bfd: set password per proto repaired

nest/config.Y

@@ -628,6 +628,7 @@ bfd_items:
  ;
 
 bfd_opts:
+   { reset_passwords(); }
    '{' bfd_items '}' bfd_opts_pass_finish
  ;
 

proto/bfd/bfd.c

@@ -136,7 +136,9 @@ bfd_merge_options(const struct bfd_iface_config *cf, const struct bfd_options *o
     .min_tx_int = opts->min_tx_int ?: cf->min_tx_int,
     .idle_tx_int = opts->idle_tx_int ?: cf->idle_tx_int,
     .multiplier = opts->multiplier ?: cf->multiplier,
-    .passive = opts->passive_set ? opts->passive : cf->passive
+    .passive = opts->passive_set ? opts->passive : cf->passive,
+    .auth_type = cf->auth_type ? cf->auth_type : opts->auth_type,
+    .passwords = cf->passwords ? cf->passwords : opts->passwords
   };
 }
 

proto/bfd/bfd.h

@@ -70,6 +70,8 @@ struct bfd_session_config
   u32 idle_tx_int;
   u8 multiplier;
   u8 passive;
+  u8 auth_type;				/* Authentication type (BFD_AUTH_*) */
+  list *passwords;			/* Passwords for authentication */
 };
 
 struct bfd_neighbor

proto/bfd/packets.c

@@ -109,15 +109,8 @@ const u8 bfd_auth_type_to_hash_alg[] = {
 static void
 bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt)
 {
-  struct bfd_iface_config *cf = s->ifa->cf;
-  struct bfd_request *req = SKIP_BACK(struct bfd_request, n, HEAD(s->request_list));  //todo password has to be valid
-  struct password_item *pass = password_find(req->opts.passwords, 0);
-  u8 auth_type = req->opts.auth_type;
-  if (pass == NULL)
-  {
-    pass = password_find(cf->passwords, 0);
-    auth_type = cf->auth_type;
-  }
+  struct bfd_session_config *cf = &s->cf;
+  struct password_item *pass = password_find(cf->passwords, 0);
   uint meticulous = 0;
 
   if (!pass)
@@ -127,7 +120,7 @@ bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_c
     return;
   }
 
-  switch (auth_type)
+  switch (cf->auth_type)
   {
   case BFD_AUTH_SIMPLE:
   {
@@ -167,7 +160,7 @@ bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_c
 
     DBG("[%I] CSN: %u\n", s->addr, s->last_tx_csn);
 
-    auth->type = auth_type;
+    auth->type = cf->auth_type;
     auth->length = sizeof(struct bfd_crypto_auth) + hash_len;
     auth->key_id = pass->id;
     auth->zero = 0;
@@ -186,21 +179,12 @@ bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_c
 static int
 bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt)
 {
-  struct bfd_iface_config *cf = s->ifa->cf;
+  struct bfd_session_config *cf = &s->cf;
   const char *err_dsc = NULL;
   uint err_val = 0;
   uint auth_type = 0;
   uint meticulous = 0;
 
-  struct bfd_request *req = SKIP_BACK(struct bfd_request, n, HEAD(s->request_list));  //todo password has to be valid
-  struct password_item *pass_cf = password_find(req->opts.passwords, 0);
-  u8 auth_type_cf = req->opts.auth_type;
-  if (auth_type_cf == 0)
-  {
-    pass_cf = password_find(cf->passwords, 0);
-    auth_type_cf = cf->auth_type;
-  }
-
   if (pkt->flags & BFD_FLAG_AP)
   {
     struct bfd_auth *auth = (void *) (pkt + 1);
@@ -216,7 +200,7 @@ bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_
     auth_type = auth->type;
   }
 
-  if (auth_type != auth_type_cf)
+  if (auth_type != cf->auth_type)
     DROP("authentication method mismatch", auth_type);
 
   switch (auth_type)
@@ -231,14 +215,15 @@ bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_
     if (auth->length < sizeof(struct bfd_simple_auth))
       DROP("wrong authentication length", auth->length);
 
-    if (!pass_cf)
+    struct password_item *pass = password_find_by_id(cf->passwords, auth->key_id);
+    if (!pass)
       DROP("no suitable password found", auth->key_id);
 
-    uint pass_len = MIN(pass_cf->length, BFD_MAX_PASSWORD_LENGTH);
+    uint pass_len = MIN(pass->length, BFD_MAX_PASSWORD_LENGTH);
     uint auth_len = sizeof(struct bfd_simple_auth) + pass_len;
 
-    if ((auth->length != auth_len) || memcmp(auth->password, pass_cf->password, pass_len))
-      DROP("wrong password", pass_cf->id);
+    if ((auth->length != auth_len) || memcmp(auth->password, pass->password, pass_len))
+      DROP("wrong password", pass->id);
 
     return 1;
   }
@@ -258,7 +243,8 @@ bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_
     if (auth->length != (sizeof(struct bfd_crypto_auth) + hash_len))
       DROP("wrong authentication length", auth->length);
 
-    if (!pass_cf)
+    struct password_item *pass = password_find_by_id(cf->passwords, auth->key_id);
+    if (!pass)
       DROP("no suitable password found", auth->key_id);
 
     /* BFD CSNs are in 32-bit circular number space */
@@ -276,10 +262,10 @@ bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_
 
     byte *auth_data = alloca(hash_len);
     memcpy(auth_data, auth->data, hash_len);
-    strncpy(auth->data, pass_cf->password, hash_len);
+    strncpy(auth->data, pass->password, hash_len);
 
     if (!mac_verify(hash_alg, NULL, 0, (byte *) pkt, pkt->length, auth_data))
-      DROP("wrong authentication code", pass_cf->id);
+      DROP("wrong authentication code", pass->id);
 
     s->rx_csn = csn;
     s->rx_csn_known = 1;