path: root/sys/netinet/ip_ah.h
Commit message | Author | Age | Files | Lines
* Make {ah,esp,ipcomp}stat use percpu counters. | visa | 2017-11-08 | 1 | -2/+44
  OK bluhm@, mpi@
* Convert all the fields of {ah,esp,ipcomp}stat to uint64. | visa | 2017-11-07 | 1 | -20/+21
  This is a preliminary step for using percpu counters with the data. OK mpi@
* IPsec packets could be dropped unaccounted if output after crypto | bluhm | 2017-02-07 | 1 | -5/+4
  failed. Add a counter for that case. OK dhill@
* Fix two bugs in IPsec/HMAC-SHA2: | markus | 2010-01-10 | 1 | -4/+1
  (1) use correct (message) block size of 128 bytes (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634).
  (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
  WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec-implementations that share this bug.
  ok+tests naddy, fries; requested by reyk/deraadt
* add sysctl entry points into various network layers, in particular to | deraadt | 2007-12-14 | 1 | -2/+5
  provide netstat(1) with data it needs; ok claudio reyk
* switch to sysctl_int_arr(); ok henning, deraadt | markus | 2004-02-17 | 1 | -1/+6
* Remove commons; inspired by netbsd. | jason | 2003-02-12 | 1 | -2/+2
* whitespace | itojun | 2002-06-09 | 1 | -3/+3
* Copyright. | angelos | 2001-06-25 | 1 | -5/+5
* Inclusion protection. | angelos | 2001-06-09 | 1 | -4/+4
* Lots and lots of changes. | angelos | 2000-09-19 | 1 | -3/+3
* Cryptographic services framework, and software "device driver". The | angelos | 2000-03-17 | 1 | -11/+12
  idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support:
  - multiple instances of the same algorithm used in the same session
  - use of multiple crypto drivers in the same session
  - asymmetric crypto
  No support for a userland device yet.
  IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
  Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal.
* Merge "old" and "new" ESP and AH in two files (one for each). | angelos | 2000-01-27 | 1 | -33/+9
  Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed. Good to be in Canada (land of the free commits).
* Add an ip4_input6() for use with IPv6 (just a wrapper for | angelos | 2000-01-13 | 1 | -1/+5
  ip4_input()), add prototype, ifdef include files.
* Add ingress ACL for IPsec: after being processed, IPsec packets are | angelos | 2000-01-09 | 1 | -1/+2
  matched against a list of acceptable packet classes, if sysctl variable net.inet.ip.ipsec-acl is set to 1.
* fix IPv6 ipsec template lossage. | itojun | 1999-12-31 | 1 | -2/+2
  - previous code grabbed new nexthdr mistakenly
  - parameter passing must follow ip6protows (actually the code will never get called until in6_proto.c is updated)
  the current code assumes that {AH,ESP} is right next to IPv6 header. the assumption must be removed, but it means that we need to chase header chain...
* Change some function prototypes, don't unnecessarily initialize some | angelos | 1999-12-25 | 1 | -2/+2
  variables.
* Add v4/v6 wrapper routine definitions. | angelos | 1999-12-09 | 1 | -1/+5
* New ah_new_input(), protocol-independent processing (still lacking | angelos | 1999-12-07 | 1 | -1/+4
  IPv6-specific protocol header processing).
* Get rid of unnecessary third argument in *_output routines of IPsec. | angelos | 1999-10-29 | 1 | -3/+2
* Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. | niklas | 1999-04-11 | 1 | -1/+19
  If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.
* Update copyright; remove a few annoying debugging printfs. | angelos | 1999-02-24 | 1 | -3/+5
  Btw, OpenBSD hit 25000 commits a couple commits ago.
* Remove encap.h include; saner debugging printfs; fix buglets; work with | angelos | 1999-02-24 | 1 | -97/+2
  pfkeyv2.
* Add checks of packets getting too big after transforms. | niklas | 1998-11-25 | 1 | -1/+2
  Also make sure some more error conditions get told to the caller.
* first step to the setsockopt/getsockopt interface as described in | provos | 1998-05-18 | 1 | -10/+16
  draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
* add ripemd-160 as authentication function. | provos | 1997-11-24 | 1 | -4/+7
* make it easier to add additional transforms. add blowfish and cast | provos | 1997-11-04 | 1 | -21/+33
  encryption. some more info for kernfs/ipsec.
* global byte counters. | provos | 1997-07-14 | 1 | -1/+3
* put old esp/ah and new esp/ah in different files. | provos | 1997-07-11 | 1 | -100/+68
  generalised way of handling transforms.
* hard and soft limits for SPI's per absolute timer, relative since establish, | provos | 1997-06-25 | 1 | -1/+2
  relative since first use timers, packet and byte counters. notify key mgmt on soft limits. key mgmt can now specify limits. new encap messages: EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI
* ah-sha1 + esp-3des + indentation | provos | 1997-06-20 | 1 | -56/+77
* no more 2(two) md5 libs in kernel! | mickey | 1997-03-30 | 1 | -2/+2
  tested for rnd(4).... should work for ip too, since it's the copy of ip_md*. use sys/md5k.h for protos.... std iface forever! hurray!
* I/O packet counters added. | angelos | 1997-02-26 | 1 | -1/+3
* Beautification. | angelos | 1997-02-24 | 1 | -9/+9
* OpenBSD tags + some prototyping police | niklas | 1997-02-24 | 1 | -0/+2
* IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in | deraadt | 1997-02-20 | 1 | -0/+162
  Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz