From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: Stephen Hemminger <shemminger@vyatta.com>,
netdev <netdev@vger.kernel.org>
Subject: [PATCH] iproute2: allow to specify truncation bits on auth algo
Date: Tue, 11 Jan 2011 17:32:46 +0100 [thread overview]
Message-ID: <4D2C862E.5000602@6wind.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 541 bytes --]
Hi,
here is a patch against iproute2 to allow user to set a state with a specific
auth length.
Example:
$ ip xfrm state add src 10.16.0.72 dst 10.16.0.121 proto ah spi 0x10000000
auth-trunc "sha256" "azertyuiopqsdfghjklmwxcvbn123456" 96 mode tunnel
$ ip xfrm state
src 10.16.0.72 dst 10.16.0.121
proto ah spi 0x10000000 reqid 0 mode tunnel
replay-window 0
auth-trunc hmac(sha256)
0x617a6572747975696f707173646667686a6b6c6d77786376626e313233343536 96
sel src 0.0.0.0/0 dst 0.0.0.0/0
Regards,
Nicolas
[-- Attachment #2: 0001-iproute2-allow-to-specify-truncation-bits-on-auth-a.patch --]
[-- Type: text/x-patch, Size: 5435 bytes --]
>From 522ed7348cdf3b6f501af2a5a5d989de1696565a Mon Sep 17 00:00:00 2001
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Thu, 23 Dec 2010 06:48:12 -0500
Subject: [PATCH] iproute2: allow to specify truncation bits on auth algo
Attribute XFRMA_ALG_AUTH_TRUNC can be used to specify
truncation bits, so we add a new algo type: auth-trunc.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
ip/ipxfrm.c | 28 +++++++++++++++++++++++++++-
ip/xfrm_state.c | 48 ++++++++++++++++++++++++++++++++----------------
2 files changed, 59 insertions(+), 17 deletions(-)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 9753822..e01cadb 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -155,6 +155,7 @@ const char *strxf_xfrmproto(__u8 proto)
static const struct typeent algo_types[]= {
{ "enc", XFRMA_ALG_CRYPT }, { "auth", XFRMA_ALG_AUTH },
{ "comp", XFRMA_ALG_COMP }, { "aead", XFRMA_ALG_AEAD },
+ { "auth-trunc", XFRMA_ALG_AUTH_TRUNC },
{ NULL, -1 }
};
@@ -570,6 +571,25 @@ static void xfrm_aead_print(struct xfrm_algo_aead *algo, int len,
fprintf(fp, "%s", _SL_);
}
+static void xfrm_auth_trunc_print(struct xfrm_algo_auth *algo, int len,
+ FILE *fp, const char *prefix)
+{
+ struct {
+ struct xfrm_algo algo;
+ char key[algo->alg_key_len / 8];
+ } base;
+
+ memcpy(base.algo.alg_name, algo->alg_name, sizeof(base.algo.alg_name));
+ base.algo.alg_key_len = algo->alg_key_len;
+ memcpy(base.algo.alg_key, algo->alg_key, algo->alg_key_len / 8);
+
+ __xfrm_algo_print(&base.algo, XFRMA_ALG_AUTH_TRUNC, len, fp, prefix, 0);
+
+ fprintf(fp, " %d", algo->alg_trunc_len);
+
+ fprintf(fp, "%s", _SL_);
+}
+
static void xfrm_tmpl_print(struct xfrm_user_tmpl *tmpls, int len,
__u16 family, FILE *fp, const char *prefix)
{
@@ -677,12 +697,18 @@ void xfrm_xfrma_print(struct rtattr *tb[], __u16 family,
fprintf(fp, "\tmark %d/0x%x\n", m->v, m->m);
}
- if (tb[XFRMA_ALG_AUTH]) {
+ if (tb[XFRMA_ALG_AUTH] && !tb[XFRMA_ALG_AUTH_TRUNC]) {
struct rtattr *rta = tb[XFRMA_ALG_AUTH];
xfrm_algo_print((struct xfrm_algo *) RTA_DATA(rta),
XFRMA_ALG_AUTH, RTA_PAYLOAD(rta), fp, prefix);
}
+ if (tb[XFRMA_ALG_AUTH_TRUNC]) {
+ struct rtattr *rta = tb[XFRMA_ALG_AUTH_TRUNC];
+ xfrm_auth_trunc_print((struct xfrm_algo_auth *) RTA_DATA(rta),
+ RTA_PAYLOAD(rta), fp, prefix);
+ }
+
if (tb[XFRMA_ALG_AEAD]) {
struct rtattr *rta = tb[XFRMA_ALG_AEAD];
xfrm_aead_print((struct xfrm_algo_aead *)RTA_DATA(rta),
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 38d4039..550a965 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -90,11 +90,12 @@ static void usage(void)
fprintf(stderr, "ALGO-LIST := [ ALGO-LIST ] | [ ALGO ]\n");
fprintf(stderr, "ALGO := ALGO_TYPE ALGO_NAME ALGO_KEY "
- "[ ALGO_ICV_LEN ]\n");
+ "[ ALGO_ICV_LEN | ALGO_TRUNC_LEN ]\n");
fprintf(stderr, "ALGO_TYPE := [ ");
fprintf(stderr, "%s | ", strxf_algotype(XFRMA_ALG_AEAD));
fprintf(stderr, "%s | ", strxf_algotype(XFRMA_ALG_CRYPT));
fprintf(stderr, "%s | ", strxf_algotype(XFRMA_ALG_AUTH));
+ fprintf(stderr, "%s | ", strxf_algotype(XFRMA_ALG_AUTH_TRUNC));
fprintf(stderr, "%s ", strxf_algotype(XFRMA_ALG_COMP));
fprintf(stderr, "]\n");
@@ -340,6 +341,7 @@ static int xfrm_state_modify(int cmd, unsigned flags, int argc, char **argv)
case XFRMA_ALG_AEAD:
case XFRMA_ALG_CRYPT:
case XFRMA_ALG_AUTH:
+ case XFRMA_ALG_AUTH_TRUNC:
case XFRMA_ALG_COMP:
{
/* ALGO */
@@ -347,11 +349,12 @@ static int xfrm_state_modify(int cmd, unsigned flags, int argc, char **argv)
union {
struct xfrm_algo alg;
struct xfrm_algo_aead aead;
+ struct xfrm_algo_auth auth;
} u;
char buf[XFRM_ALGO_KEY_BUF_SIZE];
} alg = {};
int len;
- __u32 icvlen;
+ __u32 icvlen, trunclen;
char *name;
char *key;
char *buf;
@@ -368,6 +371,7 @@ static int xfrm_state_modify(int cmd, unsigned flags, int argc, char **argv)
ealgop = *argv;
break;
case XFRMA_ALG_AUTH:
+ case XFRMA_ALG_AUTH_TRUNC:
if (aalgop)
duparg("ALGOTYPE", *argv);
aalgop = *argv;
@@ -395,21 +399,33 @@ static int xfrm_state_modify(int cmd, unsigned flags, int argc, char **argv)
buf = alg.u.alg.alg_key;
len = sizeof(alg.u.alg);
- if (type != XFRMA_ALG_AEAD)
- goto parse_algo;
-
- if (!NEXT_ARG_OK())
- missarg("ALGOICVLEN");
- NEXT_ARG();
- if (get_u32(&icvlen, *argv, 0))
- invarg("\"aead\" ICV length is invalid",
- *argv);
- alg.u.aead.alg_icv_len = icvlen;
-
- buf = alg.u.aead.alg_key;
- len = sizeof(alg.u.aead);
+ switch (type) {
+ case XFRMA_ALG_AEAD:
+ if (!NEXT_ARG_OK())
+ missarg("ALGOICVLEN");
+ NEXT_ARG();
+ if (get_u32(&icvlen, *argv, 0))
+ invarg("\"aead\" ICV length is invalid",
+ *argv);
+ alg.u.aead.alg_icv_len = icvlen;
+
+ buf = alg.u.aead.alg_key;
+ len = sizeof(alg.u.aead);
+ break;
+ case XFRMA_ALG_AUTH_TRUNC:
+ if (!NEXT_ARG_OK())
+ missarg("ALGOTRUNCLEN");
+ NEXT_ARG();
+ if (get_u32(&trunclen, *argv, 0))
+ invarg("\"auth\" trunc length is invalid",
+ *argv);
+ alg.u.auth.alg_trunc_len = trunclen;
+
+ buf = alg.u.auth.alg_key;
+ len = sizeof(alg.u.auth);
+ break;
+ }
-parse_algo:
xfrm_algo_parse((void *)&alg, type, name, key,
buf, sizeof(alg.buf));
len += alg.u.alg.alg_key_len;
--
1.5.6.5
next reply other threads:[~2011-01-11 16:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-11 16:32 Nicolas Dichtel [this message]
-- strict thread matches above, loose matches on Subject: below --
2011-01-28 4:51 [RFC PATCH] ipsec: fix IPv4 AH alignment on 32 bits Herbert Xu
2011-01-28 8:51 ` Nicolas Dichtel
2011-01-28 19:46 ` David Miller
2011-02-02 16:30 ` [PATCH] iproute2: allow to specify truncation bits on auth algo Nicolas Dichtel
2011-02-02 16:34 ` Nicolas Dichtel
2011-02-28 13:46 ` Nicolas Dichtel
2011-02-28 15:48 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D2C862E.5000602@6wind.com \
--to=nicolas.dichtel@6wind.com \
--cc=netdev@vger.kernel.org \
--cc=shemminger@vyatta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.