/* After TCP connection is established. Get local address and port. */
int bgp_getsockname(struct peer *peer)
{
if (peer->su_local) {
sockunion_free(peer->su_local);
peer->su_local = NULL;
}
if (peer->su_remote) {
sockunion_free(peer->su_remote);
peer->su_remote = NULL;
}
peer->su_local = sockunion_getsockname(peer->fd);
if (!peer->su_local)
return -1;
peer->su_remote = sockunion_getpeername(peer->fd);
if (!peer->su_remote)
return -1;
if (!bgp_zebra_nexthop_set(peer->su_local, peer->su_remote,
&peer->nexthop, peer)) {
flog_err(EC_BGP_NH_UPD,
"%s: nexthop_set failed, resetting connection - intf %p",
peer->host, peer->nexthop.ifp);
return -1;
}
return 0;
}
/* After TCP connection is established. Get local address and port. */
void
bgp_getsockname (struct peer *peer)
{
if (peer->su_local)
{
sockunion_free (peer->su_local);
peer->su_local = NULL;
}
if (peer->su_remote)
{
sockunion_free (peer->su_remote);
peer->su_remote = NULL;
}
peer->su_local = sockunion_getsockname (peer->fd);
peer->su_remote = sockunion_getpeername (peer->fd);
bgp_nexthop_set (peer->su_local, peer->su_remote, &peer->nexthop, peer);
}
int
sockopt_tcp_signature (int sock, union sockunion *su, const char *password)
{
#define CONFIG_TCP_MD5SIG 1
#define TCP_MD5SIG 14
#define GNU_LINUX 1
#if defined(HAVE_TCP_MD5_LINUX24) && defined(GNU_LINUX)
/* Support for the old Linux 2.4 TCP-MD5 patch, taken from Hasso Tepper's
* version of the Quagga patch (based on work by Rick Payne, and Bruce
* Simpson)
*/
#define TCP_MD5_AUTH 13
#define TCP_MD5_AUTH_ADD 1
#define TCP_MD5_AUTH_DEL 2
struct tcp_rfc2385_cmd {
u_int8_t command; /* Command - Add/Delete */
u_int32_t address; /* IPV4 address associated */
u_int8_t keylen; /* MD5 Key len (do NOT assume 0 terminated ascii) */
void *key; /* MD5 Key */
} cmd;
struct in_addr *addr = &su->sin.sin_addr;
cmd.command = (password != NULL ? TCP_MD5_AUTH_ADD : TCP_MD5_AUTH_DEL);
cmd.address = addr->s_addr;
cmd.keylen = (password != NULL ? strlen (password) : 0);
cmd.key = password;
return setsockopt (sock, IPPROTO_TCP, TCP_MD5_AUTH, &cmd, sizeof cmd);
#elif CONFIG_TCP_MD5SIG
int ret;
#ifndef GNU_LINUX
/*
* XXX Need to do PF_KEY operation here to add/remove an SA entry,
* and add/remove an SP entry for this peer's packet flows also.
*/
int md5sig = password && *password ? 1 : 0;
#else
struct {
struct {
unsigned short ss_family;
char __data[128 - sizeof(unsigned short)];
} tcpm_addr; /* address associated */
__u16 __tcpm_pad1; /* zero */
__u16 tcpm_keylen; /* key length */
__u32 __tcpm_pad2; /* zero */
__u8 tcpm_key[80]; /* key (binary) */
} md5sig;
//struct tcp_md5sig md5sig;
int keylen = 0;
union sockunion *su2, *susock;
if(NULL != password)
keylen = strlen(password) ;
/* Figure out whether the socket and the sockunion are the same family..
* adding AF_INET to AF_INET6 needs to be v4 mapped, you'd think..
*/
susock = XCALLOC (MTYPE_SOCKUNION, sizeof (union sockunion));
if(NULL == susock)
{
return -1;
}
if (!( sockunion_getsockname (sock, susock)))
return -1;
if (susock->sa.sa_family == su->sa.sa_family)
su2 = su;
else
{
/* oops.. */
su2 = susock;
if (su2->sa.sa_family == AF_INET)
{
sockunion_free (susock);
return 0;
}
#ifdef HAVE_IPV6
/* If this does not work, then all users of this sockopt will need to
* differentiate between IPv4 and IPv6, and keep seperate sockets for
* each.
*
* Sadly, it doesn't seem to work at present. It's unknown whether
* this is a bug or not.
*/
if (su2->sa.sa_family == AF_INET6
&& su->sa.sa_family == AF_INET)
{
su2->sin6.sin6_family = AF_INET6;
/* V4Map the address */
memset (&su2->sin6.sin6_addr, 0, sizeof (struct in6_addr));
su2->sin6.sin6_addr.s6_addr32[2] = htonl(0xffff);
memcpy (&su2->sin6.sin6_addr.s6_addr32[3], &su->sin.sin_addr, 4);
}
#endif
}
memset (&md5sig, 0, sizeof (md5sig));
memcpy (&md5sig.tcpm_addr, su2, sizeof (*su2));
md5sig.tcpm_keylen = keylen;
if (keylen)
memcpy (md5sig.tcpm_key, password, keylen);
sockunion_free (susock);
#endif /* GNU_LINUX */
if ((ret = setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig)) < 0)
{
/* ENOENT is harmless. It is returned when we clear a password for which
one was not previously set. */
if (ENOENT == errno)
ret = 0;
else
zlog_err ("sockopt_tcp_signature: setsockopt(%d): %s",
sock, safe_strerror(errno));
}
return ret;
#else /* HAVE_TCP_MD5SIG */
return -2;
#endif /* !HAVE_TCP_MD5SIG */
}
int
sockopt_tcp_signature (int sock, union sockunion *su, const char *password)
{
#if HAVE_DECL_TCP_MD5SIG
int ret;
#ifndef GNU_LINUX
/*
* XXX Need to do PF_KEY operation here to add/remove an SA entry,
* and add/remove an SP entry for this peer's packet flows also.
*/
int md5sig = password && *password ? 1 : 0;
#else
int keylen = password ? strlen (password) : 0;
struct tcp_md5sig md5sig;
union sockunion *su2, *susock;
/* Figure out whether the socket and the sockunion are the same family..
* adding AF_INET to AF_INET6 needs to be v4 mapped, you'd think..
*/
if (!(susock = sockunion_getsockname (sock)))
return -1;
if (susock->sa.sa_family == su->sa.sa_family)
su2 = su;
else
{
/* oops.. */
su2 = susock;
if (su2->sa.sa_family == AF_INET)
{
sockunion_free (susock);
return -1;
};
/* If this does not work, then all users of this sockopt will need to
* differentiate between IPv4 and IPv6, and keep seperate sockets for
* each.
*
* Sadly, it doesn't seem to work at present. It's unknown whether
* this is a bug or not.
*/
if (su2->sa.sa_family == AF_INET6
&& su->sa.sa_family == AF_INET)
{
su2->sin6.sin6_family = AF_INET6;
/* V4Map the address */
memset (&su2->sin6.sin6_addr, 0, sizeof (struct in6_addr));
su2->sin6.sin6_addr.s6_addr32[2] = htonl(0xffff);
memcpy (&su2->sin6.sin6_addr.s6_addr32[3], &su->sin.sin_addr, 4);
}
}
memset (&md5sig, 0, sizeof (md5sig));
memcpy (&md5sig.tcpm_addr, su2, sizeof (*su2));
md5sig.tcpm_keylen = keylen;
if (keylen)
memcpy (md5sig.tcpm_key, password, keylen);
sockunion_free (susock);
#endif /* GNU_LINUX */
ret = setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig);
return ret;
#else /* HAVE_TCP_MD5SIG */
return -2;
#endif /* HAVE_TCP_MD5SIG */
}
