The NetBSD Project

CVS log for src/sys/netipsec/ipsec_input.c



Default branch: MAIN
Current tag: MAIN


Revision 1.73 / (download) - annotate - [select for diffs], Thu Nov 15 10:23:56 2018 UTC (6 days, 1 hour ago) by maxv
Branch: MAIN
CVS Tags: HEAD
Changes since 1.72: +3 -3 lines
Diff to previous 1.72 (unified)

Remove the 't' argument from m_tag_find().

Revision 1.72 / (download) - annotate - [select for diffs], Sat Oct 27 05:42:23 2018 UTC (3 weeks, 4 days ago) by maxv
Branch: MAIN
Changes since 1.71: +14 -2 lines
Diff to previous 1.71 (unified)

Localify one function, and switch to C99 types while here.

Revision 1.71 / (download) - annotate - [select for diffs], Fri Sep 14 05:09:51 2018 UTC (2 months, 1 week ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-1020, pgoyette-compat-0930
Changes since 1.70: +4 -12 lines
Diff to previous 1.70 (unified)

Use non-variadic function pointer in protosw::pr_input.

Revision 1.70 / (download) - annotate - [select for diffs], Fri May 18 19:02:49 2018 UTC (6 months ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-base, phil-wifi, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521
Changes since 1.69: +4 -4 lines
Diff to previous 1.69 (unified)

IP6_EXTHDR_GET -> M_REGION_GET, no functional change.

Revision 1.69 / (download) - annotate - [select for diffs], Sun Apr 29 14:54:09 2018 UTC (6 months, 3 weeks ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0502
Changes since 1.68: +7 -16 lines
Diff to previous 1.68 (unified)

Remove useless icmp6.h include, remove manual externs and include in6.h
to get proper definitions, and remove duplicate logic in
ipsec6_common_input_cb.

Revision 1.68 / (download) - annotate - [select for diffs], Sun Apr 29 14:35:35 2018 UTC (6 months, 3 weeks ago) by maxv
Branch: MAIN
Changes since 1.67: +2 -154 lines
Diff to previous 1.67 (unified)

Remove obsolete/dead code, the IP-in-IP encapsulation doesn't work this
way anymore (XF_IP4 partly dropped by FAST_IPSEC).

Revision 1.67 / (download) - annotate - [select for diffs], Sat Apr 28 15:45:16 2018 UTC (6 months, 3 weeks ago) by maxv
Branch: MAIN
Changes since 1.66: +2 -4 lines
Diff to previous 1.66 (unified)

Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.

Revision 1.66 / (download) - annotate - [select for diffs], Thu Apr 19 08:27:38 2018 UTC (7 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0422
Changes since 1.65: +3 -3 lines
Diff to previous 1.65 (unified)

Remove extra long file paths from the headers.

Revision 1.65 / (download) - annotate - [select for diffs], Wed Apr 18 07:38:02 2018 UTC (7 months ago) by maxv
Branch: MAIN
Changes since 1.64: +2 -3 lines
Diff to previous 1.64 (unified)

Remove unused malloc.h include.

Revision 1.64 / (download) - annotate - [select for diffs], Tue Apr 17 17:56:08 2018 UTC (7 months ago) by maxv
Branch: MAIN
Changes since 1.63: +5 -5 lines
Diff to previous 1.63 (unified)

fix comments

Revision 1.63 / (download) - annotate - [select for diffs], Sun Apr 15 07:35:49 2018 UTC (7 months, 1 week ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0415
Changes since 1.62: +6 -2 lines
Diff to previous 1.62 (unified)

Introduce an m_verify_packet function, that verifies the mbuf chain of a
packet to ensure it is not malformed. Call this function in "points of
interest", which are the IPv4/IPv6/IPsec entry points. There could be more.

We use M_VERIFY_PACKET(m), declared under DIAGNOSTIC only.

This function should not be called everywhere, especially not in places
that temporarily manipulate (and clobber) the mbuf structure; once they're
done they put the mbuf back in a correct format.

Revision 1.62 / (download) - annotate - [select for diffs], Mon Feb 26 09:04:29 2018 UTC (8 months, 3 weeks ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-base, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Branch point for: pgoyette-compat
Changes since 1.61: +4 -4 lines
Diff to previous 1.61 (unified)

Dedup: merge ipsec4_in_reject and ipsec6_in_reject into ipsec_in_reject.
While here fix misleading comment.

ok ozaki-r@

Revision 1.61 / (download) - annotate - [select for diffs], Mon Feb 26 06:58:56 2018 UTC (8 months, 3 weeks ago) by maxv
Branch: MAIN
Changes since 1.60: +24 -23 lines
Diff to previous 1.60 (unified)

If 'skip' is lower than sizeof(struct ip), we are in trouble. So remove a
nonsensical branch, and add a panic at the beginning of the function.

Revision 1.60 / (download) - annotate - [select for diffs], Mon Feb 26 06:53:22 2018 UTC (8 months, 3 weeks ago) by maxv
Branch: MAIN
Changes since 1.59: +10 -21 lines
Diff to previous 1.59 (unified)

m is never allowed to be NULL, so turn the KASSERT (and the null check)
to a panic.

Revision 1.59 / (download) - annotate - [select for diffs], Mon Feb 26 06:17:01 2018 UTC (8 months, 3 weeks ago) by maxv
Branch: MAIN
Changes since 1.58: +24 -26 lines
Diff to previous 1.58 (unified)

Merge some minor (mostly stylistic) changes from last week.

Revision 1.58 / (download) - annotate - [select for diffs], Wed Feb 21 16:48:28 2018 UTC (8 months, 4 weeks ago) by maxv
Branch: MAIN
Changes since 1.57: +6 -7 lines
Diff to previous 1.57 (unified)

Argh, in my previous commit in this file I forgot to fix the IPv6
entry point; apply the same fix there.

Revision 1.57 / (download) - annotate - [select for diffs], Wed Feb 21 16:08:55 2018 UTC (8 months, 4 weeks ago) by maxv
Branch: MAIN
Changes since 1.56: +6 -6 lines
Diff to previous 1.56 (unified)

Extend these #ifdef notyet. The m_copydata's in these branches are wrong,
we are not guaranteed to have enough room for another struct ip, and we
may crash here. Triggerable remotely, but after authentication, by sending
an AH packet that has a one-byte-sized IPIP payload.

Revision 1.56 / (download) - annotate - [select for diffs], Thu Feb 8 20:57:41 2018 UTC (9 months, 1 week ago) by maxv
Branch: MAIN
Changes since 1.55: +2 -4 lines
Diff to previous 1.55 (unified)

Remove unused net_osdep.h include.

Revision 1.55 / (download) - annotate - [select for diffs], Wed Jan 24 14:28:13 2018 UTC (9 months, 3 weeks ago) by maxv
Branch: MAIN
Changes since 1.54: +4 -2 lines
Diff to previous 1.54 (unified)

Fix the iteration: IPPROTO_FRAGMENT options are special, in the sense
that they don't have a 'length' field. It is therefore incorrect to
read ip6e.ip6e_len, it contains garbage.

I'm not sure whether this is an exploitable vulnerability. Because of this
bug you could theoretically craft 'protoff', which means that you can
have the kernel patch the nxt value at the wrong place once the packet
is decrypted. Perhaps it can be used in some unusual MITM - a router that
happens to be between two IPsec hosts adds a frag6 option in the outer
IPv6 header to trigger the bug in the receiver -, but I couldn't come up
with anything worrying.

Revision 1.54 / (download) - annotate - [select for diffs], Wed Jan 24 14:01:40 2018 UTC (9 months, 3 weeks ago) by maxv
Branch: MAIN
Changes since 1.53: +4 -2 lines
Diff to previous 1.53 (unified)

ipsec4_fixup_checksum calls m_pullup, so don't forget to do mtod() again,
to prevent use-after-free.

In fact, the m_pullup call is never reached: it is impossible for 'skip'
to be zero in this function, so add an XXX for now.

Revision 1.53 / (download) - annotate - [select for diffs], Tue Jan 23 02:21:49 2018 UTC (9 months, 4 weeks ago) by ozaki-r
Branch: MAIN
Changes since 1.52: +6 -3 lines
Diff to previous 1.52 (unified)

Add missing NULL-checking for m_pullup (CID 1427770: Null pointer dereferences (NULL_RETURNS))

Revision 1.52 / (download) - annotate - [select for diffs], Tue Jan 23 02:18:57 2018 UTC (9 months, 4 weeks ago) by ozaki-r
Branch: MAIN
Changes since 1.51: +44 -44 lines
Diff to previous 1.51 (unified)

KNF: replace soft tabs with hard tabs

Revision 1.51 / (download) - annotate - [select for diffs], Thu Aug 3 06:32:51 2017 UTC (15 months, 2 weeks ago) by ozaki-r
Branch: MAIN
CVS Tags: tls-maxphys-base-20171202, nick-nhusb-base-20170825
Changes since 1.50: +3 -3 lines
Diff to previous 1.50 (unified)

Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future

KEY_SA_UNREF is still key_freesav so no functional change for now.

This change reduces diff of further changes.

Revision 1.50 / (download) - annotate - [select for diffs], Thu Aug 3 04:42:26 2017 UTC (15 months, 2 weeks ago) by ozaki-r
Branch: MAIN
Changes since 1.49: +2 -3 lines
Diff to previous 1.49 (unified)

Remove unnecessary KEY_FREESAV in an error path

sav should be freed (unreferenced) by the caller.

Revision 1.49 / (download) - annotate - [select for diffs], Fri Jul 21 04:55:36 2017 UTC (16 months ago) by ozaki-r
Branch: MAIN
Changes since 1.48: +2 -52 lines
Diff to previous 1.48 (unified)

Stop setting mtag of PACKET_TAG_IPSEC_IN_DONE because there are no users anymore

Revision 1.48 / (download) - annotate - [select for diffs], Wed Jul 12 07:00:40 2017 UTC (16 months, 1 week ago) by ozaki-r
Branch: MAIN
CVS Tags: perseant-stdc-iso10646-base, perseant-stdc-iso10646
Changes since 1.47: +2 -4 lines
Diff to previous 1.47 (unified)

Omit unnecessary NULL checks for sav->sah

Revision 1.47 / (download) - annotate - [select for diffs], Fri Jul 7 01:37:34 2017 UTC (16 months, 2 weeks ago) by ozaki-r
Branch: MAIN
Changes since 1.46: +4 -4 lines
Diff to previous 1.46 (unified)

Rename key_alloc* functions (NFC)

We shouldn't use the term "alloc" for functions that just look up
data and actually don't allocate memory.

Revision 1.46 / (download) - annotate - [select for diffs], Thu Jul 6 09:49:46 2017 UTC (16 months, 2 weeks ago) by ozaki-r
Branch: MAIN
Changes since 1.45: +3 -14 lines
Diff to previous 1.45 (unified)

Simplify; we can assume sav->tdb_xform cannot be NULL while it's valid

Revision 1.45 / (download) - annotate - [select for diffs], Wed Jul 5 03:44:59 2017 UTC (16 months, 2 weeks ago) by ozaki-r
Branch: MAIN
Changes since 1.44: +11 -27 lines
Diff to previous 1.44 (unified)

Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE

It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters
that have IPsec accelerators; a driver sets the mtag to a packet
when its device has already encrypted the packet.

Unfortunately no driver has implemented such offload features for long
years and seems unlikely to implement them soon. (Note that neither
FreeBSD nor Linux has such drivers.) Let's remove related
(unused) codes and simplify the IPsec code.

Revision 1.44 / (download) - annotate - [select for diffs], Wed Jun 28 13:12:37 2017 UTC (16 months, 3 weeks ago) by christos
Branch: MAIN
Changes since 1.43: +90 -13 lines
Diff to previous 1.43 (unified)

PR/52346: Frank Kardel: Fix checksumming for NAT-T
See XXX for improvements.

Revision 1.43 / (download) - annotate - [select for diffs], Fri May 19 04:34:09 2017 UTC (18 months ago) by ozaki-r
Branch: MAIN
CVS Tags: netbsd-8-base
Branch point for: netbsd-8
Changes since 1.42: +36 -39 lines
Diff to previous 1.42 (unified)

Introduce IPSECLOG and replace ipseclog and DPRINTF with it

Revision 1.42 / (download) - annotate - [select for diffs], Thu May 11 05:55:14 2017 UTC (18 months, 1 week ago) by ryo
Branch: MAIN
CVS Tags: prg-localcount2-base3
Changes since 1.41: +23 -15 lines
Diff to previous 1.41 (unified)

Make ipsec_address() and ipsec_logsastr() mpsafe.

Revision 1.41 / (download) - annotate - [select for diffs], Wed Apr 19 03:39:14 2017 UTC (19 months ago) by ozaki-r
Branch: MAIN
CVS Tags: prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, pgoyette-localcount-20170426, bouyer-socketcan-base1
Branch point for: prg-localcount2
Changes since 1.40: +2 -4 lines
Diff to previous 1.40 (unified)

Retire ipsec_osdep.h

We don't need to care about other OSes (FreeBSD) anymore.

Some macros are alive in ipsec_private.h.

Revision 1.40 / (download) - annotate - [select for diffs], Tue Apr 18 05:26:42 2017 UTC (19 months ago) by ozaki-r
Branch: MAIN
Changes since 1.39: +18 -22 lines
Diff to previous 1.39 (unified)

Convert IPSEC_ASSERT to KASSERT or KASSERTMSG

IPSEC_ASSERT just discarded specified message...

Revision 1.39 / (download) - annotate - [select for diffs], Tue Apr 18 05:25:32 2017 UTC (19 months ago) by ozaki-r
Branch: MAIN
Changes since 1.38: +2 -88 lines
Diff to previous 1.38 (unified)

Remove __FreeBSD__ and __NetBSD__ switches

No functional changes (except for a debug printf).

Note that there remain some __FreeBSD__ for sysctl knobs whose counterparts
in NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up
requires actual code changes.

Revision 1.38 / (download) - annotate - [select for diffs], Thu Apr 6 09:20:07 2017 UTC (19 months, 2 weeks ago) by ozaki-r
Branch: MAIN
CVS Tags: jdolecek-ncq-base, jdolecek-ncq
Changes since 1.37: +4 -2 lines
Diff to previous 1.37 (unified)

Prepare netipsec for rump-ification

- Include "opt_*.h" only if _KERNEL_OPT is defined
- Allow encapinit to be called twice (by ifinit and ipe4_attach)
  - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called
    it instead), however, on a rump kernel ipe4_attach may not be called
    even if IPSEC is enabled. So we need to allow ifinit to call it anyway
- Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP
- Call ip6flow_invalidate_all in key_spdadd only if in6_present
  - It's possible that a rump kernel loads the ipsec library but not
    the inet6 library

Revision 1.37 / (download) - annotate - [select for diffs], Mon Jan 16 07:33:36 2017 UTC (22 months ago) by ryo
Branch: MAIN
CVS Tags: pgoyette-localcount-20170320, nick-nhusb-base-20170204
Changes since 1.36: +6 -4 lines
Diff to previous 1.36 (unified)

Make ip6_sprintf(), in_fmtaddr(), lla_snprintf() and icmp6_redirect_diag() mpsafe.

Reviewed by ozaki-r@

Revision 1.36 / (download) - annotate - [select for diffs], Fri Jun 10 13:31:44 2016 UTC (2 years, 5 months ago) by ozaki-r
Branch: MAIN
CVS Tags: pgoyette-localcount-base, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, nick-nhusb-base-20161204, nick-nhusb-base-20161004, nick-nhusb-base-20160907, localcount-20160914, bouyer-socketcan-base
Branch point for: pgoyette-localcount, bouyer-socketcan
Changes since 1.35: +4 -3 lines
Diff to previous 1.35 (unified)

Avoid storing a pointer of an interface in a mbuf

Having a pointer of an interface in a mbuf isn't safe if we remove big
kernel locks; an interface object (ifnet) can be destroyed anytime in any
packet processing and accessing such object via a pointer is racy. Instead
we have to get an object from the interface collection (ifindex2ifnet) via
an interface index (if_index) that is stored to a mbuf instead of a
pointer.

The change provides two APIs: m_{get,put}_rcvif_psref that use psref(9)
for sleep-able critical sections and m_{get,put}_rcvif that use
pserialize(9) for other critical sections. The change also adds another
API called m_get_rcvif_NOMPSAFE, that is NOT MP-safe and for transition
moratorium, i.e., it is intended to be used for places that are not
planned to be MP-ified soon.

The change adds some overhead due to psref to performance sensitive paths,
however the overhead is not serious, 2% down at worst.

Proposed on tech-kern and tech-net.

Revision 1.35 / (download) - annotate - [select for diffs], Thu Jan 21 15:41:30 2016 UTC (2 years, 10 months ago) by riastradh
Branch: MAIN
CVS Tags: nick-nhusb-base-20160529, nick-nhusb-base-20160422, nick-nhusb-base-20160319
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (unified)

Revert previous: ran cvs commit when I meant cvs diff.  Sorry!

Hit up-arrow one too few times.

Revision 1.34 / (download) - annotate - [select for diffs], Thu Jan 21 15:27:48 2016 UTC (2 years, 10 months ago) by riastradh
Branch: MAIN
Changes since 1.33: +4 -4 lines
Diff to previous 1.33 (unified)

Give proper prototype to ip_output.

Revision 1.33 / (download) - annotate - [select for diffs], Mon Mar 30 03:51:50 2015 UTC (3 years, 7 months ago) by ozaki-r
Branch: MAIN
CVS Tags: nick-nhusb-base-20151226, nick-nhusb-base-20150921, nick-nhusb-base-20150606, nick-nhusb-base-20150406
Changes since 1.32: +2 -3 lines
Diff to previous 1.32 (unified)

Tidy up opt_ipsec.h inclusions

Some inclusions of opt_ipsec.h were for IPSEC_NAT_T and are now unnecessary.
Add inclusions to some C files for IPSEC_DEBUG.

Revision 1.32 / (download) - annotate - [select for diffs], Sat Mar 8 12:18:04 2014 UTC (4 years, 8 months ago) by ozaki-r
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, tls-earlyentropy, rmind-smpnet-nbase, rmind-smpnet-base, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, nick-nhusb-base, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-1-RELEASE, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE
Branch point for: nick-nhusb, netbsd-7-1, netbsd-7-0, netbsd-7
Changes since 1.31: +3 -3 lines
Diff to previous 1.31 (unified)

Mark a variable __diagused

Revision 1.31 / (download) - annotate - [select for diffs], Sun Nov 3 18:37:10 2013 UTC (5 years ago) by mrg
Branch: MAIN
Changes since 1.30: +3 -3 lines
Diff to previous 1.30 (unified)

- apply some __diagused
- remove unused variables
- move some variables inside their relevant use #ifdef

Revision 1.30 / (download) - annotate - [select for diffs], Tue Jun 4 22:47:37 2013 UTC (5 years, 5 months ago) by christos
Branch: MAIN
CVS Tags: riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2
Branch point for: rmind-smpnet
Changes since 1.29: +5 -13 lines
Diff to previous 1.29 (unified)

PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access
outdated pointers and pass ESP data to UDP-sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.

Revision 1.29 / (download) - annotate - [select for diffs], Wed Jan 25 21:58:10 2012 UTC (6 years, 9 months ago) by drochner
Branch: MAIN
CVS Tags: yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, khorben-n900, jmcneill-usbmp-base9, jmcneill-usbmp-base8, jmcneill-usbmp-base7, jmcneill-usbmp-base6, jmcneill-usbmp-base5, jmcneill-usbmp-base4, jmcneill-usbmp-base3, jmcneill-usbmp-base2, jmcneill-usbmp-base10, agc-symver-base, agc-symver
Branch point for: tls-maxphys, netbsd-6-1, netbsd-6-0, netbsd-6
Changes since 1.28: +21 -37 lines
Diff to previous 1.28 (unified)

After IPSEC input processing, pass a decoded/authenticated IPv4 packet
to upper layers through the IP protosw, as done for IPv6.
Before it was reinjected into the IP netisr queue which caused more
overhead and caused artefacts like double IP option processing.
Works well for me, should get more testing and review.

Revision 1.28 / (download) - annotate - [select for diffs], Sun Jul 17 20:54:54 2011 UTC (7 years, 4 months ago) by joerg
Branch: MAIN
CVS Tags: yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, jmcneill-usbmp-pre-base2, jmcneill-usbmp-base, jmcneill-audiomp3-base, jmcneill-audiomp3
Branch point for: yamt-pagecache, jmcneill-usbmp
Changes since 1.27: +2 -4 lines
Diff to previous 1.27 (unified)

Retire varargs.h support. Move machine/stdarg.h logic into MI
sys/stdarg.h and expect compiler to provide proper builtins, defaulting
to the GCC interface. lint still has a special fallback.
Reduce abuse of _BSD_VA_LIST_ by defining __va_list by default and
derive va_list as required by standards.

Revision 1.27 / (download) - annotate - [select for diffs], Mon Feb 21 22:54:45 2011 UTC (7 years, 9 months ago) by drochner
Branch: MAIN
CVS Tags: rmind-uvmplock-nbase, rmind-uvmplock-base, cherry-xenmp-base, cherry-xenmp, bouyer-quota2-nbase
Changes since 1.26: +7 -4 lines
Diff to previous 1.26 (unified)

adopt a fix from OpenBSD: when scanning the IPv6 header chain, take
into account that the extension header type is not in the extension
header itself but in the previous one -- this makes a difference
because (a) the length field is different for AH than for all others
and (b) the offset of the "next type" field isn't the same in primary
and extension headers.
(I didn't manage to trigger the bug in my tests, no extension headers
besides AH made it to that point. Didn't try hard enough -- the fix
is still valid.)

Revision 1.26 / (download) - annotate - [select for diffs], Fri Feb 18 16:10:11 2011 UTC (7 years, 9 months ago) by drochner
Branch: MAIN
Changes since 1.25: +7 -2 lines
Diff to previous 1.25 (unified)

deal with IPv6 address scope, so that SA lookup for
link-local addresses works
(PR kern/43071 is related, but refers to KAME IPSEC)

Revision 1.25 / (download) - annotate - [select for diffs], Thu Feb 17 20:20:18 2011 UTC (7 years, 9 months ago) by drochner
Branch: MAIN
Changes since 1.24: +7 -3 lines
Diff to previous 1.24 (unified)

handle some unlikely IPv6 error cases like everywhere else:
free mbuf, inc statcounter. from OpenBSD
being here, fix a diagnostic output

Revision 1.24 / (download) - annotate - [select for diffs], Wed Feb 16 18:39:33 2011 UTC (7 years, 9 months ago) by drochner
Branch: MAIN
CVS Tags: bouyer-quota2-base
Changes since 1.23: +5 -5 lines
Diff to previous 1.23 (unified)

remove some unnecessary pointer typecasts
(one was wrong on BE systems, but was harmless here because the
result is effectively unused)

Revision 1.23 / (download) - annotate - [select for diffs], Sat Apr 18 14:58:06 2009 UTC (9 years, 7 months ago) by tsutsui
Branch: MAIN
CVS Tags: yamt-nfs-mp-base9, yamt-nfs-mp-base8, yamt-nfs-mp-base7, yamt-nfs-mp-base6, yamt-nfs-mp-base5, yamt-nfs-mp-base4, yamt-nfs-mp-base3, yamt-nfs-mp-base11, yamt-nfs-mp-base10, uebayasi-xip-base4, uebayasi-xip-base3, uebayasi-xip-base2, uebayasi-xip-base1, uebayasi-xip-base, uebayasi-xip, nick-hppapmap-base4, nick-hppapmap-base3, nick-hppapmap-base, matt-premerge-20091211, matt-mips64-premerge-20101231, jymxensuspend-base, jym-xensuspend-nbase, jym-xensuspend-base, jruoho-x86intr-base
Branch point for: rmind-uvmplock, jruoho-x86intr, bouyer-quota2
Changes since 1.22: +4 -4 lines
Diff to previous 1.22 (unified)

Remove extra whitespace added by a stupid tool.
XXX: more in src/sys/arch

Revision 1.22 / (download) - annotate - [select for diffs], Wed Mar 18 17:06:52 2009 UTC (9 years, 8 months ago) by cegger
Branch: MAIN
Changes since 1.21: +4 -4 lines
Diff to previous 1.21 (unified)

bcopy -> memcpy

Revision 1.21 / (download) - annotate - [select for diffs], Wed Mar 18 16:00:23 2009 UTC (9 years, 8 months ago) by cegger
Branch: MAIN
Changes since 1.20: +4 -4 lines
Diff to previous 1.20 (unified)

bzero -> memset

Revision 1.20 / (download) - annotate - [select for diffs], Wed Apr 23 06:09:05 2008 UTC (10 years, 7 months ago) by thorpej
Branch: MAIN
CVS Tags: yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-nfs-mp-base2, yamt-nfs-mp-base, wrstuden-revivesa-base-4, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, simonb-wapbl-nbase, simonb-wapbl-base, simonb-wapbl, nick-hppapmap-base2, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, mjf-devfs2-base, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, hpcarm-cleanup-nbase, haad-nbase2, haad-dm-base2, haad-dm-base1, haad-dm-base, haad-dm, ad-audiomp2-base, ad-audiomp2
Branch point for: yamt-nfs-mp, nick-hppapmap, jym-xensuspend
Changes since 1.19: +56 -43 lines
Diff to previous 1.19 (unified)

Make IPSEC and FAST_IPSEC stats per-cpu.  Use <net/net_stats.h> and
netstat_sysctl().

Revision 1.19 / (download) - annotate - [select for diffs], Tue Apr 15 04:43:53 2008 UTC (10 years, 7 months ago) by thorpej
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base
Branch point for: yamt-pf42
Changes since 1.18: +5 -4 lines
Diff to previous 1.18 (unified)

Make ip6 and icmp6 stats per-cpu.

Revision 1.18 / (download) - annotate - [select for diffs], Tue Apr 8 23:37:43 2008 UTC (10 years, 7 months ago) by thorpej
Branch: MAIN
Changes since 1.17: +4 -4 lines
Diff to previous 1.17 (unified)

Change IPv6 stats from a structure to an array of uint64_t's.

Note: This is ABI-compatible with the old ip6stat structure; old netstat
binaries will continue to work properly.

Revision 1.17 / (download) - annotate - [select for diffs], Wed Jun 27 20:38:33 2007 UTC (11 years, 4 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-x86pmap-base4, yamt-x86pmap-base3, yamt-x86pmap-base2, yamt-x86pmap-base, yamt-x86pmap, yamt-lazymbuf-base15, yamt-lazymbuf-base14, yamt-kmem-base3, yamt-kmem-base2, yamt-kmem-base, yamt-kmem, vmlocking2-base3, vmlocking2-base2, vmlocking2-base1, vmlocking2, vmlocking-nbase, vmlocking-base, reinoud-bufcleanup-nbase, reinoud-bufcleanup-base, nick-net80211-sync-base, nick-net80211-sync, nick-csl-alignment-base5, nick-csl-alignment-base, nick-csl-alignment, mjf-ufs-trans-base, mjf-devfs-base, mjf-devfs, matt-mips64-base, matt-mips64, matt-armv6-prevmlocking, matt-armv6-nbase, matt-armv6-base, matt-armv6, keiichi-mipv6-nbase, keiichi-mipv6-base, keiichi-mipv6, jmcneill-pm-base, jmcneill-pm, jmcneill-base, hpcarm-cleanup-base, hpcarm-cleanup, cube-autoconf-base, cube-autoconf, bouyer-xeni386-nbase, bouyer-xeni386-merge1, bouyer-xeni386-base, bouyer-xeni386, bouyer-xenamd64-base2, bouyer-xenamd64-base, bouyer-xenamd64, ad-socklock-base1
Branch point for: mjf-devfs2
Changes since 1.16: +22 -5 lines
Diff to previous 1.16 (unified)

Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).

No objection on tech-net@

Revision 1.16 / (download) - annotate - [select for diffs], Sun Mar 4 21:17:54 2007 UTC (11 years, 8 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-idlelwp-base8, thorpej-atomic-base, thorpej-atomic, reinoud-bufcleanup
Branch point for: vmlocking, mjf-ufs-trans
Changes since 1.15: +15 -21 lines
Diff to previous 1.15 (unified)

Remove useless cast
Use NULL instead of (void*) 0

Revision 1.15 / (download) - annotate - [select for diffs], Sun Mar 4 06:03:29 2007 UTC (11 years, 8 months ago) by christos
Branch: MAIN
Changes since 1.14: +14 -14 lines
Diff to previous 1.14 (unified)

Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

Revision 1.14 / (download) - annotate - [select for diffs], Sat Feb 10 09:43:05 2007 UTC (11 years, 9 months ago) by degroote
Branch: MAIN
CVS Tags: ad-audiomp-base, ad-audiomp
Branch point for: yamt-idlelwp
Changes since 1.13: +13 -11 lines
Diff to previous 1.13 (unified)

Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packets with extension headers are not correctly
supported
Change the ipcomp logic

Revision 1.13 / (download) - annotate - [select for diffs], Thu Nov 16 01:33:49 2006 UTC (12 years ago) by christos
Branch: MAIN
CVS Tags: yamt-splraiseipl-base5, yamt-splraiseipl-base4, yamt-splraiseipl-base3, post-newlock2-merge, newlock2-nbase, newlock2-base, netbsd-4-base
Branch point for: wrstuden-fixsa, netbsd-4
Changes since 1.12: +3 -3 lines
Diff to previous 1.12 (unified)

__unused removal on arguments; approved by core.

Revision 1.12 / (download) - annotate - [select for diffs], Fri Oct 13 20:53:59 2006 UTC (12 years, 1 month ago) by christos
Branch: MAIN
CVS Tags: yamt-splraiseipl-base2
Changes since 1.11: +3 -3 lines
Diff to previous 1.11 (unified)

more __unused

Revision 1.11 / (download) - annotate - [select for diffs], Sun Dec 11 12:25:05 2005 UTC (12 years, 11 months ago) by christos
Branch: MAIN
CVS Tags: yamt-uio_vmspace-base5, yamt-uio_vmspace, yamt-splraiseipl-base, yamt-pdpolicy-base9, yamt-pdpolicy-base8, yamt-pdpolicy-base7, yamt-pdpolicy-base6, yamt-pdpolicy-base5, yamt-pdpolicy-base4, yamt-pdpolicy-base3, yamt-pdpolicy-base2, yamt-pdpolicy-base, yamt-pdpolicy, simonb-timecounters-base, simonb-timecounters, simonb-timcounters-final, rpaulo-netinet-merge-pcb-base, rpaulo-netinet-merge-pcb, peter-altq-base, peter-altq, gdamore-uart-base, gdamore-uart, elad-kernelauth-base, elad-kernelauth, chap-midi-nbase, chap-midi-base, chap-midi, abandoned-netbsd-4-base, abandoned-netbsd-4
Branch point for: yamt-splraiseipl, newlock2
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (unified)

merge ktrace-lwp.

Revision 1.10 / (download) - annotate - [select for diffs], Sat Feb 26 22:45:13 2005 UTC (13 years, 8 months ago) by perry
Branch: MAIN
CVS Tags: yamt-vop-base3, yamt-vop-base2, yamt-vop-base, yamt-vop, yamt-readahead-pervnode, yamt-readahead-perfile, yamt-readahead-base3, yamt-readahead-base2, yamt-readahead-base, yamt-readahead, yamt-km-base4, yamt-km-base3, thorpej-vnode-attr-base, thorpej-vnode-attr, netbsd-3-base, netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0, netbsd-3, ktrace-lwp-base, kent-audio2-base
Branch point for: yamt-lazymbuf
Changes since 1.9: +3 -3 lines
Diff to previous 1.9 (unified)

nuke trailing whitespace

Revision 1.9 / (download) - annotate - [select for diffs], Sat Apr 24 23:28:13 2004 UTC (14 years, 7 months ago) by jonathan
Branch: MAIN
CVS Tags: yamt-km-base2, yamt-km-base, kent-audio1-beforemerge, kent-audio1-base, kent-audio1
Branch point for: yamt-km, ktrace-lwp, kent-audio2
Changes since 1.8: +3 -3 lines
Diff to previous 1.8 (unified)

Add `const' to the safety-catch local definition of ip6_protosw,
to match sys/netinet6/ip6protosw.

Revision 1.8 / (download) - annotate - [select for diffs], Sat Mar 20 02:57:48 2004 UTC (14 years, 8 months ago) by jonathan
Branch: MAIN
CVS Tags: netbsd-2-base, netbsd-2-1-RELEASE, netbsd-2-1-RC6, netbsd-2-1-RC5, netbsd-2-1-RC4, netbsd-2-1-RC3, netbsd-2-1-RC2, netbsd-2-1-RC1, netbsd-2-1, netbsd-2-0-base, netbsd-2-0-RELEASE, netbsd-2-0-RC5, netbsd-2-0-RC4, netbsd-2-0-RC3, netbsd-2-0-RC2, netbsd-2-0-RC1, netbsd-2-0-3-RELEASE, netbsd-2-0-2-RELEASE, netbsd-2-0-1-RELEASE, netbsd-2-0, netbsd-2
Changes since 1.7: +9 -2 lines
Diff to previous 1.7 (unified)

Temporarily ifdef out sys/netipsec/ipsec_input.c:esp6_ctlinput(),
as there is a duplicate version in (my) ipsec_netbsd.c, with somewhat
newer IP-multicast tests.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Mar 1 23:20:53 2004 UTC (14 years, 8 months ago) by thorpej
Branch: MAIN
Changes since 1.6: +40 -4 lines
Diff to previous 1.6 (unified)

Add missing copyright notices (FreeBSD rev 1.2.4.2).

Revision 1.6 / (download) - annotate - [select for diffs], Mon Oct 6 22:05:15 2003 UTC (15 years, 1 month ago) by tls
Branch: MAIN
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (unified)

Reversion of "netkey merge", part 2 (replacement of removed files in the
repository by christos was part 1).  netipsec should now be back as it
was on 2003-09-11, with some very minor changes:

1) Some residual platform-dependent code was moved from ipsec.h to
   ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined.  ipsec.h
   now includes ipsec_osdep.h

2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has
   been left in place (it's arguable which name is less confusing but the
   rename is pretty harmless).

3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN
   is invalid and GCC 3 won't compile it.

An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now
gets through "make depend" but fails to build with errors in ip_input.c.
But it's better than it was (thank heaven for small favors).

Revision 1.5 / (download) - annotate - [select for diffs], Fri Sep 12 11:20:58 2003 UTC (15 years, 2 months ago) by itojun
Branch: MAIN
Changes since 1.4: +4 -4 lines
Diff to previous 1.4 (unified)

merge netipsec/key* into netkey/key*.  no need for both.
change confusing filename

Revision 1.4 / (download) - annotate - [select for diffs], Wed Aug 20 22:33:40 2003 UTC (15 years, 3 months ago) by jonathan
Branch: MAIN
Changes since 1.3: +4 -2 lines
Diff to previous 1.3 (unified)

opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Aug 15 17:14:31 2003 UTC (15 years, 3 months ago) by jonathan
Branch: MAIN
Changes since 1.2: +5 -2 lines
Diff to previous 1.2 (unified)

Fix bug with IP_DF handling which was breaking TCP: on FreeBSD, ip_off
is assumed to be in host byteorder during the input(?) path.  NetBSD
keeps ip_off and ip_len in network order.  Add (or remove) byteswaps
accordingly.  TCP over fast_ipsec now works with PMTU, as well as without.

Revision 1.2 / (download) - annotate - [select for diffs], Fri Aug 15 03:50:21 2003 UTC (15 years, 3 months ago) by jonathan
Branch: MAIN
Changes since 1.1: +4 -4 lines
Diff to previous 1.1 (unified)

Change ipsec4_common_input() to return void (not int with errno,
as in FreeBSD), to match NetBSD protosw prototype.

Revision 1.1 / (download) - annotate - [select for diffs], Wed Aug 13 20:06:50 2003 UTC (15 years, 3 months ago) by jonathan
Branch: MAIN

Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4.
Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the
OpenCryptoFramework (and thus hardware crypto accelerators) and
numerous detailed performance improvements.

This import is (aside from SPL-level names) the FreeBSD source,
imported ``as-is'' as a historical snapshot, for future maintenance
and comparison against the FreeBSD source.  For now, several minor
kernel-API differences are hidden by macros in a shim file, ipsec_osdep.h,
which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.

CVSweb <webmaster@jp.NetBSD.org>