Babel: Add MAC authentication support - update

			accept to "<date>";

			from "<date>";

			to "<date>";

			algorithm ( hmac sha1 | hmac sha256 | hmac sha384 | hmac

	sha512 | blake2s | blake2b );

			algorithm ( hmac sha1 | hmac sha256 | hmac sha384 |

	hmac sha512 | blake2s128 | blake2s256 | blake2b256 | blake2b512 );

		};

	};

}

      authentication is selected, a key must be specified with the

      <cf/password/ configuration option. Default: none.

      <tag><label id="babel-password">password "<m/text/"</tag> Specifies a

      password used for authentication. See the <ref id="proto-pass"

      <tag><label id="babel-password">password "<m/text/"</tag>

      Specifies a password used for authentication. See the <ref id="proto-pass"

      name="password"> common option for a detailed description. The Babel

      protocol will only accept HMAC-based algorithms or one of the Blake

      algorithms, and the length of the supplied password string must match the

      key size used by the selected algorithm.

</descrip>

<sect1>Attributes

}

static void

babel_auth_send_challenge(struct babel_iface *ifa, struct babel_neighbor *n)

babel_auth_send_challenge_request(struct babel_iface *ifa, struct babel_neighbor *n)

{

  struct babel_proto *p = ifa->proto;

  union babel_msg msg = {};

  TRACE(D_PACKETS, "Sending AUTH challenge to %I on %s",

  TRACE(D_PACKETS, "Sending challenge request to %I on %s",

	n->addr, ifa->ifname);

  random_bytes(n->auth_nonce, BABEL_AUTH_NONCE_LEN);

  n->auth_nonce_expiry = current_time() + BABEL_AUTH_CHALLENGE_TIMEOUT;

  n->auth_next_challenge = current_time() + BABEL_AUTH_CHALLENGE_INTERVAL;

  msg.type = BABEL_TLV_CHALLENGE_REQ;

  msg.type = BABEL_TLV_CHALLENGE_REQUEST;

  msg.challenge.nonce_len = BABEL_AUTH_NONCE_LEN;

  msg.challenge.nonce = n->auth_nonce;

  babel_send_unicast(&msg, ifa, n->addr);

}

static void

babel_auth_send_challenge_reply(struct babel_iface *ifa, struct babel_neighbor *n, struct babel_msg_auth *rcv)

{

  struct babel_proto *p = ifa->proto;

  union babel_msg msg = {};

  TRACE(D_PACKETS, "Sending challenge reply to %I on %s",

	n->addr, ifa->ifname);

  n->auth_next_challenge_reply = current_time() + BABEL_AUTH_CHALLENGE_INTERVAL;

  msg.type = BABEL_TLV_CHALLENGE_REPLY;

  msg.challenge.nonce_len = rcv->challenge_len;

  msg.challenge.nonce = rcv->challenge;

  babel_send_unicast(&msg, ifa, n->addr);

}

int

babel_auth_check_pc(struct babel_iface *ifa, struct babel_msg_auth *msg)

{

  struct babel_proto *p = ifa->proto;

  struct babel_neighbor *n;

  TRACE(D_PACKETS, "Handling MAC check from %I on %s",

        msg->sender,  ifa->ifname);

  /* We create the neighbour entry at this point because it makes it easier to

  /*

   * We create the neighbour entry at this point because it makes it easier to

   * rate limit challenge replies; this is explicitly allowed by the spec (see

   * Section 4.3).

   */

  n = babel_get_neighbor(ifa, msg->sender);

  if (msg->challenge_seen && n->auth_next_challenge_reply <= current_time())

  {

    union babel_msg resp = {};

    TRACE(D_PACKETS, "Sending MAC challenge response to %I", msg->sender);

    resp.type = BABEL_TLV_CHALLENGE_REPLY;

    resp.challenge.nonce_len = msg->challenge_len;

    resp.challenge.nonce = msg->challenge;

    n->auth_next_challenge_reply = current_time() + BABEL_AUTH_CHALLENGE_INTERVAL;

    babel_send_unicast(&resp, ifa, msg->sender);

  }

  /* (3b) Handle challenge request */

  if (msg->challenge_seen && (n->auth_next_challenge_reply <= current_time()))

    babel_auth_send_challenge_reply(ifa, n, msg);

  if (msg->index_len > BABEL_AUTH_INDEX_LEN || !msg->pc_seen)

  /* (4a) If PC TLV is missing, drop the packet */

  if (!msg->pc_seen)

  {

    LOG_PKT_AUTH("Invalid index or no PC from %I on %s",

    LOG_PKT_AUTH("Authentication failed for %I on %s - missing or invalid PC",

                 msg->sender, ifa->ifname);

    return 1;

    return 0;

  }

  /* On successful challenge, update PC and index to current values */

  /* (4b) On successful challenge, update PC and index to current values */

  if (msg->challenge_reply_seen &&

      n->auth_nonce_expiry &&

      n->auth_nonce_expiry >= current_time() &&

      (n->auth_nonce_expiry > current_time()) &&

      !memcmp(msg->challenge_reply, n->auth_nonce, BABEL_AUTH_NONCE_LEN))

  {

    n->auth_index_len = msg->index_len;

    memcpy(n->auth_index, msg->index, msg->index_len);

    n->auth_pc = msg->pc;

    n->auth_expiry = current_time() + BABEL_AUTH_NEIGHBOR_TIMEOUT;

    n->auth_passed = 1;

    return 1;

  }

  /* If index differs, send challenge */

  if ((n->auth_index_len != msg->index_len ||

      memcmp(n->auth_index, msg->index, msg->index_len)) &&

      n->auth_next_challenge <= current_time())

  /* (5) If index differs, send challenge and drop the packet */

  if ((n->auth_index_len != msg->index_len) ||

      memcmp(n->auth_index, msg->index, msg->index_len))

  {

    LOG_PKT_AUTH("Index mismatch from %I on %s; sending challenge",

    TRACE(D_PACKETS, "Index mismatch for packet from %I via %s",

	  msg->sender, ifa->ifname);

    babel_auth_send_challenge(ifa, n);

    return 1;

    if (n->auth_next_challenge <= current_time())

      babel_auth_send_challenge_request(ifa, n);

    return 0;

  }

  /* Index matches; only accept if PC is greater than last */

  /* (6) Index matches; only accept if PC is greater than last */

  if (n->auth_pc >= msg->pc)

  {

    LOG_PKT_AUTH("Packet counter too low from %I on %s",

                 msg->sender, ifa->ifname);

    return 1;

    LOG_PKT_AUTH("Authentication failed for %I on %s - "

		 "lower packet counter (rcv %u, old %u)",

                 msg->sender, ifa->ifname, msg->pc, n->auth_pc);

    return 0;

  }

  n->auth_pc = msg->pc;

  n->auth_expiry = current_time() + BABEL_AUTH_NEIGHBOR_TIMEOUT;

  n->auth_passed = 1;

  return 0;

  return 1;

}

/*

 *	Babel interfaces

 */

  ifa->next_hop_ip4 = ipa_nonzero(new->next_hop_ip4) ? new->next_hop_ip4 : addr4;

  ifa->next_hop_ip6 = ipa_nonzero(new->next_hop_ip6) ? new->next_hop_ip6 : ifa->addr;

  if (new->auth_type != BABEL_AUTH_NONE && old->auth_type != new->auth_type)

  babel_iface_update_buffers(ifa);

  if ((new->auth_type != BABEL_AUTH_NONE) && (new->auth_type != old->auth_type))

    babel_auth_reset_index(ifa);

  if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel)

  if (ifa->next_regular > (current_time() + new->update_interval))

    ifa->next_regular = current_time() + (random() % new->update_interval);

  if ((new->tx_length != old->tx_length) || (new->rx_buffer != old->rx_buffer))

    babel_iface_update_buffers(ifa);

  if (new->check_link != old->check_link)

    babel_iface_update_state(ifa);

#define BABEL_AUTH_NONE			0

#define BABEL_AUTH_MAC			1

#define BABEL_AUTH_NONCE_LEN		10	/* we send 80 bit nonces */

#define BABEL_AUTH_MAX_NONCE_LEN	192	/* max allowed by spec */

#define BABEL_AUTH_INDEX_LEN		32	/* max size in spec */

  BABEL_TLV_SEQNO_REQUEST	= 10,

  BABEL_TLV_MAC			= 16,

  BABEL_TLV_PC			= 17,

  BABEL_TLV_CHALLENGE_REQ	= 18,

  BABEL_TLV_CHALLENGE_REQUEST	= 18,

  BABEL_TLV_CHALLENGE_REPLY	= 19,

  BABEL_TLV_MAX

};

  {

    struct password_item *pass;

    uint len = 0, i = 0;

    WALK_LIST(pass, *BABEL_IFACE->passwords)

    {

      /* Set default crypto algorithm (HMAC-SHA256) */

      if (!pass->alg)

	pass->alg = ALG_HMAC_SHA256;

      if (pass->alg & ALG_HMAC) {

        if (pass->length < mac_type_length(pass->alg) ||

            pass->length > mac_type_block_size(pass->alg))

          cf_error("key length %d is not between output size %d and block size %d for algorithm %s",

                   pass->length, mac_type_length(pass->alg),

                   mac_type_block_size(pass->alg), mac_type_name(pass->alg));

      } else if (!(pass->alg == ALG_BLAKE2S_128 || pass->alg == ALG_BLAKE2S_256 ||

                   pass->alg == ALG_BLAKE2B_256 || pass->alg == ALG_BLAKE2B_512)) {

	cf_error("Only HMAC and Blake algorithms are supported");

      }

      if (!((pass->alg & ALG_HMAC) ||

	    (pass->alg == ALG_BLAKE2S_128) ||

	    (pass->alg == ALG_BLAKE2S_256) ||

	    (pass->alg == ALG_BLAKE2B_256) ||

	    (pass->alg == ALG_BLAKE2B_512)))

	cf_error("Only HMAC and Blake2 algorithms are supported");

      len += mac_type_length(pass->alg);

      i++;

    }

    BABEL_IFACE->mac_num_keys = i;

    BABEL_IFACE->mac_total_len = len;

  }

 | NEXT HOP IPV4 ipa { BABEL_IFACE->next_hop_ip4 = $4; if (!ipa_is_ip4($4)) cf_error("Must be an IPv4 address"); }

 | NEXT HOP IPV6 ipa { BABEL_IFACE->next_hop_ip6 = $4; if (!ipa_is_ip6($4)) cf_error("Must be an IPv6 address"); }

 | AUTHENTICATION NONE { BABEL_IFACE->auth_type = BABEL_AUTH_NONE; }

 | AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; }

 | AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 0; }

 | AUTHENTICATION MAC PERMISSIVE { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 1; }

 | password_list	{ }

 | password_list

 ;

babel_iface_opts:

#include "babel.h"

#include "lib/mac.h"

struct babel_pkt_header {

  u8 magic;

  u8 version;

  u8 addr[0];

} PACKED;

struct babel_tlv_pc {

struct babel_tlv_mac {

  u8 type;

  u8 length;

  u32 pc;

  u8 index[0];

  u8 mac[0];

} PACKED;

struct babel_tlv_mac {

struct babel_tlv_pc {

  u8 type;

  u8 length;

  u8 mac[0];

  u32 pc;

  u8 index[0];

} PACKED;

struct babel_tlv_challenge {

  u8 nonce[0];

} PACKED;

struct babel_mac_pseudohdr {

struct babel_mac_pseudoheader {

  u8 src_addr[16];

  u16 src_port;

  u8 dst_addr[16];

    if ((loop_pos > end) || (loop_pos + tlv->length > end))             \

    {                                                                   \

      LOG_PKT("Bad TLV from %I via %s type %d pos %d - framing error",  \

	      saddr, ifname, tlv->type, (byte *)tlv - (byte *)start);   \

	      saddr, ifname, tlv->type, (int) ((byte *)tlv - (byte *)start)); \

      frame_err = 1;                                                    \

      break;                                                            \

    }

  put_u32(p+4, _I3(addr));

}

/*

 *      Authentication-related functions

 */

uint babel_auth_write_challenge(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len);

int babel_auth_add_tlvs(struct babel_iface *ifa, struct babel_tlv *tlv, int max_len);

int babel_auth_add_tlvs(struct babel_iface *ifa, struct babel_tlv *tlv, uint max_len);

int babel_auth_sign(struct babel_iface *ifa, ip_addr dest);

int babel_auth_check(struct babel_iface *ifa,

                     ip_addr saddr, u16 sport,

    babel_write_seqno_request,

    babel_handle_seqno_request

  },

  [BABEL_TLV_CHALLENGE_REQ] = {

    sizeof(struct babel_tlv),

  [BABEL_TLV_CHALLENGE_REQUEST] = {

    sizeof(struct babel_tlv_challenge),

    NULL,

    babel_auth_write_challenge,

    NULL

  },

  [BABEL_TLV_CHALLENGE_REPLY] = {

    sizeof(struct babel_tlv),

    sizeof(struct babel_tlv_challenge),

    NULL,

    babel_auth_write_challenge,

    NULL

  },

};

  return tlv_data[msg->type].write_tlv(hdr, msg, state, max_len);

}

/*

 *	Packet RX/TX functions

 */

/**

 * babel_process_packet - process incoming data packet

 * @ifa: Interface packet was received on.

 * @ifa: Interface packet was received on

 * @pkt: Pointer to the packet data

 * @len: Length of received packet

 * @saddr: Address of packet sender

  TRACE(D_PACKETS, "Packet received from %I via %s",

        saddr, ifa->iface->name);

  if (babel_auth_check(ifa, saddr, sport, daddr, dport, pkt, end, len-plen))

  if (!babel_auth_check(ifa, saddr, sport, daddr, dport, pkt, end, len - plen))

    return;

  init_list(&msgs);

    else /* PARSE_ERROR */

    {

      LOG_PKT("Bad TLV from %I via %s type %d pos %d - parse error",

	      saddr, ifa->iface->name, tlv->type, (byte *)tlv - (byte *)pkt);

	      saddr, ifa->iface->name, tlv->type, (int) ((byte *)tlv - (byte *)pkt));

      sl_free(p->msg_slab, msg);

      break;

    }

{

  struct babel_tlv_pc *tlv = (void *) hdr;

  if (!state->auth.pc_seen)

  {

    state->auth.pc_seen = 1;

  /* RFC 8967 4.3 (3) - If multiple PCs are found, only the first one is used */

  if (state->auth.pc_seen)

    return PARSE_IGNORE;

  uint index_len = TLV_OPT_LENGTH(tlv);

  if (index_len > BABEL_AUTH_INDEX_LEN)

    return PARSE_IGNORE;

  state->auth.pc = get_u32(&tlv->pc);

    state->auth.index_len = TLV_OPT_LENGTH(tlv);

  state->auth.pc_seen = 1;

  state->auth.index_len = index_len;

  state->auth.index = tlv->index;

  }

  state->current_tlv_endpos += index_len;

  return PARSE_IGNORE;

  return PARSE_SUCCESS;

}

static const struct babel_tlv_data pc_tlv_data = {

  struct babel_tlv_challenge *tlv = (void *) hdr;

  if (!state->is_unicast)

  {

    DBG("Ignoring non-unicast challenge request from %I\n", state->saddr);

    return PARSE_IGNORE;

  }

  if (tlv->length > BABEL_AUTH_MAX_NONCE_LEN)

  uint nonce_len = TLV_OPT_LENGTH(tlv);

  if (nonce_len > BABEL_AUTH_MAX_NONCE_LEN)

    return PARSE_IGNORE;

  state->auth.challenge_len = tlv->length;

  if (state->auth.challenge_len)

    memcpy(state->auth.challenge, tlv->nonce, state->auth.challenge_len);

  state->auth.challenge_len = nonce_len;

  bmemcpy(state->auth.challenge, tlv->nonce, nonce_len);

  state->auth.challenge_seen = 1;

  state->current_tlv_endpos += nonce_len;

  return PARSE_IGNORE;

  return PARSE_SUCCESS;

}

static const struct babel_tlv_data challenge_req_tlv_data = {

{

  struct babel_tlv_challenge *tlv = (void *) hdr;

  if (tlv->length != BABEL_AUTH_NONCE_LEN || state->auth.challenge_reply_seen)

  if (state->auth.challenge_reply_seen)

    return PARSE_IGNORE;

  uint nonce_len = TLV_OPT_LENGTH(tlv);

  if (nonce_len != BABEL_AUTH_NONCE_LEN)

    return PARSE_IGNORE;

  state->auth.challenge_reply_seen = 1;

  memcpy(state->auth.challenge_reply, tlv->nonce, BABEL_AUTH_NONCE_LEN);

  state->auth.challenge_reply_seen = 1;

  state->current_tlv_endpos += nonce_len;

  return PARSE_IGNORE;

  return PARSE_SUCCESS;

}

static const struct babel_tlv_data challenge_reply_tlv_data = {

  {

  case BABEL_TLV_PC:

    return &pc_tlv_data;

  case BABEL_TLV_CHALLENGE_REQ:

  case BABEL_TLV_CHALLENGE_REQUEST:

    return &challenge_req_tlv_data;

  case BABEL_TLV_CHALLENGE_REPLY:

    return &challenge_reply_tlv_data;

    return 0;

  TLV_HDR(tlv, msg->type, len);

  memcpy(tlv->nonce, msg->nonce, msg->nonce_len);

  bmemcpy(tlv->nonce, msg->nonce, msg->nonce_len);

  return len;

}

static int

babel_mac_hash(struct password_item *pass,

               struct babel_mac_pseudohdr *phdr,

static void

babel_mac_fill(struct password_item *pass,

	       struct babel_mac_pseudoheader *phdr,

	       byte *pkt, uint pkt_len,

               byte *buf, uint *buf_len)

	       byte *mac)

{

  struct mac_context ctx;

  if (mac_type_length(pass->alg) > *buf_len)

    return 1;

  mac_init(&ctx, pass->alg, pass->password, pass->length);

  mac_update(&ctx, (byte *)phdr, sizeof(*phdr));

  mac_update(&ctx, (byte *)pkt, pkt_len);

  *buf_len = mac_get_length(&ctx);

  memcpy(buf, mac_final(&ctx), *buf_len);

  memcpy(mac, mac_final(&ctx), mac_get_length(&ctx));

  mac_cleanup(&ctx);

  return 0;

}

static void

babel_mac_build_phdr(struct babel_mac_pseudohdr *phdr,

babel_mac_build_phdr(struct babel_mac_pseudoheader *phdr,

                     ip_addr saddr, u16 sport,

                     ip_addr daddr, u16 dport)

{

                     ip_addr saddr, u16 sport,

                     ip_addr daddr, u16 dport)

{

  uint hash_len = (uint)(trailer - pkt);

  struct babel_proto *p = ifa->proto;

  uint pkt_len = (uint)(trailer - pkt);

  byte *end = trailer + trailer_len;

  btime now_ = current_real_time();

  struct babel_mac_pseudohdr phdr;

  struct password_item *pass;

  struct babel_tlv *tlv;

  if (trailer_len < sizeof(*tlv))

  if (trailer_len < sizeof(struct babel_tlv))

  {

    LOG_PKT_AUTH("No MAC signature on packet from %I on %s",

    LOG_PKT_AUTH("Authentication failed for %I on %s - no MAC signature",

                 saddr, ifa->ifname);

    return 1;

    return 0;

  }

  struct babel_mac_pseudoheader phdr;

  babel_mac_build_phdr(&phdr, saddr, sport, daddr, dport);

  struct password_item *pass;

  WALK_LIST(pass, *ifa->cf->passwords)

  {

    byte mac_res[MAX_HASH_SIZE];

    uint mac_len = MAX_HASH_SIZE;

    u8 frame_err = 0;

    byte mac[MAX_HASH_SIZE];

    uint mac_len = mac_type_length(pass->alg);

    uint frame_err = 0;

    if (pass->accfrom > now_ || pass->accto < now_)

      continue;

    if (babel_mac_hash(pass, &phdr,

                       pkt, hash_len,

                       mac_res, &mac_len))

      continue;

    babel_mac_fill(pass, &phdr, pkt, pkt_len, mac);

    WALK_TLVS((void *)trailer, end, tlv, frame_err, saddr, ifa->ifname)

    struct babel_tlv *tlv0;

    WALK_TLVS((void *)trailer, end, tlv0, frame_err, saddr, ifa->ifname)

    {

      struct babel_tlv_mac *mac = (void *)tlv;

      struct babel_tlv_mac *tlv = (void *)tlv0;

      if (tlv->type != BABEL_TLV_MAC)

	continue;

      if (tlv->length == mac_len && !memcmp(mac->mac, mac_res, mac_len))

        return 0;

      if ((TLV_OPT_LENGTH(tlv) == mac_len) && !memcmp(tlv->mac, mac, mac_len))

        return 1;

      DBG("MAC mismatch key id %d pos %d len %d/%d\n",

	  pass->id, (byte *)tlv - (byte *)pkt, mac_len, tlv->length);

	  pass->id, (int) ((byte *)tlv - (byte *)pkt), mac_len, tlv->length);

    }

    WALK_TLVS_END;

    if (frame_err) {

      DBG("MAC trailer TLV framing error\n");

      return 1;

    }

    if (frame_err)

      return 0;

  }

  LOG_PKT_AUTH("No MAC key matching packet from %I found on %s",

  LOG_PKT_AUTH("Authentication failed for %I on %s - no matching key",

               saddr, ifa->ifname);

  return 1;

  return 0;

}

/**

                 struct babel_pkt_header *pkt,

                 byte *trailer, uint trailer_len)

{

  u8 frame_err UNUSED = 0;

  uint frame_err UNUSED = 0;

  struct babel_proto *p = ifa->proto;

  struct babel_tlv *tlv;

  };

  if (ifa->cf->auth_type == BABEL_AUTH_NONE)

    return 0;

    return 1;

  TRACE(D_PACKETS, "Checking packet authentication signature");

  if (babel_auth_check_mac(ifa, (byte *)pkt,

  if (!babel_auth_check_mac(ifa, (byte *)pkt,

                           trailer, trailer_len,

                           saddr, sport,

                           daddr, dport))

    goto fail;

  /* MAC verified; parse packet to check packet counter and challenge */

  WALK_TLVS(FIRST_TLV(pkt), trailer, tlv, frame_err, saddr, ifa->iface->name)

  WALK_TLVS(FIRST_TLV(pkt), trailer, tlv, frame_err, saddr, ifa->ifname)

  {

    union babel_msg msg;

    enum parse_result res;

    res = babel_read_tlv(tlv, &msg, &state);

    if (res == PARSE_ERROR)

    {

      LOG_PKT_AUTH("Bad TLV from %I via %s type %d pos %d - parse error",

                   saddr, ifa->iface->name, tlv->type, (byte *)tlv - (byte *)pkt);

      LOG_PKT("Bad TLV from %I via %s type %d pos %d - parse error",

	      saddr, ifa->ifname, tlv->type, (int) ((byte *)tlv - (byte *)pkt));