Age | Commit message | Author | |
---|---|---|---|
2000-06-01 | Use the cached entry for security requirements from the inp. | Angelos D. Keromytis | |
2000-06-01 | Use ipsp_spd_lookup() in ip_output() | Angelos D. Keromytis | |
2000-05-15 | parse IPv4 options more carefully. make boundary checks against every step (including option type/length field - there were no checks, seems to me 4.4BSD bug) | Jun-ichiro itojun Hagino | |
2000-05-04 | Bypass routes only worked for one packet, then they effectively became a filter. | Niklas Hallqvist | |
2000-04-13 | When fragmenting a packet, inherit the multicast and broadcast flags so that the link layer can choose the right address. | Artur Grabowski | |
2000-03-30 | Set re_rt to NULL, so we don't double free. | Angelos D. Keromytis | |
2000-03-17 | Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal. | Angelos D. Keromytis | |
2000-01-11 | Correct sa_require handling. | Angelos D. Keromytis | |
2000-01-11 | Use default values when requesting dynamic VPNs. | Angelos D. Keromytis | |
2000-01-10 | No need for extern definition of pfkeyv2_acquire() | Angelos D. Keromytis | |
2000-01-09 | Transport port is in network order... | Angelos D. Keromytis | |
1999-12-25 | Move the IPsec packet-processing loop to a separate routine, so we can reuse it in ip6_output and the bridge. The policy-lookup code will probably follow suit in a separate routine sometime soon. | Angelos D. Keromytis | |
1999-12-21 | Initialize variable. | Angelos D. Keromytis | |
1999-12-18 | Fix kernel panic involving multicast packet (patch different from the one provided by pavlin@catarina.usc.edu) | Angelos D. Keromytis | |
1999-12-10 | Add code to allow for IPv6 IPsec destinations in IPv4 IPsec flows (e.g., packets from 10.0.0.1 going to 11.0.0.1 should be ESP encrypted to host 1:2:3:4:5:6:7:8). ip6_output() needs to be modified to honor IP_RAWOUTPUT (or some such) and IP_ENCAPSULATED, to not prepend an IPv6 header to the packet, and to not do IPsec processing respectively. | Angelos D. Keromytis | |
1999-12-08 | Fix debugging printf compilation. | Angelos D. Keromytis | |
1999-12-08 | bring in KAME IPv6 code, dated 19991208. replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support. see sys/netinet6/{TODO,IMPLEMENTATION} for more details. GENERIC configuration should work fine as before. GENERIC.v6 works fine as well, but you'll need KAME userland tools to play with IPv6 (will be brought in soon). | Jun-ichiro itojun Hagino | |
1999-12-06 | New ESP code that's v4 and v6 friendly. | Angelos D. Keromytis | |
1999-12-04 | Address independence, IPv6 support, and the -local flag in ipsecadm is no longer needed. | Angelos D. Keromytis | |
1999-11-04 | pfkeyv2 acquire should not happen when bypassing IPsec. Add missing splx(). | Hakan Olsson | |
1999-10-29 | Get rid of unnecessary third argument in *_output routines of IPsec. | Angelos D. Keromytis | |
1999-10-29 | Remove unused third argument from ipe4_output() | Angelos D. Keromytis | |
1999-07-15 | From angelos@, edits by me, demand keying for PF_KEY | Niklas Hallqvist | |
1999-06-15 | handle multicast packets inside ipf too; darren | Theo de Raadt | |
1999-05-16 | spltdb introduced, protection for tdb lists and related structures, so they won't disappear behind our back by an expiration. Cleanup expiration logic too. | Niklas Hallqvist | |
1999-05-14 | A new scalable IPsec SA expiration model. | Niklas Hallqvist | |
1999-04-11 | Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too. | Niklas Hallqvist | |
1999-03-27 | add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing SA to be used, use this SA in ip_output if available. allow mobile road warriors for bind SAs with wildcard dst and src addresses. check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient. add stats to show dropped packets because of insufficient IPSEC protection. -- phew. this was all done in canada. dugsong and linh provided the ride and company. | Niels Provos | |
1999-03-24 | Implement lifetime expiration notifications. Fix some typos. Remove statics. | Niklas Hallqvist | |
1999-03-06 | Update IP pointer, when doing multiple transforms. | Angelos D. Keromytis | |
1999-02-24 | Update copyright; remove a few annoying debugging printfs. Btw, OpenBSD hit 25000 commits a couple commits ago. | Angelos D. Keromytis | |
1999-02-24 | Remove encap.h include; saner debugging printfs; fix buglets; work with pfkeyv2. | Angelos D. Keromytis | |
1999-01-11 | Remove duplicate code. | Angelos D. Keromytis | |
1999-01-08 | don't call ip_randomid() in htons(). | Niels Provos | |
1998-12-26 | make ip_id random but ensure that ids don't repeat for some period. | Niels Provos | |
1998-08-02 | cleanup ipsec error handling | Niels Provos | |
1998-08-01 | more careful error handling, some simplification and beautification. | Niels Provos | |
1998-07-29 | Proper handling of IP in IP and checksumming. | Angelos D. Keromytis | |
1998-07-29 | Don't do checksumming unless we're doing IP-in-IP. | Angelos D. Keromytis | |
1998-06-30 | remove unnecessary assignment | Niels Provos | |
1998-06-03 | request only auth in notify when vpn ipsec route is found with a different security protocol than IPPROTO_ESP. | Niels Provos | |
1998-05-24 | allow SAs with non-specified source address | Niels Provos | |
1998-05-24 | add support for Virtual Private Networks (VPN). | Niels Provos | |
1998-05-19 | Wall for non-IPSEC case | Theo de Raadt | |
1998-05-18 | first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy. | Niels Provos | |
1998-03-18 | Fix tunnel mode input processing (use ip4_input instead of ipe4_input), fix some old code leftovers in ah_new_input (adjust to variable hash length), avoid double ip encapsulation in tunnel mode. Problems reported by Petr Novak <petr@internet.cz>. | Niels Provos | |
1998-02-03 | bad types; wileyc@sekiya.twics.co.jp | Theo de Raadt | |
1997-10-02 | conditional error logging | Theo de Raadt | |
1997-09-28 | log() needs a \n | Theo de Raadt | |
1997-08-26 | indent | Theo de Raadt | |