Commit Graph

133 Commits

Author SHA1 Message Date
adrianp aaf8e048ae The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.

Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@
2007-10-28 15:48:23 +00:00
ad a2a3828545 machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h 2007-10-19 11:59:34 +00:00
degroote cdb020058a Fix my previous stupid caddr_t fix. 2007-09-22 23:33:18 +00:00
ad 88ab7da936 Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
2007-07-09 20:51:58 +00:00
degroote a382db0aa9 Ansify
Remove useless extern
bzero -> memset, bcopy -> memcpy

No functionnal changes
2007-07-07 18:38:22 +00:00
degroote 4ddfe916ff Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
2007-06-27 20:38:32 +00:00
degroote 5f72dadbd4 Always compute the sp index even if we don't have any sp in spd. It will
let us to choose the right default policy (based on the adress family
requested).

While here, fix an error message
2007-05-08 14:07:42 +00:00
degroote 8ebbd6c4f6 Increase the refcount for the default ipv6 policy so nobody can reclaim it 2007-05-08 14:03:05 +00:00
degroote 6997fa5f35 Choose the good default policy, depending of the adress family of the
desired policy
2007-04-15 14:17:12 +00:00
degroote 20341ba8ef Add sysctl tree to modify the fast_ipsec options related to ipv6. Similar
to the sysctl kame interface.
2007-04-11 22:21:41 +00:00
degroote 68c3173bb4 When we construct an answer for SADB_X_SPDGET, don't use an hardcoded 0 for seq but
the seq used by the request. It will improve consistency with the answer of SADB_GET
request and helps some applications which relies both on seq and pid.

Reported by  Karl Knutsson by pr/36119.
2007-04-11 21:33:40 +00:00
degroote 2a2cd74d79 In spddelete2, if we can't find the sp by this id, return after sending an error message,
don't process the following code with the NULL sp.

Spotted by Matthew Grooms on freebsd-net ML
2007-04-11 21:19:35 +00:00
degroote 0c3809d098 Fix a memleak in key_spdget.
Problem was reported by Karl Knutsson by pr/36119.
2007-04-09 21:07:03 +00:00
degroote 0138b12722 Honor the ip4_ah_offsetmask bits (clear or not the ip->ip_off field for ah
processing).
2007-03-25 22:11:18 +00:00
degroote 46c420f11a Use ip4_ah_cleartos instead of ah_cleartos for consistency 2007-03-25 22:06:33 +00:00
degroote 40cf3d18fa Make an exact match when we are looking for a cached sp for an unconnected
socket. If we don't make an exact match, we may use a cached rule which
has lower priority than a rule that would otherwise have matched the
packet.

Code submitted by Karl Knutsson in PR/36051
2007-03-25 12:46:42 +00:00
degroote 507fd51bd3 Call key_checkspidup with spi in network bit order in order to make correct
comparaison with spi stored into the sadb.

Reported by Karl Knutsson in kern/36038 .
2007-03-21 22:38:34 +00:00
liamjfoy 142de6f17b Allow to build without INET6
Submitted by: Jukka Salmi
2007-03-09 00:40:39 +00:00
liamjfoy 9763fa0590 Add IPv6 Fast Forward:
Add call to ip6flow_invalidate_all()

ok christos, matt, dyoung and joerg
2007-03-07 22:21:45 +00:00
degroote dd86ba7231 Remove useless cast
Use NULL instead of (void*) 0
2007-03-04 21:17:54 +00:00
degroote c252f603d0 Fix fallout from caddr_t changes 2007-03-04 19:54:48 +00:00
christos 53524e44ef Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. 2007-03-04 05:59:00 +00:00
degroote f76a162cb7 Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
2007-02-23 19:35:25 +00:00
degroote 9e2b4bf469 Always free the sav, not only in the mature case 2007-02-18 18:58:17 +00:00
degroote 5bf3692f91 Fix the {ah,esp}4_ctlinput code 2007-02-18 14:28:25 +00:00
degroote b7fbb86788 Forgot to remove two useless extern 2007-02-18 14:13:52 +00:00
degroote b0339b36b0 Constify the code following the dyoung change ( the "bug" was hidden by the
extern declaration ).
While here, remove a Kame ifdef which is useless in netipsec code
2007-02-18 13:55:25 +00:00
degroote 0a648e9c8b Remove __P
Remove useless extern
Use ansi declaration
2007-02-18 13:27:31 +00:00
dyoung 5493f188c7 KNF: de-__P, bzero -> memset, bcmp -> memcmp. Remove extraneous
parentheses in return statements.

Cosmetic: don't open-code TAILQ_FOREACH().

Cosmetic: change types of variables to avoid oodles of casts: in
   in6_src.c, avoid casts by changing several route_in6 pointers
   to struct route pointers.  Remove unnecessary casts to caddr_t
   elsewhere.

Pave the way for eliminating address family-specific route caches:
   soon, struct route will not embed a sockaddr, but it will hold
   a reference to an external sockaddr, instead.  We will set the
   destination sockaddr using rtcache_setdst().  (I created a stub
   for it, but it isn't used anywhere, yet.)  rtcache_free() will
   free the sockaddr.  I have extracted from rtcache_free() a helper
   subroutine, rtcache_clear().  rtcache_clear() will "forget" a
   cached route, but it will not forget the destination by releasing
   the sockaddr.  I use rtcache_clear() instead of rtcache_free()
   in rtcache_update(), because rtcache_update() is not supposed
   to forget the destination.

Constify:

   1 Introduce const accessor for route->ro_dst, rtcache_getdst().

   2 Constify the 'dst' argument to ifnet->if_output().  This
     led me to constify a lot of code called by output routines.

   3 Constify the sockaddr argument to protosw->pr_ctlinput.  This
     led me to constify a lot of code called by ctlinput routines.

   4 Introduce const macros for converting from a generic sockaddr
     to family-specific sockaddrs, e.g., sockaddr_in: satocsin6,
     satocsin, et cetera.
2007-02-17 22:34:07 +00:00
degroote fb66d23b5f fixed a unexpected addr/port matching failure in SA management
From cvs rev 1.127 of netkey/key.c
2007-02-11 13:35:00 +00:00
degroote 97d02ceb4b reqid (for unique policy) is u_int16_t quantity.
from rev 1.125 of netkey/key.c
2007-02-11 13:32:18 +00:00
degroote e2211411a4 Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packet with extensions headers are not correctly
supported
Change the ipcomp logic
2007-02-10 09:43:05 +00:00
dyoung 854c48804d KNF: bzero -> memset. 2007-01-26 19:49:18 +00:00
joerg eb04733c4e Introduce new helper functions to abstract the route caching.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cashed and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either a valid again
or NULL.
rtcache_copy is used internally.

Adjust to callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is sementically equivalent though.
etherip doesn't need sc_route_expire similiar to the gif changes from
dyoung@ earlier.

Based on the earlier patch from dyoung@, reviewed and discussed with
him.
2006-12-15 21:18:52 +00:00
dyoung c308b1c661 Here are various changes designed to protect against bad IPv4
routing caused by stale route caches (struct route).  Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).

Stale IPv6 and ISO route caches will be treated by separate patches.

Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.

Here are the details:

Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.

Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.

Chain together all IPv4 route caches where ro_rt != NULL.  Provide
in_rtcache() for adding a route to the chain.  Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches.  In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain.  In in_rtflushall(), walk the chain and remove every route
cache.

In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.

In gif(4), discard the workaround for stale caches that involves
expiring them every so often.

Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).

Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.

Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.

In domain initializers, use .dom_xxx tags.

KNF here and there.
2006-12-09 05:33:04 +00:00
christos 1665d5e960 fix spelling of accommodate; from Zapher. 2006-11-24 19:46:58 +00:00
christos 168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
christos 6c265266c5 more __unused 2006-10-13 20:53:59 +00:00
matt 0b50c4ad5c Make this compile again (hi xtos!). Switch to C99 structure initializations. 2006-08-31 23:21:54 +00:00
ad f474dceb13 Use the LWP cached credentials where sane. 2006-07-23 22:06:03 +00:00
kardel ced596e186 clarify time scale semantic issue 2006-06-10 11:42:07 +00:00
kardel 4eff7fe074 reference time.tv_sec in non timecounter case
missing conversion spotted by Geoff Wing
XXX This code need to be checked whether UTC time
is really the right abstraction. I suspect uptime
would be the correct time scale for measuring life times.
2006-06-10 11:30:37 +00:00
kardel 6aad29aa7b fix a missing conversion for a mono_time reference.
detected by Geoff Wing.
2006-06-10 11:12:09 +00:00
kardel de4337ab21 merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
  time.tv_sec -> time_second
- struct timeval mono_time is gone
  mono_time.tv_sec -> time_uptime
- access to time via
	{get,}{micro,nano,bin}time()
	get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
  Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
  NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html
2006-06-07 22:33:33 +00:00
elad 874fef3711 integrate kauth. 2006-05-14 21:19:33 +00:00
pavel 450a020195 The esp_input_cb function used m_copyback, which fails if the mbuf is
read-only. This can actually happen if the packet was received by the
xennet interface, see PR kern/33162. Change it to m_copyback_cow.

AH and IPCOMP probably need similar fixes.

Requested by Jeff Rizzo, tested on Xen with -current by him.
2006-04-28 22:39:02 +00:00
rpaulo 68699904bd Add two new sysctls protected under IPSEC_DEBUG:
net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
          the same sequence number. This allows to verify if the other side
          has proper replay attacks detection.

  net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with
          corrupted HMAC. This allows to verify if the other side properly
          detects modified packets.

(a message will be printed indicating when these sysctls changed)

By Pawel Jakub Dawidek <pjd@FreeBSD.org>.
Discussed with Christos Zoulas and Jonathan Stone.
2006-04-11 20:21:28 +00:00
rpaulo 51a2954a4d FreeBSD SA-06:11 and CVE-2006-0905: update the replay sequence number
or else the anti-reply technique won't work as expected.
2006-03-23 15:25:46 +00:00
wiz 5d1e8b2745 Fix some typos. 2006-02-25 02:28:55 +00:00
perry fbae48b901 Change "inline" back to "__inline" in .h files -- C99 is still too
new, and some apps compile things in C89 mode. C89 keywords stay.

As per core@.
2006-02-16 20:17:12 +00:00