author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-20 19:13:19 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-20 19:13:19 +0000 |
commit | abf01d6b129a731585d61dc43c365ce2fb5e79f3 (patch) | |
tree | da8aee049dd6b7679edf0ae467ba2ca1624f4b0f | |
parent | 7a7287079d5b646997b9a902697cbacc1f74d5c5 (diff) |
Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this addresses one of itojun's questions, on how the IDs for IKE are
to be determined (support for this still needs to be added to ipsecadm).
-rw-r--r-- | sys/net/pfkeyv2.c | 119 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 10 | ||||
-rw-r--r-- | sys/netinet/ip_spd.c | 6 |
3 files changed, 122 insertions, 13 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index 20e1ed50741..7019724c4b6 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.42 2000/09/19 08:38:58 angelos Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.43 2000/09/20 19:13:16 angelos Exp $ */
 /*
 %%% copyright-nrl-97
 This software is Copyright 1997-1998 by Randall Atkinson, Ronald Lee,
@@ -977,6 +977,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 struct sadb_spirange *sprng;
 struct sadb_sa *ssa;
 struct sadb_supported *ssup;
+ struct sadb_ident *sid;
 
 /* Verify that we received this over a legitimate pfkeyv2 socket */
 bzero(headers, sizeof(headers));
@@ -1668,7 +1669,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 if (!exists)
 FREE(ipo, M_TDB);
 else
- ipo->ipo_tdb = ktdb; /* Reset */
+ ipsec_delete_policy(ipo);
 rval = ESRCH;
 goto splxret;
 }
@@ -1713,15 +1714,11 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 if (!exists)
 FREE(ipo, M_TDB);
 else
- {
- if (ipo->ipo_tdb)
- TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo,
- ipo_tdb_next);
- if (ktdb)
- TAILQ_INSERT_HEAD(&ktdb->tdb_policy_head,
- ipo, ipo_tdb_next);
- ipo->ipo_tdb = ktdb;
- }
+ {
+ s = spltdb();
+ ipsec_delete_policy(ipo);
+ splx(s);
+ }
 rval = EINVAL;
 goto ret;
 
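Review bot: In both rewritten error branches (the ESRCH path of the `-1668` hunk and the EINVAL path here) a policy that already `exists` and fails validation is now torn down with `ipsec_delete_policy()` instead of being restored, so one malformed SADB_X_ADDFLOW for a flow that already has a policy silently removes that policy and the traffic it covered falls through to whatever the default policy permits. If that is the intended "cleanup", each call site should say so, e.g. `/* A failed update of an existing policy removes it entirely. */`; otherwise keeping the old restore-previous-state behaviour is the safer choice. The ESRCH branch calls `ipsec_delete_policy()` without the `spltdb()`/`splx()` pair added here — presumably because `goto splxret` means the caller is already at spltdb, but that is not visible in the hunk and deserves a one-line comment. The enclosing case body starts and ends outside the hunk.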
@@ -1746,6 +1743,69 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 }
 ipo->ipo_sproto = SADB_GETSPROTO(smsg->sadb_msg_satype);
 
+ if (ipo->ipo_srcid)
+ FREE(ipo->ipo_srcid, M_TEMP);
+ if (ipo->ipo_dstid)
+ FREE(ipo->ipo_dstid, M_TEMP);
+
+ if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL)
+ {
+ MALLOC(ipo->ipo_srcid, u_int8_t *, ipo->ipo_srcid_len,
+ M_TEMP, M_DONTWAIT);
+ if (ipo->ipo_srcid == NULL)
+ {
+ if (exists)
+ {
+ s = spltdb();
+ ipsec_delete_policy(ipo);
+ splx(s);
+ }
+ else
+ FREE(ipo, M_TDB);
+ rval = ENOBUFS;
+ goto ret;
+ }
+
+ ipo->ipo_srcid_type = sid->sadb_ident_type;
+ ipo->ipo_srcid_len = sid->sadb_ident_len -
+ sizeof(struct sadb_ident);
+
+ bcopy(headers[SADB_EXT_IDENTITY_SRC] +
+ sizeof(struct sadb_ident), ipo->ipo_srcid,
+ ipo->ipo_srcid_len);
+ }
+
+ if ((sid = headers[SADB_EXT_IDENTITY_DST]) != NULL)
+ {
+ MALLOC(ipo->ipo_dstid, u_int8_t *, ipo->ipo_dstid_len,
+ M_TEMP, M_DONTWAIT);
+ if (ipo->ipo_dstid == NULL)
+ {
+ if (exists)
+ {
+ s = spltdb();
+ ipsec_delete_policy(ipo);
+ splx(s);
+ }
+ else
+ {
+ if (ipo->ipo_srcid)
+ FREE(ipo->ipo_srcid, M_TEMP);
+ FREE(ipo, M_TDB);
+ }
+
+ rval = ENOBUFS;
+ goto ret;
+ }
+
+ ipo->ipo_dstid_type = sid->sadb_ident_type;
+ ipo->ipo_dstid_len = sid->sadb_ident_len -
+ sizeof(struct sadb_ident);
+
+ bcopy(headers[SADB_EXT_IDENTITY_SRC] +
+ sizeof(struct sadb_ident), ipo->ipo_dstid,
+ ipo->ipo_dstid_len);
+ }
 
 /* Flow type */
 if (!exists)
@@ -1766,6 +1826,10 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
 splx(s);
 }
 
+ if (ipo->ipo_srcid)
+ FREE(ipo->ipo_srcid, M_TEMP);
+ if (ipo->ipo_dstid)
+ FREE(ipo->ipo_dstid, M_TEMP);
 FREE(ipo, M_TDB); /* Free policy entry */
 goto ret;
 }
@@ -1883,6 +1947,7 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 union sockaddr_union *laddr)
 {
 void *p, *headers[SADB_EXT_MAX + 1], *buffer = NULL;
+ struct sadb_ident *srcid, *dstid;
 struct sadb_comb *sadb_comb;
 struct sadb_address *sadd;
 struct sadb_prop *sa_prop;
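Review bot: `MALLOC(ipo->ipo_srcid, u_int8_t *, ipo->ipo_srcid_len, ...)` is sized with the length field before that field is computed from `sid->sadb_ident_len` a few lines later, so the buffer is allocated with the previous policy's length (or, if a fresh `ipo` is not zeroed on allocation — not visible here — with garbage) and `bcopy()` then writes the new length into it, a heap overflow driven from the PF_KEY socket; the IDENTITY_DST block has the same ordering. The length itself mixes units: `sadb_ident_len` counts 64-bit words, as the encoder in the `-1951` hunk of this file confirms with `/ sizeof(u_int64_t)`, so `sid->sadb_ident_len - sizeof(struct sadb_ident)` underflows for every realistic value and is truncated into the `u_int16_t` declared in ip_ipsp.h, unless the parser that fills `headers[]` (outside this diff) already rejects such extensions. Two further defects: the IDENTITY_DST block copies from `headers[SADB_EXT_IDENTITY_SRC]` rather than the destination extension, and the two `FREE()`s at the top leave `ipo_srcid`/`ipo_dstid` dangling, so `ipsec_delete_policy(ipo)` on the later ENOBUFS path — or any later deletion of an existing policy that was updated without identity payloads — frees them a second time. The excerpt below shows the source side with the length validated and converted before the allocation and the stale pointers cleared; the destination block is the same with `sid`, the `ipo_dstid*` members and `SADB_EXT_IDENTITY_DST` substituted.
```c
	if (ipo->ipo_srcid)
	    FREE(ipo->ipo_srcid, M_TEMP);
	ipo->ipo_srcid = NULL;
	if (ipo->ipo_dstid)
	    FREE(ipo->ipo_dstid, M_TEMP);
	ipo->ipo_dstid = NULL;

	if ((sid = headers[SADB_EXT_IDENTITY_SRC]) != NULL)
	{
	    /* sadb_ident_len is in 64-bit words, like every PF_KEY ext len. */
	    size_t idlen = (size_t) sid->sadb_ident_len * sizeof(u_int64_t);

	    if (idlen < sizeof(struct sadb_ident) ||
		idlen - sizeof(struct sadb_ident) > 0xffff)
	    {
		/* … same cleanup as the ENOBUFS path below … */
		rval = EINVAL;
		goto ret;
	    }
	    ipo->ipo_srcid_len = idlen - sizeof(struct sadb_ident);

	    MALLOC(ipo->ipo_srcid, u_int8_t *, ipo->ipo_srcid_len,
		   M_TEMP, M_DONTWAIT);
	    if (ipo->ipo_srcid == NULL)
	    {
		/* … unchanged: ENOBUFS cleanup … */
	    }

	    ipo->ipo_srcid_type = sid->sadb_ident_type;
	    bcopy((u_int8_t *) sid + sizeof(struct sadb_ident),
		  ipo->ipo_srcid, ipo->ipo_srcid_len);
	}
	/* … IDENTITY_DST: identical, reading from headers[SADB_EXT_IDENTITY_DST] … */
```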
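Review bot: The two `FREE()` calls added in the `-1766` hunk ahead of `FREE(ipo, M_TDB)` duplicate what `ipsec_delete_policy()` now does in ip_spd.c, so the identity buffers have two release sites that must be kept in step whenever a third field is added to the policy. If the code above this hunk (not visible) has merely unlinked `ipo`, folding that unlinking and these frees into one `ipsec_delete_policy(ipo);` under the existing `spltdb()` section leaves a single owner of the policy's memory; if that is not possible, a comment at this site such as `/* Identity payloads are owned by the policy; keep in sync with ipsec_delete_policy() */` records the coupling. The enclosing error path begins before the hunk.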
@@ -1903,6 +1968,12 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 sizeof(struct sadb_address) + PADUP(SA_LEN(&gw->sa)) +
 sizeof(struct sadb_prop) + 1 * sizeof(struct sadb_comb);
 
+ if (ipo->ipo_srcid)
+ i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid_len);
+
+ if (ipo->ipo_dstid)
+ i += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid_len);
+
 /* Allocate */
 if (!(p = malloc(i, M_PFKEY, M_DONTWAIT)))
 {
@@ -1951,6 +2022,32 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
 bcopy(gw, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address),
 SA_LEN(&gw->sa));
 
+ if (ipo->ipo_srcid)
+ {
+ headers[SADB_EXT_IDENTITY_SRC] = p;
+ p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid_len);
+ srcid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_SRC];
+ srcid->sadb_ident_len = (sizeof(struct sadb_ident) +
+ PADUP(ipo->ipo_srcid_len)) /
+ sizeof(u_int64_t);
+ srcid->sadb_ident_type = ipo->ipo_srcid_type;
+ bcopy(ipo->ipo_srcid, headers[SADB_EXT_IDENTITY_SRC] +
+ sizeof(struct sadb_ident), ipo->ipo_srcid_len);
+ }
+
+ if (ipo->ipo_dstid)
+ {
+ headers[SADB_EXT_IDENTITY_DST] = p;
+ p += sizeof(struct sadb_ident) + PADUP(ipo->ipo_dstid_len);
+ dstid = (struct sadb_ident *) headers[SADB_EXT_IDENTITY_DST];
+ dstid->sadb_ident_len = (sizeof(struct sadb_ident) +
+ PADUP(ipo->ipo_dstid_len)) /
+ sizeof(u_int64_t);
+ dstid->sadb_ident_type = ipo->ipo_dstid_type;
+ bcopy(ipo->ipo_dstid, headers[SADB_EXT_IDENTITY_DST] +
+ sizeof(struct sadb_ident), ipo->ipo_dstid_len);
+ }
+
 headers[SADB_EXT_PROPOSAL] = p;
 p += sizeof(struct sadb_prop);
 sa_prop = (struct sadb_prop *) headers[SADB_EXT_PROPOSAL];
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 13df8e78727..f0f0854a8df 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
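Review bot: The `PADUP()` slack after each copied identity in the `-1951` hunk — up to seven bytes between the end of the `ipo->ipo_srcid` copy and the next extension — is never written here, so unless the `malloc(i, M_PFKEY, M_DONTWAIT)` buffer is zeroed before these lines (outside what the diff shows) those bytes, and the remaining fields of the new `struct sadb_ident` header that this code does not assign, carry stale kernel heap contents to every PF_KEY socket that receives the ACQUIRE. A `bzero(srcid, sizeof(struct sadb_ident) + PADUP(ipo->ipo_srcid_len));` right after the cast (and the matching call for `dstid`) makes each extension self-contained regardless of how the buffer was obtained. The extension-type field of the header is also not set in this hunk; if the send path stamps it from the `headers[]` index that is fine, but a short comment saying so would save the next reader a trip through pfkeyv2_sendmessage(). pfkeyv2_acquire() begins and ends outside the hunk.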
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.71 2000/09/19 08:38:59 angelos Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.72 2000/09/20 19:13:17 angelos Exp $ */
 
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
@@ -183,6 +183,14 @@ struct ipsec_policy
 
 struct tdb *ipo_tdb; /* Cached entry */
 
+ u_int16_t ipo_srcid_len;
+ u_int16_t ipo_dstid_len;
+ u_int16_t ipo_srcid_type;
+ u_int16_t ipo_dstid_type;
+
+ u_int8_t *ipo_srcid;
+ u_int8_t *ipo_dstid;
+
 TAILQ_ENTRY(ipsec_policy) ipo_tdb_next; /* List of policies on TDB */
 TAILQ_ENTRY(ipsec_policy) ipo_list; /* List of all policy entries */
 };
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index c5500b15bb5..8fa4535a0d8 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.1 2000/09/19 03:20:59 angelos Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.2 2000/09/20 19:13:18 angelos Exp $ */
 
 /*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -667,6 +667,10 @@ ipsec_delete_policy(struct ipsec_policy *ipo)
 TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, ipo_tdb_next);
 TAILQ_REMOVE(&ipsec_policy_head, ipo, ipo_list);
 
+ if (ipo->ipo_srcid)
+ FREE(ipo->ipo_srcid, M_TEMP);
+ if (ipo->ipo_dstid)
+ FREE(ipo->ipo_dstid, M_TEMP);
 FREE(ipo, M_TDB);
 ipsec_in_use--;
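Review bot: The six identity members added to `struct ipsec_policy` in the `-183` hunk are the only members in view without a trailing comment, and they are the ones whose contract matters most: pfkeyv2_send() now `FREE()`s `ipo_srcid`/`ipo_dstid` unconditionally before refilling them and ipsec_delete_policy() frees them again on teardown, so every allocator of an `ipsec_policy` must start those pointers at NULL and nothing may free them except those two paths. Suggested: `u_int16_t ipo_srcid_len; /* Bytes in ipo_srcid */`, `u_int16_t ipo_srcid_type; /* sadb_ident_type of ipo_srcid */`, `u_int8_t *ipo_srcid; /* M_TEMP, NULL if absent; freed only by ipsec_delete_policy() */`, with the same three comments on the dst members. The struct's opening is outside the hunk.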