From owner-freebsd-current@FreeBSD.ORG Thu Nov 4 07:16:30 2004 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BEEB716A4CE for ; Thu, 4 Nov 2004 07:16:30 +0000 (GMT) Received: from v6.hitachi.co.jp (galilei.v6.hitachi.co.jp [133.145.167.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 385D843D41 for ; Thu, 4 Nov 2004 07:16:29 +0000 (GMT) (envelope-from suz@crl.hitachi.co.jp) Received: from flora210w.uki-uki.net (localhost [IPv6:::1]) by v6.hitachi.co.jp (8.12.11/8.12.11) with ESMTP id iA47GDJA031530; Thu, 4 Nov 2004 16:16:14 +0900 (JST) (envelope-from suz@crl.hitachi.co.jp) Date: Thu, 04 Nov 2004 16:16:12 +0900 Message-ID: 
From: SUZUKI Shinsuke To: dgilbert@dclg.ca X-cite: xcite 1.33 In-Reply-To: <16768.22876.926445.412412@canoe.dclg.ca> References: <16767.52282.937187.190919@canoe.dclg.ca> <6.1.2.0.0.20041027124606.09c40768@64.7.153.2> <16767.53956.366966.737912@canoe.dclg.ca> <6.1.2.0.0.20041027131824.10140c90@64.7.153.2> <16768.22876.926445.412412@canoe.dclg.ca> User-Agent: Wanderlust/2.11.32 (Wonderwall) Emacs/21.3 Mule/5.0 (SAKAKI) Organization: Network Systems Research Dept., Central Research Laboratory, Hitachi, Ltd, Japan MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: multipart/mixed; boundary="Multipart_Thu_Nov__4_16:16:12_2004-1" X-Mailman-Approved-At: Thu, 04 Nov 2004 13:19:47 +0000 cc: gnn@neville-neil.com cc: freebsd-current@freebsd.org cc: mike@sentex.net Subject: Re: IPSec on current. X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Nov 2004 07:16:30 -0000 --Multipart_Thu_Nov__4_16:16:12_2004-1 Content-Type: text/plain; charset=US-ASCII >>>>> On Wed, 27 Oct 2004 22:28:44 -0400 >>>>> dgilbert@dclg.ca(David Gilbert) said: > It's also possible that the division panic and the GPF panic were with > and without INET6. I not on the machine at the momment. > > Not supporting IPv6 is less of a showstopper than not supporting > FAST_IPSEC as the later is required (for isntance) BGP. Just FYI. I've just implemented TCP-MD5(IPv4) on KAME-IPSEC and confirmed it's working fine. (I'll work on TCP-MD5(IPv6) later) Please let me know if you have any objection or comment to the following patch. If it's okay, I'd like to commit it to -current. 
(it just kicks the existing TCP-MD5 calculation routine, so I believe it has no effect to the existing functions) Thanks, ---- SUZUKI, Shinsuke @ KAME Project
--Multipart_Thu_Nov__4_16:16:12_2004-1
Content-Type: text/plain; charset=US-ASCII

diff -ur src/sys/netinet/tcp_subr.c src-53/sys/netinet/tcp_subr.c
--- src/sys/netinet/tcp_subr.c Thu Oct 21 18:30:47 2004
+++ src-53/sys/netinet/tcp_subr.c Fri Oct 29 12:53:00 2004
@@ -95,6 +95,7 @@
 #ifdef INET6
 #include 
 #endif
+#include 
 #endif /*IPSEC*/
 
 #ifdef FAST_IPSEC
diff -ur src/sys/netinet6/ah_core.c src-53/sys/netinet6/ah_core.c
--- src/sys/netinet6/ah_core.c Wed Mar 10 13:56:54 2004
+++ src-53/sys/netinet6/ah_core.c Sat Oct 30 00:09:02 2004
@@ -189,6 +189,10 @@
 		"aes-xcbc-mac",
 		ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
 		ah_aes_xcbc_mac_result, },
+	{ ah_sumsiz_1216, ah_none_mature, 1, 80, /* TCP_KEYLEN_MIN/MAX */
+		"TCP-MD5",
+		ah_none_init, ah_none_loop,
+		ah_none_result, },
 };
 
 const struct ah_algorithm *
@@ -217,6 +221,8 @@
 		return &ah_algorithms[8];
 	case SADB_X_AALG_AES_XCBC_MAC:
 		return &ah_algorithms[9];
+	case SADB_X_AALG_TCP_MD5:
+		return &ah_algorithms[10];
 	default:
 		return NULL;
 	}
diff -ur src/sys/netkey/key.c src-53/sys/netkey/key.c
--- src/sys/netkey/key.c Sat Oct 2 04:18:55 2004
+++ src-53/sys/netkey/key.c Sat Oct 30 00:07:31 2004
@@ -3072,6 +3072,7 @@
 	switch (mhp->msg->sadb_msg_satype) {
 	case SADB_SATYPE_AH:
 	case SADB_SATYPE_ESP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
 		    sav->alg_auth != SADB_X_AALG_NULL)
 			error = EINVAL;
@@ -3127,6 +3128,7 @@
 		sav->key_enc = NULL; /*just in case*/
 		break;
 	case SADB_SATYPE_AH:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 	default:
 		error = EINVAL;
 		break;
@@ -3161,6 +3163,7 @@
 		break;
 	case SADB_SATYPE_AH:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_setsaval: invalid SA type.\n"));
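Review bot: The new ah_algorithms entry hard-codes the key-length bounds as the literals `1, 80` and only names the intended constants in the trailing comment; since the comment already refers to them, write `TCP_KEYLEN_MIN, TCP_KEYLEN_MAX` so the bounds cannot drift from the TCP_SIGNATURE definitions (the header that defines them must then be visible in ah_core.c, which the hunk does not show). The entry pairs `ah_sumsiz_1216` with `ah_none_init`/`ah_none_loop`/`ah_none_result`, which by their names are presumably no-op callbacks, so this table slot only lets the key code mature and look up the SA while the digest is computed by the existing TCP-MD5 routine the message mentions; a comment on the entry such as `/* placeholder so the SA can be matured; the digest itself is computed by the TCP-MD5 signature code, not by AH */` would stop a reader from expecting AH to verify these segments. The lookup in the following hunk returns `&ah_algorithms[10]` by position, like the existing cases, so the index and this entry's place in the table must be kept in step.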
@@ -3351,6 +3354,24 @@
 		checkmask = 4;
 		mustmask = 4;
 		break;
+	case IPPROTO_TCP:
+		if (sav->alg_auth != SADB_X_AALG_TCP_MD5) {
+			ipseclog((LOG_DEBUG, "key_mature: unsupported authentication algorithm %u\n",
+			    sav->alg_auth));
+			return (EINVAL);
+		}
+		if (sav->alg_enc != SADB_EALG_NONE) {
+			ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
+			    "mismated.\n", __func__));
+			return(EINVAL);
+		}
+		if (sav->spi != htonl(0x1000)) {
+			ipseclog((LOG_DEBUG, "key_mature: SPI must be TCP_SIG_SPI (0x1000)\n"));
+			return (EINVAL);
+		}
+		checkmask = 2;
+		mustmask = 2;
+		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_mature: Invalid satype.\n"));
 		return EPROTONOSUPPORT;
@@ -4591,7 +4612,8 @@
 		return IPPROTO_ESP;
 	case SADB_X_SATYPE_IPCOMP:
 		return IPPROTO_IPCOMP;
-		break;
+	case SADB_X_SATYPE_TCPSIGNATURE:
+		return IPPROTO_TCP;
 	default:
 		return 0;
 	}
@@ -4614,7 +4636,8 @@
 		return SADB_SATYPE_ESP;
 	case IPPROTO_IPCOMP:
 		return SADB_X_SATYPE_IPCOMP;
-		break;
+	case IPPROTO_TCP:
+		return SADB_X_SATYPE_TCPSIGNATURE;
 	default:
 		return 0;
 	}
@@ -6975,6 +6998,7 @@
 	case SADB_SATYPE_AH:
 	case SADB_SATYPE_ESP:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		switch (msg->sadb_msg_type) {
 		case SADB_X_SPDADD:
 		case SADB_X_SPDDELETE:
diff -ur src/sys/netkey/key.h src-53/sys/netkey/key.h
--- src/sys/netkey/key.h Wed Nov 5 01:02:05 2003
+++ src-53/sys/netkey/key.h Fri Oct 29 23:41:49 2004
@@ -50,6 +50,7 @@
 struct socket;
 struct sadb_msg;
 struct sadb_x_policy;
+union sockaddr_union;
 
 extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *, u_int);
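Review bot: The SPI check in the new IPPROTO_TCP case compares against the literal `htonl(0x1000)` while the log message on the next line names the constant it stands for, so use it: `if (sav->spi != htonl(TCP_SIG_SPI)) {`. The three error paths in the same case are inconsistent with one another: the first and third prefix the message with `key_mature:` and use `return (EINVAL)`, the second uses `%s`/`__func__` and `return(EINVAL)`, and its message misspells the word — it should read `"mismatched.\n"`. `checkmask = 2; mustmask = 2;` presumably selects the authentication-algorithm and key-length checks performed after the switch, which is where the 1..80 byte key bound registered in ah_core.c would be enforced; that code is outside the hunk, so confirm a TCP-MD5 key of zero length or longer than 80 bytes is actually rejected before the SA becomes mature. key_mature's body starts and ends outside the hunk.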
@@ -77,6 +78,15 @@
 extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
 extern void key_sa_routechange(struct sockaddr *);
 extern void key_sa_stir_iv(struct secasvar *);
+
+/* to keep compatibility with FAST_IPSEC */
+#define KEY_ALLOCSA(dst, proto, spi) \
+	key_allocsa(((struct sockaddr *)(dst))->sa_family,\
+	(caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+	(caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+	proto, spi)
+#define KEY_FREESAV(psav) \
+	key_freesav(*psav)
 
 #ifdef MALLOC_DECLARE
 MALLOC_DECLARE(M_SECA);
diff -ur src/sys/netkey/keydb.h src-53/sys/netkey/keydb.h
--- src/sys/netkey/keydb.h Wed Nov 5 01:02:05 2003
+++ src-53/sys/netkey/keydb.h Fri Oct 29 12:54:15 2004
@@ -37,6 +37,18 @@
 #include 
 
+#ifndef _SOCKADDR_UNION_DEFINED
+#define _SOCKADDR_UNION_DEFINED
+/*
+ * The union of all possible address formats we handle.
+ */
+union sockaddr_union {
+	struct sockaddr sa;
+	struct sockaddr_in sin;
+	struct sockaddr_in6 sin6;
+};
+#endif /* _SOCKADDR_UNION_DEFINED */
+
 /* Security Assocciation Index */
 /* NOTE: Ensure to be same address family */
 struct secasindex {
--Multipart_Thu_Nov__4_16:16:12_2004-1--
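Review bot: `KEY_ALLOCSA` reads `sa_family` from its argument but then casts `dst` to `struct sockaddr_in *` unconditionally, so it is IPv4-only and an IPv6 caller would read the wrong bytes of a `struct sockaddr_in6` without any diagnostic; since the message defers TCP-MD5 for IPv6, say so at the definition, e.g. `/* XXX IPv4 only: dst is cast to sockaddr_in regardless of sa_family */`, so the limitation is found by the next reader rather than by a bad SA lookup. The macro also passes the same `sin_addr` as both of the address arguments to key_allocsa, which relies on the lookup ignoring one of them for this use; key_allocsa's prototype is not in the hunk, so confirm that. Both macros leave their parameters unparenthesized, which the rest of the header's macro style avoids: `key_freesav(*(psav))` and `(proto), (spi)`.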
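Review bot: The `union sockaddr_union` added to keydb.h needs `struct sockaddr`, `struct sockaddr_in` and `struct sockaddr_in6` to be complete types at this point, and the only include visible above it has lost its name on this page; if that include does not already pull in `<netinet/in.h>`, every consumer of keydb.h now has to include it first, so either add the include to the header or state the requirement in the union's comment, e.g. `Requires <netinet/in.h> to have been included first.` The `_SOCKADDR_UNION_DEFINED` guard is presumably chosen to match the FAST_IPSEC definition so that both headers can be included together (the key.h hunk says the change is for FAST_IPSEC compatibility); that only works while the two definitions stay field-for-field identical, which is worth stating in the comment since nothing enforces it.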