KEY is the actual message digest key, of up to 16 chars (larger strings will
be truncated), and is associated with the given KEYID.
+.. clicmd:: ip ospf authentication key-chain KEYCHAIN
+
+ Specify that HMAC cryptographic authentication must be used on this interface
+ using a key chain. Overrides any authentication enabled on a per-area basis
+ (:clicmd:`area A.B.C.D authentication message-digest`)
+
+ * ``KEYCHAIN``: Specifies the name of the key chain that contains the authentication
+ key(s) and cryptographic algorithms to be used for OSPF authentication. The key chain
+ is a logical container that holds one or more authentication keys,
+ allowing for key rotation and management.
+
+ Note that OSPF HMAC cryptographic authentication requires that time never go backwards
+ (correct time is NOT important, only that it never goes backwards), even
+ across resets, if ospfd is to be able to promptly reestablish adjacencies
+ with its neighbours after restarts/reboots. The host should have system time
+ be set at boot from an external or non-volatile source (e.g. battery backed
+ clock, NTP, etc.) or else the system clock should be periodically saved to
+ non-volatile storage and restored at boot if HMAC cryptographic authentication is to be
+ expected to work reliably.
+
+ Example:
+
+ .. code:: frr
+
+ r1(config)#key chain temp
+ r1(config-keychain)#key 13
+ r1(config-keychain-key)#key-string ospf
+ r1(config-keychain-key)#cryptographic-algorithm hmac-sha-256
+ r1(config)#int eth0
+ r1(config-if)#ip ospf authentication key-chain temp
+ r1(config-if)#ip ospf area 0
+
.. clicmd:: ip ospf cost (1-65535)
--- /dev/null
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2023 Amnesh Inc.
+ * Mahdi Varasteh
+ */
+
+#include <zebra.h>
+
+#include "linklist.h"
+#include "if.h"
+#include "checksum.h"
+
+#include "ospfd/ospfd.h"
+#include "ospfd/ospf_errors.h"
+#include "ospfd/ospf_interface.h"
+#include "ospfd/ospf_asbr.h"
+#include "ospfd/ospf_lsa.h"
+#include "ospfd/ospf_lsdb.h"
+#include "ospfd/ospf_neighbor.h"
+#include "ospfd/ospf_auth.h"
+#include "ospfd/ospf_nsm.h"
+#include "ospfd/ospf_dump.h"
+#include "ospfd/ospf_packet.h"
+#include "ospfd/ospf_network.h"
+#include "ospfd/ospf_flood.h"
+#include "ospfd/ospf_dump.h"
+#include "ospfd/ospf_bfd.h"
+#include "ospfd/ospf_gr.h"
+#ifdef CRYPTO_INTERNAL
+#include "sha256.h"
+#include "md5.h"
+#endif
+
+const uint8_t ospf_auth_apad[KEYCHAIN_MAX_HASH_SIZE] = {
+ 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1,
+ 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F,
+ 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87,
+ 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3,
+ 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1,
+ 0xF3, 0x87, 0x8F, 0xE1, 0xF3, 0x87, 0x8F, 0xE1, 0xF3
+};
+
+static int ospf_check_sum(struct ospf_header *ospfh)
+{
+ uint32_t ret;
+ uint16_t sum;
+
+ /* clear auth_data for checksum. */
+ memset(ospfh->u.auth_data, 0, OSPF_AUTH_SIMPLE_SIZE);
+
+ /* keep checksum and clear. */
+ sum = ospfh->checksum;
+ memset(&ospfh->checksum, 0, sizeof(uint16_t));
+
+ /* calculate checksum. */
+ ret = in_cksum(ospfh, ntohs(ospfh->length));
+
+ if (ret != sum) {
+ zlog_info("%s: checksum mismatch, my %X, his %X", __func__, ret,
+ sum);
+ return 0;
+ }
+
+ return 1;
+}
+
+#ifdef CRYPTO_OPENSSL
+static const EVP_MD *ospf_auth_get_openssl_evp_md_from_key(struct key *key)
+{
+ if (key->hash_algo == KEYCHAIN_ALGO_HMAC_SHA1)
+ return EVP_get_digestbyname("sha1");
+ else if (key->hash_algo == KEYCHAIN_ALGO_HMAC_SHA256)
+ return EVP_get_digestbyname("sha256");
+ else if (key->hash_algo == KEYCHAIN_ALGO_HMAC_SHA384)
+ return EVP_get_digestbyname("sha384");
+ else if (key->hash_algo == KEYCHAIN_ALGO_HMAC_SHA512)
+ return EVP_get_digestbyname("sha512");
+ return NULL;
+}
+#endif
+
+static int ospf_auth_check_hmac_sha_digest(struct ospf_interface *oi,
+ struct ospf_header *ospfh,
+ struct ip *iph,
+ struct key *key)
+{
+ unsigned char digest[KEYCHAIN_MAX_HASH_SIZE];
+ struct ospf_neighbor *nbr;
+ uint16_t length = ntohs(ospfh->length);
+ uint16_t hash_length = keychain_get_hash_len(key->hash_algo);
+#ifdef CRYPTO_OPENSSL
+ unsigned int openssl_hash_length = hash_length;
+ HMAC_CTX *ctx;
+ const EVP_MD *md_alg = ospf_auth_get_openssl_evp_md_from_key(key);
+
+ if (!md_alg) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: invalid HMAC algorithm, Router-ID: %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+#elif CRYPTO_INTERNAL
+ HMAC_SHA256_CTX ctx;
+
+ if (key->hash_algo != KEYCHAIN_ALGO_HMAC_SHA256) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: HMAC algorithm not supported, Router-ID: %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+#endif
+ /* check crypto seqnum. */
+ nbr = ospf_nbr_lookup(oi, iph, ospfh);
+
+ if (nbr &&
+ ntohl(nbr->crypt_seqnum) > ntohl(ospfh->u.crypt.crypt_seqnum)) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: ospf_check_hmac_sha bad sequence %u (expect %d), Router-ID: %pI4",
+ IF_NAME(oi), ntohl(ospfh->u.crypt.crypt_seqnum),
+ ntohl(nbr->crypt_seqnum), &ospfh->router_id);
+ return 0;
+ }
+#ifdef CRYPTO_OPENSSL
+ ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key->string, strlen(key->string), md_alg, NULL);
+ HMAC_Update(ctx, (const unsigned char *)ospfh, length);
+ HMAC_Update(ctx, (const unsigned char *)ospf_auth_apad, hash_length);
+ HMAC_Final(ctx, digest, &openssl_hash_length);
+ HMAC_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
+ memset(&ctx, 0, sizeof(ctx));
+ HMAC__SHA256_Init(&ctx, key->string, strlen(key->string));
+ HMAC__SHA256_Update(&ctx, ospfh, length);
+ HMAC__SHA256_Update(&ctx, ospf_auth_apad, hash_length);
+ HMAC__SHA256_Final(digest, &ctx);
+#endif
+ if (memcmp((caddr_t)ospfh + length, digest, hash_length)) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: ospf_check_hmac_sha checksum mismatch %u, Router-ID: %pI4",
+ IF_NAME(oi), length, &ospfh->router_id);
+ return 0;
+ }
+ if (nbr)
+ nbr->crypt_seqnum = ospfh->u.crypt.crypt_seqnum;
+ return 1;
+}
+
+static int ospf_auth_check_md5_digest(struct ospf_interface *oi,
+ struct ospf_header *ospfh, struct ip *iph, struct key *key)
+{
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#elif CRYPTO_INTERNAL
+ MD5_CTX ctx;
+#endif
+ char auth_key[OSPF_AUTH_MD5_SIZE + 1];
+ unsigned char digest[OSPF_AUTH_MD5_SIZE];
+ struct ospf_neighbor *nbr;
+ struct crypt_key *ck = NULL;
+ uint16_t length = ntohs(ospfh->length);
+
+ if (key == NULL) {
+ ck = ospf_crypt_key_lookup(OSPF_IF_PARAM(oi, auth_crypt),
+ ospfh->u.crypt.key_id);
+ if (ck == NULL) {
+ flog_warn(
+ EC_OSPF_AUTH,
+ "interface %s: %s no key %d, Router-ID: %pI4",
+ IF_NAME(oi), __func__, ospfh->u.crypt.key_id, &ospfh->router_id);
+ return 0;
+ }
+ }
+ /* check crypto seqnum. */
+ nbr = ospf_nbr_lookup(oi, iph, ospfh);
+
+ if (nbr &&
+ ntohl(nbr->crypt_seqnum) > ntohl(ospfh->u.crypt.crypt_seqnum)) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: %s bad sequence %d (expect %d), Router-ID: %pI4",
+ IF_NAME(oi), __func__, ntohl(ospfh->u.crypt.crypt_seqnum),
+ ntohl(nbr->crypt_seqnum), &ospfh->router_id);
+ return 0;
+ }
+
+ memset(auth_key, 0, OSPF_AUTH_MD5_SIZE + 1);
+ if (ck == NULL)
+ strlcpy(auth_key, key->string, OSPF_AUTH_MD5_SIZE + 1);
+ else
+ strlcpy(auth_key, (char *)ck->auth_key, OSPF_AUTH_MD5_SIZE + 1);
+ /* Generate a digest for the ospf packet - their digest + our digest. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ospfh, length);
+ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
+ memset(&ctx, 0, sizeof(ctx));
+ MD5Init(&ctx);
+ MD5Update(&ctx, ospfh, length);
+ MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ MD5Final(digest, &ctx);
+#endif
+
+ /* compare the two */
+ if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: ospf_check_md5 checksum mismatch, Router-ID: %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+
+ /* save neighbor's crypt_seqnum */
+ if (nbr)
+ nbr->crypt_seqnum = ospfh->u.crypt.crypt_seqnum;
+ return 1;
+}
+
+static int ospf_auth_make_md5_digest(struct ospf_interface *oi,
+ struct ospf_packet *op, struct key *key)
+{
+ void *ibuf;
+ struct ospf_header *ospfh;
+ unsigned char digest[OSPF_AUTH_MD5_SIZE];
+ uint16_t length;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#elif CRYPTO_INTERNAL
+ MD5_CTX ctx;
+#endif
+ char auth_key[OSPF_AUTH_MD5_SIZE + 1];
+
+ memset(auth_key, 0, OSPF_AUTH_MD5_SIZE + 1);
+ strlcpy(auth_key, key->string, OSPF_AUTH_MD5_SIZE + 1);
+ ibuf = STREAM_DATA(op->s);
+ ospfh = (struct ospf_header *)ibuf;
+ length = ntohs(ospfh->length);
+ /* Generate a digest for the ospf packet - their digest + our digest. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ospfh, length);
+ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
+ memset(&ctx, 0, sizeof(ctx));
+ MD5Init(&ctx);
+ MD5Update(&ctx, ospfh, length);
+ MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ MD5Final(digest, &ctx);
+#endif
+
+ stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
+
+ op->length = ntohs(ospfh->length) + OSPF_AUTH_MD5_SIZE;
+
+ if (stream_get_endp(op->s) != op->length)
+ /* XXX size_t */
+ flog_warn(EC_OSPF_AUTH,
+ "%s: length mismatch stream %lu ospf_packet %u, Router-ID %pI4",
+ __func__, (unsigned long)stream_get_endp(op->s),
+ op->length, &ospfh->router_id);
+
+ return OSPF_AUTH_MD5_SIZE;
+}
+
+static int ospf_auth_make_hmac_sha_digest(struct ospf_interface *oi,
+ struct ospf_packet *op,
+ struct key *key)
+{
+ void *ibuf;
+ struct ospf_header *ospfh;
+ unsigned char digest[KEYCHAIN_MAX_HASH_SIZE] = { 0 };
+ uint16_t hash_length = keychain_get_hash_len(key->hash_algo);
+
+ ibuf = STREAM_DATA(op->s);
+ ospfh = (struct ospf_header *)ibuf;
+#ifdef CRYPTO_OPENSSL
+ unsigned int openssl_hash_length = hash_length;
+ HMAC_CTX *ctx;
+ const EVP_MD *md_alg = ospf_auth_get_openssl_evp_md_from_key(key);
+
+ if (!md_alg) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: invalid HMAC algorithm, Router-ID: %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+#elif CRYPTO_INTERNAL
+ HMAC_SHA256_CTX ctx;
+
+ if (key->hash_algo != KEYCHAIN_ALGO_HMAC_SHA256) {
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: HMAC algorithm not supported, Router-ID: %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+#endif
+#ifdef CRYPTO_OPENSSL
+ ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key->string, strlen(key->string), md_alg, NULL);
+ HMAC_Update(ctx, (const unsigned char *)ospfh, ntohs(ospfh->length));
+ HMAC_Update(ctx, (const unsigned char *)ospf_auth_apad, hash_length);
+ HMAC_Final(ctx, digest, &openssl_hash_length);
+ HMAC_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
+ memset(&ctx, 0, sizeof(ctx));
+ HMAC__SHA256_Init(&ctx, key->string, strlen(key->string));
+ HMAC__SHA256_Update(&ctx, ospfh, ntohs(ospfh->length));
+ HMAC__SHA256_Update(&ctx, ospf_auth_apad, hash_length);
+ HMAC__SHA256_Final(digest, &ctx);
+#endif
+ stream_put(op->s, digest, hash_length);
+
+ op->length = ntohs(ospfh->length) + hash_length;
+
+ if (stream_get_endp(op->s) != op->length)
+ /* XXX size_t */
+ flog_warn(EC_OSPF_AUTH,
+ "%s: length mismatch stream %lu ospf_packet %u, Router-ID %pI4",
+ __func__, (unsigned long)stream_get_endp(op->s),
+ op->length, &ospfh->router_id);
+
+ return hash_length;
+}
+
+int ospf_auth_check_digest(struct ospf_interface *oi, struct ip *iph, struct ospf_header *ospfh)
+{
+ struct keychain *keychain = NULL;
+ struct key *key = NULL;
+ int key_id = ospfh->u.crypt.key_id;
+ uint8_t auth_data_len = ospfh->u.crypt.auth_data_len;
+
+ if (!OSPF_IF_PARAM(oi, keychain_name))
+ return ospf_auth_check_md5_digest(oi, ospfh, iph, NULL);
+
+ keychain = keychain_lookup(OSPF_IF_PARAM(oi, keychain_name));
+ if (!keychain) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Keychain %s is not available, Router-ID %pI4",
+ IF_NAME(oi), OSPF_IF_PARAM(oi, keychain_name),
+ &ospfh->router_id);
+ return 0;
+ }
+
+ key = key_lookup_for_accept(keychain, key_id);
+ if (!key) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Key ID %d not found in keychain %s, Router-ID %pI4",
+ IF_NAME(oi), key_id, keychain->name,
+ &ospfh->router_id);
+ return 0;
+ }
+
+ if (key->string == NULL || key->hash_algo == KEYCHAIN_ALGO_NULL) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Key ID %d in keychain %s is incomplete, Router-ID %pI4",
+ IF_NAME(oi), key_id, keychain->name,
+ &ospfh->router_id);
+ return 0;
+ }
+
+ if (keychain_get_hash_len(key->hash_algo) != auth_data_len) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Key ID %d in keychain %s hash length mismatch, Router-ID %pI4",
+ IF_NAME(oi), key_id, keychain->name,
+ &ospfh->router_id);
+ return 0;
+ }
+
+ /* Backward compatibility with RFC 2328 keyed-MD5 authentication */
+ if (key->hash_algo == KEYCHAIN_ALGO_MD5)
+ return ospf_auth_check_md5_digest(oi, ospfh, iph, key);
+
+ return ospf_auth_check_hmac_sha_digest(oi, ospfh, iph, key);
+}
+
+int ospf_auth_make_digest(struct ospf_interface *oi, struct ospf_packet *op)
+{
+ struct ospf_header *ospfh;
+ void *ibuf;
+ struct keychain *keychain = NULL;
+ struct key *key = NULL;
+ int key_id;
+
+ ibuf = STREAM_DATA(op->s);
+ ospfh = (struct ospf_header *)ibuf;
+
+ key_id = ospfh->u.crypt.key_id;
+
+ if (!OSPF_IF_PARAM(oi, keychain_name)) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Keychain is not set, Router-ID %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+
+ keychain = oi->keychain;
+ if (!keychain) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, SEND))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Keychain %s is not available to send, Router-ID %pI4",
+ IF_NAME(oi), OSPF_IF_PARAM(oi, keychain_name),
+ &ospfh->router_id);
+ return 0;
+ }
+
+ key = oi->key;
+ if (!key) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, SEND))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Key ID %d not found in keychain %s, Router-ID %pI4",
+ IF_NAME(oi), key_id, keychain->name,
+ &ospfh->router_id);
+ return 0;
+ }
+
+ if (key->string == NULL || key->hash_algo == KEYCHAIN_ALGO_NULL) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, SEND))
+ flog_warn(EC_OSPF_AUTH,
+ "interface %s: Key ID %d in keychain %s is incomplete, Router-ID %pI4",
+ IF_NAME(oi), key_id, keychain->name,
+ &ospfh->router_id);
+ return 0;
+ }
+
+ /* Backward compatibility with RFC 2328 keyed-MD5 authentication */
+ if (key->hash_algo == KEYCHAIN_ALGO_MD5)
+ return ospf_auth_make_md5_digest(oi, op, key);
+ else
+ return ospf_auth_make_hmac_sha_digest(oi, op, key);
+}
+
+/* This function is called from ospf_write(), it will detect the
+ * authentication scheme and if it is MD5, it will change the sequence
+ * and update the MD5 digest.
+ */
+
+int ospf_auth_make(struct ospf_interface *oi, struct ospf_packet *op)
+{
+ struct ospf_header *ospfh;
+ unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0};
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#elif CRYPTO_INTERNAL
+ MD5_CTX ctx;
+#endif
+ void *ibuf;
+ uint32_t t;
+ struct crypt_key *ck;
+ const uint8_t *auth_key = NULL;
+
+ ibuf = STREAM_DATA(op->s);
+ ospfh = (struct ospf_header *)ibuf;
+
+ if (ntohs(ospfh->auth_type) != OSPF_AUTH_CRYPTOGRAPHIC)
+ return 0;
+
+ /* We do this here so when we dup a packet, we don't have to
+ * waste CPU rewriting other headers.
+
+ Note that frr_time /deliberately/ is not used here.
+ */
+ t = (time(NULL) & 0xFFFFFFFF);
+ if (t > oi->crypt_seqnum)
+ oi->crypt_seqnum = t;
+ else
+ oi->crypt_seqnum++;
+
+ ospfh->u.crypt.crypt_seqnum = htonl(oi->crypt_seqnum);
+
+ /* Get MD5 Authentication key from auth_key list. */
+ if (list_isempty(OSPF_IF_PARAM(oi, auth_crypt)) && OSPF_IF_PARAM(oi, keychain_name) == NULL)
+ auth_key = (const uint8_t *)digest;
+ else if (!list_isempty(OSPF_IF_PARAM(oi, auth_crypt))) {
+ ck = listgetdata(listtail(OSPF_IF_PARAM(oi, auth_crypt)));
+ auth_key = ck->auth_key;
+ }
+
+ if (auth_key) {
+ /* Generate a digest for the entire packet + our secret key. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length));
+ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
+ memset(&ctx, 0, sizeof(ctx));
+ MD5Init(&ctx);
+ MD5Update(&ctx, ibuf, ntohs(ospfh->length));
+ MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ MD5Final(digest, &ctx);
+#endif
+
+ /* Append md5 digest to the end of the stream. */
+ stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
+
+ /* We do *NOT* increment the OSPF header length. */
+ op->length = ntohs(ospfh->length) + OSPF_AUTH_MD5_SIZE;
+
+ if (stream_get_endp(op->s) != op->length)
+ /* XXX size_t */
+ flog_warn(
+ EC_OSPF_AUTH,
+ "%s: length mismatch stream %lu ospf_packet %u, Router-ID %pI4",
+ __func__, (unsigned long)stream_get_endp(op->s),
+ op->length, &ospfh->router_id);
+
+ return OSPF_AUTH_MD5_SIZE;
+ } else
+ return ospf_auth_make_digest(oi, op);
+}
+
+/* Return 1, if the packet is properly authenticated and checksummed,
+ * 0 otherwise. In particular, check that AuType header field is valid and
+ * matches the locally configured AuType, and that D.5 requirements are met.
+ */
+int ospf_auth_check(struct ospf_interface *oi, struct ip *iph,
+ struct ospf_header *ospfh)
+{
+ uint16_t iface_auth_type;
+ uint16_t pkt_auth_type = ntohs(ospfh->auth_type);
+
+ iface_auth_type = ospf_auth_type(oi);
+
+ switch (pkt_auth_type) {
+ case OSPF_AUTH_NULL: /* RFC2328 D.5.1 */
+ if (iface_auth_type != OSPF_AUTH_NULL) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: auth-type mismatch, local %s, rcvd Null, Router-ID %pI4",
+ IF_NAME(oi),
+ lookup_msg(ospf_auth_type_str,
+ iface_auth_type, NULL),
+ &ospfh->router_id);
+ return 0;
+ }
+ if (!ospf_check_sum(ospfh)) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: Null auth OK, but checksum error, Router-ID %pI4",
+ IF_NAME(oi),
+ &ospfh->router_id);
+ return 0;
+ }
+ return 1;
+ case OSPF_AUTH_SIMPLE: /* RFC2328 D.5.2 */
+ if (iface_auth_type != OSPF_AUTH_SIMPLE) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: auth-type mismatch, local %s, rcvd Simple, Router-ID %pI4",
+ IF_NAME(oi),
+ lookup_msg(ospf_auth_type_str,
+ iface_auth_type, NULL),
+ &ospfh->router_id);
+ return 0;
+ }
+ if (memcmp(OSPF_IF_PARAM(oi, auth_simple), ospfh->u.auth_data,
+ OSPF_AUTH_SIMPLE_SIZE)) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: Simple auth failed, Router-ID %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+ if (!ospf_check_sum(ospfh)) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: Simple auth OK, checksum error, Router-ID %pI4",
+ IF_NAME(oi),
+ &ospfh->router_id);
+ return 0;
+ }
+ return 1;
+ case OSPF_AUTH_CRYPTOGRAPHIC: /* RFC2328 D.5.3 */
+ if (iface_auth_type != OSPF_AUTH_CRYPTOGRAPHIC) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: auth-type mismatch, local %s, rcvd Cryptographic, Router-ID %pI4",
+ IF_NAME(oi),
+ lookup_msg(ospf_auth_type_str,
+ iface_auth_type, NULL),
+ &ospfh->router_id);
+ return 0;
+ }
+ if (ospfh->checksum) {
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: OSPF header checksum is not 0, Router-ID %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ }
+ /* If `authentication message-digest` key is not set, we try keychain crypto */
+ if (OSPF_IF_PARAM(oi, keychain_name) || !list_isempty(OSPF_IF_PARAM(oi, auth_crypt)))
+ return ospf_auth_check_digest(oi, iph, ospfh);
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_AUTH,
+ "interface %s: MD5 auth failed, Router-ID %pI4",
+ IF_NAME(oi), &ospfh->router_id);
+ return 0;
+ default:
+ if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
+ flog_warn(
+ EC_OSPF_PACKET,
+ "interface %s: invalid packet auth-type (%02x), Router-ID %pI4",
+ IF_NAME(oi), pkt_auth_type, &ospfh->router_id);
+ return 0;
+ }
+}
+
+/* OSPF authentication checking function */
+int ospf_auth_type(struct ospf_interface *oi)
+{
+ int auth_type;
+
+ if (OSPF_IF_PARAM(oi, auth_type) == OSPF_AUTH_NOTSET)
+ auth_type = oi->area->auth_type;
+ else
+ auth_type = OSPF_IF_PARAM(oi, auth_type);
+
+ /* Handle case where MD5 key list, or a key-chain, is not configured aka Cisco */
+ if (auth_type == OSPF_AUTH_CRYPTOGRAPHIC
+ && (list_isempty(OSPF_IF_PARAM(oi, auth_crypt))
+ && OSPF_IF_PARAM(oi, keychain_name) == NULL))
+ return OSPF_AUTH_NULL;
+
+ return auth_type;
+}
+
+/* Make Authentication Data. */
+int ospf_auth_make_data(struct ospf_interface *oi, struct ospf_header *ospfh)
+{
+ struct crypt_key *ck;
+
+ switch (ospf_auth_type(oi)) {
+ case OSPF_AUTH_NULL:
+ /* memset (ospfh->u.auth_data, 0, sizeof(ospfh->u.auth_data));
+ */
+ break;
+ case OSPF_AUTH_SIMPLE:
+ memcpy(ospfh->u.auth_data, OSPF_IF_PARAM(oi, auth_simple),
+ OSPF_AUTH_SIMPLE_SIZE);
+ break;
+ case OSPF_AUTH_CRYPTOGRAPHIC:
+ if (OSPF_IF_PARAM(oi, keychain_name)) {
+ oi->keychain = keychain_lookup(OSPF_IF_PARAM(oi, keychain_name));
+ if (oi->keychain)
+ oi->key = key_lookup_for_send(oi->keychain);
+ if (oi->key) {
+ ospfh->u.crypt.zero = 0;
+ ospfh->u.crypt.key_id = oi->key->index;
+ ospfh->u.crypt.auth_data_len = keychain_get_hash_len(oi->key->hash_algo);
+ } else {
+ /* If key is not set, then set 0. */
+ ospfh->u.crypt.zero = 0;
+ ospfh->u.crypt.key_id = 0;
+ ospfh->u.crypt.auth_data_len = OSPF_AUTH_MD5_SIZE;
+ }
+ } else {
+ /* If key is not set, then set 0. */
+ if (list_isempty(OSPF_IF_PARAM(oi, auth_crypt))) {
+ ospfh->u.crypt.zero = 0;
+ ospfh->u.crypt.key_id = 0;
+ ospfh->u.crypt.auth_data_len = OSPF_AUTH_MD5_SIZE;
+ } else {
+ ck = listgetdata(
+ listtail(OSPF_IF_PARAM(oi, auth_crypt)));
+ ospfh->u.crypt.zero = 0;
+ ospfh->u.crypt.key_id = ck->key_id;
+ ospfh->u.crypt.auth_data_len = OSPF_AUTH_MD5_SIZE;
+ }
+ }
+ /* note: the seq is done in ospf_auth_make() */
+ break;
+ default:
+ /* memset (ospfh->u.auth_data, 0, sizeof(ospfh->u.auth_data));
+ */
+ break;
+ }
+
+ return 0;
+}
--- /dev/null
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2023 Amnesh Inc.
+ * Mahdi Varasteh
+ */
+
+#ifndef _ZEBRA_OSPF_AUTH_H
+#define _ZEBRA_OSPF_AUTH_H
+
+#include <ospfd/ospf_gr.h>
+#include <ospfd/ospf_packet.h>
+
+int ospf_auth_check(struct ospf_interface *oi, struct ip *iph, struct ospf_header *ospfh);
+int ospf_auth_check_digest(struct ospf_interface *oi, struct ip *iph, struct ospf_header *ospfh);
+int ospf_auth_make(struct ospf_interface *oi, struct ospf_packet *op);
+int ospf_auth_make_digest(struct ospf_interface *oi, struct ospf_packet *op);
+int ospf_auth_type(struct ospf_interface *oi);
+int ospf_auth_make_data(struct ospf_interface *oi, struct ospf_header *ospfh);
+
+#endif /* _ZEBRA_OSPF_AUTH_H */
.suggestion = "Do not use this particular set command for an ospf route-map",
},
{
- .code = EC_OSPF_MD5,
- .title = "OSPF has noticed a MD5 issue",
- .description = "Something has gone wrong with the calculation of the MD5 data",
+ .code = EC_OSPF_AUTH,
+ .title = "OSPF has noticed an authentication issue",
+ .description = "Something has gone wrong with the calculation of the authentication data",
.suggestion = "Ensure your key is correct, gather log data from this side as well as peer and open an Issue",
},
{
EC_OSPF_INVALID_ALGORITHM,
EC_OSPF_FSM_INVALID_STATE,
EC_OSPF_SET_METRIC_PLUS,
- EC_OSPF_MD5,
+ EC_OSPF_AUTH,
EC_OSPF_PACKET,
EC_OSPF_LARGE_LSA,
EC_OSPF_LSA_UNEXPECTED,
UNSET_IF_PARAM(oip, auth_type);
UNSET_IF_PARAM(oip, if_area);
UNSET_IF_PARAM(oip, opaque_capable);
+ UNSET_IF_PARAM(oip, keychain_name);
oip->auth_crypt = list_new();
struct ospf_if_params *oip)
{
list_delete(&oip->auth_crypt);
+ XFREE(MTYPE_OSPF_IF_PARAMS, oip->keychain_name);
ospf_interface_disable_bfd(ifp, oip);
ldp_sync_info_free(&(oip->ldp_sync_info));
XFREE(MTYPE_OSPF_IF_PARAMS, oip);
!OSPF_IF_PARAM_CONFIGURED(oip, if_area) &&
!OSPF_IF_PARAM_CONFIGURED(oip, opaque_capable) &&
!OSPF_IF_PARAM_CONFIGURED(oip, prefix_suppression) &&
+ !OSPF_IF_PARAM_CONFIGURED(oip, keychain_name) &&
listcount(oip->auth_crypt) == 0) {
ospf_del_if_params(ifp, oip);
rn->info = NULL;
#include "lib/bfd.h"
#include "qobj.h"
#include "hook.h"
+#include "keychain.h"
#include "ospfd/ospf_packet.h"
#include "ospfd/ospf_spf.h"
auth_crypt); /* List of Auth cryptographic data. */
DECLARE_IF_PARAM(int, auth_type); /* OSPF authentication type */
+ DECLARE_IF_PARAM(char*, keychain_name); /* OSPF HMAC Cryptographic Authentication*/
+
/* Other, non-configuration state */
uint32_t network_lsa_seqnum; /* Network LSA seqnum */
uint32_t full_nbrs;
+ /* Buffered values for keychain and key */
+ struct keychain *keychain;
+ struct key *key;
+
QOBJ_FIELDS;
};
DECLARE_QOBJ_TYPE(ospf_interface);
#include "vrf.h"
#include "libfrr.h"
#include "routemap.h"
+#include "keychain.h"
#include "ospfd/ospfd.h"
#include "ospfd/ospf_interface.h"
access_list_init();
prefix_list_init();
+ keychain_init();
/* Configuration processing callback initialization. */
cmd_init_config_callbacks(ospf_config_start, ospf_config_end);
#include "ospfd/ospf_errors.h"
#include "ospfd/ospf_zebra.h"
#include "ospfd/ospf_gr.h"
+#include "ospfd/ospf_auth.h"
/*
* OSPF Fragmentation / fragmented writes
OSPF_OPAQUE_LSA_MIN_SIZE, /* OSPF_OPAQUE_AS_LSA */
};
-/* for ospf_check_auth() */
-static int ospf_check_sum(struct ospf_header *);
-
-/* OSPF authentication checking function */
-static int ospf_auth_type(struct ospf_interface *oi)
-{
- int auth_type;
-
- if (OSPF_IF_PARAM(oi, auth_type) == OSPF_AUTH_NOTSET)
- auth_type = oi->area->auth_type;
- else
- auth_type = OSPF_IF_PARAM(oi, auth_type);
-
- /* Handle case where MD5 key list is not configured aka Cisco */
- if (auth_type == OSPF_AUTH_CRYPTOGRAPHIC
- && list_isempty(OSPF_IF_PARAM(oi, auth_crypt)))
- return OSPF_AUTH_NULL;
-
- return auth_type;
-}
-
static struct ospf_packet *ospf_packet_new(size_t size)
{
struct ospf_packet *new;
"ospf_packet_dup stream %lu ospf_packet %u size mismatch",
(unsigned long)STREAM_SIZE(op->s), op->length);
- /* Reserve space for MD5 authentication that may be added later. */
- new = ospf_packet_new(stream_get_endp(op->s) + OSPF_AUTH_MD5_SIZE);
+ /* Reserve space for MD5/HMAC SHA authentication that may be added later. */
+ new = ospf_packet_new(stream_get_endp(op->s) + KEYCHAIN_MAX_HASH_SIZE);
stream_copy(new->s, op->s);
new->dst = op->dst;
int auth = 0;
if (ospf_auth_type(oi) == OSPF_AUTH_CRYPTOGRAPHIC)
- auth = OSPF_AUTH_MD5_SIZE;
+ auth = KEYCHAIN_MAX_HASH_SIZE;
return auth;
}
return max;
}
-
-static int ospf_check_md5_digest(struct ospf_interface *oi,
- struct ospf_header *ospfh)
-{
-#ifdef CRYPTO_OPENSSL
- EVP_MD_CTX *ctx;
-#elif CRYPTO_INTERNAL
- MD5_CTX ctx;
-#endif
- unsigned char digest[OSPF_AUTH_MD5_SIZE];
- struct crypt_key *ck;
- struct ospf_neighbor *nbr;
- uint16_t length = ntohs(ospfh->length);
-
- /* Get secret key. */
- ck = ospf_crypt_key_lookup(OSPF_IF_PARAM(oi, auth_crypt),
- ospfh->u.crypt.key_id);
- if (ck == NULL) {
- flog_warn(
- EC_OSPF_MD5,
- "interface %s: ospf_check_md5 no key %d, Router-ID: %pI4",
- IF_NAME(oi), ospfh->u.crypt.key_id, &ospfh->router_id);
- return 0;
- }
-
- /* check crypto seqnum. */
- nbr = ospf_nbr_lookup_by_routerid(oi->nbrs, &ospfh->router_id);
-
- if (nbr
- && ntohl(nbr->crypt_seqnum) > ntohl(ospfh->u.crypt.crypt_seqnum)) {
- flog_warn(
- EC_OSPF_MD5,
- "interface %s: ospf_check_md5 bad sequence %d (expect %d), Router-ID: %pI4",
- IF_NAME(oi), ntohl(ospfh->u.crypt.crypt_seqnum),
- ntohl(nbr->crypt_seqnum), &ospfh->router_id);
- return 0;
- }
-
- /* Generate a digest for the ospf packet - their digest + our digest. */
-#ifdef CRYPTO_OPENSSL
- unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
- ctx = EVP_MD_CTX_new();
- EVP_DigestInit(ctx, EVP_md5());
- EVP_DigestUpdate(ctx, ospfh, length);
- EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
- EVP_DigestFinal(ctx, digest, &md5_size);
- EVP_MD_CTX_free(ctx);
-#elif CRYPTO_INTERNAL
- memset(&ctx, 0, sizeof(ctx));
- MD5Init(&ctx);
- MD5Update(&ctx, ospfh, length);
- MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
- MD5Final(digest, &ctx);
-#endif
-
- /* compare the two */
- if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) {
- flog_warn(
- EC_OSPF_MD5,
- "interface %s: ospf_check_md5 checksum mismatch, Router-ID: %pI4",
- IF_NAME(oi), &ospfh->router_id);
- return 0;
- }
-
- /* save neighbor's crypt_seqnum */
- if (nbr)
- nbr->crypt_seqnum = ospfh->u.crypt.crypt_seqnum;
- return 1;
-}
-
-/* This function is called from ospf_write(), it will detect the
- authentication scheme and if it is MD5, it will change the sequence
- and update the MD5 digest. */
-static int ospf_make_md5_digest(struct ospf_interface *oi,
- struct ospf_packet *op)
-{
- struct ospf_header *ospfh;
- unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0};
-#ifdef CRYPTO_OPENSSL
- EVP_MD_CTX *ctx;
-#elif CRYPTO_INTERNAL
- MD5_CTX ctx;
-#endif
- void *ibuf;
- uint32_t t;
- struct crypt_key *ck;
- const uint8_t *auth_key;
-
- ibuf = STREAM_DATA(op->s);
- ospfh = (struct ospf_header *)ibuf;
-
- if (ntohs(ospfh->auth_type) != OSPF_AUTH_CRYPTOGRAPHIC)
- return 0;
-
- /* We do this here so when we dup a packet, we don't have to
- waste CPU rewriting other headers.
-
- Note that frr_time /deliberately/ is not used here */
- t = (time(NULL) & 0xFFFFFFFF);
- if (t > oi->crypt_seqnum)
- oi->crypt_seqnum = t;
- else
- oi->crypt_seqnum++;
-
- ospfh->u.crypt.crypt_seqnum = htonl(oi->crypt_seqnum);
-
- /* Get MD5 Authentication key from auth_key list. */
- if (list_isempty(OSPF_IF_PARAM(oi, auth_crypt)))
- auth_key = (const uint8_t *)digest;
- else {
- ck = listgetdata(listtail(OSPF_IF_PARAM(oi, auth_crypt)));
- auth_key = ck->auth_key;
- }
-
- /* Generate a digest for the entire packet + our secret key. */
-#ifdef CRYPTO_OPENSSL
- unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
- ctx = EVP_MD_CTX_new();
- EVP_DigestInit(ctx, EVP_md5());
- EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length));
- EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
- EVP_DigestFinal(ctx, digest, &md5_size);
- EVP_MD_CTX_free(ctx);
-#elif CRYPTO_INTERNAL
- memset(&ctx, 0, sizeof(ctx));
- MD5Init(&ctx);
- MD5Update(&ctx, ibuf, ntohs(ospfh->length));
- MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
- MD5Final(digest, &ctx);
-#endif
-
- /* Append md5 digest to the end of the stream. */
- stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
-
- /* We do *NOT* increment the OSPF header length. */
- op->length = ntohs(ospfh->length) + OSPF_AUTH_MD5_SIZE;
-
- if (stream_get_endp(op->s) != op->length)
- /* XXX size_t */
- flog_warn(
- EC_OSPF_MD5,
- "%s: length mismatch stream %lu ospf_packet %u, Router-ID %pI4",
- __func__, (unsigned long)stream_get_endp(op->s),
- op->length, &ospfh->router_id);
-
- return OSPF_AUTH_MD5_SIZE;
-}
-
-
static void ospf_ls_req_timer(struct event *thread)
{
struct ospf_neighbor *nbr;
ospf_if_ipmulticast(fd, oi->address, oi->ifp->ifindex);
/* Rewrite the md5 signature & update the seq */
- ospf_make_md5_digest(oi, op);
+ ospf_auth_make(oi, op);
/* Retrieve OSPF packet type. */
stream_set_getp(op->s, 1);
return 0;
}
-/* Return 1, if the packet is properly authenticated and checksummed,
- 0 otherwise. In particular, check that AuType header field is valid and
- matches the locally configured AuType, and that D.5 requirements are met. */
-static int ospf_check_auth(struct ospf_interface *oi, struct ospf_header *ospfh)
-{
- struct crypt_key *ck;
- uint16_t iface_auth_type;
- uint16_t pkt_auth_type = ntohs(ospfh->auth_type);
-
- switch (pkt_auth_type) {
- case OSPF_AUTH_NULL: /* RFC2328 D.5.1 */
- if (OSPF_AUTH_NULL != (iface_auth_type = ospf_auth_type(oi))) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: auth-type mismatch, local %s, rcvd Null, Router-ID %pI4",
- IF_NAME(oi),
- lookup_msg(ospf_auth_type_str,
- iface_auth_type, NULL),
- &ospfh->router_id);
- return 0;
- }
- if (!ospf_check_sum(ospfh)) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: Null auth OK, but checksum error, Router-ID %pI4",
- IF_NAME(oi),
- &ospfh->router_id);
- return 0;
- }
- return 1;
- case OSPF_AUTH_SIMPLE: /* RFC2328 D.5.2 */
- if (OSPF_AUTH_SIMPLE
- != (iface_auth_type = ospf_auth_type(oi))) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: auth-type mismatch, local %s, rcvd Simple, Router-ID %pI4",
- IF_NAME(oi),
- lookup_msg(ospf_auth_type_str,
- iface_auth_type, NULL),
- &ospfh->router_id);
- return 0;
- }
- if (memcmp(OSPF_IF_PARAM(oi, auth_simple), ospfh->u.auth_data,
- OSPF_AUTH_SIMPLE_SIZE)) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: Simple auth failed, Router-ID %pI4",
- IF_NAME(oi), &ospfh->router_id);
- return 0;
- }
- if (!ospf_check_sum(ospfh)) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: Simple auth OK, checksum error, Router-ID %pI4",
- IF_NAME(oi),
- &ospfh->router_id);
- return 0;
- }
- return 1;
- case OSPF_AUTH_CRYPTOGRAPHIC: /* RFC2328 D.5.3 */
- if (OSPF_AUTH_CRYPTOGRAPHIC
- != (iface_auth_type = ospf_auth_type(oi))) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: auth-type mismatch, local %s, rcvd Cryptographic, Router-ID %pI4",
- IF_NAME(oi),
- lookup_msg(ospf_auth_type_str,
- iface_auth_type, NULL),
- &ospfh->router_id);
- return 0;
- }
- if (ospfh->checksum) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: OSPF header checksum is not 0, Router-ID %pI4",
- IF_NAME(oi), &ospfh->router_id);
- return 0;
- }
- /* only MD5 crypto method can pass ospf_packet_examin() */
- if (NULL == (ck = listgetdata(
- listtail(OSPF_IF_PARAM(oi, auth_crypt))))
- || ospfh->u.crypt.key_id != ck->key_id ||
- /* Condition above uses the last key ID on the list,
- which is
- different from what ospf_crypt_key_lookup() does. A
- bug? */
- !ospf_check_md5_digest(oi, ospfh)) {
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_MD5,
- "interface %s: MD5 auth failed, Router-ID %pI4",
- IF_NAME(oi), &ospfh->router_id);
- return 0;
- }
- return 1;
- default:
- if (IS_DEBUG_OSPF_PACKET(ospfh->type - 1, RECV))
- flog_warn(
- EC_OSPF_PACKET,
- "interface %s: invalid packet auth-type (%02x), Router-ID %pI4",
- IF_NAME(oi), pkt_auth_type, &ospfh->router_id);
- return 0;
- }
-}
-
-static int ospf_check_sum(struct ospf_header *ospfh)
-{
- uint32_t ret;
- uint16_t sum;
-
- /* clear auth_data for checksum. */
- memset(ospfh->u.auth_data, 0, OSPF_AUTH_SIMPLE_SIZE);
-
- /* keep checksum and clear. */
- sum = ospfh->checksum;
- memset(&ospfh->checksum, 0, sizeof(uint16_t));
-
- /* calculate checksum. */
- ret = in_cksum(ospfh, ntohs(ospfh->length));
-
- if (ret != sum) {
- zlog_info("%s: checksum mismatch, my %X, his %X", __func__, ret,
- sum);
- return 0;
- }
-
- return 1;
-}
-
/* Verify, that given link/TOS records are properly sized/aligned and match
Router-LSA "# links" and "# TOS" fields as specified in RFC2328 A.4.2. */
static unsigned ospf_router_lsa_links_examin(struct router_lsa_link *link,
if (ntohs(oh->auth_type) != OSPF_AUTH_CRYPTOGRAPHIC)
bytesauth = 0;
else {
- if (oh->u.crypt.auth_data_len != OSPF_AUTH_MD5_SIZE) {
+ if (oh->u.crypt.auth_data_len > KEYCHAIN_MAX_HASH_SIZE) {
if (IS_DEBUG_OSPF_PACKET(0, RECV))
zlog_debug(
"%s: unsupported crypto auth length (%u B)",
__func__, oh->u.crypt.auth_data_len);
return MSG_NG;
}
- bytesauth = OSPF_AUTH_MD5_SIZE;
+ bytesauth = oh->u.crypt.auth_data_len;
}
if (bytesdeclared + bytesauth > bytesonwire) {
if (IS_DEBUG_OSPF_PACKET(0, RECV))
/* Check authentication. The function handles logging actions, where
* required. */
- if (!ospf_check_auth(oi, ospfh))
+ if (!ospf_auth_check(oi, iph, ospfh))
return -1;
return 0;
stream_forward_endp(s, OSPF_HEADER_SIZE);
}
-/* Make Authentication Data. */
-static int ospf_make_auth(struct ospf_interface *oi, struct ospf_header *ospfh)
-{
- struct crypt_key *ck;
-
- switch (ospf_auth_type(oi)) {
- case OSPF_AUTH_NULL:
- /* memset (ospfh->u.auth_data, 0, sizeof(ospfh->u.auth_data));
- */
- break;
- case OSPF_AUTH_SIMPLE:
- memcpy(ospfh->u.auth_data, OSPF_IF_PARAM(oi, auth_simple),
- OSPF_AUTH_SIMPLE_SIZE);
- break;
- case OSPF_AUTH_CRYPTOGRAPHIC:
- /* If key is not set, then set 0. */
- if (list_isempty(OSPF_IF_PARAM(oi, auth_crypt))) {
- ospfh->u.crypt.zero = 0;
- ospfh->u.crypt.key_id = 0;
- ospfh->u.crypt.auth_data_len = OSPF_AUTH_MD5_SIZE;
- } else {
- ck = listgetdata(
- listtail(OSPF_IF_PARAM(oi, auth_crypt)));
- ospfh->u.crypt.zero = 0;
- ospfh->u.crypt.key_id = ck->key_id;
- ospfh->u.crypt.auth_data_len = OSPF_AUTH_MD5_SIZE;
- }
- /* note: the seq is done in ospf_make_md5_digest() */
- break;
- default:
- /* memset (ospfh->u.auth_data, 0, sizeof(ospfh->u.auth_data));
- */
- break;
- }
-
- return 0;
-}
-
/* Fill rest of OSPF header. */
static void ospf_fill_header(struct ospf_interface *oi, struct stream *s,
uint16_t length)
ospfh->checksum = 0;
/* Add Authentication Data. */
- ospf_make_auth(oi, ospfh);
+ oi->keychain = NULL;
+ oi->key = NULL;
+ ospf_auth_make_data(oi, ospfh);
}
static int ospf_make_hello(struct ospf_interface *oi, struct stream *s)
#include <lib/json.h>
#include "defaults.h"
#include "lib/printfrr.h"
+#include "keychain.h"
#include "ospfd/ospfd.h"
#include "ospfd/ospf_asbr.h"
#include "ospfd/ospf_bfd.h"
#include "ospfd/ospf_ldp_sync.h"
#include "ospfd/ospf_network.h"
+#include "ospfd/ospf_memory.h"
FRR_CFG_DEFAULT_BOOL(OSPF_LOG_ADJACENCY_CHANGES,
{ .val_bool = true, .match_profile = "datacenter", },
char *auth_key; /* simple password if present */
int crypto_key_id; /* Cryptographic key ID */
char *md5_key; /* MD5 authentication key */
+ char *keychain; /* Cryptographic keychain */
+ int del_keychain;
int hello_interval; /* Obvious what these are... */
int retransmit_interval;
int transmit_delay;
strlcpy((char *)IF_DEF_PARAMS(ifp)->auth_simple,
vl_config->auth_key,
sizeof(IF_DEF_PARAMS(ifp)->auth_simple));
+ } else if (vl_config->keychain) {
+ SET_IF_PARAM(IF_DEF_PARAMS(ifp), keychain_name);
+ XFREE(MTYPE_OSPF_IF_PARAMS, IF_DEF_PARAMS(ifp)->keychain_name);
+ IF_DEF_PARAMS(ifp)->keychain_name = XSTRDUP(MTYPE_OSPF_IF_PARAMS, vl_config->keychain);
} else if (vl_config->md5_key) {
if (ospf_crypt_key_lookup(IF_DEF_PARAMS(ifp)->auth_crypt,
vl_config->crypto_key_id)
ospf_crypt_key_delete(IF_DEF_PARAMS(ifp)->auth_crypt,
vl_config->crypto_key_id);
+ } else if (vl_config->del_keychain) {
+ UNSET_IF_PARAM(IF_DEF_PARAMS(ifp), keychain_name);
+ XFREE(MTYPE_OSPF_IF_PARAMS, IF_DEF_PARAMS(ifp)->keychain_name);
}
return CMD_SUCCESS;
DEFUN (ospf_area_vlink,
ospf_area_vlink_cmd,
- "area <A.B.C.D|(0-4294967295)> virtual-link A.B.C.D [authentication [<message-digest|null>]] [<message-digest-key (1-255) md5 KEY|authentication-key AUTH_KEY>]",
+ "area <A.B.C.D|(0-4294967295)> virtual-link A.B.C.D [authentication [<key-chain KEYCHAIN_NAME|message-digest|null>]] [<message-digest-key (1-255) md5 KEY|authentication-key AUTH_KEY>]",
VLINK_HELPSTR_IPADDR
"Enable authentication on this virtual link\n"
+ "Use a key-chain for cryptographic authentication keys\n"
+ "Key-chain name\n"
"Use message-digest authentication\n"
"Use null authentication\n"
VLINK_HELPSTR_AUTH_MD5
vl_config.auth_type = OSPF_AUTH_SIMPLE;
}
- if (argv_find(argv, argc, "message-digest", &idx)) {
+ if (argv_find(argv, argc, "key-chain", &idx)) {
+ vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ vl_config.keychain = argv[idx+1]->arg;
+ } else if (argv_find(argv, argc, "message-digest", &idx)) {
/* authentication message-digest */
vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
} else if (argv_find(argv, argc, "null", &idx)) {
DEFUN (no_ospf_area_vlink,
no_ospf_area_vlink_cmd,
- "no area <A.B.C.D|(0-4294967295)> virtual-link A.B.C.D [authentication [<message-digest|null>]] [<message-digest-key (1-255) md5 KEY|authentication-key AUTH_KEY>]",
+ "no area <A.B.C.D|(0-4294967295)> virtual-link A.B.C.D [authentication [<key-chain KEYCHAIN_NAME|message-digest|null>]] [<message-digest-key (1-255) md5 KEY|authentication-key AUTH_KEY>]",
NO_STR
VLINK_HELPSTR_IPADDR
"Enable authentication on this virtual link\n"
+ "Use a key-chain for cryptographic authentication keys\n"
+ "Key-chain name\n"
"Use message-digest authentication\n"
"Use null authentication\n"
VLINK_HELPSTR_AUTH_MD5
vl_config.auth_type = OSPF_AUTH_NOTSET;
}
+ if (argv_find(argv, argc, "key-chain", &idx)) {
+ vl_config.del_keychain = 1;
+ vl_config.keychain = NULL;
+ }
+
if (argv_find(argv, argc, "message-digest-key", &idx)) {
vl_config.md5_key = NULL;
vl_config.crypto_key_id = strtol(argv[idx + 1]->arg, NULL, 10);
case OSPF_AUTH_CRYPTOGRAPHIC: {
struct crypt_key *ckey;
- if (list_isempty(OSPF_IF_PARAM(oi, auth_crypt)))
- return;
-
- ckey = listgetdata(listtail(OSPF_IF_PARAM(oi, auth_crypt)));
- if (ckey) {
+ if (OSPF_IF_PARAM(oi, keychain_name)) {
if (use_json) {
json_object_string_add(json, "authentication",
- "authenticationMessageDigest");
+ "authenticationKeyChain");
+ json_object_string_add(json, "keychain",
+ OSPF_IF_PARAM(oi, keychain_name));
} else {
vty_out(vty,
" Cryptographic authentication enabled\n");
- vty_out(vty, " Algorithm:MD5\n");
+ struct keychain *keychain = keychain_lookup(OSPF_IF_PARAM(oi, keychain_name));
+
+ if (keychain) {
+ struct key *key = key_lookup_for_send(keychain);
+
+ if (key) {
+ vty_out(vty, " Sending SA: Key %u, Algorithm %s - key chain %s\n",
+ key->index, keychain_get_algo_name_by_id(key->hash_algo),
+ OSPF_IF_PARAM(oi, keychain_name));
+ }
+ }
+ }
+ } else {
+ if (list_isempty(OSPF_IF_PARAM(oi, auth_crypt)))
+ return;
+
+ ckey = listgetdata(listtail(OSPF_IF_PARAM(oi, auth_crypt)));
+ if (ckey) {
+ if (use_json) {
+ json_object_string_add(json, "authentication",
+ "authenticationMessageDigest");
+ } else {
+ vty_out(vty,
+ " Cryptographic authentication enabled\n");
+ vty_out(vty, " Algorithm:MD5\n");
+ }
}
}
break;
DEFUN (ip_ospf_authentication_args,
ip_ospf_authentication_args_addr_cmd,
- "ip ospf authentication <null|message-digest> [A.B.C.D]",
+ "ip ospf authentication <null|message-digest|key-chain KEYCHAIN_NAME> [A.B.C.D]",
"IP Information\n"
"OSPF interface commands\n"
"Enable authentication on this interface\n"
"Use null authentication\n"
"Use message-digest authentication\n"
+ "Use a key-chain for cryptographic authentication keys\n"
+ "Key-chain name\n"
"Address of interface\n")
{
VTY_DECLVAR_CONTEXT(interface, ifp);
int idx_encryption = 3;
- int idx_ipv4 = 4;
+ int idx_ipv4 = argc-1;
struct in_addr addr;
int ret;
struct ospf_if_params *params;
params = IF_DEF_PARAMS(ifp);
- if (argc == 5) {
+ if (argv[idx_ipv4]->type == IPV4_TKN) {
ret = inet_aton(argv[idx_ipv4]->arg, &addr);
if (!ret) {
vty_out(vty,
if (argv[idx_encryption]->arg[0] == 'm') {
SET_IF_PARAM(params, auth_type);
params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ UNSET_IF_PARAM(params, keychain_name);
+ XFREE(MTYPE_OSPF_IF_PARAMS, params->keychain_name);
+ return CMD_SUCCESS;
+ }
+
+ if (argv[idx_encryption]->arg[0] == 'k') {
+ SET_IF_PARAM(params, auth_type);
+ params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ SET_IF_PARAM(params, keychain_name);
+ params->keychain_name = XSTRDUP(MTYPE_OSPF_IF_PARAMS, argv[idx_encryption+1]->arg);
+ UNSET_IF_PARAM(params, auth_crypt);
return CMD_SUCCESS;
}
DEFUN (no_ip_ospf_authentication_args,
no_ip_ospf_authentication_args_addr_cmd,
- "no ip ospf authentication <null|message-digest> [A.B.C.D]",
+ "no ip ospf authentication <null|message-digest|key-chain [KEYCHAIN_NAME]> [A.B.C.D]",
NO_STR
"IP Information\n"
"OSPF interface commands\n"
"Enable authentication on this interface\n"
"Use null authentication\n"
"Use message-digest authentication\n"
+ "Use a key-chain for cryptographic authentication keys\n"
+ "Key-chain name\n"
"Address of interface\n")
{
VTY_DECLVAR_CONTEXT(interface, ifp);
int idx_encryption = 4;
- int idx_ipv4 = 5;
+ int idx_ipv4 = argc-1;
struct in_addr addr;
int ret;
struct ospf_if_params *params;
params = IF_DEF_PARAMS(ifp);
- if (argc == 6) {
+ if (argv[idx_ipv4]->type == IPV4_TKN) {
ret = inet_aton(argv[idx_ipv4]->arg, &addr);
if (!ret) {
vty_out(vty,
}
params->auth_type = OSPF_AUTH_NOTSET;
UNSET_IF_PARAM(params, auth_type);
+
+ XFREE(MTYPE_OSPF_IF_PARAMS, params->keychain_name);
+ UNSET_IF_PARAM(params, keychain_name);
+
if (params != IF_DEF_PARAMS(ifp)) {
ospf_free_if_params(ifp, addr);
ospf_if_update_params(ifp, addr);
} else {
if (argv[idx_encryption]->arg[0] == 'n') {
auth_type = OSPF_AUTH_NULL;
- } else if (argv[idx_encryption]->arg[0] == 'm') {
+ } else if (argv[idx_encryption]->arg[0] == 'm' ||
+ argv[idx_encryption]->arg[0] == 'k') {
auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
} else {
vty_out(vty, "Unexpected input encountered\n");
if (params->auth_type == auth_type) {
params->auth_type = OSPF_AUTH_NOTSET;
UNSET_IF_PARAM(params, auth_type);
+ XFREE(MTYPE_OSPF_IF_PARAMS, params->keychain_name);
+ UNSET_IF_PARAM(params, keychain_name);
}
for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn;
if (params->auth_type == auth_type) {
params->auth_type = OSPF_AUTH_NOTSET;
UNSET_IF_PARAM(params, auth_type);
+ XFREE(MTYPE_OSPF_IF_PARAMS, params->keychain_name);
+ UNSET_IF_PARAM(params, keychain_name);
if (params != IF_DEF_PARAMS(ifp)) {
ospf_free_if_params(
ifp, rn->p.u.prefix4);
"loopback"
};
-static const char *interface_config_auth_str(struct ospf_if_params *params)
+static int interface_config_auth_str(struct ospf_if_params *params, char *buf)
{
if (!OSPF_IF_PARAM_CONFIGURED(params, auth_type)
|| params->auth_type == OSPF_AUTH_NOTSET)
- return NULL;
+ return 0;
/* Translation tables are not that much help
* here due to syntax
switch (params->auth_type) {
case OSPF_AUTH_NULL:
- return " null";
+ snprintf(buf, BUFSIZ, " null");
+ break;
case OSPF_AUTH_SIMPLE:
- return "";
+ snprintf(buf, BUFSIZ, " ");
+ break;
case OSPF_AUTH_CRYPTOGRAPHIC:
- return " message-digest";
+ if (OSPF_IF_PARAM_CONFIGURED(params, keychain_name))
+ snprintf(buf, BUFSIZ, " key-chain %s", params->keychain_name);
+ else
+ snprintf(buf, BUFSIZ, " message-digest");
+ break;
}
- return "";
+ return 1;
}
static int config_write_interface_one(struct vty *vty, struct vrf *vrf)
struct crypt_key *ck;
struct route_node *rn = NULL;
struct ospf_if_params *params;
- const char *auth_str;
+ char buf[BUFSIZ];
+ int ret = 0;
int write = 0;
FOR_ALL_INTERFACES (vrf, ifp) {
}
/* OSPF interface authentication print */
- auth_str = interface_config_auth_str(params);
- if (auth_str) {
+ ret = interface_config_auth_str(params, buf);
+ if (ret) {
vty_out(vty, " ip ospf authentication%s",
- auth_str);
+ buf);
if (params != IF_DEF_PARAMS(ifp) && rn)
vty_out(vty, " %pI4",
&rn->p.u.prefix4);
{
struct listnode *node;
struct ospf_vl_data *vl_data;
- const char *auth_str;
char buf[INET_ADDRSTRLEN];
+ char buf2[BUFSIZ];
+ int ret = 0;
/* Virtual-Link print */
for (ALL_LIST_ELEMENTS_RO(ospf->vlinks, node, vl_data)) {
vty_out(vty, " area %s virtual-link %pI4\n", buf,
&vl_data->vl_peer);
/* Auth type */
- auth_str = interface_config_auth_str(
- IF_DEF_PARAMS(oi->ifp));
- if (auth_str)
+ ret = interface_config_auth_str(
+ IF_DEF_PARAMS(oi->ifp), buf2);
+ if (ret)
vty_out(vty,
" area %s virtual-link %pI4 authentication%s\n",
- buf, &vl_data->vl_peer, auth_str);
+ buf, &vl_data->vl_peer, buf2);
/* Auth key */
if (IF_DEF_PARAMS(vl_data->vl_oi->ifp)->auth_simple[0]
!= '\0')
ospfd/ospf_zebra.c \
ospfd/ospfd.c \
ospfd/ospf_gr_helper.c \
+ ospfd/ospf_auth.c \
# end
if OSPFD
ospfd/ospf_te.h \
ospfd/ospf_vty.h \
ospfd/ospf_zebra.h \
+ ospfd/ospf_auth.h \
# end
ospfd_ospfd_LDADD = ospfd/libfrrospf.a ospfd/libfrrospfclient.a lib/libfrr.la $(LIBCAP) $(LIBM)
"lib/filter.c": "VTYSH_ACL",
"lib/filter_cli.c": "VTYSH_ACL",
"lib/if.c": "VTYSH_INTERFACE",
- "lib/keychain.c": "VTYSH_RIPD|VTYSH_EIGRPD|VTYSH_OSPF6D",
+ "lib/keychain.c": "VTYSH_KEYS",
"lib/mgmt_be_client.c": "VTYSH_STATICD",
"lib/mgmt_fe_client.c": "VTYSH_MGMTD",
"lib/lib_vty.c": "VTYSH_ALL",
cmd = "ip ospf authentication null"
elif data_ospf_auth == "message-digest":
cmd = "ip ospf authentication message-digest"
+ elif data_ospf_auth == "key-chain":
+ cmd = "ip ospf authentication key-chain {}".format(
+ ospf_data["keychain"]
+ )
else:
cmd = "ip ospf authentication"
TESTCASES =
1. Verify ospf authentication with Simple password authentication.
2. Verify ospf authentication with MD5 authentication.
-3. Verify ospf authentication with different authentication methods.
+3. Verify ospf authentication with MD5 keychain authentication.
+4. Verify ospf authentication with SHA256 keychain authentication.
+5. Verify ospf authentication with different authentication methods.
"""
write_test_footer(tc_name)
-def test_ospf_authentication_different_auths_tc30_p1(request):
+def test_ospf_authentication_md5_keychain_tc30_p1(request):
+ """
+ OSPF Authentication - Verify ospf authentication with MD5 authentication.
+
+ """
+ tc_name = request.node.name
+ write_test_header(tc_name)
+ tgen = get_topogen()
+ global topo
+ step("Bring up the base config.")
+ reset_config_on_routers(tgen)
+ step(
+ "Configure ospf with on R1 and R2, enable ospf on R1 interface "
+ "connected to R2 with message-digest authentication using ip "
+ "ospf authentication key-chain cmd."
+ )
+
+ router1 = tgen.gears["r1"]
+ router2 = tgen.gears["r2"]
+
+ router1.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm md5"""
+ )
+
+ r1_ospf_auth = {
+ "r1": {
+ "links": {
+ "r2": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r1_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step("Verify that the neighbour is not FULL between R1 and R2.")
+ # wait for dead time expiry.
+ sleep(6)
+ dut = "r1"
+ ospf_covergence = verify_ospf_neighbor(
+ tgen, topo, dut=dut, expected=False, retry_timeout=6
+ )
+ assert ospf_covergence is not True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step(
+ "On R2 enable ospf on interface with message-digest authentication"
+ " using ip ospf authentication message-digest password cmd."
+ )
+
+ router2.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm md5"""
+ )
+
+ r2_ospf_auth = {
+ "r2": {
+ "links": {
+ "r1": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r2_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 "
+ "using show ip ospf neighbor cmd."
+ )
+
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step(
+ "Disable message-digest authentication on R2 using no ip ospf "
+ "authentication key-chain cmd."
+ )
+
+ r2_ospf_auth = {
+ "r2": {
+ "links": {
+ "r1": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ "del_action": True,
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r2_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step("Verify on R1 ,nbr is deleted for R2 after dead interval expiry")
+ # wait till the dead timer expiry
+ sleep(6)
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(
+ tgen, topo, dut=dut, expected=False, retry_timeout=10
+ )
+ assert ospf_covergence is not True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step("Again On R2 enable ospf on interface with key-chain auth")
+ r2_ospf_auth = {
+ "r2": {
+ "links": {
+ "r1": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r2_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 using"
+ " show ip ospf neighbor cmd."
+ )
+
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step("Shut no shut interface on R1")
+ dut = "r1"
+ intf = topo["routers"]["r1"]["links"]["r2"]["interface"]
+ shutdown_bringup_interface(tgen, dut, intf, False)
+
+ dut = "r2"
+ step(
+ "Verify that the neighbour is not FULL between R1 and R2 using "
+ "show ip ospf neighbor cmd."
+ )
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut, expected=False)
+ assert ospf_covergence is not True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ dut = "r1"
+ shutdown_bringup_interface(tgen, dut, intf, True)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 using "
+ "show ip ospf neighbor cmd."
+ )
+
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step("Change Ip address on R1 and R2")
+
+ topo_modify_change_ip = deepcopy(topo)
+
+ intf_ip = topo_modify_change_ip["routers"]["r1"]["links"]["r2"]["ipv4"]
+
+ topo_modify_change_ip["routers"]["r1"]["links"]["r2"]["ipv4"] = str(
+ IPv4Address(frr_unicode(intf_ip.split("/")[0])) + 3
+ ) + "/{}".format(intf_ip.split("/")[1])
+
+ build_config_from_json(tgen, topo_modify_change_ip, save_bkup=False)
+
+ reset_config_on_routers(tgen, routerName="r1")
+ dut = "r1"
+ intf = topo["routers"]["r1"]["links"]["r2"]["interface"]
+ shutdown_bringup_interface(tgen, dut, intf, False)
+ shutdown_bringup_interface(tgen, dut, intf, True)
+ clear_ospf(tgen, "r1")
+ router1.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm md5"""
+ )
+ r1_ospf_auth = {
+ "r1": {
+ "links": {
+ "r2": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r1_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 with new "
+ "ip address using show ip ospf "
+ )
+
+ dut = "r1"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ write_test_footer(tc_name)
+
+
+def test_ospf_authentication_sha256_keychain_tc32_p1(request):
+ """
+ OSPF Authentication - Verify ospf authentication with MD5 authentication.
+
+ """
+ tc_name = request.node.name
+ write_test_header(tc_name)
+ tgen = get_topogen()
+ global topo
+ step("Bring up the base config.")
+ reset_config_on_routers(tgen)
+ step(
+ "Configure ospf with on R1 and R2, enable ospf on R1 interface "
+ "connected to R2 with message-digest authentication using ip "
+ "ospf authentication key-chain cmd."
+ )
+
+ router1 = tgen.gears["r1"]
+ router2 = tgen.gears["r2"]
+
+ router1.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm hmac-sha-256"""
+ )
+
+ r1_ospf_auth = {
+ "r1": {
+ "links": {
+ "r2": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r1_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step("Verify that the neighbour is not FULL between R1 and R2.")
+ # wait for dead time expiry.
+ sleep(6)
+ dut = "r1"
+ ospf_covergence = verify_ospf_neighbor(
+ tgen, topo, dut=dut, expected=False, retry_timeout=6
+ )
+ assert ospf_covergence is not True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step(
+ "On R2 enable ospf on interface with message-digest authentication"
+ " using ip ospf authentication message-digest password cmd."
+ )
+
+ router2.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm hmac-sha-256"""
+ )
+
+ r2_ospf_auth = {
+ "r2": {
+ "links": {
+ "r1": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r2_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 "
+ "using show ip ospf neighbor cmd."
+ )
+
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step(
+ "Disable message-digest authentication on R2 using no ip ospf "
+ "authentication key-chain cmd."
+ )
+
+ r2_ospf_auth = {
+ "r2": {
+ "links": {
+ "r1": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ "del_action": True,
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r2_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step("Verify on R1 ,nbr is deleted for R2 after dead interval expiry")
+ # wait till the dead timer expiry
+ sleep(6)
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(
+ tgen, topo, dut=dut, expected=False, retry_timeout=10
+ )
+ assert ospf_covergence is not True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step("Again On R2 enable ospf on interface with key-chain auth")
+ r2_ospf_auth = {
+ "r2": {
+ "links": {
+ "r1": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r2_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 using"
+ " show ip ospf neighbor cmd."
+ )
+
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step("Shut no shut interface on R1")
+ dut = "r1"
+ intf = topo["routers"]["r1"]["links"]["r2"]["interface"]
+ shutdown_bringup_interface(tgen, dut, intf, False)
+
+ dut = "r2"
+ step(
+ "Verify that the neighbour is not FULL between R1 and R2 using "
+ "show ip ospf neighbor cmd."
+ )
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut, expected=False)
+ assert ospf_covergence is not True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ dut = "r1"
+ shutdown_bringup_interface(tgen, dut, intf, True)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 using "
+ "show ip ospf neighbor cmd."
+ )
+
+ dut = "r2"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ step("Change Ip address on R1 and R2")
+
+ topo_modify_change_ip = deepcopy(topo)
+
+ intf_ip = topo_modify_change_ip["routers"]["r1"]["links"]["r2"]["ipv4"]
+
+ topo_modify_change_ip["routers"]["r1"]["links"]["r2"]["ipv4"] = str(
+ IPv4Address(frr_unicode(intf_ip.split("/")[0])) + 3
+ ) + "/{}".format(intf_ip.split("/")[1])
+
+ build_config_from_json(tgen, topo_modify_change_ip, save_bkup=False)
+
+ reset_config_on_routers(tgen, routerName="r1")
+ dut = "r1"
+ intf = topo["routers"]["r1"]["links"]["r2"]["interface"]
+ shutdown_bringup_interface(tgen, dut, intf, False)
+ shutdown_bringup_interface(tgen, dut, intf, True)
+ clear_ospf(tgen, "r1")
+ router1.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm hmac-sha-256"""
+ )
+ r1_ospf_auth = {
+ "r1": {
+ "links": {
+ "r2": {
+ "ospf": {
+ "authentication": "key-chain",
+ "keychain": "auth",
+ }
+ }
+ }
+ }
+ }
+ result = config_ospf_interface(tgen, topo, r1_ospf_auth)
+ assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+
+ step(
+ "Verify that the neighbour is FULL between R1 and R2 with new "
+ "ip address using show ip ospf "
+ )
+
+ dut = "r1"
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
+
+ write_test_footer(tc_name)
+
+
+def test_ospf_authentication_different_auths_tc35_p1(request):
"""
OSPF Authentication - Verify ospf authentication with different
authentication methods.
"ospf authentication message-digest cmd."
)
+ router1 = tgen.gears["r1"]
+ router2 = tgen.gears["r2"]
+
r1_ospf_auth = {
"r1": {
"links": {
ospf_covergence
)
- step("Enable Md5 authentication on the interface")
+ step("Enable SHA-256 authentication on the interface")
+
+ router1.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm hmac-sha-256"""
+ )
r1_ospf_auth = {
"r1": {
"links": {
"r2": {
"ospf": {
- "authentication": "message-digest",
- "authentication-key": "ospf",
- "message-digest-key": "10",
+ "authentication": "key-chain",
+ "keychain": "auth",
}
}
}
result = config_ospf_interface(tgen, topo, r1_ospf_auth)
assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+ router2.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string ospf
+ cryptographic-algorithm hmac-sha-256"""
+ )
+
r2_ospf_auth = {
"r2": {
"links": {
"r1": {
"ospf": {
- "authentication": "message-digest",
- "authentication-key": "ospf",
- "message-digest-key": "10",
+ "authentication": "key-chain",
+ "keychain": "auth",
}
}
}
ospf_covergence
)
- step("Change the MD5 authentication password")
+ step("Change the SHA-256 authentication password")
- r1_ospf_auth = {
- "r1": {
- "links": {
- "r2": {
- "ospf": {
- "authentication": "message-digest",
- "authentication-key": "OSPFv4",
- "message-digest-key": "10",
- }
- }
- }
- }
- }
- result = config_ospf_interface(tgen, topo, r1_ospf_auth)
- assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+ router1.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string OSPFv4
+ cryptographic-algorithm hmac-sha-512"""
+ )
- r2_ospf_auth = {
- "r2": {
- "links": {
- "r1": {
- "ospf": {
- "authentication": "message-digest",
- "authentication-key": "OSPFv4",
- "message-digest-key": "10",
- }
- }
- }
- }
- }
- result = config_ospf_interface(tgen, topo, r2_ospf_auth)
- assert result is True, "Testcase {} :Failed \n Error: {}".format(tc_name, result)
+ router2.vtysh_cmd(
+ """configure terminal
+ key chain auth
+ key 10
+ key-string OSPFv4
+ cryptographic-algorithm hmac-sha-512"""
+ )
+ ospf_covergence = verify_ospf_neighbor(tgen, topo, dut=dut)
+ assert ospf_covergence is True, "Testcase Failed \n Error {}".format(
+ ospf_covergence
+ )
write_test_footer(tc_name)
VTYSH_VRRPD
#define VTYSH_INTERFACE VTYSH_INTERFACE_SUBSET | VTYSH_BGPD
#define VTYSH_VRF VTYSH_INTERFACE_SUBSET | VTYSH_MGMTD
-#define VTYSH_KEYS VTYSH_RIPD | VTYSH_EIGRPD | VTYSH_OSPF6D
+#define VTYSH_KEYS VTYSH_RIPD | VTYSH_EIGRPD | VTYSH_OSPF6D | VTYSH_OSPFD
/* Daemons who can process nexthop-group configs */
#define VTYSH_NH_GROUP VTYSH_PBRD|VTYSH_SHARPD
#define VTYSH_SR VTYSH_ZEBRA|VTYSH_PATHD
projects / mirror / frr.git / commitdiff