Commit 35f88b30 authored by Toke Høiland-Jørgensen's avatar Toke Høiland-Jørgensen Committed by Ondrej Zajicek (work)
Browse files

Nest: Allow specifying security keys as hex bytes as well as strings 

Add support for specifying a password in hexadecimal format, The result
is the same whether a password is specified as a quoted string or a
hex-encoded byte string, this just makes it more convenient to input
high-entropy byte strings as MAC keys.
parent f1a82419

conf/cf-lex.l

+31 −0
Original line number Diff line number Diff line
@@ -255,6 +255,37 @@ WHITE [ \t] 
  return IP4;

}



{XIGIT}{2}(:{XIGIT}{2}|{XIGIT}{2}){15,} {

  char *s = yytext;

  size_t len = 0, i;

  struct bytestring *bytes;

  byte *b;



  while (*s) {

    len++;

    s += 2;

    if (*s == ':')

      s++;

  }

  bytes = cfg_allocz(sizeof(*bytes) + len);



  bytes->length = len;

  b = &bytes->data[0];

  s = yytext;

  errno = 0;

  for (i = 0; i < len; i++) {

    *b = bstrtobyte16(s);

    if (errno == ERANGE)

      cf_error("Invalid hex string");

    b++;

    s += 2;

    if (*s == ':')

      s++;

  }

  cf_lval.bs = bytes;

  return BYTESTRING;

}



({XIGIT}*::|({XIGIT}*:){3,})({XIGIT}*|{DIGIT}+\.{DIGIT}+\.{DIGIT}+\.{DIGIT}+) {

  if (!ip6_pton(yytext, &cf_lval.ip6))

    cf_error("Invalid IPv6 address %s", yytext);

conf/conf.h

+5 −0
Original line number Diff line number Diff line
@@ -136,6 +136,11 @@ struct sym_scope { 
  int active;				/* Currently entered */

};



struct bytestring {

  size_t length;

  byte data[];

};



#define SYM_MAX_LEN 64



/* Remember to update cf_symbol_class_name() */

conf/confbase.Y

+2 −0
Original line number Diff line number Diff line
@@ -92,6 +92,7 @@ CF_DECLS 
  struct channel_limit cl;

  struct timeformat *tf;

  mpls_label_stack *mls;

  struct bytestring *bs;

}



%token END CLI_MARKER INVALID_TOKEN ELSECOL DDOT
@@ -103,6 +104,7 @@ CF_DECLS 
%token <i64> VPN_RD

%token <s> CF_SYM_KNOWN CF_SYM_UNDEFINED

%token <t> TEXT

%token <bs> BYTESTRING

%type <iface> ipa_scope



%type <i> expr bool pxlen4

doc/bird.sgml

+6 −1
Original line number Diff line number Diff line
@@ -776,7 +776,7 @@ agreement"). 
	protocol packets are processed in the local TX queues. This option is

	Linux specific. Default value is 7 (highest priority, privileged traffic).



	<tag><label id="proto-pass">password "<m/password/" [ { <m>password options</m> } ]</tag>

	<tag><label id="proto-pass">password "<m/password/" | <m/hex_key/ [ { <m>password options</m> } ] </tag>

	Specifies a password that can be used by the protocol as a shared secret

	key. Password option can be used more times to specify more passwords.

	If more passwords are specified, it is a protocol-dependent decision
@@ -784,6 +784,11 @@ agreement"). 
	authentication is enabled, authentication can be enabled by separate,

	protocol-dependent <cf/authentication/ option.



        A password can also be specified as a hexadecimal key. <m/hex_key/ is a

        sequence of hexadecimal digit pairs, optionally colon-separated. A key

        specified this way must be at least 16 bytes (32 digits) long (although

        specific algorithms can impose other restrictions).



	This option is allowed in BFD, OSPF and RIP protocols. BGP has also

	<cf/password/ option, but it is slightly different and described

	separately.

lib/string.h

+1 −0
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ void buffer_puts(buffer *buf, const char *str); 


u64 bstrtoul10(const char *str, char **end);

u64 bstrtoul16(const char *str, char **end);

byte bstrtobyte16(const char *str);



int patmatch(const byte *pat, const byte *str);

CRA Git | Maintained and supported by SUSTech CRA and CCSE