Nest: Allow MAC algorithms to specify min/max key length
Add min/max key length fields to the MAC algorithm description and validate configured keys before they are used.
This commit is contained in:
Toke Høiland-Jørgensen
Ondrej Zajicek (work)
parent
35f88b305a
commit
589f7d1e4f
|
|
@ -173,7 +173,7 @@ hmac_final(struct mac_context *ctx)
|
|||
{ \
|
||||
name, size/8, sizeof(struct vx##_context), \
|
||||
vx##_mac_init, vx##_mac_update, vx##_mac_final, \
|
||||
size/8, VX##_BLOCK_SIZE, NULL, NULL, NULL \
|
||||
size/8, VX##_BLOCK_SIZE, NULL, NULL, NULL, 0, VX##_SIZE \
|
||||
}
|
||||
|
||||
const struct mac_desc mac_table[ALG_MAX] = {
|
||||
|
|
|
|||
|
|
@ -94,6 +94,8 @@ struct mac_desc {
|
|||
void (*hash_init)(struct hash_context *ctx);
|
||||
void (*hash_update)(struct hash_context *ctx, const byte *data, uint datalen);
|
||||
byte *(*hash_final)(struct hash_context *ctx);
|
||||
uint min_key_length; /* Minimum allowed key length */
|
||||
uint max_key_length; /* Maximum allowed key length */
|
||||
};
|
||||
|
||||
extern const struct mac_desc mac_table[ALG_MAX];
|
||||
|
|
|
|||
|
|
@ -504,8 +504,8 @@ password_items:
|
|||
;
|
||||
|
||||
password_item:
|
||||
password_item_begin '{' password_item_params '}'
|
||||
| password_item_begin
|
||||
password_item_begin '{' password_item_params '}' password_item_end
|
||||
| password_item_begin password_item_end
|
||||
;
|
||||
|
||||
password_item_begin:
|
||||
|
|
@ -542,6 +542,11 @@ password_algorithm:
|
|||
| BLAKE2B512 { $$ = ALG_BLAKE2B_512; }
|
||||
;
|
||||
|
||||
password_item_end:
|
||||
{
|
||||
password_validate_length(this_p_item);
|
||||
};
|
||||
|
||||
|
||||
/* BFD options */
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@
|
|||
|
||||
#include "nest/bird.h"
|
||||
#include "nest/password.h"
|
||||
#include "conf/conf.h"
|
||||
#include "lib/string.h"
|
||||
#include "lib/timer.h"
|
||||
#include "lib/mac.h"
|
||||
|
|
@ -85,3 +86,28 @@ max_mac_length(list *l)
|
|||
|
||||
return val;
|
||||
}
|
||||
|
||||
/**
|
||||
* password_validate_length - enforce key length restrictions
|
||||
* @pi: Password item
|
||||
*
|
||||
* This is a common MAC algorithm validation function that will enforce that the
|
||||
* key length constrains specified in the MAC type table.
|
||||
*/
|
||||
|
||||
void
|
||||
password_validate_length(const struct password_item *pi)
|
||||
{
|
||||
if (!pi->alg)
|
||||
return;
|
||||
|
||||
const struct mac_desc *alg = &mac_table[pi->alg];
|
||||
|
||||
if (alg->min_key_length && (pi->length < alg->min_key_length))
|
||||
cf_error("Key length (%u B) below minimum length of %u B for %s",
|
||||
pi->length, alg->min_key_length, alg->name);
|
||||
|
||||
if (alg->max_key_length && (pi->length > alg->max_key_length))
|
||||
cf_error("Key length (%u B) exceeds maximum length of %u B for %s",
|
||||
pi->length, alg->max_key_length, alg->name);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ extern struct password_item *last_password_item;
|
|||
struct password_item *password_find(list *l, int first_fit);
|
||||
struct password_item *password_find_by_id(list *l, uint id);
|
||||
struct password_item *password_find_by_value(list *l, char *pass, uint size);
|
||||
void password_validate_length(const struct password_item *p);
|
||||
|
||||
static inline int password_verify(struct password_item *p1, char *p2, uint size)
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in New Issue