/* * BIRD Internet Routing Daemon -- Linux Multicasting and Network Includes * * (c) 1998--2000 Martin Mares * * Can be freely distributed and used under the terms of the GNU GPL. */ #include "sysdep/linux/tcp-ao.h" #ifndef IPV6_MINHOPCOUNT #define IPV6_MINHOPCOUNT 73 #endif #ifndef IPV6_FREEBIND #define IPV6_FREEBIND 78 #endif #ifndef TCP_MD5SIG_EXT #define TCP_MD5SIG_EXT 32 #endif #ifndef TCP_MD5SIG_FLAG_PREFIX #define TCP_MD5SIG_FLAG_PREFIX 1 #endif #ifndef TCP_AO_ADD_KEY #define TCP_AO_ADD_KEY 38 /* Add/Set MKT */ #define TCP_AO_DEL_KEY 39 /* Delete MKT */ #define TCP_AO_INFO 40 /* Set/list TCP-AO per-socket options */ #define TCP_AO_GET_KEYS 41 /* List MKT(s) */ #define TCP_AO_REPAIR 42 /* Get/Set SNEs and ISNs */ #endif /* We redefine the tcp_md5sig structure with different name to avoid collision with older headers */ struct tcp_md5sig_ext { struct sockaddr_storage tcpm_addr; /* Address associated */ u8 tcpm_flags; /* Extension flags */ u8 tcpm_prefixlen; /* Address prefix */ u16 tcpm_keylen; /* Key length */ u32 __tcpm_pad2; /* Zero */ u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* Key (binary) */ }; /* Linux does not care if sa_len is larger than needed */ #define SA_LEN(x) sizeof(sockaddr) /* * Linux IPv4 multicast syscalls */ #define INIT_MREQ4(maddr,ifa) \ { .imr_multiaddr = ipa_to_in4(maddr), .imr_ifindex = ifa->index } static inline int sk_setup_multicast4(sock *s) { struct ip_mreqn mr = { .imr_ifindex = s->iface->index }; int ttl = s->ttl; int n = 0; /* This defines where should we send _outgoing_ multicasts */ if (setsockopt(s->fd, SOL_IP, IP_MULTICAST_IF, &mr, sizeof(mr)) < 0) ERR("IP_MULTICAST_IF"); if (setsockopt(s->fd, SOL_IP, IP_MULTICAST_TTL, &ttl, sizeof(ttl)) < 0) ERR("IP_MULTICAST_TTL"); if (setsockopt(s->fd, SOL_IP, IP_MULTICAST_LOOP, &n, sizeof(n)) < 0) ERR("IP_MULTICAST_LOOP"); return 0; } static inline int sk_join_group4(sock *s, ip_addr maddr) { struct ip_mreqn mr = INIT_MREQ4(maddr, s->iface); if (setsockopt(s->fd, SOL_IP, IP_ADD_MEMBERSHIP, &mr, sizeof(mr)) < 0) ERR("IP_ADD_MEMBERSHIP"); return 0; } static inline int sk_leave_group4(sock *s, ip_addr maddr) { struct ip_mreqn mr = INIT_MREQ4(maddr, s->iface); if (setsockopt(s->fd, SOL_IP, IP_DROP_MEMBERSHIP, &mr, sizeof(mr)) < 0) ERR("IP_DROP_MEMBERSHIP"); return 0; } /* * Linux IPv4 packet control messages */ /* Mostly similar to standardized IPv6 code */ #define CMSG4_SPACE_PKTINFO CMSG_SPACE(sizeof(struct in_pktinfo)) #define CMSG4_SPACE_TTL CMSG_SPACE(sizeof(int)) static inline int sk_request_cmsg4_pktinfo(sock *s) { int y = 1; if (setsockopt(s->fd, SOL_IP, IP_PKTINFO, &y, sizeof(y)) < 0) ERR("IP_PKTINFO"); return 0; } static inline int sk_request_cmsg4_ttl(sock *s) { int y = 1; if (setsockopt(s->fd, SOL_IP, IP_RECVTTL, &y, sizeof(y)) < 0) ERR("IP_RECVTTL"); return 0; } static inline void sk_process_cmsg4_pktinfo(sock *s, struct cmsghdr *cm) { if (cm->cmsg_type == IP_PKTINFO) { struct in_pktinfo *pi = (struct in_pktinfo *) CMSG_DATA(cm); s->laddr = ipa_from_in4(pi->ipi_addr); s->lifindex = pi->ipi_ifindex; } } static inline void sk_process_cmsg4_ttl(sock *s, struct cmsghdr *cm) { if (cm->cmsg_type == IP_TTL) s->rcv_ttl = * (int *) CMSG_DATA(cm); } static inline void sk_prepare_cmsgs4(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen) { struct cmsghdr *cm; struct in_pktinfo *pi; int controllen = 0; msg->msg_control = cbuf; msg->msg_controllen = cbuflen; cm = CMSG_FIRSTHDR(msg); cm->cmsg_level = SOL_IP; cm->cmsg_type = IP_PKTINFO; cm->cmsg_len = CMSG_LEN(sizeof(*pi)); controllen += CMSG_SPACE(sizeof(*pi)); pi = (struct in_pktinfo *) CMSG_DATA(cm); pi->ipi_ifindex = s->iface ? s->iface->index : 0; pi->ipi_spec_dst = ipa_to_in4(s->saddr); pi->ipi_addr = ipa_to_in4(IPA_NONE); msg->msg_controllen = controllen; } /* * Miscellaneous Linux socket syscalls */ int sk_set_md5_auth(sock *s, ip_addr local UNUSED, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int setkey UNUSED) { struct tcp_md5sig_ext md5; log("md5 password is %i, socket fd %i", passwd, s->fd); memset(&md5, 0, sizeof(md5)); sockaddr_fill((sockaddr *) &md5.tcpm_addr, s->af, remote, ifa, 0); if (passwd) { int len = strlen(passwd); if (len > TCP_MD5SIG_MAXKEYLEN) ERR_MSG("The password for TCP MD5 Signature is too long"); md5.tcpm_keylen = len; memcpy(&md5.tcpm_key, passwd, len); } if (pxlen < 0) { if (setsockopt(s->fd, SOL_TCP, TCP_MD5SIG_EXT, &md5, sizeof(md5)) < 0) if (errno == ENOPROTOOPT) ERR_MSG("Kernel does not support TCP MD5 signatures"); else ERR("TCP_MD5SIG"); } else { md5.tcpm_flags = TCP_MD5SIG_FLAG_PREFIX; md5.tcpm_prefixlen = pxlen; if (setsockopt(s->fd, SOL_TCP, TCP_MD5SIG_EXT, &md5, sizeof(md5)) < 0) { if (errno == ENOPROTOOPT) ERR_MSG("Kernel does not support extended TCP MD5 signatures"); else ERR("TCP_MD5SIG_EXT"); } } return 0; } void log_tcp_ao_info(int sock_fd) { struct tcp_ao_info_opt_ext tmp; memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext)); socklen_t len = sizeof(tmp); log("socket: fd %i", sock_fd); if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len)) { log("log tcp ao info failed with err code %i", errno); return; } else log("current key id %i (rem), next key %i (loc),\n set current %i, ao required %i\n good packets %i, bad packets %i", tmp.current_key, tmp.rnext, tmp.set_current, tmp.ao_required, tmp.pkt_good, tmp.pkt_bad); } int get_current_key_id(int sock_fd) { struct tcp_ao_info_opt_ext tmp; memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext)); socklen_t len = sizeof(tmp); if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len)) { log("get current ao key failed %i", errno); return -1; } else return tmp.current_key; } int get_rnext_key_id(int sock_fd) { struct tcp_ao_info_opt_ext tmp; memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext)); socklen_t len = sizeof(tmp); if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len)) { log("get rnext ao key failed %i", errno); return -1; } else return tmp.rnext; } int get_num_ao_keys(int sock_fd) { struct tcp_ao_getsockopt_ext tmp; memset(&tmp, 0, sizeof(struct tcp_ao_getsockopt_ext)); socklen_t len = sizeof(tmp); tmp.nkeys = 1; tmp.get_all = 1; if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, &tmp, &len)) { log("tcp ao get keys failed with err code %i", errno); return -1; } return tmp.nkeys; } void log_tcp_ao_get_key(int sock_fd) { int nkeys = get_num_ao_keys(sock_fd); if (nkeys < 0) return; struct tcp_ao_getsockopt_ext tm_all[nkeys]; socklen_t len = sizeof(struct tcp_ao_getsockopt_ext); memset(tm_all, 0, sizeof(struct tcp_ao_getsockopt_ext)*nkeys); tm_all[0].nkeys = nkeys; tm_all[0].get_all = 1; if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, tm_all, &len)) // len should be still size of one struct. Because kernel net/ipv4/tcp_ao.c line 2165 { log("log tcp ao get keys failed with err code %i", errno); return; } log("keys %i %i", nkeys, tm_all[0].nkeys); for (int i = 0; i < nkeys; i++) { log("sndid %i rcvid %i, %s %s, cipher %s key %s (%i/%i)", tm_all[i].sndid, tm_all[i].rcvid, tm_all[i].is_current ? "current" : "", tm_all[i].is_rnext ? "rnext" : "", tm_all[i].alg_name, tm_all[i].key, i+1, tm_all[0].nkeys); } } int sk_set_ao_auth(sock *s, ip_addr local UNUSED, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int passwd_id_loc, int passwd_id_rem, const char* cipher, int set_current) { struct tcp_ao_add_ext ao; memset(&ao, 0, sizeof(struct tcp_ao_add_ext)); log(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>in sk set ao, pass %s fd %i sk %i %i", passwd, s->fd, s); /* int af; if (ipa_is_ip4(remote)) af = AF_INET; else a = AF_INET6;*/ sockaddr_fill((sockaddr *) &ao.addr, s->af, remote, ifa, 0); if (set_current) { ao.set_rnext = 1; ao.set_current = 1; } if (pxlen >= 0) ao.prefix = pxlen; else if(s->af == AF_INET) ao.prefix = 32; else ao.prefix = 128; ao.sndid = passwd_id_rem; ao.rcvid = passwd_id_loc; ao.maclen = 0; ao.keyflags = 0; ao.ifindex = 0; strncpy(ao.alg_name, (cipher) ? cipher : DEFAULT_TEST_ALGO, 64); ao.keylen = strlen(passwd); memcpy(ao.key, passwd, (strlen(passwd) > TCP_AO_MAXKEYLEN_) ? TCP_AO_MAXKEYLEN_ : strlen(passwd)); if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_ADD_KEY, &ao, sizeof(ao)) < 0) { if (errno == ENOPROTOOPT) ERR_MSG("Kernel does not support extended TCP AO signatures"); else ERR("TCP_AOSIG_EXT"); } s->use_ao = 1; if (set_current) s->desired_ao_key = passwd_id_rem; log_tcp_ao_get_key(s->fd); return 0; } void ao_delete_key(sock *s, ip_addr remote, int pxlen, struct iface *ifa, int passwd_id_loc, int passwd_id_rem) { struct tcp_ao_del_ext del; memset(&del, 0, sizeof(struct tcp_ao_del_ext)); sockaddr_fill((sockaddr *) &del.addr, s->af, remote, ifa, 0); del.sndid = passwd_id_rem; del.rcvid = passwd_id_loc; if (pxlen >= 0) del.prefix = pxlen; else if(s->af == AF_INET) del.prefix = 32; else del.prefix = 128; if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_DEL_KEY, &del, sizeof(del)) < 0) { log("log keys for debug delete error key %i %i", passwd_id_loc, passwd_id_rem); log_tcp_ao_get_key(s->fd); bug("tcp ao deletion err %i", errno); } log("tcp ao key %i %i deleted", passwd_id_loc, passwd_id_rem); } void ao_try_change_master(sock *s, int next_master_id_loc, int next_master_id_rem) { struct tcp_ao_info_opt_ext tmp; memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext)); tmp.set_rnext = 1; tmp.rnext = next_master_id_loc; if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, sizeof(tmp))) { log(" tcp ao change master key failed with err code %i", errno); log_tcp_ao_get_key(s->fd); return; } else log("tried to change master"); s->desired_ao_key = next_master_id_rem; } int check_ao_keys_id(int sock_fd, struct ao_key *keys) { int errors = 0; int expected_keys[256]; //can not have char, because we must support 0 key id memset(expected_keys, 0, sizeof(int)*256); for (struct ao_key *key = keys; key; key = key->next_key) expected_keys[key->local_id] = key->remote_id + 1; // the + 1 because we do not want 0 id be 0 int nkeys = get_num_ao_keys(sock_fd); if(nkeys == -1) { cf_warn("TCP AO: unable to get num of keys"); return 1; } struct tcp_ao_getsockopt_ext tm_all[nkeys]; socklen_t len = sizeof(struct tcp_ao_getsockopt_ext); memset(tm_all, 0, sizeof(struct tcp_ao_getsockopt_ext)*nkeys); tm_all[0].nkeys = nkeys; tm_all[0].get_all = 1; if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, tm_all, &len)) // len should be still size of one struct. Because kernel net/ipv4/tcp_ao.c line 2165 { cf_warn("log tcp ao get keys failed with err code %i", errno); return 1; } for (int i = 0; i< nkeys; i++) { struct tcp_ao_getsockopt_ext sock_key = tm_all[i]; if (expected_keys[sock_key.rcvid] - 1 != sock_key.sndid) { if (expected_keys[sock_key.rcvid] == 0) cf_warn("TCP AO: unexpected ao key %i %i", sock_key.rcvid, sock_key.sndid); else cf_warn("TCP AO: expected key local id %i has different remote id than expected (%i vs %i)", sock_key.rcvid, expected_keys[sock_key.rcvid] - 1, sock_key.sndid); errors++; } expected_keys[sock_key.rcvid] = 0; } for (int i = 0; i < 256; i++) { if (expected_keys[i] != 0) { cf_warn("TCP AO: key %i %i is not in socket", i, expected_keys - 1); errors++; } } return errors; } static inline int sk_set_min_ttl4(sock *s, int ttl) { if (setsockopt(s->fd, SOL_IP, IP_MINTTL, &ttl, sizeof(ttl)) < 0) { if (errno == ENOPROTOOPT) ERR_MSG("Kernel does not support IPv4 TTL security"); else ERR("IP_MINTTL"); } return 0; } static inline int sk_set_min_ttl6(sock *s, int ttl) { if (setsockopt(s->fd, SOL_IPV6, IPV6_MINHOPCOUNT, &ttl, sizeof(ttl)) < 0) { if (errno == ENOPROTOOPT) ERR_MSG("Kernel does not support IPv6 TTL security"); else ERR("IPV6_MINHOPCOUNT"); } return 0; } static inline int sk_disable_mtu_disc4(sock *s) { int dont = IP_PMTUDISC_DONT; if (setsockopt(s->fd, SOL_IP, IP_MTU_DISCOVER, &dont, sizeof(dont)) < 0) ERR("IP_MTU_DISCOVER"); return 0; } static inline int sk_disable_mtu_disc6(sock *s) { int dont = IPV6_PMTUDISC_DONT; if (setsockopt(s->fd, SOL_IPV6, IPV6_MTU_DISCOVER, &dont, sizeof(dont)) < 0) ERR("IPV6_MTU_DISCOVER"); return 0; } int sk_priority_control = 7; static inline int sk_set_priority(sock *s, int prio) { if (setsockopt(s->fd, SOL_SOCKET, SO_PRIORITY, &prio, sizeof(prio)) < 0) ERR("SO_PRIORITY"); return 0; } static inline int sk_set_freebind(sock *s) { int y = 1; if (sk_is_ipv4(s)) if (setsockopt(s->fd, SOL_IP, IP_FREEBIND, &y, sizeof(y)) < 0) ERR("IP_FREEBIND"); if (sk_is_ipv6(s)) if (setsockopt(s->fd, SOL_IPV6, IPV6_FREEBIND, &y, sizeof(y)) < 0) ERR("IPV6_FREEBIND"); return 0; }