author | Toke Høiland-Jørgensen <toke@toke.dk> | 2021-04-17 15:04:16 +0200 |
---|---|---|
committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2021-06-06 16:28:18 +0200 |
commit | b218a28f61e1e9a93c3a4f2e180590f85df62e79 (patch) | |
tree | d0b83010d01eb77fe2c15e4b0c758115dc08bc63 /proto/babel/config.Y | |
parent | 69d10132a6020e00ea2e8f899fdebf8128329699 (diff) |
Babel: Add MAC authentication support
This implements support for MAC authentication in the Babel protocol, as
specified by RFC 8967. The implementation seeks to follow the RFC as closely
as possible, with the only deliberate deviation being the addition of
support for all the HMAC algorithms already supported by Bird, as well as
the Blake2b variant of the Blake algorithm.
For description of applicability, assumptions and security properties,
see RFC 8967 sections 1.1 and 1.2.
Diffstat (limited to 'proto/babel/config.Y')
-rw-r--r-- | proto/babel/config.Y | 42 |
1 files changed, 41 insertions, 1 deletions
diff --git a/proto/babel/config.Y b/proto/babel/config.Y
index 2f3b637b..5e0710b5 100644
--- a/proto/babel/config.Y
+++ b/proto/babel/config.Y
@@ -25,7 +25,7 @@ CF_DECLS
 CF_KEYWORDS(BABEL, INTERFACE, METRIC, RXCOST, HELLO, UPDATE, INTERVAL, PORT, TYPE, WIRED, WIRELESS, RX, TX, BUFFER, PRIORITY, LENGTH, CHECK, LINK, NEXT, HOP, IPV4, IPV6, BABEL_METRIC, SHOW, INTERFACES, NEIGHBORS,
- ENTRIES, RANDOMIZE, ROUTER, ID)
+ ENTRIES, RANDOMIZE, ROUTER, ID, AUTHENTICATION, NONE, MAC, PERMISSIVE)
 CF_GRAMMAR
@@ -59,6 +59,8 @@ babel_iface_start:
 this_ipatt = cfg_allocz(sizeof(struct babel_iface_config));
 add_tail(&BABEL_CFG->iface_list, NODE this_ipatt);
 init_list(&this_ipatt->ipn_list);
+ reset_passwords();
+
 BABEL_IFACE->port = BABEL_PORT;
 BABEL_IFACE->type = BABEL_IFACE_TYPE_WIRED;
 BABEL_IFACE->limit = BABEL_HELLO_LIMIT;
@@ -91,6 +93,40 @@ babel_iface_finish:
 BABEL_IFACE->ihu_interval = MIN_(BABEL_IFACE->hello_interval*BABEL_IHU_INTERVAL_FACTOR, BABEL_MAX_INTERVAL);
 BABEL_CFG->hold_time = MAX_(BABEL_CFG->hold_time, BABEL_IFACE->update_interval*BABEL_HOLD_TIME_FACTOR);
+
+ BABEL_IFACE->passwords = get_passwords();
+
+ if (!BABEL_IFACE->auth_type != !BABEL_IFACE->passwords)
+ cf_error("Authentication and password options should be used together");
+
+ if (BABEL_IFACE->passwords)
+ {
+ struct password_item *pass;
+ uint len = 0, i = 0;
+ WALK_LIST(pass, *BABEL_IFACE->passwords)
+ {
+ /* Set default crypto algorithm (HMAC-SHA256) */
+ if (!pass->alg)
+ pass->alg = ALG_HMAC_SHA256;
+
+ if (pass->alg & ALG_HMAC) {
+ if (pass->length < mac_type_length(pass->alg) ||
+ pass->length > mac_type_block_size(pass->alg))
+ cf_error("key length %d is not between output size %d and block size %d for algorithm %s",
+ pass->length, mac_type_length(pass->alg),
+ mac_type_block_size(pass->alg), mac_type_name(pass->alg));
+ } else if (!(pass->alg == ALG_BLAKE2S_128 || pass->alg == ALG_BLAKE2S_256 ||
+ pass->alg == ALG_BLAKE2B_256 || pass->alg == ALG_BLAKE2B_512)) {
+ cf_error("Only HMAC and Blake algorithms are supported");
+ }
+
+ len += mac_type_length(pass->alg);
+ i++;
+ }
+ BABEL_IFACE->mac_num_keys = i;
+ BABEL_IFACE->mac_total_len = len;
+ }
+
 };
@@ -109,6 +145,10 @@ babel_iface_item:
 | CHECK LINK bool { BABEL_IFACE->check_link = $3; }
 | NEXT HOP IPV4 ipa { BABEL_IFACE->next_hop_ip4 = $4; if (!ipa_is_ip4($4)) cf_error("Must be an IPv4 address"); }
 | NEXT HOP IPV6 ipa { BABEL_IFACE->next_hop_ip6 = $4; if (!ipa_is_ip6($4)) cf_error("Must be an IPv6 address"); }
+ | AUTHENTICATION NONE { BABEL_IFACE->auth_type = BABEL_AUTH_NONE; }
+ | AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; }
+ | AUTHENTICATION MAC PERMISSIVE { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 1; }
+ | password_list { }
 ;
 babel_iface_opts: |
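Review bot: In the WALK_LIST loop of babel_iface_finish, the BLAKE2 branch validates only the algorithm identifier and never bounds `pass->length`, whereas the HMAC branch rejects keys outside [output size, block size]; unless the MAC layer clamps it elsewhere, an empty key or one longer than the variant's maximum key size (32 bytes for BLAKE2s, 64 for BLAKE2b) is accepted at config time, and keyed BLAKE2 with an empty key is just the unkeyed hash, so such an interface would be "authenticated" with no secret. I would add a bound in that `else if` branch mirroring the HMAC one, e.g. `if (pass->length < 1 || pass->length > <max key size for variant>) cf_error(...)`, with the message naming the algorithm via mac_type_name() as the HMAC case does. Separately, `!BABEL_IFACE->auth_type != !BABEL_IFACE->passwords` only diagnoses `authentication none` combined with a password list if BABEL_AUTH_NONE is zero, which is not visible here; a comment such as `/* relies on BABEL_AUTH_NONE == 0 */` would make that dependency explicit. The babel_iface_finish action begins outside the hunk.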
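Review bot: The `AUTHENTICATION MAC` and `AUTHENTICATION NONE` alternatives set `auth_type` but leave `auth_permissive` untouched, so if an interface block lists `authentication mac permissive` and a later `authentication mac` (assuming babel_iface_item alternatives may repeat within a block, as the opts list grammar suggests), the later item does not clear the flag and the interface silently stays in the fail-open permissive mode. I would clear it explicitly: `| AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 0; }` and do the same in the NONE alternative.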