[src/perseant-stdc-iso10646]: src/sys/netipsec 3199078
details: https://anonhg.NetBSD.org/src/rev/5d4aec2bbdf8
branches: perseant-stdc-iso10646
changeset: 850669:5d4aec2bbdf8
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Tue Jul 18 02:10:34 2017 +0000
description:
3199078
diffstat:
sys/netipsec/key.c | 8258 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 8258 insertions(+), 0 deletions(-)
diffs (truncated from 8262 to 300 lines):
diff -r ec7b4ed5f9ff -r 5d4aec2bbdf8 sys/netipsec/key.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/netipsec/key.c Tue Jul 18 02:10:34 2017 +0000
@@ -0,0 +1,8258 @@
+/* $NetBSD: key.c,v 1.188.2.2 2017/07/18 02:10:34 ozaki-r Exp $ */
+/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
+/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.188.2.2 2017/07/18 02:10:34 ozaki-r Exp $");
+
+/*
+ * This code is referd to RFC 2367
+ */
+
+#if defined(_KERNEL_OPT)
+#include "opt_inet.h"
+#include "opt_ipsec.h"
+#include "opt_gateway.h"
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/callout.h>
+#include <sys/kernel.h>
+#include <sys/mbuf.h>
+#include <sys/domain.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+#include <sys/errno.h>
+#include <sys/proc.h>
+#include <sys/queue.h>
+#include <sys/syslog.h>
+#include <sys/once.h>
+#include <sys/cprng.h>
+#include <sys/psref.h>
+#include <sys/lwp.h>
+#include <sys/workqueue.h>
+#include <sys/kmem.h>
+#include <sys/cpu.h>
+#include <sys/atomic.h>
+
+#include <net/if.h>
+#include <net/route.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/in_var.h>
+#ifdef INET
+#include <netinet/ip_var.h>
+#endif
+
+#ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet6/in6_var.h>
+#include <netinet6/ip6_var.h>
+#endif /* INET6 */
+
+#ifdef INET
+#include <netinet/in_pcb.h>
+#endif
+#ifdef INET6
+#include <netinet6/in6_pcb.h>
+#endif /* INET6 */
+
+#include <net/pfkeyv2.h>
+#include <netipsec/keydb.h>
+#include <netipsec/key.h>
+#include <netipsec/keysock.h>
+#include <netipsec/key_debug.h>
+
+#include <netipsec/ipsec.h>
+#ifdef INET6
+#include <netipsec/ipsec6.h>
+#endif
+#include <netipsec/ipsec_private.h>
+
+#include <netipsec/xform.h>
+#include <netipsec/ipcomp.h>
+
+
+#include <net/net_osdep.h>
+
+#define FULLMASK 0xff
+#define _BITS(bytes) ((bytes) << 3)
+
+#define PORT_NONE 0
+#define PORT_LOOSE 1
+#define PORT_STRICT 2
+
+percpu_t *pfkeystat_percpu;
+
+/*
+ * Note on SA reference counting:
+ * - SAs that are not in DEAD state will have (total external reference + 1)
+ * following value in reference count field. they cannot be freed and are
+ * referenced from SA header.
+ * - SAs that are in DEAD state will have (total external reference)
+ * in reference count field. they are ready to be freed. reference from
+ * SA header will be removed in key_delsav(), when the reference count
+ * field hits 0 (= no external reference other than from SA header.
+ */
+
+u_int32_t key_debug_level = 0;
+static u_int key_spi_trycnt = 1000;
+static u_int32_t key_spi_minval = 0x100;
+static u_int32_t key_spi_maxval = 0x0fffffff; /* XXX */
+static u_int32_t policy_id = 0;
+static u_int key_int_random = 60; /*interval to initialize randseed,1(m)*/
+static u_int key_larval_lifetime = 30; /* interval to expire acquiring, 30(s)*/
+static int key_blockacq_count = 10; /* counter for blocking SADB_ACQUIRE.*/
+static int key_blockacq_lifetime = 20; /* lifetime for blocking SADB_ACQUIRE.*/
+static int key_prefered_oldsa = 0; /* prefered old sa rather than new sa.*/
+
+static u_int32_t acq_seq = 0;
+
+static LIST_HEAD(_sptree, secpolicy) sptree[IPSEC_DIR_MAX]; /* SPD */
+static LIST_HEAD(_sahtree, secashead) sahtree; /* SAD */
+static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1];
+ /* registed list */
+#ifndef IPSEC_NONBLOCK_ACQUIRE
+static LIST_HEAD(_acqtree, secacq) acqtree; /* acquiring list */
+#endif
+#ifdef notyet
+static LIST_HEAD(_spacqtree, secspacq) spacqtree; /* SP acquiring list */
+#endif
+
+/*
+ * Protect regtree, acqtree and items stored in the lists.
+ */
+static kmutex_t key_mtx __cacheline_aligned;
+
+/* search order for SAs */
+ /*
+ * This order is important because we must select the oldest SA
+ * for outbound processing. For inbound, This is not important.
+ */
+static const u_int saorder_state_valid_prefer_old[] = {
+ SADB_SASTATE_DYING, SADB_SASTATE_MATURE,
+};
+static const u_int saorder_state_valid_prefer_new[] = {
+ SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
+};
+
+static const u_int saorder_state_alive[] = {
+ /* except DEAD */
+ SADB_SASTATE_MATURE, SADB_SASTATE_DYING, SADB_SASTATE_LARVAL
+};
+static const u_int saorder_state_any[] = {
+ SADB_SASTATE_MATURE, SADB_SASTATE_DYING,
+ SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD
+};
+
+#define SASTATE_ALIVE_FOREACH(s) \
+ for (int _i = 0; \
+ _i < __arraycount(saorder_state_alive) ? \
+ (s) = saorder_state_alive[_i], true : false; \
+ _i++)
+#define SASTATE_ANY_FOREACH(s) \
+ for (int _i = 0; \
+ _i < __arraycount(saorder_state_any) ? \
+ (s) = saorder_state_any[_i], true : false; \
+ _i++)
+
+static const int minsize[] = {
+ sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */
+ sizeof(struct sadb_sa), /* SADB_EXT_SA */
+ sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */
+ sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */
+ sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */
+ sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_SRC */
+ sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_DST */
+ sizeof(struct sadb_address), /* SADB_EXT_ADDRESS_PROXY */
+ sizeof(struct sadb_key), /* SADB_EXT_KEY_AUTH */
+ sizeof(struct sadb_key), /* SADB_EXT_KEY_ENCRYPT */
+ sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_SRC */
+ sizeof(struct sadb_ident), /* SADB_EXT_IDENTITY_DST */
+ sizeof(struct sadb_sens), /* SADB_EXT_SENSITIVITY */
+ sizeof(struct sadb_prop), /* SADB_EXT_PROPOSAL */
+ sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_AUTH */
+ sizeof(struct sadb_supported), /* SADB_EXT_SUPPORTED_ENCRYPT */
+ sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */
+ 0, /* SADB_X_EXT_KMPRIVATE */
+ sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */
+ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
+ sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */
+ sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */
+ sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */
+ sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAI */
+ sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OAR */
+ sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */
+};
+static const int maxsize[] = {
+ sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */
+ sizeof(struct sadb_sa), /* SADB_EXT_SA */
+ sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_CURRENT */
+ sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_HARD */
+ sizeof(struct sadb_lifetime), /* SADB_EXT_LIFETIME_SOFT */
+ 0, /* SADB_EXT_ADDRESS_SRC */
+ 0, /* SADB_EXT_ADDRESS_DST */
+ 0, /* SADB_EXT_ADDRESS_PROXY */
+ 0, /* SADB_EXT_KEY_AUTH */
+ 0, /* SADB_EXT_KEY_ENCRYPT */
+ 0, /* SADB_EXT_IDENTITY_SRC */
+ 0, /* SADB_EXT_IDENTITY_DST */
+ 0, /* SADB_EXT_SENSITIVITY */
+ 0, /* SADB_EXT_PROPOSAL */
+ 0, /* SADB_EXT_SUPPORTED_AUTH */
+ 0, /* SADB_EXT_SUPPORTED_ENCRYPT */
+ sizeof(struct sadb_spirange), /* SADB_EXT_SPIRANGE */
+ 0, /* SADB_X_EXT_KMPRIVATE */
+ 0, /* SADB_X_EXT_POLICY */
+ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */
+ sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */
+ sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */
+ sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */
+ 0, /* SADB_X_EXT_NAT_T_OAI */
+ 0, /* SADB_X_EXT_NAT_T_OAR */
+ sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */
+};
+
+static int ipsec_esp_keymin = 256;
+static int ipsec_esp_auth = 0;
+static int ipsec_ah_keymin = 128;
+
+#ifdef SYSCTL_DECL
+SYSCTL_DECL(_net_key);
+#endif
+
+#ifdef SYSCTL_INT
+SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \
+ &key_debug_level, 0, "");
+
+/* max count of trial for the decision of spi value */
+SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \
+ &key_spi_trycnt, 0, "");
+
+/* minimum spi value to allocate automatically. */
+SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, \
+ &key_spi_minval, 0, "");
+
+/* maximun spi value to allocate automatically. */
+SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, CTLFLAG_RW, \
+ &key_spi_maxval, 0, "");
+
+/* interval to initialize randseed */
+SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, CTLFLAG_RW, \
+ &key_int_random, 0, "");
+
+/* lifetime for larval SA */
+SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, CTLFLAG_RW, \
+ &key_larval_lifetime, 0, "");
+
+/* counter for blocking to send SADB_ACQUIRE to IKEd */
+SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \
+ &key_blockacq_count, 0, "");
+
+/* lifetime for blocking to send SADB_ACQUIRE to IKEd */
+SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \
+ &key_blockacq_lifetime, 0, "");
+
+/* ESP auth */
+SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \
+ &ipsec_esp_auth, 0, "");
+
+/* minimum ESP key length */
+SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \
+ &ipsec_esp_keymin, 0, "");