blank. In this case, we delete all non-LARVAL SAs that match the
src/dst/protocol. This is particularly useful in IKE INITIAL-CONTACT
processing. Idea from Bill Sommerfeld <sommerfeld@east.sun.com>, who
implemented it in post-Solaris8.
if there's no rnd(4), random(9) will be used with one-time warning printf(9).
XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
support ipcomp ACQUIRE messages (again).
it violates RFC2367 slightly. RFC2367 does not suport ipcomp at all
so we have no choice.
(KAME 1.151 -> 1.152)
do not leave dangling pointer after KFREE(). caused kernel panic with
certain PF_KEY message (error case) - only root can open PF_KEY socket
so it is not security issue.
(KAME 1.152 -> 1.153)
cbc-over-mbuf functions in sys/crypto.
the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.
XXX: it looks that past blowfish-cbc code was buggy. i ran some test pattern,
and new blowfish-cbc code looks more correct. there's no interoperability
between the old code (before the commit) and the new code (after the commit).
XXX: need serious interop tests before move it into 1.5 branch
sync with kame.
loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
to mention here. notable changes are like below.
kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.
setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification
timeout()/untimeout() API:
- Clients supply callout handle storage, thus eliminating problems of
resource allocation.
- Insertion and removal of callouts is constant time, important as
this facility is used quite a lot in the kernel.
The old timeout()/untimeout() API has been removed from the kernel.
(net/pfkeyv2.h used to just include netkey/keyv2.h).
netkey/keyv2.h includes #error only for several days, to inform
of file path change. after that I plan to nuke the file.
- interop issues in ipcomp is fixed
- padding type (after ESP) is configurable
- key database memory management (need more fixes)
- policy specification is revisited
XXX m->m_pkthdr.rcvif is still overloaded - hope to fix it soon