| Commit message (Collapse) | Author | Age | Files | Lines |
|
IPSEC_SPLASSERT_SOFTNET which has been 'unused' since FreeBSD 5.0.
|
Reviewed By: bz
|
the hard lifetime instead.
MFC after: 3 days
|
In case of "new SA", we must check the hard lifetime of the old SA
to find out if it is not permanent and we can delete it.
Submitted by: sakane via gnn
MFC after: 3 days
|
Not noticed by tb as TCP_SIGNATURE is not in LINT.
MFC after: 1 month
|
after each SYSINIT() macro invocation. This makes a number of
lightweight C parsers much happier with the FreeBSD kernel
source, including cflow's prcc and lxr.
MFC after: 1 month
Discussed with: imp, rink
|
In that case return and continue processing the packet without IPsec.
PR: 121384
MFC after: 5 days
Reported by: Cyrus Rahman (crahman gmail.com)
Tested by: Cyrus Rahman (crahman gmail.com) [slightly older version]
|
"Fast IPsec: Initialized Security Association Processing." printf.
People kept asking questions about this after the IPsec shuffle.
This still is the Fast IPsec implementation so no worries that it would
be any slower now. There are no functional changes.
Discussed with: sam
MFC after: 4 days
|
soft lifetime [1] introduced in rev. 1.21 of key.c.
Along with that, fix a related problem in key_debug
printing the correct data.
While there replace a printf by panic in a sanity check.
PR: 120751
Submitted by: Kazuaki ODA (kazuaki aliceblue.jp) [1]
MFC after: 5 days
|
ipsec*_set_policy and do the privilege check only if needed.
Try to assimilate both ip*_ctloutput code blocks calling ipsec*_set_policy.
Reviewed by: rwatson
|
bpf will see inner and outer headers or just inner or outer
headers for incoming and outgoing IPsec packets.
This is useful in bpf to not have over long lines for debugging
or selecting packets based on the inner headers.
It also properly defines the behavior of what the firewalls see.
Last but not least it gives you if_enc(4) for IPv6 as well.
[ As some auxiliary state was not available in the later
input path we save it in the tdbi. That way tcpdump can give a
consistent view of either of (authentic,confidential) for both
before and after states. ]
Discussed with: thompsa (2007-04-25, basic idea of unifying paths)
Reviewed by: thompsa, gnn
|
Make clear that this is not a good idea when called from
tcp_output()->ipsec_hdrsiz_tcp()->ipsec4_hdrsize_tcp()
as we do not know if IPsec processing is needed at that point.
|
In case attach fails because of the priv check we leaked the
memory and left so_pcb as fodder for invariants.
Reported by: Pawel Worach
Reviewed by: rwatson
|
from messing with the spdb and sadb.
Problem sneaked in with the fast_ipsec+v6->ipsec merger by no
longer going via raw_usrreqs.pr_attach.
Reported by: Pawel Worach
Identified by: rwatson
Reviewed by: rwatson
MFC after: 3 days
|
The control input routine passes a NULL as its void argument when it
has reached the innermost header, which terminates the loop.
Reported by: Pawel Worach <pawel.worach@gmail.com>
Approved by: re
|
previously conditionally acquired Giant based on debug.mpsafenet. As that
has now been removed, they are no longer required. Removing them
significantly simplifies error-handling in the socket layer, eliminated
quite a bit of unwinding of locking in error cases.
While here clean up the now unneeded opt_net.h, which previously was used
for the NET_WITH_GIANT kernel option. Clean up some related gotos for
consistency.
Reviewed by: bz, csjp
Tested by: kris
Approved by: re (kensmith)
|
Approved by: re (hrs)
|
option is now deprecated, as well as the KAME IPsec code.
What was FAST_IPSEC is now IPSEC.
Approved by: re
Sponsored by: Secure Computing
|
This commit includes only the kernel files, the rest of the files
will follow in a second commit.
Reviewed by: bz
Approved by: re
Supported by: Secure Computing
|
check which was always true.
Document the special meaning of spi values of 0 and 1-255 with a comment.
Found with: Coverity Prevent(tm)
CID: 2047
|
'result' is still NULL and we do not need to free anything.
That allows us to gc the entire goto parts and a now unused variable.
Found with: Coverity Prevent(tm)
CID: 2519
|
do not continue with a NULL pointer. [1]
While here change the return of the error handling code path above.
I cannot see why we should always return 0 there. Neither does KAME
nor do we in here for the similar check in all the other functions.
Found with: Coverity Prevent(tm) [1]
CID: 2521
|
NULL before dereferencing the pointer.
Found with: Coverity Prevent(tm)
CID: 2528
|
without an mtag in ipsec4_common_input_cb.
So in case of !IPCOMP (AH,ESP) only change the m_tag_id if an mtag
was passed to ipsec4_common_input_cb.
Found with: Coverity Prevent(tm)
CID: 2523
|
No functional change.
|
handle, document those sprotos using an IPSEC_ASSERT so that it will
be clear that 'spi' will always be initialized when used the first time.
Found with: Coverity Prevent(tm)
CID: 2533
|
some cases, move to priv_check() if it was an operation on a thread and
no other flags were present.
Eliminate caller-side jail exception checking (also now-unused); jail
privilege exception code now goes solely in kern_jail.c.
We can't yet eliminate suser() due to some cases in the KAME code where
a privilege check is performed and then used in many different deferred
paths. Do, however, move those prototypes to priv.h.
Reviewed by: csjp
Obtained from: TrustedBSD Project
|
The same would apply to ipsec6_output_trans() but there is a larger patch
around which already corrected that case. Do not interfere with that one.
|
This is needed to make security policies work correctly if ICMPv6 type
and/or code are given. See setkey(8) 'upperspec' para. for details.
|
break;
so when comparing AF_INET6 addresses, scope and ports we do not run into
the default case and return 'no match' instead of 'match'.
|
and its bibliography.
Submitted by: Tomoyuki Okazaki <okazaki at kick dot gr dot jp>
MFC after: 1 month
|
priv_check().
|
o make all crypto drivers have a device_t; pseudo drivers like the s/w
crypto driver synthesize one
o change the api between the crypto subsystem and drivers to use kobj;
cryptodev_if.m defines this api
o use the fact that all crypto drivers now have a device_t to add support
for specifying which of several potential devices to use when doing
crypto operations
o add new ioctls that allow user apps to select a specific crypto device
to use (previous ioctls maintained for compatibility)
o overhaul crypto subsystem code to eliminate lots of cruft and hide
implementation details from drivers
o bring in numerous fixes from Michael Richardson/hifn; mostly for
795x parts
o add an optional mechanism for mmap'ing the hifn 795x public key h/w
to user space for use by openssl (not enabled by default)
o update crypto test tools to use new ioctl's and add cmd line options
to specify a device to use for tests
These changes will also enable much future work on improving the core
crypto subsystem; including proper load balancing and interposing code
between the core and drivers to dispatch small operations to the s/w
driver as appropriate.
These changes were instigated by the work of Michael Richardson.
Reviewed by: pjd
Approved by: re
|
This unbreaks the build for FAST_IPSEC && !INET6 and was wrong anyway.
Reported by: Dmitry Pryanishnikov <dmitry atlantis.dp.ua>
|
In ip6_sprintf no longer use and return one of eight static buffers
for printing/logging ipv6 addresses.
The caller now has to hand in a sufficiently large buffer as first
argument.
|
LINT due to a conflict with KAME IPSEC.
Submitted by: Pawel Worach <pawel dot worach at gmail dot com>
|
specific privilege names to a broad range of privileges. These may
require some future tweaking.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
Alex Lyashkov <umka at sevcity dot net>,
Skip Ford <skip dot ford at verizon dot net>,
Antoine Brodin <antoine dot brodin at laposte dot net>
|
function, pru_close, to notify protocols that the file descriptor or
other consumer of a socket is closing the socket. pru_abort is now a
notification of close also, and no longer detaches. pru_detach is no
longer used to notify of close, and will be called during socket
tear-down by sofree() when all references to a socket evaporate after
an earlier call to abort or close the socket. This means detach is now
an unconditional teardown of a socket, whereas previously sockets could
persist after detach of the protocol retained a reference.
This facilitates sharing mutexes between layers of the network stack as
the mutex is required during the checking and removal of references at
the head of sofree(). With this change, pru_detach can now assume that
the mutex will no longer be required by the socket layer after
completion, whereas before this was not necessarily true.
Reviewed by: gnn
|
- Compare pointer with NULL.
Reviewed by: rwatson
|
encryption. There are two functions, a bpf tap which has a basic header with
the SPI number which our current tcpdump knows how to display, and handoff to
pfil(9) for packet filtering.
Obtained from: OpenBSD
Based on: kern/94829
No objections: arch, net
MFC after: 1 month
|
This unbreaks compiling a kernel with FAST_IPSEC and no INET6.
|
doing that if we're not doing the rest of the work.
Submitted by: thompsa
MFC after: 1 week
|
"Why didn't he use SECASVAR_LOCK()/SECASVAR_UNLOCK() macros to
synchronize access to the secasvar structure's fields?" one may ask.
There were two reasons:
1. refcount(9) is faster than mutex(9) synchronization (one atomic
operation instead of two).
2. Those macros are not used now at all, so at some point we may decide
to remove them entirely.
OK'ed by: gnn
MFC after: 2 weeks
|
- Define that we want to receive only 96 bits of HMAC.
- Names of the structures no longer have the _96 suffix.
Reviewed by: sam
|
Requested by: sam, rwatson
|
net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with
the same sequence number. This allows to verify if the other side
has proper replay attacks detection.
net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with
corrupted HMAC. This allows to verify if the other side properly
detects modified packets.
I used the first one to discover that we don't have proper replay attacks
detection in ESP (in fast_ipsec(4)).
|