summaryrefslogtreecommitdiff
path: root/sys/net/pfkeyv2.c
AgeCommit message (Collapse)Author
2013-03-09re-arrange the pre-accounting of the objects in the buffer so itTheo de Raadt
is clearer; ok sthen
2013-02-26Reserve space for source and destination addresses unconditionally ratherStuart Henderson
than checking if they're zero - export_address() is always called for these. Fixes memory corruption when doing ipsecctl -ssa with md5sig. Debugging hints from deraadt@, ok kettenis@ deraadt@
2012-12-28change the malloc(9) flags from M_DONTWAIT to M_NOWAIT; OK millert@Gleydson Soares
2012-09-26add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys)Markus Friedl
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
2012-09-20spltdb() was really just #define'd to be splsoftnet(); replace the formerBret Lambert
with the latter no change in md5 checksum of generated files ok claudio@ henning@
2012-03-28pfkey needs some p_p->ps_pid too. OK deraadt@ guenther@Claudio Jeker
2011-01-12Never include SADB_X_EXT_REMOTE_AUTH (which is either aMike Belopuhov
passphrase or an RSA key) in the reply message. There's nothing that justifies this behavior and PF_KEY RFC prefers to exclude keys and other sensitive material from replies. Discussed with reyk, no objections from deraadt.
2010-10-06Retire SkipjackMike Belopuhov
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts.
2010-09-27a pool_get() assuming that PR_NOWAIT is 0 (not anymore!); run into by naddyTheo de Raadt
2010-07-09Add support for using IPsec in multiple rdomains.Reyk Floeter
This allows to run isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pickup the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1. Test by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@
2010-07-01Allow to specify an alternative enc(4) interface for an SA. AllReyk Floeter
traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot. This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly. Discussed with many, tested by a few, will need more testing & review. ok deraadt@
2008-05-09replace rtrequest() with corresponding rtrequest1() replacement.Claudio Jeker
OK henning@
2007-11-24some spelling fixes from Martynas VenckusJason McIntyre
2007-09-13Convert MALLOC/FREE to malloc/free and use M_ZERO where applicable.Hans-Joerg Hoexer
ok krw@
2007-09-01since theHenning Brauer
MGET* macros were changed to function calls, there wasn't any need for the pool declarations and the inclusion of pool.h From: tbert <bret.lambert@gmail.com>
2007-06-22export the flow/filter information attached to the SA, too; ok hshoexer@Markus Friedl
2007-02-14Consistently spell FALLTHROUGH to appease lint.Jonathan Gray
ok kettenis@ cloder@ tom@ henning@
2007-01-18allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC toHenning Brauer
compile and work. need to register pfkey whenever tcp md5 or ipsec is defined, and the various ipsec encapsulations only if ipsec is defined. ok theo
2006-11-24add support to tag ipsec traffic belonging to specific IKE-initiatedReyk Floeter
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-06-16adjust functions dealing with the routing table to take a table ID asHenning Brauer
parameter so they can work on alternate tables. table 0 hardcoded for many callers yet, that will be adapted step by step. input + ok claudio norby hshoexer
2006-05-06Fix bracketing messed up in KNF commit 1.86, allows sasyncd to reliablyRyan Thomas McBride
set up pfkey promiscuous mode. Diff from Nathanael <list-openbsd-tech at polymorpheus dot com>
2005-12-06export ipip flows, too; ok hshoexerMarkus Friedl
2005-06-01when dumping policies, skip those attached to a socket.Hans-Joerg Hoexer
ok ho
2005-05-28Only protect IDs by suser()Hans-Joerg Hoexer
ok ho
2005-05-27Must convert back from IPPROTO_x to SADB_SATYPE_x. hshoexer@ okHakan Olsson
2005-05-27Use export_flow() to wrap policies retrieved via sysctl in pfkey messageHans-Joerg Hoexer
ok ho markus
2005-05-25AESCTR support for ESP (RFC 3686); ok hshoexerMarkus Friedl
2005-05-24Make sure all fields in the SADB_DUMP header are zeroed properly. hshoexer@ ok.Hakan Olsson
2005-05-10support NULL encryption for ESP; ok hshoexer, hoMarkus Friedl
2005-04-04Add sysctl for dumping the SPDHans-Joerg Hoexer
ok deraadt, ok markus some time ago
2005-01-13protect pfkeyv2_dump_walker with spltdb(). Noticed by mpech@, thanks!Hans-Joerg Hoexer
ok ho@ markus@
2004-12-11SADB_X_EXT_LIFETIME_LASTUSE is always definedMarkus Friedl
2004-12-11pass out the correct lifetime type on expireMarkus Friedl
2004-12-11count SADB_REGISTER only once per socketMarkus Friedl
2004-12-10fix ipsec crash from pr 4025, Stefan Miltchev; ok hshoexer@Markus Friedl
2004-11-29tiny knf, no binary change.Hans-Joerg Hoexer
ok otto jsg henning pat markus deraadt fgs
2004-11-26implement net.key.v2.sadb_dump.{unspec,esp,ah,...} sysctl subtreeMarkus Friedl
and use sysctl for 'ipsecadm show'; ok deraadt
2004-11-19Plug memory leak. Found by pat@. Thanks!Hans-Joerg Hoexer
ok myself markus@
2004-08-10Add SADB_X_EXT_LIFETIME_LASTUSE for use with isakmpd/DPD, adding thisHakan Olsson
extends the bitmap to 64bits. Also repair SADB_GET. hshoexer@ ok.
2004-06-21don't accept SADB_X_EXT_UDPENCAP if encapsulation is disabled; ok ho@Markus Friedl
2003-12-02UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)Markus Friedl
ok deraadt@
2003-07-24conform to RFC2367 on SADB_xx naming (local name must be prefixed withJun-ichiro itojun Hagino
SADB_X_xx)
2003-07-24hmac-sha2-{256,384,512} support in AH/ESP auth. markus okJun-ichiro itojun Hagino
2003-02-16KNFTheo de Raadt
2003-02-16KNFJason Wright
2003-02-15skeleton support for LZS compressionJason Wright
2002-07-31fix potential NULL pointer deref. From: tedu <grendel@zeitbombe.org>Jun-ichiro itojun Hagino
2002-06-07Add flow type arg to import_flow()Hakan Olsson
2002-05-31Pass authentication information (if available) in ACQUIRE message.Angelos D. Keromytis
2002-03-03Fix crashes associated with SADB_GET/SADB_DUMP --- memory was notAngelos D. Keromytis
allocated on outgoing message for encryption/authentication keys --- from umaraghunath@hotmail.com
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 17:18:36 +0000