svn commit: r248726 - user/andre/tcp-ao/sys/netinet
Andre Oppermann
andre at FreeBSD.org
Tue Mar 26 14:36:11 UTC 2013
Author: andre
Date: Tue Mar 26 14:36:11 2013
New Revision: 248726
URL: http://svnweb.freebsd.org/changeset/base/248726
Log:
Switch from the vectored key setting approach to one key operation
per setsockopt(). It is much simpler for applications using TCP-AO
to implement and has only a negligible overhead.
Sponsored by: Juniper Networks
Modified:
user/andre/tcp-ao/sys/netinet/tcp_ao.h
Modified: user/andre/tcp-ao/sys/netinet/tcp_ao.h
==============================================================================
--- user/andre/tcp-ao/sys/netinet/tcp_ao.h Tue Mar 26 14:08:14 2013 (r248725)
+++ user/andre/tcp-ao/sys/netinet/tcp_ao.h Tue Mar 26 14:36:11 2013 (r248726)
@@ -44,7 +44,7 @@
*
* On a connect all keys except those belonging to that peer are removed.
*
- * If a key that is changed that is in active use, packet loss may result.
+ * If a key that is in active use is changed, packet loss may result.
*
* Keys are not shared between sockets. Adding and removing keys has to be
* done on each socket where the peer address applies. This is not much
@@ -53,14 +53,11 @@
* Since applications tend to pass the key string unmodified it may be better
* to specify the socket interface to be in base64 instead of an array of
* uint8_t. That would allow a human readable string to represent more bit
- * variance per byte.
+ * variance per byte, though the overall entropy doesn't change for a given
+ * key length.
*
- * Configured keys on a socket can be retrieved as follows:
- * getsockopt(so, IPPROTO_TCP, TCP_AO, tcp_ao_sopt, sizeof(*tcp_ao_sopt));
- *
- * All configured peers and key indexs are returned in the supplied vector.
- * If the vector is too small the result is truncated. The number of keys
- * is returned in tao_keycnt. No actual keys are returned or exposed.
+ * The active key index on a connected socket can be retrieved as follows:
+ * getsockopt(so, IPPROTO_TCP, TCP_AO, int, sizeof(int));
*
* This interface may continue to evolve as the implementation matures and
* handling experience is gained. These structs should be moved to tcp.h
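Review bot: The retrieval example `getsockopt(so, IPPROTO_TCP, TCP_AO, int, sizeof(int));` passes a type name and a plain size where getsockopt(2) takes a pointer to the value buffer and a pointer to its socklen_t length, so the snippet cannot be copied as written; spell it `int keyidx; socklen_t len = sizeof(keyidx); getsockopt(so, IPPROTO_TCP, TCP_AO, &keyidx, &len);`. The new wording also drops the old text's explicit guarantee that no key material is ever returned to userland, which is the property a reader of this interface most needs to know, and it does not say what an unconnected socket or one with no configured keys yields (an error, or some sentinel index). Suggest keeping a sentence such as `No actual keys are returned or exposed; only the active key index of a connected socket is reported.` and stating the unconnected-socket behaviour once the implementation fixes it.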
@@ -69,48 +66,36 @@
/*
* TCP-AO key interface struct passed to setsockopt().
- */
-struct tcp_ao_sopt {
- int tao_flags; /* flags for this operation */
- int tao_keycnt; /* number of keys in vector */
- struct tcp_ao_key *tao_keyv; /* pointer to key vector */
-};
-
-/*
- * Flags for the tao_flags field.
- */
-#define TAO_SOPT_REPLACE 0x00000001 /* replace full set */
-
-/*
* Per peer structures referenced from tcp_ao_sopt.
* The commands normally apply to a particular keyidx and peer combination.
*/
-struct tcp_ao_key {
- uint8_t taok_cmd; /* command, add, remove key */
- uint8_t taok_flags; /* flags for key */
- uint8_t taok_algo; /* MAC algorithm */
- uint8_t taok_keyidx; /* key index per peer */
- int taok_keylen; /* length of key */
- uint8_t *taok_key; /* key string */
- struct sockaddr *taok_peer; /* this key applies to ... */
+struct tcp_ao_ssopt {
+ uint16_t tao_cmd; /* command, add, remove key */
+ uint16_t tao_flags; /* flags */
+ uint8_t tao_keyidx; /* key index per peer */
+ uint8_t tao_algo; /* MAC algorithm */
+ struct sockaddr_storage
+ tao_peer; /* this key applies to ... */
+ uint8_t tao_key[]; /* key string */
};
/*
- * Commands for the taok_cmd field.
+ * Commands for the tao_cmd field.
*/
-#define TAOK_CMD_ADD 1 /* add or replace key */
-#define TAOK_CMD_DELETE 2 /* delete key keyidx|peer */
-#define TAOK_CMD_DELETEALL 3 /* delete all idx for peer */
+#define TAO_CMD_ADD 1 /* add or replace key */
+#define TAO_CMD_DELIDX 2 /* delete keyidx|peer */
+#define TAO_CMD_DELPEER 3 /* delete all idx for peer */
+#define TAO_CMD_FLUSH 4 /* delete all keys */
/*
- * Flags for the taok_flags field.
+ * Flags for the tao_flags field.
*/
-#define TAOK_FLAGS_ACTIVE 0x01 /* active key index for SYN */
+#define TAO_FLAGS_ACTIVE 0x0001 /* active key index for SYN */
/*
- * MAC and KDF pairs for keys.
+ * MAC and KDF pairs for the tao_algo field.
*/
-#define TAOK_ALGO_MD5SIG 1 /* legacy compatibility */
-#define TAOK_ALGO_HMAC-SHA-1-96 2 /* RFC5926, Section 2.2 */
-#define TAOK_ALGO_AES-128-CMAC-96 3 /* RFC5926, Section 2.2 */
+#define TAO_ALGO_MD5SIG 1 /* legacy compatibility */
+#define TAO_ALGO_HMAC-SHA-1-96 2 /* RFC5926, Section 2.2 */
+#define TAO_ALGO_AES-128-CMAC-96 3 /* RFC5926, Section 2.2 */
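Review bot: The two algorithm identifiers on the last lines of the hunk, `TAO_ALGO_HMAC-SHA-1-96` and `TAO_ALGO_AES-128-CMAC-96`, are not valid macro names: the preprocessor stops at the first `-`, so the hunk actually defines `TAO_ALGO_HMAC` as `-SHA-1-96 2` and `TAO_ALGO_AES` as `-128-CMAC-96 3`, and no caller can spell the intended constants; the removed side had the same flaw under the TAOK_ prefix, so the rename preserved it. Use underscores, e.g. `#define TAO_ALGO_HMAC_SHA1_96 2` and `#define TAO_ALGO_AES128_CMAC_96 3`. Separately, dropping `taok_keylen` in favour of the flexible `tao_key[]` makes the key length implicit in the setsockopt() option length; the header should say so (`/* key length = optlen - sizeof(struct tcp_ao_ssopt) */`) and the kernel handler, which is not in this diff, presumably has to reject an optlen shorter than the fixed part and cap the trailing key before copying it in. The context comment `Per peer structures referenced from tcp_ao_sopt.` now refers to a struct this commit removes and should be reworded to describe tcp_ao_ssopt itself.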