

Upgrade CBMA to v0.1.7: Increase MTU overhead + add nodst + log fix
pentestiing committed Jun 6, 2024
1 parent 03097d8 commit 8b60649
Showing 11 changed files with 74 additions and 33 deletions.
21 changes: 11 additions & 10 deletions modules/sc-mesh-secure-deployment/src/nats/cbma/README.md
Expand Up @@ -19,16 +19,6 @@ ip link set wlp1s0 up
# Connect wlp1s0 to the mesh if it isn't - Need a working wpa_supplicant_11s.conf
wpa_supplicant -i wlp1s0 -c wpa_supplicant_11s.conf -D nl80211 -B

# Prepare lower-batman interface (using wlp1s0 locally administered MAC)
ip link del bat0 2>/dev/null
ip link add name bat0 type batadv
ip link set bat0 address $(read a < /sys/class/net/wlp1s0/address && printf "%02x${a:2}\n" $(( 0x${a:0:2} ^ 0x2 )))
ip link set bat0 up

# Create upper-batman inteface
ip link del bat1 2>/dev/null
ip link add name bat1 type batadv

# Install Python dependencies - Recommended to create + activate a venv before
$ python3 -m pip install -r requirements.txt

Expand All @@ -45,6 +35,17 @@ $ python3 standalone.py -i wlp1s0 # Runs lower-CBMA by default
$ python3 standalone.py -i bat0 -b bat1 # Add -u if lower-CBMA wasn't established beforehand
# NOTE: if bat0 doesn't have the same MAC as any of its attached interfaces (like LA wlp1s0 one)
# you will have to generate certificates for it as a workaround

# Optional - Now done automatically by standalone.py
# Prepare lower-batman interface (using wlp1s0 locally administered MAC)
ip link del bat0 2>/dev/null
ip link add name bat0 type batadv
ip link set bat0 address $(read a < /sys/class/net/wlp1s0/address && printf "%02x${a:2}\n" $(( 0x${a:0:2} ^ 0x2 )))
ip link set bat0 up

# Create upper-batman inteface
ip link del bat1 2>/dev/null
ip link add name bat1 type batadv
```


8 changes: 4 additions & 4 deletions modules/sc-mesh-secure-deployment/src/nats/cbma/VERSION
@@ -1,4 +1,4 @@
GIT_VERSION=v0.0.0-old_requirements_fixes
GIT_SHA=261e1b95dbe8a8a99af7cb56ad7abac90fd26884
EPOCH_TIMESTAMP=1714545575
PRECISE_DATE_TIMESTAMP="2024-05-01 - 06:39:35.164044574"
GIT_VERSION=v0.1.7-old_requirements_fixes
GIT_SHA=2b333ce8b4308663fd7901d87add93b731314f56
EPOCH_TIMESTAMP=1717686203
PRECISE_DATE_TIMESTAMP="2024-06-06 - 15:03:23.866091572"
@@ -1,7 +1,7 @@
#!/bin/bash


export SCN='/sys/class/net'
source "${BASH_SOURCE%/*}/constants.rc"

cleanup_bridge_if_needed()
{
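Review bot: The new `source "${BASH_SOURCE%/*}/constants.rc"` line does not check that the file was actually read; without `set -e` a missing or unreadable constants.rc leaves SCN and the overhead variables empty and the script carries on, later expanding `"$SCN/..."` paths to `/...`. Suggest `source "${BASH_SOURCE%/*}/constants.rc" || { >&2 echo "Error: cannot source constants.rc"; exit 1; }`. The same replacement of `export SCN` by an unchecked `source` appears in the next file section's first hunk. cleanup_bridge_if_needed starts in this hunk and its body lies outside it.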
@@ -1,9 +1,7 @@
#! /bin/bash
#!/bin/bash



export SCN='/sys/class/net'

source "${BASH_SOURCE%/*}/constants.rc"

cleanup_macscbpad_interface()
{
Expand Down Expand Up @@ -33,6 +31,7 @@ cleanup_macsec_interface()

cleanup_macvlan_interface()
{
[ -e "$SCN/$MACVLAN_NAME" ] || return 0
cleanup_macscbub_interface
cleanup_macsec_interface
ip link delete "$MACVLAN_NAME"
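Review bot: The added guard `[ -e "$SCN/$MACVLAN_NAME" ] || return 0` in cleanup_macvlan_interface also skips the two calls that follow it, cleanup_macscbub_interface and cleanup_macsec_interface, so if those interfaces can be left behind without the macvlan (I cannot tell from this hunk) they will never be removed. If the intent is only to avoid a failing `ip link delete`, move the guard onto that line: `[ -e "$SCN/$MACVLAN_NAME" ] && ip link delete "$MACVLAN_NAME"`. A one-line comment above the guard stating which case it is meant to short-circuit would also help; the function's end is outside the hunk.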
Expand Up @@ -2,7 +2,7 @@
export MACSEC_OVERHEAD=16

# needs more testing, an overhead of 32 might even occur if batman-adv uses 4 address mode
export BATMAN_OVERHEAD=24
export BATMAN_OVERHEAD=48

export HOPEFULLY1500=1500
export SCN='/sys/class/net'
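Review bot: The comment above BATMAN_OVERHEAD still says "an overhead of 32 might even occur", which reads as a worst case that the new value of 48 already exceeds, so the comment and the constant now contradict each other. Replace it with one that explains what 48 covers, e.g. `# 48 = <measured worst case, see MEASUREMENT-OR-TICKET>; the old 24/32 figures caused fragmentation` with the placeholder filled in. Note that standalone.py sums every non-comment line containing OVERHEAD or HOPEFULLY, so keep the explanation on a `#` line rather than as a trailing comment on the assignment.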
Expand Up @@ -178,7 +178,7 @@ random_mac_address()

create_macvlan_interface()
{
if ! ip link add link "$BASE_INTERFACE_NAME" name "$MACVLAN_NAME" address "$LOCAL_MAC" mtu "$MACVLAN_MTU" type macvlan mode source bcqueuelen 0 \
if ! ip link add link "$BASE_INTERFACE_NAME" name "$MACVLAN_NAME" address "$LOCAL_MAC" mtu "$MACVLAN_MTU" type macvlan mode source nodst bcqueuelen 0 \
|| ! ip link set link dev "$MACVLAN_NAME" type macvlan macaddr add "$REMOTE_MAC"; then
return `false`
fi
Expand Down Expand Up @@ -216,12 +216,12 @@ create_macvlan_interface()
create_bridge_if_needed()
{
if [ ! -e "$SCN/$MACBR_NAME/bridge" ]; then
>&2 echo "Error: creation has been moved to create_bridge.sh, $MACBR_NAME should exist"
return `false`
>&2 echo "WARN: $MACBR_NAME doesn't exist when it should, recreating it but something is misbehaving"
"${BASH_SOURCE%/*}/create_bridge.sh" "$L_OR_U" "$BASE_INTERFACE_NAME" || return $?
fi
create_macvlan_interface || return `false`
REMOTE_EUI64=`mac_to_eui64 "$REMOTE_MAC"`
REMOTE_LLA="fe80::$REMOTE_EUI64"
REMOTE_LLA="fe80::$REMOTE_EUI64"
ip neigh replace "$REMOTE_LLA" lladdr "$REMOTE_MAC" dev "$MACBR_NAME"
}

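Review bot: Adding `nodst` to the `ip link add ... type macvlan mode source` command in create_macvlan_interface makes the whole interface creation fail on targets whose kernel or iproute2 predate that flag (as far as I recall it is a fairly recent addition), and the failure path only does `return \`false\`` with no message, so the regression would be silent. Either emit a stderr line on that branch, `>&2 echo "Error: cannot create $MACVLAN_NAME on $BASE_INTERFACE_NAME (nodst unsupported?)"`, or retry once without `nodst` before giving up. In the second hunk, create_bridge_if_needed now recreates a missing bridge instead of failing; a short comment stating which caller is expected to have created it would make the WARN actionable. Both functions continue outside their hunks.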
Expand Up @@ -7,7 +7,7 @@ KEYPAIR_TYPE="rsa" # Can be ecdsa, eddsa, or rsa

DEFAULT_LOG_LEVEL="INFO"

BASE_MTU="1400"
BASE_MTU="1500"

CBMA_DEBUG=0
BAT_DEBUG=0
Expand Down Expand Up @@ -104,8 +104,7 @@ setup_wlan() {
# ip netns exec "$I" ip link set dev "$WLAN" name "wlp1s${I}"
# ip netns exec "$I" iw dev "wlp1s${I}" set type mesh

# NOTE - No need to set MTU for now
# ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80))
ip netns exec "$I" ip link set dev "wlp1s${I}" mtu $((BASE_MTU + 80))

ip netns exec "$I" ip link set dev "wlp1s${I}" address "00:20:91:0${I}:0${I}:0${I}"
ip netns exec "$I" ip link set dev "wlp1s${I}" up
Expand All @@ -126,7 +125,7 @@ setup_eth() {
ip link add "$ETH" type veth peer name "eth${I}" netns "$I"

# NOTE - No need to set MTU for now
# ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108))
ip netns exec "$I" ip link set dev "eth${I}" mtu $((BASE_MTU + 108))
ip netns exec "$I" ip link set dev "eth${I}" address "00:20:91:${I}0:${I}0:${I}0"

ip link set "$ETH" up
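Review bot: In setup_eth the `# NOTE - No need to set MTU for now` comment is left in place directly above the `ip link set dev "eth${I}" mtu $((BASE_MTU + 108))` line that this commit uncomments, so the comment now says the opposite of what the code does; the setup_wlan hunk removed its copy of the note, this one should too. The `80` and `108` overheads are also unexplained literals that presumably mirror the MACSEC_OVERHEAD/BATMAN_OVERHEAD values in constants.rc; either derive them from that file or add a comment such as `# 80/108 = overhead budget for the lower/upper CBMA path, keep in sync with constants.rc`. Both functions extend beyond their hunks.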
Expand Up @@ -47,6 +47,7 @@ cleanup_mdm_agent_files() {
command ssh ${ID_RSA:+-i "$ID_RSA"} $SSH_OPTIONS "root@$IP" bash <<-EOF || exit 6
rm -f /opt/certs_uploaded
rm -rf /opt/certs || :
rm -rf /opt/mdm || :
EOF
}

Expand Down Expand Up @@ -122,6 +123,6 @@ fi
stop_mdm_agent "$IP" "$ID_RSA"
cleanup_logs "$IP" "$ID_RSA"
cleanup_mdm_agent_files "$IP" "$ID_RSA"
upgrade_cbma "$CBMA" "$IP" "$ID_RSA"
# upgrade_cbma "$CBMA" "$IP" "$ID_RSA"
# upgrade_birthcerts "$IP" "$ID_RSA"
start_mdm_agent "$IP" "$ID_RSA"
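Review bot: `rm -rf /opt/mdm || :` in cleanup_mdm_agent_files deletes the agent's whole directory as root on the remote host, which is broader than the certificate files the function name suggests; a comment on that line saying what lives there and why wiping it is safe before start_mdm_agent runs would prevent the next reader from "fixing" it. In the second hunk `upgrade_cbma "$CBMA" "$IP" "$ID_RSA"` is commented out rather than removed or gated, so `$CBMA` is presumably still parsed but silently unused; prefer a flag such as `[ -n "$SKIP_CBMA_UPGRADE" ] || upgrade_cbma "$CBMA" "$IP" "$ID_RSA"` or drop the line and the variable together.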
43 changes: 41 additions & 2 deletions modules/sc-mesh-secure-deployment/src/nats/cbma/standalone.py
@@ -1,3 +1,4 @@
import os
import sys
import argparse

Expand All @@ -14,8 +15,9 @@


BATMAN_ROUTING_ALG = 'BATMAN_V'
CBMA_ROOT = os.path.normpath(os.path.dirname(__file__))

def get_interface_locally_administed_mac(interface: str) -> str:
def get_interface_locally_administered_mac(interface: str) -> str:
mac = get_interface_mac_address(interface)
mac_bytes = bytearray.fromhex(mac.replace(':', ''))
mac_bytes[0] ^= 0x2 # Locally administered bit
Expand All @@ -35,6 +37,32 @@ def destroy_batman(batman: str) -> None:
destroy_batman_str = f"ip link del {batman}"
run_command_retcode(destroy_batman_str.split())

def get_mtu_from_constants_rc(exclude: list[str] = []) -> int:
mtu = 0
constants_rc = f"{CBMA_ROOT}/scripts/mess/constants.rc"
with open(constants_rc, 'r') as f:
for line in f.readlines():
if line.startswith('#') or not '=' in line \
or not ('OVERHEAD' in line or 'HOPEFULLY' in line):
continue
for e in exclude:
if e in line:
break
else:
try:
mtu += int(line.split('=')[-1].strip())
except ValueError:
logger.warning(f"Ignoring '{line.strip()}' for MTU calculation")
if not mtu:
logger.error(f"Unable to get MTU value from {constants_rc}")
sys.exit(255)

return mtu

def set_interface_mtu(interface: str, mtu: int) -> bool:
cmd_str = f"ip link set {interface} mtu {mtu}"
return not run_command_retcode(cmd_str.split())


if __name__ == '__main__':
parser = argparse.ArgumentParser(description='CBMA standalone parameters')
Expand Down Expand Up @@ -101,6 +129,17 @@ def destroy_batman(batman: str) -> None:
certificates = CBMACertificates(cert_dir, key, chain, ca)

is_upper = args.upper or any('bat' in i and glob(f"/sys/class/net/*/upper_{i}") for i in interfaces)

mtu_base = get_mtu_from_constants_rc(exclude=['OVERHEAD'])
mtu_overhead = get_mtu_from_constants_rc(exclude=['HOPEFULLY'])
if not is_upper:
mtu_overhead *= 2
mtu = mtu_base + mtu_overhead

for i in interfaces:
if not set_interface_mtu(i, mtu):
sys.exit(255)

enable_macsec_encryption = is_upper
try:
controller = CBMAController(args.port,
Expand All @@ -113,7 +152,7 @@ def destroy_batman(batman: str) -> None:
sys.exit(255)

if not (existing_batman := f"/sys/class/net/{args.batman}" in glob("/sys/class/net/*")):
mac = get_interface_locally_administed_mac(interfaces[0])
mac = get_interface_locally_administered_mac(interfaces[0])
create_batman(args.batman, mac)
try:
logger.info(f"Adding {interfaces} to the CBMAController")
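Review bot: `get_mtu_from_constants_rc(exclude: list[str] = [])` uses a mutable default argument; it is not mutated today, but the idiom is a trap, and the `for e in exclude: ... break / else:` construct is hard to read for what is a membership test. Suggest `def get_mtu_from_constants_rc(exclude: list[str] | None = None) -> int:` with `exclude = exclude or []` and `if any(e in line for e in exclude): continue` (the `|` in the annotation needs 3.10 unless the file has `from __future__ import annotations`; otherwise quote it). In the `__main__` hunk, `if not set_interface_mtu(i, mtu): sys.exit(255)` exits with no message, unlike the other failure paths; add `logger.error(f"Unable to set MTU {mtu} on {i}")` before the exit. A docstring on get_mtu_from_constants_rc stating that it sums every non-comment `NAME=value` line containing OVERHEAD or HOPEFULLY and exits the process when nothing parses would document the coupling to constants.rc's format.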
@@ -1,7 +1,10 @@
import os
import sys

from OpenSSL import SSL

sys.path.insert(0, os.path.normpath(os.path.join(os.path.dirname(__file__), os.pardir)))

from secure_socket.secure_socket import FileBasedSecureSocket
from models.certificates import CBMACertificates

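Review bot: `sys.path.insert(0, ...)` puts the parent directory of this file ahead of every other entry, so any module named `secure_socket`, `models` or like a stdlib/site module placed in that directory is imported in preference to the installed one; since this code runs with the privileges needed for `ip link`, the directory's write permissions become part of the trust boundary. If the insertion is only needed to run the file as a script, prefer invoking it as a package module (`python -m ...`) with relative imports, or at least add a comment `# NOTE: prepends the package root so this file can run standalone; keep that directory root-owned` so the assumption is visible.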
@@ -1,13 +1,12 @@
from struct import Struct
from ipaddress import IPv6Address

from . import logging, common
from . import common


LLA_PREFIX = 'fe80'

pack_ipv6 = Struct('!16s').pack
logger = logging.get_logger()


def get_interface_mac_address(interface: str) -> str:
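Review bot: This hunk removes both the `logging` import and the module-level `logger = logging.get_logger()`, but only the top of the file is visible; if any function below get_interface_mac_address still calls `logger.*`, the module now raises NameError at call time rather than at import. Please confirm with a search for `logger` in this file, and if some uses remain keep the logger and drop only the unused import.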
