Commit Graph

51 Commits

Author SHA1 Message Date
christos
3d6520b363 cosmetic fixes:
- __func__ in printfs
	- no space after sizeof
	- eliminate useless casts
	- u_intX_t -> uintX_t
2017-04-15 22:01:57 +00:00
christos
62446aa148 Redo the statistics through an indirection array and put the definitions
of the arrays in pfkeyv2.h so that they are next to the index definitions.
Remove "bogus" comment about compressing the statistics which is now fixed.
2017-04-13 16:38:31 +00:00
ozaki-r
61c284b0f0 Fix that ah_algorithm_lookup and esp_algorithm_lookup don't handle some algorithms
Unrelated upper limit values, AH_ALG_MAX and ESP_ALG_MAX, prevented some
algorithms from being looked up.
2017-04-13 01:32:57 +00:00
christos
b12f0138d5 PR/52150: Ryota Ozaki: ipsec: kernel panic on adding a key with an invalid
length.
2017-04-10 14:19:22 +00:00
ozaki-r
80d40a78b4 Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined
- Allow encapinit to be called twice (by ifinit and ipe4_attach)
  - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called
    it instead), however, on a rump kernel ipe4_attach may not be called
    even if IPSEC is enabled. So we need to allow ifinit to call it anyway
- Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP
- Call ip6flow_invalidate_all in key_spdadd only if in6_present
  - It's possible that a rump kernel loads the ipsec library but not
    the inet6 library
2017-04-06 09:20:07 +00:00
ozaki-r
48b3acd885 Tidy up opt_ipsec.h inclusions
Some inclusions of opt_ipsec.h were for IPSEC_NAT_T and are now unnecessary.
Add inclusions to some C files for IPSEC_DEBUG.
2015-03-30 03:51:50 +00:00
mrg
a370d57c87 - apply some __diagused
- remove unused variables
- move some variables inside their relevant use #ifdef
2013-11-03 18:37:10 +00:00
riastradh
cc79193075 Fix sense of consttime_memequal and update all callers.
Now it returns true (nonzero) to mean equal and false (zero) to mean
inequal, as the name suggests.

As promised on tech-userlevel back in June:

https://mail-index.netbsd.org/tech-userlevel/2013/06/24/msg007843.html
2013-08-28 15:24:41 +00:00
riastradh
82db4b9858 Replace consttime_bcmp/explicit_bzero by consttime_memequal/explicit_memset.
consttime_memequal is the same as the old consttime_bcmp.
explicit_memset is to memset as explicit_bzero was to bcmp.

Passes amd64 release and i386/ALL, but I'm sure I missed some spots,
so please let me know.
2013-06-24 04:21:19 +00:00
christos
213e873fd6 PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access
outdated pointers and pass ESP data to UPD-sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.
2013-06-04 22:47:37 +00:00
drochner
8588929dc5 Add "consttime_bcmp" and "explicit_bzero" functions for both kernel
abd userland, as proposed on tech-security, with explicit_bzero using
a volatile function pointer as suggested by Alan Barrett.
Both do what the name says. For userland, both are prefixed by "__"
to keep them out of the user namespace.
Change some memset/memcmp uses to the new functions where it makes
sense -- these are just some examples, more to come.
2012-08-30 12:16:48 +00:00
drochner
22beeb59d8 Make sure the mbufs in the input path (only the parts which we are going
to modify in the AH case) are writable/non-shared.
This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient
patch from that time by a radical solution.
(The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c,
so it needs a network driver modification to reproduce it.)
Being here, clarify a bit of ipcomp -- uncompression is done in-place,
the header must be removed explicitly.
2012-01-25 20:31:23 +00:00
plunky
7f3d4048d7 NULL does not need a cast 2011-08-31 18:31:02 +00:00
drochner
0a8dabda40 pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.
2011-05-26 21:50:02 +00:00
drochner
fe35ba177e g/c remainders of IV handling in pfkey code -- this is done in
opencrypto now
2011-05-23 15:17:25 +00:00
drochner
22a8d55c40 allow ESP to use AES-CTR
(pfkey and userland tool support is already there because it has been
in KAME IPSEC all the time)
tested against KAME IPSEC
2011-05-23 13:57:52 +00:00
drochner
5fafa9c424 -in the descriptor for encryption xforms, split the "blocksize" field
into "blocksize" and "IV size"
-add an "reinit" function pointer which, if set, means that the xform
 does its IV handling itself and doesn't want the default CBC handling
 by the framework (poor name, but left that way to avoid unecessary
 differences)
This syncs with Open/FreeBSD, purpose is to allow non-CBC transforms.
Refer to ivsize instead of blocksize where appropriate.
(At this point, blocksize and ivsize are identical.)
2011-05-23 13:46:54 +00:00
drochner
d26dda3d0d As a first step towards more fine-grained locking, don't require
crypto_{new.free}session() to be called with the "crypto_mtx"
spinlock held.
This doesn't change much for now because these functions acquire
the said mutex first on entry now, but at least it keeps the nasty
locks local to the opencrypto core.
2011-05-06 21:48:46 +00:00
drochner
41fde2494b fix C&P botch in diagnostic printfs 2011-05-05 20:15:14 +00:00
drochner
08355b198c support camellia-cbc as ESP cipher 2011-05-05 17:48:29 +00:00
spz
2fbfb83e1b fix compiling with IPSEC_DEBUG:
it's authsize not authlen in struct auth_hash
2011-03-27 21:56:57 +00:00
drochner
b4da53f1e6 make the use of SHA2-HMAC by FAST_IPSEC compliant to current standards:
-RFC2104 says that the block size of the hash algorithm must be used
 for key/ipad/opad calculations. While formerly all ciphers used a block
 length of 64, SHA384 and SHA512 use 128 bytes. So we can't use the
 HMAC_BLOCK_LEN constant anymore. Add a new field to "struct auth_hash"
 for the per-cipher blocksize.
-Due to this, there can't be a single "CRYPTO_SHA2_HMAC" external name
 anymore. Replace this by 3 for the 3 different keysizes.
 This was done by Open/FreeBSD before.
-Also fix the number of authenticator bits used tor ESP and AH to
 conform to RFC4868, and remove uses of AH_HMAC_HASHLEN which did
 assume a fixed authenticator size of 12 bytes.

FAST_IPSEC will not interoperate with KAME IPSEC anymore if sha2 is used,
because the latter doesn't implement these standards. It should
interoperate with at least modern Free/OpenBSD now.
(I've only tested with NetBSD-current/FAST_IPSEC on both ends.)
2011-02-25 20:13:10 +00:00
degroote
de55cbd2df Fix a missing const in FAST_IPSEC && IPSEC_DEBUG 2011-02-19 18:26:50 +00:00
drochner
909a8e8346 more "const" 2011-02-18 19:56:01 +00:00
drochner
bbd82ed172 sprinkle some "const", documenting that the SA is not supposed to
change during an xform operation
2011-02-18 19:06:45 +00:00
drochner
6ed51462a6 one more botched statistics counter (could increment semi-random locations) 2011-02-14 18:49:31 +00:00
drochner
254b02f7fb fix output bytecount statcounter 2011-02-14 16:34:43 +00:00
drochner
72fa9245cb change locking order, to make sure the cpu is at splsoftnet()
before the softnet_lock (adaptive) mutex is acquired, from
Wolfgang Stukenbrock, should fix a recursive lock panic
2011-02-14 13:43:45 +00:00
drochner
6c21d3ecdd -in opencrypto callbacks (which run in a kernel thread), pull softnet_lock
everywhere splsoftnet() was used before, to fix MP concurrency problems
-pull KERNEL_LOCK where ip(6)_output() is called, as this is what
 the network stack (unfortunately) expects, in particular to avoid
 races for packets in the interface send queues
From Wolfgang Stukenbrock per PR kern/44418, with the application
of KERNEL_LOCK to what I think are the essential points, tested
on a dual-core i386.
2011-02-10 20:24:27 +00:00
cegger
4f9cf8aa30 Correct bungled bcopy() -> memcpy() conversion 2009-03-20 05:26:37 +00:00
cegger
e2cb85904d bcopy -> memcpy 2009-03-18 17:06:41 +00:00
cegger
c363a9cb62 bzero -> memset 2009-03-18 16:00:08 +00:00
cegger
35fb64746b bcmp -> memcmp 2009-03-18 15:14:29 +00:00
thorpej
caf49ea572 Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and
netstat_sysctl().
2008-04-23 06:09:04 +00:00
tls
e5bd2a127e Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto"
(actually splnet) and condvars instead of tsleep/wakeup.  Fix a few
miscellaneous problems and add some debugging printfs while there.

Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some
point after this code came from FreeBSD -- it made it impossible to wait
properly for a condition.

Add flags analogous to the "crp" flags to the key operation's krp struct.
Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before
the kthread had a chance to dequeue it and call its callback -- this was
letting requests stick on the queues before even though done and copied
out.

Callers of crypto_newsession() or crypto_freesession() must now take the
mutex.  Change netipsec to do so.  Dispatch takes the mutex itself as
needed.

This was tested fairly extensively with the cryptosoft backend and lightly
with a new hardware driver.  It has not been tested with FAST_IPSEC; I am
unable to ascertain whether FAST_IPSEC currently works at all in our tree.

pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the
right direction several times in the course of this.  Remaining bugs
are mine alone.
2008-02-04 00:35:34 +00:00
degroote
4ddfe916ff Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
2007-06-27 20:38:32 +00:00
degroote
dd86ba7231 Remove useless cast
Use NULL instead of (void*) 0
2007-03-04 21:17:54 +00:00
degroote
c252f603d0 Fix fallout from caddr_t changes 2007-03-04 19:54:48 +00:00
christos
53524e44ef Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. 2007-03-04 05:59:00 +00:00
christos
168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
christos
6c265266c5 more __unused 2006-10-13 20:53:59 +00:00
pavel
450a020195 The esp_input_cb function used m_copyback, which fails if the mbuf is
read-only. This can actually happen if the packet was received by the
xennet interface, see PR kern/33162. Change it to m_copyback_cow.

AH and IPCOMP probably need similar fixes.

Requested by Jeff Rizzo, tested on Xen with -current by him.
2006-04-28 22:39:02 +00:00
rpaulo
68699904bd Add two new sysctls protected under IPSEC_DEBUG:
net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
          the same sequence number. This allows to verify if the other side
          has proper replay attacks detection.

  net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with
          corrupted HMAC. This allows to verify if the other side properly
          detects modified packets.

(a message will be printed indicating when these sysctls changed)

By Pawel Jakub Dawidek <pjd@FreeBSD.org>.
Discussed with Christos Zoulas and Jonathan Stone.
2006-04-11 20:21:28 +00:00
rpaulo
51a2954a4d FreeBSD SA-06:11 and CVE-2006-0905: update the replay sequence number
or else the anti-reply technique won't work as expected.
2006-03-23 15:25:46 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
seanb
7ce7d7cb4c - Discrepency between malloc / free types with init vector (see free
in netipsec/key.c).
- Reviewed by christos.
2005-05-27 22:30:03 +00:00
jonathan
60f87b2f99 sys/netinet6/ip6_ecn.h is reportedly a FreeBSD-ism; NetBSD has
prototypes for the IPv6 ECN ingress/egress functions in sys/netinet/ip_ecn.h,
inside an #ifdef INET6 wrapper.   So, wrap sys/netipsec ocurrences of
	#include <netinet6/ip6_ecn.h>
in #ifdef __FreeBSD__/#endif, until both camps can agree on this
teensy little piece of namespace. Affects:
    ipsec_output.c xform_ah.c xform_esp.c xform_ipip.c
2004-03-17 00:21:43 +00:00
tls
9355900ec9 Reversion of "netkey merge", part 2 (replacement of removed files in the
repository by christos was part 1).  netipsec should now be back as it
was on 2003-09-11, with some very minor changes:

1) Some residual platform-dependent code was moved from ipsec.h to
   ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined.  ipsec.h
   now includes ipsec_osdep.h

2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has
   been left in place (it's arguable which name is less confusing but the
   rename is pretty harmless).

3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN
   is invalid and GCC 3 won't compile it.

An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now
gets through "make depend" but fails to build with errors in ip_input.c.
But it's better than it was (thank heaven for small favors).
2003-10-06 22:05:15 +00:00
itojun
eb305c3c3c merge netipsec/key* into netkey/key*. no need for both.
change confusing filename
2003-09-12 11:20:57 +00:00
jonathan
c23a2c9c86 opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif. 2003-08-20 22:33:40 +00:00