src/lib/libipsec, branch release/13.1.0

src/lib/libipsec, branch release/13.1.0 FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F13.1.0 2021-08-13T09:34:42Z ipsec_set_policy(3): fix sentence 2021-08-13T09:34:42Z Konstantin Belousov kib@FreeBSD.org 2021-08-09T10:37:41Z urn:sha1:c24e3f5d44b7a88690913655de20cb4e26b01af6 (cherry picked from commit ba3896e16913fd6f9f227d84038171f1fdf5496b) Refer to AES-CBC as "aes-cbc" rather than "rijndael-cbc" for IPsec. 2020-06-04T22:58:37Z John Baldwin jhb@FreeBSD.org 2020-06-04T22:58:37Z urn:sha1:00a4311adc197c3518f5d60c69e00c4e80d065fd At this point, AES is the more common name for Rijndael128. setkey(8) will still accept the old name, and old constants remain for compatiblity. Reviewed by: cem, bcr (manpages) MFC after: 2 weeks Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24964 Remove support for IPsec algorithms deprecated in r348205 and r360202. 2020-05-02T00:06:58Z John Baldwin jhb@FreeBSD.org 2020-05-02T00:06:58Z urn:sha1:16aabb761c0a8e5fb120594fcce4f2bf79fad61e Examples of depecrated algorithms in manual pages and sample configs are updated where relevant. I removed the one example of combining ESP and AH (vs using a cipher and auth in ESP) as RFC 8221 says this combination is NOT RECOMMENDED. Specifically, this removes support for the following ciphers: - des-cbc - 3des-cbc - blowfish-cbc - cast128-cbc - des-deriv - des-32iv - camellia-cbc This also removes support for the following authentication algorithms: - hmac-md5 - keyed-md5 - keyed-sha1 - hmac-ripemd160 Reviewed by: cem, gnn (older verisons) Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24342 Update Makefile.depend files 2019-12-11T17:37:53Z Simon J. Gerraty sjg@FreeBSD.org 2019-12-11T17:37:53Z urn:sha1:2c9a9dfc187d171de6b92654d71b977f067ed641 Update a bunch of Makefile.depend files as a result of adding Makefile.depend.options files Reviewed by: bdrewery MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22494 libipsec: correct a typo 2019-11-09T21:59:29Z Bjoern A. Zeeb bz@FreeBSD.org 2019-11-09T21:59:29Z urn:sha1:1802a6b5b87888277c30873610dd7dc6f70eef9e Correct a typo in the ipsec_errlist and replicated in a comment. No functional changes. MFC after: 3 weeks pkgbase: Put a lot of binaries and lib in FreeBSD-runtime 2019-09-05T14:13:08Z Emmanuel Vadot manu@FreeBSD.org 2019-09-05T14:13:08Z urn:sha1:a7b5a3d48640f3f5898b05328d71c2949b6b7098 All of them are needed to be able to boot to single user and be able to repair a existing FreeBSD installation so put them directly into FreeBSD-runtime. Reviewed by: bapt, gjb Differential Revision: https://reviews.freebsd.org/D21503 Update pfkey_open() function to set socket's write buffer size to 2018-03-11T19:26:34Z Andrey V. Elsukov ae@FreeBSD.org 2018-03-11T19:26:34Z urn:sha1:d570044ce1552a68faccc81562a6209afd0f5e65 128k and receive buffer size to 2MB. In case if system has bigger default values, do not lower them. This should partially solve the problem, when setkey(8) returns EAGAIN error on systems with many SAs or SPs. PR: 88336 Obtained from: NetBSD/ipsec-tools MFC after: 2 weeks General further adoption of SPDX licensing ID tags. 2017-11-20T19:49:47Z Pedro F. Giffuni pfg@FreeBSD.org 2017-11-20T19:49:47Z urn:sha1:8a16b7a18f5d0b031f09832fd7752fba717e2a97 Mainly focus on files that use BSD 3-Clause license. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, superceed or replace the license texts. Special thanks to Wind River for providing access to "The Duke of Highlander" tool: an older (2014) run over FreeBSD tree was useful as a starting point. DIRDEPS_BUILD: Update dependencies. 2017-10-31T00:07:04Z Bryan Drewery bdrewery@FreeBSD.org 2017-10-31T00:07:04Z urn:sha1:ea825d02749f382c3f7e17f28247f20a48733eab Sponsored by: Dell EMC Isilon Add large replay widow support to setkey(8) and libipsec. 2017-04-13T14:44:17Z Andrey V. Elsukov ae@FreeBSD.org 2017-04-13T14:44:17Z urn:sha1:4e0e8f3107affbfd2cffa8ae92535e3a0cbdce31 When the replay window size is large than UINT8_MAX, add to the request the SADB_X_EXT_SA_REPLAY extension header that was added in r309144. Also add support of SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI, SADB_X_EXT_NAT_T_OAR, SADB_X_EXT_SA_REPLAY, SADB_X_EXT_NEW_ADDRESS_SRC, SADB_X_EXT_NEW_ADDRESS_DST extension headers to the key_debug that is used by `setkey -x`. Modify kdebug_sockaddr() to use inet_ntop() for IP addresses formatting. And modify kdebug_sadb_x_policy() to show policy scope and priority. Reviewed by: gnn, Emeric Poupon MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D10375