summaryrefslogtreecommitdiffstats
path: root/sys/netkey/key.c
Commit message (Collapse)AuthorAgeFilesLines
* Removing old, dead, KAME IPsec files as part of the move to thegnn2007-07-021-7647/+0
| | | | | | | new FAST_IPSEC based IPsec stack. Approved by: re Reviewed by: bz
* With exception of the if_name() macro, all definitions in net_osdep.hbrooks2006-08-041-2/+0
| | | | | | | | were unused or already in if_var.h so add if_name() to if_var.h and remove net_osdep.h along with all references to it. Longer term we may want to kill off if_name() entierly since all modern BSDs have if_xname variables rendering it unnecessicary.
* SADB_UPDATE did not return an error when key length is invalid.ume2005-08-221-2/+2
| | | | Obtained from: KAME
* fix build without option INET6.ume2005-07-301-0/+8
| | | | Reported by: Philip M. Gollucci <pgollucci__at__p6m7g8.com>
* scope cleanup. with this changeume2005-07-251-28/+35
| | | | | | | | | | | | | | | | | | | - most of the kernel code will not care about the actual encoding of scope zone IDs and won't touch "s6_addr16[1]" directly. - similarly, most of the kernel code will not care about link-local scoped addresses as a special case. - scope boundary check will be stricter. For example, the current *BSD code allows a packet with src=::1 and dst=(some global IPv6 address) to be sent outside of the node, if the application do: s = socket(AF_INET6); bind(s, "::1"); sendto(s, some_global_IPv6_addr); This is clearly wrong, since ::1 is only meaningful within a single node, but the current implementation of the *BSD kernel cannot reject this attempt. Submitted by: JINMEI Tatuya <jinmei__at__isl.rdc.toshiba.co.jp> Obtained from: KAME
* fixed an unexpected addr/port matching failure in IPv6 SA managementsuz2005-01-101-0/+1
| | | | | PR: kern/72393 MFC after: 3 days
* /* -> /*- for license, minor formatting changesimp2005-01-071-1/+1
|
* support TCP-MD5(IPv4) in KAME-IPSEC, too.suz2004-11-081-2/+26
| | | | MFC after: 3 week
* Merge netipsec/key.c:1.17 into KAME pfkey implementation:rwatson2004-09-301-5/+0
| | | | | | | | | | | | | | | date: 2004/09/26 02:01:27; author: sam; state: Exp; lines: +0 -5 Correct handling of SADB_UPDATE and SADB_ADD requests. key_align may split the mbuf due to use of m_pulldown. Discarding the result because of this does not make sense as no subsequent code depends on the entire msg being linearized (only the individual pieces). It's likely something else is wrong here but for now this appears to get things back to a working state. Submitted by: Roselyn Lee This change was also made in the KAME CVS repository as key.c:1.337 by itojun.
* The KAME IPSEC implementation at one point used its own pseudo-randomrwatson2004-09-021-22/+0
| | | | | | | | number generator, which was re-seeded via a timeout. Now centralized randomness/entropy is used, we can garbage collect the timeout and re-seeding code (which was largely a no-op). Discussed with: itojun, suz, JINMEI Tatuya < jinmei at isl dot rdc dot toshiba dot co dot jp >
* Diff reduce against KAME: minor white space synchronization to KAMErwatson2004-08-271-4/+4
| | | | tree.
* avoid duplicate free.ume2004-01-251-3/+3
| | | | | | | (though KAME doesn't decide how to fix it yet, I once commit it to be in time for 5.2.1-RELEASE.) Submitted by: itojun
* invalidate secpolicy pcb cache on key_timehandler. part ofume2004-01-141-0/+3
| | | | | | | http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> Reviewed by: itojun
* add missing key_freesp()s. part ofume2004-01-141-1/+4
| | | | | | | | | http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff with some modification. Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> Reviewed by: itojun Obtained from: KAME
* don't touch after free.ume2003-12-101-2/+3
|
* use callout_*() rather than timeout().ume2003-12-071-2/+5
|
* missing splx.ume2003-11-281-0/+1
| | | | | | | this is a NOOP change, and primarily merged for consistency with -STABLE. Approved by: re (rwatson)
* add sysctl MIB net.key.esp_auth which was wrongly droppedume2003-11-131-0/+6
| | | | during recent KAME merge.
* ipsec_esp_auth is unused when IPSEC_ESP is not defined.ume2003-11-111-0/+2
| | | | Reported by: Andre Oppermann <oppermann@pipeline.ch>
* - cleanup SP refcnt issue.ume2003-11-041-515/+652
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - share policy-on-socket for listening socket. - don't copy policy-on-socket at all. secpolicy no longer contain spidx, which saves a lot of memory. - deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb. - fixed the order of searching SA table for packets. - fixed to get a security association header. a mode is always needed to compare them. - fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. - disallow port spec for tunnel mode policy (as we don't reassemble). - an user can define a policy-id. - clear enc/auth key before freeing. - fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented imcopletely. - preparation for 64bit sequence number. - maintain ordered list of SA, based on SA id. - cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility. - cleanup, avoid double-loop. - use hash for spi-based lookup. - mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree. - u_short -> u_int16_t - reduce kernel stack usage by auto variable secasindex. - clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy. - avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *) - count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further. - When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code. - avoid from applying IPsec transport mode to the packets when the kernel forwards the packets. Tested by: nork Obtained from: KAME
* correct %d/%u mismatch.ume2003-11-021-7/+7
| | | | Obtained from: KAME
* cleanup secasvar management; refcnt is key.c responsibility;ume2003-11-021-66/+65
| | | | | | alloc/free is keydb.c responsibility. Obtained from: KAME
* mib name was changed by fixing a spelling.ume2003-10-281-1/+1
| | | | | | net.key.prefered_oldsa -> net.key.preferred_oldsa Obtained from: KAME
* drop the code of HAVE_NRL_INPCB part. our system doesn'tume2003-10-221-10/+0
| | | | use NRL style INPCB.
* Reduce diffs against KAME. No functional change.ume2003-09-301-15/+7
| | | | Obtained from: KAME
* Sync style and comments with latest KAME to reduce diffs.ume2003-09-301-71/+64
| | | | | | No functional change. Obtained from: KAME
* add /*CONSTCOND*/ to reduce diffs against latest KAME.ume2003-09-251-7/+7
| | | | Obtained from: KAME
* panic() doesn't need `\n'.ume2003-09-251-52/+52
| | | | Obtained from: KAME
* Use __FBSDID().obrien2003-06-111-1/+3
|
* Back out M_* changes, per decision of the TRB.imp2003-02-191-22/+22
| | | | Approved by: trb
* Comment out srandom():ache2003-02-051-1/+2
| | | | | 1) Already called in init_main.c:proc0_post() 2) Seed is bad
* Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.alfred2003-01-211-22/+22
| | | | Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
* Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,schweikh2003-01-011-4/+4
| | | | especially in troff files.
* - fixed the order of searching SA table for packets.ume2002-07-101-20/+47
| | | | | | | | - comment about deletion of SA that has not been used by reaching soft lifetime. Obtained from: KAME MFC after: 2 week
* pacify gcc-3.1's -Wunused checking.peter2002-05-241-1/+4
|
* Remove __P.alfred2002-03-201-111/+111
|
* missing splxume2002-03-011-0/+1
| | | | | Obtained from: KAME MFC after: 1 week
* (when new sa is preferred than old sa)ume2002-03-011-9/+9
| | | | | | | even if we fail to send pfkey message, remove the old sa. Obtained from: KAME MFC after: 1 week
* Fix warningspeter2002-02-281-7/+7
|
* Lock struct pgrp, session and sigio.tanimura2002-02-231-4/+14
| | | | | | | | | | | | | | | | | | | | | | | | | New locks are: - pgrpsess_lock which locks the whole pgrps and sessions, - pg_mtx which protects the pgrp members, and - s_mtx which protects the session members. Please refer to sys/proc.h for the coverage of these locks. Changes on the pgrp/session interface: - pgfind() needs the pgrpsess_lock held. - The caller of enterpgrp() is responsible to allocate a new pgrp and session. - Call enterthispgrp() in order to enter an existing pgrp. - pgsignal() requires a pgrp lock held. Reviewed by: jhb, alfred Tested on: cvsup.jp.FreeBSD.org (which is a quad-CPU machine running -current)
* Newer SA is prefered for a out-bound packet than old oneume2001-12-051-5/+85
| | | | | | | when net.key.prefered_oldsa is set to zero. Obtained from: KAME MFC after: 1 week
* Fixed the behavior when there is no inbound policy for the ipsecume2001-11-061-22/+0
| | | | | | | | | | | | | tunneled packet. When there is no suitable inbound policy for the packet of the ipsec tunnel mode, the kernel never decapsulate the tunneled packet as the ipsec tunnel mode even when the system wide policy is "none". Then the kernel leaves the generic tunnel module to process this packet. If there is no rule of the generic tunnel, the packet is rejected and the statistics will be counted up. Obtained from: KAME MFC after: 1 week
* - net.inet.ipsec.esp_auth hasn't been thereume2001-11-051-459/+217
| | | | | | | | | | | - nuke all debug printfs, which are unneeded by now. - get rid of #ifdef IPSEC_DEBUG in headers - now that key_debug_level is always defined, there's no need for #ifdef IPSEC_DEBUG around sysctl MIB code (net.key.debug). - switch all debug printf() to ipseclog(). Obtained from: KAME MFC after: 1 week
* Unbreak build without INET6.ume2001-11-031-0/+2
| | | | | Reported by: Christopher N . Harrell <cnh@netvmg.com> MFC after: 1 week
* System wide policy should be returned when no policy found in the SPD.ume2001-10-291-0/+26
| | | | | | | The packet was rejected in ipsec[46]_tunnel_validate(). Obtained from: KAME MFC after: 1 week
* Fixed the value of the prefixlen in the sadb_address structure.ume2001-10-221-8/+20
| | | | | | | When pfkey message relative to SA is sent, the prefixlen was incorrect. Obtained from: KAME MFC after: 1 week
* The behavior of SPDUPDATE has been changed.ume2001-10-171-10/+6
| | | | | | | | SPDUPDATE doesn't depend on whether there is a SP or not. This change makes `generate_policy on' of racoon work. Obtained from: KAME MFC after: 1 week
* printed current sequence number of the SA. accordingly, changedume2001-08-061-6/+9
| | | | | | | | into sadb_x_sa2_sequence from sadb_x_sa2_reserved3 in the sadb_x_sa2 structure. Also the output of setkey is changed. sequence number of the sadb is replaced to the end of the output. Obtained from: KAME
* do not play too much trick with evaluation order. from netbsdume2001-08-061-2/+2
| | | | Obtained from: KAME
* fixed to make a response in key_spdadd(). reported by <R.P.Koster@kpn.com>ume2001-08-061-2/+2
| | | | Obtained from: KAME
OpenPOWER on IntegriCloud