r4sas/ts3init_linux_netfilter_module
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

the cookie-seed used in ts3init_get_puzzle and TS3INIT_SET_COOKIE can be loaded from file now.

Browse Source 
Added new parameters --seed and --seed-file to ts3init_get_puzzle and TS3INIT_SET_COOKIE.
This commit is contained in:
Maximilian Münchow 2016-10-12 17:32:07 +02:00
parent f7181d65d0
commit 7c8d64811f
8 changed files with 170 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -26,10 +26,11 @@ The second match extension is called *ts3init_get_puzzle*. It matches if the pac
$ iptables -m ts3init_get_puzzle -h
<..>
ts3init_get_puzzle match options:
--min-client n The sending client needs to be at least version n.
--check-cookie seed Check the cookie. Assume it was generated with seed.
seed is a 60 byte random number in hex. A source
could be /dev/random.
--min-client n The sending client needs to be at least version.
--check-cookie Check that the cookie was generated by same seed.
--seed <seed> Seed is a 60 byte lowercase hex number in.
A source could be /dev/random.
--seed-file <file> Read the seed from a file.
```
The min-client parameter is the same as above. The check-cookie parameter matches if it matches the cookie that was generated in the netfilter target extension ts3init_set_cookie. To match the seed needs to be exactly the same of course. It is possible to check cookies that were generated on a different machine, provided that those machines have the same date and time, and the seem seed specified. In other words: The cookie is created in a deterministic way, depending only on the current time and the seed.

3
src/libxt_TS3INIT_RESET.c
View File

@ -14,6 +14,9 @@
#include <string.h>
#include <getopt.h>
#include <xtables.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include "ts3init_cookie_seed.h"
#include "ts3init_target.h"

62
src/libxt_TS3INIT_SET_COOKIE.c
View File

@ -14,6 +14,9 @@
#include <string.h>
#include <getopt.h>
#include <xtables.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include "ts3init_cookie_seed.h"
#include "ts3init_target.h"
@ -22,15 +25,17 @@
static void ts3init_set_cookie_tg_help(void)
{
printf(
"TS3INIT_SET_COOKIE match options:\n"
" --zero-random-sequence Always return 0 as random sequence.\n"
" --cookie-seed seed Seed is a 60 byte random number in\n"
" hex. A source could be /dev/random.\n");
"TS3INIT_SET_COOKIE target options:\n"
" --zero-random-sequence Always return 0 as random sequence.\n"
" --seed <seed> Seed is a 60 byte lowercase hex number in.\n"
" A source could be /dev/random.\n"
" --seed-file <file> Read the seed from a file.\n");
}
static const struct option ts3init_set_cookie_tg_opts[] = {
{.name = "zero-random-sequence", .has_arg = false, .val = '1'},
{.name = "cookie-seed", .has_arg = true, .val = '2'},
{.name = "seed", .has_arg = true, .val = '2'},
{.name = "seed-file", .has_arg = true, .val = '3'},
{NULL},
};
@ -42,20 +47,30 @@ static int ts3init_set_cookie_tg_parse(int c, char **argv,
switch (c) {
case '1':
param_act(XTF_ONLY_ONCE, "--zero-random-sequence", info->specific_options & TARGET_SET_COOKIE_ZERO_RANDOM_SEQUENCE);
param_act(XTF_NO_INVERT, "--check-time", invert);
param_act(XTF_NO_INVERT, "--zero-random-sequence", invert);
info->specific_options |= TARGET_SET_COOKIE_ZERO_RANDOM_SEQUENCE;
return true;
case '2':
param_act(XTF_ONLY_ONCE, "--cookie-seed", info->specific_options & TARGET_SET_COOKIE_SEED);
param_act(XTF_NO_INVERT, "--cookie-seed", invert);
param_act(XTF_ONLY_ONCE, "--seed", *flags & TARGET_SET_COOKIE_SEED_FROM_ARGUMENT);
param_act(XTF_NO_INVERT, "--seed", invert);
if (strlen(optarg) != (COOKIE_SEED_LEN * 2))
xtables_error(PARAMETER_PROBLEM,
"TS3INIT_SET_COOKIE: invalid cookie-seed length");
"TS3INIT_SET_COOKIE: invalid seed length");
if (!hex2int_seed(optarg, info->cookie_seed))
xtables_error(PARAMETER_PROBLEM,
"TS3INIT_SET_COOKIE: invalid cookie-seed. (not lowercase hex)");
info->specific_options |= TARGET_SET_COOKIE_SEED;
*flags |= TARGET_SET_COOKIE_SEED;
"TS3INIT_SET_COOKIE: invalid seed. (not lowercase hex)");
info->specific_options |= TARGET_SET_COOKIE_SEED_FROM_ARGUMENT;
*flags |= TARGET_SET_COOKIE_SEED_FROM_ARGUMENT;
return true;
case '3':
param_act(XTF_ONLY_ONCE, "--seed-file", *flags & TARGET_SET_COOKIE_SEED_FROM_FILE);
param_act(XTF_NO_INVERT, "--seed-file", invert);
if (read_cookie_seed_from_file("TS3INIT_SET_COOKIE", optarg, info->cookie_seed))
memcpy(info->cookie_seed_path, optarg, strlen(optarg) + 1);
info->specific_options |= TARGET_SET_COOKIE_SEED_FROM_FILE;
*flags |= TARGET_SET_COOKIE_SEED_FROM_FILE;
return true;
default:
@ -70,15 +85,19 @@ static void ts3init_set_cookie_tg_save(const void *ip, const struct xt_entry_tar
{
printf("--zero-random-sequence ");
}
if (info->specific_options & TARGET_SET_COOKIE_SEED)
if (info->specific_options & TARGET_SET_COOKIE_SEED_FROM_ARGUMENT)
{
printf("--cookie-seed ");
printf("--seed ");
for (int i = 0; i < COOKIE_SEED_LEN; i++)
{
printf("%02X", info->cookie_seed[i]);
}
printf(" ");
}
if (info->specific_options & TARGET_SET_COOKIE_SEED_FROM_FILE)
{
printf("--seed-file \"%s\" ", info->cookie_seed_path);
}
}
static void ts3init_set_cookie_tg_print(const void *ip, const struct xt_entry_target *target,
@ -90,10 +109,19 @@ static void ts3init_set_cookie_tg_print(const void *ip, const struct xt_entry_ta
static void ts3init_set_cookie_tg_check(unsigned int flags)
{
if ((flags & TARGET_SET_COOKIE_SEED) == 0)
bool seed_from_argument = flags & TARGET_SET_COOKIE_SEED_FROM_ARGUMENT;
bool seed_from_file = flags & TARGET_SET_COOKIE_SEED_FROM_FILE;
if (seed_from_argument && seed_from_file)
{
xtables_error(PARAMETER_PROBLEM,
"TS3INIT_SET_COOKIE: --cookie-seed must be specified");
xtables_error(PARAMETER_PROBLEM,
"TS3INIT_SET_COOKIE: --seed and --seed-file "
"can not be specified at the same time");
}
if (!seed_from_argument && !seed_from_file)
{
xtables_error(PARAMETER_PROBLEM,
"TS3INIT_SET_COOKIE: either --seed or --seed-file "
"must be specified");
}
}

3
src/libxt_ts3init_get_cookie.c
View File

@ -14,6 +14,9 @@
#include <string.h>
#include <getopt.h>
#include <xtables.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include "ts3init_cookie_seed.h"
#include "ts3init_match.h"

75
src/libxt_ts3init_get_puzzle.c
View File

@ -14,6 +14,9 @@
#include <string.h>
#include <getopt.h>
#include <xtables.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include "ts3init_cookie_seed.h"
#include "ts3init_match.h"
@ -24,16 +27,19 @@ static void ts3init_get_puzzle_help(void)
{
printf(
"ts3init_get_puzzle match options:\n"
" --min-client n The sending client needs to be at least version n.\n"
" --check-cookie seed Check the cookie. Assume it was generated with seed.\n"
" seed is a 60 byte random number in hex. A source\n"
" could be /dev/random.\n"
);
" --min-client n The sending client needs to be at least version.\n"
" --check-cookie Check that the cookie was generated by same seed.\n"
" --seed <seed> Seed is a 60 byte lowercase hex number in.\n"
" A source could be /dev/random.\n"
" --seed-file <file> Read the seed from a file.\n"
);
}
static const struct option ts3init_get_puzzle_opts[] = {
{.name = "min-client", .has_arg = true, .val = '1'},
{.name = "check-cookie", .has_arg = true, .val = '2'},
{.name = "min-client", .has_arg = true, .val = '1'},
{.name = "check-cookie", .has_arg = false, .val = '2'},
{.name = "seed", .has_arg = true, .val = '3'},
{.name = "seed-file", .has_arg = true, .val = '4'},
{NULL},
};
@ -58,13 +64,31 @@ static int ts3init_get_puzzle_parse(int c, char **argv, int invert, unsigned int
case '2':
param_act(XTF_ONLY_ONCE, "--check-cookie", info->specific_options & CHK_GET_PUZZLE_CHECK_COOKIE);
param_act(XTF_NO_INVERT, "--check-cookie", invert);
info->specific_options |= CHK_GET_PUZZLE_CHECK_COOKIE;
*flags |= CHK_GET_PUZZLE_CHECK_COOKIE;
return true;
case '3':
param_act(XTF_ONLY_ONCE, "--seed", info->specific_options & CHK_GET_PUZZLE_SEED_FROM_ARGUMENT);
param_act(XTF_NO_INVERT, "--seed", invert);
if (strlen(optarg) != (COOKIE_SEED_LEN * 2))
xtables_error(PARAMETER_PROBLEM,
"ts3init_get_puzzle: invalid cookie-seed length");
"ts3init_get_puzzle: invalid seed length");
if (!hex2int_seed(optarg, info->cookie_seed))
xtables_error(PARAMETER_PROBLEM,
"ts3init_get_puzzle: invalid cookie-seed. (not lowercase hex)");
info->specific_options |= CHK_GET_PUZZLE_CHECK_COOKIE;
"ts3init_get_puzzle: invalid seed. (not lowercase hex)");
info->specific_options |= CHK_GET_PUZZLE_SEED_FROM_ARGUMENT;
*flags |= CHK_GET_PUZZLE_SEED_FROM_ARGUMENT;
return true;
case '4':
param_act(XTF_ONLY_ONCE, "--seed-file", info->specific_options & CHK_GET_PUZZLE_SEED_FROM_FILE);
param_act(XTF_NO_INVERT, "--seed-file", invert);
if (read_cookie_seed_from_file("ts3init_get_puzzle", optarg, info->cookie_seed))
memcpy(info->cookie_seed_path, optarg, strlen(optarg) + 1);
info->specific_options |= CHK_GET_PUZZLE_SEED_FROM_FILE;
*flags |= CHK_GET_PUZZLE_SEED_FROM_FILE;
return true;
default:
@ -82,12 +106,20 @@ static void ts3init_get_puzzle_save(const void *ip, const struct xt_entry_match
if (info->specific_options & CHK_GET_PUZZLE_CHECK_COOKIE)
{
printf("--check-cookie ");
}
if (info->specific_options & CHK_GET_PUZZLE_SEED_FROM_ARGUMENT)
{
printf("--seed ");
for (int i = 0; i < COOKIE_SEED_LEN; i++)
{
printf("%02X", info->cookie_seed[i]);
}
printf(" ");
}
if (info->specific_options & CHK_GET_PUZZLE_SEED_FROM_FILE)
{
printf("--seed-file \"%s\" ", info->cookie_seed_path);
}
}
static void ts3init_get_puzzle_print(const void *ip, const struct xt_entry_match *match,
@ -97,6 +129,27 @@ static void ts3init_get_puzzle_print(const void *ip, const struct xt_entry_match
ts3init_get_puzzle_save(ip, match);
}
static void ts3init_get_puzzle_check(unsigned int flags)
{
bool seed_from_argument = flags & CHK_GET_PUZZLE_SEED_FROM_ARGUMENT;
bool seed_from_file = flags & CHK_GET_PUZZLE_SEED_FROM_FILE;
if (seed_from_argument && seed_from_file)
{
xtables_error(PARAMETER_PROBLEM,
"ts3init_get_puzzle: --seed and --seed-file "
"can not be specified at the same time");
}
if (flags & CHK_GET_PUZZLE_CHECK_COOKIE)
{
if (!seed_from_argument && !seed_from_file)
{
xtables_error(PARAMETER_PROBLEM,
"ts3init_get_puzzle: --check-cookie requires either "
"--seed or --seed-file");
}
}
}
/* register and init */
static struct xtables_match ts3init_mt_reg[] =
{
@ -112,6 +165,7 @@ static struct xtables_match ts3init_mt_reg[] =
.print = ts3init_get_puzzle_print,
.save = ts3init_get_puzzle_save,
.extra_opts = ts3init_get_puzzle_opts,
.final_check = ts3init_get_puzzle_check,
},
{
.name = "ts3init_get_puzzle",
@ -125,6 +179,7 @@ static struct xtables_match ts3init_mt_reg[] =
.print = ts3init_get_puzzle_print,
.save = ts3init_get_puzzle_save,
.extra_opts = ts3init_get_puzzle_opts,
.final_check = ts3init_get_puzzle_check,
}
};

41
src/ts3init_cookie_seed.h
View File

@ -2,7 +2,8 @@
#define _TS3INIT_COOKIE_SEED_H
enum {
COOKIE_SEED_LEN = 60
COOKIE_SEED_LEN = 60,
COOKIE_PATH_MAX = 256,
};
static inline bool hex2int_seed(const char *src, __u8* dst)
@ -25,4 +26,42 @@ static inline bool hex2int_seed(const char *src, __u8* dst)
return true;
}
#ifndef __KERNEL__
static inline bool read_cookie_seed_from_file(const char *module_name, const char *path, __u8* dst)
{
int n, fd;
char text[COOKIE_SEED_LEN * 2], error_message[256];
if (strlen(path) > COOKIE_PATH_MAX)
{
xtables_error(PARAMETER_PROBLEM, "%s: path is too long.", module_name);
return false;
}
fd = open(path, O_RDONLY);
if (fd == -1) goto io_error;
if (lseek(fd, 0, SEEK_END) == sizeof(text))
{
xtables_error(PARAMETER_PROBLEM, "%s: %s must contain exactly %lu characters", module_name, path, sizeof(text));
return false;
}
if (lseek(fd, 0, SEEK_SET) == -1) goto io_error;
n = read(fd, text, sizeof(text));
if (n == -1) goto io_error;
else if (n != sizeof(text) || hex2int_seed(text, dst) == false)
{
xtables_error(PARAMETER_PROBLEM, "%s: %s must contain exactly %lu lowercase hex characters", module_name, path, sizeof(text));
return false;
}
return true;
io_error:
strerror_r(errno, error_message, sizeof(error_message));
xtables_error(PARAMETER_PROBLEM, "%s: %s.",
module_name,
error_message);
return false;
}
#endif /* __KERNEL__ */
#endif /* _TS3INIT_COOKIE_SEED_H */

7
src/ts3init_match.h
View File

@ -30,8 +30,10 @@ struct xt_ts3init_get_cookie_mtinfo
/* Enums and structs for get_puzzle */
enum
{
CHK_GET_PUZZLE_CHECK_COOKIE = 1 << 0,
CHK_GET_PUZZLE_VALID_MASK = (1 << 1) - 1,
CHK_GET_PUZZLE_CHECK_COOKIE = 1 << 0,
CHK_GET_PUZZLE_SEED_FROM_ARGUMENT = 1 << 1,
CHK_GET_PUZZLE_SEED_FROM_FILE = 1 << 2,
CHK_GET_PUZZLE_VALID_MASK = (1 << 3) - 1,
};
struct xt_ts3init_get_puzzle_mtinfo
@ -41,6 +43,7 @@ struct xt_ts3init_get_puzzle_mtinfo
__u16 reserved1;
__u32 min_client_version;
__u8 cookie_seed[COOKIE_SEED_LEN];
char cookie_seed_path[COOKIE_PATH_MAX];
};
#endif /* _TS3INIT_MATCH_H */

6
src/ts3init_target.h
View File

@ -11,8 +11,9 @@ enum
enum
{
TARGET_SET_COOKIE_ZERO_RANDOM_SEQUENCE = 1 << 0,
TARGET_SET_COOKIE_SEED = 1 << 1,
TARGET_SET_COOKIE_VALID_MASK = (1 << 2) - 1
TARGET_SET_COOKIE_SEED_FROM_ARGUMENT = 1 << 1,
TARGET_SET_COOKIE_SEED_FROM_FILE = 1 << 2,
TARGET_SET_COOKIE_VALID_MASK = (1 << 3) - 1
};
@ -22,6 +23,7 @@ struct xt_ts3init_set_cookie_tginfo
__u8 specific_options;
__u16 reserved1;
__u8 cookie_seed[COOKIE_SEED_LEN];
char cookie_seed_path[COOKIE_PATH_MAX];
};
#endif /* _TS3INIT_TARGET_H */