path: root/sys/net/pfkeyv2.h
Commit log: each entry lists the commit message, then [author, date, files changed, lines removed/added].
* Make sure that the address families of a flow's source address,
  destination address and their netmasks match, otherwise return EINVAL.
  ok bluhm@ patrick@
  [tobhe, 2020-12-14, 1 file, -2/+2]
* Enable support for ASN1_DN ipsec identifiers.
  Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked as the server.
  OK tobhe@ sthen@ kn@
  [phessler, 2020-11-05, 1 file, -2/+3]
* pfkey_get may allocate more memory than is needed to hold the SA
  information. Make sure to only copy out actually used memory.
  ok patrick@
  [tobhe, 2020-08-07, 1 file, -2/+2]
* Add size to free(9) calls
  pfkeyv2_send() allocates multiple buffers using the same variable `i' to calculate their sizes, use dedicated size variables for each buffer to reuse them with free(9). For this, make pfkeyv2_policy() pass back the size of its freshly allocated buffer.
  Tested, feedback and OK tobhe
  [kn, 2020-07-18, 1 file, -2/+2]
* Add support for automatically moving traffic between rdomains on ipsec(4)
  encryption or decryption. This allows us to keep plaintext and encrypted network traffic separated and reduces the attack surface for network side-channel attacks. The only way to reach the inner rdomain from outside is by successful decryption and integrity verification through the responsible Security Association (SA). The only way for internal traffic to get out is getting encrypted and moved through the outgoing SA. Multiple plaintext rdomains can share the same encrypted rdomain while the unencrypted packets are still kept separate. The encrypted and unencrypted rdomains can have different default routes.
  The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'. If this differs from 'tdb_rdomain' then the packet is moved to 'tdb_rdomain_post' after IPsec processing. Flows and outgoing IPsec SAs are installed in the plaintext rdomain, incoming IPsec SAs are installed in the encrypted rdomain. IPCOMP SAs are always installed in the plaintext rdomain. They can be viewed with 'route -T X exec ipsecctl -sa' where X is the rdomain ID.
  As the kernel does not create encX devices automatically when creating rdomains they have to be added by hand with ifconfig for IPsec to work in non-default rdomains.
  discussed with chris@ and kn@
  ok markus@, patrick@
  [tobhe, 2020-04-23, 1 file, -2/+12]
* Add padding to struct sadb_x_counter to make it comply with
  alignment constraints documented in RFC 2367 section 2.2.
  Fixes 'ipsecctl -ss' segfault observed on i386.
  with and ok deraadt@ visa@ mikeb@
  [stsp, 2019-03-04, 1 file, -1/+2]
* Add per-TDB counters and a new SADB extension to export them to
  userland.
  Inputs from markus@, ok sthen@
  [mpi, 2018-08-28, 1 file, -2/+17]
* Flush flows using the radix-tree instead of a global list.
  This will allow us to get rid of the list.
  ok visa@
  [mpi, 2017-11-20, 1 file, -2/+1]
* Dump IPsec flows by iterating over the radix-tree.
  This enforces an order and will allow us to get rid of the global list.
  ok millert@, visa@, markus@
  [mpi, 2017-10-27, 1 file, -3/+1]
* Kill struct pfkey_version and move struct pfkeyv2_socket & dump_state
  to pfkeyv2.c. These structs are nowhere else needed.
  OK gcc
  [claudio, 2017-05-29, 1 file, -23/+1]
* PFKEY version 2 is the only pfkey version supported. No need for extra
  abstraction. First step of making PF_KEY a bit more like PF_ROUTE.
  OK mpi@
  [claudio, 2017-05-29, 1 file, -5/+1]
* There is only one version of pfkey in OpenBSD and this will not change any
  time soon so remove all the code to support multiple pfkey versions.
  OK mpi@
  [claudio, 2017-05-26, 1 file, -5/+1]
* Depending on the addresses, ipsecctl(8) automatically groups sa
  bundles together. Extend the kernel interface to export the bundle information to userland. Then ipsecctl -ss -v can show the internal relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it consistently.
  OK hshoexer@ markus@
  [bluhm, 2017-02-28, 1 file, -2/+4]
* A space here, a space there. Soon we're talking real whitespace
  rectification.
  [krw, 2017-01-24, 1 file, -9/+9]
* Remove plain DES encryption from IPsec.
  DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
  ok mikeb@
  [naddy, 2015-12-09, 1 file, -2/+1]
* remove unimplemented PF_KEY algorithms; ok sthen@ mpi@ mikeb@
  [naddy, 2015-12-02, 1 file, -8/+1]
* Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks
  ok naddy
  [mikeb, 2015-11-03, 1 file, -3/+5]
* introduce ipsec-id bundles and use them for ipsecflowinfo,
  fixes rekeying for l2tp/ipsec against multiple windows clients and saves memory (for many SAs to same peers); feedback and ok mikeb@
  [markus, 2015-05-23, 1 file, -3/+4]
* Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer
  [mikeb, 2015-04-17, 1 file, -3/+2]
* change {import,export}_identity so it can be used for policies; ok mikeb
  (fixes sadb_ident_type conversion for policies)
  [markus, 2015-04-16, 1 file, -3/+3]
* Remove support for storing credentials and auth information in the kernel.
  This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections.
  No objections from reyk and hshoexer, with and OK markus.
  [mikeb, 2015-04-14, 1 file, -30/+1]
* remove KPDK. not really used, and a bad choice anyway. ok naddy
  [tedu, 2014-12-28, 1 file, -4/+2]
* Move more stuff under _KERNEL
  ok claudio
  [deraadt, 2013-10-24, 1 file, -1/+2]
* normalize structure definitions
  [deraadt, 2013-03-09, 1 file, -7/+4]
* remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
  anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
  ok mikeb@
  [markus, 2012-09-18, 1 file, -4/+1]
* Add support for the Extended (64-bit) Sequence Number as defined
  in RFC4302 and RFC4303. Right now only the software crypto engine is capable of doing it. Replay check was rewritten to implement the algorithm described in the Appendix A of RFC4303 and the window size was increased to 64.
  Tested against OpenBSD, Linux (strongswan) and Windows.
  No objection from the usual suspects.
  [mikeb, 2012-06-29, 1 file, -9/+10]
* Retire Skipjack
  There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon.
  djm and thib agree, no objections from deraadt
  Thanks to jsg for digging up FIPS drafts.
  [mikeb, 2010-10-06, 1 file, -3/+2]
* Add AES-GCM Transform Identifiers as specified by IANA in
  RFC 4106 and 4543. Please note that although IKEv1 and IKEv2 identifiers are different for ESP_NULL_AUTH_AES-GMAC (SADB_X_EALG_AESGMAC), we use the IKEv2 one only (which is 21). ipsecctl(8) will be taught to handle exported SA correctly.
  [mikeb, 2010-09-22, 1 file, -1/+8]
* Add support for using IPsec in multiple rdomains.
  This allows to run isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pick up the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
  Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain.
  ok claudio@ naddy@
  [reyk, 2010-07-09, 1 file, -3/+4]
* Allow to specify an alternative enc(4) interface for an SA. All
  traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
  This diff includes the following changes:
  - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers.
  - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel.
  - Update enc(4) again to use an allocated array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
  Discussed with many, tested by a few, will need more testing & review.
  ok deraadt@
  [reyk, 2010-07-01, 1 file, -2/+11]
* add support to tag ipsec traffic belonging to specific IKE-initiated
  phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
  this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
  ok hshoexer@
  [reyk, 2006-11-24, 1 file, -2/+11]
* Use export_flow() to wrap policies retrieved via sysctl in pfkey message
  ok ho markus
  [hshoexer, 2005-05-27, 1 file, -2/+8]
* AESCTR support for ESP (RFC 3686); ok hshoexer
  [markus, 2005-05-25, 1 file, -1/+2]
* Add sysctl for dumping the SPD
  ok deraadt, ok markus some time ago
  [hshoexer, 2005-04-04, 1 file, -1/+2]
* implement net.key.v2.sadb_dump.{unspec,esp,ah,...} sysctl subtree
  and use sysctl for 'ipsecadm show'; ok deraadt
  [markus, 2004-11-26, 1 file, -2/+5]
* Add SADB_X_EXT_LIFETIME_LASTUSE for use with isakmpd/DPD, adding this
  extends the bitmap to 64bits. Also repair SADB_GET. hshoexer@ ok.
  [ho, 2004-08-10, 1 file, -2/+4]
* don't convert tcpmd5 to ip-over-ip in SADB_X_GETSPROTO; from hshoexer
  [markus, 2004-01-27, 1 file, -1/+2]
* UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
  ok deraadt@
  [markus, 2003-12-02, 1 file, -2/+13]
* conform to RFC2367 on SADB_xx naming (local name must be prefixed with
  SADB_X_xx)
  [itojun, 2003-07-24, 1 file, -7/+7]
* SADB_X_CALG_MAX is supposed to be the highest numbered supported algorithm
  (prevents a crash in the debugging code in pfkeyv2_parsemessage.c)
  [jason, 2003-02-24, 1 file, -2/+2]
* KNF
  [deraadt, 2003-02-16, 1 file, -5/+5]
* KNF
  [jason, 2003-02-16, 1 file, -105/+104]
* s/LSZ/LZS (consistent with linux and isakmpd *.cst)
  [jason, 2003-02-15, 1 file, -2/+2]
* Add flow type arg to import_flow()
  [ho, 2002-06-07, 1 file, -2/+2]
* import_flow() prototype
  [angelos, 2002-05-31, 1 file, -1/+4]
* NRL license cleaning
  [deraadt, 2001-12-18, 1 file, -11/+40]
* $OpenBSD$ tag
  [angelos, 2001-07-05, 1 file, -1/+1]
* Include files for IPComp support. angelos@ ok.
  [jjbg, 2001-07-05, 1 file, -2/+12]
* By popular demand, protect from multiple inclusion, and fix to use the
  same naming style.
  [angelos, 2001-06-09, 1 file, -3/+3]
* Flag field for flows.
  [angelos, 2001-06-08, 1 file, -1/+4]