Linux specific TCP-MD5 handling moved to sysdep/linux/sysio.h (2b70f074) · Commits · 戴 / Bird

sysdep/bsd/sysio.h

+45 −0

Original line number	Diff line number	Diff line
		@@ -74,3 +74,48 @@ sysio_mcast_join(sock * s)
		}

		#endif


		#include <netinet/tcp.h>
		#ifndef TCP_KEYLEN_MAX
		#define TCP_KEYLEN_MAX 80
		#endif
		#ifndef TCP_SIG_SPI
		#define TCP_SIG_SPI 0x1000
		#endif

		/*
		* FIXME: Passwords has to be set by setkey(8) command. This is the same
		* behaviour like Quagga. We need to add code for SA/SP entries
		* management.
		*/

		static int
		sk_set_md5_auth_int(sock s, sockaddr sa, char *passwd)
		{
		int enable = 0;
		if (passwd)
		{
		int len = strlen(passwd);

		enable = len ? TCP_SIG_SPI : 0;

		if (len > TCP_KEYLEN_MAX)
		{
		log(L_ERR "MD5 password too long");
		return -1;
		}
		}

		int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &enable, sizeof(enable));

		if (rv < 0)
		{
		if (errno == ENOPROTOOPT)
		log(L_ERR "Kernel does not support TCP MD5 signatures");
		else
		log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
		}

		return rv;
		}

+35 −0

Original line number	Diff line number	Diff line
		@@ -160,3 +160,38 @@ struct tcp_md5sig {
		};

		#endif

		static int
		sk_set_md5_auth_int(sock s, sockaddr sa, char *passwd)
		{
		struct tcp_md5sig md5;

		memset(&md5, 0, sizeof(md5));
		memcpy(&md5.tcpm_addr, (struct sockaddr ) sa, sizeof(sa));

		if (passwd)
		{
		int len = strlen(passwd);

		if (len > TCP_MD5SIG_MAXKEYLEN)
		{
		log(L_ERR "MD5 password too long");
		return -1;
		}

		md5.tcpm_keylen = len;
		memcpy(&md5.tcpm_key, passwd, len);
		}

		int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5));

		if (rv < 0)
		{
		if (errno == ENOPROTOOPT)
		log(L_ERR "Kernel does not support TCP MD5 signatures");
		else
		log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
		}

		return rv;
		}

+0 −37

Original line number	Diff line number	Diff line
		@@ -738,43 +738,6 @@ sk_set_ttl(sock *s, int ttl)
		}


		/* FIXME: check portability */

		static int
		sk_set_md5_auth_int(sock s, sockaddr sa, char *passwd)
		{
		struct tcp_md5sig md5;

		memset(&md5, 0, sizeof(md5));
		memcpy(&md5.tcpm_addr, (struct sockaddr ) sa, sizeof(sa));

		if (passwd)
		{
		int len = strlen(passwd);

		if (len > TCP_MD5SIG_MAXKEYLEN)
		{
		log(L_ERR "MD5 password too long");
		return -1;
		}

		md5.tcpm_keylen = len;
		memcpy(&md5.tcpm_key, passwd, len);
		}

		int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5));

		if (rv < 0)
		{
		if (errno == ENOPROTOOPT)
		log(L_ERR "Kernel does not support TCP MD5 signatures");
		else
		log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
		}

		return rv;
		}

		/**
		* sk_set_md5_auth - add / remove MD5 security association for given socket.
		* @s: socket