path: root/src/libipsec
Commit log (each entry: commit message, then author, date, files changed, lines removed/added)

* android: Remove dependency on libvstr (Tobias Brunner, 2013-11-13, 1 file, -1/+0)

* libipsec: Don't print ciphertext with ICV in log message (Tobias Brunner, 2013-10-17, 1 file, -1/+2)

* libipsec: Properly calculate padding length especially for AES-GCM (Tobias Brunner, 2013-10-17, 1 file, -1/+3)

* iv_gen: Provide external sequence number (IKE, ESP) (Tobias Brunner, 2013-10-11, 1 file, -1/+1)

  This prevents duplicate sequential IVs in case of a HA failover.

* ipsec: Use IV generator to encrypt ESP messages (Tobias Brunner, 2013-10-11, 2 files, -9/+7)

* libipsec: Enforce byte/packet lifetimes on SAs (Martin Willi, 2013-10-11, 3 files, -7/+77)

* libipsec: remove extra RFC4303 TFC padding appended to inner payload (Martin Willi, 2013-10-11, 1 file, -0/+6)

* libipsec: Support usage statistics and query_sa() on IPsec SAs (Martin Willi, 2013-10-11, 5 files, -4/+102)

* libipsec: fix memory management when cloning ip_packet (Martin Willi, 2013-09-13, 1 file, -1/+1)

* libipsec: check for a policy with the reqid of the SA on decapsulation (Martin Willi, 2013-09-13, 3 files, -7/+14)

  To prevent a client from sending a packet with a source address of a different client, we require a policy bound via reqid to the decapsulating SA.

* Build all shared libraries with -no-undefined and link them properly (Tobias Brunner, 2013-09-12, 1 file, -1/+5)

  The flag is required to convince libtool on Cygwin to build DLLs. But on Windows these shared libraries cannot have undefined symbols, so we have to link them explicitly to the libraries they reference. For plugins this is currently not done, so only the monolithic build is supported. The plugin loader wouldn't be able to load DLLs anyway, as it tries to load files that don't exist on Cygwin.

* libipsec: Properly initialize variables when creating AEAD wrapper (Tobias Brunner, 2013-09-04, 1 file, -2/+2)

* libipsec: Don't limit traditional algorithms to AES and SHA1/2 (Tobias Brunner, 2013-08-12, 1 file, -25/+7)

  Closes #377.

* automake: replace INCLUDES by AM_CPPFLAGS (Martin Willi, 2013-07-18, 1 file, -2/+1)

  INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.

* libipsec: Properly handle expiration if no lifetime is set (Tobias Brunner, 2013-07-01, 1 file, -0/+5)

* libipsec: Add initiator flag to definition of ipsec_sa_mgr_t.add_sa() (Tobias Brunner, 2013-06-13, 1 file, -2/+4)

* kernel-interface: add an exchange initiator parameter to add_sa() (Martin Willi, 2013-06-11, 1 file, -1/+1)

  This new flag gives the kernel-interface a hint how it should prioritize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2:

      Initiator        ---        Responder
      I1 -------CREATE-------> R1
      I2 <------CREATE--------
         -------DELETE-------> R2
      I3 <------DELETE--------

  SAs are always handled as pairs, the following happens at the SA level:

  * Initiator starts the exchange at I1
  * Responder installs new SA pair at R1
  * Initiator installs new SA pair at I2
  * Responder removes old SA pair at R2
  * Initiator removes old SA pair at I3

  This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position:

  * as exchange initiator, in I2
  * as exchange responder, in R2

  This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should:

  * as exchange initiator, have the new outbound SA installed with higher priority than the old SA
  * as exchange responder, have the new outbound SA installed with lower priority than the old SA

  While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.

* libipsec: Fix memory leak in event relay (Tobias Brunner, 2013-05-03, 1 file, -0/+1)

* libipsec: Add support for AES-GCM (Tobias Brunner, 2013-05-03, 1 file, -3/+45)

* libipsec: Wrap traditional algorithms in AEAD wrapper (Tobias Brunner, 2013-05-03, 3 files, -110/+91)

* Fix detection and use of netinet/ip6.h on FreeBSD (Tobias Brunner, 2013-03-27, 1 file, -0/+1)

* android: Remove/filter header files from LOCAL_SRC_FILES (Tobias Brunner, 2013-03-20, 1 file, -1/+3)

  This avoids huge warnings when building the native code.

* ipsec: Increased log level for message in case no outbound policy is found (Tobias Brunner, 2013-03-20, 1 file, -1/+1)

  This might happen on Android if sockets are bound to the physical IP address but packets are still routed via TUN device. Since it seems to happen quite often (or for stuff that requires regular traffic) this hides these messages from the default log.

* Add a DSCP value with getter/setter on packet_t (Martin Willi, 2013-02-06, 1 file, -0/+14)

* Moved debug.[ch] to utils folder (Tobias Brunner, 2012-10-24, 10 files, -10/+10)

* Moved data structures to new collections subfolder (Tobias Brunner, 2012-10-24, 5 files, -7/+7)

* Moved packet_t and tun_device_t to networking folder (Tobias Brunner, 2012-10-24, 2 files, -2/+2)

* Moved host_t and host_resolver_t to a new networking subfolder (Tobias Brunner, 2012-10-24, 6 files, -6/+6)

* Log IP addresses for discarded inbound IPsec packets (Tobias Brunner, 2012-10-16, 1 file, -1/+3)

* Use pointers for lookups in IPsec SA manager (Tobias Brunner, 2012-10-16, 1 file, -16/+16)

* IPsec SA manager implements update_sa() (Tobias Brunner, 2012-10-16, 2 files, -0/+60)

* Setter for src and destination address of ipsec_sa_t added (Tobias Brunner, 2012-10-16, 2 files, -0/+30)

* Fix parsing of IPv6 headers in ip_packet_t (Tobias Brunner, 2012-09-28, 1 file, -0/+1)

* struct iphdr is Linux specific, use struct ip instead (Tobias Brunner, 2012-08-29, 1 file, -6/+6)

* Include stdint.h for UINT32_MAX on FreeBSD (Tobias Brunner, 2012-08-29, 1 file, -0/+1)

* Fixed ip_packet_t if IPv6 is not available (Tobias Brunner, 2012-08-08, 1 file, -0/+4)

* Added IPsec processor which is responsible for handling in- and outbound packets (Tobias Brunner, 2012-08-08, 6 files, -0/+449)

  Two callbacks can be registered that get called when new inbound plaintext and outbound ESP packets have been processed. Inbound ESP and outbound plaintext packets can be queued for processing with two other methods.

* Represent the payload of an ESP packet as ip_packet_t instead of a chunk_t (Tobias Brunner, 2012-08-08, 2 files, -41/+76)

* IPsec policies can be looked up based on an IP packet (Tobias Brunner, 2012-08-08, 4 files, -1/+62)

* ip_packet_t parses the header of IP packets (Tobias Brunner, 2012-08-08, 4 files, -0/+286)

* Order IPsec policies by a pseudo-priority based on the traffic selectors (Tobias Brunner, 2012-08-08, 1 file, -28/+127)

  This allows a simple lookup, i.e. just use the first policy that matches a given IP packet.

* Implemented a checkout/checkin mechanism for IPsec SAs (Tobias Brunner, 2012-08-08, 2 files, -25/+285)

  SAs can only be checked out by a single thread and all other threads block until the SA is checked in again.

* IPsec policy manager added (Tobias Brunner, 2012-08-08, 6 files, -0/+278)

  This version only provides the very simplest management functions.

* Method added to easily compare IPsec policies (Tobias Brunner, 2012-08-08, 2 files, -0/+29)

* Class representing an IPsec policy added (Tobias Brunner, 2012-08-08, 4 files, -0/+302)

* Schedule and relay expiration events for created IPsec SAs (Tobias Brunner, 2012-08-08, 1 file, -0/+95)

* Added class to relay IPsec events (like expiration) to listeners (Tobias Brunner, 2012-08-08, 7 files, -0/+332)

  Currently, only expiration of IPsec SAs is supported. Later other events for e.g. acquires or changed NAT endpoints could be added.

* Added IPsec SA manager (Tobias Brunner, 2012-08-08, 6 files, -7/+458)

* Add methods to easily compare IPsec SAs (Tobias Brunner, 2012-08-08, 2 files, -0/+51)

* Class representing an IPsec SA added (Tobias Brunner, 2012-08-08, 4 files, -2/+356)

  The IPsec SA also manages the respective ESP context.