Diffstat (limited to 'nest')
-rw-r--r-- | nest/config.Y | 9 | ||||
-rw-r--r-- | nest/password.c | 26 | ||||
-rw-r--r-- | nest/password.h | 1 |
3 files changed, 34 insertions, 2 deletions
diff --git a/nest/config.Y b/nest/config.Y
index 8bd89de0..45d18679 100644
--- a/nest/config.Y
+++ b/nest/config.Y
@@ -504,8 +504,8 @@ password_items:
 ;
 password_item:
- password_item_begin '{' password_item_params '}'
- | password_item_begin
+ password_item_begin '{' password_item_params '}' password_item_end
+ | password_item_begin password_item_end
 ;
 password_item_begin:
@@ -542,6 +542,11 @@ password_algorithm:
 | BLAKE2B512 { $$ = ALG_BLAKE2B_512; }
 ;
+password_item_end:
+{
+ password_validate_length(this_p_item);
+};
+
 /* BFD options */
diff --git a/nest/password.c b/nest/password.c
index 6f87af21..34e2a61e 100644
--- a/nest/password.c
+++ b/nest/password.c
@@ -9,6 +9,7 @@
 #include "nest/bird.h"
 #include "nest/password.h"
+#include "conf/conf.h"
 #include "lib/string.h"
 #include "lib/timer.h"
 #include "lib/mac.h"
@@ -85,3 +86,28 @@ max_mac_length(list *l)
 return val;
 }
+
+/**
+ * password_validate_length - enforce key length restrictions
+ * @pi: Password item
+ *
+ * This is a common MAC algorithm validation function that will enforce that the
+ * key length constrains specified in the MAC type table.
+ */
+
+void
+password_validate_length(const struct password_item *pi)
+{
+ if (!pi->alg)
+ return;
+
+ const struct mac_desc *alg = &mac_table[pi->alg];
+
+ if (alg->min_key_length && (pi->length < alg->min_key_length))
+ cf_error("Key length (%u B) below minimum length of %u B for %s",
+ pi->length, alg->min_key_length, alg->name);
+
+ if (alg->max_key_length && (pi->length > alg->max_key_length))
+ cf_error("Key length (%u B) exceeds maximum length of %u B for %s",
+ pi->length, alg->max_key_length, alg->name);
+}
diff --git a/nest/password.h b/nest/password.h
index 8a0da223..53168bb7 100644
--- a/nest/password.h
+++ b/nest/password.h
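Review bot: `password_item_end` in the second config.Y hunk is an empty rule that exists only to run its action, and nothing explains why the length check is not performed where the algorithm or the password value is set; a comment above the rule would save the next reader a grammar search. The first hunk establishes the reason: both forms of `password_item` now end with `password_item_end`, after `password_item_params`, so the check sees the algorithm actually selected rather than a default that a later param may override. I would add `/* Runs after all params of a password item are parsed, so the key length is checked against the final algorithm. */` directly above `password_item_end:`. Because the action raises `cf_error`, the error is reported for the whole item rather than at the offending param, which seems acceptable here but is worth knowing.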
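Review bot: The doc block above `password_validate_length` in the password.c hunk has a typo (`constrains` should be `constraints`) and is separated from the definition by a blank line; if the tree's documentation extractor attaches a `/** ... */` block to the declaration that immediately follows it, that blank line detaches the comment, so I would remove the line and write `* key length constraints specified in the MAC type table.` The early `if (!pi->alg) return;` presumably treats algorithm value 0 as "no MAC configured", which deserves a one-line comment such as `/* No MAC algorithm selected: nothing to validate */` so the skip is not mistaken for a missing check. `mac_table[pi->alg]` is indexed without a range check and relies on the parser only ever producing table-backed `ALG_*` values; an assertion against the table's size would make that assumption explicit and cheap to verify. The `%u` conversions assume `length`, `min_key_length` and `max_key_length` are all `uint`, which I cannot confirm from this hunk; the `-Wformat` build should be the judge.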
@@ -24,6 +24,7 @@ extern struct password_item *last_password_item;
 struct password_item *password_find(list *l, int first_fit);
 struct password_item *password_find_by_id(list *l, uint id);
 struct password_item *password_find_by_value(list *l, char *pass, uint size);
+void password_validate_length(const struct password_item *p);
 static inline int password_verify(struct password_item *p1, char *p2, uint size) { |
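Review bot: The new prototype in password.h names its parameter `p` while the definition in password.c names it `pi`; keeping them identical helps readers and tooling match the two, so I would change the header line to `void password_validate_length(const struct password_item *pi);`. The surrounding prototypes carry no doc comments, so a short one is optional, but a note that the function raises `cf_error` and does not return on violation would tell callers it is only usable from config parsing.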