diff options
| author | Joshua Muthii <jmuthii@labn.net> | 2024-10-29 12:08:14 -0400 |
|---|---|---|
| committer | Joshua Muthii <jmuthii@labn.net> | 2024-10-29 13:15:43 -0400 |
| commit | 5718ee37c7717f61094a40168dae18c6d607ec44 (patch) | |
| tree | 2819e16bbe191941caa5a7cd7eb64b402737f413 | |
| parent | d599aa1da6392c5d116df6bf2fa6bbc5b7b879c3 (diff) | |
nhrpd: Modify NHRP authentication feature logging
Modified nhrp_connection_authorized(). Initially, when writing debug
information about incoming NHRP packets with authentication enabled,
the nhrp_connection_authorized() function would print the
passphrase of the incoming packet as if it were a null terminated
string. This meant that if the passphrase on the incoming packet
had non ASCII-complient bytes in it, it would attempt to print those
bytes anyway. There was also no check that the size of the passphrase in
the incoming packet matched the size of the passphrase on the interface.
The changes in this commit log the passphrase on the incoming packet as
well as the passphrase on interface in HEX to avoid issues with ASCII.
It also performs a check that accounts for the sizes of the two different
passphrases
Moved CISCO_PASS_LENGTH_LEN from nhrp_vty.c to nhrp_protocol.h
for easier access to the macro in other files
Signed-off-by: Joshua Muthii <jmuthii@labn.net>
| -rw-r--r-- | nhrpd/nhrp_peer.c | 49 | ||||
| -rw-r--r-- | nhrpd/nhrp_protocol.h | 1 | ||||
| -rw-r--r-- | nhrpd/nhrp_vty.c | 1 |
3 files changed, 42 insertions, 9 deletions
diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c index d2c1a8c401..fa11980c18 100644 --- a/nhrpd/nhrp_peer.c +++ b/nhrpd/nhrp_peer.c @@ -1169,22 +1169,55 @@ static bool nhrp_connection_authorized(struct nhrp_packet_parser *pp) struct nhrp_extension_header *ext; struct zbuf *extensions, pl; int cmp = 1; + int pl_pass_length, auth_pass_length; + size_t auth_size, pl_size; extensions = zbuf_alloc(zbuf_used(&pp->extensions)); zbuf_copy_peek(extensions, &pp->extensions, zbuf_used(&pp->extensions)); while ((ext = nhrp_ext_pull(extensions, &pl)) != NULL) { switch (htons(ext->type) & ~NHRP_EXTENSION_FLAG_COMPULSORY) { case NHRP_EXTENSION_AUTHENTICATION: - cmp = memcmp(auth->buf, pl.buf, zbuf_size(auth)); + /* Size of authentication extensions + * (varies based on password length) + */ + auth_size = zbuf_size(auth); + pl_size = zbuf_size(&pl); auth_ext = (struct nhrp_cisco_authentication_extension *) auth->buf; - debugf(NHRP_DEBUG_COMMON, - "Processing Authentication Extension for (%s:%s|%d)", - auth_ext->secret, - ((struct nhrp_cisco_authentication_extension *) - pl.buf) - ->secret, - cmp); + + if (auth_size == pl_size) + cmp = memcmp(auth_ext, pl.buf, auth_size); + else + cmp = 1; + + if (unlikely(debug_flags & NHRP_DEBUG_COMMON)) { + /* 4 bytes in nhrp_cisco_authentication_extension are allocated + * toward the authentication type. The remaining bytes are used for the + * password - so the password length is just the length of the extension - 4 + */ + auth_pass_length = (auth_size - 4); + pl_pass_length = (pl_size - 4); + /* Because characters are to be printed in HEX, (2* the max pass length) + 1 + * is needed for the string representation + */ + char auth_pass[(2 * NHRP_CISCO_PASS_LEN) + 1] = { 0 }, + pl_pass[(2 * NHRP_CISCO_PASS_LEN) + 1] = { 0 }; + /* Converting bytes in buffer to HEX and saving output as a string - + * Passphrase is converted to HEX in order to avoid printing + * non ACII-compliant characters + */ + for (int i = 0; i < (auth_pass_length); i++) + snprintf(auth_pass + (i * 2), 3, "%02X", + auth_ext->secret[i]); + for (int i = 0; i < (pl_pass_length); i++) + snprintf(pl_pass + (i * 2), 3, "%02X", + ((struct nhrp_cisco_authentication_extension *)pl.buf) + ->secret[i]); + + debugf(NHRP_DEBUG_COMMON, + "Processing Authentication Extension for (%s:%s|%d)", + auth_pass, pl_pass, cmp); + } break; default: /* Ignoring all received extensions except Authentication*/ diff --git a/nhrpd/nhrp_protocol.h b/nhrpd/nhrp_protocol.h index 8cf1ebbcd6..a4fb315b0e 100644 --- a/nhrpd/nhrp_protocol.h +++ b/nhrpd/nhrp_protocol.h @@ -73,6 +73,7 @@ /* NHRP Authentication extension types (ala Cisco) */ #define NHRP_AUTHENTICATION_PLAINTEXT 0x00000001 +#define NHRP_CISCO_PASS_LEN 8 /* NHRP Packet Structures */ struct nhrp_packet_header { diff --git a/nhrpd/nhrp_vty.c b/nhrpd/nhrp_vty.c index f202576960..199f4d75d4 100644 --- a/nhrpd/nhrp_vty.c +++ b/nhrpd/nhrp_vty.c @@ -467,7 +467,6 @@ DEFUN(if_no_nhrp_holdtime, if_no_nhrp_holdtime_cmd, return CMD_SUCCESS; } -#define NHRP_CISCO_PASS_LEN 8 DEFPY(if_nhrp_authentication, if_nhrp_authentication_cmd, AFI_CMD "nhrp authentication PASSWORD$password", AFI_STR |