From bb0fbf5a2b772b13228ff62c3343f64c6a7fea8c Mon Sep 17 00:00:00 2001
From: Dave LeRoy
Date: Wed, 5 Jun 2024 12:10:11 -0700
Subject: [PATCH] nhrpd: add cisco-authentication password support
Taking over this development from https://github.com/FRRouting/frr/pull/14788
This commit addresses 4 issues found in the previous PR
1) FRR would accept messages from a spoke without authentication when FRR NHRP had auth configured.
2) The error indication was not being sent in network byte order
3) The debug print in nhrp_connection_authorized was not correctly printing the received password
4) The addresses portion of the mandatory part of the error indication was invalid on the wire (confirmed in wireshark)
Signed-off-by: Dave LeRoy
---
 nhrpd/nhrp_interface.c | 2 ++
 nhrpd/nhrp_peer.c | 17 +++++++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/nhrpd/nhrp_interface.c b/nhrpd/nhrp_interface.c
index 7d0ab9762f71..e81a2efbb685 100644
--- a/nhrpd/nhrp_interface.c
+++ b/nhrpd/nhrp_interface.c
@@ -99,6 +99,8 @@ static int nhrp_if_delete_hook(struct interface *ifp)
 free(nifp->ipsec_fallback_profile);
 if (nifp->source)
 free(nifp->source);
+ if (nifp->auth_token)
+ zbuf_free(nifp->auth_token);
 XFREE(MTYPE_NHRP_IF, ifp->info);
 return 0;
diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 84fcdb069744..acae5bfa8389 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -1125,7 +1125,7 @@ static int nhrp_packet_send_error(struct nhrp_packet_parser *pp,
 hdr = nhrp_packet_push(zb, NHRP_PACKET_ERROR_INDICATION, &pp->src_nbma, &src_proto, &dst_proto);
- hdr->u.error.code = indication_code;
+ hdr->u.error.code = htons(indication_code);
 hdr->u.error.offset = htons(offset);
 hdr->flags = pp->hdr->flags;
 hdr->hop_count = 0; // XXX: cisco returns 255
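Review bot: In nhrp_if_delete_hook (the nhrp_interface.c hunk) the new `zbuf_free(nifp->auth_token)` releases the buffer holding the configured NHRP password without clearing it first, so the secret can linger in freed heap memory. Unless zbuf_free already scrubs its storage, which is not visible here, wipe it before the free, for example `explicit_bzero(nifp->auth_token->buf, zbuf_used(nifp->auth_token));`. That form assumes the token was only ever appended to, so that the used bytes start at `buf`. The start of the function is outside the hunk.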
@@ -1135,7 +1135,12 @@ static int nhrp_packet_send_error(struct nhrp_packet_parser *pp,
 /* wireshark gives bad checksum, without exts */
 // pp->hdr->checksum = nhrp_packet_calculate_checksum(zbuf_used(&pp->payload))
 zbuf_put(zb, pp->hdr, sizeof(*pp->hdr));
- zbuf_copy(zb, &pp->payload, zbuf_used(&pp->payload));
+ zbuf_put(zb, sockunion_get_addr(&pp->src_nbma),
+ hdr->src_nbma_address_len);
+ zbuf_put(zb, sockunion_get_addr(&pp->src_proto),
+ hdr->src_protocol_address_len);
+ zbuf_put(zb, sockunion_get_addr(&pp->dst_proto),
+ hdr->dst_protocol_address_len);
 nhrp_packet_complete_auth(zb, hdr, pp->ifp, false);
 /* nhrp_packet_debug(zb, "SEND_ERROR"); */
@@ -1151,7 +1156,7 @@ static bool nhrp_connection_authorized(struct nhrp_packet_parser *pp)
 struct zbuf *auth = nifp->auth_token;
 struct nhrp_extension_header *ext;
 struct zbuf *extensions, pl;
- int cmp = 0;
+ int cmp = 1;
 extensions = zbuf_alloc(zbuf_used(&pp->extensions));
@@ -1164,7 +1169,11 @@ static bool nhrp_connection_authorized(struct nhrp_packet_parser *pp)
 auth->buf;
 debugf(NHRP_DEBUG_COMMON, "Processing Authentication Extension for (%s:%s|%d)",
- auth_ext->secret, (const char *)pl.buf, cmp);
+ auth_ext->secret,
+ ((struct nhrp_cisco_authentication_extension *)
+ pl.buf)
+ ->secret,
+ cmp);
 break;
 }
 }
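Review bot: In the `@@ -1135` hunk of nhrp_packet_send_error the three new `zbuf_put` calls copy bytes from `pp->src_nbma`, `pp->src_proto` and `pp->dst_proto` but take their lengths from `hdr`, which the preceding hunk shows being built from the locals `src_proto`/`dst_proto` rather than from `pp`. If a local and its `pp` counterpart ever differ in address family, the copy reads the wrong number of bytes out of the sockunion; the assignment of the locals is outside the hunks, so this is inferred. Tie each length to its own source, e.g. `zbuf_put(zb, sockunion_get_addr(&pp->src_nbma), sockunion_get_addrlen(&pp->src_nbma));`, and likewise for the two protocol addresses. It is also worth confirming that these lengths agree with the length fields inside the copied `pp->hdr`, since the receiver parses the addresses by that header.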
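Review bot: `int cmp = 1;` in nhrp_connection_authorized makes the check fail closed, but nothing at the declaration says so, and a later cleanup could reset it to 0 and reopen the unauthenticated path the commit message describes. Add a comment such as `/* fail closed: stays non-zero unless a received authentication extension matches the configured token */`. The loop and the return statement are outside the hunk, so confirm there that a packet with no authentication extension is rejected whenever `auth` is configured.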
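Review bot: The rewritten `debugf` in nhrp_connection_authorized writes both the configured secret and the peer-supplied one to the debug log in clear text, and formats them with `%s`. The received value comes straight from packet bytes (`pl.buf`), so if `secret` is a fixed-width field with no guaranteed NUL (its declaration is not visible here), `%s` can read past it, and the visible lines show no check that `pl` holds a full extension before the cast. Logging only the outcome avoids both problems, assuming `cmp` is a memcmp-style result: `debugf(NHRP_DEBUG_COMMON, "Processing Authentication Extension: %s", cmp ? "mismatch" : "match");`. If the values must be shown, bound them with `%.*s` and the field size. The enclosing loop starts and ends outside the hunk.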