From 0c29576efd81314fc09c1ce5fbaafba24691de15 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 29 Apr 2015 14:03:05 +0200
Subject: [PATCH 1/4] ggatec: Allow to specify a custom magic
---
 sbin/ggate/ggatec/ggatec.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/sbin/ggate/ggatec/ggatec.c b/sbin/ggate/ggatec/ggatec.c
index a013dd4..46d27c2 100644
--- a/sbin/ggate/ggatec/ggatec.c
+++ b/sbin/ggate/ggatec/ggatec.c
@@ -67,6 +67,7 @@ static unsigned port = G_GATE_PORT;
 static char *socks_dest = NULL;
 static unsigned dest_port = 3080;
 static off_t mediasize;
+static const char *magic = GGATE_MAGIC;
 static unsigned sectorsize = 0;
 static unsigned timeout = G_GATE_TIMEOUT;
 static int sendfd, recvfd;
@@ -377,8 +378,8 @@ handshake(int dir)
 * Create and send version packet.
 */
 g_gate_log(LOG_DEBUG, "Sending version packet.");
- assert(strlen(GGATE_MAGIC) == sizeof(ver.gv_magic));
- bcopy(GGATE_MAGIC, ver.gv_magic, sizeof(ver.gv_magic));
+ assert(strlen(magic) == sizeof(ver.gv_magic));
+ bcopy(magic, ver.gv_magic, sizeof(ver.gv_magic));
 ver.gv_version = GGATE_VERSION;
 ver.gv_error = 0;
 g_gate_swap2n_version(&ver);
@@ -609,7 +610,7 @@ main(int argc, char *argv[])
 int ch;
 char *p;
 
- ch = getopt(argc, argv, "fno:p:q:R:S:s:t:T:u:v");
+ ch = getopt(argc, argv, "fm:no:p:q:R:S:s:t:T:u:v");
 if (ch == -1)
 break;
 switch (ch) {
@@ -618,6 +619,15 @@ main(int argc, char *argv[])
 usage();
 force = 1;
 break;
+ case 'm':
+ if (action != CREATE && action != RESCUE)
+ usage();
+ magic = optarg;
+ if (strlen(magic) != strlen(GGATE_MAGIC)) {
+ errx(EXIT_FAILURE, "Magic length %lu != %lu.",
+ strlen(magic), strlen(GGATE_MAGIC));
+ }
+ break;
 case 'n':
 if (action != CREATE && action != RESCUE)
 usage();
-- 
2.4.2
From 1898e2b22a658ea6c9429c575991b12169181109 Mon Sep 17 00:00:00 2001
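Review bot: In the new `case 'm':` the errx() format uses `%lu` for the two strlen() results, which are size_t, so the matching conversion is `%zu`: `errx(EXIT_FAILURE, "Magic length %zu != %zu.",` / `    strlen(magic), strlen(GGATE_MAGIC));`. The identical errx() line is added to the ggated.c -m handler in patch 3 of this series. The handler pins the length to strlen(GGATE_MAGIC) while handshake() asserts it against sizeof(ver.gv_magic), and that assert is compiled out under NDEBUG, which leaves this handler as the only guard before bcopy() fills the field; comparing against the field size here would make the constraint self-contained. main() continues outside the hunk.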
From: Fabian Keil
Date: Wed, 29 Apr 2015 14:19:23 +0200
Subject: [PATCH 2/4] ggatec.8: Document the -m option
---
 sbin/ggate/ggatec/ggatec.8 | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/sbin/ggate/ggatec/ggatec.8 b/sbin/ggate/ggatec/ggatec.8
index be4fbfd..ca6b82c 100644
--- a/sbin/ggate/ggatec/ggatec.8
+++ b/sbin/ggate/ggatec/ggatec.8
@@ -35,6 +35,7 @@
 .Cm create
 .Op Fl n
 .Op Fl v
+.Op Fl m Ar magic_bytes
 .Op Fl o Cm ro | wo | rw
 .Op Fl p Ar port
 .Op Fl q Ar queue_size
@@ -50,6 +51,7 @@
 .Cm rescue
 .Op Fl n
 .Op Fl v
+.Op Fl m Ar magic_bytes
 .Op Fl o Cm ro | wo | rw
 .Op Fl p Ar port
 .Op Fl R Ar rcvbuf
@@ -108,6 +110,13 @@ Available options:
 Forcibly destroy
 .Nm ggate
 provider (cancels all pending requests).
+.It Fl m Ar magic_bytes
+Deviate from the "standard" protocol by using the specified magic bytes.
+The required length is 16 and the nul byte is prohibited.
+A
+.Xr ggated 8
+daemon may require non-standard magic bytes as an additional
+authentication measure.
 .It Fl n
 Do not use
 .Dv TCP_NODELAY
-- 
2.4.2
From ce13ea0f8d82f16124efd2a2e51fb7230d066e36 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 29 Apr 2015 14:34:25 +0200
Subject: [PATCH 3/4] ggated: Add a -m option to specify non-standard magic bytes
---
 sbin/ggate/ggated/ggated.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/sbin/ggate/ggated/ggated.c b/sbin/ggate/ggated/ggated.c
index 347a862..4d45c44 100644
--- a/sbin/ggate/ggated/ggated.c
+++ b/sbin/ggate/ggated/ggated.c
@@ -91,6 +91,7 @@ struct ggd_export {
 };
 
 static const char *exports_file = GGATED_EXPORT_FILE;
+static const char *magic = GGATE_MAGIC;
 static int got_sighup = 0;
 static in_addr_t bindaddr;
@@ -901,7 +902,8 @@ handshake(struct sockaddr *from, int sfd)
 return (0);
 }
 g_gate_log(LOG_DEBUG, "Version packet received.");
- if (memcmp(ver.gv_magic, GGATE_MAGIC, strlen(GGATE_MAGIC)) != 0) {
+ /* Comparing in constant-time would be nice. */
+ if (memcmp(ver.gv_magic, magic, strlen(magic)) != 0) {
 g_gate_log(LOG_WARNING, "Invalid magic field.");
 return (0);
 }
@@ -1021,6 +1023,13 @@ main(int argc, char *argv[])
 "Invalid IP/host name to bind to.");
 }
 break;
+ case 'm':
+ magic = optarg;
+ if (strlen(magic) != strlen(GGATE_MAGIC)) {
+ errx(EXIT_FAILURE, "Magic length %lu != %lu.",
+ strlen(magic), strlen(GGATE_MAGIC));
+ }
+ break;
 case 'n':
 nagle = 0;
 break;
-- 
2.4.2
From b5a7afd4b32a6b024f1cfd35bd99dc3ce5319279 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 29 Apr 2015 14:34:49 +0200
Subject: [PATCH 4/4] ggated.8: Document the -m option
---
 sbin/ggate/ggated/ggated.8 | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sbin/ggate/ggated/ggated.8 b/sbin/ggate/ggated/ggated.8
index 3560fe0..0704fc5 100644
--- a/sbin/ggate/ggated/ggated.8
+++ b/sbin/ggate/ggated/ggated.8
@@ -36,6 +36,7 @@
 .Op Fl n
 .Op Fl v
 .Op Fl a Ar address
+.Op Fl m Ar magic_bytes
 .Op Fl p Ar port
 .Op Fl R Ar rcvbuf
 .Op Fl S Ar sndbuf
@@ -58,6 +59,11 @@ Available options:
 Specifies an IP address to bind to.
 .It Fl h
 Print available options.
+.It Fl p Ar port
+Deviate from the "standard" protocol and by using the specified magic bytes
+before serving a client connection.
+The required length is 16 and the nul byte is prohibited.
+This option can be used as additional (weak) authentication measure.
 .It Fl n
 Do not use
 .Dv TCP_NODELAY
-- 
2.4.2
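Review bot: The added `/* Comparing in constant-time would be nice. */` comment records a gap the patch could close instead of documenting: memcmp() stops at the first differing byte, so the new `magic` check's timing varies with how much of the prefix matched, and the man page added in patch 4 presents this value as an authentication measure. Over a network that signal is noisy and hard to use, but the fix is one line since FreeBSD libc ships timingsafe_bcmp(3): `if (timingsafe_bcmp(ver.gv_magic, magic, strlen(magic)) != 0) {`, after which the comment can go. handshake() starts and ends outside the hunk.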
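Review bot: The new `case 'm':` takes the magic straight from optarg, so the value stays in argv for the daemon's lifetime and is readable by other local users through ps(1) or procstat(1), which is at odds with the "authentication measure" role the man page gives it; reading it from a file, for instance next to the existing exports file, would keep it out of process listings. The errx() format in this handler has the same `%lu`-for-size_t mismatch as the ggatec.c handler in patch 1, which is noted there. The ggated.8 hunk in patch 4 labels the new entry `.It Fl p Ar port` where `.It Fl m Ar magic_bytes` is meant, and its first sentence reads "and by using". main() continues outside the hunk.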