Commit Graph

697 Commits

Author SHA1 Message Date
Nicholas J. Kain
99ce918a31 Use a coroutine instead of several callback state machines.
This change makes it much easier to reason about ndhc's behavior
and properly handle errors.

It is a very large changeset, but there is no way to make this
sort of change incrementally.  Lease acquisition is tested to
work.

It is highly likely that some bugs were both introduced and
squashed here.  Some obvious code cleanups will quickly follow.
2015-02-18 05:31:13 -05:00
Nicholas J. Kain
37aa866ae4 Move action dispatch out of main epoll loop. 2015-02-15 06:48:49 -05:00
Nicholas J. Kain
61387408d0 Separate event state gathering from action dispatch in main epoll loop.
This is the first step towards using coroutines.
2015-02-15 06:38:03 -05:00
Nicholas J. Kain
658d2954b8 Reduce log spam. 2015-02-15 02:58:51 -05:00
Nicholas J. Kain
e874373dcd Check link carrier via ifch and netlink instead of ioctl.
Thus, ioctl can once again be removed from the ndhc seccomp whitelist.
2015-02-15 02:50:29 -05:00
Nicholas J. Kain
6c9ca9eecd If ifchd commands fail, propagate the failure back to ndhc. 2015-02-15 02:29:37 -05:00
Nicholas J. Kain
33aa5b13de Recommend using a process supervisor for high reliability in README. 2015-02-14 20:50:46 -05:00
Nicholas J. Kain
5b82be8b00 If ifchd interactions fail, terminate.
Ideally we would pause and resume state, but for now just bail out.
If ndhc is process-supervised, it will recover to the proper state
quickly.
2015-02-14 20:47:14 -05:00
Nicholas J. Kain
170f87c0e7 Propagate returns through ifchange_(deconfig|bind).
While doing so remove unnecessary argument null checks and
make sure not to alter the stored interface state if the
ifch requests failed.
2015-02-14 19:10:23 -05:00
Nicholas J. Kain
44175bd77c Make ifch requests synchronous just like sockd requests.
This change paves the way for allowing ifch to notify the core ndhc
about failures.  It would be far too difficult to reason about the
state machine if the requests to ifch were asynchronous.

Currently ndhc assumes that ifch requests never fail, but this
is not always true because of eg, rfkill.
2015-02-14 16:49:50 -05:00
Nicholas J. Kain
61a48b0fb6 Fix the rfkill waiting. 2015-02-14 15:33:02 -05:00
Nicholas J. Kain
56cc05599a Add error handling for un-notified carrier downs in ifup_action. 2015-02-14 05:39:15 -05:00
Nicholas J. Kain
b6b778831c Add error handling for un-notified carrier downs when sending packets.
If a packet send failed because the carrier went down without a
netlink notification, then assume the hardware carrier was lost while
the machine was suspended (eg, ethernet cable pulled during suspend).

Simulate a netlink carrier down event and freeze the dhcp state
machine until a netlink carrier up event is received.

The ARP code is not yet handling this issue everywhere, but the
window of opportunity for it to happen there is much shorter.
2015-02-14 05:20:04 -05:00
Nicholas J. Kain
d0d8bcf3ff options.[ch] must still be valid C++11 because it is used in ndhs.
That means the [static 1] arg specifier cannot be used.
2015-02-14 02:14:30 -05:00
Nicholas J. Kain
00c9479c4c Mark more pointer arguments as never being null. 2015-02-14 01:46:02 -05:00
Nicholas J. Kain
0535b36534 dhcp.c: Make init_packet() not return a struct.
Just work via a pointer to not rely on the compiler being intelligent
and inlining.
2015-02-14 01:41:52 -05:00
Nicholas J. Kain
70c750f50c get_raw_packet: The read length check is stricter than necessary.
Allow reads with excess data beyond the packet to succeed if the
packet is still well-formed.
2015-02-14 01:40:06 -05:00
Nicholas J. Kain
a7cb063f0c state.c: cosmetic cleanups and a constification 2015-02-14 00:44:21 -05:00
Nicholas J. Kain
04840c261d Fix some c99 struct initializer uninitialized member warnings
that clang detects and GCC misses.
2015-02-13 23:25:42 -05:00
Nicholas J. Kain
702d8b0c5b Mark pointer arguments that cannot ever be null as [static 1].
Also constify some cases, too.
2015-02-13 23:14:08 -05:00
Nicholas J. Kain
cc806acc0b Indicate that client_state_t and client_config_t pointer args
cannot ever be null.

Could possibly improve code generation, and makes the intention clear.
2015-02-13 22:29:03 -05:00
Nicholas J. Kain
b6554c2931 Quiet the 'UDP length [] does not match header length' message.
It is triggered frequently when discarding invalid packets that were
received on the DHCP port and it seems to have little significance.
2015-02-13 21:56:34 -05:00
Nicholas J. Kain
b4b6ed8fd5 Check for carrier before sendto() or write() on interface fd.
Linux will quietly proceed as if the data were sent even if the carrier
is down and nothing actually happened.  There is still a tiny race
condition where the carrier could drop between the check and the actual
write, but we really can't do anything about that and it is a very
small race.
2015-02-13 21:53:15 -05:00
Nicholas J. Kain
911d4cc58e Fix the dhcp state bootstrapping when rfkill is set #3. 2015-02-13 19:08:50 -05:00
Nicholas J. Kain
2e679ed491 Fix the dhcp state bootstrapping when rfkill is set #2. 2015-02-13 18:35:44 -05:00
Nicholas J. Kain
a8af406307 Fix the dhcp state bootstrapping when rfkill is set. 2015-02-13 18:07:14 -05:00
Nicholas J. Kain
79a97131bc Handle the case where the rfkill is set when ndhc is initializing. 2015-02-13 17:50:24 -05:00
Nicholas J. Kain
5b050ba498 If the rfkill switch is enabled, do not react to netlink notifications
until the rfkill is disabled.  They will mostly fail outright.
2015-02-13 17:20:36 -05:00
Nicholas J. Kain
cf81573082 Fix a dumb typo in the previous commit. 2015-02-13 16:56:56 -05:00
Nicholas J. Kain
e3d4d4c1aa rfkill: Add support for reacting to radio kill switch events.
In order for this to work, the correct rfkill index must be specified
with the rfkill-idx option.

It might be possible to auto-detect the corresponding rfkill-idx option,
but I'm not sure if there's a guaranteed mapping between rfkill name and
interface name, as it seems that rfkills should represent phy devices
and not wlan devices.

The rfkill indexes can be found by checking
/sys/class/rfkill/rfkill<IDX>.
2015-02-13 16:25:36 -05:00
Nicholas J. Kain
3421f0c585 CMAKE_CROSSCOMPILE should be CMAKE_CROSSCOMPILING. 2015-02-13 05:12:55 -05:00
Nicholas J. Kain
c58a071f52 Update copyright dates. 2015-02-13 01:54:57 -05:00
Nicholas J. Kain
7cb5506487 Spelling correction in README. 2015-02-13 01:48:00 -05:00
Nicholas J. Kain
27c9e2c553 Improve fingerprinting to support DHCP relay agents.
Mostly reverts the previous commit and instead teaches ndhc to properly
handle the case when it is communicating with a DHCP relay agent on
its local segment rather than directly with a DHCP server.
2015-02-12 23:28:54 -05:00
Nicholas J. Kain
a395234a67 Support networks with relay agents that have the DHCP server on a
different segment.

The network fingerprinting would never complete if the DHCP server was
on a different segment before this change, since it would be impossible
for the ARP messages sent by ndhc to ever reach the DHCP server
(and vice-versa).

Now just give up trying to find the hardware address after two tries
and assume that the DHCP server cannot be reached by ARP.

An alternative would be to fingerprint the relay agent instead, but
to do so would require a lot more work as the giaddr field is only
meaningful in the client->server message path, not in the
server->client path.  Thus it would require gathering the source IP
for DHCP replies sent by unicast or broadcast and ferrying along
this information to the ARP checking code where it would be used
in place of the DHCP server address.

This is entirely possible to do, but is quite a bit more work.
2015-02-12 20:49:40 -05:00
Nicholas J. Kain
03fc696267 Update the man page and correct some formatting errors. 2015-02-12 19:03:09 -05:00
Nicholas J. Kain
9d8d653877 CMake: Do not try to test for the glibc version when cross-compiling. 2015-02-12 18:46:44 -05:00
Nicholas J. Kain
b792162113 Add CROSSCOMPILE_MACHINENAME environment variable for CMake that
will allow the host machine type detection to be skipped and
the target MACHINENAME to be manually defined.
2015-02-12 13:35:50 -05:00
Nicholas J. Kain
8e4ea0be72 CMake: Only add -lrt link dependency if glibc is detected. 2015-02-12 13:05:30 -05:00
Nicholas J. Kain
6f6aad211e Documentation update. 2015-01-10 18:34:51 -05:00
Nicholas J. Kain
9f87bd8b30 udp_checksum(): Clamp the value of the UDP packet header length.
Without this change, it is possible for malicious UDP packets to
make the function read past the end of a buffer.

If this was ever a possibility in ndhc, the previous commit fixed
that issue, but there is no reason for udp_checksum() to have
such a subtle precondition to proper use.  This change also makes
it easier to audit correctness.
2015-01-06 07:07:08 -05:00
Nicholas J. Kain
6548b5ce54 get_raw_packet(): Perform the UDP checksum after the packet length
checks.

This change makes it easier to verify that there can be no reads
beyond a buffer end by udp_checksum().
2015-01-06 04:32:58 -05:00
Nicholas J. Kain
c8dcf5a06b Make sure that received DHCP packets have a valid options end marker. 2015-01-06 04:02:52 -05:00
Nicholas J. Kain
94c107d465 Make sure all sockets are set NONBLOCK so that writes do not block. 2014-08-19 11:09:59 -04:00
Nicholas J. Kain
12114c9bae Add more explicit length checks for get_raw_packet. 2014-07-25 20:34:01 -04:00
Nicholas J. Kain
2518e0a2bc Use SO_LOCK_FILTER to ensure that BPF filters cannot be removed once attached.
This facility was added to Linux in early 2013.  If it is not available,
the BPF will still be installed, but redundant checks will be performed
to guard against the BPF possibly being removed by an attacker.
2014-06-13 22:37:37 -04:00
Nicholas J. Kain
56e30a0923 Fix the return value for nlmsg_get_error(). 2014-06-13 22:35:57 -04:00
Nicholas J. Kain
ae03b6dd8f Move the ip checksum code out to ncmlib. 2014-06-08 20:34:34 -04:00
Nicholas J. Kain
4a083d3367 get_dhcp_opt() didx argument should be passed as a reference rather
than relying on the caller re-assigning to didx.  The previous
didx += get_dhcp_opt(...) was wrong and should have used =.
2014-05-10 21:38:45 -04:00
Nicholas J. Kain
99e21004ea arp_min_close_fd() will always force the arp fd to be equal to -1, so
there is no need to check force_reopen twice.
2014-05-10 21:13:24 -04:00