Nest: Allow MAC algorithms to specify min/max key length

Add min/max key length fields to the MAC algorithm description and validate configured keys before they are used.
2024-05-11 16:54:54 +00:00 · 2021-04-15 04:38:49 +02:00
parent 35f88b305a
commit 589f7d1e4f
5 changed files with 37 additions and 3 deletions
--- a/nest/password.c
+++ b/nest/password.c
@@ -9,6 +9,7 @@

 #include "nest/bird.h"
 #include "nest/password.h"
+#include "conf/conf.h"
 #include "lib/string.h"
 #include "lib/timer.h"
 #include "lib/mac.h"
@@ -85,3 +86,28 @@ max_mac_length(list *l)

  return val;
 }
+
+/**
+ * password_validate_length - enforce key length restrictions
+ * @pi: Password item
+ *
+ * This is a common MAC algorithm validation function that will enforce that the
+ * key length constrains specified in the MAC type table.
+ */
+
+void
+password_validate_length(const struct password_item *pi)
+{
+  if (!pi->alg)
+    return;
+
+  const struct mac_desc *alg = &mac_table[pi->alg];
+
+  if (alg->min_key_length && (pi->length < alg->min_key_length))
+    cf_error("Key length (%u B) below minimum length of %u B for %s",
+             pi->length, alg->min_key_length, alg->name);
+
+  if (alg->max_key_length && (pi->length > alg->max_key_length))
+    cf_error("Key length (%u B) exceeds maximum length of %u B for %s",
+             pi->length, alg->max_key_length, alg->name);
+}