Commit Graph

13 Commits

Author SHA1 Message Date
christos
53524e44ef Kill caddr_t; there will be some MI fallout, but it will be fixed shortly. 2007-03-04 05:59:00 +00:00
christos
168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
christos
6c265266c5 more __unused 2006-10-13 20:53:59 +00:00
pavel
450a020195 The esp_input_cb function used m_copyback, which fails if the mbuf is
read-only. This can actually happen if the packet was received by the
xennet interface, see PR kern/33162. Change it to m_copyback_cow.

AH and IPCOMP probably need similar fixes.

Requested by Jeff Rizzo, tested on Xen with -current by him.
2006-04-28 22:39:02 +00:00
rpaulo
68699904bd Add two new sysctls protected under IPSEC_DEBUG:
net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
          the same sequence number. This allows to verify if the other side
          has proper replay attacks detection.

  net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with
          corrupted HMAC. This allows to verify if the other side properly
          detects modified packets.

(a message will be printed indicating when these sysctls changed)

By Pawel Jakub Dawidek <pjd@FreeBSD.org>.
Discussed with Christos Zoulas and Jonathan Stone.
2006-04-11 20:21:28 +00:00
rpaulo
51a2954a4d FreeBSD SA-06:11 and CVE-2006-0905: update the replay sequence number
or else the anti-reply technique won't work as expected.
2006-03-23 15:25:46 +00:00
christos
95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
seanb
7ce7d7cb4c - Discrepency between malloc / free types with init vector (see free
in netipsec/key.c).
- Reviewed by christos.
2005-05-27 22:30:03 +00:00
jonathan
60f87b2f99 sys/netinet6/ip6_ecn.h is reportedly a FreeBSD-ism; NetBSD has
prototypes for the IPv6 ECN ingress/egress functions in sys/netinet/ip_ecn.h,
inside an #ifdef INET6 wrapper.   So, wrap sys/netipsec ocurrences of
	#include <netinet6/ip6_ecn.h>
in #ifdef __FreeBSD__/#endif, until both camps can agree on this
teensy little piece of namespace. Affects:
    ipsec_output.c xform_ah.c xform_esp.c xform_ipip.c
2004-03-17 00:21:43 +00:00
tls
9355900ec9 Reversion of "netkey merge", part 2 (replacement of removed files in the
repository by christos was part 1).  netipsec should now be back as it
was on 2003-09-11, with some very minor changes:

1) Some residual platform-dependent code was moved from ipsec.h to
   ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined.  ipsec.h
   now includes ipsec_osdep.h

2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has
   been left in place (it's arguable which name is less confusing but the
   rename is pretty harmless).

3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN
   is invalid and GCC 3 won't compile it.

An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now
gets through "make depend" but fails to build with errors in ip_input.c.
But it's better than it was (thank heaven for small favors).
2003-10-06 22:05:15 +00:00
itojun
eb305c3c3c merge netipsec/key* into netkey/key*. no need for both.
change confusing filename
2003-09-12 11:20:57 +00:00
jonathan
c23a2c9c86 opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif. 2003-08-20 22:33:40 +00:00
jonathan
740290313e Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4.
Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the
OpenCryptoFramework (and thus hardware crypto accelerators) and
numerous detailed performance improvements.

This import is (aside from SPL-level names) the FreeBSD source,
imported ``as-is'' as a historical snapshot, for future maintenance
and comparison against the FreeBSD source.  For now, several minor
kernel-API differences are hidden by macros a shim file, ipsec_osdep.h,
which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
2003-08-13 20:06:49 +00:00