#
303975 |
|
11-Aug-2016 |
gjb |
Copy stable/11@r303970 to releng/11.0 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, and rename it to RC1.
Update __FreeBSD_version.
Use the quarterly branch for the default FreeBSD.conf pkg(8) repo and the dvd1.iso packages population.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
302408 |
|
08-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
290982 |
|
17-Nov-2015 |
fabient |
Implement the sadb_x_policy_priority field as it is done in Linux: lower priority policies are inserted first.
Submitted by: Emeric Poupon <emeric.poupon@stormshield.eu> Reviewed by: ae Sponsored by: Stormshield
|
#
286213 |
|
02-Aug-2015 |
jmg |
looks like all archs either have clang or cdefs included before.. drop this include as unnecessary..
Requested by: bde
|
#
286168 |
|
02-Aug-2015 |
jmg |
convert to C11's _Static_assert, and pull in sys/cdefs.h for compatibility w/ older non-C11 compilers...
passed make tinerdbox..
Suggested by: imp
|
#
286110 |
|
31-Jul-2015 |
jmg |
temporarily fix build.. This isn't the final fix, and testing is still on going, but it has passed world for mips and powerpc...
I know this has an extra semicolon, but this is the patch that is tested...
Looks like better fix is to use _Static_assert...
|
#
286100 |
|
31-Jul-2015 |
jmg |
Clean up this header file...
use CTASSERTs now that we have them...
Replace a draft w/ RFC that's over 10 years old.
Note that _AALG and _EALG do not need to match what the IKE daemons think they should be.. This is part of the KABI... I decided to renumber AESCTR, but since we've never had working AESCTR mode, I'm not really breaking anything.. and it shortens a loop by quite a bit..
remove SKIPJACK IPsec support... SKIPJACK never made it out of draft (in 1999), only has 80bit key, NIST recommended it stop being used after 2010, and setkey nor any of the IKE daemons I checked supported it...
jmgurney/ipsecgcm: a357a33, c75808b, e008669, b27b6d6
Reviewed by: gnn (earlier version)
|
#
285108 |
|
03-Jul-2015 |
gnn |
New AES modes for IPSec, user space components. Update setkey and libipsec to understand aes-gcm-16 as an encryption method.
A partial commit of the work in review D2936.
Submitted by: eri Reviewed by: jmg MFC after: 2 weeks Sponsored by: Rubicon Communications (Netgate)
|
#
194062 |
|
12-Jun-2009 |
vanhu |
Added support for NAT-Traversal (RFC 3948) in IPsec stack.
Thanks to (no special order) Emmanuel Dreyfus (manu@netbsd.org), Larry Baird (lab@gta.com), gnn, bz, and other FreeBSD devs, Julien Vanherzeele (julien.vanherzeele@netasq.com, for years of bug reporting), the PFSense team, and all people who used / tried the NAT-T patch for years and reported bugs, patches, etc...
X-MFC: never
Reviewed by: bz Approved by: gnn(mentor) Obtained from: NETASQ
|
#
171167 |
|
03-Jul-2007 |
gnn |
Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSEC option is now deprecated, as well as the KAME IPsec code. What was FAST_IPSEC is now IPSEC.
Approved by: re Sponsored by: Secure Computing
|
#
169425 |
|
09-May-2007 |
gnn |
Integrate the Camellia Block Cipher. For more information see RFC 4132 and its bibliography.
Submitted by: Tomoyuki Okazaki <okazaki at kick dot gr dot jp> MFC after: 1 month
|
#
139823 |
|
07-Jan-2005 |
imp |
/* -> /*- for license, minor formatting changes
|
#
125680 |
|
11-Feb-2004 |
bms |
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first. This can be enabled by compiling a kernel with options TCP_SIGNATURE and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of authenticating TCP sessions which came into being before IPSEC. It is still relevant today, however, as it is used by many commercial router vendors, particularly with BGP, and as such has become a requirement for interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload, are digested with MD5, including a shared secret. The PF_KEY interface is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow per-port back to an SPI without polluting tcpcb or using the SPD; the code to do the latter is unstable at this time. Therefore this code only supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6), TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when responding to a host initiating a TCP session, but no effort is made [yet] to authenticate inbound traffic. This is, however, sufficient to interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with local patches. Patches for tcpdump to validate TCP-MD5 sessions are also available from me upon request.
Sponsored by: sentex.net
|
#
122683 |
|
14-Nov-2003 |
ume |
fix comments.
Obtained from: KAME
|
#
121071 |
|
13-Oct-2003 |
ume |
- support AES counter mode for ESP. - use size_t as return type of schedlen(), as there's no error check needed. - clear key schedule buffer before freeing.
Obtained from: KAME
|
#
121061 |
|
13-Oct-2003 |
ume |
- support AES XCBC MAC for AH - correct SADB_X_AALG_RIPEMD160HMAC to 8
Obtained from: KAME
|
#
105198 |
|
16-Oct-2002 |
sam |
add definitions for RIPEMD-160 HMAC and Skipjack encryption algorithms, for use by "Fast IPsec"
|
#
105176 |
|
15-Oct-2002 |
ume |
Correct the definitions of SADB_* to be compatible with RFC2407/IANA assignment. This change breaks binary compatibility. So, you need to recompile IPsec related applications.
|
#
81215 |
|
06-Aug-2001 |
ume |
printed current sequence number of the SA. accordingly, changed into sadb_x_sa2_sequence from sadb_x_sa2_reserved3 in the sadb_x_sa2 structure. Also the output of setkey is changed. sequence number of the sadb is replaced to the end of the output.
Obtained from: KAME
|
#
78064 |
|
11-Jun-2001 |
ume |
Sync with recent KAME. This work was based on kame-20010528-freebsd43-snap.tgz and some critical problem after the snap was out were fixed. There are many many changes since last KAME merge.
TODO: - The definitions of SADB_* in sys/net/pfkeyv2.h are still different from RFC2407/IANA assignment because of binary compatibility issue. It should be fixed under 5-CURRENT. - ip6po_m member of struct ip6_pktopts is no longer used. But, it is still there because of binary compatibility issue. It should be removed under 5-CURRENT.
Reviewed by: itojun Obtained from: KAME MFC after: 3 weeks
|
#
62587 |
|
04-Jul-2000 |
itojun |
sync with kame tree as of july00. tons of bug fixes/improvements.
API changes: - additional IPv6 ioctls - IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8). (also syntax change)
|
#
56014 |
|
15-Jan-2000 |
shin |
cosmetic change: sort function prototypes
Specified by: bde
|
#
56013 |
|
15-Jan-2000 |
shin |
-K&R fix for some prototype declaration -fix some comments for #endif to match them with their #ifndef
Submitted by: bde
|
#
55205 |
|
29-Dec-1999 |
peter |
Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" is an application space macro and the applications are supposed to be free to use it as they please (but cannot). This is consistant with the other BSD's who made this change quite some time ago. More commits to come.
|
#
53541 |
|
22-Nov-1999 |
shin |
KAME netinet6 basic part(no IPsec,no V6 Multicast Forwarding, no UDP/TCP for IPv6 yet)
With this patch, you can assigne IPv6 addr automatically, and can reply to IPv6 ping.
Reviewed by: freebsd-arch, cvs-committers Obtained from: KAME project
|