diff options
| author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2021-06-06 15:22:59 +0200 |
|---|---|---|
| committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2021-06-06 16:28:18 +0200 |
| commit | b174cc0abc0a9d7e84cc6fae46d9e19b714fbcfb (patch) | |
| tree | 8bb6d9099e7139a38634e230b8d7ec003cba298d /proto/babel/config.Y | |
| parent | b218a28f61e1e9a93c3a4f2e180590f85df62e79 (diff) | |
Babel: Add MAC authentication support - update
Some cleanups and bugfixes to the previous patch, including:
- Fix rate limiting in index mismatch check
- Fix missing BABEL_AUTH_INDEX_LEN in auth_tx_overhead computation
- Fix missing auth_tx_overhead recalculation during reconfiguration
- Fix pseudoheader construction in babel_auth_sign() (sport vs fport)
- Fix typecasts for ptrdiffs in log messages
- Make auth log messages similar to corresponding RIP/OSPF ones
- Change auth log messages for events that happen during regular
operation to debug messages
- Switch meaning of babel_auth_check*() functions for consistency
with corresponding RIP/OSPF ones
- Remove requirement for min/max key length, only those required by
given MAC code are enforced
Diffstat (limited to 'proto/babel/config.Y')
| -rw-r--r-- | proto/babel/config.Y | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/proto/babel/config.Y b/proto/babel/config.Y index 5e0710b5..05210fa4 100644 --- a/proto/babel/config.Y +++ b/proto/babel/config.Y @@ -103,26 +103,24 @@ babel_iface_finish: { struct password_item *pass; uint len = 0, i = 0; + WALK_LIST(pass, *BABEL_IFACE->passwords) { /* Set default crypto algorithm (HMAC-SHA256) */ if (!pass->alg) pass->alg = ALG_HMAC_SHA256; - if (pass->alg & ALG_HMAC) { - if (pass->length < mac_type_length(pass->alg) || - pass->length > mac_type_block_size(pass->alg)) - cf_error("key length %d is not between output size %d and block size %d for algorithm %s", - pass->length, mac_type_length(pass->alg), - mac_type_block_size(pass->alg), mac_type_name(pass->alg)); - } else if (!(pass->alg == ALG_BLAKE2S_128 || pass->alg == ALG_BLAKE2S_256 || - pass->alg == ALG_BLAKE2B_256 || pass->alg == ALG_BLAKE2B_512)) { - cf_error("Only HMAC and Blake algorithms are supported"); - } + if (!((pass->alg & ALG_HMAC) || + (pass->alg == ALG_BLAKE2S_128) || + (pass->alg == ALG_BLAKE2S_256) || + (pass->alg == ALG_BLAKE2B_256) || + (pass->alg == ALG_BLAKE2B_512))) + cf_error("Only HMAC and Blake2 algorithms are supported"); len += mac_type_length(pass->alg); i++; } + BABEL_IFACE->mac_num_keys = i; BABEL_IFACE->mac_total_len = len; } @@ -146,9 +144,9 @@ babel_iface_item: | NEXT HOP IPV4 ipa { BABEL_IFACE->next_hop_ip4 = $4; if (!ipa_is_ip4($4)) cf_error("Must be an IPv4 address"); } | NEXT HOP IPV6 ipa { BABEL_IFACE->next_hop_ip6 = $4; if (!ipa_is_ip6($4)) cf_error("Must be an IPv6 address"); } | AUTHENTICATION NONE { BABEL_IFACE->auth_type = BABEL_AUTH_NONE; } - | AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; } + | AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 0; } | AUTHENTICATION MAC PERMISSIVE { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 1; } - | password_list { } + | password_list ; babel_iface_opts: |