aboutsummaryrefslogtreecommitdiffstats
path: root/net/quagga/files
diff options
context:
space:
mode:
authorbms <bms@FreeBSD.org>2004-05-20 19:51:44 +0800
committerbms <bms@FreeBSD.org>2004-05-20 19:51:44 +0800
commitfdec4f9ce5b3e5fbc1da33133b7fa816ad58dd97 (patch)
tree67957e6b91a9b176400927838ee4be120f01ef11 /net/quagga/files
parent034b6a1a743d4d1f470bc44331acb6115da4a4de (diff)
downloadfreebsd-ports-gnome-fdec4f9ce5b3e5fbc1da33133b7fa816ad58dd97.tar.gz
freebsd-ports-gnome-fdec4f9ce5b3e5fbc1da33133b7fa816ad58dd97.tar.zst
freebsd-ports-gnome-fdec4f9ce5b3e5fbc1da33133b7fa816ad58dd97.zip
Add TCP-MD5 application level support to the FreeBSD quagga port.
Note that this still requires the network administrator to set up TCP-MD5 SAs in the system SADB via setkey(8).
Diffstat (limited to 'net/quagga/files')
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c42
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c59
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c82
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h38
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-configure.ac16
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c32
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h11
7 files changed, 280 insertions, 0 deletions
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c
new file mode 100644
index 000000000000..31ce42a802fb
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c
@@ -0,0 +1,42 @@
+--- bgpd/bgp_network.c.orig Wed Aug 27 05:09:14 2003
++++ bgpd/bgp_network.c Wed Jan 7 14:24:34 2004
+@@ -35,6 +35,10 @@
+ #include "bgpd/bgp_debug.h"
+ #include "bgpd/bgp_network.h"
+
++#ifndef TCP_SIG_SPI_BASE
++#define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
++#endif
++
+ extern struct zebra_privs_t bgpd_privs;
+
+
+@@ -141,6 +145,15 @@
+ return ret;
+ }
+ #endif /* SO_BINDTODEVICE */
++
++#ifdef TCP_MD5SIG
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd,
++ TCP_SIG_SPI_BASE + peer->port);
++ else
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, 0);
++#endif /* TCP_MD5SIG */
++
+ return 0;
+ }
+
+@@ -243,6 +256,12 @@
+ if (peer->ifname)
+ ifindex = if_nametoindex (peer->ifname);
+ #endif /* HAVE_IPV6 */
++
++#ifdef TCP_MD5SIG
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd,
++ TCP_SIG_SPI_BASE + peer->port);
++#endif /* TCP_MD5SIG */
+
+ if (BGP_DEBUG (events, EVENTS))
+ plog_info (peer->log, "%s [Event] Connect start to %s fd %d",
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c
new file mode 100644
index 000000000000..4f70b147c488
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c
@@ -0,0 +1,59 @@
+--- bgpd/bgp_vty.c.orig Fri Oct 24 19:49:09 2003
++++ bgpd/bgp_vty.c Mon Jan 5 08:34:08 2004
+@@ -1352,6 +1352,45 @@
+ "AS number used as local AS\n"
+ "Do not prepend local-as to updates from ebgp peers\n")
+
++#ifdef TCP_MD5SIG
++DEFUN (neighbor_password,
++ neighbor_password_cmd,
++ NEIGHBOR_CMD2 "password WORD",
++ NEIGHBOR_STR
++ NEIGHBOR_ADDR_STR2
++ "Specify a password for TCPMD5 authentication with this peer\n")
++{
++ struct peer *peer;
++ int ret;
++
++ peer = peer_and_group_lookup_vty (vty, argv[0]);
++ if (! peer)
++ return CMD_WARNING;
++
++ ret = peer_password_set (peer, argv[1]);
++ return bgp_vty_return (vty, ret);
++}
++
++DEFUN (no_neighbor_password,
++ no_neighbor_password_cmd,
++ NO_NEIGHBOR_CMD2 "password",
++ NO_STR
++ NEIGHBOR_STR
++ NEIGHBOR_ADDR_STR2
++ "Disable TCPMD5 authentication with this peer\n")
++{
++ struct peer *peer;
++ int ret;
++
++ peer = peer_and_group_lookup_vty (vty, argv[0]);
++ if (! peer)
++ return CMD_WARNING;
++
++ ret = peer_password_unset (peer);
++ return bgp_vty_return (vty, ret);
++}
++#endif /* TCP_MD5SIG */
++
+ DEFUN (neighbor_activate,
+ neighbor_activate_cmd,
+ NEIGHBOR_CMD2 "activate",
+@@ -7857,6 +7896,10 @@
+ install_element (BGP_NODE, &no_neighbor_local_as_cmd);
+ install_element (BGP_NODE, &no_neighbor_local_as_val_cmd);
+ install_element (BGP_NODE, &no_neighbor_local_as_val2_cmd);
++
++ /* "neighbor password" commands. */
++ install_element (BGP_NODE, &neighbor_password_cmd);
++ install_element (BGP_NODE, &no_neighbor_password_cmd);
+
+ /* "neighbor activate" commands. */
+ install_element (BGP_NODE, &neighbor_activate_cmd);
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c
new file mode 100644
index 000000000000..60b3b5b21376
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c
@@ -0,0 +1,82 @@
+--- bgpd/bgpd.c.orig Wed Aug 27 05:09:16 2003
++++ bgpd/bgpd.c Wed Jan 7 14:20:48 2004
+@@ -59,6 +59,9 @@
+ #ifdef HAVE_SNMP
+ #include "bgpd/bgp_snmp.h"
+ #endif /* HAVE_SNMP */
++#ifndef TCP_SIG_SPI_BASE
++#define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
++#endif
+
+ /* BGP process wide configuration. */
+ static struct bgp_master bgp_master;
+@@ -3063,6 +3066,55 @@
+ return 0;
+ }
+
++#ifdef TCP_MD5SIG
++/* Set password for authenticating with the peer. */
++int
++peer_password_set (struct peer *peer, char *password)
++{
++ struct bgp *bgp = peer->bgp;
++ int len;
++
++ len = strlen(password);
++
++ if ((len < PEER_PASSWORD_MINLEN) || (len > PEER_PASSWORD_MAXLEN))
++ return BGP_ERR_INVALID_VALUE;
++
++ memcpy(peer->password, password, len);
++
++ /*
++ * XXX Need to do PF_KEY operation here to add an SA entry,
++ * and add an SP entry for this peer's packet flows also.
++ */
++
++ SET_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE);
++
++ if (peer->fd >= 0)
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, TCP_SIG_SPI_BASE +
++ peer->port);
++
++ return 0;
++}
++
++int
++peer_password_unset (struct peer *peer)
++{
++ struct bgp *bgp = peer->bgp;
++
++ UNSET_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE);
++ /* Paranoia. */
++ memset(peer->password, 0, sizeof(peer->password));
++
++ if (peer->fd >= 0)
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, 0);
++
++ /*
++ * XXX Need to do PF_KEY operation here to remove the SA and SP.
++ */
++
++ return 0;
++}
++#endif /* TCP_MD5SIG */
++
+ /* Set distribute list to the peer. */
+ int
+ peer_distribute_set (struct peer *peer, afi_t afi, safi_t safi, int direct,
+@@ -4041,6 +4093,13 @@
+ if (peer->desc)
+ vty_out (vty, " neighbor %s description %s%s", addr, peer->desc,
+ VTY_NEWLINE);
++
++#ifdef TCP_MD5SIG
++ /* tcp-md5 session password. XXX the password should be obfuscated */
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ vty_out (vty, " neighbor %s password %s%s", addr, peer->password,
++ VTY_NEWLINE);
++#endif /* TCP_MD5SIG */
+
+ /* Shutdown. */
+ if (CHECK_FLAG (peer->flags, PEER_FLAG_SHUTDOWN))
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h
new file mode 100644
index 000000000000..4edd976fccf2
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h
@@ -0,0 +1,38 @@
+--- bgpd/bgpd.h.orig Wed Aug 27 05:09:16 2003
++++ bgpd/bgpd.h Wed Jan 7 14:28:38 2004
+@@ -312,6 +312,9 @@
+ #define PEER_FLAG_DYNAMIC_CAPABILITY (1 << 6) /* dynamic capability */
+ #define PEER_FLAG_ENFORCE_MULTIHOP (1 << 7) /* enforce-multihop */
+ #define PEER_FLAG_LOCAL_AS_NO_PREPEND (1 << 8) /* local-as no-prepend */
++#ifdef TCP_MD5SIG /* XXX should move to AF_INET/SFI_UNICAST below */
++#define PEER_FLAG_TCP_SIGNATURE (1 << 9) /* use TCP-MD5 digest */
++#endif /* TCP_MD5SIG */
+
+ /* Per AF configuration flags. */
+ u_int32_t af_flags[AFI_MAX][SAFI_MAX];
+@@ -441,6 +444,13 @@
+ #define PEER_RMAP_TYPE_REDISTRIBUTE (1 << 3) /* redistribute route-map */
+ #define PEER_RMAP_TYPE_DEFAULT (1 << 4) /* default-originate route-map */
+ #define PEER_RMAP_TYPE_NOSET (1 << 5) /* not allow to set commands */
++
++#ifdef TCP_MD5SIG
++ /* TCP-MD5 Password Support -- bms */
++#define PEER_PASSWORD_MINLEN 1
++#define PEER_PASSWORD_MAXLEN 80 /* width of password field */
++ char password[PEER_PASSWORD_MAXLEN];
++#endif /* TCP_MD5SIG */
+ };
+
+ /* This structure's member directly points incoming packet data
+@@ -815,6 +825,11 @@
+
+ int peer_local_as_set (struct peer *, as_t, int);
+ int peer_local_as_unset (struct peer *);
++
++#ifdef TCP_MD5SIG
++int peer_password_set (struct peer *, char *);
++int peer_password_unset (struct peer *);
++#endif /* TCP_MD5SIG */
+
+ int peer_prefix_list_set (struct peer *, afi_t, safi_t, int, char *);
+ int peer_prefix_list_unset (struct peer *, afi_t, safi_t, int);
diff --git a/net/quagga/files/extra-tcpmd5-patch-configure.ac b/net/quagga/files/extra-tcpmd5-patch-configure.ac
new file mode 100644
index 000000000000..5ca3d52ffad9
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-configure.ac
@@ -0,0 +1,16 @@
+--- configure.ac.orig Thu May 20 12:31:22 2004
++++ configure.ac Thu May 20 12:33:06 2004
+@@ -163,6 +163,13 @@
+ AC_MSG_RESULT(no)
+ fi
+
++AC_ARG_ENABLE(tcp-signature,
++[ --enable-tcp-signature enable TCP MD5 checksum capability])
++
++if test "${enable_tcp_signature}" = "yes"; then
++ AC_DEFINE(TCP_MD5SIG,,TCP signatures)
++fi
++
+ if test "${enable_user}" = "yes" || test x"${enable_user}" = x""; then
+ enable_user="quagga"
+ elif test "${enable_user}" = "no"; then
diff --git a/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c
new file mode 100644
index 000000000000..511cf9ef8a64
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c
@@ -0,0 +1,32 @@
+--- lib/sockopt.c.orig Fri Dec 13 20:15:29 2002
++++ lib/sockopt.c Mon Jan 5 08:25:17 2004
+@@ -197,3 +197,29 @@
+ #endif /* #if OS_TYPE */
+
+ }
++
++int
++sockopt_tcp_signature (int family, int sock, int enable)
++{
++ int ret;
++
++#ifdef TCP_MD5SIG
++ if (family == AF_INET)
++ {
++ ret = setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG,
++ (void *) &enable, sizeof (int));
++ if (ret < 0)
++ {
++ zlog (NULL, LOG_WARNING, "can't set sockopt TCP_MD5SIG %d to socket %d", enable, sock);
++ return -1;
++ }
++ return 0;
++ }
++#endif /* TCP_MD5SIG */
++
++ /* fallthrough */
++
++ zlog (NULL, LOG_WARNING, "can't set sockopt TCP_MD5SIG on socket %d with family %d",
++ sock, family);
++ return -1;
++}
diff --git a/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h
new file mode 100644
index 000000000000..0f439db920d3
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h
@@ -0,0 +1,11 @@
+--- lib/sockopt.h.orig Fri Dec 13 20:15:29 2002
++++ lib/sockopt.h Mon Jan 5 08:25:17 2004
+@@ -37,5 +37,8 @@
+ unsigned int mcast_addr,
+ unsigned int ifindex);
+
++#ifdef TCP_MD5SIG
++int sockopt_tcp_signature(int family, int sock, int enable);
++#endif /* TCP_MD5SIG */
+
+ #endif /*_ZEBRA_SOCKOPT_H */