fb8de0f1 | 03-May-2022 | claudio <claudio@openbsd.org>
Retire CRYPTO_F_MPSAFE, it is no longer of any use. The crypto framework no longer uses a callback and so there is no need to define the callback as MPSAFE. OK bluhm@

41d7544a | 20-Jan-2022 | bluhm <bluhm@openbsd.org>
Shifting signed integers left by 31 is undefined behavior in C. found by kubsan; joint work with tobhe@; OK miod@

c068f513 | 23-Dec-2021 | bluhm <bluhm@openbsd.org>
Remove unused variables and assignments in ah and esp output. found by clang 13; OK tobhe@

5ee194bc | 23-Dec-2021 | bluhm <bluhm@openbsd.org>
IPsec is not MP safe yet. To allow forwarding in parallel without dirty hacks, it is better to protect IPsec input and output with kernel lock. Not much is lost as crypto needs the kernel lock anyway. From here we can refine the lock later. Note that there is no kernel lock in the SPD lookup path. Goal is to keep that lock free to allow fast forwarding with non-IPsec traffic. tested by Hrvoje Popovski; OK tobhe@

00f8a0bd | 20-Dec-2021 | tobhe <tobhe@openbsd.org>
Remove unused variable 'clen'.
ok bluhm@

d997d144 | 20-Dec-2021 | mvs <mvs@openbsd.org>
Use per-CPU counters for tunnel descriptor block (TDB) statistics. 'tdb_data' struct became unused and was removed.
Tested by Hrvoje Popovski. ok bluhm@

59b9936b | 11-Dec-2021 | bluhm <bluhm@openbsd.org>
Protect the write access to the TDB flags field with a mutex per TDB. Clearing the timeout flags just before pool put in tdb_free() does not make sense. Move this to tdb_delete(). While there make the parentheses in the flag check consistent. tested by Hrvoje Popovski; OK tobhe@

6b86e016 | 21-Nov-2021 | mvs <mvs@openbsd.org>
Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the userland the TDBs which exceeded hard limit.
Also the `ipsec_notdb' counter description in header doesn't match the netstat(1) description. We never count `ipsec_notdb' and the netstat(1) description looks more appropriate so it's used to avoid confusion with the new counter.
ok bluhm@

bec0ed23 | 11-Nov-2021 | bluhm <bluhm@openbsd.org>
Do not call ip_deliver() recursively from IPsec. As there is no crypto task anymore, it is possible to return the next protocol. Then ip_deliver() will walk the header chain in its loop. IPsec bridge(4) tested by jan@ OK mvs@ tobhe@ jan@

81edd27c | 08-Nov-2021 | tobhe <tobhe@openbsd.org>
Use plen consistently.
ok patrick@

eebf22aa | 04-Nov-2021 | tobhe <tobhe@openbsd.org>
The authenticator is removed elsewhere.
ok patrick@

a73fdee2 | 24-Oct-2021 | tobhe <tobhe@openbsd.org>
Merge esp_input_cb() into esp_input().
ok bluhm@

e63ce21b | 24-Oct-2021 | bluhm <bluhm@openbsd.org>
There are more m_pullup() in IPsec input. Pass down the pointer to the mbuf to update it globally. At the end it will reach ip_deliver() which expects a pointer to an mbuf. OK sashan@

0b84e471 | 24-Oct-2021 | tobhe <tobhe@openbsd.org>
Remove 'struct tdb_crypto' allocations from esp_input() and esp_output(). This was needed to pass arguments to the callback function, but is no longer necessary after the API makeover.
ok bluhm@

87edded1 | 24-Oct-2021 | tobhe <tobhe@openbsd.org>
Remove crp_etype and return errors directly from crypto_invoke().
ok patrick@

2ea1c0c8 | 24-Oct-2021 | bluhm <bluhm@openbsd.org>
Pass the error of the IPsec callback to the caller. The dropped counter is handled there. OK tobhe@

d5072c26 | 23-Oct-2021 | bluhm <bluhm@openbsd.org>
There is an m_pullup() down in AH input. As it may free or change the mbuf, the callers must be careful. Although there is no bug, use the common pattern to handle this. Pass down an mbuf pointer mp and let m_pullup() update the pointer in all callers. It looks like the tcp signature functions should not be called. Avoid an mbuf leak and return an error. OK mvs@

12758001 | 23-Oct-2021 | tobhe <tobhe@openbsd.org>
Retire asynchronous crypto API as it is no longer required by any driver and adds unnecessary complexity. Dedicated crypto offloading devices are not common anymore. Modern CPU crypto acceleration works synchronously, eliminating the need for callbacks.
Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is blocking and only returns after the operation has completed or an error occurred. Invoke callback functions directly from the consumer (e.g. IPsec, softraid) instead of relying on the crypto driver to call crypto_done().
ok bluhm@ mvs@ patrick@

bc489a1c | 22-Oct-2021 | bluhm <bluhm@openbsd.org>
Make error handling in IPsec consistent. Pass errors to the callers. OK tobhe@

42abd1cf | 21-Oct-2021 | tobhe <tobhe@openbsd.org>
Remove code to run crypto operations in a task queue. The code was not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.
ok patrick@ mvs@ bluhm@

46fc8350 | 21-Oct-2021 | tobhe <tobhe@openbsd.org>
Remove duplicate variable ibytes, use plen instead.
ok bluhm@

b092f79b | 13-Oct-2021 | bluhm <bluhm@openbsd.org>
The function crypto_dispatch() never returns an error. Make it void and remove error handling in the callers. OK patrick@ mvs@

ead5a062 | 13-Oct-2021 | bluhm <bluhm@openbsd.org>
The function ipip_output() was registered as .xf_output() xform function. But it is never called via this pointer. It would have immediately crashed as mp is always NULL when called via .xf_output(). Do not set .xf_output to ipip_output. This allows passing only the parameters which are actually needed and the control flow is clearer. OK mpi@

1ff726c6 | 27-Jul-2021 | mvs <mvs@openbsd.org>
Revert "Use per-CPU counters for tunnel descriptor block" diff.
Panic reported by Hrvoje Popovski.

5a1e2cae | 26-Jul-2021 | mvs <mvs@openbsd.org>
Use per-CPU counters for tunnel descriptor block (tdb) statistics. 'tdb_data' struct became unused and was removed.
ok bluhm@
