osfp_get(struct pf_osfp_ioctl *fpioc)
464 {
465 struct pf_os_fingerprint *fp;
466 struct pf_osfp_entry *entry;
467 int num = fpioc->fp_getnum;
468 int i = 0;
469
470 memset(fpioc, 0, sizeof(*fpioc));
471 SLIST_FOREACH(fp, &V_pf_osfp_list, fp_next) {
472 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
473 if (i++ == num) {
474 fpioc->fp_mss = fp->fp_mss;
475 fpioc->fp_wsize = fp->fp_wsize;
476 fpioc->fp_flags = fp->fp_flags;
477 fpioc->fp_psize = fp->fp_psize;
478 fpioc->fp_ttl = fp->fp_ttl;
479 fpioc->fp_wscale = fp->fp_wscale;
480 fpioc->fp_getnum = num;
481 memcpy(&fpioc->fp_os, entry,
482 sizeof(fpioc->fp_os));
483 return (0);
484 }
485 }
486 }
487
488 return (EBUSY);
489 }
490
491 #ifdef PFDEBUG
492 /* Validate that each signature is reachable */
493 static struct pf_os_fingerprint *
494 pf_osfp_validate(void)
495 {
496 struct pf_os_fingerprint *f, *f2, find;
497
498 SLIST_FOREACH(f, &V_pf_osfp_list, fp_next) {
499 memcpy(&find, f, sizeof(find));
500
501 /* We do a few MSS/th_win percolations to make things unique */
502 if (find.fp_mss == 0)
503 find.fp_mss = 128;
504 if (f->fp_flags & PF_OSFP_WSIZE_MSS)
505 find.fp_wsize *= find.fp_mss;
506 else if (f->fp_flags & PF_OSFP_WSIZE_MTU)
507 find.fp_wsize *= (find.fp_mss + 40);
508 else if (f->fp_flags & PF_OSFP_WSIZE_MOD)
509 find.fp_wsize *= 2;
510 if (f != (f2 = pf_osfp_find(&V_pf_osfp_list, &find, 0))) {
511 if (f2)
512 printf("Found \"%s %s %s\" instead of "
513 "\"%s %s %s\"\n",
514 SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
515 SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
516 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm,
517 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
518 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
519 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
520 else
521 printf("Couldn't find \"%s %s %s\"\n",
522 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
523 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
524 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
525 return (f);
526 }
527 }
528 return (NULL);
529 }
530 #endif /* PFDEBUG */
Cache object: 1611b625d3628bb7170c0d936bcbcddf
|