-rw-r--r-- | usr.sbin/bgpd/bgpd.h | 8 | ||||
-rw-r--r-- | usr.sbin/bgpd/parse.y | 50 | ||||
-rw-r--r-- | usr.sbin/bgpd/pfkey.c | 47 | ||||
-rw-r--r-- | usr.sbin/bgpd/printconf.c | 4 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.c | 6 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.h | 8 |
6 files changed, 60 insertions, 63 deletions
diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h
index 5dd0b7547ea..c5e9d24bd75 100644
--- a/usr.sbin/bgpd/bgpd.h
+++ b/usr.sbin/bgpd/bgpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bgpd.h,v 1.113 2004/04/27 22:06:54 henning Exp $ */
+/* $OpenBSD: bgpd.h,v 1.114 2004/04/27 22:42:13 henning Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -153,8 +153,9 @@ enum auth_method {
 IPSEC_IKE
 };
-struct peer_ipsec {
+struct peer_auth {
 enum auth_method method;
+ char md5key[TCP_MD5_KEY_LEN];
 u_int32_t spi_in;
 u_int32_t spi_out;
 u_int8_t auth_alg_in;
@@ -191,8 +192,7 @@ struct peer_config {
 struct filter_set attrset;
 enum announce_type announce_type;
 enum enforce_as enforce_as;
- char tcp_md5_key[TCP_MD5_KEY_LEN];
- struct peer_ipsec ipsec;
+ struct peer_auth auth;
 u_int8_t capabilities;
 enum reconf_action reconf_action;
 };
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index e7c3fdfa798..5cbacb48c57 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.89 2004/04/27 22:06:54 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.90 2004/04/27 22:42:13 henning Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -507,11 +507,11 @@ peeropts : REMOTEAS asnumber {
 curpeer->conf.max_prefix = $2;
 }
 | TCP MD5SIG PASSWORD string {
- if (strlcpy(curpeer->conf.tcp_md5_key, $4,
- sizeof(curpeer->conf.tcp_md5_key)) >=
- sizeof(curpeer->conf.tcp_md5_key)) {
+ if (strlcpy(curpeer->conf.auth.md5key, $4,
+ sizeof(curpeer->conf.auth.md5key)) >=
+ sizeof(curpeer->conf.auth.md5key)) {
 yyerror("tcp md5sig password too long: max %u",
- sizeof(curpeer->conf.tcp_md5_key) - 1);
+ sizeof(curpeer->conf.auth.md5key) - 1);
 free($4);
 YYERROR;
 }
@@ -522,7 +522,7 @@ peeropts : REMOTEAS asnumber {
 char s[3];
 if (strlen($4) / 2 >=
- sizeof(curpeer->conf.tcp_md5_key)) {
+ sizeof(curpeer->conf.auth.md5key)) {
 yyerror("key too long");
 free($4);
 YYERROR;
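Review bot: `struct peer_auth` now mixes configured values with runtime state and nothing on the struct says which is which: for IPSEC_MANUAL_ESP the `spi_in`/`spi_out` pair and the auth_*/enc_* fields come from the parser, but for MD5SIG the same `spi_in`/`spi_out` are written at runtime by pfkey_auth_establish, which passes `&p->conf.auth.spi_out` and `&p->conf.auth.spi_in` to pfkey_sa_add. A comment above the struct such as `/* method selects which fields apply; for MD5SIG spi_in/spi_out are filled in at runtime by pfkey, not by the parser */` would make the overloading explicit to the next reader. Because these runtime SPIs now live inside `struct peer_config`, it is also worth documenting what a config reload does to them: if `conf` is replaced wholesale (the reload path is not in this diff), the SAs created by pfkey_sa_add would be orphaned in the kernel.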
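Review bot: Neither the `TCP MD5SIG PASSWORD` branch in this hunk nor the `TCP MD5SIG KEY` branch in the @@ -543 hunk sets `curpeer->conf.auth.method = MD5SIG;`, while pfkey_auth_establish, session_accept, session_connect and print_peer now test `method == MD5SIG` instead of `tcp_md5_key[0]`. Any pre-existing assignment of MD5SIG to the old `ipsec.method` would have had to be renamed in this diff and none appears, so as committed a configured TCP MD5 password is stored but never applied: setsockopt(TCP_MD5SIG) and the pfkey SAs are skipped and the session comes up unauthenticated without any error or log line. Add `curpeer->conf.auth.method = MD5SIG;` after the successful strlcpy in this branch and after the hex-decoding loop (before `free($4);`) in the KEY branch. The peeropts rule continues beyond both hunks.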
@@ -543,13 +543,13 @@ peeropts : REMOTEAS asnumber {
 free($4);
 YYERROR;
 }
- curpeer->conf.tcp_md5_key[i] =
+ curpeer->conf.auth.md5key[i] =
 strtoul(s, NULL, 16);
 }
 free($4);
 }
 | IPSEC IKE {
- curpeer->conf.ipsec.method = IPSEC_IKE;
+ curpeer->conf.auth.method = IPSEC_IKE;
 }
 | IPSEC ESP inout SPI number STRING STRING encspec {
 unsigned i;
@@ -557,7 +557,7 @@ peeropts : REMOTEAS asnumber {
 u_int32_t auth_alg;
 u_int8_t keylen;
- curpeer->conf.ipsec.method = IPSEC_MANUAL_ESP;
+ curpeer->conf.auth.method = IPSEC_MANUAL_ESP;
 if (!strcmp($6, "sha1")) {
 auth_alg = SADB_AALG_SHA1HMAC;
@@ -596,34 +596,34 @@ peeropts : REMOTEAS asnumber {
 YYERROR;
 }
 if ($3 == 1)
- curpeer->conf.ipsec.auth_key_in[i] =
+ curpeer->conf.auth.auth_key_in[i] =
 strtoul(s, NULL, 16);
 else
- curpeer->conf.ipsec.auth_key_out[i] =
+ curpeer->conf.auth.auth_key_out[i] =
 strtoul(s, NULL, 16);
 }
 free($7);
 if ($3 == 1) {
- curpeer->conf.ipsec.spi_in = $5;
- curpeer->conf.ipsec.auth_alg_in = auth_alg;
- curpeer->conf.ipsec.enc_alg_in = $8.enc_alg;
- memcpy(&curpeer->conf.ipsec.enc_key_in,
+ curpeer->conf.auth.spi_in = $5;
+ curpeer->conf.auth.auth_alg_in = auth_alg;
+ curpeer->conf.auth.enc_alg_in = $8.enc_alg;
+ memcpy(&curpeer->conf.auth.enc_key_in,
 &$8.enc_key,
- sizeof(curpeer->conf.ipsec.enc_key_in));
- curpeer->conf.ipsec.enc_keylen_in =
+ sizeof(curpeer->conf.auth.enc_key_in));
+ curpeer->conf.auth.enc_keylen_in =
 $8.enc_key_len;
- curpeer->conf.ipsec.auth_keylen_in = keylen;
+ curpeer->conf.auth.auth_keylen_in = keylen;
 } else {
- curpeer->conf.ipsec.spi_out = $5;
- curpeer->conf.ipsec.auth_alg_out = auth_alg;
- curpeer->conf.ipsec.enc_alg_out = $8.enc_alg;
- memcpy(&curpeer->conf.ipsec.enc_key_out,
+ curpeer->conf.auth.spi_out = $5;
+ curpeer->conf.auth.auth_alg_out = auth_alg;
+ curpeer->conf.auth.enc_alg_out = $8.enc_alg;
+ memcpy(&curpeer->conf.auth.enc_key_out,
 &$8.enc_key,
- sizeof(curpeer->conf.ipsec.enc_key_out));
- curpeer->conf.ipsec.enc_keylen_out =
+ sizeof(curpeer->conf.auth.enc_key_out));
+ curpeer->conf.auth.enc_keylen_out =
 $8.enc_key_len;
- curpeer->conf.ipsec.auth_keylen_out = keylen;
+ curpeer->conf.auth.auth_keylen_out = keylen;
 }
 }
 | ANNOUNCE CAPABILITIES yesno {
diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c
index fee8483bae0..02af2722aef 100644
--- a/usr.sbin/bgpd/pfkey.c
+++ b/usr.sbin/bgpd/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.19 2004/04/27 18:35:48 henning Exp $ */
+/* $OpenBSD: pfkey.c,v 1.20 2004/04/27 22:42:13 henning Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -496,17 +496,17 @@ pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *spi)
 int
 pfkey_auth_establish(struct peer *p)
 {
- if (!p->conf.tcp_md5_key[0])
+ if (p->conf.auth.method != MD5SIG)
 return (0);
- if (!p->auth.spi_out)
+ if (!p->conf.auth.spi_out)
 if (pfkey_sa_add(&p->conf.local_addr, &p->conf.remote_addr,
- p->conf.tcp_md5_key, &p->auth.spi_out) == -1)
+ p->conf.auth.md5key, &p->conf.auth.spi_out) == -1)
 return (-1);
- if (!p->auth.spi_in)
+ if (!p->conf.auth.spi_in)
 if (pfkey_sa_add(&p->conf.remote_addr, &p->conf.local_addr,
- p->conf.tcp_md5_key, &p->auth.spi_in) == -1)
+ p->conf.auth.md5key, &p->conf.auth.spi_in) == -1)
 return (-1);
 return (0);
@@ -515,14 +515,17 @@ pfkey_auth_establish(struct peer *p)
 int
 pfkey_auth_remove(struct peer *p)
 {
- if (p->auth.spi_out)
+ if (p->conf.auth.method != MD5SIG)
+ return (0);
+
+ if (p->conf.auth.spi_out)
 if (pfkey_sa_remove(&p->conf.local_addr, &p->conf.remote_addr,
- &p->auth.spi_out) == -1)
+ &p->conf.auth.spi_out) == -1)
 return (-1);
- if (p->auth.spi_in)
+ if (p->conf.auth.spi_in)
 if (pfkey_sa_remove(&p->conf.remote_addr, &p->conf.local_addr,
- &p->auth.spi_in) == -1)
+ &p->conf.auth.spi_in) == -1)
 return (-1);
 return (0);
@@ -532,24 +535,24 @@ pfkey_auth_remove(struct peer *p)
 int
 pfkey_ipsec_establish(struct peer *p)
 {
- struct peer_ipsec *ipsec = &p->conf.ipsec;
+ struct peer_auth *auth = &p->conf.auth;
- if (!ipsec->spi_in || !ipsec->spi_out)
+ if (!auth->spi_in || !auth->spi_out)
 return (0);
 if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_ADD, 0,
 &p->conf.local_addr, &p->conf.remote_addr,
- ipsec->spi_out,
- ipsec->auth_alg_out, ipsec->auth_keylen_out, ipsec->auth_key_out,
- ipsec->enc_alg_out, ipsec->enc_keylen_out, ipsec->enc_key_out,
+ auth->spi_out,
+ auth->auth_alg_out, auth->auth_keylen_out, auth->auth_key_out,
+ auth->enc_alg_out, auth->enc_keylen_out, auth->enc_key_out,
 0, 0) < 0)
 return (-1);
 if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_ADD, 0,
 &p->conf.remote_addr, &p->conf.local_addr,
- ipsec->spi_in,
- ipsec->auth_alg_in, ipsec->auth_keylen_in, ipsec->auth_key_in,
- ipsec->enc_alg_in, ipsec->enc_keylen_in, ipsec->enc_key_in,
+ auth->spi_in,
+ auth->auth_alg_in, auth->auth_keylen_in, auth->auth_key_in,
+ auth->enc_alg_in, auth->enc_keylen_in, auth->enc_key_in,
 0, 0) < 0)
 return (-1);
@@ -577,12 +580,12 @@ pfkey_ipsec_remove(struct peer *p)
 {
 if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_DELETE, 0,
 &p->conf.local_addr, &p->conf.remote_addr,
- p->conf.ipsec.spi_out, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+ p->conf.auth.spi_out, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
 return (-1);
 if (pfkey_send(fd, SADB_SATYPE_ESP, SADB_DELETE, 0,
 &p->conf.remote_addr, &p->conf.local_addr,
- p->conf.ipsec.spi_in, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
+ p->conf.auth.spi_in, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0)
 return (-1);
 if (pfkey_flow(fd, SADB_X_DELFLOW, IPSP_DIRECTION_OUT,
@@ -607,7 +610,7 @@ pfkey_ipsec_remove(struct peer *p)
 int
 pfkey_establish(struct peer *p)
 {
- if (p->conf.ipsec.spi_in)
+ if (p->conf.auth.spi_in)
 return (pfkey_ipsec_establish(p));
 else
 return (pfkey_auth_establish(p));
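Review bot: pfkey_establish still dispatches on `p->conf.auth.spi_in`, but that field is no longer IPsec-only: pfkey_auth_establish in the @@ -496 hunk now stores the SPIs obtained from pfkey_sa_add into `p->conf.auth.spi_in`/`spi_out`, which previously went to the separate `p->auth`. For an MD5SIG peer the first call takes the auth path, but once spi_in is set every later pfkey_establish and the matching pfkey_remove (@@ -616 hunk) take the IPsec path, so pfkey_ipsec_remove issues SADB_DELETE for ESP with the TCP-MD5 SPIs and pfkey_auth_remove never runs, leaving the MD5 SAs in the kernel. Now that `method` is part of the config, dispatch on it instead: `if (p->conf.auth.method == MD5SIG) return (pfkey_auth_establish(p));` then `if (p->conf.auth.spi_in) return (pfkey_ipsec_establish(p));` then `return (0);`, and the same shape in pfkey_remove with the *_remove functions. This keeps the IPSEC_IKE and unauthenticated cases returning 0 as before.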
@@ -616,7 +619,7 @@ pfkey_establish(struct peer *p)
 int
 pfkey_remove(struct peer *p)
 {
- if (p->conf.ipsec.spi_in)
+ if (p->conf.auth.spi_in)
 return (pfkey_ipsec_remove(p));
 else
 return (pfkey_auth_remove(p));
diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c
index 312ecf11a2f..745b7d189b8 100644
--- a/usr.sbin/bgpd/printconf.c
+++ b/usr.sbin/bgpd/printconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printconf.c,v 1.13 2004/04/26 04:40:11 henning Exp $ */
+/* $OpenBSD: printconf.c,v 1.14 2004/04/27 22:42:13 henning Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -165,7 +165,7 @@ print_peer(struct peer_config *p)
 printf("%s\tannounce all\n", c);
 else
 printf("%s\tannounce ???\n", c);
- if (p->tcp_md5_key[0])
+ if (p->auth.method == MD5SIG)
 printf("%s\ttcp md5sig\n", c);
 if (p->attrset.flags)
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 35dc2b1b42e..bab8a4c558d 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.157 2004/04/27 17:41:34 henning Exp $ */
+/* $OpenBSD: session.c,v 1.158 2004/04/27 22:42:13 henning Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -795,7 +795,7 @@ session_accept(int listenfd)
 return;
 }
 }
- if (p->conf.tcp_md5_key[0]) {
+ if (p->conf.auth.method == MD5SIG) {
 len = sizeof(opt);
 if (getsockopt(connfd, IPPROTO_TCP, TCP_MD5SIG,
 &opt, &len) == -1)
@@ -844,7 +844,7 @@ session_connect(struct peer *peer)
 return (-1);
 }
- if (peer->conf.tcp_md5_key[0])
+ if (peer->conf.auth.method == MD5SIG)
 if (setsockopt(peer->sock, IPPROTO_TCP, TCP_MD5SIG,
 &opt, sizeof(opt)) == -1) {
 log_peer_warn(&peer->conf, "setsockopt md5sig");
diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h
index 2f013d75b20..29c7bf18797 100644
--- a/usr.sbin/bgpd/session.h
+++ b/usr.sbin/bgpd/session.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.h,v 1.46 2004/04/27 03:53:43 henning Exp $ */
+/* $OpenBSD: session.h,v 1.47 2004/04/27 22:42:13 henning Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -145,11 +145,6 @@ struct peer_stats {
 time_t last_read;
 };
-struct peer_auth {
- u_int32_t spi_in;
- u_int32_t spi_out;
-};
-
 struct peer_capa {
 u_int8_t announce;
 u_int8_t mp_v4; /* multiprotocol extensions, RFC 2858 */
@@ -160,7 +155,6 @@ struct peer_capa {
 struct peer {
 struct peer_config conf;
 struct peer_stats stats;
- struct peer_auth auth;
 struct peer_capa capa;
 u_int32_t remote_bgpid;
 u_int16_t holdtime; |