src/sys/netipsec, branch releng/14.3FreeBSD source treehttps://cgit-dev.freebsd.org/src/atom?h=releng%2F14.32025-03-13T10:21:30Zpfkey2: use correct value for a key length2025-03-13T10:21:30ZAndrey V. Elsukovae@FreeBSD.org2025-03-06T12:18:59Zurn:sha1:72e2ebf642125efb74479fd038f45f49a3e846e4
The length of key data is specified via sadb_key_bits field.
Use specified size for buffer allocation and key copying.
Also add a check that the value of sadb_key_bits is not zero,
as explicitly required in RFC 2367.
PR: 241010
Submitted by: jean-francois.hren at stormshield eu
(cherry picked from commit 04207850a9b988d3c04e904cb5783f33da7fe184)
netipsec: Pass the right mbuf up2025-01-20T00:26:35ZMark Johnstonmarkj@FreeBSD.org2025-01-06T23:20:08Zurn:sha1:65da23709d2047c996fb9434e68c2ce90ecdc1bb
Note that key_spdacquire() is dead code, as the SADB_X_SPDACQUIRE
message handler is not set.
PR: 243057
MFC after: 2 weeks
(cherry picked from commit 378a2b155aaf853933df5b53e174b3880826488c)
pfkey: Fix some checks in kdebug_sadb()2024-12-18T13:43:42ZTobias Heiderme@tobhe.me2024-12-04T01:13:41Zurn:sha1:0c5701ff8fdf9103446f605fcab29608f4715338
Besides not doing any sufficient check that the length of a parsed
message is not bigger than the actual allocated buffer, kdebug_sadb()
incorrectly compares ext->sadb_ext_len, the extension payload size in 8
byte chunks, with tlen, which is the full message payload size in bytes.
This should compare PFKEY_UNUNIT64(ext->sadb_ext_len) with tlen instead.
PR: 277456
MFC after: 2 weeks
(cherry picked from commit 0dab21248bc9fab09e92b0c037303c921ebb1b8d)
ipsec: fix IPv6 over IPv4 tunneling.2024-12-02T10:24:03ZAndrey V. Elsukovae@FreeBSD.org2024-11-25T17:42:00Zurn:sha1:628e76a986b9621199e77730eebfdb8e0e43c945
Properly initialize setdf variable in ipsec_encap().
It is used for AF_INET6 case when IPv6 datagram is going to be
encapsulated into IPv4 datagram.
PR: 282535
Fixes: 4046178557e1
(cherry picked from commit c94d6389e428fac55946bfcdbbc3162c06a9278e)
ipsec esp: avoid dereferencing freed secasindex2024-03-04T00:27:17ZKonstantin Belousovkib@FreeBSD.org2024-02-25T10:30:48Zurn:sha1:7f387adb6996c8fe93a280b97048d41bfd0daa1f
(cherry picked from commit 1a56620b7958cac2b9048589cb730c46958ab539)
sys: Remove $FreeBSD$: one-line .c pattern2023-08-16T17:54:36ZWarner Loshimp@FreeBSD.org2023-08-16T17:54:36Zurn:sha1:685dc743dc3b5645e34836464128e1c0558b404b
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
sys: Remove $FreeBSD$: one-line .c comment pattern2023-08-16T17:54:24ZWarner Loshimp@FreeBSD.org2023-08-16T17:54:24Zurn:sha1:71625ec9ad2a9bc8c09784fbd23b759830e0ee5f
Remove /^/[*/]\s*\$FreeBSD\$.*\n/
sys: Remove $FreeBSD$: two-line .h pattern2023-08-16T17:54:11ZWarner Loshimp@FreeBSD.org2023-08-16T17:54:11Zurn:sha1:95ee2897e98f5d444f26ed2334cc7c439f9c16c6
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
tcp: fix TCP MD5 digest computation for TCP over UDP2023-06-21T20:48:12ZMichael Tuexentuexen@FreeBSD.org2023-06-21T20:48:12Zurn:sha1:0fb0711dba76a32a2202d2f41d64aa1247b5e51d
Skip the UDP header for the computation. This is similar to
skipping IPv6 extension headers.
Reviewed by: cc, rscheff
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D40596
ipsec: Make algorithm tables read-only2023-06-02T17:43:15ZMark Johnstonmarkj@FreeBSD.org2023-06-02T17:22:56Zurn:sha1:056305d3aa2bdb93e57c7a3d369e5742b1b404b8
No functional change intended.
MFC after: 1 week