tteras/strongswan/src/libipsec, branch master

libipsec: Make sure to expire the right SA

2017-09-18T08:51:39+00:00

If an IPsec SA is actually replaced with a rekeying its entry in the
manager is freed. That means that when the hard expire is triggered a
new entry might be found at the cached pointer location.  So we have
to make sure we trigger the expire only if we found the right SA.

We could use SPI and addresses for the lookup, but this here requires
a bit less memory and is just a small change. Another option would be to
somehow cancel the queued job, but our scheduler doesn't allow that at
the moment.

Fixes #2399.

ip-packet: Correctly determine protocol in fragmented IPv6 packets

2017-09-18T08:28:54+00:00

We don't attempt to parse the transport headers for fragments, not even
for the initial fragment (it's not guaranteed they contain the header,
depending on the number and type of extension headers).

ip-packet: Fix "packet too short" error when parsing fragmented IPv4 packets

2017-09-18T08:28:54+00:00

Only attempt to parse the transport header of an IPv4 packet if it's
not fragmented or the first fragment.

linked-list: Change return value of find_first() and signature of its callback

2017-05-26T11:56:44+00:00

This avoids the unportable five pointer hack.

libipsec: Enforce a minimum of 256 for SPIs

2017-03-02T10:54:39+00:00

RFC 4303 reserves the SPIs between 1 and 255 for future use.  This also
avoids an overflow and a division by zero if spi_min is 0 and spi_max is
0xffffffff.

libipsec: Fix min/max SPI

2017-03-02T09:11:32+00:00

kernel: Make range of SPIs for IPsec SAs configurable

2017-03-02T07:52:56+00:00

libipsec: Log a packet's ports and protocol in case of a policy mismatch

2017-03-02T07:27:31+00:00

libipsec: Match IPsec policies against ports of processed packets

2017-03-02T07:27:21+00:00

Fixes #2252.

libipsec: Add support for AES and Camellia in CCM mode

2017-01-25T16:26:45+00:00

Fixes #2172.