path: root/sys/netinet/ip_ipsp.c
Commit log (one entry per commit: date, author, files changed, lines removed/added, then the commit message)

* 2015-05-23  markus  1 file  -42/+133
  introduce ipsec-id bundles and use them for ipsecflowinfo,
  fixes rekeying for l2tp/ipsec against multiple windows clients and saves memory (for many SAs to same peers); feedback and ok mikeb@

* 2015-04-17  mikeb  1 file  -31/+1
  Stubs and support code for NIC-enabled IPsec bite the dust.
  No objection from reyk@, OK markus, hshoexer

* 2015-04-17  mikeb  1 file  -219/+1
  Remove unused ipsp_parse_headers that was supposed to parse packets returned by IPsec-enabled NICs; OK markus, hshoexer

* 2015-04-16  markus  1 file  -81/+1
  remove unfinished/unused support for socket-attached ipsec-policies
  ok mikeb

* 2015-04-14  mikeb  1 file  -16/+12
  make ipsp_address thread safe; ok mpi

* 2015-04-14  mikeb  1 file  -44/+11
  Remove support for storing credentials and auth information in the kernel.
  This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, with an OK markus.

* 2015-04-13  mikeb  1 file  -2/+3
  Make filter argument to ipsp_aux_match optional like the rest of them.
  OK markus, hshoexer

* 2015-04-13  mikeb  1 file  -23/+26
  Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi

* 2015-04-13  mikeb  1 file  -5/+4
  Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi

* 2015-04-10  dlg  1 file  -27/+11
  replace the guts of tdb_hash with SipHash24
  tested by (including some statistical measurement) and ok mikeb@

* 2015-03-14  jsg  1 file  -2/+1
  Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@

* 2015-01-24  deraadt  1 file  -9/+7
  Userland (base & ports) was adapted to always include <netinet/in.h> before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be cleaned up next. Some sockaddr_union steps make it into here as well. ok naddy

* 2014-12-19  tedu  1 file  -18/+1
  unifdef INET in net code as a precursor to removing the pretend option.
  long live the one true internet. ok henning mikeb

* 2014-12-09  doug  1 file  -8/+8
  More malloc() -> mallocarray() in the kernel.
  ok deraadt@ tedu@

* 2014-11-18  tedu  1 file  -2/+1
  move arc4random prototype to systm.h. more appropriate for most code to include that than rdnvar.h. ok deraadt dlg

* 2014-09-14  jsg  1 file  -2/+1
  remove unneeded proc.h includes
  ok mpi@ kspillner@

* 2014-09-08  jsg  1 file  -2/+1
  remove unneeded route.h includes
  ok miod@ mpi@

* 2014-07-22  mpi  1 file  -2/+1
  Fewer <netinet/in_systm.h> !

* 2014-07-12  tedu  1 file  -6/+6
  add a size argument to free. will be used soon, but for now default to 0.
  after discussions with beck deraadt kettenis.

* 2014-07-08  deraadt  1 file  -2/+2
  decouple struct uvmexp into a new file, so that uvm_extern.h and sysctl.h don't need to be married. ok guenther miod beck jsing kettenis

* 2014-04-14  mpi  1 file  -3/+3
  "struct pkthdr" holds a routing table ID, not a routing domain one.
  Avoid the confusion by using an appropriate name for the variable. Note that since routing domain IDs are a subset of the set of routing table IDs, the following idiom is correct:
      rtableid = rdomain
  But to get the routing domain ID corresponding to a given routing table ID, you must call rtable_l2(9). claudio@ likes it, ok mikeb@

* 2014-01-09  tedu  1 file  -15/+15
  bzero/bcmp -> memset/memcmp. ok matthew

* 2013-11-11  mpi  1 file  -19/+13
  Replace most of our formatting functions to convert IPv4/6 addresses from network to presentation format to inet_ntop(). The few remaining functions will be soon converted. ok mikeb@, deraadt@ and moral support from henning@

* 2013-10-24  mpi  1 file  -2/+1
  Remove the number of in6_var.h inclusions by moving some functions and global variables to in6.h. ok deraadt@

* 2013-07-04  mpi  1 file  -1/+3
  These functions are only used in debug code, so put them under ifdef ENCDEBUG to make sure we don't use them elsewhere.

* 2013-04-11  mpi  1 file  -4/+1
  Remove the extern keyword from function declarations, document sysctl declarations, move variables and functions used in only one place in their corresponding file. No functional change. No objection from markus@, ok mikeb@

* 2013-04-10  mpi  1 file  -2/+2
  Remove various external variable declarations from source files and move them to the corresponding header with an appropriate comment if necessary. ok guenther@

* 2013-04-09  mpi  1 file  -9/+8
  Remove read-only ipsec variables and directly use defines instead.
  ok mikeb@, markus@

* 2013-03-28  tedu  1 file  -1/+2
  code that calls timeout functions should include timeout.h
  slipped by on i386, but the zaurus doesn't automagically pick it up. spotted by patrick

* 2012-09-20  blambert  1 file  -11/+11
  spltdb() was really just #define'd to be splsoftnet(); replace the former with the latter. No change in md5 checksum of generated files. ok claudio@ henning@

* 2012-09-18  markus  1 file  -17/+2
  remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code. ok mikeb@

* 2011-05-11  blambert  1 file  -5/+8
  Pre-allocate memory to avoid sleeping after performing a lookup, which may lead to a race. ok markus@ mikeb@

* 2011-03-31  jasper  1 file  -2/+2
  - use nitems(); no binary change
  ok claudio@

* 2010-07-09  reyk  1 file  -32/+58
  Add support for using IPsec in multiple rdomains.
  This allows running isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pick up the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1. Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@

* 2010-04-20  tedu  1 file  -1/+2
  remove proc.h include from uvm_map.h. This has far reaching effects, as sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt

* 2010-01-10  markus  1 file  -2/+2
  Fix two bugs in IPsec/HMAC-SHA2:
  (1) use correct (message) block size of 128 byte (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634).
  (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
  WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec-implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt

* 2009-08-12  martynas  1 file  -2/+2
  don't confuse chars with strings; ok oga@

* 2009-06-02  blambert  1 file  -2/+2
  Shuffle function declarations a bit; ipsp_kern doesn't actually exist, and tdb_hash is only used in ip_ipsp.c, so there's no need to declare it as extern in ip_ipsp.h. ok claudio@ henning@

* 2009-06-02  oga  1 file  -6/+8
  Fix an off-by-one in the ddb-only debugging function tdb_hashstats.
  when we check if a hash chain is over 15 long, we would access one past the end of the array. change the static array size to a define because it makes this checking easier to verify. Found by Parfait. ok deraadt@.

* 2009-02-16  dlg  1 file  -1/+11
  pfsync v5, mostly written at n2k9, but based on work done at n2k8.
  WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
  this is a new variant of the protocol and a large reworking of the pfsync code to address some performance issues. the single largest benefit comes from having multiple pfsync messages of different types handled in a single packet. pfsyncs handling of pf states is highly optimised now, along with packet parsing and construction. huggz for beck@ for testing. huge thanks to mcbride@ for his help during development and for finding all the bugs during the initial tests. thanks to peter sutton for letting me get credit for this work. ok beck@ mcbride@ "good." deraadt@

* 2008-10-22  mpf  1 file  -3/+3
  #if INET => #ifdef INET
  #if INET6 => #ifdef INET6

* 2008-09-15  chl  1 file  -7/+1
  remove dead stores and newly created unused variables.
  Found by LLVM/Clang Static Analyzer. ok mpf@ looks good mk@ ok henning@

* 2008-09-10  blambert  1 file  -3/+3
  Convert timeout_add() calls using multiples of hz to timeout_add_sec()
  Really just the low-hanging fruit of (hopefully) forthcoming timeout conversions. ok art@, krw@

* 2008-04-18  djm  1 file  -2/+2
  use arc4random_uniform() for random number requests that are not a power of two. use arc4random_bytes() when requesting more than a word of PRNG output. ok deraadt@

* 2007-10-29  chl  1 file  -2/+2
  MALLOC/FREE -> malloc/free
  ok krw@

* 2007-10-09  krw  1 file  -30/+18
  MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.
  As with many of the last commits, looked at by chl@ in an earlier version.

* 2007-02-14  jsg  1 file  -2/+2
  Consistently spell FALLTHROUGH to appease lint.
  ok kettenis@ cloder@ tom@ henning@

* 2007-01-18  henning  1 file  -1/+3
  allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to compile and work. need to register pfkey whenever tcp md5 or ipsec is defined, and the various ipsec encapsulations only if ipsec is defined. ok theo

* 2006-11-24  reyk  1 file  -1/+14
  add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@

* 2006-01-13  mpf  1 file  -3/+1
  Path MTU discovery for NAT-T.
  OK markus@, "looks good" hshoexer@