nhrpd: Modify NHRP authentication feature logging
authorJoshua Muthii <jmuthii@labn.net>
Tue, 29 Oct 2024 16:08:14 +0000 (12:08 -0400)
committerMergify <37929162+mergify[bot]@users.noreply.github.com>
Tue, 5 Nov 2024 15:11:07 +0000 (15:11 +0000)
Modified nhrp_connection_authorized(). Initially, when writing debug
information about incoming NHRP packets with authentication enabled,
the nhrp_connection_authorized() function would print the
passphrase of the incoming packet as if it were a null terminated
string. This meant that if the passphrase on the incoming packet
had non-ASCII-compliant bytes in it, it would attempt to print those
bytes anyway. There was also no check that the size of the passphrase in
the incoming packet matched the size of the passphrase on the interface.
The changes in this commit log the passphrase on the incoming packet as
well as the passphrase on interface in HEX to avoid issues with ASCII.
It also performs a check that accounts for the sizes of the two different
passphrases

Moved CISCO_PASS_LENGTH_LEN from nhrp_vty.c to nhrp_protocol.h
for easier access  to the macro in other files

Signed-off-by: Joshua Muthii <jmuthii@labn.net>
(cherry picked from commit 5718ee37c7717f61094a40168dae18c6d607ec44)

nhrpd/nhrp_peer.c
nhrpd/nhrp_protocol.h
nhrpd/nhrp_vty.c

index d2c1a8c40154c30c3f6f8446a81f502baceb0712..fa11980c18ff0469ead03b6960ff9160d6739899 100644 (file)
@@ -1169,22 +1169,55 @@ static bool nhrp_connection_authorized(struct nhrp_packet_parser *pp)
        struct nhrp_extension_header *ext;
        struct zbuf *extensions, pl;
        int cmp = 1;
+       int pl_pass_length, auth_pass_length;
+       size_t auth_size, pl_size;
 
        extensions = zbuf_alloc(zbuf_used(&pp->extensions));
        zbuf_copy_peek(extensions, &pp->extensions, zbuf_used(&pp->extensions));
        while ((ext = nhrp_ext_pull(extensions, &pl)) != NULL) {
                switch (htons(ext->type) & ~NHRP_EXTENSION_FLAG_COMPULSORY) {
                case NHRP_EXTENSION_AUTHENTICATION:
-                       cmp = memcmp(auth->buf, pl.buf, zbuf_size(auth));
+                       /* Size of authentication extensions
+                        * (varies based on password length)
+                        */
+                       auth_size = zbuf_size(auth);
+                       pl_size = zbuf_size(&pl);
                        auth_ext = (struct nhrp_cisco_authentication_extension *)
                                           auth->buf;
-                       debugf(NHRP_DEBUG_COMMON,
-                              "Processing Authentication Extension for (%s:%s|%d)",
-                              auth_ext->secret,
-                              ((struct nhrp_cisco_authentication_extension *)
-                                       pl.buf)
-                                      ->secret,
-                              cmp);
+
+                       if (auth_size == pl_size)
+                               cmp = memcmp(auth_ext, pl.buf, auth_size);
+                       else
+                               cmp = 1;
+
+                       if (unlikely(debug_flags & NHRP_DEBUG_COMMON)) {
+                               /* 4 bytes in nhrp_cisco_authentication_extension are allocated
+                                * toward the authentication type. The remaining bytes are used for the
+                                * password - so the password length is just the length of the extension - 4
+                                */
+                               auth_pass_length = (auth_size - 4);
+                               pl_pass_length = (pl_size - 4);
+                               /* Because characters are to be printed in HEX, (2* the max pass length) + 1
+                                * is needed for the string representation
+                                */
+                               char auth_pass[(2 * NHRP_CISCO_PASS_LEN) + 1] = { 0 },
+                                              pl_pass[(2 * NHRP_CISCO_PASS_LEN) + 1] = { 0 };
+                               /* Converting bytes in buffer to HEX and saving output as a string -
+                                * Passphrase is converted to HEX in order to avoid printing
+                                * non ACII-compliant characters
+                                */
+                               for (int i = 0; i < (auth_pass_length); i++)
+                                       snprintf(auth_pass + (i * 2), 3, "%02X",
+                                                auth_ext->secret[i]);
+                               for (int i = 0; i < (pl_pass_length); i++)
+                                       snprintf(pl_pass + (i * 2), 3, "%02X",
+                                                ((struct nhrp_cisco_authentication_extension *)pl.buf)
+                                                        ->secret[i]);
+
+                               debugf(NHRP_DEBUG_COMMON,
+                                      "Processing Authentication Extension for (%s:%s|%d)",
+                                      auth_pass, pl_pass, cmp);
+                       }
                        break;
                default:
                        /* Ignoring all received extensions except Authentication*/
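Review bot: The hex-dump loops at lines 80–86 bound `i` by `pl_pass_length`, which is derived from the size of the extension received on the wire, while `pl_pass` is a fixed `(2 * NHRP_CISCO_PASS_LEN) + 1` byte stack buffer, so an incoming authentication extension longer than `4 + NHRP_CISCO_PASS_LEN` bytes makes `snprintf(pl_pass + (i * 2), 3, ...)` write past the end of `pl_pass` whenever NHRP_DEBUG_COMMON is enabled; the `auth_size == pl_size` check on line 59 sets `cmp` but does not gate this branch. `pl_size - 4` and `auth_size - 4` also wrap as `size_t` for an extension shorter than 4 bytes before being narrowed to `int`, which only happens to skip the loop on common platforms. Clamp both lengths to `[0, NHRP_CISCO_PASS_LEN]` before the loops; the `secret` array in `struct nhrp_cisco_authentication_extension` is presumably NHRP_CISCO_PASS_LEN bytes as well, so the same clamp would cover the read side — worth confirming against the struct definition. nhrp_connection_authorized() starts and ends outside the hunk.
```c
if (unlikely(debug_flags & NHRP_DEBUG_COMMON)) {
        /* Password bytes follow the 4-byte type field; clamp to the
         * size of the hex buffers below so a malformed or oversized
         * extension cannot run the dump past auth_pass/pl_pass.
         */
        auth_pass_length = auth_size > 4 ? (int)(auth_size - 4) : 0;
        if (auth_pass_length > NHRP_CISCO_PASS_LEN)
                auth_pass_length = NHRP_CISCO_PASS_LEN;
        pl_pass_length = pl_size > 4 ? (int)(pl_size - 4) : 0;
        if (pl_pass_length > NHRP_CISCO_PASS_LEN)
                pl_pass_length = NHRP_CISCO_PASS_LEN;
        /* … unchanged: hex buffers, conversion loops and debugf … */
}
```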
index 8cf1ebbcd60efa9f9e6df1a0b6bee6e7fa265c8f..a4fb315b0e76b9e7f83886eda3d8962d381b28a0 100644 (file)
@@ -73,6 +73,7 @@
 
 /* NHRP Authentication extension types (ala Cisco) */
 #define NHRP_AUTHENTICATION_PLAINTEXT          0x00000001
+#define NHRP_CISCO_PASS_LEN                    8
 
 /* NHRP Packet Structures */
 struct nhrp_packet_header {
index f2025769609eac6546797d3195b504fc6b0bbcc5..199f4d75d4ecbbc2f54598d6bafac98344336dd4 100644 (file)
@@ -467,7 +467,6 @@ DEFUN(if_no_nhrp_holdtime, if_no_nhrp_holdtime_cmd,
        return CMD_SUCCESS;
 }
 
-#define NHRP_CISCO_PASS_LEN 8
 DEFPY(if_nhrp_authentication, if_nhrp_authentication_cmd,
       AFI_CMD "nhrp authentication PASSWORD$password",
       AFI_STR