author | sam <sam@FreeBSD.org> | 2002-10-16 02:25:05 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2002-10-16 02:25:05 +0000 |
commit | 0ef6c52bbcc67b0dce67c7ad7a6fc685828a6400 (patch) | |
tree | ae7276b550c8f6a3436b1985ff4cb31e8a826d66 /sys/netinet6 | |
parent | b12d57e66aba52a8bea632c34b458fa9d734aef7 (diff) | |
Tie new "Fast IPsec" code into the build. This involves the usual
configuration stuff as well as conditional code in the IPv4 and IPv6
areas. Everything is conditional on FAST_IPSEC which is mutually
exclusive with IPSEC (KAME IPsec implementation).
As noted previously, don't use FAST_IPSEC with INET6 at the moment.
Reviewed by: KAME, rwatson
Approved by: silence
Supported by: Vernier Networks
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- | sys/netinet6/icmp6.c | 6 | ||||
-rw-r--r-- | sys/netinet6/in6_pcb.c | 7 | ||||
-rw-r--r-- | sys/netinet6/in6_proto.c | 9 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 9 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 6 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 67 | ||||
-rw-r--r-- | sys/netinet6/raw_ip6.c | 24 | ||||
-rw-r--r-- | sys/netinet6/udp6_usrreq.c | 29 |
8 files changed, 153 insertions, 4 deletions
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 6c1c1c5..f318d51 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -106,6 +106,12 @@
 #include <netkey/key.h>
 #endif
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/key.h>
+#define IPSEC
+#endif
+
 #include <net/net_osdep.h>
 #ifdef HAVE_NRL_INPCB
diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index 2d7baab..963cd9a 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -113,6 +113,13 @@
 #include <netkey/key.h>
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#include <netipsec/key.h>
+#define IPSEC
+#endif /* FAST_IPSEC */
+
 struct in6_addr zeroin6_addr;
 int
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c
index 98a312e..1e8aeac 100644
--- a/sys/netinet6/in6_proto.c
+++ b/sys/netinet6/in6_proto.c
@@ -126,6 +126,15 @@
 #endif
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec6.h>
+#define IPSEC
+#define IPSEC_ESP
+#define ah6_input ipsec6_common_input
+#define esp6_input ipsec6_common_input
+#define ipcomp6_input ipsec6_common_input
+#endif /* FAST_IPSEC */
+
 #include <netinet6/ip6protosw.h>
 #include <net/net_osdep.h>
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 97fa8d6..1e6dde8 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -74,6 +74,13 @@
 #include <netkey/key.h>
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#include <netipsec/key.h>
+#define IPSEC
+#endif /* FAST_IPSEC */
+
 #include <netinet6/ip6_fw.h>
 #include <net/net_osdep.h>
@@ -124,7 +131,9 @@ ip6_forward(m, srcrt)
 * before forwarding packet actually.
 */
 if (ipsec6_in_reject(m, NULL)) {
+#if !defined(FAST_IPSEC)
 ipsec6stat.in_polvio++;
+#endif
 m_freem(m);
 return;
 }
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 3f5d7d5..82c1036 100644
--- a/sys/netinet6/ip6_input.c
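Review bot: The `#define IPSEC` inside the new `#ifdef FAST_IPSEC` block of icmp6.c is undocumented, and the same shim is repeated in in6_pcb.c, in6_proto.c, ip6_forward.c and ip6_input.c; a reader who takes the commit message ("mutually exclusive with IPSEC") literally will assume the two symbols never coexist, yet every later `#ifdef IPSEC` in these files is now compiled for Fast IPsec as well. A comment above the define would make the intent explicit, e.g. `/* Fast IPsec provides compatible ipsec6_*() entry points; define IPSEC so the existing #ifdef IPSEC code below is built for it too. */`. Because the block sits right after the KAME `#ifdef IPSEC` header block, a guard `#if defined(IPSEC) && defined(FAST_IPSEC)` / `#error "IPSEC and FAST_IPSEC are mutually exclusive"` would turn a mixed configuration into a clear build error instead of a redefined-macro diagnostic. ip6_output.c, raw_ip6.c and udp6_usrreq.c take the other route (`#if defined(IPSEC) || defined(FAST_IPSEC)` plus separate blocks), so it is worth stating which convention the tree should converge on.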
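Review bot: The new `#if !defined(FAST_IPSEC)` around `ipsec6stat.in_polvio++` in ip6_forward() gives no reason for skipping the counter, so it reads as if Fast IPsec policy-violation drops go unaccounted; the same silent-drop shape recurs in the raw_ip6.c and udp6_usrreq.c hunks. Presumably the Fast IPsec `ipsec6_in_reject()` does its own accounting (or `newipsecstat` is meant to carry it), but nothing visible here says so. A one-line comment would settle it, e.g. `/* Fast IPsec accounts for policy violations inside ipsec6_in_reject(); KAME's counter lives in ipsec6stat */`, and if that is not the case the `newipsecstat` counters used in ip6_output.c should be bumped on this path instead. ip6_forward() starts before and ends after this hunk.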
+++ b/sys/netinet6/ip6_input.c
@@ -117,6 +117,12 @@
 #endif
 #endif
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#define IPSEC
+#endif /* FAST_IPSEC */
+
 #include <netinet6/ip6_fw.h>
 #include <netinet6/ip6protosw.h>
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 63d676d..a45727e 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -105,6 +105,12 @@
 #include <netkey/key.h>
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#include <netipsec/key.h>
+#endif /* FAST_IPSEC */
+
 #include <netinet6/ip6_fw.h>
 #include <net/net_osdep.h>
@@ -179,6 +185,12 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
 ip6 = mtod(m, struct ip6_hdr *);
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+ int needipsectun = 0;
+ struct secpolicy *sp = NULL;
+
+ ip6 = mtod(m, struct ip6_hdr *);
+#endif /* FAST_IPSEC */
 #define MAKE_EXTHDR(hp, mp) \
 do { \
@@ -247,6 +259,49 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
 printf("ip6_output: Invalid policy found. %d\n", sp->policy);
 }
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+ /* get a security policy for this packet */
+ if (inp == NULL)
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
+ else
+ sp = ipsec_getpolicybysock(m, IPSEC_DIR_OUTBOUND, inp, &error);
+
+ if (sp == NULL) {
+ newipsecstat.ips_out_inval++;
+ goto freehdrs;
+ }
+
+ error = 0;
+
+ /* check policy */
+ switch (sp->policy) {
+ case IPSEC_POLICY_DISCARD:
+ /*
+ * This packet is just discarded.
+ */
+ newipsecstat.ips_out_polvio++;
+ goto freehdrs;
+
+ case IPSEC_POLICY_BYPASS:
+ case IPSEC_POLICY_NONE:
+ /* no need to do IPsec. */
+ needipsec = 0;
+ break;
+
+ case IPSEC_POLICY_IPSEC:
+ if (sp->req == NULL) {
+ /* acquire a policy */
+ error = key_spdacquire(sp);
+ goto freehdrs;
+ }
+ needipsec = 1;
+ break;
+
+ case IPSEC_POLICY_ENTRUST:
+ default:
+ printf("ip6_output: Invalid policy found. %d\n", sp->policy);
+ }
+#endif /* FAST_IPSEC */
 /*
 * Calculate the total length of the extension header chain.
@@ -354,7 +409,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
 MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp, IPPROTO_ROUTING);
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 if (!needipsec)
 goto skip_ipsec2;
@@ -485,7 +540,7 @@ skip_ipsec2:;
 dst->sin6_scope_id = ntohs(dst->sin6_addr.s6_addr16[1]);
 #endif
 }
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 if (needipsec && needipsectun) {
 struct ipsec_output_state state;
@@ -1069,6 +1124,10 @@ done:
 if (sp != NULL)
 key_freesp(sp);
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+ if (sp != NULL)
+ KEY_FREESP(&sp);
+#endif /* FAST_IPSEC */
 return(error);
@@ -1480,7 +1539,7 @@ do { \
 }
 break;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 case IPV6_IPSEC_POLICY:
 {
 caddr_t req = NULL;
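Review bot: In the FAST_IPSEC policy switch, `case IPSEC_POLICY_ENTRUST:` / `default:` only prints "Invalid policy found" and then falls out of the switch, so a policy value the kernel does not understand lets the packet continue with `needipsec` unchanged — a fail-open on the outbound policy lookup, copied from the KAME block just above but better fixed in the new code than duplicated. Treat it like DISCARD by adding `newipsecstat.ips_out_polvio++;` / `goto freehdrs;` after the printf. Note also that `error = 0;` is assigned before the switch, so the DISCARD path reports success to the caller; if that is intentional (matching KAME) a short comment saying so would spare the next reader the same question. ip6_output() starts before and ends after this hunk, and `needipsec` is declared outside it.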
@@ -1635,7 +1694,7 @@ do { \
 }
 break;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 case IPV6_IPSEC_POLICY:
 {
 caddr_t req = NULL;
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 6d4cc22..540533b 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -105,6 +105,11 @@
 #include <netinet6/ipsec6.h>
 #endif /*IPSEC*/
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#endif /* FAST_IPSEC */
+
 #include <machine/stdarg.h>
 #define satosin6(sa) ((struct sockaddr_in6 *)(sa))
@@ -181,6 +186,15 @@ rip6_input(mp, offp, proto)
 /* do not inject data into pcb */
 } else
 #endif /*IPSEC*/
+#ifdef FAST_IPSEC
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (n && ipsec6_in_reject(n, last)) {
+ m_freem(n);
+ /* do not inject data into pcb */
+ } else
+#endif /*FAST_IPSEC*/
 if (n) {
 if (last->in6p_flags & IN6P_CONTROLOPTS ||
 last->in6p_socket->so_options & SO_TIMESTAMP)
@@ -212,6 +226,16 @@ rip6_input(mp, offp, proto)
 /* do not inject data into pcb */
 } else
 #endif /*IPSEC*/
+#ifdef FAST_IPSEC
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (last && ipsec6_in_reject(m, last)) {
+ m_freem(m);
+ ip6stat.ip6s_delivered--;
+ /* do not inject data into pcb */
+ } else
+#endif /*FAST_IPSEC*/
 if (last) {
 if (last->in6p_flags & IN6P_CONTROLOPTS ||
 last->in6p_socket->so_options & SO_TIMESTAMP)
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index a7e46b9..b5a4033 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -109,6 +109,11 @@
 #include <netinet6/ipsec6.h>
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#endif /* FAST_IPSEC */
+
 /*
 * UDP protocol inplementation.
 * Per RFC 768, August, 1980.
@@ -261,6 +266,14 @@ udp6_input(mp, offp, proto)
 /* do not inject data into pcb */
 else
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (ipsec6_in_reject(m, last))
+ ;
+ else
+#endif /* FAST_IPSEC */
 if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {
 /*
 * KAME NOTE: do not
@@ -320,6 +333,14 @@ udp6_input(mp, offp, proto)
 goto bad;
 }
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (ipsec6_in_reject(m, last)) {
+ goto bad;
+ }
+#endif /* FAST_IPSEC */
 if (last->in6p_flags & IN6P_CONTROLOPTS ||
 last->in6p_socket->so_options & SO_TIMESTAMP)
 ip6_savecontrol(last, &opts, ip6, m);
@@ -368,6 +389,14 @@ udp6_input(mp, offp, proto)
 goto bad;
 }
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (ipsec6_in_reject(m, in6p)) {
+ goto bad;
+ }
+#endif /* FAST_IPSEC */
 /*
 * Construct sockaddr format source address. |
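Review bot: The empty statement in `if (ipsec6_in_reject(m, last)) ; else` inside the udp6_input() multicast delivery loop is easy to misread as a stray semicolon, and unlike the KAME block just above it the new side carries no `/* do not inject data into pcb */` marker at that spot. Keep the comment on the Fast IPsec side too, e.g. `if (ipsec6_in_reject(m, last))` / `/* do not inject data into pcb */ ;` / `else`, so the deliberate no-op is visible to the next reader. The delivery loop starts before and ends after this hunk.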