Nest: Allow MAC algorithms to specify min/max key length
Add min/max key length fields to the MAC algorithm description and validate configured keys before they are used.
This commit is contained in:
parent
35f88b305a
commit
589f7d1e4f
5 changed files with 37 additions and 3 deletions
@ -173,7 +173,7 @@ hmac_final(struct mac_context *ctx)
{ \
{ \
name, size/8, sizeof(struct vx##_context), \
name, size/8, sizeof(struct vx##_context), \
vx##_mac_init, vx##_mac_update, vx##_mac_final, \
vx##_mac_init, vx##_mac_update, vx##_mac_final, \
size/8, VX##_BLOCK_SIZE, NULL, NULL, NULL \
size/8, VX##_BLOCK_SIZE, NULL, NULL, NULL, 0, VX##_SIZE \
}
}
const struct mac_desc mac_table[ALG_MAX] = {
const struct mac_desc mac_table[ALG_MAX] = {
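Review bot: The descriptor macro in this hunk sets the new minimum key length to 0, which `password_validate_length` treats as "not enforced" (`alg->min_key_length && ...`), so an empty key passes validation for every algorithm this macro describes; if an empty key is not meaningful for these keyed hashes, `size/8, VX##_BLOCK_SIZE, NULL, NULL, NULL, 1, VX##_SIZE \` would reject it at configuration time. The reason the maximum is `VX##_SIZE` (the digest size) rather than `VX##_BLOCK_SIZE` is not stated anywhere in the hunk; a one-line comment on the macro, e.g. `/* key limits: none, digest size */`, would spare the next reader a trip into the init function. The macro definition begins before this hunk, and the table at its end continues past it.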
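--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -94,6 +94,8 @@ struct mac_desc {
 void (*hash_init)(struct hash_context *ctx);
 void (*hash_update)(struct hash_context *ctx, const byte *data, uint datalen);
 byte *(*hash_final)(struct hash_context *ctx);
+uint min_key_length; /* Minimum allowed key length */
+uint max_key_length; /* Maximum allowed key length */
 };
 
 extern const struct mac_desc mac_table[ALG_MAX];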
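Review bot: The two new field comments do not say that a value of 0 means the bound is not enforced, which is exactly how `password_validate_length` reads them, so a reader of the header alone would take a zero minimum for a real minimum of zero bytes. Suggest `uint min_key_length; /* Minimum allowed key length in bytes, 0 = not enforced */` and `uint max_key_length; /* Maximum allowed key length in bytes, 0 = not enforced */`. The unit is worth spelling out too, since the error messages report the lengths in bytes.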
@ -504,8 +504,8 @@ password_items:
;
;
password_item:
password_item:
password_item_begin '{' password_item_params '}'
password_item_begin '{' password_item_params '}' password_item_end
| password_item_begin
| password_item_begin password_item_end
;
;
password_item_begin:
password_item_begin:
@ -542,6 +542,11 @@ password_algorithm:
| BLAKE2B512 { $$ = ALG_BLAKE2B_512; }
| BLAKE2B512 { $$ = ALG_BLAKE2B_512; }
;
;
password_item_end:
{
password_validate_length(this_p_item);
};
/* BFD options */
/* BFD options */
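Review bot: The new `password_item_end` rule only validates a key whose algorithm is already set on `this_p_item` at the close of the item, because the called function returns early when `pi->alg` is zero; a password item that receives its algorithm later as a protocol default would therefore not be checked by this hook. Whether such defaulting exists is not visible in this hunk, but if it does, the same `password_validate_length()` call belongs at the point where the default is applied. As a point of style, the rule closes with `};` on one line while the neighbouring rules put the bare `;` on its own line; `}` followed by `;` on the next line would match them.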
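--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -9,6 +9,7 @@
 
 #include "nest/bird.h"
 #include "nest/password.h"
+#include "conf/conf.h"
 #include "lib/string.h"
 #include "lib/timer.h"
 #include "lib/mac.h"
@@ -85,3 +86,28 @@ max_mac_length(list *l)
 
 return val;
 }
+
+/**
+* password_validate_length - enforce key length restrictions
+* @pi: Password item
+*
+* This is a common MAC algorithm validation function that will enforce that the
+* key length constrains specified in the MAC type table.
+*/
+
+void
+password_validate_length(const struct password_item *pi)
+{
+if (!pi->alg)
+return;
+
+const struct mac_desc *alg = &mac_table[pi->alg];
+
+if (alg->min_key_length && (pi->length < alg->min_key_length))
+cf_error("Key length (%u B) below minimum length of %u B for %s",
+pi->length, alg->min_key_length, alg->name);
+
+if (alg->max_key_length && (pi->length > alg->max_key_length))
+cf_error("Key length (%u B) exceeds maximum length of %u B for %s",
+pi->length, alg->max_key_length, alg->name);
+}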
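Review bot: The doc comment on the new function has a typo and a grammatical slip: `* key length constrains specified in the MAC type table.` should read `* key length constraints specified in the MAC type table.`, and the line before it should say `will enforce the` rather than `will enforce that the`. The comment should also state the two conventions the body relies on, namely that a limit of 0 in the table disables that bound (both `if` conditions test the limit before comparing) and that an item with no algorithm set (`pi->alg == 0`) is skipped entirely. The `cf_error()` calls are presumably non-returning; if so, saying in the comment that a violation aborts configuration parsing tells callers this is a parse-time check rather than a function with a result.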
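--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -24,6 +24,7 @@ extern struct password_item *last_password_item;
 struct password_item *password_find(list *l, int first_fit);
 struct password_item *password_find_by_id(list *l, uint id);
 struct password_item *password_find_by_value(list *l, char *pass, uint size);
+void password_validate_length(const struct password_item *p);
 
 static inline int password_verify(struct password_item *p1, char *p2, uint size)
 {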
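Review bot: The new prototype names its parameter `p` while the definition added in the same commit uses `pi`, and the neighbouring prototypes use names that match their definitions; `void password_validate_length(const struct password_item *pi);` keeps the two consistent. A short comment on the declaration that violations are reported through `cf_error()` rather than a return value would tell callers that this function is meant for the configuration parser, which is presumably the only context in which `cf_error()` is usable.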