Age | Commit message | Author
---|---|---
2010-01-10 | Fix two bugs in IPsec/HMAC-SHA2: (1) use correct (message) block size of 128 bytes (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt | Markus Friedl
2009-11-13 | Extend the protosw pr_ctlinput function to include the rdomain. This is needed so that the route and inp lookups done in TCP and UDP know where to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain argument as well for similar reasons. With this tcp seems to be now fully rdomain safe and no longer leaks single packets into the main domain. Looks good markus@, henning@ | Claudio Jeker
2009-06-02 | Shuffle function declarations a bit; ipsp_kern doesn't actually exist, and tdb_hash is only used in ip_ipsp.c, so there's no need to declare it as extern in ip_ipsp.h. ok claudio@ henning@ | Bret Lambert
2009-02-16 | pfsync v5, mostly written at n2k9, but based on work done at n2k8. WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC. This is a new variant of the protocol and a large reworking of the pfsync code to address some performance issues. The single largest benefit comes from having multiple pfsync messages of different types handled in a single packet. pfsync's handling of pf states is highly optimised now, along with packet parsing and construction. huggz for beck@ for testing. Huge thanks to mcbride@ for his help during development and for finding all the bugs during the initial tests. Thanks to peter sutton for letting me get credit for this work. ok beck@ mcbride@ "good." deraadt@ | David Gwynne
2008-11-08 | fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom. ok deraadt@ otto@ | David Gwynne
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. This allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). See ipsec.conf(5) and isakmpd.conf(5) for details and examples. This is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter
2006-06-30 | htonq() is not used, at all | Theo de Raadt
2006-04-27 | use underscore variants of _BYTE_ORDER macros which are always defined. ok deraadt millert | Ted Unangst
2006-01-13 | Path MTU discovery for NAT-T. OK markus@, "looks good" hshoexer@ | Marco Pfatschbacher
2005-11-24 | Remove kernfs, okay deraadt@. | Pedro Martelletto
2005-05-28 | Add SA replay counter synchronization to pfsync(4). Required for IPsec failover gateways. ok mcbride@, "looks good" hshoexer@ | Hakan Olsson
2005-05-27 | wrap some comments | Hans-Joerg Hoexer
2004-11-19 | Plug memory leak. Found by pat@. Thanks! ok myself markus@ | Hans-Joerg Hoexer
2004-04-14 | simpler ipsp_aux_match() API; ok henning, hshoexer | Markus Friedl
2004-01-22 | add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@ | Markus Friedl
2003-12-10 | de-register. deraadt ok | Jun-ichiro itojun Hagino
2003-12-02 | UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt). ok deraadt@ | Markus Friedl
2003-07-24 | hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok | Jun-ichiro itojun Hagino
2003-05-06 | string cleaning; tedu ok | Theo de Raadt
2002-06-09 | whitespace | Jun-ichiro itojun Hagino
2002-05-31 | New fields in policy and TDB. | Angelos D. Keromytis
2002-03-14 | First round of __P removal in sys | Todd C. Miller
2001-08-19 | Pass the interface (if any) to ipip_input(), so it can be used in BPF. Closes PR 2000. | Angelos D. Keromytis
2001-07-05 | Style | Angelos D. Keromytis
2001-07-05 | IPComp itself (include files). angelos@ ok. | Jean-Jacques Bernard-Gundol
2001-06-27 | When determining whether there's a pending acquire wrt a policy, look at the acquires associated with the policy only. | Angelos D. Keromytis
2001-06-27 | Also link acquire state to the relevant IPsec policy. | Angelos D. Keromytis
2001-06-27 | Don't cache packets that hit policies -- we'll do that at the PCB for local packets. | Angelos D. Keromytis
2001-06-26 | Use pool(9) for IPsec policy structures. | Angelos D. Keromytis
2001-06-26 | Keep the PFKEY sequence number at the TDB, plus a little bit of KNF | Angelos D. Keromytis
2001-06-26 | KNF | Angelos D. Keromytis
2001-06-25 | damn greeks desperate for commits... | Bob Beck
2001-06-25 | KNF | Angelos D. Keromytis
2001-06-25 | Copyright. | Angelos D. Keromytis
2001-06-24 | use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok | Michael Shalayeff
2001-06-24 | path mtu discovery for ipsec. On receiving a need-fragment icmp, match against active tdb and store the ipsec header size corrected mtu | Niels Provos
2001-06-24 | remove whitespace | Niels Provos
2001-06-08 | IPSP_POLICY_STATIC flag. | Angelos D. Keromytis
2001-06-07 | Simplify SPD logic (and correct some input cases). | Angelos D. Keromytis
2001-06-01 | ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and creates a tag for each of the ESP/AH headers. This will be used by IPsec-aware NIC device drivers that need to notify IPsec that crypto processing has already been done. There is an excessive amount of m_copydata() calls used by this routine, but there's no way around it that I can think of. | Angelos D. Keromytis
2001-06-01 | The IPsec-aware NIC cards don't pass the ICV for later verification by the stack; that means, if we have a tag it means the ICV was successfully verified and we don't need to do anything else. As well, we don't need any other status information from the NIC. | Angelos D. Keromytis
2001-05-31 | Structure for NIC IPsec processing status reports. | Angelos D. Keromytis
2001-05-30 | IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth in kernfs | Angelos D. Keromytis
2001-05-30 | Forgot to update ipsec_output_done() | Angelos D. Keromytis
2001-05-30 | With the tags, we don't need to abuse the IPsec API to do socket keying. | Angelos D. Keromytis
2001-05-30 | Keep track of remote authentication material (like public key) as well. | Angelos D. Keromytis
2001-05-30 | Fields to store local auth information in policy and TDB. | Angelos D. Keromytis
2001-05-29 | Fields on TDB for last used and last SKIPCRYPTO status change. | Angelos D. Keromytis
2001-05-29 | Add ipsp_skipcrypto_{mark,unmark}() | Angelos D. Keromytis
2001-05-27 | Remove ipsp_copy_ident() prototype. | Angelos D. Keromytis