Re: IPSec on current.

From: SUZUKI Shinsuke <suz_at_kame.net>
Date: Thu, 04 Nov 2004 16:16:12 +0900
>>>>> On Wed, 27 Oct 2004 22:28:44 -0400
>>>>> dgilbert_at_dclg.ca(David Gilbert)  said:

> It's also possible that the division panic and the GPF panic were with
> and without INET6.  I'm not on the machine at the moment.
> 
> Not supporting IPv6 is less of a showstopper than not supporting
> FAST_IPSEC, as the latter is required (for instance) for BGP.

Just FYI.

I've just implemented TCP-MD5(IPv4) on KAME-IPSEC and confirmed it's
working fine.  (I'll work on TCP-MD5(IPv6) later)

Please let me know if you have any objection or comment to the
following patch.  If it's okay, I'd like to commit it to -current.

(it just calls into the existing TCP-MD5 calculation routine, so I believe
it has no effect on the existing functions)

Thanks,
----
SUZUKI, Shinsuke _at_ KAME Project


diff -ur src/sys/netinet/tcp_subr.c src-53/sys/netinet/tcp_subr.c
--- src/sys/netinet/tcp_subr.c	Thu Oct 21 18:30:47 2004
+++ src-53/sys/netinet/tcp_subr.c	Fri Oct 29 12:53:00 2004
_at__at_ -95,6 +95,7 _at__at_
 #ifdef INET6
 #include <netinet6/ipsec6.h>
 #endif
+#include <netkey/key.h>
 #endif /*IPSEC*/
 
 #ifdef FAST_IPSEC
diff -ur src/sys/netinet6/ah_core.c src-53/sys/netinet6/ah_core.c
--- src/sys/netinet6/ah_core.c	Wed Mar 10 13:56:54 2004
+++ src-53/sys/netinet6/ah_core.c	Sat Oct 30 00:09:02 2004
_at__at_ -189,6 +189,10 _at__at_
 		"aes-xcbc-mac",
 		ah_aes_xcbc_mac_init, ah_aes_xcbc_mac_loop,
 		ah_aes_xcbc_mac_result, },
+	{ ah_sumsiz_1216, ah_none_mature, 1, 80, /* TCP_KEYLEN_MIN/MAX */
+		"TCP-MD5",
+		ah_none_init, ah_none_loop,
+		ah_none_result, },
 };
 
 const struct ah_algorithm *
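Review bot: The key-length bounds `1, 80` on the new TCP-MD5 row are annotated as TCP_KEYLEN_MIN/MAX, which are byte counts, but the sibling rows of this table (outside the hunk, so inferred) are usually expressed in bits and key_mature presumably compares these fields against the key's sadb_key_bits; if so, any TCP-MD5 key longer than 10 bytes would be rejected as immature even though it is a legal key. Please confirm the unit, and if it is bits write the row as `{ ah_sumsiz_1216, ah_none_mature, TCP_KEYLEN_MIN * 8, TCP_KEYLEN_MAX * 8, /* bits */` (with `netinet/tcp.h` included) so the relationship to the tcp.h constants is explicit instead of a bare 1/80. A one-line comment on the row, such as `/* digest is computed by the TCP-MD5 code in tcp_subr.c; AH callbacks are no-ops */`, would explain why a MAC entry uses ah_none_init/loop/result.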
_at__at_ -217,6 +221,8 _at__at_
 		return &ah_algorithms[8];
 	case SADB_X_AALG_AES_XCBC_MAC:
 		return &ah_algorithms[9];
+	case SADB_X_AALG_TCP_MD5:
+		return &ah_algorithms[10];
 	default:
 		return NULL;
 	}
diff -ur src/sys/netkey/key.c src-53/sys/netkey/key.c
--- src/sys/netkey/key.c	Sat Oct  2 04:18:55 2004
+++ src-53/sys/netkey/key.c	Sat Oct 30 00:07:31 2004
_at__at_ -3072,6 +3072,7 _at__at_
 		switch (mhp->msg->sadb_msg_satype) {
 		case SADB_SATYPE_AH:
 		case SADB_SATYPE_ESP:
+		case SADB_X_SATYPE_TCPSIGNATURE:
 			if (len == PFKEY_ALIGN8(sizeof(struct sadb_key)) &&
 			    sav->alg_auth != SADB_X_AALG_NULL)
 				error = EINVAL;
_at__at_ -3127,6 +3128,7 _at__at_
 			sav->key_enc = NULL;	/*just in case*/
 			break;
 		case SADB_SATYPE_AH:
+		case SADB_X_SATYPE_TCPSIGNATURE:
 		default:
 			error = EINVAL;
 			break;
_at__at_ -3161,6 +3163,7 _at__at_
 		break;
 	case SADB_SATYPE_AH:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_setsaval: invalid SA type.\n"));
_at__at_ -3351,6 +3354,24 _at__at_
 		checkmask = 4;
 		mustmask = 4;
 		break;
+	case IPPROTO_TCP:
+		if (sav->alg_auth != SADB_X_AALG_TCP_MD5) {
+			ipseclog((LOG_DEBUG, "key_mature: unsupported authentication algorithm %u\n",
+			    sav->alg_auth));
+			return (EINVAL);
+		}
+		if (sav->alg_enc != SADB_EALG_NONE) {
+			ipseclog((LOG_DEBUG, "%s: protocol and algorithm "
+				"mismated.\n", __func__));
+			return(EINVAL);
+		}
+		if (sav->spi != htonl(0x1000)) {
+			ipseclog((LOG_DEBUG, "key_mature: SPI must be TCP_SIG_SPI (0x1000)\n"));
+			return (EINVAL);
+		}
+		checkmask = 2;
+		mustmask = 2;
+		break;
 	default:
 		ipseclog((LOG_DEBUG, "key_mature: Invalid satype.\n"));
 		return EPROTONOSUPPORT;
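Review bot: The SPI check `if (sav->spi != htonl(0x1000)) {` hard-codes the value that its own log message names TCP_SIG_SPI; use the constant, `if (sav->spi != htonl(TCP_SIG_SPI)) {`, so the check cannot drift from tcp.h (key.c will need `#include <netinet/tcp.h>` if it does not already have it, which is not visible here). The three error paths in the new case also mix `return (EINVAL);` with the surrounding function's `return EINVAL;` and the `key_mature:` prefix with `%s`/`__func__`, and `mismated` reads as a typo for `mismatched` unless it is deliberately copied from an existing message. A short comment at the top of the case, `/* TCP-MD5 SAs: exactly one auth algorithm, no encryption, fixed SPI */`, would state the contract the three checks enforce. key_mature's body continues outside the hunk.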
_at__at_ -4591,7 +4612,8 _at__at_
 		return IPPROTO_ESP;
 	case SADB_X_SATYPE_IPCOMP:
 		return IPPROTO_IPCOMP;
-		break;
+	case SADB_X_SATYPE_TCPSIGNATURE:
+		return IPPROTO_TCP;
 	default:
 		return 0;
 	}
_at__at_ -4614,7 +4636,8 _at__at_
 		return SADB_SATYPE_ESP;
 	case IPPROTO_IPCOMP:
 		return SADB_X_SATYPE_IPCOMP;
-		break;
+	case IPPROTO_TCP:
+		return SADB_X_SATYPE_TCPSIGNATURE;
 	default:
 		return 0;
 	}
_at__at_ -6975,6 +6998,7 _at__at_
 	case SADB_SATYPE_AH:
 	case SADB_SATYPE_ESP:
 	case SADB_X_SATYPE_IPCOMP:
+	case SADB_X_SATYPE_TCPSIGNATURE:
 		switch (msg->sadb_msg_type) {
 		case SADB_X_SPDADD:
 		case SADB_X_SPDDELETE:
diff -ur src/sys/netkey/key.h src-53/sys/netkey/key.h
--- src/sys/netkey/key.h	Wed Nov  5 01:02:05 2003
+++ src-53/sys/netkey/key.h	Fri Oct 29 23:41:49 2004
_at__at_ -50,6 +50,7 _at__at_
 struct socket;
 struct sadb_msg;
 struct sadb_x_policy;
+union sockaddr_union;
 
 extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *,
 	u_int);
_at__at_ -77,6 +78,15 _at__at_
 extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
 extern void key_sa_routechange(struct sockaddr *);
 extern void key_sa_stir_iv(struct secasvar *);
+
+/* to keep compatibility with FAST_IPSEC */
+#define	KEY_ALLOCSA(dst, proto, spi)	\
+	key_allocsa(((struct sockaddr *)(dst))->sa_family,\
+		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+		    (caddr_t)&(((struct sockaddr_in *)(dst))->sin_addr),\
+		    proto, spi)
+#define	KEY_FREESAV(psav)					\
+	key_freesav(*psav)
 
 #ifdef MALLOC_DECLARE
 MALLOC_DECLARE(M_SECA);
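Review bot: KEY_ALLOCSA reads `sa_family` from `dst` but then always takes `sin_addr` through a `struct sockaddr_in` cast, so an AF_INET6 caller would hand key_allocsa the IPv6 family together with a pointer at the sockaddr_in offset, which in a sockaddr_in6 is not sin6_addr; the mail defers IPv6, but the macro's shape lets that bug in silently. The macro also evaluates `dst` three times and leaves `proto`, `spi` and `*psav` unparenthesized. Since key.h only forward-declares union sockaddr_union (the full definition lives in keydb.h), the family switch is better done in a real function in key.c with a prototype here, leaving the macros as thin wrappers, as sketched below. The same address is passed as both src and dst; if key_allocsa matches on both, only SAs whose src equals dst would be found, so please confirm that is what the TCP-MD5 caller relies on.
```c
/* key.h: keep the FAST_IPSEC-style entry points as thin wrappers */
extern struct secasvar *key_allocsa_bydst(struct sockaddr *, u_int, u_int32_t);
#define	KEY_ALLOCSA(dst, proto, spi)	\
	key_allocsa_bydst((struct sockaddr *)(dst), (proto), (spi))
#define	KEY_FREESAV(psav)	key_freesav(*(psav))

/* key.c: pick the address by family instead of assuming sockaddr_in */
struct secasvar *
key_allocsa_bydst(struct sockaddr *dst, u_int proto, u_int32_t spi)
{
	caddr_t addr;

	switch (dst->sa_family) {
	case AF_INET:
		addr = (caddr_t)&((struct sockaddr_in *)dst)->sin_addr;
		break;
#ifdef INET6
	case AF_INET6:
		addr = (caddr_t)&((struct sockaddr_in6 *)dst)->sin6_addr;
		break;
#endif
	default:
		return NULL;
	}
	return key_allocsa(dst->sa_family, addr, addr, proto, spi);
}
```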
diff -ur src/sys/netkey/keydb.h src-53/sys/netkey/keydb.h
--- src/sys/netkey/keydb.h	Wed Nov  5 01:02:05 2003
+++ src-53/sys/netkey/keydb.h	Fri Oct 29 12:54:15 2004
_at__at_ -37,6 +37,18 _at__at_
 
 #include <netkey/key_var.h>
 
+#ifndef _SOCKADDR_UNION_DEFINED
+#define	_SOCKADDR_UNION_DEFINED
+/*
+ * The union of all possible address formats we handle.
+ */
+union sockaddr_union {
+	struct sockaddr		sa;
+	struct sockaddr_in	sin;
+	struct sockaddr_in6	sin6;
+};
+#endif /* _SOCKADDR_UNION_DEFINED */
+
 /* Security Assocciation Index */
 /* NOTE: Ensure to be same address family */
 struct secasindex {