BSD: Add the IPsec SA/SP database entries control

Add code for manipulation with TCP-MD5 keys in the IPsec SA/SP database at FreeBSD systems. Now, BGP MD5 authentication (RFC 2385) keys are handled automatically on both Linux and FreeBSD. Based on patches from Pavel Tvrdik.
2024-05-11 16:54:54 +00:00 · 2016-04-13 14:30:28 +02:00
parent 43fc6bb0fb
commit a7baa09862
10 changed files with 226 additions and 34 deletions
--- a/sysdep/bsd/sysio.h
+++ b/sysdep/bsd/sysio.h
@@ -189,30 +189,26 @@ sk_prepare_ip_header(sock *s, void *hdr, int dlen)
 #ifndef TCP_KEYLEN_MAX
 #define TCP_KEYLEN_MAX 80
 #endif
+
 #ifndef TCP_SIG_SPI
 #define TCP_SIG_SPI 0x1000
 #endif

-/* 
- * FIXME: Passwords has to be set by setkey(8) command. This is the same
- * behaviour like Quagga. We need to add code for SA/SP entries
- * management.
- */
+#if defined(__FreeBSD__)
+#define USE_MD5SIG_SETKEY
+#include "lib/setkey.h"
+#endif

 int
-sk_set_md5_auth(sock *s, ip_addr a, struct iface *ifa, char *passwd)
+sk_set_md5_auth(sock *s, ip_addr local, ip_addr remote, struct iface *ifa, char *passwd, int setkey UNUSED)
 {
-  int enable = 0;
-
-  if (passwd && *passwd)
-  {
-    int len = strlen(passwd);
-    enable = TCP_SIG_SPI;
-
-    if (len > TCP_KEYLEN_MAX)
-      ERR_MSG("MD5 password too long");
-  }
+#ifdef USE_MD5SIG_SETKEY
+  if (setkey)
+    if (sk_set_md5_in_sasp_db(s, local, remote, ifa, passwd) < 0)
+      return -1;
+#endif

+  int enable = (passwd && *passwd) ? TCP_SIG_SPI : 0;
  if (setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &enable, sizeof(enable)) < 0)
  {
    if (errno == ENOPROTOOPT)