#
8092cf70 |
| 07-Feb-2017 |
bluhm <bluhm@openbsd.org> |
IPsec packets could be dropped unaccounted if output after crypto failed. Add a counter for that case. OK dhill@
|
#
e410e70d |
| 07-Feb-2017 |
patrick <patrick@openbsd.org> |
Reduce the per-packet allocation costs for crypto operations (cryptop) by pre-allocating two cryptodesc objects and storing them in an array instead of a linked list. If more than two cryptodesc objects are required use mallocarray to fetch them. Adapt the drivers to the new API.
This change results in one pool-get per ESP packet instead of three. It also simplifies softraid crypto where more cryptodesc objects are allocated than used.
From, with and ok markus@, ok bluhm@ "looks sane" mpi@
|
#
faa5c633 |
| 07-Feb-2017 |
bluhm <bluhm@openbsd.org> |
The return code of crp_callback is never checked, so it is not useful to propagate the error. When an error occurs in an asynchronous network path, incrementing a counter is the right thing. There are four places where an error is not accounted, just add a comment for now. OK mpi@ visa@
|
#
f3f33f6a |
| 09-Jan-2017 |
mpi <mpi@openbsd.org> |
Grab the NET_LOCK() in various callbacks.
Fix an assert reported by Hrvoje Popovski.
ok visa@, mikeb@
|
#
855f6737 |
| 24-Dec-2016 |
mpi <mpi@openbsd.org> |
Grab the NET_LOCK() before calling ipsp_process_done() as it ends up in ip_output().
Found the hard way by and ok kettenis@
|
#
4a4896af |
| 19-Sep-2016 |
tedu <tedu@openbsd.org> |
convert bcopy to memcpy. from david hill.
|
#
5db30710 |
| 13-Sep-2016 |
markus <markus@openbsd.org> |
avoid extensive mbuf allocation for IPsec by replacing m_inject(4) with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@
|
#
2be2e590 |
| 18-Aug-2016 |
dlg <dlg@openbsd.org> |
fix panics caused by replacing m_copym2 with m_dup_pkt.
m_copym2 is fine duplicating an arbitrary chain of mbufs, while m_dup_pkt wants to dup a packet with proper headers in the first mbuf. ipsec copied the tail of an mbuf if any of the clusters are shared or readonly, and swapped that tail with the result of m_copym2.
m_dup_pkt panics cos of that.
this makes ipsec duplicate the whole packet if any of the chain is readonly.
found by naddy@ and mlarkin@ this fix is from visa@ who told me to commit it cos he's afk (sleeping) tested by naddy@
|
#
8927f87f |
| 15-Aug-2016 |
dlg <dlg@openbsd.org> |
replace the last uses of m_copym2 with m_dup_pkt.
ok mpi@ visa@
|
#
c799dc6d |
| 07-Mar-2016 |
naddy <naddy@openbsd.org> |
Sync no-argument function declaration and definition by adding (void). ok mpi@ millert@
|
#
0e800071 |
| 09-Dec-2015 |
naddy <naddy@openbsd.org> |
Remove plain DES encryption from IPsec.
DES is insecure since brute force attacks are practical due to its short key length.
This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
#
50550fd7 |
| 03-Nov-2015 |
mikeb <mikeb@openbsd.org> |
Plumb Chacha20-Poly1305 into the IPsec/ESP and PF_KEY frameworks
ok naddy
|
#
09284026 |
| 15-Jul-2015 |
deraadt <deraadt@openbsd.org> |
m_freem() can handle NULL, do not check for this condition beforehand. ok stsp mpi
|
#
cfb5f49c |
| 15-Jun-2015 |
mikeb <mikeb@openbsd.org> |
No need for an extra local variable; no functional change.
|
#
6753a1fb |
| 15-Jun-2015 |
mikeb <mikeb@openbsd.org> |
Use proper argument type for crp_callback functions; no functional change.
|
#
0245ebf4 |
| 17-Apr-2015 |
mikeb <mikeb@openbsd.org> |
Stubs and support code for NIC-enabled IPsec bite the dust. No objection from reyk@, OK markus, hshoexer
|
#
3514aacb |
| 14-Apr-2015 |
mikeb <mikeb@openbsd.org> |
make ipsp_address thread safe; ok mpi
|
#
ad7d1a35 |
| 19-Dec-2014 |
tedu <tedu@openbsd.org> |
unifdef INET in net code as a precursor to removing the pretend option. long live the one true internet. ok henning mikeb
|
#
0deb6685 |
| 05-Dec-2014 |
mpi <mpi@openbsd.org> |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
3811cf15 |
| 18-Nov-2014 |
tedu <tedu@openbsd.org> |
move arc4random prototype to systm.h. more appropriate for most code to include that than rdnvar.h. ok deraadt dlg
|
#
2ec318bf |
| 22-Jul-2014 |
mpi <mpi@openbsd.org> |
Fewer <netinet/in_systm.h> !
|
#
dd168dc2 |
| 12-Jul-2014 |
tedu <tedu@openbsd.org> |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
73a8458f |
| 09-Jul-2014 |
henning <henning@openbsd.org> |
bpf code surgery / shuffling / simplification. the various bpf_mtap_* are very similar, they differ in what (and to some extent how) they prepend something, and what copy function they pass to bpf_catchpacket. use an internal _bpf_mtap as "backend" for bpf_mtap and friends. extend bpf_mtap_hdr so that it covers all common cases: if dlen is 0, nothing gets prepended. copy function can be given, if NULL the default bpf_mcopy is used. adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn. re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr. re-implement bpf_mtap_ether using bpf_map_hdr re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper ok bluhm benno
|
#
f8575965 |
| 09-Jan-2014 |
tedu <tedu@openbsd.org> |
bzero/bcmp -> memset/memcmp. ok matthew
|
#
331bae3d |
| 11-Apr-2013 |
mpi <mpi@openbsd.org> |
Remove the extern keyword from function declarations, document sysctl declarations, move variables and functions used in only one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
|