Merge from /nmap-exp/david/nmap-os.

This brings in four discrete changes:

1. The widening of ranges for T test expressions in nmap-os-db. Any expressions
   that were not already ranges were expanded to cover plus and minus five of
   their original values.
2. The normalization of TG expressions in nmap-os-db. Nmap is only capable of
   outputting 0x20, 0x40, 0x80, and 0xFF for a TG value, but many fingerprints
   had values other than these. They have all been rounded to their nearest
   likely value.
3. The elimination of the U1.TOS and IE.TOSI tests (both having to do with type
   of service). This was effected by setting their MatchPoints to 0.
4. A cleanup and refactoring of OS fingerprint output code. This should not
   have any impact on output, except in one case: when debugging is non-zero or
   verbosity is greater than one, and at least one perfect match was found,
   Nmap used to print "OS Fingerprint:" before the fingerprint. Now it prints
   "TCP/IP fingerprint:" in this case like in all the others.

FingerPrintResults.cc

@@ -118,7 +118,7 @@ FingerPrintResults::FingerPrintResults() {
   FPs = (FingerPrint **) safe_zalloc(MAX(o.maxOSTries(), 10) * sizeof(FingerPrint *));
   maxTimingRatio = 0;
   maxTimingRatio = 0;
-  numFPs = goodFP = 0;
+  numFPs = 0;
 }
 
 FingerPrintResults::~FingerPrintResults() {

FingerPrintResults.h

@@ -158,7 +158,6 @@ class FingerPrintResults {
 
   FingerPrint **FPs; /* Fingerprint data obtained from host */
   int numFPs;
-  int goodFP;
 
 /* If the fingerprint is of potentially poor quality, we don't want to
    print it and ask the user to submit it.  In that case, the reason

Target.cc

@@ -244,7 +244,7 @@ struct in_addr Target::v4host() {
 }
 
 // Returns IPv4 host address or NULL if unavailable.
-const struct in_addr *Target::v4hostip() {
+const struct in_addr *Target::v4hostip() const {
   struct sockaddr_in *sin = (struct sockaddr_in *) &targetsock;
   if (sin->sin_family == AF_INET) {
     return &(sin->sin_addr);
@@ -454,7 +454,7 @@ void Target::setDeviceNames(const char *name, const char *fullname) {
 }
 
 /* Returns the 6-byte long MAC address, or NULL if none has been set */
-const u8 *Target::MACAddress() {
+const u8 *Target::MACAddress() const {
   return (MACaddress_set)? MACaddress : NULL;
 }
 

Target.h

@@ -148,7 +148,7 @@ class Target {
   void setTargetSockAddr(struct sockaddr_storage *ss, size_t ss_len);
   // Returns IPv4 target host address or {0} if unavailable.
   struct in_addr v4host();
-  const struct in_addr *v4hostip();
+  const struct in_addr *v4hostip() const;
   /* The source address used to reach the target */
   int SourceSockAddr(struct sockaddr_storage *ss, size_t *ss_len);
   /* Note that it is OK to pass in a sockaddr_in or sockaddr_in6 casted
@@ -234,7 +234,7 @@ class Target {
   int setNextHopMACAddress(const u8 *addy); // this should be the target's own MAC if directlyConnected()
 
   /* Returns a pointer to 6-byte MAC address, or NULL if none is set */
-  const u8 *MACAddress();
+  const u8 *MACAddress() const;
   const u8 *SrcMACAddress();
   const u8 *NextHopMACAddress();
 

osscan2.cc

@@ -3677,7 +3677,6 @@ static void endRound(OsScanInfo *OSI, HostOsScan *HOS, int roundNum) {
       if (roundNum > 0) {
         if(o.verbose) error("WARNING:  OS didn't match until try #%d", roundNum + 1);
       }
-      hsi->target->FPR->goodFP = roundNum;
       match_fingerprint(hsi->target->FPR->FPs[roundNum], hsi->target->FPR, 
                         o.reference_FPs, OSSCAN_GUESS_THRESHOLD);
       hsi->isCompleted = true;
@@ -3728,12 +3727,9 @@ static void findBestFPs(OsScanInfo *OSI) {
       }
     }
 
-    hsi->target->FPR->goodFP = bestaccidx;
-
     // Now we redo the match, since target->FPR has various data (such as
     // target->FPR->numFPs) which is not in FP_matches[bestaccidx].  This is
     // kinda ugly.
-    if (hsi->target->FPR->goodFP >= 0)
     match_fingerprint(hsi->target->FPR->FPs[bestaccidx], hsi->target->FPR, 
                       o.reference_FPs, OSSCAN_GUESS_THRESHOLD);
   }

output.cc

@@ -1555,6 +1555,22 @@ void printmacinfo(Target *currenths) {
 
 
 
+/* A convenience wrapper around mergeFPs. */
+static const char *merge_fpr(const FingerPrintResults *FPR,
+                             const Target *currenths,
+                             bool isGoodFP, bool wrapit) {
+  return mergeFPs(FPR->FPs, FPR->numFPs, isGoodFP, currenths->v4hostip(),
+                  currenths->distance, currenths->MACAddress(),
+                  FPR->osscan_opentcpport, FPR->osscan_closedtcpport,
+                  FPR->osscan_closedudpport, wrapit);
+}
+
+static void write_merged_fpr(const FingerPrintResults *FPR,
+                             const Target *currenths,
+                             bool isGoodFP, bool wrapit) {
+  log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT, "TCP/IP fingerprint:\n%s\n",
+            merge_fpr(FPR, currenths, isGoodFP, wrapit));
+}
 
 /* Prints the formatted OS Scan output to stdout, logfiles, etc (but only
    if an OS Scan was performed).*/
@@ -1563,7 +1579,6 @@ void printosscanoutput(Target *currenths) {
   char numlst[512]; /* For creating lists of numbers */
   char *p; /* Used in manipulating numlst above */
   FingerPrintResults *FPR;
-  int distance = -1;
   int osscan_flag;
   
   if (!(osscan_flag = currenths->osscanPerformed()))
@@ -1573,9 +1588,6 @@ void printosscanoutput(Target *currenths) {
     return;
   FPR = currenths->FPR;
 
-  if (currenths->distance != -1)
-	distance = currenths->distance;
-
   log_write(LOG_XML, "<os>");
   if (FPR->osscan_opentcpport > 0) {
     log_write(LOG_XML, 
@@ -1605,130 +1617,82 @@ void printosscanoutput(Target *currenths) {
   
   if (FPR->overall_results == OSSCAN_SUCCESS && 
       (FPR->num_perfect_matches <= 8 || o.debugging)) {
+    /* Success, not too many perfect matches. */
     if (FPR->num_perfect_matches > 0) {
+      /* Some perfect matches. */
+      for (i = 0; FPR->accuracy[i] == 1; i++) {
         char *p;
-      log_write(LOG_MACHINE,"\tOS: %s",  FPR->prints[0]->OS_name);
-      log_write(LOG_XML, "<osmatch name=\"%s\" accuracy=\"100\" line=\"%d\" />\n", 
-		p = xml_convert(FPR->prints[0]->OS_name), 
-		FPR->prints[0]->line);
-      free(p);
-      i = 1;
-      while(FPR->accuracy[i] == 1 ) {
-	log_write(LOG_MACHINE,"|%s", FPR->prints[i]->OS_name);
         log_write(LOG_XML, "<osmatch name=\"%s\" accuracy=\"100\" line=\"%d\" />\n", 
                   p = xml_convert(FPR->prints[i]->OS_name),
                   FPR->prints[i]->line);
         free(p);
-	i++;
       }
-      if (FPR->num_perfect_matches == 1)
-	log_write(LOG_PLAIN,
-		  "OS details: %s", 
-		  FPR->prints[0]->OS_name);
 
-      else {
+      log_write(LOG_MACHINE,"\tOS: %s",  FPR->prints[0]->OS_name);
-	log_write(LOG_PLAIN,
+      for (i = 1; FPR->accuracy[i] == 1; i++)
-		  "OS details: %s", 
+        log_write(LOG_MACHINE,"|%s", FPR->prints[i]->OS_name);
-		  FPR->prints[0]->OS_name);
+
-	i = 1;
+      log_write(LOG_PLAIN, "OS details: %s", FPR->prints[0]->OS_name);
-	while(FPR->accuracy[i] == 1) {
+      for (i = 1; FPR->accuracy[i] == 1; i++)
-	  log_write(LOG_PLAIN,", %s", 
+        log_write(LOG_PLAIN,", %s", FPR->prints[i]->OS_name);
-		    FPR->prints[i]->OS_name);
+      log_write(LOG_PLAIN, "\n");
-	  i++;
+
-	}
+      if (o.debugging || o.verbose > 1)
-      }
+        write_merged_fpr(FPR, currenths, reason != NULL, true);
     } else {
+      /* No perfect matches. */
       if ((o.verbose > 1 || o.debugging) && reason)
         log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,
                   "OS fingerprint not ideal because: %s\n", reason);
 
       if ((o.osscan_guess || reason) && FPR->num_matches > 0) {
-	char *p;
         /* Print the best guesses available */
-	log_write(LOG_PLAIN,"Aggressive OS guesses: %s (%d%%)", FPR->prints[0]->OS_name, (int) (FPR->accuracy[0] * 100));
+        for (i = 0; i < 10 && i < FPR->num_matches && FPR->accuracy[i] > FPR->accuracy[0] - 0.10; i++) {
-	log_write(LOG_XML, "<osmatch name=\"%s\" accuracy=\"%d\" line=\"%d\"/>\n", 
+          char *p;
-		  p = xml_convert(FPR->prints[0]->OS_name),  
-		  (int) (FPR->accuracy[0] * 100), 
-		  FPR->prints[0]->line);
-	free(p);
-
-	for(i=1; i < 10 && FPR->num_matches > i && FPR->accuracy[i] > FPR->accuracy[0] - 0.10; i++) {
-
-	  log_write(LOG_PLAIN,", %s (%d%%)", FPR->prints[i]->OS_name, (int) (FPR->accuracy[i] * 100));
           log_write(LOG_XML, "<osmatch name=\"%s\" accuracy=\"%d\" line=\"%d\"/>\n", 
                     p = xml_convert(FPR->prints[i]->OS_name),  
                     (int) (FPR->accuracy[i] * 100), 
                     FPR->prints[i]->line);
           free(p);
         }
+
+        log_write(LOG_PLAIN,"Aggressive OS guesses: %s (%d%%)", FPR->prints[0]->OS_name, (int) (FPR->accuracy[0] * 100));
+        for (i = 1; i < 10 && FPR->num_matches > i && FPR->accuracy[i] > FPR->accuracy[0] - 0.10; i++)
+          log_write(LOG_PLAIN,", %s (%d%%)", FPR->prints[i]->OS_name, (int) (FPR->accuracy[i] * 100));
         log_write(LOG_PLAIN, "\n");
       }
+
       if (!reason) {
-	log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).\nTCP/IP fingerprint:\n%s\n",
+        log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).\n");
-		  mergeFPs(FPR->FPs, FPR->numFPs, true,
+        write_merged_fpr(FPR, currenths, true, true);
-			   currenths->v4hostip(), distance, currenths->MACAddress(),
-			   FPR->osscan_opentcpport, FPR->osscan_closedtcpport, FPR->osscan_closedudpport,
-			   true));
-	
       } else {
-
+        log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"No exact OS matches for host (test conditions non-ideal).\n");
-	  log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"No exact OS matches for host (test conditions non-ideal).");
         if (o.verbose > 1 || o.debugging)
-	    log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT, 
+          write_merged_fpr(FPR, currenths, false, false);
-		      "\nTCP/IP fingerprint:\n%s",
-		      mergeFPs(FPR->FPs, FPR->numFPs, false,
-					  currenths->v4hostip(), distance, currenths->MACAddress(),
-					  FPR->osscan_opentcpport, FPR->osscan_closedtcpport, FPR->osscan_closedudpport,
-					  false));
       }
     }
-      
-    log_write(LOG_PLAIN,"\n");	  
-    if (FPR->goodFP >= 0 && (o.debugging || o.verbose > 1) && 
-	FPR->num_perfect_matches > 0 ) {
-      log_write(LOG_PLAIN,"OS Fingerprint:\n%s\n",
-		mergeFPs(FPR->FPs, FPR->numFPs, !reason,
-			 currenths->v4hostip(), distance, currenths->MACAddress(),
-			 FPR->osscan_opentcpport, FPR->osscan_closedtcpport, 
-			 FPR->osscan_closedudpport, true));
-
-    }
-
   } else if (FPR->overall_results == OSSCAN_NOMATCHES) {
-    const char *reason = FPR->OmitSubmissionFP();
+    /* No matches at all. */
-    if ((o.verbose > 1 || o.debugging) && reason)
-      log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"OS fingerprint not ideal because: %s\n", reason);
     if (!reason) {
-      log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).\nTCP/IP fingerprint:\n%s\n",
+      log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).\n");
-		mergeFPs(FPR->FPs, FPR->numFPs, true,
+      write_merged_fpr(FPR, currenths, true, true);
-			 currenths->v4hostip(), distance, currenths->MACAddress(),
-			 FPR->osscan_opentcpport, FPR->osscan_closedtcpport, FPR->osscan_closedudpport,
-			 true));
     } else {
+      log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"OS fingerprint not ideal because: %s\n", reason);
       log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"No OS matches for host\n");
-      if (o.verbose > 1)
+      if (o.debugging || o.verbose > 1)
-	log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT, "\nTCP/IP fingerprint:\n%s",
+        write_merged_fpr(FPR, currenths, false, false);
-		  mergeFPs(FPR->FPs, FPR->numFPs, false,
-				      currenths->v4hostip(), distance, currenths->MACAddress(),
-				      FPR->osscan_opentcpport, FPR->osscan_closedtcpport, FPR->osscan_closedudpport,
-				      false));
     }
   } else if (FPR->overall_results == OSSCAN_TOOMANYMATCHES || (FPR->num_perfect_matches > 8 && !o.debugging)) {
-    log_write(LOG_PLAIN,"Too many fingerprints match this host to give specific OS details\n");
+    /* Too many perfect matches. */
-    if (o.debugging || o.verbose > 1) {
+    log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT,"Too many fingerprints match this host to give specific OS details\n");
-      log_write(LOG_PLAIN,"TCP/IP fingerprint:\n%s",
+    if (o.debugging || o.verbose > 1)
-		mergeFPs(FPR->FPs, FPR->numFPs, false,
+      write_merged_fpr(FPR, currenths, false, false);
-				    currenths->v4hostip(), distance, currenths->MACAddress(),
+  } else {
-				    FPR->osscan_opentcpport, FPR->osscan_closedtcpport, FPR->osscan_closedudpport,
+    assert(0);
-				    false));
   }
-  } else { assert(0); }
   
   if (o.debugging || o.verbose) {
-    char *xml_osfp = xml_convert(mergeFPs(FPR->FPs, FPR->numFPs, !reason,
+    char *xml_osfp = xml_convert(merge_fpr(FPR, currenths, reason != NULL, reason != NULL));
-				 currenths->v4hostip(), distance, currenths->MACAddress(),
-				 FPR->osscan_opentcpport, FPR->osscan_closedtcpport, FPR->osscan_closedudpport,
-				 !reason));
     log_write(LOG_XML,"<osfingerprint fingerprint=\"%s\" />\n", xml_osfp);
     free(xml_osfp);
   }
@@ -1746,9 +1710,9 @@ void printosscanoutput(Target *currenths) {
     log_write(LOG_XML, "<uptime seconds=\"%li\" lastboot=\"%s\" />\n", tv.tv_sec - currenths->seq.lastboot, tmbuf);
   }
   
-  if (distance!=-1) {
+  if (currenths->distance!=-1) {
-    log_write(LOG_PLAIN, "Network Distance: %d hop%s\n", distance, (distance == 1)? "" : "s");
+    log_write(LOG_PLAIN, "Network Distance: %d hop%s\n", currenths->distance, (currenths->distance == 1)? "" : "s");
-    log_write(LOG_XML, "<distance value=\"%d\" />\n", distance);
+    log_write(LOG_XML, "<distance value=\"%d\" />\n", currenths->distance);
   }
   
   if (currenths->seq.responses > 3) {