mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-12 08:48:48 +00:00
[IPSEC]: Sync series - acquire insert
This introduces a feature similar to the one described in RFC 2367: " ... the application needing an SA sends a PF_KEY SADB_ACQUIRE message down to the Key Engine, which then either returns an error or sends a similar SADB_ACQUIRE message up to one or more key management applications capable of creating such SAs. ... ... The third is where an application-layer consumer of security associations (e.g. an OSPFv2 or RIPv2 daemon) needs a security association. Send an SADB_ACQUIRE message from a user process to the kernel. <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> The kernel returns an SADB_ACQUIRE message to registered sockets. <base, address(SD), (address(P),) (identity(SD),) (sensitivity,) proposal> The user-level consumer waits for an SADB_UPDATE or SADB_ADD message for its particular type, and then can use that association by using SADB_GET messages. " An app such as OSPF could then use ipsec KM to get keys Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
d51d081d65
commit
980ebd2579
@ -214,10 +214,10 @@ extern int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
|
|||||||
extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
|
extern int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
|
||||||
extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
|
extern void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c);
|
||||||
extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
|
extern void km_state_notify(struct xfrm_state *x, struct km_event *c);
|
||||||
|
|
||||||
#define XFRM_ACQ_EXPIRES 30
|
#define XFRM_ACQ_EXPIRES 30
|
||||||
|
|
||||||
struct xfrm_tmpl;
|
struct xfrm_tmpl;
|
||||||
|
extern int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
|
||||||
struct xfrm_state_afinfo {
|
struct xfrm_state_afinfo {
|
||||||
unsigned short family;
|
unsigned short family;
|
||||||
rwlock_t lock;
|
rwlock_t lock;
|
||||||
|
@ -57,7 +57,7 @@ static int __xfrm_state_delete(struct xfrm_state *x);
|
|||||||
static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family);
|
static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned short family);
|
||||||
static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
|
static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
|
||||||
|
|
||||||
static int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
|
int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
|
||||||
static void km_state_expired(struct xfrm_state *x, int hard);
|
static void km_state_expired(struct xfrm_state *x, int hard);
|
||||||
|
|
||||||
static void xfrm_state_gc_destroy(struct xfrm_state *x)
|
static void xfrm_state_gc_destroy(struct xfrm_state *x)
|
||||||
@ -925,7 +925,7 @@ void km_state_expired(struct xfrm_state *x, int hard)
|
|||||||
* We send to all registered managers regardless of failure
|
* We send to all registered managers regardless of failure
|
||||||
* We are happy with one success
|
* We are happy with one success
|
||||||
*/
|
*/
|
||||||
static int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
|
int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
|
||||||
{
|
{
|
||||||
int err = -EINVAL, acqret;
|
int err = -EINVAL, acqret;
|
||||||
struct xfrm_mgr *km;
|
struct xfrm_mgr *km;
|
||||||
@ -939,6 +939,7 @@ static int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_polic
|
|||||||
read_unlock(&xfrm_km_lock);
|
read_unlock(&xfrm_km_lock);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
EXPORT_SYMBOL(km_query);
|
||||||
|
|
||||||
int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport)
|
int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport)
|
||||||
{
|
{
|
||||||
|
@ -1232,6 +1232,58 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **x
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
|
||||||
|
{
|
||||||
|
struct xfrm_policy *xp;
|
||||||
|
struct xfrm_user_tmpl *ut;
|
||||||
|
int i;
|
||||||
|
struct rtattr *rt = xfrma[XFRMA_TMPL-1];
|
||||||
|
|
||||||
|
struct xfrm_user_acquire *ua = NLMSG_DATA(nlh);
|
||||||
|
struct xfrm_state *x = xfrm_state_alloc();
|
||||||
|
int err = -ENOMEM;
|
||||||
|
|
||||||
|
if (!x)
|
||||||
|
return err;
|
||||||
|
|
||||||
|
err = verify_newpolicy_info(&ua->policy);
|
||||||
|
if (err) {
|
||||||
|
printk("BAD policy passed\n");
|
||||||
|
kfree(x);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* build an XP */
|
||||||
|
xp = xfrm_policy_construct(&ua->policy, (struct rtattr **) xfrma, &err); if (!xp) {
|
||||||
|
kfree(x);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
||||||
|
memcpy(&x->id, &ua->id, sizeof(ua->id));
|
||||||
|
memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr));
|
||||||
|
memcpy(&x->sel, &ua->sel, sizeof(ua->sel));
|
||||||
|
|
||||||
|
ut = RTA_DATA(rt);
|
||||||
|
/* extract the templates and for each call km_key */
|
||||||
|
for (i = 0; i < xp->xfrm_nr; i++, ut++) {
|
||||||
|
struct xfrm_tmpl *t = &xp->xfrm_vec[i];
|
||||||
|
memcpy(&x->id, &t->id, sizeof(x->id));
|
||||||
|
x->props.mode = t->mode;
|
||||||
|
x->props.reqid = t->reqid;
|
||||||
|
x->props.family = ut->family;
|
||||||
|
t->aalgos = ua->aalgos;
|
||||||
|
t->ealgos = ua->ealgos;
|
||||||
|
t->calgos = ua->calgos;
|
||||||
|
err = km_query(x, t, xp);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
kfree(x);
|
||||||
|
kfree(xp);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
#define XMSGSIZE(type) NLMSG_LENGTH(sizeof(struct type))
|
#define XMSGSIZE(type) NLMSG_LENGTH(sizeof(struct type))
|
||||||
|
|
||||||
@ -1243,6 +1295,7 @@ static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = {
|
|||||||
[XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
|
[XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
|
||||||
[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
|
[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_id),
|
||||||
[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info),
|
[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userspi_info),
|
||||||
|
[XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_acquire),
|
||||||
[XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info),
|
[XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_info),
|
||||||
[XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info),
|
[XFRM_MSG_UPDSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_info),
|
||||||
[XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush),
|
[XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = XMSGSIZE(xfrm_usersa_flush),
|
||||||
@ -1266,6 +1319,7 @@ static struct xfrm_link {
|
|||||||
[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
|
[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
|
||||||
.dump = xfrm_dump_policy },
|
.dump = xfrm_dump_policy },
|
||||||
[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
|
[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
|
||||||
|
[XFRM_MSG_ACQUIRE - XFRM_MSG_BASE] = { .doit = xfrm_add_acquire },
|
||||||
[XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
|
[XFRM_MSG_UPDPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
|
||||||
[XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa },
|
[XFRM_MSG_UPDSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa },
|
||||||
[XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa },
|
[XFRM_MSG_FLUSHSA - XFRM_MSG_BASE] = { .doit = xfrm_flush_sa },
|
||||||
|
Loading…
x
Reference in New Issue
Block a user