59f2aab1ed
fix uninitialized variables
2003-10-25 08:26:14 +00:00
ba71e93c60
backout previous (ENETREST special handlng)
2003-10-15 22:55:34 +00:00
90d92fe2d9
ignore ENETRESET on ADDMULTI
2003-10-15 22:16:35 +00:00
018cb094b4
ignore ENETRESET on ADDMULTI.
2003-10-15 22:15:25 +00:00
a8d71f892f
define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame
2003-10-15 01:28:28 +00:00
40e6b63c60
fix endian bug in fragment header scanning.
2003-10-14 05:33:04 +00:00
b5b2092bce
no need to clear mbuf flags here; sync w/kame
2003-10-03 22:08:26 +00:00
98d5598feb
when dropping M_PKTHDR, need to free m_tag associated with it.
2003-10-03 20:56:11 +00:00
96fda496da
use in6_{embed,recover}scope for scoped address manipulation
2003-10-03 08:46:15 +00:00
140276fde1
shouldn't check scope match when encapsulating packet into tunnel mode.
...
iij seil team
2003-10-03 04:30:31 +00:00
d451ef2606
do not deref state.ro if it is NULL
2003-10-02 19:32:41 +00:00
d83af104d4
correctly look at outer IPv6 header when forwarding packet into ipsec tunnel.
...
iij seil team
2003-10-02 12:13:44 +00:00
364f2d9e12
permit tunnel mode over link-local address. (outer header is link-local)
...
iij seil team
2003-10-02 10:01:11 +00:00
8184c3658f
handle link-local address in ipsec6_tunnel_validate(). from iij seli team
2003-10-02 07:19:37 +00:00
36b4e0b6e7
Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD
2003-09-30 00:01:18 +00:00
ca96c7c4ec
Remove some code that breaks AH tunnels completely. The comment describing
...
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.
NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00
cff5e477ad
Process has only one c. From miod@openbsd.
2003-09-26 22:23:58 +00:00
cd71ebe2f7
mark security policy that should persist in the system "persistent".
...
this should prevent recently-reported kernel panic when "spdflush" is issued.
2003-09-22 04:47:43 +00:00
7fda10aea9
separate netkey/key* and netipsec/key*
2003-09-20 05:14:41 +00:00
ca549eaf98
exp is a reserved name under posix
2003-09-16 00:31:23 +00:00
94da0d16ac
avoid overflow during multiply. David Laight
2003-09-15 23:38:20 +00:00
71c96a2bb4
correct ru_a/ru_b setup for 20bit case
2003-09-13 21:32:59 +00:00
8ee5969c3b
change confusing filename
2003-09-12 11:21:36 +00:00
9f2c0659cd
remove extra blank line
2003-09-12 07:58:25 +00:00
a84539ea9e
make synchronization w/ PF tag support code easier
2003-09-12 07:53:29 +00:00
6371ddf557
make it possible to SADB_DUMP via sysctl. request by mrg
2003-09-12 07:38:10 +00:00
5125995b51
record socket * associated with secpolicy
2003-09-10 22:29:27 +00:00
494fe70198
lint
2003-09-09 11:39:14 +00:00
800fe5d178
- prepare for RFC2401bis 64bit sequence number (no behavior change yet)
...
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c. key.c is responsible for refcounting secasvar,
keydb.c is responsible for alloc/free.
2003-09-07 15:59:36 +00:00
bfa3dccfd7
prototype should have no variable name
2003-09-07 15:50:43 +00:00
5c9706bb41
correct seed generation. sync w/ kame
2003-09-06 13:47:09 +00:00
37c3c44062
fix comment, from kame
2003-09-06 13:30:40 +00:00
680540f194
committed by mistake, sorry
2003-09-06 04:20:57 +00:00
bce24b4a3e
correct comment
2003-09-06 04:13:50 +00:00
b0b5b07f8a
fix msb handling. from kame
2003-09-06 03:55:35 +00:00
32e3deae21
randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
...
of these fields. ip_id.c is from openbsd. ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
175c9afa3f
clarify flowlabel handling
2003-09-06 03:12:51 +00:00
a245b3dc6d
u_short -> u_int16_t. sync w/ kame.
...
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
2003-09-05 23:20:48 +00:00
95b95dbc37
call tcp_drain() if IPv4-less kernel
2003-09-05 01:35:08 +00:00
495906ca8e
revamp inpcb/in6pcb so that they are more aligned with each other.
...
in6pcb lookup now uses hash(9).
2003-09-04 09:16:57 +00:00
19d8b9bfea
don't use m_cat to mbuf of different types. KAME-PR-495
2003-09-04 03:07:33 +00:00
725b73043b
simplify rijndael.c API - always schedule encrypt/decrypt key.
...
reviewed by thorpej
2003-08-27 14:23:25 +00:00
fb5acbcfc6
rijndael encryption context/scheduled key is assymmetric; need to setup two
...
(one for encryption, one for decryption)
2003-08-27 02:42:09 +00:00
7b613a568e
Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt()
...
directly. Reviewed by itojun.
2003-08-27 00:08:31 +00:00
6de9ce0437
Move the opencrypto CAST-128 implementation to crypto/cast128, removing
...
the old one. Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
2003-08-26 16:37:36 +00:00
2957d8dce6
Use the simplified rijndael API (which this was essentially a duplicate
...
of). XXX This file can now be merged into esp_core.c.
2003-08-26 15:18:27 +00:00
356aebd768
g/c unused member. use in6p_ip6 more effectively.
2003-08-25 00:14:30 +00:00
9569786c95
deref member in in6p directly, don't rely on existence of macro
2003-08-25 00:11:52 +00:00
ff512e5035
don't commit value into ip6_ptkopts until the validation is done.
...
(note: the code will be updated with 2292bis definition soon, hopefully)
2003-08-25 00:10:27 +00:00
4e6aca94c2
correct missing inclusion of opt_ipsec.h
2003-08-22 22:11:44 +00:00
cabb25918f
no need for opt_ipsec.h any longer
2003-08-22 22:05:11 +00:00
11ede1ed88
remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output.
2003-08-22 22:00:36 +00:00
82eb4ce914
change the additional arg to be passed to ip{,6}_output to struct socket *.
...
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
9329caaf20
typo in log message
2003-08-22 21:50:42 +00:00
e3ec783e41
(Accidentally-omitted change): update for ip6_output() to match commit below.
...
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:49:03 +00:00
9339ef0381
Change KAME code for ip_output()/ip6_output() to obtain struct socket*
...
from the explicit inpcb*/in6pcb* argument. set_socket() becomes redundant.
2003-08-22 20:29:00 +00:00
902669955f
Replace the set_socket() method of passing an extra struct socket*
...
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:20:09 +00:00
52f8075c5a
allow userland to specify SPD ID. more readable debugging messages.
2003-08-22 06:22:21 +00:00
28b5f5dfab
(fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
...
configured with ``options FAST_IPSEC''. Kernels with KAME IPsec or
with no IPsec should work as before.
All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.
Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
2003-08-15 03:42:00 +00:00
fd3f06dabb
enforce ipsec policy on raw wildcard.
2003-08-14 07:57:40 +00:00
4d754cb259
in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped
...
address. PR kern/22431 from Andreas Gustafsson
2003-08-13 04:59:34 +00:00
aad01611e7
Move UCB-licensed code from 4-clause to 3-clause licence.
...
Patches provided by Joel Baker in PR 22364, verified by myself.
2003-08-07 16:26:28 +00:00
da53b9c28e
make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame
2003-08-07 08:52:32 +00:00
256877974a
m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen
...
before m_cat call. from Julian Coleman via kame.
2003-08-06 14:47:32 +00:00
3236f238b3
increase AH_MAXSUMSIZE to 512/8, for hmac-sha2-512
2003-08-05 12:20:35 +00:00
d6c4b6beb6
minor KNF
2003-07-25 10:17:36 +00:00
969d6f5037
typo
2003-07-25 10:16:28 +00:00
1270423572
add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH),
...
AES counter mode (ESP)
2003-07-25 10:00:49 +00:00
4fc37746bf
AES XCBC MAC (for AH)
...
AES counter mode (for ESP)
2003-07-25 09:48:17 +00:00
ee7d78825a
comment typo, from markus@openbsd
2003-07-23 00:27:25 +00:00
c8ebadb000
unifdef -U_IP_VHL
2003-07-22 11:18:24 +00:00
0d84200c22
clear scheduled key before freeing, for safety
2003-07-22 08:54:27 +00:00
77283a8429
sha2 is needed for AH, not ESP
2003-07-22 03:26:16 +00:00
d64e1c8d6a
add hmac-sha2 support. various cleanups (like avoid hardcoding '16').
...
from kame
2003-07-22 03:24:23 +00:00
409ba7efc4
cosmetic
2003-07-22 03:21:21 +00:00
0445f65670
avoid assuming result buffer size in AH logic. sync w/kame
2003-07-20 18:01:41 +00:00
92a1800c4d
due to previous type change, sav->schedlen never go negative. sync w/kame
2003-07-20 17:17:20 +00:00
d1931d3717
change ESP xx_schedlen() return type to size_t. sync w/kame
2003-07-20 03:24:03 +00:00
74182febed
remove #if 0 portion
2003-07-18 06:45:33 +00:00
43694e8d74
assymetric -> asymmetric
2003-07-15 17:37:00 +00:00
7b74887942
rijndael is assymmetric, correction from markus@openbsd
2003-07-15 15:25:13 +00:00
281d9d13a5
simplify and update rijndael code. markus@openbsd
2003-07-15 11:00:36 +00:00
8e90cd9ce4
KNF
2003-07-12 15:16:50 +00:00
3eaa5b9c93
no longer needed (#define _KERNEL)
2003-07-12 15:12:45 +00:00
7649b12429
remove obsolete comment on the use of m_pullup
2003-07-09 04:05:59 +00:00
0463e41004
on interface detach, clear multicast forwarding table. from kame
2003-07-08 10:20:45 +00:00
91b11e1eba
prototype must not have variable name
2003-07-08 07:13:50 +00:00
fc401b7586
fix missing check for taillen against pkthdr.len. markus@openbsd
2003-07-04 00:49:18 +00:00
022df20c75
minor KNF
2003-07-03 05:03:53 +00:00
d8976f36ac
typo. found by markus@openbsd
2003-07-02 13:55:13 +00:00
2317e81b85
avoid ICMPv6 redirect if the packet filter rewrite dst addr to an address
...
on the incoming interface. cedric@openbsd
2003-06-30 08:00:59 +00:00
842d3bee32
KNF
2003-06-30 03:30:50 +00:00
d5aece61d6
Back out the lwp/ktrace changes. They contained a lot of colateral damage,
...
and need to be examined and discussed more.
2003-06-29 22:28:00 +00:00
960df3c8d1
Pass lwp pointers throughtout the kernel, as required, so that the lwpid can
...
be inserted into ktrace records. The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.
Bump the kernel rev up to 1.6V
2003-06-28 14:20:43 +00:00
2cadb8ca7a
split ND6 cache timer management to per-entry. increased accuracy,
...
no O(N) loop. sync w/ kame
2003-06-27 08:41:08 +00:00
6d4a3c4191
remove unneeded checks of accept_rtadv. from kame
2003-06-24 07:54:47 +00:00
adb5d5afb4
* kame/sys/netinet6/nd6.c (nd6_rtrequest): changed a condition to
...
decide whether to create an empty llinfo stricter so that a user
can manually change the link-layer address of an existing neighbor
cache.
Pointed out by: KIU Shueng Chuan
from kame
2003-06-24 07:49:03 +00:00
455b7679d4
typo
2003-06-24 07:43:44 +00:00
194f048bd9
use time.tv_sec directly
2003-06-24 07:39:24 +00:00
5b0c3f9506
clear ln_hold earlier. from kame
2003-06-24 07:32:03 +00:00
d505b18964
Make sure to include opt_foo.h if a defflag option FOO is used.
2003-06-23 11:00:59 +00:00
7a5741651c
- sync up MLD declaration with RFC3542 (s/MLD6/MLD/)
...
- routing header declaration with RFC3542
(note: sizeof(ip6_rthdr0) has changed!)
also, sync up with RFC2460 routing header definition (no "strict" source
routing mode any more)
part of advanced API update (RFC2292 -> 3542).
2003-06-06 08:13:43 +00:00
a07ae6a9df
don't try to forward multicast packet to mif that went away; kame
2003-06-06 06:52:29 +00:00
5c0f142820
remove assumption on redirect header option processing. from kame
2003-06-03 05:20:06 +00:00
f46a719b5c
can't use M_WAIT here, i believe.
2003-05-27 22:36:38 +00:00
63715bec6b
backout previous. (sys/net/if.c fixed)
2003-05-16 16:57:35 +00:00
d36e610a01
nd6_rtmsg: If called during if_detach(), TAILQ_FIRST(if_addrlist)
...
could be NULL. This is not a common case, but as nd6_rtmsg()
will be called during if_detach(), we need to check for the
case. reported by kanaoka-san.
2003-05-16 16:19:45 +00:00
4008ec1218
use strlcpy
2003-05-16 03:56:49 +00:00
4d9a92e2a2
remove duplicate. masanori kanaoka
2003-05-16 02:53:28 +00:00
9cf18f13b5
rt->rt_ifp may not always be available. masanori kanaoka via kame
2003-05-15 14:57:58 +00:00
a5d8a0a4f6
check version before computing checksum. checksum is more expensive operation.
2003-05-15 13:46:15 +00:00
19b1e87da3
KNF
2003-05-14 17:02:59 +00:00
6e0f23e7f6
KNF
2003-05-14 17:00:22 +00:00
f77518e2f5
KNF
2003-05-14 14:41:33 +00:00
5eaf3c3113
do not use m_pulldown() to parse intermediate extension headers (like routing).
...
we don't want to drop packets due to extension header parsing. KAME rev 1.59.
(performance may suck, but it is slowpath anyways)
2003-05-14 14:34:14 +00:00
de87ca793d
constant usually has two n.
2003-05-14 12:45:06 +00:00
346e0198f0
always use PULLDOWN_TEST codepath.
2003-05-14 06:47:33 +00:00
9787457fbe
bring a small amount of code out of an if() statement that was doing
...
the same thing for both cases.
2003-05-10 13:23:07 +00:00
874e6573c4
fix invalid pointer setting on RA reception. from kiu shueng chuan via kame
2003-05-08 20:08:52 +00:00
a617975d48
print how big the mtu needs to be for ipv6 ppp.
2003-05-04 13:43:09 +00:00
4be7a2dcf3
Add a new feature-test macro, _NETBSD_SOURCE. If this is defined
...
by the application, all NetBSD interfaces are made visible, even
if some other feature-test macro (like _POSIX_C_SOURCE) is defined.
<sys/featuretest.h> defined _NETBSD_SOURCE if none of _ANSI_SOURCE,
_POSIX_C_SOURCE and _XOPEN_SOURCE is defined, so as to preserve
existing behaviour.
This has two major advantages:
+ Programs that require non-POSIX facilities but define _POSIX_C_SOURCE
can trivially be overruled by putting -D_NETBSD_SOURCE in their CFLAGS.
+ It makes most of the #ifs simpler, in that they're all now ORs of the
various macros, rather than having checks for (!defined(_ANSI_SOURCE) ||
!defined(_POSIX_C_SOURCE) || !defined(_XOPEN_SOURCE)) all over the place.
I've tried not to change the semantics of the headers in any case where
_NETBSD_SOURCE wasn't defined, but there were some places where the
current semantics were clearly mad, and retaining them was harder than
correcting them. In particular, I've mostly normalised things so that
_ANSI_SOURCE gets you the smallest set of stuff, then _POSIX_C_SOURCE,
_XOPEN_SOURCE and _NETBSD_SOURCE in that order.
Tested by building for vax, encouraged by thorpej, and uncontested in
tech-userlevel for a week.
2003-04-28 23:16:11 +00:00
b2fcce1997
style
2003-04-22 10:08:33 +00:00
ee5b1a7c61
Protect the definition of offsetof().
2003-04-17 19:58:57 +00:00
a81c2be8be
avoid mbuf leak in redirect header option attachment. more complete
...
fix to come. from kame
2003-03-31 23:55:46 +00:00
452610ea39
Add in6_localaddr(). From KAME via FreeBSD.
2003-02-27 22:06:38 +00:00
eb5e5b35c1
Make sure to initialize callout structs.
2003-02-25 22:17:47 +00:00
8c1eaadb7a
automatic aggregates are evil. make it static const.
2003-02-24 03:01:03 +00:00
b193480908
Add extensible malloc types, adapted from FreeBSD. This turns
...
malloc types into a structure, a pointer to which is passed around,
instead of an int constant. Allow the limit to be adjusted when the
malloc type is defined, or with a function call, as suggested by
Jonathan Stone.
2003-02-01 06:23:35 +00:00
9115df8c49
success, not sucess. Noted by mjl.
2003-01-28 22:35:02 +00:00
276fd1665c
The Double-Semi-Colon Police.
2003-01-20 05:29:53 +00:00
0efc092563
Remove variable that is only assigned too but not referenced.
2003-01-20 00:39:30 +00:00
40606ab8f2
switch from kame-based m_aux mbuf auxiliary data, to openbsd m_tag
...
implementation. it will simplify porting across *bsd (such as kame/altq),
and make us more synchronized. from Joel Wilsson
2003-01-17 08:11:49 +00:00
177ed24b8b
allocate route_in6 in struct secashead, to avoid mistakenly overrun
...
the end of secashead. Fixes PR18751.
2003-01-08 05:46:49 +00:00
be9a8d8e2f
recover original stanford copyright. sync w/kame
2002-11-27 05:09:36 +00:00
0635de35a3
Remove KDIR=, since SYS_INCLUDE=symlinks and KDIR are not supported any more.
2002-11-26 23:30:07 +00:00
d6f8cc841d
Avoid strict-alias warnings.
2002-11-25 01:55:21 +00:00
c8a8326600
make USE_ENCAPCHECK (in netinet*/*gif.c) to global option, GIF_ENCAPCHECK.
...
#ifdef out unneeded code when possible.
From: Krister Walfridsson <cato@df.lth.se>
2002-11-11 18:35:27 +00:00
1e8dadc8f9
pmtu_probe is not used anywhere (it is used in KAME TCP6-only code).
...
From: Krister Walfridsson <cato@df.lth.se>
2002-11-11 18:26:42 +00:00
6f28503927
need icmp6.h for MULTICAST_PMTUD case. sync w/kame
2002-11-09 03:12:05 +00:00
eab4bb9593
include opt_inet.h -- found by David Laight
2002-11-05 21:46:42 +00:00
29ef3e950d
improve gif lookup performance, when there are many of those,
...
by using radix tree for lookups. tested by yshimizu@iij.
2002-11-05 16:58:11 +00:00
4f27ab21b8
/*CONTCOND*/ while (0)'ed macros
2002-11-02 07:30:55 +00:00
ad337ee31a
plug a memory leak. from sam leffler. sync w/kame
2002-10-31 17:36:16 +00:00
02a04fd9fc
increase correct stat. KAME pr 445
2002-10-28 16:42:44 +00:00
5fc1c3b058
do not differentiate manually configured address from autoconfigured ones
...
wrt prefix management;
- always earn a reference to the prefix when an address is configured
(by ioctl).
- always delete the prefix when an address that has the last referene
is manually removed.
The change should solve the problem raised in KAME-snap 6989.
sync w/kame
2002-10-17 00:07:44 +00:00
d9ae0a6eb1
IPSEC_ESP depends on the "des", "blowfish", "cast128", and "rijndael"
...
attributes.
2002-10-12 15:41:24 +00:00
5b2b587c85
Move netinet, netinet6, ipsec, and ipfilter config defns to
...
netinet/files.ipfilter, etinet/files.netinet, netinet6/files.netinet6,
and netinet6/files.netipsec.
XXX There are still a few stragglers in conf/files, which are entangled
with other network protocols.
2002-10-10 22:45:45 +00:00
b15fea2610
suppress too noisy log by default (can be re-enabled by sysctl). sync w/kame
2002-10-09 20:22:16 +00:00
0f09ed48a5
remove trailing \n in panic(). approved perry.
2002-09-27 15:35:29 +00:00
ce1bd42a2c
length field on PADN option, before jumbo payload option was wrong.
...
sync w/kame
2002-09-23 13:28:55 +00:00
christos