authorbms <bms@FreeBSD.org>2004-05-20 19:51:44 +0800
committerbms <bms@FreeBSD.org>2004-05-20 19:51:44 +0800
commitfdec4f9ce5b3e5fbc1da33133b7fa816ad58dd97 (patch)
tree67957e6b91a9b176400927838ee4be120f01ef11 /net
parent034b6a1a743d4d1f470bc44331acb6115da4a4de (diff)
Add TCP-MD5 application-level support to the FreeBSD quagga port.
Note that this still requires the network administrator to set up TCP-MD5 SAs in the system SADB via setkey(8).
Diffstat (limited to 'net')
-rw-r--r--net/quagga/Makefile1
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c42
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c59
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c82
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h38
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-configure.ac16
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c32
-rw-r--r--net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h11
-rw-r--r--net/quagga/scripts/configure.quagga7
9 files changed, 287 insertions, 1 deletions
diff --git a/net/quagga/Makefile b/net/quagga/Makefile
index 2f82894a930..ebf565b6a13 100644
--- a/net/quagga/Makefile
+++ b/net/quagga/Makefile
@@ -125,6 +125,7 @@ pre-everything::
@${ECHO} " RTADV IPv6 Router Advertisements"
@${ECHO} " SNMP SNMP support"
@${ECHO} " TCPSOCKETS Use TCP/IP sockets for protocol daemons"
+ @${ECHO} " TCPMD5 TCP-MD5 support for BGP sessions"
pre-configure:
@(cd ${CONFIGURE_WRKSRC} && ${SETENV} ${AUTOMAKE_ENV} ${ACLOCAL} )
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c
new file mode 100644
index 00000000000..31ce42a802f
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_network.c
@@ -0,0 +1,42 @@
+--- bgpd/bgp_network.c.orig Wed Aug 27 05:09:14 2003
++++ bgpd/bgp_network.c Wed Jan 7 14:24:34 2004
+@@ -35,6 +35,10 @@
+ #include "bgpd/bgp_debug.h"
+ #include "bgpd/bgp_network.h"
+
++#ifndef TCP_SIG_SPI_BASE
++#define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
++#endif
++
+ extern struct zebra_privs_t bgpd_privs;
+
+
+@@ -141,6 +145,15 @@
+ return ret;
+ }
+ #endif /* SO_BINDTODEVICE */
++
++#ifdef TCP_MD5SIG
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd,
++ TCP_SIG_SPI_BASE + peer->port);
++ else
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, 0);
++#endif /* TCP_MD5SIG */
++
+ return 0;
+ }
+
+@@ -243,6 +256,12 @@
+ if (peer->ifname)
+ ifindex = if_nametoindex (peer->ifname);
+ #endif /* HAVE_IPV6 */
++
++#ifdef TCP_MD5SIG
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd,
++ TCP_SIG_SPI_BASE + peer->port);
++#endif /* TCP_MD5SIG */
+
+ if (BGP_DEBUG (events, EVENTS))
+ plog_info (peer->log, "%s [Event] Connect start to %s fd %d",
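Review bot: Both new sockopt_tcp_signature calls (the one after the SO_BINDTODEVICE block and the one before the "Connect start" debug message) discard the return value, so a peer with PEER_FLAG_TCP_SIGNATURE set whose setsockopt fails carries on as an unsigned session with nothing but a log warning — fail-open for an authentication feature. At least on the connect path the failure should abort the attempt, e.g. `if (sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, TCP_SIG_SPI_BASE + peer->port) < 0) return -1;` (adjust to whatever error the enclosing function returns for other setup failures; its start is outside the hunk). The value `TCP_SIG_SPI_BASE + peer->port` is handed to a parameter named `enable` and the fallback define is duplicated here and in bgpd.c under an XXX; a comment at the define saying whether the kernel treats it as a boolean or as an SPI would spare the next reader a trip to tcp(4). Both enclosing functions start outside this hunk.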
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c
new file mode 100644
index 00000000000..4f70b147c48
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgp_vty.c
@@ -0,0 +1,59 @@
+--- bgpd/bgp_vty.c.orig Fri Oct 24 19:49:09 2003
++++ bgpd/bgp_vty.c Mon Jan 5 08:34:08 2004
+@@ -1352,6 +1352,45 @@
+ "AS number used as local AS\n"
+ "Do not prepend local-as to updates from ebgp peers\n")
+
++#ifdef TCP_MD5SIG
++DEFUN (neighbor_password,
++ neighbor_password_cmd,
++ NEIGHBOR_CMD2 "password WORD",
++ NEIGHBOR_STR
++ NEIGHBOR_ADDR_STR2
++ "Specify a password for TCPMD5 authentication with this peer\n")
++{
++ struct peer *peer;
++ int ret;
++
++ peer = peer_and_group_lookup_vty (vty, argv[0]);
++ if (! peer)
++ return CMD_WARNING;
++
++ ret = peer_password_set (peer, argv[1]);
++ return bgp_vty_return (vty, ret);
++}
++
++DEFUN (no_neighbor_password,
++ no_neighbor_password_cmd,
++ NO_NEIGHBOR_CMD2 "password",
++ NO_STR
++ NEIGHBOR_STR
++ NEIGHBOR_ADDR_STR2
++ "Disable TCPMD5 authentication with this peer\n")
++{
++ struct peer *peer;
++ int ret;
++
++ peer = peer_and_group_lookup_vty (vty, argv[0]);
++ if (! peer)
++ return CMD_WARNING;
++
++ ret = peer_password_unset (peer);
++ return bgp_vty_return (vty, ret);
++}
++#endif /* TCP_MD5SIG */
++
+ DEFUN (neighbor_activate,
+ neighbor_activate_cmd,
+ NEIGHBOR_CMD2 "activate",
+@@ -7857,6 +7896,10 @@
+ install_element (BGP_NODE, &no_neighbor_local_as_cmd);
+ install_element (BGP_NODE, &no_neighbor_local_as_val_cmd);
+ install_element (BGP_NODE, &no_neighbor_local_as_val2_cmd);
++
++ /* "neighbor password" commands. */
++ install_element (BGP_NODE, &neighbor_password_cmd);
++ install_element (BGP_NODE, &no_neighbor_password_cmd);
+
+ /* "neighbor activate" commands. */
+ install_element (BGP_NODE, &neighbor_activate_cmd);
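Review bot: neighbor_password accepts a password for any neighbour, but the sockopt_tcp_signature added in the lib/sockopt.c hunk only handles AF_INET and the callers in bgp_network.c ignore its result, so `neighbor <ipv6-addr> password WORD` is accepted and then silently produces an unsigned session. Reject it at the vty where the operator can see it, e.g. `if (peer->su.sa.sa_family != AF_INET) { vty_out (vty, "%% TCP-MD5 is only supported for IPv4 peers%s", VTY_NEWLINE); return CMD_WARNING; }` before calling peer_password_set. peer_and_group_lookup_vty can also return a peer-group entry; peer_password_set in the bgpd.c hunk writes the password and flag on the structure it is given only, and whether group members inherit it is not visible in this diff, so that case deserves either propagation or an explicit refusal. The help strings could spell the feature consistently with the rest of the patch ("TCP-MD5" rather than "TCPMD5").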
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c
new file mode 100644
index 00000000000..60b3b5b2137
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.c
@@ -0,0 +1,82 @@
+--- bgpd/bgpd.c.orig Wed Aug 27 05:09:16 2003
++++ bgpd/bgpd.c Wed Jan 7 14:20:48 2004
+@@ -59,6 +59,9 @@
+ #ifdef HAVE_SNMP
+ #include "bgpd/bgp_snmp.h"
+ #endif /* HAVE_SNMP */
++#ifndef TCP_SIG_SPI_BASE
++#define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
++#endif
+
+ /* BGP process wide configuration. */
+ static struct bgp_master bgp_master;
+@@ -3063,6 +3066,55 @@
+ return 0;
+ }
+
++#ifdef TCP_MD5SIG
++/* Set password for authenticating with the peer. */
++int
++peer_password_set (struct peer *peer, char *password)
++{
++ struct bgp *bgp = peer->bgp;
++ int len;
++
++ len = strlen(password);
++
++ if ((len < PEER_PASSWORD_MINLEN) || (len > PEER_PASSWORD_MAXLEN))
++ return BGP_ERR_INVALID_VALUE;
++
++ memcpy(peer->password, password, len);
++
++ /*
++ * XXX Need to do PF_KEY operation here to add an SA entry,
++ * and add an SP entry for this peer's packet flows also.
++ */
++
++ SET_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE);
++
++ if (peer->fd >= 0)
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, TCP_SIG_SPI_BASE +
++ peer->port);
++
++ return 0;
++}
++
++int
++peer_password_unset (struct peer *peer)
++{
++ struct bgp *bgp = peer->bgp;
++
++ UNSET_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE);
++ /* Paranoia. */
++ memset(peer->password, 0, sizeof(peer->password));
++
++ if (peer->fd >= 0)
++ sockopt_tcp_signature (peer->su.sa.sa_family, peer->fd, 0);
++
++ /*
++ * XXX Need to do PF_KEY operation here to remove the SA and SP.
++ */
++
++ return 0;
++}
++#endif /* TCP_MD5SIG */
++
+ /* Set distribute list to the peer. */
+ int
+ peer_distribute_set (struct peer *peer, afi_t afi, safi_t safi, int direct,
+@@ -4041,6 +4093,13 @@
+ if (peer->desc)
+ vty_out (vty, " neighbor %s description %s%s", addr, peer->desc,
+ VTY_NEWLINE);
++
++#ifdef TCP_MD5SIG
++ /* tcp-md5 session password. XXX the password should be obfuscated */
++ if (CHECK_FLAG (peer->flags, PEER_FLAG_TCP_SIGNATURE))
++ vty_out (vty, " neighbor %s password %s%s", addr, peer->password,
++ VTY_NEWLINE);
++#endif /* TCP_MD5SIG */
+
+ /* Shutdown. */
+ if (CHECK_FLAG (peer->flags, PEER_FLAG_SHUTDOWN))
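Review bot: peer_password_set copies exactly `len` bytes into peer->password, which the bgpd.h hunk declares as `char password[PEER_PASSWORD_MAXLEN]` with PEER_PASSWORD_MAXLEN == 80, and the range check admits len == 80, so an 80-character password is stored without a terminator and the `vty_out (vty, " neighbor %s password %s%s", ...)` in the config writer reads past the array. Setting a shorter password after a longer one likewise leaves the old tail in place, and the written config shows the two concatenated. Clear the field before copying and reserve the terminator: `memset (peer->password, 0, sizeof (peer->password));` ahead of the memcpy, and reject `len >= sizeof (peer->password)` rather than `len > PEER_PASSWORD_MAXLEN`. The `struct bgp *bgp = peer->bgp;` locals in both functions are unused, and the XXX on the plaintext password in the config writer is fair since, as the commit message notes, the password is not yet fed into the SADB at all.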
diff --git a/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h
new file mode 100644
index 00000000000..4edd976fccf
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-bgpd::bgpd.h
@@ -0,0 +1,38 @@
+--- bgpd/bgpd.h.orig Wed Aug 27 05:09:16 2003
++++ bgpd/bgpd.h Wed Jan 7 14:28:38 2004
+@@ -312,6 +312,9 @@
+ #define PEER_FLAG_DYNAMIC_CAPABILITY (1 << 6) /* dynamic capability */
+ #define PEER_FLAG_ENFORCE_MULTIHOP (1 << 7) /* enforce-multihop */
+ #define PEER_FLAG_LOCAL_AS_NO_PREPEND (1 << 8) /* local-as no-prepend */
++#ifdef TCP_MD5SIG /* XXX should move to AF_INET/SFI_UNICAST below */
++#define PEER_FLAG_TCP_SIGNATURE (1 << 9) /* use TCP-MD5 digest */
++#endif /* TCP_MD5SIG */
+
+ /* Per AF configuration flags. */
+ u_int32_t af_flags[AFI_MAX][SAFI_MAX];
+@@ -441,6 +444,13 @@
+ #define PEER_RMAP_TYPE_REDISTRIBUTE (1 << 3) /* redistribute route-map */
+ #define PEER_RMAP_TYPE_DEFAULT (1 << 4) /* default-originate route-map */
+ #define PEER_RMAP_TYPE_NOSET (1 << 5) /* not allow to set commands */
++
++#ifdef TCP_MD5SIG
++ /* TCP-MD5 Password Support -- bms */
++#define PEER_PASSWORD_MINLEN 1
++#define PEER_PASSWORD_MAXLEN 80 /* width of password field */
++ char password[PEER_PASSWORD_MAXLEN];
++#endif /* TCP_MD5SIG */
+ };
+
+ /* This structure's member directly points incoming packet data
+@@ -815,6 +825,11 @@
+
+ int peer_local_as_set (struct peer *, as_t, int);
+ int peer_local_as_unset (struct peer *);
++
++#ifdef TCP_MD5SIG
++int peer_password_set (struct peer *, char *);
++int peer_password_unset (struct peer *);
++#endif /* TCP_MD5SIG */
+
+ int peer_prefix_list_set (struct peer *, afi_t, safi_t, int, char *);
+ int peer_prefix_list_unset (struct peer *, afi_t, safi_t, int);
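Review bot: PEER_PASSWORD_MAXLEN is used both as the array size and as the largest accepted length in peer_password_set (bgpd.c hunk), so a maximum-length password fills all 80 bytes and leaves no room for the NUL that the `%s` in the config writer relies on. Declare the field with a spare byte, `char password[PEER_PASSWORD_MAXLEN + 1];`, and make the comment say what the limit means: `/* max length in chars, excluding the NUL */`. The XXX about moving PEER_FLAG_TCP_SIGNATURE into the per-AF flags is worth keeping, since the sockopt helper in this diff only supports AF_INET.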
diff --git a/net/quagga/files/extra-tcpmd5-patch-configure.ac b/net/quagga/files/extra-tcpmd5-patch-configure.ac
new file mode 100644
index 00000000000..5ca3d52ffad
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-configure.ac
@@ -0,0 +1,16 @@
+--- configure.ac.orig Thu May 20 12:31:22 2004
++++ configure.ac Thu May 20 12:33:06 2004
+@@ -163,6 +163,13 @@
+ AC_MSG_RESULT(no)
+ fi
+
++AC_ARG_ENABLE(tcp-signature,
++[ --enable-tcp-signature enable TCP MD5 checksum capability])
++
++if test "${enable_tcp_signature}" = "yes"; then
++ AC_DEFINE(TCP_MD5SIG,,TCP signatures)
++fi
++
+ if test "${enable_user}" = "yes" || test x"${enable_user}" = x""; then
+ enable_user="quagga"
+ elif test "${enable_user}" = "no"; then
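Review bot: `--enable-tcp-signature` does an unconditional `AC_DEFINE(TCP_MD5SIG,,...)` without probing that <netinet/tcp.h> declares the option, and it reuses the socket-option name as the feature macro. Where the header lacks TCP_MD5SIG the macro expands to nothing and the `setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, ...)` in the sockopt.c hunk will not compile; where the header has it, config.h and tcp.h define the same name with different bodies, which is a redefinition warning at best depending on include order (not visible here). Probe for the declaration with AC_CHECK_DECL against <sys/types.h>, <netinet/in.h> and <netinet/tcp.h>, fail configure with AC_MSG_ERROR when it is absent, and define a separate symbol such as HAVE_TCP_MD5SIG for the `#ifdef` guards in the other patches.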
diff --git a/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c
new file mode 100644
index 00000000000..511cf9ef8a6
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.c
@@ -0,0 +1,32 @@
+--- lib/sockopt.c.orig Fri Dec 13 20:15:29 2002
++++ lib/sockopt.c Mon Jan 5 08:25:17 2004
+@@ -197,3 +197,29 @@
+ #endif /* #if OS_TYPE */
+
+ }
++
++int
++sockopt_tcp_signature (int family, int sock, int enable)
++{
++ int ret;
++
++#ifdef TCP_MD5SIG
++ if (family == AF_INET)
++ {
++ ret = setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG,
++ (void *) &enable, sizeof (int));
++ if (ret < 0)
++ {
++ zlog (NULL, LOG_WARNING, "can't set sockopt TCP_MD5SIG %d to socket %d", enable, sock);
++ return -1;
++ }
++ return 0;
++ }
++#endif /* TCP_MD5SIG */
++
++ /* fallthrough */
++
++ zlog (NULL, LOG_WARNING, "can't set sockopt TCP_MD5SIG on socket %d with family %d",
++ sock, family);
++ return -1;
++}
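Review bot: The warning logged when setsockopt fails drops errno, so an operator cannot distinguish EPERM (no privilege) from ENOPROTOOPT (kernel without TCP signature support) or EINVAL; append it, e.g. `"can't set sockopt TCP_MD5SIG %d to socket %d: %s", enable, sock, strerror (errno)` (or the lib's safe_strerror if this tree provides one). Every non-AF_INET family returns -1, so an IPv6 peer given a password ends up unsigned unless the callers check the result, which the bgp_network.c hunk does not. `ret` is declared outside the `#ifdef` and is unused when TCP_MD5SIG is not defined, which will draw an unused-variable warning. A short header comment stating the contract would help: `/* Enable (enable != 0) or disable TCP-MD5 on sock. Returns 0, or -1 with a warning logged. */`.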
diff --git a/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h
new file mode 100644
index 00000000000..0f439db920d
--- /dev/null
+++ b/net/quagga/files/extra-tcpmd5-patch-lib::sockopt.h
@@ -0,0 +1,11 @@
+--- lib/sockopt.h.orig Fri Dec 13 20:15:29 2002
++++ lib/sockopt.h Mon Jan 5 08:25:17 2004
+@@ -37,5 +37,8 @@
+ unsigned int mcast_addr,
+ unsigned int ifindex);
+
++#ifdef TCP_MD5SIG
++int sockopt_tcp_signature(int family, int sock, int enable);
++#endif /* TCP_MD5SIG */
+
+ #endif /*_ZEBRA_SOCKOPT_H */
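Review bot: The prototype is wrapped in `#ifdef TCP_MD5SIG`, but the definition in the lib/sockopt.c hunk is unconditional, so a build without TCP_MD5SIG compiles sockopt_tcp_signature with no prior declaration and as dead code. Either guard the definition the same way, or declare it unconditionally and keep only the setsockopt inside the `#ifdef` so callers get a run-time "unsupported" result rather than a link-time surprise. A one-line comment on the declaration stating the contract would help: `/* Enable (non-zero) or disable TCP-MD5 on sock; returns 0 or -1 with a warning logged. */`.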
diff --git a/net/quagga/scripts/configure.quagga b/net/quagga/scripts/configure.quagga
index 938423229e6..b79b432b2a7 100644
--- a/net/quagga/scripts/configure.quagga
+++ b/net/quagga/scripts/configure.quagga
@@ -3,7 +3,7 @@
# configure - quagga compile time option configurator
# by Bruce M Simpson <bms@FreeBSD.org>
#
-# $FreeBSD: /tmp/pcvs/ports/net/quagga/scripts/Attic/configure.quagga,v 1.4 2004-03-02 04:02:52 bms Exp $
+# $FreeBSD: /tmp/pcvs/ports/net/quagga/scripts/Attic/configure.quagga,v 1.5 2004-05-20 11:51:44 bms Exp $
if [ -f ${WRKDIRPREFIX}${CURDIR}/Makefile.inc ]; then
exit
@@ -29,6 +29,7 @@ OSPF_OPAQUE_LSA "OSPF Opaque-LSA with OSPFAPI support (RFC2370)" "$status_OSPF_O
RTADV "IPv6 Router Advertisements" "$status_RTADV" \
SNMP "SNMP support" "$status_SNMP" \
TCPSOCKETS "Use TCP/IP sockets for protocol daemons" "$status_TCPSOCKETS" \
+TCPMD5 "Support TCP-MD5 for BGP sessions" "$status_TCPMD5" \
2> $tempfile
retval=$?
@@ -76,6 +77,10 @@ while [ "$1" ]; do
echo 'LIB_DEPENDS+=netsnmp.6:${PORTSDIR}/net-mgmt/net-snmp:install'
fi
;;
+ TCPMD5)
+ echo 'CONFIGURE_ARGS+= --enable-tcp-signature'
+ echo 'EXTRA_PATCHES+= ${PATCHDIR}/extra-tcpmd5-patch-configure.ac ${PATCHDIR}/extra-tcpmd5-patch-bgpd::bgp_network.c ${PATCHDIR}/extra-tcpmd5-patch-bgpd::bgp_vty.c ${PATCHDIR}/extra-tcpmd5-patch-bgpd::bgpd.c ${PATCHDIR}/extra-tcpmd5-patch-bgpd::bgpd.h ${PATCHDIR}/extra-tcpmd5-patch-lib::sockopt.c ${PATCHDIR}/extra-tcpmd5-patch-lib::sockopt.h'
+ ;;
TCPSOCKETS)
echo 'CONFIGURE_ARGS+= --enable-tcp-zebra'
;;
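Review bot: Selecting TCPMD5 pulls in the bgpd and lib patches, but nothing in this diff tells the user that bgpd does not install the kernel SAs itself and that setkey(8) is still needed — that requirement appears only in the commit message. Surface it where the operator will see it, e.g. in the option description, `TCPMD5 "TCP-MD5 for BGP sessions (SAs must be added with setkey(8))"`, or in a pkg-message, so that enabling the option does not yield a session that looks authenticated but is not. The configure.ac patch also needs the configure script regenerated; the Makefile hunk shows pre-configure running ${ACLOCAL}, but whether autoconf is rerun as well is not visible here.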