2 * Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * $OpenBSD: pf_osfp.c,v 1.14 2008/06/12 18:17:01 henning Exp $
19 #include <sys/cdefs.h>
20 __FBSDID("$FreeBSD$");
22 #include <sys/param.h>
23 #include <sys/kernel.h>
24 #include <sys/socket.h>
26 #include <netinet/in.h>
27 #include <netinet/ip.h>
28 #include <netinet/tcp.h>
31 #include <net/pfvar.h>
33 #include <netinet/ip6.h>
34 #include <netinet6/in6_var.h>
36 static MALLOC_DEFINE(M_PFOSFP, "pf_osfp", "pf(4) operating system fingerprints");
37 #define DPFPRINTF(format, x...) \
38 if (V_pf_status.debug >= PF_DEBUG_NOISY) \
41 SLIST_HEAD(pf_osfp_list, pf_os_fingerprint);
42 static VNET_DEFINE(struct pf_osfp_list, pf_osfp_list) =
43 SLIST_HEAD_INITIALIZER();
44 #define V_pf_osfp_list VNET(pf_osfp_list)
46 static struct pf_osfp_enlist *pf_osfp_fingerprint_hdr(const struct ip *,
47 const struct ip6_hdr *,
48 const struct tcphdr *);
49 static struct pf_os_fingerprint *pf_osfp_find(struct pf_osfp_list *,
50 struct pf_os_fingerprint *, u_int8_t);
51 static struct pf_os_fingerprint *pf_osfp_find_exact(struct pf_osfp_list *,
52 struct pf_os_fingerprint *);
53 static void pf_osfp_insert(struct pf_osfp_list *,
54 struct pf_os_fingerprint *);
56 static struct pf_os_fingerprint *pf_osfp_validate(void);
60 * Passively fingerprint the OS of the host (IPv4 TCP SYN packets only)
61 * Returns the list of possible OSes.
63 struct pf_osfp_enlist *
64 pf_osfp_fingerprint(struct pf_pdesc *pd, struct mbuf *m, int off,
65 const struct tcphdr *tcp)
71 if ((pd->af != PF_INET && pd->af != PF_INET6) ||
72 pd->proto != IPPROTO_TCP || (tcp->th_off << 2) < sizeof(*tcp))
75 if (pd->af == PF_INET) {
76 ip = mtod(m, struct ip *);
77 ip6 = (struct ip6_hdr *)NULL;
79 ip = (struct ip *)NULL;
80 ip6 = mtod(m, struct ip6_hdr *);
82 if (!pf_pull_hdr(m, off, hdr, tcp->th_off << 2, NULL, NULL,
83 pd->af)) return (NULL);
85 return (pf_osfp_fingerprint_hdr(ip, ip6, (struct tcphdr *)hdr));
88 static struct pf_osfp_enlist *
89 pf_osfp_fingerprint_hdr(const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcp)
91 struct pf_os_fingerprint fp, *fpresult;
96 if ((tcp->th_flags & (TH_SYN|TH_ACK)) != TH_SYN)
99 if ((ip->ip_off & htons(IP_OFFMASK)) != 0)
103 memset(&fp, 0, sizeof(fp));
106 fp.fp_psize = ntohs(ip->ip_len);
107 fp.fp_ttl = ip->ip_ttl;
108 if (ip->ip_off & htons(IP_DF))
109 fp.fp_flags |= PF_OSFP_DF;
110 strlcpy(srcname, inet_ntoa(ip->ip_src), sizeof(srcname));
115 fp.fp_psize = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
116 fp.fp_ttl = ip6->ip6_hlim;
117 fp.fp_flags |= PF_OSFP_DF;
118 fp.fp_flags |= PF_OSFP_INET6;
119 strlcpy(srcname, ip6_sprintf((struct in6_addr *)&ip6->ip6_src),
125 fp.fp_wsize = ntohs(tcp->th_win);
128 cnt = (tcp->th_off << 2) - sizeof(*tcp);
129 optp = (const u_int8_t *)((const char *)tcp + sizeof(*tcp));
130 for (; cnt > 0; cnt -= optlen, optp += optlen) {
131 if (*optp == TCPOPT_EOL)
135 if (*optp == TCPOPT_NOP) {
136 fp.fp_tcpopts = (fp.fp_tcpopts << PF_OSFP_TCPOPT_BITS) |
143 if (optlen > cnt || optlen < 2)
147 if (optlen >= TCPOLEN_MAXSEG)
148 memcpy(&fp.fp_mss, &optp[2],
150 fp.fp_tcpopts = (fp.fp_tcpopts <<
151 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_MSS;
155 if (optlen >= TCPOLEN_WINDOW)
156 memcpy(&fp.fp_wscale, &optp[2],
157 sizeof(fp.fp_wscale));
159 fp.fp_tcpopts = (fp.fp_tcpopts <<
160 PF_OSFP_TCPOPT_BITS) |
161 PF_OSFP_TCPOPT_WSCALE;
163 case TCPOPT_SACK_PERMITTED:
164 fp.fp_tcpopts = (fp.fp_tcpopts <<
165 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_SACK;
167 case TCPOPT_TIMESTAMP:
168 if (optlen >= TCPOLEN_TIMESTAMP) {
170 memcpy(&ts, &optp[2], sizeof(ts));
172 fp.fp_flags |= PF_OSFP_TS0;
175 fp.fp_tcpopts = (fp.fp_tcpopts <<
176 PF_OSFP_TCPOPT_BITS) | PF_OSFP_TCPOPT_TS;
182 optlen = MAX(optlen, 1); /* paranoia */
185 DPFPRINTF("fingerprinted %s:%d %d:%d:%d:%d:%llx (%d) "
186 "(TS=%s,M=%s%d,W=%s%d)\n",
187 srcname, ntohs(tcp->th_sport),
188 fp.fp_wsize, fp.fp_ttl, (fp.fp_flags & PF_OSFP_DF) != 0,
189 fp.fp_psize, (long long int)fp.fp_tcpopts, fp.fp_optcnt,
190 (fp.fp_flags & PF_OSFP_TS0) ? "0" : "",
191 (fp.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
192 (fp.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
194 (fp.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
195 (fp.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
198 if ((fpresult = pf_osfp_find(&V_pf_osfp_list, &fp,
199 PF_OSFP_MAXTTL_OFFSET)))
200 return (&fpresult->fp_oses);
204 /* Match a fingerprint ID against a list of OSes */
206 pf_osfp_match(struct pf_osfp_enlist *list, pf_osfp_t os)
208 struct pf_osfp_entry *entry;
209 int os_class, os_version, os_subtype;
210 int en_class, en_version, en_subtype;
212 if (os == PF_OSFP_ANY)
215 DPFPRINTF("osfp no match against %x\n", os);
216 return (os == PF_OSFP_UNKNOWN);
218 PF_OSFP_UNPACK(os, os_class, os_version, os_subtype);
219 SLIST_FOREACH(entry, list, fp_entry) {
220 PF_OSFP_UNPACK(entry->fp_os, en_class, en_version, en_subtype);
221 if ((os_class == PF_OSFP_ANY || en_class == os_class) &&
222 (os_version == PF_OSFP_ANY || en_version == os_version) &&
223 (os_subtype == PF_OSFP_ANY || en_subtype == os_subtype)) {
224 DPFPRINTF("osfp matched %s %s %s %x==%x\n",
225 entry->fp_class_nm, entry->fp_version_nm,
226 entry->fp_subtype_nm, os, entry->fp_os);
230 DPFPRINTF("fingerprint 0x%x didn't match\n", os);
234 /* Flush the fingerprint list */
238 struct pf_os_fingerprint *fp;
239 struct pf_osfp_entry *entry;
241 while ((fp = SLIST_FIRST(&V_pf_osfp_list))) {
242 SLIST_REMOVE_HEAD(&V_pf_osfp_list, fp_next);
243 while ((entry = SLIST_FIRST(&fp->fp_oses))) {
244 SLIST_REMOVE_HEAD(&fp->fp_oses, fp_entry);
245 free(entry, M_PFOSFP);
252 /* Add a fingerprint */
254 pf_osfp_add(struct pf_osfp_ioctl *fpioc)
256 struct pf_os_fingerprint *fp, fpadd;
257 struct pf_osfp_entry *entry;
261 memset(&fpadd, 0, sizeof(fpadd));
262 fpadd.fp_tcpopts = fpioc->fp_tcpopts;
263 fpadd.fp_wsize = fpioc->fp_wsize;
264 fpadd.fp_psize = fpioc->fp_psize;
265 fpadd.fp_mss = fpioc->fp_mss;
266 fpadd.fp_flags = fpioc->fp_flags;
267 fpadd.fp_optcnt = fpioc->fp_optcnt;
268 fpadd.fp_wscale = fpioc->fp_wscale;
269 fpadd.fp_ttl = fpioc->fp_ttl;
271 #if 0 /* XXX RYAN wants to fix logging */
272 DPFPRINTF("adding osfp %s %s %s = %s%d:%d:%d:%s%d:0x%llx %d "
273 "(TS=%s,M=%s%d,W=%s%d) %x\n",
274 fpioc->fp_os.fp_class_nm, fpioc->fp_os.fp_version_nm,
275 fpioc->fp_os.fp_subtype_nm,
276 (fpadd.fp_flags & PF_OSFP_WSIZE_MOD) ? "%" :
277 (fpadd.fp_flags & PF_OSFP_WSIZE_MSS) ? "S" :
278 (fpadd.fp_flags & PF_OSFP_WSIZE_MTU) ? "T" :
279 (fpadd.fp_flags & PF_OSFP_WSIZE_DC) ? "*" : "",
282 (fpadd.fp_flags & PF_OSFP_DF) ? 1 : 0,
283 (fpadd.fp_flags & PF_OSFP_PSIZE_MOD) ? "%" :
284 (fpadd.fp_flags & PF_OSFP_PSIZE_DC) ? "*" : "",
286 (long long int)fpadd.fp_tcpopts, fpadd.fp_optcnt,
287 (fpadd.fp_flags & PF_OSFP_TS0) ? "0" : "",
288 (fpadd.fp_flags & PF_OSFP_MSS_MOD) ? "%" :
289 (fpadd.fp_flags & PF_OSFP_MSS_DC) ? "*" : "",
291 (fpadd.fp_flags & PF_OSFP_WSCALE_MOD) ? "%" :
292 (fpadd.fp_flags & PF_OSFP_WSCALE_DC) ? "*" : "",
297 if ((fp = pf_osfp_find_exact(&V_pf_osfp_list, &fpadd))) {
298 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
299 if (PF_OSFP_ENTRY_EQ(entry, &fpioc->fp_os))
302 if ((entry = malloc(sizeof(*entry), M_PFOSFP, M_NOWAIT))
306 if ((fp = malloc(sizeof(*fp), M_PFOSFP, M_ZERO | M_NOWAIT))
309 fp->fp_tcpopts = fpioc->fp_tcpopts;
310 fp->fp_wsize = fpioc->fp_wsize;
311 fp->fp_psize = fpioc->fp_psize;
312 fp->fp_mss = fpioc->fp_mss;
313 fp->fp_flags = fpioc->fp_flags;
314 fp->fp_optcnt = fpioc->fp_optcnt;
315 fp->fp_wscale = fpioc->fp_wscale;
316 fp->fp_ttl = fpioc->fp_ttl;
317 SLIST_INIT(&fp->fp_oses);
318 if ((entry = malloc(sizeof(*entry), M_PFOSFP, M_NOWAIT))
323 pf_osfp_insert(&V_pf_osfp_list, fp);
325 memcpy(entry, &fpioc->fp_os, sizeof(*entry));
327 /* Make sure the strings are NUL terminated */
328 entry->fp_class_nm[sizeof(entry->fp_class_nm)-1] = '\0';
329 entry->fp_version_nm[sizeof(entry->fp_version_nm)-1] = '\0';
330 entry->fp_subtype_nm[sizeof(entry->fp_subtype_nm)-1] = '\0';
332 SLIST_INSERT_HEAD(&fp->fp_oses, entry, fp_entry);
335 if ((fp = pf_osfp_validate()))
336 printf("Invalid fingerprint list\n");
342 /* Find a fingerprint in the list */
343 static struct pf_os_fingerprint *
344 pf_osfp_find(struct pf_osfp_list *list, struct pf_os_fingerprint *find,
347 struct pf_os_fingerprint *f;
349 #define MATCH_INT(_MOD, _DC, _field) \
350 if ((f->fp_flags & _DC) == 0) { \
351 if ((f->fp_flags & _MOD) == 0) { \
352 if (f->_field != find->_field) \
355 if (f->_field == 0 || find->_field % f->_field) \
360 SLIST_FOREACH(f, list, fp_next) {
361 if (f->fp_tcpopts != find->fp_tcpopts ||
362 f->fp_optcnt != find->fp_optcnt ||
363 f->fp_ttl < find->fp_ttl ||
364 f->fp_ttl - find->fp_ttl > ttldiff ||
365 (f->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)) !=
366 (find->fp_flags & (PF_OSFP_DF|PF_OSFP_TS0)))
369 MATCH_INT(PF_OSFP_PSIZE_MOD, PF_OSFP_PSIZE_DC, fp_psize)
370 MATCH_INT(PF_OSFP_MSS_MOD, PF_OSFP_MSS_DC, fp_mss)
371 MATCH_INT(PF_OSFP_WSCALE_MOD, PF_OSFP_WSCALE_DC, fp_wscale)
372 if ((f->fp_flags & PF_OSFP_WSIZE_DC) == 0) {
373 if (f->fp_flags & PF_OSFP_WSIZE_MSS) {
374 if (find->fp_mss == 0)
378 * Some "smart" NAT devices and DSL routers will tweak the MSS size and
379 * will set it to whatever is suitable for the link type.
381 #define SMART_MSS 1460
382 if ((find->fp_wsize % find->fp_mss ||
383 find->fp_wsize / find->fp_mss !=
385 (find->fp_wsize % SMART_MSS ||
386 find->fp_wsize / SMART_MSS !=
389 } else if (f->fp_flags & PF_OSFP_WSIZE_MTU) {
390 if (find->fp_mss == 0)
393 #define MTUOFF (sizeof(struct ip) + sizeof(struct tcphdr))
394 #define SMART_MTU (SMART_MSS + MTUOFF)
395 if ((find->fp_wsize % (find->fp_mss + MTUOFF) ||
396 find->fp_wsize / (find->fp_mss + MTUOFF) !=
398 (find->fp_wsize % SMART_MTU ||
399 find->fp_wsize / SMART_MTU !=
402 } else if (f->fp_flags & PF_OSFP_WSIZE_MOD) {
403 if (f->fp_wsize == 0 || find->fp_wsize %
407 if (f->fp_wsize != find->fp_wsize)
417 /* Find an exact fingerprint in the list */
418 static struct pf_os_fingerprint *
419 pf_osfp_find_exact(struct pf_osfp_list *list, struct pf_os_fingerprint *find)
421 struct pf_os_fingerprint *f;
423 SLIST_FOREACH(f, list, fp_next) {
424 if (f->fp_tcpopts == find->fp_tcpopts &&
425 f->fp_wsize == find->fp_wsize &&
426 f->fp_psize == find->fp_psize &&
427 f->fp_mss == find->fp_mss &&
428 f->fp_flags == find->fp_flags &&
429 f->fp_optcnt == find->fp_optcnt &&
430 f->fp_wscale == find->fp_wscale &&
431 f->fp_ttl == find->fp_ttl)
438 /* Insert a fingerprint into the list */
440 pf_osfp_insert(struct pf_osfp_list *list, struct pf_os_fingerprint *ins)
442 struct pf_os_fingerprint *f, *prev = NULL;
444 /* XXX need to go semi tree based. can key on tcp options */
446 SLIST_FOREACH(f, list, fp_next)
449 SLIST_INSERT_AFTER(prev, ins, fp_next);
451 SLIST_INSERT_HEAD(list, ins, fp_next);
454 /* Fill a fingerprint by its number (from an ioctl) */
456 pf_osfp_get(struct pf_osfp_ioctl *fpioc)
458 struct pf_os_fingerprint *fp;
459 struct pf_osfp_entry *entry;
460 int num = fpioc->fp_getnum;
464 memset(fpioc, 0, sizeof(*fpioc));
465 SLIST_FOREACH(fp, &V_pf_osfp_list, fp_next) {
466 SLIST_FOREACH(entry, &fp->fp_oses, fp_entry) {
468 fpioc->fp_mss = fp->fp_mss;
469 fpioc->fp_wsize = fp->fp_wsize;
470 fpioc->fp_flags = fp->fp_flags;
471 fpioc->fp_psize = fp->fp_psize;
472 fpioc->fp_ttl = fp->fp_ttl;
473 fpioc->fp_wscale = fp->fp_wscale;
474 fpioc->fp_getnum = num;
475 memcpy(&fpioc->fp_os, entry,
476 sizeof(fpioc->fp_os));
487 /* Validate that each signature is reachable */
488 static struct pf_os_fingerprint *
489 pf_osfp_validate(void)
491 struct pf_os_fingerprint *f, *f2, find;
493 SLIST_FOREACH(f, &V_pf_osfp_list, fp_next) {
494 memcpy(&find, f, sizeof(find));
496 /* We do a few MSS/th_win percolations to make things unique */
497 if (find.fp_mss == 0)
499 if (f->fp_flags & PF_OSFP_WSIZE_MSS)
500 find.fp_wsize *= find.fp_mss;
501 else if (f->fp_flags & PF_OSFP_WSIZE_MTU)
502 find.fp_wsize *= (find.fp_mss + 40);
503 else if (f->fp_flags & PF_OSFP_WSIZE_MOD)
505 if (f != (f2 = pf_osfp_find(&V_pf_osfp_list, &find, 0))) {
507 printf("Found \"%s %s %s\" instead of "
509 SLIST_FIRST(&f2->fp_oses)->fp_class_nm,
510 SLIST_FIRST(&f2->fp_oses)->fp_version_nm,
511 SLIST_FIRST(&f2->fp_oses)->fp_subtype_nm,
512 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
513 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
514 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);
516 printf("Couldn't find \"%s %s %s\"\n",
517 SLIST_FIRST(&f->fp_oses)->fp_class_nm,
518 SLIST_FIRST(&f->fp_oses)->fp_version_nm,
519 SLIST_FIRST(&f->fp_oses)->fp_subtype_nm);