diff options
author | Henning Brauer <henning@cvs.openbsd.org> | 2004-01-30 11:40:42 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2004-01-30 11:40:42 +0000 |
commit | 2a9cfa391be34b1db56b78069452fa036254d2d8 (patch) | |
tree | f978f507e177ca9167cd8bc3cdd75892f4967c0f /usr.sbin | |
parent | 0e3f40a1191a16cadc1c62cae8d885362c7eee6c (diff) |
-enable md5sig on the listening socket
-on connections we just accepted, check wether md5sig is configured for that
peer, and check wether the connection is md5sig'd too. if not, refuse
tested against cisco 7200.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/bgpd/session.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index df64ee801ef..90ae940ffdf 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.104 2004/01/29 20:38:22 henning Exp $ */ +/* $OpenBSD: session.c,v 1.105 2004/01/30 11:40:41 henning Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -115,7 +115,11 @@ setup_listener(void) return (fd); opt = 1; - setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); + if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)) == -1) + fatal("setsockopt SO_REUSEPORT"); + if (setsockopt(fd, IPPROTO_TCP, TCP_SIGNATURE_ENABLE, &opt, + sizeof(opt)) == -1) + fatal("setsockopt TCPSIGNATURE_ENABLE"); if (bind(fd, (struct sockaddr *)&conf->listen_addr, sizeof(conf->listen_addr))) { @@ -701,6 +705,7 @@ void session_accept(int listenfd) { int connfd; + int opt; socklen_t len; struct sockaddr_in cliaddr; struct peer *p = NULL; @@ -723,6 +728,19 @@ session_accept(int listenfd) close(connfd); return; } + if (p->conf.tcp_md5_key[0]) { + len = sizeof(opt); + if (getsockopt(connfd, IPPROTO_TCP, + TCP_SIGNATURE_ENABLE, &opt, &len) == -1) + fatal("getsockopt TCP_SIGNATURE_ENABLE"); + if (!opt) { /* non-md5'd connection! */ + log_peer_warnx(&p->conf, + "connection attempt without md5 signature"); + shutdown(connfd, SHUT_RDWR); + close(connfd); + return; + } + } p->sock = p->wbuf.sock = connfd; if (session_setup_socket(p)) { shutdown(connfd, SHUT_RDWR); |