commit bc7435272a84dec0a3c865acf95fffb57e661c7b Author: Vinod Yegneswaran vinod@csl.sri.com Date: Fri Nov 11 05:20:14 2011 +0000
git-svn-id: svn+ssh://spartan.csl.sri.com/svn/private/DEFIANCE@137 a58ff0ac-194c-e011-a152-003048836090 --- src/steg/payloads.c | 241 ++++++++++++++++++++++++++++---------------------- src/steg/payloads.h | 2 +- src/steg/x_http.c | 2 +- src/steg/x_http2.c | 30 ++++--- 4 files changed, 153 insertions(+), 122 deletions(-)
diff --git a/src/steg/payloads.c b/src/steg/payloads.c
index a3e2f65..76bb213 100644
--- a/src/steg/payloads.c
+++ b/src/steg/payloads.c
@@ -387,28 +387,46 @@ int parse_client_headers(char* inbuf, char* outbuf, int len) {
int
-find_uri_type(char* buf) {
+find_uri_type(char* buf_orig, int buflen) {
char* uri;
- int uri_len;
char* ext;
- if (strncmp(buf, "GET", 3) != 0 && strncmp(buf, "POST", 4) != 0)
- return -1;
+ char* buf = malloc(buflen+1);
+ char* uri_end;
+
+
+ memcpy(buf, buf_orig, buflen);
+ buf[buflen] = 0;
- buf = strchr(buf, ' ') + 1;
- uri_len = strchr(buf, ' ') - buf;
- if (uri_len < 0) {
- fprintf(stderr, "buf = %sabc\n", buf);
- exit (-1);
+ if (strncmp(buf, "GET", 3) != 0
+ && strncmp(buf, "POST", 4) != 0) {
+ fprintf(stderr, "HERE %s\n", buf);
+ return -1;
+ }
+
+
+
+ uri = strchr(buf, ' ') + 1;
+ if (uri == NULL) {
+ fprintf(stderr, "Invalid URL\n");
+ return -1;
}
- uri = malloc(uri_len + 1);
+ uri_end = strchr(uri, ' ');
+
+ if (uri_end == NULL) {
+ fprintf(stderr, "unterminated uri\n");
+ return -1;
+ }
+
+ uri_end[0] = 0;
+
+
+
- strncpy(uri, buf, uri_len);
- uri[uri_len] = 0;
ext = strrchr(uri, '/');
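Review bot: The `if (uri == NULL)` test in find_uri_type can never fire, because `uri` is assigned `strchr(buf, ' ') + 1` — when strchr returns NULL the result is (char*)1 (arithmetic on a null pointer is undefined in any case), so a request line with no space goes on to call strchr(uri, ' ') through a bogus pointer. Test the strchr result before adding one: `char *sp = strchr(buf, ' ');` / `if (sp == NULL) { fprintf(stderr, "Invalid URL\n"); free(buf); return -1; }` / `uri = sp + 1;`. The other two `return -1` paths in this hunk likewise leave the malloc'd copy allocated, and the malloc result is passed to memcpy without a NULL check. The function's body continues past the end of the hunk.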
@@ -435,6 +453,9 @@ find_uri_type(char* buf) {
if (!strncmp(ext, ".swf", 4) || !strncmp(ext, ".SWF", 4)) return HTTP_CONTENT_SWF;
+
+
+ free(buf);
return -1;
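Review bot: `free(buf)` is reached only on the fall-through `return -1`; every successful exit of this function, such as the `return HTTP_CONTENT_SWF;` visible in this hunk, returns with the malloc'd copy still allocated, and find_client_payload (changed further down in this commit) calls find_uri_type repeatedly per candidate, so the leak grows with each lookup. Keep a result variable and a single exit: each match becomes `rv = HTTP_CONTENT_SWF; goto done;` and the function ends with `done: free(buf); return rv;`. The earlier part of the function, including the other extension checks, lies outside this hunk.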
}
@@ -503,9 +524,9 @@ unsigned int find_client_payload(char* buf, int len, int type) {
pentry_header* p = &payload_hdrs[r];
if (p->ptype == type) {
inbuf = payloads[r];
- if (find_uri_type(inbuf) != HTTP_CONTENT_SWF &&
- find_uri_type(inbuf) != HTTP_CONTENT_HTML &&
- find_uri_type(inbuf) != HTTP_CONTENT_JAVASCRIPT) {
+ if (find_uri_type(inbuf, p->length) != HTTP_CONTENT_SWF &&
+ find_uri_type(inbuf, p->length) != HTTP_CONTENT_HTML &&
+ find_uri_type(inbuf, p->length) != HTTP_CONTENT_JAVASCRIPT) {
goto next;
}
if (p->length > len) {
@@ -546,112 +567,111 @@ unsigned int find_client_payload(char* buf, int len, int type) {
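Review bot: find_uri_type is now called up to three times per candidate with identical arguments, and with this commit each call mallocs and copies p->length bytes (and, per the find_uri_type hunks above, frees the copy only on its final fall-through return). Call it once and compare the result: `int t = find_uri_type(inbuf, p->length);` / `if (t != HTTP_CONTENT_SWF && t != HTTP_CONTENT_HTML && t != HTTP_CONTENT_JAVASCRIPT) {`. I am assuming p->length is the byte count of payloads[r]; the loop head that defines r is outside the hunk.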
-/* int skipJSPattern(char *cp, int len) { */
-/* int i,j; */
+int skipJSPattern(char *cp, int len) {
+ int i,j;
-/* char keywords [21][10]= {"function", "return", "var", "int", "random", "Math", "while", */
-/* "else", "for", "document", "write", "writeln", "true", */
-/* "false", "True", "False", "window", "indexOf", "navigator", "case", "if"}; */
+ char keywords [21][10]= {"function", "return", "var", "int", "random", "Math", "while",
+ "else", "for", "document", "write", "writeln", "true",
+ "false", "True", "False", "window", "indexOf", "navigator", "case", "if"};
-/* return 0; */
-/* if (len < 1) return 0; */
+ if (len < 1) return 0;
-/* // change the limit to 21 to enable if as a keyword */
-/* for (i=0; i < 20; i++) { */
-/* char* word = keywords[i]; */
+ // change the limit to 21 to enable if as a keyword
+ for (i=0; i < 20; i++) {
+ char* word = keywords[i];
-/* if (len <= (int) strlen(word)) */
-/* continue; */
-
-/* if (word[0] != cp[0]) */
-/* continue; */
-
-/* for (j=1; j < (int) strlen(word); j++) { */
-/* if (isxdigit(word[j])) { */
-/* if (!isxdigit(cp[j])) */
-/* goto next_word; */
-/* else */
-/* continue; */
-/* } */
+ if (len <= (int) strlen(word))
+ continue;
+
+ if (word[0] != cp[0])
+ continue;
+
+ for (j=1; j < (int) strlen(word); j++) {
+ if (isxdigit(word[j])) {
+ if (!isxdigit(cp[j]))
+ goto next_word;
+ else
+ continue;
+ }
-/* if (cp[j] != word[j]) */
-/* goto next_word; */
-/* } */
-/* if (!isalnum(cp[j])) */
-/* return strlen(word)+1; */
+ if (cp[j] != word[j])
+ goto next_word;
+ }
+ if (!isalnum(cp[j]))
+ return strlen(word)+1;
-/* next_word: */
-/* continue; */
-/* } */
+ next_word:
+ continue;
+ }
-/* return 0; */
-/* } */
+ return 0;
+}
-int skipJSPattern (char *cp, int len) {
+/* int skipJSPattern (char *cp, int len) { */
- // log_debug("Turning off skipJSPattern for debugging");
- // return 0;
+/* // log_debug("Turning off skipJSPattern for debugging"); */
+/* // return 0; */
- if (len < 1) return 0;
+/* if (len < 1) return 0; */
- if (len > 8) {
- // "function " and "function("
- if (cp[0] == 'f' &&
- !strncmp(cp+1, "un", 2) &&
- isxdigit(cp[3]) &&
- !strncmp(cp+4, "tion", 4) &&
- (cp[8] == ' ' || cp[8] == '('))
- return 9;
- }
+/* if (len > 8) { */
+/* // "function " and "function(" */
+/* if (cp[0] == 'f' && */
+/* !strncmp(cp+1, "un", 2) && */
+/* isxdigit(cp[3]) && */
+/* !strncmp(cp+4, "tion", 4) && */
+/* (cp[8] == ' ' || cp[8] == '(')) */
+/* return 9; */
+/* } */
- if (len > 6) {
- // "return "
- if (cp[0] == 'r' &&
- isxdigit(cp[1]) &&
- !strncmp(cp+2, "turn ", 5))
- return 7;
- // "switch "
- if (cp[0] == 's' &&
- !strncmp(cp+1, "wit", 3) &&
- isxdigit(cp[4]) &&
- !strncmp(cp+5, "h ", 2))
- return 7;
- }
+/* if (len > 6) { */
+/* // "return " */
+/* if (cp[0] == 'r' && */
+/* isxdigit(cp[1]) && */
+/* !strncmp(cp+2, "turn ", 5)) */
+/* return 7; */
+/* // "switch " */
+/* if (cp[0] == 's' && */
+/* !strncmp(cp+1, "wit", 3) && */
+/* isxdigit(cp[4]) && */
+/* !strncmp(cp+5, "h ", 2)) */
+/* return 7; */
+/* } */
- if (len > 5) {
- // "while " and "while("
- if (cp[0] == 'w' &&
- !strncmp(cp+1, "hil", 3) &&
- isxdigit(cp[4]) &&
- (cp[5] == ' ' || cp[5] == '('))
- return 6;
- }
+/* if (len > 5) { */
+/* // "while " and "while(" */
+/* if (cp[0] == 'w' && */
+/* !strncmp(cp+1, "hil", 3) && */
+/* isxdigit(cp[4]) && */
+/* (cp[5] == ' ' || cp[5] == '(')) */
+/* return 6; */
+/* } */
- if (len > 4) {
- // "else " and "else{"
- if (cp[0] == 'e' &&
- !strncmp(cp, "ls", 2) &&
- isxdigit(cp[3]) &&
- (cp[4] == ' ' || cp[4] == '{'))
- return 5;
- }
+/* if (len > 4) { */
+/* // "else " and "else{" */
+/* if (cp[0] == 'e' && */
+/* !strncmp(cp, "ls", 2) && */
+/* isxdigit(cp[3]) && */
+/* (cp[4] == ' ' || cp[4] == '{')) */
+/* return 5; */
+/* } */
- if (len > 3) {
- // "var "
- if (cp[0] == 'v' &&
- isxdigit(cp[1]) &&
- cp[2] == 'r' &&
- cp[3] == ' ')
- return 4;
- }
+/* if (len > 3) { */
+/* // "var " */
+/* if (cp[0] == 'v' && */
+/* isxdigit(cp[1]) && */
+/* cp[2] == 'r' && */
+/* cp[3] == ' ') */
+/* return 4; */
+/* } */
- return 0;
-}
+/* return 0; */
+/* } */
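Review bot: The re-enabled skipJSPattern passes plain `char` values to isxdigit()/isalnum(); for bytes above 0x7f, on platforms where char is signed, that is undefined behaviour, and this routine scans payload text, so cast them: `if (!isxdigit((unsigned char)cp[j]))` and `if (!isalnum((unsigned char)cp[j]))`. The 21x10 `keywords` table is rebuilt on the stack on every call and `strlen(word)` is recomputed on every iteration of the inner loop; `static const char keywords[21][10]` plus a single `int wlen = (int) strlen(word);` per word avoids both. The superseded hand-coded variant below it should be deleted rather than kept as a comment block — the history is in version control — and the `i < 20` bound versus the 21-entry table deserves a named constant rather than the "change the limit to 21" comment.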
@@ -781,9 +801,10 @@ unsigned int capacityJS3 (char* buf, int len, int mode) {
} else {
bp = bp+j+1;
}
-// #ifdef DEBUG
-// printf("got |%c|\n", *(bp-1));
-// #endif
+
+ if (len < buf + len - bp) {
+ fprintf(stderr, "HERE\n");
+ }
j = offset2Hex(bp, (buf+len)-bp, 1);
} // while
return cnt;
@@ -804,12 +825,20 @@ unsigned int capacityJS3 (char* buf, int len, int mode) {
} else {
bp = bp+j+1;
}
-#ifdef DEBUG
-printf("got |%c|\n", *(bp-1));
-#endif
+
+ if (len < jsEnd - buf || len < jsEnd - bp) {
+ fprintf(stderr, "HERE2\n");
+ }
+
+
j = offset2Hex(bp, jsEnd-bp, 1);
} // while (j != -1)
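Review bot: The new guard `if (len < buf + len - bp)` in capacityJS3 compares an int with a pointer difference and is true only when bp points before buf; it does not catch bp running past buf+len, which is the case the following `offset2Hex(bp, (buf+len)-bp, 1)` call needs protecting from, since that would hand it a negative length. Even when the condition holds it only prints "HERE" and carries on. If the intent is to stop at the end of the buffer, `if (bp >= buf + len) break;` before the offset2Hex call does that, and the debug print can go. Only the else branch of the loop body is visible here; the loop head and the other branch are outside the hunk.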
+ if (buf + len < bp + 9) {
+ fprintf(stderr, "HERE3\n");
+ }
+
bp += 9;
} // while (bp < (buf+len))
return cnt;
diff --git a/src/steg/payloads.h b/src/steg/payloads.h
index 7d66bbf..7629b14 100644
--- a/src/steg/payloads.h
+++ b/src/steg/payloads.h
@@ -153,7 +153,7 @@ char * strInBinary (const char *pattern, unsigned int patternLen, const char *bl
unsigned int capacityPDF (char* buf, int len);
unsigned int get_max_PDF_capacity(void);
int find_content_length (char *hdr, int hlen);
-int find_uri_type(char* buf);
+int find_uri_type(char* buf, int size);
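Review bot: `if (buf + len < bp + 9)` detects that the following `bp += 9` would step past the buffer, but it only prints "HERE3" and then advances anyway, and the "HERE2" check before `offset2Hex(bp, jsEnd-bp, 1)` has the same shape; forming `bp + 9` beyond the end of the array is itself undefined, so the test should be written on the remaining length. Stop the loop instead of reporting: `if (buf + len - bp < 9) break;` before `bp += 9;`, and either drop the fprintf calls or route them through the project's debug logging. The outer `while (bp < (buf+len))` head is outside the hunk, so I cannot see what else constrains bp.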
int gen_response_header(char* content_type, int gzip, int length, char* buf, int buflen);
diff --git a/src/steg/x_http.c b/src/steg/x_http.c
index eb08401..c26fe1f 100644
--- a/src/steg/x_http.c
+++ b/src/steg/x_http.c
@@ -71,7 +71,7 @@ x_http_detect(conn_t *conn) {
struct evbuffer *buf = conn_get_inbound(conn);
unsigned char *data;
- return 0;
+ return 0;
/* Look for the text of http_response_1. */
if (evbuffer_get_length(buf) >= sizeof http_response_1 - 1) {
diff --git a/src/steg/x_http2.c b/src/steg/x_http2.c
index 3695c27..a1bc100 100644
--- a/src/steg/x_http2.c
+++ b/src/steg/x_http2.c
@@ -51,8 +51,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#define MIN_COOKIE_SIZE 128
-#define MAX_COOKIE_SIZE 2048
+#define MIN_COOKIE_SIZE 24
+#define MAX_COOKIE_SIZE 1024
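Review bot: The new MIN_COOKIE_SIZE/MAX_COOKIE_SIZE values (128 to 24, 2048 to 1024) come with no explanation of what they bound or why these sizes were chosen, so a reader cannot tell whether 24 is a protocol floor, a capacity limit or a value left over from debugging. A one-line comment above each, stating which buffer or transmitted length it constrains and the reason for the change, would be enough. The same commit also lowers the URI/cookie switch-over in x_http2_transmit from 128 to 72; if the two are related, derive one from the other rather than keeping two unexplained literals.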
int
@@ -187,7 +187,7 @@ x_http2_detect(conn_t *conn)
struct evbuffer *buf = conn_get_inbound(conn);
unsigned char *data;
- // return 0;
+ //return 0;
/***** Here is a list of HTTP response codes extracted from the server-portals.out trace
@@ -490,7 +490,7 @@ x_http2_client_cookie_transmit (steg_t *s, struct evbuffer *source, conn_t *conn
conn_cease_transmission(conn);
- downcast_steg(s)->type = find_uri_type(buf);
+ downcast_steg(s)->type = find_uri_type(buf, sizeof(buf));
downcast_steg(s)->have_transmitted = 1;
return 0;
}
@@ -528,6 +528,10 @@ int gen_uri_field(char* uri, unsigned int uri_sz, char* data, int datalen) {
if (r == 0 && datalen > 0)
uri[so_far++] = '/';
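Review bot: `find_uri_type(buf, sizeof(buf))` passes the declared size of `buf`, not the number of bytes of request actually written into it. find_uri_type, as changed in payloads.c in this commit, memcpy()s exactly that many bytes and NUL-terminates after them, so if buf is a local array the copy includes whatever uninitialised bytes follow the request, and if buf is a pointer sizeof is the pointer width and the request is cut off before its URI. Pass the length the transmit code produced when it filled buf instead. The declaration of buf is above this hunk, so which of the two cases applies is not visible here.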
+ if (r == 2 && datalen > 0)
+ uri[so_far++] = '_';
+
+
if (so_far > uri_sz - 6) {
fprintf(stderr, "too small\n");
return 0;
@@ -636,7 +640,7 @@ x_http2_client_uri_transmit (steg_t *s, struct evbuffer *source, conn_t *conn) {
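Review bot: The new `uri[so_far++] = '_'` write, like the existing `'/'` write just above it, is stored before the `so_far > uri_sz - 6` size check runs, so the bound is tested only after the byte has gone into uri; if the `r == 0` and `r == 2` cases are exclusive that is one byte, but the check should precede both writes. Separately, uri_sz is unsigned, so `uri_sz - 6` wraps for uri_sz < 6 and the check then never trips. Move the check above the two writes and make it `if (uri_sz < 6 || so_far >= uri_sz - 6) { fprintf(stderr, "too small\n"); return 0; }`. What r encodes is decided earlier in gen_uri_field, outside the hunk.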
evbuffer_drain(source, slen);
conn_cease_transmission(conn);
- downcast_steg(s)->type = find_uri_type(outbuf);
+ downcast_steg(s)->type = find_uri_type(outbuf, sizeof(outbuf));
downcast_steg(s)->have_transmitted = 1;
return 0;
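Review bot: `sizeof(outbuf)` is the capacity of outbuf (or the pointer width, if it is not an array), not the number of bytes that were formatted into it, and find_uri_type copies and NUL-terminates exactly that many bytes. Use the length that was produced when outbuf was filled, which x_http2_client_uri_transmit must already have in order to send it. outbuf's declaration and the code that fills it are above this hunk.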
@@ -675,7 +679,7 @@ x_http2_transmit(steg_t *s, struct evbuffer *source, conn_t *conn)
the only plausible places to put it are the URL and cookies. This presently uses the URL. And it can't be binary. */
- if (evbuffer_get_length(source) < 128)
+ if (evbuffer_get_length(source) < 72)
return x_http2_client_uri_transmit(s, source, conn); //@@
return x_http2_client_cookie_transmit(s, source, conn); //@@
}
@@ -736,21 +740,21 @@ x_http2_server_receive(steg_t *s, conn_t *conn, struct evbuffer *dest, struct ev
log_debug("SERVER received request header of length %d", (int)s2.pos);
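Review bot: The choice of carrier now hinges on the bare literal 72 (previously 128) with nothing saying how it relates to what gen_uri_field can fit into a URI, or to MIN_COOKIE_SIZE, which this commit lowers to 24 in the same file. Give it a name next to the other size constants, e.g. `#define MAX_URI_DATA 72 /* source bytes the URI carrier can hold; see gen_uri_field */`, and compare against that here. I am inferring the meaning from the comment above the hunk; the cookie branch below is commented out with `//@@`, so anything at or above the threshold falls through to code outside the hunk.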
data = evbuffer_pullup(source, s2.pos+4);
+
if (data == NULL) {
log_debug("SERVER evbuffer_pullup fails");
return RECV_BAD;
}
- limit = data + s2.pos;
- type = find_uri_type((char *)data);
+ data[s2.pos+3] = 0;
- data[s2.pos+4] = 0;
- // fprintf(stderr, "data = %s\n", data);
+ limit = data + s2.pos;
+
+ type = find_uri_type((char *)data, s2.pos+4);
if (strstr((char*) data, "Cookie") != NULL) {
- data = (unsigned char*) strstr((char*) data, "Cookie:");
- p = data + sizeof "Cookie: "-1;
+ p = (unsigned char*) strstr((char*) data, "Cookie:") + + sizeof "Cookie: "-1;
cookie_mode = 1;
} else
@@ -784,8 +788,6 @@ x_http2_server_receive(steg_t *s, conn_t *conn, struct evbuffer *dest, struct ev
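Review bot: The outer test searches for "Cookie" but `p` is derived from `strstr(data, "Cookie:")`; a request whose headers contain the word without a following colon (any header name or URI that includes it) makes the inner strstr return NULL, and `NULL + sizeof "Cookie: " - 1` is then used as the read pointer for the rest of the receive path. Search once for the exact header and branch on that result: `p = (unsigned char*) strstr((char*) data, "Cookie:");` / `if (p != NULL) { p += sizeof "Cookie: "-1; cookie_mode = 1; } else`. Note also that `sizeof "Cookie: "-1` assumes exactly one space after the colon, and that neither call checks the match is at the start of a header line, so a "Set-Cookie:" or a cookie-like token inside another header would also be accepted. The rest of x_http2_server_receive, including the code that walks from p, is outside this hunk.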
outbuf[sofar] = 0;
- // fprintf(stderr, "recvd = %d\n", sofar);
-
if (secondhalf) {
fprintf(stderr, "incorrect cookie or uri recovery \n");
exit(-1);