Browse Source

Fixes to RFC2385/MD5 BGP

* bgpd/bgp_network.c: Fix MD5 listen in IPv4 version of bgp_socket() by
  adding listen socket to listen_sockets list so that MD5 passwords can
  get set.
* lib/sockopt.c: (sockopt_tcp_signature) Fix bogus "% Error while applying
  TCP-Sig to session(s)" / "can't set TCP_MD5SIG option" startup error
  messages by not returning error when there isn't one.
Chris Caputo 11 years ago
parent
commit
2b35ae41c2
2 changed files with 13 additions and 3 deletions
  1. 1 0
      bgpd/bgp_network.c
  2. 12 3
      lib/sockopt.c

+ 1 - 0
bgpd/bgp_network.c

@@ -517,6 +517,7 @@ bgp_socket (struct bgp *bgp, unsigned short port, char *address)
       return ret;
     }
 
+  listnode_add (bm->listen_sockets, (void *)sock);
   thread_add_read (bm->master, bgp_accept, bgp, sock);
 
   return sock;

+ 12 - 3
lib/sockopt.c

@@ -550,8 +550,8 @@ sockopt_tcp_signature (int sock, union sockunion *su, const char *password)
       if (su2->sa.sa_family == AF_INET)
         {
           sockunion_free (susock);
-          return -1;
-        };
+          return 0;
+        }
       
 #ifdef HAVE_IPV6
       /* If this does not work, then all users of this sockopt will need to
@@ -580,7 +580,16 @@ sockopt_tcp_signature (int sock, union sockunion *su, const char *password)
     memcpy (md5sig.tcpm_key, password, keylen);
   sockunion_free (susock);
 #endif /* GNU_LINUX */
-  ret = setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig);
+  if ((ret = setsockopt (sock, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof md5sig)) < 0)
+    {
+      /* ENOENT is harmless.  It is returned when we clear a password for which
+	 one was not previously set. */
+      if (ENOENT == errno)
+	ret = 0;
+      else
+	zlog_err ("sockopt_tcp_signature: setsockopt(%d): %s",
+		  sock, safe_strerror(errno));
+    }
   return ret;
 #else /* HAVE_TCP_MD5SIG */
   return -2;