80044c78 | 16-Jan-2024 | Xavier Beaudouin <xavier.beaudouin@klarasystems.com>
Add UDP encapsulation of ESP in IPv6

This patch provides UDP encapsulation of ESP packets over IPv6. Ports the IPv4 code to IPv6 and adds support for IPv6 in udpencap.c. As required by the RFC and unlike in IPv4 encapsulation, UDP checksums are calculated.

Co-authored-by: Aurelien Cazuc <aurelien.cazuc.external@stormshield.eu>
Sponsored-by: Stormshield
Sponsored-by: Wiktel
Sponsored-by: Klara, Inc.

71625ec9 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c comment pattern

Remove /^/[*/]\s*\$FreeBSD\$.*\n/

056305d3 | 02-Jun-2023 | Mark Johnston <markj@FreeBSD.org>
ipsec: Make algorithm tables read-only

No functional change intended.

MFC after: 1 week

04d815f1 | 02-Aug-2021 | Konstantin Belousov <kib@FreeBSD.org>
netipsec/key.c: use designated initializers for arrays

Also de-expand nitems() use in related asserts, and fix maxsize array name in the assert message.

Sponsored by: NVidia networking

fcc7aabd | 30-Jul-2021 | Konstantin Belousov <kib@FreeBSD.org>
netipsec: some style

Sponsored by: NVidia networking

889a9acc | 08-Feb-2023 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: only update lastused when it changes to limit cache-line bouncing.

Note that as there is no atomic_store we are hoping the compiler won't speculatively do the store. It is not employed because the size depends on target arch.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D38433

8a949551 | 16-Jan-2023 | Mark Johnston <markj@FreeBSD.org>
ipsec: Clear pad bytes in PF_KEY messages

Various handlers for SADB messages will allocate a new mbuf and populate some structures in it. Some of these structures, such as struct sadb_supported, contain small reserved fields that are not initialized and are thus leaked to userspace.

Fix the problem by adding a helper to allocate zeroed mbufs. This reduces code duplication and the overhead of zeroing these messages isn't harmful.

Reviewed by: zlei, melifaro
Reported by: KMSAN
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D38068

c1bfe8c5 | 07-Sep-2022 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: add key_havesp_any

Saves on work in a common case of checking both directions.

Note further work in the area is impending to elide these in the common case to begin with.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36485

86104d3e | 07-Sep-2022 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: prohibit unknown directions in key_havesp

Eliminates a branch checking for its validity.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36485

9f8f3a8e | 18-Oct-2022 | Kristof Provost <kp@FreeBSD.org>
ipsec: add support for CHACHA20POLY1305

Based on a patch by ae@.

Reviewed by: gbe (man page), pauamma (man page)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37180

ea7be129 | 11-Aug-2022 | Gleb Smirnoff <glebius@FreeBSD.org>
keysock: do not use raw socket code

This makes key socket implementation self contained and removes one of the last dependencies on the raw socket code and pr_output method.

There are very subtle API visible changes:
- now key socket would return EOPNOTSUPP instead of EINVAL on syscalls that are not supposed to be called on a key socket.
- key socket buffer sizes are now controlled by net.key sysctls instead of net.raw. The latter were not documented anywhere, and even Internet search doesn't find any references or discussions related to them.

Reviewed by: melifaro
Differential revision: https://reviews.freebsd.org/D36123

8bd2887b | 26-Jul-2022 | Dimitry Andric <dim@FreeBSD.org>
Adjust function definitions in netipsec's key.c to avoid clang 15 warnings

With clang 15, the following -Werror warnings are produced:

sys/netipsec/key.c:6432:15: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
key_getcomb_ah()
              ^
               void
sys/netipsec/key.c:6489:19: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
key_getcomb_ipcomp()
                  ^
                   void

This is because key_getcomb_ah() and key_getcomb_ipcomp() are declared with (void) argument lists, but defined with empty argument lists. Make the definitions match the declarations.

MFC after: 3 days

0361f165 | 23-Jun-2022 | Kristof Provost <kp@FreeBSD.org>
ipsec: replace SECASVAR mtx by rmlock

This mutex is a significant point of contention in the ipsec code, and can be relatively trivially replaced by a read-mostly lock. It does require a separate lock for the replay protection, which we do here by adding a separate mutex.

This improves throughput (without replay protection) by 10-15%.

MFC after: 3 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D35763

8a9269ed | 17-Feb-2022 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: sprinkle CURVNET_ASSERT_SET

Reviewed by: ae
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34314

9880323a | 03-Jan-2022 | Gleb Smirnoff <glebius@FreeBSD.org>
netipsec: use SYSINIT(9) instead of dom_init/dom_destroy

While here, use just static initializer for key_cb.

Differential revision: https://reviews.freebsd.org/D33539

246982c1 | 16-Dec-2021 | John Baldwin <jhb@FreeBSD.org>
crypto: Consistently use AES instead of Rijndael128 for the AES-CBC cipher.

Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33486

509f1a0f | 24-Nov-2021 | Wenfeng Liu <266lwf@163.com>
ipsec: fix a logic error in key_do_getnewspi

fc21aafe | 03-Dec-2021 | Robert Wing <rew@FreeBSD.org>
ipsec: fix a panic with INVARIANTS

When adding an SPD entry that already exists, a refcount wraparound panic is encountered. This was caused by dropping a reference on the wrong security policy.

Fixes: 4920e38fecc3 ("ipsec: fix race condition in key.c")
Reviewed by: wma
Sponsored by: Klara Inc.
Differential Revision: https://reviews.freebsd.org/D33100

84c04882 | 03-Nov-2021 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: make sure the lock allocated in key_newsav does not false-share

Reviewed by: ae
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32828

e469b16d | 03-Nov-2021 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: fix edge case detection in key_getnewspid

Same comparison problem as in key_do_getnewspi.

Reviewed by: ae
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32827

10ea195f | 03-Nov-2021 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: add a lock encompassing SPI allocation

SPIs get allocated and inserted in separate steps. Prior to the change there was nothing preventing 2 different threads from ending up with the same one.

PR: 258849
Reported by: Herbie.Robinson@stratus.com
Reviewed by: ae
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32826

626bd097 | 03-Nov-2021 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: fix edge case detection in key_do_getnewspi

The 'count' variable would end up being -1 post loop, while the following condition would check for 0 instead.

PR: 258849
Reported by: Herbie.Robinson@stratus.com
Reviewed by: ae
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D32826

4920e38f | 12-Aug-2021 | Wojciech Macek <wma@FreeBSD.org>
ipsec: fix race condition in key.c

Small patch that fixes a race condition in sys/netipsec/key.c

Obtained from: Stormshield
Differential revision: https://reviews.freebsd.org/D31271

8b000bf5 | 02-Aug-2021 | Konstantin Belousov <kib@FreeBSD.org>
netipsec/key.c: Use ANSI C definition for key_random()

Sponsored by: NVIDIA Networking
MFC after: 3 days

e0893890 | 24-Jun-2021 | Mateusz Guzik <mjg@FreeBSD.org>
ipsec: globalize lft zone and zero out buffers at allocation time

Creation of a zone is expensive and there is no need to have one for every vnet. Moreover, this wastes memory as these separate zones cannot use the same per-cpu caches. Finally, this is a step towards replacing the custom zone with pcpu-16.

Two counter_u64_zero calls induce back-to-back IPIs to zero everything out. Instead, pass the M_ZERO flag to let uma just iterate all buffers. The counter(9) API abstraction is already violated by not using counter_u64_alloc.

Reviewed by: ae
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30916

ac152c14 | 16-Oct-2020 | Marcin Wojtas <mw@FreeBSD.org>
Trigger soft lifetime expiration on sequence number

This patch adds 80% of UINT32_MAX limit on sequence number. When sequence number reaches limit kernel sends SADB_EXPIRE message to IKE daemon which is responsible for performing rekeying.

Submitted by: Patryk Duda <pdk@semihalf.com>
Reviewed by: ae
Differential revision: https://reviews.freebsd.org/D22370
Obtained from: Semihalf
Sponsored by: Stormshield

662c1305 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>
net: clean up empty lines in .c and .h files

dae61c9d | 25-Jun-2020 | John Baldwin <jhb@FreeBSD.org>
Simplify IPsec transform-specific teardown.

- Rename the teardown callback from 'zeroize' to 'cleanup' since this no longer zeroes keys.
- Change the callback return type to void. Nothing checked the return value and it was always zero.
- Don't have esp call into ah since it no longer needs to depend on this to clear the auth key. Instead, both are now private and self-contained.

Reviewed by: delphij
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D25443

20869b25 | 25-Jun-2020 | John Baldwin <jhb@FreeBSD.org>
Use zfree() to explicitly zero IPsec keys.

Reviewed by: delphij
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D25442

16aabb76 | 01-May-2020 | John Baldwin <jhb@FreeBSD.org>
Remove support for IPsec algorithms deprecated in r348205 and r360202.

Examples of deprecated algorithms in manual pages and sample configs are updated where relevant. I removed the one example of combining ESP and AH (vs using a cipher and auth in ESP) as RFC 8221 says this combination is NOT RECOMMENDED.

Specifically, this removes support for the following ciphers:
- des-cbc
- 3des-cbc
- blowfish-cbc
- cast128-cbc
- des-deriv
- des-32iv
- camellia-cbc

This also removes support for the following authentication algorithms:
- hmac-md5
- keyed-md5
- keyed-sha1
- hmac-ripemd160

Reviewed by: cem, gnn (older versions)
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D24342

7029da5c | 26-Feb-2020 | Pawel Biernacki <kaktus@FreeBSD.org>
Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren't properly marked). Use it in preparation for a general review of all nodes.

This is a non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags. Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT.

Approved by: kib (mentor, blanket)
Commented by: kib, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D23718

9fd552ad | 12-Feb-2020 | Mateusz Guzik <mjg@FreeBSD.org>
netipsec: fix a mismatched uma_zfree -> uma_zfree_pcpu

PR: 244077
Reported by: lwhsu
Fixes: r357805 ("amd64: store per-cpu allocations subtracted by __pcpu")

bf1a213c | 09-Aug-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add missing new line in several log messages.

PR: 239694
MFC after: 1 week

0e2464ea | 25-Jun-2019 | Ryan Libby <rlibby@FreeBSD.org>
netipsec key_register: check for M_NOWAIT alloc failure

Reviewed by: ae, cem
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D20742

a8a16c71 | 03-Apr-2019 | Conrad Meyer <cem@FreeBSD.org>
Replace read_random(9) with more appropriate arc4rand(9) KPIs

Reviewed by: ae, delphij
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D19760

adc7bb22 | 21-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add sadb_x_sa2 extension to SADB_ACQUIRE requests.

SADB_ACQUIRE requests are sent by the kernel when a security policy doesn't have a corresponding security association for an outbound packet. IKE daemon usually registers its handler for such messages and when the kernel asks for SA it can handle this request. Now such requests will contain additional fields that can help IKE daemon to create SA. And IKE now can create SAs using only information from SADB_ACQUIRE request, this is useful when many if_ipsec(4) interfaces are in use and IKE doesn't track security policies that were installed by kernel.

Obtained from: Yandex LLC
MFC after: 3 weeks
Sponsored by: Yandex LLC

0ddfd867 | 26-Sep-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix witness warning in xform_init().

Do not call crypto_newsession() while holding xforms_lock mutex. Release mutex before invoking crypto_newsession(), and use ipsec_kmod_enter()/ipsec_kmod_exit() functions to protect from doing access to unloaded kernel module memory. Move xform-related functions into subr_ipsec.c to be able to use ipsec_kmod_* functions. Also unconditionally build ipsec_kmod_* functions, since now they are always used by IPSec code.

Add xf_cntr field to struct xformsw, it is used by ipsec_kmod_* functions. Also constify xf_name field, since it is not expected to be modified.

Approved by: re (kib)
Differential Revision: https://reviews.freebsd.org/D17302

5f901c92 | 24-Jul-2018 | Andrew Turner <andrew@FreeBSD.org>
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.

Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147

4e180881 | 08-Jun-2018 | Mateusz Guzik <mjg@FreeBSD.org>
uma: implement provisional api for per-cpu zones

Per-cpu zone allocations are very rarely done compared to regular zones. The intent is to avoid pessimizing the latter case with per-cpu specific code.

In particular contrary to the claim in r334824, M_ZERO is sometimes being used for such zones. But the zeroing method is completely different and branching on it in the fast path for regular zones is a waste of time.

33c1b2bd | 28-May-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Temporarily disable SPDCACHE statistic accounting until a proper fix is committed.

This fixes the kernel build without option IPSEC.

c82dfce3 | 24-May-2018 | Matt Macy <mmacy@FreeBSD.org>
netipsec/!VIMAGE: don't declare/define spdcache_destroy on non-VIMAGE builds

this breaks MIPS compiles in universe

f8e73c47 | 22-May-2018 | Fabien Thomas <fabient@FreeBSD.org>
Add a SPD cache to speed up lookups.

When large SPDs are used, we face two problems:
- too many CPU cycles are spent during the linear searches in the SPD for each packet
- too much contention on multi socket systems, since we use a single shared lock.

Main changes:
- added the sysctl tree 'net.key.spdcache' to control the SPD cache (disabled by default).
- cache the sp indexes that are used to perform SP lookups.
- use a range of dedicated mutexes to protect the cache lines.

Submitted by: Emeric Poupon <emeric.poupon@stormshield.eu>
Reviewed by: ae
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D15050

151ba793 | 24-Dec-2017 | Alexander Kabaev <kan@FreeBSD.org>
Do pass removing some write-only variables from the kernel.

This reduces noise when kernel is compiled by newer GCC versions, such as one used by external toolchain ports.

Reviewed by: kib, andrew(sys/arm and sys/arm64), emaste(partial), erj(partial)
Reviewed by: jhb (sys/dev/pci/* sys/kern/vfs_aio.c and sys/kern/kern_synch.c)
Differential Revision: https://reviews.freebsd.org/D10385

d8ba1ddc | 01-Dec-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Do better cleaning in key_destroy() for VIMAGE case.

SPDB was cleaned using TAILQ_CONCAT() instead of calling key_unlink() for each SP, thus we need to properly clean lists in each bucket of V_sphashtbl to avoid panic in hashdestroy() when INVARIANTS is enabled. Do the same for V_acqaddrhashtbl and V_acqseqhashtbl. When we are called in DEFAULT_VNET, destroy also all global locks and drain key_timer callout.

Reported by: kp
Tested by: kp
MFC after: 1 week

51369649 | 20-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of Highlander" tool: an older (2014) run over FreeBSD tree was useful as a starting point.

f95f6841 | 15-Nov-2017 | Conrad Meyer <cem@FreeBSD.org>
ipsec: Use the same keysize values for HMAC as prior to r324017

The HMAC construction natively permits any key size between 0 and the input block length. Before r324017, the auth_hash 'keysize' member was the hash output length, which was used by ipsec for key sizes. (Non-ipsec consumers need the ability to use other keysizes, hence, r324017.)

The ipsec SADB code blindly uses the auth_hash 'keysize' member for both minimum and maximum key size, which is wrong (from an HMAC perspective). For now, just switch it to 'hashsize', which matches the existing expectations.

Instead it should probably use the range [0, keysize]. But there may be other broken code in ipsec that rejects hashes with too small a minimum key size.

Reported by: olivier@
Reviewed by: olivier, no objection from ae
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D12770

cd48d883 | 03-Nov-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Use correct pointer in key_updateaddresses() when updating NAT-T config.

key_updateaddresses() is used to update SA addresses and NAT-T configuration in SADB_UPDATE message. This is done by cloning SA content from old SA into new one. But addresses and NAT-T configuration are taken from SADB_UPDATE message. Use newsa pointer to set NAT-T properties into cloned SA.

PR: 223382
MFC after: 1 week

e5464792 | 09-Aug-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Make user supplied data checks a bit stricter.

key_msg2sp() is used for parsing data from setsockopt(IP[V6]_IPSEC_POLICY) call. This socket option is usually used to configure IPsec bypass for socket. Only a privileged user can set this socket option. The message syntax is described here http://www.kame.net/newsletter/20021210/ and our libipsec is usually used to create the correct request.

Add additional checks:
* that sadb_x_ipsecrequest_len is not out of bounds of user supplied buffer
* that src/dst's sa_len is the same
* that 2*sa_len is not out of bounds of user supplied buffer
* that 2*sa_len fits into bounds of sadb_x_ipsecrequest

Reported by: Ilja van Sprundel
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D11796

9c2b99b9 | 04-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
When we are doing SA lookup for TCP-MD5, check both source and destination addresses.

Previous code has used only destination address for lookup. But for inbound packets the source address was used as SA destination address. Thus only outbound SA were used for both directions. Now we use addresses from a packet as is, thus SAs for both directions are needed.

Reported by: Mike Tancsa
MFC after: 1 week

8291fb89 | 29-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix bug in r308972 that leads to panic when non-compressed IPComp packet is received.

Reported by: Denis Ahrens <denis h3q com>
MFC after: 3 days

22986c67 | 06-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Introduce the concept of IPsec security policies scope.

Currently three scopes are defined: global, ifnet, and pcb. Generic security policies that IKE daemon can add via PF_KEY interface or an administrator creates with setkey(8) utility have GLOBAL scope. Such policies can be applied by the kernel to outgoing packets and checked against inbound packets after IPsec processing. Security policies created by if_ipsec(4) interfaces have IFNET scope. Such policies are applied to packets that are passed through if_ipsec(4) interface. And security policies created by application using setsockopt() IP_IPSEC_POLICY option have PCB scope. Such policies are applied to packets related to specific socket. Currently there is no way to list PCB policies via setkey(8) utility.

Modify setkey(8) and libipsec(3) to be able to distinguish the scope of security policies in the `setkey -DP` listing. Add two optional flags: '-t' to list only policies related to virtual *tunneling* interfaces, i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL scope. By default policies from all scopes are listed.

To implement this PF_KEY's sadb_x_policy structure was modified. sadb_x_policy_reserved field is used to pass the policy scope from the kernel to userland. The SADB_SPDDUMP message was extended to support filtering by scope: sadb_msg_satype field is used to specify bit mask of requested scopes. For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy is used to pass if_ipsec's interface if_index to the userland. For GLOBAL policies sadb_x_policy_priority is used only to manage order of security policies in the SPDB. For IFNET policies it is not used, so it can be used to keep if_index.

After this change the output of `setkey -DP` now looks like:

# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
# setkey -DPg
::/0 ::/0 icmp6 135,0
	out none
	spid=5 seq=1 pid=872 scope=global
	refcnt=1

No objection from: #network
Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9805

fcf59617 | 06-Feb-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Merge projects/ipsec into head/.

Small summary
-------------

o Almost all IPsec related code was moved into sys/netipsec.
o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel option IPSEC_SUPPORT added. It enables support for loading and unloading of ipsec.ko and tcpmd5.ko kernel modules.
o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type support was removed. Added TCP/UDP checksum handling for inbound packets that were decapsulated by transport mode SAs. setkey(8) modified to show run-time NAT-T configuration of SA.
o New network pseudo interface if_ipsec(4) added. For now it is built as part of ipsec.ko module (or with IPSEC kernel). It implements IPsec virtual tunnels to create route-based VPNs.
o The network stack now invokes IPsec functions using special methods. The only one header file <netipsec/ipsec_support.h> should be included to declare all the needed things to work with IPsec.
o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed. Now these protocols are handled directly via IPsec methods.
o TCP_SIGNATURE support was reworked to be more close to RFC.
o PF_KEY SADB was reworked:
  - now all security associations stored in the single SPI namespace, and all SAs MUST have unique SPI.
  - several hash tables added to speed up lookups in SADB.
  - SADB now uses rmlock to protect access, and concurrent threads can do SA lookups at the same time.
  - many PF_KEY message handlers were reworked to reflect changes in SADB.
  - SADB_UPDATE message was extended to support new PF_KEY headers: SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They can be used by IKE daemon to change SA addresses.
o ipsecrequest and secpolicy structures were cardinally changed to avoid locking protection for ipsecrequest. Now we support only limited number (4) of bundled SAs, but they are supported for both INET and INET6.
o INPCB security policy cache was introduced. Each PCB now caches used security policies to avoid SP lookup for each packet.
o For inbound security policies added the mode, when the kernel does check for full history of applied IPsec transforms.
o References counting rules for security policies and security associations were changed. The proper SA locking added into xform code.
o xform code was also changed. Now it is possible to unregister xforms. tdb_xxx structures were changed and renamed to reflect changes in SADB/SPDB, and changed rules for locking and refcounting.

Reviewed by: gnn, wblock
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9352

bf435626 | 25-Nov-2016 | Fabien Thomas <fabient@FreeBSD.org>
IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.

Since the previous algorithm, based on bit shifting, does not scale with large replay windows, the algorithm used here is based on RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting. The replay window will be fast to be updated, but will cost as many bits in RAM as its size.

The previous implementation did not provide a lock on the replay window, which may lead to replay issues.

Reviewed by: ae
Obtained from: emeric.poupon@stormshield.eu
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D8468

ab11d379 | 10-May-2016 | Conrad Meyer <cem@FreeBSD.org>
netipsec: Fix minor style nit

Coverity points out that 'continue' is equivalent to 'break' in a do {} while(false) loop.

Reported by: Coverity
CID: 1354983
Sponsored by: EMC / Isilon Storage Division

a4641f4e | 03-May-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys/net*: minor spelling fixes.

No functional change.

3cbd4ec3 | 24-Apr-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Handle non-compressed packets for IPComp in tunnel mode.

RFC3173 says that the IP datagram MUST be sent in the original non-compressed form, when the total size of a compressed payload and the IPComp header is not smaller than the size of the original payload. In tunnel mode for small packets IPComp will send encapsulated IP datagrams without IPComp header. Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these datagrams. The handler does lookup for SA related to IPComp protocol and given from mbuf source and destination addresses as tunnel endpoints. It decapsulates packets only when corresponding SA is found.

Reported by: gnn
Reviewed by: gnn
Differential Revision: https://reviews.freebsd.org/D6062

02abd400 | 19-Apr-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
kernel: use our nitems() macro when it is available through param.h.

No functional change, only trivial cases are done in this sweep.

Discussed in: freebsd-current

155d72c4 | 15-Apr-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys/net* : for pointers replace 0 with NULL.

Mostly cosmetic, no functional change.

Found with devel/coccinelle.

bc84fc89 | 13-Mar-2016 | Robert Watson <rwatson@FreeBSD.org>
Put IPSec's announcement of its successful initialisation under bootverbose: now that it's a default kernel option, we don't really need to tell the world about it on every boot, especially as it won't be used by most users.

3543e138 | 01-Mar-2016 | Mark Johnston <markj@FreeBSD.org>
Set tres to NULL to avoid a double free if the m_pullup() below fails.

Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D5497

b833ff5a | 23-Feb-2016 | Andrey V. Elsukov <ae@FreeBSD.org>
Fix useless check. m_pkthdr.len should be equal to orglen.

MFC after: 2 weeks

d6d3f248 | 17-Nov-2015 | Fabien Thomas <fabient@FreeBSD.org>
Implement the sadb_x_policy_priority field as it is done in Linux: lower priority policies are inserted first.

Submitted by: Emeric Poupon <emeric.poupon@stormshield.eu>
Reviewed by: ae
Sponsored by: Stormshield

0c80e7df | 16-Nov-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Use explicitly specified ivsize instead of blocksize when we mean IV size.

Set zero ivsize for enc_xform_null and remove special handling from xform_esp.c.

Reviewed by: gnn
Differential Revision: https://reviews.freebsd.org/D1503

a2bc81bf | 04-Aug-2015 | John-Mark Gurney <jmg@FreeBSD.org>
Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF...

IPsec defines the keys differently than NIST does, so we have to muck with key lengths and nonce/IVs to be standard compliant...

Remove the iv from secasvar as it was unused...

Add a counter protected by a mutex to ensure that the counter for GCM and ICM will never be repeated.. This is a requirement for security.. I would use atomics, but we don't have a 64bit one on all platforms..

Fix a bug where IPsec was depending upon the OCF to ensure that the blocksize was always at least 4 bytes to maintain alignment... Move this logic into IPsec so changes to OCF won't break IPsec...

In one place, espx was always non-NULL, so don't test that it's non-NULL before doing work..

minor style cleanups...

drop setting key and klen as they were not used...

Enforce that OCF won't pass invalid key lengths to AES that would panic the machine...

This has been tested by others too... I tested this against NetBSD 6.1.5 using mini-test suite in https://github.com/jmgurney/ipseccfgs and the only things that don't pass are keyed md5 and sha1, and 3des-deriv (setkey syntax error), all other modes listed in setkey's man page... The nice thing is that NetBSD uses setkey, so same config files were used on both...

Reviewed by: gnn

280d77a3 | 05-Jul-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Fill the port and protocol information in the SADB_ACQUIRE message in case when security policy has it as required by RFC 2367.

PR: 192774
Differential Revision: https://reviews.freebsd.org/D2972
MFC after: 1 week

49672bcc | 11-Jun-2015 | John-Mark Gurney <jmg@FreeBSD.org>
drop key_sa_stir_iv as it isn't used...

Reviewed by: eri, ae

fd90e2ed | 22-May-2015 | Jung-uk Kim <jkim@FreeBSD.org>
CALLOUT_MPSAFE has lost its meaning since r141428, i.e., for more than ten years for head. However, it is continuously misused as the mpsafe argument for callout_init(9). Deprecate the flag and clean up callout_init() calls to make them more consistent.

Differential Revision: https://reviews.freebsd.org/D2613
Reviewed by: jhb
MFC after: 2 weeks

dc4ea824 | 20-May-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
In the reply to SADB_X_SPDGET message use the same sequence number that was in the request.

Some IKE daemons expect it will be the same. Linux and NetBSD also follow this behaviour.

PR: 137309
MFC after: 2 weeks

5bae2b34 | 19-May-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Change SA's state before sending SADB_EXPIRE message.

This state will be reported to keying daemon.

MFC after: 2 weeks

66480211 | 19-May-2015 | Andrey V. Elsukov <ae@FreeBSD.org>
Teach key_expire() to send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD extension header type.

The key_flush_sad() now will send SADB_EXPIRE message when HARD lifetime expires. This is required by RFC 2367 and some keying daemons rely on these messages. HARD lifetime messages have precedence over SOFT lifetime messages, so now they will be checked first. Also now SADB_EXPIRE messages will be sent even if the SA has not been used, because keying daemons might want to rekey such SA.

PR: 200282, 200283
Submitted by: Tobias Brunner <tobias at strongswan dot org>
MFC after: 2 weeks

#
1ae800e7 |
|
18-Apr-2015 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix handling of scoped IPv6 addresses in IPSec code. * in ipsec_encap() embed scope zone ids into link-local addresses in the new IPv6 header, this helps ip6_output() disambiguate the scope; * teach key_ismyaddr6() to use in6_localip(). in6_localip() is less strict than key_sockaddrcmp(). It doesn't compare all fields of struct sockaddr_in6, but it is faster and it should be safe, because all SA's data was checked for correctness. Also, since IPv6 link-local addresses in the &V_in6_ifaddrhead are stored in kernel-internal form, we need to embed scope zone id from SA into the address before calling in6_localip. * in ipsec_common_input() take scope zone id embedded in the address and use it to initialize sin6_scope_id, then use this sockaddr structure to lookup SA, because we keep addresses in the SADB without embedded scope zone id. Differential Revision: https://reviews.freebsd.org/D2304 Reviewed by: gnn Sponsored by: Yandex LLC
|
#
ba76ce40 |
|
07-Mar-2015 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove extra '&'. sin6 is already a pointer. PR: 195011 MFC after: 1 week
|
#
47568136 |
|
24-Feb-2015 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix possible memory leak and several races in the IPsec policy management code. Resurrect the state field in the struct secpolicy, it has IPSEC_SPSTATE_ALIVE value when security policy is linked in the chain, and IPSEC_SPSTATE_DEAD value in all other cases. This field protects from trying to unlink one security policy several times from the different threads. Take additional reference in the key_flush_spd() to be sure that policy won't be freed from the different thread while we are sending SPDEXPIRE message. Add KEY_FREESP() call to the key_unlink() to release additional reference that we take when we use key_getsp*() functions. Differential Revision: https://reviews.freebsd.org/D1914 Tested by: Emeric POUPON <emeric.poupon at stormshield dot eu> Reviewed by: hrs Sponsored by: Yandex LLC
|
#
b489a49f |
|
27-Jan-2015 |
Andrey V. Elsukov <ae@FreeBSD.org> |
key_spdget uses key_setdumpsp() without SPTREE_RLOCK held (it uses referenced pointer to sp). Remove SPTREE_RLOCK_ASSERT from key_setdumpsp() to fix wrong assertion. Reported by: Emeric POUPON Obtained from: Yandex LLC Sponsored by: Yandex LLC
|
#
2a8c860f |
|
05-Jan-2015 |
Robert Watson <rwatson@FreeBSD.org> |
In order to reduce use of M_EXT outside of the mbuf allocator and socket-buffer implementations, introduce a return value for MCLGET() (and m_cljget() that underlies it) to allow the caller to avoid testing M_EXT itself. Update all callers to use the return value. With this change, very few network device drivers remain aware of M_EXT; the primary exceptions lie in mbuf-chain pretty printers for debugging, and in a few cases, custom mbuf and cluster allocation implementations. NB: This is a difficult-to-test change as it touches many drivers for which I don't have physical devices. Instead we've gone for intensive review, but further post-commit review would definitely be appreciated to spot errors where changes could not easily be made mechanically, but were largely mechanical in nature. Differential Revision: https://reviews.freebsd.org/D1440 Reviewed by: adrian, bz, gnn Sponsored by: EMC / Isilon Storage Division
|
#
fe07a9d0 |
|
25-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix VIMAGE build.
|
#
93201211 |
|
24-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Rename ip4_def_policy variable to def_policy. It is used by both IPv4 and IPv6. Initialize it only once in def_policy_init(). Remove its initialization from key_init() and make it static. Remove several fields from struct secpolicy: * lock - it isn't so useful having mutex in the structure, but the only thing we do with it is initialization and destroying. * state - it has only two values - DEAD and ALIVE. Instead of taking a lock and changing the state to DEAD, then taking the lock again in GC function and deleting the policy from the chain - keep in the chain only ALIVE policies. * scangen - it was used in GC function to protect from sending several SADB_SPDEXPIRE messages for one SPD entry. Now we don't keep DEAD entries in the chain and there is no need to have scangen variable. Use TAILQ to implement SPD entries chain. Use rmlock to protect access to SPD entries chain. Protect all SP lookup with RLOCK, and use WLOCK when we are inserting (or removing) SP entry in the chain. Instead of using pattern "LOCK(); refcnt++; UNLOCK();", use refcount(9) API to implement refcounting in SPD. Merge code from key_delsp() and _key_delsp() into _key_freesp(). And use KEY_FREESP() macro in all cases when we want to release reference or just delete SP entry. Obtained from: Yandex LLC Sponsored by: Yandex LLC
|
#
42682121 |
|
06-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
key_getspacq() returns holding the spacq_lock. Unlock it in all cases. MFC after: 1 week Sponsored by: Yandex LLC
|
#
18961126 |
|
02-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove __P() macro. Suggested by: kevlo Sponsored by: Yandex LLC
|
#
2e84e6ea |
|
02-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
ANSIfy function declarations. Sponsored by: Yandex LLC
|
#
2d957916 |
|
01-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove route caching support from ipsec code. It hasn't been used for some time. * remove sa_route_union declaration and route_cache member from struct secashead; * remove key_sa_routechange() call from ICMP and ICMPv6 code; * simplify ip_ipsec_mtu(); * remove #include <net/route.h>; Sponsored by: Yandex LLC
|
#
6df8a710 |
|
07-Nov-2014 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed. Sponsored by: Nginx, Inc.
|
#
f5196a58 |
|
30-Oct-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Use in_localip() instead of handmade implementation. MFC after: 1 week Sponsored by: Yandex LLC
|
#
a4432e6b |
|
23-Oct-2014 |
John Baldwin <jhb@FreeBSD.org> |
Use a static callout to drive key_timehandler() instead of timeout(). While here, make key_timehandler() private to key.c. Submitted by: bz (2) Tested by: bz
|
#
799653be |
|
24-May-2014 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Only do a ports check if this is a NAT-T SA. Otherwise other lookups providing ports may get unexpected results. MFC After: 2 weeks
|
#
76039bc8 |
|
26-Oct-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare for this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h Sponsored by: Netflix Sponsored by: Nginx, Inc.
|
#
a04d64d8 |
|
20-Jun-2013 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP, PFKEY. MFC after: 2 weeks
|
#
dcba52a5 |
|
15-Mar-2013 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Use m_get2() + m_align() instead of hand made key_alloc_mbuf(). Code examination shows, that although key_alloc_mbuf() could return chains, the callers never use chains, so m_get2() should suffice. Sponsored by: Nginx, Inc.
|
#
eb1b1807 |
|
05-Dec-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Mechanically substitute flags from historic mbuf allocator with malloc(9) flags within sys. Exceptions: - sys/contrib not touched - sys/mbuf.h edited manually
|
#
c9b652e3 |
|
18-Oct-2012 |
Andre Oppermann <andre@FreeBSD.org> |
Mechanically remove the last stray remains of spl* calls from net*/*. They have been no-ops for a long time now.
|
#
d1b83520 |
|
11-Sep-2012 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
In NAT-T transport mode, allow a client to open a new connection just after closing another. It worked only in tunnel mode before. Submitted by: Andreas Longwitz <longwitz@incore.de> MFC after: 1M
|
#
2541fcd9 |
|
17-Aug-2012 |
John Baldwin <jhb@FreeBSD.org> |
Unexpand a couple of TAILQ_FOREACH()s.
|
#
4795003b |
|
07-Oct-2011 |
Christian Brueffer <brueffer@FreeBSD.org> |
Add missing va_end() in an error case to clean up after va_start() (already done in the non-error case). CID: 4726 Found with: Coverity Prevent(tm) MFC after: 1 week
|
#
568fac6f |
|
09-May-2011 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Release SP's refcount in key_get_spdbyid(). PR: 156676 Submitted by: Tobias Brunner (tobias@strongswan.org) MFC after: 1 week
|
#
db178eb8 |
|
27-Apr-2011 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Make IPsec compile without INET adding appropriate #ifdef checks. Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c to not need three different versions depending on INET, INET6 or both. Mark two places preparing for not yet supported functionality with IPv6. Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
|
#
73171433 |
|
31-Mar-2011 |
Fabien Thomas <fabient@FreeBSD.org> |
Optimisation in IPSEC(4): - Remove contention on ISR during the crypto operation by using rwlock(9). - Remove a second lookup of the SA in the callback. Gain on 6 cores CPU with SHA1/AES128 can be up to 30%. Reviewed by: vanhu MFC after: 1 month
|
#
442da28a |
|
18-Feb-2011 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant. This will break interoperability with all older versions of FreeBSD for those algorithms. Reviewed by: bz, gnn Obtained from: NETASQ MFC after: 1w
|
#
3e288e62 |
|
22-Nov-2010 |
Dimitry Andric <dim@FreeBSD.org> |
After some off-list discussion, revert a number of changes to the DPCPU_DEFINE and VNET_DEFINE macros, as these cause problems for various people working on the affected files. A better long-term solution is still being considered. This reversal may give some modules empty set_pcpu or set_vnet sections, but these are harmless. Changes reverted: ------------------------------------------------------------------------ r215318 | dim | 2010-11-14 21:40:55 +0100 (Sun, 14 Nov 2010) | 4 lines Instead of unconditionally emitting .globl's for the __start_set_xxx and __stop_set_xxx symbols, only emit them when the set_vnet or set_pcpu sections are actually defined. ------------------------------------------------------------------------ r215317 | dim | 2010-11-14 21:38:11 +0100 (Sun, 14 Nov 2010) | 3 lines Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout the tree. ------------------------------------------------------------------------ r215316 | dim | 2010-11-14 21:23:02 +0100 (Sun, 14 Nov 2010) | 2 lines Add macros to define static instances of VNET_DEFINE and DPCPU_DEFINE.
|
#
31c6a003 |
|
14-Nov-2010 |
Dimitry Andric <dim@FreeBSD.org> |
Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout the tree.
|
#
4a85b5e2 |
|
23-Oct-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Make the IPsec SADB embedded route cache a union to be able to hold both the legacy and IPv6 route destination address. Previously in case of IPv6, there was a memory overwrite due to not enough space for the IPv6 address. PR: kern/122565 MFC After: 2 weeks
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
0b4ae73d |
|
17-May-2010 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
MFC: Locks SPTREE when setting some SP entries to state DEAD. This can prevent kernel panics when updating SPs while there is some traffic for them. Obtained from: NETASQ
|
#
6a7674cc |
|
12-May-2010 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
MFC: Set/update SA's NAT-T stuff before calling key_mature() in key_add() and key_update(), as the SA may be used as soon as key_mature() has been called Obtained from: NETASQ
|
#
480d7c6c |
|
06-May-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r207369: MFP4: @176978-176982, 176984, 176990-176994, 177441 "Whitespace" churn after the VIMAGE/VNET whirls. Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed. Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOBALS (before r185088) and try to reduce the diff to stable/7 and earlier as much as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also removes some header file pollution for putatively static global variables. Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed. Reviewed by: jhb Discussed with: rwatson Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH
|
#
2e8d55c4 |
|
05-May-2010 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Set SA's natt_type before calling key_mature() in key_add(), as the SA may be used as soon as key_mature() has been done. Obtained from: NETASQ MFC after: 1 week
|
#
2d2a2083 |
|
05-May-2010 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Update SA's NAT-T stuff before calling key_mature() in key_update(), as SA may be used as soon as key_mature() has been called. Obtained from: NETASQ MFC after: 1 week
|
#
82cea7e6 |
|
29-Apr-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFP4: @176978-176982, 176984, 176990-176994, 177441 "Whitespace" churn after the VIMAGE/VNET whirls. Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed. Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOBALS (before r185088) and try to reduce the diff to stable/7 and earlier as much as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also removes some header file pollution for putatively static global variables. Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed. Reviewed by: jhb Discussed with: rwatson Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH MFC after: 6 days
|
#
61f73308 |
|
14-Apr-2010 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Locks SPTREE when setting some SP entries to state DEAD. This can prevent kernel panics when updating SPs while there is some traffic for them. Obtained from: NETASQ MFC after: 1m
|
#
ac28297b |
|
02-Apr-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r205789: When tearing down IPsec as part of a (virtual) network stack, do not try to free the same list twice but free both the acquiring list and the security policy acquiring list. Reviewed by: anchie
|
#
8b7893b0 |
|
28-Mar-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
When tearing down IPsec as part of a (virtual) network stack, do not try to free the same list twice but free both the acquiring list and the security policy acquiring list. Reviewed by: anchie MFC after: 3 days
|
#
3e6265f1 |
|
17-Nov-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Fixed two race conditions when inserting/removing SAs via PFKey, which can both lead to a kernel panic when quickly adding/removing a lot of SAs. Obtained from: NETASQ MFC after: 2w (MFC on 8 before 8.0 release ???)
|
#
22c125a1 |
|
16-Sep-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
When checking traffic endpoints' address families in key_spdadd(), compare them together instead of comparing each one with the respective tunnel endpoint. PR: kern/138439 Submitted by: aurelien.ansel@netasq.com Obtained from: NETASQ MFC after: 1 m
|
#
fc79063e |
|
06-Sep-2009 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Silent gcc? Yeah, you wish. What I meant was to silence gcc. Spotted by: julian
|
#
3b02c4a3 |
|
06-Sep-2009 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Initialize state_valid and arraysize variable so gcc won't complain. Reported by: bz
|
#
950ab2f8 |
|
06-Sep-2009 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Improve code a bit by eliminating goto and having one unlock per lock.
|
#
530c0060 |
|
01-Aug-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Merge the remainder of kern_vimage.c and vimage.h into vnet.c and vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes. Reviewed by: bz Approved by: re (vimage blanket)
|
#
5ee847d3 |
|
19-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Reimplement and/or implement vnet list locking by replacing a mostly unused custom mutex/condvar-based sleep locks with two locks: an rwlock (for non-sleeping use) and sxlock (for sleeping use). Either acquired for read is sufficient to stabilize the vnet list, but both must be acquired for write to modify the list. Replace previous no-op read locking macros, used in various places in the stack, with actual locking to prevent race conditions. Callers must declare when they may perform unbounded sleeps or not when selecting how to lock. Refactor vnet sysinits so that the vnet list and locks are initialized before kernel modules are linked, as the kernel linker will use them for modules loaded by the boot loader. Update various consumers of these KPIs based on whether they may sleep or not. Reviewed by: bz Approved by: re (kib)
|
#
1e77c105 |
|
16-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Remove unused VNET_SET() and related macros; only VNET_GET() is ever actually used. Rename VNET_GET() to VNET() to shorten variable references. Discussed with: bz, julian Reviewed by: bz Approved by: re (kensmith, kib)
|
#
eddfbb76 |
|
14-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables. Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing them in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of the kernel linker. Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided. This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS. Bump __FreeBSD_version and update UPDATING. Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
|
#
d1da0a06 |
|
25-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Add address list locking for in6_ifaddrhead/ia_link: as with locking for in_ifaddrhead, we stick with an rwlock for the time being, which we will revisit in the future with a possible move to rmlocks. Some pieces of code require significant further reworking to be safe from all classes of writer-writer races. Reviewed by: bz MFC after: 6 weeks
|
#
2d9cfaba |
|
25-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Add a new global rwlock, in_ifaddr_lock, which will synchronize use of the in_ifaddrhead and INADDR_HASH address lists. Previously, these lists were used unsynchronized as they were effectively never changed in steady state, but we've seen increasing reports of writer-writer races on very busy VPN servers as core count has gone up (and similar configurations where address lists change frequently and concurrently). For the time being, use rwlocks rather than rmlocks in order to take advantage of their better lock debugging support. As a result, we don't enable ip_input()'s read-locking of INADDR_HASH until an rmlock conversion is complete and a performance analysis has been done. This means that one class of reader-writer races still exists. MFC after: 6 weeks Reviewed by: bz
|
#
80af0152 |
|
24-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Convert netinet6 to using queue(9) rather than hand-crafted linked lists for the global IPv6 address list (in6_ifaddr -> in6_ifaddrhead). Adopt the code styles and conventions present in netinet where possible. Reviewed by: gnn, bz MFC after: 6 weeks (possibly not MFCable?)
|
#
57700c9e |
|
19-Jun-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Move setting of ports from NAT-T below key_getsah() and actually below key_setsaval(). Without that, the lookup for the SA had failed as we were looking for a SA with the new, updated port numbers instead of the old ones and were comparing the ports in key_cmpsaidx(). This makes updating the remote -> local SA on the initiator work again. Problem introduced with: p4 changeset 152114
|
#
7b495c44 |
|
12-Jun-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Added support for NAT-Traversal (RFC 3948) in IPsec stack. Thanks to (no special order) Emmanuel Dreyfus (manu@netbsd.org), Larry Baird (lab@gta.com), gnn, bz, and other FreeBSD devs, Julien Vanherzeele (julien.vanherzeele@netasq.com, for years of bug reporting), the PFSense team, and all people who used / tried the NAT-T patch for years and reported bugs, patches, etc... X-MFC: never Reviewed by: bz Approved by: gnn(mentor) Obtained from: NETASQ
|
#
bc29160d |
|
08-Jun-2009 |
Marko Zec <zec@FreeBSD.org> |
Introduce an infrastructure for dismantling vnet instances. Vnet modules and protocol domains may now register destructor functions to clean up and release per-module state. The destructor mechanisms can be triggered by invoking "vimage -d", or a future equivalent command which will be provided via the new jail framework. While this patch introduces numerous placeholder destructor functions, many of those are currently incomplete, thus leaking memory or (even worse) failing to stop all running timers. Many of such issues are already known and will be incrementally fixed over the next weeks in smaller incremental commits. Apart from introducing new fields in structs ifnet, domain, protosw and vnet_net, which requires the kernel and modules to be rebuilt, this change should have no impact on nooptions VIMAGE builds, since vnet destructors can only be called in VIMAGE kernels. Moreover, destructor functions should be in general compiled in only in options VIMAGE builds, except for kernel modules which can be safely kldunloaded at run time. Bump __FreeBSD_version to 800097. Reviewed by: bz, julian Approved by: rwatson, kib (re), julian (mentor)
|
#
aa1faa5f |
|
27-May-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Lock SPTREE before parsing it in key_spddump() Approved by: gnn(mentor) Obtained from: NETASQ MFC after: 2 weeks
|
#
cff5821a |
|
27-May-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Only decrease refcnt once when flushing SPD entries, to avoid flushing entries which are still used. Approved by: gnn(mentor) Obtained from: NETASQ MFC after: 1 month
|
#
d9cc2ca2 |
|
29-Apr-2009 |
Bruce M Simpson <bms@FreeBSD.org> |
Stub out IN6_LOOKUP_MULTI() for GETSPI requests, for now. This has the effect that IPv6 multicast traffic won't trigger an SPI allocation when IPSEC is in use, however, this obviously needs to stomp on locks, and IN6_LOOKUP_MULTI() is about to go away. This definitely needs to be revisited before 8.x is branched as a release branch.
|
#
f4ad3139 |
|
27-Apr-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
key_gettunnel() has been unused with FAST_IPSEC (now IPSEC). KAME had explicit checks at one point using it, so just hide it behind #if 0 for now until we are sure whether we can completely dump it or not. MFC after: 1 month
|
#
1ed81b73 |
|
06-Apr-2009 |
Marko Zec <zec@FreeBSD.org> |
First pass at separating per-vnet initializer functions from existing functions for initializing global state. At this stage, the new per-vnet initializer functions are directly called from the existing global initialization code, which should in most cases result in compiler inlining those new functions, hence yielding a near-zero functional change. Modify the existing initializer functions which are invoked via protosw, like ip_init() et. al., to allow them to be invoked multiple times, i.e. per each vnet. Global state, if any, is initialized only if such functions are called within the context of vnet0, which will be determined via the IS_DEFAULT_VNET(curvnet) check (currently always true). While here, V_irtualize a few remaining global UMA zones used by net/netinet/netipsec networking code. While it is not yet clear to me or anybody else whether this is the right thing to do, at this stage this makes the code more readable, and makes it easier to track uncollected UMA-zone-backed objects on vnet removal. In the long run, it's quite possible that some form of shared use of UMA zone pools among multiple vnets should be considered. Bump __FreeBSD_version due to changes in layout of structs vnet_ipfw, vnet_inet and vnet_net. Approved by: julian (mentor)
|
#
485cf782 |
|
23-Mar-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Fixed comments so it stays in 80 chars by line with hard tabs of 8 chars.... Approved by: gnn(mentor)
|
#
039b1e5d |
|
20-Mar-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Spelling fix in a comment Approved by: gnn(mentor)
|
#
d802e23c |
|
19-Mar-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Fixed style for some comments Approved by: gnn(mentor)
|
#
bf777da6 |
|
19-Mar-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Fixed style for some comments Approved by: gnn(mentor)
|
#
e0a9f200 |
|
18-Mar-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Fixed deletion of sav entries in key_delsah() Approved by: gnn(mentor) Obtained from: NETASQ MFC after: 1 month
|
#
e985f4e0 |
|
05-Mar-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
SAs are valid (but dying) when they reached soft lifetime, even if they have never been used. Approved by: gnn(mentor) MFC after: 2 weeks
|
#
af83f5d7 |
|
24-Feb-2009 |
Roman Divacky <rdivacky@FreeBSD.org> |
Change the functions to ANSI in those cases where it breaks promotion to int rule. See ISO C Standard: SS6.7.5.3:15. Approved by: kib (mentor) Reviewed by: warner Tested by: silence on -current
|
#
fc384fa5 |
|
15-Dec-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Another step assimilating IPv[46] PCB code - directly use the inpcb names rather than the following IPv6 compat macros: in6pcb,in6p_sp, in6p_ip6_nxt,in6p_flowinfo,in6p_vflag, in6p_flags,in6p_socket,in6p_lport,in6p_fport,in6p_ppcb and sotoin6pcb(). Apart from removing duplicate code in netipsec, this is a pure whitespace, not a functional change. Discussed with: rwatson Reviewed by: rwatson (version before review requested changes) MFC after: 4 weeks (set the timer and see then)
|
#
4b79449e |
|
02-Dec-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Rather than using hidden includes (with circular dependencies), directly include only the header files needed. This reduces the unneeded spamming of various headers into lots of files. For now, this leaves us with very few modules including vnet.h and thus needing to depend on opt_route.h. Reviewed by: brooks, gnn, des, zec, imp Sponsored by: The FreeBSD Foundation
|
#
97021c24 |
|
26-Nov-2008 |
Marko Zec <zec@FreeBSD.org> |
Merge more of currently non-functional (i.e. resolving to whitespace) macros from p4/vimage branch. Do a better job at enclosing all instantiations of globals scheduled for virtualization in #ifdef VIMAGE_GLOBALS blocks. De-virtualize and mark as const saorder_state_alive and saorder_state_any arrays from ipsec code, given that they are never updated at runtime, so virtualizing them would be pointless. Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
44e33a07 |
|
19-Nov-2008 |
Marko Zec <zec@FreeBSD.org> |
Change the initialization methodology for global variables scheduled for virtualization. Instead of initializing the affected global variables at instantiation, assign initial values to them in initializer functions. As a rule, initialization at instantiation for such variables should never be introduced again from now on. Furthermore, enclose all instantiations of such global variables in #ifdef VIMAGE_GLOBALS blocks. Essentially, this change should have zero functional impact. In the next phase of merging network stack virtualization infrastructure from p4/vimage branch, the new initialization methodology will allow us to switch between using global variables and their counterparts residing in virtualization containers with minimum code churn, and in the long run allow us to initialize multiple instances of such container structures. Discussed at: devsummit Strassburg Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
8b615593 |
|
02-Oct-2008 |
Marko Zec <zec@FreeBSD.org> |
Step 1.5 of importing the network stack virtualization infrastructure from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs. Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT(). Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.). All the changes are verified to have zero functional impact at this point in time by doing MD5 comparison between pre- and post-change object files(*). (*) netipsec/keysock.c did not validate depending on compile time options. Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
603724d3 |
|
17-Aug-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Commit step 1 of the vimage project, (network stack) virtualization work done by Marko Zec (zec@). This is the first in a series of commits over the course of the next few weeks. Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only. We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again. Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
|
#
b7881306 |
|
05-Aug-2008 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Add lifetime information to generated SPD entries when SPDDUMP Approved by: gnn (mentor) MFC after: 4 weeks
|
#
c2ff90ef |
|
28-Jun-2008 |
Julian Elischer <julian@FreeBSD.org> |
Enter the 1990s. Use real function declaration.
|
#
44c92dbb |
|
24-Mar-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Fix a bug that when getting/dumping the soft lifetime we reported the hard lifetime instead. MFC after: 3 days
|
#
fdcc0789 |
|
24-Mar-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Import change from KAME, rev. 1.362 kame/kame/sys/netkey/key.c In case of "new SA", we must check the hard lifetime of the old SA to find out if it is not permanent and we can delete it. Submitted by: sakane via gnn MFC after: 3 days
|
#
4e8a7c9a |
|
14-Mar-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Remove the "Fast " from the "Fast IPsec: Initialized Security Association Processing." printf. People kept asking questions about this after the IPsec shuffle. This still is the Fast IPsec implementation so no worries that it would be any slower now. There are no functional changes. Discussed with: sam MFC after: 4 days
|
#
208b3a93 |
|
02-Mar-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Fix bugs when allocating and passing information of current lifetime and soft lifetime [1] introduced in rev. 1.21 of key.c. Along with that, fix a related problem in key_debug printing the correct data. While there replace a printf by panic in a sanity check. PR: 120751 Submitted by: Kazuaki ODA (kazuaki aliceblue.jp) [1] MFC after: 5 days
|
#
2cb64cb2 |
|
01-Jul-2007 |
George V. Neville-Neil <gnn@FreeBSD.org> |
Commit IPv6 support for FAST_IPSEC to the tree. This commit includes only the kernel files, the rest of the files will follow in a second commit. Reviewed by: bz Approved by: re Supported by: Secure Computing
|
#
8db2374f |
|
16-Jun-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
'spi' and the return value of ntohl are unsigned. Remove the extra >=0 check which was always true. Document the special meaning of spi values of 0 and 1-255 with a comment. Found with: Coverity Prevent(tm) CID: 2047
|
#
dde4978f |
|
15-Jun-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
In case of failure we can directly return ENOBUFS because 'result' is still NULL and we do not need to free anything. That allows us to gc the entire goto parts and a now unused variable. Found with: Coverity Prevent(tm) CID: 2519
|
#
3a3a7607 |
|
15-Jun-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add a missing return so that we drop out in case of an error and do not continue with a NULL pointer. [1] While here change the return of the error handling code path above. I cannot see why we should always return 0 there. Neither does KAME nor do we in here for the similar check in all the other functions. Found with: Coverity Prevent(tm) [1] CID: 2521
|
#
91c7ac67 |
|
15-Jun-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
With the current code 'src' is never NULL. Nevertheless move the check for NULL before dereferencing the pointer. Found with: Coverity Prevent(tm) CID: 2528
|
#
c2f03ee6 |
|
29-May-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add missing break; so when comparing AF_INET6 addresses, scope and ports we do not run into the default case and return 'no match' instead of 'match'.
|
#
95708c5f |
|
20-May-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Prevent disappearing SAD entries by implementing MPsafe refcounting.

"Why didn't he use SECASVAR_LOCK()/SECASVAR_UNLOCK() macros to synchronize access to the secasvar structure's fields?" one may ask. There were two reasons:
1. refcount(9) is faster than mutex(9) synchronization (one atomic operation instead of two).
2. Those macros are not used now at all, so at some point we may decide to remove them entirely.

OK'ed by: gnn
MFC after: 2 weeks
|
#
a0196c3c |
|
25-Mar-2006 |
George V. Neville-Neil <gnn@FreeBSD.org> |
First steps towards IPSec cleanup. Make the kernel side of FAST_IPSEC not depend on the shared structures defined in /usr/include/net/pfkeyv2.h The kernel now defines all the necessary in kernel structures in sys/netipsec/keydb.h and does the proper massaging when moving messages around. Sponsored By: Secure Computing
|
#
c398230b |
|
06-Jan-2005 |
Warner Losh <imp@FreeBSD.org> |
/* -> /*- for license, minor formatting changes
|
#
1bfe7907 |
|
01-Oct-2004 |
Sam Leffler <sam@FreeBSD.org> |
Remove extraneous SECPOLICY_LOCK_DESTROY calls that cause the mutex to be destroyed twice. Submitted by: Roselyn Lee
|
#
422e4f5b |
|
29-Sep-2004 |
Sam Leffler <sam@FreeBSD.org> |
Add missing locking for secpolicy refcnt manipulations. Submitted by: Roselyn Lee
|
#
6f9bd550 |
|
25-Sep-2004 |
Sam Leffler <sam@FreeBSD.org> |
Correct handling of SADB_UPDATE and SADB_ADD requests. key_align may split the mbuf due to use of m_pulldown. Discarding the result because of this does not make sense as no subsequent code depends on the entire msg being linearized (only the individual pieces). It's likely something else is wrong here but for now this appears to get things back to a working state. Submitted by: Roselyn Lee
|
#
171ed093 |
|
22-Jun-2004 |
Bruce M Simpson <bms@FreeBSD.org> |
Fix a paste-o in key_cmpspidx_withmask(). PR: misc/67013 Submitted by: Zhenmin <zli4@cs.uiuc.edu>
|
#
2c561642 |
|
02-May-2004 |
Sam Leffler <sam@FreeBSD.org> |
use correct address for SADB_EXT_ADDRESS_DST in key_do_allocsa_policy (was using src instead of dst) Submitted by: Bjoern A. Zeeb Obtained from: KAME MFC after: 1 day
|
#
9826472d |
|
02-May-2004 |
Sam Leffler <sam@FreeBSD.org> |
correct behaviour of key_getsavbyspi broken in rev 1.7; corrects problems with removing specific SPIs Submitted by: Bjoern A. Zeeb
|
#
09a6afb5 |
|
02-May-2004 |
Sam Leffler <sam@FreeBSD.org> |
add support to prefer old SA to new SA during allocation (makes net.key.preferred_oldsa work as for KAME) Submitted by: gabor@sentex.net Reviewed by: Bjoern A. Zeeb MFC after: 1 day
|
#
2bf11a99 |
|
06-Apr-2004 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Unbreak FAST_IPSEC build on 64 bit archs with INVARIANTS. Approved by: sam
|
#
517dbe66 |
|
16-Feb-2004 |
Guido van Rooij <guido@FreeBSD.org> |
Fix typo in a sysctl. It used to be: net.key.prefered_oldsa and is corrected to net.key.preferred_oldsa This makes it consistent with the KAME IPsec implementation. Approved by: sam
|
#
1cfd4b53 |
|
10-Feb-2004 |
Bruce M Simpson <bms@FreeBSD.org> |
Initial import of RFC 2385 (TCP-MD5) digest support. This is the first of two commits; bringing in the kernel support first. This can be enabled by compiling a kernel with options TCP_SIGNATURE and FAST_IPSEC.

For the uninitiated, this is a TCP option which provides for a means of authenticating TCP sessions which came into being before IPSEC. It is still relevant today, however, as it is used by many commercial router vendors, particularly with BGP, and as such has become a requirement for interconnect at many major Internet points of presence.

Several parts of the TCP and IP headers, including the segment payload, are digested with MD5, including a shared secret.

The PF_KEY interface is used to manage the secrets using security associations in the SADB.

There is a limitation here in that as there is no way to map a TCP flow per-port back to an SPI without polluting tcpcb or using the SPD; the code to do the latter is unstable at this time. Therefore this code only supports per-host keying granularity.

Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6), TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective users of this feature, this will not pose any problem.

This implementation is output-only; that is, the option is honoured when responding to a host initiating a TCP session, but no effort is made [yet] to authenticate inbound traffic. This is, however, sufficient to interwork with Cisco equipment.

Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with local patches. Patches for tcpdump to validate TCP-MD5 sessions are also available from me upon request.

Sponsored by: sentex.net
|
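The commit message above describes what RFC 2385 feeds into MD5 (parts of the IP and TCP headers, the segment payload and the shared secret) but not the exact byte layout. The following is an added example, written for this page and not code from FreeBSD or the commit above, that builds and checks a TCP-MD5 signed segment with only the Python standard library. The input ordering (IPv4 pseudo-header, fixed 20-byte TCP header with the checksum zeroed and options excluded, payload, then the key) and the option encoding (kind 19, length 18) are taken from RFC 2385 itself, not from the commit text. It goes a step beyond the commit, which was output-only, by also showing the inbound check; the key, addresses, ports and payload are constructed sample values, and the TCP checksum field is left at zero since it is not part of the digest.

```python
"""RFC 2385 TCP-MD5 signature over an IPv4 TCP segment (added example).

Digest input order, per RFC 2385 section 2:
  1. TCP pseudo-header: src IP, dst IP, zero byte, protocol (6), TCP length
  2. the fixed 20-byte TCP header with the checksum field zeroed; options
     (including the signature option itself) are NOT covered
  3. the TCP payload
  4. the shared key
The 16-byte digest travels in TCP option kind 19, length 18.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_SIGNATURE = 19    # option kind defined by RFC 2385
TCPOLEN_SIGNATURE = 18   # kind + length + 16-byte MD5 digest


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_segment: bytes, key: bytes) -> bytes:
    """Return the RFC 2385 digest for a full TCP segment (header+options+payload)."""
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4            # header length incl. options
    if data_offset < 20 or data_offset > len(tcp_segment):
        raise ValueError("bad TCP data offset")

    # 1. pseudo-header; the TCP length counts the whole segment, options included
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(tcp_segment)))
    # 2. fixed header only, checksum (bytes 16..17) forced to zero, options dropped
    fixed_hdr = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:20]
    # 3. payload begins after the options
    payload = tcp_segment[data_offset:]

    md5 = hashlib.md5()
    for part in (pseudo, fixed_hdr, payload, key):      # 4. key goes last
        md5.update(part)
    return md5.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                         payload: bytes, key: bytes) -> bytes:
    """Emit a TCP segment carrying a signature option (the sender side).

    Options are 18 bytes of signature plus two NOPs so the header stays a
    multiple of 4 bytes; the digest is computed with the option bytes present
    but they are not covered, so their initial value does not matter.
    """
    opts = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16) + b"\x01\x01"
    data_offset = (20 + len(opts)) // 4                  # 10 words = 40 bytes
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0)  # checksum, urg = 0
    segment = hdr + opts + payload
    digest = tcp_md5_digest(src_ip, dst_ip, segment, key)
    # signature value occupies option bytes 2..17, i.e. segment[22:38]
    return segment[:22] + digest + segment[38:]


def extract_signature(tcp_segment: bytes):
    """Walk the TCP options and return the 16-byte signature, or None."""
    if len(tcp_segment) < 20:
        return None
    data_offset = (tcp_segment[12] >> 4) * 4
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                    # end of option list
            break
        if kind == 1:                                    # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):         # malformed option
            break
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_signed_segment(src_ip: str, dst_ip: str, tcp_segment: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest and compare in constant time."""
    sig = extract_signature(tcp_segment)
    if sig is None:
        return False
    try:
        expected = tcp_md5_digest(src_ip, dst_ip, tcp_segment, key)
    except ValueError:
        return False
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    # constructed sample values: a BGP SYN between two test-net addresses
    key = b"s3cret"
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 40000, 1, 0,
                               0x02, 65535, b"", key)
    print(seg[22:38].hex(), verify_signed_segment("192.0.2.1", "192.0.2.2", seg, key))
```

Two properties of the layout are worth checking against the code: flipping the checksum field leaves the digest unchanged (it is zeroed before hashing), while any byte of the pseudo-header, fixed header or payload, or a different key, produces a different digest. Per-host keying, as the commit describes, maps to using only the address pair and the key when looking up the secret; ports never enter that lookup even though they are covered by the digest.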
#
9b705967 |
|
05-Feb-2004 |
Sam Leffler <sam@FreeBSD.org> |
must convert protocol to sa type when preparing a DELETE message Submitted by: Roselyn Lee <rosel@verniernetworks.com> MFC after: 1 week
|
#
9ffa9677 |
|
29-Sep-2003 |
Sam Leffler <sam@FreeBSD.org> |
MFp4: portability work, general cleanup, locking fixes

change 38496
o add ipsec_osdep.h that holds os-specific definitions for portability
o s/KASSERT/IPSEC_ASSERT/ for portability
o s/SPLASSERT/IPSEC_SPLASSERT/ for portability
o remove function names from ASSERT strings since line#+file pinpoints the location
o use __func__ uniformly to reduce string storage
o convert some random #ifdef DIAGNOSTIC code to assertions
o remove some debugging assertions no longer needed

change 38498
o replace numerous bogus panic's with equally bogus assertions that at least go away on a production system

change 38502 + 38530
o change explicit mtx operations to #defines to simplify future changes to a different lock type

change 38531
o hookup ipv4 ctlinput paths to a noop routine; we should be handling path mtu changes at least
o correct potential null pointer deref in ipsec4_common_input_cb

change 38685
o fix locking for bundled SA's and for when key exchange is required

change 38770
o eliminate recursion on the SAHTREE lock

change 38804
o cleanup some types: long -> time_t
o remove reference to dead #define

change 38805
o correct some types: long -> time_t
o add scan generation # to secpolicy to deal with locking issues

change 38806
o use LIST_FOREACH_SAFE instead of handrolled code
o change key_flush_spd to drop the sptree lock before purging an entry to avoid lock recursion and to avoid holding the lock over a long-running operation
o misc cleanups of tangled and twisty code

There is still much to do here but for now things look to be working again.

Supported by: FreeBSD Foundation
|
#
6464079f |
|
31-Aug-2003 |
Sam Leffler <sam@FreeBSD.org> |
Locking and misc cleanups; most of which I've been running for >4 months:
o add locking
o strip irrelevant spl's
o split malloc types to better account for memory use
o remove unused IPSEC_NONBLOCK_ACQUIRE code
o remove dead code

Sponsored by: FreeBSD Foundation
|
#
82a6d6ac |
|
29-Jun-2003 |
Sam Leffler <sam@FreeBSD.org> |
plug xform memory leaks: o add missing zeroize op when deleting an SA o don't re-initialize an xform for an SA that already has one Submitted by: Doug Ambrisko <ambrisko@verniernetworks.com> MFC after: 1 day
|
#
a163d034 |
|
18-Feb-2003 |
Warner Losh <imp@FreeBSD.org> |
Back out M_* changes, per decision of the TRB. Approved by: trb
|
#
24a701b2 |
|
05-Feb-2003 |
Andrey A. Chernov <ache@FreeBSD.org> |
Comment out srandom(): 1) Already called in init_main.c:proc0_post() 2) Seed is bad
|
#
44956c98 |
|
21-Jan-2003 |
Alfred Perlstein <alfred@FreeBSD.org> |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
9d5abbdd |
|
01-Jan-2003 |
Jens Schweikhardt <schweikh@FreeBSD.org> |
Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, especially in troff files.
|
#
88768458 |
|
15-Oct-2002 |
Sam Leffler <sam@FreeBSD.org> |
"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather different while the SADB and policy management code is very similar to KAME (for the moment).

Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system.

This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system.

Obtained from: KAME + openbsd
Supported by: Vernier Networks
|