scratch/lwip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Import lwIP contrib rep

Browse Source 
... from http://git.savannah.gnu.org/cgit/lwip/lwip-contrib.git/ into contrib/ subdir, STABLE-2_1_0_RELEASE tag
lwIP contrib is now officially frozen
TODO: Fix build
This commit is contained in:
Dirk Ziegelmeier
2018-10-02 12:17:31 +02:00
parent dd1ab2bf59
commit ac46e42aa2
310 changed files with 58603 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
contrib/addons/ipv6_static_routing/README Normal file
View File

@@ -0,0 +1,43 @@
A simple routing table implementation for addition, deletion and lookup of IPv6 routes. 
APIs are:
1) s8_t ip6_add_route_entry(struct ip6_prefix *ip6_prefix,
                            struct netif *netif,
                            ip6_addr_t *gateway,
                            s8_t *index);
2) err_t ip6_remove_route_entry(struct ip6_prefix *ip6_prefix);
3) s8_t ip6_find_route_entry(ip6_addr_t *ip6_dest_addr);
4) struct netif *ip6_static_route(ip6_addr_t *src, ip6_addr_t *dest);
5) ip6_addr_t *ip6_get_gateway(struct netif *netif, ip6_addr_t *dest);
6) struct ip6_route_entry *ip6_get_route_table(void);
For route lookup from the table, The LWIP_HOOK_IP6_ROUTE hook in ip6_route(..) of ip6.c
could be assigned to the ip6_static_route() API of this implementation to return the
appropriate netif.
-- The application can add routes using the API ip6_add_route_entry(..). 
   This API adds the ip6 prefix route into the static route table while
   keeping all entries sorted in decreasing order of prefix length.
   Subsequently, a linear search down the list can be performed to retrieve a
   matching route entry for a Longest Prefix Match.
   The prefix length is expected to be at an 8-bit boundary. While this is 
   a limitation, it would serve most practical purposes.
-- The application can remove routes using the API ip6_remove_route_entry(..).
-- The application can find a route entry for a specific address using the 
   ip6_find_route_entry() function which returns the index of the found entry. 
   This is used internally by the route lookup function ip6_static_route() API.
-- To fetch the gateway IPv6 address for a specific destination IPv6 
   address and target netif, the application can call ip6_get_gateway(..).
This API could be assigned to the LWIP_HOOK_ND6_GET_GW() if a gateway has
been added as part of the ip6_add_route_entry().
-- To fetch a pointer to the head of the table, the application can call 
   ip6_get_route_table().

248
contrib/addons/ipv6_static_routing/ip6_route_table.c Normal file
View File

@@ -0,0 +1,248 @@
/**
* @file
* IPv6 static route table.
*/
/*
* Copyright (c) 2015 Nest Labs, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* Author: Pradip De <pradipd@google.com>
*
*
* Please coordinate changes and requests with Pradip De
* <pradipd@google.com>
*/
#include "lwip/opt.h"
#if LWIP_IPV6 /* don't build if not configured for use in lwipopts.h */
#include "ip6_route_table.h"
#include "lwip/def.h"
#include "lwip/mem.h"
#include "lwip/netif.h"
#include "lwip/ip6.h"
#include "lwip/ip6_addr.h"
#include "lwip/nd6.h"
#include "lwip/debug.h"
#include "lwip/stats.h"
#include "string.h"
static struct ip6_route_entry static_route_table[LWIP_IPV6_NUM_ROUTE_ENTRIES];
/**
* Add the ip6 prefix route and target netif into the static route table while
* keeping all entries sorted in decreasing order of prefix length.
* 1. Search from the last entry up to find the correct slot to insert while
* moving entries one position down to create room.
* 2. Insert into empty slot created.
*
* Subsequently, a linear search down the list can be performed to retrieve a
* matching route entry for a Longest Prefix Match.
*
* @param ip6_prefix the route prefix entry to add.
* @param netif pointer to target netif.
* @param gateway the gateway address to use to send through. Has to be link local.
* @param idx return value argument of index where route entry was added in table.
* @return ERR_OK if addition was successful.
* ERR_MEM if table is already full.
* ERR_ARG if passed argument is bad or route already exists in table.
*/
err_t
ip6_add_route_entry(const struct ip6_prefix *ip6_prefix, struct netif *netif, const ip6_addr_t *gateway, s8_t *idx)
{
s8_t i = -1;
err_t retval = ERR_OK;
if (!ip6_prefix_valid(ip6_prefix->prefix_len) || (netif == NULL)) {
retval = ERR_ARG;
goto exit;
}
/* Check if an entry already exists with matching prefix; If so, replace it. */
for (i = 0; i < LWIP_IPV6_NUM_ROUTE_ENTRIES; i++) {
if ((ip6_prefix->prefix_len == static_route_table[i].prefix.prefix_len) &&
memcmp(&ip6_prefix->addr, &static_route_table[i].prefix.addr,
ip6_prefix->prefix_len / 8) == 0) {
/* Prefix matches; replace the netif with the one being added. */
goto insert;
}
}
/* Check if the table is full */
if (static_route_table[LWIP_IPV6_NUM_ROUTE_ENTRIES - 1].netif != NULL) {
retval = ERR_MEM;
goto exit;
}
/* Shift all entries down the table until slot is found */
for (i = LWIP_IPV6_NUM_ROUTE_ENTRIES - 1;
i > 0 && (ip6_prefix->prefix_len > static_route_table[i - 1].prefix.prefix_len); i--) {
SMEMCPY(&static_route_table[i], &static_route_table[i - 1], sizeof(struct ip6_route_entry));
}
insert:
/* Insert into the slot selected */
SMEMCPY(&static_route_table[i].prefix, ip6_prefix, sizeof(struct ip6_prefix));
static_route_table[i].netif = netif;
/* Add gateway to route table */
static_route_table[i].gateway = gateway;
if (idx != NULL) {
*idx = i;
}
exit:
return retval;
}
/**
* Removes the route entry from the static route table.
*
* @param ip6_prefix the route prefix entry to delete.
*/
void
ip6_remove_route_entry(const struct ip6_prefix *ip6_prefix)
{
int i, pos = -1;
for (i = 0; i < LWIP_IPV6_NUM_ROUTE_ENTRIES; i++) {
/* compare prefix to find position to delete */
if (ip6_prefix->prefix_len == static_route_table[i].prefix.prefix_len &&
memcmp(&ip6_prefix->addr, &static_route_table[i].prefix.addr,
ip6_prefix->prefix_len / 8) == 0) {
pos = i;
break;
}
}
if (pos >= 0) {
/* Shift everything beyond pos one slot up */
for (i = pos; i < LWIP_IPV6_NUM_ROUTE_ENTRIES - 1; i++) {
SMEMCPY(&static_route_table[i], &static_route_table[i+1], sizeof(struct ip6_route_entry));
if (static_route_table[i].netif == NULL) {
break;
}
}
/* Zero the remaining entries */
for (; i < LWIP_IPV6_NUM_ROUTE_ENTRIES; i++) {
ip6_addr_set_zero((&static_route_table[i].prefix.addr));
static_route_table[i].netif = NULL;
}
}
}
/**
* Finds the appropriate route entry in the static route table corresponding to the given
* destination IPv6 address. Since the entries in the route table are kept sorted in decreasing
* order of prefix length, a linear search down the list is performed to retrieve a matching
* index.
*
* @param ip6_dest_addr the destination address to match
* @return the idx of the found route entry; -1 if not found.
*/
s8_t
ip6_find_route_entry(const ip6_addr_t *ip6_dest_addr)
{
s8_t i, idx = -1;
/* Search prefix in the sorted(decreasing order of prefix length) list */
for(i = 0; i < LWIP_IPV6_NUM_ROUTE_ENTRIES; i++) {
if (memcmp(ip6_dest_addr, &static_route_table[i].prefix.addr,
static_route_table[i].prefix.prefix_len / 8) == 0) {
idx = i;
break;
}
}
return idx;
}
/**
* Finds the appropriate network interface for a given IPv6 address from a routing table with
* static IPv6 routes.
*
* @param src the source IPv6 address, if known
* @param dest the destination IPv6 address for which to find the route
* @return the netif on which to send to reach dest
*/
struct netif *
ip6_static_route(const ip6_addr_t *src, const ip6_addr_t *dest)
{
int i;
LWIP_UNUSED_ARG(src);
/* Perform table lookup */
i = ip6_find_route_entry(dest);
if (i >= 0) {
return static_route_table[i].netif;
} else {
return NULL;
}
}
/**
* Finds the gateway IP6 address for a given destination IPv6 address and target netif
* from a routing table with static IPv6 routes.
*
* @param netif the netif used for sending
* @param dest the destination IPv6 address
* @return the ip6 address of the gateway to forward packet to
*/
const ip6_addr_t *
ip6_get_gateway(struct netif *netif, const ip6_addr_t *dest)
{
const ip6_addr_t *ret_gw = NULL;
const int i = ip6_find_route_entry(dest);
LWIP_UNUSED_ARG(netif);
if (i >= 0) {
if (static_route_table[i].gateway != NULL) {
ret_gw = static_route_table[i].gateway;
}
}
return ret_gw;
}
/**
* Returns the top of the route table.
* This should be used for debug printing only.
*
* @return the top of the route table.
*/
const struct ip6_route_entry *
ip6_get_route_table(void)
{
return static_route_table;
}
#endif /* LWIP_IPV6 */

94
contrib/addons/ipv6_static_routing/ip6_route_table.h Normal file
View File

@@ -0,0 +1,94 @@
/**
* @file
*
* IPv6 static route table.
*/
/*
* Copyright (c) 2015 Nest Labs, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* Author: Pradip De <pradipd@google.com>
*
*
* Please coordinate changes and requests with Pradip De
* <pradipd@google.com>
*/
#ifndef __LWIP_IP6_ROUTE_TABLE_H__
#define __LWIP_IP6_ROUTE_TABLE_H__
#include "lwip/opt.h"
#if LWIP_IPV6 /* don't build if not configured for use in lwipopts.h */
#include "lwip/ip6_addr.h"
#include "lwip/err.h"
#ifdef __cplusplus
extern "C" {
#endif
struct netif;
/**
* LWIP_IPV6_NUM_ROUTES: Number of IPV6 routes that can be kept in the static route table.
*/
#ifndef LWIP_IPV6_NUM_ROUTE_ENTRIES
#define LWIP_IPV6_NUM_ROUTE_ENTRIES (8)
#endif
#define IP6_MAX_PREFIX_LEN (128)
#define IP6_PREFIX_ALLOWED_GRANULARITY (8)
/* Prefix length cannot be greater than 128 bits and needs to be at a byte boundary */
#define ip6_prefix_valid(prefix_len) (((prefix_len) <= IP6_MAX_PREFIX_LEN) && \
(((prefix_len) % IP6_PREFIX_ALLOWED_GRANULARITY) == 0))
struct ip6_prefix {
ip6_addr_t addr;
u8_t prefix_len; /* prefix length in bits at byte boundaries */
};
struct ip6_route_entry {
struct ip6_prefix prefix;
struct netif *netif;
const ip6_addr_t *gateway;
};
err_t ip6_add_route_entry(const struct ip6_prefix *ip6_prefix, struct netif *netif,
const ip6_addr_t *gateway, s8_t *idx);
void ip6_remove_route_entry(const struct ip6_prefix *ip6_prefix);
s8_t ip6_find_route_entry(const ip6_addr_t *ip6_dest_addr);
struct netif *ip6_static_route(const ip6_addr_t *src, const ip6_addr_t *dest);
const ip6_addr_t *ip6_get_gateway(struct netif *netif, const ip6_addr_t *dest);
const struct ip6_route_entry *ip6_get_route_table(void);
#ifdef __cplusplus
}
#endif
#endif /* LWIP_IPV6 */
#endif /* __LWIP_IP6_ROUTE_TABLE_H__ */

164
contrib/addons/netconn/external_resolve/dnssd.c Normal file
View File

@@ -0,0 +1,164 @@
/**
* @file
* DNS-SD APIs used by LWIP_HOOK_NETCONN_EXTERNAL_RESOLVE
*
* This implementation assumes the DNS-SD API implementation (most likely provided by
* mDNSResponder) is implemented in the same process space as LwIP and can directly
* invoke the callback for DNSServiceGetAddrInfo. This is the typical deployment in
* an embedded environment where as a traditional OS requires pumping the callback results
* through an IPC mechanism (see DNSServiceRefSockFD/DNSServiceProcessResult)
*
* @defgroup dnssd DNS-SD
* @ingroup dns
*/
/*
* Copyright (c) 2017 Joel Cunningham, Garmin International, Inc. <joel.cunningham@garmin.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Joel Cunningham <joel.cunningham@me.com>
*
*/
#include "lwip/opt.h"
#include "lwip/err.h"
#include "lwip/inet.h"
#include "lwip/sockets.h"
#include "lwip/sys.h"
#include "dnssd.h"
/* External headers */
#include <string.h>
#include <dns_sd.h>
/* This timeout should allow for multiple queries.
mDNSResponder has the following query timeline:
Query 1: time = 0s
Query 2: time = 1s
Query 3: time = 4s
*/
#define GETADDR_TIMEOUT_MS 5000
#define LOCAL_DOMAIN ".local"
/* Only consume .local hosts */
#ifndef CONSUME_LOCAL_ONLY
#define CONSUME_LOCAL_ONLY 1
#endif
struct addr_clbk_msg {
sys_sem_t sem;
struct sockaddr_storage addr;
err_t err;
};
static void addr_info_callback(DNSServiceRef ref, DNSServiceFlags flags, u32_t interface_index,
DNSServiceErrorType error_code, char const* hostname,
const struct sockaddr* address, u32_t ttl, void* context);
int
lwip_dnssd_gethostbyname(const char *name, ip_addr_t *addr, u8_t addrtype, err_t *err)
{
DNSServiceErrorType result;
DNSServiceRef ref;
struct addr_clbk_msg msg;
char *p;
/* @todo: use with IPv6 */
LWIP_UNUSED_ARG(addrtype);
#if CONSUME_LOCAL_ONLY
/* check if this is a .local host. If it is, then we consume the query */
p = strstr(name, LOCAL_DOMAIN);
if (p == NULL) {
return 0; /* not consumed */
}
p += (sizeof(LOCAL_DOMAIN) - 1);
/* check to make sure .local isn't a substring (only allow .local\0 or .local.\0) */
if ((*p != '.' && *p != '\0') ||
(*p == '.' && *(p + 1) != '\0')) {
return 0; /* not consumed */
}
#endif /* CONSUME_LOCAL_ONLY */
msg.err = sys_sem_new(&msg.sem, 0);
if (msg.err != ERR_OK) {
goto query_done;
}
msg.err = ERR_TIMEOUT;
result = DNSServiceGetAddrInfo(&ref, 0, 0, kDNSServiceProtocol_IPv4, name, addr_info_callback, &msg);
if (result == kDNSServiceErr_NoError) {
sys_arch_sem_wait(&msg.sem, GETADDR_TIMEOUT_MS);
DNSServiceRefDeallocate(ref);
/* We got a response */
if (msg.err == ERR_OK) {
struct sockaddr_in* addr_in = (struct sockaddr_in *)&msg.addr;
if (addr_in->sin_family == AF_INET) {
inet_addr_to_ip4addr(ip_2_ip4(addr), &addr_in->sin_addr);
} else {
/* @todo add IPv6 support */
msg.err = ERR_VAL;
}
}
}
sys_sem_free(&msg.sem);
/* Query has been consumed and is finished */
query_done:
*err = msg.err;
return 1;
}
static void
addr_info_callback(DNSServiceRef ref, DNSServiceFlags flags, u32_t interface_index,
DNSServiceErrorType error_code, char const* hostname,
const struct sockaddr* address, u32_t ttl, void* context)
{
struct addr_clbk_msg* msg = (struct addr_clbk_msg*)context;
struct sockaddr_in* addr_in = (struct sockaddr_in *)address;
LWIP_UNUSED_ARG(ref);
LWIP_UNUSED_ARG(flags);
LWIP_UNUSED_ARG(interface_index);
LWIP_UNUSED_ARG(hostname);
LWIP_UNUSED_ARG(ttl);
LWIP_UNUSED_ARG(context);
if ((error_code == kDNSServiceErr_NoError) &&
(addr_in->sin_family == AF_INET)) {
MEMCPY(&msg->addr, addr_in, sizeof(*addr_in));
msg->err = ERR_OK;
}
else {
/* @todo add IPv6 support */
msg->err = ERR_VAL;
}
sys_sem_signal(&msg->sem);
} /* addr_info_callback() */

50
contrib/addons/netconn/external_resolve/dnssd.h Normal file
View File

@@ -0,0 +1,50 @@
/**
* @file
* DNS-SD APIs used by LWIP_HOOK_NETCONN_EXTERNAL_RESOLVE
*
* @defgroup dnssd DNS-SD
* @ingroup dns
*/
/*
* Copyright (c) 2017 Joel Cunningham, Garmin International, Inc. <joel.cunningham@garmin.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* This file is part of the lwIP TCP/IP stack.
*
* Author: Joel Cunningham <joel.cunningham@me.com>
*
*/
#include "lwip/opt.h"
#ifndef LWIP_HDR_DNSSD_H
#define LWIP_HDR_DNSSD_H
#include "lwip/err.h"
#include "lwip/ip_addr.h"
int lwip_dnssd_gethostbyname(const char *name, ip_addr_t *addr, u8_t addrtype, err_t *err);
#endif /* LWIP_HDR_DNSSD_H */

182
contrib/addons/tcp_isn/tcp_isn.c Normal file
View File

@@ -0,0 +1,182 @@
/**
* @file
*
* Reference implementation of the TCP ISN algorithm standardized in RFC 6528.
* Produce TCP Initial Sequence Numbers by combining an MD5-generated hash
* based on the new TCP connection's identity and a stable secret, with the
* current time at 4-microsecond granularity.
*
* Specifically, the implementation uses MD5 to compute a hash of the input
* buffer, which contains both the four-tuple of the new TCP connection (local
* and remote IP address and port), as well as a 16-byte secret to make the
* results unpredictable to external parties. The secret must be given at
* initialization time and should ideally remain the same across system
* reboots. To be sure: the spoofing-resistance of the resulting ISN depends
* mainly on the strength of the supplied secret!
*
* The implementation takes 32 bits from the computed hash, and adds to it the
* current time, in 4-microsecond units. The current time is computed from a
* boot time given at initialization, and the current uptime as provided by
* sys_now(). Thus, it assumes that sys_now() returns a time value that is
* relative to the boot time, i.e., that it starts at 0 at system boot, and
* only ever increases monotonically.
*
* For efficiency reasons, a single MD5 input buffer is used, and partially
* filled in at initialization time. Specifically, of this 64-byte buffer, the
* first 36 bytes are used for the four-way TCP tuple data, followed by the
* 16-byte secret, followed by 12-byte zero padding. The 64-byte size of the
* buffer should achieve the best performance for the actual MD5 computation.
*
* Basic usage:
*
* 1. in your lwipopts.h, add the following lines:
*
* #include <lwip/arch.h>
* struct ip_addr;
* u32_t lwip_hook_tcp_isn(const struct ip_addr *local_ip, u16_t local_port,
* const struct ip_addr *remote_ip, u16_t remote_port);
* "#define LWIP_HOOK_TCP_ISN lwip_hook_tcp_isn";
*
* 2. from your own code, call lwip_init_tcp_isn() at initialization time, with
* appropriate parameters.
*/
/*
* Copyright (c) 2016 The MINIX 3 Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* Author: David van Moolenbroek <david@minix3.org>
*/
#include "tcp_isn.h"
#include "lwip/ip_addr.h"
#include "lwip/sys.h"
#include <string.h>
#ifdef LWIP_HOOK_TCP_ISN
/* pull in md5 of ppp? */
#include "netif/ppp/ppp_opts.h"
#if !PPP_SUPPORT || (!LWIP_USE_EXTERNAL_POLARSSL && !LWIP_USE_EXTERNAL_MBEDTLS)
#undef LWIP_INCLUDED_POLARSSL_MD5
#define LWIP_INCLUDED_POLARSSL_MD5 1
#include "netif/ppp/polarssl/md5.h"
#endif
static u8_t input[64];
static u32_t base_time;
/**
* Initialize the TCP ISN module, with the boot time and a secret.
*
* @param boot_time Wall clock boot time of the system, in seconds.
* @param secret_16_bytes A 16-byte secret used to randomize the TCP ISNs.
*/
void
lwip_init_tcp_isn(u32_t boot_time, const u8_t *secret_16_bytes)
{
/* Initialize the input buffer with the secret and trailing zeroes. */
memset(input, 0, sizeof(input));
MEMCPY(&input[36], secret_16_bytes, 16);
/* Save the boot time in 4-us units. Overflow is no problem here. */
base_time = boot_time * 250000;
}
/**
* Hook to generate an Initial Sequence Number (ISN) for a new TCP connection.
*
* @param local_ip The local IP address.
* @param local_port The local port number, in host-byte order.
* @param remote_ip The remote IP address.
* @param remote_port The remote port number, in host-byte order.
* @return The ISN to use for the new TCP connection.
*/
u32_t
lwip_hook_tcp_isn(const ip_addr_t *local_ip, u16_t local_port,
const ip_addr_t *remote_ip, u16_t remote_port)
{
md5_context ctx;
u8_t output[16];
u32_t isn;
#if LWIP_IPV4 && LWIP_IPV6
if (IP_IS_V6(local_ip))
#endif /* LWIP_IPV4 && LWIP_IPV6 */
#if LWIP_IPV6
{
const ip6_addr_t *local_ip6, *remote_ip6;
local_ip6 = ip_2_ip6(local_ip);
remote_ip6 = ip_2_ip6(remote_ip);
SMEMCPY(&input[0], &local_ip6->addr, 16);
SMEMCPY(&input[16], &remote_ip6->addr, 16);
}
#endif /* LWIP_IPV6 */
#if LWIP_IPV4 && LWIP_IPV6
else
#endif /* LWIP_IPV4 && LWIP_IPV6 */
#if LWIP_IPV4
{
const ip4_addr_t *local_ip4, *remote_ip4;
local_ip4 = ip_2_ip4(local_ip);
remote_ip4 = ip_2_ip4(remote_ip);
/* Represent IPv4 addresses as IPv4-mapped IPv6 addresses, to ensure that
* the IPv4 and IPv6 address spaces are completely disjoint. */
memset(&input[0], 0, 10);
input[10] = 0xff;
input[11] = 0xff;
SMEMCPY(&input[12], &local_ip4->addr, 4);
memset(&input[16], 0, 10);
input[26] = 0xff;
input[27] = 0xff;
SMEMCPY(&input[28], &remote_ip4->addr, 4);
}
#endif /* LWIP_IPV4 */
input[32] = (u8_t)(local_port >> 8);
input[33] = (u8_t)(local_port & 0xff);
input[34] = (u8_t)(remote_port >> 8);
input[35] = (u8_t)(remote_port & 0xff);
/* The secret and padding are already filled in. */
/* Generate the hash, using MD5. */
md5_starts(&ctx);
md5_update(&ctx, input, sizeof(input));
md5_finish(&ctx, output);
/* Arbitrarily take the first 32 bits from the generated hash. */
MEMCPY(&isn, output, sizeof(isn));
/* Add the current time in 4-microsecond units. */
return isn + base_time + sys_now() * 250;
}
#endif /* LWIP_HOOK_TCP_ISN */

48
contrib/addons/tcp_isn/tcp_isn.h Normal file
View File

@@ -0,0 +1,48 @@
/*
* Copyright (c) 2016 The MINIX 3 Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* Author: David van Moolenbroek <david@minix3.org>
*/
#ifndef LWIP_HDR_CONTRIB_ADDONS_TCP_ISN_H
#define LWIP_HDR_CONTRIB_ADDONS_TCP_ISN_H
#include "lwip/opt.h"
#include "lwip/ip_addr.h"
#ifdef __cplusplus
extern "C" {
#endif
void lwip_init_tcp_isn(u32_t boot_time, const u8_t *secret_16_bytes);
u32_t lwip_hook_tcp_isn(const ip_addr_t *local_ip, u16_t local_port,
const ip_addr_t *remote_ip, u16_t remote_port);
#ifdef __cplusplus
}
#endif
#endif /* LWIP_HDR_CONTRIB_ADDONS_TCP_ISN_H */

27
contrib/addons/tcp_md5/README Normal file
View File

@@ -0,0 +1,27 @@
This folder provides an example implementation of how to add custom tcp header
options and custom socket options.
It does this by implementing the (seldom used) tcp md5 signature.
To enable it, add an LWIP_HOOK_FILENAME hook file, include tcp_md5.h in it and
define these hooks:
#define LWIP_HOOK_TCP_INPACKET_PCB(pcb, hdr, optlen, opt1len, opt2, p) tcp_md5_check_inpacket(pcb, hdr, optlen, opt1len, opt2, p)
#define LWIP_HOOK_TCP_OPT_LENGTH_SEGMENT(pcb, internal_len) tcp_md5_get_additional_option_length(pcb, internal_len)
#define LWIP_HOOK_TCP_ADD_TX_OPTIONS(p, hdr, pcb, opts) tcp_md5_add_tx_options(p, hdr, pcb, opts)
#define LWIP_HOOK_SOCKETS_SETSOCKOPT(s, sock, level, optname, optval, optlen, err) tcp_md5_setsockopt_hook(sock, level, optname, optval, optlen, err)
Then, in your sockets application, enable md5 signature on a socket like this:
struct tcp_md5sig md5;
struct sockaddr_storage addr_remote; /* Initialize this to remote address and port */
memcpy(&md5.tcpm_addr, &addr_remote, sizeof(addr_remote));
strcpy(md5.tcpm_key, key); /* this is the md5 key per connection */
md5.tcpm_keylen = strlen(key);
if ((ret = setsockopt(sockfd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5))) < 0) {
perror("setsockopt TCP_MD5SIG");
return;
}
After that, your connection (client) or all incoming connections (server) require
tcp md5 signatures.

534
contrib/addons/tcp_md5/tcp_md5.c Normal file
View File

@@ -0,0 +1,534 @@
/**
* @file: An implementation of TCP MD5 signatures by using various hooks in
* lwIP to implement custom tcp options and custom socket options.
*/
/*
* Copyright (c) 2018 Simon Goldschmidt
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* Author: Simon Goldschmidt <goldsimon@gmx.de>
*/
#include "tcp_md5.h"
#include "lwip/ip_addr.h"
#include "lwip/sys.h"
#include "lwip/prot/tcp.h"
#include "lwip/priv/tcp_priv.h"
#include "lwip/sockets.h"
#include "lwip/priv/sockets_priv.h"
#include "lwip/api.h"
#include <string.h>
/* pull in md5 of ppp? */
#include "netif/ppp/ppp_opts.h"
#if !PPP_SUPPORT || (!LWIP_USE_EXTERNAL_POLARSSL && !LWIP_USE_EXTERNAL_MBEDTLS)
#undef LWIP_INCLUDED_POLARSSL_MD5
#define LWIP_INCLUDED_POLARSSL_MD5 1
#include "netif/ppp/polarssl/md5.h"
#endif
#if !LWIP_TCP_PCB_NUM_EXT_ARGS
#error tcp_md5 needs LWIP_TCP_PCB_NUM_EXT_ARGS
#endif
#define LWIP_TCP_OPT_MD5 19 /* number of the md5 option */
#define LWIP_TCP_OPT_LEN_MD5 18 /* length of the md5 option */
#define LWIP_TCP_OPT_LEN_MD5_OUT 20 /* 18 + alignment */
#define LWIP_TCP_MD5_DIGEST_LEN 16
/* This keeps the md5 state internally */
struct tcp_md5_conn_info {
struct tcp_md5_conn_info *next;
ip_addr_t remote_addr;
u16_t remote_port;
u8_t key[TCP_MD5SIG_MAXKEYLEN];
u16_t key_len;
};
/* Callback function prototypes: */
static void tcp_md5_extarg_destroy(u8_t id, void *data);
static err_t tcp_md5_extarg_passive_open(u8_t id, struct tcp_pcb_listen *lpcb, struct tcp_pcb *cpcb);
/* Define our tcp ext arg callback structure: */
const struct tcp_ext_arg_callbacks tcp_md5_ext_arg_callbacks = {
tcp_md5_extarg_destroy,
tcp_md5_extarg_passive_open
};
static u8_t tcp_md5_extarg_id = LWIP_TCP_PCB_NUM_EXT_ARG_ID_INVALID;
static u8_t tcp_md5_opts_buf[40];
/** Initialize this module (allocates a tcp ext arg id) */
void
tcp_md5_init(void)
{
tcp_md5_extarg_id = tcp_ext_arg_alloc_id();
}
/* Create a conn-info structure that holds the md5 state per connection */
static struct tcp_md5_conn_info *
tcp_md5_conn_info_alloc(void)
{
return (struct tcp_md5_conn_info *)mem_malloc(sizeof(struct tcp_md5_conn_info));
}
/* Frees a conn-info structure that holds the md5 state per connection */
static void
tcp_md5_conn_info_free(struct tcp_md5_conn_info *info)
{
mem_free(info);
}
/* A pcb is about to be destroyed. Free its extdata */
static void
tcp_md5_extarg_destroy(u8_t id, void *data)
{
struct tcp_md5_conn_info *iter;
LWIP_ASSERT("tcp_md5_extarg_id != LWIP_TCP_PCB_NUM_EXT_ARG_ID_INVALID",
tcp_md5_extarg_id != LWIP_TCP_PCB_NUM_EXT_ARG_ID_INVALID);
LWIP_ASSERT("id == tcp_md5_extarg_id", id == tcp_md5_extarg_id);
LWIP_UNUSED_ARG(id);
iter = (struct tcp_md5_conn_info *)data;
while (iter != NULL) {
struct tcp_md5_conn_info *info = iter;
iter = iter->next;
tcp_md5_conn_info_free(info);
}
}
/* Try to find an md5 connection info for the specified remote connection */
static struct tcp_md5_conn_info *
tcp_md5_get_info(const struct tcp_pcb *pcb, const ip_addr_t *remote_ip, u16_t remote_port)
{
if (pcb != NULL) {
struct tcp_md5_conn_info *info = (struct tcp_md5_conn_info *)tcp_ext_arg_get(pcb, tcp_md5_extarg_id);
while (info != NULL) {
if (ip_addr_cmp(&info->remote_addr, remote_ip)) {
if (info->remote_port == remote_port) {
return info;
}
}
info = info->next;
}
}
return NULL;
}
/* Passive open: copy md5 connection info from listen pcb to connection pcb
* or return error (connection will be closed)
*/
static err_t
tcp_md5_extarg_passive_open(u8_t id, struct tcp_pcb_listen *lpcb, struct tcp_pcb *cpcb)
{
struct tcp_md5_conn_info *iter;
LWIP_ASSERT("lpcb != NULL", lpcb != NULL);
LWIP_ASSERT("cpcb != NULL", cpcb != NULL);
LWIP_ASSERT("tcp_md5_extarg_id != LWIP_TCP_PCB_NUM_EXT_ARG_ID_INVALID",
tcp_md5_extarg_id != LWIP_TCP_PCB_NUM_EXT_ARG_ID_INVALID);
LWIP_ASSERT("id == tcp_md5_extarg_id", id == tcp_md5_extarg_id);
LWIP_UNUSED_ARG(id);
iter = (struct tcp_md5_conn_info *)tcp_ext_arg_get((struct tcp_pcb *)lpcb, id);
while (iter != NULL) {
if (iter->remote_port == cpcb->remote_port) {
if (ip_addr_cmp(&iter->remote_addr, &cpcb->remote_ip)) {
struct tcp_md5_conn_info *info = tcp_md5_conn_info_alloc();
if (info != NULL) {
memcpy(info, iter, sizeof(struct tcp_md5_conn_info));
tcp_ext_arg_set(cpcb, id, info);
tcp_ext_arg_set_callbacks(cpcb, id, &tcp_md5_ext_arg_callbacks);
return ERR_OK;
} else {
return ERR_MEM;
}
}
}
iter = iter->next;
}
/* remote connection not found */
return ERR_VAL;
}
/* Parse tcp header options and return 1 if an md5 signature option was found */
static int
tcp_md5_parseopt(const u8_t *opts, u16_t optlen, u8_t *md5_digest_out)
{
u8_t data;
u16_t optidx;
/* Parse the TCP MSS option, if present. */
if (optlen != 0) {
for (optidx = 0; optidx < optlen; ) {
u8_t opt = opts[optidx++];
switch (opt) {
case LWIP_TCP_OPT_EOL:
/* End of options. */
LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: EOL\n"));
return 0;
case LWIP_TCP_OPT_NOP:
/* NOP option. */
LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: NOP\n"));
break;
case LWIP_TCP_OPT_MD5:
LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: MD5\n"));
if (opts[optidx++] != LWIP_TCP_OPT_LEN_MD5 || (optidx - 2 + LWIP_TCP_OPT_LEN_MD5) > optlen) {
/* Bad length */
LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: bad length\n"));
return 0;
}
/* An MD5 option with the right option length. */
memcpy(md5_digest_out, &opts[optidx], LWIP_TCP_MD5_DIGEST_LEN);
/* no need to process the options further */
return 1;
break;
default:
LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: other\n"));
data = opts[optidx++];
if (data < 2) {
LWIP_DEBUGF(TCP_INPUT_DEBUG, ("tcp_parseopt: bad length\n"));
/* If the length field is zero, the options are malformed
and we don't process them further. */
return 0;
}
/* All other options have a length field, so that we easily
can skip past them. */
optidx += data - 2;
}
}
}
return 0;
}
/* Get tcp options into contiguous memory. May be required if input pbufs
* are chained.
*/
static const u8_t*
tcp_md5_options_singlebuf(struct tcp_hdr *hdr, u16_t optlen, u16_t opt1len, u8_t *opt2)
{
const u8_t *opts;
LWIP_ASSERT("hdr != NULL", hdr != NULL);
LWIP_ASSERT("optlen >= opt1len", optlen >= opt1len);
opts = (const u8_t *)hdr + TCP_HLEN;
if (optlen == opt1len) {
/* arleady in one piece */
return opts;
}
if (optlen > sizeof(tcp_md5_opts_buf)) {
/* options too long */
return NULL;
}
LWIP_ASSERT("opt2 != NULL", opt2 != NULL);
/* copy first part */
memcpy(tcp_md5_opts_buf, opts, opt1len);
/* copy second part */
memcpy(&tcp_md5_opts_buf[opt1len], opt2, optlen - opt1len);
return tcp_md5_opts_buf;
}
/* Create the md5 digest for a given segment */
static int
tcp_md5_create_digest(const ip_addr_t *ip_src, const ip_addr_t *ip_dst, const struct tcp_hdr *hdr,
const u8_t *key, size_t key_len, u8_t *digest_out, struct pbuf *p)
{
md5_context ctx;
u8_t tmp8;
u16_t tmp16;
const size_t addr_len = IP_ADDR_RAW_SIZE(*ip_src);
if (p != NULL) {
LWIP_ASSERT("pbuf must not point to tcp header here!", (const void *)hdr != p->payload);
}
/* Generate the hash, using MD5. */
md5_starts(&ctx);
/* 1. the TCP pseudo-header (in the order: source IP address,
destination IP address, zero-padded protocol number, and
segment length) */
md5_update(&ctx, (const unsigned char*)ip_src, addr_len);
md5_update(&ctx, (const unsigned char*)ip_dst, addr_len);
tmp8 = 0; /* zero-padded */
md5_update(&ctx, &tmp8, 1);
tmp8 = IP_PROTO_TCP;
md5_update(&ctx, &tmp8, 1);
tmp16 = lwip_htons(TCPH_HDRLEN_BYTES(hdr) + (p ? p->tot_len : 0));
md5_update(&ctx, (const unsigned char*)&tmp16, 2);
/* 2. the TCP header, excluding options, and assuming a checksum of
zero */
md5_update(&ctx, (const unsigned char*)hdr, sizeof(struct tcp_hdr));
/* 3. the TCP segment data (if any) */
if ((p != NULL) && (p->tot_len != 0)) {
struct pbuf *q;
for (q = p; q != NULL; q = q->next) {
md5_update(&ctx, (const unsigned char*)q->payload, q->len);
}
}
/* 4. an independently-specified key or password, known to both TCPs
and presumably connection-specific */
md5_update(&ctx, key, key_len);
md5_finish(&ctx, digest_out);
return 1;
}
/* Duplicate a tcp header and make sure the fields are in network byte order */
static void
tcp_md5_dup_tcphdr(struct tcp_hdr *tcphdr_copy, const struct tcp_hdr *tcphdr_in, int tcphdr_in_is_host_order)
{
memcpy(tcphdr_copy, tcphdr_in, sizeof(struct tcp_hdr));
tcphdr_copy->chksum = 0; /* checksum is zero for the pseudo header */
if (tcphdr_in_is_host_order) {
/* lwIP writes the TCP header values back to the buffer, we need to invert that here: */
tcphdr_copy->src = lwip_htons(tcphdr_copy->src);
tcphdr_copy->dest = lwip_htons(tcphdr_copy->dest);
tcphdr_copy->seqno = lwip_htonl(tcphdr_copy->seqno);
tcphdr_copy->ackno = lwip_htonl(tcphdr_copy->ackno);
tcphdr_copy->wnd = lwip_htons(tcphdr_copy->wnd);
tcphdr_copy->urgp = lwip_htons(tcphdr_copy->urgp);
}
}
/* Check if md5 is enabled on a given pcb */
static int
tcp_md5_is_enabled_on_pcb(const struct tcp_pcb *pcb)
{
if (tcp_md5_extarg_id != LWIP_TCP_PCB_NUM_EXT_ARG_ID_INVALID) {
struct tcp_md5_conn_info *info = (struct tcp_md5_conn_info *)tcp_ext_arg_get(pcb, tcp_md5_extarg_id);
if (info != NULL) {
return 1;
}
}
return 0;
}
/* Check if md5 is enabled on a given listen pcb */
static int
tcp_md5_is_enabled_on_lpcb(const struct tcp_pcb_listen *lpcb)
{
/* same as for connection pcbs */
return tcp_md5_is_enabled_on_pcb((const struct tcp_pcb *)lpcb);
}
/* Hook implementation for LWIP_HOOK_TCP_OPT_LENGTH_SEGMENT */
u8_t
tcp_md5_get_additional_option_length(const struct tcp_pcb *pcb, u8_t internal_option_length)
{
if ((pcb != NULL) && tcp_md5_is_enabled_on_pcb(pcb)) {
u8_t new_option_length = internal_option_length + LWIP_TCP_OPT_LEN_MD5_OUT;
LWIP_ASSERT("overflow", new_option_length > internal_option_length);
LWIP_ASSERT("options too long", new_option_length <= TCP_MAX_OPTION_BYTES);
return new_option_length;
}
return internal_option_length;
}
/* Hook implementation for LWIP_HOOK_TCP_INPACKET_PCB when called for listen pcbs */
static err_t
tcp_md5_check_listen(struct tcp_pcb_listen* lpcb, struct tcp_hdr *hdr, u16_t optlen, u16_t opt1len, u8_t *opt2)
{
LWIP_ASSERT("lpcb != NULL", lpcb != NULL);
if (tcp_md5_is_enabled_on_lpcb(lpcb)) {
const u8_t *opts;
u8_t digest_received[LWIP_TCP_MD5_DIGEST_LEN];
u8_t digest_calculated[LWIP_TCP_MD5_DIGEST_LEN];
const struct tcp_md5_conn_info *info = tcp_md5_get_info((struct tcp_pcb *)lpcb, ip_current_src_addr(), hdr->src);
if (info != NULL) {
opts = tcp_md5_options_singlebuf(hdr, optlen, opt1len, opt2);
if (opts != NULL) {
if (tcp_md5_parseopt(opts, optlen, digest_received)) {
struct tcp_hdr tcphdr_copy;
tcp_md5_dup_tcphdr(&tcphdr_copy, hdr, 1);
if (tcp_md5_create_digest(ip_current_src_addr(), ip_current_dest_addr(), &tcphdr_copy, info->key, info->key_len, digest_calculated, NULL)) {
/* everything set up, compare the digests */
if (!memcmp(digest_received, digest_calculated, LWIP_TCP_MD5_DIGEST_LEN)) {
/* equal */
return ERR_OK;
}
/* not equal */
}
}
}
}
/* md5 enabled on this pcb but no match or other error -> fail */
return ERR_VAL;
}
return ERR_OK;
}
/* Hook implementation for LWIP_HOOK_TCP_INPACKET_PCB */
err_t
tcp_md5_check_inpacket(struct tcp_pcb* pcb, struct tcp_hdr *hdr, u16_t optlen, u16_t opt1len, u8_t *opt2, struct pbuf *p)
{
LWIP_ASSERT("pcb != NULL", pcb != NULL);
if (pcb->state == LISTEN) {
return tcp_md5_check_listen((struct tcp_pcb_listen *)pcb, hdr, optlen, opt1len, opt2);
}
if (tcp_md5_is_enabled_on_pcb(pcb)) {
const struct tcp_md5_conn_info *info = tcp_md5_get_info(pcb, ip_current_src_addr(), hdr->src);
if (info != NULL) {
const u8_t *opts;
u8_t digest_received[LWIP_TCP_MD5_DIGEST_LEN];
u8_t digest_calculated[LWIP_TCP_MD5_DIGEST_LEN];
opts = tcp_md5_options_singlebuf(hdr, optlen, opt1len, opt2);
if (opts != NULL) {
if (tcp_md5_parseopt(opts, optlen, digest_received)) {
struct tcp_hdr hdr_copy;
tcp_md5_dup_tcphdr(&hdr_copy, hdr, 1);
if (tcp_md5_create_digest(&pcb->remote_ip, &pcb->local_ip, &hdr_copy, info->key, info->key_len, digest_calculated, p)) {
/* everything set up, compare the digests */
if (!memcmp(digest_received, digest_calculated, LWIP_TCP_MD5_DIGEST_LEN)) {
/* equal */
return ERR_OK;
}
/* not equal */
}
}
}
}
/* md5 enabled on this pcb but no match or other error -> fail */
return ERR_VAL;
}
return ERR_OK;
}
/* Hook implementation for LWIP_HOOK_TCP_ADD_TX_OPTIONS */
u32_t *
tcp_md5_add_tx_options(struct pbuf *p, struct tcp_hdr *hdr, const struct tcp_pcb *pcb, u32_t *opts)
{
LWIP_ASSERT("p != NULL", p != NULL);
LWIP_ASSERT("hdr != NULL", hdr != NULL);
LWIP_ASSERT("pcb != NULL", pcb != NULL);
LWIP_ASSERT("opts != NULL", opts != NULL);
if (tcp_md5_is_enabled_on_pcb(pcb)) {
u8_t digest_calculated[LWIP_TCP_MD5_DIGEST_LEN];
u32_t *opts_ret = opts + 5; /* we use 20 bytes: 2 bytes padding + 18 bytes for this option */
u8_t *ptr = (u8_t*)opts;
const struct tcp_md5_conn_info *info = tcp_md5_get_info(pcb, &pcb->remote_ip, pcb->remote_port);
if (info != NULL) {
struct tcp_hdr hdr_copy;
size_t hdrsize = TCPH_HDRLEN_BYTES(hdr);
tcp_md5_dup_tcphdr(&hdr_copy, hdr, 0);
/* p->payload points to the tcp header */
LWIP_ASSERT("p->payload == hdr", p->payload == hdr);
if (!pbuf_remove_header(p, hdrsize)) {
u8_t ret;
if (!tcp_md5_create_digest(&pcb->local_ip, &pcb->remote_ip, &hdr_copy, info->key, info->key_len, digest_calculated, p)) {
info = NULL;
}
ret = pbuf_add_header_force(p, hdrsize);
LWIP_ASSERT("tcp_md5_add_tx_options: pbuf_add_header_force failed", !ret);
LWIP_UNUSED_ARG(ret);
} else {
LWIP_ASSERT("error", 0);
}
}
if (info == NULL) {
/* create an invalid signature by zeroing the digest */
memset(&digest_calculated, 0, sizeof(digest_calculated));
}
*ptr++ = LWIP_TCP_OPT_NOP;
*ptr++ = LWIP_TCP_OPT_NOP;
*ptr++ = LWIP_TCP_OPT_MD5;
*ptr++ = LWIP_TCP_OPT_LEN_MD5;
memcpy(ptr, digest_calculated, LWIP_TCP_MD5_DIGEST_LEN);
ptr += LWIP_TCP_MD5_DIGEST_LEN;
LWIP_ASSERT("ptr == opts_ret", ptr == (u8_t *)opts_ret);
return opts_ret;
}
return opts;
}
/* Hook implementation for LWIP_HOOK_SOCKETS_SETSOCKOPT */
int
tcp_md5_setsockopt_hook(struct lwip_sock *sock, int level, int optname, const void *optval, socklen_t optlen, int *err)
{
LWIP_ASSERT("sock != NULL", sock != NULL);
LWIP_ASSERT("err != NULL", err != NULL);
if ((level == IPPROTO_TCP) && (optname == TCP_MD5SIG)) {
const struct tcp_md5sig *md5 = (const struct tcp_md5sig*)optval;
if ((optval == NULL) || (optlen < sizeof(struct tcp_md5sig))) {
*err = EINVAL;
} else {
if (sock->conn && (NETCONNTYPE_GROUP(netconn_type(sock->conn)) == NETCONN_TCP) && (sock->conn->pcb.tcp != NULL)) {
if (tcp_md5_extarg_id == LWIP_TCP_PCB_NUM_EXT_ARG_ID_INVALID) {
/* not initialized */
*err = EINVAL;
} else {
struct tcp_md5_conn_info *info = tcp_md5_conn_info_alloc();
if (info == NULL) {
*err = ENOMEM;
} else {
int addr_valid = 0;
/* OK, fill and link this request */
memcpy(info->key, md5->tcpm_key, TCP_MD5SIG_MAXKEYLEN);
info->key_len = md5->tcpm_keylen;
memset(&info->remote_addr, 0, sizeof(info->remote_addr));
if (md5->tcpm_addr.ss_family == AF_INET) {
#if LWIP_IPV4
const struct sockaddr_in *sin = (const struct sockaddr_in *)&md5->tcpm_addr;
memcpy(&info->remote_addr, &sin->sin_addr, sizeof(sin->sin_addr));
IP_SET_TYPE_VAL(info->remote_addr, IPADDR_TYPE_V4);
info->remote_port = lwip_htons(sin->sin_port);
addr_valid = 1;
#endif /* LWIP_IPV4 */
} else if (md5->tcpm_addr.ss_family == AF_INET6) {
#if LWIP_IPV6
const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)&md5->tcpm_addr;
memcpy(&info->remote_addr, &sin6->sin6_addr, sizeof(sin6->sin6_addr));
IP_SET_TYPE_VAL(info->remote_addr, IPADDR_TYPE_V6);
info->remote_port = lwip_htons(sin6->sin6_port);
addr_valid = 1;
#endif /* LWIP_IPV6 */
}
if (addr_valid) {
/* store it */
tcp_ext_arg_set_callbacks(sock->conn->pcb.tcp, tcp_md5_extarg_id, &tcp_md5_ext_arg_callbacks);
info->next = (struct tcp_md5_conn_info *)tcp_ext_arg_get(sock->conn->pcb.tcp, tcp_md5_extarg_id);
tcp_ext_arg_set(sock->conn->pcb.tcp, tcp_md5_extarg_id, info);
} else {
*err = EINVAL;
tcp_md5_conn_info_free(info);
}
}
}
} else {
/* not a tcp netconn */
*err = EINVAL;
}
}
return 1;
}
return 0;
}

84
contrib/addons/tcp_md5/tcp_md5.h Normal file
View File

@@ -0,0 +1,84 @@
/*
* Copyright (c) 2018 Simon Goldschmidt
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
* SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
* OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
* OF SUCH DAMAGE.
*
* Author: Simon Goldschmidt <goldsimon@gmx.de>
*
* To use the hooks in this file, make sure this file is included in LWIP_HOOK_FILENAME
* and define these hooks:
*
* #define LWIP_HOOK_TCP_INPACKET_PCB(pcb, hdr, optlen, opt1len, opt2, p) tcp_md5_check_inpacket(pcb, hdr, optlen, opt1len, opt2, p)
* #define LWIP_HOOK_TCP_OPT_LENGTH_SEGMENT(pcb, internal_len) tcp_md5_get_additional_option_length(pcb, internal_len)
* #define LWIP_HOOK_TCP_ADD_TX_OPTIONS(p, hdr, pcb, opts) tcp_md5_add_tx_options(p, hdr, pcb, opts)
*
* #define LWIP_HOOK_SOCKETS_SETSOCKOPT(s, sock, level, optname, optval, optlen, err) tcp_md5_setsockopt_hook(sock, level, optname, optval, optlen, err)
*/
#ifndef LWIP_HDR_CONTRIB_ADDONS_TCP_MD5_H
#define LWIP_HDR_CONTRIB_ADDONS_TCP_MD5_H
#include "lwip/opt.h"
#include "lwip/ip_addr.h"
#include "lwip/err.h"
#include "lwip/priv/sockets_priv.h"
#include "lwip/priv/tcp_priv.h"
#ifdef __cplusplus
extern "C" {
#endif
/* setsockopt definitions and structs: */
/* This is the optname (for level = IPPROTO_TCP) */
#ifndef TCP_MD5SIG
#define TCP_MD5SIG 14
#endif
#define TCP_MD5SIG_MAXKEYLEN 80
/* This is the optval type */
struct tcp_md5sig {
struct sockaddr_storage tcpm_addr;
u16_t __tcpm_pad1;
u16_t tcpm_keylen;
u32_t __tcpm_pad2;
u8_t tcpm_key[TCP_MD5SIG_MAXKEYLEN];
};
/* socket setsockopt hook: */
int tcp_md5_setsockopt_hook(struct lwip_sock *sock, int level, int optname, const void *optval, u32_t optlen, int *err);
/* Internal hook functions */
void tcp_md5_init(void);
err_t tcp_md5_check_inpacket(struct tcp_pcb* pcb, struct tcp_hdr *hdr, u16_t optlen, u16_t opt1len, u8_t *opt2, struct pbuf *p);
u8_t tcp_md5_get_additional_option_length(const struct tcp_pcb *pcb, u8_t internal_option_length);
u32_t *tcp_md5_add_tx_options(struct pbuf *p, struct tcp_hdr *hdr, const struct tcp_pcb *pcb, u32_t *opts);
#ifdef __cplusplus
}
#endif
#endif /* LWIP_HDR_CONTRIB_ADDONS_TCP_MD5_H */