]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/network/networkd-address-generation.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network/link: shorten code a bit
[thirdparty/systemd.git] / src / network / networkd-address-generation.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <net/if_arp.h>
4
5 #include "sd-id128.h"
6
7 #include "arphrd-util.h"
8 #include "id128-util.h"
9 #include "memory-util.h"
10 #include "networkd-address-generation.h"
11 #include "networkd-link.h"
12 #include "networkd-network.h"
13 #include "string-util.h"
14
15 #define DAD_CONFLICTS_IDGEN_RETRIES_RFC7217 3
16
17 /* https://www.iana.org/assignments/ipv6-interface-ids/ipv6-interface-ids.xml */
18 #define SUBNET_ROUTER_ANYCAST_ADDRESS ((const struct in6_addr) { .s6_addr = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } })
19 #define SUBNET_ROUTER_ANYCAST_PREFIXLEN 64
20 #define RESERVED_INTERFACE_IDENTIFIERS_ADDRESS ((const struct in6_addr) { .s6_addr = { 0x02, 0x00, 0x5E, 0xFF, 0xFE } })
21 #define RESERVED_INTERFACE_IDENTIFIERS_PREFIXLEN 40
22 #define RESERVED_SUBNET_ANYCAST_ADDRESSES ((const struct in6_addr) { .s6_addr = { 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80 } })
23 #define RESERVED_SUBNET_ANYCAST_PREFIXLEN 57
24
25 #define DHCP_PD_APP_ID SD_ID128_MAKE(fb,b9,37,ca,4a,ed,4a,4d,b0,70,7f,aa,71,c0,c9,85)
26 #define NDISC_APP_ID SD_ID128_MAKE(13,ac,81,a7,d5,3f,49,78,92,79,5d,0c,29,3a,bc,7e)
27 #define RADV_APP_ID SD_ID128_MAKE(1f,1e,90,c8,5c,78,4f,dc,8e,61,2d,59,0d,53,c1,25)
28
29 typedef enum AddressGenerationType {
30 ADDRESS_GENERATION_EUI64,
31 ADDRESS_GENERATION_STATIC,
32 ADDRESS_GENERATION_PREFIXSTABLE,
33 _ADDRESS_GENERATION_TYPE_MAX,
34 _ADDRESS_GENERATION_TYPE_INVALID = -EINVAL,
35 } AddressGenerationType;
36
37 typedef struct IPv6Token {
38 AddressGenerationType type;
39 struct in6_addr address;
40 sd_id128_t secret_key;
41 } IPv6Token;
42
43 static int generate_eui64_address(const Link *link, const struct in6_addr *prefix, struct in6_addr *ret) {
44 assert(link);
45 assert(prefix);
46 assert(ret);
47
48 memcpy(ret->s6_addr, prefix, 8);
49
50 switch (link->iftype) {
51 case ARPHRD_INFINIBAND:
52 /* Use last 8 byte. See RFC4391 section 8 */
53 memcpy(&ret->s6_addr[8], &link->hw_addr.infiniband[INFINIBAND_ALEN - 8], 8);
54 break;
55 case ARPHRD_ETHER:
56 /* see RFC4291 section 2.5.1 */
57 ret->s6_addr[8] = link->hw_addr.ether.ether_addr_octet[0];
58 ret->s6_addr[9] = link->hw_addr.ether.ether_addr_octet[1];
59 ret->s6_addr[10] = link->hw_addr.ether.ether_addr_octet[2];
60 ret->s6_addr[11] = 0xff;
61 ret->s6_addr[12] = 0xfe;
62 ret->s6_addr[13] = link->hw_addr.ether.ether_addr_octet[3];
63 ret->s6_addr[14] = link->hw_addr.ether.ether_addr_octet[4];
64 ret->s6_addr[15] = link->hw_addr.ether.ether_addr_octet[5];
65 break;
66 default:
67 return log_link_debug_errno(link, SYNTHETIC_ERRNO(EINVAL),
68 "Token=eui64 is not supported for interface type %s, ignoring.",
69 strna(arphrd_to_name(link->iftype)));
70 }
71
72 ret->s6_addr[8] ^= 1 << 1;
73 return 0;
74 }
75
76 static bool stable_private_address_is_valid(const struct in6_addr *addr) {
77 assert(addr);
78
79 /* According to rfc4291, generated address should not be in the following ranges. */
80
81 if (in6_addr_prefix_covers(&SUBNET_ROUTER_ANYCAST_ADDRESS, SUBNET_ROUTER_ANYCAST_PREFIXLEN, addr))
82 return false;
83
84 if (in6_addr_prefix_covers(&RESERVED_INTERFACE_IDENTIFIERS_ADDRESS, RESERVED_INTERFACE_IDENTIFIERS_PREFIXLEN, addr))
85 return false;
86
87 if (in6_addr_prefix_covers(&RESERVED_SUBNET_ANYCAST_ADDRESSES, RESERVED_SUBNET_ANYCAST_PREFIXLEN, addr))
88 return false;
89
90 return true;
91 }
92
93 static void generate_stable_private_address_one(
94 Link *link,
95 const sd_id128_t *secret_key,
96 const struct in6_addr *prefix,
97 uint8_t dad_counter,
98 struct in6_addr *ret) {
99
100 struct siphash state;
101 uint64_t rid;
102
103 assert(link);
104 assert(secret_key);
105 assert(prefix);
106 assert(ret);
107
108 /* According to RFC7217 section 5.1
109 * RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) */
110
111 siphash24_init(&state, secret_key->bytes);
112
113 siphash24_compress(prefix, 8, &state);
114 siphash24_compress_string(link->ifname, &state);
115 if (link->iftype == ARPHRD_INFINIBAND)
116 /* Only last 8 bytes of IB MAC are stable */
117 siphash24_compress(&link->hw_addr.infiniband[INFINIBAND_ALEN - 8], 8, &state);
118 else
119 siphash24_compress(link->hw_addr.bytes, link->hw_addr.length, &state);
120
121 if (link->ssid)
122 siphash24_compress_string(link->ssid, &state);
123
124 siphash24_compress_typesafe(dad_counter, &state);
125
126 rid = htole64(siphash24_finalize(&state));
127
128 memcpy(ret->s6_addr, prefix->s6_addr, 8);
129 memcpy(ret->s6_addr + 8, &rid, 8);
130 }
131
132 static int generate_stable_private_address(
133 Link *link,
134 const sd_id128_t *app_id,
135 const sd_id128_t *secret_key,
136 const struct in6_addr *prefix,
137 struct in6_addr *ret) {
138
139 sd_id128_t secret_machine_key;
140 struct in6_addr addr;
141 uint8_t i;
142 int r;
143
144 assert(link);
145 assert(app_id);
146 assert(secret_key);
147 assert(prefix);
148 assert(ret);
149
150 if (sd_id128_is_null(*secret_key)) {
151 r = sd_id128_get_machine_app_specific(*app_id, &secret_machine_key);
152 if (r < 0)
153 return log_link_debug_errno(link, r, "Failed to generate secret key for IPv6 stable private address: %m");
154
155 secret_key = &secret_machine_key;
156 }
157
158 /* While this loop uses dad_counter and a retry limit as specified in RFC 7217, the loop does
159 * not actually attempt Duplicate Address Detection; the counter will be incremented only when
160 * the address generation algorithm produces an invalid address, and the loop may exit with an
161 * address which ends up being unusable due to duplication on the link. */
162 for (i = 0; i < DAD_CONFLICTS_IDGEN_RETRIES_RFC7217; i++) {
163 generate_stable_private_address_one(link, secret_key, prefix, i, &addr);
164
165 if (stable_private_address_is_valid(&addr))
166 break;
167 }
168 if (i >= DAD_CONFLICTS_IDGEN_RETRIES_RFC7217)
169 /* propagate recognizable errors. */
170 return log_link_debug_errno(link, SYNTHETIC_ERRNO(ENOANO),
171 "Failed to generate stable private address.");
172
173 *ret = addr;
174 return 0;
175 }
176
177 static int generate_addresses(
178 Link *link,
179 Set *tokens,
180 const sd_id128_t *app_id,
181 const struct in6_addr *prefix,
182 uint8_t prefixlen,
183 Set **ret) {
184
185 _cleanup_set_free_ Set *addresses = NULL;
186 struct in6_addr masked;
187 IPv6Token *j;
188 int r;
189
190 assert(link);
191 assert(app_id);
192 assert(prefix);
193 assert(prefixlen > 0 && prefixlen <= 64);
194 assert(ret);
195
196 masked = *prefix;
197 in6_addr_mask(&masked, prefixlen);
198
199 SET_FOREACH(j, tokens) {
200 struct in6_addr addr, *copy;
201
202 switch (j->type) {
203 case ADDRESS_GENERATION_EUI64:
204 if (generate_eui64_address(link, &masked, &addr) < 0)
205 continue;
206 break;
207
208 case ADDRESS_GENERATION_STATIC:
209 memcpy(addr.s6_addr, masked.s6_addr, 8);
210 memcpy(addr.s6_addr + 8, j->address.s6_addr + 8, 8);
211 break;
212
213 case ADDRESS_GENERATION_PREFIXSTABLE:
214 if (in6_addr_is_set(&j->address) && !in6_addr_equal(&j->address, &masked))
215 continue;
216
217 if (generate_stable_private_address(link, app_id, &j->secret_key, &masked, &addr) < 0)
218 continue;
219
220 break;
221
222 default:
223 assert_not_reached();
224 }
225
226 copy = newdup(struct in6_addr, &addr, 1);
227 if (!copy)
228 return -ENOMEM;
229
230 r = set_ensure_consume(&addresses, &in6_addr_hash_ops_free, copy);
231 if (r < 0)
232 return r;
233 }
234
235 /* fall back to EUI-64 if no token is provided */
236 if (set_isempty(addresses)) {
237 _cleanup_free_ struct in6_addr *addr = NULL;
238
239 addr = new(struct in6_addr, 1);
240 if (!addr)
241 return -ENOMEM;
242
243 if (IN_SET(link->iftype, ARPHRD_ETHER, ARPHRD_INFINIBAND))
244 r = generate_eui64_address(link, &masked, addr);
245 else
246 r = generate_stable_private_address(link, app_id, &SD_ID128_NULL, &masked, addr);
247 if (r < 0)
248 return r;
249
250 r = set_ensure_consume(&addresses, &in6_addr_hash_ops_free, TAKE_PTR(addr));
251 if (r < 0)
252 return r;
253 }
254
255 *ret = TAKE_PTR(addresses);
256 return 0;
257 }
258
259 int dhcp_pd_generate_addresses(Link *link, const struct in6_addr *prefix, Set **ret) {
260 return generate_addresses(link, link->network->dhcp_pd_tokens, &DHCP_PD_APP_ID, prefix, 64, ret);
261 }
262
263 int ndisc_generate_addresses(Link *link, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret) {
264 return generate_addresses(link, link->network->ndisc_tokens, &NDISC_APP_ID, prefix, prefixlen, ret);
265 }
266
267 int radv_generate_addresses(Link *link, Set *tokens, const struct in6_addr *prefix, uint8_t prefixlen, Set **ret) {
268 return generate_addresses(link, tokens, &RADV_APP_ID, prefix, prefixlen, ret);
269 }
270
271 static void ipv6_token_hash_func(const IPv6Token *p, struct siphash *state) {
272 siphash24_compress_typesafe(p->type, state);
273 siphash24_compress_typesafe(p->address, state);
274 id128_hash_func(&p->secret_key, state);
275 }
276
277 static int ipv6_token_compare_func(const IPv6Token *a, const IPv6Token *b) {
278 int r;
279
280 r = CMP(a->type, b->type);
281 if (r != 0)
282 return r;
283
284 r = memcmp(&a->address, &b->address, sizeof(struct in6_addr));
285 if (r != 0)
286 return r;
287
288 return id128_compare_func(&a->secret_key, &b->secret_key);
289 }
290
291 DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
292 ipv6_token_hash_ops,
293 IPv6Token,
294 ipv6_token_hash_func,
295 ipv6_token_compare_func,
296 free);
297
298 static int ipv6_token_add(Set **tokens, AddressGenerationType type, const struct in6_addr *addr, const sd_id128_t *secret_key) {
299 IPv6Token *p;
300
301 assert(tokens);
302 assert(type >= 0 && type < _ADDRESS_GENERATION_TYPE_MAX);
303 assert(addr);
304 assert(secret_key);
305
306 p = new(IPv6Token, 1);
307 if (!p)
308 return -ENOMEM;
309
310 *p = (IPv6Token) {
311 .type = type,
312 .address = *addr,
313 .secret_key = *secret_key,
314 };
315
316 return set_ensure_consume(tokens, &ipv6_token_hash_ops, p);
317 }
318
319 int config_parse_address_generation_type(
320 const char *unit,
321 const char *filename,
322 unsigned line,
323 const char *section,
324 unsigned section_line,
325 const char *lvalue,
326 int ltype,
327 const char *rvalue,
328 void *data,
329 void *userdata) {
330
331 _cleanup_free_ char *addr_alloc = NULL;
332 sd_id128_t secret_key = SD_ID128_NULL;
333 union in_addr_union buffer = {};
334 AddressGenerationType type;
335 Set **tokens = ASSERT_PTR(data);
336 const char *addr;
337 int r;
338
339 assert(filename);
340 assert(lvalue);
341 assert(rvalue);
342
343 if (isempty(rvalue)) {
344 *tokens = set_free(*tokens);
345 return 0;
346 }
347
348 if ((addr = startswith(rvalue, "prefixstable"))) {
349 const char *comma;
350
351 type = ADDRESS_GENERATION_PREFIXSTABLE;
352
353 if (*addr == ':') {
354 addr++;
355
356 comma = strchr(addr, ',');
357 if (comma) {
358 addr_alloc = strndup(addr, comma - addr);
359 if (!addr_alloc)
360 return log_oom();
361
362 addr = addr_alloc;
363 }
364 } else if (*addr == ',')
365 comma = TAKE_PTR(addr);
366 else if (*addr == '\0') {
367 comma = NULL;
368 addr = NULL;
369 } else {
370 log_syntax(unit, LOG_WARNING, filename, line, 0,
371 "Invalid IPv6 token mode in %s=, ignoring assignment: %s",
372 lvalue, rvalue);
373 return 0;
374 }
375
376 if (comma) {
377 r = id128_from_string_nonzero(comma + 1, &secret_key);
378 if (r < 0) {
379 log_syntax(unit, LOG_WARNING, filename, line, r,
380 r == -ENXIO ? "Secret key in %s= cannot be null, ignoring assignment: %s"
381 : "Failed to parse secret key in %s=, ignoring assignment: %s",
382 lvalue, rvalue);
383 return 0;
384 }
385 }
386
387 } else if (streq(rvalue, "eui64")) {
388 type = ADDRESS_GENERATION_EUI64;
389 addr = NULL;
390 } else {
391 type = ADDRESS_GENERATION_STATIC;
392
393 addr = startswith(rvalue, "static:");
394 if (!addr)
395 addr = rvalue;
396 }
397
398 if (addr) {
399 r = in_addr_from_string(AF_INET6, addr, &buffer);
400 if (r < 0) {
401 log_syntax(unit, LOG_WARNING, filename, line, r,
402 "Failed to parse IP address in %s=, ignoring assignment: %s",
403 lvalue, rvalue);
404 return 0;
405 }
406 }
407
408 switch (type) {
409 case ADDRESS_GENERATION_EUI64:
410 assert(in6_addr_is_null(&buffer.in6));
411 break;
412
413 case ADDRESS_GENERATION_STATIC:
414 /* Only last 64 bits are used. */
415 memzero(buffer.in6.s6_addr, 8);
416
417 if (in6_addr_is_null(&buffer.in6)) {
418 log_syntax(unit, LOG_WARNING, filename, line, 0,
419 "IPv6 address in %s= cannot be the ANY address, ignoring assignment: %s",
420 lvalue, rvalue);
421 return 0;
422 }
423 break;
424
425 case ADDRESS_GENERATION_PREFIXSTABLE:
426 /* At most, the initial 64 bits are used. */
427 (void) in6_addr_mask(&buffer.in6, 64);
428 break;
429
430 default:
431 assert_not_reached();
432 }
433
434 r = ipv6_token_add(tokens, type, &buffer.in6, &secret_key);
435 if (r < 0)
436 return log_oom();
437
438 return 0;
439 }
Unnamed repository; edit this file 'description' to name the repository.