From 85ce22eb0b455c71efac95271a056599f3b3c545 Mon Sep 17 00:00:00 2001 From: Katerina Kubecova Date: Mon, 26 Feb 2024 14:58:25 +0100 Subject: [PATCH] tcp ao works, but can not be closed --- lib/socket.h | 1 + proto/bgp/bgp.c | 43 ++++++++++++++++++++++++++----------------- proto/bgp/config.Y | 31 +++++++++++++++++++++++-------- proto/bgp/packets.c | 21 +++++++++++++++++++-- sysdep/linux/sysio.h | 24 ++++++++++++++++++++---- sysdep/unix/io.c | 1 + 6 files changed, 90 insertions(+), 31 deletions(-) diff --git a/lib/socket.h b/lib/socket.h index 8cae88ee..3772cb5c 100644 --- a/lib/socket.h +++ b/lib/socket.h @@ -120,6 +120,7 @@ int sk_set_min_ttl(sock *s, int ttl); /* Set minimal accepted TTL for given sock int sk_set_md5_auth(sock *s, ip_addr local, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int setkey); int get_current_key_id(int sock_fd); +int get_rnext_key_id(int sock_fd); int sk_set_ao_auth(sock *s, ip_addr local, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int passwd_id_loc, int passwd_id_rem, const char *cipher, int set_current); void ao_delete_key(sock *s, ip_addr remote, int pxlen, struct iface *ifa, int passwd_id_rem, int passwd_id_loc); void log_tcp_ao_info(int sock_fd); diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c index 5bbc96c3..a79147de 100644 --- a/proto/bgp/bgp.c +++ b/proto/bgp/bgp.c @@ -179,7 +179,6 @@ bgp_open(struct bgp_proto *p) sk->type = SK_TCP_PASSIVE; sk->ttl = 255; sk->saddr = addr; - // sk->daddr = p->remote_ip; sk->sport = port; sk->iface = ifa; sk->vrf = p->p.vrf; @@ -189,12 +188,11 @@ bgp_open(struct bgp_proto *p) sk->tbsize = BGP_TX_BUFFER_SIZE; sk->rx_hook = bgp_incoming_connection; sk->err_hook = bgp_listen_sock_err; - //sk->password = p->cf->password; - log("passive connect p %i, c cf %i %s", p, p->cf, p->cf->password ? p->cf->password : "no password"); if (sk_open(sk) < 0) goto err; - + + log("____________________________________________________________________________%i %i", sk->fd, sk->ao_key); bs = mb_allocz(proto_pool, sizeof(struct bgp_socket)); bs->sk = sk; bs->uc = 1; @@ -251,6 +249,7 @@ bgp_setup_auth(struct bgp_proto *p, int enable) { log("set ao auth [%s]", p->cf->ao_key->master_key); struct ao_key *key = p->cf->ao_key; + p->sock->sk->ao_key = key; do { rv = sk_set_ao_auth(p->sock->sk, p->cf->local_ip, prefix, pxlen, p->cf->iface, @@ -1085,6 +1084,7 @@ bgp_setup_conn(struct bgp_proto *p, struct bgp_conn *conn) conn->channels_to_send = 0; conn->last_channel = 0; conn->last_channel_count = 0; + conn->last_used_ao_key = -1; conn->connect_timer = tm_new_init(p->p.pool, bgp_connect_timeout, conn, 0, 0); conn->hold_timer = tm_new_init(p->p.pool, bgp_hold_timeout, conn, 0, 0); @@ -1160,11 +1160,11 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c bgp_setup_sk(conn, s); bgp_conn_set_state(conn, BS_CONNECT); - log("active open p %i, c cf %i %s ", p, p->cf, p->cf->password ? p->cf->password : "no password"); if (sk_open(s) < 0) goto err; - //int rv = sk_set_ao_auth(s, p->local_ip, p->remote_ip, -1, s->iface, s->password ? s->password : "d3f4u1t", 1); + log("a..........................................................................................fd %i key %i %I", s->fd, s->ao_key, s->daddr); + /* Set minimal receive TTL if needed */ if (p->cf->ttl_security) if (sk_set_min_ttl(s, 256 - hops) < 0) @@ -2170,9 +2170,9 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new) log("in reconf ao"); sock *s_passiv = old_proto.sock->sk; sock *s_activ = old_proto.conn->sk; - int key_in_use = get_current_key_id(s_activ->fd); + int key_in_use_rem = get_current_key_id(s_activ->fd); - if (key_in_use == -1) + if (key_in_use_rem == -1) { log("Unable to detect currently used key"); return 0; @@ -2180,10 +2180,15 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new) struct ao_key *old_aos[256]; memset(&old_aos, 0, sizeof(struct ao_key*)*256); + struct ao_key *old_rem_id[256]; + memset(&old_rem_id, 0, sizeof(struct ao_key*)*256); + for(struct ao_key *ao_key = old_proto.cf->ao_key; ao_key; ao_key = ao_key->next_key) { old_aos[ao_key->local_id] = ao_key; + old_rem_id[ao_key->remote_id] = ao_key; } + int key_in_use = old_rem_id[key_in_use_rem]->local_id; for(struct ao_key *ao_key = new.ao_key; ao_key; ao_key = ao_key->next_key) { if(old_aos[ao_key->local_id]) @@ -2191,15 +2196,13 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new) if(compare_aos(ao_key, old_aos[ao_key->local_id])) { struct ao_key *o = old_aos[ao_key->local_id]; - log("%i %i %i %i %s %s %s %s", ao_key->local_id, o->local_id, ao_key->remote_id, o->remote_id, ao_key->cipher, o->cipher, ao_key->master_key, o->master_key); + log("%i %i (master %i) %i %i %s %s %s %s", ao_key->local_id, o->local_id, key_in_use, ao_key->remote_id, o->remote_id, ao_key->cipher, o->cipher, ao_key->master_key, o->master_key); if (ao_key->local_id == key_in_use) { - //struct ao_key *o = old_aos[ao_key->local_id]; - //log("%i %i %i %i %s %s %s %s", ao_key->local_id, o->local_id, ao_key->remote_id, o->remote_id, ao_key->cipher, o->cipher, ao_key->master_key, o->master_key); - log("Currently used master key part update. This is not allowed."); + cf_warn("TCP AO reconfiguration: Currently used master key (%i) part update. This is not allowed.", ao_key->local_id); return 0; } - log("Reusing key id. Not nice. Lets try to update."); + cf_warn("TCP AO reconfiguration: Reusing or manipulating key with id %i. This might break connection.", ao_key->local_id); struct ao_key *old_key = old_aos[ao_key->local_id]; ao_delete_key(s_activ, old_proto.remote_ip, -1, s_activ->iface, old_key->local_id, old_key->remote_id); @@ -2211,13 +2214,19 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new) } else { + if (old_rem_id[ao_key->remote_id]) + cf_warn("TCP AO reconfiguration: Reusing remote id %i with new local id %i. This might break your connection.", ao_key->remote_id, ao_key->local_id); sk_set_ao_auth(s_activ, old_proto.local_ip, old_proto.remote_ip, -1, s_activ->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, ao_key->required == 1); sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0); } + s_activ->ao_key = new.ao_key; + s_passiv->ao_key = new.ao_key; - if (ao_key->required == 1) + if (ao_key->required == 1 && (ao_key->local_id != get_rnext_key_id(s_activ->fd))) { - ao_try_change_master(s_activ->fd, ao_key->local_id); // or remote id? + ao_try_change_master(s_activ->fd, ao_key->local_id); + if (old_proto.conn->hold_timer->expires != 0) + bgp_schedule_packet(old_proto.conn, NULL, PKT_KEEPALIVE); // According to RFC we should not send keepalive shortly after another, but since reconfiguration is rare, this is harmless } } for(int i = 0; i<256; i++) @@ -2226,14 +2235,14 @@ int reconfigure_tcp_ao(struct bgp_proto old_proto, struct bgp_config new) { if (i == key_in_use) { - log("Currently used key deletion. This is not allowed."); + cf_warn("TCP AO reconfiguration: Currently used key (id %i) deletion. This is not allowed.", i); return 0; } ao_delete_key(s_activ, old_proto.remote_ip, -1, s_activ->iface, old_aos[i]->local_id, old_aos[i]->remote_id); ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_aos[i]->local_id, old_aos[i]->remote_id); } } - log("no changes in ao"); + log("no big changes in ao"); return 1; } diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y index f3cac939..e0fc6aef 100644 --- a/proto/bgp/config.Y +++ b/proto/bgp/config.Y @@ -245,6 +245,8 @@ ao_key: ao_first_item: LOCAL ID expr ';' { + if($3 >= 256) + cf_error("Key ids ust be in range 0 - 255"); if (!BGP_CFG->ao_lp) BGP_CFG->ao_lp = lp_new(rp_new(&root_pool, "ao struct pool")); struct ao_key *new_key = lp_alloc(BGP_CFG->ao_lp, sizeof(struct ao_key)); @@ -252,20 +254,27 @@ ao_first_item: BGP_CFG->ao_key = new_key; BGP_CFG->ao_key->required = 0; BGP_CFG->ao_key->local_id = $3; + BGP_CFG->ao_key->remote_id = -1; } ; ao_item: - REMOTE ID expr ';' {log("remote id %i", $3); BGP_CFG->ao_key->remote_id = $3; } - | CIPHER text ';' { char *c = lp_alloc(BGP_CFG->ao_lp, strlen($2)); + REMOTE ID expr ';' { + if ($3 > 255) + cf_error("TCP AO: Key id must be in range 0 - 255"); + BGP_CFG->ao_key->remote_id = $3; } + | CIPHER text ';' { + if (strcmp($2, "cmac(aes128)") & strcmp($2, "hmac(sha1)") & strcmp($2, "hmac(sha224)") & strcmp($2, "hmac(sha256)") & strcmp($2, "hmac(sha384)") & strcmp($2, "hmac(sha512)")& strcmp($2, "hmac(md5)")) + cf_error("TCP AO: Here are ciphers 'cmac(aes128)', 'hmac(md5)', 'hmac(sha1)', 'hmac(sha224)', 'hmac(sha256)', 'hmac(sha384)' and 'hmac(sha512)' hardcoded. If there is another cipher available in kernel, please contact BIRD developers."); + char *c = lp_alloc(BGP_CFG->ao_lp, strlen($2)); memcpy(c, $2, strlen($2)); BGP_CFG->ao_key->cipher = c; - log("ciph[%s]", $2); } + } | MASTER KEY text ';' { char *k = lp_alloc(BGP_CFG->ao_lp, strlen($3)); memcpy(k, $3, strlen($3)); BGP_CFG->ao_key->master_key = k; - log("key[%s]", BGP_CFG->ao_key->master_key);} + } | DEPRECATED ';' { BGP_CFG->ao_key->required = -1; } | REQUIRED ';' { BGP_CFG->ao_key->required = 1; } ; @@ -283,21 +292,27 @@ tcp_ao_end: while (key) { if (used_aos_id_loc[key->local_id]) - cf_error("Reused local key id"); + cf_error("TCP AO: Reused local key id %i", key->local_id); used_aos_id_loc[key->local_id] = 1; + if (key->remote_id == -1) + cf_error("TCP AO: No remote key id for local id %i", key->local_id); if (used_aos_id_rem[key->remote_id]) - cf_error("Reused remote key id"); + cf_error("TCP AO: Reused remote key id %i", key->remote_id); used_aos_id_rem[key->remote_id] = 1; + if (!key->cipher) + cf_error("TCP AO: No cipher given for key id %i.", key->local_id); + if (!key->master_key) + cf_error("TCP AO: No master key given for key id %i.", key->local_id); if (key->required == 1) { if (required_found) - cf_error("How do you want to use two keys at once? Check 'REQUIRED'"); + cf_error("TCP AO: How do you want to use two keys at once? Check 'REQUIRED'"); required_found = 1; } key = key->next_key; } if (required_found == 0) - cf_error("Missing 'REQUIRED'. Which key should be used?"); + cf_error("TCP AO: Missing 'REQUIRED'. Which key should be used?"); } bgp_channel_start: bgp_afi diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c index 97c1102e..eae6f874 100644 --- a/proto/bgp/packets.c +++ b/proto/bgp/packets.c @@ -3424,8 +3424,25 @@ int bgp_rx(sock *sk, uint size) { struct bgp_conn *conn = sk->data; - //if (get_current_key_id(sk->fd) == conn->last_used_ao_key) TODO: uncoment after debug - log_ao(sk->fd); + + if (sk->ao_key) + { + if (get_current_key_id(sk->fd) != conn->last_used_ao_key) + { + if (conn->hold_timer->expires != 0) + bgp_schedule_packet(conn, NULL, PKT_KEEPALIVE); // We might send this keepalive shortly after another. RFC says we should wait, but since reconfiguration is rare, this is harmless. + conn->last_used_ao_key = get_current_key_id(sk->fd); + log_ao(sk->fd); + log("%i", sk->ao_key); + } + else //todo delete after debug + { + log_ao(sk->fd); + log("%i %i", get_current_key_id(sk->fd), conn->last_used_ao_key); + log("fd %i sk %i key %i", sk->fd, sk, sk->ao_key); + } + } + byte *pkt_start = sk->rbuf; byte *end = pkt_start + size; uint i, len; diff --git a/sysdep/linux/sysio.h b/sysdep/linux/sysio.h index a2e43182..4252623d 100644 --- a/sysdep/linux/sysio.h +++ b/sysdep/linux/sysio.h @@ -253,6 +253,21 @@ int get_current_key_id(int sock_fd) return tmp.current_key; } +int get_rnext_key_id(int sock_fd) +{ + struct tcp_ao_info_opt_ext tmp; + memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext)); + socklen_t len = sizeof(tmp); + + if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len)) + { + log("get rnext ao key failed %i", errno); + return -1; + } + else + return tmp.rnext; +} + void log_tcp_ao_get_key(int sock_fd) { @@ -290,7 +305,9 @@ sk_set_ao_auth(sock *s, ip_addr local, ip_addr remote, int pxlen, struct iface * { struct tcp_ao_add_ext ao; memset(&ao, 0, sizeof(struct tcp_ao_add_ext)); - log("in sk set ao, pass %s", passwd); + if (!s->ao_key) + bug("no ao key"); + log(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>in sk set ao, pass %s fd %i sk %i %i", passwd, s->fd, s, s->ao_key); /* int af; if (ipa_is_ip4(remote)) af = AF_INET; @@ -318,8 +335,7 @@ sk_set_ao_auth(sock *s, ip_addr local, ip_addr remote, int pxlen, struct iface * ao.keylen = strlen(passwd); memcpy(ao.key, passwd, (strlen(passwd) > TCP_AO_MAXKEYLEN_) ? TCP_AO_MAXKEYLEN_ : strlen(passwd)); - - int IPPROTO_TCP_ = 6; + if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_ADD_KEY, &ao, sizeof(ao)) < 0) bug("tcp ao err %i", errno); @@ -341,7 +357,7 @@ ao_delete_key(sock *s, ip_addr remote, int pxlen, struct iface *ifa, int passwd_ del.prefix = 32; else del.prefix = 128; - int IPPROTO_TCP_ = 6; + if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_DEL_KEY, &del, sizeof(del)) < 0) bug("tcp ao deletion err %i", errno); log("tcp ao key %i %i deleted", passwd_id_loc, passwd_id_rem); diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c index 12986ee8..6057b6e1 100644 --- a/sysdep/unix/io.c +++ b/sysdep/unix/io.c @@ -1098,6 +1098,7 @@ sk_passive_connected(sock *s, int type) t->vrf = s->vrf; t->rbsize = s->rbsize; t->tbsize = s->tbsize; + t->ao_key = s->ao_key; if (type == SK_TCP) {