-rw-r--r-- | sys/net/bpf.h | 3 | ||||
-rw-r--r-- | sys/net/if_enc.c | 30 | ||||
-rw-r--r-- | sys/net/if_enc.h | 46 | ||||
-rw-r--r-- | sys/netinet/ip_ah.c | 34 | ||||
-rw-r--r-- | sys/netinet/ip_esp.c | 34 | ||||
-rw-r--r-- | sys/netinet/ip_ip4.c | 4 | ||||
-rw-r--r-- | sys/sys/mbuf.h | 6 |
7 files changed, 124 insertions, 33 deletions
diff --git a/sys/net/bpf.h b/sys/net/bpf.h
index ad2ddda2a61..0db69a51dd9 100644
--- a/sys/net/bpf.h
+++ b/sys/net/bpf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.h,v 1.6 1998/06/04 23:11:37 deraadt Exp $ */
+/* $OpenBSD: bpf.h,v 1.7 1998/06/10 23:57:09 provos Exp $ */
 /* $NetBSD: bpf.h,v 1.15 1996/12/13 07:57:33 mikel Exp $ */
 
 /*
@@ -180,6 +180,7 @@ struct bpf_hdr {
 #define DLT_FDDI 10 /* FDDI */
 #define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
 #define DLT_LOOP 12 /* loopback type (af header) */
+#define DLT_ENC 13 /* IPSEC enc type (af header, spi, flags) */
 
 /*
  * The instruction encondings.
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c
index 9281157441d..88065b774f8 100644
--- a/sys/net/if_enc.c
+++ b/sys/net/if_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_enc.c,v 1.7 1998/05/18 21:10:19 provos Exp $ */
+/* $OpenBSD: if_enc.c,v 1.8 1998/06/10 23:57:10 provos Exp $ */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -52,6 +52,7 @@
 #include <net/netisr.h>
 #include <net/route.h>
 #include <net/bpf.h>
+#include <net/if_enc.h>
 
 #ifdef INET
 #include <netinet/in.h>
@@ -70,8 +71,6 @@ extern struct ifqueue nsintrq;
 
 #include "bpfilter.h"
 
-#define ENCMTU (1024+512)
-
 struct ifnet enc_softc;
 
 void encattach __P((int));
@@ -98,13 +97,13 @@ encattach(int nenc)
 enc_softc.if_type = IFT_ENC;
 enc_softc.if_ioctl = encioctl;
 enc_softc.if_output = encoutput;
- enc_softc.if_hdrlen = 0;
+ enc_softc.if_hdrlen = ENC_HDRLEN;
 enc_softc.if_addrlen = 0;
 
 if_attach(&enc_softc);
 
 #if NBPFILTER > 0
- bpfattach(&(enc_softc.if_bpf), &enc_softc, DLT_NULL, sizeof(u_int32_t));
+ bpfattach(&(enc_softc.if_bpf), &enc_softc, DLT_ENC, ENC_HDRLEN);
 #endif
 
 /* Just a bogus entry */
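Review bot: `enc_softc.if_hdrlen = ENC_HDRLEN` advertises a 12-byte media header on the enc interface, but the only thing in this change that produces such a header is the bpf pseudo-header handed to bpfattach(); encoutput, in the following hunk, no longer prepends anything on the output path. If if_hdrlen is consulted by anything other than bpf for this interface it now reserves room for a header that never exists, so the two uses should at least not be tied to one constant silently — a comment such as `/* ENC_HDRLEN is the bpf pseudo-header (struct enchdr), not a wire header */` next to the assignment makes that explicit. The new `DLT_ENC 13` in bpf.h is a link-type number that ends up in savefiles, so it should be registered with libpcap/tcpdump before shipping to avoid colliding with another platform's use of the same value; otherwise enc0 captures get decoded as the wrong type. encattach's body continues outside the hunk.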
@@ -134,27 +133,6 @@ register struct rtentry *rt;
 ifp->if_lastchange = time;
 
-#if NBPFILTER > 0
- if (ifp->if_bpf)
- {
- /*
- * We need to prepend the address family as
- * a four byte field. Cons up a dummy header
- * to pacify bpf. This is safe because bpf
- * will only read from the mbuf (i.e., it won't
- * try to free it or keep a pointer a to it).
- */
- struct mbuf m0;
- u_int af = dst->sa_family;
-
- m0.m_next = m;
- m0.m_len = 4;
- m0.m_data = (char *) ⁡
-
- bpf_mtap(ifp->if_bpf, &m0);
- }
-#endif
-
 m->m_pkthdr.rcvif = ifp;
 
 if (rt && rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE))
diff --git a/sys/net/if_enc.h b/sys/net/if_enc.h
new file mode 100644
index 00000000000..eb7c340238b
--- /dev/null
+++ b/sys/net/if_enc.h
@@ -0,0 +1,46 @@
+/*
+ * The authors of this code are John Ioannidis (ji@tla.org),
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
+ * Niels Provos (provos@physnet.uni-hamburg.de).
+ *
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
+ * in November 1995.
+ *
+ * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
+ * by Angelos D. Keromytis.
+ *
+ * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
+ * and Niels Provos.
+ *
+ * Permission to use, copy, and modify this software without fee
+ * is hereby granted, provided that this entire notice is included in
+ * all copies of any software which is or includes a copy or
+ * modification of this software.
+ * You may use this code under the GNU public license if you so wish. Please
+ * contribute changes back to the authors under this freer than GPL license
+ * so that we may further the use of strong encryption without limitations to
+ * all.
+ *
+ * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+ * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+ * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+ * PURPOSE.
+ */
+
+#ifndef _IF_ENC_H_
+#define _IF_ENC_H_
+
+#define ENCMTU (1024+512)
+#define ENC_HDRLEN 12
+
+struct enchdr {
+ u_int32_t af;
+ u_int32_t spi;
+ u_int32_t flags;
+};
+
+#endif
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 99d15f827dd..682f4fe3d75 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.15 1998/05/24 22:40:13 provos Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.16 1998/06/10 23:57:13 provos Exp $ */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
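Review bot: `#define ENC_HDRLEN 12` is a literal that must stay equal to sizeof(struct enchdr), yet nothing in the header ties the two together; declaring the struct first and deriving the length, `#define ENC_HDRLEN sizeof(struct enchdr)`, removes the chance of the bpf header length and the struct drifting apart when a field is added. struct enchdr also carries no description of what a DLT_ENC consumer receives: from the ip_ah.c/ip_esp.c hunks, `af` is the address family of the packet that follows, `spi` is copied from tdb_spi (its byte order is not stated anywhere and should be), and `flags` is the M_AUTH|M_CONF|M_TUNNEL subset of m_flags. Since userland capture tools will decode this layout, a one-line comment per field saying so belongs in the header.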
@@ -53,6 +53,8 @@
 #include <net/if.h>
 #include <net/route.h>
 #include <net/netisr.h>
+#include <net/bpf.h>
+#include <net/if_enc.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -71,6 +73,8 @@
 
 #include <sys/syslog.h>
 
+#include "bpfilter.h"
+
 void ah_input __P((struct mbuf *, int));
 
 /*
@@ -257,6 +261,34 @@ ah_input(register struct mbuf *m, int iphlen)
 return;
 }
 
+ /* Packet is authentic */
+ m->m_flags |= M_AUTH;
+
+#if NBPFILTER > 0
+ if (enc_softc.if_bpf)
+ {
+ /*
+ * We need to prepend the address family as
+ * a four byte field. Cons up a dummy header
+ * to pacify bpf. This is safe because bpf
+ * will only read from the mbuf (i.e., it won't
+ * try to free it or keep a pointer a to it).
+ */
+ struct mbuf m0;
+ struct enchdr hdr;
+
+ hdr.af = AF_INET;
+ hdr.spi = tdbp->tdb_spi;
+ hdr.flags = m->m_flags & (M_AUTH|M_CONF|M_TUNNEL);
+
+ m0.m_next = m;
+ m0.m_len = ENC_HDRLEN;
+ m0.m_data = (char *) &hdr;
+
+ bpf_mtap(enc_softc.if_bpf, &m0);
+ }
+#endif
+
 /*
 * Interface pointer is already in first mbuf; chop off the
 * `outer' header and reschedule.
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index f8a6ad7e847..dcc6d0c9ad5 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.15 1998/05/24 22:40:12 provos Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.16 1998/06/10 23:57:14 provos Exp $ */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -53,6 +53,8 @@
 #include <net/if.h>
 #include <net/route.h>
 #include <net/netisr.h>
+#include <net/bpf.h>
+#include <net/if_enc.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -70,6 +72,8 @@
 #include <netinet/ip_esp.h>
 
 #include <sys/syslog.h>
 
+#include "bpfilter.h"
+
 void esp_input __P((struct mbuf *, int));
 
 /*
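Review bot: The comment copied into ah_input still says the tap prepends "the address family as a four byte field", but the code below it now builds a 12-byte struct enchdr carrying af, spi and flags, so the comment misdescribes the header; replace it with `/* Cons up a dummy mbuf holding a struct enchdr (af, spi, flags) for the enc0 bpf tap. bpf only reads from the chain, so a stack mbuf is safe. */`. The same 25-line block appears verbatim in esp_input (next hunk); with only the flag set before it differing per caller, it belongs in one helper exported from if_enc.c that takes the mbuf, af and spi and hides the NBPFILTER conditional, leaving each caller with `m->m_flags |= M_AUTH;` followed by a single call. Judging by the comment that follows the block, the tap runs before the outer header is chopped off, so a DLT_ENC consumer sees the outer IP header right after struct enchdr — worth stating in the helper's comment so userland decoders do not assume the inner packet. ah_input's body continues outside the hunk.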
@@ -256,6 +260,34 @@ esp_input(register struct mbuf *m, int iphlen)
 return;
 }
 
+ /* Packet is confidental */
+ m->m_flags |= M_CONF;
+
+#if NBPFILTER > 0
+ if (enc_softc.if_bpf)
+ {
+ /*
+ * We need to prepend the address family as
+ * a four byte field. Cons up a dummy header
+ * to pacify bpf. This is safe because bpf
+ * will only read from the mbuf (i.e., it won't
+ * try to free it or keep a pointer a to it).
+ */
+ struct mbuf m0;
+ struct enchdr hdr;
+
+ hdr.af = AF_INET;
+ hdr.spi = tdbp->tdb_spi;
+ hdr.flags = m->m_flags & (M_AUTH|M_CONF|M_TUNNEL);
+
+ m0.m_next = m;
+ m0.m_len = ENC_HDRLEN;
+ m0.m_data = (char *) &hdr;
+
+ bpf_mtap(enc_softc.if_bpf, &m0);
+ }
+#endif
+
 /*
 * Interface pointer is already in first mbuf; chop off the
 * `outer' header and reschedule.
diff --git a/sys/netinet/ip_ip4.c b/sys/netinet/ip_ip4.c
index 2c99421b24c..016689783c9 100644
--- a/sys/netinet/ip_ip4.c
+++ b/sys/netinet/ip_ip4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ip4.c,v 1.18 1998/05/22 07:29:20 angelos Exp $ */
+/* $OpenBSD: ip_ip4.c,v 1.19 1998/06/10 23:57:12 provos Exp $ */
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -167,6 +167,8 @@ ip4_input(m, va_alist)
 m->m_pkthdr.len -= iphlen;
 m->m_data += iphlen;
 
+ m->m_flags |= M_TUNNEL;
+
 /*
 * Interface pointer stays the same; if no IPsec processing has
 * been done (or will be done), this will point to a normal
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 0b87b6bde44..914c6aedbd3 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.6 1997/07/23 02:49:35 denny Exp $ */
+/* $OpenBSD: mbuf.h,v 1.7 1998/06/10 23:57:08 provos Exp $ */
 /* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
 
 /*
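Review bot: The added comment `/* Packet is confidental */` in esp_input misspells the word; write `/* Packet is confidential */`. The rest of this hunk is the same bpf tap block as in ah_input, and the note on that hunk (stale four-byte comment, shared helper, outer header visible to the tap) applies here unchanged. esp_input's body continues outside the hunk.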
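Review bot: `m->m_flags |= M_TUNNEL;` is set unconditionally in ip4_input, and the comment right below it says this path also runs when no IPsec processing has been done, so the flag now means only "arrived inside an IP-in-IP encapsulation". The mbuf.h hunk on the next line renames M_CTUN ("encrypted (ESP-tunnel)") to M_TUNNEL with this weaker meaning, so any code that treated the old flag as evidence of an encrypted tunnel would now accept plain IP4-encapsulated packets; a comment at the assignment and on the mbuf.h define, e.g. `/* set for any IP-in-IP decapsulation, IPsec or not; confidentiality is M_CONF */`, makes the distinction explicit. A caller that needs the old guarantee should test M_CONF (and M_AUTH) rather than M_TUNNEL. ip4_input's body continues outside the hunk.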
@@ -125,10 +125,10 @@ struct mbuf {
 #define M_MCAST 0x0200 /* send/received as link-level multicast */
 #define M_CONF 0x0400 /* packet was encrypted (ESP-transport) */
 #define M_AUTH 0x0800 /* packet was authenticated (AH) */
-#define M_CTUN 0x1000 /* packet was encrypted (ESP-tunnel) */
+#define M_TUNNEL 0x1000 /* packet was tunneled */
 
 /* flags copied when copying m_pkthdr */
-#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_BCAST|M_MCAST|M_CONF|M_AUTH|M_CTUN)
+#define M_COPYFLAGS (M_PKTHDR|M_EOR|M_BCAST|M_MCAST|M_CONF|M_AUTH|M_TUNNEL)
 
 /* mbuf types */
 #define MT_FREE 0 /* should be on free list */
|