OpenBSD CVS

CVS log for src/sys/netinet/ip_ipsp.c

Default branch: MAIN
Revision 1.278 / (download) - annotate - [select for diffs], Sun Dec 3 10:50:25 2023 UTC (6 months, 1 week ago) by mvs
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.277: +3 -2 lines
Diff to previous 1.277 (colored)

Make ipsp_ids_gc() timeout(9) handler mpsafe. `ipsec_flows_mtx' mutex(9)
protects related data.

ok bluhm

Revision 1.277 / (download) - annotate - [select for diffs], Wed Oct 11 22:13:16 2023 UTC (8 months ago) by tobhe
Branch: MAIN
Changes since 1.276: +18 -1 lines
Diff to previous 1.276 (colored)

Prevent deref-after-free when tdb_timeout() fires on invalid new tdb.

When receiving a pfkeyv2 SADB_ADD message, a newly created tdb can
fail in tdb_init(), which causes the tdb to not get added to the
global tdb list and an immediate dereference.  If a lifetime timeout
triggers on this tdb, it will unconditionally try to remove it from
the list and in the process deref once more than allowed,
causing a one bit corruption in the already freed up slot in the
tdb pool.

We resolve this issue by moving timeout_add() after tdb_init()
just before puttdb().  This means tdbs failing initialization
get discarded immediately as they only hold a single reference.
Valid tdbs get their timeouts activated just before we add them
to the tdb list, meaning the timeout can safely assume they are
linked.

Feedback from mvs@ and millert@
ok mvs@ mbuhl@
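Worked model of the ordering change this commit describes, added here as an example; it is not the OpenBSD kernel code and not part of the CVS log. The names tdb_alloc(), tdb_init(), puttdb(), tdb_unref(), tdb_timeout() and the SADB_ADD path follow the commit message, but the bodies are simplified stand-ins (a one-slot pool, an integer refcount, a single pending timeout) so the pre-1.277 and post-1.277 orderings can be run side by side in userland.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed userland model of the SADB_ADD ordering fixed in revision
 * 1.277. Example code written for this page, not OpenBSD kernel code:
 * names follow the commit message, bodies are simplified stand-ins.
 */

struct tdb {
	int tdb_in_use;		/* pool slot allocated; 0 again after tdb_free() */
	int tdb_refcnt;		/* creator holds one reference, the tdb list one */
	int tdb_linked;		/* on the global tdb list */
};

static struct tdb tdb_slot;		/* one-slot stand-in for the tdb pool */
static struct tdb *pending_timeout;	/* the single armed timeout(9) handler */
static int timeouts_on_freed_tdb;	/* handler runs that found a freed slot */

static struct tdb *tdb_alloc(void)
{
	if (tdb_slot.tdb_in_use)
		return NULL;
	memset(&tdb_slot, 0, sizeof(tdb_slot));
	tdb_slot.tdb_in_use = 1;
	tdb_slot.tdb_refcnt = 1;	/* the creator's reference */
	return &tdb_slot;
}

static void tdb_unref(struct tdb *t)
{
	if (--t->tdb_refcnt == 0)
		t->tdb_in_use = 0;	/* tdb_free(): slot goes back to the pool */
}

/* Link into the global list; the list holds its own reference. */
static void puttdb(struct tdb *t)
{
	t->tdb_linked = 1;
	t->tdb_refcnt++;
}

/* In the kernel tdb_init() can fail (bad transform etc.); here the caller decides. */
static int tdb_init(struct tdb *t, int fail)
{
	(void)t;
	return fail ? -1 : 0;
}

/* Lifetime timeout: unconditionally assumes the tdb is linked and drops the list ref. */
static void tdb_timeout(struct tdb *t)
{
	if (!t->tdb_in_use) {
		timeouts_on_freed_tdb++;	/* kernel: refcount decrement in a freed pool slot */
		return;
	}
	t->tdb_linked = 0;
	tdb_unref(t);
}

/* SADB_ADD path. arm_before_init = 1 is the pre-1.277 ordering; 0 arms the
 * timeout only after tdb_init() succeeded, right before puttdb(). */
static int sadb_add(int arm_before_init, int init_fails)
{
	struct tdb *t = tdb_alloc();

	if (t == NULL)
		return -1;
	if (arm_before_init)
		pending_timeout = t;		/* timeout_add() */
	if (tdb_init(t, init_fails) != 0) {
		tdb_unref(t);			/* single reference: freed right here */
		return -1;
	}
	if (!arm_before_init)
		pending_timeout = t;		/* timeout_add() */
	puttdb(t);
	tdb_unref(t);				/* drop the creator's reference */
	return 0;
}

/* One SADB_ADD, then the lifetime timeout fires; returns handler runs on a freed tdb. */
static int run_scenario(int arm_before_init, int init_fails)
{
	memset(&tdb_slot, 0, sizeof(tdb_slot));
	pending_timeout = NULL;
	timeouts_on_freed_tdb = 0;
	(void)sadb_add(arm_before_init, init_fails);
	if (pending_timeout != NULL)
		tdb_timeout(pending_timeout);
	return timeouts_on_freed_tdb;
}

int main(void)
{
	printf("old ordering, tdb_init() fails: %d run(s) on freed tdb\n", run_scenario(1, 1));
	printf("new ordering, tdb_init() fails: %d run(s) on freed tdb\n", run_scenario(0, 1));
	printf("new ordering, tdb_init() ok:    %d, slot still in use: %d\n",
	    run_scenario(0, 0), tdb_slot.tdb_in_use);
	return 0;
}
```

With the old ordering and a failing tdb_init(), the armed timeout later runs against a slot already returned to the pool; with the new ordering no timeout is ever armed for a tdb that only held its creator's single reference, and the success path is torn down by the timeout in both orderings.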

Revision 1.276 / (download) - annotate - [select for diffs], Mon Aug 7 03:43:57 2023 UTC (10 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.275: +37 -17 lines
Diff to previous 1.275 (colored)

add the glue between ipsec security associations and sec(4) interfaces.

if TDBF_IFACE is set on a tdb, the ipsec stack will pass it to the
sec(4) driver to keep track of instead of wiring it up for security
associations to use.

when sec(4) transmits a packet, it will look up its list of tdbs
to find the right SA to encrypt and send the packet out with.

if an incoming ipsec packet arrives with TDBF_IFACE set, it's passed
to sec(4) to be injected back into the network stack as if it was
received on the sec interface, instead of being reinjected into the
IP stack like normal SA/SPD processing does.

note that this means you do not have to configure tunnel endpoints
on sec(4) interfaces, instead you line the interface unit number
in the ipsec config up with the minor number of the sec(4) interfaces.
the peer IPs used on the SAs are what's used as the traffic endpoints.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

Revision 1.275 / (download) - annotate - [select for diffs], Fri Nov 11 18:09:58 2022 UTC (18 months, 4 weeks ago) by cheloha
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.274: +2 -2 lines
Diff to previous 1.274 (colored)

timeout(9): remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK()

We have too many timeout(9) initialization functions and macros.
Let's slim it down and combine some interfaces.

- Remove timeout_set_kclock(), TIMEOUT_INITIALIZER_KCLOCK().
- Expand timeout_set_flags(), TIMEOUT_INITIALIZER_FLAGS() to accept
  an additional "kclock" parameter.
- Reimplement timeout_set(), timeout_set_proc() with timeout_set_flags().
- Reimplement TIMEOUT_INITIALIZER() with TIMEOUT_INITIALIZER_FLAGS().
- Update the sole timeout_set_flags() user to pass a kclock parameter.
- Update the sole timeout_set_kclock() user to call timeout_set_flags().
- Update the sole TIMEOUT_INITIALIZER_FLAGS() user to provide a kclock
  parameter.

The timeout(9) code is now a bit out of sync with the manpage.  This
will be corrected in a subsequent commit.

ok kn@

Revision 1.274 / (download) - annotate - [select for diffs], Sat Nov 5 22:33:11 2022 UTC (19 months ago) by jan
Branch: MAIN
Changes since 1.273: +2 -2 lines
Diff to previous 1.273 (colored)

Fix kernel build without IPSEC option.

ok deraadt@

Revision 1.273 / (download) - annotate - [select for diffs], Sat Aug 6 15:57:59 2022 UTC (22 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.272: +2 -2 lines
Diff to previous 1.272 (colored)

Clean up the netlock macros.  Merge NET_RLOCK_IN_SOFTNET and
NET_RLOCK_IN_IOCTL, which have the same implementation.  The R and
W are hard to see, call the new macro NET_LOCK_SHARED.  Rename the
opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE.
Update some outdated comments about net locking.
OK mpi@ mvs@

Revision 1.272 / (download) - annotate - [select for diffs], Thu Jul 14 13:52:10 2022 UTC (22 months, 4 weeks ago) by mvs
Branch: MAIN
Changes since 1.271: +9 -9 lines
Diff to previous 1.271 (colored)

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@

Revision 1.271 / (download) - annotate - [select for diffs], Tue Jun 28 09:32:27 2022 UTC (23 months, 2 weeks ago) by bluhm
Branch: MAIN
Changes since 1.270: +2 -2 lines
Diff to previous 1.270 (colored)

Use btrace(8) to debug reference counting.  dt(4) provides a static
tracepoint for each type of refcnt we have.  As a start, add inpcb
and tdb refcnt.  When the counter changes, btrace may print the
actual object, the current counter, the change value and optionally
the stack trace.
discussed with visa@; OK mpi@

Revision 1.269.2.1 / (download) - annotate - [select for diffs], Tue May 3 16:13:16 2022 UTC (2 years, 1 month ago) by bluhm
Branch: OPENBSD_7_1
Changes since 1.269: +13 -6 lines
Diff to previous 1.269 (colored) next main 1.270 (colored)

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing the
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

from mvs@; OK bluhm@

this is errata/7.1/002_ipsec.patch.sig

Revision 1.270 / (download) - annotate - [select for diffs], Sat Apr 30 13:28:53 2022 UTC (2 years, 1 month ago) by mvs
Branch: MAIN
Changes since 1.269: +13 -6 lines
Diff to previous 1.269 (colored)

When performing ipsp_ids_free(), grab `ipsec_flows_mtx' mutex(9) before doing the
`id_refcount' decrement. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations with `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning dying `ids'.

ok bluhm@

Revision 1.269 / (download) - annotate - [select for diffs], Thu Mar 10 15:21:08 2022 UTC (2 years, 3 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE
Branch point for: OPENBSD_7_1
Changes since 1.268: +3 -3 lines
Diff to previous 1.268 (colored)

Use atomic load and store functions to access refcnt and wait
variables.  Although not necessary everywhere, using atomic functions
exclusively for variables marked as atomic is clearer.
OK mvs@ visa@

Revision 1.268 / (download) - annotate - [select for diffs], Tue Jan 4 06:32:39 2022 UTC (2 years, 5 months ago) by yasuoka
Branch: MAIN
Changes since 1.267: +40 -16 lines
Diff to previous 1.267 (colored)

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees.  ipsp_ids_lookup() returns `ids' with bumped reference
counter.  original diff from mvs

ok mvs

Revision 1.267 / (download) - annotate - [select for diffs], Mon Dec 20 15:59:09 2021 UTC (2 years, 5 months ago) by mvs
Branch: MAIN
Changes since 1.266: +6 -1 lines
Diff to previous 1.266 (colored)

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

Revision 1.266 / (download) - annotate - [select for diffs], Sun Dec 19 23:30:08 2021 UTC (2 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.265: +22 -34 lines
Diff to previous 1.265 (colored)

There are occasions where the walker function in tdb_walk() might
sleep.  So holding the tdb_sadb_mtx() when calling walker() is not
allowed.  Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock.  Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@

Revision 1.265 / (download) - annotate - [select for diffs], Tue Dec 14 17:50:37 2021 UTC (2 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.264: +3 -1 lines
Diff to previous 1.264 (colored)

To cache lookups, the policy ipo is linked to its SA tdb.  There
is also a list of SAs that belong to a policy.  To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@

Revision 1.264 / (download) - annotate - [select for diffs], Sat Dec 11 16:33:47 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.263: +23 -8 lines
Diff to previous 1.263 (colored)

Protect the write access to the TDB flags field with a mutex per
TDB.  Clearing the timeout flags just before pool put in tdb_free()
does not make sense.  Move this to tdb_delete().  While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@

Revision 1.263 / (download) - annotate - [select for diffs], Wed Dec 8 14:24:18 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.262: +10 -13 lines
Diff to previous 1.262 (colored)

Start documenting the locking strategy of struct tdb fields.  Note
that gettdb_dir() is MP safe now.  Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext.  Make the
braces consistently for all these TDB loops.  Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@

Revision 1.262 / (download) - annotate - [select for diffs], Tue Dec 7 17:28:46 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.261: +17 -10 lines
Diff to previous 1.261 (colored)

In ipo_tdb the flow contains a reference counted TDB cache.  This
may prevent that tdb_free() is called.  It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy.  Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@

Revision 1.261 / (download) - annotate - [select for diffs], Fri Dec 3 19:04:49 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.260: +20 -3 lines
Diff to previous 1.260 (colored)

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@

Revision 1.260 / (download) - annotate - [select for diffs], Thu Dec 2 12:39:15 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.259: +5 -1 lines
Diff to previous 1.259 (colored)

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@

Revision 1.259 / (download) - annotate - [select for diffs], Wed Dec 1 22:34:31 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.258: +7 -13 lines
Diff to previous 1.258 (colored)

Reintroduce the TDBF_DELETED flag.  Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@

Revision 1.258 / (download) - annotate - [select for diffs], Mon Nov 29 19:19:00 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.257: +2 -2 lines
Diff to previous 1.257 (colored)

The network stack currently uses IPL_SOFTNET.  Consistently initialize
the TDB sadb mutex with that.  The old IPL_NET was chosen by accident.
OK mpi@

Revision 1.257 / (download) - annotate - [select for diffs], Mon Nov 29 15:39:59 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.256: +2 -2 lines
Diff to previous 1.256 (colored)

Using a void pointer for temporary allocated TDB in pfkeyv2 does
not make sense.  Do not use the freeme pointer for TDB in pfkeyv2_send().
The pattern is tdb_alloc() and tdb_unref() in case of error.  Replace
tdb_free() in reserve_spi() with tdb_unref() to keep this consistent.
Only tdb_unref() should call tdb_free().
OK mvs@

Revision 1.256 / (download) - annotate - [select for diffs], Fri Nov 26 19:24:41 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.255: +3 -1 lines
Diff to previous 1.255 (colored)

Put a mutex assert locked into puttdb_locked().
OK tobhe@

Revision 1.255 / (download) - annotate - [select for diffs], Fri Nov 26 16:16:35 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.254: +21 -10 lines
Diff to previous 1.254 (colored)

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@

Revision 1.254 / (download) - annotate - [select for diffs], Thu Nov 25 13:46:02 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.253: +95 -27 lines
Diff to previous 1.253 (colored)

Implement reference counting for IPsec tdbs.  Not all cases are
covered yet, more ref counts to come.  The timeouts are protected,
so the racy tdb_reaper() gets retired.  The tdb_policy_head, onext
and inext lists are protected.  All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later.  A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@

Revision 1.253 / (download) - annotate - [select for diffs], Sun Nov 21 16:17:48 2021 UTC (2 years, 6 months ago) by mvs
Branch: MAIN
Changes since 1.252: +7 -3 lines
Diff to previous 1.252 (colored)

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@

Revision 1.252 / (download) - annotate - [select for diffs], Sun Nov 21 02:54:56 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.251: +4 -4 lines
Diff to previous 1.251 (colored)

Fix whitespace and long lines.

Revision 1.251 / (download) - annotate - [select for diffs], Thu Nov 18 11:04:10 2021 UTC (2 years, 6 months ago) by sthen
Branch: MAIN
Changes since 1.250: +3 -3 lines
Diff to previous 1.250 (colored)

printing udpencap_port in ddb requires ntohs not ntohl. use better format
string. help claudio@ ok bluhm@

Revision 1.250 / (download) - annotate - [select for diffs], Tue Nov 16 13:53:14 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.249: +82 -3 lines
Diff to previous 1.249 (colored)

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@

Revision 1.249 / (download) - annotate - [select for diffs], Wed Oct 27 16:58:44 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.248: +7 -1 lines
Diff to previous 1.248 (colored)

The crypto layer needs the kernel lock.  ah_zeroize() takes it when
called from tdb_walk().  tdb_walk() needs mutex tdb_sadb_mtx to
protect the loop traversal.  First take the kernel lock in tdb_walk()
to preserve lock order.
found by witness
OK tobhe@ mvs@

Revision 1.248 / (download) - annotate - [select for diffs], Mon Oct 25 18:25:01 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.247: +11 -3 lines
Diff to previous 1.247 (colored)

Call a locked variant of tdb_unlink() from tdb_walk().  Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@

Revision 1.247 / (download) - annotate - [select for diffs], Mon Oct 25 16:00:12 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.246: +61 -66 lines
Diff to previous 1.246 (colored)

Protect the tdb hashes with a mutex.  Move initialization out of
the processing path.  If rehashing fails due to low memory, just
keep the old hash buckets.
OK tobhe@

Revision 1.246 / (download) - annotate - [select for diffs], Wed Oct 13 14:36:31 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.245: +2 -2 lines
Diff to previous 1.245 (colored)

The function ipip_output() was registered as .xf_output() xform
function.  But it was never called via this pointer.  It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output.  This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@

Revision 1.245 / (download) - annotate - [select for diffs], Wed Sep 29 22:08:13 2021 UTC (2 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.244: +8 -7 lines
Diff to previous 1.244 (colored)

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@

Revision 1.244 / (download) - annotate - [select for diffs], Tue Jul 27 17:13:03 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.243: +1 -6 lines
Diff to previous 1.243 (colored)

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Revision 1.243 / (download) - annotate - [select for diffs], Mon Jul 26 23:17:06 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
Changes since 1.242: +6 -1 lines
Diff to previous 1.242 (colored)

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Revision 1.242 / (download) - annotate - [select for diffs], Mon Jul 19 14:49:55 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
Changes since 1.241: +3 -2 lines
Diff to previous 1.241 (colored)

Remove `ids' from `ipsec_ids_tree' while following the ipsp_ids_insert()
error path. This fixes a use-after-free issue. Also fix a debug message
typo pointed out by bluhm@ in the error path.

ok millert@ bluhm@

Revision 1.241 / (download) - annotate - [select for diffs], Sun Jul 18 18:19:22 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
Changes since 1.240: +52 -20 lines
Diff to previous 1.240 (colored)

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop an ipsp_ids_timeout() timeout handler which is
already running and awaiting the netlock to be released, so a reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@

Revision 1.240 / (download) - annotate - [select for diffs], Thu Jul 8 21:07:19 2021 UTC (2 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.239: +4 -4 lines
Diff to previous 1.239 (colored)

The xformsw array never changes.  Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@

Revision 1.239 / (download) - annotate - [select for diffs], Thu Jul 8 15:13:14 2021 UTC (2 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.238: +19 -13 lines
Diff to previous 1.238 (colored)

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output.  Move the function name and the newline into
the DPRINTF macro.  This simplifies the debug statements.
OK tobhe@

Revision 1.238 / (download) - annotate - [select for diffs], Wed Mar 10 10:21:49 2021 UTC (3 years, 3 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.237: +2 -2 lines
Diff to previous 1.237 (colored)

spelling

ok gnezdo@ semarie@ mpi@

Revision 1.237 / (download) - annotate - [select for diffs], Tue Feb 23 19:43:54 2021 UTC (3 years, 3 months ago) by tobhe
Branch: MAIN
Changes since 1.236: +12 -3 lines
Diff to previous 1.236 (colored)

Use pool to allocate tdbs.

ok patrick@ bluhm@

Revision 1.236 / (download) - annotate - [select for diffs], Wed Jun 24 22:03:43 2020 UTC (3 years, 11 months ago) by cheloha
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.235: +3 -3 lines
Diff to previous 1.235 (colored)

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t.  However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel.  Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Revision 1.235 / (download) - annotate - [select for diffs], Thu Apr 23 19:38:08 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.234: +30 -37 lines
Diff to previous 1.234 (colored)

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption.  This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension.  Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@

Revision 1.234 / (download) - annotate - [select for diffs], Sat May 11 17:16:21 2019 UTC (5 years, 1 month ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.233: +5 -1 lines
Diff to previous 1.233 (colored)

unbreak the build without IPSEC.
ok claudio@ deraadt@

Revision 1.233 / (download) - annotate - [select for diffs], Mon Oct 22 15:32:19 2018 UTC (5 years, 7 months ago) by cheloha
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.232: +2 -2 lines
Diff to previous 1.232 (colored)

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@

Revision 1.232 / (download) - annotate - [select for diffs], Tue Aug 28 15:15:02 2018 UTC (5 years, 9 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.231: +8 -1 lines
Diff to previous 1.231 (colored)

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@

Revision 1.229.2.1 / (download) - annotate - [select for diffs], Tue Jul 24 09:36:00 2018 UTC (5 years, 10 months ago) by bluhm
Branch: OPENBSD_6_3
Changes since 1.229: +46 -40 lines
Diff to previous 1.229 (colored) next main 1.230 (colored)

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().
reported by Harald Dunkel; from mpi@; ok visa@ bluhm@
OpenBSD 6.3 errata 013

Revision 1.231 / (download) - annotate - [select for diffs], Sat May 19 12:34:35 2018 UTC (6 years ago) by mpi
Branch: MAIN
Changes since 1.230: +46 -40 lines
Diff to previous 1.230 (colored)

Introduce a tdb_reaper() function to prevent a use-after-free when a
timeout is blocking on the NET_LOCK().

Issue reported by Harald Dunkel, ok visa@, bluhm@

Revision 1.230 / (download) - annotate - [select for diffs], Wed May 16 13:19:00 2018 UTC (6 years ago) by reyk
Branch: MAIN
Changes since 1.229: +3 -1 lines
Diff to previous 1.229 (colored)

Fix kernel builds without IPSEC.

OK mikeb@

Revision 1.229 / (download) - annotate - [select for diffs], Mon Nov 6 15:12:43 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE
Branch point for: OPENBSD_6_3
Changes since 1.228: +2 -2 lines
Diff to previous 1.228 (colored)

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@

Revision 1.228 / (download) - annotate - [select for diffs], Mon Oct 16 08:22:25 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.227: +22 -7 lines
Diff to previous 1.227 (colored)

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@

Revision 1.227 / (download) - annotate - [select for diffs], Wed Oct 11 13:44:49 2017 UTC (6 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.226: +1 -4 lines
Diff to previous 1.226 (colored)

Remove lie talking about splsoftclock().

Revision 1.226 / (download) - annotate - [select for diffs], Fri Aug 11 21:24:20 2017 UTC (6 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.225: +11 -16 lines
Diff to previous 1.225 (colored)

Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

Revision 1.225 / (download) - annotate - [select for diffs], Mon Jun 26 09:08:00 2017 UTC (6 years, 11 months ago) by patrick
Branch: MAIN
Changes since 1.224: +11 -3 lines
Diff to previous 1.224 (colored)

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it.  That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@

Revision 1.224 / (download) - annotate - [select for diffs], Thu May 18 10:56:45 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.223: +2 -1 lines
Diff to previous 1.223 (colored)

The function name ip4_input() is confusing as it also handles IPv6
packets.  This is the IP in IP protocol input function, so call it
ipip_input().  Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface.  Pass the
address family to make it consistent with pr_input.  Use __func__
in debug print and panic messages.  Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@

Revision 1.223 / (download) - annotate - [select for diffs], Tue May 16 12:24:01 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.222: +7 -7 lines
Diff to previous 1.222 (colored)

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Revision 1.222 / (download) - annotate - [select for diffs], Sat May 6 15:55:15 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.221: +51 -18 lines
Diff to previous 1.221 (colored)

Convert the xformsw definition to C99 style initializer.  Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@

Revision 1.221 / (download) - annotate - [select for diffs], Fri May 5 11:04:18 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.220: +10 -10 lines
Diff to previous 1.220 (colored)

Expand SA_LEN(), there is no benefit for using the macro in the
kernel.  It was only used in IPsec sources.  No binary change
OK deraadt@

Revision 1.220 / (download) - annotate - [select for diffs], Tue Feb 14 09:51:46 2017 UTC (7 years, 3 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.219: +18 -27 lines
Diff to previous 1.219 (colored)

Get rid of recursive splsoftnet()/splx() dances and convert a timeout to
the timeout_set_proc(9) variant to take the NET_LOCK().

ok mikeb@, bluhm@

Revision 1.219 / (download) - annotate - [select for diffs], Mon Dec 19 08:36:49 2016 UTC (7 years, 5 months ago) by mpi
Branch: MAIN
Changes since 1.218: +9 -9 lines
Diff to previous 1.218 (colored)

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@

Revision 1.218 / (download) - annotate - [select for diffs], Tue Nov 15 09:48:03 2016 UTC (7 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.217: +5 -5 lines
Diff to previous 1.217 (colored)

TDB timers need a context process, so convert them to timeout_set_proc(9).

ok phessler@, bluhm@ as part of a larger diff

Revision 1.217 / (download) - annotate - [select for diffs], Tue Sep 20 14:01:04 2016 UTC (7 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.216: +13 -1 lines
Diff to previous 1.216 (colored)

Sprinkle splsoftnets in TDB timeout callbacks; ok bluhm

Revision 1.216 / (download) - annotate - [select for diffs], Mon Sep 19 18:09:22 2016 UTC (7 years, 8 months ago) by tedu
Branch: MAIN
Changes since 1.215: +3 -3 lines
Diff to previous 1.215 (colored)

convert bcopy to memcpy. from david hill.

Revision 1.215 / (download) - annotate - [select for diffs], Thu Sep 15 03:37:09 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.214: +18 -16 lines
Diff to previous 1.214 (colored)

move from RB macros to RBT functions

shaves a bunch of bytes off kernels

Revision 1.214 / (download) - annotate - [select for diffs], Sat May 23 12:38:53 2015 UTC (9 years ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9, OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.213: +133 -42 lines
Diff to previous 1.213 (colored)

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@

Revision 1.213 / (download) - annotate - [select for diffs], Fri Apr 17 11:04:01 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.212: +1 -31 lines
Diff to previous 1.212 (colored)

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

Revision 1.212 / (download) - annotate - [select for diffs], Fri Apr 17 10:08:07 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.211: +1 -219 lines
Diff to previous 1.211 (colored)

Remove unused ipsp_parse_headers that was supposed to parse packets
returned by IPsec-enabled NICs;  OK markus, hshoexer

Revision 1.211 / (download) - annotate - [select for diffs], Thu Apr 16 19:24:13 2015 UTC (9 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.210: +1 -81 lines
Diff to previous 1.210 (colored)

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Revision 1.210 / (download) - annotate - [select for diffs], Tue Apr 14 14:20:01 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.209: +12 -16 lines
Diff to previous 1.209 (colored)

make ipsp_address thread safe;  ok mpi

Revision 1.209 / (download) - annotate - [select for diffs], Tue Apr 14 12:22:15 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.208: +11 -44 lines
Diff to previous 1.208 (colored)

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything.  The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

Revision 1.208 / (download) - annotate - [select for diffs], Mon Apr 13 16:52:26 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.207: +3 -2 lines
Diff to previous 1.207 (colored)

Make filter argument to ipsp_aux_match optional like the rest of them.
OK markus, hshoexer

Revision 1.207 / (download) - annotate - [select for diffs], Mon Apr 13 16:48:01 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.206: +26 -23 lines
Diff to previous 1.206 (colored)

Rename gettdbbyaddr to gettdbbydst;  OK markus, hshoexer, mpi

Revision 1.206 / (download) - annotate - [select for diffs], Mon Apr 13 16:45:52 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.205: +4 -5 lines
Diff to previous 1.205 (colored)

Remove unused arguments from gettdb* functions;  OK markus, hshoexer, mpi

Revision 1.205 / (download) - annotate - [select for diffs], Fri Apr 10 12:31:55 2015 UTC (9 years, 2 months ago) by dlg
Branch: MAIN
Changes since 1.204: +11 -27 lines
Diff to previous 1.204 (colored)

replace the guts of tdb_hash with SipHash24

tested by (including some statistical measurement) and ok mikeb@

Revision 1.204 / (download) - annotate - [select for diffs], Sat Mar 14 03:38:52 2015 UTC (9 years, 3 months ago) by jsg
Branch: MAIN
Changes since 1.203: +1 -2 lines
Diff to previous 1.203 (colored)

Remove some includes include-what-you-use claims don't
have any direct symbols used.  Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

Revision 1.203 / (download) - annotate - [select for diffs], Sat Jan 24 00:29:06 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.202: +7 -9 lines
Diff to previous 1.202 (colored)

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>.  The kernel files can be
cleaned up next.  Some sockaddr_union steps make it into here as well.
ok naddy

Revision 1.202 / (download) - annotate - [select for diffs], Fri Dec 19 17:14:40 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.201: +1 -18 lines
Diff to previous 1.201 (colored)

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Revision 1.201 / (download) - annotate - [select for diffs], Tue Dec 9 07:05:06 2014 UTC (9 years, 6 months ago) by doug
Branch: MAIN
Changes since 1.200: +8 -8 lines
Diff to previous 1.200 (colored)

More malloc() -> mallocarray() in the kernel.

ok deraadt@ tedu@

Revision 1.200 / (download) - annotate - [select for diffs], Tue Nov 18 02:37:31 2014 UTC (9 years, 6 months ago) by tedu
Branch: MAIN
Changes since 1.199: +1 -2 lines
Diff to previous 1.199 (colored)

move arc4random prototype to systm.h. more appropriate for most code
to include that than rdnvar.h. ok deraadt dlg

Revision 1.199 / (download) - annotate - [select for diffs], Sun Sep 14 14:17:26 2014 UTC (9 years, 8 months ago) by jsg
Branch: MAIN
Changes since 1.198: +1 -2 lines
Diff to previous 1.198 (colored)

remove unneeded proc.h includes
ok mpi@ kspillner@

Revision 1.198 / (download) - annotate - [select for diffs], Mon Sep 8 06:24:13 2014 UTC (9 years, 9 months ago) by jsg
Branch: MAIN
Changes since 1.197: +1 -2 lines
Diff to previous 1.197 (colored)

remove unneeded route.h includes
ok miod@ mpi@

Revision 1.197 / (download) - annotate - [select for diffs], Tue Jul 22 11:06:10 2014 UTC (9 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.196: +1 -2 lines
Diff to previous 1.196 (colored)

Fewer <netinet/in_systm.h> !

Revision 1.196 / (download) - annotate - [select for diffs], Sat Jul 12 18:44:23 2014 UTC (9 years, 11 months ago) by tedu
Branch: MAIN
Changes since 1.195: +6 -6 lines
Diff to previous 1.195 (colored)

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

Revision 1.195 / (download) - annotate - [select for diffs], Tue Jul 8 17:19:26 2014 UTC (9 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.194: +2 -2 lines
Diff to previous 1.194 (colored)

decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h
don't need to be married.
ok guenther miod beck jsing kettenis

Revision 1.194 / (download) - annotate - [select for diffs], Mon Apr 14 09:06:42 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.193: +3 -3 lines
Diff to previous 1.193 (colored)

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

	rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Revision 1.193 / (download) - annotate - [select for diffs], Thu Jan 9 06:29:06 2014 UTC (10 years, 5 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.192: +15 -15 lines
Diff to previous 1.192 (colored)

bzero/bcmp -> memset/memcmp. ok matthew

Revision 1.192 / (download) - annotate - [select for diffs], Mon Nov 11 09:15:34 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.191: +13 -19 lines
Diff to previous 1.191 (colored)

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Revision 1.191 / (download) - annotate - [select for diffs], Thu Oct 24 11:31:43 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.190: +1 -2 lines
Diff to previous 1.190 (colored)

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Revision 1.190 / (download) - annotate - [select for diffs], Thu Jul 4 09:48:48 2013 UTC (10 years, 11 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.189: +3 -1 lines
Diff to previous 1.189 (colored)

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.

Revision 1.189 / (download) - annotate - [select for diffs], Thu Apr 11 12:06:25 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.188: +1 -4 lines
Diff to previous 1.188 (colored)

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

Revision 1.188 / (download) - annotate - [select for diffs], Wed Apr 10 08:50:59 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.187: +2 -2 lines
Diff to previous 1.187 (colored)

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@

Revision 1.187 / (download) - annotate - [select for diffs], Tue Apr 9 08:35:38 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.186: +8 -9 lines
Diff to previous 1.186 (colored)

Remove read-only ipsec variables and directly use defines instead.

ok mikeb@, markus@

Revision 1.186 / (download) - annotate - [select for diffs], Thu Mar 28 23:10:05 2013 UTC (11 years, 2 months ago) by tedu
Branch: MAIN
Changes since 1.185: +2 -1 lines
Diff to previous 1.185 (colored)

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick

Revision 1.185 / (download) - annotate - [select for diffs], Thu Sep 20 10:25:03 2012 UTC (11 years, 8 months ago) by blambert
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.184: +11 -11 lines
Diff to previous 1.184 (colored)

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@

Revision 1.184 / (download) - annotate - [select for diffs], Tue Sep 18 09:24:45 2012 UTC (11 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.183: +2 -17 lines
Diff to previous 1.183 (colored)

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@

Revision 1.183 / (download) - annotate - [select for diffs], Wed May 11 07:37:04 2011 UTC (13 years, 1 month ago) by blambert
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.182: +8 -5 lines
Diff to previous 1.182 (colored)

Pre-allocate memory to avoid sleeping after performing a lookup, which
may lead to a race.

ok markus@ mikeb@

Revision 1.182 / (download) - annotate - [select for diffs], Thu Mar 31 10:36:42 2011 UTC (13 years, 2 months ago) by jasper
Branch: MAIN
Changes since 1.181: +2 -2 lines
Diff to previous 1.181 (colored)

- use nitems(); no binary change

ok claudio@

Revision 1.181 / (download) - annotate - [select for diffs], Fri Jul 9 16:58:06 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.180: +58 -32 lines
Diff to previous 1.180 (colored)

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table.  The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;).  Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups.  Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

Revision 1.180 / (download) - annotate - [select for diffs], Tue Apr 20 22:05:43 2010 UTC (14 years, 1 month ago) by tedu
Branch: MAIN
Changes since 1.179: +2 -1 lines
Diff to previous 1.179 (colored)

remove proc.h include from uvm_map.h.  This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily.  remove sysctl.h or add proc.h as needed.
ok deraadt

Revision 1.179 / (download) - annotate - [select for diffs], Sun Jan 10 12:43:07 2010 UTC (14 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.178: +2 -2 lines
Diff to previous 1.178 (colored)

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
    bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
    nnn/2 bits, while we still use 96 bits. 96 bits have been
    specified in draft-ietf-ipsec-ciph-sha-256-00 while
    draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

Revision 1.178 / (download) - annotate - [select for diffs], Wed Aug 12 00:13:43 2009 UTC (14 years, 10 months ago) by martynas
Branch: MAIN
Changes since 1.177: +2 -2 lines
Diff to previous 1.177 (colored)

don't confuse chars with strings;  ok oga@

Revision 1.177 / (download) - annotate - [select for diffs], Tue Jun 2 21:28:36 2009 UTC (15 years ago) by blambert
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.176: +2 -2 lines
Diff to previous 1.176 (colored)

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@

Revision 1.176 / (download) - annotate - [select for diffs], Tue Jun 2 11:05:09 2009 UTC (15 years ago) by oga
Branch: MAIN
Changes since 1.175: +8 -6 lines
Diff to previous 1.175 (colored)

Fix an off-by-one in the ddb-only debugging function tdb_hashstats.

when we check if a hash chain is over 15 long, we would access one past
the end of the array. change the static array size to a define because
it makes this checking easier to verify.

Found by Parfait.

ok deraadt@.

Revision 1.175 / (download) - annotate - [select for diffs], Mon Feb 16 00:31:25 2009 UTC (15 years, 3 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.174: +11 -1 lines
Diff to previous 1.174 (colored)

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsync's handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@

Revision 1.174 / (download) - annotate - [select for diffs], Wed Oct 22 23:04:45 2008 UTC (15 years, 7 months ago) by mpf
Branch: MAIN
Changes since 1.173: +3 -3 lines
Diff to previous 1.173 (colored)

#if INET  => #ifdef INET
#if INET6 => #ifdef INET6

Revision 1.173 / (download) - annotate - [select for diffs], Mon Sep 15 21:46:01 2008 UTC (15 years, 8 months ago) by chl
Branch: MAIN
Changes since 1.172: +1 -7 lines
Diff to previous 1.172 (colored)

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@

Revision 1.172 / (download) - annotate - [select for diffs], Wed Sep 10 14:01:23 2008 UTC (15 years, 9 months ago) by blambert
Branch: MAIN
Changes since 1.171: +3 -3 lines
Diff to previous 1.171 (colored)

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@

Revision 1.171 / (download) - annotate - [select for diffs], Fri Apr 18 06:42:20 2008 UTC (16 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.170: +2 -2 lines
Diff to previous 1.170 (colored)

use arc4random_uniform() for random number requests that are not a
power of two.

use arc4random_bytes() when requesting more than a word of PRNG
output.

ok deraadt@

Revision 1.170 / (download) - annotate - [select for diffs], Mon Oct 29 16:19:23 2007 UTC (16 years, 7 months ago) by chl
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.169: +2 -2 lines
Diff to previous 1.169 (colored)

MALLOC/FREE -> malloc/free

ok krw@

Revision 1.169 / (download) - annotate - [select for diffs], Tue Oct 9 01:49:30 2007 UTC (16 years, 8 months ago) by krw
Branch: MAIN
Changes since 1.168: +18 -30 lines
Diff to previous 1.168 (colored)

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

As with many of the last commits, looked at by chl@ in an earlier
version.

Revision 1.168 / (download) - annotate - [select for diffs], Wed Feb 14 00:53:48 2007 UTC (17 years, 4 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.167: +2 -2 lines
Diff to previous 1.167 (colored)

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@

Revision 1.167 / (download) - annotate - [select for diffs], Thu Jan 18 20:00:19 2007 UTC (17 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.166: +3 -1 lines
Diff to previous 1.166 (colored)

allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
compile and work. need to register pfkey whenever tcp md5 or ipsec is
defined, and the various ipsec encapsulations only if ipsec is defined.
ok theo

Revision 1.166 / (download) - annotate - [select for diffs], Fri Nov 24 13:52:14 2006 UTC (17 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.165: +14 -1 lines
Diff to previous 1.165 (colored)

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@

Revision 1.165 / (download) - annotate - [select for diffs], Fri Jan 13 10:11:23 2006 UTC (18 years, 5 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0, OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.164: +1 -3 lines
Diff to previous 1.164 (colored)

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@

Revision 1.164 / (download) - annotate - [select for diffs], Thu Nov 24 12:08:16 2005 UTC (18 years, 6 months ago) by pedro
Branch: MAIN
Changes since 1.163: +1 -379 lines
Diff to previous 1.163 (colored)

Remove kernfs, okay deraadt@.

Revision 1.163 / (download) - annotate - [select for diffs], Sat May 28 15:10:07 2005 UTC (19 years ago) by ho
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.162: +2 -6 lines
Diff to previous 1.162 (colored)

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@

Revision 1.162 / (download) - annotate - [select for diffs], Fri May 27 19:33:56 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.161: +151 -76 lines
Diff to previous 1.161 (colored)

long overdue snprintf cleanup in kernfs related code
ok cloder

Revision 1.161 / (download) - annotate - [select for diffs], Thu Apr 21 08:56:24 2005 UTC (19 years, 1 month ago) by hshoexer
Branch: MAIN
Changes since 1.160: +3 -1 lines
Diff to previous 1.160 (colored)

handle return value of snprintf correctly

ok deraadt@

Revision 1.160 / (download) - annotate - [select for diffs], Fri Nov 19 10:11:52 2004 UTC (19 years, 6 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.159: +45 -40 lines
Diff to previous 1.159 (colored)

Plug memory leak.  Found by pat@.  Thanks!

ok myself markus@

Revision 1.159 / (download) - annotate - [select for diffs], Mon Jun 21 23:50:37 2004 UTC (19 years, 11 months ago) by tholo
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.158: +14 -14 lines
Diff to previous 1.158 (colored)

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

Revision 1.79.2.10 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:25 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.79.2.9: +48 -27 lines
Diff to previous 1.79.2.9 (colored) to branchpoint 1.79 (colored) next main 1.80 (colored)

Merge with the trunk

Revision 1.158 / (download) - annotate - [select for diffs], Wed Apr 14 20:10:04 2004 UTC (20 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: SMP_SYNC_B, SMP_SYNC_A
Changes since 1.157: +25 -23 lines
Diff to previous 1.157 (colored)

simpler ipsp_aux_match() API; ok henning, hshoexer

Revision 1.157 / (download) - annotate - [select for diffs], Wed Mar 31 10:21:37 2004 UTC (20 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.156: +21 -3 lines
Diff to previous 1.156 (colored)

in gettdbbysrcdst(), allow matching with either src or dst being a wildcard
(empty) entry
ok markus@

Revision 1.79.2.9 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:24 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.79.2.8: +37 -1 lines
Diff to previous 1.79.2.8 (colored) to branchpoint 1.79 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.156 / (download) - annotate - [select for diffs], Sun Feb 15 12:44:24 2004 UTC (20 years, 4 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.155: +5 -4 lines
Diff to previous 1.155 (colored)

check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning

Revision 1.155 / (download) - annotate - [select for diffs], Tue Jan 27 09:29:22 2004 UTC (20 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.154: +8 -6 lines
Diff to previous 1.154 (colored)

in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table
with hshoexer@

Revision 1.154 / (download) - annotate - [select for diffs], Thu Jan 22 14:38:28 2004 UTC (20 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.153: +28 -1 lines
Diff to previous 1.153 (colored)

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@

Revision 1.153 / (download) - annotate - [select for diffs], Tue Dec 2 23:16:28 2003 UTC (20 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.152: +8 -1 lines
Diff to previous 1.152 (colored)

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@

Revision 1.144.2.3 / (download) - annotate - [select for diffs], Mon May 19 22:40:41 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.144.2.2: +161 -99 lines
Diff to previous 1.144.2.2 (colored) to branchpoint 1.144 (colored) next main 1.145 (colored)

sync

Revision 1.79.2.8 / (download) - annotate - [select for diffs], Tue May 13 19:36:17 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.79.2.7: +154 -92 lines
Diff to previous 1.79.2.7 (colored) to branchpoint 1.79 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.152 / (download) - annotate - [select for diffs], Fri May 9 14:59:19 2003 UTC (21 years, 1 month ago) by deraadt
Branch: MAIN
CVS Tags: UBC_SYNC_A, OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.151: +122 -76 lines
Diff to previous 1.151 (colored)

string cleaning; ok tedu

Revision 1.151 / (download) - annotate - [select for diffs], Tue May 6 07:28:39 2003 UTC (21 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.150: +66 -50 lines
Diff to previous 1.150 (colored)

string cleaning; tedu ok

Revision 1.79.2.7 / (download) - annotate - [select for diffs], Fri Mar 28 00:06:54 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.79.2.6: +96 -91 lines
Diff to previous 1.79.2.6 (colored) to branchpoint 1.79 (colored)

Sync the SMP branch with 3.3

Revision 1.150 / (download) - annotate - [select for diffs], Tue Nov 19 18:34:41 2002 UTC (21 years, 6 months ago) by jason
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.149: +8 -8 lines
Diff to previous 1.149 (colored)

Use queue.h macros

Revision 1.144.2.2 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:47 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.144.2.1: +4 -4 lines
Diff to previous 1.144.2.1 (colored) to branchpoint 1.144 (colored)

sync to -current

Revision 1.144.2.1 / (download) - annotate - [select for diffs], Tue Jun 11 03:31:36 2002 UTC (22 years ago) by art
Branch: UBC
Changes since 1.144: +98 -89 lines
Diff to previous 1.144 (colored)

Sync UBC branch to -current

Revision 1.149 / (download) - annotate - [select for diffs], Sun Jun 9 16:26:10 2002 UTC (22 years ago) by itojun
Branch: MAIN
CVS Tags: UBC_SYNC_B, OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.148: +4 -4 lines
Diff to previous 1.148 (colored)

whitespace

Revision 1.148 / (download) - annotate - [select for diffs], Sun Jun 9 04:22:40 2002 UTC (22 years ago) by angelos
Branch: MAIN
Changes since 1.147: +15 -13 lines
Diff to previous 1.147 (colored)

Comment out currently-unused code (it's there for the ethernet-ipsec
cards, none of which we support at the moment).

Revision 1.147 / (download) - annotate - [select for diffs], Fri May 31 02:41:08 2002 UTC (22 years ago) by angelos
Branch: MAIN
Changes since 1.146: +73 -70 lines
Diff to previous 1.146 (colored)

Move some common code to separate routines; also, fix the problem of
using the same SA for different traffic classes. Now, different SAs
will be renegotiated as needed.

XXX It's a sub-optimal (but correct) solution, as it looks for an
exact match -- it should be checking for subset/subnet. One of these
days...

Revision 1.79.2.6 / (download) - annotate - [select for diffs], Thu Mar 28 14:56:45 2002 UTC (22 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.79.2.5: +7 -7 lines
Diff to previous 1.79.2.5 (colored) to branchpoint 1.79 (colored)

Merge in -current from roughly a week ago

Revision 1.146 / (download) - annotate - [select for diffs], Thu Mar 14 01:27:11 2002 UTC (22 years, 3 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.145: +8 -8 lines
Diff to previous 1.145 (colored)

First round of __P removal in sys

Revision 1.79.2.5 / (download) - annotate - [select for diffs], Wed Mar 6 02:15:07 2002 UTC (22 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.79.2.4: +27 -24 lines
Diff to previous 1.79.2.4 (colored) to branchpoint 1.79 (colored)

Merge in trunk

Revision 1.145 / (download) - annotate - [select for diffs], Sat Feb 23 22:16:13 2002 UTC (22 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.144: +5 -1 lines
Diff to previous 1.144 (colored)

Print compression algorithm name too.

Revision 1.144 / (download) - annotate - [select for diffs], Wed Dec 5 10:00:46 2001 UTC (22 years, 6 months ago) by deraadt
Branch: MAIN
CVS Tags: UBC_BASE
Branch point for: UBC
Changes since 1.143: +23 -24 lines
Diff to previous 1.143 (colored)

KNF whack

Revision 1.79.2.4 / (download) - annotate - [select for diffs], Wed Oct 31 03:29:03 2001 UTC (22 years, 7 months ago) by nate
Branch: SMP
Changes since 1.79.2.3: +43 -23 lines
Diff to previous 1.79.2.3 (colored) to branchpoint 1.79 (colored)

Sync the SMP branch to something just after 3.0

Revision 1.143 / (download) - annotate - [select for diffs], Wed Oct 3 02:08:41 2001 UTC (22 years, 8 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Changes since 1.142: +5 -9 lines
Diff to previous 1.142 (colored)

If the TDB doesn't have an attached src/dst ID, it can be used for any
type of traffic.

Revision 1.142 / (download) - annotate - [select for diffs], Wed Sep 5 19:22:23 2001 UTC (22 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.141: +14 -14 lines
Diff to previous 1.141 (colored)

use %ll instead of %q

Revision 1.141 / (download) - annotate - [select for diffs], Wed Aug 8 15:07:04 2001 UTC (22 years, 10 months ago) by jjbg
Branch: MAIN
Changes since 1.140: +1 -3 lines
Diff to previous 1.140 (colored)

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.

Revision 1.140 / (download) - annotate - [select for diffs], Thu Jul 5 16:45:54 2001 UTC (22 years, 11 months ago) by jjbg
Branch: MAIN
Changes since 1.139: +28 -2 lines
Diff to previous 1.139 (colored)

IPComp support. angelos@ ok.

Revision 1.79.2.3 / (download) - annotate - [select for diffs], Wed Jul 4 10:54:51 2001 UTC (22 years, 11 months ago) by niklas
Branch: SMP
Changes since 1.79.2.2: +1045 -752 lines
Diff to previous 1.79.2.2 (colored) to branchpoint 1.79 (colored)

Merge in -current from two days ago in the SMP branch.
As usual with merges, they do not indicate progress, so do not hold
your breath for working SMP, and do not mail me and ask about the
state of it.  It has not changed.  There is work ongoing, but very, very
slowly.  The commit is done in parts as to not lock up the tree in too
big chunks at a time.

Revision 1.139 / (download) - annotate - [select for diffs], Wed Jun 27 02:32:58 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.138: +50 -45 lines
Diff to previous 1.138 (colored)

Minor nits.

Revision 1.138 / (download) - annotate - [select for diffs], Wed Jun 27 01:34:07 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.137: +7 -12 lines
Diff to previous 1.137 (colored)

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.

Revision 1.137 / (download) - annotate - [select for diffs], Tue Jun 26 18:34:39 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.136: +3 -2 lines
Diff to previous 1.136 (colored)

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF

Revision 1.136 / (download) - annotate - [select for diffs], Tue Jun 26 03:52:40 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.135: +929 -973 lines
Diff to previous 1.135 (colored)

KNF

Revision 1.135 / (download) - annotate - [select for diffs], Mon Jun 25 05:11:58 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.134: +3 -3 lines
Diff to previous 1.134 (colored)

Copyright.

Revision 1.134 / (download) - annotate - [select for diffs], Sun Jun 24 23:11:45 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.133: +6 -1 lines
Diff to previous 1.133 (colored)

print mtu of tdb if discovered

Revision 1.133 / (download) - annotate - [select for diffs], Sun Jun 24 21:14:33 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.132: +2 -1 lines
Diff to previous 1.132 (colored)

Print TDBF_USEDTUNNEL in ipsp_kern()

Revision 1.132 / (download) - annotate - [select for diffs], Sat Jun 23 04:39:34 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.131: +12 -12 lines
Diff to previous 1.131 (colored)

Having to update queue(3) for DLIST_* is a major PITA; thus, just use
SLIST and be done with it.

Revision 1.131 / (download) - annotate - [select for diffs], Sat Jun 23 04:01:57 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.130: +12 -12 lines
Diff to previous 1.130 (colored)

Use DLIST for tags.

Revision 1.130 / (download) - annotate - [select for diffs], Fri Jun 8 03:13:14 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.129: +2 -10 lines
Diff to previous 1.129 (colored)

Trim include files.

Revision 1.129 / (download) - annotate - [select for diffs], Thu Jun 7 16:19:47 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.128: +24 -54 lines
Diff to previous 1.128 (colored)

Simplify SPD logic (and correct some input cases).

Revision 1.128 / (download) - annotate - [select for diffs], Tue Jun 5 11:31:31 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.127: +1 -4 lines
Diff to previous 1.127 (colored)

That DPRINTF() is not needed.

Revision 1.127 / (download) - annotate - [select for diffs], Tue Jun 5 09:21:38 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.126: +3 -2 lines
Diff to previous 1.126 (colored)

Clear acquires only if TDB was established correctly.

Revision 1.126 / (download) - annotate - [select for diffs], Tue Jun 5 06:38:07 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.125: +13 -17 lines
Diff to previous 1.125 (colored)

Correct credential matching logic.

Revision 1.125 / (download) - annotate - [select for diffs], Mon Jun 4 18:38:12 2001 UTC (23 years ago) by mickey
Branch: MAIN
Changes since 1.124: +2 -5 lines
Diff to previous 1.124 (colored)

use a faster arc4random() for random spi generation; angelos@ ok

Revision 1.124 / (download) - annotate - [select for diffs], Fri Jun 1 08:18:27 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.123: +17 -8 lines
Diff to previous 1.123 (colored)

Merge two m_copydata() calls into one, and (hopefully) correct the
self-describing padding verification.

Revision 1.123 / (download) - annotate - [select for diffs], Fri Jun 1 07:56:46 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.122: +221 -1 lines
Diff to previous 1.122 (colored)

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.

Revision 1.122 / (download) - annotate - [select for diffs], Wed May 30 16:43:11 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.121: +13 -1 lines
Diff to previous 1.121 (colored)

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs

Revision 1.121 / (download) - annotate - [select for diffs], Wed May 30 11:15:37 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.120: +7 -1 lines
Diff to previous 1.120 (colored)

Free remote authentication material on TDB free.

Revision 1.120 / (download) - annotate - [select for diffs], Wed May 30 10:56:46 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.119: +7 -1 lines
Diff to previous 1.119 (colored)

Free local auth on TDB free.

Revision 1.119 / (download) - annotate - [select for diffs], Tue May 29 01:17:24 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.118: +18 -3 lines
Diff to previous 1.118 (colored)

Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and
print the relevant information on KERNFS.

Revision 1.118 / (download) - annotate - [select for diffs], Tue May 29 01:03:00 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.117: +27 -1 lines
Diff to previous 1.117 (colored)

Add ipsp_skipcrypto_{mark,unmark}()

Revision 1.117 / (download) - annotate - [select for diffs], Sun May 27 05:16:32 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.116: +1 -23 lines
Diff to previous 1.116 (colored)

ipsp_copy_ident() no longer needed.

Revision 1.116 / (download) - annotate - [select for diffs], Tue May 22 02:55:49 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.115: +22 -71 lines
Diff to previous 1.115 (colored)

Simplify option printing. ok deraadt@

Revision 1.115 / (download) - annotate - [select for diffs], Mon May 21 03:02:19 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.114: +50 -32 lines
Diff to previous 1.114 (colored)

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@

Revision 1.79.2.2 / (download) - annotate - [select for diffs], Mon May 14 22:40:11 2001 UTC (23 years, 1 month ago) by niklas
Branch: SMP
Changes since 1.79.2.1: +475 -1316 lines
Diff to previous 1.79.2.1 (colored) to branchpoint 1.79 (colored)

merge in approximately 2.9 into SMP branch

Revision 1.114 / (download) - annotate - [select for diffs], Sat May 5 00:31:19 2001 UTC (23 years, 1 month ago) by angelos
Branch: MAIN
Changes since 1.113: +160 -24 lines
Diff to previous 1.113 (colored)

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.

Revision 1.113 / (download) - annotate - [select for diffs], Fri Apr 6 04:42:08 2001 UTC (23 years, 2 months ago) by csapuntz
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE, OPENBSD_2_9
Changes since 1.112: +1 -5 lines
Diff to previous 1.112 (colored)

Move offsetof define into sys/param.h

Revision 1.112 / (download) - annotate - [select for diffs], Wed Mar 28 20:34:03 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.111: +3 -2 lines
Diff to previous 1.111 (colored)

tdb_inp -> (tdb_inp_in, tdb_inp_out)

Revision 1.111 / (download) - annotate - [select for diffs], Wed Mar 28 20:03:04 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.110: +69 -34 lines
Diff to previous 1.110 (colored)

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.

Revision 1.110 / (download) - annotate - [select for diffs], Tue Mar 27 14:45:22 2001 UTC (23 years, 2 months ago) by art
Branch: MAIN
Changes since 1.109: +32 -27 lines
Diff to previous 1.109 (colored)

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.

Revision 1.109 / (download) - annotate - [select for diffs], Thu Mar 15 06:30:59 2001 UTC (23 years, 3 months ago) by mickey
Branch: MAIN
Changes since 1.108: +92 -265 lines
Diff to previous 1.108 (colored)

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok

Revision 1.108 / (download) - annotate - [select for diffs], Tue Mar 13 01:23:18 2001 UTC (23 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.107: +2 -1 lines
Diff to previous 1.107 (colored)

Force a new search for an SA if the latched one is deleted.

Revision 1.107 / (download) - annotate - [select for diffs], Sun Mar 4 20:34:00 2001 UTC (23 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.106: +7 -1 lines
Diff to previous 1.106 (colored)

Store peer's credentials in TDB.

Revision 1.106 / (download) - annotate - [select for diffs], Wed Feb 28 04:16:57 2001 UTC (23 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.105: +10 -10 lines
Diff to previous 1.105 (colored)

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.

Revision 1.105 / (download) - annotate - [select for diffs], Thu Dec 28 21:34:03 2000 UTC (23 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.104: +1 -4 lines
Diff to previous 1.104 (colored)

Remove unused and confusing reporting line.

Revision 1.104 / (download) - annotate - [select for diffs], Sun Dec 24 04:18:05 2000 UTC (23 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.103: +6 -3 lines
Diff to previous 1.103 (colored)

Extra argument in the function to tdb_walk(), indicating last TDB.

Revision 1.103 / (download) - annotate - [select for diffs], Mon Dec 18 16:45:32 2000 UTC (23 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.102: +5 -1 lines
Diff to previous 1.102 (colored)

Minor sanity check.

Revision 1.102 / (download) - annotate - [select for diffs], Fri Dec 15 06:24:03 2000 UTC (23 years, 6 months ago) by provos
Branch: MAIN
Changes since 1.101: +4 -9 lines
Diff to previous 1.101 (colored)

send expire messages also for sa's that have not been used.
okay angelos@

Revision 1.101 / (download) - annotate - [select for diffs], Tue Sep 19 08:38:59 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE, OPENBSD_2_8
Changes since 1.100: +23 -1 lines
Diff to previous 1.100 (colored)

SA bundles.

Revision 1.100 / (download) - annotate - [select for diffs], Tue Sep 19 03:20:58 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.99: +333 -1356 lines
Diff to previous 1.99 (colored)

Lots and lots of changes.

Revision 1.99 / (download) - annotate - [select for diffs], Thu Aug 3 08:31:39 2000 UTC (23 years, 10 months ago) by angelos
Branch: MAIN
Changes since 1.98: +1 -2 lines
Diff to previous 1.98 (colored)

Don't even need to reset ip_sum, if we're not going to compute it here
but in ip_output()

Revision 1.98 / (download) - annotate - [select for diffs], Thu Aug 3 08:29:55 2000 UTC (23 years, 10 months ago) by angelos
Branch: MAIN
Changes since 1.97: +1 -2 lines
Diff to previous 1.97 (colored)

Avoid unnecessary call to in_cksum().

Revision 1.97 / (download) - annotate - [select for diffs], Thu Aug 3 08:12:33 2000 UTC (23 years, 10 months ago) by angelos
Branch: MAIN
Changes since 1.96: +3 -1 lines
Diff to previous 1.96 (colored)

Zeroize ip_sum before computing checksum (just general paranoia).

Revision 1.96 / (download) - annotate - [select for diffs], Mon Jun 19 03:43:15 2000 UTC (23 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.95: +28 -12 lines
Diff to previous 1.95 (colored)

IPv6 IPsec, outbound direction.

restriction: if there's any extension header (except fragment)
and outbound packet matches tdb, we can't encrypt it.
packet will not go out of the node (dropped).

Revision 1.95 / (download) - annotate - [select for diffs], Sun Jun 18 19:48:54 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.94: +2 -2 lines
Diff to previous 1.94 (colored)

Correct function declaration.

Revision 1.94 / (download) - annotate - [select for diffs], Sun Jun 18 19:10:07 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.93: +5 -4 lines
Diff to previous 1.93 (colored)

Pull in the right header for ip6_sprintf(), fix argument.

Revision 1.93 / (download) - annotate - [select for diffs], Sun Jun 18 19:05:46 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.92: +4 -24 lines
Diff to previous 1.92 (colored)

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()

Revision 1.92 / (download) - annotate - [select for diffs], Sun Jun 18 05:54:37 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.91: +3 -3 lines
Diff to previous 1.91 (colored)

Print++

Revision 1.91 / (download) - annotate - [select for diffs], Tue Jun 6 04:49:29 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.90: +1 -12 lines
Diff to previous 1.90 (colored)

Get rid of tdb_ref, keep indirect pointer to TDB.

Revision 1.90 / (download) - annotate - [select for diffs], Thu Jun 1 06:11:08 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.89: +2 -2 lines
Diff to previous 1.89 (colored)

Fix the German's comment typos.

Revision 1.89 / (download) - annotate - [select for diffs], Thu Jun 1 05:46:12 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.88: +2 -2 lines
Diff to previous 1.88 (colored)

Should learn how to count...

Revision 1.88 / (download) - annotate - [select for diffs], Thu Jun 1 05:33:08 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.87: +11 -10 lines
Diff to previous 1.87 (colored)

Oops, remove bogus comment.

Revision 1.87 / (download) - annotate - [select for diffs], Thu Jun 1 05:08:42 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.86: +12 -12 lines
Diff to previous 1.86 (colored)

Beautify a little bit.

Revision 1.86 / (download) - annotate - [select for diffs], Thu Jun 1 04:38:34 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.85: +2 -2 lines
Diff to previous 1.85 (colored)

Use ipsp_spd_lookup() in ip_output()

Revision 1.85 / (download) - annotate - [select for diffs], Thu Jun 1 04:24:26 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.84: +114 -175 lines
Diff to previous 1.84 (colored)

ipsp_acquire_sa()

Revision 1.84 / (download) - annotate - [select for diffs], Thu Jun 1 04:02:32 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.83: +351 -1 lines
Diff to previous 1.83 (colored)

ipsp_spd_lookup()

Revision 1.83 / (download) - annotate - [select for diffs], Wed Apr 19 03:37:35 2000 UTC (24 years, 1 month ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE, OPENBSD_2_7
Changes since 1.82: +4 -2 lines
Diff to previous 1.82 (colored)

tdb_ref should be signed; this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.

Revision 1.82 / (download) - annotate - [select for diffs], Tue Mar 28 07:04:02 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.81: +2 -2 lines
Diff to previous 1.81 (colored)

Allow authentication-only ESP (must have broken it in the previous
round of commits).

Revision 1.81 / (download) - annotate - [select for diffs], Tue Mar 28 06:58:14 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.80: +29 -17 lines
Diff to previous 1.80 (colored)

Set the protocol family in the destination address of bypass flows.

Revision 1.79.2.1 / (download) - annotate - [select for diffs], Fri Mar 24 09:09:37 2000 UTC (24 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.79: +253 -179 lines
Diff to previous 1.79 (colored)

Sync with -current

Revision 1.80 / (download) - annotate - [select for diffs], Fri Mar 17 10:25:22 2000 UTC (24 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.79: +253 -179 lines
Diff to previous 1.79 (colored)

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
 - multiple instances of the same algorithm used in the same session
 - use of multiple crypto drivers in the same session
 - asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.

Revision 1.79 / (download) - annotate - [select for diffs], Wed Feb 9 04:19:19 2000 UTC (24 years, 4 months ago) by itojun
Branch: MAIN
CVS Tags: SMP_BASE
Branch point for: SMP
Changes since 1.78: +1 -2 lines
Diff to previous 1.78 (colored)

don't need netinet6/in6.h

Revision 1.78 / (download) - annotate - [select for diffs], Mon Feb 7 06:09:09 2000 UTC (24 years, 4 months ago) by itojun
Branch: MAIN
Changes since 1.77: +4 -2 lines
Diff to previous 1.77 (colored)

fix include file path related to ip6.

Revision 1.77 / (download) - annotate - [select for diffs], Thu Jan 27 08:09:12 2000 UTC (24 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.76: +27 -14 lines
Diff to previous 1.76 (colored)

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).

Revision 1.76 / (download) - annotate - [select for diffs], Fri Jan 21 03:15:05 2000 UTC (24 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.75: +3 -3 lines
Diff to previous 1.75 (colored)

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.

Revision 1.75 / (download) - annotate - [select for diffs], Thu Jan 13 05:30:11 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.74: +7 -1 lines
Diff to previous 1.74 (colored)

Print number of ingress flows in /kern/ipsec

Revision 1.74 / (download) - annotate - [select for diffs], Thu Jan 13 00:34:31 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.73: +43 -30 lines
Diff to previous 1.73 (colored)

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)

Revision 1.73 / (download) - annotate - [select for diffs], Tue Jan 11 03:10:04 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.72: +8 -3 lines
Diff to previous 1.72 (colored)

Correct sa_require handling.

Revision 1.72 / (download) - annotate - [select for diffs], Tue Jan 11 01:39:10 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.71: +3 -3 lines
Diff to previous 1.71 (colored)

Fix check for sen_type.

Revision 1.71 / (download) - annotate - [select for diffs], Tue Jan 11 01:03:22 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.70: +2 -2 lines
Diff to previous 1.70 (colored)

Use default values when requesting dynamic VPNs.

Revision 1.70 / (download) - annotate - [select for diffs], Tue Jan 11 00:44:32 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.69: +24 -9 lines
Diff to previous 1.69 (colored)

Only use defaults if they have sane values.

Revision 1.69 / (download) - annotate - [select for diffs], Mon Jan 10 06:59:22 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.68: +45 -8 lines
Diff to previous 1.68 (colored)

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.

Revision 1.68 / (download) - annotate - [select for diffs], Mon Jan 10 05:35:09 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.67: +41 -2 lines
Diff to previous 1.67 (colored)

Some more code for dealing with socket IPsec options.

Revision 1.67 / (download) - annotate - [select for diffs], Mon Jan 10 04:37:42 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.66: +8 -5 lines
Diff to previous 1.66 (colored)

Only setup an expiration for embryonic SAs if
net.inet.ip.ipsec-invalid-life >=0

Revision 1.66 / (download) - annotate - [select for diffs], Mon Jan 10 04:30:52 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.65: +3 -3 lines
Diff to previous 1.65 (colored)

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).

Revision 1.65 / (download) - annotate - [select for diffs], Mon Jan 10 04:16:52 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.64: +112 -44 lines
Diff to previous 1.64 (colored)

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.

Revision 1.64 / (download) - annotate - [select for diffs], Mon Jan 10 01:19:16 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.63: +4 -1 lines
Diff to previous 1.63 (colored)

Free ACL when deleting TDB.

Revision 1.63 / (download) - annotate - [select for diffs], Sun Jan 9 23:02:15 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.62: +3 -3 lines
Diff to previous 1.62 (colored)

Ports in network order...

Revision 1.62 / (download) - annotate - [select for diffs], Mon Dec 27 03:05:52 1999 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.61: +5 -1 lines
Diff to previous 1.61 (colored)

Print associated interface, if present.

Revision 1.61 / (download) - annotate - [select for diffs], Sat Dec 25 07:09:42 1999 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.60: +9 -12 lines
Diff to previous 1.60 (colored)

Change some function prototypes, don't unnecessarily initialize some
variables.

Revision 1.60 / (download) - annotate - [select for diffs], Sat Dec 25 04:48:16 1999 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.59: +240 -7 lines
Diff to previous 1.59 (colored)

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.

Revision 1.59 / (download) - annotate - [select for diffs], Wed Dec 8 06:06:43 1999 UTC (24 years, 6 months ago) by itojun
Branch: MAIN
CVS Tags: kame_19991208
Changes since 1.58: +3 -3 lines
Diff to previous 1.58 (colored)

comment out call to inet_ntoa6() as we don't have the code yet.

Revision 1.58 / (download) - annotate - [select for diffs], Mon Dec 6 07:14:36 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

New ESP code that's v4 and v6 friendly.

Revision 1.57 / (download) - annotate - [select for diffs], Sun Dec 5 22:09:18 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.56: +8 -2 lines
Diff to previous 1.56 (colored)

Fix an INET6 dependency (niklas@)

Revision 1.56 / (download) - annotate - [select for diffs], Sat Dec 4 23:20:21 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.55: +94 -27 lines
Diff to previous 1.55 (colored)

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.

Revision 1.55 / (download) - annotate - [select for diffs], Thu Nov 4 11:20:05 1999 UTC (24 years, 7 months ago) by ho
Branch: MAIN
Changes since 1.54: +50 -7 lines
Diff to previous 1.54 (colored)

Add tdb for IPsec bypass flows. gettdb() should be called at spltdb().

Revision 1.54 / (download) - annotate - [select for diffs], Fri Sep 3 13:52:34 1999 UTC (24 years, 9 months ago) by ho
Branch: MAIN
CVS Tags: OPENBSD_2_6_BASE, OPENBSD_2_6
Changes since 1.53: +3 -3 lines
Diff to previous 1.53 (colored)

inet_ntoa4 should manage 4-calls, not just 2

Revision 1.53 / (download) - annotate - [select for diffs], Tue Aug 10 11:35:26 1999 UTC (24 years, 10 months ago) by ho
Branch: MAIN
Changes since 1.52: +2 -1 lines
Diff to previous 1.52 (colored)

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb

Revision 1.52 / (download) - annotate - [select for diffs], Thu Aug 5 21:58:15 1999 UTC (24 years, 10 months ago) by ho
Branch: MAIN
Changes since 1.51: +62 -2 lines
Diff to previous 1.51 (colored)

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.

Revision 1.51 / (download) - annotate - [select for diffs], Sat Jul 17 00:41:52 1999 UTC (24 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.50: +19 -14 lines
Diff to previous 1.50 (colored)

A good hashing function for IPsec SAs that should remove the risks
of running out of memory when adding SPIs.

Revision 1.50 / (download) - annotate - [select for diffs], Thu Jul 15 14:46:05 1999 UTC (24 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.49: +102 -34 lines
Diff to previous 1.49 (colored)

Protect better against rehashing making the kernel run out of resources

Revision 1.49 / (download) - annotate - [select for diffs], Thu Jul 15 14:15:41 1999 UTC (24 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.48: +37 -22 lines
Diff to previous 1.48 (colored)

From angelos@, edits by me, demand keying for PF_KEY

Revision 1.48 / (download) - annotate - [select for diffs], Tue Jul 6 20:54:03 1999 UTC (24 years, 11 months ago) by ho
Branch: MAIN
Changes since 1.47: +3 -4 lines
Diff to previous 1.47 (colored)

ipsec_in_use could get out of sync. (Also niklas@. angelos@ ok)

Revision 1.47 / (download) - annotate - [select for diffs], Tue Jul 6 20:17:52 1999 UTC (24 years, 11 months ago) by cmetz
Branch: MAIN
Changes since 1.46: +7 -1 lines
Diff to previous 1.46 (colored)

Added support for TCP MD5 option (RFC 2385).

Revision 1.46 / (download) - annotate - [select for diffs], Mon Jun 7 07:20:38 1999 UTC (25 years ago) by angelos
Branch: MAIN
Changes since 1.45: +5 -2 lines
Diff to previous 1.45 (colored)

Fix use of uninitialized TDB hash table in tdb_delete(), introduced
along with the dynamically-resized TDB table (report and fix
suggestion by henric@ncal.verio.com)

Revision 1.45 / (download) - annotate - [select for diffs], Fri Jun 4 22:40:36 1999 UTC (25 years ago) by provos
Branch: MAIN
Changes since 1.44: +2 -1 lines
Diff to previous 1.44 (colored)

forgot to zero sunion

Revision 1.44 / (download) - annotate - [select for diffs], Sun May 23 09:04:46 1999 UTC (25 years ago) by niklas
Branch: MAIN
Changes since 1.43: +65 -13 lines
Diff to previous 1.43 (colored)

SA hash table resizing

Revision 1.43 / (download) - annotate - [select for diffs], Thu May 20 12:52:35 1999 UTC (25 years ago) by niklas
Branch: MAIN
Changes since 1.42: +80 -18 lines
Diff to previous 1.42 (colored)

Fix a bug where the ordered expiration list could get out of order.  Add
invariant checking of the lists when DIAGNOSTIC compiled.  Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.

Revision 1.42 / (download) - annotate - [select for diffs], Sun May 16 21:48:35 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.41: +324 -249 lines
Diff to previous 1.41 (colored)

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration.  Cleanup expiration
logic too.

Revision 1.41 / (download) - annotate - [select for diffs], Fri May 14 23:36:18 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.40: +105 -124 lines
Diff to previous 1.40 (colored)

A new scalable IPsec SA expiration model.

Revision 1.40 / (download) - annotate - [select for diffs], Mon Apr 12 03:17:09 1999 UTC (25 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_2_5_BASE, OPENBSD_2_5
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

move encdebug to a useful place

Revision 1.39 / (download) - annotate - [select for diffs], Sat Mar 27 21:04:19 1999 UTC (25 years, 2 months ago) by provos
Branch: MAIN
Changes since 1.38: +104 -45 lines
Diff to previous 1.38 (colored)

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew.  this was all done in canada. dugsong and linh
provided the ride and company.

Revision 1.38 / (download) - annotate - [select for diffs], Wed Mar 24 17:00:47 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.37: +9 -15 lines
Diff to previous 1.37 (colored)

Implement lifetime expiration notifications.  Fix some typos.  Remove statics.

Revision 1.37 / (download) - annotate - [select for diffs], Thu Mar 4 21:51:27 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.36: +5 -7 lines
Diff to previous 1.36 (colored)

be more careful with freeing TDBs

Revision 1.36 / (download) - annotate - [select for diffs], Thu Mar 4 20:30:36 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.35: +3 -4 lines
Diff to previous 1.35 (colored)

more paranoid maintenance

Revision 1.35 / (download) - annotate - [select for diffs], Thu Feb 25 22:37:29 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.34: +10 -8 lines
Diff to previous 1.34 (colored)

Prettier reporting, report number of flows in use per SA.

Revision 1.34 / (download) - annotate - [select for diffs], Thu Feb 25 20:21:07 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.33: +20 -22 lines
Diff to previous 1.33 (colored)

Print more information in /kern/ipsec

Revision 1.33 / (download) - annotate - [select for diffs], Wed Feb 24 23:45:51 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.32: +5 -3 lines
Diff to previous 1.32 (colored)

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.

Revision 1.32 / (download) - annotate - [select for diffs], Wed Feb 24 22:33:05 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.31: +452 -299 lines
Diff to previous 1.31 (colored)

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.

Revision 1.31 / (download) - annotate - [select for diffs], Mon Jan 11 22:52:10 1999 UTC (25 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.30: +12 -17 lines
Diff to previous 1.30 (colored)

remove panic() calls, consistent error reporting

Revision 1.30 / (download) - annotate - [select for diffs], Mon Nov 16 08:02:59 1998 UTC (25 years, 7 months ago) by niklas
Branch: MAIN
Changes since 1.29: +5 -3 lines
Diff to previous 1.29 (colored)

Please GCC

Revision 1.29 / (download) - annotate - [select for diffs], Mon Nov 16 08:00:43 1998 UTC (25 years, 7 months ago) by niklas
Branch: MAIN
Changes since 1.28: +40 -13 lines
Diff to previous 1.28 (colored)

Break long lines.  Use correct format for expiry times
Present "first use" expirations correctly.

Revision 1.28 / (download) - annotate - [select for diffs], Mon Nov 16 04:06:45 1998 UTC (25 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

SPIs are kept in network byte order

Revision 1.27 / (download) - annotate - [select for diffs], Tue Oct 13 06:49:46 1998 UTC (25 years, 8 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_4_BASE, OPENBSD_2_4
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

Remove NULL deref condition

Revision 1.26 / (download) - annotate - [select for diffs], Mon May 18 21:10:57 1998 UTC (26 years, 1 month ago) by provos
Branch: MAIN
Changes since 1.25: +184 -17 lines
Diff to previous 1.25 (colored)

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.

Revision 1.25 / (download) - annotate - [select for diffs], Sun May 17 16:52:56 1998 UTC (26 years, 1 month ago) by provos
Branch: MAIN
Changes since 1.24: +5 -1 lines
Diff to previous 1.24 (colored)

fix tdb_delete() when using SPI chains.

Revision 1.24 / (download) - annotate - [select for diffs], Sun Feb 22 01:23:33 1998 UTC (26 years, 3 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_3_BASE, OPENBSD_2_3
Changes since 1.23: +6 -2 lines
Diff to previous 1.23 (colored)

Changes made for GCC 2.8 -Wall pleasures

Revision 1.23 / (download) - annotate - [select for diffs], Tue Nov 4 09:11:15 1997 UTC (26 years, 7 months ago) by provos
Branch: MAIN
Changes since 1.22: +14 -2 lines
Diff to previous 1.22 (colored)

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.

Revision 1.22 / (download) - annotate - [select for diffs], Thu Oct 2 02:31:06 1997 UTC (26 years, 8 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_2_2_BASE, OPENBSD_2_2
Changes since 1.21: +6 -5 lines
Diff to previous 1.21 (colored)

conditional error logging

Revision 1.21 / (download) - annotate - [select for diffs], Wed Oct 1 02:34:06 1997 UTC (26 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.20: +17 -17 lines
Diff to previous 1.20 (colored)

should report unsigned quantities

Revision 1.20 / (download) - annotate - [select for diffs], Sun Sep 28 22:57:50 1997 UTC (26 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.19: +4 -4 lines
Diff to previous 1.19 (colored)

log() needs a \n

Revision 1.19 / (download) - annotate - [select for diffs], Tue Sep 23 21:42:21 1997 UTC (26 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.18: +17 -5 lines
Diff to previous 1.18 (colored)

AH changes, after interoperating at the ANX bakeoff.

Revision 1.18 / (download) - annotate - [select for diffs], Mon Jul 28 18:55:33 1997 UTC (26 years, 10 months ago) by provos
Branch: MAIN
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)

make it compile

Revision 1.17 / (download) - annotate - [select for diffs], Sun Jul 27 23:30:36 1997 UTC (26 years, 10 months ago) by niklas
Branch: MAIN
Changes since 1.16: +290 -9 lines
Diff to previous 1.16 (colored)

expiration messages, fixes, updates, all sorts of things

Revision 1.16 / (download) - annotate - [select for diffs], Thu Jul 24 01:45:29 1997 UTC (26 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

bail properly if malloc fails

Revision 1.15 / (download) - annotate - [select for diffs], Fri Jul 18 18:09:56 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

enablespi/disablespi in encap + print spi's in hostorder

Revision 1.14 / (download) - annotate - [select for diffs], Tue Jul 15 23:11:10 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.13: +3 -1 lines
Diff to previous 1.13 (colored)

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix

Revision 1.13 / (download) - annotate - [select for diffs], Fri Jul 11 23:37:58 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.12: +128 -113 lines
Diff to previous 1.12 (colored)

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.

Revision 1.12 / (download) - annotate - [select for diffs], Wed Jul 2 06:58:42 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.11: +30 -14 lines
Diff to previous 1.11 (colored)

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.

Revision 1.11 / (download) - annotate - [select for diffs], Tue Jul 1 22:12:51 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.10: +35 -35 lines
Diff to previous 1.10 (colored)

major restructuring

Revision 1.10 / (download) - annotate - [select for diffs], Wed Jun 25 07:53:28 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.9: +56 -5 lines
Diff to previous 1.9 (colored)

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI

Revision 1.9 / (download) - annotate - [select for diffs], Tue Jun 24 12:15:25 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.8: +3 -3 lines
Diff to previous 1.8 (colored)

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes

Revision 1.8 / (download) - annotate - [select for diffs], Sat Jun 21 00:09:19 1997 UTC (26 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

u_int32_t changes, need testing

Revision 1.7 / (download) - annotate - [select for diffs], Fri Jun 20 05:41:53 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.6: +86 -80 lines
Diff to previous 1.6 (colored)

ah-sha1 + esp-3des + indentation

Revision 1.6 / (download) - annotate - [select for diffs], Mon Feb 24 14:06:42 1997 UTC (27 years, 3 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_1_BASE, OPENBSD_2_1
Changes since 1.5: +5 -0 lines
Diff to previous 1.5 (colored)

OpenBSD tags + some prototyping police

Revision 1.5 / (download) - annotate - [select for diffs], Fri Feb 21 09:35:03 1997 UTC (27 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.4: +0 -2 lines
Diff to previous 1.4 (colored)

Removed no longer necessary cautionary comment.

Revision 1.4 / (download) - annotate - [select for diffs], Fri Feb 21 08:42:32 1997 UTC (27 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.3: +0 -2 lines
Diff to previous 1.3 (colored)

-nostdinc and big endian cleanup

Revision 1.3 / (download) - annotate - [select for diffs], Fri Feb 21 08:26:08 1997 UTC (27 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.2: +2 -5 lines
Diff to previous 1.2 (colored)

Fixed error introduced with last patch.

Revision 1.2 / (download) - annotate - [select for diffs], Fri Feb 21 02:54:26 1997 UTC (27 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.1: +10 -14 lines
Diff to previous 1.1 (colored)

Removed some of the ugliness in ipsp_kern().

Revision 1.1 / (download) - annotate - [select for diffs], Thu Feb 20 01:08:00 1997 UTC (27 years, 3 months ago) by deraadt
Branch: MAIN

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
