Age | Commit message (Collapse) | Author | |
---|---|---|---|
2001-08-19 | Pass the interface (if any) to ipip_input(), so it can be used in | Angelos D. Keromytis | |
BPF. Closes PR 2000. | |||
2001-07-05 | Style | Angelos D. Keromytis | |
2001-07-05 | IPComp itself (include files). angelos@ ok. | Jean-Jacques Bernard-Gundol | |
2001-06-27 | When determining whether there's a pending acquire wrt a policy, look | Angelos D. Keromytis | |
at the acquires associated with the policy only. | |||
2001-06-27 | Also link acquire state to the relevant IPsec policy. | Angelos D. Keromytis | |
2001-06-27 | Don't cache packets that hit policies -- we'll do that at the PCB for | Angelos D. Keromytis | |
local packets. | |||
2001-06-26 | Use pool(9) for IPsec policy structures. | Angelos D. Keromytis | |
2001-06-26 | Keep the PFKEY sequence number at the TDB, plus a little bit of KNF | Angelos D. Keromytis | |
2001-06-26 | KNF | Angelos D. Keromytis | |
2001-06-25 | damn greeks desperate for commits... | Bob Beck | |
2001-06-25 | KNF | Angelos D. Keromytis | |
2001-06-25 | Copyright. | Angelos D. Keromytis | |
2001-06-24 | use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ ok | Michael Shalayeff | |
2001-06-24 | path mtu discovery for ipsec. on receiving a need fragment icmp match | Niels Provos | |
against active tdb and store the ipsec header size corrected mtu | |||
2001-06-24 | remove whitespace | Niels Provos | |
2001-06-08 | IPSP_POLICY_STATIC flag. | Angelos D. Keromytis | |
2001-06-07 | Simplify SPD logic (and correct some input cases). | Angelos D. Keromytis | |
2001-06-01 | ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and | Angelos D. Keromytis | |
creates a tag for each of the ESP/AH headers. This will be used by IPsec-aware NIC device drivers that need to notify IPsec that crypto processing has already been done. There is an excessive amount of m_copydata() calls used by this routine, but there's no way around it that I can think of. | |||
2001-06-01 | The IPsec-aware NIC cards don't pass the ICV for later verification | Angelos D. Keromytis | |
by the stack; that means, if we have a tag it means the ICV was successfully verified and we don't need to do anything else. As well, we don't need any other status information from the NIC. | |||
2001-05-31 | Structure for NIC IPsec processing status reports. | Angelos D. Keromytis | |
2001-05-30 | IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth | Angelos D. Keromytis | |
in kernfs | |||
2001-05-30 | Forgot to update ipsec_output_done() | Angelos D. Keromytis | |
2001-05-30 | With the tags, we don't need to abuse the IPsec API to do socket keying. | Angelos D. Keromytis | |
2001-05-30 | Keep track of remote authentication material (like public key) as well. | Angelos D. Keromytis | |
2001-05-30 | Fields to store local auth information in policy and TDB. | Angelos D. Keromytis | |
2001-05-29 | Fields on TDB for last used and last SKIPCRYPTO status change. | Angelos D. Keromytis | |
2001-05-29 | Add ipsp_skipcrypto_{mark,unmark}() | Angelos D. Keromytis | |
2001-05-27 | Remove ipsp_copy_ident() prototype. | Angelos D. Keromytis | |
2001-05-27 | Change prototype of ipsp_common_input_cb() to also accept a packet tag | Angelos D. Keromytis | |
as the last argument. | |||
2001-05-21 | SKIPCRYPTO flag | Angelos D. Keromytis | |
2001-05-21 | Cosmetic. | Angelos D. Keromytis | |
2001-05-21 | Use int16_t for the type and length of ipsec_ref objects. | Angelos D. Keromytis | |
2001-05-21 | Use a reference-counted structure for IPsec IDs and credentials, so we | Angelos D. Keromytis | |
can cheaply keep copies of them at the PCB. ok deraadt@ | |||
2001-05-05 | Check that SAs also match on the credentials and the IDs. This means | Angelos D. Keromytis | |
that flows with different source/destination ID requirements will cause different SAs to be established by IKE (or whatever other protocol). Also, use the new data types for allocated memory. | |||
2001-05-01 | Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATURE | Federico G. Schwindt | |
option is used. Note that this does not work. | |||
2001-04-14 | Minor changes, preparing for real socket-attached TDBs; also, more | Angelos D. Keromytis | |
information will be stored in the TDB. ok ho@ provos@ | |||
2001-03-28 | Allow tdbi's to appear in mbufs throughout the stack; this allows | Angelos D. Keromytis | |
security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs. | |||
2001-03-27 | Fix a problem with how TDB timeouts were used in pfkeyv2. | Artur Grabowski | |
When we allocated a tdb we did a timeout_add before a timeout_set. This was a problem in itself, but it shouldn't hurt too much. What did hurt was that we did a timeout_set after the timeout_add, timeout_set marked the timeout as not being on the timeout list and if we did a timeout_del (or timeout_add) later (before the timeout fired) we ended up with a chunk of freed memory on the timeout queue or maybe even dangling pointers (or a circular list). This should probably cure the timeout queue corruption some people were seeing lately. | |||
2001-03-15 | convert SA expirations to the new timeouts. | Michael Shalayeff | |
simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistant throughout the code to be a relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok | |||
2001-03-04 | Store peer's credentials in TDB. | Angelos D. Keromytis | |
2001-02-28 | Keep the last packet sent or received that matched an SPD entry, and | Angelos D. Keromytis | |
retransmit if we eventually have an SA setup for that policy. | |||
2001-02-12 | putting #error into an include file is totally wrong | Theo de Raadt | |
2001-02-11 | If IPSEC is defined but not CRYPTO, spit an error; angelos@ ok | Federico G. Schwindt | |
2000-12-24 | Extra argument in the function to tdb_walk(), indicating last TDB. | Angelos D. Keromytis | |
2000-10-14 | ASKPOLICY message; used by key management to inquire about policy | Angelos D. Keromytis | |
triggering an ACQUIRE. | |||
2000-10-09 | AES support. | Angelos D. Keromytis | |
2000-09-20 | Add IDENTITY payloads to flow establishment (and cleanup accordingly) | Angelos D. Keromytis | |
-- this will address one of itojun's question on how are IDs for IKE to be determined (need to add support for this to ipsecadm). | |||
2000-09-19 | SA bundles. | Angelos D. Keromytis | |
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis | |
2000-06-18 | Use ip6_sprintf() rather than the home-cooked inet6_ntoa4() | Angelos D. Keromytis | |