summaryrefslogtreecommitdiffstats
path: root/sys/netkey
Commit message (Collapse)AuthorAgeFilesLines
* In raw and raw-derived socket types, maintain and enforce invariant thatrwatson2006-04-011-2/+1
| | | | | | | the so_pcb pointer on the socket is always non-NULL. This eliminates countless unnecessary error checks, replacing them with assertions. MFC after: 3 months
* Chance protocol switch method pru_detach() so that it returns voidrwatson2006-04-011-14/+7
| | | | | | | | | | | | | | | | | | | | | | | | | rather than an error. Detaches do not "fail", they other occur or the protocol flags SS_PROTOREF to take ownership of the socket. soclose() no longer looks at so_pcb to see if it's NULL, relying entirely on the protocol to decide whether it's time to free the socket or not using SS_PROTOREF. so_pcb is now entirely owned and managed by the protocol code. Likewise, no longer test so_pcb in other socket functions, such as soreceive(), which have no business digging into protocol internals. Protocol detach routines no longer try to free the socket on detach, this is performed in the socket code if the protocol permits it. In rts_detach(), no longer test for rp != NULL in detach, and likewise in other protocols that don't permit a NULL so_pcb, reduce the incidence of testing for it during detach. netinet and netinet6 are not fully updated to this change, which will be in an upcoming commit. In their current state they may leak memory or panic. MFC after: 3 months
* Change protocol switch pru_abort() API so that it returns void ratherrwatson2006-04-011-6/+3
| | | | | | | | | | | | | | than an int, as an error here is not meaningful. Modify soabort() to unconditionally free the socket on the return of pru_abort(), and modify most protocols to no longer conditionally free the socket, since the caller will do this. This commit likely leaves parts of netinet and netinet6 in a situation where they may panic or leak memory, as they have not are not fully updated by this commit. This will be corrected shortly in followup commits to these components. MFC after: 3 months
* Fix stack corruptions on amd64.bz2006-01-212-15/+3
| | | | | | | | | | | | | | | | Vararg functions have a different calling convention than regular functions on amd64. Casting a varag function to a regular one to match the function pointer declaration will hide the varargs from the caller and we will end up with an incorrectly setup stack. Entirely remove the varargs from these functions and change the functions to match the declaration of the function pointers. Remove the now unnecessary casts. Lots of explanations and help from: peter Reviewed by: peter PR: amd64/89261 MFC after: 6 days
* Fix -Wundef from compiling the amd64 LINT.ru2005-12-041-1/+1
|
* Use sparse initializers for "struct domain" and "struct protosw",ru2005-11-091-8/+16
| | | | so they are easier to follow for the human being.
* Normalize a significant number of kernel malloc type names:rwatson2005-10-311-1/+1
| | | | | | | | | | | | | | | | | | | - Prefer '_' to ' ', as it results in more easily parsed results in memory monitoring tools such as vmstat. - Remove punctuation that is incompatible with using memory type names as file names, such as '/' characters. - Disambiguate some collisions by adding subsystem prefixes to some memory types. - Generally prefer lower case to upper case. - If the same type is defined in multiple architecture directories, attempt to use the same name in additional cases. Not all instances were caught in this change, so more work is required to finish this conversion. Similar changes are required for UMA zone names.
* SADB_UPDATE did not return an error when key length is invalid.ume2005-08-221-2/+2
| | | | Obtained from: KAME
* fix build without option INET6.ume2005-07-301-0/+8
| | | | Reported by: Philip M. Gollucci <pgollucci__at__p6m7g8.com>
* scope cleanup. with this changeume2005-07-251-28/+35
| | | | | | | | | | | | | | | | | | | - most of the kernel code will not care about the actual encoding of scope zone IDs and won't touch "s6_addr16[1]" directly. - similarly, most of the kernel code will not care about link-local scoped addresses as a special case. - scope boundary check will be stricter. For example, the current *BSD code allows a packet with src=::1 and dst=(some global IPv6 address) to be sent outside of the node, if the application do: s = socket(AF_INET6); bind(s, "::1"); sendto(s, some_global_IPv6_addr); This is clearly wrong, since ::1 is only meaningful within a single node, but the current implementation of the *BSD kernel cannot reject this attempt. Submitted by: JINMEI Tatuya <jinmei__at__isl.rdc.toshiba.co.jp> Obtained from: KAME
* fixed an unexpected addr/port matching failure in IPv6 SA managementsuz2005-01-101-0/+1
| | | | | PR: kern/72393 MFC after: 3 days
* /* -> /*- for license, minor formatting changesimp2005-01-079-9/+9
|
* support TCP-MD5(IPv4) in KAME-IPSEC, too.suz2004-11-083-2/+48
| | | | MFC after: 3 week
* Initialize struct pr_userreqs in new/sparse style and fill in commonphk2004-11-081-10/+10
| | | | | | default elements in net_init_domain(). This makes it possible to grep these structures and see any bogosities.
* Merge netipsec/key.c:1.17 into KAME pfkey implementation:rwatson2004-09-301-5/+0
| | | | | | | | | | | | | | | date: 2004/09/26 02:01:27; author: sam; state: Exp; lines: +0 -5 Correct handling of SADB_UPDATE and SADB_ADD requests. key_align may split the mbuf due to use of m_pulldown. Discarding the result because of this does not make sense as no subsequent code depends on the entire msg being linearized (only the individual pieces). It's likely something else is wrong here but for now this appears to get things back to a working state. Submitted by: Roselyn Lee This change was also made in the KAME CVS repository as key.c:1.337 by itojun.
* The KAME IPSEC implementation at one point used its own pseudo-randomrwatson2004-09-021-22/+0
| | | | | | | | number generator, which was re-seeded via a timeout. Now centralized randomness/entropy is used, we can garbage collect the timeout and re-seeding code (which was largely a no-op). Discussed with: itojun, suz, JINMEI Tatuya < jinmei at isl dot rdc dot toshiba dot co dot jp >
* Semi-gratuitous white space synchronization with KAME tree: to reducerwatson2004-08-271-10/+12
| | | | | | diffs against #ifdef'd version of IPSEC, use "struct thread *p" rather than "struct proc *p", fix some white space, and make some already inconsistent white space inconsiste differently.
* Diff reduce against KAME: minor white space synchronization to KAMErwatson2004-08-271-4/+4
| | | | tree.
* Merge next step in socket buffer locking:rwatson2004-06-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - sowakeup() now asserts the socket buffer lock on entry. Move the call to KNOTE higher in sowakeup() so that it is made with the socket buffer lock held for consistency with other calls. Release the socket buffer lock prior to calling into pgsigio(), so_upcall(), or aio_swake(). Locking for this event management will need revisiting in the future, but this model avoids lock order reversals when upcalls into other subsystems result in socket/socket buffer operations. Assert that the socket buffer lock is not held at the end of the function. - Wrapper macros for sowakeup(), sorwakeup() and sowwakeup(), now have _locked versions which assert the socket buffer lock on entry. If a wakeup is required by sb_notify(), invoke sowakeup(); otherwise, unconditionally release the socket buffer lock. This results in the socket buffer lock being released whether a wakeup is required or not. - Break out socantsendmore() into socantsendmore_locked() that asserts the socket buffer lock. socantsendmore() unconditionally locks the socket buffer before calling socantsendmore_locked(). Note that both functions return with the socket buffer unlocked as socantsendmore_locked() calls sowwakeup_locked() which has the same properties. Assert that the socket buffer is unlocked on return. - Break out socantrcvmore() into socantrcvmore_locked() that asserts the socket buffer lock. socantrcvmore() unconditionally locks the socket buffer before calling socantrcvmore_locked(). Note that both functions return with the socket buffer unlocked as socantrcvmore_locked() calls sorwakeup_locked() which has similar properties. Assert that the socket buffer is unlocked on return. - Break out sbrelease() into a sbrelease_locked() that asserts the socket buffer lock. sbrelease() unconditionally locks the socket buffer before calling sbrelease_locked(). sbrelease_locked() now invokes sbflush_locked() instead of sbflush(). - Assert the socket buffer lock in socket buffer sanity check functions sblastrecordchk(), sblastmbufchk(). - Assert the socket buffer lock in SBLINKRECORD(). - Break out various sbappend() functions into sbappend_locked() (and variations on that name) that assert the socket buffer lock. The !_locked() variations unconditionally lock the socket buffer before calling their _locked counterparts. Internally, make sure to call _locked() support routines, etc, if already holding the socket buffer lock. - Break out sbinsertoob() into sbinsertoob_locked() that asserts the socket buffer lock. sbinsertoob() unconditionally locks the socket buffer before calling sbinsertoob_locked(). - Break out sbflush() into sbflush_locked() that asserts the socket buffer lock. sbflush() unconditionally locks the socket buffer before calling sbflush_locked(). Update panic strings for new function names. - Break out sbdrop() into sbdrop_locked() that asserts the socket buffer lock. sbdrop() unconditionally locks the socket buffer before calling sbdrop_locked(). - Break out sbdroprecord() into sbdroprecord_locked() that asserts the socket buffer lock. sbdroprecord() unconditionally locks the socket buffer before calling sbdroprecord_locked(). - sofree() now calls socantsendmore_locked() and re-acquires the socket buffer lock on return. It also now calls sbrelease_locked(). - sorflush() now calls socantrcvmore_locked() and re-acquires the socket buffer lock on return. Clean up/mess up other behavior in sorflush() relating to the temporary stack copy of the socket buffer used with dom_dispose by more properly initializing the temporary copy, and selectively bzeroing/copying more carefully to prevent WITNESS from getting confused by improperly initialized mutexes. Annotate why that's necessary, or at least, needed. - soisconnected() now calls sbdrop_locked() before unlocking the socket buffer to avoid locking overhead. Some parts of this change were: Submitted by: sam Sponsored by: FreeBSD Foundation Obtained from: BSD/OS
* avoid duplicate free.ume2004-01-251-3/+3
| | | | | | | (though KAME doesn't decide how to fix it yet, I once commit it to be in time for 5.2.1-RELEASE.) Submitted by: itojun
* invalidate secpolicy pcb cache on key_timehandler. part ofume2004-01-141-0/+3
| | | | | | | http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> Reviewed by: itojun
* add missing key_freesp()s. part ofume2004-01-141-1/+4
| | | | | | | | | http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff with some modification. Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> Reviewed by: itojun Obtained from: KAME
* don't touch after free.ume2003-12-101-2/+3
|
* use callout_*() rather than timeout().ume2003-12-071-2/+5
|
* missing splx.ume2003-11-281-0/+1
| | | | | | | this is a NOOP change, and primarily merged for consistency with -STABLE. Approved by: re (rwatson)
* Introduce a MAC label reference in 'struct inpcb', which cachesrwatson2003-11-181-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer. This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check. For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update. Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy. Reviewed by: sam, bms Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
* add sysctl MIB net.key.esp_auth which was wrongly droppedume2003-11-131-0/+6
| | | | during recent KAME merge.
* ipsec_esp_auth is unused when IPSEC_ESP is not defined.ume2003-11-111-0/+2
| | | | Reported by: Andre Oppermann <oppermann@pipeline.ch>
* - cleanup SP refcnt issue.ume2003-11-045-544/+771
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - share policy-on-socket for listening socket. - don't copy policy-on-socket at all. secpolicy no longer contain spidx, which saves a lot of memory. - deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb. - fixed the order of searching SA table for packets. - fixed to get a security association header. a mode is always needed to compare them. - fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. - disallow port spec for tunnel mode policy (as we don't reassemble). - an user can define a policy-id. - clear enc/auth key before freeing. - fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented imcopletely. - preparation for 64bit sequence number. - maintain ordered list of SA, based on SA id. - cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility. - cleanup, avoid double-loop. - use hash for spi-based lookup. - mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree. - u_short -> u_int16_t - reduce kernel stack usage by auto variable secasindex. - clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy. - avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *) - count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further. - When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code. - avoid from applying IPsec transport mode to the packets when the kernel forwards the packets. Tested by: nork Obtained from: KAME
* correct %d/%u mismatch.ume2003-11-022-11/+11
| | | | Obtained from: KAME
* exit(3) with negative value does not make sense'ume2003-11-021-1/+1
| | | | Obtained from: KAME
* make debugging with "setkey -x" a lot easier.ume2003-11-021-4/+97
| | | | Obtained from: KAME
* cleanup secasvar management; refcnt is key.c responsibility;ume2003-11-023-99/+66
| | | | | | alloc/free is keydb.c responsibility. Obtained from: KAME
* - do not quit from key_sendup() even if writes to non-targetume2003-11-022-95/+10
| | | | | | | | | socket fails. - remove an unneeded function. - fix pfkey stat. - fix comment. Obtained from: KAME
* mib name was changed by fixing a spelling.ume2003-10-281-1/+1
| | | | | | net.key.prefered_oldsa -> net.key.preferred_oldsa Obtained from: KAME
* drop the code of HAVE_NRL_INPCB part. our system doesn'tume2003-10-221-10/+0
| | | | use NRL style INPCB.
* nuke unused ICMPV6CTL_NAMES and KEYCTL_NAMES macros.ume2003-10-071-17/+1
|
* Reduce diffs against KAME. No functional change.ume2003-09-301-15/+7
| | | | Obtained from: KAME
* Reduce diffs against KAME. No functional change.ume2003-09-302-9/+4
| | | | Obtained from: KAME
* Sync style and comments with latest KAME to reduce diffs.ume2003-09-301-71/+64
| | | | | | No functional change. Obtained from: KAME
* add /*CONSTCOND*/ to reduce diffs against latest KAME.ume2003-09-252-8/+8
| | | | Obtained from: KAME
* panic() doesn't need `\n'.ume2003-09-253-72/+72
| | | | Obtained from: KAME
* Use __FBSDID().obrien2003-06-114-4/+12
|
* Introduce an M_ASSERTPKTHDR() macro which performs the very common taskdes2003-04-081-2/+1
| | | | | | | of asserting that an mbuf has a packet header. Use it instead of hand- rolled versions wherever applicable. Submitted by: Hiten Pandya <hiten@unixdaemons.com>
* Back out M_* changes, per decision of the TRB.imp2003-02-192-27/+27
| | | | Approved by: trb
* Comment out srandom():ache2003-02-051-1/+2
| | | | | 1) Already called in init_main.c:proc0_post() 2) Seed is bad
* Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.alfred2003-01-212-27/+27
| | | | Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
* "struct route" is not sufficient. NetBSD PR 18751ume2003-01-082-1/+6
| | | | | Obtained from: KAME MFC after: 1 days
* Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,schweikh2003-01-011-4/+4
| | | | especially in troff files.
* o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} andbmilekic2002-12-191-1/+1
| | | | | | | | | | the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}. o Fix a bpf_compat issue where malloc() was defined to just call bpf_alloc() and pass the 'canwait' flag(s) along. It's been changed to call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT flag (and only one of those two). Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
OpenPOWER on IntegriCloud