authorJean-Jacques Bernard-Gundol <jjbg@cvs.openbsd.org>2001-07-05 16:48:05 +0000
committerJean-Jacques Bernard-Gundol <jjbg@cvs.openbsd.org>2001-07-05 16:48:05 +0000
commitd6dce2ee07499fccdf3d7d3091953680a369d015 (patch)
tree95cdc5ce180e17016b4203f5ab75a89e11d6dd94
parent948fec4e04ff4b485f61f0ce7fa4a2c1d40e1704 (diff)
IPComp. angelos@ ok.
-rw-r--r--sys/net/pfkeyv2.c57
-rw-r--r--sys/net/pfkeyv2_convert.c12
-rw-r--r--sys/net/pfkeyv2_parsemessage.c11
3 files changed, 73 insertions, 7 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index fa97d3c529a..8b0c1bd37d7 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.73 2001/06/27 05:29:10 angelos Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.74 2001/07/05 16:48:03 jjbg Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -80,6 +80,7 @@
#include <net/pfkeyv2.h>
#include <netinet/ip_ah.h>
#include <netinet/ip_esp.h>
+#include <netinet/ip_ipcomp.h>
#include <crypto/blf.h>
#define PFKEYV2_PROTOCOL 2
@@ -109,6 +110,11 @@ static struct sadb_alg aalgs[] =
{ SADB_AALG_RIPEMD160HMAC, 0, 160, 160 }
};
+static struct sadb_alg calgs[] =
+{
+ { SADB_X_CALG_DEFLATE, 0, 0, 0},
+};
+
extern uint32_t sadb_exts_allowed_out[SADB_MAX+1];
extern uint32_t sadb_exts_required_out[SADB_MAX+1];
@@ -743,6 +749,17 @@ pfkeyv2_get_proto_alg(u_int8_t satype, u_int8_t *sproto, int *alg)
break;
+ case SADB_X_SATYPE_IPCOMP:
+ if (!ipcomp_enable)
+ return EOPNOTSUPP;
+
+ *sproto = IPPROTO_IPCOMP;
+
+ if(alg != NULL)
+ *alg = satype = XF_IPCOMP;
+
+ break;
+
#ifdef TCP_SIGNATURE
case SADB_X_SATYPE_TCPSIGNATURE:
*sproto = IPPROTO_TCP;
@@ -1214,6 +1231,27 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
headers[SADB_EXT_SUPPORTED_AUTH] = freeme;
+ i = sizeof(struct sadb_supported) + sizeof(calgs);
+
+ if (!(freeme = malloc(i, M_PFKEY, M_DONTWAIT)))
+ {
+ rval = ENOMEM;
+ goto ret;
+ }
+
+ bzero(freeme, i);
+
+ ssup = (struct sadb_supported *) freeme;
+ ssup->sadb_supported_len = i / sizeof(uint64_t);
+
+ {
+ void *p = freeme + sizeof(struct sadb_supported);
+
+ bcopy(&calgs[0], p, sizeof(calgs));
+ }
+
+ headers[SADB_X_EXT_SUPPORTED_COMP] = freeme;
+
break;
case SADB_ACQUIRE:
@@ -1236,6 +1274,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
case SADB_SATYPE_AH:
case SADB_SATYPE_ESP:
case SADB_X_SATYPE_IPIP:
+ case SADB_X_SATYPE_IPCOMP:
#ifdef TCP_SIGNATURE
case SADB_X_SATYPE_TCPSIGNATURE:
#endif /* TCP_SIGNATURE */
@@ -1851,8 +1890,10 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
if (ipo->ipo_sproto == IPPROTO_ESP)
smsg->sadb_msg_satype = SADB_SATYPE_ESP;
- else
+ else if (ipo->ipo_sproto == IPPROTO_AH)
smsg->sadb_msg_satype = SADB_SATYPE_AH;
+ else if (ipo->ipo_sproto == IPPROTO_IPCOMP)
+ smsg->sadb_msg_satype = SADB_X_SATYPE_IPCOMP;
if (laddr)
{
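Review bot: Turning the unconditional `else` into `else if (ipo->ipo_sproto == IPPROTO_AH)` means `smsg->sadb_msg_satype` is no longer set for any protocol other than ESP, AH and IPCOMP; before this change every other value mapped to SADB_SATYPE_AH. Whether that leaves the field as SADB_SATYPE_UNSPEC depends on the message buffer having been zeroed earlier in pfkeyv2_acquire, which is outside the hunk and I cannot confirm here. A final `else` that either keeps the old AH default or bails out with an error would make the intent explicit, for example `else return EPROTONOSUPPORT;` if the function's error path allows it. pfkeyv2_acquire's body starts and ends outside the hunk.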
@@ -1969,6 +2010,17 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
}
}
+ else if (ipo->ipo_sproto == IPPROTO_IPCOMP)
+ {
+ /* Set the compression algorithm */
+ if (!strncasecmp(ipsec_def_comp, "deflate", sizeof("deflate")))
+ {
+ sadb_comb->sadb_comb_encrypt = SADB_X_CALG_DEFLATE;
+ sadb_comb->sadb_comb_encrypt = 0;
+ sadb_comb->sadb_comb_encrypt = 0;
+ }
+ }
+
/* Set the authentication algorithm */
if (!strncasecmp(ipsec_def_auth, "hmac-sha1", sizeof("hmac-sha1")))
{
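Review bot: All three assignments in the new deflate branch write `sadb_comb->sadb_comb_encrypt`, so the SADB_X_CALG_DEFLATE stored on the first line is immediately overwritten with 0 twice and the ACQUIRE proposal never advertises the compression algorithm. The second and third lines read like a copy of the ESP branch's bit-length setup and presumably meant the min/max fields: `sadb_comb->sadb_comb_encrypt_minbits = 0;` and `sadb_comb->sadb_comb_encrypt_maxbits = 0;`. Note also that when `ipsec_def_comp` is not "deflate" nothing is set at all, which silently produces a proposal with no compression algorithm. pfkeyv2_acquire's body starts and ends outside the hunk.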
@@ -2039,6 +2091,7 @@ pfkeyv2_expire(struct tdb *sa, u_int16_t type)
case IPPROTO_AH:
case IPPROTO_ESP:
case IPPROTO_IPIP:
+ case IPPROTO_IPCOMP:
#ifdef TCP_SIGNATURE
case IPPROTO_TCP:
#endif /* TCP_SIGNATURE */
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 40f6eae71cc..42bacf26994 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.4 2001/06/26 06:10:20 angelos Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.5 2001/07/05 16:48:04 jjbg Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
*
@@ -115,6 +115,7 @@ import_sa(struct tdb *tdb, struct sadb_sa *sadb_sa, struct ipsecinit *ii)
if (ii) {
ii->ii_encalg = sadb_sa->sadb_sa_encrypt;
ii->ii_authalg = sadb_sa->sadb_sa_auth;
+ ii->ii_compalg = sadb_sa->sadb_sa_encrypt; /* Yeurk! */
tdb->tdb_spi = sadb_sa->sadb_sa_spi;
tdb->tdb_wnd = sadb_sa->sadb_sa_replay;
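Review bot: The `/* Yeurk! */` comment records discomfort without saying what the reader needs to know: for SADB_X_SATYPE_IPCOMP SAs the compression algorithm id travels in `sadb_sa_encrypt` (export_sa in this same commit writes SADB_X_CALG_DEFLATE there), so `ii_compalg` and `ii_encalg` are deliberately filled from the same field. Suggest replacing it with a comment to that effect, e.g. `/* PF_KEY has no compression field; IPCOMP SAs carry the algorithm in sadb_sa_encrypt. */`, and adding that consumers must pick ii_encalg or ii_compalg based on the SA's protocol, since the hunk shows no sproto check and both fields are populated for every SA type. import_sa's body starts and ends outside the hunk.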
@@ -155,6 +156,15 @@ export_sa(void **p, struct tdb *tdb)
if (tdb->tdb_flags & TDBF_INVALID)
sadb_sa->sadb_sa_state = SADB_SASTATE_LARVAL;
+ if (tdb->tdb_sproto == IPPROTO_IPCOMP) {
+ switch (tdb->tdb_compalgxform->type)
+ {
+ case CRYPTO_DEFLATE_COMP:
+ sadb_sa->sadb_sa_encrypt = SADB_X_CALG_DEFLATE;
+ break;
+ }
+ }
+
if (tdb->tdb_authalgxform) {
switch (tdb->tdb_authalgxform->type) {
case CRYPTO_MD5_HMAC:
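Review bot: `tdb->tdb_compalgxform->type` is dereferenced with no check on the pointer, while the adjacent authalgxform block at the bottom of the hunk is guarded by `if (tdb->tdb_authalgxform)`. If an IPCOMP tdb can exist without a compression transform attached (a larval SA, for instance; I cannot confirm that from this hunk), this is a kernel NULL dereference reachable through an SA dump or get request. Suggest `if (tdb->tdb_sproto == IPPROTO_IPCOMP && tdb->tdb_compalgxform) {` and a `default:` arm in the switch so an unrecognised transform is explicitly left unset rather than silently ignored. export_sa's body starts and ends outside the hunk.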
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index 8e8a4d57a07..00a98a9caf7 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.30 2001/07/03 05:16:09 angelos Exp $ */
+/* $OpenBSD: pfkeyv2_parsemessage.c,v 1.31 2001/07/05 16:48:04 jjbg Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -120,6 +120,7 @@ extern int encdebug;
#define BITMAP_X_REMOTE_AUTH (1 << SADB_X_EXT_REMOTE_AUTH)
#define BITMAP_X_CREDENTIALS (BITMAP_X_LOCAL_CREDENTIALS | BITMAP_X_REMOTE_CREDENTIALS | BITMAP_X_LOCAL_AUTH | BITMAP_X_REMOTE_AUTH)
#define BITMAP_X_FLOW (BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW)
+#define BITMAP_X_SUPPORTED_COMP (1 << SADB_X_EXT_SUPPORTED_COMP)
uint32_t sadb_exts_allowed_in[SADB_MAX+1] =
{
@@ -210,7 +211,7 @@ uint32_t sadb_exts_allowed_out[SADB_MAX+1] =
/* ACQUIRE */
BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_IDENTITY | BITMAP_PROPOSAL,
/* REGISTER */
- BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT,
+ BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP,
/* EXPIRE */
BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS,
/* FLUSH */
@@ -246,7 +247,7 @@ uint32_t sadb_exts_required_out[SADB_MAX+1] =
/* ACQUIRE */
0,
/* REGISTER */
- BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT,
+ BITMAP_SUPPORTED_AUTH | BITMAP_SUPPORTED_ENCRYPT | BITMAP_X_SUPPORTED_COMP,
/* EXPIRE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* FLUSH */
@@ -839,6 +840,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
break;
case SADB_EXT_SUPPORTED_AUTH:
case SADB_EXT_SUPPORTED_ENCRYPT:
+ case SADB_X_EXT_SUPPORTED_COMP:
{
struct sadb_supported *sadb_supported =
(struct sadb_supported *)p;
@@ -865,7 +867,8 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
int max_alg;
max_alg = sadb_ext->sadb_ext_type == SADB_EXT_SUPPORTED_AUTH ?
- SADB_AALG_MAX : SADB_EALG_MAX;
+ SADB_AALG_MAX : SADB_EXT_SUPPORTED_ENCRYPT ?
+ SADB_EALG_MAX : SADB_X_CALG_MAX;
for (j = 0; j < sadb_supported->sadb_supported_len - 1; j++) {
if (sadb_alg->sadb_alg_id > max_alg) {
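Review bot: The new middle arm of the ternary tests the constant `SADB_EXT_SUPPORTED_ENCRYPT` on its own rather than comparing it against `sadb_ext->sadb_ext_type`, so it is always true and `SADB_X_CALG_MAX` is never selected; algorithm ids in an SADB_X_EXT_SUPPORTED_COMP extension coming from userland are bounded by SADB_EALG_MAX instead of the compression maximum. The fix is to repeat the comparison: `SADB_AALG_MAX : sadb_ext->sadb_ext_type == SADB_EXT_SUPPORTED_ENCRYPT ?` on the first added line, leaving the second as is. A nested ternary with no parentheses is easy to misread this way; a short if/else if chain assigning `max_alg` would make the three cases obvious. pfkeyv2_parsemessage's body starts and ends outside the hunk.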