diff options
author | Ondrej Filip <feela@network.cz> | 2004-06-26 22:11:14 +0200 |
---|---|---|
committer | Ondrej Filip <feela@network.cz> | 2004-06-26 22:11:14 +0200 |
commit | 5236fb03afecd3d7a6ec6e96712c79a31be32132 (patch) | |
tree | afee4d3766107cdc205d7da70a66d09014aa1ef6 /proto/rip | |
parent | 98ac61766d81d9f20c4a7c7e12859c3b82b24f4c (diff) | |
download | bird-5236fb03afecd3d7a6ec6e96712c79a31be32132.tar bird-5236fb03afecd3d7a6ec6e96712c79a31be32132.zip |
Password management redesigned (untested).
Diffstat (limited to 'proto/rip')
-rw-r--r-- | proto/rip/auth.c | 84 | ||||
-rw-r--r-- | proto/rip/config.Y | 2 | ||||
-rw-r--r-- | proto/rip/rip.c | 3 | ||||
-rw-r--r-- | proto/rip/rip.h | 2 |
4 files changed, 42 insertions, 49 deletions
diff --git a/proto/rip/auth.c b/proto/rip/auth.c index 3d4b91c..bc0cc4b 100644 --- a/proto/rip/auth.c +++ b/proto/rip/auth.c @@ -2,6 +2,7 @@ * Rest in pieces - RIP protocol * * Copyright (c) 1999 Pavel Machek <pavel@ucw.cz> + * Copyright (c) 2004 Ondrej Filip <feela@network.cz> * * Bug fixes by Eric Leblond <eleblond@init-sys.com>, April 2003 * @@ -38,7 +39,7 @@ rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, stru switch (ntohs(block->authtype)) { /* Authentication type */ case AT_PLAINTEXT: { - struct password_item *passwd = get_best_password( P_CF->passwords, 0 ); + struct password_item *passwd = password_find(P_CF->passwords); DBG( "Plaintext passwd" ); if (!passwd) { log( L_AUTH "No passwords set and password authentication came" ); @@ -50,12 +51,18 @@ rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, stru return 1; } } - return 0; + break; case AT_MD5: DBG( "md5 password" ); { - struct password_item *head; + struct password_item *pass = NULL, *ptmp; struct rip_md5_tail *tail; + struct MD5Context ctxt; + char md5sum_packet[16]; + char md5sum_computed[16]; + struct neighbor *neigh = neigh_find(p, &whotoldme, 0); + list *l = P_CF->passwords; + if (ntohs(block->packetlen) != PACKETLEN(num) - sizeof(struct rip_md5_tail) ) { log( L_ERR "Packet length in MD5 does not match computed value" ); return 1; @@ -67,44 +74,34 @@ rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, stru return 1; } - head = P_CF->passwords; - while (head) { - DBG( "time, " ); - if ((head->from > now) || (head->to < now)) - goto skip; - if (block->seq) { - struct neighbor *neigh = neigh_find(p, &whotoldme, 0); - if (!neigh) { - log( L_AUTH "Non-neighbour MD5 checksummed packet?" ); - } else { - if (neigh->aux > block->seq) { - log( L_AUTH "MD5 protected packet with lower numbers" ); - return 0; - } - neigh->aux = block->seq; - } - } - DBG( "check, " ); - if (head->id == block->keyid) { - struct MD5Context ctxt; - char md5sum_packet[16]; - char md5sum_computed[16]; - - memset(md5sum_packet,0,16); - memcpy(md5sum_packet, tail->md5, 16); - password_strncpy(tail->md5, head->password, 16); - - MD5Init(&ctxt); - MD5Update(&ctxt, (char *) packet, ntohs(block->packetlen) + sizeof(struct rip_block_auth) ); - MD5Final(md5sum_computed, &ctxt); - if (memcmp(md5sum_packet, md5sum_computed, 16)) - return 1; - return 0; - } - skip: - head = head->next; + WALK_LIST(ptmp, *l) + { + if (block->keyid != pass->id) continue; + if ((pass->genfrom > now) || (pass->gento < now)) continue; + pass = ptmp; + break; + } + + if(!pass) return 1; + + if (!neigh) { + log( L_AUTH "Non-neighbour MD5 checksummed packet?" ); + } else { + if (neigh->aux > block->seq) { + log( L_AUTH "MD5 protected packet with lower numbers" ); + return 1; + } + neigh->aux = block->seq; } - return 1; + + memcpy(md5sum_packet, tail->md5, 16); + password_cpy(tail->md5, pass->password, 16); + + MD5Init(&ctxt); + MD5Update(&ctxt, (char *) packet, ntohs(block->packetlen) + sizeof(struct rip_block_auth) ); + MD5Final(md5sum_computed, &ctxt); + if (memcmp(md5sum_packet, md5sum_computed, 16)) + return 1; } } @@ -118,7 +115,7 @@ rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, stru int rip_outgoing_authentication( struct proto *p, struct rip_block_auth *block, struct rip_packet *packet, int num ) { - struct password_item *passwd = get_best_password( P_CF->passwords, 0 ); + struct password_item *passwd = password_find( P_CF->passwords); if (!P_CF->authtype) return PACKETLEN(num); @@ -134,7 +131,7 @@ rip_outgoing_authentication( struct proto *p, struct rip_block_auth *block, stru block->mustbeFFFF = 0xffff; switch (P_CF->authtype) { case AT_PLAINTEXT: - password_strncpy( (char *) (&block->packetlen), passwd->password, 16); + password_cpy( (char *) (&block->packetlen), passwd->password, 16); return PACKETLEN(num); case AT_MD5: { @@ -159,8 +156,7 @@ rip_outgoing_authentication( struct proto *p, struct rip_block_auth *block, stru tail->mustbeFFFF = 0xffff; tail->mustbe0001 = 0x0100; - memset(tail->md5,0,16); - password_strncpy( tail->md5, passwd->password, 16 ); + password_cpy(tail->md5, passwd->password, 16); MD5Init(&ctxt); MD5Update(&ctxt, (char *) packet, PACKETLEN(num) + sizeof(struct rip_md5_tail)); MD5Final(tail->md5, &ctxt); diff --git a/proto/rip/config.Y b/proto/rip/config.Y index 00d68f7..4a352c6 100644 --- a/proto/rip/config.Y +++ b/proto/rip/config.Y @@ -51,7 +51,7 @@ rip_cfg: | rip_cfg GARBAGE TIME expr ';' { RIP_CFG->garbage_time = $4; } | rip_cfg TIMEOUT TIME expr ';' { RIP_CFG->timeout_time = $4; } | rip_cfg AUTHENTICATION rip_auth ';' {RIP_CFG->authtype = $3; } - | rip_cfg PASSWORDS '{' password_list '}' {RIP_CFG->passwords = $4; } + | rip_cfg password_list ';' {RIP_CFG->passwords = $2; } | rip_cfg HONOR ALWAYS ';' { RIP_CFG->honor = HO_ALWAYS; } | rip_cfg HONOR NEIGHBOR ';' { RIP_CFG->honor = HO_NEIGHBOR; } | rip_cfg HONOR NEVER ';' { RIP_CFG->honor = HO_NEVER; } diff --git a/proto/rip/rip.c b/proto/rip/rip.c index 8c7b37c..05525e9 100644 --- a/proto/rip/rip.c +++ b/proto/rip/rip.c @@ -981,9 +981,6 @@ rip_reconfigure(struct proto *p, struct proto_config *c) if (!iface_patts_equal(&P_CF->iface_list, &new->iface_list, (void *) rip_pat_compare)) return 0; - if (!password_same(P_CF->passwords, - new->passwords)) - return 0; return !memcmp(((byte *) P_CF) + generic, ((byte *) new) + generic, sizeof(struct rip_proto_config) - generic); diff --git a/proto/rip/rip.h b/proto/rip/rip.h index e01a4bd..5a6e36d 100644 --- a/proto/rip/rip.h +++ b/proto/rip/rip.h @@ -121,7 +121,7 @@ struct rip_patt { struct rip_proto_config { struct proto_config c; list iface_list; /* Patterns configured -- keep it first; see rip_reconfigure why */ - struct password_item *passwords; /* Passwords, keep second */ + list *passwords; /* Passwords, keep second */ int infinity; /* User configurable data; must be comparable with memcmp */ int port; |