Gentoo's Bugzilla – Attachment 138436 Details for
Bug 202221
net-misc/quagga - md5 patch for 2.6.22+ kernels
[patch]
The Patch
out.patch (text/plain), 14.93 KB, created by
sargun dhillon
on 2007-12-14 09:31:03 UTC
Description:
The Patch
Filename:
MIME Type:
Creator:
sargun dhillon
Created:
2007-12-14 09:31:03 UTC
Size:
14.93 KB
>? MD5.Patch
>? out.patch
>? quagga_md5_bsd_linux_v8.diff
>? quagga_md5_bsd_linux_v8.diff.1
>? bgpd/bgpd.conf.sample.sav
>? doc/quagga.info-1
>? doc/quagga.info-2
>? zebra/testzebra
>Index: configure.ac
>===================================================================
>RCS file: /var/cvsroot/quagga/configure.ac,v
>retrieving revision 1.139
>diff -r1.139 configure.ac
>213a214,215
>> AC_ARG_ENABLE(tcp-md5,
>> [ --enable-tcp-md5 enable TCP/IP md5 in BGPd])
>283a286
>>
>529a533,538
>>
>> if test "${enable_tcp_md5}" = "yes"; then
>> if test x"$opsys" = x"gnu-linux"; then
>> AC_DEFINE(HAVE_TCP_MD5SIG,1,Enable TCP Signing)
>> fi
>> fi
>Index: bgpd/bgp_network.c
>===================================================================
>RCS file: /var/cvsroot/quagga/bgpd/bgp_network.c,v
>retrieving revision 1.15
>diff -r1.15 bgp_network.c
>24a25
>> #include "sockopt.h"
>40a42,69
>> #if defined(HAVE_TCP_MD5SIG)
>> /*
>> * Set MD5 key for the socket, for the given IPv4 peer address.
>> * If the password is NULL or zero-length, the option will be disabled.
>> */
>> int
>> bgp_md5_set (int sock, struct sockaddr_in *sin, const char *password)
>> {
>> int ret, en;
>>
>> if ( bgpd_privs.change (ZPRIVS_RAISE) )
>> zlog_err ("bgp_md5_set: could not raise privs");
>>
>> ret = sockopt_tcp_signature (sock, sin, password);
>> en = errno;
>>
>> if (bgpd_privs.change (ZPRIVS_LOWER) )
>> zlog_err ("bgp_md5_set: could not lower privs");
>>
>> if (ret < 0)
>> zlog (NULL, LOG_WARNING, "can't set TCP_MD5SIG option on socket %d: %s",
>> sock, safe_strerror (en));
>>
>> return ret;
>> }
>>
>> #endif /* HAVE_TCP_MD5SIG */
>>
>240a270,275
>> #ifdef HAVE_TCP_MD5SIG
>> if (CHECK_FLAG (peer->flags, PEER_FLAG_PASSWORD))
>> if (sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (peer->fd, &peer->su.sin, peer->password);
>> #endif /* HAVE_TCP_MD5SIG */
>>
>290a326,329
>> #if defined(HAVE_TCP_MD5SIG) && defined(IPV6_V6ONLY)
>> struct sockaddr_in sin;
>> int socklen, on = 1;
>> #endif
>325a365,379
>> #if defined(HAVE_TCP_MD5SIG) && defined(IPV6_V6ONLY)
>> /* We can not apply MD5SIG to an IPv6 socket. If this is an AF_INET6
>> socket, we'll have to create another socket for IPv4*/
>>
>> if (ainfo->ai_family == AF_INET6) {
>> /* Mark this one for IPv6 only */
>> ret = setsockopt (sock, IPPROTO_IPV6, IPV6_V6ONLY,
>> (void *) &on, sizeof (on));
>> if( ret < 0 ) {
>> en = errno;
>> zlog_err ("setsockopt V6ONLY: %s", safe_strerror (en));
>> }
>> }
>> #endif
>>
>348a403,459
>> #if defined(HAVE_TCP_MD5SIG) && defined(IPV6_V6ONLY)
>> thread_add_read (master, bgp_accept, bgp, sock);
>>
>> if (ainfo->ai_family != AF_INET6)
>> continue;
>>
>> /* If first socket was an IPv6 socket, we need to create an IPv4
>> socket for use by the TCP_MD5SIG logic. This code is blatently
>> copied and modified from the alternate IPv4 only code from below...
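Review bot: In `bgp_md5_set` (hunk `40a42,69`) a failed `bgpd_privs.change (ZPRIVS_LOWER)` is only logged, so the daemon would carry on with raised privileges after the key has been set. The `bind` call in the `348a403,459` hunk uses the same log-and-continue pattern, and its message names `bgp_bind_address` although the raise message says `bgp_socket`. I would return an error to the caller when the lower fails, or at least state the choice in a comment such as `/* NOTE: failure to lower privileges is logged but not fatal */`.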
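Review bot: The return value of `bgp_md5_set` is dropped in this `240a270,275` hunk, and again at every call in the bgpd.c hunks (`1204a1206,1219`, `1419a1435,1455`, `3381a3418,3536`), so a failed `setsockopt` leaves only a log warning while the neighbor still shows a configured password. For the outbound connect I would test `if (bgp_md5_set (peer->fd, &peer->su.sin, peer->password) < 0)` and give up the connection attempt rather than continue without a key; in `peer_password_set` the failure should reach the vty. The enclosing function starts and ends outside the hunk, so its error path is not visible here.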
*/
>>
>> sock = socket (AF_INET, SOCK_STREAM, 0);
>> if (sock < 0)
>> {
>> zlog_err ("socket: %s", safe_strerror (errno));
>> continue;
>> }
>>
>> sockopt_reuseaddr (sock);
>> sockopt_reuseport (sock);
>>
>> memset (&sin, 0, sizeof (struct sockaddr_in));
>>
>> sin.sin_family = AF_INET;
>> sin.sin_port = htons (port);
>> socklen = sizeof (struct sockaddr_in);
>> #ifdef HAVE_STRUCT_SOCKADDR_IN_SIN_LEN
>> sin.sin_len = socklen;
>> #endif /* HAVE_STRUCT_SOCKADDR_IN_SIN_LEN */
>>
>> if ( bgpd_privs.change (ZPRIVS_RAISE) )
>> zlog_err ("bgp_socket: could not raise privs");
>>
>> ret = bind (sock, (struct sockaddr *) &sin, socklen);
>> en = errno;
>> if (bgpd_privs.change (ZPRIVS_LOWER) )
>> zlog_err ("bgp_bind_address: could not lower privs");
>>
>> if (ret < 0)
>> {
>> zlog_err ("bind: %s", safe_strerror (en));
>> close(sock);
>> continue;
>> }
>>
>> ret = listen (sock, 3);
>> if (ret < 0)
>> {
>> zlog_err ("listen: %s", safe_strerror (errno));
>> close (sock);
>> continue;
>> }
>> #endif
>>
>> #ifdef HAVE_TCP_MD5SIG
>> bm->sock = sock;
>> #endif /* HAVE_TCP_MD5SIG */
>>
>349a461
>>
>408a521,523
>> #ifdef HAVE_TCP_MD5SIG
>> bm->sock = sock;
>> #endif /* HAVE_TCP_MD5SIG */
>Index: bgpd/bgp_network.h
>===================================================================
>RCS file: /var/cvsroot/quagga/bgpd/bgp_network.h,v
>retrieving revision 1.3
>diff -r1.3 bgp_network.h
>23a24,27
>> #if defined(HAVE_TCP_MD5SIG)
>> extern int bgp_md5_set (int, struct sockaddr_in *, const char *);
>> #endif /* HAVE_TCP_MD5SIG */
>>
>Index: bgpd/bgp_vty.c
>===================================================================
>RCS file: /var/cvsroot/quagga/bgpd/bgp_vty.c,v
>retrieving revision 1.37
>diff -r1.37 bgp_vty.c
>1481a1482,1521
>> #ifdef HAVE_TCP_MD5SIG
>> DEFUN (neighbor_password,
>> neighbor_password_cmd,
>> NEIGHBOR_CMD2 "password LINE",
>> NEIGHBOR_STR
>> NEIGHBOR_ADDR_STR2
>> "Set a password\n"
>> "The password\n")
>> {
>> struct peer *peer;
>> int ret;
>>
>> peer =
peer_and_group_lookup_vty (vty, argv[0]);
>> if (! peer)
>> return CMD_WARNING;
>>
>> ret = peer_password_set (peer, argv[1]);
>> return bgp_vty_return (vty, ret);
>> }
>>
>> DEFUN (no_neighbor_password,
>> no_neighbor_password_cmd,
>> NO_NEIGHBOR_CMD2 "password",
>> NO_STR
>> NEIGHBOR_STR
>> NEIGHBOR_ADDR_STR2
>> "Set a password\n")
>> {
>> struct peer *peer;
>> int ret;
>>
>> peer = peer_and_group_lookup_vty (vty, argv[0]);
>> if (! peer)
>> return CMD_WARNING;
>>
>> ret = peer_password_unset (peer);
>> return bgp_vty_return (vty, ret);
>> }
>> #endif /* HAVE_TCP_MD5SIG */
>>
>8898a8939,8944
>>
>> #ifdef HAVE_TCP_MD5SIG
>> /* "neighbor password" commands. */
>> install_element (BGP_NODE, &neighbor_password_cmd);
>> install_element (BGP_NODE, &no_neighbor_password_cmd);
>> #endif /* HAVE_TCP_MD5SIG */
>Index: bgpd/bgpd.c
>===================================================================
>RCS file: /var/cvsroot/quagga/bgpd/bgpd.c,v
>retrieving revision 1.37
>diff -r1.37 bgpd.c
>790a791
>> peer->password = NULL;
>1204a1206,1219
>>
>> #ifdef HAVE_TCP_MD5SIG
>> /* Password configuration */
>> if (peer->password)
>> {
>> free (peer->password);
>> peer->password = NULL;
>>
>> if (!
CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP)
>> && sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (bm->sock, &peer->su.sin, NULL);
>> }
>> #endif /* HAVE_TCP_MD5SIG */
>>
>1419a1435,1455
>> #ifdef HAVE_TCP_MD5SIG
>> /* password apply */
>> if (CHECK_FLAG (conf->flags, PEER_FLAG_PASSWORD))
>> {
>> if (peer->password)
>> free (peer->password);
>> peer->password = strdup (conf->password);
>>
>> if (sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (bm->sock, &peer->su.sin, peer->password);
>> }
>> else if (peer->password)
>> {
>> free (peer->password);
>> peer->password = NULL;
>>
>> if (sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (bm->sock, &peer->su.sin, NULL);
>> }
>> #endif /* HAVE_TCP_MD5SIG */
>>
>3381a3418,3536
>> #ifdef HAVE_TCP_MD5SIG
>> /* Set password for authenticating with the peer. */
>> int
>> peer_password_set (struct peer *peer, const char *password)
>> {
>> struct peer_group *group;
>> struct listnode *nn, *nnode;
>> int len = password ? strlen(password) : 0;
>>
>> if ((len < PEER_PASSWORD_MINLEN) || (len > PEER_PASSWORD_MAXLEN))
>> return BGP_ERR_INVALID_VALUE;
>>
>> if (peer->password && strcmp (peer->password, password) == 0
>> && ! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> return 0;
>>
>> SET_FLAG (peer->flags, PEER_FLAG_PASSWORD);
>> if (peer->password)
>> free (peer->password);
>> peer->password = strdup (password);
>>
>> if (!
CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> {
>> if (peer->status == Established)
>> bgp_notify_send (peer, BGP_NOTIFY_CEASE, BGP_NOTIFY_CEASE_CONFIG_CHANGE);
>> else
>> BGP_EVENT_ADD (peer, BGP_Stop);
>>
>> if (sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (bm->sock, &peer->su.sin, peer->password);
>> return 0;
>> }
>>
>> group = peer->group;
>> /* #42# LIST_LOOP (group->peer, peer, nn) */
>> for (ALL_LIST_ELEMENTS (group->peer, nn, nnode, peer))
>> {
>> if (peer->password && strcmp (peer->password, password) == 0)
>> continue;
>>
>> SET_FLAG (peer->flags, PEER_FLAG_PASSWORD);
>> if (peer->password)
>> free (peer->password);
>> peer->password = strdup (password);
>>
>> if (peer->status == Established)
>> bgp_notify_send (peer, BGP_NOTIFY_CEASE, BGP_NOTIFY_CEASE_CONFIG_CHANGE);
>> else
>> BGP_EVENT_ADD (peer, BGP_Stop);
>>
>> if (sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (bm->sock, &peer->su.sin, peer->password);
>> }
>>
>> return 0;
>> }
>>
>> int
>> peer_password_unset (struct peer *peer)
>> {
>> struct peer_group *group;
>> struct listnode *nn, *nnode;
>>
>> if (! CHECK_FLAG (peer->flags, PEER_FLAG_PASSWORD)
>> && ! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> return 0;
>>
>> if (!
CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> {
>> if (peer_group_active (peer)
>> && CHECK_FLAG (peer->group->conf->flags, PEER_FLAG_PASSWORD))
>> return BGP_ERR_PEER_GROUP_HAS_THE_FLAG;
>>
>> if (peer->status == Established)
>> bgp_notify_send (peer, BGP_NOTIFY_CEASE, BGP_NOTIFY_CEASE_CONFIG_CHANGE);
>> else
>> BGP_EVENT_ADD (peer, BGP_Stop);
>>
>> if (sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (bm->sock, &peer->su.sin, NULL);
>>
>> UNSET_FLAG (peer->flags, PEER_FLAG_PASSWORD);
>> if (peer->password)
>> free (peer->password);
>> peer->password = NULL;
>>
>> return 0;
>> }
>>
>> UNSET_FLAG (peer->flags, PEER_FLAG_PASSWORD);
>> if (peer->password)
>> free (peer->password);
>> peer->password = NULL;
>>
>> group = peer->group;
>> /* #42# LIST_LOOP (group->peer, peer, nn) */
>> for (ALL_LIST_ELEMENTS (group->peer, nn, nnode, peer))
>> {
>> if (! CHECK_FLAG (peer->flags, PEER_FLAG_PASSWORD))
>> continue;
>>
>> if (peer->status == Established)
>> bgp_notify_send (peer, BGP_NOTIFY_CEASE, BGP_NOTIFY_CEASE_CONFIG_CHANGE);
>> else
>> BGP_EVENT_ADD (peer, BGP_Stop);
>>
>> if (sockunion_family (&peer->su) == AF_INET)
>> bgp_md5_set (bm->sock, &peer->su.sin, NULL);
>>
>> UNSET_FLAG (peer->flags, PEER_FLAG_PASSWORD);
>> if (peer->password)
>> free (peer->password);
>> peer->password = NULL;
>> }
>>
>> return 0;
>> }
>> #endif /* HAVE_TCP_MD5SIG */
>>
>4418a4574,4583
>> #ifdef HAVE_TCP_MD5SIG
>> /* Password. */
>> if (CHECK_FLAG (peer->flags, PEER_FLAG_PASSWORD))
>> if (! peer_group_active (peer)
>> || !
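Review bot: `peer_password_set` (hunk `3381a3418,3536`) stores the password and sets `PEER_FLAG_PASSWORD` for any peer, but calls `bgp_md5_set` only when `sockunion_family (&peer->su) == AF_INET`, so an IPv6 neighbor ends up with a password in its configuration and no TCP MD5 key installed. An operator reading the config would take that session as authenticated. In the non-group branch I would refuse the command for such peers before the flag is set, e.g. `if (sockunion_family (&peer->su) != AF_INET) return BGP_ERR_INVALID_VALUE;`, and make the same decision for group members inside the loop; at minimum the comment above the function should state the IPv4-only limitation. The `strdup` results are also used without a NULL check.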
CHECK_FLAG (g_peer->flags, PEER_FLAG_PASSWORD)
>> || strcmp (peer->password, g_peer->password) != 0)
>> vty_out (vty, " neighbor %s password %s%s", addr, peer->password,
>> VTY_NEWLINE);
>> #endif /* HAVE_TCP_MD5SIG */
>>
>4953a5119,5121
>> #ifdef HAVE_TCP_MD5SIG
>> bm->sock = -1;
>> #endif /* HAVE_TCP_MD5SIG */
>Index: bgpd/bgpd.conf.sample
>===================================================================
>RCS file: /var/cvsroot/quagga/bgpd/bgpd.conf.sample,v
>retrieving revision 1.1.1.1
>diff -r1.1.1.1 bgpd.conf.sample
>1d0
>< ! -*- bgp -*-
>3,5c2,3
>< ! BGPd sample configuratin file
>< !
>< ! $Id: bgpd.conf.sample,v 1.1.1.1 2002/12/13 20:15:29 paul Exp $
>---
>> ! Zebra configuration saved from vty
>> ! 2007/10/23 00:16:48
>9,21c7,8
>< !enable password please-set-at-here
>< !
>< !bgp mulitple-instance
>< !
>< router bgp 7675
>< ! bgp router-id 10.0.0.1
>< ! network 10.0.0.0/8
>< ! neighbor 10.0.0.2 remote-as 7675
>< ! neighbor 10.0.0.2 route-map set-nexthop out
>< ! neighbor 10.0.0.2 ebgp-multihop
>< ! neighbor 10.0.0.2 next-hop-self
>< !
>< ! access-list all permit any
>---
>> enable password zebra
>> log stdout
>23,25c10,14
>< !route-map set-nexthop permit 10
>< ! match ip address all
>< !
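Review bot: The `vty_out` line in the `4418a4574,4583` hunk writes `peer->password` in clear text into the configuration output, so anyone who can read the running or saved configuration obtains the TCP MD5 shared secret. That may be unavoidable because the key has to be recoverable, but it should be stated where the line is emitted, e.g. `/* NOTE: the MD5 key is written in clear text; restrict access to the config file and the vty */`. The enclosing function lies outside the hunk.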
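Review bot: The `9,21c7,8` hunk of bgpd.conf.sample turns the commented-out `!enable password please-set-at-here` into an active `enable password zebra`, so anyone who copies the sample starts bgpd with a well-known enable password. Taken together with the `3,5c2,3` and `23,25c10,14` hunks, the file now reads like a locally saved running config ("Zebra configuration saved from vty", a live `router bgp 65502` stanza with `timers bgp 1 3`) rather than a sample. The `? bgpd/bgpd.conf.sample.sav` entry at the top of the patch suggests it was included by accident. I would drop this file from the patch.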
set ip next-hop 10.0.0.1
>---
>> router bgp 65502
>> bgp router-id 10.80.0.2
>> timers bgp 1 3
>> neighbor 10.80.0.1 remote-as 65500
>> neighbor 10.80.0.1 timers connect 1
>27c16
>< !log file bgpd.log
>---
>> line vty
>29d17
>< log stdout
>Index: bgpd/bgpd.h
>===================================================================
>RCS file: /var/cvsroot/quagga/bgpd/bgpd.h,v
>retrieving revision 1.30
>diff -r1.30 bgpd.h
>55a56,60
>>
>> #ifdef HAVE_TCP_MD5SIG
>> /* bgp receive socket */
>> int sock;
>> #endif /* HAVE_TCP_MD5SIG */
>357a363
>> #define PEER_FLAG_PASSWORD (1 << 9) /* password */
>378a385,387
>> /* MD5 password */
>> char *password;
>>
>533a543,549
>> #if defined(HAVE_TCP_MD5SIG)
>>
>> #define PEER_PASSWORD_MINLEN (1)
>> #define PEER_PASSWORD_MAXLEN (80)
>>
>> #endif /* HAVE_TCP_MD5SIG */
>>
>923a940,944
>> #ifdef HAVE_TCP_MD5SIG
>> extern int peer_password_set (struct peer *, const char *);
>> extern int peer_password_unset (struct peer *);
>> #endif /* HAVE_TCP_MD5SIG */
>>
>Index: lib/sockopt.c
>===================================================================
>RCS file: /var/cvsroot/quagga/lib/sockopt.c,v
>retrieving revision 1.24
>diff -r1.24 sockopt.c
>482a483,515
>>
>> #if defined(HAVE_TCP_MD5SIG)
>> int
>> sockopt_tcp_signature (int sock, struct sockaddr_in *sin, const char *password)
>> {
>> int keylen = password ? strlen(password) : 0;
>>
>> #if defined(GNU_LINUX)
>>
>> struct tcp_md5sig md5sig;
>>
>> bzero ((char *)&md5sig, sizeof(md5sig));
>> memcpy (&md5sig.tcpm_addr, sin, sizeof(*sin));
>> md5sig.tcpm_keylen = keylen;
>> if (keylen)
>> memcpy (md5sig.tcpm_key, password, keylen);
>>
>> return setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig);
>>
>> #else /* !GNU_LINUX */
>>
>> int enable = keylen ? (TCP_SIG_SPI_BASE + sin->sin_port) : 0;
>>
>> /*
>> * XXX Need to do PF_KEY operation here to add/remove an SA entry,
>> * and add/remove an SP entry for this peer's packet flows also.
>> */
>> return setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &enable,
>> sizeof(enable));
>>
>> #endif /* !GNU_LINUX */
>> }
>> #endif /* HAVE_TCP_MD5SIG */
>Index: lib/sockopt.h
>===================================================================
>RCS file: /var/cvsroot/quagga/lib/sockopt.h,v
>retrieving revision 1.13
>diff -r1.13 sockopt.h
>100a101,128
>> #if defined(HAVE_TCP_MD5SIG)
>>
>> #if defined(GNU_LINUX) && !defined(TCP_MD5SIG)
>>
>> /* XXX these will come from <linux/tcp.h> eventually */
>>
>> #define TCP_MD5SIG 14
>> #define TCP_MD5SIG_MAXKEYLEN 80
>>
>> struct tcp_md5sig {
>> struct sockaddr_storage tcpm_addr; /* address associated */
>> __u16 __tcpm_pad1; /* zero */
>> __u16 tcpm_keylen; /* key length */
>> __u32 __tcpm_pad2; /* zero */
>> __u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* key (binary) */
>> };
>>
>> #endif /* defined(GNU_LINUX) && !defined(TCP_MD5SIG) */
>>
>> #if !defined(GNU_LINUX) && !defined(TCP_SIG_SPI_BASE)
>> #define TCP_SIG_SPI_BASE 1000 /* XXX this will go away */
>> #endif
>>
>> extern int sockopt_tcp_signature(int sock, struct sockaddr_in *sin,
>> const char *password);
>>
>> #endif /* HAVE_TCP_MD5SIG */
>>
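Review bot: In `sockopt_tcp_signature` (lib/sockopt.c, hunk `482a483,515`) `memcpy (md5sig.tcpm_key, password, keylen)` copies into the fixed `tcpm_key[TCP_MD5SIG_MAXKEYLEN]` array with no check on `keylen` inside the function. The only length check visible in the patch is `PEER_PASSWORD_MAXLEN` in `peer_password_set`, which happens to be 80 as well, so this library routine depends on every caller to keep the stack buffer safe. I would add `if (keylen > TCP_MD5SIG_MAXKEYLEN) { errno = EINVAL; return -1; }` before the copy. `md5sig` also keeps the key on the stack and is not cleared before the function returns.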