Commit Graph

43 Commits

Author SHA1 Message Date
Hajimu UMEMOTO
1116a8c98e - fixed the order of searching SA table for packets.
- comment about deletion of SA that has not been used by reaching
  soft lifetime.

Obtained from:	KAME
MFC after:	2 week
2002-07-10 16:39:38 +00:00
Peter Wemm
3b688a9484 pacify gcc-3.1's -Wunused checking. 2002-05-24 05:53:57 +00:00
Alfred Perlstein
96abb1618a Remove __P. 2002-03-20 02:39:27 +00:00
Hajimu UMEMOTO
e4c606a0ca missing splx
Obtained from:	KAME
MFC after:	1 week
2002-03-01 13:13:17 +00:00
Hajimu UMEMOTO
ab101c5598 (when new sa is preferred than old sa)
even if we fail to send pfkey message, remove the old sa.

Obtained from:	KAME
MFC after:	1 week
2002-03-01 12:17:21 +00:00
Peter Wemm
d5362546cf Fix warnings 2002-02-28 02:56:29 +00:00
Seigo Tanimura
f591779bb5 Lock struct pgrp, session and sigio.
New locks are:

- pgrpsess_lock which locks the whole pgrps and sessions,
- pg_mtx which protects the pgrp members, and
- s_mtx which protects the session members.

Please refer to sys/proc.h for the coverage of these locks.

Changes on the pgrp/session interface:

- pgfind() needs the pgrpsess_lock held.

- The caller of enterpgrp() is responsible to allocate a new pgrp and
  session.

- Call enterthispgrp() in order to enter an existing pgrp.

- pgsignal() requires a pgrp lock held.

Reviewed by:	jhb, alfred
Tested on:	cvsup.jp.FreeBSD.org
		(which is a quad-CPU machine running -current)
2002-02-23 11:12:57 +00:00
Hajimu UMEMOTO
8d6337d059 Newer SA is prefered for a out-bound packet than old one
when net.key.prefered_oldsa is set to zero.

Obtained from:	KAME
MFC after:	1 week
2001-12-05 05:40:49 +00:00
Hajimu UMEMOTO
e9d3164d29 Fixed the behavior when there is no inbound policy for the ipsec
tunneled packet.
When there is no suitable inbound policy for the packet of the ipsec
tunnel mode, the kernel never decapsulate the tunneled packet
as the ipsec tunnel mode even when the system wide policy is "none".
Then the kernel leaves the generic tunnel module to process this
packet.  If there is no rule of the generic tunnel, the packet
is rejected and the statistics will be counted up.

Obtained from:	KAME
MFC after:	1 week
2001-11-06 22:45:29 +00:00
Hajimu UMEMOTO
3bc1038274 - net.inet.ipsec.esp_auth hasn't been there
- nuke all debug printfs, which are unneeded by now.
- get rid of #ifdef IPSEC_DEBUG in headers
- now that key_debug_level is always defined, there's no need for
  #ifdef IPSEC_DEBUG around sysctl MIB code (net.key.debug).
- switch all debug printf() to ipseclog().

Obtained from:	KAME
MFC after:	1 week
2001-11-05 16:46:24 +00:00
Hajimu UMEMOTO
794ffde89e Unbreak build without INET6.
Reported by:	Christopher N . Harrell <cnh@netvmg.com>
MFC after:	1 week
2001-11-03 20:47:50 +00:00
Hajimu UMEMOTO
af109ffd14 System wide policy should be returned when no policy found in the SPD.
The packet was rejected in ipsec[46]_tunnel_validate().

Obtained from:	KAME
MFC after:	1 week
2001-10-29 16:29:41 +00:00
Hajimu UMEMOTO
9f833c5b5a Fixed the value of the prefixlen in the sadb_address structure.
When pfkey message relative to SA is sent, the prefixlen was incorrect.

Obtained from:	KAME
MFC after:	1 week
2001-10-22 20:19:47 +00:00
Hajimu UMEMOTO
56a87de33f The behavior of SPDUPDATE has been changed.
SPDUPDATE doesn't depend on whether there is a SP or not.
This change makes `generate_policy on' of racoon work.

Obtained from:	KAME
MFC after:	1 week
2001-10-17 13:01:39 +00:00
Hajimu UMEMOTO
232bdaf61f printed current sequence number of the SA. accordingly, changed
into sadb_x_sa2_sequence from sadb_x_sa2_reserved3 in the sadb_x_sa2
structure.  Also the output of setkey is changed.  sequence number
of the sadb is replaced to the end of the output.

Obtained from:	KAME
2001-08-06 19:40:01 +00:00
Hajimu UMEMOTO
e51e1807bd do not play too much trick with evaluation order. from netbsd
Obtained from:	KAME
2001-08-06 19:34:41 +00:00
Hajimu UMEMOTO
910e7df8bb fixed to make a response in key_spdadd(). reported by <R.P.Koster@kpn.com>
Obtained from:	KAME
2001-08-06 19:32:47 +00:00
Hajimu UMEMOTO
b8f2e55112 merged key_cmpsaidx_*.
Obtained from:	KAME
2001-08-06 19:31:13 +00:00
Hajimu UMEMOTO
3384154590 Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
  - The definitions of SADB_* in sys/net/pfkeyv2.h are still different
    from RFC2407/IANA assignment because of binary compatibility
    issue.  It should be fixed under 5-CURRENT.
  - ip6po_m member of struct ip6_pktopts is no longer used.  But, it
    is still there because of binary compatibility issue.  It should
    be removed under 5-CURRENT.

Reviewed by:	itojun
Obtained from:	KAME
MFC after:	3 weeks
2001-06-11 12:39:29 +00:00
Hajimu UMEMOTO
f788b00b22 fixed possibility of panic at key_acquire().
key_acquire() does not require a secpolicy structure.

Obtained from:	KAME
2001-01-14 17:25:08 +00:00
Kris Kennaway
d8740da240 Revert previous commit after discussion with phk. 2000-10-30 09:13:46 +00:00
Poul-Henning Kamp
53ce36d17a Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
Poul-Henning Kamp
46aa3347cb Convert all users of fldoff() to offsetof(). fldoff() is bad
because it only takes a struct tag which makes it impossible to
use unions, typedefs etc.

Define __offsetof() in <machine/ansi.h>

Define offsetof() in terms of __offsetof() in <stddef.h> and <sys/types.h>

Remove myriad of local offsetof() definitions.

Remove includes of <stddef.h> in kernel code.

NB: Kernelcode should *never* include from /usr/include !

Make <sys/queue.h> include <machine/ansi.h> to avoid polluting the API.

Deprecate <struct.h> with a warning.  The warning turns into an error on
01-12-2000 and the file gets removed entirely on 01-01-2001.

Paritials reviews by:   various.
Significant brucifications by:  bde
2000-10-27 11:45:49 +00:00
Hajimu UMEMOTO
222e221abc make sure we have IV that is random enough. memory allocator on
some of platforms give us almost constant number (oops).

Obtained from:	KAME
2000-08-28 08:24:46 +00:00
Jun-ichiro itojun Hagino
686cdd19b1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
Jake Burkholder
e39756439c Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by:		msmith and others
2000-05-26 02:09:24 +00:00
Jake Burkholder
740a1973a6 Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by:	phk
Reviewed by:	phk
Approved by:	mdodd
2000-05-23 20:41:01 +00:00
Yoshinobu Inoue
5d60ed0e69 Change struct sockaddr_storage member name, because following change
is very likely to become consensus as recent ietf/ipng mailing list
discussion. Also recent KAME repository and other KAME patched BSDs
also applied it.

  s/__ss_family/ss_family/
  s/__ss_len/ss_len/

Makeworld is confirmed, and no application should be affected by this change
yet.
2000-01-13 14:52:53 +00:00
Yoshinobu Inoue
6a800098cc IPSEC support in the kernel.
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-22 19:13:38 +00:00
Eivind Eklund
f210792ad4 #ifdef out unused function key_freetables. 1999-01-12 12:38:31 +00:00
Archie Cobbs
f1d19042b0 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
Peter Wemm
a7017d7f9e Really make this compile..
Pointed out by: bde
1998-04-06 05:11:42 +00:00
Peter Wemm
48e88c192e Maybe fix netkey. I am not sure how to test this.. 1998-04-05 05:19:00 +00:00
Poul-Henning Kamp
c90cdf29ba Substitute a panic for a undefined function so LINT will compile. 1998-04-04 18:07:01 +00:00
Poul-Henning Kamp
227ee8a188 Eradicate the variable "time" from the kernel, using various measures.
"time" wasn't a atomic variable, so splfoo() protection were needed
around any access to it, unless you just wanted the seconds part.

Most uses of time.tv_sec now uses the new variable time_second instead.

gettime() changed to getmicrotime(0.

Remove a couple of unneeded splfoo() protections, the new getmicrotime()
is atomic, (until Bruce sets a breakpoint in it).

A couple of places needed random data, so use read_random() instead
of mucking about with time which isn't random.

Add a new nfs_curusec() function.

Mark a couple of bogosities involving the now disappeard time variable.

Update ffs_update() to avoid the weird "== &time" checks, by fixing the
one remaining call that passwd &time as args.

Change profiling in ncr.c to use ticks instead of time.  Resolution is
the same.

Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call
hzto() which subtracts time" sequences.

Reviewed by:	bde
1998-03-30 09:56:58 +00:00
Bruce Evans
3c1300a6b3 Removed unused #includes. 1998-03-28 13:25:01 +00:00
Jun-ichiro itojun Hagino
6d8df845b0 key_getspi() bugfix.
Submitted by:	k-sugyou@ccs.mt.nec.co.jp
1998-03-23 14:49:12 +00:00
Jun-ichiro itojun Hagino
1ed882e558 polish the code.
use tradictional decls.  tabify.  remove bogus #defines.  prototypes.
1998-02-27 11:10:18 +00:00
Jun-ichiro itojun Hagino
751bf650a8 make sys/netkey/key{,_debug}.c compile. I believe it works but not tested.
I'll polish the code later on.
1998-02-27 10:02:49 +00:00
Bruce Evans
edc693217c Added a used #include.
"options KEY" is not in LINT, and consequently doesn't actually compile,
even with this change.
1998-02-25 06:41:47 +00:00
Poul-Henning Kamp
a1c995b626 Last major round (Unless Bruce thinks of somthing :-) of malloc changes.
Distribute all but the most fundamental malloc types.  This time I also
remembered the trick to making things static:  Put "static" in front of
them.

A couple of finer points by:	bde
1997-10-12 20:26:33 +00:00
Poul-Henning Kamp
55166637cd Distribute and statizice a lot of the malloc M_* types.
Substantial input from:	bde
1997-10-11 18:31:40 +00:00
Garrett Wollman
bd22f58e11 This is the `netkey' kernel key-management service (the PF_KEY analogue
to PF_ROUTE) from NRL's IPv6 distribution, heavily modified by me for
better source layout, formatting, and textual conventions.  I am told
that this code is no longer under active development, but it's a useful
hack for those interested in doing work on network security, key management,
etc.  This code has only been tested twice, so it should be considered
highly experimental.

Obtained from: ftp.ripe.net
1996-06-14 17:22:18 +00:00