/* follow_ssl.c
* SSL specific routines for following traffic streams
*
* $Id$
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
* USA.
*/
#ifdef HAVE_CONFIG_H
# include <config.h>
#endif
#include <stdio.h>
#include <string.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <ctype.h>
#include <gtk/gtk.h>
#include <epan/follow.h>
#include <epan/dissectors/packet-ipv6.h>
#include <epan/prefs.h>
#include <epan/addr_resolv.h>
#include <epan/epan_dissect.h>
#include <epan/filesystem.h>
#include <epan/tap.h>
#include <../color.h>
#include <../alert_box.h>
#include <../simple_dialog.h>
#include <../util.h>
#include "gtkglobals.h"
#include <gtk/color_utils.h>
#include <gtk/main.h>
#include <gtk/dlg_utils.h>
#include <gtk/file_dlg.h>
#include <gtk/keys.h>
#include <gtk/gui_utils.h>
#include <gtk/font_utils.h>
#include "gtk/follow_ssl.h"
#include "gtk/follow_stream.h"
#include "gtk/utf8_entities.h"
#ifdef SSL_PLUGIN
#include "packet-ssl-utils.h"
#else
#include <epan/dissectors/packet-ssl-utils.h>
#endif
/*
 * One packet's worth of decrypted SSL application data, as queued by
 * ssl_queue_packet_data() onto follow_info->payload.
 *
 * The record and its payload share a single g_malloc() block: data.data
 * points just past the struct, so freeing the record frees the bytes too.
 */
typedef struct {
    gboolean is_server;  /* 0 = sent by the client side, 1 = sent by the server side */
    StringInfo data;     /* plaintext of every application-data record in the packet, concatenated */
} SslDecryptedRecord;
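/*
 * Tap listener callback for the "ssl" tap: gathers the decrypted
 * application data of one packet and queues it on follow_info->payload.
 *
 * tapdata - the follow_info_t of the stream being followed (passed as the
 *           tap data by follow_ssl_stream_cb()).
 * pinfo   - packet info of the packet that was just dissected.
 * edt     - unused.
 * ssl     - the SSL protocol id, carried through the tap's data pointer as
 *           an integer.
 *
 * Returns 0 in all cases.
 *
 * The queued SslDecryptedRecord (header and payload in one allocation)
 * belongs to follow_info->payload; it is not freed in this file's visible
 * code, presumably when the payload list is torn down.
 */
static int
ssl_queue_packet_data(void *tapdata, packet_info *pinfo, epan_dissect_t *edt _U_, const void *ssl)
{
    follow_info_t *follow_info = tapdata;
    SslDecryptedRecord *rec;
    SslDataInfo *appl_data;
    guint total_len;
    guchar *p;
    int proto_ssl = (long) ssl;   /* undo the integer-as-pointer cast done when the tap was set up */
    SslPacketInfo *pi = p_get_proto_data(pinfo->fd, proto_ssl);

    /* skip packets without a decrypted data payload */
    if (!pi || !pi->appl_data)
        return 0;

    /* total length of all application-data records in this packet; kept
     * unsigned like the data_len fields it sums, so the size handed to
     * g_malloc() below can never be a sign-extended negative value */
    total_len = 0;
    for (appl_data = pi->appl_data; appl_data; appl_data = appl_data->next)
        total_len += appl_data->plain_data.data_len;

    /* one allocation for the record header and its payload */
    rec = g_malloc(sizeof *rec + total_len);

    /* compute packet direction: the first packet with decrypted data that
     * reaches this tap defines the client side */
    if (follow_info->client_port == 0) {
        follow_info->client_port = pinfo->srcport;
        COPY_ADDRESS(&follow_info->client_ip, &pinfo->src);
    }
    if (ADDRESSES_EQUAL(&follow_info->client_ip, &pinfo->src) &&
        follow_info->client_port == pinfo->srcport)
        rec->is_server = 0;
    else
        rec->is_server = 1;

    /* update stream counter (index 0 = client bytes, 1 = server bytes) */
    follow_info->bytes_written[rec->is_server] += total_len;

    /* extract decrypted data and queue it locally */
    rec->data.data = (guchar *)(rec + 1);
    rec->data.data_len = total_len;
    p = rec->data.data;
    for (appl_data = pi->appl_data; appl_data; appl_data = appl_data->next) {
        memcpy(p, appl_data->plain_data.data, appl_data->plain_data.data_len);
        p += appl_data->plain_data.data_len;
    }
    follow_info->payload = g_list_append(follow_info->payload, rec);

    return 0;
}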
/* Defined outside this file (declared here instead of in a header).
 * Used below to verify that the selected packet's dissection contains
 * SSL before attempting to follow the stream. */
extern gboolean
packet_is_ssl(epan_dissect_t* edt);
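/* Follow the SSL stream, if any, to which the last packet that we called
   a dissection routine on belongs (this might be the most recently
   selected packet, or it might be the last packet in the file).

   Menu/toolbar callback; both parameters are unused.

   The decrypted payload is collected by ssl_queue_packet_data() through a
   temporary "ssl" tap listener while the follow filter is applied, and the
   result is handed to follow_stream().  follow_info is freed on every error
   path before that hand-over; after it, it is not freed here (presumably
   owned by whatever follow_stream() creates). */
void
follow_ssl_stream_cb(GtkWidget * w _U_, gpointer data _U_)
{
    GtkWidget *filter_te, *filter_cm;
    gchar *follow_filter;
    const gchar *previous_filter;
    int filter_out_filter_len, previous_filter_len;
    const char *hostname0, *hostname1;
    char *port0, *port1;
    const char *first_host, *first_port, *second_host, *second_port;
    gchar *server_to_client_string = NULL;
    gchar *client_to_server_string = NULL;
    gchar *both_directions_string = NULL;
    follow_stats_t stats;
    follow_info_t *follow_info;
    GString *msg;

    /* we got ssl so we can follow */
    if (!packet_is_ssl(cfile.edt)) {
        simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
                      "Error following stream. Please make\n"
                      "sure you have an SSL packet selected.");
        return;
    }

    follow_info = g_new0(follow_info_t, 1);
    follow_info->follow_type = FOLLOW_SSL;

    /* Create a new filter that matches all packets in the SSL stream,
       and set the display filter entry accordingly */
    reset_tcp_reassembly();
    follow_filter = build_follow_filter(&cfile.edt->pi);
    if (!follow_filter) {
        simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
                      "Error creating filter for this stream.\n"
                      "A network layer header is needed");
        g_free(follow_info);
        return;
    }

    /* Set the display filter entry accordingly */
    filter_cm = g_object_get_data(G_OBJECT(top_level), E_DFILTER_CM_KEY);
    filter_te = gtk_bin_get_child(GTK_BIN(filter_cm));

    /* needed in follow_filter_out_stream(), is there a better way? */
    follow_info->filter_te = filter_te;

    /* save previous filter, const since we're not supposed to alter */
    previous_filter = gtk_entry_get_text(GTK_ENTRY(filter_te));

    /* allocate our new filter. API claims g_malloc terminates program on failure */
    /* the decoration added below is at most " and !(" + ")" + NUL on top of
       the two filter lengths; 16 leaves a few bytes of slack */
    previous_filter_len = previous_filter ? (int)strlen(previous_filter) : 0;
    filter_out_filter_len = (int)strlen(follow_filter) + previous_filter_len + 16;
    follow_info->filter_out_filter = (gchar *)g_malloc(filter_out_filter_len);

    /* append the negation: the "filter out" filter keeps whatever the user
       had and excludes this stream */
    if (previous_filter_len) {
        g_snprintf(follow_info->filter_out_filter, filter_out_filter_len,
                   "%s and !(%s)", previous_filter, follow_filter);
    } else {
        g_snprintf(follow_info->filter_out_filter, filter_out_filter_len,
                   "!(%s)", follow_filter);
    }

    /* data will be passed via tap callback */
    msg = register_tap_listener("ssl", follow_info, follow_filter, 0,
                                NULL, ssl_queue_packet_data, NULL);
    if (msg) {
        /* msg->str is a %s argument, never the format string itself */
        simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
                      "Can't register ssl tap: %s\n", msg->str);
        g_free(follow_info->filter_out_filter);
        g_free(follow_info);
        g_free(follow_filter);
        /* the error GString returned by register_tap_listener() is ours to free */
        g_string_free(msg, TRUE);
        return;
    }

    gtk_entry_set_text(GTK_ENTRY(filter_te), follow_filter);

    /* Run the display filter so it goes in effect - even if it's the
       same as the previous display filter. */
    main_filter_packets(&cfile, follow_filter, TRUE);

    /* Free the filter string, as we're done with it. */
    g_free(follow_filter);

    remove_tap_listener(follow_info);

    /* Stream to show */
    follow_stats(&stats);

    if (stats.is_ipv6) {
        struct e_in6_addr ipaddr;
        memcpy(&ipaddr, stats.ip_address[0], 16);
        hostname0 = get_hostname6(&ipaddr);
        /* the second endpoint is ip_address[1], as in the IPv4 branch; this
           used to copy ip_address[0] twice, so both ends got the first name */
        memcpy(&ipaddr, stats.ip_address[1], 16);
        hostname1 = get_hostname6(&ipaddr);
    } else {
        guint32 ipaddr;
        memcpy(&ipaddr, stats.ip_address[0], 4);
        hostname0 = get_hostname(ipaddr);
        memcpy(&ipaddr, stats.ip_address[1], 4);
        hostname1 = get_hostname(ipaddr);
    }

    port0 = get_tcp_port(stats.port[0]);
    port1 = get_tcp_port(stats.port[1]);

    follow_info->is_ipv6 = stats.is_ipv6;

    /* Both Stream Directions */
    both_directions_string = g_strdup_printf("Entire conversation (%u bytes)", follow_info->bytes_written[0] + follow_info->bytes_written[1]);

    /* Order the endpoints so that the client (as decided by
       ssl_queue_packet_data()) comes first; the two direction strings are
       the same format with the endpoints swapped.  bytes_written[0] counts
       bytes sent by the client, bytes_written[1] bytes sent by the server.
       NOTE(review): the variable names look inverted relative to what they
       hold (server_to_client_string lists the client first and carries the
       client's byte count); they are kept as-is so the follow_stream()
       argument order is unchanged -- confirm against follow_stream(). */
    if (follow_info->client_port == stats.port[0]) {
        first_host = hostname0;
        first_port = port0;
        second_host = hostname1;
        second_port = port1;
    } else {
        first_host = hostname1;
        first_port = port1;
        second_host = hostname0;
        second_port = port0;
    }
    server_to_client_string =
        g_strdup_printf("%s:%s " UTF8_RIGHTWARDS_ARROW " %s:%s (%u bytes)",
                        first_host, first_port,
                        second_host, second_port,
                        follow_info->bytes_written[0]);
    client_to_server_string =
        g_strdup_printf("%s:%s " UTF8_RIGHTWARDS_ARROW " %s:%s (%u bytes)",
                        second_host, second_port,
                        first_host, first_port,
                        follow_info->bytes_written[1]);

    follow_stream("Follow SSL Stream", follow_info, both_directions_string,
                  server_to_client_string, client_to_server_string);

    g_free(both_directions_string);
    g_free(server_to_client_string);
    g_free(client_to_server_string);
}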
#define FLT_BUF_SIZE 1024   /* not referenced by any function shown in this file */
/*
 * XXX - the routine pointed to by "print_line_fcn_p" doesn't get handed lines,
 * it gets handed bufferfuls.  That's fine for "follow_write_raw()"
 * and "follow_add_to_gtk_text()", but, as "follow_print_text()" calls
 * the "print_line()" routine from "print.c", and as that routine might
 * genuinely expect to be handed a line (if, for example, it's using
 * some OS or desktop environment's printing API, and that API expects
 * to be handed lines), "follow_print_text()" should probably accumulate
 * lines in a buffer and hand them "print_line()".  (If there's a
 * complete line in a buffer - i.e., there's nothing of the line in
 * the previous buffer or the next buffer - it can just hand that to
 * "print_line()" after filtering out non-printables, as an
 * optimization.)
 *
 * This might or might not be the reason why C arrays display
 * correctly but get extra blank lines very other line when printed.
 */
/*
 * Hand the queued decrypted payload of follow_info, record by record, to
 * print_line_fcn_p via follow_show(), honouring follow_info->show_stream.
 *
 * follow_info      - stream state filled in by ssl_queue_packet_data().
 * print_line_fcn_p - output routine, invoked through follow_show().
 * arg              - opaque argument passed through to print_line_fcn_p.
 *
 * Returns FRS_OK, or FRS_PRINT_ERROR as soon as follow_show() reports it.
 * Any other frs_return_t value from follow_show() does not stop the loop.
 */
frs_return_t
follow_read_ssl_stream(follow_info_t *follow_info,
                       gboolean (*print_line_fcn_p)(char *, size_t, gboolean, void *),
                       void *arg)
{
    guint32 client_pos = 0, server_pos = 0;
    guint32 server_packets = 0, client_packets = 0;
    GList *node;

    for (node = follow_info->payload; node != NULL; node = g_list_next(node)) {
        SslDecryptedRecord *rec = node->data;
        guint32 *pos;
        gboolean wanted;
        gchar *copy;
        size_t nchars;
        frs_return_t rc;

        /* pick the per-direction offset counter and decide whether this
           direction is being displayed at all */
        if (rec->is_server) {
            pos = &server_pos;
            wanted = (follow_info->show_stream != FROM_CLIENT);
        } else {
            pos = &client_pos;
            wanted = (follow_info->show_stream != FROM_SERVER);
        }
        if (!wanted)
            continue;

        /* follow_show() gets a private copy of the bytes, presumably because
           the print routine may alter its buffer; the queued record stays
           intact.  The (guint) cast matches g_memdup()'s size parameter;
           nchars comes from the record's data_len, assumed to be a guint. */
        nchars = rec->data.data_len;
        copy = g_memdup(rec->data.data, (guint) nchars);
        rc = follow_show(follow_info, print_line_fcn_p, copy, nchars,
                         rec->is_server, arg, pos,
                         &server_packets, &client_packets);
        g_free(copy);
        if (rc == FRS_PRINT_ERROR)
            return rc;
    }

    return FRS_OK;
}