Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
127,215 Commits 606 Branches 0 Tags 3.1 GiB
1c16a590ec
Commit Graph

788 Commits

Author SHA1 Message Date
mycroft
2dde0746b6 Do a jump optimization that eliminates some uninitialized variable warnings. 2003-10-29 10:12:43 +00:00
briggs
5a770ba2d8 Toggle the default value of ip6_v6only. Also provide a sample sysctl to 
retain the existing behavior.
 2003-10-28 06:31:28 +00:00
christos
59f2aab1ed fix uninitialized variables 2003-10-25 08:26:14 +00:00
itojun
ba71e93c60 backout previous (ENETREST special handlng) 2003-10-15 22:55:34 +00:00
itojun
90d92fe2d9 ignore ENETRESET on ADDMULTI 2003-10-15 22:16:35 +00:00
itojun
018cb094b4 ignore ENETRESET on ADDMULTI. 2003-10-15 22:15:25 +00:00
itojun
a8d71f892f define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame 2003-10-15 01:28:28 +00:00
itojun
40e6b63c60 fix endian bug in fragment header scanning. 2003-10-14 05:33:04 +00:00
itojun
b5b2092bce no need to clear mbuf flags here; sync w/kame 2003-10-03 22:08:26 +00:00
itojun
98d5598feb when dropping M_PKTHDR, need to free m_tag associated with it. 2003-10-03 20:56:11 +00:00
itojun
96fda496da use in6_{embed,recover}scope for scoped address manipulation 2003-10-03 08:46:15 +00:00
itojun
140276fde1 shouldn't check scope match when encapsulating packet into tunnel mode. 
iij seil team
 2003-10-03 04:30:31 +00:00
itojun
d451ef2606 do not deref state.ro if it is NULL 2003-10-02 19:32:41 +00:00
itojun
d83af104d4 correctly look at outer IPv6 header when forwarding packet into ipsec tunnel. 
iij seil team
 2003-10-02 12:13:44 +00:00
itojun
364f2d9e12 permit tunnel mode over link-local address. (outer header is link-local) 
iij seil team
 2003-10-02 10:01:11 +00:00
itojun
8184c3658f handle link-local address in ipsec6_tunnel_validate(). from iij seli team 2003-10-02 07:19:37 +00:00
christos
36b4e0b6e7 Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD 2003-09-30 00:01:18 +00:00
mycroft
ca96c7c4ec Remove some code that breaks AH tunnels completely. The comment describing 
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.

NB: This does not fix the fact that IPsec leaks "packet tags."
 2003-09-28 04:45:14 +00:00
wiz
cff5e477ad Process has only one c. From miod@openbsd. 2003-09-26 22:23:58 +00:00
itojun
cd71ebe2f7 mark security policy that should persist in the system "persistent". 
this should prevent recently-reported kernel panic when "spdflush" is issued.
 2003-09-22 04:47:43 +00:00
itojun
7fda10aea9 separate netkey/key* and netipsec/key* 2003-09-20 05:14:41 +00:00
itojun
ca549eaf98 exp is a reserved name under posix 2003-09-16 00:31:23 +00:00
itojun
94da0d16ac avoid overflow during multiply. David Laight 2003-09-15 23:38:20 +00:00
itojun
71c96a2bb4 correct ru_a/ru_b setup for 20bit case 2003-09-13 21:32:59 +00:00
itojun
8ee5969c3b change confusing filename 2003-09-12 11:21:36 +00:00
itojun
9f2c0659cd remove extra blank line 2003-09-12 07:58:25 +00:00
itojun
a84539ea9e make synchronization w/ PF tag support code easier 2003-09-12 07:53:29 +00:00
itojun
6371ddf557 make it possible to SADB_DUMP via sysctl. request by mrg 2003-09-12 07:38:10 +00:00
itojun
5125995b51 record socket * associated with secpolicy 2003-09-10 22:29:27 +00:00
itojun
494fe70198 lint 2003-09-09 11:39:14 +00:00
itojun
800fe5d178 - prepare for RFC2401bis 64bit sequence number (no behavior change yet) 
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c.  key.c is responsible for refcounting secasvar,
  keydb.c is responsible for alloc/free.
 2003-09-07 15:59:36 +00:00
itojun
bfa3dccfd7 prototype should have no variable name 2003-09-07 15:50:43 +00:00
itojun
5c9706bb41 correct seed generation. sync w/ kame 2003-09-06 13:47:09 +00:00
itojun
37c3c44062 fix comment, from kame 2003-09-06 13:30:40 +00:00
itojun
680540f194 committed by mistake, sorry 2003-09-06 04:20:57 +00:00
itojun
bce24b4a3e correct comment 2003-09-06 04:13:50 +00:00
itojun
b0b5b07f8a fix msb handling. from kame 2003-09-06 03:55:35 +00:00
itojun
32e3deae21 randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability 
of these fields.  ip_id.c is from openbsd.  ip6_id.c is adapted by kame.
 2003-09-06 03:36:30 +00:00
itojun
175c9afa3f clarify flowlabel handling 2003-09-06 03:12:51 +00:00
itojun
a245b3dc6d u_short -> u_int16_t. sync w/ kame. 
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
 2003-09-05 23:20:48 +00:00
itojun
95b95dbc37 call tcp_drain() if IPv4-less kernel 2003-09-05 01:35:08 +00:00
itojun
495906ca8e revamp inpcb/in6pcb so that they are more aligned with each other. 
in6pcb lookup now uses hash(9).
 2003-09-04 09:16:57 +00:00
itojun
19d8b9bfea don't use m_cat to mbuf of different types. KAME-PR-495 2003-09-04 03:07:33 +00:00
itojun
725b73043b simplify rijndael.c API - always schedule encrypt/decrypt key. 
reviewed by thorpej
 2003-08-27 14:23:25 +00:00
itojun
fb5acbcfc6 rijndael encryption context/scheduled key is assymmetric; need to setup two 
(one for encryption, one for decryption)
 2003-08-27 02:42:09 +00:00
thorpej
7b613a568e Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt() 
directly.  Reviewed by itojun.
 2003-08-27 00:08:31 +00:00
thorpej
6de9ce0437 Move the opencrypto CAST-128 implementation to crypto/cast128, removing 
the old one.  Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
 2003-08-26 16:37:36 +00:00
thorpej
2957d8dce6 Use the simplified rijndael API (which this was essentially a duplicate 
of).  XXX This file can now be merged into esp_core.c.
 2003-08-26 15:18:27 +00:00
itojun
356aebd768 g/c unused member. use in6p_ip6 more effectively. 2003-08-25 00:14:30 +00:00
itojun
9569786c95 deref member in in6p directly, don't rely on existence of macro 2003-08-25 00:11:52 +00:00
itojun
ff512e5035 don't commit value into ip6_ptkopts until the validation is done. 
(note: the code will be updated with 2292bis definition soon, hopefully)
 2003-08-25 00:10:27 +00:00
itojun
4e6aca94c2 correct missing inclusion of opt_ipsec.h 2003-08-22 22:11:44 +00:00
itojun
cabb25918f no need for opt_ipsec.h any longer 2003-08-22 22:05:11 +00:00
itojun
11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun
82eb4ce914 change the additional arg to be passed to ip{,6}_output to struct socket *. 
this fixes KAME policy lookup which was broken by the previous commit.
 2003-08-22 21:53:01 +00:00
itojun
9329caaf20 typo in log message 2003-08-22 21:50:42 +00:00
jonathan
e3ec783e41 (Accidentally-omitted change): update for ip6_output() to match commit below. 
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
 2003-08-22 20:49:03 +00:00
jonathan
9339ef0381 Change KAME code for ip_output()/ip6_output() to obtain struct socket* 
from the explicit inpcb*/in6pcb* argument.  set_socket() becomes redundant.
 2003-08-22 20:29:00 +00:00
jonathan
902669955f Replace the set_socket() method of passing an extra struct socket* 
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
 2003-08-22 20:20:09 +00:00
itojun
52f8075c5a allow userland to specify SPD ID. more readable debugging messages. 2003-08-22 06:22:21 +00:00
jonathan
28b5f5dfab (fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if 
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
 2003-08-15 03:42:00 +00:00
itojun
fd3f06dabb enforce ipsec policy on raw wildcard. 2003-08-14 07:57:40 +00:00
itojun
4d754cb259 in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped 
address.  PR kern/22431 from Andreas Gustafsson
 2003-08-13 04:59:34 +00:00
agc
aad01611e7 Move UCB-licensed code from 4-clause to 3-clause licence. 
Patches provided by Joel Baker in PR 22364, verified by myself.
 2003-08-07 16:26:28 +00:00
itojun
da53b9c28e make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame 2003-08-07 08:52:32 +00:00
itojun
256877974a m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen 
before m_cat call.  from Julian Coleman via kame.
 2003-08-06 14:47:32 +00:00
itojun
3236f238b3 increase AH_MAXSUMSIZE to 512/8, for hmac-sha2-512 2003-08-05 12:20:35 +00:00
itojun
d6c4b6beb6 minor KNF 2003-07-25 10:17:36 +00:00
itojun
969d6f5037 typo 2003-07-25 10:16:28 +00:00
itojun
1270423572 add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH), 
AES counter mode (ESP)
 2003-07-25 10:00:49 +00:00
itojun
4fc37746bf AES XCBC MAC (for AH) 
AES counter mode (for ESP)
 2003-07-25 09:48:17 +00:00
itojun
ee7d78825a comment typo, from markus@openbsd 2003-07-23 00:27:25 +00:00
itojun
c8ebadb000 unifdef -U_IP_VHL 2003-07-22 11:18:24 +00:00
itojun
0d84200c22 clear scheduled key before freeing, for safety 2003-07-22 08:54:27 +00:00
itojun
77283a8429 sha2 is needed for AH, not ESP 2003-07-22 03:26:16 +00:00
itojun
d64e1c8d6a add hmac-sha2 support. various cleanups (like avoid hardcoding '16'). 
from kame
 2003-07-22 03:24:23 +00:00
itojun
409ba7efc4 cosmetic 2003-07-22 03:21:21 +00:00
itojun
0445f65670 avoid assuming result buffer size in AH logic. sync w/kame 2003-07-20 18:01:41 +00:00
itojun
92a1800c4d due to previous type change, sav->schedlen never go negative. sync w/kame 2003-07-20 17:17:20 +00:00
itojun
d1931d3717 change ESP xx_schedlen() return type to size_t. sync w/kame 2003-07-20 03:24:03 +00:00
itojun
74182febed remove #if 0 portion 2003-07-18 06:45:33 +00:00
kleink
43694e8d74 assymetric -> asymmetric 2003-07-15 17:37:00 +00:00
itojun
7b74887942 rijndael is assymmetric, correction from markus@openbsd 2003-07-15 15:25:13 +00:00
itojun
281d9d13a5 simplify and update rijndael code. markus@openbsd 2003-07-15 11:00:36 +00:00
itojun
8e90cd9ce4 KNF 2003-07-12 15:16:50 +00:00
itojun
3eaa5b9c93 no longer needed (#define _KERNEL) 2003-07-12 15:12:45 +00:00
itojun
7649b12429 remove obsolete comment on the use of m_pullup 2003-07-09 04:05:59 +00:00
itojun
0463e41004 on interface detach, clear multicast forwarding table. from kame 2003-07-08 10:20:45 +00:00
itojun
91b11e1eba prototype must not have variable name 2003-07-08 07:13:50 +00:00
itojun
fc401b7586 fix missing check for taillen against pkthdr.len. markus@openbsd 2003-07-04 00:49:18 +00:00
itojun
022df20c75 minor KNF 2003-07-03 05:03:53 +00:00
itojun
d8976f36ac typo. found by markus@openbsd 2003-07-02 13:55:13 +00:00
itojun
2317e81b85 avoid ICMPv6 redirect if the packet filter rewrite dst addr to an address 
on the incoming interface.  cedric@openbsd
 2003-06-30 08:00:59 +00:00
itojun
842d3bee32 KNF 2003-06-30 03:30:50 +00:00
fvdl
d5aece61d6 Back out the lwp/ktrace changes. They contained a lot of colateral damage, 
and need to be examined and discussed more.
 2003-06-29 22:28:00 +00:00
darrenr
960df3c8d1 Pass lwp pointers throughtout the kernel, as required, so that the lwpid can 
be inserted into ktrace records.  The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V
 2003-06-28 14:20:43 +00:00
itojun
2cadb8ca7a split ND6 cache timer management to per-entry. increased accuracy, 
no O(N) loop.   sync w/ kame
 2003-06-27 08:41:08 +00:00
itojun
6d4a3c4191 remove unneeded checks of accept_rtadv. from kame 2003-06-24 07:54:47 +00:00
itojun
adb5d5afb4 * kame/sys/netinet6/nd6.c (nd6_rtrequest): changed a condition to 
decide whether to create an empty llinfo stricter so that a user
can manually change the link-layer address of an existing neighbor
cache.
Pointed out by: KIU Shueng Chuan

from kame
 2003-06-24 07:49:03 +00:00
itojun
455b7679d4 typo 2003-06-24 07:43:44 +00:00