-rw-r--r--usr.sbin/bgpd/bgpd.h8
-rw-r--r--usr.sbin/bgpd/parse.y50
-rw-r--r--usr.sbin/bgpd/pfkey.c47
-rw-r--r--usr.sbin/bgpd/printconf.c4
-rw-r--r--usr.sbin/bgpd/session.c6
-rw-r--r--usr.sbin/bgpd/session.h8
6 files changed, 60 insertions, 63 deletions
diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h
index 5dd0b7547ea..c5e9d24bd75 100644
--- a/usr.sbin/bgpd/bgpd.h
+++ b/usr.sbin/bgpd/bgpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bgpd.h,v 1.113 2004/04/27 22:06:54 henning Exp $ */
+/* $OpenBSD: bgpd.h,v 1.114 2004/04/27 22:42:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -153,8 +153,9 @@ enum auth_method {
IPSEC_IKE
};
-struct peer_ipsec {
+struct peer_auth {
enum auth_method method;
+ char md5key[TCP_MD5_KEY_LEN];
u_int32_t spi_in;
u_int32_t spi_out;
u_int8_t auth_alg_in;
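Review bot: The merged `struct peer_auth` now holds two kinds of data under one name without saying so: `spi_in`/`spi_out` are user-configured values for the manual ESP case, but for the MD5SIG case they appear to be filled in at runtime by `pfkey_sa_add()` (pfkey.c passes `&p->conf.auth.spi_out` / `&p->conf.auth.spi_in` to it), and `md5key` sits next to the ESP key material that only applies when `method` is `IPSEC_MANUAL_ESP`. A reader of the header cannot tell which fields are meaningful for which `method`, nor that some of them are kernel-assigned state living inside a configuration struct that a config reload may overwrite. Please add a comment on the struct, e.g. `/* which fields are valid depends on method; spi_in/spi_out are set from config for IPSEC_MANUAL_ESP and assigned by the kernel (pfkey_sa_add) for MD5SIG */`. The struct definition continues past the end of this hunk.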
@@ -191,8 +192,7 @@ struct peer_config {
struct filter_set attrset;
enum announce_type announce_type;
enum enforce_as enforce_as;
- char tcp_md5_key[TCP_MD5_KEY_LEN];
- struct peer_ipsec ipsec;
+ struct peer_auth auth;
u_int8_t capabilities;
enum reconf_action reconf_action;
};
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index e7c3fdfa798..5cbacb48c57 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.89 2004/04/27 22:06:54 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.90 2004/04/27 22:42:13 henning Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -507,11 +507,11 @@ peeropts : REMOTEAS asnumber {
curpeer->conf.max_prefix = $2;
}
| TCP MD5SIG PASSWORD string {
- if (strlcpy(curpeer->conf.tcp_md5_key, $4,
- sizeof(curpeer->conf.tcp_md5_key)) >=
- sizeof(curpeer->conf.tcp_md5_key)) {
+ if (strlcpy(curpeer->conf.auth.md5key, $4,
+ sizeof(curpeer->conf.auth.md5key)) >=
+ sizeof(curpeer->conf.auth.md5key)) {
yyerror("tcp md5sig password too long: max %u",
- sizeof(curpeer->conf.tcp_md5_key) - 1);
+ sizeof(curpeer->conf.auth.md5key) - 1);
free($4);
YYERROR;
}
@@ -522,7 +522,7 @@ peeropts : REMOTEAS asnumber {
char s[3];
if (strlen($4) / 2 >=
- sizeof(curpeer->conf.tcp_md5_key)) {
+ sizeof(curpeer->conf.auth.md5key)) {
yyerror("key too long");
free($4);
YYERROR;
@@ -543,13 +543,13 @@ peeropts : REMOTEAS asnumber {
free($4);
YYERROR;
}
- curpeer->conf.tcp_md5_key[i] =
+ curpeer->conf.auth.md5key[i] =
strtoul(s, NULL, 16);
}
free($4);
}
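Review bot: Neither visible path of the `TCP MD5SIG` rules sets `curpeer->conf.auth.method = MD5SIG`: the hex-key action in this hunk ends at the closing brace without assigning it, and the password action in the hunk ending at the `YYERROR; }` above (lines 507-517) only copies into `auth.md5key`. Every consumer in this commit (pfkey.c, printconf.c, session.c) now tests `auth.method == MD5SIG` instead of `tcp_md5_key[0]`, so if the assignment is not in the lines between these hunks, a configured MD5 password would be silently ignored and the session would come up unauthenticated. If it is missing, add `curpeer->conf.auth.method = MD5SIG;` to both actions, and consider rejecting a second `tcp md5sig`/`ipsec` option on the same peer so one method cannot silently overwrite another's `method` value. The enclosing `peeropts` rule starts before the first hunk.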
| IPSEC IKE {
- curpeer->conf.ipsec.method = IPSEC_IKE;
+ curpeer->conf.auth.method = IPSEC_IKE;
}
| IPSEC ESP inout SPI number STRING STRING encspec {
unsigned i;
@@ -557,7 +557,7 @@ peeropts : REMOTEAS asnumber {
u_int32_t auth_alg;
u_int8_t keylen;
- curpeer->conf.ipsec.method = IPSEC_MANUAL_ESP;
+ curpeer->conf.auth.method = IPSEC_MANUAL_ESP;
if (!strcmp($6, "sha1")) {
auth_alg = SADB_AALG_SHA1HMAC;
@@ -596,34 +596,34 @@ peeropts : REMOTEAS asnumber {
YYERROR;
}
if ($3 == 1)
- curpeer->conf.ipsec.auth_key_in[i] =
+ curpeer->conf.auth.auth_key_in[i] =
strtoul(s, NULL, 16);
else
- curpeer->conf.ipsec.auth_key_out[i] =
+ curpeer->conf.auth.auth_key_out[i] =
strtoul(s, NULL, 16);
}
free($7);
if ($3 == 1) {
- curpeer->conf.ipsec.spi_in = $5;
- curpeer->conf.ipsec.auth_alg_in = auth_alg;
- curpeer->conf.ipsec.enc_alg_in = $8.enc_alg;
- memcpy(&curpeer->conf.ipsec.enc_key_in,
+ curpeer->conf.auth.spi_in = $5;
+ curpeer->conf.auth.auth_alg_in = auth_alg;
+ curpeer->conf.auth.enc_alg_in = $8.enc_alg;
+ memcpy(&curpeer->conf.auth.enc_key_in,
&$8.enc_key,
- sizeof(curpeer->conf.ipsec.enc_key_in));
- curpeer->conf.ipsec.enc_keylen_in =
+ sizeof(curpeer->conf.auth.enc_key_in));
+ curpeer->conf.auth.enc_keylen_in =
$8.enc_key_len;
- curpeer->conf.ipsec.auth_keylen_in = keylen;
+ curpeer->conf.auth.auth_keylen_in = keylen;
} else {
- curpeer->conf.ipsec.spi_out = $5;
- curpeer->conf.ipsec.auth_alg_out = auth_alg;
- curpeer->conf.ipsec.enc_alg_out = $8.enc_alg;
- memcpy(&curpeer->conf.ipsec.enc_key_out,
+ curpeer->conf.auth.spi_out = $5;
+ curpeer->conf.auth.auth_alg_out = auth_alg;
+ curpeer->conf.auth.enc_alg_out = $8.enc_alg;
+ memcpy(&curpeer->conf.auth.enc_key_out,
&$8.enc_key,
- sizeof(curpeer->conf.ipsec.enc_key_out));
- curpeer->conf.ipsec.enc_keylen_out =
+ sizeof(curpeer->conf.auth.enc_key_out));
+ curpeer->conf.auth.enc_keylen_out =
$8.enc_key_len;
- curpeer->conf.ipsec.auth_keylen_out = keylen;
+ curpeer->conf.auth.auth_keylen_out = keylen;
}
}
| ANNOUNCE CAPABILITIES yesno {
diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c
index fee8483bae0..02af2722aef 100644
--- a/usr.sbin/bgpd/pfkey.c
+++ b/usr.sbin/bgpd/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.19 2004/04/27 18:35:48 henning Exp $ */
+/* $OpenBSD: pfkey.c,v 1.20 2004/04/27 22:42:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -496,17 +496,17 @@ pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *spi)
int
pfkey_auth_establish(struct peer *p)
{
- if (!p->conf.tcp_md5_key[0])
+ if (p->conf.auth.method != MD5SIG)
return (0);
- if (!p->auth.spi_out)
+ if (!p->conf.auth.spi_out)
if (pfkey_sa_add(&p->conf.local_addr, &p->conf.remote_addr,
- p->conf.tcp_md5_key, &p->auth.spi_out) == -1)
+ p->conf.auth.md5key, &p->conf.auth.spi_out) == -1)
return (-1);
- if (!p->auth.spi_in)
+ if (!p->conf.auth.spi_in)
if (pfkey_sa_add(&p->conf.remote_addr, &p->conf.local_addr,
- p->conf.tcp_md5_key, &p->auth.spi_in) == -1)
+ p->conf.auth.md5key, &p->conf.auth.spi_in) == -1)
return (-1);
return (0);
@@ -515,14 +515,17 @@ pfkey_auth_establish(struct peer *p)
int
pfkey_auth_remove(struct peer *p)
{
- if (p->auth.spi_out)
+ if (p->conf.auth.method != MD5SIG)
+ return (0);
+
+ if (p->conf.auth.spi_out)
if (pfkey_sa_remove(&p->conf.local_addr, &p->conf.remote_addr,
- &p->auth.spi_out) == -1)
+ &p->conf.auth.spi_out) == -1)
return (-1);
- if (p->auth.spi_in)
+ if (p->conf.auth.spi_in)
if (pfkey_sa_remove(&p->conf.remote_addr, &p->conf.local_addr,
- &p->auth.spi_in) == -1)
+ &p->conf.auth.spi_in) == -1)
return (-1);
return (0);
@@ -532,24 +535,24 @@ pfkey_auth_remove(struct peer *p)
int
pfkey_ipsec_establish(struct peer *p)
{
- struct peer_ipsec *ipsec = &p->conf.ipsec;
+ struct peer_auth *auth = &p->conf.auth;
- if (!ipsec->spi_in || !ipsec->spi_out)
+ if (!auth->spi_in || !auth->spi_out)
return (0);
if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_ADD, 0,
&p->conf.local_addr, &p->conf.remote_addr,
- ipsec->spi_out,
- ipsec->auth_alg_out, ipsec->auth_keylen_out, ipsec->auth_key_out,
- ipsec->enc_alg_out, ipsec->enc_keylen_out, ipsec->enc_key_out,
+ auth->spi_out,
+ auth->auth_alg_out, auth->auth_keylen_out, auth->auth_key_out,
+ auth->enc_alg_out, auth->enc_keylen_out, auth->enc_key_out,
0, 0) < 0)
return (-1);
if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_ADD, 0,
&p->conf.remote_addr, &p->conf.local_addr,
- ipsec->spi_in,
- ipsec->auth_alg_in, ipsec->auth_keylen_in, ipsec->auth_key_in,
- ipsec->enc_alg_in, ipsec->enc_keylen_in, ipsec->enc_key_in,
+ auth->spi_in,
+ auth->auth_alg_in, auth->auth_keylen_in, auth->auth_key_in,
+ auth->enc_alg_in, auth->enc_keylen_in, auth->enc_key_in,
0, 0) < 0)
return (-1);
@@ -577,12 +580,12 @@ pfkey_ipsec_remove(struct peer *p)
{
if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_DELETE, 0,
&p->conf.local_addr, &p->conf.remote_addr,
- p->conf.ipsec.spi_out, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+ p->conf.auth.spi_out, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
return (-1);
if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_DELETE, 0,
&p->conf.remote_addr, &p->conf.local_addr,
- p->conf.ipsec.spi_in, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+ p->conf.auth.spi_in, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
return (-1);
if (pfkey_flow(fd, SADB_X_DELFLOW, IPSP_DIRECTION_OUT,
@@ -607,7 +610,7 @@ pfkey_ipsec_remove(struct peer *p)
int
pfkey_establish(struct peer *p)
{
- if (p->conf.ipsec.spi_in)
+ if (p->conf.auth.spi_in)
return (pfkey_ipsec_establish(p));
else
return (pfkey_auth_establish(p));
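Review bot: Dispatching on `p->conf.auth.spi_in` no longer distinguishes the two mechanisms now that the MD5 SAs and the manual ESP SAs share the same fields: `pfkey_auth_establish()` stores the kernel-assigned SPIs into `p->conf.auth.spi_in`/`spi_out`, so once an MD5SIG peer has been established, this function and `pfkey_remove()` (the hunk that follows) would take the `pfkey_ipsec_*` path and issue `SADB_SATYPE_ESP` messages for an SA that was added through `pfkey_sa_add()`. Before this commit the MD5 SPIs lived in the separate `p->auth` (removed from session.h here), which is why the test used to work. Dispatch on the configured method instead: `if (p->conf.auth.method == IPSEC_MANUAL_ESP)` in both `pfkey_establish()` and `pfkey_remove()`; the `IPSEC_IKE` case still ends up in the `pfkey_auth_*` functions, which return 0 for any non-MD5SIG method.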
@@ -616,7 +619,7 @@ pfkey_establish(struct peer *p)
int
pfkey_remove(struct peer *p)
{
- if (p->conf.ipsec.spi_in)
+ if (p->conf.auth.spi_in)
return (pfkey_ipsec_remove(p));
else
return (pfkey_auth_remove(p));
diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c
index 312ecf11a2f..745b7d189b8 100644
--- a/usr.sbin/bgpd/printconf.c
+++ b/usr.sbin/bgpd/printconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printconf.c,v 1.13 2004/04/26 04:40:11 henning Exp $ */
+/* $OpenBSD: printconf.c,v 1.14 2004/04/27 22:42:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -165,7 +165,7 @@ print_peer(struct peer_config *p)
printf("%s\tannounce all\n", c);
else
printf("%s\tannounce ???\n", c);
- if (p->tcp_md5_key[0])
+ if (p->auth.method == MD5SIG)
printf("%s\ttcp md5sig\n", c);
if (p->attrset.flags)
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 35dc2b1b42e..bab8a4c558d 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.157 2004/04/27 17:41:34 henning Exp $ */
+/* $OpenBSD: session.c,v 1.158 2004/04/27 22:42:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -795,7 +795,7 @@ session_accept(int listenfd)
return;
}
}
- if (p->conf.tcp_md5_key[0]) {
+ if (p->conf.auth.method == MD5SIG) {
len = sizeof(opt);
if (getsockopt(connfd, IPPROTO_TCP, TCP_MD5SIG,
&opt, &len) == -1)
@@ -844,7 +844,7 @@ session_connect(struct peer *peer)
return (-1);
}
- if (peer->conf.tcp_md5_key[0])
+ if (peer->conf.auth.method == MD5SIG)
if (setsockopt(peer->sock, IPPROTO_TCP, TCP_MD5SIG,
&opt, sizeof(opt)) == -1) {
log_peer_warn(&peer->conf, "setsockopt md5sig");
diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h
index 2f013d75b20..29c7bf18797 100644
--- a/usr.sbin/bgpd/session.h
+++ b/usr.sbin/bgpd/session.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.h,v 1.46 2004/04/27 03:53:43 henning Exp $ */
+/* $OpenBSD: session.h,v 1.47 2004/04/27 22:42:13 henning Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -145,11 +145,6 @@ struct peer_stats {
time_t last_read;
};
-struct peer_auth {
- u_int32_t spi_in;
- u_int32_t spi_out;
-};
-
struct peer_capa {
u_int8_t announce;
u_int8_t mp_v4; /* multiprotocol extensions, RFC 2858 */
@@ -160,7 +155,6 @@ struct peer_capa {
struct peer {
struct peer_config conf;
struct peer_stats stats;
- struct peer_auth auth;
struct peer_capa capa;
u_int32_t remote_bgpid;
u_int16_t holdtime;