authorHenning Brauer <henning@cvs.openbsd.org>2004-01-30 11:40:42 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2004-01-30 11:40:42 +0000
commit2a9cfa391be34b1db56b78069452fa036254d2d8 (patch)
treef978f507e177ca9167cd8bc3cdd75892f4967c0f /usr.sbin
parent0e3f40a1191a16cadc1c62cae8d885362c7eee6c (diff)
-enable md5sig on the listening socket
-on connections we just accepted, check whether md5sig is configured for that peer, and check whether the connection is md5sig'd too. if not, refuse. tested against cisco 7200.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/bgpd/session.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index df64ee801ef..90ae940ffdf 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.104 2004/01/29 20:38:22 henning Exp $ */
+/* $OpenBSD: session.c,v 1.105 2004/01/30 11:40:41 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -115,7 +115,11 @@ setup_listener(void)
return (fd);
opt = 1;
- setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt));
+ if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)) == -1)
+ fatal("setsockopt SO_REUSEPORT");
+ if (setsockopt(fd, IPPROTO_TCP, TCP_SIGNATURE_ENABLE, &opt,
+ sizeof(opt)) == -1)
+ fatal("setsockopt TCPSIGNATURE_ENABLE");
if (bind(fd, (struct sockaddr *)&conf->listen_addr,
sizeof(conf->listen_addr))) {
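Review bot: The fatal() message for the second setsockopt() names the option as "TCPSIGNATURE_ENABLE", which does not match the TCP_SIGNATURE_ENABLE constant actually passed on the line above it, so an operator grepping logs for the option will miss it; the new getsockopt() check in session_accept() spells it correctly. Make it `fatal("setsockopt TCP_SIGNATURE_ENABLE");` so both messages agree. setup_listener() begins outside the hunk.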
@@ -701,6 +705,7 @@ void
session_accept(int listenfd)
{
int connfd;
+ int opt;
socklen_t len;
struct sockaddr_in cliaddr;
struct peer *p = NULL;
@@ -723,6 +728,19 @@ session_accept(int listenfd)
close(connfd);
return;
}
+ if (p->conf.tcp_md5_key[0]) {
+ len = sizeof(opt);
+ if (getsockopt(connfd, IPPROTO_TCP,
+ TCP_SIGNATURE_ENABLE, &opt, &len) == -1)
+ fatal("getsockopt TCP_SIGNATURE_ENABLE");
+ if (!opt) { /* non-md5'd connection! */
+ log_peer_warnx(&p->conf,
+ "connection attempt without md5 signature");
+ shutdown(connfd, SHUT_RDWR);
+ close(connfd);
+ return;
+ }
+ }
p->sock = p->wbuf.sock = connfd;
if (session_setup_socket(p)) {
shutdown(connfd, SHUT_RDWR);
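Review bot: A getsockopt() failure on the freshly accepted connfd terminates the whole daemon via fatal(), whereas the adjacent !opt branch for the same socket only logs and drops that one connection. Since the listener is unaffected and connfd is already accepted, a per-connection failure here is better treated like the unsigned case: replace the fatal() with `log_peer_warnx(&p->conf, "getsockopt TCP_SIGNATURE_ENABLE failed");` followed by the same shutdown(connfd, SHUT_RDWR), close(connfd) and return, so one bad socket cannot take down every other session. Whether this failure mode is reachable in practice is not visible from the hunk, but the daemon-wide consequence makes the cheaper handling worth it. session_accept() continues outside the hunk.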