Commit Graph

104 Commits

Author SHA1 Message Date
Hajimu UMEMOTO
b1a6f1d8a2 SADB_UPDATE did not return an error when key length is invalid.
Obtained from:	KAME
2005-08-22 07:05:14 +00:00
Hajimu UMEMOTO
e1d274a25d fix build without option INET6.
Reported by:	Philip M. Gollucci <pgollucci__at__p6m7g8.com>
2005-07-30 20:10:31 +00:00
Hajimu UMEMOTO
a1f7e5f8ee scope cleanup. with this change
- most of the kernel code will not care about the actual encoding of
  scope zone IDs and won't touch "s6_addr16[1]" directly.
- similarly, most of the kernel code will not care about link-local
  scoped addresses as a special case.
- scope boundary check will be stricter.  For example, the current
  *BSD code allows a packet with src=::1 and dst=(some global IPv6
  address) to be sent outside of the node, if the application do:
    s = socket(AF_INET6);
    bind(s, "::1");
    sendto(s, some_global_IPv6_addr);
  This is clearly wrong, since ::1 is only meaningful within a single
  node, but the current implementation of the *BSD kernel cannot
  reject this attempt.

Submitted by:	JINMEI Tatuya <jinmei__at__isl.rdc.toshiba.co.jp>
Obtained from:	KAME
2005-07-25 12:31:43 +00:00
SUZUKI Shinsuke
6910b9ebdb fixed an unexpected addr/port matching failure in IPv6 SA management
PR: kern/72393
MFC after: 3 days
2005-01-10 13:06:42 +00:00
Warner Losh
c398230b64 /* -> /*- for license, minor formatting changes 2005-01-07 01:45:51 +00:00
SUZUKI Shinsuke
3d54848fc2 support TCP-MD5(IPv4) in KAME-IPSEC, too.
MFC after: 3 week
2004-11-08 18:49:51 +00:00
Poul-Henning Kamp
756d52a195 Initialize struct pr_userreqs in new/sparse style and fill in common
default elements in net_init_domain().

This makes it possible to grep these structures and see any bogosities.
2004-11-08 14:44:54 +00:00
Robert Watson
dbfb9a4ee6 Merge netipsec/key.c:1.17 into KAME pfkey implementation:
date: 2004/09/26 02:01:27;  author: sam;  state: Exp;  lines: +0 -5
  Correct handling of SADB_UPDATE and SADB_ADD requests.  key_align may
  split the mbuf due to use of m_pulldown.  Discarding the result because
  of this does not make sense as no subsequent code depends on the entire
  msg being linearized (only the individual pieces).  It's likely
  something else is wrong here but for now this appears to get things back
  to a working state.

  Submitted by:   Roselyn Lee

This change was also made in the KAME CVS repository as key.c:1.337 by
itojun.
2004-09-30 00:49:55 +00:00
Robert Watson
71182fbeb6 The KAME IPSEC implementation at one point used its own pseudo-random
number generator, which was re-seeded via a timeout.  Now centralized
randomness/entropy is used, we can garbage collect the timeout and
re-seeding code (which was largely a no-op).

Discussed with:	itojun, suz, JINMEI Tatuya < jinmei at isl dot rdc dot toshiba dot co dot jp >
2004-09-02 20:14:03 +00:00
Robert Watson
24114d445c Semi-gratuitous white space synchronization with KAME tree: to reduce
diffs against #ifdef'd version of IPSEC, use "struct thread *p"
rather than "struct proc *p", fix some white space, and make some
already inconsistent white space inconsiste differently.
2004-08-27 18:41:41 +00:00
Robert Watson
3713458b99 Diff reduce against KAME: minor white space synchronization to KAME
tree.
2004-08-27 18:24:59 +00:00
Robert Watson
a34b704666 Merge next step in socket buffer locking:
- sowakeup() now asserts the socket buffer lock on entry.  Move
  the call to KNOTE higher in sowakeup() so that it is made with
  the socket buffer lock held for consistency with other calls.
  Release the socket buffer lock prior to calling into pgsigio(),
  so_upcall(), or aio_swake().  Locking for this event management
  will need revisiting in the future, but this model avoids lock
  order reversals when upcalls into other subsystems result in
  socket/socket buffer operations.  Assert that the socket buffer
  lock is not held at the end of the function.

- Wrapper macros for sowakeup(), sorwakeup() and sowwakeup(), now
  have _locked versions which assert the socket buffer lock on
  entry.  If a wakeup is required by sb_notify(), invoke
  sowakeup(); otherwise, unconditionally release the socket buffer
  lock.  This results in the socket buffer lock being released
  whether a wakeup is required or not.

- Break out socantsendmore() into socantsendmore_locked() that
  asserts the socket buffer lock.  socantsendmore()
  unconditionally locks the socket buffer before calling
  socantsendmore_locked().  Note that both functions return with
  the socket buffer unlocked as socantsendmore_locked() calls
  sowwakeup_locked() which has the same properties.  Assert that
  the socket buffer is unlocked on return.

- Break out socantrcvmore() into socantrcvmore_locked() that
  asserts the socket buffer lock.  socantrcvmore() unconditionally
  locks the socket buffer before calling socantrcvmore_locked().
  Note that both functions return with the socket buffer unlocked
  as socantrcvmore_locked() calls sorwakeup_locked() which has
  similar properties.  Assert that the socket buffer is unlocked
  on return.

- Break out sbrelease() into a sbrelease_locked() that asserts the
  socket buffer lock.  sbrelease() unconditionally locks the
  socket buffer before calling sbrelease_locked().
  sbrelease_locked() now invokes sbflush_locked() instead of
  sbflush().

- Assert the socket buffer lock in socket buffer sanity check
  functions sblastrecordchk(), sblastmbufchk().

- Assert the socket buffer lock in SBLINKRECORD().

- Break out various sbappend() functions into sbappend_locked()
  (and variations on that name) that assert the socket buffer
  lock.  The !_locked() variations unconditionally lock the socket
  buffer before calling their _locked counterparts.  Internally,
  make sure to call _locked() support routines, etc, if already
  holding the socket buffer lock.

- Break out sbinsertoob() into sbinsertoob_locked() that asserts
  the socket buffer lock.  sbinsertoob() unconditionally locks the
  socket buffer before calling sbinsertoob_locked().

- Break out sbflush() into sbflush_locked() that asserts the
  socket buffer lock.  sbflush() unconditionally locks the socket
  buffer before calling sbflush_locked().  Update panic strings
  for new function names.

- Break out sbdrop() into sbdrop_locked() that asserts the socket
  buffer lock.  sbdrop() unconditionally locks the socket buffer
  before calling sbdrop_locked().

- Break out sbdroprecord() into sbdroprecord_locked() that asserts
  the socket buffer lock.  sbdroprecord() unconditionally locks
  the socket buffer before calling sbdroprecord_locked().

- sofree() now calls socantsendmore_locked() and re-acquires the
  socket buffer lock on return.  It also now calls
  sbrelease_locked().

- sorflush() now calls socantrcvmore_locked() and re-acquires the
  socket buffer lock on return.  Clean up/mess up other behavior
  in sorflush() relating to the temporary stack copy of the socket
  buffer used with dom_dispose by more properly initializing the
  temporary copy, and selectively bzeroing/copying more carefully
  to prevent WITNESS from getting confused by improperly
  initialized mutexes.  Annotate why that's necessary, or at
  least, needed.

- soisconnected() now calls sbdrop_locked() before unlocking the
  socket buffer to avoid locking overhead.

Some parts of this change were:

Submitted by:	sam
Sponsored by:	FreeBSD Foundation
Obtained from:	BSD/OS
2004-06-21 00:20:43 +00:00
Hajimu UMEMOTO
a8938746a3 avoid duplicate free.
(though KAME doesn't decide how to fix it yet, I once commit it
to be in time for 5.2.1-RELEASE.)

Submitted by:	itojun
2004-01-25 17:18:12 +00:00
Hajimu UMEMOTO
3b0105ca30 invalidate secpolicy pcb cache on key_timehandler. part of
http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff

Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Reviewed by:	itojun
2004-01-14 04:39:40 +00:00
Hajimu UMEMOTO
e9c8752e56 add missing key_freesp()s. part of
http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
with some modification.

Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Reviewed by:	itojun
Obtained from:	KAME
2004-01-14 04:10:28 +00:00
Hajimu UMEMOTO
869a467690 don't touch after free. 2003-12-10 05:01:41 +00:00
Hajimu UMEMOTO
7c1da7529a use callout_*() rather than timeout(). 2003-12-07 11:23:59 +00:00
Hajimu UMEMOTO
dd8b0111cb missing splx.
this is a NOOP change, and primarily merged for consistency with
-STABLE.

Approved by:	re (rwatson)
2003-11-28 14:34:42 +00:00
Robert Watson
a557af222b Introduce a MAC label reference in 'struct inpcb', which caches
the   MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
Hajimu UMEMOTO
313ab6b4d5 add sysctl MIB net.key.esp_auth which was wrongly dropped
during recent KAME merge.
2003-11-13 12:26:55 +00:00
Hajimu UMEMOTO
331bf4e6f7 ipsec_esp_auth is unused when IPSEC_ESP is not defined.
Reported by:	Andre Oppermann <oppermann@pipeline.ch>
2003-11-11 17:25:45 +00:00
Hajimu UMEMOTO
0f9ade718d - cleanup SP refcnt issue.
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all.  secpolicy no longer contain
  spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy.  assign ID field to
  all SPD entries.  make it possible for racoon to grab SPD entry on
  pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header.  a mode is always needed
  to compare them.
- fixed that the incorrect time was set to
  sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
  because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
  alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
  XXX in theory refcnt should do the right thing, however, we have
  "spdflush" which would touch all SPs.  another solution would be to
  de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion.  ipsec_*_policy ->
  ipsec_*_pcbpolicy.
- avoid variable name confusion.
  (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
  secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
  can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
  "src" of the spidx specifies ICMP type, and the port field in "dst"
  of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
  kernel forwards the packets.

Tested by:	nork
Obtained from:	KAME
2003-11-04 16:02:05 +00:00
Hajimu UMEMOTO
2dc334e089 correct %d/%u mismatch.
Obtained from:	KAME
2003-11-02 12:28:04 +00:00
Hajimu UMEMOTO
b67d3260ea exit(3) with negative value does not make sense'
Obtained from:	KAME
2003-11-02 11:43:07 +00:00
Hajimu UMEMOTO
c7ebbcde04 make debugging with "setkey -x" a lot easier.
Obtained from:	KAME
2003-11-02 11:26:42 +00:00
Hajimu UMEMOTO
9712142383 cleanup secasvar management; refcnt is key.c responsibility;
alloc/free is keydb.c responsibility.

Obtained from:	KAME
2003-11-02 10:49:47 +00:00
Hajimu UMEMOTO
8f27541d2a - do not quit from key_sendup() even if writes to non-target
socket fails.
- remove an unneeded function.
- fix pfkey stat.
- fix comment.

Obtained from:	KAME
2003-11-02 09:13:33 +00:00
Hajimu UMEMOTO
46b35e11be mib name was changed by fixing a spelling.
net.key.prefered_oldsa -> net.key.preferred_oldsa

Obtained from:	KAME
2003-10-28 16:16:04 +00:00
Hajimu UMEMOTO
66bb118edd drop the code of HAVE_NRL_INPCB part. our system doesn't
use NRL style INPCB.
2003-10-22 18:52:57 +00:00
Hajimu UMEMOTO
1ae02d474a nuke unused ICMPV6CTL_NAMES and KEYCTL_NAMES macros. 2003-10-07 15:14:33 +00:00
Hajimu UMEMOTO
386caafbf7 Reduce diffs against KAME. No functional change.
Obtained from:	KAME
2003-09-30 10:52:49 +00:00
Hajimu UMEMOTO
a7012295b4 Reduce diffs against KAME. No functional change.
Obtained from:	KAME
2003-09-30 09:06:58 +00:00
Hajimu UMEMOTO
aa73b85dc8 Sync style and comments with latest KAME to reduce diffs.
No functional change.

Obtained from:	KAME
2003-09-30 07:57:05 +00:00
Hajimu UMEMOTO
5c6ebad8f6 add /*CONSTCOND*/ to reduce diffs against latest KAME.
Obtained from:	KAME
2003-09-25 13:40:06 +00:00
Hajimu UMEMOTO
4bcf9f8e6f panic() doesn't need `\n'.
Obtained from:	KAME
2003-09-25 13:36:51 +00:00
David E. O'Brien
ab0de15baf Use __FBSDID(). 2003-06-11 05:37:42 +00:00
Dag-Erling Smørgrav
fe58453891 Introduce an M_ASSERTPKTHDR() macro which performs the very common task
of asserting that an mbuf has a packet header.  Use it instead of hand-
rolled versions wherever applicable.

Submitted by:	Hiten Pandya <hiten@unixdaemons.com>
2003-04-08 14:25:47 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Andrey A. Chernov
24a701b269 Comment out srandom():
1) Already called in init_main.c:proc0_post()
2) Seed is bad
2003-02-05 15:32:24 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Hajimu UMEMOTO
a5c8d51908 "struct route" is not sufficient. NetBSD PR 18751
Obtained from:	KAME
MFC after:	1 days
2003-01-08 17:59:24 +00:00
Jens Schweikhardt
9d5abbddbf Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,
especially in troff files.
2003-01-01 18:49:04 +00:00
Bosko Milekic
86fea6be59 o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} and
the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}.
o Fix a bpf_compat issue where malloc() was defined to just call
  bpf_alloc() and pass the 'canwait' flag(s) along.  It's been changed
  to call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT
  flag (and only one of those two).

Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
2002-12-19 22:58:27 +00:00
Hajimu UMEMOTO
1116a8c98e - fixed the order of searching SA table for packets.
- comment about deletion of SA that has not been used by reaching
  soft lifetime.

Obtained from:	KAME
MFC after:	2 week
2002-07-10 16:39:38 +00:00
Seigo Tanimura
03e4918190 Remove so*_locked(), which were backed out by mistake. 2002-06-18 07:42:02 +00:00
Seigo Tanimura
4cc20ab1f0 Back out my lats commit of locking down a socket, it conflicts with hsu's work.
Requested by:	hsu
2002-05-31 11:52:35 +00:00
Peter Wemm
3b688a9484 pacify gcc-3.1's -Wunused checking. 2002-05-24 05:53:57 +00:00
Seigo Tanimura
243917fe3b Lock down a socket, milestone 1.
o Add a mutex (sb_mtx) to struct sockbuf. This protects the data in a
  socket buffer. The mutex in the receive buffer also protects the data
  in struct socket.

o Determine the lock strategy for each members in struct socket.

o Lock down the following members:

  - so_count
  - so_options
  - so_linger
  - so_state

o Remove *_locked() socket APIs.  Make the following socket APIs
  touching the members above now require a locked socket:

 - sodisconnect()
 - soisconnected()
 - soisconnecting()
 - soisdisconnected()
 - soisdisconnecting()
 - sofree()
 - soref()
 - sorele()
 - sorwakeup()
 - sotryfree()
 - sowakeup()
 - sowwakeup()

Reviewed by:	alfred
2002-05-20 05:41:09 +00:00
Alfred Perlstein
f132072368 Redo the sigio locking.
Turn the sigio sx into a mutex.

Sigio lock is really only needed to protect interrupts from dereferencing
the sigio pointer in an object when the sigio itself is being destroyed.

In order to do this in the most unintrusive manner change pgsigio's
sigio * argument into a **, that way we can lock internally to the
function.
2002-05-01 20:44:46 +00:00
Seigo Tanimura
960ed29c4b Revert the change of #includes in sys/filedesc.h and sys/socketvar.h.
Requested by:	bde

Since locking sigio_lock is usually followed by calling pgsigio(),
move the declaration of sigio_lock and the definitions of SIGIO_*() to
sys/signalvar.h.

While I am here, sort include files alphabetically, where possible.
2002-04-30 01:54:54 +00:00