OpenBSD CVS

CVS log for src/sys/netinet/ip_esp.c


Default branch: MAIN


Revision 1.196, Fri Jun 7 13:15:25 2024 UTC, by jsg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.195: +1 -3 lines

remove MAXBUFSIZ define, unused since rev 1.33

Revision 1.195, Tue May 3 09:18:11 2022 UTC, by claudio
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.194: +3 -3 lines

Retire CRYPTO_F_MPSAFE; it is no longer of any use. The crypto framework
no longer uses a callback and so there is no need to define the
callback as MPSAFE.
OK bluhm@

Revision 1.194, Thu Jan 20 11:06:57 2022 UTC, by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.193: +2 -2 lines

Shifting signed integers left by 31 is undefined behavior in C.
found by kubsan; joint work with tobhe@; OK miod@

Revision 1.193, Thu Dec 23 22:35:11 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.192: +2 -5 lines

Remove unused variables and assignments in ah and esp output.
found by clang 13; OK tobhe@

Revision 1.192, Thu Dec 23 12:21:48 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.191: +1 -5 lines

IPsec is not MP safe yet.  To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock.  Not much is lost as crypto needs the kernel lock
anyway.  From here we can refine the lock later.
Note that there is no kernel lock in the SPD lookup path.  Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@

Revision 1.191, Mon Dec 20 17:09:18 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.190: +2 -4 lines

Remove unused variable 'clen'.

ok bluhm@

Revision 1.190, Mon Dec 20 15:59:09 2021 UTC, by mvs
Branch: MAIN
Changes since 1.189: +2 -2 lines

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

Revision 1.189, Sat Dec 11 16:33:47 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.188: +17 -9 lines

Protect the write access to the TDB flags field with a mutex per
TDB.  Clearing the timeout flags just before pool put in tdb_free()
does not make sense.  Move this to tdb_delete().  While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@

Revision 1.188, Sun Nov 21 16:17:48 2021 UTC, by mvs
Branch: MAIN
Changes since 1.187: +3 -1 lines

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@

Revision 1.187, Thu Nov 11 18:08:18 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.186: +2 -18 lines

Do not call ip_deliver() recursively from IPsec.  As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@

Revision 1.186, Mon Nov 8 22:36:18 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.185: +2 -2 lines

Use plen consistently.

ok patrick@

Revision 1.185, Thu Nov 4 14:45:07 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.184: +2 -2 lines

The authenticator is removed elsewhere.

ok patrick@

Revision 1.184, Sun Oct 24 23:33:37 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.183: +30 -51 lines

Merge esp_input_cb() into esp_input().

ok bluhm@

Revision 1.183, Sun Oct 24 17:08:27 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.182: +7 -6 lines

There are more m_pullup() in IPsec input.  Pass down the pointer
to the mbuf to update it globally.  At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@

Revision 1.182, Sun Oct 24 15:47:39 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.181: +13 -74 lines

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@

Revision 1.181, Sun Oct 24 14:50:42 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.180: +7 -13 lines

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@

Revision 1.180, Sun Oct 24 14:24:29 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.179: +3 -15 lines

Pass the error of the IPsec callback to the caller.  The dropped
counter is handled there.
OK tobhe@

Revision 1.179, Sat Oct 23 22:19:37 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.178: +4 -3 lines

There is an m_pullup() down in AH input.  As it may free or change
the mbuf, the callers must be careful.  Although there is no bug,
use the common pattern to handle this.  Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@

Revision 1.178, Sat Oct 23 15:42:35 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.177: +58 -9 lines

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity.  Dedicated crypto offloading devices are not common
anymore.  Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@

Revision 1.177, Fri Oct 22 15:44:20 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.176: +6 -6 lines

Make error handling in IPsec consistent.  Pass errors to the callers.
OK tobhe@

Revision 1.176, Thu Oct 21 22:59:07 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.175: +3 -3 lines

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@

Revision 1.175, Thu Oct 21 08:39:33 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.174: +4 -6 lines

Remove duplicate variable ibytes, use plen instead.

ok bluhm@

Revision 1.174, Wed Oct 13 22:43:44 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.173: +5 -5 lines

The function crypto_dispatch() never returns an error.  Make it
void and remove error handling in the callers.
OK patrick@ mvs@

Revision 1.173, Wed Oct 13 14:36:31 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.172: +2 -3 lines

The function ipip_output() was registered as .xf_output() xform
function.  But it is never called via this pointer.  It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output.  This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@

Revision 1.172, Tue Jul 27 17:13:03 2021 UTC, by mvs
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.171: +2 -2 lines

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Revision 1.171, Mon Jul 26 23:17:06 2021 UTC, by mvs
Branch: MAIN
Changes since 1.170: +2 -2 lines

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Revision 1.170, Mon Jul 26 21:27:57 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.169: +3 -7 lines

Do not queue crypto operations for IPsec.  The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now.  Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@

Revision 1.169, Sun Jul 18 14:38:20 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.168: +10 -6 lines

The IPsec authentication before decryption used a different replay
counter than after decryption.  This could result in "esp_input_cb:
authentication failed for packet in SA" errors.  As we run crypto
operations async, thousands of packets are stored in the crypto
task.  During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter.  Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@

Revision 1.168, Fri Jul 16 15:08:39 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.167: +7 -7 lines

Improve comments in IPsec replay window calculation.
OK tobhe@

Revision 1.167, Thu Jul 8 21:07:19 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.166: +2 -2 lines

The xformsw array never changes.  Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@

Revision 1.166, Thu Jul 8 15:13:14 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.165: +83 -86 lines

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output.  Move the function name and the newline into
the DPRINTF macro.  This simplifies the debug statements.
OK tobhe@

Revision 1.165, Thu Jul 8 09:22:30 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.164: +9 -9 lines

The properties of the crypto algorithms never change.  Declare them
constant.  Then they are mapped as read only.
OK deraadt@ dlg@

Revision 1.164, Wed Jul 7 18:03:46 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.163: +2 -2 lines

Fix whitespaces in IPsec code.

Revision 1.163, Fri Jun 18 15:34:21 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.162: +19 -7 lines

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock.  There were crashes in swcr_authenc()
when it was accessing swcr_sessions.  As a quick fix, protect all
calls from network stack to crypto with kernel lock.  This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@

Revision 1.162, Thu Feb 25 02:48:21 2021 UTC, by dlg
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.161: +4 -4 lines

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@

Revision 1.161, Fri Dec 18 12:30:23 2020 UTC, by tobhe
Branch: MAIN
Changes since 1.160: +6 -5 lines

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303).  It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@

Revision 1.160, Wed Dec 16 19:28:59 2020 UTC, by tobhe
Branch: MAIN
Changes since 1.159: +10 -2 lines

Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20.
This eliminates the risk for IV reuse because of random collisions
and increases performance a little.

ok patrick@ markus@

Revision 1.159, Mon Sep 30 01:53:05 2019 UTC, by dlg
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.158: +2 -2 lines

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.

Revision 1.158, Tue Aug 28 15:15:02 2018 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.157: +6 -3 lines

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@

Revision 1.157, Thu Jul 12 15:51:50 2018 UTC, by mpi
Branch: MAIN
Changes since 1.156: +9 -57 lines

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@

Revision 1.156, Wed Jul 11 09:07:59 2018 UTC, by mpi
Branch: MAIN
Changes since 1.155: +2 -2 lines

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@

Revision 1.155, Tue Jul 10 11:34:12 2018 UTC, by mpi
Branch: MAIN
Changes since 1.154: +8 -47 lines

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels.  Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@

Revision 1.154, Wed May 9 16:00:28 2018 UTC, by bluhm
Branch: MAIN
Changes since 1.153: +79 -84 lines

Cleanup IPsec ESP error handling with consistent goto drop.
with and OK markus@

Revision 1.152.2.1, Thu May 3 16:40:27 2018 UTC, by bluhm
Branch: OPENBSD_6_3
Changes since 1.152: +20 -7 lines
Next main revision: 1.153

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly.  Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously.  So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input.  Use a temporary variable
to save the value.
found by Maxime Villard; from NetBSD; OK markus@ claudio@
OpenBSD 6.3 errata 006

Revision 1.150.4.1, Thu May 3 16:38:57 2018 UTC, by bluhm
Branch: OPENBSD_6_2
Changes since 1.150: +20 -7 lines
Next main revision: 1.151

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly.  Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously.  So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input.  Use a temporary variable
to save the value.
found by Maxime Villard; from NetBSD; OK markus@ claudio@
OpenBSD 6.2 errata 013

Revision 1.153, Wed May 2 21:28:01 2018 UTC, by bluhm
Branch: MAIN
Changes since 1.152: +20 -7 lines

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly.  Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously.  So when using
this length to calculate the amount of adjustment, do not calculate
it again after m_adj() with wrong input.  Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@

Revision 1.152, Wed Nov 8 16:29:20 2017 UTC, by visa
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE
Branch point for: OPENBSD_6_3
Changes since 1.151: +34 -36 lines

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@

Revision 1.151, Mon Nov 6 15:12:43 2017 UTC, by mpi
Branch: MAIN
Changes since 1.150: +48 -49 lines

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@

Revision 1.150, Fri Aug 11 21:24:20 2017 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE
Branch point for: OPENBSD_6_2
Changes since 1.149: +13 -14 lines

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Revision 1.149, Tue May 30 16:07:22 2017 UTC, by deraadt
Branch: MAIN
Changes since 1.148: +3 -3 lines

add sizes to free() calls

Revision 1.148, Tue May 2 11:44:32 2017 UTC, by mikeb
Branch: MAIN
Changes since 1.147: +2 -2 lines

Switch OCF and IPsec over to the new AES

ok djm

Revision 1.147, Thu Apr 6 17:36:18 2017 UTC, by dhill
Branch: MAIN
Changes since 1.146: +7 -6 lines

Convert bcopy to memcpy where the memory does not overlap, otherwise,
use memmove.  While here, change some previous conversions to a simple
assignment.

ok deraadt@

Revision 1.146, Tue Feb 7 18:18:16 2017 UTC, by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.145: +3 -3 lines

IPsec packets could be dropped unaccounted if output after crypto
failed.  Add a counter for that case.
OK dhill@

Revision 1.145, Tue Feb 7 17:25:46 2017 UTC, by patrick
Branch: MAIN
Changes since 1.144: +7 -7 lines

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list.  If more than two cryptodesc objects are
required use mallocarray to fetch them.  Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@

Revision 1.144, Tue Feb 7 15:10:48 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.143: +21 -31 lines

The return code of crp_callback is never checked, so it is not
useful to propagate the error.  When an error occurs in an asynchronous
network path, incrementing a counter is the right thing.  There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@

Revision 1.143, Mon Jan 9 17:10:03 2017 UTC, by mpi
Branch: MAIN
Changes since 1.142: +8 -8 lines

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@

Revision 1.142, Sat Dec 24 11:17:35 2016 UTC, by mpi
Branch: MAIN
Changes since 1.141: +5 -5 lines

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hard way by and ok kettenis@

Revision 1.141, Mon Sep 19 18:09:22 2016 UTC, by tedu
Branch: MAIN
Changes since 1.140: +8 -8 lines

convert bcopy to memcpy. from david hill.

Revision 1.140, Tue Sep 13 19:56:55 2016 UTC, by markus
Branch: MAIN
Changes since 1.139: +9 -8 lines

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@

Revision 1.139, Thu Aug 18 06:01:10 2016 UTC, by dlg
Branch: MAIN
Changes since 1.138: +6 -14 lines

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@

Revision 1.138, Mon Aug 15 11:35:25 2016 UTC, by dlg
Branch: MAIN
Changes since 1.137: +2 -2 lines

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@

Revision 1.137, Mon Mar 7 18:44:00 2016 UTC, by naddy
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.136: +2 -2 lines

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

Revision 1.136, Wed Dec 9 21:41:50 2015 UTC, by naddy
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.135: +1 -5 lines

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

Revision 1.135, Tue Nov 3 01:50:36 2015 UTC, by mikeb
Branch: MAIN
Changes since 1.134: +19 -3 lines

Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks

ok naddy

Revision 1.134, Wed Jul 15 22:16:42 2015 UTC, by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.133: +3 -5 lines

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi

Revision 1.133, Mon Jun 15 12:59:37 2015 UTC, by mikeb
Branch: MAIN
Changes since 1.132: +9 -11 lines

No need for an extra local variable;  no functional change.

Revision 1.132, Mon Jun 15 12:37:37 2015 UTC, by mikeb
Branch: MAIN
Changes since 1.131: +11 -15 lines

Use proper argument type for crp_callback functions; no functional change.

Revision 1.131, Fri Apr 17 11:04:01 2015 UTC, by mikeb
Branch: MAIN
Changes since 1.130: +22 -58 lines

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

Revision 1.130, Tue Apr 14 14:20:01 2015 UTC, by mikeb
Branch: MAIN
Changes since 1.129: +74 -33 lines

make ipsp_address thread safe;  ok mpi

Revision 1.129, Fri Dec 19 17:14:40 2014 UTC, by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.128: +1 -8 lines

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Revision 1.128, Fri Dec 5 15:50:04 2014 UTC, by mpi
Branch: MAIN
Changes since 1.127: +2 -1 lines

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

Revision 1.127, Tue Nov 18 02:37:31 2014 UTC, by tedu
Branch: MAIN
Changes since 1.126: +1 -3 lines

move arc4random prototype to systm.h. more appropriate for most code
to include that than rndvar.h. ok deraadt dlg

Revision 1.126, Tue Jul 22 11:06:10 2014 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.125: +1 -2 lines

Fewer <netinet/in_systm.h> !

Revision 1.125, Sat Jul 12 18:44:23 2014 UTC, by tedu
Branch: MAIN
Changes since 1.124: +12 -12 lines

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Revision 1.124, Wed Jul 9 09:30:49 2014 UTC, by henning
Branch: MAIN
Changes since 1.123: +1 -1 lines

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno

Revision 1.123, Thu Jan 9 06:29:06 2014 UTC, by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.122: +8 -8 lines

bzero/bcmp -> memset/memcmp. ok matthew

Revision 1.122, Thu Apr 11 12:06:25 2013 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.121: +4 -1 lines

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

Revision 1.121, Thu Feb 14 16:22:34 2013 UTC, by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.120: +43 -52 lines

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements.  ok markus

Revision 1.120, Thu Oct 18 10:49:48 2012 UTC, by markus
Branch: MAIN
Changes since 1.119: +44 -22 lines

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@

Revision 1.119, Thu Sep 20 10:25:03 2012 UTC, by blambert
Branch: MAIN
Changes since 1.118: +3 -3 lines

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@

Revision 1.118 / (download) - annotate - [select for diffs], Tue Sep 18 09:24:45 2012 UTC (11 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.117: +25 -82 lines
Diff to previous 1.117 (colored)

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@

Revision 1.117 / (download) - annotate - [select for diffs], Fri Jun 29 14:48:04 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.116: +137 -45 lines
Diff to previous 1.116 (colored)

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303.  Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

Revision 1.116 / (download) - annotate - [select for diffs], Tue Jan 11 15:42:05 2011 UTC (13 years, 5 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.115: +3 -3 lines
Diff to previous 1.115 (colored)

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Revision 1.115 / (download) - annotate - [select for diffs], Tue Dec 21 14:45:57 2010 UTC (13 years, 5 months ago) by markus
Branch: MAIN
Changes since 1.114: +2 -1 lines
Diff to previous 1.114 (colored)

don't leak mbuf if padding fails; ok mikeb@

Revision 1.114 / (download) - annotate - [select for diffs], Wed Oct 6 22:19:20 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.113: +1 -5 lines
Diff to previous 1.113 (colored)

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days.  According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.

Revision 1.113 / (download) - annotate - [select for diffs], Thu Sep 23 16:33:48 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.112: +5 -77 lines
Diff to previous 1.112 (colored)

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert

Revision 1.112 / (download) - annotate - [select for diffs], Wed Sep 22 13:40:05 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.111: +61 -9 lines
Diff to previous 1.111 (colored)

Support for AES-GCM-16 and ENCR_NULL_AUTH_AES_GMAC in ESP as per
RFC 4106 and 4543.

Authentication hash key is set to be the same as an encryption key.

The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).

ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.

This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.

Revision 1.111 / (download) - annotate - [select for diffs], Tue Jul 20 15:36:03 2010 UTC (13 years, 10 months ago) by matthew
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.110: +2 -2 lines
Diff to previous 1.110 (colored)

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Revision 1.110 / (download) - annotate - [select for diffs], Fri Jul 9 16:58:06 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.109: +8 -5 lines
Diff to previous 1.109 (colored)

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table.  The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;).  Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups.  Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

Revision 1.109 / (download) - annotate - [select for diffs], Fri Jul 2 02:40:16 2010 UTC (13 years, 11 months ago) by blambert
Branch: MAIN
Changes since 1.108: +4 -4 lines
Diff to previous 1.108 (colored)

m_copyback can fail to allocate memory, but is a void function so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@

Revision 1.108 / (download) - annotate - [select for diffs], Thu Jul 1 02:09:45 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.107: +2 -2 lines
Diff to previous 1.107 (colored)

Allow specifying an alternative enc(4) interface for an SA.  All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@

Revision 1.107 / (download) - annotate - [select for diffs], Tue Jun 29 21:28:37 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.106: +20 -18 lines
Diff to previous 1.106 (colored)

Replace enc(4) with a new implementation as a cloner device.  We still
create enc0 by default, but it is possible to add additional enc
interfaces.  This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@

Revision 1.106 / (download) - annotate - [select for diffs], Sun Jan 10 12:43:07 2010 UTC (14 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.105: +7 -15 lines
Diff to previous 1.105 (colored)

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
    bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
    nnn/2 bits, while we still use 96 bits. 96 bits have been
    specified in draft-ietf-ipsec-ciph-sha-256-00 while
    draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

Revision 1.105 / (download) - annotate - [select for diffs], Mon Jun 9 07:07:17 2008 UTC (16 years ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5, OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.104: +2 -2 lines
Diff to previous 1.104 (colored)

rename arc4random_bytes => arc4random_buf to match libc's nicer name;
ok deraadt@

Revision 1.104 / (download) - annotate - [select for diffs], Mon Nov 19 11:03:21 2007 UTC (16 years, 6 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.103: +1 -2 lines
Diff to previous 1.103 (colored)

Remove the #define ENCDEBUG that slipped through somehow.
OK hshoexer@

Revision 1.103 / (download) - annotate - [select for diffs], Wed Oct 17 20:01:26 2007 UTC (16 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.102: +7 -6 lines
Diff to previous 1.102 (colored)

Convert MALLOC/FREE to malloc/free.

ok gilles@

Revision 1.102 / (download) - annotate - [select for diffs], Sat Oct 6 02:18:38 2007 UTC (16 years, 8 months ago) by krw
Branch: MAIN
Changes since 1.101: +10 -10 lines
Diff to previous 1.101 (colored)

Oops. Forgot to do FREE -> free when I did MALLOC -> malloc.

Revision 1.101 / (download) - annotate - [select for diffs], Wed Oct 3 10:52:11 2007 UTC (16 years, 8 months ago) by krw
Branch: MAIN
Changes since 1.100: +4 -9 lines
Diff to previous 1.100 (colored)

MALLOC+bzero -> malloc+M_ZERO.

In ip_esp.c all allocated memory is now zero'd in the
"malloc(sizeof(*tc) + alen ..." case. The +alen memory was not
initialized by the bzero() call. Noticed by chl@.

"Looks good" art@ "seems ok" chl@

Revision 1.100 / (download) - annotate - [select for diffs], Fri Dec 15 09:32:30 2006 UTC (17 years, 6 months ago) by otto
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.99: +4 -1 lines
Diff to previous 1.99 (colored)

make enc(4) count; ok markus@ henning@ deraadt@

Revision 1.99 / (download) - annotate - [select for diffs], Thu Sep 21 11:10:52 2006 UTC (17 years, 8 months ago) by otto
Branch: MAIN
Changes since 1.98: +5 -5 lines
Diff to previous 1.98 (colored)

ugly trailing ws; from bret dot lambert at gmail

Revision 1.98 / (download) - annotate - [select for diffs], Sun May 28 02:04:15 2006 UTC (18 years ago) by mcbride
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.97: +3 -3 lines
Diff to previous 1.97 (colored)

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@

Revision 1.97 / (download) - annotate - [select for diffs], Sat Mar 25 22:41:48 2006 UTC (18 years, 2 months ago) by djm
Branch: MAIN
Changes since 1.96: +3 -2 lines
Diff to previous 1.96 (colored)

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@

Revision 1.96 / (download) - annotate - [select for diffs], Tue Dec 20 13:36:28 2005 UTC (18 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.95: +4 -5 lines
Diff to previous 1.95 (colored)

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption.  otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer

Revision 1.95 / (download) - annotate - [select for diffs], Fri Aug 5 12:16:13 2005 UTC (18 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.94: +7 -1 lines
Diff to previous 1.94 (colored)

don't panic for SADB_ADD w/o enc/auth, with and ok hshoexer@

Revision 1.94 / (download) - annotate - [select for diffs], Tue Aug 2 10:51:47 2005 UTC (18 years, 10 months ago) by djm
Branch: MAIN
Changes since 1.93: +2 -2 lines
Diff to previous 1.93 (colored)

use arc4random for random packet padding (largely academic because it is
deprecated anyway); ok hshoexer@

Revision 1.93 / (download) - annotate - [select for diffs], Sun Jul 31 03:52:19 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
Changes since 1.92: +5 -14 lines
Diff to previous 1.92 (colored)

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths.  Also removes a fair bit of duplicated code.

commit now, tune after deraadt@

Revision 1.92 / (download) - annotate - [select for diffs], Sat May 28 15:10:07 2005 UTC (19 years ago) by ho
Branch: MAIN
Changes since 1.91: +15 -1 lines
Diff to previous 1.91 (colored)

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@

Revision 1.91 / (download) - annotate - [select for diffs], Fri May 27 18:23:18 2005 UTC (19 years ago) by markus
Branch: MAIN
Changes since 1.90: +7 -2 lines
Diff to previous 1.90 (colored)

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer

Revision 1.90 / (download) - annotate - [select for diffs], Wed May 25 05:47:53 2005 UTC (19 years ago) by markus
Branch: MAIN
Changes since 1.89: +6 -5 lines
Diff to previous 1.89 (colored)

AESCTR support for ESP (RFC 3686); ok hshoexer

Revision 1.89 / (download) - annotate - [select for diffs], Tue May 10 13:42:11 2005 UTC (19 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.88: +9 -2 lines
Diff to previous 1.88 (colored)

support NULL encryption for ESP; ok hshoexer, ho

Revision 1.32.2.6 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:23 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.32.2.5: +38 -26 lines
Diff to previous 1.32.2.5 (colored) to branchpoint 1.32 (colored) next main 1.33 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.88 / (download) - annotate - [select for diffs], Wed Dec 10 07:22:43 2003 UTC (20 years, 6 months ago) by itojun
Branch: MAIN
CVS Tags: SMP_SYNC_B, SMP_SYNC_A, OPENBSD_3_7_BASE, OPENBSD_3_7, OPENBSD_3_6_BASE, OPENBSD_3_6, OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.87: +3 -3 lines
Diff to previous 1.87 (colored)

de-register.  deraadt ok

Revision 1.87 / (download) - annotate - [select for diffs], Thu Aug 14 19:00:12 2003 UTC (20 years, 10 months ago) by jason
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.86: +2 -2 lines
Diff to previous 1.86 (colored)

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.

Revision 1.86 / (download) - annotate - [select for diffs], Thu Jul 24 09:59:02 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.85: +5 -5 lines
Diff to previous 1.85 (colored)

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)

Revision 1.85 / (download) - annotate - [select for diffs], Thu Jul 24 08:03:20 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
Changes since 1.84: +13 -1 lines
Diff to previous 1.84 (colored)

hmac-sha2-{256,384,512} support in AH/ESP auth.  markus ok

Revision 1.84 / (download) - annotate - [select for diffs], Wed Jul 9 18:21:16 2003 UTC (20 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.83: +22 -22 lines
Diff to previous 1.83 (colored)

fix whitespace

Revision 1.69.4.3 / (download) - annotate - [select for diffs], Mon May 19 22:40:40 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.69.4.2: +49 -46 lines
Diff to previous 1.69.4.2 (colored) to branchpoint 1.69 (colored) next main 1.70 (colored)

sync

Revision 1.32.2.5 / (download) - annotate - [select for diffs], Tue May 13 19:36:17 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.32.2.4: +30 -33 lines
Diff to previous 1.32.2.4 (colored) to branchpoint 1.32 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.83 / (download) - annotate - [select for diffs], Sat May 3 01:43:07 2003 UTC (21 years, 1 month ago) by itojun
Branch: MAIN
CVS Tags: UBC_SYNC_A
Changes since 1.82: +2 -1 lines
Diff to previous 1.82 (colored)

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok

Revision 1.82 / (download) - annotate - [select for diffs], Wed Apr 2 20:09:26 2003 UTC (21 years, 2 months ago) by millert
Branch: MAIN
Changes since 1.81: +22 -21 lines
Diff to previous 1.81 (colored)

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@

Revision 1.81 / (download) - annotate - [select for diffs], Mon Mar 31 20:52:06 2003 UTC (21 years, 2 months ago) by millert
Branch: MAIN
Changes since 1.80: +8 -13 lines
Diff to previous 1.80 (colored)

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@).  OK jason@ and angelos@

Revision 1.32.2.4 / (download) - annotate - [select for diffs], Fri Mar 28 00:06:54 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.32.2.3: +133 -134 lines
Diff to previous 1.32.2.3 (colored) to branchpoint 1.32 (colored)

Sync the SMP branch with 3.3

Revision 1.80 / (download) - annotate - [select for diffs], Fri Feb 28 21:42:56 2003 UTC (21 years, 3 months ago) by jason
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.79: +7 -6 lines
Diff to previous 1.79 (colored)

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
  while off in crypto land.
- a small bit of knf.

Revision 1.79 / (download) - annotate - [select for diffs], Fri Feb 21 20:50:58 2003 UTC (21 years, 3 months ago) by tedu
Branch: MAIN
Changes since 1.78: +2 -7 lines
Diff to previous 1.78 (colored)

kill unused variables

ok jason@

Revision 1.78 / (download) - annotate - [select for diffs], Wed Feb 12 14:41:07 2003 UTC (21 years, 4 months ago) by jason
Branch: MAIN
Changes since 1.77: +3 -1 lines
Diff to previous 1.77 (colored)

Remove commons; inspired by netbsd.

Revision 1.77 / (download) - annotate - [select for diffs], Sat Feb 1 14:11:40 2003 UTC (21 years, 4 months ago) by dhartmei
Branch: MAIN
Changes since 1.76: +2 -1 lines
Diff to previous 1.76 (colored)

m_pad() is expected to have free'd the mbuf if it returns NULL, so
free it in one (rare) error condition. ok angelos@

Revision 1.69.6.1 / (download) - annotate - [select for diffs], Wed Jan 22 23:49:42 2003 UTC (21 years, 4 months ago) by miod
Branch: OPENBSD_3_1
Changes since 1.69: +10 -3 lines
Diff to previous 1.69 (colored) next main 1.70 (colored)

Pull in patch from current:
Fix (ho):
Check for invalid payload lengths also for NULL enc.

Revision 1.75.2.1 / (download) - annotate - [select for diffs], Fri Nov 8 00:08:27 2002 UTC (21 years, 7 months ago) by jason
Branch: OPENBSD_3_2
Changes since 1.75: +10 -3 lines
Diff to previous 1.75 (colored) next main 1.76 (colored)

Pull in patch from current:
Fix (ho):
Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.

Revision 1.76 / (download) - annotate - [select for diffs], Thu Nov 7 15:16:39 2002 UTC (21 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.75: +10 -3 lines
Diff to previous 1.75 (colored)

Check for invalid payload lengths also for NULL enc. markus@, angelos@ ok.

Revision 1.69.4.2 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:47 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.69.4.1: +70 -106 lines
Diff to previous 1.69.4.1 (colored) to branchpoint 1.69 (colored)

sync to -current

Revision 1.75 / (download) - annotate - [select for diffs], Tue Jul 30 19:09:36 2002 UTC (21 years, 10 months ago) by jason
Branch: MAIN
CVS Tags: UBC_SYNC_B, OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_2
Changes since 1.74: +2 -2 lines
Diff to previous 1.74 (colored)

Be sure to check the integrity verifier for packets that didn't have it done
in hardware; from angelos

Revision 1.74 / (download) - annotate - [select for diffs], Fri Jul 5 23:20:53 2002 UTC (21 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.73: +5 -3 lines
Diff to previous 1.73 (colored)

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com

Revision 1.73 / (download) - annotate - [select for diffs], Tue Jun 18 23:03:26 2002 UTC (21 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.72: +58 -102 lines
Diff to previous 1.72 (colored)

KNF

Revision 1.72 / (download) - annotate - [select for diffs], Tue Jun 18 22:48:16 2002 UTC (21 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.71: +2 -1 lines
Diff to previous 1.71 (colored)

Initialize mo to NULL, for good measure -- sam@errno.com

Revision 1.71 / (download) - annotate - [select for diffs], Tue Jun 18 19:25:48 2002 UTC (21 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.70: +8 -3 lines
Diff to previous 1.70 (colored)

Same as with ip_ah.c (fix unreachable reference-after-free)

Revision 1.69.4.1 / (download) - annotate - [select for diffs], Tue Jun 11 03:31:36 2002 UTC (22 years ago) by art
Branch: UBC
Changes since 1.69: +52 -23 lines
Diff to previous 1.69 (colored)

Sync UBC branch to -current

Revision 1.70 / (download) - annotate - [select for diffs], Fri May 31 02:22:21 2002 UTC (22 years ago) by angelos
Branch: MAIN
Changes since 1.69: +52 -23 lines
Diff to previous 1.69 (colored)

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.

Revision 1.32.2.3 / (download) - annotate - [select for diffs], Wed Jul 4 10:54:40 2001 UTC (22 years, 11 months ago) by niklas
Branch: SMP
Changes since 1.32.2.2: +956 -983 lines
Diff to previous 1.32.2.2 (colored) to branchpoint 1.32 (colored)

Merge in -current from two days ago in the SMP branch.
As usual with merges, they do not indicate progress, so do not hold
your breath for working SMP, and do not mail me and ask about the
state of it.  It has not changed.  There is work ongoing, but very, very
slowly.  The commit is done in parts as to not lock up the tree in too
big chunks at a time.

Revision 1.69 / (download) - annotate - [select for diffs], Tue Jun 26 06:18:59 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
CVS Tags: UBC_BASE, OPENBSD_3_1_BASE, OPENBSD_3_0_BASE, OPENBSD_3_0
Branch point for: UBC, OPENBSD_3_1
Changes since 1.68: +946 -963 lines
Diff to previous 1.68 (colored)

KNF

Revision 1.68 / (download) - annotate - [select for diffs], Mon Jun 25 05:11:58 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.67: +3 -3 lines
Diff to previous 1.67 (colored)

Copyright.

Revision 1.67 / (download) - annotate - [select for diffs], Sat Jun 23 18:30:38 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.66: +2 -2 lines
Diff to previous 1.66 (colored)

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase

Revision 1.66 / (download) - annotate - [select for diffs], Wed Jun 13 13:42:02 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.65: +2 -2 lines
Diff to previous 1.65 (colored)

Use blocksize, not ivmask

Revision 1.65 / (download) - annotate - [select for diffs], Fri Jun 8 03:13:14 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.64: +2 -15 lines
Diff to previous 1.64 (colored)

Trim include files.

Revision 1.64 / (download) - annotate - [select for diffs], Tue Jun 5 11:10:10 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.63: +3 -1 lines
Diff to previous 1.63 (colored)

Add a few DPRINTF()'s

Revision 1.63 / (download) - annotate - [select for diffs], Fri Jun 1 00:09:23 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.62: +21 -33 lines
Diff to previous 1.62 (colored)

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.

Revision 1.62 / (download) - annotate - [select for diffs], Wed May 30 12:29:04 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.61: +4 -13 lines
Diff to previous 1.61 (colored)

Update to match prototypes.

Revision 1.61 / (download) - annotate - [select for diffs], Wed May 30 12:13:58 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.60: +67 -43 lines
Diff to previous 1.60 (colored)

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.

Revision 1.60 / (download) - annotate - [select for diffs], Sun May 27 03:48:34 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.59: +2 -2 lines
Diff to previous 1.59 (colored)

Pass a NULL packet tag for now to ipsp_common_input_cb().

Revision 1.59 / (download) - annotate - [select for diffs], Thu May 17 18:41:47 2001 UTC (23 years ago) by provos
Branch: MAIN
Changes since 1.58: +2 -4 lines
Diff to previous 1.58 (colored)

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@

Revision 1.32.2.2 / (download) - annotate - [select for diffs], Mon May 14 22:40:09 2001 UTC (23 years, 1 month ago) by niklas
Branch: SMP
Changes since 1.32.2.1: +265 -181 lines
Diff to previous 1.32.2.1 (colored) to branchpoint 1.32 (colored)

merge in approximately 2.9 into SMP branch

Revision 1.58 / (download) - annotate - [select for diffs], Sun May 13 15:39:27 2001 UTC (23 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

initial cut at /dev/crypto support.  takes original mbuf "try, and discard
if we fail" semantics and extends to two variants of data movement: mbuf,
or an iovec style block.

Revision 1.57 / (download) - annotate - [select for diffs], Sat May 12 18:09:02 2001 UTC (23 years, 1 month ago) by angelos
Branch: MAIN
Changes since 1.56: +3 -3 lines
Diff to previous 1.56 (colored)

Move bzero() after test for correct allocation (jj@wabbitt.org)

Revision 1.56 / (download) - annotate - [select for diffs], Sat Apr 14 00:30:59 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE, OPENBSD_2_9
Changes since 1.55: +16 -6 lines
Diff to previous 1.55 (colored)

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

Revision 1.55 / (download) - annotate - [select for diffs], Fri Apr 6 04:42:08 2001 UTC (23 years, 2 months ago) by csapuntz
Branch: MAIN
Changes since 1.54: +1 -5 lines
Diff to previous 1.54 (colored)

Move offsetof define into sys/param.h

Revision 1.54 / (download) - annotate - [select for diffs], Wed Mar 28 20:03:03 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.53: +2 -5 lines
Diff to previous 1.53 (colored)

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

Revision 1.53 / (download) - annotate - [select for diffs], Fri Mar 23 04:27:33 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.52: +15 -2 lines
Diff to previous 1.52 (colored)

Fix slow mbuf leak.

Revision 1.52 / (download) - annotate - [select for diffs], Thu Mar 15 06:30:59 2001 UTC (23 years, 3 months ago) by mickey
Branch: MAIN
Changes since 1.51: +17 -17 lines
Diff to previous 1.51 (colored)

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok

Revision 1.51 / (download) - annotate - [select for diffs], Fri Nov 17 04:15:42 2000 UTC (23 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.50: +4 -4 lines
Diff to previous 1.50 (colored)

*HMAC96->*HMAC

Revision 1.50 / (download) - annotate - [select for diffs], Mon Oct 9 22:20:40 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE, OPENBSD_2_8
Changes since 1.49: +5 -1 lines
Diff to previous 1.49 (colored)

AES support.

Revision 1.49 / (download) - annotate - [select for diffs], Tue Sep 19 03:20:58 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.48: +12 -13 lines
Diff to previous 1.48 (colored)

Lots and lots of changes.

Revision 1.48 / (download) - annotate - [select for diffs], Sun Jun 18 08:23:48 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.47: +4 -4 lines
Diff to previous 1.47 (colored)

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)

Revision 1.47 / (download) - annotate - [select for diffs], Sun Jun 18 03:07:25 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.46: +31 -9 lines
Diff to previous 1.46 (colored)

The callbacks need to set the appropriate spl level now.

Revision 1.46 / (download) - annotate - [select for diffs], Thu Jun 15 00:30:12 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.45: +2 -2 lines
Diff to previous 1.45 (colored)

What was the offending payload length?

Revision 1.45 / (download) - annotate - [select for diffs], Wed Jun 14 04:42:10 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.44: +6 -2 lines
Diff to previous 1.44 (colored)

Initialize tc_ptr to zero if authentication is not used.

Revision 1.44 / (download) - annotate - [select for diffs], Tue Jun 6 04:49:29 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.43: +70 -57 lines
Diff to previous 1.43 (colored)

Get rid of tdb_ref, keep indirect pointer to TDB.

Revision 1.43 / (download) - annotate - [select for diffs], Thu Jun 1 05:40:41 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.42: +33 -33 lines
Diff to previous 1.42 (colored)

Check for invalid TDBs right away in the callbacks.

Revision 1.42 / (download) - annotate - [select for diffs], Mon May 15 03:36:34 2000 UTC (24 years, 1 month ago) by angelos
Branch: MAIN
Changes since 1.41: +3 -3 lines
Diff to previous 1.41 (colored)

Fix sanity check that caused really short packets (ICMPs with less
than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets
and most ICMP packets.

Revision 1.41 / (download) - annotate - [select for diffs], Tue Apr 25 02:53:45 2000 UTC (24 years, 1 month ago) by jason
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE, OPENBSD_2_7
Changes since 1.40: +4 -3 lines
Diff to previous 1.40 (colored)

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)

Revision 1.40 / (download) - annotate - [select for diffs], Thu Apr 6 16:08:22 2000 UTC (24 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.39: +2 -7 lines
Diff to previous 1.39 (colored)

only call get_random_bytes() once in m_pad()

Revision 1.39 / (download) - annotate - [select for diffs], Thu Mar 30 06:17:56 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.38: +15 -14 lines
Diff to previous 1.38 (colored)

Only allocate space for a copy of the authenticator if authentication
is in use.

Revision 1.38 / (download) - annotate - [select for diffs], Wed Mar 29 07:19:50 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.37: +18 -22 lines
Diff to previous 1.37 (colored)

Note to self: test before committing.

Revision 1.37 / (download) - annotate - [select for diffs], Wed Mar 29 07:09:57 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.36: +34 -4 lines
Diff to previous 1.36 (colored)

Conform to crypto framework changes for IVs.

Revision 1.36 / (download) - annotate - [select for diffs], Tue Mar 28 07:04:02 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.35: +38 -35 lines
Diff to previous 1.35 (colored)

Allow authentication-only ESP (must have broken it in the previous
round of commits).

Revision 1.35 / (download) - annotate - [select for diffs], Sat Mar 25 04:57:51 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)

Fix typo causing crash if ESP was used with only authentication or
encryption (not both). Problem noted by jason@openbsd.org

Revision 1.32.2.1 / (download) - annotate - [select for diffs], Fri Mar 24 09:09:36 2000 UTC (24 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.32: +480 -507 lines
Diff to previous 1.32 (colored)

Sync with -current

Revision 1.34 / (download) - annotate - [select for diffs], Tue Mar 21 21:00:09 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.33: +5 -5 lines
Diff to previous 1.33 (colored)

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)

Revision 1.33 / (download) - annotate - [select for diffs], Fri Mar 17 10:25:22 2000 UTC (24 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.32: +480 -507 lines
Diff to previous 1.32 (colored)

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
 - multiple instances of the same algorithm used in the same session
 - use of multiple crypto drivers in the same session
 - asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.

Revision 1.32 / (download) - annotate - [select for diffs], Mon Feb 7 06:09:09 2000 UTC (24 years, 4 months ago) by itojun
Branch: MAIN
CVS Tags: SMP_BASE
Branch point for: SMP
Changes since 1.31: +5 -3 lines
Diff to previous 1.31 (colored)

fix include file path related to ip6.

Revision 1.31 / (download) - annotate - [select for diffs], Thu Jan 27 08:09:09 2000 UTC (24 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.30: +959 -345 lines
Diff to previous 1.30 (colored)

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).

Revision 1.30, Thu Dec 9 10:13:46 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.29: +1 -1 lines
FILE REMOVED

Ok, no more IPsec for OpenBSD...I've had enough with it.

Revision 1.29 / (download) - annotate - [select for diffs], Thu Dec 9 03:46:03 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.28: +279 -105 lines
Diff to previous 1.28 (colored)

IPv6 support should now be complete (well, we need the right hooks in
ip6_input())

Revision 1.28 / (download) - annotate - [select for diffs], Tue Dec 7 08:58:00 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
CVS Tags: kame_19991208
Changes since 1.27: +2 -7 lines
Diff to previous 1.27 (colored)

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).

Revision 1.27 / (download) - annotate - [select for diffs], Mon Dec 6 07:14:35 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.26: +17 -2 lines
Diff to previous 1.26 (colored)

New ESP code that's v4 and v6 friendly.

Revision 1.26 / (download) - annotate - [select for diffs], Thu Nov 4 11:23:43 1999 UTC (24 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.25: +3 -3 lines
Diff to previous 1.25 (colored)

gettdb() should be at spltdb().

Revision 1.25 / (download) - annotate - [select for diffs], Fri Oct 29 05:21:45 1999 UTC (24 years, 7 months ago) by angelos
Branch: MAIN
Changes since 1.24: +10 -6 lines
Diff to previous 1.24 (colored)

Support multiple enc interfaces.

Revision 1.24 / (download) - annotate - [select for diffs], Mon Jul 5 20:17:06 1999 UTC (24 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_2_6_BASE, OPENBSD_2_6
Changes since 1.23: +5 -5 lines
Diff to previous 1.23 (colored)

remove bogus entry from if_enc address list; and rename enc_softc to encif

Revision 1.23 / (download) - annotate - [select for diffs], Sun May 16 21:48:33 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.22: +5 -2 lines
Diff to previous 1.22 (colored)

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration.  Cleanup expiration
logic too.

Revision 1.22 / (download) - annotate - [select for diffs], Fri May 14 23:36:17 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.21: +2 -23 lines
Diff to previous 1.21 (colored)

A new scalable IPsec SA expiration model.

Revision 1.21 / (download) - annotate - [select for diffs], Sun Apr 11 19:41:37 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_5_BASE, OPENBSD_2_5
Changes since 1.20: +44 -3 lines
Diff to previous 1.20 (colored)

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf.  Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug.  Some corrected function signatures too.

Revision 1.20 / (download) - annotate - [select for diffs], Fri Apr 9 22:27:53 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.19: +6 -6 lines
Diff to previous 1.19 (colored)

Make the tdbi handling more robust, removes a panic case

Revision 1.19 / (download) - annotate - [select for diffs], Sat Mar 27 21:04:19 1999 UTC (25 years, 2 months ago) by provos
Branch: MAIN
Changes since 1.18: +29 -1 lines
Diff to previous 1.18 (colored)

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew.  this was all done in Canada. dugsong and linh
provided the ride and company.

Revision 1.18 / (download) - annotate - [select for diffs], Wed Feb 24 23:45:49 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.17: +5 -3 lines
Diff to previous 1.17 (colored)

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.

Revision 1.17 / (download) - annotate - [select for diffs], Wed Feb 24 22:33:01 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.16: +50 -78 lines
Diff to previous 1.16 (colored)

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.

Revision 1.16 / (download) - annotate - [select for diffs], Wed Jun 10 23:57:14 1998 UTC (26 years ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_2_4_BASE, OPENBSD_2_4
Changes since 1.15: +33 -1 lines
Diff to previous 1.15 (colored)

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.

Revision 1.15 / (download) - annotate - [select for diffs], Sun May 24 22:40:12 1998 UTC (26 years ago) by provos
Branch: MAIN
Changes since 1.14: +34 -12 lines
Diff to previous 1.14 (colored)

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.

Revision 1.14 / (download) - annotate - [select for diffs], Mon May 18 21:10:40 1998 UTC (26 years ago) by provos
Branch: MAIN
Changes since 1.13: +16 -10 lines
Diff to previous 1.13 (colored)

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.

Revision 1.13 / (download) - annotate - [select for diffs], Tue Nov 4 09:11:09 1997 UTC (26 years, 7 months ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_2_3_BASE, OPENBSD_2_3
Changes since 1.12: +6 -2 lines
Diff to previous 1.12 (colored)

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.

Revision 1.12 / (download) - annotate - [select for diffs], Thu Oct 2 02:31:04 1997 UTC (26 years, 8 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_2_2_BASE, OPENBSD_2_2
Changes since 1.11: +19 -11 lines
Diff to previous 1.11 (colored)

conditional error logging

Revision 1.11 / (download) - annotate - [select for diffs], Sun Sep 28 22:57:46 1997 UTC (26 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.10: +8 -10 lines
Diff to previous 1.10 (colored)

log() needs a \n

Revision 1.10 / (download) - annotate - [select for diffs], Sun Jul 27 23:30:35 1997 UTC (26 years, 10 months ago) by niklas
Branch: MAIN
Changes since 1.9: +72 -3 lines
Diff to previous 1.9 (colored)

expiration messages, fixes, updates, all sorts of things

Revision 1.9 / (download) - annotate - [select for diffs], Fri Jul 18 18:09:54 1997 UTC (26 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.8: +5 -5 lines
Diff to previous 1.8 (colored)

enablespi/disablespi in encap + print SPIs in host order

Revision 1.8 / (download) - annotate - [select for diffs], Fri Jul 11 23:37:56 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.7: +27 -30 lines
Diff to previous 1.7 (colored)

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.

Revision 1.7 / (download) - annotate - [select for diffs], Tue Jul 1 22:12:45 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)

major restructuring

Revision 1.6 / (download) - annotate - [select for diffs], Wed Jun 25 07:53:24 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.5: +17 -1 lines
Diff to previous 1.5 (colored)

hard and soft limits for SPIs per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI

Revision 1.5 / (download) - annotate - [select for diffs], Sat Jun 21 00:09:16 1997 UTC (26 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +3 -3 lines
Diff to previous 1.4 (colored)

u_int32_t changes, need testing

Revision 1.4 / (download) - annotate - [select for diffs], Fri Jun 20 05:41:49 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.3: +77 -77 lines
Diff to previous 1.3 (colored)

ah-sha1 + esp-3des + indentation

Revision 1.3 / (download) - annotate - [select for diffs], Wed Feb 26 20:53:09 1997 UTC (27 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_2_1_BASE, OPENBSD_2_1
Changes since 1.2: +3 -1 lines
Diff to previous 1.2 (colored)

count input/output packets for esp

Revision 1.2 / (download) - annotate - [select for diffs], Mon Feb 24 14:06:39 1997 UTC (27 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.1: +4 -0 lines
Diff to previous 1.1 (colored)

OpenBSD tags + some prototyping police

Revision 1.1 / (download) - annotate - [select for diffs], Thu Feb 20 01:07:53 1997 UTC (27 years, 3 months ago) by deraadt
Branch: MAIN

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
