OpenBSD CVS

CVS log for src/sys/netinet/ip_ipsp.h



Default branch: MAIN


Revision 1.245, Wed Apr 17 20:48:51 2024 UTC (7 weeks, 5 days ago) by bluhm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.244: +9 -2 lines

Use struct ipsec_level within inpcb.

Instead of passing around u_char[4], introduce struct ipsec_level
that contains 4 ipsec levels.  This provides better type safety.
The embedding struct inpcb is globally visible for netstat(1), so
put struct ipsec_level outside of #ifdef _KERNEL.

OK deraadt@ mvs@

Revision 1.244, Sun Nov 26 22:08:10 2023 UTC (6 months, 2 weeks ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.243: +2 -2 lines

Remove inp parameter from ip_output().

ip_output() received inp as parameter.  This is only used to lookup
the IPsec level of the socket.  Reasoning about MP locking is much
easier if only relevant data is passed around.  Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@

Revision 1.243, Wed Oct 11 22:13:16 2023 UTC (8 months ago) by tobhe
Branch: MAIN
Changes since 1.242: +2 -1 lines

Prevent deref-after-free when tdb_timeout() fires on invalid new tdb.

When receiving a pfkeyv2 SADB_ADD message, a newly created tdb can
fail in tdb_init(), which causes the tdb to not get added to the
global tdb list and an immediate dereference.  If a lifetime timeout
triggers on this tdb, it will unconditionally try to remove it from
the list and in the process deref once more than allowed,
causing a one bit corruption in the already freed up slot in the
tdb pool.

We resolve this issue by moving timeout_add() after tdb_init()
just before puttdb().  This means tdbs failing initialization
get discarded immediately as they only hold a single reference.
Valid tdbs get their timeouts activated just before we add them
to the tdb list, meaning the timeout can safely assume they are
linked.

Feedback from mvs@ and millert@
ok mvs@ mbuhl@

Revision 1.242, Mon Aug 7 01:44:51 2023 UTC (10 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.241: +5 -2 lines

start adding support for route-based ipsec vpns.

rather than use ipsec flows (aka, entries in the ipsec security
policy database) to decide which traffic should be encapsulated in
ipsec and sent to a peer, this tweaks security associations (SAs)
so they can refer to a tunnel interface. when traffic is routed
over that tunnel interface, an ipsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.

to support this, SAs get a TDBF_IFACE flag and iface and iface_dir
fields.  When TDBF_IFACE is set the iface and dir fields are
considered valid, and the tdb/SA should be used with the tunnel
interface instead of the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

Revision 1.241, Thu Jul 6 04:55:05 2023 UTC (11 months ago) by dlg
Branch: MAIN
Changes since 1.240: +4 -4 lines

big update to pfsync to try and clean up locking in particular.

moving pf forward has been a real struggle, and pfsync has been a
constant source of pain. we have been papering over the problems
for a while now, but it reached the point that it needed a fundamental
restructure, which is what this diff is.

the big headliner changes in this diff are:

- pfsync specific locks

this is the whole reason for this diff.

rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now
has its own locks to protect its internal data structures. this
is important because pfsync runs a bunch of timeouts and tasks to
push pfsync packets out on the wire, or when it's handling requests
generated by incoming pfsync packets, both of which happen outside
pf itself running. having pfsync specific locks around pfsync data
structures makes the mutations of these data structures a lot more
explicit and auditable.

- partitioning

to enable future parallelisation of the network stack, this rewrite
includes support for pfsync to partition states into different "slices".
these slices run independently, ie, the states collected by one slice
are serialised into a separate packet to the states collected and
serialised by another slice.

states are mapped to pfsync slices based on the pf state hash, which
is the same hash that the rest of the network stack and multiq
hardware uses.

- no more pfsync called from netisr

pfsync used to be called from netisr to try and bundle packets, but now
that there are multiple pfsync slices this doesn't make sense. instead it
uses tasks in softnet tqs.

- improved bulk transfer handling

there's shiny new state machines around both the bulk transmit and
receive handling. pfsync used to do horrible things to carp demotion
counters, but now it is very predictable and returns the counters back
where they started.

- better tdb handling

the tdb handling was pretty hairy, but hrvoje has kicked this around
a lot with ipsec and sasyncd and we've found and fixed a bunch of
issues as a result of that testing.

- mpsafe pf state purges

this was committed previously, but because the locks pfsync relied on
weren't clear this just caused a ton of bugs. as part of this diff it's
now reliable, and moves a big chunk of work out from under KERNEL_LOCK,
which in turn improves the responsiveness and throughput of a firewall
even if you're not using pfsync.

there's a bunch of other little changes along the way, but the above are
the big ones.

hrvoje has done performance testing with this diff and notes a big
improvement when pfsync is not in use. performance when pfsync is
enabled is about the same, but I'm hoping the slices mean we can scale
along with pf as it improves.

lots (months) of testing by me and hrvoje on pfsync boxes
tests and ok sashan@
deraadt@ says this is a good time to put it in

Revision 1.240, Thu Jul 14 13:52:10 2022 UTC (22 months, 4 weeks ago) by mvs
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.239: +10 -10 lines

Use capital letters for global ipsec(4) locks description. Use 'D'
instead of 's' for `tdb_sadb_mtx' mutex(9) because this is 'D'atabase.

No functional changes.

ok bluhm@

Revision 1.239, Sat Apr 30 13:28:53 2022 UTC (2 years, 1 month ago) by mvs
Branch: MAIN
Changes since 1.238: +2 -2 lines

When performing ipsp_ids_free(), grab the `ipsec_flows_mtx' mutex(9) before
decrementing `id_refcount'. This should be consistent with `ipsp_ids_gc_list'
list modifications, otherwise a concurrent ipsp_ids_insert() could remove
this dying `ids' from the list before it was placed there by
ipsp_ids_free(). This makes atomic operations on `id_refcount' useless.
Also prevent ipsp_ids_lookup() from returning a dying `ids'.

ok bluhm@

Revision 1.238, Thu Apr 21 15:22:50 2022 UTC (2 years, 1 month ago) by sashan
Branch: MAIN
Changes since 1.237: +3 -1 lines

Introduce dedicated link entries for snapshots in pfsync(4). The purpose
of snapshots is to allow pfsync(4) to move items from global lists
to local lists (a.k.a. snapshots) under mutex protection. Snapshots
are then processed without holding any mutexes. Such an idea does not fly
well if the link entry is currently used for global lists as well as snapshots.
Feedback by bluhm@. Credit also goes to hrvoje@ for extensive testing.

OK bluhm@

Revision 1.237, Sun Mar 13 21:38:32 2022 UTC (2 years, 2 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.236: +12 -7 lines

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff.  Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@

Revision 1.236, Tue Mar 8 22:30:38 2022 UTC (2 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.235: +2 -2 lines

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@

Revision 1.235, Wed Mar 2 20:16:43 2022 UTC (2 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.234: +6 -11 lines

Merge two comments describing the locks into one.

Revision 1.234, Tue Jan 4 06:32:39 2022 UTC (2 years, 5 months ago) by yasuoka
Branch: MAIN
Changes since 1.233: +18 -14 lines

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees.  ipsp_ids_lookup() returns `ids' with bumped reference
counter.  original diff from mvs

ok mvs

Revision 1.233, Mon Dec 20 15:59:10 2021 UTC (2 years, 5 months ago) by mvs
Branch: MAIN
Changes since 1.232: +33 -21 lines

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

Revision 1.232, Sun Dec 19 23:30:08 2021 UTC (2 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.231: +2 -2 lines

There are occasions where the walker function in tdb_walk() might
sleep.  So holding the tdb_sadb_mtx() when calling walker() is not
allowed.  Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock.  Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@

Revision 1.231, Tue Dec 14 17:50:37 2021 UTC (2 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.230: +11 -5 lines

To cache lookups, the policy ipo is linked to its SA tdb.  There
is also a list of SAs that belong to a policy.  To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@

Revision 1.230, Sat Dec 11 16:33:47 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.229: +4 -2 lines

Protect the write access to the TDB flags field with a mutex per
TDB.  Clearing the timeout flags just before pool put in tdb_free()
does not make sense.  Move this to tdb_delete().  While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@

Revision 1.229, Wed Dec 8 14:24:18 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.228: +16 -10 lines

Start documenting the locking strategy of struct tdb fields.  Note
that gettdb_dir() is MP safe now.  Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext.  Make the
braces consistently for all these TDB loops.  Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@

Revision 1.228, Tue Dec 7 17:28:46 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.227: +2 -1 lines

In ipo_tdb the flow contains a reference counted TDB cache.  This
may prevent that tdb_free() is called.  It is not a real leak as
ipsecctl -F or termination of iked flush this cache when they remove
the IPsec policy.  Move the code from tdb_free() to tdb_delete(),
then the kernel does the cleanup itself.
OK mvs@ tobhe@

Revision 1.227, Fri Dec 3 19:04:49 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.226: +2 -1 lines

Add tdb_delete_locked() to replace duplicate tdb deletion code in
pfkey_flush().

ok bluhm@ mvs@

Revision 1.226, Wed Dec 1 22:34:31 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.225: +5 -4 lines

Reintroduce the TDBF_DELETED flag.  Checking next pointer to figure
out whether the TDB is linked to the hash bucket does not work.
This fixes removal of SAs that could not be flushed with ipsecctl -F.
OK tobhe@

Revision 1.225, Wed Dec 1 12:51:09 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.224: +3 -3 lines

Let ipsp_spd_lookup() return an error instead of a TDB.  The TDB
is not always needed, but the error value is necessary for the
caller.  As TDB should be refcounted, it makes no sense to always
return it.  Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@

Revision 1.224, Tue Nov 30 13:17:43 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.223: +1 -3 lines

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@

Revision 1.223, Fri Nov 26 16:16:35 2021 UTC (2 years, 6 months ago) by tobhe
Branch: MAIN
Changes since 1.222: +7 -5 lines

Replace TDBF_DELETED flag with check if tdb was already unlinked.
Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex.

Tested by Hrvoje Popovski
ok bluhm@ mvs@

Revision 1.222, Thu Nov 25 13:46:02 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.221: +9 -2 lines

Implement reference counting for IPsec tdbs.  Not all cases are
covered yet, more ref counts to come.  The timeouts are protected,
so the racy tdb_reaper() gets retired.  The tdb_policy_head, onext
and inext lists are protected.  All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later.  A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@
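The reference-counting rule of revision 1.222 (the creator, the hash bucket and every lookup hold their own reference; tdb_delete() runs once) and the timeout ordering bug of revision 1.243 (a lifetime timeout armed before tdb_init() fires on a tdb that was already returned to the pool) can be played through in a small C model. This is an added example, not OpenBSD kernel code: the one-entry pool, the single hash bucket, the single pending timeout and the names tdb_alloc, puttdb, tdb_unlink, run_timeouts, sadb_add and the two scenario functions are assumptions that only imitate the kernel's names, and the freed-slot counter stands in for what would be silent corruption of a freed slot on the real tdb pool.

```c
/* Model of the refcounted tdb lifecycle.  Assumed names; not kernel code. */
#include <stdbool.h>
#include <string.h>

struct tdb {
	struct tdb *tdb_hnext;	/* bucket chain; NULL on the last entry too (cf. TDBF_DELETED, 1.226) */
	int	tdb_refcnt;	/* the creator, the bucket and each lookup hold one */
	bool	tdb_allocated;	/* pool bookkeeping: false means the slot was freed */
};

static struct tdb  tdb_slot;		/* a one-entry pool */
static struct tdb *tdb_bucket;		/* one SADB hash bucket */
static struct tdb *tdb_armed_timeout;	/* pending lifetime timeout, if any */
static int	   tdb_uaf_events;	/* refs dropped on a freed slot: UB on a real pool */

static void tdb_reset_model(void)
{
	memset(&tdb_slot, 0, sizeof(tdb_slot));
	tdb_bucket = tdb_armed_timeout = NULL;
	tdb_uaf_events = 0;
}

static struct tdb *tdb_alloc(void)		/* pool_get() */
{
	tdb_slot.tdb_allocated = true;
	tdb_slot.tdb_refcnt = 1;		/* the creator's reference */
	return &tdb_slot;
}

static void tdb_unref(struct tdb *t)
{
	if (!t->tdb_allocated) {		/* "deref once more than allowed" */
		tdb_uaf_events++;
		return;
	}
	if (--t->tdb_refcnt == 0)
		t->tdb_allocated = false;	/* pool_put() */
}

static void puttdb(struct tdb *t)		/* the bucket takes its own reference */
{
	t->tdb_refcnt++;
	t->tdb_hnext = tdb_bucket;
	tdb_bucket = t;
}

static void tdb_unlink(struct tdb *t)		/* leave the bucket, drop its reference */
{
	for (struct tdb **pp = &tdb_bucket; *pp != NULL; pp = &(*pp)->tdb_hnext)
		if (*pp == t) {
			*pp = t->tdb_hnext;
			break;
		}
	tdb_unref(t);
}

static int run_timeouts(void)			/* lifetime expiry unconditionally unlinks */
{
	struct tdb *t = tdb_armed_timeout;
	tdb_armed_timeout = NULL;
	if (t != NULL)
		tdb_unlink(t);
	return tdb_uaf_events;
}

/* SADB_ADD.  fixed == false arms the timeout before tdb_init() (pre-1.243);
 * fixed == true arms it after tdb_init() succeeded, right before puttdb(),
 * so a tdb that failed to initialise never has a timer. */
static struct tdb *sadb_add(bool init_fails, bool fixed)
{
	struct tdb *t = tdb_alloc();

	if (!fixed)
		tdb_armed_timeout = t;
	if (init_fails) {			/* tdb_init() failed */
		tdb_unref(t);			/* only reference: slot goes back to the pool */
		return NULL;
	}
	if (fixed)
		tdb_armed_timeout = t;
	puttdb(t);
	return t;
}

/* tdb_init() fails, then the lifetime timer fires: returns freed-slot accesses. */
static int scenario_failed_init(bool fixed)
{
	tdb_reset_model();
	sadb_add(true, fixed);
	return run_timeouts();
}

/* Valid SA: the creator unrefs, the timer fires.  1 if the bucket's reference
 * was the last, the slot is back in the pool and nothing touched it afterwards. */
static int scenario_valid_expiry(bool fixed)
{
	tdb_reset_model();
	tdb_unref(sadb_add(false, fixed));
	return run_timeouts() == 0 && tdb_bucket == NULL && !tdb_slot.tdb_allocated;
}
```

scenario_failed_init(false) reports one reference dropped on a freed slot, the "deref once more than allowed" of 1.243; with the fixed order the tdb that failed tdb_init() never had a timer, so the count is zero, while a valid SA is still unlinked and freed exactly once when its timer fires, with the bucket's reference being the last one.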

Revision 1.221, Sun Nov 21 16:17:48 2021 UTC (2 years, 6 months ago) by mvs
Branch: MAIN
Changes since 1.220: +4 -2 lines

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in the header doesn't match the
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate, so it's used to avoid confusion with
the new counter.

ok bluhm@

Revision 1.220, Tue Nov 16 13:53:14 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.219: +11 -3 lines

To debug IPsec and tdb refcounting it is useful to have "show tdb"
and "show all tdbs" in ddb.
tested by Hrvoje Popovski; OK mvs@

Revision 1.219, Mon Oct 25 18:25:01 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.218: +2 -1 lines

Call a locked variant of tdb_unlink() from tdb_walk().  Fixes a
mutex locking against myself panic introduced by my previous commit.
OK beck@ patrick@
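Revisions 1.238 (dedicated link entries for snapshots), 1.232 (tdb_walk() moving TDBs to a temporary list before calling the walker) and 1.219 (the "locking against myself" panic when tdb_unlink() was called from a walk that already held the mutex) all circle one pattern: under the mutex, collect referenced entries on a private list through their own link, release the mutex, then run the walker. The C model below is an added example, not kernel code: the counting mutex, the three-entry pool, the walker that flushes what it is handed and the names tdb_walk_held, tdb_walk, walker_flush and flush_scenario are assumptions; the kernel's own tdb_walk() is not reproduced here.

```c
/* Model of tdb_walk() with and without a snapshot list.  Assumed names; not kernel code. */
#include <stdbool.h>
#include <stddef.h>

/* Re-entering a held mutex is a kernel panic ("mtx_enter: locking against
 * myself"); the model counts the attempt instead so the run can continue. */
struct mutex { bool locked; };
static int mtx_self_locks;
static void mtx_enter(struct mutex *m) { if (m->locked) mtx_self_locks++; else m->locked = true; }
static void mtx_leave(struct mutex *m) { m->locked = false; }

struct tdb {
	struct tdb *tdb_hnext;	/* bucket chain, protected by tdb_sadb_mtx */
	struct tdb *tdb_walk;	/* separate link for the temporary walk list */
	int	tdb_refcnt;
	bool	tdb_freed;	/* pool_put() happened */
};

static struct mutex tdb_sadb_mtx;
static struct tdb *tdbh;	/* one hash bucket */
static struct tdb tdb_pool[3];

static void tdb_ref(struct tdb *t) { t->tdb_refcnt++; }
static void tdb_unref(struct tdb *t) { if (--t->tdb_refcnt == 0) t->tdb_freed = true; }

static void tdb_unlink_locked(struct tdb *t)	/* caller holds tdb_sadb_mtx */
{
	for (struct tdb **pp = &tdbh; *pp != NULL; pp = &(*pp)->tdb_hnext)
		if (*pp == t) {
			*pp = t->tdb_hnext;
			break;
		}
	tdb_unref(t);			/* the bucket's reference */
}

static void tdb_unlink(struct tdb *t)
{
	mtx_enter(&tdb_sadb_mtx); tdb_unlink_locked(t); mtx_leave(&tdb_sadb_mtx);
}

/* A walker like the one behind "ipsecctl -F": it deletes what it is handed,
 * taking tdb_sadb_mtx to do so; in the kernel it may also sleep. */
static int walker_flush(struct tdb *t) { tdb_unlink(t); return 0; }

/* The shape 1.219 had to fix: call the walker with tdb_sadb_mtx held. */
static int tdb_walk_held(int (*walker)(struct tdb *))
{
	struct tdb *t, *next;
	int rval = 0;

	mtx_enter(&tdb_sadb_mtx);
	for (t = tdbh; t != NULL && rval == 0; t = next) {
		next = t->tdb_hnext;	/* the walker may unlink t */
		rval = walker(t);
	}
	mtx_leave(&tdb_sadb_mtx);
	return rval;
}

/* The 1.232 shape: under the mutex, put a referenced copy of each entry on a
 * temporary list through its own link (1.238: the bucket link must stay valid
 * for other CPUs), drop the mutex, then let the walker sleep or lock freely. */
static int tdb_walk(int (*walker)(struct tdb *))
{
	struct tdb *list = NULL, **tail = &list, *t, *next;
	int rval = 0;

	mtx_enter(&tdb_sadb_mtx);
	for (t = tdbh; t != NULL; t = t->tdb_hnext) {
		tdb_ref(t);		/* keeps t alive while the walker runs unlocked */
		t->tdb_walk = NULL;
		*tail = t;
		tail = &t->tdb_walk;
	}
	mtx_leave(&tdb_sadb_mtx);
	for (t = list; t != NULL; t = next) {
		next = t->tdb_walk;
		if (rval == 0)
			rval = walker(t);
		tdb_unref(t);		/* the walk's reference, possibly the last */
	}
	return rval;
}

struct walk_result { int self_locks; int still_linked; int still_alive; };
/* Three SAs in the bucket, flushed through one walker or the other. */
static struct walk_result flush_scenario(bool use_snapshot)
{
	struct walk_result r = { 0, 0, 0 };

	tdbh = NULL;
	tdb_sadb_mtx.locked = false;
	mtx_self_locks = 0;
	for (int i = 0; i < 3; i++) {
		tdb_pool[i] = (struct tdb){ .tdb_hnext = tdbh, .tdb_refcnt = 1 };
		tdbh = &tdb_pool[i];
	}
	(use_snapshot ? tdb_walk : tdb_walk_held)(walker_flush);
	r.self_locks = mtx_self_locks;
	for (struct tdb *t = tdbh; t != NULL; t = t->tdb_hnext)
		r.still_linked++;
	for (int i = 0; i < 3; i++)
		r.still_alive += !tdb_pool[i].tdb_freed;
	return r;
}
```

flush_scenario(false) records an attempt to take tdb_sadb_mtx while already holding it, which on the real mutex is the panic of 1.219 (the model only counts the first one, because the walker's mtx_leave() then releases the mutex). flush_scenario(true) flushes the same three SAs without any such attempt, and because the walk holds its own reference and links through tdb_walk rather than tdb_hnext, the bucket stays consistent for anyone else reading it while the walker runs.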

Revision 1.218, Sun Oct 24 23:33:37 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.217: +1 -3 lines

Merge esp_input_cb() into esp_input().

ok bluhm@

Revision 1.217, Sun Oct 24 22:59:47 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.216: +6 -15 lines

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp.  Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@

Revision 1.216, Sun Oct 24 22:34:19 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.215: +1 -4 lines

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@

Revision 1.215, Sun Oct 24 18:15:58 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.214: +1 -4 lines

Refactor ipcomp_input() and ipcomp_output(). Remove obsolete code related
to old crypto API.

ok bluhm@

Revision 1.214, Sun Oct 24 17:08:27 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.213: +6 -5 lines

There are more m_pullup() in IPsec input.  Pass down the pointer
to the mbuf to update it globally.  At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@

Revision 1.213, Sun Oct 24 15:47:39 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.212: +2 -4 lines

Remove 'struct tdb_crypto' allocations from esp_input() and esp_output().
This was needed to pass arguments to the callback function, but is no longer
necessary after the API makeover.

ok bluhm@

Revision 1.212, Sat Oct 23 22:19:37 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.211: +8 -8 lines

There is an m_pullup() down in AH input.  As it may free or change
the mbuf, the callers must be careful.  Although there is no bug,
use the common pattern to handle this.  Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@

Revision 1.211, Sat Oct 23 15:42:35 2021 UTC (2 years, 7 months ago) by tobhe
Branch: MAIN
Changes since 1.210: +1 -3 lines

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity.  Dedicated crypto offloading devices are not common
anymore.  Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@

Revision 1.210, Wed Oct 13 14:36:31 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.209: +7 -9 lines

The function ipip_output() was registered as the .xf_output() xform
function.  But it is never called via this pointer.  It would have
immediately crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output.  This allows passing only the
parameters which are actually needed and the control flow is clearer.
OK mpi@

Revision 1.209, Tue Oct 5 11:45:26 2021 UTC (2 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.208: +7 -1 lines

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return.  An ENOBUFS should be EINVAL in IPv6
case.  Also use combined packet and byte counter.
OK sthen@ dlg@

Revision 1.208, Tue Oct 5 11:34:34 2021 UTC (2 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.207: +2 -1 lines

Move setting ipsec mtu into a function.  The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway.  udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@

Revision 1.207, Wed Sep 29 22:08:13 2021 UTC (2 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.206: +2 -1 lines

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@

Revision 1.206, Tue Aug 10 21:29:53 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.205: +1 -2 lines

Remove unused `ipa_pcb' from 'ipsec_acquire' structure.

ok gnezdo@

Revision 1.205, Tue Jul 27 17:13:03 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
Changes since 1.204: +21 -33 lines

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Revision 1.204, Mon Jul 26 23:17:07 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
Changes since 1.203: +33 -21 lines

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Revision 1.203, Sun Jul 18 18:19:22 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
Changes since 1.202: +3 -2 lines

Introduce and use garbage collector for 'ipsec_ids' struct entities
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().

ipsp_ids_insert() can't stop an ipsp_ids_timeout() timeout handler which is
already running and awaiting the netlock to be released, so a reused `ids' will
be silently removed in this case.

ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.

Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.

tests and feedback by hrvoje@
ok bluhm@

Revision 1.202, Sun Jul 18 14:38:20 2021 UTC (2 years, 10 months ago) by bluhm
Branch: MAIN
Changes since 1.201: +5 -4 lines

The IPsec authentication before decryption used a different replay
counter than after decryption.  This could result in "esp_input_cb:
authentication failed for packet in SA" errors.  As we run crypto
operations async, thousands of packets are stored in the crypto
task.  During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter.  Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@
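The replay-counter mismatch described above is easiest to see with the ESN high-bit inference of RFC 4303 Appendix A, since that inference is the only thing the two checks need to agree on. The following C model is an added example, not the kernel's checkreplaywindow(): the struct replay, struct tdb_crypto and struct outcome types, the 64-packet window, the esp_input()/esp_input_cb() stand-ins and the constructed sequence numbers are all assumptions, and the ICV check is modelled as "the receiver inferred the same 64-bit ESN the sender used".

```c
/* Model of ESN anti-replay with a pre- and a post-crypto check.  Assumed names. */
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW 64u	/* bitmap width; bit 0 is the window top itself */
enum { REPLAY_OK = 0, REPLAY_TOO_OLD = 1, REPLAY_DUP = 2 };

struct replay { uint64_t rpl; uint64_t bitmap; };	/* rpl: highest 64-bit ESN seen */
struct tdb_crypto { uint32_t tc_seql; uint64_t tc_rpl; };	/* carried across the crypto queue */

/* RFC 4303 Appendix A: infer the high 32 bits of an ESN from the window top. */
static uint32_t esn_infer_seqh(uint64_t rpl, uint32_t seql)
{
	uint32_t th = (uint32_t)(rpl >> 32), tl = (uint32_t)rpl;
	uint32_t bl = tl - (REPLAY_WINDOW - 1);	/* window bottom, mod 2^32 */

	if (tl >= REPLAY_WINDOW - 1)		/* window within one 2^32 subspace */
		return seql >= bl ? th : th + 1;
	return seql >= bl ? th - 1 : th;	/* window straddles a 2^32 boundary */
}

/*
 * Window check.  rpl_seen is the replay counter the caller read and is the
 * only input to the ESN inference; rp is the live window, updated if commit.
 */
static int checkreplaywindow(struct replay *rp, uint64_t rpl_seen, uint32_t seql,
    uint64_t *seq, bool commit)
{
	uint64_t diff;

	*seq = ((uint64_t)esn_infer_seqh(rpl_seen, seql) << 32) | seql;
	if (*seq > rp->rpl) {			/* ahead of the window: new high water mark */
		if (commit) {
			diff = *seq - rp->rpl;
			rp->bitmap = diff >= REPLAY_WINDOW ? 1 : (rp->bitmap << diff) | 1;
			rp->rpl = *seq;
		}
		return REPLAY_OK;
	}
	diff = rp->rpl - *seq;
	if (diff >= REPLAY_WINDOW)
		return REPLAY_TOO_OLD;
	if ((rp->bitmap >> diff) & 1)
		return REPLAY_DUP;
	if (commit)
		rp->bitmap |= (uint64_t)1 << diff;
	return REPLAY_OK;
}

/*
 * esp_input(): pre-crypto check.  Only the low 32 bits are on the wire and
 * the ICV covers the full ESN, so authentication passes only if the receiver
 * inferred the high bits the sender used.  Saving tc_rpl is the 1.202 fix.
 */
static int esp_input(struct replay *rp, struct tdb_crypto *tc, uint64_t true_seq,
    bool *auth_ok)
{
	uint64_t seq;
	int r;

	tc->tc_seql = (uint32_t)true_seq;
	tc->tc_rpl = rp->rpl;
	r = checkreplaywindow(rp, tc->tc_rpl, tc->tc_seql, &seq, false);
	*auth_ok = r == REPLAY_OK && seq == true_seq;
	return r;
}

/* esp_input_cb(): post-crypto check.  Before 1.202 it re-read the live counter. */
static int esp_input_cb(struct replay *rp, const struct tdb_crypto *tc, bool use_snapshot)
{
	uint64_t seq;

	return checkreplaywindow(rp, use_snapshot ? tc->tc_rpl : rp->rpl,
	    tc->tc_seql, &seq, true);
}

struct outcome { int late_pkt; bool late_auth_ok; bool next_auth_ok; };

/*
 * A packet 16 behind the window top enters esp_input() just before the low
 * 32 bits wrap; while it waits in the crypto queue, 0x50 later packets are
 * fully processed and carry the window past 2^32.  Then its esp_input_cb()
 * runs, followed by the peer's next in-order packet.
 */
static struct outcome esp_wrap_scenario(bool use_snapshot)
{
	struct replay rp = { 0x00000000FFFFFFF0ULL, 1 };
	struct tdb_crypto late, tc;
	struct outcome o;
	bool ok;

	esp_input(&rp, &late, 0x00000000FFFFFFE0ULL, &o.late_auth_ok);
	for (uint64_t s = 0x00000000FFFFFFF1ULL; s <= 0x0000000100000040ULL; s++) {
		esp_input(&rp, &tc, s, &ok);
		esp_input_cb(&rp, &tc, use_snapshot);
	}
	o.late_pkt = esp_input_cb(&rp, &late, use_snapshot);
	esp_input(&rp, &tc, 0x0000000100000041ULL, &o.next_auth_ok);
	return o;
}
```

Without the snapshot, the packet that was 16 behind the window top is re-checked after the window has moved 0x50 past the 2^32 boundary; the inference now places it 2^32 ahead, the window jumps there, and the peer's very next packet no longer authenticates, which is the model's analogue of the error the commit message quotes. With tc_rpl the same packet is rejected as too old, the window stays where the genuine traffic left it, and the next packet verifies.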

Revision 1.201, Tue Jul 13 08:16:17 2021 UTC (2 years, 10 months ago) by mvs
Branch: MAIN
Changes since 1.200: +2 -6 lines

Remove unused `PolicyHead' from 'sockaddr_encap' structure.

ok tobhe@

Revision 1.200, Thu Jul 8 21:07:19 2021 UTC (2 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.199: +9 -8 lines

The xformsw array never changes.  Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@

Revision 1.199, Thu Jul 8 09:22:30 2021 UTC (2 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.198: +4 -15 lines

The properties of the crypto algorithms never change.  Declare them
constant.  Then they are mapped as read only.
OK deraadt@ dlg@

Revision 1.198, Wed Jul 7 18:03:46 2021 UTC (2 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.197: +8 -8 lines

Fix whitespaces in IPsec code.

Revision 1.197, Tue May 4 09:28:04 2021 UTC (3 years, 1 month ago) by mvs
Branch: MAIN
Changes since 1.196: +1 -2 lines

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
at runtime within pfkeyv2_send(). Also set its interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@

Revision 1.196, Thu Nov 5 19:28:28 2020 UTC (3 years, 7 months ago) by phessler
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.195: +1 -0 lines

Enable support for ASN1_DN ipsec identifiers.

Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked
as the server.

OK tobhe@ sthen@ kn@

Revision 1.195, Tue Sep 1 01:53:34 2020 UTC (3 years, 9 months ago) by gnezdo
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.194: +1 -29 lines

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.

Revision 1.194, Thu Apr 23 19:38:08 2020 UTC (4 years, 1 month ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.193: +9 -4 lines

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption.  This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
side-channel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension.  Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@

Revision 1.193, Tue Aug 28 15:15:02 2018 UTC (5 years, 9 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.192: +31 -1 lines

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@

Revision 1.192, Thu Jul 12 15:51:50 2018 UTC (5 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.191: +8 -1 lines

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@

Revision 1.191, Wed Jul 11 09:07:59 2018 UTC (5 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.190: +4 -2 lines

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@

Revision 1.190, Tue Jul 10 11:34:12 2018 UTC (5 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.189: +57 -7 lines

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels.  Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@

Revision 1.189, Mon Nov 20 14:14:26 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.188: +3 -8 lines

Keep kernel defines under #ifdef _KERNEL.

ok bluhm@

Revision 1.188, Wed Nov 15 11:48:59 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.187: +2 -1 lines

Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h

Revision 1.187, Tue Nov 14 09:30:17 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.186: +47 -1 lines

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@

Revision 1.186, Wed Nov 8 16:29:20 2017 UTC (6 years, 7 months ago) by visa
Branch: MAIN
Changes since 1.185: +2 -1 lines

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@

Revision 1.185, Fri Oct 27 08:27:14 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.184: +3 -1 lines

Dump IPsec flows by iterating over the radix tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@

Revision 1.184, Mon Oct 16 08:22:25 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.183: +1 -2 lines

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@

Revision 1.183, Mon Jun 26 09:08:00 2017 UTC (6 years, 11 months ago) by patrick
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.182: +2 -1 lines

Split a part of tdb_delete() into tdb_unlink() so that we can remove
a TDB from the hash table without actually free()ing it.  That way we
can modify the TDB and then put it back in using puttdb().

ok claudio@

Revision 1.182, Mon May 22 22:23:11 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.181: +3 -1 lines

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@

Revision 1.181 / (download) - annotate - [select for diffs], Thu May 18 10:56:45 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.180: +1 -5 lines
Diff to previous 1.180 (colored)

The function name ip4_input() is confusing as it also handles IPv6
packets.  This is the IP in IP protocol input function, so call it
ipip_input().  Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface.  Pass the
address family to make it consistent with pr_input.  Use __func__
in debug print and panic messages.  Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@

Revision 1.180 / (download) - annotate - [select for diffs], Sat May 6 15:55:15 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.179: +2 -2 lines
Diff to previous 1.179 (colored)

Convert the xformsw definition to C99 style initializer.  Also fix
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@

Revision 1.179 / (download) - annotate - [select for diffs], Fri Apr 14 20:46:31 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.178: +8 -8 lines
Diff to previous 1.178 (colored)

Pass down the address family through the pr_input calls.  This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

Revision 1.178 / (download) - annotate - [select for diffs], Tue Feb 7 22:28:37 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.177: +2 -2 lines
Diff to previous 1.177 (colored)

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks.  Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@

Revision 1.177 / (download) - annotate - [select for diffs], Sun Jan 29 19:58:47 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.176: +6 -12 lines
Diff to previous 1.176 (colored)

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions.  It is
more consistent to have less different structures.  The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@

Revision 1.176 / (download) - annotate - [select for diffs], Thu Jan 26 13:03:47 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.175: +4 -4 lines
Diff to previous 1.175 (colored)

Reduce the difference between struct protosw and ip6protosw.  The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used.  Make all functions void like in the IPv6 case.
OK mpi@

Revision 1.175 / (download) - annotate - [select for diffs], Wed Jan 25 17:34:31 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.174: +6 -6 lines
Diff to previous 1.174 (colored)

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@

Revision 1.174 / (download) - annotate - [select for diffs], Thu Sep 15 03:37:09 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.173: +5 -5 lines
Diff to previous 1.173 (colored)

move from RB macros to RBT functions

shaves a bunch of bytes off kernels

Revision 1.173 / (download) - annotate - [select for diffs], Thu Dec 3 13:12:20 2015 UTC (8 years, 6 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.172: +1 -9 lines
Diff to previous 1.172 (colored)

remove some unused defines. ok mikeb

Revision 1.172 / (download) - annotate - [select for diffs], Tue Aug 25 11:50:14 2015 UTC (8 years, 9 months ago) by deraadt
Branch: MAIN
Changes since 1.171: +2 -2 lines
Diff to previous 1.171 (colored)

correct #if/#endif guard comment

Revision 1.171 / (download) - annotate - [select for diffs], Fri Jul 17 18:31:08 2015 UTC (8 years, 10 months ago) by blambert
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.170: +7 -1 lines
Diff to previous 1.170 (colored)

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

Revision 1.170 / (download) - annotate - [select for diffs], Sat May 23 12:38:53 2015 UTC (9 years ago) by markus
Branch: MAIN
Changes since 1.169: +27 -15 lines
Diff to previous 1.169 (colored)

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@

Revision 1.169 / (download) - annotate - [select for diffs], Fri Apr 17 11:04:01 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.168: +2 -7 lines
Diff to previous 1.168 (colored)

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

Revision 1.168 / (download) - annotate - [select for diffs], Fri Apr 17 10:04:37 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.167: +1 -2 lines
Diff to previous 1.167 (colored)

Remove unsupported SADB_X_IDENTTYPE_CONNECTION;  OK markus, hshoexer

Revision 1.167 / (download) - annotate - [select for diffs], Thu Apr 16 19:44:01 2015 UTC (9 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.166: +1 -2 lines
Diff to previous 1.166 (colored)

ipa_inp_next is unused; via mikeb@

Revision 1.166 / (download) - annotate - [select for diffs], Thu Apr 16 19:24:13 2015 UTC (9 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.165: +1 -39 lines
Diff to previous 1.165 (colored)

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Revision 1.165 / (download) - annotate - [select for diffs], Tue Apr 14 14:20:01 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.164: +2 -2 lines
Diff to previous 1.164 (colored)

make ipsp_address thread safe;  ok mpi

Revision 1.164 / (download) - annotate - [select for diffs], Tue Apr 14 12:22:15 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.163: +3 -20 lines
Diff to previous 1.163 (colored)

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything.  The change
leaves identities as the only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

Revision 1.163 / (download) - annotate - [select for diffs], Mon Apr 13 16:48:01 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.162: +3 -3 lines
Diff to previous 1.162 (colored)

Rename gettdbbyaddr to gettdbbydst;  OK markus, hshoexer, mpi

Revision 1.162 / (download) - annotate - [select for diffs], Mon Apr 13 16:45:52 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.161: +4 -5 lines
Diff to previous 1.161 (colored)

Remove unused arguments from gettdb* functions;  OK markus, hshoexer, mpi

Revision 1.161 / (download) - annotate - [select for diffs], Thu Mar 26 12:21:37 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.160: +1 -2 lines
Diff to previous 1.160 (colored)

Remove bits of unfinished IPsec proxy support.  DNS' KX records, anyone?
ok markus, hshoexer

Revision 1.160 / (download) - annotate - [select for diffs], Mon Jan 19 18:36:51 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.159: +1 -5 lines
Diff to previous 1.159 (colored)

mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL

Revision 1.159 / (download) - annotate - [select for diffs], Mon Jan 19 16:49:05 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.158: +12 -2 lines
Diff to previous 1.158 (colored)

First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
under _KERNEL, and adjust the one consumer (netstat) so that it requests
the exposure.  Will take a few more rounds to get this right.
ok mikeb

Revision 1.158 / (download) - annotate - [select for diffs], Tue Dec 23 03:24:08 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.157: +1 -9 lines
Diff to previous 1.157 (colored)

unifdef some more INET. v4 4life.

Revision 1.157 / (download) - annotate - [select for diffs], Tue Nov 25 13:10:03 2014 UTC (9 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.156: +1 -13 lines
Diff to previous 1.156 (colored)

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts.  But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not.  What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change starts the dance of "struct route" & friends removal by
sending the completely useless "struct route_enc" to the bucket.

Tweak & ok claudio@

Revision 1.156 / (download) - annotate - [select for diffs], Mon Nov 11 09:15:35 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.155: +2 -3 lines
Diff to previous 1.155 (colored)

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Revision 1.155 / (download) - annotate - [select for diffs], Thu Jul 4 09:48:49 2013 UTC (10 years, 11 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.154: +3 -1 lines
Diff to previous 1.154 (colored)

These functions are only used in debug code, so put them under
ifdef ENCDEBUG to make sure we don't use them elsewhere.

Revision 1.154 / (download) - annotate - [select for diffs], Thu Apr 11 12:06:25 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.153: +102 -128 lines
Diff to previous 1.153 (colored)

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

Revision 1.153 / (download) - annotate - [select for diffs], Thu Feb 14 16:22:34 2013 UTC (11 years, 3 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.152: +5 -2 lines
Diff to previous 1.152 (colored)

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements.  ok markus

Revision 1.152 / (download) - annotate - [select for diffs], Thu Oct 18 10:49:48 2012 UTC (11 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.151: +2 -3 lines
Diff to previous 1.151 (colored)

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@

Revision 1.151 / (download) - annotate - [select for diffs], Mon Oct 8 17:41:55 2012 UTC (11 years, 8 months ago) by camield
Branch: MAIN
Changes since 1.150: +3 -1 lines
Diff to previous 1.150 (colored)

Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
include sys/mbuf.h in net/pfvar.h.

Flagged by and ok guenther@

Revision 1.150 / (download) - annotate - [select for diffs], Thu Sep 20 10:25:03 2012 UTC (11 years, 8 months ago) by blambert
Branch: MAIN
Changes since 1.149: +2 -10 lines
Diff to previous 1.149 (colored)

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@

Revision 1.149 / (download) - annotate - [select for diffs], Tue Sep 18 09:24:45 2012 UTC (11 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.148: +1 -4 lines
Diff to previous 1.148 (colored)

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@

Revision 1.148 / (download) - annotate - [select for diffs], Mon Jul 16 18:05:36 2012 UTC (11 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.147: +2 -2 lines
Diff to previous 1.147 (colored)

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage

Revision 1.147 / (download) - annotate - [select for diffs], Fri Jun 29 14:48:04 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.146: +6 -5 lines
Diff to previous 1.146 (colored)

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303.  Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.
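The 1.147 entry above (and the checkreplaywindow() changes in 1.152 and 1.153) refer to the anti-replay algorithm of RFC 4303 Appendix A. The following is an added illustration, not OpenBSD's ip_ipsp code: it reconstructs the 64-bit ESN from the 32-bit field on the wire and runs the window check, keeping the window at 64 bits as in 1.147 (1.153 later grew it to 2100 entries, which needs a bitmap array rather than one word). The struct, the check/update split around ICV verification and the sample sequence numbers are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW 64u	/* window size in packets; one bit per packet */

/* Constructed receiver-side state (not OpenBSD's struct tdb). */
struct replay_state {
	bool     esn;		/* SA uses 64-bit Extended Sequence Numbers */
	uint64_t top;		/* highest sequence number accepted so far (T) */
	uint64_t bitmap;	/* bit i set: sequence number top - i was seen */
};

/* Rebuild the full sequence number from the 32-bit low half in the ESP header
 * (RFC 4303 A2.2); without ESN the low half is the whole number.  Returns
 * false when no valid subspace exists for the packet. */
static bool seq_reconstruct(const struct replay_state *st, uint32_t seq_lo, uint64_t *seq)
{
	uint32_t tl = (uint32_t)st->top;		/* Tl: low half of T */
	uint32_t th = (uint32_t)(st->top >> 32);	/* Th: high half of T */
	uint32_t bl = tl - (REPLAY_WINDOW - 1);		/* Bl, computed mod 2^32 */
	uint32_t sh;
	if (!st->esn) {
		*seq = seq_lo;
		return true;
	}
	if (tl >= REPLAY_WINDOW - 1)
		sh = (seq_lo >= bl) ? th : th + 1;	/* Case A: one subspace */
	else if (seq_lo < bl)
		sh = th;				/* Case B: current subspace */
	else if (th == 0)
		return false;				/* nothing precedes subspace 0 */
	else
		sh = th - 1;				/* Case B: previous subspace */
	*seq = ((uint64_t)sh << 32) | seq_lo;
	return true;
}

/* Step 1, before ICV verification: may this packet be accepted at all?
 * On success *seq is the reconstructed number the ICV is computed over. */
static bool replay_check(const struct replay_state *st, uint32_t seq_lo, uint64_t *seq)
{
	uint64_t diff;
	if (!seq_reconstruct(st, seq_lo, seq))
		return false;
	if (*seq > st->top)
		return true;				/* new high-water mark */
	diff = st->top - *seq;
	if (diff >= REPLAY_WINDOW)
		return false;				/* left of the window: stale */
	return (st->bitmap & ((uint64_t)1 << diff)) == 0;	/* bit set: replay */
}

/* Step 2, only after the ICV verified: slide the window or mark the slot. */
static void replay_update(struct replay_state *st, uint64_t seq)
{
	if (seq > st->top) {
		uint64_t shift = seq - st->top;
		st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
		st->bitmap |= 1;
		st->top = seq;
	} else
		st->bitmap |= (uint64_t)1 << (st->top - seq);
}

/* Feed constructed on-the-wire sequence numbers; returns how many passed. */
static int replay_feed(struct replay_state *st, const uint32_t *lows, int n)
{
	int accepted = 0;
	for (int i = 0; i < n; i++) {
		uint64_t seq;
		if (!replay_check(st, lows[i], &seq))
			continue;			/* drop: replay or stale */
		/* ICV verification (seq >> 32 appended for ESN) belongs here. */
		replay_update(st, seq);
		accepted++;
	}
	return accepted;
}

/* Constructed scenario: 32-bit SA; 3 is replayed and 1 arrives stale. */
int scenario_plain(void)
{
	struct replay_state st = { false, 0, 0 };
	const uint32_t lows[] = { 1, 2, 4, 3, 3, 70, 1, 10 };
	return replay_feed(&st, lows, 8);		/* 6 accepted */
}

uint64_t esn_top;	/* window top after scenario_esn(), for inspection */

/* Constructed scenario: ESN SA crossing 2^32; the replayed 0xffffffff is caught
 * because reconstruction maps it back into subspace 0. */
int scenario_esn(void)
{
	struct replay_state st = { true, 0xfffffffdULL, 1 };
	const uint32_t lows[] = { 0xfffffffe, 0xffffffff, 0, 1, 0xffffffff, 2 };
	int n = replay_feed(&st, lows, 6);
	esn_top = st.top;				/* 0x100000002 */
	return n;					/* 5 accepted */
}
```

With ESN, nothing the reconstruction yields ever falls left of the window (a low half below Bl is read as the next subspace), so a forged or stale packet there is caught by the ICV rather than the window; the stale path is reachable only for a plain 32-bit SA.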

Revision 1.146 / (download) - annotate - [select for diffs], Wed Oct 6 22:19:20 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.145: +1 -2 lines
Diff to previous 1.145 (colored)

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days.  According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.

Revision 1.145 / (download) - annotate - [select for diffs], Thu Sep 23 16:34:09 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.144: +1 -4 lines
Diff to previous 1.144 (colored)

remove m_pad in favor of m_inject as it's equivalent to m_inject
with an offset equal to the actual data length.

ok henning blambert

Revision 1.144 / (download) - annotate - [select for diffs], Fri Jul 9 16:58:06 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.143: +14 -9 lines
Diff to previous 1.143 (colored)

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table.  The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;).  Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups.  Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

Revision 1.143 / (download) - annotate - [select for diffs], Thu Jul 1 02:09:45 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.142: +1 -0 lines
Diff to previous 1.142 (colored)

Allow to specify an alternative enc(4) interface for an SA.  All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@

Revision 1.142 / (download) - annotate - [select for diffs], Tue May 11 09:36:07 2010 UTC (14 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.141: +2 -7 lines
Diff to previous 1.141 (colored)

Massive cleanup of the gif(4) mess. Move encapsulation into gif_output()
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@

Revision 1.141 / (download) - annotate - [select for diffs], Fri May 7 13:33:17 2010 UTC (14 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.140: +2 -1 lines
Diff to previous 1.140 (colored)

Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning

Revision 1.140 / (download) - annotate - [select for diffs], Sun Jan 10 12:43:07 2010 UTC (14 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.139: +2 -2 lines
Diff to previous 1.139 (colored)

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 bytes (instead of 64
    bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
    nnn/2 bits, while we still use 96 bits. 96 bits have been
    specified in draft-ietf-ipsec-ciph-sha-256-00 while
    draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

Revision 1.139 / (download) - annotate - [select for diffs], Fri Nov 13 20:54:05 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.138: +4 -4 lines
Diff to previous 1.138 (colored)

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain safe and no longer leaks single packets into the main domain.
Looks good markus@, henning@

Revision 1.138 / (download) - annotate - [select for diffs], Tue Jun 2 21:28:36 2009 UTC (15 years ago) by blambert
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.137: +1 -2 lines
Diff to previous 1.137 (colored)

Shuffle function declarations a bit; ipsp_kern doesn't actually exist,
and tdb_hash is only used in ip_ipsp.c, so there's no need to declare
it as extern in ip_ipsp.h

ok claudio@ henning@

Revision 1.137 / (download) - annotate - [select for diffs], Mon Feb 16 00:31:25 2009 UTC (15 years, 3 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.136: +5 -1 lines
Diff to previous 1.136 (colored)

pfsync v5, mostly written at n2k9, but based on work done at n2k8.

WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC

this is a new variant of the protocol and a large reworking of the
pfsync code to address some performance issues. the single largest
benefit comes from having multiple pfsync messages of different
types handled in a single packet. pfsyncs handling of pf states is
highly optimised now, along with packet parsing and construction.

huggz for beck@ for testing.
huge thanks to mcbride@ for his help during development and for
finding all the bugs during the initial tests.
thanks to peter sutton for letting me get credit for this work.

ok beck@ mcbride@ "good." deraadt@

Revision 1.136 / (download) - annotate - [select for diffs], Sat Nov 8 12:54:58 2008 UTC (15 years, 7 months ago) by dlg
Branch: MAIN
Changes since 1.135: +14 -13 lines
Diff to previous 1.135 (colored)

fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom

ok deraadt@ otto@

Revision 1.135 / (download) - annotate - [select for diffs], Fri Nov 24 13:52:14 2006 UTC (17 years, 6 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4, OPENBSD_4_3_BASE, OPENBSD_4_3, OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.134: +4 -2 lines
Diff to previous 1.134 (colored)

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@

Revision 1.134 / (download) - annotate - [select for diffs], Fri Jun 30 21:41:12 2006 UTC (17 years, 11 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.133: +1 -23 lines
Diff to previous 1.133 (colored)

htonq() is not used, at all

Revision 1.133 / (download) - annotate - [select for diffs], Thu Apr 27 02:19:32 2006 UTC (18 years, 1 month ago) by tedu
Branch: MAIN
Changes since 1.132: +3 -3 lines
Diff to previous 1.132 (colored)

use underscore variants of _BYTE_ORDER macros which are always defined
ok deraadt millert

Revision 1.132 / (download) - annotate - [select for diffs], Fri Jan 13 10:11:23 2006 UTC (18 years, 5 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.131: +2 -1 lines
Diff to previous 1.131 (colored)

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@

Revision 1.131 / (download) - annotate - [select for diffs], Thu Nov 24 12:08:16 2005 UTC (18 years, 6 months ago) by pedro
Branch: MAIN
Changes since 1.130: +1 -3 lines
Diff to previous 1.130 (colored)

Remove kernfs, okay deraadt@.

Revision 1.130 / (download) - annotate - [select for diffs], Sat May 28 15:10:07 2005 UTC (19 years ago) by ho
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.129: +2 -1 lines
Diff to previous 1.129 (colored)

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@

Revision 1.129 / (download) - annotate - [select for diffs], Fri May 27 19:32:31 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.128: +8 -6 lines
Diff to previous 1.128 (colored)

wrap some comments

Revision 1.128 / (download) - annotate - [select for diffs], Fri Nov 19 10:11:52 2004 UTC (19 years, 6 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.127: +2 -1 lines
Diff to previous 1.127 (colored)

Plug memory leak.  Found by pat@.  Thanks!

ok myself markus@

Revision 1.60.2.10 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:25 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.60.2.9: +3 -4 lines
Diff to previous 1.60.2.9 (colored) to branchpoint 1.60 (colored) next main 1.61 (colored)

Merge with the trunk

Revision 1.127 / (download) - annotate - [select for diffs], Wed Apr 14 20:10:04 2004 UTC (20 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: SMP_SYNC_B, SMP_SYNC_A, OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.126: +4 -5 lines
Diff to previous 1.126 (colored)

simpler ipsp_aux_match() API; ok henning, hshoexer

Revision 1.60.2.9 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:24 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.60.2.8: +15 -3 lines
Diff to previous 1.60.2.8 (colored) to branchpoint 1.60 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.126 / (download) - annotate - [select for diffs], Thu Jan 22 14:38:28 2004 UTC (20 years, 4 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.125: +3 -1 lines
Diff to previous 1.125 (colored)

add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@

Revision 1.125 / (download) - annotate - [select for diffs], Wed Dec 10 07:22:43 2003 UTC (20 years, 6 months ago) by itojun
Branch: MAIN
Changes since 1.124: +2 -2 lines
Diff to previous 1.124 (colored)

de-register.  deraadt ok

Revision 1.124 / (download) - annotate - [select for diffs], Tue Dec 2 23:16:29 2003 UTC (20 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.123: +5 -1 lines
Diff to previous 1.123 (colored)

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@

Revision 1.123 / (download) - annotate - [select for diffs], Thu Jul 24 08:03:20 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.122: +8 -2 lines
Diff to previous 1.122 (colored)

hmac-sha2-{256,384,512} support in AH/ESP auth.  markus ok

Revision 1.118.4.3 / (download) - annotate - [select for diffs], Mon May 19 22:40:41 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.118.4.2: +2 -2 lines
Diff to previous 1.118.4.2 (colored) to branchpoint 1.118 (colored) next main 1.119 (colored)

sync

Revision 1.60.2.8 / (download) - annotate - [select for diffs], Tue May 13 19:36:17 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.60.2.7: +2 -2 lines
Diff to previous 1.60.2.7 (colored) to branchpoint 1.60 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.122 / (download) - annotate - [select for diffs], Tue May 6 07:28:39 2003 UTC (21 years, 1 month ago) by deraadt
Branch: MAIN
CVS Tags: UBC_SYNC_A
Changes since 1.121: +2 -2 lines
Diff to previous 1.121 (colored)

string cleaning; tedu ok

Revision 1.60.2.7 / (download) - annotate - [select for diffs], Fri Mar 28 00:06:54 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.60.2.6: +34 -21 lines
Diff to previous 1.60.2.6 (colored) to branchpoint 1.60 (colored)

Sync the SMP branch with 3.3

Revision 1.118.4.2 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:47 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.118.4.1: +2 -2 lines
Diff to previous 1.118.4.1 (colored) to branchpoint 1.118 (colored)

sync to -current

Revision 1.118.4.1 / (download) - annotate - [select for diffs], Tue Jun 11 03:31:36 2002 UTC (22 years ago) by art
Branch: UBC
Changes since 1.118: +62 -49 lines
Diff to previous 1.118 (colored)

Sync UBC branch to -current

Revision 1.121 / (download) - annotate - [select for diffs], Sun Jun 9 16:26:10 2002 UTC (22 years ago) by itojun
Branch: MAIN
CVS Tags: UBC_SYNC_B, OPENBSD_3_3_BASE, OPENBSD_3_3, OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.120: +2 -2 lines
Diff to previous 1.120 (colored)

whitespace

Revision 1.120 / (download) - annotate - [select for diffs], Fri May 31 02:39:53 2002 UTC (22 years ago) by angelos
Branch: MAIN
Changes since 1.119: +35 -22 lines
Diff to previous 1.119 (colored)

New fields in policy and TDB.

Revision 1.60.2.6 / (download) - annotate - [select for diffs], Thu Mar 28 14:56:45 2002 UTC (22 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.60.2.5: +28 -28 lines
Diff to previous 1.60.2.5 (colored) to branchpoint 1.60 (colored)

Merge in -current from roughly a week ago

Revision 1.119 / (download) - annotate - [select for diffs], Thu Mar 14 01:27:11 2002 UTC (22 years, 3 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.118: +28 -28 lines
Diff to previous 1.118 (colored)

First round of __P removal in sys

Revision 1.60.2.5 / (download) - annotate - [select for diffs], Wed Oct 31 03:29:03 2001 UTC (22 years, 7 months ago) by nate
Branch: SMP
Changes since 1.60.2.4: +39 -3 lines
Diff to previous 1.60.2.4 (colored) to branchpoint 1.60 (colored)

Sync the SMP branch to something just after 3.0

Revision 1.118 / (download) - annotate - [select for diffs], Sun Aug 19 06:31:56 2001 UTC (22 years, 9 months ago) by angelos
Branch: MAIN
CVS Tags: UBC_BASE, OPENBSD_3_0_BASE, OPENBSD_3_0
Branch point for: UBC
Changes since 1.117: +2 -2 lines
Diff to previous 1.117 (colored)

Pass the interface (if any) to ipip_input(), so it can be used in
BPF. Closes PR 2000.

Revision 1.117 / (download) - annotate - [select for diffs], Thu Jul 5 08:42:57 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.116: +4 -4 lines
Diff to previous 1.116 (colored)

Style

Revision 1.116 / (download) - annotate - [select for diffs], Thu Jul 5 08:31:48 2001 UTC (22 years, 11 months ago) by jjbg
Branch: MAIN
Changes since 1.115: +38 -2 lines
Diff to previous 1.115 (colored)

IPComp itself (include files). angelos@ ok.

Revision 1.60.2.4 / (download) - annotate - [select for diffs], Wed Jul 4 10:54:52 2001 UTC (22 years, 11 months ago) by niklas
Branch: SMP
Changes since 1.60.2.3: +358 -336 lines
Diff to previous 1.60.2.3 (colored) to branchpoint 1.60 (colored)

Merge in -current from two days ago in the SMP branch.
As usual with merges, they do not indicate progress, so do not hold
your breath for working SMP, and do not mail me and ask about the
state of it.  It has not changed.  There is work ongoing, but very, very
slowly.  The commit is done in parts as to not lock up the tree in too
big chunks at a time.

Revision 1.115 / (download) - annotate - [select for diffs], Wed Jun 27 04:44:03 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.114: +3 -2 lines
Diff to previous 1.114 (colored)

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.

Revision 1.114 / (download) - annotate - [select for diffs], Wed Jun 27 04:39:11 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.113: +4 -1 lines
Diff to previous 1.113 (colored)

Also link acquire state to the relevant IPsec policy.

Revision 1.113 / (download) - annotate - [select for diffs], Wed Jun 27 01:34:07 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.112: +3 -5 lines
Diff to previous 1.112 (colored)

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.

Revision 1.112 / (download) - annotate - [select for diffs], Tue Jun 26 18:56:30 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.111: +3 -1 lines
Diff to previous 1.111 (colored)

Use pool(9) for IPsec policy structures.

Revision 1.111 / (download) - annotate - [select for diffs], Tue Jun 26 18:34:40 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.110: +14 -15 lines
Diff to previous 1.110 (colored)

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF

Revision 1.110 / (download) - annotate - [select for diffs], Tue Jun 26 03:52:42 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.109: +2 -1 lines
Diff to previous 1.109 (colored)

KNF

Revision 1.109 / (download) - annotate - [select for diffs], Mon Jun 25 23:18:08 2001 UTC (22 years, 11 months ago) by beck
Branch: MAIN
Changes since 1.108: +2 -2 lines
Diff to previous 1.108 (colored)

damn greeks desperate for commits...

Revision 1.108 / (download) - annotate - [select for diffs], Mon Jun 25 23:08:24 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.107: +322 -330 lines
Diff to previous 1.107 (colored)

KNF

Revision 1.107 / (download) - annotate - [select for diffs], Mon Jun 25 05:11:59 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.106: +3 -3 lines
Diff to previous 1.106 (colored)

Copyright.

Revision 1.106 / (download) - annotate - [select for diffs], Sun Jun 24 21:52:28 2001 UTC (22 years, 11 months ago) by mickey
Branch: MAIN
Changes since 1.105: +3 -4 lines
Diff to previous 1.105 (colored)

use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok

Revision 1.105 / (download) - annotate - [select for diffs], Sun Jun 24 18:22:47 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.104: +8 -0 lines
Diff to previous 1.104 (colored)

path mtu discovery for ipsec.  on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu

Revision 1.104 / (download) - annotate - [select for diffs], Sun Jun 24 18:15:38 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.103: +11 -11 lines
Diff to previous 1.103 (colored)

remove whitespace

Revision 1.103 / (download) - annotate - [select for diffs], Fri Jun 8 19:40:09 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.102: +2 -1 lines
Diff to previous 1.102 (colored)

IPSP_POLICY_STATIC flag.

Revision 1.102 / (download) - annotate - [select for diffs], Thu Jun 7 16:19:47 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.101: +2 -3 lines
Diff to previous 1.101 (colored)

Simplify SPD logic (and correct some input cases).

Revision 1.101 / (download) - annotate - [select for diffs], Fri Jun 1 07:56:46 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.100: +2 -1 lines
Diff to previous 1.100 (colored)

ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and
creates a tag for each of the ESP/AH headers. This will be used by
IPsec-aware NIC device drivers that need to notify IPsec that crypto
processing has already been done.

There is an excessive amount of m_copydata() calls used by this
routine, but there's no way around it that I can think of.

Revision 1.100 / (download) - annotate - [select for diffs], Fri Jun 1 00:09:24 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.99: +1 -11 lines
Diff to previous 1.99 (colored)

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.

Revision 1.99 / (download) - annotate - [select for diffs], Thu May 31 23:45:50 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.98: +11 -1 lines
Diff to previous 1.98 (colored)

Structure for NIC IPsec processing status reports.

Revision 1.98 / (download) - annotate - [select for diffs], Wed May 30 16:43:12 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.97: +2 -2 lines
Diff to previous 1.97 (colored)

IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth
in kernfs

Revision 1.97 / (download) - annotate - [select for diffs], Wed May 30 12:24:39 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.96: +2 -2 lines
Diff to previous 1.96 (colored)

Forgot to update ipsec_output_done()

Revision 1.96 / (download) - annotate - [select for diffs], Wed May 30 12:20:20 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.95: +7 -15 lines
Diff to previous 1.95 (colored)

With the tags, we don't need to abuse the IPsec API to do socket keying.

Revision 1.95 / (download) - annotate - [select for diffs], Wed May 30 11:14:42 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.94: +9 -1 lines
Diff to previous 1.94 (colored)

Keep track of remote authentication material (like public key) as well.

Revision 1.94 / (download) - annotate - [select for diffs], Wed May 30 10:55:06 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.93: +13 -1 lines
Diff to previous 1.93 (colored)

Fields to store local auth information in policy and TDB.

Revision 1.93 / (download) - annotate - [select for diffs], Tue May 29 01:12:27 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.92: +5 -1 lines
Diff to previous 1.92 (colored)

Fields on TDB for last used and last SKIPCRYPTO status change.

Revision 1.92 / (download) - annotate - [select for diffs], Tue May 29 01:03:01 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.91: +3 -1 lines
Diff to previous 1.91 (colored)

Add ipsp_skipcrypto_{mark,unmark}()

Revision 1.91 / (download) - annotate - [select for diffs], Sun May 27 05:17:07 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.90: +1 -2 lines
Diff to previous 1.90 (colored)

Remove ipsp_copy_ident() prototype.

Revision 1.90 / (download) - annotate - [select for diffs], Sun May 27 03:48:15 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.89: +5 -3 lines
Diff to previous 1.89 (colored)

Change prototype of ipsp_common_input_cb() to also accept a packet tag
as the last argument.

Revision 1.89 / (download) - annotate - [select for diffs], Mon May 21 06:01:34 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.88: +2 -1 lines
Diff to previous 1.88 (colored)

SKIPCRYPTO flag

Revision 1.88 / (download) - annotate - [select for diffs], Mon May 21 03:27:48 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.87: +2 -4 lines
Diff to previous 1.87 (colored)

Cosmetic.

Revision 1.87 / (download) - annotate - [select for diffs], Mon May 21 03:23:36 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.86: +5 -5 lines
Diff to previous 1.86 (colored)

Use int16_t for the type and length of ipsec_ref objects.

Revision 1.86 / (download) - annotate - [select for diffs], Mon May 21 03:02:19 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.85: +17 -23 lines
Diff to previous 1.85 (colored)

Use a reference-counted structure for IPsec IDs and credentials, so we
can cheaply keep copies of them at the PCB. ok deraadt@

Revision 1.60.2.3 / (download) - annotate - [select for diffs], Mon May 14 22:40:11 2001 UTC (23 years, 1 month ago) by niklas
Branch: SMP
Changes since 1.60.2.2: +161 -121 lines
Diff to previous 1.60.2.2 (colored) to branchpoint 1.60 (colored)

merge in approximately 2.9 into SMP branch

Revision 1.85 / (download) - annotate - [select for diffs], Sat May 5 00:31:20 2001 UTC (23 years, 1 month ago) by angelos
Branch: MAIN
Changes since 1.84: +14 -9 lines
Diff to previous 1.84 (colored)

Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.

Revision 1.84 / (download) - annotate - [select for diffs], Tue May 1 18:31:35 2001 UTC (23 years, 1 month ago) by fgsch
Branch: MAIN
Changes since 1.83: +3 -2 lines
Diff to previous 1.83 (colored)

Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE
option is used. Note that this does not work.

Revision 1.83 / (download) - annotate - [select for diffs], Sat Apr 14 00:30:59 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE, OPENBSD_2_9
Changes since 1.82: +14 -7 lines
Diff to previous 1.82 (colored)

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

Revision 1.82 / (download) - annotate - [select for diffs], Wed Mar 28 20:03:04 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.81: +11 -7 lines
Diff to previous 1.81 (colored)

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
do weird things with mbufs.

Revision 1.81 / (download) - annotate - [select for diffs], Tue Mar 27 14:45:22 2001 UTC (23 years, 2 months ago) by art
Branch: MAIN
Changes since 1.80: +2 -1 lines
Diff to previous 1.80 (colored)

Fix a problem with how TDB timeouts were used in pfkeyv2.
When we allocated a tdb we did a timeout_add before a timeout_set.
This was a problem in itself, but it shouldn't hurt too much.
What did hurt was that we did a timeout_set after the timeout_add,
timeout_set marked the timeout as not being on the timeout list and if we
did a timeout_del (or timeout_add) later (before the timeout fired) we
ended up with a chunk of freed memory on the timeout queue or maybe
even dangling pointers (or a circular list).

This should probably cure the timeout queue corruption some people were
seeing lately.
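The ordering problem art@ describes above, as an added example that is not OpenBSD code: a mock of the timeout(9) flag-and-queue bookkeeping (the flag name, the singly linked list and the mock_ function names are this example's own assumptions) showing why calling the set routine after the add routine leaves a link to freed memory on the queue once the timeout is later deleted.

```c
/* Added example: a mock of the timeout(9) queue bookkeeping, not OpenBSD
 * code.  Flag name, list shape and function names are assumptions made
 * for illustration; only the set/add/del ordering matters. */
#include <stdio.h>
#include <stdlib.h>

#define TO_ONQUEUE 0x01

struct timeout {
    struct timeout *to_next;
    void (*to_func)(void *);
    void *to_arg;
    int to_flags;
};

static struct timeout *queue_head;

/* Initialise callback and clear all flags.  If the timeout is already
 * queued, this forgets that fact: the queue still links it, but the
 * timeout's own flags now say it is not there. */
static void
mock_timeout_set(struct timeout *to, void (*fn)(void *), void *arg)
{
    to->to_func = fn;
    to->to_arg = arg;
    to->to_flags = 0;
}

/* Queue unless the flags claim it is queued already. */
static void
mock_timeout_add(struct timeout *to)
{
    if (to->to_flags & TO_ONQUEUE)
        return;
    to->to_next = queue_head;
    queue_head = to;
    to->to_flags |= TO_ONQUEUE;
}

/* Unlink only if the flags claim it is queued; this is the trust that an
 * out-of-order set breaks. */
static void
mock_timeout_del(struct timeout *to)
{
    struct timeout **pp;

    if (!(to->to_flags & TO_ONQUEUE))
        return;
    for (pp = &queue_head; *pp != NULL; pp = &(*pp)->to_next)
        if (*pp == to) {
            *pp = to->to_next;
            break;
        }
    to->to_flags &= ~TO_ONQUEUE;
}

static int
queue_contains(const struct timeout *to)
{
    const struct timeout *p;

    for (p = queue_head; p != NULL; p = p->to_next)
        if (p == to)
            return 1;
    return 0;
}

static void
dummy_expire(void *arg)
{
    (void)arg;
}

/* Simulate allocating a tdb with an embedded timeout, cancelling the
 * timeout before it fires, then freeing the tdb.  Returns 1 if the queue
 * would still reference the freed memory, 0 if the queue is clean. */
static int
run_sequence(int add_before_set)
{
    struct timeout *to = calloc(1, sizeof(*to));
    int stale;

    if (to == NULL)
        return -1;
    queue_head = NULL;
    if (add_before_set) {
        mock_timeout_add(to);                     /* the order the log describes */
        mock_timeout_set(to, dummy_expire, NULL);
    } else {
        mock_timeout_set(to, dummy_expire, NULL); /* correct order */
        mock_timeout_add(to);
    }
    mock_timeout_del(to);        /* e.g. the SA is deleted before expiry */
    stale = queue_contains(to);  /* a stale link here is the dangling pointer */
    queue_head = NULL;           /* the mock drops it; a real queue would not */
    free(to);
    return stale;
}

int
main(void)
{
    printf("set then add, stale after del: %d\n", run_sequence(0));
    printf("add then set, stale after del: %d\n", run_sequence(1));
    return 0;
}
```

run_sequence(0) returns 0 and run_sequence(1) returns 1: with the wrong order, timeout_del trusts the cleared flag, skips the unlink, and the queue keeps pointing at memory that is freed immediately afterwards.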

Revision 1.80 / (download) - annotate - [select for diffs], Thu Mar 15 06:31:00 2001 UTC (23 years, 3 months ago) by mickey
Branch: MAIN
Changes since 1.79: +14 -19 lines
Diff to previous 1.79 (colored)

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok

Revision 1.79 / (download) - annotate - [select for diffs], Sun Mar 4 20:34:00 2001 UTC (23 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.78: +5 -2 lines
Diff to previous 1.78 (colored)

Store peer's credentials in TDB.

Revision 1.78 / (download) - annotate - [select for diffs], Wed Feb 28 04:16:57 2001 UTC (23 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.77: +8 -3 lines
Diff to previous 1.77 (colored)

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.

Revision 1.77 / (download) - annotate - [select for diffs], Mon Feb 12 06:57:19 2001 UTC (23 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.76: +0 -3 lines
Diff to previous 1.76 (colored)

putting #error into an include file is totally wrong

Revision 1.76 / (download) - annotate - [select for diffs], Sun Feb 11 16:25:37 2001 UTC (23 years, 4 months ago) by fgsch
Branch: MAIN
Changes since 1.75: +4 -1 lines
Diff to previous 1.75 (colored)

If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok

Revision 1.75 / (download) - annotate - [select for diffs], Sun Dec 24 04:18:04 2000 UTC (23 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.74: +2 -2 lines
Diff to previous 1.74 (colored)

Extra argument in the function to tdb_walk(), indicating last TDB.

Revision 1.74 / (download) - annotate - [select for diffs], Sat Oct 14 06:23:52 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE, OPENBSD_2_8
Changes since 1.73: +8 -4 lines
Diff to previous 1.73 (colored)

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.

Revision 1.73 / (download) - annotate - [select for diffs], Mon Oct 9 22:20:41 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.72: +2 -2 lines
Diff to previous 1.72 (colored)

AES support.

Revision 1.72 / (download) - annotate - [select for diffs], Wed Sep 20 19:13:17 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.71: +9 -1 lines
Diff to previous 1.71 (colored)

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).

Revision 1.71 / (download) - annotate - [select for diffs], Tue Sep 19 08:38:59 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.70: +3 -1 lines
Diff to previous 1.70 (colored)

SA bundles.

Revision 1.70 / (download) - annotate - [select for diffs], Tue Sep 19 03:20:59 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.69: +89 -86 lines
Diff to previous 1.69 (colored)

Lots and lots of changes.

Revision 1.69 / (download) - annotate - [select for diffs], Sun Jun 18 19:05:49 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.68: +1 -5 lines
Diff to previous 1.68 (colored)

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()

Revision 1.68 / (download) - annotate - [select for diffs], Sun Jun 18 05:58:46 2000 UTC (23 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.67: +3 -3 lines
Diff to previous 1.67 (colored)

IPv6 AH/ESP support, inbound side only.  tested with KAME.

Revision 1.67 / (download) - annotate - [select for diffs], Tue Jun 6 04:49:29 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.66: +10 -2 lines
Diff to previous 1.66 (colored)

Get rid of tdb_ref, keep indirect pointer to TDB.

Revision 1.66 / (download) - annotate - [select for diffs], Thu Jun 1 04:24:26 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.65: +2 -1 lines
Diff to previous 1.65 (colored)

ipsp_acquire_sa()

Revision 1.65 / (download) - annotate - [select for diffs], Thu Jun 1 04:01:54 2000 UTC (24 years ago) by angelos
Branch: MAIN
Changes since 1.64: +2 -1 lines
Diff to previous 1.64 (colored)

Prototype for ipsp_spd_lookup()

Revision 1.64 / (download) - annotate - [select for diffs], Wed Apr 19 03:37:36 2000 UTC (24 years, 1 month ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE, OPENBSD_2_7
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored)

tdb_ref should be signed, this avoids a problem with flushing the TDB
table causing repeated allocations of bypass TDBs.

Revision 1.63 / (download) - annotate - [select for diffs], Wed Mar 29 07:09:57 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.62: +3 -1 lines
Diff to previous 1.62 (colored)

Conform to crypto framework changes for IVs.

Revision 1.60.2.2 / (download) - annotate - [select for diffs], Fri Mar 24 09:09:37 2000 UTC (24 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.60.2.1: +24 -91 lines
Diff to previous 1.60.2.1 (colored) to branchpoint 1.60 (colored)

Sync with -current

Revision 1.62 / (download) - annotate - [select for diffs], Fri Mar 17 10:25:22 2000 UTC (24 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.61: +25 -92 lines
Diff to previous 1.61 (colored)

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
 - multiple instances of the same algorithm used in the same session
 - use of multiple crypto drivers in the same session
 - asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.

Revision 1.60.2.1 / (download) - annotate - [select for diffs], Thu Mar 2 07:04:42 2000 UTC (24 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.60: +6 -6 lines
Diff to previous 1.60 (colored)

Sync with -current

Revision 1.61 / (download) - annotate - [select for diffs], Mon Feb 28 23:13:07 2000 UTC (24 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.60: +6 -6 lines
Diff to previous 1.60 (colored)

move crypto code

Revision 1.60 / (download) - annotate - [select for diffs], Thu Jan 27 08:09:12 2000 UTC (24 years, 4 months ago) by angelos
Branch: MAIN
CVS Tags: SMP_BASE
Branch point for: SMP
Changes since 1.59: +41 -36 lines
Diff to previous 1.59 (colored)

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).

Revision 1.59 / (download) - annotate - [select for diffs], Fri Jan 21 03:15:05 2000 UTC (24 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.58: +6 -2 lines
Diff to previous 1.58 (colored)

Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not
affected by net.inet.ipip.allow (the sysctl formerly known as
net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input.

Revision 1.58 / (download) - annotate - [select for diffs], Thu Jan 13 06:02:31 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

mbuf **, not mbuf * you twit...

Revision 1.57 / (download) - annotate - [select for diffs], Thu Jan 13 05:03:45 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.56: +5 -1 lines
Diff to previous 1.56 (colored)

Add an ip4_input6() for use with IPv6 (just a wrapper for
ip4_input()), add prototype, ifdef include files.

Revision 1.56 / (download) - annotate - [select for diffs], Thu Jan 13 00:34:31 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.55: +7 -4 lines
Diff to previous 1.55 (colored)

put_flow(), find_flow(), and delete_flow() get a third argument (for
ingress or egress flow)

Revision 1.55 / (download) - annotate - [select for diffs], Mon Jan 10 06:59:23 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.54: +35 -2 lines
Diff to previous 1.54 (colored)

Add 10 new ipsec-related sysctl variables...they are currently under
net.inet.ip; perhaps they should be moved under net.inet.ipsec or some
such.

Revision 1.54 / (download) - annotate - [select for diffs], Mon Jan 10 04:30:53 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.53: +5 -1 lines
Diff to previous 1.53 (colored)

Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the
amount of time embryonic SAs will be kept before they have to be
initialized by key management (this only affects automated key
management).

Revision 1.53 / (download) - annotate - [select for diffs], Sun Jan 9 22:31:07 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.52: +4 -2 lines
Diff to previous 1.52 (colored)

externalize ipsec_acl

Revision 1.52 / (download) - annotate - [select for diffs], Wed Dec 29 20:27:55 1999 UTC (24 years, 5 months ago) by mickey
Branch: MAIN
Changes since 1.51: +3 -3 lines
Diff to previous 1.51 (colored)

fix _input/_output proto changes for tcp_signature; angelos@ ok

Revision 1.51 / (download) - annotate - [select for diffs], Sat Dec 25 04:48:16 1999 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.50: +5 -1 lines
Diff to previous 1.50 (colored)

Move the IPsec packet-processing loop to a separate routine, so we can
reuse it in ip6_output and the bridge. The policy-lookup code will
probably follow suit in a separate routine sometime soon.

Revision 1.50 / (download) - annotate - [select for diffs], Wed Dec 8 12:10:25 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored)

Fix debugging printf compilation.

Revision 1.49 / (download) - annotate - [select for diffs], Wed Dec 8 06:16:56 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
CVS Tags: kame_19991208
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored)

IPv6 header handling, improve IPv4 option handling support.

Revision 1.48 / (download) - annotate - [select for diffs], Mon Dec 6 07:14:36 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.47: +18 -13 lines
Diff to previous 1.47 (colored)

New ESP code that's v4 and v6 friendly.

Revision 1.47 / (download) - annotate - [select for diffs], Sat Dec 4 23:20:21 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.46: +49 -11 lines
Diff to previous 1.46 (colored)

Address independence, IPv6 support, and the -local flag in ipsecadm is
no longer needed.

Revision 1.46 / (download) - annotate - [select for diffs], Fri Oct 29 05:20:46 1999 UTC (24 years, 7 months ago) by angelos
Branch: MAIN
Changes since 1.45: +2 -1 lines
Diff to previous 1.45 (colored)

New field in tdb, to be used with bridging.

Revision 1.45 / (download) - annotate - [select for diffs], Fri Oct 29 02:10:02 1999 UTC (24 years, 7 months ago) by angelos
Branch: MAIN
Changes since 1.44: +7 -13 lines
Diff to previous 1.44 (colored)

Get rid of unnecessary third argument in *_output routines of IPsec.

Revision 1.44 / (download) - annotate - [select for diffs], Fri Oct 29 02:02:33 1999 UTC (24 years, 7 months ago) by angelos
Branch: MAIN
Changes since 1.43: +3 -5 lines
Diff to previous 1.43 (colored)

Remove unnecessary argument from ipe4_output() and etherip_output()

Revision 1.43 / (download) - annotate - [select for diffs], Thu Oct 28 03:08:34 1999 UTC (24 years, 7 months ago) by angelos
Branch: MAIN
Changes since 1.42: +6 -1 lines
Diff to previous 1.42 (colored)

Add Ethernet-IP encapsulation handling.

Revision 1.42 / (download) - annotate - [select for diffs], Wed Sep 29 09:11:21 1999 UTC (24 years, 8 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_6_BASE, OPENBSD_2_6
Changes since 1.41: +5 -3 lines
Diff to previous 1.41 (colored)

Critical reliability fix for IPsec.  On i386 splsoftclock is not
a perfect emulation of a "real" architecture's splsoftclock, as it
assumes it is only invoked from higher spl levels.  Use splsoftnet instead.

Revision 1.41 / (download) - annotate - [select for diffs], Tue Aug 10 11:35:26 1999 UTC (24 years, 10 months ago) by ho
Branch: MAIN
Changes since 1.40: +3 -2 lines
Diff to previous 1.40 (colored)

Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb

Revision 1.40 / (download) - annotate - [select for diffs], Thu Aug 5 21:58:15 1999 UTC (24 years, 10 months ago) by ho
Branch: MAIN
Changes since 1.39: +3 -2 lines
Diff to previous 1.39 (colored)

Add tdb_walk. tdb_delete() should clean up routes when deleting flows.

Revision 1.39 / (download) - annotate - [select for diffs], Thu Jul 15 14:15:41 1999 UTC (24 years, 11 months ago) by niklas
Branch: MAIN
Changes since 1.38: +6 -1 lines
Diff to previous 1.38 (colored)

From angelos@, edits by me, demand keying for PF_KEY

Revision 1.38 / (download) - annotate - [select for diffs], Tue Jul 6 20:17:52 1999 UTC (24 years, 11 months ago) by cmetz
Branch: MAIN
Changes since 1.37: +12 -1 lines
Diff to previous 1.37 (colored)

Added support for TCP MD5 option (RFC 2385).

Revision 1.37 / (download) - annotate - [select for diffs], Wed Jun 30 17:23:59 1999 UTC (24 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.36: +12 -1 lines
Diff to previous 1.36 (colored)

remove final low-level crypto knowledge from base ipsec code

Revision 1.36 / (download) - annotate - [select for diffs], Fri Jun 18 07:24:07 1999 UTC (25 years ago) by deraadt
Branch: MAIN
Changes since 1.35: +3 -1 lines
Diff to previous 1.35 (colored)

split out transforms; some debugging done but there may still be bugs in
the new key init/zero functions

Revision 1.35 / (download) - annotate - [select for diffs], Sun Jun 6 23:53:02 1999 UTC (25 years ago) by angelos
Branch: MAIN
Changes since 1.34: +4 -4 lines
Diff to previous 1.34 (colored)

Ident.

Revision 1.34 / (download) - annotate - [select for diffs], Sun May 23 09:04:46 1999 UTC (25 years ago) by niklas
Branch: MAIN
Changes since 1.33: +1 -4 lines
Diff to previous 1.33 (colored)

SA hash table resizing

Revision 1.33 / (download) - annotate - [select for diffs], Thu May 20 12:52:35 1999 UTC (25 years ago) by niklas
Branch: MAIN
Changes since 1.32: +3 -3 lines
Diff to previous 1.32 (colored)

Fix a bug where the ordered expiration list could get out of order.  Add
invariant checking of the lists when DIAGNOSTIC compiled.  Extend the
critical region to cover all of tdb_expiration so the tdb won't
disappear behind our back.

Revision 1.32 / (download) - annotate - [select for diffs], Sun May 16 21:48:37 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.31: +17 -5 lines
Diff to previous 1.31 (colored)

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration.  Cleanup expiration
logic too.

Revision 1.31 / (download) - annotate - [select for diffs], Fri May 14 23:36:21 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.30: +16 -22 lines
Diff to previous 1.30 (colored)

A new scalable IPsec SA expiration model.

Revision 1.30 / (download) - annotate - [select for diffs], Tue May 11 22:57:17 1999 UTC (25 years, 1 month ago) by niklas
Branch: MAIN
Changes since 1.29: +1 -2 lines
Diff to previous 1.29 (colored)

Remove cruft that wasted space en masse in the IPsec subsystem

Revision 1.29 / (download) - annotate - [select for diffs], Sun Apr 11 19:41:39 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_5_BASE, OPENBSD_2_5
Changes since 1.28: +1 -19 lines
Diff to previous 1.28 (colored)

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf.  Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug.  Some corrected function signatures too.

Revision 1.28 / (download) - annotate - [select for diffs], Sat Mar 27 21:04:19 1999 UTC (25 years, 2 months ago) by provos
Branch: MAIN
Changes since 1.27: +14 -1 lines
Diff to previous 1.27 (colored)

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew.  this was all done in canada. dugsong and linh
provided the ride and company.
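The inbound protection check provos@ describes above ("check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient" and count the drops), as an added example that is not OpenBSD code. The level names follow OpenBSD's IPSEC_LEVEL_* ordering; the protection bitmask, the function name and the statistics struct are this example's own assumptions.

```c
/* Added example, not OpenBSD code: an inbound minimum-protection check in
 * the spirit of the log entry.  Level names follow OpenBSD's IPSEC_LEVEL_*
 * ordering; the bitmask, function and stats struct are this example's own. */
#include <stdint.h>
#include <stdio.h>

#define LVL_BYPASS  0   /* never apply or require IPsec */
#define LVL_AVAIL   1   /* use an SA if one happens to exist */
#define LVL_USE     2   /* try to get an SA, pass without */
#define LVL_REQUIRE 3   /* drop unless protected */
#define LVL_UNIQUE  4   /* require, with a socket-specific SA */

#define PROT_AH        0x1   /* packet carried a verified AH */
#define PROT_ESP_TRANS 0x2   /* packet was in transport-mode ESP */
#define PROT_ESP_TUN   0x4   /* packet arrived via tunnel-mode ESP */

struct mock_ipsec_stats {
    uint64_t drops_insufficient_auth;
    uint64_t drops_insufficient_esp;
} g_ipsec_stats;

/* Returns 1 to deliver, 0 to drop.  Levels below REQUIRE are hints for
 * the output path and never reject inbound traffic; REQUIRE and UNIQUE
 * both demand that the service was actually applied to this packet. */
static int
ipsec_inbound_sufficient(uint8_t auth_lvl, uint8_t esp_trans_lvl,
    uint8_t esp_net_lvl, unsigned prot)
{
    if (auth_lvl >= LVL_REQUIRE && !(prot & PROT_AH)) {
        g_ipsec_stats.drops_insufficient_auth++;
        return 0;
    }
    if (esp_trans_lvl >= LVL_REQUIRE && !(prot & PROT_ESP_TRANS)) {
        g_ipsec_stats.drops_insufficient_esp++;
        return 0;
    }
    if (esp_net_lvl >= LVL_REQUIRE && !(prot & PROT_ESP_TUN)) {
        g_ipsec_stats.drops_insufficient_esp++;
        return 0;
    }
    return 1;
}

int
main(void)
{
    /* Constructed cases: a socket demanding AH sees a bare packet, then an
     * AH-protected one; a USE-level socket accepts either. */
    printf("REQUIRE auth, plain packet: %d\n",
        ipsec_inbound_sufficient(LVL_REQUIRE, LVL_BYPASS, LVL_BYPASS, 0));
    printf("REQUIRE auth, AH packet: %d\n",
        ipsec_inbound_sufficient(LVL_REQUIRE, LVL_BYPASS, LVL_BYPASS, PROT_AH));
    printf("USE auth, plain packet: %d\n",
        ipsec_inbound_sufficient(LVL_USE, LVL_BYPASS, LVL_BYPASS, 0));
    printf("auth drops: %llu\n",
        (unsigned long long)g_ipsec_stats.drops_insufficient_auth);
    return 0;
}
```

The point the counters make is operational: a socket at REQUIRE silently losing traffic is indistinguishable from a network fault unless the drop is attributed to insufficient protection, which is why the log entry adds statistics alongside the check.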

Revision 1.27 / (download) - annotate - [select for diffs], Thu Feb 25 01:30:49 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.26: +16 -3 lines
Diff to previous 1.26 (colored)

Move union sockaddr_union to ip_ipsp.h

Revision 1.26 / (download) - annotate - [select for diffs], Wed Feb 24 23:45:52 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.25: +5 -3 lines
Diff to previous 1.25 (colored)

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.

Revision 1.25 / (download) - annotate - [select for diffs], Wed Feb 24 23:07:20 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.24: +4 -1 lines
Diff to previous 1.24 (colored)

add skipjack support back

Revision 1.24 / (download) - annotate - [select for diffs], Wed Feb 24 22:33:06 1999 UTC (25 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.23: +317 -131 lines
Diff to previous 1.23 (colored)

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.

Revision 1.23 / (download) - annotate - [select for diffs], Wed Feb 17 20:39:17 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.22: +14 -13 lines
Diff to previous 1.22 (colored)

ipsec skipjack, based on free .fi code (some .gov type will test this for me)

Revision 1.22 / (download) - annotate - [select for diffs], Wed Feb 17 18:10:38 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.21: +77 -71 lines
Diff to previous 1.21 (colored)

indent

Revision 1.21 / (download) - annotate - [select for diffs], Fri Jan 8 21:40:28 1999 UTC (25 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

do not use random bits when not necessary, remove 8-byte block dependence

Revision 1.20 / (download) - annotate - [select for diffs], Wed Nov 25 11:47:17 1998 UTC (25 years, 6 months ago) by niklas
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

typo in comment

Revision 1.19 / (download) - annotate - [select for diffs], Mon May 18 21:10:59 1998 UTC (26 years, 1 month ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_2_4_BASE, OPENBSD_2_4
Changes since 1.18: +36 -10 lines
Diff to previous 1.18 (colored)

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.

Revision 1.18 / (download) - annotate - [select for diffs], Wed Mar 18 10:51:38 1998 UTC (26 years, 3 months ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_2_3_BASE, OPENBSD_2_3
Changes since 1.17: +1 -1 lines
Diff to previous 1.17 (colored)

adapt function arguments to get the expected prototype.

Revision 1.17 / (download) - annotate - [select for diffs], Wed Mar 18 10:16:29 1998 UTC (26 years, 3 months ago) by provos
Branch: MAIN
Changes since 1.16: +2 -1 lines
Diff to previous 1.16 (colored)

Fix tunnel mode input processing (use ip4_input instead of ipe4_input),
fix some old code leftovers in ah_new_input (adjust to variable hash length),
avoid double ip encapsulation in tunnel mode. Problems reported by
Petr Novak <petr@internet.cz>.

Revision 1.16 / (download) - annotate - [select for diffs], Mon Nov 24 19:14:15 1997 UTC (26 years, 6 months ago) by provos
Branch: MAIN
Changes since 1.15: +2 -1 lines
Diff to previous 1.15 (colored)

add ripemd-160 as authentication function.

Revision 1.15 / (download) - annotate - [select for diffs], Tue Nov 4 09:11:17 1997 UTC (26 years, 7 months ago) by provos
Branch: MAIN
Changes since 1.14: +10 -2 lines
Diff to previous 1.14 (colored)

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.

Revision 1.14 / (download) - annotate - [select for diffs], Sun Jul 27 23:30:37 1997 UTC (26 years, 10 months ago) by niklas
Branch: MAIN
CVS Tags: OPENBSD_2_2_BASE, OPENBSD_2_2
Changes since 1.13: +25 -9 lines
Diff to previous 1.13 (colored)

expiration messages, fixes, updates, all sorts of things

Revision 1.13 / (download) - annotate - [select for diffs], Tue Jul 15 23:11:10 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.12: +3 -31 lines
Diff to previous 1.12 (colored)

flags for tunnels and replacing existing routes, sysctl! + tiny bug fix

Revision 1.12 / (download) - annotate - [select for diffs], Mon Jul 14 08:46:38 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.11: +32 -5 lines
Diff to previous 1.11 (colored)

sysctl...

Revision 1.11 / (download) - annotate - [select for diffs], Fri Jul 11 23:37:59 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.10: +98 -54 lines
Diff to previous 1.10 (colored)

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.

Revision 1.10 / (download) - annotate - [select for diffs], Wed Jul 2 06:58:43 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

fix neglected _FLEN's + reserve_spi + output reserved spi's without alg.
correctly.

Revision 1.9 / (download) - annotate - [select for diffs], Tue Jul 1 22:12:52 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.8: +16 -3 lines
Diff to previous 1.8 (colored)

major restructuring

Revision 1.8 / (download) - annotate - [select for diffs], Wed Jun 25 07:53:28 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.7: +24 -9 lines
Diff to previous 1.7 (colored)

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI

Revision 1.7 / (download) - annotate - [select for diffs], Tue Jun 24 12:15:26 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.6: +9 -3 lines
Diff to previous 1.6 (colored)

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes

Revision 1.6 / (download) - annotate - [select for diffs], Sat Jun 21 00:09:19 1997 UTC (26 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (colored)

u_int32_t changes, need testing

Revision 1.5 / (download) - annotate - [select for diffs], Fri Jun 20 05:41:53 1997 UTC (26 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.4: +40 -23 lines
Diff to previous 1.4 (colored)

ah-sha1 + esp-3des + indentation

Revision 1.4 / (download) - annotate - [select for diffs], Fri Feb 28 02:55:33 1997 UTC (27 years, 3 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_1_BASE, OPENBSD_2_1
Changes since 1.3: +3 -1 lines
Diff to previous 1.3 (colored)

Added flags field in the TDB structure.

Revision 1.3 / (download) - annotate - [select for diffs], Mon Feb 24 14:06:42 1997 UTC (27 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.2: +2 -0 lines
Diff to previous 1.2 (colored)

OpenBSD tags + some prototyping police

Revision 1.2 / (download) - annotate - [select for diffs], Fri Feb 21 08:42:32 1997 UTC (27 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.1: +3 -7 lines
Diff to previous 1.1 (colored)

-nostdinc and big endian cleanup

Revision 1.1 / (download) - annotate - [select for diffs], Thu Feb 20 01:08:01 1997 UTC (27 years, 3 months ago) by deraadt
Branch: MAIN

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
