0
0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-12-22 01:31:55 +00:00

Nest: Allow MAC algorithms to specify min/max key length

Add min/max key length fields to the MAC algorithm description and
validate configured keys before they are used.
This commit is contained in:
Toke Høiland-Jørgensen 2021-04-15 04:38:49 +02:00 committed by Ondrej Zajicek (work)
parent 35f88b305a
commit 589f7d1e4f
5 changed files with 37 additions and 3 deletions

View File

@ -173,7 +173,7 @@ hmac_final(struct mac_context *ctx)
{ \
name, size/8, sizeof(struct vx##_context), \
vx##_mac_init, vx##_mac_update, vx##_mac_final, \
size/8, VX##_BLOCK_SIZE, NULL, NULL, NULL \
size/8, VX##_BLOCK_SIZE, NULL, NULL, NULL, 0, VX##_SIZE \
}
const struct mac_desc mac_table[ALG_MAX] = {

View File

@ -94,6 +94,8 @@ struct mac_desc {
void (*hash_init)(struct hash_context *ctx);
void (*hash_update)(struct hash_context *ctx, const byte *data, uint datalen);
byte *(*hash_final)(struct hash_context *ctx);
uint min_key_length; /* Minimum allowed key length */
uint max_key_length; /* Maximum allowed key length */
};
extern const struct mac_desc mac_table[ALG_MAX];

View File

@ -504,8 +504,8 @@ password_items:
;
password_item:
password_item_begin '{' password_item_params '}'
| password_item_begin
password_item_begin '{' password_item_params '}' password_item_end
| password_item_begin password_item_end
;
password_item_begin:
@ -542,6 +542,11 @@ password_algorithm:
| BLAKE2B512 { $$ = ALG_BLAKE2B_512; }
;
password_item_end:
{
password_validate_length(this_p_item);
};
/* BFD options */

View File

@ -9,6 +9,7 @@
#include "nest/bird.h"
#include "nest/password.h"
#include "conf/conf.h"
#include "lib/string.h"
#include "lib/timer.h"
#include "lib/mac.h"
@ -85,3 +86,28 @@ max_mac_length(list *l)
return val;
}
/**
* password_validate_length - enforce key length restrictions
* @pi: Password item
*
* This is a common MAC algorithm validation function that will enforce that the
* key length constrains specified in the MAC type table.
*/
void
password_validate_length(const struct password_item *pi)
{
if (!pi->alg)
return;
const struct mac_desc *alg = &mac_table[pi->alg];
if (alg->min_key_length && (pi->length < alg->min_key_length))
cf_error("Key length (%u B) below minimum length of %u B for %s",
pi->length, alg->min_key_length, alg->name);
if (alg->max_key_length && (pi->length > alg->max_key_length))
cf_error("Key length (%u B) exceeds maximum length of %u B for %s",
pi->length, alg->max_key_length, alg->name);
}

View File

@ -24,6 +24,7 @@ extern struct password_item *last_password_item;
struct password_item *password_find(list *l, int first_fit);
struct password_item *password_find_by_id(list *l, uint id);
struct password_item *password_find_by_value(list *l, char *pass, uint size);
void password_validate_length(const struct password_item *p);
static inline int password_verify(struct password_item *p1, char *p2, uint size)
{