Commit Graph

175 Commits

Author SHA1 Message Date
degroote
6997fa5f35 Choose the good default policy, depending of the adress family of the
desired policy
2007-04-15 14:17:12 +00:00
degroote
20341ba8ef Add sysctl tree to modify the fast_ipsec options related to ipv6. Similar
to the sysctl kame interface.
2007-04-11 22:21:41 +00:00
degroote
68c3173bb4 When we construct an answer for SADB_X_SPDGET, don't use an hardcoded 0 for seq but
the seq used by the request. It will improve consistency with the answer of SADB_GET
request and helps some applications which relies both on seq and pid.

Reported by  Karl Knutsson by pr/36119.
2007-04-11 21:33:40 +00:00
degroote
2a2cd74d79 In spddelete2, if we can't find the sp by this id, return after sending an error message,
don't process the following code with the NULL sp.

Spotted by Matthew Grooms on freebsd-net ML
2007-04-11 21:19:35 +00:00
degroote
0c3809d098 Fix a memleak in key_spdget.
Problem was reported by Karl Knutsson by pr/36119.
2007-04-09 21:07:03 +00:00
degroote
0138b12722 Honor the ip4_ah_offsetmask bits (clear or not the ip->ip_off field for ah
processing).
2007-03-25 22:11:18 +00:00
degroote
46c420f11a Use ip4_ah_cleartos instead of ah_cleartos for consistency 2007-03-25 22:06:33 +00:00
degroote
40cf3d18fa Make an exact match when we are looking for a cached sp for an unconnected
socket. If we don't make an exact match, we may use a cached rule which
has lower priority than a rule that would otherwise have matched the
packet.

Code submitted by Karl Knutsson in PR/36051
2007-03-25 12:46:42 +00:00
degroote
507fd51bd3 Call key_checkspidup with spi in network bit order in order to make correct
comparaison with spi stored into the sadb.

Reported by Karl Knutsson in kern/36038 .
2007-03-21 22:38:34 +00:00
liamjfoy
142de6f17b Allow to build without INET6
Submitted by: Jukka Salmi
2007-03-09 00:40:39 +00:00
liamjfoy
9763fa0590 Add IPv6 Fast Forward:
Add call to ip6flow_invalidate_all()

ok christos, matt, dyoung and joerg
2007-03-07 22:21:45 +00:00
degroote
dd86ba7231 Remove useless cast
Use NULL instead of (void*) 0
2007-03-04 21:17:54 +00:00
degroote
c252f603d0 Fix fallout from caddr_t changes 2007-03-04 19:54:48 +00:00
christos
53524e44ef Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. 2007-03-04 05:59:00 +00:00
degroote
f76a162cb7 Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
2007-02-23 19:35:25 +00:00
degroote
9e2b4bf469 Always free the sav, not only in the mature case 2007-02-18 18:58:17 +00:00
degroote
5bf3692f91 Fix the {ah,esp}4_ctlinput code 2007-02-18 14:28:25 +00:00
degroote
b7fbb86788 Forgot to remove two useless extern 2007-02-18 14:13:52 +00:00
degroote
b0339b36b0 Constify the code following the dyoung change ( the "bug" was hidden by the
extern declaration ).
While here, remove a Kame ifdef which is useless in netipsec code
2007-02-18 13:55:25 +00:00
degroote
0a648e9c8b Remove __P
Remove useless extern
Use ansi declaration
2007-02-18 13:27:31 +00:00
dyoung
5493f188c7 KNF: de-__P, bzero -> memset, bcmp -> memcmp. Remove extraneous
parentheses in return statements.

Cosmetic: don't open-code TAILQ_FOREACH().

Cosmetic: change types of variables to avoid oodles of casts: in
   in6_src.c, avoid casts by changing several route_in6 pointers
   to struct route pointers.  Remove unnecessary casts to caddr_t
   elsewhere.

Pave the way for eliminating address family-specific route caches:
   soon, struct route will not embed a sockaddr, but it will hold
   a reference to an external sockaddr, instead.  We will set the
   destination sockaddr using rtcache_setdst().  (I created a stub
   for it, but it isn't used anywhere, yet.)  rtcache_free() will
   free the sockaddr.  I have extracted from rtcache_free() a helper
   subroutine, rtcache_clear().  rtcache_clear() will "forget" a
   cached route, but it will not forget the destination by releasing
   the sockaddr.  I use rtcache_clear() instead of rtcache_free()
   in rtcache_update(), because rtcache_update() is not supposed
   to forget the destination.

Constify:

   1 Introduce const accessor for route->ro_dst, rtcache_getdst().

   2 Constify the 'dst' argument to ifnet->if_output().  This
     led me to constify a lot of code called by output routines.

   3 Constify the sockaddr argument to protosw->pr_ctlinput.  This
     led me to constify a lot of code called by ctlinput routines.

   4 Introduce const macros for converting from a generic sockaddr
     to family-specific sockaddrs, e.g., sockaddr_in: satocsin6,
     satocsin, et cetera.
2007-02-17 22:34:07 +00:00
degroote
fb66d23b5f fixed a unexpected addr/port matching failure in SA management
From cvs rev 1.127 of netkey/key.c
2007-02-11 13:35:00 +00:00
degroote
97d02ceb4b reqid (for unique policy) is u_int16_t quantity.
from rev 1.125 of netkey/key.c
2007-02-11 13:32:18 +00:00
degroote
e2211411a4 Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packet with extensions headers are not correctly
supported
Change the ipcomp logic
2007-02-10 09:43:05 +00:00
dyoung
854c48804d KNF: bzero -> memset. 2007-01-26 19:49:18 +00:00
joerg
eb04733c4e Introduce new helper functions to abstract the route caching.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cashed and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either a valid again
or NULL.
rtcache_copy is used internally.

Adjust to callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is sementically equivalent though.
etherip doesn't need sc_route_expire similiar to the gif changes from
dyoung@ earlier.

Based on the earlier patch from dyoung@, reviewed and discussed with
him.
2006-12-15 21:18:52 +00:00
dyoung
c308b1c661 Here are various changes designed to protect against bad IPv4
routing caused by stale route caches (struct route).  Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).

Stale IPv6 and ISO route caches will be treated by separate patches.

Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.

Here are the details:

Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.

Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.

Chain together all IPv4 route caches where ro_rt != NULL.  Provide
in_rtcache() for adding a route to the chain.  Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches.  In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain.  In in_rtflushall(), walk the chain and remove every route
cache.

In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.

In gif(4), discard the workaround for stale caches that involves
expiring them every so often.

Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).

Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.

Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.

In domain initializers, use .dom_xxx tags.

KNF here and there.
2006-12-09 05:33:04 +00:00
christos
1665d5e960 fix spelling of accommodate; from Zapher. 2006-11-24 19:46:58 +00:00
christos
168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
christos
6c265266c5 more __unused 2006-10-13 20:53:59 +00:00
matt
0b50c4ad5c Make this compile again (hi xtos!). Switch to C99 structure initializations. 2006-08-31 23:21:54 +00:00
ad
f474dceb13 Use the LWP cached credentials where sane. 2006-07-23 22:06:03 +00:00
kardel
ced596e186 clarify time scale semantic issue 2006-06-10 11:42:07 +00:00
kardel
4eff7fe074 reference time.tv_sec in non timecounter case
missing conversion spotted by Geoff Wing
XXX This code need to be checked whether UTC time
is really the right abstraction. I suspect uptime
would be the correct time scale for measuring life times.
2006-06-10 11:30:37 +00:00
kardel
6aad29aa7b fix a missing conversion for a mono_time reference.
detected by Geoff Wing.
2006-06-10 11:12:09 +00:00
kardel
de4337ab21 merge FreeBSD timecounters from branch simonb-timecounters
- struct timeval time is gone
  time.tv_sec -> time_second
- struct timeval mono_time is gone
  mono_time.tv_sec -> time_uptime
- access to time via
	{get,}{micro,nano,bin}time()
	get* versions are fast but less precise
- support NTP nanokernel implementation (NTP API 4)
- further reading:
  Timecounter Paper: http://phk.freebsd.dk/pubs/timecounter.pdf
  NTP Nanokernel: http://www.eecis.udel.edu/~mills/ntp/html/kern.html
2006-06-07 22:33:33 +00:00
elad
874fef3711 integrate kauth. 2006-05-14 21:19:33 +00:00
pavel
450a020195 The esp_input_cb function used m_copyback, which fails if the mbuf is
read-only. This can actually happen if the packet was received by the
xennet interface, see PR kern/33162. Change it to m_copyback_cow.

AH and IPCOMP probably need similar fixes.

Requested by Jeff Rizzo, tested on Xen with -current by him.
2006-04-28 22:39:02 +00:00
rpaulo
68699904bd Add two new sysctls protected under IPSEC_DEBUG:
net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
          the same sequence number. This allows to verify if the other side
          has proper replay attacks detection.

  net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with
          corrupted HMAC. This allows to verify if the other side properly
          detects modified packets.

(a message will be printed indicating when these sysctls changed)

By Pawel Jakub Dawidek <pjd@FreeBSD.org>.
Discussed with Christos Zoulas and Jonathan Stone.
2006-04-11 20:21:28 +00:00
rpaulo
51a2954a4d FreeBSD SA-06:11 and CVE-2006-0905: update the replay sequence number
or else the anti-reply technique won't work as expected.
2006-03-23 15:25:46 +00:00
wiz
5d1e8b2745 Fix some typos. 2006-02-25 02:28:55 +00:00
perry
fbae48b901 Change "inline" back to "__inline" in .h files -- C99 is still too
new, and some apps compile things in C89 mode. C89 keywords stay.

As per core@.
2006-02-16 20:17:12 +00:00
perry
0f0296d88a Remove leading __ from __(const|inline|signed|volatile) -- it is obsolete. 2005-12-24 20:45:08 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
elad
adf9419c9a Multiple inclusion protection, as suggested by christos@ on tech-kern@
few days ago.
2005-12-10 23:44:08 +00:00
christos
3b9c87155a Merge the 3 copies of m_getcl() so that fast ipsec compiles again together
with net80211. XXX: We don't really have an m_getcl(), we just emulate it.
2005-12-04 19:15:21 +00:00
christos
9152d0e109 PR/31478: YOMURA Masanori: Inconsistent default value of net.inet.ipsec.dfbit
Changed to match netinet6 (0->2)
2005-10-05 12:59:24 +00:00
yamt
2e85eff671 - introduce M_MOVE_PKTHDR and use it where appropriate.
intended to be mostly API compatible with openbsd/freebsd.
- remove a glue #define in netipsec/ipsec_osdep.h.
2005-08-18 00:30:58 +00:00
atatat
df13e3579e Change the rest of the sysctl subsystem to use const consistently.
The __UNCONST macro is now used only where necessary and the RW macros
are gone.  Most of the changes here are consumers of the
sysctl_createv(9) interface that now takes a pair of const pointers
which used not to be.
2005-06-20 02:49:18 +00:00
christos
f1171a425e constify and unshadow. 2005-06-10 13:22:42 +00:00
martin
71d020f371 Since we decided "const struct mbuf *" would not do the right thing (tm),
remove ~all const from mbuf pointers.
2005-06-06 06:06:50 +00:00
seanb
7ce7d7cb4c - Discrepency between malloc / free types with init vector (see free
in netipsec/key.c).
- Reviewed by christos.
2005-05-27 22:30:03 +00:00
christos
8dc75b1c08 Panic strings should not end with \n. 2005-05-08 18:44:39 +00:00
christos
761bd09636 PR/30154: YAMAMOTO Takashi: tcp_close locking botch
chgsbsize() as mentioned in the PR can be called from an interrupt context
via tcp_close(). Avoid calling uid_find() in chgsbsize().
- Instead of storing so_uid in struct socketvar, store *so_uidinfo
- Add a simple lock to struct uidinfo.
2005-05-07 17:42:09 +00:00
jonathan
f00865a2d9 Repair references to nonexistent structs in sys/netipsec/key.c after
NAT-T changes. Matches changes to reference non-nonexistent structs in
sys/netkey.

I have no clue if this is correct, but it matches the style in
sys/netkey, and (unlike the previous two revisions) it actually compiles...
2005-02-28 17:47:50 +00:00
perry
f07677dd81 nuke trailing whitespace 2005-02-26 22:45:09 +00:00
manu
5c217c1a67 Add support for IPsec Network Address Translator traversal (NAT-T), as
described by RFC 3947 and 3948.
2005-02-12 12:31:07 +00:00
matt
d341be30f4 Change initialzie of domains to use link sets. Switch to using STAILQ.
Add a convenience macro DOMAIN_FOREACH to interate through the domain.
2005-01-23 18:41:56 +00:00
jonathan
2bee2ad85f Fix missing break; Emmanuel Dreyfus.
C.f. sys/netinet6/ipsec.c rev 1.97 -> 1.98, but does not include the
gratutious change for a case which (the comment says) should not occur.
2004-10-27 23:10:13 +00:00
atatat
fe2724d030 Remove redundant instantiation of esp_net_deflev sysctl node. Not
sure how this happened, but it didn't harm anything either way.

Addresses PR kern/26672.
2004-08-15 19:10:26 +00:00
atatat
14eee8f4cc Rework sys/netipsec/ipsec_netbsd.c to present a more consistent tree.
Rework usr.bin/netstat/fast_ipsec.c to find the stats nodes under the
new names (Kame uses the name stats so we use different ones), as well
as setting slen appropriately between calls to sysctlbyname(), and
providing forward compatibility when actually retrieving stats via
sysctlbyname().

And correct a spelling error.
2004-07-17 16:36:39 +00:00
jonathan
37b1ad2317 Commit changes to make ACQUIRE messages -- actually, all messages
to ``registered'' sockets -- be treated ``specially'', as suggested
by RFC-2367.

The "special" treatment sys/netipsec now gives such messages is that
we use sbappendaddrchain() to deliver the (single) kernel-generated
message to each registered PF_KEY socket, with an sbprio argument of
SB_PRIO_BESTEFFORT, thus by-passing

For now, we check for registered messages, set a local `sbprio'
argument, and call sbappendaddrchain() (as opposed to sbappendaddr())
if and only if sbprio is non-NULL. As noted, we can rework
key_sendup_mbuf(), and all its callers, to pass the sbprio argument;
pending consensus (and hopeful KAME buy-back).
2004-06-10 01:39:59 +00:00
jonathan
121767b691 Fix oversight from re-using reworked sysctl() code for unicast SPD,SADB dump:
because the sysctl() code wasn't setting the requestor-pid field in dump
responses, the reworked unicast dump wasn't setting the requestor pid, either.
More exaclty, the pid field was set to 0.

No problem for setkey(8), but racoon reportedly ignores SADB dump-responses
with any pid (including 0) which doesn't match its own pid. A private bug
report says the 0-valued pid field broke racoon code which attempts to recover
from death of a prior racoon process, by dumping the SADB at startup.

Fix by revising sys/netipsec, so that both the new unicast PF_KEY dump
responses and the sysctl code set the requestor pid field in all
response mesages to DUMP requests.
2004-06-10 01:28:25 +00:00
jonathan
d25d3eb263 Rework to make FAST_IPSEC PF_KEY dumps unicast and reliable:
Introduce new socket-layer function sbappendaddrchain() to
sys/kern/uipc_socket2.c: like sbappendaddr(), only takes a chain of
records and appends the entire chain in one pass. sbappendaddrchain()
also takes an `sbprio' argument, which indicates the caller requires
special `reliable' handling of the socket-buffer.  `sbprio' is
described in sys/sys/socketvar.h, although (for now) the different
levels are not yet implemented.

Rework sys/netipsec/key.c PF_KEY DUMP responses to build a chain of
mbuf records, one record per dump response. Unicast the entire chain
to the requestor, with all-or-none semantics.

Changed files;
 	sys/socketvar.h kern/uipc_socket2.c netipsec/key.c
Reviewed by:
	Jason Thorpe, Thor Lancelot Simon, post to tech-kern.

Todo: request pullup to 2.0 branch.  Post-2.0, rework sysctl() API for
dumps to use new record-chain constructors. Actually implement
the distinct service levels in sbappendaddrchain() so we can use them
to make PF_KEY ACQUIRE messages more reliable.
2004-05-27 19:19:00 +00:00
jonathan
10c711c569 Fix bugs in SPD refcounts due to PCBpolicy cache, by backporting the
KAME sys/netkey/key.c rev 1.119 ke_sp_unlink()/key_sp_dead() logic.

I have been running a similar version for about 10 days now, and it
fixes the PCB-cache refcount problems for me.

Checked in as a candidate for pullup to the 2.0 branch.
2004-05-26 23:16:25 +00:00
jonathan
527a13d4b5 Thanks to Andrew Brown for the heads-up that fast_ipsec still had
key_prefered_oldsa, defaulted to 1 (on): preferring old SAs, based on
the ill-concieved Jenkins I-D, is broken by design.  For now, just
turn it off, as the simplest way to fix this in the 2.0 branch.

Next step is to rip it out entirely: it was always a bad idea.
2004-05-26 22:14:18 +00:00
atatat
100394ee13 The FAST_IPSEC code actually supports KEYCTL_PREFERED_OLDSA, so export
it via sysctl.
2004-05-25 04:00:33 +00:00
jonathan
85b3ba5bf1 Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl,  for
netstat -p ipsec.

New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)

Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)

	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)

	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)

	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)

Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)
2004-05-07 00:55:14 +00:00
jonathan
e128743cff Commit an old diff for AH which has been in my personal tree since
August 2003:

On NetBSD, when we get to ah_massage_headers(), ip->ip_len is in
network byte order and includes all bytes in the input packet.
Therefore we don't need to byte-swap it or to add `skip' back in,
before verifying the receive-side hash.

With this change, AH transport mode works against FreeBSD 4.9 fast-ipsec
(which also works against Win2k, &c., &c.).
2004-05-01 03:00:42 +00:00
jonathan
d45a8b054b Minimal cleanup of sys/netipsec/ipsec{,_osdep}.h, to allow compiling
FAST_IPSEC headers (with declarations of stats structures) in
userspace code. I haven't checked for strict POSIX conformance, but
Sam Leffler's FreeBS `ipsecstats' tool will now compile, if you
manually make and populate usr/include/sys/netipsec.

Committed as-is for Andrew Brown to check more of the sys/netipsec sysctls.
2004-04-30 04:12:29 +00:00
jonathan
f233c99a3c Fix for setkey(8) to dump SPD and SAdb via sysctl:
#1. Fix an off-by-one error in sysctl_net_key_dumpsa(), which was
passing sysctl argument name[1] to a helper.  According to Andrew
Brown's revised dynamic sysctl schmea, it must instead pass name[0].

2.  There is a naming glitch in using sysctl() for setkey(8): setkey
queries the same sysctl MIB numbers to dump IPsec database state,
irrepesctive of the underlying IPsec is KAME or FAST_IPSEC.
For this to work as expected, sys/netipsec must export net.key.dumpsa
and net.key.dumpsp via the identical MIB numbers  used by sys/netkey.
``Make it so''. For now, renumber the sys/netipsec/key.c nodes;
post-2.0 we can use sysctl aliases.

3.  For as-yet-unexplained reasons, the PF_KEY_V2 nodes are never
shown (or queried?) by sysctl(8). For 2.0, I am following an earlier
suggestion from Andrew Brown, and renumbering allthe FAST_IPSEC sysctl
nodes to appear under net.key at MIB number { CTL_NET, PF_KEY }. Since
the renumbering may change, the renumbering is done via a level of
indirection in the C preprocessor.

The nett result is that setkey(8) can find the nodes it needs for
setkey -D and setkey -PD: and that sysctl(8) finds all the FAST_IPSEC
sysctl nodes relatedy to IPsec keying, under net.key.  Andrew Brown
has reviewed this patch and tentatively approved the changes, though
we may rework some of the changes in -current in the near future.
2004-04-30 01:08:35 +00:00
jonathan
496077ab25 Update sys/netipsec/key.c to check for attempts to add IPv6-related
SPDs, and to warn about and reject any such attempts.

Addresses a security concern, that the (eas-yet incomplete, experimental)
FAST_IPSEC+INET6 does not honour IPv6 SPDs.  The security risk is that
Naive users may not realize this, and their data may get leaked in
cleartext, rather than IPsec'ed, if they use IPv6.

Security issue raised by: Thor Lancelot Simon
reviewed and OKed by: Thor Lancelot Simon

2.0 Pullup request after: 24 hours for further public comment.
2004-04-27 23:57:19 +00:00
itojun
d798d64879 xform_tcp.c is needed only with FAST_IPSEC 2004-04-26 03:50:57 +00:00
matt
e06794e93a Remove #else of #if __STDC__ 2004-04-26 01:41:15 +00:00
jonathan
887b782b0b Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP).  Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net.  Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct.  Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures.  Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary.  Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
2004-04-25 22:25:03 +00:00
jonathan
cf1c72d3a5 Add `const' to the safety-catch local definition of ip6_protosw,
to maatch sys/netinet6/ip6protosw.
2004-04-24 23:28:13 +00:00
itojun
d2f1c029b9 kill sprintf, use snprintf 2004-04-21 18:40:37 +00:00
keihan
fef14e4cd8 s/netbsd.org/NetBSD.org/g 2004-04-06 08:48:55 +00:00
atatat
19af35fd0d Tango on sysctl_createv() and flags. The flags have all been renamed,
and sysctl_createv() now uses more arguments.
2004-03-24 15:34:46 +00:00
jonathan
5093b79faa Delint for compiling with INET6:
Add 'XXX FIXME' comments to ah4_ctlinput(), esp4_ctlinput()
ipcode-paths merely cast away local variables ip, ah/esp, sav; the
fast-ipsec IPv4 code appears to work even so.

In espv6_ctlinput(), call the fast-ipsec KEY_ALLOCSA()/KEY_FREESA()
macros, not the KAME-native key_allocsa()/key_freesa() functions.
Cast sa6_src/sa6_dst to void; the fast-ipsec API does not (yet) pass
both src and dst addrs to  KEY_d-ALLOCSA/KEY_FREESA.

Make sure 'off' is set to 0 on the branch where it was formerly
used-before-set.

Will now compile with ``options INET6'' (as in
sys/arch/i386/conf/GENERIC.FAST_IPSEC), but is not yet
expected to acutally work with IPv6.
2004-03-20 03:08:55 +00:00
jonathan
def672af05 Temporarily ifdef out sys/netipsec/ipsec_input.c:esp6_ctlinput(),
as there is a duplicate version in (my) ipsec_netbsd.c, with somewhat
newer IP-multicast tests.
2004-03-20 02:57:48 +00:00
jonathan
60f87b2f99 sys/netinet6/ip6_ecn.h is reportedly a FreeBSD-ism; NetBSD has
prototypes for the IPv6 ECN ingress/egress functions in sys/netinet/ip_ecn.h,
inside an #ifdef INET6 wrapper.   So, wrap sys/netipsec ocurrences of
	#include <netinet6/ip6_ecn.h>
in #ifdef __FreeBSD__/#endif, until both camps can agree on this
teensy little piece of namespace. Affects:
    ipsec_output.c xform_ah.c xform_esp.c xform_ipip.c
2004-03-17 00:21:43 +00:00
jonathan
c3b09e1e59 Fix key_ismyaddr6() multicast test, as per sys/netkey/key.c NetBSD rev 1.112. 2004-03-17 00:17:45 +00:00
jonathan
dc6a77862b Delint ntohl() as argument to a "%lx" format in a log message. 2004-03-16 22:58:54 +00:00
jonathan
046d8e371f #include <net/net_osdep.h>: if INET6 is configured,
ipsec_encapsulate() calls ovbcopy(), which is otherwise deprecated.
2004-03-16 22:48:29 +00:00
jonathan
2061ef0c38 Remove the old, inet4-specific versions of PCB_T, PCB_FAMILY, and PCB_SOCKET,
and the surrounding #ifndef notyet/#else/#endif which had the removed lines
in the #else branch.  The inpcb_hdr versions have been in use for
some time now.
2004-03-16 22:37:46 +00:00
thorpej
076a26a516 Remove some left-over debugging code. 2004-03-02 02:24:02 +00:00
thorpej
ce5ecc33b9 Bring the PCB policy cache over from KAME IPsec, including the "hint"
used to short-circuit IPsec processing in other places.

This is enabled only for NetBSD at the moment; in order for it to function
correctly, ipsec_pcbconn() must be called as appropriate.
2004-03-02 02:22:56 +00:00
thorpej
68020cebc0 iipsec4_get_ulp(): Fix a reversed test that would have caused us to access
bogus IP header data if presented with a short mbuf.
2004-03-02 00:50:57 +00:00
thorpej
fdbf515ae2 Add missing copyright notice (FreeBSD rev. 1.3.2.2). 2004-03-01 23:30:01 +00:00
thorpej
4f0ad651e0 Add missing copyright notice (FreeBSD rev. 1.1). 2004-03-01 23:28:02 +00:00
thorpej
c82e44fc22 Add missing copyright notice (FreeBSD rev. 1.5.2.2). 2004-03-01 23:24:10 +00:00
thorpej
09a25ecbcd Add missing copyright notices (FreeBSD rev 1.2.4.2). 2004-03-01 23:20:53 +00:00
thorpej
31e39503c5 Merge netkey/key.c rev 1.51 (wiz):
va_{start,end} audit:
Make sure that each va_start has one and only one matching va_end,
especially in error cases.
If the va_list is used multiple times, do multiple va_starts/va_ends.
If a function gets va_list as argument, don't let it use va_end (since
it's the callers responsibility).

Improved by comments from enami and christos -- thanks!

Heimdal/krb4/KAME changes already fed back, rest to follow.

Inspired by, but not not based on, OpenBSD.
2004-03-01 18:33:03 +00:00
wiz
f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
jonathan
130b3e9f4d Change #endif __FreeBSD__ to #endif /* __FreeBSD__ */ 2004-01-28 01:35:31 +00:00
jonathan
6a3dab3a1a Remove ``#ifdef IPSEC'' include block; they are not appropriate here.
Remove #ifdef FAST_IPSEC/#endif around the inclusion of local
(sys/netipsec) header files; they are always appropriate for
this file (sys/netipsec/ipsec_netbsd.c). At least on NetBSD.

If INET6 is defined, include appropriate header files
(local netipsec/ipsec6.h, netinet6/ip6protosw.h, and icmp6.h
from its standards-compliant location in netinet/).

Will now at least compile and link when ``options INET6' is configured.
2004-01-23 02:39:49 +00:00
jonathan
e139b2063a IPv6 mapped adddresses require us to cope with limited polymorphism
(struct in6pcb* versus struct inpcb*) in ipsec_getpolicybysock().

Add new macros (in lieu of an abstract data type) for a ``generic''
PCB_T (points to a struct inpcb* or struct in6pcb*) to ipsec_osdep.h.
Use those new macros in ipsec_getpolicybysock() and elsewhere.

As posted to tech-net for comment/feedback, late  2003.
2004-01-20 22:55:14 +00:00
scw
f8d2d740de Fix ipip_output() to always set *mp to NULL on failure, even if 'm'
is NULL, otherwise ipsec4_process_packet() may try to m_freem() a
bad pointer.

In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output()
already did it.
2004-01-16 11:06:27 +00:00
scw
58987a0a55 Since callers of m_getcl() assume it always allocates a cluster, check
that MGETCL() actually succeeded before returning the mbuf.
2004-01-16 09:50:40 +00:00