authorMichael H. Warfield <mhw@WittsEnd.com>2008-04-15 21:49:45 +0000
committerTom Grennan <tgrennan@vyatta.com>2008-04-15 21:59:57 +0000
commit4c9782da0f5484e52a00bb769813b5988e857c38 (patch)
tree4cea02479b67f00728724727a6c001e05f25a4a3 /lib
parentc1bdabf8dd2f22a33fdc35b70b93e871f179445d (diff)
downloadquagga-4c9782da0f5484e52a00bb769813b5988e857c38.tar.bz2
quagga-4c9782da0f5484e52a00bb769813b5988e857c38.tar.xz
TCP MD5SIG patch
from http://www.gossamer-threads.com/lists/quagga/dev/15611 [clear_shim] Re: [quagga-users 9315] New md5 signature patch for bgp... quagga_md5_bsd_linux_v9.diff Remove Highlighting [In reply to] mhw at wittsend ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Jan 28, 2008, 12:55 PM And, of course, the moment I send off a patch against 0.99.9 and claim it should patch the CVS, I find out it does not. Post #2 of 3 (192 views) On Mon, 2008-01-28 at 14:50 -0500, Michael H. Warfield wrote: Permalink > Hello all! > Building on the efforts of Leigh Brown and the earlier works on an MD5 > signature patch for bgpd, I've incorporated the autoconf efforts by > Sargun Dhillon on top of my own changes for IPv6 along with filling in a > few missing spots in the autoconf stuff myself. Leigh had released a v7 > and I subsequently released a v8 patch for md5 signatures for Linux and > BSD to deal with conflicts with IPv6. This is now a v9 patch > incorporating some of the changes from Sargun and adding a few of my own > to complete the autoconf changes. > This patch is still against 0.99.9 but should patch cleanly against > CVS. Attached is the patch against CVS. It does NOT have a patch for config.h.in (that was a mistake on my part, it's not in CVS, it's generated but it's not regenerated if you are working from the releases and don't rerun autoheader) and fixes a problem with a header file and some alignments. [cl] > This adds a configure option, --enable-tcp-md5, to enable tcp md5 [cl] > signatures. This is not qualified against the operating system on which > it is being built. The patch should work on BSD and Linux. Other > operation systems are a crap shoot. I don't know. I presume some other > errors will occur on other operating systems which do not support MD5 > signatures in this manner. Since they're not supported now, this is no > great loss. 
Someone might want to test this in other environments, > though, and enhance it for those other environments. > > Attached... > > quagga_md5_bsd_linux_v9.diff > > http://www.wittsend.com/mhw/md5sig/quagga_md5_bsd_linux_v9.diff > > Is there anything left that needs to be done before this can be > committed to CVS? Can someone with commit privs please do the honors? Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw[at]WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! Attachments: [unknown] quagga_cvs_md5_bsd_linux_v9.diff (18.4 KB) <http://www.gossamer-threads.com/lists/engine?do=post_attachment;postatt_id=1184;list=quagga> [unknown] signature.asc (0.30 KB) <http://www.gossamer-threads.com/lists/engine?do=post_attachment;postatt_id=1185;list=quagga> Signed-off-by: Tom Grennan <tgrennan@vyatta.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/sockopt.c33
-rw-r--r--lib/sockopt.h28
2 files changed, 61 insertions, 0 deletions
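--- a/lib/sockopt.c
+++ b/lib/sockopt.c
@@ -480,3 +480,36 @@ sockopt_iphdrincl_swab_systoh (struct ip *iph)
 iph->ip_id = ntohs(iph->ip_id);
 }
+
+#if defined(HAVE_TCP_MD5SIG)
+int
+sockopt_tcp_signature (int sock, struct sockaddr_in *sin, const char *password)
+{
+ int keylen = password ? strlen(password) : 0;
+
+#if defined(GNU_LINUX)
+
+ struct tcp_md5sig md5sig;
+
+ bzero ((char *)&md5sig, sizeof(md5sig));
+ memcpy (&md5sig.tcpm_addr, sin, sizeof(*sin));
+ md5sig.tcpm_keylen = keylen;
+ if (keylen)
+ memcpy (md5sig.tcpm_key, password, keylen);
+
+ return setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig);
+
+#else /* !GNU_LINUX */
+
+ int enable = keylen ? (TCP_SIG_SPI_BASE + sin->sin_port) : 0;
+
+ /*
+ * XXX Need to do PF_KEY operation here to add/remove an SA entry,
+ * and add/remove an SP entry for this peer's packet flows also.
+ */
+ return setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &enable,
+ sizeof(enable));
+
+#endif /* !GNU_LINUX */
+}
+#endif /* HAVE_TCP_MD5SIG */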
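Review bot: In the GNU_LINUX branch of sockopt_tcp_signature, `keylen` is never bounded before `memcpy (md5sig.tcpm_key, password, keylen)`, so a password longer than TCP_MD5SIG_MAXKEYLEN (80 bytes per the companion header) overruns the fixed `tcpm_key` array on the stack, and the assignment to the `__u16` field `tcpm_keylen` silently truncates the length. Reject over-long keys before the copy, e.g. `if (keylen > TCP_MD5SIG_MAXKEYLEN) return -1;`, and declare `keylen` as `size_t` since it comes from strlen. Because `md5sig` holds the shared secret, clearing it after the setsockopt call with a memset the compiler cannot elide (explicit_bzero where available) limits how long the key lingers on the stack. The non-Linux branch never uses `password` and builds `enable` from the network-byte-order `sin_port`, which the XXX comment already marks as a placeholder; a comment on the function stating that non-Linux support is incomplete would keep callers from assuming the signature is actually installed there.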
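--- a/lib/sockopt.h
+++ b/lib/sockopt.h
@@ -98,4 +98,32 @@ extern int getsockopt_ifindex (int, struct msghdr *);
 extern void sockopt_iphdrincl_swab_htosys (struct ip *iph);
 extern void sockopt_iphdrincl_swab_systoh (struct ip *iph);
+#if defined(HAVE_TCP_MD5SIG)
+
+#if defined(GNU_LINUX) && !defined(TCP_MD5SIG)
+
+/* XXX these will come from <linux/tcp.h> eventually */
+
+#define TCP_MD5SIG 14
+#define TCP_MD5SIG_MAXKEYLEN 80
+
+struct tcp_md5sig {
+ struct sockaddr_storage tcpm_addr; /* address associated */
+ __u16 __tcpm_pad1; /* zero */
+ __u16 tcpm_keylen; /* key length */
+ __u32 __tcpm_pad2; /* zero */
+ __u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* key (binary) */
+};
+
+#endif /* defined(GNU_LINUX) && !defined(TCP_MD5SIG) */
+
+#if !defined(GNU_LINUX) && !defined(TCP_SIG_SPI_BASE)
+#define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
+#endif
+
+extern int sockopt_tcp_signature(int sock, struct sockaddr_in *sin,
+ const char *password);
+
+#endif /* HAVE_TCP_MD5SIG */
+
 #endif /*_ZEBRA_SOCKOPT_H */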
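Review bot: The fallback `struct tcp_md5sig` near the top of the hunk is an ABI mirror of the kernel's structure, so its field types, order and padding must match the kernel byte for byte or setsockopt will read the wrong key length and key bytes; it also relies on the kernel `__u16`/`__u32`/`__u8` types, which need `<linux/types.h>` (or `<asm/types.h>`) in scope, and I cannot see from this hunk whether sockopt.h includes them. A one-line comment next to the existing `XXX these will come from <linux/tcp.h> eventually` naming the kernel header and version this layout was copied from would make later drift detectable. The new prototype `sockopt_tcp_signature` also has no contract comment; I would add `/* Install, or with a NULL/empty password request removal of, the TCP MD5 signature key for peer sin on sock. Returns the setsockopt() result (0, or -1 with errno). Keys longer than TCP_MD5SIG_MAXKEYLEN are not supported. */`.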