61 files changed, 798 insertions, 2373 deletions
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc index 4fd0bcdd4693..235144f40e3d 100644 --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc @@ -3592,6 +3592,25 @@ OLD_FILES+=usr/libdata/msdosfs/koi8u2dos  #  - usr/share/tmac/mm/se_locale  #  - var/yp/Makefile +# 20070610: KAME IPSec removal +OLD_FILES+=usr/include/netinet6/ah.h +OLD_FILES+=usr/include/netinet6/ah6.h +OLD_FILES+=usr/include/netinet6/ah_aesxcbcmac.h +OLD_FILES+=usr/include/netinet6/esp.h +OLD_FILES+=usr/include/netinet6/esp6.h +OLD_FILES+=usr/include/netinet6/esp_aesctr.h +OLD_FILES+=usr/include/netinet6/esp_camellia.h +OLD_FILES+=usr/include/netinet6/esp_rijndael.h +OLD_FILES+=usr/include/netinet6/ipsec.h +OLD_FILES+=usr/include/netinet6/ipsec6.h +OLD_FILES+=usr/include/netinet6/ipcomp.h +OLD_FILES+=usr/include/netinet6/ipcomp6.h +OLD_FILES+=usr/include/netkey/key.h +OLD_FILES+=usr/include/netkey/key_debug.h +OLD_FILES+=usr/include/netkey/key_var.h +OLD_FILES+=usr/include/netkey/keydb.h +OLD_FILES+=usr/include/netkey/keysock.h +OLD_DIRS+=usr/include/netkey  # 20070519: GCC 4.2  OLD_LIBS+=usr/lib/libg2c.a  OLD_LIBS+=usr/lib/libg2c.so @@ -22,6 +22,14 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 7.x IS SLOW:  	to maximize performance.  20070701: +	Remove KAME IPsec in favor of FAST_IPSEC, which is now the +	only IPsec supported by FreeBSD.  The new IPsec stack +	supports both IPv4 and IPv6. The kernel option will change +	after the code changes have settled in.  For now the kernel +	option IPSEC is deprecated and FAST_IPSEC is the only option, that +	will change after some settling time. + +20070701:  	The wicontrol(8) utility has been removed from the base system. wi(4)  	cards should be configured using ifconfig(8), see the man page for more  	information. diff --git a/sys/Makefile b/sys/Makefile index 9b20b8c853e4..48c6bf5f92c4 100644 --- a/sys/Makefile +++ b/sys/Makefile 
@@ -10,7 +10,7 @@ SUBDIR=	boot  # Directories to include in cscope name file and TAGS.  CSCOPEDIRS=	bsm cam coda compat conf contrib crypto ddb dev fs geom gnu \  		i4b isa kern libkern modules net net80211 netatalk netatm \ -		netgraph netinet netinet6 netipx netkey netnatm netncp \ +		netgraph netinet netinet6 netipx netnatm netncp \  		netsmb nfs nfsclient nfs4client rpc pccard pci security sys \  		ufs vm ${ARCHDIR} diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 6ff0d7ae5bf0..665145cc7840 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -495,9 +495,9 @@ options 	HWPMC_HOOKS		# Other necessary kernel hooks  #  options 	INET			#Internet communications protocols  options 	INET6			#IPv6 communications protocols -options 	IPSEC			#IP security -options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC) -options 	IPSEC_DEBUG		#debug for IP security +#options 	IPSEC			#IP security +#options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC) +#options 	IPSEC_DEBUG		#debug for IP security  #  # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel  # to be processed by any configured packet filtering (ipfw, ipf). @@ -509,7 +509,7 @@ options 	IPSEC_DEBUG		#debug for IP security  #  #options 	IPSEC_FILTERGIF		#filter ipsec packets from a tunnel -#options 	FAST_IPSEC		#new IPsec (cannot define w/ IPSEC) +options 	FAST_IPSEC		#new IPsec (cannot define w/ IPSEC)  options 	IPX			#IPX/SPX communications protocols diff --git a/sys/conf/files b/sys/conf/files index ff2ac88a1f19..d3b4bb008539 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1829,7 +1829,6 @@ netinet/ip_fw2.c		optional ipfirewall  netinet/ip_fw_pfil.c		optional ipfirewall  netinet/ip_icmp.c		optional inet  netinet/ip_input.c		optional inet -netinet/ip_ipsec.c		optional ipsec  netinet/ip_ipsec.c		optional fast_ipsec  netinet/ip_mroute.c		optional mrouting inet | mrouting inet6  netinet/ip_options.c		optional inet 
@@ -1865,16 +1864,7 @@ netinet/libalias/alias_db.c	optional libalias | netgraph_nat  netinet/libalias/alias_mod.c	optional libalias | netgraph_nat  netinet/libalias/alias_proxy.c	optional libalias | netgraph_nat  netinet/libalias/alias_util.c	optional libalias | netgraph_nat -netinet6/ah_aesxcbcmac.c	optional ipsec -netinet6/ah_core.c		optional ipsec -netinet6/ah_input.c		optional ipsec -netinet6/ah_output.c		optional ipsec  netinet6/dest6.c		optional inet6 -netinet6/esp_aesctr.c		optional ipsec ipsec_esp -netinet6/esp_core.c		optional ipsec ipsec_esp -netinet6/esp_input.c		optional ipsec ipsec_esp -netinet6/esp_output.c		optional ipsec ipsec_esp -netinet6/esp_rijndael.c		optional ipsec ipsec_esp  netinet6/esp_camellia.c		optional ipsec ipsec_esp  netinet6/frag6.c		optional inet6  netinet6/icmp6.c		optional inet6 @@ -1891,10 +1881,7 @@ netinet6/ip6_id.c		optional inet6  netinet6/ip6_input.c		optional inet6  netinet6/ip6_mroute.c		optional mrouting inet6  netinet6/ip6_output.c		optional inet6 -netinet6/ipcomp_core.c		optional ipsec -netinet6/ipcomp_input.c		optional ipsec -netinet6/ipcomp_output.c	optional ipsec -netinet6/ipsec.c		optional ipsec +netinet6/ip6_ipsec.c		optional fast_ipsec  netinet6/mld6.c			optional inet6  netinet6/nd6.c			optional inet6  netinet6/nd6_nbr.c		optional inet6 @@ -1926,10 +1913,6 @@ netipx/ipx_proto.c		optional ipx  netipx/ipx_usrreq.c		optional ipx  netipx/spx_debug.c		optional ipx  netipx/spx_usrreq.c		optional ipx -netkey/key.c			optional ipsec -netkey/key_debug.c		optional ipsec -netkey/keydb.c			optional ipsec -netkey/keysock.c		optional ipsec  netnatm/natm.c			optional natm  netnatm/natm_pcb.c		optional natm  netnatm/natm_proto.c		optional natm diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index e91ac55a96ab..edb7702fdd77 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c 
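Review bot: `netinet6/esp_camellia.c		optional ipsec ipsec_esp` is left in place in the netinet6 hunk while the neighbouring KAME `esp_*.c` entries are removed and `usr/include/netinet6/esp_camellia.h` is added to ObsoleteFiles.inc in this same commit, so the source is presumably gone too. UPDATING in this commit describes `options IPSEC` as deprecated rather than rejected, so a stale config with `IPSEC` and `IPSEC_ESP` would now reference a file that no longer exists. Remove the entry with the others: drop the `netinet6/esp_camellia.c` line from sys/conf/files.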
@@ -73,16 +73,8 @@  #include <netinet6/ip6_var.h>  #endif /* INET6 */ -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#endif /* IPSEC */  #ifdef FAST_IPSEC -#if defined(IPSEC) || defined(IPSEC_ESP) -#error "Bad idea: don't compile with both IPSEC and FAST_IPSEC!" -#endif -  #include <netipsec/ipsec.h>  #include <netipsec/key.h>  #endif /* FAST_IPSEC */ @@ -200,15 +192,12 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)  	mac_create_inpcb_from_socket(so, inp);  	SOCK_UNLOCK(so);  #endif -#if defined(IPSEC) || defined(FAST_IPSEC) +  #ifdef FAST_IPSEC  	error = ipsec_init_policy(so, &inp->inp_sp); -#else -	error = ipsec_init_pcbpolicy(so, &inp->inp_sp); -#endif  	if (error != 0)  		goto out; -#endif /*IPSEC*/ +#endif /*FAST_IPSEC*/  #ifdef INET6  	if (INP_SOCKAF(so) == AF_INET6) {  		inp->inp_vflag |= INP_IPV6PROTO; @@ -226,7 +215,7 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)  	INP_LOCK(inp);  	inp->inp_gencnt = ++pcbinfo->ipi_gencnt; -#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC) +#if defined(FAST_IPSEC) || defined(MAC)  out:  	if (error != 0)  		uma_zfree(pcbinfo->ipi_zone, inp); @@ -535,10 +524,7 @@ in_pcbconnect(struct inpcb *inp, struct sockaddr *nam, struct ucred *cred)  	inp->inp_faddr.s_addr = faddr;  	inp->inp_fport = fport;  	in_pcbrehash(inp); -#ifdef IPSEC -	if (inp->inp_socket->so_type == SOCK_STREAM) -		ipsec_pcbconn(inp->inp_sp); -#endif +  	if (anonport)  		inp->inp_flags |= INP_ANONPORT;  	return (0); @@ -698,9 +684,6 @@ in_pcbdisconnect(struct inpcb *inp)  	inp->inp_faddr.s_addr = INADDR_ANY;  	inp->inp_fport = 0;  	in_pcbrehash(inp); -#ifdef IPSEC -	ipsec_pcbdisconn(inp->inp_sp); -#endif  }  /* 
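Review bot: Dropping the `#error "Bad idea: don't compile with both IPSEC and FAST_IPSEC!"` guard from the include hunk leaves no build-time signal at all for a kernel config that still says `options IPSEC`, which UPDATING in this commit calls deprecated rather than removed; such a kernel now builds with every `#ifdef FAST_IPSEC` block compiled out, so the policy checks (`ipsec_init_policy`, `ipsec4_delete_pcbpolicy` here, `ipsec4_in_reject` in the transport files) are silently absent. A config that used to get IPsec enforcement should fail loudly rather than quietly lose it. Since the option is now the only supported one, a guard before the `#ifdef FAST_IPSEC` block such as `#if defined(IPSEC) && !defined(FAST_IPSEC)` / `#error "options IPSEC is obsolete; use options FAST_IPSEC"` / `#endif` would catch this; better still would be rejecting it where the option is declared in sys/conf/options, which is not in this chunk.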
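Review bot: The in_pcballoc and in_pcbconnect hunks replace the removed `#ifdef IPSEC` blocks with an added empty line (a bare `+`), leaving a stray blank line before `#ifdef FAST_IPSEC` in in_pcballoc and another between `in_pcbrehash(inp);` and `if (anonport)` in in_pcbconnect. The in_pcbdisconnect hunk removes its block cleanly with nothing in its place, and the other two should do the same: drop the two added `+` lines. Both functions begin and end outside their hunks.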
@@ -728,9 +711,9 @@ in_pcbfree(struct inpcb *inp)  	INP_INFO_WLOCK_ASSERT(ipi);  	INP_LOCK_ASSERT(inp); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	ipsec4_delete_pcbpolicy(inp); -#endif /*IPSEC*/ +#endif /*FAST_IPSEC*/  	inp->inp_gencnt = ++ipi->ipi_gencnt;  	in_pcbremlists(inp);  	if (inp->inp_options) diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index 1467b6a6dd04..0ae913f04a18 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -125,7 +125,7 @@ struct inpcb {  	struct	label *inp_label;	/* MAC label */  	int	inp_flags;		/* generic IP/datagram flags */ -	struct	inpcbpolicy *inp_sp;	/* for IPSEC */ +	struct	inpcbpolicy *inp_sp;    /* for IPSEC */  	u_char	inp_vflag;		/* IP version flag (v4/v6) */  #define	INP_IPV4	0x1  #define	INP_IPV6	0x2 diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index dbf96901dfe7..21d741341eae 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -69,15 +69,6 @@  static struct pr_usrreqs nousrreqs; -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netinet6/ah.h> -#ifdef IPSEC_ESP -#include <netinet6/esp.h> -#endif -#include <netinet6/ipcomp.h> -#endif /* IPSEC */ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #endif /* FAST_IPSEC */ 
@@ -219,34 +210,6 @@ struct protosw inetsw[] = {  	.pr_ctloutput =		rip_ctloutput,  	.pr_usrreqs =		&rip_usrreqs  }, -#ifdef IPSEC -{ -	.pr_type =		SOCK_RAW, -	.pr_domain =		&inetdomain, -	.pr_protocol =		IPPROTO_AH, -	.pr_flags =		PR_ATOMIC|PR_ADDR, -	.pr_input =		ah4_input, -	.pr_usrreqs =		&nousrreqs -}, -#ifdef IPSEC_ESP -{ -	.pr_type =		SOCK_RAW, -	.pr_domain =		&inetdomain, -	.pr_protocol =		IPPROTO_ESP, -	.pr_flags =		PR_ATOMIC|PR_ADDR, -	.pr_input =		esp4_input, -	.pr_usrreqs =		&nousrreqs -}, -#endif -{ -	.pr_type =		SOCK_RAW, -	.pr_domain =		&inetdomain, -	.pr_protocol =		IPPROTO_IPCOMP, -	.pr_flags =		PR_ATOMIC|PR_ADDR, -	.pr_input =		ipcomp4_input, -	.pr_usrreqs =		&nousrreqs -}, -#endif /* IPSEC */  #ifdef FAST_IPSEC  {  	.pr_type =		SOCK_RAW, @@ -412,11 +375,7 @@ SYSCTL_NODE(_net_inet, IPPROTO_AH,	ah,	CTLFLAG_RW, 0,	"AH");  SYSCTL_NODE(_net_inet, IPPROTO_ESP,	esp,	CTLFLAG_RW, 0,	"ESP");  SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP,	ipcomp,	CTLFLAG_RW, 0,	"IPCOMP");  SYSCTL_NODE(_net_inet, IPPROTO_IPIP,	ipip,	CTLFLAG_RW, 0,	"IPIP"); -#else -#ifdef IPSEC -SYSCTL_NODE(_net_inet, IPPROTO_AH,	ipsec,	CTLFLAG_RW, 0,	"IPSEC"); -#endif /* IPSEC */ -#endif /* !FAST_IPSEC */ +#endif /* FAST_IPSEC */  SYSCTL_NODE(_net_inet, IPPROTO_RAW,	raw,	CTLFLAG_RW, 0,	"RAW");  #ifdef DEV_PFSYNC  SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC,	pfsync,	CTLFLAG_RW, 0,	"PFSYNC"); diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 1ee19086b291..367d67cafef3 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -93,10 +93,6 @@  #include <altq/if_altq.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif -  #include <netinet/ip6.h>  #include <netinet/icmp6.h>  #ifdef INET6 @@ -3151,9 +3147,6 @@ check_body:  				match = (m_tag_find(m,  				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);  #endif -#ifdef IPSEC -				match = (ipsec_getnhist(m) != 0); -#endif  				/* otherwise no match */  				break; 
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 2ccd6bd7924c..c1a2ae44515c 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -59,15 +59,9 @@  #include <netinet/tcpip.h>  #include <netinet/icmp_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#endif -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/key.h> -#define	IPSEC  #endif  #include <machine/in_cksum.h> @@ -585,7 +579,7 @@ reflect:  		  (struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,  		  (struct sockaddr *)&icmpgw);  		pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc); -#ifdef IPSEC +#ifdef FAST_IPSEC  		key_sa_routechange((struct sockaddr *)&icmpsrc);  #endif  		break; diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 640bce70c865..9a1023040be4 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -70,9 +70,9 @@  #ifdef DEV_CARP  #include <netinet/ip_carp.h>  #endif -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  #include <netinet/ip_ipsec.h> -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  #include <sys/socketvar.h> @@ -391,13 +391,13 @@ tooshort:  		} else  			m_adj(m, ip->ip_len - m->m_pkthdr.len);  	} -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	/*  	 * Bypass packet filtering for packets from a tunnel (gif).  	 */  	if (ip_ipsec_filtergif(m))  		goto passin; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  	/*  	 * Run through list of hooks for input packets. @@ -601,10 +601,10 @@ passin:  		ipstat.ips_cantforward++;  		m_freem(m);  	} else { -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  		if (ip_ipsec_fwd(m))  			goto bad; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  		ip_forward(m, dchg);  	}  	return; 
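Review bot: Removing `#define	IPSEC` from the FAST_IPSEC include block changes the meaning of every remaining `#ifdef IPSEC` in ip_icmp.c, yet the only site visibly converted to `#ifdef FAST_IPSEC` is the `key_sa_routechange` call; any other `IPSEC` conditional outside these hunks now compiles out silently instead of following FAST_IPSEC as it did before. The same alias is dropped from tcp_output.c and tcp_subr.c in this commit, where again only one site each (`ipsec_hdrsiz_tcp` call and definition) is shown converted. I cannot see the rest of those files from the hunks, so this may already be complete; a grep of the three files for remaining `IPSEC` conditionals before merging would settle it.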
@@ -645,7 +645,7 @@ ours:  	 */  	ip->ip_len -= hlen; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	/*  	 * enforce IPsec policy checking if we are seeing last header.  	 * note that we do not visit this with protocols with pcb layer @@ -653,7 +653,7 @@ ours:  	 */  	if (ip_ipsec_input(m))  		goto bad; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  	/*  	 * Switch out to protocol's input routine. @@ -1390,9 +1390,9 @@ ip_forward(struct mbuf *m, int srcrt)  		type = ICMP_UNREACH;  		code = ICMP_UNREACH_NEEDFRAG; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  		mtu = ip_ipsec_mtu(m); -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  		/*  		 * If the MTU wasn't set before use the interface mtu or  		 * fall back to the next smaller mtu step compared to the diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c index 296da693a0be..f240b41bde4f 100644 --- a/sys/netinet/ip_ipsec.c +++ b/sys/netinet/ip_ipsec.c @@ -55,16 +55,6 @@  #include <machine/in_cksum.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#ifdef IPSEC_DEBUG -#include <netkey/key_debug.h> -#else -#define	KEYDEBUG(lev,arg) -#endif -#endif /*IPSEC*/ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/xform.h> @@ -81,13 +71,6 @@ extern	struct protosw inetsw[];  int  ip_ipsec_filtergif(struct mbuf *m)  { -#if defined(IPSEC) && !defined(IPSEC_FILTERGIF) -	/* -	 * Bypass packet filtering for packets from a tunnel (gif). -	 */ -	if (ipsec_getnhist(m)) -		return 1; -#endif  #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)  	/*  	 * Bypass packet filtering for packets from a tunnel (gif). 
@@ -112,17 +95,7 @@ ip_ipsec_fwd(struct mbuf *m)  	struct tdb_ident *tdbi;  	struct secpolicy *sp;  	int s, error; -#endif /* FAST_IPSEC */ -#ifdef IPSEC -	/* -	 * Enforce inbound IPsec SPD. -	 */ -	if (ipsec4_in_reject(m, NULL)) { -		ipsecstat.in_polvio++; -		return 1; -	} -#endif /* IPSEC */ -#ifdef FAST_IPSEC +  	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);  	s = splnet();  	if (mtag != NULL) { @@ -169,20 +142,6 @@ ip_ipsec_input(struct mbuf *m)  	struct tdb_ident *tdbi;  	struct secpolicy *sp;  	int s, error; -#endif /* FAST_IPSEC */ -#ifdef IPSEC -	/* -	 * enforce IPsec policy checking if we are seeing last header. -	 * note that we do not visit this with protocols with pcb layer -	 * code - like udp/tcp/raw ip. -	 */ -	if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 && -	    ipsec4_in_reject(m, NULL)) { -		ipsecstat.in_polvio++; -		return 1; -	} -#endif -#ifdef FAST_IPSEC  	/*  	 * enforce IPsec policy checking if we are seeing last header.  	 * note that we do not visit this with protocols with pcb layer @@ -243,17 +202,10 @@ ip_ipsec_mtu(struct mbuf *m)  	int ipsecerror;  	int ipsechdr;  	struct route *ro; -#ifdef IPSEC -	sp = ipsec4_getpolicybyaddr(m, -				    IPSEC_DIR_OUTBOUND, -				    IP_FORWARDING, -				    &ipsecerror); -#else /* FAST_IPSEC */  	sp = ipsec_getpolicybyaddr(m,  				   IPSEC_DIR_OUTBOUND,  				   IP_FORWARDING,  				   &ipsecerror); -#endif  	if (sp != NULL) {  		/* count IPsec header size */  		ipsechdr = ipsec4_hdrsiz(m, @@ -276,11 +228,7 @@ ip_ipsec_mtu(struct mbuf *m)  				mtu -= ipsechdr;  			}  		} -#ifdef IPSEC -		key_freesp(sp); -#else /* FAST_IPSEC */  		KEY_FREESP(&sp); -#endif  	}  	return mtu;  } 
@@ -296,152 +244,12 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,      struct route **ro, struct route *iproute, struct sockaddr_in **dst,      struct in_ifaddr **ia, struct ifnet **ifp)  { +#ifdef FAST_IPSEC  	struct secpolicy *sp = NULL;  	struct ip *ip = mtod(*m, struct ip *); -#ifdef IPSEC -	struct ipsec_output_state state; -#endif -#ifdef FAST_IPSEC  	struct tdb_ident *tdbi;  	struct m_tag *mtag;  	int s; -#endif /* FAST_IPSEC */ -#ifdef IPSEC -	/* get SP for this packet */ -	if (inp == NULL) -		sp = ipsec4_getpolicybyaddr(*m, IPSEC_DIR_OUTBOUND, -		    *flags, error); -	else -		sp = ipsec4_getpolicybypcb(*m, IPSEC_DIR_OUTBOUND, inp, error); - -	if (sp == NULL) { -		ipsecstat.out_inval++; -		goto bad; -	} - -	/* check policy */ -	switch (sp->policy) { -	case IPSEC_POLICY_DISCARD: -		/* -		 * This packet is just discarded. -		 */ -		ipsecstat.out_polvio++; -		goto bad; - -	case IPSEC_POLICY_BYPASS: -	case IPSEC_POLICY_NONE: -	case IPSEC_POLICY_TCP: -		/* no need to do IPsec. */ -		goto done; -	 -	case IPSEC_POLICY_IPSEC: -		if (sp->req == NULL) { -			/* acquire a policy */ -			*error = key_spdacquire(sp); -			goto bad; -		} -		break; - -	case IPSEC_POLICY_ENTRUST: -	default: -		printf("%s: Invalid policy found. %d\n", __func__, sp->policy); -	} - -	bzero(&state, sizeof(state)); -	state.m = *m; -	if (*flags & IP_ROUTETOIF) { -		state.ro = iproute; -		bzero(iproute, sizeof(iproute)); -	} else -		state.ro = *ro; -	state.dst = (struct sockaddr *)(*dst); - -	ip->ip_sum = 0; - -	/* -	 * XXX -	 * delayed checksums are not currently compatible with IPsec -	 */ -	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { -		in_delayed_cksum(*m); -		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; -	} - -	ip->ip_len = htons(ip->ip_len); -	ip->ip_off = htons(ip->ip_off); - -	*error = ipsec4_output(&state, sp, *flags); - -	*m = state.m; -	if (*flags & IP_ROUTETOIF) { -		/* -		 * if we have tunnel mode SA, we may need to ignore -		 * IP_ROUTETOIF. 
-		 */ -		if (state.ro != iproute || state.ro->ro_rt != NULL) { -			*flags &= ~IP_ROUTETOIF; -			*ro = state.ro; -		} -	} else -		*ro = state.ro; -	*dst = (struct sockaddr_in *)state.dst; -	if (*error != 0) { -		/* mbuf is already reclaimed in ipsec4_output. */ -		*m = NULL; -		switch (*error) { -		case EHOSTUNREACH: -		case ENETUNREACH: -		case EMSGSIZE: -		case ENOBUFS: -		case ENOMEM: -			break; -		default: -			printf("ip4_output (ipsec): error code %d\n", *error); -			/*fall through*/ -		case ENOENT: -			/* don't show these error codes to the user */ -			*error = 0; -			break; -		} -		goto bad; -	} - -	/* be sure to update variables that are affected by ipsec4_output() */ -	if ((*ro)->ro_rt == NULL) { -		if ((*flags & IP_ROUTETOIF) == 0) { -			printf("ip_output: " -				"can't update route after IPsec processing\n"); -			*error = EHOSTUNREACH;	/*XXX*/ -			goto bad; -		} -	} else { -		if (state.encap) { -			*ia = ifatoia((*ro)->ro_rt->rt_ifa); -			*ifp = (*ro)->ro_rt->rt_ifp; -		} -	} -	ip = mtod(*m, struct ip *); - -	/* make it flipped, again. */ -	ip->ip_len = ntohs(ip->ip_len); -	ip->ip_off = ntohs(ip->ip_off); - -done: -	if (sp != NULL) { -		KEYDEBUG(KEYDEBUG_IPSEC_STAMP, -			printf("DP ip_output call free SP:%p\n", sp)); -		key_freesp(sp); -	} -	return 0; -bad: -	if (sp != NULL) { -		KEYDEBUG(KEYDEBUG_IPSEC_STAMP, -			printf("DP ip_output call free SP:%p\n", sp)); -		key_freesp(sp); -	} -	return 1; -#endif /*IPSEC*/ -#ifdef FAST_IPSEC  	/*  	 * Check the security policy (SP) for the packet and, if  	 * required, do IPsec-related processing.  There are two diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 2b800dc35e56..90a21ef28e11 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c 
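Review bot: ip_ipsec_output now opens with `#ifdef FAST_IPSEC` as its first statement, but sys/conf/files in this same commit builds ip_ipsec.c only for `optional fast_ipsec`, so this guard, and the matching ones in ip_ipsec_fwd, ip_ipsec_input and ip_ipsec_mtu, is dead weight that also hides what the function returns when compiled out; the closing `#endif` and any fallback return are outside the hunk. Either drop the per-function guards now that the file has a single build condition, or, if they are kept for the transition, say so once near the top of the file: `/* ip_ipsec.c is built only with FAST_IPSEC (see sys/conf/files); the per-function guards are transitional. */`.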
@@ -59,15 +59,10 @@  #include <netinet/ip_var.h>  #include <netinet/ip_options.h> -#if defined(IPSEC) || defined(FAST_IPSEC) -#include <netinet/ip_ipsec.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif  #ifdef FAST_IPSEC +#include <netinet/ip_ipsec.h>  #include <netipsec/ipsec.h> -#endif -#endif /*IPSEC*/ +#endif /* FAST_IPSEC*/  #include <machine/in_cksum.h> @@ -417,7 +412,7 @@ again:  	}  sendit: -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) {  	case 1:  		goto bad; @@ -430,7 +425,7 @@ sendit:  	/* Update variables that are affected by ipsec4_output(). */  	ip = mtod(m, struct ip *);  	hlen = ip->ip_hl << 2; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  	/* Jump over all PFIL processing if hooks are not active. */  	if (!PFIL_HOOKED(&inet_pfil_hook)) @@ -539,10 +534,6 @@ passout:  				ia->ia_ifa.if_opackets++;  			ia->ia_ifa.if_obytes += m->m_pkthdr.len;  		} -#ifdef IPSEC -		/* clean ipsec history once it goes out of the node */ -		ipsec_delaux(m); -#endif  #ifdef MBUF_STRESS_TEST  		if (mbuf_frag_size && m->m_pkthdr.len > mbuf_frag_size)  			m = m_fragment(m, M_DONTWAIT, mbuf_frag_size); @@ -575,10 +566,6 @@ passout:  	for (; m; m = m0) {  		m0 = m->m_nextpkt;  		m->m_nextpkt = 0; -#ifdef IPSEC -		/* clean ipsec history once it goes out of the node */ -		ipsec_delaux(m); -#endif  		if (error == 0) {  			/* Record statistics for this interface address. */  			if (ia != NULL) { @@ -979,7 +966,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)  			INP_UNLOCK(inp);  			break; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  		case IP_IPSEC_POLICY:  		{  			caddr_t req; @@ -1013,7 +1000,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)  			m_freem(m);  			break;  		} -#endif /*IPSEC*/ +#endif /* FAST_IPSEC */  		default:  			error = ENOPROTOOPT; 
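Review bot: The include hunk closes with `#endif /* FAST_IPSEC*/` (no space before `*/`), while every other `#endif` this commit rewrites in ip_output.c and ip_input.c uses `/* FAST_IPSEC */`. Cosmetic, but these labels are what readers grep for when matching preprocessor blocks; make it `#endif /* FAST_IPSEC */`.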
@@ -1117,7 +1104,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)  			error = inp_getmoptions(inp, sopt);  			break; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  		case IP_IPSEC_POLICY:  		{  			struct mbuf *m = NULL; @@ -1135,7 +1122,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)  				m_freem(m);  			break;  		} -#endif /*IPSEC*/ +#endif /* FAST_IPSEC */  		default:  			error = ENOPROTOOPT; diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 5329c6c2df6f..cd0f64a372b4 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -70,10 +70,6 @@  #include <netipsec/ipsec.h>  #endif /*FAST_IPSEC*/ -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif /*IPSEC*/ -  #include <security/mac/mac_framework.h>  struct	inpcbhead ripcb; @@ -159,16 +155,12 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)  	INP_LOCK_ASSERT(last); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	/* check AH/ESP integrity. */  	if (ipsec4_in_reject(n, last)) {  		policyfail = 1; -#ifdef IPSEC -		ipsecstat.in_polvio++; -#endif /*IPSEC*/ -		/* do not inject data to pcb */  	} -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */  #ifdef MAC  	if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)  		policyfail = 1; diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c index ad2f13687427..a66369b478b5 100644 --- a/sys/netinet/sctp_input.c +++ b/sys/netinet/sctp_input.c @@ -4878,14 +4878,14 @@ sctp_skip_csum_4:  	} else if (stcb == NULL) {  		refcount_up = 1;  	} -#ifdef IPSEC +#ifdef FAST_IPSEC  	/*  	 * I very much doubt any of the IPSEC stuff will work but I have no  	 * idea, so I will leave it in place.  	 */  	if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { -		ipsecstat.in_polvio++; +		ipsec4stat.in_polvio++;  		SCTP_STAT_INCR(sctps_hdrops);  		goto bad;  	} diff --git a/sys/netinet/sctp_os_bsd.h b/sys/netinet/sctp_os_bsd.h index a159e9857cb3..d3d6064981c5 100644 --- a/sys/netinet/sctp_os_bsd.h 
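Review bot: raw_append now rejects the packet under FAST_IPSEC without counting it: the KAME `ipsecstat.in_polvio++` went away with its block and no `ipsec4stat.in_polvio++` replaced it, whereas udp_append, tcp_input and sctp_input in this same commit bump `ipsec4stat.in_polvio++` on the same `ipsec4_in_reject` failure, and raw_ip.c already includes `<netipsec/ipsec.h>` where that counter is declared. Raw sockets would be the one input path where policy violations leave no trace in the IPsec statistics. The `/* do not inject data to pcb */` comment that explained the early flag was also dropped with the block but still applies. Suggest `policyfail = 1;` / `ipsec4stat.in_polvio++;` / `/* do not inject data to pcb */` inside the `if`.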
+++ b/sys/netinet/sctp_os_bsd.h @@ -74,14 +74,14 @@ __FBSDID("$FreeBSD$");  #include <netinet/icmp_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> +#ifdef FAST_IPSEC +#include <netipsec/ipsec.h> +#include <netipsec/key.h>  #endif				/* IPSEC */  #ifdef INET6  #include <sys/domain.h> -#ifdef IPSEC +#ifdef FAST_IPSEC  #include <netinet6/ipsec6.h>  #endif  #include <netinet/ip6.h> diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 6ec0f3011bd5..91d509cc5dd8 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -1807,11 +1807,11 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)  	inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT;  	inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT; -#ifdef IPSEC +#ifdef FAST_IPSEC  	{  		struct inpcbpolicy *pcb_sp = NULL; -		error = ipsec_init_pcbpolicy(so, &pcb_sp); +		error = ipsec_init_policy(so, &pcb_sp);  		/* Arrange to share the policy */  		inp->ip_inp.inp.inp_sp = pcb_sp;  		((struct in6pcb *)(&inp->ip_inp.inp))->in6p_sp = pcb_sp; @@ -1821,7 +1821,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)  		SCTP_INP_INFO_WUNLOCK();  		return error;  	} -#endif				/* IPSEC */ +#endif				/* FAST_IPSEC */  	SCTP_INCR_EP_COUNT();  	inp->ip_inp.inp.inp_ip_ttl = ip_defttl;  	SCTP_INP_INFO_WUNLOCK(); @@ -2833,9 +2833,9 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)  	 */  	cnt = 0;  	if (so) { -#ifdef IPSEC +#ifdef FAST_IPSEC  		ipsec4_delete_pcbpolicy(ip_pcb); -#endif				/* IPSEC */ +#endif				/* FAST_IPSEC */  		/* Unlocks not needed since the socket is gone now */  	} diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c index 39a459eb25ae..446036bcdf0f 100644 --- a/sys/netinet/sctp_usrreq.c +++ b/sys/netinet/sctp_usrreq.c 
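Review bot: The INET6 block now reads `#ifdef FAST_IPSEC` followed by `#include <netinet6/ipsec6.h>`, but that is the KAME header this commit retires (`usr/include/netinet6/ipsec6.h` is added to ObsoleteFiles.inc and the netinet6 IPsec sources leave sys/conf/files), so an INET6 kernel with FAST_IPSEC that pulls in sctp_os_bsd.h would presumably fail on a missing header; tcp_input.c in the same commit uses `<netipsec/ipsec6.h>` for this. Change the include to `#include <netipsec/ipsec6.h>`. The `#endif				/* IPSEC */` closing the first block was also left with its old label; `/* FAST_IPSEC */` is what the sctp_pcb.c hunks use.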
@@ -485,9 +485,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p)  	int error;  	uint32_t vrf_id = SCTP_DEFAULT_VRFID; -#ifdef IPSEC +#ifdef FAST_IPSEC  	uint32_t flags; -  #endif  	inp = (struct sctp_inpcb *)so->so_pcb;  	if (inp != 0) { @@ -509,8 +508,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p)  	ip_inp->inp_vflag |= INP_IPV4;  	ip_inp->inp_ip_ttl = ip_defttl; -#ifdef IPSEC -	error = ipsec_init_pcbpolicy(so, &ip_inp->inp_sp); +#ifdef FAST_IPSEC +	error = ipsec_init_policy(so, &ip_inp->inp_sp);  #ifdef SCTP_LOG_CLOSING  	sctp_log_closing(inp, NULL, 17);  #endif @@ -529,7 +528,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)  		}  		return error;  	} -#endif				/* IPSEC */ +#endif				/* FAST_IPSEC */  	SCTP_INP_WUNLOCK(inp);  	return 0;  } diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 82e36db68d61..9d31c79303f3 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -87,12 +87,6 @@  #include <netipsec/ipsec6.h>  #endif /*FAST_IPSEC*/ -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netinet6/ipsec6.h> -#include <netkey/key.h> -#endif /*IPSEC*/ -  #include <machine/in_cksum.h>  #include <security/mac/mac_framework.h> @@ -451,22 +445,18 @@ findpcb:  						m->m_pkthdr.rcvif);  	} -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  #ifdef INET6  	if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) { -#ifdef IPSEC  		ipsec6stat.in_polvio++; -#endif  		goto dropunlock;  	} else  #endif /* INET6 */  	if (inp != NULL && ipsec4_in_reject(m, inp)) { -#ifdef IPSEC -		ipsecstat.in_polvio++; -#endif +		ipsec4stat.in_polvio++;  		goto dropunlock;  	} -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */  	/*  	 * If the INPCB does not exist then all data in the incoming diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index da3081379129..d80254add52c 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c 
@@ -72,13 +72,8 @@  #include <netinet/tcp_debug.h>  #endif -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif /*IPSEC*/ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h> -#define	IPSEC  #endif /*FAST_IPSEC*/  #include <machine/in_cksum.h> @@ -700,7 +695,7 @@ send:  				offsetof(struct ipoption, ipopt_list);  	else  		ipoptlen = 0; -#ifdef IPSEC +#ifdef FAST_IPSEC  	ipoptlen += ipsec_hdrsiz_tcp(tp);  #endif diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 64c53641360b..589714fc4c78 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -91,14 +91,6 @@  #endif  #include <netinet6/ip6protosw.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#include <netkey/key.h> -#endif /*IPSEC*/ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/xform.h> @@ -106,7 +98,6 @@  #include <netipsec/ipsec6.h>  #endif  #include <netipsec/key.h> -#define	IPSEC  #endif /*FAST_IPSEC*/  #include <machine/in_cksum.h> @@ -1643,7 +1634,7 @@ tcp_maxmtu6(struct in_conninfo *inc, int *flags)  }  #endif /* INET6 */ -#ifdef IPSEC +#ifdef FAST_IPSEC  /* compute ESP/AH header size for TCP, including outer IP header. */  size_t  ipsec_hdrsiz_tcp(struct tcpcb *tp) @@ -1684,7 +1675,7 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp)  	m_free(m);  	return (hdrsiz);  } -#endif /*IPSEC*/ +#endif /* FAST_IPSEC */  /*   * TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 9d1d12d763a6..9e03f32db9e8 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -80,13 +80,6 @@  #include <netinet6/tcp6_var.h>  #endif -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#endif /*IPSEC*/ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #ifdef INET6 
@@ -628,11 +621,6 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)  		inp->inp_lport = 0;  		goto abort;  	} -#ifdef IPSEC -	/* Copy old policy into new socket's. */ -	if (ipsec_copy_pcbpolicy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) -		printf("syncache_socket: could not copy policy\n"); -#endif  #ifdef FAST_IPSEC  	/* Copy old policy into new socket's. */  	if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 04a44348889a..ae03b547968d 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -82,10 +82,6 @@  #include <netipsec/ipsec.h>  #endif -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif -  #include <machine/in_cksum.h>  #include <security/mac/mac_framework.h> @@ -499,16 +495,14 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,  	INP_LOCK_ASSERT(inp); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	/* check AH/ESP integrity. */  	if (ipsec4_in_reject(n, inp)) { -#ifdef IPSEC -		ipsecstat.in_polvio++; -#endif +		ipsec4stat.in_polvio++;  		m_freem(n);  		return;  	} -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */  #ifdef MAC  	if (mac_check_inpcb_deliver(inp, n) != 0) {  		m_freem(n); diff --git a/sys/netinet6/ah.h b/sys/netinet6/ah.h deleted file mode 100644 index 6335208593f1..000000000000 --- a/sys/netinet6/ah.h +++ /dev/null 
@@ -1,94 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: ah.h,v 1.20 2003/08/05 12:21:15 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * RFC1826/2402 authentication header. 
- */ - -#ifndef _NETINET6_AH_H_ -#define _NETINET6_AH_H_ - -#if defined(_KERNEL) && !defined(_LKM) -#include "opt_inet.h" -#endif - -struct ah { -	u_int8_t	ah_nxt;		/* Next Header */ -	u_int8_t	ah_len;		/* Length of data, in 32bit */ -	u_int16_t	ah_reserve;	/* Reserved for future use */ -	u_int32_t	ah_spi;		/* Security parameter index */ -	/* variable size, 32bit bound*/	/* Authentication data */ -}; - -struct newah { -	u_int8_t	ah_nxt;		/* Next Header */ -	u_int8_t	ah_len;		/* Length of data + 1, in 32bit */ -	u_int16_t	ah_reserve;	/* Reserved for future use */ -	u_int32_t	ah_spi;		/* Security parameter index */ -	u_int32_t	ah_seq;		/* Sequence number field */ -	/* variable size, 32bit bound*/	/* Authentication data */ -}; - -#ifdef _KERNEL -struct secasvar; - -struct ah_algorithm_state { -	struct secasvar *sav; -	void* foo;	/* per algorithm data - maybe */ -}; - -struct ah_algorithm { -	int (*sumsiz) __P((struct secasvar *)); -	int (*mature) __P((struct secasvar *)); -	int keymin;	/* in bits */ -	int keymax;	/* in bits */ -	const char *name; -	int (*init) __P((struct ah_algorithm_state *, struct secasvar *)); -	void (*update) __P((struct ah_algorithm_state *, u_int8_t *, size_t)); -	void (*result) __P((struct ah_algorithm_state *, u_int8_t *, size_t)); -}; - -#define	AH_MAXSUMSIZE	(512 / 8) - -extern const struct ah_algorithm *ah_algorithm_lookup __P((int)); - -/* cksum routines */ -extern int ah_hdrlen __P((struct secasvar *)); - -extern size_t ah_hdrsiz __P((struct ipsecrequest *)); -extern void ah4_input __P((struct mbuf *, int)); -extern int ah4_output __P((struct mbuf *, struct ipsecrequest *)); -extern int ah4_calccksum __P((struct mbuf *, u_int8_t *, size_t, -	const struct ah_algorithm *, struct secasvar *)); -#endif /* _KERNEL */ - -#endif /* _NETINET6_AH_H_ */ diff --git a/sys/netinet6/ah6.h b/sys/netinet6/ah6.h deleted file mode 100644 index 0aa98d8cee9e..000000000000 --- a/sys/netinet6/ah6.h +++ /dev/null 
@@ -1,52 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: ah.h,v 1.13 2000/10/18 21:28:00 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * RFC1826/2402 authentication header. 
- */ - -#ifndef _NETINET6_AH6_H_ -#define _NETINET6_AH6_H_ - -#ifdef _KERNEL -struct secasvar; - -extern int ah6_input __P((struct mbuf **, int *, int)); -extern int ah6_output __P((struct mbuf *, u_char *, struct mbuf *, -	struct ipsecrequest *)); -extern int ah6_calccksum __P((struct mbuf *, u_int8_t *, size_t, -	const struct ah_algorithm *, struct secasvar *)); - -extern void ah6_ctlinput __P((int, struct sockaddr *, void *)); -#endif - -#endif /*_NETINET6_AH6_H_*/ diff --git a/sys/netinet6/esp.h b/sys/netinet6/esp.h deleted file mode 100644 index bfeb69f720e4..000000000000 --- a/sys/netinet6/esp.h +++ /dev/null 
@@ -1,109 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: esp.h,v 1.19 2001/09/04 08:43:19 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * RFC1827/2406 Encapsulated Security Payload. 
- */ - -#ifndef _NETINET6_ESP_H_ -#define _NETINET6_ESP_H_ - -#if defined(_KERNEL) && !defined(_LKM) -#include "opt_inet.h" -#endif - -struct esp { -	u_int32_t	esp_spi;	/* ESP */ -	/* variable size, 32bit bound */	/* Initialization Vector */ -	/* variable size */		/* Payload data */ -	/* variable size */		/* padding */ -	/* 8bit */			/* pad size */ -	/* 8bit */			/* next header */ -	/* 8bit */			/* next header */ -	/* variable size, 32bit bound */ /* Authentication data (new IPsec) */ -}; - -struct newesp { -	u_int32_t	esp_spi;	/* ESP */ -	u_int32_t	esp_seq;	/* Sequence number */ -	/* variable size */		/* (IV and) Payload data */ -	/* variable size */		/* padding */ -	/* 8bit */			/* pad size */ -	/* 8bit */			/* next header */ -	/* 8bit */			/* next header */ -	/* variable size, 32bit bound *//* Authentication data */ -}; - -struct esptail { -	u_int8_t	esp_padlen;	/* pad length */ -	u_int8_t	esp_nxt;	/* Next header */ -	/* variable size, 32bit bound *//* Authentication data (new IPsec)*/ -}; - -#ifdef _KERNEL -struct secasvar; - -struct esp_algorithm { -	size_t padbound;	/* pad boundary, in byte */ -	int ivlenval;		/* iv length, in byte */ -	int (*mature) __P((struct secasvar *)); -	int keymin;	/* in bits */ -	int keymax;	/* in bits */ -	size_t (*schedlen) __P((const struct esp_algorithm *)); -	const char *name; -	int (*ivlen) __P((const struct esp_algorithm *, struct secasvar *)); -	int (*decrypt) __P((struct mbuf *, size_t, -		struct secasvar *, const struct esp_algorithm *, int)); -	int (*encrypt) __P((struct mbuf *, size_t, size_t, -		struct secasvar *, const struct esp_algorithm *, int)); -	/* not supposed to be called directly */ -	int (*schedule) __P((const struct esp_algorithm *, struct secasvar *)); -	int (*blockdecrypt) __P((const struct esp_algorithm *, -		struct secasvar *, u_int8_t *, u_int8_t *)); -	int (*blockencrypt) __P((const struct esp_algorithm *, -		struct secasvar *, u_int8_t *, u_int8_t *)); -}; - -extern const struct esp_algorithm 
*esp_algorithm_lookup __P((int)); -extern int esp_max_ivlen __P((void)); - -/* crypt routines */ -extern int esp4_output __P((struct mbuf *, struct ipsecrequest *)); -extern void esp4_input __P((struct mbuf *, int)); -extern size_t esp_hdrsiz __P((struct ipsecrequest *)); - -extern int esp_schedule __P((const struct esp_algorithm *, struct secasvar *)); -extern int esp_auth __P((struct mbuf *, size_t, size_t, -	struct secasvar *, u_char *)); -#endif /* _KERNEL */ - -#endif /* _NETINET6_ESP_H_ */ diff --git a/sys/netinet6/esp6.h b/sys/netinet6/esp6.h deleted file mode 100644 index c995f644ca31..000000000000 --- a/sys/netinet6/esp6.h +++ /dev/null 
@@ -1,48 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: esp.h,v 1.16 2000/10/18 21:28:00 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * RFC1827/2406 Encapsulated Security Payload. 
- */ - -#ifndef _NETINET6_ESP6_H_ -#define _NETINET6_ESP6_H_ - -#ifdef _KERNEL -extern int esp6_output __P((struct mbuf *, u_char *, struct mbuf *, -	struct ipsecrequest *)); -extern int esp6_input __P((struct mbuf **, int *, int)); - -extern void esp6_ctlinput __P((int, struct sockaddr *, void *)); -#endif /*_KERNEL*/ - -#endif /*_NETINET6_ESP6_H_*/ diff --git a/sys/netinet6/esp_aesctr.h b/sys/netinet6/esp_aesctr.h deleted file mode 100644 index f638d6280c56..000000000000 --- a/sys/netinet6/esp_aesctr.h +++ /dev/null 
@@ -1,42 +0,0 @@ -/*	$KAME: esp_aesctr.h,v 1.2 2003/07/20 00:29:38 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD$ - */ - -extern int esp_aesctr_mature __P((struct secasvar *)); -extern size_t esp_aesctr_schedlen __P((const struct esp_algorithm *)); -extern int esp_aesctr_schedule __P((const struct esp_algorithm *, -	struct secasvar *)); -extern int esp_aesctr_decrypt __P((struct mbuf *, size_t, -	struct secasvar *, const struct esp_algorithm *, int)); -extern int esp_aesctr_encrypt __P((struct mbuf *, size_t, size_t, -	struct secasvar *, const struct esp_algorithm *, int)); - diff --git a/sys/netinet6/esp_rijndael.h b/sys/netinet6/esp_rijndael.h deleted file mode 100644 index 680a44a304d8..000000000000 --- a/sys/netinet6/esp_rijndael.h +++ /dev/null 
@@ -1,39 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: esp_rijndael.h,v 1.2 2003/01/20 00:55:27 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -size_t esp_rijndael_schedlen __P((const struct esp_algorithm *)); -int esp_rijndael_schedule __P((const struct esp_algorithm *, -	struct secasvar *)); -int esp_rijndael_blockdecrypt __P((const struct esp_algorithm *, -	struct secasvar *, u_int8_t *, u_int8_t *)); -int esp_rijndael_blockencrypt __P((const struct esp_algorithm *, -	struct secasvar *, u_int8_t *, u_int8_t *)); diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 6c2a0a86ba08..0023c6456f77 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -99,11 +99,6 @@  #include <netinet6/mld6_var.h>  #include <netinet6/nd6.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#endif -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/key.h> @@ -2232,7 +2227,7 @@ icmp6_redirect_input(m, off)  	struct mbuf *m;  	int off;  { -	struct ifnet *ifp = m->m_pkthdr.rcvif; +	struct ifnet *ifp;  	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);  	struct nd_redirect *nd_rd;  	int icmp6len = ntohs(ip6->ip6_plen); @@ -2249,7 +2244,12 @@ icmp6_redirect_input(m, off)  	union nd_opts ndopts;  	char ip6buf[INET6_ADDRSTRLEN]; -	if (!m || !ifp) +	if (!m) +		return; + +	ifp = m->m_pkthdr.rcvif; + +	if (!ifp)  		return;  	/* XXX if we are router, we don't update route by icmp6 redirect */ @@ -2417,9 +2417,9 @@ icmp6_redirect_input(m, off)  	sdst.sin6_len = sizeof(struct sockaddr_in6);  	bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));  	pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	key_sa_routechange((struct sockaddr *)&sdst); -#endif +#endif /* FAST_IPSEC */      }   freeit: diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h index 380b8c3410e9..432938bc4ce1 100644 --- a/sys/netinet6/in6.h +++ b/sys/netinet6/in6.h 
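Review bot: In icmp6_redirect_input() moving the `rcvif` read below the NULL check does not make the `if (!m)` test in the next hunk effective, because the initializers `struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);` and `int icmp6len = ntohs(ip6->ip6_plen);` still dereference `m` in the declarations, before the check runs. Either declare them as `struct ip6_hdr *ip6; int icmp6len;` and assign both right after `if (!m) return;`, or, if no caller can pass a NULL mbuf, drop the `!m` test rather than keep a check that cannot protect anything. The remainder of the function lies outside these hunks.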
@@ -409,9 +409,10 @@ struct route_in6 {  #define IPV6_BINDV6ONLY		IPV6_V6ONLY  #endif -#if 1 /* IPSEC */ +#ifdef FAST_IPSEC   #define IPV6_IPSEC_POLICY	28 /* struct; get/set security policy */ -#endif +#endif /* FAST_IPSEC */ +  #define IPV6_FAITH		29 /* bool; accept FAITH'ed connections */  #if 1 /* IPV6FIREWALL */ diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index 863e53fd1659..bae1a0735b1f 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -99,18 +99,6 @@  #include <netinet6/in6_pcb.h>  #include <netinet6/scope6_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#include <netinet6/ah.h> -#ifdef INET6 -#include <netinet6/ah6.h> -#endif -#include <netkey/key.h> -#endif /* IPSEC */ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/ipsec6.h> @@ -402,10 +390,7 @@ in6_pcbconnect(inp, nam, cred)  		    (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);  	in_pcbrehash(inp); -#ifdef IPSEC -	if (inp->inp_socket->so_type == SOCK_STREAM) -		ipsec_pcbconn(inp->inp_sp); -#endif +  	return (0);  } @@ -422,9 +407,6 @@ in6_pcbdisconnect(inp)  	/* clear flowinfo - draft-itojun-ipv6-flowlabel-api-00 */  	inp->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;  	in_pcbrehash(inp); -#ifdef IPSEC -	ipsec_pcbdisconn(inp->inp_sp); -#endif  }  void @@ -445,10 +427,10 @@ in6_pcbfree(struct inpcb *inp)  	INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo);  	INP_LOCK_ASSERT(inp); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	if (inp->in6p_sp != NULL)  		ipsec6_delete_pcbpolicy(inp); -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  	inp->inp_gencnt = ++ipi->ipi_gencnt;  	in_pcbremlists(inp);   	ip6_freepcbopts(inp->in6p_outputopts); diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index e80cdccaca5c..df208570d049 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c 
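Review bot: Gating `IPV6_IPSEC_POLICY` on `FAST_IPSEC` in netinet6/in6.h changes a userland-visible socket option constant: this header is installed for user programs, which are compiled without kernel option macros, so setsockopt()/getsockopt() users of the policy option lose the definition, and the kernel's own value now depends on the build configuration. Socket option numbers are ABI and should stay unconditional as before; keep `#define IPV6_IPSEC_POLICY 28` outside any kernel-option `#ifdef`, e.g. restore the previous `#if 1 /* IPSEC */` form or drop the guard entirely. The added blank `+` line after the `#endif` is also stray whitespace.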
@@ -103,27 +103,6 @@  #include <netinet6/pim6_var.h>  #include <netinet6/nd6.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#include <netinet6/ah.h> -#ifdef INET6 -#include <netinet6/ah6.h> -#endif -#ifdef IPSEC_ESP -#include <netinet6/esp.h> -#ifdef INET6 -#include <netinet6/esp6.h> -#endif -#endif -#include <netinet6/ipcomp.h> -#ifdef INET6 -#include <netinet6/ipcomp6.h> -#endif -#endif /* IPSEC */ -  #ifdef DEV_CARP  #include <netinet/ip_carp.h>  #endif @@ -137,12 +116,8 @@  #endif /* SCTP */  #ifdef FAST_IPSEC +#include <netipsec/ipsec.h>  #include <netipsec/ipsec6.h> -#define	IPSEC -#define	IPSEC_ESP -#define	ah6_input	ipsec6_common_input -#define	esp6_input	ipsec6_common_input -#define	ipcomp6_input	ipsec6_common_input  #endif /* FAST_IPSEC */  #include <netinet6/ip6protosw.h> @@ -277,35 +252,33 @@ struct ip6protosw inet6sw[] = {  	.pr_input =		frag6_input,  	.pr_usrreqs =		&nousrreqs  }, -#ifdef IPSEC +#ifdef FAST_IPSEC  {  	.pr_type =		SOCK_RAW,  	.pr_domain =		&inet6domain,  	.pr_protocol =		IPPROTO_AH,  	.pr_flags =		PR_ATOMIC|PR_ADDR, -	.pr_input =		ah6_input, +	.pr_input =		ipsec6_common_input,  	.pr_usrreqs =		&nousrreqs,  }, -#ifdef IPSEC_ESP  {  	.pr_type =		SOCK_RAW,  	.pr_domain =		&inet6domain,  	.pr_protocol =		IPPROTO_ESP,  	.pr_flags =		PR_ATOMIC|PR_ADDR, -	.pr_input =		esp6_input, +        .pr_input =		ipsec6_common_input,  	.pr_ctlinput =		esp6_ctlinput,  	.pr_usrreqs =		&nousrreqs,  }, -#endif  {  	.pr_type =		SOCK_RAW,  	.pr_domain =		&inet6domain,  	.pr_protocol =		IPPROTO_IPCOMP,  	.pr_flags =		PR_ATOMIC|PR_ADDR, -	.pr_input =		ipcomp6_input, +        .pr_input =		ipsec6_common_input,  	.pr_usrreqs =		&nousrreqs,  }, -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  #ifdef INET  {  	.pr_type =		SOCK_RAW, 
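Review bot: The two new `.pr_input = ipsec6_common_input,` lines in the ESP and IPCOMP entries of inet6sw[] are indented with eight spaces, while the AH entry and every other field in the table use a tab; change them to a tab to match style(9) and the surrounding code. Otherwise the table change reads correctly — the three protocols now name `ipsec6_common_input` directly instead of going through the `#define` aliases removed in the previous hunk.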
@@ -465,9 +438,9 @@ SYSCTL_NODE(_net_inet6,	IPPROTO_TCP,	tcp6,	CTLFLAG_RW, 0,	"TCP6");  #ifdef SCTP  SYSCTL_NODE(_net_inet6,	IPPROTO_SCTP,	sctp6,	CTLFLAG_RW, 0,	"SCTP6");  #endif -#ifdef IPSEC +#ifdef FAST_IPSEC  SYSCTL_NODE(_net_inet6,	IPPROTO_ESP,	ipsec6,	CTLFLAG_RW, 0,	"IPSEC6"); -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  /* net.inet6.ip6 */  static int diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index ece39b13331b..241c2756fe83 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -65,19 +65,10 @@  #include <netinet/in_pcb.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#include <netkey/key.h> -#endif /* IPSEC */ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/ipsec6.h>  #include <netipsec/key.h> -#define	IPSEC  #endif /* FAST_IPSEC */  #include <netinet6/ip6protosw.h> @@ -110,7 +101,7 @@ ip6_forward(m, srcrt)  	struct ifnet *origifp;	/* maybe unnecessary */  	u_int32_t inzone, outzone;  	struct in6_addr src_in6, dst_in6; -#ifdef IPSEC +#ifdef FAST_IPSEC  	struct secpolicy *sp = NULL;  	int ipsecrt = 0;  #endif @@ -118,7 +109,7 @@ ip6_forward(m, srcrt)  	GIANT_REQUIRED; /* XXX bz: ip6_forward_rt */ -#ifdef IPSEC +#ifdef FAST_IPSEC  	/*  	 * Check AH/ESP integrity.  	 */ @@ -127,13 +118,11 @@ ip6_forward(m, srcrt)  	 * before forwarding packet actually.  	 */  	if (ipsec6_in_reject(m, NULL)) { -#if !defined(FAST_IPSEC)  		ipsec6stat.in_polvio++; -#endif  		m_freem(m);  		return;  	} -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  	/*  	 * Do not forward packets to multicast destination (should be handled 
@@ -186,9 +175,9 @@ ip6_forward(m, srcrt)  	 */  	mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); -#ifdef IPSEC +#ifdef FAST_IPSEC  	/* get a security policy for this packet */ -	sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, +	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,  	    IP_FORWARDING, &error);  	if (sp == NULL) {  		ipsec6stat.out_inval++; @@ -214,7 +203,7 @@ ip6_forward(m, srcrt)  		 */  		ipsec6stat.out_polvio++;  		ip6stat.ip6s_cantforward++; -		key_freesp(sp); +		KEY_FREESP(&sp);  		if (mcopy) {  #if 0  			/* XXX: what icmp ? */ @@ -228,7 +217,7 @@ ip6_forward(m, srcrt)  	case IPSEC_POLICY_BYPASS:  	case IPSEC_POLICY_NONE:  		/* no need to do IPsec. */ -		key_freesp(sp); +		KEY_FREESP(&sp);  		goto skip_ipsec;  	case IPSEC_POLICY_IPSEC: @@ -236,7 +225,7 @@ ip6_forward(m, srcrt)  			/* XXX should be panic ? */  			printf("ip6_forward: No IPsec request specified.\n");  			ip6stat.ip6s_cantforward++; -			key_freesp(sp); +			KEY_FREESP(&sp);  			if (mcopy) {  #if 0  				/* XXX: what icmp ? */ @@ -254,7 +243,7 @@ ip6_forward(m, srcrt)  	default:  		/* should be panic ?? */  		printf("ip6_forward: Invalid policy found. %d\n", sp->policy); -		key_freesp(sp); +		KEY_FREESP(&sp);  		goto skip_ipsec;  	} @@ -301,7 +290,7 @@ ip6_forward(m, srcrt)  	error = ipsec6_output_tunnel(&state, sp, 0);  	m = state.m; -	key_freesp(sp); +	KEY_FREESP(&sp);  	if (error) {  		/* mbuf is already reclaimed in ipsec6_output_tunnel. */ @@ -329,9 +318,18 @@ ip6_forward(m, srcrt)  		}  		m_freem(m);  		return; +	} else { +		/*  +		 * In the FAST IPSec case we have already  +		 * re-injected the packet and it has been freed +		 * by the ipsec_done() function.  So, just clean  +		 * up after ourselves. +		 */ +		m = NULL; +		goto freecopy;  	} -	if (ip6 != mtod(m, struct ip6_hdr *)) { +	if ((m != NULL) && (ip6 != mtod(m, struct ip6_hdr *)) ){  		/*  		 * now tunnel mode headers are added.  we are originating  		 * packet instead of forwarding the packet. 
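Review bot: After the added `else { m = NULL; goto freecopy; }` both arms of the `if (error)` leave the function, so the code that follows — the guarded `if ((m != NULL) && (ip6 != mtod(m, struct ip6_hdr *)))` block that handles tunnel-mode headers and sets `ipsecrt` in the next hunk — becomes unreachable, and the new `m != NULL` test is dead. If the intent is that ipsec6_output_tunnel() now always consumes the packet, that block and the `ipsecrt` plumbing should be removed rather than left behind; if not, the unconditional `goto freecopy` is wrong. The added comment lines also carry trailing whitespace, and the rewritten condition has odd ` ){` spacing. The enclosing function extends beyond this hunk.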
@@ -348,9 +346,9 @@ ip6_forward(m, srcrt)  		ipsecrt = 1;      }      skip_ipsec: -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ -#ifdef IPSEC +#ifdef FAST_IPSEC  	if (ipsecrt)  		goto skip_routing;  #endif @@ -403,7 +401,7 @@ ip6_forward(m, srcrt)  		}  	}  	rt = ip6_forward_rt.ro_rt; -#ifdef IPSEC +#ifdef FAST_IPSEC      skip_routing:;  #endif @@ -431,7 +429,7 @@ ip6_forward(m, srcrt)  		return;  	}  	if (inzone != outzone -#ifdef IPSEC +#ifdef FAST_IPSEC  	    && !ipsecrt  #endif  	    ) { @@ -477,14 +475,14 @@ ip6_forward(m, srcrt)  		in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);  		if (mcopy) {  			u_long mtu; -#ifdef IPSEC +#ifdef FAST_IPSEC  			struct secpolicy *sp;  			int ipsecerror;  			size_t ipsechdrsiz; -#endif +#endif /* FAST_IPSEC */  			mtu = IN6_LINKMTU(rt->rt_ifp); -#ifdef IPSEC +#ifdef FAST_IPSEC  			/*  			 * When we do IPsec tunnel ingress, we need to play  			 * with the link value (decrement IPsec header size @@ -492,7 +490,7 @@ ip6_forward(m, srcrt)  			 * case, as we have the outgoing interface for  			 * encapsulated packet as "rt->rt_ifp".  			 */ -			sp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND, +			sp = ipsec_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,  				IP_FORWARDING, &ipsecerror);  			if (sp) {  				ipsechdrsiz = ipsec6_hdrsiz(mcopy, @@ -507,7 +505,7 @@ ip6_forward(m, srcrt)  			 */  			if (mtu < IPV6_MMTU)  				mtu = IPV6_MMTU; -#endif +#endif /* FAST_IPSEC */  			icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);  		}  		m_freem(m); @@ -527,9 +525,9 @@ ip6_forward(m, srcrt)  	 * modified by a redirect.  	 */  	if (ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt && -#ifdef IPSEC +#ifdef FAST_IPSEC  	    !ipsecrt && -#endif +#endif /* FAST_IPSEC */  	    (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {  		if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {  			/* diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index aa604bd78841..96e78505a4ad 100644 --- a/sys/netinet6/ip6_input.c 
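Review bot: The policy obtained in the too-big path with `ipsec_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &ipsecerror)` is a referenced object, yet no matching `KEY_FREESP(&sp)` is visible in this hunk, whereas every other `ipsec_getpolicybyaddr()` result in this file is released with `KEY_FREESP(&sp)` by this commit. The hunk ends before the `if (sp) { ... }` block closes, so the release may be just beyond it; if it is not, each PACKET_TOO_BIG path leaks a policy reference, and a `KEY_FREESP(&sp);` should follow the `ipsec6_hdrsiz()` adjustment inside that block.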
+++ b/sys/netinet6/ip6_input.c @@ -101,17 +101,10 @@  #include <netinet6/in6_ifattach.h>  #include <netinet6/nd6.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#endif -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h> +#include <netinet6/ip6_ipsec.h>  #include <netipsec/ipsec6.h> -#define	IPSEC  #endif /* FAST_IPSEC */  #include <netinet6/ip6protosw.h> @@ -230,16 +223,18 @@ ip6_input(m)  	int srcrt = 0;  	GIANT_REQUIRED;			/* XXX for now */ -#ifdef IPSEC + +#ifdef FAST_IPSEC  	/*  	 * should the inner packet be considered authentic?  	 * see comment in ah4_input(). +	 * NB: m cannot be NULL when passed to the input routine  	 */ -	if (m) { -		m->m_flags &= ~M_AUTHIPHDR; -		m->m_flags &= ~M_AUTHIPDGM; -	} -#endif + +	m->m_flags &= ~M_AUTHIPHDR; +	m->m_flags &= ~M_AUTHIPDGM; + +#endif /* FAST_IPSEC */  	/*  	 * make sure we don't have onion peering information into m_tag. @@ -766,18 +761,15 @@ passin:  			goto bad;  		} -#ifdef IPSEC +#ifdef FAST_IPSEC  		/*  		 * enforce IPsec policy checking if we are seeing last header.  		 * note that we do not visit this with protocols with pcb layer  		 * code - like udp/tcp/raw ip.  		 */ -		if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && -		    ipsec6_in_reject(m, NULL)) { -			ipsec6stat.in_polvio++; +		if (ip6_ipsec_input(m, nxt))  			goto bad; -		} -#endif +#endif /* FAST_IPSEC */  		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);  	}  	return; diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c new file mode 100644 index 000000000000..f1c529faa085 --- /dev/null +++ b/sys/netinet6/ip6_ipsec.c 
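Review bot: The comment kept in this hunk still says `see comment in ah4_input().`, but this commit removes the KAME AH implementation (the `ah4_input` declaration lives in the deleted netinet6/ah.h), so the reference now points at code that no longer exists. Replace it with a reference to where `M_AUTHIPHDR`/`M_AUTHIPDGM` are set in the netipsec input path, or state the rationale in place. The two added blank lines around the `#ifdef FAST_IPSEC` block are also unnecessary.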
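Review bot: The new `if (ip6_ipsec_input(m, nxt)) goto bad;` relies on an ownership contract that is not documented anywhere visible: the `bad` path presumably frees `m`, so ip6_ipsec_input() must not free the mbuf when it reports a rejection, and it must preserve the `PR_LASTHDR` test that the removed lines performed, since the comment above still describes that condition. Document this on the helper's declaration in netinet6/ip6_ipsec.h with something like `/* Returns non-zero if the packet must be dropped; the mbuf is never consumed. */`, and confirm the implementation matches; its definition is not in the visible part of ip6_ipsec.c.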
@@ -0,0 +1,369 @@ +/*- + * Copyright (c) 1982, 1986, 1988, 1993 + *      The Regents of the University of California.  All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *    notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *    notice, this list of conditions and the following disclaimer in the + *    documentation and/or other materials provided with the distribution. + * 4. Neither the name of the University nor the names of its contributors + *    may be used to endorse or promote products derived from this software + *    without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include "opt_ipsec.h" + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/kernel.h> +#include <sys/mac.h> +#include <sys/malloc.h> +#include <sys/mbuf.h> +#include <sys/protosw.h> +#include <sys/socket.h> +#include <sys/socketvar.h> +#include <sys/sysctl.h> + +#include <net/if.h> +#include <net/route.h> + +#include <netinet/in.h> +#include <netinet/in_systm.h> +#include <netinet/in_var.h> +#include <netinet/ip.h> +#include <netinet/in_pcb.h> +#include <netinet/ip_var.h> +#include <netinet/ip_options.h> + +#include <machine/in_cksum.h> + +#ifdef FAST_IPSEC +#include <netipsec/ipsec.h> +#include <netipsec/ipsec6.h> +#include <netipsec/xform.h> +#include <netipsec/key.h> +#ifdef IPSEC_DEBUG +#include <netipsec/key_debug.h> +#else +#define	KEYDEBUG(lev,arg) +#endif +#endif /*FAST_IPSEC*/ + +#include <netinet6/ip6_ipsec.h> + +extern	struct protosw inet6sw[]; + +/* + * Check if we have to jump over firewall processing for this packet. + * Called from ip_input(). + * 1 = jump over firewall, 0 = packet goes through firewall. + */ +int +ip6_ipsec_filtergif(struct mbuf *m) +{ +#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) +	/* +	 * Bypass packet filtering for packets from a tunnel (gif). +	 */ +	if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) +		return 1; +#endif +	return 0; +} + +/* + * Check if this packet has an active SA and needs to be dropped instead + * of forwarded. + * Called from ip_input(). + * 1 = drop packet, 0 = forward packet. 
+ */ +int +ip6_ipsec_fwd(struct mbuf *m) +{ +#ifdef FAST_IPSEC +	struct m_tag *mtag; +	struct tdb_ident *tdbi; +	struct secpolicy *sp; +	int s, error; +	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); +	s = splnet(); +	if (mtag != NULL) { +		tdbi = (struct tdb_ident *)(mtag + 1); +		sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); +	} else { +		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, +					   IP_FORWARDING, &error);    +	} +	if (sp == NULL) {	/* NB: can happen if error */ +		splx(s); +		/*XXX error stat???*/ +		DPRINTF(("ip_input: no SP for forwarding\n"));	/*XXX*/ +		return 1; +	} + +	/* +	 * Check security policy against packet attributes. +	 */ +	error = ipsec_in_reject(sp, m); +	KEY_FREESP(&sp); +	splx(s); +	if (error) { +		ipstat.ips_cantforward++; +		return 1; +	} +#endif /* FAST_IPSEC */ +	return 0; +} + +/* + * Check if protocol type doesn't have a further header and do IPSEC + * decryption or reject right now.  Protocols with further headers get + * their IPSEC treatment within the protocol specific processing. + * Called from ip_input(). + * 1 = drop packet, 0 = continue processing packet. + */ +int +ip6_ipsec_input(struct mbuf *m, int nxt) + +{ +#ifdef FAST_IPSEC +	struct m_tag *mtag; +	struct tdb_ident *tdbi; +	struct secpolicy *sp; +	int s, error; +	/* +	 * enforce IPsec policy checking if we are seeing last header. +	 * note that we do not visit this with protocols with pcb layer +	 * code - like udp/tcp/raw ip. +	 */ +	if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && +	    ipsec6_in_reject(m, NULL)) { + +		/* +		 * Check if the packet has already had IPsec processing +		 * done.  If so, then just pass it along.  This tag gets +		 * set during AH, ESP, etc. input handling, before the +		 * packet is returned to the ip input queue for delivery. 
+		 */  +		mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); +		s = splnet(); +		if (mtag != NULL) { +			tdbi = (struct tdb_ident *)(mtag + 1); +			sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); +		} else { +			sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, +						   IP_FORWARDING, &error);    +		} +		if (sp != NULL) { +			/* +			 * Check security policy against packet attributes. +			 */ +			error = ipsec_in_reject(sp, m); +			KEY_FREESP(&sp); +		} else { +			/* XXX error stat??? */ +			error = EINVAL; +			DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ +			return 1; +		} +		splx(s); +		if (error) +			return 1; +	} +#endif /* FAST_IPSEC */ +	return 0; +} + +/* + * Called from ip6_output(). + * 1 = drop packet, 0 = continue processing packet, + * -1 = packet was reinjected and stop processing packet (FAST_IPSEC only) + */  + +int +ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, +		 struct ifnet **ifp, struct secpolicy **sp) +{ +#ifdef FAST_IPSEC +	struct tdb_ident *tdbi; +	struct m_tag *mtag; +	int s; +	if (sp == NULL) +		return 1; +	mtag = m_tag_find(*m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); +	if (mtag != NULL) { +		tdbi = (struct tdb_ident *)(mtag + 1); +		*sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND); +		if (*sp == NULL) +			*error = -EINVAL;	/* force silent drop */ +		m_tag_delete(*m, mtag); +	} else { +		*sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, +					error, inp); +	} + +	/* +	 * There are four return cases: +	 *    sp != NULL	 	    apply IPsec policy +	 *    sp == NULL, error == 0	    no IPsec handling needed +	 *    sp == NULL, error == -EINVAL  discard packet w/o error +	 *    sp == NULL, error != 0	    discard packet, report error +	 */ +	if (*sp != NULL) { +		/* Loop detection, check if ipsec processing already done */ +		KASSERT((*sp)->req != NULL, ("ip_output: no ipsec request")); +		for (mtag = m_tag_first(*m); mtag != NULL; +		     mtag = m_tag_next(*m, mtag)) { +			if (mtag->m_tag_cookie != 
MTAG_ABI_COMPAT) +				continue; +			if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE && +			    mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED) +				continue; +			/* +			 * Check if policy has an SA associated with it. +			 * This can happen when an SP has yet to acquire +			 * an SA; e.g. on first reference.  If it occurs, +			 * then we let ipsec4_process_packet do its thing. +			 */ +			if ((*sp)->req->sav == NULL) +				break; +			tdbi = (struct tdb_ident *)(mtag + 1); +			if (tdbi->spi == (*sp)->req->sav->spi && +			    tdbi->proto == (*sp)->req->sav->sah->saidx.proto && +			    bcmp(&tdbi->dst, &(*sp)->req->sav->sah->saidx.dst, +				 sizeof (union sockaddr_union)) == 0) { +				/* +				 * No IPsec processing is needed, free +				 * reference to SP. +				 * +				 * NB: null pointer to avoid free at +				 *     done: below. +				 */ +				KEY_FREESP(sp), sp = NULL; +				splx(s); +				goto done; +			} +		} + +		/* +		 * Do delayed checksums now because we send before +		 * this is done in the normal processing path. +		 */ +		if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { +			in_delayed_cksum(*m); +			(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; +		} + +		/* +		 * Preserve KAME behaviour: ENOENT can be returned +		 * when an SA acquire is in progress.  Don't propagate +		 * this to user-level; it confuses applications. +		 * +		 * XXX this will go away when the SADB is redone. +		 */ +		if (*error == ENOENT) +			*error = 0; +		goto do_ipsec; +	} else {	/* sp == NULL */ +		if (*error != 0) { +			/* +			 * Hack: -EINVAL is used to signal that a packet +			 * should be silently discarded.  This is typically +			 * because we asked key management for an SA and +			 * it was delayed (e.g. kicked up to IKE). +			 */ +			if (*error == -EINVAL) +				*error = 0; +			goto bad; +		} else { +			/* No IPsec processing for this packet. 
*/ +		} +	} +done: +	if (sp != NULL) +		if (*sp != NULL) +			KEY_FREESP(sp); +	return 0; +do_ipsec: +	return -1; +bad: +	if (sp != NULL) +		if (*sp != NULL) +			KEY_FREESP(sp); +	return 1; +#endif /* FAST_IPSEC */ +	return 0; +} + +/* + * Compute the MTU for a forwarded packet that gets IPSEC encapsulated. + * Called from ip_forward(). + * Returns MTU suggestion for ICMP needfrag reply. + */ +int +ip6_ipsec_mtu(struct mbuf *m) +{ +	int mtu = 0; +	/* +	 * If the packet is routed over IPsec tunnel, tell the +	 * originator the tunnel MTU. +	 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz +	 * XXX quickhack!!! +	 */ +	struct secpolicy *sp = NULL; +	int ipsecerror; +	int ipsechdr; +	struct route *ro; +#ifdef FAST_IPSEC +	sp = ipsec_getpolicybyaddr(m, +				   IPSEC_DIR_OUTBOUND, +				   IP_FORWARDING, +				   &ipsecerror); +#endif /* FAST_IPSEC */ +	if (sp != NULL) { +		/* count IPsec header size */ +		ipsechdr = ipsec4_hdrsiz(m, +					 IPSEC_DIR_OUTBOUND, +					 NULL); + +		/* +		 * find the correct route for outer IPv4 +		 * header, compute tunnel MTU. +		 */ +		if (sp->req != NULL && +		    sp->req->sav != NULL && +		    sp->req->sav->sah != NULL) { +			ro = &sp->req->sav->sah->sa_route; +			if (ro->ro_rt && ro->ro_rt->rt_ifp) { +				mtu = +				    ro->ro_rt->rt_rmx.rmx_mtu ? +				    ro->ro_rt->rt_rmx.rmx_mtu : +				    ro->ro_rt->rt_ifp->if_mtu; +				mtu -= ipsechdr; +			} +		} +#ifdef FAST_IPSEC +		KEY_FREESP(&sp); +#endif /* FAST_IPSEC */ +	} +	return mtu; +} + diff --git a/sys/netinet6/ah_aesxcbcmac.h b/sys/netinet6/ip6_ipsec.h index 8874f24515a0..c3ff8c06b534 100644 --- a/sys/netinet6/ah_aesxcbcmac.h +++ b/sys/netinet6/ip6_ipsec.h 
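Review bot: In ip6_ipsec_output the loop-detection exit does `KEY_FREESP(sp), sp = NULL; splx(s);` although `s` is declared (`int s;`) and never assigned anywhere in that function — there is no matching `splnet()` — so an indeterminate value is read; drop both `int s;` and the `splx(s);`. The mirror problem is in ip6_ipsec_input, where the `sp == NULL` branch does `return 1;` after `s = splnet();` without `splx(s)`, unlike ip6_ipsec_fwd which releases before returning; add `splx(s);` before that `return 1;`. ip6_ipsec_input also decides the reject twice: `ipsec6_in_reject(m, NULL)` already evaluates the policy, then the tag/address lookup and `ipsec_in_reject(sp, m)` repeat it, so one path is redundant and the real drop counter is missing in both. Several IPv4 leftovers survive the copy from the IPv4 helper: "Called from ip_input()" in the block comments, the `DPRINTF(("ip_input: ...` and `KASSERT(..., ("ip_output: ...` texts, `ipstat.ips_cantforward++` in ip6_ipsec_fwd, and `ipsec4_hdrsiz` plus the "outer IPv4 header" comment in ip6_ipsec_mtu (ip6_forward.c in this same commit uses `ipsec6_hdrsiz`), and `ipsec4_checkpolicy` in ip6_ipsec_output deserves a comment stating that it is address-family agnostic if that is the intent.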
@@ -1,8 +1,6 @@ -/*	$KAME: ah_aesxcbcmac.h,v 1.3 2003/07/20 18:01:20 itojun Exp $	*/ -  /*- - * Copyright (C) 1995, 1996, 1997, 1998 and 2003 WIDE Project. - * All rights reserved. + * Copyright (c) 1982, 1986, 1988, 1993 + *      The Regents of the University of California.  All rights reserved.   *   * Redistribution and use in source and binary forms, with or without   * modification, are permitted provided that the following conditions @@ -12,14 +10,14 @@   * 2. Redistributions in binary form must reproduce the above copyright   *    notice, this list of conditions and the following disclaimer in the   *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors + * 4. Neither the name of the University nor the names of its contributors   *    may be used to endorse or promote products derived from this software   *    without specific prior written permission.   * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND   * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE   * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL   * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS   * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
@@ -31,10 +29,13 @@   * $FreeBSD$   */ -extern int ah_aes_xcbc_mac_init __P((struct ah_algorithm_state *, -	struct secasvar *)); -extern void ah_aes_xcbc_mac_loop __P((struct ah_algorithm_state *, u_int8_t *, -	size_t)); -extern void ah_aes_xcbc_mac_result __P((struct ah_algorithm_state *, -	u_int8_t *, size_t)); +#ifndef _NETINET_IP6_IPSEC_H_ +#define _NETINET_IP6_IPSEC_H_ +int	ip6_ipsec_filtergif(struct mbuf *); +int	ip6_ipsec_fwd(struct mbuf *); +int	ip6_ipsec_input(struct mbuf *, int); +int	ip6_ipsec_mtu(struct mbuf *); +int	ip6_ipsec_output(struct mbuf **, struct inpcb *, int *, int *, +			 struct ifnet **, struct secpolicy **sp); +#endif diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 9175e104947c..b08862adab70 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -91,18 +91,11 @@  #include <netinet/tcp_var.h>  #include <netinet6/nd6.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#include <netkey/key.h> -#endif /* IPSEC */ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/ipsec6.h>  #include <netipsec/key.h> +#include <netinet6/ip6_ipsec.h>  #endif /* FAST_IPSEC */  #include <netinet6/ip6protosw.h> 
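Review bot: The prototypes in ip6_ipsec.h use `struct mbuf`, `struct inpcb`, `struct ifnet` and `struct secpolicy` with no prior declaration, so a translation unit that includes this header before the netipsec headers gets prototype-scoped incomplete types (GCC warns "declared inside parameter list") and the declarations then do not match the definitions; add `struct ifnet; struct inpcb; struct mbuf; struct secpolicy;` above the prototypes so the header stands on its own. The guard `_NETINET_IP6_IPSEC_H_` also departs from the directory's naming (the deleted ipcomp.h uses `_NETINET6_IPCOMP_H_`) and the closing `#endif` lacks the `/* _NETINET6_IP6_IPSEC_H_ */` comment the neighbouring headers carry.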
@@ -139,6 +132,42 @@ static int copypktopts __P((struct ip6_pktopts *, struct ip6_pktopts *, int));  /* + * Make an extension header from option data.  hp is the source, and + * mp is the destination. + */ +#define MAKE_EXTHDR(hp, mp)						\ +    do {								\ +	if (hp) {							\ +		struct ip6_ext *eh = (struct ip6_ext *)(hp);		\ +		error = ip6_copyexthdr((mp), (caddr_t)(hp),		\ +		    ((eh)->ip6e_len + 1) << 3);				\ +		if (error)						\ +			goto freehdrs;					\ +	}								\ +    } while (/*CONSTCOND*/ 0) + +/* + * Form a chain of extension headers.  + * m is the extension header mbuf + * mp is the previous mbuf in the chain + * p is the next header + * i is the type of option. + */ +#define MAKE_CHAIN(m, mp, p, i)\ +    do {\ +	if (m) {\ +		if (!hdrsplit) \ +			panic("assumption failed: hdr not split"); \ +		*mtod((m), u_char *) = *(p);\ +		*(p) = (i);\ +		p = mtod((m), u_char *);\ +		(m)->m_next = (mp)->m_next;\ +		(mp)->m_next = (m);\ +		(mp) = (m);\ +	}\ +    } while (/*CONSTCOND*/ 0) + +/*   * IP6 output. The packet in mbuf chain m contains a skeletal IP6   * header (with pri, len, nxt, hlim, src, dst).   * This function may modify ver and hlim only. @@ -162,6 +191,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)  	struct ip6_hdr *ip6, *mhip6;  	struct ifnet *ifp, *origifp;  	struct mbuf *m = m0; +	struct mbuf *mprev = NULL;  	int hlen, tlen, len, off;  	struct route_in6 ip6route;  	struct rtentry *rt = NULL; 
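Review bot: MAKE_EXTHDR and MAKE_CHAIN are now file-scope macros but still silently bind `error`, the `freehdrs` label and `hdrsplit` from whatever function expands them, and the new block comments do not say so; add a line such as `Requires an int error, an int hdrsplit and a freehdrs: label in the expanding function.` to each comment so they are not expanded from another function by accident. The inconsistent backslash alignment between the two macros is cosmetic but worth normalising while they are being moved.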
@@ -178,25 +208,22 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)  	struct route_in6 *ro_pmtu = NULL;  	int hdrsplit = 0;  	int needipsec = 0; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC +	struct ipsec_output_state state; +	struct ip6_rthdr *rh = NULL;  	int needipsectun = 0; +	int segleft_org = 0;  	struct secpolicy *sp = NULL; -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */  	ip6 = mtod(m, struct ip6_hdr *); +	if (ip6 == NULL) { +		printf ("ip6 is NULL"); +		goto bad; +	} +		  	finaldst = ip6->ip6_dst; -#define MAKE_EXTHDR(hp, mp)						\ -    do {								\ -	if (hp) {							\ -		struct ip6_ext *eh = (struct ip6_ext *)(hp);		\ -		error = ip6_copyexthdr((mp), (caddr_t)(hp),		\ -		    ((eh)->ip6e_len + 1) << 3);				\ -		if (error)						\ -			goto freehdrs;					\ -	}								\ -    } while (/*CONSTCOND*/ 0) -  	bzero(&exthdrs, sizeof(exthdrs));  	if (opt) { @@ -206,7 +233,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)  		if (opt->ip6po_rthdr) {  			/*  			 * Destination options header(1st part) -			 * This only makes sence with a routing header. +			 * This only makes sense with a routing header.  			 * See Section 9.2 of RFC 3542.  			 * Disabling this part just for MIP6 convenience is  			 * a bad idea.  We need to think carefully about a 
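Review bot: The new `if (ip6 == NULL)` test after `ip6 = mtod(m, struct ip6_hdr *);` cannot fire for a valid mbuf: `mtod()` only casts `m->m_data`, which is never NULL for an allocated mbuf, and if `m` itself were NULL the macro would already have dereferenced it on the previous line. The block is dead code, and its `printf ("ip6 is NULL")` has neither a function name nor a trailing newline; either remove it or replace it with `KASSERT(m != NULL, ("ip6_output: NULL mbuf"));` placed before the `mtod()`. The hunk also adds a whitespace-only line (`+\t\t`) right after this block. ip6_output's body continues beyond this hunk.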
@@ -222,90 +249,20 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)  		MAKE_EXTHDR(opt->ip6po_dest2, &exthdrs.ip6e_dest2);  	} -#ifdef IPSEC -	/* get a security policy for this packet */ -	if (inp == NULL) -		sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error); -	else -		sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error); - -	if (sp == NULL) { -		ipsec6stat.out_inval++; -		goto freehdrs; -	} - -	error = 0; - -	/* check policy */ -	switch (sp->policy) { -	case IPSEC_POLICY_DISCARD: -		/* -		 * This packet is just discarded. -		 */ -		ipsec6stat.out_polvio++; -		goto freehdrs; - -	case IPSEC_POLICY_BYPASS: -	case IPSEC_POLICY_NONE: -		/* no need to do IPsec. */ -		needipsec = 0; -		break; - -	case IPSEC_POLICY_IPSEC: -		if (sp->req == NULL) { -			/* acquire a policy */ -			error = key_spdacquire(sp); -			goto freehdrs; -		} -		needipsec = 1; -		break; - -	case IPSEC_POLICY_ENTRUST: -	default: -		printf("ip6_output: Invalid policy found. %d\n", sp->policy); -	} -#endif /* IPSEC */ +	/*  +	 * IPSec checking which handles several cases. +	 * FAST IPSEC: We re-injected the packet. +	 */  #ifdef FAST_IPSEC -	/* get a security policy for this packet */ -	if (inp == NULL) -		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error); -	else -		sp = ipsec_getpolicybysock(m, IPSEC_DIR_OUTBOUND, inp, &error); - -	if (sp == NULL) { -		newipsecstat.ips_out_inval++; -		goto freehdrs; -	} - -	error = 0; - -	/* check policy */ -	switch (sp->policy) { -	case IPSEC_POLICY_DISCARD: -		/* -		 * This packet is just discarded. -		 */ -		newipsecstat.ips_out_polvio++; +	switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp)) +	{ +	case 1:                 /* Bad packet */  		goto freehdrs; - -	case IPSEC_POLICY_BYPASS: -	case IPSEC_POLICY_NONE: -		/* no need to do IPsec. 
*/ -		needipsec = 0; -		break; - -	case IPSEC_POLICY_IPSEC: -		if (sp->req == NULL) { -			/* acquire a policy */ -			error = key_spdacquire(sp); -			goto freehdrs; -		} -		needipsec = 1; -		break; - -	case IPSEC_POLICY_ENTRUST: +	case -1:                /* Do IPSec */ +		needipsec = 1;   +	case 0:                 /* No IPSec */  	default: -		printf("ip6_output: Invalid policy found. %d\n", sp->policy); +		break;  	}  #endif /* FAST_IPSEC */ @@ -314,12 +271,17 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)  	 * Keep the length of the unfragmentable part for fragmentation.  	 */  	optlen = 0; -	if (exthdrs.ip6e_hbh) optlen += exthdrs.ip6e_hbh->m_len; -	if (exthdrs.ip6e_dest1) optlen += exthdrs.ip6e_dest1->m_len; -	if (exthdrs.ip6e_rthdr) optlen += exthdrs.ip6e_rthdr->m_len; +	if (exthdrs.ip6e_hbh)  +		optlen += exthdrs.ip6e_hbh->m_len; +	if (exthdrs.ip6e_dest1)  +		optlen += exthdrs.ip6e_dest1->m_len; +	if (exthdrs.ip6e_rthdr)  +		optlen += exthdrs.ip6e_rthdr->m_len;  	unfragpartlen = optlen + sizeof(struct ip6_hdr); +  	/* NOTE: we don't add AH/ESP length here. do that later. */ -	if (exthdrs.ip6e_dest2) optlen += exthdrs.ip6e_dest2->m_len; +	if (exthdrs.ip6e_dest2)  +		optlen += exthdrs.ip6e_dest2->m_len;  	/*  	 * If we need IPsec, or there is at least one extension header, 
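Review bot: In the new `switch (ip6_ipsec_output(...))`, `case -1:` sets `needipsec = 1;` and then falls into `case 0:`/`default:` with no `/* FALLTHROUGH */` marker, which this file uses consistently elsewhere (e.g. in the error switch after ipsec6_output_trans). The replacement also drops the `newipsecstat.ips_out_inval++` and `newipsecstat.ips_out_polvio++` accounting the removed block did, so outbound packets discarded by policy are no longer counted anywhere visible in this diff; ip6_ipsec_output should bump the appropriate counter wherever it returns 1. Note as well that for the `-EINVAL` silent-drop case the helper resets `*error` to 0 before returning 1, so `case 1: goto freehdrs;` ends with ip6_output returning success for a dropped packet — deliberate, but it deserves a comment at this switch. ip6_output's body continues beyond this hunk.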
@@ -369,106 +331,94 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)  	 * during the header composing process, "m" points to IPv6 header.  	 * "mprev" points to an extension header prior to esp.  	 */ -	{ -		u_char *nexthdrp = &ip6->ip6_nxt; -		struct mbuf *mprev = m; - -		/* -		 * we treat dest2 specially.  this makes IPsec processing -		 * much easier.  the goal here is to make mprev point the -		 * mbuf prior to dest2. -		 * -		 * result: IPv6 dest2 payload -		 * m and mprev will point to IPv6 header. -		 */ -		if (exthdrs.ip6e_dest2) { -			if (!hdrsplit) -				panic("assumption failed: hdr not split"); -			exthdrs.ip6e_dest2->m_next = m->m_next; -			m->m_next = exthdrs.ip6e_dest2; -			*mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt; -			ip6->ip6_nxt = IPPROTO_DSTOPTS; -		} - -#define MAKE_CHAIN(m, mp, p, i)\ -    do {\ -	if (m) {\ -		if (!hdrsplit) \ -			panic("assumption failed: hdr not split"); \ -		*mtod((m), u_char *) = *(p);\ -		*(p) = (i);\ -		p = mtod((m), u_char *);\ -		(m)->m_next = (mp)->m_next;\ -		(mp)->m_next = (m);\ -		(mp) = (m);\ -	}\ -    } while (/*CONSTCOND*/ 0) -		/* -		 * result: IPv6 hbh dest1 rthdr dest2 payload -		 * m will point to IPv6 header.  mprev will point to the -		 * extension header prior to dest2 (rthdr in the above case). -		 */ -		MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS); -		MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp, -		    IPPROTO_DSTOPTS); -		MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp, -		    IPPROTO_ROUTING); - -#if defined(IPSEC) || defined(FAST_IPSEC) -		if (!needipsec) -			goto skip_ipsec2; - -		/* -		 * pointers after IPsec headers are not valid any more. -		 * other pointers need a great care too. 
-		 * (IPsec routines should not mangle mbufs prior to AH/ESP) -		 */ -		exthdrs.ip6e_dest2 = NULL; - -	    { -		struct ip6_rthdr *rh = NULL; -		int segleft_org = 0; -		struct ipsec_output_state state; - -		if (exthdrs.ip6e_rthdr) { -			rh = mtod(exthdrs.ip6e_rthdr, struct ip6_rthdr *); -			segleft_org = rh->ip6r_segleft; -			rh->ip6r_segleft = 0; -		} - -		bzero(&state, sizeof(state)); -		state.m = m; -		error = ipsec6_output_trans(&state, nexthdrp, mprev, sp, flags, -		    &needipsectun); -		m = state.m; -		if (error) { -			/* mbuf is already reclaimed in ipsec6_output_trans. */ -			m = NULL; -			switch (error) { -			case EHOSTUNREACH: -			case ENETUNREACH: -			case EMSGSIZE: -			case ENOBUFS: -			case ENOMEM: -				break; -			default: -				printf("ip6_output (ipsec): error code %d\n", error); -				/* FALLTHROUGH */ -			case ENOENT: -				/* don't show these error codes to the user */ -				error = 0; -				break; -			} -			goto bad; -		} -		if (exthdrs.ip6e_rthdr) { -			/* ah6_output doesn't modify mbuf chain */ -			rh->ip6r_segleft = segleft_org; +	u_char *nexthdrp = &ip6->ip6_nxt; +	mprev = m; +	 +	/* +	 * we treat dest2 specially.  this makes IPsec processing +	 * much easier.  the goal here is to make mprev point the +	 * mbuf prior to dest2. +	 * +	 * result: IPv6 dest2 payload +	 * m and mprev will point to IPv6 header. +	 */ +	if (exthdrs.ip6e_dest2) { +		if (!hdrsplit) +			panic("assumption failed: hdr not split"); +		exthdrs.ip6e_dest2->m_next = m->m_next; +		m->m_next = exthdrs.ip6e_dest2; +		*mtod(exthdrs.ip6e_dest2, u_char *) = ip6->ip6_nxt; +		ip6->ip6_nxt = IPPROTO_DSTOPTS; +	} +	 +	/* +	 * result: IPv6 hbh dest1 rthdr dest2 payload +	 * m will point to IPv6 header.  mprev will point to the +	 * extension header prior to dest2 (rthdr in the above case). 
+	 */ +	MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS); +	MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp, +		   IPPROTO_DSTOPTS); +	MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp, +		   IPPROTO_ROUTING); +	 +#ifdef FAST_IPSEC +	if (!needipsec) +		goto skip_ipsec2; +	 +	/* +	 * pointers after IPsec headers are not valid any more. +	 * other pointers need a great care too. +	 * (IPsec routines should not mangle mbufs prior to AH/ESP) +	 */ +	exthdrs.ip6e_dest2 = NULL; +	 +	if (exthdrs.ip6e_rthdr) { +		rh = mtod(exthdrs.ip6e_rthdr, struct ip6_rthdr *); +		segleft_org = rh->ip6r_segleft; +		rh->ip6r_segleft = 0; +	} +	 +	bzero(&state, sizeof(state)); +	state.m = m; +	error = ipsec6_output_trans(&state, nexthdrp, mprev, sp, flags, +				    &needipsectun); +	m = state.m; +	if (error) { +		/* mbuf is already reclaimed in ipsec6_output_trans. */ +		m = NULL; +		switch (error) { +		case EHOSTUNREACH: +		case ENETUNREACH: +		case EMSGSIZE: +		case ENOBUFS: +		case ENOMEM: +			break; +		default: +			printf("ip6_output (ipsec): error code %d\n", error); +			/* FALLTHROUGH */ +		case ENOENT: +			/* don't show these error codes to the user */ +			error = 0; +			break;  		} -	    } -skip_ipsec2:; -#endif +		goto bad; +	} else if (!needipsectun) { +		/*  +		 * In the FAST IPSec case we have already  +		 * re-injected the packet and it has been freed +		 * by the ipsec_done() function.  So, just clean  +		 * up after ourselves. +		 */		 +		m = NULL; +		goto done; +	}	 +	if (exthdrs.ip6e_rthdr) { +		/* ah6_output doesn't modify mbuf chain */ +		rh->ip6r_segleft = segleft_org;  	} +skip_ipsec2:; +#endif /* FAST_IPSEC */  	/*  	 * If there is a routing header, replace the destination address field 
@@ -572,7 +522,13 @@ again:  			ip6->ip6_hlim = ip6_defmcasthlim;  	} -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC +	/* +	 * Same as similar comment above.   +	 * We only want to do regular IPSEC here and leave this pure +	 * in the case that we're using FAST_IPSEC which uses +	 * this code to re-inject packets. +	 */  	if (needipsec && needipsectun) {  		struct ipsec_output_state state; @@ -617,11 +573,20 @@ again:  				break;  			}  			goto bad; +		} else { +			/*  +			 * In the FAST IPSec case we have already  +			 * re-injected the packet and it has been freed +			 * by the ipsec_done() function.  So, just clean  +			 * up after ourselves. +			 */ +			m = NULL; +			goto done;  		}  		exthdrs.ip6e_ip6 = m;  	} -#endif /* IPSEC */ +#endif /* FAST_IPSEC */  	/* adjust pointer */  	ip6 = mtod(m, struct ip6_hdr *); @@ -965,10 +930,6 @@ passout:  			ia6->ia_ifa.if_opackets++;  			ia6->ia_ifa.if_obytes += m->m_pkthdr.len;  		} -#ifdef IPSEC -		/* clean ipsec history once it goes out of the node */ -		ipsec_delaux(m); -#endif  		error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);  		goto done;  	} @@ -991,10 +952,7 @@ passout:  		struct ip6_frag *ip6f;  		u_int32_t id = htonl(ip6_randomid());  		u_char nextproto; -#if 0 -		struct ip6ctlparam ip6cp; -		u_int32_t mtu32; -#endif +  		int qslots = ifp->if_snd.ifq_maxlen - ifp->if_snd.ifq_len;  		/* 
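Review bot: The comment added before `if (needipsec && needipsectun)` still contrasts "regular IPSEC" with FAST_IPSEC, a distinction this very commit removes, so it will mislead the next reader; replace it with something like `/* Tunnel mode: ipsec6_output_tunnel() re-injects and frees the packet on success (see the else branch below), so there is nothing further to send here. */`. In the same hunk the new `else { m = NULL; goto done; }` after the `if (error) { ... goto bad; }` makes the following `exthdrs.ip6e_ip6 = m;` unreachable as far as the hunk shows; either delete that assignment or explain why it is kept. ip6_output continues outside this hunk.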
@@ -1006,25 +964,6 @@ passout:  		if (mtu > IPV6_MAXPACKET)  			mtu = IPV6_MAXPACKET; -#if 0 -		/* -		 * It is believed this code is a leftover from the -		 * development of the IPV6_RECVPATHMTU sockopt and  -		 * associated work to implement RFC3542. -		 * It's not entirely clear what the intent of the API -		 * is at this point, so disable this code for now. -		 * The IPV6_RECVPATHMTU sockopt and/or IPV6_DONTFRAG -		 * will send notifications if the application requests. -		 */ - -		/* Notify a proper path MTU to applications. */ -		mtu32 = (u_int32_t)mtu; -		bzero(&ip6cp, sizeof(ip6cp)); -		ip6cp.ip6c_cmdarg = (void *)&mtu32; -		pfctlinput2(PRC_MSGSIZE, (struct sockaddr *)&ro_pmtu->ro_dst, -		    (void *)&ip6cp); -#endif -  		len = (mtu - hlen - sizeof(struct ip6_frag)) & ~7;  		if (len < 8) {  			error = EMSGSIZE; @@ -1130,10 +1069,6 @@ sendorfree:   				ia->ia_ifa.if_opackets++;   				ia->ia_ifa.if_obytes += m->m_pkthdr.len;   			} -#ifdef IPSEC -			/* clean ipsec history once it goes out of the node */ -			ipsec_delaux(m); -#endif  			error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);  		} else  			m_freem(m); @@ -1149,15 +1084,6 @@ done:  		RTFREE(ro_pmtu->ro_rt);  	} -#ifdef IPSEC -	if (sp != NULL) -		key_freesp(sp); -#endif /* IPSEC */ -#ifdef FAST_IPSEC -	if (sp != NULL) -		KEY_FREESP(&sp); -#endif /* FAST_IPSEC */ -  	return (error);  freehdrs: @@ -1167,7 +1093,8 @@ freehdrs:  	m_freem(exthdrs.ip6e_dest2);  	/* FALLTHROUGH */  bad: -	m_freem(m); +	if (m) +		m_freem(m);  	goto done;  } @@ -1847,7 +1774,7 @@ do { \  				}  				break; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  			case IPV6_IPSEC_POLICY:  			    {  				caddr_t req = NULL; @@ -1867,7 +1794,7 @@ do { \  				m_freem(m);  			    }  				break; -#endif /* KAME IPSEC */ +#endif /* FAST_IPSEC */  			default:  				error = ENOPROTOOPT; 
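Review bot: The `done:` hunk removes the `KEY_FREESP(&sp)` release, yet `sp` is still filled in by `ip6_ipsec_output(..., &sp)` earlier in this function and, on its `-1` return, is passed to `ipsec6_output_trans()`/`ipsec6_output_tunnel()` with the reference still held; nothing visible in this diff drops that reference on the IPsec path. Unless those routines are documented to consume the SP reference, this is a policy refcount leak that pins SPD entries indefinitely — please confirm, or restore `if (sp != NULL) KEY_FREESP(&sp);` at `done:`. Separately, the new `if (m) m_freem(m);` at `bad:` is redundant because `m_freem()` already accepts NULL, so the original unguarded call can stay. ip6_output spans several hunks here and its start is outside this one.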
@@ -2064,7 +1991,7 @@ do { \  			    }  				break; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  			case IPV6_IPSEC_POLICY:  			  {  				caddr_t req = NULL; @@ -2093,7 +2020,7 @@ do { \  					m_freem(m);  				break;  			  } -#endif /* KAME IPSEC */ +#endif /* FAST_IPSEC */  			default:  				error = ENOPROTOOPT; @@ -2449,7 +2376,7 @@ copypktopts(dst, src, canwait)  	if (src->ip6po_pktinfo) {  		dst->ip6po_pktinfo = malloc(sizeof(*dst->ip6po_pktinfo),  		    M_IP6OPT, canwait); -		if (dst->ip6po_pktinfo == NULL && canwait == M_NOWAIT) +		if (dst->ip6po_pktinfo == NULL)  			goto bad;  		*dst->ip6po_pktinfo = *src->ip6po_pktinfo;  	} @@ -2487,7 +2414,7 @@ ip6_copypktopts(src, canwait)  	struct ip6_pktopts *dst;  	dst = malloc(sizeof(*dst), M_IP6OPT, canwait); -	if (dst == NULL && canwait == M_NOWAIT) +	if (dst == NULL)  		return (NULL);  	ip6_initpktopts(dst); diff --git a/sys/netinet6/ipcomp.h b/sys/netinet6/ipcomp.h deleted file mode 100644 index 943cd36c1525..000000000000 --- a/sys/netinet6/ipcomp.h +++ /dev/null 
@@ -1,71 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: ipcomp.h,v 1.11 2001/09/04 08:43:19 itojun Exp $	*/ - -/*- - * Copyright (C) 1999 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * RFC2393 IP payload compression protocol (IPComp). 
- */ - -#ifndef _NETINET6_IPCOMP_H_ -#define _NETINET6_IPCOMP_H_ - -#if defined(_KERNEL) && !defined(_LKM) -#include "opt_inet.h" -#endif - -struct ipcomp { -	u_int8_t comp_nxt;	/* Next Header */ -	u_int8_t comp_flags;	/* reserved, must be zero */ -	u_int16_t comp_cpi;	/* Compression parameter index */ -}; - -/* well-known algorithm number (in CPI), from RFC2409 */ -#define IPCOMP_OUI	1	/* vendor specific */ -#define IPCOMP_DEFLATE	2	/* RFC2394 */ -#define IPCOMP_LZS	3	/* RFC2395 */ -#define IPCOMP_MAX	4 - -#define IPCOMP_CPI_NEGOTIATE_MIN	256 - -#ifdef _KERNEL -struct ipcomp_algorithm { -	int (*compress) __P((struct mbuf *, struct mbuf *, size_t *)); -	int (*decompress) __P((struct mbuf *, struct mbuf *, size_t *)); -	size_t minplen;		/* minimum required length for compression */ -}; - -struct ipsecrequest; -extern const struct ipcomp_algorithm *ipcomp_algorithm_lookup __P((int)); -extern void ipcomp4_input __P((struct mbuf *, int)); -extern int ipcomp4_output __P((struct mbuf *, struct ipsecrequest *)); -#endif /* KERNEL */ - -#endif /* _NETINET6_IPCOMP_H_ */ diff --git a/sys/netinet6/ipsec.h b/sys/netinet6/ipsec.h deleted file mode 100644 index 7b677aefb98f..000000000000 --- a/sys/netinet6/ipsec.h +++ /dev/null 
@@ -1,388 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: ipsec.h,v 1.69 2003/09/10 23:49:11 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * IPsec controller part. 
- */ - -#ifndef _NETINET6_IPSEC_H_ -#define _NETINET6_IPSEC_H_ - -#if defined(_KERNEL) && !defined(_LKM) && !defined(KLD_MODULE) -#include "opt_inet.h" -#include "opt_ipsec.h" -#endif - -#include <net/pfkeyv2.h> -#include <netkey/keydb.h> - -#ifdef _KERNEL - -/* - * Security Policy Index - * Ensure that both address families in the "src" and "dst" are same. - * When the value of the ul_proto is ICMPv6, the port field in "src" - * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code. - */ -struct secpolicyindex { -	struct sockaddr_storage src;	/* IP src address for SP */ -	struct sockaddr_storage dst;	/* IP dst address for SP */ -	u_int8_t prefs;			/* prefix length in bits for src */ -	u_int8_t prefd;			/* prefix length in bits for dst */ -	u_int16_t ul_proto;		/* upper layer Protocol */ -#ifdef notyet -	uid_t uids; -	uid_t uidd; -	gid_t gids; -	gid_t gidd; -#endif -}; - -/* Security Policy Data Base */ -struct secpolicy { -	TAILQ_ENTRY(secpolicy) tailq;	/* all SPD entries, both pcb/table */ -	LIST_ENTRY(secpolicy) chain;	/* SPD entries on table */ - -	u_int8_t dir;			/* direction of packet flow */ -	int readonly;			/* write prohibited */ -	int persist;			/* will never be removed */ -	int refcnt;			/* reference count */ -	struct secpolicyindex *spidx;	/* selector - NULL if not valid */ -	u_int32_t id;			/* it identifies a policy in the SPD. */ -#define IPSEC_MANUAL_POLICYID_MAX	0x3fff -				/* -				 * 1 - 0x3fff are reserved for user operation. -				 * 0 are reserved.  Others are for kernel use. -				 */ -	struct socket *so;		/* backpointer to per-socket policy */ -	u_int state;			/* 0: dead, others: alive */ -#define IPSEC_SPSTATE_DEAD	0 -#define IPSEC_SPSTATE_ALIVE	1 - -	int policy;		/* DISCARD, NONE or IPSEC, see below */ -	struct ipsecrequest *req; -				/* pointer to the ipsec request tree, */ -				/* if policy == IPSEC else this value == NULL.*/ - -	/* -	 * lifetime handler. 
-	 * the policy can be used without limitiation if both lifetime and -	 * validtime are zero. -	 * "lifetime" is passed by sadb_lifetime.sadb_lifetime_addtime. -	 * "validtime" is passed by sadb_lifetime.sadb_lifetime_usetime. -	 */ -	long created;		/* time created the policy */ -	long lastused;		/* updated every when kernel sends a packet */ -	long lifetime;		/* duration of the lifetime of this policy */ -	long validtime;		/* duration this policy is valid without use */ -}; - -/* Request for IPsec */ -struct ifnet; -struct ipsecrequest { -	struct ipsecrequest *next; -				/* pointer to next structure */ -				/* If NULL, it means the end of chain. */ -	struct secasindex saidx;/* hint for search proper SA */ -				/* if __ss_len == 0 then no address specified.*/ -	u_int level;		/* IPsec level defined below. */ - -	struct secasvar *sav;	/* place holder of SA for use */ -	struct secpolicy *sp;	/* back pointer to SP */ - -	struct ifnet *tunifp;	/* interface for tunnelling */ -}; - -/* security policy in PCB */ -struct inpcbpolicy { -	struct secpolicy *sp_in; -	struct secpolicy *sp_out; -	int priv;			/* privileged socket ? */ - -	/* cached policy */ -	/* XXX 3 == IPSEC_DIR_MAX */ -	struct secpolicy *cache[3]; -	struct secpolicyindex cacheidx[3]; -	int cachegen[3]; 	/* cache generation #, the time we filled it */ -	int cacheflags; -#define IPSEC_PCBSP_CONNECTED	1 -}; - -/* SP acquiring list table. */ -struct secspacq { -	LIST_ENTRY(secspacq) chain; - -	struct secpolicyindex spidx; - -	long created;		/* for lifetime */ -	int count;		/* for lifetime */ -	/* XXX: here is mbuf place holder to be sent ? */ -}; - -struct ipsecaux { -	int hdrs;	/* # of ipsec headers */ -}; -#endif /* _KERNEL */ - -/* according to IANA assignment, port 0x0000 and proto 0xff are reserved. */ -#define IPSEC_PORT_ANY		0 -#define IPSEC_ULPROTO_ANY	255 -#define IPSEC_PROTO_ANY		255 - -/* mode of security protocol */ -/* NOTE: DON'T use IPSEC_MODE_ANY at SPD.  
It's only use in SAD */ -#define	IPSEC_MODE_ANY		0	/* i.e. wildcard. */ -#define	IPSEC_MODE_TRANSPORT	1 -#define	IPSEC_MODE_TUNNEL	2 -#define	IPSEC_MODE_TCPMD5	3	/* TCP MD5 mode */ - -/* - * Direction of security policy. - * NOTE: Since INVALID is used just as flag. - * The other are used for loop counter too. - */ -#define IPSEC_DIR_ANY		0 -#define IPSEC_DIR_INBOUND	1 -#define IPSEC_DIR_OUTBOUND	2 -#define IPSEC_DIR_MAX		3 -#define IPSEC_DIR_INVALID	4 - -/* Policy level */ -/* - * IPSEC, ENTRUST and BYPASS are allowed for setsockopt() in PCB, - * DISCARD, IPSEC and NONE are allowed for setkey() in SPD. - * DISCARD and NONE are allowed for system default. - */ -#define IPSEC_POLICY_DISCARD	0	/* discard the packet */ -#define IPSEC_POLICY_NONE	1	/* bypass IPsec engine */ -#define IPSEC_POLICY_IPSEC	2	/* pass to IPsec */ -#define IPSEC_POLICY_ENTRUST	3	/* consulting SPD if present. */ -#define IPSEC_POLICY_BYPASS	4	/* only for privileged socket. */ -#define IPSEC_POLICY_TCP	5	/* TCP MD5 policy */ - -/* Security protocol level */ -#define	IPSEC_LEVEL_DEFAULT	0	/* reference to system default */ -#define	IPSEC_LEVEL_USE		1	/* use SA if present. */ -#define	IPSEC_LEVEL_REQUIRE	2	/* require SA. */ -#define	IPSEC_LEVEL_UNIQUE	3	/* unique SA. */ - -#define IPSEC_MANUAL_REQID_MAX	0x3fff -				/* -				 * if security policy level == unique, this id -				 * indicate to a relative SA for use, else is -				 * zero. -				 * 1 - 0x3fff are reserved for manual keying. -				 * 0 are reserved for above reason.  Others is -				 * for kernel use. -				 * Note that this id doesn't identify SA -				 * by only itself. 
-				 */ -#define IPSEC_REPLAYWSIZE  32 - -/* statistics for ipsec processing */ -struct ipsecstat { -	u_quad_t in_success;  /* succeeded inbound process */ -	u_quad_t in_polvio; -			/* security policy violation for inbound process */ -	u_quad_t in_nosa;     /* inbound SA is unavailable */ -	u_quad_t in_inval;    /* inbound processing failed due to EINVAL */ -	u_quad_t in_nomem;    /* inbound processing failed due to ENOBUFS */ -	u_quad_t in_badspi;   /* failed getting a SPI */ -	u_quad_t in_ahreplay; /* AH replay check failed */ -	u_quad_t in_espreplay; /* ESP replay check failed */ -	u_quad_t in_ahauthsucc; /* AH authentication success */ -	u_quad_t in_ahauthfail; /* AH authentication failure */ -	u_quad_t in_espauthsucc; /* ESP authentication success */ -	u_quad_t in_espauthfail; /* ESP authentication failure */ -	u_quad_t in_esphist[256]; -	u_quad_t in_ahhist[256]; -	u_quad_t in_comphist[256]; -	u_quad_t out_success; /* succeeded outbound process */ -	u_quad_t out_polvio; -			/* security policy violation for outbound process */ -	u_quad_t out_nosa;    /* outbound SA is unavailable */ -	u_quad_t out_inval;   /* outbound process failed due to EINVAL */ -	u_quad_t out_nomem;    /* inbound processing failed due to ENOBUFS */ -	u_quad_t out_noroute; /* there is no route */ -	u_quad_t out_esphist[256]; -	u_quad_t out_ahhist[256]; -	u_quad_t out_comphist[256]; - -	u_quad_t spdcachelookup; -	u_quad_t spdcachemiss; -}; - -/* - * Definitions for IPsec & Key sysctl operations. 
- */ -/* - * Names for IPsec & Key sysctl objects - */ -#define IPSECCTL_STATS			1	/* stats */ -#define IPSECCTL_DEF_POLICY		2 -#define IPSECCTL_DEF_ESP_TRANSLEV	3	/* int; ESP transport mode */ -#define IPSECCTL_DEF_ESP_NETLEV		4	/* int; ESP tunnel mode */ -#define IPSECCTL_DEF_AH_TRANSLEV	5	/* int; AH transport mode */ -#define IPSECCTL_DEF_AH_NETLEV		6	/* int; AH tunnel mode */ -#if 0	/* obsolete, do not reuse */ -#define IPSECCTL_INBOUND_CALL_IKE	7 -#endif -#define	IPSECCTL_AH_CLEARTOS		8 -#define	IPSECCTL_AH_OFFSETMASK		9 -#define	IPSECCTL_DFBIT			10 -#define	IPSECCTL_ECN			11 -#define	IPSECCTL_DEBUG			12 -#define	IPSECCTL_ESP_RANDPAD		13 -#define IPSECCTL_MAXID			14 - -#define IPSECCTL_NAMES { \ -	{ 0, 0 }, \ -	{ 0, 0 }, \ -	{ "def_policy", CTLTYPE_INT }, \ -	{ "esp_trans_deflev", CTLTYPE_INT }, \ -	{ "esp_net_deflev", CTLTYPE_INT }, \ -	{ "ah_trans_deflev", CTLTYPE_INT }, \ -	{ "ah_net_deflev", CTLTYPE_INT }, \ -	{ 0, 0 }, \ -	{ "ah_cleartos", CTLTYPE_INT }, \ -	{ "ah_offsetmask", CTLTYPE_INT }, \ -	{ "dfbit", CTLTYPE_INT }, \ -	{ "ecn", CTLTYPE_INT }, \ -	{ "debug", CTLTYPE_INT }, \ -	{ "esp_randpad", CTLTYPE_INT }, \ -} - -#define IPSEC6CTL_NAMES { \ -	{ 0, 0 }, \ -	{ 0, 0 }, \ -	{ "def_policy", CTLTYPE_INT }, \ -	{ "esp_trans_deflev", CTLTYPE_INT }, \ -	{ "esp_net_deflev", CTLTYPE_INT }, \ -	{ "ah_trans_deflev", CTLTYPE_INT }, \ -	{ "ah_net_deflev", CTLTYPE_INT }, \ -	{ 0, 0 }, \ -	{ 0, 0 }, \ -	{ 0, 0 }, \ -	{ 0, 0 }, \ -	{ "ecn", CTLTYPE_INT }, \ -	{ "debug", CTLTYPE_INT }, \ -	{ "esp_randpad", CTLTYPE_INT }, \ -} - -#ifdef _KERNEL -struct ipsec_output_state { -	struct mbuf *m; -	struct route *ro; -	struct sockaddr *dst; -	int encap; -}; - -struct ipsec_history { -	int ih_proto; -	u_int32_t ih_spi; -}; - -extern int ipsec_debug; - -#ifdef INET -extern struct ipsecstat ipsecstat; -extern struct secpolicy *ip4_def_policy; -extern int ip4_esp_trans_deflev; -extern int ip4_esp_net_deflev; -extern int ip4_ah_trans_deflev; -extern int ip4_ah_net_deflev; 
-extern int ip4_ah_cleartos; -extern int ip4_ah_offsetmask; -extern int ip4_ipsec_dfbit; -extern int ip4_ipsec_ecn; -extern int ip4_esp_randpad; -#endif - -#define ipseclog(x)	do { if (ipsec_debug) log x; } while (/*CONSTCOND*/ 0) - -extern int ipsec_pcbconn __P((struct inpcbpolicy *)); -extern int ipsec_pcbdisconn __P((struct inpcbpolicy *)); -extern int ipsec_invalpcbcacheall __P((void)); - -struct inpcb; -extern struct secpolicy *ipsec4_getpolicybypcb -	__P((struct mbuf *, u_int, struct inpcb *, int *)); -extern struct secpolicy *ipsec4_getpolicybyaddr -	__P((struct mbuf *, u_int, int, int *)); - -extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **)); -extern int ipsec_copy_pcbpolicy -	__P((struct inpcbpolicy *, struct inpcbpolicy *)); -extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *, int)); - -extern int ipsec4_set_policy __P((struct inpcb *, int, caddr_t, size_t, int)); -extern int ipsec4_get_policy __P((struct inpcb *, caddr_t, size_t, -	struct mbuf **)); -extern int ipsec4_delete_pcbpolicy __P((struct inpcb *)); -extern int ipsec4_in_reject __P((struct mbuf *, struct inpcb *)); - -struct secas; -struct tcpcb; -struct tcp6cb; -extern int ipsec_chkreplay __P((u_int32_t, struct secasvar *)); -extern int ipsec_updatereplay __P((u_int32_t, struct secasvar *)); - -extern size_t ipsec4_hdrsiz __P((struct mbuf *, u_int, struct inpcb *)); -extern size_t ipsec_hdrsiz_tcp __P((struct tcpcb *)); - -struct ip; -extern const char *ipsec4_logpacketstr __P((struct ip *, u_int32_t)); -extern const char *ipsec_logsastr __P((struct secasvar *)); - -extern void ipsec_dumpmbuf __P((struct mbuf *)); - -extern int ipsec4_output __P((struct ipsec_output_state *, struct secpolicy *, -	int)); -extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int, -	struct secasvar *)); -extern struct mbuf *ipsec_copypkt __P((struct mbuf *)); -extern void ipsec_delaux __P((struct mbuf *)); -extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t)); 
-extern int ipsec_getnhist __P((struct mbuf *)); -extern void ipsec_clearhist __P((struct mbuf *)); - -#endif /* _KERNEL */ - -#ifndef _KERNEL -extern caddr_t ipsec_set_policy __P((char *, int)); -extern int ipsec_get_policylen __P((caddr_t)); -extern char *ipsec_dump_policy __P((caddr_t, char *)); - -extern const char *ipsec_strerror __P((void)); -#endif /* !_KERNEL */ - -#endif /* _NETINET6_IPSEC_H_ */ diff --git a/sys/netinet6/ipsec6.h b/sys/netinet6/ipsec6.h deleted file mode 100644 index 6a1547f1c3a6..000000000000 --- a/sys/netinet6/ipsec6.h +++ /dev/null 
@@ -1,80 +0,0 @@ -/*	$FreeBSD$	*/ -/*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/ - -/*- - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - *    notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - *    notice, this list of conditions and the following disclaimer in the - *    documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - *    may be used to endorse or promote products derived from this software - *    without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * IPsec controller part. 
- */ - -#ifndef _NETINET6_IPSEC6_H_ -#define _NETINET6_IPSEC6_H_ - -#include <net/pfkeyv2.h> -#include <netkey/keydb.h> - -#ifdef _KERNEL -extern struct ipsecstat ipsec6stat; -extern struct secpolicy *ip6_def_policy; -extern int ip6_esp_trans_deflev; -extern int ip6_esp_net_deflev; -extern int ip6_ah_trans_deflev; -extern int ip6_ah_net_deflev; -extern int ip6_ipsec_ecn; -extern int ip6_esp_randpad; - -struct inpcb; -extern struct secpolicy *ipsec6_getpolicybypcb -	__P((struct mbuf *, u_int, struct inpcb *, int *)); -extern struct secpolicy *ipsec6_getpolicybyaddr -	__P((struct mbuf *, u_int, int, int *)); - -extern int ipsec6_delete_pcbpolicy __P((struct inpcb *)); -extern int ipsec6_set_policy __P((struct inpcb *, int, caddr_t, size_t, int)); -extern int ipsec6_get_policy __P((struct inpcb *, caddr_t, size_t, -	struct mbuf **)); -extern int ipsec6_in_reject __P((struct mbuf *, struct inpcb *)); - -struct tcp6cb; - -extern size_t ipsec6_hdrsiz __P((struct mbuf *, u_int, struct inpcb *)); - -struct ip6_hdr; -extern const char *ipsec6_logpacketstr __P((struct ip6_hdr *, u_int32_t)); - -extern int ipsec6_output_trans __P((struct ipsec_output_state *, u_char *, -	struct mbuf *, struct secpolicy *, int, int *)); -extern int ipsec6_output_tunnel __P((struct ipsec_output_state *, -	struct secpolicy *, int)); -extern int ipsec6_tunnel_validate __P((struct mbuf *, int, u_int, -	struct secasvar *)); -#endif /*_KERNEL*/ - -#endif /*_NETINET6_IPSEC6_H_*/ diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index d1a5e83cc4a0..7d6e7881705d 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -2144,11 +2144,6 @@ again:  		goto bad;  	} -#ifdef IPSEC -	/* clean ipsec history once it goes out of the node */ -	ipsec_delaux(m); -#endif -  #ifdef MAC  	mac_create_mbuf_linklayer(ifp, m);  #endif diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c index 3e9b31e6a235..ca737273a857 100644 --- a/sys/netinet6/nd6_nbr.c +++ b/sys/netinet6/nd6_nbr.c 
@@ -823,7 +823,7 @@ nd6_na_input(m, off, icmp6len)  		 * prevent a ln_hold lookup in nd6_output()  		 * (wouldn't happen, though...)  		 */ -		for (m_hold = ln->ln_hold, ln->ln_hold = NULL; +		for (m_hold = ln->ln_hold;  		    m_hold; m_hold = m_hold_next) {  			m_hold_next = m_hold->m_nextpkt;  			m_hold->m_nextpkt = NULL; @@ -834,6 +834,7 @@ nd6_na_input(m, off, icmp6len)  			nd6_output(ifp, ifp, m_hold,  			    (struct sockaddr_in6 *)rt_key(rt), rt);  		} +		ln->ln_hold = NULL;  	}   freeit: diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 006f7d66e8a7..3b2937568703 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -95,11 +95,6 @@  #include <netinet6/raw_ip6.h>  #include <netinet6/scope6_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netinet6/ipsec6.h> -#endif /*IPSEC*/ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/ipsec6.h> @@ -186,18 +181,16 @@ docontinue:  		if (last) {  			struct mbuf *n = m_copy(m, 0, (int)M_COPYALL); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  			/*  			 * Check AH/ESP integrity.  			 */  			if (n && ipsec6_in_reject(n, last)) {  				m_freem(n); -#ifdef IPSEC  				ipsec6stat.in_polvio++; -#endif /*IPSEC*/  				/* do not inject data into pcb */  			} else -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */  			if (n) {  				if (last->in6p_flags & IN6P_CONTROLOPTS ||  				    last->in6p_socket->so_options & SO_TIMESTAMP) 
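Review bot: The context comment directly above the loop in the `@@ -823` hunk, `prevent a ln_hold lookup in nd6_output()`, no longer describes the code once `ln->ln_hold = NULL` is moved to after the loop in the `@@ -834` hunk. While the held packets are being passed to nd6_output(), ln->ln_hold still points at the first mbuf of the chain that is already being transmitted, so any path in nd6_output() that consults or replaces ln_hold would now operate on an mbuf owned by the output path; whether such a path exists for a non-INCOMPLETE entry is outside these hunks. If deferring the clear is intentional, the comment should say why, e.g. `/* ln_hold is cleared after the loop; nd6_output() must not touch it for an entry that is no longer INCOMPLETE */`; otherwise keep the clear in the for-initializer. nd6_na_input() begins and ends outside both hunks.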
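Review bot: `ipsec6stat.in_polvio++` in the `@@ -186` hunk now compiles under FAST_IPSEC and counts into the legacy `in_polvio` field, while ipsec6_in_reject() itself already increments `ipsec6stat.ips_in_polvio` (ipsec.c `@@ -1502`), so one rejected packet bumps two different counters in the same struct. Before this change the line was under `#ifdef IPSEC`, and the `in_polvio`→`ips_in_polvio` shim removed from netipsec/ipsec6.h in this commit kept FAST_IPSEC callers on the `ips_*` field. The same line appears in raw_ip6.c `@@ -219`, sctp6_usrreq.c `@@ -210` and udp6_usrreq.c `@@ -129`; either drop `ipsec6stat.in_polvio++;` at all four sites and let ipsec6_in_reject() account for the violation, or add a comment stating that `in_polvio` is the per-protocol input count and `ips_in_polvio` the policy-engine count so the two are not read as the same number.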
@@ -219,20 +212,18 @@ docontinue:  		}  		last = in6p;  	} -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	/*  	 * Check AH/ESP integrity.  	 */  	if (last && ipsec6_in_reject(m, last)) {  		m_freem(m); -#ifdef IPSEC  		ipsec6stat.in_polvio++; -#endif /*IPSEC*/  		ip6stat.ip6s_delivered--;  		/* do not inject data into pcb */  		INP_UNLOCK(last);  	} else -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */  	if (last) {  		if (last->in6p_flags & IN6P_CONTROLOPTS ||  		    last->in6p_socket->so_options & SO_TIMESTAMP) diff --git a/sys/netinet6/sctp6_usrreq.c b/sys/netinet6/sctp6_usrreq.c index 92c23f7166ee..58833aab16a0 100644 --- a/sys/netinet6/sctp6_usrreq.c +++ b/sys/netinet6/sctp6_usrreq.c @@ -52,6 +52,12 @@ __FBSDID("$FreeBSD$");  #include <netinet/sctp_output.h>  #include <netinet/sctp_bsd_addr.h> +#ifdef FAST_IPSEC +#include <netipsec/ipsec.h> +#if defined(INET6) +#include <netipsec/ipsec6.h> +#endif /* INET6 */ +#endif /* FAST_IPSEC */  extern struct protosw inetsw[]; @@ -201,7 +207,7 @@ sctp_skip_csum:  		refcount_up = 1;  	}  	in6p_ip = (struct inpcb *)in6p; -#ifdef IPSEC +#ifdef FAST_IPSEC  	/*  	 * Check AH/ESP integrity.  	 */ @@ -210,7 +216,7 @@ sctp_skip_csum:  		ipsec6stat.in_polvio++;  		goto bad;  	} -#endif				/* IPSEC */ +#endif /* FAST_IPSEC */  	/*  	 * CONTROL chunk processing diff --git a/sys/netinet6/udp6_output.c b/sys/netinet6/udp6_output.c index 7643373458ae..1dcade6c20da 100644 --- a/sys/netinet6/udp6_output.c +++ b/sys/netinet6/udp6_output.c @@ -98,13 +98,6 @@  #include <netinet6/ip6protosw.h>  #include <netinet6/scope6_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#endif /* IPSEC */ -  /*   * UDP protocol inplementation.   * Per RFC 768, August, 1980. diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index ba17f39a162a..4cf0e1339123 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c 
@@ -102,11 +102,6 @@  #include <netinet6/udp6_var.h>  #include <netinet6/scope6_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netinet6/ipsec6.h> -#endif /* IPSEC */ -  #ifdef FAST_IPSEC  #include <netipsec/ipsec.h>  #include <netipsec/ipsec6.h> @@ -129,18 +124,16 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off,  	/* XXXRW: Not yet: INP_LOCK_ASSERT(in6p); */ -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC  	/*  	 * Check AH/ESP integrity.  	 */  	if (ipsec6_in_reject(n, in6p)) {  		m_freem(n); -#ifdef IPSEC  		ipsec6stat.in_polvio++; -#endif /* IPSEC */  		return;  	} -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */  	opts = NULL;  	if (in6p->in6p_flags & IN6P_CONTROLOPTS || diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 101c2847183f..1f8e6abb594b 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -76,6 +76,7 @@  #include <netinet/icmp6.h>  #endif +#include <sys/types.h>  #include <netipsec/ipsec.h>  #ifdef INET6  #include <netipsec/ipsec6.h> @@ -102,7 +103,7 @@ int ipsec_debug = 0;  #endif  /* NB: name changed so netstat doesn't use it */ -struct newipsecstat newipsecstat; +struct ipsecstat ipsec4stat;  int ip4_ah_offsetmask = 0;	/* maybe IP_DF? */  int ip4_ipsec_dfbit = 0;	/* DF bit on encap. 0: clear 1: set 2: copy */  int ip4_esp_trans_deflev = IPSEC_LEVEL_USE; @@ -149,7 +150,7 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,  SYSCTL_INT(_net_inet_ipsec, OID_AUTO,  	crypto_support,	CTLFLAG_RW,	&crypto_support,0, "");  SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO, -	ipsecstats,	CTLFLAG_RD,	&newipsecstat,	newipsecstat, ""); +	ipsecstats,	CTLFLAG_RD,	&ipsec4stat, ipsecstat, "");  #ifdef REGRESSION  /* 
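Review bot: The new `#include <sys/types.h>` in the ipsec.c `@@ -76` hunk sits after the `<netinet/icmp6.h>` block rather than with the `<sys/...>` includes at the top of the file, and in kernel code it is normally already pulled in through `<sys/param.h>`; the earlier include block is outside this hunk, so I cannot confirm that here. If a type from it is needed by the headers that follow, it belongs in the `<sys/...>` group per style(9) ordering; otherwise it is redundant and can be dropped.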
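Review bot: The context comment `/* NB: name changed so netstat doesn't use it */` in the ipsec.c `@@ -102` hunk explained why the counters were called `newipsecstat`; with the rename to `ipsec4stat`, and the type now being the merged `struct ipsecstat` that is exported below via `SYSCTL_STRUCT`, it no longer says what is being avoided or whether that still applies. Either reword it to the current intent, e.g. `/* NB: not named "ipsecstat" so an old netstat(1) does not pick it up */`, or remove it.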
@@ -168,7 +169,8 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,      &ipsec_integrity, 0, "Emulate man-in-the-middle attack");  #endif -#ifdef INET6 +#ifdef INET6  +struct ipsecstat ipsec6stat;  int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;  int ip6_esp_net_deflev = IPSEC_LEVEL_USE;  int ip6_ah_trans_deflev = IPSEC_LEVEL_USE; @@ -199,6 +201,8 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,  	debug, CTLFLAG_RW,	&ipsec_debug,	0, "");  SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,  	esp_randpad, CTLFLAG_RW,	&ip6_esp_randpad,	0, ""); +SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, +	ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");  #endif /* INET6 */  static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb)); @@ -451,7 +455,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)  		sp = ipsec_getpolicybysock(m, dir, inp, error);  	if (sp == NULL) {  		IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error")); -		newipsecstat.ips_out_inval++; +		ipsec4stat.ips_out_inval++;  		return NULL;  	}  	IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error)); @@ -461,7 +465,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)  		printf("%s: invalid policy %u\n", __func__, sp->policy);  		/* fall thru... */  	case IPSEC_POLICY_DISCARD: -		newipsecstat.ips_out_polvio++; +		ipsec4stat.ips_out_polvio++;  		*error = -EINVAL;	/* packet is discarded by caller */  		break;  	case IPSEC_POLICY_BYPASS: @@ -1462,7 +1466,7 @@ ipsec4_in_reject(m, inp)  	if (sp != NULL) {  		result = ipsec_in_reject(sp, m);  		if (result) -			newipsecstat.ips_in_polvio++; +			ipsec4stat.ips_in_polvio++;  		KEY_FREESP(&sp);  	} else {  		result = 0;	/* XXX should be panic ? @@ -1502,7 +1506,7 @@ ipsec6_in_reject(m, inp)  	if (sp != NULL) {  		result = ipsec_in_reject(sp, m);  		if (result) -			newipsecstat.ips_in_polvio++; +			ipsec6stat.ips_in_polvio++;  		KEY_FREESP(&sp);  	} else {  		result = 0; 
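Review bot: The `#ifdef INET6` line in the `@@ -168` hunk is removed and re-added with what appears to be only a trailing space as the difference, which is noise in blame and should be reverted to the unchanged context line. The only intended addition in that hunk is `struct ipsecstat ipsec6stat;`.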
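Review bot: The IPv6 statistics node added in the `@@ -199` hunk is registered under the fixed id `IPSECCTL_STATS`, while the IPv4 node in `@@ -149` uses `OID_AUTO` for the same `ipsecstats` name, and the comment next to `ipsec4stat` says the v4 counters were deliberately kept away from the old name. Both nodes now export the merged `struct ipsecstat` (legacy `in_*`/`out_*` fields followed by the `ips_*` fields), whose size differs from the old KAME struct, so any consumer that reads the v6 node with the old layout will presumably see a size mismatch; the netstat side is not on this page. If the asymmetry is intentional it deserves a one-line comment on the new SYSCTL_STRUCT, e.g. `/* keep IPSECCTL_STATS id for existing readers of the v6 stats */`; otherwise use `OID_AUTO` for both.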
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index e514ce5d2eb3..14640149dc4e 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -205,7 +205,7 @@ struct secspacq {  				 */  #define IPSEC_REPLAYWSIZE  32 -/* old statistics for ipsec processing */ +/* statistics for ipsec processing */  struct ipsecstat {  	u_quad_t in_success;  /* succeeded inbound process */  	u_quad_t in_polvio; @@ -236,10 +236,7 @@ struct ipsecstat {  	u_quad_t spdcachelookup;  	u_quad_t spdcachemiss; -}; -/* statistics for ipsec processing */ -struct newipsecstat {  	u_int32_t ips_in_polvio;	/* input: sec policy violation */  	u_int32_t ips_out_polvio;	/* output: sec policy violation */  	u_int32_t ips_out_nosa;		/* output: SA unavailable  */ @@ -335,7 +332,7 @@ extern int ipsec_replay;  extern int ipsec_integrity;  #endif -extern struct newipsecstat newipsecstat; +extern struct ipsecstat ipsec4stat;  extern struct secpolicy ip4_def_policy;  extern int ip4_esp_trans_deflev;  extern int ip4_esp_net_deflev; @@ -352,10 +349,6 @@ extern int crypto_support;  /* for openbsd compatibility */  #define	DPRINTF(x)	do { if (ipsec_debug) printf x; } while (0) -/* XXX for KAME code compatibility */ -#define ipsec_pcbconn(_x) -#define	ipsec_pcbdisconn(_x) -  extern	struct ipsecrequest *ipsec_newisr(void);  extern	void ipsec_delisr(struct ipsecrequest *); diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h index 84c3c8aa8fc5..32b2b83f883e 100644 --- a/sys/netipsec/ipsec6.h +++ b/sys/netipsec/ipsec6.h @@ -41,6 +41,7 @@  #include <netipsec/keydb.h>  #ifdef _KERNEL +extern struct ipsecstat ipsec6stat;  extern int ip6_esp_trans_deflev;  extern int ip6_esp_net_deflev;  extern int ip6_ah_trans_deflev; 
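Review bot: The merged `struct ipsecstat` in the `@@ -236` hunk now carries two overlapping sets of counters — the legacy `u_quad_t` `in_polvio`/`out_nosa`/`out_inval` fields (plus the 256-entry `*_hist` arrays) and the `u_int32_t` `ips_in_polvio`/`ips_out_nosa`/`ips_out_inval` fields — with no comment saying which set the netipsec code maintains. The ipsec.c, ipsec_mbuf.c and ipsec_output.c hunks in this commit touch only `ips_*` members, so the legacy fields stay zero except where netinet6 callers still bump `in_polvio`. A comment at the `ips_in_polvio` line such as `/* ips_* are the counters maintained by netipsec; the fields above are the KAME layout, presumably kept for the sysctl ABI */` would stop the next reader from picking the wrong one. The struct's tail is outside this hunk.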
@@ -50,15 +51,6 @@ extern int ip6_esp_randpad;  struct inpcb; -/* KAME compatibility shims */ -#define	ipsec6_getpolicybyaddr	ipsec_getpolicybyaddr -#define	ipsec6_getpolicybysock	ipsec_getpolicybysock -#define	ipsec6stat		newipsecstat -#define	out_inval		ips_out_inval -#define	in_polvio		ips_in_polvio -#define	out_polvio		ips_out_polvio -#define	key_freesp(_x)		KEY_FREESP(&_x) -  extern int ipsec6_delete_pcbpolicy __P((struct inpcb *));  extern int ipsec6_set_policy __P((struct inpcb *inp, int optname,  	caddr_t request, size_t len, int priv)); diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c index b63a5afc8f3b..d4ec42ae53a9 100644 --- a/sys/netipsec/ipsec_mbuf.c +++ b/sys/netipsec/ipsec_mbuf.c @@ -88,7 +88,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)  			return (NULL);  		n->m_next = m->m_next;		/* splice new mbuf */  		m->m_next = n; -		newipsecstat.ips_mbinserted++; +		ipsec4stat.ips_mbinserted++;  		if (hlen <= M_TRAILINGSPACE(m) + remain) {  			/*  			 * New header fits in the old mbuf if we copy @@ -122,7 +122,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)  				/* splice in second mbuf */  				n2->m_next = n->m_next;  				n->m_next = n2; -				newipsecstat.ips_mbinserted++; +				ipsec4stat.ips_mbinserted++;  			} else {  				memcpy(mtod(n, caddr_t) + hlen,  				       mtod(m, caddr_t) + skip, remain); @@ -238,7 +238,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)  	/* Remove the header and associated data from the mbuf. */  	if (roff == 0) {  		/* The header was at the beginning of the mbuf */ -		newipsecstat.ips_input_front++; +		ipsec4stat.ips_input_front++;  		m_adj(m1, hlen);  		if ((m1->m_flags & M_PKTHDR) == 0)  			m->m_pkthdr.len -= hlen; 
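Review bot: `ipsec4stat.ips_mbinserted++` in the ipsec_mbuf.c `@@ -88` hunk charges an mbuf-layout counter to the IPv4 statistics from m_makespace(), whose signature takes no address family and which, from its name, serves both families; the same applies to `@@ -122` here and to `ips_input_front`/`ips_input_end`/`ips_input_middle` in m_striphdr() (`@@ -238` here, `@@ -250` and `@@ -275` in the next hunks), and ipsec_process_done() in ipsec_output.c `@@ -155` looks similar. Now that a separate `ipsec6stat` exists, IPv6 traffic through these helpers inflates the v4 counters. If no family is available at these sites, a comment at the first one, `/* XXX mbuf-layout stats are family-agnostic; charged to ipsec4stat */`, should say so. The enclosing functions start and end outside these hunks.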
@@ -250,7 +250,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)  		 * so first let's remove the remainder of the header from  		 * the beginning of the remainder of the mbuf chain, if any.  		 */ -		newipsecstat.ips_input_end++; +		ipsec4stat.ips_input_end++;  		if (roff + hlen > m1->m_len) {  			/* Adjust the next mbuf by the remainder */  			m_adj(m1->m_next, roff + hlen - m1->m_len); @@ -275,7 +275,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)  		 * The header lies in the "middle" of the mbuf; copy  		 * the remainder of the mbuf down over the header.  		 */ -		newipsecstat.ips_input_middle++; +		ipsec4stat.ips_input_middle++;  		bcopy(mtod(m1, u_char *) + roff + hlen,  		      mtod(m1, u_char *) + roff,  		      m1->m_len - (roff + hlen)); diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 4f9b8c59171b..7a1ec83e66e8 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -155,7 +155,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)  	 * doing further processing.  	 */  	if (isr->next) { -		newipsecstat.ips_out_bundlesa++; +		ipsec4stat.ips_out_bundlesa++;  		return ipsec4_process_packet(m, isr->next, 0, 0);  	}  	key_sa_recordxfer(sav, m);		/* record data transfer */ @@ -281,7 +281,7 @@ again:  		 * this packet because it is responsibility for  		 * upper layer to retransmit the packet.  		 */ -		newipsecstat.ips_out_nosa++; +		ipsec4stat.ips_out_nosa++;  		goto bad;  	}  	sav = isr->sav; @@ -572,6 +572,7 @@ ipsec6_output_trans(  	*tun = 0;  	m = state->m; +	IPSECREQUEST_LOCK(isr);		/* insure SA contents don't change */  	isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);  	if (isr == NULL) {  #ifdef notdef 
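Review bot: `IPSECREQUEST_LOCK(isr)` added in the ipsec_output.c `@@ -572` hunk is taken on the caller's isr immediately before `isr = ipsec_nextisr(...)` reassigns it, so the unlock at `bad:` in the following hunk (which tests the reassigned pointer) only balances if ipsec_nextisr() drops the lock itself on the NULL return and hands back the next request locked. That is the pattern ipsec6_output_tunnel() already uses at `@@ -699`, but nothing at this site says so; a comment such as `/* NB: ipsec_nextisr() returns the next isr locked, or NULL with the lock released */` would make the contract visible. The remainder of ipsec6_output_trans() is in the next hunk.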
@@ -591,10 +592,15 @@ ipsec6_output_trans(  		goto bad;  	} -	return (*isr->sav->tdb_xform->xf_output)(m, isr, NULL, -		sizeof (struct ip6_hdr), -		offsetof(struct ip6_hdr, ip6_nxt)); +	error = (*isr->sav->tdb_xform->xf_output)(m, isr, NULL, +						  sizeof (struct ip6_hdr), +						  offsetof(struct ip6_hdr,  +							   ip6_nxt)); +	IPSECREQUEST_UNLOCK(isr); +	return error;  bad: +	if (isr) +		IPSECREQUEST_UNLOCK(isr);  	if (m)  		m_freem(m);  	state->m = NULL; @@ -614,7 +620,7 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)  		m_freem(m);  		return EINVAL;  	} -	IPSEC_ASSERT(m->m_len != sizeof (struct ip6_hdr), +	IPSEC_ASSERT(m->m_len == sizeof (struct ip6_hdr),  		("mbuf wrong size; len %u", m->m_len)); @@ -658,8 +664,8 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)  		/* ip6->ip6_plen will be updated in ip6_output() */  	}  	ip6->ip6_nxt = IPPROTO_IPV6; -	sav->sah->saidx.src.sin6.sin6_addr = ip6->ip6_src; -	sav->sah->saidx.dst.sin6.sin6_addr = ip6->ip6_dst; +	ip6->ip6_src = sav->sah->saidx.src.sin6.sin6_addr; +	ip6->ip6_dst = sav->sah->saidx.dst.sin6.sin6_addr;  	ip6->ip6_hlim = IPV6_DEFHLIM;  	/* XXX Should ip6_src be updated later ? */ @@ -699,7 +705,6 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int  	}  	IPSECREQUEST_LOCK(isr);		/* insure SA contents don't change */ -  	isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);  	if (isr == NULL)  		goto bad; @@ -717,14 +722,14 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int  			ipseclog((LOG_ERR, "%s: family mismatched between "  			    "inner and outer, spi=%u\n", __func__,  			    ntohl(isr->sav->spi))); -			newipsecstat.ips_out_inval++; +			ipsec6stat.ips_out_inval++;  			error = EAFNOSUPPORT;  			goto bad;  		}  		m = ipsec6_splithdr(m);  		if (!m) { -			newipsecstat.ips_out_nomem++; +			ipsec6stat.ips_out_nomem++;  			error = ENOMEM;  			goto bad;  		} 
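Review bot: The rewritten xf_output call in the `@@ -591` hunk aligns its continuation lines with a mix of tabs and spaces and appears to leave trailing whitespace after `offsetof(struct ip6_hdr,`, where the removed lines used a single tab of continuation as the rest of the file does. Reflowing it to `error = (*isr->sav->tdb_xform->xf_output)(m, isr, NULL,` followed by `	sizeof (struct ip6_hdr), offsetof(struct ip6_hdr, ip6_nxt));` keeps the hunk to the lock/return change it is actually making.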
@@ -753,7 +758,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
 		}
 		if (state->ro->ro_rt == 0) {
 			ip6stat.ip6s_noroute++;
-			newipsecstat.ips_out_noroute++;
+			ipsec6stat.ips_out_noroute++;
 			error = EHOSTUNREACH;
 			goto bad;
 		}
@@ -767,7 +772,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
 	m = ipsec6_splithdr(m);
 	if (!m) {
-		newipsecstat.ips_out_nomem++;
+		ipsec6stat.ips_out_nomem++;
 		error = ENOMEM;
 		goto bad;
 	}
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index cb0284cd2e19..5dfc32f4df41 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -2145,8 +2145,6 @@ key_spddelete2(so, m, mhp)
 	/* create new sadb_msg to reply. */
 	len = PFKEY_ALIGN8(sizeof(struct sadb_msg));
-	if (len > MCLBYTES)
-		return key_senderror(so, m, ENOBUFS);
 	MGETHDR(n, M_DONTWAIT, MT_DATA);
 	if (n && len > MHLEN) {
 		MCLGET(n, M_DONTWAIT);
@@ -4518,8 +4516,6 @@ key_getspi(so, m, mhp)
 	/* create new sadb_msg to reply. */
 	len = PFKEY_ALIGN8(sizeof(struct sadb_msg)) +
 	    PFKEY_ALIGN8(sizeof(struct sadb_sa));
-	if (len > MCLBYTES)
-		return key_senderror(so, m, ENOBUFS);
 	MGETHDR(n, M_DONTWAIT, MT_DATA);
 	if (len > MHLEN) {
@@ -7299,7 +7295,6 @@ key_setkey(struct seckey *src, u_int16_t exttype)
 		return NULL;
 	len = PFKEY_ALIGN8(sizeof(struct sadb_key) + _KEYLEN(src));
-
 	m = key_alloc_mbuf(len);
 	if (m == NULL)
 		return NULL;
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index 97294f3067e7..7252ea0c6f90 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -73,7 +73,7 @@ static void kdebug_secreplay __P((struct secreplay *));
 #endif
 #ifndef _KERNEL
-#define panic(param)	{ printf(param); exit(-1); }
+#define panic(fmt, ...)	{ printf(fmt, ## __VA_ARGS__); exit(-1); }
 #endif
 /* NOTE: host byte order */
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index ee3495eb2fec..21539f120376 100644
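Review bot: In key_getspi the `MGETHDR` result is not NULL-tested before `if (len > MHLEN)`, whereas the key_spddelete2 hunk just above guards the same spot with `if (n && len > MHLEN)`; an `M_DONTWAIT` allocation can fail, and the `MCLGET(n, ...)` presumably inside that branch would dereference NULL if the reply ever outgrew MHLEN. Today `len` is a compile-time constant well below MHLEN, which is also why dropping the two `len > MCLBYTES` checks is safe, but keeping the two call sites consistent costs one word: `if (n && len > MHLEN) {`. key_getspi continues outside the hunk, so the later NULL check on `n` is not visible here.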
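Review bot: The userland `panic` replacement in key_debug.c expands to a bare brace block, so `if (cond) panic("..."); else ...` no longer compiles because of the stray `;` before `else`; the usual form is `#define panic(fmt, ...) do { printf(fmt, ## __VA_ARGS__); exit(-1); } while (0)`. `## __VA_ARGS__` is a GNU cpp extension, fine for this tree but worth a one-line comment above the define. `exit(-1)` yields status 255; `EXIT_FAILURE` says what is meant.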
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -81,7 +81,6 @@ key_output(struct mbuf *m, struct socket *so)
 {
 	struct sadb_msg *msg;
 	int len, error = 0;
-	int s;
 	if (m == 0)
 		panic("%s: NULL pointer was passed.\n", __func__);
@@ -116,11 +115,8 @@ key_output(struct mbuf *m, struct socket *so)
 		goto end;
 	}
-	/*XXX giant lock*/
-	s = splnet();
 	error = key_parse(m, so);
 	m = NULL;
-	splx(s);
 end:
 	if (m)
 		m_freem(m);
@@ -213,15 +209,19 @@ key_sendup(so, msg, len, target)
 	while (tlen > 0) {
 		if (tlen == len) {
 			MGETHDR(n, M_DONTWAIT, MT_DATA);
+			if (n == NULL) {
+				pfkeystat.in_nomem++;
+				return ENOBUFS;
+			}
 			n->m_len = MHLEN;
 		} else {
 			MGET(n, M_DONTWAIT, MT_DATA);
+			if (n == NULL) {
+				pfkeystat.in_nomem++;
+				return ENOBUFS;
+			}
 			n->m_len = MLEN;
 		}
-		if (!n) {
-			pfkeystat.in_nomem++;
-			return ENOBUFS;
-		}
 		if (tlen >= MCLBYTES) {	/*XXX better threshold? */
 			MCLGET(n, M_DONTWAIT);
 			if ((n->m_flags & M_EXT) == 0) {
@@ -278,22 +278,18 @@ key_sendup_mbuf(so, m, target)
 	pfkeystat.in_total++;
 	pfkeystat.in_bytes += m->m_pkthdr.len;
 	if (m->m_len < sizeof(struct sadb_msg)) {
-#if 1
 		m = m_pullup(m, sizeof(struct sadb_msg));
 		if (m == NULL) {
 			pfkeystat.in_nomem++;
 			return ENOBUFS;
 		}
-#else
-		/* don't bother pulling it up just for stats */
-#endif
 	}
 	if (m->m_len >= sizeof(struct sadb_msg)) {
 		struct sadb_msg *msg;
 		msg = mtod(m, struct sadb_msg *);
 		pfkeystat.in_msgtype[msg->sadb_msg_type]++;
 	}
-
+	mtx_lock(&rawcb_mtx);
 	LIST_FOREACH(rp, &rawcb_list, list)
 	{
 		if (rp->rcb_proto.sp_family != PF_KEY)
@@ -344,11 +340,13 @@ key_sendup_mbuf(so, m, target)
 		if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
 			m_freem(m);
 			pfkeystat.in_nomem++;
+			mtx_unlock(&rawcb_mtx);
 			return ENOBUFS;
 		}
 		if ((error = key_sendup0(rp, n, 0)) != 0) {
 			m_freem(m);
+			mtx_unlock(&rawcb_mtx);
 			return error;
 		}
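Review bot: The two new `n == NULL` branches in key_sendup return ENOBUFS without releasing whatever earlier iterations of the `while (tlen > 0)` loop already chained into the partial result; if, as the `MCLGET` failure path just below this hunk suggests, that chain is freed on other error exits, the new paths should match it with `m_freem(m);` ahead of `pfkeystat.in_nomem++;` — hedged, because the head of key_sendup, where the chain head is initialised, and the rest of the loop body are outside the hunk. Moving the NULL test ahead of `n->m_len = ...` is the right fix for the old write-before-check; only the possible leak remains.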
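Review bot: `mtx_lock(&rawcb_mtx)` now covers the whole `LIST_FOREACH` over rawcb_list in key_sendup_mbuf, but only the two error returns in the `@@ -344` hunk and the fall-through in the `@@ -362` hunk release it; new-side lines 296–339 of the loop body are not in view, so any other `return` in that range would leave rawcb_mtx held (hedged, I cannot see those lines). key_sendup0 is now called with the mutex held, which is worth confirming against whatever it locks on the receiving socket. A comment at the lock site would help the next reader: `/* rawcb_mtx is held until the loop exits; every return below must unlock */`. The `@@ -344` and `@@ -362` hunks are the matching unlocks for this point.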
@@ -362,6 +360,7 @@ key_sendup_mbuf(so, m, target)
 		error = 0;
 		m_freem(m);
 	}
+	mtx_unlock(&rawcb_mtx);
 	return error;
 }
@@ -372,7 +371,6 @@ key_sendup_mbuf(so, m, target)
 static void
 key_abort(struct socket *so)
 {
-
 	raw_usrreqs.pru_abort(so);
 }
@@ -384,29 +382,21 @@ static int
 key_attach(struct socket *so, int proto, struct thread *td)
 {
 	struct keycb *kp;
-	int s, error;
+	int error;
+
+	KASSERT(so->so_pcb == NULL, ("key_attach: so_pcb != NULL"));
-	if (sotorawcb(so) != 0)
-		return EISCONN;	/* XXX panic? */
-	kp = (struct keycb *)malloc(sizeof *kp, M_PCB, M_WAITOK|M_ZERO); /* XXX */
+	/* XXX */
+	MALLOC(kp, struct keycb *, sizeof *kp, M_PCB, M_WAITOK | M_ZERO); 
 	if (kp == 0)
 		return ENOBUFS;
-	/*
-	 * The splnet() is necessary to block protocols from sending
-	 * error notifications (like RTM_REDIRECT or RTM_LOSING) while
-	 * this PCB is extant but incompletely initialized.
-	 * Probably we should try to do more of this work beforehand and
-	 * eliminate the spl.
-	 */
-	s = splnet();
 	so->so_pcb = (caddr_t)kp;
-	error = raw_usrreqs.pru_attach(so, proto, td);
+	error = raw_attach(so, proto);
 	kp = (struct keycb *)sotorawcb(so);
 	if (error) {
 		free(kp, M_PCB);
 		so->so_pcb = (caddr_t) 0;
-		splx(s);
 		return error;
 	}
@@ -420,7 +410,6 @@ key_attach(struct socket *so, int proto, struct thread *td)
 	soisconnected(so);
 	so->so_options |= SO_USELOOPBACK;
-	splx(s);
 	return 0;
 }
@@ -431,11 +420,7 @@ key_attach(struct socket *so, int proto, struct thread *td)
 static int
 key_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
 {
-	int s, error;
-	s = splnet();
-	error = raw_usrreqs.pru_bind(so, nam, td); /* xxx just EINVAL */
-	splx(s);
-	return error;
+  return EINVAL;
 }
 /*
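Review bot: `if (kp == 0) return ENOBUFS;` after a `M_WAITOK` allocation in key_attach is dead code — a waiting kernel allocation does not return NULL — and it survives from the old side; either drop it or use `M_NOWAIT` if ENOBUFS is the intended failure mode. The old side already used plain `malloc(sizeof *kp, M_PCB, M_WAITOK|M_ZERO)`, so reintroducing the `MALLOC()` macro plus a separate `/* XXX */` line is a step backwards in style; `kp = malloc(sizeof *kp, M_PCB, M_WAITOK | M_ZERO);` is enough. The KASSERT replaces a runtime EISCONN check, so on a kernel built without INVARIANTS an already-attached socket would now have its so_pcb silently overwritten; presumably the socket layer guarantees a fresh socket here, which is worth saying in a comment on the KASSERT line.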
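Review bot: The new body of key_bind is indented with two spaces (`+  return EINVAL;`) where the file indents with tabs — compare the equivalent stub in key_connect in the next hunk, which is `\treturn EINVAL;`. Use a tab so the two stubs read the same.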
@@ -456,11 +441,7 @@ key_close(struct socket *so)
 static int
 key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 {
-	int s, error;
-	s = splnet();
-	error = raw_usrreqs.pru_connect(so, nam, td); /* XXX just EINVAL */
-	splx(s);
-	return error;
+	return EINVAL;
 }
 /*
@@ -489,11 +470,7 @@ key_detach(struct socket *so)
 static int
 key_disconnect(struct socket *so)
 {
-	int s, error;
-	s = splnet();
-	error = raw_usrreqs.pru_disconnect(so);
-	splx(s);
-	return error;
+	return(raw_usrreqs.pru_disconnect(so));
 }
 /*
@@ -503,11 +480,7 @@ key_disconnect(struct socket *so)
 static int
 key_peeraddr(struct socket *so, struct sockaddr **nam)
 {
-	int s, error;
-	s = splnet();
-	error = raw_usrreqs.pru_peeraddr(so, nam);
-	splx(s);
-	return error;
+	return(raw_usrreqs.pru_peeraddr(so, nam));
 }
 /*
@@ -518,11 +491,7 @@ static int
 key_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
 	 struct mbuf *control, struct thread *td)
 {
-	int s, error;
-	s = splnet();
-	error = raw_usrreqs.pru_send(so, flags, m, nam, control, td);
-	splx(s);
-	return error;
+	return(raw_usrreqs.pru_send(so, flags, m, nam, control, td));
 }
 /*
@@ -532,11 +501,7 @@ key_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
 static int
 key_shutdown(struct socket *so)
 {
-	int s, error;
-	s = splnet();
-	error = raw_usrreqs.pru_shutdown(so);
-	splx(s);
-	return error;
+	return(raw_usrreqs.pru_shutdown(so));
 }
 /*
@@ -546,11 +511,7 @@ key_shutdown(struct socket *so)
 static int
 key_sockaddr(struct socket *so, struct sockaddr **nam)
 {
-	int s, error;
-	s = splnet();
-	error = raw_usrreqs.pru_sockaddr(so, nam);
-	splx(s);
-	return error;
+	return(raw_usrreqs.pru_sockaddr(so, nam));
 }
 struct pr_usrreqs key_usrreqs = {
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 6114908279d7..da8f6665e53b 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -110,7 +110,7 @@ static int ah_output_cb(struct cryptop*);
 struct auth_hash *
 ah_algorithm_lookup(int alg)
 {
-	if (alg >= AH_ALG_MAX)
+	if (alg > SADB_AALG_MAX)
 		return NULL;
 	switch (alg) {
 	case SADB_X_AALG_NULL:
diff --git a/sys/netkey/key.h b/sys/netkey/key.h
deleted file mode 100644
index e4cfe4bbd118..000000000000
--- a/sys/netkey/key.h
+++ /dev/null
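Review bot: `alg` is a signed int and the new guard `alg > SADB_AALG_MAX` still admits negative values; that is harmless as long as the lookup stays a `switch` whose default returns NULL, but if the value is ever used to index a table the check should read `if (alg < 0 || alg > SADB_AALG_MAX)`. The rest of ah_algorithm_lookup, including the switch's default case, is outside the hunk.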
@@ -1,96 +0,0 @@
-/*	$FreeBSD$	*/
-/*	$KAME: key.h,v 1.32 2003/09/07 05:25:20 itojun Exp $	*/
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _NETKEY_KEY_H_
-#define _NETKEY_KEY_H_
-
-#ifdef _KERNEL
-
-#include <sys/queue.h>
-
-extern struct key_cb key_cb;
-
-extern TAILQ_HEAD(_satailq, secasvar) satailq;
-extern TAILQ_HEAD(_sptailq, secpolicy) sptailq;
-
-struct secpolicy;
-struct secpolicyindex;
-struct ipsecrequest;
-struct secasvar;
-struct sockaddr;
-struct socket;
-struct sadb_msg;
-struct sadb_x_policy;
-union sockaddr_union;
-
-extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *,
-	u_int);
-extern struct secpolicy *key_gettunnel(struct sockaddr *,
-	struct sockaddr *, struct sockaddr *, struct sockaddr *);
-extern int key_checkrequest
-	(struct ipsecrequest *isr, struct secasindex *);
-extern struct secasvar *key_allocsa(u_int, caddr_t, caddr_t, u_int, u_int32_t);
-extern void key_freesp(struct secpolicy *);
-extern void key_freesav(struct secasvar *);
-extern struct secpolicy *key_newsp(u_int32_t);
-extern struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *);
-extern struct mbuf *key_sp2msg(struct secpolicy *);
-extern int key_cmpspidx_exactly
-	(struct secpolicyindex *, struct secpolicyindex *);
-extern int key_cmpspidx_withmask
-	(struct secpolicyindex *, struct secpolicyindex *);
-extern int key_spdacquire(struct secpolicy *);
-extern void key_timehandler(void *);
-extern void key_randomfill(void *, size_t);
-extern void key_freereg(struct socket *);
-extern int key_parse(struct mbuf *, struct socket *);
-extern void key_init(void);
-extern int key_checktunnelsanity(struct secasvar *, u_int, caddr_t, caddr_t);
-extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
-extern void key_sa_routechange(struct sockaddr *);
-extern void key_sa_stir_iv(struct secasvar *);
-
-/* to keep compatibility with FAST_IPSEC */
-#define	KEY_ALLOCSA(dst, proto, spi)	\
-	key_allocsa(((struct sockaddr *)(dst))->sa_family,\
-		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
-		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
-		    
proto, spi)
-#define	KEY_FREESAV(psav)					\
-	key_freesav(*psav)
-
-#ifdef MALLOC_DECLARE
-MALLOC_DECLARE(M_SECA);
-#endif /* MALLOC_DECLARE */
-
-#endif /* defined(_KERNEL) */
-#endif /* _NETKEY_KEY_H_ */
diff --git a/sys/netkey/key_debug.h b/sys/netkey/key_debug.h
deleted file mode 100644
index 435d9232f7f9..000000000000
--- a/sys/netkey/key_debug.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*	$FreeBSD$	*/
-/*	$KAME: key_debug.h,v 1.11 2002/11/05 03:48:34 itojun Exp $	*/
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _NETKEY_KEY_DEBUG_H_
-#define _NETKEY_KEY_DEBUG_H_
-
-#ifdef _KERNEL
-/* debug flags */
-#define KEYDEBUG_STAMP		0x00000001 /* path */
-#define KEYDEBUG_DATA		0x00000002 /* data */
-#define KEYDEBUG_DUMP		0x00000004 /* dump */
-
-#define KEYDEBUG_KEY		0x00000010 /* key processing */
-#define KEYDEBUG_ALG		0x00000020 /* ciph & auth algorithm */
-#define KEYDEBUG_IPSEC		0x00000040 /* ipsec processing */
-
-#define KEYDEBUG_KEY_STAMP	(KEYDEBUG_KEY | KEYDEBUG_STAMP)
-#define KEYDEBUG_KEY_DATA	(KEYDEBUG_KEY | KEYDEBUG_DATA)
-#define KEYDEBUG_KEY_DUMP	(KEYDEBUG_KEY | KEYDEBUG_DUMP)
-#define KEYDEBUG_ALG_STAMP	(KEYDEBUG_ALG | KEYDEBUG_STAMP)
-#define KEYDEBUG_ALG_DATA	(KEYDEBUG_ALG | KEYDEBUG_DATA)
-#define KEYDEBUG_ALG_DUMP	(KEYDEBUG_ALG | KEYDEBUG_DUMP)
-#define KEYDEBUG_IPSEC_STAMP	(KEYDEBUG_IPSEC | KEYDEBUG_STAMP)
-#define KEYDEBUG_IPSEC_DATA	(KEYDEBUG_IPSEC | KEYDEBUG_DATA)
-#define KEYDEBUG_IPSEC_DUMP	(KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
-
-#define KEYDEBUG(lev,arg) \
-	do { if ((key_debug_level & (lev)) == (lev)) { arg; } } while (/*CONSTCOND*/ 0)
-
-extern u_int32_t key_debug_level;
-#endif /*_KERNEL*/
-
-struct sadb_msg;
-struct sadb_ext;
-extern void kdebug_sadb(struct sadb_msg *);
-extern void kdebug_sadb_x_policy(struct sadb_ext *);
-
-#ifdef _KERNEL
-struct secpolicy;
-struct secpolicyindex;
-struct secasindex;
-struct secasvar;
-struct secreplay;
-struct mbuf;
-extern void kdebug_secpolicy(struct secpolicy *);
-extern void kdebug_secpolicyindex(struct secpolicyindex *);
-extern void kdebug_secasindex(struct secasindex *);
-extern void kdebug_secasv(struct secasvar *);
-extern void kdebug_mbufhdr(struct mbuf *);
-extern void kdebug_mbuf(struct mbuf *);
-#endif /*_KERNEL*/
-
-struct sockaddr;
-extern void kdebug_sockaddr(struct sockaddr *);
-
-extern void ipsec_hexdump(caddr_t, int);
-extern void ipsec_bindump(caddr_t, int);
-
-#endif /* _NETKEY_KEY_DEBUG_H_ */
diff --git a/sys/netkey/key_var.h b/sys/netkey/key_var.h
deleted file mode 100644
index 91b5d3bb1f7e..000000000000
--- a/sys/netkey/key_var.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*	$FreeBSD$	*/
-/*	$KAME: key_var.h,v 1.12 2001/11/06 03:48:29 itojun Exp $	*/
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _NETKEY_KEY_VAR_H_
-#define _NETKEY_KEY_VAR_H_
-
-/* sysctl */
-#define KEYCTL_DEBUG_LEVEL		1
-#define KEYCTL_SPI_TRY			2
-#define KEYCTL_SPI_MIN_VALUE		3
-#define KEYCTL_SPI_MAX_VALUE		4
-#define KEYCTL_RANDOM_INT		5
-#define KEYCTL_LARVAL_LIFETIME		6
-#define KEYCTL_BLOCKACQ_COUNT		7
-#define KEYCTL_BLOCKACQ_LIFETIME	8
-#define KEYCTL_ESP_KEYMIN		9
-#define KEYCTL_ESP_AUTH			10
-#define KEYCTL_AH_KEYMIN		11
-#define KEYCTL_PREFERED_OLDSA		12
-#define KEYCTL_MAXID			13
-
-#ifdef _KERNEL
-#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
-#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
-#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
-#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
-#endif /*_KERNEL*/
-
-#endif /* _NETKEY_KEY_VAR_H_ */
diff --git a/sys/netkey/keydb.h b/sys/netkey/keydb.h
deleted file mode 100644
index b32536206feb..000000000000
--- a/sys/netkey/keydb.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/*	$FreeBSD$	*/
-/*	$KAME: keydb.h,v 1.24 2003/09/07 15:12:10 itojun Exp $	*/
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _NETKEY_KEYDB_H_
-#define _NETKEY_KEYDB_H_
-
-#ifdef _KERNEL
-
-#include <netkey/key_var.h>
-
-#ifndef _SOCKADDR_UNION_DEFINED
-#define	_SOCKADDR_UNION_DEFINED
-/*
- * The union of all possible address formats we handle.
- */
-union sockaddr_union {
-	struct sockaddr		sa;
-	struct sockaddr_in	sin;
-	struct sockaddr_in6	sin6;
-};
-#endif /* _SOCKADDR_UNION_DEFINED */
-
-/* Security Assocciation Index */
-/* NOTE: Ensure to be same address family */
-struct secasindex {
-	struct sockaddr_storage src;	/* srouce address for SA */
-	struct sockaddr_storage dst;	/* destination address for SA */
-	u_int16_t proto;		/* IPPROTO_ESP or IPPROTO_AH */
-	u_int8_t mode;			/* mode of protocol, see ipsec.h */
-	u_int32_t reqid;		/* reqid id who owned this SA */
-					/* see IPSEC_MANUAL_REQID_MAX. */
-};
-
-/* Security Association Data Base */
-struct secashead {
-	LIST_ENTRY(secashead) chain;
-
-	struct secasindex saidx;
-
-	struct sadb_ident *idents;	/* source identity */
-	struct sadb_ident *identd;	/* destination identity */
-					/* XXX I don't know how to use them. */
-
-	u_int8_t state;			/* MATURE or DEAD. */
-	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
-					/* SA chain */
-					/* The first of this list is newer SA */
-
-	union {
-		struct route sau_route;
-		struct route_in6 sau_route6;
-	} sa_u;
-#define sa_route sa_u.sau_route
-};
-
-/* Security Association */
-struct secasvar {
-	TAILQ_ENTRY(secasvar) tailq;
-	LIST_ENTRY(secasvar) chain;
-	LIST_ENTRY(secasvar) spihash;
-
-	int refcnt;			/* reference count */
-	u_int8_t state;			/* Status of this Association */
-
-	u_int8_t alg_auth;		/* Authentication Algorithm Identifier*/
-	u_int8_t alg_enc;		/* Cipher Algorithm Identifier */
-	u_int32_t spi;			/* SPI Value, network byte order */
-	u_int32_t flags;		/* holder for SADB_KEY_FLAGS */
-
-	struct sadb_key *key_auth;	/* Key for Authentication */
-	struct sadb_key *key_enc;	/* Key for Encryption */
-	caddr_t iv;			/* Initilization Vector */
-	u_int ivlen;			/* length of IV */
-	void *sched;			/* intermediate encryption key */
-	size_t schedlen;
-
-	struct secreplay *replay;	/* replay prevention */
-	long created;			/* for lifetime */
-
-	struct sadb_lifetime *lft_c;	/* 
CURRENT lifetime, it's constant. */
-	struct sadb_lifetime *lft_h;	/* HARD lifetime */
-	struct sadb_lifetime *lft_s;	/* SOFT lifetime */
-
-	u_int64_t seq;			/* sequence number */
-	pid_t pid;			/* message's pid */
-
-	struct secashead *sah;		/* back pointer to the secashead */
-
-	u_int32_t id;			/* SA id */
-};
-
-/* replay prevention */
-struct secreplay {
-	u_int64_t count;
-	u_int wsize;		/* window size, i.g. 4 bytes */
-	u_int64_t seq;		/* used by sender */
-	u_int64_t lastseq;	/* used by receiver */
-	u_int8_t *bitmap;	/* used by receiver */
-	int overflow;		/* what round does the counter take. */
-};
-
-/* socket table due to send PF_KEY messages. */
-struct secreg {
-	LIST_ENTRY(secreg) chain;
-
-	struct socket *so;
-};
-
-#ifndef IPSEC_NONBLOCK_ACQUIRE
-/* acquiring list table. */
-struct secacq {
-	LIST_ENTRY(secacq) chain;
-
-	struct secasindex saidx;
-
-	u_int32_t seq;		/* sequence number */
-	long created;		/* for lifetime */
-	int count;		/* for lifetime */
-};
-#endif
-
-/* Sensitivity Level Specification */
-/* nothing */
-
-#define SADB_KILL_INTERVAL	600	/* six seconds */
-
-struct key_cb {
-	int key_count;
-	int any_count;
-};
-
-/* secpolicy */
-struct secpolicy;
-struct secpolicyindex;
-extern struct secpolicy *keydb_newsecpolicy(void);
-extern u_int32_t keydb_newspid(void);
-extern void keydb_delsecpolicy(struct secpolicy *);
-extern int keydb_setsecpolicyindex
-	(struct secpolicy *, struct secpolicyindex *);
-/* secashead */
-extern struct secashead *keydb_newsecashead(void);
-extern void keydb_delsecashead(struct secashead *);
-/* secasvar */
-extern struct secasvar *keydb_newsecasvar(void);
-extern void keydb_delsecasvar(struct secasvar *);
-/* secreplay */
-extern struct secreplay *keydb_newsecreplay(size_t);
-extern void keydb_delsecreplay(struct secreplay *);
-/* secreg */
-extern struct secreg *keydb_newsecreg(void);
-extern void keydb_delsecreg(struct secreg *);
-
-#endif /* _KERNEL */
-
-#endif /* _NETKEY_KEYDB_H_ */
diff --git a/sys/netkey/keysock.h b/sys/netkey/keysock.h
deleted file mode 100644
index 0422517c8291..000000000000
--- a/sys/netkey/keysock.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*	$FreeBSD$	*/
-/*	$KAME: keysock.h,v 1.9 2002/03/21 14:00:14 itojun Exp $	*/
-
-/*-
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _NETKEY_KEYSOCK_H_
-#define _NETKEY_KEYSOCK_H_
-
-/* statistics for pfkey socket */
-struct pfkeystat {
-	/* userland -> kernel */
-	u_quad_t out_total;		/* # of total calls */
-	u_quad_t out_bytes;		/* total bytecount */
-	u_quad_t out_msgtype[256];	/* message type histogram */
-	u_quad_t out_invlen;		/* invalid length field */
-	u_quad_t out_invver;		/* invalid version field */
-	u_quad_t out_invmsgtype;	/* invalid message type field */
-	u_quad_t out_tooshort;		/* msg too short */
-	u_quad_t out_nomem;		/* memory allocation failure */
-	u_quad_t out_dupext;		/* duplicate extension */
-	u_quad_t out_invexttype;	/* invalid extension type */
-	u_quad_t out_invsatype;		/* invalid sa type */
-	u_quad_t out_invaddr;		/* invalid address extension */
-	/* kernel -> userland */
-	u_quad_t in_total;		/* # of total calls */
-	u_quad_t in_bytes;		/* total bytecount */
-	u_quad_t in_msgtype[256];	/* message type histogram */
-	u_quad_t in_msgtarget[3];	/* one/all/registered */
-	u_quad_t in_nomem;		/* memory allocation failure */
-	/* others */
-	u_quad_t sockerr;		/* # of socket related errors */
-};
-
-#define KEY_SENDUP_ONE		0
-#define KEY_SENDUP_ALL		1
-#define KEY_SENDUP_REGISTERED	2
-
-#ifdef _KERNEL
-struct keycb {
-	struct rawcb kp_raw;	/* rawcb */
-	int kp_promisc;		/* promiscuous mode */
-	int kp_registered;	/* registered socket */
-};
-
-extern struct pfkeystat pfkeystat;
-
-extern int key_output(struct mbuf *m, struct socket *so);
-extern int key_usrreq(struct socket *,
-	int, struct mbuf *, struct mbuf *, struct mbuf *);
-
-extern int key_sendup_mbuf(struct socket *, struct mbuf *, int);
-#endif /* _KERNEL */
-
-#endif /*_NETKEY_KEYSOCK_H_*/
|
