1999-11-17 23:50:41 +08:00
|
|
|
/*
|
|
|
|
* BIRD -- OSPF
|
|
|
|
*
|
2005-03-16 04:51:33 +08:00
|
|
|
* (c) 1999--2005 Ondrej Filip <feela@network.cz>
|
2014-06-26 17:58:57 +08:00
|
|
|
* (c) 2009--2014 Ondrej Zajicek <santiago@crfreenet.org>
|
|
|
|
* (c) 2009--2014 CZ.NIC z.s.p.o.
|
1999-11-17 23:50:41 +08:00
|
|
|
*
|
|
|
|
* Can be freely distributed and used under the terms of the GNU GPL.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "ospf.h"
|
2004-06-27 04:15:34 +08:00
|
|
|
#include "nest/password.h"
|
|
|
|
#include "lib/md5.h"
|
2016-10-25 23:04:17 +08:00
|
|
|
#include "lib/mac.h"
|
2015-11-13 23:08:28 +08:00
|
|
|
#include "lib/socket.h"
|
1999-11-17 23:50:41 +08:00
|
|
|
|
|
|
|
void
|
2004-06-27 04:15:34 +08:00
|
|
|
ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type)
|
1999-11-17 23:50:41 +08:00
|
|
|
{
|
2014-06-26 17:58:57 +08:00
|
|
|
struct ospf_proto *p = ifa->oa->po;
|
1999-11-17 23:50:41 +08:00
|
|
|
struct ospf_packet *pkt;
|
|
|
|
|
2003-09-14 21:41:24 +08:00
|
|
|
pkt = (struct ospf_packet *) buf;
|
1999-11-17 23:50:41 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
pkt->version = ospf_get_version(p);
|
2003-09-14 21:41:24 +08:00
|
|
|
pkt->type = h_type;
|
2014-06-26 17:58:57 +08:00
|
|
|
pkt->length = htons(ospf_pkt_maxsize(ifa));
|
|
|
|
pkt->routerid = htonl(p->router_id);
|
2004-07-15 05:46:20 +08:00
|
|
|
pkt->areaid = htonl(ifa->oa->areaid);
|
2003-09-14 21:41:24 +08:00
|
|
|
pkt->checksum = 0;
|
2014-06-26 17:58:57 +08:00
|
|
|
pkt->instance_id = ifa->instance_id;
|
2018-04-25 21:50:57 +08:00
|
|
|
pkt->autype = ospf_is_v2(p) ? ifa->autype : 0;
|
1999-11-17 23:50:41 +08:00
|
|
|
}
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
/* We assume OSPFv2 in ospf_pkt_finalize() */
|
2009-08-21 15:27:52 +08:00
|
|
|
static void
|
2018-04-25 21:50:57 +08:00
|
|
|
ospf_pkt_finalize2(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen)
|
1999-11-17 23:50:41 +08:00
|
|
|
{
|
2018-04-25 21:50:57 +08:00
|
|
|
struct ospf_proto *p = ifa->oa->po;
|
2016-10-28 02:58:21 +08:00
|
|
|
struct password_item *pass = NULL;
|
2018-04-25 21:50:57 +08:00
|
|
|
union ospf_auth2 *auth = (void *) (pkt + 1);
|
|
|
|
memset(auth, 0, sizeof(union ospf_auth2));
|
2011-05-19 07:20:00 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
/* Compatibility note: auth may contain anything if autype is
|
2011-05-19 07:20:00 +08:00
|
|
|
none, but nonzero values do not work with Mikrotik OSPF */
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2018-04-25 21:50:57 +08:00
|
|
|
pkt->checksum = 0;
|
|
|
|
pkt->autype = ifa->autype;
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
switch (ifa->autype)
|
2004-06-27 04:15:34 +08:00
|
|
|
{
|
2014-06-26 17:58:57 +08:00
|
|
|
case OSPF_AUTH_SIMPLE:
|
2016-10-28 02:58:21 +08:00
|
|
|
pass = password_find(ifa->passwords, 1);
|
|
|
|
if (!pass)
|
2014-06-26 17:58:57 +08:00
|
|
|
{
|
|
|
|
log(L_ERR "No suitable password found for authentication");
|
|
|
|
return;
|
|
|
|
}
|
2016-10-28 02:58:21 +08:00
|
|
|
strncpy(auth->password, pass->password, sizeof(auth->password));
|
2018-09-18 20:21:11 +08:00
|
|
|
/* fallthrough */
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
case OSPF_AUTH_NONE:
|
|
|
|
{
|
|
|
|
void *body = (void *) (auth + 1);
|
2018-04-25 21:50:57 +08:00
|
|
|
uint blen = *plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth2);
|
2014-06-26 17:58:57 +08:00
|
|
|
pkt->checksum = ipsum_calculate(pkt, sizeof(struct ospf_packet), body, blen, NULL);
|
|
|
|
}
|
|
|
|
break;
|
2009-04-09 02:15:01 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
case OSPF_AUTH_CRYPT:
|
2016-10-28 02:58:21 +08:00
|
|
|
pass = password_find(ifa->passwords, 0);
|
|
|
|
if (!pass)
|
2014-06-26 17:58:57 +08:00
|
|
|
{
|
2018-04-25 21:50:57 +08:00
|
|
|
log(L_ERR "%s: No suitable password found for authentication", p->p.name);
|
2014-06-26 17:58:57 +08:00
|
|
|
return;
|
|
|
|
}
|
2009-04-09 02:15:01 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
/* Perhaps use random value to prevent replay attacks after
|
|
|
|
reboot when system does not have independent RTC? */
|
|
|
|
if (!ifa->csn)
|
|
|
|
{
|
2017-06-21 00:03:06 +08:00
|
|
|
ifa->csn = (u32) (current_real_time() TO_S);
|
|
|
|
ifa->csn_use = current_time();
|
2014-06-26 17:58:57 +08:00
|
|
|
}
|
|
|
|
|
2014-07-19 23:28:38 +08:00
|
|
|
/* We must have sufficient delay between sending a packet and increasing
|
2014-06-26 17:58:57 +08:00
|
|
|
CSN to prevent reordering of packets (in a network) with different CSNs */
|
2017-06-21 00:03:06 +08:00
|
|
|
if ((current_time() - ifa->csn_use) > 1 S)
|
2014-06-26 17:58:57 +08:00
|
|
|
ifa->csn++;
|
|
|
|
|
2017-06-21 00:03:06 +08:00
|
|
|
ifa->csn_use = current_time();
|
2014-06-26 17:58:57 +08:00
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
uint auth_len = mac_type_length(pass->alg);
|
|
|
|
byte *auth_tail = ((byte *) pkt + *plen);
|
|
|
|
*plen += auth_len;
|
|
|
|
|
|
|
|
ASSERT(*plen < ifa->sk->tbsize);
|
2014-06-26 17:58:57 +08:00
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
auth->c32.zero = 0;
|
|
|
|
auth->c32.keyid = pass->id;
|
|
|
|
auth->c32.len = auth_len;
|
|
|
|
auth->c32.csn = htonl(ifa->csn);
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
/* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
|
|
|
|
if (pass->alg < ALG_HMAC)
|
|
|
|
strncpy(auth_tail, pass->password, auth_len);
|
|
|
|
else
|
|
|
|
memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
|
|
|
|
|
2018-04-25 21:50:57 +08:00
|
|
|
mac_fill(pass->alg, pass->password, pass->length, (byte *) pkt, *plen, auth_tail);
|
2014-06-26 17:58:57 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
bug("Unknown authentication type");
|
2004-06-27 04:15:34 +08:00
|
|
|
}
|
1999-11-17 23:50:41 +08:00
|
|
|
}
|
|
|
|
|
2018-04-25 21:50:57 +08:00
|
|
|
/*
|
|
|
|
* Return an extra packet size that should be added to a final packet size
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
ospf_pkt_finalize3(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen, ip_addr src)
|
|
|
|
{
|
|
|
|
struct ospf_proto *p = ifa->oa->po;
|
|
|
|
struct ospf_auth3 *auth = (void *) ((byte *) pkt + *plen);
|
|
|
|
|
|
|
|
pkt->checksum = 0;
|
|
|
|
pkt->autype = 0;
|
|
|
|
|
|
|
|
if (ifa->autype != OSPF_AUTH_CRYPT)
|
|
|
|
return;
|
|
|
|
|
|
|
|
struct password_item *pass = password_find(ifa->passwords, 0);
|
|
|
|
if (!pass)
|
|
|
|
{
|
|
|
|
log(L_ERR "%s: No suitable password found for authentication", p->p.name);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* FIXME: Ensure persistence */
|
|
|
|
p->csn64++;
|
|
|
|
|
|
|
|
uint mac_len = mac_type_length(pass->alg);
|
|
|
|
uint auth_len = sizeof(struct ospf_auth3) + mac_len;
|
|
|
|
*plen += auth_len;
|
|
|
|
|
|
|
|
ASSERT(*plen < ifa->sk->tbsize);
|
|
|
|
|
|
|
|
memset(auth, 0, sizeof(struct ospf_auth3));
|
|
|
|
auth->type = htons(OSPF3_AUTH_HMAC);
|
|
|
|
auth->length = htons(auth_len);
|
|
|
|
auth->reserved = 0;
|
|
|
|
auth->sa_id = htons(pass->id);
|
|
|
|
put_u64(&auth->csn, p->csn64);
|
|
|
|
|
|
|
|
/* Initialize with src IP address padded with HMAC_MAGIC */
|
|
|
|
put_ip6(auth->data, ipa_to_ip6(src));
|
|
|
|
memset32(auth->data + 16, HMAC_MAGIC, (mac_len - 16) / 4);
|
|
|
|
|
|
|
|
/* Attach OSPFv3 Cryptographic Protocol ID to the key */
|
|
|
|
uint pass_len = pass->length + 2;
|
|
|
|
byte *pass_key = alloca(pass_len);
|
|
|
|
memcpy(pass_key, pass->password, pass->length);
|
|
|
|
put_u16(pass_key + pass->length, OSPF3_CRYPTO_ID);
|
|
|
|
|
|
|
|
mac_fill(pass->alg, pass_key, pass_len, (byte *) pkt, *plen, auth->data);
|
|
|
|
}
|
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
|
2004-06-05 17:58:23 +08:00
|
|
|
static int
|
2018-04-25 21:50:57 +08:00
|
|
|
ospf_pkt_checkauth2(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len)
|
2000-06-06 09:23:03 +08:00
|
|
|
{
|
2014-06-26 17:58:57 +08:00
|
|
|
struct ospf_proto *p = ifa->oa->po;
|
2018-04-25 21:50:57 +08:00
|
|
|
union ospf_auth2 *auth = (void *) (pkt + 1);
|
2014-10-24 16:27:21 +08:00
|
|
|
struct password_item *pass = NULL;
|
|
|
|
const char *err_dsc = NULL;
|
|
|
|
uint err_val = 0;
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
uint plen = ntohs(pkt->length);
|
|
|
|
u8 autype = pkt->autype;
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (autype != ifa->autype)
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP("authentication method mismatch", autype);
|
2000-06-06 09:23:03 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
switch (autype)
|
2004-06-27 04:15:34 +08:00
|
|
|
{
|
2014-06-26 17:58:57 +08:00
|
|
|
case OSPF_AUTH_NONE:
|
|
|
|
return 1;
|
1999-11-17 23:50:41 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
case OSPF_AUTH_SIMPLE:
|
|
|
|
pass = password_find(ifa->passwords, 1);
|
|
|
|
if (!pass)
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP1("no password found");
|
|
|
|
|
|
|
|
if (!password_verify(pass, auth->password, sizeof(auth->password)))
|
|
|
|
DROP("wrong password", pass->id);
|
2009-01-16 17:58:52 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
return 1;
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
case OSPF_AUTH_CRYPT:
|
2016-10-28 02:58:21 +08:00
|
|
|
pass = password_find_by_id(ifa->passwords, auth->c32.keyid);
|
|
|
|
if (!pass)
|
|
|
|
DROP("no suitable password found", auth->c32.keyid);
|
|
|
|
|
|
|
|
uint auth_len = mac_type_length(pass->alg);
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
if (plen + auth->c32.len > len)
|
|
|
|
DROP("packet length mismatch", len);
|
2004-06-27 04:15:34 +08:00
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
if (auth->c32.len != auth_len)
|
|
|
|
DROP("wrong authentication length", auth->c32.len);
|
|
|
|
|
|
|
|
u32 rcv_csn = ntohl(auth->c32.csn);
|
2014-10-24 16:27:21 +08:00
|
|
|
if (n && (rcv_csn < n->csn))
|
|
|
|
// DROP("lower sequence number", rcv_csn);
|
2014-06-26 17:58:57 +08:00
|
|
|
{
|
2014-10-24 16:27:21 +08:00
|
|
|
/* We want to report both new and old CSN */
|
|
|
|
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - "
|
|
|
|
"lower sequence number (rcv %u, old %u)",
|
|
|
|
n->rid, ifa->ifname, rcv_csn, n->csn);
|
|
|
|
return 0;
|
2014-06-26 17:58:57 +08:00
|
|
|
}
|
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
byte *auth_tail = ((byte *) pkt) + plen;
|
|
|
|
byte *auth_data = alloca(auth_len);
|
|
|
|
memcpy(auth_data, auth_tail, auth_len);
|
2009-08-21 15:27:52 +08:00
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
/* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
|
|
|
|
if (pass->alg < ALG_HMAC)
|
|
|
|
strncpy(auth_tail, pass->password, auth_len);
|
|
|
|
else
|
|
|
|
memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
|
2009-08-21 15:27:52 +08:00
|
|
|
|
2016-10-28 02:58:21 +08:00
|
|
|
if (!mac_verify(pass->alg, pass->password, pass->length,
|
|
|
|
(byte *) pkt, plen + auth_len, auth_data))
|
|
|
|
DROP("wrong authentication code", pass->id);
|
2014-10-24 16:27:21 +08:00
|
|
|
|
|
|
|
if (n)
|
|
|
|
n->csn = rcv_csn;
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
return 1;
|
2009-08-21 15:27:52 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
default:
|
2014-10-24 16:27:21 +08:00
|
|
|
bug("Unknown authentication type");
|
2014-06-26 17:58:57 +08:00
|
|
|
}
|
2010-02-11 17:23:35 +08:00
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
drop:
|
|
|
|
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - %s (%u)",
|
|
|
|
(n ? n->rid : ntohl(pkt->routerid)), ifa->ifname, err_dsc, err_val);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2009-08-21 15:27:52 +08:00
|
|
|
|
2018-04-25 21:50:57 +08:00
|
|
|
static int
|
|
|
|
ospf_pkt_checkauth3(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len, ip_addr src)
|
|
|
|
{
|
|
|
|
struct ospf_proto *p = ifa->oa->po;
|
|
|
|
const char *err_dsc = NULL;
|
|
|
|
uint err_val = 0;
|
|
|
|
|
|
|
|
uint plen = ntohs(pkt->length);
|
|
|
|
uint opts, lls_present, auth_present;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* When autentication is not enabled, ignore the trailer. This is different
|
|
|
|
* from OSPFv2, but it is necessary in order to support migration modes. Note
|
|
|
|
* that regular authenticated packets do not have valid checksum and will be
|
|
|
|
* dropped by OS on non-authenticated ifaces.
|
|
|
|
*/
|
|
|
|
if (ifa->autype != OSPF_AUTH_CRYPT)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
switch(pkt->type)
|
|
|
|
{
|
|
|
|
case HELLO_P:
|
|
|
|
opts = ospf_hello3_options(pkt);
|
|
|
|
lls_present = opts & OPT_L_V3;
|
|
|
|
auth_present = opts & OPT_AT;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case DBDES_P:
|
|
|
|
opts = ospf_dbdes3_options(pkt);
|
|
|
|
lls_present = opts & OPT_L_V3;
|
|
|
|
auth_present = opts & OPT_AT;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
lls_present = 0;
|
|
|
|
auth_present = n->options & OPT_AT;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!auth_present)
|
|
|
|
DROP1("missing authentication trailer");
|
|
|
|
|
|
|
|
if (lls_present)
|
|
|
|
{
|
|
|
|
if ((plen + sizeof(struct ospf_lls)) > len)
|
|
|
|
DROP("packet length mismatch", len);
|
|
|
|
|
|
|
|
struct ospf_lls *lls = (void *) ((byte *) pkt + plen);
|
|
|
|
plen += ntohs(lls->length);
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((plen + sizeof(struct ospf_auth3)) > len)
|
|
|
|
DROP("packet length mismatch", len);
|
|
|
|
|
|
|
|
struct ospf_auth3 *auth = (void *) ((byte *) pkt + plen);
|
|
|
|
|
|
|
|
uint rcv_auth_type = ntohs(auth->type);
|
|
|
|
if (rcv_auth_type != OSPF3_AUTH_HMAC)
|
|
|
|
DROP("authentication method mismatch", rcv_auth_type);
|
|
|
|
|
|
|
|
uint rcv_auth_len = ntohs(auth->length);
|
|
|
|
if (plen + rcv_auth_len > len)
|
|
|
|
DROP("packet length mismatch", len);
|
|
|
|
|
|
|
|
uint rcv_key_id = ntohs(auth->sa_id);
|
|
|
|
struct password_item *pass = password_find_by_id(ifa->passwords, rcv_key_id);
|
|
|
|
if (!pass)
|
|
|
|
DROP("no suitable password found", rcv_key_id);
|
|
|
|
|
|
|
|
uint mac_len = mac_type_length(pass->alg);
|
|
|
|
if (rcv_auth_len != (sizeof(struct ospf_auth3) + mac_len))
|
|
|
|
DROP("wrong authentication length", rcv_auth_len);
|
|
|
|
|
|
|
|
uint pt = pkt->type - 1;
|
|
|
|
u64 rcv_csn = get_u64(&auth->csn);
|
|
|
|
if (n && (rcv_csn <= n->csn64[pt]))
|
|
|
|
{
|
|
|
|
/* We want to report both new and old CSN */
|
|
|
|
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - "
|
|
|
|
"lower sequence number (rcv %u, old %u)",
|
|
|
|
n->rid, ifa->ifname, (uint) rcv_csn, (uint) n->csn64[pt]);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Save the received authentication data */
|
|
|
|
byte *auth_data = alloca(mac_len);
|
|
|
|
memcpy(auth_data, auth->data, mac_len);
|
|
|
|
|
|
|
|
/* Initialize with src IP address padded with HMAC_MAGIC */
|
|
|
|
put_ip6(auth->data, ipa_to_ip6(src));
|
|
|
|
memset32(auth->data + 16, HMAC_MAGIC, (mac_len - 16) / 4);
|
|
|
|
|
|
|
|
/* Attach OSPFv3 Cryptographic Protocol ID to the key */
|
|
|
|
uint pass_len = pass->length + 2;
|
|
|
|
byte *pass_key = alloca(pass_len);
|
|
|
|
memcpy(pass_key, pass->password, pass->length);
|
|
|
|
put_u16(pass_key + pass->length, OSPF3_CRYPTO_ID);
|
|
|
|
|
|
|
|
if (!mac_verify(pass->alg, pass_key, pass_len,
|
|
|
|
(byte *) pkt, plen + rcv_auth_len, auth_data))
|
|
|
|
DROP("wrong authentication code", pass->id);
|
|
|
|
|
|
|
|
if (n)
|
|
|
|
n->csn64[pt] = rcv_csn;
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
drop:
|
|
|
|
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - %s (%u)",
|
|
|
|
(n ? n->rid : ntohl(pkt->routerid)), ifa->ifname, err_dsc, err_val);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2000-06-08 05:56:32 +08:00
|
|
|
/**
|
|
|
|
* ospf_rx_hook
|
2010-02-11 17:23:35 +08:00
|
|
|
* @sk: socket we received the packet.
|
2016-05-12 23:49:12 +08:00
|
|
|
* @len: length of the packet
|
2000-06-08 05:56:32 +08:00
|
|
|
*
|
2003-08-23 18:42:41 +08:00
|
|
|
* This is the entry point for messages from neighbors. Many checks (like
|
|
|
|
* authentication, checksums, size) are done before the packet is passed to
|
2000-06-08 05:56:32 +08:00
|
|
|
* non generic functions.
|
|
|
|
*/
|
1999-11-17 23:50:41 +08:00
|
|
|
int
|
2016-10-14 21:37:04 +08:00
|
|
|
ospf_rx_hook(sock *sk, uint len)
|
1999-11-17 23:50:41 +08:00
|
|
|
{
|
2014-10-24 16:27:21 +08:00
|
|
|
/* We want just packets from sk->iface. Unfortunately, on BSD we cannot filter
|
|
|
|
out other packets at kernel level and we receive all packets on all sockets */
|
2010-03-12 01:07:24 +08:00
|
|
|
if (sk->lifindex != sk->iface->index)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
DBG("OSPF: RX hook called (iface %s, src %I, dst %I)\n",
|
2015-10-05 18:14:50 +08:00
|
|
|
sk->iface->name, sk->faddr, sk->laddr);
|
2010-03-12 01:07:24 +08:00
|
|
|
|
|
|
|
/* Initially, the packet is associated with the 'master' iface */
|
|
|
|
struct ospf_iface *ifa = sk->data;
|
2014-06-26 17:58:57 +08:00
|
|
|
struct ospf_proto *p = ifa->oa->po;
|
2014-10-24 16:27:21 +08:00
|
|
|
const char *err_dsc = NULL;
|
|
|
|
uint err_val = 0;
|
2010-03-12 01:07:24 +08:00
|
|
|
|
2015-08-19 17:16:23 +08:00
|
|
|
/* Should not happen */
|
|
|
|
if (ifa->state <= OSPF_IS_LOOP)
|
|
|
|
return 1;
|
|
|
|
|
2014-07-19 23:28:38 +08:00
|
|
|
int src_local, dst_local, dst_mcast;
|
2015-11-12 09:03:59 +08:00
|
|
|
src_local = ipa_in_netX(sk->faddr, &ifa->addr->prefix);
|
2011-03-29 07:41:46 +08:00
|
|
|
dst_local = ipa_equal(sk->laddr, ifa->addr->ip);
|
2014-06-26 17:58:57 +08:00
|
|
|
dst_mcast = ipa_equal(sk->laddr, ifa->all_routers) || ipa_equal(sk->laddr, ifa->des_routers);
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (ospf_is_v2(p))
|
|
|
|
{
|
|
|
|
/* First, we eliminate packets with strange address combinations.
|
|
|
|
* In OSPFv2, they might be for other ospf_ifaces (with different IP
|
|
|
|
* prefix) on the same real iface, so we don't log it. We enforce
|
|
|
|
* that (src_local || dst_local), therefore we are eliminating all
|
2014-07-19 23:28:38 +08:00
|
|
|
* such cases.
|
2014-06-26 17:58:57 +08:00
|
|
|
*/
|
|
|
|
if (dst_mcast && !src_local)
|
|
|
|
return 1;
|
|
|
|
if (!dst_mcast && !dst_local)
|
|
|
|
return 1;
|
2010-03-12 01:07:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
/* Ignore my own broadcast packets */
|
|
|
|
if (ifa->cf->real_bcast && ipa_equal(sk->faddr, ifa->addr->ip))
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2014-07-19 23:28:38 +08:00
|
|
|
/* In OSPFv3, src_local and dst_local mean link-local.
|
2014-06-26 17:58:57 +08:00
|
|
|
* RFC 5340 says that local (non-vlink) packets use
|
|
|
|
* link-local src address, but does not enforce it. Strange.
|
|
|
|
*/
|
|
|
|
if (dst_mcast && !src_local)
|
2014-11-03 17:42:55 +08:00
|
|
|
LOG_PKT_WARN("Multicast packet received from non-link-local %I via %s",
|
2014-10-24 16:27:21 +08:00
|
|
|
sk->faddr, ifa->ifname);
|
2014-06-26 17:58:57 +08:00
|
|
|
}
|
2010-03-12 01:07:24 +08:00
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
/* Second, we check packet length, checksum, and the protocol version */
|
2014-10-24 17:11:43 +08:00
|
|
|
struct ospf_packet *pkt = (void *) sk_rx_buffer(sk, &len);
|
|
|
|
|
2004-07-15 05:46:20 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (pkt == NULL)
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP("bad IP header", len);
|
2009-01-11 17:51:54 +08:00
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
if (len < sizeof(struct ospf_packet))
|
|
|
|
DROP("too short", len);
|
|
|
|
|
|
|
|
if (pkt->version != ospf_get_version(p))
|
|
|
|
DROP("version mismatch", pkt->version);
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
uint plen = ntohs(pkt->length);
|
2014-02-07 00:46:01 +08:00
|
|
|
if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP("invalid length", plen);
|
2011-04-13 19:19:37 +08:00
|
|
|
|
2014-02-07 00:46:01 +08:00
|
|
|
if (sk->flags & SKF_TRUNCATED)
|
2004-06-06 17:37:54 +08:00
|
|
|
{
|
2014-02-07 00:46:01 +08:00
|
|
|
/* If we have dynamic buffers and received truncated message, we expand RX buffer */
|
|
|
|
|
|
|
|
uint bs = plen + 256;
|
|
|
|
bs = BIRD_ALIGN(bs, 1024);
|
|
|
|
|
|
|
|
if (!ifa->cf->rx_buffer && (bs > sk->rbsize))
|
|
|
|
sk_set_rbsize(sk, bs);
|
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP("truncated", plen);
|
2004-06-06 17:37:54 +08:00
|
|
|
}
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
if (plen > len)
|
|
|
|
DROP("length mismatch", plen);
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
|
2004-06-06 17:37:54 +08:00
|
|
|
{
|
2018-04-25 21:50:57 +08:00
|
|
|
uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
|
2014-06-26 17:58:57 +08:00
|
|
|
uint blen = plen - hlen;
|
|
|
|
void *body = ((void *) pkt) + hlen;
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
|
2018-04-25 21:50:57 +08:00
|
|
|
DROP("invalid checksum", ntohs(pkt->checksum));
|
2014-06-26 17:58:57 +08:00
|
|
|
}
|
2010-02-11 17:23:35 +08:00
|
|
|
|
2010-03-12 01:07:24 +08:00
|
|
|
/* Third, we resolve associated iface and handle vlinks. */
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
u32 areaid = ntohl(pkt->areaid);
|
|
|
|
u32 rid = ntohl(pkt->routerid);
|
|
|
|
u8 instance_id = pkt->instance_id;
|
2010-03-12 01:07:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (areaid == ifa->oa->areaid)
|
2010-03-12 01:07:24 +08:00
|
|
|
{
|
2014-06-26 17:58:57 +08:00
|
|
|
/* Matching area ID */
|
|
|
|
|
|
|
|
if (instance_id != ifa->instance_id)
|
|
|
|
return 1;
|
|
|
|
|
2010-03-12 01:07:24 +08:00
|
|
|
/* It is real iface, source should be local (in OSPFv2) */
|
2014-06-26 17:58:57 +08:00
|
|
|
if (ospf_is_v2(p) && !src_local)
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP1("strange source address");
|
2010-03-12 01:07:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
goto found;
|
2010-03-12 01:07:24 +08:00
|
|
|
}
|
2014-06-26 17:58:57 +08:00
|
|
|
else if ((areaid == 0) && !dst_mcast)
|
2004-06-06 17:37:54 +08:00
|
|
|
{
|
2014-06-26 17:58:57 +08:00
|
|
|
/* Backbone area ID and possible vlink packet */
|
|
|
|
|
|
|
|
if ((p->areano == 1) || !oa_is_ext(ifa->oa))
|
|
|
|
return 1;
|
2010-03-12 01:07:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
struct ospf_iface *iff = NULL;
|
|
|
|
WALK_LIST(iff, p->iface_list)
|
2010-02-11 17:23:35 +08:00
|
|
|
{
|
2014-07-19 23:28:38 +08:00
|
|
|
if ((iff->type == OSPF_IT_VLINK) &&
|
2010-03-12 01:07:24 +08:00
|
|
|
(iff->voa == ifa->oa) &&
|
2014-06-26 17:58:57 +08:00
|
|
|
(iff->instance_id == instance_id) &&
|
2010-03-12 01:07:24 +08:00
|
|
|
(iff->vid == rid))
|
2014-06-26 17:58:57 +08:00
|
|
|
{
|
|
|
|
/* Vlink should be UP */
|
|
|
|
if (iff->state != OSPF_IS_PTP)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
ifa = iff;
|
|
|
|
goto found;
|
|
|
|
}
|
2010-02-11 17:23:35 +08:00
|
|
|
}
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
/*
|
|
|
|
* Cannot find matching vlink. It is either misconfigured vlink; NBMA or
|
|
|
|
* PtMP with misconfigured area ID, or packet for some other instance (that
|
|
|
|
* is possible even if instance_id == ifa->instance_id, because it may be
|
|
|
|
* also vlink packet in the other instance, which is different namespace).
|
|
|
|
*/
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Non-matching area ID but cannot be vlink packet */
|
|
|
|
|
|
|
|
if (instance_id != ifa->instance_id)
|
|
|
|
return 1;
|
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP("area mismatch", areaid);
|
2004-06-06 17:37:54 +08:00
|
|
|
}
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
found:
|
2010-02-11 17:23:35 +08:00
|
|
|
if (ifa->stub) /* This shouldn't happen */
|
|
|
|
return 1;
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (ipa_equal(sk->laddr, ifa->des_routers) && (ifa->sk_dr == 0))
|
2009-08-21 15:27:52 +08:00
|
|
|
return 1;
|
|
|
|
|
2017-10-10 03:11:53 +08:00
|
|
|
/* TTL check must be done after instance dispatch */
|
|
|
|
if (ifa->check_ttl && (sk->rcv_ttl < 255))
|
|
|
|
DROP("wrong TTL", sk->rcv_ttl);
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (rid == p->router_id)
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP1("my own router ID");
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2010-03-12 01:07:24 +08:00
|
|
|
if (rid == 0)
|
2014-10-24 16:27:21 +08:00
|
|
|
DROP1("zero router ID");
|
2004-06-07 03:53:52 +08:00
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
/* In OSPFv2, neighbors are identified by either IP or Router ID, based on network type */
|
2014-06-26 17:58:57 +08:00
|
|
|
uint t = ifa->type;
|
2010-04-27 01:08:57 +08:00
|
|
|
struct ospf_neighbor *n;
|
2014-06-26 17:58:57 +08:00
|
|
|
if (ospf_is_v2(p) && ((t == OSPF_IT_BCAST) || (t == OSPF_IT_NBMA) || (t == OSPF_IT_PTMP)))
|
2010-04-27 01:08:57 +08:00
|
|
|
n = find_neigh_by_ip(ifa, sk->faddr);
|
|
|
|
else
|
|
|
|
n = find_neigh(ifa, rid);
|
2004-06-07 03:53:52 +08:00
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
if (!n && (pkt->type != HELLO_P))
|
2004-06-07 03:53:52 +08:00
|
|
|
{
|
2014-11-03 17:42:55 +08:00
|
|
|
OSPF_TRACE(D_PACKETS, "Non-HELLO packet received from unknown nbr %R on %s, src %I",
|
2014-10-24 16:27:21 +08:00
|
|
|
rid, ifa->ifname, sk->faddr);
|
2004-06-07 03:53:52 +08:00
|
|
|
return 1;
|
2004-06-06 17:37:54 +08:00
|
|
|
}
|
2003-09-14 21:41:24 +08:00
|
|
|
|
2018-04-25 21:50:57 +08:00
|
|
|
/* Check packet type here, ospf_pkt_checkauth3() expects valid values */
|
|
|
|
if (pkt->type < HELLO_P || pkt->type > LSACK_P)
|
|
|
|
DROP("invalid packet type", pkt->type);
|
|
|
|
|
2014-10-24 16:27:21 +08:00
|
|
|
/* ospf_pkt_checkauth() has its own error logging */
|
2018-04-25 21:50:57 +08:00
|
|
|
if ((ospf_is_v2(p) ?
|
|
|
|
!ospf_pkt_checkauth2(n, ifa, pkt, len) :
|
|
|
|
!ospf_pkt_checkauth3(n, ifa, pkt, len, sk->faddr)))
|
2004-06-27 04:15:34 +08:00
|
|
|
return 1;
|
|
|
|
|
2014-06-26 17:58:57 +08:00
|
|
|
switch (pkt->type)
|
2004-06-06 17:37:54 +08:00
|
|
|
{
|
|
|
|
case HELLO_P:
|
2014-06-26 17:58:57 +08:00
|
|
|
ospf_receive_hello(pkt, ifa, n, sk->faddr);
|
2004-06-06 17:37:54 +08:00
|
|
|
break;
|
2014-06-26 17:58:57 +08:00
|
|
|
|
2004-06-06 17:37:54 +08:00
|
|
|
case DBDES_P:
|
2014-06-26 17:58:57 +08:00
|
|
|
ospf_receive_dbdes(pkt, ifa, n);
|
2004-06-06 17:37:54 +08:00
|
|
|
break;
|
2014-06-26 17:58:57 +08:00
|
|
|
|
2004-06-06 17:37:54 +08:00
|
|
|
case LSREQ_P:
|
2014-06-26 17:58:57 +08:00
|
|
|
ospf_receive_lsreq(pkt, ifa, n);
|
2004-06-06 17:37:54 +08:00
|
|
|
break;
|
2014-06-26 17:58:57 +08:00
|
|
|
|
2004-06-06 17:37:54 +08:00
|
|
|
case LSUPD_P:
|
2014-06-26 17:58:57 +08:00
|
|
|
ospf_receive_lsupd(pkt, ifa, n);
|
2004-06-06 17:37:54 +08:00
|
|
|
break;
|
2014-06-26 17:58:57 +08:00
|
|
|
|
2004-06-06 17:37:54 +08:00
|
|
|
case LSACK_P:
|
2014-06-26 17:58:57 +08:00
|
|
|
ospf_receive_lsack(pkt, ifa, n);
|
2004-06-06 17:37:54 +08:00
|
|
|
break;
|
|
|
|
};
|
2004-06-07 03:53:52 +08:00
|
|
|
return 1;
|
2014-10-24 16:27:21 +08:00
|
|
|
|
|
|
|
drop:
|
|
|
|
LOG_PKT("Bad packet from %I via %s - %s (%u)",
|
|
|
|
sk->faddr, ifa->ifname, err_dsc, err_val);
|
|
|
|
|
|
|
|
return 1;
|
1999-11-17 23:50:41 +08:00
|
|
|
}
|
|
|
|
|
2014-02-07 00:46:01 +08:00
|
|
|
/*
|
1999-11-17 23:50:41 +08:00
|
|
|
void
|
2004-06-06 17:37:54 +08:00
|
|
|
ospf_tx_hook(sock * sk)
|
1999-11-17 23:50:41 +08:00
|
|
|
{
|
2012-01-22 18:03:30 +08:00
|
|
|
struct ospf_iface *ifa= (struct ospf_iface *) (sk->data);
|
2014-06-26 17:58:57 +08:00
|
|
|
// struct proto *p = (struct proto *) (ifa->oa->p);
|
2014-02-07 00:46:01 +08:00
|
|
|
log(L_ERR "OSPF: TX hook called on %s", ifa->ifname);
|
1999-11-17 23:50:41 +08:00
|
|
|
}
|
2014-02-07 00:46:01 +08:00
|
|
|
*/
|
1999-11-17 23:50:41 +08:00
|
|
|
|
|
|
|
void
|
2005-02-15 05:34:46 +08:00
|
|
|
ospf_err_hook(sock * sk, int err)
|
1999-11-17 23:50:41 +08:00
|
|
|
{
|
2018-04-25 21:50:57 +08:00
|
|
|
struct ospf_iface *ifa = (struct ospf_iface *) (sk->data);
|
2014-06-26 17:58:57 +08:00
|
|
|
struct ospf_proto *p = ifa->oa->po;
|
|
|
|
log(L_ERR "%s: Socket error on %s: %M", p->p.name, ifa->ifname, err);
|
2014-02-07 00:46:01 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ospf_verr_hook(sock *sk, int err)
|
|
|
|
{
|
2014-06-26 17:58:57 +08:00
|
|
|
struct ospf_proto *p = (struct ospf_proto *) (sk->data);
|
|
|
|
log(L_ERR "%s: Vlink socket error: %M", p->p.name, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ospf_send_to(struct ospf_iface *ifa, ip_addr dst)
|
|
|
|
{
|
|
|
|
sock *sk = ifa->sk;
|
|
|
|
struct ospf_packet *pkt = (struct ospf_packet *) sk->tbuf;
|
2016-10-28 02:58:21 +08:00
|
|
|
uint plen = ntohs(pkt->length);
|
2014-06-26 17:58:57 +08:00
|
|
|
|
|
|
|
if (ospf_is_v2(ifa->oa->po))
|
2018-04-25 21:50:57 +08:00
|
|
|
ospf_pkt_finalize2(ifa, pkt, &plen);
|
|
|
|
else
|
|
|
|
ospf_pkt_finalize3(ifa, pkt, &plen, sk->saddr);
|
2014-06-26 17:58:57 +08:00
|
|
|
|
|
|
|
int done = sk_send_to(sk, plen, dst, 0);
|
|
|
|
if (!done)
|
|
|
|
log(L_WARN "OSPF: TX queue full on %s", ifa->ifname);
|
1999-11-17 23:50:41 +08:00
|
|
|
}
|
|
|
|
|
2000-04-18 09:06:16 +08:00
|
|
|
void
|
2009-09-04 17:06:51 +08:00
|
|
|
ospf_send_to_agt(struct ospf_iface *ifa, u8 state)
|
2000-04-18 09:06:16 +08:00
|
|
|
{
|
|
|
|
struct ospf_neighbor *n;
|
|
|
|
|
2010-02-11 17:23:35 +08:00
|
|
|
WALK_LIST(n, ifa->neigh_list)
|
|
|
|
if (n->state >= state)
|
|
|
|
ospf_send_to(ifa, n->ip);
|
2003-09-14 21:41:24 +08:00
|
|
|
}
|
2000-06-06 08:08:27 +08:00
|
|
|
|
|
|
|
void
|
2009-09-04 17:06:51 +08:00
|
|
|
ospf_send_to_bdr(struct ospf_iface *ifa)
|
2000-06-06 08:08:27 +08:00
|
|
|
{
|
2015-12-24 22:52:03 +08:00
|
|
|
if (ipa_nonzero2(ifa->drip))
|
2009-09-04 17:06:51 +08:00
|
|
|
ospf_send_to(ifa, ifa->drip);
|
2015-12-24 22:52:03 +08:00
|
|
|
if (ipa_nonzero2(ifa->bdrip))
|
2009-09-04 17:06:51 +08:00
|
|
|
ospf_send_to(ifa, ifa->bdrip);
|
2000-06-06 08:08:27 +08:00
|
|
|
}
|