// SPDX-License-Identifier: GPL-2.0-or-later /* PASST - Plug A Simple Socket Transport * for qemu/UNIX domain socket mode * * PASTA - Pack A Subtle Tap Abstraction * for network namespace/tap device mode * * dhcp.c - Minimalistic DHCP server for PASST * * Copyright (c) 2020-2021 Red Hat GmbH * Author: Stefano Brivio */ #include #include #include #include #include #include #include #include #include #include #include #include "util.h" #include "ip.h" #include "checksum.h" #include "packet.h" #include "passt.h" #include "tap.h" #include "log.h" #include "dhcp.h" /** * dhcp_opt_types - Maps option code to RFC 2132 value type, indexed by code */ static const enum dhcp_opt_type dhcp_opt_types[256] = { [1] = DHCP_OPT_IPV4, /* Subnet Mask */ [2] = DHCP_OPT_INTEGER, /* Time Offset */ [3] = DHCP_OPT_IPV4_LIST, /* Router */ [4] = DHCP_OPT_IPV4_LIST, /* Time Server */ [5] = DHCP_OPT_IPV4_LIST, /* Name Server */ [6] = DHCP_OPT_IPV4_LIST, /* Domain Name Server */ [7] = DHCP_OPT_IPV4_LIST, /* Log Server */ [8] = DHCP_OPT_IPV4_LIST, /* Cookie Server */ [9] = DHCP_OPT_IPV4_LIST, /* LPR Server */ [10] = DHCP_OPT_IPV4_LIST, /* Impress Server */ [11] = DHCP_OPT_IPV4_LIST, /* Resource Location Server */ [12] = DHCP_OPT_STR, /* Host Name */ [13] = DHCP_OPT_INTEGER, /* Boot File Size */ [15] = DHCP_OPT_STR, /* Domain Name */ [16] = DHCP_OPT_IPV4, /* Swap Server */ [17] = DHCP_OPT_STR, /* Root Path */ [19] = DHCP_OPT_INTEGER, /* IP Forwarding */ [23] = DHCP_OPT_INTEGER, /* Default IP TTL */ [26] = DHCP_OPT_INTEGER, /* Interface MTU */ [28] = DHCP_OPT_IPV4, /* Broadcast Address */ [33] = DHCP_OPT_IPV4_LIST, /* Static Routes */ [37] = DHCP_OPT_INTEGER, /* TCP Default TTL */ [38] = DHCP_OPT_INTEGER, /* TCP Keepalive Interval */ [40] = DHCP_OPT_STR, /* NIS Domain Name */ [41] = DHCP_OPT_IPV4_LIST, /* NIS Servers */ [42] = DHCP_OPT_IPV4_LIST, /* NTP Servers */ [44] = DHCP_OPT_IPV4_LIST, /* NetBIOS Name Server */ [50] = DHCP_OPT_IPV4, /* Requested IP Address */ [51] = DHCP_OPT_INTEGER, /* IP Address Lease Time */ [53] = DHCP_OPT_INTEGER, /* DHCP Message Type */ [54] = DHCP_OPT_IPV4, /* Server Identifier */ [55] = DHCP_OPT_STR, /* Parameter Request List */ [57] = DHCP_OPT_INTEGER, /* Max DHCP Message Size */ [58] = DHCP_OPT_INTEGER, /* Renewal (T1) Time */ [59] = DHCP_OPT_INTEGER, /* Rebinding (T2) Time */ [60] = DHCP_OPT_STR, /* Vendor Class Identifier */ [61] = DHCP_OPT_STR, /* Client Identifier */ [66] = DHCP_OPT_STR, /* TFTP Server Name */ [67] = DHCP_OPT_STR, /* Bootfile Name */ [119] = DHCP_OPT_STR, /* Domain Search List */ [252] = DHCP_OPT_STR, /* WPAD URL */ }; /** * dhcp_opt_int_width - Integer width in bytes for INTEGER-typed options */ static const uint8_t dhcp_opt_int_width[256] = { [2] = 4, /* Time Offset */ [13] = 2, /* Boot File Size */ [19] = 1, /* IP Forwarding */ [23] = 1, /* Default IP TTL */ [26] = 2, /* Interface MTU */ [37] = 1, /* TCP Default TTL */ [38] = 4, /* TCP Keepalive Interval */ [51] = 4, /* IP Address Lease Time */ [53] = 1, /* DHCP Message Type */ [57] = 2, /* Max DHCP Message Size */ [58] = 4, /* Renewal (T1) Time */ [59] = 4, /* Rebinding (T2) Time */ }; #define DHCP_OPT_PARSE_BUF 1024 /** * dhcp_opt_parse() - Parse a DHCP option value * @code: DHCP option code * @str: DHCP Value string from command line * @buf: Output buffer * @buf_len: Size of output buffer * * Return: number of bytes written to @buf, or -1 on error */ int dhcp_opt_parse(uint8_t code, const char *str, uint8_t *buf, size_t buf_len) { enum dhcp_opt_type type = dhcp_opt_types[code]; char tmp[DHCP_OPT_PARSE_BUF]; char *tok, *saveptr, *end; struct in_addr addr; unsigned long val; unsigned int i; uint8_t width; size_t slen; int len; switch (type) { case DHCP_OPT_NONE: die("Unsupported DHCP option: %u," " see passt(1) for supported codes", code); case DHCP_OPT_IPV4: if (inet_pton(AF_INET, str, &addr) != 1) return -1; if (buf_len < sizeof(addr)) return -1; memcpy(buf, &addr, sizeof(addr)); return sizeof(addr); case DHCP_OPT_IPV4_LIST: len = 0; if (snprintf_check(tmp, sizeof(tmp), "%s", str)) return -1; for (tok = strtok_r(tmp, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr)) { if (inet_pton(AF_INET, tok, &addr) != 1) return -1; if (len + (int)sizeof(addr) > (int)buf_len) return -1; memcpy(buf + len, &addr, sizeof(addr)); len += sizeof(addr); } return len; case DHCP_OPT_INTEGER: width = dhcp_opt_int_width[code]; val = strtoul(str, &end, 0); if (*end || buf_len < width) return -1; if (width < 4 && val >= (1UL << (width * 8))) return -1; for (i = 0; i < width; i++) buf[i] = (val >> ((width - 1 - i) * 8)) & 0xff; return width; case DHCP_OPT_STR: slen = strlen(str); if (!slen || slen >= buf_len) return -1; strncpy((char *)buf, str, buf_len); return slen; } return -1; } /** * struct opt - DHCP option * @sent: Convenience flag, set while filling replies * @slen: Length of option defined for server, -1 if not going to be sent * @s: Option payload from server * @clen: Length of option received from client, -1 if not received * @c: Option payload from client */ struct opt { int sent; int slen; uint8_t s[255]; int clen; uint8_t c[255]; }; static struct opt opts[255]; #define DHCPDISCOVER 1 #define DHCPOFFER 2 #define DHCPREQUEST 3 #define DHCPDECLINE 4 #define DHCPACK 5 #define DHCPNAK 6 #define DHCPRELEASE 7 #define DHCPINFORM 8 #define DHCPFORCERENEW 9 #define OPT_MIN 60 /* RFC 951 */ /* Total option size (excluding end option) is 576 (RFC 2131), minus * offset of options (268), minus end option (1). */ #define OPT_MAX 307 /** * dhcp_init() - Initialise DHCP options */ void dhcp_init(void) { int i; for (i = 0; i < ARRAY_SIZE(opts); i++) opts[i].slen = -1; opts[1] = (struct opt) { 0, 4, { 0 }, 0, { 0 }, }; /* Mask */ opts[3] = (struct opt) { 0, 4, { 0 }, 0, { 0 }, }; /* Router */ opts[51] = (struct opt) { 0, 4, { 0xff, 0xff, 0xff, 0xff }, 0, { 0 }, }; /* Lease time */ opts[53] = (struct opt) { 0, 1, { 0 }, 0, { 0 }, }; /* Type */ opts[54] = (struct opt) { 0, 4, { 0 }, 0, { 0 }, }; /* Server ID */ } /** * struct msg - BOOTP/DHCP message * @op: BOOTP message type * @htype: Hardware address type * @hlen: Hardware address length * @hops: DHCP relay hops * @xid: Transaction ID randomly chosen by client * @secs: Seconds elapsed since beginning of acquisition or renewal * @flags: DHCP message flags * @ciaddr: Client IP address in BOUND, RENEW, REBINDING * @yiaddr: IP address being offered or assigned * @siaddr: Next server to use in bootstrap * @giaddr: Relay agent IP address * @chaddr: Client hardware address * @sname: Server host name * @file: Boot file name * @magic: Magic cookie prefix before options * @o: Options */ struct msg { uint8_t op; #define BOOTREQUEST 1 #define BOOTREPLY 2 uint8_t htype; uint8_t hlen; uint8_t hops; uint32_t xid; uint16_t secs; uint16_t flags; #define FLAG_BROADCAST htons_constant(0x8000) uint32_t ciaddr; struct in_addr yiaddr; uint32_t siaddr; uint32_t giaddr; uint8_t chaddr[16]; uint8_t sname[64]; uint8_t file[128]; uint32_t magic; uint8_t o[OPT_MAX + 1 /* End option */ ]; } __attribute__((__packed__)); /** * fill_one() - Fill a single option into a buffer * @buf: Buffer to write option * @size: Usable size of @buf (excluding end marker) * @o: Option number * @offset: Current offset within @buf, updated on insertion * * Return: false if @buf has space to write the option, true otherwise */ static bool fill_one(uint8_t *buf, size_t size, int o, int *offset) { size_t slen = opts[o].slen; if (*offset + 2 + slen > size) return true; buf[*offset] = o; buf[*offset + 1] = slen; *offset += 2; memcpy(&buf[*offset], opts[o].s, slen); opts[o].sent = 1; *offset += slen; return false; } #define DHCP_OVERLOAD_FILE 1 #define DHCP_OVERLOAD_SNAME 2 /** * fill_overflow() - Fill remaining options into file and sname fields * @m: Message whose file/sname fields may be used for overflow * * Return: option 52 overload value: 0 if no overflow, * DHCP_OVERLOAD_FILE for file, DHCP_OVERLOAD_SNAME for sname, * or both OR'd together */ static int fill_overflow(struct msg *m) { int file_off = 0, sname_off = 0, overload = 0; int o; for (o = 0; o < 255; o++) { if (opts[o].slen == -1 || opts[o].sent) continue; fill_one(m->file, sizeof(m->file) - 1, o, &file_off); } for (o = 0; o < 255; o++) { if (opts[o].slen == -1 || opts[o].sent) continue; if (fill_one(m->sname, sizeof(m->sname) - 1, o, &sname_off)) debug("DHCP: skipping option %i (overload full)", o); } if (file_off) { m->file[file_off] = 255; overload |= DHCP_OVERLOAD_FILE; } if (sname_off) { m->sname[sname_off] = 255; overload |= DHCP_OVERLOAD_SNAME; } return overload; } /** * fill() - Fill options in message, with overload into file/sname if needed * @m: Message to fill * @overload: Set to option 52 value (0 if none, 1/2/3 per RFC 2132) * * Return: current size of options field */ static int fill(struct msg *m, int *overload) { /* Reserve 3 bytes for option 52 (overload) if needed */ size_t size = OPT_MAX - 3; int i, o, offset = 0; for (o = 0; o < 255; o++) opts[o].sent = 0; /* Some clients (wattcp32, mTCP, maybe some others) expect * option 53 at the beginning of the list. * Put it there explicitly, unless requested via option 55. */ if (opts[55].clen > 0 && !memchr(opts[55].c, 53, opts[55].clen)) fill_one(m->o, size, 53, &offset); for (i = 0; i < opts[55].clen; i++) { o = opts[55].c[i]; if (opts[o].slen != -1) fill_one(m->o, size, o, &offset); } for (o = 0; o < 255; o++) { if (opts[o].slen != -1 && !opts[o].sent) fill_one(m->o, size, o, &offset); } *overload = fill_overflow(m); if (*overload) { m->o[offset++] = 52; m->o[offset++] = 1; m->o[offset++] = *overload; } m->o[offset++] = 255; if (offset < OPT_MIN) { memset(&m->o[offset], 0, OPT_MIN - offset); offset = OPT_MIN; } return offset; } /** * opt_dns_search_dup_ptr() - Look for possible domain name compression pointer * @buf: Current option buffer with existing labels * @cmp: Portion of domain name being added * @len: Length of current option buffer * * Return: offset to corresponding compression pointer if any, -1 if not found */ static int opt_dns_search_dup_ptr(unsigned char *buf, const char *cmp, size_t len) { unsigned int i; for (i = 0; i < len; i++) { if (buf[i] == 0 && len - i - 1 >= strlen(cmp) && !memcmp(buf + i + 1, cmp, strlen(cmp))) return i; if ((buf[i] & 0xc0) == 0xc0 && len - i - 2 >= strlen(cmp) && !memcmp(buf + i + 2, cmp, strlen(cmp))) return i + 1; } return -1; } /** * opt_set_dns_search() - Fill data and set length for Domain Search option * @c: Execution context * @max_len: Maximum total length of option buffer */ static void opt_set_dns_search(const struct ctx *c, size_t max_len) { char buf[NS_MAXDNAME]; int i; opts[119].slen = 0; for (i = 0; i < 255; i++) max_len -= opts[i].slen; for (i = 0; *c->dns_search[i].n; i++) { unsigned int n; int count = -1; const char *p; buf[0] = 0; for (p = c->dns_search[i].n, n = 1; *p; p++) { if (*p == '.') { /* RFC 1035 4.1.4 Message compression */ count = opt_dns_search_dup_ptr(opts[119].s, p + 1, opts[119].slen); if (count >= 0) { buf[n++] = '\xc0'; buf[n++] = count; break; } buf[n++] = '.'; } else { buf[n++] = *p; } } /* The compression pointer is also an end of label */ if (count < 0) buf[n++] = 0; if (n >= max_len) break; memcpy(opts[119].s + opts[119].slen, buf, n); opts[119].slen += n; max_len -= n; } for (i = 0; i < opts[119].slen; i++) { if (!opts[119].s[i] || opts[119].s[i] == '.') { opts[119].s[i] = strcspn((char *)opts[119].s + i + 1, ".\xc0"); } } if (!opts[119].slen) opts[119].slen = -1; } /** * dhcp() - Check if this is a DHCP message, reply as needed * @c: Execution context * @data: Single packet with Ethernet buffer * * Return: 0 if it's not a DHCP message, 1 if handled, -1 on failure */ int dhcp(const struct ctx *c, struct iov_tail *data) { char macstr[ETH_ADDRSTRLEN]; size_t mlen, dlen, opt_len; struct in_addr mask, dst; struct ethhdr eh_storage; struct iphdr iph_storage; struct udphdr uh_storage; const struct ethhdr *eh; const struct iphdr *iph; const struct udphdr *uh; struct msg m_storage; struct msg const *m; struct msg reply; unsigned int i; int overload; eh = IOV_REMOVE_HEADER(data, eh_storage); iph = IOV_PEEK_HEADER(data, iph_storage); if (!eh || !iph) return -1; if (!iov_drop_header(data, iph->ihl * 4UL)) return -1; uh = IOV_REMOVE_HEADER(data, uh_storage); if (!uh) return -1; if (uh->dest != htons(67)) return 0; if (c->no_dhcp) return 1; mlen = iov_tail_size(data); m = (struct msg const *)iov_remove_header_(data, &m_storage, offsetof(struct msg, o), __alignof__(struct msg)); if (!m || mlen != ntohs(uh->len) - sizeof(*uh) || mlen < offsetof(struct msg, o) || m->op != BOOTREQUEST) return -1; reply.op = BOOTREPLY; reply.htype = m->htype; reply.hlen = m->hlen; reply.hops = 0; reply.xid = m->xid; reply.secs = 0; reply.flags = m->flags; reply.ciaddr = m->ciaddr; reply.yiaddr = c->ip4.addr; reply.siaddr = 0; reply.giaddr = m->giaddr; memcpy(&reply.chaddr, m->chaddr, sizeof(reply.chaddr)); memset(&reply.sname, 0, sizeof(reply.sname)); memset(&reply.file, 0, sizeof(reply.file)); reply.magic = m->magic; for (i = 0; i < ARRAY_SIZE(opts); i++) opts[i].clen = -1; opt_len = iov_tail_size(data); while (opt_len >= 2) { uint8_t olen_storage, type_storage; const uint8_t *olen; uint8_t *type; type = IOV_REMOVE_HEADER(data, type_storage); olen = IOV_REMOVE_HEADER(data, olen_storage); if (!type || !olen) return -1; opt_len = iov_tail_size(data); if (opt_len < *olen) return -1; iov_to_buf(&data->iov[0], data->cnt, data->off, &opts[*type].c, *olen); opts[*type].clen = *olen; iov_drop_header(data, *olen); opt_len -= *olen; } opts[80].slen = -1; if (opts[53].clen > 0 && opts[53].c[0] == DHCPDISCOVER) { if (opts[80].clen == -1) { info("DHCP: offer to discover"); opts[53].s[0] = DHCPOFFER; } else { info("DHCP: ack to discover (Rapid Commit)"); opts[53].s[0] = DHCPACK; opts[80].slen = 0; } } else if (opts[53].clen <= 0 || opts[53].c[0] == DHCPREQUEST) { info("%s: ack to request", /* DHCP needs a valid message type */ (opts[53].clen <= 0) ? "BOOTP" : "DHCP"); opts[53].s[0] = DHCPACK; } else { return -1; } info(" from %s", eth_ntop(m->chaddr, macstr, sizeof(macstr))); mask.s_addr = htonl(0xffffffff << (32 - c->ip4.prefix_len)); memcpy(opts[1].s, &mask, sizeof(mask)); memcpy(opts[3].s, &c->ip4.guest_gw, sizeof(c->ip4.guest_gw)); memcpy(opts[54].s, &c->ip4.our_tap_addr, sizeof(c->ip4.our_tap_addr)); /* If the gateway is not on the assigned subnet, send an option 121 * (Classless Static Routing) adding a dummy route to it. */ if ((c->ip4.addr.s_addr & mask.s_addr) != (c->ip4.guest_gw.s_addr & mask.s_addr)) { /* a.b.c.d/32:0.0.0.0, 0:a.b.c.d */ opts[121].slen = 14; opts[121].s[0] = 32; memcpy(opts[121].s + 1, &c->ip4.guest_gw, sizeof(c->ip4.guest_gw)); memcpy(opts[121].s + 10, &c->ip4.guest_gw, sizeof(c->ip4.guest_gw)); } if (c->mtu) { opts[26].slen = 2; opts[26].s[0] = c->mtu / 256; opts[26].s[1] = c->mtu % 256; } for (i = 0, opts[6].slen = 0; !c->no_dhcp_dns && i < ARRAY_SIZE(c->ip4.dns); i++) { if (IN4_IS_ADDR_UNSPECIFIED(&c->ip4.dns[i])) break; ((struct in_addr *)opts[6].s)[i] = c->ip4.dns[i]; opts[6].slen += sizeof(uint32_t); } if (!opts[6].slen) opts[6].slen = -1; opt_len = strlen(c->hostname); if (opt_len > 0) { opts[12].slen = opt_len; memcpy(opts[12].s, &c->hostname, opt_len); } opt_len = strlen(c->fqdn); if (opt_len > 0) { opt_len += 3 /* flags */ + 2; /* Length byte for first label, and terminator */ if (sizeof(opts[81].s) >= opt_len) { opts[81].s[0] = 0x4; /* flags (E) */ opts[81].s[1] = 0xff; /* RCODE1 */ opts[81].s[2] = 0xff; /* RCODE2 */ encode_domain_name((char *)opts[81].s + 3, c->fqdn); opts[81].slen = opt_len; } else { debug("DHCP: client FQDN option doesn't fit, skipping"); } } if (!c->no_dhcp_dns_search) opt_set_dns_search(c, sizeof(m->o)); for (i = 0; i < (unsigned int)c->custom_opts_count; i++) { uint8_t code = c->custom_opts[i].code; opts[code].slen = c->custom_opts[i].len; memcpy(opts[code].s, c->custom_opts[i].val, c->custom_opts[i].len); } dlen = offsetof(struct msg, o) + fill(&reply, &overload); /* Copy boot file name into the file field for legacy PXE clients, * unless the file field is already used for option overload. */ if (!(overload & DHCP_OVERLOAD_FILE) && opts[67].slen > 0 && (size_t)opts[67].slen < sizeof(reply.file)) memcpy(&reply.file, opts[67].s, opts[67].slen + 1); if (m->flags & FLAG_BROADCAST) dst = in4addr_broadcast; else dst = c->ip4.addr; tap_udp4_send(c, c->ip4.our_tap_addr, 67, dst, 68, &reply, dlen); return 1; }