bring in latest KAME ipsec tree.

- interop issues in ipcomp is fixed
- padding type (after ESP) is configurable
- key database memory management (need more fixes)
- policy specification is revisited

XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon
This commit is contained in:
itojun 2000-01-31 14:18:52 +00:00
parent e5e6464767
commit 1a2a1e2b1f
35 changed files with 5154 additions and 4822 deletions

View File

@ -1,4 +1,4 @@
# $NetBSD: files,v 1.346 2000/01/26 06:27:33 thorpej Exp $
# $NetBSD: files,v 1.347 2000/01/31 14:18:52 itojun Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
@ -602,6 +602,7 @@ file kern/exec_conf.c
file kern/exec_ecoff.c exec_ecoff
file netkey/key.c ipsec
file netkey/keydb.c ipsec
file netkey/key_debug.c ipsec
file netkey/keysock.c ipsec

View File

@ -1,4 +1,4 @@
/* $NetBSD: in_pcb.h,v 1.27 1999/07/01 08:12:50 itojun Exp $ */
/* $NetBSD: in_pcb.h,v 1.28 2000/01/31 14:18:53 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -95,9 +95,7 @@ struct inpcb {
int inp_errormtu; /* MTU of last xmit status = EMSGSIZE */
struct inpcbtable *inp_table;
#if 1 /*IPSEC*/
struct secpolicy *inp_sp; /* security policy. It may not be
* used according to policy selection.
*/
struct inpcbpolicy *inp_sp; /* security policy. */
#endif
};
#define inp_faddr inp_ip.ip_dst

View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_input.c,v 1.94 1999/10/26 09:53:17 itojun Exp $ */
/* $NetBSD: ip_input.c,v 1.95 2000/01/31 14:18:54 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -1430,18 +1430,21 @@ ip_forward(m, srcrt)
if (ipforward_rt.ro_rt) {
struct secpolicy *sp;
int ipsecerror;
int ipsechdr;
size_t ipsechdr;
struct route *ro;
sp = ipsec4_getpolicybyaddr(mcopy,
IP_FORWARDING,
&ipsecerror);
IPSEC_DIR_OUTBOUND,
IP_FORWARDING,
&ipsecerror);
if (sp == NULL)
destifp = ipforward_rt.ro_rt->rt_ifp;
else {
/* count IPsec header size */
ipsechdr = ipsec4_hdrsiz(mcopy, NULL);
ipsechdr = ipsec4_hdrsiz(mcopy,
IPSEC_DIR_OUTBOUND,
NULL);
/*
* find the correct route for outer IPv4
@ -1454,8 +1457,9 @@ ip_forward(m, srcrt)
/*XXX*/
destifp = NULL;
if (sp->req != NULL
&& sp->req->sa != NULL) {
ro = &sp->req->sa->saidx->sa_route;
&& sp->req->sav != NULL
&& sp->req->sav->sah != NULL) {
ro = &sp->req->sav->sah->sa_route;
if (ro->ro_rt && ro->ro_rt->rt_ifp) {
dummyifp.if_mtu =
ro->ro_rt->rt_ifp->if_mtu;

View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_output.c,v 1.65 1999/12/20 05:46:33 itojun Exp $ */
/* $NetBSD: ip_output.c,v 1.66 2000/01/31 14:18:55 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -434,9 +434,9 @@ sendit:
#ifdef IPSEC
/* get SP for this packet */
if (so == NULL)
sp = ipsec4_getpolicybyaddr(m, flags, &error);
sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error);
else
sp = ipsec4_getpolicybysock(m, so, &error);
sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
if (sp == NULL) {
ipsecstat.out_inval++;
@ -939,10 +939,11 @@ ip_ctloutput(op, so, level, optname, mp)
#ifdef IPSEC
case IP_IPSEC_POLICY:
{
{
caddr_t req = NULL;
int len = 0;
size_t len = 0;
int priv = 0;
#ifdef __NetBSD__
if (p == 0 || suser(p->p_ucred, &p->p_acflag))
priv = 0;
@ -951,12 +952,11 @@ ip_ctloutput(op, so, level, optname, mp)
#else
priv = (in6p->in6p_socket->so_state & SS_PRIV);
#endif
if (m != 0) {
if (m) {
req = mtod(m, caddr_t);
len = m->m_len;
}
error = ipsec_set_policy(&inp->inp_sp,
optname, req, len, priv);
error = ipsec4_set_policy(inp, optname, req, len, priv);
break;
}
#endif /*IPSEC*/
@ -1028,8 +1028,17 @@ ip_ctloutput(op, so, level, optname, mp)
#ifdef IPSEC
case IP_IPSEC_POLICY:
error = ipsec_get_policy(inp->inp_sp, mp);
{
caddr_t req = NULL;
size_t len;
if (m) {
req = mtod(m, caddr_t);
len = m->m_len;
}
error = ipsec4_get_policy(inp, req, len, mp);
break;
}
#endif /*IPSEC*/
case IP_MULTICAST_IF:

View File

@ -1,4 +1,4 @@
/* $NetBSD: raw_ip.c,v 1.47 1999/12/13 15:17:20 itojun Exp $ */
/* $NetBSD: raw_ip.c,v 1.48 2000/01/31 14:18:55 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -464,7 +464,7 @@ rip_usrreq(so, req, m, nam, control, p)
inp = sotoinpcb(so);
inp->inp_ip.ip_p = (long)nam;
#ifdef IPSEC
error = ipsec_init_policy(&inp->inp_sp);
error = ipsec_init_policy(so, &inp->inp_sp);
if (error != 0) {
in_pcbdetach(inp);
break;

View File

@ -1,4 +1,4 @@
/* $NetBSD: tcp_input.c,v 1.101 1999/12/22 04:03:02 itojun Exp $ */
/* $NetBSD: tcp_input.c,v 1.102 2000/01/31 14:18:56 itojun Exp $ */
/*
%%% portions-copyright-nrl-95
@ -2890,27 +2890,22 @@ syn_cache_get(src, dst, th, hlen, tlen, so, m)
#endif
#ifdef IPSEC
{
struct secpolicy *sp;
/*
* we make a copy of policy, instead of sharing the policy,
* for better behavior in terms of SA lookup and dead SA removal.
*/
if (inp) {
sp = ipsec_copy_policy(sotoinpcb(oso)->inp_sp);
if (sp) {
key_freesp(inp->inp_sp);
inp->inp_sp = sp;
} else
/* copy old policy into new socket's */
if (ipsec_copy_policy(sotoinpcb(oso)->inp_sp, inp->inp_sp))
printf("tcp_input: could not copy policy\n");
}
#ifdef INET6
else if (in6p) {
sp = ipsec_copy_policy(sotoin6pcb(oso)->in6p_sp);
if (sp) {
key_freesp(in6p->in6p_sp);
in6p->in6p_sp = sp;
} else
/* copy old policy into new socket's */
if (ipsec_copy_policy(sotoin6pcb(oso)->in6p_sp, in6p->in6p_sp))
printf("tcp_input: could not copy policy\n");
}
#endif
}
#endif
/*

View File

@ -1,4 +1,4 @@
/* $NetBSD: tcp_subr.c,v 1.85 1999/12/15 06:28:43 itojun Exp $ */
/* $NetBSD: tcp_subr.c,v 1.86 2000/01/31 14:18:57 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -1657,7 +1657,8 @@ ipsec4_hdrsiz_tcp(tp)
return 0;
switch (tp->t_family) {
case AF_INET:
hdrsiz = ipsec4_hdrsiz(tp->t_template, inp);
/* XXX: should use currect direction. */
hdrsiz = ipsec4_hdrsiz(tp->t_template, IPSEC_DIR_OUTBOUND, inp);
break;
default:
hdrsiz = 0;
@ -1679,7 +1680,8 @@ ipsec6_hdrsiz_tcp(tp)
return 0;
switch (tp->t_family) {
case AF_INET6:
hdrsiz = ipsec6_hdrsiz(tp->t_template, in6p);
/* XXX: should use currect direction. */
hdrsiz = ipsec6_hdrsiz(tp->t_template, IPSEC_DIR_OUTBOUND, in6p);
break;
case AF_INET:
/* mapped address case - tricky */

View File

@ -1,4 +1,4 @@
/* $NetBSD: tcp_usrreq.c,v 1.43 1999/12/13 15:17:21 itojun Exp $ */
/* $NetBSD: tcp_usrreq.c,v 1.44 2000/01/31 14:18:58 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -731,7 +731,7 @@ tcp_attach(so)
}
#ifdef IPSEC
if (inp) {
error = ipsec_init_policy(&inp->inp_sp);
error = ipsec_init_policy(so, &inp->inp_sp);
if (error != 0) {
in_pcbdetach(inp);
return (error);
@ -739,7 +739,7 @@ tcp_attach(so)
}
#ifdef INET6
else if (in6p) {
error = ipsec_init_policy(&in6p->in6p_sp);
error = ipsec_init_policy(so, &in6p->in6p_sp);
if (error != 0) {
in6_pcbdetach(in6p);
return (error);

View File

@ -1,4 +1,4 @@
/* $NetBSD: udp_usrreq.c,v 1.57 2000/01/31 10:39:26 itojun Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.58 2000/01/31 14:18:58 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -1342,7 +1342,7 @@ udp_usrreq(so, req, m, nam, control, p)
inp = sotoinpcb(so);
inp->inp_ip.ip_ttl = ip_defttl;
#ifdef IPSEC
error = ipsec_init_policy(&inp->inp_sp);
error = ipsec_init_policy(so, &inp->inp_sp);
if (error != 0) {
in_pcbdetach(inp);
break;

View File

@ -1,4 +1,4 @@
/* $NetBSD: ah.h,v 1.7 2000/01/06 07:31:10 itojun Exp $ */
/* $NetBSD: ah.h,v 1.8 2000/01/31 14:19:00 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -40,7 +40,7 @@
#include "opt_inet.h"
#endif
#include <netkey/keydb.h> /* for struct secas */
#include <netkey/keydb.h> /* for struct secasvar */
struct ah {
u_int8_t ah_nxt; /* Next Header */
@ -60,16 +60,16 @@ struct newah {
};
struct ah_algorithm_state {
struct secas *sa;
struct secasvar *sav;
void* foo; /*per algorithm data - maybe*/
};
struct ah_algorithm {
int (*sumsiz) __P((struct secas *));
int (*mature) __P((struct secas *));
int (*sumsiz) __P((struct secasvar *));
int (*mature) __P((struct secasvar *));
int keymin; /* in bits */
int keymax; /* in bits */
void (*init) __P((struct ah_algorithm_state *, struct secas *));
void (*init) __P((struct ah_algorithm_state *, struct secasvar *));
void (*update) __P((struct ah_algorithm_state *, caddr_t, size_t));
void (*result) __P((struct ah_algorithm_state *, caddr_t));
};
@ -85,21 +85,20 @@ struct in6pcb;
#endif
/* cksum routines */
extern int ah_hdrlen __P((struct secas *));
extern int ah_hdrlen __P((struct secasvar *));
extern size_t ah_hdrsiz __P((struct ipsecrequest *));
extern void ah4_input __P((struct mbuf *, ...));
struct secasb;
extern int ah4_output __P((struct mbuf *, struct ipsecrequest *));
extern int ah4_calccksum __P((struct mbuf *, caddr_t,
struct ah_algorithm *, struct secas *));
struct ah_algorithm *, struct secasvar *));
#ifdef INET6
extern int ah6_input __P((struct mbuf **, int *, int));
extern int ah6_output __P((struct mbuf *, u_char *, struct mbuf *,
struct ipsecrequest *));
extern int ah6_calccksum __P((struct mbuf *, caddr_t,
struct ah_algorithm *, struct secas *));
struct ah_algorithm *, struct secasvar *));
#endif /* INET6 */
#endif /*_KERNEL*/

View File

@ -1,4 +1,4 @@
/* $NetBSD: ah_core.c,v 1.14 2000/01/16 18:06:03 itojun Exp $ */
/* $NetBSD: ah_core.c,v 1.15 2000/01/31 14:19:01 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -53,6 +53,7 @@
#include <sys/errno.h>
#include <sys/time.h>
#include <sys/kernel.h>
#include <sys/syslog.h>
#include <net/if.h>
#include <net/route.h>
@ -61,11 +62,9 @@
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/in_var.h>
#include <netinet/in_pcb.h>
#ifdef INET6
#include <netinet6/ip6.h>
#include <netinet6/in6_pcb.h>
#include <netinet6/ip6_var.h>
#include <netinet6/icmp6.h>
#endif
@ -77,9 +76,19 @@
#endif
#include <netkey/keyv2.h>
#include <netkey/keydb.h>
#ifdef HAVE_MD5
#include <sys/md5.h>
#else
#include <crypto/md5.h>
#endif
#ifdef HAVE_SHA1
#include <sys/sha1.h>
#define SHA1_RESULTLEN 20
#else
#include <crypto/sha1.h>
#endif
#include <net/net_osdep.h>
#define HMACSIZE 16
@ -88,34 +97,34 @@
static char zerobuf[ZEROBUFLEN];
#endif
static int ah_sumsiz_1216 __P((struct secas *));
static int ah_sumsiz_zero __P((struct secas *));
static int ah_none_mature __P((struct secas *));
static int ah_sumsiz_1216 __P((struct secasvar *));
static int ah_sumsiz_zero __P((struct secasvar *));
static int ah_none_mature __P((struct secasvar *));
static void ah_none_init __P((struct ah_algorithm_state *,
struct secas *));
struct secasvar *));
static void ah_none_loop __P((struct ah_algorithm_state *, caddr_t, size_t));
static void ah_none_result __P((struct ah_algorithm_state *, caddr_t));
static int ah_keyed_md5_mature __P((struct secas *));
static int ah_keyed_md5_mature __P((struct secasvar *));
static void ah_keyed_md5_init __P((struct ah_algorithm_state *,
struct secas *));
struct secasvar *));
static void ah_keyed_md5_loop __P((struct ah_algorithm_state *, caddr_t,
size_t));
static void ah_keyed_md5_result __P((struct ah_algorithm_state *, caddr_t));
static int ah_keyed_sha1_mature __P((struct secas *));
static int ah_keyed_sha1_mature __P((struct secasvar *));
static void ah_keyed_sha1_init __P((struct ah_algorithm_state *,
struct secas *));
struct secasvar *));
static void ah_keyed_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
size_t));
static void ah_keyed_sha1_result __P((struct ah_algorithm_state *, caddr_t));
static int ah_hmac_md5_mature __P((struct secas *));
static int ah_hmac_md5_mature __P((struct secasvar *));
static void ah_hmac_md5_init __P((struct ah_algorithm_state *,
struct secas *));
struct secasvar *));
static void ah_hmac_md5_loop __P((struct ah_algorithm_state *, caddr_t,
size_t));
static void ah_hmac_md5_result __P((struct ah_algorithm_state *, caddr_t));
static int ah_hmac_sha1_mature __P((struct secas *));
static int ah_hmac_sha1_mature __P((struct secasvar *));
static void ah_hmac_sha1_init __P((struct ah_algorithm_state *,
struct secas *));
struct secasvar *));
static void ah_hmac_sha1_loop __P((struct ah_algorithm_state *, caddr_t,
size_t));
static void ah_hmac_sha1_result __P((struct ah_algorithm_state *, caddr_t));
@ -137,41 +146,42 @@ struct ah_algorithm ah_algorithms[] = {
};
static int
ah_sumsiz_1216(sa)
struct secas *sa;
ah_sumsiz_1216(sav)
struct secasvar *sav;
{
if (!sa)
if (!sav)
return -1;
if (sa->flags & SADB_X_EXT_OLD)
if (sav->flags & SADB_X_EXT_OLD)
return 16;
else
return 12;
}
static int
ah_sumsiz_zero(sa)
struct secas *sa;
ah_sumsiz_zero(sav)
struct secasvar *sav;
{
if (!sa)
if (!sav)
return -1;
return 0;
}
static int
ah_none_mature(sa)
struct secas *sa;
ah_none_mature(sav)
struct secasvar *sav;
{
if (sa->type == SADB_SATYPE_AH) {
printf("ah_none_mature: protocol and algorithm mismatch.\n");
if (sav->sah->saidx.proto == IPPROTO_AH) {
ipseclog((LOG_ERR,
"ah_none_mature: protocol and algorithm mismatch.\n"));
return 1;
}
return 0;
}
static void
ah_none_init(state, sa)
ah_none_init(state, sav)
struct ah_algorithm_state *state;
struct secas *sa;
struct secasvar *sav;
{
state->foo = NULL;
}
@ -192,30 +202,30 @@ ah_none_result(state, addr)
}
static int
ah_keyed_md5_mature(sa)
struct secas *sa;
ah_keyed_md5_mature(sav)
struct secasvar *sav;
{
/* anything is okay */
return 0;
}
static void
ah_keyed_md5_init(state, sa)
ah_keyed_md5_init(state, sav)
struct ah_algorithm_state *state;
struct secas *sa;
struct secasvar *sav;
{
if (!state)
panic("ah_keyed_md5_init: what?");
state->sa = sa;
state->sav = sav;
state->foo = (void *)malloc(sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
if (state->foo == NULL)
panic("ah_keyed_md5_init: what?");
MD5Init((MD5_CTX *)state->foo);
if (state->sa) {
if (state->sav) {
MD5Update((MD5_CTX *)state->foo,
(u_int8_t *)_KEYBUF(state->sa->key_auth),
(u_int)_KEYLEN(state->sa->key_auth));
(u_int8_t *)_KEYBUF(state->sav->key_auth),
(u_int)_KEYLEN(state->sav->key_auth));
{
/*
@ -227,11 +237,11 @@ ah_keyed_md5_init(state, sa)
size_t keybitlen;
u_int8_t buf[32];
if (_KEYLEN(state->sa->key_auth) < 56)
padlen = 64 - 8 - _KEYLEN(state->sa->key_auth);
if (_KEYLEN(state->sav->key_auth) < 56)
padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
else
padlen = 64 + 64 - 8 - _KEYLEN(state->sa->key_auth);
keybitlen = _KEYLEN(state->sa->key_auth);
padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
keybitlen = _KEYLEN(state->sav->key_auth);
keybitlen *= 8;
buf[0] = 0x80;
@ -278,10 +288,10 @@ ah_keyed_md5_result(state, addr)
if (!state)
panic("ah_keyed_md5_result: what?");
if (state->sa) {
if (state->sav) {
MD5Update((MD5_CTX *)state->foo,
(u_int8_t *)_KEYBUF(state->sa->key_auth),
(u_int)_KEYLEN(state->sa->key_auth));
(u_int8_t *)_KEYBUF(state->sav->key_auth),
(u_int)_KEYLEN(state->sav->key_auth));
}
MD5Final(&digest[0], (MD5_CTX *)state->foo);
free(state->foo, M_TEMP);
@ -289,20 +299,21 @@ ah_keyed_md5_result(state, addr)
}
static int
ah_keyed_sha1_mature(sa)
struct secas *sa;
ah_keyed_sha1_mature(sav)
struct secasvar *sav;
{
struct ah_algorithm *algo;
if (!sa->key_auth) {
printf("esp_keyed_sha1_mature: no key is given.\n");
if (!sav->key_auth) {
ipseclog((LOG_ERR, "ah_keyed_sha1_mature: no key is given.\n"));
return 1;
}
algo = &ah_algorithms[sa->alg_auth];
if (sa->key_auth->sadb_key_bits < algo->keymin
|| algo->keymax < sa->key_auth->sadb_key_bits) {
printf("ah_keyed_sha1_mature: invalid key length %d.\n",
sa->key_auth->sadb_key_bits);
algo = &ah_algorithms[sav->alg_auth];
if (sav->key_auth->sadb_key_bits < algo->keymin
|| algo->keymax < sav->key_auth->sadb_key_bits) {
ipseclog((LOG_ERR,
"ah_keyed_sha1_mature: invalid key length %d.\n",
sav->key_auth->sadb_key_bits));
return 1;
}
@ -310,16 +321,16 @@ ah_keyed_sha1_mature(sa)
}
static void
ah_keyed_sha1_init(state, sa)
ah_keyed_sha1_init(state, sav)
struct ah_algorithm_state *state;
struct secas *sa;
struct secasvar *sav;
{
SHA1_CTX *ctxt;
if (!state)
panic("ah_keyed_sha1_init: what?");
state->sa = sa;
state->sav = sav;
state->foo = (void *)malloc(sizeof(SHA1_CTX), M_TEMP, M_NOWAIT);
if (!state->foo)
panic("ah_keyed_sha1_init: what?");
@ -327,9 +338,9 @@ ah_keyed_sha1_init(state, sa)
ctxt = (SHA1_CTX *)state->foo;
SHA1Init(ctxt);
if (state->sa) {
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sa->key_auth),
(u_int)_KEYLEN(state->sa->key_auth));
if (state->sav) {
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
(u_int)_KEYLEN(state->sav->key_auth));
{
/*
@ -339,11 +350,11 @@ ah_keyed_sha1_init(state, sa)
size_t keybitlen;
u_int8_t buf[32];
if (_KEYLEN(state->sa->key_auth) < 56)
padlen = 64 - 8 - _KEYLEN(state->sa->key_auth);
if (_KEYLEN(state->sav->key_auth) < 56)
padlen = 64 - 8 - _KEYLEN(state->sav->key_auth);
else
padlen = 64 + 64 - 8 - _KEYLEN(state->sa->key_auth);
keybitlen = _KEYLEN(state->sa->key_auth);
padlen = 64 + 64 - 8 - _KEYLEN(state->sav->key_auth);
keybitlen = _KEYLEN(state->sav->key_auth);
keybitlen *= 8;
buf[0] = 0x80;
@ -395,9 +406,9 @@ ah_keyed_sha1_result(state, addr)
panic("ah_keyed_sha1_result: what?");
ctxt = (SHA1_CTX *)state->foo;
if (state->sa) {
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sa->key_auth),
(u_int)_KEYLEN(state->sa->key_auth));
if (state->sav) {
SHA1Update(ctxt, (u_int8_t *)_KEYBUF(state->sav->key_auth),
(u_int)_KEYLEN(state->sav->key_auth));
}
SHA1Final((caddr_t)&digest[0], ctxt);
bcopy(&digest[0], (void *)addr, HMACSIZE);
@ -406,20 +417,21 @@ ah_keyed_sha1_result(state, addr)
}
static int
ah_hmac_md5_mature(sa)
struct secas *sa;
ah_hmac_md5_mature(sav)
struct secasvar *sav;
{
struct ah_algorithm *algo;
if (!sa->key_auth) {
printf("esp_hmac_md5_mature: no key is given.\n");
if (!sav->key_auth) {
ipseclog((LOG_ERR, "ah_hmac_md5_mature: no key is given.\n"));
return 1;
}
algo = &ah_algorithms[sa->alg_auth];
if (sa->key_auth->sadb_key_bits < algo->keymin
|| algo->keymax < sa->key_auth->sadb_key_bits) {
printf("ah_hmac_md5_mature: invalid key length %d.\n",
sa->key_auth->sadb_key_bits);
algo = &ah_algorithms[sav->alg_auth];
if (sav->key_auth->sadb_key_bits < algo->keymin
|| algo->keymax < sav->key_auth->sadb_key_bits) {
ipseclog((LOG_ERR,
"ah_hmac_md5_mature: invalid key length %d.\n",
sav->key_auth->sadb_key_bits));
return 1;
}
@ -427,9 +439,9 @@ ah_hmac_md5_mature(sa)
}
static void
ah_hmac_md5_init(state, sa)
ah_hmac_md5_init(state, sav)
struct ah_algorithm_state *state;
struct secas *sa;
struct secasvar *sav;
{
u_char *ipad;
u_char *opad;
@ -442,7 +454,7 @@ ah_hmac_md5_init(state, sa)
if (!state)
panic("ah_hmac_md5_init: what?");
state->sa = sa;
state->sav = sav;
state->foo = (void *)malloc(64 + 64 + sizeof(MD5_CTX), M_TEMP, M_NOWAIT);
if (!state->foo)
panic("ah_hmac_md5_init: what?");
@ -452,16 +464,16 @@ ah_hmac_md5_init(state, sa)
ctxt = (MD5_CTX *)(opad + 64);
/* compress the key if necessery */
if (64 < _KEYLEN(state->sa->key_auth)) {
if (64 < _KEYLEN(state->sav->key_auth)) {
MD5Init(ctxt);
MD5Update(ctxt, _KEYBUF(state->sa->key_auth),
_KEYLEN(state->sa->key_auth));
MD5Update(ctxt, _KEYBUF(state->sav->key_auth),
_KEYLEN(state->sav->key_auth));
MD5Final(&tk[0], ctxt);
key = &tk[0];
keylen = 16;
} else {
key = _KEYBUF(state->sa->key_auth);
keylen = _KEYLEN(state->sa->key_auth);
key = _KEYBUF(state->sav->key_auth);
keylen = _KEYLEN(state->sav->key_auth);
}
bzero(ipad, 64);
@ -521,20 +533,21 @@ ah_hmac_md5_result(state, addr)
}
static int
ah_hmac_sha1_mature(sa)
struct secas *sa;
ah_hmac_sha1_mature(sav)
struct secasvar *sav;
{
struct ah_algorithm *algo;
if (!sa->key_auth) {
printf("esp_hmac_sha1_mature: no key is given.\n");
if (!sav->key_auth) {
ipseclog((LOG_ERR, "ah_hmac_sha1_mature: no key is given.\n"));
return 1;
}
algo = &ah_algorithms[sa->alg_auth];
if (sa->key_auth->sadb_key_bits < algo->keymin
|| algo->keymax < sa->key_auth->sadb_key_bits) {
printf("ah_hmac_sha1_mature: invalid key length %d.\n",
sa->key_auth->sadb_key_bits);
algo = &ah_algorithms[sav->alg_auth];
if (sav->key_auth->sadb_key_bits < algo->keymin
|| algo->keymax < sav->key_auth->sadb_key_bits) {
ipseclog((LOG_ERR,
"ah_hmac_sha1_mature: invalid key length %d.\n",
sav->key_auth->sadb_key_bits));
return 1;
}
@ -542,9 +555,9 @@ ah_hmac_sha1_mature(sa)
}
static void
ah_hmac_sha1_init(state, sa)
ah_hmac_sha1_init(state, sav)
struct ah_algorithm_state *state;
struct secas *sa;
struct secasvar *sav;
{
u_char *ipad;
u_char *opad;
@ -557,7 +570,7 @@ ah_hmac_sha1_init(state, sa)
if (!state)
panic("ah_hmac_sha1_init: what?");
state->sa = sa;
state->sav = sav;
state->foo = (void *)malloc(64 + 64 + sizeof(SHA1_CTX),
M_TEMP, M_NOWAIT);
if (!state->foo)
@ -568,16 +581,16 @@ ah_hmac_sha1_init(state, sa)
ctxt = (SHA1_CTX *)(opad + 64);
/* compress the key if necessery */
if (64 < _KEYLEN(state->sa->key_auth)) {
if (64 < _KEYLEN(state->sav->key_auth)) {
SHA1Init(ctxt);
SHA1Update(ctxt, _KEYBUF(state->sa->key_auth),
_KEYLEN(state->sa->key_auth));
SHA1Update(ctxt, _KEYBUF(state->sav->key_auth),
_KEYLEN(state->sav->key_auth));
SHA1Final(&tk[0], ctxt);
key = &tk[0];
keylen = SHA1_RESULTLEN;
} else {
key = _KEYBUF(state->sa->key_auth);
keylen = _KEYLEN(state->sa->key_auth);
key = _KEYBUF(state->sav->key_auth);
keylen = _KEYLEN(state->sav->key_auth);
}
bzero(ipad, 64);
@ -643,11 +656,11 @@ ah_hmac_sha1_result(state, addr)
* go generate the checksum.
*/
int
ah4_calccksum(m0, ahdat, algo, sa)
ah4_calccksum(m0, ahdat, algo, sav)
struct mbuf *m0;
caddr_t ahdat;
struct ah_algorithm *algo;
struct secas *sa;
struct secasvar *sav;
{
struct mbuf *m;
int hdrtype;
@ -664,7 +677,7 @@ ah4_calccksum(m0, ahdat, algo, sa)
p = mtod(m, u_char *);
(algo->init)(&algos, sa);
(algo->init)(&algos, sav);
advancewidth = 0; /*safety*/
@ -728,10 +741,11 @@ again:
break;
}
if (l <= 0 || hlen - i < l) {
printf("ah4_input: invalid IP option "
"(type=%02x len=%02x)\n",
p[i + IPOPT_OPTVAL],
p[i + IPOPT_OLEN]);
ipseclog((LOG_ERR,
"ah4_calccksum: invalid IP option "
"(type=%02x len=%02x)\n",
p[i + IPOPT_OPTVAL],
p[i + IPOPT_OLEN]));
break;
}
if (skip) {
@ -758,13 +772,13 @@ again:
int siz;
int hdrsiz;
hdrsiz = (sa->flags & SADB_X_EXT_OLD) ?
hdrsiz = (sav->flags & SADB_X_EXT_OLD) ?
sizeof(struct ah) : sizeof(struct newah);
(algo->update)(&algos, p, hdrsiz);
/* key data region. */
siz = (*algo->sumsiz)(sa);
siz = (*algo->sumsiz)(sav);
bzero(&dummy[0], sizeof(dummy));
while (sizeof(dummy) <= siz) {
(algo->update)(&algos, dummy, sizeof(dummy));
@ -775,26 +789,26 @@ again:
(algo->update)(&algos, dummy, siz);
/* padding region, just in case */
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sa);
if ((sa->flags & SADB_X_EXT_OLD) == 0)
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sav);
if ((sav->flags & SADB_X_EXT_OLD) == 0)
siz -= 4; /* sequence number field */
if (0 < siz) {
/* RFC 1826 */
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sa),
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sav),
siz);
}
hdrtype = ((struct ah *)p)->ah_nxt;
advancewidth = hdrsiz;
advancewidth += ((struct ah *)p)->ah_len << 2;
if ((sa->flags & SADB_X_EXT_OLD) == 0)
if ((sav->flags & SADB_X_EXT_OLD) == 0)
advancewidth -= 4; /* sequence number field */
break;
}
default:
printf("ah4_calccksum: unexpected hdrtype=%x; "
"treating rest as payload\n", hdrtype);
ipseclog((LOG_DEBUG, "ah4_calccksum: unexpected hdrtype=%x; "
"treating rest as payload\n", hdrtype));
/*fall through*/
case IPPROTO_ICMP:
case IPPROTO_IGMP:
@ -831,7 +845,8 @@ again:
if (m)
p = mtod(m, u_char *);
else {
printf("ERR: hit the end-of-mbuf...\n");
ipseclog((LOG_DEBUG,
"hit the end-of-mbuf...\n"));
p = NULL;
}
}
@ -843,7 +858,7 @@ again:
/* for HMAC algorithms... */
(algo->result)(&algos, &sumbuf[0]);
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sa));
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
return error;
}
@ -854,11 +869,11 @@ again:
* except AH itself.
*/
int
ah6_calccksum(m0, ahdat, algo, sa)
ah6_calccksum(m0, ahdat, algo, sav)
struct mbuf *m0;
caddr_t ahdat;
struct ah_algorithm *algo;
struct secas *sa;
struct secasvar *sav;
{
struct mbuf *m;
int hdrtype;
@ -876,7 +891,7 @@ ah6_calccksum(m0, ahdat, algo, sa)
p = mtod(m, u_char *);
(algo->init)(&algos, sa);
(algo->init)(&algos, sav);
advancewidth = 0; /*safety*/
nest = 0;
@ -917,13 +932,13 @@ again:
int siz;
int hdrsiz;
hdrsiz = (sa->flags & SADB_X_EXT_OLD) ?
hdrsiz = (sav->flags & SADB_X_EXT_OLD) ?
sizeof(struct ah) : sizeof(struct newah);
(algo->update)(&algos, p, hdrsiz);
/* key data region. */
siz = (*algo->sumsiz)(sa);
siz = (*algo->sumsiz)(sav);
bzero(&dummy[0], 4);
while (4 <= siz) {
(algo->update)(&algos, dummy, 4);
@ -934,18 +949,18 @@ again:
(algo->update)(&algos, dummy, siz);
/* padding region, just in case */
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sa);
if ((sa->flags & SADB_X_EXT_OLD) == 0)
siz = (((struct ah *)p)->ah_len << 2) - (*algo->sumsiz)(sav);
if ((sav->flags & SADB_X_EXT_OLD) == 0)
siz -= 4; /* sequence number field */
if (0 < siz) {
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sa),
(algo->update)(&algos, p + hdrsiz + (*algo->sumsiz)(sav),
siz);
}
hdrtype = ((struct ah *)p)->ah_nxt;
advancewidth = hdrsiz;
advancewidth += ((struct ah *)p)->ah_len << 2;
if ((sa->flags & SADB_X_EXT_OLD) == 0)
if ((sav->flags & SADB_X_EXT_OLD) == 0)
advancewidth -= 4; /* sequence number field */
break;
}
@ -1068,12 +1083,12 @@ again:
break;
}
default:
printf("ah6_calccksum: unexpected hdrtype=%x; "
"treating rest as payload\n", hdrtype);
ipseclog((LOG_DEBUG, "ah6_calccksum: unexpected hdrtype=%x; "
"treating rest as payload\n", hdrtype));
/*fall through*/
case IPPROTO_ICMP:
case IPPROTO_IGMP:
case IPPROTO_IPIP: /*?*/
case IPPROTO_IPIP:
case IPPROTO_IPV6:
case IPPROTO_ICMPV6:
case IPPROTO_UDP:
@ -1104,7 +1119,8 @@ again:
if (m)
p = mtod(m, u_char *);
else {
printf("ERR: hit the end-of-mbuf...\n");
ipseclog((LOG_DEBUG,
"hit the end-of-mbuf...\n"));
p = NULL;
}
}
@ -1116,7 +1132,7 @@ again:
/* for HMAC algorithms... */
(algo->result)(&algos, &sumbuf[0]);
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sa));
bcopy(&sumbuf[0], ahdat, (*algo->sumsiz)(sav));
return(0);

View File

@ -1,4 +1,4 @@
/* $NetBSD: ah_input.c,v 1.6 2000/01/06 07:31:11 itojun Exp $ */
/* $NetBSD: ah_input.c,v 1.7 2000/01/31 14:19:01 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,7 +61,6 @@
#ifdef INET6
#include <netinet6/ip6.h>
#include <netinet6/in6_pcb.h>
#include <netinet6/ip6_var.h>
#include <netinet6/icmp6.h>
#endif
@ -74,9 +73,7 @@
#include <machine/stdarg.h>
#ifdef __NetBSD__
#define ovbcopy bcopy
#endif
#include <net/net_osdep.h>
#ifdef INET
extern struct protosw inetsw[];
@ -98,7 +95,7 @@ ah4_input(m, va_alist)
size_t siz;
size_t siz1;
u_char *cksum;
struct secas *sa = NULL;
struct secasvar *sav = NULL;
u_int16_t nxt;
size_t hlen;
int s;
@ -110,11 +107,12 @@ ah4_input(m, va_alist)
proto = va_arg(ap, int);
va_end(ap);
#ifndef PULLDOWN_TEST
if (m->m_len < off + sizeof(struct newah)) {
m = m_pullup(m, off + sizeof(struct newah));
if (!m) {
printf("IPv4 AH input: can't pullup;"
"dropping the packet for simplicity\n");
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup;"
"dropping the packet for simplicity\n"));
ipsecstat.in_inval++;
goto fail;
}
@ -122,6 +120,16 @@ ah4_input(m, va_alist)
ip = mtod(m, struct ip *);
ah = (struct ah *)(((caddr_t)ip) + off);
#else
ip = mtod(m, struct ip *);
IP6_EXTHDR_GET(ah, struct ah *, m, off, sizeof(struct newah));
if (ah == NULL) {
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup;"
"dropping the packet for simplicity\n"));
ipsecstat.in_inval++;
goto fail;
}
#endif
nxt = ah->ah_nxt;
#ifdef _IP_VHL
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
@ -132,37 +140,36 @@ ah4_input(m, va_alist)
/* find the sassoc. */
spi = ah->ah_spi;
if ((sa = key_allocsa(AF_INET,
if ((sav = key_allocsa(AF_INET,
(caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst,
IPPROTO_AH, spi)) == 0) {
printf("IPv4 AH input: no key association found for spi %u;"
"dropping the packet for simplicity\n",
(u_int32_t)ntohl(spi));
ipseclog((LOG_WARNING,
"IPv4 AH input: no key association found for spi %u\n",
(u_int32_t)ntohl(spi)));
ipsecstat.in_nosa++;
goto fail;
}
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah4_input called to allocate SA:%p\n", sa));
if (sa->state != SADB_SASTATE_MATURE
&& sa->state != SADB_SASTATE_DYING) {
printf("IPv4 AH input: non-mature/dying SA found for spi %u; "
"dropping the packet for simplicity\n",
(u_int32_t)ntohl(spi));
printf("DP ah4_input called to allocate SA:%p\n", sav));
if (sav->state != SADB_SASTATE_MATURE
&& sav->state != SADB_SASTATE_DYING) {
ipseclog((LOG_DEBUG,
"IPv4 AH input: non-mature/dying SA found for spi %u\n",
(u_int32_t)ntohl(spi)));
ipsecstat.in_badspi++;
goto fail;
}
if (sa->alg_auth == SADB_AALG_NONE) {
printf("IPv4 AH input: unspecified authentication algorithm "
"for spi %u;"
"dropping the packet for simplicity\n",
(u_int32_t)ntohl(spi));
if (sav->alg_auth == SADB_AALG_NONE) {
ipseclog((LOG_DEBUG, "IPv4 AH input: "
"unspecified authentication algorithm for spi %u\n",
(u_int32_t)ntohl(spi)));
ipsecstat.in_badspi++;
goto fail;
}
algo = &ah_algorithms[sa->alg_auth];
algo = &ah_algorithms[sav->alg_auth];
siz = (*algo->sumsiz)(sa);
siz = (*algo->sumsiz)(sav);
siz1 = ((siz + 3) & ~(4 - 1));
/*
@ -171,22 +178,22 @@ ah4_input(m, va_alist)
{
int sizoff;
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
if ((ah->ah_len << 2) - sizoff != siz1) {
log(LOG_NOTICE, "sum length mismatch in IPv4 AH input "
ipseclog((LOG_NOTICE, "sum length mismatch in IPv4 AH input "
"(%d should be %u): %s\n",
(ah->ah_len << 2) - sizoff, (unsigned int)siz1,
ipsec4_logpacketstr(ip, spi));
ipsec4_logpacketstr(ip, spi)));
ipsecstat.in_inval++;
goto fail;
}
#ifndef PULLDOWN_TEST
if (m->m_len < off + sizeof(struct ah) + sizoff + siz1) {
m = m_pullup(m, off + sizeof(struct ah) + sizoff + siz1);
if (!m) {
printf("IPv4 AH input: can't pullup;"
"dropping the packet for simplicity\n");
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup\n"));
ipsecstat.in_inval++;
goto fail;
}
@ -194,19 +201,28 @@ ah4_input(m, va_alist)
ip = mtod(m, struct ip *);
ah = (struct ah *)(((caddr_t)ip) + off);
}
#else
IP6_EXTHDR_GET(ah, struct ah *, m, off,
sizeof(struct ah) + sizoff + siz1);
if (ah == NULL) {
ipseclog((LOG_DEBUG, "IPv4 AH input: can't pullup\n"));
ipsecstat.in_inval++;
goto fail;
}
#endif
}
/*
* check for sequence number.
*/
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sa))
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav))
; /*okey*/
else {
ipsecstat.in_ahreplay++;
log(LOG_AUTH, "replay packet in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi),
ipsec_logsastr(sa));
ipseclog((LOG_WARNING,
"replay packet in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
goto fail;
}
}
@ -217,7 +233,8 @@ ah4_input(m, va_alist)
*/
cksum = malloc(siz1, M_TEMP, M_NOWAIT);
if (!cksum) {
printf("IPv4 AH input: couldn't alloc temporary region for cksum\n");
ipseclog((LOG_DEBUG, "IPv4 AH input: "
"couldn't alloc temporary region for cksum\n"));
ipsecstat.in_inval++;
goto fail;
}
@ -231,12 +248,12 @@ ah4_input(m, va_alist)
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
#endif
if (ah4_calccksum(m, (caddr_t)cksum, algo, sa)) {
if (ah4_calccksum(m, (caddr_t)cksum, algo, sav)) {
free(cksum, M_TEMP);
ipsecstat.in_inval++;
goto fail;
}
ipsecstat.in_ahhist[sa->alg_auth]++;
ipsecstat.in_ahhist[sav->alg_auth]++;
#if 1
/*
* flip them back.
@ -249,7 +266,7 @@ ah4_input(m, va_alist)
{
caddr_t sumpos = NULL;
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
sumpos = (caddr_t)(ah + 1);
} else {
@ -258,9 +275,9 @@ ah4_input(m, va_alist)
}
if (bcmp(sumpos, cksum, siz) != 0) {
log(LOG_AUTH, "checksum mismatch in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi),
ipsec_logsastr(sa));
ipseclog((LOG_WARNING,
"checksum mismatch in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
free(cksum, M_TEMP);
ipsecstat.in_ahauthfail++;
goto fail;
@ -281,14 +298,14 @@ ah4_input(m, va_alist)
struct ip *nip;
size_t sizoff;
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
if (m->m_len < off + sizeof(struct ah) + sizoff + siz1 + hlen) {
m = m_pullup(m, off + sizeof(struct ah)
+ sizoff + siz1 + hlen);
if (!m) {
printf("IPv4 AH input: can't pullup;"
"dropping the packet for simplicity\n");
ipseclog((LOG_DEBUG,
"IPv4 AH input: can't pullup\n"));
ipsecstat.in_inval++;
goto fail;
}
@ -312,27 +329,30 @@ ah4_input(m, va_alist)
if (m->m_flags & M_AUTHIPHDR
&& m->m_flags & M_AUTHIPDGM) {
#if 0
printf("IPv4 AH input: authentication succeess\n");
#else
;
ipseclog((LOG_DEBUG,
"IPv4 AH input: authentication succeess\n"));
#endif
ipsecstat.in_ahauthsucc++;
} else {
log(LOG_AUTH, "authentication failed in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi),
ipsec_logsastr(sa));
ipseclog((LOG_WARNING,
"authentication failed in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
ipsecstat.in_ahauthfail++;
goto fail;
}
/*
* update sequence number.
*/
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
(void)ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sa);
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav)) {
ipsecstat.in_ahreplay++;
goto fail;
}
}
/* was it transmitted over the IPsec tunnel SA? */
if (ipsec4_tunnel_validate(ip, nxt, sa) && nxt == IPPROTO_IPV4) {
if (ipsec4_tunnel_validate(ip, nxt, sav) && nxt == IPPROTO_IPV4) {
/*
* strip off all the headers that precedes AH.
* IP xx AH IP' payload -> IP' payload
@ -344,7 +364,7 @@ ah4_input(m, va_alist)
u_int8_t tos;
tos = ip->ip_tos;
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
stripsiz = sizeof(struct ah) + siz1;
} else {
@ -362,11 +382,11 @@ ah4_input(m, va_alist)
ip = mtod(m, struct ip *);
/* ECN consideration. */
ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos);
if (!key_checktunnelsanity(sa, AF_INET,
if (!key_checktunnelsanity(sav, AF_INET,
(caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) {
log(LOG_NOTICE, "ipsec tunnel address mismatch in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi),
ipsec_logsastr(sa));
ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
"in IPv4 AH input: %s %s\n",
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
ipsecstat.in_inval++;
goto fail;
}
@ -403,7 +423,7 @@ ah4_input(m, va_alist)
m->m_flags &= ~M_AUTHIPDGM;
#endif
key_sa_recordxfer(sa, m);
key_sa_recordxfer(sav, m);
s = splimp();
if (IF_QFULL(&ipintrq)) {
@ -423,7 +443,7 @@ ah4_input(m, va_alist)
*/
size_t stripsiz = 0;
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
stripsiz = sizeof(struct ah) + siz1;
} else {
@ -431,6 +451,7 @@ ah4_input(m, va_alist)
stripsiz = sizeof(struct newah) + siz1;
}
#ifndef PULLDOWN_TEST
ip = mtod(m, struct ip *);
ovbcopy((caddr_t)ip, (caddr_t)(((u_char *)ip) + stripsiz), off);
m->m_data += stripsiz;
@ -447,7 +468,9 @@ ah4_input(m, va_alist)
#endif
ip->ip_p = nxt;
/* forget about IP hdr checksum, the check has already been passed */
#else
off += stripsiz;
#endif
if (nxt != IPPROTO_DONE)
(*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
else
@ -455,19 +478,19 @@ ah4_input(m, va_alist)
m = NULL;
}
if (sa) {
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah4_input call free SA:%p\n", sa));
key_freesa(sa);
printf("DP ah4_input call free SA:%p\n", sav));
key_freesav(sav);
}
ipsecstat.in_success++;
return;
fail:
if (sa) {
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah4_input call free SA:%p\n", sa));
key_freesa(sa);
printf("DP ah4_input call free SA:%p\n", sav));
key_freesav(sav);
}
if (m)
m_freem(m);
@ -490,14 +513,23 @@ ah6_input(mp, offp, proto)
size_t siz;
size_t siz1;
u_char *cksum;
struct secas *sa = NULL;
struct secasvar *sav = NULL;
u_int16_t nxt;
int s;
ip6 = mtod(m, struct ip6_hdr *);
#ifndef PULLDOWN_TEST
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah), IPPROTO_DONE);
ip6 = mtod(m, struct ip6_hdr *);
ah = (struct ah *)(((caddr_t)ip6) + off);
#else
IP6_EXTHDR_GET(ah, struct ah *, m, off, sizeof(struct newah));
if (ah == NULL) {
ipseclog((LOG_DEBUG, "IPv6 AH input: can't pullup\n"));
ipsecstat.in_inval++;
return IPPROTO_DONE;
}
#endif
nxt = ah->ah_nxt;
@ -505,42 +537,42 @@ ah6_input(mp, offp, proto)
spi = ah->ah_spi;
if (ntohs(ip6->ip6_plen) == 0) {
printf("IPv6 AH input: AH with IPv6 jumbogram is not supported.\n");
ipseclog((LOG_ERR, "IPv6 AH input: "
"AH with IPv6 jumbogram is not supported.\n"));
ipsec6stat.in_inval++;
goto fail;
}
if ((sa = key_allocsa(AF_INET6,
if ((sav = key_allocsa(AF_INET6,
(caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst,
IPPROTO_AH, spi)) == 0) {
printf("IPv6 AH input: no key association found for spi %u;"
"dropping the packet for simplicity\n",
(u_int32_t)ntohl(spi));
ipseclog((LOG_WARNING,
"IPv6 AH input: no key association found for spi %u\n",
(u_int32_t)ntohl(spi)));
ipsec6stat.in_nosa++;
goto fail;
}
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah6_input called to allocate SA:%p\n", sa));
if (sa->state != SADB_SASTATE_MATURE
&& sa->state != SADB_SASTATE_DYING) {
printf("IPv6 AH input: non-mature/dying SA found for spi %u; "
"dropping the packet for simplicity\n",
(u_int32_t)ntohl(spi));
printf("DP ah6_input called to allocate SA:%p\n", sav));
if (sav->state != SADB_SASTATE_MATURE
&& sav->state != SADB_SASTATE_DYING) {
ipseclog((LOG_DEBUG,
"IPv6 AH input: non-mature/dying SA found for spi %u; ",
(u_int32_t)ntohl(spi)));
ipsec6stat.in_badspi++;
goto fail;
}
if (sa->alg_auth == SADB_AALG_NONE) {
printf("IPv6 AH input: unspecified authentication algorithm "
"for spi %u;"
"dropping the packet for simplicity\n",
(u_int32_t)ntohl(spi));
if (sav->alg_auth == SADB_AALG_NONE) {
ipseclog((LOG_DEBUG, "IPv6 AH input: "
"unspecified authentication algorithm for spi %u\n",
(u_int32_t)ntohl(spi)));
ipsec6stat.in_badspi++;
goto fail;
}
algo = &ah_algorithms[sa->alg_auth];
algo = &ah_algorithms[sav->alg_auth];
siz = (*algo->sumsiz)(sa);
siz = (*algo->sumsiz)(sav);
siz1 = ((siz + 3) & ~(4 - 1));
/*
@ -549,30 +581,42 @@ ah6_input(mp, offp, proto)
{
int sizoff;
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
if ((ah->ah_len << 2) - sizoff != siz1) {
log(LOG_NOTICE, "sum length mismatch in IPv6 AH input "
ipseclog((LOG_NOTICE, "sum length mismatch in IPv6 AH input "
"(%d should be %u): %s\n",
(ah->ah_len << 2) - sizoff, (unsigned int)siz1,
ipsec6_logpacketstr(ip6, spi));
ipsec6_logpacketstr(ip6, spi)));
ipsec6stat.in_inval++;
goto fail;
}
#ifndef PULLDOWN_TEST
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1, IPPROTO_DONE);
#else
IP6_EXTHDR_GET(ah, struct ah *, m, off,
sizeof(struct ah) + sizoff + siz1);
if (ah == NULL) {
ipseclog((LOG_NOTICE, "couldn't pullup gather IPv6 AH checksum part"));
ipsecstat.in_inval++;
m = NULL;
goto fail;
}
#endif
}
/*
* check for sequence number.
*/
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sa))
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
if (ipsec_chkreplay(ntohl(((struct newah *)ah)->ah_seq), sav))
; /*okey*/
else {
ipsec6stat.in_ahreplay++;
log(LOG_AUTH, "replay packet in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sa));
ipseclog((LOG_WARNING,
"replay packet in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sav)));
goto fail;
}
}
@ -583,22 +627,23 @@ ah6_input(mp, offp, proto)
*/
cksum = malloc(siz1, M_TEMP, M_NOWAIT);
if (!cksum) {
printf("IPv6 AH input: couldn't alloc temporary region for cksum\n");
ipseclog((LOG_DEBUG, "IPv6 AH input: "
"couldn't alloc temporary region for cksum\n"));
ipsec6stat.in_inval++;
goto fail;
}
if (ah6_calccksum(m, (caddr_t)cksum, algo, sa)) {
if (ah6_calccksum(m, (caddr_t)cksum, algo, sav)) {
free(cksum, M_TEMP);
ipsec6stat.in_inval++;
goto fail;
}
ipsec6stat.in_ahhist[sa->alg_auth]++;
ipsec6stat.in_ahhist[sav->alg_auth]++;
{
caddr_t sumpos = NULL;
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
sumpos = (caddr_t)(ah + 1);
} else {
@ -607,9 +652,9 @@ ah6_input(mp, offp, proto)
}
if (bcmp(sumpos, cksum, siz) != 0) {
log(LOG_AUTH, "checksum mismatch in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sa));
ipseclog((LOG_WARNING,
"checksum mismatch in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
free(cksum, M_TEMP);
ipsec6stat.in_ahauthfail++;
goto fail;
@ -630,7 +675,7 @@ ah6_input(mp, offp, proto)
struct ip6_hdr *nip6;
size_t sizoff;
sizoff = (sa->flags & SADB_X_EXT_OLD) ? 0 : 4;
sizoff = (sav->flags & SADB_X_EXT_OLD) ? 0 : 4;
IP6_EXTHDR_CHECK(m, off, sizeof(struct ah) + sizoff + siz1
+ sizeof(struct ip6_hdr), IPPROTO_DONE);
@ -653,27 +698,30 @@ ah6_input(mp, offp, proto)
if (m->m_flags & M_AUTHIPHDR
&& m->m_flags & M_AUTHIPDGM) {
#if 0
printf("IPv6 AH input: authentication succeess\n");
#else
;
ipseclog((LOG_DEBUG,
"IPv6 AH input: authentication succeess\n"));
#endif
ipsec6stat.in_ahauthsucc++;
} else {
log(LOG_AUTH, "authentication failed in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sa));
ipseclog((LOG_WARNING,
"authentication failed in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
ipsec6stat.in_ahauthfail++;
goto fail;
}
/*
* update sequence number.
*/
if ((sa->flags & SADB_X_EXT_OLD) == 0 && sa->replay) {
(void)ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sa);
if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) {
if (ipsec_updatereplay(ntohl(((struct newah *)ah)->ah_seq), sav)) {
ipsec6stat.in_ahreplay++;
goto fail;
}
}
/* was it transmitted over the IPsec tunnel SA? */
if (ipsec6_tunnel_validate(ip6, nxt, sa) && nxt == IPPROTO_IPV6) {
if (ipsec6_tunnel_validate(ip6, nxt, sav) && nxt == IPPROTO_IPV6) {
/*
* strip off all the headers that precedes AH.
* IP6 xx AH IP6' payload -> IP6' payload
@ -685,7 +733,7 @@ ah6_input(mp, offp, proto)
u_int32_t flowinfo; /*net endian*/
flowinfo = ip6->ip6_flow;
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
stripsiz = sizeof(struct ah) + siz1;
} else {
@ -707,11 +755,12 @@ ah6_input(mp, offp, proto)
ip6 = mtod(m, struct ip6_hdr *);
/* ECN consideration. */
ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow);
if (!key_checktunnelsanity(sa, AF_INET6,
if (!key_checktunnelsanity(sav, AF_INET6,
(caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) {
log(LOG_NOTICE, "ipsec tunnel address mismatch in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sa));
ipseclog((LOG_NOTICE, "ipsec tunnel address mismatch "
"in IPv6 AH input: %s %s\n",
ipsec6_logpacketstr(ip6, spi),
ipsec_logsastr(sav)));
ipsec6stat.in_inval++;
goto fail;
}
@ -733,7 +782,7 @@ ah6_input(mp, offp, proto)
m->m_flags &= ~M_AUTHIPDGM;
#endif
key_sa_recordxfer(sa, m);
key_sa_recordxfer(sav, m);
s = splimp();
if (IF_QFULL(&ip6intrq)) {
@ -752,6 +801,7 @@ ah6_input(mp, offp, proto)
* the packet is placed in a single mbuf.
*/
size_t stripsiz = 0;
#ifndef PULLDOWN_TEST
char *prvnxtp;
/*
@ -761,8 +811,9 @@ ah6_input(mp, offp, proto)
*/
prvnxtp = ip6_get_prevhdr(m, off); /* XXX */
*prvnxtp = nxt;
#endif
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
stripsiz = sizeof(struct ah) + siz1;
} else {
@ -770,6 +821,7 @@ ah6_input(mp, offp, proto)
stripsiz = sizeof(struct newah) + siz1;
}
#ifndef PULLDOWN_TEST
ip6 = mtod(m, struct ip6_hdr *);
ovbcopy((caddr_t)ip6, (caddr_t)(((u_char *)ip6) + stripsiz),
off);
@ -779,26 +831,29 @@ ah6_input(mp, offp, proto)
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
#else
off += stripsiz;
#endif
key_sa_recordxfer(sa, m);
key_sa_recordxfer(sav, m);
}
*offp = off;
*mp = m;
if (sa) {
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah6_input call free SA:%p\n", sa));
key_freesa(sa);
printf("DP ah6_input call free SA:%p\n", sav));
key_freesav(sav);
}
ipsec6stat.in_success++;
return nxt;
fail:
if (sa) {
if (sav) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ah6_input call free SA:%p\n", sa));
key_freesa(sa);
printf("DP ah6_input call free SA:%p\n", sav));
key_freesav(sav);
}
if (m)
m_freem(m);

View File

@ -1,4 +1,4 @@
/* $NetBSD: ah_output.c,v 1.5 2000/01/06 07:31:11 itojun Exp $ */
/* $NetBSD: ah_output.c,v 1.6 2000/01/31 14:19:02 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -35,8 +35,6 @@
#include "opt_inet.h"
#define ahdprintf(x) printf x
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
@ -58,11 +56,9 @@
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/in_var.h>
#include <netinet/in_pcb.h>
#ifdef INET6
#include <netinet6/ip6.h>
#include <netinet6/in6_pcb.h>
#include <netinet6/ip6_var.h>
#include <netinet6/icmp6.h>
#endif
@ -73,6 +69,8 @@
#include <netkey/keydb.h>
#include <netkey/key_debug.h>
#include <net/net_osdep.h>
static struct in_addr *ah4_finaldst __P((struct mbuf *));
/*
@ -91,19 +89,19 @@ ah_hdrsiz(isr)
if (isr == NULL)
panic("ah_hdrsiz: NULL was passed.\n");
if (isr->proto != IPPROTO_AH)
if (isr->saidx.proto != IPPROTO_AH)
panic("unsupported mode passed to ah_hdrsiz");
if (isr->sa == NULL)
goto contrive;
if (isr->sa->state != SADB_SASTATE_MATURE
&& isr->sa->state != SADB_SASTATE_DYING)
goto contrive;
if (isr->sav == NULL)
goto estimate;
if (isr->sav->state != SADB_SASTATE_MATURE
&& isr->sav->state != SADB_SASTATE_DYING)
goto estimate;
/* we need transport mode AH. */
algo = &ah_algorithms[isr->sa->alg_auth];
algo = &ah_algorithms[isr->sav->alg_auth];
if (!algo)
goto contrive;
goto estimate;
/*
* XXX
@ -112,15 +110,15 @@ ah_hdrsiz(isr)
*
* XXX variable size padding support
*/
hdrsiz = (((*algo->sumsiz)(isr->sa) + 3) & ~(4 - 1));
if (isr->sa->flags & SADB_X_EXT_OLD)
hdrsiz = (((*algo->sumsiz)(isr->sav) + 3) & ~(4 - 1));
if (isr->sav->flags & SADB_X_EXT_OLD)
hdrsiz += sizeof(struct ah);
else
hdrsiz += sizeof(struct newah);
return hdrsiz;
contrive:
estimate:
/* ASSUMING:
* sizeof(struct newah) > sizeof(struct ah).
* 16 = (16 + 3) & ~(4 - 1).
@ -140,7 +138,7 @@ ah4_output(m, isr)
struct mbuf *m;
struct ipsecrequest *isr;
{
struct secas *sa = isr->sa;
struct secasvar *sav = isr->sav;
struct ah_algorithm *algo;
u_int32_t spi;
u_char *ahdrpos;
@ -154,34 +152,33 @@ ah4_output(m, isr)
int error;
/* sanity checks */
if ((sa->flags & SADB_X_EXT_OLD) == 0 && !sa->replay) {
if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
struct ip *ip;
ip = mtod(m, struct ip *);
printf("ah4_output: internal error: "
"sa->replay is null: "
"%x->%x, SPI=%u\n",
ipseclog((LOG_DEBUG, "ah4_output: internal error: "
"sav->replay is null: %x->%x, SPI=%u\n",
(u_int32_t)ntohl(ip->ip_src.s_addr),
(u_int32_t)ntohl(ip->ip_dst.s_addr),
(u_int32_t)ntohl(sa->spi));
(u_int32_t)ntohl(sav->spi)));
ipsecstat.out_inval++;
m_freem(m);
return EINVAL;
}
algo = &ah_algorithms[sa->alg_auth];
spi = sa->spi;
algo = &ah_algorithms[sav->alg_auth];
spi = sav->spi;
/*
* determine the size to grow.
*/
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
ahlen = plen + sizeof(struct ah);
} else {
/* RFC 2402 */
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
ahlen = plen + sizeof(struct newah);
}
@ -201,7 +198,8 @@ ah4_output(m, isr)
struct mbuf *n;
MGET(n, M_DONTWAIT, MT_DATA);
if (!n) {
printf("ENOBUFS in ah4_output %d\n", __LINE__);
ipseclog((LOG_DEBUG, "ENOBUFS in ah4_output %d\n",
__LINE__));
m_freem(m);
return ENOBUFS;
}
@ -222,7 +220,7 @@ ah4_output(m, isr)
/*
* initialize AH.
*/
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
struct ah *ahdr;
ahdr = (struct ah *)ahdrpos;
@ -241,12 +239,23 @@ ah4_output(m, isr)
ahdr->ah_nxt = ip->ip_p;
ahdr->ah_reserve = htons(0);
ahdr->ah_spi = spi;
sa->replay->count++;
if (sav->replay->count == ~0) {
if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
/* XXX Is it noisy ? */
ipseclog((LOG_WARNING,
"replay counter overflowed. %s\n",
ipsec_logsastr(sav)));
ipsecstat.out_inval++;
m_freem(m);
return EINVAL;
}
}
sav->replay->count++;
/*
* XXX sequence number must not be cycled, if the SA is
* installed by IKE daemon.
*/
ahdr->ah_seq = htonl(sa->replay->count);
ahdr->ah_seq = htonl(sav->replay->count);
bzero(ahdr + 1, plen);
}
@ -257,7 +266,7 @@ ah4_output(m, isr)
if (ahlen < (IP_MAXPACKET - ntohs(ip->ip_len)))
ip->ip_len = htons(ntohs(ip->ip_len) + ahlen);
else {
printf("IPv4 AH output: size exceeds limit\n");
ipseclog((LOG_ERR, "IPv4 AH output: size exceeds limit\n"));
ipsecstat.out_inval++;
m_freem(m);
return EMSGSIZE;
@ -280,9 +289,10 @@ ah4_output(m, isr)
* calcurate the checksum, based on security association
* and the algorithm specified.
*/
error = ah4_calccksum(m, (caddr_t)ahsumpos, algo, sa);
error = ah4_calccksum(m, (caddr_t)ahsumpos, algo, sav);
if (error) {
printf("error after ah4_calccksum, called from ah4_output");
ipseclog((LOG_ERR,
"error after ah4_calccksum, called from ah4_output"));
m = NULL;
ipsecstat.out_inval++;
return error;
@ -293,28 +303,28 @@ ah4_output(m, isr)
ip->ip_dst.s_addr = dst.s_addr;
}
ipsecstat.out_success++;
ipsecstat.out_ahhist[sa->alg_auth]++;
key_sa_recordxfer(sa, m);
ipsecstat.out_ahhist[sav->alg_auth]++;
key_sa_recordxfer(sav, m);
return 0;
}
/* Calculate AH length */
int
ah_hdrlen(sa)
struct secas *sa;
ah_hdrlen(sav)
struct secasvar *sav;
{
struct ah_algorithm *algo;
int plen, ahlen;
algo = &ah_algorithms[sa->alg_auth];
if (sa->flags & SADB_X_EXT_OLD) {
algo = &ah_algorithms[sav->alg_auth];
if (sav->flags & SADB_X_EXT_OLD) {
/* RFC 1826 */
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
ahlen = plen + sizeof(struct ah);
} else {
/* RFC 2402 */
plen = ((*algo->sumsiz)(sa) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
plen = ((*algo->sumsiz)(sav) + 3) & ~(4 - 1); /*XXX pad to 8byte?*/
ahlen = plen + sizeof(struct newah);
}
@ -334,7 +344,7 @@ ah6_output(m, nexthdrp, md, isr)
{
struct mbuf *mprev;
struct mbuf *mah;
struct secas *sa = isr->sa;
struct secasvar *sav = isr->sav;
struct ah_algorithm *algo;
u_int32_t spi;
u_char *ahsumpos = NULL;
@ -344,19 +354,19 @@ ah6_output(m, nexthdrp, md, isr)
struct ip6_hdr *ip6;
if (m->m_len < sizeof(struct ip6_hdr)) {
printf("ah6_output: first mbuf too short\n");
ipseclog((LOG_DEBUG, "ah6_output: first mbuf too short\n"));
m_freem(m);
return EINVAL;
}
ahlen = ah_hdrlen(sa);
ahlen = ah_hdrlen(sav);
if (ahlen == 0)
return 0;
for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
;
if (!mprev || mprev->m_next != md) {
printf("ah6_output: md is not in chain\n");
ipseclog((LOG_DEBUG, "ah6_output: md is not in chain\n"));
m_freem(m);
return EINVAL;
}
@ -381,28 +391,29 @@ ah6_output(m, nexthdrp, md, isr)
/* fix plen */
if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
printf("ip6_output: AH with IPv6 jumbogram is not supported\n");
ipseclog((LOG_ERR,
"ip6_output: AH with IPv6 jumbogram is not supported\n"));
m_freem(m);
return EINVAL;
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
if ((sa->flags & SADB_X_EXT_OLD) == 0 && !sa->replay) {
printf("ah6_output: internal error: "
"sa->replay is null: SPI=%u\n",
(u_int32_t)ntohl(sa->spi));
if ((sav->flags & SADB_X_EXT_OLD) == 0 && !sav->replay) {
ipseclog((LOG_DEBUG, "ah6_output: internal error: "
"sav->replay is null: SPI=%u\n",
(u_int32_t)ntohl(sav->spi)));
ipsec6stat.out_inval++;
return 0; /* no change at all */
}
algo = &ah_algorithms[sa->alg_auth];
spi = sa->spi;
algo = &ah_algorithms[sav->alg_auth];
spi = sav->spi;
/*
* initialize AH.
*/
if (sa->flags & SADB_X_EXT_OLD) {
if (sav->flags & SADB_X_EXT_OLD) {
struct ah *ahdr = mtod(mah, struct ah *);
plen = mah->m_len - sizeof(struct ah);
@ -423,12 +434,23 @@ ah6_output(m, nexthdrp, md, isr)
ahdr->ah_len = (plen >> 2) + 1; /* plus one for seq# */
ahdr->ah_reserve = htons(0);
ahdr->ah_spi = spi;
sa->replay->count++;
if (sav->replay->count == ~0) {
if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0) {
/* XXX Is it noisy ? */
ipseclog((LOG_WARNING,
"replay counter overflowed. %s\n",
ipsec_logsastr(sav)));
ipsecstat.out_inval++;
m_freem(m);
return EINVAL;
}
}
sav->replay->count++;
/*
* XXX sequence number must not be cycled, if the SA is
* installed by IKE daemon.
*/
ahdr->ah_seq = htonl(sa->replay->count);
ahdr->ah_seq = htonl(sav->replay->count);
bzero(ahdr + 1, plen);
}
@ -436,13 +458,13 @@ ah6_output(m, nexthdrp, md, isr)
* calcurate the checksum, based on security association
* and the algorithm specified.
*/
error = ah6_calccksum(m, (caddr_t)ahsumpos, algo, sa);
error = ah6_calccksum(m, (caddr_t)ahsumpos, algo, sav);
if (error)
ipsec6stat.out_inval++;
else
ipsec6stat.out_success++;
ipsec6stat.out_ahhist[sa->alg_auth]++;
key_sa_recordxfer(sa, m);
ipsec6stat.out_ahhist[sav->alg_auth]++;
key_sa_recordxfer(sav, m);
return(error);
}
@ -472,7 +494,8 @@ ah4_finaldst(m)
hlen = (ip->ip_hl << 2);
if (m->m_len < hlen) {
printf("ah4_finaldst: parameter mbuf wrong (not pulled up)\n");
ipseclog((LOG_DEBUG,
"ah4_finaldst: parameter mbuf wrong (not pulled up)\n"));
return NULL;
}
@ -481,7 +504,8 @@ ah4_finaldst(m)
optlen = hlen - sizeof(struct ip);
if (optlen < 0) {
printf("ah4_finaldst: wrong optlen %d\n", optlen);
ipseclog((LOG_DEBUG, "ah4_finaldst: wrong optlen %d\n",
optlen));
return NULL;
}
@ -499,9 +523,10 @@ ah4_finaldst(m)
case IPOPT_SSRR:
if (q[i + IPOPT_OLEN] <= 0
|| optlen - i < q[i + IPOPT_OLEN]) {
printf("ip_finaldst: invalid IP option "
"(code=%02x len=%02x)\n",
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]);
ipseclog((LOG_ERR,
"ip_finaldst: invalid IP option "
"(code=%02x len=%02x)\n",
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
return NULL;
}
i += q[i + IPOPT_OLEN] - sizeof(struct in_addr);
@ -509,9 +534,10 @@ ah4_finaldst(m)
default:
if (q[i + IPOPT_OLEN] <= 0
|| optlen - i < q[i + IPOPT_OLEN]) {
printf("ip_finaldst: invalid IP option "
"(code=%02x len=%02x)\n",
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]);
ipseclog((LOG_ERR,
"ip_finaldst: invalid IP option "
"(code=%02x len=%02x)\n",
q[i + IPOPT_OPTVAL], q[i + IPOPT_OLEN]));
return NULL;
}
i += q[i + IPOPT_OLEN];

View File

@ -1,4 +1,4 @@
/* $NetBSD: esp.h,v 1.6 2000/01/06 07:31:11 itojun Exp $ */
/* $NetBSD: esp.h,v 1.7 2000/01/31 14:19:02 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -71,28 +71,27 @@ struct esptail {
};
struct esp_algorithm_state {
struct secas *sa;
struct secasvar *sav;
void* foo; /*per algorithm data - maybe*/
};
/* XXX yet to be defined */
struct esp_algorithm {
size_t padbound; /* pad boundary, in byte */
int (*mature) __P((struct secas *));
int (*mature) __P((struct secasvar *));
int keymin; /* in bits */
int keymax; /* in bits */
int (*ivlen) __P((struct secas *));
int (*ivlen) __P((struct secasvar *));
int (*decrypt) __P((struct mbuf *, size_t,
struct secas *, struct esp_algorithm *, int));
struct secasvar *, struct esp_algorithm *, int));
int (*encrypt) __P((struct mbuf *, size_t, size_t,
struct secas *, struct esp_algorithm *, int));
struct secasvar *, struct esp_algorithm *, int));
};
#ifdef _KERNEL
extern struct esp_algorithm esp_algorithms[];
/* crypt routines */
struct secasb;
extern int esp4_output __P((struct mbuf *, struct ipsecrequest *));
extern void esp4_input __P((struct mbuf *, ...));
extern size_t esp_hdrsiz __P((struct ipsecrequest *));
@ -104,8 +103,8 @@ extern int esp6_input __P((struct mbuf **, int *, int));
#endif /* INET6 */
#endif /*_KERNEL*/
struct secas;
struct secasvar;
extern int esp_auth __P((struct mbuf *, size_t, size_t,
struct secas *, u_char *));
struct secasvar *, u_char *));
#endif /*_NETINET6_ESP_H_*/

View File

@ -1,4 +1,4 @@
/* $NetBSD: in6_pcb.c,v 1.13 2000/01/26 17:06:36 itojun Exp $ */
/* $NetBSD: in6_pcb.c,v 1.14 2000/01/31 14:19:02 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -731,8 +731,6 @@ in6_pcbdetach(in6p)
struct socket *so = in6p->in6p_socket;
#ifdef IPSEC
if (sotoin6pcb(so) != 0)
key_freeso(so);
ipsec6_delete_pcbpolicy(in6p);
#endif /* IPSEC */
sotoin6pcb(so) = 0;

View File

@ -1,4 +1,4 @@
/* $NetBSD: in6_pcb.h,v 1.7 1999/12/27 06:38:47 itojun Exp $ */
/* $NetBSD: in6_pcb.h,v 1.8 2000/01/31 14:19:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -77,6 +77,7 @@
* control block.
*/
struct icmp6_filter;
struct inpcbpolicy;
struct in6pcb {
struct in6pcb *in6p_next, *in6p_prev;
@ -102,9 +103,7 @@ struct in6pcb {
LIST_ENTRY(in6pcb) in6p_hlist; /* hash chain */
u_long in6p_hash; /* hash value */
#if 1 /*IPSEC*/
struct secpolicy *in6p_sp; /* security policy. It may not be
* used according to policy selection.
*/
struct inpcbpolicy *in6p_sp; /* security policy. */
#endif
struct icmp6_filter *in6p_icmp6filt;
int in6p_cksum; /* IPV6_CHECKSUM setsockopt */

View File

@ -1,4 +1,4 @@
/* $NetBSD: ip6_forward.c,v 1.6 2000/01/06 15:46:09 itojun Exp $ */
/* $NetBSD: ip6_forward.c,v 1.7 2000/01/31 14:19:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -46,6 +46,7 @@
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/ip_var.h>
#include <netinet6/ip6.h>
#include <netinet6/ip6_var.h>
#include <netinet6/icmp6.h>
@ -327,8 +328,37 @@ ip6_forward(m, srcrt)
in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
if (mcopy) {
u_long mtu;
#ifdef IPSEC_IPV6FWD
struct secpolicy *sp;
int ipsecerror;
size_t ipsechdrsiz;
#endif
mtu = rt->rt_ifp->if_mtu;
#ifdef IPSEC_IPV6FWD
/*
* When we do IPsec tunnel ingress, we need to play
* with if_mtu value (decrement IPsec header size
* from mtu value). The code is much simpler than v4
* case, as we have the outgoing interface for
* encapsulated packet as "rt->rt_ifp".
*/
sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
IP_FORWARDING, &ipsecerror);
if (sp) {
ipsechdrsiz = ipsec6_hdrsiz(mcopy,
IPSEC_DIR_OUTBOUND, NULL);
if (ipsechdrsiz < mtu)
mtu -= ipsechdrsiz;
}
/*
* if mtu becomes less than minimum MTU,
* tell minimum MTU (and I'll need to fragment it).
*/
if (mtu < IPV6_MMTU)
mtu = IPV6_MMTU;
#endif
icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
}
m_freem(m);

View File

@ -1,4 +1,4 @@
/* $NetBSD: ip6_output.c,v 1.12 2000/01/26 17:06:37 itojun Exp $ */
/* $NetBSD: ip6_output.c,v 1.13 2000/01/31 14:19:03 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -191,9 +191,9 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
#ifdef IPSEC
/* get a security policy for this packet */
if (so == NULL)
sp = ipsec6_getpolicybyaddr(m, 0, &error);
sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
else
sp = ipsec6_getpolicybysock(m, so, &error);
sp = ipsec6_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
if (sp == NULL) {
ipsec6stat.out_inval++;
@ -1295,19 +1295,19 @@ ip6_ctloutput(op, so, level, optname, mp)
case IPV6_IPSEC_POLICY:
{
caddr_t req = NULL;
int len = 0;
size_t len = 0;
int priv = 0;
if (p == 0 || suser(p->p_ucred, &p->p_acflag))
priv = 0;
else
priv = 1;
if (m != 0) {
if (m) {
req = mtod(m, caddr_t);
len = m->m_len;
}
error = ipsec_set_policy(&in6p->in6p_sp,
optname, req, len,
priv);
error = ipsec6_set_policy(in6p,
optname, req, len, priv);
}
break;
#endif /* IPSEC */
@ -1452,8 +1452,17 @@ ip6_ctloutput(op, so, level, optname, mp)
#ifdef IPSEC
case IPV6_IPSEC_POLICY:
error = ipsec_get_policy(in6p->in6p_sp, mp);
{
caddr_t req = NULL;
size_t len = 0;
if (m) {
req = mtod(m, caddr_t);
len = m->m_len;
}
error = ipsec6_get_policy(in6p, req, len, mp);
break;
}
#endif /* IPSEC */
default:

View File

@ -1,4 +1,4 @@
/* $NetBSD: ipcomp_core.c,v 1.8 2000/01/26 17:08:41 itojun Exp $ */
/* $NetBSD: ipcomp_core.c,v 1.9 2000/01/31 14:19:04 itojun Exp $ */
/*
* Copyright (C) 1999 WIDE Project.
@ -46,6 +46,7 @@
#include <sys/time.h>
#include <sys/kernel.h>
#include <sys/syslog.h>
#include <sys/queue.h>
#include <net/if.h>
#include <net/route.h>
@ -54,6 +55,7 @@
#include <machine/cpu.h>
#include <netinet6/ipcomp.h>
#include <netinet6/ipsec.h>
#include <machine/stdarg.h>
@ -83,10 +85,6 @@ struct ipcomp_algorithm ipcomp_algorithms[] = {
{ NULL, NULL, 90 },
};
#ifdef __NetBSD__
#define ovbcopy bcopy
#endif
static void *
deflate_alloc(aux, items, siz)
void *aux;
@ -238,18 +236,18 @@ deflate_common(m, md, lenp, mode)
} else if (zerror == Z_STREAM_END)
break;
else {
printf("ipcomp_%scompress: %sflate: %s\n",
ipseclog((LOG_ERR, "ipcomp_%scompress: %sflate: %s\n",
mode ? "de" : "", mode ? "in" : "de",
zs.msg ? zs.msg : "unknown error");
zs.msg ? zs.msg : "unknown error"));
error = EINVAL;
goto fail;
}
}
zerror = mode ? inflateEnd(&zs) : deflateEnd(&zs);
if (zerror != Z_OK) {
printf("ipcomp_%scompress: %sflate: %s\n",
ipseclog((LOG_ERR, "ipcomp_%scompress: %sflate: %s\n",
mode ? "de" : "", mode ? "in" : "de",
zs.msg ? zs.msg : "unknown error");
zs.msg ? zs.msg : "unknown error"));
error = EINVAL;
goto fail;
}

View File

@ -1,4 +1,4 @@
/* $NetBSD: ipcomp_input.c,v 1.7 2000/01/06 15:46:10 itojun Exp $ */
/* $NetBSD: ipcomp_input.c,v 1.8 2000/01/31 14:19:05 itojun Exp $ */
/*
* Copyright (C) 1999 WIDE Project.
@ -62,7 +62,6 @@
#ifdef INET6
#include <netinet6/ip6.h>
#include <netinet6/in6_pcb.h>
#include <netinet6/ip6_var.h>
#endif
#include <netinet6/ipcomp.h>
@ -74,11 +73,9 @@
#include <machine/stdarg.h>
#define IPLEN_FLIPPED
#include <net/net_osdep.h>
#ifdef __NetBSD__
#define ovbcopy bcopy
#endif
#define IPLEN_FLIPPED
#ifdef INET
extern struct protosw inetsw[];
@ -101,7 +98,7 @@ ipcomp4_input(m, va_alist)
size_t hlen;
int error;
size_t newlen, olen;
struct secas *sa = NULL;
struct secasvar *sav = NULL;
int off, proto;
va_list ap;
@ -112,23 +109,27 @@ ipcomp4_input(m, va_alist)
if (off + sizeof(struct ipcomp) > MHLEN) {
/*XXX the restriction should be relaxed*/
printf("IPv4 IPComp input: assumption failed (header too long)\n");
ipseclog((LOG_DEBUG, "IPv4 IPComp input: assumption failed "
"(header too long)\n"));
ipsecstat.in_inval++;
goto fail;
}
if (m->m_len < off + sizeof(struct ipcomp)) {
m = m_pullup(m, off + sizeof(struct ipcomp));
if (!m) {
printf("IPv4 IPComp input: can't pullup;"
"dropping the packet for simplicity\n");
ipsecstat.in_inval++;
ipseclog((LOG_DEBUG, "IPv4 IPComp input: can't pullup;"
"dropping the packet for simplicity\n"));
ipsecstat.in_nomem++;
goto fail;
}
} else if (m->m_len > off + sizeof(struct ipcomp)) {
/* chop header part from the packet header chain */
struct mbuf *n;
MGETHDR(n, M_DONTWAIT, MT_HEADER);
if (!n)
if (!n) {
ipsecstat.in_nomem++;
goto fail;
}
M_COPY_PKTHDR(n, m);
MH_ALIGN(n, off + sizeof(struct ipcomp));
n->m_len = off + sizeof(struct ipcomp);
@ -152,12 +153,12 @@ ipcomp4_input(m, va_alist)
cpi = ntohs(ipcomp->comp_cpi);
if (cpi >= IPCOMP_CPI_NEGOTIATE_MIN) {
sa = key_allocsa(AF_INET, (caddr_t)&ip->ip_src,
sav = key_allocsa(AF_INET, (caddr_t)&ip->ip_src,
(caddr_t)&ip->ip_dst, IPPROTO_IPCOMP, htonl(cpi));
if (sa != NULL
&& (sa->state == SADB_SASTATE_MATURE
|| sa->state == SADB_SASTATE_DYING)) {
cpi = sa->alg_enc; /*XXX*/
if (sav != NULL
&& (sav->state == SADB_SASTATE_MATURE
|| sav->state == SADB_SASTATE_DYING)) {
cpi = sav->alg_enc; /*XXX*/
/* other parameters to look at? */
}
}
@ -166,8 +167,8 @@ ipcomp4_input(m, va_alist)
else
algo = NULL;
if (!algo) {
printf("IPv4 IPComp input: unknown cpi %u; "
"dropping the packet for simplicity\n", cpi);
ipseclog((LOG_WARNING, "IPv4 IPComp input: unknown cpi %u\n",
cpi));
ipsecstat.in_nosa++;
goto fail;
}
@ -186,9 +187,14 @@ ipcomp4_input(m, va_alist)
newlen = m->m_pkthdr.len - off;
error = (*algo->decompress)(m, m->m_next, &newlen);
if (error != 0) {
if (error == EINVAL)
ipsecstat.in_inval++;
else if (error == ENOBUFS)
ipsecstat.in_nomem++;
m = NULL;
goto fail;
}
ipsecstat.in_comphist[cpi]++;
/*
* returning decompressed packet onto icmp is meaningless.
@ -224,10 +230,10 @@ ipcomp4_input(m, va_alist)
ip->ip_p = nxt;
}
if (sa) {
key_sa_recordxfer(sa, m);
key_freesa(sa);
sa = NULL;
if (sav) {
key_sa_recordxfer(sav, m);
key_freesav(sav);
sav = NULL;
}
if (nxt != IPPROTO_DONE)
@ -240,8 +246,8 @@ ipcomp4_input(m, va_alist)
return;
fail:
if (sa)
key_freesa(sa);
if (sav)
key_freesav(sav);
if (m)
m_freem(m);
return;
@ -264,7 +270,7 @@ ipcomp6_input(mp, offp, proto)
u_int16_t nxt;
int error;
size_t newlen;
struct secas *sa = NULL;
struct secasvar *sav = NULL;
m = *mp;
off = *offp;
@ -286,11 +292,13 @@ ipcomp6_input(mp, offp, proto)
break;
}
if (!n) {
printf("IPv6 IPComp input: wrong mbuf chain\n");
ipseclog((LOG_DEBUG, "IPv6 IPComp input: wrong mbuf chain\n"));
ipsecstat.in_inval++;
goto fail;
}
if (n->m_len < skip + sizeof(struct ipcomp)) {
printf("IPv6 IPComp input: wrong mbuf chain\n");
ipseclog((LOG_DEBUG, "IPv6 IPComp input: wrong mbuf chain\n"));
ipsecstat.in_inval++;
goto fail;
}
ip6 = mtod(m, struct ip6_hdr *);
@ -300,8 +308,10 @@ ipcomp6_input(mp, offp, proto)
/* split mbuf to ease the following steps*/
l = n->m_len - (skip + sizeof(struct ipcomp));
p = m_copym(n, skip + sizeof(struct ipcomp), l , M_DONTWAIT);
if (!p)
if (!p) {
ipsecstat.in_nomem++;
goto fail;
}
for (q = p; q && q->m_next; q = q->m_next)
;
q->m_next = n->m_next;
@ -316,12 +326,12 @@ ipcomp6_input(mp, offp, proto)
cpi = ntohs(ipcomp->comp_cpi);
if (cpi >= IPCOMP_CPI_NEGOTIATE_MIN) {
sa = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src,
sav = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src,
(caddr_t)&ip6->ip6_dst, IPPROTO_IPCOMP, htonl(cpi));
if (sa != NULL
&& (sa->state == SADB_SASTATE_MATURE
|| sa->state == SADB_SASTATE_DYING)) {
cpi = sa->alg_enc; /*XXX*/
if (sav != NULL
&& (sav->state == SADB_SASTATE_MATURE
|| sav->state == SADB_SASTATE_DYING)) {
cpi = sav->alg_enc; /*XXX*/
/* other parameters to look at? */
}
}
@ -330,8 +340,8 @@ ipcomp6_input(mp, offp, proto)
else
algo = NULL;
if (!algo) {
printf("IPv6 IPComp input: unknown cpi %u; "
"dropping the packet for simplicity\n", cpi);
ipseclog((LOG_WARNING, "IPv6 IPComp input: unknown cpi %u; "
"dropping the packet for simplicity\n", cpi));
ipsec6stat.in_nosa++;
goto fail;
}
@ -339,9 +349,14 @@ ipcomp6_input(mp, offp, proto)
newlen = m->m_pkthdr.len - off - sizeof(struct ipcomp);
error = (*algo->decompress)(m, md, &newlen);
if (error != 0) {
if (error == EINVAL)
ipsec6stat.in_inval++;
else if (error == ENOBUFS)
ipsec6stat.in_nomem++;
m = NULL;
goto fail;
}
ipsec6stat.in_comphist[cpi]++;
m->m_pkthdr.len = off + sizeof(struct ipcomp) + newlen;
/*
@ -367,10 +382,10 @@ ipcomp6_input(mp, offp, proto)
ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
}
if (sa) {
key_sa_recordxfer(sa, m);
key_freesa(sa);
sa = NULL;
if (sav) {
key_sa_recordxfer(sav, m);
key_freesav(sav);
sav = NULL;
}
*offp = off;
*mp = m;
@ -380,8 +395,8 @@ ipcomp6_input(mp, offp, proto)
fail:
if (m)
m_freem(m);
if (sa)
key_freesa(sa);
if (sav)
key_freesav(sav);
return IPPROTO_DONE;
}
#endif /* INET6 */

View File

@ -1,4 +1,4 @@
/* $NetBSD: ipcomp_output.c,v 1.7 2000/01/06 15:46:10 itojun Exp $ */
/* $NetBSD: ipcomp_output.c,v 1.8 2000/01/31 14:19:05 itojun Exp $ */
/*
* Copyright (C) 1999 WIDE Project.
@ -62,7 +62,6 @@
#ifdef INET6
#include <netinet6/ip6.h>
#include <netinet6/in6_pcb.h>
#include <netinet6/ip6_var.h>
#endif
#include <netinet6/ipcomp.h>
@ -74,9 +73,7 @@
#include <machine/stdarg.h>
#ifdef __NetBSD__
#define ovbcopy bcopy
#endif
#include <net/net_osdep.h>
static int ipcomp_output __P((struct mbuf *, u_char *, struct mbuf *,
struct ipsecrequest *, int));
@ -111,7 +108,7 @@ ipcomp_output(m, nexthdrp, md, isr, af)
struct mbuf *md0;
struct mbuf *mprev;
struct ipcomp *ipcomp;
struct secas *sa = isr->sa;
struct secasvar *sav = isr->sav;
struct ipcomp_algorithm *algo;
u_int16_t cpi; /* host order */
size_t plen0, plen; /*payload length to be compressed*/
@ -131,22 +128,22 @@ ipcomp_output(m, nexthdrp, md, isr, af)
break;
#endif
default:
printf("ipcomp_output: unsupported af %d\n", af);
ipseclog((LOG_ERR, "ipcomp_output: unsupported af %d\n", af));
return 0; /* no change at all */
}
/* grab parameters */
if ((ntohl(sa->spi) & ~0xffff) != 0 || sa->alg_enc >= IPCOMP_MAX
|| ipcomp_algorithms[sa->alg_enc].compress == NULL) {
if ((ntohl(sav->spi) & ~0xffff) != 0 || sav->alg_enc >= IPCOMP_MAX
|| ipcomp_algorithms[sav->alg_enc].compress == NULL) {
ipsecstat.out_inval++;
m_freem(m);
return EINVAL;
}
if ((sa->flags & SADB_X_EXT_RAWCPI) == 0)
cpi = sa->alg_enc;
if ((sav->flags & SADB_X_EXT_RAWCPI) == 0)
cpi = sav->alg_enc;
else
cpi = ntohl(sa->spi) & 0xffff;
algo = &ipcomp_algorithms[sa->alg_enc]; /*XXX*/
cpi = ntohl(sav->spi) & 0xffff;
algo = &ipcomp_algorithms[sav->alg_enc]; /*XXX*/
/* compute original payload length */
plen = 0;
@ -172,7 +169,20 @@ ipcomp_output(m, nexthdrp, md, isr, af)
for (mprev = m; mprev && mprev->m_next != md; mprev = mprev->m_next)
;
if (mprev == NULL || mprev->m_next != md) {
printf("ipcomp%d_output: md is not in chain\n", afnumber);
ipseclog((LOG_DEBUG, "ipcomp%d_output: md is not in chain\n",
afnumber));
switch (af) {
#ifdef INET
case AF_INET:
ipsecstat.out_inval++;
break;
#endif
#ifdef INET6
case AF_INET6:
ipsec6stat.out_inval++;
break;
#endif
}
m_freem(m);
m_freem(md0);
return EINVAL;
@ -188,7 +198,7 @@ ipcomp_output(m, nexthdrp, md, isr, af)
/* compress data part */
if ((*algo->compress)(m, md, &plen) || mprev->m_next == NULL) {
printf("packet compression failure\n");
ipseclog((LOG_ERR, "packet compression failure\n"));
m = NULL;
m_freem(md0);
switch (af) {
@ -206,6 +216,18 @@ ipcomp_output(m, nexthdrp, md, isr, af)
error = EINVAL;
goto fail;
}
switch (af) {
#ifdef INET
case AF_INET:
ipsecstat.out_comphist[sav->alg_enc]++;
break;
#endif
#ifdef INET6
case AF_INET6:
ipsec6stat.out_comphist[sav->alg_enc]++;
break;
#endif
}
md = mprev->m_next;
/*
@ -292,7 +314,8 @@ ipcomp_output(m, nexthdrp, md, isr, af)
if (compoff + complen + plen < IP_MAXPACKET)
ip->ip_len = htons(compoff + complen + plen);
else {
printf("IPv4 ESP output: size exceeds limit\n");
ipseclog((LOG_ERR,
"IPv4 ESP output: size exceeds limit\n"));
ipsecstat.out_inval++;
m_freem(m);
error = EMSGSIZE;
@ -309,8 +332,21 @@ ipcomp_output(m, nexthdrp, md, isr, af)
}
if (!m) {
printf("NULL mbuf after compression in ipcomp%d_output",
afnumber);
ipseclog((LOG_DEBUG,
"NULL mbuf after compression in ipcomp%d_output",
afnumber));
switch (af) {
#ifdef INET
case AF_INET:
ipsecstat.out_inval++;
break;
#endif
#ifdef INET6
case AF_INET6:
ipsec6stat.out_inval++;
break;
#endif
}
} else {
switch (af) {
#ifdef INET
@ -329,17 +365,17 @@ ipcomp_output(m, nexthdrp, md, isr, af)
switch (af) {
#ifdef INET
case AF_INET:
ipsecstat.out_esphist[sa->alg_enc]++;
ipsecstat.out_esphist[sav->alg_enc]++;
break;
#endif
#ifdef INET6
case AF_INET6:
ipsec6stat.out_esphist[sa->alg_enc]++;
ipsec6stat.out_esphist[sav->alg_enc]++;
break;
#endif
}
#endif
key_sa_recordxfer(sa, m);
key_sa_recordxfer(sav, m);
return 0;
fail:
@ -358,7 +394,8 @@ ipcomp4_output(m, isr)
{
struct ip *ip;
if (m->m_len < sizeof(struct ip)) {
printf("ipcomp4_output: first mbuf too short\n");
ipseclog((LOG_DEBUG, "ipcomp4_output: first mbuf too short\n"));
ipsecstat.out_inval++;
m_freem(m);
return NULL;
}
@ -377,7 +414,8 @@ ipcomp6_output(m, nexthdrp, md, isr)
struct ipsecrequest *isr;
{
if (m->m_len < sizeof(struct ip6_hdr)) {
printf("ipcomp6_output: first mbuf too short\n");
ipseclog((LOG_DEBUG, "ipcomp6_output: first mbuf too short\n"));
ipsec6stat.out_inval++;
m_freem(m);
return NULL;
}

File diff suppressed because it is too large Load Diff

View File

@ -1,4 +1,4 @@
/* $NetBSD: ipsec.h,v 1.8 2000/01/06 15:46:10 itojun Exp $ */
/* $NetBSD: ipsec.h,v 1.9 2000/01/31 14:19:06 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -45,16 +45,35 @@
#ifdef _KERNEL
/*
* Security Policy Index
* NOTE: Encure to be same address family and upper layer protocol.
* NOTE: ul_proto, port number, uid, gid:
* ANY: reserved for waldcard.
* 0 to (~0 - 1): is one of the number of each value.
*/
struct secpolicyindex {
u_int8_t dir; /* direction of packet flow, see blow */
struct sockaddr_storage src; /* IP src address for SP */
struct sockaddr_storage dst; /* IP dst address for SP */
u_int8_t prefs; /* prefix length in bits for src */
u_int8_t prefd; /* prefix length in bits for dst */
u_int16_t ul_proto; /* upper layer Protocol */
#ifdef notyet
uid_t uids;
uid_t uidd;
gid_t gids;
gid_t gidd;
#endif
};
/* Security Policy Data Base */
struct secpolicy {
struct secpolicy *next;
struct secpolicy *prev;
struct keytree *spt; /* back pointer to the top of SPD */
LIST_ENTRY(secpolicy) chain;
struct secindex idx; /* index */
int refcnt; /* reference count */
u_int state; /* 0: dead, others: alive */
int refcnt; /* reference count */
struct secpolicyindex spidx; /* selector */
u_int state; /* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD 0
#define IPSEC_SPSTATE_ALIVE 1
@ -68,22 +87,44 @@ struct secpolicy {
struct ipsecrequest {
struct ipsecrequest *next;
/* pointer to next structure */
/* If 0, it means end of chain. */
u_int proto; /* IPPROTO_ESP or IPPROTO_AH */
u_int mode; /* mode for security protocol, see below. */
/* If NULL, it means the end of chain. */
struct secasindex saidx;/* hint for search proper SA */
/* if __ss_len == 0 then no address specified.*/
u_int level; /* IPsec level defined below. */
struct sockaddr *proxy; /* Destination address in Outer IP header. */
/* If mode == TRANSPORT, it must be set NULL. */
struct secas *sa; /* place holder for the security association */
struct secasvar *sav; /* place holder of SA for use */
struct secpolicy *sp; /* back pointer to SP */
};
/* security policy in PCB */
struct inpcbpolicy {
struct secpolicy *sp_in;
struct secpolicy *sp_out;
int priv; /* privileged socket ? */
};
#endif /*_KERNEL*/
#define IPSEC_MODE_TRANSPORT 0
#define IPSEC_MODE_TUNNEL 1
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY 0
#define IPSEC_ULPROTO_ANY 255
#define IPSEC_PROTO_ANY 255
/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
#define IPSEC_MODE_TRANSPORT 1
#define IPSEC_MODE_TUNNEL 2
/*
* Direction of security policy.
* NOTE: Since INVALID is used just as flag.
* The other are used for loop counter too.
*/
#define IPSEC_DIR_ANY 0
#define IPSEC_DIR_INBOUND 1
#define IPSEC_DIR_OUTBOUND 2
#define IPSEC_DIR_MAX 3
#define IPSEC_DIR_INVALID 4
/* Policy level */
/*
@ -101,15 +142,29 @@ struct ipsecrequest {
#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
#define IPSEC_LEVEL_USE 1 /* use SA if present. */
#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
#define IPSEC_MANUAL_REQID_MAX 0x3fff
/*
* if security policy level == unique, this id
* indicate to a relative SA for use, else is
* zero.
* 1 - 0x3fff are reserved for manual keying.
* 0 are reserved for above reason. Others is
* for kernel use.
* Note that this id doesn't identify SA
* by only itself.
*/
#define IPSEC_REPLAYWSIZE 32
/* statistics for ipsec processing */
struct ipsecstat {
u_quad_t in_success; /* succeeded inbound process */
u_quad_t in_polvio; /* security policy violation for inbound process */
u_quad_t in_nosa; /* inbound SA is unavailable */
u_quad_t in_inval; /* inbound processing failed due to EINVAL */
u_quad_t in_success; /* succeeded inbound process */
u_quad_t in_polvio;
/* security policy violation for inbound process */
u_quad_t in_nosa; /* inbound SA is unavailable */
u_quad_t in_inval; /* inbound processing failed due to EINVAL */
u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
u_quad_t in_badspi; /* failed getting a SPI */
u_quad_t in_ahreplay; /* AH replay check failed */
u_quad_t in_espreplay; /* ESP replay check failed */
@ -117,15 +172,19 @@ struct ipsecstat {
u_quad_t in_ahauthfail; /* AH authentication failure */
u_quad_t in_espauthsucc; /* ESP authentication success */
u_quad_t in_espauthfail; /* ESP authentication failure */
u_quad_t in_esphist[SADB_EALG_MAX];
u_quad_t in_ahhist[SADB_AALG_MAX];
u_quad_t in_esphist[256];
u_quad_t in_ahhist[256];
u_quad_t in_comphist[256];
u_quad_t out_success; /* succeeded outbound process */
u_quad_t out_polvio; /* security policy violation for outbound process */
u_quad_t out_polvio;
/* security policy violation for outbound process */
u_quad_t out_nosa; /* outbound SA is unavailable */
u_quad_t out_inval; /* outbound process failed due to EINVAL */
u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
u_quad_t out_noroute; /* there is no route */
u_quad_t out_esphist[SADB_EALG_MAX];
u_quad_t out_ahhist[SADB_AALG_MAX];
u_quad_t out_esphist[256];
u_quad_t out_ahhist[256];
u_quad_t out_comphist[256];
};
/*
@ -145,7 +204,8 @@ struct ipsecstat {
#define IPSECCTL_AH_OFFSETMASK 9
#define IPSECCTL_DFBIT 10
#define IPSECCTL_ECN 11
#define IPSECCTL_MAXID 12
#define IPSECCTL_DEBUG 12
#define IPSECCTL_MAXID 13
#define IPSECCTL_NAMES { \
{ 0, 0 }, \
@ -160,6 +220,7 @@ struct ipsecstat {
{ "ah_offsetmask", CTLTYPE_INT }, \
{ "dfbit", CTLTYPE_INT }, \
{ "ecn", CTLTYPE_INT }, \
{ "debug", CTLTYPE_INT }, \
}
#define IPSEC6CTL_NAMES { \
@ -175,6 +236,7 @@ struct ipsecstat {
{ 0, 0 }, \
{ 0, 0 }, \
{ "ecn", CTLTYPE_INT }, \
{ "debug", CTLTYPE_INT }, \
}
#define IPSECCTL_VARS { \
@ -190,6 +252,7 @@ struct ipsecstat {
&ip4_ah_offsetmask, \
&ip4_ipsec_dfbit, \
&ip4_ipsec_ecn, \
&ipsec_debug, \
}
#define IPSEC6CTL_VARS { \
@ -205,6 +268,7 @@ struct ipsecstat {
0, \
0, \
&ip6_ipsec_ecn, \
&ipsec_debug, \
}
#ifdef _KERNEL
@ -214,6 +278,9 @@ struct ipsec_output_state {
struct sockaddr *dst;
};
extern int ipsec_debug;
#ifdef INET
extern struct ipsecstat ipsecstat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
@ -225,6 +292,7 @@ extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
#endif
#ifdef INET6
extern struct ipsecstat ipsec6stat;
@ -237,54 +305,61 @@ extern int ip6_inbound_call_ike;
extern int ip6_ipsec_ecn;
#endif
#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
extern struct secpolicy *ipsec4_getpolicybysock
__P((struct mbuf *, struct socket *, int *));
__P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec4_getpolicybyaddr
__P((struct mbuf *, int, int *));
__P((struct mbuf *, u_int, int, int *));
#ifdef INET6
extern struct secpolicy *ipsec6_getpolicybysock
__P((struct mbuf *, struct socket *, int *));
__P((struct mbuf *, u_int, struct socket *, int *));
extern struct secpolicy *ipsec6_getpolicybyaddr
__P((struct mbuf *, int, int *));
__P((struct mbuf *, u_int, int, int *));
#endif /*INET6*/
struct inpcb;
#ifdef INET6
struct in6pcb;
#endif
extern int ipsec_init_policy __P((struct secpolicy **));
extern struct secpolicy *ipsec_copy_policy __P((struct secpolicy *));
extern int ipsec_set_policy __P((struct secpolicy **, int, caddr_t, int, int));
extern int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
#ifdef INET6
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
#endif
extern int ipsec_init_policy __P((struct socket *so, struct inpcbpolicy **));
extern int ipsec_copy_policy
__P((struct inpcbpolicy *, struct inpcbpolicy *));
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *));
extern int ipsec4_set_policy __P((struct inpcb *inp, int optname,
caddr_t request, size_t len, int priv));
extern int ipsec4_get_policy __P((struct inpcb *inpcb, caddr_t request,
size_t len, struct mbuf **mp));
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec4_in_reject_so __P((struct mbuf *, struct socket *));
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
#ifdef INET6
extern int ipsec6_in_reject_so __P((struct mbuf *, struct socket *));
extern int ipsec6_delete_pcbpolicy __P((struct in6pcb *));
extern int ipsec6_set_policy __P((struct in6pcb *in6p, int optname,
caddr_t request, size_t len, int priv));
extern int ipsec6_get_policy __P((struct in6pcb *in6p, caddr_t request,
size_t len, struct mbuf **mp));
extern int ipsec6_in_reject __P((struct mbuf *, struct in6pcb *));
#endif /*INET6*/
struct secas;
struct tcpcb;
struct tcp6cb;
extern int ipsec_chkreplay __P((u_int32_t, struct secas *));
extern int ipsec_updatereplay __P((u_int32_t, struct secas *));
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
extern size_t ipsec4_hdrsiz __P((struct mbuf *, struct inpcb *));
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
extern size_t ipsec4_hdrsiz_tcp __P((struct tcpcb *));
#ifdef INET6
extern size_t ipsec6_hdrsiz __P((struct mbuf *, struct in6pcb *));
#ifdef TCP6
extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));
#else
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct in6pcb *));
#ifndef TCP6
extern size_t ipsec6_hdrsiz_tcp __P((struct tcpcb *));
#else
extern size_t ipsec6_hdrsiz_tcp __P((struct tcp6cb *));
#endif
#endif
@ -296,7 +371,7 @@ extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
#ifdef INET6
extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
#endif
extern const char *ipsec_logsastr __P((struct secas *));
extern const char *ipsec_logsastr __P((struct secasvar *));
extern void ipsec_dumpmbuf __P((struct mbuf *));
@ -308,10 +383,10 @@ extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
struct secpolicy *, int));
#endif
extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secas *));
extern int ipsec4_tunnel_validate __P((struct ip *, u_int, struct secasvar *));
#ifdef INET6
extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int,
struct secas *));
struct secasvar *));
#endif
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
@ -321,11 +396,11 @@ extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
#endif /*_KERNEL*/
#ifndef _KERNEL
extern int ipsec_get_policylen(char *reqstr);
extern int ipsec_set_policy(char *buf, int len, char *reqstr);
extern char *ipsec_dump_policy(char *buf, char *delimiter);
extern caddr_t ipsec_set_policy __P((char *, int));
extern int ipsec_get_policylen __P((caddr_t));
extern char *ipsec_dump_policy __P((caddr_t, char *));
extern char *ipsec_strerror(void);
extern char *ipsec_strerror __P((void));
#endif /*!_KERNEL*/
#endif /*_NETINET6_IPSEC_H_*/

View File

@ -1,4 +1,4 @@
/* $NetBSD: raw_ip6.c,v 1.15 2000/01/06 15:46:11 itojun Exp $ */
/* $NetBSD: raw_ip6.c,v 1.16 2000/01/31 14:19:06 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -513,7 +513,7 @@ rip6_usrreq(so, req, m, nam, control, p)
in6p->in6p_ip6.ip6_nxt = (long)nam;
in6p->in6p_cksum = -1;
#ifdef IPSEC
error = ipsec_init_policy(&in6p->in6p_sp);
error = ipsec_init_policy(so, &in6p->in6p_sp);
if (error != 0) {
in6_pcbdetach(in6p);
break;

View File

@ -1,4 +1,4 @@
/* $NetBSD: udp6_usrreq.c,v 1.18 2000/01/31 10:39:27 itojun Exp $ */
/* $NetBSD: udp6_usrreq.c,v 1.19 2000/01/31 14:19:07 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -825,7 +825,7 @@ udp6_usrreq(so, req, m, addr6, control, p)
in6p = sotoin6pcb(so);
in6p->in6p_cksum = -1; /* just to be sure */
#ifdef IPSEC
error = ipsec_init_policy(&in6p->in6p_sp);
error = ipsec_init_policy(so, &in6p->in6p_sp);
if (error != 0) {
in6_pcbdetach(in6p);
break;

File diff suppressed because it is too large Load Diff

View File

@ -1,4 +1,4 @@
/* $NetBSD: key.h,v 1.4 1999/07/06 12:23:23 itojun Exp $ */
/* $NetBSD: key.h,v 1.5 2000/01/31 14:19:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,57 +29,49 @@
* SUCH DAMAGE.
*/
/* KAME Id: key.h,v 1.1.6.1.6.1 1999/05/17 17:03:14 itojun Exp */
/* KAME Id: key.h,v 1.8 2000/01/29 06:21:01 itojun Exp */
#ifndef _NETKEY_KEY_H_
#define _NETKEY_KEY_H_
#ifdef __NetBSD__
# ifdef _KERNEL
# define KERNEL
# endif
#endif
#if defined(KERNEL)
#ifdef _KERNEL
extern struct key_cb key_cb;
struct sadb_address;
struct secindex;
struct secas;
struct secpolicy;
struct secpolicyindex;
struct ipsecrequest;
struct secasvar;
struct sockaddr;
struct socket;
struct secexpire;
struct sadb_msg;
struct sadb_x_policy;
struct ipsecrequest;
extern struct secpolicy *key_allocsp __P((struct secindex *));
#if 0
extern int key_checkpolicy __P((struct secpolicy *));
#endif
extern int key_checkrequest __P((struct ipsecrequest *));
extern struct secas *key_allocsa __P((u_int, caddr_t, caddr_t, u_int, u_int));
extern void key_freesp __P((struct secpolicy *));
extern void key_freeso __P((struct socket *));
extern void key_freesa __P((struct secas *));
extern struct secpolicy *key_allocsp __P((struct secpolicyindex *spidx,
u_int dir));
extern int key_checkrequest
__P((struct ipsecrequest *isr, struct secasindex *saidx));
extern struct secasvar *key_allocsa __P((u_int family, caddr_t src, caddr_t dst,
u_int proto, u_int32_t spi));
extern void key_freesp __P((struct secpolicy *sp));
extern void key_freeso __P((struct socket *so));
extern void key_freesav __P((struct secasvar *sav));
extern struct secpolicy *key_newsp __P((void));
extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *));
extern struct sadb_x_policy *key_sp2msg __P((struct secpolicy *));
extern int key_setsecidx __P((struct sadb_address *, struct sadb_address *,
struct secindex *, int));
extern void key_delsecidx __P((struct secindex *));
extern int key_setexptime __P((struct secas *));
extern struct secpolicy *key_msg2sp __P((struct sadb_x_policy *xpl0,
size_t len, int *error));
extern struct mbuf *key_sp2msg __P((struct secpolicy *sp));
extern int key_ismyaddr __P((u_int family, caddr_t addr));
extern void key_timehandler __P((void));
extern void key_srandom __P((void));
extern int key_ismyaddr __P((u_int, caddr_t));
extern void key_freereg __P((struct socket *));
extern int key_parse __P((struct sadb_msg **, struct socket *, int *));
extern void key_freereg __P((struct socket *so));
extern int key_parse __P((struct sadb_msg **msgp, struct socket *so,
int *targetp));
extern void key_init __P((void));
extern int key_checktunnelsanity __P((struct secas *, u_int, caddr_t, caddr_t));
extern void key_sa_recordxfer __P((struct secas *, struct mbuf *));
extern void key_sa_routechange __P((struct sockaddr *));
extern int key_checktunnelsanity __P((struct secasvar *sav, u_int family,
caddr_t src, caddr_t dst));
extern void key_sa_recordxfer __P((struct secasvar *sav, struct mbuf *m));
extern void key_sa_routechange __P((struct sockaddr *dst));
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_SECA);
#endif /* MALLOC_DECLARE */
@ -88,7 +80,5 @@ MALLOC_DECLARE(M_SECA);
extern int key_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
#endif
#endif /* defined(KERNEL) */
#endif /* defined(_KERNEL) */
#endif /* _NETKEY_KEY_H_ */

View File

@ -1,4 +1,4 @@
/* $NetBSD: key_debug.c,v 1.7 1999/07/06 12:23:26 itojun Exp $ */
/* $NetBSD: key_debug.c,v 1.8 2000/01/31 14:19:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,21 +29,15 @@
* SUCH DAMAGE.
*/
/* KAME Id: key_debug.c,v 1.1.6.2.4.3 1999/07/06 12:05:13 itojun Exp */
/* KAME Id: key_debug.c,v 1.10 2000/01/29 06:21:01 itojun Exp */
#ifdef _KERNEL
# define KERNEL
#endif
#ifdef KERNEL
#if (defined(__FreeBSD__) && __FreeBSD__ >= 3) || defined(__NetBSD__)
#include "opt_inet.h"
#endif
#endif
#include <sys/types.h>
#include <sys/param.h>
#ifdef KERNEL
#ifdef _KERNEL
#include <sys/systm.h>
#include <sys/mbuf.h>
#endif
@ -58,19 +52,13 @@
#include <netinet6/in6.h>
#include <netinet6/ipsec.h>
#if !defined(KERNEL)
#ifndef _KERNEL
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#endif /* defined(KERNEL) */
#endif /* !_KERNEL */
#if !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))
#ifdef __NetBSD__
# ifdef _KERNEL
# define KERNEL
# endif
#endif
#if !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG))
static void kdebug_sadb_prop __P((struct sadb_ext *));
static void kdebug_sadb_identity __P((struct sadb_ext *));
@ -80,11 +68,11 @@ static void kdebug_sadb_sa __P((struct sadb_ext *));
static void kdebug_sadb_address __P((struct sadb_ext *));
static void kdebug_sadb_key __P((struct sadb_ext *));
#ifdef KERNEL
#ifdef _KERNEL
static void kdebug_secreplay __P((struct secreplay *));
#endif
#ifndef KERNEL
#ifndef _KERNEL
#define panic(param) { printf(param); exit(-1); }
#endif
@ -105,9 +93,11 @@ kdebug_sadb(base)
printf("sadb_msg{ version=%u type=%u errno=%u satype=%u\n",
base->sadb_msg_version, base->sadb_msg_type,
base->sadb_msg_errno, base->sadb_msg_satype);
printf(" len=%u reserved=%u seq=%u pid=%u }\n",
base->sadb_msg_len, base->sadb_msg_reserved,
base->sadb_msg_seq, base->sadb_msg_pid);
printf(" len=%u mode=%u seq=%u pid=%u reqid=%u\n",
base->sadb_msg_len, base->sadb_msg_mode,
base->sadb_msg_seq, base->sadb_msg_pid, base->sadb_msg_reqid);
printf(" reserved1=%u reserved2=%u\n",
base->sadb_msg_reserved1, base->sadb_msg_reserved2);
tlen = PFKEY_UNUNIT64(base->sadb_msg_len) - sizeof(struct sadb_msg);
ext = (struct sadb_ext *)((caddr_t)base + sizeof(struct sadb_msg));
@ -120,6 +110,10 @@ kdebug_sadb(base)
printf("kdebug_sadb: invalid ext_len=0 was passed.\n");
return;
}
if (ext->sadb_ext_len > tlen) {
printf("kdebug_sadb: ext_len exceeds end of buffer.\n");
return;
}
switch (ext->sadb_ext_type) {
case SADB_EXT_SA:
@ -228,6 +222,7 @@ kdebug_sadb_identity(ext)
{
struct sadb_ident *id = (struct sadb_ident *)ext;
int len;
union sadb_x_ident_id *aid;
/* sanity check */
if (ext == NULL)
@ -236,25 +231,40 @@ kdebug_sadb_identity(ext)
len = PFKEY_UNUNIT64(id->sadb_ident_len) - sizeof(*id);
printf("sadb_ident_%s{",
id->sadb_ident_exttype == SADB_EXT_IDENTITY_SRC ? "src" : "dst");
printf(" type=%d id=%lu",
id->sadb_ident_type, (u_long)id->sadb_ident_id);
if (len) {
#ifdef KERNEL
ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
switch (id->sadb_ident_type) {
case SADB_X_IDENTTYPE_ADDR:
aid = (union sadb_x_ident_id *)&id->sadb_ident_id;
printf(" type=%d prefix=%u ul_proto=%u\n",
id->sadb_ident_type,
aid->sadb_x_ident_id_addr.prefix,
aid->sadb_x_ident_id_addr.ul_proto);
kdebug_sockaddr((struct sockaddr *)(id + 1));
break;
default:
printf(" type=%d id=%lu",
id->sadb_ident_type, (u_long)id->sadb_ident_id);
if (len) {
#ifdef _KERNEL
ipsec_hexdump((caddr_t)(id + 1), len); /*XXX cast ?*/
#else
char *p, *ep;
printf("\n str=\"");
p = (char *)(id + 1);
ep = p + len;
for (/*nothing*/; *p && p < ep; p++) {
if (isprint(*p))
printf("%c", *p & 0xff);
else
printf("\\%03o", *p & 0xff);
}
char *p, *ep;
printf("\n str=\"");
p = (char *)(id + 1);
ep = p + len;
for (/*nothing*/; *p && p < ep; p++) {
if (isprint(*p))
printf("%c", *p & 0xff);
else
printf("\\%03o", *p & 0xff);
}
#endif
printf("\"");
printf("\"");
}
break;
}
printf(" }\n");
return;
@ -356,7 +366,7 @@ kdebug_sadb_key(ext)
if (ext == NULL)
panic("kdebug_sadb_key: NULL pointer was passed.\n");
printf("sadb_key{ bits=%u reserved=%u }\n",
printf("sadb_key{ bits=%u reserved=%u\n",
key->sadb_key_bits, key->sadb_key_reserved);
printf(" key=");
@ -379,72 +389,66 @@ kdebug_sadb_x_policy(ext)
struct sadb_ext *ext;
{
struct sadb_x_policy *xpl = (struct sadb_x_policy *)ext;
struct sockaddr *addr;
/* sanity check */
if (ext == NULL)
panic("kdebug_sadb_x_policy: NULL pointer was passed.\n");
printf("sadb_x_policy{ type=%u reserved=%x }\n",
xpl->sadb_x_policy_type, xpl->sadb_x_policy_reserved);
printf("sadb_x_policy{ type=%u dir=%u reserved=%x }\n",
xpl->sadb_x_policy_type, xpl->sadb_x_policy_dir,
xpl->sadb_x_policy_reserved);
if (xpl->sadb_x_policy_type == IPSEC_POLICY_IPSEC) {
int tlen;
struct sadb_x_ipsecrequest *xisr;
int xxx_len; /* for sanity check */
tlen = PFKEY_UNUNIT64(xpl->sadb_x_policy_len) - sizeof(*xpl);
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xpl
+ sizeof(*xpl));
xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
while (tlen > 0) {
printf(" { len=%u proto=%u mode=%u level=%u",
printf(" { len=%u proto=%u mode=%u level=%u reqid=%u\n",
xisr->sadb_x_ipsecrequest_len,
xisr->sadb_x_ipsecrequest_proto,
xisr->sadb_x_ipsecrequest_mode,
xisr->sadb_x_ipsecrequest_level);
xisr->sadb_x_ipsecrequest_level,
xisr->sadb_x_ipsecrequest_reqid);
xxx_len = sizeof(*xisr);
/* tunnel mode ? */
if (xisr->sadb_x_ipsecrequest_mode ==IPSEC_MODE_TUNNEL){
struct sockaddr *addr
= (struct sockaddr *)((caddr_t)xisr
+ sizeof(*xisr));
printf("\n");
xxx_len += PFKEY_ALIGN8(addr->sa_len);
if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
addr = (struct sockaddr *)(xisr + 1);
kdebug_sockaddr(addr);
} else
printf(" }\n");
addr = (struct sockaddr *)((caddr_t)addr
+ addr->sa_len);
kdebug_sockaddr(addr);
}
/* sanity check */
if (xisr->sadb_x_ipsecrequest_len != xxx_len) {
printf("kdebug_sadb_x_policy: "
"Invalid request length, "
"reqlen:%d real:%d\n",
xisr->sadb_x_ipsecrequest_len,
xxx_len);
printf(" }\n");
/* prevent infinite loop */
if (xisr->sadb_x_ipsecrequest_len <= 0) {
printf("kdebug_sadb_x_policy: wrong policy struct.\n");
return;
}
/* prevent overflow */
if (xisr->sadb_x_ipsecrequest_len > tlen) {
printf("invalid ipsec policy length\n");
return;
}
tlen -= xisr->sadb_x_ipsecrequest_len;
/* sanity check */
if (tlen < 0) {
printf("kdebug_sadb_x_policy: "
"becoming tlen < 0.\n");
return;
}
xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
+ xisr->sadb_x_ipsecrequest_len);
}
if (tlen != 0)
panic("kdebug_sadb_x_policy: wrong policy struct.\n");
}
return;
}
#ifdef KERNEL
#ifdef _KERNEL
/* %%%: about SPD and SAD */
void
kdebug_secpolicy(sp)
@ -457,7 +461,7 @@ kdebug_secpolicy(sp)
printf("secpolicy{ refcnt=%u state=%u policy=%u\n",
sp->refcnt, sp->state, sp->policy);
kdebug_secindex(&sp->idx);
kdebug_secpolicyindex(&sp->spidx);
switch (sp->policy) {
case IPSEC_POLICY_DISCARD:
@ -471,22 +475,11 @@ kdebug_secpolicy(sp)
struct ipsecrequest *isr;
for (isr = sp->req; isr != NULL; isr = isr->next) {
printf(" proto=%u mode=%u level=%u\n",
isr->proto, isr->mode, isr->level);
printf(" level=%u\n", isr->level);
kdebug_secasindex(&isr->saidx);
if (isr->mode == IPSEC_MODE_TUNNEL) {
/* sanity check */
if (isr->proxy == NULL) {
printf("kdebug_secpolicy: "
"Specified tunnel mode, "
"but proxy points to NULL.\n");
continue;
}
kdebug_sockaddr(isr->proxy);
}
if (isr->sa != NULL)
kdebug_secas(isr->sa);
if (isr->sav != NULL)
kdebug_secasv(isr->sav);
}
printf(" }\n");
}
@ -507,65 +500,85 @@ kdebug_secpolicy(sp)
}
void
kdebug_secindex(idx)
struct secindex *idx;
kdebug_secpolicyindex(spidx)
struct secpolicyindex *spidx;
{
/* sanity check */
if (idx == NULL)
panic("kdebug_secindex: NULL pointer was passed.\n");
if (spidx == NULL)
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
printf("secindex{ family=%u prefs=%u prefd=%d\n",
idx->family, idx->prefs, idx->prefd);
printf("secpolicyindex{ dir=%u prefs=%u prefd=%u ul_proto=%u\n",
spidx->dir, spidx->prefs, spidx->prefd, spidx->ul_proto);
ipsec_hexdump((caddr_t)&idx->src, _INALENBYAF(idx->family));
ipsec_hexdump((caddr_t)&spidx->src,
((struct sockaddr *)&spidx->src)->sa_len);
printf("\n");
ipsec_hexdump((caddr_t)&idx->dst, _INALENBYAF(idx->family));
printf("\n");
printf(" proto=%u ports=%u portd=%d }\n",
idx->proto, ntohs(idx->ports), ntohs(idx->portd));
ipsec_hexdump((caddr_t)&spidx->dst,
((struct sockaddr *)&spidx->dst)->sa_len);
printf("}\n");
return;
}
void
kdebug_secas(sa)
struct secas *sa;
kdebug_secasindex(saidx)
struct secasindex *saidx;
{
/* sanity check */
if (sa == NULL)
panic("kdebug_secas: NULL pointer was passed.\n");
if (saidx == NULL)
panic("kdebug_secpolicyindex: NULL pointer was passed.\n");
printf("secasindex{ mode=%u proto=%u\n",
saidx->mode, saidx->proto);
ipsec_hexdump((caddr_t)&saidx->src,
((struct sockaddr *)&saidx->src)->sa_len);
printf("\n");
ipsec_hexdump((caddr_t)&saidx->dst,
((struct sockaddr *)&saidx->dst)->sa_len);
printf("\n");
return;
}
void
kdebug_secasv(sav)
struct secasvar *sav;
{
/* sanity check */
if (sav == NULL)
panic("kdebug_secasv: NULL pointer was passed.\n");
printf("secas{");
kdebug_secindex(&sa->saidx->idx);
kdebug_secasindex(&sav->sah->saidx);
printf(" refcnt=%u state=%u type=%u auth=%u enc=%u\n",
sa->refcnt, sa->state, sa->type, sa->alg_auth, sa->alg_enc);
printf(" spi=%lu flags=%u\n", (unsigned long) ntohl(sa->spi),
sa->flags);
printf(" refcnt=%u state=%u auth=%u enc=%u\n",
sav->refcnt, sav->state, sav->alg_auth, sav->alg_enc);
printf(" spi=%u flags=%u\n",
(u_int32_t)ntohl(sav->spi), sav->flags);
if (sa->key_auth != NULL)
kdebug_sadb_key((struct sadb_ext *)sa->key_auth);
if (sa->key_enc != NULL)
kdebug_sadb_key((struct sadb_ext *)sa->key_enc);
if (sa->iv != NULL) {
ipsec_hexdump(sa->iv, sa->ivlen ? sa->ivlen : 8);
if (sav->key_auth != NULL)
kdebug_sadb_key((struct sadb_ext *)sav->key_auth);
if (sav->key_enc != NULL)
kdebug_sadb_key((struct sadb_ext *)sav->key_enc);
if (sav->iv != NULL) {
printf(" iv=");
ipsec_hexdump(sav->iv, sav->ivlen ? sav->ivlen : 8);
printf("\n");
}
if (sa->proxy != NULL) {
kdebug_sockaddr(sa->proxy);
printf("\n");
}
if (sa->replay != NULL)
kdebug_secreplay(sa->replay);
if (sa->lft_c != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_c);
if (sa->lft_h != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_h);
if (sa->lft_s != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sa->lft_s);
if (sav->replay != NULL)
kdebug_secreplay(sav->replay);
if (sav->lft_c != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_c);
if (sav->lft_h != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_h);
if (sav->lft_s != NULL)
kdebug_sadb_lifetime((struct sadb_ext *)sav->lft_s);
#if notyet
/* XXX: misc[123] ? */
#endif
return;
}
@ -617,14 +630,6 @@ kdebug_mbufhdr(m)
m->m_pkthdr.len, m->m_pkthdr.rcvif);
}
#ifdef __FreeBSD__
if (m->m_flags & M_EXT) {
printf(" m_ext{ ext_buf:%p ext_free:%p "
"ext_size:%u ext_ref:%p }\n",
m->m_ext.ext_buf, m->m_ext.ext_free,
m->m_ext.ext_size, m->m_ext.ext_ref);
}
#endif
return;
}
@ -651,7 +656,7 @@ kdebug_mbuf(m0)
return;
}
#endif /* KERNEL */
#endif /* _KERNEL */
void
kdebug_sockaddr(addr)
@ -680,7 +685,7 @@ kdebug_sockaddr(addr)
return;
}
#endif /* !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG)) */
#endif /* !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG)) */
void
ipsec_bindump(buf, len)

View File

@ -1,4 +1,4 @@
/* $NetBSD: key_debug.h,v 1.4 1999/07/06 12:23:26 itojun Exp $ */
/* $NetBSD: key_debug.h,v 1.5 2000/01/31 14:19:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,18 +29,12 @@
* SUCH DAMAGE.
*/
/* KAME Id: key_debug.h,v 1.1.6.2.6.1 1999/05/17 17:03:16 itojun Exp */
/* KAME Id: key_debug.h,v 1.3 2000/01/29 06:21:02 itojun Exp */
#ifndef _NETKEY_KEY_DEBUG_H_
#define _NETKEY_KEY_DEBUG_H_
#ifdef __NetBSD__
# ifdef _KERNEL
# define KERNEL
# endif
#endif
#if !defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))
#if !defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG))
/* debug flags */
#define KEYDEBUG_STAMP 0x00000001 /* path */
@ -63,27 +57,29 @@
#define KEYDEBUG(lev,arg) if ((key_debug_level & (lev)) == (lev)) { arg; }
#ifdef KERNEL
#ifdef _KERNEL
extern u_int32_t key_debug_level;
#endif /*KERNEL*/
#endif /*_KERNEL*/
struct sadb_msg;
struct sadb_ext;
extern void kdebug_sadb __P((struct sadb_msg *));
extern void kdebug_sadb_x_policy __P((struct sadb_ext *));
#ifdef KERNEL
#ifdef _KERNEL
struct secpolicy;
struct secindex;
struct secas;
struct secpolicyindex;
struct secasindex;
struct secasvar;
struct secreplay;
struct mbuf;
extern void kdebug_secindex __P((struct secindex *));
extern void kdebug_secpolicy __P((struct secpolicy *));
extern void kdebug_secas __P((struct secas *));
extern void kdebug_secpolicyindex __P((struct secpolicyindex *));
extern void kdebug_secasindex __P((struct secasindex *));
extern void kdebug_secasv __P((struct secasvar *));
extern void kdebug_mbufhdr __P((struct mbuf *));
extern void kdebug_mbuf __P((struct mbuf *));
#endif /*KERNEL*/
#endif /*_KERNEL*/
struct sockaddr;
extern void kdebug_sockaddr __P((struct sockaddr *));
@ -92,7 +88,7 @@ extern void kdebug_sockaddr __P((struct sockaddr *));
#define KEYDEBUG(lev,arg)
#endif /*!defined(KERNEL) || (defined(KERNEL) && defined(IPSEC_DEBUG))*/
#endif /*!defined(_KERNEL) || (defined(_KERNEL) && defined(IPSEC_DEBUG))*/
extern void ipsec_hexdump __P((caddr_t, int));
extern void ipsec_bindump __P((caddr_t, int));

View File

@ -1,4 +1,4 @@
/* $NetBSD: key_var.h,v 1.6 1999/08/24 00:46:13 itojun Exp $ */
/* $NetBSD: key_var.h,v 1.7 2000/01/31 14:19:12 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -94,7 +94,7 @@
#define _INADDR(in) ((struct sockaddr_in *)(in))
#if defined(INET6)
#ifdef INET6
#define _IN6ADDR(in6) ((struct sockaddr_in6 *)(in6))
#define _SALENBYAF(family) \
(((family) == AF_INET) ? \

215
sys/netkey/keydb.c Normal file
View File

@ -0,0 +1,215 @@
/* $NetBSD: keydb.c,v 1.1 2000/01/31 14:19:13 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* KAME Id: keydb.c,v 1.58 2000/01/17 14:11:16 itojun Exp */
#include "opt_inet.h"
#include "opt_ipsec.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/errno.h>
#include <sys/queue.h>
#include <net/if.h>
#include <net/route.h>
#include <netinet/in.h>
#include <netkey/keyv2.h>
#include <netkey/keydb.h>
#include <netinet6/ipsec.h>
#include <net/net_osdep.h>
static void keydb_delsecasvar __P((struct secasvar *));
/*
* secpolicy management
*/
struct secpolicy *
keydb_newsecpolicy()
{
struct secpolicy *p;
p = (struct secpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
if (!p)
return p;
bzero(p, sizeof(*p));
return p;
}
void
keydb_delsecpolicy(p)
struct secpolicy *p;
{
free(p, M_SECA);
}
/*
* secashead management
*/
struct secashead *
keydb_newsecashead()
{
struct secashead *p;
int i;
p = (struct secashead *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
if (!p)
return p;
bzero(p, sizeof(*p));
for (i = 0; i < sizeof(p->savtree)/sizeof(p->savtree[0]); i++)
LIST_INIT(&p->savtree[i]);
return p;
}
void
keydb_delsecashead(p)
struct secashead *p;
{
free(p, M_SECA);
}
/*
* secasvar management (reference counted)
*/
struct secasvar *
keydb_newsecasvar()
{
struct secasvar *p;
p = (struct secasvar *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
if (!p)
return p;
bzero(p, sizeof(*p));
p->refcnt = 1;
return p;
}
void
keydb_refsecasvar(p)
struct secasvar *p;
{
int s;
s = splsoftnet();
p->refcnt++;
splx(s);
}
void
keydb_freesecasvar(p)
struct secasvar *p;
{
int s;
s = splsoftnet();
p->refcnt--;
if (p->refcnt == 0)
keydb_delsecasvar(p);
splx(s);
}
static void
keydb_delsecasvar(p)
struct secasvar *p;
{
if (p->refcnt)
panic("keydb_delsecasvar called with refcnt != 0");
free(p, M_SECA);
}
/*
* secreplay management
*/
struct secreplay *
keydb_newsecreplay(wsize)
size_t wsize;
{
struct secreplay *p;
p = (struct secreplay *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
if (!p)
return p;
bzero(p, sizeof(*p));
if (wsize != 0) {
p->bitmap = (caddr_t)malloc(wsize, M_SECA, M_NOWAIT);
if (!p->bitmap) {
free(p, M_SECA);
return NULL;
}
bzero(p->bitmap, wsize);
}
p->wsize = wsize;
return p;
}
void
keydb_delsecreplay(p)
struct secreplay *p;
{
if (p->bitmap)
free(p->bitmap, M_SECA);
free(p, M_SECA);
}
/*
* secreg management
*/
struct secreg *
keydb_newsecreg()
{
struct secreg *p;
p = (struct secreg *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
if (p)
bzero(p, sizeof(*p));
return p;
}
void
keydb_delsecreg(p)
struct secreg *p;
{
free(p, M_SECA);
}

View File

@ -1,4 +1,4 @@
/* $NetBSD: keydb.h,v 1.3 1999/07/03 21:32:48 thorpej Exp $ */
/* $NetBSD: keydb.h,v 1.4 2000/01/31 14:19:13 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -32,119 +32,74 @@
#ifndef _NETKEY_KEYDB_H_
#define _NETKEY_KEYDB_H_
#ifdef __NetBSD__
# ifdef _KERNEL
# define KERNEL
# endif
#endif
#ifdef KERNEL
#ifdef _KERNEL
#include <netkey/key_var.h>
/* Must include ipsec.h and keyv2.h before in its use. */
/* management for the tree and nodes. */
struct keytree {
struct keynode *head;
struct keynode *tail;
int len;
/* Security Assocciation Index */
/* NOTE: Ensure to be same address family */
struct secasindex {
struct sockaddr_storage src; /* srouce address for SA */
struct sockaddr_storage dst; /* destination address for SA */
u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
u_int8_t mode; /* mode of protocol, see ipsec.h */
u_int32_t reqid; /* reqid id who owned this SA */
/* see IPSEC_MANUAL_REQID_MAX. */
};
struct keynode {
struct keynode *next;
struct keynode *prev;
struct keytree *back; /* pointer to the keytree */
};
/* index structure for SPD and SAD */
/* NOTE: All field are network byte order. */
struct secindex {
u_int8_t family; /* AF_INET or AF_INET6 */
u_int8_t prefs; /* preference for srouce address in bits */
u_int8_t prefd; /* preference for destination address in bits */
u_int8_t proto; /* upper layer Protocol */
u_int16_t ports; /* source port */
u_int16_t portd; /* destination port */
union {
#if 0 /* #include dependency... */
struct in_addr src4;
struct in6_addr src6;
#endif
u_int8_t srcany[16]; /*guarantee minimum size*/
} src; /* buffer for source address */
union {
#if 0 /* #include dependency... */
struct in_addr dst4;
struct in6_addr dst6;
#endif
u_int8_t dstany[16]; /*guarantee minimum size*/
} dst; /* buffer for destination address */
};
/* direction of SA */
#define SADB_X_DIR_UNKNOWN 0 /* initial */
#define SADB_X_DIR_INBOUND 1
#define SADB_X_DIR_OUTBOUND 2
#define SADB_X_DIR_BIDIRECT 3 /* including loopback */
#define SADB_X_DIR_MAX 4
#define SADB_X_DIR_INVALID 4
/*
* Since X_DIR_INVALID is equal to SADB_X_DIR_MAX,
* it can be used just as flag. The other are too
* used for loop counter.
*/
/* Security Association Data Base */
struct secasindex {
struct secasindex *next;
struct secasindex *prev;
struct keytree *saidxt; /* back pointer to */
/* the top of SA index tree */
struct secashead {
LIST_ENTRY(secashead) chain;
struct secindex idx; /* security index */
struct secasindex saidx;
struct keytree satree[SADB_SASTATE_MAX+1];
struct sadb_ident *idents; /* source identity */
struct sadb_ident *identd; /* destination identity */
/* XXX I don't know how to use them. */
u_int8_t state; /* MATURE or DEAD. */
LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
/* SA chain */
/* The first of this list is newer SA */
struct route sa_route; /* XXX */
struct route sa_route; /* route cache */
};
/* Security Association */
struct secas {
struct secas *next;
struct secas *prev;
struct keytree *sat; /* back pointer to the top of SA tree */
struct secasvar {
LIST_ENTRY(secasvar) chain;
int refcnt; /* reference count */
u_int8_t state; /* Status of this Association */
u_int8_t type; /* Type of this association: protocol */
u_int8_t alg_auth; /* Authentication Algorithm Identifier*/
u_int8_t alg_enc; /* Cipher Algorithm Identifier */
u_int32_t spi; /* SPI Value, network byte order */
u_int32_t flags; /* holder for SADB_KEY_FLAGS */
struct sadb_key *key_auth; /* Key for Authentication */
/* length has been shifted up to 3. */
struct sadb_key *key_enc; /* Key for Encryption */
/* length has been shifted up to 3. */
struct sockaddr *proxy; /* Proxy IP address for Destination */
caddr_t iv; /* Initilization Vector */
u_int ivlen; /* length of IV */
#if 0
caddr_t misc1;
caddr_t misc2;
caddr_t misc3;
#endif
struct secreplay *replay; /* replay prevention */
u_int32_t tick; /* for lifetime */
struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
struct sadb_lifetime *lft_h; /* HARD lifetime */
struct sadb_lifetime *lft_s; /* SOFT lifetime */
/* sadb_lifetime_len is in 32 bits. */
caddr_t iv; /* Initilization Vector */
u_int ivlen; /* XXX: quick hack */
caddr_t misc1; /* the use for example DES's setkey. */
caddr_t misc2;
caddr_t misc3;
u_int32_t seq; /* sequence number */
u_int32_t pid; /* pid */
pid_t pid; /* message's pid */
struct secasindex *saidx; /* back pointer to the secasindex */
struct secashead *sah; /* back pointer to the secashead */
};
/* replay prevention */
@ -154,31 +109,22 @@ struct secreplay {
u_int32_t seq; /* used by sender */
u_int32_t lastseq; /* used by receiver */
caddr_t bitmap; /* used by receiver */
int overflow; /* overflow flag */
};
/* socket table due to send PF_KEY messages. */
struct secreg {
struct secreg *next;
struct secreg *prev;
struct keytree *regt; /* back pointer to the top of secreg tree */
LIST_ENTRY(secreg) chain;
struct socket *so;
};
#ifndef IPSEC_BLOCK_ACQUIRE
#ifndef IPSEC_NONBLOCK_ACQUIRE
/* acquiring list table. */
struct secacq {
struct secacq *next;
struct secacq *prev;
struct keytree *acqt; /* back pointer to the top of secacq tree */
LIST_ENTRY(secacq) chain;
#if 1
struct secindex idx; /* security index */
u_int8_t proto; /* Type of this association: IPsec protocol */
u_int8_t proxy[16]; /* buffer for proxy address */
#else
u_int8_t hash[16];
#endif
struct secasindex saidx;
u_int32_t seq; /* sequence number */
u_int32_t tick; /* for lifetime */
@ -196,6 +142,23 @@ struct key_cb {
int any_count;
};
#endif /* KERNEL */
/* secpolicy */
extern struct secpolicy *keydb_newsecpolicy __P((void));
extern void keydb_delsecpolicy __P((struct secpolicy *));
/* secashead */
extern struct secashead *keydb_newsecashead __P((void));
extern void keydb_delsecashead __P((struct secashead *));
/* secasvar */
extern struct secasvar *keydb_newsecasvar __P((void));
extern void keydb_refsecasvar __P((struct secasvar *));
extern void keydb_freesecasvar __P((struct secasvar *));
/* secreplay */
extern struct secreplay *keydb_newsecreplay __P((size_t));
extern void keydb_delsecreplay __P((struct secreplay *));
/* secreg */
extern struct secreg *keydb_newsecreg __P((void));
extern void keydb_delsecreg __P((struct secreg *));
#endif /* _KERNEL */
#endif /* _NETKEY_KEYDB_H_ */

View File

@ -1,4 +1,4 @@
/* $NetBSD: keysock.c,v 1.6 1999/07/31 18:41:18 itojun Exp $ */
/* $NetBSD: keysock.c,v 1.7 2000/01/31 14:19:13 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,41 +29,24 @@
* SUCH DAMAGE.
*/
/* KAME Id: keysock.c,v 1.1.6.4.2.2 1999/07/04 02:06:39 itojun Exp */
/* KAME Id: keysock.c,v 1.10 2000/01/29 06:21:02 itojun Exp */
#if defined(__FreeBSD__) && __FreeBSD__ >= 3
#include "opt_inet.h"
#endif
/* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */
#ifdef __NetBSD__
# ifdef _KERNEL
# define KERNEL
# endif
#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#ifdef __FreeBSD__
#include <sys/sysctl.h>
#endif
#include <sys/mbuf.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/domain.h>
#include <sys/protosw.h>
#include <sys/errno.h>
#ifdef __NetBSD__
#include <sys/proc.h>
#include <sys/queue.h>
#endif
#ifdef __FreeBSD__
#include <machine/spl.h>
#endif
#include <net/raw_cb.h>
#include <net/route.h>
@ -82,56 +65,26 @@ struct sockproto key_proto = { PF_KEY, PF_KEY_V2 };
static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
#if 1
#define KMALLOC(p, t, n) \
((p) = (t) malloc((unsigned long)(n), M_SECA, M_NOWAIT))
#define KFREE(p) \
free((caddr_t)(p), M_SECA);
#else
#define KMALLOC(p, t, n) \
do { \
((p) = (t)malloc((unsigned long)(n), M_SECA, M_NOWAIT));\
printf("%s %d: %p <- KMALLOC(%s, %d)\n", \
__FILE__, __LINE__, (p), #t, n); \
} while (0)
#define KFREE(p) \
do { \
printf("%s %d: %p -> KFREE()\n", __FILE__, __LINE__, (p));\
free((caddr_t)(p), M_SECA); \
} while (0)
#endif
struct pfkeystat pfkeystat;
/*
* key_usrreq()
* derived from net/rtsock.c:route_usrreq()
*/
#ifndef __NetBSD__
int
key_usrreq(so, req, m, nam, control)
register struct socket *so;
int req;
struct mbuf *m, *nam, *control;
#else
int
key_usrreq(so, req, m, nam, control, p)
register struct socket *so;
int req;
struct mbuf *m, *nam, *control;
struct proc *p;
#endif /*__NetBSD__*/
{
register int error = 0;
register struct keycb *kp = (struct keycb *)sotorawcb(so);
int s;
#ifdef __NetBSD__
s = splsoftnet();
#else
s = splnet();
#endif
if (req == PRU_ATTACH) {
MALLOC(kp, struct keycb *, sizeof(*kp), M_PCB, M_WAITOK);
kp = (struct keycb *)malloc(sizeof(*kp), M_PCB, M_WAITOK);
so->so_pcb = (caddr_t)kp;
if (so->so_pcb)
bzero(so->so_pcb, sizeof(*kp));
@ -145,17 +98,16 @@ key_usrreq(so, req, m, nam, control, p)
key_freereg(so);
}
#ifndef __NetBSD__
error = raw_usrreq(so, req, m, nam, control);
#else
error = raw_usrreq(so, req, m, nam, control, p);
#endif
m = control = NULL; /* reclaimed in raw_usrreq */
kp = (struct keycb *)sotorawcb(so);
if (req == PRU_ATTACH && kp) {
int af = kp->kp_raw.rcb_proto.sp_protocol;
if (error) {
#ifdef IPSEC_DEBUG
printf("key_usrreq: key_usrreq results %d\n", error);
#endif
pfkeystat.sockerr++;
free((caddr_t)kp, M_PCB);
so->so_pcb = (caddr_t) 0;
splx(s);
@ -167,43 +119,8 @@ key_usrreq(so, req, m, nam, control, p)
if (af == PF_KEY) /* XXX: AF_KEY */
key_cb.key_count++;
key_cb.any_count++;
#ifndef __bsdi__
kp->kp_raw.rcb_laddr = &key_src;
kp->kp_raw.rcb_faddr = &key_dst;
#else
/*
* XXX rcb_faddr must be dynamically allocated, otherwise
* raw_disconnect() will be angry.
*/
{
struct mbuf *m, *n;
MGET(m, M_WAITOK, MT_DATA);
if (!m) {
error = ENOBUFS;
printf("key_usrreq: key_usrreq results %d\n", error);
free((caddr_t)kp, M_PCB);
so->so_pcb = (caddr_t) 0;
splx(s);
return(error);
}
MGET(n, M_WAITOK, MT_DATA);
if (!n) {
error = ENOBUFS;
m_freem(m);
printf("key_usrreq: key_usrreq results %d\n", error);
free((caddr_t)kp, M_PCB);
so->so_pcb = (caddr_t) 0;
splx(s);
return(error);
}
m->m_len = sizeof(key_src);
kp->kp_raw.rcb_laddr = mtod(m, struct sockaddr *);
bcopy(&key_src, kp->kp_raw.rcb_laddr, sizeof(key_src));
n->m_len = sizeof(key_dst);
kp->kp_raw.rcb_faddr = mtod(n, struct sockaddr *);
bcopy(&key_dst, kp->kp_raw.rcb_faddr, sizeof(key_dst));
}
#endif
soisconnected(so);
so->so_options |= SO_USELOOPBACK;
}
@ -237,24 +154,44 @@ key_output(m, va_alist)
if (m == 0)
panic("key_output: NULL pointer was passed.\n");
if (m->m_len < sizeof(long)
&& (m = m_pullup(m, 8)) == 0) {
printf("key_output: can't pullup mbuf\n");
error = ENOBUFS;
pfkeystat.out_total++;
pfkeystat.out_bytes += m->m_pkthdr.len;
len = m->m_pkthdr.len;
if (len < sizeof(struct sadb_msg)) {
#ifdef IPSEC_DEBUG
printf("key_output: Invalid message length.\n");
#endif
pfkeystat.out_tooshort++;
error = EINVAL;
goto end;
}
if (m->m_len < sizeof(struct sadb_msg)) {
if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) {
#ifdef IPSEC_DEBUG
printf("key_output: can't pullup mbuf\n");
#endif
pfkeystat.out_nomem++;
error = ENOBUFS;
goto end;
}
}
if ((m->m_flags & M_PKTHDR) == 0)
panic("key_output: not M_PKTHDR ??");
#if defined(IPSEC_DEBUG)
#ifdef IPSEC_DEBUG
KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
#endif /* defined(IPSEC_DEBUG) */
len = m->m_pkthdr.len;
if (len < sizeof(struct sadb_msg)
|| len != PFKEY_UNUNIT64(mtod(m, struct sadb_msg *)->sadb_msg_len)) {
msg = mtod(m, struct sadb_msg *);
pfkeystat.out_msgtype[msg->sadb_msg_type]++;
if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) {
#ifdef IPSEC_DEBUG
printf("key_output: Invalid message length.\n");
#endif
pfkeystat.out_invlen++;
error = EINVAL;
goto end;
}
@ -263,23 +200,23 @@ key_output(m, va_alist)
* allocate memory for sadb_msg, and copy to sadb_msg from mbuf
* XXX: To be processed directly without a copy.
*/
KMALLOC(msg, struct sadb_msg *, len);
if (msg == 0) {
msg = (struct sadb_msg *)malloc(len, M_SECA, M_NOWAIT);
if (msg == NULL) {
#ifdef IPSEC_DEBUG
printf("key_output: No more memory.\n");
#endif
error = ENOBUFS;
pfkeystat.out_nomem++;
goto end;
/* or do panic ? */
}
m_copydata(m, 0, len, (caddr_t)msg);
/*XXX giant lock*/
#ifdef __NetBSD__
s = splsoftnet();
#else
s = splnet();
#endif
if ((len = key_parse(&msg, so, &target)) == 0) {
/* discard. i.e. no need to reply. */
/* msg has been freed at key_parse() */
error = 0;
splx(s);
goto end;
@ -288,7 +225,7 @@ key_output(m, va_alist)
/* send up message to the socket */
error = key_sendup(so, msg, len, target);
splx(s);
KFREE(msg);
free(msg, M_SECA);
end:
m_freem(m);
return (error);
@ -310,7 +247,10 @@ key_sendup0(rp, m, promisc)
if (m && m->m_len < sizeof(struct sadb_msg))
m = m_pullup(m, sizeof(struct sadb_msg));
if (!m) {
#ifdef IPSEC_DEBUG
printf("key_sendup0: cannot pullup\n");
#endif
pfkeystat.in_nomem++;
m_freem(m);
return ENOBUFS;
}
@ -322,11 +262,16 @@ key_sendup0(rp, m, promisc)
pmsg->sadb_msg_type = SADB_X_PROMISC;
pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
/* pid and seq? */
pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
}
if (!sbappendaddr(&rp->rcb_socket->so_rcv,
(struct sockaddr *)&key_src, m, NULL)) {
#ifdef IPSEC_DEBUG
printf("key_sendup0: sbappendaddr failed\n");
#endif
pfkeystat.in_nomem++;
m_freem(m);
return ENOBUFS;
}
@ -334,6 +279,7 @@ key_sendup0(rp, m, promisc)
return 0;
}
/* XXX this interface should be obsoleted. */
int
key_sendup(so, msg, len, target)
struct socket *so;
@ -342,10 +288,6 @@ key_sendup(so, msg, len, target)
int target; /*target of the resulting message*/
{
struct mbuf *m, *n, *mprev;
struct keycb *kp;
int sendup;
struct rawcb *rp;
int error;
int tlen;
/* sanity check */
@ -356,6 +298,14 @@ key_sendup(so, msg, len, target)
printf("key_sendup: \n");
kdebug_sadb(msg));
/*
* we increment statistics here, just in case we have ENOBUFS
* in this function.
*/
pfkeystat.in_total++;
pfkeystat.in_bytes += len;
pfkeystat.in_msgtype[msg->sadb_msg_type]++;
/*
* Get mbuf chain whenever possible (not clusters),
* to save socket buffer. We'll be generating many SADB_ACQUIRE
@ -375,13 +325,16 @@ key_sendup(so, msg, len, target)
MGET(n, M_DONTWAIT, MT_DATA);
n->m_len = MLEN;
}
if (!n)
if (!n) {
pfkeystat.in_nomem++;
return ENOBUFS;
if (tlen > MCLBYTES) { /*XXX better threshold? */
}
if (tlen >= MCLBYTES) { /*XXX better threshold? */
MCLGET(n, M_DONTWAIT);
if ((n->m_flags & M_EXT) == 0) {
m_free(n);
m_freem(m);
pfkeystat.in_nomem++;
return ENOBUFS;
}
n->m_len = MCLBYTES;
@ -403,11 +356,49 @@ key_sendup(so, msg, len, target)
m->m_pkthdr.rcvif = NULL;
m_copyback(m, 0, len, (caddr_t)msg);
#ifndef __NetBSD__
for (rp = rawcb.rcb_next; rp != &rawcb; rp = rp->rcb_next)
/* avoid duplicated statistics */
pfkeystat.in_total--;
pfkeystat.in_bytes -= len;
pfkeystat.in_msgtype[msg->sadb_msg_type]--;
return key_sendup_mbuf(so, m, target);
}
int
key_sendup_mbuf(so, m, target)
struct socket *so;
struct mbuf *m;
int target;
{
struct mbuf *n;
struct keycb *kp;
int sendup;
struct rawcb *rp;
int error;
if (so == NULL || m == NULL)
panic("key_sendup_mbuf: NULL pointer was passed.\n");
pfkeystat.in_total++;
pfkeystat.in_bytes += m->m_pkthdr.len;
if (m->m_len < sizeof(struct sadb_msg)) {
#if 1
m = m_pullup(m, sizeof(struct sadb_msg));
if (m == NULL) {
pfkeystat.in_nomem++;
return ENOBUFS;
}
#else
for (rp = rawcb.lh_first; rp; rp = rp->rcb_list.le_next)
/* don't bother pulling it up just for stats */
#endif
}
if (m->m_len >= sizeof(struct sadb_msg)) {
struct sadb_msg *msg;
msg = mtod(m, struct sadb_msg *);
pfkeystat.in_msgtype[msg->sadb_msg_type]++;
}
for (rp = rawcb.lh_first; rp; rp = rp->rcb_list.le_next)
{
if (rp->rcb_proto.sp_family != PF_KEY)
continue;
@ -449,13 +440,17 @@ key_sendup(so, msg, len, target)
sendup++;
break;
}
pfkeystat.in_msgtarget[target]++;
if (!sendup)
continue;
if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
#ifdef IPSEC_DEBUG
printf("key_sendup: m_copy fail\n");
#endif
m_freem(m);
pfkeystat.in_nomem++;
return ENOBUFS;
}
@ -472,10 +467,6 @@ key_sendup(so, msg, len, target)
return error;
}
#ifdef __FreeBSD__
/* sysctl */
SYSCTL_NODE(_net, PF_KEY, key, CTLFLAG_RW, 0, "Key Family");
#endif
/*
* Definitions of protocols supported in the KEY domain.
@ -488,9 +479,7 @@ struct protosw keysw[] = {
0, key_output, raw_ctlinput, 0,
key_usrreq,
raw_init, 0, 0, 0,
#if defined(__bsdi__) || defined(__NetBSD__)
key_sysctl,
#endif
}
};
@ -498,6 +487,3 @@ struct domain keydomain =
{ PF_KEY, "key", key_init, 0, 0,
keysw, &keysw[sizeof(keysw)/sizeof(keysw[0])] };
#ifdef __FreeBSD__
DOMAIN_SET(key);
#endif

View File

@ -1,4 +1,4 @@
/* $NetBSD: keysock.h,v 1.4 1999/07/06 12:23:26 itojun Exp $ */
/* $NetBSD: keysock.h,v 1.5 2000/01/31 14:19:13 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,41 +29,60 @@
* SUCH DAMAGE.
*/
/* KAME Id: keysock.h,v 1.1.6.3.6.1 1999/05/17 17:03:19 itojun Exp */
/* KAME Id: keysock.h,v 1.5 2000/01/29 06:21:03 itojun Exp */
#ifndef _NETKEY_KEYSOCK_H_
#define _NETKEY_KEYSOCK_H_
#ifdef __NetBSD__
# ifdef _KERNEL
# define KERNEL
# endif
#endif
/* statistics for pfkey socket */
struct pfkeystat {
/* kernel -> userland */
u_quad_t out_total; /* # of total calls */
u_quad_t out_bytes; /* total bytecount */
u_quad_t out_msgtype[256]; /* message type histogram */
u_quad_t out_invlen; /* invalid length field */
u_quad_t out_invver; /* invalid version field */
u_quad_t out_invmsgtype; /* invalid message type field */
u_quad_t out_tooshort; /* msg too short */
u_quad_t out_nomem; /* memory allocation failure */
u_quad_t out_dupext; /* duplicate extension */
u_quad_t out_invexttype; /* invalid extension type */
u_quad_t out_invsatype; /* invalid sa type */
u_quad_t out_invaddr; /* invalid address extension */
/* userland -> kernel */
u_quad_t in_total; /* # of total calls */
u_quad_t in_bytes; /* total bytecount */
u_quad_t in_msgtype[256]; /* message type histogram */
u_quad_t in_msgtarget[3]; /* one/all/registered */
u_quad_t in_nomem; /* memory allocation failure */
/* others */
u_quad_t sockerr; /* # of socket related errors */
};
#if defined(KERNEL)
#define KEY_SENDUP_ONE 0
#define KEY_SENDUP_ALL 1
#define KEY_SENDUP_REGISTERED 2
#ifdef _KERNEL
struct keycb {
struct rawcb kp_raw; /* rawcb */
int kp_promisc; /* promiscuous mode */
int kp_registered; /* registered socket */
};
extern struct pfkeystat pfkeystat;
extern int key_output __P((struct mbuf *, ...));
#ifndef __NetBSD__
extern int key_usrreq __P((struct socket *, int, struct mbuf *, struct mbuf *, struct mbuf *));
extern int key_usrreq __P((struct socket *,
int, struct mbuf *, struct mbuf *, struct mbuf *));
#else
extern int key_usrreq __P((struct socket *,
int, struct mbuf *, struct mbuf *, struct mbuf *, struct proc *));
#endif
#define KEY_SENDUP_ONE 0
#define KEY_SENDUP_ALL 1
#define KEY_SENDUP_REGISTERED 2
extern int key_sendup __P((struct socket *, struct sadb_msg *, u_int, int));
#else
#if 0 /* no library defined for this */
extern int key_sendup __P((int, struct sadb_msg *, u_int, int));
#endif
#endif /* defined(KERNEL) */
extern int key_sendup_mbuf __P((struct socket *, struct mbuf *, int));
#endif /* _KERNEL */
#endif _NETKEY_KEYSOCK_H_
#endif /*_NETKEY_KEYSOCK_H_*/

View File

@ -1,4 +1,4 @@
/* $NetBSD: keyv2.h,v 1.5 1999/07/06 12:23:26 itojun Exp $ */
/* $NetBSD: keyv2.h,v 1.6 2000/01/31 14:19:14 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -29,7 +29,7 @@
* SUCH DAMAGE.
*/
/* KAME Id: keyv2.h,v 1.1.6.1.6.4 1999/06/08 05:33:39 itojun Exp */
/* KAME Id: keyv2.h,v 1.14 2000/01/29 06:21:03 itojun Exp */
/*
* This file has been derived rfc 2367,
@ -40,12 +40,6 @@
#ifndef _NETKEY_KEYV2_H_
#define _NETKEY_KEYV2_H_
#ifdef __NetBSD__
# ifdef _KERNEL
# define KERNEL
# endif
#endif
/*
This file defines structures and symbols for the PF_KEY Version 2
key management interface. It was written at the U.S. Naval Research
@ -71,11 +65,17 @@ you leave this credit intact on any copies of this file.
#define SADB_DUMP 10
#define SADB_X_PROMISC 11
#define SADB_X_PCHANGE 12
#define SADB_X_SPDADD 13
#define SADB_X_SPDDELETE 14
#define SADB_X_SPDDUMP 15
#define SADB_X_SPDFLUSH 16
#define SADB_MAX 16
#define SADB_X_SPDUPDATE 13 /* not yet */
#define SADB_X_SPDADD 14
#define SADB_X_SPDDELETE 15
#define SADB_X_SPDGET 16 /* not yet */
#define SADB_X_SPDACQUIRE 17 /* not yet */
#define SADB_X_SPDDUMP 18
#define SADB_X_SPDFLUSH 19
#define SADB_X_SPDSETIDX 20 /* add only SPD selector */
#define SADB_X_SPDEXPIRE 21 /* not yet */
#define SADB_MAX 21
struct sadb_msg {
u_int8_t sadb_msg_version;
@ -83,9 +83,13 @@ struct sadb_msg {
u_int8_t sadb_msg_errno;
u_int8_t sadb_msg_satype;
u_int16_t sadb_msg_len;
u_int16_t sadb_msg_reserved;
u_int8_t sadb_msg_mode; /* XXX */
u_int8_t sadb_msg_reserved1;
u_int32_t sadb_msg_seq;
u_int32_t sadb_msg_pid;
u_int32_t sadb_msg_reqid; /* XXX */
/* when policy mng, value is zero. */
u_int32_t sadb_msg_reserved2;
};
struct sadb_ext {
@ -135,6 +139,15 @@ struct sadb_ident {
u_int16_t sadb_ident_reserved;
u_int64_t sadb_ident_id;
};
/* in order to use to divide sadb_ident.sadb_ident_id */
union sadb_x_ident_id {
u_int64_t sadb_x_ident_id;
struct _sadb_x_ident_id_addr {
u_int16_t prefix;
u_int16_t ul_proto;
u_int32_t reserved;
} sadb_x_ident_id_addr;
};
struct sadb_sens {
u_int16_t sadb_sens_len;
@ -206,28 +219,37 @@ struct sadb_x_kmprivate {
struct sadb_x_policy {
u_int16_t sadb_x_policy_len;
u_int16_t sadb_x_policy_exttype;
u_int16_t sadb_x_policy_type; /* See ipsec.h */
u_int16_t sadb_x_policy_reserved;
u_int16_t sadb_x_policy_type; /* See policy type of ipsec.h */
u_int8_t sadb_x_policy_dir; /* direction, see ipsec.h */
u_int8_t sadb_x_policy_reserved;
};
/*
* followed by some of the ipsec policy request, if policy_type == IPSEC.
* When policy_type == IPSEC, it is followed by some of
* the ipsec policy request.
* [total length of ipsec policy requests]
* = (sadb_x_policy_len * sizeof(uint64_t) - sizeof(struct sadb_x_policy))
*/
/* XXX IPsec Policy Request Extension */
/*
* This structure is aligned 8 bytes. Also it's aligned with proxy address
* if present.
* This structure is aligned 8 bytes.
*/
struct sadb_x_ipsecrequest {
u_int16_t sadb_x_ipsecrequest_len; /* structure length aligned 8 bytes.
u_int16_t sadb_x_ipsecrequest_len; /* structure length aligned to 8 bytes.
* This value is true length of bytes.
* Not in units of 64 bits. */
u_int16_t sadb_x_ipsecrequest_proto; /* See ipsec.h */
u_int16_t sadb_x_ipsecrequest_mode; /* See ipsec.h */
u_int16_t sadb_x_ipsecrequest_level; /* See ipsec.h */
/* If mode != 0, the proxy address encoded struct sockaddr is following. */
u_int8_t sadb_x_ipsecrequest_mode; /* See IPSEC_MODE_XX in ipsec.h. */
u_int8_t sadb_x_ipsecrequest_level; /* See IPSEC_LEVEL_XX in ipsec.h */
u_int16_t sadb_x_ipsecrequest_reqid; /* See ipsec.h */
/*
* followed by source IP address of SA, and immediately followed by
* destination IP address of SA. These encoded into two of sockaddr
* structure without any padding. Must set each sa_len exactly.
* Each of length of the sockaddr structure are not aligned to 64bits,
* but sum of x_request and addresses is aligned to 64bits.
*/
};
#define SADB_EXT_RESERVED 0
@ -295,28 +317,34 @@ struct sadb_x_ipsecrequest {
#define SADB_X_CALG_OUI 1
#define SADB_X_CALG_DEFLATE 2
#define SADB_X_CALG_LZS 3
#define SADB_X_CALG_MAX 4
#endif
#define SADB_IDENTTYPE_RESERVED 0
#define SADB_IDENTTYPE_PREFIX 1
#define SADB_IDENTTYPE_FQDN 2
#define SADB_IDENTTYPE_USERFQDN 3
#define SADB_IDENTTYPE_MAX 3
#define SADB_X_IDENTTYPE_ADDR 4
#define SADB_IDENTTYPE_MAX 4
/* `flags' in SA structure holds followings */
/* `flags' in sadb_sa structure holds followings */
#define SADB_X_EXT_NONE 0x0000 /* i.e. new format. */
#define SADB_X_EXT_OLD 0x0001 /* old format. */
#define SADB_X_EXT_IV4B 0x0010 /* IV length of 4 bytes in use */
#define SADB_X_EXT_DERIV 0x0020 /* DES derived */
#define SADB_X_EXT_CYCSEQ 0x0040 /* allowing to cyclic sequence. */
/* the followings are exclusive flags */
/* three of followings are exclusive flags each them */
#define SADB_X_EXT_PSEQ 0x0000 /* sequencial padding for ESP */
#define SADB_X_EXT_PRAND 0x0100 /* random padding for ESP */
#define SADB_X_EXT_PZERO 0x0300 /* zero padding for ESP */
#define SADB_X_EXT_PZERO 0x0200 /* zero padding for ESP */
#define SADB_X_EXT_PMASK 0x0300 /* mask for padding flag */
#if 1
#define SADB_X_EXT_RAWCPI 0x0080 /* use well known CPI (IPComp) */
#endif
#define SADB_KEY_FLAGS_MAX 0x0fff
/* SPI size for PF_KEYv2 */
@ -351,57 +379,48 @@ struct sadb_x_ipsecrequest {
#define PFKEY_UNIT64(a) (a)
#endif
#ifndef KERNEL
extern void pfkey_sadump(struct sadb_msg *m);
extern void pfkey_spdump(struct sadb_msg *m);
#ifndef _KERNEL
extern void pfkey_sadump __P((struct sadb_msg *));
extern void pfkey_spdump __P((struct sadb_msg *));
struct sockaddr;
extern int ipsec_check_keylen(u_int supported, u_int alg_id, u_int keylen);
extern int pfkey_check(struct sadb_msg *msg, caddr_t *mhp);
extern u_int pfkey_set_softrate(u_int type, u_int rate);
extern u_int pfkey_get_softrate(u_int type);
extern int pfkey_send_getspi(int so, u_int satype,
struct sockaddr *src, u_int prefs,
struct sockaddr *dst, u_int prefd, u_int proto,
u_int32_t min, u_int32_t max, u_int32_t seq);
extern int pfkey_send_update( int so, u_int satype,
struct sockaddr *src, u_int prefs,
struct sockaddr *dst, u_int prefd, u_int proto,
struct sockaddr *proxy,
u_int32_t spi, caddr_t keymat,
u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
u_int flags,
u_int32_t l_alloc, u_int32_t l_bytes,
u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq);
extern int pfkey_send_add( int so, u_int satype,
struct sockaddr *src, u_int prefs,
struct sockaddr *dst, u_int prefd, u_int proto,
struct sockaddr *proxy,
u_int32_t spi, caddr_t keymat,
u_int e_type, u_int e_keylen, u_int a_type, u_int a_keylen,
u_int flags,
u_int32_t l_alloc, u_int32_t l_bytes,
u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq);
extern int pfkey_send_delete( int so, u_int satype,
struct sockaddr *src, u_int prefs,
struct sockaddr *dst, u_int prefd, u_int proto,
u_int32_t spi);
extern int pfkey_send_get( int so, u_int satype,
struct sockaddr *src, u_int prefs,
struct sockaddr *dst, u_int prefd, u_int proto,
u_int32_t spi);
extern int pfkey_send_register(int so, u_int satype);
extern int pfkey_recv_register(int so);
extern int pfkey_send_flush(int so, u_int satype);
extern int pfkey_send_dump(int so, u_int satype);
extern int pfkey_send_promisc_toggle(int so, int flag);
int ipsec_check_keylen __P((u_int, u_int, u_int));
u_int pfkey_set_softrate __P((u_int, u_int));
u_int pfkey_get_softrate __P((u_int));
int pfkey_send_getspi __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int32_t, u_int32_t));
int pfkey_send_update __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_add __P((int, u_int, u_int, struct sockaddr *,
struct sockaddr *, u_int32_t, u_int32_t, u_int,
caddr_t, u_int, u_int, u_int, u_int, u_int, u_int32_t, u_int64_t,
u_int64_t, u_int64_t, u_int32_t));
int pfkey_send_delete __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_get __P((int, u_int, u_int,
struct sockaddr *, struct sockaddr *, u_int32_t));
int pfkey_send_register __P((int, u_int));
int pfkey_recv_register __P((int));
int pfkey_send_flush __P((int, u_int));
int pfkey_send_dump __P((int, u_int));
int pfkey_send_promisc_toggle __P((int, int));
int pfkey_send_spdadd __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, caddr_t, int, u_int32_t));
int pfkey_send_spddelete __P((int, struct sockaddr *, u_int,
struct sockaddr *, u_int, u_int, u_int32_t));
int pfkey_send_spdflush __P((int));
int pfkey_send_spddump __P((int));
extern int pfkey_open(void);
extern void pfkey_close(int so);
extern struct sadb_msg *pfkey_recv(int so);
extern int pfkey_send(int so, struct sadb_msg *msg, int len);
int pfkey_open __P((void));
void pfkey_close __P((int));
struct sadb_msg *pfkey_recv __P((int));
int pfkey_send __P((int, struct sadb_msg *, int));
int pfkey_align __P((struct sadb_msg *, caddr_t *));
int pfkey_check __P((caddr_t *));
#endif /*!KERNEL*/
#endif /*!_KERNEL*/
#endif /* __PFKEY_V2_H */