diff options
author | Ondrej Zajicek <santiago@crfreenet.org> | 2008-10-26 22:42:39 +0100 |
---|---|---|
committer | Ondrej Zajicek <santiago@crfreenet.org> | 2008-10-26 22:42:39 +0100 |
commit | d51aa2819005a03e4cfb6f62333be6ccadfb3c06 (patch) | |
tree | 2a76b826cfdac4cf1a94a305f9fe416a2df45840 /proto/bgp | |
parent | 11cb620266035ffbe17b21c4a174380cb8b6a521 (diff) |
Implementation of MD5 authentication of BGP sessions.
Diffstat (limited to 'proto/bgp')
-rw-r--r-- | proto/bgp/bgp.c | 19 | ||||
-rw-r--r-- | proto/bgp/bgp.h | 1 | ||||
-rw-r--r-- | proto/bgp/config.Y | 4 |
3 files changed, 22 insertions, 2 deletions
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c index ed2524c8..e1f5ec02 100644 --- a/proto/bgp/bgp.c +++ b/proto/bgp/bgp.c @@ -78,10 +78,14 @@ static void bgp_setup_listen_sk(void); static void -bgp_close(struct bgp_proto *p UNUSED) +bgp_close(struct bgp_proto *p) { ASSERT(bgp_counter); bgp_counter--; + + if (p->cf->password) + sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL); + if (!bgp_counter) { rfree(bgp_listen_sk); @@ -330,6 +334,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c bgp_setup_conn(p, conn); bgp_setup_sk(p, conn, s); s->tx_hook = bgp_connected; + s->password = p->cf->password; conn->state = BS_CONNECT; if (sk_open(s)) { @@ -506,6 +511,7 @@ bgp_start(struct proto *P) bgp_counter++; bgp_setup_listen_sk(); + if (!bgp_linpool) bgp_linpool = lp_new(&root_pool, 4080); @@ -523,6 +529,17 @@ bgp_start(struct proto *P) lock->hook = bgp_start_locked; lock->data = p; olock_acquire(lock); + + /* We should create security association after we get a lock not to + * break existing connections. + */ + if (p->cf->password) + { + int rv = sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, p->cf->password); + if (rv < 0) + return PS_STOP; + } + return PS_START; } diff --git a/proto/bgp/bgp.h b/proto/bgp/bgp.h index aa1bd107..93383244 100644 --- a/proto/bgp/bgp.h +++ b/proto/bgp/bgp.h @@ -33,6 +33,7 @@ struct bgp_config { unsigned error_delay_time_min; /* Time to wait after an error is detected */ unsigned error_delay_time_max; unsigned disable_after_error; /* Disable the protocol when error is detected */ + char *password; /* Password used for MD5 authentication */ }; struct bgp_conn { diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y index 63dfb615..580c008f 100644 --- a/proto/bgp/config.Y +++ b/proto/bgp/config.Y @@ -20,7 +20,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY, KEEPALIVE, MULTIHOP, STARTUP, VIA, NEXT, HOP, SELF, DEFAULT, PATH, METRIC, ERROR, START, DELAY, FORGET, WAIT, DISABLE, AFTER, BGP_PATH, BGP_LOCAL_PREF, BGP_MED, BGP_ORIGIN, BGP_NEXT_HOP, - BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS) + BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS, PASSWORD) CF_GRAMMAR @@ -38,6 +38,7 @@ bgp_proto_start: proto_start BGP { BGP_CFG->error_amnesia_time = 300; BGP_CFG->error_delay_time_min = 60; BGP_CFG->error_delay_time_max = 300; + BGP_CFG->password = NULL; } ; @@ -65,6 +66,7 @@ bgp_proto: | bgp_proto ERROR FORGET TIME expr ';' { BGP_CFG->error_amnesia_time = $5; } | bgp_proto ERROR WAIT TIME expr ',' expr ';' { BGP_CFG->error_delay_time_min = $5; BGP_CFG->error_delay_time_max = $7; } | bgp_proto DISABLE AFTER ERROR bool ';' { BGP_CFG->disable_after_error = $5; } + | bgp_proto PASSWORD TEXT ';' { BGP_CFG->password = $3; } ; CF_ADDTO(dynamic_attr, BGP_PATH |