Commit Graph

42 Commits

Author SHA1 Message Date
VANHULLEBUS Yvan
e985f4e07c SAs are valid (but dying) when they reached soft lifetime,
even if they have never been used.

Approved by:	gnn(mentor)
MFC after:	2 weeks
2009-03-05 16:22:32 +00:00
Roman Divacky
af83f5d77c Change the functions to ANSI in those cases where it breaks promotion
to int rule. See ISO C Standard: SS6.7.5.3:15.

Approved by:	kib (mentor)
Reviewed by:	warner
Tested by:	silence on -current
2009-02-24 18:09:31 +00:00
Bjoern A. Zeeb
fc384fa5d6 Another step assimilating IPv[46] PCB code - directly use
the inpcb names rather than the following IPv6 compat macros:
in6pcb,in6p_sp, in6p_ip6_nxt,in6p_flowinfo,in6p_vflag,
in6p_flags,in6p_socket,in6p_lport,in6p_fport,in6p_ppcb and
sotoin6pcb().

Apart from removing duplicate code in netipsec, this is a pure
whitespace, not a functional change.

Discussed with:	rwatson
Reviewed by:	rwatson (version before review requested changes)
MFC after:	4 weeks (set the timer and see then)
2008-12-15 21:50:54 +00:00
Bjoern A. Zeeb
4b79449e2f Rather than using hidden includes (with cicular dependencies),
directly include only the header files needed. This reduces the
unneeded spamming of various headers into lots of files.

For now, this leaves us with very few modules including vnet.h
and thus needing to depend on opt_route.h.

Reviewed by:	brooks, gnn, des, zec, imp
Sponsored by:	The FreeBSD Foundation
2008-12-02 21:37:28 +00:00
Marko Zec
97021c2464 Merge more of currently non-functional (i.e. resolving to
whitespace) macros from p4/vimage branch.

Do a better job at enclosing all instantiations of globals
scheduled for virtualization in #ifdef VIMAGE_GLOBALS blocks.

De-virtualize and mark as const saorder_state_alive and
saorder_state_any arrays from ipsec code, given that they are never
updated at runtime, so virtualizing them would be pointless.

Reviewed by:  bz, julian
Approved by:  julian (mentor)
Obtained from:        //depot/projects/vimage-commit2/...
X-MFC after:  never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-11-26 22:32:07 +00:00
Marko Zec
44e33a0758 Change the initialization methodology for global variables scheduled
for virtualization.

Instead of initializing the affected global variables at instatiation,
assign initial values to them in initializer functions.  As a rule,
initialization at instatiation for such variables should never be
introduced again from now on.  Furthermore, enclose all instantiations
of such global variables in #ifdef VIMAGE_GLOBALS blocks.

Essentialy, this change should have zero functional impact.  In the next
phase of merging network stack virtualization infrastructure from
p4/vimage branch, the new initialization methology will allow us to
switch between using global variables and their counterparts residing in
virtualization containers with minimum code churn, and in the long run
allow us to intialize multiple instances of such container structures.

Discussed at:	devsummit Strassburg
Reviewed by:	bz, julian
Approved by:	julian (mentor)
Obtained from:	//depot/projects/vimage-commit2/...
X-MFC after:	never
Sponsored by:	NLnet Foundation, The FreeBSD Foundation
2008-11-19 09:39:34 +00:00
Marko Zec
8b615593fc Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit

Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.

Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().

Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).

All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).

(*) netipsec/keysock.c did not validate depending on compile time options.

Implemented by:	julian, bz, brooks, zec
Reviewed by:	julian, bz, brooks, kris, rwatson, ...
Approved by:	julian (mentor)
Obtained from:	//depot/projects/vimage-commit2/...
X-MFC after:	never
Sponsored by:	NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
Bjoern A. Zeeb
603724d3ab Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).

This is the first in a series of commits over the course
of the next few weeks.

Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.

We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.

Obtained from:	//depot/projects/vimage-commit2/...
Reviewed by:	brooks, des, ed, mav, julian,
		jamie, kris, rwatson, zec, ...
		(various people I forgot, different versions)
		md5 (with a bit of help)
Sponsored by:	NLnet Foundation, The FreeBSD Foundation
X-MFC after:	never
V_Commit_Message_Reviewed_By:	more people than the patch
2008-08-17 23:27:27 +00:00
VANHULLEBUS Yvan
b78813061c Add lifetime informations to generated SPD entries when SPDDUMP
Approved by: gnn (mentor)
MFC after:	4 weeks
2008-08-05 15:36:50 +00:00
Julian Elischer
c2ff90ef96 Enter the 1990s. Use real function declaration. 2008-06-29 00:49:50 +00:00
Bjoern A. Zeeb
44c92dbb34 Fix a bug that when getting/dumping the soft lifetime we reported
the hard lifetime instead.

MFC after:	3 days
2008-03-24 15:01:20 +00:00
Bjoern A. Zeeb
fdcc0789fb Import change from KAME, rev. 1.362 kame/kame/sys/netkey/key.c
In case of "new SA", we must check the hard lifetime of the old SA
to find out if it is not permanent and we can delete it.

Submitted by:	sakane via gnn
MFC after:	3 days
2008-03-24 14:55:09 +00:00
Bjoern A. Zeeb
4e8a7c9ae1 Remove the "Fast " from the
"Fast IPsec: Initialized Security Association Processing." printf.
People kept asking questions about this after the IPsec shuffle.

This still is the Fast IPsec implementation so no worries that it would
be any slower now. There are no functional changes.

Discussed with:	sam
MFC after:	4 days
2008-03-14 16:25:40 +00:00
Bjoern A. Zeeb
208b3a93ac Fix bugs when allocating and passing information of current lifetime and
soft lifetime [1] introduced in rev. 1.21 of key.c.

Along with that, fix a related problem in key_debug
printing the correct data.
While there replace a printf by panic in a sanity check.

PR:		120751
Submitted by:	Kazuaki ODA (kazuaki aliceblue.jp) [1]
MFC after:	5 days
2008-03-02 17:12:28 +00:00
George V. Neville-Neil
2cb64cb272 Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes only the kernel files, the rest of the files
will follow in a second commit.

Reviewed by:    bz
Approved by:    re
Supported by:   Secure Computing
2007-07-01 11:41:27 +00:00
Bjoern A. Zeeb
8db2374fc4 'spi' and the return value of ntohl are unsigned. Remove the extra >=0
check which was always true.
Document the special meaning of spi values of 0 and 1-255 with a comment.

Found with:	Coverity Prevent(tm)
CID:		2047
2007-06-16 09:25:23 +00:00
Bjoern A. Zeeb
dde4978ffe In case of failure we can directly return ENOBUFS because
'result' is still NULL and we do not need to free anything.
That allows us to gc the entire goto parts and a now unused variable.

Found with:	Coverity Prevent(tm)
CID:		2519
2007-06-16 00:15:14 +00:00
Bjoern A. Zeeb
3a3a760769 Add a missing return so that we drop out in case of an error and
do not continue with a NULL pointer. [1]

While here change the return of the error handling code path above.
I cannot see why we should always return 0 there. Neither does KAME
nor do we in here for the similar check in all the other functions.

Found with:	Coverity Prevent(tm) [1]
CID:		2521
2007-06-15 23:45:39 +00:00
Bjoern A. Zeeb
91c7ac6740 With the current code 'src' is never NULL. Nevertheless move the check for
NULL before dereferencing the pointer.

Found with:	Coverity Prevent(tm)
CID:		2528
2007-06-15 22:35:59 +00:00
Bjoern A. Zeeb
c2f03ee6e6 Add missing
break;
so when comparing AF_INET6 addresses, scope and ports we do not run into
the default case and return 'no match' instead of 'match'.
2007-05-29 22:18:44 +00:00
Pawel Jakub Dawidek
95708c5fe3 Prevent disappearing SAD entries by implementing MPsafe refcounting.
"Why didn't he use SECASVAR_LOCK()/SECASVAR_UNLOCK() macros to
 synchronize access to the secasvar structure's fields?" one may ask.
There were two reasons:
1. refcount(9) is faster then mutex(9) synchronization (one atomic
   operation instead of two).
2. Those macros are not used now at all, so at some point we may decide
   to remove them entirely.

OK'ed by:	gnn
MFC after:	2 weeks
2006-05-20 15:35:36 +00:00
George V. Neville-Neil
a0196c3c89 First steps towards IPSec cleanup.
Make the kernel side of FAST_IPSEC not depend on the shared
structures defined in /usr/include/net/pfkeyv2.h  The kernel now
defines all the necessary in kernel structures in sys/netipsec/keydb.h
and does the proper massaging when moving messages around.

Sponsored By: Secure Computing
2006-03-25 13:38:52 +00:00
Warner Losh
c398230b64 /* -> /*- for license, minor formatting changes 2005-01-07 01:45:51 +00:00
Sam Leffler
1bfe790716 Remove extraneous SECPOLICY_LOCK_DESTROY calls that cause the mutex to be
destroyed twice.

Submitted by:	Roselyn Lee
2004-10-02 00:19:05 +00:00
Sam Leffler
422e4f5b5b Add missing locking for secpolicy refcnt manipulations.
Submitted by:	Roselyn Lee
2004-09-30 01:08:02 +00:00
Sam Leffler
6f9bd550cc Correct handling of SADB_UPDATE and SADB_ADD requests. key_align may split
the mbuf due to use of m_pulldown.  Discarding the result because of this
does not make sense as no subsequent code depends on the entire msg being
linearized (only the individual pieces).  It's likely something else is wrong
here but for now this appears to get things back to a working state.

Submitted by:	Roselyn Lee
2004-09-26 02:01:27 +00:00
Bruce M Simpson
171ed0933c Fix a paste-o in key_cmpspidx_withmask().
PR:		misc/67013
Submitted by:	Zhenmin <zli4@cs.uiuc.edu>
2004-06-22 17:17:44 +00:00
Sam Leffler
2c5616421b use correct address for SADB_EXT_ADDRESS_DST in key_do_allocsa_policy
(was using src instead of dst)

Submitted by:	Bjoern A. Zeeb
Obtained from:	KAME
MFC after:	1 day
2004-05-03 05:15:53 +00:00
Sam Leffler
9826472d13 correct behaviour of key_getsavbyspi broken in rev 1.7; corrects problems with
removing specific SPIs

Submitted by:	Bjoern A. Zeeb
2004-05-03 05:11:40 +00:00
Sam Leffler
09a6afb586 add support to prefer old SA to new SA during allocation
(makes net.key.preferred_oldsa work as for KAME)

Submitted by:	gabor@sentex.net
Reviewed by:	Bjoern A. Zeeb
MFC after:	1 day
2004-05-03 03:29:21 +00:00
Pawel Jakub Dawidek
2bf11a9911 Unbreak FAST_IPSEC build on 64 bit archs with INVARIANTS.
Approved by:	sam
2004-04-07 00:19:02 +00:00
Guido van Rooij
517dbe6673 Fix type in a sysctl. It used to be: net.key.prefered_oldsa
and is corrected to net.key.preferred_oldsa
This makes it consistent with the KAME IPsec implementation.

Approved by:	sam
2004-02-16 17:09:53 +00:00
Bruce M Simpson
1cfd4b5326 Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.

For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.

Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.

There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.

Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.

This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.

Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.

Sponsored by:	sentex.net
2004-02-11 04:26:04 +00:00
Sam Leffler
9b705967d2 must convert protocol to sa type when preparing a DELETE message
Submitted by:	Roselyn Lee <rosel@verniernetworks.com>
MFC after:	1 week
2004-02-05 23:19:17 +00:00
Sam Leffler
9ffa96777e MFp4: portability work, general cleanup, locking fixes
change 38496
o add ipsec_osdep.h that holds os-specific definitions for portability
o s/KASSERT/IPSEC_ASSERT/ for portability
o s/SPLASSERT/IPSEC_SPLASSERT/ for portability
o remove function names from ASSERT strings since line#+file pinpints
  the location
o use __func__ uniformly to reduce string storage
o convert some random #ifdef DIAGNOSTIC code to assertions
o remove some debuggging assertions no longer needed

change 38498
o replace numerous bogus panic's with equally bogus assertions
  that at least go away on a production system

change 38502 + 38530
o change explicit mtx operations to #defines to simplify
  future changes to a different lock type

change 38531
o hookup ipv4 ctlinput paths to a noop routine; we should be
  handling path mtu changes at least
o correct potential null pointer deref in ipsec4_common_input_cb

chnage 38685
o fix locking for bundled SA's and for when key exchange is required

change 38770
o eliminate recursion on the SAHTREE lock

change 38804
o cleanup some types: long -> time_t
o remove refrence to dead #define

change 38805
o correct some types: long -> time_t
o add scan generation # to secpolicy to deal with locking issues

change 38806
o use LIST_FOREACH_SAFE instead of handrolled code
o change key_flush_spd to drop the sptree lock before purging
  an entry to avoid lock recursion and to avoid holding the lock
  over a long-running operation
o misc cleanups of tangled and twisty code

There is still much to do here but for now things look to be
working again.

Supported by:	FreeBSD Foundation
2003-09-29 22:57:43 +00:00
Sam Leffler
6464079f10 Locking and misc cleanups; most of which I've been running for >4 months:
o add locking
o strip irrelevant spl's
o split malloc types to better account for memory use
o remove unused IPSEC_NONBLOCK_ACQUIRE code
o remove dead code

Sponsored by:	FreeBSD Foundation
2003-09-01 05:35:55 +00:00
Sam Leffler
82a6d6aca5 plug xform memory leaks:
o add missing zeroize op when deleting an SA
o don't re-initialize an xform for an SA that already has one

Submitted by:	Doug Ambrisko <ambrisko@verniernetworks.com>
MFC after:	1 day
2003-06-29 23:58:38 +00:00
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Andrey A. Chernov
24a701b269 Comment out srandom():
1) Already called in init_main.c:proc0_post()
2) Seed is bad
2003-02-05 15:32:24 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Jens Schweikhardt
9d5abbddbf Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,
especially in troff files.
2003-01-01 18:49:04 +00:00
Sam Leffler
88768458d2 "Fast IPsec": this is an experimental IPsec implementation that is derived
from the KAME IPsec implementation, but with heavy borrowing and influence
of openbsd.  A key feature of this implementation is that it uses the kernel
crypto framework to do all crypto work so when h/w crypto support is present
IPsec operation is automatically accelerated.  Otherwise the protocol
implementations are rather differet while the SADB and policy management
code is very similar to KAME (for the moment).

Note that this implementation is enabled with a FAST_IPSEC option.  With this
you get all protocols; i.e. there is no FAST_IPSEC_ESP option.

FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a
single system.

This software is well tested with IPv4 but should be considered very
experimental (i.e. do not deploy in production environments).  This software
does NOT currently support IPv6.  In fact do not configure FAST_IPSEC and
INET6 in the same system.

Obtained from:	KAME + openbsd
Supported by:	Vernier Networks
2002-10-16 02:10:08 +00:00