Commit Graph

53 Commits

Author SHA1 Message Date
jonathan
887b782b0b Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP).  Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net.  Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct.  Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do not see any code
that verifies received TCP-MD5 signatures.  Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header; then do one final padding to
a 4-byte boundary.  Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c,
and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
2004-04-25 22:25:03 +00:00
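An added worked example of the RFC 2385 computation this commit ports, including the receive-side check the message says it could not find. This is not NetBSD or FreeBSD code and is not part of the commit; it is written in Python with the standard library rather than the kernel's C so it can be run as-is. The function names (`build_signed_segment`, `verify_segment`, `find_signature_option`), the key, the addresses, the port numbers and the payload are this example's own, constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not NetBSD/FreeBSD code.  Option kind 19, length 18 (RFC 2385).
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_SIGNATURE = 0, 1, 19
TCPOLEN_SIGNATURE = 18   # kind(1) + length(1) + 16-byte MD5 digest
TCP_HDRLEN = 20          # fixed header; options are excluded from the digest


def pseudo_header(src_ip, dst_ip, seg_len):
    """IPv4 pseudo-header (src, dst, zero, proto 6, segment length)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over the four RFC 2385 inputs, in order: pseudo-header; the 20-byte
    TCP header with its checksum field zeroed (options excluded, but the data
    offset still counts them); the data after the options; the key.
    `segment` is header + options + payload exactly as it sits on the wire."""
    doff = (segment[12] >> 4) * 4
    hdr = bytearray(segment[:TCP_HDRLEN])
    hdr[16:18] = b"\x00\x00"
    m = hashlib.md5()
    for part in (pseudo_header(src_ip, dst_ip, len(segment)),
                 bytes(hdr), segment[doff:], key):
        m.update(part)
    return m.digest()


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; fills the real checksum field after
    signing, since the digest was computed with that field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                         window, payload, key):
    """Emit a segment carrying a correct TCP-MD5 option.  The 18-byte option is
    padded with two NOPs to a 32-bit boundary, the alignment the commit
    message describes for the ported code."""
    pad = bytes([TCPOPT_NOP, TCPOPT_NOP])
    doff = (TCP_HDRLEN + TCPOLEN_SIGNATURE + len(pad)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4,
                      flags, window, 0, 0)
    # Options never enter the digest, so a zero-filled placeholder of the right
    # length is enough to put the data offset and the payload where they belong.
    placeholder = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16) + pad
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + placeholder + payload, key)
    segment = hdr + bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest + pad + payload
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def find_signature_option(segment):
    """Walk the option list; return the 16-byte digest from a well-formed
    kind-19 option, or None if it is absent or the list is malformed."""
    doff = (segment[12] >> 4) * 4
    if doff < TCP_HDRLEN or doff > len(segment):
        return None
    i = TCP_HDRLEN
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return None                      # kind byte with no length byte
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            return None                      # option runs past the header
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return bytes(segment[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receive-side check: recompute the digest and compare in constant time.
    RFC 2385 requires a segment failing the comparison to be dropped; a
    missing or malformed option on a keyed connection is rejected here too."""
    received = find_signature_option(segment)
    if received is None:
        return False
    return hmac.compare_digest(received, tcp_md5_digest(src_ip, dst_ip, segment, key))


KEY = b"bgp-session-secret"            # constructed, not a real key
SRC, DST = "192.0.2.1", "192.0.2.2"      # RFC 5737 documentation addresses


def demo():
    """(good segment, wrong key, tampered payload, swapped addresses)."""
    seg = build_signed_segment(SRC, DST, 179, 40000, 1000, 2000, 0x18, 65535,
                               b"BGP OPEN (constructed payload)", KEY)
    return (verify_segment(SRC, DST, seg, KEY),
            verify_segment(SRC, DST, seg, b"wrong-key"),
            verify_segment(SRC, DST, seg[:-1] + b"!", KEY),
            verify_segment(DST, SRC, seg, KEY))
```

`demo()` returns `(True, False, False, False)`: only the untouched segment from the right addresses under the right key passes. Without the receive-side branch, which is exactly the gap the commit message flags, a peer could send segments signed with any key, or none, and they would be accepted; the sender-side option alone protects nothing. Note also that the pseudo-header binds the digest to the address pair, so the same key does not let a segment be replayed between different endpoints.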
wiz
f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
itojun
2a85abd333 avoid memory leak. hint from Andrew Lunn 2003-11-23 08:33:13 +00:00
itojun
5451f8a14e do not malloc(0). Andrew Lunn 2003-11-23 08:23:02 +00:00
itojun
ffe9fe35e1 realloc error check failure; Greg Troxel, sync w/ kame 2003-10-03 21:53:08 +00:00
itojun
27ed6671c7 correct unsafe use of realloc(). 2003-10-02 19:38:59 +00:00
wiz
cff5e477ad Process has only one c. From miod@openbsd. 2003-09-26 22:23:58 +00:00
itojun
ce87a439ff deal with policy without selector. sync w/ kame 2003-09-08 10:16:31 +00:00
itojun
e4b5e8fb10 protect SADB_X_EXT_TAG with #ifdef 2003-08-26 03:49:05 +00:00
itojun
1bb4de9b71 typo 2003-08-26 03:37:25 +00:00
itojun
182a98314c support new algorithms 2003-07-25 10:06:09 +00:00
itojun
0ee6664ebd support hmac-sha2 2003-07-22 03:33:10 +00:00
itojun
26585fc6b8 don't explicitly clear "reserved" field. instead clear "id" field. 2003-07-22 03:32:58 +00:00
itojun
24389b0290 plug memory leak 2003-07-22 03:32:17 +00:00
itojun
536967658d cosmetic 2003-07-22 03:31:44 +00:00
itojun
7a580d5968 clear malloc'ed memory. sync w/kame 2003-06-27 03:40:44 +00:00
wiz
472351e13d Use
.In header.h
instead of
.Fd #include \*[Lt]header.h\*[Gt]
Much easier to read and write, and supported by groff for ages.
Okayed by ross.
2003-04-16 13:34:34 +00:00
lukem
8bf240ccae use __RCSID() 2003-03-09 01:03:54 +00:00
christos
aa229efdc3 Avoid memory leak. Pointed out by Patrick Latifi <patrickl at secureops dot com> 2003-03-04 18:30:58 +00:00
lukem
ec5dbc56b8 Explicitly move setting of NOxxx and USE_SHLIBDIR to the top of the
Makefile (before including <bsd.own.mk>)
2002-08-19 14:55:14 +00:00
lukem
ebb6fc9eb8 Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path (etc).
(Reduces make output by ~ 20%)
2002-08-19 09:41:27 +00:00
itojun
2cd481ef73 plug memory leak. from ebisawa@iij, sync w/kame 2002-07-31 07:00:22 +00:00
itojun
2169d69bcf correct %d/%u mismatch. sync w/kame 2002-06-27 14:39:45 +00:00
itojun
33fe7af9a4 sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.
2002-05-14 11:24:20 +00:00
itojun
1d965dd4fe typo 2002-05-14 11:03:39 +00:00
ross
814f296b77 Generate <>& symbolically. 2002-02-07 07:00:09 +00:00
wiz
b9661d6129 Whitespace nits. 2002-01-15 02:47:02 +00:00
lukem
efcc9a4c9d * Add user-controlled mk.conf variables
- SHLIBDIR	Location to install shared libraries if ${USE_SHLIBDIR}
			is "yes".  Defaults to "/usr/lib".

	- USE_SHLIBDIR	If "yes", install shared libraries in ${SHLIBDIR}
			instead of ${LIBDIR}.  Defaults to "no".
			Sets ${_LIBSODIR} to the appropriate value.
			This may be set by individual Makefiles as well.

	- SHLINKDIR	Location of shared linker.  Defaults to "/usr/libexec".
			If != "/usr/libexec", change the dynamic-linker
			encoded in shared programs

* Set USE_SHLIBDIR for libraries used by /bin and /sbin:
	libc libcrypt libcrypto libedit libipsec libkvm libm libmi387
	libtermcap libutil libz

* If ${_LIBSODIR} != ${LIBDIR}, add symlinks from ${LIBDIR}/${LIB}.so*
  to ${_LIBSODIR}/${LIB}.so* for compatibility.

* Always install /sbin/init statically (for now)


The net effect of these changes depends on how the variables are set:

  1.)	If nothing is set or changed, there is no change from the
	current behaviour:
		- Static /bin, /sbin, and bits of /usr/*
		- Dynamic rest
		- Shared linker is /usr/libexec/ld*so

  2.)	If the following make variables are set:
		LDSTATIC=
		SHLINKDIR=/lib
		SHLIBDIR=/lib
	Then the behaviour becomes:
		- Dynamic tools
		- .so libraries used by /bin and /sbin are installed to /lib,
		  with symlinks from /usr/lib/lib*so to -> /lib/lib*so
		  where appropriate
		- Shared linker is /lib/ld*so

  3.)	As per 2.), but add the following variable:
		USE_SHLIBDIR=yes
This forces all .so's to be installed in /lib (with compat
	symlinks), not just those tagged by their Makefiles to be.
	Again, compat symlinks are installed
2001-12-28 01:32:37 +00:00
wiz
456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00
itojun
89c23ae51c sync manpage with latest kame. 2001-08-31 09:53:23 +00:00
itojun
39e1f5e4ef description for "discard" was missing. sync with kame 2001-04-06 07:04:31 +00:00
agc
6b3108e0aa Revert previous overzealous change, committed in error. 2001-03-30 16:12:44 +00:00
agc
ab498e3d7f Put back prototype of yyparse(), since the function name is modified
by the Makefile

	YPREFIX+=__libyy

setting, and we thus get an unprototyped function.
2001-03-30 15:17:47 +00:00
christos
291a545230 remove redundant declaration of yyparse. 2001-02-04 19:50:51 +00:00
itojun
ffc758331e support rijndael-cbc 2000-10-03 23:00:54 +00:00
itojun
5e8b5a35e4 make ipsec_strerror(3) to return const char *, not char *. sync with kame. 2000-07-30 02:38:35 +00:00
itojun
c8a0922045 do not rely upon algorithm ordering in pfkey spec. sync with kame 2000-07-20 09:51:40 +00:00
itojun
aa0b8be4f4 move ipsec_{hex,bin}dump() into #ifdef wrapper.
libipsec: remove unnecessary #include key_debug.h.
2000-07-04 04:41:54 +00:00
matt
6ac8d1ec06 More include cleanup. Remove (p) from #undef in libipsec. 2000-07-03 03:56:20 +00:00
itojun
92e64a4a0d sync with almost-latest KAME IPsec. full changelog would be too big
to mention here.  notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
  it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
  in struct sadb_msg.  we cannot just change these standard structs.
  sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
  these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
  specify it)
- spddelete takes direction specification
2000-06-12 10:40:37 +00:00
thorpej
14dfd80261 Need -I${.CURDIR} for ipsec_strerror.h 2000-05-09 05:52:54 +00:00
itojun
8ab75e23f4 hide shouldn't-be-exported symbols from the outside.
don't compile pfkey*, since we expect tons of changes in the near future.

bump shlib major (due to fewer exported APIs than before - am I correct here?).
2000-03-13 21:23:55 +00:00
itojun
667dbda449 use proper include path (net/pfkeyv2.h) 2000-02-08 13:17:51 +00:00
itojun
28dacfc3da don't include in6.h directly. 2000-02-08 13:14:35 +00:00
itojun
ffd73d1d87 sorry, forgot to cvs add new files 2000-02-01 03:08:36 +00:00
itojun
e5e6464767 upgrade libipsec to the latest.
- parser now uses yacc/lex (there'll be no symbol conflict).
- outbound policy and inbound policy are now separate
- policy specification for tunnel SA is improved
- api changed, bump shlib major

XXX some programs will no longer be buildable - will commit shortly
2000-01-31 14:15:30 +00:00
itojun
320dc0884c s/.Os KAME/.Os/
From: Klaus Klein <kleink@ira.uka.de>
1999-12-21 14:17:18 +00:00
itojun
64061af71d temporary workaround against KAME PR 154.
http://www2.kame.net/dev/query-pr.cgi?pr=154

This allows many keys to be dumped via "setkey -D", or many keys
to be configured by single "setkey -c < foo" command.
1999-09-16 04:20:03 +00:00
itojun
0516428837 add NetBSD RCS ID on the top.
retain KAME RCS ID where there was one.
1999-07-04 01:36:12 +00:00
itojun
834a62973d add LIBRARY section into libipsec manpages.
add ".Lb libipsec" for this.
1999-07-04 01:27:19 +00:00