Age | Commit message | Author | |
---|---|---|---|
2013-04-10 | Remove various external variable declarations from source files and move them to the corresponding header with an appropriate comment if necessary. ok guenther@ | Martin Pieuchot | |
2012-06-29 | Add support for the Extended (64-bit) Sequence Number as defined in RFC4302 and RFC4303. Right now only software crypto engine is capable of doing it. Replay check was rewritten to implement algorithm described in the Appendix A of RFC4303 and the window size was increased to 64. Tested against OpenBSD, Linux (strongswan) and Windows. No objection from the usual suspects. | Mike Belopuhov | |
2012-03-28 | pfkey needs some p_p->ps_pid too. OK deraadt@ guenther@ | Claudio Jeker | |
2010-07-01 | Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot. This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocated array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly. Discussed with many, tested by a few, will need more testing & review. ok deraadt@ | Reyk Floeter | |
2008-10-22 | #if INET => #ifdef INET, #if INET6 => #ifdef INET6 | Marco Pfatschbacher | |
2007-07-30 | With adding ipsec tags and exporting flow filters via sysctl SADB_GET needs to be allowed to export that information too. Thus, adjust sadb_exts_allowed_out[] accordingly. This fixes isakmpd not being able to get the in-kernel last-used-counters of SAs, which are needed for DPD. ok ho@ | Hans-Joerg Hoexer | |
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter | |
2005-05-28 | Add SA replay counter synchronization to pfsync(4). Required for IPsec failover gateways. ok mcbride@, "looks good" hshoexer@ | Hakan Olsson | |
2004-08-10 | Add SADB_X_EXT_LIFETIME_LASTUSE for use with isakmpd/DPD, adding this extends the bitmap to 64bits. Also repair SADB_GET. hshoexer@ ok. | Hakan Olsson | |
2004-03-31 | in the tcp md5sig case allow empty (wildcard) src or dst ok markus@ | Henning Brauer | |
2003-12-02 | UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt) ok deraadt@ | Markus Friedl | |
2003-02-16 | KNF | Theo de Raadt | |
2003-02-16 | KNF | Jason Wright | |
2002-06-07 | FLOW_TYPE in ADD/UPDATE. | Angelos D. Keromytis | |
2002-05-31 | Allow auth payloads in ACQUIRE messages. Part of a larger commit to come. | Angelos D. Keromytis | |
2002-02-23 | SRC prefix is not required for some operations. | Angelos D. Keromytis | |
2001-07-05 | IPComp. angelos@ ok. | Jean-Jacques Bernard-Gundol | |
2001-07-03 | Use PADUP() instead of hand-crafted weirdness; also, it's supposed to be "strlen(c) + 1", not just "strlen(c)". | Angelos D. Keromytis | |
2001-07-01 | Add missing space in debug message. | Angelos D. Keromytis | |
2001-07-01 | Fix length check, add some more sanity checks on INET6. | Angelos D. Keromytis | |
2001-07-01 | KNF, and add DPRINTFs all over the place. | Angelos D. Keromytis | |
2001-06-08 | Yet more include file cleanup. | Angelos D. Keromytis | |
2001-06-05 | repair copyright notices for NRL & cmetz; cmetz | Theo de Raadt | |
2001-06-05 | Make our pfkeyv2.h more RFC2367 compliant. Also fix some backwards compatibility problems in isakmpd, at least 2.8 stable can compile current isakmpd now. angelos@ ok | Niklas Hallqvist | |
2001-05-30 | Import/export authentication information for SA. | Angelos D. Keromytis | |
2001-05-30 | Check the LOCAL_AUTH payload. | Angelos D. Keromytis | |
2001-05-05 | Use the new M_* malloc types | Angelos D. Keromytis | |
2001-04-19 | Include NUL-termination in identity extension length computation | Niklas Hallqvist | |
2001-04-14 | Minor changes, preparing for real socket-attached TDBs; also, more information will be stored in the TDB. ok ho@ provos@ | Angelos D. Keromytis | |
2001-03-28 | Allow tdbi's to appear in mbufs throughout the stack; this allows security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs. | Angelos D. Keromytis | |
2001-03-21 | Don't force sin6_port to be zero. | Angelos D. Keromytis | |
2001-03-04 | Import/export credentials from TDB. | Angelos D. Keromytis | |
2000-12-14 | sync with pfkey rfc. you need to rebuild ipsecadm and isakmpd after this. okay angelos@ | Niels Provos | |
2000-10-14 | ASKPOLICY message; used by key management to inquire about policy triggering an ACQUIRE. | Angelos D. Keromytis | |
2000-09-29 | Don't use an SA payload for ADDFLOW/DELFLOW. | Angelos D. Keromytis | |
2000-09-21 | Correctly handle srcid/dstid. | Angelos D. Keromytis | |
2000-09-20 | Allow IDENTITY payloads in ADDFLOW messages. | Angelos D. Keromytis | |
2000-09-19 | SA bundles. | Angelos D. Keromytis | |
2000-09-19 | SPD-driven IPsec. | Angelos D. Keromytis | |
2000-01-23 | Allow BITMAP_ADDRESS_DST in ADDFLOW messages. | Angelos D. Keromytis | |
1999-12-20 | sockaddr_in6 is padded to 32 bytes. | Angelos D. Keromytis | |
1999-07-02 | rename SADB_foo_X_bar to SADB_X_foo_bar | Theo de Raadt | |
1999-03-27 | add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing SA to be used, use this SA in ip_output if available. allow mobile road warriors for bind SAs with wildcard dst and src addresses. check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient. add stats to show dropped packets because of insufficient IPSEC protection. -- phew. this was all done in canada. dugsong and linh provided the ride and company. | Niels Provos | |
1999-03-05 | restrict replay window size to 32 | Theo de Raadt | |
1999-02-25 | Allow PF_KEY kernel message replies for X_ADDFLOW, X_DELFLOW, and X_GRPSPIS | Angelos D. Keromytis | |
1999-02-25 | Removed osdep.h dependencies. | Angelos D. Keromytis | |
1999-02-24 | PF_KEY_V2, with local extensions for SPD management. | Angelos D. Keromytis | |