aboutsummaryrefslogtreecommitdiffstats
path: root/src/libipsec
Commit message (Collapse)AuthorAgeFilesLines
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-204-22/+32
|
* libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()Martin Willi2015-02-204-14/+5
|
* libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()Martin Willi2015-02-192-7/+4
|
* ip-packet: Fix length in IPv6 header of generated packetsTobias Brunner2014-10-201-1/+1
|
* ip-packet: Fix removal of TFC padding for IPv6Tobias Brunner2014-10-141-1/+1
| | | | | | The IPv6 length field denotes the payload length after the 40 bytes header. Fixes: 293515f95cf5 ("libipsec: remove extra RFC4303 TFC padding appended to inner payload")
* ip-packet: Define our own structs to handle TCP/UDP headersTobias Brunner2014-09-091-2/+27
|
* ip_packet: Add function to easily encode UDP packetsTobias Brunner2014-07-222-0/+29
|
* ip_packet: Apply transport protocol ports when encoding IP packetTobias Brunner2014-07-222-10/+30
|
* ip_packet: Add getter for IP payloadTobias Brunner2014-07-222-5/+25
|
* ip_packet: Allow creation of IP packets from dataTobias Brunner2014-07-222-1/+164
|
* ip_packet: Parse ports from TCP and UDP headersTobias Brunner2014-07-221-7/+63
|
* libipsec: Add support for new policy priority classTobias Brunner2014-06-191-1/+4
|
* libipsec: Avoid name clash with sched.h clone()Martin Willi2014-06-042-4/+4
|
* aead: Support custom AEAD salt sizesMartin Willi2014-03-311-1/+2
| | | | | | | | | The salt, or often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.
* android: Remove dependency on libvstrTobias Brunner2013-11-131-1/+0
|
* libipsec: Don't print ciphertext with ICV in log messageTobias Brunner2013-10-171-1/+2
|
* libipsec: Properly calculate padding length especially for AES-GCMTobias Brunner2013-10-171-1/+3
|
* iv_gen: Provide external sequence number (IKE, ESP)Tobias Brunner2013-10-111-1/+1
| | | | This prevents duplicate sequential IVs in case of a HA failover.
* ipsec: Use IV generator to encrypt ESP messagesTobias Brunner2013-10-112-9/+7
|
* libipsec: Enforce byte/packet lifetimes on SAsMartin Willi2013-10-113-7/+77
|
* libipsec: remove extra RFC4303 TFC padding appended to inner payloadMartin Willi2013-10-111-0/+6
|
* libipsec: Support usage statistics and query_sa() on IPsec SAsMartin Willi2013-10-115-4/+102
|
* libipsec: fix memory management when cloning ip_packetMartin Willi2013-09-131-1/+1
|
* libipsec: check for a policy with the reqid of the SA on decapsulationMartin Willi2013-09-133-7/+14
| | | | | To prevent a client from sending a packet with a source address of a different client, we require a policy bound via reqid to the decapsulating SA.
* Build all shared libraries with -no-undefined and link them properlyTobias Brunner2013-09-121-1/+5
| | | | | | | | | | The flag is required to convince libtool on Cygwin to build DLLs. But on Windows these shared libraries can not have undefined symbols, so we have to link them explicitly to the libraries they reference. For plugins this is currently not done, so only the monolithic build is supported. The plugin loader wouldn't be able to load DLLs anyway, as it tries to load files that don't exist on Cygwin.
* libipsec: Properly initialize variables when creating AEAD wrapperTobias Brunner2013-09-041-2/+2
|
* libipsec: Don't limit traditional algorithms to AES and SHA1/2Tobias Brunner2013-08-121-25/+7
| | | | Closes #377.
* automake: replace INCLUDES by AM_CPPFLAGSMartin Willi2013-07-181-2/+1
| | | | | | INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* libipsec: Properly handle expiration if no lifetime is setTobias Brunner2013-07-011-0/+5
|
* libipsec: Add initiator flag to definition of ipsec_sa_mgr_t.add_sa()Tobias Brunner2013-06-131-2/+4
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* libipsec: Fix memory leak in event relayTobias Brunner2013-05-031-0/+1
|
* libipsec: Add support for AES-GCMTobias Brunner2013-05-031-3/+45
|
* libipsec: Wrap traditional algorithms in AEAD wrapperTobias Brunner2013-05-033-110/+91
|
* Fix detection and use of netinet/ip6.h on FreeBSDTobias Brunner2013-03-271-0/+1
|
* android: Remove/filter header files from LOCAL_SRC_FILESTobias Brunner2013-03-201-1/+3
| | | | This avoids huge warnings when building the native code.
* ipsec: Increased log level for message in case no outbound policy is foundTobias Brunner2013-03-201-1/+1
| | | | | | | This might happen on Android if sockets are bound to the physical IP address but packets are still routed via TUN device. Since it seems to happen quite often (or for stuff that requires regular traffic) this hides these messages from the default log.
* Add a DSCP value with getter/setter on packet_tMartin Willi2013-02-061-0/+14
|
* Moved debug.[ch] to utils folderTobias Brunner2012-10-2410-10/+10
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-245-7/+7
|
* Moved packet_t and tun_device_t to networking folderTobias Brunner2012-10-242-2/+2
|
* Moved host_t and host_resolver_t to a new networking subfolderTobias Brunner2012-10-246-6/+6
|
* Log IP addresses for discarded inbound IPsec packetsTobias Brunner2012-10-161-1/+3
|
* Use pointers for lookups in IPsec SA managerTobias Brunner2012-10-161-16/+16
|
* IPsec SA manager implements update_sa()Tobias Brunner2012-10-162-0/+60
|
* Setter for src and destination address of ipsec_sa_t addedTobias Brunner2012-10-162-0/+30
|
* Fix parsing of IPv6 headers in ip_packet_tTobias Brunner2012-09-281-0/+1
|
* struct iphdr is Linux specific use struct ip insteadTobias Brunner2012-08-291-6/+6
|
* Include stdint.h for UINT32_MAX on FreeBSDTobias Brunner2012-08-291-0/+1
|
* Fixed ip_packet_t if IPv6 is not availableTobias Brunner2012-08-081-0/+4
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-03-01 10:38:15 +0000