From 7d46c3c1c382a96ae8bcfcd3d0e759c3c9121260 Mon Sep 17 00:00:00 2001 
From: Matthieu Baerts Date: Fri, 23 Apr 2021 18:04:33 +0200 Subject: [PATCH] tlv: add write Cookie TLV support This is linked to "Cookie TLV" section from RFC8803: https://www.rfc-editor.org/rfc/rfc8803.html#name-the-cookie-tlv The Cookie TLV (Figure 21) is an optional TLV that is similar to the TCP Fast Open Cookie [RFC7413]. A Transport Converter may want to verify that a Client can receive the packets that it sends to prevent attacks from spoofed addresses. This verification can be done by using a Cookie that is bound to, for example, the IP address(es) of the Client. This Cookie can be configured on the Client by means that are outside of this document or provided by the Transport Converter. A Transport Converter that has been configured to use the optional Cookie TLV MUST verify the presence of this TLV in the payload of the received SYN. If this TLV is present, the Transport Converter MUST validate the Cookie by means similar to those in Section 4.1.2 of [RFC7413] (i.e., IsCookieValid). If the Cookie is valid, the connection establishment procedure can continue. Otherwise, the Transport Converter MUST return an Error TLV set to "Not Authorized" and close the connection. If the received SYN did not contain a Cookie TLV, and cookie validation is required, the Transport Converter MAY compute a Cookie bound to this Client address. In such case, the Transport Converter MUST return an Error TLV set to "Missing Cookie" and the computed Cookie and close the connection. The Client will react to this error by first issuing a reset to terminate the connection. It also stores the received Cookie in its cache and attempts to reestablish a new connection to the Transport Converter that includes the Cookie TLV. The format of the Cookie TLV is shown in Figure 21. 
0 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | Type=0x16 | Length | Zero | +---------------+---------------+-------------------------------+ / Opaque Cookie / / ... / +---------------------------------------------------------------+ Figure 21: The Cookie TLV In this commit, only the write part has been added. The parsing has been done in the previous commit. Signed-off-by: Matthieu Baerts --- convert_util.c | 19 ++++++++++++++++++- tests/check_convert_util.c | 5 +++-- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/convert_util.c b/convert_util.c index 8ec725f..127c5a6 100644 --- a/convert_util.c +++ b/convert_util.c @@ -238,6 +238,23 @@ _convert_write_tlv_extended_tcp_hdr(uint8_t *buff, size_t buff_len, return length; } +static ssize_t +_convert_write_tlv_cookie(uint8_t *buff, size_t buff_len, + const struct convert_opts *opts) +{ + struct convert_cookie * cookie = (struct convert_cookie *)buff; + size_t length = CONVERT_ALIGN(sizeof(*cookie) + + opts->cookie_len); + + if (buff_len < length) + return -1; + + memset(cookie, '\0', length); + memcpy(cookie->opaque, opts->cookie_data, opts->cookie_len); + + return length; +} + static struct { uint32_t flag; uint8_t type; @@ -267,7 +284,7 @@ static struct { [_CONVERT_F_COOKIE] = { .flag = CONVERT_F_COOKIE, .type = CONVERT_COOKIE, - .cb = _convert_write_tlv_not_supp, + .cb = _convert_write_tlv_cookie, }, [_CONVERT_F_ERROR] = { .flag = CONVERT_F_ERROR, diff --git a/tests/check_convert_util.c b/tests/check_convert_util.c index 5f06840..0e69774 100644 --- a/tests/check_convert_util.c +++ b/tests/check_convert_util.c 
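Review bot: `opts->cookie_len` is never bounded in `_convert_write_tlv_cookie`, so if it is a wide type a huge value makes `size_t length = CONVERT_ALIGN(sizeof(*cookie) + opts->cookie_len);` wrap, `buff_len < length` passes, and `memcpy(cookie->opaque, opts->cookie_data, opts->cookie_len);` writes past `buff`. Independently, the figure's Length field is one byte (counted in 32-bit words per RFC 8803), so an opaque cookie longer than `255 * 4 - sizeof(*cookie)` bytes cannot be encoded at all; since this hunk never writes `cookie->type` or `cookie->length`, the header is presumably filled by the caller from the table entry, where a truncated Length would go unnoticed. I would reject oversize cookies before computing `length`, e.g. `if (opts->cookie_len > 255U * 4 - sizeof(*cookie)) return -1;`, and guard the `memcpy` against `cookie_data == NULL` with a non-zero `cookie_len`. The second hunk, pointing `.cb` at the new callback instead of `_convert_write_tlv_not_supp`, raises nothing on its own.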
@@ -316,10 +316,11 @@ END_TEST START_TEST (test_convert_write_tlvs) { unsigned int i; - uint8_t * (*tlv_builders[3])(size_t *len) = { + uint8_t * (*tlv_builders[4])(size_t *len) = { (uint8_t * (*)(size_t *))sample_convert_connect_tlv, (uint8_t * (*)(size_t *))sample_convert_error_tlv, - (uint8_t * (*)(size_t *))sample_convert_tcp_ext_hdr_tlv + (uint8_t * (*)(size_t *))sample_convert_tcp_ext_hdr_tlv, + (uint8_t * (*)(size_t *))sample_convert_cookie_tlv, }; /* For each TLV type, we expect convert_write(convert_read(TLV)) == TLV,