path: root/sys/netinet/ipsec_input.c
Age, Author
  Commit message

2000-09-19, Angelos D. Keromytis
  Lots and lots of changes.

2000-09-17, Angelos D. Keromytis
  Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and mfranz@cisco.com for finding the problem).

2000-07-11, Todd C. Miller
  Correctly handle ip_off; angelos@

2000-06-20, Jun-ichiro itojun Hagino
  do not play with rcvif, if the traffic is non-IPv4.
  by setting rcvif to enc*, we break IPv6 scope considerations.

2000-06-19, Jun-ichiro itojun Hagino
  correct header chasing code. take care of AH length.

2000-06-18, Angelos D. Keromytis
  Arguments.

2000-06-18, Angelos D. Keromytis
  Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()

2000-06-18, Jun-ichiro itojun Hagino
  IPv6 AH/ESP support, inbound side only. tested with KAME.

2000-06-18, Angelos D. Keromytis
  Remove outdated comment.

2000-03-29, Angelos D. Keromytis
  Be consistent about packet properties.

2000-03-29, Angelos D. Keromytis
  Fix problem with TCP/UDP and ACLs.

2000-03-29, Angelos D. Keromytis
  Minor cleanup.

2000-03-17, Angelos D. Keromytis
  Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices.
  What it doesn't (yet) support:
  - multiple instances of the same algorithm used in the same session
  - use of multiple crypto drivers in the same session
  - asymmetric crypto
  No support for a userland device yet.
  IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
  Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal.

2000-02-07, Jun-ichiro itojun Hagino
  fix include file path related to ip6.

2000-01-27, Angelos D. Keromytis
  Merge "old" and "new" ESP and AH in two files (one for each).
  Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed. Good to be in Canada (land of the free commits).

2000-01-25, Marc Espie
  Ok, so setsoftnet is md.
  Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
  Nit-fix: / * INET6 */ -> /* INET6 */

2000-01-15, Angelos D. Keromytis
  Remove unnecessary definition.

2000-01-15, Angelos D. Keromytis
  Add function prototype.

2000-01-15, Angelos D. Keromytis
  Change function type to non-static.

2000-01-10, Angelos D. Keromytis
  1) Setup a silent TDB expiration for embryonic SAs.
  2) Fix check_ipsec_policy() to deal with v6 PCBs.
  3) Fix ACL protocol check.

2000-01-10, Angelos D. Keromytis
  Fix tdbi setup for TCP and UDP packets.

2000-01-10, Angelos D. Keromytis
  Typo.

2000-01-10, Angelos D. Keromytis
  Quick-drop packets (before real processing) if ingress filtering is on and the SA ACL is empty.

2000-01-10, Angelos D. Keromytis
  Fix error message.

2000-01-09, Angelos D. Keromytis
  Add ingress ACL for IPsec: after being processed, IPsec packets are matched against a list of acceptable packet classes, if sysctl variable net.inet.ip.ipsec-acl is set to 1.

2000-01-08, Angelos D. Keromytis
  Fix serious crash-and-burn bug I introduced with last revision.

2000-01-03, Angelos D. Keromytis
  Chase down the IPv6 header chain to find the right place to swap the Next Payload value. Note to self: it would be nice if we had a very of m_copydata() with memory (so it wouldn't need to start the search from the beginning of the mbuf).

2000-01-02, Angelos D. Keromytis
  Move the requeueing logic from ipsec_input() to ah_input() and esp_input(), since this is only needed for IPv4; IPv6 header processing follows a different approach.

2000-01-02, Angelos D. Keromytis
  Change ipsec_input() to return error.

1999-12-31, Jun-ichiro itojun Hagino
  fix IPv6 ipsec template lossage.
  - previous code grabbed new nexthdr mistakenly
  - parameter passing must follow ip6protows (actually the code will never get called until in6_proto.c is updated)
  the current code assumes that {AH,ESP} is right next to IPv6 header. the assumption must be removed, but it means that we need to chase header chain...

1999-12-25, Angelos D. Keromytis
  Change some function prototypes, don't unnecessarily initialize some variables.

1999-12-09, Angelos D. Keromytis
  So I was lying...unify ESP and AH wrapper-input processing. The new file contains a common routine for massaging the packet, doing peripheral checks, update statistics, etc. common for both AH/ESP, both IPv4/IPv6. Also wrapper routines for AH/ESP-v4/v6, and the sysctl routines from ip_ah.c/ip_esp.c