1 /* 2 * WPA Supplicant - Layer2 packet handling with Linux packet sockets 3 * Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <sys/ioctl.h> 11 #include <netpacket/packet.h> 12 #include <net/if.h> 13 #include <linux/filter.h> 14 15 #include "common.h" 16 #include "eloop.h" 17 #include "crypto/sha1.h" 18 #include "crypto/crypto.h" 19 #include "l2_packet.h" 20 21 22 struct l2_packet_data { 23 int fd; /* packet socket for EAPOL frames */ 24 char ifname[IFNAMSIZ + 1]; 25 int ifindex; 26 u8 own_addr[ETH_ALEN]; 27 void (*rx_callback)(void *ctx, const u8 *src_addr, 28 const u8 *buf, size_t len); 29 void *rx_callback_ctx; 30 int l2_hdr; /* whether to include layer 2 (Ethernet) header data 31 * buffers */ 32 33 #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR 34 /* For working around Linux packet socket behavior and regression. */ 35 int fd_br_rx; 36 int last_from_br, last_from_br_prev; 37 u8 last_hash[SHA1_MAC_LEN]; 38 u8 last_hash_prev[SHA1_MAC_LEN]; 39 unsigned int num_rx_br; 40 #endif /* CONFIG_NO_LINUX_PACKET_SOCKET_WAR */ 41 }; 42 43 /* Generated by 'sudo tcpdump -s 3000 -dd greater 278 and ip and udp and 44 * src port bootps and dst port bootpc' 45 */ 46 static struct sock_filter dhcp_sock_filter_insns[] = { 47 { 0x80, 0, 0, 0x00000000 }, 48 { 0x35, 0, 12, 0x00000116 }, 49 { 0x28, 0, 0, 0x0000000c }, 50 { 0x15, 0, 10, 0x00000800 }, 51 { 0x30, 0, 0, 0x00000017 }, 52 { 0x15, 0, 8, 0x00000011 }, 53 { 0x28, 0, 0, 0x00000014 }, 54 { 0x45, 6, 0, 0x00001fff }, 55 { 0xb1, 0, 0, 0x0000000e }, 56 { 0x48, 0, 0, 0x0000000e }, 57 { 0x15, 0, 3, 0x00000043 }, 58 { 0x48, 0, 0, 0x00000010 }, 59 { 0x15, 0, 1, 0x00000044 }, 60 { 0x6, 0, 0, 0x00000bb8 }, 61 { 0x6, 0, 0, 0x00000000 }, 62 }; 63 64 static const struct sock_fprog dhcp_sock_filter = { 65 .len = ARRAY_SIZE(dhcp_sock_filter_insns), 66 .filter = dhcp_sock_filter_insns, 67 }; 68 69 70 /* Generated by 'sudo tcpdump -dd -s 1500 multicast and ip6[6]=58' */ 71 static struct sock_filter ndisc_sock_filter_insns[] = { 72 { 0x30, 0, 0, 0x00000000 }, 73 { 0x45, 0, 5, 0x00000001 }, 74 { 0x28, 0, 0, 0x0000000c }, 75 { 0x15, 0, 3, 0x000086dd }, 76 { 0x30, 0, 0, 0x00000014 }, 77 { 0x15, 0, 1, 0x0000003a }, 78 { 0x6, 0, 0, 0x000005dc }, 79 { 0x6, 0, 0, 0x00000000 }, 80 }; 81 82 static const struct sock_fprog ndisc_sock_filter = { 83 .len = ARRAY_SIZE(ndisc_sock_filter_insns), 84 .filter = ndisc_sock_filter_insns, 85 }; 86 87 /* drop packet if skb->pkt_type is PACKET_OTHERHOST (0x03). Generated by: 88 * $ bpfc - <<EOF 89 * > ldb #type 90 * > jeq #0x03, drop 91 * > pass: ret #-1 92 * > drop: ret #0 93 * > EOF 94 */ 95 static struct sock_filter pkt_type_filter_insns[] = { 96 { 0x30, 0, 0, 0xfffff004 }, 97 { 0x15, 1, 0, 0x00000003 }, 98 { 0x6, 0, 0, 0xffffffff }, 99 { 0x6, 0, 0, 0x00000000 }, 100 }; 101 102 static const struct sock_fprog pkt_type_sock_filter = { 103 .len = ARRAY_SIZE(pkt_type_filter_insns), 104 .filter = pkt_type_filter_insns, 105 }; 106 107 108 int l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr) 109 { 110 os_memcpy(addr, l2->own_addr, ETH_ALEN); 111 return 0; 112 } 113 114 115 int l2_packet_send(struct l2_packet_data *l2, const u8 *dst_addr, u16 proto, 116 const u8 *buf, size_t len) 117 { 118 int ret; 119 120 if (TEST_FAIL()) 121 return -1; 122 if (l2 == NULL) 123 return -1; 124 if (l2->l2_hdr) { 125 ret = send(l2->fd, buf, len, 0); 126 if (ret < 0) 127 wpa_printf(MSG_ERROR, "l2_packet_send - send: %s", 128 strerror(errno)); 129 } else { 130 struct sockaddr_ll ll; 131 os_memset(&ll, 0, sizeof(ll)); 132 ll.sll_family = AF_PACKET; 133 ll.sll_ifindex = l2->ifindex; 134 ll.sll_protocol = htons(proto); 135 ll.sll_halen = ETH_ALEN; 136 os_memcpy(ll.sll_addr, dst_addr, ETH_ALEN); 137 ret = sendto(l2->fd, buf, len, 0, (struct sockaddr *) &ll, 138 sizeof(ll)); 139 if (ret < 0) { 140 wpa_printf(MSG_ERROR, "l2_packet_send - sendto: %s", 141 strerror(errno)); 142 } 143 } 144 return ret; 145 } 146 147 148 static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) 149 { 150 struct l2_packet_data *l2 = eloop_ctx; 151 u8 buf[2300]; 152 int res; 153 struct sockaddr_ll ll; 154 socklen_t fromlen; 155 156 os_memset(&ll, 0, sizeof(ll)); 157 fromlen = sizeof(ll); 158 res = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *) &ll, 159 &fromlen); 160 if (res < 0) { 161 wpa_printf(MSG_DEBUG, "l2_packet_receive - recvfrom: %s", 162 strerror(errno)); 163 return; 164 } 165 166 wpa_printf(MSG_DEBUG, "%s: src=" MACSTR " len=%d", 167 __func__, MAC2STR(ll.sll_addr), (int) res); 168 169 #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR 170 if (l2->fd_br_rx >= 0) { 171 u8 hash[SHA1_MAC_LEN]; 172 const u8 *addr[1]; 173 size_t len[1]; 174 const struct l2_ethhdr *eth = (const struct l2_ethhdr *) buf; 175 176 /* 177 * Close the workaround socket if the kernel version seems to be 178 * able to deliver packets through the packet socket before 179 * authorization has been completed (in dormant state). 180 */ 181 if (l2->num_rx_br <= 1 && 182 (os_memcmp(eth->h_dest, l2->own_addr, ETH_ALEN) == 0 || 183 is_multicast_ether_addr(eth->h_dest))) { 184 wpa_printf(MSG_DEBUG, 185 "l2_packet_receive: Main packet socket for %s seems to have working RX - close workaround bridge socket", 186 l2->ifname); 187 eloop_unregister_read_sock(l2->fd_br_rx); 188 close(l2->fd_br_rx); 189 l2->fd_br_rx = -1; 190 } 191 192 addr[0] = buf; 193 len[0] = res; 194 sha1_vector(1, addr, len, hash); 195 if (l2->last_from_br && 196 os_memcmp(hash, l2->last_hash, SHA1_MAC_LEN) == 0) { 197 wpa_printf(MSG_DEBUG, "%s: Drop duplicate RX", 198 __func__); 199 return; 200 } 201 if (l2->last_from_br_prev && 202 os_memcmp(hash, l2->last_hash_prev, SHA1_MAC_LEN) == 0) { 203 wpa_printf(MSG_DEBUG, "%s: Drop duplicate RX(prev)", 204 __func__); 205 return; 206 } 207 os_memcpy(l2->last_hash_prev, l2->last_hash, SHA1_MAC_LEN); 208 l2->last_from_br_prev = l2->last_from_br; 209 os_memcpy(l2->last_hash, hash, SHA1_MAC_LEN); 210 } 211 212 l2->last_from_br = 0; 213 #endif /* CONFIG_NO_LINUX_PACKET_SOCKET_WAR */ 214 l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res); 215 } 216 217 218 #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR 219 static void l2_packet_receive_br(int sock, void *eloop_ctx, void *sock_ctx) 220 { 221 struct l2_packet_data *l2 = eloop_ctx; 222 u8 buf[2300]; 223 int res; 224 struct sockaddr_ll ll; 225 socklen_t fromlen; 226 u8 hash[SHA1_MAC_LEN]; 227 const u8 *addr[1]; 228 size_t len[1]; 229 230 l2->num_rx_br++; 231 os_memset(&ll, 0, sizeof(ll)); 232 fromlen = sizeof(ll); 233 res = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *) &ll, 234 &fromlen); 235 if (res < 0) { 236 wpa_printf(MSG_DEBUG, "l2_packet_receive_br - recvfrom: %s", 237 strerror(errno)); 238 return; 239 } 240 241 wpa_printf(MSG_DEBUG, "%s: src=" MACSTR " len=%d", 242 __func__, MAC2STR(ll.sll_addr), (int) res); 243 244 if (os_memcmp(ll.sll_addr, l2->own_addr, ETH_ALEN) == 0) { 245 wpa_printf(MSG_DEBUG, "%s: Drop RX of own frame", __func__); 246 return; 247 } 248 249 addr[0] = buf; 250 len[0] = res; 251 sha1_vector(1, addr, len, hash); 252 if (!l2->last_from_br && 253 os_memcmp(hash, l2->last_hash, SHA1_MAC_LEN) == 0) { 254 wpa_printf(MSG_DEBUG, "%s: Drop duplicate RX", __func__); 255 return; 256 } 257 if (!l2->last_from_br_prev && 258 os_memcmp(hash, l2->last_hash_prev, SHA1_MAC_LEN) == 0) { 259 wpa_printf(MSG_DEBUG, "%s: Drop duplicate RX(prev)", __func__); 260 return; 261 } 262 os_memcpy(l2->last_hash_prev, l2->last_hash, SHA1_MAC_LEN); 263 l2->last_from_br_prev = l2->last_from_br; 264 l2->last_from_br = 1; 265 os_memcpy(l2->last_hash, hash, SHA1_MAC_LEN); 266 l2->rx_callback(l2->rx_callback_ctx, ll.sll_addr, buf, res); 267 } 268 #endif /* CONFIG_NO_LINUX_PACKET_SOCKET_WAR */ 269 270 271 struct l2_packet_data * l2_packet_init( 272 const char *ifname, const u8 *own_addr, unsigned short protocol, 273 void (*rx_callback)(void *ctx, const u8 *src_addr, 274 const u8 *buf, size_t len), 275 void *rx_callback_ctx, int l2_hdr) 276 { 277 struct l2_packet_data *l2; 278 struct ifreq ifr; 279 struct sockaddr_ll ll; 280 281 l2 = os_zalloc(sizeof(struct l2_packet_data)); 282 if (l2 == NULL) 283 return NULL; 284 os_strlcpy(l2->ifname, ifname, sizeof(l2->ifname)); 285 l2->rx_callback = rx_callback; 286 l2->rx_callback_ctx = rx_callback_ctx; 287 l2->l2_hdr = l2_hdr; 288 #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR 289 l2->fd_br_rx = -1; 290 #endif /* CONFIG_NO_LINUX_PACKET_SOCKET_WAR */ 291 292 l2->fd = socket(PF_PACKET, l2_hdr ? SOCK_RAW : SOCK_DGRAM, 293 htons(protocol)); 294 if (l2->fd < 0) { 295 wpa_printf(MSG_ERROR, "%s: socket(PF_PACKET): %s", 296 __func__, strerror(errno)); 297 os_free(l2); 298 return NULL; 299 } 300 os_memset(&ifr, 0, sizeof(ifr)); 301 os_strlcpy(ifr.ifr_name, l2->ifname, sizeof(ifr.ifr_name)); 302 if (ioctl(l2->fd, SIOCGIFINDEX, &ifr) < 0) { 303 wpa_printf(MSG_ERROR, "%s: ioctl[SIOCGIFINDEX]: %s", 304 __func__, strerror(errno)); 305 close(l2->fd); 306 os_free(l2); 307 return NULL; 308 } 309 l2->ifindex = ifr.ifr_ifindex; 310 311 os_memset(&ll, 0, sizeof(ll)); 312 ll.sll_family = PF_PACKET; 313 ll.sll_ifindex = ifr.ifr_ifindex; 314 ll.sll_protocol = htons(protocol); 315 if (rx_callback && 316 bind(l2->fd, (struct sockaddr *) &ll, sizeof(ll)) < 0) { 317 wpa_printf(MSG_ERROR, "%s: bind[PF_PACKET]: %s", 318 __func__, strerror(errno)); 319 close(l2->fd); 320 os_free(l2); 321 return NULL; 322 } 323 324 if (ioctl(l2->fd, SIOCGIFHWADDR, &ifr) < 0) { 325 wpa_printf(MSG_ERROR, "%s: ioctl[SIOCGIFHWADDR]: %s", 326 __func__, strerror(errno)); 327 close(l2->fd); 328 os_free(l2); 329 return NULL; 330 } 331 os_memcpy(l2->own_addr, ifr.ifr_hwaddr.sa_data, ETH_ALEN); 332 333 if (rx_callback) 334 eloop_register_read_sock(l2->fd, l2_packet_receive, l2, NULL); 335 336 return l2; 337 } 338 339 340 struct l2_packet_data * l2_packet_init_bridge( 341 const char *br_ifname, const char *ifname, const u8 *own_addr, 342 unsigned short protocol, 343 void (*rx_callback)(void *ctx, const u8 *src_addr, 344 const u8 *buf, size_t len), 345 void *rx_callback_ctx, int l2_hdr) 346 { 347 struct l2_packet_data *l2; 348 #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR 349 struct sock_filter ethertype_sock_filter_insns[] = { 350 /* Load ethertype */ 351 BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 2 * ETH_ALEN), 352 /* Jump over next statement if ethertype does not match */ 353 BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, protocol, 0, 1), 354 /* Ethertype match - return all */ 355 BPF_STMT(BPF_RET | BPF_K, ~0), 356 /* No match - drop */ 357 BPF_STMT(BPF_RET | BPF_K, 0) 358 }; 359 const struct sock_fprog ethertype_sock_filter = { 360 .len = ARRAY_SIZE(ethertype_sock_filter_insns), 361 .filter = ethertype_sock_filter_insns, 362 }; 363 struct sockaddr_ll ll; 364 #endif /* CONFIG_NO_LINUX_PACKET_SOCKET_WAR */ 365 366 l2 = l2_packet_init(br_ifname, own_addr, protocol, rx_callback, 367 rx_callback_ctx, l2_hdr); 368 if (!l2) 369 return NULL; 370 371 #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR 372 /* 373 * The Linux packet socket behavior has changed over the years and there 374 * is an inconvenient regression in it that breaks RX for a specific 375 * protocol from interfaces in a bridge when that interface is not in 376 * fully operation state (i.e., when in station mode and not completed 377 * authorization). To work around this, register ETH_P_ALL version of 378 * the packet socket bound to the real netdev and use socket filter to 379 * match the ethertype value. This version is less efficient, but 380 * required for functionality with many kernel version. If the main 381 * packet socket is found to be working, this less efficient version 382 * gets closed automatically. 383 */ 384 385 l2->fd_br_rx = socket(PF_PACKET, l2_hdr ? SOCK_RAW : SOCK_DGRAM, 386 htons(ETH_P_ALL)); 387 if (l2->fd_br_rx < 0) { 388 wpa_printf(MSG_DEBUG, "%s: socket(PF_PACKET-fd_br_rx): %s", 389 __func__, strerror(errno)); 390 /* try to continue without the workaround RX socket */ 391 return l2; 392 } 393 394 os_memset(&ll, 0, sizeof(ll)); 395 ll.sll_family = PF_PACKET; 396 ll.sll_ifindex = if_nametoindex(ifname); 397 ll.sll_protocol = htons(ETH_P_ALL); 398 if (bind(l2->fd_br_rx, (struct sockaddr *) &ll, sizeof(ll)) < 0) { 399 wpa_printf(MSG_DEBUG, "%s: bind[PF_PACKET-fd_br_rx]: %s", 400 __func__, strerror(errno)); 401 /* try to continue without the workaround RX socket */ 402 close(l2->fd_br_rx); 403 l2->fd_br_rx = -1; 404 return l2; 405 } 406 407 if (setsockopt(l2->fd_br_rx, SOL_SOCKET, SO_ATTACH_FILTER, 408 ðertype_sock_filter, sizeof(struct sock_fprog))) { 409 wpa_printf(MSG_DEBUG, 410 "l2_packet_linux: setsockopt(SO_ATTACH_FILTER) failed: %s", 411 strerror(errno)); 412 /* try to continue without the workaround RX socket */ 413 close(l2->fd_br_rx); 414 l2->fd_br_rx = -1; 415 return l2; 416 } 417 418 eloop_register_read_sock(l2->fd_br_rx, l2_packet_receive_br, l2, NULL); 419 #endif /* CONFIG_NO_LINUX_PACKET_SOCKET_WAR */ 420 421 return l2; 422 } 423 424 425 void l2_packet_deinit(struct l2_packet_data *l2) 426 { 427 if (l2 == NULL) 428 return; 429 430 if (l2->fd >= 0) { 431 eloop_unregister_read_sock(l2->fd); 432 close(l2->fd); 433 } 434 435 #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR 436 if (l2->fd_br_rx >= 0) { 437 eloop_unregister_read_sock(l2->fd_br_rx); 438 close(l2->fd_br_rx); 439 } 440 #endif /* CONFIG_NO_LINUX_PACKET_SOCKET_WAR */ 441 442 os_free(l2); 443 } 444 445 446 int l2_packet_get_ip_addr(struct l2_packet_data *l2, char *buf, size_t len) 447 { 448 int s; 449 struct ifreq ifr; 450 struct sockaddr_in *saddr; 451 size_t res; 452 453 s = socket(PF_INET, SOCK_DGRAM, 0); 454 if (s < 0) { 455 wpa_printf(MSG_ERROR, "%s: socket: %s", 456 __func__, strerror(errno)); 457 return -1; 458 } 459 os_memset(&ifr, 0, sizeof(ifr)); 460 os_strlcpy(ifr.ifr_name, l2->ifname, sizeof(ifr.ifr_name)); 461 if (ioctl(s, SIOCGIFADDR, &ifr) < 0) { 462 if (errno != EADDRNOTAVAIL) 463 wpa_printf(MSG_ERROR, "%s: ioctl[SIOCGIFADDR]: %s", 464 __func__, strerror(errno)); 465 close(s); 466 return -1; 467 } 468 close(s); 469 saddr = aliasing_hide_typecast(&ifr.ifr_addr, struct sockaddr_in); 470 if (saddr->sin_family != AF_INET) 471 return -1; 472 res = os_strlcpy(buf, inet_ntoa(saddr->sin_addr), len); 473 if (res >= len) 474 return -1; 475 return 0; 476 } 477 478 479 void l2_packet_notify_auth_start(struct l2_packet_data *l2) 480 { 481 } 482 483 484 int l2_packet_set_packet_filter(struct l2_packet_data *l2, 485 enum l2_packet_filter_type type) 486 { 487 const struct sock_fprog *sock_filter; 488 489 if (TEST_FAIL()) 490 return -1; 491 492 switch (type) { 493 case L2_PACKET_FILTER_DHCP: 494 sock_filter = &dhcp_sock_filter; 495 break; 496 case L2_PACKET_FILTER_NDISC: 497 sock_filter = &ndisc_sock_filter; 498 break; 499 case L2_PACKET_FILTER_PKTTYPE: 500 sock_filter = &pkt_type_sock_filter; 501 break; 502 default: 503 return -1; 504 } 505 506 if (setsockopt(l2->fd, SOL_SOCKET, SO_ATTACH_FILTER, 507 sock_filter, sizeof(struct sock_fprog))) { 508 wpa_printf(MSG_ERROR, 509 "l2_packet_linux: setsockopt(SO_ATTACH_FILTER) failed: %s", 510 strerror(errno)); 511 return -1; 512 } 513 514 return 0; 515 } 516