author | Claudio Jeker <claudio@cvs.openbsd.org> | 2005-04-04 13:49:14 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2005-04-04 13:49:14 +0000 |
commit | 6a59aa7b5929cea5235a304cd1ab3cd27bcdbf49 (patch) | |
tree | 332a207c8ae50d9236dcc6d4d7bd9a8b893c7510 /usr.sbin | |
parent | 20802e6cd7036869ce765c19c32ecab153a24f70 (diff) |
On auth crypt verification, not only the main key but all configured keys are allowed.
This makes changing keys a piece of cake -- if ospfd would support reloads.
Found and patch from Jason Ackley.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ospfd/auth.c | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/usr.sbin/ospfd/auth.c b/usr.sbin/ospfd/auth.c
index adae8db8e16..0b7615be1b9 100644
--- a/usr.sbin/ospfd/auth.c
+++ b/usr.sbin/ospfd/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.3 2005/03/31 19:32:10 norby Exp $ */
+/* $OpenBSD: auth.c,v 1.4 2005/04/04 13:49:13 claudio Exp $ */
 /*
 * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
@@ -64,9 +64,17 @@ auth_validate(void *buf, u_int16_t len, struct iface *iface, struct nbr *nbr)
 }
 break;
 case AUTH_CRYPT:
- if (ospf_hdr->auth_key.crypt.keyid != iface->auth_keyid) {
- log_debug("auth_validate: invalid key id, "
- "interface %s", iface->name);
+ /*
+ * We must allow keys that are configured on the interface
+ * but not necessarily set as the transmit key
+ * (iface->auth_keyid). This allows for key rotation to new
+ * keys without taking down the network.
+ */
+ if ((md = md_list_find(iface, ospf_hdr->auth_key.crypt.keyid))
+ == NULL) {
+ log_debug("auth_validate: keyid %d not configured, "
+ "interface %s", ospf_hdr->auth_key.crypt.keyid,
+ iface->name);
 return (-1);
 }
@@ -97,14 +105,6 @@ auth_validate(void *buf, u_int16_t len, struct iface *iface, struct nbr *nbr)
 bzero(auth_data, MD5_DIGEST_LENGTH);
 /* insert plaintext key */
- if ((md = md_list_find(iface, iface->auth_keyid))
- == NULL) {
- log_debug("auth_validate: keyid %d not configured, "
- "interface %s", iface->auth_keyid,
- iface->name);
- return (-1);
- }
-
 bzero(digest, MD5_DIGEST_LENGTH);
 strncpy(digest, md->key, MD5_DIGEST_LENGTH); |
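Review bot: After this change `md` is assigned only inside the AUTH_CRYPT case, because the lookup that used to sit directly before `strncpy(digest, md->key, MD5_DIGEST_LENGTH)` in the third hunk is removed, so that later dereference now relies on control having passed through this branch; auth_validate's body continues outside both hunks, and it is worth confirming no other path reaches `md->key`, or initialising `md` to NULL at its declaration so a missed path fails visibly instead of reading an indeterminate pointer. Accepting whichever configured key id the packet names is what permits rotation, but it also means a retired key remains accepted until it is deleted from the configuration; a sentence saying so in the operator documentation next to the new comment would make the rotation procedure complete. The `log_debug` naming the unconfigured key id is the only trace a peer sending a stale or unknown key leaves, so it is the message to look for when diagnosing a rotation that was not finished on every router.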