diff options
| author | Niels Provos <provos@cvs.openbsd.org> | 1997-06-25 07:53:30 +0000 |
|---|---|---|
| committer | Niels Provos <provos@cvs.openbsd.org> | 1997-06-25 07:53:30 +0000 |
| commit | 2c9ded294a4d953f480eee2306fa97f79e827527 (patch) | |
| tree | 082b2f37de03d91c07920aaef2b13e620ab25793 /sys | |
| parent | eb51828dafd060aca283723aefa09b27ede1e79b (diff) | |
hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/net/encap.c | 668 | ||||
| -rw-r--r-- | sys/net/encap.h | 196 | ||||
| -rw-r--r-- | sys/netinet/ip_ah.c | 17 | ||||
| -rw-r--r-- | sys/netinet/ip_ah.h | 3 | ||||
| -rw-r--r-- | sys/netinet/ip_ahhmacmd5.c | 28 | ||||
| -rw-r--r-- | sys/netinet/ip_ahhmacsha1.c | 24 | ||||
| -rw-r--r-- | sys/netinet/ip_ahmd5.c | 26 | ||||
| -rw-r--r-- | sys/netinet/ip_ahsha1.c | 22 | ||||
| -rw-r--r-- | sys/netinet/ip_esp.c | 18 | ||||
| -rw-r--r-- | sys/netinet/ip_esp.h | 26 | ||||
| -rw-r--r-- | sys/netinet/ip_esp3des.c | 10 | ||||
| -rw-r--r-- | sys/netinet/ip_esp3desmd5.c | 12 | ||||
| -rw-r--r-- | sys/netinet/ip_espdes.c | 10 | ||||
| -rw-r--r-- | sys/netinet/ip_espdesmd5.c | 12 | ||||
| -rw-r--r-- | sys/netinet/ip_ip4.c | 6 | ||||
| -rw-r--r-- | sys/netinet/ip_ip4.h | 14 | ||||
| -rw-r--r-- | sys/netinet/ip_ipsp.c | 61 | ||||
| -rw-r--r-- | sys/netinet/ip_ipsp.h | 33 | ||||
| -rw-r--r-- | sys/netinet/ip_output.c | 41 |
19 files changed, 772 insertions, 455 deletions
diff --git a/sys/net/encap.c b/sys/net/encap.c index acd9a4e179c..898ff599dcf 100644 --- a/sys/net/encap.c +++ b/sys/net/encap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: encap.c,v 1.4 1997/06/17 23:25:53 deraadt Exp $ */ +/* $OpenBSD: encap.c,v 1.5 1997/06/25 07:53:19 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -62,65 +62,65 @@ struct sockaddr encap_src = { 2, PF_ENCAP, }; struct sockproto encap_proto = { PF_ENCAP, }; struct protosw encapsw[] = { -{ SOCK_RAW, &encapdomain, 0, PR_ATOMIC|PR_ADDR, - raw_input, encap_output, raw_ctlinput, 0, - encap_usrreq, - encap_init, 0, 0, 0, -}, + { SOCK_RAW, &encapdomain, 0, PR_ATOMIC|PR_ADDR, + raw_input, encap_output, raw_ctlinput, 0, + encap_usrreq, + encap_init, 0, 0, 0, + }, }; struct domain encapdomain = - { AF_ENCAP, "encapsulation", 0, 0, 0, - encapsw, &encapsw[sizeof(encapsw)/sizeof(encapsw[0])], 0, - rn_inithead, 16, sizeof(struct sockaddr_encap)}; +{ AF_ENCAP, "encapsulation", 0, 0, 0, + encapsw, &encapsw[sizeof(encapsw)/sizeof(encapsw[0])], 0, + rn_inithead, 16, sizeof(struct sockaddr_encap)}; void encap_init() { - struct xformsw *xsp; - - for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) - { - printf("encap_init: attaching <%s>\n", xsp->xf_name); - (*(xsp->xf_attach))(); - } + struct xformsw *xsp; + + for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) + { + printf("encap_init: attaching <%s>\n", xsp->xf_name); + (*(xsp->xf_attach))(); + } } /*ARGSUSED*/ int encap_usrreq(register struct socket *so, int req, struct mbuf *m, struct mbuf *nam, struct mbuf *control) { - register int error = 0; - register struct rawcb *rp = sotorawcb(so); - int s; - - if (req == PRU_ATTACH) - { - MALLOC(rp, struct rawcb *, sizeof(*rp), M_PCB, M_WAITOK); - if ((so->so_pcb = (caddr_t)rp)) - bzero(so->so_pcb, sizeof(*rp)); - - } - s = splnet(); - error = raw_usrreq(so, req, m, nam, control); - rp = sotorawcb(so); - if ((req == PRU_ATTACH) && rp) + register int error = 0; + register struct rawcb *rp = sotorawcb(so); + int s; + + if (req == PRU_ATTACH) + { + MALLOC(rp, struct rawcb *, sizeof(*rp), M_PCB, M_WAITOK); + if ((so->so_pcb = (caddr_t)rp)) + bzero(so->so_pcb, sizeof(*rp)); + } + + s = splnet(); + error = raw_usrreq(so, req, m, nam, control); + rp = sotorawcb(so); + if ((req == PRU_ATTACH) && rp) + { + /* int af = rp->rcb_proto.sp_protocol; */ + + if (error) { - /* int af = rp->rcb_proto.sp_protocol; */ - - if (error) - { - free((caddr_t)rp, M_PCB); - splx(s); - return error; - } - rp->rcb_faddr = &encap_src; - soisconnected(so); - so->so_options |= SO_USELOOPBACK; + free((caddr_t)rp, M_PCB); + splx(s); + return error; } - splx(s); - return error; + rp->rcb_faddr = &encap_src; + soisconnected(so); + so->so_options |= SO_USELOOPBACK; + } + splx(s); + return error; } int @@ -128,264 +128,376 @@ int encap_output(struct mbuf *m, ...) #else encap_output(m, va_alist) - register struct mbuf *m; - va_dcl +register struct mbuf *m; +va_dcl #endif { #define SENDERR(e) do { error = e; goto flush;} while (0) - struct socket *so; - int len, emlen, error = 0, nspis, i; - struct encap_msghdr *emp; - struct ifnet *ifp; - struct ifaddr *ifa; - struct sockaddr_encap *sen, *sen2; - struct sockaddr_in *sin; - struct tdb *tdbp, *tprev; - va_list ap; - - va_start(ap, m); - so = va_arg(ap, struct socket *); - va_end(ap); - - if ((m == 0) || ((m->m_len < sizeof(int32_t)) && - (m = m_pullup(m, sizeof(int32_t))) == 0)) - return ENOBUFS; - - if ((m->m_flags & M_PKTHDR) == 0) - panic("encap_output"); - - len = m->m_pkthdr.len; - emp = mtod(m, struct encap_msghdr *); - emlen = emp->em_msglen; - if ((len < emlen)) - SENDERR(EINVAL); - - if (m->m_len < emlen) - { - m = m_pullup(m, emlen); - if (m == NULL) - SENDERR(ENOBUFS); + struct socket *so; + int len, emlen, error = 0, nspis, i; + struct encap_msghdr *emp; + struct ifnet *ifp; + struct ifaddr *ifa; + struct sockaddr_encap *sen, *sen2; + struct sockaddr_in *sin; + struct tdb *tdbp, *tprev; + va_list ap; + u_int32_t spi; + + va_start(ap, m); + so = va_arg(ap, struct socket *); + va_end(ap); + + if ((m == 0) || ((m->m_len < sizeof(int32_t)) && + (m = m_pullup(m, sizeof(int32_t))) == 0)) + return ENOBUFS; + + if ((m->m_flags & M_PKTHDR) == 0) + panic("encap_output"); + + len = m->m_pkthdr.len; + emp = mtod(m, struct encap_msghdr *); + emlen = emp->em_msglen; + if ((len < emlen)) + SENDERR(EINVAL); + + if (m->m_len < emlen) + { + m = m_pullup(m, emlen); + if (m == NULL) + SENDERR(ENOBUFS); - emp = mtod(m, struct encap_msghdr *); - } + emp = mtod(m, struct encap_msghdr *); + } - switch (emp->em_type) - { - case EMT_IFADDR: - if (emp->em_ifn >= nencap) - SENDERR(ENODEV); - /* - * Set the default source address for an encap interface - */ - - ifp = &(enc_softc[emp->em_ifn].enc_if); + switch (emp->em_type) + { + case EMT_IFADDR: + if (emp->em_ifn >= nencap) + SENDERR(ENODEV); + + /* + * Set the default source address for an encap interface + */ + + ifp = &(enc_softc[emp->em_ifn].enc_if); - if ((ifp->if_addrlist.tqh_first == NULL) || - (ifp->if_addrlist.tqh_first->ifa_addr == NULL) || - (ifp->if_addrlist.tqh_first->ifa_addr->sa_family != AF_ENCAP)) - { - MALLOC(ifa, struct ifaddr *, sizeof (struct ifaddr) + 2*SENT_DEFIF_LEN, M_IFADDR, M_WAITOK); - if (ifa == NULL) - SENDERR(ENOBUFS); - bzero((caddr_t)ifa, sizeof (struct ifaddr) + 2*SENT_DEFIF_LEN); - sen = (struct sockaddr_encap *)(ifa + 1); - sen2 = (struct sockaddr_encap *)((caddr_t)sen + SENT_DEFIF_LEN); - ifa->ifa_addr = (struct sockaddr *)sen; - ifa->ifa_dstaddr = (struct sockaddr *)sen2; - ifa->ifa_ifp = ifp; - TAILQ_INSERT_HEAD(&(ifp->if_addrlist), ifa, ifa_list); - } - else - { - sen = (struct sockaddr_encap *)((&(ifp->if_addrlist))->tqh_first->ifa_addr); - sen2 = (struct sockaddr_encap *)((&(ifp->if_addrlist))->tqh_first->ifa_dstaddr); - } - - sen->sen_family = AF_ENCAP; - sen->sen_len = SENT_DEFIF_LEN; - sen->sen_type = SENT_DEFIF; - sin = (struct sockaddr_in *) &(sen->sen_dfl); - sin->sin_len = sizeof(*sin); - sin->sin_family = AF_INET; - sin->sin_addr = emp->em_ifa; - - *sen2 = *sen; + if ((ifp->if_addrlist.tqh_first == NULL) || + (ifp->if_addrlist.tqh_first->ifa_addr == NULL) || + (ifp->if_addrlist.tqh_first->ifa_addr->sa_family != AF_ENCAP)) + { + MALLOC(ifa, struct ifaddr *, sizeof (struct ifaddr) + + 2 * SENT_DEFIF_LEN, M_IFADDR, M_WAITOK); + if (ifa == NULL) + SENDERR(ENOBUFS); - break; + bzero((caddr_t)ifa, sizeof (struct ifaddr) + + 2 * SENT_DEFIF_LEN); + sen = (struct sockaddr_encap *)(ifa + 1); + sen2 = (struct sockaddr_encap *)((caddr_t)sen + + SENT_DEFIF_LEN); + ifa->ifa_addr = (struct sockaddr *)sen; + ifa->ifa_dstaddr = (struct sockaddr *)sen2; + ifa->ifa_ifp = ifp; + TAILQ_INSERT_HEAD(&(ifp->if_addrlist), ifa, ifa_list); + } + else + { + sen = (struct sockaddr_encap *)((&(ifp->if_addrlist))->tqh_first->ifa_addr); + sen2 = (struct sockaddr_encap *)((&(ifp->if_addrlist))->tqh_first->ifa_dstaddr); + } + + sen->sen_family = AF_ENCAP; + sen->sen_len = SENT_DEFIF_LEN; + sen->sen_type = SENT_DEFIF; + sin = (struct sockaddr_in *) &(sen->sen_dfl); + sin->sin_len = sizeof(*sin); + sin->sin_family = AF_INET; + sin->sin_addr = emp->em_ifa; + + *sen2 = *sen; + + break; - case EMT_SETSPI: - if (emp->em_if >= nencap) - SENDERR(ENODEV); - tdbp = gettdb(emp->em_spi, emp->em_dst); + case EMT_SETSPI: + if (emp->em_if >= nencap) + SENDERR(ENODEV); + tdbp = gettdb(emp->em_spi, emp->em_dst); + if (tdbp == NULL) + { + MALLOC(tdbp, struct tdb *, sizeof (*tdbp), M_TDB, M_WAITOK); if (tdbp == NULL) - { - MALLOC(tdbp, struct tdb *, sizeof (*tdbp), M_TDB, M_WAITOK); - if (tdbp == NULL) - SENDERR(ENOBUFS); - - bzero((caddr_t)tdbp, sizeof(*tdbp)); - - tdbp->tdb_spi = emp->em_spi; - tdbp->tdb_dst = emp->em_dst; - tdbp->tdb_rcvif = &(enc_softc[emp->em_if].enc_if); - puttdb(tdbp); - } - else - (*tdbp->tdb_xform->xf_zeroize)(tdbp); - - error = tdb_init(tdbp, m); - ipspkernfs_dirty = 1; - break; + SENDERR(ENOBUFS); - case EMT_DELSPI: - if (emp->em_if >= nencap) - SENDERR(ENODEV); - tdbp = gettdb(emp->em_spi, emp->em_dst); - if (tdbp == NULL) - { - error = EINVAL; - break; - } - - if (emp->em_alg != tdbp->tdb_xform->xf_type) - { - error = EINVAL; - break; - } - - error = tdb_delete(tdbp, 0); + bzero((caddr_t)tdbp, sizeof(*tdbp)); + + tdbp->tdb_spi = emp->em_spi; + tdbp->tdb_dst = emp->em_dst; + tdbp->tdb_rcvif = &(enc_softc[emp->em_if].enc_if); + + puttdb(tdbp); + } + else + (*tdbp->tdb_xform->xf_zeroize)(tdbp); + + /* Various timers/counters */ + if (emp->em_relative_hard != 0) + { + tdbp->tdb_exp_relative = emp->em_relative_hard; + tdbp->tdb_flags |= TDBF_RELATIVE; + } + + if (emp->em_relative_soft != 0) + { + tdbp->tdb_soft_relative = emp->em_relative_soft; + tdbp->tdb_flags |= TDBF_SOFT_RELATIVE; + } + + if (emp->em_first_use_hard != 0) + { + tdbp->tdb_exp_first_use = emp->em_first_use_hard; + tdbp->tdb_flags |= TDBF_FIRSTUSE; + } + + if (emp->em_first_use_soft != 0) + { + tdbp->tdb_soft_first_use = emp->em_first_use_soft; + tdbp->tdb_flags |= TDBF_SOFT_FIRSTUSE; + } + + if (emp->em_expire_hard != 0) + { + tdbp->tdb_exp_timeout = emp->em_expire_hard; + tdbp->tdb_flags |= TDBF_TIMER; + } + + if (emp->em_expire_soft != 0) + { + tdbp->tdb_soft_timeout = emp->em_expire_soft; + tdbp->tdb_flags |= TDBF_SOFT_TIMER; + } + + if (emp->em_bytes_hard != 0) + { + tdbp->tdb_exp_bytes = emp->em_bytes_hard; + tdbp->tdb_flags |= TDBF_BYTES; + } + + if (emp->em_bytes_soft != 0) + { + tdbp->tdb_soft_bytes = emp->em_bytes_soft; + tdbp->tdb_flags |= TDBF_SOFT_BYTES; + } + + if (emp->em_packets_hard != 0) + { + tdbp->tdb_exp_packets = emp->em_packets_hard; + tdbp->tdb_flags |= TDBF_PACKETS; + } + + if (emp->em_packets_soft != 0) + { + tdbp->tdb_soft_packets = emp->em_packets_soft; + tdbp->tdb_flags |= TDBF_SOFT_PACKETS; + } + + error = tdb_init(tdbp, m); + ipspkernfs_dirty = 1; + break; + + case EMT_DELSPI: + if (emp->em_if >= nencap) + SENDERR(ENODEV); + tdbp = gettdb(emp->em_spi, emp->em_dst); + if (tdbp == NULL) + { + error = EINVAL; break; + } - case EMT_DELSPICHAIN: - if (emp->em_if >= nencap) - SENDERR(ENODEV); - tdbp = gettdb(emp->em_spi, emp->em_dst); - if (tdbp == NULL) - { - error = EINVAL; - break; - } - - if (emp->em_alg != tdbp->tdb_xform->xf_type) - { - error = EINVAL; - break; - } - - error = tdb_delete(tdbp, 1); - break; - - case EMT_GRPSPIS: - nspis = (emlen - 4) / 12; - if (nspis * 12 + 4 != emlen) - SENDERR(EINVAL); - - for (i = 0; i < nspis; i++) - if ((tdbp = gettdb(emp->em_rel[i].emr_spi, emp->em_rel[i].emr_dst)) == NULL) - SENDERR(ENOENT); - else - emp->em_rel[i].emr_tdb = tdbp; - tprev = emp->em_rel[0].emr_tdb; - tprev->tdb_inext = NULL; - for (i = 1; i < nspis; i++) - { - tdbp = emp->em_rel[i].emr_tdb; - tprev->tdb_onext = tdbp; - tdbp->tdb_inext = tprev; - tprev = tdbp; - } - tprev->tdb_onext = NULL; - ipspkernfs_dirty = 1; - error = 0; + if (emp->em_alg != tdbp->tdb_xform->xf_type) + { + error = EINVAL; break; + } + + error = tdb_delete(tdbp, 0); + break; + + case EMT_DELSPICHAIN: + if (emp->em_if >= nencap) + SENDERR(ENODEV); + tdbp = gettdb(emp->em_spi, emp->em_dst); + if (tdbp == NULL) + { + error = EINVAL; + break; + } - default: + if (emp->em_alg != tdbp->tdb_xform->xf_type) + { + error = EINVAL; + break; + } + + error = tdb_delete(tdbp, 1); + break; + + case EMT_GRPSPIS: + nspis = (emlen - 4) / 12; + if (nspis * 12 + 4 != emlen) + SENDERR(EINVAL); + + for (i = 0; i < nspis; i++) + if ((tdbp = gettdb(emp->em_rel[i].emr_spi, emp->em_rel[i].emr_dst)) == NULL) + SENDERR(ENOENT); + else + emp->em_rel[i].emr_tdb = tdbp; + + tprev = emp->em_rel[0].emr_tdb; + tprev->tdb_inext = NULL; + for (i = 1; i < nspis; i++) + { + tdbp = emp->em_rel[i].emr_tdb; + tprev->tdb_onext = tdbp; + tdbp->tdb_inext = tprev; + tprev = tdbp; + } + tprev->tdb_onext = NULL; + ipspkernfs_dirty = 1; + error = 0; + break; + + case EMT_RESERVESPI: + spi = reserve_spi(emp->em_spi, emp->em_dst); + if (spi == 0) + if (emp->em_spi == 0) + SENDERR(ENOBUFS); + else SENDERR(EINVAL); - } - - return error; - flush: - if (m) - m_freem(m); - return error; + emp->em_spi = spi; + + /* Send it back to us */ + if (sbappendaddr(&so->so_rcv, &encap_src, m, + (struct mbuf *)0) == 0) + SENDERR(ENOBUFS); + else + sorwakeup(so); /* wakeup */ + + error = 0; + + break; + + case EMT_ENABLESPI: + tdbp = gettdb(emp->em_spi, emp->em_dst); + if (tdbp == NULL) + SENDERR(ENOENT); + + /* Clear the INVALID flag */ + tdbp->tdb_flags &= (~TDBF_INVALID); + error = 0; + + break; + + case EMT_DISABLESPI: + tdbp = gettdb(emp->em_spi, emp->em_dst); + if (tdbp == NULL) + SENDERR(ENOENT); + + /* Set the INVALID flag */ + tdbp->tdb_flags |= TDBF_INVALID; + error = 0; + + break; + + default: + SENDERR(EINVAL); + } + + return error; + +flush: + if (m) + m_freem(m); + return error; } struct ifaddr * encap_findgwifa(struct sockaddr *gw) { - struct sockaddr_encap *egw = (struct sockaddr_encap *)gw; - u_char *op = (u_char *)gw; - int i, j; - struct ifaddr *retval = loif.if_addrlist.tqh_first; - union - { - struct in_addr ia; - u_char io[4]; - } iao; + struct sockaddr_encap *egw = (struct sockaddr_encap *)gw; + u_char *op = (u_char *)gw; + int i, j; + struct ifaddr *retval = loif.if_addrlist.tqh_first; + union + { + struct in_addr ia; + u_char io[4]; + } iao; - switch (egw->sen_type) - { - case SENT_IPSP: - return enc_softc[egw->sen_ipsp_ifn].enc_if.if_addrlist.tqh_first; - break; - - case SENT_IP4: - /* - * Pretty-much standard options walking code. - * Repeated elsewhere as necessary - */ - - for (i = SENT_IP4_LEN; i < egw->sen_len;) - switch (op[i]) - { - case SENO_EOL: - goto opt_done; - - case SENO_NOP: - i++; - continue; + switch (egw->sen_type) + { + case SENT_IPSP: + return enc_softc[egw->sen_ipsp_ifn].enc_if.if_addrlist.tqh_first; + break; + + case SENT_IP4: + /* + * Pretty-much standard options walking code. + * Repeated elsewhere as necessary + */ + + for (i = SENT_IP4_LEN; i < egw->sen_len;) + switch (op[i]) + { + case SENO_EOL: + goto opt_done; + + case SENO_NOP: + i++; + continue; + + case SENO_IFN: + if (op[i+1] != 3) + { + return NULL; + } + retval = enc_softc[op[i+2]].enc_if.if_addrlist.tqh_first; + goto opt_done; + + case SENO_IFIP4A: + if (op[i+1] != 6) /* XXX -- IPv4 address */ + { + return NULL; + } + iao.io[0] = op[i+2]; + iao.io[1] = op[i+3]; + iao.io[2] = op[i+4]; + iao.io[3] = op[i+5]; + + for (j = 0; j < nencap; j++) + { + struct ifaddr *ia = (struct ifaddr *)enc_softc[j].enc_if.if_addrlist.tqh_first; - case SENO_IFN: - if (op[i+1] != 3) - { - return NULL; - } - retval = enc_softc[op[i+2]].enc_if.if_addrlist.tqh_first; - goto opt_done; + struct sockaddr_in *si = (struct sockaddr_in *)ia->ifa_addr; - case SENO_IFIP4A: - if (op[i+1] != 6) /* XXX -- IPv4 address */ + if ((si->sin_family == AF_INET) && (si->sin_addr.s_addr == iao.ia.s_addr)) { - return NULL; + retval = ia; + goto opt_done; } - iao.io[0] = op[i+2]; - iao.io[1] = op[i+3]; - iao.io[2] = op[i+4]; - iao.io[3] = op[i+5]; - - for (j = 0; j < nencap; j++) - { - struct ifaddr *ia = (struct ifaddr *)enc_softc[j].enc_if.if_addrlist.tqh_first; - - struct sockaddr_in *si = (struct sockaddr_in *)ia->ifa_addr; - - if ((si->sin_family == AF_INET) && (si->sin_addr.s_addr == iao.ia.s_addr)) - { - retval = ia; - goto opt_done; - } - } - i += 6; - break; - - default: - if (op[i+1] == 0) - return NULL; - i += op[i+i]; - } - opt_done: - break; - } - return retval; + } + i += 6; + break; + + default: + if (op[i+1] == 0) + return NULL; + i += op[i+i]; + } + opt_done: + break; + } + return retval; } diff --git a/sys/net/encap.h b/sys/net/encap.h index 328d29eabe7..d5b28c8a942 100644 --- a/sys/net/encap.h +++ b/sys/net/encap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: encap.h,v 1.3 1997/06/17 23:25:54 deraadt Exp $ */ +/* $OpenBSD: encap.h,v 1.4 1997/06/25 07:53:20 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -49,43 +49,44 @@ struct sockaddr_encap { - u_int8_t sen_len; /* length */ - u_int8_t sen_family; /* AF_ENCAP */ - u_int16_t sen_type; /* see SENT_* */ - union + u_int8_t sen_len; /* length */ + u_int8_t sen_family; /* AF_ENCAP */ + u_int16_t sen_type; /* see SENT_* */ + union + { + u_int8_t Data[16]; /* other stuff mapped here */ + struct sockaddr Dfl; /* SENT_DEFIF */ + struct /* SENT_SA */ { - u_int8_t Data[16]; /* other stuff mapped here */ - struct sockaddr Dfl; /* SENT_DEFIF */ - struct /* SENT_SA */ - { - struct sockaddr Src; - struct sockaddr Dst; - } Sa; + struct sockaddr Src; + struct sockaddr Dst; + } Sa; #ifdef INET - struct /* SENT_SAIN */ - { - struct sockaddr_in Src; - struct sockaddr_in Dst; - } Sin; - struct /* SENT_IP4 */ - { - struct in_addr Src; - struct in_addr Dst; - u_int16_t Sport; - u_int16_t Dport; - u_int8_t Proto; - u_int8_t Filler[3]; - } Sip4; - struct /* SENT_IPSP */ - { - struct in_addr Src; - struct in_addr Dst; - u_int32_t Spi; - u_int8_t Ifn; - u_int8_t Filler[3]; - } Sipsp; + struct /* SENT_SAIN */ + { + struct sockaddr_in Src; + struct sockaddr_in Dst; + } Sin; + struct /* SENT_IP4 */ + { + struct in_addr Src; + struct in_addr Dst; + u_int16_t Sport; + u_int16_t Dport; + u_int8_t Proto; + u_int8_t Filler[3]; + } Sip4; + struct /* SENT_IPSP */ + { + struct in_addr Src; + struct in_addr Dst; + u_int32_t Spi; + u_int8_t Ifn; + u_int8_t Filler[3]; + } Sipsp; + #endif - } Sen; + } Sen; }; #define sen_data Sen.Data @@ -170,37 +171,92 @@ struct enc_softc struct encap_msghdr { - u_int16_t em_msglen; /* message length */ - u_int8_t em_version; /* for future expansion */ - u_int8_t em_type; /* message type */ - union + u_int16_t em_msglen; /* message length */ + u_int8_t em_version; /* for future expansion */ + u_int8_t em_type; /* message type */ + union + { + struct + { + struct in_addr Ia; + u_int8_t Ifn; + u_int8_t xxx[3]; /* makes life a lot easier */ + } Ifa; + + struct { - struct - { - struct in_addr Ia; - u_int8_t Ifn; - u_int8_t xxx[3]; /* makes life a lot easier */ - } Ifa; - - struct - { - u_int32_t Spi; /* SPI */ - struct in_addr Dst; /* Destination address */ - u_int32_t If; /* enc i/f for input */ - int32_t Alg; /* Algorithm to use */ - u_int8_t Dat[1]; /* Data */ - } Xfm; - - struct - { - u_int32_t emr_spi; /* SPI */ - struct in_addr emr_dst; /* Dest */ - struct tdb * emr_tdb; /* used internally! */ - - } Rel[EM_MAXRELSPIS]; - } Eu; + u_int32_t Spi; /* SPI */ + struct in_addr Dst; /* Destination address */ + u_int64_t Relative_Hard; /* Expire relative to creation */ + u_int64_t Relative_Soft; + u_int64_t First_Use_Hard; /* Expire relative to first use */ + u_int64_t First_Use_Soft; + u_int64_t Expire_Hard; /* Expire at fixed point in time */ + u_int64_t Expire_Soft; + u_int64_t Bytes_Hard; /* Expire after bytes recved/sent */ + u_int64_t Bytes_Soft; + u_int64_t Packets_Hard; /* Expire after packets recved/sent */ + u_int64_t Packets_Soft; + u_int32_t If; /* enc i/f for input */ + int32_t Alg; /* Algorithm to use */ + u_int8_t Dat[1]; /* Data */ + } Xfm; + + /* + * For expiration notifications, the kernel fills in + * Notification_Type, Spi and Dst. No direct response is expected. + * + * For SA Requests, the kernel fills in + * Notification_Type, MsgID, Spi, Seclevel, Dst (and optionally + * Protocol, Src, Sport, Dport and UserID). + * + * The response should have the same values in all the fields + * and: + * Spi/Spi2/Spi3 will hold the SPIs for the three seclevels + * UserID can optionally hold the peer's UserID (if applicable) + */ + struct /* kernel->userland notifications */ + { + u_int32_t Notification_Type; +#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */ +#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */ +#define NOTIFY_REQUEST_SA 2 /* Establish an SA */ + u_int32_t MsgID; /* Request ID */ + u_int32_t Spi; + u_int32_t Spi2; + u_int32_t Spi3; + u_int8_t Seclevel[3]; /* see netinet/in_pcb.h */ + u_int8_t Protocol; /* Transport mode for which protocol */ + struct in_addr Dst; /* Peer */ + struct in_addr Src; /* Might have our local address */ + u_int16_t Sport; /* Source port */ + u_int16_t Dport; /* Destination port */ + u_int8_t UserID[1]; /* Might be used to indicate user */ + } Notify; + + struct + { + u_int32_t emr_spi; /* SPI */ + struct in_addr emr_dst; /* Dest */ + struct tdb *emr_tdb; /* used internally! */ + + } Rel[EM_MAXRELSPIS]; + } Eu; }; +#define em_not_type Eu.Notify.Notification_Type +#define em_not_spi Eu.Notify.Spi +#define em_not_spi2 Eu.Notify.Spi2 +#define em_not_spi3 Eu.Notify.Spi3 +#define em_not_src Eu.Notify.Src +#define em_not_dst Eu.Notify.Dst +#define em_not_seclevel Eu.Notify.Seclevel +#define em_not_userid Eu.Notify.UserID +#define em_not_msgid Eu.Notify.MsgID +#define em_not_sport Eu.Notify.Sport +#define em_not_dport Eu.Notify.Dport +#define em_not_protocol Eu.Notify.Protocol + #define em_ifa Eu.Ifa.Ia #define em_ifn Eu.Ifa.Ifn @@ -209,6 +265,16 @@ struct encap_msghdr #define em_if Eu.Xfm.If #define em_alg Eu.Xfm.Alg #define em_dat Eu.Xfm.Dat +#define em_relative_hard Eu.Xfm.Relative_Hard +#define em_relative_soft Eu.Xfm.Relative_Soft +#define em_first_use_hard Eu.Xfm.First_Use_Hard +#define em_first_use_soft Eu.Xfm.First_Use_Soft +#define em_expire_hard Eu.Xfm.Expire_Hard +#define em_expire_soft Eu.Xfm.Expire_Soft +#define em_bytes_hard Eu.Xfm.Bytes_Hard +#define em_bytes_soft Eu.Xfm.Bytes_Soft +#define em_packets_hard Eu.Xfm.Packets_Hard +#define em_packets_soft Eu.Xfm.Packets_Soft #define em_rel Eu.Rel @@ -217,6 +283,10 @@ struct encap_msghdr #define EMT_GRPSPIS 3 /* Group SPIs (output order) */ #define EMT_DELSPI 4 /* delete an SPI */ #define EMT_DELSPICHAIN 5 /* delete an SPI chain starting from */ +#define EMT_RESERVESPI 6 /* Give us an SPI */ +#define EMT_ENABLESPI 7 /* Enable an SA */ +#define EMT_DISABLESPI 8 /* Disable an SA */ +#define EMT_NOTIFY 9 /* kernel->userland key mgmt not. */ #define EM_MINLEN 8 /* count!!! */ #define EMT_IFADDR_LEN 12 diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index cd550282775..d012fbdeba8 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.5 1997/06/24 12:15:19 provos Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.6 1997/06/25 07:53:21 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -123,6 +123,17 @@ ah_input(register struct mbuf *m, int iphlen) return; } + if (tdbp->tdb_flags & TDBF_INVALID) + { +#ifdef ENCDEBUG + if (encdebug) + printf("ah_input: spi=%x is no longer/yet valid\n", ahp->ah_spi); +#endif /* ENCDEBUG */ + m_freem(m); + ahstat.ahs_invalid++; + return; + } + if (tdbp->tdb_xform == NULL) { #ifdef ENCDEBUG @@ -136,6 +147,10 @@ ah_input(register struct mbuf *m, int iphlen) m->m_pkthdr.rcvif = tdbp->tdb_rcvif; + /* Register first use */ + if (tdbp->tdb_first_use == 0) + tdbp->tdb_first_use = time.tv_sec; + m = (*(tdbp->tdb_xform->xf_input))(m, tdbp); if (m == NULL) diff --git a/sys/netinet/ip_ah.h b/sys/netinet/ip_ah.h index 25af64cf1a8..da9840e14e7 100644 --- a/sys/netinet/ip_ah.h +++ b/sys/netinet/ip_ah.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.h,v 1.6 1997/06/20 05:41:47 provos Exp $ */ +/* $OpenBSD: ip_ah.h,v 1.7 1997/06/25 07:53:21 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -55,6 +55,7 @@ struct ahstat u_int32_t ahs_badauthl; /* bad authenticator length */ u_int32_t ahs_input; /* Input AH packets */ u_int32_t ahs_output; /* Output AH packets */ + u_int32_t ahs_invalid; /* Trying to use an invalid TDB */ }; #define AHHMACMD5_KMAX 64 /* max 512 bits key */ diff --git a/sys/netinet/ip_ahhmacmd5.c b/sys/netinet/ip_ahhmacmd5.c index 243c5b6e408..3a3bd949caf 100644 --- a/sys/netinet/ip_ahhmacmd5.c +++ b/sys/netinet/ip_ahhmacmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahhmacmd5.c,v 1.11 1997/06/24 20:57:24 provos Exp $ */ +/* $OpenBSD: ip_ahhmacmd5.c,v 1.12 1997/06/25 07:53:22 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -239,24 +239,28 @@ ahhmacmd5_input(struct mbuf *m, struct tdb *tdb) switch (optval) { case IPOPT_EOL: + MD5Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: MD5Update(&ctx, ipseczeroes, 1); off++; - continue; - + break; + case IPOPT_SECURITY: case 133: case 134: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; - + break; + default: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -360,8 +364,8 @@ ahhmacmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -511,11 +515,11 @@ ahhmacmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, str *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; if (xd->amx_wnd >= 0) - tdb->tdb_bytes -= HMACMD5_RPLENGTH; + tdb->tdb_cur_bytes -= HMACMD5_RPLENGTH; return 0; } diff --git a/sys/netinet/ip_ahhmacsha1.c b/sys/netinet/ip_ahhmacsha1.c index bd2003e52fe..ac9b056a010 100644 --- a/sys/netinet/ip_ahhmacsha1.c +++ b/sys/netinet/ip_ahhmacsha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahhmacsha1.c,v 1.9 1997/06/24 20:57:25 provos Exp $ */ +/* $OpenBSD: ip_ahhmacsha1.c,v 1.10 1997/06/25 07:53:22 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -240,10 +240,14 @@ ahhmacsha1_input(struct mbuf *m, struct tdb *tdb) switch (optval) { case IPOPT_EOL: + SHA1Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: SHA1Update(&ctx, ipseczeroes, 1); off++; - continue; + break; case IPOPT_SECURITY: case 133: @@ -251,13 +255,13 @@ ahhmacsha1_input(struct mbuf *m, struct tdb *tdb) optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; + break; default: optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -363,8 +367,8 @@ ahhmacsha1_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -516,11 +520,11 @@ ahhmacsha1_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, st *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; if (xd->amx_wnd >= 0) - tdb->tdb_bytes -= HMACSHA1_RPLENGTH; + tdb->tdb_cur_bytes -= HMACSHA1_RPLENGTH; return 0; } diff --git a/sys/netinet/ip_ahmd5.c b/sys/netinet/ip_ahmd5.c index ce3a9143220..e19b596f172 100644 --- a/sys/netinet/ip_ahmd5.c +++ b/sys/netinet/ip_ahmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahmd5.c,v 1.8 1997/06/24 20:57:25 provos Exp $ */ +/* $OpenBSD: ip_ahmd5.c,v 1.9 1997/06/25 07:53:23 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -195,24 +195,28 @@ ahmd5_input(struct mbuf *m, struct tdb *tdb) switch (optval) { case IPOPT_EOL: + MD5Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: MD5Update(&ctx, ipseczeroes, 1); off++; - continue; - + break; + case IPOPT_SECURITY: case 133: case 134: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; - + break; + default: optval = ((u_int8_t *)ip)[off + 1]; MD5Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -280,8 +284,8 @@ ahmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -403,9 +407,9 @@ ahmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; return 0; } diff --git a/sys/netinet/ip_ahsha1.c b/sys/netinet/ip_ahsha1.c index b7cc04425f0..61bece49bc2 100644 --- a/sys/netinet/ip_ahsha1.c +++ b/sys/netinet/ip_ahsha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ahsha1.c,v 1.4 1997/06/24 20:57:26 provos Exp $ */ +/* $OpenBSD: ip_ahsha1.c,v 1.5 1997/06/25 07:53:23 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -194,10 +194,14 @@ ahsha1_input(struct mbuf *m, struct tdb *tdb) switch (IPOPT_NUMBER(optval)) { case IPOPT_EOL: + SHA1Update(&ctx, ipseczeroes, 1); + off = ip->ip_hl << 2; + break; + case IPOPT_NOP: SHA1Update(&ctx, ipseczeroes, 1); off++; - continue; + break; case IPOPT_SECURITY: case 133: @@ -205,13 +209,13 @@ ahsha1_input(struct mbuf *m, struct tdb *tdb) optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, (u_int8_t *)ip + off, optval); off += optval; - continue; + break; default: optval = ((u_int8_t *)ip)[off + 1]; SHA1Update(&ctx, ipseczeroes, optval); off += optval; - continue; + break; } } @@ -279,8 +283,8 @@ ahsha1_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2); return m; } @@ -402,9 +406,9 @@ ahsha1_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - - xd->amx_alen; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ip->ip_len - (ip->ip_hl << 2) - AH_FLENGTH - + xd->amx_alen; return 0; } diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 0c76415d20c..dad0caaaa96 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.5 1997/06/21 00:09:16 deraadt Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.6 1997/06/25 07:53:24 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -120,6 +120,17 @@ esp_input(register struct mbuf *m, int iphlen) return; } + if (tdbp->tdb_flags & TDBF_INVALID) + { +#ifdef ENCDEBUG + if (encdebug); + printf("esp_input: spi=%x is not longer/yet valid\n", spi); +#endif + m_freem(m); + espstat.esps_invalid++; + return; + } + if (tdbp->tdb_xform == NULL) { #ifdef ENCDEBUG @@ -133,6 +144,11 @@ esp_input(register struct mbuf *m, int iphlen) m->m_pkthdr.rcvif = tdbp->tdb_rcvif; + /* Register first use */ + if (tdbp->tdb_first_use == 0) + tdbp->tdb_first_use = time.tv_sec; + + m = (*(tdbp->tdb_xform->xf_input))(m, tdbp); if (m == NULL) diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h index 10a5b7d3aff..e7798ff8d04 100644 --- a/sys/netinet/ip_esp.h +++ b/sys/netinet/ip_esp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.h,v 1.6 1997/06/20 05:41:50 provos Exp $ */ +/* $OpenBSD: ip_esp.h,v 1.7 1997/06/25 07:53:24 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -72,17 +72,18 @@ struct esp struct espstat { - u_long esps_hdrops; /* packet shorter than header shows */ - u_long esps_notdb; - u_long esps_badkcr; - u_long esps_qfull; - u_long esps_noxform; - u_long esps_badilen; - u_long esps_wrap; /* Replay counter wrapped around */ - u_long esps_badauth; /* Only valid for transforms with auth */ - u_long esps_replay; /* Possible packet replay detected */ - u_long esps_input; /* Input ESP packets */ - u_long esps_output; /* Output ESP packets */ + u_int32_t esps_hdrops; /* packet shorter than header shows */ + u_int32_t esps_notdb; + u_int32_t esps_badkcr; + u_int32_t esps_qfull; + u_int32_t esps_noxform; + u_int32_t esps_badilen; + u_int32_t esps_wrap; /* Replay counter wrapped around */ + u_int32_t esps_badauth; /* Only valid for transforms with auth */ + u_int32_t esps_replay; /* Possible packet replay detected */ + u_int32_t esps_input; /* Input ESP packets */ + u_int32_t esps_output; /* Output ESP packets */ + u_int32_t esps_invalid; /* Trying to use an invalid TDB */ }; struct espdes_xdata @@ -202,4 +203,3 @@ struct esp3desmd5_xdata struct espstat espstat; #endif - diff --git a/sys/netinet/ip_esp3des.c b/sys/netinet/ip_esp3des.c index 3cb89280283..175a2594c8a 100644 --- a/sys/netinet/ip_esp3des.c +++ b/sys/netinet/ip_esp3des.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp3des.c,v 1.5 1997/06/24 20:57:27 provos Exp $ */ +/* $OpenBSD: ip_esp3des.c,v 1.6 1997/06/25 07:53:25 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -300,8 +300,8 @@ esp3des_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; return m; } @@ -476,8 +476,8 @@ esp3des_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struc *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; return 0; } diff --git a/sys/netinet/ip_esp3desmd5.c b/sys/netinet/ip_esp3desmd5.c index d6f1ecb3eed..d52969c457b 100644 --- a/sys/netinet/ip_esp3desmd5.c +++ b/sys/netinet/ip_esp3desmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp3desmd5.c,v 1.9 1997/06/24 20:57:28 provos Exp $ */ +/* $OpenBSD: ip_esp3desmd5.c,v 1.10 1997/06/25 07:53:25 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -509,9 +509,9 @@ esp3desmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + - 2 + ESP3DESMD5_ALEN; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + + 2 + ESP3DESMD5_ALEN; return m; } @@ -772,8 +772,8 @@ esp3desmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, st *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; return 0; } diff --git a/sys/netinet/ip_espdes.c b/sys/netinet/ip_espdes.c index fd85253f793..d0b925c4aa0 100644 --- a/sys/netinet/ip_espdes.c +++ b/sys/netinet/ip_espdes.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_espdes.c,v 1.7 1997/06/24 20:57:28 provos Exp $ */ +/* $OpenBSD: ip_espdes.c,v 1.8 1997/06/25 07:53:26 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -287,8 +287,8 @@ espdes_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + blk[6] + 2; return m; } @@ -460,8 +460,8 @@ espdes_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; return 0; } diff --git a/sys/netinet/ip_espdesmd5.c b/sys/netinet/ip_espdesmd5.c index 7ef8b91bc08..2700e34b888 100644 --- a/sys/netinet/ip_espdesmd5.c +++ b/sys/netinet/ip_espdesmd5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_espdesmd5.c,v 1.9 1997/06/24 20:57:29 provos Exp $ */ +/* $OpenBSD: ip_espdesmd5.c,v 1.10 1997/06/25 07:53:26 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -493,9 +493,9 @@ espdesmd5_input(struct mbuf *m, struct tdb *tdb) ip->ip_sum = in_cksum(m, sizeof (struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + - 2 + ESPDESMD5_ALEN; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + padsize + + 2 + ESPDESMD5_ALEN; return m; } @@ -754,8 +754,8 @@ espdesmd5_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, str iphlen - sizeof(struct ip)); /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += rlen + padding; + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += rlen + padding; *mp = m; return 0; diff --git a/sys/netinet/ip_ip4.c b/sys/netinet/ip_ip4.c index ba5cedcc307..ff113083e91 100644 --- a/sys/netinet/ip_ip4.c +++ b/sys/netinet/ip_ip4.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ip4.c,v 1.8 1997/06/24 12:15:25 provos Exp $ */ +/* $OpenBSD: ip_ip4.c,v 1.9 1997/06/25 07:53:27 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -208,8 +208,8 @@ ipe4_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, struct m *mp = m; /* Update the counters */ - tdb->tdb_packets++; - tdb->tdb_bytes += ntohs(ipo->ip_len) - (ipo->ip_hl << 2); + tdb->tdb_cur_packets++; + tdb->tdb_cur_bytes += ntohs(ipo->ip_len) - (ipo->ip_hl << 2); return 0; diff --git a/sys/netinet/ip_ip4.h b/sys/netinet/ip_ip4.h index 1912e858097..d489d3c1dc3 100644 --- a/sys/netinet/ip_ip4.h +++ b/sys/netinet/ip_ip4.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ip4.h,v 1.5 1997/06/20 05:41:52 provos Exp $ */ +/* $OpenBSD: ip_ip4.h,v 1.6 1997/06/25 07:53:27 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -40,12 +40,12 @@ struct ip4_xencap struct ip4stat { - u_long ip4s_ipackets; /* total input packets */ - u_long ip4s_opackets; /* total output packets */ - u_long ip4s_hdrops; /* packet shorter than header shows */ - u_long ip4s_badlen; - u_long ip4s_notip4; - u_long ip4s_qfull; + u_int32_t ip4s_ipackets; /* total input packets */ + u_int32_t ip4s_opackets; /* total output packets */ + u_int32_t ip4s_hdrops; /* packet shorter than header shows */ + u_int32_t ip4s_badlen; + u_int32_t ip4s_notip4; + u_int32_t ip4s_qfull; }; #define IP4_SAME_TTL 0 diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index 1388be11ed6..99bbddb5ebe 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.9 1997/06/24 12:15:25 provos Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.10 1997/06/25 07:53:28 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -57,6 +57,8 @@ #include <netinet/ip_ah.h> #include <netinet/ip_esp.h> +#include <dev/rndvar.h> + int tdb_init __P((struct tdb *, struct mbuf *)); int ipsp_kern __P((int, char **, int)); @@ -71,7 +73,8 @@ int encdebug = 1; struct xformsw xformsw[] = { { XF_IP4, 0, "IPv4 Simple Encapsulation", ipe4_attach, ipe4_init, ipe4_zeroize, - (struct mbuf * (*)(struct mbuf *, struct tdb *))ipe4_input, ipe4_output, }, + (struct mbuf * (*)(struct mbuf *, struct tdb *))ipe4_input, + ipe4_output, }, { XF_AHMD5, XFT_AUTH, "Keyed MD5 Authentication", ahmd5_attach, ahmd5_init, ahmd5_zeroize, ahmd5_input, ahmd5_output, }, @@ -106,6 +109,49 @@ static char *ipspkernfs = NULL; int ipspkernfs_dirty = 1; /* + * Reserve an SPI; the SA is not valid yet though. Zero is reserved as + * an error return value. If tspi is not zero, we try to allocate that + * SPI. + */ + +u_int32_t +reserve_spi(u_int32_t tspi, struct in_addr src) +{ + struct tdb *tdbp; + u_int32_t spi = tspi; /* Don't change */ + + while (1) + { + while (spi == 0) /* Get a new SPI */ + get_random_bytes((void *)&spi, sizeof(spi)); + + /* Check whether we're using this SPI already */ + if (gettdb(spi, src) != (struct tdb *) NULL) + { + if (tspi != 0) /* If one was proposed, report error */ + return 0; + + spi = 0; + continue; + } + + MALLOC(tdbp, struct tdb *, sizeof(*tdbp), M_TDB, M_WAITOK); + if (tdbp == NULL) + return 0; + + bzero((caddr_t)tdbp, sizeof(*tdbp)); + + tdbp->tdb_spi = spi; + tdbp->tdb_dst = src; + tdbp->tdb_flags |= TDBF_INVALID; + + puttdb(tdbp); + + return spi; + } +} + +/* * An IPSP SAID is really the concatenation of the SPI found in the * packet and the destination address of the packet. When we receive * an IPSP packet, we need to look up its tunnel descriptor block, @@ -132,9 +178,11 @@ void puttdb(struct tdb *tdbp) { int hashval; + hashval = ((tdbp->tdb_spi + tdbp->tdb_dst.s_addr) % TDB_HASHMOD); tdbp->tdb_hnext = tdbh[hashval]; tdbh[hashval] = tdbp; + ipspkernfs_dirty = 1; } @@ -188,14 +236,17 @@ tdb_init(struct tdb *tdbp, struct mbuf *m) #ifdef ENCDEBUG if (encdebug) - printf("tdbinit: no alg %d for spi %x, addr %x\n", alg, tdbp->tdb_spi, ntohl(tdbp->tdb_dst.s_addr)); + printf("tdbinit: no alg %d for spi %x, addr %x\n", alg, tdbp->tdb_spi, + ntohl(tdbp->tdb_dst.s_addr)); #endif - + + /* Record establishment time */ + tdbp->tdb_established = time.tv_sec; + m_freem(m); return EINVAL; } - int ipsp_kern(int off, char **bufp, int len) { diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index b9c9c27e64d..2bf82d5b554 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.7 1997/06/24 12:15:26 provos Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.8 1997/06/25 07:53:28 provos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -34,20 +34,34 @@ struct tdb /* tunnel descriptor block */ struct tdb *tdb_inext; /* next in input (prev!) */ u_int32_t tdb_spi; /* SPI to use */ u_int32_t tdb_flags; /* Flags related to this TDB */ -#define TDBF_UNIQUE 0x0001 /* This should not be used by others */ -#define TDBF_TIMER 0x0002 /* Check the timers */ -#define TDBF_BYTES 0x0004 /* Check the byte counters */ -#define TDBF_PACKETS 0x0008 /* Check the packet counters */ -#define TDBF_INVALID 0x0010 /* This SPI is no longer valid */ - u_int64_t tdb_packets; /* Expire after so many packets s|r */ +#define TDBF_UNIQUE 0x00001 /* This should not be used by others */ +#define TDBF_TIMER 0x00002 /* Absolute expiration timer in use */ +#define TDBF_BYTES 0x00004 /* Check the byte counters */ +#define TDBF_PACKETS 0x00008 /* Check the packet counters */ +#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */ +#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */ +#define TDBF_RELATIVE 0x00040 /* Expire after X secs from establ. */ +#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */ +#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */ +#define TDBF_SOFT_PACKETS 0x00200 /* Soft expiration */ +#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */ +#define TDBF_SOFT_RELATIVE 0x00800 /* Soft expiration */ + u_int64_t tdb_exp_packets; /* Expire after so many packets s|r */ u_int64_t tdb_soft_packets; /* Expiration warning */ u_int64_t tdb_cur_packets; /* Current number of packets s|r'ed */ - u_int64_t tdb_bytes; /* Expire after so many bytes passed */ + u_int64_t tdb_exp_bytes; /* Expire after so many bytes passed */ u_int64_t tdb_soft_bytes; /* Expiration warning */ u_int64_t tdb_cur_bytes; /* Current count of bytes */ - u_int64_t tdb_timeout; /* When does the SPI expire */ + u_int64_t tdb_exp_timeout; /* When does the SPI expire */ u_int64_t tdb_soft_timeout; /* Send a soft-expire warning */ u_int64_t tdb_established; /* When was the SPI established */ + u_int64_t tdb_soft_relative ; /* Soft warning */ + u_int64_t tdb_exp_relative; /* Expire if tdb_established + + tdb_exp_relative <= curtime */ + u_int64_t tdb_first_use; /* When was it first used */ + u_int64_t tdb_soft_first_use; /* Soft warning */ + u_int64_t tdb_exp_first_use; /* Expire if tdb_first_use + + tdb_exp_first_use <= curtime */ struct in_addr tdb_dst; /* dest address for this SPI */ struct ifnet *tdb_rcvif; /* related rcv encap interface */ struct xformsw *tdb_xform; /* transformation to use */ @@ -116,6 +130,7 @@ extern int encdebug; struct tdb *tdbh[TDB_HASHMOD]; extern struct xformsw xformsw[], *xformswNXFORMSW; +extern u_int32_t reserve_spi(u_int32_t, struct in_addr); extern struct tdb *gettdb(u_int32_t, struct in_addr); extern void puttdb(struct tdb *); extern int tdb_delete(struct tdb *, int); diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index e82ca8a8592..d420438f7dc 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.13 1997/06/24 12:15:27 provos Exp $ */ +/* $OpenBSD: ip_output.c,v 1.14 1997/06/25 07:53:29 provos Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -44,6 +44,7 @@ #include <sys/socket.h> #include <sys/socketvar.h> #include <sys/systm.h> +#include <sys/kernel.h> #include <net/if.h> #include <net/route.h> @@ -161,8 +162,8 @@ ip_output(m0, va_alist) dst->sen_ip_dst = ip->ip_dst; dst->sen_proto = ip->ip_p; - if (m->m_len < hlen + 2*sizeof(u_int16_t)) { - if ((m = m_pullup(m, hlen + 2*sizeof(u_int16_t))) == 0) + if (m->m_len < hlen + 2 * sizeof(u_int16_t)) { + if ((m = m_pullup(m, hlen + 2 * sizeof(u_int16_t))) == 0) goto bad; ip = mtod(m, struct ip *); } @@ -191,7 +192,7 @@ ip_output(m0, va_alist) #ifdef ENCDEBUG if (encdebug) printf("ip_output: no gw or gw data not IPSP\n"); -#endif ENCDEBUG +#endif /* ENCDEBUG */ m_freem(m); RTFREE(re->re_rt); return EHOSTUNREACH; @@ -211,7 +212,9 @@ ip_output(m0, va_alist) if (encdebug) printf("ip_output: interface %s has no default address\n", ifp->if_xname); -#endif ENCDEBUG +#endif /* ENCDEBUG */ + m_freem(m); + RTFREE(re->re_rt); return ENXIO; } @@ -220,7 +223,7 @@ ip_output(m0, va_alist) if (encdebug) printf("ip_output: %s does not have AF_ENCAP address\n", ifp->if_xname); -#endif ENCDEBUG +#endif /* ENCDEBUG */ m_freem(m); RTFREE(re->re_rt); return EHOSTDOWN; @@ -231,7 +234,7 @@ ip_output(m0, va_alist) if (encdebug) printf("ip_output: %s does not have SENT_DEFIF address\n", ifp->if_xname); -#endif ENCDEBUG +#endif /* ENCDEBUG */ m_freem(m); RTFREE(re->re_rt); return EHOSTDOWN; @@ -280,15 +283,33 @@ ip_output(m0, va_alist) #ifdef ENCDEBUG if (encdebug) printf("ip_output: tdb=0x%x, tdb->tdb_xform=0x%x, tdb->tdb_xform->xf_output=%x\n", tdb, tdb->tdb_xform, tdb->tdb_xform->xf_output); -#endif ENCDEBUG +#endif /* ENCDEBUG */ while (tdb && tdb->tdb_xform) { m0 = NULL; + + /* Check if the SPI is invalid */ + if (tdb->tdb_flags & TDBF_INVALID) + { +#ifdef ENCDEBUG + if (encdebug) + printf("ip_output: attempt to use invalid SPI %08x", tdb->tdb_spi); +#endif /* ENCDEBUG */ + m_freem(m); + RTFREE(re->re_rt); + return ENXIO; + } + #ifdef ENCDEBUG if (encdebug) printf("ip_output: calling %s\n", tdb->tdb_xform->xf_name); -#endif ENCDEBUG +#endif /* ENCDEBUG */ + + /* Register first use */ + if (tdb->tdb_first_use == 0) + tdb->tdb_first_use = time.tv_sec; + error = (*(tdb->tdb_xform->xf_output))(m, gw, tdb, &mp); if (mp == NULL) error = EFAULT; @@ -335,7 +356,7 @@ no_encap: * and is still up. If not, free it and try again. */ if (ro->ro_rt && ((ro->ro_rt->rt_flags & RTF_UP) == 0 || - dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { + dst->sin_addr.s_addr != ip->ip_dst.s_addr)) { RTFREE(ro->ro_rt); ro->ro_rt = (struct rtentry *)0; } |