Commit Graph

77 Commits

Author SHA1 Message Date
pjd
501751fbc7 Change '#if INET' and '#if INET6' to '#ifdef INET' and '#ifdef INET6'.
This unbreaks compiling a kernel with FAST_IPSEC and no INET6.
2006-06-04 19:32:32 +00:00
gnn
fe27631048 Extend the notdef #ifdef to cover the packet copy as there is no point in doing that if we're not doing the rest of the work.
Submitted by:	thompsa
MFC after: 1 week
2006-06-04 03:11:09 +00:00
pjd
c1590119a6 Prevent disappearing SAD entries by implementing MPsafe refcounting.
"Why didn't he use SECASVAR_LOCK()/SECASVAR_UNLOCK() macros to
 synchronize access to the secasvar structure's fields?" one may ask.
There were two reasons:
1. refcount(9) is faster then mutex(9) synchronization (one atomic
   operation instead of two).
2. Those macros are not used now at all, so at some point we may decide
   to remove them entirely.

OK'ed by:	gnn
MFC after:	2 weeks
2006-05-20 15:35:36 +00:00
pjd
1f7868c704 - The authsize field from auth_hash structure was removed.
- Define that we want to receive only 96 bits of HMAC.
- Names of the structues have no longer _96 suffix.

Reviewed by:	sam
2006-05-17 18:30:28 +00:00
pjd
98fc9938af Hide net.inet.ipsec.test_{replay,integrity} sysctls under #ifdef REGRESSION.
Requested by:	sam, rwatson
2006-04-10 15:04:36 +00:00
pjd
0501edbc66 Introduce two new sysctls:
net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
	the same sequence number. This allows to verify if the other side
	has proper replay attacks detection.

net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with
	corrupted HMAC. This allows to verify if the other side properly
	detects modified packets.

I used the first one to discover that we don't have proper replay attacks
detection in ESP (in fast_ipsec(4)).
2006-04-09 19:11:45 +00:00
pjd
b9b788a576 Be consistent with the rest of the code. 2006-04-09 19:00:23 +00:00
dd
264a13426d Remove unused variables s and error in key_detach. The previous
revision removed their usage but did not remove the declaration. This
caused a warning in my build, which was fatal with -Werror.
2006-04-04 10:11:15 +00:00
gnn
60609380bc Remove unintended DEBUG flag setting. 2006-04-04 03:12:21 +00:00
rwatson
5479e5d692 Chance protocol switch method pru_detach() so that it returns void
rather than an error.  Detaches do not "fail", they other occur or
the protocol flags SS_PROTOREF to take ownership of the socket.

soclose() no longer looks at so_pcb to see if it's NULL, relying
entirely on the protocol to decide whether it's time to free the
socket or not using SS_PROTOREF.  so_pcb is now entirely owned and
managed by the protocol code.  Likewise, no longer test so_pcb in
other socket functions, such as soreceive(), which have no business
digging into protocol internals.

Protocol detach routines no longer try to free the socket on detach,
this is performed in the socket code if the protocol permits it.

In rts_detach(), no longer test for rp != NULL in detach, and
likewise in other protocols that don't permit a NULL so_pcb, reduce
the incidence of testing for it during detach.

netinet and netinet6 are not fully updated to this change, which
will be in an upcoming commit.  In their current state they may leak
memory or panic.

MFC after:	3 months
2006-04-01 15:42:02 +00:00
rwatson
8622e776f9 Change protocol switch pru_abort() API so that it returns void rather
than an int, as an error here is not meaningful.  Modify soabort() to
unconditionally free the socket on the return of pru_abort(), and
modify most protocols to no longer conditionally free the socket,
since the caller will do this.

This commit likely leaves parts of netinet and netinet6 in a situation
where they may panic or leak memory, as they have not are not fully
updated by this commit.  This will be corrected shortly in followup
commits to these components.

MFC after:      3 months
2006-04-01 15:15:05 +00:00
bz
17b93d79f6 Fix more stack corruptions on amd64.
Vararg functions have a different calling convention than regular
functions on amd64. Casting a varag function to a regular one to
match the function pointer declaration will hide the varargs from
the caller and we will end up with an incorrectly setup stack.

Entirely remove the varargs from these functions and change the
functions to match the declaration of the function pointers.
Remove the now unnecessary casts.

Also change static struct ipprotosw[] to two independent
protosw/ip6protosw definitions to remove an unnecessary cast.

PR:				amd64/95008
Submitted and tested by:	Mats Palmgren
Reviewed by:			rwatson
MFC after:			3 days
2006-03-30 18:57:04 +00:00
gnn
4a5d9d5dd3 First steps towards IPSec cleanup.
Make the kernel side of FAST_IPSEC not depend on the shared
structures defined in /usr/include/net/pfkeyv2.h  The kernel now
defines all the necessary in kernel structures in sys/netipsec/keydb.h
and does the proper massaging when moving messages around.

Sponsored By: Secure Computing
2006-03-25 13:38:52 +00:00
pjd
7d617251cc Allow to use fast_ipsec(4) on debug.mpsafenet=0 and INVARIANTS-enabled
systems. Without the change it will panic on assertions.

MFC after:	2 weeks
2006-03-23 23:26:34 +00:00
cperciva
e66460b894 Add missing code needed for the detection of IPSec packet replays. [1]
Correctly identify the user running opiepasswd(1) when the login name
differs from the account name. [2]

Security:	FreeBSD-SA-06:11.ipsec [1]
Security:	FreeBSD-SA-06:12.opie [2]
2006-03-22 16:00:42 +00:00
sam
bf44b23991 promote fast ipsec's m_clone routine for public use; it is renamed
m_unshare and the caller can now control how mbufs are allocated

Reviewed by:	andre, luigi, mlaier
MFC after:	1 week
2006-03-15 21:11:11 +00:00
bz
6d9ab80fce Fix stack corruptions on amd64.
Vararg functions have a different calling convention than regular
functions on amd64. Casting a varag function to a regular one to
match the function pointer declaration will hide the varargs from
the caller and we will end up with an incorrectly setup stack.

Entirely remove the varargs from these functions and change the
functions to match the declaration of the function pointers.
Remove the now unnecessary casts.

Lots of explanations and help from:     peter
Reviewed by:                            peter
PR:                                     amd64/89261
MFC after:                              6 days
2006-01-21 10:44:34 +00:00
ru
9b19d72862 Fix -Wundef warnings found when compiling i386 LINT, GENERIC and
custom kernels.
2005-12-05 11:58:35 +00:00
ru
dcace5669d Use sparse initializers for "struct domain" and "struct protosw",
so they are easier to follow for the human being.
2005-11-09 13:29:16 +00:00
andre
0df84f5a83 Retire MT_HEADER mbuf type and change its users to use MT_DATA.
Having an additional MT_HEADER mbuf type is superfluous and redundant
as nothing depends on it.  It only adds a layer of confusion.  The
distinction between header mbuf's and data mbuf's is solely done
through the m->m_flags M_PKTHDR flag.

Non-native code is not changed in this commit.  For compatibility
MT_HEADER is mapped to MT_DATA.

Sponsored by:	TCP/IP Optimization Fundraise 2005
2005-11-02 13:46:32 +00:00
andre
41f17dbd3a Replace custom mbuf writeability test with generic M_WRITABLE() test
covering all edge cases too.

Sponsored by:	TCP/IP Optimization Fundraise 2005
2005-09-26 20:35:45 +00:00
hmp
96eb8edf03 Correct typo in a comment describing vshiftl(). 2005-06-02 23:56:10 +00:00
sam
291aff4a04 correct space check
Submitted by:	ume
2005-03-09 15:28:48 +00:00
imp
a50ffc2912 /* -> /*- for license, minor formatting changes 2005-01-07 01:45:51 +00:00
phk
027fce30f5 Initialize struct pr_userreqs in new/sparse style and fill in common
default elements in net_init_domain().

This makes it possible to grep these structures and see any bogosities.
2004-11-08 14:44:54 +00:00
sam
9cd015b873 Remove extraneous SECPOLICY_LOCK_DESTROY calls that cause the mutex to be
destroyed twice.

Submitted by:	Roselyn Lee
2004-10-02 00:19:05 +00:00
sam
3234aae2af Add missing locking for secpolicy refcnt manipulations.
Submitted by:	Roselyn Lee
2004-09-30 01:08:02 +00:00
sam
806751e928 Correct handling of SADB_UPDATE and SADB_ADD requests. key_align may split
the mbuf due to use of m_pulldown.  Discarding the result because of this
does not make sense as no subsequent code depends on the entire msg being
linearized (only the individual pieces).  It's likely something else is wrong
here but for now this appears to get things back to a working state.

Submitted by:	Roselyn Lee
2004-09-26 02:01:27 +00:00
mlaier
83e80bafba Protect sockaddr_union definitions with a protecting define. This allows to
build kernels with FAST_IPSEC and PF. This is the least disruptive fix.

PR:		kern/71836
Reviewed by:	bms, various mailing lists
MFC after:	3 days
2004-09-23 12:44:40 +00:00
andre
2126402238 Apply error and success logic consistently to the function netisr_queue() and
its users.

netisr_queue() now returns (0) on success and ERRNO on failure.  At the
moment ENXIO (netisr queue not functional) and ENOBUFS (netisr queue full)
are supported.

Previously it would return (1) on success but the return value of IF_HANDOFF()
was interpreted wrongly and (0) was actually returned on success.  Due to this
schednetisr() was never called to kick the scheduling of the isr.  However this
was masked by other normal packets coming through netisr_dispatch() causing the
dequeueing of waiting packets.

PR:		kern/70988
Found by:	MOROHOSHI Akihiko <moro@remus.dti.ne.jp>
MFC after:	3 days
2004-08-27 18:33:08 +00:00
dwmalone
5df13d37b2 Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD
have already done this, so I have styled the patch on their work:

        1) introduce a ip_newid() static inline function that checks
        the sysctl and then decides if it should return a sequential
        or random IP ID.

        2) named the sysctl net.inet.ip.random_id

        3) IPv6 flow IDs and fragment IDs are now always random.
        Flow IDs and frag IDs are significantly less common in the
        IPv6 world (ie. rarely generated per-packet), so there should
        be smaller performance concerns.

The sysctl defaults to 0 (sequential IP IDs).

Reviewed by:	andre, silby, mlaier, ume
Based on:	NetBSD
MFC after:	2 months
2004-08-14 15:32:40 +00:00
bms
7e064ac98c Add required includes for post-sorwakeup() change to fix FAST_IPSEC
compilation.
2004-06-23 01:58:22 +00:00
bms
211ce911d5 Fix a paste-o in key_cmpspidx_withmask().
PR:		misc/67013
Submitted by:	Zhenmin <zli4@cs.uiuc.edu>
2004-06-22 17:17:44 +00:00
sam
047c730594 use correct address for SADB_EXT_ADDRESS_DST in key_do_allocsa_policy
(was using src instead of dst)

Submitted by:	Bjoern A. Zeeb
Obtained from:	KAME
MFC after:	1 day
2004-05-03 05:15:53 +00:00
sam
7cd921a9fc correct behaviour of key_getsavbyspi broken in rev 1.7; corrects problems with
removing specific SPIs

Submitted by:	Bjoern A. Zeeb
2004-05-03 05:11:40 +00:00
sam
7f15aed8bd add support to prefer old SA to new SA during allocation
(makes net.key.preferred_oldsa work as for KAME)

Submitted by:	gabor@sentex.net
Reviewed by:	Bjoern A. Zeeb
MFC after:	1 day
2004-05-03 03:29:21 +00:00
bms
3641ef4e5f Fix a debugging printf snafu. 2004-04-20 14:53:35 +00:00
luigi
38e63897ce use native names for if_link, ifa_link, if_addrhead.
Change for (...) to TAILQ_FOREACH(...)

Ok'ed by: sam
2004-04-17 23:29:25 +00:00
pjd
91d40e47d6 Unbreak FAST_IPSEC build on 64 bit archs with INVARIANTS.
Approved by:	sam
2004-04-07 00:19:02 +00:00
bms
e2445bb257 This file was erroneously removed from HEAD when TCP-MD5 support was MFC'd;
correct this lameness.
2004-04-03 05:31:38 +00:00
guido
349bb30cb9 Fix type in a sysctl. It used to be: net.key.prefered_oldsa
and is corrected to net.key.preferred_oldsa
This makes it consistent with the KAME IPsec implementation.

Approved by:	sam
2004-02-16 17:09:53 +00:00
bms
903cdeea1a Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.

For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.

Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.

There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.

Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.

This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.

Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.

Sponsored by:	sentex.net
2004-02-11 04:26:04 +00:00
sam
02e3f74868 must convert protocol to sa type when preparing a DELETE message
Submitted by:	Roselyn Lee <rosel@verniernetworks.com>
MFC after:	1 week
2004-02-05 23:19:17 +00:00
sam
8908e99bdb o add missing break
o remove extraneous bzero
o add SYSINIT to properly initialize ip4_def_policy

Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Submitted by:	gnn@neville-neil.com
2004-01-27 17:45:28 +00:00
sam
89b2bd490f change SYSINIT starting point to be consistent with other modules 2004-01-27 17:43:49 +00:00
sam
174fb2f804 add spdcachelookup and spdcachemiss to our version of struct ipsecstat so
netstat works properly

Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
2004-01-27 17:42:57 +00:00
sam
0ac3a99bac Fix ipip_output() to always set *mp to NULL on failure, even if 'm'
is NULL, otherwise ipsec4_process_packet() may try to m_freem() a
bad pointer.

In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output()
already did it.

Obtained from:	netbsd
2004-01-20 22:45:10 +00:00
sam
d37c54b3a9 fix build after KAME changes 2004-01-20 22:44:21 +00:00
bms
3eb53d90ef Push m_apply() and m_getptr() up into the colleciton of standard mbuf
routines, and purge them from opencrypto.

Reviewed by:	sam
Obtained from:	NetBSD
Sponsored by:	spc.org
2003-12-15 21:49:41 +00:00
rwatson
9c969b771a Introduce a MAC label reference in 'struct inpcb', which caches
the   MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00