summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-03-04 20:50:42 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-03-04 20:50:42 +0000
commitc9a75c1d468e6b6148dbf9d17165b59a3846266c (patch)
tree6bc2d5750c5daa2fccb7f629cfc41f1837e5f3fc /sys
parentb3552319e0a4fc708f980ca2e241fda39eac5ccf (diff)
Import/export credentials from TDB.
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pfkeyv2.c45
-rw-r--r--sys/net/pfkeyv2.h15
-rw-r--r--sys/net/pfkeyv2_parsemessage.c23
3 files changed, 77 insertions, 6 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index 7cc139035b7..114f372a5cb 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.54 2000/12/24 04:18:42 angelos Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.55 2001/03/04 20:50:40 angelos Exp $ */
/*
%%% copyright-nrl-97
This software is Copyright 1997-1998 by Randall Atkinson, Ronald Lee,
@@ -66,6 +66,7 @@ static struct sadb_alg aalgs[] =
void export_address(void **, struct sockaddr *);
void export_identity(void **, struct tdb *, int);
void export_lifetime(void **, struct tdb *, int);
+void export_credentials(void **, struct tdb *);
void export_sa(void **, struct tdb *);
void export_key(void **, struct tdb *, int);
@@ -73,6 +74,7 @@ void import_address(struct sockaddr *, struct sadb_address *);
void import_identity(struct tdb *, struct sadb_ident *, int);
void import_key(struct ipsecinit *, struct sadb_key *, int);
void import_lifetime(struct tdb *, struct sadb_lifetime *, int);
+void import_credentials(struct tdb *, struct sadb_cred *);
void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *);
int pfkeyv2_create(struct socket *);
@@ -484,6 +486,23 @@ export_address(void **p, struct sockaddr *sa)
}
/*
+ * Import a set of credentials into the TDB.
+ */
+void
+import_credentials(struct tdb *tdb, struct sadb_cred *sadb_cred)
+{
+ if (!sadb_cred)
+ return;
+
+ tdb->tdb_cred_len = EXTLEN(sadb_cred) - sizeof(struct sadb_cred);
+ tdb->tdb_cred_type = sadb_cred->sadb_cred_type;
+ MALLOC(tdb->tdb_credentials, caddr_t, tdb->tdb_cred_len, M_XDATA,
+ M_WAITOK);
+ bcopy((void *) sadb_cred + sizeof(struct sadb_cred),
+ tdb->tdb_credentials, tdb->tdb_cred_len);
+}
+
+/*
* Import an identity payload into the TDB.
*/
void
@@ -515,6 +534,20 @@ import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type)
}
void
+export_credentials(void **p, struct tdb *tdb)
+{
+ struct sadb_cred *sadb_cred = (struct sadb_cred *) *p;
+
+ sadb_cred->sadb_cred_len = (sizeof(struct sadb_cred) +
+ PADUP(tdb->tdb_cred_len)) /
+ sizeof(uint64_t);
+ sadb_cred->sadb_cred_type = tdb->tdb_cred_type;
+ *p += sizeof(struct sadb_cred);
+ bcopy(tdb->tdb_credentials, *p, tdb->tdb_cred_len);
+ *p += PADUP(tdb->tdb_cred_len);
+}
+
+void
export_identity(void **p, struct tdb *tdb, int type)
{
struct sadb_ident *sadb_ident = (struct sadb_ident *) *p;
@@ -1002,6 +1035,13 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer)
export_identity(&p, sa, PFKEYV2_IDENTITY_DST);
}
+ /* Export credentials, if present */
+ if (sa->tdb_credentials)
+ {
+ headers[SADB_X_EXT_CREDENTIALS] = p;
+ export_credentials(&p, sa);
+ }
+
/* Export authentication key, if present */
if (sa->tdb_amxkey)
{
@@ -1317,6 +1357,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
PFKEYV2_IDENTITY_SRC);
import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
PFKEYV2_IDENTITY_DST);
+ import_credentials(newsa, headers[SADB_X_EXT_CREDENTIALS]);
headers[SADB_EXT_KEY_AUTH] = NULL;
headers[SADB_EXT_KEY_ENCRYPT] = NULL;
@@ -1432,6 +1473,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
import_identity(newsa, headers[SADB_EXT_IDENTITY_DST],
PFKEYV2_IDENTITY_DST);
+ import_credentials(newsa, headers[SADB_X_EXT_CREDENTIALS]);
+
headers[SADB_EXT_KEY_AUTH] = NULL;
headers[SADB_EXT_KEY_ENCRYPT] = NULL;
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index acd5c1bbef8..e1cd7757c0c 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -163,6 +163,13 @@ struct sadb_policy {
u_int32_t sadb_policy_seq;
};
+struct sadb_cred {
+ uint16_t sadb_cred_len;
+ uint16_t sadb_cred_exttype;
+ uint16_t sadb_cred_type;
+ uint16_t sadb_cred_reserved;
+};
+
#define SADB_GETSPROTO(x) ( (x) == SADB_SATYPE_AH ? IPPROTO_AH :\
(x) == SADB_SATYPE_ESP ? IPPROTO_ESP :\
IPPROTO_IPIP )
@@ -193,7 +200,8 @@ struct sadb_policy {
#define SADB_X_EXT_SA2 23
#define SADB_X_EXT_DST2 24
#define SADB_X_EXT_POLICY 25
-#define SADB_EXT_MAX 25
+#define SADB_X_EXT_CREDENTIALS 26
+#define SADB_EXT_MAX 26
/* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */
#define SADB_SATYPE_UNSPEC 0
@@ -274,6 +282,11 @@ struct sadb_policy {
#define PFKEYV2_SENDMESSAGE_REGISTERED 2
#define PFKEYV2_SENDMESSAGE_BROADCAST 3
+#define SADB_CREDTYPE_NONE 0
+#define SADB_CREDTYPE_X509 1
+#define SADB_CREDTYPE_KEYNOTE 2
+#define SADB_CREDTYPE_MAX 3
+
#define FLOW_X_TYPE_USE 1
#define FLOW_X_TYPE_ACQUIRE 2
#define FLOW_X_TYPE_REQUIRE 3
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index 3b8b8441b9e..cb512f5d017 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -60,6 +60,7 @@ you didn't get a copy, you may request one from <license@inner.net>.
#define BITMAP_X_SA2 (1 << SADB_X_EXT_SA2)
#define BITMAP_X_DST2 (1 << SADB_X_EXT_DST2)
#define BITMAP_X_POLICY (1 << SADB_X_EXT_POLICY)
+#define BITMAP_X_CREDENTIALS (1 << SADB_X_EXT_CREDENTIALS)
uint32_t sadb_exts_allowed_in[SADB_MAX+1] =
{
@@ -68,9 +69,9 @@ uint32_t sadb_exts_allowed_in[SADB_MAX+1] =
/* GETSPI */
BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
@@ -140,9 +141,9 @@ uint32_t sadb_exts_allowed_out[SADB_MAX+1] =
/* GETSPI */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* UPDATE */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS,
/* ADD */
- BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY,
+ BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS,
/* DELETE */
BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST,
/* GET */
@@ -417,6 +418,20 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
return EINVAL;
}
break;
+ case SADB_X_EXT_CREDENTIALS:
+ {
+ struct sadb_cred *sadb_cred = (struct sadb_cred *)p;
+
+ if (i < sizeof(struct sadb_cred))
+ return EINVAL;
+
+ if (sadb_cred->sadb_cred_type > SADB_CREDTYPE_MAX)
+ return EINVAL;
+
+ if (sadb_cred->sadb_cred_reserved)
+ return EINVAL;
+ }
+ break;
case SADB_EXT_IDENTITY_SRC:
case SADB_EXT_IDENTITY_DST:
{