Commit Graph

138 Commits

Author SHA1 Message Date
itojun 2169d69bcf correct %d/%u mismatch. sync w/kame 2002-06-27 14:39:45 +00:00
itojun c1808f02bf cache pcb policy as much as possible. in fact, if policy is not
IPSEC_POLICY_IPSEC we don't need to compare spidx.  sync w/kame
2002-06-14 14:47:24 +00:00
itojun dc96111483 deep-copy pcb policy if it is an ipsec policy. assign ID field to all
SPD entries.  make it possible for racoon to grab SPD entry on pcb
(racoon side needs some changes).  sync w/kame
2002-06-12 17:56:45 +00:00
itojun cc8fe8c179 make function static 2002-06-12 03:46:16 +00:00
itojun bad1f500a7 remove unused functions 2002-06-12 03:37:14 +00:00
itojun 3489976392 do not copy policy-on-socket at all. avoid copying packet header value to
struct spindex.  should reduce memory usage per socket/pcb, and should speedup
ipsec processing.  sync w/kame
2002-06-12 01:47:34 +00:00
itojun fa53d749ff share policy-on-pcb for listening socket. sync w/kame
todo: share even more, avoid frequent updates of spidx
2002-06-11 19:39:59 +00:00
itojun 52d0ba15c8 reduce unneeded #ifdef 2002-05-30 05:51:21 +00:00
itojun d208a22daa use arc4random() where possible.
XXX is it necessary to do microtime() on tcp syn cache?
2002-05-28 10:11:49 +00:00
itojun 12bdf036e2 pull in SPD lifetime management code. fix refcnt for SPD entries.
sync w/kame
XXX dead SPD entry lifetime - undergoing sakane's review
2002-05-19 08:22:12 +00:00
itojun 9244bd8154 document net.key.* sysctl. provide sysctl MIB for controlling
proposal payload on ACQUIRE message.  sync w/kame
2002-05-19 08:12:55 +00:00
itojun 691d519c66 remove unneeded decl for __ss_{len,family} 2002-05-19 07:54:05 +00:00
itojun 0c85427e40 remove unneeded #if 2002-03-21 04:41:03 +00:00
itojun 53a52c0ad8 pfkey statistics was presented in wrong direction. 2002-03-21 04:23:36 +00:00
itojun 418fefdef0 remove a function no longer in use 2002-03-21 04:10:21 +00:00
itojun 900347e4d0 comment wording 2002-03-21 02:27:50 +00:00
itojun 8e4fadc28a missing splx 2002-03-01 04:19:42 +00:00
itojun 3edb75b9d5 unifdef -D__NetBSD__ 2002-03-01 04:16:38 +00:00
itojun 88123ecf38 change key_timehandler to take void * as argument. sync with kame.
PR 14351
2002-01-31 07:05:43 +00:00
itojun 867ce59a46 use ipseclog() instead of #ifdef IPSEC_DEBUG, to make it possible to
turn on/off debugging messages at runtime.  sync with kame
2002-01-31 06:35:25 +00:00
itojun 8297f55292 change SPDUPDATE's behavior to meet with the latest KAME kit.
(there's no need to have policy before SPDUPDATE)
2002-01-31 06:17:03 +00:00
lukem 2565646230 don't need <sys/types.h> when including <sys/param.h> 2001-11-15 09:47:59 +00:00
lukem 4f2ad95259 add RCSIDs 2001-11-13 00:56:55 +00:00
simonb 5f717f7c33 Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
itojun 07b78861d0 sync with kame:
fixed the value of the prefixlen in the sadb_address structure.
when pfkey message relative to SA is sent, the prefixlen was incorrect.
2001-10-19 01:57:20 +00:00
wiz 4c99916337 va_{start,end} audit:
Make sure that each va_start has one and only one matching va_end,
especially in error cases.
If the va_list is used multiple times, do multiple va_starts/va_ends.
If a function gets va_list as argument, don't let it use va_end (since
it's the callers responsibility).

Improved by comments from enami and christos -- thanks!

Heimdal/krb4/KAME changes already fed back, rest to follow.

Inspired by, but not not based on, OpenBSD.
2001-09-24 13:22:25 +00:00
wiz 456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00
itojun fd048b8ff1 avoid symbol conflict with "sin()". 2001-08-16 14:28:54 +00:00
itojun 99c5195929 remove "#ifdef IPSEC_DEBUG" conditional from from key_debug.h
(headers must have no #if).  sync with kame
2001-08-12 11:52:43 +00:00
itojun 984d46bbc4 there is no KEY_DEBBUG. use IPSEC_DEBUG 2001-08-12 11:48:27 +00:00
itojun 57030e2f12 cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb.  sync with kame.
2001-08-06 10:25:00 +00:00
itojun ce781443e0 pass replay sequence number on sadb_x_sa2 (it's outside of PF_KEY standard
anyways).
2001-08-02 12:10:14 +00:00
itojun b26591525e remove "register" variable specifier. sync with kame 2001-08-02 11:32:14 +00:00
itojun 182b1e5191 do not #ifdef KEY_DEBUG in header. sync with kame 2001-07-27 04:48:13 +00:00
mrg 8a49f07b1b avoid assigning to policy_id twice. fixes more gcc 3.0 prerelease errors. 2001-06-04 21:38:28 +00:00
mrg c13e3a6693 use _KERNEL_OPT 2001-05-30 11:40:35 +00:00
wiz 14dbdf5518 Negative exit code cleanup: Replace exit(-x) with exit(x).
As seen on tech-userlevel.
2001-04-06 11:13:45 +00:00
jdolecek 522f569810 make some more constant arrays 'const' 2001-02-21 21:39:52 +00:00
thorpej 786149d624 When processing an SADB_DELETE message, allow SADB_EXT_SA to be
blank.  In this case, we delete all non-LARVAL SAs that match the
src/dst/protocol.  This is particularly useful in IKE INITIAL-CONTACT
processing.  Idea from Bill Sommerfeld <sommerfeld@east.sun.com>, who
implemented it in post-Solaris8.
2001-02-16 23:53:59 +00:00
itojun a688af5edf if 2nd parameter of key_acquire() is NULL it panics.
key_acquire () does not really require 2nd argument.
1.179 -> 1.180 on kame.
2001-01-10 18:52:51 +00:00
itojun 8b5ceae516 don't waste entropy by use of key_random(). use key_randomfill() for
IV initialization.
2000-10-07 12:08:33 +00:00
itojun a6f9652adf always use rnd(4) for IPsec random number source. avoid random(9).
if there's no rnd(4), random(9) will be used with one-time warning printf(9).

XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
2000-10-05 04:49:17 +00:00
itojun dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun 8a9f93dc37 update ip compression algorithm lookup.
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net).  sync with kame
2000-09-26 08:40:23 +00:00
itojun 89f53512af use real wallclock (got by microtime) to compute IPsec database lifetimes.
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun fd5d3908d3 wake up socket even with socket recieve buffer is full. otherwise,
we will have lots of pending mbufs on heavy SADB_ACQUIRE traffic.
KAME 1.22 -> 1.23
2000-09-22 08:28:56 +00:00
itojun 5f3d7ea2b5 suppress debugging message in key_acquire2(). this is purely for debugging,
not useful/no interest from normal use.  KAME 1.155 -> 1.156
2000-09-21 20:35:09 +00:00
itojun 6aadfa317f on SADB_UPDATE, check SPI range only for AH/ESP, not IPComp.
endian/signedness fix for debug messages.
KAME 1.154 -> 1.155
2000-09-20 19:55:05 +00:00
itojun 1e79c22464 repair SADB_ADD/UPDATE for ipcomp. no encryption key will be attached to
ipcomp.  (KAME 1.53 -> 1.54)
2000-09-20 00:42:47 +00:00
itojun 6a4cd1c5f9 make proposal/combination PF_KEY message on SADB_ACQUIRE optional, to
support ipcomp ACQUIRE messages (again).
it violates RFC2367 slightly.  RFC2367 does not suport ipcomp at all
so we have no choice.
(KAME 1.151 -> 1.152)

do not leave dangling pointer after KFREE().  caused kernel panic with
certain PF_KEY message (error case) - only root can open PF_KEY socket
so it is not security issue.
(KAME 1.152 -> 1.153)
2000-09-20 00:08:42 +00:00
itojun bb8d535cc5 use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.

the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.

XXX: it looks that past blowfish-cbc code was buggy.  i ran some test pattern,
and new blowfish-cbc code looks more correct.  there's no interoperability
between the old code (before the commit) and the new code (after the commit).

XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun e101febc8f make sure to stir ESP IV. pool allocator gives me almost constant
value.  we may need to do an advisory...
2000-08-27 17:41:12 +00:00
itojun 9e0a696a8a remove #ifdef notdef part. sync with kame. 2000-07-26 07:40:52 +00:00
itojun 411ff12b27 pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
sync with kame.

loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun 65d37eff7f correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.

WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun aa0b8be4f4 move ipsec_{hex,bin}dump() into #ifdef wrapper.
libipsec: remove unnecessary #include key_debug.h.
2000-07-04 04:41:54 +00:00
itojun d407c7e3ec nuke sadb_x_ident_id, wihich violates pfkey standard.
correct get/set SA handling.
(from kame)
2000-07-01 01:01:34 +00:00
mrg 577e415862 <vm/vm.h> -> <uvm/uvm_extern.h> 2000-06-28 03:29:45 +00:00
thorpej ee01b6fae0 Clean up some NULL vs. 0 confusion, and fix a bogus comparison. 2000-06-24 00:15:52 +00:00
itojun 43eb8dd0d2 correct compilation without IPSEC_ESP.
From: Matthias Drochner <M.Drochner@fz-juelich.de>
2000-06-15 13:44:22 +00:00
itojun f982a33213 correct ordering mistake in SADB_DUMP.
correct bug in key length management in SA database.
improbe mbuf printing (for debugging only).
2000-06-15 12:37:07 +00:00
itojun 00dc400bb3 correct port number matching (src/dst mixup). 2000-06-15 05:50:22 +00:00
itojun 186948075c remove too strong assumption on mbuf length.
the previous code choked if large policy entry is injected with "spdadd"
subcommand in setkey(8).
2000-06-14 03:16:23 +00:00
itojun 92e64a4a0d sync with almost-latest KAME IPsec. full changelog would be too big
to mention here.  notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
  it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
  in struct sadb_msg.  we cannot just change these standard structs.
  sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
  these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
  specify it)
- spddelete takes direction specification
2000-06-12 10:40:37 +00:00
itojun 93b2b4e693 remove include files in nonstandard path
(has been #error for couple of months).
2000-06-04 11:52:06 +00:00
thorpej f636538446 NULL != 0 2000-05-19 04:34:39 +00:00
thorpej e0d0cba239 Remove junk at the end of #undef. 2000-05-08 18:31:10 +00:00
augustss 8529438fe6 Remove register declarations. 2000-03-30 12:51:13 +00:00
thorpej fc96443d15 New callout mechanism with two major improvements over the old
timeout()/untimeout() API:
- Clients supply callout handle storage, thus eliminating problems of
  resource allocation.
- Insertion and removal of callouts is constant time, important as
  this facility is used quite a lot in the kernel.

The old timeout()/untimeout() API has been removed from the kernel.
2000-03-23 07:01:25 +00:00
itojun eb95b863d0 correct IPsec SA lookup, so that we can always get/use
proper SA.  cached SA can be wrong, specifically when you use sendto().
sync with KAME change, From: Greg Troxel <gdt@ir.bbn.com>
2000-03-05 05:42:33 +00:00
itojun 541b446bfa for more strict rfc2367 conformance, move netkey/keyv2.h into net/pfkeyv2.h
(net/pfkeyv2.h used to just include netkey/keyv2.h).

netkey/keyv2.h includes #error only for several days, to inform
of file path change.  after that I plan to nuke the file.
2000-02-09 03:27:29 +00:00
itojun 90736ab608 fix include pathname for better rfc2292 compliance. 2000-02-06 12:49:37 +00:00
itojun 1a2a1e2b1f bring in latest KAME ipsec tree.
- interop issues in ipcomp is fixed
- padding type (after ESP) is configurable
- key database memory management (need more fixes)
- policy specification is revisited

XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon
2000-01-31 14:18:52 +00:00
itojun 6118e5d8d2 allow any SPI value to be used, if well-known ipcomp CPI is used.
From: Laine Stump <lainestump@rcn.com>
To: current-users@netbsd.org
Message-Id: <3.0.3.32.19990907020809.0091fc90@pop.rcn.com>
Date: Tue, 07 Sep 1999 02:08:09 -0400
1999-09-07 07:41:45 +00:00
itojun fd8ab6e67c sync with recent KAME.
bark when bogus prefix length (> 32 for IPv4, for exapmle) is specified.
1999-08-24 00:46:12 +00:00
itojun 70ada0957e sync with recent KAME.
- loosen ipsec restriction on packet diredtion.
- revise icmp6 redirect handling on IsRouter bit.
- tcp/udp notification processing (link-local address case)
- cosmetic fixes (better code share across *BSD).
1999-07-31 18:41:15 +00:00
thorpej 267920eb1a defopt INET6, and put it in opt_inet.h (most places already include this
file, which is why the file list is so short).
1999-07-09 23:41:16 +00:00
thorpej f9a7668b3f defopt IPSEC and IPSEC_ESP (both into opt_ipsec.h). 1999-07-09 22:57:15 +00:00
itojun dcc13cdd33 sync with KAME/NetBSD 1.4, SNAP kit 19990705.
key changes are:
- icmp6 redirect fix (dst check)
- revised ip6 multicast check for loopback i/f
- several RCS ID cleanups
1999-07-06 12:23:19 +00:00
cjs 5108aad9a8 ntohl() doesn't return long, so cast it. 1999-07-05 08:15:39 +00:00
itojun 9b74747370 s/splnet/splsoftnet/ in IPv6/IPsec part.
hope I made no mistake (the kernel works fine but I need a regress test)

Suggested by: thorpej
1999-07-04 02:01:15 +00:00
thorpej cd3a345ea0 RCS ID police. 1999-07-03 21:24:45 +00:00
lukem bd99d900df spell Association correctly 1999-07-03 04:45:53 +00:00
itojun e208c5c64a enable IPSEC_ESP build (still needs manual symlink).
commit to cryptosrc-intl will follow.
1999-07-02 19:58:27 +00:00
thorpej 8328f07bda Fix printf format on LP64. 1999-07-01 22:47:56 +00:00
itojun afb0d8e6e1 less warning on userland compilation. 1999-07-01 20:10:27 +00:00
itojun 118d2b1d4f IPv6 kernel code, based on KAME/NetBSD 1.4, SNAP kit 19990628.
(Sorry for a big commit, I can't separate this into several pieces...)
Pls check sys/netinet6/TODO and sys/netinet6/IMPLEMENTATION for details.

- sys/kern: do not assume single mbuf, accept chained mbuf on passing
  data from userland to kernel (or other way round).
- "midway" ATM card: ATM PVC pseudo device support, like those done in ALTQ
  package (ftp://ftp.csl.sony.co.jp/pub/kjc/).
- sys/netinet/tcp*: IPv4/v6 dual stack tcp support.
- sys/netinet/{ip6,icmp6}.h, sys/net/pfkeyv2.h: IETF document assumes those
  file to be there so we patch it up.
- sys/netinet: IPsec additions are here and there.
- sys/netinet6/*: most of IPv6 code sits here.
- sys/netkey: IPsec key management code
- dev/pci/pcidevs: regen

In my understanding no code here is subject to export control so it
should be safe.
1999-07-01 08:12:45 +00:00
itojun 74d3c214ec KAME/NetBSD 1.4 SNAP kit, dated 19990628.
NOTE: this branch (kame) is used just for refernce.  this may not compile
due to multiple reasons.
1999-06-28 06:36:47 +00:00