bring in latest KAME ipsec tree.
- interop issues in ipcomp is fixed - padding type (after ESP) is configurable - key database memory management (need more fixes) - policy specification is revisited XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon
This commit is contained in:
parent
e5e6464767
commit
1a2a1e2b1f
@ -1,4 +1,4 @@
|
||||
# $NetBSD: files,v 1.346 2000/01/26 06:27:33 thorpej Exp $
|
||||
# $NetBSD: files,v 1.347 2000/01/31 14:18:52 itojun Exp $
|
||||
|
||||
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
|
||||
|
||||
@ -602,6 +602,7 @@ file kern/exec_conf.c
|
||||
file kern/exec_ecoff.c exec_ecoff
|
||||
|
||||
file netkey/key.c ipsec
|
||||
file netkey/keydb.c ipsec
|
||||
file netkey/key_debug.c ipsec
|
||||
file netkey/keysock.c ipsec
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: in_pcb.h,v 1.27 1999/07/01 08:12:50 itojun Exp $ */
|
||||
/* $NetBSD: in_pcb.h,v 1.28 2000/01/31 14:18:53 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -95,9 +95,7 @@ struct inpcb {
|
||||
int inp_errormtu; /* MTU of last xmit status = EMSGSIZE */
|
||||
struct inpcbtable *inp_table;
|
||||
#if 1 /*IPSEC*/
|
||||
struct secpolicy *inp_sp; /* security policy. It may not be
|
||||
* used according to policy selection.
|
||||
*/
|
||||
struct inpcbpolicy *inp_sp; /* security policy. */
|
||||
#endif
|
||||
};
|
||||
#define inp_faddr inp_ip.ip_dst
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip_input.c,v 1.94 1999/10/26 09:53:17 itojun Exp $ */
|
||||
/* $NetBSD: ip_input.c,v 1.95 2000/01/31 14:18:54 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -1430,18 +1430,21 @@ ip_forward(m, srcrt)
|
||||
if (ipforward_rt.ro_rt) {
|
||||
struct secpolicy *sp;
|
||||
int ipsecerror;
|
||||
int ipsechdr;
|
||||
size_t ipsechdr;
|
||||
struct route *ro;
|
||||
|
||||
sp = ipsec4_getpolicybyaddr(mcopy,
|
||||
IP_FORWARDING,
|
||||
&ipsecerror);
|
||||
IPSEC_DIR_OUTBOUND,
|
||||
IP_FORWARDING,
|
||||
&ipsecerror);
|
||||
|
||||
if (sp == NULL)
|
||||
destifp = ipforward_rt.ro_rt->rt_ifp;
|
||||
else {
|
||||
/* count IPsec header size */
|
||||
ipsechdr = ipsec4_hdrsiz(mcopy, NULL);
|
||||
ipsechdr = ipsec4_hdrsiz(mcopy,
|
||||
IPSEC_DIR_OUTBOUND,
|
||||
NULL);
|
||||
|
||||
/*
|
||||
* find the correct route for outer IPv4
|
||||
@ -1454,8 +1457,9 @@ ip_forward(m, srcrt)
|
||||
/*XXX*/
|
||||
destifp = NULL;
|
||||
if (sp->req != NULL
|
||||
&& sp->req->sa != NULL) {
|
||||
ro = &sp->req->sa->saidx->sa_route;
|
||||
&& sp->req->sav != NULL
|
||||
&& sp->req->sav->sah != NULL) {
|
||||
ro = &sp->req->sav->sah->sa_route;
|
||||
if (ro->ro_rt && ro->ro_rt->rt_ifp) {
|
||||
dummyifp.if_mtu =
|
||||
ro->ro_rt->rt_ifp->if_mtu;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip_output.c,v 1.65 1999/12/20 05:46:33 itojun Exp $ */
|
||||
/* $NetBSD: ip_output.c,v 1.66 2000/01/31 14:18:55 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -434,9 +434,9 @@ sendit:
|
||||
#ifdef IPSEC
|
||||
/* get SP for this packet */
|
||||
if (so == NULL)
|
||||
sp = ipsec4_getpolicybyaddr(m, flags, &error);
|
||||
sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error);
|
||||
else
|
||||
sp = ipsec4_getpolicybysock(m, so, &error);
|
||||
sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
|
||||
|
||||
if (sp == NULL) {
|
||||
ipsecstat.out_inval++;
|
||||
@ -939,10 +939,11 @@ ip_ctloutput(op, so, level, optname, mp)
|
||||
|
||||
#ifdef IPSEC
|
||||
case IP_IPSEC_POLICY:
|
||||
{
|
||||
{
|
||||
caddr_t req = NULL;
|
||||
int len = 0;
|
||||
size_t len = 0;
|
||||
int priv = 0;
|
||||
|
||||
#ifdef __NetBSD__
|
||||
if (p == 0 || suser(p->p_ucred, &p->p_acflag))
|
||||
priv = 0;
|
||||
@ -951,12 +952,11 @@ ip_ctloutput(op, so, level, optname, mp)
|
||||
#else
|
||||
priv = (in6p->in6p_socket->so_state & SS_PRIV);
|
||||
#endif
|
||||
if (m != 0) {
|
||||
if (m) {
|
||||
req = mtod(m, caddr_t);
|
||||
len = m->m_len;
|
||||
}
|
||||
error = ipsec_set_policy(&inp->inp_sp,
|
||||
optname, req, len, priv);
|
||||
error = ipsec4_set_policy(inp, optname, req, len, priv);
|
||||
break;
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
@ -1028,8 +1028,17 @@ ip_ctloutput(op, so, level, optname, mp)
|
||||
|
||||
#ifdef IPSEC
|
||||
case IP_IPSEC_POLICY:
|
||||
error = ipsec_get_policy(inp->inp_sp, mp);
|
||||
{
|
||||
caddr_t req = NULL;
|
||||
size_t len;
|
||||
|
||||
if (m) {
|
||||
req = mtod(m, caddr_t);
|
||||
len = m->m_len;
|
||||
}
|
||||
error = ipsec4_get_policy(inp, req, len, mp);
|
||||
break;
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
|
||||
case IP_MULTICAST_IF:
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: raw_ip.c,v 1.47 1999/12/13 15:17:20 itojun Exp $ */
|
||||
/* $NetBSD: raw_ip.c,v 1.48 2000/01/31 14:18:55 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -464,7 +464,7 @@ rip_usrreq(so, req, m, nam, control, p)
|
||||
inp = sotoinpcb(so);
|
||||
inp->inp_ip.ip_p = (long)nam;
|
||||
#ifdef IPSEC
|
||||
error = ipsec_init_policy(&inp->inp_sp);
|
||||
error = ipsec_init_policy(so, &inp->inp_sp);
|
||||
if (error != 0) {
|
||||
in_pcbdetach(inp);
|
||||
break;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: tcp_input.c,v 1.101 1999/12/22 04:03:02 itojun Exp $ */
|
||||
/* $NetBSD: tcp_input.c,v 1.102 2000/01/31 14:18:56 itojun Exp $ */
|
||||
|
||||
/*
|
||||
%%% portions-copyright-nrl-95
|
||||
@ -2890,27 +2890,22 @@ syn_cache_get(src, dst, th, hlen, tlen, so, m)
|
||||
#endif
|
||||
|
||||
#ifdef IPSEC
|
||||
{
|
||||
struct secpolicy *sp;
|
||||
/*
|
||||
* we make a copy of policy, instead of sharing the policy,
|
||||
* for better behavior in terms of SA lookup and dead SA removal.
|
||||
*/
|
||||
if (inp) {
|
||||
sp = ipsec_copy_policy(sotoinpcb(oso)->inp_sp);
|
||||
if (sp) {
|
||||
key_freesp(inp->inp_sp);
|
||||
inp->inp_sp = sp;
|
||||
} else
|
||||
/* copy old policy into new socket's */
|
||||
if (ipsec_copy_policy(sotoinpcb(oso)->inp_sp, inp->inp_sp))
|
||||
printf("tcp_input: could not copy policy\n");
|
||||
}
|
||||
#ifdef INET6
|
||||
else if (in6p) {
|
||||
sp = ipsec_copy_policy(sotoin6pcb(oso)->in6p_sp);
|
||||
if (sp) {
|
||||
key_freesp(in6p->in6p_sp);
|
||||
in6p->in6p_sp = sp;
|
||||
} else
|
||||
/* copy old policy into new socket's */
|
||||
if (ipsec_copy_policy(sotoin6pcb(oso)->in6p_sp, in6p->in6p_sp))
|
||||
printf("tcp_input: could not copy policy\n");
|
||||
}
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: tcp_subr.c,v 1.85 1999/12/15 06:28:43 itojun Exp $ */
|
||||
/* $NetBSD: tcp_subr.c,v 1.86 2000/01/31 14:18:57 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -1657,7 +1657,8 @@ ipsec4_hdrsiz_tcp(tp)
|
||||
return 0;
|
||||
switch (tp->t_family) {
|
||||
case AF_INET:
|
||||
hdrsiz = ipsec4_hdrsiz(tp->t_template, inp);
|
||||
/* XXX: should use currect direction. */
|
||||
hdrsiz = ipsec4_hdrsiz(tp->t_template, IPSEC_DIR_OUTBOUND, inp);
|
||||
break;
|
||||
default:
|
||||
hdrsiz = 0;
|
||||
@ -1679,7 +1680,8 @@ ipsec6_hdrsiz_tcp(tp)
|
||||
return 0;
|
||||
switch (tp->t_family) {
|
||||
case AF_INET6:
|
||||
hdrsiz = ipsec6_hdrsiz(tp->t_template, in6p);
|
||||
/* XXX: should use currect direction. */
|
||||
hdrsiz = ipsec6_hdrsiz(tp->t_template, IPSEC_DIR_OUTBOUND, in6p);
|
||||
break;
|
||||
case AF_INET:
|
||||
/* mapped address case - tricky */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: tcp_usrreq.c,v 1.43 1999/12/13 15:17:21 itojun Exp $ */
|
||||
/* $NetBSD: tcp_usrreq.c,v 1.44 2000/01/31 14:18:58 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -731,7 +731,7 @@ tcp_attach(so)
|
||||
}
|
||||
#ifdef IPSEC
|
||||
if (inp) {
|
||||
error = ipsec_init_policy(&inp->inp_sp);
|
||||
error = ipsec_init_policy(so, &inp->inp_sp);
|
||||
if (error != 0) {
|
||||
in_pcbdetach(inp);
|
||||
return (error);
|
||||
@ -739,7 +739,7 @@ tcp_attach(so)
|
||||
}
|
||||
#ifdef INET6
|
||||
else if (in6p) {
|
||||
error = ipsec_init_policy(&in6p->in6p_sp);
|
||||
error = ipsec_init_policy(so, &in6p->in6p_sp);
|
||||
if (error != 0) {
|
||||
in6_pcbdetach(in6p);
|
||||
return (error);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: udp_usrreq.c,v 1.57 2000/01/31 10:39:26 itojun Exp $ */
|
||||
/* $NetBSD: udp_usrreq.c,v 1.58 2000/01/31 14:18:58 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -1342,7 +1342,7 @@ udp_usrreq(so, req, m, nam, control, p)
|
||||
inp = sotoinpcb(so);
|
||||
inp->inp_ip.ip_ttl = ip_defttl;
|
||||
#ifdef IPSEC
|
||||
error = ipsec_init_policy(&inp->inp_sp);
|
||||
error = ipsec_init_policy(so, &inp->inp_sp);
|
||||
if (error != 0) {
|
||||
in_pcbdetach(inp);
|
||||
break;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ah.h,v 1.7 2000/01/06 07:31:10 itojun Exp $ */
|
||||
/* $NetBSD: ah.h,v 1.8 2000/01/31 14:19:00 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -40,7 +40,7 @@
|
||||
#include "opt_inet.h"
|
||||
#endif
|
||||
|
||||
#include <netkey/keydb.h> /* for struct secas */
|
||||
#include <netkey/keydb.h> /* for struct secasvar */
|
||||
|
||||
struct ah {
|
||||
u_int8_t ah_nxt; /* Next Header */
|
||||
@ -60,16 +60,16 @@ struct newah {
|
||||
};
|
||||
|
||||
struct ah_algorithm_state {
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
void* foo; /*per algorithm data - maybe*/
|
||||
};
|
||||
|
||||
struct ah_algorithm {
|
||||
int (*sumsiz) __P((struct secas *));
|
||||
int (*mature) __P((struct secas *));
|
||||
int (*sumsiz) __P((struct secasvar *));
|
||||
int (*mature) __P((struct secasvar *));
|
||||
int keymin; /* in bits */
|
||||
int keymax; /* in bits */
|
||||
void (*init) __P((struct ah_algorithm_state *, struct secas *));
|
||||
void (*init) __P((struct ah_algorithm_state *, struct secasvar *));
|
||||
void (*update) __P((struct ah_algorithm_state *, caddr_t, size_t));
|
||||
void (*result) __P((struct ah_algorithm_state *, caddr_t));
|
||||
};
|
||||
@ -85,21 +85,20 @@ struct in6pcb;
|
||||
#endif
|
||||
|
||||
/* cksum routines */
|
||||
extern int ah_hdrlen __P((struct secas *));
|
||||
extern int ah_hdrlen __P((struct secasvar *));
|
||||
|
||||
extern size_t ah_hdrsiz __P((struct ipsecrequest *));
|
||||
extern void ah4_input __P((struct mbuf *, ...));
|
||||
struct secasb;
|
||||
extern int ah4_output __P((struct mbuf *, struct ipsecrequest *));
|
||||
extern int ah4_calccksum __P((struct mbuf *, caddr_t,
|
||||
struct ah_algorithm *, struct secas *));
|
||||
struct ah_algorithm *, struct secasvar *));
|
||||
|
||||
#ifdef INET6
|
||||
extern int ah6_input __P((struct mbuf **, int *, int));
|
||||
extern int ah6_output __P((struct mbuf *, u_char *, struct mbuf *,
|
||||
struct ipsecrequest *));
|
||||
extern int ah6_calccksum __P((struct mbuf *, caddr_t,
|
||||
struct ah_algorithm *, struct secas *));
|
||||
struct ah_algorithm *, struct secasvar *));
|
||||
#endif /* INET6 */
|
||||
|
||||
#endif /*_KERNEL*/
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ah_core.c,v 1.14 2000/01/16 18:06:03 itojun Exp $ */
|
||||
/* $NetBSD: ah_core.c,v 1.15 2000/01/31 14:19:01 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -53,6 +53,7 @@
|
||||
#include <sys/errno.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/syslog.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
@ -61,11 +62,9 @@
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/in_var.h>
|
||||
#include <netinet/in_pcb.h>
|
||||
|
||||
#ifdef INET6
|
||||
#include <netinet6/ip6.h>
|
||||
#include <netinet6/in6_pcb.h>
|
||||
#include <netinet6/ip6_var.h>
|
||||
#include <netinet6/icmp6.h>
|
||||
#endif
|
||||
@ -77,9 +76,19 @@
|
||||
#endif
|
||||
#include <netkey/keyv2.h>
|
||||
#include <netkey/keydb.h>
|
||||
#ifdef HAVE_MD5
|
||||
#include <sys/md5.h>
|
||||
#else
|
||||
#include <crypto/md5.h>
|
||||
#endif
|
||||
#ifdef HAVE_SHA1
|
||||
#include <sys/sha1.h>
|
||||
#define SHA1_RESULTLEN 20
|
||||
#else
|
||||
#include <crypto/sha1.h>
|
||||
#endif
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
#define HMACSIZE 16
|
||||
|
||||
@ -88,34 +97,34 @@
|
||||
static char zerobuf[ZEROBUFLEN];
|
||||
#endif
|
||||
|
||||
static int ah_sumsiz_1216 __P((struct secas *));
|
||||
static int ah_sumsiz_zero __P((struct secas *));
|
||||
static int ah_none_mature __P((struct secas *));
|
||||
static int ah_sumsiz_1216 __P((struct secasvar *));
|
||||
static int ah_sumsiz_zero __P((struct secasvar *));
|
||||
static int ah_none_mature __P((struct secasvar *));
|
||||
static void ah_none_init __P((struct ah_algorithm_state *,
|
||||
struct secas *));
|
||||
struct secasvar *));
|
||||
static void ah_none_loop __P((struct ah_algorithm_state *, caddr_t, size_t));
|
||||
static void ah_none_result __P((struct ah_algorithm_state *, caddr_t));
|
||||
static int ah_keyed_md5_mature __P((struct secas *));
|
||||
static int ah_keyed_md5_mature __P((struct secasvar *));
|
||||
static void ah_keyed_md5_init __P((struct ah_algorithm_state *,
|
||||
struct secas *));
|
||||
struct secasvar *));
|
||||
static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||
size_t));
|
||||
static void ah_keyed_md5_result __P((struct ah_algorithm_state *, caddr_t));
|
||||
static int ah_keyed_sha1_mature __P((struct secas *));
|
||||
static int ah_keyed_sha1_mature __P((struct secasvar *));
|
||||
static void ah_keyed_sha1_init __P((struct ah_algorithm_state *,
|
||||
struct secas *));
|
||||
struct secasvar *));
|
||||
static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||
size_t));
|
||||
static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t));
|
||||
static int ah_hmac_md5_mature __P((struct secas *));
|
||||
static int ah_hmac_md5_mature __P((struct secasvar *));
|
||||
static void ah_hmac_md5_init __P((struct ah_algorithm_state *,
|
||||
struct secas *));
|
||||
struct secasvar *));
|
||||
static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||
size_t));
|
||||
static void ah_hmac_md5_result __P((struct ah_algorithm_state *, caddr_t));
|
||||
static int ah_hmac_sha1_mature __P((struct secas *));
|
||||
static int ah_hmac_sha1_mature __P((struct secasvar *));
|
||||
static void ah_hmac_sha1_init __P((struct ah_algorithm_state *,
|
||||
struct secas *));
|
||||
struct secasvar *));
|
||||
static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
|
||||
size_t));
|
||||
static void ah_hmac_sha1_result __P((struct ah_algorithm_state *, caddr_t));
|
||||
@ -137,41 +146,42 @@ struct ah_algorithm ah_algorithms[] = {
|
||||
};
|
||||
|
||||
static int
|
||||
ah_sumsiz_1216(sa)
|
||||
struct secas *sa;
|
||||
ah_sumsiz_1216(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
if (!sa)
|
||||
if (!sav)
|
||||
return -1;
|
||||
if (sa->flags & SADB_X_EXT_OLD)
|
||||
if (sav->flags & SADB_X_EXT_OLD)
|
||||
return 16;
|
||||
else
|
||||
return 12;
|
||||
}
|
||||
|
||||
static int
|
||||
ah_sumsiz_zero(sa)
|
||||
struct secas *sa;
|
||||
ah_sumsiz_zero(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
if (!sa)
|
||||
if (!sav)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
ah_none_mature(sa)
|
||||
struct secas *sa;
|
||||
ah_none_mature(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
if (sa->type == SADB_SATYPE_AH) {
|
||||
printf("ah_none_mature: protocol and algorithm mismatch.\n");
|
||||
if (sav->sah->saidx.proto == IPPROTO_AH) {
|
||||
ipseclog((LOG_ERR,
|
||||
"ah_none_mature: protocol and algorithm mismatch.\n"));
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
ah_none_init(state, sa)
|
||||
ah_none_init(state, sav)
|
||||
struct ah_algorithm_state *state;
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
{
|
||||
state->foo = NULL;
|
||||
}
|
||||
@ -192,30 +202,30 @@ ah_none_result(state, addr)
|
||||
}
|
||||
|
||||
static int
|
||||
ah_keyed_md5_mature(sa)
|
||||
struct secas *sa;
|
||||
ah_keyed_md5_mature(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
/* anything is okay */
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
ah_keyed_md5_init(state, sa)
|
||||
ah_keyed_md5_init(state, sav)
|
||||
struct ah_algorithm_state *state;
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
{
|
||||
if (!state)
|
||||
panic("ah_keyed_md5_init: what?");
|
||||
|
||||
state->sa = sa;
|
||||
state->sav = sav;
|
||||
state->foo = (void *)malloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
|
||||
if (state->foo == NULL)
|
||||
panic("ah_keyed_md5_init: what?");
|
||||
MD5Init((MD5_CTX *)state->foo);
|
||||
if (state->sa) {
|
||||
if (state->sav) {
|
||||
MD5Update((MD5_CTX *)state->foo,
|
||||
(u_int8_t *)_KEYBUF(state->sa->key_auth),
|
||||
(u_int)_KEYLEN(state->sa->key_auth));
|
||||
(u_int8_t *)_KEYBUF(state->sav->key_auth),
|
||||
(u_int)_KEYLEN(state->sav->key_auth));
|
||||
|
||||
{
|
||||
/*
|
||||
@ -227,11 +237,11 @@ ah_keyed_md5_init(state, sa)
|
||||
size_t keybitlen;
|
||||
u_int8_t buf[32];
|
||||
|
||||
if (_KEYLEN(state->sa->key_auth) < 56)
|
||||
padlen = 64 - 8 - _KEYLEN(state->sa->key_auth);
|
||||
if (_KEYLEN(state->sav->key_auth) < 56)
|
||||
padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
|
||||
else
|
||||
padlen = 64 + 64 - 8 - _KEYLEN(state->sa->key_auth);
|
||||
keybitlen = _KEYLEN(state->sa->key_auth);
|
||||
padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
|
||||
keybitlen = _KEYLEN(state->sav->key_auth);
|
||||
keybitlen *= 8;
|
||||
|
||||
buf[0] = 0x80;
|
||||
@ -278,10 +288,10 @@ ah_keyed_md5_result(state, addr)
|
||||
if (!state)
|
||||
panic("ah_keyed_md5_result: what?");
|
||||
|
||||
if (state->sa) {
|
||||
if (state->sav) {
|
||||
MD5Update((MD5_CTX *)state->foo,
|
||||
(u_int8_t *)_KEYBUF(state->sa->key_auth),
|
||||
(u_int)_KEYLEN(state->sa->key_auth));
|
||||
(u_int8_t *)_KEYBUF(state->sav->key_auth),
|
||||
(u_int)_KEYLEN(state->sav->key_auth));
|
||||
}
|
||||
MD5Final(&digest[0], (MD5_CTX *)state->foo);
|
||||
free(state->foo, M_TEMP);
|
||||
@ -289,20 +299,21 @@ ah_keyed_md5_result(state, addr)
|
||||
}
|
||||
|
||||
static int
|
||||
ah_keyed_sha1_mature(sa)
|
||||
struct secas *sa;
|
||||
ah_keyed_sha1_mature(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
struct ah_algorithm *algo;
|
||||
|
||||
if (!sa->key_auth) {
|
||||
printf("esp_keyed_sha1_mature: no key is given.\n");
|
||||
if (!sav->key_auth) {
|
||||
ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
|
||||
return 1;
|
||||
}
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
if (sa->key_auth->sadb_key_bits < algo->keymin
|
||||
|| algo->keymax < sa->key_auth->sadb_key_bits) {
|
||||
printf("ah_keyed_sha1_mature: invalid key length %d.\n",
|
||||
sa->key_auth->sadb_key_bits);
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
if (sav->key_auth->sadb_key_bits < algo->keymin
|
||||
|| algo->keymax < sav->key_auth->sadb_key_bits) {
|
||||
ipseclog((LOG_ERR,
|
||||
"ah_keyed_sha1_mature: invalid key length %d.\n",
|
||||
sav->key_auth->sadb_key_bits));
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -310,16 +321,16 @@ ah_keyed_sha1_mature(sa)
|
||||
}
|
||||
|
||||
static void
|
||||
ah_keyed_sha1_init(state, sa)
|
||||
ah_keyed_sha1_init(state, sav)
|
||||
struct ah_algorithm_state *state;
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
{
|
||||
SHA1_CTX *ctxt;
|
||||
|
||||
if (!state)
|
||||
panic("ah_keyed_sha1_init: what?");
|
||||
|
||||
state->sa = sa;
|
||||
state->sav = sav;
|
||||
state->foo = (void *)malloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
|
||||
if (!state->foo)
|
||||
panic("ah_keyed_sha1_init: what?");
|
||||
@ -327,9 +338,9 @@ ah_keyed_sha1_init(state, sa)
|
||||
ctxt = (SHA1_CTX *)state->foo;
|
||||
SHA1Init(ctxt);
|
||||
|
||||
if (state->sa) {
|
||||
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sa->key_auth),
|
||||
(u_int)_KEYLEN(state->sa->key_auth));
|
||||
if (state->sav) {
|
||||
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
|
||||
(u_int)_KEYLEN(state->sav->key_auth));
|
||||
|
||||
{
|
||||
/*
|
||||
@ -339,11 +350,11 @@ ah_keyed_sha1_init(state, sa)
|
||||
size_t keybitlen;
|
||||
u_int8_t buf[32];
|
||||
|
||||
if (_KEYLEN(state->sa->key_auth) < 56)
|
||||
padlen = 64 - 8 - _KEYLEN(state->sa->key_auth);
|
||||
if (_KEYLEN(state->sav->key_auth) < 56)
|
||||
padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
|
||||
else
|
||||
padlen = 64 + 64 - 8 - _KEYLEN(state->sa->key_auth);
|
||||
keybitlen = _KEYLEN(state->sa->key_auth);
|
||||
padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
|
||||
keybitlen = _KEYLEN(state->sav->key_auth);
|
||||
keybitlen *= 8;
|
||||
|
||||
buf[0] = 0x80;
|
||||
@ -395,9 +406,9 @@ ah_keyed_sha1_result(state, addr)
|
||||
panic("ah_keyed_sha1_result: what?");
|
||||
ctxt = (SHA1_CTX *)state->foo;
|
||||
|
||||
if (state->sa) {
|
||||
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sa->key_auth),
|
||||
(u_int)_KEYLEN(state->sa->key_auth));
|
||||
if (state->sav) {
|
||||
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
|
||||
(u_int)_KEYLEN(state->sav->key_auth));
|
||||
}
|
||||
SHA1Final((caddr_t)&digest[0], ctxt);
|
||||
bcopy(&digest[0], (void *)addr, HMACSIZE);
|
||||
@ -406,20 +417,21 @@ ah_keyed_sha1_result(state, addr)
|
||||
}
|
||||
|
||||
static int
|
||||
ah_hmac_md5_mature(sa)
|
||||
struct secas *sa;
|
||||
ah_hmac_md5_mature(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
struct ah_algorithm *algo;
|
||||
|
||||
if (!sa->key_auth) {
|
||||
printf("esp_hmac_md5_mature: no key is given.\n");
|
||||
if (!sav->key_auth) {
|
||||
ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
|
||||
return 1;
|
||||
}
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
if (sa->key_auth->sadb_key_bits < algo->keymin
|
||||
|| algo->keymax < sa->key_auth->sadb_key_bits) {
|
||||
printf("ah_hmac_md5_mature: invalid key length %d.\n",
|
||||
sa->key_auth->sadb_key_bits);
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
if (sav->key_auth->sadb_key_bits < algo->keymin
|
||||
|| algo->keymax < sav->key_auth->sadb_key_bits) {
|
||||
ipseclog((LOG_ERR,
|
||||
"ah_hmac_md5_mature: invalid key length %d.\n",
|
||||
sav->key_auth->sadb_key_bits));
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -427,9 +439,9 @@ ah_hmac_md5_mature(sa)
|
||||
}
|
||||
|
||||
static void
|
||||
ah_hmac_md5_init(state, sa)
|
||||
ah_hmac_md5_init(state, sav)
|
||||
struct ah_algorithm_state *state;
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
{
|
||||
u_char *ipad;
|
||||
u_char *opad;
|
||||
@ -442,7 +454,7 @@ ah_hmac_md5_init(state, sa)
|
||||
if (!state)
|
||||
panic("ah_hmac_md5_init: what?");
|
||||
|
||||
state->sa = sa;
|
||||
state->sav = sav;
|
||||
state->foo = (void *)malloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
|
||||
if (!state->foo)
|
||||
panic("ah_hmac_md5_init: what?");
|
||||
@ -452,16 +464,16 @@ ah_hmac_md5_init(state, sa)
|
||||
ctxt = (MD5_CTX *)(opad + 64);
|
||||
|
||||
/* compress the key if necessery */
|
||||
if (64 < _KEYLEN(state->sa->key_auth)) {
|
||||
if (64 < _KEYLEN(state->sav->key_auth)) {
|
||||
MD5Init(ctxt);
|
||||
MD5Update(ctxt, _KEYBUF(state->sa->key_auth),
|
||||
_KEYLEN(state->sa->key_auth));
|
||||
MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
|
||||
_KEYLEN(state->sav->key_auth));
|
||||
MD5Final(&tk[0], ctxt);
|
||||
key = &tk[0];
|
||||
keylen = 16;
|
||||
} else {
|
||||
key = _KEYBUF(state->sa->key_auth);
|
||||
keylen = _KEYLEN(state->sa->key_auth);
|
||||
key = _KEYBUF(state->sav->key_auth);
|
||||
keylen = _KEYLEN(state->sav->key_auth);
|
||||
}
|
||||
|
||||
bzero(ipad, 64);
|
||||
@ -521,20 +533,21 @@ ah_hmac_md5_result(state, addr)
|
||||
}
|
||||
|
||||
static int
|
||||
ah_hmac_sha1_mature(sa)
|
||||
struct secas *sa;
|
||||
ah_hmac_sha1_mature(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
struct ah_algorithm *algo;
|
||||
|
||||
if (!sa->key_auth) {
|
||||
printf("esp_hmac_sha1_mature: no key is given.\n");
|
||||
if (!sav->key_auth) {
|
||||
ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
|
||||
return 1;
|
||||
}
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
if (sa->key_auth->sadb_key_bits < algo->keymin
|
||||
|| algo->keymax < sa->key_auth->sadb_key_bits) {
|
||||
printf("ah_hmac_sha1_mature: invalid key length %d.\n",
|
||||
sa->key_auth->sadb_key_bits);
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
if (sav->key_auth->sadb_key_bits < algo->keymin
|
||||
|| algo->keymax < sav->key_auth->sadb_key_bits) {
|
||||
ipseclog((LOG_ERR,
|
||||
"ah_hmac_sha1_mature: invalid key length %d.\n",
|
||||
sav->key_auth->sadb_key_bits));
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -542,9 +555,9 @@ ah_hmac_sha1_mature(sa)
|
||||
}
|
||||
|
||||
static void
|
||||
ah_hmac_sha1_init(state, sa)
|
||||
ah_hmac_sha1_init(state, sav)
|
||||
struct ah_algorithm_state *state;
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
{
|
||||
u_char *ipad;
|
||||
u_char *opad;
|
||||
@ -557,7 +570,7 @@ ah_hmac_sha1_init(state, sa)
|
||||
if (!state)
|
||||
panic("ah_hmac_sha1_init: what?");
|
||||
|
||||
state->sa = sa;
|
||||
state->sav = sav;
|
||||
state->foo = (void *)malloc(64 + 64 + sizeof(SHA1_CTX),
|
||||
M_TEMP, M_NOWAIT);
|
||||
if (!state->foo)
|
||||
@ -568,16 +581,16 @@ ah_hmac_sha1_init(state, sa)
|
||||
ctxt = (SHA1_CTX *)(opad + 64);
|
||||
|
||||
/* compress the key if necessery */
|
||||
if (64 < _KEYLEN(state->sa->key_auth)) {
|
||||
if (64 < _KEYLEN(state->sav->key_auth)) {
|
||||
SHA1Init(ctxt);
|
||||
SHA1Update(ctxt, _KEYBUF(state->sa->key_auth),
|
||||
_KEYLEN(state->sa->key_auth));
|
||||
SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
|
||||
_KEYLEN(state->sav->key_auth));
|
||||
SHA1Final(&tk[0], ctxt);
|
||||
key = &tk[0];
|
||||
keylen = SHA1_RESULTLEN;
|
||||
} else {
|
||||
key = _KEYBUF(state->sa->key_auth);
|
||||
keylen = _KEYLEN(state->sa->key_auth);
|
||||
key = _KEYBUF(state->sav->key_auth);
|
||||
keylen = _KEYLEN(state->sav->key_auth);
|
||||
}
|
||||
|
||||
bzero(ipad, 64);
|
||||
@ -643,11 +656,11 @@ ah_hmac_sha1_result(state, addr)
|
||||
* go generate the checksum.
|
||||
*/
|
||||
int
|
||||
ah4_calccksum(m0, ahdat, algo, sa)
|
||||
ah4_calccksum(m0, ahdat, algo, sav)
|
||||
struct mbuf *m0;
|
||||
caddr_t ahdat;
|
||||
struct ah_algorithm *algo;
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
{
|
||||
struct mbuf *m;
|
||||
int hdrtype;
|
||||
@ -664,7 +677,7 @@ ah4_calccksum(m0, ahdat, algo, sa)
|
||||
|
||||
p = mtod(m, u_char *);
|
||||
|
||||
(algo->init)(&algos, sa);
|
||||
(algo->init)(&algos, sav);
|
||||
|
||||
advancewidth = 0; /*safety*/
|
||||
|
||||
@ -728,10 +741,11 @@ again:
|
||||
break;
|
||||
}
|
||||
if (l <= 0 || hlen - i < l) {
|
||||
printf("ah4_input: invalid IP option "
|
||||
"(type=%02x len=%02x)\n",
|
||||
p[i + IPOPT_OPTVAL],
|
||||
p[i + IPOPT_OLEN]);
|
||||
ipseclog((LOG_ERR,
|
||||
"ah4_calccksum: invalid IP option "
|
||||
"(type=%02x len=%02x)\n",
|
||||
p[i + IPOPT_OPTVAL],
|
||||
p[i + IPOPT_OLEN]));
|
||||
break;
|
||||
}
|
||||
if (skip) {
|
||||
@ -758,13 +772,13 @@ again:
|
||||
int siz;
|
||||
int hdrsiz;
|
||||
|
||||
hdrsiz = (sa->flags & SADB_X_EXT_OLD) ?
|
||||
hdrsiz = (sav->flags & SADB_X_EXT_OLD) ?
|
||||
sizeof(struct ah) : sizeof(struct newah);
|
||||
|
||||
(algo->update)(&algos, p, hdrsiz);
|
||||
|
||||
/* key data region. */
|
||||
siz = (*algo->sumsiz)(sa);
|
||||
siz = (*algo->sumsiz)(sav);
|
||||
bzero(&dummy[0], sizeof(dummy));
|
||||
while (sizeof(dummy) <= siz) {
|
||||
(algo->update)(&algos, dummy, sizeof(dummy));
|
||||
@ -775,26 +789,26 @@ again:
|
||||
(algo->update)(&algos, dummy, siz);
|
||||
|
||||
/* padding region, just in case */
|
||||
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sa);
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0)
|
||||
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sav);
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0)
|
||||
siz -= 4; /* sequence number field */
|
||||
if (0 < siz) {
|
||||
/* RFC 1826 */
|
||||
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sa),
|
||||
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sav),
|
||||
siz);
|
||||
}
|
||||
|
||||
hdrtype = ((struct ah *)p)->ah_nxt;
|
||||
advancewidth = hdrsiz;
|
||||
advancewidth += ((struct ah *)p)->ah_len << 2;
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0)
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0)
|
||||
advancewidth -= 4; /* sequence number field */
|
||||
break;
|
||||
}
|
||||
|
||||
default:
|
||||
printf("ah4_calccksum: unexpected hdrtype=%x; "
|
||||
"treating rest as payload\n", hdrtype);
|
||||
ipseclog((LOG_DEBUG, "ah4_calccksum: unexpected hdrtype=%x; "
|
||||
"treating rest as payload\n", hdrtype));
|
||||
/*fall through*/
|
||||
case IPPROTO_ICMP:
|
||||
case IPPROTO_IGMP:
|
||||
@ -831,7 +845,8 @@ again:
|
||||
if (m)
|
||||
p = mtod(m, u_char *);
|
||||
else {
|
||||
printf("ERR: hit the end-of-mbuf...\n");
|
||||
ipseclog((LOG_DEBUG,
|
||||
"hit the end-of-mbuf...\n"));
|
||||
p = NULL;
|
||||
}
|
||||
}
|
||||
@ -843,7 +858,7 @@ again:
|
||||
|
||||
/* for HMAC algorithms... */
|
||||
(algo->result)(&algos, &sumbuf[0]);
|
||||
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sa));
|
||||
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
|
||||
|
||||
return error;
|
||||
}
|
||||
@ -854,11 +869,11 @@ again:
|
||||
* except AH itself.
|
||||
*/
|
||||
int
|
||||
ah6_calccksum(m0, ahdat, algo, sa)
|
||||
ah6_calccksum(m0, ahdat, algo, sav)
|
||||
struct mbuf *m0;
|
||||
caddr_t ahdat;
|
||||
struct ah_algorithm *algo;
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
{
|
||||
struct mbuf *m;
|
||||
int hdrtype;
|
||||
@ -876,7 +891,7 @@ ah6_calccksum(m0, ahdat, algo, sa)
|
||||
|
||||
p = mtod(m, u_char *);
|
||||
|
||||
(algo->init)(&algos, sa);
|
||||
(algo->init)(&algos, sav);
|
||||
|
||||
advancewidth = 0; /*safety*/
|
||||
nest = 0;
|
||||
@ -917,13 +932,13 @@ again:
|
||||
int siz;
|
||||
int hdrsiz;
|
||||
|
||||
hdrsiz = (sa->flags & SADB_X_EXT_OLD) ?
|
||||
hdrsiz = (sav->flags & SADB_X_EXT_OLD) ?
|
||||
sizeof(struct ah) : sizeof(struct newah);
|
||||
|
||||
(algo->update)(&algos, p, hdrsiz);
|
||||
|
||||
/* key data region. */
|
||||
siz = (*algo->sumsiz)(sa);
|
||||
siz = (*algo->sumsiz)(sav);
|
||||
bzero(&dummy[0], 4);
|
||||
while (4 <= siz) {
|
||||
(algo->update)(&algos, dummy, 4);
|
||||
@ -934,18 +949,18 @@ again:
|
||||
(algo->update)(&algos, dummy, siz);
|
||||
|
||||
/* padding region, just in case */
|
||||
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sa);
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0)
|
||||
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sav);
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0)
|
||||
siz -= 4; /* sequence number field */
|
||||
if (0 < siz) {
|
||||
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sa),
|
||||
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sav),
|
||||
siz);
|
||||
}
|
||||
|
||||
hdrtype = ((struct ah *)p)->ah_nxt;
|
||||
advancewidth = hdrsiz;
|
||||
advancewidth += ((struct ah *)p)->ah_len << 2;
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0)
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0)
|
||||
advancewidth -= 4; /* sequence number field */
|
||||
break;
|
||||
}
|
||||
@ -1068,12 +1083,12 @@ again:
|
||||
break;
|
||||
}
|
||||
default:
|
||||
printf("ah6_calccksum: unexpected hdrtype=%x; "
|
||||
"treating rest as payload\n", hdrtype);
|
||||
ipseclog((LOG_DEBUG, "ah6_calccksum: unexpected hdrtype=%x; "
|
||||
"treating rest as payload\n", hdrtype));
|
||||
/*fall through*/
|
||||
case IPPROTO_ICMP:
|
||||
case IPPROTO_IGMP:
|
||||
case IPPROTO_IPIP: /*?*/
|
||||
case IPPROTO_IPIP:
|
||||
case IPPROTO_IPV6:
|
||||
case IPPROTO_ICMPV6:
|
||||
case IPPROTO_UDP:
|
||||
@ -1104,7 +1119,8 @@ again:
|
||||
if (m)
|
||||
p = mtod(m, u_char *);
|
||||
else {
|
||||
printf("ERR: hit the end-of-mbuf...\n");
|
||||
ipseclog((LOG_DEBUG,
|
||||
"hit the end-of-mbuf...\n"));
|
||||
p = NULL;
|
||||
}
|
||||
}
|
||||
@ -1116,7 +1132,7 @@ again:
|
||||
|
||||
/* for HMAC algorithms... */
|
||||
(algo->result)(&algos, &sumbuf[0]);
|
||||
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sa));
|
||||
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
|
||||
|
||||
return(0);
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ah_input.c,v 1.6 2000/01/06 07:31:11 itojun Exp $ */
|
||||
/* $NetBSD: ah_input.c,v 1.7 2000/01/31 14:19:01 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -61,7 +61,6 @@
|
||||
|
||||
#ifdef INET6
|
||||
#include <netinet6/ip6.h>
|
||||
#include <netinet6/in6_pcb.h>
|
||||
#include <netinet6/ip6_var.h>
|
||||
#include <netinet6/icmp6.h>
|
||||
#endif
|
||||
@ -74,9 +73,7 @@
|
||||
|
||||
#include <machine/stdarg.h>
|
||||
|
||||
#ifdef __NetBSD__
|
||||
#define ovbcopy bcopy
|
||||
#endif
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
#ifdef INET
|
||||
extern struct protosw inetsw[];
|
||||
@ -98,7 +95,7 @@ ah4_input(m, va_alist)
|
||||
size_t siz;
|
||||
size_t siz1;
|
||||
u_char *cksum;
|
||||
struct secas *sa = NULL;
|
||||
struct secasvar *sav = NULL;
|
||||
u_int16_t nxt;
|
||||
size_t hlen;
|
||||
int s;
|
||||
@ -110,11 +107,12 @@ ah4_input(m, va_alist)
|
||||
proto = va_arg(ap, int);
|
||||
va_end(ap);
|
||||
|
||||
#ifndef PULLDOWN_TEST
|
||||
if (m->m_len < off + sizeof(struct newah)) {
|
||||
m = m_pullup(m, off + sizeof(struct newah));
|
||||
if (!m) {
|
||||
printf("IPv4 AH input: can't pullup;"
|
||||
"dropping the packet for simplicity\n");
|
||||
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup;"
|
||||
"dropping the packet for simplicity\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
@ -122,6 +120,16 @@ ah4_input(m, va_alist)
|
||||
|
||||
ip = mtod(m, struct ip *);
|
||||
ah = (struct ah *)(((caddr_t)ip) + off);
|
||||
#else
|
||||
ip = mtod(m, struct ip *);
|
||||
IP6_EXTHDR_GET(ah, struct ah *, m, off, sizeof(struct newah));
|
||||
if (ah == NULL) {
|
||||
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup;"
|
||||
"dropping the packet for simplicity\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
#endif
|
||||
nxt = ah->ah_nxt;
|
||||
#ifdef _IP_VHL
|
||||
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
|
||||
@ -132,37 +140,36 @@ ah4_input(m, va_alist)
|
||||
/* find the sassoc. */
|
||||
spi = ah->ah_spi;
|
||||
|
||||
if ((sa = key_allocsa(AF_INET,
|
||||
if ((sav = key_allocsa(AF_INET,
|
||||
(caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst,
|
||||
IPPROTO_AH, spi)) == 0) {
|
||||
printf("IPv4 AH input: no key association found for spi %u;"
|
||||
"dropping the packet for simplicity\n",
|
||||
(u_int32_t)ntohl(spi));
|
||||
ipseclog((LOG_WARNING,
|
||||
"IPv4 AH input: no key association found for spi %u\n",
|
||||
(u_int32_t)ntohl(spi)));
|
||||
ipsecstat.in_nosa++;
|
||||
goto fail;
|
||||
}
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ah4_input called to allocate SA:%p\n", sa));
|
||||
if (sa->state != SADB_SASTATE_MATURE
|
||||
&& sa->state != SADB_SASTATE_DYING) {
|
||||
printf("IPv4 AH input: non-mature/dying SA found for spi %u; "
|
||||
"dropping the packet for simplicity\n",
|
||||
(u_int32_t)ntohl(spi));
|
||||
printf("DP ah4_input called to allocate SA:%p\n", sav));
|
||||
if (sav->state != SADB_SASTATE_MATURE
|
||||
&& sav->state != SADB_SASTATE_DYING) {
|
||||
ipseclog((LOG_DEBUG,
|
||||
"IPv4 AH input: non-mature/dying SA found for spi %u\n",
|
||||
(u_int32_t)ntohl(spi)));
|
||||
ipsecstat.in_badspi++;
|
||||
goto fail;
|
||||
}
|
||||
if (sa->alg_auth == SADB_AALG_NONE) {
|
||||
printf("IPv4 AH input: unspecified authentication algorithm "
|
||||
"for spi %u;"
|
||||
"dropping the packet for simplicity\n",
|
||||
(u_int32_t)ntohl(spi));
|
||||
if (sav->alg_auth == SADB_AALG_NONE) {
|
||||
ipseclog((LOG_DEBUG, "IPv4 AH input: "
|
||||
"unspecified authentication algorithm for spi %u\n",
|
||||
(u_int32_t)ntohl(spi)));
|
||||
ipsecstat.in_badspi++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
|
||||
siz = (*algo->sumsiz)(sa);
|
||||
siz = (*algo->sumsiz)(sav);
|
||||
siz1 = ((siz + 3) & ~(4 - 1));
|
||||
|
||||
/*
|
||||
@ -171,22 +178,22 @@ ah4_input(m, va_alist)
|
||||
{
|
||||
int sizoff;
|
||||
|
||||
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
|
||||
if ((ah->ah_len << 2) - sizoff != siz1) {
|
||||
log(LOG_NOTICE, "sum length mismatch in IPv4 AH input "
|
||||
ipseclog((LOG_NOTICE, "sum length mismatch in IPv4 AH input "
|
||||
"(%d should be %u): %s\n",
|
||||
(ah->ah_len << 2) - sizoff, (unsigned int)siz1,
|
||||
ipsec4_logpacketstr(ip, spi));
|
||||
ipsec4_logpacketstr(ip, spi)));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
#ifndef PULLDOWN_TEST
|
||||
if (m->m_len < off + sizeof(struct ah) + sizoff + siz1) {
|
||||
m = m_pullup(m, off + sizeof(struct ah) + sizoff + siz1);
|
||||
if (!m) {
|
||||
printf("IPv4 AH input: can't pullup;"
|
||||
"dropping the packet for simplicity\n");
|
||||
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
@ -194,19 +201,28 @@ ah4_input(m, va_alist)
|
||||
ip = mtod(m, struct ip *);
|
||||
ah = (struct ah *)(((caddr_t)ip) + off);
|
||||
}
|
||||
#else
|
||||
IP6_EXTHDR_GET(ah, struct ah *, m, off,
|
||||
sizeof(struct ah) + sizoff + siz1);
|
||||
if (ah == NULL) {
|
||||
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* check for sequence number.
|
||||
*/
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
|
||||
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sa))
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
|
||||
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav))
|
||||
; /*okey*/
|
||||
else {
|
||||
ipsecstat.in_ahreplay++;
|
||||
log(LOG_AUTH, "replay packet in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_WARNING,
|
||||
"replay packet in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
@ -217,7 +233,8 @@ ah4_input(m, va_alist)
|
||||
*/
|
||||
cksum = malloc(siz1, M_TEMP, M_NOWAIT);
|
||||
if (!cksum) {
|
||||
printf("IPv4 AH input: couldn't alloc temporary region for cksum\n");
|
||||
ipseclog((LOG_DEBUG, "IPv4 AH input: "
|
||||
"couldn't alloc temporary region for cksum\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
@ -231,12 +248,12 @@ ah4_input(m, va_alist)
|
||||
ip->ip_len = htons(ip->ip_len);
|
||||
ip->ip_off = htons(ip->ip_off);
|
||||
#endif
|
||||
if (ah4_calccksum(m, (caddr_t)cksum, algo, sa)) {
|
||||
if (ah4_calccksum(m, (caddr_t)cksum, algo, sav)) {
|
||||
free(cksum, M_TEMP);
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
ipsecstat.in_ahhist[sa->alg_auth]++;
|
||||
ipsecstat.in_ahhist[sav->alg_auth]++;
|
||||
#if 1
|
||||
/*
|
||||
* flip them back.
|
||||
@ -249,7 +266,7 @@ ah4_input(m, va_alist)
|
||||
{
|
||||
caddr_t sumpos = NULL;
|
||||
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
sumpos = (caddr_t)(ah + 1);
|
||||
} else {
|
||||
@ -258,9 +275,9 @@ ah4_input(m, va_alist)
|
||||
}
|
||||
|
||||
if (bcmp(sumpos, cksum, siz) != 0) {
|
||||
log(LOG_AUTH, "checksum mismatch in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_WARNING,
|
||||
"checksum mismatch in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
|
||||
free(cksum, M_TEMP);
|
||||
ipsecstat.in_ahauthfail++;
|
||||
goto fail;
|
||||
@ -281,14 +298,14 @@ ah4_input(m, va_alist)
|
||||
struct ip *nip;
|
||||
size_t sizoff;
|
||||
|
||||
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
|
||||
if (m->m_len < off + sizeof(struct ah) + sizoff + siz1 + hlen) {
|
||||
m = m_pullup(m, off + sizeof(struct ah)
|
||||
+ sizoff + siz1 + hlen);
|
||||
if (!m) {
|
||||
printf("IPv4 AH input: can't pullup;"
|
||||
"dropping the packet for simplicity\n");
|
||||
ipseclog((LOG_DEBUG,
|
||||
"IPv4 AH input: can't pullup\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
@ -312,27 +329,30 @@ ah4_input(m, va_alist)
|
||||
if (m->m_flags & M_AUTHIPHDR
|
||||
&& m->m_flags & M_AUTHIPDGM) {
|
||||
#if 0
|
||||
printf("IPv4 AH input: authentication succeess\n");
|
||||
#else
|
||||
;
|
||||
ipseclog((LOG_DEBUG,
|
||||
"IPv4 AH input: authentication succeess\n"));
|
||||
#endif
|
||||
ipsecstat.in_ahauthsucc++;
|
||||
} else {
|
||||
log(LOG_AUTH, "authentication failed in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_WARNING,
|
||||
"authentication failed in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
|
||||
ipsecstat.in_ahauthfail++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/*
|
||||
* update sequence number.
|
||||
*/
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
|
||||
(void)ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sa);
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
|
||||
if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav)) {
|
||||
ipsecstat.in_ahreplay++;
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
/* was it transmitted over the IPsec tunnel SA? */
|
||||
if (ipsec4_tunnel_validate(ip, nxt, sa) && nxt == IPPROTO_IPV4) {
|
||||
if (ipsec4_tunnel_validate(ip, nxt, sav) && nxt == IPPROTO_IPV4) {
|
||||
/*
|
||||
* strip off all the headers that precedes AH.
|
||||
* IP xx AH IP' payload -> IP' payload
|
||||
@ -344,7 +364,7 @@ ah4_input(m, va_alist)
|
||||
u_int8_t tos;
|
||||
|
||||
tos = ip->ip_tos;
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
stripsiz = sizeof(struct ah) + siz1;
|
||||
} else {
|
||||
@ -362,11 +382,11 @@ ah4_input(m, va_alist)
|
||||
ip = mtod(m, struct ip *);
|
||||
/* ECN consideration. */
|
||||
ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos);
|
||||
if (!key_checktunnelsanity(sa, AF_INET,
|
||||
if (!key_checktunnelsanity(sav, AF_INET,
|
||||
(caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
|
||||
log(LOG_NOTICE, "ipsec tunnel address mismatch in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
|
||||
"in IPv4 AH input: %s %s\n",
|
||||
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
@ -403,7 +423,7 @@ ah4_input(m, va_alist)
|
||||
m->m_flags &= ~M_AUTHIPDGM;
|
||||
#endif
|
||||
|
||||
key_sa_recordxfer(sa, m);
|
||||
key_sa_recordxfer(sav, m);
|
||||
|
||||
s = splimp();
|
||||
if (IF_QFULL(&ipintrq)) {
|
||||
@ -423,7 +443,7 @@ ah4_input(m, va_alist)
|
||||
*/
|
||||
size_t stripsiz = 0;
|
||||
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
stripsiz = sizeof(struct ah) + siz1;
|
||||
} else {
|
||||
@ -431,6 +451,7 @@ ah4_input(m, va_alist)
|
||||
stripsiz = sizeof(struct newah) + siz1;
|
||||
}
|
||||
|
||||
#ifndef PULLDOWN_TEST
|
||||
ip = mtod(m, struct ip *);
|
||||
ovbcopy((caddr_t)ip, (caddr_t)(((u_char *)ip) + stripsiz), off);
|
||||
m->m_data += stripsiz;
|
||||
@ -447,7 +468,9 @@ ah4_input(m, va_alist)
|
||||
#endif
|
||||
ip->ip_p = nxt;
|
||||
/* forget about IP hdr checksum, the check has already been passed */
|
||||
|
||||
#else
|
||||
off += stripsiz;
|
||||
#endif
|
||||
if (nxt != IPPROTO_DONE)
|
||||
(*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
|
||||
else
|
||||
@ -455,19 +478,19 @@ ah4_input(m, va_alist)
|
||||
m = NULL;
|
||||
}
|
||||
|
||||
if (sa) {
|
||||
if (sav) {
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ah4_input call free SA:%p\n", sa));
|
||||
key_freesa(sa);
|
||||
printf("DP ah4_input call free SA:%p\n", sav));
|
||||
key_freesav(sav);
|
||||
}
|
||||
ipsecstat.in_success++;
|
||||
return;
|
||||
|
||||
fail:
|
||||
if (sa) {
|
||||
if (sav) {
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ah4_input call free SA:%p\n", sa));
|
||||
key_freesa(sa);
|
||||
printf("DP ah4_input call free SA:%p\n", sav));
|
||||
key_freesav(sav);
|
||||
}
|
||||
if (m)
|
||||
m_freem(m);
|
||||
@ -490,14 +513,23 @@ ah6_input(mp, offp, proto)
|
||||
size_t siz;
|
||||
size_t siz1;
|
||||
u_char *cksum;
|
||||
struct secas *sa = NULL;
|
||||
struct secasvar *sav = NULL;
|
||||
u_int16_t nxt;
|
||||
int s;
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
#ifndef PULLDOWN_TEST
|
||||
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah), IPPROTO_DONE);
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
ah = (struct ah *)(((caddr_t)ip6) + off);
|
||||
#else
|
||||
IP6_EXTHDR_GET(ah, struct ah *, m, off, sizeof(struct newah));
|
||||
if (ah == NULL) {
|
||||
ipseclog((LOG_DEBUG, "IPv6 AH input: can't pullup\n"));
|
||||
ipsecstat.in_inval++;
|
||||
return IPPROTO_DONE;
|
||||
}
|
||||
#endif
|
||||
|
||||
nxt = ah->ah_nxt;
|
||||
|
||||
@ -505,42 +537,42 @@ ah6_input(mp, offp, proto)
|
||||
spi = ah->ah_spi;
|
||||
|
||||
if (ntohs(ip6->ip6_plen) == 0) {
|
||||
printf("IPv6 AH input: AH with IPv6 jumbogram is not supported.\n");
|
||||
ipseclog((LOG_ERR, "IPv6 AH input: "
|
||||
"AH with IPv6 jumbogram is not supported.\n"));
|
||||
ipsec6stat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if ((sa = key_allocsa(AF_INET6,
|
||||
if ((sav = key_allocsa(AF_INET6,
|
||||
(caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
|
||||
IPPROTO_AH, spi)) == 0) {
|
||||
printf("IPv6 AH input: no key association found for spi %u;"
|
||||
"dropping the packet for simplicity\n",
|
||||
(u_int32_t)ntohl(spi));
|
||||
ipseclog((LOG_WARNING,
|
||||
"IPv6 AH input: no key association found for spi %u\n",
|
||||
(u_int32_t)ntohl(spi)));
|
||||
ipsec6stat.in_nosa++;
|
||||
goto fail;
|
||||
}
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ah6_input called to allocate SA:%p\n", sa));
|
||||
if (sa->state != SADB_SASTATE_MATURE
|
||||
&& sa->state != SADB_SASTATE_DYING) {
|
||||
printf("IPv6 AH input: non-mature/dying SA found for spi %u; "
|
||||
"dropping the packet for simplicity\n",
|
||||
(u_int32_t)ntohl(spi));
|
||||
printf("DP ah6_input called to allocate SA:%p\n", sav));
|
||||
if (sav->state != SADB_SASTATE_MATURE
|
||||
&& sav->state != SADB_SASTATE_DYING) {
|
||||
ipseclog((LOG_DEBUG,
|
||||
"IPv6 AH input: non-mature/dying SA found for spi %u; ",
|
||||
(u_int32_t)ntohl(spi)));
|
||||
ipsec6stat.in_badspi++;
|
||||
goto fail;
|
||||
}
|
||||
if (sa->alg_auth == SADB_AALG_NONE) {
|
||||
printf("IPv6 AH input: unspecified authentication algorithm "
|
||||
"for spi %u;"
|
||||
"dropping the packet for simplicity\n",
|
||||
(u_int32_t)ntohl(spi));
|
||||
if (sav->alg_auth == SADB_AALG_NONE) {
|
||||
ipseclog((LOG_DEBUG, "IPv6 AH input: "
|
||||
"unspecified authentication algorithm for spi %u\n",
|
||||
(u_int32_t)ntohl(spi)));
|
||||
ipsec6stat.in_badspi++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
|
||||
siz = (*algo->sumsiz)(sa);
|
||||
siz = (*algo->sumsiz)(sav);
|
||||
siz1 = ((siz + 3) & ~(4 - 1));
|
||||
|
||||
/*
|
||||
@ -549,30 +581,42 @@ ah6_input(mp, offp, proto)
|
||||
{
|
||||
int sizoff;
|
||||
|
||||
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
|
||||
if ((ah->ah_len << 2) - sizoff != siz1) {
|
||||
log(LOG_NOTICE, "sum length mismatch in IPv6 AH input "
|
||||
ipseclog((LOG_NOTICE, "sum length mismatch in IPv6 AH input "
|
||||
"(%d should be %u): %s\n",
|
||||
(ah->ah_len << 2) - sizoff, (unsigned int)siz1,
|
||||
ipsec6_logpacketstr(ip6, spi));
|
||||
ipsec6_logpacketstr(ip6, spi)));
|
||||
ipsec6stat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
#ifndef PULLDOWN_TEST
|
||||
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1, IPPROTO_DONE);
|
||||
#else
|
||||
IP6_EXTHDR_GET(ah, struct ah *, m, off,
|
||||
sizeof(struct ah) + sizoff + siz1);
|
||||
if (ah == NULL) {
|
||||
ipseclog((LOG_NOTICE, "couldn't pullup gather IPv6 AH checksum part"));
|
||||
ipsecstat.in_inval++;
|
||||
m = NULL;
|
||||
goto fail;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* check for sequence number.
|
||||
*/
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
|
||||
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sa))
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
|
||||
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav))
|
||||
; /*okey*/
|
||||
else {
|
||||
ipsec6stat.in_ahreplay++;
|
||||
log(LOG_AUTH, "replay packet in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_WARNING,
|
||||
"replay packet in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi),
|
||||
ipsec_logsastr(sav)));
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
@ -583,22 +627,23 @@ ah6_input(mp, offp, proto)
|
||||
*/
|
||||
cksum = malloc(siz1, M_TEMP, M_NOWAIT);
|
||||
if (!cksum) {
|
||||
printf("IPv6 AH input: couldn't alloc temporary region for cksum\n");
|
||||
ipseclog((LOG_DEBUG, "IPv6 AH input: "
|
||||
"couldn't alloc temporary region for cksum\n"));
|
||||
ipsec6stat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (ah6_calccksum(m, (caddr_t)cksum, algo, sa)) {
|
||||
if (ah6_calccksum(m, (caddr_t)cksum, algo, sav)) {
|
||||
free(cksum, M_TEMP);
|
||||
ipsec6stat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
ipsec6stat.in_ahhist[sa->alg_auth]++;
|
||||
ipsec6stat.in_ahhist[sav->alg_auth]++;
|
||||
|
||||
{
|
||||
caddr_t sumpos = NULL;
|
||||
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
sumpos = (caddr_t)(ah + 1);
|
||||
} else {
|
||||
@ -607,9 +652,9 @@ ah6_input(mp, offp, proto)
|
||||
}
|
||||
|
||||
if (bcmp(sumpos, cksum, siz) != 0) {
|
||||
log(LOG_AUTH, "checksum mismatch in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_WARNING,
|
||||
"checksum mismatch in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
|
||||
free(cksum, M_TEMP);
|
||||
ipsec6stat.in_ahauthfail++;
|
||||
goto fail;
|
||||
@ -630,7 +675,7 @@ ah6_input(mp, offp, proto)
|
||||
struct ip6_hdr *nip6;
|
||||
size_t sizoff;
|
||||
|
||||
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
|
||||
|
||||
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1
|
||||
+ sizeof(struct ip6_hdr), IPPROTO_DONE);
|
||||
@ -653,27 +698,30 @@ ah6_input(mp, offp, proto)
|
||||
if (m->m_flags & M_AUTHIPHDR
|
||||
&& m->m_flags & M_AUTHIPDGM) {
|
||||
#if 0
|
||||
printf("IPv6 AH input: authentication succeess\n");
|
||||
#else
|
||||
;
|
||||
ipseclog((LOG_DEBUG,
|
||||
"IPv6 AH input: authentication succeess\n"));
|
||||
#endif
|
||||
ipsec6stat.in_ahauthsucc++;
|
||||
} else {
|
||||
log(LOG_AUTH, "authentication failed in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_WARNING,
|
||||
"authentication failed in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
|
||||
ipsec6stat.in_ahauthfail++;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/*
|
||||
* update sequence number.
|
||||
*/
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
|
||||
(void)ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sa);
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
|
||||
if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav)) {
|
||||
ipsec6stat.in_ahreplay++;
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
/* was it transmitted over the IPsec tunnel SA? */
|
||||
if (ipsec6_tunnel_validate(ip6, nxt, sa) && nxt == IPPROTO_IPV6) {
|
||||
if (ipsec6_tunnel_validate(ip6, nxt, sav) && nxt == IPPROTO_IPV6) {
|
||||
/*
|
||||
* strip off all the headers that precedes AH.
|
||||
* IP6 xx AH IP6' payload -> IP6' payload
|
||||
@ -685,7 +733,7 @@ ah6_input(mp, offp, proto)
|
||||
u_int32_t flowinfo; /*net endian*/
|
||||
|
||||
flowinfo = ip6->ip6_flow;
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
stripsiz = sizeof(struct ah) + siz1;
|
||||
} else {
|
||||
@ -707,11 +755,12 @@ ah6_input(mp, offp, proto)
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
/* ECN consideration. */
|
||||
ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow);
|
||||
if (!key_checktunnelsanity(sa, AF_INET6,
|
||||
if (!key_checktunnelsanity(sav, AF_INET6,
|
||||
(caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
|
||||
log(LOG_NOTICE, "ipsec tunnel address mismatch in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi),
|
||||
ipsec_logsastr(sa));
|
||||
ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
|
||||
"in IPv6 AH input: %s %s\n",
|
||||
ipsec6_logpacketstr(ip6, spi),
|
||||
ipsec_logsastr(sav)));
|
||||
ipsec6stat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
@ -733,7 +782,7 @@ ah6_input(mp, offp, proto)
|
||||
m->m_flags &= ~M_AUTHIPDGM;
|
||||
#endif
|
||||
|
||||
key_sa_recordxfer(sa, m);
|
||||
key_sa_recordxfer(sav, m);
|
||||
|
||||
s = splimp();
|
||||
if (IF_QFULL(&ip6intrq)) {
|
||||
@ -752,6 +801,7 @@ ah6_input(mp, offp, proto)
|
||||
* the packet is placed in a single mbuf.
|
||||
*/
|
||||
size_t stripsiz = 0;
|
||||
#ifndef PULLDOWN_TEST
|
||||
char *prvnxtp;
|
||||
|
||||
/*
|
||||
@ -761,8 +811,9 @@ ah6_input(mp, offp, proto)
|
||||
*/
|
||||
prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
|
||||
*prvnxtp = nxt;
|
||||
#endif
|
||||
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
stripsiz = sizeof(struct ah) + siz1;
|
||||
} else {
|
||||
@ -770,6 +821,7 @@ ah6_input(mp, offp, proto)
|
||||
stripsiz = sizeof(struct newah) + siz1;
|
||||
}
|
||||
|
||||
#ifndef PULLDOWN_TEST
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
ovbcopy((caddr_t)ip6, (caddr_t)(((u_char *)ip6) + stripsiz),
|
||||
off);
|
||||
@ -779,26 +831,29 @@ ah6_input(mp, offp, proto)
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
|
||||
#else
|
||||
off += stripsiz;
|
||||
#endif
|
||||
|
||||
key_sa_recordxfer(sa, m);
|
||||
key_sa_recordxfer(sav, m);
|
||||
}
|
||||
|
||||
*offp = off;
|
||||
*mp = m;
|
||||
|
||||
if (sa) {
|
||||
if (sav) {
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ah6_input call free SA:%p\n", sa));
|
||||
key_freesa(sa);
|
||||
printf("DP ah6_input call free SA:%p\n", sav));
|
||||
key_freesav(sav);
|
||||
}
|
||||
ipsec6stat.in_success++;
|
||||
return nxt;
|
||||
|
||||
fail:
|
||||
if (sa) {
|
||||
if (sav) {
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ah6_input call free SA:%p\n", sa));
|
||||
key_freesa(sa);
|
||||
printf("DP ah6_input call free SA:%p\n", sav));
|
||||
key_freesav(sav);
|
||||
}
|
||||
if (m)
|
||||
m_freem(m);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ah_output.c,v 1.5 2000/01/06 07:31:11 itojun Exp $ */
|
||||
/* $NetBSD: ah_output.c,v 1.6 2000/01/31 14:19:02 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -35,8 +35,6 @@
|
||||
|
||||
#include "opt_inet.h"
|
||||
|
||||
#define ahdprintf(x) printf x
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/malloc.h>
|
||||
@ -58,11 +56,9 @@
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/in_var.h>
|
||||
#include <netinet/in_pcb.h>
|
||||
|
||||
#ifdef INET6
|
||||
#include <netinet6/ip6.h>
|
||||
#include <netinet6/in6_pcb.h>
|
||||
#include <netinet6/ip6_var.h>
|
||||
#include <netinet6/icmp6.h>
|
||||
#endif
|
||||
@ -73,6 +69,8 @@
|
||||
#include <netkey/keydb.h>
|
||||
#include <netkey/key_debug.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
static struct in_addr *ah4_finaldst __P((struct mbuf *));
|
||||
|
||||
/*
|
||||
@ -91,19 +89,19 @@ ah_hdrsiz(isr)
|
||||
if (isr == NULL)
|
||||
panic("ah_hdrsiz: NULL was passed.\n");
|
||||
|
||||
if (isr->proto != IPPROTO_AH)
|
||||
if (isr->saidx.proto != IPPROTO_AH)
|
||||
panic("unsupported mode passed to ah_hdrsiz");
|
||||
|
||||
if (isr->sa == NULL)
|
||||
goto contrive;
|
||||
if (isr->sa->state != SADB_SASTATE_MATURE
|
||||
&& isr->sa->state != SADB_SASTATE_DYING)
|
||||
goto contrive;
|
||||
if (isr->sav == NULL)
|
||||
goto estimate;
|
||||
if (isr->sav->state != SADB_SASTATE_MATURE
|
||||
&& isr->sav->state != SADB_SASTATE_DYING)
|
||||
goto estimate;
|
||||
|
||||
/* we need transport mode AH. */
|
||||
algo = &ah_algorithms[isr->sa->alg_auth];
|
||||
algo = &ah_algorithms[isr->sav->alg_auth];
|
||||
if (!algo)
|
||||
goto contrive;
|
||||
goto estimate;
|
||||
|
||||
/*
|
||||
* XXX
|
||||
@ -112,15 +110,15 @@ ah_hdrsiz(isr)
|
||||
*
|
||||
* XXX variable size padding support
|
||||
*/
|
||||
hdrsiz = (((*algo->sumsiz)(isr->sa) + 3) & ~(4 - 1));
|
||||
if (isr->sa->flags & SADB_X_EXT_OLD)
|
||||
hdrsiz = (((*algo->sumsiz)(isr->sav) + 3) & ~(4 - 1));
|
||||
if (isr->sav->flags & SADB_X_EXT_OLD)
|
||||
hdrsiz += sizeof(struct ah);
|
||||
else
|
||||
hdrsiz += sizeof(struct newah);
|
||||
|
||||
return hdrsiz;
|
||||
|
||||
contrive:
|
||||
estimate:
|
||||
/* ASSUMING:
|
||||
* sizeof(struct newah) > sizeof(struct ah).
|
||||
* 16 = (16 + 3) & ~(4 - 1).
|
||||
@ -140,7 +138,7 @@ ah4_output(m, isr)
|
||||
struct mbuf *m;
|
||||
struct ipsecrequest *isr;
|
||||
{
|
||||
struct secas *sa = isr->sa;
|
||||
struct secasvar *sav = isr->sav;
|
||||
struct ah_algorithm *algo;
|
||||
u_int32_t spi;
|
||||
u_char *ahdrpos;
|
||||
@ -154,34 +152,33 @@ ah4_output(m, isr)
|
||||
int error;
|
||||
|
||||
/* sanity checks */
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0 && !sa->replay) {
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
|
||||
struct ip *ip;
|
||||
|
||||
ip = mtod(m, struct ip *);
|
||||
printf("ah4_output: internal error: "
|
||||
"sa->replay is null: "
|
||||
"%x->%x, SPI=%u\n",
|
||||
ipseclog((LOG_DEBUG, "ah4_output: internal error: "
|
||||
"sav->replay is null: %x->%x, SPI=%u\n",
|
||||
(u_int32_t)ntohl(ip->ip_src.s_addr),
|
||||
(u_int32_t)ntohl(ip->ip_dst.s_addr),
|
||||
(u_int32_t)ntohl(sa->spi));
|
||||
(u_int32_t)ntohl(sav->spi)));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
spi = sa->spi;
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
spi = sav->spi;
|
||||
|
||||
/*
|
||||
* determine the size to grow.
|
||||
*/
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
ahlen = plen + sizeof(struct ah);
|
||||
} else {
|
||||
/* RFC 2402 */
|
||||
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
ahlen = plen + sizeof(struct newah);
|
||||
}
|
||||
|
||||
@ -201,7 +198,8 @@ ah4_output(m, isr)
|
||||
struct mbuf *n;
|
||||
MGET(n, M_DONTWAIT, MT_DATA);
|
||||
if (!n) {
|
||||
printf("ENOBUFS in ah4_output %d\n", __LINE__);
|
||||
ipseclog((LOG_DEBUG, "ENOBUFS in ah4_output %d\n",
|
||||
__LINE__));
|
||||
m_freem(m);
|
||||
return ENOBUFS;
|
||||
}
|
||||
@ -222,7 +220,7 @@ ah4_output(m, isr)
|
||||
/*
|
||||
* initialize AH.
|
||||
*/
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
struct ah *ahdr;
|
||||
|
||||
ahdr = (struct ah *)ahdrpos;
|
||||
@ -241,12 +239,23 @@ ah4_output(m, isr)
|
||||
ahdr->ah_nxt = ip->ip_p;
|
||||
ahdr->ah_reserve = htons(0);
|
||||
ahdr->ah_spi = spi;
|
||||
sa->replay->count++;
|
||||
if (sav->replay->count == ~0) {
|
||||
if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
|
||||
/* XXX Is it noisy ? */
|
||||
ipseclog((LOG_WARNING,
|
||||
"replay counter overflowed. %s\n",
|
||||
ipsec_logsastr(sav)));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
}
|
||||
sav->replay->count++;
|
||||
/*
|
||||
* XXX sequence number must not be cycled, if the SA is
|
||||
* installed by IKE daemon.
|
||||
*/
|
||||
ahdr->ah_seq = htonl(sa->replay->count);
|
||||
ahdr->ah_seq = htonl(sav->replay->count);
|
||||
bzero(ahdr + 1, plen);
|
||||
}
|
||||
|
||||
@ -257,7 +266,7 @@ ah4_output(m, isr)
|
||||
if (ahlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
|
||||
ip->ip_len = htons(ntohs(ip->ip_len) + ahlen);
|
||||
else {
|
||||
printf("IPv4 AH output: size exceeds limit\n");
|
||||
ipseclog((LOG_ERR, "IPv4 AH output: size exceeds limit\n"));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
return EMSGSIZE;
|
||||
@ -280,9 +289,10 @@ ah4_output(m, isr)
|
||||
* calcurate the checksum, based on security association
|
||||
* and the algorithm specified.
|
||||
*/
|
||||
error = ah4_calccksum(m, (caddr_t)ahsumpos, algo, sa);
|
||||
error = ah4_calccksum(m, (caddr_t)ahsumpos, algo, sav);
|
||||
if (error) {
|
||||
printf("error after ah4_calccksum, called from ah4_output");
|
||||
ipseclog((LOG_ERR,
|
||||
"error after ah4_calccksum, called from ah4_output"));
|
||||
m = NULL;
|
||||
ipsecstat.out_inval++;
|
||||
return error;
|
||||
@ -293,28 +303,28 @@ ah4_output(m, isr)
|
||||
ip->ip_dst.s_addr = dst.s_addr;
|
||||
}
|
||||
ipsecstat.out_success++;
|
||||
ipsecstat.out_ahhist[sa->alg_auth]++;
|
||||
key_sa_recordxfer(sa, m);
|
||||
ipsecstat.out_ahhist[sav->alg_auth]++;
|
||||
key_sa_recordxfer(sav, m);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Calculate AH length */
|
||||
int
|
||||
ah_hdrlen(sa)
|
||||
struct secas *sa;
|
||||
ah_hdrlen(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
struct ah_algorithm *algo;
|
||||
int plen, ahlen;
|
||||
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
/* RFC 1826 */
|
||||
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
ahlen = plen + sizeof(struct ah);
|
||||
} else {
|
||||
/* RFC 2402 */
|
||||
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
|
||||
ahlen = plen + sizeof(struct newah);
|
||||
}
|
||||
|
||||
@ -334,7 +344,7 @@ ah6_output(m, nexthdrp, md, isr)
|
||||
{
|
||||
struct mbuf *mprev;
|
||||
struct mbuf *mah;
|
||||
struct secas *sa = isr->sa;
|
||||
struct secasvar *sav = isr->sav;
|
||||
struct ah_algorithm *algo;
|
||||
u_int32_t spi;
|
||||
u_char *ahsumpos = NULL;
|
||||
@ -344,19 +354,19 @@ ah6_output(m, nexthdrp, md, isr)
|
||||
struct ip6_hdr *ip6;
|
||||
|
||||
if (m->m_len < sizeof(struct ip6_hdr)) {
|
||||
printf("ah6_output: first mbuf too short\n");
|
||||
ipseclog((LOG_DEBUG, "ah6_output: first mbuf too short\n"));
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
ahlen = ah_hdrlen(sa);
|
||||
ahlen = ah_hdrlen(sav);
|
||||
if (ahlen == 0)
|
||||
return 0;
|
||||
|
||||
for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
|
||||
;
|
||||
if (!mprev || mprev->m_next != md) {
|
||||
printf("ah6_output: md is not in chain\n");
|
||||
ipseclog((LOG_DEBUG, "ah6_output: md is not in chain\n"));
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
@ -381,28 +391,29 @@ ah6_output(m, nexthdrp, md, isr)
|
||||
|
||||
/* fix plen */
|
||||
if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
|
||||
printf("ip6_output: AH with IPv6 jumbogram is not supported\n");
|
||||
ipseclog((LOG_ERR,
|
||||
"ip6_output: AH with IPv6 jumbogram is not supported\n"));
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
|
||||
|
||||
if ((sa->flags & SADB_X_EXT_OLD) == 0 && !sa->replay) {
|
||||
printf("ah6_output: internal error: "
|
||||
"sa->replay is null: SPI=%u\n",
|
||||
(u_int32_t)ntohl(sa->spi));
|
||||
if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
|
||||
ipseclog((LOG_DEBUG, "ah6_output: internal error: "
|
||||
"sav->replay is null: SPI=%u\n",
|
||||
(u_int32_t)ntohl(sav->spi)));
|
||||
ipsec6stat.out_inval++;
|
||||
return 0; /* no change at all */
|
||||
}
|
||||
|
||||
algo = &ah_algorithms[sa->alg_auth];
|
||||
spi = sa->spi;
|
||||
algo = &ah_algorithms[sav->alg_auth];
|
||||
spi = sav->spi;
|
||||
|
||||
/*
|
||||
* initialize AH.
|
||||
*/
|
||||
if (sa->flags & SADB_X_EXT_OLD) {
|
||||
if (sav->flags & SADB_X_EXT_OLD) {
|
||||
struct ah *ahdr = mtod(mah, struct ah *);
|
||||
|
||||
plen = mah->m_len - sizeof(struct ah);
|
||||
@ -423,12 +434,23 @@ ah6_output(m, nexthdrp, md, isr)
|
||||
ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
|
||||
ahdr->ah_reserve = htons(0);
|
||||
ahdr->ah_spi = spi;
|
||||
sa->replay->count++;
|
||||
if (sav->replay->count == ~0) {
|
||||
if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
|
||||
/* XXX Is it noisy ? */
|
||||
ipseclog((LOG_WARNING,
|
||||
"replay counter overflowed. %s\n",
|
||||
ipsec_logsastr(sav)));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
}
|
||||
sav->replay->count++;
|
||||
/*
|
||||
* XXX sequence number must not be cycled, if the SA is
|
||||
* installed by IKE daemon.
|
||||
*/
|
||||
ahdr->ah_seq = htonl(sa->replay->count);
|
||||
ahdr->ah_seq = htonl(sav->replay->count);
|
||||
bzero(ahdr + 1, plen);
|
||||
}
|
||||
|
||||
@ -436,13 +458,13 @@ ah6_output(m, nexthdrp, md, isr)
|
||||
* calcurate the checksum, based on security association
|
||||
* and the algorithm specified.
|
||||
*/
|
||||
error = ah6_calccksum(m, (caddr_t)ahsumpos, algo, sa);
|
||||
error = ah6_calccksum(m, (caddr_t)ahsumpos, algo, sav);
|
||||
if (error)
|
||||
ipsec6stat.out_inval++;
|
||||
else
|
||||
ipsec6stat.out_success++;
|
||||
ipsec6stat.out_ahhist[sa->alg_auth]++;
|
||||
key_sa_recordxfer(sa, m);
|
||||
ipsec6stat.out_ahhist[sav->alg_auth]++;
|
||||
key_sa_recordxfer(sav, m);
|
||||
|
||||
return(error);
|
||||
}
|
||||
@ -472,7 +494,8 @@ ah4_finaldst(m)
|
||||
hlen = (ip->ip_hl << 2);
|
||||
|
||||
if (m->m_len < hlen) {
|
||||
printf("ah4_finaldst: parameter mbuf wrong (not pulled up)\n");
|
||||
ipseclog((LOG_DEBUG,
|
||||
"ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@ -481,7 +504,8 @@ ah4_finaldst(m)
|
||||
|
||||
optlen = hlen - sizeof(struct ip);
|
||||
if (optlen < 0) {
|
||||
printf("ah4_finaldst: wrong optlen %d\n", optlen);
|
||||
ipseclog((LOG_DEBUG, "ah4_finaldst: wrong optlen %d\n",
|
||||
optlen));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@ -499,9 +523,10 @@ ah4_finaldst(m)
|
||||
case IPOPT_SSRR:
|
||||
if (q[i + IPOPT_OLEN] <= 0
|
||||
|| optlen - i < q[i + IPOPT_OLEN]) {
|
||||
printf("ip_finaldst: invalid IP option "
|
||||
"(code=%02x len=%02x)\n",
|
||||
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]);
|
||||
ipseclog((LOG_ERR,
|
||||
"ip_finaldst: invalid IP option "
|
||||
"(code=%02x len=%02x)\n",
|
||||
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
|
||||
return NULL;
|
||||
}
|
||||
i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
|
||||
@ -509,9 +534,10 @@ ah4_finaldst(m)
|
||||
default:
|
||||
if (q[i + IPOPT_OLEN] <= 0
|
||||
|| optlen - i < q[i + IPOPT_OLEN]) {
|
||||
printf("ip_finaldst: invalid IP option "
|
||||
"(code=%02x len=%02x)\n",
|
||||
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]);
|
||||
ipseclog((LOG_ERR,
|
||||
"ip_finaldst: invalid IP option "
|
||||
"(code=%02x len=%02x)\n",
|
||||
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
|
||||
return NULL;
|
||||
}
|
||||
i += q[i + IPOPT_OLEN];
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: esp.h,v 1.6 2000/01/06 07:31:11 itojun Exp $ */
|
||||
/* $NetBSD: esp.h,v 1.7 2000/01/31 14:19:02 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -71,28 +71,27 @@ struct esptail {
|
||||
};
|
||||
|
||||
struct esp_algorithm_state {
|
||||
struct secas *sa;
|
||||
struct secasvar *sav;
|
||||
void* foo; /*per algorithm data - maybe*/
|
||||
};
|
||||
|
||||
/* XXX yet to be defined */
|
||||
struct esp_algorithm {
|
||||
size_t padbound; /* pad boundary, in byte */
|
||||
int (*mature) __P((struct secas *));
|
||||
int (*mature) __P((struct secasvar *));
|
||||
int keymin; /* in bits */
|
||||
int keymax; /* in bits */
|
||||
int (*ivlen) __P((struct secas *));
|
||||
int (*ivlen) __P((struct secasvar *));
|
||||
int (*decrypt) __P((struct mbuf *, size_t,
|
||||
struct secas *, struct esp_algorithm *, int));
|
||||
struct secasvar *, struct esp_algorithm *, int));
|
||||
int (*encrypt) __P((struct mbuf *, size_t, size_t,
|
||||
struct secas *, struct esp_algorithm *, int));
|
||||
struct secasvar *, struct esp_algorithm *, int));
|
||||
};
|
||||
|
||||
#ifdef _KERNEL
|
||||
extern struct esp_algorithm esp_algorithms[];
|
||||
|
||||
/* crypt routines */
|
||||
struct secasb;
|
||||
extern int esp4_output __P((struct mbuf *, struct ipsecrequest *));
|
||||
extern void esp4_input __P((struct mbuf *, ...));
|
||||
extern size_t esp_hdrsiz __P((struct ipsecrequest *));
|
||||
@ -104,8 +103,8 @@ extern int esp6_input __P((struct mbuf **, int *, int));
|
||||
#endif /* INET6 */
|
||||
#endif /*_KERNEL*/
|
||||
|
||||
struct secas;
|
||||
struct secasvar;
|
||||
extern int esp_auth __P((struct mbuf *, size_t, size_t,
|
||||
struct secas *, u_char *));
|
||||
struct secasvar *, u_char *));
|
||||
|
||||
#endif /*_NETINET6_ESP_H_*/
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: in6_pcb.c,v 1.13 2000/01/26 17:06:36 itojun Exp $ */
|
||||
/* $NetBSD: in6_pcb.c,v 1.14 2000/01/31 14:19:02 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -731,8 +731,6 @@ in6_pcbdetach(in6p)
|
||||
struct socket *so = in6p->in6p_socket;
|
||||
|
||||
#ifdef IPSEC
|
||||
if (sotoin6pcb(so) != 0)
|
||||
key_freeso(so);
|
||||
ipsec6_delete_pcbpolicy(in6p);
|
||||
#endif /* IPSEC */
|
||||
sotoin6pcb(so) = 0;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: in6_pcb.h,v 1.7 1999/12/27 06:38:47 itojun Exp $ */
|
||||
/* $NetBSD: in6_pcb.h,v 1.8 2000/01/31 14:19:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -77,6 +77,7 @@
|
||||
* control block.
|
||||
*/
|
||||
struct icmp6_filter;
|
||||
struct inpcbpolicy;
|
||||
|
||||
struct in6pcb {
|
||||
struct in6pcb *in6p_next, *in6p_prev;
|
||||
@ -102,9 +103,7 @@ struct in6pcb {
|
||||
LIST_ENTRY(in6pcb) in6p_hlist; /* hash chain */
|
||||
u_long in6p_hash; /* hash value */
|
||||
#if 1 /*IPSEC*/
|
||||
struct secpolicy *in6p_sp; /* security policy. It may not be
|
||||
* used according to policy selection.
|
||||
*/
|
||||
struct inpcbpolicy *in6p_sp; /* security policy. */
|
||||
#endif
|
||||
struct icmp6_filter *in6p_icmp6filt;
|
||||
int in6p_cksum; /* IPV6_CHECKSUM setsockopt */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip6_forward.c,v 1.6 2000/01/06 15:46:09 itojun Exp $ */
|
||||
/* $NetBSD: ip6_forward.c,v 1.7 2000/01/31 14:19:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -46,6 +46,7 @@
|
||||
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_var.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet6/ip6.h>
|
||||
#include <netinet6/ip6_var.h>
|
||||
#include <netinet6/icmp6.h>
|
||||
@ -327,8 +328,37 @@ ip6_forward(m, srcrt)
|
||||
in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
|
||||
if (mcopy) {
|
||||
u_long mtu;
|
||||
#ifdef IPSEC_IPV6FWD
|
||||
struct secpolicy *sp;
|
||||
int ipsecerror;
|
||||
size_t ipsechdrsiz;
|
||||
#endif
|
||||
|
||||
mtu = rt->rt_ifp->if_mtu;
|
||||
#ifdef IPSEC_IPV6FWD
|
||||
/*
|
||||
* When we do IPsec tunnel ingress, we need to play
|
||||
* with if_mtu value (decrement IPsec header size
|
||||
* from mtu value). The code is much simpler than v4
|
||||
* case, as we have the outgoing interface for
|
||||
* encapsulated packet as "rt->rt_ifp".
|
||||
*/
|
||||
sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
|
||||
IP_FORWARDING, &ipsecerror);
|
||||
if (sp) {
|
||||
ipsechdrsiz = ipsec6_hdrsiz(mcopy,
|
||||
IPSEC_DIR_OUTBOUND, NULL);
|
||||
if (ipsechdrsiz < mtu)
|
||||
mtu -= ipsechdrsiz;
|
||||
}
|
||||
|
||||
/*
|
||||
* if mtu becomes less than minimum MTU,
|
||||
* tell minimum MTU (and I'll need to fragment it).
|
||||
*/
|
||||
if (mtu < IPV6_MMTU)
|
||||
mtu = IPV6_MMTU;
|
||||
#endif
|
||||
icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
|
||||
}
|
||||
m_freem(m);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip6_output.c,v 1.12 2000/01/26 17:06:37 itojun Exp $ */
|
||||
/* $NetBSD: ip6_output.c,v 1.13 2000/01/31 14:19:03 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -191,9 +191,9 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
|
||||
#ifdef IPSEC
|
||||
/* get a security policy for this packet */
|
||||
if (so == NULL)
|
||||
sp = ipsec6_getpolicybyaddr(m, 0, &error);
|
||||
sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
|
||||
else
|
||||
sp = ipsec6_getpolicybysock(m, so, &error);
|
||||
sp = ipsec6_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
|
||||
|
||||
if (sp == NULL) {
|
||||
ipsec6stat.out_inval++;
|
||||
@ -1295,19 +1295,19 @@ ip6_ctloutput(op, so, level, optname, mp)
|
||||
case IPV6_IPSEC_POLICY:
|
||||
{
|
||||
caddr_t req = NULL;
|
||||
int len = 0;
|
||||
size_t len = 0;
|
||||
|
||||
int priv = 0;
|
||||
if (p == 0 || suser(p->p_ucred, &p->p_acflag))
|
||||
priv = 0;
|
||||
else
|
||||
priv = 1;
|
||||
if (m != 0) {
|
||||
if (m) {
|
||||
req = mtod(m, caddr_t);
|
||||
len = m->m_len;
|
||||
}
|
||||
error = ipsec_set_policy(&in6p->in6p_sp,
|
||||
optname, req, len,
|
||||
priv);
|
||||
error = ipsec6_set_policy(in6p,
|
||||
optname, req, len, priv);
|
||||
}
|
||||
break;
|
||||
#endif /* IPSEC */
|
||||
@ -1452,8 +1452,17 @@ ip6_ctloutput(op, so, level, optname, mp)
|
||||
|
||||
#ifdef IPSEC
|
||||
case IPV6_IPSEC_POLICY:
|
||||
error = ipsec_get_policy(in6p->in6p_sp, mp);
|
||||
{
|
||||
caddr_t req = NULL;
|
||||
size_t len = 0;
|
||||
|
||||
if (m) {
|
||||
req = mtod(m, caddr_t);
|
||||
len = m->m_len;
|
||||
}
|
||||
error = ipsec6_get_policy(in6p, req, len, mp);
|
||||
break;
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
|
||||
default:
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipcomp_core.c,v 1.8 2000/01/26 17:08:41 itojun Exp $ */
|
||||
/* $NetBSD: ipcomp_core.c,v 1.9 2000/01/31 14:19:04 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1999 WIDE Project.
|
||||
@ -46,6 +46,7 @@
|
||||
#include <sys/time.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/syslog.h>
|
||||
#include <sys/queue.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
@ -54,6 +55,7 @@
|
||||
#include <machine/cpu.h>
|
||||
|
||||
#include <netinet6/ipcomp.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
#include <machine/stdarg.h>
|
||||
|
||||
@ -83,10 +85,6 @@ struct ipcomp_algorithm ipcomp_algorithms[] = {
|
||||
{ NULL, NULL, 90 },
|
||||
};
|
||||
|
||||
#ifdef __NetBSD__
|
||||
#define ovbcopy bcopy
|
||||
#endif
|
||||
|
||||
static void *
|
||||
deflate_alloc(aux, items, siz)
|
||||
void *aux;
|
||||
@ -238,18 +236,18 @@ deflate_common(m, md, lenp, mode)
|
||||
} else if (zerror == Z_STREAM_END)
|
||||
break;
|
||||
else {
|
||||
printf("ipcomp_%scompress: %sflate: %s\n",
|
||||
ipseclog((LOG_ERR, "ipcomp_%scompress: %sflate: %s\n",
|
||||
mode ? "de" : "", mode ? "in" : "de",
|
||||
zs.msg ? zs.msg : "unknown error");
|
||||
zs.msg ? zs.msg : "unknown error"));
|
||||
error = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
zerror = mode ? inflateEnd(&zs) : deflateEnd(&zs);
|
||||
if (zerror != Z_OK) {
|
||||
printf("ipcomp_%scompress: %sflate: %s\n",
|
||||
ipseclog((LOG_ERR, "ipcomp_%scompress: %sflate: %s\n",
|
||||
mode ? "de" : "", mode ? "in" : "de",
|
||||
zs.msg ? zs.msg : "unknown error");
|
||||
zs.msg ? zs.msg : "unknown error"));
|
||||
error = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipcomp_input.c,v 1.7 2000/01/06 15:46:10 itojun Exp $ */
|
||||
/* $NetBSD: ipcomp_input.c,v 1.8 2000/01/31 14:19:05 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1999 WIDE Project.
|
||||
@ -62,7 +62,6 @@
|
||||
|
||||
#ifdef INET6
|
||||
#include <netinet6/ip6.h>
|
||||
#include <netinet6/in6_pcb.h>
|
||||
#include <netinet6/ip6_var.h>
|
||||
#endif
|
||||
#include <netinet6/ipcomp.h>
|
||||
@ -74,11 +73,9 @@
|
||||
|
||||
#include <machine/stdarg.h>
|
||||
|
||||
#define IPLEN_FLIPPED
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
#ifdef __NetBSD__
|
||||
#define ovbcopy bcopy
|
||||
#endif
|
||||
#define IPLEN_FLIPPED
|
||||
|
||||
#ifdef INET
|
||||
extern struct protosw inetsw[];
|
||||
@ -101,7 +98,7 @@ ipcomp4_input(m, va_alist)
|
||||
size_t hlen;
|
||||
int error;
|
||||
size_t newlen, olen;
|
||||
struct secas *sa = NULL;
|
||||
struct secasvar *sav = NULL;
|
||||
int off, proto;
|
||||
va_list ap;
|
||||
|
||||
@ -112,23 +109,27 @@ ipcomp4_input(m, va_alist)
|
||||
|
||||
if (off + sizeof(struct ipcomp) > MHLEN) {
|
||||
/*XXX the restriction should be relaxed*/
|
||||
printf("IPv4 IPComp input: assumption failed (header too long)\n");
|
||||
ipseclog((LOG_DEBUG, "IPv4 IPComp input: assumption failed "
|
||||
"(header too long)\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
if (m->m_len < off + sizeof(struct ipcomp)) {
|
||||
m = m_pullup(m, off + sizeof(struct ipcomp));
|
||||
if (!m) {
|
||||
printf("IPv4 IPComp input: can't pullup;"
|
||||
"dropping the packet for simplicity\n");
|
||||
ipsecstat.in_inval++;
|
||||
ipseclog((LOG_DEBUG, "IPv4 IPComp input: can't pullup;"
|
||||
"dropping the packet for simplicity\n"));
|
||||
ipsecstat.in_nomem++;
|
||||
goto fail;
|
||||
}
|
||||
} else if (m->m_len > off + sizeof(struct ipcomp)) {
|
||||
/* chop header part from the packet header chain */
|
||||
struct mbuf *n;
|
||||
MGETHDR(n, M_DONTWAIT, MT_HEADER);
|
||||
if (!n)
|
||||
if (!n) {
|
||||
ipsecstat.in_nomem++;
|
||||
goto fail;
|
||||
}
|
||||
M_COPY_PKTHDR(n, m);
|
||||
MH_ALIGN(n, off + sizeof(struct ipcomp));
|
||||
n->m_len = off + sizeof(struct ipcomp);
|
||||
@ -152,12 +153,12 @@ ipcomp4_input(m, va_alist)
|
||||
cpi = ntohs(ipcomp->comp_cpi);
|
||||
|
||||
if (cpi >= IPCOMP_CPI_NEGOTIATE_MIN) {
|
||||
sa = key_allocsa(AF_INET, (caddr_t)&ip->ip_src,
|
||||
sav = key_allocsa(AF_INET, (caddr_t)&ip->ip_src,
|
||||
(caddr_t)&ip->ip_dst, IPPROTO_IPCOMP, htonl(cpi));
|
||||
if (sa != NULL
|
||||
&& (sa->state == SADB_SASTATE_MATURE
|
||||
|| sa->state == SADB_SASTATE_DYING)) {
|
||||
cpi = sa->alg_enc; /*XXX*/
|
||||
if (sav != NULL
|
||||
&& (sav->state == SADB_SASTATE_MATURE
|
||||
|| sav->state == SADB_SASTATE_DYING)) {
|
||||
cpi = sav->alg_enc; /*XXX*/
|
||||
/* other parameters to look at? */
|
||||
}
|
||||
}
|
||||
@ -166,8 +167,8 @@ ipcomp4_input(m, va_alist)
|
||||
else
|
||||
algo = NULL;
|
||||
if (!algo) {
|
||||
printf("IPv4 IPComp input: unknown cpi %u; "
|
||||
"dropping the packet for simplicity\n", cpi);
|
||||
ipseclog((LOG_WARNING, "IPv4 IPComp input: unknown cpi %u\n",
|
||||
cpi));
|
||||
ipsecstat.in_nosa++;
|
||||
goto fail;
|
||||
}
|
||||
@ -186,9 +187,14 @@ ipcomp4_input(m, va_alist)
|
||||
newlen = m->m_pkthdr.len - off;
|
||||
error = (*algo->decompress)(m, m->m_next, &newlen);
|
||||
if (error != 0) {
|
||||
if (error == EINVAL)
|
||||
ipsecstat.in_inval++;
|
||||
else if (error == ENOBUFS)
|
||||
ipsecstat.in_nomem++;
|
||||
m = NULL;
|
||||
goto fail;
|
||||
}
|
||||
ipsecstat.in_comphist[cpi]++;
|
||||
|
||||
/*
|
||||
* returning decompressed packet onto icmp is meaningless.
|
||||
@ -224,10 +230,10 @@ ipcomp4_input(m, va_alist)
|
||||
ip->ip_p = nxt;
|
||||
}
|
||||
|
||||
if (sa) {
|
||||
key_sa_recordxfer(sa, m);
|
||||
key_freesa(sa);
|
||||
sa = NULL;
|
||||
if (sav) {
|
||||
key_sa_recordxfer(sav, m);
|
||||
key_freesav(sav);
|
||||
sav = NULL;
|
||||
}
|
||||
|
||||
if (nxt != IPPROTO_DONE)
|
||||
@ -240,8 +246,8 @@ ipcomp4_input(m, va_alist)
|
||||
return;
|
||||
|
||||
fail:
|
||||
if (sa)
|
||||
key_freesa(sa);
|
||||
if (sav)
|
||||
key_freesav(sav);
|
||||
if (m)
|
||||
m_freem(m);
|
||||
return;
|
||||
@ -264,7 +270,7 @@ ipcomp6_input(mp, offp, proto)
|
||||
u_int16_t nxt;
|
||||
int error;
|
||||
size_t newlen;
|
||||
struct secas *sa = NULL;
|
||||
struct secasvar *sav = NULL;
|
||||
|
||||
m = *mp;
|
||||
off = *offp;
|
||||
@ -286,11 +292,13 @@ ipcomp6_input(mp, offp, proto)
|
||||
break;
|
||||
}
|
||||
if (!n) {
|
||||
printf("IPv6 IPComp input: wrong mbuf chain\n");
|
||||
ipseclog((LOG_DEBUG, "IPv6 IPComp input: wrong mbuf chain\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
if (n->m_len < skip + sizeof(struct ipcomp)) {
|
||||
printf("IPv6 IPComp input: wrong mbuf chain\n");
|
||||
ipseclog((LOG_DEBUG, "IPv6 IPComp input: wrong mbuf chain\n"));
|
||||
ipsecstat.in_inval++;
|
||||
goto fail;
|
||||
}
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
@ -300,8 +308,10 @@ ipcomp6_input(mp, offp, proto)
|
||||
/* split mbuf to ease the following steps*/
|
||||
l = n->m_len - (skip + sizeof(struct ipcomp));
|
||||
p = m_copym(n, skip + sizeof(struct ipcomp), l , M_DONTWAIT);
|
||||
if (!p)
|
||||
if (!p) {
|
||||
ipsecstat.in_nomem++;
|
||||
goto fail;
|
||||
}
|
||||
for (q = p; q && q->m_next; q = q->m_next)
|
||||
;
|
||||
q->m_next = n->m_next;
|
||||
@ -316,12 +326,12 @@ ipcomp6_input(mp, offp, proto)
|
||||
cpi = ntohs(ipcomp->comp_cpi);
|
||||
|
||||
if (cpi >= IPCOMP_CPI_NEGOTIATE_MIN) {
|
||||
sa = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src,
|
||||
sav = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src,
|
||||
(caddr_t)&ip6->ip6_dst, IPPROTO_IPCOMP, htonl(cpi));
|
||||
if (sa != NULL
|
||||
&& (sa->state == SADB_SASTATE_MATURE
|
||||
|| sa->state == SADB_SASTATE_DYING)) {
|
||||
cpi = sa->alg_enc; /*XXX*/
|
||||
if (sav != NULL
|
||||
&& (sav->state == SADB_SASTATE_MATURE
|
||||
|| sav->state == SADB_SASTATE_DYING)) {
|
||||
cpi = sav->alg_enc; /*XXX*/
|
||||
/* other parameters to look at? */
|
||||
}
|
||||
}
|
||||
@ -330,8 +340,8 @@ ipcomp6_input(mp, offp, proto)
|
||||
else
|
||||
algo = NULL;
|
||||
if (!algo) {
|
||||
printf("IPv6 IPComp input: unknown cpi %u; "
|
||||
"dropping the packet for simplicity\n", cpi);
|
||||
ipseclog((LOG_WARNING, "IPv6 IPComp input: unknown cpi %u; "
|
||||
"dropping the packet for simplicity\n", cpi));
|
||||
ipsec6stat.in_nosa++;
|
||||
goto fail;
|
||||
}
|
||||
@ -339,9 +349,14 @@ ipcomp6_input(mp, offp, proto)
|
||||
newlen = m->m_pkthdr.len - off - sizeof(struct ipcomp);
|
||||
error = (*algo->decompress)(m, md, &newlen);
|
||||
if (error != 0) {
|
||||
if (error == EINVAL)
|
||||
ipsec6stat.in_inval++;
|
||||
else if (error == ENOBUFS)
|
||||
ipsec6stat.in_nomem++;
|
||||
m = NULL;
|
||||
goto fail;
|
||||
}
|
||||
ipsec6stat.in_comphist[cpi]++;
|
||||
m->m_pkthdr.len = off + sizeof(struct ipcomp) + newlen;
|
||||
|
||||
/*
|
||||
@ -367,10 +382,10 @@ ipcomp6_input(mp, offp, proto)
|
||||
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
|
||||
}
|
||||
|
||||
if (sa) {
|
||||
key_sa_recordxfer(sa, m);
|
||||
key_freesa(sa);
|
||||
sa = NULL;
|
||||
if (sav) {
|
||||
key_sa_recordxfer(sav, m);
|
||||
key_freesav(sav);
|
||||
sav = NULL;
|
||||
}
|
||||
*offp = off;
|
||||
*mp = m;
|
||||
@ -380,8 +395,8 @@ ipcomp6_input(mp, offp, proto)
|
||||
fail:
|
||||
if (m)
|
||||
m_freem(m);
|
||||
if (sa)
|
||||
key_freesa(sa);
|
||||
if (sav)
|
||||
key_freesav(sav);
|
||||
return IPPROTO_DONE;
|
||||
}
|
||||
#endif /* INET6 */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipcomp_output.c,v 1.7 2000/01/06 15:46:10 itojun Exp $ */
|
||||
/* $NetBSD: ipcomp_output.c,v 1.8 2000/01/31 14:19:05 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1999 WIDE Project.
|
||||
@ -62,7 +62,6 @@
|
||||
|
||||
#ifdef INET6
|
||||
#include <netinet6/ip6.h>
|
||||
#include <netinet6/in6_pcb.h>
|
||||
#include <netinet6/ip6_var.h>
|
||||
#endif
|
||||
#include <netinet6/ipcomp.h>
|
||||
@ -74,9 +73,7 @@
|
||||
|
||||
#include <machine/stdarg.h>
|
||||
|
||||
#ifdef __NetBSD__
|
||||
#define ovbcopy bcopy
|
||||
#endif
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
static int ipcomp_output __P((struct mbuf *, u_char *, struct mbuf *,
|
||||
struct ipsecrequest *, int));
|
||||
@ -111,7 +108,7 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
struct mbuf *md0;
|
||||
struct mbuf *mprev;
|
||||
struct ipcomp *ipcomp;
|
||||
struct secas *sa = isr->sa;
|
||||
struct secasvar *sav = isr->sav;
|
||||
struct ipcomp_algorithm *algo;
|
||||
u_int16_t cpi; /* host order */
|
||||
size_t plen0, plen; /*payload length to be compressed*/
|
||||
@ -131,22 +128,22 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
printf("ipcomp_output: unsupported af %d\n", af);
|
||||
ipseclog((LOG_ERR, "ipcomp_output: unsupported af %d\n", af));
|
||||
return 0; /* no change at all */
|
||||
}
|
||||
|
||||
/* grab parameters */
|
||||
if ((ntohl(sa->spi) & ~0xffff) != 0 || sa->alg_enc >= IPCOMP_MAX
|
||||
|| ipcomp_algorithms[sa->alg_enc].compress == NULL) {
|
||||
if ((ntohl(sav->spi) & ~0xffff) != 0 || sav->alg_enc >= IPCOMP_MAX
|
||||
|| ipcomp_algorithms[sav->alg_enc].compress == NULL) {
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
return EINVAL;
|
||||
}
|
||||
if ((sa->flags & SADB_X_EXT_RAWCPI) == 0)
|
||||
cpi = sa->alg_enc;
|
||||
if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
|
||||
cpi = sav->alg_enc;
|
||||
else
|
||||
cpi = ntohl(sa->spi) & 0xffff;
|
||||
algo = &ipcomp_algorithms[sa->alg_enc]; /*XXX*/
|
||||
cpi = ntohl(sav->spi) & 0xffff;
|
||||
algo = &ipcomp_algorithms[sav->alg_enc]; /*XXX*/
|
||||
|
||||
/* compute original payload length */
|
||||
plen = 0;
|
||||
@ -172,7 +169,20 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
|
||||
;
|
||||
if (mprev == NULL || mprev->m_next != md) {
|
||||
printf("ipcomp%d_output: md is not in chain\n", afnumber);
|
||||
ipseclog((LOG_DEBUG, "ipcomp%d_output: md is not in chain\n",
|
||||
afnumber));
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
ipsecstat.out_inval++;
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
ipsec6stat.out_inval++;
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
m_freem(m);
|
||||
m_freem(md0);
|
||||
return EINVAL;
|
||||
@ -188,7 +198,7 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
|
||||
/* compress data part */
|
||||
if ((*algo->compress)(m, md, &plen) || mprev->m_next == NULL) {
|
||||
printf("packet compression failure\n");
|
||||
ipseclog((LOG_ERR, "packet compression failure\n"));
|
||||
m = NULL;
|
||||
m_freem(md0);
|
||||
switch (af) {
|
||||
@ -206,6 +216,18 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
error = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
ipsecstat.out_comphist[sav->alg_enc]++;
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
ipsec6stat.out_comphist[sav->alg_enc]++;
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
md = mprev->m_next;
|
||||
|
||||
/*
|
||||
@ -292,7 +314,8 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
if (compoff + complen + plen < IP_MAXPACKET)
|
||||
ip->ip_len = htons(compoff + complen + plen);
|
||||
else {
|
||||
printf("IPv4 ESP output: size exceeds limit\n");
|
||||
ipseclog((LOG_ERR,
|
||||
"IPv4 ESP output: size exceeds limit\n"));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
error = EMSGSIZE;
|
||||
@ -309,8 +332,21 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
}
|
||||
|
||||
if (!m) {
|
||||
printf("NULL mbuf after compression in ipcomp%d_output",
|
||||
afnumber);
|
||||
ipseclog((LOG_DEBUG,
|
||||
"NULL mbuf after compression in ipcomp%d_output",
|
||||
afnumber));
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
ipsecstat.out_inval++;
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
ipsec6stat.out_inval++;
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
} else {
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
@ -329,17 +365,17 @@ ipcomp_output(m, nexthdrp, md, isr, af)
|
||||
switch (af) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
ipsecstat.out_esphist[sa->alg_enc]++;
|
||||
ipsecstat.out_esphist[sav->alg_enc]++;
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
ipsec6stat.out_esphist[sa->alg_enc]++;
|
||||
ipsec6stat.out_esphist[sav->alg_enc]++;
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
key_sa_recordxfer(sa, m);
|
||||
key_sa_recordxfer(sav, m);
|
||||
return 0;
|
||||
|
||||
fail:
|
||||
@ -358,7 +394,8 @@ ipcomp4_output(m, isr)
|
||||
{
|
||||
struct ip *ip;
|
||||
if (m->m_len < sizeof(struct ip)) {
|
||||
printf("ipcomp4_output: first mbuf too short\n");
|
||||
ipseclog((LOG_DEBUG, "ipcomp4_output: first mbuf too short\n"));
|
||||
ipsecstat.out_inval++;
|
||||
m_freem(m);
|
||||
return NULL;
|
||||
}
|
||||
@ -377,7 +414,8 @@ ipcomp6_output(m, nexthdrp, md, isr)
|
||||
struct ipsecrequest *isr;
|
||||
{
|
||||
if (m->m_len < sizeof(struct ip6_hdr)) {
|
||||
printf("ipcomp6_output: first mbuf too short\n");
|
||||
ipseclog((LOG_DEBUG, "ipcomp6_output: first mbuf too short\n"));
|
||||
ipsec6stat.out_inval++;
|
||||
m_freem(m);
|
||||
return NULL;
|
||||
}
|
||||
|
1650
sys/netinet6/ipsec.c
1650
sys/netinet6/ipsec.c
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec.h,v 1.8 2000/01/06 15:46:10 itojun Exp $ */
|
||||
/* $NetBSD: ipsec.h,v 1.9 2000/01/31 14:19:06 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -45,16 +45,35 @@
|
||||
|
||||
#ifdef _KERNEL
|
||||
|
||||
/*
|
||||
* Security Policy Index
|
||||
* NOTE: Encure to be same address family and upper layer protocol.
|
||||
* NOTE: ul_proto, port number, uid, gid:
|
||||
* ANY: reserved for waldcard.
|
||||
* 0 to (~0 - 1): is one of the number of each value.
|
||||
*/
|
||||
struct secpolicyindex {
|
||||
u_int8_t dir; /* direction of packet flow, see blow */
|
||||
struct sockaddr_storage src; /* IP src address for SP */
|
||||
struct sockaddr_storage dst; /* IP dst address for SP */
|
||||
u_int8_t prefs; /* prefix length in bits for src */
|
||||
u_int8_t prefd; /* prefix length in bits for dst */
|
||||
u_int16_t ul_proto; /* upper layer Protocol */
|
||||
#ifdef notyet
|
||||
uid_t uids;
|
||||
uid_t uidd;
|
||||
gid_t gids;
|
||||
gid_t gidd;
|
||||
#endif
|
||||
};
|
||||
|
||||
/* Security Policy Data Base */
|
||||
struct secpolicy {
|
||||
struct secpolicy *next;
|
||||
struct secpolicy *prev;
|
||||
struct keytree *spt; /* back pointer to the top of SPD */
|
||||
LIST_ENTRY(secpolicy) chain;
|
||||
|
||||
struct secindex idx; /* index */
|
||||
|
||||
int refcnt; /* reference count */
|
||||
u_int state; /* 0: dead, others: alive */
|
||||
int refcnt; /* reference count */
|
||||
struct secpolicyindex spidx; /* selector */
|
||||
u_int state; /* 0: dead, others: alive */
|
||||
#define IPSEC_SPSTATE_DEAD 0
|
||||
#define IPSEC_SPSTATE_ALIVE 1
|
||||
|
||||
@ -68,22 +87,44 @@ struct secpolicy {
|
||||
struct ipsecrequest {
|
||||
struct ipsecrequest *next;
|
||||
/* pointer to next structure */
|
||||
/* If 0, it means end of chain. */
|
||||
|
||||
u_int proto; /* IPPROTO_ESP or IPPROTO_AH */
|
||||
u_int mode; /* mode for security protocol, see below. */
|
||||
/* If NULL, it means the end of chain. */
|
||||
struct secasindex saidx;/* hint for search proper SA */
|
||||
/* if __ss_len == 0 then no address specified.*/
|
||||
u_int level; /* IPsec level defined below. */
|
||||
struct sockaddr *proxy; /* Destination address in Outer IP header. */
|
||||
/* If mode == TRANSPORT, it must be set NULL. */
|
||||
struct secas *sa; /* place holder for the security association */
|
||||
|
||||
struct secasvar *sav; /* place holder of SA for use */
|
||||
struct secpolicy *sp; /* back pointer to SP */
|
||||
};
|
||||
|
||||
/* security policy in PCB */
|
||||
struct inpcbpolicy {
|
||||
struct secpolicy *sp_in;
|
||||
struct secpolicy *sp_out;
|
||||
int priv; /* privileged socket ? */
|
||||
};
|
||||
#endif /*_KERNEL*/
|
||||
|
||||
#define IPSEC_MODE_TRANSPORT 0
|
||||
#define IPSEC_MODE_TUNNEL 1
|
||||
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
|
||||
#define IPSEC_PORT_ANY 0
|
||||
#define IPSEC_ULPROTO_ANY 255
|
||||
#define IPSEC_PROTO_ANY 255
|
||||
|
||||
/* mode of security protocol */
|
||||
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
|
||||
#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
|
||||
#define IPSEC_MODE_TRANSPORT 1
|
||||
#define IPSEC_MODE_TUNNEL 2
|
||||
|
||||
/*
|
||||
* Direction of security policy.
|
||||
* NOTE: Since INVALID is used just as flag.
|
||||
* The other are used for loop counter too.
|
||||
*/
|
||||
#define IPSEC_DIR_ANY 0
|
||||
#define IPSEC_DIR_INBOUND 1
|
||||
#define IPSEC_DIR_OUTBOUND 2
|
||||
#define IPSEC_DIR_MAX 3
|
||||
#define IPSEC_DIR_INVALID 4
|
||||
|
||||
/* Policy level */
|
||||
/*
|
||||
@ -101,15 +142,29 @@ struct ipsecrequest {
|
||||
#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
|
||||
#define IPSEC_LEVEL_USE 1 /* use SA if present. */
|
||||
#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
|
||||
#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
|
||||
|
||||
#define IPSEC_MANUAL_REQID_MAX 0x3fff
|
||||
/*
|
||||
* if security policy level == unique, this id
|
||||
* indicate to a relative SA for use, else is
|
||||
* zero.
|
||||
* 1 - 0x3fff are reserved for manual keying.
|
||||
* 0 are reserved for above reason. Others is
|
||||
* for kernel use.
|
||||
* Note that this id doesn't identify SA
|
||||
* by only itself.
|
||||
*/
|
||||
#define IPSEC_REPLAYWSIZE 32
|
||||
|
||||
/* statistics for ipsec processing */
|
||||
struct ipsecstat {
|
||||
u_quad_t in_success; /* succeeded inbound process */
|
||||
u_quad_t in_polvio; /* security policy violation for inbound process */
|
||||
u_quad_t in_nosa; /* inbound SA is unavailable */
|
||||
u_quad_t in_inval; /* inbound processing failed due to EINVAL */
|
||||
u_quad_t in_success; /* succeeded inbound process */
|
||||
u_quad_t in_polvio;
|
||||
/* security policy violation for inbound process */
|
||||
u_quad_t in_nosa; /* inbound SA is unavailable */
|
||||
u_quad_t in_inval; /* inbound processing failed due to EINVAL */
|
||||
u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
|
||||
u_quad_t in_badspi; /* failed getting a SPI */
|
||||
u_quad_t in_ahreplay; /* AH replay check failed */
|
||||
u_quad_t in_espreplay; /* ESP replay check failed */
|
||||
@ -117,15 +172,19 @@ struct ipsecstat {
|
||||
u_quad_t in_ahauthfail; /* AH authentication failure */
|
||||
u_quad_t in_espauthsucc; /* ESP authentication success */
|
||||
u_quad_t in_espauthfail; /* ESP authentication failure */
|
||||
u_quad_t in_esphist[SADB_EALG_MAX];
|
||||
u_quad_t in_ahhist[SADB_AALG_MAX];
|
||||
u_quad_t in_esphist[256];
|
||||
u_quad_t in_ahhist[256];
|
||||
u_quad_t in_comphist[256];
|
||||
u_quad_t out_success; /* succeeded outbound process */
|
||||
u_quad_t out_polvio; /* security policy violation for outbound process */
|
||||
u_quad_t out_polvio;
|
||||
/* security policy violation for outbound process */
|
||||
u_quad_t out_nosa; /* outbound SA is unavailable */
|
||||
u_quad_t out_inval; /* outbound process failed due to EINVAL */
|
||||
u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
|
||||
u_quad_t out_noroute; /* there is no route */
|
||||
u_quad_t out_esphist[SADB_EALG_MAX];
|
||||
u_quad_t out_ahhist[SADB_AALG_MAX];
|
||||
u_quad_t out_esphist[256];
|
||||
u_quad_t out_ahhist[256];
|
||||
u_quad_t out_comphist[256];
|
||||
};
|
||||
|
||||
/*
|
||||
@ -145,7 +204,8 @@ struct ipsecstat {
|
||||
#define IPSECCTL_AH_OFFSETMASK 9
|
||||
#define IPSECCTL_DFBIT 10
|
||||
#define IPSECCTL_ECN 11
|
||||
#define IPSECCTL_MAXID 12
|
||||
#define IPSECCTL_DEBUG 12
|
||||
#define IPSECCTL_MAXID 13
|
||||
|
||||
#define IPSECCTL_NAMES { \
|
||||
{ 0, 0 }, \
|
||||
@ -160,6 +220,7 @@ struct ipsecstat {
|
||||
{ "ah_offsetmask", CTLTYPE_INT }, \
|
||||
{ "dfbit", CTLTYPE_INT }, \
|
||||
{ "ecn", CTLTYPE_INT }, \
|
||||
{ "debug", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
#define IPSEC6CTL_NAMES { \
|
||||
@ -175,6 +236,7 @@ struct ipsecstat {
|
||||
{ 0, 0 }, \
|
||||
{ 0, 0 }, \
|
||||
{ "ecn", CTLTYPE_INT }, \
|
||||
{ "debug", CTLTYPE_INT }, \
|
||||
}
|
||||
|
||||
#define IPSECCTL_VARS { \
|
||||
@ -190,6 +252,7 @@ struct ipsecstat {
|
||||
&ip4_ah_offsetmask, \
|
||||
&ip4_ipsec_dfbit, \
|
||||
&ip4_ipsec_ecn, \
|
||||
&ipsec_debug, \
|
||||
}
|
||||
|
||||
#define IPSEC6CTL_VARS { \
|
||||
@ -205,6 +268,7 @@ struct ipsecstat {
|
||||
0, \
|
||||
0, \
|
||||
&ip6_ipsec_ecn, \
|
||||
&ipsec_debug, \
|
||||
}
|
||||
|
||||
#ifdef _KERNEL
|
||||
@ -214,6 +278,9 @@ struct ipsec_output_state {
|
||||
struct sockaddr *dst;
|
||||
};
|
||||
|
||||
extern int ipsec_debug;
|
||||
|
||||
#ifdef INET
|
||||
extern struct ipsecstat ipsecstat;
|
||||
extern struct secpolicy ip4_def_policy;
|
||||
extern int ip4_esp_trans_deflev;
|
||||
@ -225,6 +292,7 @@ extern int ip4_ah_cleartos;
|
||||
extern int ip4_ah_offsetmask;
|
||||
extern int ip4_ipsec_dfbit;
|
||||
extern int ip4_ipsec_ecn;
|
||||
#endif
|
||||
|
||||
#ifdef INET6
|
||||
extern struct ipsecstat ipsec6stat;
|
||||
@ -237,54 +305,61 @@ extern int ip6_inbound_call_ike;
|
||||
extern int ip6_ipsec_ecn;
|
||||
#endif
|
||||
|
||||
#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
|
||||
|
||||
extern struct secpolicy *ipsec4_getpolicybysock
|
||||
__P((struct mbuf *, struct socket *, int *));
|
||||
__P((struct mbuf *, u_int, struct socket *, int *));
|
||||
extern struct secpolicy *ipsec4_getpolicybyaddr
|
||||
__P((struct mbuf *, int, int *));
|
||||
__P((struct mbuf *, u_int, int, int *));
|
||||
|
||||
#ifdef INET6
|
||||
extern struct secpolicy *ipsec6_getpolicybysock
|
||||
__P((struct mbuf *, struct socket *, int *));
|
||||
__P((struct mbuf *, u_int, struct socket *, int *));
|
||||
extern struct secpolicy *ipsec6_getpolicybyaddr
|
||||
__P((struct mbuf *, int, int *));
|
||||
__P((struct mbuf *, u_int, int, int *));
|
||||
#endif /*INET6*/
|
||||
|
||||
struct inpcb;
|
||||
#ifdef INET6
|
||||
struct in6pcb;
|
||||
#endif
|
||||
extern int ipsec_init_policy __P((struct secpolicy **));
|
||||
extern struct secpolicy *ipsec_copy_policy __P((struct secpolicy *));
|
||||
extern int ipsec_set_policy __P((struct secpolicy **, int, caddr_t, int, int));
|
||||
extern int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
|
||||
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
|
||||
#ifdef INET6
|
||||
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
|
||||
#endif
|
||||
extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **));
|
||||
extern int ipsec_copy_policy
|
||||
__P((struct inpcbpolicy *, struct inpcbpolicy *));
|
||||
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));
|
||||
|
||||
extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,
|
||||
caddr_t request, size_t len, int priv));
|
||||
extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,
|
||||
size_t len, struct mbuf **mp));
|
||||
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
|
||||
extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *));
|
||||
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
|
||||
|
||||
#ifdef INET6
|
||||
extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *));
|
||||
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
|
||||
extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname,
|
||||
caddr_t request, size_t len, int priv));
|
||||
extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request,
|
||||
size_t len, struct mbuf **mp));
|
||||
extern int ipsec6_in_reject __P((struct mbuf *, struct in6pcb *));
|
||||
#endif /*INET6*/
|
||||
|
||||
struct secas;
|
||||
struct tcpcb;
|
||||
struct tcp6cb;
|
||||
extern int ipsec_chkreplay __P((u_int32_t, struct secas *));
|
||||
extern int ipsec_updatereplay __P((u_int32_t, struct secas *));
|
||||
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
|
||||
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
|
||||
|
||||
extern size_t ipsec4_hdrsiz __P((struct mbuf *, struct inpcb *));
|
||||
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
|
||||
extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));
|
||||
#ifdef INET6
|
||||
extern size_t ipsec6_hdrsiz __P((struct mbuf *, struct in6pcb *));
|
||||
#ifdef TCP6
|
||||
extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));
|
||||
#else
|
||||
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *));
|
||||
#ifndef TCP6
|
||||
extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));
|
||||
#else
|
||||
extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));
|
||||
#endif
|
||||
#endif
|
||||
|
||||
@ -296,7 +371,7 @@ extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
|
||||
#ifdef INET6
|
||||
extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
|
||||
#endif
|
||||
extern const char *ipsec_logsastr __P((struct secas *));
|
||||
extern const char *ipsec_logsastr __P((struct secasvar *));
|
||||
|
||||
extern void ipsec_dumpmbuf __P((struct mbuf *));
|
||||
|
||||
@ -308,10 +383,10 @@ extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
|
||||
extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
|
||||
struct secpolicy *, int));
|
||||
#endif
|
||||
extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secas *));
|
||||
extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secasvar *));
|
||||
#ifdef INET6
|
||||
extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int,
|
||||
struct secas *));
|
||||
struct secasvar *));
|
||||
#endif
|
||||
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
|
||||
|
||||
@ -321,11 +396,11 @@ extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
|
||||
#endif /*_KERNEL*/
|
||||
|
||||
#ifndef _KERNEL
|
||||
extern int ipsec_get_policylen(char *reqstr);
|
||||
extern int ipsec_set_policy(char *buf, int len, char *reqstr);
|
||||
extern char *ipsec_dump_policy(char *buf, char *delimiter);
|
||||
extern caddr_t ipsec_set_policy __P((char *, int));
|
||||
extern int ipsec_get_policylen __P((caddr_t));
|
||||
extern char *ipsec_dump_policy __P((caddr_t, char *));
|
||||
|
||||
extern char *ipsec_strerror(void);
|
||||
extern char *ipsec_strerror __P((void));
|
||||
#endif /*!_KERNEL*/
|
||||
|
||||
#endif /*_NETINET6_IPSEC_H_*/
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: raw_ip6.c,v 1.15 2000/01/06 15:46:11 itojun Exp $ */
|
||||
/* $NetBSD: raw_ip6.c,v 1.16 2000/01/31 14:19:06 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -513,7 +513,7 @@ rip6_usrreq(so, req, m, nam, control, p)
|
||||
in6p->in6p_ip6.ip6_nxt = (long)nam;
|
||||
in6p->in6p_cksum = -1;
|
||||
#ifdef IPSEC
|
||||
error = ipsec_init_policy(&in6p->in6p_sp);
|
||||
error = ipsec_init_policy(so, &in6p->in6p_sp);
|
||||
if (error != 0) {
|
||||
in6_pcbdetach(in6p);
|
||||
break;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: udp6_usrreq.c,v 1.18 2000/01/31 10:39:27 itojun Exp $ */
|
||||
/* $NetBSD: udp6_usrreq.c,v 1.19 2000/01/31 14:19:07 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -825,7 +825,7 @@ udp6_usrreq(so, req, m, addr6, control, p)
|
||||
in6p = sotoin6pcb(so);
|
||||
in6p->in6p_cksum = -1; /* just to be sure */
|
||||
#ifdef IPSEC
|
||||
error = ipsec_init_policy(&in6p->in6p_sp);
|
||||
error = ipsec_init_policy(so, &in6p->in6p_sp);
|
||||
if (error != 0) {
|
||||
in6_pcbdetach(in6p);
|
||||
break;
|
||||
|
5773
sys/netkey/key.c
5773
sys/netkey/key.c
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: key.h,v 1.4 1999/07/06 12:23:23 itojun Exp $ */
|
||||
/* $NetBSD: key.h,v 1.5 2000/01/31 14:19:12 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -29,57 +29,49 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* KAME Id: key.h,v 1.1.6.1.6.1 1999/05/17 17:03:14 itojun Exp */
|
||||
/* KAME Id: key.h,v 1.8 2000/01/29 06:21:01 itojun Exp */
|
||||
|
||||
#ifndef _NETKEY_KEY_H_
|
||||
#define _NETKEY_KEY_H_
|
||||
|
||||
#ifdef __NetBSD__
|
||||
# ifdef _KERNEL
|
||||
# define KERNEL
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if defined(KERNEL)
|
||||
#ifdef _KERNEL
|
||||
|
||||
extern struct key_cb key_cb;
|
||||
|
||||
struct sadb_address;
|
||||
struct secindex;
|
||||
struct secas;
|
||||
struct secpolicy;
|
||||
struct secpolicyindex;
|
||||
struct ipsecrequest;
|
||||
struct secasvar;
|
||||
struct sockaddr;
|
||||
struct socket;
|
||||
struct secexpire;
|
||||
struct sadb_msg;
|
||||
struct sadb_x_policy;
|
||||
struct ipsecrequest;
|
||||
extern struct secpolicy *key_allocsp __P((struct secindex *));
|
||||
#if 0
|
||||
extern int key_checkpolicy __P((struct secpolicy *));
|
||||
#endif
|
||||
extern int key_checkrequest __P((struct ipsecrequest *));
|
||||
extern struct secas *key_allocsa __P((u_int, caddr_t, caddr_t, u_int, u_int));
|
||||
extern void key_freesp __P((struct secpolicy *));
|
||||
extern void key_freeso __P((struct socket *));
|
||||
extern void key_freesa __P((struct secas *));
|
||||
|
||||
extern struct secpolicy *key_allocsp __P((struct secpolicyindex *spidx,
|
||||
u_int dir));
|
||||
extern int key_checkrequest
|
||||
__P((struct ipsecrequest *isr, struct secasindex *saidx));
|
||||
extern struct secasvar *key_allocsa __P((u_int family, caddr_t src, caddr_t dst,
|
||||
u_int proto, u_int32_t spi));
|
||||
extern void key_freesp __P((struct secpolicy *sp));
|
||||
extern void key_freeso __P((struct socket *so));
|
||||
extern void key_freesav __P((struct secasvar *sav));
|
||||
extern struct secpolicy *key_newsp __P((void));
|
||||
extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *));
|
||||
extern struct sadb_x_policy *key_sp2msg __P((struct secpolicy *));
|
||||
|
||||
extern int key_setsecidx __P((struct sadb_address *, struct sadb_address *,
|
||||
struct secindex *, int));
|
||||
extern void key_delsecidx __P((struct secindex *));
|
||||
extern int key_setexptime __P((struct secas *));
|
||||
extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *xpl0,
|
||||
size_t len, int *error));
|
||||
extern struct mbuf *key_sp2msg __P((struct secpolicy *sp));
|
||||
extern int key_ismyaddr __P((u_int family, caddr_t addr));
|
||||
extern void key_timehandler __P((void));
|
||||
extern void key_srandom __P((void));
|
||||
extern int key_ismyaddr __P((u_int, caddr_t));
|
||||
extern void key_freereg __P((struct socket *));
|
||||
extern int key_parse __P((struct sadb_msg **, struct socket *, int *));
|
||||
extern void key_freereg __P((struct socket *so));
|
||||
extern int key_parse __P((struct sadb_msg **msgp, struct socket *so,
|
||||
int *targetp));
|
||||
extern void key_init __P((void));
|
||||
extern int key_checktunnelsanity __P((struct secas *, u_int, caddr_t, caddr_t));
|
||||
extern void key_sa_recordxfer __P((struct secas *, struct mbuf *));
|
||||
extern void key_sa_routechange __P((struct sockaddr *));
|
||||
extern int key_checktunnelsanity __P((struct secasvar *sav, u_int family,
|
||||
caddr_t src, caddr_t dst));
|
||||
extern void key_sa_recordxfer __P((struct secasvar *sav, struct mbuf *m));
|
||||
extern void key_sa_routechange __P((struct sockaddr *dst));
|
||||
|
||||
#ifdef MALLOC_DECLARE
|
||||
MALLOC_DECLARE(M_SECA);
|
||||
#endif /* MALLOC_DECLARE */
|
||||
@ -88,7 +80,5 @@ MALLOC_DECLARE(M_SECA);
|
||||
extern int key_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
|
||||
#endif
|
||||
|
||||
#endif /* defined(KERNEL) */
|
||||
|
||||
#endif /* defined(_KERNEL) */
|
||||
#endif /* _NETKEY_KEY_H_ */
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: key_debug.c,v 1.7 1999/07/06 12:23:26 itojun Exp $ */
|
||||
/* $NetBSD: key_debug.c,v 1.8 2000/01/31 14:19:12 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -29,21 +29,15 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* KAME Id: key_debug.c,v 1.1.6.2.4.3 1999/07/06 12:05:13 itojun Exp */
|
||||
/* KAME Id: key_debug.c,v 1.10 2000/01/29 06:21:01 itojun Exp */
|
||||
|
||||
#ifdef _KERNEL
|
||||
# define KERNEL
|
||||
#endif
|
||||
|
||||
#ifdef KERNEL
|
||||
#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || defined(__NetBSD__)
|
||||
#include "opt_inet.h"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#ifdef KERNEL
|
||||
#ifdef _KERNEL
|
||||
#include <sys/systm.h>
|
||||
#include <sys/mbuf.h>
|
||||
#endif
|
||||
@ -58,19 +52,13 @@
|
||||
#include <netinet6/in6.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
#if !defined(KERNEL)
|
||||
#ifndef _KERNEL
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#endif /* defined(KERNEL) */
|
||||
#endif /* !_KERNEL */
|
||||
|
||||
#if !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))
|
||||
|
||||
#ifdef __NetBSD__
|
||||
# ifdef _KERNEL
|
||||
# define KERNEL
|
||||
# endif
|
||||
#endif
|
||||
#if !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG))
|
||||
|
||||
static void kdebug_sadb_prop __P((struct sadb_ext *));
|
||||
static void kdebug_sadb_identity __P((struct sadb_ext *));
|
||||
@ -80,11 +68,11 @@ static void kdebug_sadb_sa __P((struct sadb_ext *));
|
||||
static void kdebug_sadb_address __P((struct sadb_ext *));
|
||||
static void kdebug_sadb_key __P((struct sadb_ext *));
|
||||
|
||||
#ifdef KERNEL
|
||||
#ifdef _KERNEL
|
||||
static void kdebug_secreplay __P((struct secreplay *));
|
||||
#endif
|
||||
|
||||
#ifndef KERNEL
|
||||
#ifndef _KERNEL
|
||||
#define panic(param) { printf(param); exit(-1); }
|
||||
#endif
|
||||
|
||||
@ -105,9 +93,11 @@ kdebug_sadb(base)
|
||||
printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
|
||||
base->sadb_msg_version, base->sadb_msg_type,
|
||||
base->sadb_msg_errno, base->sadb_msg_satype);
|
||||
printf(" len=%u reserved=%u seq=%u pid=%u }\n",
|
||||
base->sadb_msg_len, base->sadb_msg_reserved,
|
||||
base->sadb_msg_seq, base->sadb_msg_pid);
|
||||
printf(" len=%u mode=%u seq=%u pid=%u reqid=%u\n",
|
||||
base->sadb_msg_len, base->sadb_msg_mode,
|
||||
base->sadb_msg_seq, base->sadb_msg_pid, base->sadb_msg_reqid);
|
||||
printf(" reserved1=%u reserved2=%u\n",
|
||||
base->sadb_msg_reserved1, base->sadb_msg_reserved2);
|
||||
|
||||
tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
|
||||
ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
|
||||
@ -120,6 +110,10 @@ kdebug_sadb(base)
|
||||
printf("kdebug_sadb: invalid ext_len=0 was passed.\n");
|
||||
return;
|
||||
}
|
||||
if (ext->sadb_ext_len > tlen) {
|
||||
printf("kdebug_sadb: ext_len exceeds end of buffer.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
switch (ext->sadb_ext_type) {
|
||||
case SADB_EXT_SA:
|
||||
@ -228,6 +222,7 @@ kdebug_sadb_identity(ext)
|
||||
{
|
||||
struct sadb_ident *id = (struct sadb_ident *)ext;
|
||||
int len;
|
||||
union sadb_x_ident_id *aid;
|
||||
|
||||
/* sanity check */
|
||||
if (ext == NULL)
|
||||
@ -236,25 +231,40 @@ kdebug_sadb_identity(ext)
|
||||
len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id);
|
||||
printf("sadb_ident_%s{",
|
||||
id->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC ? "src" : "dst");
|
||||
printf(" type=%d id=%lu",
|
||||
id->sadb_ident_type, (u_long)id->sadb_ident_id);
|
||||
if (len) {
|
||||
#ifdef KERNEL
|
||||
ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
|
||||
switch (id->sadb_ident_type) {
|
||||
case SADB_X_IDENTTYPE_ADDR:
|
||||
aid = (union sadb_x_ident_id *)&id->sadb_ident_id;
|
||||
|
||||
printf(" type=%d prefix=%u ul_proto=%u\n",
|
||||
id->sadb_ident_type,
|
||||
aid->sadb_x_ident_id_addr.prefix,
|
||||
aid->sadb_x_ident_id_addr.ul_proto);
|
||||
kdebug_sockaddr((struct sockaddr *)(id + 1));
|
||||
break;
|
||||
|
||||
default:
|
||||
printf(" type=%d id=%lu",
|
||||
id->sadb_ident_type, (u_long)id->sadb_ident_id);
|
||||
if (len) {
|
||||
#ifdef _KERNEL
|
||||
ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
|
||||
#else
|
||||
char *p, *ep;
|
||||
printf("\n str=\"");
|
||||
p = (char *)(id + 1);
|
||||
ep = p + len;
|
||||
for (/*nothing*/; *p && p < ep; p++) {
|
||||
if (isprint(*p))
|
||||
printf("%c", *p & 0xff);
|
||||
else
|
||||
printf("\\%03o", *p & 0xff);
|
||||
}
|
||||
char *p, *ep;
|
||||
printf("\n str=\"");
|
||||
p = (char *)(id + 1);
|
||||
ep = p + len;
|
||||
for (/*nothing*/; *p && p < ep; p++) {
|
||||
if (isprint(*p))
|
||||
printf("%c", *p & 0xff);
|
||||
else
|
||||
printf("\\%03o", *p & 0xff);
|
||||
}
|
||||
#endif
|
||||
printf("\"");
|
||||
printf("\"");
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
printf(" }\n");
|
||||
|
||||
return;
|
||||
@ -356,7 +366,7 @@ kdebug_sadb_key(ext)
|
||||
if (ext == NULL)
|
||||
panic("kdebug_sadb_key: NULL pointer was passed.\n");
|
||||
|
||||
printf("sadb_key{ bits=%u reserved=%u }\n",
|
||||
printf("sadb_key{ bits=%u reserved=%u\n",
|
||||
key->sadb_key_bits, key->sadb_key_reserved);
|
||||
printf(" key=");
|
||||
|
||||
@ -379,72 +389,66 @@ kdebug_sadb_x_policy(ext)
|
||||
struct sadb_ext *ext;
|
||||
{
|
||||
struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext;
|
||||
struct sockaddr *addr;
|
||||
|
||||
/* sanity check */
|
||||
if (ext == NULL)
|
||||
panic("kdebug_sadb_x_policy: NULL pointer was passed.\n");
|
||||
|
||||
printf("sadb_x_policy{ type=%u reserved=%x }\n",
|
||||
xpl->sadb_x_policy_type, xpl->sadb_x_policy_reserved);
|
||||
printf("sadb_x_policy{ type=%u dir=%u reserved=%x }\n",
|
||||
xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
|
||||
xpl->sadb_x_policy_reserved);
|
||||
|
||||
if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
|
||||
int tlen;
|
||||
struct sadb_x_ipsecrequest *xisr;
|
||||
int xxx_len; /* for sanity check */
|
||||
|
||||
tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl
|
||||
+ sizeof(*xpl));
|
||||
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
|
||||
|
||||
while (tlen > 0) {
|
||||
printf(" { len=%u proto=%u mode=%u level=%u",
|
||||
printf(" { len=%u proto=%u mode=%u level=%u reqid=%u\n",
|
||||
xisr->sadb_x_ipsecrequest_len,
|
||||
xisr->sadb_x_ipsecrequest_proto,
|
||||
xisr->sadb_x_ipsecrequest_mode,
|
||||
xisr->sadb_x_ipsecrequest_level);
|
||||
xisr->sadb_x_ipsecrequest_level,
|
||||
xisr->sadb_x_ipsecrequest_reqid);
|
||||
|
||||
xxx_len = sizeof(*xisr);
|
||||
|
||||
/* tunnel mode ? */
|
||||
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL){
|
||||
struct sockaddr *addr
|
||||
= (struct sockaddr *)((caddr_t)xisr
|
||||
+ sizeof(*xisr));
|
||||
|
||||
printf("\n");
|
||||
xxx_len += PFKEY_ALIGN8(addr->sa_len);
|
||||
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
|
||||
addr = (struct sockaddr *)(xisr + 1);
|
||||
kdebug_sockaddr(addr);
|
||||
} else
|
||||
printf(" }\n");
|
||||
addr = (struct sockaddr *)((caddr_t)addr
|
||||
+ addr->sa_len);
|
||||
kdebug_sockaddr(addr);
|
||||
}
|
||||
|
||||
/* sanity check */
|
||||
if (xisr->sadb_x_ipsecrequest_len != xxx_len) {
|
||||
printf("kdebug_sadb_x_policy: "
|
||||
"Invalid request length, "
|
||||
"reqlen:%d real:%d\n",
|
||||
xisr->sadb_x_ipsecrequest_len,
|
||||
xxx_len);
|
||||
printf(" }\n");
|
||||
|
||||
/* prevent infinite loop */
|
||||
if (xisr->sadb_x_ipsecrequest_len <= 0) {
|
||||
printf("kdebug_sadb_x_policy: wrong policy struct.\n");
|
||||
return;
|
||||
}
|
||||
/* prevent overflow */
|
||||
if (xisr->sadb_x_ipsecrequest_len > tlen) {
|
||||
printf("invalid ipsec policy length\n");
|
||||
return;
|
||||
}
|
||||
|
||||
tlen -= xisr->sadb_x_ipsecrequest_len;
|
||||
|
||||
/* sanity check */
|
||||
if (tlen < 0) {
|
||||
printf("kdebug_sadb_x_policy: "
|
||||
"becoming tlen < 0.\n");
|
||||
return;
|
||||
}
|
||||
|
||||
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
|
||||
+ xisr->sadb_x_ipsecrequest_len);
|
||||
}
|
||||
|
||||
if (tlen != 0)
|
||||
panic("kdebug_sadb_x_policy: wrong policy struct.\n");
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
#ifdef KERNEL
|
||||
#ifdef _KERNEL
|
||||
/* %%%: about SPD and SAD */
|
||||
void
|
||||
kdebug_secpolicy(sp)
|
||||
@ -457,7 +461,7 @@ kdebug_secpolicy(sp)
|
||||
printf("secpolicy{ refcnt=%u state=%u policy=%u\n",
|
||||
sp->refcnt, sp->state, sp->policy);
|
||||
|
||||
kdebug_secindex(&sp->idx);
|
||||
kdebug_secpolicyindex(&sp->spidx);
|
||||
|
||||
switch (sp->policy) {
|
||||
case IPSEC_POLICY_DISCARD:
|
||||
@ -471,22 +475,11 @@ kdebug_secpolicy(sp)
|
||||
struct ipsecrequest *isr;
|
||||
for (isr = sp->req; isr != NULL; isr = isr->next) {
|
||||
|
||||
printf(" proto=%u mode=%u level=%u\n",
|
||||
isr->proto, isr->mode, isr->level);
|
||||
printf(" level=%u\n", isr->level);
|
||||
kdebug_secasindex(&isr->saidx);
|
||||
|
||||
if (isr->mode == IPSEC_MODE_TUNNEL) {
|
||||
/* sanity check */
|
||||
if (isr->proxy == NULL) {
|
||||
printf("kdebug_secpolicy: "
|
||||
"Specified tunnel mode, "
|
||||
"but proxy points to NULL.\n");
|
||||
continue;
|
||||
}
|
||||
kdebug_sockaddr(isr->proxy);
|
||||
}
|
||||
|
||||
if (isr->sa != NULL)
|
||||
kdebug_secas(isr->sa);
|
||||
if (isr->sav != NULL)
|
||||
kdebug_secasv(isr->sav);
|
||||
}
|
||||
printf(" }\n");
|
||||
}
|
||||
@ -507,65 +500,85 @@ kdebug_secpolicy(sp)
|
||||
}
|
||||
|
||||
void
|
||||
kdebug_secindex(idx)
|
||||
struct secindex *idx;
|
||||
kdebug_secpolicyindex(spidx)
|
||||
struct secpolicyindex *spidx;
|
||||
{
|
||||
/* sanity check */
|
||||
if (idx == NULL)
|
||||
panic("kdebug_secindex: NULL pointer was passed.\n");
|
||||
if (spidx == NULL)
|
||||
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
|
||||
|
||||
printf("secindex{ family=%u prefs=%u prefd=%d\n",
|
||||
idx->family, idx->prefs, idx->prefd);
|
||||
printf("secpolicyindex{ dir=%u prefs=%u prefd=%u ul_proto=%u\n",
|
||||
spidx->dir, spidx->prefs, spidx->prefd, spidx->ul_proto);
|
||||
|
||||
ipsec_hexdump((caddr_t)&idx->src, _INALENBYAF(idx->family));
|
||||
ipsec_hexdump((caddr_t)&spidx->src,
|
||||
((struct sockaddr *)&spidx->src)->sa_len);
|
||||
printf("\n");
|
||||
ipsec_hexdump((caddr_t)&idx->dst, _INALENBYAF(idx->family));
|
||||
printf("\n");
|
||||
|
||||
printf(" proto=%u ports=%u portd=%d }\n",
|
||||
idx->proto, ntohs(idx->ports), ntohs(idx->portd));
|
||||
ipsec_hexdump((caddr_t)&spidx->dst,
|
||||
((struct sockaddr *)&spidx->dst)->sa_len);
|
||||
printf("}\n");
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
kdebug_secas(sa)
|
||||
struct secas *sa;
|
||||
kdebug_secasindex(saidx)
|
||||
struct secasindex *saidx;
|
||||
{
|
||||
/* sanity check */
|
||||
if (sa == NULL)
|
||||
panic("kdebug_secas: NULL pointer was passed.\n");
|
||||
if (saidx == NULL)
|
||||
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
|
||||
|
||||
printf("secasindex{ mode=%u proto=%u\n",
|
||||
saidx->mode, saidx->proto);
|
||||
|
||||
ipsec_hexdump((caddr_t)&saidx->src,
|
||||
((struct sockaddr *)&saidx->src)->sa_len);
|
||||
printf("\n");
|
||||
ipsec_hexdump((caddr_t)&saidx->dst,
|
||||
((struct sockaddr *)&saidx->dst)->sa_len);
|
||||
printf("\n");
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
void
|
||||
kdebug_secasv(sav)
|
||||
struct secasvar *sav;
|
||||
{
|
||||
/* sanity check */
|
||||
if (sav == NULL)
|
||||
panic("kdebug_secasv: NULL pointer was passed.\n");
|
||||
|
||||
printf("secas{");
|
||||
kdebug_secindex(&sa->saidx->idx);
|
||||
kdebug_secasindex(&sav->sah->saidx);
|
||||
|
||||
printf(" refcnt=%u state=%u type=%u auth=%u enc=%u\n",
|
||||
sa->refcnt, sa->state, sa->type, sa->alg_auth, sa->alg_enc);
|
||||
printf(" spi=%lu flags=%u\n", (unsigned long) ntohl(sa->spi),
|
||||
sa->flags);
|
||||
printf(" refcnt=%u state=%u auth=%u enc=%u\n",
|
||||
sav->refcnt, sav->state, sav->alg_auth, sav->alg_enc);
|
||||
printf(" spi=%u flags=%u\n",
|
||||
(u_int32_t)ntohl(sav->spi), sav->flags);
|
||||
|
||||
if (sa->key_auth != NULL)
|
||||
kdebug_sadb_key((struct sadb_ext *)sa->key_auth);
|
||||
if (sa->key_enc != NULL)
|
||||
kdebug_sadb_key((struct sadb_ext *)sa->key_enc);
|
||||
if (sa->iv != NULL) {
|
||||
ipsec_hexdump(sa->iv, sa->ivlen ? sa->ivlen : 8);
|
||||
if (sav->key_auth != NULL)
|
||||
kdebug_sadb_key((struct sadb_ext *)sav->key_auth);
|
||||
if (sav->key_enc != NULL)
|
||||
kdebug_sadb_key((struct sadb_ext *)sav->key_enc);
|
||||
if (sav->iv != NULL) {
|
||||
printf(" iv=");
|
||||
ipsec_hexdump(sav->iv, sav->ivlen ? sav->ivlen : 8);
|
||||
printf("\n");
|
||||
}
|
||||
if (sa->proxy != NULL) {
|
||||
kdebug_sockaddr(sa->proxy);
|
||||
printf("\n");
|
||||
}
|
||||
if (sa->replay != NULL)
|
||||
kdebug_secreplay(sa->replay);
|
||||
if (sa->lft_c != NULL)
|
||||
kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_c);
|
||||
if (sa->lft_h != NULL)
|
||||
kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_h);
|
||||
if (sa->lft_s != NULL)
|
||||
kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_s);
|
||||
|
||||
if (sav->replay != NULL)
|
||||
kdebug_secreplay(sav->replay);
|
||||
if (sav->lft_c != NULL)
|
||||
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_c);
|
||||
if (sav->lft_h != NULL)
|
||||
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_h);
|
||||
if (sav->lft_s != NULL)
|
||||
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_s);
|
||||
|
||||
#if notyet
|
||||
/* XXX: misc[123] ? */
|
||||
#endif
|
||||
|
||||
return;
|
||||
}
|
||||
@ -617,14 +630,6 @@ kdebug_mbufhdr(m)
|
||||
m->m_pkthdr.len, m->m_pkthdr.rcvif);
|
||||
}
|
||||
|
||||
#ifdef __FreeBSD__
|
||||
if (m->m_flags & M_EXT) {
|
||||
printf(" m_ext{ ext_buf:%p ext_free:%p "
|
||||
"ext_size:%u ext_ref:%p }\n",
|
||||
m->m_ext.ext_buf, m->m_ext.ext_free,
|
||||
m->m_ext.ext_size, m->m_ext.ext_ref);
|
||||
}
|
||||
#endif
|
||||
|
||||
return;
|
||||
}
|
||||
@ -651,7 +656,7 @@ kdebug_mbuf(m0)
|
||||
|
||||
return;
|
||||
}
|
||||
#endif /* KERNEL */
|
||||
#endif /* _KERNEL */
|
||||
|
||||
void
|
||||
kdebug_sockaddr(addr)
|
||||
@ -680,7 +685,7 @@ kdebug_sockaddr(addr)
|
||||
return;
|
||||
}
|
||||
|
||||
#endif /* !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG)) */
|
||||
#endif /* !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG)) */
|
||||
|
||||
void
|
||||
ipsec_bindump(buf, len)
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: key_debug.h,v 1.4 1999/07/06 12:23:26 itojun Exp $ */
|
||||
/* $NetBSD: key_debug.h,v 1.5 2000/01/31 14:19:12 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -29,18 +29,12 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* KAME Id: key_debug.h,v 1.1.6.2.6.1 1999/05/17 17:03:16 itojun Exp */
|
||||
/* KAME Id: key_debug.h,v 1.3 2000/01/29 06:21:02 itojun Exp */
|
||||
|
||||
#ifndef _NETKEY_KEY_DEBUG_H_
|
||||
#define _NETKEY_KEY_DEBUG_H_
|
||||
|
||||
#ifdef __NetBSD__
|
||||
# ifdef _KERNEL
|
||||
# define KERNEL
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))
|
||||
#if !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG))
|
||||
|
||||
/* debug flags */
|
||||
#define KEYDEBUG_STAMP 0x00000001 /* path */
|
||||
@ -63,27 +57,29 @@
|
||||
|
||||
#define KEYDEBUG(lev,arg) if ((key_debug_level & (lev)) == (lev)) { arg; }
|
||||
|
||||
#ifdef KERNEL
|
||||
#ifdef _KERNEL
|
||||
extern u_int32_t key_debug_level;
|
||||
#endif /*KERNEL*/
|
||||
#endif /*_KERNEL*/
|
||||
|
||||
struct sadb_msg;
|
||||
struct sadb_ext;
|
||||
extern void kdebug_sadb __P((struct sadb_msg *));
|
||||
extern void kdebug_sadb_x_policy __P((struct sadb_ext *));
|
||||
|
||||
#ifdef KERNEL
|
||||
#ifdef _KERNEL
|
||||
struct secpolicy;
|
||||
struct secindex;
|
||||
struct secas;
|
||||
struct secpolicyindex;
|
||||
struct secasindex;
|
||||
struct secasvar;
|
||||
struct secreplay;
|
||||
struct mbuf;
|
||||
extern void kdebug_secindex __P((struct secindex *));
|
||||
extern void kdebug_secpolicy __P((struct secpolicy *));
|
||||
extern void kdebug_secas __P((struct secas *));
|
||||
extern void kdebug_secpolicyindex __P((struct secpolicyindex *));
|
||||
extern void kdebug_secasindex __P((struct secasindex *));
|
||||
extern void kdebug_secasv __P((struct secasvar *));
|
||||
extern void kdebug_mbufhdr __P((struct mbuf *));
|
||||
extern void kdebug_mbuf __P((struct mbuf *));
|
||||
#endif /*KERNEL*/
|
||||
#endif /*_KERNEL*/
|
||||
|
||||
struct sockaddr;
|
||||
extern void kdebug_sockaddr __P((struct sockaddr *));
|
||||
@ -92,7 +88,7 @@ extern void kdebug_sockaddr __P((struct sockaddr *));
|
||||
|
||||
#define KEYDEBUG(lev,arg)
|
||||
|
||||
#endif /*!defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))*/
|
||||
#endif /*!defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG))*/
|
||||
|
||||
extern void ipsec_hexdump __P((caddr_t, int));
|
||||
extern void ipsec_bindump __P((caddr_t, int));
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: key_var.h,v 1.6 1999/08/24 00:46:13 itojun Exp $ */
|
||||
/* $NetBSD: key_var.h,v 1.7 2000/01/31 14:19:12 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -94,7 +94,7 @@
|
||||
|
||||
#define _INADDR(in) ((struct sockaddr_in *)(in))
|
||||
|
||||
#if defined(INET6)
|
||||
#ifdef INET6
|
||||
#define _IN6ADDR(in6) ((struct sockaddr_in6 *)(in6))
|
||||
#define _SALENBYAF(family) \
|
||||
(((family) == AF_INET) ? \
|
||||
|
215
sys/netkey/keydb.c
Normal file
215
sys/netkey/keydb.c
Normal file
@ -0,0 +1,215 @@
|
||||
/* $NetBSD: keydb.c,v 1.1 2000/01/31 14:19:13 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of the project nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* KAME Id: keydb.c,v 1.58 2000/01/17 14:11:16 itojun Exp */
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_ipsec.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/errno.h>
|
||||
#include <sys/queue.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
|
||||
#include <netkey/keyv2.h>
|
||||
#include <netkey/keydb.h>
|
||||
#include <netinet6/ipsec.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
static void keydb_delsecasvar __P((struct secasvar *));
|
||||
|
||||
/*
|
||||
* secpolicy management
|
||||
*/
|
||||
struct secpolicy *
|
||||
keydb_newsecpolicy()
|
||||
{
|
||||
struct secpolicy *p;
|
||||
|
||||
p = (struct secpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
|
||||
if (!p)
|
||||
return p;
|
||||
bzero(p, sizeof(*p));
|
||||
return p;
|
||||
}
|
||||
|
||||
void
|
||||
keydb_delsecpolicy(p)
|
||||
struct secpolicy *p;
|
||||
{
|
||||
|
||||
free(p, M_SECA);
|
||||
}
|
||||
|
||||
/*
|
||||
* secashead management
|
||||
*/
|
||||
struct secashead *
|
||||
keydb_newsecashead()
|
||||
{
|
||||
struct secashead *p;
|
||||
int i;
|
||||
|
||||
p = (struct secashead *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
|
||||
if (!p)
|
||||
return p;
|
||||
bzero(p, sizeof(*p));
|
||||
for (i = 0; i < sizeof(p->savtree)/sizeof(p->savtree[0]); i++)
|
||||
LIST_INIT(&p->savtree[i]);
|
||||
return p;
|
||||
}
|
||||
|
||||
void
|
||||
keydb_delsecashead(p)
|
||||
struct secashead *p;
|
||||
{
|
||||
|
||||
free(p, M_SECA);
|
||||
}
|
||||
|
||||
/*
|
||||
* secasvar management (reference counted)
|
||||
*/
|
||||
struct secasvar *
|
||||
keydb_newsecasvar()
|
||||
{
|
||||
struct secasvar *p;
|
||||
|
||||
p = (struct secasvar *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
|
||||
if (!p)
|
||||
return p;
|
||||
bzero(p, sizeof(*p));
|
||||
p->refcnt = 1;
|
||||
return p;
|
||||
}
|
||||
|
||||
void
|
||||
keydb_refsecasvar(p)
|
||||
struct secasvar *p;
|
||||
{
|
||||
int s;
|
||||
|
||||
s = splsoftnet();
|
||||
p->refcnt++;
|
||||
splx(s);
|
||||
}
|
||||
|
||||
void
|
||||
keydb_freesecasvar(p)
|
||||
struct secasvar *p;
|
||||
{
|
||||
int s;
|
||||
|
||||
s = splsoftnet();
|
||||
p->refcnt--;
|
||||
if (p->refcnt == 0)
|
||||
keydb_delsecasvar(p);
|
||||
splx(s);
|
||||
}
|
||||
|
||||
static void
|
||||
keydb_delsecasvar(p)
|
||||
struct secasvar *p;
|
||||
{
|
||||
|
||||
if (p->refcnt)
|
||||
panic("keydb_delsecasvar called with refcnt != 0");
|
||||
|
||||
free(p, M_SECA);
|
||||
}
|
||||
|
||||
/*
|
||||
* secreplay management
|
||||
*/
|
||||
struct secreplay *
|
||||
keydb_newsecreplay(wsize)
|
||||
size_t wsize;
|
||||
{
|
||||
struct secreplay *p;
|
||||
|
||||
p = (struct secreplay *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
|
||||
if (!p)
|
||||
return p;
|
||||
|
||||
bzero(p, sizeof(*p));
|
||||
if (wsize != 0) {
|
||||
p->bitmap = (caddr_t)malloc(wsize, M_SECA, M_NOWAIT);
|
||||
if (!p->bitmap) {
|
||||
free(p, M_SECA);
|
||||
return NULL;
|
||||
}
|
||||
bzero(p->bitmap, wsize);
|
||||
}
|
||||
p->wsize = wsize;
|
||||
return p;
|
||||
}
|
||||
|
||||
void
|
||||
keydb_delsecreplay(p)
|
||||
struct secreplay *p;
|
||||
{
|
||||
|
||||
if (p->bitmap)
|
||||
free(p->bitmap, M_SECA);
|
||||
free(p, M_SECA);
|
||||
}
|
||||
|
||||
/*
|
||||
* secreg management
|
||||
*/
|
||||
struct secreg *
|
||||
keydb_newsecreg()
|
||||
{
|
||||
struct secreg *p;
|
||||
|
||||
p = (struct secreg *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
|
||||
if (p)
|
||||
bzero(p, sizeof(*p));
|
||||
return p;
|
||||
}
|
||||
|
||||
void
|
||||
keydb_delsecreg(p)
|
||||
struct secreg *p;
|
||||
{
|
||||
|
||||
free(p, M_SECA);
|
||||
}
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: keydb.h,v 1.3 1999/07/03 21:32:48 thorpej Exp $ */
|
||||
/* $NetBSD: keydb.h,v 1.4 2000/01/31 14:19:13 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -32,119 +32,74 @@
|
||||
#ifndef _NETKEY_KEYDB_H_
|
||||
#define _NETKEY_KEYDB_H_
|
||||
|
||||
#ifdef __NetBSD__
|
||||
# ifdef _KERNEL
|
||||
# define KERNEL
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifdef KERNEL
|
||||
#ifdef _KERNEL
|
||||
|
||||
#include <netkey/key_var.h>
|
||||
|
||||
/* Must include ipsec.h and keyv2.h before in its use. */
|
||||
|
||||
/* management for the tree and nodes. */
|
||||
struct keytree {
|
||||
struct keynode *head;
|
||||
struct keynode *tail;
|
||||
int len;
|
||||
/* Security Assocciation Index */
|
||||
/* NOTE: Ensure to be same address family */
|
||||
struct secasindex {
|
||||
struct sockaddr_storage src; /* srouce address for SA */
|
||||
struct sockaddr_storage dst; /* destination address for SA */
|
||||
u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
|
||||
u_int8_t mode; /* mode of protocol, see ipsec.h */
|
||||
u_int32_t reqid; /* reqid id who owned this SA */
|
||||
/* see IPSEC_MANUAL_REQID_MAX. */
|
||||
};
|
||||
|
||||
struct keynode {
|
||||
struct keynode *next;
|
||||
struct keynode *prev;
|
||||
struct keytree *back; /* pointer to the keytree */
|
||||
};
|
||||
|
||||
/* index structure for SPD and SAD */
|
||||
/* NOTE: All field are network byte order. */
|
||||
struct secindex {
|
||||
u_int8_t family; /* AF_INET or AF_INET6 */
|
||||
u_int8_t prefs; /* preference for srouce address in bits */
|
||||
u_int8_t prefd; /* preference for destination address in bits */
|
||||
u_int8_t proto; /* upper layer Protocol */
|
||||
u_int16_t ports; /* source port */
|
||||
u_int16_t portd; /* destination port */
|
||||
union {
|
||||
#if 0 /* #include dependency... */
|
||||
struct in_addr src4;
|
||||
struct in6_addr src6;
|
||||
#endif
|
||||
u_int8_t srcany[16]; /*guarantee minimum size*/
|
||||
} src; /* buffer for source address */
|
||||
union {
|
||||
#if 0 /* #include dependency... */
|
||||
struct in_addr dst4;
|
||||
struct in6_addr dst6;
|
||||
#endif
|
||||
u_int8_t dstany[16]; /*guarantee minimum size*/
|
||||
} dst; /* buffer for destination address */
|
||||
};
|
||||
|
||||
/* direction of SA */
|
||||
#define SADB_X_DIR_UNKNOWN 0 /* initial */
|
||||
#define SADB_X_DIR_INBOUND 1
|
||||
#define SADB_X_DIR_OUTBOUND 2
|
||||
#define SADB_X_DIR_BIDIRECT 3 /* including loopback */
|
||||
#define SADB_X_DIR_MAX 4
|
||||
#define SADB_X_DIR_INVALID 4
|
||||
/*
|
||||
* Since X_DIR_INVALID is equal to SADB_X_DIR_MAX,
|
||||
* it can be used just as flag. The other are too
|
||||
* used for loop counter.
|
||||
*/
|
||||
|
||||
/* Security Association Data Base */
|
||||
struct secasindex {
|
||||
struct secasindex *next;
|
||||
struct secasindex *prev;
|
||||
struct keytree *saidxt; /* back pointer to */
|
||||
/* the top of SA index tree */
|
||||
struct secashead {
|
||||
LIST_ENTRY(secashead) chain;
|
||||
|
||||
struct secindex idx; /* security index */
|
||||
struct secasindex saidx;
|
||||
|
||||
struct keytree satree[SADB_SASTATE_MAX+1];
|
||||
struct sadb_ident *idents; /* source identity */
|
||||
struct sadb_ident *identd; /* destination identity */
|
||||
/* XXX I don't know how to use them. */
|
||||
|
||||
u_int8_t state; /* MATURE or DEAD. */
|
||||
LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
|
||||
/* SA chain */
|
||||
/* The first of this list is newer SA */
|
||||
|
||||
struct route sa_route; /* XXX */
|
||||
struct route sa_route; /* route cache */
|
||||
};
|
||||
|
||||
/* Security Association */
|
||||
struct secas {
|
||||
struct secas *next;
|
||||
struct secas *prev;
|
||||
struct keytree *sat; /* back pointer to the top of SA tree */
|
||||
struct secasvar {
|
||||
LIST_ENTRY(secasvar) chain;
|
||||
|
||||
int refcnt; /* reference count */
|
||||
u_int8_t state; /* Status of this Association */
|
||||
u_int8_t type; /* Type of this association: protocol */
|
||||
|
||||
u_int8_t alg_auth; /* Authentication Algorithm Identifier*/
|
||||
u_int8_t alg_enc; /* Cipher Algorithm Identifier */
|
||||
u_int32_t spi; /* SPI Value, network byte order */
|
||||
u_int32_t flags; /* holder for SADB_KEY_FLAGS */
|
||||
|
||||
struct sadb_key *key_auth; /* Key for Authentication */
|
||||
/* length has been shifted up to 3. */
|
||||
struct sadb_key *key_enc; /* Key for Encryption */
|
||||
/* length has been shifted up to 3. */
|
||||
struct sockaddr *proxy; /* Proxy IP address for Destination */
|
||||
caddr_t iv; /* Initilization Vector */
|
||||
u_int ivlen; /* length of IV */
|
||||
#if 0
|
||||
caddr_t misc1;
|
||||
caddr_t misc2;
|
||||
caddr_t misc3;
|
||||
#endif
|
||||
|
||||
struct secreplay *replay; /* replay prevention */
|
||||
u_int32_t tick; /* for lifetime */
|
||||
|
||||
struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
|
||||
struct sadb_lifetime *lft_h; /* HARD lifetime */
|
||||
struct sadb_lifetime *lft_s; /* SOFT lifetime */
|
||||
/* sadb_lifetime_len is in 32 bits. */
|
||||
|
||||
caddr_t iv; /* Initilization Vector */
|
||||
u_int ivlen; /* XXX: quick hack */
|
||||
caddr_t misc1; /* the use for example DES's setkey. */
|
||||
caddr_t misc2;
|
||||
caddr_t misc3;
|
||||
|
||||
u_int32_t seq; /* sequence number */
|
||||
u_int32_t pid; /* pid */
|
||||
pid_t pid; /* message's pid */
|
||||
|
||||
struct secasindex *saidx; /* back pointer to the secasindex */
|
||||
struct secashead *sah; /* back pointer to the secashead */
|
||||
};
|
||||
|
||||
/* replay prevention */
|
||||
@ -154,31 +109,22 @@ struct secreplay {
|
||||
u_int32_t seq; /* used by sender */
|
||||
u_int32_t lastseq; /* used by receiver */
|
||||
caddr_t bitmap; /* used by receiver */
|
||||
int overflow; /* overflow flag */
|
||||
};
|
||||
|
||||
/* socket table due to send PF_KEY messages. */
|
||||
struct secreg {
|
||||
struct secreg *next;
|
||||
struct secreg *prev;
|
||||
struct keytree *regt; /* back pointer to the top of secreg tree */
|
||||
LIST_ENTRY(secreg) chain;
|
||||
|
||||
struct socket *so;
|
||||
};
|
||||
|
||||
#ifndef IPSEC_BLOCK_ACQUIRE
|
||||
#ifndef IPSEC_NONBLOCK_ACQUIRE
|
||||
/* acquiring list table. */
|
||||
struct secacq {
|
||||
struct secacq *next;
|
||||
struct secacq *prev;
|
||||
struct keytree *acqt; /* back pointer to the top of secacq tree */
|
||||
LIST_ENTRY(secacq) chain;
|
||||
|
||||
#if 1
|
||||
struct secindex idx; /* security index */
|
||||
u_int8_t proto; /* Type of this association: IPsec protocol */
|
||||
u_int8_t proxy[16]; /* buffer for proxy address */
|
||||
#else
|
||||
u_int8_t hash[16];
|
||||
#endif
|
||||
struct secasindex saidx;
|
||||
|
||||
u_int32_t seq; /* sequence number */
|
||||
u_int32_t tick; /* for lifetime */
|
||||
@ -196,6 +142,23 @@ struct key_cb {
|
||||
int any_count;
|
||||
};
|
||||
|
||||
#endif /* KERNEL */
|
||||
/* secpolicy */
|
||||
extern struct secpolicy *keydb_newsecpolicy __P((void));
|
||||
extern void keydb_delsecpolicy __P((struct secpolicy *));
|
||||
/* secashead */
|
||||
extern struct secashead *keydb_newsecashead __P((void));
|
||||
extern void keydb_delsecashead __P((struct secashead *));
|
||||
/* secasvar */
|
||||
extern struct secasvar *keydb_newsecasvar __P((void));
|
||||
extern void keydb_refsecasvar __P((struct secasvar *));
|
||||
extern void keydb_freesecasvar __P((struct secasvar *));
|
||||
/* secreplay */
|
||||
extern struct secreplay *keydb_newsecreplay __P((size_t));
|
||||
extern void keydb_delsecreplay __P((struct secreplay *));
|
||||
/* secreg */
|
||||
extern struct secreg *keydb_newsecreg __P((void));
|
||||
extern void keydb_delsecreg __P((struct secreg *));
|
||||
|
||||
#endif /* _KERNEL */
|
||||
|
||||
#endif /* _NETKEY_KEYDB_H_ */
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: keysock.c,v 1.6 1999/07/31 18:41:18 itojun Exp $ */
|
||||
/* $NetBSD: keysock.c,v 1.7 2000/01/31 14:19:13 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -29,41 +29,24 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* KAME Id: keysock.c,v 1.1.6.4.2.2 1999/07/04 02:06:39 itojun Exp */
|
||||
/* KAME Id: keysock.c,v 1.10 2000/01/29 06:21:02 itojun Exp */
|
||||
|
||||
#if defined(__FreeBSD__) && __FreeBSD__ >= 3
|
||||
#include "opt_inet.h"
|
||||
#endif
|
||||
|
||||
/* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */
|
||||
|
||||
#ifdef __NetBSD__
|
||||
# ifdef _KERNEL
|
||||
# define KERNEL
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/kernel.h>
|
||||
#ifdef __FreeBSD__
|
||||
#include <sys/sysctl.h>
|
||||
#endif
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/socketvar.h>
|
||||
#include <sys/domain.h>
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/errno.h>
|
||||
#ifdef __NetBSD__
|
||||
#include <sys/proc.h>
|
||||
#include <sys/queue.h>
|
||||
#endif
|
||||
|
||||
#ifdef __FreeBSD__
|
||||
#include <machine/spl.h>
|
||||
#endif
|
||||
|
||||
#include <net/raw_cb.h>
|
||||
#include <net/route.h>
|
||||
@ -82,56 +65,26 @@ struct sockproto key_proto = { PF_KEY, PF_KEY_V2 };
|
||||
|
||||
static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
|
||||
|
||||
#if 1
|
||||
#define KMALLOC(p, t, n) \
|
||||
((p) = (t) malloc((unsigned long)(n), M_SECA, M_NOWAIT))
|
||||
#define KFREE(p) \
|
||||
free((caddr_t)(p), M_SECA);
|
||||
#else
|
||||
#define KMALLOC(p, t, n) \
|
||||
do { \
|
||||
((p) = (t)malloc((unsigned long)(n), M_SECA, M_NOWAIT));\
|
||||
printf("%s %d: %p <- KMALLOC(%s, %d)\n", \
|
||||
__FILE__, __LINE__, (p), #t, n); \
|
||||
} while (0)
|
||||
|
||||
#define KFREE(p) \
|
||||
do { \
|
||||
printf("%s %d: %p -> KFREE()\n", __FILE__, __LINE__, (p));\
|
||||
free((caddr_t)(p), M_SECA); \
|
||||
} while (0)
|
||||
#endif
|
||||
struct pfkeystat pfkeystat;
|
||||
|
||||
/*
|
||||
* key_usrreq()
|
||||
* derived from net/rtsock.c:route_usrreq()
|
||||
*/
|
||||
#ifndef __NetBSD__
|
||||
int
|
||||
key_usrreq(so, req, m, nam, control)
|
||||
register struct socket *so;
|
||||
int req;
|
||||
struct mbuf *m, *nam, *control;
|
||||
#else
|
||||
int
|
||||
key_usrreq(so, req, m, nam, control, p)
|
||||
register struct socket *so;
|
||||
int req;
|
||||
struct mbuf *m, *nam, *control;
|
||||
struct proc *p;
|
||||
#endif /*__NetBSD__*/
|
||||
{
|
||||
register int error = 0;
|
||||
register struct keycb *kp = (struct keycb *)sotorawcb(so);
|
||||
int s;
|
||||
|
||||
#ifdef __NetBSD__
|
||||
s = splsoftnet();
|
||||
#else
|
||||
s = splnet();
|
||||
#endif
|
||||
if (req == PRU_ATTACH) {
|
||||
MALLOC(kp, struct keycb *, sizeof(*kp), M_PCB, M_WAITOK);
|
||||
kp = (struct keycb *)malloc(sizeof(*kp), M_PCB, M_WAITOK);
|
||||
so->so_pcb = (caddr_t)kp;
|
||||
if (so->so_pcb)
|
||||
bzero(so->so_pcb, sizeof(*kp));
|
||||
@ -145,17 +98,16 @@ key_usrreq(so, req, m, nam, control, p)
|
||||
key_freereg(so);
|
||||
}
|
||||
|
||||
#ifndef __NetBSD__
|
||||
error = raw_usrreq(so, req, m, nam, control);
|
||||
#else
|
||||
error = raw_usrreq(so, req, m, nam, control, p);
|
||||
#endif
|
||||
m = control = NULL; /* reclaimed in raw_usrreq */
|
||||
kp = (struct keycb *)sotorawcb(so);
|
||||
if (req == PRU_ATTACH && kp) {
|
||||
int af = kp->kp_raw.rcb_proto.sp_protocol;
|
||||
if (error) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_usrreq: key_usrreq results %d\n", error);
|
||||
#endif
|
||||
pfkeystat.sockerr++;
|
||||
free((caddr_t)kp, M_PCB);
|
||||
so->so_pcb = (caddr_t) 0;
|
||||
splx(s);
|
||||
@ -167,43 +119,8 @@ key_usrreq(so, req, m, nam, control, p)
|
||||
if (af == PF_KEY) /* XXX: AF_KEY */
|
||||
key_cb.key_count++;
|
||||
key_cb.any_count++;
|
||||
#ifndef __bsdi__
|
||||
kp->kp_raw.rcb_laddr = &key_src;
|
||||
kp->kp_raw.rcb_faddr = &key_dst;
|
||||
#else
|
||||
/*
|
||||
* XXX rcb_faddr must be dynamically allocated, otherwise
|
||||
* raw_disconnect() will be angry.
|
||||
*/
|
||||
{
|
||||
struct mbuf *m, *n;
|
||||
MGET(m, M_WAITOK, MT_DATA);
|
||||
if (!m) {
|
||||
error = ENOBUFS;
|
||||
printf("key_usrreq: key_usrreq results %d\n", error);
|
||||
free((caddr_t)kp, M_PCB);
|
||||
so->so_pcb = (caddr_t) 0;
|
||||
splx(s);
|
||||
return(error);
|
||||
}
|
||||
MGET(n, M_WAITOK, MT_DATA);
|
||||
if (!n) {
|
||||
error = ENOBUFS;
|
||||
m_freem(m);
|
||||
printf("key_usrreq: key_usrreq results %d\n", error);
|
||||
free((caddr_t)kp, M_PCB);
|
||||
so->so_pcb = (caddr_t) 0;
|
||||
splx(s);
|
||||
return(error);
|
||||
}
|
||||
m->m_len = sizeof(key_src);
|
||||
kp->kp_raw.rcb_laddr = mtod(m, struct sockaddr *);
|
||||
bcopy(&key_src, kp->kp_raw.rcb_laddr, sizeof(key_src));
|
||||
n->m_len = sizeof(key_dst);
|
||||
kp->kp_raw.rcb_faddr = mtod(n, struct sockaddr *);
|
||||
bcopy(&key_dst, kp->kp_raw.rcb_faddr, sizeof(key_dst));
|
||||
}
|
||||
#endif
|
||||
soisconnected(so);
|
||||
so->so_options |= SO_USELOOPBACK;
|
||||
}
|
||||
@ -237,24 +154,44 @@ key_output(m, va_alist)
|
||||
if (m == 0)
|
||||
panic("key_output: NULL pointer was passed.\n");
|
||||
|
||||
if (m->m_len < sizeof(long)
|
||||
&& (m = m_pullup(m, 8)) == 0) {
|
||||
printf("key_output: can't pullup mbuf\n");
|
||||
error = ENOBUFS;
|
||||
pfkeystat.out_total++;
|
||||
pfkeystat.out_bytes += m->m_pkthdr.len;
|
||||
|
||||
len = m->m_pkthdr.len;
|
||||
if (len < sizeof(struct sadb_msg)) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_output: Invalid message length.\n");
|
||||
#endif
|
||||
pfkeystat.out_tooshort++;
|
||||
error = EINVAL;
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (m->m_len < sizeof(struct sadb_msg)) {
|
||||
if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_output: can't pullup mbuf\n");
|
||||
#endif
|
||||
pfkeystat.out_nomem++;
|
||||
error = ENOBUFS;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if ((m->m_flags & M_PKTHDR) == 0)
|
||||
panic("key_output: not M_PKTHDR ??");
|
||||
|
||||
#if defined(IPSEC_DEBUG)
|
||||
#ifdef IPSEC_DEBUG
|
||||
KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
|
||||
#endif /* defined(IPSEC_DEBUG) */
|
||||
|
||||
len = m->m_pkthdr.len;
|
||||
if (len < sizeof(struct sadb_msg)
|
||||
|| len != PFKEY_UNUNIT64(mtod(m, struct sadb_msg *)->sadb_msg_len)) {
|
||||
msg = mtod(m, struct sadb_msg *);
|
||||
pfkeystat.out_msgtype[msg->sadb_msg_type]++;
|
||||
if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_output: Invalid message length.\n");
|
||||
#endif
|
||||
pfkeystat.out_invlen++;
|
||||
error = EINVAL;
|
||||
goto end;
|
||||
}
|
||||
@ -263,23 +200,23 @@ key_output(m, va_alist)
|
||||
* allocate memory for sadb_msg, and copy to sadb_msg from mbuf
|
||||
* XXX: To be processed directly without a copy.
|
||||
*/
|
||||
KMALLOC(msg, struct sadb_msg *, len);
|
||||
if (msg == 0) {
|
||||
msg = (struct sadb_msg *)malloc(len, M_SECA, M_NOWAIT);
|
||||
if (msg == NULL) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_output: No more memory.\n");
|
||||
#endif
|
||||
error = ENOBUFS;
|
||||
pfkeystat.out_nomem++;
|
||||
goto end;
|
||||
/* or do panic ? */
|
||||
}
|
||||
m_copydata(m, 0, len, (caddr_t)msg);
|
||||
|
||||
/*XXX giant lock*/
|
||||
#ifdef __NetBSD__
|
||||
s = splsoftnet();
|
||||
#else
|
||||
s = splnet();
|
||||
#endif
|
||||
if ((len = key_parse(&msg, so, &target)) == 0) {
|
||||
/* discard. i.e. no need to reply. */
|
||||
/* msg has been freed at key_parse() */
|
||||
error = 0;
|
||||
splx(s);
|
||||
goto end;
|
||||
@ -288,7 +225,7 @@ key_output(m, va_alist)
|
||||
/* send up message to the socket */
|
||||
error = key_sendup(so, msg, len, target);
|
||||
splx(s);
|
||||
KFREE(msg);
|
||||
free(msg, M_SECA);
|
||||
end:
|
||||
m_freem(m);
|
||||
return (error);
|
||||
@ -310,7 +247,10 @@ key_sendup0(rp, m, promisc)
|
||||
if (m && m->m_len < sizeof(struct sadb_msg))
|
||||
m = m_pullup(m, sizeof(struct sadb_msg));
|
||||
if (!m) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_sendup0: cannot pullup\n");
|
||||
#endif
|
||||
pfkeystat.in_nomem++;
|
||||
m_freem(m);
|
||||
return ENOBUFS;
|
||||
}
|
||||
@ -322,11 +262,16 @@ key_sendup0(rp, m, promisc)
|
||||
pmsg->sadb_msg_type = SADB_X_PROMISC;
|
||||
pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
|
||||
/* pid and seq? */
|
||||
|
||||
pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
|
||||
}
|
||||
|
||||
if (!sbappendaddr(&rp->rcb_socket->so_rcv,
|
||||
(struct sockaddr *)&key_src, m, NULL)) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_sendup0: sbappendaddr failed\n");
|
||||
#endif
|
||||
pfkeystat.in_nomem++;
|
||||
m_freem(m);
|
||||
return ENOBUFS;
|
||||
}
|
||||
@ -334,6 +279,7 @@ key_sendup0(rp, m, promisc)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* XXX this interface should be obsoleted. */
|
||||
int
|
||||
key_sendup(so, msg, len, target)
|
||||
struct socket *so;
|
||||
@ -342,10 +288,6 @@ key_sendup(so, msg, len, target)
|
||||
int target; /*target of the resulting message*/
|
||||
{
|
||||
struct mbuf *m, *n, *mprev;
|
||||
struct keycb *kp;
|
||||
int sendup;
|
||||
struct rawcb *rp;
|
||||
int error;
|
||||
int tlen;
|
||||
|
||||
/* sanity check */
|
||||
@ -356,6 +298,14 @@ key_sendup(so, msg, len, target)
|
||||
printf("key_sendup: \n");
|
||||
kdebug_sadb(msg));
|
||||
|
||||
/*
|
||||
* we increment statistics here, just in case we have ENOBUFS
|
||||
* in this function.
|
||||
*/
|
||||
pfkeystat.in_total++;
|
||||
pfkeystat.in_bytes += len;
|
||||
pfkeystat.in_msgtype[msg->sadb_msg_type]++;
|
||||
|
||||
/*
|
||||
* Get mbuf chain whenever possible (not clusters),
|
||||
* to save socket buffer. We'll be generating many SADB_ACQUIRE
|
||||
@ -375,13 +325,16 @@ key_sendup(so, msg, len, target)
|
||||
MGET(n, M_DONTWAIT, MT_DATA);
|
||||
n->m_len = MLEN;
|
||||
}
|
||||
if (!n)
|
||||
if (!n) {
|
||||
pfkeystat.in_nomem++;
|
||||
return ENOBUFS;
|
||||
if (tlen > MCLBYTES) { /*XXX better threshold? */
|
||||
}
|
||||
if (tlen >= MCLBYTES) { /*XXX better threshold? */
|
||||
MCLGET(n, M_DONTWAIT);
|
||||
if ((n->m_flags & M_EXT) == 0) {
|
||||
m_free(n);
|
||||
m_freem(m);
|
||||
pfkeystat.in_nomem++;
|
||||
return ENOBUFS;
|
||||
}
|
||||
n->m_len = MCLBYTES;
|
||||
@ -403,11 +356,49 @@ key_sendup(so, msg, len, target)
|
||||
m->m_pkthdr.rcvif = NULL;
|
||||
m_copyback(m, 0, len, (caddr_t)msg);
|
||||
|
||||
#ifndef __NetBSD__
|
||||
for (rp = rawcb.rcb_next; rp != &rawcb; rp = rp->rcb_next)
|
||||
/* avoid duplicated statistics */
|
||||
pfkeystat.in_total--;
|
||||
pfkeystat.in_bytes -= len;
|
||||
pfkeystat.in_msgtype[msg->sadb_msg_type]--;
|
||||
|
||||
return key_sendup_mbuf(so, m, target);
|
||||
}
|
||||
|
||||
int
|
||||
key_sendup_mbuf(so, m, target)
|
||||
struct socket *so;
|
||||
struct mbuf *m;
|
||||
int target;
|
||||
{
|
||||
struct mbuf *n;
|
||||
struct keycb *kp;
|
||||
int sendup;
|
||||
struct rawcb *rp;
|
||||
int error;
|
||||
|
||||
if (so == NULL || m == NULL)
|
||||
panic("key_sendup_mbuf: NULL pointer was passed.\n");
|
||||
|
||||
pfkeystat.in_total++;
|
||||
pfkeystat.in_bytes += m->m_pkthdr.len;
|
||||
if (m->m_len < sizeof(struct sadb_msg)) {
|
||||
#if 1
|
||||
m = m_pullup(m, sizeof(struct sadb_msg));
|
||||
if (m == NULL) {
|
||||
pfkeystat.in_nomem++;
|
||||
return ENOBUFS;
|
||||
}
|
||||
#else
|
||||
for (rp = rawcb.lh_first; rp; rp = rp->rcb_list.le_next)
|
||||
/* don't bother pulling it up just for stats */
|
||||
#endif
|
||||
}
|
||||
if (m->m_len >= sizeof(struct sadb_msg)) {
|
||||
struct sadb_msg *msg;
|
||||
msg = mtod(m, struct sadb_msg *);
|
||||
pfkeystat.in_msgtype[msg->sadb_msg_type]++;
|
||||
}
|
||||
|
||||
for (rp = rawcb.lh_first; rp; rp = rp->rcb_list.le_next)
|
||||
{
|
||||
if (rp->rcb_proto.sp_family != PF_KEY)
|
||||
continue;
|
||||
@ -449,13 +440,17 @@ key_sendup(so, msg, len, target)
|
||||
sendup++;
|
||||
break;
|
||||
}
|
||||
pfkeystat.in_msgtarget[target]++;
|
||||
|
||||
if (!sendup)
|
||||
continue;
|
||||
|
||||
if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
|
||||
#ifdef IPSEC_DEBUG
|
||||
printf("key_sendup: m_copy fail\n");
|
||||
#endif
|
||||
m_freem(m);
|
||||
pfkeystat.in_nomem++;
|
||||
return ENOBUFS;
|
||||
}
|
||||
|
||||
@ -472,10 +467,6 @@ key_sendup(so, msg, len, target)
|
||||
return error;
|
||||
}
|
||||
|
||||
#ifdef __FreeBSD__
|
||||
/* sysctl */
|
||||
SYSCTL_NODE(_net, PF_KEY, key, CTLFLAG_RW, 0, "Key Family");
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Definitions of protocols supported in the KEY domain.
|
||||
@ -488,9 +479,7 @@ struct protosw keysw[] = {
|
||||
0, key_output, raw_ctlinput, 0,
|
||||
key_usrreq,
|
||||
raw_init, 0, 0, 0,
|
||||
#if defined(__bsdi__) || defined(__NetBSD__)
|
||||
key_sysctl,
|
||||
#endif
|
||||
}
|
||||
};
|
||||
|
||||
@ -498,6 +487,3 @@ struct domain keydomain =
|
||||
{ PF_KEY, "key", key_init, 0, 0,
|
||||
keysw, &keysw[sizeof(keysw)/sizeof(keysw[0])] };
|
||||
|
||||
#ifdef __FreeBSD__
|
||||
DOMAIN_SET(key);
|
||||
#endif
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: keysock.h,v 1.4 1999/07/06 12:23:26 itojun Exp $ */
|
||||
/* $NetBSD: keysock.h,v 1.5 2000/01/31 14:19:13 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -29,41 +29,60 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* KAME Id: keysock.h,v 1.1.6.3.6.1 1999/05/17 17:03:19 itojun Exp */
|
||||
/* KAME Id: keysock.h,v 1.5 2000/01/29 06:21:03 itojun Exp */
|
||||
|
||||
#ifndef _NETKEY_KEYSOCK_H_
|
||||
#define _NETKEY_KEYSOCK_H_
|
||||
|
||||
#ifdef __NetBSD__
|
||||
# ifdef _KERNEL
|
||||
# define KERNEL
|
||||
# endif
|
||||
#endif
|
||||
/* statistics for pfkey socket */
|
||||
struct pfkeystat {
|
||||
/* kernel -> userland */
|
||||
u_quad_t out_total; /* # of total calls */
|
||||
u_quad_t out_bytes; /* total bytecount */
|
||||
u_quad_t out_msgtype[256]; /* message type histogram */
|
||||
u_quad_t out_invlen; /* invalid length field */
|
||||
u_quad_t out_invver; /* invalid version field */
|
||||
u_quad_t out_invmsgtype; /* invalid message type field */
|
||||
u_quad_t out_tooshort; /* msg too short */
|
||||
u_quad_t out_nomem; /* memory allocation failure */
|
||||
u_quad_t out_dupext; /* duplicate extension */
|
||||
u_quad_t out_invexttype; /* invalid extension type */
|
||||
u_quad_t out_invsatype; /* invalid sa type */
|
||||
u_quad_t out_invaddr; /* invalid address extension */
|
||||
/* userland -> kernel */
|
||||
u_quad_t in_total; /* # of total calls */
|
||||
u_quad_t in_bytes; /* total bytecount */
|
||||
u_quad_t in_msgtype[256]; /* message type histogram */
|
||||
u_quad_t in_msgtarget[3]; /* one/all/registered */
|
||||
u_quad_t in_nomem; /* memory allocation failure */
|
||||
/* others */
|
||||
u_quad_t sockerr; /* # of socket related errors */
|
||||
};
|
||||
|
||||
#if defined(KERNEL)
|
||||
#define KEY_SENDUP_ONE 0
|
||||
#define KEY_SENDUP_ALL 1
|
||||
#define KEY_SENDUP_REGISTERED 2
|
||||
|
||||
#ifdef _KERNEL
|
||||
struct keycb {
|
||||
struct rawcb kp_raw; /* rawcb */
|
||||
int kp_promisc; /* promiscuous mode */
|
||||
int kp_registered; /* registered socket */
|
||||
};
|
||||
|
||||
extern struct pfkeystat pfkeystat;
|
||||
|
||||
extern int key_output __P((struct mbuf *, ...));
|
||||
#ifndef __NetBSD__
|
||||
extern int key_usrreq __P((struct socket *, int, struct mbuf *, struct mbuf *, struct mbuf *));
|
||||
extern int key_usrreq __P((struct socket *,
|
||||
int, struct mbuf *, struct mbuf *, struct mbuf *));
|
||||
#else
|
||||
extern int key_usrreq __P((struct socket *,
|
||||
int, struct mbuf *, struct mbuf *, struct mbuf *, struct proc *));
|
||||
#endif
|
||||
|
||||
#define KEY_SENDUP_ONE 0
|
||||
#define KEY_SENDUP_ALL 1
|
||||
#define KEY_SENDUP_REGISTERED 2
|
||||
|
||||
extern int key_sendup __P((struct socket *, struct sadb_msg *, u_int, int));
|
||||
#else
|
||||
#if 0 /* no library defined for this */
|
||||
extern int key_sendup __P((int, struct sadb_msg *, u_int, int));
|
||||
#endif
|
||||
#endif /* defined(KERNEL) */
|
||||
extern int key_sendup_mbuf __P((struct socket *, struct mbuf *, int));
|
||||
#endif /* _KERNEL */
|
||||
|
||||
#endif _NETKEY_KEYSOCK_H_
|
||||
#endif /*_NETKEY_KEYSOCK_H_*/
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: keyv2.h,v 1.5 1999/07/06 12:23:26 itojun Exp $ */
|
||||
/* $NetBSD: keyv2.h,v 1.6 2000/01/31 14:19:14 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
||||
@ -29,7 +29,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* KAME Id: keyv2.h,v 1.1.6.1.6.4 1999/06/08 05:33:39 itojun Exp */
|
||||
/* KAME Id: keyv2.h,v 1.14 2000/01/29 06:21:03 itojun Exp */
|
||||
|
||||
/*
|
||||
* This file has been derived rfc 2367,
|
||||
@ -40,12 +40,6 @@
|
||||
#ifndef _NETKEY_KEYV2_H_
|
||||
#define _NETKEY_KEYV2_H_
|
||||
|
||||
#ifdef __NetBSD__
|
||||
# ifdef _KERNEL
|
||||
# define KERNEL
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
This file defines structures and symbols for the PF_KEY Version 2
|
||||
key management interface. It was written at the U.S. Naval Research
|
||||
@ -71,11 +65,17 @@ you leave this credit intact on any copies of this file.
|
||||
#define SADB_DUMP 10
|
||||
#define SADB_X_PROMISC 11
|
||||
#define SADB_X_PCHANGE 12
|
||||
#define SADB_X_SPDADD 13
|
||||
#define SADB_X_SPDDELETE 14
|
||||
#define SADB_X_SPDDUMP 15
|
||||
#define SADB_X_SPDFLUSH 16
|
||||
#define SADB_MAX 16
|
||||
|
||||
#define SADB_X_SPDUPDATE 13 /* not yet */
|
||||
#define SADB_X_SPDADD 14
|
||||
#define SADB_X_SPDDELETE 15
|
||||
#define SADB_X_SPDGET 16 /* not yet */
|
||||
#define SADB_X_SPDACQUIRE 17 /* not yet */
|
||||
#define SADB_X_SPDDUMP 18
|
||||
#define SADB_X_SPDFLUSH 19
|
||||
#define SADB_X_SPDSETIDX 20 /* add only SPD selector */
|
||||
#define SADB_X_SPDEXPIRE 21 /* not yet */
|
||||
#define SADB_MAX 21
|
||||
|
||||
struct sadb_msg {
|
||||
u_int8_t sadb_msg_version;
|
||||
@ -83,9 +83,13 @@ struct sadb_msg {
|
||||
u_int8_t sadb_msg_errno;
|
||||
u_int8_t sadb_msg_satype;
|
||||
u_int16_t sadb_msg_len;
|
||||
u_int16_t sadb_msg_reserved;
|
||||
u_int8_t sadb_msg_mode; /* XXX */
|
||||
u_int8_t sadb_msg_reserved1;
|
||||
u_int32_t sadb_msg_seq;
|
||||
u_int32_t sadb_msg_pid;
|
||||
u_int32_t sadb_msg_reqid; /* XXX */
|
||||
/* when policy mng, value is zero. */
|
||||
u_int32_t sadb_msg_reserved2;
|
||||
};
|
||||
|
||||
struct sadb_ext {
|
||||
@ -135,6 +139,15 @@ struct sadb_ident {
|
||||
u_int16_t sadb_ident_reserved;
|
||||
u_int64_t sadb_ident_id;
|
||||
};
|
||||
/* in order to use to divide sadb_ident.sadb_ident_id */
|
||||
union sadb_x_ident_id {
|
||||
u_int64_t sadb_x_ident_id;
|
||||
struct _sadb_x_ident_id_addr {
|
||||
u_int16_t prefix;
|
||||
u_int16_t ul_proto;
|
||||
u_int32_t reserved;
|
||||
} sadb_x_ident_id_addr;
|
||||
};
|
||||
|
||||
struct sadb_sens {
|
||||
u_int16_t sadb_sens_len;
|
||||
@ -206,28 +219,37 @@ struct sadb_x_kmprivate {
|
||||
struct sadb_x_policy {
|
||||
u_int16_t sadb_x_policy_len;
|
||||
u_int16_t sadb_x_policy_exttype;
|
||||
u_int16_t sadb_x_policy_type; /* See ipsec.h */
|
||||
u_int16_t sadb_x_policy_reserved;
|
||||
u_int16_t sadb_x_policy_type; /* See policy type of ipsec.h */
|
||||
u_int8_t sadb_x_policy_dir; /* direction, see ipsec.h */
|
||||
u_int8_t sadb_x_policy_reserved;
|
||||
};
|
||||
/*
|
||||
* followed by some of the ipsec policy request, if policy_type == IPSEC.
|
||||
* When policy_type == IPSEC, it is followed by some of
|
||||
* the ipsec policy request.
|
||||
* [total length of ipsec policy requests]
|
||||
* = (sadb_x_policy_len * sizeof(uint64_t) - sizeof(struct sadb_x_policy))
|
||||
*/
|
||||
|
||||
/* XXX IPsec Policy Request Extension */
|
||||
/*
|
||||
* This structure is aligned 8 bytes. Also it's aligned with proxy address
|
||||
* if present.
|
||||
* This structure is aligned 8 bytes.
|
||||
*/
|
||||
struct sadb_x_ipsecrequest {
|
||||
u_int16_t sadb_x_ipsecrequest_len; /* structure length aligned 8 bytes.
|
||||
u_int16_t sadb_x_ipsecrequest_len; /* structure length aligned to 8 bytes.
|
||||
* This value is true length of bytes.
|
||||
* Not in units of 64 bits. */
|
||||
u_int16_t sadb_x_ipsecrequest_proto; /* See ipsec.h */
|
||||
u_int16_t sadb_x_ipsecrequest_mode; /* See ipsec.h */
|
||||
u_int16_t sadb_x_ipsecrequest_level; /* See ipsec.h */
|
||||
/* If mode != 0, the proxy address encoded struct sockaddr is following. */
|
||||
u_int8_t sadb_x_ipsecrequest_mode; /* See IPSEC_MODE_XX in ipsec.h. */
|
||||
u_int8_t sadb_x_ipsecrequest_level; /* See IPSEC_LEVEL_XX in ipsec.h */
|
||||
u_int16_t sadb_x_ipsecrequest_reqid; /* See ipsec.h */
|
||||
|
||||
/*
|
||||
* followed by source IP address of SA, and immediately followed by
|
||||
* destination IP address of SA. These encoded into two of sockaddr
|
||||
* structure without any padding. Must set each sa_len exactly.
|
||||
* Each of length of the sockaddr structure are not aligned to 64bits,
|
||||
* but sum of x_request and addresses is aligned to 64bits.
|
||||
*/
|
||||
};
|
||||
|
||||
#define SADB_EXT_RESERVED 0
|
||||
@ -295,28 +317,34 @@ struct sadb_x_ipsecrequest {
|
||||
#define SADB_X_CALG_OUI 1
|
||||
#define SADB_X_CALG_DEFLATE 2
|
||||
#define SADB_X_CALG_LZS 3
|
||||
#define SADB_X_CALG_MAX 4
|
||||
#endif
|
||||
|
||||
#define SADB_IDENTTYPE_RESERVED 0
|
||||
#define SADB_IDENTTYPE_PREFIX 1
|
||||
#define SADB_IDENTTYPE_FQDN 2
|
||||
#define SADB_IDENTTYPE_USERFQDN 3
|
||||
#define SADB_IDENTTYPE_MAX 3
|
||||
#define SADB_X_IDENTTYPE_ADDR 4
|
||||
#define SADB_IDENTTYPE_MAX 4
|
||||
|
||||
/* `flags' in SA structure holds followings */
|
||||
/* `flags' in sadb_sa structure holds followings */
|
||||
#define SADB_X_EXT_NONE 0x0000 /* i.e. new format. */
|
||||
#define SADB_X_EXT_OLD 0x0001 /* old format. */
|
||||
|
||||
#define SADB_X_EXT_IV4B 0x0010 /* IV length of 4 bytes in use */
|
||||
#define SADB_X_EXT_DERIV 0x0020 /* DES derived */
|
||||
#define SADB_X_EXT_CYCSEQ 0x0040 /* allowing to cyclic sequence. */
|
||||
/* the followings are exclusive flags */
|
||||
|
||||
/* three of followings are exclusive flags each them */
|
||||
#define SADB_X_EXT_PSEQ 0x0000 /* sequencial padding for ESP */
|
||||
#define SADB_X_EXT_PRAND 0x0100 /* random padding for ESP */
|
||||
#define SADB_X_EXT_PZERO 0x0300 /* zero padding for ESP */
|
||||
#define SADB_X_EXT_PZERO 0x0200 /* zero padding for ESP */
|
||||
#define SADB_X_EXT_PMASK 0x0300 /* mask for padding flag */
|
||||
|
||||
#if 1
|
||||
#define SADB_X_EXT_RAWCPI 0x0080 /* use well known CPI (IPComp) */
|
||||
#endif
|
||||
|
||||
#define SADB_KEY_FLAGS_MAX 0x0fff
|
||||
|
||||
/* SPI size for PF_KEYv2 */
|
||||
@ -351,57 +379,48 @@ struct sadb_x_ipsecrequest {
|
||||
#define PFKEY_UNIT64(a) (a)
|
||||
#endif
|
||||
|
||||
#ifndef KERNEL
|
||||
extern void pfkey_sadump(struct sadb_msg *m);
|
||||
extern void pfkey_spdump(struct sadb_msg *m);
|
||||
#ifndef _KERNEL
|
||||
extern void pfkey_sadump __P((struct sadb_msg *));
|
||||
extern void pfkey_spdump __P((struct sadb_msg *));
|
||||
|
||||
struct sockaddr;
|
||||
extern int ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen);
|
||||
extern int pfkey_check(struct sadb_msg *msg, caddr_t *mhp);
|
||||
extern u_int pfkey_set_softrate(u_int type, u_int rate);
|
||||
extern u_int pfkey_get_softrate(u_int type);
|
||||
extern int pfkey_send_getspi(int so, u_int satype,
|
||||
struct sockaddr *src, u_int prefs,
|
||||
struct sockaddr *dst, u_int prefd, u_int proto,
|
||||
u_int32_t min, u_int32_t max, u_int32_t seq);
|
||||
extern int pfkey_send_update( int so, u_int satype,
|
||||
struct sockaddr *src, u_int prefs,
|
||||
struct sockaddr *dst, u_int prefd, u_int proto,
|
||||
struct sockaddr *proxy,
|
||||
u_int32_t spi, caddr_t keymat,
|
||||
u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
|
||||
u_int flags,
|
||||
u_int32_t l_alloc, u_int32_t l_bytes,
|
||||
u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq);
|
||||
extern int pfkey_send_add( int so, u_int satype,
|
||||
struct sockaddr *src, u_int prefs,
|
||||
struct sockaddr *dst, u_int prefd, u_int proto,
|
||||
struct sockaddr *proxy,
|
||||
u_int32_t spi, caddr_t keymat,
|
||||
u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
|
||||
u_int flags,
|
||||
u_int32_t l_alloc, u_int32_t l_bytes,
|
||||
u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq);
|
||||
extern int pfkey_send_delete( int so, u_int satype,
|
||||
struct sockaddr *src, u_int prefs,
|
||||
struct sockaddr *dst, u_int prefd, u_int proto,
|
||||
u_int32_t spi);
|
||||
extern int pfkey_send_get( int so, u_int satype,
|
||||
struct sockaddr *src, u_int prefs,
|
||||
struct sockaddr *dst, u_int prefd, u_int proto,
|
||||
u_int32_t spi);
|
||||
extern int pfkey_send_register(int so, u_int satype);
|
||||
extern int pfkey_recv_register(int so);
|
||||
extern int pfkey_send_flush(int so, u_int satype);
|
||||
extern int pfkey_send_dump(int so, u_int satype);
|
||||
extern int pfkey_send_promisc_toggle(int so, int flag);
|
||||
int ipsec_check_keylen __P((u_int, u_int, u_int));
|
||||
u_int pfkey_set_softrate __P((u_int, u_int));
|
||||
u_int pfkey_get_softrate __P((u_int));
|
||||
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
|
||||
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
|
||||
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
|
||||
struct sockaddr *, u_int32_t, u_int32_t, u_int,
|
||||
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
|
||||
u_int64_t, u_int64_t, u_int32_t));
|
||||
int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
|
||||
struct sockaddr *, u_int32_t, u_int32_t, u_int,
|
||||
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
|
||||
u_int64_t, u_int64_t, u_int32_t));
|
||||
int pfkey_send_delete __P((int, u_int, u_int,
|
||||
struct sockaddr *, struct sockaddr *, u_int32_t));
|
||||
int pfkey_send_get __P((int, u_int, u_int,
|
||||
struct sockaddr *, struct sockaddr *, u_int32_t));
|
||||
int pfkey_send_register __P((int, u_int));
|
||||
int pfkey_recv_register __P((int));
|
||||
int pfkey_send_flush __P((int, u_int));
|
||||
int pfkey_send_dump __P((int, u_int));
|
||||
int pfkey_send_promisc_toggle __P((int, int));
|
||||
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
|
||||
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
|
||||
struct sockaddr *, u_int, u_int, u_int32_t));
|
||||
int pfkey_send_spdflush __P((int));
|
||||
int pfkey_send_spddump __P((int));
|
||||
|
||||
extern int pfkey_open(void);
|
||||
extern void pfkey_close(int so);
|
||||
extern struct sadb_msg *pfkey_recv(int so);
|
||||
extern int pfkey_send(int so, struct sadb_msg *msg, int len);
|
||||
int pfkey_open __P((void));
|
||||
void pfkey_close __P((int));
|
||||
struct sadb_msg *pfkey_recv __P((int));
|
||||
int pfkey_send __P((int, struct sadb_msg *, int));
|
||||
int pfkey_align __P((struct sadb_msg *, caddr_t *));
|
||||
int pfkey_check __P((caddr_t *));
|
||||
|
||||
#endif /*!KERNEL*/
|
||||
#endif /*!_KERNEL*/
|
||||
|
||||
#endif /* __PFKEY_V2_H */
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user