Add support for crypt authentication (MD5).

ok and input claudio@

11 files changed, 300 insertions, 59 deletions

diff --git a/usr.sbin/ospfd/auth.c b/usr.sbin/ospfd/auth.c
index a15643c415c..adae8db8e16 100644
--- a/usr.sbin/ospfd/auth.c
+++ b/usr.sbin/ospfd/auth.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: auth.c,v 1.2 2005/01/28 17:53:33 norby Exp $ */
+/*	$OpenBSD: auth.c,v 1.3 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -18,6 +18,8 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <md5.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include "ospfd.h"
@@ -26,67 +28,167 @@
 #include "ospfe.h"
 
 int
-auth_validate(struct ospf_hdr *pkt, const struct iface *iface)
+auth_validate(void *buf, u_int16_t len, struct iface *iface, struct nbr *nbr)
 {
-	if (ntohs(pkt->auth_type) != (u_int16_t)iface->auth_type) {
+	MD5_CTX		 hash;
+	u_int8_t	 digest[MD5_DIGEST_LENGTH];
+	u_int8_t	 recv_digest[MD5_DIGEST_LENGTH];
+	struct ospf_hdr	*ospf_hdr = buf;
+	struct auth_md	*md;
+	char		*auth_data;
+
+	if (ntohs(ospf_hdr->auth_type) != (u_int16_t)iface->auth_type) {
 		log_debug("auth_validate: wrong auth type, interface %s",
 		    iface->name);
 		return (-1);
 	}
 
 	switch (iface->auth_type) {
-	case AUTH_NONE:
-		break;
 	case AUTH_SIMPLE:
-		if (bcmp(pkt->auth_key.simple, iface->auth_key,
-		    sizeof(pkt->auth_key.simple))) {
+		if (bcmp(ospf_hdr->auth_key.simple, iface->auth_key,
+		    sizeof(ospf_hdr->auth_key.simple))) {
 			log_debug("auth_validate: wrong password, interface %s",
 			    iface->name);
 			return (-1);
 		}
+		/* FALLTHROUGH */
+	case AUTH_NONE:
 		/* clear the key before chksum */
-		bzero(pkt->auth_key.simple,
-		     sizeof(pkt->auth_key.simple));
+		bzero(ospf_hdr->auth_key.simple,
+		     sizeof(ospf_hdr->auth_key.simple));
+
+		if (in_cksum(ospf_hdr, ntohs(ospf_hdr->len))) {
+			log_debug("recv_packet: invalid checksum, interface %s",
+			    iface->name);
+			return (-1);
+		}
 		break;
 	case AUTH_CRYPT:
-		log_debug("auth_validate: not supported, interface %s",
-		    iface->name);
-		return (-1);
+		if (ospf_hdr->auth_key.crypt.keyid != iface->auth_keyid) {
+			log_debug("auth_validate: invalid key id, "
+			    "interface %s", iface->name);
+			return (-1);
+		}
+
+		if (nbr != NULL && ntohl(ospf_hdr->auth_key.crypt.seq_num) <
+		    nbr->crypt_seq_num) {
+			log_debug("auth_validate: decreasing seq num, "
+			    "interface %s", iface->name);
+			return (-1);
+		}
+
+		if (ospf_hdr->auth_key.crypt.len != MD5_DIGEST_LENGTH) {
+			log_debug("auth_validate: invalid key length, "
+			    "interface %s", iface->name);
+			return (-1);
+		}
+
+		if (len - ntohs(ospf_hdr->len) < MD5_DIGEST_LENGTH) {
+			log_debug("auth_validate: invalid key length, "
+			    "interface %s", iface->name);
+			return (-1);
+		}
+
+		auth_data = buf;
+		auth_data += ntohs(ospf_hdr->len);
+
+		/* save the received digest and clear it in the packet */
+		bcopy(auth_data, recv_digest, sizeof(recv_digest));
+		bzero(auth_data, MD5_DIGEST_LENGTH);
+
+		/* insert plaintext key */
+		if ((md = md_list_find(iface, iface->auth_keyid))
+		    == NULL) {
+			log_debug("auth_validate: keyid %d not configured, "
+			    "interface %s", iface->auth_keyid,
+			    iface->name);
+			return (-1);
+		}
+
+		bzero(digest, MD5_DIGEST_LENGTH);
+		strncpy(digest, md->key, MD5_DIGEST_LENGTH);
+
+		/* calculate MD5 digest */
+		MD5Init(&hash);
+		MD5Update(&hash, buf, ntohs(ospf_hdr->len));
+		MD5Update(&hash, digest, MD5_DIGEST_LENGTH);
+		MD5Final(digest, &hash);
+
+		if (bcmp(recv_digest, digest, sizeof(digest))) {
+			log_debug("auth_validate: invalid MD5 digest, "
+			    "interface %s", iface->name);
+			return (-1);
+		}
+
+		if (nbr != NULL)
+			nbr->crypt_seq_num =
+			    ntohl(ospf_hdr->auth_key.crypt.seq_num);
+		break;
 	default:
 		log_debug("auth_validate: unknown auth type, interface %s",
 		    iface->name);
 		return (-1);
 	}
 
-	if (in_cksum(pkt, ntohs(pkt->len))) {
-		log_debug("recv_packet: invalid checksum, interface %s",
-		    iface->name);
-		return (-1);
-	}
-
 	return (0);
 }
 
 int
-auth_gen(void *buf, u_int16_t len, const struct iface *iface)
+auth_gen(void *buf, u_int16_t len, struct iface *iface)
 {
+	MD5_CTX		 hash;
+	u_int8_t	 digest[MD5_DIGEST_LENGTH];
 	struct ospf_hdr	*ospf_hdr = buf;
+	struct auth_md	*md;
+	char		*auth_data;
 
-	/* update length, and checksum */
+	/* update length */
 	ospf_hdr->len = htons(len);
-	ospf_hdr->chksum = in_cksum(buf, len);
+	/* clear auth_key field */
+	bzero(ospf_hdr->auth_key.simple,
+	    sizeof(ospf_hdr->auth_key.simple));
 
 	switch (iface->auth_type) {
 	case AUTH_NONE:
+		ospf_hdr->chksum = in_cksum(buf, len);
 		break;
 	case AUTH_SIMPLE:
+		ospf_hdr->chksum = in_cksum(buf, len);
+
 		strncpy(ospf_hdr->auth_key.simple, iface->auth_key,
 		    sizeof(ospf_hdr->auth_key.simple));
 		break;
 	case AUTH_CRYPT:
-		log_debug("auth_gen: not supported, interface %s",
-		    iface->name);
-		return (-1);
+		ospf_hdr->chksum = 0;
+		ospf_hdr->auth_key.crypt.keyid = iface->auth_keyid;
+		ospf_hdr->auth_key.crypt.seq_num = htonl(iface->crypt_seq_num);
+		ospf_hdr->auth_key.crypt.len = MD5_DIGEST_LENGTH;
+		iface->crypt_seq_num++;
+
+		/* insert plaintext key */
+		if ((md = md_list_find(iface, iface->auth_keyid))
+		    == NULL) {
+			log_debug("auth_validate: keyid %d not configured, "
+			    "interface %s", iface->auth_keyid, iface->name);
+			return (-1);
+		}
+
+		bzero(digest, MD5_DIGEST_LENGTH);
+		strncpy(digest, md->key, MD5_DIGEST_LENGTH);
+
+		/* calculate MD5 digest */
+		MD5Init(&hash);
+		MD5Update(&hash, buf, len);
+		MD5Update(&hash, digest, MD5_DIGEST_LENGTH);
+		MD5Final(digest, &hash);
+
+		/* insert MD5 digest */
+		/* XXX this will be fixed soon, when we switch to dynamic
+		 * buffers */
+		auth_data = buf;
+		auth_data += len;
+		bcopy(digest, auth_data, sizeof(digest));
+		break;
 	default:
 		log_debug("auth_gen: unknown auth type, interface %s",
 		    iface->name);
@@ -95,3 +197,67 @@ auth_gen(void *buf, u_int16_t len, const struct iface *iface)
 
 	return (0);
 }
+
+/* md list */
+void
+md_list_init(struct iface *iface)
+{
+	TAILQ_INIT(&iface->auth_md_list);
+}
+
+void
+md_list_add(struct iface *iface, u_int8_t keyid, char *key)
+{
+	struct auth_md	*m, *md;
+
+	if ((md = md_list_find(iface, keyid)) != NULL) {
+		/* update key */
+		strncpy(md->key, key, sizeof(md->key));
+		return;
+	}
+
+	if ((md = calloc(1, sizeof(struct auth_md))) == NULL)
+		fatalx("md_list_add");
+
+	md->keyid = keyid;
+	strncpy(md->key, key, sizeof(md->key));
+
+	TAILQ_FOREACH(m, &iface->auth_md_list, entry) {
+		if (m->keyid > keyid) {
+			TAILQ_INSERT_BEFORE(m, md, entry);
+			return;
+		}
+	}
+	TAILQ_INSERT_TAIL(&iface->auth_md_list, md, entry);
+
+	return;
+}
+
+void
+md_list_clr(struct iface *iface)
+{
+	struct auth_md	*m;
+
+	while ((m = TAILQ_FIRST(&iface->auth_md_list)) != NULL) {
+		TAILQ_REMOVE(&iface->auth_md_list, m, entry);
+		free(m);
+	}
+}
+
+int
+md_list_empty(struct iface *iface)
+{
+	return (TAILQ_EMPTY(&iface->auth_md_list));
+}
+
+struct auth_md *
+md_list_find(struct iface *iface, u_int8_t keyid)
+{
+	struct auth_md	*m;
+
+	TAILQ_FOREACH(m, &iface->auth_md_list, entry)
+		if (m->keyid == keyid)
+			return (m);
+
+	return (NULL);
+}
diff --git a/usr.sbin/ospfd/config.c b/usr.sbin/ospfd/config.c
index dbec979d430..f3361676bc8 100644
--- a/usr.sbin/ospfd/config.c
+++ b/usr.sbin/ospfd/config.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: config.c,v 1.4 2005/03/29 17:26:35 norby Exp $ */
+/*	$OpenBSD: config.c,v 1.5 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -82,6 +82,7 @@ void
 show_interface(struct iface *iface)
 {
 	struct nbr	*nbr = NULL;
+	struct auth_md	*md;
 
 	log_debug("  interface: %s", iface->name);
 	log_debug("    type: %s", if_type_name(iface->type));
@@ -107,11 +108,11 @@ show_interface(struct iface *iface)
 	log_debug("    metric: %d", iface->metric);
 	log_debug("    rxmt interval: %d", iface->rxmt_interval);
 	log_debug("    auth type: %s", if_auth_name(iface->auth_type));
-	if (iface->auth_type == AUTH_TYPE_SIMPLE) {
-		log_debug("    auth key: '%s'", iface->auth_key);
-	} else {
-		log_debug("    auth key:" );
-	}
+	log_debug("    auth_key: '%s'", iface->auth_key);
+	log_debug("    auth keyid: %d", iface->auth_keyid);
+
+	TAILQ_FOREACH(md, &iface->auth_md_list, entry)
+		log_debug("      keyid: %d key: %s", md->keyid, md->key);
 
 	log_debug("    mtu: %d", iface->mtu);
 	log_debug("    fd: %d", iface->fd);
diff --git a/usr.sbin/ospfd/interface.c b/usr.sbin/ospfd/interface.c
index e179c6c94a0..e5a2d7c4d5c 100644
--- a/usr.sbin/ospfd/interface.c
+++ b/usr.sbin/ospfd/interface.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: interface.c,v 1.13 2005/03/29 17:26:35 norby Exp $ */
+/*	$OpenBSD: interface.c,v 1.14 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org>
@@ -165,6 +165,9 @@ if_new(struct kif *kif)
 
 	LIST_INIT(&iface->nbr_list);
 	TAILQ_INIT(&iface->ls_ack_list);
+	md_list_init(iface);
+
+	iface->crypt_seq_num = arc4random();
 
 	evtimer_set(&iface->lsack_tx_timer, ls_ack_tx_timer, iface);
 
@@ -236,6 +239,8 @@ if_del(struct iface *iface)
 	}
 
 	ls_ack_list_clr(iface);
+	md_list_clr(iface);
+	free(iface->auth_key);
 
 	return (-1);
 }
diff --git a/usr.sbin/ospfd/kroute.c b/usr.sbin/ospfd/kroute.c
index 480abc83687..12d5eb196ae 100644
--- a/usr.sbin/ospfd/kroute.c
+++ b/usr.sbin/ospfd/kroute.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kroute.c,v 1.12 2005/03/26 13:35:16 claudio Exp $ */
+/*	$OpenBSD: kroute.c,v 1.13 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -320,7 +320,7 @@ kr_ifinfo(char *ifname, pid_t pid)
 			main_imsg_compose_ospfe(IMSG_CTL_IFINFO,
 			    pid, &kif->k, sizeof(kif->k));
 		}
-	
+
 	main_imsg_compose_ospfe(IMSG_CTL_END, pid, NULL, 0);
 }
 
diff --git a/usr.sbin/ospfd/neighbor.c b/usr.sbin/ospfd/neighbor.c
index 2d62444e21f..c7847167297 100644
--- a/usr.sbin/ospfd/neighbor.c
+++ b/usr.sbin/ospfd/neighbor.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: neighbor.c,v 1.13 2005/03/22 22:13:48 norby Exp $ */
+/*	$OpenBSD: neighbor.c,v 1.14 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2005 Claudio Jeker <claudio@openbsd.org>
@@ -597,6 +597,8 @@ nbr_act_delete(struct nbr *nbr)
 	nbr->dr.s_addr = 0;
 	nbr->bdr.s_addr = 0;
 
+	nbr->crypt_seq_num = 0;
+
 	/* schedule kill timer */
 	timerclear(&tv);
 	tv.tv_sec = DEFAULT_NBR_TMOUT;
diff --git a/usr.sbin/ospfd/ospf.h b/usr.sbin/ospfd/ospf.h
index 7dd2b582ff8..f4d3508fa7b 100644
--- a/usr.sbin/ospfd/ospf.h
+++ b/usr.sbin/ospfd/ospf.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ospf.h,v 1.9 2005/03/22 22:13:48 norby Exp $ */
+/*	$OpenBSD: ospf.h,v 1.10 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -67,6 +67,9 @@
 #define MIN_SPF_HOLDTIME	1
 #define MAX_SPF_HOLDTIME	5
 
+#define MIN_MD_ID		0
+#define MAX_MD_ID		255
+
 /* OSPF compatibility flags */
 #define OSPF_OPTION_E		0x02
 #define OSPF_OPTION_MC		0x04
@@ -103,6 +106,13 @@
 #define MAX_SEQ_NUM		0x7fffffff
 
 /* OSPF header */
+struct crypt {
+	u_int16_t		dummy;
+	u_int8_t		keyid;
+	u_int8_t		len;
+	u_int32_t		seq_num;
+};
+
 struct ospf_hdr {
 	u_int8_t		version;
 	u_int8_t		type;
@@ -113,7 +123,7 @@ struct ospf_hdr {
 	u_int16_t		auth_type;
 	union {
 		char		simple[8];
-		u_int64_t	crypt;
+		struct crypt	crypt;
 	} auth_key;
 };
 
diff --git a/usr.sbin/ospfd/ospfd.conf.5 b/usr.sbin/ospfd/ospfd.conf.5
index 3979cb1118e..1dfe93c8c1b 100644
--- a/usr.sbin/ospfd/ospfd.conf.5
+++ b/usr.sbin/ospfd/ospfd.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ospfd.conf.5,v 1.6 2005/03/11 23:34:41 norby Exp $
+.\"	$OpenBSD: ospfd.conf.5,v 1.7 2005/03/31 19:32:10 norby Exp $
 .\"
 .\" Copyright (c) 2005 Esben Norby <norby@openbsd.org>
 .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -130,6 +130,13 @@ Interface specific parameters are listed below.
 .It Ic auth-key Ar key
 Set the authentication key.
 If the auth-type is set to simple, up to 8 characters can be specified.
+.It Ic auth-md Ar key-id Ar key
+Set the crypt authentication key.
+If the auth-type is set to crypt, up to 16 characters can be specified.
+Multiple keys may be specified.
+.It Ic auth-md-keyid Ar key-id
+Configure which key-id to use when using crypt authentication.
+The default key-id is 0.
 .It Xo
 .Ic auth-type
 .Po Ic none Ns \&| Ns
diff --git a/usr.sbin/ospfd/ospfd.h b/usr.sbin/ospfd/ospfd.h
index e8dcc8e77d9..7bf1bfb24e0 100644
--- a/usr.sbin/ospfd/ospfd.h
+++ b/usr.sbin/ospfd/ospfd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ospfd.h,v 1.23 2005/03/29 17:26:35 norby Exp $ */
+/*	$OpenBSD: ospfd.h,v 1.24 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004 Esben Norby <norby@openbsd.org>
@@ -24,6 +24,7 @@
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/tree.h>
+#include <md5.h>
 #include <net/if.h>
 #include <netinet/in.h>
 #include <event.h>
@@ -258,6 +259,12 @@ static const char * const path_type_names[] = {
 	"Type 2 ext"
 };
 
+struct auth_md {
+	TAILQ_ENTRY(auth_md)	 entry;
+	char			 key[MD5_DIGEST_LENGTH];
+	u_int8_t		 keyid;
+};
+
 /* lsa list used in RDE and OE */
 TAILQ_HEAD(lsa_head, lsa_entry);
 
@@ -268,6 +275,7 @@ struct iface {
 	struct event		 lsack_tx_timer;
 
 	LIST_HEAD(, nbr)	 nbr_list;
+	TAILQ_HEAD(, auth_md)	 auth_md_list;
 	struct lsa_head		 ls_ack_list;
 
 	char			 name[IF_NAMESIZE];
@@ -284,6 +292,7 @@ struct iface {
 	u_int32_t		 baudrate;
 	u_int32_t		 dead_interval;
 	u_int32_t		 ls_ack_cnt;
+	u_int32_t		 crypt_seq_num;
 	unsigned int		 ifindex;
 	int			 fd;
 	int			 state;
@@ -295,6 +304,7 @@ struct iface {
 	u_int16_t		 metric;
 	enum iface_type		 type;
 	enum auth_type		 auth_type;
+	u_int8_t		 auth_keyid;
 	u_int8_t		 linkstate;
 	u_int8_t		 priority;
 	u_int8_t		 passive;
diff --git a/usr.sbin/ospfd/ospfe.h b/usr.sbin/ospfd/ospfe.h
index 03e95318ffb..268ba23082e 100644
--- a/usr.sbin/ospfd/ospfe.h
+++ b/usr.sbin/ospfd/ospfe.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ospfe.h,v 1.9 2005/03/22 22:13:48 norby Exp $ */
+/*	$OpenBSD: ospfe.h,v 1.10 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -133,6 +133,7 @@ struct nbr {
 	u_int32_t		 dd_pending;
 	u_int32_t		 peerid;	/* unique ID in DB */
 	u_int32_t		 ls_req_cnt;
+	u_int32_t		 crypt_seq_num;
 
 	int			 state;
 	u_int8_t		 link_state;
@@ -144,8 +145,14 @@ struct nbr {
 };
 
 /* auth.c */
-int	 auth_validate(struct ospf_hdr *, const struct iface *);
-int	 auth_gen(void *, u_int16_t, const struct iface *);
+int		 auth_validate(void *buf, u_int16_t len, struct iface *,
+		     struct nbr *);
+int		 auth_gen(void *, u_int16_t, struct iface *);
+void		 md_list_init(struct iface *);
+void		 md_list_add(struct iface *, u_int8_t, char *);
+void		 md_list_clr(struct iface *);
+int		 md_list_empty(struct iface *);
+struct auth_md	*md_list_find(struct iface *, u_int8_t);
 
 /* database.c */
 int	 send_db_description(struct nbr *);
diff --git a/usr.sbin/ospfd/packet.c b/usr.sbin/ospfd/packet.c
index 30b3be1a165..3c95b8a3f28 100644
--- a/usr.sbin/ospfd/packet.c
+++ b/usr.sbin/ospfd/packet.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: packet.c,v 1.5 2005/02/16 15:23:33 norby Exp $ */
+/*	$OpenBSD: packet.c,v 1.6 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -27,6 +27,7 @@
 
 #include <errno.h>
 #include <event.h>
+#include <md5.h>
 #include <stdlib.h>
 #include <strings.h>
 
@@ -64,6 +65,11 @@ send_packet(struct iface *iface, char *pkt, int len, struct sockaddr_in *dst)
 		return (-1);
 	}
 
+	/* XXX I don't like this */
+	/* MD5 digest is _not_ part of the OSPF packet len */
+	if (iface->auth_type == AUTH_CRYPT)
+		len += MD5_DIGEST_LENGTH;
+
 	/* set outgoing interface for multicast traffic */
 	if (IN_MULTICAST(ntohl(dst->sin_addr.s_addr)))
 		if (if_set_mcast(iface) == -1) {
@@ -161,16 +167,21 @@ recv_packet(int fd, short event, void *bula)
 	if ((l = ospf_hdr_sanity_check(&ip_hdr, ospf_hdr, len, iface)) == -1)
 		goto done;
 
+	nbr = nbr_find_id(iface, ospf_hdr->rtr_id);
+	if (ospf_hdr->type != PACKET_TYPE_HELLO && nbr == NULL) {
+		log_debug("recv_packet: unknown neighbor ID");
+		goto done;
+	}
+
+	if (auth_validate(buf, len, iface, nbr)) {
+		log_warnx("recv_packet: authentication error, "
+		    "interface %s", iface->name);
+		goto done;
+	}
+
 	buf += sizeof(*ospf_hdr);
 	len = l - sizeof(*ospf_hdr);
 
-	if (ospf_hdr->type != PACKET_TYPE_HELLO)
-		/* find neighbor */
-		if ((nbr = nbr_find_id(iface, ospf_hdr->rtr_id)) == NULL) {
-			log_debug("recv_packet: unknown neighbor ID");
-			goto done;
-		}
-
 	/* switch OSPF packet type */
 	switch (ospf_hdr->type) {
 	case PACKET_TYPE_HELLO:
@@ -259,12 +270,6 @@ ospf_hdr_sanity_check(const struct ip *ip_hdr, struct ospf_hdr *ospf_hdr,
 		}
 	}
 
-	if (auth_validate(ospf_hdr, iface)) {
-		log_warnx("recv_packet: authentication error, interface %s",
-		    iface->name);
-		return (-1);
-	}
-
 	return (ntohs(ospf_hdr->len));
 }
 
diff --git a/usr.sbin/ospfd/parse.y b/usr.sbin/ospfd/parse.y
index 7465c0e9f5a..2d984e236a7 100644
--- a/usr.sbin/ospfd/parse.y
+++ b/usr.sbin/ospfd/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.10 2005/03/29 17:26:35 norby Exp $ */
+/*	$OpenBSD: parse.y,v 1.11 2005/03/31 19:32:10 norby Exp $ */
 
 /*
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -99,7 +99,7 @@ typedef struct {
 
 %token	AREA INTERFACE ROUTERID FIBUPDATE
 %token	SPFDELAY SPFHOLDTIME
-%token	AUTHKEY AUTHTYPE
+%token	AUTHKEY AUTHTYPE AUTHMD AUTHMDKEYID
 %token	METRIC PASSIVE
 %token	HELLOINTERVAL TRANSMITDELAY
 %token	RETRANSMITINTERVAL ROUTERDEADTIME ROUTERPRIORITY
@@ -251,6 +251,30 @@ conf_main	: METRIC number {
 		}
 		;
 
+authmd		: AUTHMD number STRING {
+			if (iface != NULL) {
+				if ($2 < MIN_MD_ID || $2 > MAX_MD_ID) {
+					yyerror("keyid out of range "
+					    "(%d-%d)", MIN_MD_ID, MAX_MD_ID);
+					free($3);
+					YYERROR;
+				}
+				md_list_add(iface, $2, $3);
+			}
+			free($3);
+		}
+
+authmdkeyid	: AUTHMDKEYID number {
+			if (iface != NULL) {
+				if ($2 < MIN_MD_ID || $2 > MAX_MD_ID) {
+					yyerror("keyid out of range "
+					    "(%d-%d)", MIN_MD_ID, MAX_MD_ID);
+					YYERROR;
+				}
+				iface->auth_keyid = $2;
+			}
+		}
+
 authtype	: AUTHTYPE STRING {
 			enum auth_type	type;
 
@@ -259,7 +283,7 @@ authtype	: AUTHTYPE STRING {
 			else if (!strcmp($2, "simple"))
 				type = AUTH_SIMPLE;
 			else if (!strcmp($2, "crypt"))
-				type = AUTH_SIMPLE;
+				type = AUTH_CRYPT;
 			else {
 				yyerror("unknown auth-type");
 				free($2);
@@ -387,7 +411,9 @@ interfaceopts_l	: interfaceopts_l interfaceoptsl
 		| interfaceoptsl
 		;
 
-interfaceoptsl	: authkey nl
+interfaceoptsl	: authmd nl
+		| authkey nl
+		| authmdkeyid nl
 		| authtype nl
 		| PASSIVE nl		{ iface->passive = 1; }
 		| METRIC number nl {
@@ -478,6 +504,8 @@ lookup(char *s)
 	static const struct keywords keywords[] = {
 		{"area",		AREA},
 		{"auth-key",		AUTHKEY},
+		{"auth-md",		AUTHMD},
+		{"auth-md-keyid",	AUTHMDKEYID},
 		{"auth-type",		AUTHTYPE},
 		{"fib-update",		FIBUPDATE},
 		{"hello-interval",	HELLOINTERVAL},