From b43bb4133806b7e9071477884afb178e158ee9cc Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Wed, 28 Jan 2004 23:31:29 +0000
Subject: implement tcp md5sig password so that the key can be given in ascii, what unfortunately limits the key space (cisco/juniper compat...) we keep the ability to specify the key in hex whithout these limits. help & ok markus
---
 usr.sbin/bgpd/bgpd.h | 6 +++---
 usr.sbin/bgpd/parse.y | 37 +++++++++++++++++++++++++++++--------
 usr.sbin/bgpd/pfkey.c | 26 ++++++--------------------
 3 files changed, 38 insertions(+), 31 deletions(-)
(limited to 'usr.sbin/bgpd')
diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h
index 89b3f4f6577..c5a513dd513 100644
--- a/usr.sbin/bgpd/bgpd.h
+++ b/usr.sbin/bgpd/bgpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bgpd.h,v 1.87 2004/01/28 17:27:55 henning Exp $ */
+/* $OpenBSD: bgpd.h,v 1.88 2004/01/28 23:31:28 henning Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer
@@ -33,7 +33,7 @@
 #define CONFFILE "/etc/bgpd.conf"
 #define BGPD_USER "_bgpd"
 #define PEER_DESCR_LEN 32
-#define TCP_SIGN_KEY_LEN 32
+#define TCP_MD5_KEY_LEN 80
 #define MAX_PKTSIZE 4096
 #define MIN_HOLDTIME 3
 
@@ -137,7 +137,7 @@ struct peer_config {
 u_int16_t holdtime;
 u_int16_t min_holdtime;
 enum announce_type announce_type;
-char tcp_sign_key[TCP_SIGN_KEY_LEN];
+char tcp_md5_key[TCP_MD5_KEY_LEN];
 enum reconf_action reconf_action;
 };
 
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index e99e5d8bf9b..d2c027faa69 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.42 2004/01/27 16:49:53 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.43 2004/01/28 23:31:28 henning Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer
@@ -92,7 +92,7 @@ typedef struct {
 %token REMOTEAS DESCR LOCALADDR MULTIHOP PASSIVE MAXPREFIX ANNOUNCE
 %token DUMP MSG IN TABLE
 %token LOG UPDATES
-%token TCP MD5SIG KEY
+%token TCP MD5SIG PASSWORD KEY
 %token ERROR
 %token STRING
 %type number optnumber yesno
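Review bot: The renamed `char tcp_md5_key[TCP_MD5_KEY_LEN];` in struct peer_config still carries no length, while the rest of this commit stores the hex-given key in it as raw decoded bytes and lets pfkey.c recover the length with strlen() and decide whether MD5 is configured from the first byte alone. Any hex key containing a 00 byte is therefore silently shortened, and one starting with 00 silently leaves the session unsigned. A sibling `u_int8_t tcp_md5_key_len;` filled in by the parser would make both cases representable; failing that, the field needs a comment such as `/* NUL-terminated; a hex key must not contain 00 bytes */`. The bump of the #define to 80 in the hunk above also appears to be what keeps pfkey_send's iov_len, rounded up to a multiple of 8, inside the array, so that dependency is worth a comment at the #define as well.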
@@ -343,16 +343,36 @@ peeropts : REMOTEAS number {
 | MAXPREFIX number {
 curpeer->conf.max_prefix = $2;
 }
+ | TCP MD5SIG PASSWORD string {
+ strlcpy(curpeer->conf.tcp_md5_key, $4,
+ sizeof(curpeer->conf.tcp_md5_key));
+ }
 | TCP MD5SIG KEY string {
- unsigned i;
+ unsigned i;
+ char s[3];
+
+ if (strlen($4) / 2 >=
+ sizeof(curpeer->conf.tcp_md5_key)) {
+ yyerror("key too long");
+ YYERROR;
+ }
 
- for (i = 0; i < strlen($4); i++)
- if (!isxdigit($4[i])) {
- yyerror("key should be in hex");
+ if (strlen($4) % 2) {
+ yyerror("key must be of even length");
+ YYERROR;
+ }
+
+ for (i = 0; i < strlen($4) / 2; i++) {
+ s[0] = $4[2*i];
+ s[1] = $4[2*i + 1];
+ s[2] = 0;
+ if (!isxdigit(s[0]) || !isxdigit(s[1])) {
+ yyerror("key must be specified in hex");
 YYERROR;
 }
- strlcpy(curpeer->conf.tcp_sign_key, $4,
- sizeof(curpeer->conf.tcp_sign_key));
+ curpeer->conf.tcp_md5_key[i] =
+ strtoul(s, NULL, 16);
+ }
 }
 ;
 
@@ -411,6 +431,7 @@ lookup(char *s)
 { "network", NETWORK},
 { "on", ON},
 { "passive", PASSIVE},
+ { "password", PASSWORD},
 { "remote-as", REMOTEAS},
 { "router-id", ROUTERID},
 { "table", TABLE},
diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c
index 156ea8c127e..78841906cdc 100644
--- a/usr.sbin/bgpd/pfkey.c
+++ b/usr.sbin/bgpd/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.11 2004/01/28 20:03:30 henning Exp $ */
+/* $OpenBSD: pfkey.c,v 1.12 2004/01/28 23:31:28 henning Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer
@@ -58,10 +58,7 @@ pfkey_send(int sd, uint8_t mtype, struct bgpd_addr *src,
 ssize_t n;
 int klen = 0;
 int len = 0;
- int i;
 int iov_cnt;
- char realkey[TCP_SIGN_KEY_LEN];
- char s[3];
 struct sockaddr_storage ssrc, sdst;
 
 /* we need clean sockaddr... no ports set */
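Review bot: The new `TCP MD5SIG PASSWORD` rule discards strlcpy()'s return value, so a password of 80 or more characters is silently cut to 79 bytes and the session will not authenticate against a peer configured with the full string; the `KEY` rule right below rejects an over-long key with yyerror, and the password path should be equally strict. An empty password (or an empty hex key, which passes both new length checks and stores nothing) leaves tcp_md5_key[0] at whatever it was, which pfkey_auth_establish in this commit reads as "no key", i.e. the peer silently runs unsigned, so empty strings should be rejected here as well. The hex loop also never writes a terminator after the last decoded byte and so depends on the config struct being zeroed; `curpeer->conf.tcp_md5_key[i] = '\0';` after the loop (i is below sizeof because of the length check) removes that dependency. Because pfkey.c later measures the decoded key with strlen(), a hex key containing a 00 byte cannot be represented, and a yyerror for that case is the honest option until peer_config carries an explicit length.
```yacc
	| TCP MD5SIG PASSWORD string {
		if ($4[0] == '\0') {
			yyerror("password must not be empty");
			YYERROR;
		}
		if (strlcpy(curpeer->conf.tcp_md5_key, $4,
		    sizeof(curpeer->conf.tcp_md5_key)) >=
		    sizeof(curpeer->conf.tcp_md5_key)) {
			yyerror("password too long");
			YYERROR;
		}
	}
	| TCP MD5SIG KEY string {
		/* … unchanged: length, even-length and hex-digit checks … */
		for (i = 0; i < strlen($4) / 2; i++) {
			/* … unchanged: decode hex pair into tcp_md5_key[i] … */
			if (curpeer->conf.tcp_md5_key[i] == '\0') {
				yyerror("key must not contain 00 bytes");
				YYERROR;
			}
		}
		curpeer->conf.tcp_md5_key[i] = '\0';
	}
```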
@@ -134,22 +131,11 @@ pfkey_send(int sd, uint8_t mtype, struct bgpd_addr *src,
 case SADB_ADD:
 case SADB_UPDATE:
 bzero(&sa_key, sizeof(sa_key));
- klen = strlen(key) / 2;
+ klen = strlen(key);
 sa_key.sadb_key_exttype = SADB_EXT_KEY_AUTH;
 sa_key.sadb_key_len = (sizeof(sa_key) +
 ((klen + 7) / 8) * 8) / 8;
 sa_key.sadb_key_bits = 8 * klen;
-
- for (i = 0; i < klen; i++) {
- s[0] = key[2*i];
- s[1] = key[2*i + 1];
- s[2] = 0;
- if (!isxdigit(s[0]) || !isxdigit(s[1])) {
- log_warnx("tcpmd5 must be specified in hex");
- return (-1);
- }
- realkey[i] = strtoul(s, NULL, 16);
- }
 break;
 }
 
@@ -204,7 +190,7 @@ pfkey_send(int sd, uint8_t mtype, struct bgpd_addr *src,
 iov[iov_cnt].iov_base = &sa_key;
 iov[iov_cnt].iov_len = sizeof(sa_key);
 iov_cnt++;
- iov[iov_cnt].iov_base = realkey;
+ iov[iov_cnt].iov_base = key;
 iov[iov_cnt].iov_len = ((klen + 7) / 8) * 8;
 smsg.sadb_msg_len += sa_key.sadb_key_len;
 iov_cnt++;
@@ -306,17 +292,17 @@ pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *spi)
 int
 pfkey_auth_establish(struct peer *p)
 {
- if (!p->conf.tcp_sign_key[0])
+ if (!p->conf.tcp_md5_key[0])
 return (0);
 
 if (!p->auth.spi_out)
 if (pfkey_sa_add(&p->conf.local_addr, &p->conf.remote_addr,
- p->conf.tcp_sign_key, &p->auth.spi_out) == -1)
+ p->conf.tcp_md5_key, &p->auth.spi_out) == -1)
 return (-1);
 
 if (!p->auth.spi_in)
 if (pfkey_sa_add(&p->conf.remote_addr, &p->conf.local_addr,
- p->conf.tcp_sign_key, &p->auth.spi_in) == -1)
+ p->conf.tcp_md5_key, &p->auth.spi_in) == -1)
 return (-1);
 
 return (0);
--
cgit v1.2.3
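Review bot: `klen = strlen(key);` now measures a buffer that, for the hex form, holds raw decoded bytes, so the first 00 byte ends the key early and `sa_key.sadb_key_bits = 8 * klen` advertises a shorter key than the operator configured, with nothing logged; the removed code could represent such bytes because its length came from the hex text. The length should be supplied by the caller rather than recomputed here, e.g. a `size_t klen` parameter taken from the peer config, which would also allow `if (klen == 0) { log_warnx("tcpmd5 key is empty"); return (-1); }` before the SADB message is built. Separately, the iov in the next hunk sends `((klen + 7) / 8) * 8` bytes starting at key, i.e. up to 7 bytes past the terminator are read from the config buffer; that appears to stay in bounds only because the buffer is NUL-terminated within TCP_MD5_KEY_LEN and the constant is a multiple of 8, which deserves a comment next to the rounding. pfkey_send begins before this hunk.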
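Review bot: `if (!p->conf.tcp_md5_key[0]) return (0);` treats "no key configured" and "hex key whose first byte decodes to 00" identically, and both return success without installing either SA, so the peering is established unsigned with no indication in the logs. With peer_config carrying no flag or length for the key, a first-byte test is the only one available here, but it should at least say so: `/* empty key means MD5 disabled; a hex key must not begin with 00 */`. The function's closing brace lies outside the hunk.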