support TCP-MD5(IPv4) in KAME-IPSEC, too.

MFC after: 3 week
This commit is contained in:
SUZUKI Shinsuke 2004-11-08 18:49:51 +00:00
parent ed3fdd0e3a
commit 3d54848fc2
6 changed files with 56 additions and 2 deletions


@ -95,6 +95,7 @@
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#include <netkey/key.h>
#endif /*IPSEC*/
#ifdef FAST_IPSEC


@ -95,6 +95,7 @@
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#include <netkey/key.h>
#endif /*IPSEC*/
#ifdef FAST_IPSEC


@ -189,6 +189,10 @@ static const struct ah_algorithm ah_algorithms[] = {
"aes-xcbc-mac",
ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
ah_aes_xcbc_mac_result, },
{ ah_sumsiz_1216, ah_none_mature, 1, 80, /* TCP_KEYLEN_MIN/MAX */
"TCP-MD5",
ah_none_init, ah_none_loop,
ah_none_result, },
};
const struct ah_algorithm *
@ -217,6 +221,8 @@ ah_algorithm_lookup(idx)
return &ah_algorithms[8];
case SADB_X_AALG_AES_XCBC_MAC:
return &ah_algorithms[9];
case SADB_X_AALG_TCP_MD5:
return &ah_algorithms[10];
default:
return NULL;
}
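Review bot: The new `"TCP-MD5"` table entry is wired to `ah_none_init`/`ah_none_loop`/`ah_none_result` with `ah_none_mature`, and `ah_algorithm_lookup` now returns it for `SADB_X_AALG_TCP_MD5` no matter which SA type is asking; if an AH SA can be installed with this alg_auth (key_mature's AH branch is outside this hunk, so I could not confirm it is rejected there), it would pass maturity and then produce no ICV at all while claiming a 12/16-byte sum. Unless key_mature refuses it for IPPROTO_AH, the entry should be marked as key-storage only and the AH input/output paths should reject it, e.g. annotate the entry with `/* key container only: the MAC is computed by the TCP signature code, never by AH */`. The literals `1, 80` should be replaced by `TCP_KEYLEN_MIN, TCP_KEYLEN_MAX` if those macros are reachable from this file, so the comment and the bound cannot drift apart, and `&ah_algorithms[10]` is a fragile hard-coded index that silently breaks if the table is ever reordered.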


@ -3071,6 +3071,7 @@ key_setsaval(sav, m, mhp)
switch (mhp->msg->sadb_msg_satype) {
case SADB_SATYPE_AH:
case SADB_SATYPE_ESP:
case SADB_X_SATYPE_TCPSIGNATURE:
if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
sav->alg_auth != SADB_X_AALG_NULL)
error = EINVAL;
@ -3126,6 +3127,7 @@ key_setsaval(sav, m, mhp)
sav->key_enc = NULL; /*just in case*/
break;
case SADB_SATYPE_AH:
case SADB_X_SATYPE_TCPSIGNATURE:
default:
error = EINVAL;
break;
@ -3160,6 +3162,7 @@ key_setsaval(sav, m, mhp)
break;
case SADB_SATYPE_AH:
case SADB_X_SATYPE_IPCOMP:
case SADB_X_SATYPE_TCPSIGNATURE:
break;
default:
ipseclog((LOG_DEBUG, "key_setsaval: invalid SA type.\n"));
@ -3350,6 +3353,24 @@ key_mature(sav)
checkmask = 4;
mustmask = 4;
break;
case IPPROTO_TCP:
if (sav->alg_auth != SADB_X_AALG_TCP_MD5) {
ipseclog((LOG_DEBUG, "key_mature: unsupported authentication algorithm %u\n",
sav->alg_auth));
return (EINVAL);
}
if (sav->alg_enc != SADB_EALG_NONE) {
ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
"mismated.\n", __func__));
return(EINVAL);
}
if (sav->spi != htonl(0x1000)) {
ipseclog((LOG_DEBUG, "key_mature: SPI must be TCP_SIG_SPI (0x1000)\n"));
return (EINVAL);
}
checkmask = 2;
mustmask = 2;
break;
default:
ipseclog((LOG_DEBUG, "key_mature: Invalid satype.\n"));
return EPROTONOSUPPORT;
@ -4591,7 +4612,8 @@ key_satype2proto(satype)
return IPPROTO_ESP;
case SADB_X_SATYPE_IPCOMP:
return IPPROTO_IPCOMP;
break;
case SADB_X_SATYPE_TCPSIGNATURE:
return IPPROTO_TCP;
default:
return 0;
}
@ -4614,7 +4636,8 @@ key_proto2satype(proto)
return SADB_SATYPE_ESP;
case IPPROTO_IPCOMP:
return SADB_X_SATYPE_IPCOMP;
break;
case IPPROTO_TCP:
return SADB_X_SATYPE_TCPSIGNATURE;
default:
return 0;
}
@ -6975,6 +6998,7 @@ key_parse(m, so)
case SADB_SATYPE_AH:
case SADB_SATYPE_ESP:
case SADB_X_SATYPE_IPCOMP:
case SADB_X_SATYPE_TCPSIGNATURE:
switch (msg->sadb_msg_type) {
case SADB_X_SPDADD:
case SADB_X_SPDDELETE:
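Review bot: In the new `IPPROTO_TCP` case of key_mature the SPI check compares against the literal `htonl(0x1000)` while the log message names `TCP_SIG_SPI`; if that macro is visible from key.c (FreeBSD defines it in netinet/tcp.h, not confirmed from this page) the comparison should read `if (sav->spi != htonl(TCP_SIG_SPI)) {` so the code and the message cannot diverge. The same case mixes `return (EINVAL)` and `return(EINVAL)`, and copies the existing `"mismated"` wording from the AH/ESP branches; keeping it is fine for grep consistency, but the return style should be made uniform. key_mature's body continues outside the hunk, and the code that acts on `checkmask = 2; mustmask = 2` is not visible, so I could not confirm that the 1..80 byte key-length bounds from the algorithm table are actually enforced for TCP-MD5 keys.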


@ -50,6 +50,7 @@ struct sockaddr;
struct socket;
struct sadb_msg;
struct sadb_x_policy;
union sockaddr_union;
extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *,
u_int);
@ -78,6 +79,15 @@ extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
extern void key_sa_routechange(struct sockaddr *);
extern void key_sa_stir_iv(struct secasvar *);
/* to keep compatibility with FAST_IPSEC */
#define KEY_ALLOCSA(dst, proto, spi) \
key_allocsa(((struct sockaddr *)(dst))->sa_family,\
(caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
(caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
proto, spi)
#define KEY_FREESAV(psav) \
key_freesav(*psav)
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_SECA);
#endif /* MALLOC_DECLARE */
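Review bot: The new `KEY_ALLOCSA` macro passes `((struct sockaddr *)(dst))->sa_family` to key_allocsa but always takes the address through a `struct sockaddr_in *` cast, so an AF_INET6 destination would be looked up with family AF_INET6 and a pointer to the wrong offset inside a sockaddr_in6 rather than to `sin6_addr`. The commit title limits this to IPv4, but nothing in the macro enforces or documents that; at minimum add `/* IPv4 only: dst must be a struct sockaddr_in (TCP-MD5 is not supported for IPv6 yet) */` above it, and preferably select the address by family through the `union sockaddr_union` this commit forward-declares. The trailing `proto, spi` arguments should also be parenthesized in the expansion, `(proto), (spi)`, as the other arguments already are.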


@ -37,6 +37,18 @@
#include <netkey/key_var.h>
#ifndef _SOCKADDR_UNION_DEFINED
#define _SOCKADDR_UNION_DEFINED
/*
* The union of all possible address formats we handle.
*/
union sockaddr_union {
struct sockaddr sa;
struct sockaddr_in sin;
struct sockaddr_in6 sin6;
};
#endif /* _SOCKADDR_UNION_DEFINED */
/* Security Assocciation Index */
/* NOTE: Ensure to be same address family */
struct secasindex {
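Review bot: The new `union sockaddr_union` names `struct sockaddr_in6` unconditionally, so this header now depends on that struct being declared in kernels built without INET6 as well; if `netinet/in.h` in this tree does not pull in `netinet6/in6.h` unconditionally (I cannot confirm from this page), the `sin6` member needs an `#ifdef INET6` guard. The `_SOCKADDR_UNION_DEFINED` guard only prevents a redefinition error when every other definition it shares the name with is byte-identical, so it is worth stating that in a comment, e.g. `/* must stay identical to the FAST_IPSEC definition sharing this guard */`. The `struct secasindex` definition that follows is cut off by the hunk boundary.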