#define MINLSARRIVAL (1 S_)
#define LSINFINITY 0xffffff
+#define OSPF_PKT_TYPES 5 /* HELLO_P .. LSACK_P */
+#define OSPF3_CRYPTO_ID 1 /* OSPFv3 Cryptographic Protocol ID */
+
#define OSPF_DEFAULT_TICK 1
#define OSPF_DEFAULT_STUB_COST 1000
#define OSPF_DEFAULT_ECMP_LIMIT 16
u8 merge_external; /* Should i merge external routes? */
u8 asbr; /* May i originate any ext/NSSA lsa? */
u8 ecmp; /* Maximal number of nexthops in ECMP route, or 0 */
+ u64 csn64; /* Last used cryptographic sequence number */
struct ospf_area *backbone; /* If exists */
event *flood_event; /* Event for flooding LS updates */
void *lsab; /* LSA buffer used when originating router LSAs */
struct fib rtr; /* Routing tables for routers */
};
-
-
struct ospf_iface
{
node n;
struct bfd_request *bfd_req; /* BFD request, if BFD is used */
void *ldd_buffer; /* Last database description packet */
u32 ldd_bsize; /* Buffer size for ldd_buffer */
- u32 csn; /* Last received crypt seq number (for MD5) */
+ u32 csn; /* OSPFv2: Last received crypt seq number */
+ u64 csn64[OSPF_PKT_TYPES]; /* OSPFv3: Last received CSN for each type of packet */
};
#define OSPF_AUTH_SIMPLE 1
#define OSPF_AUTH_CRYPT 2
+#define OSPF3_AUTH_HMAC 1 /* HMAC Cryptographic Authentication */
/* OSPF neighbor states */
#define NEIGHBOR_DOWN 0
#define OPT_MC 0x0004 /* Related to MOSPF, not used and obsolete */
#define OPT_N 0x0008 /* Related to NSSA */
#define OPT_P 0x0008 /* OSPFv2, flags P and N share position, see NSSA RFC */
-#define OPT_EA 0x0010 /* OSPFv2, external attributes, not used and obsolete */
+#define OPT_L_V2 0x0010 /* OSPFv2, link-local signaling, not used */
#define OPT_R 0x0010 /* OSPFv3, originator is active router */
#define OPT_DC 0x0020 /* Related to demand circuits, not used */
#define OPT_AF 0x0100 /* OSPFv3 Address Families (RFC 5838) */
+#define OPT_L_V3 0x0200 /* OSPFv3, link-local signaling */
+#define OPT_AT 0x0400 /* OSPFv3, authentication trailer */
/* Router-LSA VEB flags are are stored together with links (OSPFv2) or options (OSPFv3) */
#define OPT_RT_B (0x01 << 24)
u8 autype; /* Undefined for OSPFv3 */
};
+struct ospf_lls
+{
+ u16 checksum;
+ u16 length;
+ byte data[0];
+};
+
struct ospf_auth_crypto
{
u16 zero;
u8 keyid;
u8 len;
- u32 csn;
+ u32 csn; /* Cryptographic sequence number (32-bit) */
};
-union ospf_auth
+union ospf_auth2
{
u8 password[8];
struct ospf_auth_crypto c32;
};
+struct ospf_auth3
+{
+ u16 type; /* Authentication type (OSPF3_AUTH_*) */
+ u16 length; /* Authentication trailer length (header + data) */
+ u16 reserved;
+ u16 sa_id; /* Security association identifier (key_id) */
+ u64 csn; /* Cryptographic sequence number (64-bit) */
+ byte data[0]; /* Authentication data */
+};
+
+
/* Packet types */
#define HELLO_P 1 /* Hello */
#define DBDES_P 2 /* Database description */
#endif
static inline uint ospf_pkt_hdrlen(struct ospf_proto *p)
-{ return ospf_is_v2(p) ? (sizeof(struct ospf_packet) + sizeof(union ospf_auth)) : sizeof(struct ospf_packet); }
+{ return ospf_is_v2(p) ? (sizeof(struct ospf_packet) + sizeof(union ospf_auth2)) : sizeof(struct ospf_packet); }
static inline void * ospf_tx_buffer(struct ospf_iface *ifa)
{ return ifa->sk->tbuf; }
void ospf_send_hello(struct ospf_iface *ifa, int kind, struct ospf_neighbor *dirn);
void ospf_receive_hello(struct ospf_packet *pkt, struct ospf_iface *ifa, struct ospf_neighbor *n, ip_addr faddr);
+uint ospf_hello3_options(struct ospf_packet *pkt);
/* dbdes.c */
void ospf_send_dbdes(struct ospf_proto *p, struct ospf_neighbor *n);
void ospf_rxmt_dbdes(struct ospf_proto *p, struct ospf_neighbor *n);
void ospf_receive_dbdes(struct ospf_packet *pkt, struct ospf_iface *ifa, struct ospf_neighbor *n);
+uint ospf_dbdes3_options(struct ospf_packet *pkt);
/* lsreq.c */
void ospf_send_lsreq(struct ospf_proto *p, struct ospf_neighbor *n);
pkt->areaid = htonl(ifa->oa->areaid);
pkt->checksum = 0;
pkt->instance_id = ifa->instance_id;
- pkt->autype = ifa->autype;
+ pkt->autype = ospf_is_v2(p) ? ifa->autype : 0;
}
/* We assume OSPFv2 in ospf_pkt_finalize() */
static void
-ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen)
+ospf_pkt_finalize2(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen)
{
+ struct ospf_proto *p = ifa->oa->po;
struct password_item *pass = NULL;
- union ospf_auth *auth = (void *) (pkt + 1);
-
- pkt->checksum = 0;
- pkt->autype = ifa->autype;
- bzero(auth, sizeof(union ospf_auth));
+ union ospf_auth2 *auth = (void *) (pkt + 1);
+ memset(auth, 0, sizeof(union ospf_auth2));
/* Compatibility note: auth may contain anything if autype is
none, but nonzero values do not work with Mikrotik OSPF */
+ pkt->checksum = 0;
+ pkt->autype = ifa->autype;
+
switch (ifa->autype)
{
case OSPF_AUTH_SIMPLE:
case OSPF_AUTH_NONE:
{
void *body = (void *) (auth + 1);
- uint blen = *plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth);
+ uint blen = *plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth2);
pkt->checksum = ipsum_calculate(pkt, sizeof(struct ospf_packet), body, blen, NULL);
}
break;
pass = password_find(ifa->passwords, 0);
if (!pass)
{
- log(L_ERR "No suitable password found for authentication");
+ log(L_ERR "%s: No suitable password found for authentication", p->p.name);
return;
}
else
memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
- mac_fill(pass->alg, pass->password, pass->length,
- (byte *) pkt, *plen, auth_tail);
+ mac_fill(pass->alg, pass->password, pass->length, (byte *) pkt, *plen, auth_tail);
break;
default:
}
}
+/*
+ * Return an extra packet size that should be added to a final packet size
+ */
+static void
+ospf_pkt_finalize3(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen, ip_addr src)
+{
+ struct ospf_proto *p = ifa->oa->po;
+ struct ospf_auth3 *auth = (void *) ((byte *) pkt + *plen);
+
+ pkt->checksum = 0;
+ pkt->autype = 0;
+
+ if (ifa->autype != OSPF_AUTH_CRYPT)
+ return;
+
+ struct password_item *pass = password_find(ifa->passwords, 0);
+ if (!pass)
+ {
+ log(L_ERR "%s: No suitable password found for authentication", p->p.name);
+ return;
+ }
+
+ /* FIXME: Ensure persistence */
+ p->csn64++;
+
+ uint mac_len = mac_type_length(pass->alg);
+ uint auth_len = sizeof(struct ospf_auth3) + mac_len;
+ *plen += auth_len;
+
+ ASSERT(*plen < ifa->sk->tbsize);
+
+ memset(auth, 0, sizeof(struct ospf_auth3));
+ auth->type = htons(OSPF3_AUTH_HMAC);
+ auth->length = htons(auth_len);
+ auth->reserved = 0;
+ auth->sa_id = htons(pass->id);
+ put_u64(&auth->csn, p->csn64);
+
+ /* Initialize with src IP address padded with HMAC_MAGIC */
+ put_ip6(auth->data, ipa_to_ip6(src));
+ memset32(auth->data + 16, HMAC_MAGIC, (mac_len - 16) / 4);
+
+ /* Attach OSPFv3 Cryptographic Protocol ID to the key */
+ uint pass_len = pass->length + 2;
+ byte *pass_key = alloca(pass_len);
+ memcpy(pass_key, pass->password, pass->length);
+ put_u16(pass_key + pass->length, OSPF3_CRYPTO_ID);
+
+ mac_fill(pass->alg, pass_key, pass_len, (byte *) pkt, *plen, auth->data);
+}
+
-/* We assume OSPFv2 in ospf_pkt_checkauth() */
static int
-ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len)
+ospf_pkt_checkauth2(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len)
{
struct ospf_proto *p = ifa->oa->po;
- union ospf_auth *auth = (void *) (pkt + 1);
+ union ospf_auth2 *auth = (void *) (pkt + 1);
struct password_item *pass = NULL;
const char *err_dsc = NULL;
uint err_val = 0;
return 0;
}
+static int
+ospf_pkt_checkauth3(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len, ip_addr src)
+{
+ struct ospf_proto *p = ifa->oa->po;
+ const char *err_dsc = NULL;
+ uint err_val = 0;
+
+ uint plen = ntohs(pkt->length);
+ uint opts, lls_present, auth_present;
+
+ /*
+ * When autentication is not enabled, ignore the trailer. This is different
+ * from OSPFv2, but it is necessary in order to support migration modes. Note
+ * that regular authenticated packets do not have valid checksum and will be
+ * dropped by OS on non-authenticated ifaces.
+ */
+ if (ifa->autype != OSPF_AUTH_CRYPT)
+ return 1;
+
+ switch(pkt->type)
+ {
+ case HELLO_P:
+ opts = ospf_hello3_options(pkt);
+ lls_present = opts & OPT_L_V3;
+ auth_present = opts & OPT_AT;
+ break;
+
+ case DBDES_P:
+ opts = ospf_dbdes3_options(pkt);
+ lls_present = opts & OPT_L_V3;
+ auth_present = opts & OPT_AT;
+ break;
+
+ default:
+ lls_present = 0;
+ auth_present = n->options & OPT_AT;
+ }
+
+ if (!auth_present)
+ DROP1("missing authentication trailer");
+
+ if (lls_present)
+ {
+ if ((plen + sizeof(struct ospf_lls)) > len)
+ DROP("packet length mismatch", len);
+
+ struct ospf_lls *lls = (void *) ((byte *) pkt + plen);
+ plen += ntohs(lls->length);
+ }
+
+ if ((plen + sizeof(struct ospf_auth3)) > len)
+ DROP("packet length mismatch", len);
+
+ struct ospf_auth3 *auth = (void *) ((byte *) pkt + plen);
+
+ uint rcv_auth_type = ntohs(auth->type);
+ if (rcv_auth_type != OSPF3_AUTH_HMAC)
+ DROP("authentication method mismatch", rcv_auth_type);
+
+ uint rcv_auth_len = ntohs(auth->length);
+ if (plen + rcv_auth_len > len)
+ DROP("packet length mismatch", len);
+
+ uint rcv_key_id = ntohs(auth->sa_id);
+ struct password_item *pass = password_find_by_id(ifa->passwords, rcv_key_id);
+ if (!pass)
+ DROP("no suitable password found", rcv_key_id);
+
+ uint mac_len = mac_type_length(pass->alg);
+ if (rcv_auth_len != (sizeof(struct ospf_auth3) + mac_len))
+ DROP("wrong authentication length", rcv_auth_len);
+
+ uint pt = pkt->type - 1;
+ u64 rcv_csn = get_u64(&auth->csn);
+ if (n && (rcv_csn <= n->csn64[pt]))
+ {
+ /* We want to report both new and old CSN */
+ LOG_PKT_AUTH("Authentication failed for nbr %R on %s - "
+ "lower sequence number (rcv %u, old %u)",
+ n->rid, ifa->ifname, (uint) rcv_csn, (uint) n->csn64[pt]);
+ return 0;
+ }
+
+ /* Save the received authentication data */
+ byte *auth_data = alloca(mac_len);
+ memcpy(auth_data, auth->data, mac_len);
+
+ /* Initialize with src IP address padded with HMAC_MAGIC */
+ put_ip6(auth->data, ipa_to_ip6(src));
+ memset32(auth->data + 16, HMAC_MAGIC, (mac_len - 16) / 4);
+
+ /* Attach OSPFv3 Cryptographic Protocol ID to the key */
+ uint pass_len = pass->length + 2;
+ byte *pass_key = alloca(pass_len);
+ memcpy(pass_key, pass->password, pass->length);
+ put_u16(pass_key + pass->length, OSPF3_CRYPTO_ID);
+
+ if (!mac_verify(pass->alg, pass_key, pass_len,
+ (byte *) pkt, plen + rcv_auth_len, auth_data))
+ DROP("wrong authentication code", pass->id);
+
+ if (n)
+ n->csn64[pt] = rcv_csn;
+
+ return 1;
+
+drop:
+ LOG_PKT_AUTH("Authentication failed for nbr %R on %s - %s (%u)",
+ (n ? n->rid : ntohl(pkt->routerid)), ifa->ifname, err_dsc, err_val);
+
+ return 0;
+}
+
/**
* ospf_rx_hook
* @sk: socket we received the packet.
if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
{
- uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth);
+ uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
uint blen = plen - hlen;
void *body = ((void *) pkt) + hlen;
if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
- DROP1("invalid checksum");
+ DROP("invalid checksum", ntohs(pkt->checksum));
}
/* Third, we resolve associated iface and handle vlinks. */
return 1;
}
+ /* Check packet type here, ospf_pkt_checkauth3() expects valid values */
+ if (pkt->type < HELLO_P || pkt->type > LSACK_P)
+ DROP("invalid packet type", pkt->type);
+
/* ospf_pkt_checkauth() has its own error logging */
- if (ospf_is_v2(p) && !ospf_pkt_checkauth(n, ifa, pkt, len))
+ if ((ospf_is_v2(p) ?
+ !ospf_pkt_checkauth2(n, ifa, pkt, len) :
+ !ospf_pkt_checkauth3(n, ifa, pkt, len, sk->faddr)))
return 1;
switch (pkt->type)
case LSACK_P:
ospf_receive_lsack(pkt, ifa, n);
break;
-
- default:
- DROP("invalid packet type", pkt->type);
};
return 1;
void
ospf_err_hook(sock * sk, int err)
{
- struct ospf_iface *ifa= (struct ospf_iface *) (sk->data);
+ struct ospf_iface *ifa = (struct ospf_iface *) (sk->data);
struct ospf_proto *p = ifa->oa->po;
log(L_ERR "%s: Socket error on %s: %M", p->p.name, ifa->ifname, err);
}
uint plen = ntohs(pkt->length);
if (ospf_is_v2(ifa->oa->po))
- ospf_pkt_finalize(ifa, pkt, &plen);
+ ospf_pkt_finalize2(ifa, pkt, &plen);
+ else
+ ospf_pkt_finalize3(ifa, pkt, &plen, sk->saddr);
int done = sk_send_to(sk, plen, dst, 0);
if (!done)
projects / thirdparty / bird.git / commitdiff
