| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
MFC after: 3 week
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
date: 2004/09/26 02:01:27; author: sam; state: Exp; lines: +0 -5
Correct handling of SADB_UPDATE and SADB_ADD requests. key_align may
split the mbuf due to use of m_pulldown. Discarding the result because
of this does not make sense as no subsequent code depends on the entire
msg being linearized (only the individual pieces). It's likely
something else is wrong here but for now this appears to get things back
to a working state.
Submitted by: Roselyn Lee
This change was also made in the KAME CVS repository as key.c:1.337 by
itojun.
|
|
|
|
|
|
|
|
| |
number generator, which was re-seeded via a timeout. Now centralized
randomness/entropy is used, we can garbage collect the timeout and
re-seeding code (which was largely a no-op).
Discussed with: itojun, suz, JINMEI Tatuya < jinmei at isl dot rdc dot toshiba dot co dot jp >
|
|
|
|
| |
tree.
|
|
|
|
|
|
|
| |
(though KAME doesn't decide how to fix it yet, I once commit it
to be in time for 5.2.1-RELEASE.)
Submitted by: itojun
|
|
|
|
|
|
|
| |
http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Reviewed by: itojun
|
|
|
|
|
|
|
|
|
| |
http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
with some modification.
Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Reviewed by: itojun
Obtained from: KAME
|
| |
|
| |
|
|
|
|
|
|
|
| |
this is a NOOP change, and primarily merged for consistency with
-STABLE.
Approved by: re (rwatson)
|
|
|
|
| |
during recent KAME merge.
|
|
|
|
| |
Reported by: Andre Oppermann <oppermann@pipeline.ch>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all. secpolicy no longer contain
spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy. assign ID field to
all SPD entries. make it possible for racoon to grab SPD entry on
pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header. a mode is always needed
to compare them.
- fixed that the incorrect time was set to
sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
XXX in theory refcnt should do the right thing, however, we have
"spdflush" which would touch all SPs. another solution would be to
de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion. ipsec_*_policy ->
ipsec_*_pcbpolicy.
- avoid variable name confusion.
(struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
"src" of the spidx specifies ICMP type, and the port field in "dst"
of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
kernel forwards the packets.
Tested by: nork
Obtained from: KAME
|
|
|
|
| |
Obtained from: KAME
|
|
|
|
|
|
| |
alloc/free is keydb.c responsibility.
Obtained from: KAME
|
|
|
|
|
|
| |
net.key.prefered_oldsa -> net.key.preferred_oldsa
Obtained from: KAME
|
|
|
|
| |
use NRL style INPCB.
|
|
|
|
| |
Obtained from: KAME
|
|
|
|
|
|
| |
No functional change.
Obtained from: KAME
|
|
|
|
| |
Obtained from: KAME
|
|
|
|
| |
Obtained from: KAME
|
| |
|
|
|
|
| |
Approved by: trb
|
|
|
|
|
| |
1) Already called in init_main.c:proc0_post()
2) Seed is bad
|
|
|
|
| |
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
|
|
|
| |
especially in troff files.
|
|
|
|
|
|
|
|
| |
- comment about deletion of SA that has not been used by reaching
soft lifetime.
Obtained from: KAME
MFC after: 2 week
|
| |
|
| |
|
|
|
|
|
| |
Obtained from: KAME
MFC after: 1 week
|
|
|
|
|
|
|
| |
even if we fail to send pfkey message, remove the old sa.
Obtained from: KAME
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New locks are:
- pgrpsess_lock which locks the whole pgrps and sessions,
- pg_mtx which protects the pgrp members, and
- s_mtx which protects the session members.
Please refer to sys/proc.h for the coverage of these locks.
Changes on the pgrp/session interface:
- pgfind() needs the pgrpsess_lock held.
- The caller of enterpgrp() is responsible to allocate a new pgrp and
session.
- Call enterthispgrp() in order to enter an existing pgrp.
- pgsignal() requires a pgrp lock held.
Reviewed by: jhb, alfred
Tested on: cvsup.jp.FreeBSD.org
(which is a quad-CPU machine running -current)
|
|
|
|
|
|
|
| |
when net.key.prefered_oldsa is set to zero.
Obtained from: KAME
MFC after: 1 week
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tunneled packet.
When there is no suitable inbound policy for the packet of the ipsec
tunnel mode, the kernel never decapsulate the tunneled packet
as the ipsec tunnel mode even when the system wide policy is "none".
Then the kernel leaves the generic tunnel module to process this
packet. If there is no rule of the generic tunnel, the packet
is rejected and the statistics will be counted up.
Obtained from: KAME
MFC after: 1 week
|
|
|
|
|
|
|
|
|
|
|
| |
- nuke all debug printfs, which are unneeded by now.
- get rid of #ifdef IPSEC_DEBUG in headers
- now that key_debug_level is always defined, there's no need for
#ifdef IPSEC_DEBUG around sysctl MIB code (net.key.debug).
- switch all debug printf() to ipseclog().
Obtained from: KAME
MFC after: 1 week
|
|
|
|
|
| |
Reported by: Christopher N . Harrell <cnh@netvmg.com>
MFC after: 1 week
|
|
|
|
|
|
|
| |
The packet was rejected in ipsec[46]_tunnel_validate().
Obtained from: KAME
MFC after: 1 week
|
|
|
|
|
|
|
| |
When pfkey message relative to SA is sent, the prefixlen was incorrect.
Obtained from: KAME
MFC after: 1 week
|
|
|
|
|
|
|
|
| |
SPDUPDATE doesn't depend on whether there is a SP or not.
This change makes `generate_policy on' of racoon work.
Obtained from: KAME
MFC after: 1 week
|
|
|
|
|
|
|
|
| |
into sadb_x_sa2_sequence from sadb_x_sa2_reserved3 in the sadb_x_sa2
structure. Also the output of setkey is changed. sequence number
of the sadb is replaced to the end of the output.
Obtained from: KAME
|
|
|
|
| |
Obtained from: KAME
|
|
|
|
| |
Obtained from: KAME
|
|
|
|
| |
Obtained from: KAME
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.
TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.
Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks
|
|
|
|
|
|
| |
key_acquire() does not require a secpolicy structure.
Obtained from: KAME
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
because it only takes a struct tag which makes it impossible to
use unions, typedefs etc.
Define __offsetof() in <machine/ansi.h>
Define offsetof() in terms of __offsetof() in <stddef.h> and <sys/types.h>
Remove myriad of local offsetof() definitions.
Remove includes of <stddef.h> in kernel code.
NB: Kernelcode should *never* include from /usr/include !
Make <sys/queue.h> include <machine/ansi.h> to avoid polluting the API.
Deprecate <struct.h> with a warning. The warning turns into an error on
01-12-2000 and the file gets removed entirely on 01-01-2001.
Paritials reviews by: various.
Significant brucifications by: bde
|