Update to FreeBSD head 2019-09-24
Git mirror commit 6b0307a0a5184339393f555d5d424190d8a8277a.
@@ -218,6 +218,11 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
|
||||
SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
|
||||
ipsec4stat, "IPsec IPv4 statistics.");
|
||||
|
||||
struct timeval ipsec_warn_interval = { .tv_sec = 1, .tv_usec = 0 };
|
||||
SYSCTL_TIMEVAL_SEC(_net_inet_ipsec, OID_AUTO, crypto_warn_interval, CTLFLAG_RW,
|
||||
&ipsec_warn_interval,
|
||||
"Delay in seconds between warnings of deprecated IPsec crypto algorithms.");
|
||||
|
||||
#ifdef REGRESSION
|
||||
/*
|
||||
* When set to 1, IPsec will send packets with the same sequence number.
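Review bot: The new crypto_warn_interval knob is CTLFLAG_RW but nothing in the hunk bounds the value it accepts, so an operator can set it to 0, and as I read ratecheck() a zero interval lets every call through, turning the deprecation warning into one log line per SA install. Either say so in the description, `"Delay in seconds between warnings of deprecated IPsec crypto algorithms (0 = warn on every SA)."`, or reject 0 and negative values in a handler if the SYSCTL_TIMEVAL_SEC one does not already. The interval is a plain global rather than a VNET variable, unlike the adjacent ipsec4stat, so every vnet shares one setting; that looks intentional but deserves a one-line comment above `struct timeval ipsec_warn_interval`.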
|
||||
@@ -1320,6 +1325,8 @@ ok:
|
||||
__func__, replay->overflow,
|
||||
ipsec_sa2str(sav, buf, sizeof(buf))));
|
||||
}
|
||||
|
||||
replay->count++;
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
@@ -287,6 +287,8 @@ VNET_DECLARE(int, crypto_support);
|
||||
VNET_DECLARE(int, async_crypto);
|
||||
VNET_DECLARE(int, natt_cksum_policy);
|
||||
|
||||
extern struct timeval ipsec_warn_interval;
|
||||
|
||||
#define IPSECSTAT_INC(name) \
|
||||
VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1)
|
||||
#define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev)
|
||||
|
@@ -286,7 +286,7 @@ key_addrprotohash(const union sockaddr_union *src,
|
||||
#endif
|
||||
default:
|
||||
hval = 0;
|
||||
ipseclog((LOG_DEBUG, "%s: unknown address family %d",
|
||||
ipseclog((LOG_DEBUG, "%s: unknown address family %d\n",
|
||||
__func__, dst->sa.sa_family));
|
||||
}
|
||||
return (hval);
|
||||
@@ -2041,8 +2041,8 @@ key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
|
||||
key_freesp(&newsp);
|
||||
} else {
|
||||
key_freesp(&newsp);
|
||||
ipseclog((LOG_DEBUG, "%s: a SP entry exists already.",
|
||||
__func__));
|
||||
ipseclog((LOG_DEBUG,
|
||||
"%s: a SP entry exists already.\n", __func__));
|
||||
return (key_senderror(so, m, EEXIST));
|
||||
}
|
||||
}
|
||||
@@ -4762,34 +4762,10 @@ key_random()
|
||||
{
|
||||
u_long value;
|
||||
|
||||
key_randomfill(&value, sizeof(value));
|
||||
arc4random_buf(&value, sizeof(value));
|
||||
return value;
|
||||
}
|
||||
|
||||
void
|
||||
key_randomfill(void *p, size_t l)
|
||||
{
|
||||
size_t n;
|
||||
u_long v;
|
||||
static int warn = 1;
|
||||
|
||||
n = 0;
|
||||
n = (size_t)read_random(p, (u_int)l);
|
||||
/* last resort */
|
||||
while (n < l) {
|
||||
v = random();
|
||||
bcopy(&v, (u_int8_t *)p + n,
|
||||
l - n < sizeof(v) ? l - n : sizeof(v));
|
||||
n += sizeof(v);
|
||||
|
||||
if (warn) {
|
||||
printf("WARNING: pseudo-random number generator "
|
||||
"used for IPsec processing\n");
|
||||
warn = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* map SADB_SATYPE_* to IPPROTO_*.
|
||||
* if satype == SADB_SATYPE then satype is mapped to ~0.
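Review bot: key_random() is left with no comment saying where its bytes now come from, and dropping key_randomfill() in the rest of this hunk means any out-of-tree caller of that symbol fails to link once the key.h prototype goes in the later hunk (@@ -78). A one-line header would help the next reader: `/* Return a u_long filled from the kernel CSPRNG; arc4random_buf() cannot fail or short-read. */`. The empty parameter list in `key_random()` is also the old K&R form; `key_random(void)` matches the prototype in key.h.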
|
||||
@@ -5435,7 +5411,7 @@ key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
|
||||
}
|
||||
/* saidx should match with SA. */
|
||||
if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) {
|
||||
ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u",
|
||||
ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n",
|
||||
__func__, ntohl(sav->spi)));
|
||||
key_freesav(&sav);
|
||||
return key_senderror(so, m, ESRCH);
|
||||
@@ -6911,14 +6887,14 @@ key_acqdone(const struct secasindex *saidx, uint32_t seq)
|
||||
if (acq != NULL) {
|
||||
if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY) == 0) {
|
||||
ipseclog((LOG_DEBUG,
|
||||
"%s: Mismatched saidx for ACQ %u", __func__, seq));
|
||||
"%s: Mismatched saidx for ACQ %u\n", __func__, seq));
|
||||
acq = NULL;
|
||||
} else {
|
||||
acq->created = 0;
|
||||
}
|
||||
} else {
|
||||
ipseclog((LOG_DEBUG,
|
||||
"%s: ACQ %u is not found.", __func__, seq));
|
||||
"%s: ACQ %u is not found.\n", __func__, seq));
|
||||
}
|
||||
ACQ_UNLOCK();
|
||||
if (acq == NULL)
|
||||
@@ -7190,7 +7166,7 @@ key_register(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
|
||||
return key_senderror(so, m, ENOBUFS);
|
||||
|
||||
MGETHDR(n, M_NOWAIT, MT_DATA);
|
||||
if (len > MHLEN) {
|
||||
if (n != NULL && len > MHLEN) {
|
||||
if (!(MCLGET(n, M_NOWAIT))) {
|
||||
m_freem(n);
|
||||
n = NULL;
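Review bot: The added `n != NULL` guard only keeps MCLGET from touching a NULL mbuf; the case where n stays NULL is handled after the hunk, presumably by the same `if (!n) return key_senderror(so, m, ENOBUFS);` pattern used for the earlier allocation on the first context line, which is worth confirming since key_register's body continues outside the hunk. As a point of style, `n = m_get2(len, M_NOWAIT, MT_DATA, M_PKTHDR);` replaces the MGETHDR/MCLGET pair with one call that already returns NULL on failure, provided len never exceeds the cluster sizes m_get2 serves, which is not visible here.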
|
||||
|
@@ -78,7 +78,6 @@ void key_unregister_ifnet(struct secpolicy **, u_int);
|
||||
void key_delete_xform(const struct xformsw *);
|
||||
|
||||
extern u_long key_random(void);
|
||||
extern void key_randomfill(void *, size_t);
|
||||
extern void key_freereg(struct socket *);
|
||||
extern int key_parse(struct mbuf *, struct socket *);
|
||||
extern void key_init(void);
|
||||
|
@@ -110,6 +110,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat,
|
||||
#endif
|
||||
|
||||
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
|
||||
static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn;
|
||||
|
||||
static int ah_input_cb(struct cryptop*);
|
||||
static int ah_output_cb(struct cryptop*);
|
||||
@@ -186,6 +187,26 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
|
||||
__func__, sav->alg_auth));
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
switch (sav->alg_auth) {
|
||||
case SADB_AALG_MD5HMAC:
|
||||
if (ratecheck(&md5warn, &ipsec_warn_interval))
|
||||
gone_in(13, "MD5-HMAC authenticator for IPsec");
|
||||
break;
|
||||
case SADB_X_AALG_RIPEMD160HMAC:
|
||||
if (ratecheck(&ripewarn, &ipsec_warn_interval))
|
||||
gone_in(13, "RIPEMD160-HMAC authenticator for IPsec");
|
||||
break;
|
||||
case SADB_X_AALG_MD5:
|
||||
if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval))
|
||||
gone_in(13, "Keyed-MD5 authenticator for IPsec");
|
||||
break;
|
||||
case SADB_X_AALG_SHA:
|
||||
if (ratecheck(&kpdksha1warn, &ipsec_warn_interval))
|
||||
gone_in(13, "Keyed-SHA1 authenticator for IPsec");
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify the replay state block allocation is consistent with
|
||||
* the protocol type. We check here so we can make assumptions
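Review bot: The new switch on sav->alg_auth has no `default:` arm, so a reader cannot tell whether the remaining algorithms are deliberately silent or were forgotten; `default: break; /* not deprecated */` says so explicitly, and the same applies to the esp_init hunk below (@@ -158). The per-algorithm `static struct timeval` counters declared in the earlier xform_ah.c hunk (@@ -110), and the esp ones in @@ -96, are updated by ratecheck() without any lock, so two SAs installed concurrently on different CPUs can both pass the check and log twice; harmless as far as I can tell, but a comment on the declaration saying the race is accepted would stop the next reader from "fixing" it. gone_in() only logs, so the deprecated authenticators are still accepted after this change; the warning is informational, not enforcement.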
|
||||
|
@@ -96,6 +96,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats,
|
||||
struct espstat, espstat,
|
||||
"ESP statistics (struct espstat, netipsec/esp_var.h");
|
||||
|
||||
static struct timeval deswarn, blfwarn, castwarn, camelliawarn;
|
||||
|
||||
static int esp_input_cb(struct cryptop *op);
|
||||
static int esp_output_cb(struct cryptop *crp);
|
||||
|
||||
@@ -158,6 +160,26 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
|
||||
__func__));
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
switch (sav->alg_enc) {
|
||||
case SADB_EALG_DESCBC:
|
||||
if (ratecheck(&deswarn, &ipsec_warn_interval))
|
||||
gone_in(13, "DES cipher for IPsec");
|
||||
break;
|
||||
case SADB_X_EALG_BLOWFISHCBC:
|
||||
if (ratecheck(&blfwarn, &ipsec_warn_interval))
|
||||
gone_in(13, "Blowfish cipher for IPsec");
|
||||
break;
|
||||
case SADB_X_EALG_CAST128CBC:
|
||||
if (ratecheck(&castwarn, &ipsec_warn_interval))
|
||||
gone_in(13, "CAST cipher for IPsec");
|
||||
break;
|
||||
case SADB_X_EALG_CAMELLIACBC:
|
||||
if (ratecheck(&camelliawarn, &ipsec_warn_interval))
|
||||
gone_in(13, "Camellia cipher for IPsec");
|
||||
break;
|
||||
}
|
||||
|
||||
/* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */
|
||||
keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4;
|
||||
if (txform->minkey > keylen || keylen > txform->maxkey) {
|
||||
@@ -770,7 +792,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
|
||||
*/
|
||||
switch (sav->flags & SADB_X_EXT_PMASK) {
|
||||
case SADB_X_EXT_PRAND:
|
||||
(void) read_random(pad, padding - 2);
|
||||
arc4random_buf(pad, padding - 2);
|
||||
break;
|
||||
case SADB_X_EXT_PZERO:
|
||||
bzero(pad, padding - 2);
|
||||
|