Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
130,643 Commits 606 Branches 0 Tags 3.1 GiB
45d871e0fb
Commit Graph

806 Commits

Author SHA1 Message Date
itojun
8dcc7f31aa typo. 
http://sources.zabbadoz.net/freebsd/patchset/108-ipsec-spelling.diff
 2004-01-13 23:02:00 +00:00
itojun
1101ef17d0 plug memory leak on failure. 
http://sources.zabbadoz.net/freebsd/patchset/109-ipsec-memleak.diff
 2004-01-13 23:01:08 +00:00
itojun
3ffdb9507a avoid deref-after-free. 
http://sources.zabbadoz.net/freebsd/patchset/106-ipsec-pcb-discon.diff
 2004-01-13 06:17:14 +00:00
wiz
d46bc94200 Niels Provos kindly agreed to drop clauses 3 and 4 from the 
license -- thanks.
Based on OpenBSD commit and hints by itojun.
 2003-12-26 19:04:55 +00:00
lha
2b1cb68e2f Fix ICMPV6CTL_ND6_[DP]RLIST, they broke with new sysctl. 
Makes ndp -r/ndp -p work again, patch from atatat
 2003-12-17 18:49:38 +00:00
itojun
d8ac1c6007 fix cases where pktinfo specifies outgoing interface of "0". 2003-12-10 22:35:35 +00:00
itojun
aa8a6718f0 use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL 
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces.  from kame
 2003-12-10 11:46:33 +00:00
itojun
561720b19b validate set/getsockopt arg more strictly. with previous code privileged 
user can cause kernel crash.
 2003-12-10 09:28:38 +00:00
itojun
c81f32fe6c comment from niels provos; 
- seed2 is necessary, but use it as "seed2 + x" not "seed2 ^ x".
- skipping number is not needed, so disable it for 16bit generator (makes
  the repetition period to 30000)
 2003-12-10 05:22:18 +00:00
atatat
13f8d2ce5f Dynamic sysctl. 
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al.  Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.

Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded.  Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.

All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.

PS - I'm sorry, but there's a distinct lack of documentation at the
moment.  I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
 2003-12-04 19:38:21 +00:00
keihan
b8702f530b netbsd.org -> NetBSD.org 
This was the last commit of this kind to src/sys, which is now totally
"NetBSD.org clean".  Thanks for the patiance, and sorry for all the commits.
 2003-12-04 13:57:30 +00:00
itojun
0864b4939d "seed2" was ruining non-repeating property, so remove it. discussed on tech-net 2003-11-25 18:13:55 +00:00
jonathan
995c532c33 Revert the (default) ip_id algorithm to the pre-randomid algorithm, 
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
 2003-11-17 21:34:27 +00:00
itojun
3107b5dcc0 implement net.inet6.ifq 2003-11-12 15:25:19 +00:00
itojun
ae3e6f6041 correct behavior when ipv6mr_interface is 0. Matthias Drochner 2003-11-06 06:10:51 +00:00
itojun
60dac07656 use hash table for in6_pcbbind(). similar to in_pcb 1.89 -> 1.90 2003-11-05 01:20:56 +00:00
briggs
07a0e27c44 Revert the change in default value of ipv6_v6only. Further discussion 
on this topic is required.  It should be reintroduced and pursued in
the IETF.
 2003-11-03 15:12:06 +00:00
simonb
a2facef339 Remove some assigned-to but otherwise unused variables. 2003-10-30 01:43:08 +00:00
mycroft
2dde0746b6 Do a jump optimization that eliminates some uninitialized variable warnings. 2003-10-29 10:12:43 +00:00
briggs
5a770ba2d8 Toggle the default value of ip6_v6only. Also provide a sample sysctl to 
retain the existing behavior.
 2003-10-28 06:31:28 +00:00
christos
59f2aab1ed fix uninitialized variables 2003-10-25 08:26:14 +00:00
itojun
ba71e93c60 backout previous (ENETREST special handlng) 2003-10-15 22:55:34 +00:00
itojun
90d92fe2d9 ignore ENETRESET on ADDMULTI 2003-10-15 22:16:35 +00:00
itojun
018cb094b4 ignore ENETRESET on ADDMULTI. 2003-10-15 22:15:25 +00:00
itojun
a8d71f892f define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame 2003-10-15 01:28:28 +00:00
itojun
40e6b63c60 fix endian bug in fragment header scanning. 2003-10-14 05:33:04 +00:00
itojun
b5b2092bce no need to clear mbuf flags here; sync w/kame 2003-10-03 22:08:26 +00:00
itojun
98d5598feb when dropping M_PKTHDR, need to free m_tag associated with it. 2003-10-03 20:56:11 +00:00
itojun
96fda496da use in6_{embed,recover}scope for scoped address manipulation 2003-10-03 08:46:15 +00:00
itojun
140276fde1 shouldn't check scope match when encapsulating packet into tunnel mode. 
iij seil team
 2003-10-03 04:30:31 +00:00
itojun
d451ef2606 do not deref state.ro if it is NULL 2003-10-02 19:32:41 +00:00
itojun
d83af104d4 correctly look at outer IPv6 header when forwarding packet into ipsec tunnel. 
iij seil team
 2003-10-02 12:13:44 +00:00
itojun
364f2d9e12 permit tunnel mode over link-local address. (outer header is link-local) 
iij seil team
 2003-10-02 10:01:11 +00:00
itojun
8184c3658f handle link-local address in ipsec6_tunnel_validate(). from iij seli team 2003-10-02 07:19:37 +00:00
christos
36b4e0b6e7 Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD 2003-09-30 00:01:18 +00:00
mycroft
ca96c7c4ec Remove some code that breaks AH tunnels completely. The comment describing 
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.

NB: This does not fix the fact that IPsec leaks "packet tags."
 2003-09-28 04:45:14 +00:00
wiz
cff5e477ad Process has only one c. From miod@openbsd. 2003-09-26 22:23:58 +00:00
itojun
cd71ebe2f7 mark security policy that should persist in the system "persistent". 
this should prevent recently-reported kernel panic when "spdflush" is issued.
 2003-09-22 04:47:43 +00:00
itojun
7fda10aea9 separate netkey/key* and netipsec/key* 2003-09-20 05:14:41 +00:00
itojun
ca549eaf98 exp is a reserved name under posix 2003-09-16 00:31:23 +00:00
itojun
94da0d16ac avoid overflow during multiply. David Laight 2003-09-15 23:38:20 +00:00
itojun
71c96a2bb4 correct ru_a/ru_b setup for 20bit case 2003-09-13 21:32:59 +00:00
itojun
8ee5969c3b change confusing filename 2003-09-12 11:21:36 +00:00
itojun
9f2c0659cd remove extra blank line 2003-09-12 07:58:25 +00:00
itojun
a84539ea9e make synchronization w/ PF tag support code easier 2003-09-12 07:53:29 +00:00
itojun
6371ddf557 make it possible to SADB_DUMP via sysctl. request by mrg 2003-09-12 07:38:10 +00:00
itojun
5125995b51 record socket * associated with secpolicy 2003-09-10 22:29:27 +00:00
itojun
494fe70198 lint 2003-09-09 11:39:14 +00:00
itojun
800fe5d178 - prepare for RFC2401bis 64bit sequence number (no behavior change yet) 
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c.  key.c is responsible for refcounting secasvar,
  keydb.c is responsible for alloc/free.
 2003-09-07 15:59:36 +00:00
itojun
bfa3dccfd7 prototype should have no variable name 2003-09-07 15:50:43 +00:00
itojun
5c9706bb41 correct seed generation. sync w/ kame 2003-09-06 13:47:09 +00:00
itojun
37c3c44062 fix comment, from kame 2003-09-06 13:30:40 +00:00
itojun
680540f194 committed by mistake, sorry 2003-09-06 04:20:57 +00:00
itojun
bce24b4a3e correct comment 2003-09-06 04:13:50 +00:00
itojun
b0b5b07f8a fix msb handling. from kame 2003-09-06 03:55:35 +00:00
itojun
32e3deae21 randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability 
of these fields.  ip_id.c is from openbsd.  ip6_id.c is adapted by kame.
 2003-09-06 03:36:30 +00:00
itojun
175c9afa3f clarify flowlabel handling 2003-09-06 03:12:51 +00:00
itojun
a245b3dc6d u_short -> u_int16_t. sync w/ kame. 
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
 2003-09-05 23:20:48 +00:00
itojun
95b95dbc37 call tcp_drain() if IPv4-less kernel 2003-09-05 01:35:08 +00:00
itojun
495906ca8e revamp inpcb/in6pcb so that they are more aligned with each other. 
in6pcb lookup now uses hash(9).
 2003-09-04 09:16:57 +00:00
itojun
19d8b9bfea don't use m_cat to mbuf of different types. KAME-PR-495 2003-09-04 03:07:33 +00:00
itojun
725b73043b simplify rijndael.c API - always schedule encrypt/decrypt key. 
reviewed by thorpej
 2003-08-27 14:23:25 +00:00
itojun
fb5acbcfc6 rijndael encryption context/scheduled key is assymmetric; need to setup two 
(one for encryption, one for decryption)
 2003-08-27 02:42:09 +00:00
thorpej
7b613a568e Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt() 
directly.  Reviewed by itojun.
 2003-08-27 00:08:31 +00:00
thorpej
6de9ce0437 Move the opencrypto CAST-128 implementation to crypto/cast128, removing 
the old one.  Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
 2003-08-26 16:37:36 +00:00
thorpej
2957d8dce6 Use the simplified rijndael API (which this was essentially a duplicate 
of).  XXX This file can now be merged into esp_core.c.
 2003-08-26 15:18:27 +00:00
itojun
356aebd768 g/c unused member. use in6p_ip6 more effectively. 2003-08-25 00:14:30 +00:00
itojun
9569786c95 deref member in in6p directly, don't rely on existence of macro 2003-08-25 00:11:52 +00:00
itojun
ff512e5035 don't commit value into ip6_ptkopts until the validation is done. 
(note: the code will be updated with 2292bis definition soon, hopefully)
 2003-08-25 00:10:27 +00:00
itojun
4e6aca94c2 correct missing inclusion of opt_ipsec.h 2003-08-22 22:11:44 +00:00
itojun
cabb25918f no need for opt_ipsec.h any longer 2003-08-22 22:05:11 +00:00
itojun
11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun
82eb4ce914 change the additional arg to be passed to ip{,6}_output to struct socket *. 
this fixes KAME policy lookup which was broken by the previous commit.
 2003-08-22 21:53:01 +00:00
itojun
9329caaf20 typo in log message 2003-08-22 21:50:42 +00:00
jonathan
e3ec783e41 (Accidentally-omitted change): update for ip6_output() to match commit below. 
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
 2003-08-22 20:49:03 +00:00
jonathan
9339ef0381 Change KAME code for ip_output()/ip6_output() to obtain struct socket* 
from the explicit inpcb*/in6pcb* argument.  set_socket() becomes redundant.
 2003-08-22 20:29:00 +00:00
jonathan
902669955f Replace the set_socket() method of passing an extra struct socket* 
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
 2003-08-22 20:20:09 +00:00
itojun
52f8075c5a allow userland to specify SPD ID. more readable debugging messages. 2003-08-22 06:22:21 +00:00
jonathan
28b5f5dfab (fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if 
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
 2003-08-15 03:42:00 +00:00
itojun
fd3f06dabb enforce ipsec policy on raw wildcard. 2003-08-14 07:57:40 +00:00
itojun
4d754cb259 in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped 
address.  PR kern/22431 from Andreas Gustafsson
 2003-08-13 04:59:34 +00:00
agc
aad01611e7 Move UCB-licensed code from 4-clause to 3-clause licence. 
Patches provided by Joel Baker in PR 22364, verified by myself.
 2003-08-07 16:26:28 +00:00
itojun
da53b9c28e make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame 2003-08-07 08:52:32 +00:00
itojun
256877974a m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen 
before m_cat call.  from Julian Coleman via kame.
 2003-08-06 14:47:32 +00:00
itojun
3236f238b3 increase AH_MAXSUMSIZE to 512/8, for hmac-sha2-512 2003-08-05 12:20:35 +00:00
itojun
d6c4b6beb6 minor KNF 2003-07-25 10:17:36 +00:00
itojun
969d6f5037 typo 2003-07-25 10:16:28 +00:00
itojun
1270423572 add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH), 
AES counter mode (ESP)
 2003-07-25 10:00:49 +00:00
itojun
4fc37746bf AES XCBC MAC (for AH) 
AES counter mode (for ESP)
 2003-07-25 09:48:17 +00:00
itojun
ee7d78825a comment typo, from markus@openbsd 2003-07-23 00:27:25 +00:00
itojun
c8ebadb000 unifdef -U_IP_VHL 2003-07-22 11:18:24 +00:00
itojun
0d84200c22 clear scheduled key before freeing, for safety 2003-07-22 08:54:27 +00:00
itojun
77283a8429 sha2 is needed for AH, not ESP 2003-07-22 03:26:16 +00:00
itojun
d64e1c8d6a add hmac-sha2 support. various cleanups (like avoid hardcoding '16'). 
from kame
 2003-07-22 03:24:23 +00:00
itojun
409ba7efc4 cosmetic 2003-07-22 03:21:21 +00:00
itojun
0445f65670 avoid assuming result buffer size in AH logic. sync w/kame 2003-07-20 18:01:41 +00:00
itojun
92a1800c4d due to previous type change, sav->schedlen never go negative. sync w/kame 2003-07-20 17:17:20 +00:00
itojun
d1931d3717 change ESP xx_schedlen() return type to size_t. sync w/kame 2003-07-20 03:24:03 +00:00
itojun
74182febed remove #if 0 portion 2003-07-18 06:45:33 +00:00
kleink
43694e8d74 assymetric -> asymmetric 2003-07-15 17:37:00 +00:00