1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
|
#define _GNU_SOURCE
#include "libtrace.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <getopt.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>
#include "ipenc.h"
static void usage(char *argv0)
{
fprintf(stderr,"Usage:\n"
"%s flags inputfile outputfile\n"
"-s --encrypt-source Encrypt the source addresses\n"
"-d --encrypt-dest Encrypt the destination addresses\n"
"-c --cryptopan=key Encrypt the addresses with the cryptopan\n"
" prefix preserving\n"
"-f --keyfile=file A file containing the cryptopan key\n"
"-p --prefix=C.I.D.R/bits Substitute the prefix of the address\n"
"-H --libtrace-help Print libtrace runtime documentation\n"
"-z --compress-level Compress the output trace at the specified level\n"
"-Z --compress-type Compress the output trace using the specified"
" compression algorithm\n"
,argv0);
exit(1);
}
/* Incrementally update a checksum */
static void update_in_cksum(uint16_t *csum, uint16_t old, uint16_t new)
{
uint32_t sum = (~htons(*csum) & 0xFFFF)
+ (~htons(old) & 0xFFFF)
+ htons(new);
sum = (sum & 0xFFFF) + (sum >> 16);
*csum = htons(~(sum + (sum >> 16)));
}
static void update_in_cksum32(uint16_t *csum, uint32_t old, uint32_t new)
{
update_in_cksum(csum,(uint16_t)(old>>16),(uint16_t)(new>>16));
update_in_cksum(csum,(uint16_t)(old&0xFFFF),(uint16_t)(new&0xFFFF));
}
/* Ok this is remarkably complicated
*
* We want to change one, or the other IP address, while preserving
* the checksum. TCP and UDP both include the faux header in their
* checksum calculations, so you have to update them too. ICMP is
* even worse -- it can include the original IP packet that caused the
* error! So anonymise that too, but remember that it's travelling in
* the opposite direction so we need to encrypt the destination and
* source instead of the source and destination!
*/
static void encrypt_ips(struct libtrace_ip *ip,bool enc_source,bool enc_dest)
{
struct libtrace_tcp *tcp;
struct libtrace_udp *udp;
struct libtrace_icmp *icmp;
tcp=trace_get_tcp_from_ip(ip,NULL);
udp=trace_get_udp_from_ip(ip,NULL);
icmp=trace_get_icmp_from_ip(ip,NULL);
if (enc_source) {
uint32_t old_ip=ip->ip_src.s_addr;
uint32_t new_ip=htonl(enc_ip(
htonl(ip->ip_src.s_addr)
));
update_in_cksum32(&ip->ip_sum,old_ip,new_ip);
if (tcp) update_in_cksum32(&tcp->check,old_ip,new_ip);
if (udp) update_in_cksum32(&udp->check,old_ip,new_ip);
ip->ip_src.s_addr = new_ip;
}
if (enc_dest) {
uint32_t old_ip=ip->ip_dst.s_addr;
uint32_t new_ip=htonl(enc_ip(
htonl(ip->ip_dst.s_addr)
));
update_in_cksum32(&ip->ip_sum,old_ip,new_ip);
if (tcp) update_in_cksum32(&tcp->check,old_ip,new_ip);
if (udp) update_in_cksum32(&udp->check,old_ip,new_ip);
ip->ip_dst.s_addr = new_ip;
}
if (icmp) {
/* These are error codes that return the IP packet
* internally
*/
if (icmp->type == 3
|| icmp->type == 5
|| icmp->type == 11) {
char *ptr = (char *)icmp;
encrypt_ips(
(struct libtrace_ip*)(ptr+
sizeof(struct libtrace_icmp)),
enc_dest,
enc_source);
}
if (enc_source || enc_dest)
icmp->checksum = 0;
}
}
int main(int argc, char *argv[])
{
enum enc_type_t enc_type = ENC_NONE;
char *key = NULL;
struct libtrace_t *trace = 0;
struct libtrace_packet_t *packet = trace_create_packet();
struct libtrace_out_t *writer = 0;
bool enc_source = false;
bool enc_dest = false;
char *output = 0;
int level = -1;
char *compress_type_str=NULL;
trace_option_compresstype_t compress_type = TRACE_OPTION_COMPRESSTYPE_NONE;
if (argc<2)
usage(argv[0]);
while (1) {
int option_index;
struct option long_options[] = {
{ "encrypt-source", 0, 0, 's' },
{ "encrypt-dest", 0, 0, 'd' },
{ "cryptopan", 1, 0, 'c' },
{ "cryptopan-file", 1, 0, 'f' },
{ "prefix", 1, 0, 'p' },
{ "compress-level", 1, 0, 'z' },
{ "compress-type", 1, 0, 'Z' },
{ "libtrace-help", 0, 0, 'H' },
{ NULL, 0, 0, 0 },
};
int c=getopt_long(argc, argv, "Z:z:sc:f:dp:H",
long_options, &option_index);
if (c==-1)
break;
switch (c) {
case 'Z': compress_type_str=optarg; break;
case 'z': level = atoi(optarg); break;
case 's': enc_source=true; break;
case 'd': enc_dest =true; break;
case 'c':
if (key!=NULL) {
fprintf(stderr,"You can only have one encryption type and one key\n");
usage(argv[0]);
}
key=strdup(optarg);
enc_type = ENC_CRYPTOPAN;
break;
case 'f':
if(key != NULL) {
fprintf(stderr,"You can only have one encryption type and one key\n");
usage(argv[0]);
}
FILE * infile = fopen(optarg,"rb");
if(infile == NULL) {
perror("Failed to open cryptopan keyfile");
return 1;
}
key = (char *) malloc(sizeof(char *) * 32);
if(fread(key,1,32,infile) != 32) {
if(ferror(infile)) {
perror("Failed while reading cryptopan keyfile");
}
}
fclose(infile);
enc_type = ENC_CRYPTOPAN;
break;
case 'p':
if (key!=NULL) {
fprintf(stderr,"You can only have one encryption type and one key\n");
usage(argv[0]);
}
key=strdup(optarg);
enc_type = ENC_PREFIX_SUBSTITUTION;
break;
case 'H':
trace_help();
exit(1);
break;
default:
fprintf(stderr,"unknown option: %c\n",c);
usage(argv[0]);
}
}
if (compress_type_str == NULL && level >= 0) {
fprintf(stderr, "Compression level set, but no compression type was defined, setting to gzip\n");
compress_type = TRACE_OPTION_COMPRESSTYPE_ZLIB;
}
else if (compress_type_str == NULL) {
/* If a level or type is not specified, use the "none"
* compression module */
compress_type = TRACE_OPTION_COMPRESSTYPE_NONE;
}
/* I decided to be fairly generous in what I accept for the
* compression type string */
else if (strncmp(compress_type_str, "gz", 2) == 0 ||
strncmp(compress_type_str, "zlib", 4) == 0) {
compress_type = TRACE_OPTION_COMPRESSTYPE_ZLIB;
} else if (strncmp(compress_type_str, "bz", 2) == 0) {
compress_type = TRACE_OPTION_COMPRESSTYPE_BZ2;
} else if (strncmp(compress_type_str, "lzo", 3) == 0) {
compress_type = TRACE_OPTION_COMPRESSTYPE_LZO;
} else if (strncmp(compress_type_str, "xz", 2) == 0) {
compress_type = TRACE_OPTION_COMPRESSTYPE_LZMA;
} else if (strncmp(compress_type_str, "no", 2) == 0) {
compress_type = TRACE_OPTION_COMPRESSTYPE_NONE;
} else {
fprintf(stderr, "Unknown compression type: %s\n",
compress_type_str);
return 1;
}
enc_init(enc_type,key);
/* open input uri */
trace = trace_create(argv[optind]);
if (trace_is_err(trace)) {
trace_perror(trace,"trace_create");
trace_destroy(trace);
return 1;
}
if (optind +1>= argc) {
/* no output specified, output in same format to
* stdout
*/
output = strdup("erf:-");
writer = trace_create_output(output);
} else {
writer = trace_create_output(argv[optind +1]);
}
if (trace_is_err_output(writer)) {
trace_perror_output(writer,"trace_create_output");
trace_destroy_output(writer);
trace_destroy(trace);
return 1;
}
/* Hopefully this will deal nicely with people who want to crank the
* compression level up to 11 :) */
if (level > 9) {
fprintf(stderr, "WARNING: Compression level > 9 specified, setting to 9 instead\n");
level = 9;
}
if (level >= 0 && trace_config_output(writer,
TRACE_OPTION_OUTPUT_COMPRESS, &level) == -1) {
trace_perror_output(writer, "Configuring compression level");
trace_destroy_output(writer);
trace_destroy(trace);
return 1;
}
if (trace_config_output(writer, TRACE_OPTION_OUTPUT_COMPRESSTYPE,
&compress_type) == -1) {
trace_perror_output(writer, "Configuring compression type");
trace_destroy_output(writer);
trace_destroy(trace);
return 1;
}
if (trace_start(trace)==-1) {
trace_perror(trace,"trace_start");
trace_destroy_output(writer);
trace_destroy(trace);
return 1;
}
if (trace_start_output(writer)==-1) {
trace_perror_output(writer,"trace_start_output");
trace_destroy_output(writer);
trace_destroy(trace);
return 1;
}
for(;;) {
struct libtrace_ip *ipptr;
libtrace_udp_t *udp = NULL;
libtrace_tcp_t *tcp = NULL;
int psize;
psize = trace_read_packet(trace, packet);
if (psize == 0) {
break;
}
if (psize < 0) {
trace_perror(trace,"read_packet");
break;
}
ipptr = trace_get_ip(packet);
if (ipptr && (enc_source || enc_dest)) {
encrypt_ips(ipptr,enc_source,enc_dest);
ipptr->ip_sum = 0;
}
/* Replace checksums so that IP encryption cannot be
* reversed */
/* XXX replace with nice use of trace_get_transport() */
udp = trace_get_udp(packet);
if (udp && (enc_source || enc_dest)) {
udp->check = 0;
}
tcp = trace_get_tcp(packet);
if (tcp && (enc_source || enc_dest)) {
tcp->check = 0;
}
/* TODO: Encrypt IP's in ARP packets */
if (trace_write_packet(writer,packet)==-1) {
trace_perror_output(writer,"writer");
break;
}
}
trace_destroy_packet(packet);
trace_destroy(trace);
trace_destroy_output(writer);
return 0;
}
|
