summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--usr.sbin/bgpd/parse.y287
-rw-r--r--usr.sbin/bgpd/printconf.c64
2 files changed, 187 insertions, 164 deletions
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index 166c0e79438..954bc5c882a 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.469 2024/10/01 11:49:24 claudio Exp $ */
+/* $OpenBSD: parse.y,v 1.470 2024/10/09 10:01:29 claudio Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -187,6 +187,7 @@ static int push_unary_numop(enum comp_ops, long long);
static int push_binary_numop(enum comp_ops, long long, long long);
static int geticmptypebyname(char *, uint8_t);
static int geticmpcodebyname(u_long, char *, uint8_t);
+static int merge_auth_conf(struct auth_config *, struct auth_config *);
static struct bgpd_config *conf;
static struct network_head *netconf;
@@ -228,6 +229,7 @@ typedef struct {
} prefix;
struct filter_prefixlen prefixlen;
struct prefixset_item *prefixset_item;
+ struct auth_config authconf;
struct {
enum auth_enc_alg enc_alg;
uint8_t enc_key_len;
@@ -293,6 +295,7 @@ typedef struct {
%type <v.filter_prefix> filter_prefix filter_prefix_l filter_prefix_h
%type <v.filter_prefix> filter_prefix_m
%type <v.u8> unaryop equalityop binaryop filter_as_type
+%type <v.authconf> authconf
%type <v.encspec> encspec
%type <v.aspa_elm> aspa_tas aspa_tas_l
%%
@@ -732,6 +735,10 @@ rtropt : DESCR STRING {
}
currtr->min_version = $2;
}
+ | authconf {
+ if (merge_auth_conf(&currtr->auth, &$1) == 0)
+ YYERROR;
+ }
;
conf_main : AS as4number {
@@ -2075,142 +2082,9 @@ peeropts : REMOTEAS as4number {
curpeer->conf.max_out_prefix = $2;
curpeer->conf.max_out_prefix_restart = $4;
}
- | TCP MD5SIG PASSWORD string {
- if (curpeer->auth_conf.method) {
- yyerror("auth method cannot be redefined");
- free($4);
- YYERROR;
- }
- if (strlcpy(curpeer->auth_conf.md5key, $4,
- sizeof(curpeer->auth_conf.md5key)) >=
- sizeof(curpeer->auth_conf.md5key)) {
- yyerror("tcp md5sig password too long: max %zu",
- sizeof(curpeer->auth_conf.md5key) - 1);
- free($4);
- YYERROR;
- }
- curpeer->auth_conf.method = AUTH_MD5SIG;
- curpeer->auth_conf.md5key_len = strlen($4);
- free($4);
- }
- | TCP MD5SIG KEY string {
- if (curpeer->auth_conf.method) {
- yyerror("auth method cannot be redefined");
- free($4);
- YYERROR;
- }
-
- if (str2key($4, curpeer->auth_conf.md5key,
- sizeof(curpeer->auth_conf.md5key)) == -1) {
- free($4);
- YYERROR;
- }
- curpeer->auth_conf.method = AUTH_MD5SIG;
- curpeer->auth_conf.md5key_len = strlen($4) / 2;
- free($4);
- }
- | IPSEC espah IKE {
- if (curpeer->auth_conf.method) {
- yyerror("auth method cannot be redefined");
- YYERROR;
- }
- if ($2)
- curpeer->auth_conf.method = AUTH_IPSEC_IKE_ESP;
- else
- curpeer->auth_conf.method = AUTH_IPSEC_IKE_AH;
- }
- | IPSEC espah inout SPI NUMBER STRING STRING encspec {
- enum auth_alg auth_alg;
- uint8_t keylen;
-
- if (curpeer->auth_conf.method &&
- (((curpeer->auth_conf.spi_in && $3 == 1) ||
- (curpeer->auth_conf.spi_out && $3 == 0)) ||
- ($2 == 1 && curpeer->auth_conf.method !=
- AUTH_IPSEC_MANUAL_ESP) ||
- ($2 == 0 && curpeer->auth_conf.method !=
- AUTH_IPSEC_MANUAL_AH))) {
- yyerror("auth method cannot be redefined");
- free($6);
- free($7);
- YYERROR;
- }
-
- if (!strcmp($6, "sha1")) {
- auth_alg = AUTH_AALG_SHA1HMAC;
- keylen = 20;
- } else if (!strcmp($6, "md5")) {
- auth_alg = AUTH_AALG_MD5HMAC;
- keylen = 16;
- } else {
- yyerror("unknown auth algorithm \"%s\"", $6);
- free($6);
- free($7);
+ | authconf {
+ if (merge_auth_conf(&curpeer->auth_conf, &$1) == 0)
YYERROR;
- }
- free($6);
-
- if (strlen($7) / 2 != keylen) {
- yyerror("auth key len: must be %u bytes, "
- "is %zu bytes", keylen, strlen($7) / 2);
- free($7);
- YYERROR;
- }
-
- if ($2)
- curpeer->auth_conf.method =
- AUTH_IPSEC_MANUAL_ESP;
- else {
- if ($8.enc_alg) {
- yyerror("\"ipsec ah\" doesn't take "
- "encryption keys");
- free($7);
- YYERROR;
- }
- curpeer->auth_conf.method =
- AUTH_IPSEC_MANUAL_AH;
- }
-
- if ($5 <= SPI_RESERVED_MAX || $5 > UINT_MAX) {
- yyerror("bad spi number %lld", $5);
- free($7);
- YYERROR;
- }
-
- if ($3 == 1) {
- if (str2key($7, curpeer->auth_conf.auth_key_in,
- sizeof(curpeer->auth_conf.auth_key_in)) ==
- -1) {
- free($7);
- YYERROR;
- }
- curpeer->auth_conf.spi_in = $5;
- curpeer->auth_conf.auth_alg_in = auth_alg;
- curpeer->auth_conf.enc_alg_in = $8.enc_alg;
- memcpy(&curpeer->auth_conf.enc_key_in,
- &$8.enc_key,
- sizeof(curpeer->auth_conf.enc_key_in));
- curpeer->auth_conf.enc_keylen_in =
- $8.enc_key_len;
- curpeer->auth_conf.auth_keylen_in = keylen;
- } else {
- if (str2key($7, curpeer->auth_conf.auth_key_out,
- sizeof(curpeer->auth_conf.auth_key_out)) ==
- -1) {
- free($7);
- YYERROR;
- }
- curpeer->auth_conf.spi_out = $5;
- curpeer->auth_conf.auth_alg_out = auth_alg;
- curpeer->auth_conf.enc_alg_out = $8.enc_alg;
- memcpy(&curpeer->auth_conf.enc_key_out,
- &$8.enc_key,
- sizeof(curpeer->auth_conf.enc_key_out));
- curpeer->auth_conf.enc_keylen_out =
- $8.enc_key_len;
- curpeer->auth_conf.auth_keylen_out = keylen;
- }
- free($7);
}
| TTLSECURITY yesno {
curpeer->conf.ttlsec = $2;
@@ -2357,6 +2231,111 @@ nettype : STATIC { $$ = 1; }
| CONNECTED { $$ = 0; }
;
+authconf : TCP MD5SIG PASSWORD string {
+ memset(&$$, 0, sizeof($$));
+ if (strlcpy($$.md5key, $4, sizeof($$.md5key)) >=
+ sizeof($$.md5key)) {
+ yyerror("tcp md5sig password too long: max %zu",
+ sizeof($$.md5key) - 1);
+ free($4);
+ YYERROR;
+ }
+ $$.method = AUTH_MD5SIG;
+ $$.md5key_len = strlen($4);
+ free($4);
+ }
+ | TCP MD5SIG KEY string {
+ memset(&$$, 0, sizeof($$));
+ if (str2key($4, $$.md5key, sizeof($$.md5key)) == -1) {
+ free($4);
+ YYERROR;
+ }
+ $$.method = AUTH_MD5SIG;
+ $$.md5key_len = strlen($4) / 2;
+ free($4);
+ }
+ | IPSEC espah IKE {
+ memset(&$$, 0, sizeof($$));
+ if ($2)
+ $$.method = AUTH_IPSEC_IKE_ESP;
+ else
+ $$.method = AUTH_IPSEC_IKE_AH;
+ }
+ | IPSEC espah inout SPI NUMBER STRING STRING encspec {
+ enum auth_alg auth_alg;
+ uint8_t keylen;
+
+ memset(&$$, 0, sizeof($$));
+ if (!strcmp($6, "sha1")) {
+ auth_alg = AUTH_AALG_SHA1HMAC;
+ keylen = 20;
+ } else if (!strcmp($6, "md5")) {
+ auth_alg = AUTH_AALG_MD5HMAC;
+ keylen = 16;
+ } else {
+ yyerror("unknown auth algorithm \"%s\"", $6);
+ free($6);
+ free($7);
+ YYERROR;
+ }
+ free($6);
+
+ if (strlen($7) / 2 != keylen) {
+ yyerror("auth key len: must be %u bytes, "
+ "is %zu bytes", keylen, strlen($7) / 2);
+ free($7);
+ YYERROR;
+ }
+
+ if ($2)
+ $$.method = AUTH_IPSEC_MANUAL_ESP;
+ else {
+ if ($8.enc_alg) {
+ yyerror("\"ipsec ah\" doesn't take "
+ "encryption keys");
+ free($7);
+ YYERROR;
+ }
+ $$.method = AUTH_IPSEC_MANUAL_AH;
+ }
+
+ if ($5 <= SPI_RESERVED_MAX || $5 > UINT_MAX) {
+ yyerror("bad spi number %lld", $5);
+ free($7);
+ YYERROR;
+ }
+
+ if ($3 == 1) {
+ if (str2key($7, $$.auth_key_in,
+ sizeof($$.auth_key_in)) == -1) {
+ free($7);
+ YYERROR;
+ }
+ $$.spi_in = $5;
+ $$.auth_alg_in = auth_alg;
+ $$.enc_alg_in = $8.enc_alg;
+ memcpy(&$$.enc_key_in, &$8.enc_key,
+ sizeof($$.enc_key_in));
+ $$.enc_keylen_in = $8.enc_key_len;
+ $$.auth_keylen_in = keylen;
+ } else {
+ if (str2key($7, $$.auth_key_out,
+ sizeof($$.auth_key_out)) == -1) {
+ free($7);
+ YYERROR;
+ }
+ $$.spi_out = $5;
+ $$.auth_alg_out = auth_alg;
+ $$.enc_alg_out = $8.enc_alg;
+ memcpy(&$$.enc_key_out, &$8.enc_key,
+ sizeof($$.enc_key_out));
+ $$.enc_keylen_out = $8.enc_key_len;
+ $$.auth_keylen_out = keylen;
+ }
+ free($7);
+ }
+ ;
+
espah : ESP { $$ = 1; }
| AH { $$ = 0; }
;
@@ -6033,3 +6012,39 @@ geticmpcodebyname(u_long type, char *w, uint8_t aid)
}
return -1;
}
+
+static int
+merge_auth_conf(struct auth_config *to, struct auth_config *from)
+{
+ if (to->method != 0) {
+ /* extra magic for manual ipsec rules */
+ if (to->method == from->method &&
+ (to->method == AUTH_IPSEC_MANUAL_ESP ||
+ to->method == AUTH_IPSEC_MANUAL_AH)) {
+ if (to->spi_in == 0 && from->spi_in != 0) {
+ to->spi_in = from->spi_in;
+ to->auth_alg_in = from->auth_alg_in;
+ to->enc_alg_in = from->enc_alg_in;
+ memcpy(to->enc_key_in, from->enc_key_in,
+ sizeof(to->enc_key_in));
+ to->enc_keylen_in = from->enc_keylen_in;
+ to->auth_keylen_in = from->auth_keylen_in;
+ return 1;
+ } else if (to->spi_out == 0 && from->spi_out != 0) {
+ to->spi_out = from->spi_out;
+ to->auth_alg_out = from->auth_alg_out;
+ to->enc_alg_out = from->enc_alg_out;
+ memcpy(to->enc_key_out, from->enc_key_out,
+ sizeof(to->enc_key_out));
+ to->enc_keylen_out = from->enc_keylen_out;
+ to->auth_keylen_out = from->auth_keylen_out;
+ return 1;
+ }
+ }
+ yyerror("auth method cannot be redefined");
+ return 0;
+ }
+ *to = *from;
+ return 1;
+}
+
diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c
index e34380ffd38..a62311e7b62 100644
--- a/usr.sbin/bgpd/printconf.c
+++ b/usr.sbin/bgpd/printconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printconf.c,v 1.175 2024/10/01 11:49:24 claudio Exp $ */
+/* $OpenBSD: printconf.c,v 1.176 2024/10/09 10:01:29 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -712,6 +712,39 @@ print_aspa(struct aspa_tree *a)
printf("\n}\n\n");
}
+static void
+print_auth(struct auth_config *auth, const char *c)
+{
+ char *method;
+
+ if (auth->method == AUTH_MD5SIG)
+ printf("%s\ttcp md5sig\n", c);
+ else if (auth->method == AUTH_IPSEC_MANUAL_ESP ||
+ auth->method == AUTH_IPSEC_MANUAL_AH) {
+ if (auth->method == AUTH_IPSEC_MANUAL_ESP)
+ method = "esp";
+ else
+ method = "ah";
+
+ printf("%s\tipsec %s in spi %u %s XXXXXX", c, method,
+ auth->spi_in, print_auth_alg(auth->auth_alg_in));
+ if (auth->enc_alg_in)
+ printf(" %s XXXXXX", print_enc_alg(auth->enc_alg_in));
+ printf("\n");
+
+ printf("%s\tipsec %s out spi %u %s XXXXXX", c, method,
+ auth->spi_out, print_auth_alg(auth->auth_alg_out));
+ if (auth->enc_alg_out)
+ printf(" %s XXXXXX",
+ print_enc_alg(auth->enc_alg_out));
+ printf("\n");
+ } else if (auth->method == AUTH_IPSEC_IKE_AH)
+ printf("%s\tipsec ah ike\n", c);
+ else if (auth->method == AUTH_IPSEC_IKE_ESP)
+ printf("%s\tipsec esp ike\n", c);
+
+}
+
void
print_rtrs(struct rtr_config_head *rh)
{
@@ -723,6 +756,7 @@ print_rtrs(struct rtr_config_head *rh)
printf("\tport %u\n", r->remote_port);
if (r->local_addr.aid != AID_UNSPEC)
printf("local-addr %s\n", log_addr(&r->local_addr));
+ print_auth(&r->auth, "");
printf("}\n\n");
}
}
@@ -731,9 +765,7 @@ void
print_peer(struct peer *peer, struct bgpd_config *conf, const char *c)
{
struct in_addr ina;
- char *method;
struct peer_config *p = &peer->conf;
- struct auth_config *auth = &peer->auth_conf;
if ((p->remote_addr.aid == AID_INET && p->remote_masklen != 32) ||
(p->remote_addr.aid == AID_INET6 && p->remote_masklen != 128))
@@ -832,31 +864,7 @@ print_peer(struct peer *peer, struct bgpd_config *conf, const char *c)
if (p->flags & PEERFLAG_LOG_UPDATES)
printf("%s\tlog updates\n", c);
- if (auth->method == AUTH_MD5SIG)
- printf("%s\ttcp md5sig\n", c);
- else if (auth->method == AUTH_IPSEC_MANUAL_ESP ||
- auth->method == AUTH_IPSEC_MANUAL_AH) {
- if (auth->method == AUTH_IPSEC_MANUAL_ESP)
- method = "esp";
- else
- method = "ah";
-
- printf("%s\tipsec %s in spi %u %s XXXXXX", c, method,
- auth->spi_in, print_auth_alg(auth->auth_alg_in));
- if (auth->enc_alg_in)
- printf(" %s XXXXXX", print_enc_alg(auth->enc_alg_in));
- printf("\n");
-
- printf("%s\tipsec %s out spi %u %s XXXXXX", c, method,
- auth->spi_out, print_auth_alg(auth->auth_alg_out));
- if (auth->enc_alg_out)
- printf(" %s XXXXXX",
- print_enc_alg(auth->enc_alg_out));
- printf("\n");
- } else if (auth->method == AUTH_IPSEC_IKE_AH)
- printf("%s\tipsec ah ike\n", c);
- else if (auth->method == AUTH_IPSEC_IKE_ESP)
- printf("%s\tipsec esp ike\n", c);
+ print_auth(&peer->auth_conf, c);
if (p->ttlsec)
printf("%s\tttl-security yes\n", c);