Commit Graph

133 Commits

Author SHA1 Message Date
itojun
3489976392 do not copy policy-on-socket at all. avoid copying packet header value to
struct spindex.  should reduce memory usage per socket/pcb, and should speedup
ipsec processing.  sync w/kame
2002-06-12 01:47:34 +00:00
itojun
fa53d749ff share policy-on-pcb for listening socket. sync w/kame
todo: share even more, avoid frequent updates of spidx
2002-06-11 19:39:59 +00:00
itojun
52d0ba15c8 reduce unneeded #ifdef 2002-05-30 05:51:21 +00:00
itojun
d208a22daa use arc4random() where possible.
XXX is it necessary to do microtime() on tcp syn cache?
2002-05-28 10:11:49 +00:00
itojun
12bdf036e2 pull in SPD lifetime management code. fix refcnt for SPD entries.
sync w/kame
XXX dead SPD entry lifetime - undergoing sakane's review
2002-05-19 08:22:12 +00:00
itojun
9244bd8154 document net.key.* sysctl. provide sysctl MIB for controlling
proposal payload on ACQUIRE message.  sync w/kame
2002-05-19 08:12:55 +00:00
itojun
691d519c66 remove unneeded decl for __ss_{len,family} 2002-05-19 07:54:05 +00:00
itojun
0c85427e40 remove unneeded #if 2002-03-21 04:41:03 +00:00
itojun
53a52c0ad8 pfkey statistics was presented in wrong direction. 2002-03-21 04:23:36 +00:00
itojun
418fefdef0 remove a function no longer in use 2002-03-21 04:10:21 +00:00
itojun
900347e4d0 comment wording 2002-03-21 02:27:50 +00:00
itojun
8e4fadc28a missing splx 2002-03-01 04:19:42 +00:00
itojun
3edb75b9d5 unifdef -D__NetBSD__ 2002-03-01 04:16:38 +00:00
itojun
88123ecf38 change key_timehandler to take void * as argument. sync with kame.
PR 14351
2002-01-31 07:05:43 +00:00
itojun
867ce59a46 use ipseclog() instead of #ifdef IPSEC_DEBUG, to make it possible to
turn on/off debugging messages at runtime.  sync with kame
2002-01-31 06:35:25 +00:00
itojun
8297f55292 change SPDUPDATE's behavior to meet with the latest KAME kit.
(there's no need to have policy before SPDUPDATE)
2002-01-31 06:17:03 +00:00
lukem
2565646230 don't need <sys/types.h> when including <sys/param.h> 2001-11-15 09:47:59 +00:00
lukem
4f2ad95259 add RCSIDs 2001-11-13 00:56:55 +00:00
simonb
5f717f7c33 Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
itojun
07b78861d0 sync with kame:
fixed the value of the prefixlen in the sadb_address structure.
when pfkey message relative to SA is sent, the prefixlen was incorrect.
2001-10-19 01:57:20 +00:00
wiz
4c99916337 va_{start,end} audit:
Make sure that each va_start has one and only one matching va_end,
especially in error cases.
If the va_list is used multiple times, do multiple va_starts/va_ends.
If a function gets va_list as argument, don't let it use va_end (since
it's the callers responsibility).

Improved by comments from enami and christos -- thanks!

Heimdal/krb4/KAME changes already fed back, rest to follow.

Inspired by, but not not based on, OpenBSD.
2001-09-24 13:22:25 +00:00
wiz
456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00
itojun
fd048b8ff1 avoid symbol conflict with "sin()". 2001-08-16 14:28:54 +00:00
itojun
99c5195929 remove "#ifdef IPSEC_DEBUG" conditional from from key_debug.h
(headers must have no #if).  sync with kame
2001-08-12 11:52:43 +00:00
itojun
984d46bbc4 there is no KEY_DEBBUG. use IPSEC_DEBUG 2001-08-12 11:48:27 +00:00
itojun
57030e2f12 cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb.  sync with kame.
2001-08-06 10:25:00 +00:00
itojun
ce781443e0 pass replay sequence number on sadb_x_sa2 (it's outside of PF_KEY standard
anyways).
2001-08-02 12:10:14 +00:00
itojun
b26591525e remove "register" variable specifier. sync with kame 2001-08-02 11:32:14 +00:00
itojun
182b1e5191 do not #ifdef KEY_DEBUG in header. sync with kame 2001-07-27 04:48:13 +00:00
mrg
8a49f07b1b avoid assigning to policy_id twice. fixes more gcc 3.0 prerelease errors. 2001-06-04 21:38:28 +00:00
mrg
c13e3a6693 use _KERNEL_OPT 2001-05-30 11:40:35 +00:00
wiz
14dbdf5518 Negative exit code cleanup: Replace exit(-x) with exit(x).
As seen on tech-userlevel.
2001-04-06 11:13:45 +00:00
jdolecek
522f569810 make some more constant arrays 'const' 2001-02-21 21:39:52 +00:00
thorpej
786149d624 When processing an SADB_DELETE message, allow SADB_EXT_SA to be
blank.  In this case, we delete all non-LARVAL SAs that match the
src/dst/protocol.  This is particularly useful in IKE INITIAL-CONTACT
processing.  Idea from Bill Sommerfeld <sommerfeld@east.sun.com>, who
implemented it in post-Solaris8.
2001-02-16 23:53:59 +00:00
itojun
a688af5edf if 2nd parameter of key_acquire() is NULL it panics.
key_acquire () does not really require 2nd argument.
1.179 -> 1.180 on kame.
2001-01-10 18:52:51 +00:00
itojun
8b5ceae516 don't waste entropy by use of key_random(). use key_randomfill() for
IV initialization.
2000-10-07 12:08:33 +00:00
itojun
a6f9652adf always use rnd(4) for IPsec random number source. avoid random(9).
if there's no rnd(4), random(9) will be used with one-time warning printf(9).

XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
2000-10-05 04:49:17 +00:00
itojun
dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun
8a9f93dc37 update ip compression algorithm lookup.
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net).  sync with kame
2000-09-26 08:40:23 +00:00
itojun
89f53512af use real wallclock (got by microtime) to compute IPsec database lifetimes.
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun
fd5d3908d3 wake up socket even with socket recieve buffer is full. otherwise,
we will have lots of pending mbufs on heavy SADB_ACQUIRE traffic.
KAME 1.22 -> 1.23
2000-09-22 08:28:56 +00:00
itojun
5f3d7ea2b5 suppress debugging message in key_acquire2(). this is purely for debugging,
not useful/no interest from normal use.  KAME 1.155 -> 1.156
2000-09-21 20:35:09 +00:00
itojun
6aadfa317f on SADB_UPDATE, check SPI range only for AH/ESP, not IPComp.
endian/signedness fix for debug messages.
KAME 1.154 -> 1.155
2000-09-20 19:55:05 +00:00
itojun
1e79c22464 repair SADB_ADD/UPDATE for ipcomp. no encryption key will be attached to
ipcomp.  (KAME 1.53 -> 1.54)
2000-09-20 00:42:47 +00:00
itojun
6a4cd1c5f9 make proposal/combination PF_KEY message on SADB_ACQUIRE optional, to
support ipcomp ACQUIRE messages (again).
it violates RFC2367 slightly.  RFC2367 does not suport ipcomp at all
so we have no choice.
(KAME 1.151 -> 1.152)

do not leave dangling pointer after KFREE().  caused kernel panic with
certain PF_KEY message (error case) - only root can open PF_KEY socket
so it is not security issue.
(KAME 1.152 -> 1.153)
2000-09-20 00:08:42 +00:00
itojun
bb8d535cc5 use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.

the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.

XXX: it looks that past blowfish-cbc code was buggy.  i ran some test pattern,
and new blowfish-cbc code looks more correct.  there's no interoperability
between the old code (before the commit) and the new code (after the commit).

XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun
e101febc8f make sure to stir ESP IV. pool allocator gives me almost constant
value.  we may need to do an advisory...
2000-08-27 17:41:12 +00:00
itojun
9e0a696a8a remove #ifdef notdef part. sync with kame. 2000-07-26 07:40:52 +00:00
itojun
411ff12b27 pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
sync with kame.

loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun
65d37eff7f correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.

WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun
aa0b8be4f4 move ipsec_{hex,bin}dump() into #ifdef wrapper.
libipsec: remove unnecessary #include key_debug.h.
2000-07-04 04:41:54 +00:00
itojun
d407c7e3ec nuke sadb_x_ident_id, wihich violates pfkey standard.
correct get/set SA handling.
(from kame)
2000-07-01 01:01:34 +00:00
mrg
577e415862 <vm/vm.h> -> <uvm/uvm_extern.h> 2000-06-28 03:29:45 +00:00
thorpej
ee01b6fae0 Clean up some NULL vs. 0 confusion, and fix a bogus comparison. 2000-06-24 00:15:52 +00:00
itojun
43eb8dd0d2 correct compilation without IPSEC_ESP.
From: Matthias Drochner <M.Drochner@fz-juelich.de>
2000-06-15 13:44:22 +00:00
itojun
f982a33213 correct ordering mistake in SADB_DUMP.
correct bug in key length management in SA database.
improbe mbuf printing (for debugging only).
2000-06-15 12:37:07 +00:00
itojun
00dc400bb3 correct port number matching (src/dst mixup). 2000-06-15 05:50:22 +00:00
itojun
186948075c remove too strong assumption on mbuf length.
the previous code choked if large policy entry is injected with "spdadd"
subcommand in setkey(8).
2000-06-14 03:16:23 +00:00
itojun
92e64a4a0d sync with almost-latest KAME IPsec. full changelog would be too big
to mention here.  notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
  it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
  in struct sadb_msg.  we cannot just change these standard structs.
  sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
  these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
  specify it)
- spddelete takes direction specification
2000-06-12 10:40:37 +00:00
itojun
93b2b4e693 remove include files in nonstandard path
(has been #error for couple of months).
2000-06-04 11:52:06 +00:00
thorpej
f636538446 NULL != 0 2000-05-19 04:34:39 +00:00
thorpej
e0d0cba239 Remove junk at the end of #undef. 2000-05-08 18:31:10 +00:00
augustss
8529438fe6 Remove register declarations. 2000-03-30 12:51:13 +00:00
thorpej
fc96443d15 New callout mechanism with two major improvements over the old
timeout()/untimeout() API:
- Clients supply callout handle storage, thus eliminating problems of
  resource allocation.
- Insertion and removal of callouts is constant time, important as
  this facility is used quite a lot in the kernel.

The old timeout()/untimeout() API has been removed from the kernel.
2000-03-23 07:01:25 +00:00
itojun
eb95b863d0 correct IPsec SA lookup, so that we can always get/use
proper SA.  cached SA can be wrong, specifically when you use sendto().
sync with KAME change, From: Greg Troxel <gdt@ir.bbn.com>
2000-03-05 05:42:33 +00:00
itojun
541b446bfa for more strict rfc2367 conformance, move netkey/keyv2.h into net/pfkeyv2.h
(net/pfkeyv2.h used to just include netkey/keyv2.h).

netkey/keyv2.h includes #error only for several days, to inform
of file path change.  after that I plan to nuke the file.
2000-02-09 03:27:29 +00:00
itojun
90736ab608 fix include pathname for better rfc2292 compliance. 2000-02-06 12:49:37 +00:00
itojun
1a2a1e2b1f bring in latest KAME ipsec tree.
- interop issues in ipcomp is fixed
- padding type (after ESP) is configurable
- key database memory management (need more fixes)
- policy specification is revisited

XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon
2000-01-31 14:18:52 +00:00
itojun
6118e5d8d2 allow any SPI value to be used, if well-known ipcomp CPI is used.
From: Laine Stump <lainestump@rcn.com>
To: current-users@netbsd.org
Message-Id: <3.0.3.32.19990907020809.0091fc90@pop.rcn.com>
Date: Tue, 07 Sep 1999 02:08:09 -0400
1999-09-07 07:41:45 +00:00
itojun
fd8ab6e67c sync with recent KAME.
bark when bogus prefix length (> 32 for IPv4, for exapmle) is specified.
1999-08-24 00:46:12 +00:00
itojun
70ada0957e sync with recent KAME.
- loosen ipsec restriction on packet diredtion.
- revise icmp6 redirect handling on IsRouter bit.
- tcp/udp notification processing (link-local address case)
- cosmetic fixes (better code share across *BSD).
1999-07-31 18:41:15 +00:00
thorpej
267920eb1a defopt INET6, and put it in opt_inet.h (most places already include this
file, which is why the file list is so short).
1999-07-09 23:41:16 +00:00
thorpej
f9a7668b3f defopt IPSEC and IPSEC_ESP (both into opt_ipsec.h). 1999-07-09 22:57:15 +00:00
itojun
dcc13cdd33 sync with KAME/NetBSD 1.4, SNAP kit 19990705.
key changes are:
- icmp6 redirect fix (dst check)
- revised ip6 multicast check for loopback i/f
- several RCS ID cleanups
1999-07-06 12:23:19 +00:00
cjs
5108aad9a8 ntohl() doesn't return long, so cast it. 1999-07-05 08:15:39 +00:00
itojun
9b74747370 s/splnet/splsoftnet/ in IPv6/IPsec part.
hope I made no mistake (the kernel works fine but I need a regress test)

Suggested by: thorpej
1999-07-04 02:01:15 +00:00
thorpej
cd3a345ea0 RCS ID police. 1999-07-03 21:24:45 +00:00
lukem
bd99d900df spell Association correctly 1999-07-03 04:45:53 +00:00
itojun
e208c5c64a enable IPSEC_ESP build (still needs manual symlink).
commit to cryptosrc-intl will follow.
1999-07-02 19:58:27 +00:00
thorpej
8328f07bda Fix printf format on LP64. 1999-07-01 22:47:56 +00:00
itojun
afb0d8e6e1 less warning on userland compilation. 1999-07-01 20:10:27 +00:00
itojun
118d2b1d4f IPv6 kernel code, based on KAME/NetBSD 1.4, SNAP kit 19990628.
(Sorry for a big commit, I can't separate this into several pieces...)
Pls check sys/netinet6/TODO and sys/netinet6/IMPLEMENTATION for details.

- sys/kern: do not assume single mbuf, accept chained mbuf on passing
  data from userland to kernel (or other way round).
- "midway" ATM card: ATM PVC pseudo device support, like those done in ALTQ
  package (ftp://ftp.csl.sony.co.jp/pub/kjc/).
- sys/netinet/tcp*: IPv4/v6 dual stack tcp support.
- sys/netinet/{ip6,icmp6}.h, sys/net/pfkeyv2.h: IETF document assumes those
  file to be there so we patch it up.
- sys/netinet: IPsec additions are here and there.
- sys/netinet6/*: most of IPv6 code sits here.
- sys/netkey: IPsec key management code
- dev/pci/pcidevs: regen

In my understanding no code here is subject to export control so it
should be safe.
1999-07-01 08:12:45 +00:00
itojun
74d3c214ec KAME/NetBSD 1.4 SNAP kit, dated 19990628.
NOTE: this branch (kame) is used just for refernce.  this may not compile
due to multiple reasons.
1999-06-28 06:36:47 +00:00