summaryrefslogtreecommitdiff
path: root/nest
diff options
context:
space:
mode:
authorToke Høiland-Jørgensen <toke@toke.dk>2021-04-15 04:38:49 +0200
committerOndrej Zajicek (work) <santiago@crfreenet.org>2021-06-06 16:28:18 +0200
commit589f7d1e4f3aaca3fec6c38474bb962a9c578ebe (patch)
tree8c7ed1d80769f9fea6a1189c5577eebf24dbc460 /nest
parent35f88b305ab6a0e27b5ff1b445f63f544986e14e (diff)
Nest: Allow MAC algorithms to specify min/max key length
Add min/max key length fields to the MAC algorithm description and validate configured keys before they are used.
Diffstat (limited to 'nest')
-rw-r--r--nest/config.Y9
-rw-r--r--nest/password.c26
-rw-r--r--nest/password.h1
3 files changed, 34 insertions, 2 deletions
diff --git a/nest/config.Y b/nest/config.Y
index 8bd89de0..45d18679 100644
--- a/nest/config.Y
+++ b/nest/config.Y
@@ -504,8 +504,8 @@ password_items:
;
password_item:
- password_item_begin '{' password_item_params '}'
- | password_item_begin
+ password_item_begin '{' password_item_params '}' password_item_end
+ | password_item_begin password_item_end
;
password_item_begin:
@@ -542,6 +542,11 @@ password_algorithm:
| BLAKE2B512 { $$ = ALG_BLAKE2B_512; }
;
+password_item_end:
+{
+ password_validate_length(this_p_item);
+};
+
/* BFD options */
diff --git a/nest/password.c b/nest/password.c
index 6f87af21..34e2a61e 100644
--- a/nest/password.c
+++ b/nest/password.c
@@ -9,6 +9,7 @@
#include "nest/bird.h"
#include "nest/password.h"
+#include "conf/conf.h"
#include "lib/string.h"
#include "lib/timer.h"
#include "lib/mac.h"
@@ -85,3 +86,28 @@ max_mac_length(list *l)
return val;
}
+
+/**
+ * password_validate_length - enforce key length restrictions
+ * @pi: Password item
+ *
+ * This is a common MAC algorithm validation function that will enforce that the
+ * key length constrains specified in the MAC type table.
+ */
+
+void
+password_validate_length(const struct password_item *pi)
+{
+ if (!pi->alg)
+ return;
+
+ const struct mac_desc *alg = &mac_table[pi->alg];
+
+ if (alg->min_key_length && (pi->length < alg->min_key_length))
+ cf_error("Key length (%u B) below minimum length of %u B for %s",
+ pi->length, alg->min_key_length, alg->name);
+
+ if (alg->max_key_length && (pi->length > alg->max_key_length))
+ cf_error("Key length (%u B) exceeds maximum length of %u B for %s",
+ pi->length, alg->max_key_length, alg->name);
+}
diff --git a/nest/password.h b/nest/password.h
index 8a0da223..53168bb7 100644
--- a/nest/password.h
+++ b/nest/password.h
@@ -24,6 +24,7 @@ extern struct password_item *last_password_item;
struct password_item *password_find(list *l, int first_fit);
struct password_item *password_find_by_id(list *l, uint id);
struct password_item *password_find_by_value(list *l, char *pass, uint size);
+void password_validate_length(const struct password_item *p);
static inline int password_verify(struct password_item *p1, char *p2, uint size)
{