Commit 1b9abc4b authored by Juliusz Chroboczek's avatar Juliusz Chroboczek

Replace hmac-verify with accept-bad-signatures.

Its polarity is changed, and it also controls incorrectly signed packets.
parent 3777eb4a
......@@ -469,10 +469,9 @@ otherwise.
Enable HMAC security on this interface, and use the key
.IR id .
.TP
.BR hmac-verify " {" true | false }
Check packet signatures, reject unsigned or incorrectly signed
packets. The default is
.BR true .
.BR accept\-bad\-signatures " {" true | false }
Accept packets with no signature or an incorrect signature. This only has
an effect if a key was configured on an interface. The default is false.
.TP
.SS Filtering rules
A filtering rule is defined by a single line with the following format:
......
......@@ -694,12 +694,12 @@ parse_anonymous_ifconf(int c, gnc_t gnc, void *closure,
}
if_conf->key = key;
free(key_id);
} else if(strcmp(token, "hmac-verify") == 0) {
} else if(strcmp(token, "accept-bad-signatures") == 0) {
int v;
c = getbool(c, &v, gnc, closure);
if(c < -1)
goto error;
if_conf->hmac_verify = v;
if_conf->accept_bad_signatures = v;
} else {
goto error;
}
......@@ -891,7 +891,7 @@ merge_ifconf(struct interface_conf *dest,
MERGE(lq);
MERGE(faraway);
MERGE(unicast);
MERGE(hmac_verify);
MERGE(accept_bad_signatures);
MERGE(channel);
MERGE(enable_timestamps);
MERGE(rfc6126);
......
......@@ -398,11 +398,10 @@ interface_updown(struct interface *ifp, int up)
if(IF_CONF(ifp, unicast) == CONFIG_YES)
ifp->flags |= IF_UNICAST;
if(IF_CONF(ifp, hmac_verify) == CONFIG_YES ||
IF_CONF(ifp, hmac_verify) == CONFIG_DEFAULT)
ifp->flags |= IF_HMAC_VERIFY;
else if(IF_CONF(ifp, hmac_verify) == CONFIG_NO)
ifp->flags &= ~IF_HMAC_VERIFY;
if(IF_CONF(ifp, accept_bad_signatures) == CONFIG_YES)
ifp->flags |= IF_ACCEPT_BAD_SIGNATURES;
else
ifp->flags &= ~IF_ACCEPT_BAD_SIGNATURES;
if(IF_CONF(ifp, hello_interval) > 0)
ifp->hello_interval = IF_CONF(ifp, hello_interval);
else if(type == IF_TYPE_WIRELESS)
......
......@@ -55,7 +55,7 @@ struct interface_conf {
char unicast;
char enable_timestamps;
char rfc6126;
char hmac_verify;
char accept_bad_signatures;
int channel;
unsigned int rtt_decay;
unsigned int rtt_min;
......@@ -85,8 +85,8 @@ struct interface_conf {
#define IF_TIMESTAMPS (1 << 6)
/* Remain compatible with RFC 6126. */
#define IF_RFC6126 (1 << 7)
/* Incoming packets are required to have a valid MAC hash. */
#define IF_HMAC_VERIFY (1 << 8)
/* Accept packets even if incorrectly signed. */
#define IF_ACCEPT_BAD_SIGNATURES (1 << 8)
/* Use Babel over DTLS on this interface. */
#define IF_DTLS (1 << 9)
......
......@@ -631,26 +631,27 @@ parse_packet(const unsigned char *from, struct interface *ifp,
}
if(ifp->key != NULL) {
switch(check_hmac(packet, packetlen, bodylen, from, to, ifp)) {
case -1: /* no mac trailer */
if(!(ifp->flags & IF_HMAC_VERIFY))
break;
/* fallthrough */
case 0:
fputs("Received wrong hmac.\n", stderr);
int rc = check_hmac(packet, packetlen, bodylen, from, to, ifp);
if(rc <= 0) {
if(rc < 0)
debugf("Received unsigned packet.\n");
else
debugf("Received packet with bad signature.\n");
if(!(ifp->flags & IF_ACCEPT_BAD_SIGNATURES))
return;
case 1:
} else {
neigh = preparse_packet(from, ifp, packet, bodylen, to);
if(neigh == NULL) {
fputs("Received wrong PC or failed the challenge.\n", stderr);
debugf("Received packet with wrong PC.\n");
return;
}
}
}
neigh = neigh != NULL ? neigh : find_neighbour(from, ifp);
if(neigh == NULL)
neigh = find_neighbour(from, ifp);
if(neigh == NULL) {
fputs("Couldn't allocate neighbour.\n", stderr);
fprintf(stderr, "Couldn't allocate neighbour.\n");
return;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment