Commit IPv6 support for FAST_IPSEC to the tree.

This commit includes only the kernel files, the rest of the files
will follow in a second commit.

Reviewed by:    bz
Approved by:    re
Supported by:   Secure Computing
George V. Neville-Neil 2007-07-01 11:41:27 +00:00
parent 069441f718
commit 2cb64cb272
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=171133
61 changed files with 799 additions and 2374 deletions


@ -3592,6 +3592,25 @@ OLD_FILES+=usr/libdata/msdosfs/koi8u2dos
# - usr/share/tmac/mm/se_locale
# - var/yp/Makefile
# 20070610: KAME IPSec removal
OLD_FILES+=usr/include/netinet6/ah.h
OLD_FILES+=usr/include/netinet6/ah6.h
OLD_FILES+=usr/include/netinet6/ah_aesxcbcmac.h
OLD_FILES+=usr/include/netinet6/esp.h
OLD_FILES+=usr/include/netinet6/esp6.h
OLD_FILES+=usr/include/netinet6/esp_aesctr.h
OLD_FILES+=usr/include/netinet6/esp_camellia.h
OLD_FILES+=usr/include/netinet6/esp_rijndael.h
OLD_FILES+=usr/include/netinet6/ipsec.h
OLD_FILES+=usr/include/netinet6/ipsec6.h
OLD_FILES+=usr/include/netinet6/ipcomp.h
OLD_FILES+=usr/include/netinet6/ipcomp6.h
OLD_FILES+=usr/include/netkey/key.h
OLD_FILES+=usr/include/netkey/key_debug.h
OLD_FILES+=usr/include/netkey/key_var.h
OLD_FILES+=usr/include/netkey/keydb.h
OLD_FILES+=usr/include/netkey/keysock.h
OLD_DIRS+=usr/include/netkey
# 20070519: GCC 4.2
OLD_LIBS+=usr/lib/libg2c.a
OLD_LIBS+=usr/lib/libg2c.so
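Review bot: The date header introduced at the top of this hunk, `# 20070610: KAME IPSec removal`, disagrees with the UPDATING entry this same commit adds for the removal, which is dated 20070701. Entries in this file are conventionally dated by the commit that retires the files, so `# 20070701: KAME IPSec removal` looks like the intended header; whichever date is right, the two files should agree so the removal can be matched to the UPDATING note.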


@ -21,6 +21,14 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 7.x IS SLOW:
developers choose to disable these features on build machines
to maximize performance.
20070701:
Remove KAME IPsec in favor of FAST_IPSEC, which is now the
only IPsec supported by FreeBSD. The new IPsec stack
supports both IPv4 and IPv6. The kernel option will change
after the code changes have settled in. For now the kernel
option IPSEC is deprecated and FAST_IPSEC is the only option, that
will change after some settling time.
20070701:
The wicontrol(8) utility has been removed from the base system. wi(4)
cards should be configured using ifconfig(8), see the man page for more


@ -10,7 +10,7 @@ SUBDIR= boot
# Directories to include in cscope name file and TAGS.
CSCOPEDIRS= bsm cam coda compat conf contrib crypto ddb dev fs geom gnu \
i4b isa kern libkern modules net net80211 netatalk netatm \
netgraph netinet netinet6 netipx netkey netnatm netncp \
netgraph netinet netinet6 netipx netnatm netncp \
netsmb nfs nfsclient nfs4client rpc pccard pci security sys \
ufs vm ${ARCHDIR}


@ -495,9 +495,9 @@ options HWPMC_HOOKS # Other necessary kernel hooks
#
options INET #Internet communications protocols
options INET6 #IPv6 communications protocols
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security
#options IPSEC #IP security
#options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
#options IPSEC_DEBUG #debug for IP security
#
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
# to be processed by any configured packet filtering (ipfw, ipf).
@ -509,7 +509,7 @@ options IPSEC_DEBUG #debug for IP security
#
#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
#options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
options IPX #IPX/SPX communications protocols


@ -1829,7 +1829,6 @@ netinet/ip_fw2.c optional ipfirewall
netinet/ip_fw_pfil.c optional ipfirewall
netinet/ip_icmp.c optional inet
netinet/ip_input.c optional inet
netinet/ip_ipsec.c optional ipsec
netinet/ip_ipsec.c optional fast_ipsec
netinet/ip_mroute.c optional mrouting inet | mrouting inet6
netinet/ip_options.c optional inet
@ -1865,16 +1864,7 @@ netinet/libalias/alias_db.c optional libalias | netgraph_nat
netinet/libalias/alias_mod.c optional libalias | netgraph_nat
netinet/libalias/alias_proxy.c optional libalias | netgraph_nat
netinet/libalias/alias_util.c optional libalias | netgraph_nat
netinet6/ah_aesxcbcmac.c optional ipsec
netinet6/ah_core.c optional ipsec
netinet6/ah_input.c optional ipsec
netinet6/ah_output.c optional ipsec
netinet6/dest6.c optional inet6
netinet6/esp_aesctr.c optional ipsec ipsec_esp
netinet6/esp_core.c optional ipsec ipsec_esp
netinet6/esp_input.c optional ipsec ipsec_esp
netinet6/esp_output.c optional ipsec ipsec_esp
netinet6/esp_rijndael.c optional ipsec ipsec_esp
netinet6/esp_camellia.c optional ipsec ipsec_esp
netinet6/frag6.c optional inet6
netinet6/icmp6.c optional inet6
@ -1891,10 +1881,7 @@ netinet6/ip6_id.c optional inet6
netinet6/ip6_input.c optional inet6
netinet6/ip6_mroute.c optional mrouting inet6
netinet6/ip6_output.c optional inet6
netinet6/ipcomp_core.c optional ipsec
netinet6/ipcomp_input.c optional ipsec
netinet6/ipcomp_output.c optional ipsec
netinet6/ipsec.c optional ipsec
netinet6/ip6_ipsec.c optional fast_ipsec
netinet6/mld6.c optional inet6
netinet6/nd6.c optional inet6
netinet6/nd6_nbr.c optional inet6
@ -1926,10 +1913,6 @@ netipx/ipx_proto.c optional ipx
netipx/ipx_usrreq.c optional ipx
netipx/spx_debug.c optional ipx
netipx/spx_usrreq.c optional ipx
netkey/key.c optional ipsec
netkey/key_debug.c optional ipsec
netkey/keydb.c optional ipsec
netkey/keysock.c optional ipsec
netnatm/natm.c optional natm
netnatm/natm_pcb.c optional natm
netnatm/natm_proto.c optional natm
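Review bot: The new entry `netinet6/ip6_ipsec.c optional fast_ipsec` (replacing the netinet6/ipsec.c line) carries no inet6 dependency, so the file is compiled into every FAST_IPSEC kernel even when INET6 is not configured; unless ip6_ipsec.c wraps its whole body in `#ifdef INET6` (not visible here) that is a build failure or dead code in non-IPv6 kernels. The neighbouring entries spell the dependency out with `optional inet6`, so `netinet6/ip6_ipsec.c optional inet6 fast_ipsec` expresses what the file actually needs. The same reasoning applies to `netinet/ip_ipsec.c optional fast_ipsec` in the first hunk of this file, which could read `optional inet fast_ipsec`.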


@ -73,16 +73,8 @@
#include <netinet6/ip6_var.h>
#endif /* INET6 */
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netkey/key.h>
#endif /* IPSEC */
#ifdef FAST_IPSEC
#if defined(IPSEC) || defined(IPSEC_ESP)
#error "Bad idea: don't compile with both IPSEC and FAST_IPSEC!"
#endif
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#endif /* FAST_IPSEC */
@ -200,15 +192,12 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
mac_create_inpcb_from_socket(so, inp);
SOCK_UNLOCK(so);
#endif
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
error = ipsec_init_policy(so, &inp->inp_sp);
#else
error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
#endif
if (error != 0)
goto out;
#endif /*IPSEC*/
#endif /*FAST_IPSEC*/
#ifdef INET6
if (INP_SOCKAF(so) == AF_INET6) {
inp->inp_vflag |= INP_IPV6PROTO;
@ -226,7 +215,7 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
INP_LOCK(inp);
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
#if defined(FAST_IPSEC) || defined(MAC)
out:
if (error != 0)
uma_zfree(pcbinfo->ipi_zone, inp);
@ -535,10 +524,7 @@ in_pcbconnect(struct inpcb *inp, struct sockaddr *nam, struct ucred *cred)
inp->inp_faddr.s_addr = faddr;
inp->inp_fport = fport;
in_pcbrehash(inp);
#ifdef IPSEC
if (inp->inp_socket->so_type == SOCK_STREAM)
ipsec_pcbconn(inp->inp_sp);
#endif
if (anonport)
inp->inp_flags |= INP_ANONPORT;
return (0);
@ -698,9 +684,6 @@ in_pcbdisconnect(struct inpcb *inp)
inp->inp_faddr.s_addr = INADDR_ANY;
inp->inp_fport = 0;
in_pcbrehash(inp);
#ifdef IPSEC
ipsec_pcbdisconn(inp->inp_sp);
#endif
}
/*
@ -728,9 +711,9 @@ in_pcbfree(struct inpcb *inp)
INP_INFO_WLOCK_ASSERT(ipi);
INP_LOCK_ASSERT(inp);
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
ipsec4_delete_pcbpolicy(inp);
#endif /*IPSEC*/
#endif /*FAST_IPSEC*/
inp->inp_gencnt = ++ipi->ipi_gencnt;
in_pcbremlists(inp);
if (inp->inp_options)
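Review bot: The include hunk appears to drop the `#if defined(IPSEC) || defined(IPSEC_ESP)` / `#error` guard together with the KAME includes, so a kernel config that still lists `options IPSEC` beside `options FAST_IPSEC` no longer fails the build; UPDATING in this commit calls IPSEC deprecated rather than removed, so config(8) may still accept it and the stale option would then be silently ignored. Until the option is actually deleted from conf/options, keeping the `#error` inside the FAST_IPSEC block costs nothing and turns a misconfigured kernel into a build error. Minor style point: this file closes its blocks with `#endif /*FAST_IPSEC*/` while the rest of the commit uses `#endif /* FAST_IPSEC */`.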


@ -125,7 +125,7 @@ struct inpcb {
struct label *inp_label; /* MAC label */
int inp_flags; /* generic IP/datagram flags */
struct inpcbpolicy *inp_sp; /* for IPSEC */
struct inpcbpolicy *inp_sp; /* for IPSEC */
u_char inp_vflag; /* IP version flag (v4/v6) */
#define INP_IPV4 0x1
#define INP_IPV6 0x2


@ -69,15 +69,6 @@
static struct pr_usrreqs nousrreqs;
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netinet6/ah.h>
#ifdef IPSEC_ESP
#include <netinet6/esp.h>
#endif
#include <netinet6/ipcomp.h>
#endif /* IPSEC */
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#endif /* FAST_IPSEC */
@ -219,34 +210,6 @@ struct protosw inetsw[] = {
.pr_ctloutput = rip_ctloutput,
.pr_usrreqs = &rip_usrreqs
},
#ifdef IPSEC
{
.pr_type = SOCK_RAW,
.pr_domain = &inetdomain,
.pr_protocol = IPPROTO_AH,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = ah4_input,
.pr_usrreqs = &nousrreqs
},
#ifdef IPSEC_ESP
{
.pr_type = SOCK_RAW,
.pr_domain = &inetdomain,
.pr_protocol = IPPROTO_ESP,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = esp4_input,
.pr_usrreqs = &nousrreqs
},
#endif
{
.pr_type = SOCK_RAW,
.pr_domain = &inetdomain,
.pr_protocol = IPPROTO_IPCOMP,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = ipcomp4_input,
.pr_usrreqs = &nousrreqs
},
#endif /* IPSEC */
#ifdef FAST_IPSEC
{
.pr_type = SOCK_RAW,
@ -412,11 +375,7 @@ SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH");
SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP");
SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP");
SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP");
#else
#ifdef IPSEC
SYSCTL_NODE(_net_inet, IPPROTO_AH, ipsec, CTLFLAG_RW, 0, "IPSEC");
#endif /* IPSEC */
#endif /* !FAST_IPSEC */
#endif /* FAST_IPSEC */
SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW");
#ifdef DEV_PFSYNC
SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC, pfsync, CTLFLAG_RW, 0, "PFSYNC");


@ -93,10 +93,6 @@
#include <altq/if_altq.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#endif
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#ifdef INET6
@ -3150,9 +3146,6 @@ do { \
#ifdef FAST_IPSEC
match = (m_tag_find(m,
PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
#endif
#ifdef IPSEC
match = (ipsec_getnhist(m) != 0);
#endif
/* otherwise no match */
break;
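Review bot: After the second hunk the ipfw `ipsec` match depends solely on the PACKET_TAG_IPSEC_IN_DONE mbuf tag, so on a kernel built without FAST_IPSEC a rule using it falls straight through to `/* otherwise no match */` and silently never matches, where the removed KAME branch at least covered the other IPsec option. A comment such as `/* Without FAST_IPSEC no packet carries the tag, so this opcode never matches. */` at the `#ifdef FAST_IPSEC` would make that explicit to the next reader. Rejecting the opcode at rule-install time when the kernel has no IPsec support, if the rule checker does not already do so (that code is outside this hunk), would turn the silent no-match into an error the administrator sees.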


@ -59,15 +59,9 @@
#include <netinet/tcpip.h>
#include <netinet/icmp_var.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netkey/key.h>
#endif
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#define IPSEC
#endif
#include <machine/in_cksum.h>
@ -585,7 +579,7 @@ icmp_input(struct mbuf *m, int off)
(struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,
(struct sockaddr *)&icmpgw);
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
#ifdef IPSEC
#ifdef FAST_IPSEC
key_sa_routechange((struct sockaddr *)&icmpsrc);
#endif
break;
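Review bot: The include hunk removes the `#define IPSEC` shim that FAST_IPSEC previously set, so every remaining `#ifdef IPSEC` in this file is now compiled out instead of failing to build; the one around `key_sa_routechange` is converted in the second hunk, but any occurrence outside these two hunks would be dropped silently. A grep for `IPSEC` over the rest of ip_icmp.c before committing would confirm none is left. The same shim is removed from tcp_output.c and tcp_subr.c in this commit, and the same check applies to those files.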


@ -70,9 +70,9 @@
#ifdef DEV_CARP
#include <netinet/ip_carp.h>
#endif
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
#include <netinet/ip_ipsec.h>
#endif /* IPSEC */
#endif /* FAST_IPSEC */
#include <sys/socketvar.h>
@ -391,13 +391,13 @@ ip_input(struct mbuf *m)
} else
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/*
* Bypass packet filtering for packets from a tunnel (gif).
*/
if (ip_ipsec_filtergif(m))
goto passin;
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/*
* Run through list of hooks for input packets.
@ -601,10 +601,10 @@ ip_input(struct mbuf *m)
ipstat.ips_cantforward++;
m_freem(m);
} else {
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
if (ip_ipsec_fwd(m))
goto bad;
#endif /* IPSEC */
#endif /* FAST_IPSEC */
ip_forward(m, dchg);
}
return;
@ -645,7 +645,7 @@ ip_input(struct mbuf *m)
*/
ip->ip_len -= hlen;
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
@ -653,7 +653,7 @@ ip_input(struct mbuf *m)
*/
if (ip_ipsec_input(m))
goto bad;
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/*
* Switch out to protocol's input routine.
@ -1390,9 +1390,9 @@ ip_forward(struct mbuf *m, int srcrt)
type = ICMP_UNREACH;
code = ICMP_UNREACH_NEEDFRAG;
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
mtu = ip_ipsec_mtu(m);
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/*
* If the MTU wasn't set before use the interface mtu or
* fall back to the next smaller mtu step compared to the


@ -55,16 +55,6 @@
#include <machine/in_cksum.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netkey/key.h>
#ifdef IPSEC_DEBUG
#include <netkey/key_debug.h>
#else
#define KEYDEBUG(lev,arg)
#endif
#endif /*IPSEC*/
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@ -81,13 +71,6 @@ extern struct protosw inetsw[];
int
ip_ipsec_filtergif(struct mbuf *m)
{
#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
/*
* Bypass packet filtering for packets from a tunnel (gif).
*/
if (ipsec_getnhist(m))
return 1;
#endif
#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
/*
* Bypass packet filtering for packets from a tunnel (gif).
@ -112,17 +95,7 @@ ip_ipsec_fwd(struct mbuf *m)
struct tdb_ident *tdbi;
struct secpolicy *sp;
int s, error;
#endif /* FAST_IPSEC */
#ifdef IPSEC
/*
* Enforce inbound IPsec SPD.
*/
if (ipsec4_in_reject(m, NULL)) {
ipsecstat.in_polvio++;
return 1;
}
#endif /* IPSEC */
#ifdef FAST_IPSEC
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
s = splnet();
if (mtag != NULL) {
@ -169,20 +142,6 @@ ip_ipsec_input(struct mbuf *m)
struct tdb_ident *tdbi;
struct secpolicy *sp;
int s, error;
#endif /* FAST_IPSEC */
#ifdef IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
ipsec4_in_reject(m, NULL)) {
ipsecstat.in_polvio++;
return 1;
}
#endif
#ifdef FAST_IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
@ -243,17 +202,10 @@ ip_ipsec_mtu(struct mbuf *m)
int ipsecerror;
int ipsechdr;
struct route *ro;
#ifdef IPSEC
sp = ipsec4_getpolicybyaddr(m,
IPSEC_DIR_OUTBOUND,
IP_FORWARDING,
&ipsecerror);
#else /* FAST_IPSEC */
sp = ipsec_getpolicybyaddr(m,
IPSEC_DIR_OUTBOUND,
IP_FORWARDING,
&ipsecerror);
#endif
if (sp != NULL) {
/* count IPsec header size */
ipsechdr = ipsec4_hdrsiz(m,
@ -276,11 +228,7 @@ ip_ipsec_mtu(struct mbuf *m)
mtu -= ipsechdr;
}
}
#ifdef IPSEC
key_freesp(sp);
#else /* FAST_IPSEC */
KEY_FREESP(&sp);
#endif
}
return mtu;
}
@ -296,152 +244,12 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
struct route **ro, struct route *iproute, struct sockaddr_in **dst,
struct in_ifaddr **ia, struct ifnet **ifp)
{
#ifdef FAST_IPSEC
struct secpolicy *sp = NULL;
struct ip *ip = mtod(*m, struct ip *);
#ifdef IPSEC
struct ipsec_output_state state;
#endif
#ifdef FAST_IPSEC
struct tdb_ident *tdbi;
struct m_tag *mtag;
int s;
#endif /* FAST_IPSEC */
#ifdef IPSEC
/* get SP for this packet */
if (inp == NULL)
sp = ipsec4_getpolicybyaddr(*m, IPSEC_DIR_OUTBOUND,
*flags, error);
else
sp = ipsec4_getpolicybypcb(*m, IPSEC_DIR_OUTBOUND, inp, error);
if (sp == NULL) {
ipsecstat.out_inval++;
goto bad;
}
/* check policy */
switch (sp->policy) {
case IPSEC_POLICY_DISCARD:
/*
* This packet is just discarded.
*/
ipsecstat.out_polvio++;
goto bad;
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_NONE:
case IPSEC_POLICY_TCP:
/* no need to do IPsec. */
goto done;
case IPSEC_POLICY_IPSEC:
if (sp->req == NULL) {
/* acquire a policy */
*error = key_spdacquire(sp);
goto bad;
}
break;
case IPSEC_POLICY_ENTRUST:
default:
printf("%s: Invalid policy found. %d\n", __func__, sp->policy);
}
bzero(&state, sizeof(state));
state.m = *m;
if (*flags & IP_ROUTETOIF) {
state.ro = iproute;
bzero(iproute, sizeof(iproute));
} else
state.ro = *ro;
state.dst = (struct sockaddr *)(*dst);
ip->ip_sum = 0;
/*
* XXX
* delayed checksums are not currently compatible with IPsec
*/
if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
in_delayed_cksum(*m);
(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
}
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
*error = ipsec4_output(&state, sp, *flags);
*m = state.m;
if (*flags & IP_ROUTETOIF) {
/*
* if we have tunnel mode SA, we may need to ignore
* IP_ROUTETOIF.
*/
if (state.ro != iproute || state.ro->ro_rt != NULL) {
*flags &= ~IP_ROUTETOIF;
*ro = state.ro;
}
} else
*ro = state.ro;
*dst = (struct sockaddr_in *)state.dst;
if (*error != 0) {
/* mbuf is already reclaimed in ipsec4_output. */
*m = NULL;
switch (*error) {
case EHOSTUNREACH:
case ENETUNREACH:
case EMSGSIZE:
case ENOBUFS:
case ENOMEM:
break;
default:
printf("ip4_output (ipsec): error code %d\n", *error);
/*fall through*/
case ENOENT:
/* don't show these error codes to the user */
*error = 0;
break;
}
goto bad;
}
/* be sure to update variables that are affected by ipsec4_output() */
if ((*ro)->ro_rt == NULL) {
if ((*flags & IP_ROUTETOIF) == 0) {
printf("ip_output: "
"can't update route after IPsec processing\n");
*error = EHOSTUNREACH; /*XXX*/
goto bad;
}
} else {
if (state.encap) {
*ia = ifatoia((*ro)->ro_rt->rt_ifa);
*ifp = (*ro)->ro_rt->rt_ifp;
}
}
ip = mtod(*m, struct ip *);
/* make it flipped, again. */
ip->ip_len = ntohs(ip->ip_len);
ip->ip_off = ntohs(ip->ip_off);
done:
if (sp != NULL) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ip_output call free SP:%p\n", sp));
key_freesp(sp);
}
return 0;
bad:
if (sp != NULL) {
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP ip_output call free SP:%p\n", sp));
key_freesp(sp);
}
return 1;
#endif /*IPSEC*/
#ifdef FAST_IPSEC
/*
* Check the security policy (SP) for the packet and, if
* required, do IPsec-related processing. There are two
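Review bot: conf/files now builds this file as `netinet/ip_ipsec.c optional fast_ipsec`, so the per-function `#ifdef FAST_IPSEC` / `#endif /* FAST_IPSEC */` wrappers left behind once the KAME branches are deleted (around the declarations in ip_ipsec_fwd and ip_ipsec_input, and the `#ifdef FAST_IPSEC` opening ip_ipsec_output's body) no longer select between implementations; they only guard a build that cannot happen. Collapsing them into a single file-level check, and reducing `#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)` in ip_ipsec_filtergif to `#ifndef IPSEC_FILTERGIF`, would leave one readable code path. The include hunk also drops the `#define KEYDEBUG(lev,arg)` fallback; that is safe only if no KEYDEBUG() use survives in the FAST_IPSEC code (the KAME ones in ip_ipsec_output are deleted here, the FAST_IPSEC remainder of that function is outside the hunk).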


@ -59,15 +59,10 @@
#include <netinet/ip_var.h>
#include <netinet/ip_options.h>
#if defined(IPSEC) || defined(FAST_IPSEC)
#include <netinet/ip_ipsec.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#endif
#ifdef FAST_IPSEC
#include <netinet/ip_ipsec.h>
#include <netipsec/ipsec.h>
#endif
#endif /*IPSEC*/
#endif /* FAST_IPSEC*/
#include <machine/in_cksum.h>
@ -417,7 +412,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
}
sendit:
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) {
case 1:
goto bad;
@ -430,7 +425,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
/* Update variables that are affected by ipsec4_output(). */
ip = mtod(m, struct ip *);
hlen = ip->ip_hl << 2;
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/* Jump over all PFIL processing if hooks are not active. */
if (!PFIL_HOOKED(&inet_pfil_hook))
@ -539,10 +534,6 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
ia->ia_ifa.if_opackets++;
ia->ia_ifa.if_obytes += m->m_pkthdr.len;
}
#ifdef IPSEC
/* clean ipsec history once it goes out of the node */
ipsec_delaux(m);
#endif
#ifdef MBUF_STRESS_TEST
if (mbuf_frag_size && m->m_pkthdr.len > mbuf_frag_size)
m = m_fragment(m, M_DONTWAIT, mbuf_frag_size);
@ -575,10 +566,6 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
for (; m; m = m0) {
m0 = m->m_nextpkt;
m->m_nextpkt = 0;
#ifdef IPSEC
/* clean ipsec history once it goes out of the node */
ipsec_delaux(m);
#endif
if (error == 0) {
/* Record statistics for this interface address. */
if (ia != NULL) {
@ -979,7 +966,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
INP_UNLOCK(inp);
break;
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
case IP_IPSEC_POLICY:
{
caddr_t req;
@ -1013,7 +1000,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
m_freem(m);
break;
}
#endif /*IPSEC*/
#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
@ -1117,7 +1104,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
error = inp_getmoptions(inp, sopt);
break;
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
case IP_IPSEC_POLICY:
{
struct mbuf *m = NULL;
@ -1135,7 +1122,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
m_freem(m);
break;
}
#endif /*IPSEC*/
#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
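Review bot: Style nit in the include hunk: `#endif /* FAST_IPSEC*/` is missing the closing space and so differs from the `#endif /* FAST_IPSEC */` form used by the other hunks in this file and across the commit; `#endif /* FAST_IPSEC */` keeps the markers consistent and greppable. The context comment `/* Update variables that are affected by ipsec4_output(). */` in the sendit hunk predates this change; if the FAST_IPSEC path inside ip_ipsec_output no longer ends in a function of that name, the comment should be updated to name the call it actually refers to.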


@ -70,10 +70,6 @@
#include <netipsec/ipsec.h>
#endif /*FAST_IPSEC*/
#ifdef IPSEC
#include <netinet6/ipsec.h>
#endif /*IPSEC*/
#include <security/mac/mac_framework.h>
struct inpcbhead ripcb;
@ -159,16 +155,12 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
INP_LOCK_ASSERT(last);
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, last)) {
policyfail = 1;
#ifdef IPSEC
ipsecstat.in_polvio++;
#endif /*IPSEC*/
/* do not inject data to pcb */
}
#endif /*IPSEC || FAST_IPSEC*/
#endif /* FAST_IPSEC */
#ifdef MAC
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;
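Review bot: The raw_append hunk removes the KAME `ipsecstat.in_polvio++` but, unlike udp_append, tcp_input and sctp_input in this same commit, does not add the FAST_IPSEC counter, so inbound policy violations on raw sockets are dropped without being counted. Adding `ipsec4stat.in_polvio++;` next to `policyfail = 1;` inside the `if (ipsec4_in_reject(n, last))` block makes raw-socket drops visible in the IPsec statistics the same way the other protocols report them.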


@ -4878,14 +4878,14 @@ sctp_input(i_pak, off)
} else if (stcb == NULL) {
refcount_up = 1;
}
#ifdef IPSEC
#ifdef FAST_IPSEC
/*
* I very much doubt any of the IPSEC stuff will work but I have no
* idea, so I will leave it in place.
*/
if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) {
ipsecstat.in_polvio++;
ipsec4stat.in_polvio++;
SCTP_STAT_INCR(sctps_hdrops);
goto bad;
}
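Review bot: The comment kept above the converted check, `I very much doubt any of the IPSEC stuff will work but I have no idea, so I will leave it in place`, now heads a FAST_IPSEC policy check that this commit actively wires up (`ipsec4stat.in_polvio++`), so the drop path is documented as an unverified guess. Either replace it with what is known, e.g. `/* Enforce the inbound SPD; violations are counted and the packet dropped. */`, or remove it; a reader of this path should not be told the check is believed not to work.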


@ -74,14 +74,14 @@ __FBSDID("$FreeBSD$");
#include <netinet/icmp_var.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netkey/key.h>
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#endif /* IPSEC */
#ifdef INET6
#include <sys/domain.h>
#ifdef IPSEC
#ifdef FAST_IPSEC
#include <netinet6/ipsec6.h>
#endif
#include <netinet/ip6.h>
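Review bot: The second hunk places `#include <netinet6/ipsec6.h>` under `#ifdef FAST_IPSEC`, but that header belongs to the KAME stack being removed (ObsoleteFiles.inc in this commit retires usr/include/netinet6/ipsec6.h and netinet6/ipsec.c leaves conf/files); if the header is deleted from the tree here, an INET6 + FAST_IPSEC SCTP build fails on this line. tcp_input.c and tcp_subr.c in this commit include `<netipsec/ipsec6.h>` for the same purpose, which is what this should be. In the first hunk the context line `#endif /* IPSEC */` now closes `#ifdef FAST_IPSEC` and should read `#endif /* FAST_IPSEC */`.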


@ -1807,11 +1807,11 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT;
inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT;
#ifdef IPSEC
#ifdef FAST_IPSEC
{
struct inpcbpolicy *pcb_sp = NULL;
error = ipsec_init_pcbpolicy(so, &pcb_sp);
error = ipsec_init_policy(so, &pcb_sp);
/* Arrange to share the policy */
inp->ip_inp.inp.inp_sp = pcb_sp;
((struct in6pcb *)(&inp->ip_inp.inp))->in6p_sp = pcb_sp;
@ -1821,7 +1821,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
SCTP_INP_INFO_WUNLOCK();
return error;
}
#endif /* IPSEC */
#endif /* FAST_IPSEC */
SCTP_INCR_EP_COUNT();
inp->ip_inp.inp.inp_ip_ttl = ip_defttl;
SCTP_INP_INFO_WUNLOCK();
@ -2833,9 +2833,9 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
*/
cnt = 0;
if (so) {
#ifdef IPSEC
#ifdef FAST_IPSEC
ipsec4_delete_pcbpolicy(ip_pcb);
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/* Unlocks not needed since the socket is gone now */
}


@ -485,9 +485,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
int error;
uint32_t vrf_id = SCTP_DEFAULT_VRFID;
#ifdef IPSEC
#ifdef FAST_IPSEC
uint32_t flags;
#endif
inp = (struct sctp_inpcb *)so->so_pcb;
if (inp != 0) {
@ -509,8 +508,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
ip_inp->inp_vflag |= INP_IPV4;
ip_inp->inp_ip_ttl = ip_defttl;
#ifdef IPSEC
error = ipsec_init_pcbpolicy(so, &ip_inp->inp_sp);
#ifdef FAST_IPSEC
error = ipsec_init_policy(so, &ip_inp->inp_sp);
#ifdef SCTP_LOG_CLOSING
sctp_log_closing(inp, NULL, 17);
#endif
@ -529,7 +528,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
}
return error;
}
#endif /* IPSEC */
#endif /* FAST_IPSEC */
SCTP_INP_WUNLOCK(inp);
return 0;
}


@ -87,12 +87,6 @@
#include <netipsec/ipsec6.h>
#endif /*FAST_IPSEC*/
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netinet6/ipsec6.h>
#include <netkey/key.h>
#endif /*IPSEC*/
#include <machine/in_cksum.h>
#include <security/mac/mac_framework.h>
@ -451,22 +445,18 @@ tcp_input(struct mbuf *m, int off0)
m->m_pkthdr.rcvif);
}
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
#ifdef INET6
if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) {
#ifdef IPSEC
ipsec6stat.in_polvio++;
#endif
goto dropunlock;
} else
#endif /* INET6 */
if (inp != NULL && ipsec4_in_reject(m, inp)) {
#ifdef IPSEC
ipsecstat.in_polvio++;
#endif
ipsec4stat.in_polvio++;
goto dropunlock;
}
#endif /*IPSEC || FAST_IPSEC*/
#endif /* FAST_IPSEC */
/*
* If the INPCB does not exist then all data in the incoming
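Review bot: In the converted policy check the IPv6 branch, `if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp))`, loses its `ipsec6stat.in_polvio++` along with the KAME `#ifdef IPSEC`, while the IPv4 branch below gains `ipsec4stat.in_polvio++`; IPv6 policy violations are therefore dropped uncounted. Add `ipsec6stat.in_polvio++;` before the first `goto dropunlock;`, assuming netipsec exports `ipsec6stat` alongside `ipsec4stat` as the old KAME line did. tcp_input's body continues outside the hunk.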


@ -72,13 +72,8 @@
#include <netinet/tcp_debug.h>
#endif
#ifdef IPSEC
#include <netinet6/ipsec.h>
#endif /*IPSEC*/
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#define IPSEC
#endif /*FAST_IPSEC*/
#include <machine/in_cksum.h>
@ -700,7 +695,7 @@ tcp_output(struct tcpcb *tp)
offsetof(struct ipoption, ipopt_list);
else
ipoptlen = 0;
#ifdef IPSEC
#ifdef FAST_IPSEC
ipoptlen += ipsec_hdrsiz_tcp(tp);
#endif


@ -91,14 +91,6 @@
#endif
#include <netinet6/ip6protosw.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#include <netkey/key.h>
#endif /*IPSEC*/
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@ -106,7 +98,6 @@
#include <netipsec/ipsec6.h>
#endif
#include <netipsec/key.h>
#define IPSEC
#endif /*FAST_IPSEC*/
#include <machine/in_cksum.h>
@ -1643,7 +1634,7 @@ tcp_maxmtu6(struct in_conninfo *inc, int *flags)
}
#endif /* INET6 */
#ifdef IPSEC
#ifdef FAST_IPSEC
/* compute ESP/AH header size for TCP, including outer IP header. */
size_t
ipsec_hdrsiz_tcp(struct tcpcb *tp)
@ -1684,7 +1675,7 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp)
m_free(m);
return (hdrsiz);
}
#endif /*IPSEC*/
#endif /* FAST_IPSEC */
/*
* TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING


@ -80,13 +80,6 @@
#include <netinet6/tcp6_var.h>
#endif
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#endif /*IPSEC*/
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#ifdef INET6
@ -628,11 +621,6 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
inp->inp_lport = 0;
goto abort;
}
#ifdef IPSEC
/* Copy old policy into new socket's. */
if (ipsec_copy_pcbpolicy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
printf("syncache_socket: could not copy policy\n");
#endif
#ifdef FAST_IPSEC
/* Copy old policy into new socket's. */
if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
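Review bot: The surviving FAST_IPSEC branch at the end of the hunk, `if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))`, is followed by code outside the hunk; if it mirrors the deleted KAME branch and only printf()s on failure, the accepted socket is kept with a policy that was never copied from the listener, so traffic on that connection runs without the listener's IPsec requirement. Treating the failure like the other setup failures above it (`goto abort;`) is the safe default; if continuing is deliberate, a comment explaining why a missing policy is acceptable belongs at that line. syncache_socket's body continues outside the hunk.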


@ -82,10 +82,6 @@
#include <netipsec/ipsec.h>
#endif
#ifdef IPSEC
#include <netinet6/ipsec.h>
#endif
#include <machine/in_cksum.h>
#include <security/mac/mac_framework.h>
@ -499,16 +495,14 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
INP_LOCK_ASSERT(inp);
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, inp)) {
#ifdef IPSEC
ipsecstat.in_polvio++;
#endif
ipsec4stat.in_polvio++;
m_freem(n);
return;
}
#endif /*IPSEC || FAST_IPSEC*/
#endif /* FAST_IPSEC */
#ifdef MAC
if (mac_check_inpcb_deliver(inp, n) != 0) {
m_freem(n);


@ -1,94 +0,0 @@
/* $FreeBSD$ */
/* $KAME: ah.h,v 1.20 2003/08/05 12:21:15 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* RFC1826/2402 authentication header.
*/
#ifndef _NETINET6_AH_H_
#define _NETINET6_AH_H_
#if defined(_KERNEL) && !defined(_LKM)
#include "opt_inet.h"
#endif
struct ah {
u_int8_t ah_nxt; /* Next Header */
u_int8_t ah_len; /* Length of data, in 32bit */
u_int16_t ah_reserve; /* Reserved for future use */
u_int32_t ah_spi; /* Security parameter index */
/* variable size, 32bit bound*/ /* Authentication data */
};
struct newah {
u_int8_t ah_nxt; /* Next Header */
u_int8_t ah_len; /* Length of data + 1, in 32bit */
u_int16_t ah_reserve; /* Reserved for future use */
u_int32_t ah_spi; /* Security parameter index */
u_int32_t ah_seq; /* Sequence number field */
/* variable size, 32bit bound*/ /* Authentication data */
};
#ifdef _KERNEL
struct secasvar;
struct ah_algorithm_state {
struct secasvar *sav;
void* foo; /* per algorithm data - maybe */
};
struct ah_algorithm {
int (*sumsiz) __P((struct secasvar *));
int (*mature) __P((struct secasvar *));
int keymin; /* in bits */
int keymax; /* in bits */
const char *name;
int (*init) __P((struct ah_algorithm_state *, struct secasvar *));
void (*update) __P((struct ah_algorithm_state *, u_int8_t *, size_t));
void (*result) __P((struct ah_algorithm_state *, u_int8_t *, size_t));
};
#define AH_MAXSUMSIZE (512 / 8)
extern const struct ah_algorithm *ah_algorithm_lookup __P((int));
/* cksum routines */
extern int ah_hdrlen __P((struct secasvar *));
extern size_t ah_hdrsiz __P((struct ipsecrequest *));
extern void ah4_input __P((struct mbuf *, int));
extern int ah4_output __P((struct mbuf *, struct ipsecrequest *));
extern int ah4_calccksum __P((struct mbuf *, u_int8_t *, size_t,
const struct ah_algorithm *, struct secasvar *));
#endif /* _KERNEL */
#endif /* _NETINET6_AH_H_ */


@ -1,52 +0,0 @@
/* $FreeBSD$ */
/* $KAME: ah.h,v 1.13 2000/10/18 21:28:00 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* RFC1826/2402 authentication header.
*/
#ifndef _NETINET6_AH6_H_
#define _NETINET6_AH6_H_
#ifdef _KERNEL
struct secasvar;
extern int ah6_input __P((struct mbuf **, int *, int));
extern int ah6_output __P((struct mbuf *, u_char *, struct mbuf *,
struct ipsecrequest *));
extern int ah6_calccksum __P((struct mbuf *, u_int8_t *, size_t,
const struct ah_algorithm *, struct secasvar *));
extern void ah6_ctlinput __P((int, struct sockaddr *, void *));
#endif
#endif /*_NETINET6_AH6_H_*/


@ -1,109 +0,0 @@
/* $FreeBSD$ */
/* $KAME: esp.h,v 1.19 2001/09/04 08:43:19 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* RFC1827/2406 Encapsulated Security Payload.
*/
#ifndef _NETINET6_ESP_H_
#define _NETINET6_ESP_H_
#if defined(_KERNEL) && !defined(_LKM)
#include "opt_inet.h"
#endif
struct esp {
u_int32_t esp_spi; /* ESP */
/* variable size, 32bit bound */ /* Initialization Vector */
/* variable size */ /* Payload data */
/* variable size */ /* padding */
/* 8bit */ /* pad size */
/* 8bit */ /* next header */
/* 8bit */ /* next header */
/* variable size, 32bit bound */ /* Authentication data (new IPsec) */
};
struct newesp {
u_int32_t esp_spi; /* ESP */
u_int32_t esp_seq; /* Sequence number */
/* variable size */ /* (IV and) Payload data */
/* variable size */ /* padding */
/* 8bit */ /* pad size */
/* 8bit */ /* next header */
/* 8bit */ /* next header */
/* variable size, 32bit bound *//* Authentication data */
};
struct esptail {
u_int8_t esp_padlen; /* pad length */
u_int8_t esp_nxt; /* Next header */
/* variable size, 32bit bound *//* Authentication data (new IPsec)*/
};
#ifdef _KERNEL
struct secasvar;
struct esp_algorithm {
size_t padbound; /* pad boundary, in byte */
int ivlenval; /* iv length, in byte */
int (*mature) __P((struct secasvar *));
int keymin; /* in bits */
int keymax; /* in bits */
size_t (*schedlen) __P((const struct esp_algorithm *));
const char *name;
int (*ivlen) __P((const struct esp_algorithm *, struct secasvar *));
int (*decrypt) __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
int (*encrypt) __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));
/* not supposed to be called directly */
int (*schedule) __P((const struct esp_algorithm *, struct secasvar *));
int (*blockdecrypt) __P((const struct esp_algorithm *,
struct secasvar *, u_int8_t *, u_int8_t *));
int (*blockencrypt) __P((const struct esp_algorithm *,
struct secasvar *, u_int8_t *, u_int8_t *));
};
extern const struct esp_algorithm *esp_algorithm_lookup __P((int));
extern int esp_max_ivlen __P((void));
/* crypt routines */
extern int esp4_output __P((struct mbuf *, struct ipsecrequest *));
extern void esp4_input __P((struct mbuf *, int));
extern size_t esp_hdrsiz __P((struct ipsecrequest *));
extern int esp_schedule __P((const struct esp_algorithm *, struct secasvar *));
extern int esp_auth __P((struct mbuf *, size_t, size_t,
struct secasvar *, u_char *));
#endif /* _KERNEL */
#endif /* _NETINET6_ESP_H_ */


@ -1,48 +0,0 @@
/* $FreeBSD$ */
/* $KAME: esp.h,v 1.16 2000/10/18 21:28:00 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* RFC1827/2406 Encapsulated Security Payload.
*/
#ifndef _NETINET6_ESP6_H_
#define _NETINET6_ESP6_H_
#ifdef _KERNEL
extern int esp6_output __P((struct mbuf *, u_char *, struct mbuf *,
struct ipsecrequest *));
extern int esp6_input __P((struct mbuf **, int *, int));
extern void esp6_ctlinput __P((int, struct sockaddr *, void *));
#endif /*_KERNEL*/
#endif /*_NETINET6_ESP6_H_*/


@ -1,42 +0,0 @@
/* $KAME: esp_aesctr.h,v 1.2 2003/07/20 00:29:38 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
extern int esp_aesctr_mature __P((struct secasvar *));
extern size_t esp_aesctr_schedlen __P((const struct esp_algorithm *));
extern int esp_aesctr_schedule __P((const struct esp_algorithm *,
struct secasvar *));
extern int esp_aesctr_decrypt __P((struct mbuf *, size_t,
struct secasvar *, const struct esp_algorithm *, int));
extern int esp_aesctr_encrypt __P((struct mbuf *, size_t, size_t,
struct secasvar *, const struct esp_algorithm *, int));


@ -1,39 +0,0 @@
/* $FreeBSD$ */
/* $KAME: esp_rijndael.h,v 1.2 2003/01/20 00:55:27 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
size_t esp_rijndael_schedlen __P((const struct esp_algorithm *));
int esp_rijndael_schedule __P((const struct esp_algorithm *,
struct secasvar *));
int esp_rijndael_blockdecrypt __P((const struct esp_algorithm *,
struct secasvar *, u_int8_t *, u_int8_t *));
int esp_rijndael_blockencrypt __P((const struct esp_algorithm *,
struct secasvar *, u_int8_t *, u_int8_t *));


@ -99,11 +99,6 @@
#include <netinet6/mld6_var.h>
#include <netinet6/nd6.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netkey/key.h>
#endif
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
@ -2232,7 +2227,7 @@ icmp6_redirect_input(m, off)
struct mbuf *m;
int off;
{
struct ifnet *ifp = m->m_pkthdr.rcvif;
struct ifnet *ifp;
struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
struct nd_redirect *nd_rd;
int icmp6len = ntohs(ip6->ip6_plen);
@ -2249,7 +2244,12 @@ icmp6_redirect_input(m, off)
union nd_opts ndopts;
char ip6buf[INET6_ADDRSTRLEN];
if (!m || !ifp)
if (!m)
return;
ifp = m->m_pkthdr.rcvif;
if (!ifp)
return;
/* XXX if we are router, we don't update route by icmp6 redirect */
@ -2417,9 +2417,9 @@ icmp6_redirect_input(m, off)
sdst.sin6_len = sizeof(struct sockaddr_in6);
bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
key_sa_routechange((struct sockaddr *)&sdst);
#endif
#endif /* FAST_IPSEC */
}
freeit:
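Review bot: The hoisted `if (!m) return;` in icmp6_redirect_input still sits below the declarations `struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);` and `int icmp6len = ntohs(ip6->ip6_plen);`, so a NULL m is dereferenced before the check can fire; only ifp was moved. Either give ip6 and icmp6len the same treatment and assign them after the check, `ip6 = mtod(m, struct ip6_hdr *); icmp6len = ntohs(ip6->ip6_plen);`, or, if m can never be NULL here, replace the check with a KASSERT so the intent is explicit. The body of icmp6_redirect_input continues outside the hunks.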


@ -409,9 +409,10 @@ struct route_in6 {
#define IPV6_BINDV6ONLY IPV6_V6ONLY
#endif
#if 1 /* IPSEC */
#ifdef FAST_IPSEC
#define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */
#endif
#endif /* FAST_IPSEC */
#define IPV6_FAITH 29 /* bool; accept FAITH'ed connections */
#if 1 /* IPV6FIREWALL */
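Review bot: `IPV6_IPSEC_POLICY` is a socket-option number exported to userland through this installed header, and replacing the unconditional `#if 1` with `#ifdef FAST_IPSEC` ties it to a kernel-config symbol that userland builds never define, so programs that get or set IPv6 IPsec policy lose the definition. The option number should stay unconditional, `#define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */`, with the FAST_IPSEC conditional kept only around the kernel code that implements it; how the IPv4 header handles its equivalent is not visible on this page.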


@ -99,18 +99,6 @@
#include <netinet6/in6_pcb.h>
#include <netinet6/scope6_var.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#include <netinet6/ah.h>
#ifdef INET6
#include <netinet6/ah6.h>
#endif
#include <netkey/key.h>
#endif /* IPSEC */
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
@ -402,10 +390,7 @@ in6_pcbconnect(inp, nam, cred)
(htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
in_pcbrehash(inp);
#ifdef IPSEC
if (inp->inp_socket->so_type == SOCK_STREAM)
ipsec_pcbconn(inp->inp_sp);
#endif
return (0);
}
@ -422,9 +407,6 @@ in6_pcbdisconnect(inp)
/* clear flowinfo - draft-itojun-ipv6-flowlabel-api-00 */
inp->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;
in_pcbrehash(inp);
#ifdef IPSEC
ipsec_pcbdisconn(inp->inp_sp);
#endif
}
void
@ -445,10 +427,10 @@ in6_pcbfree(struct inpcb *inp)
INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo);
INP_LOCK_ASSERT(inp);
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
if (inp->in6p_sp != NULL)
ipsec6_delete_pcbpolicy(inp);
#endif /* IPSEC */
#endif /* FAST_IPSEC */
inp->inp_gencnt = ++ipi->ipi_gencnt;
in_pcbremlists(inp);
ip6_freepcbopts(inp->in6p_outputopts);


@ -103,27 +103,6 @@
#include <netinet6/pim6_var.h>
#include <netinet6/nd6.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#include <netinet6/ah.h>
#ifdef INET6
#include <netinet6/ah6.h>
#endif
#ifdef IPSEC_ESP
#include <netinet6/esp.h>
#ifdef INET6
#include <netinet6/esp6.h>
#endif
#endif
#include <netinet6/ipcomp.h>
#ifdef INET6
#include <netinet6/ipcomp6.h>
#endif
#endif /* IPSEC */
#ifdef DEV_CARP
#include <netinet/ip_carp.h>
#endif
@ -137,12 +116,8 @@
#endif /* SCTP */
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#define IPSEC
#define IPSEC_ESP
#define ah6_input ipsec6_common_input
#define esp6_input ipsec6_common_input
#define ipcomp6_input ipsec6_common_input
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@ -277,35 +252,33 @@ struct ip6protosw inet6sw[] = {
.pr_input = frag6_input,
.pr_usrreqs = &nousrreqs
},
#ifdef IPSEC
#ifdef FAST_IPSEC
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
.pr_protocol = IPPROTO_AH,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = ah6_input,
.pr_input = ipsec6_common_input,
.pr_usrreqs = &nousrreqs,
},
#ifdef IPSEC_ESP
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
.pr_protocol = IPPROTO_ESP,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = esp6_input,
.pr_input = ipsec6_common_input,
.pr_ctlinput = esp6_ctlinput,
.pr_usrreqs = &nousrreqs,
},
#endif
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
.pr_protocol = IPPROTO_IPCOMP,
.pr_flags = PR_ATOMIC|PR_ADDR,
.pr_input = ipcomp6_input,
.pr_input = ipsec6_common_input,
.pr_usrreqs = &nousrreqs,
},
#endif /* IPSEC */
#endif /* FAST_IPSEC */
#ifdef INET
{
.pr_type = SOCK_RAW,
@ -465,9 +438,9 @@ SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, CTLFLAG_RW, 0, "TCP6");
#ifdef SCTP
SYSCTL_NODE(_net_inet6, IPPROTO_SCTP, sctp6, CTLFLAG_RW, 0, "SCTP6");
#endif
#ifdef IPSEC
#ifdef FAST_IPSEC
SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6");
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/* net.inet6.ip6 */
static int


@ -65,19 +65,10 @@
#include <netinet/in_pcb.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#include <netkey/key.h>
#endif /* IPSEC */
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
#define IPSEC
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@ -110,7 +101,7 @@ ip6_forward(m, srcrt)
struct ifnet *origifp; /* maybe unnecessary */
u_int32_t inzone, outzone;
struct in6_addr src_in6, dst_in6;
#ifdef IPSEC
#ifdef FAST_IPSEC
struct secpolicy *sp = NULL;
int ipsecrt = 0;
#endif
@ -118,7 +109,7 @@ ip6_forward(m, srcrt)
GIANT_REQUIRED; /* XXX bz: ip6_forward_rt */
#ifdef IPSEC
#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
@ -127,13 +118,11 @@ ip6_forward(m, srcrt)
* before forwarding packet actually.
*/
if (ipsec6_in_reject(m, NULL)) {
#if !defined(FAST_IPSEC)
ipsec6stat.in_polvio++;
#endif
m_freem(m);
return;
}
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/*
* Do not forward packets to multicast destination (should be handled
@ -186,9 +175,9 @@ ip6_forward(m, srcrt)
*/
mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
#ifdef IPSEC
#ifdef FAST_IPSEC
/* get a security policy for this packet */
sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
IP_FORWARDING, &error);
if (sp == NULL) {
ipsec6stat.out_inval++;
@ -214,7 +203,7 @@ ip6_forward(m, srcrt)
*/
ipsec6stat.out_polvio++;
ip6stat.ip6s_cantforward++;
key_freesp(sp);
KEY_FREESP(&sp);
if (mcopy) {
#if 0
/* XXX: what icmp ? */
@ -228,7 +217,7 @@ ip6_forward(m, srcrt)
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_NONE:
/* no need to do IPsec. */
key_freesp(sp);
KEY_FREESP(&sp);
goto skip_ipsec;
case IPSEC_POLICY_IPSEC:
@ -236,7 +225,7 @@ ip6_forward(m, srcrt)
/* XXX should be panic ? */
printf("ip6_forward: No IPsec request specified.\n");
ip6stat.ip6s_cantforward++;
key_freesp(sp);
KEY_FREESP(&sp);
if (mcopy) {
#if 0
/* XXX: what icmp ? */
@ -254,7 +243,7 @@ ip6_forward(m, srcrt)
default:
/* should be panic ?? */
printf("ip6_forward: Invalid policy found. %d\n", sp->policy);
key_freesp(sp);
KEY_FREESP(&sp);
goto skip_ipsec;
}
@ -301,7 +290,7 @@ ip6_forward(m, srcrt)
error = ipsec6_output_tunnel(&state, sp, 0);
m = state.m;
key_freesp(sp);
KEY_FREESP(&sp);
if (error) {
/* mbuf is already reclaimed in ipsec6_output_tunnel. */
@ -329,9 +318,18 @@ ip6_forward(m, srcrt)
}
m_freem(m);
return;
} else {
/*
* In the FAST IPSec case we have already
* re-injected the packet and it has been freed
* by the ipsec_done() function. So, just clean
* up after ourselves.
*/
m = NULL;
goto freecopy;
}
if (ip6 != mtod(m, struct ip6_hdr *)) {
if ((m != NULL) && (ip6 != mtod(m, struct ip6_hdr *)) ){
/*
* now tunnel mode headers are added. we are originating
* packet instead of forwarding the packet.
@ -348,9 +346,9 @@ ip6_forward(m, srcrt)
ipsecrt = 1;
}
skip_ipsec:
#endif /* IPSEC */
#endif /* FAST_IPSEC */
#ifdef IPSEC
#ifdef FAST_IPSEC
if (ipsecrt)
goto skip_routing;
#endif
@ -403,7 +401,7 @@ ip6_forward(m, srcrt)
}
}
rt = ip6_forward_rt.ro_rt;
#ifdef IPSEC
#ifdef FAST_IPSEC
skip_routing:;
#endif
@ -431,7 +429,7 @@ ip6_forward(m, srcrt)
return;
}
if (inzone != outzone
#ifdef IPSEC
#ifdef FAST_IPSEC
&& !ipsecrt
#endif
) {
@ -477,14 +475,14 @@ ip6_forward(m, srcrt)
in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
if (mcopy) {
u_long mtu;
#ifdef IPSEC
#ifdef FAST_IPSEC
struct secpolicy *sp;
int ipsecerror;
size_t ipsechdrsiz;
#endif
#endif /* FAST_IPSEC */
mtu = IN6_LINKMTU(rt->rt_ifp);
#ifdef IPSEC
#ifdef FAST_IPSEC
/*
* When we do IPsec tunnel ingress, we need to play
* with the link value (decrement IPsec header size
@ -492,7 +490,7 @@ ip6_forward(m, srcrt)
* case, as we have the outgoing interface for
* encapsulated packet as "rt->rt_ifp".
*/
sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
sp = ipsec_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
IP_FORWARDING, &ipsecerror);
if (sp) {
ipsechdrsiz = ipsec6_hdrsiz(mcopy,
@ -507,7 +505,7 @@ ip6_forward(m, srcrt)
*/
if (mtu < IPV6_MMTU)
mtu = IPV6_MMTU;
#endif
#endif /* FAST_IPSEC */
icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
}
m_freem(m);
@ -527,9 +525,9 @@ ip6_forward(m, srcrt)
* modified by a redirect.
*/
if (ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt &&
#ifdef IPSEC
#ifdef FAST_IPSEC
!ipsecrt &&
#endif
#endif /* FAST_IPSEC */
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {
/*
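Review bot: After the new `else { m = NULL; goto freecopy; }` that follows ipsec6_output_tunnel(), the `(m != NULL) &&` guard added to the next `if` can never be false on any path that reaches it, and the tunnel-mode re-origination below it (`ipsecrt = 1`, the `skip_routing` label and the `!ipsecrt` tests in the later hunks) looks unreachable from the tunnel path as far as these hunks show. Either that guard and the ipsecrt plumbing are now dead and should be removed, or some path outside the hunk still reaches that code with a live mbuf and the new comment should say which. The comment attributes the free to `ipsec_done()`, a name that appears nowhere else on this page; it should name the netipsec routine that actually consumes the packet so the ownership hand-off can be checked. The enclosing ip6_forward() body starts and ends outside the hunks.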


@ -101,17 +101,10 @@
#include <netinet6/in6_ifattach.h>
#include <netinet6/nd6.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#endif
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netinet6/ip6_ipsec.h>
#include <netipsec/ipsec6.h>
#define IPSEC
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@ -230,16 +223,18 @@ ip6_input(m)
int srcrt = 0;
GIANT_REQUIRED; /* XXX for now */
#ifdef IPSEC
#ifdef FAST_IPSEC
/*
* should the inner packet be considered authentic?
* see comment in ah4_input().
* NB: m cannot be NULL when passed to the input routine
*/
if (m) {
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
}
#endif
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
#endif /* FAST_IPSEC */
/*
* make sure we don't have onion peering information into m_tag.
@ -766,18 +761,15 @@ ip6_input(m)
goto bad;
}
#ifdef IPSEC
#ifdef FAST_IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
ipsec6_in_reject(m, NULL)) {
ipsec6stat.in_polvio++;
if (ip6_ipsec_input(m, nxt))
goto bad;
}
#endif
#endif /* FAST_IPSEC */
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
}
return;
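Review bot: Replacing the inline `ipsec6_in_reject()` check with `ip6_ipsec_input(m, nxt)` drops the `ipsec6stat.in_polvio++` the old code kept, and the new helper in sys/netinet6/ip6_ipsec.c does not increment it either, so inbound policy violations are no longer counted in the IPv6 IPsec statistics. The counter should be restored where the reject decision is made, either inside the helper or here as `if (ip6_ipsec_input(m, nxt)) { ipsec6stat.in_polvio++; goto bad; }`, bearing in mind the helper also returns 1 when no policy is found. The M_AUTHIPHDR/M_AUTHIPDGM clearing now dereferences m unconditionally, which is consistent with the added `NB: m cannot be NULL` comment. The enclosing ip6_input() continues outside the hunks.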

369
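--- /dev/null
+++ b/sys/netinet6/ip6_ipsec.c
@@ -0,0 +1,369 @@
+/*-
+ * Copyright (c) 1982, 1986, 1988, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+#include "opt_ipsec.h"
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/mac.h>
+#include <sys/malloc.h>
+#include <sys/mbuf.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+#include <net/if.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/in_var.h>
+#include <netinet/ip.h>
+#include <netinet/in_pcb.h>
+#include <netinet/ip_var.h>
+#include <netinet/ip_options.h>
+#include <machine/in_cksum.h>
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#include <netipsec/xform.h>
+#include <netipsec/key.h>
+#ifdef IPSEC_DEBUG
+#include <netipsec/key_debug.h>
+#else
+#define KEYDEBUG(lev,arg)
+#endif
+#endif /*FAST_IPSEC*/
+#include <netinet6/ip6_ipsec.h>
+extern struct protosw inet6sw[];
+/*
+ * Check if we have to jump over firewall processing for this packet.
+ * Called from ip_input().
+ * 1 = jump over firewall, 0 = packet goes through firewall.
+ */
+int
+ip6_ipsec_filtergif(struct mbuf *m)
+{
+#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
+/*
+ * Bypass packet filtering for packets from a tunnel (gif).
+ */
+if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+return 1;
+#endif
+return 0;
+}
+/*
+ * Check if this packet has an active SA and needs to be dropped instead
+ * of forwarded.
+ * Called from ip_input().
+ * 1 = drop packet, 0 = forward packet.
+ */
+int
+ip6_ipsec_fwd(struct mbuf *m)
+{
+#ifdef FAST_IPSEC
+struct m_tag *mtag;
+struct tdb_ident *tdbi;
+struct secpolicy *sp;
+int s, error;
+mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+s = splnet();
+if (mtag != NULL) {
+tdbi = (struct tdb_ident *)(mtag + 1);
+sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
+} else {
+sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+IP_FORWARDING, &error);
+}
+if (sp == NULL) { /* NB: can happen if error */
+splx(s);
+/*XXX error stat???*/
+DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
+return 1;
+}
+/*
+ * Check security policy against packet attributes.
+ */
+error = ipsec_in_reject(sp, m);
+KEY_FREESP(&sp);
+splx(s);
+if (error) {
+ipstat.ips_cantforward++;
+return 1;
+}
+#endif /* FAST_IPSEC */
+return 0;
+}
+/*
+ * Check if protocol type doesn't have a further header and do IPSEC
+ * decryption or reject right now. Protocols with further headers get
+ * their IPSEC treatment within the protocol specific processing.
+ * Called from ip_input().
+ * 1 = drop packet, 0 = continue processing packet.
+ */
+int
+ip6_ipsec_input(struct mbuf *m, int nxt)
+{
+#ifdef FAST_IPSEC
+struct m_tag *mtag;
+struct tdb_ident *tdbi;
+struct secpolicy *sp;
+int s, error;
+/*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+ipsec6_in_reject(m, NULL)) {
+/*
+ * Check if the packet has already had IPsec processing
+ * done. If so, then just pass it along. This tag gets
+ * set during AH, ESP, etc. input handling, before the
+ * packet is returned to the ip input queue for delivery.
+ */
+mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+s = splnet();
+if (mtag != NULL) {
+tdbi = (struct tdb_ident *)(mtag + 1);
+sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
+} else {
+sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+IP_FORWARDING, &error);
+}
+if (sp != NULL) {
+/*
+ * Check security policy against packet attributes.
+ */
+error = ipsec_in_reject(sp, m);
+KEY_FREESP(&sp);
+} else {
+/* XXX error stat??? */
+error = EINVAL;
+DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
+return 1;
+}
+splx(s);
+if (error)
+return 1;
+}
+#endif /* FAST_IPSEC */
+return 0;
+}
+/*
+ * Called from ip6_output().
+ * 1 = drop packet, 0 = continue processing packet,
+ * -1 = packet was reinjected and stop processing packet (FAST_IPSEC only)
+ */
+int
+ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
+struct ifnet **ifp, struct secpolicy **sp)
+{
+#ifdef FAST_IPSEC
+struct tdb_ident *tdbi;
+struct m_tag *mtag;
+int s;
+if (sp == NULL)
+return 1;
+mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
+if (mtag != NULL) {
+tdbi = (struct tdb_ident *)(mtag + 1);
+*sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND);
+if (*sp == NULL)
+*error = -EINVAL; /* force silent drop */
+m_tag_delete(*m, mtag);
+} else {
+*sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags,
+error, inp);
+}
+/*
+ * There are four return cases:
+ * sp != NULL apply IPsec policy
+ * sp == NULL, error == 0 no IPsec handling needed
+ * sp == NULL, error == -EINVAL discard packet w/o error
+ * sp == NULL, error != 0 discard packet, report error
+ */
+if (*sp != NULL) {
+/* Loop detection, check if ipsec processing already done */
+KASSERT((*sp)->req != NULL, ("ip_output: no ipsec request"));
+for (mtag = m_tag_first(*m); mtag != NULL;
+mtag = m_tag_next(*m, mtag)) {
+if (mtag->m_tag_cookie != MTAG_ABI_COMPAT)
+continue;
+if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
+mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
+continue;
+/*
+ * Check if policy has an SA associated with it.
+ * This can happen when an SP has yet to acquire
+ * an SA; e.g. on first reference. If it occurs,
+ * then we let ipsec4_process_packet do its thing.
+ */
+if ((*sp)->req->sav == NULL)
+break;
+tdbi = (struct tdb_ident *)(mtag + 1);
+if (tdbi->spi == (*sp)->req->sav->spi &&
+tdbi->proto == (*sp)->req->sav->sah->saidx.proto &&
+bcmp(&tdbi->dst, &(*sp)->req->sav->sah->saidx.dst,
+sizeof (union sockaddr_union)) == 0) {
+/*
+ * No IPsec processing is needed, free
+ * reference to SP.
+ *
+ * NB: null pointer to avoid free at
+ * done: below.
+ */
+KEY_FREESP(sp), sp = NULL;
+splx(s);
+goto done;
+}
+}
+/*
+ * Do delayed checksums now because we send before
+ * this is done in the normal processing path.
+ */
+if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+in_delayed_cksum(*m);
+(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+}
+/*
+ * Preserve KAME behaviour: ENOENT can be returned
+ * when an SA acquire is in progress. Don't propagate
+ * this to user-level; it confuses applications.
+ *
+ * XXX this will go away when the SADB is redone.
+ */
+if (*error == ENOENT)
+*error = 0;
+goto do_ipsec;
+} else { /* sp == NULL */
+if (*error != 0) {
+/*
+ * Hack: -EINVAL is used to signal that a packet
+ * should be silently discarded. This is typically
+ * because we asked key management for an SA and
+ * it was delayed (e.g. kicked up to IKE).
+ */
+if (*error == -EINVAL)
+*error = 0;
+goto bad;
+} else {
+/* No IPsec processing for this packet. */
+}
+}
+done:
+if (sp != NULL)
+if (*sp != NULL)
+KEY_FREESP(sp);
+return 0;
+do_ipsec:
+return -1;
+bad:
+if (sp != NULL)
+if (*sp != NULL)
+KEY_FREESP(sp);
+return 1;
+#endif /* FAST_IPSEC */
+return 0;
+}
+/*
+ * Compute the MTU for a forwarded packet that gets IPSEC encapsulated.
+ * Called from ip_forward().
+ * Returns MTU suggestion for ICMP needfrag reply.
+ */
+int
+ip6_ipsec_mtu(struct mbuf *m)
+{
+int mtu = 0;
+/*
+ * If the packet is routed over IPsec tunnel, tell the
+ * originator the tunnel MTU.
+ * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
+ * XXX quickhack!!!
+ */
+struct secpolicy *sp = NULL;
+int ipsecerror;
+int ipsechdr;
+struct route *ro;
+#ifdef FAST_IPSEC
+sp = ipsec_getpolicybyaddr(m,
+IPSEC_DIR_OUTBOUND,
+IP_FORWARDING,
+&ipsecerror);
+#endif /* FAST_IPSEC */
+if (sp != NULL) {
+/* count IPsec header size */
+ipsechdr = ipsec4_hdrsiz(m,
+IPSEC_DIR_OUTBOUND,
+NULL);
+/*
+ * find the correct route for outer IPv4
+ * header, compute tunnel MTU.
+ */
+if (sp->req != NULL &&
+sp->req->sav != NULL &&
+sp->req->sav->sah != NULL) {
+ro = &sp->req->sav->sah->sa_route;
+if (ro->ro_rt && ro->ro_rt->rt_ifp) {
+mtu =
+ro->ro_rt->rt_rmx.rmx_mtu ?
+ro->ro_rt->rt_rmx.rmx_mtu :
+ro->ro_rt->rt_ifp->if_mtu;
+mtu -= ipsechdr;
+}
+}
+#ifdef FAST_IPSEC
+KEY_FREESP(&sp);
+#endif /* FAST_IPSEC */
+}
+return mtu;
+}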
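Review bot: `ip6_ipsec_input()` returns 1 from its `sp == NULL` branch without calling `splx(s)` after the `splnet()` above it, and `ip6_ipsec_output()` calls `splx(s)` in the loop-detection match case with `s` declared but never assigned from `splnet()`; the first leaves the spl raised, the second restores an indeterminate value. Move the `splx(s)` ahead of that `return 1;` in ip6_ipsec_input, and in ip6_ipsec_output either add the matching `s = splnet();` before the tag walk or drop the `int s;`/`splx(s);` pair. Several IPv4 helpers and counters look carried over from ip_ipsec.c unchanged: `ipsec4_checkpolicy()` and `in_delayed_cksum()` in ip6_ipsec_output, `ipsec4_hdrsiz()` and the "outer IPv4 header" comment in ip6_ipsec_mtu, and `ipstat.ips_cantforward++` in ip6_ipsec_fwd, where the mbuf carries an IPv6 header; ip6_forward.c on this page already uses `ipsec6_hdrsiz()` and `ip6stat.ip6s_cantforward++`, and the checkpolicy and delayed-checksum calls need confirming against the netipsec API for IPv6 before this is wired into ip6_output. The function headers also still say "Called from ip_input()" and "Called from ip_forward()", and the DPRINTF strings say "ip_input:"; they should name ip6_input() and ip6_forward().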


@ -1,8 +1,6 @@
/* $KAME: ah_aesxcbcmac.h,v 1.3 2003/07/20 18:01:20 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project.
* All rights reserved.
* Copyright (c) 1982, 1986, 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -12,14 +10,14 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@ -31,10 +29,13 @@
* $FreeBSD$
*/
extern int ah_aes_xcbc_mac_init __P((struct ah_algorithm_state *,
struct secasvar *));
extern void ah_aes_xcbc_mac_loop __P((struct ah_algorithm_state *, u_int8_t *,
size_t));
extern void ah_aes_xcbc_mac_result __P((struct ah_algorithm_state *,
u_int8_t *, size_t));
#ifndef _NETINET_IP6_IPSEC_H_
#define _NETINET_IP6_IPSEC_H_
int ip6_ipsec_filtergif(struct mbuf *);
int ip6_ipsec_fwd(struct mbuf *);
int ip6_ipsec_input(struct mbuf *, int);
int ip6_ipsec_mtu(struct mbuf *);
int ip6_ipsec_output(struct mbuf **, struct inpcb *, int *, int *,
struct ifnet **, struct secpolicy **sp);
#endif


@ -91,18 +91,11 @@
#include <netinet/tcp_var.h>
#include <netinet6/nd6.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#include <netkey/key.h>
#endif /* IPSEC */
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
#include <netinet6/ip6_ipsec.h>
#endif /* FAST_IPSEC */
#include <netinet6/ip6protosw.h>
@ -138,6 +131,42 @@ static int ip6_getpmtu __P((struct route_in6 *, struct route_in6 *,
static int copypktopts __P((struct ip6_pktopts *, struct ip6_pktopts *, int));
/*
* Make an extension header from option data. hp is the source, and
* mp is the destination.
*/
#define MAKE_EXTHDR(hp, mp) \
do { \
if (hp) { \
struct ip6_ext *eh = (struct ip6_ext *)(hp); \
error = ip6_copyexthdr((mp), (caddr_t)(hp), \
((eh)->ip6e_len + 1) << 3); \
if (error) \
goto freehdrs; \
} \
} while (/*CONSTCOND*/ 0)
/*
* Form a chain of extension headers.
* m is the extension header mbuf
* mp is the previous mbuf in the chain
* p is the next header
* i is the type of option.
*/
#define MAKE_CHAIN(m, mp, p, i)\
do {\
if (m) {\
if (!hdrsplit) \
panic("assumption failed: hdr not split"); \
*mtod((m), u_char *) = *(p);\
*(p) = (i);\
p = mtod((m), u_char *);\
(m)->m_next = (mp)->m_next;\
(mp)->m_next = (m);\
(mp) = (m);\
}\
} while (/*CONSTCOND*/ 0)
/*
* IP6 output. The packet in mbuf chain m contains a skeletal IP6
* header (with pri, len, nxt, hlim, src, dst).
@ -162,6 +191,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
struct ip6_hdr *ip6, *mhip6;
struct ifnet *ifp, *origifp;
struct mbuf *m = m0;
struct mbuf *mprev = NULL;
int hlen, tlen, len, off;
struct route_in6 ip6route;
struct rtentry *rt = NULL;
@ -178,25 +208,22 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
struct route_in6 *ro_pmtu = NULL;
int hdrsplit = 0;
int needipsec = 0;
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
struct ipsec_output_state state;
struct ip6_rthdr *rh = NULL;
int needipsectun = 0;
int segleft_org = 0;
struct secpolicy *sp = NULL;
#endif /*IPSEC || FAST_IPSEC*/
#endif /* FAST_IPSEC */
ip6 = mtod(m, struct ip6_hdr *);
if (ip6 == NULL) {
printf ("ip6 is NULL");
goto bad;
}
finaldst = ip6->ip6_dst;
#define MAKE_EXTHDR(hp, mp) \
do { \
if (hp) { \
struct ip6_ext *eh = (struct ip6_ext *)(hp); \
error = ip6_copyexthdr((mp), (caddr_t)(hp), \
((eh)->ip6e_len + 1) << 3); \
if (error) \
goto freehdrs; \
} \
} while (/*CONSTCOND*/ 0)
bzero(&exthdrs, sizeof(exthdrs));
if (opt) {
@ -206,7 +233,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
if (opt->ip6po_rthdr) {
/*
* Destination options header(1st part)
* This only makes sence with a routing header.
* This only makes sense with a routing header.
* See Section 9.2 of RFC 3542.
* Disabling this part just for MIP6 convenience is
* a bad idea. We need to think carefully about a
@ -222,90 +249,20 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
MAKE_EXTHDR(opt->ip6po_dest2, &exthdrs.ip6e_dest2);
}
#ifdef IPSEC
/* get a security policy for this packet */
if (inp == NULL)
sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
else
sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error);
if (sp == NULL) {
ipsec6stat.out_inval++;
goto freehdrs;
}
error = 0;
/* check policy */
switch (sp->policy) {
case IPSEC_POLICY_DISCARD:
/*
* This packet is just discarded.
*/
ipsec6stat.out_polvio++;
goto freehdrs;
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_NONE:
/* no need to do IPsec. */
needipsec = 0;
break;
case IPSEC_POLICY_IPSEC:
if (sp->req == NULL) {
/* acquire a policy */
error = key_spdacquire(sp);
goto freehdrs;
}
needipsec = 1;
break;
case IPSEC_POLICY_ENTRUST:
default:
printf("ip6_output: Invalid policy found. %d\n", sp->policy);
}
#endif /* IPSEC */
/*
* IPSec checking which handles several cases.
* FAST IPSEC: We re-injected the packet.
*/
#ifdef FAST_IPSEC
/* get a security policy for this packet */
if (inp == NULL)
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
else
sp = ipsec_getpolicybysock(m, IPSEC_DIR_OUTBOUND, inp, &error);
if (sp == NULL) {
newipsecstat.ips_out_inval++;
switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp))
{
case 1: /* Bad packet */
goto freehdrs;
}
error = 0;
/* check policy */
switch (sp->policy) {
case IPSEC_POLICY_DISCARD:
/*
* This packet is just discarded.
*/
newipsecstat.ips_out_polvio++;
goto freehdrs;
case IPSEC_POLICY_BYPASS:
case IPSEC_POLICY_NONE:
/* no need to do IPsec. */
needipsec = 0;
break;
case IPSEC_POLICY_IPSEC:
if (sp->req == NULL) {
/* acquire a policy */
error = key_spdacquire(sp);
goto freehdrs;
}
needipsec = 1;
break;
case IPSEC_POLICY_ENTRUST:
case -1: /* Do IPSec */
needipsec = 1;
case 0: /* No IPSec */
default:
printf("ip6_output: Invalid policy found. %d\n", sp->policy);
break;
}
#endif /* FAST_IPSEC */
@ -314,12 +271,17 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
* Keep the length of the unfragmentable part for fragmentation.
*/
optlen = 0;
if (exthdrs.ip6e_hbh) optlen += exthdrs.ip6e_hbh->m_len;
if (exthdrs.ip6e_dest1) optlen += exthdrs.ip6e_dest1->m_len;
if (exthdrs.ip6e_rthdr) optlen += exthdrs.ip6e_rthdr->m_len;
if (exthdrs.ip6e_hbh)
optlen += exthdrs.ip6e_hbh->m_len;
if (exthdrs.ip6e_dest1)
optlen += exthdrs.ip6e_dest1->m_len;
if (exthdrs.ip6e_rthdr)
optlen += exthdrs.ip6e_rthdr->m_len;
unfragpartlen = optlen + sizeof(struct ip6_hdr);
/* NOTE: we don't add AH/ESP length here. do that later. */
if (exthdrs.ip6e_dest2) optlen += exthdrs.ip6e_dest2->m_len;
if (exthdrs.ip6e_dest2)
optlen += exthdrs.ip6e_dest2->m_len;
/*
* If we need IPsec, or there is at least one extension header,
@ -369,106 +331,94 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
* during the header composing process, "m" points to IPv6 header.
* "mprev" points to an extension header prior to esp.
*/
{
u_char *nexthdrp = &ip6->ip6_nxt;
struct mbuf *mprev = m;
/*
* we treat dest2 specially. this makes IPsec processing
* much easier. the goal here is to make mprev point the
* mbuf prior to dest2.
*
* result: IPv6 dest2 payload
* m and mprev will point to IPv6 header.
*/
if (exthdrs.ip6e_dest2) {
if (!hdrsplit)
panic("assumption failed: hdr not split");
exthdrs.ip6e_dest2->m_next = m->m_next;
m->m_next = exthdrs.ip6e_dest2;
*mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt;
ip6->ip6_nxt = IPPROTO_DSTOPTS;
}
#define MAKE_CHAIN(m, mp, p, i)\
do {\
if (m) {\
if (!hdrsplit) \
panic("assumption failed: hdr not split"); \
*mtod((m), u_char *) = *(p);\
*(p) = (i);\
p = mtod((m), u_char *);\
(m)->m_next = (mp)->m_next;\
(mp)->m_next = (m);\
(mp) = (m);\
}\
} while (/*CONSTCOND*/ 0)
/*
* result: IPv6 hbh dest1 rthdr dest2 payload
* m will point to IPv6 header. mprev will point to the
* extension header prior to dest2 (rthdr in the above case).
*/
MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS);
MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp,
IPPROTO_DSTOPTS);
MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
IPPROTO_ROUTING);
#if defined(IPSEC) || defined(FAST_IPSEC)
if (!needipsec)
goto skip_ipsec2;
/*
* pointers after IPsec headers are not valid any more.
* other pointers need a great care too.
* (IPsec routines should not mangle mbufs prior to AH/ESP)
*/
exthdrs.ip6e_dest2 = NULL;
{
struct ip6_rthdr *rh = NULL;
int segleft_org = 0;
struct ipsec_output_state state;
if (exthdrs.ip6e_rthdr) {
rh = mtod(exthdrs.ip6e_rthdr, struct ip6_rthdr *);
segleft_org = rh->ip6r_segleft;
rh->ip6r_segleft = 0;
}
bzero(&state, sizeof(state));
state.m = m;
error = ipsec6_output_trans(&state, nexthdrp, mprev, sp, flags,
&needipsectun);
m = state.m;
if (error) {
/* mbuf is already reclaimed in ipsec6_output_trans. */
m = NULL;
switch (error) {
case EHOSTUNREACH:
case ENETUNREACH:
case EMSGSIZE:
case ENOBUFS:
case ENOMEM:
break;
default:
printf("ip6_output (ipsec): error code %d\n", error);
/* FALLTHROUGH */
case ENOENT:
/* don't show these error codes to the user */
error = 0;
break;
}
goto bad;
}
if (exthdrs.ip6e_rthdr) {
/* ah6_output doesn't modify mbuf chain */
rh->ip6r_segleft = segleft_org;
}
}
skip_ipsec2:;
#endif
u_char *nexthdrp = &ip6->ip6_nxt;
mprev = m;
/*
* we treat dest2 specially. this makes IPsec processing
* much easier. the goal here is to make mprev point the
* mbuf prior to dest2.
*
* result: IPv6 dest2 payload
* m and mprev will point to IPv6 header.
*/
if (exthdrs.ip6e_dest2) {
if (!hdrsplit)
panic("assumption failed: hdr not split");
exthdrs.ip6e_dest2->m_next = m->m_next;
m->m_next = exthdrs.ip6e_dest2;
*mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt;
ip6->ip6_nxt = IPPROTO_DSTOPTS;
}
/*
* result: IPv6 hbh dest1 rthdr dest2 payload
* m will point to IPv6 header. mprev will point to the
* extension header prior to dest2 (rthdr in the above case).
*/
MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS);
MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp,
IPPROTO_DSTOPTS);
MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
IPPROTO_ROUTING);
#ifdef FAST_IPSEC
if (!needipsec)
goto skip_ipsec2;
/*
* pointers after IPsec headers are not valid any more.
* other pointers need a great care too.
* (IPsec routines should not mangle mbufs prior to AH/ESP)
*/
exthdrs.ip6e_dest2 = NULL;
if (exthdrs.ip6e_rthdr) {
rh = mtod(exthdrs.ip6e_rthdr, struct ip6_rthdr *);
segleft_org = rh->ip6r_segleft;
rh->ip6r_segleft = 0;
}
bzero(&state, sizeof(state));
state.m = m;
error = ipsec6_output_trans(&state, nexthdrp, mprev, sp, flags,
&needipsectun);
m = state.m;
if (error) {
/* mbuf is already reclaimed in ipsec6_output_trans. */
m = NULL;
switch (error) {
case EHOSTUNREACH:
case ENETUNREACH:
case EMSGSIZE:
case ENOBUFS:
case ENOMEM:
break;
default:
printf("ip6_output (ipsec): error code %d\n", error);
/* FALLTHROUGH */
case ENOENT:
/* don't show these error codes to the user */
error = 0;
break;
}
goto bad;
} else if (!needipsectun) {
/*
* In the FAST IPSec case we have already
* re-injected the packet and it has been freed
* by the ipsec_done() function. So, just clean
* up after ourselves.
*/
m = NULL;
goto done;
}
if (exthdrs.ip6e_rthdr) {
/* ah6_output doesn't modify mbuf chain */
rh->ip6r_segleft = segleft_org;
}
skip_ipsec2:;
#endif /* FAST_IPSEC */
/*
* If there is a routing header, replace the destination address field
@ -572,7 +522,13 @@ skip_ipsec2:;
ip6->ip6_hlim = ip6_defmcasthlim;
}
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/*
* Same as similar comment above.
* We only want to do regular IPSEC here and leave this pure
* in the case that we're using FAST_IPSEC which uses
* this code to re-inject packets.
*/
if (needipsec && needipsectun) {
struct ipsec_output_state state;
@ -617,11 +573,20 @@ skip_ipsec2:;
break;
}
goto bad;
} else {
/*
* In the FAST IPSec case we have already
* re-injected the packet and it has been freed
* by the ipsec_done() function. So, just clean
* up after ourselves.
*/
m = NULL;
goto done;
}
exthdrs.ip6e_ip6 = m;
}
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/* adjust pointer */
ip6 = mtod(m, struct ip6_hdr *);
@ -965,10 +930,6 @@ skip_ipsec2:;
ia6->ia_ifa.if_opackets++;
ia6->ia_ifa.if_obytes += m->m_pkthdr.len;
}
#ifdef IPSEC
/* clean ipsec history once it goes out of the node */
ipsec_delaux(m);
#endif
error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
goto done;
}
@ -991,10 +952,7 @@ skip_ipsec2:;
struct ip6_frag *ip6f;
u_int32_t id = htonl(ip6_randomid());
u_char nextproto;
#if 0
struct ip6ctlparam ip6cp;
u_int32_t mtu32;
#endif
int qslots = ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len;
/*
@ -1006,25 +964,6 @@ skip_ipsec2:;
if (mtu > IPV6_MAXPACKET)
mtu = IPV6_MAXPACKET;
#if 0
/*
* It is believed this code is a leftover from the
* development of the IPV6_RECVPATHMTU sockopt and
* associated work to implement RFC3542.
* It's not entirely clear what the intent of the API
* is at this point, so disable this code for now.
* The IPV6_RECVPATHMTU sockopt and/or IPV6_DONTFRAG
* will send notifications if the application requests.
*/
/* Notify a proper path MTU to applications. */
mtu32 = (u_int32_t)mtu;
bzero(&ip6cp, sizeof(ip6cp));
ip6cp.ip6c_cmdarg = (void *)&mtu32;
pfctlinput2(PRC_MSGSIZE, (struct sockaddr *)&ro_pmtu->ro_dst,
(void *)&ip6cp);
#endif
len = (mtu - hlen - sizeof(struct ip6_frag)) & ~7;
if (len < 8) {
error = EMSGSIZE;
@ -1130,10 +1069,6 @@ skip_ipsec2:;
ia->ia_ifa.if_opackets++;
ia->ia_ifa.if_obytes += m->m_pkthdr.len;
}
#ifdef IPSEC
/* clean ipsec history once it goes out of the node */
ipsec_delaux(m);
#endif
error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
} else
m_freem(m);
@ -1149,15 +1084,6 @@ skip_ipsec2:;
RTFREE(ro_pmtu->ro_rt);
}
#ifdef IPSEC
if (sp != NULL)
key_freesp(sp);
#endif /* IPSEC */
#ifdef FAST_IPSEC
if (sp != NULL)
KEY_FREESP(&sp);
#endif /* FAST_IPSEC */
return (error);
freehdrs:
@ -1167,7 +1093,8 @@ skip_ipsec2:;
m_freem(exthdrs.ip6e_dest2);
/* FALLTHROUGH */
bad:
m_freem(m);
if (m)
m_freem(m);
goto done;
}
@ -1847,7 +1774,7 @@ do { \
}
break;
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
case IPV6_IPSEC_POLICY:
{
caddr_t req = NULL;
@ -1867,7 +1794,7 @@ do { \
m_freem(m);
}
break;
#endif /* KAME IPSEC */
#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
@ -2064,7 +1991,7 @@ do { \
}
break;
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
case IPV6_IPSEC_POLICY:
{
caddr_t req = NULL;
@ -2093,7 +2020,7 @@ do { \
m_freem(m);
break;
}
#endif /* KAME IPSEC */
#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
@ -2449,7 +2376,7 @@ copypktopts(dst, src, canwait)
if (src->ip6po_pktinfo) {
dst->ip6po_pktinfo = malloc(sizeof(*dst->ip6po_pktinfo),
M_IP6OPT, canwait);
if (dst->ip6po_pktinfo == NULL && canwait == M_NOWAIT)
if (dst->ip6po_pktinfo == NULL)
goto bad;
*dst->ip6po_pktinfo = *src->ip6po_pktinfo;
}
@ -2487,7 +2414,7 @@ ip6_copypktopts(src, canwait)
struct ip6_pktopts *dst;
dst = malloc(sizeof(*dst), M_IP6OPT, canwait);
if (dst == NULL && canwait == M_NOWAIT)
if (dst == NULL)
return (NULL);
ip6_initpktopts(dst);
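Review bot: The NULL guard added at the top of ip6_output in hunk @ -178 cannot take effect, because `mtod(m, struct ip6_hdr *)` dereferences m (`m->m_data`) before `ip6 == NULL` is ever tested, so a NULL m faults on the mtod line; test `if (m == NULL)` before the mtod, and give the message a newline, `printf("ip6_output: m is NULL\n");`. Hunk @ -1149 drops the `KEY_FREESP(&sp)` at done: while hunk @ -222 still fills `sp` via `ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp)` and hunk @ -369 passes it to `ipsec6_output_trans`; unless ip6_ipsec_output or the output routines now own that reference, the policy refcount taken on the transport-mode path is never released and SPD entries accumulate, but I cannot see ip6_ipsec_output from this diff, so please confirm who frees it. In hunk @ -222 the `case -1: needipsec = 1;` arm runs into `case 0:` without a `/* FALLTHROUGH */` marker, so either add the marker or end the arm with `break;`. The enclosing ip6_output starts and ends outside these hunks.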


@ -1,71 +0,0 @@
/* $FreeBSD$ */
/* $KAME: ipcomp.h,v 1.11 2001/09/04 08:43:19 itojun Exp $ */
/*-
* Copyright (C) 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* RFC2393 IP payload compression protocol (IPComp).
*/
#ifndef _NETINET6_IPCOMP_H_
#define _NETINET6_IPCOMP_H_
#if defined(_KERNEL) && !defined(_LKM)
#include "opt_inet.h"
#endif
struct ipcomp {
u_int8_t comp_nxt; /* Next Header */
u_int8_t comp_flags; /* reserved, must be zero */
u_int16_t comp_cpi; /* Compression parameter index */
};
/* well-known algorithm number (in CPI), from RFC2409 */
#define IPCOMP_OUI 1 /* vendor specific */
#define IPCOMP_DEFLATE 2 /* RFC2394 */
#define IPCOMP_LZS 3 /* RFC2395 */
#define IPCOMP_MAX 4
#define IPCOMP_CPI_NEGOTIATE_MIN 256
#ifdef _KERNEL
struct ipcomp_algorithm {
int (*compress) __P((struct mbuf *, struct mbuf *, size_t *));
int (*decompress) __P((struct mbuf *, struct mbuf *, size_t *));
size_t minplen; /* minimum required length for compression */
};
struct ipsecrequest;
extern const struct ipcomp_algorithm *ipcomp_algorithm_lookup __P((int));
extern void ipcomp4_input __P((struct mbuf *, int));
extern int ipcomp4_output __P((struct mbuf *, struct ipsecrequest *));
#endif /* KERNEL */
#endif /* _NETINET6_IPCOMP_H_ */


@ -1,388 +0,0 @@
/* $FreeBSD$ */
/* $KAME: ipsec.h,v 1.69 2003/09/10 23:49:11 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* IPsec controller part.
*/
#ifndef _NETINET6_IPSEC_H_
#define _NETINET6_IPSEC_H_
#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE)
#include "opt_inet.h"
#include "opt_ipsec.h"
#endif
#include <net/pfkeyv2.h>
#include <netkey/keydb.h>
#ifdef _KERNEL
/*
* Security Policy Index
* Ensure that both address families in the "src" and "dst" are same.
* When the value of the ul_proto is ICMPv6, the port field in "src"
* specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code.
*/
struct secpolicyindex {
struct sockaddr_storage src; /* IP src address for SP */
struct sockaddr_storage dst; /* IP dst address for SP */
u_int8_t prefs; /* prefix length in bits for src */
u_int8_t prefd; /* prefix length in bits for dst */
u_int16_t ul_proto; /* upper layer Protocol */
#ifdef notyet
uid_t uids;
uid_t uidd;
gid_t gids;
gid_t gidd;
#endif
};
/* Security Policy Data Base */
struct secpolicy {
TAILQ_ENTRY(secpolicy) tailq; /* all SPD entries, both pcb/table */
LIST_ENTRY(secpolicy) chain; /* SPD entries on table */
u_int8_t dir; /* direction of packet flow */
int readonly; /* write prohibited */
int persist; /* will never be removed */
int refcnt; /* reference count */
struct secpolicyindex *spidx; /* selector - NULL if not valid */
u_int32_t id; /* it identifies a policy in the SPD. */
#define IPSEC_MANUAL_POLICYID_MAX 0x3fff
/*
* 1 - 0x3fff are reserved for user operation.
* 0 are reserved. Others are for kernel use.
*/
struct socket *so; /* backpointer to per-socket policy */
u_int state; /* 0: dead, others: alive */
#define IPSEC_SPSTATE_DEAD 0
#define IPSEC_SPSTATE_ALIVE 1
int policy; /* DISCARD, NONE or IPSEC, see below */
struct ipsecrequest *req;
/* pointer to the ipsec request tree, */
/* if policy == IPSEC else this value == NULL.*/
/*
* lifetime handler.
* the policy can be used without limitiation if both lifetime and
* validtime are zero.
* "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime.
* "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime.
*/
long created; /* time created the policy */
long lastused; /* updated every when kernel sends a packet */
long lifetime; /* duration of the lifetime of this policy */
long validtime; /* duration this policy is valid without use */
};
/* Request for IPsec */
struct ifnet;
struct ipsecrequest {
struct ipsecrequest *next;
/* pointer to next structure */
/* If NULL, it means the end of chain. */
struct secasindex saidx;/* hint for search proper SA */
/* if __ss_len == 0 then no address specified.*/
u_int level; /* IPsec level defined below. */
struct secasvar *sav; /* place holder of SA for use */
struct secpolicy *sp; /* back pointer to SP */
struct ifnet *tunifp; /* interface for tunnelling */
};
/* security policy in PCB */
struct inpcbpolicy {
struct secpolicy *sp_in;
struct secpolicy *sp_out;
int priv; /* privileged socket ? */
/* cached policy */
/* XXX 3 == IPSEC_DIR_MAX */
struct secpolicy *cache[3];
struct secpolicyindex cacheidx[3];
int cachegen[3]; /* cache generation #, the time we filled it */
int cacheflags;
#define IPSEC_PCBSP_CONNECTED 1
};
/* SP acquiring list table. */
struct secspacq {
LIST_ENTRY(secspacq) chain;
struct secpolicyindex spidx;
long created; /* for lifetime */
int count; /* for lifetime */
/* XXX: here is mbuf place holder to be sent ? */
};
struct ipsecaux {
int hdrs; /* # of ipsec headers */
};
#endif /* _KERNEL */
/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */
#define IPSEC_PORT_ANY 0
#define IPSEC_ULPROTO_ANY 255
#define IPSEC_PROTO_ANY 255
/* mode of security protocol */
/* NOTE: DON'T use IPSEC_MODE_ANY at SPD. It's only use in SAD */
#define IPSEC_MODE_ANY 0 /* i.e. wildcard. */
#define IPSEC_MODE_TRANSPORT 1
#define IPSEC_MODE_TUNNEL 2
#define IPSEC_MODE_TCPMD5 3 /* TCP MD5 mode */
/*
* Direction of security policy.
* NOTE: Since INVALID is used just as flag.
* The other are used for loop counter too.
*/
#define IPSEC_DIR_ANY 0
#define IPSEC_DIR_INBOUND 1
#define IPSEC_DIR_OUTBOUND 2
#define IPSEC_DIR_MAX 3
#define IPSEC_DIR_INVALID 4
/* Policy level */
/*
* IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB,
* DISCARD, IPSEC and NONE are allowed for setkey() in SPD.
* DISCARD and NONE are allowed for system default.
*/
#define IPSEC_POLICY_DISCARD 0 /* discard the packet */
#define IPSEC_POLICY_NONE 1 /* bypass IPsec engine */
#define IPSEC_POLICY_IPSEC 2 /* pass to IPsec */
#define IPSEC_POLICY_ENTRUST 3 /* consulting SPD if present. */
#define IPSEC_POLICY_BYPASS 4 /* only for privileged socket. */
#define IPSEC_POLICY_TCP 5 /* TCP MD5 policy */
/* Security protocol level */
#define IPSEC_LEVEL_DEFAULT 0 /* reference to system default */
#define IPSEC_LEVEL_USE 1 /* use SA if present. */
#define IPSEC_LEVEL_REQUIRE 2 /* require SA. */
#define IPSEC_LEVEL_UNIQUE 3 /* unique SA. */
#define IPSEC_MANUAL_REQID_MAX 0x3fff
/*
* if security policy level == unique, this id
* indicate to a relative SA for use, else is
* zero.
* 1 - 0x3fff are reserved for manual keying.
* 0 are reserved for above reason. Others is
* for kernel use.
* Note that this id doesn't identify SA
* by only itself.
*/
#define IPSEC_REPLAYWSIZE 32
/* statistics for ipsec processing */
struct ipsecstat {
u_quad_t in_success; /* succeeded inbound process */
u_quad_t in_polvio;
/* security policy violation for inbound process */
u_quad_t in_nosa; /* inbound SA is unavailable */
u_quad_t in_inval; /* inbound processing failed due to EINVAL */
u_quad_t in_nomem; /* inbound processing failed due to ENOBUFS */
u_quad_t in_badspi; /* failed getting a SPI */
u_quad_t in_ahreplay; /* AH replay check failed */
u_quad_t in_espreplay; /* ESP replay check failed */
u_quad_t in_ahauthsucc; /* AH authentication success */
u_quad_t in_ahauthfail; /* AH authentication failure */
u_quad_t in_espauthsucc; /* ESP authentication success */
u_quad_t in_espauthfail; /* ESP authentication failure */
u_quad_t in_esphist[256];
u_quad_t in_ahhist[256];
u_quad_t in_comphist[256];
u_quad_t out_success; /* succeeded outbound process */
u_quad_t out_polvio;
/* security policy violation for outbound process */
u_quad_t out_nosa; /* outbound SA is unavailable */
u_quad_t out_inval; /* outbound process failed due to EINVAL */
u_quad_t out_nomem; /* inbound processing failed due to ENOBUFS */
u_quad_t out_noroute; /* there is no route */
u_quad_t out_esphist[256];
u_quad_t out_ahhist[256];
u_quad_t out_comphist[256];
u_quad_t spdcachelookup;
u_quad_t spdcachemiss;
};
/*
* Definitions for IPsec & Key sysctl operations.
*/
/*
* Names for IPsec & Key sysctl objects
*/
#define IPSECCTL_STATS 1 /* stats */
#define IPSECCTL_DEF_POLICY 2
#define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */
#define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */
#define IPSECCTL_DEF_AH_TRANSLEV 5 /* int; AH transport mode */
#define IPSECCTL_DEF_AH_NETLEV 6 /* int; AH tunnel mode */
#if 0 /* obsolete, do not reuse */
#define IPSECCTL_INBOUND_CALL_IKE 7
#endif
#define IPSECCTL_AH_CLEARTOS 8
#define IPSECCTL_AH_OFFSETMASK 9
#define IPSECCTL_DFBIT 10
#define IPSECCTL_ECN 11
#define IPSECCTL_DEBUG 12
#define IPSECCTL_ESP_RANDPAD 13
#define IPSECCTL_MAXID 14
#define IPSECCTL_NAMES { \
{ 0, 0 }, \
{ 0, 0 }, \
{ "def_policy", CTLTYPE_INT }, \
{ "esp_trans_deflev", CTLTYPE_INT }, \
{ "esp_net_deflev", CTLTYPE_INT }, \
{ "ah_trans_deflev", CTLTYPE_INT }, \
{ "ah_net_deflev", CTLTYPE_INT }, \
{ 0, 0 }, \
{ "ah_cleartos", CTLTYPE_INT }, \
{ "ah_offsetmask", CTLTYPE_INT }, \
{ "dfbit", CTLTYPE_INT }, \
{ "ecn", CTLTYPE_INT }, \
{ "debug", CTLTYPE_INT }, \
{ "esp_randpad", CTLTYPE_INT }, \
}
#define IPSEC6CTL_NAMES { \
{ 0, 0 }, \
{ 0, 0 }, \
{ "def_policy", CTLTYPE_INT }, \
{ "esp_trans_deflev", CTLTYPE_INT }, \
{ "esp_net_deflev", CTLTYPE_INT }, \
{ "ah_trans_deflev", CTLTYPE_INT }, \
{ "ah_net_deflev", CTLTYPE_INT }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ "ecn", CTLTYPE_INT }, \
{ "debug", CTLTYPE_INT }, \
{ "esp_randpad", CTLTYPE_INT }, \
}
#ifdef _KERNEL
struct ipsec_output_state {
struct mbuf *m;
struct route *ro;
struct sockaddr *dst;
int encap;
};
struct ipsec_history {
int ih_proto;
u_int32_t ih_spi;
};
extern int ipsec_debug;
#ifdef INET
extern struct ipsecstat ipsecstat;
extern struct secpolicy *ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
extern int ip4_ah_trans_deflev;
extern int ip4_ah_net_deflev;
extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;
#endif
#define ipseclog(x) do { if (ipsec_debug) log x; } while (/*CONSTCOND*/ 0)
extern int ipsec_pcbconn __P((struct inpcbpolicy *));
extern int ipsec_pcbdisconn __P((struct inpcbpolicy *));
extern int ipsec_invalpcbcacheall __P((void));
struct inpcb;
extern struct secpolicy *ipsec4_getpolicybypcb
__P((struct mbuf *, u_int, struct inpcb *, int *));
extern struct secpolicy *ipsec4_getpolicybyaddr
__P((struct mbuf *, u_int, int, int *));
extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **));
extern int ipsec_copy_pcbpolicy
__P((struct inpcbpolicy *, struct inpcbpolicy *));
extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *, int));
extern int ipsec4_set_policy __P((struct inpcb *, int, caddr_t, size_t, int));
extern int ipsec4_get_policy __P((struct inpcb *, caddr_t, size_t,
struct mbuf **));
extern int ipsec4_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *));
struct secas;
struct tcpcb;
struct tcp6cb;
extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *));
extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *));
extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *));
struct ip;
extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t));
extern const char *ipsec_logsastr __P((struct secasvar *));
extern void ipsec_dumpmbuf __P((struct mbuf *));
extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *,
int));
extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int,
struct secasvar *));
extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
extern void ipsec_delaux __P((struct mbuf *));
extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t));
extern int ipsec_getnhist __P((struct mbuf *));
extern void ipsec_clearhist __P((struct mbuf *));
#endif /* _KERNEL */
#ifndef _KERNEL
extern caddr_t ipsec_set_policy __P((char *, int));
extern int ipsec_get_policylen __P((caddr_t));
extern char *ipsec_dump_policy __P((caddr_t, char *));
extern const char *ipsec_strerror __P((void));
#endif /* !_KERNEL */
#endif /* _NETINET6_IPSEC_H_ */


@ -1,80 +0,0 @@
/* $FreeBSD$ */
/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* IPsec controller part.
*/
#ifndef _NETINET6_IPSEC6_H_
#define _NETINET6_IPSEC6_H_
#include <net/pfkeyv2.h>
#include <netkey/keydb.h>
#ifdef _KERNEL
extern struct ipsecstat ipsec6stat;
extern struct secpolicy *ip6_def_policy;
extern int ip6_esp_trans_deflev;
extern int ip6_esp_net_deflev;
extern int ip6_ah_trans_deflev;
extern int ip6_ah_net_deflev;
extern int ip6_ipsec_ecn;
extern int ip6_esp_randpad;
struct inpcb;
extern struct secpolicy *ipsec6_getpolicybypcb
__P((struct mbuf *, u_int, struct inpcb *, int *));
extern struct secpolicy *ipsec6_getpolicybyaddr
__P((struct mbuf *, u_int, int, int *));
extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec6_set_policy __P((struct inpcb *, int, caddr_t, size_t, int));
extern int ipsec6_get_policy __P((struct inpcb *, caddr_t, size_t,
struct mbuf **));
extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *));
struct tcp6cb;
extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *));
struct ip6_hdr;
extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t));
extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *,
struct mbuf *, struct secpolicy *, int, int *));
extern int ipsec6_output_tunnel __P((struct ipsec_output_state *,
struct secpolicy *, int));
extern int ipsec6_tunnel_validate __P((struct mbuf *, int, u_int,
struct secasvar *));
#endif /*_KERNEL*/
#endif /*_NETINET6_IPSEC6_H_*/


@ -2144,11 +2144,6 @@ nd6_output(ifp, origifp, m0, dst, rt0)
goto bad;
}
#ifdef IPSEC
/* clean ipsec history once it goes out of the node */
ipsec_delaux(m);
#endif
#ifdef MAC
mac_create_mbuf_linklayer(ifp, m);
#endif


@ -823,7 +823,7 @@ nd6_na_input(m, off, icmp6len)
* prevent a ln_hold lookup in nd6_output()
* (wouldn't happen, though...)
*/
for (m_hold = ln->ln_hold, ln->ln_hold = NULL;
for (m_hold = ln->ln_hold;
m_hold; m_hold = m_hold_next) {
m_hold_next = m_hold->m_nextpkt;
m_hold->m_nextpkt = NULL;
@ -834,6 +834,7 @@ nd6_na_input(m, off, icmp6len)
nd6_output(ifp, ifp, m_hold,
(struct sockaddr_in6 *)rt_key(rt), rt);
}
ln->ln_hold = NULL;
}
freeit:
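Review bot: Moving the clear of `ln->ln_hold` from the for-initializer to the `ln->ln_hold = NULL;` after the loop leaves the comment directly above the loop ("prevent a ln_hold lookup in nd6_output()") describing behaviour the code no longer has, and it reopens the case that comment guarded against. If nd6_output() re-queues a packet onto ln->ln_hold while the list is being walked (I cannot see nd6_output() here, and the comment itself says it "wouldn't happen, though"), the walk continues on a stale `m_hold_next` and the unconditional post-loop assignment drops the re-queued packet without m_freem(). Either keep the pre-loop clear, or consume the list one packet at a time so the field is always consistent with what has been sent: `while ((m_hold = ln->ln_hold) != NULL) { ln->ln_hold = m_hold->m_nextpkt; m_hold->m_nextpkt = NULL; ... }`. The change spans both hunks of this file; nd6_na_input() itself starts and ends outside them.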


@ -95,11 +95,6 @@
#include <netinet6/raw_ip6.h>
#include <netinet6/scope6_var.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netinet6/ipsec6.h>
#endif /*IPSEC*/
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
@ -186,18 +181,16 @@ rip6_input(mp, offp, proto)
if (last) {
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
if (n && ipsec6_in_reject(n, last)) {
m_freem(n);
#ifdef IPSEC
ipsec6stat.in_polvio++;
#endif /*IPSEC*/
/* do not inject data into pcb */
} else
#endif /*IPSEC || FAST_IPSEC*/
#endif /* FAST_IPSEC */
if (n) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)
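Review bot: Replacing `#if defined(IPSEC) || defined(FAST_IPSEC)` with `#ifdef FAST_IPSEC` around the ipsec6_in_reject() check means a kernel configured with the now-deprecated `options IPSEC` but without FAST_IPSEC compiles this inbound policy enforcement out entirely and delivers the packet — a fail-open rather than a build failure — assuming `IPSEC` is still accepted by config(8) after this commit, which I cannot see from here. A compile-time guard in a header both consumers include, e.g. `#if defined(IPSEC) && !defined(FAST_IPSEC)` / `#error "KAME IPSEC has been removed; use options FAST_IPSEC"` / `#endif`, would turn the stale configuration into an error instead. The same flip appears in the second hunk of this file and in udp6_append() in udp6_usrreq.c; rip6_input() itself starts and ends outside the hunk.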
@ -219,20 +212,18 @@ rip6_input(mp, offp, proto)
}
last = in6p;
}
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
if (last && ipsec6_in_reject(m, last)) {
m_freem(m);
#ifdef IPSEC
ipsec6stat.in_polvio++;
#endif /*IPSEC*/
ip6stat.ip6s_delivered--;
/* do not inject data into pcb */
INP_UNLOCK(last);
} else
#endif /*IPSEC || FAST_IPSEC*/
#endif /* FAST_IPSEC */
if (last) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)


@ -52,6 +52,12 @@ __FBSDID("$FreeBSD$");
#include <netinet/sctp_output.h>
#include <netinet/sctp_bsd_addr.h>
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#if defined(INET6)
#include <netipsec/ipsec6.h>
#endif /* INET6 */
#endif /* FAST_IPSEC */
extern struct protosw inetsw[];
@ -201,7 +207,7 @@ sctp6_input(i_pak, offp, proto)
refcount_up = 1;
}
in6p_ip = (struct inpcb *)in6p;
#ifdef IPSEC
#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
@ -210,7 +216,7 @@ sctp6_input(i_pak, offp, proto)
ipsec6stat.in_polvio++;
goto bad;
}
#endif /* IPSEC */
#endif /* FAST_IPSEC */
/*
* CONTROL chunk processing
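Review bot: The `ipsec6stat.in_polvio++;` kept as context in this hunk now compiles under FAST_IPSEC, but this same commit deletes the `#define in_polvio ips_in_polvio` shim from netipsec/ipsec6.h, so the line bumps the legacy `in_polvio` member of struct ipsecstat while ipsec6_in_reject() already increments `ips_in_polvio` for the same packet — one policy violation lands in two different counters. The other callers converted in this commit (rip6_input() in raw_ip6.c, udp6_append() in udp6_usrreq.c) drop the caller-side increment and rely on ipsec6_in_reject(); do the same here by deleting the `ipsec6stat.in_polvio++;` line. The rest of sctp6_input() is outside the hunk.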


@ -98,13 +98,6 @@
#include <netinet6/ip6protosw.h>
#include <netinet6/scope6_var.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#ifdef INET6
#include <netinet6/ipsec6.h>
#endif
#endif /* IPSEC */
/*
* UDP protocol inplementation.
* Per RFC 768, August, 1980.


@ -102,11 +102,6 @@
#include <netinet6/udp6_var.h>
#include <netinet6/scope6_var.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netinet6/ipsec6.h>
#endif /* IPSEC */
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
@ -129,18 +124,16 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off,
/* XXXRW: Not yet: INP_LOCK_ASSERT(in6p); */
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
/*
* Check AH/ESP integrity.
*/
if (ipsec6_in_reject(n, in6p)) {
m_freem(n);
#ifdef IPSEC
ipsec6stat.in_polvio++;
#endif /* IPSEC */
return;
}
#endif /*IPSEC || FAST_IPSEC*/
#endif /* FAST_IPSEC */
opts = NULL;
if (in6p->in6p_flags & IN6P_CONTROLOPTS ||


@ -76,6 +76,7 @@
#include <netinet/icmp6.h>
#endif
#include <sys/types.h>
#include <netipsec/ipsec.h>
#ifdef INET6
#include <netipsec/ipsec6.h>
@ -102,7 +103,7 @@ int ipsec_debug = 0;
#endif
/* NB: name changed so netstat doesn't use it */
struct newipsecstat newipsecstat;
struct ipsecstat ipsec4stat;
int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
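Review bot: The context comment `/* NB: name changed so netstat doesn't use it */` explained why the counters lived in `struct newipsecstat newipsecstat`; now that the line under it reads `struct ipsecstat ipsec4stat;` and the later hunk deliberately exports that object to userland via SYSCTL_STRUCT, the comment says the opposite of what the code does. Replace it with the new intent, e.g. `/* Per-family counters, exported as net.inet.ipsec.ipsecstats and net.inet6.ipsec6.ipsecstats (see the SYSCTL_STRUCT entries below). */`, or drop it. In those later hunks the IPv4 entry is registered with OID_AUTO while the IPv6 one uses IPSECCTL_STATS; if IPSECCTL_STATS is the intended fixed number, use it for both so numeric sysctl lookups behave the same for each family, and give both a non-empty description string.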
@ -149,7 +150,7 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
crypto_support, CTLFLAG_RW, &crypto_support,0, "");
SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
ipsecstats, CTLFLAG_RD, &newipsecstat, newipsecstat, "");
ipsecstats, CTLFLAG_RD, &ipsec4stat, ipsecstat, "");
#ifdef REGRESSION
/*
@ -168,7 +169,8 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
&ipsec_integrity, 0, "Emulate man-in-the-middle attack");
#endif
#ifdef INET6
#ifdef INET6
struct ipsecstat ipsec6stat;
int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
@ -199,6 +201,8 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
debug, CTLFLAG_RW, &ipsec_debug, 0, "");
SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
#endif /* INET6 */
static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
@ -451,7 +455,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)
sp = ipsec_getpolicybysock(m, dir, inp, error);
if (sp == NULL) {
IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
newipsecstat.ips_out_inval++;
ipsec4stat.ips_out_inval++;
return NULL;
}
IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
@ -461,7 +465,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)
printf("%s: invalid policy %u\n", __func__, sp->policy);
/* fall thru... */
case IPSEC_POLICY_DISCARD:
newipsecstat.ips_out_polvio++;
ipsec4stat.ips_out_polvio++;
*error = -EINVAL; /* packet is discarded by caller */
break;
case IPSEC_POLICY_BYPASS:
@ -1462,7 +1466,7 @@ ipsec4_in_reject(m, inp)
if (sp != NULL) {
result = ipsec_in_reject(sp, m);
if (result)
newipsecstat.ips_in_polvio++;
ipsec4stat.ips_in_polvio++;
KEY_FREESP(&sp);
} else {
result = 0; /* XXX should be panic ?
@ -1502,7 +1506,7 @@ ipsec6_in_reject(m, inp)
if (sp != NULL) {
result = ipsec_in_reject(sp, m);
if (result)
newipsecstat.ips_in_polvio++;
ipsec6stat.ips_in_polvio++;
KEY_FREESP(&sp);
} else {
result = 0;


@ -205,7 +205,7 @@ struct secspacq {
*/
#define IPSEC_REPLAYWSIZE 32
/* old statistics for ipsec processing */
/* statistics for ipsec processing */
struct ipsecstat {
u_quad_t in_success; /* succeeded inbound process */
u_quad_t in_polvio;
@ -236,10 +236,7 @@ struct ipsecstat {
u_quad_t spdcachelookup;
u_quad_t spdcachemiss;
};
/* statistics for ipsec processing */
struct newipsecstat {
u_int32_t ips_in_polvio; /* input: sec policy violation */
u_int32_t ips_out_polvio; /* output: sec policy violation */
u_int32_t ips_out_nosa; /* output: SA unavailable */
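Review bot: Deleting the `};` / `struct newipsecstat {` pair folds the `ips_*` counters into the tail of struct ipsecstat, so one struct now carries both the KAME-era fields (`u_quad_t in_polvio`, `spdcachelookup`, …) and the `ips_*` fields that the netipsec code in this commit actually updates, with nothing telling a reader which set is live; since this struct is now exported through SYSCTL_STRUCT for both families, that ambiguity reaches userland consumers too. Add a comment at the seam, e.g. `/* The ips_* fields below are the counters maintained by netipsec; the KAME-era fields above are, as far as this change shows, no longer updated and are kept for layout only. */`, and decide whether the unused legacy fields should go rather than linger. Mixing 64-bit `u_quad_t` and 32-bit `u_int32_t` counters in one exported struct also deserves a note, since the 32-bit ones will wrap far sooner than the rest.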
@ -335,7 +332,7 @@ extern int ipsec_replay;
extern int ipsec_integrity;
#endif
extern struct newipsecstat newipsecstat;
extern struct ipsecstat ipsec4stat;
extern struct secpolicy ip4_def_policy;
extern int ip4_esp_trans_deflev;
extern int ip4_esp_net_deflev;
@ -352,10 +349,6 @@ extern int crypto_support;
/* for openbsd compatibility */
#define DPRINTF(x) do { if (ipsec_debug) printf x; } while (0)
/* XXX for KAME code compatibility */
#define ipsec_pcbconn(_x)
#define ipsec_pcbdisconn(_x)
extern struct ipsecrequest *ipsec_newisr(void);
extern void ipsec_delisr(struct ipsecrequest *);


@ -41,6 +41,7 @@
#include <netipsec/keydb.h>
#ifdef _KERNEL
extern struct ipsecstat ipsec6stat;
extern int ip6_esp_trans_deflev;
extern int ip6_esp_net_deflev;
extern int ip6_ah_trans_deflev;
@ -50,15 +51,6 @@ extern int ip6_esp_randpad;
struct inpcb;
/* KAME compatibility shims */
#define ipsec6_getpolicybyaddr ipsec_getpolicybyaddr
#define ipsec6_getpolicybysock ipsec_getpolicybysock
#define ipsec6stat newipsecstat
#define out_inval ips_out_inval
#define in_polvio ips_in_polvio
#define out_polvio ips_out_polvio
#define key_freesp(_x) KEY_FREESP(&_x)
extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));
extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,
caddr_t request, size_t len, int priv));


@ -88,7 +88,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
return (NULL);
n->m_next = m->m_next; /* splice new mbuf */
m->m_next = n;
newipsecstat.ips_mbinserted++;
ipsec4stat.ips_mbinserted++;
if (hlen <= M_TRAILINGSPACE(m) + remain) {
/*
* New header fits in the old mbuf if we copy
@ -122,7 +122,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
/* splice in second mbuf */
n2->m_next = n->m_next;
n->m_next = n2;
newipsecstat.ips_mbinserted++;
ipsec4stat.ips_mbinserted++;
} else {
memcpy(mtod(n, caddr_t) + hlen,
mtod(m, caddr_t) + skip, remain);
@ -238,7 +238,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
/* Remove the header and associated data from the mbuf. */
if (roff == 0) {
/* The header was at the beginning of the mbuf */
newipsecstat.ips_input_front++;
ipsec4stat.ips_input_front++;
m_adj(m1, hlen);
if ((m1->m_flags & M_PKTHDR) == 0)
m->m_pkthdr.len -= hlen;
@ -250,7 +250,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
* so first let's remove the remainder of the header from
* the beginning of the remainder of the mbuf chain, if any.
*/
newipsecstat.ips_input_end++;
ipsec4stat.ips_input_end++;
if (roff + hlen > m1->m_len) {
/* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
@ -275,7 +275,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
* The header lies in the "middle" of the mbuf; copy
* the remainder of the mbuf down over the header.
*/
newipsecstat.ips_input_middle++;
ipsec4stat.ips_input_middle++;
bcopy(mtod(m1, u_char *) + roff + hlen,
mtod(m1, u_char *) + roff,
m1->m_len - (roff + hlen));


@ -155,7 +155,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
* doing further processing.
*/
if (isr->next) {
newipsecstat.ips_out_bundlesa++;
ipsec4stat.ips_out_bundlesa++;
return ipsec4_process_packet(m, isr->next, 0, 0);
}
key_sa_recordxfer(sav, m); /* record data transfer */
@ -281,7 +281,7 @@ ipsec_nextisr(
* this packet because it is responsibility for
* upper layer to retransmit the packet.
*/
newipsecstat.ips_out_nosa++;
ipsec4stat.ips_out_nosa++;
goto bad;
}
sav = isr->sav;
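Review bot: `ipsec4stat.ips_out_nosa++` in ipsec_nextisr(), and `ipsec4stat.ips_out_bundlesa++` in ipsec_process_done() in the previous hunk, sit on paths shared by both families — ipsec6_output_trans() and ipsec6_output_tunnel() below call `ipsec_nextisr(m, isr, AF_INET6, &saidx, &error)` — so IPv6 no-SA and bundled-SA events are attributed to the IPv4 counters even though this commit introduces a per-family split. The same holds for the four `ipsec4stat.ips_mbinserted` / `ips_input_*` increments in ipsec_mbuf.c, where m_makespace() and m_striphdr() have no family information at all. In ipsec_nextisr() the family is already passed in as the third argument, so selecting the struct on it, e.g. `(af_arg == AF_INET6 ? ipsec6stat : ipsec4stat).ips_out_nosa++` with whatever that parameter is named, keeps the counters honest; for the mbuf helpers either state in a comment that they count under IPv4 or pass the family down. ipsec_nextisr() starts and ends outside this hunk.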
@ -572,6 +572,7 @@ ipsec6_output_trans(
*tun = 0;
m = state->m;
IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */
isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);
if (isr == NULL) {
#ifdef notdef
@ -591,10 +592,15 @@ ipsec6_output_trans(
goto bad;
}
return (*isr->sav->tdb_xform->xf_output)(m, isr, NULL,
sizeof (struct ip6_hdr),
offsetof(struct ip6_hdr, ip6_nxt));
error = (*isr->sav->tdb_xform->xf_output)(m, isr, NULL,
sizeof (struct ip6_hdr),
offsetof(struct ip6_hdr,
ip6_nxt));
IPSECREQUEST_UNLOCK(isr);
return error;
bad:
if (isr)
IPSECREQUEST_UNLOCK(isr);
if (m)
m_freem(m);
state->m = NULL;
@ -614,7 +620,7 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
m_freem(m);
return EINVAL;
}
IPSEC_ASSERT(m->m_len != sizeof (struct ip6_hdr),
IPSEC_ASSERT(m->m_len == sizeof (struct ip6_hdr),
("mbuf wrong size; len %u", m->m_len));
@ -658,8 +664,8 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
/* ip6->ip6_plen will be updated in ip6_output() */
}
ip6->ip6_nxt = IPPROTO_IPV6;
sav->sah->saidx.src.sin6.sin6_addr = ip6->ip6_src;
sav->sah->saidx.dst.sin6.sin6_addr = ip6->ip6_dst;
ip6->ip6_src = sav->sah->saidx.src.sin6.sin6_addr;
ip6->ip6_dst = sav->sah->saidx.dst.sin6.sin6_addr;
ip6->ip6_hlim = IPV6_DEFHLIM;
/* XXX Should ip6_src be updated later ? */
@ -699,7 +705,6 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
}
IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */
isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);
if (isr == NULL)
goto bad;
@ -717,14 +722,14 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
ipseclog((LOG_ERR, "%s: family mismatched between "
"inner and outer, spi=%u\n", __func__,
ntohl(isr->sav->spi)));
newipsecstat.ips_out_inval++;
ipsec6stat.ips_out_inval++;
error = EAFNOSUPPORT;
goto bad;
}
m = ipsec6_splithdr(m);
if (!m) {
newipsecstat.ips_out_nomem++;
ipsec6stat.ips_out_nomem++;
error = ENOMEM;
goto bad;
}
@ -753,7 +758,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
}
if (state->ro->ro_rt == 0) {
ip6stat.ip6s_noroute++;
newipsecstat.ips_out_noroute++;
ipsec6stat.ips_out_noroute++;
error = EHOSTUNREACH;
goto bad;
}
@ -767,7 +772,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
m = ipsec6_splithdr(m);
if (!m) {
newipsecstat.ips_out_nomem++;
ipsec6stat.ips_out_nomem++;
error = ENOMEM;
goto bad;
}


@ -2145,8 +2145,6 @@ key_spddelete2(so, m, mhp)
/* create new sadb_msg to reply. */
len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
if (len > MCLBYTES)
return key_senderror(so, m, ENOBUFS);
MGETHDR(n, M_DONTWAIT, MT_DATA);
if (n && len > MHLEN) {
MCLGET(n, M_DONTWAIT);
@ -4518,8 +4516,6 @@ key_getspi(so, m, mhp)
/* create new sadb_msg to reply. */
len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) +
PFKEY_ALIGN8(sizeof(struct sadb_sa));
if (len > MCLBYTES)
return key_senderror(so, m, ENOBUFS);
MGETHDR(n, M_DONTWAIT, MT_DATA);
if (len > MHLEN) {
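Review bot: With the `if (len > MCLBYTES) return key_senderror(so, m, ENOBUFS);` guard removed from both key_spddelete2() and key_getspi(), the two reply-allocation sequences now differ in the one check that still matters: key_spddelete2() tests `if (n && len > MHLEN)` before MCLGET, while key_getspi() tests `if (len > MHLEN)` and would hand a NULL `n` to MCLGET should MGETHDR fail. `len` is a compile-time constant in both functions, so that branch is dead today, but either write `if (n && len > MHLEN)` here as well for consistency, or replace the run-time comparison with a static check such as `CTASSERT(PFKEY_ALIGN8(sizeof(struct sadb_msg)) + PFKEY_ALIGN8(sizeof(struct sadb_sa)) <= MHLEN);` next to the allocation. Both functions start and end outside these hunks.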
@ -7299,7 +7295,6 @@ key_setkey(struct seckey *src, u_int16_t exttype)
return NULL;
len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src));
m = key_alloc_mbuf(len);
if (m == NULL)
return NULL;


@ -73,7 +73,7 @@ static void kdebug_secreplay __P((struct secreplay *));
#endif
#ifndef _KERNEL
#define panic(param) { printf(param); exit(-1); }
#define panic(fmt, ...) { printf(fmt, ## __VA_ARGS__); exit(-1); }
#endif
/* NOTE: host byte order */
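Review bot: The new userland stand-in `#define panic(fmt, ...) { printf(fmt, ## __VA_ARGS__); exit(-1); }` expands to a brace block rather than a single statement, so `if (x) panic("..."); else ...` no longer parses and the `;` after every call becomes an empty statement; wrap it as `#define panic(fmt, ...) do { printf(fmt, ## __VA_ARGS__); exit(-1); } while (0)`. The `, ## __VA_ARGS__` form is a GNU extension, acceptable for the base toolchain but worth a one-line comment since this `#ifndef _KERNEL` path is compiled into userland tools.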


@ -81,7 +81,6 @@ key_output(struct mbuf *m, struct socket *so)
{
struct sadb_msg *msg;
int len, error = 0;
int s;
if (m == 0)
panic("%s: NULL pointer was passed.\n", __func__);
@ -116,11 +115,8 @@ key_output(struct mbuf *m, struct socket *so)
goto end;
}
/*XXX giant lock*/
s = splnet();
error = key_parse(m, so);
m = NULL;
splx(s);
end:
if (m)
m_freem(m);
@ -213,15 +209,19 @@ key_sendup(so, msg, len, target)
while (tlen > 0) {
if (tlen == len) {
MGETHDR(n, M_DONTWAIT, MT_DATA);
if (n == NULL) {
pfkeystat.in_nomem++;
return ENOBUFS;
}
n->m_len = MHLEN;
} else {
MGET(n, M_DONTWAIT, MT_DATA);
if (n == NULL) {
pfkeystat.in_nomem++;
return ENOBUFS;
}
n->m_len = MLEN;
}
if (!n) {
pfkeystat.in_nomem++;
return ENOBUFS;
}
if (tlen >= MCLBYTES) { /*XXX better threshold? */
MCLGET(n, M_DONTWAIT);
if ((n->m_flags & M_EXT) == 0) {
@ -278,22 +278,18 @@ key_sendup_mbuf(so, m, target)
pfkeystat.in_total++;
pfkeystat.in_bytes += m->m_pkthdr.len;
if (m->m_len < sizeof(struct sadb_msg)) {
#if 1
m = m_pullup(m, sizeof(struct sadb_msg));
if (m == NULL) {
pfkeystat.in_nomem++;
return ENOBUFS;
}
#else
/* don't bother pulling it up just for stats */
#endif
}
if (m->m_len >= sizeof(struct sadb_msg)) {
struct sadb_msg *msg;
msg = mtod(m, struct sadb_msg *);
pfkeystat.in_msgtype[msg->sadb_msg_type]++;
}
mtx_lock(&rawcb_mtx);
LIST_FOREACH(rp, &rawcb_list, list)
{
if (rp->rcb_proto.sp_family != PF_KEY)
@ -344,11 +340,13 @@ key_sendup_mbuf(so, m, target)
if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
m_freem(m);
pfkeystat.in_nomem++;
mtx_unlock(&rawcb_mtx);
return ENOBUFS;
}
if ((error = key_sendup0(rp, n, 0)) != 0) {
m_freem(m);
mtx_unlock(&rawcb_mtx);
return error;
}
@ -362,6 +360,7 @@ key_sendup_mbuf(so, m, target)
error = 0;
m_freem(m);
}
mtx_unlock(&rawcb_mtx);
return error;
}
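Review bot: key_sendup_mbuf() now holds `rawcb_mtx` across the whole LIST_FOREACH over rawcb_list, including the key_sendup0(rp, n, 0) call that appends to each PF_KEY socket, and the hunks add `mtx_unlock(&rawcb_mtx)` to exactly two early returns plus the final exit; any other `return` inside the loop body that is not visible in these hunks would leave the mutex held, and the repeated `m_freem(m); mtx_unlock(&rawcb_mtx); return ...;` triples are easy to get out of step. A single exit path — `error = ENOBUFS; goto out;` in the loop and `out: mtx_unlock(&rawcb_mtx); return error;` after it — removes the duplication and makes the lock's release a structural guarantee. A comment above the lock stating what it protects here (the list walk, and that key_sendup0() must not sleep or reacquire rawcb_mtx) would also help, since this assumption is invisible at the call site. key_sendup_mbuf() starts outside the hunks.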
@ -372,7 +371,6 @@ key_sendup_mbuf(so, m, target)
static void
key_abort(struct socket *so)
{
raw_usrreqs.pru_abort(so);
}
@ -384,29 +382,21 @@ static int
key_attach(struct socket *so, int proto, struct thread *td)
{
struct keycb *kp;
int s, error;
int error;
if (sotorawcb(so) != 0)
return EISCONN; /* XXX panic? */
kp = (struct keycb *)malloc(sizeof *kp, M_PCB, M_WAITOK|M_ZERO); /* XXX */
KASSERT(so->so_pcb == NULL, ("key_attach: so_pcb != NULL"));
/* XXX */
MALLOC(kp, struct keycb *, sizeof *kp, M_PCB, M_WAITOK | M_ZERO);
if (kp == 0)
return ENOBUFS;
/*
* The splnet() is necessary to block protocols from sending
* error notifications (like RTM_REDIRECT or RTM_LOSING) while
* this PCB is extant but incompletely initialized.
* Probably we should try to do more of this work beforehand and
* eliminate the spl.
*/
s = splnet();
so->so_pcb = (caddr_t)kp;
error = raw_usrreqs.pru_attach(so, proto, td);
error = raw_attach(so, proto);
kp = (struct keycb *)sotorawcb(so);
if (error) {
free(kp, M_PCB);
so->so_pcb = (caddr_t) 0;
splx(s);
return error;
}
@ -420,7 +410,6 @@ key_attach(struct socket *so, int proto, struct thread *td)
soisconnected(so);
so->so_options |= SO_USELOOPBACK;
splx(s);
return 0;
}
@ -431,11 +420,7 @@ key_attach(struct socket *so, int proto, struct thread *td)
static int
key_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
{
int s, error;
s = splnet();
error = raw_usrreqs.pru_bind(so, nam, td); /* xxx just EINVAL */
splx(s);
return error;
return EINVAL;
}
/*
@ -456,11 +441,7 @@ key_close(struct socket *so)
static int
key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
{
int s, error;
s = splnet();
error = raw_usrreqs.pru_connect(so, nam, td); /* XXX just EINVAL */
splx(s);
return error;
return EINVAL;
}
/*
@ -489,11 +470,7 @@ key_detach(struct socket *so)
static int
key_disconnect(struct socket *so)
{
int s, error;
s = splnet();
error = raw_usrreqs.pru_disconnect(so);
splx(s);
return error;
return(raw_usrreqs.pru_disconnect(so));
}
/*
@ -503,11 +480,7 @@ key_disconnect(struct socket *so)
static int
key_peeraddr(struct socket *so, struct sockaddr **nam)
{
int s, error;
s = splnet();
error = raw_usrreqs.pru_peeraddr(so, nam);
splx(s);
return error;
return(raw_usrreqs.pru_peeraddr(so, nam));
}
/*
@ -518,11 +491,7 @@ static int
key_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
struct mbuf *control, struct thread *td)
{
int s, error;
s = splnet();
error = raw_usrreqs.pru_send(so, flags, m, nam, control, td);
splx(s);
return error;
return(raw_usrreqs.pru_send(so, flags, m, nam, control, td));
}
/*
@ -532,11 +501,7 @@ key_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
static int
key_shutdown(struct socket *so)
{
int s, error;
s = splnet();
error = raw_usrreqs.pru_shutdown(so);
splx(s);
return error;
return(raw_usrreqs.pru_shutdown(so));
}
/*
@ -546,11 +511,7 @@ key_shutdown(struct socket *so)
static int
key_sockaddr(struct socket *so, struct sockaddr **nam)
{
int s, error;
s = splnet();
error = raw_usrreqs.pru_sockaddr(so, nam);
splx(s);
return error;
return(raw_usrreqs.pru_sockaddr(so, nam));
}
struct pr_usrreqs key_usrreqs = {


@ -110,7 +110,7 @@ static int ah_output_cb(struct cryptop*);
struct auth_hash *
ah_algorithm_lookup(int alg)
{
if (alg >= AH_ALG_MAX)
if (alg > SADB_AALG_MAX)
return NULL;
switch (alg) {
case SADB_X_AALG_NULL:
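Review bot: Widening the bound from `alg >= AH_ALG_MAX` to `alg > SADB_AALG_MAX` makes the early return cover the whole PF_KEY authentication-algorithm number space, so the real filtering is now the switch that follows; please confirm it ends in a `default: return NULL;`, because that is what keeps an unknown identifier from yielding a non-NULL auth_hash. `alg` is a signed int and neither the old nor the new comparison rejects negative values, so `if ((u_int)alg > SADB_AALG_MAX)` is the cheapest way to make the guard complete on its own. The switch body is outside the hunk.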


@ -1,96 +0,0 @@
/* $FreeBSD$ */
/* $KAME: key.h,v 1.32 2003/09/07 05:25:20 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _NETKEY_KEY_H_
#define _NETKEY_KEY_H_
#ifdef _KERNEL
#include <sys/queue.h>
extern struct key_cb key_cb;
extern TAILQ_HEAD(_satailq, secasvar) satailq;
extern TAILQ_HEAD(_sptailq, secpolicy) sptailq;
struct secpolicy;
struct secpolicyindex;
struct ipsecrequest;
struct secasvar;
struct sockaddr;
struct socket;
struct sadb_msg;
struct sadb_x_policy;
union sockaddr_union;
extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *,
u_int);
extern struct secpolicy *key_gettunnel(struct sockaddr *,
struct sockaddr *, struct sockaddr *, struct sockaddr *);
extern int key_checkrequest
(struct ipsecrequest *isr, struct secasindex *);
extern struct secasvar *key_allocsa(u_int, caddr_t, caddr_t, u_int, u_int32_t);
extern void key_freesp(struct secpolicy *);
extern void key_freesav(struct secasvar *);
extern struct secpolicy *key_newsp(u_int32_t);
extern struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *);
extern struct mbuf *key_sp2msg(struct secpolicy *);
extern int key_cmpspidx_exactly
(struct secpolicyindex *, struct secpolicyindex *);
extern int key_cmpspidx_withmask
(struct secpolicyindex *, struct secpolicyindex *);
extern int key_spdacquire(struct secpolicy *);
extern void key_timehandler(void *);
extern void key_randomfill(void *, size_t);
extern void key_freereg(struct socket *);
extern int key_parse(struct mbuf *, struct socket *);
extern void key_init(void);
extern int key_checktunnelsanity(struct secasvar *, u_int, caddr_t, caddr_t);
extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
extern void key_sa_routechange(struct sockaddr *);
extern void key_sa_stir_iv(struct secasvar *);
/* to keep compatibility with FAST_IPSEC */
#define KEY_ALLOCSA(dst, proto, spi) \
key_allocsa(((struct sockaddr *)(dst))->sa_family,\
(caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
(caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
proto, spi)
#define KEY_FREESAV(psav) \
key_freesav(*psav)
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_SECA);
#endif /* MALLOC_DECLARE */
#endif /* defined(_KERNEL) */
#endif /* _NETKEY_KEY_H_ */


@ -1,88 +0,0 @@
/* $FreeBSD$ */
/* $KAME: key_debug.h,v 1.11 2002/11/05 03:48:34 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _NETKEY_KEY_DEBUG_H_
#define _NETKEY_KEY_DEBUG_H_
#ifdef _KERNEL
/* debug flags */
#define KEYDEBUG_STAMP 0x00000001 /* path */
#define KEYDEBUG_DATA 0x00000002 /* data */
#define KEYDEBUG_DUMP 0x00000004 /* dump */
#define KEYDEBUG_KEY 0x00000010 /* key processing */
#define KEYDEBUG_ALG 0x00000020 /* ciph & auth algorithm */
#define KEYDEBUG_IPSEC 0x00000040 /* ipsec processing */
#define KEYDEBUG_KEY_STAMP (KEYDEBUG_KEY | KEYDEBUG_STAMP)
#define KEYDEBUG_KEY_DATA (KEYDEBUG_KEY | KEYDEBUG_DATA)
#define KEYDEBUG_KEY_DUMP (KEYDEBUG_KEY | KEYDEBUG_DUMP)
#define KEYDEBUG_ALG_STAMP (KEYDEBUG_ALG | KEYDEBUG_STAMP)
#define KEYDEBUG_ALG_DATA (KEYDEBUG_ALG | KEYDEBUG_DATA)
#define KEYDEBUG_ALG_DUMP (KEYDEBUG_ALG | KEYDEBUG_DUMP)
#define KEYDEBUG_IPSEC_STAMP (KEYDEBUG_IPSEC | KEYDEBUG_STAMP)
#define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA)
#define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
#define KEYDEBUG(lev,arg) \
do { if ((key_debug_level & (lev)) == (lev)) { arg; } } while (/*CONSTCOND*/ 0)
extern u_int32_t key_debug_level;
#endif /*_KERNEL*/
struct sadb_msg;
struct sadb_ext;
extern void kdebug_sadb(struct sadb_msg *);
extern void kdebug_sadb_x_policy(struct sadb_ext *);
#ifdef _KERNEL
struct secpolicy;
struct secpolicyindex;
struct secasindex;
struct secasvar;
struct secreplay;
struct mbuf;
extern void kdebug_secpolicy(struct secpolicy *);
extern void kdebug_secpolicyindex(struct secpolicyindex *);
extern void kdebug_secasindex(struct secasindex *);
extern void kdebug_secasv(struct secasvar *);
extern void kdebug_mbufhdr(struct mbuf *);
extern void kdebug_mbuf(struct mbuf *);
#endif /*_KERNEL*/
struct sockaddr;
extern void kdebug_sockaddr(struct sockaddr *);
extern void ipsec_hexdump(caddr_t, int);
extern void ipsec_bindump(caddr_t, int);
#endif /* _NETKEY_KEY_DEBUG_H_ */


@ -1,58 +0,0 @@
/* $FreeBSD$ */
/* $KAME: key_var.h,v 1.12 2001/11/06 03:48:29 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _NETKEY_KEY_VAR_H_
#define _NETKEY_KEY_VAR_H_
/* sysctl */
#define KEYCTL_DEBUG_LEVEL 1
#define KEYCTL_SPI_TRY 2
#define KEYCTL_SPI_MIN_VALUE 3
#define KEYCTL_SPI_MAX_VALUE 4
#define KEYCTL_RANDOM_INT 5
#define KEYCTL_LARVAL_LIFETIME 6
#define KEYCTL_BLOCKACQ_COUNT 7
#define KEYCTL_BLOCKACQ_LIFETIME 8
#define KEYCTL_ESP_KEYMIN 9
#define KEYCTL_ESP_AUTH 10
#define KEYCTL_AH_KEYMIN 11
#define KEYCTL_PREFERED_OLDSA 12
#define KEYCTL_MAXID 13
#ifdef _KERNEL
#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
#endif /*_KERNEL*/
#endif /* _NETKEY_KEY_VAR_H_ */


@ -1,184 +0,0 @@
/* $FreeBSD$ */
/* $KAME: keydb.h,v 1.24 2003/09/07 15:12:10 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _NETKEY_KEYDB_H_
#define _NETKEY_KEYDB_H_
#ifdef _KERNEL
#include <netkey/key_var.h>
#ifndef _SOCKADDR_UNION_DEFINED
#define _SOCKADDR_UNION_DEFINED
/*
* The union of all possible address formats we handle.
*/
union sockaddr_union {
struct sockaddr sa;
struct sockaddr_in sin;
struct sockaddr_in6 sin6;
};
#endif /* _SOCKADDR_UNION_DEFINED */
/* Security Assocciation Index */
/* NOTE: Ensure to be same address family */
struct secasindex {
struct sockaddr_storage src; /* srouce address for SA */
struct sockaddr_storage dst; /* destination address for SA */
u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
u_int8_t mode; /* mode of protocol, see ipsec.h */
u_int32_t reqid; /* reqid id who owned this SA */
/* see IPSEC_MANUAL_REQID_MAX. */
};
/* Security Association Data Base */
struct secashead {
LIST_ENTRY(secashead) chain;
struct secasindex saidx;
struct sadb_ident *idents; /* source identity */
struct sadb_ident *identd; /* destination identity */
/* XXX I don't know how to use them. */
u_int8_t state; /* MATURE or DEAD. */
LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
/* SA chain */
/* The first of this list is newer SA */
union {
struct route sau_route;
struct route_in6 sau_route6;
} sa_u;
#define sa_route sa_u.sau_route
};
/* Security Association */
struct secasvar {
TAILQ_ENTRY(secasvar) tailq;
LIST_ENTRY(secasvar) chain;
LIST_ENTRY(secasvar) spihash;
int refcnt; /* reference count */
u_int8_t state; /* Status of this Association */
u_int8_t alg_auth; /* Authentication Algorithm Identifier*/
u_int8_t alg_enc; /* Cipher Algorithm Identifier */
u_int32_t spi; /* SPI Value, network byte order */
u_int32_t flags; /* holder for SADB_KEY_FLAGS */
struct sadb_key *key_auth; /* Key for Authentication */
struct sadb_key *key_enc; /* Key for Encryption */
caddr_t iv; /* Initilization Vector */
u_int ivlen; /* length of IV */
void *sched; /* intermediate encryption key */
size_t schedlen;
struct secreplay *replay; /* replay prevention */
long created; /* for lifetime */
struct sadb_lifetime *lft_c; /* CURRENT lifetime, it's constant. */
struct sadb_lifetime *lft_h; /* HARD lifetime */
struct sadb_lifetime *lft_s; /* SOFT lifetime */
u_int64_t seq; /* sequence number */
pid_t pid; /* message's pid */
struct secashead *sah; /* back pointer to the secashead */
u_int32_t id; /* SA id */
};
/* replay prevention */
struct secreplay {
u_int64_t count;
u_int wsize; /* window size, i.g. 4 bytes */
u_int64_t seq; /* used by sender */
u_int64_t lastseq; /* used by receiver */
u_int8_t *bitmap; /* used by receiver */
int overflow; /* what round does the counter take. */
};
/* socket table due to send PF_KEY messages. */
struct secreg {
LIST_ENTRY(secreg) chain;
struct socket *so;
};
#ifndef IPSEC_NONBLOCK_ACQUIRE
/* acquiring list table. */
struct secacq {
LIST_ENTRY(secacq) chain;
struct secasindex saidx;
u_int32_t seq; /* sequence number */
long created; /* for lifetime */
int count; /* for lifetime */
};
#endif
/* Sensitivity Level Specification */
/* nothing */
#define SADB_KILL_INTERVAL 600 /* six seconds */
struct key_cb {
int key_count;
int any_count;
};
/* secpolicy */
struct secpolicy;
struct secpolicyindex;
extern struct secpolicy *keydb_newsecpolicy(void);
extern u_int32_t keydb_newspid(void);
extern void keydb_delsecpolicy(struct secpolicy *);
extern int keydb_setsecpolicyindex
(struct secpolicy *, struct secpolicyindex *);
/* secashead */
extern struct secashead *keydb_newsecashead(void);
extern void keydb_delsecashead(struct secashead *);
/* secasvar */
extern struct secasvar *keydb_newsecasvar(void);
extern void keydb_delsecasvar(struct secasvar *);
/* secreplay */
extern struct secreplay *keydb_newsecreplay(size_t);
extern void keydb_delsecreplay(struct secreplay *);
/* secreg */
extern struct secreg *keydb_newsecreg(void);
extern void keydb_delsecreg(struct secreg *);
#endif /* _KERNEL */
#endif /* _NETKEY_KEYDB_H_ */


@ -1,81 +0,0 @@
/* $FreeBSD$ */
/* $KAME: keysock.h,v 1.9 2002/03/21 14:00:14 itojun Exp $ */
/*-
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _NETKEY_KEYSOCK_H_
#define _NETKEY_KEYSOCK_H_
/* statistics for pfkey socket */
struct pfkeystat {
/* userland -> kernel */
u_quad_t out_total; /* # of total calls */
u_quad_t out_bytes; /* total bytecount */
u_quad_t out_msgtype[256]; /* message type histogram */
u_quad_t out_invlen; /* invalid length field */
u_quad_t out_invver; /* invalid version field */
u_quad_t out_invmsgtype; /* invalid message type field */
u_quad_t out_tooshort; /* msg too short */
u_quad_t out_nomem; /* memory allocation failure */
u_quad_t out_dupext; /* duplicate extension */
u_quad_t out_invexttype; /* invalid extension type */
u_quad_t out_invsatype; /* invalid sa type */
u_quad_t out_invaddr; /* invalid address extension */
/* kernel -> userland */
u_quad_t in_total; /* # of total calls */
u_quad_t in_bytes; /* total bytecount */
u_quad_t in_msgtype[256]; /* message type histogram */
u_quad_t in_msgtarget[3]; /* one/all/registered */
u_quad_t in_nomem; /* memory allocation failure */
/* others */
u_quad_t sockerr; /* # of socket related errors */
};
#define KEY_SENDUP_ONE 0
#define KEY_SENDUP_ALL 1
#define KEY_SENDUP_REGISTERED 2
#ifdef _KERNEL
struct keycb {
struct rawcb kp_raw; /* rawcb */
int kp_promisc; /* promiscuous mode */
int kp_registered; /* registered socket */
};
extern struct pfkeystat pfkeystat;
extern int key_output(struct mbuf *m, struct socket *so);
extern int key_usrreq(struct socket *,
int, struct mbuf *, struct mbuf *, struct mbuf *);
extern int key_sendup_mbuf(struct socket *, struct mbuf *, int);
#endif /* _KERNEL */
#endif /*_NETKEY_KEYSOCK_H_*/