Obvious bugs in authentication fixed.
This commit is contained in:
parent
7db7b7db60
commit
ac40c888c2
@ -49,8 +49,8 @@ int i;
|
|||||||
callme ( 7, 2, );
|
callme ( 7, 2, );
|
||||||
|
|
||||||
print "done";
|
print "done";
|
||||||
quitbird;
|
# quitbird;
|
||||||
print "*** FAIL: this is unreachable";
|
# print "*** FAIL: this is unreachable";
|
||||||
}
|
}
|
||||||
|
|
||||||
filter testf
|
filter testf
|
||||||
@ -67,12 +67,13 @@ protocol rip MyRIP_test {
|
|||||||
port 1520;
|
port 1520;
|
||||||
period 5;
|
period 5;
|
||||||
garbagetime 30;
|
garbagetime 30;
|
||||||
interface "*";
|
interface "*" { mode broadcast; };
|
||||||
export filter testf;
|
export filter testf;
|
||||||
honour neighbour;
|
honour neighbour;
|
||||||
passwords { password "ahoj" from 0 to 10;
|
passwords { password "ahoj" from 0 to 10;
|
||||||
password "nazdar" from 10 to 20;
|
password "nazdar" from 10;
|
||||||
}
|
}
|
||||||
|
authentication md5;
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol device {
|
protocol device {
|
||||||
|
@ -159,7 +159,7 @@ password_begin:
|
|||||||
last_password_item = cfg_alloc(sizeof (struct password_item));
|
last_password_item = cfg_alloc(sizeof (struct password_item));
|
||||||
last_password_item->password = $2;
|
last_password_item->password = $2;
|
||||||
last_password_item->from = 0;
|
last_password_item->from = 0;
|
||||||
last_password_item->to = ~0;
|
last_password_item->to = 2000000000;
|
||||||
last_password_item->id = 0;
|
last_password_item->id = 0;
|
||||||
last_password_item->next = NULL;
|
last_password_item->next = NULL;
|
||||||
$$=last_password_item;
|
$$=last_password_item;
|
||||||
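Review bot: The new default `last_password_item->to = 2000000000;` is a magic number that silently turns into an expiry date: if `to` is compared against epoch seconds (the `head->to < now` test in the auth hunk suggests so, but the type of `now` is not visible here), every password configured without an explicit `to` stops validating in May 2033. Presumably `~0` was replaced because `to` is signed and `~0` compares below `now`, which would have expired every password; that reasoning should be recorded. Replace the literal with a named constant and a comment, e.g. `#define PASSWORD_NO_EXPIRY 2000000000 /* ~0 is -1 when compared signed; revisit before 2033 */`, and use it here and anywhere the config parser defaults `to`.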
@ -177,8 +177,8 @@ password_items:
|
|||||||
password_list:
|
password_list:
|
||||||
/* empty */ { $$ = NULL; }
|
/* empty */ { $$ = NULL; }
|
||||||
| password_begin password_items ';' password_list {
|
| password_begin password_items ';' password_list {
|
||||||
last_password_item->next = $4;
|
$1->next = $4;
|
||||||
$$ = last_password_item;
|
$$ = $1;
|
||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
|
||||||
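Review bot: `$1->next = $4; $$ = $1;` correctly threads the list through the value produced by `password_begin` instead of the global that the recursive `password_list` overwrote, but `password_begin` (previous hunk) still publishes the same item via `last_password_item`, presumably so that `password_items` can fill in `from`/`to`/`id`. A comment on `password_list` such as `/* last_password_item is only valid while password_items is being reduced; the list itself must be linked through $1, not the global */` would keep the original bug from being reintroduced. The `password_items` rule is outside the hunk, so whether it is the only remaining user of the global cannot be confirmed here.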
|
@ -35,6 +35,7 @@ get_best_password(struct password_item *head, int flags)
|
|||||||
good = cur;
|
good = cur;
|
||||||
best = head;
|
best = head;
|
||||||
}
|
}
|
||||||
|
head=head->next;
|
||||||
}
|
}
|
||||||
return best;
|
return best;
|
||||||
}
|
}
|
||||||
|
@ -61,8 +61,10 @@ rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, stru
|
|||||||
head = P_CF->passwords;
|
head = P_CF->passwords;
|
||||||
while (head) {
|
while (head) {
|
||||||
/* FIXME: should check serial numbers, somehow */
|
/* FIXME: should check serial numbers, somehow */
|
||||||
|
DBG( "time, " );
|
||||||
if ((head->from > now) || (head->to < now))
|
if ((head->from > now) || (head->to < now))
|
||||||
continue;
|
goto skip;
|
||||||
|
DBG( "check, " );
|
||||||
if (head->id == block->keyid) {
|
if (head->id == block->keyid) {
|
||||||
struct MD5Context ctxt;
|
struct MD5Context ctxt;
|
||||||
char md5sum_packet[16];
|
char md5sum_packet[16];
|
||||||
@ -77,7 +79,9 @@ rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, stru
|
|||||||
|
|
||||||
if (memcmp(md5sum_packet, md5sum_computed, 16))
|
if (memcmp(md5sum_packet, md5sum_computed, 16))
|
||||||
return 1;
|
return 1;
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
skip:
|
||||||
head = head->next;
|
head = head->next;
|
||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
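Review bot: `if (memcmp(md5sum_packet, md5sum_computed, 16)) return 1;` ends the search on the first password whose `id` matches, so a second password with the same id and an overlapping validity window (the sample config in this commit has adjacent windows at second 10) is never tried; either use `goto skip;` on a mismatch so the remaining candidates are checked, or document that key ids must be unique within any instant. The `FIXME: should check serial numbers` above remains the larger gap: until sequence numbers are verified, a captured authenticated packet can be replayed for as long as its password stays valid, so the comment should state that explicitly rather than "somehow". The function's signature and the computation of `md5sum_computed` are outside the hunk.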
|
@ -60,6 +60,7 @@ rip_tx( sock *s )
|
|||||||
struct rip_packet *packet = (void *) s->tbuf;
|
struct rip_packet *packet = (void *) s->tbuf;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
|
DBG( "Sending to %I\n", s->daddr );
|
||||||
do {
|
do {
|
||||||
|
|
||||||
if (c->done) {
|
if (c->done) {
|
||||||
@ -285,7 +286,11 @@ rip_process_packet( struct proto *p, struct rip_packet *packet, int num, ip_addr
|
|||||||
|
|
||||||
if (!neigh_find( p, &whotoldme, 0 )) {
|
if (!neigh_find( p, &whotoldme, 0 )) {
|
||||||
log( L_ERR "%I send me routing info but he is not my neighbour", whotoldme );
|
log( L_ERR "%I send me routing info but he is not my neighbour", whotoldme );
|
||||||
|
#if 0
|
||||||
return 0;
|
return 0;
|
||||||
|
#else
|
||||||
|
log( L_ERR "...ignoring" );
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i=0; i<num; i++) {
|
for (i=0; i<num; i++) {
|
||||||
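Review bot: The `#else` branch logs `"...ignoring"` but nothing is ignored: with `return 0;` compiled out under `#if 0`, control falls through to `for (i=0; i<num; i++)` at the end of the hunk and the routing information from a sender that is not a known neighbour is processed. For an unauthenticated RIP instance the neighbour check is the only validation of the packet's source, so this disables it entirely. If the intent is to debug neighbour detection, make the message honest, e.g. `log( L_ERR "...processing anyway (neighbour check disabled)" );`; otherwise restore the `return 0;`. The start of rip_process_packet and the origin of `whotoldme` are outside the hunk.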
@ -294,7 +299,8 @@ rip_process_packet( struct proto *p, struct rip_packet *packet, int num, ip_addr
|
|||||||
if (!i) {
|
if (!i) {
|
||||||
if (rip_incoming_authentication(p, (void *) block, packet, num))
|
if (rip_incoming_authentication(p, (void *) block, packet, num))
|
||||||
BAD( "Authentication failed" );
|
BAD( "Authentication failed" );
|
||||||
} else BAD( "Authentication is not the first!" );
|
}
|
||||||
|
/* FIXME: Need to reject packets which have no authentication */
|
||||||
ipa_ntoh( block->network );
|
ipa_ntoh( block->network );
|
||||||
ipa_ntoh( block->netmask );
|
ipa_ntoh( block->netmask );
|
||||||
ipa_ntoh( block->nexthop );
|
ipa_ntoh( block->nexthop );
|
||||||
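Review bot: Removing `} else BAD( "Authentication is not the first!" );` leaves an authentication block at position i > 0 unhandled: nothing in the hunk rejects it, so it appears to fall through to `ipa_ntoh( block->network )` and be treated as a route entry, and the new FIXME records that a packet with no authentication block at all is also accepted. Together these mean a configured `authentication md5;` is enforced only when the sender chooses to place an auth block first. Keep the rejection for misplaced auth blocks, and track a per-packet flag set when block 0 authenticates and checked against the configured authentication mode before the first route is applied. The enclosing loop and any outer test on the block's family are outside the hunk, so whether a `continue` already skips auth blocks cannot be confirmed here.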
@ -500,8 +506,10 @@ new_iface(struct proto *p, struct iface *new, unsigned long flags, struct iface_
|
|||||||
|
|
||||||
if (flags & IF_BROADCAST)
|
if (flags & IF_BROADCAST)
|
||||||
rif->sock->daddr = new->addr->brd;
|
rif->sock->daddr = new->addr->brd;
|
||||||
if (flags & IF_UNNUMBERED) /* Hmm, rip is not defined over unnumbered links */
|
if (flags & IF_UNNUMBERED) {
|
||||||
rif->sock->daddr = new->addr->opposite;
|
rif->sock->daddr = new->addr->opposite;
|
||||||
|
log( L_WARN "RIP/%s: rip is not defined over unnumbered links\n", P_NAME );
|
||||||
|
}
|
||||||
if (want_multicast) {
|
if (want_multicast) {
|
||||||
rif->sock->daddr = ipa_from_u32(0xe0000009);
|
rif->sock->daddr = ipa_from_u32(0xe0000009);
|
||||||
rif->sock->saddr = ipa_from_u32(0xe0000009);
|
rif->sock->saddr = ipa_from_u32(0xe0000009);
|
||||||
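Review bot: The new warning `log( L_WARN "RIP/%s: rip is not defined over unnumbered links\n", P_NAME );` ends with `\n`, while the other `log()` calls in this commit (the `L_ERR` at the neighbour check and the `L_DEBUG` at the end of new_iface) do not; if `log()` appends its own terminator this prints a blank line, so drop the `\n`. The block also still assigns `rif->sock->daddr = new->addr->opposite;` immediately before warning that RIP is undefined on such links; a one-line comment stating whether this is a deliberate best-effort fallback would help the next reader. The head of new_iface, including where `rif->sock` is created, is outside the hunk.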
@ -516,7 +524,7 @@ new_iface(struct proto *p, struct iface *new, unsigned long flags, struct iface_
|
|||||||
/* Don't try to transmit into this one? Well, why not? This should not happen, anyway :-) */
|
/* Don't try to transmit into this one? Well, why not? This should not happen, anyway :-) */
|
||||||
}
|
}
|
||||||
|
|
||||||
log( L_DEBUG "RIP/%s: listening on %s, port %d, mode %s", P_NAME, rif->iface ? rif->iface->name : "(dummy)", P_CF->port, want_multicast ? "multicast" : "broadcast" );
|
log( L_DEBUG "RIP/%s: listening on %s, port %d, mode %s (%I)", P_NAME, rif->iface ? rif->iface->name : "(dummy)", P_CF->port, want_multicast ? "multicast" : "broadcast", rif->sock->daddr );
|
||||||
|
|
||||||
return rif;
|
return rif;
|
||||||
}
|
}
|
||||||
|