[PATCH 0/4] Add MAC authentication support to the Babel protocol
This series adds MAC authentication support to the Babel protocol as specified in by the IETF Babel working group in draft-babel-hmac-10: https://tools.ietf.org/html/draft-ietf-babel-hmac-10 An initial RFC patch series was posted here in July 2018[0]. Since then, the protocol specification has progressed through the IETF, to the point where it is now in the IESG publication queue as a proposed standard RFC. This version of the patch series updates the implementation to correspond to the final version of the draft, and also addresses the review comments from the initial RFC patch. The major changes are: Major updates to the specification (for a full list see the draft appendix): - Added Blake2s as a recommended algorithm - Updated terminology to use MAC everywhere instead of HMAC (since Blake is not an HMAC algorithm). - Added expiration of neighbours and rate limiting of challenge replies - Update TLV type numbers after IANA allocation In addition, the following changes have been made to the implementation: - Add wrapper function to bird sysdep code to pick a suitable source of random bytes - Import reference Blake2 implementations into lib/ - Rename function names and data structures to use an auth_ prefix instead of hmac_ - Perform a separate authentication pass before parsing the packet, and move the authentication-related code to its own source file - Enforce key length recommendation from the specification - Add a 'permissive' configuration mode where outgoing packets are signed but incoming packets are accepted even though they fail authentication - Add user documentation for the authentication configuration, and function docstrings to the main authentication functions - Fix a bunch of nits and code style issues I have performed basic interoperability testing between this implementation and the current babeld HMAC implementation[1]. The two implementations were able to successfully exchange authenticated messages with both HMAC-256 and Blake2s keys. Given the above, and the close-to-final state of the specification at the IETF, I believe this series is ready for merging (subject to review, of course). For those wanting to test the code, a version of Bird with this series applied is available on Github[2] for easy consumption. Cheers, -Toke [0] http://trubka.network.cz/pipermail/bird-users/2018-July/012536.html [1] https://github.com/jech/babeld/pull/52 [2] https://github.com/tohojo/bird/tree/babel-mac-01 --- Toke Høiland-Jørgensen (4): sysdep: Add wrapper to get random bytes nest: Add Blake2s and Blake2b hash functions babel: Refactor packet parsing code for reuse in authentication checks babel: Add MAC authentication support aclocal.m4 | 49 ++++ conf/conf.c | 1 configure.ac | 15 + doc/bird.sgml | 38 +++ lib/Makefile | 2 lib/birdlib.h | 2 lib/blake2-impl.h | 160 +++++++++++++ lib/blake2-ref.h | 112 +++++++++ lib/blake2.c | 46 ++++ lib/blake2.h | 67 ++++++ lib/blake2b-ref.c | 270 ++++++++++++++++++++++ lib/blake2s-ref.c | 263 ++++++++++++++++++++++ lib/mac.c | 7 + lib/mac.h | 2 nest/config.Y | 4 proto/babel/Doc | 1 proto/babel/Makefile | 4 proto/babel/auth.c | 593 +++++++++++++++++++++++++++++++++++++++++++++++++ proto/babel/babel.c | 33 ++- proto/babel/babel.h | 54 ++++ proto/babel/config.Y | 38 +++ proto/babel/packets.c | 294 +++++++++++++----------- proto/babel/packets.h | 96 ++++++++ sysdep/unix/random.c | 78 ++++++ 24 files changed, 2068 insertions(+), 161 deletions(-) create mode 100644 lib/blake2-impl.h create mode 100644 lib/blake2-ref.h create mode 100644 lib/blake2.c create mode 100644 lib/blake2.h create mode 100644 lib/blake2b-ref.c create mode 100644 lib/blake2s-ref.c create mode 100644 proto/babel/auth.c create mode 100644 proto/babel/packets.h
From: Toke Høiland-Jørgensen <toke@toke.dk> The Babel authentication code added by a subsequent commit needs a way to get random bytes for generating nonces. This patch adds a wrapper function in sysdep to get random bytes, and the required checks in configure.ac to select how to do it. The configure script tries, in order, getrandom(), syscall(SYS_getrandom), getentropy() and reading from /dev/urandom. The order and methods corresponds to how CPython implements its corresponding randomness functions. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> --- aclocal.m4 | 49 +++++++++++++++++++++++++++++++ conf/conf.c | 1 + configure.ac | 15 ++++++++++ lib/birdlib.h | 2 + sysdep/unix/random.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 145 insertions(+) diff --git a/aclocal.m4 b/aclocal.m4 index 1613d680..0a1608cb 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -239,3 +239,52 @@ AC_DEFUN([BIRD_CHECK_BISON_VERSION], ;; esac ]) + +# BIRD_CHECK_GETRANDOM_SYSCALL +# Check for the getrandom syscall - borrowed from Python +AC_DEFUN([BIRD_CHECK_GETRANDOM_SYSCALL], [{ + # check if the Linux getrandom() syscall is available + # borrowed from the Python sources + AC_MSG_CHECKING(for the Linux getrandom() syscall) + AC_LINK_IFELSE( + [ + AC_LANG_SOURCE([[ + #include <unistd.h> + #include <sys/syscall.h> + #include <linux/random.h> + + int main() { + char buffer[1]; + const size_t buflen = sizeof(buffer); + const int flags = GRND_NONBLOCK; + int res = syscall(SYS_getrandom, buffer, buflen, flags); + return res == 0 ? 0 : 1; + } + ]]) + ],[have_getrandom_syscall=yes],[have_getrandom_syscall=no]) + AC_MSG_RESULT($have_getrandom_syscall) +}]) + +# BIRD_CHECK_GETRANDOM +# Check for the getrandom function - borrowed from Python +AC_DEFUN([BIRD_CHECK_GETRANDOM], [{ + # check if the Linux getrandom() syscall is available + # borrowed from the Python sources + AC_MSG_CHECKING(for the getrandom() function) + AC_LINK_IFELSE( + [ + AC_LANG_SOURCE([[ + #include <sys/random.h> + + int main() { + char buffer[1]; + const size_t buflen = sizeof(buffer); + const int flags = 0; + int res = getrandom(buffer, buflen, flags); + return res == 0 ? 0 : 1; + } + ]]) + ],[have_getrandom=yes],[have_getrandom=no]) + AC_MSG_RESULT($have_getrandom) +}]) + diff --git a/conf/conf.c b/conf/conf.c index b21d5213..65445579 100644 --- a/conf/conf.c +++ b/conf/conf.c @@ -515,6 +515,7 @@ order_shutdown(int gr) c->gr_down = gr; config_commit(c, RECONFIG_HARD, 0); + close_urandom(); shutting_down = 1; } diff --git a/configure.ac b/configure.ac index da8546a6..4ebddfc3 100644 --- a/configure.ac +++ b/configure.ac @@ -364,6 +364,21 @@ elif test "$bird_cv_lib_log" != yes ; then LIBS="$LIBS $bird_cv_lib_log" fi +BIRD_CHECK_GETRANDOM_SYSCALL +if test "$have_getrandom_syscall" = yes; then + AC_DEFINE(HAVE_GETRANDOM_SYSCALL, 1, + [Define to 1 if the Linux getrandom() syscall is available]) +fi + +BIRD_CHECK_GETRANDOM +if test "$have_getrandom" = yes; then + AC_DEFINE(HAVE_GETRANDOM, 1, + [Define to 1 if the getrandom() function is available]) +fi + +AC_CHECK_FUNCS(getentropy) +AC_CHECK_HEADERS(sys/random.h) + if test "$enable_debug" = yes ; then AC_DEFINE([DEBUGGING], [1], [Define to 1 if debugging is enabled]) LDFLAGS="$LDFLAGS -rdynamic" diff --git a/lib/birdlib.h b/lib/birdlib.h index 5202b0c8..7ce5fe3c 100644 --- a/lib/birdlib.h +++ b/lib/birdlib.h @@ -180,5 +180,7 @@ asm( /* Pseudorandom numbers */ u32 random_u32(void); +int random_bytes(char *buf, size_t size); +void close_urandom(void); #endif diff --git a/sysdep/unix/random.c b/sysdep/unix/random.c index b1f5086f..6c8945fc 100644 --- a/sysdep/unix/random.c +++ b/sysdep/unix/random.c @@ -7,6 +7,23 @@ */ #include <stdlib.h> +#include <fcntl.h> +#include <unistd.h> + +#include "sysdep/config.h" + +#ifdef HAVE_SYS_STAT_H +# include <sys/stat.h> +#endif +#ifdef HAVE_LINUX_RANDOM_H +# include <linux/random.h> +#endif +#if defined(HAVE_SYS_RANDOM_H) && (defined(HAVE_GETRANDOM) || defined(HAVE_GETENTROPY)) +# include <sys/random.h> +#endif +#if !defined(HAVE_GETRANDOM) && defined(HAVE_GETRANDOM_SYSCALL) +# include <sys/syscall.h> +#endif #include "nest/bird.h" @@ -19,3 +36,64 @@ random_u32(void) rand_high = random(); return (rand_low & 0xffff) | ((rand_high & 0xffff) << 16); } + +#if defined(HAVE_GETRANDOM) || defined(HAVE_GETRANDOM_SYSCALL) || defined(HAVE_GENTROPY) +int +random_bytes(char *buf, size_t size) +{ + int n; + int flags = 0; + while (0 < size) { +#if defined(HAVE_GETRANDOM) + n = getrandom(buf, size, flags); +#elif defined(HAVE_GETRANDOM_SYSCALL) + n = syscall(SYS_getrandom, buf, size, flags); +#else + n = getentropy(buf, size); +#endif + if (n < 0) + return -1; + buf += n; + size -= n; + } + + return 0; +} + +void close_urandom(void) {} + +#else + +static int urandom_fd = -1; +int random_bytes(char *buf, size_t size) +{ + int n; + + if (urandom_fd < 0) + { + urandom_fd = open("/dev/urandom", O_RDONLY); + if (urandom_fd < 0) + return -1; + } + + do + { + n = read(urandom_fd, buf, size); + if (n <= 0) + return -1; + buf += n; + size -= n; + } while (size > 0); + + return 0; +} + +void +close_urandom(void) +{ + if (urandom_fd >= 0) { + close(urandom_fd); + urandom_fd = -1; + } +} +#endif
From: Toke Høiland-Jørgensen <toke@toke.dk> The Babel MAC authentication draft recommends implementing Blake2s as one of the supported algorithms. In order to achieve do this, add the blake2b and blake2s hash functions for MAC authentication. The hashing function implementations are the reference implementations from blake2.net, which are imported wholesale along with the required wrapper functions to conform to the algorithm abstraction in lib/. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> --- doc/bird.sgml | 2 lib/Makefile | 2 lib/blake2-impl.h | 160 +++++++++++++++++++++++++++++++ lib/blake2-ref.h | 112 ++++++++++++++++++++++ lib/blake2.c | 46 +++++++++ lib/blake2.h | 67 +++++++++++++ lib/blake2b-ref.c | 270 +++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/blake2s-ref.c | 263 ++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/mac.c | 7 + lib/mac.h | 2 nest/config.Y | 4 + 11 files changed, 932 insertions(+), 3 deletions(-) create mode 100644 lib/blake2-impl.h create mode 100644 lib/blake2-ref.h create mode 100644 lib/blake2.c create mode 100644 lib/blake2.h create mode 100644 lib/blake2b-ref.c create mode 100644 lib/blake2s-ref.c diff --git a/doc/bird.sgml b/doc/bird.sgml index b965da87..64860e6f 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -808,7 +808,7 @@ agreement"). <tag><label id="proto-pass-to">to "<m/time/"</tag> Shorthand for setting both <cf/generate to/ and <cf/accept to/. - <tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 )</tag> + <tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 | blake2s | blake2b )</tag> The message authentication algorithm for the password when cryptographic authentication is enabled. The default value depends on the protocol. For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3 diff --git a/lib/Makefile b/lib/Makefile index 5c78b2a9..27fd39c2 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,4 +1,4 @@ -src := bitmap.c bitops.c checksum.c event.c flowspec.c idm.c ip.c lists.c mac.c md5.c mempool.c net.c patmatch.c printf.c resource.c sha1.c sha256.c sha512.c slab.c slists.c strtoul.c tbf.c timer.c xmalloc.c +src := bitmap.c bitops.c blake2s-ref.c blake2b-ref.c blake2.c checksum.c event.c flowspec.c idm.c ip.c lists.c mac.c md5.c mempool.c net.c patmatch.c printf.c resource.c sha1.c sha256.c sha512.c slab.c slists.c strtoul.c tbf.c timer.c xmalloc.c obj := $(src-o-files) $(all-daemon) diff --git a/lib/blake2-impl.h b/lib/blake2-impl.h new file mode 100644 index 00000000..c1df82e0 --- /dev/null +++ b/lib/blake2-impl.h @@ -0,0 +1,160 @@ +/* + BLAKE2 reference source code package - reference C implementations + + Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the + terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at + your option. The terms of these licenses can be found at: + + - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + - OpenSSL license : https://www.openssl.org/source/license.html + - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + + More information about the BLAKE2 hash function can be found at + https://blake2.net. +*/ +#ifndef BLAKE2_IMPL_H +#define BLAKE2_IMPL_H + +#include <stdint.h> +#include <string.h> + +#if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L) + #if defined(_MSC_VER) + #define BLAKE2_INLINE __inline + #elif defined(__GNUC__) + #define BLAKE2_INLINE __inline__ + #else + #define BLAKE2_INLINE + #endif +#else + #define BLAKE2_INLINE inline +#endif + +static BLAKE2_INLINE uint32_t load32( const void *src ) +{ +#if defined(NATIVE_LITTLE_ENDIAN) + uint32_t w; + memcpy(&w, src, sizeof w); + return w; +#else + const uint8_t *p = ( const uint8_t * )src; + return (( uint32_t )( p[0] ) << 0) | + (( uint32_t )( p[1] ) << 8) | + (( uint32_t )( p[2] ) << 16) | + (( uint32_t )( p[3] ) << 24) ; +#endif +} + +static BLAKE2_INLINE uint64_t load64( const void *src ) +{ +#if defined(NATIVE_LITTLE_ENDIAN) + uint64_t w; + memcpy(&w, src, sizeof w); + return w; +#else + const uint8_t *p = ( const uint8_t * )src; + return (( uint64_t )( p[0] ) << 0) | + (( uint64_t )( p[1] ) << 8) | + (( uint64_t )( p[2] ) << 16) | + (( uint64_t )( p[3] ) << 24) | + (( uint64_t )( p[4] ) << 32) | + (( uint64_t )( p[5] ) << 40) | + (( uint64_t )( p[6] ) << 48) | + (( uint64_t )( p[7] ) << 56) ; +#endif +} + +static BLAKE2_INLINE uint16_t load16( const void *src ) +{ +#if defined(NATIVE_LITTLE_ENDIAN) + uint16_t w; + memcpy(&w, src, sizeof w); + return w; +#else + const uint8_t *p = ( const uint8_t * )src; + return ( uint16_t )((( uint32_t )( p[0] ) << 0) | + (( uint32_t )( p[1] ) << 8)); +#endif +} + +static BLAKE2_INLINE void store16( void *dst, uint16_t w ) +{ +#if defined(NATIVE_LITTLE_ENDIAN) + memcpy(dst, &w, sizeof w); +#else + uint8_t *p = ( uint8_t * )dst; + *p++ = ( uint8_t )w; w >>= 8; + *p++ = ( uint8_t )w; +#endif +} + +static BLAKE2_INLINE void store32( void *dst, uint32_t w ) +{ +#if defined(NATIVE_LITTLE_ENDIAN) + memcpy(dst, &w, sizeof w); +#else + uint8_t *p = ( uint8_t * )dst; + p[0] = (uint8_t)(w >> 0); + p[1] = (uint8_t)(w >> 8); + p[2] = (uint8_t)(w >> 16); + p[3] = (uint8_t)(w >> 24); +#endif +} + +static BLAKE2_INLINE void store64( void *dst, uint64_t w ) +{ +#if defined(NATIVE_LITTLE_ENDIAN) + memcpy(dst, &w, sizeof w); +#else + uint8_t *p = ( uint8_t * )dst; + p[0] = (uint8_t)(w >> 0); + p[1] = (uint8_t)(w >> 8); + p[2] = (uint8_t)(w >> 16); + p[3] = (uint8_t)(w >> 24); + p[4] = (uint8_t)(w >> 32); + p[5] = (uint8_t)(w >> 40); + p[6] = (uint8_t)(w >> 48); + p[7] = (uint8_t)(w >> 56); +#endif +} + +static BLAKE2_INLINE uint64_t load48( const void *src ) +{ + const uint8_t *p = ( const uint8_t * )src; + return (( uint64_t )( p[0] ) << 0) | + (( uint64_t )( p[1] ) << 8) | + (( uint64_t )( p[2] ) << 16) | + (( uint64_t )( p[3] ) << 24) | + (( uint64_t )( p[4] ) << 32) | + (( uint64_t )( p[5] ) << 40) ; +} + +static BLAKE2_INLINE void store48( void *dst, uint64_t w ) +{ + uint8_t *p = ( uint8_t * )dst; + p[0] = (uint8_t)(w >> 0); + p[1] = (uint8_t)(w >> 8); + p[2] = (uint8_t)(w >> 16); + p[3] = (uint8_t)(w >> 24); + p[4] = (uint8_t)(w >> 32); + p[5] = (uint8_t)(w >> 40); +} + +static BLAKE2_INLINE uint32_t rotr32( const uint32_t w, const unsigned c ) +{ + return ( w >> c ) | ( w << ( 32 - c ) ); +} + +static BLAKE2_INLINE uint64_t rotr64( const uint64_t w, const unsigned c ) +{ + return ( w >> c ) | ( w << ( 64 - c ) ); +} + +/* prevents compiler optimizing out memset() */ +static BLAKE2_INLINE void secure_zero_memory(void *v, size_t n) +{ + static void *(*const volatile memset_v)(void *, int, size_t) = &memset; + memset_v(v, 0, n); +} + +#endif diff --git a/lib/blake2-ref.h b/lib/blake2-ref.h new file mode 100644 index 00000000..8e9fb884 --- /dev/null +++ b/lib/blake2-ref.h @@ -0,0 +1,112 @@ +/* + BLAKE2 reference source code package - reference C implementations + + Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the + terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at + your option. The terms of these licenses can be found at: + + - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + - OpenSSL license : https://www.openssl.org/source/license.html + - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + + More information about the BLAKE2 hash function can be found at + https://blake2.net. +*/ +#ifndef BLAKE2_REF_H +#define BLAKE2_REF_H + +#include <stddef.h> +#include <stdint.h> + +#define BLAKE2_PACKED(x) x __attribute__((packed)) + + enum blake2s_constant + { + BLAKE2S_BLOCKBYTES = 64, + BLAKE2S_OUTBYTES = 32, + BLAKE2S_KEYBYTES = 32, + BLAKE2S_SALTBYTES = 8, + BLAKE2S_PERSONALBYTES = 8 + }; + + enum blake2b_constant + { + BLAKE2B_BLOCKBYTES = 128, + BLAKE2B_OUTBYTES = 64, + BLAKE2B_KEYBYTES = 64, + BLAKE2B_SALTBYTES = 16, + BLAKE2B_PERSONALBYTES = 16 + }; + +/* state structs moved to blake2.h */ +#include "blake2.h" +#undef S + + BLAKE2_PACKED(struct blake2s_param__ + { + uint8_t digest_length; /* 1 */ + uint8_t key_length; /* 2 */ + uint8_t fanout; /* 3 */ + uint8_t depth; /* 4 */ + uint32_t leaf_length; /* 8 */ + uint32_t node_offset; /* 12 */ + uint16_t xof_length; /* 14 */ + uint8_t node_depth; /* 15 */ + uint8_t inner_length; /* 16 */ + /* uint8_t reserved[0]; */ + uint8_t salt[BLAKE2S_SALTBYTES]; /* 24 */ + uint8_t personal[BLAKE2S_PERSONALBYTES]; /* 32 */ + }); + + typedef struct blake2s_param__ blake2s_param; + + BLAKE2_PACKED(struct blake2b_param__ + { + uint8_t digest_length; /* 1 */ + uint8_t key_length; /* 2 */ + uint8_t fanout; /* 3 */ + uint8_t depth; /* 4 */ + uint32_t leaf_length; /* 8 */ + uint32_t node_offset; /* 12 */ + uint32_t xof_length; /* 16 */ + uint8_t node_depth; /* 17 */ + uint8_t inner_length; /* 18 */ + uint8_t reserved[14]; /* 32 */ + uint8_t salt[BLAKE2B_SALTBYTES]; /* 48 */ + uint8_t personal[BLAKE2B_PERSONALBYTES]; /* 64 */ + }); + + typedef struct blake2b_param__ blake2b_param; + + typedef struct blake2xs_state__ + { + blake2s_state S[1]; + blake2s_param P[1]; + } blake2xs_state; + + typedef struct blake2xb_state__ + { + blake2b_state S[1]; + blake2b_param P[1]; + } blake2xb_state; + + /* Padded structs result in a compile-time error */ + enum { + BLAKE2_DUMMY_1 = 1/(sizeof(blake2s_param) == BLAKE2S_OUTBYTES), + BLAKE2_DUMMY_2 = 1/(sizeof(blake2b_param) == BLAKE2B_OUTBYTES) + }; + + /* Streaming API */ + int blake2s_init( blake2s_state *S, size_t outlen ); + int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen ); + int blake2s_init_param( blake2s_state *S, const blake2s_param *P ); + int blake2s_update( blake2s_state *S, const void *in, size_t inlen ); + int blake2s_final( blake2s_state *S, void *out, size_t outlen ); + + int blake2b_init( blake2b_state *S, size_t outlen ); + int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen ); + int blake2b_init_param( blake2b_state *S, const blake2b_param *P ); + int blake2b_update( blake2b_state *S, const void *in, size_t inlen ); + int blake2b_final( blake2b_state *S, void *out, size_t outlen ); + +#endif diff --git a/lib/blake2.c b/lib/blake2.c new file mode 100644 index 00000000..a2c54fcc --- /dev/null +++ b/lib/blake2.c @@ -0,0 +1,46 @@ +/* + * BIRD Library -- Blake2 hash function wrappers + * + * (c) 2018 Toke Høiland-Jørgensen + * + * Can be freely distributed and used under the terms of the GNU GPL. + */ + + +#include "blake2-ref.h" + +void blake2s_bird_init(struct mac_context *mac, const byte *key, uint keylen) +{ + struct blake2s_context *ctx = (void *) mac; + blake2s_init_key(&ctx->state, BLAKE2S_SIZE, key, keylen); +} + +void blake2s_bird_update(struct mac_context *mac, const byte *buf, uint len) +{ + struct blake2s_context *ctx = (void *) mac; + blake2s_update(&ctx->state, buf, len); +} + +byte *blake2s_bird_final(struct mac_context *mac) +{ + struct blake2s_context *ctx = (void *) mac; + blake2s_final(&ctx->state, ctx->buf, BLAKE2S_SIZE); + return ctx->buf; +} + +void blake2b_bird_init(struct mac_context *mac, const byte *key, uint keylen) +{ + struct blake2b_context *ctx = (void *) mac; + blake2b_init_key(&ctx->state, BLAKE2B_SIZE, key, keylen); +} +void blake2b_bird_update(struct mac_context *mac, const byte *buf, uint len) +{ + struct blake2s_context *ctx = (void *) mac; + blake2s_update(&ctx->state, buf, len); +} +byte *blake2b_bird_final(struct mac_context *mac) +{ + struct blake2b_context *ctx = (void *) mac; + blake2b_final(&ctx->state, ctx->buf, BLAKE2B_SIZE); + return ctx->buf; +} diff --git a/lib/blake2.h b/lib/blake2.h new file mode 100644 index 00000000..eaff5867 --- /dev/null +++ b/lib/blake2.h @@ -0,0 +1,67 @@ +/* + * BIRD Library -- Blake2 hash function wrappers + * + * (c) 2018 Toke Høiland-Jørgensen + * + * Can be freely distributed and used under the terms of the GNU GPL. + */ + +#ifndef _BIRD_BLAKE2_H_ +#define _BIRD_BLAKE2_H_ + +#include "nest/bird.h" +struct mac_context; + +#define BLAKE2S_SIZE 32 // BLAKE2S_KEYBYTES +#define BLAKE2S_HEX_SIZE 65 +#define BLAKE2S_BLOCK_SIZE 64 // BLAKE2S_BLOCKBYTES + +#define BLAKE2B_SIZE 64 // BLAKE2B_KEYBYTES +#define BLAKE2B_HEX_SIZE 129 +#define BLAKE2B_BLOCK_SIZE 128 // BLAKE2B_BLOCKBYTEs + +typedef struct blake2s_state__ +{ + uint32_t h[8]; + uint32_t t[2]; + uint32_t f[2]; + uint8_t buf[BLAKE2S_BLOCK_SIZE]; + size_t buflen; + size_t outlen; + uint8_t last_node; +} blake2s_state; + +typedef struct blake2b_state__ +{ + uint64_t h[8]; + uint64_t t[2]; + uint64_t f[2]; + uint8_t buf[BLAKE2B_BLOCK_SIZE]; + size_t buflen; + size_t outlen; + uint8_t last_node; +} blake2b_state; + +struct hash_context; + +struct blake2s_context { + const struct mac_desc *type; + blake2s_state state; + byte buf[BLAKE2B_SIZE]; +}; +struct blake2b_context { + const struct mac_desc *type; + blake2b_state state; + byte buf[BLAKE2B_SIZE]; +}; + +void blake2s_bird_init(struct mac_context *ctx, const byte *key, uint keylen); +void blake2s_bird_update(struct mac_context *ctx, const byte *buf, uint len); +byte *blake2s_bird_final(struct mac_context *ctx); + +void blake2b_bird_init(struct mac_context *ctx, const byte *key, uint keylen); +void blake2b_bird_update(struct mac_context *ctx, const byte *buf, uint len); +byte *blake2b_bird_final(struct mac_context *ctx); + + +#endif /* _BIRD_BLAKE2_H_ */ diff --git a/lib/blake2b-ref.c b/lib/blake2b-ref.c new file mode 100644 index 00000000..db0111a6 --- /dev/null +++ b/lib/blake2b-ref.c @@ -0,0 +1,270 @@ +/* + BLAKE2 reference source code package - reference C implementations + + Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the + terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at + your option. The terms of these licenses can be found at: + + - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + - OpenSSL license : https://www.openssl.org/source/license.html + - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + + More information about the BLAKE2 hash function can be found at + https://blake2.net. +*/ + +#include <stdint.h> +#include <string.h> +#include <stdio.h> + +#include "blake2-ref.h" +#include "blake2-impl.h" + +static const uint64_t blake2b_IV[8] = +{ + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL +}; + +static const uint8_t blake2b_sigma[12][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +}; + + +static void blake2b_set_lastnode( blake2b_state *S ) +{ + S->f[1] = (uint64_t)-1; +} + +/* Some helper functions, not necessarily useful */ +static int blake2b_is_lastblock( const blake2b_state *S ) +{ + return S->f[0] != 0; +} + +static void blake2b_set_lastblock( blake2b_state *S ) +{ + if( S->last_node ) blake2b_set_lastnode( S ); + + S->f[0] = (uint64_t)-1; +} + +static void blake2b_increment_counter( blake2b_state *S, const uint64_t inc ) +{ + S->t[0] += inc; + S->t[1] += ( S->t[0] < inc ); +} + +static void blake2b_init0( blake2b_state *S ) +{ + size_t i; + memset( S, 0, sizeof( blake2b_state ) ); + + for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i]; +} + +/* init xors IV with input parameter block */ +int blake2b_init_param( blake2b_state *S, const blake2b_param *P ) +{ + const uint8_t *p = ( const uint8_t * )( P ); + size_t i; + + blake2b_init0( S ); + + /* IV XOR ParamBlock */ + for( i = 0; i < 8; ++i ) + S->h[i] ^= load64( p + sizeof( S->h[i] ) * i ); + + S->outlen = P->digest_length; + return 0; +} + + + +int blake2b_init( blake2b_state *S, size_t outlen ) +{ + blake2b_param P[1]; + + if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1; + + P->digest_length = (uint8_t)outlen; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32( &P->leaf_length, 0 ); + store32( &P->node_offset, 0 ); + store32( &P->xof_length, 0 ); + P->node_depth = 0; + P->inner_length = 0; + memset( P->reserved, 0, sizeof( P->reserved ) ); + memset( P->salt, 0, sizeof( P->salt ) ); + memset( P->personal, 0, sizeof( P->personal ) ); + return blake2b_init_param( S, P ); +} + + +int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen ) +{ + blake2b_param P[1]; + + if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1; + + if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1; + + P->digest_length = (uint8_t)outlen; + P->key_length = (uint8_t)keylen; + P->fanout = 1; + P->depth = 1; + store32( &P->leaf_length, 0 ); + store32( &P->node_offset, 0 ); + store32( &P->xof_length, 0 ); + P->node_depth = 0; + P->inner_length = 0; + memset( P->reserved, 0, sizeof( P->reserved ) ); + memset( P->salt, 0, sizeof( P->salt ) ); + memset( P->personal, 0, sizeof( P->personal ) ); + + if( blake2b_init_param( S, P ) < 0 ) return -1; + + { + uint8_t block[BLAKE2B_BLOCKBYTES]; + memset( block, 0, BLAKE2B_BLOCKBYTES ); + memcpy( block, key, keylen ); + blake2b_update( S, block, BLAKE2B_BLOCKBYTES ); + secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */ + } + return 0; +} + +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2b_sigma[r][2*i+0]]; \ + d = rotr64(d ^ a, 32); \ + c = c + d; \ + b = rotr64(b ^ c, 24); \ + a = a + b + m[blake2b_sigma[r][2*i+1]]; \ + d = rotr64(d ^ a, 16); \ + c = c + d; \ + b = rotr64(b ^ c, 63); \ + } while(0) + +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + +static void blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ) +{ + uint64_t m[16]; + uint64_t v[16]; + size_t i; + + for( i = 0; i < 16; ++i ) { + m[i] = load64( block + i * sizeof( m[i] ) ); + } + + for( i = 0; i < 8; ++i ) { + v[i] = S->h[i]; + } + + v[ 8] = blake2b_IV[0]; + v[ 9] = blake2b_IV[1]; + v[10] = blake2b_IV[2]; + v[11] = blake2b_IV[3]; + v[12] = blake2b_IV[4] ^ S->t[0]; + v[13] = blake2b_IV[5] ^ S->t[1]; + v[14] = blake2b_IV[6] ^ S->f[0]; + v[15] = blake2b_IV[7] ^ S->f[1]; + + ROUND( 0 ); + ROUND( 1 ); + ROUND( 2 ); + ROUND( 3 ); + ROUND( 4 ); + ROUND( 5 ); + ROUND( 6 ); + ROUND( 7 ); + ROUND( 8 ); + ROUND( 9 ); + ROUND( 10 ); + ROUND( 11 ); + + for( i = 0; i < 8; ++i ) { + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; + } +} + +#undef G +#undef ROUND + +int blake2b_update( blake2b_state *S, const void *pin, size_t inlen ) +{ + const unsigned char * in = (const unsigned char *)pin; + if( inlen > 0 ) + { + size_t left = S->buflen; + size_t fill = BLAKE2B_BLOCKBYTES - left; + if( inlen > fill ) + { + S->buflen = 0; + memcpy( S->buf + left, in, fill ); /* Fill buffer */ + blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES ); + blake2b_compress( S, S->buf ); /* Compress */ + in += fill; inlen -= fill; + while(inlen > BLAKE2B_BLOCKBYTES) { + blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); + blake2b_compress( S, in ); + in += BLAKE2B_BLOCKBYTES; + inlen -= BLAKE2B_BLOCKBYTES; + } + } + memcpy( S->buf + S->buflen, in, inlen ); + S->buflen += inlen; + } + return 0; +} + +int blake2b_final( blake2b_state *S, void *out, size_t outlen ) +{ + uint8_t buffer[BLAKE2B_OUTBYTES] = {0}; + size_t i; + + if( out == NULL || outlen < S->outlen ) + return -1; + + if( blake2b_is_lastblock( S ) ) + return -1; + + blake2b_increment_counter( S, S->buflen ); + blake2b_set_lastblock( S ); + memset( S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */ + blake2b_compress( S, S->buf ); + + for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */ + store64( buffer + sizeof( S->h[i] ) * i, S->h[i] ); + + memcpy( out, buffer, S->outlen ); + secure_zero_memory(buffer, sizeof(buffer)); + return 0; +} diff --git a/lib/blake2s-ref.c b/lib/blake2s-ref.c new file mode 100644 index 00000000..55f8a2a0 --- /dev/null +++ b/lib/blake2s-ref.c @@ -0,0 +1,263 @@ +/* + BLAKE2 reference source code package - reference C implementations + + Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the + terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at + your option. The terms of these licenses can be found at: + + - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + - OpenSSL license : https://www.openssl.org/source/license.html + - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + + More information about the BLAKE2 hash function can be found at + https://blake2.net. +*/ + +#include <stdint.h> +#include <string.h> +#include <stdio.h> + +#include "blake2-ref.h" +#include "blake2-impl.h" + +static const uint32_t blake2s_IV[8] = +{ + 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL, + 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL +}; + +static const uint8_t blake2s_sigma[10][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , +}; + +static void blake2s_set_lastnode( blake2s_state *S ) +{ + S->f[1] = (uint32_t)-1; +} + +/* Some helper functions, not necessarily useful */ +static int blake2s_is_lastblock( const blake2s_state *S ) +{ + return S->f[0] != 0; +} + +static void blake2s_set_lastblock( blake2s_state *S ) +{ + if( S->last_node ) blake2s_set_lastnode( S ); + + S->f[0] = (uint32_t)-1; +} + +static void blake2s_increment_counter( blake2s_state *S, const uint32_t inc ) +{ + S->t[0] += inc; + S->t[1] += ( S->t[0] < inc ); +} + +static void blake2s_init0( blake2s_state *S ) +{ + size_t i; + memset( S, 0, sizeof( blake2s_state ) ); + + for( i = 0; i < 8; ++i ) S->h[i] = blake2s_IV[i]; +} + +/* init2 xors IV with input parameter block */ +int blake2s_init_param( blake2s_state *S, const blake2s_param *P ) +{ + const unsigned char *p = ( const unsigned char * )( P ); + size_t i; + + blake2s_init0( S ); + + /* IV XOR ParamBlock */ + for( i = 0; i < 8; ++i ) + S->h[i] ^= load32( &p[i * 4] ); + + S->outlen = P->digest_length; + return 0; +} + + +/* Sequential blake2s initialization */ +int blake2s_init( blake2s_state *S, size_t outlen ) +{ + blake2s_param P[1]; + + /* Move interval verification here? */ + if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1; + + P->digest_length = (uint8_t)outlen; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + store32( &P->leaf_length, 0 ); + store32( &P->node_offset, 0 ); + store16( &P->xof_length, 0 ); + P->node_depth = 0; + P->inner_length = 0; + /* memset(P->reserved, 0, sizeof(P->reserved) ); */ + memset( P->salt, 0, sizeof( P->salt ) ); + memset( P->personal, 0, sizeof( P->personal ) ); + return blake2s_init_param( S, P ); +} + +int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen ) +{ + blake2s_param P[1]; + + if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1; + + if ( !key || !keylen || keylen > BLAKE2S_KEYBYTES ) return -1; + + P->digest_length = (uint8_t)outlen; + P->key_length = (uint8_t)keylen; + P->fanout = 1; + P->depth = 1; + store32( &P->leaf_length, 0 ); + store32( &P->node_offset, 0 ); + store16( &P->xof_length, 0 ); + P->node_depth = 0; + P->inner_length = 0; + /* memset(P->reserved, 0, sizeof(P->reserved) ); */ + memset( P->salt, 0, sizeof( P->salt ) ); + memset( P->personal, 0, sizeof( P->personal ) ); + + if( blake2s_init_param( S, P ) < 0 ) return -1; + + { + uint8_t block[BLAKE2S_BLOCKBYTES]; + memset( block, 0, BLAKE2S_BLOCKBYTES ); + memcpy( block, key, keylen ); + blake2s_update( S, block, BLAKE2S_BLOCKBYTES ); + secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */ + } + return 0; +} + +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2s_sigma[r][2*i+0]]; \ + d = rotr32(d ^ a, 16); \ + c = c + d; \ + b = rotr32(b ^ c, 12); \ + a = a + b + m[blake2s_sigma[r][2*i+1]]; \ + d = rotr32(d ^ a, 8); \ + c = c + d; \ + b = rotr32(b ^ c, 7); \ + } while(0) + +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + +static void blake2s_compress( blake2s_state *S, const uint8_t in[BLAKE2S_BLOCKBYTES] ) +{ + uint32_t m[16]; + uint32_t v[16]; + size_t i; + + for( i = 0; i < 16; ++i ) { + m[i] = load32( in + i * sizeof( m[i] ) ); + } + + for( i = 0; i < 8; ++i ) { + v[i] = S->h[i]; + } + + v[ 8] = blake2s_IV[0]; + v[ 9] = blake2s_IV[1]; + v[10] = blake2s_IV[2]; + v[11] = blake2s_IV[3]; + v[12] = S->t[0] ^ blake2s_IV[4]; + v[13] = S->t[1] ^ blake2s_IV[5]; + v[14] = S->f[0] ^ blake2s_IV[6]; + v[15] = S->f[1] ^ blake2s_IV[7]; + + ROUND( 0 ); + ROUND( 1 ); + ROUND( 2 ); + ROUND( 3 ); + ROUND( 4 ); + ROUND( 5 ); + ROUND( 6 ); + ROUND( 7 ); + ROUND( 8 ); + ROUND( 9 ); + + for( i = 0; i < 8; ++i ) { + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; + } +} + +#undef G +#undef ROUND + +int blake2s_update( blake2s_state *S, const void *pin, size_t inlen ) +{ + const unsigned char * in = (const unsigned char *)pin; + if( inlen > 0 ) + { + size_t left = S->buflen; + size_t fill = BLAKE2S_BLOCKBYTES - left; + if( inlen > fill ) + { + S->buflen = 0; + memcpy( S->buf + left, in, fill ); /* Fill buffer */ + blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES ); + blake2s_compress( S, S->buf ); /* Compress */ + in += fill; inlen -= fill; + while(inlen > BLAKE2S_BLOCKBYTES) { + blake2s_increment_counter(S, BLAKE2S_BLOCKBYTES); + blake2s_compress( S, in ); + in += BLAKE2S_BLOCKBYTES; + inlen -= BLAKE2S_BLOCKBYTES; + } + } + memcpy( S->buf + S->buflen, in, inlen ); + S->buflen += inlen; + } + return 0; +} + +int blake2s_final( blake2s_state *S, void *out, size_t outlen ) +{ + uint8_t buffer[BLAKE2S_OUTBYTES] = {0}; + size_t i; + + if( out == NULL || outlen < S->outlen ) + return -1; + + if( blake2s_is_lastblock( S ) ) + return -1; + + blake2s_increment_counter( S, ( uint32_t )S->buflen ); + blake2s_set_lastblock( S ); + memset( S->buf + S->buflen, 0, BLAKE2S_BLOCKBYTES - S->buflen ); /* Padding */ + blake2s_compress( S, S->buf ); + + for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */ + store32( buffer + sizeof( S->h[i] ) * i, S->h[i] ); + + memcpy( out, buffer, outlen ); + secure_zero_memory(buffer, sizeof(buffer)); + return 0; +} diff --git a/lib/mac.c b/lib/mac.c index 977d6559..ca02beff 100644 --- a/lib/mac.c +++ b/lib/mac.c @@ -32,6 +32,7 @@ #include "lib/sha1.h" #include "lib/sha256.h" #include "lib/sha512.h" +#include "lib/blake2.h" /* @@ -169,6 +170,12 @@ const struct mac_desc mac_table[ALG_MAX] = { [ALG_SHA256] = HASH_DESC("Keyed SHA-256", sha256, SHA256), [ALG_SHA384] = HASH_DESC("Keyed SHA-384", sha384, SHA384), [ALG_SHA512] = HASH_DESC("Keyed SHA-512", sha512, SHA512), + [ALG_BLAKE2S] = {"Blake2s", BLAKE2S_SIZE, sizeof(struct blake2s_context), + blake2s_bird_init, blake2s_bird_update, + blake2s_bird_final, BLAKE2S_SIZE, BLAKE2S_BLOCK_SIZE}, + [ALG_BLAKE2B] = {"Blake2b", BLAKE2B_SIZE, sizeof(struct blake2b_context), + blake2b_bird_init, blake2b_bird_update, + blake2b_bird_final, BLAKE2B_SIZE, BLAKE2B_BLOCK_SIZE}, [ALG_HMAC_MD5] = HMAC_DESC("HMAC-MD5", md5, MD5), [ALG_HMAC_SHA1] = HMAC_DESC("HMAC-SHA-1", sha1, SHA1), [ALG_HMAC_SHA224] = HMAC_DESC("HMAC-SHA-224", sha224, SHA224), diff --git a/lib/mac.h b/lib/mac.h index b6f3af52..add6d794 100644 --- a/lib/mac.h +++ b/lib/mac.h @@ -21,6 +21,8 @@ #define ALG_SHA256 0x04 #define ALG_SHA384 0x05 #define ALG_SHA512 0x06 +#define ALG_BLAKE2S 0x07 +#define ALG_BLAKE2B 0x08 #define ALG_HMAC 0x10 #define ALG_HMAC_MD5 0x11 #define ALG_HMAC_SHA1 0x12 diff --git a/nest/config.Y b/nest/config.Y index bd1157c6..d0189082 100644 --- a/nest/config.Y +++ b/nest/config.Y @@ -69,7 +69,7 @@ CF_KEYWORDS(INTERFACE, IMPORT, EXPORT, FILTER, NONE, VRF, DEFAULT, TABLE, STATES CF_KEYWORDS(IPV4, IPV6, VPN4, VPN6, ROA4, ROA6, FLOW4, FLOW6, SADR, MPLS) CF_KEYWORDS(RECEIVE, LIMIT, ACTION, WARN, BLOCK, RESTART, DISABLE, KEEP, FILTERED) CF_KEYWORDS(PASSWORD, FROM, PASSIVE, TO, ID, EVENTS, PACKETS, PROTOCOLS, INTERFACES) -CF_KEYWORDS(ALGORITHM, KEYED, HMAC, MD5, SHA1, SHA256, SHA384, SHA512) +CF_KEYWORDS(ALGORITHM, KEYED, HMAC, MD5, SHA1, SHA256, SHA384, SHA512, BLAKE2S, BLAKE2B) CF_KEYWORDS(PRIMARY, STATS, COUNT, BY, FOR, COMMANDS, PREEXPORT, NOEXPORT, EXPORTED, GENERATE) CF_KEYWORDS(BGP, PASSWORDS, DESCRIPTION, SORTED) CF_KEYWORDS(RELOAD, IN, OUT, MRTDUMP, MESSAGES, RESTRICT, MEMORY, IGP_METRIC, CLASS, DSCP) @@ -495,6 +495,8 @@ password_algorithm: | HMAC SHA256 { $$ = ALG_HMAC_SHA256; } | HMAC SHA384 { $$ = ALG_HMAC_SHA384; } | HMAC SHA512 { $$ = ALG_HMAC_SHA512; } + | BLAKE2S { $$ = ALG_BLAKE2S; } + | BLAKE2B { $$ = ALG_BLAKE2B; } ; /* Core commands */
From: Toke Høiland-Jørgensen <toke@toke.dk> The subsequent commit will add authentication support to the Babel protocol, which also requires parsing the packet TLVs. To make this easier, this commit refactors the packet parsing code by adding a helper macro to loop over TLVs, and generalising the babel_read_tlv function so it can be reused for parsing authentication data. The reusable definitions are moved into a header file which can be included from the authentication code. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> --- proto/babel/packets.c | 250 +++++++++++++++++++++++-------------------------- proto/babel/packets.h | 96 +++++++++++++++++++ 2 files changed, 213 insertions(+), 133 deletions(-) create mode 100644 proto/babel/packets.h diff --git a/proto/babel/packets.c b/proto/babel/packets.c index d4ecf649..50a22612 100644 --- a/proto/babel/packets.c +++ b/proto/babel/packets.c @@ -11,19 +11,7 @@ */ #include "babel.h" - - -struct babel_pkt_header { - u8 magic; - u8 version; - u16 length; -} PACKED; - -struct babel_tlv { - u8 type; - u8 length; - u8 value[0]; -} PACKED; +#include "packets.h" struct babel_tlv_ack_req { u8 type; @@ -122,9 +110,7 @@ struct babel_subtlv_source_prefix { struct babel_parse_state { - struct babel_proto *proto; - struct babel_iface *ifa; - ip_addr saddr; + struct babel_read_state rstate; /* Keep as first entry */ ip_addr next_hop_ip4; ip_addr next_hop_ip6; u64 router_id; /* Router ID used in subsequent updates */ @@ -133,16 +119,9 @@ struct babel_parse_state { u8 router_id_seen; /* router_id field is valid */ u8 def_ip6_prefix_seen; /* def_ip6_prefix is valid */ u8 def_ip4_prefix_seen; /* def_ip4_prefix is valid */ - u8 current_tlv_endpos; /* End of self-terminating TLVs (offset from start) */ u8 sadr_enabled; }; -enum parse_result { - PARSE_SUCCESS, - PARSE_ERROR, - PARSE_IGNORE, -}; - struct babel_write_state { u64 router_id; u8 router_id_seen; @@ -155,17 +134,8 @@ struct babel_write_state { #define DROP(DSC,VAL) do { err_dsc = DSC; err_val = VAL; goto drop; } while(0) #define DROP1(DSC) do { err_dsc = DSC; goto drop; } while(0) -#define LOG_PKT(msg, args...) \ - log_rl(&p->log_pkt_tbf, L_REMOTE "%s: " msg, p->p.name, args) - -#define FIRST_TLV(p) ((struct babel_tlv *) (((struct babel_pkt_header *) p) + 1)) -#define NEXT_TLV(t) ((struct babel_tlv *) (((byte *) t) + TLV_LENGTH(t))) -#define TLV_LENGTH(t) (t->type == BABEL_TLV_PAD1 ? 1 : t->length + sizeof(struct babel_tlv)) -#define TLV_OPT_LENGTH(t) (t->length + sizeof(struct babel_tlv) - sizeof(*t)) -#define TLV_HDR(tlv,t,l) ({ tlv->type = t; tlv->length = l - sizeof(struct babel_tlv); }) -#define TLV_HDR0(tlv,t) TLV_HDR(tlv, t, tlv_data[t].min_length) -#define NET_SIZE(n) BYTES(net_pxlen(n)) +#define TO_PARSE_STATE(_s,_r) struct babel_parse_state *_s = ((struct babel_parse_state *)_r) static inline uint bytes_equal(u8 *b1, u8 *b2, uint maxlen) @@ -237,15 +207,15 @@ put_ip6_ll(void *p, ip6_addr addr) * TLV read/write functions */ -static int babel_read_ack_req(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_hello(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_ihu(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_router_id(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_next_hop(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_update(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_read_source_prefix(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); +static int babel_read_ack_req(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_hello(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_ihu(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_router_id(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_next_hop(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_update(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); +static int babel_read_source_prefix(struct babel_tlv *hdr, union babel_msg *msg, struct babel_read_state *state); static uint babel_write_ack(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); static uint babel_write_hello(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); @@ -255,13 +225,6 @@ static uint babel_write_route_request(struct babel_tlv *hdr, union babel_msg *ms static uint babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); static int babel_write_source_prefix(struct babel_tlv *hdr, net_addr *net, uint max_len); -struct babel_tlv_data { - u8 min_length; - int (*read_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_parse_state *state); - uint (*write_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_write_state *state, uint max_len); - void (*handle_tlv)(union babel_msg *m, struct babel_iface *ifa); -}; - static const struct babel_tlv_data tlv_data[BABEL_TLV_MAX] = { [BABEL_TLV_ACK_REQ] = { sizeof(struct babel_tlv_ack_req), @@ -319,17 +282,42 @@ static const struct babel_tlv_data tlv_data[BABEL_TLV_MAX] = { }, }; +static const struct babel_tlv_data *get_packet_tlv_data(u8 type) +{ + return type < sizeof(tlv_data) / sizeof(*tlv_data) ? &tlv_data[type] : NULL; +} + +static const struct babel_tlv_data source_prefix_tlv_data = { + sizeof(struct babel_subtlv_source_prefix), + babel_read_source_prefix, + NULL, + NULL +}; + +static const struct babel_tlv_data *get_packet_subtlv_data(u8 type) +{ + switch(type) + { + case BABEL_SUBTLV_SOURCE_PREFIX: + return &source_prefix_tlv_data; + + default: + return NULL; + } +} + static int babel_read_ack_req(struct babel_tlv *hdr, union babel_msg *m, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_ack_req *tlv = (void *) hdr; struct babel_msg_ack_req *msg = &m->ack_req; + TO_PARSE_STATE(state, rstate); msg->type = BABEL_TLV_ACK_REQ; msg->nonce = get_u16(&tlv->nonce); msg->interval = get_time16(&tlv->interval); - msg->sender = state->saddr; + msg->sender = state->rstate.saddr; if (!msg->interval) return PARSE_ERROR; @@ -352,10 +340,11 @@ babel_write_ack(struct babel_tlv *hdr, union babel_msg *m, static int babel_read_hello(struct babel_tlv *hdr, union babel_msg *m, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_hello *tlv = (void *) hdr; struct babel_msg_hello *msg = &m->hello; + TO_PARSE_STATE(state, rstate); /* We currently don't support unicast Hello */ u16 flags = get_u16(&tlv->flags); @@ -365,7 +354,7 @@ babel_read_hello(struct babel_tlv *hdr, union babel_msg *m, msg->type = BABEL_TLV_HELLO; msg->seqno = get_u16(&tlv->seqno); msg->interval = get_time16(&tlv->interval); - msg->sender = state->saddr; + msg->sender = state->rstate.saddr; return PARSE_SUCCESS; } @@ -386,17 +375,18 @@ babel_write_hello(struct babel_tlv *hdr, union babel_msg *m, static int babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_ihu *tlv = (void *) hdr; struct babel_msg_ihu *msg = &m->ihu; + TO_PARSE_STATE(state, rstate); msg->type = BABEL_TLV_IHU; msg->ae = tlv->ae; msg->rxcost = get_u16(&tlv->rxcost); msg->interval = get_time16(&tlv->interval); msg->addr = IPA_NONE; - msg->sender = state->saddr; + msg->sender = state->rstate.saddr; if (msg->ae >= BABEL_AE_MAX) return PARSE_IGNORE; @@ -412,13 +402,13 @@ babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m, case BABEL_AE_IP4: if (TLV_OPT_LENGTH(tlv) < 4) return PARSE_ERROR; - state->current_tlv_endpos += 4; + state->rstate.current_tlv_endpos += 4; break; case BABEL_AE_IP6: if (TLV_OPT_LENGTH(tlv) < 16) return PARSE_ERROR; - state->current_tlv_endpos += 16; + state->rstate.current_tlv_endpos += 16; break; case BABEL_AE_IP6_LL: @@ -426,7 +416,7 @@ babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m, return PARSE_ERROR; msg->addr = ipa_from_ip6(get_ip6_ll(&tlv->addr)); - state->current_tlv_endpos += 8; + state->rstate.current_tlv_endpos += 8; break; } @@ -460,9 +450,10 @@ babel_write_ihu(struct babel_tlv *hdr, union babel_msg *m, static int babel_read_router_id(struct babel_tlv *hdr, union babel_msg *m UNUSED, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_router_id *tlv = (void *) hdr; + TO_PARSE_STATE(state, rstate); state->router_id = get_u64(&tlv->router_id); state->router_id_seen = 1; @@ -490,9 +481,10 @@ babel_write_router_id(struct babel_tlv *hdr, u64 router_id, static int babel_read_next_hop(struct babel_tlv *hdr, union babel_msg *m UNUSED, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_next_hop *tlv = (void *) hdr; + TO_PARSE_STATE(state, rstate); switch (tlv->ae) { @@ -504,7 +496,7 @@ babel_read_next_hop(struct babel_tlv *hdr, union babel_msg *m UNUSED, return PARSE_ERROR; state->next_hop_ip4 = ipa_from_ip4(get_ip4(&tlv->addr)); - state->current_tlv_endpos += sizeof(ip4_addr); + state->rstate.current_tlv_endpos += sizeof(ip4_addr); return PARSE_IGNORE; case BABEL_AE_IP6: @@ -512,7 +504,7 @@ babel_read_next_hop(struct babel_tlv *hdr, union babel_msg *m UNUSED, return PARSE_ERROR; state->next_hop_ip6 = ipa_from_ip6(get_ip6(&tlv->addr)); - state->current_tlv_endpos += sizeof(ip6_addr); + state->rstate.current_tlv_endpos += sizeof(ip6_addr); return PARSE_IGNORE; case BABEL_AE_IP6_LL: @@ -520,7 +512,7 @@ babel_read_next_hop(struct babel_tlv *hdr, union babel_msg *m UNUSED, return PARSE_ERROR; state->next_hop_ip6 = ipa_from_ip6(get_ip6_ll(&tlv->addr)); - state->current_tlv_endpos += 8; + state->rstate.current_tlv_endpos += 8; return PARSE_IGNORE; default: @@ -577,10 +569,12 @@ babel_write_next_hop(struct babel_tlv *hdr, ip_addr addr, static int babel_read_update(struct babel_tlv *hdr, union babel_msg *m, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_update *tlv = (void *) hdr; struct babel_msg_update *msg = &m->update; + TO_PARSE_STATE(state, rstate); + msg->type = BABEL_TLV_UPDATE; msg->interval = get_time16(&tlv->interval); @@ -685,8 +679,8 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m, } msg->router_id = state->router_id; - msg->sender = state->saddr; - state->current_tlv_endpos += len; + msg->sender = state->rstate.saddr; + state->rstate.current_tlv_endpos += len; return PARSE_SUCCESS; } @@ -797,10 +791,11 @@ babel_write_update(struct babel_tlv *hdr, union babel_msg *m, static int babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_route_request *tlv = (void *) hdr; struct babel_msg_route_request *msg = &m->route_request; + TO_PARSE_STATE(state, rstate); msg->type = BABEL_TLV_ROUTE_REQUEST; @@ -822,7 +817,7 @@ babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m, return PARSE_ERROR; read_ip4_px(&msg->net, tlv->addr, tlv->plen); - state->current_tlv_endpos += BYTES(tlv->plen); + state->rstate.current_tlv_endpos += BYTES(tlv->plen); return PARSE_SUCCESS; case BABEL_AE_IP6: @@ -833,7 +828,7 @@ babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m, return PARSE_ERROR; read_ip6_px(&msg->net, tlv->addr, tlv->plen); - state->current_tlv_endpos += BYTES(tlv->plen); + state->rstate.current_tlv_endpos += BYTES(tlv->plen); if (state->sadr_enabled) net_make_ip6_sadr(&msg->net); @@ -896,16 +891,17 @@ babel_write_route_request(struct babel_tlv *hdr, union babel_msg *m, static int babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m, - struct babel_parse_state *state) + struct babel_read_state *rstate) { struct babel_tlv_seqno_request *tlv = (void *) hdr; struct babel_msg_seqno_request *msg = &m->seqno_request; + TO_PARSE_STATE(state, rstate); msg->type = BABEL_TLV_SEQNO_REQUEST; msg->seqno = get_u16(&tlv->seqno); msg->hop_count = tlv->hop_count; msg->router_id = get_u64(&tlv->router_id); - msg->sender = state->saddr; + msg->sender = state->rstate.saddr; if (tlv->hop_count == 0) return PARSE_ERROR; @@ -923,7 +919,7 @@ babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m, return PARSE_ERROR; read_ip4_px(&msg->net, tlv->addr, tlv->plen); - state->current_tlv_endpos += BYTES(tlv->plen); + state->rstate.current_tlv_endpos += BYTES(tlv->plen); return PARSE_SUCCESS; case BABEL_AE_IP6: @@ -934,7 +930,7 @@ babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m, return PARSE_ERROR; read_ip6_px(&msg->net, tlv->addr, tlv->plen); - state->current_tlv_endpos += BYTES(tlv->plen); + state->rstate.current_tlv_endpos += BYTES(tlv->plen); if (state->sadr_enabled) net_make_ip6_sadr(&msg->net); @@ -996,7 +992,7 @@ babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *m, static int babel_read_source_prefix(struct babel_tlv *hdr, union babel_msg *msg, - struct babel_parse_state *state UNUSED) + struct babel_read_state *state UNUSED) { struct babel_subtlv_source_prefix *tlv = (void *) hdr; net_addr_ip6_sadr *net; @@ -1083,70 +1079,68 @@ babel_write_source_prefix(struct babel_tlv *hdr, net_addr *n, uint max_len) return len; } - static inline int babel_read_subtlvs(struct babel_tlv *hdr, union babel_msg *msg, - struct babel_parse_state *state) + struct babel_read_state *state) { + const struct babel_tlv_data *tlv_data; + struct babel_proto *p = state->proto; struct babel_tlv *tlv; - byte *pos, *end = (byte *) hdr + TLV_LENGTH(hdr); + byte *end = (byte *) hdr + TLV_LENGTH(hdr); int res; - for (tlv = (void *) hdr + state->current_tlv_endpos; - (byte *) tlv < end; - tlv = NEXT_TLV(tlv)) + WALK_TLVS(hdr + state->current_tlv_endpos, end, tlv, + state->saddr, state->ifa->ifname) { - /* Ugly special case */ - if (tlv->type == BABEL_TLV_PAD1) + if (tlv->type == BABEL_SUBTLV_PADN) continue; - /* The end of the common TLV header */ - pos = (byte *)tlv + sizeof(struct babel_tlv); - if ((pos > end) || (pos + tlv->length > end)) - return PARSE_ERROR; - - /* - * The subtlv type space is non-contiguous (due to the mandatory bit), so - * use a switch for dispatch instead of the mapping array we use for TLVs - */ - switch (tlv->type) + if (!state->get_subtlv_data || + !(tlv_data = state->get_subtlv_data(tlv->type)) || + !tlv_data->read_tlv) { - case BABEL_SUBTLV_SOURCE_PREFIX: - res = babel_read_source_prefix(tlv, msg, state); - if (res != PARSE_SUCCESS) - return res; - break; - - case BABEL_SUBTLV_PADN: - default: /* Unknown mandatory subtlv; PARSE_IGNORE ignores the whole TLV */ if (tlv->type >= 128) - return PARSE_IGNORE; - break; + return PARSE_IGNORE; + continue; } + + res = tlv_data->read_tlv(tlv, msg, state); + if (res != PARSE_SUCCESS) + return res; } + WALK_TLVS_END; return PARSE_SUCCESS; + +frame_err: + return PARSE_ERROR; } -static inline int +int babel_read_tlv(struct babel_tlv *hdr, union babel_msg *msg, - struct babel_parse_state *state) + struct babel_read_state *state) { + const struct babel_tlv_data *tlv_data; + if ((hdr->type <= BABEL_TLV_PADN) || - (hdr->type >= BABEL_TLV_MAX) || - !tlv_data[hdr->type].read_tlv) + (hdr->type >= BABEL_TLV_MAX)) return PARSE_IGNORE; - if (TLV_LENGTH(hdr) < tlv_data[hdr->type].min_length) + tlv_data = state->get_tlv_data(hdr->type); + + if (!tlv_data || !tlv_data->read_tlv) + return PARSE_IGNORE; + + if (TLV_LENGTH(hdr) < tlv_data->min_length) return PARSE_ERROR; - state->current_tlv_endpos = tlv_data[hdr->type].min_length; + state->current_tlv_endpos = tlv_data->min_length; memset(msg, 0, sizeof(*msg)); - int res = tlv_data[hdr->type].read_tlv(hdr, msg, state); + int res = tlv_data->read_tlv(hdr, msg, state); if (res != PARSE_SUCCESS) return res; @@ -1171,7 +1165,6 @@ babel_write_tlv(struct babel_tlv *hdr, return tlv_data[msg->type].write_tlv(hdr, msg, state, max_len); } - /* * Packet RX/TX functions */ @@ -1337,15 +1330,18 @@ babel_process_packet(struct babel_pkt_header *pkt, int len, int res; int plen = sizeof(struct babel_pkt_header) + get_u16(&pkt->length); - byte *pos; byte *end = (byte *)pkt + plen; struct babel_parse_state state = { - .proto = p, - .ifa = ifa, - .saddr = saddr, - .next_hop_ip6 = saddr, - .sadr_enabled = babel_sadr_enabled(p), + .rstate = { + .get_tlv_data = &get_packet_tlv_data, + .get_subtlv_data = &get_packet_subtlv_data, + .proto = p, + .ifa = ifa, + .saddr = saddr, + }, + .next_hop_ip6 = saddr, + .sadr_enabled = babel_sadr_enabled(p), }; if ((pkt->magic != BABEL_MAGIC) || (pkt->version != BABEL_VERSION)) @@ -1369,25 +1365,10 @@ babel_process_packet(struct babel_pkt_header *pkt, int len, /* First pass through the packet TLV by TLV, parsing each into internal data structures. */ - for (tlv = FIRST_TLV(pkt); - (byte *)tlv < end; - tlv = NEXT_TLV(tlv)) + WALK_TLVS(FIRST_TLV(pkt), end, tlv, saddr, ifa->iface->name) { - /* Ugly special case */ - if (tlv->type == BABEL_TLV_PAD1) - continue; - - /* The end of the common TLV header */ - pos = (byte *)tlv + sizeof(struct babel_tlv); - if ((pos > end) || (pos + tlv->length > end)) - { - LOG_PKT("Bad TLV from %I via %s type %d pos %d - framing error", - saddr, ifa->iface->name, tlv->type, (byte *)tlv - (byte *)pkt); - break; - } - msg = sl_alloc(p->msg_slab); - res = babel_read_tlv(tlv, &msg->msg, &state); + res = babel_read_tlv(tlv, &msg->msg, &state.rstate); if (res == PARSE_SUCCESS) { add_tail(&msgs, NODE msg); @@ -1405,6 +1386,9 @@ babel_process_packet(struct babel_pkt_header *pkt, int len, break; } } + WALK_TLVS_END; + +frame_err: /* Parsing done, handle all parsed TLVs */ WALK_LIST_FIRST(msg, msgs) diff --git a/proto/babel/packets.h b/proto/babel/packets.h new file mode 100644 index 00000000..391b0936 --- /dev/null +++ b/proto/babel/packets.h @@ -0,0 +1,96 @@ +/* + * BIRD -- The Babel protocol + * + * Copyright (c) 2020 Toke Hoiland-Jorgensen + * + * Can be freely distributed and used under the terms of the GNU GPL. + * + * This file contains packet parsing-related data structures for the Babel protocol + */ + +#ifndef _BIRD_BABEL_PACKETS_H_ +#define _BIRD_BABEL_PACKETS_H_ + +#include "nest/bird.h" + +struct babel_pkt_header { + u8 magic; + u8 version; + u16 length; +} PACKED; + +struct babel_tlv { + u8 type; + u8 length; + u8 value[0]; +} PACKED; + +enum parse_result { + PARSE_SUCCESS, + PARSE_ERROR, + PARSE_IGNORE, +}; + +#define FIRST_TLV(p) ((struct babel_tlv *) (((struct babel_pkt_header *) p) + 1)) +#define NEXT_TLV(t) ((struct babel_tlv *) (((byte *) t) + TLV_LENGTH(t))) +#define TLV_LENGTH(t) (t->type == BABEL_TLV_PAD1 ? 1 : t->length + sizeof(struct babel_tlv)) +#define TLV_OPT_LENGTH(t) (t->length + sizeof(struct babel_tlv) - sizeof(*t)) +#define TLV_HDR(tlv,t,l) ({ tlv->type = t; tlv->length = l - sizeof(struct babel_tlv); }) +#define TLV_HDR0(tlv,t) TLV_HDR(tlv, t, tlv_data[t].min_length) + +#define NET_SIZE(n) BYTES(net_pxlen(n)) + +#define LOG_PKT(msg, args...) \ + log_rl(&p->log_pkt_tbf, L_REMOTE "%s: " msg, p->p.name, args) +#define LOG_WARN(msg, args...) \ + log_rl(&p->log_pkt_tbf, L_WARN "%s: " msg, p->p.name, args) + +/* Helper macros to loop over a series of TLVs. + * @start pointer to first TLV + * @end byte * pointer to TLV stream end + * @tlv struct babel_tlv pointer used as iterator + */ +#define WALK_TLVS(start, end, tlv, saddr, ifname) \ + for (tlv = (void *)start; \ + (byte *)tlv < end; \ + tlv = NEXT_TLV(tlv)) \ + { \ + byte *loop_pos; \ + /* Ugly special case */ \ + if (tlv->type == BABEL_TLV_PAD1) \ + continue; \ + \ + /* The end of the common TLV header */ \ + loop_pos = (byte *)tlv + sizeof(struct babel_tlv); \ + if ((loop_pos > end) || (loop_pos + tlv->length > end)) \ + { \ + LOG_PKT("Bad TLV from %I via %s type %d pos %d - framing error", \ + saddr, ifname, tlv->type, (byte *)tlv - (byte *)start); \ + goto frame_err; \ + } + +#define WALK_TLVS_END } + +struct babel_read_state; +struct babel_write_state; + +struct babel_tlv_data { + u8 min_length; + int (*read_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_read_state *state); + uint (*write_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_write_state *state, uint max_len); + void (*handle_tlv)(union babel_msg *m, struct babel_iface *ifa); +}; + +struct babel_read_state { + const struct babel_tlv_data* (*get_tlv_data)(u8 type); + const struct babel_tlv_data* (*get_subtlv_data)(u8 type); + struct babel_proto *proto; + struct babel_iface *ifa; + ip_addr saddr; + u8 current_tlv_endpos; /* End of self-terminating TLVs (offset from start) */ +}; + +int babel_read_tlv(struct babel_tlv *hdr, + union babel_msg *msg, + struct babel_read_state *state); +#endif
From: Toke Høiland-Jørgensen <toke@toke.dk> This implements support for MAC authentication in the Babel protocol, as specified by draft-babel-hmac-10. The implementation seeks to follow the draft as close as possible, with the only deliberate deviation being the addition of support for all the HMAC algorithms already supported by Bird, as well as the Blake2b variant of the Blake algorithm. The draft describes the applicability of the MAC authentication scheme as follows: 1.1. Applicability The protocol defined in this document assumes that all interfaces on a given link are equally trusted and share a small set of symmetric keys (usually just one, and two during key rotation). The protocol is inapplicable in situations where asymmetric keying is required, where the trust relationship is partial, or where large numbers of trusted keys are provisioned on a single link at the same time. This protocol supports incremental deployment (where an insecure Babel network is made secure with no service interruption), and it supports graceful key rotation (where the set of keys is changed with no service interruption). This protocol does not require synchronised clocks, it does not require persistently monotonic clocks, and it does not require persistent storage except for what might be required for storing cryptographic keys. 1.2. Assumptions and security properties The correctness of the protocol relies on the following assumptions: o that the Message Authentication Code (MAC) being used is invulnerable to pre-image attacks, i.e., that an attacker is unable to generate a packet with a correct MAC without access to the secret key; o that a node never generates the same index or nonce twice over the lifetime of a key. The first assumption is a property of the MAC being used. The second assumption can be met either by using a robust random number generator and sufficiently large indices and nonces, by using a reliable hardware clock, or by rekeying often enough that collisions are unlikely. If the assumptions above are met, the protocol described in this document has the following properties: o it is invulnerable to spoofing: any Babel packet accepted as authentic is the exact copy of a packet originally sent by an authorised node; o locally to a single node, it is invulnerable to replay: if a node has previously accepted a given packet, then it will never again accept a copy of this packet or an earlier packet from the same sender; o among different nodes, it is only vulnerable to immediate replay: if a node A has accepted an authentic packet from C, then a node B will only accept a copy of that packet if B has accepted an older packet from C and B has received no later packet from C. While this protocol makes efforts to mitigate the effects of a denial of service attack, it does not fully protect against such attacks. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> --- doc/bird.sgml | 36 +++ proto/babel/Doc | 1 proto/babel/Makefile | 4 proto/babel/auth.c | 593 +++++++++++++++++++++++++++++++++++++++++++++++++ proto/babel/babel.c | 33 ++- proto/babel/babel.h | 54 ++++ proto/babel/config.Y | 38 +++ proto/babel/packets.c | 44 +++- 8 files changed, 778 insertions(+), 25 deletions(-) create mode 100644 proto/babel/auth.c diff --git a/doc/bird.sgml b/doc/bird.sgml index 64860e6f..7682286e 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -811,8 +811,8 @@ agreement"). <tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 | blake2s | blake2b )</tag> The message authentication algorithm for the password when cryptographic authentication is enabled. The default value depends on the protocol. - For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3 - protocol it is HMAC-SHA-256. + For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3 and + Babel it is HMAC-SHA-256. </descrip> @@ -1757,6 +1757,19 @@ protocol babel [<name>] { check link <switch>; next hop ipv4 <address>; next hop ipv6 <address>; + authentication none|mac [permissive]; + password "<text>"; + password "<text>" { + id <num>; + generate from "<date>"; + generate to "<date>"; + accept from "<date>"; + accept to "<date>"; + from "<date>"; + to "<date>"; + algorithm ( hmac sha1 | hmac sha256 | hmac sha384 | hmac + sha512 | blake2s | blake2b ); + }; }; } </code> @@ -1847,6 +1860,25 @@ protocol babel [<name>] { interface. If not set, the same link-local address that is used as the source for Babel packets will be used. In normal operation, it should not be necessary to set this option. + + <tag><label id="babel-authentication">authentication none|mac [permissive]</tag> + Selects authentication method to be used. <cf/none/ means that packets + are not authenticated at all, <cf/mac/ means MAC authentication is + performed as described in draft-ietf-babel-hmac. If MAC authentication is + selected, the <cf/permissive/ suffix can be used to select an operation + mode where outgoing packets are signed, but incoming packets will be + accepted even if they fail authentication. This can be useful for + incremental deployment of MAC authentication across a network. If MAC + authentication is selected, a key must be specified with the + <cf/password/ configuration option. Default: none. + + <tag><label id="babel-password">password "<m/text/"</tag> Specifies a + password used for authentication. See the <ref id="proto-pass" + name="password"> common option for a detailed description. The Babel + protocol will only accept HMAC-based algorithms or one of the Blake + algorithms, and the length of the supplied password string must match the + key size used by the selected algorithm. + </descrip> <sect1>Attributes diff --git a/proto/babel/Doc b/proto/babel/Doc index 80026f91..2ce8e233 100644 --- a/proto/babel/Doc +++ b/proto/babel/Doc @@ -1,2 +1,3 @@ S babel.c S packets.c +S auth.c diff --git a/proto/babel/Makefile b/proto/babel/Makefile index a5b4a13b..a78e2c03 100644 --- a/proto/babel/Makefile +++ b/proto/babel/Makefile @@ -1,6 +1,6 @@ -src := babel.c packets.c +src := babel.c packets.c auth.c obj := $(src-o-files) $(all-daemon) $(cf-local) -tests_objs := $(tests_objs) $(src-o-files) \ No newline at end of file +tests_objs := $(tests_objs) $(src-o-files) diff --git a/proto/babel/auth.c b/proto/babel/auth.c new file mode 100644 index 00000000..945bc72e --- /dev/null +++ b/proto/babel/auth.c @@ -0,0 +1,593 @@ +/* + * BIRD -- The Babel protocol + * + * Copyright (c) 2020 Toke Hoiland-Jorgensen + * + * Can be freely distributed and used under the terms of the GNU GPL. + * + * This file contains the authentication code for the Babel protocol + */ + +#include "nest/bird.h" +#include "lib/mac.h" +#include "babel.h" +#include "packets.h" + +struct babel_tlv_pc { + u8 type; + u8 length; + u32 pc; + u8 index[0]; +} PACKED; + +struct babel_tlv_mac { + u8 type; + u8 length; + u8 mac[0]; +} PACKED; + +struct babel_tlv_challenge { + u8 type; + u8 length; + u8 nonce[0]; +} PACKED; + +struct babel_mac_pseudohdr { + u8 src_addr[16]; + u16 src_port; + u8 dst_addr[16]; + u16 dst_port; +} PACKED; + +struct babel_auth_state { + struct babel_read_state rstate; + u32 pc; + u8 pc_seen; + u8 index_len; + u8 *index; + u8 challenge_reply_seen; + u8 challenge_reply[BABEL_AUTH_NONCE_LEN]; + u8 challenge_seen; + u8 challenge_len; + u8 challenge[BABEL_AUTH_MAX_NONCE_LEN]; + u8 is_unicast; +}; + +#define LOG_PKT_AUTH(msg, args...) \ + log_rl(&p->log_pkt_tbf, L_AUTH "%s: " msg, p->p.name, args) + +#define TO_AUTH_STATE(_s,_r) struct babel_auth_state *_s = ((struct babel_auth_state *)_r) + +static int +babel_read_pc(struct babel_tlv *hdr, union babel_msg *m UNUSED, + struct babel_read_state *rstate) +{ + struct babel_tlv_pc *tlv = (void *) hdr; + TO_AUTH_STATE(state, rstate); + + if (!state->pc_seen) + { + state->pc_seen = 1; + state->pc = get_u32(&tlv->pc); + state->index_len = TLV_OPT_LENGTH(tlv); + state->index = tlv->index; + } + + return PARSE_IGNORE; +} + +static const struct babel_tlv_data pc_tlv_data = { + .min_length = sizeof(struct babel_tlv_pc), + .read_tlv = &babel_read_pc +}; + +static int +babel_read_challenge_req(struct babel_tlv *hdr, union babel_msg *m UNUSED, + struct babel_read_state *rstate) +{ + struct babel_tlv_challenge *tlv = (void *) hdr; + TO_AUTH_STATE(state, rstate); + + if (!state->is_unicast) + { + DBG("Ignoring non-unicast challenge request from %I\n", state->rstate.saddr); + return PARSE_IGNORE; + } + + if (tlv->length > BABEL_AUTH_MAX_NONCE_LEN) + return PARSE_IGNORE; + + state->challenge_len = tlv->length; + if (state->challenge_len) + memcpy(state->challenge, tlv->nonce, state->challenge_len); + state->challenge_seen = 1; + + return PARSE_IGNORE; +} + +static const struct babel_tlv_data challenge_req_tlv_data = { + .min_length = sizeof(struct babel_tlv_challenge), + .read_tlv = &babel_read_challenge_req, +}; + +static int +babel_read_challenge_reply(struct babel_tlv *hdr, union babel_msg *m UNUSED, + struct babel_read_state *rstate) +{ + struct babel_tlv_challenge *tlv = (void *) hdr; + TO_AUTH_STATE(state, rstate); + + if (tlv->length != BABEL_AUTH_NONCE_LEN || state->challenge_reply_seen) + return PARSE_IGNORE; + + state->challenge_reply_seen = 1; + memcpy(state->challenge_reply, tlv->nonce, BABEL_AUTH_NONCE_LEN); + + return PARSE_IGNORE; +} + +static const struct babel_tlv_data challenge_reply_tlv_data = { + .min_length = sizeof(struct babel_tlv_challenge), + .read_tlv = &babel_read_challenge_reply, +}; + +static const struct babel_tlv_data * +get_auth_tlv_data(u8 type) +{ + switch(type) + { + case BABEL_TLV_PC: + return &pc_tlv_data; + case BABEL_TLV_CHALLENGE_REQ: + return &challenge_req_tlv_data; + case BABEL_TLV_CHALLENGE_REPLY: + return &challenge_reply_tlv_data; + default: + return NULL; + } +} + +uint +babel_auth_write_challenge(struct babel_tlv *hdr, union babel_msg *m, + struct babel_write_state *state UNUSED,uint max_len) +{ + struct babel_tlv_challenge *tlv = (void *) hdr; + struct babel_msg_challenge *msg = &m->challenge; + + uint len = sizeof(struct babel_tlv_challenge) + msg->nonce_len; + + if (len > max_len) + return 0; + + TLV_HDR(tlv, msg->type, len); + memcpy(tlv->nonce, msg->nonce, msg->nonce_len); + + return len; +} + +static void +babel_auth_send_challenge(struct babel_iface *ifa, struct babel_neighbor *n) +{ + struct babel_proto *p = ifa->proto; + union babel_msg msg = {}; + + TRACE(D_PACKETS, "Sending AUTH challenge to %I on %s", + n->addr, ifa->ifname); + + random_bytes(n->auth_nonce, BABEL_AUTH_NONCE_LEN); + n->auth_nonce_expiry = current_time() + BABEL_AUTH_CHALLENGE_TIMEOUT; + n->auth_next_challenge = current_time() + BABEL_AUTH_CHALLENGE_INTERVAL; + + msg.type = BABEL_TLV_CHALLENGE_REQ; + msg.challenge.nonce_len = BABEL_AUTH_NONCE_LEN; + msg.challenge.nonce = n->auth_nonce; + + babel_send_unicast(&msg, ifa, n->addr); +} + +static int +babel_mac_hash(struct password_item *pass, + struct babel_mac_pseudohdr *phdr, + byte *pkt, uint pkt_len, + byte *buf, uint *buf_len) +{ + struct mac_context ctx; + + if (mac_type_length(pass->alg) > *buf_len) + return 1; + + mac_init(&ctx, pass->alg, pass->password, pass->length); + mac_update(&ctx, (byte *)phdr, sizeof(*phdr)); + mac_update(&ctx, (byte *)pkt, pkt_len); + + *buf_len = mac_get_length(&ctx); + memcpy(buf, mac_final(&ctx), *buf_len); + + mac_cleanup(&ctx); + + return 0; +} + +static void +babel_mac_build_phdr(struct babel_mac_pseudohdr *phdr, + ip_addr saddr, u16 sport, + ip_addr daddr, u16 dport) +{ + memset(phdr, 0, sizeof(*phdr)); + put_ip6(phdr->src_addr, saddr); + put_u16(&phdr->src_port, sport); + put_ip6(phdr->dst_addr, daddr); + put_u16(&phdr->dst_port, dport); + DBG("MAC pseudo-header: %I %d %I %d\n", saddr, sport, daddr, dport); +} + +static int +babel_auth_check_mac(struct babel_iface *ifa, byte *pkt, + byte *trailer, uint trailer_len, + ip_addr saddr, u16 sport, + ip_addr daddr, u16 dport) +{ + uint hash_len = (uint)(trailer - pkt); + struct babel_proto *p = ifa->proto; + byte *end = trailer + trailer_len; + btime now_ = current_real_time(); + struct babel_mac_pseudohdr phdr; + struct password_item *pass; + struct babel_tlv *tlv; + + if (trailer_len < sizeof(*tlv)) + { + LOG_PKT_AUTH("No MAC signature on packet from %I on %s", + saddr, ifa->ifname); + return 1; + } + + babel_mac_build_phdr(&phdr, saddr, sport, daddr, dport); + + WALK_LIST(pass, *ifa->cf->passwords) + { + byte mac_res[MAX_HASH_SIZE]; + uint mac_len = MAX_HASH_SIZE; + + if (pass->accfrom > now_ || pass->accto < now_) + continue; + + if (babel_mac_hash(pass, &phdr, + pkt, hash_len, + mac_res, &mac_len)) + continue; + + WALK_TLVS(trailer, end, tlv, saddr, ifa->ifname) + { + struct babel_tlv_mac *mac = (void *)tlv; + + if (tlv->type != BABEL_TLV_MAC) + continue; + + if (tlv->length == mac_len && !memcmp(mac->mac, mac_res, mac_len)) + return 0; + + DBG("MAC mismatch key id %d pos %d len %d/%d\n", + pass->id, (byte *)tlv - (byte *)pkt, mac_len, tlv->length); + } + WALK_TLVS_END; + } + + LOG_PKT_AUTH("No MAC key matching packet from %I found on %s", + saddr, ifa->ifname); + return 1; + +frame_err: + DBG("MAC trailer TLV framing error\n"); + return 1; +} + +static int +babel_auth_check_pc(struct babel_iface *ifa, struct babel_auth_state *state) +{ + struct babel_proto *p = ifa->proto; + struct babel_neighbor *n; + + TRACE(D_PACKETS, "Handling MAC check from %I on %s", + state->rstate.saddr, ifa->ifname); + + /* We create the neighbour entry at this point because it makes it easier to + * rate limit challenge replies; this is explicitly allowed by the spec (see + * Section 4.3). + */ + n = babel_get_neighbor(ifa, state->rstate.saddr); + + if (state->challenge_seen && n->auth_next_challenge_reply <= current_time()) + { + union babel_msg resp = {}; + TRACE(D_PACKETS, "Sending MAC challenge response to %I", state->rstate.saddr); + resp.type = BABEL_TLV_CHALLENGE_REPLY; + resp.challenge.nonce_len = state->challenge_len; + resp.challenge.nonce = state->challenge; + n->auth_next_challenge_reply = current_time() + BABEL_AUTH_CHALLENGE_INTERVAL; + babel_send_unicast(&resp, ifa, state->rstate.saddr); + } + + if (state->index_len > BABEL_AUTH_INDEX_LEN || !state->pc_seen) + { + LOG_PKT_AUTH("Invalid index or no PC from %I on %s", + state->rstate.saddr, ifa->ifname); + return 1; + } + + /* On successful challenge, update PC and index to current values */ + if (state->challenge_reply_seen && + n->auth_nonce_expiry && + n->auth_nonce_expiry >= current_time() && + !memcmp(state->challenge_reply, n->auth_nonce, BABEL_AUTH_NONCE_LEN)) + { + n->auth_index_len = state->index_len; + memcpy(n->auth_index, state->index, state->index_len); + n->auth_pc = state->pc; + } + + /* If index differs, send challenge */ + if ((n->auth_index_len != state->index_len || + memcmp(n->auth_index, state->index, state->index_len)) && + n->auth_next_challenge <= current_time()) + { + LOG_PKT_AUTH("Index mismatch from %I on %s; sending challenge", + state->rstate.saddr, ifa->ifname); + babel_auth_send_challenge(ifa, n); + return 1; + } + + /* Index matches; only accept if PC is greater than last */ + if (n->auth_pc >= state->pc) + { + LOG_PKT_AUTH("Packet counter too low from %I on %s", + state->rstate.saddr, ifa->ifname); + return 1; + } + + n->auth_pc = state->pc; + n->auth_expiry = current_time() + BABEL_AUTH_NEIGHBOR_TIMEOUT; + n->auth_passed = 1; + return 0; +} + +/** + * babel_auth_check - Check authentication for a packet + * @ifa: Interface holding the transmission buffer + * @saddr: Source address the packet was received from + * @sport: Source port the packet was received from + * @daddr: Destination address the packet was sent to + * @dport: Destination port the packet was sent to + * @pkt: Pointer to start of the packet data + * @trailer: Pointer to the packet trailer + * @trailer_len: Length of the packet trailer + * + * This function performs any necessary authentication checks on a packet and + * returns 0 if the packet should be accepted (either because it has been + * successfully authenticated or because authentication is disabled or + * configured in permissive mode), or 1 if the packet should be dropped without + * further processing. + */ +int +babel_auth_check(struct babel_iface *ifa, + ip_addr saddr, u16 sport, + ip_addr daddr, u16 dport, + struct babel_pkt_header *pkt, + byte *trailer, uint trailer_len) +{ + struct babel_proto *p = ifa->proto; + struct babel_tlv *tlv; + + struct babel_auth_state state = { + .rstate = { + .get_tlv_data = &get_auth_tlv_data, + .proto = p, + .ifa = ifa, + .saddr = saddr, + }, + .is_unicast = !(ipa_classify(daddr) & IADDR_MULTICAST), + }; + + if (ifa->cf->auth_type == BABEL_AUTH_NONE) + return 0; + + TRACE(D_PACKETS, "Checking packet authentication signature"); + + if (babel_auth_check_mac(ifa, (byte *)pkt, + trailer, trailer_len, + saddr, sport, + daddr, dport)) + goto fail; + + /* MAC verified; parse packet to check packet counter and challenge */ + WALK_TLVS(FIRST_TLV(pkt), trailer, tlv, saddr, ifa->iface->name) + { + union babel_msg msg; + enum parse_result res; + + res = babel_read_tlv(tlv, &msg, &state.rstate); + if (res == PARSE_ERROR) + { + LOG_PKT_AUTH("Bad TLV from %I via %s type %d pos %d - parse error", + saddr, ifa->iface->name, tlv->type, (byte *)tlv - (byte *)pkt); + goto fail; + } + } + WALK_TLVS_END; + +frame_err: + + if (babel_auth_check_pc(ifa, &state)) + goto fail; + + TRACE(D_PACKETS, "Packet from %I via %s authenticated successfully", + saddr, ifa->ifname); + return 0; + +fail: + LOG_PKT_AUTH("Packet from %I via %s failed authentication%s", + saddr, ifa->ifname, + ifa->cf->auth_permissive ? " but accepted in permissive mode" : ""); + + return !ifa->cf->auth_permissive; +} + +/** + * babel_auth_add_tlvs - Add authentication-related TLVs to a packet + * @ifa: Interface holding the transmission buffer + * @tlv: Pointer to the place where any new TLVs should be added + * @max_len: Maximum length available for adding new TLVs + * + * This function adds any new TLVs required by the authentication mode to a + * packet before it is shipped out. For MAC authentication, this is the packet + * counter TLV that must be included in every packet. + */ +int +babel_auth_add_tlvs(struct babel_iface *ifa, struct babel_tlv *tlv, int max_len) +{ + struct babel_proto *p = ifa->proto; + struct babel_tlv_pc *msg; + int len; + + if (ifa->cf->auth_type == BABEL_AUTH_NONE) + return 0; + + msg = (void *)tlv; + len = sizeof(*msg) + BABEL_AUTH_INDEX_LEN; + max_len += ifa->auth_tx_overhead; + + if (len > max_len) + { + LOG_WARN("Insufficient space to add MAC seqno TLV on iface %s: %d < %d", + ifa->ifname, max_len, len); + return 0; + } + + msg->type = BABEL_TLV_PC; + msg->length = len - sizeof(struct babel_tlv); + put_u32(&msg->pc, ifa->auth_pc++); + memcpy(msg->index, ifa->auth_index, BABEL_AUTH_INDEX_LEN); + + /* Reset index on overflow to 0 */ + if (!ifa->auth_pc) + babel_auth_reset_index(ifa); + + return len; +} + +/** + * babel_auth_sign - Sign an outgoing packet before transmission + * @ifa: Interface holding the transmission buffer + * @dest: Destination address of the packet + * + * This function adds authentication signature(s) to the packet trailer for each + * of the configured authentication keys on the interface. + */ +int +babel_auth_sign(struct babel_iface *ifa, ip_addr dest) +{ + struct babel_proto *p = ifa->proto; + struct babel_mac_pseudohdr phdr; + struct babel_pkt_header *hdr; + struct password_item *pass; + int tot_len = 0, i = 0; + struct babel_tlv *tlv; + sock *sk = ifa->sk; + byte *pos, *end; + btime now_; + int len; + + if (ifa->cf->auth_type == BABEL_AUTH_NONE) + return 0; + + hdr = (void *) sk->tbuf; + len = get_u16(&hdr->length) + sizeof(struct babel_pkt_header); + + pos = (byte *)hdr + len; + end = (byte *)hdr + ifa->tx_length + ifa->auth_tx_overhead; + tlv = (void *)pos; + now_ = current_real_time(); + + babel_mac_build_phdr(&phdr, sk->saddr, sk->fport, dest, sk->dport); + + WALK_LIST(pass, *ifa->cf->passwords) + { + struct babel_tlv_mac *msg = (void *)tlv; + uint buf_len = (uint) (end - (byte *)msg - sizeof(*msg)); + + if (pass->genfrom > now_ || pass->gento < now_) + continue; + + if (babel_mac_hash(pass, &phdr, + (byte *)hdr, len, + msg->mac, &buf_len)) + { + LOG_WARN("Insufficient space for MAC signatures on iface %s dest %I", + ifa->ifname, dest); + break; + } + + msg->type = BABEL_TLV_MAC; + msg->length = buf_len; + + tlv = NEXT_TLV(tlv); + tot_len += buf_len + sizeof(*msg); + i++; + } + + DBG("Added %d MAC signatures (%d bytes) on ifa %s for dest %I\n", + i, tot_len, ifa->ifname, dest); + + return tot_len; +} + +/** + * babel_auth_reset_index - Reset authentication index on interface + * @ifa: Interface to reset + * + * This function resets the authentication index and packet counter for an + * interface, and should be called on interface configuration, or when the + * packet counter overflows. + */ +void +babel_auth_reset_index(struct babel_iface *ifa) +{ + random_bytes(ifa->auth_index, BABEL_AUTH_INDEX_LEN); + ifa->auth_pc = 1; +} + +/** + * babel_auth_set_tx_overhead - Set interface TX overhead for authentication + * @ifa: Interface to configure + * + * This function sets the TX overhead for an interface based on its + * authentication configuration. + */ +void +babel_auth_set_tx_overhead(struct babel_iface *ifa) +{ + if (ifa->cf->auth_type == BABEL_AUTH_NONE) + { + ifa->auth_tx_overhead = 0; + return; + } + + ifa->auth_tx_overhead = (sizeof(struct babel_tlv_pc) + + sizeof(struct babel_tlv_mac) * ifa->cf->mac_num_keys + + ifa->cf->mac_total_len); + ifa->tx_length -= ifa->auth_tx_overhead; +} + +/** + * babel_auth_init_neighbor - Initialise authentication data for neighbor + * @n: Neighbor to initialise + * + * This function initialises the authentication-related state for a new neighbor + * that has just been created. + */ +void +babel_auth_init_neighbor(struct babel_neighbor *n) +{ + if (n->ifa->cf->auth_type != BABEL_AUTH_NONE) + n->auth_expiry = current_time() + BABEL_AUTH_NEIGHBOR_TIMEOUT; +} diff --git a/proto/babel/babel.c b/proto/babel/babel.c index 177ff3a3..ea9376e7 100644 --- a/proto/babel/babel.c +++ b/proto/babel/babel.c @@ -410,7 +410,7 @@ babel_find_neighbor(struct babel_iface *ifa, ip_addr addr) return NULL; } -static struct babel_neighbor * +struct babel_neighbor * babel_get_neighbor(struct babel_iface *ifa, ip_addr addr) { struct babel_proto *p = ifa->proto; @@ -430,6 +430,7 @@ babel_get_neighbor(struct babel_iface *ifa, ip_addr addr) init_list(&nbr->routes); babel_lock_neighbor(nbr); add_tail(&ifa->neigh_list, NODE nbr); + babel_auth_init_neighbor(nbr); return nbr; } @@ -504,6 +505,9 @@ babel_expire_neighbors(struct babel_proto *p) if (nbr->hello_expiry && nbr->hello_expiry <= now_) babel_expire_hello(p, nbr, now_); + + if (nbr->auth_expiry && nbr->auth_expiry <= now_) + babel_flush_neighbor(p, nbr); } } } @@ -1543,6 +1547,8 @@ babel_iface_update_buffers(struct babel_iface *ifa) sk_set_tbsize(ifa->sk, tbsize); ifa->tx_length = tbsize - BABEL_OVERHEAD; + + babel_auth_set_tx_overhead(ifa); } static struct babel_iface* @@ -1602,6 +1608,9 @@ babel_add_iface(struct babel_proto *p, struct iface *new, struct babel_iface_con init_list(&ifa->neigh_list); ifa->hello_seqno = 1; + if (ic->auth_type != BABEL_AUTH_NONE) + babel_auth_reset_index(ifa); + ifa->timer = tm_new_init(ifa->pool, babel_iface_timer, ifa, 0, 0); init_list(&ifa->msg_queue); @@ -1698,6 +1707,9 @@ babel_reconfigure_iface(struct babel_proto *p, struct babel_iface *ifa, struct b ifa->next_hop_ip4 = ipa_nonzero(new->next_hop_ip4) ? new->next_hop_ip4 : addr4; ifa->next_hop_ip6 = ipa_nonzero(new->next_hop_ip6) ? new->next_hop_ip6 : ifa->addr; + if (new->auth_type != BABEL_AUTH_NONE && old->auth_type != new->auth_type) + babel_auth_reset_index(ifa); + if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel) log(L_WARN "%s: Missing IPv4 next hop address for %s", p->p.name, ifa->ifname); @@ -1888,8 +1900,8 @@ babel_show_interfaces(struct proto *P, char *iff) } cli_msg(-1023, "%s:", p->p.name); - cli_msg(-1023, "%-10s %-6s %7s %6s %7s %-15s %s", - "Interface", "State", "RX cost", "Nbrs", "Timer", + cli_msg(-1023, "%-10s %-6s %-5s %7s %6s %7s %-15s %s", + "Interface", "State", "Auth", "RX cost", "Nbrs", "Timer", "Next hop (v4)", "Next hop (v6)"); WALK_LIST(ifa, p->interfaces) @@ -1902,8 +1914,10 @@ babel_show_interfaces(struct proto *P, char *iff) nbrs++; btime timer = MIN(ifa->next_regular, ifa->next_hello) - current_time(); - cli_msg(-1023, "%-10s %-6s %7u %6u %7t %-15I %I", + cli_msg(-1023, "%-10s %-6s %-5s %7u %6u %7t %-15I %I", ifa->iface->name, (ifa->up ? "Up" : "Down"), + (ifa->cf->auth_type == BABEL_AUTH_MAC ? + (ifa->cf->auth_permissive ? "Perm" : "Yes") : "No"), ifa->cf->rxcost, nbrs, MAX(timer, 0), ifa->next_hop_ip4, ifa->next_hop_ip6); } @@ -1927,8 +1941,8 @@ babel_show_neighbors(struct proto *P, char *iff) } cli_msg(-1024, "%s:", p->p.name); - cli_msg(-1024, "%-25s %-10s %6s %6s %6s %7s", - "IP address", "Interface", "Metric", "Routes", "Hellos", "Expires"); + cli_msg(-1024, "%-25s %-10s %6s %6s %6s %7s %4s", + "IP address", "Interface", "Metric", "Routes", "Hellos", "Expires", "Auth"); WALK_LIST(ifa, p->interfaces) { @@ -1942,9 +1956,10 @@ babel_show_neighbors(struct proto *P, char *iff) rts++; uint hellos = u32_popcount(n->hello_map); - btime timer = n->hello_expiry - current_time(); - cli_msg(-1024, "%-25I %-10s %6u %6u %6u %7t", - n->addr, ifa->iface->name, n->cost, rts, hellos, MAX(timer, 0)); + btime timer = (n->hello_expiry ?: n->auth_expiry) - current_time(); + cli_msg(-1024, "%-25I %-10s %6u %6u %6u %7t %-4s", + n->addr, ifa->iface->name, n->cost, rts, hellos, MAX(timer, 0), + n->auth_passed ? "Yes" : "No"); } } diff --git a/proto/babel/babel.h b/proto/babel/babel.h index 14765c60..15e8007d 100644 --- a/proto/babel/babel.h +++ b/proto/babel/babel.h @@ -19,6 +19,7 @@ #include "nest/route.h" #include "nest/protocol.h" #include "nest/locks.h" +#include "nest/password.h" #include "lib/resource.h" #include "lib/lists.h" #include "lib/socket.h" @@ -60,6 +61,14 @@ #define BABEL_OVERHEAD (IP6_HEADER_LENGTH+UDP_HEADER_LENGTH) #define BABEL_MIN_MTU (512 + BABEL_OVERHEAD) +#define BABEL_AUTH_NONE 0 +#define BABEL_AUTH_MAC 1 +#define BABEL_AUTH_NONCE_LEN 10 /* we send 80 bit nonces */ +#define BABEL_AUTH_MAX_NONCE_LEN 192 /* max allowed by spec */ +#define BABEL_AUTH_INDEX_LEN 32 /* max size in spec */ +#define BABEL_AUTH_NEIGHBOR_TIMEOUT (300 S_) +#define BABEL_AUTH_CHALLENGE_TIMEOUT (30 S_) +#define BABEL_AUTH_CHALLENGE_INTERVAL (300 MS_) /* used for both challenges and replies */ enum babel_tlv_type { BABEL_TLV_PAD1 = 0, @@ -73,13 +82,10 @@ enum babel_tlv_type { BABEL_TLV_UPDATE = 8, BABEL_TLV_ROUTE_REQUEST = 9, BABEL_TLV_SEQNO_REQUEST = 10, - /* extensions - not implemented - BABEL_TLV_TS_PC = 11, - BABEL_TLV_HMAC = 12, - BABEL_TLV_SS_UPDATE = 13, - BABEL_TLV_SS_REQUEST = 14, - BABEL_TLV_SS_SEQNO_REQUEST = 15, - */ + BABEL_TLV_MAC = 16, + BABEL_TLV_PC = 17, + BABEL_TLV_CHALLENGE_REQ = 18, + BABEL_TLV_CHALLENGE_REPLY = 19, BABEL_TLV_MAX }; @@ -137,6 +143,12 @@ struct babel_iface_config { ip_addr next_hop_ip4; ip_addr next_hop_ip6; + + u8 auth_type; /* Authentication type (BABEL_AUTH_*) */ + u8 auth_permissive; /* Don't drop packets failing auth check */ + uint mac_num_keys; /* Number of configured HMAC keys */ + uint mac_total_len; /* Total digest length for all configured keys */ + list *passwords; /* Passwords for authentication */ }; struct babel_proto { @@ -184,6 +196,10 @@ struct babel_iface { u16 hello_seqno; /* To be increased on each hello */ + u32 auth_pc; + int auth_tx_overhead; + u8 auth_index[BABEL_AUTH_INDEX_LEN]; + btime next_hello; btime next_regular; btime next_triggered; @@ -207,9 +223,20 @@ struct babel_neighbor { u16 hello_map; u16 next_hello_seqno; uint last_hello_int; + + u32 auth_pc; + u8 auth_passed; + u8 auth_index_len; + u8 auth_index[BABEL_AUTH_INDEX_LEN]; + u8 auth_nonce[BABEL_AUTH_NONCE_LEN]; + btime auth_nonce_expiry; + btime auth_next_challenge; + btime auth_next_challenge_reply; + /* expiry timers */ btime hello_expiry; btime ihu_expiry; + btime auth_expiry; list routes; /* Routes this neighbour has sent us (struct babel_route) */ }; @@ -339,6 +366,12 @@ struct babel_msg_seqno_request { ip_addr sender; }; +struct babel_msg_challenge { + u8 type; + u8 nonce_len; + u8 *nonce; +}; + union babel_msg { u8 type; struct babel_msg_ack_req ack_req; @@ -348,6 +381,7 @@ union babel_msg { struct babel_msg_update update; struct babel_msg_route_request route_request; struct babel_msg_seqno_request seqno_request; + struct babel_msg_challenge challenge; }; struct babel_msg_node { @@ -367,6 +401,7 @@ void babel_handle_router_id(union babel_msg *msg, struct babel_iface *ifa); void babel_handle_update(union babel_msg *msg, struct babel_iface *ifa); void babel_handle_route_request(union babel_msg *msg, struct babel_iface *ifa); void babel_handle_seqno_request(union babel_msg *msg, struct babel_iface *ifa); +struct babel_neighbor * babel_get_neighbor(struct babel_iface *ifa, ip_addr addr); void babel_show_interfaces(struct proto *P, char *iff); void babel_show_neighbors(struct proto *P, char *iff); @@ -379,5 +414,10 @@ void babel_send_unicast(union babel_msg *msg, struct babel_iface *ifa, ip_addr d int babel_open_socket(struct babel_iface *ifa); void babel_send_queue(void *arg); +/* auth.c */ +void babel_auth_reset_index(struct babel_iface *ifa); +void babel_auth_set_tx_overhead(struct babel_iface *ifa); +void babel_auth_init_neighbor(struct babel_neighbor *n); + #endif diff --git a/proto/babel/config.Y b/proto/babel/config.Y index b6bc70fa..fe5485df 100644 --- a/proto/babel/config.Y +++ b/proto/babel/config.Y @@ -25,7 +25,7 @@ CF_DECLS CF_KEYWORDS(BABEL, INTERFACE, METRIC, RXCOST, HELLO, UPDATE, INTERVAL, PORT, TYPE, WIRED, WIRELESS, RX, TX, BUFFER, PRIORITY, LENGTH, CHECK, LINK, NEXT, HOP, IPV4, IPV6, BABEL_METRIC, SHOW, INTERFACES, NEIGHBORS, - ENTRIES, RANDOMIZE, ROUTER, ID) + ENTRIES, RANDOMIZE, ROUTER, ID, AUTHENTICATION, NONE, MAC, PERMISSIVE) CF_GRAMMAR @@ -59,6 +59,8 @@ babel_iface_start: this_ipatt = cfg_allocz(sizeof(struct babel_iface_config)); add_tail(&BABEL_CFG->iface_list, NODE this_ipatt); init_list(&this_ipatt->ipn_list); + reset_passwords(); + BABEL_IFACE->port = BABEL_PORT; BABEL_IFACE->type = BABEL_IFACE_TYPE_WIRED; BABEL_IFACE->limit = BABEL_HELLO_LIMIT; @@ -91,6 +93,36 @@ babel_iface_finish: BABEL_IFACE->ihu_interval = MIN_(BABEL_IFACE->hello_interval*BABEL_IHU_INTERVAL_FACTOR, BABEL_MAX_INTERVAL); BABEL_CFG->hold_time = MAX_(BABEL_CFG->hold_time, BABEL_IFACE->update_interval*BABEL_HOLD_TIME_FACTOR); + + BABEL_IFACE->passwords = get_passwords(); + + if (!BABEL_IFACE->auth_type != !BABEL_IFACE->passwords) + cf_error("Authentication and password options should be used together"); + + if (BABEL_IFACE->passwords) + { + struct password_item *pass; + uint len = 0, i = 0; + WALK_LIST(pass, *BABEL_IFACE->passwords) + { + /* Set default crypto algorithm (HMAC-SHA256) */ + if (!pass->alg) + pass->alg = ALG_HMAC_SHA256; + + if (!(pass->alg & ALG_HMAC) && pass->alg != ALG_BLAKE2S && pass->alg != ALG_BLAKE2B) + cf_error("Only HMAC and Blake algorithms are supported"); + + if (pass->length != mac_type_length(pass->alg)) + cf_error("Key length %d does not match hash size %d of algorithm %s", + pass->length, mac_type_length(pass->alg), mac_type_name(pass->alg)); + + len += mac_type_length(pass->alg); + i++; + } + BABEL_IFACE->mac_num_keys = i; + BABEL_IFACE->mac_total_len = len; + } + }; @@ -109,6 +141,10 @@ babel_iface_item: | CHECK LINK bool { BABEL_IFACE->check_link = $3; } | NEXT HOP IPV4 ipa { BABEL_IFACE->next_hop_ip4 = $4; if (!ipa_is_ip4($4)) cf_error("Must be an IPv4 address"); } | NEXT HOP IPV6 ipa { BABEL_IFACE->next_hop_ip6 = $4; if (!ipa_is_ip6($4)) cf_error("Must be an IPv6 address"); } + | AUTHENTICATION NONE { BABEL_IFACE->auth_type = BABEL_AUTH_NONE; } + | AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; } + | AUTHENTICATION MAC PERMISSIVE { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 1; } + | password_list { } ; babel_iface_opts: diff --git a/proto/babel/packets.c b/proto/babel/packets.c index 50a22612..b326a961 100644 --- a/proto/babel/packets.c +++ b/proto/babel/packets.c @@ -202,6 +202,17 @@ put_ip6_ll(void *p, ip6_addr addr) put_u32(p+4, _I3(addr)); } +/* + * Authentication-related functions - implementations are in auth.c + */ +uint babel_auth_write_challenge(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); +int babel_auth_add_tlvs(struct babel_iface *ifa, struct babel_tlv *tlv, int max_len); +int babel_auth_sign(struct babel_iface *ifa, ip_addr dest); +int babel_auth_check(struct babel_iface *ifa, + ip_addr saddr, u16 sport, + ip_addr daddr, u16 dport, + struct babel_pkt_header *pkt, + byte *start, uint len); /* * TLV read/write functions @@ -280,6 +291,16 @@ static const struct babel_tlv_data tlv_data[BABEL_TLV_MAX] = { babel_write_seqno_request, babel_handle_seqno_request }, + [BABEL_TLV_CHALLENGE_REQ] = { + sizeof(struct babel_tlv), + NULL, + babel_auth_write_challenge, + }, + [BABEL_TLV_CHALLENGE_REPLY] = { + sizeof(struct babel_tlv), + NULL, + babel_auth_write_challenge, + }, }; static const struct babel_tlv_data *get_packet_tlv_data(u8 type) @@ -1176,6 +1197,8 @@ babel_send_to(struct babel_iface *ifa, ip_addr dest) struct babel_pkt_header *hdr = (void *) sk->tbuf; int len = get_u16(&hdr->length) + sizeof(struct babel_pkt_header); + len += babel_auth_sign(ifa, dest); + DBG("Babel: Sending %d bytes to %I\n", len, dest); return sk_send_to(sk, len, dest, 0); } @@ -1228,6 +1251,8 @@ babel_write_queue(struct babel_iface *ifa, list *queue) sl_free(p->msg_slab, msg); } + pos += babel_auth_add_tlvs(ifa, (struct babel_tlv *) pos, end-pos); + uint plen = pos - (byte *) pkt; put_u16(&pkt->length, plen - sizeof(struct babel_pkt_header)); @@ -1305,10 +1330,13 @@ babel_enqueue(union babel_msg *msg, struct babel_iface *ifa) /** * babel_process_packet - process incoming data packet + * @ifa: Interface packet was received on. * @pkt: Pointer to the packet data * @len: Length of received packet * @saddr: Address of packet sender - * @ifa: Interface packet was received on. + * @sport: Packet source port + * @daddr: Destination address of packet + * @dport: Packet destination port * * This function is the main processing hook of incoming Babel packets. It * checks that the packet header is well-formed, then processes the TLVs @@ -1320,8 +1348,10 @@ babel_enqueue(union babel_msg *msg, struct babel_iface *ifa) * order. */ static void -babel_process_packet(struct babel_pkt_header *pkt, int len, - ip_addr saddr, struct babel_iface *ifa) +babel_process_packet(struct babel_iface *ifa, + struct babel_pkt_header *pkt, int len, + ip_addr saddr, u16 sport, + ip_addr daddr, u16 dport) { struct babel_proto *p = ifa->proto; struct babel_tlv *tlv; @@ -1361,6 +1391,9 @@ babel_process_packet(struct babel_pkt_header *pkt, int len, TRACE(D_PACKETS, "Packet received from %I via %s", saddr, ifa->iface->name); + if (babel_auth_check(ifa, saddr, sport, daddr, dport, pkt, end, len-plen)) + return; + init_list(&msgs); /* First pass through the packet TLV by TLV, parsing each into internal data @@ -1453,7 +1486,10 @@ babel_rx_hook(sock *sk, uint len) if (sk->flags & SKF_TRUNCATED) DROP("truncated", len); - babel_process_packet((struct babel_pkt_header *) sk->rbuf, len, sk->faddr, ifa); + babel_process_packet(ifa, + (struct babel_pkt_header *) sk->rbuf, len, + sk->faddr, sk->fport, + sk->laddr, sk->dport); return 1; drop:
On Sun, Feb 23, 2020 at 11:56:33PM +0100, Toke Høiland-Jørgensen wrote:
This series adds MAC authentication support to the Babel protocol as specified in by the IETF Babel working group in draft-babel-hmac-10:
https://tools.ietf.org/html/draft-ietf-babel-hmac-10
An initial RFC patch series was posted here in July 2018[0]. Since then, the protocol specification has progressed through the IETF, to the point where it is now in the IESG publication queue as a proposed standard RFC. This version of the patch series updates the implementation to correspond to the final version of the draft, and also addresses the review comments from the initial RFC patch. The major changes are:
Major updates to the specification (for a full list see the draft appendix):
- Added Blake2s as a recommended algorithm - Updated terminology to use MAC everywhere instead of HMAC (since Blake is not an HMAC algorithm). - Added expiration of neighbours and rate limiting of challenge replies - Update TLV type numbers after IANA allocation
Hi Thanks for the patch, i plan to review it soon. Just did a quick look and have a few questions: 1) The documentation says: protocol will only accept HMAC-based algorithms or one of the Blake algorithms, and the length of the supplied password string must match the key size used by the selected algorithm. This is not true for regular HMAC scheme, which does hashing of key as a part of HMAC computation, so you can have longer password, and generally should have, as you want password entropy (not its length) matching the key size of the algorithm. I am not familiar with used MAC scheme (as it seems Blake is just a hash function and one needs some scheme to convert it to MAC algorithm). Does it really require matching key size? That was the case in the keyed-hash scheme used in old OSPF authentication and it is one reason why HMAC is better than old keyed-hash scheme. 2) The code calls kernel getrandom() (or equivalent) for every handshake. I wonder whether it is a good approach, or whether it would be better to use internal cryptographic pseudorandom number generator just seeded from getrandom() during start / first reguest. Not sure what is best practice. But i definitely would accept the existing code with the current approach, as it is something that could be easily changed later. -- Elen sila lumenn' omentielvo Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Ondrej Zajicek <santiago@crfreenet.org> writes:
On Sun, Feb 23, 2020 at 11:56:33PM +0100, Toke Høiland-Jørgensen wrote:
This series adds MAC authentication support to the Babel protocol as specified in by the IETF Babel working group in draft-babel-hmac-10:
https://tools.ietf.org/html/draft-ietf-babel-hmac-10
An initial RFC patch series was posted here in July 2018[0]. Since then, the protocol specification has progressed through the IETF, to the point where it is now in the IESG publication queue as a proposed standard RFC. This version of the patch series updates the implementation to correspond to the final version of the draft, and also addresses the review comments from the initial RFC patch. The major changes are:
Major updates to the specification (for a full list see the draft appendix):
- Added Blake2s as a recommended algorithm - Updated terminology to use MAC everywhere instead of HMAC (since Blake is not an HMAC algorithm). - Added expiration of neighbours and rate limiting of challenge replies - Update TLV type numbers after IANA allocation
Hi
Thanks for the patch, i plan to review it soon.
Awesome, thanks! :)
Just did a quick look and have a few questions:
1) The documentation says:
protocol will only accept HMAC-based algorithms or one of the Blake algorithms, and the length of the supplied password string must match the key size used by the selected algorithm.
This is not true for regular HMAC scheme, which does hashing of key as a part of HMAC computation, so you can have longer password, and generally should have, as you want password entropy (not its length) matching the key size of the algorithm.
Well, I was just taking this advice from the 'security considerations' of the Babel MAC draft literally (section 7, 5th paragraph): This protocol exposes large numbers of packets and their MACs to an attacker that is able to capture packets; it is therefore vulnerable to brute-force attacks. Keys must be chosen in a manner that makes them difficult to guess. Ideally, they should have a length of 32 octets (both for HMAC-SHA256 and Blake2s), and be chosen randomly. If, for some reason, it is necessary to derive keys from a human- readable passphrase, it is recommended to use a key derivation function that hampers dictionary attacks, such as PBKDF2 [RFC2898], bcrypt [BCRYPT] or scrypt [RFC7914]. In that case, only the derived keys should be communicated to the routers; the original passphrase itself should be kept on the host used to perform the key generation (e.g., an administators secure laptop computer). I guess we could interpret it as a *minimum* size of 32 bytes?
I am not familiar with used MAC scheme (as it seems Blake is just a hash function and one needs some scheme to convert it to MAC algorithm). Does it really require matching key size? That was the case in the keyed-hash scheme used in old OSPF authentication and it is one reason why HMAC is better than old keyed-hash scheme.
The Blake2 algorithm itself does not allow key sizes larger than the key block size (32 bytes for Blake2s, 64 bytes for Blake2b). See details in Section 2.9 of https://blake2.net/blake2.pdf. I guess the Bird wrapper could do the hashing before initialising the Blake2 state, similar to what hmac_init() already does? I guess we need to deal with that anyway, otherwise blake2s_bird_init() can silently fail :/ So how about this: I'll change the config enforcement to just enforce a static minimum key length of 32 bytes (in line with the spec), and fix the blake*_bird_init() functions to hash the key first if it is longer?
2) The code calls kernel getrandom() (or equivalent) for every handshake.
I wonder whether it is a good approach, or whether it would be better to use internal cryptographic pseudorandom number generator just seeded from getrandom() during start / first reguest. Not sure what is best practice. But i definitely would accept the existing code with the current approach, as it is something that could be easily changed later.
I wouldn't worry too much about that, at least not on Linux. getrandom() is nonblocking (even at boot these days; see https://lwn.net/Articles/802360/), so the amount of randomness needed to generate nonces should be trivial. With the rate limiting it's at most three challenges per second per peer, which comes to ~266 bps of randomness. And since the sender address is part of the MAC (which is checked before any challenges issued), there is no risk of arbitrary spoofing from someone who doesn't know the key. -Toke
On Tue, Feb 25, 2020 at 05:35:50PM +0100, Toke Høiland-Jørgensen wrote:
1) The documentation says:
protocol will only accept HMAC-based algorithms or one of the Blake algorithms, and the length of the supplied password string must match the key size used by the selected algorithm.
This is not true for regular HMAC scheme, which does hashing of key as a part of HMAC computation, so you can have longer password, and generally should have, as you want password entropy (not its length) matching the key size of the algorithm.
Well, I was just taking this advice from the 'security considerations' of the Babel MAC draft literally (section 7, 5th paragraph):
This protocol exposes large numbers of packets and their MACs to an attacker that is able to capture packets; it is therefore vulnerable to brute-force attacks. Keys must be chosen in a manner that makes them difficult to guess. Ideally, they should have a length of 32 octets (both for HMAC-SHA256 and Blake2s), and be chosen randomly. If, for some reason, it is necessary to derive keys from a human- readable passphrase, it is recommended to use a key derivation function that hampers dictionary attacks, such as PBKDF2 [RFC2898], bcrypt [BCRYPT] or scrypt [RFC7914]. In that case, only the derived keys should be communicated to the routers; the original passphrase itself should be kept on the host used to perform the key generation (e.g., an administators secure laptop computer).
I guess we could interpret it as a *minimum* size of 32 bytes?
Hmm, it seems that Babel MAC draft is commited to entropy-dense human-unreadable keys. And unfortunately, i did not notice any suggested canonical way of human-readable encoding for these keys (e.g. some hexadecimal blocks), so it is possible that we end with different implementations using different encodings/representations.
I am not familiar with used MAC scheme (as it seems Blake is just a hash function and one needs some scheme to convert it to MAC algorithm). Does it really require matching key size? That was the case in the keyed-hash scheme used in old OSPF authentication and it is one reason why HMAC is better than old keyed-hash scheme.
The Blake2 algorithm itself does not allow key sizes larger than the key block size (32 bytes for Blake2s, 64 bytes for Blake2b). See details in Section 2.9 of https://blake2.net/blake2.pdf.
I guess the Bird wrapper could do the hashing before initialising the Blake2 state, similar to what hmac_init() already does? I guess we need to deal with that anyway, otherwise blake2s_bird_init() can silently fail :/
So how about this: I'll change the config enforcement to just enforce a static minimum key length of 32 bytes (in line with the spec), and fix the blake*_bird_init() functions to hash the key first if it is longer?
The initial hashing in hmac_init() is a part of HMAC algorithm. If this MAC algorithm does not do hashing, then we should not do additional hashing, otherwise we would have interoperability issues. For blake2s_bird_init(), IMHO it should behave like other keyed-hash, i.e. pad with zeroes (for shorter) or ignore rest (for longer). Perhaps we should have some hook or flag in MAC auth description structure that is used to validate keys based on used algorithm (so it would warn for bad-length keys for Blake2, but only for short keys for HMAC based ones. It seems to me that in order to handle Blake2s MACs (and other MACs that require entropy-dense keys), the proper solution is to have a option to specify a key in some form of binary-to-text encoding (e.g. hexadecimal): password 70:61:73:73:77:64 instead of: password "passwd" -- Elen sila lumenn' omentielvo Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Ondrej Zajicek <santiago@crfreenet.org> writes:
On Tue, Feb 25, 2020 at 05:35:50PM +0100, Toke Høiland-Jørgensen wrote:
1) The documentation says:
protocol will only accept HMAC-based algorithms or one of the Blake algorithms, and the length of the supplied password string must match the key size used by the selected algorithm.
This is not true for regular HMAC scheme, which does hashing of key as a part of HMAC computation, so you can have longer password, and generally should have, as you want password entropy (not its length) matching the key size of the algorithm.
Well, I was just taking this advice from the 'security considerations' of the Babel MAC draft literally (section 7, 5th paragraph):
This protocol exposes large numbers of packets and their MACs to an attacker that is able to capture packets; it is therefore vulnerable to brute-force attacks. Keys must be chosen in a manner that makes them difficult to guess. Ideally, they should have a length of 32 octets (both for HMAC-SHA256 and Blake2s), and be chosen randomly. If, for some reason, it is necessary to derive keys from a human- readable passphrase, it is recommended to use a key derivation function that hampers dictionary attacks, such as PBKDF2 [RFC2898], bcrypt [BCRYPT] or scrypt [RFC7914]. In that case, only the derived keys should be communicated to the routers; the original passphrase itself should be kept on the host used to perform the key generation (e.g., an administators secure laptop computer).
I guess we could interpret it as a *minimum* size of 32 bytes?
Hmm, it seems that Babel MAC draft is commited to entropy-dense human-unreadable keys. And unfortunately, i did not notice any suggested canonical way of human-readable encoding for these keys (e.g. some hexadecimal blocks), so it is possible that we end with different implementations using different encodings/representations.
Yeah, I did realise that might end up being an issue, without really figuring out what to do about it. For testing I have been using a key like this: password "testtesttesttesttesttesttesttest" { algorithm hmac sha256; }; which is input to babeld like this: key id 1 type hmac-sha256 value 7465737474657374746573747465737474657374746573747465737474657374
I am not familiar with used MAC scheme (as it seems Blake is just a hash function and one needs some scheme to convert it to MAC algorithm). Does it really require matching key size? That was the case in the keyed-hash scheme used in old OSPF authentication and it is one reason why HMAC is better than old keyed-hash scheme.
The Blake2 algorithm itself does not allow key sizes larger than the key block size (32 bytes for Blake2s, 64 bytes for Blake2b). See details in Section 2.9 of https://blake2.net/blake2.pdf.
I guess the Bird wrapper could do the hashing before initialising the Blake2 state, similar to what hmac_init() already does? I guess we need to deal with that anyway, otherwise blake2s_bird_init() can silently fail :/
So how about this: I'll change the config enforcement to just enforce a static minimum key length of 32 bytes (in line with the spec), and fix the blake*_bird_init() functions to hash the key first if it is longer?
The initial hashing in hmac_init() is a part of HMAC algorithm. If this MAC algorithm does not do hashing, then we should not do additional hashing, otherwise we would have interoperability issues.
Oh, right, good point.
For blake2s_bird_init(), IMHO it should behave like other keyed-hash, i.e. pad with zeroes (for shorter) or ignore rest (for longer).
Perhaps we should have some hook or flag in MAC auth description structure that is used to validate keys based on used algorithm (so it would warn for bad-length keys for Blake2, but only for short keys for HMAC based ones.
The Blake2 implementation already 0-pads short keys. But I'm not sure if it's a good idea to allow that; even if it's zero-padded it's still a low amount of entropy, no?
It seems to me that in order to handle Blake2s MACs (and other MACs that require entropy-dense keys), the proper solution is to have a option to specify a key in some form of binary-to-text encoding (e.g. hexadecimal):
password 70:61:73:73:77:64
instead of:
password "passwd"
Yes, I think this is a good idea (or, well, we could allow both). Should we use the colon-separated format, or a straight hex string for easy copy-paste to babeld? E.g., password 0x7465737474657374746573747465737474657374746573747465737474657374 could be synonymous with password "testtesttesttesttesttesttesttest"? Or even drop the 0x prefix and just interpret a non-quoted string directly as hex bytes? -Toke
On Tue, Feb 25, 2020 at 07:30:46PM +0100, Toke Høiland-Jørgensen wrote:
Ondrej Zajicek <santiago@crfreenet.org> writes:
For blake2s_bird_init(), IMHO it should behave like other keyed-hash, i.e. pad with zeroes (for shorter) or ignore rest (for longer).
Perhaps we should have some hook or flag in MAC auth description structure that is used to validate keys based on used algorithm (so it would warn for bad-length keys for Blake2, but only for short keys for HMAC based ones.
The Blake2 implementation already 0-pads short keys. But I'm not sure if it's a good idea to allow that; even if it's zero-padded it's still a low amount of entropy, no?
Yes, but such validation should be in independent function, applied during config-parse time. Functions computing MAC (including *_init()) should just handle any key length to avoid corner cases and failures there.
It seems to me that in order to handle Blake2s MACs (and other MACs that require entropy-dense keys), the proper solution is to have a option to specify a key in some form of binary-to-text encoding (e.g. hexadecimal):
password 70:61:73:73:77:64
instead of:
password "passwd"
Yes, I think this is a good idea (or, well, we could allow both).
Yes, there should be both.
Should we use the colon-separated format, or a straight hex string for easy copy-paste to babeld? E.g.,
password 0x7465737474657374746573747465737474657374746573747465737474657374
I have no strong preference for specific format (but i would prefer hexadecimal based formats over Base64 / Base58 based ones). I think it is useful to have some separators (space, colon, or dash), but perhaps it could be optional. Also note that the key is not a number, but a byte sequence - initial zeroes are significant. So perhaps it should be a different token (and there is no reason for 0x). -- Elen sila lumenn' omentielvo Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Ondrej Zajicek <santiago@crfreenet.org> writes:
On Tue, Feb 25, 2020 at 07:30:46PM +0100, Toke Høiland-Jørgensen wrote:
Ondrej Zajicek <santiago@crfreenet.org> writes:
For blake2s_bird_init(), IMHO it should behave like other keyed-hash, i.e. pad with zeroes (for shorter) or ignore rest (for longer).
Perhaps we should have some hook or flag in MAC auth description structure that is used to validate keys based on used algorithm (so it would warn for bad-length keys for Blake2, but only for short keys for HMAC based ones.
The Blake2 implementation already 0-pads short keys. But I'm not sure if it's a good idea to allow that; even if it's zero-padded it's still a low amount of entropy, no?
Yes, but such validation should be in independent function, applied during config-parse time. Functions computing MAC (including *_init()) should just handle any key length to avoid corner cases and failures there.
Right, sure.
It seems to me that in order to handle Blake2s MACs (and other MACs that require entropy-dense keys), the proper solution is to have a option to specify a key in some form of binary-to-text encoding (e.g. hexadecimal):
password 70:61:73:73:77:64
instead of:
password "passwd"
Yes, I think this is a good idea (or, well, we could allow both).
Yes, there should be both.
Should we use the colon-separated format, or a straight hex string for easy copy-paste to babeld? E.g.,
password 0x7465737474657374746573747465737474657374746573747465737474657374
I have no strong preference for specific format (but i would prefer hexadecimal based formats over Base64 / Base58 based ones).
I think it is useful to have some separators (space, colon, or dash), but perhaps it could be optional.
Also note that the key is not a number, but a byte sequence - initial zeroes are significant. So perhaps it should be a different token (and there is no reason for 0x).
Fine with me; I'll take a look at this for the next version. I'll hold off on sending a v2 until you've had a chance to review the rest of the patch, though :) -Toke
On Sun, Feb 23, 2020 at 11:56:33PM +0100, Toke Høiland-Jørgensen wrote:
This series adds MAC authentication support to the Babel protocol as specified in by the IETF Babel working group in draft-babel-hmac-10:
Hi Some more comments / questions: 1/4: BIRD_CHECK_GETRANDOM_SYSCALL - direct syscall case seems unnecessary, as we can fallback to /dev/urandom anyways. BIRD_CHECK_GETRANDOM - just use generic AC_CHECK_FUNCS / AC_SEARCH_LIBS ? I think that random_bytes() should not fail. 2/4: blake2 - We definitely need unit tests here. Ideally there should exist some reference data / hash pairs for blake2. See mac_test.c There are '#if defined(NATIVE_LITTLE_ENDIAN)' in the code, does anybody define these? 3/4: What is point of separating babel_parse_state and babel_read_state? Why export packet/TLV structures from packets.c? General pattern in BIRD (including Babel) is that wire format details is hidden in packets.c and more abstract structures are exported outside (e.g. union babel_msg). Seems to me that it would make sense to have low-level auth code (TLV read/write code, packet signing/verifying) directly in packets.c, while high-level code (challenge response mechanism) in babel.c. -- Elen sila lumenn' omentielvo Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Ondrej Zajicek <santiago@crfreenet.org> writes:
On Sun, Feb 23, 2020 at 11:56:33PM +0100, Toke Høiland-Jørgensen wrote:
This series adds MAC authentication support to the Babel protocol as specified in by the IETF Babel working group in draft-babel-hmac-10:
Hi
Some more comments / questions:
1/4:
BIRD_CHECK_GETRANDOM_SYSCALL - direct syscall case seems unnecessary, as we can fallback to /dev/urandom anyways.
BIRD_CHECK_GETRANDOM - just use generic AC_CHECK_FUNCS / AC_SEARCH_LIBS ?
OK.
I think that random_bytes() should not fail.
Preferably not; but we don't really have any guarantees that the syscall will succeed, do we? I guess I can add some sanity checks on startup and bail out if (e.g.) /dev/urandom cannot be opened. It would still be possible for read() or getrandom() to fail later on, though, no?
2/4:
blake2 - We definitely need unit tests here. Ideally there should exist some reference data / hash pairs for blake2. See mac_test.c
Yup, there does seem to be some test vectors in the blake2 repository; will add those.
There are '#if defined(NATIVE_LITTLE_ENDIAN)' in the code, does anybody define these?
Hmm, probably not? The FreeBSD Blake implementation seems to have a #define based on __BYTE_ORDER, so guess we could just add something like that as well?
3/4:
What is point of separating babel_parse_state and babel_read_state?
Why export packet/TLV structures from packets.c?
Well, I did both of these to be able to have all the auth-related code in a separate file, while still reusing the packet parsing macros etc...
General pattern in BIRD (including Babel) is that wire format details is hidden in packets.c and more abstract structures are exported outside (e.g. union babel_msg). Seems to me that it would make sense to have low-level auth code (TLV read/write code, packet signing/verifying) directly in packets.c, while high-level code (challenge response mechanism) in babel.c.
Hmm, I could have sworn that I got the idea of splitting it into its own file from one of the other protocols, but looking at them now that does not actually seem to be the case. So I guess I'll just move everything back into {packets,babel}.c :) -Toke
On Tue, Mar 10, 2020 at 04:58:26PM +0100, Toke Høiland-Jørgensen wrote:
I think that random_bytes() should not fail.
Preferably not; but we don't really have any guarantees that the syscall will succeed, do we? I guess I can add some sanity checks on startup and bail out if (e.g.) /dev/urandom cannot be opened. It would still be possible for read() or getrandom() to fail later on, though, no?
It is mostly whether we want error handling directly in random_bytes(), or in caller code. If we could have some reasonable error handling code in the caller (e.g. log error message and drop packet), then we can do that, but otherwise (as there are no error handling code in Babel patch) it seems better to just die() directly in random_bytes() code if underlying syscalls fail. Definitely, we should not silently ignore these errors. It seems getrandom() and getentropy() should not fail for buflen <= 256, so we may die() for unexpected errors from these syscalls. For read() from /dev/urandom, it might be good to handle EINTR, but we may die() for other errors.
There are '#if defined(NATIVE_LITTLE_ENDIAN)' in the code, does anybody define these?
Hmm, probably not? The FreeBSD Blake implementation seems to have a #define based on __BYTE_ORDER, so guess we could just add something like that as well?
We already have CPU_BIG_ENDIAN in BIRD, so perhaps just use that. -- Elen sila lumenn' omentielvo Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Ondrej Zajicek <santiago@crfreenet.org> writes:
On Tue, Mar 10, 2020 at 04:58:26PM +0100, Toke Høiland-Jørgensen wrote:
I think that random_bytes() should not fail.
Preferably not; but we don't really have any guarantees that the syscall will succeed, do we? I guess I can add some sanity checks on startup and bail out if (e.g.) /dev/urandom cannot be opened. It would still be possible for read() or getrandom() to fail later on, though, no?
It is mostly whether we want error handling directly in random_bytes(), or in caller code. If we could have some reasonable error handling code in the caller (e.g. log error message and drop packet), then we can do that, but otherwise (as there are no error handling code in Babel patch) it seems better to just die() directly in random_bytes() code if underlying syscalls fail.
Definitely, we should not silently ignore these errors.
It seems getrandom() and getentropy() should not fail for buflen <= 256, so we may die() for unexpected errors from these syscalls.
For read() from /dev/urandom, it might be good to handle EINTR, but we may die() for other errors.
Right, sure. I think we can handle it from the caller (but did realise I didn't do that in this version of the patch). Will fix that, and also handle EINTR.
There are '#if defined(NATIVE_LITTLE_ENDIAN)' in the code, does anybody define these?
Hmm, probably not? The FreeBSD Blake implementation seems to have a #define based on __BYTE_ORDER, so guess we could just add something like that as well?
We already have CPU_BIG_ENDIAN in BIRD, so perhaps just use that.
ACK, will do. Thanks for your comments; I'll see if I can't get a revised version ready soonish (certainly sooner than the 1.5 years it took me to do this version ;)). -Toke
participants (2)
-
Ondrej Zajicek -
Toke Høiland-Jørgensen