sk->type = SK_TCP_PASSIVE;
sk->ttl = 255;
sk->saddr = addr;
- // sk->daddr = p->remote_ip;
sk->sport = port;
sk->iface = ifa;
sk->vrf = p->p.vrf;
sk->tbsize = BGP_TX_BUFFER_SIZE;
sk->rx_hook = bgp_incoming_connection;
sk->err_hook = bgp_listen_sock_err;
- //sk->password = p->cf->password;
- log("passive connect p %i, c cf %i %s", p, p->cf, p->cf->password ? p->cf->password : "no password");
if (sk_open(sk) < 0)
goto err;
-
+
+ log("____________________________________________________________________________%i %i", sk->fd, sk->ao_key);
bs = mb_allocz(proto_pool, sizeof(struct bgp_socket));
bs->sk = sk;
bs->uc = 1;
{
log("set ao auth [%s]", p->cf->ao_key->master_key);
struct ao_key *key = p->cf->ao_key;
+ p->sock->sk->ao_key = key;
do {
rv = sk_set_ao_auth(p->sock->sk,
p->cf->local_ip, prefix, pxlen, p->cf->iface,
conn->channels_to_send = 0;
conn->last_channel = 0;
conn->last_channel_count = 0;
+ conn->last_used_ao_key = -1;
conn->connect_timer = tm_new_init(p->p.pool, bgp_connect_timeout, conn, 0, 0);
conn->hold_timer = tm_new_init(p->p.pool, bgp_hold_timeout, conn, 0, 0);
bgp_setup_sk(conn, s);
bgp_conn_set_state(conn, BS_CONNECT);
- log("active open p %i, c cf %i %s ", p, p->cf, p->cf->password ? p->cf->password : "no password");
if (sk_open(s) < 0)
goto err;
- //int rv = sk_set_ao_auth(s, p->local_ip, p->remote_ip, -1, s->iface, s->password ? s->password : "d3f4u1t", 1);
+ log("a..........................................................................................fd %i key %i %I", s->fd, s->ao_key, s->daddr);
+
/* Set minimal receive TTL if needed */
if (p->cf->ttl_security)
if (sk_set_min_ttl(s, 256 - hops) < 0)
log("in reconf ao");
sock *s_passiv = old_proto.sock->sk;
sock *s_activ = old_proto.conn->sk;
- int key_in_use = get_current_key_id(s_activ->fd);
+ int key_in_use_rem = get_current_key_id(s_activ->fd);
- if (key_in_use == -1)
+ if (key_in_use_rem == -1)
{
log("Unable to detect currently used key");
return 0;
struct ao_key *old_aos[256];
memset(&old_aos, 0, sizeof(struct ao_key*)*256);
+ struct ao_key *old_rem_id[256];
+ memset(&old_rem_id, 0, sizeof(struct ao_key*)*256);
+
for(struct ao_key *ao_key = old_proto.cf->ao_key; ao_key; ao_key = ao_key->next_key)
{
old_aos[ao_key->local_id] = ao_key;
+ old_rem_id[ao_key->remote_id] = ao_key;
}
+ int key_in_use = old_rem_id[key_in_use_rem]->local_id;
for(struct ao_key *ao_key = new.ao_key; ao_key; ao_key = ao_key->next_key)
{
if(old_aos[ao_key->local_id])
if(compare_aos(ao_key, old_aos[ao_key->local_id]))
{
struct ao_key *o = old_aos[ao_key->local_id];
- log("%i %i %i %i %s %s %s %s", ao_key->local_id, o->local_id, ao_key->remote_id, o->remote_id, ao_key->cipher, o->cipher, ao_key->master_key, o->master_key);
+ log("%i %i (master %i) %i %i %s %s %s %s", ao_key->local_id, o->local_id, key_in_use, ao_key->remote_id, o->remote_id, ao_key->cipher, o->cipher, ao_key->master_key, o->master_key);
if (ao_key->local_id == key_in_use)
{
- //struct ao_key *o = old_aos[ao_key->local_id];
- //log("%i %i %i %i %s %s %s %s", ao_key->local_id, o->local_id, ao_key->remote_id, o->remote_id, ao_key->cipher, o->cipher, ao_key->master_key, o->master_key);
- log("Currently used master key part update. This is not allowed.");
+ cf_warn("TCP AO reconfiguration: Currently used master key (%i) part update. This is not allowed.", ao_key->local_id);
return 0;
}
- log("Reusing key id. Not nice. Lets try to update.");
+ cf_warn("TCP AO reconfiguration: Reusing or manipulating key with id %i. This might break connection.", ao_key->local_id);
struct ao_key *old_key = old_aos[ao_key->local_id];
ao_delete_key(s_activ, old_proto.remote_ip, -1, s_activ->iface, old_key->local_id, old_key->remote_id);
}
else
{
+ if (old_rem_id[ao_key->remote_id])
+ cf_warn("TCP AO reconfiguration: Reusing remote id %i with new local id %i. This might break your connection.", ao_key->remote_id, ao_key->local_id);
sk_set_ao_auth(s_activ, old_proto.local_ip, old_proto.remote_ip, -1, s_activ->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, ao_key->required == 1);
sk_set_ao_auth(s_passiv, old_proto.local_ip, old_proto.remote_ip, -1, s_passiv->iface, ao_key->master_key, ao_key->local_id, ao_key->remote_id, ao_key->cipher, 0);
}
+ s_activ->ao_key = new.ao_key;
+ s_passiv->ao_key = new.ao_key;
- if (ao_key->required == 1)
+ if (ao_key->required == 1 && (ao_key->local_id != get_rnext_key_id(s_activ->fd)))
{
- ao_try_change_master(s_activ->fd, ao_key->local_id); // or remote id?
+ ao_try_change_master(s_activ->fd, ao_key->local_id);
+ if (old_proto.conn->hold_timer->expires != 0)
+ bgp_schedule_packet(old_proto.conn, NULL, PKT_KEEPALIVE); // According to RFC we should not send keepalive shortly after another, but since reconfiguration is rare, this is harmless
}
}
for(int i = 0; i<256; i++)
{
if (i == key_in_use)
{
- log("Currently used key deletion. This is not allowed.");
+ cf_warn("TCP AO reconfiguration: Currently used key (id %i) deletion. This is not allowed.", i);
return 0;
}
ao_delete_key(s_activ, old_proto.remote_ip, -1, s_activ->iface, old_aos[i]->local_id, old_aos[i]->remote_id);
ao_delete_key(s_passiv, old_proto.remote_ip, -1, s_passiv->iface, old_aos[i]->local_id, old_aos[i]->remote_id);
}
}
- log("no changes in ao");
+ log("no big changes in ao");
return 1;
}
ao_first_item:
LOCAL ID expr ';' {
+ if($3 >= 256)
+ cf_error("Key ids ust be in range 0 - 255");
if (!BGP_CFG->ao_lp)
BGP_CFG->ao_lp = lp_new(rp_new(&root_pool, "ao struct pool"));
struct ao_key *new_key = lp_alloc(BGP_CFG->ao_lp, sizeof(struct ao_key));
BGP_CFG->ao_key = new_key;
BGP_CFG->ao_key->required = 0;
BGP_CFG->ao_key->local_id = $3;
+ BGP_CFG->ao_key->remote_id = -1;
}
;
ao_item:
- REMOTE ID expr ';' {log("remote id %i", $3); BGP_CFG->ao_key->remote_id = $3; }
- | CIPHER text ';' { char *c = lp_alloc(BGP_CFG->ao_lp, strlen($2));
+ REMOTE ID expr ';' {
+ if ($3 > 255)
+ cf_error("TCP AO: Key id must be in range 0 - 255");
+ BGP_CFG->ao_key->remote_id = $3; }
+ | CIPHER text ';' {
+ if (strcmp($2, "cmac(aes128)") & strcmp($2, "hmac(sha1)") & strcmp($2, "hmac(sha224)") & strcmp($2, "hmac(sha256)") & strcmp($2, "hmac(sha384)") & strcmp($2, "hmac(sha512)")& strcmp($2, "hmac(md5)"))
+ cf_error("TCP AO: Here are ciphers 'cmac(aes128)', 'hmac(md5)', 'hmac(sha1)', 'hmac(sha224)', 'hmac(sha256)', 'hmac(sha384)' and 'hmac(sha512)' hardcoded. If there is another cipher available in kernel, please contact BIRD developers.");
+ char *c = lp_alloc(BGP_CFG->ao_lp, strlen($2));
memcpy(c, $2, strlen($2));
BGP_CFG->ao_key->cipher = c;
- log("ciph[%s]", $2); }
+ }
| MASTER KEY text ';' {
char *k = lp_alloc(BGP_CFG->ao_lp, strlen($3));
memcpy(k, $3, strlen($3));
BGP_CFG->ao_key->master_key = k;
- log("key[%s]", BGP_CFG->ao_key->master_key);}
+ }
| DEPRECATED ';' { BGP_CFG->ao_key->required = -1; }
| REQUIRED ';' { BGP_CFG->ao_key->required = 1; }
;
while (key)
{
if (used_aos_id_loc[key->local_id])
- cf_error("Reused local key id");
+ cf_error("TCP AO: Reused local key id %i", key->local_id);
used_aos_id_loc[key->local_id] = 1;
+ if (key->remote_id == -1)
+ cf_error("TCP AO: No remote key id for local id %i", key->local_id);
if (used_aos_id_rem[key->remote_id])
- cf_error("Reused remote key id");
+ cf_error("TCP AO: Reused remote key id %i", key->remote_id);
used_aos_id_rem[key->remote_id] = 1;
+ if (!key->cipher)
+ cf_error("TCP AO: No cipher given for key id %i.", key->local_id);
+ if (!key->master_key)
+ cf_error("TCP AO: No master key given for key id %i.", key->local_id);
if (key->required == 1)
{
if (required_found)
- cf_error("How do you want to use two keys at once? Check 'REQUIRED'");
+ cf_error("TCP AO: How do you want to use two keys at once? Check 'REQUIRED'");
required_found = 1;
}
key = key->next_key;
}
if (required_found == 0)
- cf_error("Missing 'REQUIRED'. Which key should be used?");
+ cf_error("TCP AO: Missing 'REQUIRED'. Which key should be used?");
}
bgp_channel_start: bgp_afi
return tmp.current_key;
}
+int get_rnext_key_id(int sock_fd)
+{
+ struct tcp_ao_info_opt_ext tmp;
+ memset(&tmp, 0, sizeof(struct tcp_ao_info_opt_ext));
+ socklen_t len = sizeof(tmp);
+
+ if (getsockopt(sock_fd, IPPROTO_TCP, TCP_AO_INFO, &tmp, &len))
+ {
+ log("get rnext ao key failed %i", errno);
+ return -1;
+ }
+ else
+ return tmp.rnext;
+}
+
void
log_tcp_ao_get_key(int sock_fd)
{
{
struct tcp_ao_add_ext ao;
memset(&ao, 0, sizeof(struct tcp_ao_add_ext));
- log("in sk set ao, pass %s", passwd);
+ if (!s->ao_key)
+ bug("no ao key");
+ log(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>in sk set ao, pass %s fd %i sk %i %i", passwd, s->fd, s, s->ao_key);
/* int af;
if (ipa_is_ip4(remote))
af = AF_INET;
ao.keylen = strlen(passwd);
memcpy(ao.key, passwd, (strlen(passwd) > TCP_AO_MAXKEYLEN_) ? TCP_AO_MAXKEYLEN_ : strlen(passwd));
-
- int IPPROTO_TCP_ = 6;
+
if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_ADD_KEY, &ao, sizeof(ao)) < 0)
bug("tcp ao err %i", errno);
del.prefix = 32;
else
del.prefix = 128;
- int IPPROTO_TCP_ = 6;
+
if (setsockopt(s->fd, IPPROTO_TCP, TCP_AO_DEL_KEY, &del, sizeof(del)) < 0)
bug("tcp ao deletion err %i", errno);
log("tcp ao key %i %i deleted", passwd_id_loc, passwd_id_rem);
projects / thirdparty / bird.git / commitdiff
