mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2024-12-22 09:41:54 +00:00
Implementation of MD5 authentication of BGP sessions.
This commit is contained in:
parent
11cb620266
commit
d51aa28190
@ -39,6 +39,7 @@ typedef struct birdsock {
|
|||||||
int fd; /* System-dependent data */
|
int fd; /* System-dependent data */
|
||||||
node n;
|
node n;
|
||||||
void *rbuf_alloc, *tbuf_alloc;
|
void *rbuf_alloc, *tbuf_alloc;
|
||||||
|
char *password; /* Password for MD5 authentication */
|
||||||
} sock;
|
} sock;
|
||||||
|
|
||||||
sock *sk_new(pool *); /* Allocate new socket */
|
sock *sk_new(pool *); /* Allocate new socket */
|
||||||
@ -47,6 +48,7 @@ int sk_send(sock *, unsigned len); /* Send data, <0=err, >0=ok, 0=sleep */
|
|||||||
int sk_send_to(sock *, unsigned len, ip_addr to, unsigned port); /* sk_send to given destination */
|
int sk_send_to(sock *, unsigned len, ip_addr to, unsigned port); /* sk_send to given destination */
|
||||||
void sk_reallocate(sock *); /* Free and allocate tbuf & rbuf */
|
void sk_reallocate(sock *); /* Free and allocate tbuf & rbuf */
|
||||||
void sk_dump_all(void);
|
void sk_dump_all(void);
|
||||||
|
int sk_set_md5_auth(sock *s, ip_addr a, char *passwd); /* Add or remove security associations for given passive socket */
|
||||||
|
|
||||||
static inline int
|
static inline int
|
||||||
sk_send_buffer_empty(sock *sk)
|
sk_send_buffer_empty(sock *sk)
|
||||||
|
@ -78,10 +78,14 @@ static void bgp_setup_listen_sk(void);
|
|||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
bgp_close(struct bgp_proto *p UNUSED)
|
bgp_close(struct bgp_proto *p)
|
||||||
{
|
{
|
||||||
ASSERT(bgp_counter);
|
ASSERT(bgp_counter);
|
||||||
bgp_counter--;
|
bgp_counter--;
|
||||||
|
|
||||||
|
if (p->cf->password)
|
||||||
|
sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL);
|
||||||
|
|
||||||
if (!bgp_counter)
|
if (!bgp_counter)
|
||||||
{
|
{
|
||||||
rfree(bgp_listen_sk);
|
rfree(bgp_listen_sk);
|
||||||
@ -330,6 +334,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
|
|||||||
bgp_setup_conn(p, conn);
|
bgp_setup_conn(p, conn);
|
||||||
bgp_setup_sk(p, conn, s);
|
bgp_setup_sk(p, conn, s);
|
||||||
s->tx_hook = bgp_connected;
|
s->tx_hook = bgp_connected;
|
||||||
|
s->password = p->cf->password;
|
||||||
conn->state = BS_CONNECT;
|
conn->state = BS_CONNECT;
|
||||||
if (sk_open(s))
|
if (sk_open(s))
|
||||||
{
|
{
|
||||||
@ -506,6 +511,7 @@ bgp_start(struct proto *P)
|
|||||||
|
|
||||||
bgp_counter++;
|
bgp_counter++;
|
||||||
bgp_setup_listen_sk();
|
bgp_setup_listen_sk();
|
||||||
|
|
||||||
if (!bgp_linpool)
|
if (!bgp_linpool)
|
||||||
bgp_linpool = lp_new(&root_pool, 4080);
|
bgp_linpool = lp_new(&root_pool, 4080);
|
||||||
|
|
||||||
@ -523,6 +529,17 @@ bgp_start(struct proto *P)
|
|||||||
lock->hook = bgp_start_locked;
|
lock->hook = bgp_start_locked;
|
||||||
lock->data = p;
|
lock->data = p;
|
||||||
olock_acquire(lock);
|
olock_acquire(lock);
|
||||||
|
|
||||||
|
/* We should create security association after we get a lock not to
|
||||||
|
* break existing connections.
|
||||||
|
*/
|
||||||
|
if (p->cf->password)
|
||||||
|
{
|
||||||
|
int rv = sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, p->cf->password);
|
||||||
|
if (rv < 0)
|
||||||
|
return PS_STOP;
|
||||||
|
}
|
||||||
|
|
||||||
return PS_START;
|
return PS_START;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,6 +33,7 @@ struct bgp_config {
|
|||||||
unsigned error_delay_time_min; /* Time to wait after an error is detected */
|
unsigned error_delay_time_min; /* Time to wait after an error is detected */
|
||||||
unsigned error_delay_time_max;
|
unsigned error_delay_time_max;
|
||||||
unsigned disable_after_error; /* Disable the protocol when error is detected */
|
unsigned disable_after_error; /* Disable the protocol when error is detected */
|
||||||
|
char *password; /* Password used for MD5 authentication */
|
||||||
};
|
};
|
||||||
|
|
||||||
struct bgp_conn {
|
struct bgp_conn {
|
||||||
|
@ -20,7 +20,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY, KEEPALIVE,
|
|||||||
MULTIHOP, STARTUP, VIA, NEXT, HOP, SELF, DEFAULT, PATH, METRIC,
|
MULTIHOP, STARTUP, VIA, NEXT, HOP, SELF, DEFAULT, PATH, METRIC,
|
||||||
ERROR, START, DELAY, FORGET, WAIT, DISABLE, AFTER,
|
ERROR, START, DELAY, FORGET, WAIT, DISABLE, AFTER,
|
||||||
BGP_PATH, BGP_LOCAL_PREF, BGP_MED, BGP_ORIGIN, BGP_NEXT_HOP,
|
BGP_PATH, BGP_LOCAL_PREF, BGP_MED, BGP_ORIGIN, BGP_NEXT_HOP,
|
||||||
BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS)
|
BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS, PASSWORD)
|
||||||
|
|
||||||
CF_GRAMMAR
|
CF_GRAMMAR
|
||||||
|
|
||||||
@ -38,6 +38,7 @@ bgp_proto_start: proto_start BGP {
|
|||||||
BGP_CFG->error_amnesia_time = 300;
|
BGP_CFG->error_amnesia_time = 300;
|
||||||
BGP_CFG->error_delay_time_min = 60;
|
BGP_CFG->error_delay_time_min = 60;
|
||||||
BGP_CFG->error_delay_time_max = 300;
|
BGP_CFG->error_delay_time_max = 300;
|
||||||
|
BGP_CFG->password = NULL;
|
||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
|
||||||
@ -65,6 +66,7 @@ bgp_proto:
|
|||||||
| bgp_proto ERROR FORGET TIME expr ';' { BGP_CFG->error_amnesia_time = $5; }
|
| bgp_proto ERROR FORGET TIME expr ';' { BGP_CFG->error_amnesia_time = $5; }
|
||||||
| bgp_proto ERROR WAIT TIME expr ',' expr ';' { BGP_CFG->error_delay_time_min = $5; BGP_CFG->error_delay_time_max = $7; }
|
| bgp_proto ERROR WAIT TIME expr ',' expr ';' { BGP_CFG->error_delay_time_min = $5; BGP_CFG->error_delay_time_max = $7; }
|
||||||
| bgp_proto DISABLE AFTER ERROR bool ';' { BGP_CFG->disable_after_error = $5; }
|
| bgp_proto DISABLE AFTER ERROR bool ';' { BGP_CFG->disable_after_error = $5; }
|
||||||
|
| bgp_proto PASSWORD TEXT ';' { BGP_CFG->password = $3; }
|
||||||
;
|
;
|
||||||
|
|
||||||
CF_ADDTO(dynamic_attr, BGP_PATH
|
CF_ADDTO(dynamic_attr, BGP_PATH
|
||||||
|
@ -139,3 +139,24 @@ static inline char *sysio_mcast_join(sock *s)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include <linux/socket.h>
|
||||||
|
#include <linux/tcp.h>
|
||||||
|
|
||||||
|
/* For the case that we have older kernel headers */
|
||||||
|
/* Copied from Linux kernel file include/linux/tcp.h */
|
||||||
|
|
||||||
|
#ifndef TCP_MD5SIG
|
||||||
|
|
||||||
|
#define TCP_MD5SIG 14
|
||||||
|
#define TCP_MD5SIG_MAXKEYLEN 80
|
||||||
|
|
||||||
|
struct tcp_md5sig {
|
||||||
|
struct __kernel_sockaddr_storage tcpm_addr; /* address associated */
|
||||||
|
__u16 __tcpm_pad1; /* zero */
|
||||||
|
__u16 tcpm_keylen; /* key length */
|
||||||
|
__u32 __tcpm_pad2; /* zero */
|
||||||
|
__u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* key (binary) */
|
||||||
|
};
|
||||||
|
|
||||||
|
#endif
|
||||||
|
@ -546,6 +546,7 @@ sk_new(pool *p)
|
|||||||
s->err_hook = NULL;
|
s->err_hook = NULL;
|
||||||
s->fd = -1;
|
s->fd = -1;
|
||||||
s->rbuf_alloc = s->tbuf_alloc = NULL;
|
s->rbuf_alloc = s->tbuf_alloc = NULL;
|
||||||
|
s->password = NULL;
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -642,6 +643,71 @@ bad:
|
|||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* FIXME: check portability */
|
||||||
|
|
||||||
|
static int
|
||||||
|
sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd)
|
||||||
|
{
|
||||||
|
struct tcp_md5sig md5;
|
||||||
|
|
||||||
|
memset(&md5, 0, sizeof(md5));
|
||||||
|
memcpy(&md5.tcpm_addr, (struct sockaddr *) sa, sizeof(*sa));
|
||||||
|
|
||||||
|
if (passwd)
|
||||||
|
{
|
||||||
|
int len = strlen(passwd);
|
||||||
|
|
||||||
|
if (len > TCP_MD5SIG_MAXKEYLEN)
|
||||||
|
{
|
||||||
|
log(L_ERR "MD5 password too long");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
md5.tcpm_keylen = len;
|
||||||
|
memcpy(&md5.tcpm_key, passwd, len);
|
||||||
|
}
|
||||||
|
|
||||||
|
int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5));
|
||||||
|
|
||||||
|
if (rv < 0)
|
||||||
|
{
|
||||||
|
if (errno == ENOPROTOOPT)
|
||||||
|
log(L_ERR "Kernel does not support TCP MD5 signatures");
|
||||||
|
else
|
||||||
|
log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
|
||||||
|
}
|
||||||
|
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* sk_set_md5_auth - add / remove MD5 security association for given socket.
|
||||||
|
* @s: socket
|
||||||
|
* @a: IP address of the other side
|
||||||
|
* @passwd: password used for MD5 authentication
|
||||||
|
*
|
||||||
|
* In TCP MD5 handling code in kernel, there is a set of pairs
|
||||||
|
* (address, password) used to choose password according to
|
||||||
|
* address of the other side. This function is useful for
|
||||||
|
* listening socket, for active sockets it is enough to set
|
||||||
|
* s->password field.
|
||||||
|
*
|
||||||
|
* When called with passwd != NULL, the new pair is added,
|
||||||
|
* When called with passwd == NULL, the existing pair is removed.
|
||||||
|
*
|
||||||
|
* Result: 0 for success, -1 for an error.
|
||||||
|
*/
|
||||||
|
|
||||||
|
int
|
||||||
|
sk_set_md5_auth(sock *s, ip_addr a, char *passwd)
|
||||||
|
{
|
||||||
|
sockaddr sa;
|
||||||
|
fill_in_sockaddr(&sa, a, 0);
|
||||||
|
return sk_set_md5_auth_int(s, &sa, passwd);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
sk_tcp_connected(sock *s)
|
sk_tcp_connected(sock *s)
|
||||||
{
|
{
|
||||||
@ -805,6 +871,14 @@ sk_open(sock *s)
|
|||||||
ERR("bind");
|
ERR("bind");
|
||||||
}
|
}
|
||||||
fill_in_sockaddr(&sa, s->daddr, s->dport);
|
fill_in_sockaddr(&sa, s->daddr, s->dport);
|
||||||
|
|
||||||
|
if (s->password)
|
||||||
|
{
|
||||||
|
int rv = sk_set_md5_auth_int(s, &sa, s->password);
|
||||||
|
if (rv < 0)
|
||||||
|
goto bad_no_log;
|
||||||
|
}
|
||||||
|
|
||||||
switch (type)
|
switch (type)
|
||||||
{
|
{
|
||||||
case SK_TCP_ACTIVE:
|
case SK_TCP_ACTIVE:
|
||||||
@ -846,6 +920,7 @@ sk_open(sock *s)
|
|||||||
|
|
||||||
bad:
|
bad:
|
||||||
log(L_ERR "sk_open: %s: %m", err);
|
log(L_ERR "sk_open: %s: %m", err);
|
||||||
|
bad_no_log:
|
||||||
close(fd);
|
close(fd);
|
||||||
s->fd = -1;
|
s->fd = -1;
|
||||||
return -1;
|
return -1;
|
||||||
|
Loading…
Reference in New Issue
Block a user