[PATCH v3 5/7] config: Allow MAC algorithms to specify a function to validate their keys
Toke Høiland-Jørgensen
toke at toke.dk
Tue Nov 24 16:21:52 CET 2020
From: Toke Høiland-Jørgensen <toke at toke.dk>
This adds a new field to the MAC algorithm description which is a pointer
that will allow an algorithm to validate a key before it is used. Add this
validator to the Blake algorithms, checking that the key length is exactly
equal to their respective output sizes.
Signed-off-by: Toke Høiland-Jørgensen <toke at toke.dk>
---
lib/mac.c | 19 ++++++++++++++++++-
lib/mac.h | 7 +++++++
nest/config.Y | 8 ++++++--
nest/password.c | 6 ++++++
nest/password.h | 1 +
5 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/lib/mac.c b/lib/mac.c
index f780b54c9..dfdaf3c65 100644
--- a/lib/mac.c
+++ b/lib/mac.c
@@ -151,6 +151,23 @@ hmac_final(struct mac_context *ctx)
}
+/**
+ * mac_validate_key_length_to_output - enforce that the key length matches the MAC output
+ * @id: MAC algorithm ID,
+ * @key: key to verify
+ * @keylen: length of key
+ *
+ * This is a common MAC algorithm validation function that will enforce that the
+ * key length matches the MAC output length.
+ */
+static void
+mac_validate_key_length_to_output(uint id, const byte *key UNUSED, uint keylen)
+{
+ if (keylen != mac_type_length(id))
+ cf_error("Key size %d does not match required size of %d bytes for %s",
+ keylen, mac_type_length(id), mac_type_name(id));
+}
+
/*
* Common code
*/
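Review bot: The `cf_error` call in the new validator formats `keylen` and `mac_type_length(id)`, both `uint`, with `%d`; the specifier should match the argument type, `cf_error("Key size %u does not match required size of %u bytes for %s", keylen, mac_type_length(id), mac_type_name(id));`. The doc comment should also record why the check is exact-length rather than "at most the output length": RFC 7693 permits BLAKE2 keys shorter than the digest size, so a maintainer reading only this comment may later relax the check, whereas an undersized key silently weakens the MAC. Suggested addition to the comment block: `* Deliberately stricter than RFC 7693, which allows shorter BLAKE2 keys: an undersized key weakens the MAC, so it is rejected at config time.` Whether the in-tree BLAKE2 code could even handle a shorter key is not visible from this hunk.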
@@ -167,7 +184,7 @@ hmac_final(struct mac_context *ctx)
{ \
name, size/8, sizeof(struct vx##_context), vx##_bird_init, \
vx##_bird_update, vx##_bird_final, size/8, \
- VX##_BLOCK_SIZE, NULL, NULL, NULL \
+ VX##_BLOCK_SIZE, NULL, NULL, NULL, mac_validate_key_length_to_output \
}
const struct mac_desc mac_table[ALG_MAX] = {
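Review bot: The new `validate_key` entry is filled positionally as the trailing initializer, so the macro stays correct only while `validate_key` remains the last member of `struct mac_desc` and every other entry macro (outside this hunk) keeps relying on the implicit NULL for the new slot. A designated initializer makes the intent explicit and survives a later field reordering: `VX##_BLOCK_SIZE, NULL, NULL, NULL, .validate_key = mac_validate_key_length_to_output \`. Mixing a designated initializer after positional ones is valid C99, which the surrounding code already assumes.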
diff --git a/lib/mac.h b/lib/mac.h
index e3847239e..7a73465e9 100644
--- a/lib/mac.h
+++ b/lib/mac.h
@@ -91,6 +91,7 @@ struct mac_desc {
void (*hash_init)(struct hash_context *ctx);
void (*hash_update)(struct hash_context *ctx, const byte *data, uint datalen);
byte *(*hash_final)(struct hash_context *ctx);
+ void (*validate_key)(uint id, const byte *key, uint keylen);
};
extern const struct mac_desc mac_table[ALG_MAX];
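Review bot: The added `validate_key` member carries no comment, and the contract a NULL entry implies (no validation, any key accepted) is only discoverable by reading `mac_validate_key` further down the header. Suggest documenting it on the field: `void (*validate_key)(uint id, const byte *key, uint keylen); /* Optional config-time key check; NULL = accept any key */`. The Blake implementation in lib/mac.c reports failures through cf_error(), so it would help to state that a validator is expected to abort via cf_error() rather than return a status, since the pointer returns void.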
@@ -101,6 +102,12 @@ static inline const char *mac_type_name(uint id)
static inline uint mac_type_length(uint id)
{ return mac_table[id].mac_length; }
+static inline void mac_validate_key(uint id, const byte *key, uint keylen)
+{
+ if (mac_table[id].validate_key)
+ mac_table[id].validate_key(id, key, keylen);
+}
+
static inline const char *mac_get_name(struct mac_context *ctx)
{ return ctx->type->name; }
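Review bot: `mac_validate_key` silently accepts any key for algorithms whose `validate_key` is NULL, and a caller cannot distinguish "validated" from "no validator installed"; that is a reasonable default for HMAC, which does not constrain key length, but it should be stated at the call site. Suggest a comment above the inline: `/* Config-time key check. A no-op for algorithms without a validator; validators report problems through cf_error() and do not return a status. */`. Like the neighbouring `mac_type_name`/`mac_type_length`, it indexes `mac_table[id]` without a range check, so callers must pass an id below ALG_MAX.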
diff --git a/nest/config.Y b/nest/config.Y
index 82c2194fa..5043a3ece 100644
--- a/nest/config.Y
+++ b/nest/config.Y
@@ -491,8 +491,8 @@ password_items:
;
password_item:
- password_item_begin '{' password_item_params '}'
- | password_item_begin
+ password_item_begin '{' password_item_params '}' password_item_end
+ | password_item_begin password_item_end
;
password_item_begin:
@@ -529,6 +529,10 @@ password_algorithm:
| BLAKE2B512 { $$ = ALG_BLAKE2B_512; }
;
+password_item_end:
+{
+ password_validate_config(this_p_item);
+};
/* BFD options */
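Review bot: The ordering that makes `password_item_end` correct is implicit: it is placed after `password_item_params` in the `password_item` rule so that an `algorithm` given inside the braces is already applied to `this_p_item` when the validator runs, and a reader of the new nonterminal alone cannot see that. Suggest a comment on the rule: `/* Must follow password_item_params: the validator needs the final algorithm and key of this_p_item */`. Where `this_p_item` is assigned is outside this hunk (presumably in `password_item_begin`), so that dependency is worth naming too.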
diff --git a/nest/password.c b/nest/password.c
index 6f87af218..3fb342e96 100644
--- a/nest/password.c
+++ b/nest/password.c
@@ -85,3 +85,9 @@ max_mac_length(list *l)
return val;
}
+
+void
+password_validate_config(struct password_item *p)
+{
+ mac_validate_key(p->alg, p->password, p->length);
+}
diff --git a/nest/password.h b/nest/password.h
index 8a0da2237..818bdf2b9 100644
--- a/nest/password.h
+++ b/nest/password.h
@@ -24,6 +24,7 @@ extern struct password_item *last_password_item;
struct password_item *password_find(list *l, int first_fit);
struct password_item *password_find_by_id(list *l, uint id);
struct password_item *password_find_by_value(list *l, char *pass, uint size);
+void password_validate_config(struct password_item *p);
static inline int password_verify(struct password_item *p1, char *p2, uint size)
{