Commit Graph

255 Commits

Author SHA1 Message Date
rmind
7cb08cfdd0 Split IPsec code in ip_input() and ip_forward() into the separate routines
ipsec4_input() and ipsec4_forward().  Tested by christos@.
2013-06-08 13:50:22 +00:00
rmind
e4506547a6 Split IPSec logic from ip_output() into a separate routine - ipsec4_output().
No change to the mechanism intended.  Tested by christos@.
2013-06-08 03:26:05 +00:00
christos
27fe772ddc IPSEC has not come in two speeds for a long time now (IPSEC == kame,
FAST_IPSEC). Make everything refer to IPSEC to avoid confusion.
2013-06-05 19:01:26 +00:00
christos
213e873fd6 PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access
outdated pointers and pass ESP data to UPD-sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.
2013-06-04 22:47:37 +00:00
gdt
0c9c715c58 Fix FAST_IPSEC locking violation.
Without this change, using ESP tunnels with FAST_IPSEC on a 2-cpu i386
machine results in an mbuf leak.  This change was tested in netbsd-6.

When FAST_IPSEC is enabled and a tunnel is set up, after the
outer packet is stripped off, FAST_IPSEC queues the inner
packet on the appropriate queue (ipinstrq or ip6instrq).
These queues require the KERNEL_LOCK to be held before
using the queue, and the FAST_IPSEC code did not take the
KERNEL_LOCK as required.
KERNEL_LOCK and KERNEL_UNLOCK_ONE calls have been added.

If a struct ifnet instance is passed to the if_handoff
function which does this queuing, the interface's
if_start function may be called.  Some hardware devices
require KERNEL_LOCK to be held; others do not.  Looking
at the body of NetBSD code, other places where an if_start
function is called, KERNEL_LOCK is held.  Thus, the lock is
not released in if_handoff until after the if_start function
is called.  In practice, having the kernel lock when
if_start is called makes no difference - there is not
a single instance in all of the NetBSD code where
if_handoff is passed an instance of struct ifnet.

This commit is the work of Bev Schwartz of BBN.

Approved for Public Release, Distribution Unlimited
This material is based upon work supported by the Defense Advanced Research
Projects Agency and Space and Naval Warfare Systems Center, Pacific, under
Contract No. N66001-09-C-2073.
2013-05-09 19:21:50 +00:00
christos
62903782ed rename pcb_sp to policy to avoid:
$SRC/arch/arm/include/pcb.h:#define     pcb_sp          pcb_un.un_32.pcb32_sp
$SRC/arch/arm/include/pcb.h:#define     pcb_sp          pcb_sf.sf_r13
2012-12-07 15:29:38 +00:00
gdt
d2966f6e1d Fix whitespace (mostly removing trailing).
This commit changes only whitespace (trailing, tabs vs spaces,
removing spurious newlines).  From Bev Schwartz of BBN.
2012-09-20 23:50:05 +00:00
drochner
8588929dc5 Add "consttime_bcmp" and "explicit_bzero" functions for both kernel
abd userland, as proposed on tech-security, with explicit_bzero using
a volatile function pointer as suggested by Alan Barrett.
Both do what the name says. For userland, both are prefixed by "__"
to keep them out of the user namespace.
Change some memset/memcmp uses to the new functions where it makes
sense -- these are just some examples, more to come.
2012-08-30 12:16:48 +00:00
drochner
a01fe2e22b g/c unused struct member 2012-08-29 20:37:50 +00:00
dsl
e21a34c25e Add some pre-processor magic to verify that the type of the data item
passed to sysctl_createv() actually matches the declared type for
  the item itself.
In the places where the caller specifies a function and a structure
  address (typically the 'softc') an explicit (void *) cast is now needed.
Fixes bugs in sys/dev/acpi/asus_acpi.c sys/dev/bluetooth/bcsp.c
  sys/kern/vfs_bio.c sys/miscfs/syncfs/sync_subr.c and setting
  AcpiGbl_EnableAmlDebugObject.
(mostly passing the address of a uint64_t when typed as CTLTYPE_INT).
I've test built quite a few kernels, but there may be some unfixed MD
  fallout. Most likely passing &char[] to char *.
Also add CTLFLAG_UNSIGNED for unsiged decimals - not set yet.
2012-06-02 21:36:41 +00:00
drochner
364a06bb29 remove KAME IPSEC, replaced by FAST_IPSEC 2012-03-22 20:34:37 +00:00
elad
0c9d8d15c9 Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

    http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
    http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
    http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
2012-03-13 18:40:26 +00:00
drochner
f9e506933b remove some DPRINTFs which are not just diagnostics but cause noise
even on regular operation
2012-01-26 21:10:24 +00:00
drochner
00cbca9cf5 After IPSEC input processing, pass a decoded/authenticated IPv4 packet
to upper layers through the IP protosw, as done for IPv6.
Before it was reinjected into the IP netisr queue which caused more
overhead and caused artefacts like double IP option processing.
Works well for me, should get more testing and review.
2012-01-25 21:58:10 +00:00
drochner
22beeb59d8 Make sure the mbufs in the input path (only the parts which we are going
to modify in the AH case) are writable/non-shared.
This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient
patch from that time by a radical solution.
(The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c,
so it needs a network driver modification to reproduce it.)
Being here, clarify a bit of ipcomp -- uncompression is done in-place,
the header must be removed explicitly.
2012-01-25 20:31:23 +00:00
drochner
7ccdced9b5 fix pointer/offset mistakes in handling of IPv4 options 2012-01-24 21:57:03 +00:00
drochner
11ce8fbd83 fix build in the (FAST_)IPSEC & TCP_SIGNATURE case 2012-01-11 14:39:08 +00:00
drochner
0d96157461 protect "union sockaddr_union" from being defined twice by a CPP symbol
(copied from FreeBSD), allows coexistence of (FAST_)IPSEC and pf
2012-01-11 14:37:45 +00:00
drochner
cf21c579f1 add patch from Arnaud Degroote to handle IPv6 extended options with
(FAST_)IPSEC, tested lightly with a DSTOPTS header consisting
of PAD1
2012-01-10 20:01:56 +00:00
drochner
e3fa29b8b1 allow the ESP fragment length in the NAT-T case to be reported back
through the pfkey interface, kernel part of PR kern/44952
by Wolfgang Stukenbrock
2012-01-09 15:42:08 +00:00
drochner
d107562abc Make FAST_IPSEC the default IPSEC implementation which is built
into the kernel if the "IPSEC" kernel option is given.
The old implementation is still available as KAME_IPSEC.
Do some minimal manpage adjustment -- kame_ipsec(4) is a copy
of the old ipsec(4) and the latter is now a copy of fast_ipsec(4).
2012-01-09 15:16:30 +00:00
drochner
47a381e15e more IPSEC header cleanup: don't install unneeded headers to userland,
and remove some differences berween KAME and FAST_IPSEC
2012-01-06 14:17:10 +00:00
drochner
8fd6dadaf8 include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))
2012-01-04 16:09:40 +00:00
drochner
3712f81ced -consistently use "char *" for the compiled policy buffer in the
ipsec_*_policy() functions, as it was documented and used by clients
-remove "ipsec_policy_t" which was undocumented and only present
 in the KAME version of the ipsec.h header
-misc cleanup of historical artefacts, and to remove unnecessary
 differences between KAME ans FAST_IPSEC
2012-01-04 15:55:35 +00:00
drochner
23e5beaef1 rename the IPSEC in-kernel CPP variable and config(8) option to
KAME_IPSEC, and make IPSEC define it so that existing kernel
config files work as before
Now the default can be easily be changed to FAST_IPSEC just by
setting the IPSEC alias to FAST_IPSEC.
2011-12-19 11:59:56 +00:00
drochner
25b72c320c as in netkey/key.c, just use cprng_fast() to get a random number
(which is used to choose an SPI), kill the dummy seeding code
2011-12-19 11:47:16 +00:00
drochner
3321ddefb1 add missing rnd_extract->cprng_fast conversion, fixes build of
FAST_IPSEC kernels
2011-11-29 13:15:27 +00:00
plunky
7f3d4048d7 NULL does not need a cast 2011-08-31 18:31:02 +00:00
joerg
3eb244d801 Retire varargs.h support. Move machine/stdarg.h logic into MI
sys/stdarg.h and expect compiler to provide proper builtins, defaulting
to the GCC interface. lint still has a special fallback.
Reduce abuse of _BSD_VA_LIST_ by defining __va_list by default and
derive va_list as required by standards.
2011-07-17 20:54:30 +00:00
drochner
813bea3edb catch a case where an ip6 address with scope embedded was compared with
one without -- interestingly this didn't break the connection but just
caused a useless encapsulation
(this code needs to be rearranged to get it clean)
2011-06-09 21:04:37 +00:00
drochner
2cd69bbbad more "const" 2011-06-09 19:54:18 +00:00
dyoung
b6aa79a388 Fiddle a bit with const's to make FAST_IPSEC compile. 2011-06-08 16:24:50 +00:00
drochner
e4ef78d839 fix tunnel encapsulation in ipsec6_process_packet() -- it is not
completely clean yet, but at least a v6-in-v6 tunnel works now
2011-06-07 15:54:57 +00:00
drochner
7038ebdf09 reindent ipsec6_process_packet() - whitespace changes only 2011-06-07 15:50:42 +00:00
drochner
a46f4db6fd remove a limitation that inner and outer IP version must be equal
for an ESP tunnel, and add some fixes which make v4-in-v6 work
(v6 as inner protocol isn't ready, even v6-in-v6 can never have worked)

being here, fix a statistics counter and kill an unused variable
2011-06-06 16:48:35 +00:00
christos
940f19b42b more malloc style. 2011-06-05 01:45:37 +00:00
christos
dd8772617a - sprinkle const
- malloc style
2011-06-05 01:40:40 +00:00
drochner
0a8dabda40 pull in AES-GCM/GMAC support from OpenBSD
This is still somewhat experimental. Tested between 2 similar boxes
so far. There is much potential for performance improvement. For now,
I've changed the gmac code to accept any data alignment, as the "char *"
pointer suggests. As the code is practically used, 32-bit alignment
can be assumed, at the cost of data copies. I don't know whether
bytewise access or copies are worse performance-wise. For efficient
implementations using SSE2 instructions on x86, even stricter
alignment requirements might arise.
2011-05-26 21:50:02 +00:00
drochner
ebc232a582 copy AES-XCBC-MAC support from KAME IPSEC to FAST_IPSEC
For this to fit, an API change in cryptosoft was adopted from OpenBSD
(addition of a "Setkey" method to hashes) which was done for GCM/GMAC
support there, so it might be useful in the future anyway.
tested against KAME IPSEC
AFAICT, FAST_IPSEC now supports as much as KAME.
2011-05-24 19:10:08 +00:00
drochner
fe35ba177e g/c remainders of IV handling in pfkey code -- this is done in
opencrypto now
2011-05-23 15:17:25 +00:00
drochner
22a8d55c40 allow ESP to use AES-CTR
(pfkey and userland tool support is already there because it has been
in KAME IPSEC all the time)
tested against KAME IPSEC
2011-05-23 13:57:52 +00:00
drochner
5fafa9c424 -in the descriptor for encryption xforms, split the "blocksize" field
into "blocksize" and "IV size"
-add an "reinit" function pointer which, if set, means that the xform
 does its IV handling itself and doesn't want the default CBC handling
 by the framework (poor name, but left that way to avoid unecessary
 differences)
This syncs with Open/FreeBSD, purpose is to allow non-CBC transforms.
Refer to ivsize instead of blocksize where appropriate.
(At this point, blocksize and ivsize are identical.)
2011-05-23 13:46:54 +00:00
drochner
582edd8b2a include the SHA2 hashs into the proposal which goes out with
SADB_ACQUIRE -- this doesn't change much because racoon ignores
the proposal from the kernel anyway and applies its own configuration,
but having MD5 and SHA1 in the list but SHA2 not looks strange
2011-05-18 18:56:02 +00:00
drochner
184e1b20e6 use monotonic time rather than wall time for lifetime related timestamps,
to make key expiration robust against time changes
2011-05-18 18:36:15 +00:00
drochner
8ec435e6ba cleanup some error handling to avoid memory leaks and doube frees,
from Wolfgang Stukenbrock per PR kern/44948, and part of kern/44952
2011-05-17 18:57:02 +00:00
drochner
d1cd4a3eb4 fix lookup of SAs for outgoing packets in the !prefered_oldsa case,
as done in KAME and FAST_IPSEC after NetBSD imported the code
(The default differs: KAME uses the oldest valid SA while FAST_IPSEC
in NetBSD uses the newest one. I'm not changing this -- there is a lack
of specification and behavior can be changed with the "oldsa" sysctl.)
For incoming packets it shouldn't matter but I made it look similar
just to avoid unnecessary differences.
2011-05-17 18:43:02 +00:00
drochner
1234118091 remove redundant declaration 2011-05-16 10:05:23 +00:00
drochner
7c0f80c6a5 remove a useless m_freem() call where the argument is known to be NULL 2011-05-16 10:04:02 +00:00
drochner
06d326df43 use time_t rather than long for timestamps 2011-05-16 10:02:30 +00:00
drochner
48841b961c cosmetical whitespace changes 2011-05-16 10:00:32 +00:00