author | bms <bms@FreeBSD.org> | 2004-05-20 19:51:44 +0800 |
committer | bms <bms@FreeBSD.org> | 2004-05-20 19:51:44 +0800 |
commit | fdec4f9ce5b3e5fbc1da33133b7fa816ad58dd97 (patch) | |
tree | 67957e6b91a9b176400927838ee4be120f01ef11 /net/quagga/files | |
parent | 034b6a1a743d4d1f470bc44331acb6115da4a4de (diff) | |
Add TCP-MD5 application level support to the FreeBSD quagga port.
Note that this still requires the network administrator to set up TCP-MD5
SAs in the system SADB via setkey(8).
Diffstat (limited to 'net/quagga/files')
-rw-r--r-- | net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c | 42 | ||||
-rw-r--r-- | net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c | 59 | ||||
-rw-r--r-- | net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c | 82 | ||||
-rw-r--r-- | net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h | 38 | ||||
-rw-r--r-- | net/quagga/files/extra-tcpmd5-patch-configure.ac | 16 | ||||
-rw-r--r-- | net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c | 32 | ||||
-rw-r--r-- | net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h | 11 |
7 files changed, 280 insertions, 0 deletions
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c
new file mode 100644
index 000000000000..31ce42a802fb
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c
@@ -0,0 +1,42 @@
+--- bgpd/bgp_network.c.orig Wed Aug 27 05:09:14 2003
++++ bgpd/bgp_network.c Wed Jan 7 14:24:34 2004
+@@ -35,6 +35,10 @@
+ #include "bgpd/bgp_debug.h"
+ #include "bgpd/bgp_network.h"
+
++#ifndef TCP_SIG_SPI_BASE
++#define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
++#endif
++
+ extern struct zebra_privs_t bgpd_privs;
+
+
+@@ -141,6 +145,15 @@
+ return ret;
+ }
+ #endif /* SO_BINDTODEVICE */
++
++#ifdef TCP_MD5SIG
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd,
++ TCP_SIG_SPI_BASE + peer->port);
++ else
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, 0);
++#endif /* TCP_MD5SIG */
++
+ return 0;
+ }
+
+@@ -243,6 +256,12 @@
+ if (peer->ifname)
+ ifindex = if_nametoindex (peer->ifname);
+ #endif /* HAVE_IPV6 */
++
++#ifdef TCP_MD5SIG
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd,
++ TCP_SIG_SPI_BASE + peer->port);
++#endif /* TCP_MD5SIG */
+
+ if (BGP_DEBUG (events, EVENTS))
+ plog_info (peer->log, "%s [Event] Connect start to %s fd %d",
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c
new file mode 100644
index 000000000000..4f70b147c488
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c
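Review bot: Both new call sites ignore the return value of sockopt_tcp_signature, which the lib/sockopt.c hunk in this commit makes return -1 when setsockopt fails or the family is not AF_INET, so a peer configured with PEER_FLAG_TCP_SIGNATURE can silently come up with no TCP-MD5 protection and only a LOG_WARNING records it. I would fail the accept/connect the way the SO_BINDTODEVICE failure just above it does: `if (sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, TCP_SIG_SPI_BASE + peer->port) < 0) return -1;` in the first hunk, with the matching check in the second. The unconditional `else sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, 0);` will also log that warning on every accept from a non-AF_INET peer, since the library rejects other families; limiting it to AF_INET sockets keeps the warning meaningful. Both enclosing functions start and end outside the hunk, so what the second call site should return on failure is not visible here.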
@@ -0,0 +1,59 @@
+--- bgpd/bgp_vty.c.orig Fri Oct 24 19:49:09 2003
++++ bgpd/bgp_vty.c Mon Jan 5 08:34:08 2004
+@@ -1352,6 +1352,45 @@
+ "AS number used as local AS\n"
+ "Do not prepend local-as to updates from ebgp peers\n")
+
++#ifdef TCP_MD5SIG
++DEFUN (neighbor_password,
++ neighbor_password_cmd,
++ NEIGHBOR_CMD2 "password WORD",
++ NEIGHBOR_STR
++ NEIGHBOR_ADDR_STR2
++ "Specify a password for TCPMD5 authentication with this peer\n")
++{
++ struct peer *peer;
++ int ret;
++
++ peer = peer_and_group_lookup_vty (vty, argv[0]);
++ if (! peer)
++ return CMD_WARNING;
++
++ ret = peer_password_set (peer, argv[1]);
++ return bgp_vty_return (vty, ret);
++}
++
++DEFUN (no_neighbor_password,
++ no_neighbor_password_cmd,
++ NO_NEIGHBOR_CMD2 "password",
++ NO_STR
++ NEIGHBOR_STR
++ NEIGHBOR_ADDR_STR2
++ "Disable TCPMD5 authentication with this peer\n")
++{
++ struct peer *peer;
++ int ret;
++
++ peer = peer_and_group_lookup_vty (vty, argv[0]);
++ if (! peer)
++ return CMD_WARNING;
++
++ ret = peer_password_unset (peer);
++ return bgp_vty_return (vty, ret);
++}
++#endif /* TCP_MD5SIG */
++
+ DEFUN (neighbor_activate,
+ neighbor_activate_cmd,
+ NEIGHBOR_CMD2 "activate",
+@@ -7857,6 +7896,10 @@
+ install_element (BGP_NODE, &no_neighbor_local_as_cmd);
+ install_element (BGP_NODE, &no_neighbor_local_as_val_cmd);
+ install_element (BGP_NODE, &no_neighbor_local_as_val2_cmd);
++
++ /* "neighbor password" commands. */
++ install_element (BGP_NODE, &neighbor_password_cmd);
++ install_element (BGP_NODE, &no_neighbor_password_cmd);
+
+ /* "neighbor activate" commands. */
+ install_element (BGP_NODE, &neighbor_activate_cmd);
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c
new file mode 100644
index 000000000000..60b3b5b21376
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c
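Review bot: The help string of the `neighbor password WORD` DEFUN tells the operator that WORD authenticates the session, but per the commit message and the XXX notes in the bgpd.c hunk the value is only stored in the peer and the key the kernel actually uses has to be installed in the SADB with setkey(8), so a mismatch between the two is invisible from the CLI. I would say so in the help text, e.g. `"Password for TCP-MD5 authentication with this peer (the same key must also be installed in the SADB with setkey(8))\n"`, and repeat it in the comment on peer_password_set. The returned BGP_ERR_INVALID_VALUE on an out-of-range length gives the operator no hint of the limits; mentioning PEER_PASSWORD_MINLEN/PEER_PASSWORD_MAXLEN in the help string would make the rejection self-explanatory.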
@@ -0,0 +1,82 @@
+--- bgpd/bgpd.c.orig Wed Aug 27 05:09:16 2003
++++ bgpd/bgpd.c Wed Jan 7 14:20:48 2004
+@@ -59,6 +59,9 @@
+ #ifdef HAVE_SNMP
+ #include "bgpd/bgp_snmp.h"
+ #endif /* HAVE_SNMP */
++#ifndef TCP_SIG_SPI_BASE
++#define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
++#endif
+
+ /* BGP process wide configuration. */
+ static struct bgp_master bgp_master;
+@@ -3063,6 +3066,55 @@
+ return 0;
+ }
+
++#ifdef TCP_MD5SIG
++/* Set password for authenticating with the peer. */
++int
++peer_password_set (struct peer *peer, char *password)
++{
++ struct bgp *bgp = peer->bgp;
++ int len;
++
++ len = strlen(password);
++
++ if ((len < PEER_PASSWORD_MINLEN) || (len > PEER_PASSWORD_MAXLEN))
++ return BGP_ERR_INVALID_VALUE;
++
++ memcpy(peer->password, password, len);
++
++ /*
++ * XXX Need to do PF_KEY operation here to add an SA entry,
++ * and add an SP entry for this peer's packet flows also.
++ */
++
++ SET_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE);
++
++ if (peer->fd >= 0)
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, TCP_SIG_SPI_BASE +
++ peer->port);
++
++ return 0;
++}
++
++int
++peer_password_unset (struct peer *peer)
++{
++ struct bgp *bgp = peer->bgp;
++
++ UNSET_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE);
++ /* Paranoia. */
++ memset(peer->password, 0, sizeof(peer->password));
++
++ if (peer->fd >= 0)
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, 0);
++
++ /*
++ * XXX Need to do PF_KEY operation here to remove the SA and SP.
++ */
++
++ return 0;
++}
++#endif /* TCP_MD5SIG */
++
+ /* Set distribute list to the peer. */
+ int
+ peer_distribute_set (struct peer *peer, afi_t afi, safi_t safi, int direct,
+@@ -4041,6 +4093,13 @@
+ if (peer->desc)
+ vty_out (vty, " neighbor %s description %s%s", addr, peer->desc,
+ VTY_NEWLINE);
++
++#ifdef TCP_MD5SIG
++ /* tcp-md5 session password.
XXX the password should be obfuscated */
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ vty_out (vty, " neighbor %s password %s%s", addr, peer->password,
++ VTY_NEWLINE);
++#endif /* TCP_MD5SIG */
+
+ /* Shutdown. */
+ if (CHECK_FLAG (peer->flags, PEER_FLAG_SHUTDOWN))
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h
new file mode 100644
index 000000000000..4edd976fccf2
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h
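Review bot: peer_password_set accepts a password of exactly PEER_PASSWORD_MAXLEN bytes and copies it with memcpy into `peer->password`, which the bgpd.h hunk declares as `char password[PEER_PASSWORD_MAXLEN]`, so the longest accepted password is stored with no terminating NUL and the `%s` in the config-writer hunk below then reads past the field; a shorter password set after a longer one likewise leaves the old tail bytes in place, since nothing clears or terminates the buffer. I would reject lengths that leave no room for the terminator and clear the field first: `if (len < PEER_PASSWORD_MINLEN || len >= sizeof (peer->password)) return BGP_ERR_INVALID_VALUE;` followed by `memset (peer->password, 0, sizeof (peer->password)); memcpy (peer->password, password, len);` (the field size in the bgpd.h hunk is the other half of the same issue). `struct bgp *bgp = peer->bgp;` is unused in both new functions and will draw an unused-variable warning. The config writer emits the password in clear text, as its own XXX comment admits; until that is addressed, the function comment on peer_password_set should state that the value is written verbatim to the saved configuration so operators protect that file accordingly.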
@@ -0,0 +1,38 @@
+--- bgpd/bgpd.h.orig Wed Aug 27 05:09:16 2003
++++ bgpd/bgpd.h Wed Jan 7 14:28:38 2004
+@@ -312,6 +312,9 @@
+ #define PEER_FLAG_DYNAMIC_CAPABILITY (1 << 6) /* dynamic capability */
+ #define PEER_FLAG_ENFORCE_MULTIHOP (1 << 7) /* enforce-multihop */
+ #define PEER_FLAG_LOCAL_AS_NO_PREPEND (1 << 8) /* local-as no-prepend */
++#ifdef TCP_MD5SIG /* XXX should move to AF_INET/SFI_UNICAST below */
++#define PEER_FLAG_TCP_SIGNATURE (1 << 9) /* use TCP-MD5 digest */
++#endif /* TCP_MD5SIG */
+
+ /* Per AF configuration flags. */
+ u_int32_t af_flags[AFI_MAX][SAFI_MAX];
+@@ -441,6 +444,13 @@
+ #define PEER_RMAP_TYPE_REDISTRIBUTE (1 << 3) /* redistribute route-map */
+ #define PEER_RMAP_TYPE_DEFAULT (1 << 4) /* default-originate route-map */
+ #define PEER_RMAP_TYPE_NOSET (1 << 5) /* not allow to set commands */
++
++#ifdef TCP_MD5SIG
++ /* TCP-MD5 Password Support -- bms */
++#define PEER_PASSWORD_MINLEN 1
++#define PEER_PASSWORD_MAXLEN 80 /* width of password field */
++ char password[PEER_PASSWORD_MAXLEN];
++#endif /* TCP_MD5SIG */
+ };
+
+ /* This structure's member directly points incoming packet data
+@@ -815,6 +825,11 @@
+
+ int peer_local_as_set (struct peer *, as_t, int);
+ int peer_local_as_unset (struct peer *);
++
++#ifdef TCP_MD5SIG
++int peer_password_set (struct peer *, char *);
++int peer_password_unset (struct peer *);
++#endif /* TCP_MD5SIG */
+
+ int peer_prefix_list_set (struct peer *, afi_t, safi_t, int, char *);
+ int peer_prefix_list_unset (struct peer *, afi_t, safi_t, int);
diff --git a/net/quagga/files/extra-tcpmd5-patch-configure.ac b/net/quagga/files/extra-tcpmd5-patch-configure.ac
new file mode 100644
index 000000000000..5ca3d52ffad9
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-configure.ac
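Review bot: `int peer_password_set (struct peer *, char *);` takes the password as a mutable `char *` although the bgpd.c hunk only reads it (strlen and memcpy), so the prototype and the definition should both say `const char *password`; the vty caller passes argv[1] straight through, so no caller changes. The comment `/* width of password field */` on PEER_PASSWORD_MAXLEN should also say whether `password[]` is expected to be NUL-terminated, because bgpd.c prints it with `%s` and the two files currently disagree about that. The flag bit `PEER_FLAG_TCP_SIGNATURE (1 << 9)` is only defined under TCP_MD5SIG; a short comment reserving bit 9 for it even when the option is off would keep a later flag from reusing the bit and silently changing the meaning of saved configs that were written with it.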
@@ -0,0 +1,16 @@
+--- configure.ac.orig Thu May 20 12:31:22 2004
++++ configure.ac Thu May 20 12:33:06 2004
+@@ -163,6 +163,13 @@
+ AC_MSG_RESULT(no)
+ fi
+
++AC_ARG_ENABLE(tcp-signature,
++[ --enable-tcp-signature enable TCP MD5 checksum capability])
++
++if test "${enable_tcp_signature}" = "yes"; then
++ AC_DEFINE(TCP_MD5SIG,,TCP signatures)
++fi
++
+ if test "${enable_user}" = "yes" || test x"${enable_user}" = x""; then
+ enable_user="quagga"
+ elif test "${enable_user}" = "no"; then
diff --git a/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c
new file mode 100644
index 000000000000..511cf9ef8a64
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c
@@ -0,0 +1,32 @@
+--- lib/sockopt.c.orig Fri Dec 13 20:15:29 2002
++++ lib/sockopt.c Mon Jan 5 08:25:17 2004
+@@ -197,3 +197,29 @@
+ #endif /* #if OS_TYPE */
+
+ }
++
++int
++sockopt_tcp_signature (int family, int sock, int enable)
++{
++ int ret;
++
++#ifdef TCP_MD5SIG
++ if (family == AF_INET)
++ {
++ ret = setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG,
++ (void *) &enable, sizeof (int));
++ if (ret < 0)
++ {
++ zlog (NULL, LOG_WARNING, "can't set sockopt TCP_MD5SIG %d to socket %d", enable, sock);
++ return -1;
++ }
++ return 0;
++ }
++#endif /* TCP_MD5SIG */
++
++ /* fallthrough */
++
++ zlog (NULL, LOG_WARNING, "can't set sockopt TCP_MD5SIG on socket %d with family %d",
++ sock, family);
++ return -1;
++}
diff --git a/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h
new file mode 100644
index 000000000000..0f439db920d3
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h
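Review bot: `AC_DEFINE(TCP_MD5SIG,,TCP signatures)` reuses the name of the socket option itself as the configure feature macro; the lib/sockopt.c hunk passes `TCP_MD5SIG` to setsockopt, so the empty-valued define from config.h and the numeric one from the system's netinet/tcp.h describe two different things under one name, and whichever is seen last wins (a redefinition warning at best, an empty setsockopt argument if config.h is included after the system header). I would define a separate feature symbol, e.g. `AC_DEFINE(HAVE_TCP_MD5SIG,1,[TCP-MD5 signature support])`, and have the code test that symbol while leaving TCP_MD5SIG to the system headers. Since the feature is opt-in via --enable-tcp-signature, a configure-time check that netinet/tcp.h actually provides TCP_MD5SIG would catch a build on a system without the option, instead of silently compiling only the warning path of sockopt_tcp_signature.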
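Review bot: sockopt_tcp_signature logs both failure cases without the reason: the setsockopt branch drops errno, so the LOG_WARNING cannot tell an unsupported option from a missing SA or a bad descriptor, which is exactly what an operator needs when a signed session fails to come up; `zlog (NULL, LOG_WARNING, "can't set sockopt TCP_MD5SIG %d to socket %d: %s", enable, sock, strerror (errno));` would carry it. The parameter is named `enable` and passed as a plain int, yet the bgpd callers in this commit hand it `TCP_SIG_SPI_BASE + peer->port`; a header comment should state whether the kernel treats the value as a boolean or as an SPI, since that decides whether the SPI arithmetic in the callers means anything. The `/* fallthrough */` comment sits between two statements rather than in a switch and reads as if a case is missing; `/* unsupported family, or built without TCP_MD5SIG */` says what actually reaches the final warning. With TCP_MD5SIG undefined, `ret` is declared but never used, which the usual warning flags will report.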
@@ -0,0 +1,11 @@
+--- lib/sockopt.h.orig Fri Dec 13 20:15:29 2002
++++ lib/sockopt.h Mon Jan 5 08:25:17 2004
+@@ -37,5 +37,8 @@
+ unsigned int mcast_addr,
+ unsigned int ifindex);
+
++#ifdef TCP_MD5SIG
++int sockopt_tcp_signature(int family, int sock, int enable);
++#endif /* TCP_MD5SIG */
+
+ #endif /*_ZEBRA_SOCKOPT_H */ |