From: Toke Høiland-Jørgensen <[email protected]> This adds a new field to the MAC algorithm description which is a pointer that will allow an algorithm to validate a key before it is used. Add this validate to the Blake algorithms, validating that the key length is exactly equal to their respective output sizes.
Signed-off-by: Toke Høiland-Jørgensen <[email protected]> --- lib/mac.c | 19 ++++++++++++++++++- lib/mac.h | 7 +++++++ nest/config.Y | 8 ++++++-- nest/password.c | 6 ++++++ nest/password.h | 1 + 5 files changed, 38 insertions(+), 3 deletions(-) diff --git a/lib/mac.c b/lib/mac.c index f780b54c9..dfdaf3c65 100644 --- a/lib/mac.c +++ b/lib/mac.c @@ -151,6 +151,23 @@ hmac_final(struct mac_context *ctx) } +/** + * mac_validate_key_length_to_output - enforce that the key length matches the MAC output + * @id: MAC algorithm ID, + * @key: key to verify + * @keylen: length of key + * + * This is a common MAC algorithm validation function that will enforce that the + * key length matches the MAC output length. + */ +static void +mac_validate_key_length_to_output(uint id, const byte *key UNUSED, uint keylen) +{ + if (keylen != mac_type_length(id)) + cf_error("Key size %d does not match required size of %d bytes for %s", + keylen, mac_type_length(id), mac_type_name(id)); +} + /* * Common code */ @@ -167,7 +184,7 @@ hmac_final(struct mac_context *ctx) { \ name, size/8, sizeof(struct vx##_context), vx##_bird_init, \ vx##_bird_update, vx##_bird_final, size/8, \ - VX##_BLOCK_SIZE, NULL, NULL, NULL \ + VX##_BLOCK_SIZE, NULL, NULL, NULL, mac_validate_key_length_to_output \ } const struct mac_desc mac_table[ALG_MAX] = { diff --git a/lib/mac.h b/lib/mac.h index e3847239e..7a73465e9 100644 --- a/lib/mac.h +++ b/lib/mac.h @@ -91,6 +91,7 @@ struct mac_desc { void (*hash_init)(struct hash_context *ctx); void (*hash_update)(struct hash_context *ctx, const byte *data, uint datalen); byte *(*hash_final)(struct hash_context *ctx); + void (*validate_key)(uint id, const byte *key, uint keylen); }; extern const struct mac_desc mac_table[ALG_MAX]; @@ -101,6 +102,12 @@ static inline const char *mac_type_name(uint id) static inline uint mac_type_length(uint id) { return mac_table[id].mac_length; } +static inline void mac_validate_key(uint id, const byte *key, uint keylen) +{ + if (mac_table[id].validate_key) + mac_table[id].validate_key(id, key, keylen); +} + static inline const char *mac_get_name(struct mac_context *ctx) { return ctx->type->name; } diff --git a/nest/config.Y b/nest/config.Y index 82c2194fa..5043a3ece 100644 --- a/nest/config.Y +++ b/nest/config.Y @@ -491,8 +491,8 @@ password_items: ; password_item: - password_item_begin '{' password_item_params '}' - | password_item_begin + password_item_begin '{' password_item_params '}' password_item_end + | password_item_begin password_item_end ; password_item_begin: @@ -529,6 +529,10 @@ password_algorithm: | BLAKE2B512 { $$ = ALG_BLAKE2B_512; } ; +password_item_end: +{ + password_validate_config(this_p_item); +}; /* BFD options */ diff --git a/nest/password.c b/nest/password.c index 6f87af218..3fb342e96 100644 --- a/nest/password.c +++ b/nest/password.c @@ -85,3 +85,9 @@ max_mac_length(list *l) return val; } + +void +password_validate_config(struct password_item *p) +{ + mac_validate_key(p->alg, p->password, p->length); +} diff --git a/nest/password.h b/nest/password.h index 8a0da2237..818bdf2b9 100644 --- a/nest/password.h +++ b/nest/password.h @@ -24,6 +24,7 @@ extern struct password_item *last_password_item; struct password_item *password_find(list *l, int first_fit); struct password_item *password_find_by_id(list *l, uint id); struct password_item *password_find_by_value(list *l, char *pass, uint size); +void password_validate_config(struct password_item *p); static inline int password_verify(struct password_item *p1, char *p2, uint size) {
