commit 6f72e024ca50de4a038d33901b52fd97cc7a9280 Author: Niels Werensteijn Date: Fri Oct 7 14:20:59 2016 +0200 initial commit diff --git a/src/Makefile b/src/Makefile new file mode 100644 index 0000000..8c188f7 --- /dev/null +++ b/src/Makefile @@ -0,0 +1,18 @@ +# -*- Makefile -*- +MODULES_DIR := /lib/modules/$(shell uname -r) +KERNEL_DIR := ${MODULES_DIR}/build + +obj-m += xt_ts3init.o + +all: + make -C ${KERNEL_DIR} M=$$PWD; + +modules: + make -C ${KERNEL_DIR} M=$$PWD $@; + +modules_install: + make -C ${KERNEL_DIR} M=$$PWD $@; + +clean: + make -C ${KERNEL_DIR} M=$$PWD $@; + diff --git a/src/Makefile.xtables b/src/Makefile.xtables new file mode 100644 index 0000000..d46caf2 --- /dev/null +++ b/src/Makefile.xtables @@ -0,0 +1,8 @@ +CFLAGS = -O2 -Wall + +lib%.so: lib%.o + gcc -shared -fPIC -o $@ $^; + +lib%.o: lib%.c + gcc ${CFLAGS} -D_INIT=lib$*_init -fPIC -c -o $@ $<; + diff --git a/src/libxt_ts3init.c b/src/libxt_ts3init.c new file mode 100644 index 0000000..b2b49fa --- /dev/null +++ b/src/libxt_ts3init.c @@ -0,0 +1,215 @@ +/* + * "ts3init" match extension for iptables + * Niels Werensteijn , 2016-10-03 + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License; either version 2 + * or 3 of the License, as published by the Free Software Foundation. + */ + +#include +#include +#include +#include +#include +#include +#include +#include "ts3init_match.h" +/* +#include "compat_user.h" +*/ +#define param_act(t, s, f) xtables_param_act((t), "ts3init", (s), (f)) + +static void ts3init_help(void) +{ + printf( +"ts3init match options:\n" +" --get-cookie Check if packet is 'get-cookie' request.\n" +" --get-puzzle Check if packet is 'get-puzzle' request.\n" +" --min-client n The sending client needs to be at least version n.\n" +"\n" +"get-cookie options:\n" +" --check-time sec Check packet send time request. May be off by sec seconds.\n" +"\n" +"get-puzzle options:\n" +" --check-cookie seed Check the cookie. Assume it was generated with seed.\n" +" seed is a 64 byte random number in lowecase hex. Could be\n" +" generated with sha512 of something.\n" +); +} + +static const struct option ts3init_opts[] = { + {.name = "get-cookie", .has_arg = false, .val = '1'}, + {.name = "get-puzzle", .has_arg = false, .val = '2'}, + {.name = "min-client", .has_arg = true, .val = '3'}, + {.name = "check-time", .has_arg = true, .val = '4'}, + {.name = "check-cookie", .has_arg = true, .val = '5'}, + {NULL}, +}; + +static bool hex2int_seed(const char *src, __u8* dst) +{ + for (int i = 0; i < 64; ++i) + { + int v = 0; + for (int j = 0; j < 2; ++j) + { + uint8_t byte = *src++; + if (byte >= '0' && byte <= '9') byte = byte - '0'; + else if (byte >= 'a' && byte <='f') byte = byte - 'a' + 10; + else if (byte >= 'A' && byte <='F') byte = byte - 'A' + 10; + else return false; + v = (v << 4) | byte; + } + *dst++ = v; + } + return true; +} + +static int ts3init_parse(int c, char **argv, int invert, unsigned int *flags, + const void *entry, struct xt_entry_match **match) +{ + struct xt_ts3init_mtinfo *info = (void *)(*match)->data; + int client_version; + int time_offset; + + switch (c) { + case '1': + param_act(XTF_ONLY_ONCE, "--get-cookie", (*flags & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE); + param_act(XTF_NO_INVERT, "--get-cookie", invert); + if ((*flags & COMMAND_MASK) == COMMAND_CHECK_GET_PUZZLE) + xtables_error(PARAMETER_PROBLEM, + "ts3init: use `--get-cookie' OR `--get-puzzle' but not both of them!"); + *flags |= COMMAND_CHECK_GET_COOKIE; + info->command_check_and_options |= COMMAND_CHECK_GET_COOKIE; + return true; + + case '2': + param_act(XTF_ONLY_ONCE, "--get-puzzle", (*flags & COMMAND_MASK) == COMMAND_CHECK_GET_PUZZLE); + param_act(XTF_NO_INVERT, "--get-puzzle", invert); + if ((*flags & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE) + xtables_error(PARAMETER_PROBLEM, + "ts3init: use `--get-cookie' OR `--get-puzzle' but not both of them!"); + *flags |= COMMAND_CHECK_GET_PUZZLE; + info->command_check_and_options |= COMMAND_CHECK_GET_PUZZLE; + return true; + + case '3': + param_act(XTF_ONLY_ONCE, "--min-client", *flags & CHK_COMMON_CLIENT_VERSION); + param_act(XTF_NO_INVERT, "--min-client", invert); + client_version = atoi(optarg); + if (client_version <= 0) + xtables_error(PARAMETER_PROBLEM, + "ts3init: invalid min-client version"); + *flags |= CHK_COMMON_CLIENT_VERSION; + info->command_check_and_options |= CHK_COMMON_CLIENT_VERSION; + info->min_client_version = client_version; + return true; + + case '4': + param_act(XTF_ONLY_ONCE, "--check-time", *flags & CHK_GET_COOKIE_CHECK_TIMESTAMP); + param_act(XTF_NO_INVERT, "--check-time", invert); + if ((*flags & COMMAND_MASK) != COMMAND_CHECK_GET_COOKIE) + xtables_error(PARAMETER_PROBLEM, + "ts3init: --check-time can only work together with --get-cookie"); + time_offset = atoi(optarg); + if (time_offset <= 0) + xtables_error(PARAMETER_PROBLEM, + "ts3init: invalid time offset"); + *flags |= CHK_GET_COOKIE_CHECK_TIMESTAMP; + info->command_check_and_options |= CHK_GET_COOKIE_CHECK_TIMESTAMP; + info->get_cookie_opts.max_utc_offset = time_offset; + return true; + + case '5': + param_act(XTF_ONLY_ONCE, "--check-cookie", *flags & CHK_GET_PUZZLE_CHECK_COOKIE); + param_act(XTF_NO_INVERT, "--check-cookie", invert); + if ((*flags & COMMAND_MASK) != COMMAND_CHECK_GET_PUZZLE) + xtables_error(PARAMETER_PROBLEM, + "ts3init: --check-cookie can only work together with --get-puzzle"); + if (strlen(optarg) != 128) + xtables_error(PARAMETER_PROBLEM, + "ts3init: invalid cookie-seed length"); + if (!hex2int_seed(optarg, info->get_puzzle_opts.cookie_seed)) + xtables_error(PARAMETER_PROBLEM, + "ts3init: invalid cookie-seed. (not lowercase hex)"); + *flags |= CHK_GET_PUZZLE_CHECK_COOKIE; + info->command_check_and_options |= CHK_GET_PUZZLE_CHECK_COOKIE; + return true; + + default: + return false; + } +} + +static void ts3init_check(unsigned int flags) +{ + if ((flags & COMMAND_MASK) == 0) + xtables_error(PARAMETER_PROBLEM, + "TS3init match: must specify --get-cookie or --get-puzzle"); +} + +static void ts3init_save(const void *ip, const struct xt_entry_match *match) +{ + const struct xt_ts3init_mtinfo *info = (const void *)match->data; + if ((info->command_check_and_options & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE) + { + printf("--get-cookie "); + } + else + { + printf("--get-puzzle "); + } + if (info->command_check_and_options & CHK_COMMON_CLIENT_VERSION) + { + printf("--min-client %u ", info->min_client_version); + } + if ((info->command_check_and_options & COMMAND_MASK) == COMMAND_CHECK_GET_COOKIE) + { + if (info->command_check_and_options & CHK_GET_COOKIE_CHECK_TIMESTAMP) + { + printf("--check-time %u ", info->get_cookie_opts.max_utc_offset); + } + } + else + { + if (info->command_check_and_options & CHK_GET_PUZZLE_CHECK_COOKIE) + { + printf("--check-cookie "); + for (int i = 0; i < 64; i++) + { + printf("%02X", info->get_puzzle_opts.cookie_seed[i]); + } + printf(" "); + } + } + +} + +static void ts3init_print(const void *ip, const struct xt_entry_match *match, + int numeric) +{ + printf(" -m ts3init "); + ts3init_save(ip, match); +} + +static struct xtables_match ts3init_mt_reg = { + .name = "ts3init", + .revision = 0, + .family = NFPROTO_UNSPEC, + .version = XTABLES_VERSION, + .size = XT_ALIGN(sizeof(struct xt_ts3init_mtinfo)), + .userspacesize = XT_ALIGN(sizeof(struct xt_ts3init_mtinfo)), + .help = ts3init_help, + .parse = ts3init_parse, + .final_check = ts3init_check, + .print = ts3init_print, + .save = ts3init_save, + .extra_opts = ts3init_opts, +}; + +static __attribute__((constructor)) void ts3init_mt_ldr(void) +{ + xtables_register_match(&ts3init_mt_reg); +} + diff --git a/src/ts3init_cookie.c b/src/ts3init_cookie.c new file mode 100644 index 0000000..a3b2f0e --- /dev/null +++ b/src/ts3init_cookie.c @@ -0,0 +1,92 @@ +/* + * "ts3init" extension for Xtables + * + * Description: A module to aid in ts3 spoof protection + * This is the "cookie" related code + * + * Authors: + * Niels Werensteijn , 2016-10-03 + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License; either version 2 + * or 3 of the License, as published by the Free Software Foundation. + */ +#include +#include +#include +#include +#include +#include "ts3init_cookie.h" + +static void check_update_seed_cache(time_t time, __u8 index, + struct xt_ts3init_cookie_cache* cache, + const __u8* cookie_seed) +{ + struct hash_desc desc; + struct scatterlist sg[2]; + int ret; + __le32 seed_hash_time; + + if (time == cache->time[index]) return; + + /* We need to update the cache. */ + /* seed = sha512(cookie_seed[60] + __le32 time) */ + seed_hash_time = cpu_to_le32( (__u32)time); + sg_init_table(sg, ARRAY_SIZE(sg)); + sg_set_buf(&sg[0], cookie_seed, 60); + sg_set_buf(&sg[1], &seed_hash_time, 4); + + desc.tfm = crypto_alloc_hash("sha512", 0, 0); + desc.flags = 0; + + if (IS_ERR(desc.tfm)) + { + printk(KERN_ERR KBUILD_MODNAME ": could not alloc sha512\n"); + return; + } + + ret = crypto_hash_init(&desc); + if (ret != 0) + { + printk(KERN_ERR KBUILD_MODNAME ": could not initalize sha512\n"); + return; + } + + ret = crypto_hash_digest(&desc, sg, 64, cache->seed + index * SHA512_SIZE); + if (ret != 0) + { + printk(KERN_ERR KBUILD_MODNAME ": could not digest sha512\n"); + return; + } + + crypto_free_hash(desc.tfm); +} + +static __u8* get_cookie_seed(time_t current_time, __u8 packet_index, + struct xt_ts3init_cookie_cache* cache, + const __u8* cookie_seed) +{ + + __u8 current_cache_index; + __u8 packet_cache_index; + time_t current_cache_time; + time_t packet_cache_time; + + if (packet_index >= 8) return NULL; + + current_cache_index = (current_time >> 2) & 1; + packet_cache_index = packet_index >> 2 /* &1 */; + + /* get cache time of packet */ + current_cache_time = current_time & ~((time_t)3); + packet_cache_time = current_cache_index == packet_cache_index ? + current_cache_time : current_cache_time - (1*4); + + /* make sure the cache is up-to-date */ + check_update_seed_cache(packet_cache_time, packet_cache_index, cache, + cookie_seed); + + /* return the proper seed */ + return cache->seed + (SIP_KEY_SIZE * packet_index ); +} + diff --git a/src/ts3init_cookie.h b/src/ts3init_cookie.h new file mode 100644 index 0000000..ca27dc1 --- /dev/null +++ b/src/ts3init_cookie.h @@ -0,0 +1,15 @@ +#ifndef _TS3INIT_COOKIE_H +#define _TS3INIT_COOKIE_H + +enum { + SHA512_SIZE = 64, + SIP_KEY_SIZE = 16 +}; + +struct xt_ts3init_cookie_cache +{ + time_t time[2]; + __u8 __attribute__((aligned(8))) seed[SHA512_SIZE*2]; +}; + +#endif /* _TS3INIT_COOKIE_H */ diff --git a/src/ts3init_match.c b/src/ts3init_match.c new file mode 100644 index 0000000..35b3f8e --- /dev/null +++ b/src/ts3init_match.c @@ -0,0 +1,249 @@ +/* + * "ts3init" extension for Xtables + * + * Description: A module to aid in ts3 spoof protection + * This is the "match" code + * + * Authors: + * Niels Werensteijn , 2016-10-03 + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License; either version 2 + * or 3 of the License, as published by the Free Software Foundation. + */ + +#include +#include +#include +#include +#include +#include +#include +#include "ts3init_match.h" +#include "ts3init_cookie.h" + +struct ts3init_cache_t +{ + unsigned long saved_jiffies; + time_t unix_time; + struct xt_ts3init_cookie_cache cookie_cache; +}; + +struct ts3_init_header_tag +{ + union { + char tag8[8]; + __aligned_u64 tag64; + }; +}; + +struct ts3_init_header +{ + struct ts3_init_header_tag tag; + __be16 packet_id; + __be16 client_id; + __u8 flags; + __u8 client_version_0; + __u8 client_version_1; + __u8 client_version_2; + __u8 client_version_3; + __u8 command; + __u8 payload[20]; +}; + +static const __u16 packet_payload_size[2] = { 34, 38 }; + +static const struct ts3_init_header_tag header_tag_signature = + { .tag8 = {'T', 'S', '3', 'I', 'N', 'I', 'T', '1'} }; + +DEFINE_PER_CPU(struct ts3init_cache_t, ts3init_cache); + +static inline void update_cache_time(unsigned long jifs, + struct ts3init_cache_t* cache) +{ + if (((long)jifs - (long)cache->saved_jiffies) >= HZ) + { + /* it's been 1 second sinds last time update. + * Get the new unix time and cache it*/ + struct timeval tv; + cache->saved_jiffies = jifs; + do_gettimeofday(&tv); + cache->unix_time = tv.tv_sec; + } +} + +static bool +ts3init_mt(const struct sk_buff *skb, struct xt_action_param *par) +{ + struct udphdr *udp, udp_buf; + struct ts3init_cache_t* cache; + unsigned int data_len; + unsigned long jifs; + time_t current_unix_time, packet_unix_time; + struct ts3_init_header* ts3_header, ts3_header_buf; + const struct xt_ts3init_mtinfo *info = par->matchinfo; + __u8* cookie_seed; + __u8 cookie[8]; + + __u8 command = info->command_check_and_options & COMMAND_MASK; + + udp = skb_header_pointer(skb, par->thoff, sizeof(*udp), &udp_buf); + data_len = be16_to_cpu(udp->len) - sizeof(*udp); + + if (data_len != packet_payload_size[command-1]) return false; + + ts3_header = (struct ts3_init_header*) skb_header_pointer(skb, + par->thoff + sizeof(*udp), data_len, &ts3_header_buf); + + if (!ts3_header) return false; + + if (ts3_header->tag.tag64 != header_tag_signature.tag64) return false; + if (ts3_header->packet_id != cpu_to_be16(101)) return false; + if (ts3_header->client_id != 0) return false; + if (ts3_header->flags != 0x88) return false; + + /* TODO: check min_client_version if needed */ + + switch (command) + { + case COMMAND_CHECK_GET_COOKIE: + { + if (ts3_header->command != 0) return false; + + if (info->command_check_and_options & CHK_GET_COOKIE_CHECK_TIMESTAMP) + { + jifs = jiffies; + + cache = &get_cpu_var(ts3init_cache); + + update_cache_time(jifs, cache); + + current_unix_time = cache->unix_time; + + put_cpu_var(ts3init_cache); + + packet_unix_time = + ts3_header->payload[0] << 24 | + ts3_header->payload[1] << 16 | + ts3_header->payload[2] << 8 | + ts3_header->payload[3]; + + if (abs(current_unix_time - packet_unix_time) > + info->get_cookie_opts.max_utc_offset) return false; + } + return true; + } + + case COMMAND_CHECK_GET_PUZZLE: + { + if (ts3_header->command != 2) return false; + + if (info->command_check_and_options & CHK_GET_PUZZLE_CHECK_COOKIE) + { + jifs = jiffies; + cache = &get_cpu_var(ts3init_cache); + + update_cache_time(jifs, cache); + + current_unix_time = cache->unix_time; + + cookie_seed = get_cookie_seed(current_unix_time, + ts3_header->payload[8], &cache->cookie_cache, + info->get_puzzle_opts.cookie_seed); + + if (!cookie_seed) + { + put_cpu_var(ts3init_cache); + return false; + } + + /* use cookie_seed and ipaddress and port to create a hash + * (cookie) for this connection */ + /* TODO: implement using sipHash */ + put_cpu_var(ts3init_cache); + + /* compare cookie with payload bytes 0-7. if equal, cookie + * is valid */ + /*if (memcmp(cookie, ts3_header->payload, 8) != 0) return false;*/ + + } + return true; + } + + default: + return false; + }; +} + +static int ts3init_mt_check(const struct xt_mtchk_param *par) +{ + struct xt_ts3init_mtinfo *info = par->matchinfo; + __u8 command; + + if (info->command_check_and_options & + ~(COMMAND_AND_CHK_COMMON_MASK | COMMAND_SPECIFIC_OPTIONS_MASK)) + { + printk(KERN_INFO KBUILD_MODNAME ": invalid command or common options\n"); + return -EINVAL; + } + + command = info->command_check_and_options & COMMAND_MASK; + switch (command) + { + case COMMAND_CHECK_GET_COOKIE: + { + if (info->command_check_and_options & + ~(COMMAND_AND_CHK_COMMON_MASK | CHK_GET_COOKIE_MASK)) + { + printk(KERN_INFO KBUILD_MODNAME ": invalid get_cookie options\n"); + return -EINVAL; + } + return 0; + } + case COMMAND_CHECK_GET_PUZZLE: + { + if (info->command_check_and_options & + ~(COMMAND_AND_CHK_COMMON_MASK | CHK_GET_PUZZLE_MASK)) + { + printk(KERN_INFO KBUILD_MODNAME ": invalid get_puzzle options\n"); + return -EINVAL; + } + return 0; + } + default: + { + printk(KERN_INFO KBUILD_MODNAME ": invalid command value\n"); + return -EINVAL; + } + } +} + +static void ts3init_mt_destroy(const struct xt_mtdtor_param *par) +{ +} + +static struct xt_match ts3init_mt_reg[] __read_mostly = { + { + .name = "ts3init", + .revision = 0, + .family = NFPROTO_IPV4, + .proto = IPPROTO_UDP, + .matchsize = sizeof(struct xt_ts3init_mtinfo), + .match = ts3init_mt, + .checkentry = ts3init_mt_check, + .destroy = ts3init_mt_destroy, + .me = THIS_MODULE, + }, + { + .name = "ts3init", + .revision = 0, + .family = NFPROTO_IPV6, + .proto = IPPROTO_UDP, + .matchsize = sizeof(struct xt_ts3init_mtinfo), + .match = ts3init_mt, + .checkentry = ts3init_mt_check, + .destroy = ts3init_mt_destroy, + .me = THIS_MODULE, + }, +}; + diff --git a/src/ts3init_match.h b/src/ts3init_match.h new file mode 100644 index 0000000..5e5152e --- /dev/null +++ b/src/ts3init_match.h @@ -0,0 +1,43 @@ +#ifndef _TS3INIT_MATCH_H +#define _TS3INIT_MATCH_H + +enum { + SEED_SHA512_LEN = 512 / 8 +}; + +enum { + COMMAND_CHECK_GET_COOKIE = 1, + COMMAND_CHECK_GET_PUZZLE = 2, + COMMAND_MASK = 3, + + CHK_COMMON_CLIENT_VERSION = 1 << 2, + CHK_COMMON_MASK = 1 << 2, + + COMMAND_AND_CHK_COMMON_MASK = COMMAND_MASK | CHK_COMMON_MASK, + COMMAND_SPECIFIC_OPTIONS_MASK = 0xf0 +}; + +enum { + CHK_GET_COOKIE_CHECK_TIMESTAMP = 1 << 4, + CHK_GET_COOKIE_MASK = 1 << 4 +}; + +enum{ + CHK_GET_PUZZLE_CHECK_COOKIE = 1 << 4, + CHK_GET_PUZZLE_MASK = 1 << 4 +}; + +struct xt_ts3init_mtinfo { + __u8 command_check_and_options; + __u32 min_client_version; + union{ + struct { + __u32 max_utc_offset; + } get_cookie_opts; + struct { + __u8 cookie_seed[SEED_SHA512_LEN]; + } get_puzzle_opts; + }; +}; + +#endif /* _TS3INIT_MATCH_H */ diff --git a/src/xt_ts3init.c b/src/xt_ts3init.c new file mode 100644 index 0000000..31bbd6a --- /dev/null +++ b/src/xt_ts3init.c @@ -0,0 +1,37 @@ +/* + * "ts3init" extension for Xtables + * + * Description: A module to aid in ts3 spoof protection + * This file just includes the actual code files so that + * we do not have to export unneed symbols to the kernel + * while stil organizing code into logical files. + * + * Authors: + * Niels Werensteijn , 2016-10-03 + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License; either version 2 + * or 3 of the License, as published by the Free Software Foundation. + */ + +#include "ts3init_cookie.c" +#include "ts3init_match.c" + +MODULE_AUTHOR("Niels Werensteijn "); +MODULE_DESCRIPTION("A module to aid in ts3 spoof protection"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_ts3init"); +MODULE_ALIAS("ip6t_ts3init"); + +static int __init ts3init_mt_init(void) +{ + return xt_register_matches(ts3init_mt_reg, ARRAY_SIZE(ts3init_mt_reg)); +} + +static void __exit ts3init_mt_exit(void) +{ + xt_unregister_matches(ts3init_mt_reg, ARRAY_SIZE(ts3init_mt_reg)); +} + +module_init(ts3init_mt_init); +module_exit(ts3init_mt_exit);