christos
36b4e0b6e7
Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD
2003-09-30 00:01:18 +00:00
mycroft
ca96c7c4ec
Remove some code that breaks AH tunnels completely. The comment describing
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.
NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00
wiz
cff5e477ad
Process has only one c. From miod@openbsd.
2003-09-26 22:23:58 +00:00
itojun
cd71ebe2f7
mark security policy that should persist in the system "persistent".
this should prevent recently-reported kernel panic when "spdflush" is issued.
2003-09-22 04:47:43 +00:00
itojun
7fda10aea9
separate netkey/key* and netipsec/key*
2003-09-20 05:14:41 +00:00
itojun
ca549eaf98
exp is a reserved name under posix
2003-09-16 00:31:23 +00:00
itojun
94da0d16ac
avoid overflow during multiply. David Laight
2003-09-15 23:38:20 +00:00
itojun
71c96a2bb4
correct ru_a/ru_b setup for 20bit case
2003-09-13 21:32:59 +00:00
itojun
8ee5969c3b
change confusing filename
2003-09-12 11:21:36 +00:00
itojun
9f2c0659cd
remove extra blank line
2003-09-12 07:58:25 +00:00
itojun
a84539ea9e
make synchronization w/ PF tag support code easier
2003-09-12 07:53:29 +00:00
itojun
6371ddf557
make it possible to SADB_DUMP via sysctl. request by mrg
2003-09-12 07:38:10 +00:00
itojun
5125995b51
record socket * associated with secpolicy
2003-09-10 22:29:27 +00:00
itojun
494fe70198
lint
2003-09-09 11:39:14 +00:00
itojun
800fe5d178
- prepare for RFC2401bis 64bit sequence number (no behavior change yet)
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c. key.c is responsible for refcounting secasvar,
keydb.c is responsible for alloc/free.
2003-09-07 15:59:36 +00:00
itojun
bfa3dccfd7
prototype should have no variable name
2003-09-07 15:50:43 +00:00
itojun
5c9706bb41
correct seed generation. sync w/ kame
2003-09-06 13:47:09 +00:00
itojun
37c3c44062
fix comment, from kame
2003-09-06 13:30:40 +00:00
itojun
680540f194
committed by mistake, sorry
2003-09-06 04:20:57 +00:00
itojun
bce24b4a3e
correct comment
2003-09-06 04:13:50 +00:00
itojun
b0b5b07f8a
fix msb handling. from kame
2003-09-06 03:55:35 +00:00
itojun
32e3deae21
randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
of these fields. ip_id.c is from openbsd. ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
itojun
175c9afa3f
clarify flowlabel handling
2003-09-06 03:12:51 +00:00
itojun
a245b3dc6d
u_short -> u_int16_t. sync w/ kame.
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
2003-09-05 23:20:48 +00:00
itojun
95b95dbc37
call tcp_drain() if IPv4-less kernel
2003-09-05 01:35:08 +00:00
itojun
495906ca8e
revamp inpcb/in6pcb so that they are more aligned with each other.
in6pcb lookup now uses hash(9).
2003-09-04 09:16:57 +00:00
itojun
19d8b9bfea
don't use m_cat to mbuf of different types. KAME-PR-495
2003-09-04 03:07:33 +00:00
itojun
725b73043b
simplify rijndael.c API - always schedule encrypt/decrypt key.
reviewed by thorpej
2003-08-27 14:23:25 +00:00
itojun
fb5acbcfc6
rijndael encryption context/scheduled key is asymmetric; need to setup two
(one for encryption, one for decryption)
2003-08-27 02:42:09 +00:00
thorpej
7b613a568e
Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt()
directly. Reviewed by itojun.
2003-08-27 00:08:31 +00:00
thorpej
6de9ce0437
Move the opencrypto CAST-128 implementation to crypto/cast128, removing
the old one. Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
2003-08-26 16:37:36 +00:00
thorpej
2957d8dce6
Use the simplified rijndael API (which this was essentially a duplicate
of). XXX This file can now be merged into esp_core.c.
2003-08-26 15:18:27 +00:00
itojun
356aebd768
g/c unused member. use in6p_ip6 more effectively.
2003-08-25 00:14:30 +00:00
itojun
9569786c95
deref member in in6p directly, don't rely on existence of macro
2003-08-25 00:11:52 +00:00
itojun
ff512e5035
don't commit value into ip6_ptkopts until the validation is done.
(note: the code will be updated with 2292bis definition soon, hopefully)
2003-08-25 00:10:27 +00:00
itojun
4e6aca94c2
correct missing inclusion of opt_ipsec.h
2003-08-22 22:11:44 +00:00
itojun
cabb25918f
no need for opt_ipsec.h any longer
2003-08-22 22:05:11 +00:00
itojun
11ede1ed88
remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output.
2003-08-22 22:00:36 +00:00
itojun
82eb4ce914
change the additional arg to be passed to ip{,6}_output to struct socket *.
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
itojun
9329caaf20
typo in log message
2003-08-22 21:50:42 +00:00
jonathan
e3ec783e41
(Accidentally-omitted change): update for ip6_output() to match commit below.
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:49:03 +00:00
jonathan
9339ef0381
Change KAME code for ip_output()/ip6_output() to obtain struct socket*
from the explicit inpcb*/in6pcb* argument. set_socket() becomes redundant.
2003-08-22 20:29:00 +00:00
jonathan
902669955f
Replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:20:09 +00:00
itojun
52f8075c5a
allow userland to specify SPD ID. more readable debugging messages.
2003-08-22 06:22:21 +00:00
jonathan
28b5f5dfab
(fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
configured with ``options FAST_IPSEC''. Kernels with KAME IPsec or
with no IPsec should work as before.
All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.
Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
2003-08-15 03:42:00 +00:00
itojun
fd3f06dabb
enforce ipsec policy on raw wildcard.
2003-08-14 07:57:40 +00:00
itojun
4d754cb259
in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped
address. PR kern/22431 from Andreas Gustafsson
2003-08-13 04:59:34 +00:00
agc
aad01611e7
Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22364, verified by myself.
2003-08-07 16:26:28 +00:00
itojun
da53b9c28e
make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame
2003-08-07 08:52:32 +00:00
itojun
256877974a
m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen
before m_cat call. from Julian Coleman via kame.
2003-08-06 14:47:32 +00:00