[PATCH v3 0/7] Add MAC authentication support to the Babel protocol

Toke Høiland-Jørgensen toke at toke.dk
Tue Nov 24 16:21:46 CET 2020


This series adds MAC authentication support to the Babel protocol as specified
by the IETF Babel working group in draft-babel-hmac-10:

https://tools.ietf.org/html/draft-ietf-babel-hmac-10

I have performed basic interoperability testing between this implementation and
the current babeld HMAC implementation[1]. The two implementations were able to
successfully exchange authenticated messages with both HMAC-256 and Blake2s-256
keys.

Given the above, and the close-to-final state of the specification at the IETF,
I believe this series is ready for merging (subject to review, of course). For
those wanting to test the code, a version of Bird with this series applied is
available on Github[2] for easy consumption.

[1] https://github.com/jech/babeld/pull/52
[2] https://github.com/tohojo/bird/tree/babel-mac-03

Changelog:

v3:
- Add variants with smaller digest sizes for blake2s and blake2b.
- Rebase on current master

v2:
- Don't reinvent AC_CHECK_FUNCS() for configure
- Make sure random_bytes() never fails (without taking the whole daemon with it)
- Use existing endianness defines in blake2s code
- Just leave MAC-related code in babel.c/packets.c instead of adding a new file
- Add blake2s test vectors (new patch 3)
- Support supplying mac keys as raw hexadecimal bytes and allow algorithms to
  validate keys on configure (new patches 4-5)

v1:
- Add wrapper function to bird sysdep code to pick a suitable source of random
  bytes
- Import reference Blake2 implementations into lib/
- Rename function names and data structures to use an auth_ prefix instead of hmac_
- Perform a separate authentication pass before parsing the packet, and move the
  authentication-related code to its own source file
- Enforce key length recommendation from the specification
- Add a 'permissive' configuration mode where outgoing packets are signed but
  incoming packets are accepted even though they fail authentication
- Add user documentation for the authentication configuration, and function
  docstrings to the main authentication functions
- Fix a bunch of nits and code style issues

---

Toke Høiland-Jørgensen (7):
      sysdep: Add wrapper to get random bytes
      nest: Add Blake2s and Blake2b hash functions
      mac_test: Add tests for blake2s and blake2b
      nest: Allow specifying security keys as hex bytes as well as strings
      config: Allow MAC algorithms to specify a function to validate their keys
      babel: Refactor TLV parsing code for easier reuse
      babel: Add MAC authentication support


 conf/cf-lex.l         |   31 +
 conf/conf.h           |    5 +
 conf/confbase.Y       |    2 +
 doc/bird.sgml         |   47 +-
 lib/Makefile          |    2 +-
 lib/blake2-impl.h     |  160 ++
 lib/blake2-kat.h      | 4111 +++++++++++++++++++++++++++++++++++++++++
 lib/blake2-ref.h      |  112 ++
 lib/blake2.c          |   48 +
 lib/blake2.h          |   67 +
 lib/blake2b-ref.c     |  270 +++
 lib/blake2s-ref.c     |  263 +++
 lib/mac.c             |   31 +-
 lib/mac.h             |   14 +
 lib/mac_test.c        |   91 +
 lib/string.h          |    1 +
 lib/strtoul.c         |   27 +
 nest/config.Y         |   54 +-
 nest/password.c       |    6 +
 nest/password.h       |    1 +
 proto/babel/Makefile  |    2 +-
 proto/babel/babel.c   |  156 +-
 proto/babel/babel.h   |   66 +-
 proto/babel/config.Y  |   46 +-
 proto/babel/packets.c |  661 ++++++-
 25 files changed, 6161 insertions(+), 113 deletions(-)
 create mode 100644 lib/blake2-impl.h
 create mode 100644 lib/blake2-kat.h
 create mode 100644 lib/blake2-ref.h
 create mode 100644 lib/blake2.c
 create mode 100644 lib/blake2.h
 create mode 100644 lib/blake2b-ref.c
 create mode 100644 lib/blake2s-ref.c


