Age | Commit message | Author | |
---|---|---|---|
2001-08-09 | Don't check the source address on the packet vs. the one on the SA, as this prevents use of ESP in mobility; pointed out on the IETF mailing list by Francis Dupont. | Angelos D. Keromytis | |
2001-08-08 | Remove IPCOMP option, it's now part of IPSEC option. You still need to enable ipcomp via sysctl to use it. deraadt@ ok. | Jean-Jacques Bernard-Gundol | |
2001-08-07 | enable ah & esp by default, now that we trust the code more | Theo de Raadt | |
2001-07-06 | Don't use enc0 interface for IPComp. angelos@ ok. | Jean-Jacques Bernard-Gundol | |
2001-07-05 | IPComp support. angelos@ ok. | Jean-Jacques Bernard-Gundol | |
2001-06-26 | KNF | Angelos D. Keromytis | |
2001-06-25 | Copyright. | Angelos D. Keromytis | |
2001-06-24 | path mtu discovery for ipsec. on receiving a need fragment icmp match against active tdb and store the ipsec header size corrected mtu | Niels Provos | |
2001-06-23 | Remove unneeded ip_id conversions. Instead of using HTONS macro in some places, use htons directly in the struct member and save us a few bytes. Fix comment. | Federico G. Schwindt | |
2001-06-19 | mop up after angelos | Theo de Raadt | |
2001-06-08 | Trim include files. | Angelos D. Keromytis | |
2001-06-05 | Add a few DPRINTF()'s | Angelos D. Keromytis | |
2001-05-29 | Record last use time for SAs. | Angelos D. Keromytis | |
2001-05-27 | If we are passed a packet tag, it's an IPSEC_IN_CRYPTO_DONE so convert it to IPSEC_IN_DONE, rather than adding a new one. | Angelos D. Keromytis | |
2001-05-27 | Forgot to convert this tag. | Angelos D. Keromytis | |
2001-05-20 | Use packet tags to signal input IPsec processing to upper layer protocols. | Angelos D. Keromytis | |
2001-05-11 | Check m_pullup() and m_pullup2() return for NULL, not 0; itojun@ ok | Aaron Campbell | |
2001-04-06 | Move offsetof define into sys/param.h | Constantine Sapuntzakis | |
2001-03-30 | Protect the IF_XXX macros in the callback routines with splimp(). Doh! Thanks to erik@ipunplugged.com | Angelos D. Keromytis | |
2001-03-28 | Allow tdbi's to appear in mbufs throughout the stack; this allows security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs. | Angelos D. Keromytis | |
2001-03-15 | convert SA expirations to the new timeouts. simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistent throughout the code to be relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok | Michael Shalayeff | |
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis | |
2000-09-17 | Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and mfranz@cisco.com for finding the problem). | Angelos D. Keromytis | |
2000-07-11 | Correctly handle ip_off; angelos@ | Todd C. Miller | |
2000-06-20 | do not play with rcvif, if the traffic is non-IPv4. by setting rcvif to enc*, we break IPv6 scope considerations. | Jun-ichiro itojun Hagino | |
2000-06-19 | correct header chasing code. take care of AH length. | Jun-ichiro itojun Hagino | |
2000-06-18 | Arguments. | Angelos D. Keromytis | |
2000-06-18 | Use ip6_sprintf() rather than the home-cooked inet6_ntoa4() | Angelos D. Keromytis | |
2000-06-18 | IPv6 AH/ESP support, inbound side only. tested with KAME. | Jun-ichiro itojun Hagino | |
2000-06-18 | Remove outdated comment. | Angelos D. Keromytis | |
2000-03-29 | Be consistent about packet properties. | Angelos D. Keromytis | |
2000-03-29 | Fix problem with TCP/UDP and ACLs. | Angelos D. Keromytis | |
2000-03-29 | Minor cleanup. | Angelos D. Keromytis | |
2000-03-17 | Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal. | Angelos D. Keromytis | |
2000-02-07 | fix include file path related to ip6. | Jun-ichiro itojun Hagino | |
2000-01-27 | Merge "old" and "new" ESP and AH in two files (one for each). Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed. Good to be in Canada (land of the free commits). | Angelos D. Keromytis | |
2000-01-25 | Ok, so setsoftnet is md. Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h... Nit-fix: / * INET6 */ -> /* INET6 */ | Marc Espie | |
2000-01-15 | Remove unnecessary definition. | Angelos D. Keromytis | |
2000-01-15 | Add function prototype. | Angelos D. Keromytis | |
2000-01-15 | Change function type to non-static. | Angelos D. Keromytis | |
2000-01-10 | 1) Setup a silent TDB expiration for embryonic SAs. 2) Fix check_ipsec_policy() to deal with v6 PCBs. 3) Fix ACL protocol check. | Angelos D. Keromytis | |
2000-01-10 | Fix tdbi setup for TCP and UDP packets. | Angelos D. Keromytis | |
2000-01-10 | Typo. | Angelos D. Keromytis | |
2000-01-10 | Quick-drop packets (before real processing) if ingress filtering is on and the SA ACL is empty. | Angelos D. Keromytis | |
2000-01-10 | Fix error message. | Angelos D. Keromytis | |
2000-01-09 | Add ingress ACL for IPsec: after being processed, IPsec packets are matched against a list of acceptable packet classes, if sysctl variable net.inet.ip.ipsec-acl is set to 1. | Angelos D. Keromytis | |
2000-01-08 | Fix serious crash-and-burn bug I introduced with last revision. | Angelos D. Keromytis | |
2000-01-03 | Chase down the IPv6 header chain to find the right place to swap the Next Payload value. Note to self: it would be nice if we had a very of m_copydata() with memory (so it wouldn't need to start the search from the beginning of the mbuf). | Angelos D. Keromytis | |
2000-01-02 | Move the requeueing logic from ipsec_input() to ah_input() and esp_input(), since this is only needed for IPv4; IPv6 header processing follows a different approach. | Angelos D. Keromytis | |
2000-01-02 | Change ipsec_input() to return error. | Angelos D. Keromytis | |