author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-03-04 20:50:42 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-03-04 20:50:42 +0000 |
commit | c9a75c1d468e6b6148dbf9d17165b59a3846266c (patch) | |
tree | 6bc2d5750c5daa2fccb7f629cfc41f1837e5f3fc /sys | |
parent | b3552319e0a4fc708f980ca2e241fda39eac5ccf (diff) |
Import credentials into, and export them from, the TDB over PF_KEYv2 (new SADB_X_EXT_CREDENTIALS extension).
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pfkeyv2.c | 45 | ||||
-rw-r--r-- | sys/net/pfkeyv2.h | 15 | ||||
-rw-r--r-- | sys/net/pfkeyv2_parsemessage.c | 23 |
3 files changed, 77 insertions, 6 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c index 7cc139035b7..114f372a5cb 100644 --- a/sys/net/pfkeyv2.c +++ b/sys/net/pfkeyv2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2.c,v 1.54 2000/12/24 04:18:42 angelos Exp $ */ +/* $OpenBSD: pfkeyv2.c,v 1.55 2001/03/04 20:50:40 angelos Exp $ */ /* %%% copyright-nrl-97 This software is Copyright 1997-1998 by Randall Atkinson, Ronald Lee, @@ -66,6 +66,7 @@ static struct sadb_alg aalgs[] = void export_address(void **, struct sockaddr *); void export_identity(void **, struct tdb *, int); void export_lifetime(void **, struct tdb *, int); +void export_credentials(void **, struct tdb *); void export_sa(void **, struct tdb *); void export_key(void **, struct tdb *, int); @@ -73,6 +74,7 @@ void import_address(struct sockaddr *, struct sadb_address *); void import_identity(struct tdb *, struct sadb_ident *, int); void import_key(struct ipsecinit *, struct sadb_key *, int); void import_lifetime(struct tdb *, struct sadb_lifetime *, int); +void import_credentials(struct tdb *, struct sadb_cred *); void import_sa(struct tdb *, struct sadb_sa *, struct ipsecinit *); int pfkeyv2_create(struct socket *); @@ -484,6 +486,23 @@ export_address(void **p, struct sockaddr *sa) } /* + * Import a set of credentials into the TDB. + */ +void +import_credentials(struct tdb *tdb, struct sadb_cred *sadb_cred) +{ + if (!sadb_cred) + return; + + tdb->tdb_cred_len = EXTLEN(sadb_cred) - sizeof(struct sadb_cred); + tdb->tdb_cred_type = sadb_cred->sadb_cred_type; + MALLOC(tdb->tdb_credentials, caddr_t, tdb->tdb_cred_len, M_XDATA, + M_WAITOK); + bcopy((void *) sadb_cred + sizeof(struct sadb_cred), + tdb->tdb_credentials, tdb->tdb_cred_len); +} + +/* * Import an identity payload into the TDB. */ void 
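Review bot: import_credentials allocates tdb_credentials without releasing one the TDB may already hold, and it accepts a header-only extension: EXTLEN(sadb_cred) == sizeof(struct sadb_cred) passes the parser's `i < sizeof(struct sadb_cred)` check and arrives here with tdb_cred_len == 0, so the MALLOC(0) still leaves tdb_credentials non-NULL and the SA advertises credentials it does not have. Both call sites in pfkeyv2_send pass `newsa`; whether the UPDATE path can hand in a TDB that already carries credentials is not visible in this diff, but freeing before reallocating costs nothing and removes the leak if it can. Nothing in this commit frees tdb_credentials when the TDB itself is torn down; confirm the tdb release path (outside these files) does so. Suggested guard and release at the top of the function:
```c
void
import_credentials(struct tdb *tdb, struct sadb_cred *sadb_cred)
{
	/* Ignore a missing or payload-less extension rather than allocate 0 bytes. */
	if (!sadb_cred || EXTLEN(sadb_cred) <= sizeof(struct sadb_cred))
		return;

	/* Replace, don't leak, credentials already attached to this TDB. */
	if (tdb->tdb_credentials)
		FREE(tdb->tdb_credentials, M_XDATA);

	/* … unchanged: length/type assignment, MALLOC and bcopy … */
```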
@@ -515,6 +534,20 @@ import_identity(struct tdb *tdb, struct sadb_ident *sadb_ident, int type) } void +export_credentials(void **p, struct tdb *tdb) +{ + struct sadb_cred *sadb_cred = (struct sadb_cred *) *p; + + sadb_cred->sadb_cred_len = (sizeof(struct sadb_cred) + + PADUP(tdb->tdb_cred_len)) / + sizeof(uint64_t); + sadb_cred->sadb_cred_type = tdb->tdb_cred_type; + *p += sizeof(struct sadb_cred); + bcopy(tdb->tdb_credentials, *p, tdb->tdb_cred_len); + *p += PADUP(tdb->tdb_cred_len); +} + +void export_identity(void **p, struct tdb *tdb, int type) { struct sadb_ident *sadb_ident = (struct sadb_ident *) *p; @@ -1002,6 +1035,13 @@ pfkeyv2_get(struct tdb *sa, void **headers, void **buffer) export_identity(&p, sa, PFKEYV2_IDENTITY_DST); } + /* Export credentials, if present */ + if (sa->tdb_credentials) + { + headers[SADB_X_EXT_CREDENTIALS] = p; + export_credentials(&p, sa); + } + /* Export authentication key, if present */ if (sa->tdb_amxkey) { @@ -1317,6 +1357,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len) PFKEYV2_IDENTITY_SRC); import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], PFKEYV2_IDENTITY_DST); + import_credentials(newsa, headers[SADB_X_EXT_CREDENTIALS]); headers[SADB_EXT_KEY_AUTH] = NULL; headers[SADB_EXT_KEY_ENCRYPT] = NULL; @@ -1432,6 +1473,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len) import_identity(newsa, headers[SADB_EXT_IDENTITY_DST], PFKEYV2_IDENTITY_DST); + import_credentials(newsa, headers[SADB_X_EXT_CREDENTIALS]); + headers[SADB_EXT_KEY_AUTH] = NULL; headers[SADB_EXT_KEY_ENCRYPT] = NULL; diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index acd5c1bbef8..e1cd7757c0c 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h 
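Review bot: export_credentials has no header comment, while its counterpart import_credentials added in the same commit does; the layout it produces (length in 64-bit words, payload padded with PADUP, `*p` advanced past the padding) is exactly what a caller sizing the buffer needs to know. Suggest, above the definition: `/* Export the TDB's credentials as an SADB_X_EXT_CREDENTIALS extension at *p: header followed by tdb_cred_len bytes padded to 8, sadb_cred_len in 64-bit words; *p is advanced past the padded payload. */`. Note that sadb_cred_exttype and sadb_cred_reserved are not written here; that is fine only if the message assembler stamps the extension type and the buffer is zeroed beforehand, neither of which is visible in this diff.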
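Review bot: Nothing in this commit enlarges the reply buffer that export_credentials now writes into. pfkeyv2_get computes the reply size before allocating (near its top, outside this hunk), and the diffstat's 45 changed lines for pfkeyv2.c are fully accounted for by the hunks shown, so no sizing term for the credential extension was added; since struct sadb_cred itself is introduced by this commit, no pre-existing term could have covered it either. When sa->tdb_credentials is set, the export therefore writes sizeof(struct sadb_cred) + PADUP(sa->tdb_cred_len) bytes beyond what was reserved for the other extensions — a kernel heap overflow triggered by an SADB_GET on such an SA. Add to the size precomputation, alongside the identity and key terms: `if (sa->tdb_credentials) i += sizeof(struct sadb_cred) + PADUP(sa->tdb_cred_len);` (using whatever the accumulator is named there). pfkeyv2_get starts and ends outside this hunk.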
@@ -163,6 +163,13 @@ struct sadb_policy { u_int32_t sadb_policy_seq; }; +struct sadb_cred { + uint16_t sadb_cred_len; + uint16_t sadb_cred_exttype; + uint16_t sadb_cred_type; + uint16_t sadb_cred_reserved; +}; + #define SADB_GETSPROTO(x) ( (x) == SADB_SATYPE_AH ? IPPROTO_AH :\ (x) == SADB_SATYPE_ESP ? IPPROTO_ESP :\ IPPROTO_IPIP ) @@ -193,7 +200,8 @@ struct sadb_policy { #define SADB_X_EXT_SA2 23 #define SADB_X_EXT_DST2 24 #define SADB_X_EXT_POLICY 25 -#define SADB_EXT_MAX 25 +#define SADB_X_EXT_CREDENTIALS 26 +#define SADB_EXT_MAX 26 /* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */ #define SADB_SATYPE_UNSPEC 0 @@ -274,6 +282,11 @@ struct sadb_policy { #define PFKEYV2_SENDMESSAGE_REGISTERED 2 #define PFKEYV2_SENDMESSAGE_BROADCAST 3 +#define SADB_CREDTYPE_NONE 0 +#define SADB_CREDTYPE_X509 1 +#define SADB_CREDTYPE_KEYNOTE 2 +#define SADB_CREDTYPE_MAX 3 + #define FLOW_X_TYPE_USE 1 #define FLOW_X_TYPE_ACQUIRE 2 #define FLOW_X_TYPE_REQUIRE 3 diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c index 3b8b8441b9e..cb512f5d017 100644 --- a/sys/net/pfkeyv2_parsemessage.c +++ b/sys/net/pfkeyv2_parsemessage.c @@ -60,6 +60,7 @@ you didn't get a copy, you may request one from <license@inner.net>. #define BITMAP_X_SA2 (1 << SADB_X_EXT_SA2) #define BITMAP_X_DST2 (1 << SADB_X_EXT_DST2) #define BITMAP_X_POLICY (1 << SADB_X_EXT_POLICY) +#define BITMAP_X_CREDENTIALS (1 << SADB_X_EXT_CREDENTIALS) uint32_t sadb_exts_allowed_in[SADB_MAX+1] = { 
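Review bot: struct sadb_cred is added without a word on its wire layout, and a reader has to reconstruct it from export_credentials and pfkeyv2_parsemessage. A comment above the struct would do: `/* SADB_X_EXT_CREDENTIALS payload: sadb_cred_len counts 64-bit words for this header plus the credential bytes that follow it (padded to 8 bytes); sadb_cred_type is a SADB_CREDTYPE_* value; sadb_cred_reserved must be zero. */`. The neighbouring sadb_policy uses u_int32_t while this struct uses uint16_t; both spellings appear in the header, so pick the one the rest of the file favours.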
@@ -68,9 +69,9 @@ uint32_t sadb_exts_allowed_in[SADB_MAX+1] = /* GETSPI */ BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SPIRANGE, /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS, /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_KEY | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS, /* DELETE */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* GET */ @@ -140,9 +141,9 @@ uint32_t sadb_exts_allowed_out[SADB_MAX+1] = /* GETSPI */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* UPDATE */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS, /* ADD */ - BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY, + BITMAP_SA | BITMAP_LIFETIME | BITMAP_ADDRESS | BITMAP_IDENTITY | BITMAP_X_CREDENTIALS, /* DELETE */ BITMAP_SA | BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST, /* GET */ @@ -417,6 +418,20 @@ pfkeyv2_parsemessage(void *p, int len, void **headers) return EINVAL; } break; + case SADB_X_EXT_CREDENTIALS: + { + struct sadb_cred *sadb_cred = (struct sadb_cred *)p; + + if (i < sizeof(struct sadb_cred)) + return EINVAL; + + if (sadb_cred->sadb_cred_type > SADB_CREDTYPE_MAX) + return EINVAL; + + if (sadb_cred->sadb_cred_reserved) + return EINVAL; + } + break; case SADB_EXT_IDENTITY_SRC: case SADB_EXT_IDENTITY_DST: { |
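Review bot: Only the UPDATE and ADD rows of sadb_exts_allowed_out gain BITMAP_X_CREDENTIALS, yet the export added to pfkeyv2_get produces the extension in replies to GET (the GET row is cut off just below this hunk and is not changed anywhere in the diff). If this table is what validates kernel-generated messages — I cannot tell from here how it is consumed — a GET reply carrying credentials would be rejected, and the GET row needs `| BITMAP_X_CREDENTIALS` as well. Worth checking the DUMP row for the same reason.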
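Review bot: The new SADB_X_EXT_CREDENTIALS case admits a type that is not defined: SADB_CREDTYPE_MAX is 3 but the last defined type, SADB_CREDTYPE_KEYNOTE, is 2, so `sadb_cred_type > SADB_CREDTYPE_MAX` lets 3 through. Either define SADB_CREDTYPE_MAX as 2 (the RFC 2367 convention, where *_MAX is the last valid value, as SADB_EXT_MAX is used in this header) or test `if (sadb_cred->sadb_cred_type >= SADB_CREDTYPE_MAX) return EINVAL;`. The length check also accepts a header-only extension, which import_credentials turns into a zero-byte allocation; `if (i <= sizeof(struct sadb_cred)) return EINVAL;` rejects that at the parser. Whether SADB_CREDTYPE_NONE with a non-empty payload is meaningful is not decided by this commit. pfkeyv2_parsemessage starts and ends outside this hunk.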