Date:      Tue, 26 Mar 2013 14:36:11 +0000 (UTC)
From:      Andre Oppermann <andre@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-user@freebsd.org
Subject:   svn commit: r248726 - user/andre/tcp-ao/sys/netinet
Message-ID:  <201303261436.r2QEaBlv089386@svn.freebsd.org>

Author: andre
Date: Tue Mar 26 14:36:11 2013
New Revision: 248726
URL: http://svnweb.freebsd.org/changeset/base/248726

Log:
  Switch from the vectored key setting approach to one key operation
  per setsockopt().  It is much simpler for applications using TCP-AO
  to implement and has only a negligible overhead.
  
  Sponsored by:	Juniper Networks

Modified:
  user/andre/tcp-ao/sys/netinet/tcp_ao.h

Modified: user/andre/tcp-ao/sys/netinet/tcp_ao.h
==============================================================================
--- user/andre/tcp-ao/sys/netinet/tcp_ao.h	Tue Mar 26 14:08:14 2013	(r248725)
+++ user/andre/tcp-ao/sys/netinet/tcp_ao.h	Tue Mar 26 14:36:11 2013	(r248726)
@@ -44,7 +44,7 @@
  * 
  * On a connect all keys except those belonging to that peer are removed.
  *
- * If a key that is changed that is in active use, packet loss may result.
+ * If a key that is in active use is changed, packet loss may result.
  *
  * Keys are not shared between sockets.  Adding and removing keys has to be
  * done on each socket where the peer address applies.  This is not much
@@ -53,14 +53,11 @@
  * Since applications tend to pass the key string unmodified it may be better
  * to specify the socket interface to be in base64 instead of an array of
  * uint8_t.  That would allow a human readable string to represent more bit
- * variance per byte.
+ * variance per byte, though the overall entropy doesn't change for a given
+ * key length.
  *
- * Configured keys on a socket can be retrieved as follows:
- *  getsockopt(so, IPPROTO_TCP, TCP_AO, tcp_ao_sopt, sizeof(*tcp_ao_sopt));
- *
- * All configured peers and key indexs are returned in the supplied vector.
- * If the vector is too small the result is truncated.  The number of keys
- * is returned in tao_keycnt.  No actual keys are returned or exposed.
+ * The active key index on a connected socket can be retrieved as follows:
+ *  getsockopt(so, IPPROTO_TCP, TCP_AO, int, sizeof(int));
  *
  * This interface may continue to evolve as the implementation matures and
  * handling experience is gained.  These structs should be moved to tcp.h
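Review bot: The rewritten getsockopt() paragraph drops the sentence "No actual keys are returned or exposed", so the header no longer states the contract that key material never crosses back to user space; the new text only says an int key index is returned. That guarantee is the part an application author most needs to know when deciding how to handle TCP-AO secrets, and it is independent of the vector-to-index change. I would keep it, e.g. `* Only the index is returned; the key material itself is never exposed` directly after the getsockopt() example line. The enclosing comment block starts before this hunk and continues after it.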
@@ -69,48 +66,36 @@
 
 /*
  * TCP-AO key interface struct passed to setsockopt().
- */
-struct tcp_ao_sopt {
-	int		 tao_flags;		/* flags for this operation */
-	int		 tao_keycnt;		/* number of keys in vector */
-	struct tcp_ao_key *tao_keyv;		/* pointer to key vector */
-};
-
-/*
- * Flags for the tao_flags field.
- */
-#define TAO_SOPT_REPLACE	0x00000001	/* replace full set */
-
-/*
  * Per peer structures referenced from tcp_ao_sopt.
  * The commands normally apply to a particular keyidx and peer combination.
  */
-struct tcp_ao_key {
-	uint8_t		 taok_cmd;		/* command, add, remove key */
-	uint8_t		 taok_flags;		/* flags for key */
-	uint8_t		 taok_algo;		/* MAC algorithm */
-	uint8_t		 taok_keyidx;		/* key index per peer */
-	int		 taok_keylen;		/* length of key */
-	uint8_t		*taok_key;		/* key string */
-	struct sockaddr	*taok_peer;		/* this key applies to ... */
+struct tcp_ao_ssopt {
+	uint16_t	tao_cmd;		/* command, add, remove key */
+	uint16_t	tao_flags;		/* flags */
+	uint8_t		tao_keyidx;		/* key index per peer */
+	uint8_t		tao_algo;		/* MAC algorithm */
+	struct sockaddr_storage
+			tao_peer;		/* this key applies to ... */
+	uint8_t		tao_key[];		/* key string */
 };
 
 /*
- * Commands for the taok_cmd field.
+ * Commands for the tao_cmd field.
  */
-#define TAOK_CMD_ADD			1	/* add or replace key */
-#define TAOK_CMD_DELETE			2	/* delete key keyidx|peer */
-#define TAOK_CMD_DELETEALL		3	/* delete all idx for peer */
+#define TAO_CMD_ADD			1	/* add or replace key */
+#define TAO_CMD_DELIDX			2	/* delete keyidx|peer */
+#define TAO_CMD_DELPEER			3	/* delete all idx for peer */
+#define TAO_CMD_FLUSH			4	/* delete all keys */
 
 /*
- * Flags for the taok_flags field.
+ * Flags for the tao_flags field.
  */
-#define	TAOK_FLAGS_ACTIVE		0x01	/* active key index for SYN */
+#define	TAO_FLAGS_ACTIVE		0x0001	/* active key index for SYN */
 
 /*
- * MAC and KDF pairs for keys.
+ * MAC and KDF pairs for the tao_algo field.
  */
-#define TAOK_ALGO_MD5SIG		1	/* legacy compatibility */
-#define TAOK_ALGO_HMAC-SHA-1-96		2	/* RFC5926, Section 2.2 */
-#define TAOK_ALGO_AES-128-CMAC-96	3	/* RFC5926, Section 2.2 */
+#define TAO_ALGO_MD5SIG			1	/* legacy compatibility */
+#define TAO_ALGO_HMAC-SHA-1-96		2	/* RFC5926, Section 2.2 */
+#define TAO_ALGO_AES-128-CMAC-96	3	/* RFC5926, Section 2.2 */
 
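Review bot: The two renamed algorithm macros at the end of the hunk are still not valid identifiers: `#define TAO_ALGO_HMAC-SHA-1-96 2` actually defines `TAO_ALGO_HMAC` with the replacement text `-SHA-1-96 2`, and the AES line likewise defines `TAO_ALGO_AES` as `-128-CMAC-96 3`, so neither constant can be used to set tao_algo. The defect existed under the old names, but the commit carries it onto the new side; the fix is `#define TAO_ALGO_HMAC_SHA_1_96 2` and `#define TAO_ALGO_AES_128_CMAC_96 3`. Separately, with taok_keylen removed the key length is now implicit in the setsockopt() option length minus sizeof(struct tcp_ao_ssopt), which the struct comment does not say; a comment on tao_key such as `/* key string; length = optlen - sizeof(struct tcp_ao_ssopt) */` would make the contract explicit, and the kernel side will presumably need to reject optlen below the struct size and cap the remainder before copying. The struct header comment also still reads "Per peer structures referenced from tcp_ao_sopt", although tcp_ao_sopt is deleted in this hunk.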


