mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2024-12-23 10:11:53 +00:00
526 lines
13 KiB
C
526 lines
13 KiB
C
/*
|
|
* BIRD Internet Routing Daemon -- Linux Multicasting and Network Includes
|
|
*
|
|
* (c) 1998--2000 Martin Mares <mj@ucw.cz>
|
|
*
|
|
* Can be freely distributed and used under the terms of the GNU GPL.
|
|
*/
|
|
|
|
#include "sysdep/linux/tcp-ao.h"
|
|
|
|
|
|
#ifndef IPV6_MINHOPCOUNT
|
|
#define IPV6_MINHOPCOUNT 73
|
|
#endif
|
|
|
|
#ifndef IPV6_FREEBIND
|
|
#define IPV6_FREEBIND 78
|
|
#endif
|
|
|
|
#ifndef TCP_MD5SIG_EXT
|
|
#define TCP_MD5SIG_EXT 32
|
|
#endif
|
|
|
|
#ifndef TCP_MD5SIG_FLAG_PREFIX
|
|
#define TCP_MD5SIG_FLAG_PREFIX 1
|
|
#endif
|
|
|
|
#ifndef TCP_AO_ADD_KEY
|
|
#define TCP_AO_ADD_KEY 38 /* Add/Set MKT */
|
|
#define TCP_AO_DEL_KEY 39 /* Delete MKT */
|
|
#define TCP_AO_INFO 40 /* Set/list TCP-AO per-socket options */
|
|
#define TCP_AO_GET_KEYS 41 /* List MKT(s) */
|
|
#define TCP_AO_REPAIR 42 /* Get/Set SNEs and ISNs */
|
|
|
|
#endif
|
|
|
|
/* We redefine the tcp_md5sig structure with different name to avoid collision with older headers */
|
|
struct tcp_md5sig_ext {
|
|
struct sockaddr_storage tcpm_addr; /* Address associated */
|
|
u8 tcpm_flags; /* Extension flags */
|
|
u8 tcpm_prefixlen; /* Address prefix */
|
|
u16 tcpm_keylen; /* Key length */
|
|
u32 __tcpm_pad2; /* Zero */
|
|
u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* Key (binary) */
|
|
};
|
|
|
|
|
|
/* Linux does not care if sa_len is larger than needed */
|
|
#define SA_LEN(x) sizeof(sockaddr)
|
|
|
|
|
|
/*
|
|
* Linux IPv4 multicast syscalls
|
|
*/
|
|
|
|
#define INIT_MREQ4(maddr,ifa) \
|
|
{ .imr_multiaddr = ipa_to_in4(maddr), .imr_ifindex = ifa->index }
|
|
|
|
static inline int
|
|
sk_setup_multicast4(sock *s)
|
|
{
|
|
struct ip_mreqn mr = { .imr_ifindex = s->iface->index };
|
|
int ttl = s->ttl;
|
|
int n = 0;
|
|
|
|
/* This defines where should we send _outgoing_ multicasts */
|
|
if (setsockopt(s->fd, SOL_IP, IP_MULTICAST_IF, &mr, sizeof(mr)) < 0)
|
|
ERR("IP_MULTICAST_IF");
|
|
|
|
if (setsockopt(s->fd, SOL_IP, IP_MULTICAST_TTL, &ttl, sizeof(ttl)) < 0)
|
|
ERR("IP_MULTICAST_TTL");
|
|
|
|
if (setsockopt(s->fd, SOL_IP, IP_MULTICAST_LOOP, &n, sizeof(n)) < 0)
|
|
ERR("IP_MULTICAST_LOOP");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
sk_join_group4(sock *s, ip_addr maddr)
|
|
{
|
|
struct ip_mreqn mr = INIT_MREQ4(maddr, s->iface);
|
|
|
|
if (setsockopt(s->fd, SOL_IP, IP_ADD_MEMBERSHIP, &mr, sizeof(mr)) < 0)
|
|
ERR("IP_ADD_MEMBERSHIP");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
sk_leave_group4(sock *s, ip_addr maddr)
|
|
{
|
|
struct ip_mreqn mr = INIT_MREQ4(maddr, s->iface);
|
|
|
|
if (setsockopt(s->fd, SOL_IP, IP_DROP_MEMBERSHIP, &mr, sizeof(mr)) < 0)
|
|
ERR("IP_DROP_MEMBERSHIP");
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* Linux IPv4 packet control messages
|
|
*/
|
|
|
|
/* Mostly similar to standardized IPv6 code */
|
|
|
|
#define CMSG4_SPACE_PKTINFO CMSG_SPACE(sizeof(struct in_pktinfo))
|
|
#define CMSG4_SPACE_TTL CMSG_SPACE(sizeof(int))
|
|
|
|
static inline int
|
|
sk_request_cmsg4_pktinfo(sock *s)
|
|
{
|
|
int y = 1;
|
|
|
|
if (setsockopt(s->fd, SOL_IP, IP_PKTINFO, &y, sizeof(y)) < 0)
|
|
ERR("IP_PKTINFO");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
sk_request_cmsg4_ttl(sock *s)
|
|
{
|
|
int y = 1;
|
|
|
|
if (setsockopt(s->fd, SOL_IP, IP_RECVTTL, &y, sizeof(y)) < 0)
|
|
ERR("IP_RECVTTL");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline void
|
|
sk_process_cmsg4_pktinfo(sock *s, struct cmsghdr *cm)
|
|
{
|
|
if (cm->cmsg_type == IP_PKTINFO)
|
|
{
|
|
struct in_pktinfo *pi = (struct in_pktinfo *) CMSG_DATA(cm);
|
|
s->laddr = ipa_from_in4(pi->ipi_addr);
|
|
s->lifindex = pi->ipi_ifindex;
|
|
}
|
|
}
|
|
|
|
static inline void
|
|
sk_process_cmsg4_ttl(sock *s, struct cmsghdr *cm)
|
|
{
|
|
if (cm->cmsg_type == IP_TTL)
|
|
s->rcv_ttl = * (int *) CMSG_DATA(cm);
|
|
}
|
|
|
|
static inline void
|
|
sk_prepare_cmsgs4(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen)
|
|
{
|
|
struct cmsghdr *cm;
|
|
struct in_pktinfo *pi;
|
|
int controllen = 0;
|
|
|
|
msg->msg_control = cbuf;
|
|
msg->msg_controllen = cbuflen;
|
|
|
|
cm = CMSG_FIRSTHDR(msg);
|
|
cm->cmsg_level = SOL_IP;
|
|
cm->cmsg_type = IP_PKTINFO;
|
|
cm->cmsg_len = CMSG_LEN(sizeof(*pi));
|
|
controllen += CMSG_SPACE(sizeof(*pi));
|
|
|
|
pi = (struct in_pktinfo *) CMSG_DATA(cm);
|
|
pi->ipi_ifindex = s->iface ? s->iface->index : 0;
|
|
pi->ipi_spec_dst = ipa_to_in4(s->saddr);
|
|
pi->ipi_addr = ipa_to_in4(IPA_NONE);
|
|
|
|
msg->msg_controllen = controllen;
|
|
}
|
|
|
|
|
|
/*
|
|
* Miscellaneous Linux socket syscalls
|
|
*/
|
|
int
|
|
sk_set_md5_auth(sock *s, ip_addr local UNUSED, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int setkey UNUSED)
|
|
{
|
|
struct tcp_md5sig_ext md5;
|
|
log("md5 password is %i, socket fd %i", passwd, s->fd);
|
|
|
|
memset(&md5, 0, sizeof(md5));
|
|
sockaddr_fill((sockaddr *) &md5.tcpm_addr, s->af, remote, ifa, 0);
|
|
|
|
if (passwd)
|
|
{
|
|
int len = strlen(passwd);
|
|
|
|
if (len > TCP_MD5SIG_MAXKEYLEN)
|
|
ERR_MSG("The password for TCP MD5 Signature is too long");
|
|
|
|
md5.tcpm_keylen = len;
|
|
memcpy(&md5.tcpm_key, passwd, len);
|
|
}
|
|
|
|
if (pxlen < 0)
|
|
{
|
|
if (setsockopt(s->fd, SOL_TCP, TCP_MD5SIG_EXT, &md5, sizeof(md5)) < 0)
|
|
if (errno == ENOPROTOOPT)
|
|
ERR_MSG("Kernel does not support TCP MD5 signatures");
|
|
else
|
|
ERR("TCP_MD5SIG");
|
|
}
|
|
else
|
|
{
|
|
md5.tcpm_flags = TCP_MD5SIG_FLAG_PREFIX;
|
|
md5.tcpm_prefixlen = pxlen;
|
|
|
|
if (setsockopt(s->fd, SOL_TCP, TCP_MD5SIG_EXT, &md5, sizeof(md5)) < 0)
|
|
{
|
|
if (errno == ENOPROTOOPT)
|
|
ERR_MSG("Kernel does not support extended TCP MD5 signatures");
|
|
else
|
|
ERR("TCP_MD5SIG_EXT");
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
void log_tcp_ao_info(int sock_fd)
|
|
{
|
|
struct tcp_ao_info_opt_ext tmp;
|
|
memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext));
|
|
socklen_t len = sizeof(tmp);
|
|
log("socket: fd %i", sock_fd);
|
|
|
|
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len))
|
|
{
|
|
log("log tcp ao info failed with err code %i", errno);
|
|
return;
|
|
}
|
|
else
|
|
log("current key id %i (rem), next key %i (loc),\n set current %i, ao required %i\n good packets %i, bad packets %i",
|
|
tmp.current_key, tmp.rnext, tmp.set_current, tmp.ao_required, tmp.pkt_good, tmp.pkt_bad);
|
|
}
|
|
|
|
int get_current_key_id(int sock_fd)
|
|
{
|
|
struct tcp_ao_info_opt_ext tmp;
|
|
memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext));
|
|
socklen_t len = sizeof(tmp);
|
|
|
|
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len))
|
|
{
|
|
log("get current ao key failed %i", errno);
|
|
return -1;
|
|
}
|
|
else
|
|
return tmp.current_key;
|
|
}
|
|
|
|
int get_rnext_key_id(int sock_fd)
|
|
{
|
|
struct tcp_ao_info_opt_ext tmp;
|
|
memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext));
|
|
socklen_t len = sizeof(tmp);
|
|
|
|
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len))
|
|
{
|
|
log("get rnext ao key failed %i", errno);
|
|
return -1;
|
|
}
|
|
else
|
|
return tmp.rnext;
|
|
}
|
|
|
|
int get_num_ao_keys(int sock_fd)
|
|
{
|
|
struct tcp_ao_getsockopt_ext tmp;
|
|
memset(&tmp, 0, sizeof(struct tcp_ao_getsockopt_ext));
|
|
socklen_t len = sizeof(tmp);
|
|
tmp.nkeys = 1;
|
|
tmp.get_all = 1;
|
|
|
|
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, &tmp, &len))
|
|
{
|
|
log("tcp ao get keys failed with err code %i", errno);
|
|
return -1;
|
|
}
|
|
return tmp.nkeys;
|
|
}
|
|
|
|
void
|
|
log_tcp_ao_get_key(int sock_fd)
|
|
{
|
|
int nkeys = get_num_ao_keys(sock_fd);
|
|
if (nkeys < 0)
|
|
return;
|
|
struct tcp_ao_getsockopt_ext tm_all[nkeys];
|
|
socklen_t len = sizeof(struct tcp_ao_getsockopt_ext);
|
|
memset(tm_all, 0, sizeof(struct tcp_ao_getsockopt_ext)*nkeys);
|
|
tm_all[0].nkeys = nkeys;
|
|
tm_all[0].get_all = 1;
|
|
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, tm_all, &len)) // len should be still size of one struct. Because kernel net/ipv4/tcp_ao.c line 2165
|
|
{
|
|
log("log tcp ao get keys failed with err code %i", errno);
|
|
return;
|
|
}
|
|
log("keys %i %i", nkeys, tm_all[0].nkeys);
|
|
for (int i = 0; i < nkeys; i++)
|
|
{
|
|
log("sndid %i rcvid %i, %s %s, cipher %s key %s (%i/%i)", tm_all[i].sndid, tm_all[i].rcvid, tm_all[i].is_current ? "current" : "", tm_all[i].is_rnext ? "rnext" : "", tm_all[i].alg_name, tm_all[i].key, i+1, tm_all[0].nkeys);
|
|
}
|
|
}
|
|
|
|
int
|
|
sk_set_ao_auth(sock *s, ip_addr local UNUSED, ip_addr remote, int pxlen, struct iface *ifa, const char *passwd, int passwd_id_loc, int passwd_id_rem, const char* cipher, int set_current)
|
|
{
|
|
struct tcp_ao_add_ext ao;
|
|
memset(&ao, 0, sizeof(struct tcp_ao_add_ext));
|
|
log(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>in sk set ao, pass %s fd %i sk %i %i", passwd, s->fd, s);
|
|
/* int af;
|
|
if (ipa_is_ip4(remote))
|
|
af = AF_INET;
|
|
else
|
|
a = AF_INET6;*/
|
|
sockaddr_fill((sockaddr *) &ao.addr, s->af, remote, ifa, 0);
|
|
if (set_current)
|
|
{
|
|
ao.set_rnext = 1;
|
|
ao.set_current = 1;
|
|
}
|
|
if (pxlen >= 0)
|
|
ao.prefix = pxlen;
|
|
else if(s->af == AF_INET)
|
|
ao.prefix = 32;
|
|
else
|
|
ao.prefix = 128;
|
|
ao.sndid = passwd_id_rem;
|
|
ao.rcvid = passwd_id_loc;
|
|
ao.maclen = 0;
|
|
ao.keyflags = 0;
|
|
ao.ifindex = 0;
|
|
|
|
strncpy(ao.alg_name, (cipher) ? cipher : DEFAULT_TEST_ALGO, 64);
|
|
|
|
ao.keylen = strlen(passwd);
|
|
memcpy(ao.key, passwd, (strlen(passwd) > TCP_AO_MAXKEYLEN_) ? TCP_AO_MAXKEYLEN_ : strlen(passwd));
|
|
|
|
if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_ADD_KEY, &ao, sizeof(ao)) < 0)
|
|
{
|
|
if (errno == ENOPROTOOPT)
|
|
ERR_MSG("Kernel does not support extended TCP AO signatures");
|
|
else
|
|
ERR("TCP_AOSIG_EXT");
|
|
}
|
|
|
|
s->use_ao = 1;
|
|
if (set_current)
|
|
s->desired_ao_key = passwd_id_rem;
|
|
log_tcp_ao_get_key(s->fd);
|
|
return 0;
|
|
}
|
|
|
|
void
|
|
ao_delete_key(sock *s, ip_addr remote, int pxlen, struct iface *ifa, int passwd_id_loc, int passwd_id_rem)
|
|
{
|
|
struct tcp_ao_del_ext del;
|
|
memset(&del, 0, sizeof(struct tcp_ao_del_ext));
|
|
sockaddr_fill((sockaddr *) &del.addr, s->af, remote, ifa, 0);
|
|
del.sndid = passwd_id_rem;
|
|
del.rcvid = passwd_id_loc;
|
|
if (pxlen >= 0)
|
|
del.prefix = pxlen;
|
|
else if(s->af == AF_INET)
|
|
del.prefix = 32;
|
|
else
|
|
del.prefix = 128;
|
|
|
|
if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_DEL_KEY, &del, sizeof(del)) < 0)
|
|
{
|
|
log("log keys for debug delete error key %i %i", passwd_id_loc, passwd_id_rem);
|
|
log_tcp_ao_get_key(s->fd);
|
|
bug("tcp ao deletion err %i", errno);
|
|
}
|
|
log("tcp ao key %i %i deleted", passwd_id_loc, passwd_id_rem);
|
|
}
|
|
|
|
void
|
|
ao_try_change_master(sock *s, int next_master_id_loc, int next_master_id_rem)
|
|
{
|
|
struct tcp_ao_info_opt_ext tmp;
|
|
memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext));
|
|
tmp.set_rnext = 1;
|
|
tmp.rnext = next_master_id_loc;
|
|
|
|
if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, sizeof(tmp)))
|
|
{
|
|
log(" tcp ao change master key failed with err code %i", errno);
|
|
log_tcp_ao_get_key(s->fd);
|
|
return;
|
|
}
|
|
else
|
|
log("tried to change master");
|
|
s->desired_ao_key = next_master_id_rem;
|
|
|
|
}
|
|
|
|
int check_ao_keys_id(int sock_fd, struct ao_key *keys)
|
|
{
|
|
int errors = 0;
|
|
int expected_keys[256]; //can not have char, because we must support 0 key id
|
|
memset(expected_keys, 0, sizeof(int)*256);
|
|
for (struct ao_key *key = keys; key; key = key->next_key)
|
|
expected_keys[key->local_id] = key->remote_id + 1; // the + 1 because we do not want 0 id be 0
|
|
int nkeys = get_num_ao_keys(sock_fd);
|
|
if(nkeys == -1)
|
|
{
|
|
cf_warn("TCP AO: unable to get num of keys");
|
|
return 1;
|
|
}
|
|
struct tcp_ao_getsockopt_ext tm_all[nkeys];
|
|
socklen_t len = sizeof(struct tcp_ao_getsockopt_ext);
|
|
memset(tm_all, 0, sizeof(struct tcp_ao_getsockopt_ext)*nkeys);
|
|
tm_all[0].nkeys = nkeys;
|
|
tm_all[0].get_all = 1;
|
|
if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_GET_KEYS, tm_all, &len)) // len should be still size of one struct. Because kernel net/ipv4/tcp_ao.c line 2165
|
|
{
|
|
cf_warn("log tcp ao get keys failed with err code %i", errno);
|
|
return 1;
|
|
}
|
|
for (int i = 0; i< nkeys; i++)
|
|
{
|
|
struct tcp_ao_getsockopt_ext sock_key = tm_all[i];
|
|
if (expected_keys[sock_key.rcvid] - 1 != sock_key.sndid)
|
|
{
|
|
if (expected_keys[sock_key.rcvid] == 0)
|
|
cf_warn("TCP AO: unexpected ao key %i %i", sock_key.rcvid, sock_key.sndid);
|
|
else
|
|
cf_warn("TCP AO: expected key local id %i has different remote id than expected (%i vs %i)", sock_key.rcvid, expected_keys[sock_key.rcvid] - 1, sock_key.sndid);
|
|
errors++;
|
|
}
|
|
expected_keys[sock_key.rcvid] = 0;
|
|
}
|
|
for (int i = 0; i < 256; i++)
|
|
{
|
|
if (expected_keys[i] != 0)
|
|
{
|
|
cf_warn("TCP AO: key %i %i is not in socket", i, expected_keys - 1);
|
|
errors++;
|
|
}
|
|
}
|
|
return errors;
|
|
}
|
|
|
|
static inline int
|
|
sk_set_min_ttl4(sock *s, int ttl)
|
|
{
|
|
if (setsockopt(s->fd, SOL_IP, IP_MINTTL, &ttl, sizeof(ttl)) < 0)
|
|
{
|
|
if (errno == ENOPROTOOPT)
|
|
ERR_MSG("Kernel does not support IPv4 TTL security");
|
|
else
|
|
ERR("IP_MINTTL");
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
sk_set_min_ttl6(sock *s, int ttl)
|
|
{
|
|
if (setsockopt(s->fd, SOL_IPV6, IPV6_MINHOPCOUNT, &ttl, sizeof(ttl)) < 0)
|
|
{
|
|
if (errno == ENOPROTOOPT)
|
|
ERR_MSG("Kernel does not support IPv6 TTL security");
|
|
else
|
|
ERR("IPV6_MINHOPCOUNT");
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
sk_disable_mtu_disc4(sock *s)
|
|
{
|
|
int dont = IP_PMTUDISC_DONT;
|
|
|
|
if (setsockopt(s->fd, SOL_IP, IP_MTU_DISCOVER, &dont, sizeof(dont)) < 0)
|
|
ERR("IP_MTU_DISCOVER");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
sk_disable_mtu_disc6(sock *s)
|
|
{
|
|
int dont = IPV6_PMTUDISC_DONT;
|
|
|
|
if (setsockopt(s->fd, SOL_IPV6, IPV6_MTU_DISCOVER, &dont, sizeof(dont)) < 0)
|
|
ERR("IPV6_MTU_DISCOVER");
|
|
|
|
return 0;
|
|
}
|
|
|
|
int sk_priority_control = 7;
|
|
|
|
static inline int
|
|
sk_set_priority(sock *s, int prio)
|
|
{
|
|
if (setsockopt(s->fd, SOL_SOCKET, SO_PRIORITY, &prio, sizeof(prio)) < 0)
|
|
ERR("SO_PRIORITY");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline int
|
|
sk_set_freebind(sock *s)
|
|
{
|
|
int y = 1;
|
|
|
|
if (sk_is_ipv4(s))
|
|
if (setsockopt(s->fd, SOL_IP, IP_FREEBIND, &y, sizeof(y)) < 0)
|
|
ERR("IP_FREEBIND");
|
|
|
|
if (sk_is_ipv6(s))
|
|
if (setsockopt(s->fd, SOL_IPV6, IPV6_FREEBIND, &y, sizeof(y)) < 0)
|
|
ERR("IPV6_FREEBIND");
|
|
|
|
return 0;
|
|
}
|