3ffdb9507a
avoid deref-after-free.
...
http://sources.zabbadoz.net/freebsd/patchset/106-ipsec-pcb-discon.diff
2004-01-13 06:17:14 +00:00
d46bc94200
Niels Provos kindly agreed to drop clauses 3 and 4 from the
...
license -- thanks.
Based on OpenBSD commit and hints by itojun.
2003-12-26 19:04:55 +00:00
2b1cb68e2f
Fix ICMPV6CTL_ND6_[DP]RLIST, they broke with new sysctl.
...
Makes ndp -r/ndp -p work again, patch from atatat
2003-12-17 18:49:38 +00:00
d8ac1c6007
fix cases where pktinfo specifies outgoing interface of "0".
2003-12-10 22:35:35 +00:00
aa8a6718f0
use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL
...
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces. from kame
2003-12-10 11:46:33 +00:00
561720b19b
validate set/getsockopt arg more strictly. with previous code privileged
...
user can cause kernel crash.
2003-12-10 09:28:38 +00:00
c81f32fe6c
comment from niels provos;
...
- seed2 is necessary, but use it as "seed2 + x" not "seed2 ^ x".
- skipping number is not needed, so disable it for 16bit generator (makes
the repetition period to 30000)
2003-12-10 05:22:18 +00:00
13f8d2ce5f
Dynamic sysctl.
...
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 19:38:21 +00:00
b8702f530b
netbsd.org -> NetBSD.org
...
This was the last commit of this kind to src/sys, which is now totally
"NetBSD.org clean". Thanks for the patiance, and sorry for all the commits.
2003-12-04 13:57:30 +00:00
0864b4939d
"seed2" was ruining non-repeating property, so remove it. discussed on tech-net
2003-11-25 18:13:55 +00:00
995c532c33
Revert the (default) ip_id algorithm to the pre-randomid algorithm,
...
due to demonstrated low-period repeated IDs from the randomized IP_id
code. Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.
Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be provided.
This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
2003-11-17 21:34:27 +00:00
3107b5dcc0
implement net.inet6.ifq
2003-11-12 15:25:19 +00:00
ae3e6f6041
correct behavior when ipv6mr_interface is 0. Matthias Drochner
2003-11-06 06:10:51 +00:00
60dac07656
use hash table for in6_pcbbind(). similar to in_pcb 1.89 -> 1.90
2003-11-05 01:20:56 +00:00
07a0e27c44
Revert the change in default value of ipv6_v6only. Further discussion
...
on this topic is required. It should be reintroduced and pursued in
the IETF.
2003-11-03 15:12:06 +00:00
a2facef339
Remove some assigned-to but otherwise unused variables.
2003-10-30 01:43:08 +00:00
2dde0746b6
Do a jump optimization that eliminates some uninitialized variable warnings.
2003-10-29 10:12:43 +00:00
5a770ba2d8
Toggle the default value of ip6_v6only. Also provide a sample sysctl to
...
retain the existing behavior.
2003-10-28 06:31:28 +00:00
59f2aab1ed
fix uninitialized variables
2003-10-25 08:26:14 +00:00
ba71e93c60
backout previous (ENETREST special handlng)
2003-10-15 22:55:34 +00:00
90d92fe2d9
ignore ENETRESET on ADDMULTI
2003-10-15 22:16:35 +00:00
018cb094b4
ignore ENETRESET on ADDMULTI.
2003-10-15 22:15:25 +00:00
a8d71f892f
define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame
2003-10-15 01:28:28 +00:00
40e6b63c60
fix endian bug in fragment header scanning.
2003-10-14 05:33:04 +00:00
b5b2092bce
no need to clear mbuf flags here; sync w/kame
2003-10-03 22:08:26 +00:00
98d5598feb
when dropping M_PKTHDR, need to free m_tag associated with it.
2003-10-03 20:56:11 +00:00
96fda496da
use in6_{embed,recover}scope for scoped address manipulation
2003-10-03 08:46:15 +00:00
140276fde1
shouldn't check scope match when encapsulating packet into tunnel mode.
...
iij seil team
2003-10-03 04:30:31 +00:00
d451ef2606
do not deref state.ro if it is NULL
2003-10-02 19:32:41 +00:00
d83af104d4
correctly look at outer IPv6 header when forwarding packet into ipsec tunnel.
...
iij seil team
2003-10-02 12:13:44 +00:00
364f2d9e12
permit tunnel mode over link-local address. (outer header is link-local)
...
iij seil team
2003-10-02 10:01:11 +00:00
8184c3658f
handle link-local address in ipsec6_tunnel_validate(). from iij seli team
2003-10-02 07:19:37 +00:00
36b4e0b6e7
Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD
2003-09-30 00:01:18 +00:00
ca96c7c4ec
Remove some code that breaks AH tunnels completely. The comment describing
...
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.
NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00
cff5e477ad
Process has only one c. From miod@openbsd.
2003-09-26 22:23:58 +00:00
cd71ebe2f7
mark security policy that should persist in the system "persistent".
...
this should prevent recently-reported kernel panic when "spdflush" is issued.
2003-09-22 04:47:43 +00:00
7fda10aea9
separate netkey/key* and netipsec/key*
2003-09-20 05:14:41 +00:00
ca549eaf98
exp is a reserved name under posix
2003-09-16 00:31:23 +00:00
94da0d16ac
avoid overflow during multiply. David Laight
2003-09-15 23:38:20 +00:00
71c96a2bb4
correct ru_a/ru_b setup for 20bit case
2003-09-13 21:32:59 +00:00
8ee5969c3b
change confusing filename
2003-09-12 11:21:36 +00:00
9f2c0659cd
remove extra blank line
2003-09-12 07:58:25 +00:00
a84539ea9e
make synchronization w/ PF tag support code easier
2003-09-12 07:53:29 +00:00
6371ddf557
make it possible to SADB_DUMP via sysctl. request by mrg
2003-09-12 07:38:10 +00:00
5125995b51
record socket * associated with secpolicy
2003-09-10 22:29:27 +00:00
494fe70198
lint
2003-09-09 11:39:14 +00:00
800fe5d178
- prepare for RFC2401bis 64bit sequence number (no behavior change yet)
...
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c. key.c is responsible for refcounting secasvar,
keydb.c is responsible for alloc/free.
2003-09-07 15:59:36 +00:00
bfa3dccfd7
prototype should have no variable name
2003-09-07 15:50:43 +00:00
5c9706bb41
correct seed generation. sync w/ kame
2003-09-06 13:47:09 +00:00
37c3c44062
fix comment, from kame
2003-09-06 13:30:40 +00:00
680540f194
committed by mistake, sorry
2003-09-06 04:20:57 +00:00
bce24b4a3e
correct comment
2003-09-06 04:13:50 +00:00
b0b5b07f8a
fix msb handling. from kame
2003-09-06 03:55:35 +00:00
32e3deae21
randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
...
of these fields. ip_id.c is from openbsd. ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
175c9afa3f
clarify flowlabel handling
2003-09-06 03:12:51 +00:00
a245b3dc6d
u_short -> u_int16_t. sync w/ kame.
...
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
2003-09-05 23:20:48 +00:00
95b95dbc37
call tcp_drain() if IPv4-less kernel
2003-09-05 01:35:08 +00:00
495906ca8e
revamp inpcb/in6pcb so that they are more aligned with each other.
...
in6pcb lookup now uses hash(9).
2003-09-04 09:16:57 +00:00
19d8b9bfea
don't use m_cat to mbuf of different types. KAME-PR-495
2003-09-04 03:07:33 +00:00
725b73043b
simplify rijndael.c API - always schedule encrypt/decrypt key.
...
reviewed by thorpej
2003-08-27 14:23:25 +00:00
fb5acbcfc6
rijndael encryption context/scheduled key is assymmetric; need to setup two
...
(one for encryption, one for decryption)
2003-08-27 02:42:09 +00:00
7b613a568e
Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt()
...
directly. Reviewed by itojun.
2003-08-27 00:08:31 +00:00
6de9ce0437
Move the opencrypto CAST-128 implementation to crypto/cast128, removing
...
the old one. Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
2003-08-26 16:37:36 +00:00
2957d8dce6
Use the simplified rijndael API (which this was essentially a duplicate
...
of). XXX This file can now be merged into esp_core.c.
2003-08-26 15:18:27 +00:00
356aebd768
g/c unused member. use in6p_ip6 more effectively.
2003-08-25 00:14:30 +00:00
9569786c95
deref member in in6p directly, don't rely on existence of macro
2003-08-25 00:11:52 +00:00
ff512e5035
don't commit value into ip6_ptkopts until the validation is done.
...
(note: the code will be updated with 2292bis definition soon, hopefully)
2003-08-25 00:10:27 +00:00
4e6aca94c2
correct missing inclusion of opt_ipsec.h
2003-08-22 22:11:44 +00:00
cabb25918f
no need for opt_ipsec.h any longer
2003-08-22 22:05:11 +00:00
11ede1ed88
remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output.
2003-08-22 22:00:36 +00:00
82eb4ce914
change the additional arg to be passed to ip{,6}_output to struct socket *.
...
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
9329caaf20
typo in log message
2003-08-22 21:50:42 +00:00
e3ec783e41
(Accidentally-omitted change): update for ip6_output() to match commit below.
...
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:49:03 +00:00
9339ef0381
Change KAME code for ip_output()/ip6_output() to obtain struct socket*
...
from the explicit inpcb*/in6pcb* argument. set_socket() becomes redundant.
2003-08-22 20:29:00 +00:00
902669955f
Replace the set_socket() method of passing an extra struct socket*
...
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:20:09 +00:00
52f8075c5a
allow userland to specify SPD ID. more readable debugging messages.
2003-08-22 06:22:21 +00:00
28b5f5dfab
(fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
...
configured with ``options FAST_IPSEC''. Kernels with KAME IPsec or
with no IPsec should work as before.
All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.
Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
2003-08-15 03:42:00 +00:00
fd3f06dabb
enforce ipsec policy on raw wildcard.
2003-08-14 07:57:40 +00:00
4d754cb259
in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped
...
address. PR kern/22431 from Andreas Gustafsson
2003-08-13 04:59:34 +00:00
aad01611e7
Move UCB-licensed code from 4-clause to 3-clause licence.
...
Patches provided by Joel Baker in PR 22364, verified by myself.
2003-08-07 16:26:28 +00:00
da53b9c28e
make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame
2003-08-07 08:52:32 +00:00
256877974a
m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen
...
before m_cat call. from Julian Coleman via kame.
2003-08-06 14:47:32 +00:00
3236f238b3
increase AH_MAXSUMSIZE to 512/8, for hmac-sha2-512
2003-08-05 12:20:35 +00:00
d6c4b6beb6
minor KNF
2003-07-25 10:17:36 +00:00
969d6f5037
typo
2003-07-25 10:16:28 +00:00
1270423572
add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH),
...
AES counter mode (ESP)
2003-07-25 10:00:49 +00:00
4fc37746bf
AES XCBC MAC (for AH)
...
AES counter mode (for ESP)
2003-07-25 09:48:17 +00:00
ee7d78825a
comment typo, from markus@openbsd
2003-07-23 00:27:25 +00:00
c8ebadb000
unifdef -U_IP_VHL
2003-07-22 11:18:24 +00:00
0d84200c22
clear scheduled key before freeing, for safety
2003-07-22 08:54:27 +00:00
77283a8429
sha2 is needed for AH, not ESP
2003-07-22 03:26:16 +00:00
d64e1c8d6a
add hmac-sha2 support. various cleanups (like avoid hardcoding '16').
...
from kame
2003-07-22 03:24:23 +00:00
409ba7efc4
cosmetic
2003-07-22 03:21:21 +00:00
0445f65670
avoid assuming result buffer size in AH logic. sync w/kame
2003-07-20 18:01:41 +00:00
92a1800c4d
due to previous type change, sav->schedlen never go negative. sync w/kame
2003-07-20 17:17:20 +00:00
d1931d3717
change ESP xx_schedlen() return type to size_t. sync w/kame
2003-07-20 03:24:03 +00:00
74182febed
remove #if 0 portion
2003-07-18 06:45:33 +00:00
43694e8d74
assymetric -> asymmetric
2003-07-15 17:37:00 +00:00
7b74887942
rijndael is assymmetric, correction from markus@openbsd
2003-07-15 15:25:13 +00:00
281d9d13a5
simplify and update rijndael code. markus@openbsd
2003-07-15 11:00:36 +00:00
itojun