nhrpd: fix passphrase handling, add topotest for resolution request #17115

wants to merge 2 commits into
base: master
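--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -1169,22 +1169,55 @@ static bool nhrp_connection_authorized(struct nhrp_packet_parser *pp)
 struct nhrp_extension_header *ext;
 struct zbuf *extensions, pl;
 int cmp = 1;
+int pl_pass_length, auth_pass_length;
+size_t auth_size, pl_size;
 
 extensions = zbuf_alloc(zbuf_used(&pp->extensions));
 zbuf_copy_peek(extensions, &pp->extensions, zbuf_used(&pp->extensions));
 while ((ext = nhrp_ext_pull(extensions, &pl)) != NULL) {
 switch (htons(ext->type) & ~NHRP_EXTENSION_FLAG_COMPULSORY) {
 case NHRP_EXTENSION_AUTHENTICATION:
-cmp = memcmp(auth->buf, pl.buf, zbuf_size(auth));
+/* Size of authentication extensions
+* (varies based on password length)
+*/
+auth_size = zbuf_size(auth);
+pl_size = zbuf_size(&pl);
 auth_ext = (struct nhrp_cisco_authentication_extension *)
 auth->buf;
-debugf(NHRP_DEBUG_COMMON,
-"Processing Authentication Extension for (%s:%s|%d)",
-auth_ext->secret,
-((struct nhrp_cisco_authentication_extension *)
-pl.buf)
-->secret,
-cmp);
+
+if (auth_size == pl_size)
+cmp = memcmp(auth_ext, pl.buf, auth_size);
+else
+cmp = 1;
+
+if (unlikely(debug_flags & NHRP_DEBUG_COMMON)) {
+/* 4 bytes in nhrp_cisco_authentication_extension are allocated
+* toward the authentication type. The remaining bytes are used for the
+* password - so the password length is just the length of the extension - 4
+*/
+auth_pass_length = (auth_size - 4);
+pl_pass_length = (pl_size - 4);
+/* Because characters are to be printed in HEX, (2* the max pass length) + 1
+* is needed for the string representation
+*/
+char auth_pass[(2 * NHRP_CISCO_PASS_LEN) + 1] = { 0 },
+pl_pass[(2 * NHRP_CISCO_PASS_LEN) + 1] = { 0 };
+/* Converting bytes in buffer to HEX and saving output as a string -
+* Passphrase is converted to HEX in order to avoid printing
+* non ACII-compliant characters
+*/
+for (int i = 0; i < (auth_pass_length); i++)
+snprintf(auth_pass + (i * 2), 3, "%02X",
+auth_ext->secret[i]);
+for (int i = 0; i < (pl_pass_length); i++)
+snprintf(pl_pass + (i * 2), 3, "%02X",
+((struct nhrp_cisco_authentication_extension *)pl.buf)
+->secret[i]);
+
+debugf(NHRP_DEBUG_COMMON,
+"Processing Authentication Extension for (%s:%s|%d)",
+auth_pass, pl_pass, cmp);
+}
 break;
 default:
 /* Ignoring all received extensions except Authentication*/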
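Review bot: The bound of the second hex-dump loop, `pl_pass_length = (pl_size - 4)`, is taken unclamped from the length of the authentication extension in the received packet, while `pl_pass` is a fixed stack array of `(2 * NHRP_CISCO_PASS_LEN) + 1` bytes, so a peer extension longer than 4 + NHRP_CISCO_PASS_LEN bytes writes past it whenever NHRP_DEBUG_COMMON is enabled (the debug block runs even after the `auth_size == pl_size` check has already rejected the packet), and a `pl_size` below 4 underflows the size_t subtraction before it is narrowed to int. Clamp both lengths to the range 0..NHRP_CISCO_PASS_LEN before the loops, as below; the same clamp covers `auth_pass`, whose length appears to be bounded only by the vty-side check. If `secret` is a plain `char` array (its declaration is not in the hunk), the `%02X` arguments should also be cast to `unsigned char`, otherwise bytes above 0x7F are sign-extended and show up as `FF` after the 3-byte snprintf truncation. nhrp_connection_authorized starts and ends outside this hunk.
```c
if (unlikely(debug_flags & NHRP_DEBUG_COMMON)) {
	/* pl_size comes from the peer's packet: clamp to the 4-byte type
	 * header + NHRP_CISCO_PASS_LEN the hex buffers below are sized for,
	 * and guard the size_t subtraction against lengths below 4. */
	auth_pass_length = auth_size > 4 ? (int)(auth_size - 4) : 0;
	pl_pass_length = pl_size > 4 ? (int)(pl_size - 4) : 0;
	if (auth_pass_length > NHRP_CISCO_PASS_LEN)
		auth_pass_length = NHRP_CISCO_PASS_LEN;
	if (pl_pass_length > NHRP_CISCO_PASS_LEN)
		pl_pass_length = NHRP_CISCO_PASS_LEN;
	/* … unchanged: auth_pass/pl_pass declarations, hex loops and debugf … */
}
```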
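--- a/nhrpd/nhrp_protocol.h
+++ b/nhrpd/nhrp_protocol.h
@@ -73,6 +73,7 @@
 
 /* NHRP Authentication extension types (ala Cisco) */
 #define NHRP_AUTHENTICATION_PLAINTEXT 0x00000001
+#define NHRP_CISCO_PASS_LEN 8
 
 /* NHRP Packet Structures */
 struct nhrp_packet_header {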
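--- a/nhrpd/nhrp_vty.c
+++ b/nhrpd/nhrp_vty.c
@@ -467,7 +467,6 @@ DEFUN(if_no_nhrp_holdtime, if_no_nhrp_holdtime_cmd,
 return CMD_SUCCESS;
 }
 
-#define NHRP_CISCO_PASS_LEN 8
 DEFPY(if_nhrp_authentication, if_nhrp_authentication_cmd,
 AFI_CMD "nhrp authentication PASSWORD$password",
 AFI_STR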
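--- a/tests/topotests/nhrp_topo/r1/nhrp_shortcut_present.json
+++ b/tests/topotests/nhrp_topo/r1/nhrp_shortcut_present.json
@@ -0,0 +1,14 @@
+{
+"attr":{
+"entriesCount":1
+},
+"table":[
+{
+"type":"dynamic",
+"prefix":"192.168.4.0\/24",
+"via":"10.255.255.4",
+"identity":""
+}
+]
+}
+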
1 change: 1 addition & 0 deletions tests/topotests/nhrp_topo/r1/zebra.conf
Expand Up @@ -10,3 +10,4 @@ exit
interface r1-eth1
ip address 192.168.1.1/24
!
ip route 0.0.0.0/0 10.255.255.2
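--- a/tests/topotests/nhrp_topo/r2/nhrp4_cache.json
+++ b/tests/topotests/nhrp_topo/r2/nhrp4_cache.json
@@ -1,8 +1,19 @@
 {
 "attr":{
-"entriesCount":2
+"entriesCount":3
 },
 "table":[
 {
+"interface":"r2-gre0",
+"type":"dynamic",
+"protocol":"10.255.255.4",
+"nbma":"10.1.1.4",
+"claimed_nbma":"10.1.1.4",
+"used":false,
+"timeout":true,
+"auth":false,
+"identity":""
+},
+{
 "interface":"r2-gre0",
 "type":"local",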
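--- a/tests/topotests/nhrp_topo/r2/nhrp_route4.json
+++ b/tests/topotests/nhrp_topo/r2/nhrp_route4.json
@@ -12,7 +12,31 @@
 "installed":true,
 "internalNextHopNum":1,
 "internalNextHopActiveNum":1,
-"nexthops":[
+"nexthops": [
+{
+"fib":true,
+"directlyConnected":true,
+"interfaceName":"r2-gre0",
+"active":true
+}
+]
+}
+],
+"10.255.255.4\/32": [
+{
+"prefix":"10.255.255.4\/32",
+"prefixLen":32,
+"protocol":"nhrp",
+"vrfId":0,
+"vrfName":"default",
+"selected":true,
+"destSelected":true,
+"distance":10,
+"metric":0,
+"installed":true,
+"internalNextHopNum":1,
+"internalNextHopActiveNum":1,
+"nexthops": [
 {
 "fib":true,
 "directlyConnected":true,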
3 changes: 3 additions & 0 deletions tests/topotests/nhrp_topo/r2/zebra.conf
@@ -1,3 +1,4 @@
ip forwarding
interface r2-eth0
ip address 10.2.1.2/24
!
Expand All @@ -10,3 +11,5 @@ interface r2-gre0
interface r2-eth1
ip address 192.168.2.2/24
!
ip route 192.168.4.4/24 10.255.255.4
ip route 192.168.1.1/24 10.255.255.1
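--- a/tests/topotests/nhrp_topo/r4/nhrp4_cache.json
+++ b/tests/topotests/nhrp_topo/r4/nhrp4_cache.json
@@ -0,0 +1,30 @@
+{
+"attr":{
+"entriesCount":2
+},
+"table":[
+{
+"interface":"r4-gre0",
+"type":"local",
+"protocol":"10.255.255.4",
+"nbma":"10.1.1.4",
+"claimed_nbma":"10.1.1.4",
+"used":false,
+"timeout":false,
+"auth":false,
+"identity":"-"
+},
+{
+"interface":"r4-gre0",
+"type":"nhs",
+"protocol":"10.255.255.2",
+"nbma":"10.2.1.2",
+"claimed_nbma":"10.2.1.2",
+"used":false,
+"timeout":true,
+"auth":false,
+"identity":""
+}
+]
+}
+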
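--- a/tests/topotests/nhrp_topo/r4/nhrp_route4.json
+++ b/tests/topotests/nhrp_topo/r4/nhrp_route4.json
@@ -0,0 +1,26 @@
+{
+"10.255.255.2\/32": [
+{
+"prefix": "10.255.255.2\/32",
+"prefixLen": 32,
+"protocol": "nhrp",
+"vrfId": 0,
+"vrfName": "default",
+"selected": true,
+"destSelected": true,
+"distance": 10,
+"metric": 0,
+"installed": true,
+"internalNextHopNum": 1,
+"internalNextHopActiveNum": 1,
+"nexthops": [
+{
+"fib": true,
+"directlyConnected": true,
+"interfaceName": "r4-gre0",
+"active": true
+}
+]
+}
+]
+}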
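--- a/tests/topotests/nhrp_topo/r4/nhrpd.conf
+++ b/tests/topotests/nhrp_topo/r4/nhrpd.conf
@@ -0,0 +1,11 @@
+log stdout debugging
+debug nhrp all
+interface r4-gre0
+ip nhrp authentication secret
+ip nhrp holdtime 10
+ip nhrp shortcut
+ip nhrp network-id 42
+ip nhrp nhs dynamic nbma 10.2.1.2
+ip nhrp registration no-unique
+tunnel source r4-eth0
+exit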
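--- a/tests/topotests/nhrp_topo/r4/zebra.conf
+++ b/tests/topotests/nhrp_topo/r4/zebra.conf
@@ -0,0 +1,13 @@
+interface r4-eth0
+ip address 10.1.1.4/24
+!
+ip route 10.2.1.0/24 10.1.1.3
+interface r4-gre0
+ip address 10.255.255.4/32
+no link-detect
+ipv6 nd suppress-ra
+exit
+interface r4-eth1
+ip address 192.168.4.4/24
+!
+ip route 0.0.0.0/0 10.255.255.2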