path: root/sys/net/pfkeyv2.c
Commit log. Each entry gives the commit message, then (author, date, files changed, lines removed/added).
...
* PFKEY version 2 is the only pfkey version supported. No need for extra
  abstraction. First step of making PF_KEY a bit more like PF_ROUTE. OK mpi@
  (claudio, 2017-05-29, 1 file, -5/+141)
* Push the NET_LOCK down into PF_KEY so that it can be treated like PF_ROUTE.
  Only pfkeyv2_send() needs the NET_LOCK() so grab it at the start and release
  at the end. This should allow pushing the locks down in other places.
  OK mpi@, bluhm@
  (claudio, 2017-05-27, 1 file, -4/+5)
* There is only one version of pfkey in OpenBSD and this will not change any
  time soon so remove all the code to support multiple pfkey versions. OK mpi@
  (claudio, 2017-05-26, 1 file, -27/+1)
* Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().
  ok visa@
  (mpi, 2017-05-16, 1 file, -4/+4)
* Expand SA_LEN(), there is no benefit for using the macro in the
  kernel. It was only used in IPsec sources. No binary change. OK deraadt@
  (bluhm, 2017-05-05, 1 file, -14/+14)
* Depending on the addresses, ipsecctl(8) automatically groups sa
  bundles together. Extend the kernel interface to export the bundle
  information to userland. Then ipsecctl -ss -v can show the internal
  relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused by
  SADB_X_GRPSPIS, so it cannot be used to transfer the second sa type with
  sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it consistently.
  OK hshoexer@ markus@
  (bluhm, 2017-02-28, 1 file, -2/+18)
* Avoid some casts by using the sa field of union sockaddr_union.
  OK millert@
  (bluhm, 2017-02-24, 1 file, -19/+17)
* Replace two recursive splsoftnet()/splx() dances with a splsoftassert().
  ok mikeb@, bluhm@
  (mpi, 2017-02-14, 1 file, -6/+4)
* A space here, a space there. Soon we're talking real whitespace
  rectification.
  (krw, 2017-01-24, 1 file, -10/+10)
* Remove recursive splsoftnet() but use splsoftassert() instead.
  Tested by Hrvoje Popovski, ok bluhm@
  (mpi, 2017-01-13, 1 file, -60/+19)
* all pools have their ipl set via pool_setipl, so fold it into pool_init.
  the ioff argument to pool_init() is unused and has been for many years, so
  this replaces it with an ipl argument. because the ipl will be set on init
  we no longer need pool_setipl.
  most of these changes have been done with coccinelle using the spatch
  below. cocci sucks at formatting code though, so i fixed that by hand.
  the manpage and subr_pool.c bits i did myself.
  ok tedu@ jmatthew@

      @ipl@
      expression pp;
      expression ipl;
      expression s, a, o, f, m, p;
      @@
      -pool_init(pp, s, a, o, f, m, p);
      -pool_setipl(pp, ipl);
      +pool_init(pp, s, a, ipl, f, m, p);

  (dlg, 2016-09-15, 1 file, -4/+3)
* pool_setipl
  ok markus@
  (dlg, 2016-08-30, 1 file, -1/+2)
* Remove plain DES encryption from IPsec.
  DES is insecure since brute force attacks are practical due to its short
  key length. This removes support for DES-CBC encryption in ESP and in IKE
  main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
  ok mikeb@
  (naddy, 2015-12-09, 1 file, -7/+1)
* manage spd entries by using the radix api directly instead of
  reaching around through the routing table
  original diff by myself, much improved by mikeb@ and mpi@
  ok and testing mikeb@ mpi@
  (blambert, 2015-07-17, 1 file, -43/+30)
* introduce ipsec-id bundles and use them for ipsecflowinfo,
  fixes rekeying for l2tp/ipsec against multiple windows clients and
  saves memory (for many SAs to same peers); feedback and ok mikeb@
  (markus, 2015-05-23, 1 file, -82/+37)
* remove unfinished/unused support for socket-attached ipsec-policies
  ok mikeb
  (markus, 2015-04-16, 1 file, -11/+2)
* change {import,export}_identity so it can be used for policies; ok mikeb
  (fixes sadb_ident_type conversion for policies)
  (markus, 2015-04-16, 1 file, -62/+17)
* Remove support for storing credentials and auth information in the kernel.
  This code is largely unfinished and is not used for anything. The change
  leaves identities as the only objects referenced by ipsec_ref structure and
  their handling requires some changes to support more advanced matching of
  IPsec connections. No objections from reyk and hshoexer, with an OK from
  markus.
  (mikeb, 2015-04-14, 1 file, -99/+1)
* Now that if_input() set the receiving interface pointer on mbufs for us
  there's no need to do it in m_devget(9). Not passing an ``ifp'' will help
  for the upcoming interface pointer -> index conversion. While here remove
  unused ``ifp'' argument from m_clget(9) and kill two birds^W layer
  violations in one commit. ok henning@
  (mpi, 2015-04-13, 1 file, -2/+2)
* Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
  ok markus, hshoexer
  (mikeb, 2015-03-26, 1 file, -16/+2)
* unifdef INET in net code as a precursor to removing the pretend option.
  long live the one true internet. ok henning mikeb
  (tedu, 2014-12-19, 1 file, -21/+1)
* The proliferation of "struct route" in all its flavors didn't do
  any good to our network stack. The most visible effect is the maze of
  #ifdef's and casts. But the real problem is the very fragile way of
  checking if a (cached) route entry is still valid or not. What should we
  do if the route jumped to another ifaddr or if its gateway has been
  changed? This change starts the dance of "struct route" & friends removal
  by sending the completely useless "struct route_enc" to the bucket.
  Tweak & ok claudio@
  (mpi, 2014-11-25, 1 file, -13/+7)
* Rename rtalloc1() into rtalloc(9) and convert its flags to only enable
  functionality instead of a mix of enable/disable.
  ok bluhm@, jca@
  (mpi, 2014-11-01, 1 file, -3/+3)
* Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
  kill the macro.
  ok mikeb@, henning@
  (mpi, 2014-10-14, 1 file, -2/+2)
* Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
  rely on "struct route" that should die.
  ok claudio@
  (mpi, 2014-09-27, 1 file, -2/+3)
* add a size argument to free. will be used soon, but for now default to 0.
  after discussions with beck deraadt kettenis.
  (tedu, 2014-07-12, 1 file, -12/+12)
* Perform manual malloc/free of a large object in pfkeyv2_send() to
  reduce stack space requirements. ok mikeb mpi
  (deraadt, 2014-01-08, 1 file, -12/+19)
* get rid of the copy argument in m_devget that let you provide an
  alternative to bcopy since no one uses it. while there use memcpy instead
  of bcopy because we know the memory cannot overlap.
  ok henning@ matthew@ mikeb@ deraadt@
  (dlg, 2013-08-21, 1 file, -2/+2)
* re-arrange the pre-accounting of the objects in the buffer so it
  is clearer; ok sthen
  (deraadt, 2013-03-09, 1 file, -12/+12)
* Reserve space for source and destination addresses unconditionally rather
  than checking if they're zero - export_address() is always called for
  these. Fixes memory corruption when doing ipsecctl -ssa with md5sig.
  Debugging hints from deraadt@, ok kettenis@ deraadt@
  (sthen, 2013-02-26, 1 file, -6/+3)
* change the malloc(9) flags from M_DONTWAIT to M_NOWAIT; OK millert@
  (gsoares, 2012-12-28, 1 file, -15/+15)
* add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys)
  are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
  (markus, 2012-09-26, 1 file, -7/+10)
* spltdb() was really just #define'd to be splsoftnet(); replace the former
  with the latter
  no change in md5 checksum of generated files
  ok claudio@ henning@
  (blambert, 2012-09-20, 1 file, -13/+13)
* pfkey needs some p_p->ps_pid too. OK deraadt@ guenther@
  (claudio, 2012-03-28, 1 file, -3/+3)
* Never include SADB_X_EXT_REMOTE_AUTH (which is either a
  passphrase or an RSA key) in the reply message. There's nothing that
  justifies this behavior and the PF_KEY RFC prefers to exclude keys and
  other sensitive material from replies. Discussed with reyk, no objections
  from deraadt.
  (mikeb, 2011-01-12, 1 file, -1/+3)
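Three entries in this log touch the same handling of a PF_KEY message: reserving buffer space for every address extension before the copy rather than on a per-field guess (sthen, 2013-02-26, the memory corruption fix), clearing copied messages that still carry keys (markus, 2012-09-26, M_ZEROIZE), and leaving SADB_X_EXT_REMOTE_AUTH out of replies (mikeb, 2011-01-12). The block below is an added, user-space C model of those three steps and is not code from pfkeyv2.c or from OpenBSD. It uses the RFC 2367 base-header and extension layout with the RFC's extension numbers; the numeric value given to SADB_X_EXT_REMOTE_AUTH is an assumed placeholder, and the pfkey_* functions are example names. A receiver-side length check is included because walking extensions by sadb_ext_len without it is the classic way such a parser loops or reads past the buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* User-space model of the PF_KEY v2 wire format (RFC 2367): base header, then
 * extensions, all lengths in 8-byte units. Extension numbers are the RFC's. */
#define PF_KEY_V2 2
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define SADB_EXT_KEY_AUTH 8
#define SADB_EXT_KEY_ENCRYPT 9
#define SADB_X_EXT_REMOTE_AUTH 200 /* OpenBSD's own; assumed placeholder value */

struct sadb_msg { uint8_t sadb_msg_version, sadb_msg_type, sadb_msg_errno,
    sadb_msg_satype; uint16_t sadb_msg_len, sadb_msg_reserved; /* len: total / 8 */
    uint32_t sadb_msg_seq, sadb_msg_pid; };
struct sadb_ext { uint16_t sadb_ext_len, sadb_ext_type; }; /* len: this ext / 8 */
struct ext_in { uint16_t type; const void *data; size_t len; }; /* one to emit */
static size_t pad8(size_t n) { return (n + 7) & ~(size_t)7; }

/* Two passes: account for every extension (addresses included) first, then
 * allocate exactly that and copy. NULL if the total overflows sadb_msg_len. */
uint8_t *pfkey_msg_build(uint8_t type, const struct ext_in *exts, size_t n,
    size_t *outlen)
{
	size_t need = sizeof(struct sadb_msg), off = need;
	for (size_t i = 0; i < n; i++)
		need += pad8(sizeof(struct sadb_ext) + exts[i].len);
	uint8_t *buf = need / 8 > UINT16_MAX ? NULL : calloc(1, need); /* zeroed padding */
	if (buf == NULL)
		return NULL;
	struct sadb_msg *m = (struct sadb_msg *)buf;
	m->sadb_msg_version = PF_KEY_V2;
	m->sadb_msg_type = type;
	m->sadb_msg_len = (uint16_t)(need / 8);
	for (size_t i = 0; i < n; i++) {
		struct sadb_ext *e = (struct sadb_ext *)(buf + off);
		size_t elen = pad8(sizeof(*e) + exts[i].len);
		e->sadb_ext_len = (uint16_t)(elen / 8);
		e->sadb_ext_type = exts[i].type;
		memcpy(e + 1, exts[i].data, exts[i].len);
		off += elen;
	}
	*outlen = off;
	return buf;
}

/* Receiver check before trusting any sadb_ext_len: each extension must be at
 * least a header long and end inside the message. Returns 1 if well-formed. */
int pfkey_msg_check(const uint8_t *buf, size_t len)
{
	const struct sadb_msg *m = (const struct sadb_msg *)buf;
	if (len < sizeof(*m) || len % 8 || m->sadb_msg_version != PF_KEY_V2 ||
	    (size_t)m->sadb_msg_len * 8 != len)
		return 0;
	for (size_t off = sizeof(*m); off < len;) {
		const struct sadb_ext *e = (const struct sadb_ext *)(buf + off);
		size_t elen = (size_t)e->sadb_ext_len * 8;
		if (elen < sizeof(*e) || elen > len - off) /* 0 would loop forever */
			return 0;
		off += elen;
	}
	return 1;
}

/* First extension of a type, or NULL. Only for messages that passed the check. */
const struct sadb_ext *pfkey_find_ext(const uint8_t *buf, size_t len, uint16_t type)
{
	for (const uint8_t *p = buf + sizeof(struct sadb_msg); p < buf + len;
	    p += ((const struct sadb_ext *)p)->sadb_ext_len * 8)
		if (((const struct sadb_ext *)p)->sadb_ext_type == type)
			return (const struct sadb_ext *)p;
	return NULL;
}

/* The copy that goes back to listeners: every extension except key material,
 * sadb_msg_len fixed up; the request, which still holds the keys, is then
 * wiped with volatile stores the compiler cannot drop as a dead memset. */
uint8_t *pfkey_reply_copy(uint8_t *req, size_t len, size_t *outlen)
{
	uint8_t *out = pfkey_msg_check(req, len) ? calloc(1, len) : NULL;
	if (out == NULL)
		return NULL;
	size_t o = sizeof(struct sadb_msg);
	memcpy(out, req, o);
	for (size_t in = o; in < len;) {
		const struct sadb_ext *e = (const struct sadb_ext *)(req + in);
		size_t elen = (size_t)e->sadb_ext_len * 8;
		if (e->sadb_ext_type != SADB_EXT_KEY_AUTH &&
		    e->sadb_ext_type != SADB_EXT_KEY_ENCRYPT &&
		    e->sadb_ext_type != SADB_X_EXT_REMOTE_AUTH) {
			memcpy(out + o, req + in, elen);
			o += elen;
		}
		in += elen;
	}
	((struct sadb_msg *)out)->sadb_msg_len = (uint16_t)(o / 8);
	for (volatile uint8_t *v = req; v < req + len; v++)
		*v = 0;
	*outlen = o;
	return out;
}
```

On a constructed SADB_ADD carrying two 4-byte addresses and a 16-byte SADB_EXT_KEY_ENCRYPT, pfkey_msg_build returns a 56-byte message (16-byte header, two 8-byte address extensions, one 24-byte key extension) and pfkey_reply_copy returns a 32-byte copy with no key extension while the request buffer is left all zero. The same message with one sadb_ext_len patched to 0 or 0xffff fails pfkey_msg_check, so pfkey_reply_copy refuses it instead of walking it.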
* Retire Skipjack
  There's not much use for the declassified cipher from the 80's with a
  questionable license these days. According to the FIPS drafts, Skipjack
  reaches its EOL in December 2010. The libc portion will be removed after
  the ports hackathon.
  djm and thib agree, no objections from deraadt
  Thanks to jsg for digging up FIPS drafts.
  (mikeb, 2010-10-06, 1 file, -7/+1)
* a pool_get() assuming that PR_NOWAIT is 0 (not anymore!); run into by naddy
  (deraadt, 2010-09-27, 1 file, -2/+2)
* Add support for using IPsec in multiple rdomains.
  This allows running isakmpd/iked/ipsecctl in multiple rdomains
  independently (with "route exec"); the kernel will pick up the rdomain
  from the process context of the pfkey socket and load the flows and SAs
  into the matching rdomain encap routing table. The network stack also
  needs to pass the rdomain to the ipsec stack to lookup the correct rdomain
  that belongs to an interface/mbuf/...
  You can now run individual IPsec configs per rdomain or create IPsec VPNs
  between multiple rdomains on the same machine ;).
  Note that a primary enc(4) in addition to enc0 interface is required per
  rdomain, eg. enc1 rdomain 1.
  Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps
  for some days and people didn't complain.
  ok claudio@ naddy@
  (reyk, 2010-07-09, 1 file, -34/+66)
* Allow to specify an alternative enc(4) interface for an SA. All
  traffic for this SA will appear on the specified enc interface instead of
  enc0 and can be filtered and monitored separately. This will allow
  grouping individual ipsec policies to virtual interfaces and simplifies
  monitoring and pf filtering with many ipsec policies a lot.
  This diff includes the following changes:
  - Store the enc interface unit (default 0) in the TDB of an SA and pass it
    to the enc_getif() lookup when running the bpf or pf_test() handlers.
  - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface
    unit for a specified SA between userland and kernel.
  - Update enc(4) again to use an allocated array instead of the TAILQ to
    lookup the matching enc interface in enc_getif() quickly.
  Discussed with many, tested by a few, will need more testing & review.
  ok deraadt@
  (reyk, 2010-07-01, 1 file, -1/+12)
* replace rtrequest() with corresponding rtrequest1() replacement.
  OK henning@
  (claudio, 2008-05-09, 1 file, -7/+12)
* some spelling fixes from Martynas Venckus
  (jmc, 2007-11-24, 1 file, -2/+2)
* Convert MALLOC/FREE to malloc/free and use M_ZERO where applicable.
  ok krw@
  (hshoexer, 2007-09-13, 1 file, -34/+17)
* since the
  MGET* macros were changed to function calls, there wasn't any need for the
  pool declarations and the inclusion of pool.h
  From: tbert <bret.lambert@gmail.com>
  (henning, 2007-09-01, 1 file, -1/+2)
* export the flow/filter information attached to the SA, too; ok hshoexer@
  (markus, 2007-06-22, 1 file, -1/+29)
* Consistently spell FALLTHROUGH to appease lint.
  ok kettenis@ cloder@ tom@ henning@
  (jsg, 2007-02-14, 1 file, -2/+2)
* allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to
  compile and work. need to register pfkey whenever tcp md5 or ipsec is
  defined, and the various ipsec encapsulations only if ipsec is defined.
  ok theo
  (henning, 2007-01-18, 1 file, -2/+7)
* add support to tag ipsec traffic belonging to specific IKE-initiated
  phase 2 traffic. this allows policy-based filtering of encrypted and
  unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
  isakmpd.conf(5) for details and examples.
  this is work in progress and still needs some testing and feedback, but
  it is safe to put it in now.
  ok hshoexer@
  (reyk, 2006-11-24, 1 file, -1/+30)
* adjust functions dealing with the routing table to take a table ID as
  parameter so they can work on alternate tables. table 0 hardcoded for
  many callers yet, that will be adapted step by step.
  input + ok claudio norby hshoexer
  (henning, 2006-06-16, 1 file, -2/+2)
* Fix bracketing messed up in KNF commit 1.86, allows sasyncd to reliably
  set up pfkey promiscuous mode.
  Diff from Nathanael <list-openbsd-tech at polymorpheus dot com>
  (mcbride, 2006-05-06, 1 file, -5/+5)
* export ipip flows, too; ok hshoexer
  (markus, 2005-12-06, 1 file, -1/+3)