authorphessler <phessler@openbsd.org>2020-11-05 19:28:27 +0000
committerphessler <phessler@openbsd.org>2020-11-05 19:28:27 +0000
commitd8131d03a3f821108393c167a423d11adf045faf (patch)
tree9105fe4bdcb20a33824302dff4b311235ce2ebad
parentadd missing rcs id (diff)
Enable support for ASN1_DN ipsec identifiers.
Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked as the server. OK tobhe@ sthen@ kn@
-rw-r--r--sbin/iked/pfkey.c4
-rw-r--r--sbin/ipsecctl/pfkdump.c3
-rw-r--r--sys/net/pfkeyv2.h5
-rw-r--r--sys/net/pfkeyv2_convert.c8
-rw-r--r--sys/netinet/ip_ipsp.h3
5 files changed, 17 insertions, 6 deletions
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index 5b8d6a487bd..b8812f884e2 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.71 2020/09/09 21:25:42 tobhe Exp $ */
+/* $OpenBSD: pfkey.c,v 1.72 2020/11/05 19:28:27 phessler Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -1524,6 +1524,8 @@ pfkey_id2ident(struct iked_id *id, unsigned int exttype)
type = SADB_IDENTTYPE_PREFIX;
break;
case IKEV2_ID_ASN1_DN:
+ type = SADB_IDENTTYPE_ASN1_DN;
+ break;
case IKEV2_ID_ASN1_GN:
case IKEV2_ID_KEY_ID:
case IKEV2_ID_NONE:
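Review bot: The new case selects the PF_KEY type tag for ASN1_DN but leaves open how the identity bytes are then serialised into the sadb_ident payload, which is decided by the rest of pfkey_id2ident outside the hunk. An IKEv2 ID_DER_ASN1_DN identity is a DER blob rather than a NUL-terminated string like the FQDN/UFQDN identities the neighbouring cases map, so if the tail of the function copies the identity buffer verbatim, consumers that print or compare the payload as a C string (presumably ipsecctl's dump) will mis-handle it, whereas if it goes through a printable rendering of the DN the mapping is fine. Once confirmed, a comment on the case would pin the contract for the next type added here, e.g. `/* serialised in printable form below, not as raw DER */`. pfkey_id2ident starts and ends outside the hunk.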
diff --git a/sbin/ipsecctl/pfkdump.c b/sbin/ipsecctl/pfkdump.c
index 00ddbd8bb19..4d7d3da7797 100644
--- a/sbin/ipsecctl/pfkdump.c
+++ b/sbin/ipsecctl/pfkdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkdump.c,v 1.51 2020/06/01 21:00:51 tobhe Exp $ */
+/* $OpenBSD: pfkdump.c,v 1.52 2020/11/05 19:28:27 phessler Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
@@ -198,6 +198,7 @@ struct idname identity_types[] = {
{ SADB_IDENTTYPE_PREFIX, "prefix", NULL },
{ SADB_IDENTTYPE_FQDN, "fqdn", NULL },
{ SADB_IDENTTYPE_USERFQDN, "ufqdn", NULL },
+ { SADB_IDENTTYPE_ASN1_DN, "asn1_dn", NULL },
{ 0, NULL, NULL }
};
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index 0c16f9dd751..6bf38870029 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.84 2020/08/07 20:12:15 tobhe Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.85 2020/11/05 19:28:27 phessler Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) January 1998
*
@@ -351,7 +351,8 @@ struct sadb_x_counter {
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2
#define SADB_IDENTTYPE_USERFQDN 3
-#define SADB_IDENTTYPE_MAX 3
+#define SADB_IDENTTYPE_ASN1_DN 4
+#define SADB_IDENTTYPE_MAX 4
#define SADB_KEY_FLAGS_MAX 0
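Review bot: SADB_IDENTTYPE_ASN1_DN is added without a comment although it becomes part of the PF_KEY ABI shared between kernel and userland, and the SADB_IDENTTYPE_MAX bump on the next line is presumably what makes the message parser accept the new value. A one-line note would help readers who only see this header, e.g. `#define SADB_IDENTTYPE_ASN1_DN 4 /* X.509 DN identity (IKEv2 ID_DER_ASN1_DN) */`, and `/* must equal the highest SADB_IDENTTYPE_* above */` on the MAX line, since forgetting to bump it would silently reject the next type added.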
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index 1d3487b2eb5..1d79e925c6c 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.68 2020/07/18 15:10:03 kn Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.69 2020/11/05 19:28:28 phessler Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
*
@@ -721,6 +721,9 @@ import_identity(struct ipsec_id **id, struct sadb_ident *sadb_ident,
case SADB_IDENTTYPE_USERFQDN:
(*id)->type = IPSP_IDENTITY_USERFQDN;
break;
+ case SADB_IDENTTYPE_ASN1_DN:
+ (*id)->type = IPSP_IDENTITY_ASN1_DN;
+ break;
default:
free(*id, M_CREDENTIALS, *id_sz);
*id = NULL;
@@ -769,6 +772,9 @@ export_identity(void **p, struct ipsec_id *id)
case IPSP_IDENTITY_USERFQDN:
sadb_ident->sadb_ident_type = SADB_IDENTTYPE_USERFQDN;
break;
+ case IPSP_IDENTITY_ASN1_DN:
+ sadb_ident->sadb_ident_type = SADB_IDENTTYPE_ASN1_DN;
+ break;
}
*p += sizeof(struct sadb_ident);
bcopy(id + 1, *p, id->len);
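Review bot: The switch in export_identity still ends without a default after the new IPSP_IDENTITY_ASN1_DN case (unless one precedes the visible cases), so an ipsec_id whose type is none of the four mapped values reaches the bcopy below with sadb_ident_type left at whatever the output buffer held, and the asymmetry with import_identity, which frees and rejects unknown types, grows with every type added. A defensive `default: sadb_ident->sadb_ident_type = 0; break;` — or at least `/* keep in sync with import_identity() */` above the switch — would make the pairing explicit. Whether the buffer is zeroed before this point, and the start of export_identity, are outside the hunk.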
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 1c434a92f9f..1bea23e1e2b 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.195 2020/09/01 01:53:34 gnezdo Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.196 2020/11/05 19:28:28 phessler Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -303,6 +303,7 @@ struct ipsec_policy {
#define IPSP_IDENTITY_PREFIX 1
#define IPSP_IDENTITY_FQDN 2
#define IPSP_IDENTITY_USERFQDN 3
+#define IPSP_IDENTITY_ASN1_DN 4
struct tdb { /* tunnel descriptor block */
/*