diff options
author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2019-09-24 11:05:03 +0200 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2019-11-13 10:47:04 +0100 |
commit | a5ddb0ea69f21c16b7697a935d7a0c16bb3cffcf (patch) | |
tree | db091fb0f7d091804482156c9f3f55879ac93d5b /freebsd/sys/netipsec | |
parent | test/syscalls01: Fix sporadic test failures (diff) | |
download | rtems-libbsd-a5ddb0ea69f21c16b7697a935d7a0c16bb3cffcf.tar.bz2 |
Update to FreeBSD head 2019-09-24
Git mirror commit 6b0307a0a5184339393f555d5d424190d8a8277a.
Diffstat (limited to 'freebsd/sys/netipsec')
-rw-r--r-- | freebsd/sys/netipsec/ipsec.c | 7 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/key.c | 40 | ||||
-rw-r--r-- | freebsd/sys/netipsec/key.h | 1 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ah.c | 21 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_esp.c | 24 |
6 files changed, 61 insertions, 34 deletions
diff --git a/freebsd/sys/netipsec/ipsec.c b/freebsd/sys/netipsec/ipsec.c index 116557ed..f5c3967c 100644 --- a/freebsd/sys/netipsec/ipsec.c +++ b/freebsd/sys/netipsec/ipsec.c @@ -218,6 +218,11 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel, SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat, ipsec4stat, "IPsec IPv4 statistics."); +struct timeval ipsec_warn_interval = { .tv_sec = 1, .tv_usec = 0 }; +SYSCTL_TIMEVAL_SEC(_net_inet_ipsec, OID_AUTO, crypto_warn_interval, CTLFLAG_RW, + &ipsec_warn_interval, + "Delay in seconds between warnings of deprecated IPsec crypto algorithms."); + #ifdef REGRESSION /* * When set to 1, IPsec will send packets with the same sequence number. @@ -1320,6 +1325,8 @@ ok: __func__, replay->overflow, ipsec_sa2str(sav, buf, sizeof(buf)))); } + + replay->count++; return (0); } diff --git a/freebsd/sys/netipsec/ipsec.h b/freebsd/sys/netipsec/ipsec.h index eed2d077..b9b6eca2 100644 --- a/freebsd/sys/netipsec/ipsec.h +++ b/freebsd/sys/netipsec/ipsec.h @@ -287,6 +287,8 @@ VNET_DECLARE(int, crypto_support); VNET_DECLARE(int, async_crypto); VNET_DECLARE(int, natt_cksum_policy); +extern struct timeval ipsec_warn_interval; + #define IPSECSTAT_INC(name) \ VNET_PCPUSTAT_ADD(struct ipsecstat, ipsec4stat, name, 1) #define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev) diff --git a/freebsd/sys/netipsec/key.c b/freebsd/sys/netipsec/key.c index 4b79f881..062fbf28 100644 --- a/freebsd/sys/netipsec/key.c +++ b/freebsd/sys/netipsec/key.c @@ -286,7 +286,7 @@ key_addrprotohash(const union sockaddr_union *src, #endif default: hval = 0; - ipseclog((LOG_DEBUG, "%s: unknown address family %d", + ipseclog((LOG_DEBUG, "%s: unknown address family %d\n", __func__, dst->sa.sa_family)); } return (hval); @@ -2041,8 +2041,8 @@ key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) key_freesp(&newsp); } else { key_freesp(&newsp); - ipseclog((LOG_DEBUG, "%s: a SP entry exists already.", - __func__)); + ipseclog((LOG_DEBUG, + "%s: a SP entry exists already.\n", __func__)); return (key_senderror(so, m, EEXIST)); } } @@ -4762,34 +4762,10 @@ key_random() { u_long value; - key_randomfill(&value, sizeof(value)); + arc4random_buf(&value, sizeof(value)); return value; } -void -key_randomfill(void *p, size_t l) -{ - size_t n; - u_long v; - static int warn = 1; - - n = 0; - n = (size_t)read_random(p, (u_int)l); - /* last resort */ - while (n < l) { - v = random(); - bcopy(&v, (u_int8_t *)p + n, - l - n < sizeof(v) ? l - n : sizeof(v)); - n += sizeof(v); - - if (warn) { - printf("WARNING: pseudo-random number generator " - "used for IPsec processing\n"); - warn = 0; - } - } -} - /* * map SADB_SATYPE_* to IPPROTO_*. * if satype == SADB_SATYPE then satype is mapped to ~0. @@ -5435,7 +5411,7 @@ key_update(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) } /* saidx should match with SA. */ if (key_cmpsaidx(&sav->sah->saidx, &saidx, CMP_MODE_REQID) == 0) { - ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u", + ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n", __func__, ntohl(sav->spi))); key_freesav(&sav); return key_senderror(so, m, ESRCH); @@ -6911,14 +6887,14 @@ key_acqdone(const struct secasindex *saidx, uint32_t seq) if (acq != NULL) { if (key_cmpsaidx(&acq->saidx, saidx, CMP_EXACTLY) == 0) { ipseclog((LOG_DEBUG, - "%s: Mismatched saidx for ACQ %u", __func__, seq)); + "%s: Mismatched saidx for ACQ %u\n", __func__, seq)); acq = NULL; } else { acq->created = 0; } } else { ipseclog((LOG_DEBUG, - "%s: ACQ %u is not found.", __func__, seq)); + "%s: ACQ %u is not found.\n", __func__, seq)); } ACQ_UNLOCK(); if (acq == NULL) @@ -7190,7 +7166,7 @@ key_register(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp) return key_senderror(so, m, ENOBUFS); MGETHDR(n, M_NOWAIT, MT_DATA); - if (len > MHLEN) { + if (n != NULL && len > MHLEN) { if (!(MCLGET(n, M_NOWAIT))) { m_freem(n); n = NULL; diff --git a/freebsd/sys/netipsec/key.h b/freebsd/sys/netipsec/key.h index 7d7ae69f..2ee7c208 100644 --- a/freebsd/sys/netipsec/key.h +++ b/freebsd/sys/netipsec/key.h @@ -78,7 +78,6 @@ void key_unregister_ifnet(struct secpolicy **, u_int); void key_delete_xform(const struct xformsw *); extern u_long key_random(void); -extern void key_randomfill(void *, size_t); extern void key_freereg(struct socket *); extern int key_parse(struct mbuf *, struct socket *); extern void key_init(void); diff --git a/freebsd/sys/netipsec/xform_ah.c b/freebsd/sys/netipsec/xform_ah.c index 84ba6c16..618fbd9b 100644 --- a/freebsd/sys/netipsec/xform_ah.c +++ b/freebsd/sys/netipsec/xform_ah.c @@ -110,6 +110,7 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_ah, IPSECCTL_STATS, stats, struct ahstat, #endif static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ +static struct timeval md5warn, ripewarn, kpdkmd5warn, kpdksha1warn; static int ah_input_cb(struct cryptop*); static int ah_output_cb(struct cryptop*); @@ -186,6 +187,26 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria) __func__, sav->alg_auth)); return EINVAL; } + + switch (sav->alg_auth) { + case SADB_AALG_MD5HMAC: + if (ratecheck(&md5warn, &ipsec_warn_interval)) + gone_in(13, "MD5-HMAC authenticator for IPsec"); + break; + case SADB_X_AALG_RIPEMD160HMAC: + if (ratecheck(&ripewarn, &ipsec_warn_interval)) + gone_in(13, "RIPEMD160-HMAC authenticator for IPsec"); + break; + case SADB_X_AALG_MD5: + if (ratecheck(&kpdkmd5warn, &ipsec_warn_interval)) + gone_in(13, "Keyed-MD5 authenticator for IPsec"); + break; + case SADB_X_AALG_SHA: + if (ratecheck(&kpdksha1warn, &ipsec_warn_interval)) + gone_in(13, "Keyed-SHA1 authenticator for IPsec"); + break; + } + /* * Verify the replay state block allocation is consistent with * the protocol type. We check here so we can make assumptions diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c index f8473575..388fe499 100644 --- a/freebsd/sys/netipsec/xform_esp.c +++ b/freebsd/sys/netipsec/xform_esp.c @@ -96,6 +96,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet_esp, IPSECCTL_STATS, stats, struct espstat, espstat, "ESP statistics (struct espstat, netipsec/esp_var.h"); +static struct timeval deswarn, blfwarn, castwarn, camelliawarn; + static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); @@ -158,6 +160,26 @@ esp_init(struct secasvar *sav, struct xformsw *xsp) __func__)); return EINVAL; } + + switch (sav->alg_enc) { + case SADB_EALG_DESCBC: + if (ratecheck(&deswarn, &ipsec_warn_interval)) + gone_in(13, "DES cipher for IPsec"); + break; + case SADB_X_EALG_BLOWFISHCBC: + if (ratecheck(&blfwarn, &ipsec_warn_interval)) + gone_in(13, "Blowfish cipher for IPsec"); + break; + case SADB_X_EALG_CAST128CBC: + if (ratecheck(&castwarn, &ipsec_warn_interval)) + gone_in(13, "CAST cipher for IPsec"); + break; + case SADB_X_EALG_CAMELLIACBC: + if (ratecheck(&camelliawarn, &ipsec_warn_interval)) + gone_in(13, "Camellia cipher for IPsec"); + break; + } + /* subtract off the salt, RFC4106, 8.1 and RFC3686, 5.1 */ keylen = _KEYLEN(sav->key_enc) - SAV_ISCTRORGCM(sav) * 4; if (txform->minkey > keylen || keylen > txform->maxkey) { @@ -770,7 +792,7 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, */ switch (sav->flags & SADB_X_EXT_PMASK) { case SADB_X_EXT_PRAND: - (void) read_random(pad, padding - 2); + arc4random_buf(pad, padding - 2); break; case SADB_X_EXT_PZERO: bzero(pad, padding - 2); |