The NetBSD Project

CVS log for src/sys/netipsec/xform_ipcomp.c


Default branch: MAIN
Current tag: MAIN


Revision 1.69 / (download) - annotate - [select for diffs], Fri Nov 1 04:23:21 2019 UTC (23 months, 3 weeks ago) by knakahara
Branch: MAIN
CVS Tags: thorpej-i2c-spi-conf2-base, thorpej-i2c-spi-conf2, thorpej-i2c-spi-conf-base, thorpej-i2c-spi-conf, thorpej-futex2-base, thorpej-futex2, thorpej-futex-base, thorpej-futex, thorpej-cfargs2-base, thorpej-cfargs2, thorpej-cfargs-base, thorpej-cfargs, phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, is-mlppp-base, is-mlppp, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, bouyer-xenpvh-base2, bouyer-xenpvh-base1, bouyer-xenpvh-base, bouyer-xenpvh, ad-namecache-base3, ad-namecache-base2, ad-namecache-base1, ad-namecache-base, ad-namecache, HEAD
Changes since 1.68: +8 -6 lines

Fix ipsecif(4) IPV6_MINMTU does not work correctly.

Revision 1.68 / (download) - annotate - [select for diffs], Wed Jun 12 22:23:50 2019 UTC (2 years, 4 months ago) by christos
Branch: MAIN
CVS Tags: netbsd-9-base, netbsd-9-2-RELEASE, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-9
Changes since 1.67: +31 -34 lines

make DPRINTF use variadic cpp macros, and merge with IPSECLOG.

Revision 1.67 / (download) - annotate - [select for diffs], Sun Jan 27 02:08:48 2019 UTC (2 years, 8 months ago) by pgoyette
Branch: MAIN
CVS Tags: phil-wifi-20190609, isaki-audio2-base, isaki-audio2
Changes since 1.66: +2 -2 lines

Merge the [pgoyette-compat] branch

Revision 1.66 / (download) - annotate - [select for diffs], Sun May 13 18:34:59 2018 UTC (3 years, 5 months ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521
Branch point for: phil-wifi
Changes since 1.65: +2 -7 lines

Remove unused calls to nat_t_ports_get.

Revision 1.65 / (download) - annotate - [select for diffs], Mon May 7 09:16:46 2018 UTC (3 years, 5 months ago) by maxv
Branch: MAIN
Changes since 1.64: +3 -3 lines

Remove unused 'mp' argument from all the xf_output functions. Also clean
up xform.h a bit.

Revision 1.64 / (download) - annotate - [select for diffs], Tue May 1 08:13:37 2018 UTC (3 years, 5 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0502
Changes since 1.63: +2 -3 lines

Remove double include, opencrypto/xform.h is already included in
netipsec/xform.h.

Revision 1.63 / (download) - annotate - [select for diffs], Sat Apr 28 15:45:16 2018 UTC (3 years, 5 months ago) by maxv
Branch: MAIN
Changes since 1.62: +2 -4 lines

Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.

Revision 1.62 / (download) - annotate - [select for diffs], Thu Apr 19 08:27:39 2018 UTC (3 years, 6 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0422
Changes since 1.61: +3 -3 lines

Remove extra long file paths from the headers.

Revision 1.61 / (download) - annotate - [select for diffs], Thu Apr 19 07:58:26 2018 UTC (3 years, 6 months ago) by maxv
Branch: MAIN
Changes since 1.60: +11 -6 lines

Add a KASSERT (which is not triggerable since ipsec_common_input already
ensures 8 bytes are present), add an XXX (about the fact that it is
better to use m_copydata, because it is faster and less error-prone), and
improve two m_copybacks (remove useless casts).

Revision 1.60 / (download) - annotate - [select for diffs], Sat Mar 10 17:48:32 2018 UTC (3 years, 7 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Changes since 1.59: +3 -3 lines

Fix the computation. Normally that's harmless since ip6_output recomputes
ip6_plen.

Revision 1.59 / (download) - annotate - [select for diffs], Fri Feb 16 09:24:55 2018 UTC (3 years, 8 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-base
Branch point for: pgoyette-compat
Changes since 1.58: +2 -8 lines

Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs.
Discussed with ozaki-r@.

Revision 1.58 / (download) - annotate - [select for diffs], Fri Feb 16 09:07:50 2018 UTC (3 years, 8 months ago) by maxv
Branch: MAIN
Changes since 1.57: +2 -4 lines

Remove some more FreeBSD sysctl declarations that already have NetBSD
counterparts. Discussed with ozaki-r@.

Revision 1.57 / (download) - annotate - [select for diffs], Thu Feb 15 13:51:32 2018 UTC (3 years, 8 months ago) by maxv
Branch: MAIN
Changes since 1.56: +37 -38 lines

Style and simplify.

Revision 1.56 / (download) - annotate - [select for diffs], Thu Feb 15 04:24:32 2018 UTC (3 years, 8 months ago) by ozaki-r
Branch: MAIN
Changes since 1.55: +2 -32 lines

Don't relook up an SP/SA in opencrypto callbacks

We don't need to do so because we have a reference to it. And also
relooking-up one there may return an sp/sav that has different
parameters from an original one.

Revision 1.55 / (download) - annotate - [select for diffs], Wed Feb 14 09:13:03 2018 UTC (3 years, 8 months ago) by ozaki-r
Branch: MAIN
Changes since 1.54: +20 -20 lines

Dedup common codes in error paths (NFCI)

Revision 1.54 / (download) - annotate - [select for diffs], Wed Feb 14 08:59:23 2018 UTC (3 years, 8 months ago) by ozaki-r
Branch: MAIN
Changes since 1.53: +3 -2 lines

Fix mbuf leaks on error paths

Pointed out by maxv@

Revision 1.53 / (download) - annotate - [select for diffs], Tue Oct 3 08:56:52 2017 UTC (4 years ago) by ozaki-r
Branch: MAIN
CVS Tags: tls-maxphys-base-20171202
Changes since 1.52: +4 -4 lines

Constify isr at many places (NFC)

Revision 1.52 / (download) - annotate - [select for diffs], Thu Aug 10 06:33:51 2017 UTC (4 years, 2 months ago) by ozaki-r
Branch: MAIN
CVS Tags: nick-nhusb-base-20170825
Changes since 1.51: +15 -14 lines

Use pool_cache(9) instead of pool(9) for tdb_crypto objects

The change improves network throughput especially on multi-core systems.

Revision 1.51 / (download) - annotate - [select for diffs], Wed Aug 9 09:48:11 2017 UTC (4 years, 2 months ago) by ozaki-r
Branch: MAIN
Changes since 1.50: +25 -5 lines

MP-ify SAD (savlist)

localcount(9) is used to protect savlist of sah. The basic design is
similar to MP-ifications of SPD and SAD sahlist. Please read the
locking notes of SAD for more details.

Revision 1.50 / (download) - annotate - [select for diffs], Thu Aug 3 06:32:51 2017 UTC (4 years, 2 months ago) by ozaki-r
Branch: MAIN
Changes since 1.49: +9 -9 lines

Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future

KEY_SA_UNREF is still key_freesav so no functional change for now.

This change reduces diff of further changes.

Revision 1.49 / (download) - annotate - [select for diffs], Wed Aug 2 01:28:03 2017 UTC (4 years, 2 months ago) by ozaki-r
Branch: MAIN
Changes since 1.48: +20 -5 lines

Make IPsec SPD MP-safe

We use localcount(9), not psref(9), to make the sptree and secpolicy (SP)
entries MP-safe because SPs need to be referenced over opencrypto
processing that executes a callback in a different context.

SPs on sockets aren't managed by the sptree and can be destroyed in softint.
localcount_drain cannot be used in softint so we delay the destruction of
such SPs to a thread context. To do so, a list to manage such SPs is added
(key_socksplist) and key_timehandler_spd deletes dead SPs in the list.

For more details please read the locking notes in key.c.

Proposed on tech-kern@ and tech-net@

Revision 1.48 / (download) - annotate - [select for diffs], Thu Jul 27 06:59:28 2017 UTC (4 years, 2 months ago) by ozaki-r
Branch: MAIN
Changes since 1.47: +14 -21 lines

Don't acquire global locks for IPsec if NET_MPSAFE

Note that the change is just to make testing easy and IPsec isn't MP-safe yet.

Revision 1.47 / (download) - annotate - [select for diffs], Thu Jul 20 08:07:14 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.46: +15 -9 lines

Use pool to allocate tdb_crypto

For ESP and AH, we need to allocate an extra variable space in addition
to struct tdb_crypto. The fixed size of pool items may be larger than
an actual requisite size of a buffer, but still the performance
improvement by replacing malloc with pool wins.

Revision 1.46 / (download) - annotate - [select for diffs], Wed Jul 19 10:26:09 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.45: +13 -2 lines

Hold a reference to an SP during opencrypto processing

An SP has a list of isr (ipsecrequest) that represents a sequence
of IPsec encryption/authentication processing. One isr corresponds
to one opencrypto processing. The lifetime of an isr follows its SP.

We pass an isr to a callback function of opencrypto to continue
to a next encryption/authentication processing. However nobody
guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.

In order to avoid such unexpected destruction of isr, hold a reference
to its SP during opencrypto processing.

Revision 1.45 / (download) - annotate - [select for diffs], Wed Jul 19 09:38:57 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.44: +4 -16 lines

Don't bother the case of crp->crp_buf == NULL in callbacks

Revision 1.44 / (download) - annotate - [select for diffs], Wed Jul 19 09:03:08 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.43: +2 -3 lines

Don't release sav if calling crypto_dispatch again

Revision 1.43 / (download) - annotate - [select for diffs], Fri Jul 14 12:26:26 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
CVS Tags: perseant-stdc-iso10646-base, perseant-stdc-iso10646
Changes since 1.42: +6 -8 lines

Prepare to stop using isr->sav

isr is a shared resource and using isr->sav as a temporal storage
for each packet processing is racy. And also having a reference from
isr to sav makes the lifetime of sav non-deterministic; such a reference
is removed when a packet is processed and isr->sav is overwritten by
new one. Let's have a sav locally for each packet processing instead of
using shared isr->sav.

However this change doesn't stop using isr->sav yet because there are
some users of isr->sav. isr->sav will be removed after the users find
a way to not use isr->sav.

Revision 1.42 / (download) - annotate - [select for diffs], Fri Jul 14 01:24:23 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.41: +29 -16 lines

Pass sav directly to opencrypto callback

In a callback, use a passed sav as-is by default and look up a sav
only if the passed sav is dead.

Revision 1.41 / (download) - annotate - [select for diffs], Fri Jul 7 01:37:34 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.40: +4 -4 lines

Rename key_alloc* functions (NFC)

We shouldn't use the term "alloc" for functions that just look up
data and actually don't allocate memory.

Revision 1.40 / (download) - annotate - [select for diffs], Wed Jul 5 03:44:59 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.39: +8 -10 lines

Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE

It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters
that have IPsec accelerators; a driver sets the mtag to a packet
when its device has already encrypted the packet.

Unfortunately no driver implements such offload features for long
years and seems unlikely to implement them soon. (Note that neither
FreeBSD nor Linux has such drivers.) Let's remove related
(unused) codes and simplify the IPsec code.

Revision 1.39 / (download) - annotate - [select for diffs], Thu Jun 29 07:13:41 2017 UTC (4 years, 3 months ago) by ozaki-r
Branch: MAIN
Changes since 1.38: +10 -6 lines

Apply C99-style struct initialization to xformsw

Revision 1.38 / (download) - annotate - [select for diffs], Thu May 11 05:55:14 2017 UTC (4 years, 5 months ago) by ryo
Branch: MAIN
CVS Tags: prg-localcount2-base3, netbsd-8-base
Branch point for: netbsd-8
Changes since 1.37: +16 -12 lines

Make ipsec_address() and ipsec_logsastr() mpsafe.

Revision 1.37 / (download) - annotate - [select for diffs], Wed Apr 19 03:39:14 2017 UTC (4 years, 6 months ago) by ozaki-r
Branch: MAIN
CVS Tags: prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, pgoyette-localcount-20170426, bouyer-socketcan-base1
Branch point for: prg-localcount2
Changes since 1.36: +3 -5 lines

Retire ipsec_osdep.h

We don't need to care about other OSes (FreeBSD) anymore.

Some macros are alive in ipsec_private.h.

Revision 1.36 / (download) - annotate - [select for diffs], Tue Apr 18 05:26:42 2017 UTC (4 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.35: +10 -13 lines

Convert IPSEC_ASSERT to KASSERT or KASSERTMSG

IPSEC_ASSERT just discarded specified message...

Revision 1.35 / (download) - annotate - [select for diffs], Tue Apr 18 05:25:32 2017 UTC (4 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.34: +2 -9 lines

Remove __FreeBSD__ and __NetBSD__ switches

No functional changes (except for a debug printf).

Note that there remain some __FreeBSD__ for sysctl knobs which counterparts
to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up
requires actual code changes.

Revision 1.34 / (download) - annotate - [select for diffs], Sat Apr 15 22:01:57 2017 UTC (4 years, 6 months ago) by christos
Branch: MAIN
Changes since 1.33: +60 -54 lines

cosmetic fixes:
	- __func__ in printfs
	- no space after sizeof
	- eliminate useless casts
	- u_intX_t -> uintX_t

Revision 1.33 / (download) - annotate - [select for diffs], Thu Apr 13 16:38:32 2017 UTC (4 years, 6 months ago) by christos
Branch: MAIN
Changes since 1.32: +6 -6 lines

Redo the statistics through an indirection array and put the definitions
of the arrays in pfkeyv2.h so that they are next to the index definitions.
Remove "bogus" comment about compressing the statistics which is now fixed.

Revision 1.32 / (download) - annotate - [select for diffs], Thu Apr 6 09:20:07 2017 UTC (4 years, 6 months ago) by ozaki-r
Branch: MAIN
CVS Tags: jdolecek-ncq-base, jdolecek-ncq
Changes since 1.31: +4 -2 lines

Prepare netipsec for rump-ification

- Include "opt_*.h" only if _KERNEL_OPT is defined
- Allow encapinit to be called twice (by ifinit and ipe4_attach)
  - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called
    it instead), however, on a rump kernel ipe4_attach may not be called
    even if IPSEC is enabled. So we need to allow ifinit to call it anyway
- Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP
- Call ip6flow_invalidate_all in key_spdadd only if in6_present
  - It's possible that a rump kernel loads the ipsec library but not
    the inet6 library

Revision 1.31 / (download) - annotate - [select for diffs], Sun Nov 3 18:37:10 2013 UTC (7 years, 11 months ago) by mrg
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, tls-earlyentropy, rmind-smpnet-nbase, rmind-smpnet-base, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, pgoyette-localcount-base, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, nick-nhusb-base-20170204, nick-nhusb-base-20161204, nick-nhusb-base-20161004, nick-nhusb-base-20160907, nick-nhusb-base-20160529, nick-nhusb-base-20160422, nick-nhusb-base-20160319, nick-nhusb-base-20151226, nick-nhusb-base-20150921, nick-nhusb-base-20150606, nick-nhusb-base-20150406, nick-nhusb-base, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, localcount-20160914, bouyer-socketcan-base
Branch point for: pgoyette-localcount, nick-nhusb, bouyer-socketcan
Changes since 1.30: +3 -8 lines

- apply some __diagused
- remove unused variables
- move some variables inside their relevant use #ifdef

Revision 1.30 / (download) - annotate - [select for diffs], Tue Jun 4 22:47:37 2013 UTC (8 years, 4 months ago) by christos
Branch: MAIN
CVS Tags: riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2
Branch point for: rmind-smpnet
Changes since 1.29: +5 -13 lines

PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access
outdated pointers and pass ESP data to UDP-sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.

Revision 1.29 / (download) - annotate - [select for diffs], Wed Jan 25 20:31:23 2012 UTC (9 years, 9 months ago) by drochner
Branch: MAIN
CVS Tags: yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, khorben-n900, jmcneill-usbmp-base9, jmcneill-usbmp-base8, jmcneill-usbmp-base7, jmcneill-usbmp-base6, jmcneill-usbmp-base5, jmcneill-usbmp-base4, jmcneill-usbmp-base3, jmcneill-usbmp-base2, jmcneill-usbmp-base10, agc-symver-base, agc-symver
Branch point for: tls-maxphys
Changes since 1.28: +15 -4 lines

Make sure the mbufs in the input path (only the parts which we are going
to modify in the AH case) are writable/non-shared.
This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient
patch from that time by a radical solution.
(The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c,
so it needs a network driver modification to reproduce it.)
Being here, clarify a bit of ipcomp -- uncompression is done in-place,
the header must be removed explicitly.

Revision 1.28 / (download) - annotate - [select for diffs], Fri May 6 21:48:46 2011 UTC (10 years, 5 months ago) by drochner
Branch: MAIN
CVS Tags: yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, rmind-uvmplock-nbase, rmind-uvmplock-base, jmcneill-usbmp-pre-base2, jmcneill-usbmp-base, jmcneill-audiomp3-base, jmcneill-audiomp3, cherry-xenmp-base, cherry-xenmp
Branch point for: yamt-pagecache, jmcneill-usbmp
Changes since 1.27: +2 -6 lines

As a first step towards more fine-grained locking, don't require
crypto_{new.free}session() to be called with the "crypto_mtx"
spinlock held.
This doesn't change much for now because these functions acquire
the said mutex first on entry now, but at least it keeps the nasty
locks local to the opencrypto core.

Revision 1.27 / (download) - annotate - [select for diffs], Thu May 5 20:15:15 2011 UTC (10 years, 5 months ago) by drochner
Branch: MAIN
Changes since 1.26: +3 -3 lines

fix C&P botch in diagnostic printfs

Revision 1.26 / (download) - annotate - [select for diffs], Fri Apr 1 08:29:29 2011 UTC (10 years, 6 months ago) by spz
Branch: MAIN
Changes since 1.25: +10 -2 lines

mitigation for CVE-2011-1547

Revision 1.25 / (download) - annotate - [select for diffs], Thu Feb 24 20:03:41 2011 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
CVS Tags: bouyer-quota2-nbase
Changes since 1.24: +4 -3 lines

small modifications in dealing with the unknown result size of compression/
decompression:
-separate the IPCOMP specific rule that compression must not grow the
 data from general compression semantics: Introduce a special name
 CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe
 the IPCOMP semantics and use it there. (being here, fix the check
 so that equal size is considered failure as well as required by
 RFC2393)
 Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get
 deflated data back, even if they are not smaller than the original.
-allow to pass a "size hint" to the DEFLATE decompression function
 which is used for the initial buffer allocation. Due to the changes
 done there, additional allocations and extra copies are avoided if the
 initial allocation is sufficient. Set the size hint to MCLBYTES (=2k)
 in IPCOMP which should be good for many use cases.

Revision 1.24 / (download) - annotate - [select for diffs], Fri Feb 18 20:40:58 2011 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.23: +6 -6 lines

more "const"

Revision 1.23 / (download) - annotate - [select for diffs], Fri Feb 18 19:06:45 2011 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.22: +4 -4 lines

sprinkle some "const", documenting that the SA is not supposed to
change during an xform operation

Revision 1.22 / (download) - annotate - [select for diffs], Mon Feb 14 13:43:45 2011 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
CVS Tags: bouyer-quota2-base
Changes since 1.21: +10 -10 lines

change locking order, to make sure the cpu is at splsoftnet()
before the softnet_lock (adaptive) mutex is acquired, from
Wolfgang Stukenbrock, should fix a recursive lock panic

Revision 1.21 / (download) - annotate - [select for diffs], Thu Feb 10 20:24:27 2011 UTC (10 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.20: +11 -2 lines

-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock
 everywhere splsoftnet() was used before, to fix MP concurrency problems
-pull KERNEL_LOCK where ip(6)_output() is called, as this is what
 the network stack (unfortunately) expects, in particular to avoid
 races for packets in the interface send queues
From Wolfgang Stukenbrock per PR kern/44418, with the application
of KERNEL_LOCK to what I think are the essential points, tested
on a dual-core i386.

Revision 1.20 / (download) - annotate - [select for diffs], Tue Sep 21 13:41:18 2010 UTC (11 years, 1 month ago) by degroote
Branch: MAIN
CVS Tags: yamt-nfs-mp-base11, uebayasi-xip-base4, uebayasi-xip-base3, matt-mips64-premerge-20101231, jruoho-x86intr-base
Branch point for: jruoho-x86intr, bouyer-quota2
Changes since 1.19: +6 -2 lines

Fix ipcomp input counter

Reported by Wolfgang Stukenbrock in pr/43250.

Revision 1.19 / (download) - annotate - [select for diffs], Wed Mar 18 16:00:23 2009 UTC (12 years, 7 months ago) by cegger
Branch: MAIN
CVS Tags: yamt-nfs-mp-base9, yamt-nfs-mp-base8, yamt-nfs-mp-base7, yamt-nfs-mp-base6, yamt-nfs-mp-base5, yamt-nfs-mp-base4, yamt-nfs-mp-base3, yamt-nfs-mp-base10, uebayasi-xip-base2, uebayasi-xip-base1, uebayasi-xip-base, nick-hppapmap-base4, nick-hppapmap-base3, nick-hppapmap-base, matt-premerge-20091211, jymxensuspend-base, jym-xensuspend-nbase, jym-xensuspend-base
Branch point for: uebayasi-xip, rmind-uvmplock
Changes since 1.18: +3 -3 lines

bzero -> memset

Revision 1.18 / (download) - annotate - [select for diffs], Wed Apr 23 06:09:05 2008 UTC (13 years, 6 months ago) by thorpej
Branch: MAIN
CVS Tags: yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-nfs-mp-base2, yamt-nfs-mp-base, wrstuden-revivesa-base-4, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, simonb-wapbl-nbase, simonb-wapbl-base, simonb-wapbl, nick-hppapmap-base2, netbsd-5-base, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, mjf-devfs2-base, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, hpcarm-cleanup-nbase, haad-nbase2, haad-dm-base2, haad-dm-base1, haad-dm-base, haad-dm, ad-audiomp2-base, ad-audiomp2
Branch point for: yamt-nfs-mp, nick-hppapmap, netbsd-5-1, netbsd-5-0, netbsd-5, jym-xensuspend
Changes since 1.17: +29 -26 lines

Make IPSEC and FAST_IPSEC stats per-cpu.  Use <net/net_stats.h> and
netstat_sysctl().

Revision 1.17 / (download) - annotate - [select for diffs], Mon Feb 4 00:35:35 2008 UTC (13 years, 8 months ago) by tls
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base, yamt-lazymbuf-base15, yamt-lazymbuf-base14, nick-net80211-sync-base, nick-net80211-sync, mjf-devfs-base, matt-armv6-nbase, keiichi-mipv6-nbase, keiichi-mipv6-base, keiichi-mipv6, hpcarm-cleanup-base, ad-socklock-base1
Branch point for: yamt-pf42, mjf-devfs2
Changes since 1.16: +9 -3 lines

Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto"
(actually splnet) and condvars instead of tsleep/wakeup.  Fix a few
miscellaneous problems and add some debugging printfs while there.

Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some
point after this code came from FreeBSD -- it made it impossible to wait
properly for a condition.

Add flags analogous to the "crp" flags to the key operation's krp struct.
Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before
the kthread had a chance to dequeue it and call its callback -- this was
letting requests stick on the queues before even though done and copied
out.

Callers of crypto_newsession() or crypto_freesession() must now take the
mutex.  Change netipsec to do so.  Dispatch takes the mutex itself as
needed.

This was tested fairly extensively with the cryptosoft backend and lightly
with a new hardware driver.  It has not been tested with FAST_IPSEC; I am
unable to ascertain whether FAST_IPSEC currently works at all in our tree.

pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the
right direction several times in the course of this.  Remaining bugs
are mine alone.

Revision 1.16 / (download) - annotate - [select for diffs], Sat Dec 29 14:56:35 2007 UTC (13 years, 9 months ago) by degroote
Branch: MAIN
CVS Tags: matt-armv6-base, bouyer-xeni386-nbase, bouyer-xeni386-base
Changes since 1.15: +6 -3 lines

Add some statistics for case where compression is not useful
(when len(compressed packet) > len(initial packet))

Revision 1.15 / (download) - annotate - [select for diffs], Sat Sep 22 23:33:18 2007 UTC (14 years, 1 month ago) by degroote
Branch: MAIN
CVS Tags: yamt-x86pmap-base4, yamt-x86pmap-base3, yamt-x86pmap-base2, yamt-x86pmap-base, yamt-x86pmap, yamt-kmem-base3, yamt-kmem-base2, yamt-kmem-base, yamt-kmem, vmlocking2-base3, vmlocking2-base2, vmlocking2-base1, vmlocking2, vmlocking-nbase, vmlocking-base, reinoud-bufcleanup-nbase, reinoud-bufcleanup-base, jmcneill-pm-base, jmcneill-base, cube-autoconf-base, cube-autoconf, bouyer-xenamd64-base2, bouyer-xenamd64-base, bouyer-xenamd64
Branch point for: mjf-devfs, bouyer-xeni386
Changes since 1.14: +3 -3 lines

Fix my previous stupid caddr_t fix.

Revision 1.14 / (download) - annotate - [select for diffs], Wed Jun 27 20:38:33 2007 UTC (14 years, 4 months ago) by degroote
Branch: MAIN
CVS Tags: nick-csl-alignment-base5, nick-csl-alignment-base, nick-csl-alignment, mjf-ufs-trans-base, matt-mips64-base, matt-mips64, hpcarm-cleanup
Branch point for: matt-armv6, jmcneill-pm
Changes since 1.13: +17 -4 lines

Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).

No objection on tech-net@

Revision 1.13 / (download) - annotate - [select for diffs], Sun Mar 4 21:17:55 2007 UTC (14 years, 7 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-idlelwp-base8, thorpej-atomic-base, thorpej-atomic, reinoud-bufcleanup
Branch point for: vmlocking, mjf-ufs-trans
Changes since 1.12: +6 -6 lines

Remove useless cast
Use NULL instead of (void*) 0

Revision 1.12 / (download) - annotate - [select for diffs], Sun Mar 4 19:54:49 2007 UTC (14 years, 7 months ago) by degroote
Branch: MAIN
Changes since 1.11: +4 -4 lines

Fix fallout from caddr_t changes

Revision 1.11 / (download) - annotate - [select for diffs], Sun Mar 4 06:03:30 2007 UTC (14 years, 7 months ago) by christos
Branch: MAIN
Changes since 1.10: +9 -9 lines

Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

Revision 1.10 / (download) - annotate - [select for diffs], Fri Feb 23 19:35:25 2007 UTC (14 years, 8 months ago) by degroote
Branch: MAIN
CVS Tags: ad-audiomp-base, ad-audiomp
Changes since 1.9: +4 -3 lines

Oops, I forgot to commit some bits last time

fast_ipsec and ipcomp work better now.

Revision 1.9 / (download) - annotate - [select for diffs], Sat Feb 10 09:43:05 2007 UTC (14 years, 8 months ago) by degroote
Branch: MAIN
Branch point for: yamt-idlelwp
Changes since 1.8: +59 -46 lines

Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packets with extension headers are not correctly
supported
Change the ipcomp logic

Revision 1.8 / (download) - annotate - [select for diffs], Thu Nov 16 01:33:49 2006 UTC (14 years, 11 months ago) by christos
Branch: MAIN
CVS Tags: yamt-splraiseipl-base5, yamt-splraiseipl-base4, yamt-splraiseipl-base3, post-newlock2-merge, newlock2-nbase, newlock2-base, netbsd-4-base
Branch point for: wrstuden-fixsa, netbsd-4
Changes since 1.7: +3 -3 lines

__unused removal on arguments; approved by core.

Revision 1.7 / (download) - annotate - [select for diffs], Fri Oct 13 20:53:59 2006 UTC (15 years ago) by christos
Branch: MAIN
CVS Tags: yamt-splraiseipl-base2
Changes since 1.6: +9 -8 lines

more __unused

Revision 1.6 / (download) - annotate - [select for diffs], Sun Dec 11 12:25:06 2005 UTC (15 years, 10 months ago) by christos
Branch: MAIN
CVS Tags: yamt-uio_vmspace-base5, yamt-uio_vmspace, yamt-splraiseipl-base, yamt-pdpolicy-base9, yamt-pdpolicy-base8, yamt-pdpolicy-base7, yamt-pdpolicy-base6, yamt-pdpolicy-base5, yamt-pdpolicy-base4, yamt-pdpolicy-base3, yamt-pdpolicy-base2, yamt-pdpolicy-base, yamt-pdpolicy, simonb-timecounters-base, simonb-timecounters, simonb-timcounters-final, rpaulo-netinet-merge-pcb-base, rpaulo-netinet-merge-pcb, peter-altq-base, peter-altq, gdamore-uart-base, gdamore-uart, elad-kernelauth-base, elad-kernelauth, chap-midi-nbase, chap-midi-base, chap-midi, abandoned-netbsd-4-base, abandoned-netbsd-4
Branch point for: yamt-splraiseipl, newlock2
Changes since 1.5: +2 -2 lines
Diff to previous 1.5 (colored)

merge ktrace-lwp.

Revision 1.5 / (download) - annotate - [select for diffs], Sat Feb 26 22:45:13 2005 UTC (16 years, 8 months ago) by perry
Branch: MAIN
CVS Tags: yamt-vop-base3, yamt-vop-base2, yamt-vop-base, yamt-vop, yamt-readahead-pervnode, yamt-readahead-perfile, yamt-readahead-base3, yamt-readahead-base2, yamt-readahead-base, yamt-readahead, yamt-km-base4, yamt-km-base3, thorpej-vnode-attr-base, thorpej-vnode-attr, netbsd-3-base, netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0, netbsd-3, ktrace-lwp-base, kent-audio2-base
Branch point for: yamt-lazymbuf
Changes since 1.4: +6 -6 lines
Diff to previous 1.4 (colored)

nuke trailing whitespace

Revision 1.4 / (download) - annotate - [select for diffs], Mon Oct 6 22:05:15 2003 UTC (18 years ago) by tls
Branch: MAIN
CVS Tags: yamt-km-base2, yamt-km-base, netbsd-2-base, netbsd-2-1-RELEASE, netbsd-2-1-RC6, netbsd-2-1-RC5, netbsd-2-1-RC4, netbsd-2-1-RC3, netbsd-2-1-RC2, netbsd-2-1-RC1, netbsd-2-1, netbsd-2-0-base, netbsd-2-0-RELEASE, netbsd-2-0-RC5, netbsd-2-0-RC4, netbsd-2-0-RC3, netbsd-2-0-RC2, netbsd-2-0-RC1, netbsd-2-0-3-RELEASE, netbsd-2-0-2-RELEASE, netbsd-2-0-1-RELEASE, netbsd-2-0, netbsd-2, kent-audio1-beforemerge, kent-audio1-base, kent-audio1
Branch point for: yamt-km, ktrace-lwp, kent-audio2
Changes since 1.3: +5 -5 lines
Diff to previous 1.3 (colored)

Reversion of "netkey merge", part 2 (replacement of removed files in the
repository by christos was part 1).  netipsec should now be back as it
was on 2003-09-11, with some very minor changes:

1) Some residual platform-dependent code was moved from ipsec.h to
   ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined.  ipsec.h
   now includes ipsec_osdep.h

2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has
   been left in place (it's arguable which name is less confusing but the
   rename is pretty harmless).

3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN
   is invalid and GCC 3 won't compile it.

An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now
gets through "make depend" but fails to build with errors in ip_input.c.
But it's better than it was (thank heaven for small favors).

Revision 1.3 / (download) - annotate - [select for diffs], Fri Sep 12 11:21:00 2003 UTC (18 years, 1 month ago) by itojun
Branch: MAIN
Changes since 1.2: +4 -4 lines
Diff to previous 1.2 (colored)

merge netipsec/key* into netkey/key*.  no need for both.
change confusing filename

Revision 1.2 / (download) - annotate - [select for diffs], Wed Aug 20 22:33:41 2003 UTC (18 years, 2 months ago) by jonathan
Branch: MAIN
Changes since 1.1: +4 -2 lines
Diff to previous 1.1 (colored)

opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.

Revision 1.1 / (download) - annotate - [select for diffs], Wed Aug 13 20:06:52 2003 UTC (18 years, 2 months ago) by jonathan
Branch: MAIN

Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4.
Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the
OpenCryptoFramework (and thus hardware crypto accelerators) and
numerous detailed performance improvements.

This import is (aside from SPL-level names) the FreeBSD source,
imported ``as-is'' as a historical snapshot, for future maintenance
and comparison against the FreeBSD source.  For now, several minor
kernel-API differences are hidden by macros a shim file, ipsec_osdep.h,
which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.


CVSweb <webmaster@jp.NetBSD.org>