ospf: Preparation work for RFC 5613.

nrybowski · nrybowski · commit 9238c1a7e864 · 2025-06-30T17:05:48.000+02:00
- Update V::decode_auth_validate() signature to use references rather
than taking ownership of PacketHdrAuth and AuthDecodeCtx. These
structures are required for OSPFv2 LLS data blocks authentication

- Extend PacketVersion interface with  function to retrieve Options
field from Hello and DbDesc packets.

- Move digest validation logic in a separate function as it will be
required for LLS CA-TLV authentication.

Signed-off-by: Nicolas Rybowski &lt;nicolas.rybowski@uclouvain.be&gt;
diff --git a/holo-ospf/src/ospfv2/packet/mod.rs b/holo-ospf/src/ospfv2/packet/mod.rs
@@ -804,8 +804,8 @@ impl PacketVersion<Self> for Ospfv2 {
     fn decode_auth_validate(
         data: &[u8],
         pkt_len: u16,
-        hdr_auth: PacketHdrAuth,
-        auth: Option<AuthDecodeCtx<'_>>,
+        hdr_auth: &PacketHdrAuth,
+        auth: Option<&AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<u64>> {
         // Discard the packet if its authentication type doesn't match the
         // interface's configured authentication type.
@@ -824,49 +824,17 @@ impl PacketVersion<Self> for Ospfv2 {
                 auth_len,
                 seqno,
             } => {
-                // Get authentication key.
-                let auth = auth.as_ref().unwrap();
-                let auth_key = match auth.method {
-                    AuthMethod::ManualKey(key) => {
-                        // Check if the Key ID matches.
-                        if key.id != key_id as u64 {
-                            return Err(DecodeError::AuthKeyIdNotFound(
-                                key_id as u32,
-                            ));
-                        }
-                        key
-                    }
-                    AuthMethod::Keychain(keychain) => keychain
-                        .key_lookup_accept(key_id as u64)
-                        .ok_or(DecodeError::AuthKeyIdNotFound(key_id as u32))?,
-                };
-
-                // Sanity check.
-                if auth_key.algo.digest_size() != auth_len {
-                    return Err(DecodeError::AuthLenError(auth_len as u16));
-                }
-
                 // Get the authentication trailer.
                 let auth_trailer = &data
-                    [pkt_len as usize..pkt_len as usize + auth_len as usize];
+                    [pkt_len as usize..pkt_len as usize + *auth_len as usize];
 
                 // Compute message digest.
                 let data = &data[..pkt_len as usize];
-                let digest = auth::message_digest(
-                    data,
-                    auth_key.algo,
-                    &auth_key.string,
-                    None,
-                    None,
-                );
 
-                // Check if the received message digest is valid.
-                if *auth_trailer != digest {
-                    return Err(DecodeError::AuthError);
-                }
+                validate_digest(*key_id, *auth_len, auth, auth_trailer, data)?;
 
                 // Authentication succeeded.
-                Ok(Some(seqno.into()))
+                Ok(Some((*seqno).into()))
             }
         }
     }
@@ -881,4 +849,62 @@ impl PacketVersion<Self> for Ospfv2 {
         );
         buf.put_slice(&digest);
     }
+
+    fn packet_options(data: &[u8]) -> Option<Options> {
+        let pkt_type = PacketType::from_u8(data[1]).unwrap();
+        match pkt_type {
+            PacketType::Hello => {
+                let options = &data[PacketHdr::LENGTH as usize + 6..];
+                Some(Options::from_bits_truncate(options[0]))
+            }
+            PacketType::DbDesc => {
+                let options = &data[PacketHdr::LENGTH as usize + 2..];
+                Some(Options::from_bits_truncate(options[0]))
+            }
+            PacketType::LsRequest
+            | PacketType::LsUpdate
+            | PacketType::LsAck => None,
+        }
+    }
+}
+
+// ===== helper functions =====
+
+pub(crate) fn validate_digest(
+    key_id: u8,
+    auth_len: u8,
+    auth: Option<&AuthDecodeCtx<'_>>,
+    digest_rx: &[u8],
+    data: &[u8],
+) -> DecodeResult<()> {
+    // Get authentication key.
+    let auth = auth.as_ref().unwrap();
+    let auth_key = match auth.method {
+        AuthMethod::ManualKey(key) => {
+            // Check if the Key ID matches.
+            if key.id != key_id as u64 {
+                return Err(DecodeError::AuthKeyIdNotFound(key_id as u32));
+            }
+            key
+        }
+        AuthMethod::Keychain(keychain) => keychain
+            .key_lookup_accept(key_id as u64)
+            .ok_or(DecodeError::AuthKeyIdNotFound(key_id as u32))?,
+    };
+
+    // Sanity check.
+    if auth_key.algo.digest_size() != auth_len {
+        return Err(DecodeError::AuthLenError(auth_len as u16));
+    }
+
+    // Compute message digest.
+    let digest =
+        auth::message_digest(data, auth_key.algo, &auth_key.string, None, None);
+
+    // Check if the received message digest is valid.
+    if *digest_rx != digest {
+        return Err(DecodeError::AuthError);
+    }
+
+    Ok(())
 }
diff --git a/holo-ospf/src/ospfv3/packet/mod.rs b/holo-ospf/src/ospfv3/packet/mod.rs
@@ -780,10 +780,10 @@ impl PacketVersion<Self> for Ospfv3 {
     fn decode_auth_validate(
         data: &[u8],
         pkt_len: u16,
-        _hdr_auth: PacketHdrAuth,
-        auth: Option<AuthDecodeCtx<'_>>,
+        _hdr_auth: &PacketHdrAuth,
+        auth: Option<&AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<u64>> {
-        let options = packet_options(data);
+        let options = Self::packet_options(data);
 
         // Check for authentication type mismatch.
         //
@@ -905,28 +905,23 @@ impl PacketVersion<Self> for Ospfv3 {
         );
         buf.put_slice(&digest);
     }
-}
-
-// ===== helper functions =====
 
-// Retrieves the Options field from Hello and Database Description packets.
-//
-// Assumes the packet length has been validated beforehand.
-fn packet_options(data: &[u8]) -> Option<Options> {
-    let pkt_type = PacketType::from_u8(data[1]).unwrap();
-    match pkt_type {
-        PacketType::Hello => {
-            let options = &data[PacketHdr::LENGTH as usize + 6..];
-            let options = ((options[0] as u16) << 8) | options[1] as u16;
-            Some(Options::from_bits_truncate(options))
-        }
-        PacketType::DbDesc => {
-            let options = &data[PacketHdr::LENGTH as usize + 2..];
-            let options = ((options[0] as u16) << 8) | options[1] as u16;
-            Some(Options::from_bits_truncate(options))
-        }
-        PacketType::LsRequest | PacketType::LsUpdate | PacketType::LsAck => {
-            None
+    fn packet_options(data: &[u8]) -> Option<Options> {
+        let pkt_type = PacketType::from_u8(data[1]).unwrap();
+        match pkt_type {
+            PacketType::Hello => {
+                let options = &data[PacketHdr::LENGTH as usize + 6..];
+                let options = ((options[0] as u16) << 8) | options[1] as u16;
+                Some(Options::from_bits_truncate(options))
+            }
+            PacketType::DbDesc => {
+                let options = &data[PacketHdr::LENGTH as usize + 2..];
+                let options = ((options[0] as u16) << 8) | options[1] as u16;
+                Some(Options::from_bits_truncate(options))
+            }
+            PacketType::LsRequest
+            | PacketType::LsUpdate
+            | PacketType::LsAck => None,
         }
     }
 }
diff --git a/holo-ospf/src/packet/mod.rs b/holo-ospf/src/packet/mod.rs
@@ -83,12 +83,17 @@ pub trait PacketVersion<V: Version> {
     fn decode_auth_validate(
         data: &[u8],
         pkt_len: u16,
-        hdr_auth: V::PacketHdrAuth,
-        auth: Option<AuthDecodeCtx<'_>>,
+        hdr_auth: &V::PacketHdrAuth,
+        auth: Option<&AuthDecodeCtx<'_>>,
     ) -> DecodeResult<Option<u64>>;
 
     // Encode the authentication trailer.
     fn encode_auth_trailer(buf: &mut BytesMut, auth: AuthEncodeCtx<'_>);
+
+    // Retrieves the Options field from Hello and Database Description packets.
+    //
+    // Assumes the packet length has been validated beforehand.
+    fn packet_options(data: &[u8]) -> Option<Self::PacketOptions>;
 }
 
 // OSPF version-specific code.
@@ -307,9 +312,12 @@ impl<V: Version> Packet<V> {
         let _span_guard = span.enter();
 
         // Validate the packet authentication.
-        if let Some(auth_seqno) =
-            V::decode_auth_validate(buf_orig.as_ref(), pkt_len, hdr_auth, auth)?
-        {
+        if let Some(auth_seqno) = V::decode_auth_validate(
+            buf_orig.as_ref(),
+            pkt_len,
+            &hdr_auth,
+            auth.as_ref(),
+        )? {
             hdr.set_auth_seqno(auth_seqno);
         }
 
