Date:      Thu, 04 Nov 2004 16:16:12 +0900
From:      SUZUKI Shinsuke <suz@kame.net>
To:        dgilbert@dclg.ca
Cc:        mike@sentex.net
Subject:   Re: IPSec on current.
Message-ID:  <x74qk6qe2r.wl%suz@crl.hitachi.co.jp>
In-Reply-To: <16768.22876.926445.412412@canoe.dclg.ca>
References:  <16767.52282.937187.190919@canoe.dclg.ca> <6.1.2.0.0.20041027124606.09c40768@64.7.153.2> <16767.53956.366966.737912@canoe.dclg.ca> <6.1.2.0.0.20041027131824.10140c90@64.7.153.2> <m2fz3ztwct.wl@minion.local.neville-neil.com> <16768.22876.926445.412412@canoe.dclg.ca>

--Multipart_Thu_Nov__4_16:16:12_2004-1
Content-Type: text/plain; charset=US-ASCII

>>>>> On Wed, 27 Oct 2004 22:28:44 -0400
>>>>> dgilbert@dclg.ca(David Gilbert)  said:

> It's also possible that the division panic and the GPF panic were with
> and without INET6.  I'm not on the machine at the moment.
> 
> Not supporting IPv6 is less of a showstopper than not supporting
> FAST_IPSEC, as the latter is required (for instance) by BGP.

Just FYI.

I've just implemented TCP-MD5(IPv4) on KAME-IPSEC and confirmed it's
working fine.  (I'll work on TCP-MD5(IPv6) later)

Please let me know if you have any objection or comment to the
following patch.  If it's okay, I'd like to commit it to -current.

(it just invokes the existing TCP-MD5 calculation routine, so I believe
it has no effect on the existing functions)

Thanks,
----
SUZUKI, Shinsuke @ KAME Project


--Multipart_Thu_Nov__4_16:16:12_2004-1
Content-Type: text/plain; charset=US-ASCII

diff -ur src/sys/netinet/tcp_subr.c src-53/sys/netinet/tcp_subr.c
--- src/sys/netinet/tcp_subr.c	Thu Oct 21 18:30:47 2004
+++ src-53/sys/netinet/tcp_subr.c	Fri Oct 29 12:53:00 2004
@@ -95,6 +95,7 @@
 #ifdef INET6
 #include <netinet6/ipsec6.h>
 #endif
+#include <netkey/key.h>
 #endif /*IPSEC*/
 
 #ifdef FAST_IPSEC
diff -ur src/sys/netinet6/ah_core.c src-53/sys/netinet6/ah_core.c
--- src/sys/netinet6/ah_core.c	Wed Mar 10 13:56:54 2004
+++ src-53/sys/netinet6/ah_core.c	Sat Oct 30 00:09:02 2004
@@ -189,6 +189,10 @@
 		"aes-xcbc-mac",
 		ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
 		ah_aes_xcbc_mac_result, },
+	{ ah_sumsiz_1216, ah_none_mature, 1, 80, /* TCP_KEYLEN_MIN/MAX */
+		"TCP-MD5",
+		ah_none_init, ah_none_loop,
+		ah_none_result, },
 };
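Review bot: The key-length bounds `1, 80` in the new TCP-MD5 row appear to be in a different unit from the rest of `ah_algorithms`: the existing rows (not visible in this hunk) seem to express `keymin`/`keymax` in bits, which `key_mature` would compare against `sadb_key_bits`, whereas the `TCP_KEYLEN_MIN/MAX` named in the comment are byte counts. If that is the case, a key longer than 10 bytes is rejected at SA maturity and the row would need `8, 640 /* TCP_KEYLEN_MIN/MAX, in bits */`; please confirm the unit against the struct definition before committing. Separately, because the row reuses `ah_none_init`/`ah_none_loop`/`ah_none_result`, an SA carrying this algorithm under IPPROTO_AH would produce no authenticator at all, so the `ah_none_mature` callback selected here must keep rejecting `saidx.proto == IPPROTO_AH` for it.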
 
 const struct ah_algorithm *
@@ -217,6 +221,8 @@
 		return &ah_algorithms[8];
 	case SADB_X_AALG_AES_XCBC_MAC:
 		return &ah_algorithms[9];
+	case SADB_X_AALG_TCP_MD5:
+		return &ah_algorithms[10];
 	default:
 		return NULL;
 	}
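Review bot: The new `case SADB_X_AALG_TCP_MD5: return &ah_algorithms[10];` hard-codes the table index like the rows before it, so inserting a row anywhere above the TCP-MD5 entry silently returns the wrong algorithm for this SA type. A comment on the table row, `/* [10] -- index relied on by ah_algorithm_lookup() */`, or a compile-time check that the last index plus one equals the table size would make the coupling visible. `ah_algorithm_lookup` begins before this hunk.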
diff -ur src/sys/netkey/key.c src-53/sys/netkey/key.c
--- src/sys/netkey/key.c	Sat Oct  2 04:18:55 2004
+++ src-53/sys/netkey/key.c	Sat Oct 30 00:07:31 2004
@@ -3072,6 +3072,7 @@
 		switch (mhp->msg->sadb_msg_satype) {
 		case SADB_SATYPE_AH:
 		case SADB_SATYPE_ESP:
+		case SADB_X_SATYPE_TCPSIGNATURE:
 			if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
 			    sav->alg_auth != SADB_X_AALG_NULL)
 				error = EINVAL;
@@ -3127,6 +3128,7 @@
 			sav->key_enc = NULL;	/*just in case*/
 			break;
 		case SADB_SATYPE_AH:
+		case SADB_X_SATYPE_TCPSIGNATURE:
 		default:
 			error = EINVAL;
 			break;
@@ -3161,6 +3163,7 @@
 		break;
 	case SADB_SATYPE_AH:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_setsaval: invalid SA type.\n"));
@@ -3351,6 +3354,24 @@
 		checkmask = 4;
 		mustmask = 4;
 		break;
+	case IPPROTO_TCP:
+		if (sav->alg_auth != SADB_X_AALG_TCP_MD5) {
+			ipseclog((LOG_DEBUG, "key_mature: unsupported authentication algorithm %u\n",
+			    sav->alg_auth));
+			return (EINVAL);
+		}
+		if (sav->alg_enc != SADB_EALG_NONE) {
+			ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
+				"mismated.\n", __func__));
+			return(EINVAL);
+		}
+		if (sav->spi != htonl(0x1000)) {
+			ipseclog((LOG_DEBUG, "key_mature: SPI must be TCP_SIG_SPI (0x1000)\n"));
+			return (EINVAL);
+		}
+		checkmask = 2;
+		mustmask = 2;
+		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_mature: Invalid satype.\n"));
 		return EPROTONOSUPPORT;
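Review bot: The SPI check in the new `IPPROTO_TCP` case compares against the literal `htonl(0x1000)` while the log message names it TCP_SIG_SPI; using the named constant, `if (sav->spi != htonl(TCP_SIG_SPI)) {`, keeps the check and the message from drifting apart. The three new error paths also mix styles within one case (`key_mature:` prefix vs `%s`/`__func__`, `return (EINVAL)` vs `return(EINVAL)`), and the encryption-algorithm message says `mismated`, presumably meaning `mismatched`; suggest `"%s: protocol and algorithm mismatched.\n"`. `key_mature` starts and ends outside this hunk.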
@@ -4591,7 +4612,8 @@
 		return IPPROTO_ESP;
 	case SADB_X_SATYPE_IPCOMP:
 		return IPPROTO_IPCOMP;
-		break;
+	case SADB_X_SATYPE_TCPSIGNATURE:
+		return IPPROTO_TCP;
 	default:
 		return 0;
 	}
@@ -4614,7 +4636,8 @@
 		return SADB_SATYPE_ESP;
 	case IPPROTO_IPCOMP:
 		return SADB_X_SATYPE_IPCOMP;
-		break;
+	case IPPROTO_TCP:
+		return SADB_X_SATYPE_TCPSIGNATURE;
 	default:
 		return 0;
 	}
@@ -6975,6 +6998,7 @@
 	case SADB_SATYPE_AH:
 	case SADB_SATYPE_ESP:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		switch (msg->sadb_msg_type) {
 		case SADB_X_SPDADD:
 		case SADB_X_SPDDELETE:
diff -ur src/sys/netkey/key.h src-53/sys/netkey/key.h
--- src/sys/netkey/key.h	Wed Nov  5 01:02:05 2003
+++ src-53/sys/netkey/key.h	Fri Oct 29 23:41:49 2004
@@ -50,6 +50,7 @@
 struct socket;
 struct sadb_msg;
 struct sadb_x_policy;
+union sockaddr_union;
 
 extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *,
 	u_int);
@@ -77,6 +78,15 @@
 extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
 extern void key_sa_routechange(struct sockaddr *);
 extern void key_sa_stir_iv(struct secasvar *);
+
+/* to keep compatibility with FAST_IPSEC */
+#define	KEY_ALLOCSA(dst, proto, spi)	\
+	key_allocsa(((struct sockaddr *)(dst))->sa_family,\
+		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+		    proto, spi)
+#define	KEY_FREESAV(psav)					\
+	key_freesav(*psav)
 
 #ifdef MALLOC_DECLARE
 MALLOC_DECLARE(M_SECA);
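Review bot: `KEY_ALLOCSA` takes the address family from `dst` but then unconditionally reads `sin_addr` through a `struct sockaddr_in *` cast, so a `sockaddr_in6` argument would pass `AF_INET6` together with the bytes at the `sockaddr_in` address offset (which in a `sockaddr_in6` are not the address) and the SA lookup would silently miss. The cover mail defers IPv6 TCP-MD5, but this macro is the FAST_IPSEC-compatible entry point callers will reach with either family, so it should select the field by family (or reject AF_INET6 explicitly), and `proto`/`spi` should be parenthesized. The same pointer is also passed as both source and destination address, which only matches an SA if `key_allocsa` ignores the source for this lookup; `key_allocsa` is not in this hunk, so confirm that there. `KEY_FREESAV` leaves the caller's pointer unchanged after freeing, which is worth a comment if the FAST_IPSEC macro it mirrors behaves differently.
```c
/* to keep compatibility with FAST_IPSEC; dst is a struct sockaddr_in or sockaddr_in6 */
#define	KEY_SA_ADDR(sa)						\
	(((struct sockaddr *)(sa))->sa_family == AF_INET6 ?	\
	    (caddr_t)&(((struct sockaddr_in6 *)(sa))->sin6_addr) :	\
	    (caddr_t)&(((struct sockaddr_in *)(sa))->sin_addr))
#define	KEY_ALLOCSA(dst, proto, spi)				\
	key_allocsa(((struct sockaddr *)(dst))->sa_family,	\
	    KEY_SA_ADDR(dst), KEY_SA_ADDR(dst), (proto), (spi))
/* … unchanged: KEY_FREESAV … */
```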
diff -ur src/sys/netkey/keydb.h src-53/sys/netkey/keydb.h
--- src/sys/netkey/keydb.h	Wed Nov  5 01:02:05 2003
+++ src-53/sys/netkey/keydb.h	Fri Oct 29 12:54:15 2004
@@ -37,6 +37,18 @@
 
 #include <netkey/key_var.h>
 
+#ifndef _SOCKADDR_UNION_DEFINED
+#define	_SOCKADDR_UNION_DEFINED
+/*
+ * The union of all possible address formats we handle.
+ */
+union sockaddr_union {
+	struct sockaddr		sa;
+	struct sockaddr_in	sin;
+	struct sockaddr_in6	sin6;
+};
+#endif /* _SOCKADDR_UNION_DEFINED */
+
 /* Security Assocciation Index */
 /* NOTE: Ensure to be same address family */
 struct secasindex {
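Review bot: The new `union sockaddr_union` names `struct sockaddr_in6` with no `#ifdef INET6` guard, unlike the IPv6 include in tcp_subr.c earlier in this patch, so every file that includes keydb.h now needs the IPv6 address definitions visible first, including non-INET6 builds. If the union is only needed by the TCP-MD5 path, wrapping the `sin6` member in `#ifdef INET6`, mirroring the existing convention, keeps the header self-contained for those builds. The `_SOCKADDR_UNION_DEFINED` guard suggests the same union is defined elsewhere; the two definitions must stay identical, since a translation unit seeing both headers silently gets whichever comes first.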

--Multipart_Thu_Nov__4_16:16:12_2004-1--


