0
0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-12-22 17:51:53 +00:00

tcp ao looks working, but there are no tests yet

This commit is contained in:
Katerina Kubecova 2024-02-28 16:15:28 +01:00
parent e27110ba8a
commit 026d89bd93
8 changed files with 8123 additions and 68 deletions

7927
configure~ Executable file

File diff suppressed because it is too large Load Diff

View File

@ -87,7 +87,10 @@ typedef struct birdsock {
node n; node n;
void *rbuf_alloc, *tbuf_alloc; void *rbuf_alloc, *tbuf_alloc;
const char *password; /* Password for MD5 authentication */ const char *password; /* Password for MD5 authentication */
struct ao_key *ao_key; /* Key for tcp ao authentication */ struct ao_key *ao_key_init; /* Key for tcp ao authentication icialization. */
char use_ao;
int last_used_ao_key; /* Last ID the other site requested */
int desired_ao_key; /* ID of requested ao key */
const char *err; /* Error message */ const char *err; /* Error message */
struct ssh_sock *ssh; /* Used in SK_SSH */ struct ssh_sock *ssh; /* Used in SK_SSH */
} sock; } sock;
@ -125,7 +128,8 @@ int sk_set_ao_auth(sock *s, ip_addr local, ip_addr remote, int pxlen, struct ifa
void ao_delete_key(sock *s, ip_addr remote, int pxlen, struct iface *ifa, int passwd_id_rem, int passwd_id_loc); void ao_delete_key(sock *s, ip_addr remote, int pxlen, struct iface *ifa, int passwd_id_rem, int passwd_id_loc);
void log_tcp_ao_info(int sock_fd); void log_tcp_ao_info(int sock_fd);
void log_tcp_ao_get_key(int sock_fd); void log_tcp_ao_get_key(int sock_fd);
void ao_try_change_master(int sock_fd, int next_key_id); int check_ao_keys_id(int sock_fd, struct ao_key *key);
void ao_try_change_master(sock *s, int next_key_id_loc, int next_id_rem);
int sk_set_ipv6_checksum(sock *s, int offset); int sk_set_ipv6_checksum(sock *s, int offset);
int sk_set_icmp6_filter(sock *s, int p1, int p2); int sk_set_icmp6_filter(sock *s, int p1, int p2);
void sk_log_error(sock *s, const char *p); void sk_log_error(sock *s, const char *p);

View File

@ -192,7 +192,7 @@ bgp_open(struct bgp_proto *p)
if (sk_open(sk) < 0) if (sk_open(sk) < 0)
goto err; goto err;
log("____________________________________________________________________________%i %i", sk->fd, sk->ao_key); log("____________________________________________________________________________%i %i", sk->fd, sk->ao_key_init);
bs = mb_allocz(proto_pool, sizeof(struct bgp_socket)); bs = mb_allocz(proto_pool, sizeof(struct bgp_socket));
bs->sk = sk; bs->sk = sk;
bs->uc = 1; bs->uc = 1;
@ -247,16 +247,29 @@ bgp_setup_auth(struct bgp_proto *p, int enable)
int rv = 0; int rv = 0;
if (p->cf->ao_key) if (p->cf->ao_key)
{ {
log("set ao auth [%s]", p->cf->ao_key->master_key); if (enable)
struct ao_key *key = p->cf->ao_key; {
p->sock->sk->ao_key = key; log("set ao auth [%s]", p->cf->ao_key->master_key);
do { struct ao_key *key = p->cf->ao_key;
rv = sk_set_ao_auth(p->sock->sk, do {
rv = sk_set_ao_auth(p->sock->sk,
p->cf->local_ip, prefix, pxlen, p->cf->iface, p->cf->local_ip, prefix, pxlen, p->cf->iface,
key->master_key, key->local_id, key->remote_id, key->cipher, 0); key->master_key, key->local_id, key->remote_id, key->cipher, 0);
key = key->next_key; key = key->next_key;
} while(key); } while(key);
}
else
{
log("in bgp close");
struct ao_key *key = p->cf->ao_key;
while (key)
{
log("delete %i", key->local_id);
ao_delete_key(p->sock->sk, p->remote_ip, -1, p->sock->sk->iface, key->local_id, key->remote_id);
key = key->next_key;
}
}
} }
else if (enable) else if (enable)
rv = sk_set_md5_auth(p->sock->sk, rv = sk_set_md5_auth(p->sock->sk,
@ -1084,7 +1097,6 @@ bgp_setup_conn(struct bgp_proto *p, struct bgp_conn *conn)
conn->channels_to_send = 0; conn->channels_to_send = 0;
conn->last_channel = 0; conn->last_channel = 0;
conn->last_channel_count = 0; conn->last_channel_count = 0;
conn->last_used_ao_key = -1;
conn->connect_timer = tm_new_init(p->p.pool, bgp_connect_timeout, conn, 0, 0); conn->connect_timer = tm_new_init(p->p.pool, bgp_connect_timeout, conn, 0, 0);
conn->hold_timer = tm_new_init(p->p.pool, bgp_hold_timeout, conn, 0, 0); conn->hold_timer = tm_new_init(p->p.pool, bgp_hold_timeout, conn, 0, 0);
@ -1148,9 +1160,8 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
s->rbsize = p->cf->enable_extended_messages ? BGP_RX_BUFFER_EXT_SIZE : BGP_RX_BUFFER_SIZE; s->rbsize = p->cf->enable_extended_messages ? BGP_RX_BUFFER_EXT_SIZE : BGP_RX_BUFFER_SIZE;
s->tbsize = p->cf->enable_extended_messages ? BGP_TX_BUFFER_EXT_SIZE : BGP_TX_BUFFER_SIZE; s->tbsize = p->cf->enable_extended_messages ? BGP_TX_BUFFER_EXT_SIZE : BGP_TX_BUFFER_SIZE;
s->tos = IP_PREC_INTERNET_CONTROL; s->tos = IP_PREC_INTERNET_CONTROL;
// s->password = "abcd1234";/
s->password = p->cf->password; s->password = p->cf->password;
s->ao_key = p->cf->ao_key; s->ao_key_init = p->cf->ao_key;
s->tx_hook = bgp_connected; s->tx_hook = bgp_connected;
s->flags = p->cf->free_bind ? SKF_FREEBIND : 0; s->flags = p->cf->free_bind ? SKF_FREEBIND : 0;
BGP_TRACE(D_EVENTS, "Connecting to %I%J from local address %I%J", BGP_TRACE(D_EVENTS, "Connecting to %I%J from local address %I%J",
@ -1163,7 +1174,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
if (sk_open(s) < 0) if (sk_open(s) < 0)
goto err; goto err;
log("a..........................................................................................fd %i key %i %I", s->fd, s->ao_key, s->daddr); log("a..........................................................................................fd %i %I", s->fd, s->daddr);
/* Set minimal receive TTL if needed */ /* Set minimal receive TTL if needed */
if (p->cf->ttl_security) if (p->cf->ttl_security)
@ -1242,6 +1253,16 @@ bgp_incoming_connection(sock *sk, uint dummy UNUSED)
rfree(sk); rfree(sk);
return 0; return 0;
} }
if (p->cf->ao_key)
{
if (get_current_key_id(sk->fd) == -1)
{
log(L_WARN "BGP: Connection from address %I%J (port %d) has no TCP AO key",
sk->daddr, ipa_is_link_local(sk->daddr) ? sk->iface : NULL, sk->dport);
rfree(sk);
return 0;
}
}
/* /*
* BIRD should keep multiple incoming connections in OpenSent state (for * BIRD should keep multiple incoming connections in OpenSent state (for
@ -1284,6 +1305,11 @@ bgp_incoming_connection(sock *sk, uint dummy UNUSED)
if (sk_set_min_ttl(sk, 256 - hops) < 0) if (sk_set_min_ttl(sk, 256 - hops) < 0)
goto err; goto err;
if (p->cf->ao_key)
{
if (check_ao_keys_id(sk->fd, p->cf->ao_key) == 0)
sk->use_ao = 1;
}
if (p->cf->enable_extended_messages) if (p->cf->enable_extended_messages)
{ {
sk->rbsize = BGP_RX_BUFFER_EXT_SIZE; sk->rbsize = BGP_RX_BUFFER_EXT_SIZE;
@ -2165,11 +2191,62 @@ int compare_aos(struct ao_key *a, struct ao_key *b)
return strcmp(a->master_key, b->master_key); return strcmp(a->master_key, b->master_key);
} }
int reconfigure_ao_without_conn(struct bgp_proto old_proto, struct bgp_config new)
{
log("in reconf dead ao");
sock *s_passiv = old_proto.sock->sk;
struct ao_key *old_aos[256];
memset(&old_aos, 0, sizeof(struct ao_key*)*256);
struct ao_key *old_aos_rem[256];
memset(&old_aos_rem, 0, sizeof(struct ao_key*)*256);
for(struct ao_key *ao_key = old_proto.cf->ao_key; ao_key; ao_key = ao_key->next_key)
{
old_aos[ao_key->local_id] = ao_key;
old_aos_rem[ao_key->remote_id] = ao_key;
}
for(struct ao_key *ao_key = new.ao_key; ao_key; ao_key = ao_key->next_key)
{
if(old_aos[ao_key->local_id])
{
if(compare_aos(ao_key, old_aos[ao_key->local_id]))
{
struct ao_key *old_key = old_aos[ao_key->local_id];
ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_key->local_id, old_key->remote_id);
sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, ao_key->required == 1);
}
old_aos[ao_key->local_id] = 0;
}
else if(old_aos_rem[ao_key->remote_id])
{
struct ao_key *old_key = old_aos_rem[ao_key->remote_id];
ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_key->local_id, old_key->remote_id);
sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, ao_key->required == 1);
old_aos[old_key->local_id] = 0;
}
else
sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, ao_key->required == 1);
}
for(int i = 0; i<256; i++)
{
if (old_aos[i])
ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_aos[i]->local_id, old_aos[i]->remote_id);
}
return 1;
}
int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new) int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new)
{ {
log("in reconf ao"); log("in reconf ao");
if (!old_proto.conn)
return reconfigure_ao_without_conn(old_proto, new); // Connection was not (re)established, so we can not change it.
sock *s_passiv = old_proto.sock->sk; sock *s_passiv = old_proto.sock->sk;
sock *s_activ = old_proto.conn->sk; sock *s_activ = old_proto.conn->sk;
int key_in_use_rem = get_current_key_id(s_activ->fd); int key_in_use_rem = get_current_key_id(s_activ->fd);
if (key_in_use_rem == -1) if (key_in_use_rem == -1)
@ -2177,6 +2254,8 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new)
log("Unable to detect currently used key"); log("Unable to detect currently used key");
return 0; return 0;
} }
int rnext_id = get_rnext_key_id(s_activ->fd);
log("old rnext %i", rnext_id);
struct ao_key *old_aos[256]; struct ao_key *old_aos[256];
memset(&old_aos, 0, sizeof(struct ao_key*)*256); memset(&old_aos, 0, sizeof(struct ao_key*)*256);
@ -2207,7 +2286,7 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new)
struct ao_key *old_key = old_aos[ao_key->local_id]; struct ao_key *old_key = old_aos[ao_key->local_id];
ao_delete_key(s_activ, old_proto.remote_ip, -1, s_activ->iface, old_key->local_id, old_key->remote_id); ao_delete_key(s_activ, old_proto.remote_ip, -1, s_activ->iface, old_key->local_id, old_key->remote_id);
ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_key->local_id, old_key->remote_id); ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_key->local_id, old_key->remote_id);
sk_set_ao_auth(s_activ, old_proto.local_ip, old_proto.remote_ip, -1, s_activ->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, ao_key->required == 1); sk_set_ao_auth(s_activ, old_proto.local_ip, old_proto.remote_ip, -1, s_activ->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0);
sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0); sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0);
} }
old_aos[ao_key->local_id] = 0; old_aos[ao_key->local_id] = 0;
@ -2216,15 +2295,13 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new)
{ {
if (old_rem_id[ao_key->remote_id]) if (old_rem_id[ao_key->remote_id])
cf_warn("TCP AO reconfiguration: Reusing remote id %i with new local id %i. This might break your connection.", ao_key->remote_id, ao_key->local_id); cf_warn("TCP AO reconfiguration: Reusing remote id %i with new local id %i. This might break your connection.", ao_key->remote_id, ao_key->local_id);
sk_set_ao_auth(s_activ, old_proto.local_ip, old_proto.remote_ip, -1, s_activ->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, ao_key->required == 1); sk_set_ao_auth(s_activ, old_proto.local_ip, old_proto.remote_ip, -1, s_activ->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0);
sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0); sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0);
} }
s_activ->ao_key = new.ao_key;
s_passiv->ao_key = new.ao_key;
if (ao_key->required == 1 && (ao_key->local_id != get_rnext_key_id(s_activ->fd))) if (ao_key->required == 1 && (ao_key->local_id != rnext_id))
{ {
ao_try_change_master(s_activ->fd, ao_key->local_id); ao_try_change_master(s_activ, ao_key->local_id, ao_key->remote_id);
if (old_proto.conn->hold_timer->expires != 0) if (old_proto.conn->hold_timer->expires != 0)
bgp_schedule_packet(old_proto.conn, NULL, PKT_KEEPALIVE); // According to RFC we should not send keepalive shortly after another, but since reconfiguration is rare, this is harmless bgp_schedule_packet(old_proto.conn, NULL, PKT_KEEPALIVE); // According to RFC we should not send keepalive shortly after another, but since reconfiguration is rare, this is harmless
} }
@ -2242,6 +2319,7 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new)
ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_aos[i]->local_id, old_aos[i]->remote_id); ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_aos[i]->local_id, old_aos[i]->remote_id);
} }
} }
log("no big changes in ao"); log("no big changes in ao");
return 1; return 1;
} }

View File

@ -307,7 +307,6 @@ struct bgp_conn {
u8 last_channel_count; /* Number of times the last channel was used in succession */ u8 last_channel_count; /* Number of times the last channel was used in succession */
int notify_code, notify_subcode, notify_size; int notify_code, notify_subcode, notify_size;
byte *notify_data; byte *notify_data;
int last_used_ao_key; /* ID of last ao authentication key, which was used */
uint hold_time, keepalive_time; /* Times calculated from my and neighbor's requirements */ uint hold_time, keepalive_time; /* Times calculated from my and neighbor's requirements */
}; };

View File

@ -3425,24 +3425,28 @@ bgp_rx(sock *sk, uint size)
{ {
struct bgp_conn *conn = sk->data; struct bgp_conn *conn = sk->data;
if (sk->ao_key) if (sk->use_ao && sk->desired_ao_key != sk->last_used_ao_key)
{ {
if (get_current_key_id(sk->fd) != conn->last_used_ao_key) int new_rnext = get_current_key_id(sk->fd);
if (new_rnext != sk->last_used_ao_key)
{ {
if (conn->hold_timer->expires != 0) if (conn->hold_timer->expires != 0)
bgp_schedule_packet(conn, NULL, PKT_KEEPALIVE); // We might send this keepalive shortly after another. RFC says we should wait, but since reconfiguration is rare, this is harmless. bgp_schedule_packet(conn, NULL, PKT_KEEPALIVE); // We might send this keepalive shortly after another. RFC says we should wait, but since reconfiguration is rare, this is harmless.
conn->last_used_ao_key = get_current_key_id(sk->fd); sk->last_used_ao_key = new_rnext;
log("Expected desired rnext %i, arrived %i", sk->desired_ao_key, new_rnext);
log_ao(sk->fd); log_ao(sk->fd);
log("%i", sk->ao_key);
} }
else //todo delete after debug else //todo delete after debug
{ {
log("Nothing happend %i %i", get_current_key_id(sk->fd), sk->last_used_ao_key);
log_ao(sk->fd); log_ao(sk->fd);
log("%i %i", get_current_key_id(sk->fd), conn->last_used_ao_key);
log("fd %i sk %i key %i", sk->fd, sk, sk->ao_key);
} }
} }
else
{
log("No ao or not expecting changes %i %i", get_current_key_id(sk->fd), sk->last_used_ao_key);
log_ao(sk->fd);
}
byte *pkt_start = sk->rbuf; byte *pkt_start = sk->rbuf;
byte *end = pkt_start + size; byte *end = pkt_start + size;
uint i, len; uint i, len;

BIN
sysdep/linux/.sysio.h.swp Normal file

Binary file not shown.

View File

@ -234,7 +234,7 @@ void log_tcp_ao_info(int sock_fd)
return; return;
} }
else else
log("current key id %i, next key %i,\n set current %i, ao required %i\n good packets %i, bad packets %i", log("current key id %i (rem), next key %i (loc),\n set current %i, ao required %i\n good packets %i, bad packets %i",
tmp.current_key, tmp.rnext, tmp.set_current, tmp.ao_required, tmp.pkt_good, tmp.pkt_bad); tmp.current_key, tmp.rnext, tmp.set_current, tmp.ao_required, tmp.pkt_good, tmp.pkt_bad);
} }
@ -268,8 +268,7 @@ int get_rnext_key_id(int sock_fd)
return tmp.rnext; return tmp.rnext;
} }
void int get_num_ao_keys(int sock_fd)
log_tcp_ao_get_key(int sock_fd)
{ {
struct tcp_ao_getsockopt_ext tmp; struct tcp_ao_getsockopt_ext tmp;
memset(&tmp, 0, sizeof(struct tcp_ao_getsockopt_ext)); memset(&tmp, 0, sizeof(struct tcp_ao_getsockopt_ext));
@ -279,12 +278,20 @@ log_tcp_ao_get_key(int sock_fd)
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, &tmp, &len)) if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, &tmp, &len))
{ {
log("log tcp ao get keys failed with err code %i", errno); log("tcp ao get keys failed with err code %i", errno);
return; return -1;
} }
return tmp.nkeys;
int nkeys = tmp.nkeys; }
void
log_tcp_ao_get_key(int sock_fd)
{
int nkeys = get_num_ao_keys(sock_fd);
if (nkeys < 0)
return;
struct tcp_ao_getsockopt_ext tm_all[nkeys]; struct tcp_ao_getsockopt_ext tm_all[nkeys];
socklen_t len = sizeof(struct tcp_ao_getsockopt_ext);
memset(tm_all, 0, sizeof(struct tcp_ao_getsockopt_ext)*nkeys); memset(tm_all, 0, sizeof(struct tcp_ao_getsockopt_ext)*nkeys);
tm_all[0].nkeys = nkeys; tm_all[0].nkeys = nkeys;
tm_all[0].get_all = 1; tm_all[0].get_all = 1;
@ -301,13 +308,11 @@ log_tcp_ao_get_key(int sock_fd)
} }
int int
sk_set_ao_auth(sock *s, ip_addr local, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int passwd_id_loc, int passwd_id_rem, const char* cipher, int set_current) sk_set_ao_auth(sock *s, ip_addr local UNUSED, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int passwd_id_loc, int passwd_id_rem, const char* cipher, int set_current)
{ {
struct tcp_ao_add_ext ao; struct tcp_ao_add_ext ao;
memset(&ao, 0, sizeof(struct tcp_ao_add_ext)); memset(&ao, 0, sizeof(struct tcp_ao_add_ext));
if (!s->ao_key) log(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>in sk set ao, pass %s fd %i sk %i %i", passwd, s->fd, s);
bug("no ao key");
log(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>in sk set ao, pass %s fd %i sk %i %i", passwd, s->fd, s, s->ao_key);
/* int af; /* int af;
if (ipa_is_ip4(remote)) if (ipa_is_ip4(remote))
af = AF_INET; af = AF_INET;
@ -337,8 +342,16 @@ sk_set_ao_auth(sock *s, ip_addr local, ip_addr remote, int pxlen, struct iface *
memcpy(ao.key, passwd, (strlen(passwd) > TCP_AO_MAXKEYLEN_) ? TCP_AO_MAXKEYLEN_ : strlen(passwd)); memcpy(ao.key, passwd, (strlen(passwd) > TCP_AO_MAXKEYLEN_) ? TCP_AO_MAXKEYLEN_ : strlen(passwd));
if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_ADD_KEY, &ao, sizeof(ao)) < 0) if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_ADD_KEY, &ao, sizeof(ao)) < 0)
bug("tcp ao err %i", errno); {
if (errno == ENOPROTOOPT)
ERR_MSG("Kernel does not support extended TCP AO signatures");
else
ERR("TCP_AOSIG_EXT");
}
s->use_ao = 1;
if (set_current)
s->desired_ao_key = passwd_id_rem;
log_tcp_ao_get_key(s->fd); log_tcp_ao_get_key(s->fd);
return 0; return 0;
} }
@ -359,46 +372,79 @@ ao_delete_key(sock *s, ip_addr remote, int pxlen, struct iface *ifa, int passwd_
del.prefix = 128; del.prefix = 128;
if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_DEL_KEY, &del, sizeof(del)) < 0) if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_DEL_KEY, &del, sizeof(del)) < 0)
{
log("log keys for debug delete error key %i %i", passwd_id_loc, passwd_id_rem);
log_tcp_ao_get_key(s->fd);
bug("tcp ao deletion err %i", errno); bug("tcp ao deletion err %i", errno);
}
log("tcp ao key %i %i deleted", passwd_id_loc, passwd_id_rem); log("tcp ao key %i %i deleted", passwd_id_loc, passwd_id_rem);
} }
void void
ao_try_change_master(int sock_fd, int next_master_id ) ao_try_change_master(sock *s, int next_master_id_loc, int next_master_id_rem)
{ {
struct tcp_ao_info_opt_ext tmp; struct tcp_ao_info_opt_ext tmp;
memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext)); memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext));
tmp.set_rnext = 1; tmp.set_rnext = 1;
tmp.rnext = next_master_id; tmp.rnext = next_master_id_loc;
if (setsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, sizeof(tmp))) if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, sizeof(tmp)))
{ {
log(" tcp ao change master key failed with err code %i", errno); log(" tcp ao change master key failed with err code %i", errno);
log_tcp_ao_get_key(sock_fd); log_tcp_ao_get_key(s->fd);
return; return;
} }
else else
log("tried to change master"); log("tried to change master");
s->desired_ao_key = next_master_id_rem;
} }
void int check_ao_keys_id(int sock_fd, struct ao_key *keys)
save_to_repair(int sock_fd)
{ {
struct tcp_ao_repair_ext replace_me; //TODO not ignore replace_me int errors = 0;
socklen_t len = sizeof(replace_me); int expected_keys[256]; //can not have char, because we must support 0 key id
memset(&replace_me, 0, sizeof(struct tcp_ao_repair_ext)); memset(expected_keys, 0, sizeof(int)*256);
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_REPAIR, &replace_me, &len) < 0) for (struct ao_key *key = keys; key; key = key->next_key)
bug("geting tcp ao img not succeed %i", errno); expected_keys[key->local_id] = key->remote_id + 1; // the + 1 because we do not want 0 id be 0
log("got tcp ao img"); int nkeys = get_num_ao_keys(sock_fd);
} if(nkeys == -1)
{
cf_warn("TCP AO: unable to get num of keys");
void return 1;
repair_tcp_ao(int sock_fd, struct iface *ifa) }
{ struct tcp_ao_getsockopt_ext tm_all[nkeys];
//if (setsockopt(sock_fd, SOL_TCP, TCP_AO_REPAIR, &ifa->tcp_ao_img, sizeof(ifa->tcp_ao_img)) < 0) socklen_t len = sizeof(struct tcp_ao_getsockopt_ext);
// bug("tcp ao err %i", errno); memset(tm_all, 0, sizeof(struct tcp_ao_getsockopt_ext)*nkeys);
log("tcp ao repair skiped"); tm_all[0].nkeys = nkeys;
tm_all[0].get_all = 1;
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, tm_all, &len)) // len should be still size of one struct. Because kernel net/ipv4/tcp_ao.c line 2165
{
cf_warn("log tcp ao get keys failed with err code %i", errno);
return 1;
}
for (int i = 0; i< nkeys; i++)
{
struct tcp_ao_getsockopt_ext sock_key = tm_all[i];
if (expected_keys[sock_key.rcvid] - 1 != sock_key.sndid)
{
if (expected_keys[sock_key.rcvid] == 0)
cf_warn("TCP AO: unexpected ao key %i %i", sock_key.rcvid, sock_key.sndid);
else
cf_warn("TCP AO: expected key local id %i has different remote id than expected (%i vs %i)", sock_key.rcvid, expected_keys[sock_key.rcvid] - 1, sock_key.sndid);
errors++;
}
expected_keys[sock_key.rcvid] = 0;
}
for (int i = 0; i < 256; i++)
{
if (expected_keys[i] != 0)
{
cf_warn("TCP AO: key %i %i is not in socket", i, expected_keys - 1);
errors++;
}
}
return errors;
} }
static inline int static inline int

View File

@ -1097,8 +1097,7 @@ sk_passive_connected(sock *s, int type)
t->tos = s->tos; t->tos = s->tos;
t->vrf = s->vrf; t->vrf = s->vrf;
t->rbsize = s->rbsize; t->rbsize = s->rbsize;
t->tbsize = s->tbsize; t->tbsize = s->tbsize;
t->ao_key = s->ao_key;
if (type == SK_TCP) if (type == SK_TCP)
{ {
@ -1459,12 +1458,10 @@ sk_open(sock *s)
if (bind(fd, &sa.sa, SA_LEN(sa)) < 0) if (bind(fd, &sa.sa, SA_LEN(sa)) < 0)
ERR2("bind"); ERR2("bind");
} }
//s->password = "abcd1234";
if (s->ao_key) if (s->ao_key_init)
{ {
log("set ao, %s", s->ao_key->cipher); struct ao_key *key = s->ao_key_init;
struct ao_key *key = s->ao_key;
do { do {
if (sk_set_ao_auth(s, s->saddr, s->daddr, -1, s->iface, key->master_key, key->local_id, key->remote_id, key->cipher, key->required == 1) < 0) if (sk_set_ao_auth(s, s->saddr, s->daddr, -1, s->iface, key->master_key, key->local_id, key->remote_id, key->cipher, key->required == 1) < 0)
goto err; goto err;