nhrpd: add cisco-authentication password support

Taking over this development from https://github.com/FRRouting/frr/pull/14788

This commit addresses 4 issues found in the previous PR

1) FRR would accept messages from a spoke without authentication when FRR NHRP had auth configured.
2) The error indication was not being sent in network byte order
3) The debug print in nhrp_connection_authorized was not correctly printing the received password
4) The addresses portion of the mandatory part of the error indication was invalid on the wire (confirmed in wireshark)

Signed-off-by: Dave LeRoy <dleroy@labn.net>
Co-authored-by: Volodymyr Huti <volodymyr.huti@gmail.com>

3 files changed, 25 insertions, 17 deletions

diff --git a/nhrpd/nhrp_interface.c b/nhrpd/nhrp_interface.c
index 7d0ab9762..e81a2efbb 100644
--- a/nhrpd/nhrp_interface.c
+++ b/nhrpd/nhrp_interface.c
@@ -99,6 +99,8 @@ static int nhrp_if_delete_hook(struct interface *ifp)
 		free(nifp->ipsec_fallback_profile);
 	if (nifp->source)
 		free(nifp->source);
+	if (nifp->auth_token)
+		zbuf_free(nifp->auth_token);
 
 	XFREE(MTYPE_NHRP_IF, ifp->info);
 	return 0;
diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
index 84fcdb069..2414541bf 100644
--- a/nhrpd/nhrp_peer.c
+++ b/nhrpd/nhrp_peer.c
@@ -730,7 +730,7 @@ static void nhrp_handle_registration_request(struct nhrp_packet_parser *p)
 		}
 	}
 
-	// auth ext was validated and copied from the request
+	/* auth ext was validated and copied from the request */
 	nhrp_packet_complete_auth(zb, hdr, ifp, false);
 	nhrp_peer_send(p->peer, zb);
 err:
@@ -1064,7 +1064,6 @@ static void nhrp_peer_forward(struct nhrp_peer *p,
 		nhrp_ext_complete(zb, dst);
 	}
 
-	// XXX: auth already handled ???
 	nhrp_packet_complete_auth(zb, hdr, pp->ifp, false);
 	nhrp_peer_send(p, zb);
 	zbuf_free(zb);
@@ -1121,24 +1120,26 @@ static int nhrp_packet_send_error(struct nhrp_packet_parser *pp,
 		dst_proto = pp->src_proto;
 	}
 	/* Create reply */
-	zb = zbuf_alloc(1500); // XXX: hardcode -> calculation routine
+	zb = zbuf_alloc(1500);
 	hdr = nhrp_packet_push(zb, NHRP_PACKET_ERROR_INDICATION, &pp->src_nbma,
 			       &src_proto, &dst_proto);
 
-	hdr->u.error.code = indication_code;
+	hdr->u.error.code = htons(indication_code);
 	hdr->u.error.offset = htons(offset);
 	hdr->flags = pp->hdr->flags;
-	hdr->hop_count = 0; // XXX: cisco returns 255
+	hdr->hop_count = 0; /* XXX: cisco returns 255 */
 
 	/* Payload is the packet causing error */
 	/* Don`t add extension according to RFC */
-	/* wireshark gives bad checksum, without exts */
-	// pp->hdr->checksum = nhrp_packet_calculate_checksum(zbuf_used(&pp->payload))
 	zbuf_put(zb, pp->hdr, sizeof(*pp->hdr));
-	zbuf_copy(zb, &pp->payload, zbuf_used(&pp->payload));
+	zbuf_put(zb, sockunion_get_addr(&pp->src_nbma),
+		 hdr->src_nbma_address_len);
+	zbuf_put(zb, sockunion_get_addr(&pp->src_proto),
+		 hdr->src_protocol_address_len);
+	zbuf_put(zb, sockunion_get_addr(&pp->dst_proto),
+		 hdr->dst_protocol_address_len);
 	nhrp_packet_complete_auth(zb, hdr, pp->ifp, false);
 
-	/* nhrp_packet_debug(zb, "SEND_ERROR"); */
 	nhrp_peer_send(pp->peer, zb);
 	zbuf_free(zb);
 	return 0;
@@ -1151,8 +1152,7 @@ static bool nhrp_connection_authorized(struct nhrp_packet_parser *pp)
 	struct zbuf *auth = nifp->auth_token;
 	struct nhrp_extension_header *ext;
 	struct zbuf *extensions, pl;
-	int cmp = 0;
-
+	int cmp = 1;
 
 	extensions = zbuf_alloc(zbuf_used(&pp->extensions));
 	zbuf_copy_peek(extensions, &pp->extensions, zbuf_used(&pp->extensions));
@@ -1164,7 +1164,14 @@ static bool nhrp_connection_authorized(struct nhrp_packet_parser *pp)
 					   auth->buf;
 			debugf(NHRP_DEBUG_COMMON,
 			       "Processing Authentication Extension for (%s:%s|%d)",
-			       auth_ext->secret, (const char *)pl.buf, cmp);
+			       auth_ext->secret,
+			       ((struct nhrp_cisco_authentication_extension *)
+					pl.buf)
+				       ->secret,
+			       cmp);
+			break;
+		default:
+			/* Ignoring all received extensions except Authentication*/
 			break;
 		}
 	}
diff --git a/nhrpd/nhrp_vty.c b/nhrpd/nhrp_vty.c
index 66659bdcd..b938ae4cf 100644
--- a/nhrpd/nhrp_vty.c
+++ b/nhrpd/nhrp_vty.c
@@ -467,7 +467,7 @@ DEFPY(if_nhrp_authentication, if_nhrp_authentication_cmd,
       AFI_CMD "nhrp authentication PASSWORD$password",
       AFI_STR
       NHRP_STR
-      "Specify plaint text password used for authenticantion\n"
+      "Specify plain text password used for authenticantion\n"
       "Password, plain text, limited to 8 characters\n")
 {
 	VTY_DECLVAR_CONTEXT(interface, ifp);
@@ -490,8 +490,6 @@ DEFPY(if_nhrp_authentication, if_nhrp_authentication_cmd,
 	auth->type = htonl(NHRP_AUTHENTICATION_PLAINTEXT);
 	memcpy(auth->secret, password, pass_len);
 
-	// XXX RFC: reset active (non-authorized) connections?
-	/* vty_out(vty, "NHRP passwd (%s:%s)", nifp->ifp->name, auth->secret); */
 	return CMD_SUCCESS;
 }
 
@@ -501,11 +499,12 @@ DEFPY(if_no_nhrp_authentication, if_no_nhrp_authentication_cmd,
       NO_STR
       AFI_STR
       NHRP_STR
-      "Reset password used for authentication\n"
-      "Password, plain text\n")
+      "Specify plain text password used for authenticantion\n"
+	  "Password, plain text, limited to 8 characters\n")
 {
 	VTY_DECLVAR_CONTEXT(interface, ifp);
 	struct nhrp_interface *nifp = ifp->info;
+
 	if (nifp->auth_token)
 		zbuf_free(nifp->auth_token);
 	return CMD_SUCCESS;