summaryrefslogtreecommitdiff
path: root/sys/netinet/ip_ipsp.h
AgeCommit message (Collapse)Author
2001-08-19Pass the interface (if any) to ipip_input(), so it can be used inAngelos D. Keromytis
BPF. Closes PR 2000.
2001-07-05StyleAngelos D. Keromytis
2001-07-05IPComp itself (include files). angelos@ ok.Jean-Jacques Bernard-Gundol
2001-06-27When determining whether there's a pending acquire wrt a policy, lookAngelos D. Keromytis
at the acquires associated with the policy only.
2001-06-27Also link acquire state to the relevant IPsec policy.Angelos D. Keromytis
2001-06-27Don't cache packets that hit policies -- we'll do that at the PCB forAngelos D. Keromytis
local packets.
2001-06-26Use pool(9) for IPsec policy structures.Angelos D. Keromytis
2001-06-26Keep the PFKEY sequence number at the TDB, plus a little bit of KNFAngelos D. Keromytis
2001-06-26KNFAngelos D. Keromytis
2001-06-25damn greeks desperate for commits...Bob Beck
2001-06-25KNFAngelos D. Keromytis
2001-06-25Copyright.Angelos D. Keromytis
2001-06-24use new timeouts for spd expirations (hmm cvs did not pick up the file); ho@ okMichael Shalayeff
2001-06-24path mtu discovery for ipsec. on receiving a need fragment icmp matchNiels Provos
against active tdb and store the ipsec header size corrected mtu
2001-06-24remove whitespaceNiels Provos
2001-06-08IPSP_POLICY_STATIC flag.Angelos D. Keromytis
2001-06-07Simplify SPD logic (and correct some input cases).Angelos D. Keromytis
2001-06-01ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers andAngelos D. Keromytis
creates a tag for each of the ESP/AH headers. This will be used by IPsec-aware NIC device drivers that need to notify IPsec that crypto processing has already been done. There is an excessive amount of m_copydata() calls used by this routine, but there's no way around it that I can think of.
2001-06-01The IPsec-aware NIC cards don't pass the ICV for later verificationAngelos D. Keromytis
by the stack; that means, if we have a tag it means the ICV was successfully verified and we don't need to do anything else. As well, we don't need any other status information from the NIC.
2001-05-31Structure for NIC IPsec processing status reports.Angelos D. Keromytis
2001-05-30IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/authAngelos D. Keromytis
in kernfs
2001-05-30Forgot to update ipsec_output_done()Angelos D. Keromytis
2001-05-30With the tags, we don't need to abuse the IPsec API to do socket keying.Angelos D. Keromytis
2001-05-30Keep track of remote authentication material (like public key) as well.Angelos D. Keromytis
2001-05-30Fields to store local auth information in policy and TDB.Angelos D. Keromytis
2001-05-29Fields on TDB for last used and last SKIPCRYPTO status change.Angelos D. Keromytis
2001-05-29Add ipsp_skipcrypto_{mark,unmark}()Angelos D. Keromytis
2001-05-27Remove ipsp_copy_ident() prototype.Angelos D. Keromytis
2001-05-27Change prototype of ipsp_common_input_cb() to also accept a packet tagAngelos D. Keromytis
as the last argument.
2001-05-21SKIPCRYPTO flagAngelos D. Keromytis
2001-05-21Cosmetic.Angelos D. Keromytis
2001-05-21Use int16_t for the type and length of ipsec_ref objects.Angelos D. Keromytis
2001-05-21Use a reference-counted structure for IPsec IDs and credentials, so weAngelos D. Keromytis
can cheaply keep copies of them at the PCB. ok deraadt@
2001-05-05Check that SAs also match on the credentials and the IDs. This meansAngelos D. Keromytis
that flows with different source/destination ID requirements will cause different SAs to be established by IKE (or whatever other protocol). Also, use the new data types for allocated memory.
2001-05-01Fix tcp_signature_tdb_input decl; kernel compiles again if TCP_SIGNATUREFederico G. Schwindt
option is used. Note that this does not work.
2001-04-14Minor changes, preparing for real socket-attached TDBs; also, moreAngelos D. Keromytis
information will be stored in the TDB. ok ho@ provos@
2001-03-28Allow tdbi's to appear in mbufs throughout the stack; this allowsAngelos D. Keromytis
security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs.
2001-03-27Fix a problem with how TDB timeouts were used in pfkeyv2.Artur Grabowski
When we allocated a tdb we did a timeout_add before a timeout_set. This was a problem in itself, but it shouldn't hurt too much. What did hurt was that we did a timeout_set after the timeout_add, timeout_set marked the timeout as not being on the timeout list and if we did a timeout_del (or timeout_add) later (before the timeout fired) we ended up with a chunk of freed memory on the timeout queue or maybe even dangling pointers (or a circular list). This should probably cure the timeout queue corruption some people were seeing lately.
2001-03-15convert SA expirations to the new timeouts.Michael Shalayeff
simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistant throughout the code to be a relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok
2001-03-04Store peer's credentials in TDB.Angelos D. Keromytis
2001-02-28Keep the last packet sent or received that matched an SPD entry, andAngelos D. Keromytis
retransmit if we eventually have an SA setup for that policy.
2001-02-12putting #error into an include file is totally wrongTheo de Raadt
2001-02-11If IPSEC is defined but not CRYPTO, spit an error; angelos@ okFederico G. Schwindt
2000-12-24Extra argument in the function to tdb_walk(), indicating last TDB.Angelos D. Keromytis
2000-10-14ASKPOLICY message; used by key management to inquire about policyAngelos D. Keromytis
triggering an ACQUIRE.
2000-10-09AES support.Angelos D. Keromytis
2000-09-20Add IDENTITY payloads to flow establishment (and cleanup accordingly)Angelos D. Keromytis
-- this will address one of itojun's question on how are IDs for IKE to be determined (need to add support for this to ipsecadm).
2000-09-19SA bundles.Angelos D. Keromytis
2000-09-19Lots and lots of changes.Angelos D. Keromytis
2000-06-18Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()Angelos D. Keromytis