itojun
0c85427e40
remove unneeded #if
2002-03-21 04:41:03 +00:00
itojun
53a52c0ad8
pfkey statistics was presented in wrong direction.
2002-03-21 04:23:36 +00:00
itojun
418fefdef0
remove a function no longer in use
2002-03-21 04:10:21 +00:00
itojun
900347e4d0
comment wording
2002-03-21 02:27:50 +00:00
itojun
8e4fadc28a
missing splx
2002-03-01 04:19:42 +00:00
itojun
3edb75b9d5
unifdef -D__NetBSD__
2002-03-01 04:16:38 +00:00
itojun
88123ecf38
change key_timehandler to take void * as argument. sync with kame.
PR 14351
2002-01-31 07:05:43 +00:00
itojun
867ce59a46
use ipseclog() instead of #ifdef IPSEC_DEBUG, to make it possible to
turn on/off debugging messages at runtime. sync with kame
2002-01-31 06:35:25 +00:00
itojun
8297f55292
change SPDUPDATE's behavior to meet with the latest KAME kit.
(there's no need to have policy before SPDUPDATE)
2002-01-31 06:17:03 +00:00
lukem
2565646230
don't need <sys/types.h> when including <sys/param.h>
2001-11-15 09:47:59 +00:00
lukem
4f2ad95259
add RCSIDs
2001-11-13 00:56:55 +00:00
simonb
5f717f7c33
Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
itojun
07b78861d0
sync with kame:
fixed the value of the prefixlen in the sadb_address structure.
when pfkey message relative to SA is sent, the prefixlen was incorrect.
2001-10-19 01:57:20 +00:00
wiz
4c99916337
va_{start,end} audit:
Make sure that each va_start has one and only one matching va_end,
especially in error cases.
If the va_list is used multiple times, do multiple va_starts/va_ends.
If a function gets va_list as argument, don't let it use va_end (since
it's the caller's responsibility).
Improved by comments from enami and christos -- thanks!
Heimdal/krb4/KAME changes already fed back, rest to follow.
Inspired by, but not based on, OpenBSD.
2001-09-24 13:22:25 +00:00
wiz
456dff6cb8
Spell 'occurred' with two 'r's.
2001-09-16 16:34:23 +00:00
itojun
fd048b8ff1
avoid symbol conflict with "sin()".
2001-08-16 14:28:54 +00:00
itojun
99c5195929
remove "#ifdef IPSEC_DEBUG" conditional from key_debug.h
(headers must have no #if). sync with kame
2001-08-12 11:52:43 +00:00
itojun
984d46bbc4
there is no KEY_DEBBUG. use IPSEC_DEBUG
2001-08-12 11:48:27 +00:00
itojun
57030e2f12
cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb. sync with kame.
2001-08-06 10:25:00 +00:00
itojun
ce781443e0
pass replay sequence number on sadb_x_sa2 (it's outside of PF_KEY standard
anyways).
2001-08-02 12:10:14 +00:00
itojun
b26591525e
remove "register" variable specifier. sync with kame
2001-08-02 11:32:14 +00:00
itojun
182b1e5191
do not #ifdef KEY_DEBUG in header. sync with kame
2001-07-27 04:48:13 +00:00
mrg
8a49f07b1b
avoid assigning to policy_id twice. fixes more gcc 3.0 prerelease errors.
2001-06-04 21:38:28 +00:00
mrg
c13e3a6693
use _KERNEL_OPT
2001-05-30 11:40:35 +00:00
wiz
14dbdf5518
Negative exit code cleanup: Replace exit(-x) with exit(x).
As seen on tech-userlevel.
2001-04-06 11:13:45 +00:00
jdolecek
522f569810
make some more constant arrays 'const'
2001-02-21 21:39:52 +00:00
thorpej
786149d624
When processing an SADB_DELETE message, allow SADB_EXT_SA to be
blank. In this case, we delete all non-LARVAL SAs that match the
src/dst/protocol. This is particularly useful in IKE INITIAL-CONTACT
processing. Idea from Bill Sommerfeld <sommerfeld@east.sun.com>, who
implemented it in post-Solaris8.
2001-02-16 23:53:59 +00:00
itojun
a688af5edf
if 2nd parameter of key_acquire() is NULL it panics.
key_acquire () does not really require 2nd argument.
1.179 -> 1.180 on kame.
2001-01-10 18:52:51 +00:00
itojun
8b5ceae516
don't waste entropy by use of key_random(). use key_randomfill() for
IV initialization.
2000-10-07 12:08:33 +00:00
itojun
a6f9652adf
always use rnd(4) for IPsec random number source. avoid random(9).
if there's no rnd(4), random(9) will be used with one-time warning printf(9).
XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-starvation situation
2000-10-05 04:49:17 +00:00
itojun
dcfe05e7c1
fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun
8a9f93dc37
update ip compression algorithm lookup.
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net ). sync with kame
2000-09-26 08:40:23 +00:00
itojun
89f53512af
use real wallclock (got by microtime) to compute IPsec database lifetimes.
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun
fd5d3908d3
wake up socket even when socket receive buffer is full. otherwise,
we will have lots of pending mbufs on heavy SADB_ACQUIRE traffic.
KAME 1.22 -> 1.23
2000-09-22 08:28:56 +00:00
itojun
5f3d7ea2b5
suppress debugging message in key_acquire2(). this is purely for debugging,
not useful/no interest from normal use. KAME 1.155 -> 1.156
2000-09-21 20:35:09 +00:00
itojun
6aadfa317f
on SADB_UPDATE, check SPI range only for AH/ESP, not IPComp.
endian/signedness fix for debug messages.
KAME 1.154 -> 1.155
2000-09-20 19:55:05 +00:00
itojun
1e79c22464
repair SADB_ADD/UPDATE for ipcomp. no encryption key will be attached to
ipcomp. (KAME 1.53 -> 1.54)
2000-09-20 00:42:47 +00:00
itojun
6a4cd1c5f9
make proposal/combination PF_KEY message on SADB_ACQUIRE optional, to
support ipcomp ACQUIRE messages (again).
it violates RFC2367 slightly. RFC2367 does not support ipcomp at all
so we have no choice.
(KAME 1.151 -> 1.152)
do not leave dangling pointer after KFREE(). caused kernel panic with
certain PF_KEY message (error case) - only root can open PF_KEY socket
so it is not security issue.
(KAME 1.152 -> 1.153)
2000-09-20 00:08:42 +00:00
itojun
bb8d535cc5
use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.
the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.
XXX: it looks like past blowfish-cbc code was buggy. i ran some test pattern,
and new blowfish-cbc code looks more correct. there's no interoperability
between the old code (before the commit) and the new code (after the commit).
XXX: need serious interop tests before moving it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun
e101febc8f
make sure to stir ESP IV. pool allocator gives me almost constant
value. we may need to do an advisory...
2000-08-27 17:41:12 +00:00
itojun
9e0a696a8a
remove #ifdef notdef part. sync with kame.
2000-07-26 07:40:52 +00:00
itojun
411ff12b27
pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
sync with kame.
loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun
65d37eff7f
correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.
WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun
aa0b8be4f4
move ipsec_{hex,bin}dump() into #ifdef wrapper.
libipsec: remove unnecessary #include key_debug.h.
2000-07-04 04:41:54 +00:00
itojun
d407c7e3ec
nuke sadb_x_ident_id, which violates pfkey standard.
correct get/set SA handling.
(from kame)
2000-07-01 01:01:34 +00:00
mrg
577e415862
<vm/vm.h> -> <uvm/uvm_extern.h>
2000-06-28 03:29:45 +00:00
thorpej
ee01b6fae0
Clean up some NULL vs. 0 confusion, and fix a bogus comparison.
2000-06-24 00:15:52 +00:00
itojun
43eb8dd0d2
correct compilation without IPSEC_ESP.
From: Matthias Drochner <M.Drochner@fz-juelich.de>
2000-06-15 13:44:22 +00:00
itojun
f982a33213
correct ordering mistake in SADB_DUMP.
correct bug in key length management in SA database.
improve mbuf printing (for debugging only).
2000-06-15 12:37:07 +00:00
itojun
00dc400bb3
correct port number matching (src/dst mixup).
2000-06-15 05:50:22 +00:00