Commit Graph

55 Commits

Author SHA1 Message Date
manu be15b99c92 Define SADB_X_EALG_AESCBC=SADB_X_EALG_AES, as we define SADB_X_EALG_AES
in <net/pfkeyv2.h> while ipsec-tools uses SADB_X_EALG_AESCBC in the code.
2005-02-24 13:45:08 +00:00
thorpej c5aea678b7 Additional cleanup pass. 2005-02-19 16:58:26 +00:00
thorpej 354f2a1004 Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.
2005-02-19 16:55:02 +00:00
xtraeme 0b39b8da10 Kill __P(), use ANSI function declarations. 2005-02-17 15:17:44 +00:00
dsl 404e35b651 Add (unsigned char) cast to ctype function, reworked to fit on one line 2004-10-29 19:32:22 +00:00
yamt 5272b4dd6e ignore promiscuous messages by checking sadb_msg_pid.
ok'ed by itojun.
2004-07-23 12:47:55 +00:00
wiz 6819fbfefc Bump date for previous. 2004-04-29 12:46:06 +00:00
jonathan 887b782b0b Initial commit of a port of the FreeBSD implementation of RFC 2385
(MD5 signatures for TCP, as used with BGP).  Credit for original
FreeBSD code goes to Bruce M. Simpson, with FreeBSD sponsorship
credited to sentex.net.  Shortening of the setsockopt() name
attributed to Vincent Jardin.

This commit is a minimal, working version of the FreeBSD code, as
MFC'ed to FreeBSD-4. It has received minimal testing with a ttcp
modified to set the TCP-MD5 option; BMS's additions to tcpdump-current
(tcpdump -M) confirm that the MD5 signatures are correct.  Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).


NOTE: This version has two potential flaws. First, I do see any code
that verifies recieved TCP-MD5 signatures.  Second, the TCP-MD5
options are internally padded and assumed to be 32-bit aligned. A more
space-efficient scheme is to pack all TCP options densely (and
possibly unaligned) into the TCP header ; then do one final padding to
a 4-byte boundary.  Pre-existing comments note that accounting for
TCP-option space when we add SACK is yet to be done. For now, I'm
punting on that; we can solve it properly, in a way that will handle
SACK blocks, as a separate exercise.

In case a pullup to NetBSD-2 is requested, this adds sys/netipsec/xform_tcp.c
,and modifies:

sys/net/pfkeyv2.h,v 1.15
sys/netinet/files.netinet,v 1.5
sys/netinet/ip.h,v 1.25
sys/netinet/tcp.h,v 1.15
sys/netinet/tcp_input.c,v 1.200
sys/netinet/tcp_output.c,v 1.109
sys/netinet/tcp_subr.c,v 1.165
sys/netinet/tcp_usrreq.c,v 1.89
sys/netinet/tcp_var.h,v 1.109
sys/netipsec/files.netipsec,v 1.3
sys/netipsec/ipsec.c,v 1.11
sys/netipsec/ipsec.h,v 1.7
sys/netipsec/key.c,v 1.11
share/man/man4/tcp.4,v 1.16
lib/libipsec/pfkey.c,v 1.20
lib/libipsec/pfkey_dump.c,v 1.17
lib/libipsec/policy_token.l,v 1.8
sbin/setkey/parse.y,v 1.14
sbin/setkey/setkey.8,v 1.27
sbin/setkey/token.l,v 1.15

Note that the preceding two revisions to tcp.4 will be
required to cleanly apply this diff.
2004-04-25 22:25:03 +00:00
jmmv b635f565e7 Homogenize usage messages: make the 'usage' word all lowercase, as this seems
to be the most common practice in our tree.
2004-01-05 23:23:32 +00:00
itojun dda2494d07 aes-xcbc-mac is now an RFC. bump date. 2003-10-21 07:20:11 +00:00
fvdl 83c93c70ba Don't assign NULL to a char. 2003-10-21 02:38:15 +00:00
itojun e1d953a832 support DUMP by sysctl 2003-09-12 07:45:21 +00:00
itojun 0398a95f59 make it possible to use /kern/ipsec{sp,sa} for dumping policy/SA. it will
workaround the issue with socket buffer size in PF_KEY SADB_DUMP.
2003-09-08 12:34:29 +00:00
wiz da332882ea Add file ... mode to usage. 2003-09-08 07:09:53 +00:00
wiz c557470784 Punctuation nit; bump date for previous. 2003-09-08 07:09:13 +00:00
itojun 4380703631 make it possible to process files. 2003-09-08 06:18:49 +00:00
itojun 9effb481fb "tagged" policy is not introduced to netbsd-current yet 2003-09-07 22:21:01 +00:00
itojun 967747c406 committed by mistake 2003-09-07 22:20:05 +00:00
itojun 643b0ddea3 warn that port-number does not work for gateway config. PR kern/22715
add reference.  bump date.
2003-09-07 22:18:58 +00:00
mrg 5a777a5e59 add another (void *) cast to appease gcc3.3 2003-07-26 15:28:24 +00:00
itojun 182a98314c support new algorithms 2003-07-25 10:06:09 +00:00
itojun aada1051de support hmac-sha2 2003-07-22 03:38:14 +00:00
itojun 453e29a18a cleanup 2003-07-22 03:37:59 +00:00
wiz 6e047dae78 Bump date for last. 2003-07-04 13:09:58 +00:00
itojun 5af08a4965 more error traps on malloc failure. accept "-E null".
various pedantic checks.  from kame
2003-07-01 07:20:12 +00:00
wiz 9f3dc3febc Remove unnecessary space before dot. 2003-06-30 11:48:05 +00:00
itojun 1fc7a4943e correct bad RFC ref. KAME problem report 480 2003-05-27 02:37:24 +00:00
itojun eb44a81d7f permit scoped addr notation in policy string (-P esp/tunnel/foo%scope-bar%scope/use). from francis dupont. sync w/kame 2003-05-22 04:01:49 +00:00
itojun 781846fcdb use NI_MAX*. 10 is not enough for port number. sync w/kame 2003-04-15 07:32:06 +00:00
wiz 4163cb2aee Fix some typos. From Igor Sobrado in PR 20722. 2003-03-15 22:25:37 +00:00
thorpej 92896efa64 Avoid strict alias warnings. 2002-12-06 02:20:43 +00:00
lukem 7360d7b6ae Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path 2002-08-19 10:16:51 +00:00
itojun 33fe7af9a4 sync with latest kame setkey(8), modulo icmp6 hack.
pfkey.c is now more picky about buffer length validation.
spddump (setkey -DP) will print lifetime information.
2002-05-14 11:24:20 +00:00
wiz 83634e4e14 Slightly improve markup in two places, sort sections. 2001-11-16 12:10:06 +00:00
wiz 4ce43ae0cd Whitespace nits 2001-11-16 10:25:42 +00:00
lukem 895db4cb83 fix -Wshadow warnings 2001-11-02 03:57:25 +00:00
toshii 0ea3ab3e14 Fix a typo which prevented manual keying from working. 2001-09-20 00:01:10 +00:00
itojun 3fdd7a9bab upgrade to the latest KAME setkey(8). allows FQDN hostname in commands.
"add localhost localhost esp 9999 -E des-cbc hogehoge" adds two keys,
for 127.0.0.1 and ::1
2001-09-07 04:12:10 +00:00
itojun 733748c930 we have never supported lzs. sync with kame 2001-08-16 06:39:09 +00:00
itojun f0a37a3a91 sync with latest kame. clarifies hex key and other things. 2001-08-12 09:38:18 +00:00
wiz cbd2a2a6a6 Drop trailing dot in Nd. 2001-06-05 12:46:08 +00:00
kleink 017a840cd9 getopt(3): EOF -> -1. 2001-05-07 14:51:46 +00:00
thorpej 617bd311bc Add a "deleteall" command that takes a src/dst/protocol. 2001-02-16 23:55:05 +00:00
christos 180360ac44 remove redundant decl 2001-02-04 21:56:11 +00:00
cgd 2ed72303ae avoid use of ANSI C trigraph ??/ 2000-12-20 01:05:22 +00:00
itojun 00f86cf2f4 use YHEADER, not YFLAGS+=-d. from kre 2000-10-29 12:32:06 +00:00
itojun 055f6cd999 have description on -v. sync with kame 2000-10-15 13:43:51 +00:00
itojun 4bfd9169a9 support rijndael-cbc. 2000-10-03 21:48:33 +00:00
gmcgarry 69a9911e49 Fix spelling. 2000-09-20 22:08:01 +00:00
kleink 2caf6aacdd For commands and utilities, use EXIT STATUS rather than RETURN VALUES as
appropriate (and documented in mdoc(7)).
2000-09-04 07:30:07 +00:00