| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2000-06-21 | Fix gateway function; ok angelos@ | Oleg Safiullin | |
| angelos, be more careful :) | |||
| 2000-06-20 | Big oops on my previous commit, broke gateway function; patch from | Angelos D. Keromytis | |
| form@openbsd.ru | |||
| 2000-06-18 | Oops on checking inp_tdb etc. (itojun@) | Angelos D. Keromytis | |
| 2000-06-18 | sanity check: panic if AF_INET6 inpcb is passed to ip_output | Jun-ichiro itojun Hagino | |
| 2000-06-18 | remove obsolete IP_DF handling from KAME tree (#if 0'ed all the time) | Jun-ichiro itojun Hagino | |
| 2000-06-18 | for mcdonald-simple-ipsec-api get/setsockopt, variable size was mixed up. | Jun-ichiro itojun Hagino | |
| in some place sizeof(u_char), and in some place sizeof(int) were used. previous code can cause problem in big endian machines. now it always uses "int" (isakmpd uses int, so it should be okay) set m_len properly on mcdonald-simple-ipsec-api getsockopt. | |||
| 2000-06-17 | Change processing sequence: | Angelos D. Keromytis | |
| - if the source IP address if unset (INADDR_ANY) - if higher level protocol has cached the SA to use, and the SA specifies the source address, use that - otherwise, do a routing lookup to determine our outgoing interface and fix the source address - do an SPD lookup (which is why we needed the source address) - if no IPsec is needed, proceed to multicast processing (if necessary), IPF, etc. -- transmit the packet as usual; use the routing information from before (if routing lookup was performed), or do a routing lookup at this point. - if IPsec is needed, do multicast processing (if needed), then do IPsec processing, then call ip_output() recursively. Currently, the second invocation does not do another SPD lookup (it will be changed to do so in the near future, to support independent nested tunnels without infinite loops). Note that if the inner packet (the one that will have IPsec applied to) is multicast or broadcast, the interface flags are not checked (since it's not clear what their meaning is in this case). If the IPsec destination address is multicast/broadcast, the interface flags are checked of course. It is no longer necessary to have routing entries for private networks on IPsec gateways (or default routing entries if they're not needed, for that matter). Finally, this patch solves a problem with ever-increasing reference counts on routing entries when doing IPsec processing. | |||
| 2000-06-01 | Use the cached entry for security requirements from the inp. | Angelos D. Keromytis | |
| 2000-06-01 | Use ipsp_spd_lookup() in ip_output() | Angelos D. Keromytis | |
| 2000-05-15 | parse IPv4 options more carefully. make boundary checks against every | Jun-ichiro itojun Hagino | |
| steps (including option type/length field - there were no checks, seems to me 4.4BSD bug) | |||
| 2000-05-04 | Bypass routes only worked for one packet, then they effectively became a | Niklas Hallqvist | |
| filter. | |||
| 2000-04-13 | When fragmenting a packet, inherit the multicast and broadcast flags so that | Artur Grabowski | |
| the link layer can choose the right address. | |||
| 2000-03-30 | Set re_rt to NULL, so we don't double free. | Angelos D. Keromytis | |
| 2000-03-17 | Cryptographic services framework, and software "device driver". The | Angelos D. Keromytis | |
| idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal. | |||
| 2000-01-11 | Correct sa_require handling. | Angelos D. Keromytis | |
| 2000-01-11 | Use default values when requesting dynamic VPNs. | Angelos D. Keromytis | |
| 2000-01-10 | No need for extern definition of pfkeyv2_acquire() | Angelos D. Keromytis | |
| 2000-01-09 | Transport port is in network order... | Angelos D. Keromytis | |
| 1999-12-25 | Move the IPsec packet-processing loop to a separate routine, so we can | Angelos D. Keromytis | |
| reuse it in ip6_output and the bridge. The policy-lookup code will probably follow suit in a separate routine sometime soon. | |||
| 1999-12-21 | Initialize variable. | Angelos D. Keromytis | |
| 1999-12-18 | Fix kernel panic involving multicast packet (patch different from the | Angelos D. Keromytis | |
| one provided by pavlin@catarina.usc.edu) | |||
| 1999-12-10 | Add code to allow for IPv6 IPsec destinations in IPv4 IPsec flows (e.g., | Angelos D. Keromytis | |
| packets from 10.0.0.1 going to 11.0.0.1 should be ESP encrypted to host 1:2:3:4:5:6:7:8). ip6_output() needs to be modified to honor IP_RAWOUTPUT (or some such) and IP_ENCAPSULATED, to not prepend an IPv6 header to the packet, and to not do IPsec processing respectively. | |||
| 1999-12-08 | Fix debugging printf compilation. | Angelos D. Keromytis | |
| 1999-12-08 | bring in KAME IPv6 code, dated 19991208. | Jun-ichiro itojun Hagino | |
| replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support. see sys/netinet6/{TODO,IMPLEMENTATION} for more details. GENERIC configuration should work fine as before. GENERIC.v6 works fine as well, but you'll need KAME userland tools to play with IPv6 (will be bringed into soon). | |||
| 1999-12-06 | New ESP code that's v4 and v6 friendly. | Angelos D. Keromytis | |
| 1999-12-04 | Address independence, IPv6 support, and the -local flag in ipsecadm is | Angelos D. Keromytis | |
| no longer needed. | |||
| 1999-11-04 | pfkeyv2 aquire should not happen when bypassing IPsec. Add missing splx(). | Hakan Olsson | |
| 1999-10-29 | Get rid of unnecessary third argument in *_output routines of IPsec. | Angelos D. Keromytis | |
| 1999-10-29 | Remove unused third argument from ipe4_output() | Angelos D. Keromytis | |
| 1999-07-15 | From angelos@, edits by me, demand keying for PF_KEY | Niklas Hallqvist | |
| 1999-06-15 | handle multicast packets inside ipf too; darren | Theo de Raadt | |
| 1999-05-16 | spltdb introduced, protection for tdb lists and related structures, so | Niklas Hallqvist | |
| they won't disappear behind our back by an expiration. Cleanup expiration logic too. | |||
| 1999-05-14 | A new scalable IPsec SA expiration model. | Niklas Hallqvist | |
| 1999-04-11 | Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. | Niklas Hallqvist | |
| If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too. | |||
| 1999-03-27 | add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing | Niels Provos | |
| SA to be used, use this SA in ip_output if available. allow mobile road warriors for bind SAs with wildcard dst and src addresses. check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient. add stats to show dropped packets because of insufficient IPSEC protection. -- phew. this was all done in canada. dugsong and linh provided the ride and company. | |||
| 1999-03-24 | Implement lifetime expiration notifications. Fix some typos. Remove statics. | Niklas Hallqvist | |
| 1999-03-06 | Update IP pointer, when doing multiple transforms. | Angelos D. Keromytis | |
| 1999-02-24 | Update copyright; remove a few annoying debugging printfs. | Angelos D. Keromytis | |
| Btw, OpenBSD hit 25000 commits a couple commits ago. | |||
| 1999-02-24 | Remove encap.h include; saner debugging printfs; fix buglets; work with | Angelos D. Keromytis | |
| pfkeyv2. | |||
| 1999-01-11 | Remove duplicate code. | Angelos D. Keromytis | |
| 1999-01-08 | dont call ip_randomid() in htons(). | Niels Provos | |
| 1998-12-26 | make ip_id random but ensure that ids dont repeat for some period. | Niels Provos | |
| 1998-08-02 | cleanup ipsec error handling | Niels Provos | |
| 1998-08-01 | more careful error handling, some simplification and beautification. | Niels Provos | |
| 1998-07-29 | Proper handling of IP in IP and checksumming. | Angelos D. Keromytis | |
| 1998-07-29 | Don't do checksumming unless we're doing IP-in-IP. | Angelos D. Keromytis | |
| 1998-06-30 | remove unnecessary assignment | Niels Provos | |
| 1998-06-03 | request only auth in notify when vpn ipsec route is found with a different | Niels Provos | |
| security protocol than IPPROTO_ESP. | |||
| 1998-05-24 | allow SAs with non-specified source address | Niels Provos | |
| 1998-05-24 | add support for Virtual Private Networks (VPN). | Niels Provos | |
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |