[src/trunk]: src/sys bring in latest KAME ipsec tree.
details: https://anonhg.NetBSD.org/src/rev/8c6ddb6aa930
branches: trunk
changeset: 481443:8c6ddb6aa930
user: itojun <itojun%NetBSD.org@localhost>
date: Mon Jan 31 14:18:52 2000 +0000
description:
bring in latest KAME ipsec tree.
- interop issues in ipcomp are fixed
- padding type (after ESP) is configurable
- key database memory management (need more fixes)
- policy specification is revisited
XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon
diffstat:
sys/conf/files | 3 +-
sys/netinet/in_pcb.h | 6 +-
sys/netinet/ip_input.c | 18 +-
sys/netinet/ip_output.c | 27 +-
sys/netinet/raw_ip.c | 4 +-
sys/netinet/tcp_input.c | 23 +-
sys/netinet/tcp_subr.c | 8 +-
sys/netinet/tcp_usrreq.c | 6 +-
sys/netinet/udp_usrreq.c | 4 +-
sys/netinet6/ah.h | 19 +-
sys/netinet6/ah_core.c | 276 +-
sys/netinet6/ah_input.c | 309 +-
sys/netinet6/ah_output.c | 160 +-
sys/netinet6/esp.h | 17 +-
sys/netinet6/in6_pcb.c | 4 +-
sys/netinet6/in6_pcb.h | 7 +-
sys/netinet6/ip6_forward.c | 32 +-
sys/netinet6/ip6_output.c | 27 +-
sys/netinet6/ipcomp_core.c | 16 +-
sys/netinet6/ipcomp_input.c | 99 +-
sys/netinet6/ipcomp_output.c | 84 +-
sys/netinet6/ipsec.c | 1710 +++++++----
sys/netinet6/ipsec.h | 181 +-
sys/netinet6/raw_ip6.c | 4 +-
sys/netinet6/udp6_usrreq.c | 4 +-
sys/netkey/key.c | 5949 +++++++++++++++++++----------------------
sys/netkey/key.h | 68 +-
sys/netkey/key_debug.c | 283 +-
sys/netkey/key_debug.h | 32 +-
sys/netkey/key_var.h | 4 +-
sys/netkey/keydb.c | 215 +
sys/netkey/keydb.h | 161 +-
sys/netkey/keysock.c | 232 +-
sys/netkey/keysock.h | 59 +-
sys/netkey/keyv2.h | 167 +-
35 files changed, 5275 insertions(+), 4943 deletions(-)
diffs (truncated from 16225 to 300 lines):
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/conf/files
--- a/sys/conf/files Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/conf/files Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files,v 1.346 2000/01/26 06:27:33 thorpej Exp $
+# $NetBSD: files,v 1.347 2000/01/31 14:18:52 itojun Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
@@ -602,6 +602,7 @@
file kern/exec_ecoff.c exec_ecoff
file netkey/key.c ipsec
+file netkey/keydb.c ipsec
file netkey/key_debug.c ipsec
file netkey/keysock.c ipsec
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/in_pcb.h
--- a/sys/netinet/in_pcb.h Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/in_pcb.h Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in_pcb.h,v 1.27 1999/07/01 08:12:50 itojun Exp $ */
+/* $NetBSD: in_pcb.h,v 1.28 2000/01/31 14:18:53 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -95,9 +95,7 @@
int inp_errormtu; /* MTU of last xmit status = EMSGSIZE */
struct inpcbtable *inp_table;
#if 1 /*IPSEC*/
- struct secpolicy *inp_sp; /* security policy. It may not be
- * used according to policy selection.
- */
+ struct inpcbpolicy *inp_sp; /* security policy. */
#endif
};
#define inp_faddr inp_ip.ip_dst
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/ip_input.c Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.94 1999/10/26 09:53:17 itojun Exp $ */
+/* $NetBSD: ip_input.c,v 1.95 2000/01/31 14:18:54 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1430,18 +1430,21 @@
if (ipforward_rt.ro_rt) {
struct secpolicy *sp;
int ipsecerror;
- int ipsechdr;
+ size_t ipsechdr;
struct route *ro;
sp = ipsec4_getpolicybyaddr(mcopy,
- IP_FORWARDING,
- &ipsecerror);
+ IPSEC_DIR_OUTBOUND,
+ IP_FORWARDING,
+ &ipsecerror);
if (sp == NULL)
destifp = ipforward_rt.ro_rt->rt_ifp;
else {
/* count IPsec header size */
- ipsechdr = ipsec4_hdrsiz(mcopy, NULL);
+ ipsechdr = ipsec4_hdrsiz(mcopy,
+ IPSEC_DIR_OUTBOUND,
+ NULL);
/*
* find the correct route for outer IPv4
@@ -1454,8 +1457,9 @@
/*XXX*/
destifp = NULL;
if (sp->req != NULL
- && sp->req->sa != NULL) {
- ro = &sp->req->sa->saidx->sa_route;
+ && sp->req->sav != NULL
+ && sp->req->sav->sah != NULL) {
+ ro = &sp->req->sav->sah->sa_route;
if (ro->ro_rt && ro->ro_rt->rt_ifp) {
dummyifp.if_mtu =
ro->ro_rt->rt_ifp->if_mtu;
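Review bot: ipsechdr is now a size_t (`size_t ipsechdr;` in the first hunk of this file) while the MTU it is presumably subtracted from just after this hunk (`dummyifp.if_mtu = ro->ro_rt->rt_ifp->if_mtu;`) is an unsigned interface value, so the subtraction needs a guard such as `if (ipsechdr < dummyifp.if_mtu) dummyifp.if_mtu -= ipsechdr;` — an unsigned wrap would advertise an enormous MTU instead of forcing the fragmentation/too-big path. The added `sav != NULL && sav->sah != NULL` checks before dereferencing the cached route are correct; the `/*XXX*/ destifp = NULL;` default still drops the MTU silently when no SA or route is cached, which deserves a comment. The enclosing function starts and ends outside the hunk.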
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/ip_output.c
--- a/sys/netinet/ip_output.c Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/ip_output.c Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_output.c,v 1.65 1999/12/20 05:46:33 itojun Exp $ */
+/* $NetBSD: ip_output.c,v 1.66 2000/01/31 14:18:55 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -434,9 +434,9 @@
#ifdef IPSEC
/* get SP for this packet */
if (so == NULL)
- sp = ipsec4_getpolicybyaddr(m, flags, &error);
+ sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error);
else
- sp = ipsec4_getpolicybysock(m, so, &error);
+ sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
if (sp == NULL) {
ipsecstat.out_inval++;
@@ -939,10 +939,11 @@
#ifdef IPSEC
case IP_IPSEC_POLICY:
- {
+ {
caddr_t req = NULL;
- int len = 0;
+ size_t len = 0;
int priv = 0;
+
#ifdef __NetBSD__
if (p == 0 || suser(p->p_ucred, &p->p_acflag))
priv = 0;
@@ -951,12 +952,11 @@
#else
priv = (in6p->in6p_socket->so_state & SS_PRIV);
#endif
- if (m != 0) {
+ if (m) {
req = mtod(m, caddr_t);
len = m->m_len;
}
- error = ipsec_set_policy(&inp->inp_sp,
- optname, req, len, priv);
+ error = ipsec4_set_policy(inp, optname, req, len, priv);
break;
}
#endif /*IPSEC*/
@@ -1028,8 +1028,17 @@
#ifdef IPSEC
case IP_IPSEC_POLICY:
- error = ipsec_get_policy(inp->inp_sp, mp);
+ {
+ caddr_t req = NULL;
+ size_t len;
+
+ if (m) {
+ req = mtod(m, caddr_t);
+ len = m->m_len;
+ }
+ error = ipsec4_get_policy(inp, req, len, mp);
break;
+ }
#endif /*IPSEC*/
case IP_MULTICAST_IF:
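Review bot: In the new IP_IPSEC_POLICY getsockopt block, `size_t len;` is only assigned inside `if (m)`, so with a NULL mbuf an indeterminate length is passed to ipsec4_get_policy(); initialise it as the setsockopt block earlier in this file does, `size_t len = 0;`. Both the set and get paths hand `m->m_len` straight through as the request length, so ipsec4_set_policy()/ipsec4_get_policy() (outside this diff) must validate that length against the policy structure themselves, since the buffer originates from userland — worth confirming. The enclosing ip_ctloutput switch starts and ends outside the hunk.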
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/raw_ip.c
--- a/sys/netinet/raw_ip.c Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/raw_ip.c Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip.c,v 1.47 1999/12/13 15:17:20 itojun Exp $ */
+/* $NetBSD: raw_ip.c,v 1.48 2000/01/31 14:18:55 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -464,7 +464,7 @@
inp = sotoinpcb(so);
inp->inp_ip.ip_p = (long)nam;
#ifdef IPSEC
- error = ipsec_init_policy(&inp->inp_sp);
+ error = ipsec_init_policy(so, &inp->inp_sp);
if (error != 0) {
in_pcbdetach(inp);
break;
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/tcp_input.c
--- a/sys/netinet/tcp_input.c Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/tcp_input.c Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_input.c,v 1.101 1999/12/22 04:03:02 itojun Exp $ */
+/* $NetBSD: tcp_input.c,v 1.102 2000/01/31 14:18:56 itojun Exp $ */
/*
%%% portions-copyright-nrl-95
@@ -2890,27 +2890,22 @@
#endif
#ifdef IPSEC
- {
- struct secpolicy *sp;
+ /*
+ * we make a copy of policy, instead of sharing the policy,
+ * for better behavior in terms of SA lookup and dead SA removal.
+ */
if (inp) {
- sp = ipsec_copy_policy(sotoinpcb(oso)->inp_sp);
- if (sp) {
- key_freesp(inp->inp_sp);
- inp->inp_sp = sp;
- } else
+ /* copy old policy into new socket's */
+ if (ipsec_copy_policy(sotoinpcb(oso)->inp_sp, inp->inp_sp))
printf("tcp_input: could not copy policy\n");
}
#ifdef INET6
else if (in6p) {
- sp = ipsec_copy_policy(sotoin6pcb(oso)->in6p_sp);
- if (sp) {
- key_freesp(in6p->in6p_sp);
- in6p->in6p_sp = sp;
- } else
+ /* copy old policy into new socket's */
+ if (ipsec_copy_policy(sotoin6pcb(oso)->in6p_sp, in6p->in6p_sp))
printf("tcp_input: could not copy policy\n");
}
#endif
- }
#endif
/*
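Review bot: When `ipsec_copy_policy()` fails, the new code only prints `tcp_input: could not copy policy` and carries on, so the accepted socket keeps a policy other than the listening socket's; the error should propagate (drop the new pcb) rather than continue, which the old pointer-swap version had the same weakness on but the rewrite is the place to fix it. The rewrite also relies on `inp->inp_sp` / `in6p->in6p_sp` already having been allocated for the new pcb (by ipsec_init_policy, presumably), where the old code replaced the pointer; the new comment block should say so, e.g. `/* inp_sp was allocated by ipsec_init_policy(); copy the listener's policy into it. */`. The enclosing function starts and ends outside the hunk.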
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/tcp_subr.c
--- a/sys/netinet/tcp_subr.c Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/tcp_subr.c Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_subr.c,v 1.85 1999/12/15 06:28:43 itojun Exp $ */
+/* $NetBSD: tcp_subr.c,v 1.86 2000/01/31 14:18:57 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1657,7 +1657,8 @@
return 0;
switch (tp->t_family) {
case AF_INET:
- hdrsiz = ipsec4_hdrsiz(tp->t_template, inp);
+ /* XXX: should use currect direction. */
+ hdrsiz = ipsec4_hdrsiz(tp->t_template, IPSEC_DIR_OUTBOUND, inp);
break;
default:
hdrsiz = 0;
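Review bot: The new comment `/* XXX: should use currect direction. */` misspells "correct"; the same comment appears again in the second hunk of this file (the ipsec6_hdrsiz case). Since IPSEC_DIR_OUTBOUND is hard-coded, hdrsiz only reflects the outbound policy, so the size presumably fed into the MSS estimate can be too small when inbound and outbound policies differ; the XXX should name that consequence, e.g. `/* XXX: should use the correct direction; outbound only, so hdrsiz may be under-estimated when inbound policy differs. */`. The enclosing function starts and ends outside the hunk.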
@@ -1679,7 +1680,8 @@
return 0;
switch (tp->t_family) {
case AF_INET6:
- hdrsiz = ipsec6_hdrsiz(tp->t_template, in6p);
+ /* XXX: should use currect direction. */
+ hdrsiz = ipsec6_hdrsiz(tp->t_template, IPSEC_DIR_OUTBOUND, in6p);
break;
case AF_INET:
/* mapped address case - tricky */
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/tcp_usrreq.c
--- a/sys/netinet/tcp_usrreq.c Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/tcp_usrreq.c Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_usrreq.c,v 1.43 1999/12/13 15:17:21 itojun Exp $ */
+/* $NetBSD: tcp_usrreq.c,v 1.44 2000/01/31 14:18:58 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -731,7 +731,7 @@
}
#ifdef IPSEC
if (inp) {
- error = ipsec_init_policy(&inp->inp_sp);
+ error = ipsec_init_policy(so, &inp->inp_sp);
if (error != 0) {
in_pcbdetach(inp);
return (error);
@@ -739,7 +739,7 @@
}
#ifdef INET6
else if (in6p) {
- error = ipsec_init_policy(&in6p->in6p_sp);
+ error = ipsec_init_policy(so, &in6p->in6p_sp);
if (error != 0) {
in6_pcbdetach(in6p);
return (error);
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet/udp_usrreq.c
--- a/sys/netinet/udp_usrreq.c Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet/udp_usrreq.c Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udp_usrreq.c,v 1.57 2000/01/31 10:39:26 itojun Exp $ */
+/* $NetBSD: udp_usrreq.c,v 1.58 2000/01/31 14:18:58 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1342,7 +1342,7 @@
inp = sotoinpcb(so);
inp->inp_ip.ip_ttl = ip_defttl;
#ifdef IPSEC
- error = ipsec_init_policy(&inp->inp_sp);
+ error = ipsec_init_policy(so, &inp->inp_sp);
if (error != 0) {
in_pcbdetach(inp);
break;
diff -r 01a040e96cbe -r 8c6ddb6aa930 sys/netinet6/ah.h
--- a/sys/netinet6/ah.h Mon Jan 31 14:15:30 2000 +0000
+++ b/sys/netinet6/ah.h Mon Jan 31 14:18:52 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ah.h,v 1.7 2000/01/06 07:31:10 itojun Exp $ */
+/* $NetBSD: ah.h,v 1.8 2000/01/31 14:19:00 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -40,7 +40,7 @@