Revision 29239ba2

View differences:

proto/ospf/config.Y
42 42

  
43 43
  if ((ip->autype == OSPF_AUTH_NONE) && (ip->passwords != NULL))
44 44
    log(L_WARN "Password option without authentication option does not make sense");
45

  
46
  if (ip->passwords)
47
  {
48
    struct password_item *pass;
49
    WALK_LIST(pass, *ip->passwords)
50
    {
51
      if (pass->alg && (ip->autype != OSPF_AUTH_CRYPT))
52
	cf_error("Password algorithm option requires cryptographic authentication");
53

  
54
      /* Set default OSPF crypto algorithms */
55
      if (!pass->alg && (ip->autype == OSPF_AUTH_CRYPT))
56
	pass->alg = ospf_cfg_is_v2() ? ALG_MD5 : ALG_HMAC_SHA256;
57
    }
58
  }
45 59
}
46 60

  
47 61
static void
proto/ospf/iface.c
9 9
 */
10 10

  
11 11
#include "ospf.h"
12
#include "nest/password.h"
12 13

  
13 14

  
14 15
const char *ospf_is_names[] = {
......
52 53
}
53 54

  
54 55
static inline uint
56
ifa_tx_hdrlen(struct ospf_iface *ifa)
57
{
58
  uint hlen = SIZE_OF_IP_HEADER;
59

  
60
  /* Relevant just for OSPFv2 */
61
  if (ifa->autype == OSPF_AUTH_CRYPT)
62
    hlen += max_mac_length(ifa->passwords);
63

  
64
  return hlen;
65
}
66

  
67
static inline uint
55 68
ifa_bufsize(struct ospf_iface *ifa)
56 69
{
57 70
  uint bsize = ifa->cf->rx_buffer ?: ifa->iface->mtu;
......
67 80
int
68 81
ospf_iface_assure_bufsize(struct ospf_iface *ifa, uint plen)
69 82
{
70
  plen += SIZE_OF_IP_HEADER;
71

  
72
  /* This is relevant just for OSPFv2 */
73
  if (ifa->autype == OSPF_AUTH_CRYPT)
74
    plen += OSPF_AUTH_CRYPT_SIZE;
83
  plen += ifa->tx_hdrlen;
75 84

  
76 85
  if (plen <= ifa->sk->tbsize)
77 86
    return 0;
......
574 583
  ifa->stub = ospf_iface_stubby(ip, addr);
575 584
  ifa->ioprob = OSPF_I_OK;
576 585
  ifa->tx_length = ifa_tx_length(ifa);
586
  ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);
577 587
  ifa->check_link = ip->check_link;
578 588
  ifa->ecmp_weight = ip->ecmp_weight;
579 589
  ifa->check_ttl = (ip->ttl_security == 1);
......
684 694
  ifa->deadint = ip->deadint;
685 695
  ifa->inftransdelay = ip->inftransdelay;
686 696
  ifa->tx_length = ospf_is_v2(p) ? IP4_MIN_MTU : IP6_MIN_MTU;
697
  ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);
687 698
  ifa->autype = ip->autype;
688 699
  ifa->passwords = ip->passwords;
689 700
  ifa->instance_id = ip->instance_id;
......
824 835
  /* Update passwords */
825 836
  ifa->passwords = new->passwords;
826 837

  
838
  /* Update header length */
839
  ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);
840

  
827 841
  /* Remaining options are just for proper interfaces */
828 842
  if (ifa->type == OSPF_IT_VLINK)
829 843
    return 1;
proto/ospf/ospf.h
180 180

  
181 181
#define OSPF_RXBUF_MINSIZE 256	/* Minimal allowed size */
182 182
  u8 instance_id;
183
  u8 autype;			/* Not really used in OSPFv3 */
184
#define OSPF_AUTH_NONE 0
185
#define OSPF_AUTH_SIMPLE 1
186
#define OSPF_AUTH_CRYPT 2
187
#define OSPF_AUTH_CRYPT_SIZE 16
183
  u8 autype;			/* OSPF_AUTH_*, not really used in OSPFv3 */
188 184
  u8 strictnbma;
189 185
  u8 check_link;
190 186
  u8 ecmp_weight;
......
334 330
  u8 marked;			/* Used in OSPF reconfigure, 2 for force restart */
335 331
  u16 rxbuf;			/* Buffer size */
336 332
  u16 tx_length;		/* Soft TX packet length limit, usually MTU */
333
  u16 tx_hdrlen;		/* Expected packet header length, less than tx_length */
337 334
  u8 check_link;		/* Whether iface link change is used */
338 335
  u8 ecmp_weight;		/* Weight used for ECMP */
339 336
  u8 link_lsa_suppression;	/* Suppression of Link-LSA origination */
......
424 421
#define ISM_UNLOOP	5	/* Link up */
425 422
#define ISM_DOWN	6	/* Interface down */
426 423

  
424
/* OSPF authentication types */
425
#define OSPF_AUTH_NONE	0
426
#define OSPF_AUTH_SIMPLE 1
427
#define OSPF_AUTH_CRYPT	2
428

  
427 429

  
428 430
/* OSPF neighbor states */
429 431
#define NEIGHBOR_DOWN	0
......
455 457
#define TRANS_WAIT	2	/* Waiting before the end of translation */
456 458

  
457 459

  
458

  
459 460
/* Generic option flags */
460 461
#define OPT_V6		0x01	/* OSPFv3, LSA relevant for IPv6 routing calculation */
461 462
#define OPT_E		0x02	/* Related to AS-external LSAs */
......
491 492
  u8 autype;			/* Undefined for OSPFv3 */
492 493
};
493 494

  
494
struct ospf_md5
495
struct ospf_auth_crypto
495 496
{
496 497
  u16 zero;
497 498
  u8 keyid;
......
502 503
union ospf_auth
503 504
{
504 505
  u8 password[8];
505
  struct ospf_md5 md5;
506
  struct ospf_auth_crypto c32;
506 507
};
507 508

  
508 509
/* Packet types */
......
896 897

  
897 898
/* packet.c */
898 899
void ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type);
899
uint ospf_pkt_maxsize(struct ospf_iface *ifa);
900 900
int ospf_rx_hook(sock * sk, uint size);
901 901
// void ospf_tx_hook(sock * sk);
902 902
void ospf_err_hook(sock * sk, int err);
......
905 905
void ospf_send_to_agt(struct ospf_iface *ifa, u8 state);
906 906
void ospf_send_to_bdr(struct ospf_iface *ifa);
907 907

  
908
static inline uint ospf_pkt_maxsize(struct ospf_iface *ifa)
909
{ return ifa->tx_length - ifa->tx_hdrlen; }
910

  
908 911
static inline void ospf_send_to_all(struct ospf_iface *ifa)
909 912
{ ospf_send_to(ifa, ifa->all_routers); }
910 913

  
proto/ospf/packet.c
32 32
  pkt->autype = ifa->autype;
33 33
}
34 34

  
35
uint
36
ospf_pkt_maxsize(struct ospf_iface *ifa)
37
{
38
  uint headers = SIZE_OF_IP_HEADER;
39

  
40
  /* Relevant just for OSPFv2 */
41
  if (ifa->autype == OSPF_AUTH_CRYPT)
42
    headers += OSPF_AUTH_CRYPT_SIZE;
43

  
44
  return ifa->tx_length - headers;
45
}
46

  
47 35
/* We assume OSPFv2 in ospf_pkt_finalize() */
48 36
static void
49
ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt)
37
ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen)
50 38
{
51
  struct password_item *passwd = NULL;
39
  struct password_item *pass = NULL;
52 40
  union ospf_auth *auth = (void *) (pkt + 1);
53
  uint plen = ntohs(pkt->length);
54 41

  
55 42
  pkt->checksum = 0;
56 43
  pkt->autype = ifa->autype;
......
62 49
  switch (ifa->autype)
63 50
  {
64 51
  case OSPF_AUTH_SIMPLE:
65
    passwd = password_find(ifa->passwords, 1);
66
    if (!passwd)
52
    pass = password_find(ifa->passwords, 1);
53
    if (!pass)
67 54
    {
68 55
      log(L_ERR "No suitable password found for authentication");
69 56
      return;
70 57
    }
71
    strncpy(auth->password, passwd->password, sizeof(auth->password));
58
    strncpy(auth->password, pass->password, sizeof(auth->password));
72 59

  
73 60
  case OSPF_AUTH_NONE:
74 61
    {
75 62
      void *body = (void *) (auth + 1);
76
      uint blen = plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth);
63
      uint blen = *plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth);
77 64
      pkt->checksum = ipsum_calculate(pkt, sizeof(struct ospf_packet), body, blen, NULL);
78 65
    }
79 66
    break;
80 67

  
81 68
  case OSPF_AUTH_CRYPT:
82
    passwd = password_find(ifa->passwords, 0);
83
    if (!passwd)
69
    pass = password_find(ifa->passwords, 0);
70
    if (!pass)
84 71
    {
85 72
      log(L_ERR "No suitable password found for authentication");
86 73
      return;
......
101 88

  
102 89
    ifa->csn_use = now;
103 90

  
104
    auth->md5.zero = 0;
105
    auth->md5.keyid = passwd->id;
106
    auth->md5.len = OSPF_AUTH_CRYPT_SIZE;
107
    auth->md5.csn = htonl(ifa->csn);
91
    uint auth_len = mac_type_length(pass->alg);
92
    byte *auth_tail = ((byte *) pkt + *plen);
93
    *plen += auth_len;
94

  
95
    ASSERT(*plen < ifa->sk->tbsize);
108 96

  
109
    void *tail = ((void *) pkt) + plen;
110
    char password[OSPF_AUTH_CRYPT_SIZE];
111
    strncpy(password, passwd->password, sizeof(password));
97
    auth->c32.zero = 0;
98
    auth->c32.keyid = pass->id;
99
    auth->c32.len = auth_len;
100
    auth->c32.csn = htonl(ifa->csn);
112 101

  
113
    struct hash_context ctx;
114
    md5_init(&ctx);
115
    md5_update(&ctx, (char *) pkt, plen);
116
    md5_update(&ctx, password, OSPF_AUTH_CRYPT_SIZE);
117
    memcpy((byte *) tail, md5_final(&ctx), MD5_SIZE);
102
    /* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
103
    if (pass->alg < ALG_HMAC)
104
      strncpy(auth_tail, pass->password, auth_len);
105
    else
106
      memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
107

  
108
    mac_fill(pass->alg, pass->password, pass->length,
109
	     (byte *) pkt, *plen, auth_tail);
118 110
    break;
119 111

  
120 112
  default:
......
155 147
    return 1;
156 148

  
157 149
  case OSPF_AUTH_CRYPT:
158
    if (auth->md5.len != OSPF_AUTH_CRYPT_SIZE)
159
      DROP("invalid MD5 digest length", auth->md5.len);
150
    pass = password_find_by_id(ifa->passwords, auth->c32.keyid);
151
    if (!pass)
152
      DROP("no suitable password found", auth->c32.keyid);
153

  
154
    uint auth_len = mac_type_length(pass->alg);
160 155

  
161
    if (plen + OSPF_AUTH_CRYPT_SIZE > len)
162
      DROP("length mismatch", len);
156
    if (plen + auth->c32.len > len)
157
      DROP("packet length mismatch", len);
163 158

  
164
    u32 rcv_csn = ntohl(auth->md5.csn);
159
    if (auth->c32.len != auth_len)
160
      DROP("wrong authentication length", auth->c32.len);
161

  
162
    u32 rcv_csn = ntohl(auth->c32.csn);
165 163
    if (n && (rcv_csn < n->csn))
166 164
      // DROP("lower sequence number", rcv_csn);
167 165
    {
......
172 170
      return 0;
173 171
    }
174 172

  
175
    pass = password_find_by_id(ifa->passwords, auth->md5.keyid);
176
    if (!pass)
177
      DROP("no suitable password found", auth->md5.keyid);
178

  
179
    byte *tail = ((byte *) pkt) + plen;
180
    char received[OSPF_AUTH_CRYPT_SIZE];
181
    memcpy(received, tail, OSPF_AUTH_CRYPT_SIZE);
182
    strncpy(tail, pass->password, OSPF_AUTH_CRYPT_SIZE);
173
    byte *auth_tail = ((byte *) pkt) + plen;
174
    byte *auth_data = alloca(auth_len);
175
    memcpy(auth_data, auth_tail, auth_len);
183 176

  
184
    struct hash_context ctx;
185
    md5_init(&ctx);
186
    md5_update(&ctx, (byte *) pkt, plen + OSPF_AUTH_CRYPT_SIZE);
187
    char *computed = md5_final(&ctx);
177
    /* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
178
    if (pass->alg < ALG_HMAC)
179
      strncpy(auth_tail, pass->password, auth_len);
180
    else
181
      memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
188 182

  
189
    if (memcmp(received, computed, OSPF_AUTH_CRYPT_SIZE))
190
      DROP("wrong MD5 digest", pass->id);
183
    if (!mac_verify(pass->alg, pass->password, pass->length,
184
		    (byte *) pkt, plen + auth_len, auth_data))
185
      DROP("wrong authentication code", pass->id);
191 186

  
192 187
    if (n)
193 188
      n->csn = rcv_csn;
......
473 468
{
474 469
  sock *sk = ifa->sk;
475 470
  struct ospf_packet *pkt = (struct ospf_packet *) sk->tbuf;
476
  int plen = ntohs(pkt->length);
471
  uint plen = ntohs(pkt->length);
477 472

  
478 473
  if (ospf_is_v2(ifa->oa->po))
479
  {
480
    if (ifa->autype == OSPF_AUTH_CRYPT)
481
      plen += OSPF_AUTH_CRYPT_SIZE;
482

  
483
    ospf_pkt_finalize(ifa, pkt);
484
  }
474
    ospf_pkt_finalize(ifa, pkt, &plen);
485 475

  
486 476
  int done = sk_send_to(sk, plen, dst, 0);
487 477
  if (!done)

Also available in: Unified diff