Age | Commit message | Author | |
---|---|---|---|
2000-10-14 | ASKPOLICY message; used by key management to inquire about policy triggering an ACQUIRE. | Angelos D. Keromytis | |
2000-10-09 | AES support. | Angelos D. Keromytis | |
2000-09-20 | Add IDENTITY payloads to flow establishment (and cleanup accordingly) -- this will address one of itojun's questions on how are IDs for IKE to be determined (need to add support for this to ipsecadm). | Angelos D. Keromytis | |
2000-09-19 | SA bundles. | Angelos D. Keromytis | |
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis | |
2000-06-18 | Use ip6_sprintf() rather than the home-cooked inet6_ntoa4() | Angelos D. Keromytis | |
2000-06-18 | IPv6 AH/ESP support, inbound side only. tested with KAME. | Jun-ichiro itojun Hagino | |
2000-06-06 | Get rid of tdb_ref, keep indirect pointer to TDB. | Angelos D. Keromytis | |
2000-06-01 | ipsp_acquire_sa() | Angelos D. Keromytis | |
2000-06-01 | Prototype for ipsp_spd_lookup() | Angelos D. Keromytis | |
2000-04-19 | tdb_ref should be signed, this avoids a problem with flushing the TDB table causing repeated allocations of bypass TDBs. | Angelos D. Keromytis | |
2000-03-29 | Conform to crypto framework changes for IVs. | Angelos D. Keromytis | |
2000-03-17 | Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal. | Angelos D. Keromytis | |
2000-02-28 | move crypto code | Theo de Raadt | |
2000-01-27 | Merge "old" and "new" ESP and AH in two files (one for each). Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed. Good to be in Canada (land of the free commits). | Angelos D. Keromytis | |
2000-01-21 | Rename the ip4_* routines to ipip_*, make it so GIF tunnels are not affected by net.inet.ipip.allow (the sysctl formerly known as net.inet.ip4.allow), rename the VIF ipip_input to ipip_mroute_input. | Angelos D. Keromytis | |
2000-01-13 | mbuf **, not mbuf * you twit... | Angelos D. Keromytis | |
2000-01-13 | Add an ip4_input6() for use with IPv6 (just a wrapper for ip4_input()), add prototype, ifdef include files. | Angelos D. Keromytis | |
2000-01-13 | put_flow(), find_flow(), and delete_flow() get a third argument (for ingress or egress flow) | Angelos D. Keromytis | |
2000-01-10 | Add 10 new ipsec-related sysctl variables...they are currently under net.inet.ip; perhaps they should be moved under net.inet.ipsec or some such. | Angelos D. Keromytis | |
2000-01-10 | Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the amount of time embryonic SAs will be kept before they have to be initialized by key management (this only affects automated key management). | Angelos D. Keromytis | |
2000-01-09 | externalize ipsec_acl | Angelos D. Keromytis | |
1999-12-29 | fix _input/_output proto changes for tcp_signature; angelos@ ok | Michael Shalayeff | |
1999-12-25 | Move the IPsec packet-processing loop to a separate routine, so we can reuse it in ip6_output and the bridge. The policy-lookup code will probably follow suit in a separate routine sometime soon. | Angelos D. Keromytis | |
1999-12-08 | Fix debugging printf compilation. | Angelos D. Keromytis | |
1999-12-08 | IPv6 header handling, improve IPv4 option handling support. | Angelos D. Keromytis | |
1999-12-06 | New ESP code that's v4 and v6 friendly. | Angelos D. Keromytis | |
1999-12-04 | Address independence, IPv6 support, and the -local flag in ipsecadm is no longer needed. | Angelos D. Keromytis | |
1999-10-29 | New field in tdb, to be used with bridging. | Angelos D. Keromytis | |
1999-10-29 | Get rid of unnecessary third argument in *_output routines of IPsec. | Angelos D. Keromytis | |
1999-10-29 | Remove unnecessary argument from ipe4_output() and etherip_output() | Angelos D. Keromytis | |
1999-10-28 | Add Ethernet-IP encapsulation handling. | Angelos D. Keromytis | |
1999-09-29 | Critical reliability fix for IPsec. On i386 splsoftclock is not a perfect emulation of a "real" architecture's splsoftclock, as it assumes it is only invoked from higher spl levels. Use splsoftnet instead. | Niklas Hallqvist | |
1999-08-10 | Add tdb_satype (PF_KEY SADB_SATYPE_<XXX>) to struct tdb | Hakan Olsson | |
1999-08-05 | Add tdb_walk. tdb_delete() should clean up routes when deleting flows. | Hakan Olsson | |
1999-07-15 | From angelos@, edits by me, demand keying for PF_KEY | Niklas Hallqvist | |
1999-07-06 | Added support for TCP MD5 option (RFC 2385). | cmetz | |
1999-06-30 | remove final low-level crypto knowledge from base ipsec code | Theo de Raadt | |
1999-06-18 | split out transforms; some debugging done but there may still be bugs in the new key init/zero functions | Theo de Raadt | |
1999-06-06 | Ident. | Angelos D. Keromytis | |
1999-05-23 | SA hash table resizing | Niklas Hallqvist | |
1999-05-20 | Fix a bug where the ordered expiration list could get out of order. Add invariant checking of the lists when DIAGNOSTIC compiled. Extend the critical region to cover all of tdb_expiration so the tdb won't disappear behind our back. | Niklas Hallqvist | |
1999-05-16 | spltdb introduced, protection for tdb lists and related structures, so they won't disappear behind our back by an expiration. Cleanup expiration logic too. | Niklas Hallqvist | |
1999-05-14 | A new scalable IPsec SA expiration model. | Niklas Hallqvist | |
1999-05-11 | Remove cruft that wasted space en masse in the IPsec subsystem | Niklas Hallqvist | |
1999-04-11 | Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too. | Niklas Hallqvist | |
1999-03-27 | add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing SA to be used, use this SA in ip_output if available. allow mobile road warriors for bind SAs with wildcard dst and src addresses. check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient. add stats to show dropped packets because of insufficient IPSEC protection. -- phew. this was all done in canada. dugsong and linh provided the ride and company. | Niels Provos | |
1999-02-25 | Move union sockaddr_union to ip_ipsp.h | Angelos D. Keromytis | |
1999-02-24 | Update copyright; remove a few annoying debugging printfs. Btw, OpenBSD hit 25000 commits a couple commits ago. | Angelos D. Keromytis | |
1999-02-24 | add skipjack support back | Theo de Raadt | |