summaryrefslogtreecommitdiffstats
path: root/sys/netipsec/xform_esp.c
Commit message (Collapse)AuthorAgeFilesLines
* - The authsize field from auth_hash structure was removed.pjd2006-05-171-4/+4
| | | | | | | - Define that we want to receive only 96 bits of HMAC. - Names of the structues have no longer _96 suffix. Reviewed by: sam
* Hide net.inet.ipsec.test_{replay,integrity} sysctls under #ifdef REGRESSION.pjd2006-04-101-0/+4
| | | | Requested by: sam, rwatson
* Introduce two new sysctls:pjd2006-04-091-1/+22
| | | | | | | | | | | | | net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with the same sequence number. This allows to verify if the other side has proper replay attacks detection. net.inet.ipsec.test_integrity - When set 1, IPsec will send packets with corrupted HMAC. This allows to verify if the other side properly detects modified packets. I used the first one to discover that we don't have proper replay attacks detection in ESP (in fast_ipsec(4)).
* Be consistent with the rest of the code.pjd2006-04-091-1/+1
|
* First steps towards IPSec cleanup.gnn2006-03-251-6/+6
| | | | | | | | | Make the kernel side of FAST_IPSEC not depend on the shared structures defined in /usr/include/net/pfkeyv2.h The kernel now defines all the necessary in kernel structures in sys/netipsec/keydb.h and does the proper massaging when moving messages around. Sponsored By: Secure Computing
* Allow to use fast_ipsec(4) on debug.mpsafenet=0 and INVARIANTS-enabledpjd2006-03-231-3/+14
| | | | | | systems. Without the change it will panic on assertions. MFC after: 2 weeks
* Add missing code needed for the detection of IPSec packet replays. [1]cperciva2006-03-221-0/+17
| | | | | | | | Correctly identify the user running opiepasswd(1) when the login name differs from the account name. [2] Security: FreeBSD-SA-06:11.ipsec [1] Security: FreeBSD-SA-06:12.opie [2]
* promote fast ipsec's m_clone routine for public use; it is renamedsam2006-03-151-1/+1
| | | | | | | m_unshare and the caller can now control how mbufs are allocated Reviewed by: andre, luigi, mlaier MFC after: 1 week
* /* -> /*- for license, minor formatting changesimp2005-01-071-1/+1
|
* change SYSINIT starting point to be consistent with other modulessam2004-01-271-1/+1
|
* MFp4: portability work, general cleanup, locking fixessam2003-09-291-71/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change 38496 o add ipsec_osdep.h that holds os-specific definitions for portability o s/KASSERT/IPSEC_ASSERT/ for portability o s/SPLASSERT/IPSEC_SPLASSERT/ for portability o remove function names from ASSERT strings since line#+file pinpints the location o use __func__ uniformly to reduce string storage o convert some random #ifdef DIAGNOSTIC code to assertions o remove some debuggging assertions no longer needed change 38498 o replace numerous bogus panic's with equally bogus assertions that at least go away on a production system change 38502 + 38530 o change explicit mtx operations to #defines to simplify future changes to a different lock type change 38531 o hookup ipv4 ctlinput paths to a noop routine; we should be handling path mtu changes at least o correct potential null pointer deref in ipsec4_common_input_cb chnage 38685 o fix locking for bundled SA's and for when key exchange is required change 38770 o eliminate recursion on the SAHTREE lock change 38804 o cleanup some types: long -> time_t o remove refrence to dead #define change 38805 o correct some types: long -> time_t o add scan generation # to secpolicy to deal with locking issues change 38806 o use LIST_FOREACH_SAFE instead of handrolled code o change key_flush_spd to drop the sptree lock before purging an entry to avoid lock recursion and to avoid holding the lock over a long-running operation o misc cleanups of tangled and twisty code There is still much to do here but for now things look to be working again. Supported by: FreeBSD Foundation
* Locking and misc cleanups; most of which I've been running for >4 months:sam2003-09-011-12/+7
| | | | | | | | | | o add locking o strip irrelevant spl's o split malloc types to better account for memory use o remove unused IPSEC_NONBLOCK_ACQUIRE code o remove dead code Sponsored by: FreeBSD Foundation
* consolidate callback optimization check in one location by adding a flagsam2003-06-301-20/+2
| | | | | | | for crypto operations that indicates the crypto code should do the check in crypto_done MFC after: 1 day
* Check crypto driver capabilities and if the driver operates synchronouslysam2003-06-271-0/+18
| | | | | | | mark crypto requests with ``callback immediately'' to avoid doing a context switch to return crypto results. This completes the work to eliminate context switches for using software crypto via the crypto subsystem (with symmetric crypto ops).
* o add a CRYPTO_F_CBIMM flag to symmetric ops to indicate the callbacksam2003-02-231-1/+1
| | | | | | | | | | | | | | | | | | should be done in crypto_done rather than in the callback thread o use this flag to mark operations from /dev/crypto since the callback routine just does a wakeup; this eliminates the last unneeded ctx switch o change CRYPTO_F_NODELAY to CRYPTO_F_BATCH with an inverted meaning so "0" becomes the default/desired setting (needed for user-mode compatibility with openbsd) o change crypto_dispatch to honor CRYPTO_F_BATCH instead of always dispatching immediately o remove uses of CRYPTO_F_NODELAY o define COP_F_BATCH for ops submitted through /dev/crypto and pass this on to the op that is submitted Similar changes and more eventually coming for asymmetric ops. MFC if re gives approval.
* Back out M_* changes, per decision of the TRB.imp2003-02-191-1/+1
| | | | Approved by: trb
* Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.alfred2003-01-211-1/+1
| | | | Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
* "Fast IPsec": this is an experimental IPsec implementation that is derivedsam2002-10-161-0/+966
from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather differet while the SADB and policy management code is very similar to KAME (for the moment). Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system. This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system. Obtained from: KAME + openbsd Supported by: Vernier Networks
OpenPOWER on IntegriCloud