Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
103,299 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

95 Commits

Author SHA1 Message Date
itojun 61da54e3c0 port spec is not permitted to tunnel mode policy, as we don't reassemble 
fragments.  perform more strict check against af match for tunnels.  sync w/kame
 2002-10-04 05:45:22 +00:00
provos 0f09ed48a5 remove trailing \n in panic(). approved perry. 2002-09-27 15:35:29 +00:00
itojun 01965cd2e0 fix signed/unsigned pointer mixup 2002-09-23 13:43:42 +00:00
itojun 9401012487 KNF - return is not a function. sync w/kame. 2002-09-11 02:46:42 +00:00
itojun 6dedde045a correct signedness mixup in pointer passing. sync w/kame 2002-09-11 02:41:19 +00:00
itojun 88122ef746 should return error code from key_senderror(). sync w/kame 2002-08-20 08:17:02 +00:00
itojun ccc183b4d1 fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. 
sync w/kame
 2002-08-20 06:20:26 +00:00
itojun 2169d69bcf correct %d/%u mismatch. sync w/kame 2002-06-27 14:39:45 +00:00
itojun c1808f02bf cache pcb policy as much as possible. in fact, if policy is not 
IPSEC_POLICY_IPSEC we don't need to compare spidx.  sync w/kame
 2002-06-14 14:47:24 +00:00
itojun dc96111483 deep-copy pcb policy if it is an ipsec policy. assign ID field to all 
SPD entries.  make it possible for racoon to grab SPD entry on pcb
(racoon side needs some changes).  sync w/kame
 2002-06-12 17:56:45 +00:00
itojun cc8fe8c179 make function static 2002-06-12 03:46:16 +00:00
itojun bad1f500a7 remove unused functions 2002-06-12 03:37:14 +00:00
itojun 3489976392 do not copy policy-on-socket at all. avoid copying packet header value to 
struct spindex.  should reduce memory usage per socket/pcb, and should speedup
ipsec processing.  sync w/kame
 2002-06-12 01:47:34 +00:00
itojun fa53d749ff share policy-on-pcb for listening socket. sync w/kame 
todo: share even more, avoid frequent updates of spidx
 2002-06-11 19:39:59 +00:00
itojun 52d0ba15c8 reduce unneeded #ifdef 2002-05-30 05:51:21 +00:00
itojun d208a22daa use arc4random() where possible. 
XXX is it necessary to do microtime() on tcp syn cache?
 2002-05-28 10:11:49 +00:00
itojun 12bdf036e2 pull in SPD lifetime management code. fix refcnt for SPD entries. 
sync w/kame
XXX dead SPD entry lifetime - undergoing sakane's review
 2002-05-19 08:22:12 +00:00
itojun 9244bd8154 document net.key.* sysctl. provide sysctl MIB for controlling 
proposal payload on ACQUIRE message.  sync w/kame
 2002-05-19 08:12:55 +00:00
itojun 691d519c66 remove unneeded decl for __ss_{len,family} 2002-05-19 07:54:05 +00:00
itojun 0c85427e40 remove unneeded #if 2002-03-21 04:41:03 +00:00
itojun 53a52c0ad8 pfkey statistics was presented in wrong direction. 2002-03-21 04:23:36 +00:00
itojun 418fefdef0 remove a function no longer in use 2002-03-21 04:10:21 +00:00
itojun 900347e4d0 comment wording 2002-03-21 02:27:50 +00:00
itojun 8e4fadc28a missing splx 2002-03-01 04:19:42 +00:00
itojun 3edb75b9d5 unifdef -D__NetBSD__ 2002-03-01 04:16:38 +00:00
itojun 88123ecf38 change key_timehandler to take void * as argument. sync with kame. 
PR 14351
 2002-01-31 07:05:43 +00:00
itojun 867ce59a46 use ipseclog() instead of #ifdef IPSEC_DEBUG, to make it possible to 
turn on/off debugging messages at runtime.  sync with kame
 2002-01-31 06:35:25 +00:00
itojun 8297f55292 change SPDUPDATE's behavior to meet with the latest KAME kit. 
(there's no need to have policy before SPDUPDATE)
 2002-01-31 06:17:03 +00:00
lukem 2565646230 don't need <sys/types.h> when including <sys/param.h> 2001-11-15 09:47:59 +00:00
lukem 4f2ad95259 add RCSIDs 2001-11-13 00:56:55 +00:00
simonb 5f717f7c33 Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h> 
anymore.
 2001-10-29 07:02:30 +00:00
itojun 07b78861d0 sync with kame: 
fixed the value of the prefixlen in the sadb_address structure.
when pfkey message relative to SA is sent, the prefixlen was incorrect.
 2001-10-19 01:57:20 +00:00
wiz 4c99916337 va_{start,end} audit: 
Make sure that each va_start has one and only one matching va_end,
especially in error cases.
If the va_list is used multiple times, do multiple va_starts/va_ends.
If a function gets va_list as argument, don't let it use va_end (since
it's the callers responsibility).

Improved by comments from enami and christos -- thanks!

Heimdal/krb4/KAME changes already fed back, rest to follow.

Inspired by, but not not based on, OpenBSD.
 2001-09-24 13:22:25 +00:00
wiz 456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00
itojun fd048b8ff1 avoid symbol conflict with "sin()". 2001-08-16 14:28:54 +00:00
itojun 99c5195929 remove "#ifdef IPSEC_DEBUG" conditional from from key_debug.h 
(headers must have no #if).  sync with kame
 2001-08-12 11:52:43 +00:00
itojun 984d46bbc4 there is no KEY_DEBBUG. use IPSEC_DEBUG 2001-08-12 11:48:27 +00:00
itojun 57030e2f12 cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed, 
especially when it is a connected SOCK_STREAM in6?pcb.  sync with kame.
 2001-08-06 10:25:00 +00:00
itojun ce781443e0 pass replay sequence number on sadb_x_sa2 (it's outside of PF_KEY standard 
anyways).
 2001-08-02 12:10:14 +00:00
itojun b26591525e remove "register" variable specifier. sync with kame 2001-08-02 11:32:14 +00:00
itojun 182b1e5191 do not #ifdef KEY_DEBUG in header. sync with kame 2001-07-27 04:48:13 +00:00
mrg 8a49f07b1b avoid assigning to policy_id twice. fixes more gcc 3.0 prerelease errors. 2001-06-04 21:38:28 +00:00
mrg c13e3a6693 use _KERNEL_OPT 2001-05-30 11:40:35 +00:00
wiz 14dbdf5518 Negative exit code cleanup: Replace exit(-x) with exit(x). 
As seen on tech-userlevel.
 2001-04-06 11:13:45 +00:00
jdolecek 522f569810 make some more constant arrays 'const' 2001-02-21 21:39:52 +00:00
thorpej 786149d624 When processing an SADB_DELETE message, allow SADB_EXT_SA to be 
blank.  In this case, we delete all non-LARVAL SAs that match the
src/dst/protocol.  This is particularly useful in IKE INITIAL-CONTACT
processing.  Idea from Bill Sommerfeld <sommerfeld@east.sun.com>, who
implemented it in post-Solaris8.
 2001-02-16 23:53:59 +00:00
itojun a688af5edf if 2nd parameter of key_acquire() is NULL it panics. 
key_acquire () does not really require 2nd argument.
1.179 -> 1.180 on kame.
 2001-01-10 18:52:51 +00:00
itojun 8b5ceae516 don't waste entropy by use of key_random(). use key_randomfill() for 
IV initialization.
 2000-10-07 12:08:33 +00:00
itojun a6f9652adf always use rnd(4) for IPsec random number source. avoid random(9). 
if there's no rnd(4), random(9) will be used with one-time warning printf(9).

XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
 2000-10-05 04:49:17 +00:00
itojun dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat. 
sync with kame.
 2000-10-02 03:55:41 +00:00