authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-09-19 08:39:00 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-09-19 08:39:00 +0000
commitd3026f129bc99d3b82aaf1e351f30940f55e7537 (patch)
tree6bd2e933f2025b2d62d9db9ea5a8373af6fa4030 /sys
parent93b5af72ed98d24aa109b4f1f0adbf022b791691 (diff)
SA bundles.
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pfkeyv2.c60
-rw-r--r--sys/net/pfkeyv2.h7
-rw-r--r--sys/net/pfkeyv2_parsemessage.c12
-rw-r--r--sys/netinet/ip_ipsp.c24
-rw-r--r--sys/netinet/ip_ipsp.h4
-rw-r--r--sys/netinet/ipsec_output.c7
6 files changed, 107 insertions, 7 deletions
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index b3dfdd3ee20..20e1ed50741 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.41 2000/09/19 04:23:13 angelos Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.42 2000/09/19 08:38:58 angelos Exp $ */
/*
%%% copyright-nrl-97
This software is Copyright 1997-1998 by Randall Atkinson, Ronald Lee,
@@ -1407,7 +1407,63 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
break;
-
+ case SADB_X_GRPSPIS:
+ {
+ struct tdb *tdb1, *tdb2, *tdb3;
+ struct sadb_protocol *sa_proto;
+
+ ssa = (struct sadb_sa *) headers[SADB_EXT_SA];
+ sunionp = (union sockaddr_union *) (headers[SADB_EXT_ADDRESS_DST] +
+ sizeof(struct sadb_address));
+
+ s = spltdb();
+
+ tdb1 = gettdb(ssa->sadb_sa_spi, sunionp,
+ SADB_GETSPROTO(smsg->sadb_msg_satype));
+ if (tdb1 == NULL)
+ {
+ rval = ESRCH;
+ goto splxret;
+ }
+
+ ssa = (struct sadb_sa *) headers[SADB_X_EXT_SA2];
+ sunionp = (union sockaddr_union *) (headers[SADB_X_EXT_DST2] +
+ sizeof(struct sadb_address));
+ sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]);
+
+ tdb2 = gettdb(ssa->sadb_sa_spi, sunionp,
+ SADB_GETSPROTO(sa_proto->sadb_protocol_proto));
+ if (tdb2 == NULL)
+ {
+ rval = ESRCH;
+ goto splxret;
+ }
+
+ /* Detect cycles */
+ for (tdb3 = tdb2; tdb3; tdb3 = tdb3->tdb_onext)
+ if (tdb3 == tdb1)
+ {
+ rval = ESRCH;
+ goto splxret;
+ }
+
+ /* Maintenance */
+ if ((tdb1->tdb_onext) &&
+ (tdb1->tdb_onext->tdb_inext == tdb1))
+ tdb1->tdb_onext->tdb_inext = NULL;
+
+ if ((tdb2->tdb_inext) &&
+ (tdb2->tdb_inext->tdb_onext == tdb2))
+ tdb2->tdb_inext->tdb_onext = NULL;
+
+ /* Link them */
+ tdb1->tdb_onext = tdb2;
+ tdb2->tdb_inext = tdb1;
+
+ splx(s);
+ }
+ break;
+
case SADB_X_DELFLOW:
delflag = 1; /* fall through */
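Review bot: The cycle-detection loop reports a refused grouping with the same `ESRCH` that the two failed `gettdb` lookups use, so a caller cannot distinguish "SA not found" from "link refused because it would close a loop"; a distinct code in the loop body, `rval = EINVAL;`, would keep the two failure modes apart for userland. The dereference of `sa_proto` without a NULL check is covered by the `BITMAP_X_PROTOCOL` entry in `sadb_exts_required_in`, but a comment such as `/* PROTOCOL, SA2 and DST2 are required for this message type, see pfkeyv2_parsemessage.c */` would make that dependency visible at the point of use. The `splxret` label that the three error paths jump to, and the remainder of `pfkeyv2_send`, lie outside the hunk, so I am assuming it releases the level taken by `spltdb()` at the top of the case.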
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index 9a6fcb9a300..1346d73e677 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -28,7 +28,8 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>.
#define SADB_X_PROMISC 11
#define SADB_X_ADDFLOW 12
#define SADB_X_DELFLOW 13
-#define SADB_MAX 13
+#define SADB_X_GRPSPIS 14
+#define SADB_MAX 14
struct sadb_msg {
uint8_t sadb_msg_version;
@@ -183,7 +184,9 @@ struct sadb_protocol {
#define SADB_X_EXT_FLOW_TYPE 19
#define SADB_X_EXT_SRC_FLOW 20
#define SADB_X_EXT_DST_FLOW 21
-#define SADB_EXT_MAX 21
+#define SADB_X_EXT_SA2 22
+#define SADB_X_EXT_DST2 23
+#define SADB_EXT_MAX 23
/* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */
#define SADB_SATYPE_UNSPEC 0
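Review bot: `SADB_EXT_MAX` moves to 23 and the two new extension numbers are shifted into `uint32_t` bitmap tables in `pfkeyv2_parsemessage.c` (`BITMAP_X_SA2`, `BITMAP_X_DST2`), so the value has a hard ceiling that the header does not state, unlike the existing "if SATYPE_MAX > 31" warning just below. A comment next to the definition, `/* Extension types are shifted into a uint32_t bitmap in pfkeyv2_parsemessage.c; keep SADB_EXT_MAX < 32 */`, would stop the next addition from silently overflowing the mask.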
diff --git a/sys/net/pfkeyv2_parsemessage.c b/sys/net/pfkeyv2_parsemessage.c
index 907c26cfb61..157e46609ec 100644
--- a/sys/net/pfkeyv2_parsemessage.c
+++ b/sys/net/pfkeyv2_parsemessage.c
@@ -56,6 +56,8 @@ you didn't get a copy, you may request one from <license@inner.net>.
#define BITMAP_X_SRC_FLOW (1 << SADB_X_EXT_SRC_FLOW)
#define BITMAP_X_DST_FLOW (1 << SADB_X_EXT_DST_FLOW)
#define BITMAP_X_FLOW_TYPE (1 << SADB_X_EXT_FLOW_TYPE)
+#define BITMAP_X_SA2 (1 << SADB_X_EXT_SA2)
+#define BITMAP_X_DST2 (1 << SADB_X_EXT_DST2)
uint32_t sadb_exts_allowed_in[SADB_MAX+1] =
{
@@ -87,6 +89,8 @@ uint32_t sadb_exts_allowed_in[SADB_MAX+1] =
BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SA | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
/* X_DELFLOW */
BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_SA | BITMAP_ADDRESS_DST | BITMAP_X_FLOW_TYPE,
+ /* X_GRPSPIS */
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
};
uint32_t sadb_exts_required_in[SADB_MAX+1] =
@@ -119,6 +123,8 @@ uint32_t sadb_exts_required_in[SADB_MAX+1] =
BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
/* X_DELFLOW */
BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
+ /* X_GRPSPIS */
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
};
uint32_t sadb_exts_allowed_out[SADB_MAX+1] =
@@ -151,6 +157,8 @@ uint32_t sadb_exts_allowed_out[SADB_MAX+1] =
BITMAP_ADDRESS_SRC | BITMAP_ADDRESS_DST | BITMAP_SA | BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
/* X_DELFLOW */
BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_PROTOCOL | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_SA | BITMAP_ADDRESS_DST | BITMAP_X_FLOW_TYPE,
+ /* X_GRPSPIS */
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
};
uint32_t sadb_exts_required_out[SADB_MAX+1] =
@@ -183,6 +191,8 @@ uint32_t sadb_exts_required_out[SADB_MAX+1] =
BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
/* X_DELFLOW */
BITMAP_X_SRC_MASK | BITMAP_X_DST_MASK | BITMAP_X_SRC_FLOW | BITMAP_X_DST_FLOW | BITMAP_X_FLOW_TYPE,
+ /* X_GRPSPIS */
+ BITMAP_SA | BITMAP_X_SA2 | BITMAP_X_DST2 | BITMAP_ADDRESS_DST | BITMAP_X_PROTOCOL,
};
int pfkeyv2_parsemessage(void *, int, void **);
@@ -259,6 +269,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
switch (sadb_ext->sadb_ext_type) {
case SADB_EXT_SA:
+ case SADB_X_EXT_SA2:
{
struct sadb_sa *sadb_sa = (struct sadb_sa *)p;
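Review bot: `SADB_X_EXT_SA2` now shares the `SADB_EXT_SA` validation body, which continues past the hunk, and `pfkeyv2_send` later reads the second SA from `headers[SADB_X_EXT_SA2]`; it is worth confirming that the shared body stores the pointer under `sadb_ext->sadb_ext_type` rather than a hard-coded `SADB_EXT_SA`, otherwise a message carrying both records overwrites the first or loses the second. The same question applies to `SADB_X_EXT_DST2` joining the address case in the next hunk. A one-line comment above the new label, `/* SA2 is validated like SA and must land in its own headers[] slot */`, would record the expectation.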
@@ -300,6 +311,7 @@ pfkeyv2_parsemessage(void *p, int len, void **headers)
case SADB_X_EXT_DST_MASK:
case SADB_X_EXT_SRC_FLOW:
case SADB_X_EXT_DST_FLOW:
+ case SADB_X_EXT_DST2:
case SADB_EXT_ADDRESS_PROXY:
{
struct sadb_address *sadb_address = (struct sadb_address *)p;
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 2ef04505cee..e949ccece06 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.100 2000/09/19 03:20:58 angelos Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.101 2000/09/19 08:38:59 angelos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -916,6 +916,12 @@ tdb_delete(struct tdb *tdbp, int expflags)
tdbp->tdb_dstid = NULL;
}
+ if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp))
+ tdbp->tdb_onext->tdb_inext = NULL;
+
+ if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp))
+ tdbp->tdb_inext->tdb_onext = NULL;
+
FREE(tdbp, M_TDB);
tdb_count--;
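Review bot: The two unlink statements have no comment explaining why a neighbour's back-pointer is cleared only when it still points at `tdbp`; the surrounding code is about freeing the descriptor, so a reader cannot tell these are bundle links. Suggest `/* Detach from an SA bundle so neighbours never keep a dangling pointer to the freed tdb */` above the first `if`. The enclosing `tdb_delete` starts outside the hunk, so whether this runs under `spltdb()` is not visible here.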
@@ -1103,6 +1109,22 @@ ipsp_kern(int off, char **bufp, int len)
l += sprintf(buffer + l, "\t\tAuthentication = <%s>\n",
tdb->tdb_authalgxform->name);
+ if (tdb->tdb_onext)
+ l += sprintf(buffer + l,
+ "\tNext SA: SPI = %08x, "
+ "Destination = %s, Sproto = %u\n",
+ ntohl(tdb->tdb_onext->tdb_spi),
+ ipsp_address(tdb->tdb_onext->tdb_dst),
+ tdb->tdb_onext->tdb_sproto);
+
+ if (tdb->tdb_inext)
+ l += sprintf(buffer + l,
+ "\tPrevious SA: SPI = %08x, "
+ "Destination = %s, Sproto = %u\n",
+ ntohl(tdb->tdb_inext->tdb_spi),
+ ipsp_address(tdb->tdb_inext->tdb_dst),
+ tdb->tdb_inext->tdb_sproto);
+
if (tdb->tdb_interface)
l += sprintf(buffer + l, "\tAssociated interface = <%s>\n",
((struct ifnet *) tdb->tdb_interface)->if_xname);
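Review bot: The two new `sprintf` calls write into `buffer + l` with no bound, following the pattern of the neighbouring lines; the per-TDB space reserved for `buffer` is computed outside this hunk and must now cover two additional lines plus the formatted address, or a bundled SA can overrun it. At minimum a comment at the sizing site noting the "Next SA"/"Previous SA" lines, or a check of `l` against the `len` parameter of `ipsp_kern` before each write, would make the assumption explicit. `ipsp_kern` begins and ends outside the hunk.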
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 6c2dc18231d..13df8e78727 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.70 2000/09/19 03:20:59 angelos Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.71 2000/09/19 08:38:59 angelos Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -229,6 +229,8 @@ struct tdb /* tunnel descriptor block */
struct tdb *tdb_hnext; /* dst/spi/sproto table */
struct tdb *tdb_anext; /* dst/sproto table */
struct tdb *tdb_snext; /* src/sproto table */
+ struct tdb *tdb_inext;
+ struct tdb *tdb_onext;
struct xformsw *tdb_xform; /* Transformation to use */
struct enc_xform *tdb_encalgxform; /* Encryption algorithm xform */
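Review bot: The two new pointer fields are the only members in this part of `struct tdb` without a trailing comment, and their meaning is only recoverable from `ipsec_output.c` and `ipsp_kern`. Suggest `struct tdb *tdb_inext; /* Previous SA in bundle */` and `struct tdb *tdb_onext; /* Next SA to apply on output (bundle) */`, matching the style of the table-link fields above them.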
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 26bccf8fa6a..3bc9239757c 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.1 2000/09/19 03:20:59 angelos Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.2 2000/09/19 08:38:59 angelos Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -330,6 +330,11 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb)
return ENXIO;
}
+ /* If there's another (bundled) TDB to apply, do so */
+ if (tdb->tdb_onext)
+ return ipsp_process_packet(m, tdb->tdb_onext,
+ tdb->tdb_onext->tdb_dst.sa.sa_family, 0);
+
/*
* We're done with IPsec processing, transmit the packet using the
* appropriate network protocol (IP or IPv6). SPD lookup will be
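Review bot: The early `return ipsp_process_packet(...)` on `tdb_onext` makes output processing recursive across the bundle, and the only thing that bounds that recursion is the cycle check performed when `SADB_X_GRPSPIS` links two TDBs together with the symmetric unlink in `tdb_delete`; nothing at this call site states that invariant. Suggest extending the comment to `/* If there's another (bundled) TDB to apply, do so; the chain is acyclic by construction (SADB_X_GRPSPIS refuses loops), so this recursion terminates */`. `ipsp_process_done` continues outside the hunk, so whether the caller expects `m` to be consumed on this path is not visible here.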