author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-04-11 19:41:42 +0000 |
committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-04-11 19:41:42 +0000 |
commit | 7ab4566c34fb0c170d5805b34cd71d628eb1b501 (patch) | |
tree | 2a3692c04b3c0ed1032a41936fd4cdecb7b23796 /sys/netinet | |
parent | ecae586b2a272f8463fb63b561d690b87f1d8b4c (diff) |
Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in.h | 41 | ||||
-rw-r--r-- | sys/netinet/in_proto.c | 15 | ||||
-rw-r--r-- | sys/netinet/ip_ah.c | 47 | ||||
-rw-r--r-- | sys/netinet/ip_ah.h | 20 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 47 | ||||
-rw-r--r-- | sys/netinet/ip_esp.h | 20 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 5 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 20 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 27 |
9 files changed, 192 insertions, 50 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h index 089d5e40dcb..24553dff5a6 100644 --- a/sys/netinet/in.h +++ b/sys/netinet/in.h @@ -1,4 +1,4 @@ -/* $OpenBSD: in.h,v 1.22 1999/04/09 23:28:44 niklas Exp $ */ +/* $OpenBSD: in.h,v 1.23 1999/04/11 19:41:36 niklas Exp $ */ /* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */ /* @@ -456,7 +456,7 @@ struct in6_pktinfo { * Third level is protocol number. * Fourth level is desired variable within that protocol. */ -#define IPPROTO_MAXID (IPPROTO_IDP + 1) /* don't list to IPPROTO_MAX */ +#define IPPROTO_MAXID (IPPROTO_AH + 1) /* don't list to IPPROTO_MAX */ #define CTL_IPPROTO_NAMES { \ { "ip", CTLTYPE_NODE }, \ @@ -481,7 +481,36 @@ struct in6_pktinfo { { 0, 0 }, \ { 0, 0 }, \ { 0, 0 }, \ - { "idp", CTLTYPE_NODE }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { 0, 0 }, \ + { "esp", CTLTYPE_NODE }, \ + { "ah", CTLTYPE_NODE }, \ } /* @@ -500,14 +529,15 @@ struct in6_pktinfo { #define IPCTL_IPPORT_HIFIRSTAUTO 9 #define IPCTL_IPPORT_HILASTAUTO 10 #define IPCTL_IPPORT_MAXQUEUE 11 -#define IPCTL_MAXID 12 +#define IPCTL_ENCDEBUG 12 +#define IPCTL_MAXID 13 #define IPCTL_NAMES { \ { 0, 0 }, \ { "forwarding", CTLTYPE_INT }, \ { "redirect", CTLTYPE_INT }, \ { "ttl", CTLTYPE_INT }, \ - { "mtu", CTLTYPE_INT }, \ + /* { "mtu", CTLTYPE_INT }, */ { 0, 0 }, \ { "sourceroute", CTLTYPE_INT }, \ { "directed-broadcast", CTLTYPE_INT }, \ { "portfirst", CTLTYPE_INT }, \ @@ -515,6 +545,7 @@ struct in6_pktinfo { { "porthifirst", CTLTYPE_INT }, \ { "porthilast", CTLTYPE_INT }, \ { "maxqueue", CTLTYPE_INT }, \ + { "encdebug", CTLTYPE_INT }, \ } #ifndef _KERNEL 
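Review bot: In the CTL_IPPROTO_NAMES hunk the `{ "idp", CTLTYPE_NODE }` entry at the IPPROTO_IDP slot is replaced by `{ 0, 0 }` rather than kept, so net.inet.idp silently disappears from the name table even though the commit message only mentions adding ah/esp and renaming encdebug. If dropping the idp name is intended, say so in the message; otherwise keep `{ "idp", CTLTYPE_NODE }, \` at that position and pad only the slots after it. The table is indexed by protocol number (IPPROTO_MAXID is now `IPPROTO_AH + 1`), so the run of 28 bare `{ 0, 0 }` lines also deserves a marker at its start, e.g. `/* IPPROTO_IDP+1 .. IPPROTO_ESP-1: unused */`, so a later edit does not miscount and shift the esp/ah entries onto the wrong protocol numbers.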
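Review bot: The IPCTL_NAMES hunk leaves commented-out code in a live table: `/* { "mtu", CTLTYPE_INT }, */ { 0, 0 }, \`. Dead code in a `#define` continuation is easy to misread as active; replace it with the placeholder plus a reason, e.g. `{ 0, 0 },	/* former "mtu" slot, no longer exposed */ \`, and keep the slot count unchanged. The new `{ "encdebug", CTLTYPE_INT }` entry is fine as long as IPCTL_ENCDEBUG stays equal to its index (12), which the hunk keeps consistent with the bumped IPCTL_MAXID.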
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index 7e9abf88109..9fe63585053 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_proto.c,v 1.12 1999/04/09 23:28:45 niklas Exp $ */ +/* $OpenBSD: in_proto.c,v 1.13 1999/04/11 19:41:36 niklas Exp $ */ /* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */ /* @@ -112,14 +112,9 @@ void iplinit __P((void)); #ifdef IPSEC #include <netinet/ip_ipsp.h> +#include <netinet/ip_ah.h> +#include <netinet/ip_esp.h> #include <netinet/ip_ip4.h> - -extern void ah_input __P((struct mbuf *, ...)); -extern void esp_input __P((struct mbuf *, ...)); -extern int ah_output __P((struct mbuf *, struct sockaddr_encap *, - struct tdb *, struct mbuf **)); -extern int esp_output __P((struct mbuf *, struct sockaddr_encap *, - struct tdb *, struct mbuf **)); #endif extern struct domain inetdomain; @@ -201,12 +196,12 @@ struct protosw inetsw[] = { { SOCK_RAW, &inetdomain, IPPROTO_AH, PR_ATOMIC|PR_ADDR, ah_input, rip_output, 0, rip_ctloutput, rip_usrreq, - 0, 0, 0, 0, + 0, 0, 0, 0, ah_sysctl }, { SOCK_RAW, &inetdomain, IPPROTO_ESP, PR_ATOMIC|PR_ADDR, esp_input, rip_output, 0, rip_ctloutput, rip_usrreq, - 0, 0, 0, 0, + 0, 0, 0, 0, esp_sysctl }, #endif #ifdef INET6 diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index 5045c72c441..5ae21da75fe 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.20 1999/04/09 22:27:54 niklas Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.21 1999/04/11 19:41:36 niklas Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -47,6 +47,7 @@ #include <sys/domain.h> #include <sys/protosw.h> #include <sys/socket.h> +#include <sys/sysctl.h> #include <sys/errno.h> #include <sys/time.h> #include <sys/kernel.h> 
@@ -82,15 +83,21 @@ extern struct ifnet enc_softc; #define DPRINTF(x) #endif -void ah_input __P((struct mbuf *, int)); +int ah_enable = 0; /* * ah_input gets called when we receive an packet with an AH. */ void -ah_input(register struct mbuf *m, int iphlen) +#if __STDC__ +ah_input(struct mbuf *m, ...) +#else +ah_input(m, va_alist) + register struct mbuf *m; +#endif { + int iphlen; union sockaddr_union sunion; struct ifqueue *ifq = NULL; struct ah_old *ahp, ahn; @@ -98,9 +105,21 @@ ah_input(register struct mbuf *m, int iphlen) struct ip *ipo, ipn; struct tdb *tdbp; int s; + va_list ap; + va_start(ap, m); + iphlen = va_arg(ap, int); + va_end(ap); + ahstat.ahs_input++; + if (!ah_enable) + { + m_freem(m); + ahstat.ahs_pdrops++; + return; + } + /* * Make sure that at least the fixed part of the AH header is * in the first mbuf. @@ -317,3 +336,25 @@ ah_input(register struct mbuf *m, int iphlen) splx(s); return; } + +int +ah_sysctl(name, namelen, oldp, oldlenp, newp, newlen) + int *name; + u_int namelen; + void *oldp; + size_t *oldlenp; + void *newp; + size_t newlen; +{ + /* All sysctl names at this level are terminal. */ + if (namelen != 1) + return (ENOTDIR); + + switch (name[0]) { + case AHCTL_ENABLE: + return (sysctl_int(oldp, oldlenp, newp, newlen, &ah_enable)); + default: + return (ENOPROTOOPT); + } + /* NOTREACHED */ +} diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h index 0f4f48d8011..2bf947df5c3 100644 --- a/sys/netinet/ip_ah.h +++ b/sys/netinet/ip_ah.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.h,v 1.15 1999/02/24 23:45:47 angelos Exp $ */ +/* $OpenBSD: ip_ah.h,v 1.16 1999/04/11 19:41:37 niklas Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -68,6 +68,7 @@ struct ahstat u_int64_t ahs_ibytes; /* input bytes */ u_int64_t ahs_obytes; /* output bytes */ u_int32_t ahs_toobig; /* packet got larger than IP_MAXPACKET */ + u_int32_t ahs_pdrops; /* packet blocked due to policy */ }; struct ah_new 
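Review bot: `ah_enable` is the new default-off gate for AH input here and, via ip_output, for AH output, but it is introduced without a comment and the drop it causes is counted in `ahs_pdrops`, whose header comment only says "policy". Document the knob where it is defined, `int ah_enable = 0;	/* net.inet.ah.enable: AH is refused on input and output until set non-zero */`, and at the gate `/* Administratively disabled: drop before parsing any of the AH header. */`. The gate sits ahead of the header-length checks, so a disabled AH never parses untrusted header bytes, which is the right order and worth preserving if the function is reorganised. The same applies to `esp_enable` and esp_input in the ip_esp.c hunks. ah_input's body continues outside the hunk.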
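Review bot: ah_sysctl returns `ENOPROTOOPT` for an unknown name while ip_sysctl in the same commit keeps `EOPNOTSUPP` for its default case, so a caller probing net.inet.* nodes sees two different errors for the same condition. Pick whichever the tree prefers and use it in both ah_sysctl and esp_sysctl (the ip_esp.c hunk has the identical switch); `return (EOPNOTSUPP);` would match the existing ip_sysctl. A one-line header comment would also help readers arriving from in_proto.c: `/* net.inet.ah sysctl handler; the only leaf is AHCTL_ENABLE (net.inet.ah.enable). */`.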
@@ -82,6 +83,23 @@ struct ah_new #define AH_NEW_FLENGTH (sizeof(struct ah_new)) +/* + * Names for AH sysctl objects + */ +#define AHCTL_ENABLE 1 /* Enable AH processing */ +#define AHCTL_MAXID 2 + +#define AHCTL_NAMES { \ + { 0, 0 }, \ + { "enable", CTLTYPE_INT }, \ +} + #ifdef _KERNEL +void ah_input __P((struct mbuf *, ...)); +int ah_output __P((struct mbuf *, struct sockaddr_encap *, + struct tdb *, struct mbuf **)); +int ah_sysctl __P((int *, u_int, void *, size_t *, void *, size_t)); + +extern int ah_enable; struct ahstat ahstat; #endif /* _KERNEL */ diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index b99460802e1..a09c76481e4 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.20 1999/04/09 22:27:53 niklas Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.21 1999/04/11 19:41:37 niklas Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -47,6 +47,7 @@ #include <sys/domain.h> #include <sys/protosw.h> #include <sys/socket.h> +#include <sys/sysctl.h> #include <sys/errno.h> #include <sys/time.h> #include <sys/kernel.h> @@ -82,15 +83,21 @@ extern struct ifnet enc_softc; #define DPRINTF(x) #endif -void esp_input __P((struct mbuf *, int)); +int esp_enable = 0; /* * esp_input gets called when we receive an packet with an ESP. */ void -esp_input(register struct mbuf *m, int iphlen) +#if __STDC__ +esp_input(struct mbuf *m, ...) +#else +esp_input(m, va_alist) + register struct mbuf *m; +#endif { + int iphlen; union sockaddr_union sunion; struct ifqueue *ifq = NULL; struct expiration *exp; @@ -98,9 +105,21 @@ esp_input(register struct mbuf *m, int iphlen) struct tdb *tdbp; u_int32_t spi; int s; + va_list ap; + va_start(ap, m); + iphlen = va_arg(ap, int); + va_end(ap); + espstat.esps_input++; + if (!esp_enable) + { + m_freem(m); + espstat.esps_pdrops++; + return; + } + /* * Make sure that at least the SPI is in the same mbuf */ 
@@ -316,3 +335,25 @@ esp_input(register struct mbuf *m, int iphlen) splx(s); return; } + +int +esp_sysctl(name, namelen, oldp, oldlenp, newp, newlen) + int *name; + u_int namelen; + void *oldp; + size_t *oldlenp; + void *newp; + size_t newlen; +{ + /* All sysctl names at this level are terminal. */ + if (namelen != 1) + return (ENOTDIR); + + switch (name[0]) { + case ESPCTL_ENABLE: + return (sysctl_int(oldp, oldlenp, newp, newlen, &esp_enable)); + default: + return (ENOPROTOOPT); + } + /* NOTREACHED */ +} diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h index 1b4fe3323f3..6f9d9e76673 100644 --- a/sys/netinet/ip_esp.h +++ b/sys/netinet/ip_esp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.h,v 1.22 1999/02/24 23:45:49 angelos Exp $ */ +/* $OpenBSD: ip_esp.h,v 1.23 1999/04/11 19:41:38 niklas Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -76,8 +76,26 @@ struct espstat u_int64_t esps_ibytes; /* input bytes */ u_int64_t esps_obytes; /* output bytes */ u_int32_t esps_toobig; /* packet got larger than IP_MAXPACKET */ + u_int32_t esps_pdrops; /* packet blocked due to policy */ }; +/* + * Names for ESP sysctl objects + */ +#define ESPCTL_ENABLE 1 /* Enable ESP processing */ +#define ESPCTL_MAXID 2 + +#define ESPCTL_NAMES { \ + { 0, 0 }, \ + { "enable", CTLTYPE_INT }, \ +} + #ifdef _KERNEL +void esp_input __P((struct mbuf *, ...)); +int esp_output __P((struct mbuf *, struct sockaddr_encap *, + struct tdb *, struct mbuf **)); +int esp_sysctl __P((int *, u_int, void *, size_t *, void *, size_t)); + +extern int esp_enable; struct espstat espstat; #endif /* _Kernel */ diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index f7ada6e46ff..2e01890273c 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.37 1999/02/21 04:01:46 deraadt Exp $ */ +/* $OpenBSD: ip_input.c,v 1.38 1999/04/11 19:41:38 niklas Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* 
@@ -64,6 +64,7 @@ #include <netinet/in_var.h> #include <netinet/ip_var.h> #include <netinet/ip_icmp.h> +#include <netinet/ip_ipsp.h> #ifndef IPFORWARDING #ifdef GATEWAY @@ -1430,6 +1431,8 @@ ip_sysctl(name, namelen, oldp, oldlenp, newp, newlen) case IPCTL_IPPORT_MAXQUEUE: return (sysctl_int(oldp, oldlenp, newp, newlen, &ip_maxqueue)); + case IPCTL_ENCDEBUG: + return (sysctl_int(oldp, oldlenp, newp, newlen, &encdebug)); default: return (EOPNOTSUPP); } diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index e963410849f..f8016b565fb 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.28 1999/03/27 21:04:19 provos Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.29 1999/04/11 19:41:39 niklas Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), @@ -379,24 +379,6 @@ htonq(u_int64_t q) #error "Please fix <machine/endian.h>" #endif -/* - * Names for IPsec sysctl objects - */ -#define IPSECCTL_PFKEY 0 -#define IPSECCTL_MAXID 1 - -#define CTL_IPSEC_NAMES {\ - { "pfkey", CTLTYPE_NODE }, \ -} - -#define PFKEYCTL_ENCDEBUG 1 -#define PFKEYCTL_MAXID 2 - -#define PFKEYCTL_NAMES {\ - { 0, 0 }, \ - { "encdebug", CTLTYPE_INT }, \ -} - #ifdef _KERNEL extern int encdebug; extern int ipsec_in_use; diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 0c0400c0c1a..2f74c801df4 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.44 1999/03/27 21:04:20 provos Exp $ */ +/* $OpenBSD: ip_output.c,v 1.45 1999/04/11 19:41:39 niklas Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -64,7 +64,8 @@ #include <machine/stdarg.h> #ifdef IPSEC -#include <netinet/ip_ipsp.h> +#include <netinet/ip_ah.h> +#include <netinet/ip_esp.h> #include <netinet/udp.h> #include <netinet/tcp.h> 
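Review bot: The `IPCTL_ENCDEBUG` case and the new `#include <netinet/ip_ipsp.h>` in ip_input.c are not under `#ifdef IPSEC`, unlike every other IPsec reference this commit touches. If `encdebug` is defined only in an IPsec-only object (the page shows only the `extern int encdebug;` in ip_ipsp.h), a kernel built without IPSEC will fail to link ip_input.o; guard the case with `#ifdef IPSEC` so the `default:` returns `EOPNOTSUPP` otherwise, or define `encdebug` unconditionally and say so in a comment. ip_sysctl's body begins outside the hunk.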
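Review bot: In the ip_output.c include hunk `#include <netinet/ip_ipsp.h>` is replaced by, not supplemented with, ip_ah.h and ip_esp.h, yet ip_output still uses `struct tdb` fields (`tdb_onext`, `tdb_sproto`, `tdb_src`) and `IPSEC_LEVEL_BYPASS` in the later hunk. Whether that still compiles depends on ip_ah.h or ip_esp.h pulling in ip_ipsp.h transitively, which I cannot see; keeping `#include <netinet/ip_ipsp.h>` next to the two new includes costs nothing and removes the dependency on header ordering.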
@@ -167,14 +168,14 @@ ip_output(m0, va_alist) /* * Check if the packet needs encapsulation */ - if (!(flags & IP_ENCAPSULATED) && + if (!(flags & IP_ENCAPSULATED) && (inp == NULL || - (inp->inp_seclevel[SL_AUTH] != IPSEC_LEVEL_BYPASS || - inp->inp_seclevel[SL_ESP_TRANS] != IPSEC_LEVEL_BYPASS || - inp->inp_seclevel[SL_ESP_NETWORK] != IPSEC_LEVEL_BYPASS))) { + inp->inp_seclevel[SL_AUTH] != IPSEC_LEVEL_BYPASS || + inp->inp_seclevel[SL_ESP_TRANS] != IPSEC_LEVEL_BYPASS || + inp->inp_seclevel[SL_ESP_NETWORK] != IPSEC_LEVEL_BYPASS)) { struct route_enc re0, *re = &re0; struct sockaddr_encap *ddst, *gw; - struct tdb *tdb; + struct tdb *tdb, *t; u_int8_t sa_require, sa_have = 0; if (inp == NULL) @@ -318,6 +319,18 @@ ip_output(m0, va_alist) goto done; } + for (t = tdb; t != NULL; t = t->tdb_onext) + if ((t->tdb_sproto == IPPROTO_ESP && !esp_enable) || + (t->tdb_sproto == IPPROTO_AH && !ah_enable)) { + DPRINTF(("ip_output(): IPSec outbound packet dropped due to policy\n")); + + if (re->re_rt) + RTFREE(re->re_rt); + error = EHOSTUNREACH; + m_freem(m); + goto done; + } + /* Fix the ip_src field if necessary */ if (ip->ip_src.s_addr == INADDR_ANY) { if (tdb && tdb->tdb_src.sin.sin_addr.s_addr != 0 && |
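Review bot: The new loop drops the packet when any SA in the bundle belongs to a disabled protocol, which is the fail-closed choice (a packet that policy says must be protected is never sent in the clear), but nothing says so, and the DPRINTF text "dropped due to policy" points at the SPD rather than at the sysctl. A comment above the loop, `/* Fail closed: if any required SA uses a protocol disabled via net.inet.{ah,esp}.enable, refuse to send rather than send unprotected. */`, and a message such as `"ip_output(): AH/ESP disabled by sysctl, packet dropped\n"` would make both the intent and the log line unambiguous. Brace the `for` as well: its body is a braced multi-line `if`, and an unbraced loop around it is easy to break when a second statement is added. The `RTFREE(re->re_rt)` before `goto done` mirrors the error path just above it; I cannot see whether `done:` also releases re_rt, so confirm there is no double release. ip_output's body continues on both sides of the hunk.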