1 /* 2 * WPA Supplicant - Layer2 packet handling with Linux packet sockets 3 * Copyright (c) 2003-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <sys/ioctl.h> 11 #include <netpacket/packet.h> 12 #include <net/if.h> 13 #include <linux/filter.h> 14 15 #include "common.h" 16 #include "eloop.h" 17 #include "crypto/sha1.h" 18 #include "crypto/crypto.h" 19 #include "l2_packet.h" 20 21 22 struct l2_packet_data { 23 int fd; /* packet socket for EAPOL frames */ 24 char ifname[IFNAMSIZ + 1]; 25 int ifindex; 26 u8 own_addr[ETH_ALEN]; 27 void (*rx_callback)(void *ctx, const u8 *src_addr, 28 const u8 *buf, size_t len); 29 void *rx_callback_ctx; 30 int l2_hdr; /* whether to include layer 2 (Ethernet) header data 31 * buffers */ 32 33 /* For working around Linux packet socket behavior and regression. */ 34 int fd_br_rx; 35 int last_from_br; 36 u8 last_hash[SHA1_MAC_LEN]; 37 unsigned int num_rx, num_rx_br; 38 }; 39 40 /* Generated by 'sudo tcpdump -s 3000 -dd greater 278 and ip and udp and 41 * src port bootps and dst port bootpc' 42 */ 43 static struct sock_filter dhcp_sock_filter_insns[] = { 44 { 0x80, 0, 0, 0x00000000 }, 45 { 0x35, 0, 12, 0x00000116 }, 46 { 0x28, 0, 0, 0x0000000c }, 47 { 0x15, 0, 10, 0x00000800 }, 48 { 0x30, 0, 0, 0x00000017 }, 49 { 0x15, 0, 8, 0x00000011 }, 50 { 0x28, 0, 0, 0x00000014 }, 51 { 0x45, 6, 0, 0x00001fff }, 52 { 0xb1, 0, 0, 0x0000000e }, 53 { 0x48, 0, 0, 0x0000000e }, 54 { 0x15, 0, 3, 0x00000043 }, 55 { 0x48, 0, 0, 0x00000010 }, 56 { 0x15, 0, 1, 0x00000044 }, 57 { 0x6, 0, 0, 0x00000bb8 }, 58 { 0x6, 0, 0, 0x00000000 }, 59 }; 60 61 static const struct sock_fprog dhcp_sock_filter = { 62 .len = ARRAY_SIZE(dhcp_sock_filter_insns), 63 .filter = dhcp_sock_filter_insns, 64 }; 65 66 67 /* Generated by 'sudo tcpdump -dd -s 1500 multicast and ip6[6]=58' */ 68 static struct sock_filter ndisc_sock_filter_insns[] = { 69 { 0x30, 0, 0, 0x00000000 }, 70 { 0x45, 0, 5, 0x00000001 }, 71 { 0x28, 0, 0, 0x0000000c }, 72 { 0x15, 0, 3, 0x000086dd }, 73 { 0x30, 0, 0, 0x00000014 }, 74 { 0x15, 0, 1, 0x0000003a }, 75 { 0x6, 0, 0, 0x000005dc }, 76 { 0x6, 0, 0, 0x00000000 }, 77 }; 78 79 static const struct sock_fprog ndisc_sock_filter = { 80 .len = ARRAY_SIZE(ndisc_sock_filter_insns), 81 .filter = ndisc_sock_filter_insns, 82 }; 83 84 85 int l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr) 86 { 87 os_memcpy(addr, l2->own_addr, ETH_ALEN); 88 return 0; 89 } 90 91 92 int l2_packet_send(struct l2_packet_data *l2, const u8 *dst_addr, u16 proto, 93 const u8 *buf, size_t len) 94 { 95 int ret; 96 if (l2 == NULL) 97 return -1; 98 if (l2->l2_hdr) { 99 ret = send(l2->fd, buf, len, 0); 100 if (ret < 0) 101 wpa_printf(MSG_ERROR, "l2_packet_send - send: %s", 102 strerror(errno)); 103 } else { 104 struct sockaddr_ll ll; 105 os_memset(&ll, 0, sizeof(ll)); 106 ll.sll_family = AF_PACKET; 107 ll.sll_ifindex = l2->ifindex; 108 ll.sll_protocol = htons(proto); 109 ll.sll_halen = ETH_ALEN; 110 os_memcpy(ll.sll_addr, dst_addr, ETH_ALEN); 111 ret = sendto(l2->fd, buf, len, 0, (struct sockaddr *) &ll, 112 sizeof(ll)); 113 if (ret < 0) { 114 wpa_printf(MSG_ERROR, "l2_packet_send - sendto: %s", 115 strerror(errno)); 116 } 117 } 118 return ret; 119 } 120 121 122 static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) 123 { 124 struct l2_packet_data *l2 = eloop_ctx; 125 u8 buf[2300]; 126 int res; 127 struct sockaddr_ll ll; 128 socklen_t fromlen; 129 130 l2->num_rx++; 131 os_memset(&ll, 0, sizeof(ll)); 132 fromlen = sizeof(ll); 133 res = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *) &ll, 134 &fromlen); 135 if (res < 0) { 136 wpa_printf(MSG_DEBUG, "l2_packet_receive - recvfrom: %s", 137 strerror(errno)); 138 return; 139 } 140 141 wpa_printf(MSG_DEBUG, "%s: src=" MACSTR " len=%d", 142 __func__, MAC2STR(ll.sll_addr), (int) res); 143 144 if (l2->fd_br_rx >= 0) { 145 u8 hash[SHA1_MAC_LEN]; 146 const u8 *addr[1]; 147 size_t len[1]; 148 149 /* 150 * Close the workaround socket if the kernel version seems to be 151 * able to deliver packets through the packet socket before 152 * authorization has been completed (in dormant state). 153 */ 154 if (l2->num_rx_br <= 1) { 155 wpa_printf(MSG_DEBUG, 156 "l2_packet_receive: Main packet socket for %s seems to have working RX - close workaround bridge socket", 157 l2->ifname); 158 eloop_unregister_read_sock(l2->fd_br_rx); 159 close(l2->fd_br_rx); 160 l2->fd_br_rx = -1; 161 } 162 163 addr[0] = buf; 164 len[0] = res; 165 sha1_vector(1, addr, len, hash); 166 if (l2->last_from_br && 167 os_memcmp(hash, l2->last_hash, SHA1_MAC_LEN) == 0) { 168 wpa_printf(MSG_DEBUG, "%s: Drop duplicate RX", 169 __func__); 170 return; 171 } 172 os_memcpy(l2->last_hash, hash, SHA1_MAC_LEN); 173 } 174 175 l2->last_from_br = 0; 176 l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res); 177 } 178 179 180 static void l2_packet_receive_br(int sock, void *eloop_ctx, void *sock_ctx) 181 { 182 struct l2_packet_data *l2 = eloop_ctx; 183 u8 buf[2300]; 184 int res; 185 struct sockaddr_ll ll; 186 socklen_t fromlen; 187 u8 hash[SHA1_MAC_LEN]; 188 const u8 *addr[1]; 189 size_t len[1]; 190 191 l2->num_rx_br++; 192 os_memset(&ll, 0, sizeof(ll)); 193 fromlen = sizeof(ll); 194 res = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *) &ll, 195 &fromlen); 196 if (res < 0) { 197 wpa_printf(MSG_DEBUG, "l2_packet_receive_br - recvfrom: %s", 198 strerror(errno)); 199 return; 200 } 201 202 wpa_printf(MSG_DEBUG, "%s: src=" MACSTR " len=%d", 203 __func__, MAC2STR(ll.sll_addr), (int) res); 204 205 addr[0] = buf; 206 len[0] = res; 207 sha1_vector(1, addr, len, hash); 208 if (!l2->last_from_br && 209 os_memcmp(hash, l2->last_hash, SHA1_MAC_LEN) == 0) { 210 wpa_printf(MSG_DEBUG, "%s: Drop duplicate RX", __func__); 211 return; 212 } 213 l2->last_from_br = 1; 214 os_memcpy(l2->last_hash, hash, SHA1_MAC_LEN); 215 l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res); 216 } 217 218 219 struct l2_packet_data * l2_packet_init( 220 const char *ifname, const u8 *own_addr, unsigned short protocol, 221 void (*rx_callback)(void *ctx, const u8 *src_addr, 222 const u8 *buf, size_t len), 223 void *rx_callback_ctx, int l2_hdr) 224 { 225 struct l2_packet_data *l2; 226 struct ifreq ifr; 227 struct sockaddr_ll ll; 228 229 l2 = os_zalloc(sizeof(struct l2_packet_data)); 230 if (l2 == NULL) 231 return NULL; 232 os_strlcpy(l2->ifname, ifname, sizeof(l2->ifname)); 233 l2->rx_callback = rx_callback; 234 l2->rx_callback_ctx = rx_callback_ctx; 235 l2->l2_hdr = l2_hdr; 236 l2->fd_br_rx = -1; 237 238 l2->fd = socket(PF_PACKET, l2_hdr ? SOCK_RAW : SOCK_DGRAM, 239 htons(protocol)); 240 if (l2->fd < 0) { 241 wpa_printf(MSG_ERROR, "%s: socket(PF_PACKET): %s", 242 __func__, strerror(errno)); 243 os_free(l2); 244 return NULL; 245 } 246 os_memset(&ifr, 0, sizeof(ifr)); 247 os_strlcpy(ifr.ifr_name, l2->ifname, sizeof(ifr.ifr_name)); 248 if (ioctl(l2->fd, SIOCGIFINDEX, &ifr) < 0) { 249 wpa_printf(MSG_ERROR, "%s: ioctl[SIOCGIFINDEX]: %s", 250 __func__, strerror(errno)); 251 close(l2->fd); 252 os_free(l2); 253 return NULL; 254 } 255 l2->ifindex = ifr.ifr_ifindex; 256 257 os_memset(&ll, 0, sizeof(ll)); 258 ll.sll_family = PF_PACKET; 259 ll.sll_ifindex = ifr.ifr_ifindex; 260 ll.sll_protocol = htons(protocol); 261 if (bind(l2->fd, (struct sockaddr *) &ll, sizeof(ll)) < 0) { 262 wpa_printf(MSG_ERROR, "%s: bind[PF_PACKET]: %s", 263 __func__, strerror(errno)); 264 close(l2->fd); 265 os_free(l2); 266 return NULL; 267 } 268 269 if (ioctl(l2->fd, SIOCGIFHWADDR, &ifr) < 0) { 270 wpa_printf(MSG_ERROR, "%s: ioctl[SIOCGIFHWADDR]: %s", 271 __func__, strerror(errno)); 272 close(l2->fd); 273 os_free(l2); 274 return NULL; 275 } 276 os_memcpy(l2->own_addr, ifr.ifr_hwaddr.sa_data, ETH_ALEN); 277 278 eloop_register_read_sock(l2->fd, l2_packet_receive, l2, NULL); 279 280 return l2; 281 } 282 283 284 struct l2_packet_data * l2_packet_init_bridge( 285 const char *br_ifname, const char *ifname, const u8 *own_addr, 286 unsigned short protocol, 287 void (*rx_callback)(void *ctx, const u8 *src_addr, 288 const u8 *buf, size_t len), 289 void *rx_callback_ctx, int l2_hdr) 290 { 291 struct l2_packet_data *l2; 292 struct sock_filter ethertype_sock_filter_insns[] = { 293 /* Load ethertype */ 294 BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 2 * ETH_ALEN), 295 /* Jump over next statement if ethertype does not match */ 296 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, protocol, 0, 1), 297 /* Ethertype match - return all */ 298 BPF_STMT(BPF_RET | BPF_K, ~0), 299 /* No match - drop */ 300 BPF_STMT(BPF_RET | BPF_K, 0) 301 }; 302 const struct sock_fprog ethertype_sock_filter = { 303 .len = ARRAY_SIZE(ethertype_sock_filter_insns), 304 .filter = ethertype_sock_filter_insns, 305 }; 306 struct sockaddr_ll ll; 307 308 l2 = l2_packet_init(br_ifname, own_addr, protocol, rx_callback, 309 rx_callback_ctx, l2_hdr); 310 if (!l2) 311 return NULL; 312 313 /* 314 * The Linux packet socket behavior has changed over the years and there 315 * is an inconvenient regression in it that breaks RX for a specific 316 * protocol from interfaces in a bridge when that interface is not in 317 * fully operation state (i.e., when in station mode and not completed 318 * authorization). To work around this, register ETH_P_ALL version of 319 * the packet socket bound to the real netdev and use socket filter to 320 * match the ethertype value. This version is less efficient, but 321 * required for functionality with many kernel version. If the main 322 * packet socket is found to be working, this less efficient version 323 * gets closed automatically. 324 */ 325 326 l2->fd_br_rx = socket(PF_PACKET, l2_hdr ? SOCK_RAW : SOCK_DGRAM, 327 htons(ETH_P_ALL)); 328 if (l2->fd_br_rx < 0) { 329 wpa_printf(MSG_DEBUG, "%s: socket(PF_PACKET-fd_br_rx): %s", 330 __func__, strerror(errno)); 331 /* try to continue without the workaround RX socket */ 332 return l2; 333 } 334 335 os_memset(&ll, 0, sizeof(ll)); 336 ll.sll_family = PF_PACKET; 337 ll.sll_ifindex = if_nametoindex(ifname); 338 ll.sll_protocol = htons(ETH_P_ALL); 339 if (bind(l2->fd_br_rx, (struct sockaddr *) &ll, sizeof(ll)) < 0) { 340 wpa_printf(MSG_DEBUG, "%s: bind[PF_PACKET-fd_br_rx]: %s", 341 __func__, strerror(errno)); 342 /* try to continue without the workaround RX socket */ 343 close(l2->fd_br_rx); 344 l2->fd_br_rx = -1; 345 return l2; 346 } 347 348 if (setsockopt(l2->fd_br_rx, SOL_SOCKET, SO_ATTACH_FILTER, 349 ðertype_sock_filter, sizeof(struct sock_fprog))) { 350 wpa_printf(MSG_DEBUG, 351 "l2_packet_linux: setsockopt(SO_ATTACH_FILTER) failed: %s", 352 strerror(errno)); 353 /* try to continue without the workaround RX socket */ 354 close(l2->fd_br_rx); 355 l2->fd_br_rx = -1; 356 return l2; 357 } 358 359 eloop_register_read_sock(l2->fd_br_rx, l2_packet_receive_br, l2, NULL); 360 361 return l2; 362 } 363 364 365 void l2_packet_deinit(struct l2_packet_data *l2) 366 { 367 if (l2 == NULL) 368 return; 369 370 if (l2->fd >= 0) { 371 eloop_unregister_read_sock(l2->fd); 372 close(l2->fd); 373 } 374 375 if (l2->fd_br_rx >= 0) { 376 eloop_unregister_read_sock(l2->fd_br_rx); 377 close(l2->fd_br_rx); 378 } 379 380 os_free(l2); 381 } 382 383 384 int l2_packet_get_ip_addr(struct l2_packet_data *l2, char *buf, size_t len) 385 { 386 int s; 387 struct ifreq ifr; 388 struct sockaddr_in *saddr; 389 size_t res; 390 391 s = socket(PF_INET, SOCK_DGRAM, 0); 392 if (s < 0) { 393 wpa_printf(MSG_ERROR, "%s: socket: %s", 394 __func__, strerror(errno)); 395 return -1; 396 } 397 os_memset(&ifr, 0, sizeof(ifr)); 398 os_strlcpy(ifr.ifr_name, l2->ifname, sizeof(ifr.ifr_name)); 399 if (ioctl(s, SIOCGIFADDR, &ifr) < 0) { 400 if (errno != EADDRNOTAVAIL) 401 wpa_printf(MSG_ERROR, "%s: ioctl[SIOCGIFADDR]: %s", 402 __func__, strerror(errno)); 403 close(s); 404 return -1; 405 } 406 close(s); 407 saddr = aliasing_hide_typecast(&ifr.ifr_addr, struct sockaddr_in); 408 if (saddr->sin_family != AF_INET) 409 return -1; 410 res = os_strlcpy(buf, inet_ntoa(saddr->sin_addr), len); 411 if (res >= len) 412 return -1; 413 return 0; 414 } 415 416 417 void l2_packet_notify_auth_start(struct l2_packet_data *l2) 418 { 419 } 420 421 422 int l2_packet_set_packet_filter(struct l2_packet_data *l2, 423 enum l2_packet_filter_type type) 424 { 425 const struct sock_fprog *sock_filter; 426 427 switch (type) { 428 case L2_PACKET_FILTER_DHCP: 429 sock_filter = &dhcp_sock_filter; 430 break; 431 case L2_PACKET_FILTER_NDISC: 432 sock_filter = &ndisc_sock_filter; 433 break; 434 default: 435 return -1; 436 } 437 438 if (setsockopt(l2->fd, SOL_SOCKET, SO_ATTACH_FILTER, 439 sock_filter, sizeof(struct sock_fprog))) { 440 wpa_printf(MSG_ERROR, 441 "l2_packet_linux: setsockopt(SO_ATTACH_FILTER) failed: %s", 442 strerror(errno)); 443 return -1; 444 } 445 446 return 0; 447 } 448
