summaryrefslogtreecommitdiff
path: root/sys/net/pfkeyv2.c
diff options
context:
space:
mode:
authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-15 14:15:42 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-07-15 14:15:42 +0000
commit893ba3a842c40c7f5d6f9f14837e0d432dd7767f (patch)
treeb143d604f311079eb8a3f83241ef170196a8f67a /sys/net/pfkeyv2.c
parent7bdb8bc6dd617efd36012f956c9992b1cfa8e85c (diff)
From angelos@, edits by me, demand keying for PF_KEY
Diffstat (limited to 'sys/net/pfkeyv2.c')
-rw-r--r--sys/net/pfkeyv2.c164
1 files changed, 110 insertions, 54 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index acf9af33e1a..760eae3e409 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -94,7 +94,7 @@ void import_key(struct ipsecinit *, struct sadb_key *, int);
void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
int pfdatatopacket(void *, int, struct mbuf **);
-int pfkeyv2_acquire(void *);
+int pfkeyv2_acquire(struct tdb *, int);
int pfkeyv2_create(struct socket *);
int pfkeyv2_get(struct tdb *, void **, void **);
int pfkeyv2_release(struct socket *);
@@ -1632,9 +1632,8 @@ realret:
}
int
-pfkeyv2_acquire(void *os)
+pfkeyv2_acquire(struct tdb *tdb, int rekey)
{
-#if 0
int rval = 0;
int i, j;
void *p, *headers[SADB_EXT_MAX+1], *buffer = NULL;
@@ -1644,16 +1643,18 @@ pfkeyv2_acquire(void *os)
goto ret;
}
+ /* How large a buffer do we need... */
i = sizeof(struct sadb_msg) + sizeof(struct sadb_address) +
- PADUP(SA_LEN(&os->src.sa)) + sizeof(struct sadb_address) +
- PADUP(SA_LEN(&os->dst.sa)) + sizeof(struct sadb_prop) +
- os->nproposals * sizeof(struct sadb_comb) +
+ PADUP(SA_LEN(&tdb->tdb_src.sa)) + sizeof(struct sadb_address) +
+ PADUP(SA_LEN(&tdb->tdb_dst.sa)) + sizeof(struct sadb_prop) +
+ 1 * sizeof(struct sadb_comb) + /* XXX We only do one proposal for now */
2 * sizeof(struct sadb_ident);
- if (os->rekeysa)
- i += PADUP(os->rekeysa->srcident.bytes) +
- PADUP(os->rekeysa->dstident.bytes);
+ if (rekey)
+ i += PADUP(tdb->tdb_srcid_len) +
+ PADUP(tdb->tdb_dstid_len);
+ /* Allocate */
if (!(p = malloc(i, M_PFKEY, M_DONTWAIT))) {
rval = ENOMEM;
goto ret;
@@ -1668,76 +1669,133 @@ pfkeyv2_acquire(void *os)
p += sizeof(struct sadb_msg);
((struct sadb_msg *)headers[0])->sadb_msg_version = PF_KEY_V2;
((struct sadb_msg *)headers[0])->sadb_msg_type = SADB_ACQUIRE;
- ((struct sadb_msg *)headers[0])->sadb_msg_satype = os->satype;
((struct sadb_msg *)headers[0])->sadb_msg_len = i / sizeof(uint64_t);
((struct sadb_msg *)headers[0])->sadb_msg_seq = pfkeyv2_seq++;
+ j = tdb->tdb_xform->xf_type;
+ switch (j)
+ {
+ case XF_OLD_AH:
+ j = SADB_X_SATYPE_AH_OLD;
+ break;
+
+ case XF_OLD_ESP:
+ j = SADB_X_SATYPE_ESP_OLD;
+ break;
+
+ case XF_NEW_AH:
+ j = SADB_SATYPE_AH;
+ break;
+
+ case XF_NEW_ESP:
+ j = SADB_SATYPE_ESP;
+ break;
+ }
+
+ ((struct sadb_msg *)headers[0])->sadb_msg_satype = j;
+
headers[SADB_EXT_ADDRESS_SRC] = p;
- p += sizeof(struct sadb_address) + PADUP(SA_LEN(&os->src.sa));
- ((struct sadb_address *)headers[SADB_EXT_ADDRESS_SRC])->sadb_address_len = (sizeof(struct sadb_address) + SA_LEN(&os->src.sa) + sizeof(uint64_t) - 1) / sizeof(uint64_t);
- bcopy(&os->src, headers[SADB_EXT_ADDRESS_SRC] + sizeof(struct sadb_address),
- SA_LEN(&os->src.sa));
+ p += sizeof(struct sadb_address) + PADUP(SA_LEN(&tdb->tdb_src.sa));
+ ((struct sadb_address *)headers[SADB_EXT_ADDRESS_SRC])->sadb_address_len = (sizeof(struct sadb_address) + SA_LEN(&tdb->tdb_src.sa) + sizeof(uint64_t) - 1) / sizeof(uint64_t);
+ bcopy(&tdb->tdb_src, headers[SADB_EXT_ADDRESS_SRC] + sizeof(struct sadb_address), SA_LEN(&tdb->tdb_src.sa));
headers[SADB_EXT_ADDRESS_DST] = p;
- p += sizeof(struct sadb_address) + PADUP(SA_LEN(&os->dst.sa));
- ((struct sadb_address *)headers[SADB_EXT_ADDRESS_DST])->sadb_address_len = (sizeof(struct sadb_address) + SA_LEN(&os->dst.sa) + sizeof(uint64_t) - 1) / sizeof(uint64_t);
- bcopy(&os->dst, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address),
- SA_LEN(&os->dst.sa));
+ p += sizeof(struct sadb_address) + PADUP(SA_LEN(&tdb->tdb_dst.sa));
+ ((struct sadb_address *)headers[SADB_EXT_ADDRESS_DST])->sadb_address_len = (sizeof(struct sadb_address) + SA_LEN(&tdb->tdb_dst.sa) + sizeof(uint64_t) - 1) / sizeof(uint64_t);
+ bcopy(&tdb->tdb_dst, headers[SADB_EXT_ADDRESS_DST] + sizeof(struct sadb_address), SA_LEN(&tdb->tdb_dst.sa));
headers[SADB_EXT_IDENTITY_SRC] = p;
p += sizeof(struct sadb_ident);
- ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_type = os->srcidenttype;
- ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_id = os->srcidentid;
- if (os->rekeysa) {
- ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_len = (sizeof(struct sadb_ident) + PADUP(os->rekeysa->srcident.bytes)) / sizeof(uint64_t);
- bcopy(os->rekeysa->srcident.data, p, os->rekeysa->srcident.bytes);
- p += PADUP(os->rekeysa->srcident.bytes);
+ ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_type = tdb->tdb_srcid_type;
+
+ /* XXX some day we'll have to deal with real ident_ids for users */
+ ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_id = 0;
+
+ if (rekey) {
+ ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_len = (sizeof(struct sadb_ident) + PADUP(tdb->tdb_srcid_len)) / sizeof(uint64_t);
+ bcopy(tdb->tdb_srcid, p, tdb->tdb_srcid_len);
+ p += PADUP(tdb->tdb_srcid_len);
} else
((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_len = (sizeof(struct sadb_ident)) / sizeof(uint64_t);
headers[SADB_EXT_IDENTITY_DST] = p;
p += sizeof(struct sadb_ident);
- ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_type = os->dstidenttype;
- ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_SRC])->sadb_ident_id = os->dstidentid;
- if (os->rekeysa) {
- ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_DST])->sadb_ident_len = (sizeof(struct sadb_ident) + PADUP(os->rekeysa->dstident.bytes)) / sizeof(uint64_t);
- bcopy(os->rekeysa->dstident.data, p, os->rekeysa->dstident.bytes);
- p += PADUP(os->rekeysa->srcident.bytes);
+ ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_DST])->sadb_ident_type = tdb->tdb_dstid_type;
+
+ /* XXX some day we'll have to deal with real ident_ids for users */
+ ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_DST])->sadb_ident_id = 0;
+
+ if (rekey) {
+ ((struct sadb_ident *)headers[SADB_EXT_IDENTITY_DST])->sadb_ident_len = (sizeof(struct sadb_ident) + PADUP(tdb->tdb_dstid_len)) / sizeof(uint64_t);
+ bcopy(tdb->tdb_dstid, p, tdb->tdb_dstid_len);
+ p += PADUP(tdb->tdb_dstid_len);
} else
((struct sadb_ident *)headers[SADB_EXT_IDENTITY_DST])->sadb_ident_len = (sizeof(struct sadb_ident)) / sizeof(uint64_t);
headers[SADB_EXT_PROPOSAL] = p;
p += sizeof(struct sadb_prop);
- ((struct sadb_prop *)headers[SADB_EXT_PROPOSAL])->sadb_prop_len = (sizeof(struct sadb_prop) + sizeof(struct sadb_comb) * os->nproposals) / sizeof(uint64_t);
- ((struct sadb_prop *)headers[SADB_EXT_PROPOSAL])->sadb_prop_num = os->nproposals;
+ ((struct sadb_prop *)headers[SADB_EXT_PROPOSAL])->sadb_prop_len = (sizeof(struct sadb_prop) + sizeof(struct sadb_comb) * 1) / sizeof(uint64_t); /* XXX 1 proposal only */
+ ((struct sadb_prop *)headers[SADB_EXT_PROPOSAL])->sadb_prop_num = 1; /* XXX 1 proposal only */
{
struct sadb_comb *sadb_comb = p;
- struct netsec_sadb_proposal *proposal = os->proposals;
-
- for (j = 0; j < os->nproposals; j++) {
- sadb_comb->sadb_comb_auth = proposal->auth;
- sadb_comb->sadb_comb_encrypt = proposal->encrypt;
- sadb_comb->sadb_comb_flags = proposal->flags;
- sadb_comb->sadb_comb_auth_minbits = proposal->auth_minbits;
- sadb_comb->sadb_comb_auth_maxbits = proposal->auth_maxbits;
- sadb_comb->sadb_comb_encrypt_minbits = proposal->encrypt_minbits;
- sadb_comb->sadb_comb_encrypt_maxbits = proposal->encrypt_maxbits;
- sadb_comb->sadb_comb_soft_allocations = proposal->soft.allocations;
- sadb_comb->sadb_comb_hard_allocations = proposal->hard.allocations;
- sadb_comb->sadb_comb_soft_bytes = proposal->soft.bytes;
- sadb_comb->sadb_comb_hard_bytes = proposal->hard.bytes;
- sadb_comb->sadb_comb_soft_addtime = proposal->soft.addtime;
- sadb_comb->sadb_comb_hard_addtime = proposal->hard.addtime;
- sadb_comb->sadb_comb_soft_usetime = proposal->soft.usetime;
- sadb_comb->sadb_comb_hard_usetime = proposal->hard.usetime;
+
+ /* XXX 1 proposal only */
+ for (j = 0; j < 1; j++) {
+ sadb_comb->sadb_comb_flags = 0;
+
+ if (tdb->tdb_flags & TDBF_PFS)
+ sadb_comb->sadb_comb_flags |= SADB_SAFLAGS_PFS;
+
+ if (tdb->tdb_flags & TDBF_HALFIV)
+ sadb_comb->sadb_comb_flags |= SADB_X_SAFLAGS_HALFIV;
+
+ if (tdb->tdb_flags & TDBF_TUNNELING)
+ sadb_comb->sadb_comb_flags |= SADB_X_SAFLAGS_TUNNEL;
+
+ if (tdb->tdb_authalgxform)
+ {
+ sadb_comb->sadb_comb_auth = tdb->tdb_authalgxform->type;
+ sadb_comb->sadb_comb_auth_minbits = tdb->tdb_authalgxform->keysize * 8;
+ sadb_comb->sadb_comb_auth_maxbits = tdb->tdb_authalgxform->keysize * 8;
+ }
+ else
+ {
+ sadb_comb->sadb_comb_auth = 0;
+ sadb_comb->sadb_comb_auth_minbits = 0;
+ sadb_comb->sadb_comb_auth_maxbits = 0;
+ }
+
+ if (tdb->tdb_encalgxform)
+ {
+ sadb_comb->sadb_comb_encrypt = tdb->tdb_encalgxform->type;
+ sadb_comb->sadb_comb_encrypt_minbits = tdb->tdb_encalgxform->minkey * 8;
+ sadb_comb->sadb_comb_encrypt_maxbits = tdb->tdb_encalgxform->maxkey * 8;
+ }
+ else
+ {
+ sadb_comb->sadb_comb_encrypt = 0;
+ sadb_comb->sadb_comb_encrypt_minbits = 0;
+ sadb_comb->sadb_comb_encrypt_maxbits = 0;
+ }
+
+ sadb_comb->sadb_comb_soft_allocations = tdb->tdb_soft_allocations;
+ sadb_comb->sadb_comb_hard_allocations = tdb->tdb_exp_allocations;
+
+ sadb_comb->sadb_comb_soft_bytes = tdb->tdb_soft_bytes;
+ sadb_comb->sadb_comb_hard_bytes = tdb->tdb_exp_bytes;
+
+ sadb_comb->sadb_comb_soft_addtime = tdb->tdb_soft_timeout;
+ sadb_comb->sadb_comb_hard_addtime = tdb->tdb_exp_timeout;
+
+ sadb_comb->sadb_comb_soft_usetime = tdb->tdb_soft_first_use;
+ sadb_comb->sadb_comb_hard_usetime = tdb->tdb_exp_first_use;
sadb_comb++;
- proposal++;
}
}
if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_REGISTERED,
- NULL, os->satype, count))!= 0)
+ NULL, ((struct sadb_msg *)headers[0])->sadb_msg_satype, 1))!= 0) /* XXX notice count of 1 as last arg -- is that right ? */
goto ret;
rval = 0;
@@ -1748,8 +1806,6 @@ ret:
free(buffer, M_PFKEY);
}
return rval;
-#endif
- return 0;
}
int