[Midnightbsd-cvs] src: sys/netinet6: IPV6 and arc4random
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sat Jan 10 21:40:55 EST 2009
Log Message:
-----------
IPV6 and arc4random
Modified Files:
--------------
src/sys/dev/random:
randomdev.c (r1.2 -> r1.3)
randomdev_soft.c (r1.4 -> r1.5)
src/sys/netinet6:
in6.h (r1.5 -> r1.6)
in6_proto.c (r1.4 -> r1.5)
nd6.h (r1.3 -> r1.4)
nd6_nbr.c (r1.3 -> r1.4)
-------------- next part --------------
Index: randomdev.c
===================================================================
RCS file: /home/cvs/src/sys/dev/random/randomdev.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -L sys/dev/random/randomdev.c -L sys/dev/random/randomdev.c -u -r1.2 -r1.3
--- sys/dev/random/randomdev.c
+++ sys/dev/random/randomdev.c
@@ -90,6 +90,7 @@
&& (securelevel_gt(td->td_ucred, 0) == 0)) {
(*random_systat.reseed)();
random_systat.seeded = 1;
+ arc4rand(NULL, 0, 1); /* Reseed arc4random as well. */
}
return (0);
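Review bot: The added `arc4rand(NULL, 0, 1);` is placed after `random_systat.seeded = 1;` and after the `(*random_systat.reseed)()` call returns, and with this commit that hook becomes random_yarrow_flush_reseed, which sleeps until the harvest queues have been drained; since the arc4random reseed presumably takes its key material from the random device, this ordering is what makes it see the freshly mixed pool, and the one-line comment should say so, e.g. `/* Reseed arc4random as well; must follow the (now blocking) Yarrow reseed and seeded = 1. */`. Because the hook now pauses, it is worth confirming that this call site is not reached with a non-sleepable lock held. The reseed stays gated by the unchanged securelevel check on the line above; the enclosing function begins before the hunk and its closing brace is outside it.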
Index: randomdev_soft.c
===================================================================
RCS file: /home/cvs/src/sys/dev/random/randomdev_soft.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -L sys/dev/random/randomdev_soft.c -L sys/dev/random/randomdev_soft.c -u -r1.4 -r1.5
--- sys/dev/random/randomdev_soft.c
+++ sys/dev/random/randomdev_soft.c
@@ -61,6 +61,7 @@
u_int, u_int, enum esource);
static int random_yarrow_poll(int event,struct thread *td);
static int random_yarrow_block(int flag);
+static void random_yarrow_flush_reseed(void);
struct random_systat random_yarrow = {
.ident = "Software, Yarrow",
@@ -70,7 +71,7 @@
.read = random_yarrow_read,
.write = random_yarrow_write,
.poll = random_yarrow_poll,
- .reseed = random_yarrow_reseed,
+ .reseed = random_yarrow_flush_reseed,
.seeded = 1,
};
@@ -96,7 +97,7 @@
/* Harvested entropy */
static struct entropyfifo harvestfifo[ENTROPYSOURCE];
-/* <0 to end the kthread, 0 to let it run */
+/* <0 to end the kthread, 0 to let it run, 1 to flush the harvest queues */
static int random_kthread_control = 0;
static struct proc *random_kthread_proc;
@@ -241,7 +242,7 @@
local_count = 0;
/* Process until told to stop */
- for (; random_kthread_control == 0;) {
+ for (; random_kthread_control >= 0;) {
active = 0;
@@ -276,6 +277,13 @@
KASSERT(local_count == 0, ("random_kthread: local_count %d",
local_count));
+ /*
+ * If a queue flush was commanded, it has now happened,
+ * and we can mark this by resetting the command.
+ */
+ if (random_kthread_control == 1)
+ random_kthread_control = 0;
+
/* Found nothing, so don't belabour the issue */
if (!active)
pause("-", hz / 10);
@@ -400,3 +408,15 @@
return error;
}
+
+/* Helper routine to perform explicit reseeds */
+static void
+random_yarrow_flush_reseed(void)
+{
+ /* Command a entropy queue flush and wait for it to finish */
+ random_kthread_control = 1;
+ while (random_kthread_control)
+ pause("-", hz / 10);
+
+ random_yarrow_reseed();
+}
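Review bot: random_yarrow_flush_reseed can wait forever, because the only place random_kthread_control is reset from 1 to 0 is inside the kthread loop (the @@ -276 hunk), and the loop condition changed in the @@ -241 hunk exits once the value is negative; if a stop (negative value) has been commanded elsewhere — that path is not in this diff — or the kthread has already exited, the assignment `random_kthread_control = 1;` either overwrites the stop command or is never acknowledged, and the caller spins in the pause() loop. A guard and a stricter loop test cover both cases: `if (random_kthread_control < 0) return;` before the assignment, and `while (random_kthread_control > 0)` in place of `while (random_kthread_control)`. The flag is also a plain static int shared between the kthread and the reseeding thread with no lock or atomic; pause() is an opaque call so the compiler reloads it, but the 1 -> 0 handshake has no memory ordering beyond that, which the comment should state. The comment `/* Command a entropy queue flush and wait for it to finish */` should read `an entropy`.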
Index: in6_proto.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6_proto.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -L sys/netinet6/in6_proto.c -L sys/netinet6/in6_proto.c -u -r1.4 -r1.5
--- sys/netinet6/in6_proto.c
+++ sys/netinet6/in6_proto.c
@@ -393,6 +393,7 @@
#ifdef IPSTEALTH
int ip6stealth = 0;
#endif
+int nd6_onlink_ns_rfc4861 = 0; /* allow 'on-link' nd6 NS (as in RFC 4861) */
/* icmp6 */
/*
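Review bot: The comment on `int nd6_onlink_ns_rfc4861 = 0;` describes only the enabled state, yet 0 is the default and it is the value that activates the non-neighbor NS check in nd6_nbr.c (the `else if (!nd6_onlink_ns_rfc4861)` branch), so the comment should spell out both states and the default, e.g. `/* 0 (default): reject NS from non-neighbors; 1: accept 'on-link' NS as RFC 4861 allows */`. The sysctl added in the later hunk of this file exposes the knob under net.inet6.icmp6, so the comment is the only place a reader of this file learns what the restrictive default does.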
@@ -566,3 +567,6 @@
nd6_maxnudhint, CTLFLAG_RW, &nd6_maxnudhint, 0, "");
SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_DEBUG,
nd6_debug, CTLFLAG_RW, &nd6_debug, 0, "");
+SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_ONLINKNSRFC4861,
+ nd6_onlink_ns_rfc4861, CTLFLAG_RW, &nd6_onlink_ns_rfc4861, 0,
+ "Accept 'on-link' nd6 NS in compliance with RFC 4861.");
Index: in6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/in6.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -L sys/netinet6/in6.h -L sys/netinet6/in6.h -u -r1.5 -r1.6
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
@@ -600,7 +600,9 @@
/* New entries should be added here from current IPV6CTL_MAXID value. */
/* to define items, should talk with KAME guys first, for *BSD compatibility */
#define IPV6CTL_STEALTH 45
-#define IPV6CTL_MAXID 46
+
+#define ICMPV6CTL_ND6_ONLINKNSRFC4861 47
+#define IPV6CTL_MAXID 48
#endif /* __BSD_VISIBLE */
/*
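Review bot: ICMPV6CTL_ND6_ONLINKNSRFC4861 takes the value 47 inside the IPV6CTL_ numbering block and IPV6CTL_MAXID jumps from 46 to 48, leaving 46 unassigned with no explanation, while the sysctl that uses this id (in6_proto.c) is registered under _net_inet6_icmp6 rather than the ip6 MIB. If the id is deliberately numbered in the IPV6CTL space, for the *BSD compatibility the comment two lines above asks for, say so next to the define: `/* 46 reserved; 47 is an icmp6 knob numbered in the IPV6CTL space for *BSD compatibility */`. Whether icmp6.h keeps its own ICMPV6CTL_MAXID or a sysctl name table that would also need updating is not visible in this diff and is worth checking.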
Index: nd6_nbr.c
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6_nbr.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -L sys/netinet6/nd6_nbr.c -L sys/netinet6/nd6_nbr.c -u -r1.3 -r1.4
--- sys/netinet6/nd6_nbr.c
+++ sys/netinet6/nd6_nbr.c
@@ -144,6 +144,24 @@
"(wrong ip6 dst)\n"));
goto bad;
}
+ } else if (!nd6_onlink_ns_rfc4861) {
+ struct sockaddr_in6 src_sa6;
+
+ /*
+ * According to recent IETF discussions, it is not a good idea
+ * to accept a NS from an address which would not be deemed
+ * to be a neighbor otherwise. This point is expected to be
+ * clarified in future revisions of the specification.
+ */
+ bzero(&src_sa6, sizeof(src_sa6));
+ src_sa6.sin6_family = AF_INET6;
+ src_sa6.sin6_len = sizeof(src_sa6);
+ src_sa6.sin6_addr = saddr6;
+ if (!nd6_is_addr_neighbor(&src_sa6, ifp)) {
+ nd6log((LOG_INFO, "nd6_ns_input: "
+ "NS packet from non-neighbor\n"));
+ goto bad;
+ }
}
if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
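Review bot: The comment at `/* According to recent IETF discussions ... */` is stale relative to the new knob: it predates RFC 4861, which the sysctl name and its description in in6_proto.c cite, and it does not tell the reader that the rejection below is the default behaviour (nd6_onlink_ns_rfc4861 is initialised to 0) or which sysctl relaxes it. Suggest a comment that names the knob, e.g. `/* Unless net.inet6.icmp6.nd6_onlink_ns_rfc4861 is set, reject a NS whose source is not a neighbor on this interface, even though RFC 4861 would accept it. */`. The src_sa6 setup could be a designated initializer in place of bzero() plus three assignments, but that is a style preference. nd6_ns_input starts and ends outside the hunk.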
Index: nd6.h
===================================================================
RCS file: /home/cvs/src/sys/netinet6/nd6.h,v
retrieving revision 1.3
retrieving revision 1.4
diff -L sys/netinet6/nd6.h -L sys/netinet6/nd6.h -u -r1.3 -r1.4
--- sys/netinet6/nd6.h
+++ sys/netinet6/nd6.h
@@ -340,6 +340,7 @@
extern struct nd_drhead nd_defrouter;
extern struct nd_prhead nd_prefix;
extern int nd6_debug;
+extern int nd6_onlink_ns_rfc4861;
#define nd6log(x) do { if (nd6_debug) log x; } while (/*CONSTCOND*/ 0)