svn commit: r248726 - user/andre/tcp-ao/sys/netinet

Tue Mar 26 14:36:11 UTC 2013

Author: andre
Date: Tue Mar 26 14:36:11 2013
New Revision: 248726
URL: http://svnweb.freebsd.org/changeset/base/248726

Log:
  Switch from the vectored key setting approach to one key operation
  per setsockopt().  It is much simpler for applications using TCP-AO
  to implement and has only a negligible overhead.
  
  Sponsored by:	Juniper Networks

Modified:
  user/andre/tcp-ao/sys/netinet/tcp_ao.h

Modified: user/andre/tcp-ao/sys/netinet/tcp_ao.h
==============================================================================

--- user/andre/tcp-ao/sys/netinet/tcp_ao.h	Tue Mar 26 14:08:14 2013	(r248725)
+++ user/andre/tcp-ao/sys/netinet/tcp_ao.h	Tue Mar 26 14:36:11 2013	(r248726)
@@ -44,7 +44,7 @@
  * 
  * On a connect all keys except those belonging to that peer are removed.
  *
- * If a key that is changed that is in active use, packet loss may result.
+ * If a key that is in active use is changed, packet loss may result.
  *
  * Keys are not shared between sockets.  Adding and removing keys has to be
  * done on each socket where the peer address applies.  This is not much
@@ -53,14 +53,11 @@
  * Since applications tend to pass the key string unmodified it may be better
  * to specify the socket interface to be in base64 instead of an array of
  * uint8_t.  That would allow a human readable string to represent more bit
- * variance per byte.
+ * variance per byte, though the overall entropy doesn't change for a given
+ * key length.
  *
- * Configured keys on a socket can be retrieved as follows:
- *  getsockopt(so, IPPROTO_TCP, TCP_AO, tcp_ao_sopt, sizeof(*tcp_ao_sopt));
- *
- * All configured peers and key indexs are returned in the supplied vector.
- * If the vector is too small the result is truncated.  The number of keys
- * is returned in tao_keycnt.  No actual keys are returned or exposed.
+ * The active key index on a connected socket can be retrieved as follows:
+ *  getsockopt(so, IPPROTO_TCP, TCP_AO, int, sizeof(int));
  *
  * This interface may continue to evolve as the implementation matures and
  * handling experience is gained.  These structs should be moved to tcp.h
@@ -69,48 +66,36 @@
 
 /*
  * TCP-AO key interface struct passed to setsockopt().
- */
-struct tcp_ao_sopt {
-	int		 tao_flags;		/* flags for this operation */
-	int		 tao_keycnt;		/* number of keys in vector */
-	struct tcp_ao_key *tao_keyv;		/* pointer to key vector */
-};
-
-/*
- * Flags for the tao_flags field.
- */
-#define TAO_SOPT_REPLACE	0x00000001	/* replace full set */
-
-/*
  * Per peer structures referenced from tcp_ao_sopt.
  * The commands normally apply to a particular keyidx and peer combination.
  */
-struct tcp_ao_key {
-	uint8_t		 taok_cmd;		/* command, add, remove key */
-	uint8_t		 taok_flags;		/* flags for key */
-	uint8_t		 taok_algo;		/* MAC algorithm */
-	uint8_t		 taok_keyidx;		/* key index per peer */
-	int		 taok_keylen;		/* length of key */
-	uint8_t		*taok_key;		/* key string */
-	struct sockaddr	*taok_peer;		/* this key applies to ... */
+struct tcp_ao_ssopt {
+	uint16_t	tao_cmd;		/* command, add, remove key */
+	uint16_t	tao_flags;		/* flags */
+	uint8_t		tao_keyidx;		/* key index per peer */
+	uint8_t		tao_algo;		/* MAC algorithm */
+	struct sockaddr_storage
+			tao_peer;		/* this key applies to ... */
+	uint8_t		tao_key[];		/* key string */
 };
 
 /*
- * Commands for the taok_cmd field.
+ * Commands for the tao_cmd field.
  */
-#define TAOK_CMD_ADD			1	/* add or replace key */
-#define TAOK_CMD_DELETE			2	/* delete key keyidx|peer */
-#define TAOK_CMD_DELETEALL		3	/* delete all idx for peer */
+#define TAO_CMD_ADD			1	/* add or replace key */
+#define TAO_CMD_DELIDX			2	/* delete keyidx|peer */
+#define TAO_CMD_DELPEER			3	/* delete all idx for peer */
+#define TAO_CMD_FLUSH			4	/* delete all keys */
 
 /*
- * Flags for the taok_flags field.
+ * Flags for the tao_flags field.
  */
-#define	TAOK_FLAGS_ACTIVE		0x01	/* active key index for SYN */
+#define	TAO_FLAGS_ACTIVE		0x0001	/* active key index for SYN */
 
 /*
- * MAC and KDF pairs for keys.
+ * MAC and KDF pairs for the tao_algo field.
  */
-#define TAOK_ALGO_MD5SIG		1	/* legacy compatibility */
-#define TAOK_ALGO_HMAC-SHA-1-96		2	/* RFC5926, Section 2.2 */
-#define TAOK_ALGO_AES-128-CMAC-96	3	/* RFC5926, Section 2.2 */
+#define TAO_ALGO_MD5SIG			1	/* legacy compatibility */
+#define TAO_ALGO_HMAC-SHA-1-96		2	/* RFC5926, Section 2.2 */
+#define TAO_ALGO_AES-128-CMAC-96	3	/* RFC5926, Section 2.2 */
 
