#
1.75 |
|
19-Oct-2022 |
christos |
PR/56836: Andrew Cagney: IPv6 ESN tunneling IPcomp has corrupt header
Always always send / expect CPI in IPcomp header
Fixes kern/56836 where an IPsec interop combining compression and ESP|AH would fail.
Since fast ipsec, the outgoing IPcomp header has contained the compression algorithm instead of the CPI. Adding the SADB_X_EXT_RAWCPI flag worked around this but ...
The IPcomp's SADB was unconditionally hashed using the compression algorithm instead of the CPI. This meant that an incoming packet with a valid CPI could never match its SADB.
|
Revision tags: bouyer-sunxi-drm-base
|
#
1.74 |
|
22-May-2022 |
riastradh |
opencrypto: crypto_dispatch never fails now. Make it return void.
Same with crypto_kdispatch.
|
#
1.73 |
|
22-May-2022 |
riastradh |
opencrypto: Rip out EAGAIN logic when unregistering crypto drivers.
I'm pretty sure this never worked reliably based on code inspection, and it's unlikely to have ever been tested because it only applies when unregistering a driver -- but we have no crypto drivers for removable devices, so it would only apply if we went out of our way to trigger detach with drvctl.
Instead, just make the operation fail with ENODEV, and remove all the callback logic to resubmit the request on EAGAIN. (Maybe this should be ENXIO, but crypto_kdispatch already does ENODEV.)
|
#
1.72 |
|
22-May-2022 |
riastradh |
opencrypto: Make crypto_freesession return void.
No callers use the return value. It is not sensible to allow this to fail.
|
#
1.71 |
|
22-May-2022 |
riastradh |
netipsec: Nothing uses xf_zeroize return value. Nix it.
|
#
1.70 |
|
22-May-2022 |
riastradh |
opencrypto: Make crp_callback, krp_callback return void.
Nothing uses the return values inside opencrypto, so let's stop making users return them.
|
Revision tags: thorpej-i2c-spi-conf2-base thorpej-futex2-base thorpej-cfargs2-base cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base thorpej-i2c-spi-conf-base thorpej-cfargs-base thorpej-futex-base bouyer-xenpvh-base2 phil-wifi-20200421 bouyer-xenpvh-base1 phil-wifi-20200411 bouyer-xenpvh-base is-mlppp-base phil-wifi-20200406 ad-namecache-base3 ad-namecache-base2 ad-namecache-base1 ad-namecache-base phil-wifi-20191119
|
#
1.69 |
|
01-Nov-2019 |
knakahara |
Fix ipsecif(4) IPV6_MINMTU does not work correctly.
|
Revision tags: netbsd-9-3-RELEASE netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base
|
#
1.68 |
|
12-Jun-2019 |
christos |
make DPRINTF use varyadic cpp macros, and merge with IPSECLOG.
|
Revision tags: phil-wifi-20190609 isaki-audio2-base
|
#
1.67 |
|
27-Jan-2019 |
pgoyette |
Merge the [pgoyette-compat] branch
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521
|
#
1.66 |
|
13-May-2018 |
maxv |
branches: 1.66.2; Remove unused calls to nat_t_ports_get.
|
#
1.65 |
|
07-May-2018 |
maxv |
Remove unused 'mp' argument from all the xf_output functions. Also clean up xform.h a bit.
|
Revision tags: pgoyette-compat-0502
|
#
1.64 |
|
01-May-2018 |
maxv |
Remove double include, opencrypto/xform.h is already included in netipsec/xform.h.
|
#
1.63 |
|
28-Apr-2018 |
maxv |
Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.
|
Revision tags: pgoyette-compat-0422
|
#
1.62 |
|
19-Apr-2018 |
maxv |
Remove extra long file paths from the headers.
|
#
1.61 |
|
19-Apr-2018 |
maxv |
Add a KASSERT (which is not triggerable since ipsec_common_input already ensures 8 bytes are present), add an XXX (about the fact that it is better to use m_copydata, because it is faster and less error-prone), and improve two m_copybacks (remove useless casts).
|
Revision tags: pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315
|
#
1.60 |
|
10-Mar-2018 |
maxv |
Fix the computation. Normally that's harmless since ip6_output recomputes ip6_plen.
|
Revision tags: pgoyette-compat-base
|
#
1.59 |
|
16-Feb-2018 |
maxv |
branches: 1.59.2; Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs. Discussed with ozaki-r@.
|
#
1.58 |
|
16-Feb-2018 |
maxv |
Remove some more FreeBSD sysctl declarations that already have NetBSD counterparts. Discussed with ozaki-r@.
|
#
1.57 |
|
15-Feb-2018 |
maxv |
Style and simplify.
|
#
1.56 |
|
15-Feb-2018 |
ozaki-r |
Don't relook up an SP/SA in opencrpyto callbacks
We don't need to do so because we have a reference to it. And also relooking-up one there may return an sp/sav that has different parameters from an original one.
|
#
1.55 |
|
14-Feb-2018 |
ozaki-r |
Dedup common codes in error paths (NFCI)
|
#
1.54 |
|
14-Feb-2018 |
ozaki-r |
Fix mbuf leaks on error paths
Pointed out by maxv@
|
Revision tags: tls-maxphys-base-20171202
|
#
1.53 |
|
03-Oct-2017 |
ozaki-r |
Constify isr at many places (NFC)
|
Revision tags: nick-nhusb-base-20170825
|
#
1.52 |
|
10-Aug-2017 |
ozaki-r |
Use pool_cache(9) instead of pool(9) for tdb_crypto objects
The change improves network throughput especially on multi-core systems.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
branches: 1.38.2; Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.6; 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.74 |
|
22-May-2022 |
riastradh |
opencrypto: crypto_dispatch never fails now. Make it return void.
Same with crypto_kdispatch.
|
#
1.73 |
|
22-May-2022 |
riastradh |
opencrypto: Rip out EAGAIN logic when unregistering crypto drivers.
I'm pretty sure this never worked reliably based on code inspection, and it's unlikely to have ever been tested because it only applies when unregistering a driver -- but we have no crypto drivers for removable devices, so it would only apply if we went out of our way to trigger detach with drvctl.
Instead, just make the operation fail with ENODEV, and remove all the callback logic to resubmit the request on EAGAIN. (Maybe this should be ENXIO, but crypto_kdispatch already does ENODEV.)
|
#
1.72 |
|
22-May-2022 |
riastradh |
opencrypto: Make crypto_freesession return void.
No callers use the return value. It is not sensible to allow this to fail.
|
#
1.71 |
|
22-May-2022 |
riastradh |
netipsec: Nothing uses xf_zeroize return value. Nix it.
|
#
1.70 |
|
22-May-2022 |
riastradh |
opencrypto: Make crp_callback, krp_callback return void.
Nothing uses the return values inside opencrypto, so let's stop making users return them.
|
Revision tags: thorpej-i2c-spi-conf2-base thorpej-futex2-base thorpej-cfargs2-base cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base thorpej-i2c-spi-conf-base thorpej-cfargs-base thorpej-futex-base bouyer-xenpvh-base2 phil-wifi-20200421 bouyer-xenpvh-base1 phil-wifi-20200411 bouyer-xenpvh-base is-mlppp-base phil-wifi-20200406 ad-namecache-base3 ad-namecache-base2 ad-namecache-base1 ad-namecache-base phil-wifi-20191119
|
#
1.69 |
|
01-Nov-2019 |
knakahara |
Fix ipsecif(4) IPV6_MINMTU does not work correctly.
|
Revision tags: netbsd-9-2-RELEASE netbsd-9-1-RELEASE netbsd-9-0-RELEASE netbsd-9-0-RC2 netbsd-9-0-RC1 netbsd-9-base
|
#
1.68 |
|
12-Jun-2019 |
christos |
make DPRINTF use varyadic cpp macros, and merge with IPSECLOG.
|
Revision tags: phil-wifi-20190609 isaki-audio2-base
|
#
1.67 |
|
27-Jan-2019 |
pgoyette |
Merge the [pgoyette-compat] branch
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521
|
#
1.66 |
|
13-May-2018 |
maxv |
branches: 1.66.2; Remove unused calls to nat_t_ports_get.
|
#
1.65 |
|
07-May-2018 |
maxv |
Remove unused 'mp' argument from all the xf_output functions. Also clean up xform.h a bit.
|
Revision tags: pgoyette-compat-0502
|
#
1.64 |
|
01-May-2018 |
maxv |
Remove double include, opencrypto/xform.h is already included in netipsec/xform.h.
|
#
1.63 |
|
28-Apr-2018 |
maxv |
Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.
|
Revision tags: pgoyette-compat-0422
|
#
1.62 |
|
19-Apr-2018 |
maxv |
Remove extra long file paths from the headers.
|
#
1.61 |
|
19-Apr-2018 |
maxv |
Add a KASSERT (which is not triggerable since ipsec_common_input already ensures 8 bytes are present), add an XXX (about the fact that it is better to use m_copydata, because it is faster and less error-prone), and improve two m_copybacks (remove useless casts).
|
Revision tags: pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315
|
#
1.60 |
|
10-Mar-2018 |
maxv |
Fix the computation. Normally that's harmless since ip6_output recomputes ip6_plen.
|
Revision tags: pgoyette-compat-base
|
#
1.59 |
|
16-Feb-2018 |
maxv |
branches: 1.59.2; Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs. Discussed with ozaki-r@.
|
#
1.58 |
|
16-Feb-2018 |
maxv |
Remove some more FreeBSD sysctl declarations that already have NetBSD counterparts. Discussed with ozaki-r@.
|
#
1.57 |
|
15-Feb-2018 |
maxv |
Style and simplify.
|
#
1.56 |
|
15-Feb-2018 |
ozaki-r |
Don't relook up an SP/SA in opencrpyto callbacks
We don't need to do so because we have a reference to it. And also relooking-up one there may return an sp/sav that has different parameters from an original one.
|
#
1.55 |
|
14-Feb-2018 |
ozaki-r |
Dedup common codes in error paths (NFCI)
|
#
1.54 |
|
14-Feb-2018 |
ozaki-r |
Fix mbuf leaks on error paths
Pointed out by maxv@
|
Revision tags: tls-maxphys-base-20171202
|
#
1.53 |
|
03-Oct-2017 |
ozaki-r |
Constify isr at many places (NFC)
|
Revision tags: nick-nhusb-base-20170825
|
#
1.52 |
|
10-Aug-2017 |
ozaki-r |
Use pool_cache(9) instead of pool(9) for tdb_crypto objects
The change improves network throughput especially on multi-core systems.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
branches: 1.38.2; Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.6; 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.69 |
|
01-Nov-2019 |
knakahara |
Fix ipsecif(4) IPV6_MINMTU does not work correctly.
|
Revision tags: netbsd-9-base
|
#
1.68 |
|
12-Jun-2019 |
christos |
make DPRINTF use varyadic cpp macros, and merge with IPSECLOG.
|
Revision tags: phil-wifi-20190609 isaki-audio2-base
|
#
1.67 |
|
27-Jan-2019 |
pgoyette |
Merge the [pgoyette-compat] branch
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521
|
#
1.66 |
|
13-May-2018 |
maxv |
branches: 1.66.2; Remove unused calls to nat_t_ports_get.
|
#
1.65 |
|
07-May-2018 |
maxv |
Remove unused 'mp' argument from all the xf_output functions. Also clean up xform.h a bit.
|
Revision tags: pgoyette-compat-0502
|
#
1.64 |
|
01-May-2018 |
maxv |
Remove double include, opencrypto/xform.h is already included in netipsec/xform.h.
|
#
1.63 |
|
28-Apr-2018 |
maxv |
Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.
|
Revision tags: pgoyette-compat-0422
|
#
1.62 |
|
19-Apr-2018 |
maxv |
Remove extra long file paths from the headers.
|
#
1.61 |
|
19-Apr-2018 |
maxv |
Add a KASSERT (which is not triggerable since ipsec_common_input already ensures 8 bytes are present), add an XXX (about the fact that it is better to use m_copydata, because it is faster and less error-prone), and improve two m_copybacks (remove useless casts).
|
Revision tags: pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315
|
#
1.60 |
|
10-Mar-2018 |
maxv |
Fix the computation. Normally that's harmless since ip6_output recomputes ip6_plen.
|
Revision tags: pgoyette-compat-base
|
#
1.59 |
|
16-Feb-2018 |
maxv |
branches: 1.59.2; Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs. Discussed with ozaki-r@.
|
#
1.58 |
|
16-Feb-2018 |
maxv |
Remove some more FreeBSD sysctl declarations that already have NetBSD counterparts. Discussed with ozaki-r@.
|
#
1.57 |
|
15-Feb-2018 |
maxv |
Style and simplify.
|
#
1.56 |
|
15-Feb-2018 |
ozaki-r |
Don't relook up an SP/SA in opencrpyto callbacks
We don't need to do so because we have a reference to it. And also relooking-up one there may return an sp/sav that has different parameters from an original one.
|
#
1.55 |
|
14-Feb-2018 |
ozaki-r |
Dedup common codes in error paths (NFCI)
|
#
1.54 |
|
14-Feb-2018 |
ozaki-r |
Fix mbuf leaks on error paths
Pointed out by maxv@
|
Revision tags: tls-maxphys-base-20171202
|
#
1.53 |
|
03-Oct-2017 |
ozaki-r |
Constify isr at many places (NFC)
|
Revision tags: nick-nhusb-base-20170825
|
#
1.52 |
|
10-Aug-2017 |
ozaki-r |
Use pool_cache(9) instead of pool(9) for tdb_crypto objects
The change improves network throughput especially on multi-core systems.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
branches: 1.38.2; Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.6; 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.68 |
|
12-Jun-2019 |
christos |
make DPRINTF use varyadic cpp macros, and merge with IPSECLOG.
|
Revision tags: phil-wifi-20190609 isaki-audio2-base
|
#
1.67 |
|
27-Jan-2019 |
pgoyette |
Merge the [pgoyette-compat] branch
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521
|
#
1.66 |
|
13-May-2018 |
maxv |
branches: 1.66.2; Remove unused calls to nat_t_ports_get.
|
#
1.65 |
|
07-May-2018 |
maxv |
Remove unused 'mp' argument from all the xf_output functions. Also clean up xform.h a bit.
|
Revision tags: pgoyette-compat-0502
|
#
1.64 |
|
01-May-2018 |
maxv |
Remove double include, opencrypto/xform.h is already included in netipsec/xform.h.
|
#
1.63 |
|
28-Apr-2018 |
maxv |
Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.
|
Revision tags: pgoyette-compat-0422
|
#
1.62 |
|
19-Apr-2018 |
maxv |
Remove extra long file paths from the headers.
|
#
1.61 |
|
19-Apr-2018 |
maxv |
Add a KASSERT (which is not triggerable since ipsec_common_input already ensures 8 bytes are present), add an XXX (about the fact that it is better to use m_copydata, because it is faster and less error-prone), and improve two m_copybacks (remove useless casts).
|
Revision tags: pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315
|
#
1.60 |
|
10-Mar-2018 |
maxv |
Fix the computation. Normally that's harmless since ip6_output recomputes ip6_plen.
|
Revision tags: pgoyette-compat-base
|
#
1.59 |
|
16-Feb-2018 |
maxv |
branches: 1.59.2; Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs. Discussed with ozaki-r@.
|
#
1.58 |
|
16-Feb-2018 |
maxv |
Remove some more FreeBSD sysctl declarations that already have NetBSD counterparts. Discussed with ozaki-r@.
|
#
1.57 |
|
15-Feb-2018 |
maxv |
Style and simplify.
|
#
1.56 |
|
15-Feb-2018 |
ozaki-r |
Don't relook up an SP/SA in opencrpyto callbacks
We don't need to do so because we have a reference to it. And also relooking-up one there may return an sp/sav that has different parameters from an original one.
|
#
1.55 |
|
14-Feb-2018 |
ozaki-r |
Dedup common codes in error paths (NFCI)
|
#
1.54 |
|
14-Feb-2018 |
ozaki-r |
Fix mbuf leaks on error paths
Pointed out by maxv@
|
Revision tags: tls-maxphys-base-20171202
|
#
1.53 |
|
03-Oct-2017 |
ozaki-r |
Constify isr at many places (NFC)
|
Revision tags: nick-nhusb-base-20170825
|
#
1.52 |
|
10-Aug-2017 |
ozaki-r |
Use pool_cache(9) instead of pool(9) for tdb_crypto objects
The change improves network throughput especially on multi-core systems.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
branches: 1.38.2; Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.6; 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
Revision tags: isaki-audio2-base
|
#
1.67 |
|
27-Jan-2019 |
pgoyette |
Merge the [pgoyette-compat] branch
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521
|
#
1.66 |
|
13-May-2018 |
maxv |
Remove unused calls to nat_t_ports_get.
|
#
1.65 |
|
07-May-2018 |
maxv |
Remove unused 'mp' argument from all the xf_output functions. Also clean up xform.h a bit.
|
Revision tags: pgoyette-compat-0502
|
#
1.64 |
|
01-May-2018 |
maxv |
Remove double include, opencrypto/xform.h is already included in netipsec/xform.h.
|
#
1.63 |
|
28-Apr-2018 |
maxv |
Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.
|
Revision tags: pgoyette-compat-0422
|
#
1.62 |
|
19-Apr-2018 |
maxv |
Remove extra long file paths from the headers.
|
#
1.61 |
|
19-Apr-2018 |
maxv |
Add a KASSERT (which is not triggerable since ipsec_common_input already ensures 8 bytes are present), add an XXX (about the fact that it is better to use m_copydata, because it is faster and less error-prone), and improve two m_copybacks (remove useless casts).
|
Revision tags: pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315
|
#
1.60 |
|
10-Mar-2018 |
maxv |
Fix the computation. Normally that's harmless since ip6_output recomputes ip6_plen.
|
Revision tags: pgoyette-compat-base
|
#
1.59 |
|
16-Feb-2018 |
maxv |
branches: 1.59.2; Add [ah/esp/ipcomp]_enable sysctls, and remove the FreeBSD #ifdefs. Discussed with ozaki-r@.
|
#
1.58 |
|
16-Feb-2018 |
maxv |
Remove some more FreeBSD sysctl declarations that already have NetBSD counterparts. Discussed with ozaki-r@.
|
#
1.57 |
|
15-Feb-2018 |
maxv |
Style and simplify.
|
#
1.56 |
|
15-Feb-2018 |
ozaki-r |
Don't relook up an SP/SA in opencrpyto callbacks
We don't need to do so because we have a reference to it. And also relooking-up one there may return an sp/sav that has different parameters from an original one.
|
#
1.55 |
|
14-Feb-2018 |
ozaki-r |
Dedup common codes in error paths (NFCI)
|
#
1.54 |
|
14-Feb-2018 |
ozaki-r |
Fix mbuf leaks on error paths
Pointed out by maxv@
|
Revision tags: tls-maxphys-base-20171202
|
#
1.53 |
|
03-Oct-2017 |
ozaki-r |
Constify isr at many places (NFC)
|
Revision tags: nick-nhusb-base-20170825
|
#
1.52 |
|
10-Aug-2017 |
ozaki-r |
Use pool_cache(9) instead of pool(9) for tdb_crypto objects
The change improves network throughput especially on multi-core systems.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
branches: 1.38.2; Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: netbsd-7-2-RELEASE netbsd-7-1-2-RELEASE netbsd-7-1-1-RELEASE pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.6; 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.53 |
|
03-Oct-2017 |
ozaki-r |
Constify isr at many places (NFC)
|
Revision tags: nick-nhusb-base-20170825
|
#
1.52 |
|
10-Aug-2017 |
ozaki-r |
Use pool_cache(9) instead of pool(9) for tdb_crypto objects
The change improves network throughput especially on multi-core systems.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.6; 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.52 |
|
10-Aug-2017 |
ozaki-r |
Use pool_cache(9) instead of pool(9) for tdb_crypto objects
The change improves network throughput especially on multi-core systems.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.51 |
|
09-Aug-2017 |
ozaki-r |
MP-ify SAD (savlist)
localcount(9) is used to protect savlist of sah. The basic design is similar to MP-ifications of SPD and SAD sahlist. Please read the locking notes of SAD for more details.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.50 |
|
03-Aug-2017 |
ozaki-r |
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future
KEY_SA_UNREF is still key_freesav so no functional change for now.
This change reduces diff of further changes.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.49 |
|
02-Aug-2017 |
ozaki-r |
Make IPsec SPD MP-safe
We use localcount(9), not psref(9), to make the sptree and secpolicy (SP) entries MP-safe because SPs need to be referenced over opencrypto processing that executes a callback in a different context.
SPs on sockets aren't managed by the sptree and can be destroyed in softint. localcount_drain cannot be used in softint so we delay the destruction of such SPs to a thread context. To do so, a list to manage such SPs is added (key_socksplist) and key_timehandler_spd deletes dead SPs in the list.
For more details please read the locking notes in key.c.
Proposed on tech-kern@ and tech-net@
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.48 |
|
27-Jul-2017 |
ozaki-r |
Don't acquire global locks for IPsec if NET_MPSAFE
Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.47 |
|
20-Jul-2017 |
ozaki-r |
Use pool to allocate tdb_crypto
For ESP and AH, we need to allocate an extra variable space in addition to struct tdb_crypto. The fixed size of pool items may be larger than an actual requisite size of a buffer, but still the performance improvement by replacing malloc with pool wins.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.46 |
|
19-Jul-2017 |
ozaki-r |
Hold a reference to an SP during opencrypto processing
An SP has a list of isr (ipsecrequest) that represents a sequence of IPsec encryption/authentication processing. One isr corresponds to one opencrypto processing. The lifetime of an isr follows its SP.
We pass an isr to a callback function of opencrypto to continue to a next encryption/authentication processing. However nobody guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.
In order to avoid such unexpected destruction of isr, hold a reference to its SP during opencrypto processing.
|
#
1.45 |
|
19-Jul-2017 |
ozaki-r |
Don't bother the case of crp->crp_buf == NULL in callbacks
|
#
1.44 |
|
19-Jul-2017 |
ozaki-r |
Don't release sav if calling crypto_dispatch again
|
Revision tags: perseant-stdc-iso10646-base
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.43 |
|
14-Jul-2017 |
ozaki-r |
Prepare to stop using isr->sav
isr is a shared resource and using isr->sav as a temporal storage for each packet processing is racy. And also having a reference from isr to sav makes the lifetime of sav non-deterministic; such a reference is removed when a packet is processed and isr->sav is overwritten by new one. Let's have a sav locally for each packet processing instead of using shared isr->sav.
However this change doesn't stop using isr->sav yet because there are some users of isr->sav. isr->sav will be removed after the users find a way to not use isr->sav.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|
#
1.42 |
|
14-Jul-2017 |
ozaki-r |
Pass sav directly to opencrypto callback
In a callback, use a passed sav as-is by default and look up a sav only if the passed sav is dead.
|
#
1.41 |
|
07-Jul-2017 |
ozaki-r |
Rename key_alloc* functions (NFC)
We shouldn't use the term "alloc" for functions that just look up data and actually don't allocate memory.
|
#
1.40 |
|
05-Jul-2017 |
ozaki-r |
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE
It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters that have IPsec accelerators; a driver sets the mtag to a packet when its device has already encrypted the packet.
Unfortunately no driver implements such offload features for long years and seems unlikely to implement them soon. (Note that neither FreeBSD nor Linux doesn't have such drivers.) Let's remove related (unused) codes and simplify the IPsec code.
|
#
1.39 |
|
29-Jun-2017 |
ozaki-r |
Apply C99-style struct initialization to xformsw
|
Revision tags: netbsd-8-base prg-localcount2-base3
|
#
1.38 |
|
11-May-2017 |
ryo |
Make ipsec_address() and ipsec_logsastr() mpsafe.
|
Revision tags: prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1
|
#
1.37 |
|
19-Apr-2017 |
ozaki-r |
branches: 1.37.2; Retire ipsec_osdep.h
We don't need to care other OSes (FreeBSD) anymore.
Some macros are alive in ipsec_private.h.
|
#
1.36 |
|
18-Apr-2017 |
ozaki-r |
Convert IPSEC_ASSERT to KASSERT or KASSERTMSG
IPSEC_ASSERT just discarded specified message...
|
#
1.35 |
|
18-Apr-2017 |
ozaki-r |
Remove __FreeBSD__ and __NetBSD__ switches
No functional changes (except for a debug printf).
Note that there remain some __FreeBSD__ for sysctl knobs which counerparts to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up requires actual code changes.
|
#
1.34 |
|
15-Apr-2017 |
christos |
cosmetic fixes: - __func__ in printfs - no space after sizeof - eliminate useless casts - u_intX_t -> uintX_t
|
#
1.33 |
|
13-Apr-2017 |
christos |
Redo the statistics through an indirection array and put the definitions of the arrays in pfkeyv2.h so that they are next to the index definitions. Remove "bogus" comment about compressing the statistics which is now fixed.
|
Revision tags: jdolecek-ncq-base
|
#
1.32 |
|
06-Apr-2017 |
ozaki-r |
Prepare netipsec for rump-ification
- Include "opt_*.h" only if _KERNEL_OPT is defined - Allow encapinit to be called twice (by ifinit and ipe4_attach) - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called it instead), however, on a rump kernel ipe4_attach may not be called even if IPSEC is enabled. So we need to allow ifinit to call it anyway - Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP - Call ip6flow_invalidate_all in key_spdadd only if in6_present - It's possible that a rump kernel loads the ipsec library but not the inet6 library
|
Revision tags: pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 nick-nhusb-base-20170204 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 nick-nhusb-base-20161204 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE nick-nhusb-base-20161004 localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base nick-nhusb-base-20160907 nick-nhusb-base-20160529 netbsd-7-0-1-RELEASE nick-nhusb-base-20160422 nick-nhusb-base-20160319 nick-nhusb-base-20151226 netbsd-7-0-RELEASE nick-nhusb-base-20150921 netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 nick-nhusb-base-20150606 nick-nhusb-base-20150406 nick-nhusb-base netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 rmind-smpnet-nbase rmind-smpnet-base tls-maxphys-base
|
#
1.31 |
|
03-Nov-2013 |
mrg |
branches: 1.31.10; 1.31.14; - apply some __diagused - remove unused variables - move some variables inside their relevant use #ifdef
|
Revision tags: riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base
|
#
1.30 |
|
04-Jun-2013 |
christos |
branches: 1.30.2; PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access outdated pointers and pass ESP data to UPD-sockets. While here, simplify the code and remove the IPSEC_NAT_T option; always compile nat-traversal in so that it does not bitrot.
|
Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 jmcneill-usbmp-base10 yamt-pagecache-base5 jmcneill-usbmp-base9 yamt-pagecache-base4 jmcneill-usbmp-base8 jmcneill-usbmp-base7 jmcneill-usbmp-base6 jmcneill-usbmp-base5 jmcneill-usbmp-base4 jmcneill-usbmp-base3 jmcneill-usbmp-base2 netbsd-6-base
|
#
1.29 |
|
25-Jan-2012 |
drochner |
branches: 1.29.6; Make sure the mbufs in the input path (only the parts which we are going to modify in the AH case) are writable/non-shared. This addresses PR kern/33162 by Jeff Rizzo, and replaces the insufficient patch from that time by a radical solution. (The PR's problem had been worked around by rev.1.3 of xennetback_xenbus.c, so it needs a network driver modification to reproduce it.) Being here, clarify a bit of ipcomp -- uncompression is done in-place, the header must be removed explicitly.
|
Revision tags: jmcneill-usbmp-pre-base2 jmcneill-usbmp-base jmcneill-audiomp3-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base rmind-uvmplock-nbase cherry-xenmp-base rmind-uvmplock-base
|
#
1.28 |
|
06-May-2011 |
drochner |
branches: 1.28.4; 1.28.8; As a first step towards more fine-grained locking, don't require crypto_{new.free}session() to be called with the "crypto_mtx" spinlock held. This doesn't change much for now because these functions acquire the said mutex first on entry now, but at least it keeps the nasty locks local to the opencrypto core.
|
#
1.27 |
|
05-May-2011 |
drochner |
fix C&P botch in diagnostic printfs
|
#
1.26 |
|
01-Apr-2011 |
spz |
mitigation for CVE-2011-1547
|
Revision tags: bouyer-quota2-nbase
|
#
1.25 |
|
24-Feb-2011 |
drochner |
small modifications in dealing with the unknown result size of compression/ decompression: -seperate the IPCOMP specific rule that compression must not grow the data from general compression semantics: Introduce a special name CRYPTO_DEFLATE_COMP_NOGROW/comp_algo_deflate_nogrow to describe the IPCOMP semantics and use it there. (being here, fix the check so that equal size is considered failure as well as required by RFC2393) Customers of CRYPTO_DEFLATE_COMP/comp_algo_deflate now always get deflated data back, even if they are not smaller than the original. -allow to pass a "size hint" to the DEFLATE decompression function which is used for the initial buffer allocation. Due to the changes done there, additional allocations and extra copies are avoided if the initial allocation is sufficient. Set the size hint to MCLBYTES (=2k) in IPCOMP which should be good for many use cases.
|
#
1.24 |
|
18-Feb-2011 |
drochner |
more "const"
|
#
1.23 |
|
18-Feb-2011 |
drochner |
sprinkle some "const", documenting that the SA is not supposed to change during an xform operation
|
Revision tags: bouyer-quota2-base
|
#
1.22 |
|
14-Feb-2011 |
drochner |
change locking order, to make sure the cpu is at splsoftnet() before the softnet_lock (adaptive) mutex is acquired, from Wolfgang Stukenbrock, should fix a recursive lock panic
|
#
1.21 |
|
10-Feb-2011 |
drochner |
-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock everywhere splsoftnet() was used before, to fix MP concurrency problems -pull KERNEL_LOCK where ip(6)_output() is called, as this is what the network stack (unfortunately) expects, in particular to avoid races for packets in the interface send queues From Wolfgang Stukenbrock per PR kern/44418, with the application of KERNEL_LOCK to what I think are the essential points, tested on a dual-core i386.
|
Revision tags: jruoho-x86intr-base matt-mips64-premerge-20101231 uebayasi-xip-base4 uebayasi-xip-base3 yamt-nfs-mp-base11
|
#
1.20 |
|
21-Sep-2010 |
degroote |
branches: 1.20.2; 1.20.4; Fix ipcomp input counter
Reported Wolfgang Stukenbrock in pr/43250.
|
Revision tags: uebayasi-xip-base2 yamt-nfs-mp-base10 uebayasi-xip-base1 yamt-nfs-mp-base9 uebayasi-xip-base matt-premerge-20091211 yamt-nfs-mp-base8 yamt-nfs-mp-base7 jymxensuspend-base yamt-nfs-mp-base6 yamt-nfs-mp-base5 yamt-nfs-mp-base4 jym-xensuspend-nbase yamt-nfs-mp-base3 nick-hppapmap-base4 nick-hppapmap-base3 jym-xensuspend-base nick-hppapmap-base
|
#
1.19 |
|
18-Mar-2009 |
cegger |
branches: 1.19.2; 1.19.4; bzero -> memset
|
Revision tags: matt-nb5-mips64-premerge-20101231 matt-nb5-pq3-base netbsd-5-1-RELEASE netbsd-5-1-RC4 matt-nb5-mips64-k15 netbsd-5-1-RC3 netbsd-5-1-RC2 netbsd-5-1-RC1 netbsd-5-0-2-RELEASE matt-nb5-mips64-premerge-20091211 matt-nb5-mips64-u2-k2-k4-k7-k8-k9 matt-nb4-mips64-k7-u2a-k9b matt-nb5-mips64-u1-k1-k5 netbsd-5-0-1-RELEASE netbsd-5-0-RELEASE netbsd-5-0-RC4 netbsd-5-0-RC3 nick-hppapmap-base2 netbsd-5-0-RC2 netbsd-5-0-RC1 haad-dm-base2 haad-nbase2 ad-audiomp2-base netbsd-5-base matt-mips64-base2 haad-dm-base1 wrstuden-revivesa-base-4 wrstuden-revivesa-base-3 wrstuden-revivesa-base-2 haad-dm-base wrstuden-revivesa-base-1 simonb-wapbl-nbase yamt-pf42-base4 simonb-wapbl-base yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-base2 yamt-nfs-mp-base2 wrstuden-revivesa-base yamt-nfs-mp-base mjf-devfs2-base
|
#
1.18 |
|
23-Apr-2008 |
thorpej |
branches: 1.18.2; 1.18.10; 1.18.12; 1.18.16; 1.18.18; 1.18.22; Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and netstat_sysctl().
|
Revision tags: yamt-pf42-baseX yamt-pf42-base ad-socklock-base1 yamt-lazymbuf-base15 yamt-lazymbuf-base14 keiichi-mipv6-nbase nick-net80211-sync-base keiichi-mipv6-base matt-armv6-nbase mjf-devfs-base hpcarm-cleanup-base
|
#
1.17 |
|
04-Feb-2008 |
tls |
branches: 1.17.6; 1.17.8; Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto" (actually splnet) and condvars instead of tsleep/wakeup. Fix a few miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some point after this code came from FreeBSD -- it made it impossible to wait properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct. Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before the kthread had a chance to dequeue it and call its callback -- this was letting requests stick on the queues before even though done and copied out.
Callers of crypto_newsession() or crypto_freesession() must now take the mutex. Change netipsec to do so. Dispatch takes the mutex itself as needed.
This was tested fairly extensively with the cryptosoft backend and lightly with a new hardware driver. It has not been tested with FAST_IPSEC; I am unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the right direction several times in the course of this. Remaining bugs are mine alone.
|
Revision tags: bouyer-xeni386-nbase bouyer-xeni386-base matt-armv6-base
|
#
1.16 |
|
29-Dec-2007 |
degroote |
Add some statistics for case where compression is not useful (when len(compressed packet) > len(initial packet))
|
Revision tags: vmlocking2-base3 yamt-kmem-base3 cube-autoconf-base yamt-kmem-base2 yamt-kmem-base vmlocking2-base2 reinoud-bufcleanup-nbase vmlocking2-base1 jmcneill-base bouyer-xenamd64-base2 vmlocking-nbase yamt-x86pmap-base4 bouyer-xenamd64-base yamt-x86pmap-base3 yamt-x86pmap-base2 yamt-x86pmap-base jmcneill-pm-base reinoud-bufcleanup-base vmlocking-base
|
#
1.15 |
|
22-Sep-2007 |
degroote |
branches: 1.15.6; 1.15.12; Fix my previous stupid caddr_t fix.
|
Revision tags: nick-csl-alignment-base5 matt-mips64-base nick-csl-alignment-base mjf-ufs-trans-base
|
#
1.14 |
|
27-Jun-2007 |
degroote |
branches: 1.14.6; 1.14.8; Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
|
Revision tags: yamt-idlelwp-base8 thorpej-atomic-base
|
#
1.13 |
|
04-Mar-2007 |
degroote |
branches: 1.13.2; 1.13.4; Remove useless cast Use NULL instead of (void*) 0
|
#
1.12 |
|
04-Mar-2007 |
degroote |
Fix fallout from caddr_t changes
|
#
1.11 |
|
04-Mar-2007 |
christos |
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
|
Revision tags: ad-audiomp-base
|
#
1.10 |
|
23-Feb-2007 |
degroote |
Oops, I forgot to commit some bits last time
fast_ipsec and ipcomp works better now.
|
#
1.9 |
|
10-Feb-2007 |
degroote |
branches: 1.9.2; Commit my SoC work Add ipv6 support for fast_ipsec Note that currently, packet with extensions headers are not correctly supported Change the ipcomp logic
|
Revision tags: post-newlock2-merge newlock2-nbase yamt-splraiseipl-base5 yamt-splraiseipl-base4 yamt-splraiseipl-base3 newlock2-base netbsd-4-base
|
#
1.8 |
|
16-Nov-2006 |
christos |
branches: 1.8.2; 1.8.4; __unused removal on arguments; approved by core.
|
Revision tags: yamt-splraiseipl-base2
|
#
1.7 |
|
13-Oct-2006 |
christos |
more __unused
|
Revision tags: abandoned-netbsd-4-base yamt-splraiseipl-base yamt-pdpolicy-base9 yamt-pdpolicy-base8 yamt-pdpolicy-base7 yamt-pdpolicy-base6 chap-midi-nbase gdamore-uart-base simonb-timcounters-final yamt-pdpolicy-base5 chap-midi-base yamt-pdpolicy-base4 yamt-pdpolicy-base3 peter-altq-base yamt-pdpolicy-base2 elad-kernelauth-base yamt-pdpolicy-base yamt-uio_vmspace-base5 simonb-timecounters-base rpaulo-netinet-merge-pcb-base
|
#
1.6 |
|
11-Dec-2005 |
christos |
branches: 1.6.20; 1.6.22; merge ktrace-lwp.
|
Revision tags: netbsd-3-1-1-RELEASE netbsd-3-0-3-RELEASE netbsd-3-1-RELEASE netbsd-3-0-2-RELEASE netbsd-3-1-RC4 netbsd-3-1-RC3 netbsd-3-1-RC2 netbsd-3-1-RC1 netbsd-3-0-1-RELEASE netbsd-3-0-RELEASE netbsd-3-0-RC6 yamt-readahead-base3 netbsd-3-0-RC5 netbsd-3-0-RC4 netbsd-3-0-RC3 yamt-readahead-base2 netbsd-3-0-RC2 yamt-readahead-pervnode yamt-readahead-perfile yamt-readahead-base netbsd-3-0-RC1 yamt-vop-base3 yamt-vop-base2 thorpej-vnode-attr-base yamt-vop-base yamt-km-base4 yamt-km-base3 netbsd-3-base kent-audio2-base ktrace-lwp-base
|
#
1.5 |
|
26-Feb-2005 |
perry |
branches: 1.5.4; nuke trailing whitespace
|
Revision tags: netbsd-2-0-3-RELEASE netbsd-2-1-RELEASE netbsd-2-1-RC6 netbsd-2-1-RC5 netbsd-2-1-RC4 netbsd-2-1-RC3 netbsd-2-1-RC2 netbsd-2-1-RC1 netbsd-2-0-2-RELEASE yamt-km-base2 yamt-km-base netbsd-2-0-1-RELEASE kent-audio1-beforemerge netbsd-2-base kent-audio1-base netbsd-2-0-RELEASE netbsd-2-0-RC5 netbsd-2-0-RC4 netbsd-2-0-RC3 netbsd-2-0-RC2 netbsd-2-0-RC1 netbsd-2-0-base
|
#
1.4 |
|
06-Oct-2003 |
tls |
branches: 1.4.4; 1.4.10; 1.4.12; Reversion of "netkey merge", part 2 (replacement of removed files in the repository by christos was part 1). netipsec should now be back as it was on 2003-09-11, with some very minor changes:
1) Some residual platform-dependent code was moved from ipsec.h to ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined. ipsec.h now includes ipsec_osdep.h
2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has been left in place (it's arguable which name is less confusing but the rename is pretty harmless).
3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN is invalid and GCC 3 won't compile it.
An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now gets through "make depend" but fails to build with errors in ip_input.c. But it's better than it was (thank heaven for small favors).
|
#
1.3 |
|
12-Sep-2003 |
itojun |
merge netipsec/key* into netkey/key*. no need for both. change confusing filename
|
#
1.2 |
|
20-Aug-2003 |
jonathan |
opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.
|
#
1.1 |
|
13-Aug-2003 |
jonathan |
Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4. Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the OpenCryptoFramework (and thus hardware crypto accelerators) and numerous detailed performance improvements.
This import is (aside from SPL-level names) the FreeBSD source, imported ``as-is'' as a historical snapshot, for future maintenance and comparison against the FreeBSD source. For now, several minor kernel-API differences are hidden by macros a shim file, ipsec_osdep.h, which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
|