Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.

show more ...

KNF

Copyright.

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase

Use blocksize, not ivmask

Trim include files.

Add a few DPRINTF()'s

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As wel

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.

show more ...

Update to match prototypes.

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.

Pass a NULL packet tag for now to ipsp_common_input_cb().

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.

Move bzero() after test for correct allocation (jj@wabbitt.org)

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

Move offsetof define into sys/param.h

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
a

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

show more ...

Fix slow mbuf leak.

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just lik

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok

show more ...

*HMAC96->*HMAC

AES support.

Lots and lots of changes.

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)

The callbacks need to set the appropriate spl level now.

What was the offending payload length?