bird/proto/babel/config.Y
Ondrej Zajicek (work) b174cc0abc Babel: Add MAC authentication support - update
Some cleanups and bugfixes to the previous patch, including:

 - Fix rate limiting in index mismatch check

 - Fix missing BABEL_AUTH_INDEX_LEN in auth_tx_overhead computation

 - Fix missing auth_tx_overhead recalculation during reconfiguration

 - Fix pseudoheader construction in babel_auth_sign() (sport vs fport)

 - Fix typecasts for ptrdiffs in log messages

 - Make auth log messages similar to corresponding RIP/OSPF ones

 - Change auth log messages for events that happen during regular
   operation to debug messages

 - Switch meaning of babel_auth_check*() functions for consistency
   with corresponding RIP/OSPF ones

 - Remove requirement for min/max key length, only those required by
   given MAC code are enforced
2021-06-06 16:28:18 +02:00

184 lines
6.2 KiB
Text

/*
* BIRD -- Babel Configuration
*
* Copyright (c) 2015-2016 Toke Hoiland-Jorgensen
* (c) 2016--2017 Ondrej Zajicek <santiago@crfreenet.org>
* (c) 2016--2017 CZ.NIC z.s.p.o.
*
* Can be freely distributed and used under the terms of the GNU GPL.
*/
CF_HDR
#include "proto/babel/babel.h"
#include "nest/iface.h"
CF_DEFINES
#define BABEL_CFG ((struct babel_config *) this_proto)
#define BABEL_IFACE ((struct babel_iface_config *) this_ipatt)
CF_DECLS
CF_KEYWORDS(BABEL, INTERFACE, METRIC, RXCOST, HELLO, UPDATE, INTERVAL, PORT,
TYPE, WIRED, WIRELESS, RX, TX, BUFFER, PRIORITY, LENGTH, CHECK, LINK,
NEXT, HOP, IPV4, IPV6, BABEL_METRIC, SHOW, INTERFACES, NEIGHBORS,
ENTRIES, RANDOMIZE, ROUTER, ID, AUTHENTICATION, NONE, MAC, PERMISSIVE)
CF_GRAMMAR
proto: babel_proto ;
babel_proto_start: proto_start BABEL
{
this_proto = proto_config_new(&proto_babel, $1);
init_list(&BABEL_CFG->iface_list);
BABEL_CFG->hold_time = 1 S_;
};
babel_proto_item:
proto_item
| proto_channel
| INTERFACE babel_iface
| RANDOMIZE ROUTER ID bool { BABEL_CFG->randomize_router_id = $4; }
;
babel_proto_opts:
/* empty */
| babel_proto_opts babel_proto_item ';'
;
babel_proto:
babel_proto_start proto_name '{' babel_proto_opts '}';
babel_iface_start:
{
this_ipatt = cfg_allocz(sizeof(struct babel_iface_config));
add_tail(&BABEL_CFG->iface_list, NODE this_ipatt);
init_list(&this_ipatt->ipn_list);
reset_passwords();
BABEL_IFACE->port = BABEL_PORT;
BABEL_IFACE->type = BABEL_IFACE_TYPE_WIRED;
BABEL_IFACE->limit = BABEL_HELLO_LIMIT;
BABEL_IFACE->tx_tos = IP_PREC_INTERNET_CONTROL;
BABEL_IFACE->tx_priority = sk_priority_control;
BABEL_IFACE->check_link = 1;
};
babel_iface_finish:
{
if (BABEL_IFACE->type == BABEL_IFACE_TYPE_WIRELESS)
{
if (!BABEL_IFACE->hello_interval)
BABEL_IFACE->hello_interval = BABEL_HELLO_INTERVAL_WIRELESS;
if (!BABEL_IFACE->rxcost)
BABEL_IFACE->rxcost = BABEL_RXCOST_WIRELESS;
}
else
{
if (!BABEL_IFACE->hello_interval)
BABEL_IFACE->hello_interval = BABEL_HELLO_INTERVAL_WIRED;
if (!BABEL_IFACE->rxcost)
BABEL_IFACE->rxcost = BABEL_RXCOST_WIRED;
}
/* Make sure we do not overflow the 16-bit centisec fields */
if (!BABEL_IFACE->update_interval)
BABEL_IFACE->update_interval = MIN_(BABEL_IFACE->hello_interval*BABEL_UPDATE_INTERVAL_FACTOR, BABEL_MAX_INTERVAL);
BABEL_IFACE->ihu_interval = MIN_(BABEL_IFACE->hello_interval*BABEL_IHU_INTERVAL_FACTOR, BABEL_MAX_INTERVAL);
BABEL_CFG->hold_time = MAX_(BABEL_CFG->hold_time, BABEL_IFACE->update_interval*BABEL_HOLD_TIME_FACTOR);
BABEL_IFACE->passwords = get_passwords();
if (!BABEL_IFACE->auth_type != !BABEL_IFACE->passwords)
cf_error("Authentication and password options should be used together");
if (BABEL_IFACE->passwords)
{
struct password_item *pass;
uint len = 0, i = 0;
WALK_LIST(pass, *BABEL_IFACE->passwords)
{
/* Set default crypto algorithm (HMAC-SHA256) */
if (!pass->alg)
pass->alg = ALG_HMAC_SHA256;
if (!((pass->alg & ALG_HMAC) ||
(pass->alg == ALG_BLAKE2S_128) ||
(pass->alg == ALG_BLAKE2S_256) ||
(pass->alg == ALG_BLAKE2B_256) ||
(pass->alg == ALG_BLAKE2B_512)))
cf_error("Only HMAC and Blake2 algorithms are supported");
len += mac_type_length(pass->alg);
i++;
}
BABEL_IFACE->mac_num_keys = i;
BABEL_IFACE->mac_total_len = len;
}
};
babel_iface_item:
| PORT expr { BABEL_IFACE->port = $2; if (($2<1) || ($2>65535)) cf_error("Invalid port number"); }
| RXCOST expr { BABEL_IFACE->rxcost = $2; if (($2<1) || ($2>65535)) cf_error("Invalid rxcost"); }
| LIMIT expr { BABEL_IFACE->limit = $2; if (($2<1) || ($2>16)) cf_error("Limit must be in range 1-16"); }
| TYPE WIRED { BABEL_IFACE->type = BABEL_IFACE_TYPE_WIRED; }
| TYPE WIRELESS { BABEL_IFACE->type = BABEL_IFACE_TYPE_WIRELESS; }
| HELLO INTERVAL expr_us { BABEL_IFACE->hello_interval = $3; if (($3<BABEL_MIN_INTERVAL) || ($3>BABEL_MAX_INTERVAL)) cf_error("Hello interval must be in range 10 ms - 655 s"); }
| UPDATE INTERVAL expr_us { BABEL_IFACE->update_interval = $3; if (($3<BABEL_MIN_INTERVAL) || ($3>BABEL_MAX_INTERVAL)) cf_error("Update interval must be in range 10 ms - 655 s"); }
| RX BUFFER expr { BABEL_IFACE->rx_buffer = $3; if (($3<256) || ($3>65535)) cf_error("RX buffer must be in range 256-65535"); }
| TX LENGTH expr { BABEL_IFACE->tx_length = $3; if (($3<256) || ($3>65535)) cf_error("TX length must be in range 256-65535"); }
| TX tos { BABEL_IFACE->tx_tos = $2; }
| TX PRIORITY expr { BABEL_IFACE->tx_priority = $3; }
| CHECK LINK bool { BABEL_IFACE->check_link = $3; }
| NEXT HOP IPV4 ipa { BABEL_IFACE->next_hop_ip4 = $4; if (!ipa_is_ip4($4)) cf_error("Must be an IPv4 address"); }
| NEXT HOP IPV6 ipa { BABEL_IFACE->next_hop_ip6 = $4; if (!ipa_is_ip6($4)) cf_error("Must be an IPv6 address"); }
| AUTHENTICATION NONE { BABEL_IFACE->auth_type = BABEL_AUTH_NONE; }
| AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 0; }
| AUTHENTICATION MAC PERMISSIVE { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 1; }
| password_list
;
babel_iface_opts:
/* empty */
| babel_iface_opts babel_iface_item ';'
;
babel_iface_opt_list:
/* empty */
| '{' babel_iface_opts '}'
;
babel_iface:
babel_iface_start iface_patt_list_nopx babel_iface_opt_list babel_iface_finish;
dynamic_attr: BABEL_METRIC { $$ = f_new_dynamic_attr(EAF_TYPE_INT, T_INT, EA_BABEL_METRIC); } ;
CF_CLI_HELP(SHOW BABEL, ..., [[Show information about Babel protocol]]);
CF_CLI(SHOW BABEL INTERFACES, optproto opttext, [<name>] [\"<interface>\"], [[Show information about Babel interfaces]])
{ PROTO_WALK_CMD($4, &proto_babel, p) babel_show_interfaces(p, $5); };
CF_CLI(SHOW BABEL NEIGHBORS, optproto opttext, [<name>] [\"<interface>\"], [[Show information about Babel neighbors]])
{ PROTO_WALK_CMD($4, &proto_babel, p) babel_show_neighbors(p, $5); };
CF_CLI(SHOW BABEL ENTRIES, optproto opttext, [<name>], [[Show information about Babel prefix entries]])
{ PROTO_WALK_CMD($4, &proto_babel, p) babel_show_entries(p); };
CF_CLI(SHOW BABEL ROUTES, optproto opttext, [<name>], [[Show information about Babel route entries]])
{ PROTO_WALK_CMD($4, &proto_babel, p) babel_show_routes(p); };
CF_CODE
CF_END