support TCP-MD5(IPv4) in KAME-IPSEC, too.

MFC after: 3 week
svn path=/head/; revision=137396
2024-12-14 10:09:48 +00:00 · 2004-11-08 18:49:51 +00:00 · 2004-11-08 18:49:51 +00:00 · 3d54848fc2 · 2020-12-20 02:59:44 +00:00
commit 3d54848fc2
parent ed3fdd0e3a
6 changed files with 56 additions and 2 deletions
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -95,6 +95,7 @@
 #ifdef INET6
 #include <netinet6/ipsec6.h>
 #endif
+#include <netkey/key.h>
 #endif /*IPSEC*/

 #ifdef FAST_IPSEC
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@ -95,6 +95,7 @@
 #ifdef INET6
 #include <netinet6/ipsec6.h>
 #endif
+#include <netkey/key.h>
 #endif /*IPSEC*/

 #ifdef FAST_IPSEC
--- a/sys/netinet6/ah_core.c
+++ b/sys/netinet6/ah_core.c
@ -189,6 +189,10 @@ static const struct ah_algorithm ah_algorithms[] = {
 		"aes-xcbc-mac",
 		ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
 		ah_aes_xcbc_mac_result, },
+	{ ah_sumsiz_1216, ah_none_mature, 1, 80, /* TCP_KEYLEN_MIN/MAX */
+		"TCP-MD5",
+		ah_none_init, ah_none_loop,
+		ah_none_result, },
 };

 const struct ah_algorithm *
@ -217,6 +221,8 @@ ah_algorithm_lookup(idx)
 		return &ah_algorithms[8];
 	case SADB_X_AALG_AES_XCBC_MAC:
 		return &ah_algorithms[9];
+	case SADB_X_AALG_TCP_MD5:
+		return &ah_algorithms[10];
 	default:
 		return NULL;
 	}
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@ -3071,6 +3071,7 @@ key_setsaval(sav, m, mhp)
 		switch (mhp->msg->sadb_msg_satype) {
 		case SADB_SATYPE_AH:
 		case SADB_SATYPE_ESP:
+		case SADB_X_SATYPE_TCPSIGNATURE:
 			if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
 			    sav->alg_auth != SADB_X_AALG_NULL)
 				error = EINVAL;
@ -3126,6 +3127,7 @@ key_setsaval(sav, m, mhp)
 			sav->key_enc = NULL;	/*just in case*/
 			break;
 		case SADB_SATYPE_AH:
+		case SADB_X_SATYPE_TCPSIGNATURE:
 		default:
 			error = EINVAL;
 			break;
@ -3160,6 +3162,7 @@ key_setsaval(sav, m, mhp)
 		break;
 	case SADB_SATYPE_AH:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_setsaval: invalid SA type.\n"));
@ -3350,6 +3353,24 @@ key_mature(sav)
 		checkmask = 4;
 		mustmask = 4;
 		break;
+	case IPPROTO_TCP:
+		if (sav->alg_auth != SADB_X_AALG_TCP_MD5) {
+			ipseclog((LOG_DEBUG, "key_mature: unsupported authentication algorithm %u\n",
+			    sav->alg_auth));
+			return (EINVAL);
+		}
+		if (sav->alg_enc != SADB_EALG_NONE) {
+			ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
+				"mismated.\n", __func__));
+			return(EINVAL);
+		}
+		if (sav->spi != htonl(0x1000)) {
+			ipseclog((LOG_DEBUG, "key_mature: SPI must be TCP_SIG_SPI (0x1000)\n"));
+			return (EINVAL);
+		}
+		checkmask = 2;
+		mustmask = 2;
+		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_mature: Invalid satype.\n"));
 		return EPROTONOSUPPORT;
@ -4591,7 +4612,8 @@ key_satype2proto(satype)
 		return IPPROTO_ESP;
 	case SADB_X_SATYPE_IPCOMP:
 		return IPPROTO_IPCOMP;
-		break;
+	case SADB_X_SATYPE_TCPSIGNATURE:
+		return IPPROTO_TCP;
 	default:
 		return 0;
 	}
@ -4614,7 +4636,8 @@ key_proto2satype(proto)
 		return SADB_SATYPE_ESP;
 	case IPPROTO_IPCOMP:
 		return SADB_X_SATYPE_IPCOMP;
-		break;
+	case IPPROTO_TCP:
+		return SADB_X_SATYPE_TCPSIGNATURE;
 	default:
 		return 0;
 	}
@ -6975,6 +6998,7 @@ key_parse(m, so)
 	case SADB_SATYPE_AH:
 	case SADB_SATYPE_ESP:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		switch (msg->sadb_msg_type) {
 		case SADB_X_SPDADD:
 		case SADB_X_SPDDELETE:
--- a/sys/netkey/key.h
+++ b/sys/netkey/key.h
@ -50,6 +50,7 @@ struct sockaddr;
 struct socket;
 struct sadb_msg;
 struct sadb_x_policy;
+union sockaddr_union;

 extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *,
 	u_int);
@ -78,6 +79,15 @@ extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
 extern void key_sa_routechange(struct sockaddr *);
 extern void key_sa_stir_iv(struct secasvar *);

+/* to keep compatibility with FAST_IPSEC */
+#define	KEY_ALLOCSA(dst, proto, spi)	\
+	key_allocsa(((struct sockaddr *)(dst))->sa_family,\
+		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+		    proto, spi)
+#define	KEY_FREESAV(psav)					\
+	key_freesav(*psav)
+
 #ifdef MALLOC_DECLARE
 MALLOC_DECLARE(M_SECA);
 #endif /* MALLOC_DECLARE */
--- a/sys/netkey/keydb.h
+++ b/sys/netkey/keydb.h
@ -37,6 +37,18 @@

 #include <netkey/key_var.h>

+#ifndef _SOCKADDR_UNION_DEFINED
+#define	_SOCKADDR_UNION_DEFINED
+/*
+ * The union of all possible address formats we handle.
+ */
+union sockaddr_union {
+	struct sockaddr		sa;
+	struct sockaddr_in	sin;
+	struct sockaddr_in6	sin6;
+};
+#endif /* _SOCKADDR_UNION_DEFINED */
+
 /* Security Assocciation Index */
 /* NOTE: Ensure to be same address family */
 struct secasindex {