path: root/usr.sbin/ldpd/ldpd.conf.5
author    David Gwynne <dlg@cvs.openbsd.org> 2019-01-23 02:02:05 +0000
committer David Gwynne <dlg@cvs.openbsd.org> 2019-01-23 02:02:05 +0000
commit    db99c13617616f7d7f4e5df6a6affbed0e23ffe8 (patch)
tree      640352a306b1953089fb42e99cb346347e983ee7 /usr.sbin/ldpd/ldpd.conf.5
parent    2cf7d1cce3e05ed9fe7e441d335c8db2c502acbe (diff)
rework how tcp md5 signatures are configured.
previously ldpd only allowed tcp md5 to be configured against a neighbor (by ldp router id), but other vendors supported configuring tcp md5sig by prefix as well as neighbor. this reworks the config so auth is maintained globally as a list of prefixes that you do and do not want to do tcp md5sig auth with. the config statements look more like what is in bgpd.conf now too.

an example of the new config for interoperating with my baby cisco test network:

on ios:

    mpls ldp password required for MPLS
    mpls ldp password option 1 for MPLS key-chain LDPAUTH
    key chain LDPAUTH
     key 1
      key-string secret
    interface Loopback0
     ip address 192.168.0.0 255.255.255.255
    end
    ip prefix-list MPLS seq 5 permit 192.168.0.0/24
    ip access-list standard MPLS
    mpls ldp router-id Loopback0 force

and in ldpd.conf:

    router-id 192.168.0.25
    tcp md5sig password secret 192.168.0.0/24
    address-family ipv4 {
        interface vmx1
    }

this still supports specifying tcp md5sig on neighbors, but that is syntactic sugar around adding entries to the list of auths.

ok (and lots of help from) claudio@
Diffstat (limited to 'usr.sbin/ldpd/ldpd.conf.5')
-rw-r--r--  usr.sbin/ldpd/ldpd.conf.5  41
1 files changed, 29 insertions, 12 deletions
diff --git a/usr.sbin/ldpd/ldpd.conf.5 b/usr.sbin/ldpd/ldpd.conf.5
index c9d7706702c..2c797649be6 100644
--- a/usr.sbin/ldpd/ldpd.conf.5
+++ b/usr.sbin/ldpd/ldpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ldpd.conf.5,v 1.36 2018/08/06 17:25:11 mestre Exp $
+.\" $OpenBSD: ldpd.conf.5,v 1.37 2019/01/23 02:02:04 dlg Exp $
.\"
.\" Copyright (c) 2013, 2016 Renato Westphal <renato@openbsd.org>
.\" Copyright (c) 2009 Michele Marchetto <michele@openbsd.org>
@@ -19,7 +19,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 6 2018 $
+.Dd $Mdocdate: January 23 2019 $
.Dt LDPD.CONF 5
.Os
.Sh NAME
@@ -72,14 +72,6 @@ and may contain any of those characters.
Macro names may not be reserved words (for example,
.Ic neighbor ) .
Macros are not expanded inside quotes.
-.Pp
-For example:
-.Bd -literal -offset indent
-peer1="10.0.1.5"
-neighbor $peer1 {
- password "openbsd"
-}
-.Ed
.Sh GLOBAL CONFIGURATION
Several settings can be configured globally or within a more restricted scope,
like per address-family or per interface.
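Review bot: the removed `.Bd -literal` block was the only worked example in the MACROS section, and nothing replaces it, so the statements that macros can stand in for a neighbor address and are not expanded inside quotes now have no illustration. The deletion is presumably because `password "openbsd"` is no longer valid syntax after this change; rather than dropping the example, update it to the new keyword, e.g. `neighbor $peer1 {` / `	tcp md5sig password "openbsd"` / `}`, so the macro section still shows the feature it describes.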
@@ -119,6 +111,27 @@ Set the router ID; in combination with labelspace it forms the LSR-ID.
If not specified, the numerically lowest IP address of the router will be used.
.Pp
.It Xo
+.Ic tcp md5sig password Ar secret
+.Op Ar lsr-id Ns Op / Ns Ar prefix
+.Xc
+.It Xo
+.Ic tcp md5sig key Ar secret
+.Op Ar lsr-id Ns Op / Ns Ar prefix
+.Xc
+.It Xo
+.Ic no tcp md5sig
+.Op Ar lsr-id Ns Op / Ns Ar prefix
+.Xc
+Enable or disable TCP MD5 signatures per RFC 5036.
+The shared secret can either be given as a password or hexadecimal key.
+An optional prefix may be specified to scope the key configuration to a
+set of neighbors with the specified LSR-IDs.
+.Bd -literal -offset indent
+tcp md5sig password mekmitasdigoat 192.168.0.0/24
+no tcp md5sig 192.168.0.25
+.Ed
+.Pp
+.It Xo
.Ic transport-preference
.Pq Ic ipv4 Ns | Ns Ic ipv6
.Xc
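Review bot: the new global `tcp md5sig` text never says how overlapping entries are resolved, yet its own example depends on it: `tcp md5sig password mekmitasdigoat 192.168.0.0/24` followed by `no tcp md5sig 192.168.0.25` only exempts 192.168.0.25 if the more specific (or the later) entry wins. State the rule explicitly (longest prefix match, or last matching entry in the list), because the operator-facing consequence of guessing wrong is an LDP session that is silently unauthenticated or one that never comes up. Two smaller points on the same hunk: `tcp md5sig key Ar secret` says the key is hexadecimal but gives no accepted length or format (leading `0x` or not, odd digit counts), and "scope the key configuration to a set of neighbors with the specified LSR-IDs" reads better as "to neighbors whose LSR-ID falls within the given prefix", since the argument is a single `lsr-id[/prefix]` rather than a set.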
@@ -278,8 +291,12 @@ When GTSM is enabled for this neighbor, incoming packets are required to have
a TTL/hop limit of 256 minus this value, ensuring they have not passed
through more than the expected number of hops.
The default value is 1; valid range is 1\-255.
-.It Ic password Ar secret
-Enable TCP MD5 signatures per RFC 5036.
+.It Ic tcp md5sig password Ar secret
+Enable TCP MD5 signatures per RFC 5036 with the specified password.
+.It Ic tcp md5sig key Ar secret
+Enable TCP MD5 signatures per RFC 5036 with the specified hexadecimal key.
+.It Ic no tcp md5sig
+Disable the use of TCP MD5 signatures.
.El
.Sh LAYER 2 VPNS
.Xr ldpd 8
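Review bot: removing `.It Ic password Ar secret` drops the old neighbor-block keyword without any compatibility note, so existing ldpd.conf files that use `password` inside a `neighbor` block will stop parsing after this update and neither the man page nor the commit message flags the rename. Add a sentence here (or an entry in the upgrade notes) saying `password` is now `tcp md5sig password`. Also, the commit message explains that the neighbor-scoped forms are syntactic sugar for entries in the global auth list, but the man page text in this hunk does not, so it is unclear whether `no tcp md5sig` inside a `neighbor` block overrides a global prefix entry that covers that neighbor; a one-line cross-reference to the global `tcp md5sig` description would settle that.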