Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.c | 79 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 1 | ||||
-rw-r--r-- | sys/netipsec/key.c | 60 | ||||
-rw-r--r-- | sys/netipsec/keysock.c | 8 | ||||
-rw-r--r-- | sys/netipsec/xform_ah.c | 10 | ||||
-rw-r--r-- | sys/netipsec/xform_esp.c | 9 | ||||
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 6 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 7 |
8 files changed, 129 insertions, 51 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index b752a67..a686f43 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -97,23 +97,19 @@
 #include <opencrypto/cryptodev.h>
-#ifdef IPSEC_DEBUG
-int ipsec_debug = 1;
-#else
-int ipsec_debug = 0;
-#endif
-
+#ifdef VIMAGE_GLOBALS
 /* NB: name changed so netstat doesn't use it */
 struct ipsecstat ipsec4stat;
-int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
-int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
-int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
 struct secpolicy ip4_def_policy;
-int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
-int ip4_esp_randpad = -1;
+int ipsec_debug;
+int ip4_ah_offsetmask;
+int ip4_ipsec_dfbit;
+int ip4_esp_trans_deflev;
+int ip4_esp_net_deflev;
+int ip4_ah_trans_deflev;
+int ip4_ah_net_deflev;
+int ip4_ipsec_ecn;
+int ip4_esp_randpad;
 /*
 * Crypto support requirements:
 *
@@ -121,7 +117,8 @@ int ip4_esp_randpad = -1;
 * -1 require software support
 * 0 take anything
 */
-int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+int crypto_support;
+#endif /* VIMAGE_GLOBALS */
 SYSCTL_DECL(_net_inet_ipsec);
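Review bot: The explanatory comments that sat on the old initialisers (`/* maybe IP_DF? */`, the DF-bit table, the ECN value table) are gone from the declarations, and the bare `int` list under `#ifdef VIMAGE_GLOBALS` no longer says where its values come from. Add one comment above `int ipsec_debug;`: `/* Defaults for these knobs are assigned per vnet in ipsec_init(); see there for each knob's meaning. */`. Worth recording in the same comment that until ipsec_init() has run, `crypto_support` reads as 0, which the comment directly above it defines as "take anything" rather than the former compile-time HARDWARE|SOFTWARE default; whether any SA can be keyed inside that window is not visible from this hunk.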
@@ -164,29 +161,33 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
 "IPsec IPv4 statistics.");
 #ifdef REGRESSION
+#ifdef VIMAGE_GLOBALS
+int ipsec_replay;
+int ipsec_integrity;
+#endif
 /*
 * When set to 1, IPsec will send packets with the same sequence number.
 * This allows to verify if the other side has proper replay attacks detection.
 */
-int ipsec_replay = 0;
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
 /*
 * When set 1, IPsec will send packets with corrupted HMAC.
 * This allows to verify if the other side properly detects modified packets.
 */
-int ipsec_integrity = 0;
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");
 #endif
 #ifdef INET6
+#ifdef VIMAGE_GLOBALS
 struct ipsecstat ipsec6stat;
-int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
-int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
-int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+int ip6_esp_trans_deflev;
+int ip6_esp_net_deflev;
+int ip6_ah_trans_deflev;
+int ip6_ah_net_deflev;
+int ip6_ipsec_ecn;
+#endif
 SYSCTL_DECL(_net_inet6_ipsec6);
@@ -242,6 +243,40 @@ static size_t ipsec_hdrsiz __P((struct secpolicy *));
 MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
+void
+ipsec_init(void)
+{
+ INIT_VNET_IPSEC(curvnet);
+
+#ifdef IPSEC_DEBUG
+ V_ipsec_debug = 1;
+#else
+ V_ipsec_debug = 0;
+#endif
+
+ V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */
+ V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
+ V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+ V_ip4_esp_randpad = -1;
+
+ V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+
+#ifdef REGRESSION
+ V_ipsec_replay = 0;
+ V_ipsec_integrity = 0;
+#endif
+
+ V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+}
+
 /*
 * Return a held reference to the default SP.
 */
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index f6346f8..3bc6bc9 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -359,6 +359,7 @@ extern struct ipsecrequest *ipsec_newisr(void);
 extern void ipsec_delisr(struct ipsecrequest *);
 struct tdb_ident;
+extern void ipsec_init(void);
 extern struct secpolicy *ipsec_getpolicy __P((struct tdb_ident*, u_int));
 struct inpcb;
 extern struct secpolicy *ipsec4_checkpolicy __P((struct mbuf *, u_int, u_int,
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index c3cba60..db79f59 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
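Review bot: ipsec_init() assigns `V_ip6_esp_trans_deflev` through `V_ip6_ipsec_ecn` unconditionally, but the preceding hunk declares those variables only inside `#ifdef INET6`, so a kernel built without INET6 (at least with VIMAGE_GLOBALS; how the non-globals vnet struct guards them is not visible here) has no such objects for these five assignments to name. Wrap the block in `#ifdef INET6` … `#endif /* INET6 */`, mirroring the declaration. The function also has no header comment; something like `/* Per-vnet defaults for the IPsec sysctl knobs. Called from key_init0() before key_init(). */` would record its caller and the ordering the keysock.c hunk establishes.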
@@ -113,20 +113,31 @@
 * field hits 0 (= no external reference other than from SA header.
 */
-u_int32_t key_debug_level = 0;
-static u_int key_spi_trycnt = 1000;
-static u_int32_t key_spi_minval = 0x100;
-static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */
-static u_int32_t policy_id = 0;
-static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/
-static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
-static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
-static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
-static int key_preferred_oldsa = 1; /* preferred old sa rather than new sa.*/
-
-static u_int32_t acq_seq = 0;
+#ifdef VIMAGE_GLOBALS
+u_int32_t key_debug_level;
+static u_int key_spi_trycnt;
+static u_int32_t key_spi_minval;
+static u_int32_t key_spi_maxval;
+static u_int32_t policy_id;
+static u_int key_int_random;
+static u_int key_larval_lifetime;
+static int key_blockacq_count;
+static int key_blockacq_lifetime;
+static int key_preferred_oldsa;
+
+static u_int32_t acq_seq;
+
+static int ipsec_esp_keymin;
+static int ipsec_esp_auth;
+static int ipsec_ah_keymin;
 static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */
+static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
+static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
+static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
+static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
+#endif /* VIMAGE_GLOBALS */
+
 static struct mtx sptree_lock;
 #define SPTREE_LOCK_INIT() \
 mtx_init(&sptree_lock, "sptree", \
@@ -136,7 +147,6 @@ static struct mtx sptree_lock;
 #define SPTREE_UNLOCK() mtx_unlock(&sptree_lock)
 #define SPTREE_LOCK_ASSERT() mtx_assert(&sptree_lock, MA_OWNED)
-static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
 static struct mtx sahtree_lock;
 #define SAHTREE_LOCK_INIT() \
 mtx_init(&sahtree_lock, "sahtree", \
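Review bot: The four list heads `sahtree`, `regtree`, `acqtree` and `spacqtree` are moved away from the `*_lock` mutexes they sat beside, so the tree/lock pairing is no longer visible at the declaration; a trailing comment on each, e.g. `static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD; guarded by sahtree_lock */` (the pairing is inferred from the names and the `SAHTREE_LOCK_ASSERT` macro, so confirm it), keeps that contract readable where the variables now live. The same applies to the three `LIST_HEAD` removals in the following hunks. Note also that the trees become per-vnet under `VIMAGE_GLOBALS` while `sptree_lock`, `sahtree_lock` and the other mutexes stay plain file-scope objects, i.e. one lock presumably serialises every vnet's tree; if that is the intent, say so in the comment rather than leave it to be rediscovered.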
@@ -147,7 +157,6 @@ static struct mtx sahtree_lock;
 #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED)
 /* registed list */
-static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
 static struct mtx regtree_lock;
 #define REGTREE_LOCK_INIT() \
 mtx_init(®tree_lock, "regtree", "fast ipsec regtree", MTX_DEF)
@@ -156,7 +165,6 @@ static struct mtx regtree_lock;
 #define REGTREE_UNLOCK() mtx_unlock(®tree_lock)
 #define REGTREE_LOCK_ASSERT() mtx_assert(®tree_lock, MA_OWNED)
-static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
 static struct mtx acq_lock;
 #define ACQ_LOCK_INIT() \
 mtx_init(&acq_lock, "acqtree", "fast ipsec acquire list", MTX_DEF)
@@ -165,7 +173,6 @@ static struct mtx acq_lock;
 #define ACQ_UNLOCK() mtx_unlock(&acq_lock)
 #define ACQ_LOCK_ASSERT() mtx_assert(&acq_lock, MA_OWNED)
-static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
 static struct mtx spacq_lock;
 #define SPACQ_LOCK_INIT() \
 mtx_init(&spacq_lock, "spacqtree", \
@@ -236,10 +243,6 @@ static const int maxsize[] = {
 sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
 };
-static int ipsec_esp_keymin = 256;
-static int ipsec_esp_auth = 0;
-static int ipsec_ah_keymin = 128;
-
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_net_key);
 #endif
@@ -7184,6 +7187,23 @@ key_init(void)
 INIT_VNET_IPSEC(curvnet);
 int i;
+ V_key_debug_level = 0;
+ V_key_spi_trycnt = 1000;
+ V_key_spi_minval = 0x100;
+ V_key_spi_maxval = 0x0fffffff; /* XXX */
+ V_policy_id = 0;
+ V_key_int_random = 60; /*interval to initialize randseed,1(m)*/
+ V_key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
+ V_key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
+ V_key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
+ V_key_preferred_oldsa = 1; /* preferred old sa rather than new sa*/
+
+ V_acq_seq = 0;
+
+ V_ipsec_esp_keymin = 256;
+ V_ipsec_esp_auth = 0;
+ V_ipsec_ah_keymin = 128;
+
 SPTREE_LOCK_INIT();
 REGTREE_LOCK_INIT();
 SAHTREE_LOCK_INIT();
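Review bot: The block of assignments added to key_init() (whose signature is outside this hunk) has no comment saying why the defaults now live here, and `V_ipsec_esp_keymin = 256` / `V_ipsec_ah_keymin = 128` are key-length floors that read as 0 — no minimum — in any vnet for which key_init() has not yet run; whether an SA can be installed before that point is not visible here. A comment above `V_key_debug_level = 0;` such as `/* Per-vnet defaults, formerly static initialisers; must run before the SPD/SAD of this vnet is used. */` states the ordering requirement. `V_key_spi_maxval = 0x0fffffff; /* XXX */` carries the old `XXX` over without saying what is doubtful about the value; either spell it out or drop the tag.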
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index 882aed4..6d5c4bc 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -70,14 +70,16 @@ struct key_cb {
 int key_count;
 int any_count;
 };
+
+#ifdef VIMAGE_GLOBALS
 static struct key_cb key_cb;
+struct pfkeystat pfkeystat;
+#endif
 static struct sockaddr key_src = { 2, PF_KEY, };
 static int key_sendup0 __P((struct rawcb *, struct mbuf *, int));
-struct pfkeystat pfkeystat;
-
 /*
 * key_output()
 */
@@ -570,7 +572,9 @@ static void
 key_init0(void)
 {
 INIT_VNET_IPSEC(curvnet);
+ bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
+ ipsec_init();
 key_init();
 }
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index c5b3697..3a4c7dc 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -88,9 +88,11 @@
 #define AUTHSIZE(sav) \
 ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
-int ah_enable = 1; /* control flow of packets with AH */
-int ah_cleartos = 1; /* clear ip_tos when doing AH calc */
+#ifdef VIMAGE_GLOBALS
+int ah_enable;
+int ah_cleartos;
 struct ahstat ahstat;
+#endif
 SYSCTL_DECL(_net_inet_ah);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
@@ -1217,6 +1219,10 @@ static struct xformsw ah_xformsw = {
 static void
 ah_attach(void)
 {
+
+ V_ah_enable = 1; /* control flow of packets with AH */
+ V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
+
 xform_register(&ah_xformsw);
 }
 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 21cc82f..98a2240 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -76,8 +76,11 @@
 #include <opencrypto/cryptodev.h>
 #include <opencrypto/xform.h>
-int esp_enable = 1;
+#ifdef VIMAGE_GLOBALS
 struct espstat espstat;
+static int esp_max_ivlen; /* max iv length over all algorithms */
+int esp_enable;
+#endif
 SYSCTL_DECL(_net_inet_esp);
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
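Review bot: The per-vnet defaults are now split across two initialisation paths: key_init0() (which zeroes `V_key_cb` and calls ipsec_init() then key_init()) and the transform SYSINITs, with ah_attach() setting `V_ah_enable`/`V_ah_cleartos` at SI_SUB_PROTO_DOMAIN. If the SYSINIT runs once at boot while key_init0() runs per vnet — I cannot see which from these hunks — a later vnet gets `V_ah_enable == 0` (AH silently off) and `V_ah_cleartos == 0`, which changes the AH ICV input versus a peer that clears ip_tos and presumably breaks interoperability rather than failing closed. The same pattern is in esp_attach(), ipcomp_attach() and ipe4_attach() in the later hunks; either move these knobs into ipsec_init() beside the other per-vnet defaults, or document the assumption in ah_attach(): `/* per-vnet defaults; this SYSINIT must run once per vnet */`. Minor: the `(caddr_t)` cast in `bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));` is redundant, `bzero(&V_key_cb, sizeof(V_key_cb));` suffices.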
@@ -85,8 +88,6 @@ SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS, stats, CTLFLAG_RD, espstat, espstat, "");
-static int esp_max_ivlen; /* max iv length over all algorithms */
-
 static int esp_input_cb(struct cryptop *op);
 static int esp_output_cb(struct cryptop *crp);
@@ -993,7 +994,9 @@ esp_attach(void)
 if (xform.blocksize > V_esp_max_ivlen) \
 V_esp_max_ivlen = xform.blocksize \
+ V_esp_enable = 1;
 V_esp_max_ivlen = 0;
+
 MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
 MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
 MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 3492924..d64abf0f 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -67,8 +67,10 @@
 #include <opencrypto/deflate.h>
 #include <opencrypto/xform.h>
-int ipcomp_enable = 0;
+#ifdef VIMAGE_GLOBALS
+int ipcomp_enable;
 struct ipcompstat ipcompstat;
+#endif
 SYSCTL_DECL(_net_inet_ipcomp);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
@@ -597,6 +599,8 @@ static struct xformsw ipcomp_xformsw = {
 static void
 ipcomp_attach(void)
 {
+
+ V_ipcomp_enable = 0;
 xform_register(&ipcomp_xformsw);
 }
 SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 568d42e..610f984 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -91,8 +91,10 @@
 * We can control the acceptance of IP4 packets by altering the sysctl
 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
 */
-int ipip_allow = 0;
+#ifdef VIMAGE_GLOBALS
+int ipip_allow;
 struct ipipstat ipipstat;
+#endif
 SYSCTL_DECL(_net_inet_ipip);
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
@@ -694,6 +696,9 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
 static void
 ipe4_attach(void)
 {
+
+ V_ipip_allow = 0;
+
 xform_register(&ipe4_xformsw);
 /* attach to encapsulation framework */
 /* XXX save return cookie for detach on module remove */ |