bird/proto/rip/auth.c

/*
 *	Rest in pieces - RIP protocol
 *
 *	Copyright (c) 1999 Pavel Machek <pavel@ucw.cz>
 *
 *	Can be freely distributed and used under the terms of the GNU GPL.
 *
 */

#define LOCAL_DEBUG

#include <string.h>
#include <stdlib.h>

#include "nest/bird.h"
#include "nest/iface.h"
#include "nest/protocol.h"
#include "nest/route.h"
#include "lib/socket.h"
#include "lib/resource.h"
#include "lib/lists.h"
#include "lib/timer.h"
#include "lib/md5.h"

#include "rip.h"

#define P ((struct rip_proto *) p)
#define P_CF ((struct rip_proto_config *)p->cf)

#define PACKETLEN(num) (num * sizeof(struct rip_block) + sizeof(struct rip_packet_heading))

/* 1 == failed, 0 == ok */
int
rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, struct rip_packet *packet, int num, ip_addr whotoldme )
{
  DBG( "Incoming authentication: " );
  switch (block->authtype) {	/* Authentication type */
  case AT_PLAINTEXT: 
    {
      struct password_item *passwd = get_best_password( P_CF->passwords, 0 );
      DBG( "Plaintext passwd" );
      if (!passwd) {
	log( L_AUTH "no passwords set and password authentication came\n" );
	return 1;
      }
      if (strncmp( (char *) (&block->packetlen), passwd->password, 16)) {
	log( L_AUTH "Passwd authentication failed!\n" );
	DBG( "Expected %s, got %s\n", passwd->password, &block->packetlen );
	return 1;
      }
    }
    return 0;
  case AT_MD5:
    DBG( "md5 password" );
    {
      struct password_item *head;
      struct rip_md5_tail *tail;

      if (block->packetlen != PACKETLEN(num)) {
	log( L_ERR "packetlen in md5 does not match computed value\n" );
	return 1;
      }

      tail = (struct rip_md5_tail *) ((char *) packet + (block->packetlen - sizeof(struct rip_block_auth)));
      if ((tail->mustbeFFFF != 0xffff) || (tail->mustbe0001 != 0x0001)) {
	log( L_ERR "md5 tail signature is not there\n" );
	return 1;
      }

      head = P_CF->passwords;
      while (head) {
	/* FIXME: should check serial numbers, somehow */
	DBG( "time, " );
	if ((head->from > now) || (head->to < now))
	  goto skip;
	if (block->seq) {
	  struct neighbor *neigh = neigh_find(p, &whotoldme, 0);
	  if (!neigh) {
	    log( L_AUTH "Non-neighbour md5 checksummed packet?\n" );
	  } else {
	    if (neigh->aux > block->seq) {
	      log( L_AUTH "md5 prottected packet with lower numbers\n" );
	      return 0;
	    }
	    neigh->aux = block->seq;
	  }
	}
	DBG( "check, " );
	if (head->id == block->keyid) {
	  struct MD5Context ctxt;
	  char md5sum_packet[16];
	  char md5sum_computed[16];

	  memcpy(md5sum_packet, tail->md5, 16);
	  password_strncpy(tail->md5, head->password, 16);

	  MD5Init(&ctxt);
	  MD5Update(&ctxt, (char *) packet, block->packetlen );
	  MD5Final(md5sum_computed, &ctxt);

	  if (memcmp(md5sum_packet, md5sum_computed, 16))
	    return 1;
	  return 0;
	}
      skip:
	head = head->next;
      }
      return 1;
    }
  }
    
  return 0;
}

int
rip_outgoing_authentication( struct proto *p, struct rip_block_auth *block, struct rip_packet *packet, int num )
{
  struct password_item *passwd = get_best_password( P_CF->passwords, 0 );

  if (!P_CF->authtype)
    return PACKETLEN(num);

  DBG( "Outgoing authentication: " );

  if (!passwd) {
    log( L_ERR "no suitable password found for authentication\n" );
    return PACKETLEN(num);
  }

  block->authtype = P_CF->authtype;
  block->mustbeFFFF = 0xffff;
  switch (P_CF->authtype) {
  case AT_PLAINTEXT:
    password_strncpy( (char *) (&block->packetlen), passwd->password, 16);
    return PACKETLEN(num);
  case AT_MD5:
    {
      struct rip_md5_tail *tail;
      struct MD5Context ctxt;
      static int sequence = 0;

      if (num > PACKET_MD5_MAX)
	bug(  "we can not add MD5 authentication to this long packet\n" );

      block->keyid = passwd->id;
      block->authlen = 20;
      block->seq = sequence++;
      block->zero0 = 0;
      block->zero1 = 0;
      block->packetlen = PACKETLEN(num) + block->authlen;

      tail = (struct rip_md5_tail *) ((char *) packet + (block->packetlen - sizeof(struct rip_block_auth)));
      tail->mustbeFFFF = 0xffff;
      tail->mustbe0001 = 0x0001;
      password_strncpy( (char *) (&tail->md5), passwd->password, 16 );

      MD5Init(&ctxt);
      MD5Update(&ctxt, (char *) packet, block->packetlen );
      MD5Final((char *) (&tail->md5), &ctxt);
      return PACKETLEN(num) + block->authlen;
    }
  default:
    bug( "Uknown authtype in outgoing authentication?\n" );
  }
}
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`/*`
			`* Rest in pieces - RIP protocol`
			`*`
			`* Copyright (c) 1999 Pavel Machek <pavel@ucw.cz>`
			`*`
			`* Can be freely distributed and used under the terms of the GNU GPL.`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`*`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`*/`

			`#define LOCAL_DEBUG`

			`#include <string.h>`
			`#include <stdlib.h>`

			`#include "nest/bird.h"`
			`#include "nest/iface.h"`
			`#include "nest/protocol.h"`
			`#include "nest/route.h"`
			`#include "lib/socket.h"`
			`#include "lib/resource.h"`
			`#include "lib/lists.h"`
			`#include "lib/timer.h"`
Incoming side of authentication done but untested. Right handling of filters in rip. 1999-06-01 03:16:22 +08:00			`#include "lib/md5.h"`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00
			`#include "rip.h"`

			`#define P ((struct rip_proto *) p)`
			`#define P_CF ((struct rip_proto_config *)p->cf)`

Few FIXME's removed from auth, few FIXME's added to filter. 1999-08-20 17:59:39 +08:00			`#define PACKETLEN(num) (num * sizeof(struct rip_block) + sizeof(struct rip_packet_heading))`

Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`/* 1 == failed, 0 == ok */`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`int`
Actually check sequence numbers. 1999-12-01 20:52:57 +08:00			`rip_incoming_authentication( struct proto p, struct rip_block_auth block, struct rip_packet *packet, int num, ip_addr whotoldme )`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`{`
			`DBG( "Incoming authentication: " );`
Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`switch (block->authtype) { /* Authentication type */`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`case AT_PLAINTEXT:`
			`{`
			`struct password_item *passwd = get_best_password( P_CF->passwords, 0 );`
			`DBG( "Plaintext passwd" );`
			`if (!passwd) {`
			`log( L_AUTH "no passwords set and password authentication came\n" );`
			`return 1;`
			`}`
			`if (strncmp( (char *) (&block->packetlen), passwd->password, 16)) {`
			`log( L_AUTH "Passwd authentication failed!\n" );`
			`DBG( "Expected %s, got %s\n", passwd->password, &block->packetlen );`
			`return 1;`
			`}`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`}`
			`return 0;`
Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`case AT_MD5:`
			`DBG( "md5 password" );`
			`{`
			`struct password_item *head;`
Incoming side of authentication done but untested. Right handling of filters in rip. 1999-06-01 03:16:22 +08:00			`struct rip_md5_tail *tail;`

md5 authentication seems to work. 1999-11-25 23:03:12 +08:00			`if (block->packetlen != PACKETLEN(num)) {`
Few FIXME's removed from auth, few FIXME's added to filter. 1999-08-20 17:59:39 +08:00			`log( L_ERR "packetlen in md5 does not match computed value\n" );`
			`return 1;`
			`}`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00
Cleanup of warnings 1999-06-01 03:22:40 +08:00			`tail = (struct rip_md5_tail ) ((char ) packet + (block->packetlen - sizeof(struct rip_block_auth)));`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`if ((tail->mustbeFFFF != 0xffff) \|\| (tail->mustbe0001 != 0x0001)) {`
			`log( L_ERR "md5 tail signature is not there\n" );`
			`return 1;`
			`}`
Incoming side of authentication done but untested. Right handling of filters in rip. 1999-06-01 03:16:22 +08:00
Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`head = P_CF->passwords;`
Few FIXME's removed from auth, few FIXME's added to filter. 1999-08-20 17:59:39 +08:00			`while (head) {`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00			`/* FIXME: should check serial numbers, somehow */`
Obvious bugs in authentication fixed. 1999-10-02 18:44:48 +08:00			`DBG( "time, " );`
Few FIXME's removed from auth, few FIXME's added to filter. 1999-08-20 17:59:39 +08:00			`if ((head->from > now) \|\| (head->to < now))`
Obvious bugs in authentication fixed. 1999-10-02 18:44:48 +08:00			`goto skip;`
Actually check sequence numbers. 1999-12-01 20:52:57 +08:00			`if (block->seq) {`
			`struct neighbor *neigh = neigh_find(p, &whotoldme, 0);`
			`if (!neigh) {`
			`log( L_AUTH "Non-neighbour md5 checksummed packet?\n" );`
			`} else {`
			`if (neigh->aux > block->seq) {`
			`log( L_AUTH "md5 prottected packet with lower numbers\n" );`
			`return 0;`
			`}`
			`neigh->aux = block->seq;`
			`}`
			`}`
Obvious bugs in authentication fixed. 1999-10-02 18:44:48 +08:00			`DBG( "check, " );`
Incoming side of authentication done but untested. Right handling of filters in rip. 1999-06-01 03:16:22 +08:00			`if (head->id == block->keyid) {`
			`struct MD5Context ctxt;`
			`char md5sum_packet[16];`
			`char md5sum_computed[16];`

Cleanup of warnings 1999-06-01 03:22:40 +08:00			`memcpy(md5sum_packet, tail->md5, 16);`
Incoming side of authentication done but untested. Right handling of filters in rip. 1999-06-01 03:16:22 +08:00			`password_strncpy(tail->md5, head->password, 16);`

			`MD5Init(&ctxt);`
Cleanup of warnings 1999-06-01 03:22:40 +08:00			`MD5Update(&ctxt, (char *) packet, block->packetlen );`
Incoming side of authentication done but untested. Right handling of filters in rip. 1999-06-01 03:16:22 +08:00			`MD5Final(md5sum_computed, &ctxt);`

			`if (memcmp(md5sum_packet, md5sum_computed, 16))`
			`return 1;`
Obvious bugs in authentication fixed. 1999-10-02 18:44:48 +08:00			`return 0;`
Incoming side of authentication done but untested. Right handling of filters in rip. 1999-06-01 03:16:22 +08:00			`}`
Obvious bugs in authentication fixed. 1999-10-02 18:44:48 +08:00			`skip:`
Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`head = head->next;`
			`}`
			`return 1;`
			`}`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`}`

			`return 0;`
			`}`

Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`int`
Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`rip_outgoing_authentication( struct proto p, struct rip_block_auth block, struct rip_packet *packet, int num )`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`{`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00			`struct password_item *passwd = get_best_password( P_CF->passwords, 0 );`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00
			`if (!P_CF->authtype)`
			`return PACKETLEN(num);`

Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`DBG( "Outgoing authentication: " );`

Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00			`if (!passwd) {`
			`log( L_ERR "no suitable password found for authentication\n" );`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`return PACKETLEN(num);`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00			`}`

Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`block->authtype = P_CF->authtype;`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00			`block->mustbeFFFF = 0xffff;`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`switch (P_CF->authtype) {`
			`case AT_PLAINTEXT:`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00			`password_strncpy( (char *) (&block->packetlen), passwd->password, 16);`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`return PACKETLEN(num);`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00			`case AT_MD5:`
			`{`
			`struct rip_md5_tail *tail;`
			`struct MD5Context ctxt;`
			`static int sequence = 0;`

			`if (num > PACKET_MD5_MAX)`
			`bug( "we can not add MD5 authentication to this long packet\n" );`

			`block->keyid = passwd->id;`
			`block->authlen = 20;`
			`block->seq = sequence++;`
			`block->zero0 = 0;`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`block->zero1 = 0;`
			`block->packetlen = PACKETLEN(num) + block->authlen;`
Few fixme's fixed in rip (will not crash any more on request for sending routing table - hopefully). Next few steps in md5 authentication (not yet complete). 1999-08-18 21:19:33 +08:00
			`tail = (struct rip_md5_tail ) ((char ) packet + (block->packetlen - sizeof(struct rip_block_auth)));`
			`tail->mustbeFFFF = 0xffff;`
			`tail->mustbe0001 = 0x0001;`
			`password_strncpy( (char *) (&tail->md5), passwd->password, 16 );`

			`MD5Init(&ctxt);`
			`MD5Update(&ctxt, (char *) packet, block->packetlen );`
			`MD5Final((char *) (&tail->md5), &ctxt);`
md5 authentication seems to work. 1999-11-25 23:03:12 +08:00			`return PACKETLEN(num) + block->authlen;`
Modified rip to new password handling in nest. Now it at least compiles. 1999-06-01 01:12:38 +08:00			`}`
Bugfixes: select right password for password authentication, do not try to process authentication blocks as datablocks, make it possible to add data at end of packet. Password authentication should actually work. 1999-11-25 22:54:08 +08:00			`default:`
			`bug( "Uknown authtype in outgoing authentication?\n" );`
Mensi updaty do ripu. Pridana passwd autentikace (netestovano). 1999-05-11 17:53:45 +08:00			`}`
			`}`