author | Niels Provos <provos@cvs.openbsd.org> | 1997-06-25 07:53:30 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 1997-06-25 07:53:30 +0000 |
commit | 2c9ded294a4d953f480eee2306fa97f79e827527 (patch) | |
tree | 082b2f37de03d91c07920aaef2b13e620ab25793 /sys/netinet | |
parent | eb51828dafd060aca283723aefa09b27ede1e79b (diff) |
hard and soft limits for SPIs per absolute timer, relative since establishment,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_ah.c | 17 | ||||
-rw-r--r-- | sys/netinet/ip_ah.h | 3 | ||||
-rw-r--r-- | sys/netinet/ip_ahhmacmd5.c | 28 | ||||
-rw-r--r-- | sys/netinet/ip_ahhmacsha1.c | 24 | ||||
-rw-r--r-- | sys/netinet/ip_ahmd5.c | 26 | ||||
-rw-r--r-- | sys/netinet/ip_ahsha1.c | 22 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 18 | ||||
-rw-r--r-- | sys/netinet/ip_esp.h | 26 | ||||
-rw-r--r-- | sys/netinet/ip_esp3des.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_esp3desmd5.c | 12 | ||||
-rw-r--r-- | sys/netinet/ip_espdes.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_espdesmd5.c | 12 | ||||
-rw-r--r-- | sys/netinet/ip_ip4.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_ip4.h | 14 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.c | 61 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 33 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 41 |
17 files changed, 249 insertions, 114 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index cd550282775..d012fbdeba8 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.5 1997/06/24 12:15:19 provos Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.6 1997/06/25 07:53:21 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -123,6 +123,17 @@ ah_input(register struct mbuf *m, int iphlen) return; } + if (tdbp->tdb_flags & TDBF_INVALID) + { +#ifdef ENCDEBUG + if (encdebug) + printf("ah_input: spi=%x is no longer/yet valid\n", ahp->ah_spi); +#endif /* ENCDEBUG */ + m_freem(m); + ahstat.ahs_invalid++; + return; + } + if (tdbp->tdb_xform == NULL) { #ifdef ENCDEBUG @@ -136,6 +147,10 @@ ah_input(register struct mbuf *m, int iphlen) m->m_pkthdr.rcvif = tdbp->tdb_rcvif; + /* Register first use */ + if (tdbp->tdb_first_use == 0) + tdbp->tdb_first_use = time.tv_sec; + m = (*(tdbp->tdb_xform->xf_input))(m, tdbp); if (m == NULL) diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h index 25af64cf1a8..da9840e14e7 100644 --- a/sys/netinet/ip_ah.h +++ b/sys/netinet/ip_ah.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.h,v 1.6 1997/06/20 05:41:47 provos Exp $ */ +/* $OpenBSD: ip_ah.h,v 1.7 1997/06/25 07:53:21 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -55,6 +55,7 @@ struct ahstat u_int32_t ahs_badauthl; /* bad authenticator length */ u_int32_t ahs_input; /* Input AH packets */ u_int32_t ahs_output; /* Output AH packets */ + u_int32_t ahs_invalid; /* Trying to use an invalid TDB */ }; #define AHHMACMD5_KMAX 64 /* max 512 bits key */ diff --git a/sys/netinet/ip_ahhmacmd5.c b/sys/netinet/ip_ahhmacmd5.c index 243c5b6e408..3a3bd949caf 100644 --- a/sys/netinet/ip_ahhmacmd5.c +++ b/sys/netinet/ip_ahhmacmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahhmacmd5.c,v 1.11 1997/06/24 20:57:24 provos Exp $ */ +/* $OpenBSD: ip_ahhmacmd5.c,v 1.12 1997/06/25 07:53:22 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, 
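Review bot: In ah_input, `tdbp->tdb_first_use = time.tv_sec;` runs before `xf_input` has authenticated the packet, so anyone who can reach this address and knows or guesses the SPI can start the first-use expiry clock of the SA with a forged, unauthenticated AH packet. Stamp it only after the transform has accepted the packet, i.e. after the `m = (*(tdbp->tdb_xform->xf_input))(m, tdbp);` call: `if (m != NULL && tdbp->tdb_first_use == 0) tdbp->tdb_first_use = time.tv_sec;`. `time` is the kernel clock from <sys/kernel.h>; ip_output.c adds that include in this commit but ip_ah.c does not, so confirm it is already included here. ah_input's body continues past the end of the hunk.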
@@ -239,24 +239,28 @@ ahhmacmd5_input(struct mbuf *m, struct tdb *tdb) switch (optval) { case IPOPT_EOL: + MD5Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: MD5Update(&ctx, ipseczeroes, 1); off++; - continue; - + break; + case IPOPT_SECURITY: case 133: case 134: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; - + break; + default: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -360,8 +364,8 @@ ahhmacmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -511,11 +515,11 @@ ahhmacmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, str *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; if (xd->amx_wnd >= 0) - tdb->tdb_bytes -= HMACMD5_RPLENGTH; + tdb->tdb_cur_bytes -= HMACMD5_RPLENGTH; return 0; } diff --git a/sys/netinet/ip_ahhmacsha1.c b/sys/netinet/ip_ahhmacsha1.c index bd2003e52fe..ac9b056a010 100644 --- a/sys/netinet/ip_ahhmacsha1.c +++ b/sys/netinet/ip_ahhmacsha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahhmacsha1.c,v 1.9 1997/06/24 20:57:25 provos Exp $ */ +/* $OpenBSD: ip_ahhmacsha1.c,v 1.10 1997/06/25 07:53:22 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, 
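Review bot: In the `IPOPT_SECURITY` and `default` arms the option length is read from `((u_int8_t *)ip)[off + 1]` and added to `off` unchecked: a length of 0 leaves `off` where it was so the option loop never terminates, and a length that runs past the header makes MD5Update read beyond the IP options. If ip_dooptions() is guaranteed to have rejected such packets before they reach ah_input, a one-line comment on the switch saying so is enough; otherwise drop the packet before using the length, e.g. `if (optval < 2 || off + optval > (ip->ip_hl << 2)) { m_freem(m); return NULL; }` in both arms. The same walk is duplicated in the HMAC-SHA1, keyed-MD5 and keyed-SHA1 transforms in this commit, so whichever fix is chosen belongs in all four. The loop condition that the `IPOPT_EOL` arm now terminates via `off = ip->ip_hl << 2` is above the hunk.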
@@ -240,10 +240,14 @@ ahhmacsha1_input(struct mbuf *m, struct tdb *tdb) switch (optval) { case IPOPT_EOL: + SHA1Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: SHA1Update(&ctx, ipseczeroes, 1); off++; - continue; + break; case IPOPT_SECURITY: case 133: @@ -251,13 +255,13 @@ ahhmacsha1_input(struct mbuf *m, struct tdb *tdb) optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; + break; default: optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -363,8 +367,8 @@ ahhmacsha1_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -516,11 +520,11 @@ ahhmacsha1_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, st *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; if (xd->amx_wnd >= 0) - tdb->tdb_bytes -= HMACSHA1_RPLENGTH; + tdb->tdb_cur_bytes -= HMACSHA1_RPLENGTH; return 0; } diff --git a/sys/netinet/ip_ahmd5.c b/sys/netinet/ip_ahmd5.c index ce3a9143220..e19b596f172 100644 --- a/sys/netinet/ip_ahmd5.c +++ b/sys/netinet/ip_ahmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahmd5.c,v 1.8 1997/06/24 20:57:25 provos Exp $ */ +/* $OpenBSD: ip_ahmd5.c,v 1.9 1997/06/25 07:53:23 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, 
@@ -195,24 +195,28 @@ ahmd5_input(struct mbuf *m, struct tdb *tdb) switch (optval) { case IPOPT_EOL: + MD5Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: MD5Update(&ctx, ipseczeroes, 1); off++; - continue; - + break; + case IPOPT_SECURITY: case 133: case 134: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; - + break; + default: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -280,8 +284,8 @@ ahmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -403,9 +407,9 @@ ahmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; return 0; } diff --git a/sys/netinet/ip_ahsha1.c b/sys/netinet/ip_ahsha1.c index b7cc04425f0..61bece49bc2 100644 --- a/sys/netinet/ip_ahsha1.c +++ b/sys/netinet/ip_ahsha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahsha1.c,v 1.4 1997/06/24 20:57:26 provos Exp $ */ +/* $OpenBSD: ip_ahsha1.c,v 1.5 1997/06/25 07:53:23 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -194,10 +194,14 @@ ahsha1_input(struct mbuf *m, struct tdb *tdb) switch (IPOPT_NUMBER(optval)) { case IPOPT_EOL: + SHA1Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: SHA1Update(&ctx, ipseczeroes, 1); off++; - continue; + break; case IPOPT_SECURITY: case 133: 
@@ -205,13 +209,13 @@ ahsha1_input(struct mbuf *m, struct tdb *tdb) optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; + break; default: optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -279,8 +283,8 @@ ahsha1_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -402,9 +406,9 @@ ahsha1_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; return 0; } diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 0c76415d20c..dad0caaaa96 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.5 1997/06/21 00:09:16 deraadt Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.6 1997/06/25 07:53:24 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -120,6 +120,17 @@ esp_input(register struct mbuf *m, int iphlen) return; } + if (tdbp->tdb_flags & TDBF_INVALID) + { +#ifdef ENCDEBUG + if (encdebug); + printf("esp_input: spi=%x is not longer/yet valid\n", spi); +#endif + m_freem(m); + espstat.esps_invalid++; + return; + } + if (tdbp->tdb_xform == NULL) { #ifdef ENCDEBUG @@ -133,6 +144,11 @@ esp_input(register struct mbuf *m, int iphlen) m->m_pkthdr.rcvif = tdbp->tdb_rcvif; + /* Register first use */ + if (tdbp->tdb_first_use == 0) + tdbp->tdb_first_use = time.tv_sec; + + m = (*(tdbp->tdb_xform->xf_input))(m, tdbp); if (m == NULL) 
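Review bot: `if (encdebug);` in the new TDBF_INVALID block of esp_input has a stray semicolon, so under ENCDEBUG the printf runs for every packet regardless of the debug flag; since any remote sender can target a reserved-but-not-enabled SPI, this is a console-flood vector, and it should read `if (encdebug)` followed by the printf, as ah_input does. The message text "is not longer/yet valid" should be "is no longer/yet valid". As in ah_input, `tdb_first_use` is stamped before `xf_input` has decrypted or authenticated anything, so an unauthenticated packet with a known SPI starts the first-use clock; set it only when the transform returns a non-NULL mbuf. esp_input's body continues past the end of the hunk.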
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h index 10a5b7d3aff..e7798ff8d04 100644 --- a/sys/netinet/ip_esp.h +++ b/sys/netinet/ip_esp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.h,v 1.6 1997/06/20 05:41:50 provos Exp $ */ +/* $OpenBSD: ip_esp.h,v 1.7 1997/06/25 07:53:24 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -72,17 +72,18 @@ struct esp struct espstat { - u_long esps_hdrops; /* packet shorter than header shows */ - u_long esps_notdb; - u_long esps_badkcr; - u_long esps_qfull; - u_long esps_noxform; - u_long esps_badilen; - u_long esps_wrap; /* Replay counter wrapped around */ - u_long esps_badauth; /* Only valid for transforms with auth */ - u_long esps_replay; /* Possible packet replay detected */ - u_long esps_input; /* Input ESP packets */ - u_long esps_output; /* Output ESP packets */ + u_int32_t esps_hdrops; /* packet shorter than header shows */ + u_int32_t esps_notdb; + u_int32_t esps_badkcr; + u_int32_t esps_qfull; + u_int32_t esps_noxform; + u_int32_t esps_badilen; + u_int32_t esps_wrap; /* Replay counter wrapped around */ + u_int32_t esps_badauth; /* Only valid for transforms with auth */ + u_int32_t esps_replay; /* Possible packet replay detected */ + u_int32_t esps_input; /* Input ESP packets */ + u_int32_t esps_output; /* Output ESP packets */ + u_int32_t esps_invalid; /* Trying to use an invalid TDB */ }; struct espdes_xdata @@ -202,4 +203,3 @@ struct esp3desmd5_xdata struct espstat espstat; #endif - diff --git a/sys/netinet/ip_esp3des.c b/sys/netinet/ip_esp3des.c index 3cb89280283..175a2594c8a 100644 --- a/sys/netinet/ip_esp3des.c +++ b/sys/netinet/ip_esp3des.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp3des.c,v 1.5 1997/06/24 20:57:27 provos Exp $ */ +/* $OpenBSD: ip_esp3des.c,v 1.6 1997/06/25 07:53:25 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, 
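Review bot: Narrowing every `struct espstat` field from `u_long` to `u_int32_t` changes the size and layout of the struct on LP64 targets, so any userland reader of `espstat` (netstat via kvm or sysctl, if it is exported that way) built against the old header will misread the counters until rebuilt, and the commit message does not mention it. A comment above the struct would keep the next editor from widening a field again: `/* Exported to userland; keep every field a fixed-width u_int32_t. */`.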
@@ -300,8 +300,8 @@ esp3des_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; return m; } @@ -476,8 +476,8 @@ esp3des_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struc *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; return 0; } diff --git a/sys/netinet/ip_esp3desmd5.c b/sys/netinet/ip_esp3desmd5.c index d6f1ecb3eed..d52969c457b 100644 --- a/sys/netinet/ip_esp3desmd5.c +++ b/sys/netinet/ip_esp3desmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp3desmd5.c,v 1.9 1997/06/24 20:57:28 provos Exp $ */ +/* $OpenBSD: ip_esp3desmd5.c,v 1.10 1997/06/25 07:53:25 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -509,9 +509,9 @@ esp3desmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + - 2 + ESP3DESMD5_ALEN; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + + 2 + ESP3DESMD5_ALEN; return m; } @@ -772,8 +772,8 @@ esp3desmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, st *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; return 0; } diff --git a/sys/netinet/ip_espdes.c b/sys/netinet/ip_espdes.c index fd85253f793..d0b925c4aa0 100644 --- a/sys/netinet/ip_espdes.c +++ b/sys/netinet/ip_espdes.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_espdes.c,v 1.7 1997/06/24 20:57:28 provos Exp $ */ +/* $OpenBSD: ip_espdes.c,v 1.8 1997/06/25 07:53:26 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -287,8 +287,8 @@ espdes_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; return m; } @@ -460,8 +460,8 @@ espdes_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; return 0; } diff --git a/sys/netinet/ip_espdesmd5.c b/sys/netinet/ip_espdesmd5.c index 7ef8b91bc08..2700e34b888 100644 --- a/sys/netinet/ip_espdesmd5.c +++ b/sys/netinet/ip_espdesmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_espdesmd5.c,v 1.9 1997/06/24 20:57:29 provos Exp $ */ +/* $OpenBSD: ip_espdesmd5.c,v 1.10 1997/06/25 07:53:26 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -493,9 +493,9 @@ espdesmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + - 2 + ESPDESMD5_ALEN; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + + 2 + ESPDESMD5_ALEN; return m; } @@ -754,8 +754,8 @@ espdesmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, str iphlen - sizeof(struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; *mp = m; return 0; 
diff --git a/sys/netinet/ip_ip4.c b/sys/netinet/ip_ip4.c index ba5cedcc307..ff113083e91 100644 --- a/sys/netinet/ip_ip4.c +++ b/sys/netinet/ip_ip4.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ip4.c,v 1.8 1997/06/24 12:15:25 provos Exp $ */ +/* $OpenBSD: ip_ip4.c,v 1.9 1997/06/25 07:53:27 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -208,8 +208,8 @@ ipe4_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct m *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ipo->ip_len) - (ipo->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ipo->ip_len) - (ipo->ip_hl << 2); return 0; diff --git a/sys/netinet/ip_ip4.h b/sys/netinet/ip_ip4.h index 1912e858097..d489d3c1dc3 100644 --- a/sys/netinet/ip_ip4.h +++ b/sys/netinet/ip_ip4.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ip4.h,v 1.5 1997/06/20 05:41:52 provos Exp $ */ +/* $OpenBSD: ip_ip4.h,v 1.6 1997/06/25 07:53:27 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -40,12 +40,12 @@ struct ip4_xencap struct ip4stat { - u_long ip4s_ipackets; /* total input packets */ - u_long ip4s_opackets; /* total output packets */ - u_long ip4s_hdrops; /* packet shorter than header shows */ - u_long ip4s_badlen; - u_long ip4s_notip4; - u_long ip4s_qfull; + u_int32_t ip4s_ipackets; /* total input packets */ + u_int32_t ip4s_opackets; /* total output packets */ + u_int32_t ip4s_hdrops; /* packet shorter than header shows */ + u_int32_t ip4s_badlen; + u_int32_t ip4s_notip4; + u_int32_t ip4s_qfull; }; #define IP4_SAME_TTL 0 diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 1388be11ed6..99bbddb5ebe 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.9 1997/06/24 12:15:25 provos Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.10 1997/06/25 07:53:28 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, 
@@ -57,6 +57,8 @@ #include <netinet/ip_ah.h> #include <netinet/ip_esp.h> +#include <dev/rndvar.h> + int tdb_init __P((struct tdb *, struct mbuf *)); int ipsp_kern __P((int, char **, int)); @@ -71,7 +73,8 @@ int encdebug = 1; struct xformsw xformsw[] = { { XF_IP4, 0, "IPv4 Simple Encapsulation", ipe4_attach, ipe4_init, ipe4_zeroize, - (struct mbuf * (*)(struct mbuf *, struct tdb *))ipe4_input, ipe4_output, }, + (struct mbuf * (*)(struct mbuf *, struct tdb *))ipe4_input, + ipe4_output, }, { XF_AHMD5, XFT_AUTH, "Keyed MD5 Authentication", ahmd5_attach, ahmd5_init, ahmd5_zeroize, ahmd5_input, ahmd5_output, }, @@ -106,6 +109,49 @@ static char *ipspkernfs = NULL; int ipspkernfs_dirty = 1; /* + * Reserve an SPI; the SA is not valid yet though. Zero is reserved as + * an error return value. If tspi is not zero, we try to allocate that + * SPI. + */ + +u_int32_t +reserve_spi(u_int32_t tspi, struct in_addr src) +{ + struct tdb *tdbp; + u_int32_t spi = tspi; /* Don't change */ + + while (1) + { + while (spi == 0) /* Get a new SPI */ + get_random_bytes((void *)&spi, sizeof(spi)); + + /* Check whether we're using this SPI already */ + if (gettdb(spi, src) != (struct tdb *) NULL) + { + if (tspi != 0) /* If one was proposed, report error */ + return 0; + + spi = 0; + continue; + } + + MALLOC(tdbp, struct tdb *, sizeof(*tdbp), M_TDB, M_WAITOK); + if (tdbp == NULL) + return 0; + + bzero((caddr_t)tdbp, sizeof(*tdbp)); + + tdbp->tdb_spi = spi; + tdbp->tdb_dst = src; + tdbp->tdb_flags |= TDBF_INVALID; + + puttdb(tdbp); + + return spi; + } +} + +/* * An IPSP SAID is really the concatenation of the SPI found in the * packet and the destination address of the packet. When we receive * an IPSP packet, we need to look up its tunnel descriptor block, @@ -132,9 +178,11 @@ void puttdb(struct tdb *tdbp) { int hashval; + hashval = ((tdbp->tdb_spi + tdbp->tdb_dst.s_addr) % TDB_HASHMOD); tdbp->tdb_hnext = tdbh[hashval]; tdbh[hashval] = tdbp; + ipspkernfs_dirty = 1; } 
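Review bot: reserve_spi() calls `gettdb(spi, src)` and only afterwards `MALLOC(..., M_WAITOK)`, which may sleep; a second process entering reserve_spi() during that sleep can pass the same gettdb() check for the same random SPI, and both puttdb() calls then insert duplicate TDBs for one SAID. Allocate the tdb before the lookup loop (or repeat gettdb() after MALLOC returns) so no sleep separates the check from the insert. The loop also only rejects `spi == 0`, while SPIs 1 through 255 are reserved to IANA (RFC 1825), so the reserved range should be rejected for random and proposed values alike. The parameter is named `src` but is stored in `tdb_dst` and used as the SAID's destination in gettdb(); naming it `dst` would stop callers passing the wrong end of the SA. With M_WAITOK the `tdbp == NULL` check is dead, which is harmless but misleading.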
@@ -188,14 +236,17 @@ tdb_init(struct tdb *tdbp, struct mbuf *m) #ifdef ENCDEBUG if (encdebug) - printf("tdbinit: no alg %d for spi %x, addr %x\n", alg, tdbp->tdb_spi, ntohl(tdbp->tdb_dst.s_addr)); + printf("tdbinit: no alg %d for spi %x, addr %x\n", alg, tdbp->tdb_spi, + ntohl(tdbp->tdb_dst.s_addr)); #endif - + + /* Record establishment time */ + tdbp->tdb_established = time.tv_sec; + m_freem(m); return EINVAL; } - int ipsp_kern(int off, char **bufp, int len) { diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index b9c9c27e64d..2bf82d5b554 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.7 1997/06/24 12:15:26 provos Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.8 1997/06/25 07:53:28 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, 
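Review bot: `tdbp->tdb_established = time.tv_sec;` is inserted after the "no alg" diagnostic and directly before `m_freem(m); return EINVAL;`, that is on the path where no transform matched and the TDB is never initialised. tdb_init starts outside the hunk, but if the successful `xf_init` return sits above it, the establishment time is never recorded for a working SA and TDBF_RELATIVE / TDBF_SOFT_RELATIVE expiry would be computed from the zero left by bzero() in reserve_spi. Move the assignment to the success path, before the matched transform's `xf_init` call, and drop it from the error path.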
@@ -34,20 +34,34 @@ struct tdb /* tunnel descriptor block */ struct tdb *tdb_inext; /* next in input (prev!) */ u_int32_t tdb_spi; /* SPI to use */ u_int32_t tdb_flags; /* Flags related to this TDB */ -#define TDBF_UNIQUE 0x0001 /* This should not be used by others */ -#define TDBF_TIMER 0x0002 /* Check the timers */ -#define TDBF_BYTES 0x0004 /* Check the byte counters */ -#define TDBF_PACKETS 0x0008 /* Check the packet counters */ -#define TDBF_INVALID 0x0010 /* This SPI is no longer valid */ - u_int64_t tdb_packets; /* Expire after so many packets s|r */ +#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ +#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ +#define TDBF_BYTES 0x00004 /* Check the byte counters */ +#define TDBF_PACKETS 0x00008 /* Check the packet counters */ +#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ +#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ +#define TDBF_RELATIVE 0x00040 /* Expire after X secs from establ. 
*/ +#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ +#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ +#define TDBF_SOFT_PACKETS 0x00200 /* Soft expiration */ +#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ +#define TDBF_SOFT_RELATIVE 0x00800 /* Soft expiration */ + u_int64_t tdb_exp_packets; /* Expire after so many packets s|r */ u_int64_t tdb_soft_packets; /* Expiration warning */ u_int64_t tdb_cur_packets; /* Current number of packets s|r'ed */ - u_int64_t tdb_bytes; /* Expire after so many bytes passed */ + u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ u_int64_t tdb_soft_bytes; /* Expiration warning */ u_int64_t tdb_cur_bytes; /* Current count of bytes */ - u_int64_t tdb_timeout; /* When does the SPI expire */ + u_int64_t tdb_exp_timeout; /* When does the SPI expire */ u_int64_t tdb_soft_timeout; /* Send a soft-expire warning */ u_int64_t tdb_established; /* When was the SPI established */ + u_int64_t tdb_soft_relative ; /* Soft warning */ + u_int64_t tdb_exp_relative; /* Expire if tdb_established + + tdb_exp_relative <= curtime */ + u_int64_t tdb_first_use; /* When was it first used */ + u_int64_t tdb_soft_first_use; /* Soft warning */ + u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + + tdb_exp_first_use <= curtime */ struct in_addr tdb_dst; /* dest address for this SPI */ struct ifnet *tdb_rcvif; /* related rcv encap interface */ struct xformsw *tdb_xform; /* transformation to use */ @@ -116,6 +130,7 @@ extern int encdebug; struct tdb *tdbh[TDB_HASHMOD]; extern struct xformsw xformsw[], *xformswNXFORMSW; +extern u_int32_t reserve_spi(u_int32_t, struct in_addr); extern struct tdb *gettdb(u_int32_t, struct in_addr); extern void puttdb(struct tdb *); extern int tdb_delete(struct tdb *, int); diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index e82ca8a8592..d420438f7dc 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c 
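Review bot: The new `tdb_exp_*`, `tdb_soft_*` fields and TDBF_* flags define the limits, but nothing in this diff compares `tdb_cur_bytes`/`tdb_cur_packets` against them or checks `tdb_established`/`tdb_first_use` against the relative limits; the transforms only increment the counters and ip_output/ah_input/esp_input only test TDBF_INVALID. The diffstat is limited to sys/netinet, so if the enforcement and the soft-limit notification live in a timer or key-management path elsewhere, the struct should say so with a comment on the counter group such as `/* Limits are not checked on the data path; expiry is enforced by <caller> */` filled in with the actual location. `tdb_soft_relative ;` has a stray space before the semicolon.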
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.13 1997/06/24 12:15:27 provos Exp $ */ +/* $OpenBSD: ip_output.c,v 1.14 1997/06/25 07:53:29 provos Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -44,6 +44,7 @@ #include <sys/socket.h> #include <sys/socketvar.h> #include <sys/systm.h> +#include <sys/kernel.h> #include <net/if.h> #include <net/route.h> @@ -161,8 +162,8 @@ ip_output(m0, va_alist) dst->sen_ip_dst = ip->ip_dst; dst->sen_proto = ip->ip_p; - if (m->m_len < hlen + 2*sizeof(u_int16_t)) { - if ((m = m_pullup(m, hlen + 2*sizeof(u_int16_t))) == 0) + if (m->m_len < hlen + 2 * sizeof(u_int16_t)) { + if ((m = m_pullup(m, hlen + 2 * sizeof(u_int16_t))) == 0) goto bad; ip = mtod(m, struct ip *); } @@ -191,7 +192,7 @@ ip_output(m0, va_alist) #ifdef ENCDEBUG if (encdebug) printf("ip_output: no gw or gw data not IPSP\n"); -#endif ENCDEBUG +#endif /* ENCDEBUG */ m_freem(m); RTFREE(re->re_rt); return EHOSTUNREACH; @@ -211,7 +212,9 @@ ip_output(m0, va_alist) if (encdebug) printf("ip_output: interface %s has no default address\n", ifp->if_xname); -#endif ENCDEBUG +#endif /* ENCDEBUG */ + m_freem(m); + RTFREE(re->re_rt); return ENXIO; } @@ -220,7 +223,7 @@ ip_output(m0, va_alist) if (encdebug) printf("ip_output: %s does not have AF_ENCAP address\n", ifp->if_xname); -#endif ENCDEBUG +#endif /* ENCDEBUG */ m_freem(m); RTFREE(re->re_rt); return EHOSTDOWN; @@ -231,7 +234,7 @@ ip_output(m0, va_alist) if (encdebug) printf("ip_output: %s does not have SENT_DEFIF address\n", ifp->if_xname); -#endif ENCDEBUG +#endif /* ENCDEBUG */ m_freem(m); RTFREE(re->re_rt); return EHOSTDOWN; 
@@ -280,15 +283,33 @@ ip_output(m0, va_alist) #ifdef ENCDEBUG if (encdebug) printf("ip_output: tdb=0x%x, tdb->tdb_xform=0x%x, tdb->tdb_xform->xf_output=%x\n", tdb, tdb->tdb_xform, tdb->tdb_xform->xf_output); -#endif ENCDEBUG +#endif /* ENCDEBUG */ while (tdb && tdb->tdb_xform) { m0 = NULL; + + /* Check if the SPI is invalid */ + if (tdb->tdb_flags & TDBF_INVALID) + { +#ifdef ENCDEBUG + if (encdebug) + printf("ip_output: attempt to use invalid SPI %08x", tdb->tdb_spi); +#endif /* ENCDEBUG */ + m_freem(m); + RTFREE(re->re_rt); + return ENXIO; + } + #ifdef ENCDEBUG if (encdebug) printf("ip_output: calling %s\n", tdb->tdb_xform->xf_name); -#endif ENCDEBUG +#endif /* ENCDEBUG */ + + /* Register first use */ + if (tdb->tdb_first_use == 0) + tdb->tdb_first_use = time.tv_sec; + error = (*(tdb->tdb_xform->xf_output))(m, gw, tdb, &mp); if (mp == NULL) error = EFAULT; @@ -335,7 +356,7 @@ no_encap: * and is still up. If not, free it and try again. */ if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || - dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { + dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { RTFREE(ro->ro_rt); ro->ro_rt = (struct rtentry *)0; } |
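Review bot: The new debug message `printf("ip_output: attempt to use invalid SPI %08x", tdb->tdb_spi);` has no trailing `\n`, so the next kernel message is glued onto the same line; add the newline as the other ENCDEBUG messages in this function have. The branch frees `m` and the route and returns ENXIO, but on the second and later passes through `while (tdb && tdb->tdb_xform)` the mbuf in hand is whatever the previous `xf_output` produced via `mp`; confirm that `m` is reassigned from `mp` after each call (the loop body continues past the hunk) so this early exit neither leaks the transformed chain nor frees a stale pointer. The branch also does not check the hard byte/packet limits introduced by this commit; if that is intentional because expiry is enforced elsewhere, say so in the `/* Check if the SPI is invalid */` comment.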