diff options
author | Venkat Yekkirala <vyekkirala@TrustedCS.com> | 2006-07-25 02:31:14 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-09-22 17:53:26 -0400 |
commit | 4e2ba18eae7f370c7c3ed96eaca747cc9b39f917 (patch) | |
tree | 9165d8c0fea650e3cf226d4e0bb3c153978f8ae0 | |
parent | 0d681623d30c6565e8b62889f3aa3f4d4662c3e8 (diff) |
[MLSXFRM]: Add security context to acquire messages using PF_KEY
This includes the security context of a security association created
for use by IKE in the acquire messages sent to IKE daemons using
PF_KEY. This would allow the daemons to include the security context
in the negotiation, so that the resultant association is unique to
that security context.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/key/af_key.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c index 3a95b2ee4690..a065e1a67773 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c | |||
@@ -2708,6 +2708,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct | |||
2708 | #endif | 2708 | #endif |
2709 | int sockaddr_size; | 2709 | int sockaddr_size; |
2710 | int size; | 2710 | int size; |
2711 | struct sadb_x_sec_ctx *sec_ctx; | ||
2712 | struct xfrm_sec_ctx *xfrm_ctx; | ||
2713 | int ctx_size = 0; | ||
2711 | 2714 | ||
2712 | sockaddr_size = pfkey_sockaddr_size(x->props.family); | 2715 | sockaddr_size = pfkey_sockaddr_size(x->props.family); |
2713 | if (!sockaddr_size) | 2716 | if (!sockaddr_size) |
@@ -2723,6 +2726,11 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct | |||
2723 | else if (x->id.proto == IPPROTO_ESP) | 2726 | else if (x->id.proto == IPPROTO_ESP) |
2724 | size += count_esp_combs(t); | 2727 | size += count_esp_combs(t); |
2725 | 2728 | ||
2729 | if ((xfrm_ctx = x->security)) { | ||
2730 | ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len); | ||
2731 | size += sizeof(struct sadb_x_sec_ctx) + ctx_size; | ||
2732 | } | ||
2733 | |||
2726 | skb = alloc_skb(size + 16, GFP_ATOMIC); | 2734 | skb = alloc_skb(size + 16, GFP_ATOMIC); |
2727 | if (skb == NULL) | 2735 | if (skb == NULL) |
2728 | return -ENOMEM; | 2736 | return -ENOMEM; |
@@ -2818,6 +2826,20 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct | |||
2818 | else if (x->id.proto == IPPROTO_ESP) | 2826 | else if (x->id.proto == IPPROTO_ESP) |
2819 | dump_esp_combs(skb, t); | 2827 | dump_esp_combs(skb, t); |
2820 | 2828 | ||
2829 | /* security context */ | ||
2830 | if (xfrm_ctx) { | ||
2831 | sec_ctx = (struct sadb_x_sec_ctx *) skb_put(skb, | ||
2832 | sizeof(struct sadb_x_sec_ctx) + ctx_size); | ||
2833 | sec_ctx->sadb_x_sec_len = | ||
2834 | (sizeof(struct sadb_x_sec_ctx) + ctx_size) / sizeof(uint64_t); | ||
2835 | sec_ctx->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX; | ||
2836 | sec_ctx->sadb_x_ctx_doi = xfrm_ctx->ctx_doi; | ||
2837 | sec_ctx->sadb_x_ctx_alg = xfrm_ctx->ctx_alg; | ||
2838 | sec_ctx->sadb_x_ctx_len = xfrm_ctx->ctx_len; | ||
2839 | memcpy(sec_ctx + 1, xfrm_ctx->ctx_str, | ||
2840 | xfrm_ctx->ctx_len); | ||
2841 | } | ||
2842 | |||
2821 | return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL); | 2843 | return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL); |
2822 | } | 2844 | } |
2823 | 2845 | ||