ospf: Check LLS data block authentication.

nrybowski · nrybowski · commit 4bf4ecab1064 · 2025-06-27T18:26:03.000+02:00
For OSPFv{2,3}, if the authentication is disabled, the LLS
data block checksum is verified.

For OSPFv2, when the authentication is enabled, the CA-TLV
digest is verified.

For OSPFv3, when the authentication is enabled, there is
nothing to do as the LLS data block is included in the
authentication digest.

Signed-off-by: Nicolas Rybowski &lt;nicolas.rybowski@uclouvain.be&gt;
diff --git a/holo-ospf/src/ospfv2/packet/lls.rs b/holo-ospf/src/ospfv2/packet/lls.rs
@@ -5,9 +5,10 @@ use derive_new::new;
 use num_traits::FromPrimitive;
 use serde::{Deserialize, Serialize};
 
+use super::PacketHdrAuth;
 use crate::ospfv2::packet::packet_options;
 use crate::packet::OptionsVersion;
-use crate::packet::auth::{self, AuthEncodeCtx};
+use crate::packet::auth::{self, AuthDecodeCtx, AuthEncodeCtx, AuthMethod};
 use crate::packet::error::{DecodeError, DecodeResult};
 use crate::packet::lls::{
     ExtendedOptionsFlagsTlv, LLS_HDR_SIZE, LlsDbDescData, LlsHelloData,
@@ -76,7 +77,7 @@ impl From<LlsDataBlock> for LlsDbDescData {
 pub struct CryptoAuthTlv {
     pub seqno: u32,
     #[new(default)]
-    pub auth_data: Vec<u32>,
+    pub auth_data: Bytes,
 }
 
 impl CryptoAuthTlv {
@@ -104,12 +105,9 @@ impl CryptoAuthTlv {
             return Err(DecodeError::InvalidTlvLength(tlv_len));
         }
         let seqno = buf.try_get_u32()?;
-        let mut auth_data_len = tlv_len - 4;
-        let mut auth_data = Vec::new();
-        while auth_data_len > 0 {
-            auth_data.push(buf.try_get_u32()?);
-            auth_data_len -= 4;
-        }
+        let auth_data_len = tlv_len - 4;
+        let auth_data = buf.slice(..auth_data_len as usize);
+
         Ok(CryptoAuthTlv { seqno, auth_data })
     }
 }
@@ -140,27 +138,36 @@ impl LlsVersion<Self> for Ospfv2 {
     }
 
     fn decode_lls_block(
-        buf: &[u8],
+        data: &[u8],
         pkt_len: u16,
+        hdr_auth: PacketHdrAuth,
+        auth: Option<AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<LlsDataBlock>> {
         // Test the presence of the L-bit indicating a LLS data block.
-        if packet_options(buf).is_none_or(|options| !options.l_bit()) {
+        if packet_options(data).is_none_or(|options| !options.l_bit()) {
             return Ok(None);
         }
 
-        let mut buf = Bytes::copy_from_slice(&buf[pkt_len as usize..]);
+        let mut buf = Bytes::copy_from_slice(&data[pkt_len as usize..]);
 
         // Sanity check on buffer length.
         if buf.remaining() < LLS_HDR_SIZE as usize {
             return Err(DecodeError::InvalidLength(buf.len() as u16));
         }
 
         // If authentication trailer is embedded, skip it.
+        // The authentication digest has already been verified earlier, so no
+        // need for a double check here.
+        if let PacketHdrAuth::Cryptographic { auth_len, .. } = hdr_auth {
+            buf.advance(auth_len as usize);
+        } else {
+            // Validate LLS block checksum when authentication is disabled.
+            Self::verify_cksum(&buf)?;
+        };
 
-        let mut lls_block = LlsDataBlock::new();
+        let mut data = buf.clone();
 
-        // TODO: Validate LLS block checksum
-        // Self::verify_cksum(buf)?;
+        let mut lls_block = LlsDataBlock::new();
 
         let _cksum = buf.try_get_u16()?;
         let lls_len = buf.try_get_u16()?;
@@ -175,6 +182,7 @@ impl LlsVersion<Self> for Ospfv2 {
             return Err(DecodeError::InvalidLength(block_len as u16));
         }
         buf = buf.slice(0..block_len);
+        data = data.slice(0..block_len + LLS_HDR_SIZE as usize);
 
         while buf.remaining() >= LLS_HDR_SIZE as usize {
             // Parse TLV type.
@@ -198,7 +206,80 @@ impl LlsVersion<Self> for Ospfv2 {
                 }
                 Some(LlsTlvType::CryptoAuth) => {
                     let ca = CryptoAuthTlv::decode(tlv_len, &mut buf_tlv)?;
-                    lls_block.ca = Some(ca);
+
+                    // RFC 5613 Section 2.5 : "The Sequence Number field
+                    // contains the cryptographic sequence number
+                    // that is used to prevent simple replay attacks.  For the
+                    // LLS block to be considered authentic, the Sequence Number
+                    // in the CA-TLV MUST match the Sequence Number in the
+                    // OSPFv2 packet header Authentication field (which MUST be
+                    // present)."
+                    // TODO : check that seqno match
+
+                    if let PacketHdrAuth::Cryptographic {
+                        key_id,
+                        auth_len,
+                        seqno,
+                    } = hdr_auth
+                    {
+                        // Get authentication key.
+                        let auth = auth.as_ref().unwrap();
+                        let auth_key = match auth.method {
+                            AuthMethod::ManualKey(key) => {
+                                // Check if the Key ID matches.
+                                if key.id != key_id as u64 {
+                                    return Err(
+                                        DecodeError::AuthKeyIdNotFound(
+                                            key_id as u32,
+                                        ),
+                                    );
+                                }
+                                key
+                            }
+                            AuthMethod::Keychain(keychain) => keychain
+                                .key_lookup_accept(key_id as u64)
+                                .ok_or(DecodeError::AuthKeyIdNotFound(
+                                    key_id as u32,
+                                ))?,
+                        };
+
+                        // Sanity check.
+                        if auth_key.algo.digest_size() != auth_len {
+                            return Err(DecodeError::AuthLenError(
+                                auth_len as u16,
+                            ));
+                        }
+
+                        // Skip the CA TLV digest
+                        let mut digest_data = BytesMut::from(
+                            &data[..data.len() - ca.auth_data.len()],
+                        );
+
+                        // Remove LLS block length at its unknown upon digest
+                        // encoding.
+                        digest_data[3] = 0;
+
+                        // Remove LLS CA TLV length at its unknown upon digest
+                        // encoding. Per RFC 5613, CA TLV MUST be the last in
+                        // the LLS data block.
+                        let offset = digest_data.len() - 5;
+                        digest_data[offset] = 0;
+
+                        let digest = auth::message_digest(
+                            &digest_data,
+                            auth_key.algo,
+                            &auth_key.string,
+                            None,
+                            None,
+                        );
+
+                        // Check if the received message digest is valid.
+                        if ca.auth_data != digest {
+                            return Err(DecodeError::AuthError);
+                        }
+
+                        lls_block.ca = Some(ca);
+                    }
                 }
                 _ => {
                     // Save unknown TLV.
diff --git a/holo-ospf/src/ospfv2/packet/mod.rs b/holo-ospf/src/ospfv2/packet/mod.rs
@@ -839,7 +839,7 @@ impl PacketVersion<Self> for Ospfv2 {
     fn decode_auth_validate(
         data: &[u8],
         pkt_len: u16,
-        hdr_auth: PacketHdrAuth,
+        hdr_auth: &PacketHdrAuth,
         auth: Option<AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<u64>> {
         // Discard the packet if its authentication type doesn't match the
@@ -864,26 +864,28 @@ impl PacketVersion<Self> for Ospfv2 {
                 let auth_key = match auth.method {
                     AuthMethod::ManualKey(key) => {
                         // Check if the Key ID matches.
-                        if key.id != key_id as u64 {
+                        if key.id != *key_id as u64 {
                             return Err(DecodeError::AuthKeyIdNotFound(
-                                key_id as u32,
+                                *key_id as u32,
                             ));
                         }
                         key
                     }
-                    AuthMethod::Keychain(keychain) => keychain
-                        .key_lookup_accept(key_id as u64)
-                        .ok_or(DecodeError::AuthKeyIdNotFound(key_id as u32))?,
+                    AuthMethod::Keychain(keychain) => {
+                        keychain.key_lookup_accept(*key_id as u64).ok_or(
+                            DecodeError::AuthKeyIdNotFound(*key_id as u32),
+                        )?
+                    }
                 };
 
                 // Sanity check.
-                if auth_key.algo.digest_size() != auth_len {
-                    return Err(DecodeError::AuthLenError(auth_len as u16));
+                if auth_key.algo.digest_size() != *auth_len {
+                    return Err(DecodeError::AuthLenError(*auth_len as u16));
                 }
 
                 // Get the authentication trailer.
                 let auth_trailer = &data
-                    [pkt_len as usize..pkt_len as usize + auth_len as usize];
+                    [pkt_len as usize..pkt_len as usize + *auth_len as usize];
 
                 // Compute message digest.
                 let data = &data[..pkt_len as usize];
@@ -901,7 +903,7 @@ impl PacketVersion<Self> for Ospfv2 {
                 }
 
                 // Authentication succeeded.
-                Ok(Some(seqno.into()))
+                Ok(Some((*seqno).into()))
             }
         }
     }
@@ -939,11 +941,11 @@ pub(crate) fn packet_options(data: &[u8]) -> Option<Options> {
     let pkt_type = PacketType::from_u8(data[1]).unwrap();
     match pkt_type {
         PacketType::Hello => {
-            let options = &data[PacketHdr::LENGTH as usize + 7..];
+            let options = &data[PacketHdr::LENGTH as usize + 6..];
             Some(Options::from_bits_truncate(options[0]))
         }
         PacketType::DbDesc => {
-            let options = &data[PacketHdr::LENGTH as usize + 3..];
+            let options = &data[PacketHdr::LENGTH as usize + 2..];
             Some(Options::from_bits_truncate(options[0]))
         }
         PacketType::LsRequest | PacketType::LsUpdate | PacketType::LsAck => {
diff --git a/holo-ospf/src/ospfv3/packet/lls.rs b/holo-ospf/src/ospfv3/packet/lls.rs
@@ -2,10 +2,10 @@ use bytes::{Buf, Bytes, BytesMut};
 use derive_new::new;
 use num_traits::FromPrimitive;
 
-use super::packet_options;
+use super::{PacketHdrAuth, packet_options};
+use crate::ospfv3::packet::Options;
 use crate::packet::OptionsVersion;
-// use serde::{Deserialize, Serialize};
-use crate::packet::auth::AuthEncodeCtx;
+use crate::packet::auth::{AuthDecodeCtx, AuthEncodeCtx};
 use crate::packet::error::{DecodeError, DecodeResult};
 use crate::packet::lls::{
     ExtendedOptionsFlagsTlv, LLS_HDR_SIZE, LlsDbDescData, LlsHelloData,
@@ -72,9 +72,12 @@ impl LlsVersion<Self> for Ospfv3 {
     fn decode_lls_block(
         buf: &[u8],
         pkt_len: u16,
+        _hdr_auth: PacketHdrAuth,
+        _auth: Option<AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<LlsDataBlock>> {
         // Test the presence of the L-bit indicating a LLS data block.
-        if packet_options(buf).is_none_or(|options| !options.l_bit()) {
+        let options = packet_options(buf);
+        if options.is_none_or(|options| !options.l_bit()) {
             return Ok(None);
         }
 
@@ -85,10 +88,14 @@ impl LlsVersion<Self> for Ospfv3 {
             return Err(DecodeError::InvalidLength(buf.len() as u16));
         }
 
-        let mut lls_block = LlsDataBlock::new();
+        // Validate LLS block checksum when authentication is disabled.
+        if let Some(options) = options
+            && !options.contains(Options::AT)
+        {
+            Self::verify_cksum(&buf)?;
+        }
 
-        // TODO: Validate LLS block checksum
-        // Self::verify_cksum(buf)?;
+        let mut lls_block = LlsDataBlock::new();
 
         let _cksum = buf.try_get_u16()?;
         let lls_len = buf.try_get_u16()?;
diff --git a/holo-ospf/src/ospfv3/packet/mod.rs b/holo-ospf/src/ospfv3/packet/mod.rs
@@ -811,7 +811,7 @@ impl PacketVersion<Self> for Ospfv3 {
     fn decode_auth_validate(
         data: &[u8],
         pkt_len: u16,
-        _hdr_auth: PacketHdrAuth,
+        _hdr_auth: &PacketHdrAuth,
         auth: Option<AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<u64>> {
         let options = packet_options(data);
diff --git a/holo-ospf/src/packet/lls.rs b/holo-ospf/src/packet/lls.rs
@@ -7,6 +7,8 @@ use serde::{self, Deserialize, Serialize};
 use super::auth::AuthEncodeCtx;
 use super::error::{DecodeError, DecodeResult};
 use super::tlv::{tlv_encode_end, tlv_encode_start};
+use crate::ospfv2::packet::PacketHdr;
+use crate::packet::AuthDecodeCtx;
 use crate::version::Version;
 
 // LLS header size.
@@ -26,6 +28,8 @@ pub trait LlsVersion<V: Version> {
     fn decode_lls_block(
         buf: &[u8],
         pkt_len: u16,
+        hdr_auth: V::PacketHdrAuth,
+        auth: Option<AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<V::LlsDataBlock>>;
 
     const CKSUM_RANGE: std::ops::Range<usize> = 0..2;
diff --git a/holo-ospf/src/packet/mod.rs b/holo-ospf/src/packet/mod.rs
@@ -85,7 +85,7 @@ pub trait PacketVersion<V: Version> {
     fn decode_auth_validate(
         data: &[u8],
         pkt_len: u16,
-        hdr_auth: V::PacketHdrAuth,
+        hdr_auth: &V::PacketHdrAuth,
         auth: Option<AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<u64>>;
 
@@ -324,13 +324,17 @@ impl<V: Version> Packet<V> {
         let _span_guard = span.enter();
 
         // Validate the packet authentication.
-        if let Some(auth_seqno) =
-            V::decode_auth_validate(&buf_orig, pkt_len, hdr_auth, auth)?
-        {
+        if let Some(auth_seqno) = V::decode_auth_validate(
+            &buf_orig,
+            pkt_len,
+            &hdr_auth,
+            // TODO : Pass a reference rather than a clone
+            auth.clone(),
+        )? {
             hdr.set_auth_seqno(auth_seqno);
         }
 
-        let lls = V::decode_lls_block(&buf_orig, pkt_len)?;
+        let lls = V::decode_lls_block(&buf_orig, pkt_len, hdr_auth, auth)?;
 
         // Decode the packet body.
         let packet = match hdr.pkt_type() {
