History log of /freebsd/sys/netipsec/ipsec_input.c (Results 26 – 50 of 174)
Revision  Date  Author  Comments
# 15df32b4 07-Feb-2017 Enji Cooper <ngie@FreeBSD.org>

MFhead@r313360


# fcf59617 06-Feb-2017 Andrey V. Elsukov <ae@FreeBSD.org>

Merge projects/ipsec into head/.

Small summary
-------------

o Almost all IPsec related code was moved into sys/netipsec.
o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel
option IPSEC_SUPPORT added. It enables support for loading
and unloading of ipsec.ko and tcpmd5.ko kernel modules.
o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by
default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type
support was removed. Added TCP/UDP checksum handling for
inbound packets that were decapsulated by transport mode SAs.
setkey(8) modified to show run-time NAT-T configuration of SA.
o New network pseudo interface if_ipsec(4) added. For now it is
built as part of the ipsec.ko module (or with the IPSEC kernel).
It implements IPsec virtual tunnels to create route-based VPNs.
o The network stack now invokes IPsec functions using special
methods. The only one header file <netipsec/ipsec_support.h>
should be included to declare all the needed things to work
with IPsec.
o All IPsec protocol handlers (ESP/AH/IPCOMP protosw) were removed.
Now these protocols are handled directly via IPsec methods.
o TCP_SIGNATURE support was reworked to be closer to the RFC.
o PF_KEY SADB was reworked:
- now all security associations are stored in a single SPI namespace,
and all SAs MUST have a unique SPI.
- several hash tables added to speed up lookups in SADB.
- SADB now uses rmlock to protect access, and concurrent threads
can do SA lookups at the same time.
- many PF_KEY message handlers were reworked to reflect changes
in SADB.
- SADB_UPDATE message was extended to support new PF_KEY headers:
SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They
can be used by IKE daemon to change SA addresses.
o ipsecrequest and secpolicy structures were cardinally changed to
avoid locking protection for ipsecrequest. Now we support
only limited number (4) of bundled SAs, but they are supported
for both INET and INET6.
o INPCB security policy cache was introduced. Each PCB now caches
used security policies to avoid SP lookup for each packet.
o For inbound security policies, a mode was added in which the kernel
checks the full history of applied IPsec transforms.
o Reference counting rules for security policies and security
associations were changed. Proper SA locking was added into the xform
code.
o xform code was also changed. Now it is possible to unregister xforms.
tdb_xxx structures were changed and renamed to reflect changes in
SADB/SPDB, and changed rules for locking and refcounting.

Reviewed by: gnn, wblock
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9352



Revision tags: release/11.0.1, release/11.0.0
# 8f1f370d 01-Sep-2016 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r305087 through r305219.


# f8fd1a95 01-Sep-2016 Enji Cooper <ngie@FreeBSD.org>

MFhead @ r305170


# 0c127808 31-Aug-2016 Andrey V. Elsukov <ae@FreeBSD.org>

Remove redundant sanity checks from ipsec[46]_common_input_cb().

This check has already been done in each protocol callback.


Revision tags: release/10.3.0
# b626f5a7 04-Jan-2016 Glen Barber <gjb@FreeBSD.org>

MFH r289384-r293170

Sponsored by: The FreeBSD Foundation


# 8d4f972b 26-Nov-2015 Navdeep Parhar <np@FreeBSD.org>

Catch up with head.


# ef91a976 25-Nov-2015 Andrey V. Elsukov <ae@FreeBSD.org>

Overhaul if_enc(4) and make it loadable in run-time.

Use the hhook(9) framework to achieve the ability to load and unload the
if_enc(4) kernel module. INET and INET6 code on initialization registers
two helper hook points in the kernel. The if_enc(4) module uses these helper
hook points and registers its hooks. IPSEC code uses these hhook points
to call helper hooks implemented in if_enc(4).



# b5ff185e 12-Sep-2015 Baptiste Daroussin <bapt@FreeBSD.org>

Merge from head


# ab875b71 14-Aug-2015 Navdeep Parhar <np@FreeBSD.org>

Catch up with head, primarily for the 1.14.4.0 firmware.


Revision tags: release/10.2.0
# 8d0f1085 22-Jul-2015 Dimitry Andric <dim@FreeBSD.org>

Merge ^/head r285341 through r285792.


# 705f4d9c 21-Jul-2015 Ermal Luçi <eri@FreeBSD.org>

IPSEC: remove variable argument function, it's already due.

Differential Revision: https://reviews.freebsd.org/D3080
Reviewed by: gnn, ae
Approved by: gnn(mentor)


# 416ba5c7 22-Jun-2015 Navdeep Parhar <np@FreeBSD.org>

Catch up with HEAD (r280229-r284686).


# 98e0ffae 27-May-2015 Simon J. Gerraty <sjg@FreeBSD.org>

Merge sync of head


# 7757a1b4 03-May-2015 Baptiste Daroussin <bapt@FreeBSD.org>

Merge from head


# de7df74b 01-May-2015 Glen Barber <gjb@FreeBSD.org>

MFH: r281855-r282312

Sponsored by: The FreeBSD Foundation


# 574fde00 28-Apr-2015 Andrey V. Elsukov <ae@FreeBSD.org>

Since PFIL can change the mbuf pointer, we should update pointers after
calling ipsec_filter().

Sponsored by: Yandex LLC


# 7263c8c0 22-Apr-2015 Glen Barber <gjb@FreeBSD.org>

MFH: r280643-r281852

Sponsored by: The FreeBSD Foundation


# 7fffcb0d 20-Apr-2015 Glen Barber <gjb@FreeBSD.org>

MFH: r281668 through r281783

Sponsored by: The FreeBSD Foundation


# 962ac6c7 18-Apr-2015 Andrey V. Elsukov <ae@FreeBSD.org>

Change ipsec_address() and ipsec_logsastr() functions to take two
additional arguments - buffer and size of this buffer.

ipsec_address() is used to convert a sockaddr structure to presentation
format. The IPv6 part of this function returns a pointer to an on-stack
buffer, and by the time the caller uses it, it has become
invalid. The IPv4 version uses 4 static buffers and returns a pointer to a
new buffer each time it is called. But it is still possible
to get corrupted data when several threads use this function.

ipsec_logsastr() is used to format a string about an SA entry. It also
uses a static buffer and has the same problem with concurrent threads.

To fix these problems, add the buffer pointer and the size of this
buffer to the arguments. Now each caller will pass a buffer and its size
to these functions. Also convert all places where these functions
are used (except disabled code).

And now ipsec_address() uses the inet_ntop() function from libkern.

PR: 185996
Differential Revision: https://reviews.freebsd.org/D2321
Reviewed by: gnn
Sponsored by: Yandex LLC
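
The lifetime hazard this commit describes, as an added example that is not FreeBSD's code: a userland reproduction of the old static-buffer ipsec_address() pattern beside the caller-supplied-buffer form the commit switched to. The names addr_to_str_static(), addr_to_str() and format_sa(), the 10.0.0.x / fe80::1 / 192.0.2.1 sample addresses and the SPI value are this example's own; inet_ntop() from <arpa/inet.h> stands in for the libkern version the commit mentions.

```c
/* Added example, not FreeBSD code: old static-buffer ipsec_address()
 * pattern vs. the caller-supplied-buffer form the commit moves to. */
#include <arpa/inet.h>
#include <inttypes.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* OLD style (the pre-fix IPv4 path): rotate through four static buffers.
 * Shared storage plus an unsynchronised index: a fifth live pointer, or a
 * second thread, overwrites a string someone is still reading. */
static const char *
addr_to_str_static(const struct sockaddr *sa)
{
	static char bufs[4][INET_ADDRSTRLEN];
	static unsigned int next;
	const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
	char *buf = bufs[next++ % 4];

	if (sa->sa_family != AF_INET ||
	    inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof(bufs[0])) == NULL)
		snprintf(buf, sizeof(bufs[0]), "(bad address)");
	return (buf);
}

/* NEW style: the caller passes buffer and size, so the result lives as
 * long as the caller needs it and threads never share storage. */
char *
addr_to_str(const struct sockaddr *sa, char *buf, size_t size)
{
	const void *src = sa->sa_family == AF_INET ?
	    (const void *)&((const struct sockaddr_in *)sa)->sin_addr :
	    (const void *)&((const struct sockaddr_in6 *)sa)->sin6_addr;

	if ((sa->sa_family != AF_INET && sa->sa_family != AF_INET6) ||
	    inet_ntop(sa->sa_family, src, buf, size) == NULL)
		snprintf(buf, size, "(bad address)");
	return (buf);
}

/* ipsec_logsastr()-style line built with the new API: one private buffer
 * per address, both valid for the whole snprintf(). */
int
format_sa(char *out, size_t outsize, uint32_t spi,
    const struct sockaddr *src, const struct sockaddr *dst)
{
	char sbuf[INET6_ADDRSTRLEN], dbuf[INET6_ADDRSTRLEN];

	return (snprintf(out, outsize, "SA(SPI=0x%08" PRIx32 " src=%s dst=%s)",
	    spi, addr_to_str(src, sbuf, sizeof(sbuf)),
	    addr_to_str(dst, dbuf, sizeof(dbuf))));
}

static void
mk_in(struct sockaddr_in *sin, uint32_t host_order_addr)
{
	memset(sin, 0, sizeof(*sin));
	sin->sin_family = AF_INET;
	sin->sin_addr.s_addr = htonl(host_order_addr);
}

/* Constructed input 10.0.0.1 .. 10.0.0.5. Returns 1 when the first string
 * handed out by addr_to_str_static() has been clobbered by the fifth call. */
int
static_buffers_get_clobbered(void)
{
	struct sockaddr_in a[5];
	const char *first;
	int i;

	for (i = 0; i < 5; i++)
		mk_in(&a[i], 0x0a000001u + (uint32_t)i);
	first = addr_to_str_static((const struct sockaddr *)&a[0]);
	for (i = 1; i < 5; i++)
		(void)addr_to_str_static((const struct sockaddr *)&a[i]);
	return (strcmp(first, "10.0.0.1") != 0);
}

/* Constructed SA fe80::1 -> 192.0.2.1, SPI 0x1000. Returns 1 when
 * format_sa() renders both addresses intact. */
int
format_sa_demo_ok(void)
{
	struct sockaddr_in6 src;
	struct sockaddr_in dst;
	char out[128];

	memset(&src, 0, sizeof(src));
	src.sin6_family = AF_INET6;
	inet_pton(AF_INET6, "fe80::1", &src.sin6_addr);
	mk_in(&dst, 0xc0000201u);
	format_sa(out, sizeof(out), 0x1000,
	    (const struct sockaddr *)&src, (const struct sockaddr *)&dst);
	return (strcmp(out, "SA(SPI=0x00001000 src=fe80::1 dst=192.0.2.1)") == 0);
}

int
main(void)
{
	printf("old API clobbers: %d, new API intact: %d\n",
	    static_buffers_get_clobbered(), format_sa_demo_ok());
	return (0);
}
```

The single-threaded clobbering shown here needs only five outstanding pointers; with concurrent callers the same slot can be reused after far fewer, which is the case the commit is guarding against. The IPv6 on-stack return the commit also mentions is undefined behaviour outright and is not reproduced.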



# 1d3b268c 18-Apr-2015 Andrey V. Elsukov <ae@FreeBSD.org>

Requeue mbuf via netisr when we use IPSec tunnel mode and IPv6.

ipsec6_common_input_cb() uses a partial copy of ip6_input() to parse
headers. But this isn't correct when we use tunnel mode IPsec.

When we strip the outer IPv6 header from the decrypted packet, it
can become an IPv4 packet and should be handled by ip_input. Also, when
we use tunnel mode IPsec with IPv6 traffic, we should pass the decrypted
packet with the inner IPv6 header to ip6_input; it will correctly handle
it and can also decide to forward it.

The "skip" variable points to the offset where the payload starts. In tunnel
mode we reset it to zero after stripping the outer header. So, when
it is zero, we should requeue the mbuf via netisr.

Differential Revision: https://reviews.freebsd.org/D2306
Reviewed by: adrian, gnn
Sponsored by: Yandex LLC



# 1ae800e7 18-Apr-2015 Andrey V. Elsukov <ae@FreeBSD.org>

Fix handling of scoped IPv6 addresses in IPSec code.

* in ipsec_encap() embed scope zone ids into link-local addresses
in the new IPv6 header, this helps ip6_output() disambiguate the
scope;
* teach key_ismyaddr6() to use in6_localip(). in6_localip() is less
strict than key_sockaddrcmp(). It doesn't compare all fields of
struct sockaddr_in6, but it is faster and it should be safe,
because all of the SA's data was checked for correctness. Also, since
IPv6 link-local addresses in &V_in6_ifaddrhead are stored in
kernel-internal form, we need to embed the scope zone id from the SA into
the address before calling in6_localip.
* in ipsec_common_input() take the scope zone id embedded in the address
and use it to initialize sin6_scope_id, then use this sockaddr
structure to look up the SA, because we keep addresses in the SADB without
an embedded scope zone id.

Differential Revision: https://reviews.freebsd.org/D2304
Reviewed by: gnn
Sponsored by: Yandex LLC
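
The two address forms this commit has to reconcile, as an added example that is not FreeBSD's code. It assumes the KAME convention for the kernel-internal form of a link-local address: the zone id sits in the second 16-bit word (bytes 2 and 3, zero on the wire) and sin6_scope_id is 0, while the SADB form keeps those bytes zero and carries the zone in sin6_scope_id. embed_scope() and recover_scope() are this example's own helpers standing in for what ipsec_encap() and ipsec_common_input() need (they are not FreeBSD's sa6_embedscope()/sa6_recoverscope()), sa6_equal() is a stand-in for the SADB comparison, and the fe80::1 / zone 2 scenario is constructed.

```c
/* Added example, not FreeBSD code: converting an IPv6 link-local address
 * between the KAME kernel-internal form (zone id embedded in bytes 2-3)
 * and the wire/SADB form (zone id in sin6_scope_id). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int
is_linklocal(const struct in6_addr *a)
{
	return (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80);	/* fe80::/10 */
}

/* SADB form -> kernel-internal form (what output needs before ip6_output()).
 * 0 on success; -1 if the zone does not fit in 16 bits or the word already
 * carries one, so we never silently overwrite a zone. */
int
embed_scope(struct sockaddr_in6 *sa6)
{
	uint32_t zone = sa6->sin6_scope_id;

	if (!is_linklocal(&sa6->sin6_addr) || zone == 0)
		return (0);		/* nothing to embed */
	if (zone > 0xffff || sa6->sin6_addr.s6_addr[2] != 0 ||
	    sa6->sin6_addr.s6_addr[3] != 0)
		return (-1);
	sa6->sin6_addr.s6_addr[2] = (uint8_t)(zone >> 8);
	sa6->sin6_addr.s6_addr[3] = (uint8_t)zone;
	sa6->sin6_scope_id = 0;
	return (0);
}

/* Kernel-internal form -> SADB form (what the inbound SA lookup needs).
 * -1 if sin6_scope_id already names a different zone than the embedded one. */
int
recover_scope(struct sockaddr_in6 *sa6)
{
	uint16_t zone;

	if (!is_linklocal(&sa6->sin6_addr))
		return (0);
	zone = (uint16_t)((sa6->sin6_addr.s6_addr[2] << 8) | sa6->sin6_addr.s6_addr[3]);
	if (zone == 0)
		return (0);
	if (sa6->sin6_scope_id != 0 && sa6->sin6_scope_id != zone)
		return (-1);
	sa6->sin6_scope_id = zone;
	sa6->sin6_addr.s6_addr[2] = 0;
	sa6->sin6_addr.s6_addr[3] = 0;
	return (0);
}

/* SADB-style comparison: address bytes and scope id must both match. */
int
sa6_equal(const struct sockaddr_in6 *a, const struct sockaddr_in6 *b)
{
	return (memcmp(&a->sin6_addr, &b->sin6_addr, sizeof(a->sin6_addr)) == 0 &&
	    a->sin6_scope_id == b->sin6_scope_id);
}

static void
mk_in6(struct sockaddr_in6 *sa6, const char *text, uint32_t scope)
{
	memset(sa6, 0, sizeof(*sa6));
	sa6->sin6_family = AF_INET6;
	sa6->sin6_scope_id = scope;
	inet_pton(AF_INET6, text, &sa6->sin6_addr);
}

/* Constructed scenario: the SADB holds fe80::1 with zone 2 in sin6_scope_id;
 * the inbound packet carries kernel-internal fe80:2::1 with scope 0.
 * Returns 1 if the raw forms do not match, recover_scope() makes them match,
 * and embed_scope() takes the address back to the internal form. */
int
scope_roundtrip_demo(void)
{
	struct sockaddr_in6 sadb, pkt;

	mk_in6(&sadb, "fe80::1", 2);
	mk_in6(&pkt, "fe80:2::1", 0);
	if (sa6_equal(&pkt, &sadb))
		return (0);		/* the lookup the commit fixes would already work */
	if (recover_scope(&pkt) != 0 || !sa6_equal(&pkt, &sadb))
		return (0);
	if (embed_scope(&pkt) != 0 || pkt.sin6_scope_id != 0 ||
	    pkt.sin6_addr.s6_addr[2] != 0x00 || pkt.sin6_addr.s6_addr[3] != 0x02)
		return (0);
	return (1);
}

/* Global addresses have no zone to embed and pass through both helpers. */
int
global_addr_untouched(void)
{
	struct sockaddr_in6 a;

	mk_in6(&a, "2001:db8::1", 7);
	return (embed_scope(&a) == 0 && a.sin6_scope_id == 7 &&
	    recover_scope(&a) == 0 && a.sin6_scope_id == 7);
}

int
main(void)
{
	printf("roundtrip ok: %d, global untouched: %d\n",
	    scope_roundtrip_demo(), global_addr_untouched());
	return (0);
}
```

The failing first comparison in scope_roundtrip_demo() is the mismatch the commit fixes in ipsec_common_input(): a packet address in kernel-internal form can never equal a SADB entry stored without the embedded zone until the zone is moved back into sin6_scope_id.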



# d899be7d 19-Jan-2015 Glen Barber <gjb@FreeBSD.org>

Reintegrate head: r274132-r277384

Sponsored by: The FreeBSD Foundation


# 8f0ea33f 13-Jan-2015 Glen Barber <gjb@FreeBSD.org>

Reintegrate head revisions r273096-r277147

Sponsored by: The FreeBSD Foundation


# afbe8aa4 18-Dec-2014 Enji Cooper <ngie@FreeBSD.org>

MFhead @ r275911 (also, sort out MK_* flags in BMAKE, etc on this branch)

