r4sas/ts3init_linux_netfilter_module
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Niels Werensteijn 2016-10-07 14:20:59 +02:00
commit 6f72e024ca
8 changed files with 677 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/Makefile Normal file
View File

@ -0,0 +1,18 @@
# -*- Makefile -*-
MODULES_DIR := /lib/modules/$(shell uname -r)
KERNEL_DIR := ${MODULES_DIR}/build
obj-m += xt_ts3init.o
all:
make -C ${KERNEL_DIR} M=$$PWD;
modules:
make -C ${KERNEL_DIR} M=$$PWD $@;
modules_install:
make -C ${KERNEL_DIR} M=$$PWD $@;
clean:
make -C ${KERNEL_DIR} M=$$PWD $@;

8
src/Makefile.xtables Normal file
View File

@ -0,0 +1,8 @@
CFLAGS = -O2 -Wall
lib%.so: lib%.o
gcc -shared -fPIC -o $@ $^;
lib%.o: lib%.c
gcc ${CFLAGS} -D_INIT=lib$*_init -fPIC -c -o $@ $<;

215
src/libxt_ts3init.c Normal file
View File

@ -0,0 +1,215 @@
/*
* "ts3init" match extension for iptables
* Niels Werensteijn <niels werensteijn [at] teamspeak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <getopt.h>
#include <xtables.h>
#include "ts3init_match.h"
/*
#include "compat_user.h"
*/
#define param_act(t, s, f) xtables_param_act((t), "ts3init", (s), (f))
static void ts3init_help(void)
{
printf(
"ts3init match options:\n"
" --get-cookie Check if packet is 'get-cookie' request.\n"
" --get-puzzle Check if packet is 'get-puzzle' request.\n"
" --min-client n The sending client needs to be at least version n.\n"
"\n"
"get-cookie options:\n"
" --check-time sec Check packet send time request. May be off by sec seconds.\n"
"\n"
"get-puzzle options:\n"
" --check-cookie seed Check the cookie. Assume it was generated with seed.\n"
" seed is a 64 byte random number in lowecase hex. Could be\n"
" generated with sha512 of something.\n"
);
}
static const struct option ts3init_opts[] = {
{.name = "get-cookie", .has_arg = false, .val = '1'},
{.name = "get-puzzle", .has_arg = false, .val = '2'},
{.name = "min-client", .has_arg = true, .val = '3'},
{.name = "check-time", .has_arg = true, .val = '4'},
{.name = "check-cookie", .has_arg = true, .val = '5'},
{NULL},
};
static bool hex2int_seed(const char *src, __u8* dst)
{
for (int i = 0; i < 64; ++i)
{
int v = 0;
for (int j = 0; j < 2; ++j)
{
uint8_t byte = *src++;
if (byte >= '0' && byte <= '9') byte = byte - '0';
else if (byte >= 'a' && byte <='f') byte = byte - 'a' + 10;
else if (byte >= 'A' && byte <='F') byte = byte - 'A' + 10;
else return false;
v = (v << 4) | byte;
}
*dst++ = v;
}
return true;
}
static int ts3init_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_ts3init_mtinfo *info = (void *)(*match)->data;
int client_version;
int time_offset;
switch (c) {
case '1':
param_act(XTF_ONLY_ONCE, "--get-cookie", (*flags & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE);
param_act(XTF_NO_INVERT, "--get-cookie", invert);
if ((*flags & COMMAND_MASK) == COMMAND_CHECK_GET_PUZZLE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: use `--get-cookie' OR `--get-puzzle' but not both of them!");
*flags |= COMMAND_CHECK_GET_COOKIE;
info->command_check_and_options |= COMMAND_CHECK_GET_COOKIE;
return true;
case '2':
param_act(XTF_ONLY_ONCE, "--get-puzzle", (*flags & COMMAND_MASK) == COMMAND_CHECK_GET_PUZZLE);
param_act(XTF_NO_INVERT, "--get-puzzle", invert);
if ((*flags & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: use `--get-cookie' OR `--get-puzzle' but not both of them!");
*flags |= COMMAND_CHECK_GET_PUZZLE;
info->command_check_and_options |= COMMAND_CHECK_GET_PUZZLE;
return true;
case '3':
param_act(XTF_ONLY_ONCE, "--min-client", *flags & CHK_COMMON_CLIENT_VERSION);
param_act(XTF_NO_INVERT, "--min-client", invert);
client_version = atoi(optarg);
if (client_version <= 0)
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid min-client version");
*flags |= CHK_COMMON_CLIENT_VERSION;
info->command_check_and_options |= CHK_COMMON_CLIENT_VERSION;
info->min_client_version = client_version;
return true;
case '4':
param_act(XTF_ONLY_ONCE, "--check-time", *flags & CHK_GET_COOKIE_CHECK_TIMESTAMP);
param_act(XTF_NO_INVERT, "--check-time", invert);
if ((*flags & COMMAND_MASK) != COMMAND_CHECK_GET_COOKIE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: --check-time can only work together with --get-cookie");
time_offset = atoi(optarg);
if (time_offset <= 0)
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid time offset");
*flags |= CHK_GET_COOKIE_CHECK_TIMESTAMP;
info->command_check_and_options |= CHK_GET_COOKIE_CHECK_TIMESTAMP;
info->get_cookie_opts.max_utc_offset = time_offset;
return true;
case '5':
param_act(XTF_ONLY_ONCE, "--check-cookie", *flags & CHK_GET_PUZZLE_CHECK_COOKIE);
param_act(XTF_NO_INVERT, "--check-cookie", invert);
if ((*flags & COMMAND_MASK) != COMMAND_CHECK_GET_PUZZLE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: --check-cookie can only work together with --get-puzzle");
if (strlen(optarg) != 128)
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid cookie-seed length");
if (!hex2int_seed(optarg, info->get_puzzle_opts.cookie_seed))
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid cookie-seed. (not lowercase hex)");
*flags |= CHK_GET_PUZZLE_CHECK_COOKIE;
info->command_check_and_options |= CHK_GET_PUZZLE_CHECK_COOKIE;
return true;
default:
return false;
}
}
static void ts3init_check(unsigned int flags)
{
if ((flags & COMMAND_MASK) == 0)
xtables_error(PARAMETER_PROBLEM,
"TS3init match: must specify --get-cookie or --get-puzzle");
}
static void ts3init_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_ts3init_mtinfo *info = (const void *)match->data;
if ((info->command_check_and_options & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE)
{
printf("--get-cookie ");
}
else
{
printf("--get-puzzle ");
}
if (info->command_check_and_options & CHK_COMMON_CLIENT_VERSION)
{
printf("--min-client %u ", info->min_client_version);
}
if ((info->command_check_and_options & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE)
{
if (info->command_check_and_options & CHK_GET_COOKIE_CHECK_TIMESTAMP)
{
printf("--check-time %u ", info->get_cookie_opts.max_utc_offset);
}
}
else
{
if (info->command_check_and_options & CHK_GET_PUZZLE_CHECK_COOKIE)
{
printf("--check-cookie ");
for (int i = 0; i < 64; i++)
{
printf("%02X", info->get_puzzle_opts.cookie_seed[i]);
}
printf(" ");
}
}
}
static void ts3init_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
printf(" -m ts3init ");
ts3init_save(ip, match);
}
static struct xtables_match ts3init_mt_reg = {
.name = "ts3init",
.revision = 0,
.family = NFPROTO_UNSPEC,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_ts3init_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_mtinfo)),
.help = ts3init_help,
.parse = ts3init_parse,
.final_check = ts3init_check,
.print = ts3init_print,
.save = ts3init_save,
.extra_opts = ts3init_opts,
};
static __attribute__((constructor)) void ts3init_mt_ldr(void)
{
xtables_register_match(&ts3init_mt_reg);
}

92
src/ts3init_cookie.c Normal file
View File

@ -0,0 +1,92 @@
/*
* "ts3init" extension for Xtables
*
* Description: A module to aid in ts3 spoof protection
* This is the "cookie" related code
*
* Authors:
* Niels Werensteijn <niels werensteijn [at] teampseak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/time.h>
#include <linux/crypto.h>
#include <linux/err.h>
#include <linux/scatterlist.h>
#include "ts3init_cookie.h"
static void check_update_seed_cache(time_t time, __u8 index,
struct xt_ts3init_cookie_cache* cache,
const __u8* cookie_seed)
{
struct hash_desc desc;
struct scatterlist sg[2];
int ret;
__le32 seed_hash_time;
if (time == cache->time[index]) return;
/* We need to update the cache. */
/* seed = sha512(cookie_seed[60] + __le32 time) */
seed_hash_time = cpu_to_le32( (__u32)time);
sg_init_table(sg, ARRAY_SIZE(sg));
sg_set_buf(&sg[0], cookie_seed, 60);
sg_set_buf(&sg[1], &seed_hash_time, 4);
desc.tfm = crypto_alloc_hash("sha512", 0, 0);
desc.flags = 0;
if (IS_ERR(desc.tfm))
{
printk(KERN_ERR KBUILD_MODNAME ": could not alloc sha512\n");
return;
}
ret = crypto_hash_init(&desc);
if (ret != 0)
{
printk(KERN_ERR KBUILD_MODNAME ": could not initalize sha512\n");
return;
}
ret = crypto_hash_digest(&desc, sg, 64, cache->seed + index * SHA512_SIZE);
if (ret != 0)
{
printk(KERN_ERR KBUILD_MODNAME ": could not digest sha512\n");
return;
}
crypto_free_hash(desc.tfm);
}
static __u8* get_cookie_seed(time_t current_time, __u8 packet_index,
struct xt_ts3init_cookie_cache* cache,
const __u8* cookie_seed)
{
__u8 current_cache_index;
__u8 packet_cache_index;
time_t current_cache_time;
time_t packet_cache_time;
if (packet_index >= 8) return NULL;
current_cache_index = (current_time >> 2) & 1;
packet_cache_index = packet_index >> 2 /* &1 */;
/* get cache time of packet */
current_cache_time = current_time & ~((time_t)3);
packet_cache_time = current_cache_index == packet_cache_index ?
current_cache_time : current_cache_time - (1*4);
/* make sure the cache is up-to-date */
check_update_seed_cache(packet_cache_time, packet_cache_index, cache,
cookie_seed);
/* return the proper seed */
return cache->seed + (SIP_KEY_SIZE * packet_index );
}

15
src/ts3init_cookie.h Normal file
View File

@ -0,0 +1,15 @@
#ifndef _TS3INIT_COOKIE_H
#define _TS3INIT_COOKIE_H
enum {
SHA512_SIZE = 64,
SIP_KEY_SIZE = 16
};
struct xt_ts3init_cookie_cache
{
time_t time[2];
__u8 __attribute__((aligned(8))) seed[SHA512_SIZE*2];
};
#endif /* _TS3INIT_COOKIE_H */

249
src/ts3init_match.c Normal file
View File

@ -0,0 +1,249 @@
/*
* "ts3init" extension for Xtables
*
* Description: A module to aid in ts3 spoof protection
* This is the "match" code
*
* Authors:
* Niels Werensteijn <niels werensteijn [at] teampseak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/netfilter/x_tables.h>
#include <linux/skbuff.h>
#include <linux/udp.h>
#include <linux/jiffies.h>
#include <linux/time.h>
#include <linux/percpu.h>
#include "ts3init_match.h"
#include "ts3init_cookie.h"
struct ts3init_cache_t
{
unsigned long saved_jiffies;
time_t unix_time;
struct xt_ts3init_cookie_cache cookie_cache;
};
struct ts3_init_header_tag
{
union {
char tag8[8];
__aligned_u64 tag64;
};
};
struct ts3_init_header
{
struct ts3_init_header_tag tag;
__be16 packet_id;
__be16 client_id;
__u8 flags;
__u8 client_version_0;
__u8 client_version_1;
__u8 client_version_2;
__u8 client_version_3;
__u8 command;
__u8 payload[20];
};
static const __u16 packet_payload_size[2] = { 34, 38 };
static const struct ts3_init_header_tag header_tag_signature =
{ .tag8 = {'T', 'S', '3', 'I', 'N', 'I', 'T', '1'} };
DEFINE_PER_CPU(struct ts3init_cache_t, ts3init_cache);
static inline void update_cache_time(unsigned long jifs,
struct ts3init_cache_t* cache)
{
if (((long)jifs - (long)cache->saved_jiffies) >= HZ)
{
/* it's been 1 second sinds last time update.
* Get the new unix time and cache it*/
struct timeval tv;
cache->saved_jiffies = jifs;
do_gettimeofday(&tv);
cache->unix_time = tv.tv_sec;
}
}
static bool
ts3init_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct udphdr *udp, udp_buf;
struct ts3init_cache_t* cache;
unsigned int data_len;
unsigned long jifs;
time_t current_unix_time, packet_unix_time;
struct ts3_init_header* ts3_header, ts3_header_buf;
const struct xt_ts3init_mtinfo *info = par->matchinfo;
__u8* cookie_seed;
__u8 cookie[8];
__u8 command = info->command_check_and_options & COMMAND_MASK;
udp = skb_header_pointer(skb, par->thoff, sizeof(*udp), &udp_buf);
data_len = be16_to_cpu(udp->len) - sizeof(*udp);
if (data_len != packet_payload_size[command-1]) return false;
ts3_header = (struct ts3_init_header*) skb_header_pointer(skb,
par->thoff + sizeof(*udp), data_len, &ts3_header_buf);
if (!ts3_header) return false;
if (ts3_header->tag.tag64 != header_tag_signature.tag64) return false;
if (ts3_header->packet_id != cpu_to_be16(101)) return false;
if (ts3_header->client_id != 0) return false;
if (ts3_header->flags != 0x88) return false;
/* TODO: check min_client_version if needed */
switch (command)
{
case COMMAND_CHECK_GET_COOKIE:
{
if (ts3_header->command != 0) return false;
if (info->command_check_and_options & CHK_GET_COOKIE_CHECK_TIMESTAMP)
{
jifs = jiffies;
cache = &get_cpu_var(ts3init_cache);
update_cache_time(jifs, cache);
current_unix_time = cache->unix_time;
put_cpu_var(ts3init_cache);
packet_unix_time =
ts3_header->payload[0] << 24 |
ts3_header->payload[1] << 16 |
ts3_header->payload[2] << 8 |
ts3_header->payload[3];
if (abs(current_unix_time - packet_unix_time) >
info->get_cookie_opts.max_utc_offset) return false;
}
return true;
}
case COMMAND_CHECK_GET_PUZZLE:
{
if (ts3_header->command != 2) return false;
if (info->command_check_and_options & CHK_GET_PUZZLE_CHECK_COOKIE)
{
jifs = jiffies;
cache = &get_cpu_var(ts3init_cache);
update_cache_time(jifs, cache);
current_unix_time = cache->unix_time;
cookie_seed = get_cookie_seed(current_unix_time,
ts3_header->payload[8], &cache->cookie_cache,
info->get_puzzle_opts.cookie_seed);
if (!cookie_seed)
{
put_cpu_var(ts3init_cache);
return false;
}
/* use cookie_seed and ipaddress and port to create a hash
* (cookie) for this connection */
/* TODO: implement using sipHash */
put_cpu_var(ts3init_cache);
/* compare cookie with payload bytes 0-7. if equal, cookie
* is valid */
/*if (memcmp(cookie, ts3_header->payload, 8) != 0) return false;*/
}
return true;
}
default:
return false;
};
}
static int ts3init_mt_check(const struct xt_mtchk_param *par)
{
struct xt_ts3init_mtinfo *info = par->matchinfo;
__u8 command;
if (info->command_check_and_options &
~(COMMAND_AND_CHK_COMMON_MASK | COMMAND_SPECIFIC_OPTIONS_MASK))
{
printk(KERN_INFO KBUILD_MODNAME ": invalid command or common options\n");
return -EINVAL;
}
command = info->command_check_and_options & COMMAND_MASK;
switch (command)
{
case COMMAND_CHECK_GET_COOKIE:
{
if (info->command_check_and_options &
~(COMMAND_AND_CHK_COMMON_MASK | CHK_GET_COOKIE_MASK))
{
printk(KERN_INFO KBUILD_MODNAME ": invalid get_cookie options\n");
return -EINVAL;
}
return 0;
}
case COMMAND_CHECK_GET_PUZZLE:
{
if (info->command_check_and_options &
~(COMMAND_AND_CHK_COMMON_MASK | CHK_GET_PUZZLE_MASK))
{
printk(KERN_INFO KBUILD_MODNAME ": invalid get_puzzle options\n");
return -EINVAL;
}
return 0;
}
default:
{
printk(KERN_INFO KBUILD_MODNAME ": invalid command value\n");
return -EINVAL;
}
}
}
static void ts3init_mt_destroy(const struct xt_mtdtor_param *par)
{
}
static struct xt_match ts3init_mt_reg[] __read_mostly = {
{
.name = "ts3init",
.revision = 0,
.family = NFPROTO_IPV4,
.proto = IPPROTO_UDP,
.matchsize = sizeof(struct xt_ts3init_mtinfo),
.match = ts3init_mt,
.checkentry = ts3init_mt_check,
.destroy = ts3init_mt_destroy,
.me = THIS_MODULE,
},
{
.name = "ts3init",
.revision = 0,
.family = NFPROTO_IPV6,
.proto = IPPROTO_UDP,
.matchsize = sizeof(struct xt_ts3init_mtinfo),
.match = ts3init_mt,
.checkentry = ts3init_mt_check,
.destroy = ts3init_mt_destroy,
.me = THIS_MODULE,
},
};

43
src/ts3init_match.h Normal file
View File

@ -0,0 +1,43 @@
#ifndef _TS3INIT_MATCH_H
#define _TS3INIT_MATCH_H
enum {
SEED_SHA512_LEN = 512 / 8
};
enum {
COMMAND_CHECK_GET_COOKIE = 1,
COMMAND_CHECK_GET_PUZZLE = 2,
COMMAND_MASK = 3,
CHK_COMMON_CLIENT_VERSION = 1 << 2,
CHK_COMMON_MASK = 1 << 2,
COMMAND_AND_CHK_COMMON_MASK = COMMAND_MASK | CHK_COMMON_MASK,
COMMAND_SPECIFIC_OPTIONS_MASK = 0xf0
};
enum {
CHK_GET_COOKIE_CHECK_TIMESTAMP = 1 << 4,
CHK_GET_COOKIE_MASK = 1 << 4
};
enum{
CHK_GET_PUZZLE_CHECK_COOKIE = 1 << 4,
CHK_GET_PUZZLE_MASK = 1 << 4
};
struct xt_ts3init_mtinfo {
__u8 command_check_and_options;
__u32 min_client_version;
union{
struct {
__u32 max_utc_offset;
} get_cookie_opts;
struct {
__u8 cookie_seed[SEED_SHA512_LEN];
} get_puzzle_opts;
};
};
#endif /* _TS3INIT_MATCH_H */

37
src/xt_ts3init.c Normal file
View File

@ -0,0 +1,37 @@
/*
* "ts3init" extension for Xtables
*
* Description: A module to aid in ts3 spoof protection
* This file just includes the actual code files so that
* we do not have to export unneed symbols to the kernel
* while stil organizing code into logical files.
*
* Authors:
* Niels Werensteijn <niels werensteijn [at] teampseak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include "ts3init_cookie.c"
#include "ts3init_match.c"
MODULE_AUTHOR("Niels Werensteijn <niels.werensteijn@teamspeak.com>");
MODULE_DESCRIPTION("A module to aid in ts3 spoof protection");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ts3init");
MODULE_ALIAS("ip6t_ts3init");
static int __init ts3init_mt_init(void)
{
return xt_register_matches(ts3init_mt_reg, ARRAY_SIZE(ts3init_mt_reg));
}
static void __exit ts3init_mt_exit(void)
{
xt_unregister_matches(ts3init_mt_reg, ARRAY_SIZE(ts3init_mt_reg));
}
module_init(ts3init_mt_init);
module_exit(ts3init_mt_exit);