Index: lib/libipsec/pfkey_dump.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/lib/libipsec/pfkey_dump.c,v retrieving revision 1.1 diff -c -r1.1 pfkey_dump.c *** lib/libipsec/pfkey_dump.c 12 Dec 2001 09:17:08 -0000 1.1 --- lib/libipsec/pfkey_dump.c 27 Feb 2002 13:48:50 -0000 *************** *** 361,366 **** --- 361,377 ---- /* XXX DEBUG */ printf("refcnt=%u\n", m->sadb_msg_reserved); + if(m_sens) { + printf("\tMAC label: DPD=%x, sens_level=%d, integ_level=%d\n", + m_sens->sadb_sens_dpd, m_sens->sadb_sens_sens_level, + m_sens->sadb_sens_integ_level); + printf("\tcompartments: {"); + ipsec_hexdump((caddr_t)m_sens + sizeof(struct sadb_sens), + m_sens->sadb_sens_sens_len + + m_sens->sadb_sens_integ_len); + printf(" }\n"); + } + return; } Index: sys/netinet6/ah_core.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/ah_core.c,v retrieving revision 1.2 diff -c -r1.2 ah_core.c *** sys/netinet6/ah_core.c 12 Dec 2001 09:48:10 -0000 1.2 --- sys/netinet6/ah_core.c 28 Feb 2002 12:51:07 -0000 *************** *** 39,44 **** --- 39,45 ---- #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" + #include "opt_mac.h" #include #include Index: sys/netinet6/ah_input.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/ah_input.c,v retrieving revision 1.2 diff -c -r1.2 ah_input.c *** sys/netinet6/ah_input.c 12 Dec 2001 09:48:10 -0000 1.2 --- sys/netinet6/ah_input.c 28 Feb 2002 13:00:00 -0000 *************** *** 36,41 **** --- 36,42 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" #include #include *************** *** 49,54 **** --- 50,57 ---- #include #include + #include + #include #include #include *************** *** 114,119 **** --- 117,123 ---- size_t hlen; int proto; size_t stripsiz = 0; + struct mac 
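Review bot: The new `ipsec_hexdump` in pfkey_dump.c reads `sadb_sens_sens_len + sadb_sens_integ_len` bytes past the `struct sadb_sens` header, but neither count is checked against the extension's own length, so a malformed or truncated SADB_EXT_SENSITIVITY coming back from the kernel walks past the end of the message buffer. Bound it first, e.g. `len = PFKEY_UNUNIT64(m_sens->sadb_sens_len) - sizeof(struct sadb_sens);` and dump no more than `len` bytes (or skip the dump and print a warning when the sum exceeds `len`). The enclosing dump function starts before this hunk, so how `m_sens` is located and whether the extension was validated earlier is not visible here.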
maclabel; #ifndef PULLDOWN_TEST if (m->m_len < off + sizeof(struct newah)) { *************** *** 536,541 **** --- 540,561 ---- goto fail; } + #if defined(MAC_BIBA) || defined(MAC_MLS) + mac_init_object(&maclabel); + mac_copy_label(&m->m_pkthdr.label, &maclabel); + /* SADB entry has only single level label */ + maclabel.m_biba.mb_flags = MAC_BIBA_FLAG_SINGLE; + maclabel.m_biba.mb_single.mbe_type = MAC_BIBA_TYPE_GRADE; + maclabel.m_biba.mb_single.mbe_grade = sav->sah->saidx.sls.integ_level; + maclabel.m_mls.mm_flags = MAC_MLS_FLAG_SINGLE; + maclabel.m_mls.mm_single.mme_type = MAC_MLS_TYPE_LEVEL; + maclabel.m_mls.mm_single.mme_level = sav->sah->saidx.sls.sens_level; + + /* compartment code here! */ + + mac_copy_label(&maclabel, &m->m_pkthdr.label); + /**********/ + #endif /* MAC */ if (nxt != IPPROTO_DONE) { if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec4_in_reject(m, NULL)) { Index: sys/netinet6/ah_output.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/ah_output.c,v retrieving revision 1.2 diff -c -r1.2 ah_output.c *** sys/netinet6/ah_output.c 12 Dec 2001 09:48:10 -0000 1.2 --- sys/netinet6/ah_output.c 28 Feb 2002 12:51:29 -0000 *************** *** 36,41 **** --- 36,42 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" #include #include Index: sys/netinet6/esp_core.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/esp_core.c,v retrieving revision 1.3 diff -c -r1.3 esp_core.c *** sys/netinet6/esp_core.c 12 Dec 2001 10:44:40 -0000 1.3 --- sys/netinet6/esp_core.c 28 Feb 2002 12:51:45 -0000 *************** *** 32,37 **** --- 32,38 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" #include #include Index: sys/netinet6/esp_input.c =================================================================== RCS file: 
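Review bot: The relabel block added to ah4_input overwrites the packet's MLS level and Biba grade from `sav->sah->saidx.sls` unconditionally, but an SA created without an SADB_EXT_SENSITIVITY (every `KEY_SETSECASIDX(..., NULL, &saidx)` caller in key.c, including getspi) ends up with `sls.dpd == 0` and zeroed levels, so traffic over an unlabelled SA is silently relabelled to level 0 / grade 0 instead of keeping the label the mbuf already carried. Guard the whole block with `if (sav->sah->saidx.sls.dpd != 0) {` and leave `m->m_pkthdr.label` untouched otherwise. The `/* compartment code here! */` placeholder deserves a real comment stating that compartments are deliberately not transferred until the SADB carries them, so the gap is not mistaken for an oversight. The function starts and ends outside this hunk.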
/mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/esp_input.c,v retrieving revision 1.2 diff -c -r1.2 esp_input.c *** sys/netinet6/esp_input.c 12 Dec 2001 09:48:10 -0000 1.2 --- sys/netinet6/esp_input.c 28 Feb 2002 13:00:14 -0000 *************** *** 36,41 **** --- 36,42 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" #include #include *************** *** 48,53 **** --- 49,56 ---- #include #include + #include + #include #include #include *************** *** 117,122 **** --- 120,126 ---- size_t hlen; size_t esplen; int proto; + struct mac maclabel; /* sanity check for alignment. */ if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { *************** *** 430,435 **** --- 434,456 ---- goto bad; } + #if defined(MAC_BIBA) || defined(MAC_MLS) + /* XXXMAC */ + mac_init_object(&maclabel); + mac_copy_label(&m->m_pkthdr.label, &maclabel); + /* SADB entry has only single level label */ + maclabel.m_biba.mb_flags = MAC_BIBA_FLAG_SINGLE; + maclabel.m_biba.mb_single.mbe_type = MAC_BIBA_TYPE_GRADE; + maclabel.m_biba.mb_single.mbe_grade = sav->sah->saidx.sls.integ_level; + maclabel.m_mls.mm_flags = MAC_MLS_FLAG_SINGLE; + maclabel.m_mls.mm_single.mme_type = MAC_MLS_TYPE_LEVEL; + maclabel.m_mls.mm_single.mme_level = sav->sah->saidx.sls.sens_level; + + /* compartment code here! 
*/ + + mac_copy_label(&maclabel, &m->m_pkthdr.label); + /**********/ + #endif /* MAC */ if (nxt != IPPROTO_DONE) { if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec4_in_reject(m, NULL)) { Index: sys/netinet6/esp_output.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/esp_output.c,v retrieving revision 1.2 diff -c -r1.2 esp_output.c *** sys/netinet6/esp_output.c 12 Dec 2001 09:48:10 -0000 1.2 --- sys/netinet6/esp_output.c 28 Feb 2002 12:52:07 -0000 *************** *** 32,37 **** --- 32,38 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" /* * RFC1827/2406 Encapsulated Security Payload. Index: sys/netinet6/ipcomp_input.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/ipcomp_input.c,v retrieving revision 1.2 diff -c -r1.2 ipcomp_input.c *** sys/netinet6/ipcomp_input.c 12 Dec 2001 09:48:10 -0000 1.2 --- sys/netinet6/ipcomp_input.c 28 Feb 2002 12:52:31 -0000 *************** *** 36,41 **** --- 36,42 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" #include #include Index: sys/netinet6/ipcomp_output.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/ipcomp_output.c,v retrieving revision 1.2 diff -c -r1.2 ipcomp_output.c *** sys/netinet6/ipcomp_output.c 12 Dec 2001 09:48:10 -0000 1.2 --- sys/netinet6/ipcomp_output.c 28 Feb 2002 12:52:45 -0000 *************** *** 36,41 **** --- 36,42 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" #include #include Index: sys/netinet6/ipsec.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netinet6/ipsec.c,v retrieving revision 1.2 diff -c -r1.2 ipsec.c *** sys/netinet6/ipsec.c 12 Dec 2001 09:48:10 -0000 1.2 --- 
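Review bot: As in ah_input.c, the esp4_input relabel applies `saidx.sls.sens_level` / `integ_level` to the packet even when the SA has no sensitivity label (`sls.dpd == 0`, levels zeroed by the `bzero` in `KEY_SETSECASIDX`), downgrading packets received over unlabelled SAs to level 0 / grade 0; wrap the block in `if (sav->sah->saidx.sls.dpd != 0) {`. The block is compiled under `MAC_BIBA || MAC_MLS` yet writes both `m_biba` and `m_mls` members, so confirm `struct mac` carries both members in a kernel configured with only one of the two policies, otherwise a single-policy build will not compile. The copy into the stack `maclabel` and back is also unnecessary: the four fields can be set directly on `m->m_pkthdr.label`. esp4_input starts and ends outside this hunk.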
sys/netinet6/ipsec.c 28 Feb 2002 13:05:41 -0000 *************** *** 37,42 **** --- 37,43 ---- #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" + #include "opt_mac.h" #include #include *************** *** 2486,2491 **** --- 2487,2495 ---- int error; struct sockaddr_in *dst4; struct sockaddr_in *sin; + #if defined(MAC_MLS) || defined(MAC_BIBA) + struct sens_lvl_spec *sls; + #endif if (!state) panic("state == NULL in ipsec4_output"); *************** *** 2534,2539 **** --- 2538,2552 ---- bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr)); } + + #if defined(MAC_MLS) || defined(MAC_BIBA) + /* fill in sls field of saidx from mbuf(state->m) label */ + sls = key_parse_mbuf_label(state->m); + if(sls) { + key_setsecasidx_sls(&saidx, sls); + key_free_sls(sls); + } + #endif if ((error = key_checkrequest(isr, &saidx)) != 0) { /* Index: sys/netkey/key.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netkey/key.c,v retrieving revision 1.2 diff -c -r1.2 key.c *** sys/netkey/key.c 12 Dec 2001 18:54:21 -0000 1.2 --- sys/netkey/key.c 1 Mar 2002 13:13:19 -0000 *************** *** 37,42 **** --- 37,43 ---- #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" + #include "opt_mac.h" #include #include *************** *** 341,347 **** --- 342,362 ---- /* * set parameters into secasindex buffer. * Must allocate secasindex buffer before calling this function. 
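Review bot: `key_setsecasidx_sls` (key.c, this patch) KMALLOCs `saidx.sls.sens_bitmap`, but nothing in this hunk frees it after `key_checkrequest`, so unless key_checkrequest takes ownership — which its call gives no hint of — every labelled outbound packet leaks that allocation from a local `saidx`. Release it on every exit after the request check, ideally through a small `key_clear_secasidx_sls(&saidx)` helper in key.c that the other temporary-index callers (key_update, key_add) can share. Separately, `key_parse_mbuf_label` returns NULL on allocation failure and the `if(sls)` then quietly leaves `saidx.sls.dpd == 0`, so a labelled packet is looked up as unlabelled under memory pressure; fail the output with ENOBUFS instead. ipsec4_output begins and ends outside this hunk.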
+ * struct sens_lvl_spec *sls; */ + + #if defined(MAC_MLS) || defined(MAC_BIBA) + #define KEY_SETSECASIDX(p, m, r, s, d, sls, idx) \ + do { \ + bzero((idx), sizeof(struct secasindex)); \ + (idx)->proto = (p); \ + (idx)->mode = (m); \ + (idx)->reqid = (r); \ + bcopy((s), &(idx)->src, ((struct sockaddr *)(s))->sa_len); \ + bcopy((d), &(idx)->dst, ((struct sockaddr *)(d))->sa_len); \ + key_setsecasidx_sls(idx,sls); \ + } while (0) + #else /* NOT (MAC_MLS || MAC_BIBA) */ #define KEY_SETSECASIDX(p, m, r, s, d, idx) \ do { \ bzero((idx), sizeof(struct secasindex)); \ *************** *** 351,356 **** --- 366,372 ---- bcopy((s), &(idx)->src, ((struct sockaddr *)(s))->sa_len); \ bcopy((d), &(idx)->dst, ((struct sockaddr *)(d))->sa_len); \ } while (0) + #endif /* (MAC_MLS || MAC_BIBA) */ /* key statistics */ struct _keystat { *************** *** 408,413 **** --- 424,436 ---- static struct mbuf *key_setsadbsa __P((struct secasvar *)); static struct mbuf *key_setsadbaddr __P((u_int16_t, struct sockaddr *, u_int8_t, u_int16_t)); + #if defined(MAC_MLS) || defined(MAC_BIBA) + static struct mbuf *key_setsadbsens __P((u_int16_t, struct sens_lvl_spec *)); + struct sens_lvl_spec * key_parse_sens_label __P((struct sadb_sens *)); + struct sens_lvl_spec * key_parse_mbuf_label __P((struct mbuf *)); + int key_setsecasidx_sls __P(( struct secasindex *, struct sens_lvl_spec *)); + void key_free_sls __P((struct sens_lvl_spec *)); + #endif #if 0 static struct mbuf *key_setsadbident __P((u_int16_t, u_int16_t, caddr_t, int, u_int64_t)); *************** *** 739,751 **** LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) continue; ! if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) goto found; } return NULL; found: /* search valid state */ for (stateidx = 0; --- 762,777 ---- LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) continue; ! 
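Review bot: The MAC variant of `KEY_SETSECASIDX` discards the int returned by `key_setsecasidx_sls`, and that function (later in this patch) answers a KMALLOC failure with `panic()`, so the allocation that now happens on every SADB request and, through ipsec4_output, on every labelled outbound packet turns memory pressure into a kernel crash. Make the failure recoverable: have `key_setsecasidx_sls` return ENOBUFS and let callers see it, for instance by replacing the `do { } while (0)` macro with a `static int key_setsecasidx(...)` that returns that status. The four new non-static functions (`key_parse_sens_label`, `key_parse_mbuf_label`, `key_setsecasidx_sls`, `key_free_sls`) are only declared here inside key.c although ipsec.c calls two of them; move the prototypes to a header so the cross-file calls are type-checked rather than implicitly declared.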
if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) { goto found; + } } + printf("key_allocsa_policy() not found\n"); return NULL; found: + printf("key_allocsa_policy() found\n"); /* search valid state */ for (stateidx = 0; *************** *** 2654,2659 **** --- 2680,2697 ---- if (__LIST_CHAINED(sah)) LIST_REMOVE(sah, chain); + #if defined(MAC_MLS) || defined(MAC_BIBA) + if (sah->saidx.sls.sens_bitmap) { + KFREE(sah->saidx.sls.sens_bitmap); + /* sens_bitmap and integ_bitmap are allocated as a continious region to + * sens_bitmap. Maybe it is a bug! + KFREE(sav->sls->integ_bitmap); + */ + sah->saidx.sls.integ_bitmap = NULL; + sah->saidx.sls.sens_bitmap = NULL; + } + #endif /* MAC_MLS || MAC_BIBA */ + KFREE(sah); splx(s); *************** *** 2828,2837 **** LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) continue; ! if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID)) return sah; } return NULL; } --- 2866,2878 ---- LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) continue; ! if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID)) { ! printf("key_getsah() found\n"); return sah; + } } + printf("key_getsah() not found\n"); return NULL; } *************** *** 3455,3461 **** --- 3496,3515 ---- case SADB_EXT_IDENTITY_SRC: case SADB_EXT_IDENTITY_DST: /* XXX: should we brought from SPD ? 
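Review bot: The `printf("key_allocsa_policy() not found\n")` / `found` pair runs on every SA lookup, unconditionally and outside `KEYDEBUG`, so ordinary traffic floods the console; the same unconditional prints are added to `key_getsah` further down. Gate them like the rest of key.c, e.g. `KEYDEBUG(KEYDEBUG_KEY_DUMP, printf("key_allocsa_policy() found\n"));`, or drop them before commit. key_allocsa_policy continues past this hunk.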
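Review bot: The comment above the single `KFREE(sah->saidx.sls.sens_bitmap)` in key_delsah wonders whether `integ_bitmap` also needs freeing, but `key_setsecasidx_sls` in this same patch sets `integ_bitmap = sens_bitmap + sens_len` inside the one allocation, so one KFREE is exactly right and a second would be a double free. Replace the uncertainty with the fact, `/* integ_bitmap points into the sens_bitmap allocation; one KFREE releases both. */`, and delete the commented-out `KFREE(sav->sls->integ_bitmap)`, which names a field that does not exist. key_delsah starts before this hunk.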
*/ + continue; case SADB_EXT_SENSITIVITY: + /* XXXMAC */ + #if defined(MAC_MLS) || defined(MAC_BIBA) + if(sav->sah->saidx.sls.dpd != 0) { + m = key_setsadbsens(SADB_EXT_SENSITIVITY, + (struct sens_lvl_spec *)&sav->sah->saidx.sls); + if (!m) + goto fail; + break; + } + #endif + continue; + default: continue; } *************** *** 3910,3915 **** --- 3964,4015 ---- } } + /* MACXXX */ + /* Now i've set a direct rule comparison */ + #if defined(MAC_BIBA) || defined(MAC_MLS) + + printf("key_cmpsaidx():\n"); + printf("saidx0 dpd=%x\t| saidx1 dpd=%x\n", + saidx0->sls.dpd, saidx1->sls.dpd); + printf("saidx0 sens_level=%d\t| saidx1 sens_level=%d\n", + saidx0->sls.sens_level, saidx1->sls.sens_level); + printf("saidx0 sens_len=%d\t| saidx1 sens_len=%d\n", + saidx0->sls.sens_len, saidx1->sls.sens_len); + printf("saidx0 integ_level=%d\t| saidx1 integ_level=%d\n", + saidx0->sls.integ_level, saidx1->sls.integ_level); + printf("saidx0 integ_len=%d\t| saidx1 integ_len=%d\n", + saidx0->sls.integ_len, saidx1->sls.integ_len); + /* printf("saidx0 sens_bitmap: "); + ipsec_hexdump((caddr_t)saidx0->sls.sens_bitmap, + saidx0->sls.sens_len + saidx0->sls.integ_len); + printf("\nsaidx1 sens_bitmap: "); + ipsec_hexdump((caddr_t)saidx1->sls.sens_bitmap, + saidx1->sls.sens_len + saidx1->sls.integ_len); + printf("\n");*/ + + if(saidx0->sls.dpd != 0 && saidx1->sls.dpd != 0) { + if(saidx0->sls.dpd != saidx1->sls.dpd) + return 0; + if(saidx0->sls.sens_level != saidx1->sls.sens_level) + return 0; + if(saidx0->sls.integ_level != saidx1->sls.integ_level) + return 0; + /*if(saidx0->sls.sens_len != saidx1->sls.sens_len) + return 0; + if(saidx0->sls.integ_len != saidx1->sls.integ_len) + return 0; + if(bcmp(saidx0->sls.sens_bitmap, saidx1->sls.sens_bitmap, + saidx1->sls.sens_len) != 0 || + bcmp(saidx0->sls.integ_bitmap, saidx1->sls.integ_bitmap, + saidx1->sls.integ_len) != 0 ) + return 0;*/ + } else if(saidx0->sls.dpd == saidx1->sls.dpd == 0) { + /* saidx do not use sensitivity - dpd = 0 ! 
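Review bot: The cast `(struct sens_lvl_spec *)&sav->sah->saidx.sls` is a no-op, since `sls` already has that type per the keydb.h change in this patch; write `m = key_setsadbsens(SADB_EXT_SENSITIVITY, &sav->sah->saidx.sls);`. A one-line comment on the test, `/* dpd == 0 means the SA carries no sensitivity label; emit no extension */`, would make the skip self-explanatory, as this is the only place a reader of the dump path meets that convention. The enclosing function starts and ends outside this hunk.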
*/ + } else + return 0; + #endif + /* ****** */ + return 1; } *************** *** 4600,4606 **** --- 4700,4711 ---- } /* XXX boundary check against sa_len */ + /* MACXXX: should i pass NULL or some value ? */ + #if defined(MAC_BIBA) || defined(MAC_MLS) + KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, NULL, &saidx); + #else KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); + #endif /* SPI allocation */ spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], *************** *** 4806,4811 **** --- 4911,4919 ---- struct secasindex saidx; struct secashead *sah; struct secasvar *sav; + #if defined(MAC_BIBA) || defined(MAC_MLS) + struct sens_lvl_spec *sls = NULL; + #endif u_int16_t proto; u_int8_t mode; u_int32_t reqid; *************** *** 4854,4861 **** --- 4962,4977 ---- src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); + /* MACXXX ??? */ + #if defined(MAC_BIBA) || defined(MAC_MLS) + if(mhp->ext[SADB_EXT_SENSITIVITY]) + sls = key_parse_sens_label((struct sadb_sens *)mhp->ext[SADB_EXT_SENSITIVITY]); + KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, sls, &saidx); + key_free_sls(sls); + #else /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); + #endif /* get a SA header */ if ((sah = key_getsah(&saidx)) == NULL) { *************** *** 5001,5006 **** --- 5117,5125 ---- struct secasindex saidx; struct secashead *newsah; struct secasvar *newsav; + #if defined(MAC_BIBA) || defined(MAC_MLS) + struct sens_lvl_spec *sls = NULL; + #endif u_int16_t proto; u_int8_t mode; u_int32_t reqid; *************** *** 5049,5056 **** --- 5168,5183 ---- src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; + #if defined(MAC_BIBA) || defined(MAC_MLS) + /* MACXXX ??? 
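Review bot: `else if(saidx0->sls.dpd == saidx1->sls.dpd == 0)` in key_cmpsaidx parses as `(dpd0 == dpd1) == 0`, which is true exactly when the two dpd values differ and false when both are 0, so the branch inverts its own comment: two unlabelled indices fall into the final `else` and never match (unlabelled SAs become unfindable, breaking plain IPsec on a MAC kernel), while an unlabelled index paired with a labelled one drops through to `return 1` and matches, letting a labelled SA serve unlabelled traffic and vice versa. Write it as `} else if (saidx0->sls.dpd == 0 && saidx1->sls.dpd == 0) {`. The five unconditional `printf` calls above run on every SA comparison and belong under `KEYDEBUG` or should be removed. key_cmpsaidx starts before this hunk.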
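Review bot: When `key_parse_sens_label` fails (it returns NULL on KMALLOC failure), `sls` stays NULL and `KEY_SETSECASIDX` silently records `dpd = 0`, so an SADB_UPDATE that named a sensitivity label is applied to, or creates, an unlabelled SA under memory pressure. Check the result and take the function's normal error exit with ENOBUFS, e.g. `if (sls == NULL) return key_senderror(so, m, ENOBUFS);` — confirm that is the error convention of this function, since its body lies outside the hunk. The bitmap the macro allocates into the local `saidx` is also never released before the function returns.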
*/ + if(mhp->ext[SADB_EXT_SENSITIVITY]) + sls = key_parse_sens_label((struct sabd_sens *)mhp->ext[SADB_EXT_SENSITIVITY]); + KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, sls, &saidx); + key_free_sls(sls); + #else /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); + #endif /* get a SA header */ if ((newsah = key_getsah(&saidx)) == NULL) { *************** *** 5276,5283 **** --- 5403,5416 ---- src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); + /* MACXXX ??? */ + /* XXX boundary check against sa_len */ + #if defined(MAC_BIBA) || defined(MAC_MLS) + KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, NULL, &saidx); + #else KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); + #endif /* get a SA header */ LIST_FOREACH(sah, &sahtree, chain) { *************** *** 5343,5350 **** --- 5476,5489 ---- src0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_SRC]); dst0 = (struct sadb_address *)(mhp->ext[SADB_EXT_ADDRESS_DST]); + /* MACXXX ??? */ + /* XXX boundary check against sa_len */ + #if defined(MAC_BIBA) || defined(MAC_MLS) + KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, NULL, &saidx); + #else KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); + #endif LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) *************** *** 5452,5459 **** --- 5591,5603 ---- src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; + /* MACXXX ??? 
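Review bot: `(struct sabd_sens *)` in the key_add hunk is a typo for `struct sadb_sens`: it declares a fresh incomplete type in the cast and then passes an incompatible pointer to `key_parse_sens_label`, which older gcc only warns about, so it slips through while the matching cast in key_update is spelled correctly. Fix it: `sls = key_parse_sens_label((struct sadb_sens *)mhp->ext[SADB_EXT_SENSITIVITY]);`. As in key_update, a NULL return from `key_parse_sens_label` silently turns the request into an unlabelled one, and the bitmap the macro allocates into the local `saidx` is not freed when `key_getsah` finds an existing header. key_add starts and ends outside this hunk.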
*/ /* XXX boundary check against sa_len */ + #if defined(MAC_BIBA) || defined(MAC_MLS) + KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, NULL, &saidx); + #else KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); + #endif /* get a SA header */ LIST_FOREACH(sah, &sahtree, chain) { *************** *** 5896,5901 **** --- 6040,6053 ---- /* XXX sensitivity (optional) */ + /*m = key_setsadbsens(SADB_EXT_ADDRESS_DST, + NULL); + if (!m) { + error = ENOBUFS; + goto fail; + } + m_cat(result, m);*/ + /* create proposal/combination extension */ m = key_getprop(saidx); #if 0 *************** *** 6061,6066 **** --- 6213,6221 ---- const struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; + #if defined(MAC_BIBA) || defined(MAC_MLS) + struct sens_lvl_spec *sls = NULL; + #endif u_int16_t proto; int error; *************** *** 6132,6139 **** --- 6287,6302 ---- src0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_SRC]; dst0 = (struct sadb_address *)mhp->ext[SADB_EXT_ADDRESS_DST]; + /* MACXXX ??? */ + #if defined(MAC_BIBA) || defined(MAC_MLS) + if(mhp->ext[SADB_EXT_SENSITIVITY]) + sls = key_parse_sens_label((struct sadb_sens *)mhp->ext[SADB_EXT_SENSITIVITY]); + KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, sls, &saidx); + key_free_sls(sls); + #else /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); + #endif /* get a SA index */ LIST_FOREACH(sah, &sahtree, chain) { *************** *** 6770,6776 **** if (m == NULL || so == NULL) panic("key_parse: NULL pointer is passed.\n"); ! #if 0 /*kdebug_sadb assumes msg in linear buffer*/ KEYDEBUG(KEYDEBUG_KEY_DUMP, ipseclog((LOG_DEBUG, "key_parse: passed sadb_msg\n")); kdebug_sadb(msg)); --- 6933,6939 ---- if (m == NULL || so == NULL) panic("key_parse: NULL pointer is passed.\n"); ! 
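Review bot: The `KEY_SETSECASIDX(..., sls, &saidx)` call allocates `saidx.sls.sens_bitmap` through `key_setsecasidx_sls`, and `saidx` is a local of this function, yet nothing releases that buffer before the function returns; `key_free_sls(sls)` only frees the parsed copy. Add the release on every exit after this point (`if (saidx.sls.sens_bitmap) KFREE(saidx.sls.sens_bitmap);`), or better, give key.c a `key_clear_secasidx_sls(struct secasindex *)` helper used by every caller that builds a temporary index — key_update and key_add in this patch have the same leak. The enclosing function starts and ends outside this hunk.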
#if 1 /*kdebug_sadb assumes msg in linear buffer*/ KEYDEBUG(KEYDEBUG_KEY_DUMP, ipseclog((LOG_DEBUG, "key_parse: passed sadb_msg\n")); kdebug_sadb(msg)); *************** *** 7460,7462 **** --- 7623,7792 ---- return m; } + + #if defined(MAC_MLS) || defined(MAC_BIBA) + + /* + * set data into sadb_sens. + * key_setsadbsens(SADB_EXT_SENSITIVITY, (struct sens_lvl_spec *)sav->sls); + */ + static struct mbuf * + key_setsadbsens(exttype, sls) + u_int16_t exttype; + struct sens_lvl_spec *sls; + { + struct mbuf *m; + struct sadb_sens *p; + size_t len; + + len = PFKEY_ALIGN8(sizeof(struct sadb_sens)) + + PFKEY_ALIGN8(sls->sens_len + sls->integ_len); + m = key_alloc_mbuf(len); + if (!m || m->m_next) { /*XXX*/ + if (m) + m_freem(m); + return NULL; + } + + p = mtod(m, struct sadb_sens *); + + bzero(p, len); + /**** XXX ****/ + + p->sadb_sens_len = PFKEY_UNIT64(len); + p->sadb_sens_exttype = exttype; + p->sadb_sens_dpd = sls->dpd; + p->sadb_sens_sens_level = sls->sens_level; + p->sadb_sens_sens_len = sls->sens_len; + p->sadb_sens_integ_level = sls->integ_level; + p->sadb_sens_integ_len = sls->integ_len; + p->sadb_sens_reserved = 0; + + /********** XXX *****************/ + /* + * sens_bitmap and integ_bitmap are allocated in continious region + * so i just copy data from sens_bitmap pointer with the length of + * sens_bitmap and integ_bitmap. Maybe it is wrong! 
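Review bot: Flipping `#if 0` to `#if 1` enables a `kdebug_sadb(msg)` call whose own comment says the dumper assumes a linear buffer, while `m` here is an mbuf chain from the PF_KEY socket. In the upstream key_parse `msg` is only assigned from `mtod()` after the `m_pullup` that follows this point; if that is still the case here, the call dereferences an unassigned pointer whenever `key_debug_level` includes KEYDEBUG_KEY_DUMP, and even with a valid `msg` the walk can run past the first mbuf. Keep the block disabled, or move the dump below the point where key_parse has linearised a multi-mbuf message. key_parse starts and ends outside this hunk.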
+ */ + /* Should be bcopy, but there is no compartments right now + bcopy((caddr_t)sls->sens_bitmap, + mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_sens)), + sls->sens_len + sls->integ_len); + */ + bzero( mtod(m, caddr_t) + PFKEY_ALIGN8(sizeof(struct sadb_sens)), + sls->sens_len + sls->integ_len); + + return m; + } + + + /* This function parse sadb_sens message into sens_lvl_spec struct */ + struct sens_lvl_spec * key_parse_mbuf_label(m) + struct mbuf *m; + { + struct sens_lvl_spec *sls; + + KMALLOC(sls, struct sens_lvl_spec *, sizeof(struct sens_lvl_spec)); + if(sls == NULL) + return NULL; + sls->dpd = 0xFFFFFFFF; /* MACXXX FreeBSD default */ + /* MAC label should be SINGLE. I don't know how to handle ranges, + * because IPSec doesn't have such primitive + */ + if(m->m_pkthdr.label.m_mls.mm_single.mme_type == MAC_MLS_TYPE_LEVEL) + sls->sens_level = m->m_pkthdr.label.m_mls.mm_single.mme_level; + else + sls->sens_level = 0; + if(m->m_pkthdr.label.m_biba.mb_single.mbe_type == MAC_BIBA_TYPE_GRADE) + sls->integ_level = m->m_pkthdr.label.m_biba.mb_single.mbe_grade; + else + sls->integ_level = 0; + sls->sens_len = sls->integ_len = 4; /* MACXXX: DIRTY HACK !!! 
*/ + sls->integ_bitmap = sls->sens_bitmap = NULL; + + KMALLOC(sls->sens_bitmap , caddr_t, sls->sens_len + sls->integ_len); + if(sls->sens_bitmap == NULL) { + key_free_sls(sls); + return NULL; + } + + /* Should be compartments processing here */ + bzero((caddr_t)sls->sens_bitmap, sls->sens_len + sls->integ_len); + sls->integ_bitmap = sls->sens_bitmap + sls->sens_len; + + return (sls); + + } + + struct sens_lvl_spec * key_parse_sens_label(sens) + struct sadb_sens *sens; + { + struct sens_lvl_spec *sls; + + KMALLOC(sls, struct sens_lvl_spec *, sizeof(struct sens_lvl_spec)); + if(sls == NULL) + return NULL; + sls->dpd = sens->sadb_sens_dpd; + sls->sens_level = sens->sadb_sens_sens_level; + sls->sens_len = sens->sadb_sens_sens_len; + sls->integ_level = sens->sadb_sens_integ_level; + sls->integ_len = sens->sadb_sens_integ_len; + sls->integ_bitmap = sls->sens_bitmap = NULL; + + KMALLOC(sls->sens_bitmap , caddr_t, sls->sens_len + sls->integ_len); + if(sls->sens_bitmap == NULL) { + key_free_sls(sls); + return NULL; + } + + /* Should be bcopy, but there is no compartments right now + bcopy((caddr_t)sens + sizeof(struct sadb_sens), + (caddr_t)sls->sens_bitmap, sls->sens_len + sls->integ_len); + */ + bzero((caddr_t)sls->sens_bitmap, sls->sens_len + sls->integ_len); + sls->integ_bitmap = sls->sens_bitmap + sls->sens_len; + + return (sls); + + } + + int key_setsecasidx_sls(idx, sls) + struct secasindex *idx; + struct sens_lvl_spec *sls; + { + if(sls) { /* sls is not NULL */ + idx->sls.dpd = sls->dpd; + idx->sls.sens_level = sls->sens_level; + idx->sls.sens_len = sls->sens_len; + idx->sls.integ_level = sls->integ_level; + idx->sls.integ_len = sls->integ_len; + KMALLOC(idx->sls.sens_bitmap , caddr_t, sls->sens_len + + sls->integ_len); + + if(idx->sls.sens_bitmap == NULL) { + ipseclog((LOG_DEBUG, + "key_setsecasidx: No more memory.\n")); + panic("key_setsecasidx()"); + } + /* Should be bcopy, but there is no compartments right now + bcopy((caddr_t)sls->sens_bitmap, 
(caddr_t)idx->sls.sens_bitmap, + idx->sls.sens_len + idx->sls.integ_len); + */ + bzero( (caddr_t)idx->sls.sens_bitmap, + idx->sls.sens_len + idx->sls.integ_len); + idx->sls.integ_bitmap = idx->sls.sens_bitmap + + idx->sls.sens_len; + } else /* if sls is NULL */ + idx->sls.dpd = 0; + return 0; + } + + void key_free_sls(sls) + struct sens_lvl_spec *sls; + { + if(sls) { + KFREE(sls->sens_bitmap); + KFREE(sls); + } + } + #endif Index: sys/netkey/key_debug.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netkey/key_debug.c,v retrieving revision 1.1 diff -c -r1.1 key_debug.c *** sys/netkey/key_debug.c 12 Dec 2001 09:34:58 -0000 1.1 --- sys/netkey/key_debug.c 28 Feb 2002 12:53:44 -0000 *************** *** 34,39 **** --- 34,40 ---- #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" + #include "opt_mac.h" #endif #include *************** *** 136,141 **** --- 137,143 ---- kdebug_sadb_identity(ext); break; case SADB_EXT_SENSITIVITY: + kdebug_sadb_sens(ext); break; case SADB_EXT_PROPOSAL: kdebug_sadb_prop(ext); *************** *** 745,747 **** --- 747,767 ---- return; } + + void + kdebug_sadb_sens(ext) + struct sadb_ext *ext; + { + struct sadb_sens *sens = (struct sadb_sens *)ext; + + /* sanity check */ + if (ext == NULL) + panic("kdebug_sadb_sens: NULL pointer was passed.\n"); + + printf("IPSec sensitivity bitmaps { "); + ipsec_hexdump((caddr_t)sens + sizeof(struct sadb_sens), + sens->sadb_sens_sens_len + sens->sadb_sens_integ_len); + printf(" }\n"); + return; + } + Index: sys/netkey/key_debug.h =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netkey/key_debug.h,v retrieving revision 1.1 diff -c -r1.1 key_debug.h *** sys/netkey/key_debug.h 12 Dec 2001 09:34:58 -0000 1.1 --- sys/netkey/key_debug.h 27 Feb 2002 13:48:50 -0000 *************** *** 63,68 **** --- 63,69 ---- struct sadb_ext; extern void 
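Review bot: `key_parse_sens_label` copies `sadb_sens_sens_len` and `sadb_sens_integ_len` straight from the userland extension without checking that the header plus both bitmaps fit inside `sadb_sens_len`; today the bitmaps are only `bzero`ed, but the commented-out `bcopy` this is waiting for would read past the extension, and the lengths already flow into `key_setsadbsens` and the debug dumpers, which size their output from them. Reject oversized counts up front: `if (PFKEY_UNUNIT64(sens->sadb_sens_len) < sizeof(*sens) + sens->sadb_sens_sens_len + sens->sadb_sens_integ_len) return NULL;`. `key_setsecasidx_sls` should return ENOBUFS rather than `panic()` on KMALLOC failure, and the hard-coded `dpd = 0xFFFFFFFF` and `sens_len = integ_len = 4` in `key_parse_mbuf_label` need a comment saying they are placeholders until compartments are carried, not a bare "DIRTY HACK". This hunk runs to the end of key.c.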
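Review bot: `kdebug_sadb_sens` hexdumps `sadb_sens_sens_len + sadb_sens_integ_len` bytes after the header but never compares that sum with the extension's `sadb_sens_len`, so a crafted SADB_EXT_SENSITIVITY on a PF_KEY socket makes the kernel dump memory past the message whenever key debugging is enabled. Clamp it: `len = PFKEY_UNUNIT64(sens->sadb_sens_len) - sizeof(*sens);` and `if (n > len) n = len;` before the hexdump (or print a "bad length" line when the sum exceeds `len`). The NULL-pointer `panic` matches the other kdebug_* helpers and is fine as is.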
kdebug_sadb __P((struct sadb_msg *)); extern void kdebug_sadb_x_policy __P((struct sadb_ext *)); + extern void kdebug_sadb_sens __P((struct sadb_ext *)); #ifdef _KERNEL struct secpolicy; Index: sys/netkey/keydb.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netkey/keydb.c,v retrieving revision 1.1 diff -c -r1.1 keydb.c *** sys/netkey/keydb.c 12 Dec 2001 09:34:58 -0000 1.1 --- sys/netkey/keydb.c 28 Feb 2002 12:53:56 -0000 *************** *** 32,37 **** --- 32,38 ---- #include "opt_inet.h" #include "opt_inet6.h" + #include "opt_mac.h" #include #include Index: sys/netkey/keydb.h =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netkey/keydb.h,v retrieving revision 1.1 diff -c -r1.1 keydb.h *** sys/netkey/keydb.h 12 Dec 2001 09:34:58 -0000 1.1 --- sys/netkey/keydb.h 28 Feb 2002 12:54:30 -0000 *************** *** 37,42 **** --- 37,56 ---- #include + #if defined(MAC_MLS) || defined(MAC_BIBA) + /* Sensitivity Level Specification */ + /* If dpd = 0, sensitivity is not used */ + struct sens_lvl_spec { + u_int32_t dpd; + u_int8_t sens_level; + u_int8_t sens_len; + caddr_t sens_bitmap; + u_int8_t integ_level; + u_int8_t integ_len; + caddr_t integ_bitmap; + }; + #endif /* MAC_MLS || MAC_BIBA */ + /* Security Assocciation Index */ /* NOTE: Ensure to be same address family */ struct secasindex { *************** *** 46,51 **** --- 60,68 ---- u_int8_t mode; /* mode of protocol, see ipsec.h */ u_int32_t reqid; /* reqid id who owned this SA */ /* see IPSEC_MANUAL_REQID_MAX. 
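Review bot: `struct sens_lvl_spec` embeds two heap pointers into `struct secasindex`, which the rest of key.c treats as a plain value (stack temporaries, copied into the `secashead` on creation as key_newsah does upstream, compared with `key_cmpsaidx`), so every copy of an index silently aliases one `sens_bitmap` allocation and it is easy to free it twice or leak it — key_delsah frees it, the temporaries in key_update, key_add and ipsec4_output never do. Since `sens_len` and `integ_len` are `u_int8_t`, each bitmap is at most 255 bytes; consider inline arrays in the struct, or at least a comment stating who owns the pointers and that `integ_bitmap` always points into the `sens_bitmap` allocation. Because the member is conditional on MAC_MLS/MAC_BIBA, `sizeof(struct secasindex)` differs between kernel configurations, which anything outside the kernel that includes this header needs to be aware of.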
*/ + #if defined(MAC_MLS) || defined(MAC_BIBA) + struct sens_lvl_spec sls; /* Sensivity level specification */ + #endif }; /* Security Association Data Base */ *************** *** 128,134 **** }; #endif - /* Sensitivity Level Specification */ /* nothing */ #define SADB_KILL_INTERVAL 600 /* six seconds */ --- 145,150 ---- Index: sys/netkey/keysock.c =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/sys/netkey/keysock.c,v retrieving revision 1.1 diff -c -r1.1 keysock.c *** sys/netkey/keysock.c 12 Dec 2001 09:34:58 -0000 1.1 --- sys/netkey/keysock.c 27 Feb 2002 13:48:50 -0000 *************** *** 31,36 **** --- 31,37 ---- */ #include "opt_ipsec.h" + #include "opt_mac.h" /* This code has derived from sys/net/rtsock.c on FreeBSD2.2.5 */ Index: usr.sbin/setkey/parse.y =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/usr.sbin/setkey/parse.y,v retrieving revision 1.1 diff -c -r1.1 parse.y *** usr.sbin/setkey/parse.y 12 Dec 2001 09:44:54 -0000 1.1 --- usr.sbin/setkey/parse.y 1 Mar 2002 09:01:26 -0000 *************** *** 33,38 **** --- 33,39 ---- %{ #include #include + #include #include #include *************** *** 65,70 **** --- 66,74 ---- u_int p_key_enc_len, p_key_auth_len; caddr_t p_key_enc, p_key_auth; time_t p_lt_hard, p_lt_soft; + caddr_t p_sens_label_text; + mac_t p_sens_label; + u_int p_sens_label_len; u_int p_policy_len; char *p_policy; *************** *** 107,112 **** --- 111,117 ---- %token F_EXT EXTENSION NOCYCLICSEQ %token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP %token F_LIFETIME_HARD F_LIFETIME_SOFT + %token F_SENS %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY /* SPD management */ %token SPDADD SPDDELETE SPDDUMP SPDFLUSH *************** *** 407,412 **** --- 412,425 ---- } | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; } | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; } + | F_SENS label_string + ; + 
+ label_string + : QUOTEDSTRING + { + p_sens_label_text = $1.buf; + } ; /* definition about command for SPD management */ *************** *** 683,688 **** --- 696,758 ---- memcpy(m_buf + m_len, &m_lt, len); m_len += len; } + + /* If we've got correct sensivity label, then we will set it! + * sensc - sensitivity compartments, should be in mac_t + * integc - integrity compartments, should be in mac_t + * slen - length of sensitivity compartments field. bogus + * ilen - length of integrity compartments field. bogus + * All this values should be changed, when we'll got the real compartment mode + * support in all labels. Should also check correctness of label, but do not do + * so right now - BUG XXX !!! + */ + if (p_sens_label_text != NULL) { + struct sadb_sens m_sens; + u_char buf[64]; + u_int32_t sensc, integc; + u_int len, slen, ilen, i; + + p_sens_label = mac_from_text(p_sens_label_text); + if(p_sens_label == NULL) + perror("can't decode sensivity label"); + else { + sensc = htonl(0x01234567); + integc = htonl(0x89ABCDEF); + slen = sizeof(sensc); + ilen = sizeof(integc); + len = sizeof(m_sens) + PFKEY_ALIGN8(slen) + + PFKEY_ALIGN8(ilen); + + memcpy(buf, &sensc, slen); + memcpy(buf + PFKEY_ALIGN8(slen), &integc, ilen); + + bzero(buf,sizeof(buf)); /* XXX !!! 
*/ + + m_sens.sadb_sens_len = PFKEY_UNIT64(len); + m_sens.sadb_sens_exttype = SADB_EXT_SENSITIVITY; + m_sens.sadb_sens_dpd = 0xFFFFFFFF; + if(p_sens_label->m_mls.mm_single.mme_type == + MAC_MLS_TYPE_LEVEL) + m_sens.sadb_sens_sens_level = + p_sens_label->m_mls.mm_single.mme_level; + else + m_sens.sadb_sens_sens_level = 0; + m_sens.sadb_sens_sens_len = PFKEY_ALIGN8(slen); + if(p_sens_label->m_biba.mb_single.mbe_type == + MAC_BIBA_TYPE_GRADE) + m_sens.sadb_sens_integ_level = + p_sens_label->m_biba.mb_single.mbe_grade; + else + m_sens.sadb_sens_integ_level = 0; + m_sens.sadb_sens_integ_len = PFKEY_ALIGN8(ilen); + m_sens.sadb_sens_reserved = 0; + + setvarbuf(&m_len, + (struct sadb_ext *)&m_sens, sizeof(m_sens), + (caddr_t)buf, + PFKEY_ALIGN8(slen) + PFKEY_ALIGN8(ilen)); + } + } /* FALLTHROUGH */ case SADB_DELETE: *************** *** 915,920 **** --- 985,993 ---- p_policy_len = 0; p_policy = NULL; + p_sens_label_text = NULL; + p_sens_label = NULL; + memset(cmdarg, 0, sizeof(cmdarg)); return; *************** *** 927,932 **** --- 1000,1007 ---- if (p_dst) free(p_dst); if (p_key_enc) free(p_key_enc); if (p_key_auth) free(p_key_auth); + if (p_sens_label) mac_free(p_sens_label); + if (p_sens_label_text) mac_free(p_sens_label_text); return; } Index: usr.sbin/setkey/setkey.8 =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/usr.sbin/setkey/setkey.8,v retrieving revision 1.1 diff -c -r1.1 setkey.8 *** usr.sbin/setkey/setkey.8 12 Dec 2001 09:44:54 -0000 1.1 --- usr.sbin/setkey/setkey.8 27 Feb 2002 13:48:50 -0000 *************** *** 275,280 **** --- 275,283 ---- .It Fl lh Ar time .It Fl ls Ar time Specify hard/soft life time duration of the SA. + .\" + .It Fl s Ar maclabel + Specify maclabel for this SA. 
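Review bot: `bzero(buf, sizeof(buf))` immediately after the two `memcpy`s wipes the compartment words just placed in `buf`, so the message always carries zeroed bitmaps and the `sensc`/`integc` placeholders are dead code; if zeroing is intended until the kernel understands compartments, remove the memcpys and say so in the comment instead of keeping both. More importantly, when `mac_from_text` fails the code only `perror()`s and then falls through to build and send the SADB_ADD with no sensitivity extension, so a typo in `-s` yields a silently unlabelled SA — treat it as a hard error that aborts the command like other parse failures. The `perror` text also misspells "sensitivity". This block sits inside a switch whose beginning and end are outside the hunk.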
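Review bot: `mac_free(p_sens_label_text)` applies the `mac_t` destructor to a plain string buffer that came from the lexer's QUOTEDSTRING (`$1.buf`), not from `mac_from_text`; only `p_sens_label` is a `mac_t`. Release the text the way the other lexer-owned strings in this function are released, `if (p_sens_label_text) free(p_sens_label_text);`, assuming `$1.buf` is heap-allocated like `p_src` and `p_dst`. `p_sens_label_len` is declared by this patch but never assigned or read; drop it or initialise it with the other fields in the reset hunk above.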
.El .\" .Pp *************** *** 617,622 **** --- 620,626 ---- .\" .Sh SEE ALSO .Xr ipsec_set_policy 3 , + .Xr mac_text 3 , .Xr racoon 8 , .Xr sysctl 8 .\" Index: usr.sbin/setkey/token.l =================================================================== RCS file: /mnt/cvs/TrustedBSD/projects/trustedbsd/mac/usr.sbin/setkey/token.l,v retrieving revision 1.1 diff -c -r1.1 token.l *** usr.sbin/setkey/token.l 12 Dec 2001 09:44:54 -0000 1.1 --- usr.sbin/setkey/token.l 27 Feb 2002 13:48:50 -0000 *************** *** 203,208 **** --- 203,209 ---- {hyphen}r { PREPROC; return(F_REPLAY); } {hyphen}lh { PREPROC; return(F_LIFETIME_HARD); } {hyphen}ls { PREPROC; return(F_LIFETIME_SOFT); } + {hyphen}s { PREPROC; return(F_SENS); } /* ... */ any { PREPROC; return(ANY); }