Revision 1.37 | 01-Sep-2020 | gnezdo
Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr
The best-guessed limits will be tested by trial.

Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE

Revision 1.36 | 08-Nov-2017 | visa
Make {ah,esp,ipcomp}stat use percpu counters.
OK bluhm@, mpi@

Revision 1.35 | 07-Nov-2017 | visa
Convert all the fields of {ah,esp,ipcomp}stat to uint64.
This is a preliminary step for using percpu counters with the data.
OK mpi@

Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE

Revision 1.34 | 07-Feb-2017 | bluhm
IPsec packets could be dropped unaccounted if output after crypto failed. Add a counter for that case. OK dhill@

Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE

Revision 1.33 | 10-Jan-2010 | markus
Fix two bugs in IPsec/HMAC-SHA2: (1) use correct (message) block size of 128 bytes (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits have been specified in draft-ietf-ipsec-ciph-sha-256-00 while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec implementations that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt

Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE

Revision 1.32 | 14-Dec-2007 | deraadt
add sysctl entry points into various network layers, in particular to provide netstat(1) with data it needs; ok claudio reyk

Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE SMP_SYNC_A SMP_SYNC_B

Revision 1.31 | 17-Feb-2004 | markus
switch to sysctl_int_arr(); ok henning, deraadt

Revision tags: OPENBSD_3_3_BASE OPENBSD_3_4_BASE UBC_SYNC_A

Revision 1.30 | 12-Feb-2003 | jason
Remove commons; inspired by netbsd.

Revision tags: OPENBSD_3_2_BASE UBC_SYNC_B

Revision 1.29 | 09-Jun-2002 | itojun
whitespace

Revision tags: OPENBSD_3_0_BASE OPENBSD_3_1_BASE UBC_BASE

Revision 1.28 | 25-Jun-2001 | angelos
branches: 1.28.4;
Copyright.

Revision 1.27 | 09-Jun-2001 | angelos
Inclusion protection.

Revision tags: OPENBSD_2_8_BASE OPENBSD_2_9_BASE

Revision 1.26 | 19-Sep-2000 | angelos
Lots and lots of changes.

Revision tags: OPENBSD_2_7_BASE

Revision 1.25 | 17-Mar-2000 | angelos
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was written mostly in Greece, and is being committed from Montreal.

Revision tags: SMP_BASE

Revision 1.24 | 27-Jan-2000 | angelos
branches: 1.24.2;
Merge "old" and "new" ESP and AH in two files (one for each). Fix a couple of buglets with ingress flow deletion. tcpdump on enc0 should now show all outgoing packets *before* being processed, and all incoming packets *after* being processed.
Good to be in Canada (land of the free commits).

Revision 1.23 | 13-Jan-2000 | angelos
Add an ip4_input6() for use with IPv6 (just a wrapper for ip4_input()), add prototype, ifdef include files.

Revision 1.22 | 09-Jan-2000 | angelos
Add ingress ACL for IPsec: after being processed, IPsec packets are matched against a list of acceptable packet classes, if sysctl variable net.inet.ip.ipsec-acl is set to 1.

Revision 1.21 | 31-Dec-1999 | itojun
fix IPv6 ipsec template lossage.
- previous code grabbed new nexthdr mistakenly
- parameter passing must follow ip6protows (actually the code will never get called until in6_proto.c is updated)
the current code assumes that {AH,ESP} is right next to IPv6 header. the assumption must be removed, but it means that we need to chase header chain...

Revision 1.20 | 25-Dec-1999 | angelos
Change some function prototypes, don't unnecessarily initialize some variables.

Revision 1.19 | 09-Dec-1999 | angelos
Add v4/v6 wrapper routine definitions.

Revision tags: kame_19991208

Revision 1.18 | 07-Dec-1999 | angelos
New ah_new_input(), protocol-independent processing (still lacking IPv6-specific protocol header processing).

Revision 1.17 | 29-Oct-1999 | angelos
Get rid of unnecessary third argument in *_output routines of IPsec.

Revision tags: OPENBSD_2_5_BASE OPENBSD_2_6_BASE

Revision 1.16 | 11-Apr-1999 | niklas
Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.

Revision 1.15 | 24-Feb-1999 | angelos
Update copyright; remove a few annoying debugging printfs.
Btw, OpenBSD hit 25000 commits a couple commits ago.

Revision 1.14 | 24-Feb-1999 | angelos
Remove encap.h include; saner debugging printfs; fix buglets; work with pfkeyv2.

Revision 1.13 | 25-Nov-1998 | niklas
Add checks of packets getting too big after transforms. Also make sure some more error conditions get told to the caller.

Revision tags: OPENBSD_2_4_BASE

Revision 1.12 | 18-May-1998 | provos
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.

Revision tags: OPENBSD_2_3_BASE

Revision 1.11 | 24-Nov-1997 | provos
add ripemd-160 as authentication function.

Revision 1.10 | 04-Nov-1997 | provos
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.

Revision tags: OPENBSD_2_2_BASE

Revision 1.9 | 14-Jul-1997 | provos
global byte counters.

Revision 1.8 | 11-Jul-1997 | provos
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.

Revision 1.7 | 25-Jun-1997 | provos
hard and soft limits for SPIs per absolute timer, relative since establish, relative since first use timers, packet and byte counters. notify key mgmt on soft limits. key mgmt can now specify limits. new encap messages: EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI

Revision 1.6 | 20-Jun-1997 | provos
ah-sha1 + esp-3des + indentation

Revision tags: OPENBSD_2_1_BASE

Revision 1.5 | 30-Mar-1997 | mickey
no more 2(two) md5 libs in kernel! tested for rnd(4).... should work for ip too, since it's the copy of ip_md*. use sys/md5k.h for protos.... std iface forever! hurray!

Revision 1.4 | 26-Feb-1997 | angelos
I/O packet counters added.

Revision 1.3 | 24-Feb-1997 | angelos
Beautification.

Revision 1.2 | 24-Feb-1997 | niklas
OpenBSD tags + some prototyping police

Revision 1.1 | 20-Feb-1997 | deraadt
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz