Linux specific TCP-MD5 handling moved to sysdep/linux/sysio.h
FreeBSD coded added. BSD cannot set BGP passwords itself. This has to be done by external command.
This commit is contained in:
parent
1bc4b2cc84
commit
2b70f0742e
3 changed files with 80 additions and 37 deletions
|
@ -74,3 +74,48 @@ sysio_mcast_join(sock * s)
|
|||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
#include <netinet/tcp.h>
|
||||
#ifndef TCP_KEYLEN_MAX
|
||||
#define TCP_KEYLEN_MAX 80
|
||||
#endif
|
||||
#ifndef TCP_SIG_SPI
|
||||
#define TCP_SIG_SPI 0x1000
|
||||
#endif
|
||||
|
||||
/*
|
||||
* FIXME: Passwords has to be set by setkey(8) command. This is the same
|
||||
* behaviour like Quagga. We need to add code for SA/SP entries
|
||||
* management.
|
||||
*/
|
||||
|
||||
static int
|
||||
sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd)
|
||||
{
|
||||
int enable = 0;
|
||||
if (passwd)
|
||||
{
|
||||
int len = strlen(passwd);
|
||||
|
||||
enable = len ? TCP_SIG_SPI : 0;
|
||||
|
||||
if (len > TCP_KEYLEN_MAX)
|
||||
{
|
||||
log(L_ERR "MD5 password too long");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &enable, sizeof(enable));
|
||||
|
||||
if (rv < 0)
|
||||
{
|
||||
if (errno == ENOPROTOOPT)
|
||||
log(L_ERR "Kernel does not support TCP MD5 signatures");
|
||||
else
|
||||
log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
|
||||
}
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -160,3 +160,38 @@ struct tcp_md5sig {
|
|||
};
|
||||
|
||||
#endif
|
||||
|
||||
static int
|
||||
sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd)
|
||||
{
|
||||
struct tcp_md5sig md5;
|
||||
|
||||
memset(&md5, 0, sizeof(md5));
|
||||
memcpy(&md5.tcpm_addr, (struct sockaddr *) sa, sizeof(*sa));
|
||||
|
||||
if (passwd)
|
||||
{
|
||||
int len = strlen(passwd);
|
||||
|
||||
if (len > TCP_MD5SIG_MAXKEYLEN)
|
||||
{
|
||||
log(L_ERR "MD5 password too long");
|
||||
return -1;
|
||||
}
|
||||
|
||||
md5.tcpm_keylen = len;
|
||||
memcpy(&md5.tcpm_key, passwd, len);
|
||||
}
|
||||
|
||||
int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5));
|
||||
|
||||
if (rv < 0)
|
||||
{
|
||||
if (errno == ENOPROTOOPT)
|
||||
log(L_ERR "Kernel does not support TCP MD5 signatures");
|
||||
else
|
||||
log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
|
||||
}
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -738,43 +738,6 @@ sk_set_ttl(sock *s, int ttl)
|
|||
}
|
||||
|
||||
|
||||
/* FIXME: check portability */
|
||||
|
||||
static int
|
||||
sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd)
|
||||
{
|
||||
struct tcp_md5sig md5;
|
||||
|
||||
memset(&md5, 0, sizeof(md5));
|
||||
memcpy(&md5.tcpm_addr, (struct sockaddr *) sa, sizeof(*sa));
|
||||
|
||||
if (passwd)
|
||||
{
|
||||
int len = strlen(passwd);
|
||||
|
||||
if (len > TCP_MD5SIG_MAXKEYLEN)
|
||||
{
|
||||
log(L_ERR "MD5 password too long");
|
||||
return -1;
|
||||
}
|
||||
|
||||
md5.tcpm_keylen = len;
|
||||
memcpy(&md5.tcpm_key, passwd, len);
|
||||
}
|
||||
|
||||
int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5));
|
||||
|
||||
if (rv < 0)
|
||||
{
|
||||
if (errno == ENOPROTOOPT)
|
||||
log(L_ERR "Kernel does not support TCP MD5 signatures");
|
||||
else
|
||||
log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
|
||||
}
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
||||
/**
|
||||
* sk_set_md5_auth - add / remove MD5 security association for given socket.
|
||||
* @s: socket
|
||||
|
|
Loading…
Reference in a new issue