author     Michael H. Warfield <mhw@WittsEnd.com>    2008-04-15 21:49:45 +0000
committer  Tom Grennan <tgrennan@vyatta.com>         2008-04-15 21:59:57 +0000
commit     4c9782da0f5484e52a00bb769813b5988e857c38
tree       4cea02479b67f00728724727a6c001e05f25a4a3  /lib/sockopt.c
parent     c1bdabf8dd2f22a33fdc35b70b93e871f179445d
TCP MD5SIG patch
from http://www.gossamer-threads.com/lists/quagga/dev/15611
Re: [quagga-users 9315] New md5 signature patch for bgp... quagga_md5_bsd_linux_v9.diff
mhw at wittsend, Jan 28, 2008, 12:55 PM

And, of course, the moment I send off a patch against 0.99.9 and claim
it should patch the CVS, I find out it does not.

On Mon, 2008-01-28 at 14:50 -0500, Michael H. Warfield wrote:
> Hello all!
> Building on the efforts of Leigh Brown and the earlier works on an MD5
> signature patch for bgpd, I've incorporated the autoconf efforts by
> Sargun Dhillon on top of my own changes for IPv6 along with filling in a
> few missing spots in the autoconf stuff myself. Leigh had released a v7
> and I subsequently released a v8 patch for md5 signatures for Linux and
> BSD to deal with conflicts with IPv6. This is now a v9 patch
> incorporating some of the changes from Sargun and adding a few of my own
> to complete the autoconf changes.
> This patch is still against 0.99.9 but should patch cleanly against
> CVS.
Attached is the patch against CVS. It does NOT have a patch for
config.h.in (that was a mistake on my part, it's not in CVS, it's
generated but it's not regenerated if you are working from the releases
and don't rerun autoheader) and fixes a problem with a header file and
some alignments.
> This adds a configure option, --enable-tcp-md5, to enable tcp md5
> signatures. This is not qualified against the operating system on which
> it is being built. The patch should work on BSD and Linux. Other
> operating systems are a crap shoot. I don't know. I presume some other
> errors will occur on other operating systems which do not support MD5
> signatures in this manner. Since they're not supported now, this is no
> great loss. Someone might want to test this in other environments,
> though, and enhance it for those other environments.
>
> Attached...
>
> quagga_md5_bsd_linux_v9.diff
>
> http://www.wittsend.com/mhw/md5sig/quagga_md5_bsd_linux_v9.diff
>
> Is there anything left that needs to be done before this can be
> committed to CVS? Can someone with commit privs please do the honors?
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw[at]WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Attachments:
  quagga_cvs_md5_bsd_linux_v9.diff (18.4 KB)
  <http://www.gossamer-threads.com/lists/engine?do=post_attachment;postatt_id=1184;list=quagga>
  signature.asc (0.30 KB)
  <http://www.gossamer-threads.com/lists/engine?do=post_attachment;postatt_id=1185;list=quagga>
Signed-off-by: Tom Grennan <tgrennan@vyatta.com>
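The --enable-tcp-md5 support the message above describes comes down to one setsockopt(TCP_MD5SIG) per peer. As an added example, not code from this patch or from Quagga, here is that call on Linux for an IPv4 or IPv6 peer, with the password-length check against the kernel's TCP_MD5SIG_MAXKEYLEN that the raw call does not make for the caller. It assumes Linux with glibc's <netinet/tcp.h>; the function names (tcp_md5sig_build, tcp_md5sig_apply, tcp_md5sig_check, parse_peer), the peer 192.0.2.1:179 and the key "s3cret" are chosen here for illustration, not taken from the project.

```c
/*
 * Added example, not Quagga code: install a TCP-MD5 (RFC 2385) signature
 * key for one peer on a Linux socket, with the checks a raw setsockopt()
 * leaves to the caller.  Assumes Linux and glibc's <netinet/tcp.h>, which
 * define TCP_MD5SIG, TCP_MD5SIG_MAXKEYLEN and struct tcp_md5sig.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

/* Fill *md5sig for `peer` (AF_INET or AF_INET6).  `key` is the configured
 * password; NULL or "" means "remove the key for this peer".  The kernel
 * keeps the key in the fixed array tcpm_key[TCP_MD5SIG_MAXKEYLEN], so an
 * over-long password is rejected here, before the memcpy, instead of being
 * left for the kernel to reject after the copy has overrun the struct.
 * Returns 0 on success, -1 with errno set otherwise. */
static int
tcp_md5sig_build (struct tcp_md5sig *md5sig, const struct sockaddr *peer,
                  socklen_t peerlen, const char *key)
{
  size_t keylen = key ? strlen (key) : 0;

  if (keylen > TCP_MD5SIG_MAXKEYLEN)
    { errno = EINVAL; return -1; }
  if (peer->sa_family != AF_INET && peer->sa_family != AF_INET6)
    { errno = EAFNOSUPPORT; return -1; }
  if (peerlen > sizeof (md5sig->tcpm_addr))   /* tcpm_addr is a sockaddr_storage */
    { errno = EINVAL; return -1; }

  memset (md5sig, 0, sizeof (*md5sig));
  memcpy (&md5sig->tcpm_addr, peer, peerlen);
  md5sig->tcpm_keylen = (uint16_t) keylen;
  if (keylen)
    memcpy (md5sig->tcpm_key, key, keylen);   /* raw key bytes, no NUL */
  return 0;
}

/* Install (non-empty key) or remove (NULL/"" key) the MD5 key for `peer`
 * on `sock`.  Returns 0, or -1 with errno set (ENOPROTOOPT on a kernel
 * built without CONFIG_TCP_MD5SIG). */
static int
tcp_md5sig_apply (int sock, const struct sockaddr *peer, socklen_t peerlen,
                  const char *key)
{
  struct tcp_md5sig md5sig;

  if (tcp_md5sig_build (&md5sig, peer, peerlen, key) < 0)
    return -1;
  return setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig);
}

/* Parse a textual IPv4/IPv6 address into *ss.  Returns the sockaddr length
 * to pass on, or 0 if `text` is not an address. */
static socklen_t
parse_peer (const char *text, uint16_t port, struct sockaddr_storage *ss)
{
  struct sockaddr_in *sin = (struct sockaddr_in *) ss;
  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) ss;

  memset (ss, 0, sizeof (*ss));
  if (inet_pton (AF_INET, text, &sin->sin_addr) == 1)
    { sin->sin_family = AF_INET; sin->sin_port = htons (port); return sizeof (*sin); }
  if (inet_pton (AF_INET6, text, &sin6->sin6_addr) == 1)
    { sin6->sin6_family = AF_INET6; sin6->sin6_port = htons (port); return sizeof (*sin6); }
  return 0;
}

/* Dry run: build the option for `peer_text`/`key` without touching a socket.
 * Returns the key length that would be installed (0 = key removed), or -1
 * with errno set. */
static int
tcp_md5sig_check (const char *peer_text, const char *key)
{
  struct sockaddr_storage peer;
  struct tcp_md5sig md5sig;
  socklen_t len = parse_peer (peer_text, 179, &peer);

  if (len == 0)
    { errno = EINVAL; return -1; }
  if (tcp_md5sig_build (&md5sig, (struct sockaddr *) &peer, len, key) < 0)
    return -1;
  return md5sig.tcpm_keylen;
}

int
main (void)
{
  /* Constructed values: a BGP peer at 192.0.2.1:179 with password "s3cret". */
  struct sockaddr_storage peer;
  socklen_t len = parse_peer ("192.0.2.1", 179, &peer);
  int sock = socket (AF_INET, SOCK_STREAM, 0);

  if (len == 0 || sock < 0)
    { perror ("socket"); return 1; }
  if (tcp_md5sig_apply (sock, (struct sockaddr *) &peer, len, "s3cret") < 0)
    perror ("setsockopt TCP_MD5SIG");
  else
    puts ("TCP-MD5 key installed for 192.0.2.1:179");
  close (sock);
  return 0;
}
```

The key is passed as raw bytes without the terminating NUL, which is what the kernel hashes and what the patch's Linux branch also does; the length check is the part the patch omits. The same struct holds an IPv6 peer because tcpm_addr is a sockaddr_storage, which is why the builder takes a generic sockaddr plus length rather than a sockaddr_in.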
Diffstat (limited to 'lib/sockopt.c')
-rw-r--r-- | lib/sockopt.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/lib/sockopt.c b/lib/sockopt.c index f8fa946e..985c3a38 100644 --- a/lib/sockopt.c +++ b/lib/sockopt.c @@ -480,3 +480,36 @@ sockopt_iphdrincl_swab_systoh (struct ip *iph) iph->ip_id = ntohs(iph->ip_id); } + +#if defined(HAVE_TCP_MD5SIG) +int +sockopt_tcp_signature (int sock, struct sockaddr_in *sin, const char *password) +{ + int keylen = password ? strlen(password) : 0; + +#if defined(GNU_LINUX) + + struct tcp_md5sig md5sig; + + bzero ((char *)&md5sig, sizeof(md5sig)); + memcpy (&md5sig.tcpm_addr, sin, sizeof(*sin)); + md5sig.tcpm_keylen = keylen; + if (keylen) + memcpy (md5sig.tcpm_key, password, keylen); + + return setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig); + +#else /* !GNU_LINUX */ + + int enable = keylen ? (TCP_SIG_SPI_BASE + sin->sin_port) : 0; + + /* + * XXX Need to do PF_KEY operation here to add/remove an SA entry, + * and add/remove an SP entry for this peer's packet flows also. + */ + return setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &enable, + sizeof(enable)); + +#endif /* !GNU_LINUX */ +} +#endif /* HAVE_TCP_MD5SIG */ |
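Review bot: in the GNU_LINUX branch, `memcpy (md5sig.tcpm_key, password, keylen)` has no upper bound on `keylen`, which comes straight from `strlen(password)`, while `tcpm_key` is a fixed-size array in the kernel's `struct tcp_md5sig` (TCP_MD5SIG_MAXKEYLEN, 80 bytes on Linux); a neighbor password longer than that overruns the stack frame before setsockopt() ever sees the request. Reject it before the copy, e.g. `if (keylen > TCP_MD5SIG_MAXKEYLEN) { errno = EINVAL; return -1; }` right after `keylen` is computed, so the caller gets an error rather than a corrupted stack. Two smaller points: the signature takes only a `struct sockaddr_in *`, so although the cover mail mentions IPv6 work, an IPv6 peer cannot reach this call without a `sockaddr *` plus length variant (tcpm_addr is a sockaddr_storage and would hold either family); and in the BSD branch the XXX comment means the function can return 0 while no SA or key has been installed, so callers should not treat a zero return there as "signatures active" until the PF_KEY part exists. Style: `bzero` is legacy; `memset (&md5sig, 0, sizeof md5sig)` matches the rest of lib/.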