author | Toke Høiland-Jørgensen <toke@toke.dk> | 2021-04-15 04:38:49 +0200 |
---|---|---|
committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2021-06-06 16:28:18 +0200 |
commit | 589f7d1e4f3aaca3fec6c38474bb962a9c578ebe (patch) | |
tree | 8c7ed1d80769f9fea6a1189c5577eebf24dbc460 /nest/password.c | |
parent | 35f88b305ab6a0e27b5ff1b445f63f544986e14e (diff) |
Nest: Allow MAC algorithms to specify min/max key length
Add min/max key length fields to the MAC algorithm description and
validate configured keys before they are used.
Diffstat (limited to 'nest/password.c')
-rw-r--r-- | nest/password.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/nest/password.c b/nest/password.c
index 6f87af21..34e2a61e 100644
--- a/nest/password.c
+++ b/nest/password.c
@@ -9,6 +9,7 @@
 #include "nest/bird.h"
 #include "nest/password.h"
+#include "conf/conf.h"
 #include "lib/string.h"
 #include "lib/timer.h"
 #include "lib/mac.h"
@@ -85,3 +86,28 @@ max_mac_length(list *l)
 return val;
 }
+
+/**
+ * password_validate_length - enforce key length restrictions
+ * @pi: Password item
+ *
+ * This is a common MAC algorithm validation function that will enforce that the
+ * key length constrains specified in the MAC type table.
+ */
+
+void
+password_validate_length(const struct password_item *pi)
+{
+ if (!pi->alg)
+ return;
+
+ const struct mac_desc *alg = &mac_table[pi->alg];
+
+ if (alg->min_key_length && (pi->length < alg->min_key_length))
+ cf_error("Key length (%u B) below minimum length of %u B for %s",
+ pi->length, alg->min_key_length, alg->name);
+
+ if (alg->max_key_length && (pi->length > alg->max_key_length))
+ cf_error("Key length (%u B) exceeds maximum length of %u B for %s",
+ pi->length, alg->max_key_length, alg->name);
+} |
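Review bot: The doc comment on password_validate_length in the second hunk does not parse ("will enforce that the key length constrains specified ...") and omits the two things a caller needs: that a zero min_key_length or max_key_length means no limit, and that a violation is reported through cf_error(). I would reword the description to `This is a common MAC algorithm validation function that enforces the key length constraints specified in the MAC type table. A zero limit means unrestricted; violations are reported with cf_error().` Since cf_error() comes in with the new conf/conf.h include, the function is presumably only meant to be called while a configuration is being parsed, and the comment should say so. Separately, `mac_table[pi->alg]` is guarded only against zero; if the range of pi->alg is enforced by the config parser (not visible in this hunk), a one-line comment stating that would make the indexing easier to audit.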