39 Commits

Author SHA1 Message Date
rpaulo 78678b130a Better support of IPv6 scoped addresses.
- most of the kernel code will not care about the actual encoding of
  scope zone IDs and won't touch "s6_addr16[1]" directly.
- similarly, most of the kernel code will not care about link-local
  scoped addresses as a special case.
- scope boundary check will be stricter.  For example, the current
  *BSD code allows a packet with src=::1 and dst=(some global IPv6
  address) to be sent outside of the node, if the application does:
    s = socket(AF_INET6);
    bind(s, "::1");
    sendto(s, some_global_IPv6_addr);
  This is clearly wrong, since ::1 is only meaningful within a single
  node, but the current implementation of the *BSD kernel cannot
  reject this attempt.
- and, while there, don't try to remove the ff02::/32 interface route
  entry in in6_ifdetach() as it's already gone.

This also includes some level of support for the standard source
address selection algorithm defined in RFC3484, which will be
completed in the future.

From the KAME project via JINMEI Tatuya.
Approved by core@.
2006-01-21 00:15:35 +00:00
christos 95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
tron d5da0b0c38 Remove unnecessary bzero() calls before calling the algorithm specific
init function.
2005-07-21 16:59:20 +00:00
itojun 721292cf12 constify AH algorithm function table. suggested by robert watson 2004-03-10 03:45:04 +00:00
itojun d6c4b6beb6 minor KNF 2003-07-25 10:17:36 +00:00
itojun 969d6f5037 typo 2003-07-25 10:16:28 +00:00
itojun 1270423572 add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH),
AES counter mode (ESP)
2003-07-25 10:00:49 +00:00
itojun c8ebadb000 unifdef -U_IP_VHL 2003-07-22 11:18:24 +00:00
itojun d64e1c8d6a add hmac-sha2 support. various cleanups (like avoid hardcoding '16').
from kame
2003-07-22 03:24:23 +00:00
itojun 0445f65670 avoid assuming result buffer size in AH logic. sync w/kame 2003-07-20 18:01:41 +00:00
itojun b2fcce1997 style 2003-04-22 10:08:33 +00:00
itojun 8808abb7b8 correct pointer signedness mixups. sync w/kame 2002-09-11 03:45:44 +00:00
itojun e4f39ff86f panic() if NULL is passed to ah_sumsiz_xx. suggested by sam leffler, sync w/kame 2002-06-07 23:42:41 +00:00
lukem 4f2ad95259 add RCSIDs 2001-11-13 00:56:55 +00:00
itojun 7b1918bdc8 always check extension header length. 2001-10-29 05:23:17 +00:00
itojun 99d25b4e8a reduce diff with kame. whitespace changes only. 2001-10-15 03:55:37 +00:00
itojun 52f2cece9f tighten AH IPv4 option chasing more. drop too short (< 2) option.
sync with kame.
2001-02-21 01:27:58 +00:00
itojun 26a76076be correct IPv4 option header chasing. the old code may overrun the buffer
if the option header is truncated.  sync with kame
2001-02-19 03:47:01 +00:00
itojun dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun 65d37eff7f correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.

WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun dafb757588 add algorithm name into algorithm table. (commit to crypto-intl will follow) 2000-06-14 11:27:35 +00:00
itojun e0b65589f1 sync with more recent kame. cope with malloc failure more gracefully
some cosmetics.
2000-06-02 18:20:15 +00:00
itojun fadbd2b29a cleanup AH/policy processing.
- parse IPv6 header by using common function, ip6_{last,next}hdr.
- fix behavior in multiple AH cases.
  make strict boundary checks on mbuf chasing.
(sync with latest kame)
2000-03-21 23:53:30 +00:00
itojun 90736ab608 fix include pathname for better rfc2292 compliance. 2000-02-06 12:49:37 +00:00
itojun 1a2a1e2b1f bring in latest KAME ipsec tree.
- interop issues in ipcomp is fixed
- padding type (after ESP) is configurable
- key database memory management (need more fixes)
- policy specification is revisited

XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon
2000-01-31 14:18:52 +00:00
itojun 08e76e0086 add missing ipcomp cases. 2000-01-16 18:06:03 +00:00
itojun ec63b40402 remove too much portability code in KAME, to improve readability. 2000-01-06 07:31:07 +00:00
itojun abddb5f851 do not overwrite traffic class field when we write IPv6 version field. 1999-12-15 06:28:43 +00:00
itojun b3d9b0130c eliminate unnecessary splnet(). 1999-09-17 12:26:04 +00:00
itojun 5a219342f2 sync with kame; typo in comment. 1999-08-26 11:11:51 +00:00
itojun 4e69e908fe fix AH computation for HbB options. 1999-08-25 17:47:47 +00:00
itojun 70ada0957e sync with recent KAME.
- loosen ipsec restriction on packet direction.
- revise icmp6 redirect handling on IsRouter bit.
- tcp/udp notification processing (link-local address case)
- cosmetic fixes (better code share across *BSD).
1999-07-31 18:41:15 +00:00
itojun 06c350054d remove reference to in6_systm.h (file itself will be removed afterwards) 1999-07-30 10:35:34 +00:00
thorpej f9a7668b3f defopt IPSEC and IPSEC_ESP (both into opt_ipsec.h). 1999-07-09 22:57:15 +00:00
itojun f3c72d8503 fix IPSEC (but not INET6) build.
PR: 7921, 7922, 7924
From: rafal@mediaone.net
1999-07-06 05:09:22 +00:00
itojun 9b74747370 s/splnet/splsoftnet/ in IPv6/IPsec part.
hope I made no mistake (the kernel works fine but I need a regress test)

Suggested by: thorpej
1999-07-04 02:01:15 +00:00
thorpej cd3a345ea0 RCS ID police. 1999-07-03 21:24:45 +00:00
itojun 118d2b1d4f IPv6 kernel code, based on KAME/NetBSD 1.4, SNAP kit 19990628.
(Sorry for a big commit, I can't separate this into several pieces...)
Pls check sys/netinet6/TODO and sys/netinet6/IMPLEMENTATION for details.

- sys/kern: do not assume single mbuf, accept chained mbuf on passing
  data from userland to kernel (or other way round).
- "midway" ATM card: ATM PVC pseudo device support, like those done in ALTQ
  package (ftp://ftp.csl.sony.co.jp/pub/kjc/).
- sys/netinet/tcp*: IPv4/v6 dual stack tcp support.
- sys/netinet/{ip6,icmp6}.h, sys/net/pfkeyv2.h: IETF document assumes those
  files to be there so we patch it up.
- sys/netinet: IPsec additions are here and there.
- sys/netinet6/*: most of IPv6 code sits here.
- sys/netkey: IPsec key management code
- dev/pci/pcidevs: regen

In my understanding no code here is subject to export control so it
should be safe.
1999-07-01 08:12:45 +00:00
itojun 74d3c214ec KAME/NetBSD 1.4 SNAP kit, dated 19990628.
NOTE: this branch (kame) is used just for reference.  this may not compile
due to multiple reasons.
1999-06-28 06:36:47 +00:00