authorOndrej Zajicek <santiago@crfreenet.org>2008-10-26 22:42:39 +0100
committerOndrej Zajicek <santiago@crfreenet.org>2008-10-26 22:42:39 +0100
commitd51aa2819005a03e4cfb6f62333be6ccadfb3c06 (patch)
tree2a76b826cfdac4cf1a94a305f9fe416a2df45840 /proto
parent11cb620266035ffbe17b21c4a174380cb8b6a521 (diff)
Implementation of MD5 authentication of BGP sessions.
Diffstat (limited to 'proto')
-rw-r--r--proto/bgp/bgp.c19
-rw-r--r--proto/bgp/bgp.h1
-rw-r--r--proto/bgp/config.Y4
3 files changed, 22 insertions, 2 deletions
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index ed2524c..e1f5ec0 100644
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -78,10 +78,14 @@ static void bgp_setup_listen_sk(void);
static void
-bgp_close(struct bgp_proto *p UNUSED)
+bgp_close(struct bgp_proto *p)
{
ASSERT(bgp_counter);
bgp_counter--;
+
+ if (p->cf->password)
+ sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL);
+
if (!bgp_counter)
{
rfree(bgp_listen_sk);
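Review bot: The return value of `sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL)` in bgp_close is discarded, so a failure to remove the association leaves a stale key installed on the shared listening socket with no trace in the log, while the setup path in bgp_start treats a negative return from the same function as fatal. Checking it and reporting, e.g. `if (sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL) < 0) log(L_WARN "Cannot remove MD5 authentication for the listening socket");`, keeps the two paths symmetric and makes a lingering association visible to the operator. The body of bgp_close continues past the end of the hunk.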
@@ -330,6 +334,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
bgp_setup_conn(p, conn);
bgp_setup_sk(p, conn, s);
s->tx_hook = bgp_connected;
+ s->password = p->cf->password;
conn->state = BS_CONNECT;
if (sk_open(s))
{
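Review bot: `s->password = p->cf->password;` stores a pointer into the protocol configuration rather than a copy, so the outgoing socket's key is only valid for as long as `p->cf` is; if the configuration can be replaced while the connection is still open, the socket would read through a dangling pointer. If the socket layer copies the key when the option is applied this is fine, but the line should say so, e.g. `/* Aliases the config string; the socket layer must copy it or cf must outlive s */`, since nothing in this hunk shows which side owns the memory. The enclosing function bgp_connect starts before the hunk.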
@@ -506,6 +511,7 @@ bgp_start(struct proto *P)
bgp_counter++;
bgp_setup_listen_sk();
+
if (!bgp_linpool)
bgp_linpool = lp_new(&root_pool, 4080);
@@ -523,6 +529,17 @@ bgp_start(struct proto *P)
lock->hook = bgp_start_locked;
lock->data = p;
olock_acquire(lock);
+
+ /* We should create security association after we get a lock not to
+ * break existing connections.
+ */
+ if (p->cf->password)
+ {
+ int rv = sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, p->cf->password);
+ if (rv < 0)
+ return PS_STOP;
+ }
+
return PS_START;
}
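Review bot: The new comment says the association is created after the lock is obtained, but the call runs immediately after `olock_acquire(lock)`, and `lock->hook = bgp_start_locked;` two lines above suggests the lock is granted asynchronously through that hook, so the key is installed before the lock is actually held; if that reading is right, the call belongs in bgp_start_locked rather than here. Independently, the `return PS_STOP` branch gives no reason in the log, and it runs after `bgp_counter++` and `bgp_setup_listen_sk()` earlier in the function, so unless the core calls bgp_close for a protocol that returns PS_STOP from start, the counter and the acquired lock are left behind. At minimum add `log(L_ERR "Cannot set MD5 authentication on the listening socket");` before the return so the failure is attributable.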
diff --git a/proto/bgp/bgp.h b/proto/bgp/bgp.h
index aa1bd10..9338324 100644
--- a/proto/bgp/bgp.h
+++ b/proto/bgp/bgp.h
@@ -33,6 +33,7 @@ struct bgp_config {
unsigned error_delay_time_min; /* Time to wait after an error is detected */
unsigned error_delay_time_max;
unsigned disable_after_error; /* Disable the protocol when error is detected */
+ char *password; /* Password used for MD5 authentication */
};
struct bgp_conn {
diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y
index 63dfb61..580c008 100644
--- a/proto/bgp/config.Y
+++ b/proto/bgp/config.Y
@@ -20,7 +20,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY, KEEPALIVE,
MULTIHOP, STARTUP, VIA, NEXT, HOP, SELF, DEFAULT, PATH, METRIC,
ERROR, START, DELAY, FORGET, WAIT, DISABLE, AFTER,
BGP_PATH, BGP_LOCAL_PREF, BGP_MED, BGP_ORIGIN, BGP_NEXT_HOP,
- BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS)
+ BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS, PASSWORD)
CF_GRAMMAR
@@ -38,6 +38,7 @@ bgp_proto_start: proto_start BGP {
BGP_CFG->error_amnesia_time = 300;
BGP_CFG->error_delay_time_min = 60;
BGP_CFG->error_delay_time_max = 300;
+ BGP_CFG->password = NULL;
}
;
@@ -65,6 +66,7 @@ bgp_proto:
| bgp_proto ERROR FORGET TIME expr ';' { BGP_CFG->error_amnesia_time = $5; }
| bgp_proto ERROR WAIT TIME expr ',' expr ';' { BGP_CFG->error_delay_time_min = $5; BGP_CFG->error_delay_time_max = $7; }
| bgp_proto DISABLE AFTER ERROR bool ';' { BGP_CFG->disable_after_error = $5; }
+ | bgp_proto PASSWORD TEXT ';' { BGP_CFG->password = $3; }
;
CF_ADDTO(dynamic_attr, BGP_PATH
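Review bot: The `bgp_proto PASSWORD TEXT ';'` rule accepts a string of any length, including the empty string, while the kernel's TCP MD5 option imposes a fixed maximum key length; an unusable key is therefore only discovered when sk_set_md5_auth fails in bgp_start, which in this patch ends in a PS_STOP with no message. Validating the key here with cf_error (reject empty keys and keys longer than the limit the socket layer accepts) would give the operator a clear error at configuration time instead. The exact limit is a property of sk_set_md5_auth and is not visible in this diff, so it should be taken from there rather than hard-coded in the grammar.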