Age | Commit message | Author |
|
Fix comment
|
|
ipsec.h: Merge with EOM 1.33
pf_encap.c: Merge with EOM 1.52
pf_key_v2.c: Merge with EOM 1.3
Fix case of missing client ID payloads, a case the standards allow. Thanks
to Michael Paddon (mwp@aba.net.au) for the diffs I based my fix upon. His
diff also made me realize I stored the address information in host order in
internal structures where I had planned to use network order. Fix this,
and remove the XXXes I had due to this elsewhere. Add commentary.
|
|
Use flow replacement openbsd extension. Deleted flows when deleting SAs.
Handle expirations. General cleanup.
|
|
new exchange establishment API, byteorder fix to debug printout. Fix a long
standing logic error related to saving SA bodies that ElectricFence found
for me.
|
|
Do not overwrite the last-sent-message of phase 1 with last-sent dittos
of phase2. Add some debugging. Make exchange finalization accept added
hooks to run. Try to protect better against multiple equal exchanges
getting started concurrently. Set the SA names from the exchange name up
early. Change "Attributes" to "Flags" to not be mistaken for ISAKMP
attributes. Let phase 2 exchanges take finalization functions too.
|
|
Do not overwrite the last-sent-message of phase 1 with last-sent dittos
of phase2. Add some debugging. Make exchange finalization accept added
hooks to run. Try to protect better against multiple equal exchanges
getting started concurrently. Set the SA names from the exchange name up
early. Change "Attributes" to "Flags" to not be mistaken for ISAKMP
attributes. Let phase 2 exchanges take finalization functions too.
|
|
the SA replace flag
|
|
Add debugging. Provide a way to say an SA has been replaced wrt the flows.
Do not free the flow information before calling the sysdep delete_spi
routine, as it may use it.
|
|
Async PF_ENCAP messages might be handled earlier so recheck readability in
the handler. Remove some XXX comments. Fix some byte order conversions in
debugging output.
|
|
Document IPSec SA flags
|
|
Mark replaced SAs as such. Move SA naming earlier. Reorder & comment funcs.
|
|
Do not deref after free, thanks ElectricFence
|
|
Append to LDADD and DPADD, not replace
|
|
SCSI_NCR_DFLT_TAGS
|
|
when recalculating the ip checksum. cp is not guaranteed to
be aligned. It now doesn't matter that cp isn't aligned as
the caller does another mbuf_Alloc() regardless.
|
|
code from op21@squish.org
|
|
to new one), and update my email and the current FTP addresses.
|
|
need to process a signal (usually a SIGALRM). Check to see
if we need to process a signal both before *and* after calling
select() as older (pre-2.0) versions of ppp used to.
This handles the possibility that ppp may block at some
point (maybe due to an open() of a misconfigured device).
Previously, we'd potentially lock up in select().
The `necessary' marker reduces the increased signal checking
overhead so that at full speed with no compression transferring
an 83Mb file via a ``!ppp -direct'' device, we get a 1%
throughput gain.
|
|
Also document the NGROUPS limit.
|
|
ACCMAP being REQuested by the peer, also increment our FSM
id so that we don't end up sending out a new REQ with the
same ID and different data (the changed ACCMAP).
|
|
is aligned for non-i386 architectures.
|
|
previously were shipping machine specific header files for other processors
in addition to the correct one.
|
|
remove perl header files for files previously incorrectly installed.
|
|
link.h or dlfcn.h
|
|
example.
Submitted by: MALCOLM BOFF <Malcolm_Boff@compuserve.com>
|
|
outgoing SA-pairs, fix a bug in SPI generation. the daemon registers
with pfkey but does not yet handle expiration or acquire messages. well,
there are NO acquire messages at the moment, so dynamic keyed vpn or
stuff does not work :-\ - all this done in canada. thanks again to
dugsong and linh for the ride. linh is sleeping now.
|
|
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.
|
|