Toke Høiland-Jørgensen authored 3 years ago and Ondřej Zajíček committed 3 years ago

This implements support for MAC authentication in the Babel protocol, as
specified by RFC 8967. The implementation seeks to follow the RFC as close
as possible, with the only deliberate deviation being the addition of
support for all the HMAC algorithms already supported by Bird, as well as
the Blake2b variant of the Blake algorithm.

For description of applicability, assumptions and security properties,
see RFC 8967 sections 1.1 and 1.2.

Toke Høiland-Jørgensen authored 3 years ago and Ondřej Zajíček committed 3 years ago

In preparation for adding authentication checks, refactor the TLV
walking code so it can be reused for a separate pass of the packet
for authentication checks.

Toke Høiland-Jørgensen authored 3 years ago and Ondřej Zajíček committed 3 years ago

Add min/max key length fields to the MAC algorithm description and
validate configured keys before they are used.

Toke Høiland-Jørgensen authored 3 years ago and Ondřej Zajíček committed 3 years ago

Add support for specifying a password in hexadecimal format, The result
is the same whether a password is specified as a quoted string or a
hex-encoded byte string, this just makes it more convenient to input
high-entropy byte strings as MAC keys.

Toke Høiland-Jørgensen authored 3 years ago and Ondřej Zajíček committed 3 years ago

Import the blake2-kat.h header with test vector output from the blake
reference implementation, and add tests to mac_test.c to compare the
output of the Bird MAC algorithm implementations with that reference
output.

Since the reference implementation only has test vectors for the full
output size, there are no tests for the smaller-sized output variants.

Toke Høiland-Jørgensen authored 3 years ago and Ondřej Zajíček committed 3 years ago

The Babel MAC authentication RFC recommends implementing Blake2s as one of
the supported algorithms. In order to achieve do this, add the blake2b and
blake2s hash functions for MAC authentication. The hashing function
implementations are the reference implementations from blake2.net.

The Blake2 algorithms allow specifying an arbitrary output size, and the
Babel MAC spec says to implement Blake2s with 128-bit output. To satisfy
this, we add two different variants of each of the algorithms, one using
the default size (256 bits for Blake2s, 512 bits for Blake2b), and one
using half the default output size.

Update to BIRD coding style done by committer.

Simplify the code and fix an issue with getentropy() return value.

Toke Høiland-Jørgensen authored 4 years ago and Ondřej Zajíček committed 3 years ago

Add a wrapper function in sysdep to get random bytes, and required checks
in configure.ac to select how to do it. The configure script tries, in
order, getrandom(), getentropy() and reading from /dev/urandom.

Routes from downed protocols stay in rtable (until next rtable prune
cycle ends) and may be even exported to another protocol. In BGP case,
source BGP protocol is examined, although dynamic parts (including
neighbor entries) are already freed. That may lead to crash under some
race conditions. Ensure that freed neighbor entry is not accessed to
avoid this issue.

Babel: Seqno requests are properly decoupled from neighbors when the underlying interface disappears

When an interface disappears, all the neighbors are freed as well. Seqno
requests were anyway not decoupled from them, leading to strange
segfaults. This fix adds a proper seqno request list inside neighbors to
make sure that no pointer to neighbor is kept after free.

Some area handling code got confused by IPv4 setup in OSPFv3 mode.

Matous Holinka authored 3 years ago and Ondřej Zajíček committed 3 years ago

.gitlab-ci.yml:
+ pkg targets for some distros added
+ artifacts added
- some distros were commented out (due to errors).

misc/docker/*:
+ Dockerfiles updated with the necessary packages.

Also temporarily disable cf-ospf-auth, as there is some problem with it.

Use git-archive to avoid unrelated and temporary files and fix some
minor issues (e.g. dependency on bash as system shell).

Jakub Ružička authored 3 years ago and Ondřej Zajíček committed 3 years ago

init-system-helpers (>= 1.56~) can't be satisfied on:

* Ubuntu 18.04 (1.51)
* Ubuntu 16.04 (1.29)
* Debian 9 (1.48)

Remove the specific version requirement in order to enable build on
older platforms.

Jakub Ružička authored 3 years ago and Ondřej Zajíček committed 3 years ago

SUSE is more strict about .spec.

* use SPDX license id
* add missing %ghost file directive

Jakub Ružička authored 3 years ago and Ondřej Zajíček committed 3 years ago

Adressing following FTBFS on all older debian/ubuntu distros:

    Can't locate LinuxDocTools/Data/Latin1ToSgml.pm in @INC (you may need to install the LinuxDocTools::Data::Latin1ToSgml module)

Jakub Ružička authored 4 years ago and Ondřej Zajíček committed 3 years ago

Files in a single new distro/ dir allow apkg to build BIRD packages for
various distros directly from upstream sources as well as from upstream
archives.

Please see distro/README.md for more detail as well as apkg docs:

https://apkg.rtfd.io

I've used these files to build bird-2.0.8 on all currently supported
releases of following distros:

* Debian
* Ubuntu
* Fedora
* CentOS
* openSUSE

Please note that latest apkg with accumulated fixes for bird is needed:
packaging/apkg!35

For numeric operators, comma is used for disjunction in expressions like
"10, 20, 30..40". But for bitmask operators, comma is used for
conjunction in a way that does not really make much sense. Use always
explicit logical operators (&& and ||) to connect bitmask operators.

Thanks to Matt Corallo for the bugreport.

Trisha Biswas authored 3 years ago and Ondřej Zajíček committed 3 years ago

Add support to set or read outgoing MPLS labels using filters. Currently
this supports the addition of one label per route for the first next hop.

Minor changes by committer.

RFC 8955 is pretty clear that 000 is false and 111 is true.

Implement function flow_explicate_part() to convert flowspec numeric
expressions to a simple list of (disjoint, sorted) intervals. That could
be used in filters to build f_tree-based int-sets from them.

The babel protocol code checks whether iface supports multicast, and
whether it has a link-local address assigned. However, it doesn not give
any feedback if any of those checks fail, it just silently ignores the
interface. Fix this by explicitly logging when multicast check fails.

Based on patch from Toke Høiland-Jørgensen, thanks!

Toke Høiland-Jørgensen authored 3 years ago and Ondřej Zajíček committed 3 years ago

The BSD code did not propagate the OS-level IFF_MULTICAST flag to the
Bird-internal IF_MULTICAST flag, which causes problems with Wireguard
interfaces on FreeBSD. The Linux sysdep code does propagate the flag
already, so just copy over the same check and flag update.

Ifaces with host address (/32) were forced to be stubby, but now they
can be used as PtP or PtMP. For these ifaces we need to:

 - Do not force stub mode
 - Accept packets from any IP as local
 - Accept any configured neighbor as local
 - Detect ifaces properly as unnumbered
 - Use ONLINK flag for nexthops

As specified in RFC 2328 8.1: "On physical point-to-point networks,
the IP destination is always set to the address AllSPFRouters."

Note that this likely break setups with multiple neighbors on a network
configured as PtP, which worked before. These should be configured as
PtMP.

Thanks to Senthil Kumar Nagappan for the original patch and to Joakim
Tjernlund for suggestions.

Common behavior for LSupd and delayed LSack moved to ospf_send_to_iface()
and other minor changes.

BIRD uses hacked LinuxDocTools for building documentation, keeping some
parts locally and using remaining parts from system-installed one. This
setup breaks when LinuxDocTools makes some internal changes and is hard
to keep consistent.

Just include full LinuxDocTools code (both hacked and unmodified parts)
to avoid consistency issues. Note that we still need some binaries from
LinuxDocTools, so it still needs to be installed to build documentation.

/misc/docker/:
+ debian 11 (i386+amd64) added,
+ fedora 32 added,
+ fedora 33 added,
+ fedora 34 added,
+ opensuse 15.2 added,
+ opensuse 15.3 added,
+ ubuntu 20.04 added,
+ ubuntu 20.10 added,
+ ubuntu 21.04 added,
- ubuntu 19.10 removed.

/.gitlab-ci.yml:
+ stages 'image' and 'build' updated.

This fixes an internal table cleanup bug introduced
in ff397df7.

Stefan Haller authored 3 years ago and Ondřej Zajíček committed 3 years ago

For logging purposes a stack allocated net_addr struct was passed by
value as vararg (instead of the expected pointer). This resulted in
a segfault when the specific error condition got logged.

The code in tm_format_real_time() mixed up two buffers and their
sizes, which may cause crash in MRT dumping code.

Thanks to Piotr Wydrych for the bugreport.