Commit Graph

43 Commits

Author SHA1 Message Date
jonathan c3b09e1e59 Fix key_ismyaddr6() multicast test, as per sys/netkey/key.c NetBSD rev 1.112. 2004-03-17 00:17:45 +00:00
jonathan dc6a77862b Delint ntohl() as argument to a "%lx" format in a log message. 2004-03-16 22:58:54 +00:00
jonathan 046d8e371f #include <net/net_osdep.h>: if INET6 is configured,
ipsec_encapsulate() calls ovbcopy(), which is otherwise deprecated.
2004-03-16 22:48:29 +00:00
jonathan 2061ef0c38 Remove the old, inet4-specific versions of PCB_T, PCB_FAMILY, and PCB_SOCKET,
and the surrounding #ifndef notyet/#else/#endif which had the removed lines
in the #else branch.  The inpcb_hdr versions have been in use for
some time now.
2004-03-16 22:37:46 +00:00
thorpej 076a26a516 Remove some left-over debugging code. 2004-03-02 02:24:02 +00:00
thorpej ce5ecc33b9 Bring the PCB policy cache over from KAME IPsec, including the "hint"
used to short-circuit IPsec processing in other places.

This is enabled only for NetBSD at the moment; in order for it to function
correctly, ipsec_pcbconn() must be called as appropriate.
2004-03-02 02:22:56 +00:00
thorpej 68020cebc0 iipsec4_get_ulp(): Fix a reversed test that would have caused us to access
bogus IP header data if presented with a short mbuf.
2004-03-02 00:50:57 +00:00
thorpej fdbf515ae2 Add missing copyright notice (FreeBSD rev. 1.3.2.2). 2004-03-01 23:30:01 +00:00
thorpej 4f0ad651e0 Add missing copyright notice (FreeBSD rev. 1.1). 2004-03-01 23:28:02 +00:00
thorpej c82e44fc22 Add missing copyright notice (FreeBSD rev. 1.5.2.2). 2004-03-01 23:24:10 +00:00
thorpej 09a25ecbcd Add missing copyright notices (FreeBSD rev 1.2.4.2). 2004-03-01 23:20:53 +00:00
thorpej 31e39503c5 Merge netkey/key.c rev 1.51 (wiz):
va_{start,end} audit:
Make sure that each va_start has one and only one matching va_end,
especially in error cases.
If the va_list is used multiple times, do multiple va_starts/va_ends.
If a function gets va_list as argument, don't let it use va_end (since
it's the callers responsibility).

Improved by comments from enami and christos -- thanks!

Heimdal/krb4/KAME changes already fed back, rest to follow.

Inspired by, but not not based on, OpenBSD.
2004-03-01 18:33:03 +00:00
wiz f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
jonathan 130b3e9f4d Change #endif __FreeBSD__ to #endif /* __FreeBSD__ */ 2004-01-28 01:35:31 +00:00
jonathan 6a3dab3a1a Remove ``#ifdef IPSEC'' include block; they are not appropriate here.
Remove #ifdef FAST_IPSEC/#endif around the inclusion of local
(sys/netipsec) header files; they are always appropriate for
this file (sys/netipsec/ipsec_netbsd.c). At least on NetBSD.

If INET6 is defined, include appropriate header files
(local netipsec/ipsec6.h, netinet6/ip6protosw.h, and icmp6.h
from its standards-compliant location in netinet/).

Will now at least compile and link when ``options INET6' is configured.
2004-01-23 02:39:49 +00:00
jonathan e139b2063a IPv6 mapped adddresses require us to cope with limited polymorphism
(struct in6pcb* versus struct inpcb*) in ipsec_getpolicybysock().

Add new macros (in lieu of an abstract data type) for a ``generic''
PCB_T (points to a struct inpcb* or struct in6pcb*) to ipsec_osdep.h.
Use those new macros in ipsec_getpolicybysock() and elsewhere.

As posted to tech-net for comment/feedback, late  2003.
2004-01-20 22:55:14 +00:00
scw f8d2d740de Fix ipip_output() to always set *mp to NULL on failure, even if 'm'
is NULL, otherwise ipsec4_process_packet() may try to m_freem() a
bad pointer.

In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output()
already did it.
2004-01-16 11:06:27 +00:00
scw 58987a0a55 Since callers of m_getcl() assume it always allocates a cluster, check
that MGETCL() actually succeeded before returning the mbuf.
2004-01-16 09:50:40 +00:00
jonathan 01c51dab61 Split opencrypto configuration into an attribute, usable by inkernel
clients, and a pseudo-device for userspace access.

The attribute is named `opencrypto'. The pseudo-device is renamed to
"crypto", which has a dependency on "opencrypto". The sys/conf/majors
entry and pseudo-device attach entrypoint are updated to match the
new pseudo-device name.

Fast IPsec (sys/netipsec/files.ipsec) now lists a dependency on the
"opencrypto" attribute.  Drivers for crypto accelerators (ubsec,
hifn775x) also pull in opencrypto, as providers of opencrypto transforms.
2003-12-31 16:44:26 +00:00
thorpej 2731c72b47 Cast an expression with sizeof() to long. 2003-12-12 21:36:32 +00:00
scw 6aec1d6812 Make fast-ipsec and ipflow (Fast Forwarding) interoperate.
The idea is that we only clear M_CANFASTFWD if an SPD exists
for the packet. Otherwise, it's safe to add a fast-forward
cache entry for the route.

To make this work properly, we invalidate the entire ipflow
cache if a fast-ipsec key is added or changed.
2003-12-12 21:17:59 +00:00
scw 4b9d54ff56 Add KEYCTL_DUMPSA/KEYCTL_DUMPSP support.
setkey(8)'s -D and -P options now work as expected with fast-ipsec.
2003-12-12 21:04:03 +00:00
atatat 13f8d2ce5f Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al.  Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.

Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded.  Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.

All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.

PS - I'm sorry, but there's a distinct lack of documentation at the
moment.  I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 19:38:21 +00:00
scw fd11abcb03 For FAST_IPSEC, ipfilter gets to see wire-format IPsec-encapsulated packets
only. Decapsulated packets bypass ipfilter. This mimics current behaviour
for Kame IPsec.
2003-11-24 20:54:59 +00:00
jonathan 89d603f9ea This file was derived from FreeBSD, where "in6pcb" is a macro for
"inpcb", and this struct inpcb* and struct inp6cb* are the same type.

On NetBSD they are different types, so we must change the types of
formal argument in IPv6-specific functions from "struct inpcb *" to
"struct in6pcb*".

The code didn't compile on NetBSD beforehand, if both FAST_IPSEC + INET6
were configured. This fix will cause even more short-term breakage for
that case, but its a step in the right direction: it shows up what
still needs to be fixed.
2003-11-20 06:35:09 +00:00
jonathan 995c532c33 Revert the (default) ip_id algorithm to the pre-randomid algorithm,
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
2003-11-17 21:34:27 +00:00
jonathan ae4accd0de Use ip_randomid(), dependent on either __NetBSD__ preprocessor
token or FreeBSD RANDOM_IP_ID config option.
2003-11-14 07:15:28 +00:00
jonathan 79bf8521a5 Change global head-of-local-IP-address list from in_ifaddr to
in_ifaddrhead. Recent changes in struct names caused a namespace
collision in fast-ipsec, which are most cleanly fixed by using
"in_ifaddrhead" as the listhead name.
2003-11-11 20:25:26 +00:00
tls 9355900ec9 Reversion of "netkey merge", part 2 (replacement of removed files in the
repository by christos was part 1).  netipsec should now be back as it
was on 2003-09-11, with some very minor changes:

1) Some residual platform-dependent code was moved from ipsec.h to
   ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined.  ipsec.h
   now includes ipsec_osdep.h

2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has
   been left in place (it's arguable which name is less confusing but the
   rename is pretty harmless).

3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN
   is invalid and GCC 3 won't compile it.

An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now
gets through "make depend" but fails to build with errors in ip_input.c.
But it's better than it was (thank heaven for small favors).
2003-10-06 22:05:15 +00:00
jonathan ffa9f8f5aa No copyrignt notice here (caught by Sam Leffler). Add the same two-clause
copyright I sent to Sam Leffler for the FreeBSD version.
2003-09-29 22:35:43 +00:00
itojun 7fda10aea9 separate netkey/key* and netipsec/key* 2003-09-20 05:14:41 +00:00
itojun eb305c3c3c merge netipsec/key* into netkey/key*. no need for both.
change confusing filename
2003-09-12 11:20:57 +00:00
itojun 3df4458661 use ip_randomid 2003-09-12 11:09:31 +00:00
itojun aecd8615c5 no need for netipsec/key*, they are almost identical to netkey/key* 2003-09-12 11:09:30 +00:00
itojun 82eb4ce914 change the additional arg to be passed to ip{,6}_output to struct socket *.
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
jonathan c23a2c9c86 opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif. 2003-08-20 22:33:40 +00:00
jonathan 2ea4c76684 Fix bug with IP_DF handling which was breaking TCP: on FreeBSD, ip_off
is assumed to be in host byteorder during the input(?) path.  NetBSD
keeps ip_off and ip_len in network order.  Add (or remove) byteswaps
accordingly.  TCP over fast_ipsec now works with PMTU, as well as without.
2003-08-15 17:14:31 +00:00
jonathan f3ab6286e9 Change ipsec4_common_input() to return void (not int with errno,
as in FreeBSD), to match NetBSD protosw prototype.
2003-08-15 03:50:20 +00:00
jonathan 28b5f5dfab (fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
2003-08-15 03:42:00 +00:00
jonathan 23f68da565 Make sure one (potentially) overlapping copy is safe. 2003-08-13 20:13:59 +00:00
jonathan 740290313e Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4.
Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the
OpenCryptoFramework (and thus hardware crypto accelerators) and
numerous detailed performance improvements.

This import is (aside from SPL-level names) the FreeBSD source,
imported ``as-is'' as a historical snapshot, for future maintenance
and comparison against the FreeBSD source.  For now, several minor
kernel-API differences are hidden by macros a shim file, ipsec_osdep.h,
which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
2003-08-13 20:06:49 +00:00
jonathan 8b2ac878e4 Move the preprocessor/config feature-test macro (FAST_IPSEC) into opt_ipsec.h,
to simplify changes elsehere.

Add dependency on new file netipec/ipsec_netbsd.c, for some NetBSD-specific
required functionality (e.g., differences in ctl-input keydb handling).
2003-08-06 20:29:00 +00:00
jonathan cdfce9ce5e Commit initial NetBSD port of the OpenCrypto Framework (OCF). This
code is derived from Sam Leffler's FreeBSD port of OCF, which is in
turn a port of Angelos Keromytis's OpenBSD work.
Credit to Sam and Angelos, any blame for the NetBSD port to me.
2003-07-25 21:12:39 +00:00