0
0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-11-14 15:18:44 +00:00
bird/proto/ospf/packet.c
Ondrej Zajicek (work) dc8d9dec4a OSPF: Skip out-of-state packets earlier
Sometimes multicast OSPF packet is received when neighbor adjacency is
not established. Such packet should be ignored earlier in packet
processing as otherwise it causes strange error messages when OSPFv3
authentication is enabled.
2020-08-12 19:42:44 +02:00

685 lines
18 KiB
C

/*
* BIRD -- OSPF
*
* (c) 1999--2005 Ondrej Filip <feela@network.cz>
* (c) 2009--2014 Ondrej Zajicek <santiago@crfreenet.org>
* (c) 2009--2014 CZ.NIC z.s.p.o.
*
* Can be freely distributed and used under the terms of the GNU GPL.
*/
#include "ospf.h"
#include "nest/password.h"
#include "lib/md5.h"
#include "lib/mac.h"
#include "lib/socket.h"
const char * const ospf_pkt_names[] = {
[HELLO_P] = "HELLO",
[DBDES_P] = "DBDES",
[LSREQ_P] = "LSREQ",
[LSUPD_P] = "LSUPD",
[LSACK_P] = "LSACK",
};
void
ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type)
{
struct ospf_proto *p = ifa->oa->po;
struct ospf_packet *pkt;
pkt = (struct ospf_packet *) buf;
pkt->version = ospf_get_version(p);
pkt->type = h_type;
pkt->length = htons(ospf_pkt_maxsize(ifa));
pkt->routerid = htonl(p->router_id);
pkt->areaid = htonl(ifa->oa->areaid);
pkt->checksum = 0;
pkt->instance_id = ifa->instance_id;
pkt->autype = ospf_is_v2(p) ? ifa->autype : 0;
}
/* We assume OSPFv2 in ospf_pkt_finalize() */
static void
ospf_pkt_finalize2(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen)
{
struct ospf_proto *p = ifa->oa->po;
struct password_item *pass = NULL;
union ospf_auth2 *auth = (void *) (pkt + 1);
memset(auth, 0, sizeof(union ospf_auth2));
/* Compatibility note: auth may contain anything if autype is
none, but nonzero values do not work with Mikrotik OSPF */
pkt->checksum = 0;
pkt->autype = ifa->autype;
switch (ifa->autype)
{
case OSPF_AUTH_SIMPLE:
pass = password_find(ifa->passwords, 1);
if (!pass)
{
log(L_ERR "No suitable password found for authentication");
return;
}
strncpy(auth->password, pass->password, sizeof(auth->password));
/* fallthrough */
case OSPF_AUTH_NONE:
{
void *body = (void *) (auth + 1);
uint blen = *plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth2);
pkt->checksum = ipsum_calculate(pkt, sizeof(struct ospf_packet), body, blen, NULL);
}
break;
case OSPF_AUTH_CRYPT:
pass = password_find(ifa->passwords, 0);
if (!pass)
{
log(L_ERR "%s: No suitable password found for authentication", p->p.name);
return;
}
/* Perhaps use random value to prevent replay attacks after
reboot when system does not have independent RTC? */
if (!ifa->csn)
{
ifa->csn = (u32) (current_real_time() TO_S);
ifa->csn_use = current_time();
}
/* We must have sufficient delay between sending a packet and increasing
CSN to prevent reordering of packets (in a network) with different CSNs */
if ((current_time() - ifa->csn_use) > 1 S)
ifa->csn++;
ifa->csn_use = current_time();
uint auth_len = mac_type_length(pass->alg);
byte *auth_tail = ((byte *) pkt + *plen);
*plen += auth_len;
ASSERT(*plen < ifa->sk->tbsize);
auth->c32.zero = 0;
auth->c32.keyid = pass->id;
auth->c32.len = auth_len;
auth->c32.csn = htonl(ifa->csn);
/* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
if (pass->alg < ALG_HMAC)
strncpy(auth_tail, pass->password, auth_len);
else
memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
mac_fill(pass->alg, pass->password, pass->length, (byte *) pkt, *plen, auth_tail);
break;
default:
bug("Unknown authentication type");
}
}
/*
* Return an extra packet size that should be added to a final packet size
*/
static void
ospf_pkt_finalize3(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen, ip_addr src)
{
struct ospf_proto *p = ifa->oa->po;
struct ospf_auth3 *auth = (void *) ((byte *) pkt + *plen);
pkt->checksum = 0;
pkt->autype = 0;
if (ifa->autype != OSPF_AUTH_CRYPT)
return;
struct password_item *pass = password_find(ifa->passwords, 0);
if (!pass)
{
log(L_ERR "%s: No suitable password found for authentication", p->p.name);
return;
}
/* FIXME: Ensure persistence */
p->csn64++;
uint mac_len = mac_type_length(pass->alg);
uint auth_len = sizeof(struct ospf_auth3) + mac_len;
*plen += auth_len;
ASSERT(*plen < ifa->sk->tbsize);
memset(auth, 0, sizeof(struct ospf_auth3));
auth->type = htons(OSPF3_AUTH_HMAC);
auth->length = htons(auth_len);
auth->reserved = 0;
auth->sa_id = htons(pass->id);
put_u64(&auth->csn, p->csn64);
/* Initialize with src IP address padded with HMAC_MAGIC */
put_ip6(auth->data, ipa_to_ip6(src));
memset32(auth->data + 16, HMAC_MAGIC, (mac_len - 16) / 4);
/* Attach OSPFv3 Cryptographic Protocol ID to the key */
uint pass_len = pass->length + 2;
byte *pass_key = alloca(pass_len);
memcpy(pass_key, pass->password, pass->length);
put_u16(pass_key + pass->length, OSPF3_CRYPTO_ID);
mac_fill(pass->alg, pass_key, pass_len, (byte *) pkt, *plen, auth->data);
}
static int
ospf_pkt_checkauth2(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len)
{
struct ospf_proto *p = ifa->oa->po;
union ospf_auth2 *auth = (void *) (pkt + 1);
struct password_item *pass = NULL;
const char *err_dsc = NULL;
uint err_val = 0;
uint plen = ntohs(pkt->length);
u8 autype = pkt->autype;
if (autype != ifa->autype)
DROP("authentication method mismatch", autype);
switch (autype)
{
case OSPF_AUTH_NONE:
return 1;
case OSPF_AUTH_SIMPLE:
pass = password_find(ifa->passwords, 1);
if (!pass)
DROP1("no password found");
if (!password_verify(pass, auth->password, sizeof(auth->password)))
DROP("wrong password", pass->id);
return 1;
case OSPF_AUTH_CRYPT:
pass = password_find_by_id(ifa->passwords, auth->c32.keyid);
if (!pass)
DROP("no suitable password found", auth->c32.keyid);
uint auth_len = mac_type_length(pass->alg);
if (plen + auth->c32.len > len)
DROP("packet length mismatch", len);
if (auth->c32.len != auth_len)
DROP("wrong authentication length", auth->c32.len);
u32 rcv_csn = ntohl(auth->c32.csn);
if (n && (rcv_csn < n->csn))
// DROP("lower sequence number", rcv_csn);
{
/* We want to report both new and old CSN */
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - "
"lower sequence number (rcv %u, old %u)",
n->rid, ifa->ifname, rcv_csn, n->csn);
return 0;
}
byte *auth_tail = ((byte *) pkt) + plen;
byte *auth_data = alloca(auth_len);
memcpy(auth_data, auth_tail, auth_len);
/* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
if (pass->alg < ALG_HMAC)
strncpy(auth_tail, pass->password, auth_len);
else
memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
if (!mac_verify(pass->alg, pass->password, pass->length,
(byte *) pkt, plen + auth_len, auth_data))
DROP("wrong authentication code", pass->id);
if (n)
n->csn = rcv_csn;
return 1;
default:
bug("Unknown authentication type");
}
drop:
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - %s (%u)",
(n ? n->rid : ntohl(pkt->routerid)), ifa->ifname, err_dsc, err_val);
return 0;
}
static int
ospf_pkt_checkauth3(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len, ip_addr src)
{
struct ospf_proto *p = ifa->oa->po;
const char *err_dsc = NULL;
uint err_val = 0;
uint plen = ntohs(pkt->length);
uint opts, lls_present, auth_present;
/*
* When autentication is not enabled, ignore the trailer. This is different
* from OSPFv2, but it is necessary in order to support migration modes. Note
* that regular authenticated packets do not have valid checksum and will be
* dropped by OS on non-authenticated ifaces.
*/
if (ifa->autype != OSPF_AUTH_CRYPT)
return 1;
switch(pkt->type)
{
case HELLO_P:
opts = ospf_hello3_options(pkt);
lls_present = opts & OPT_L_V3;
auth_present = opts & OPT_AT;
break;
case DBDES_P:
opts = ospf_dbdes3_options(pkt);
lls_present = opts & OPT_L_V3;
auth_present = opts & OPT_AT;
break;
default:
lls_present = 0;
auth_present = n->options & OPT_AT;
}
if (!auth_present)
DROP1("missing authentication trailer");
if (lls_present)
{
if ((plen + sizeof(struct ospf_lls)) > len)
DROP("packet length mismatch", len);
struct ospf_lls *lls = (void *) ((byte *) pkt + plen);
plen += ntohs(lls->length);
}
if ((plen + sizeof(struct ospf_auth3)) > len)
DROP("packet length mismatch", len);
struct ospf_auth3 *auth = (void *) ((byte *) pkt + plen);
uint rcv_auth_type = ntohs(auth->type);
if (rcv_auth_type != OSPF3_AUTH_HMAC)
DROP("authentication method mismatch", rcv_auth_type);
uint rcv_auth_len = ntohs(auth->length);
if (plen + rcv_auth_len > len)
DROP("packet length mismatch", len);
uint rcv_key_id = ntohs(auth->sa_id);
struct password_item *pass = password_find_by_id(ifa->passwords, rcv_key_id);
if (!pass)
DROP("no suitable password found", rcv_key_id);
uint mac_len = mac_type_length(pass->alg);
if (rcv_auth_len != (sizeof(struct ospf_auth3) + mac_len))
DROP("wrong authentication length", rcv_auth_len);
uint pt = pkt->type - 1;
u64 rcv_csn = get_u64(&auth->csn);
if (n && (rcv_csn <= n->csn64[pt]))
{
/* We want to report both new and old CSN */
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - "
"lower sequence number (rcv %u, old %u)",
n->rid, ifa->ifname, (uint) rcv_csn, (uint) n->csn64[pt]);
return 0;
}
/* Save the received authentication data */
byte *auth_data = alloca(mac_len);
memcpy(auth_data, auth->data, mac_len);
/* Initialize with src IP address padded with HMAC_MAGIC */
put_ip6(auth->data, ipa_to_ip6(src));
memset32(auth->data + 16, HMAC_MAGIC, (mac_len - 16) / 4);
/* Attach OSPFv3 Cryptographic Protocol ID to the key */
uint pass_len = pass->length + 2;
byte *pass_key = alloca(pass_len);
memcpy(pass_key, pass->password, pass->length);
put_u16(pass_key + pass->length, OSPF3_CRYPTO_ID);
if (!mac_verify(pass->alg, pass_key, pass_len,
(byte *) pkt, plen + rcv_auth_len, auth_data))
DROP("wrong authentication code", pass->id);
if (n)
n->csn64[pt] = rcv_csn;
return 1;
drop:
LOG_PKT_AUTH("Authentication failed for nbr %R on %s - %s (%u)",
(n ? n->rid : ntohl(pkt->routerid)), ifa->ifname, err_dsc, err_val);
return 0;
}
/**
* ospf_rx_hook
* @sk: socket we received the packet.
* @len: length of the packet
*
* This is the entry point for messages from neighbors. Many checks (like
* authentication, checksums, size) are done before the packet is passed to
* non generic functions.
*/
int
ospf_rx_hook(sock *sk, uint len)
{
/* We want just packets from sk->iface. Unfortunately, on BSD we cannot filter
out other packets at kernel level and we receive all packets on all sockets */
if (sk->lifindex != sk->iface->index)
return 1;
DBG("OSPF: RX hook called (iface %s, src %I, dst %I)\n",
sk->iface->name, sk->faddr, sk->laddr);
/* Initially, the packet is associated with the 'master' iface */
struct ospf_iface *ifa = sk->data;
struct ospf_proto *p = ifa->oa->po;
const char *err_dsc = NULL;
uint err_val = 0;
/* Should not happen */
if (ifa->state <= OSPF_IS_LOOP)
return 1;
int src_local, dst_local, dst_mcast;
src_local = ipa_in_netX(sk->faddr, &ifa->addr->prefix);
dst_local = ipa_equal(sk->laddr, ifa->addr->ip);
dst_mcast = ipa_equal(sk->laddr, ifa->all_routers) || ipa_equal(sk->laddr, ifa->des_routers);
if (ospf_is_v2(p))
{
/* First, we eliminate packets with strange address combinations.
* In OSPFv2, they might be for other ospf_ifaces (with different IP
* prefix) on the same real iface, so we don't log it. We enforce
* that (src_local || dst_local), therefore we are eliminating all
* such cases.
*/
if (dst_mcast && !src_local)
return 1;
if (!dst_mcast && !dst_local)
return 1;
/* Ignore my own broadcast packets */
if (ifa->cf->real_bcast && ipa_equal(sk->faddr, ifa->addr->ip))
return 1;
}
else
{
/* In OSPFv3, src_local and dst_local mean link-local.
* RFC 5340 says that local (non-vlink) packets use
* link-local src address, but does not enforce it. Strange.
*/
if (dst_mcast && !src_local)
LOG_PKT_WARN("Multicast packet received from non-link-local %I via %s",
sk->faddr, ifa->ifname);
}
/* Second, we check packet length, checksum, and the protocol version */
struct ospf_packet *pkt = (void *) sk_rx_buffer(sk, &len);
if (pkt == NULL)
DROP("bad IP header", len);
if (len < sizeof(struct ospf_packet))
DROP("too short", len);
if (pkt->version != ospf_get_version(p))
DROP("version mismatch", pkt->version);
uint plen = ntohs(pkt->length);
uint hlen = sizeof(struct ospf_packet) + (ospf_is_v2(p) ? sizeof(union ospf_auth2) : 0);
if ((plen < hlen) || ((plen % 4) != 0))
DROP("invalid length", plen);
if (sk->flags & SKF_TRUNCATED)
{
/* If we have dynamic buffers and received truncated message, we expand RX buffer */
uint bs = plen + 256;
bs = BIRD_ALIGN(bs, 1024);
if (!ifa->cf->rx_buffer && (bs > sk->rbsize))
sk_set_rbsize(sk, bs);
DROP("truncated", plen);
}
if (plen > len)
DROP("length mismatch", plen);
if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
{
void *body = ((void *) pkt) + hlen;
uint blen = plen - hlen;
if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
DROP("invalid checksum", ntohs(pkt->checksum));
}
/* Third, we resolve associated iface and handle vlinks. */
u32 areaid = ntohl(pkt->areaid);
u32 rid = ntohl(pkt->routerid);
u8 instance_id = pkt->instance_id;
if (areaid == ifa->oa->areaid)
{
/* Matching area ID */
if (instance_id != ifa->instance_id)
return 1;
/* It is real iface, source should be local (in OSPFv2) */
if (ospf_is_v2(p) && !src_local)
DROP1("strange source address");
goto found;
}
else if ((areaid == 0) && !dst_mcast)
{
/* Backbone area ID and possible vlink packet */
if ((p->areano == 1) || !oa_is_ext(ifa->oa))
return 1;
struct ospf_iface *iff = NULL;
WALK_LIST(iff, p->iface_list)
{
if ((iff->type == OSPF_IT_VLINK) &&
(iff->voa == ifa->oa) &&
(iff->instance_id == instance_id) &&
(iff->vid == rid))
{
/* Vlink should be UP */
if (iff->state != OSPF_IS_PTP)
return 1;
ifa = iff;
goto found;
}
}
/*
* Cannot find matching vlink. It is either misconfigured vlink; NBMA or
* PtMP with misconfigured area ID, or packet for some other instance (that
* is possible even if instance_id == ifa->instance_id, because it may be
* also vlink packet in the other instance, which is different namespace).
*/
return 1;
}
else
{
/* Non-matching area ID but cannot be vlink packet */
if (instance_id != ifa->instance_id)
return 1;
DROP("area mismatch", areaid);
}
found:
if (ifa->stub) /* This shouldn't happen */
return 1;
if (ipa_equal(sk->laddr, ifa->des_routers) && (ifa->sk_dr == 0))
return 1;
/* TTL check must be done after instance dispatch */
if (ifa->check_ttl && (sk->rcv_ttl < 255))
DROP("wrong TTL", sk->rcv_ttl);
if (rid == p->router_id)
DROP1("my own router ID");
if (rid == 0)
DROP1("zero router ID");
/* Check packet type here, ospf_pkt_checkauth3() expects valid values */
if (pkt->type < HELLO_P || pkt->type > LSACK_P)
DROP("invalid packet type", pkt->type);
/* In OSPFv2, neighbors are identified by either IP or Router ID, based on network type */
uint t = ifa->type;
struct ospf_neighbor *n;
if (ospf_is_v2(p) && ((t == OSPF_IT_BCAST) || (t == OSPF_IT_NBMA) || (t == OSPF_IT_PTMP)))
n = find_neigh_by_ip(ifa, sk->faddr);
else
n = find_neigh(ifa, rid);
if (!n && (pkt->type != HELLO_P))
{
OSPF_TRACE(D_PACKETS, "Non-HELLO packet received from unknown nbr %R on %s, src %I",
rid, ifa->ifname, sk->faddr);
return 1;
}
/* We need to ignore out-of-state packets before ospf_pkt_checkauth3() */
if ((pkt->type > DBDES_P) && (n->state < NEIGHBOR_EXCHANGE))
{
OSPF_TRACE(D_PACKETS, "%s packet ignored - lesser state than Exchange",
ospf_pkt_names[pkt->type]);
return 1;
}
/* ospf_pkt_checkauthX() has its own error logging */
if ((ospf_is_v2(p) ?
!ospf_pkt_checkauth2(n, ifa, pkt, len) :
!ospf_pkt_checkauth3(n, ifa, pkt, len, sk->faddr)))
return 1;
switch (pkt->type)
{
case HELLO_P:
ospf_receive_hello(pkt, ifa, n, sk->faddr);
break;
case DBDES_P:
ospf_receive_dbdes(pkt, ifa, n);
break;
case LSREQ_P:
ospf_receive_lsreq(pkt, ifa, n);
break;
case LSUPD_P:
ospf_receive_lsupd(pkt, ifa, n);
break;
case LSACK_P:
ospf_receive_lsack(pkt, ifa, n);
break;
};
return 1;
drop:
LOG_PKT("Bad packet from %I via %s - %s (%u)",
sk->faddr, ifa->ifname, err_dsc, err_val);
return 1;
}
/*
void
ospf_tx_hook(sock * sk)
{
struct ospf_iface *ifa= (struct ospf_iface *) (sk->data);
// struct proto *p = (struct proto *) (ifa->oa->p);
log(L_ERR "OSPF: TX hook called on %s", ifa->ifname);
}
*/
void
ospf_err_hook(sock * sk, int err)
{
struct ospf_iface *ifa = (struct ospf_iface *) (sk->data);
struct ospf_proto *p = ifa->oa->po;
log(L_ERR "%s: Socket error on %s: %M", p->p.name, ifa->ifname, err);
}
void
ospf_verr_hook(sock *sk, int err)
{
struct ospf_proto *p = (struct ospf_proto *) (sk->data);
log(L_ERR "%s: Vlink socket error: %M", p->p.name, err);
}
void
ospf_send_to(struct ospf_iface *ifa, ip_addr dst)
{
sock *sk = ifa->sk;
struct ospf_packet *pkt = (struct ospf_packet *) sk->tbuf;
uint plen = ntohs(pkt->length);
if (ospf_is_v2(ifa->oa->po))
ospf_pkt_finalize2(ifa, pkt, &plen);
else
ospf_pkt_finalize3(ifa, pkt, &plen, sk->saddr);
int done = sk_send_to(sk, plen, dst, 0);
if (!done)
log(L_WARN "OSPF: TX queue full on %s", ifa->ifname);
}
void
ospf_send_to_agt(struct ospf_iface *ifa, u8 state)
{
struct ospf_neighbor *n;
WALK_LIST(n, ifa->neigh_list)
if (n->state >= state)
ospf_send_to(ifa, n->ip);
}
void
ospf_send_to_bdr(struct ospf_iface *ifa)
{
if (ipa_nonzero2(ifa->drip))
ospf_send_to(ifa, ifa->drip);
if (ipa_nonzero2(ifa->bdrip))
ospf_send_to(ifa, ifa->bdrip);
}