summaryrefslogtreecommitdiff
path: root/sysdep/unix/io.c
diff options
context:
space:
mode:
authorOndrej Zajicek (work) <santiago@crfreenet.org>2016-04-13 14:30:28 +0200
committerOndrej Zajicek (work) <santiago@crfreenet.org>2016-04-13 14:37:09 +0200
commita7baa09862e6b4856cd66197c6bd74c7df336b8f (patch)
tree323e453c150273bb6d15bb19881affc8b43b6edf /sysdep/unix/io.c
parent43fc6bb0fb720762f12124076e2241855741ceb5 (diff)
BSD: Add the IPsec SA/SP database entries control
Add code for manipulation with TCP-MD5 keys in the IPsec SA/SP database at FreeBSD systems. Now, BGP MD5 authentication (RFC 2385) keys are handled automatically on both Linux and FreeBSD. Based on patches from Pavel Tvrdik.
Diffstat (limited to 'sysdep/unix/io.c')
-rw-r--r--sysdep/unix/io.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c
index 5955dbfe..d918d321 100644
--- a/sysdep/unix/io.c
+++ b/sysdep/unix/io.c
@@ -951,23 +951,32 @@ sk_set_min_ttl(sock *s, int ttl)
/**
* sk_set_md5_auth - add / remove MD5 security association for given socket
* @s: socket
- * @a: IP address of the other side
+ * @local: IP address of local side
+ * @remote: IP address of remote side
* @ifa: Interface for link-local IP address
- * @passwd: password used for MD5 authentication
+ * @passwd: Password used for MD5 authentication
+ * @setkey: Update also system SA/SP database
*
- * In TCP MD5 handling code in kernel, there is a set of pairs (address,
- * password) used to choose password according to address of the other side.
- * This function is useful for listening socket, for active sockets it is enough
- * to set s->password field.
+ * In TCP MD5 handling code in kernel, there is a set of security associations
+ * used for choosing password and other authentication parameters according to
+ * the local and remote address. This function is useful for listening socket,
+ * for active sockets it may be enough to set s->password field.
*
* When called with passwd != NULL, the new pair is added,
* When called with passwd == NULL, the existing pair is removed.
*
+ * Note that while in Linux, the MD5 SAs are specific to socket, in BSD they are
+ * stored in global SA/SP database (but the behavior also must be enabled on
+ * per-socket basis). In case of multiple sockets to the same neighbor, the
+ * socket-specific state must be configured for each socket while global state
+ * just once per src-dst pair. The @setkey argument controls whether the global
+ * state (SA/SP database) is also updated.
+ *
* Result: 0 for success, -1 for an error.
*/
int
-sk_set_md5_auth(sock *s, ip_addr a, struct iface *ifa, char *passwd)
+sk_set_md5_auth(sock *s, ip_addr local, ip_addr remote, struct iface *ifa, char *passwd, int setkey)
{ DUMMY; }
#endif
@@ -1437,7 +1446,7 @@ sk_open(sock *s)
}
if (s->password)
- if (sk_set_md5_auth(s, s->daddr, s->iface, s->password) < 0)
+ if (sk_set_md5_auth(s, s->saddr, s->daddr, s->iface, s->password, 0) < 0)
goto err;
switch (s->type)