r4sas
/
ts3init_linux_netfilter_module
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

initial commit

pull/1/head
Niels Werensteijn 8 years ago
commit
6f72e024ca
8 changed files with 677 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 18
      src/Makefile
  2. 8
      src/Makefile.xtables
  3. 215
      src/libxt_ts3init.c
  4. 92
      src/ts3init_cookie.c
  5. 15
      src/ts3init_cookie.h
  6. 249
      src/ts3init_match.c
  7. 43
      src/ts3init_match.h
  8. 37
      src/xt_ts3init.c

18
src/Makefile
Unescape View File

@ -0,0 +1,18 @@ @@ -0,0 +1,18 @@
# -*- Makefile -*-
MODULES_DIR := /lib/modules/$(shell uname -r)
KERNEL_DIR := ${MODULES_DIR}/build
obj-m += xt_ts3init.o
all:
make -C ${KERNEL_DIR} M=$$PWD;
modules:
make -C ${KERNEL_DIR} M=$$PWD $@;
modules_install:
make -C ${KERNEL_DIR} M=$$PWD $@;
clean:
make -C ${KERNEL_DIR} M=$$PWD $@;

8
src/Makefile.xtables
Unescape View File

@ -0,0 +1,8 @@ @@ -0,0 +1,8 @@
CFLAGS = -O2 -Wall
lib%.so: lib%.o
gcc -shared -fPIC -o $@ $^;
lib%.o: lib%.c
gcc ${CFLAGS} -D_INIT=lib$*_init -fPIC -c -o $@ $<;

215
src/libxt_ts3init.c
Unescape View File

@ -0,0 +1,215 @@ @@ -0,0 +1,215 @@
/*
* "ts3init" match extension for iptables
* Niels Werensteijn <niels werensteijn [at] teamspeak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <getopt.h>
#include <xtables.h>
#include "ts3init_match.h"
/*
#include "compat_user.h"
*/
#define param_act(t, s, f) xtables_param_act((t), "ts3init", (s), (f))
static void ts3init_help(void)
{
printf(
"ts3init match options:\n"
" --get-cookie Check if packet is 'get-cookie' request.\n"
" --get-puzzle Check if packet is 'get-puzzle' request.\n"
" --min-client n The sending client needs to be at least version n.\n"
"\n"
"get-cookie options:\n"
" --check-time sec Check packet send time request. May be off by sec seconds.\n"
"\n"
"get-puzzle options:\n"
" --check-cookie seed Check the cookie. Assume it was generated with seed.\n"
" seed is a 64 byte random number in lowecase hex. Could be\n"
" generated with sha512 of something.\n"
);
}
static const struct option ts3init_opts[] = {
{.name = "get-cookie", .has_arg = false, .val = '1'},
{.name = "get-puzzle", .has_arg = false, .val = '2'},
{.name = "min-client", .has_arg = true, .val = '3'},
{.name = "check-time", .has_arg = true, .val = '4'},
{.name = "check-cookie", .has_arg = true, .val = '5'},
{NULL},
};
static bool hex2int_seed(const char *src, __u8* dst)
{
for (int i = 0; i < 64; ++i)
{
int v = 0;
for (int j = 0; j < 2; ++j)
{
uint8_t byte = *src++;
if (byte >= '0' && byte <= '9') byte = byte - '0';
else if (byte >= 'a' && byte <='f') byte = byte - 'a' + 10;
else if (byte >= 'A' && byte <='F') byte = byte - 'A' + 10;
else return false;
v = (v << 4) | byte;
}
*dst++ = v;
}
return true;
}
static int ts3init_parse(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
{
struct xt_ts3init_mtinfo *info = (void *)(*match)->data;
int client_version;
int time_offset;
switch (c) {
case '1':
param_act(XTF_ONLY_ONCE, "--get-cookie", (*flags & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE);
param_act(XTF_NO_INVERT, "--get-cookie", invert);
if ((*flags & COMMAND_MASK) == COMMAND_CHECK_GET_PUZZLE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: use `--get-cookie' OR `--get-puzzle' but not both of them!");
*flags |= COMMAND_CHECK_GET_COOKIE;
info->command_check_and_options |= COMMAND_CHECK_GET_COOKIE;
return true;
case '2':
param_act(XTF_ONLY_ONCE, "--get-puzzle", (*flags & COMMAND_MASK) == COMMAND_CHECK_GET_PUZZLE);
param_act(XTF_NO_INVERT, "--get-puzzle", invert);
if ((*flags & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: use `--get-cookie' OR `--get-puzzle' but not both of them!");
*flags |= COMMAND_CHECK_GET_PUZZLE;
info->command_check_and_options |= COMMAND_CHECK_GET_PUZZLE;
return true;
case '3':
param_act(XTF_ONLY_ONCE, "--min-client", *flags & CHK_COMMON_CLIENT_VERSION);
param_act(XTF_NO_INVERT, "--min-client", invert);
client_version = atoi(optarg);
if (client_version <= 0)
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid min-client version");
*flags |= CHK_COMMON_CLIENT_VERSION;
info->command_check_and_options |= CHK_COMMON_CLIENT_VERSION;
info->min_client_version = client_version;
return true;
case '4':
param_act(XTF_ONLY_ONCE, "--check-time", *flags & CHK_GET_COOKIE_CHECK_TIMESTAMP);
param_act(XTF_NO_INVERT, "--check-time", invert);
if ((*flags & COMMAND_MASK) != COMMAND_CHECK_GET_COOKIE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: --check-time can only work together with --get-cookie");
time_offset = atoi(optarg);
if (time_offset <= 0)
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid time offset");
*flags |= CHK_GET_COOKIE_CHECK_TIMESTAMP;
info->command_check_and_options |= CHK_GET_COOKIE_CHECK_TIMESTAMP;
info->get_cookie_opts.max_utc_offset = time_offset;
return true;
case '5':
param_act(XTF_ONLY_ONCE, "--check-cookie", *flags & CHK_GET_PUZZLE_CHECK_COOKIE);
param_act(XTF_NO_INVERT, "--check-cookie", invert);
if ((*flags & COMMAND_MASK) != COMMAND_CHECK_GET_PUZZLE)
xtables_error(PARAMETER_PROBLEM,
"ts3init: --check-cookie can only work together with --get-puzzle");
if (strlen(optarg) != 128)
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid cookie-seed length");
if (!hex2int_seed(optarg, info->get_puzzle_opts.cookie_seed))
xtables_error(PARAMETER_PROBLEM,
"ts3init: invalid cookie-seed. (not lowercase hex)");
*flags |= CHK_GET_PUZZLE_CHECK_COOKIE;
info->command_check_and_options |= CHK_GET_PUZZLE_CHECK_COOKIE;
return true;
default:
return false;
}
}
static void ts3init_check(unsigned int flags)
{
if ((flags & COMMAND_MASK) == 0)
xtables_error(PARAMETER_PROBLEM,
"TS3init match: must specify --get-cookie or --get-puzzle");
}
static void ts3init_save(const void *ip, const struct xt_entry_match *match)
{
const struct xt_ts3init_mtinfo *info = (const void *)match->data;
if ((info->command_check_and_options & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE)
{
printf("--get-cookie ");
}
else
{
printf("--get-puzzle ");
}
if (info->command_check_and_options & CHK_COMMON_CLIENT_VERSION)
{
printf("--min-client %u ", info->min_client_version);
}
if ((info->command_check_and_options & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE)
{
if (info->command_check_and_options & CHK_GET_COOKIE_CHECK_TIMESTAMP)
{
printf("--check-time %u ", info->get_cookie_opts.max_utc_offset);
}
}
else
{
if (info->command_check_and_options & CHK_GET_PUZZLE_CHECK_COOKIE)
{
printf("--check-cookie ");
for (int i = 0; i < 64; i++)
{
printf("%02X", info->get_puzzle_opts.cookie_seed[i]);
}
printf(" ");
}
}
}
static void ts3init_print(const void *ip, const struct xt_entry_match *match,
int numeric)
{
printf(" -m ts3init ");
ts3init_save(ip, match);
}
static struct xtables_match ts3init_mt_reg = {
.name = "ts3init",
.revision = 0,
.family = NFPROTO_UNSPEC,
.version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_ts3init_mtinfo)),
.userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_mtinfo)),
.help = ts3init_help,
.parse = ts3init_parse,
.final_check = ts3init_check,
.print = ts3init_print,
.save = ts3init_save,
.extra_opts = ts3init_opts,
};
static __attribute__((constructor)) void ts3init_mt_ldr(void)
{
xtables_register_match(&ts3init_mt_reg);
}

92
src/ts3init_cookie.c
Unescape View File

@ -0,0 +1,92 @@ @@ -0,0 +1,92 @@
/*
* "ts3init" extension for Xtables
*
* Description: A module to aid in ts3 spoof protection
* This is the "cookie" related code
*
* Authors:
* Niels Werensteijn <niels werensteijn [at] teampseak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/time.h>
#include <linux/crypto.h>
#include <linux/err.h>
#include <linux/scatterlist.h>
#include "ts3init_cookie.h"
static void check_update_seed_cache(time_t time, __u8 index,
struct xt_ts3init_cookie_cache* cache,
const __u8* cookie_seed)
{
struct hash_desc desc;
struct scatterlist sg[2];
int ret;
__le32 seed_hash_time;
if (time == cache->time[index]) return;
/* We need to update the cache. */
/* seed = sha512(cookie_seed[60] + __le32 time) */
seed_hash_time = cpu_to_le32( (__u32)time);
sg_init_table(sg, ARRAY_SIZE(sg));
sg_set_buf(&sg[0], cookie_seed, 60);
sg_set_buf(&sg[1], &seed_hash_time, 4);
desc.tfm = crypto_alloc_hash("sha512", 0, 0);
desc.flags = 0;
if (IS_ERR(desc.tfm))
{
printk(KERN_ERR KBUILD_MODNAME ": could not alloc sha512\n");
return;
}
ret = crypto_hash_init(&desc);
if (ret != 0)
{
printk(KERN_ERR KBUILD_MODNAME ": could not initalize sha512\n");
return;
}
ret = crypto_hash_digest(&desc, sg, 64, cache->seed + index * SHA512_SIZE);
if (ret != 0)
{
printk(KERN_ERR KBUILD_MODNAME ": could not digest sha512\n");
return;
}
crypto_free_hash(desc.tfm);
}
static __u8* get_cookie_seed(time_t current_time, __u8 packet_index,
struct xt_ts3init_cookie_cache* cache,
const __u8* cookie_seed)
{
__u8 current_cache_index;
__u8 packet_cache_index;
time_t current_cache_time;
time_t packet_cache_time;
if (packet_index >= 8) return NULL;
current_cache_index = (current_time >> 2) & 1;
packet_cache_index = packet_index >> 2 /* &1 */;
/* get cache time of packet */
current_cache_time = current_time & ~((time_t)3);
packet_cache_time = current_cache_index == packet_cache_index ?
current_cache_time : current_cache_time - (1*4);
/* make sure the cache is up-to-date */
check_update_seed_cache(packet_cache_time, packet_cache_index, cache,
cookie_seed);
/* return the proper seed */
return cache->seed + (SIP_KEY_SIZE * packet_index );
}

15
src/ts3init_cookie.h
Unescape View File

@ -0,0 +1,15 @@ @@ -0,0 +1,15 @@
#ifndef _TS3INIT_COOKIE_H
#define _TS3INIT_COOKIE_H
enum {
SHA512_SIZE = 64,
SIP_KEY_SIZE = 16
};
struct xt_ts3init_cookie_cache
{
time_t time[2];
__u8 __attribute__((aligned(8))) seed[SHA512_SIZE*2];
};
#endif /* _TS3INIT_COOKIE_H */

249
src/ts3init_match.c
Unescape View File

@ -0,0 +1,249 @@ @@ -0,0 +1,249 @@
/*
* "ts3init" extension for Xtables
*
* Description: A module to aid in ts3 spoof protection
* This is the "match" code
*
* Authors:
* Niels Werensteijn <niels werensteijn [at] teampseak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/netfilter/x_tables.h>
#include <linux/skbuff.h>
#include <linux/udp.h>
#include <linux/jiffies.h>
#include <linux/time.h>
#include <linux/percpu.h>
#include "ts3init_match.h"
#include "ts3init_cookie.h"
struct ts3init_cache_t
{
unsigned long saved_jiffies;
time_t unix_time;
struct xt_ts3init_cookie_cache cookie_cache;
};
struct ts3_init_header_tag
{
union {
char tag8[8];
__aligned_u64 tag64;
};
};
struct ts3_init_header
{
struct ts3_init_header_tag tag;
__be16 packet_id;
__be16 client_id;
__u8 flags;
__u8 client_version_0;
__u8 client_version_1;
__u8 client_version_2;
__u8 client_version_3;
__u8 command;
__u8 payload[20];
};
static const __u16 packet_payload_size[2] = { 34, 38 };
static const struct ts3_init_header_tag header_tag_signature =
{ .tag8 = {'T', 'S', '3', 'I', 'N', 'I', 'T', '1'} };
DEFINE_PER_CPU(struct ts3init_cache_t, ts3init_cache);
static inline void update_cache_time(unsigned long jifs,
struct ts3init_cache_t* cache)
{
if (((long)jifs - (long)cache->saved_jiffies) >= HZ)
{
/* it's been 1 second sinds last time update.
* Get the new unix time and cache it*/
struct timeval tv;
cache->saved_jiffies = jifs;
do_gettimeofday(&tv);
cache->unix_time = tv.tv_sec;
}
}
static bool
ts3init_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct udphdr *udp, udp_buf;
struct ts3init_cache_t* cache;
unsigned int data_len;
unsigned long jifs;
time_t current_unix_time, packet_unix_time;
struct ts3_init_header* ts3_header, ts3_header_buf;
const struct xt_ts3init_mtinfo *info = par->matchinfo;
__u8* cookie_seed;
__u8 cookie[8];
__u8 command = info->command_check_and_options & COMMAND_MASK;
udp = skb_header_pointer(skb, par->thoff, sizeof(*udp), &udp_buf);
data_len = be16_to_cpu(udp->len) - sizeof(*udp);
if (data_len != packet_payload_size[command-1]) return false;
ts3_header = (struct ts3_init_header*) skb_header_pointer(skb,
par->thoff + sizeof(*udp), data_len, &ts3_header_buf);
if (!ts3_header) return false;
if (ts3_header->tag.tag64 != header_tag_signature.tag64) return false;
if (ts3_header->packet_id != cpu_to_be16(101)) return false;
if (ts3_header->client_id != 0) return false;
if (ts3_header->flags != 0x88) return false;
/* TODO: check min_client_version if needed */
switch (command)
{
case COMMAND_CHECK_GET_COOKIE:
{
if (ts3_header->command != 0) return false;
if (info->command_check_and_options & CHK_GET_COOKIE_CHECK_TIMESTAMP)
{
jifs = jiffies;
cache = &get_cpu_var(ts3init_cache);
update_cache_time(jifs, cache);
current_unix_time = cache->unix_time;
put_cpu_var(ts3init_cache);
packet_unix_time =
ts3_header->payload[0] << 24 |
ts3_header->payload[1] << 16 |
ts3_header->payload[2] << 8 |
ts3_header->payload[3];
if (abs(current_unix_time - packet_unix_time) >
info->get_cookie_opts.max_utc_offset) return false;
}
return true;
}
case COMMAND_CHECK_GET_PUZZLE:
{
if (ts3_header->command != 2) return false;
if (info->command_check_and_options & CHK_GET_PUZZLE_CHECK_COOKIE)
{
jifs = jiffies;
cache = &get_cpu_var(ts3init_cache);
update_cache_time(jifs, cache);
current_unix_time = cache->unix_time;
cookie_seed = get_cookie_seed(current_unix_time,
ts3_header->payload[8], &cache->cookie_cache,
info->get_puzzle_opts.cookie_seed);
if (!cookie_seed)
{
put_cpu_var(ts3init_cache);
return false;
}
/* use cookie_seed and ipaddress and port to create a hash
* (cookie) for this connection */
/* TODO: implement using sipHash */
put_cpu_var(ts3init_cache);
/* compare cookie with payload bytes 0-7. if equal, cookie
* is valid */
/*if (memcmp(cookie, ts3_header->payload, 8) != 0) return false;*/
}
return true;
}
default:
return false;
};
}
static int ts3init_mt_check(const struct xt_mtchk_param *par)
{
struct xt_ts3init_mtinfo *info = par->matchinfo;
__u8 command;
if (info->command_check_and_options &
~(COMMAND_AND_CHK_COMMON_MASK | COMMAND_SPECIFIC_OPTIONS_MASK))
{
printk(KERN_INFO KBUILD_MODNAME ": invalid command or common options\n");
return -EINVAL;
}
command = info->command_check_and_options & COMMAND_MASK;
switch (command)
{
case COMMAND_CHECK_GET_COOKIE:
{
if (info->command_check_and_options &
~(COMMAND_AND_CHK_COMMON_MASK | CHK_GET_COOKIE_MASK))
{
printk(KERN_INFO KBUILD_MODNAME ": invalid get_cookie options\n");
return -EINVAL;
}
return 0;
}
case COMMAND_CHECK_GET_PUZZLE:
{
if (info->command_check_and_options &
~(COMMAND_AND_CHK_COMMON_MASK | CHK_GET_PUZZLE_MASK))
{
printk(KERN_INFO KBUILD_MODNAME ": invalid get_puzzle options\n");
return -EINVAL;
}
return 0;
}
default:
{
printk(KERN_INFO KBUILD_MODNAME ": invalid command value\n");
return -EINVAL;
}
}
}
static void ts3init_mt_destroy(const struct xt_mtdtor_param *par)
{
}
static struct xt_match ts3init_mt_reg[] __read_mostly = {
{
.name = "ts3init",
.revision = 0,
.family = NFPROTO_IPV4,
.proto = IPPROTO_UDP,
.matchsize = sizeof(struct xt_ts3init_mtinfo),
.match = ts3init_mt,
.checkentry = ts3init_mt_check,
.destroy = ts3init_mt_destroy,
.me = THIS_MODULE,
},
{
.name = "ts3init",
.revision = 0,
.family = NFPROTO_IPV6,
.proto = IPPROTO_UDP,
.matchsize = sizeof(struct xt_ts3init_mtinfo),
.match = ts3init_mt,
.checkentry = ts3init_mt_check,
.destroy = ts3init_mt_destroy,
.me = THIS_MODULE,
},
};

43
src/ts3init_match.h
Unescape View File

@ -0,0 +1,43 @@ @@ -0,0 +1,43 @@
#ifndef _TS3INIT_MATCH_H
#define _TS3INIT_MATCH_H
enum {
SEED_SHA512_LEN = 512 / 8
};
enum {
COMMAND_CHECK_GET_COOKIE = 1,
COMMAND_CHECK_GET_PUZZLE = 2,
COMMAND_MASK = 3,
CHK_COMMON_CLIENT_VERSION = 1 << 2,
CHK_COMMON_MASK = 1 << 2,
COMMAND_AND_CHK_COMMON_MASK = COMMAND_MASK | CHK_COMMON_MASK,
COMMAND_SPECIFIC_OPTIONS_MASK = 0xf0
};
enum {
CHK_GET_COOKIE_CHECK_TIMESTAMP = 1 << 4,
CHK_GET_COOKIE_MASK = 1 << 4
};
enum{
CHK_GET_PUZZLE_CHECK_COOKIE = 1 << 4,
CHK_GET_PUZZLE_MASK = 1 << 4
};
struct xt_ts3init_mtinfo {
__u8 command_check_and_options;
__u32 min_client_version;
union{
struct {
__u32 max_utc_offset;
} get_cookie_opts;
struct {
__u8 cookie_seed[SEED_SHA512_LEN];
} get_puzzle_opts;
};
};
#endif /* _TS3INIT_MATCH_H */

37
src/xt_ts3init.c
Unescape View File

@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
/*
* "ts3init" extension for Xtables
*
* Description: A module to aid in ts3 spoof protection
* This file just includes the actual code files so that
* we do not have to export unneed symbols to the kernel
* while stil organizing code into logical files.
*
* Authors:
* Niels Werensteijn <niels werensteijn [at] teampseak com>, 2016-10-03
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License; either version 2
* or 3 of the License, as published by the Free Software Foundation.
*/
#include "ts3init_cookie.c"
#include "ts3init_match.c"
MODULE_AUTHOR("Niels Werensteijn <niels.werensteijn@teamspeak.com>");
MODULE_DESCRIPTION("A module to aid in ts3 spoof protection");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_ts3init");
MODULE_ALIAS("ip6t_ts3init");
static int __init ts3init_mt_init(void)
{
return xt_register_matches(ts3init_mt_reg, ARRAY_SIZE(ts3init_mt_reg));
}
static void __exit ts3init_mt_exit(void)
{
xt_unregister_matches(ts3init_mt_reg, ARRAY_SIZE(ts3init_mt_reg));
}
module_init(ts3init_mt_init);
module_exit(ts3init_mt_exit);
Write Preview
Loading…
Cancel
Save