Commit Graph

287 Commits

Author SHA1 Message Date
itojun e452bf6c6b save a little bit of CPU time (avoid computing CBC IV we do not use).
sync with kame.
2000-11-08 04:57:57 +00:00
itojun 47bce75f00 check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec
tunnel mode packet.  decapsulate only if we got a tunnel mode SA.
KAME PR 296.
2000-11-06 00:58:34 +00:00
itojun ef8a34f5c3 fix IPv4 TTL selection with AF_INET6 API. sync with kame. From: jdc 2000-11-06 00:50:12 +00:00
onoe e83458422f First Prototype implementation of network interface part for IEEE1394 (if_fw).
Current status:
	Only OHCI chip is supported (fwohci).
	ping (IPv4) works with Sony's implementation (SmartConnect) on Win98.
	sometimes works but not stable.
Not implemented yet:
	IRM (Isochronous Resource Manager) functionality.
	Link layer fragmentation.
	Topology map.
More to do:
	clean ups
	MCAP
	charactor device part
	dhcp

There is no entry in GENERIC config file yet.
Follow sys/dev/ieee1394/IMPLEMENTATION to enable if_fw.
2000-11-05 17:17:12 +00:00
itojun 731744bcc2 avoid possible align issue 2000-11-02 12:28:45 +00:00
itojun 9b55c15642 [13]des fix for big endian machines. from: shigeru@iij.ad.jp 2000-11-02 12:25:01 +00:00
itojun 73b4766cf2 do not panic on "ifconfig inet6 fe80::1 -alias". from Todd Fries.
KAME PR 295.
2000-10-28 03:46:21 +00:00
itojun cb1745c4f9 make IFA_STATS really work on IPv6. 2000-10-23 03:45:25 +00:00
itojun 9183e2dc4e remove #ifdef TCP6. it is not likely for us to bring in sys/netinet6/tcp6*.c
(separate TCP/IPv6 stack) into netbsd-current.
2000-10-19 20:22:59 +00:00
itojun d11a1f9bae kame 1.32 -> 1.33
in add_m6fc(), set interface list for all cases.
in response to a report from Hoerdt Mickael.

kame 1.31 -> 1.32
discard PIM register if the version of the inner packet is incorrect (i.e. IPv6)
(according to clarfication of recent discussion in the IETF pim ML)
2000-10-19 03:15:48 +00:00
itojun edd876a35d validate ICMPv6 too big message.
XXX too restrictive given frequent uses of sendto(2)
2000-10-19 01:14:13 +00:00
itojun 9288750911 memcpy -> bcopy, for sync with kame tree 2000-10-19 00:40:44 +00:00
itojun 23a03329ef verify ICMPv6 too big messages based on TCP pcbs, and/or IPsec SA.
TODO: udp6, and sendto consideration.  as pmtud is mandatory for IPv6,
it is rather important for us to support those cases.
TODO: more testing
TODO: kame sync
2000-10-18 21:14:12 +00:00
thorpej ea9b5a9106 Restructure the Path MTU Discovery code somewhat to avoid
entering rtentry's for hosts we're not actually communicating
with.

Do this by invoking the ctlinput for the protocol, which is
responsible for validating the ICMP message:
	* TCP -- Lookup the connection based on the address/port
	  pairs in the ICMP message.
	* AH/ESP -- Lookup the SA based on the SPI in the ICMP message.

If validation succeeds, ctlinput is responsible for calling
icmp_mtudisc().  icmp_mtudisc() then invokes callbacks registered
by protocols (such as TCP) which want to take some sort of special
action when a path's MTU changes.  For TCP, this is where we now
refresh cached routes and re-enter slow-start.

As a side-effect, this fixes the problem where TCP would not be
notified when a path's MTU changed if AH/ESP were being used.

XXX Note, this is only a fix for the IPv4 case.  For the IPv6
XXX case, we need to wait for the KAME folks.

Reviewed by sommerfeld@netbsd.org and itojun@netbsd.org.
2000-10-18 17:09:14 +00:00
itojun 3fe32f0197 use __P() in prototype for non-ansi compilers.
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>
(we don't ansify it for kame code sharing)
2000-10-17 21:46:42 +00:00
itojun d7a216bb96 suppress warning on nd6_storelladdr failure. the failure could happen
easily when we have routing table with too many entries.  sync with kame.
2000-10-15 15:39:11 +00:00
itojun 6e3a9bc311 validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system.  sync with kame.
2000-10-13 17:53:44 +00:00
itojun 8fa0e6b9f7 sync with kame ($KAME$) 2000-10-10 16:26:43 +00:00
enami 0b9cbefe70 Don't initialize TCP twice on v4/v6 dual stack kernel. 2000-10-10 13:25:28 +00:00
itojun 654a1d9555 remove obsolete handling code for SIOCSIFPHY*. they are now in ifioctl().
sync with kame.
2000-10-06 05:07:41 +00:00
itojun a6f9652adf always use rnd(4) for IPsec random number source. avoid random(9).
if there's no rnd(4), random(9) will be used with one-time warning printf(9).

XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
2000-10-05 04:49:17 +00:00
itojun dabed37e1c correct merge failure in key size validation. 2000-10-02 23:49:02 +00:00
itojun 89af64e5e3 remove #ifdef freebsd 2000-10-02 17:23:49 +00:00
itojun e9536f86fa add ESP rijndael logic. yet to be usable (until algorithm # is assigned) 2000-10-02 17:21:24 +00:00
itojun dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun b2366d4898 add missing \n. sync with kame. 2000-10-01 10:56:02 +00:00
itojun 8a9f93dc37 update ip compression algorithm lookup.
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net).  sync with kame
2000-09-26 08:40:23 +00:00
itojun 78f9775c35 do not hardcode maximum IV length. 2000-09-26 08:37:38 +00:00
itojun 2c8b266751 make ip6_ext available for non-IPv6 compilation
(needed for header chain parsing).  (redo of 1.25 -> 1.26)
2000-09-25 15:00:08 +00:00
martin 4e675359ad Make kernels with IPSec but without IPv6 compile again.
This may break IPPROTO_AH - someone with a clue should double-check
this, please.
2000-09-25 12:35:53 +00:00
itojun 89f53512af use real wallclock (got by microtime) to compute IPsec database lifetimes.
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun e0bb769d4e on ipsec policy lookup, do not try to lookup port numbers for forwarded packet.
sync with kame.
2000-09-22 05:50:23 +00:00
itojun aa5339554d cleanup ipsec policy lookup. specifically, repair the following cases:
- use of IPv4 mapped address on outbound socket
- explicit port numbers via sendto().
	old code grabbed port number from inpcb/in6pcb.
in the above case, old code failed to lookup ipsec policy (oops).
sync with kame.
2000-09-22 05:49:46 +00:00
itojun 10cc02200a - repair too strong assumption on mbuf chain.
- correct byte lifetime computation to conform to RFC2401 p23 (use
  packet BEFORE compression)
- stabilize deflate calls
- present error messages better
2000-09-21 20:28:52 +00:00
itojun 9c55bd3b1a repair infinite loop in ipcomp packet generation. oops. 2000-09-21 06:08:26 +00:00
itojun cb4931c8e7 repair cut-and-paste bug. from: francis dupont. sync with kame 2000-09-20 23:35:51 +00:00
itojun d2c6420404 do not inject empty mbuf to zlib. 2000-09-20 23:35:16 +00:00
itojun 3ad679d8fd call {de,in}flateEnd on failure, otherwise obsolete state will be kept. 2000-09-20 22:34:24 +00:00
itojun ffb333a57c plug mbuf leak (error case). need more investigation. 2000-09-20 21:43:52 +00:00
itojun e485f6527e pullup IPv6 and subsequent headers, on IPv6 IPsec transport mode input.
(not normally visited - we have switched to m_pulldown.  just for completeness)
2000-09-18 22:18:00 +00:00
itojun 303fcdf765 repair blowfish-cbc. BF_encrypt() takes value in host byteorder, yuck!
(no effect to 1.5 branch)
2000-09-18 21:57:35 +00:00
itojun 691fdbb4f0 kame sys/netinet6/icmp6.c 1.140 -> 1.144
>   in the check for the incoming redirect message, examine the gateway
>   (from the routing table) only when the address family of the gateway is
>   AF_INET6.
2000-09-16 10:12:22 +00:00
itojun 2192675fb1 move file static variable into auto variable, for better thread safety.
(not really required for big lock MP).  sync with kame
2000-09-09 16:15:47 +00:00
itojun f8481d085e add attribute(packed).
From: Alfred Perlstein <bright@wintelcom.net>
2000-09-09 11:42:22 +00:00
itojun dc23ec9971 add missing \n on log(). sync with kame 2000-08-31 07:35:44 +00:00
itojun 65fbdbe744 repair DES on LP64. past code did not interoperate with non-LP64, due to
incorrect computed results.
remove unnecessary #ifdef/#define.  sync with kame.
2000-08-31 07:33:04 +00:00
itojun 58c93e23cf LP64 fix (cast to u_long when printing size_t) 2000-08-30 14:58:33 +00:00
itojun 2af85c262b improve code sharing for esp_schedule(). add some diagnostics cases
for esp_cbc_{en,de}crypt().  sync with kame.
2000-08-29 11:32:21 +00:00
itojun 6fe60cce5f do not forward packets with unspecified source address (::).
this is clarification recently made to RFC2460.  sync with kame.
2000-08-29 09:19:43 +00:00
itojun bb8d535cc5 use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.

the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.

XXX: it looks that past blowfish-cbc code was buggy.  i ran some test pattern,
and new blowfish-cbc code looks more correct.  there's no interoperability
between the old code (before the commit) and the new code (after the commit).

XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00