From a7baa09862e6b4856cd66197c6bd74c7df336b8f Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Wed, 13 Apr 2016 14:30:28 +0200
Subject: BSD: Add the IPsec SA/SP database entries control

Add code for manipulation with TCP-MD5 keys in the IPsec SA/SP database
at FreeBSD systems. Now, BGP MD5 authentication (RFC 2385) keys are
handled automatically on both Linux and FreeBSD.

Based on patches from Pavel Tvrdik.
---
 sysdep/bsd/sysio.h | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

(limited to 'sysdep/bsd/sysio.h')

diff --git a/sysdep/bsd/sysio.h b/sysdep/bsd/sysio.h
index c82d7a1e..6c20733f 100644
--- a/sysdep/bsd/sysio.h
+++ b/sysdep/bsd/sysio.h
@@ -189,30 +189,26 @@ sk_prepare_ip_header(sock *s, void *hdr, int dlen)
 #ifndef TCP_KEYLEN_MAX
 #define TCP_KEYLEN_MAX 80
 #endif
+
 #ifndef TCP_SIG_SPI
 #define TCP_SIG_SPI 0x1000
 #endif
 
-/* 
- * FIXME: Passwords has to be set by setkey(8) command. This is the same
- * behaviour like Quagga. We need to add code for SA/SP entries
- * management.
- */
+#if defined(__FreeBSD__)
+#define USE_MD5SIG_SETKEY
+#include "lib/setkey.h"
+#endif
 
 int
-sk_set_md5_auth(sock *s, ip_addr a, struct iface *ifa, char *passwd)
+sk_set_md5_auth(sock *s, ip_addr local, ip_addr remote, struct iface *ifa, char *passwd, int setkey UNUSED)
 {
-  int enable = 0;
-
-  if (passwd && *passwd)
-  {
-    int len = strlen(passwd);
-    enable = TCP_SIG_SPI;
-
-    if (len > TCP_KEYLEN_MAX)
-      ERR_MSG("MD5 password too long");
-  }
+#ifdef USE_MD5SIG_SETKEY
+  if (setkey)
+    if (sk_set_md5_in_sasp_db(s, local, remote, ifa, passwd) < 0)
+      return -1;
+#endif
 
+  int enable = (passwd && *passwd) ? TCP_SIG_SPI : 0;
   if (setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &enable, sizeof(enable)) < 0)
   {
     if (errno == ENOPROTOOPT)
-- 
cgit v1.2.3