Commit log for sys/netinet/ip_ipsp.h
Each entry lists the commit message, then [author, date, files changed, lines removed/added], then the commit body where one is present.
* Enable support for ASN1_DN ipsec identifiers.
  [phessler, 2020-11-05, 1 file, -1/+2]
  Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked as the server. OK tobhe@ sthen@ kn@
* Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr
  [gnezdo, 2020-09-01, 1 file, -29/+1]
  The best-guessed limits will be tested by trial.
* Add support for automatically moving traffic between rdomains on ipsec(4)
  [tobhe, 2020-04-23, 1 file, -4/+9]
  encryption or decryption. This allows us to keep plaintext and encrypted network traffic separated and reduces the attack surface for network sidechannel attacks. The only way to reach the inner rdomain from outside is by successful decryption and integrity verification through the responsible Security Association (SA). The only way for internal traffic to get out is getting encrypted and moved through the outgoing SA. Multiple plaintext rdomains can share the same encrypted rdomain while the unencrypted packets are still kept separate. The encrypted and unencrypted rdomains can have different default routes.

  The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'. If this differs from 'tdb_rdomain' then the packet is moved to 'tdb_rdomain_post' after IPsec processing. Flows and outgoing IPsec SAs are installed in the plaintext rdomain, incoming IPsec SAs are installed in the encrypted rdomain. IPCOMP SAs are always installed in the plaintext rdomain. They can be viewed with 'route -T X exec ipsecctl -sa' where X is the rdomain ID.

  As the kernel does not create encX devices automatically when creating rdomains they have to be added by hand with ifconfig for IPsec to work in non-default rdomains.

  discussed with chris@ and kn@
  ok markus@, patrick@
* Add per-TDB counters and a new SADB extension to export them to
  [mpi, 2018-08-28, 1 file, -1/+31]
  userland. Inputs from markus@, ok sthen@

* Introduce ipsec_output_cb() to merge duplicate code and account for
  [mpi, 2018-07-12, 1 file, -1/+8]
  dropped packets in the output path. While here fix a memory leak when compression is not needed w/ IPcomp. ok markus@

* Convert AH & IPcomp to ipsec_input_cb() and count drops on input.
  [mpi, 2018-07-11, 1 file, -2/+4]
  ok markus@
* Introduce new IPsec (per-CPU) statistics and refactor ESP input
  [mpi, 2018-07-10, 1 file, -7/+57]
  callbacks to be able to count dropped packets. Having more generic statistics will help troubleshooting problems with specific tunnels. Per-TDB counters are coming once all the refactoring bits are in. ok markus@
* Keep kernel defines under #ifdef _KERNEL.
  [mpi, 2017-11-20, 1 file, -8/+3]
  ok bluhm@

* Unbreak ENCDEBUG kernels by declaring `encdebug' in ip_ipsp.h
  [mpi, 2017-11-15, 1 file, -1/+2]

* Introduce ipsec_sysctl() and move IPsec tunables where they belong.
  [mpi, 2017-11-14, 1 file, -1/+47]
  ok bluhm@, visa@

* Make {ah,esp,ipcomp}stat use percpu counters.
  [visa, 2017-11-08, 1 file, -1/+2]
  OK bluhm@, mpi@
* Dump IPsec flows by iterating over the radix-tree.
  [mpi, 2017-10-27, 1 file, -1/+3]
  This enforces an order and will allow us to get rid of the global list. ok millert@, visa@, markus@
* Last changes before running IPsec w/o KERNEL_LOCK().
  [mpi, 2017-10-16, 1 file, -2/+1]
  Put more NET_ASSERT_LOCK() and document which globals it protects. Add a mutex for pfkeyv2 globals. Convert ipsp_delete_acquire() to timeout_set_proc(). Tested by Hrvoje Popovski, ok bluhm@ visa@

* Split a part of tdb_delete() into tdb_unlink() so that we can remove
  [patrick, 2017-06-26, 1 file, -1/+2]
  a TDB from the hash table without actually free()ing it. That way we can modify the TDB and then put it back in using puttdb(). ok claudio@

* Move IPsec forward and local policy check functions to ipsec_input.c
  [bluhm, 2017-05-22, 1 file, -1/+3]
  and give them better names. input and OK mikeb@

* The function name ip4_input() is confusing as it also handles IPv6
  [bluhm, 2017-05-18, 1 file, -5/+1]
  packets. This is the IP in IP protocol input function, so call it ipip_input(). Rename the existing ipip_input() to ipip_input_gif() as it is the input function used by the gif interface. Pass the address family to make it consistent with pr_input. Use __func__ in debug print and panic messages. Move all ipip prototypes to the ip_ipip.h header file. OK dhill@ mpi@

* Convert the xformsw definition to C99 style initializer. Also fix
  [bluhm, 2017-05-06, 1 file, -2/+2]
  the function declaration of ipe4_input() and avoid a wrong cast. OK mikeb@ dhill@
* Pass down the address family through the pr_input calls. This
  [bluhm, 2017-04-14, 1 file, -8/+8]
  allows us to simplify code used for both IPv4 and IPv6. OK mikeb@ deraadt@
* Error propagation does neither make sense for ip input path nor for
  [bluhm, 2017-02-07, 1 file, -2/+2]
  asynchronous callbacks. Make the IPsec functions void, there is already a counter in the error path. OK mpi@

* Change the IPv4 pr_input function to the way IPv6 is implemented,
  [bluhm, 2017-01-29, 1 file, -12/+6]
  to get rid of struct ip6protosw and some wrapper functions. It is more consistent to have less different structures. The divert_input functions cannot be called anyway, so remove them. OK visa@ mpi@

* Reduce the difference between struct protosw and ip6protosw. The
  [bluhm, 2017-01-26, 1 file, -4/+4]
  IPv4 pr_ctlinput functions did return a void pointer that was always NULL and never used. Make all functions void like in the IPv6 case. OK mpi@

* Since raw_input() and route_input() are gone from pr_input, we can
  [bluhm, 2017-01-25, 1 file, -6/+6]
  make the variable parameters of the protocol input functions fixed. Also add the proto to make it similar to IPv6. OK mpi@ guenther@ millert@

* move from RB macros to RBT functions
  [dlg, 2016-09-15, 1 file, -5/+5]
  shaves a bunch of bytes off kernels

* remove some unused defines. ok mikeb
  [tedu, 2015-12-03, 1 file, -9/+1]

* correct #if/#endif guard comment
  [deraadt, 2015-08-25, 1 file, -2/+2]

* manage spd entries by using the radix api directly instead of
  [blambert, 2015-07-17, 1 file, -1/+7]
  reaching around through the routing table. original diff by myself, much improved by mikeb@ and mpi@. ok and testing mikeb@ mpi@

* introduce ipsec-id bundles and use them for ipsecflowinfo,
  [markus, 2015-05-23, 1 file, -15/+27]
  fixes rekeying for l2tp/ipsec against multiple windows clients and saves memory (for many SAs to same peers); feedback and ok mikeb@

* Stubs and support code for NIC-enabled IPsec bite the dust.
  [mikeb, 2015-04-17, 1 file, -7/+2]
  No objection from reyk@, OK markus, hshoexer

* Remove unsupported SADB_X_IDENTTYPE_CONNECTION; OK markus, hshoexer
  [mikeb, 2015-04-17, 1 file, -2/+1]

* ipa_inp_next is unused; via mikeb@
  [markus, 2015-04-16, 1 file, -2/+1]

* remove unfinished/unused support for socket-attached ipsec-policies
  [markus, 2015-04-16, 1 file, -39/+1]
  ok mikeb

* make ipsp_address thread safe; ok mpi
  [mikeb, 2015-04-14, 1 file, -2/+2]

* Remove support for storing credentials and auth information in the kernel.
  [mikeb, 2015-04-14, 1 file, -20/+3]
  This code is largely unfinished and is not used for anything. The change leaves identities as only objects referenced by ipsec_ref structure and their handling requires some changes to support more advanced matching of IPsec connections. No objections from reyk and hshoexer, with and OK markus.

* Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi
  [mikeb, 2015-04-13, 1 file, -3/+3]

* Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi
  [mikeb, 2015-04-13, 1 file, -5/+4]

* Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
  [mikeb, 2015-03-26, 1 file, -2/+1]
  ok markus, hshoexer

* mikeb points out that 'struct ipsec_policy' can also be hidden by _KERNEL
  [deraadt, 2015-01-19, 1 file, -5/+1]

* First step of hiding many kernel-only parts of <netinet/ip_ipsp.h>
  [deraadt, 2015-01-19, 1 file, -2/+12]
  under _KERNEL, and adjust the one consumer (netstat) so that it requests the exposure. Will take a few more rounds to get this right. ok mikeb

* unifdef some more INET. v4 4life.
  [tedu, 2014-12-23, 1 file, -9/+1]
* The proliferation of "struct route" in all its flavors didn't do
  [mpi, 2014-11-25, 1 file, -13/+1]
  any good to our network stack. The most visible effect is the maze of #ifdef's and casts. But the real problem is the very fragile way of checking if a (cached) route entry is still valid or not. What should we do if the route jumped to another ifaddr or if its gateway has been changed?

  This change starts the dance of "struct route" & friends removal by sending the completely useless "struct route_enc" to the bucket. Tweak & ok claudio@

* Replace most of our formatting functions to convert IPv4/6 addresses from
  [mpi, 2013-11-11, 1 file, -3/+2]
  network to presentation format to inet_ntop(). The few remaining functions will be soon converted. ok mikeb@, deraadt@ and moral support from henning@
* These functions are only used in debug code, so put them under
  [mpi, 2013-07-04, 1 file, -1/+3]
  ifdef ENCDEBUG to make sure we don't use them elsewhere.

* Remove the extern keyword from function declarations, document
  [mpi, 2013-04-11, 1 file, -128/+102]
  sysctl declarations, move variables and functions used in only one place in their corresponding file. No functional change. No objection from markus@, ok mikeb@

* Merge of an original work by markus@ and gerhard@ to increase
  [mikeb, 2013-02-14, 1 file, -2/+5]
  the anti-replay window size to 2100 entries; plus small ESN related improvements. ok markus

* simplify checkreplaywindow() API; make call/return code handling consistent
  [markus, 2012-10-18, 1 file, -3/+2]
  ok mikeb@

* Forward declare struct m_tag in netinet/ip_ipsp.h so we don't need to
  [camield, 2012-10-08, 1 file, -1/+3]
  include sys/mbuf.h in net/pfvar.h. Flagged by and ok guenther@

* spltdb() was really just #define'd to be splsoftnet(); replace the former
  [blambert, 2012-09-20, 1 file, -10/+2]
  with the latter. No change in md5 checksum of generated files. ok claudio@ henning@

* remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
  [markus, 2012-09-18, 1 file, -4/+1]
  anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code. ok mikeb@

* add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
  [markus, 2012-07-16, 1 file, -2/+2]
  can use this to select the IPsec tunnel for sending L2TP packets. this fixes Windows (always binding to 1701) and Android clients (negotiating wildcard flows); feedback mpf@ and yasuoka@; ok henning@ and yasuoka@; ok jmc@ for the manpage

* Add support for the Extended (64-bit) Sequence Number as defined
  [mikeb, 2012-06-29, 1 file, -5/+6]
  in RFC4302 and RFC4303. Right now only software crypto engine is capable of doing it. Replay check was rewritten to implement algorithm described in the Appendix A of RFC4303 and the window size was increased to 64. Tested against OpenBSD, Linux (strongswan) and Windows. No objection from the usual suspects.