src - OpenBSD base system

Age	Commit message (Collapse)	Author
2001-06-26	KNF	Angelos D. Keromytis

2001-06-25	Copyright.	Angelos D. Keromytis

2001-06-23	merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts ↵	Theo de Raadt
	inside OpenSSL codebase
2001-06-23	Remove unneeded ip_id convertions.	Federico G. Schwindt
	Instead of using HTONS macro in some places, use htons directly in the struct member and save us a few bytes. Fix comment.
2001-06-08	Trim include files.	Angelos D. Keromytis

2001-06-01	The IPsec-aware NIC cards don't pass the ICV for later verification	Angelos D. Keromytis
	by the stack; that means, if we have a tag it means the ICV was successfully verified and we don't need to do anything else. As well, we don't need any other status information from the NIC.
2001-05-30	Update to match prototypes.	Angelos D. Keromytis

2001-05-30	Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE	Angelos D. Keromytis
	on input.
2001-05-27	Probably a good idea to pass the NULL to the correct function...	Angelos D. Keromytis

2001-05-27	Pass a NULL packet tag for now to ipsp_common_input_cb().	Angelos D. Keromytis

2001-05-17	convert mbuf and cluster allocation to pool, mostly from NetBSD	Niels Provos
	okay art@ miod@
2001-05-13	initial cut at /dev/crypto support. takes original mbuf "try, and discard	Theo de Raadt
	if we fail" semantics and extends to two varients of data movement: mbuf, or an iovec style block.
2001-05-12	Move bzero() after test for correct allocation (jj@wabbitt.org)	Angelos D. Keromytis

2001-04-14	Minor changes, preparing for real socket-attached TDBs; also, more	Angelos D. Keromytis
	information will be stored in the TDB. ok ho@ provos@
2001-04-06	Move offsetof define into sys/param.h	Constantine Sapuntzakis

2001-03-28	Allow tdbi's to appear in mbufs throughout the stack; this allows	Angelos D. Keromytis
	security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs.
2001-03-15	convert SA expirations to the new timeouts.	Michael Shalayeff
	simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistant throughout the code to be a relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok
2001-02-20	tighten IPv4 option header processing (we may want to do more).	Jun-ichiro itojun Hagino
	reviewed by angelos.
2000-11-17	HMAC96->HMAC	Angelos D. Keromytis

2000-09-19	Lots and lots of changes.	Angelos D. Keromytis

2000-08-03	Careful with ip_off	Angelos D. Keromytis

2000-06-20	try to cope with AH6 with scoped address case better.	Jun-ichiro itojun Hagino

2000-06-18	Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're	Angelos D. Keromytis
	defined to be the same in mbuf.h)
2000-06-18	The callbacks need to set the appropriate spl level now.	Angelos D. Keromytis

2000-06-06	Get rid of tdb_ref, keep indirect pointer to TDB.	Angelos D. Keromytis

2000-06-01	Check for invalid TDBs right away in the callbacks.	Angelos D. Keromytis

2000-04-25	when fixing up the header, copy from the right sized datatype (fixes IPsec	Jason Wright
	on big-endian machines)
2000-03-21	Fix casting so it compiles on alphas (testing by janjaap@stack.nl,	Angelos D. Keromytis
	closing pr #1150)
2000-03-17	Cryptographic services framework, and software "device driver". The	Angelos D. Keromytis
	idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
2000-02-07	fix include file path related to ip6.	Jun-ichiro itojun Hagino

2000-01-27	Merge "old" and "new" ESP and AH in two files (one for each).	Angelos D. Keromytis
	Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets before being processed, and all incoming packets after being processed. Good to be in Canada (land of the free commits).
1999-12-09	Ok, no more IPsec for OpenBSD...I've had enough with it.	Angelos D. Keromytis

1999-12-07	Forgot a printf...	Angelos D. Keromytis

1999-12-07	New ah_new_input(), protocol-independent processing (still lacking	Angelos D. Keromytis
	IPv6-specific protocol header processing).
1999-12-06	Oops, typo.	Angelos D. Keromytis

1999-12-06	Some preliminiries to AH revamping (similar to ESP)...	Angelos D. Keromytis

1999-12-06	New ESP code that's v4 and v6 friendly.	Angelos D. Keromytis

1999-11-04	gettdb() should be at spltdb().	Hakan Olsson

1999-10-29	Support multiple enc interfaces.	Angelos D. Keromytis

1999-07-05	remove bogus entry from if_enc address list; and rename enc_softc to encif	Theo de Raadt

1999-05-16	spltdb introduced, protection for tdb lists and related structures, so	Niklas Hallqvist
	they won't disappear behind our back by an expiration. Cleanup expiration logic too.
1999-05-14	A new scalable IPsec SA expiration model.	Niklas Hallqvist

1999-04-11	Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.	Niklas Hallqvist
	If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.
1999-04-09	Make the tdbi handling more robust, removes a panic case	Niklas Hallqvist

1999-03-27	add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing	Niels Provos
	SA to be used, use this SA in ip_output if available. allow mobile road warriors for bind SAs with wildcard dst and src addresses. check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient. add stats to show dropped packets because of insufficient IPSEC protection. -- phew. this was all done in canada. dugsong and linh provided the ride and company.
1999-02-24	Update copyright; remove a few annoying debugging printfs.	Angelos D. Keromytis
	Btw, OpenBSD hit 25000 commits a couple commits ago.
1999-02-24	Remove encap.h include; saner debugging printfs; fix buglets; work with	Angelos D. Keromytis
	pfkeyv2.
1998-06-10	make the packets which were successfully processed by IPSec available to	Niels Provos
	bpf via the enc0 interface, using linktype DLT_ENC.
1998-05-24	avoid source address spoofing for mutual hostile hosts which have SAs to	Niels Provos
	us, reported by Craig Metz <cmetz@inner.net>.
1998-05-18	first step to the setsockopt/getsockopt interface as described in	Niels Provos
	draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.