Commit Graph

105 Commits

Author SHA1 Message Date
ae
cb2e09362f Add large replay widow support to setkey(8) and libipsec.
When the replay window size is large than UINT8_MAX, add to the request
the SADB_X_EXT_SA_REPLAY extension header that was added in r309144.

Also add support of SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT,
SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR,
SADB_X_EXT_SA_REPLAY, SADB_X_EXT_NEW_ADDRESS_SRC, SADB_X_EXT_NEW_ADDRESS_DST
extension headers to the key_debug that is used by `setkey -x`.

Modify kdebug_sockaddr() to use inet_ntop() for IP addresses formatting.
And modify kdebug_sadb_x_policy() to show policy scope and priority.

Reviewed by:	gnn, Emeric Poupon
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D10375
2017-04-13 14:44:17 +00:00
bcr
ba9cb725b9 Make setkey(8) more clear about anti-replay window size option semantics.
PR:			172913
Submitted by:		john@saltant.com
Reviewed by:		ae@
MFC after:		2 weeks
Differential Revision:	https://reviews.freebsd.org/D10304
2017-04-09 15:17:55 +00:00
ae
eeabfe4bc2 Use unique SPI.
MFC after:	1 week
2017-04-04 23:30:05 +00:00
ae
fefa8a6940 In the example section show that TCP-MD5 connection needs SA for both
directions.

Submitted by:	Mike Tancsa <mike at sentex net>
MFC after:	1 week
2017-04-04 23:28:22 +00:00
ngie
1a7bb4a7a9 Fix CFLAGS for including netipsec headers #includes
The netipsec headers are referenced via netipsec/..., not ./... .
Thus, assuming that the netipsec/... is nested under ${SRCTOP}/sys/netipsec
is wrong.

This tripped up some individuals building ^/head on systems pre-r314812.

MFC after:	1 week
Reported by:	Roberto Rodriguez Jr <rob.rodz.jr9@gmail.com>
Sponsored by:	Dell EMC Isilon
2017-03-13 01:05:25 +00:00
ngie
f5809ea627 Delete duplicate -I <SRCTOP>/lib/libipsec added in r171135
It's already handled earlier on in the Makefile, per the change made
in r80029.

MFC after:	1 month
Sponsored by:	Dell EMC Isilon
2017-03-12 02:21:16 +00:00
ae
749be37c28 Introduce the concept of IPsec security policies scope.
Currently are defined three scopes: global, ifnet, and pcb.
Generic security policies that IKE daemon can add via PF_KEY interface
or an administrator creates with setkey(8) utility have GLOBAL scope.
Such policies can be applied by the kernel to outgoing packets and checked
agains inbound packets after IPsec processing.
Security policies created by if_ipsec(4) interfaces have IFNET scope.
Such policies are applied to packets that are passed through if_ipsec(4)
interface.
And security policies created by application using setsockopt()
IP_IPSEC_POLICY option have PCB scope. Such policies are applied to
packets related to specific socket. Currently there is no way to list
PCB policies via setkey(8) utility.

Modify setkey(8) and libipsec(3) to be able distinguish the scope of
security policies in the `setkey -DP` listing. Add two optional flags:
'-t' to list only policies related to virtual *tunneling* interfaces,
i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL
scope. By default policies from all scopes are listed.

To implement this PF_KEY's sadb_x_policy structure was modified.
sadb_x_policy_reserved field is used to pass the policy scope from the
kernel to userland. SADB_SPDDUMP message extended to support filtering
by scope: sadb_msg_satype field is used to specify bit mask of requested
scopes.

For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy
is used to pass if_ipsec's interface if_index to the userland. For GLOBAL
policies sadb_x_policy_priority is used only to manage order of security
policies in the SPDB. For IFNET policies it is not used, so it can be used
to keep if_index.

After this change the output of `setkey -DP` now looks like:
# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
# setkey -DPg
::/0 ::/0 icmp6 135,0
	out none
	spid=5 seq=1 pid=872 scope=global
	refcnt=1

No objection from:	#network
Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D9805
2017-03-07 00:13:53 +00:00
ngie
3c4b37d990 sbin: normalize paths using SRCTOP-relative paths or :H when possible
This simplifies make logic/output

MFC after:	1 month
Sponsored by:	Dell EMC Isilon
2017-03-04 11:33:01 +00:00
ae
0f1f4af770 Document that the size of AH ICV for HMAC-SHA2-NNN should be half of
NNN bits as described in RFC4868.

PR:		215978
2017-02-27 15:30:27 +00:00
ae
0fb6ad528e Merge projects/ipsec into head/.
Small summary
 -------------

o Almost all IPsec releated code was moved into sys/netipsec.
o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel
  option IPSEC_SUPPORT added. It enables support for loading
  and unloading of ipsec.ko and tcpmd5.ko kernel modules.
o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by
  default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type
  support was removed. Added TCP/UDP checksum handling for
  inbound packets that were decapsulated by transport mode SAs.
  setkey(8) modified to show run-time NAT-T configuration of SA.
o New network pseudo interface if_ipsec(4) added. For now it is
  build as part of ipsec.ko module (or with IPSEC kernel).
  It implements IPsec virtual tunnels to create route-based VPNs.
o The network stack now invokes IPsec functions using special
  methods. The only one header file <netipsec/ipsec_support.h>
  should be included to declare all the needed things to work
  with IPsec.
o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed.
  Now these protocols are handled directly via IPsec methods.
o TCP_SIGNATURE support was reworked to be more close to RFC.
o PF_KEY SADB was reworked:
  - now all security associations stored in the single SPI namespace,
    and all SAs MUST have unique SPI.
  - several hash tables added to speed up lookups in SADB.
  - SADB now uses rmlock to protect access, and concurrent threads
    can do SA lookups in the same time.
  - many PF_KEY message handlers were reworked to reflect changes
    in SADB.
  - SADB_UPDATE message was extended to support new PF_KEY headers:
    SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They
    can be used by IKE daemon to change SA addresses.
o ipsecrequest and secpolicy structures were cardinally changed to
  avoid locking protection for ipsecrequest. Now we support
  only limited number (4) of bundled SAs, but they are supported
  for both INET and INET6.
o INPCB security policy cache was introduced. Each PCB now caches
  used security policies to avoid SP lookup for each packet.
o For inbound security policies added the mode, when the kernel does
  check for full history of applied IPsec transforms.
o References counting rules for security policies and security
  associations were changed. The proper SA locking added into xform
  code.
o xform code was also changed. Now it is possible to unregister xforms.
  tdb_xxx structures were changed and renamed to reflect changes in
  SADB/SPDB, and changed rules for locking and refcounting.

Reviewed by:	gnn, wblock
Obtained from:	Yandex LLC
Relnotes:	yes
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D9352
2017-02-06 08:49:57 +00:00
sevan
21757e3a35 setkey appeared in FreeBSD 4.0
PR:		212551
Approved by:	bcr (mentor)
MFC after:	4 days
Differential Revision:	https://reviews.freebsd.org/D8105
2016-10-03 00:42:25 +00:00
araujo
400b711861 Use nitems() from sys/param.h.
MFC after:	2 weeks.
2016-04-19 09:43:51 +00:00
gjb
955ce29ea3 MFH
Sponsored by:	The FreeBSD Foundation
2016-03-02 16:14:46 +00:00
bdrewery
2a891f1feb DIRDEPS_BUILD: Regenerate without local dependencies.
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.

Sponsored by:	EMC / Isilon Storage Division
2016-02-24 17:20:11 +00:00
gjb
4e38aaedb8 Explicitly add more files to the 'runtime' package.
Sponsored by:	The FreeBSD Foundation
2016-02-09 20:19:31 +00:00
gnn
526fd31fd3 Add support for keys that include 4 byte SALT values,
including GCM and ICM/CTR modes for AES.

Reviewed by:	jmg
MFC after:	1 week
Sponsored by:	Rubicon Communications (Netgate)
2015-07-31 23:40:18 +00:00
gnn
a2deec2ed0 Summary: Remove unsupported 3des-deriv encryption algorithm from documentation. 2015-07-31 17:41:53 +00:00
gnn
9854b22dd7 Update the date on the manual page.
Noticed by: bz
2015-07-03 20:42:31 +00:00
gnn
ea302f3ee6 New AES modes for IPSec, user space components.
Update setkey and libipsec to understand aes-gcm-16 as an
encryption method.

A partial commit of the work in review D2936.

Submitted by:	eri
Reviewed by:	jmg
MFC after:	2 weeks
Sponsored by:	Rubicon Communications (Netgate)
2015-07-03 20:09:14 +00:00
gnn
2971c30634 Fix support for the null encryption algorithm which now requires
a key.

Sponsored by: Rubicon Communications (Netgate)
2015-06-25 18:38:58 +00:00
sjg
008d7c831f Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
sjg
75a137820d dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
sjg
65145fa4c8 Merge sync of head 2015-05-27 01:19:58 +00:00
bapt
6fdc031751 Convert sbin/ to LIBADD
Reduce overlinking
2014-11-25 11:23:12 +00:00
sjg
d7cd1d425c Merge head from 7/28 2014-08-19 06:50:54 +00:00
wblock
bdf1998fc1 Fix spelling of Camellia algorithm. While here, replace blank lines
between examples with actual .Pp breaks.

PR:		192067
Submitted by:	dmitry2004@yandex.ru
MFC after:	1 week
2014-07-25 17:09:48 +00:00
sjg
5860f0d106 Updated dependencies 2014-05-16 14:09:51 +00:00
sjg
1a7e48acf1 Updated dependencies 2014-05-10 05:16:28 +00:00
sjg
ed3fc70bf5 Merge from head 2014-05-08 23:54:15 +00:00
imp
2118f42afd Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
sjg
6d37b86f2b Updated dependencies 2013-03-11 17:21:52 +00:00
sjg
0ee5295509 Updated dependencies 2013-02-16 01:23:54 +00:00
obrien
3028e3f8ab Sync with HEAD. 2013-02-08 16:10:16 +00:00
eadler
7284572ae6 Correct prefix for "locally installed things"
Approved by:	cperciva
MFC After:	3 days
2013-01-16 05:03:46 +00:00
eadler
ba44c5a926 Minor wording improvments to some manual pages
Approved by:	bcr (mentor)
Obtained from:	DragonflyBSD (a5294ca835317c68c919ab43936da4f05ab6e926)
MFC after:	3 days
2012-12-16 23:00:13 +00:00
sjg
778e93c51a Sync from head 2012-11-04 02:52:03 +00:00
marcel
9dd41e3647 Sync FreeBSD's bmake branch with Juniper's internal bmake branch.
Requested by: Simon Gerraty <sjg@juniper.net>
2012-08-22 19:25:57 +00:00
joel
1ecf065a6c Minor mdoc improvements. 2012-06-03 07:45:42 +00:00
joel
82a81c78d9 Minor mdoc nits. 2012-05-13 14:16:04 +00:00
joel
906214101c mdoc: correct .Bd/.Bl arguments.
Reviewed by:	brueffer
2012-03-26 21:22:53 +00:00
joel
495c9c025f Remove superfluous paragraph macro. 2012-03-25 09:21:09 +00:00
uqs
1c9f17fc8b mdoc: fix markup 2011-06-02 09:56:42 +00:00
uqs
7fc6083fed mdoc: drop even more redundant .Pp calls
No change in rendered output, less mandoc lint warnings.

Tool provided by:	Nobuyuki Koganemaru n-kogane at syd.odn.ne.jp
2010-10-19 12:35:40 +00:00
maxim
2652efe7b0 o Fix typo.
PR:		docs/145031
Submitted by:	olgeni
MFC after:	1 week
2010-03-26 05:35:25 +00:00
ru
fdf6718f33 Use the newly brought %U macro. 2010-01-15 16:01:22 +00:00
maxim
872571654b o Add missed dot. 2008-09-29 05:31:27 +00:00
maxim
d501f78b50 o Allow setkey(8) to recognize esp as a protocoal name for spdadd.
PR:		bin/107392
Submitted by:	Eugene Grosbein
MFC after:	1 month
2008-01-12 20:00:23 +00:00
kevlo
fa3791e1a7 Cleanup of userland __P use 2007-11-07 10:53:41 +00:00
gnn
f5875f045c Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes all remaining changes for the time being including
user space updates.

Submitted by:    bz
Approved by:    re
2007-07-01 12:08:08 +00:00
gnn
38b76f0623 Integrate the Camellia Block Cipher. For more information see RFC 4132
and its bibliography.

Submitted by:   Tomoyuki Okazaki <okazaki at kick dot gr dot jp>
MFC after:      1 month
2007-05-09 19:37:02 +00:00