
[src/trunk]: src Initial commit of a port of the FreeBSD implementation of RF...



details:   https://anonhg.NetBSD.org/src/rev/2d8c97e735aa
branches:  trunk
changeset: 566032:2d8c97e735aa
user:      jonathan <jonathan%NetBSD.org@localhost>
date:      Sun Apr 25 22:25:03 2004 +0000

description:
Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP).  Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net.  Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct.  Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do not see any code
that verifies received TCP-MD5 signatures.  Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary.  Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.

diffstat:

 lib/libipsec/pfkey.c        |   19 ++++-
 lib/libipsec/pfkey_dump.c   |    7 +-
 lib/libipsec/policy_token.l |    3 +-
 sbin/setkey/parse.y         |   19 +++-
 sbin/setkey/setkey.8        |    9 ++-
 sbin/setkey/token.l         |    4 +-
 share/man/man4/tcp.4        |   28 ++++++-
 sys/net/pfkeyv2.h           |    6 +-
 sys/netinet/files.netinet   |    4 +-
 sys/netinet/ip.h            |   14 +++-
 sys/netinet/tcp.h           |    8 +-
 sys/netinet/tcp_input.c     |   58 ++++++++++++++-
 sys/netinet/tcp_output.c    |   44 ++++++++++-
 sys/netinet/tcp_subr.c      |  145 +++++++++++++++++++++++++++++++++++-
 sys/netinet/tcp_usrreq.c    |   29 ++++++-
 sys/netinet/tcp_var.h       |   25 ++++++-
 sys/netipsec/files.netipsec |    4 +-
 sys/netipsec/ipsec.c        |    7 +-
 sys/netipsec/ipsec.h        |    7 +-
 sys/netipsec/key.c          |   24 +++++-
 sys/netipsec/xform_tcp.c    |  174 ++++++++++++++++++++++++++++++++++++++++++++
 21 files changed, 597 insertions(+), 41 deletions(-)

diffs (truncated from 1221 to 300 lines):

diff -r c8872dbd5c9f -r 2d8c97e735aa lib/libipsec/pfkey.c
--- a/lib/libipsec/pfkey.c      Sun Apr 25 22:21:17 2004 +0000
+++ b/lib/libipsec/pfkey.c      Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pfkey.c,v 1.20 2004/02/24 15:12:51 wiz Exp $   */
+/*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/lib/libipsec/pfkey.c,v 1.1.2.3 2004/02/14 22:28:29 bms Exp $       */
 /*     $KAME: pfkey.c,v 1.46 2003/08/26 03:37:06 itojun Exp $  */
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: pfkey.c,v 1.20 2004/02/24 15:12:51 wiz Exp $");
+__RCSID("$NetBSD: pfkey.c,v 1.21 2004/04/25 22:25:05 jonathan Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -80,12 +80,13 @@
 /*
  * make and search supported algorithm structure.
  */
-static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, };
+static struct sadb_supported *ipsec_supported[] = { NULL, NULL, NULL, NULL };
 
 static int supported_map[] = {
        SADB_SATYPE_AH,
        SADB_SATYPE_ESP,
        SADB_X_SATYPE_IPCOMP,
+       SADB_X_SATYPE_TCPSIGNATURE
 };
 
 static int
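Review bot: `ipsec_supported[]` and `supported_map[]` grow in step here (a fourth NULL slot and a fourth satype), which suggests they are indexed in parallel by code outside this hunk, but nothing in the declarations states it, so the next satype addition can easily update one array and not the other. A one-line comment above the first array would make the invariant explicit, e.g. `/* ipsec_supported[] and supported_map[] are parallel arrays; keep their lengths in step. */`, or size `ipsec_supported` from `supported_map` with `sizeof supported_map / sizeof supported_map[0]` if the lookup iterates the map. The functions that read these tables start outside the hunk.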
@@ -1170,6 +1171,16 @@
                        return -1;
                }
                break;
+       case SADB_X_SATYPE_TCPSIGNATURE:
+               if (e_type != SADB_EALG_NONE) {
+                       __ipsec_errcode = EIPSEC_INVAL_ALGS;
+                       return -1;
+               }
+               if (a_type != SADB_X_AALG_TCP_MD5) {
+                       __ipsec_errcode = EIPSEC_INVAL_ALGS;
+                       return -1;
+               }
+               break;
        default:
                __ipsec_errcode = EIPSEC_INVAL_SATYPE;
                return -1;
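Review bot: The two checks in the new `SADB_X_SATYPE_TCPSIGNATURE` case set the same error code and take the same exit, so they read more clearly as one condition: `if (e_type != SADB_EALG_NONE || a_type != SADB_X_AALG_TCP_MD5) {` followed by the single `__ipsec_errcode = EIPSEC_INVAL_ALGS; return -1;`. This is a style point only; the behaviour is correct as written. The enclosing switch and its function start outside the hunk, so I cannot see whether the sibling AH/ESP cases use the split or the combined form — match whichever they use.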
@@ -1380,6 +1391,7 @@
                case SADB_SATYPE_AH:
                case SADB_SATYPE_ESP:
                case SADB_X_SATYPE_IPCOMP:
+               case SADB_X_SATYPE_TCPSIGNATURE:
                        break;
                default:
                        __ipsec_errcode = EIPSEC_INVAL_SATYPE;
@@ -1842,6 +1854,7 @@
        case SADB_SATYPE_ESP:
        case SADB_SATYPE_AH:
        case SADB_X_SATYPE_IPCOMP:
+       case SADB_X_SATYPE_TCPSIGNATURE:
                switch (msg->sadb_msg_type) {
                case SADB_X_SPDADD:
                case SADB_X_SPDDELETE:
diff -r c8872dbd5c9f -r 2d8c97e735aa lib/libipsec/pfkey_dump.c
--- a/lib/libipsec/pfkey_dump.c Sun Apr 25 22:21:17 2004 +0000
+++ b/lib/libipsec/pfkey_dump.c Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pfkey_dump.c,v 1.17 2003/09/08 10:16:31 itojun Exp $   */
+/*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/lib/libipsec/pfkey_dump.c,v 1.1.2.5 2004/02/14 22:28:29 bms Exp $  */
 /*     $KAME: pfkey_dump.c,v 1.45 2003/09/08 10:14:56 itojun Exp $     */
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: pfkey_dump.c,v 1.17 2003/09/08 10:16:31 itojun Exp $");
+__RCSID("$NetBSD: pfkey_dump.c,v 1.18 2004/04/25 22:25:05 jonathan Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -104,6 +104,8 @@
        "ripv2",
        "mip",
        "ipcomp",
+       "policy",
+       "tcp"
 };
 
 static char *str_mode[] = {
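Review bot: The string table whose tail is shown here looks positional — it is presumably indexed by the numeric satype, since a `"policy"` entry is inserted before `"tcp"` although this commit adds no policy satype. If that is the case, the correspondence between array slot and `SADB_X_SATYPE_*` value is silent and will break the next time a satype is added out of order; designated initializers such as `[SADB_X_SATYPE_TCPSIGNATURE] = "tcp",` would let the compiler place each name, or at least a comment `/* indexed by SADB_*SATYPE_* value; keep in sync with <net/pfkeyv2.h> */` above the table would document the invariant. The table's declaration starts outside the hunk, so I cannot confirm how it is indexed.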
@@ -126,6 +128,7 @@
        { SADB_X_AALG_MD5, "md5", },
        { SADB_X_AALG_SHA, "sha", },
        { SADB_X_AALG_NULL, "null", },
+       { SADB_X_AALG_TCP_MD5, "tcp-md5", },
        { SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
        { SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
        { SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
diff -r c8872dbd5c9f -r 2d8c97e735aa lib/libipsec/policy_token.l
--- a/lib/libipsec/policy_token.l       Sun Apr 25 22:21:17 2004 +0000
+++ b/lib/libipsec/policy_token.l       Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: policy_token.l,v 1.8 2003/07/22 03:32:17 itojun Exp $  */
+/*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/lib/libipsec/policy_token.l,v 1.2.2.3 2004/02/14 22:28:29 bms Exp $        */
 /*     $KAME: policy_token.l,v 1.13 2003/05/09 05:19:55 sakane Exp $   */
 
 /*
@@ -101,6 +101,7 @@
 esp            { yylval.num = IPPROTO_ESP; return(PROTOCOL); }
 ah             { yylval.num = IPPROTO_AH; return(PROTOCOL); }
 ipcomp         { yylval.num = IPPROTO_IPCOMP; return(PROTOCOL); }
+tcp            { yylval.num = IPPROTO_TCP; return(PROTOCOL); }
 
 transport      { yylval.num = IPSEC_MODE_TRANSPORT; return(MODE); }
 tunnel         { yylval.num = IPSEC_MODE_TUNNEL; return(MODE); }
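Review bot: The lexer now accepts `tcp` as a PROTOCOL in policy strings, yielding `IPPROTO_TCP` alongside `IPPROTO_ESP`/`IPPROTO_AH`/`IPPROTO_IPCOMP`, but the diff shows no matching change in the policy parser or the kernel SPD code that consumes the protocol of a policy request. If those paths only know the three IPsec protocols, the token is accepted here and rejected (or silently ignored) later; worth confirming, and if `tcp` is not meant to be usable in `-P` policies at all, the rule can be dropped and the satype handled solely through the `setkey` SAD grammar. A short comment on the rule stating the intended use would help either way.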
diff -r c8872dbd5c9f -r 2d8c97e735aa sbin/setkey/parse.y
--- a/sbin/setkey/parse.y       Sun Apr 25 22:21:17 2004 +0000
+++ b/sbin/setkey/parse.y       Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: parse.y,v 1.14 2003/09/12 07:45:21 itojun Exp $        */
+/*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/usr.sbin/setkey/parse.y,v 1.1.2.4 2004/04/06 10:02:12 bms Exp $    */
 /*     $KAME: parse.y,v 1.80 2003/06/27 07:15:45 itojun Exp $  */
 
 /*
@@ -96,7 +96,7 @@
 
 %token EOT SLASH BLCL ELCL
 %token ADD GET DELETE DELETEALL FLUSH DUMP
-%token PR_ESP PR_AH PR_IPCOMP
+%token PR_ESP PR_AH PR_IPCOMP PR_TCP
 %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
 %token F_MODE MODE F_REQID
 %token F_EXT EXTENSION NOCYCLICSEQ
@@ -115,7 +115,7 @@
 %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
 %type <num> ALG_AUTH ALG_AUTH_NOKEY
 %type <num> ALG_COMP
-%type <num> PR_ESP PR_AH PR_IPCOMP
+%type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
 %type <num> EXTENSION MODE
 %type <ulnum> DECSTRING
 %type <val> PL_REQUESTS portstr key_string
@@ -252,8 +252,12 @@
                {
                        $$ = SADB_X_SATYPE_IPCOMP;
                }
+       |       PR_TCP
+               {
+                       $$ = SADB_X_SATYPE_TCPSIGNATURE;
+               }
        ;
-       
+
 spi
        :       DECSTRING { p_spi = $1; }
        |       HEXSTRING
@@ -402,7 +406,11 @@
 
                        p_key_auth_len = $2.len;
                        p_key_auth = $2.buf;
-                       if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
+                       if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
+                               if ((p_key_auth_len < 1) || (p_key_auth_len >
+                                   80))
+                               return -1;
+                       } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
                            p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
                                yyerror(ipsec_strerror());
                                return -1;
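Review bot: The new TCP-MD5 branch returns -1 without calling `yyerror()`, while the `else if` branch it replaces reports `yyerror(ipsec_strerror())`, so an out-of-range key length fails the parse with no diagnostic to the user. The inner `return -1;` is also indented at the level of its controlling `if`, which hides that it is the conditional body; brace it and add the message, e.g. `if (p_key_auth_len < 1 || p_key_auth_len > 80) {` / `yyerror("tcp-md5 key length must be 1 to 80 bytes"); return -1;` / `}`. The 1..80 byte range matches the "8 to 640" bits documented in setkey.8 in this same commit. The rule action containing this code starts outside the hunk.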
@@ -654,6 +662,7 @@
 upper_spec
        :       DECSTRING { $$ = $1; }
        |       ANY { $$ = IPSEC_ULPROTO_ANY; }
+       |       PR_TCP { $$ = IPPROTO_TCP; }
        |       STRING
                {
                        struct protoent *ent;
diff -r c8872dbd5c9f -r 2d8c97e735aa sbin/setkey/setkey.8
--- a/sbin/setkey/setkey.8      Sun Apr 25 22:21:17 2004 +0000
+++ b/sbin/setkey/setkey.8      Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: setkey.8,v 1.27 2003/10/21 07:20:11 itojun Exp $
+.\"    $NetBSD: setkey.8,v 1.28 2004/04/25 22:25:05 jonathan Exp $
 .\"    $KAME: setkey.8,v 1.90 2003/09/08 06:10:43 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
@@ -265,6 +265,8 @@
 AH based on rfc1826
 .It Li ipcomp
 IPComp
+.It Li tcp
+TCP-MD5 based on rfc2385
 .El
 .\"
 .Pp
@@ -278,6 +280,8 @@
 prefix.
 SPI values between 0 and 255 are reserved for future use by IANA
 and they cannot be used.
+TCP-MD5 associations must use 0x1000 and therefore only have per-host
+granularity at this time.
 .\"
 .Pp
 .It Ar extensions
@@ -586,6 +590,7 @@
                                ah-old: 128bit ICV (no document)
 aes-xcbc-mac   128             ah: 96bit ICV (RFC3566)
                128             ah-old: 128bit ICV (no document)
+tcp-md5                8 to 640        tcp: rfc2385
 .Ed
 .Pp
 Followings are the list of encryption algorithms that can be used as
@@ -650,6 +655,8 @@
 spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
        -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;
 
+add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;
+
 .Ed
 .\"
 .Sh SEE ALSO
diff -r c8872dbd5c9f -r 2d8c97e735aa sbin/setkey/token.l
--- a/sbin/setkey/token.l       Sun Apr 25 22:21:17 2004 +0000
+++ b/sbin/setkey/token.l       Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: token.l,v 1.15 2003/10/21 02:38:15 fvdl Exp $  */
+/*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/usr.sbin/setkey/token.l,v 1.2.2.4 2004/02/14 22:28:29 bms Exp $    */
 /*     $KAME: token.l,v 1.43 2003/07/25 09:35:28 itojun Exp $  */
 
 /*
@@ -143,6 +143,7 @@
 ah-old         { yylval.num = 1; return(PR_AH); }
 esp-old                { yylval.num = 1; return(PR_ESP); }
 ipcomp         { yylval.num = 0; return(PR_IPCOMP); }
+tcp            { yylval.num = 0; return(PR_TCP); }
 
        /* authentication alogorithm */
 {hyphen}A      { BEGIN S_AUTHALG; return(F_AUTH); }
@@ -155,6 +156,7 @@
 <S_AUTHALG>hmac-sha2-512 { yylval.num = SADB_X_AALG_SHA2_512; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>hmac-ripemd160 { yylval.num = SADB_X_AALG_RIPEMD160HMAC; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>aes-xcbc-mac { yylval.num = SADB_X_AALG_AES_XCBC_MAC; BEGIN INITIAL; return(ALG_AUTH); }
+<S_AUTHALG>tcp-md5     { yylval.num = SADB_X_AALG_TCP_MD5; BEGIN INITIAL; return(ALG_AUTH); }
 <S_AUTHALG>null { yylval.num = SADB_X_AALG_NULL; BEGIN INITIAL; return(ALG_AUTH_NOKEY); }
 
        /* encryption alogorithm */
diff -r c8872dbd5c9f -r 2d8c97e735aa share/man/man4/tcp.4
--- a/share/man/man4/tcp.4      Sun Apr 25 22:21:17 2004 +0000
+++ b/share/man/man4/tcp.4      Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,5 @@
-.\"    $NetBSD: tcp.4,v 1.16 2004/04/25 02:48:10 snj Exp $
+.\"    $NetBSD: tcp.4,v 1.17 2004/04/25 22:25:05 jonathan Exp $
+.\"    $FreeBSD: tcp.4,v 1.11.2.16 2004/02/16 22:21:47 bms Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -133,6 +134,31 @@
 .Dv TCP_MAXSEG
 option allows the user to determine the result of this negotiation,
 and to reduce it if desired.
+.It Dv TCP_MD5SIG
+This option enables the use of MD5 digests (also known as TCP-MD5)
+on writes to the specified socket.
+In the current release, only outgoing traffic is digested;
+digests on incoming traffic are not verified.
+The current default behavior for the system is to respond to a system
+advertising this option with TCP-MD5; this may change.
+.Pp
+One common use for this in a FreeBSD router deployment is to enable
+based routers to interwork with Cisco equipment at peering points.
+Support for this feature conforms to RFC 2385.
+Only IPv4 (AF_INET) sessions are supported.
+.Pp
+In order for this option to function correctly, it is necessary for the
+administrator to add a tcp-md5 key entry to the system's security
+associations database (SADB) using the
+.Xr setkey 8
+utility.
+This entry must have an SPI of 0x1000 and can therefore only be specified
+on a per-host basis at this time.
+.Pp
+If an SADB entry cannot be found for the destination, the outgoing traffic
+will have an invalid digest option prepended, and the following error message
+will be visible on the system console:
+.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" .
 .El
 .Pp
 The option level for the
diff -r c8872dbd5c9f -r 2d8c97e735aa sys/net/pfkeyv2.h
--- a/sys/net/pfkeyv2.h Sun Apr 25 22:21:17 2004 +0000
+++ b/sys/net/pfkeyv2.h Sun Apr 25 22:25:03 2004 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pfkeyv2.h,v 1.15 2003/08/15 03:42:00 jonathan Exp $    */
+/*     $NetBSD: pfkeyv2.h,v 1.16 2004/04/25 22:25:03 jonathan Exp $    */
 /*     $KAME: pfkeyv2.h,v 1.36 2003/07/25 09:33:37 itojun Exp $        */
 
 /*


