author | 2005-05-28 15:10:07 +0000 | |
---|---|---|
committer | 2005-05-28 15:10:07 +0000 | |
commit | c45b24e7e39a84ca8e974533b1439ffb569e1ee7 (patch) | |
tree | 5ad3c289c82afd962eea749ffce2d348c0927938 /sys/netinet | |
parent | enable IFCAP_VLAN_MTU because IEEE 802.11 defines a MTU of about 2290. (diff) | |
Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_ah.c | 19 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 16 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.c | 8 | ||||
-rw-r--r-- | sys/netinet/ip_ipsp.h | 3 |
4 files changed, 36 insertions, 10 deletions
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index b6ca4aabb67..be91d8fd650 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.80 2005/05/27 18:23:18 markus Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.81 2005/05/28 15:10:07 ho Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -36,6 +36,8 @@
 * PURPOSE.
 */
 
+#include "pfsync.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
@@ -48,6 +50,7 @@
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+#include <netinet/ip_var.h>
 #endif /* INET */
 
 #ifdef INET6
@@ -62,6 +65,11 @@
 #include <net/pfkeyv2.h>
 #include <net/if_enc.h>
 
+#if NPFSYNC > 0
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+#endif /* NPFSYNC > 0 */
+
 #include <crypto/cryptodev.h>
 #include <crypto/xform.h>
 
@@ -805,6 +813,9 @@ ah_input_cb(void *op)
 switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl), tdb->tdb_wnd,
 &(tdb->tdb_bitmap), 1)) {
 case 0: /* All's well. */
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
 break;
 
 case 1:
@@ -1100,8 +1111,12 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 /* Zeroize authenticator. */
 m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes);
 
- if (!(tdb->tdb_flags & TDBF_NOREPLAY))
+ if (!(tdb->tdb_flags & TDBF_NOREPLAY)) {
 ah->ah_rpl = htonl(tdb->tdb_rpl++);
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
+ }
 
 /* Get crypto descriptors. */
 crp = crypto_getreq(1);
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index de2894d89c6..35e41b62708 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.91 2005/05/27 18:23:18 markus Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.92 2005/05/28 15:10:07 ho Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
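Review bot: `pfsync_update_tdb(tdb)` in the `case 0:` arm of ah_input_cb runs once per accepted inbound packet, and the same call is added in ah_output after `tdb->tdb_rpl++` and, in the ip_esp.c hunks, in esp_input_cb and esp_output; unless pfsync_update_tdb coalesces updates before transmitting (not visible in this diff), that is one pfsync update per IPsec packet, which is worth confirming before this lands on busy gateways. The call sites would also benefit from a comment saying which state is synchronized, e.g. `/* Sync replay counter to pfsync peers so a failover gateway continues the sequence. */`, because the replay bitmap in `tdb->tdb_bitmap` is a separate field and a reader cannot tell from the call whether it travels too. The `#if NPFSYNC > 0` / `#endif` pair is repeated at all four sites; an empty fallback definition of pfsync_update_tdb in the header for the NPFSYNC == 0 case would keep the replay paths readable. ah_input_cb and ah_output both begin and end outside their hunks.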
@@ -35,6 +35,8 @@
 * PURPOSE.
 */
 
+#include "pfsync.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
@@ -49,6 +51,7 @@
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+#include <netinet/ip_var.h>
 #endif /* INET */
 
 #ifdef INET6
@@ -63,6 +66,11 @@
 #include <net/pfkeyv2.h>
 #include <net/if_enc.h>
 
+#if NPFSYNC > 0
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
+#endif /* NPFSYNC > 0 */
+
 #include <crypto/cryptodev.h>
 #include <crypto/xform.h>
 
@@ -573,6 +581,9 @@ esp_input_cb(void *op)
 switch (checkreplaywindow32(btsx, 0, &(tdb->tdb_rpl), tdb->tdb_wnd,
 &(tdb->tdb_bitmap), 1)) {
 case 0: /* All's well */
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
 break;
 
 case 1:
@@ -875,6 +886,9 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
 u_int32_t replay = htonl(tdb->tdb_rpl++);
 bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t),
 sizeof(u_int32_t));
+#if NPFSYNC > 0
+ pfsync_update_tdb(tdb);
+#endif
 }
 
 /*
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 663309466d4..3bd169e6014 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.162 2005/05/27 19:33:56 hshoexer Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.163 2005/05/28 15:10:07 ho Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -76,10 +76,6 @@ void tdb_hashstats(void);
 #define DPRINTF(x)
 #endif
 
-#ifdef __GNUC__
-#define INLINE static __inline
-#endif
-
 int ipsp_kern(int, char **, int);
 u_int8_t get_sa_require(struct inpcb *);
 void tdb_rehash(void);
@@ -145,7 +141,7 @@ static int tdb_count;
 * Our hashing function needs to stir things with a non-zero random multiplier
 * so we cannot be DoS-attacked via choosing of the data to hash.
 */
-INLINE int
+int
 tdb_hash(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto)
 {
 static u_int32_t mult1 = 0, mult2 = 0;
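Review bot: Replacing `INLINE int` with `int` on tdb_hash turns a file-local helper into an exported kernel symbol (the ip_ipsp.h hunk adds its prototype), but the function keys its result with the random multipliers `mult1`/`mult2` that the comment above it describes, so a hash value is only meaningful inside the kernel instance that computed it. The new prototype in ip_ipsp.h should say so, e.g. `/* Keyed with per-kernel random multipliers; never compare or transmit hash values between hosts. */`, so that a pfsync consumer recomputes the hash locally rather than carrying it in a message. Dropping the `INLINE` macro itself loses nothing, since it was only defined under `__GNUC__`. tdb_hash's body continues outside the hunk.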
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index f089c4179b4..a68c8186ae0 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.129 2005/05/27 19:32:31 hshoexer Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.130 2005/05/28 15:10:07 ho Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -541,6 +541,7 @@ extern void puttdb(struct tdb *);
 extern void tdb_delete(struct tdb *);
 extern struct tdb *tdb_alloc(void);
 extern void tdb_free(struct tdb *);
+extern int tdb_hash(u_int32_t, union sockaddr_union *, u_int8_t);
 extern int tdb_init(struct tdb *, u_int16_t, struct ipsecinit *);
 extern int tdb_walk(int (*)(struct tdb *, void *, int), void *);