From: Roy Marples Date: Tue, 3 Jun 2014 12:49:48 +0000 (+0000) Subject: Only one place should decide how netiface and netid are formed X-Git-Tag: v6.4.0~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab517b62048be6b2d9a7421511d41b99e81aa903;p=thirdparty%2Fdhcpcd.git Only one place should decide how netiface and netid are formed for generating stable private addresses. Ensure that dhcpcd.secret is readable only by dhcpcd. --- diff --git a/ipv6.c b/ipv6.c index a09788dc..5098da9e 100644 --- a/ipv6.c +++ b/ipv6.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include @@ -238,7 +239,11 @@ ipv6_readsecret(struct dhcpcd_ctx *ctx) } - if (!(fp = fopen(SECRET, "w"))) + /* Ensure that only the dhcpcd user can read the secret. + * Write permission is also denied as chaning it would remove + * it's stability. */ + if ((fp = fopen(SECRET, "w")) == NULL || + chmod(SECRET, S_IRUSR) == -1) goto eexit; x = fprintf(fp, "%s\n", hwaddr_ntoa(ctx->secret, ctx->secret_len, line, sizeof(line))); @@ -254,8 +259,8 @@ eexit: } /* RFC7217 */ -int -ipv6_makestableprivate(struct in6_addr *addr, +static int +ipv6_makestableprivate1(struct in6_addr *addr, const struct in6_addr *prefix, int prefix_len, const unsigned char *netiface, size_t netiface_len, const char *netid, size_t netid_len, @@ -308,6 +313,23 @@ ipv6_makestableprivate(struct in6_addr *addr, return 0; } +int +ipv6_makestableprivate(struct in6_addr *addr, + const struct in6_addr *prefix, int prefix_len, + const struct interface *ifp, + uint32_t dad_counter) +{ + + /* For our implementation, we shall set the hardware address + * as the interface identifier */ + + return ipv6_makestableprivate1(addr, prefix, prefix_len, + ifp->hwaddr, ifp->hwlen, + ifp->ssid, strlen(ifp->ssid), + dad_counter, + ifp->ctx->secret, ifp->ctx->secret_len); +} + int ipv6_makeaddr(struct in6_addr *addr, const struct interface *ifp, const struct in6_addr *prefix, int prefix_len) @@ -324,11 +346,8 @@ ipv6_makeaddr(struct in6_addr *addr, const struct interface *ifp, if (ipv6_readsecret(ifp->ctx) == -1) return -1; } - if (ipv6_makestableprivate(addr, prefix, prefix_len, - ifp->options->iaid, sizeof(ifp->options->iaid), - ifp->ssid, strlen(ifp->ssid), - 0, /* DAD counter starts at 0 */ - ifp->ctx->secret, ifp->ctx->secret_len) == -1) + if (ipv6_makestableprivate(addr, + prefix, prefix_len, ifp, 0) == -1) return -1; return 0; } diff --git a/ipv6.h b/ipv6.h index de9fc42b..bb89fc61 100644 --- a/ipv6.h +++ b/ipv6.h @@ -167,10 +167,7 @@ struct ipv6_ctx *ipv6_init(struct dhcpcd_ctx *); ssize_t ipv6_printaddr(char *, size_t, const uint8_t *, const char *); int ipv6_makestableprivate(struct in6_addr *addr, const struct in6_addr *prefix, int prefix_len, - const unsigned char *netiface, size_t netiface_len, - const char *netid, size_t netid_len, - uint32_t dad_counter, - const unsigned char *secret, size_t secret_len); + const struct interface *ifp, uint32_t dad_counter); int ipv6_makeaddr(struct in6_addr *, const struct interface *, const struct in6_addr *, int); int ipv6_makeprefix(struct in6_addr *, const struct in6_addr *, int); diff --git a/ipv6nd.c b/ipv6nd.c index b98c11e3..04d31fa4 100644 --- a/ipv6nd.c +++ b/ipv6nd.c @@ -612,10 +612,7 @@ ipv6nd_dadcallback(void *arg) syslog(LOG_ERR, "if_deladdress6: %m"); if (ipv6_makestableprivate(&ap->addr, &ap->prefix, ap->prefix_len, - ifp->options->iaid, sizeof(ifp->options->iaid), - ifp->ssid, strlen(ifp->ssid), - ap->dadcounter, - ifp->ctx->secret, ifp->ctx->secret_len) == -1) + ifp, ap->dadcounter) == -1) { syslog(LOG_ERR, "%s: ipv6_makestableprivate: %m",