#
71625ec9 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c comment pattern Remove /^/[*/]\s*\$FreeBSD\$.*\n/
|
#
c1bfe8c5 |
|
07-Sep-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
ipsec: add key_havesp_any Saves on work in a common case of checking both directions. Note further work in the area is impending to elide these in the common case to begin with. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D36485
|
#
9880323a |
|
03-Jan-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
netipsec: use SYSINIT(9) instead of dom_init/dom_destroy While here, use just static initializer for key_cb. Differential revision: https://reviews.freebsd.org/D33539
|
#
a8a16c71 |
|
03-Apr-2019 |
Conrad Meyer <cem@FreeBSD.org> |
Replace read_random(9) with more appropriate arc4rand(9) KPIs Reviewed by: ae, delphij Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D19760
|
#
0ddfd867 |
|
26-Sep-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix witness warning in xform_init(). Do not call crypto_newsession() while holding xforms_lock mutex. Release mutex before invoking crypto_newsession(), and use ipsec_kmod_enter()/ipsec_kmod_exit() functions to protect from doing access to unloaded kernel module memory. Move xform-releated functions into subr_ipsec.c to be able use ipsec_kmod_* functions. Also unconditionally build ipsec_kmod_* functions, since now they are always used by IPSec code. Add xf_cntr field to struct xformsw, it is used by ipsec_kmod_* functions. Also constify xf_name field, since it is not expected to be modified. Approved by: re (kib) Differential Revision: https://reviews.freebsd.org/D17302
|
#
51369649 |
|
20-Nov-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
sys: further adoption of SPDX licensing ID tags. Mainly focus on files that use BSD 3-Clause license. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, superceed or replace the license texts. Special thanks to Wind River for providing access to "The Duke of Highlander" tool: an older (2014) run over FreeBSD tree was useful as a starting point.
|
#
fcf59617 |
|
06-Feb-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Merge projects/ipsec into head/. Small summary ------------- o Almost all IPsec releated code was moved into sys/netipsec. o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel option IPSEC_SUPPORT added. It enables support for loading and unloading of ipsec.ko and tcpmd5.ko kernel modules. o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type support was removed. Added TCP/UDP checksum handling for inbound packets that were decapsulated by transport mode SAs. setkey(8) modified to show run-time NAT-T configuration of SA. o New network pseudo interface if_ipsec(4) added. For now it is build as part of ipsec.ko module (or with IPSEC kernel). It implements IPsec virtual tunnels to create route-based VPNs. o The network stack now invokes IPsec functions using special methods. The only one header file <netipsec/ipsec_support.h> should be included to declare all the needed things to work with IPsec. o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed. Now these protocols are handled directly via IPsec methods. o TCP_SIGNATURE support was reworked to be more close to RFC. o PF_KEY SADB was reworked: - now all security associations stored in the single SPI namespace, and all SAs MUST have unique SPI. - several hash tables added to speed up lookups in SADB. - SADB now uses rmlock to protect access, and concurrent threads can do SA lookups in the same time. - many PF_KEY message handlers were reworked to reflect changes in SADB. - SADB_UPDATE message was extended to support new PF_KEY headers: SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They can be used by IKE daemon to change SA addresses. o ipsecrequest and secpolicy structures were cardinally changed to avoid locking protection for ipsecrequest. Now we support only limited number (4) of bundled SAs, but they are supported for both INET and INET6. o INPCB security policy cache was introduced. Each PCB now caches used security policies to avoid SP lookup for each packet. o For inbound security policies added the mode, when the kernel does check for full history of applied IPsec transforms. o References counting rules for security policies and security associations were changed. The proper SA locking added into xform code. o xform code was also changed. Now it is possible to unregister xforms. tdb_xxx structures were changed and renamed to reflect changes in SADB/SPDB, and changed rules for locking and refcounting. Reviewed by: gnn, wblock Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D9352
|
#
3cbd4ec3 |
|
24-Apr-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Handle non-compressed packets for IPComp in tunnel mode. RFC3173 says that the IP datagram MUST be sent in the original non-compressed form, when the total size of a compressed payload and the IPComp header is not smaller than the size of the original payload. In tunnel mode for small packets IPComp will send encapsulated IP datagrams without IPComp header. Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these datagrams. The handler does lookup for SA related to IPComp protocol and given from mbuf source and destination addresses as tunnel endpoints. It decapsulates packets only when corresponding SA is found. Reported by: gnn Reviewed by: gnn Differential Revision: https://reviews.freebsd.org/D6062
|
#
49672bcc |
|
11-Jun-2015 |
John-Mark Gurney <jmg@FreeBSD.org> |
drop key_sa_stir_iv as it isn't used... Reviewed by: eri, ae
|
#
18961126 |
|
02-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove __P() macro. Suggested by: kevlo Sponsored by: Yandex LLC
|
#
2d957916 |
|
01-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove route chaching support from ipsec code. It isn't used for some time. * remove sa_route_union declaration and route_cache member from struct secashead; * remove key_sa_routechange() call from ICMP and ICMPv6 code; * simplify ip_ipsec_mtu(); * remove #include <net/route.h>; Sponsored by: Yandex LLC
|
#
a4432e6b |
|
23-Oct-2014 |
John Baldwin <jhb@FreeBSD.org> |
Use a static callout to drive key_timehandler() instead of timeout(). While here, make key_timehandler() private to key.c. Submitted by: bz (2) Tested by: bz
|
#
73171433 |
|
31-Mar-2011 |
Fabien Thomas <fabient@FreeBSD.org> |
Optimisation in IPSEC(4): - Remove contention on ISR during the crypto operation by using rwlock(9). - Remove a second lookup of the SA in the callback. Gain on 6 cores CPU with SHA1/AES128 can be up to 30%. Reviewed by: vanhu MFC after: 1 month
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
7b495c44 |
|
12-Jun-2009 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Added support for NAT-Traversal (RFC 3948) in IPsec stack. Thanks to (no special order) Emmanuel Dreyfus (manu@netbsd.org), Larry Baird (lab@gta.com), gnn, bz, and other FreeBSD devs, Julien Vanherzeele (julien.vanherzeele@netasq.com, for years of bug reporting), the PFSense team, and all people who used / tried the NAT-T patch for years and reported bugs, patches, etc... X-MFC: never Reviewed by: bz Approved by: gnn(mentor) Obtained from: NETASQ
|
#
bc29160d |
|
08-Jun-2009 |
Marko Zec <zec@FreeBSD.org> |
Introduce an infrastructure for dismantling vnet instances. Vnet modules and protocol domains may now register destructor functions to clean up and release per-module state. The destructor mechanisms can be triggered by invoking "vimage -d", or a future equivalent command which will be provided via the new jail framework. While this patch introduces numerous placeholder destructor functions, many of those are currently incomplete, thus leaking memory or (even worse) failing to stop all running timers. Many of such issues are already known and will be incrementaly fixed over the next weeks in smaller incremental commits. Apart from introducing new fields in structs ifnet, domain, protosw and vnet_net, which requires the kernel and modules to be rebuilt, this change should have no impact on nooptions VIMAGE builds, since vnet destructors can only be called in VIMAGE kernels. Moreover, destructor functions should be in general compiled in only in options VIMAGE builds, except for kernel modules which can be safely kldunloaded at run time. Bump __FreeBSD_version to 800097. Reviewed by: bz, julian Approved by: rwatson, kib (re), julian (mentor)
|
#
f4ad3139 |
|
27-Apr-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
key_gettunnel() has been unsued with FAST_IPSEC (now IPSEC). KAME had explicit checks at one point using it, so just hide it behind #if 0 for now until we are sure if we can completely dump it or not. MFC after: 1 month
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
c398230b |
|
06-Jan-2005 |
Warner Losh <imp@FreeBSD.org> |
/* -> /*- for license, minor formatting changes
|
#
422e4f5b |
|
29-Sep-2004 |
Sam Leffler <sam@FreeBSD.org> |
Add missing locking for secpolicy refcnt manipulations. Submitted by: Roselyn Lee
|
#
6464079f |
|
31-Aug-2003 |
Sam Leffler <sam@FreeBSD.org> |
Locking and misc cleanups; most of which I've been running for >4 months: o add locking o strip irrelevant spl's o split malloc types to better account for memory use o remove unused IPSEC_NONBLOCK_ACQUIRE code o remove dead code Sponsored by: FreeBSD Foundation
|
#
88768458 |
|
15-Oct-2002 |
Sam Leffler <sam@FreeBSD.org> |
"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather differet while the SADB and policy management code is very similar to KAME (for the moment). Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system. This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system. Obtained from: KAME + openbsd Supported by: Vernier Networks
|