aboutsummaryrefslogtreecommitdiffstats
path: root/src/libipsec
Commit message (Collapse)AuthorAgeFilesLines
...
* automake: replace INCLUDES by AM_CPPFLAGSMartin Willi2013-07-181-2/+1
| | | | | | INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only.
* libipsec: Properly handle expiration if no lifetime is setTobias Brunner2013-07-011-0/+5
|
* libipsec: Add initiator flag to definition of ipsec_sa_mgr_t.add_sa()Tobias Brunner2013-06-131-2/+4
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* libipsec: Fix memory leak in event relayTobias Brunner2013-05-031-0/+1
|
* libipsec: Add support for AES-GCMTobias Brunner2013-05-031-3/+45
|
* libipsec: Wrap traditional algorithms in AEAD wrapperTobias Brunner2013-05-033-110/+91
|
* Fix detection and use of netinet/ip6.h on FreeBSDTobias Brunner2013-03-271-0/+1
|
* android: Remove/filter header files from LOCAL_SRC_FILESTobias Brunner2013-03-201-1/+3
| | | | This avoids huge warnings when building the native code.
* ipsec: Increased log level for message in case no outbound policy is foundTobias Brunner2013-03-201-1/+1
| | | | | | | This might happen on Android if sockets are bound to the physical IP address but packets are still routed via TUN device. Since it seems to happen quite often (or for stuff that requires regular traffic) this hides these messages from the default log.
* Add a DSCP value with getter/setter on packet_tMartin Willi2013-02-061-0/+14
|
* Moved debug.[ch] to utils folderTobias Brunner2012-10-2410-10/+10
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-245-7/+7
|
* Moved packet_t and tun_device_t to networking folderTobias Brunner2012-10-242-2/+2
|
* Moved host_t and host_resolver_t to a new networking subfolderTobias Brunner2012-10-246-6/+6
|
* Log IP addresses for discarded inbound IPsec packetsTobias Brunner2012-10-161-1/+3
|
* Use pointers for lookups in IPsec SA managerTobias Brunner2012-10-161-16/+16
|
* IPsec SA manager implements update_sa()Tobias Brunner2012-10-162-0/+60
|
* Setter for src and destination address of ipsec_sa_t addedTobias Brunner2012-10-162-0/+30
|
* Fix parsing of IPv6 headers in ip_packet_tTobias Brunner2012-09-281-0/+1
|
* struct iphdr is Linux specific use struct ip insteadTobias Brunner2012-08-291-6/+6
|
* Include stdint.h for UINT32_MAX on FreeBSDTobias Brunner2012-08-291-0/+1
|
* Fixed ip_packet_t if IPv6 is not availableTobias Brunner2012-08-081-0/+4
|
* Added IPsec processor which is responsible for handling in- and outbound packetsTobias Brunner2012-08-086-0/+449
| | | | | | Two callbacks can be registered that get called when new inbound plaintext and outbound ESP packets have been processed. Inbound ESP and outbound plaintext packets can be queued for processing with two other methods.
* Represent the payload of an ESP packet as ip_packet_t instead of a chunk_tTobias Brunner2012-08-082-41/+76
|
* IPsec policies can be looked up based on an IP packetTobias Brunner2012-08-084-1/+62
|
* ip_packet_t parses the header of IP packetsTobias Brunner2012-08-084-0/+286
|
* Order IPsec policies by a pseudo-priority based on the traffic selectorsTobias Brunner2012-08-081-28/+127
| | | | | This allows a simple lookup, i.e. just use the first policy that matches a given IP packet.
* Implemented a checkout/checkin mechanism for IPsec SAsTobias Brunner2012-08-082-25/+285
| | | | | SAs can only be checked out by a single thread and all other threads block until the SA is checked in again.
* IPsec policy manager addedTobias Brunner2012-08-086-0/+278
| | | | This version only provides the very simplest management functions.
* Method added to easily compare IPsec policiesTobias Brunner2012-08-082-0/+29
|
* Class representing an IPsec policy addedTobias Brunner2012-08-084-0/+302
|
* Schedule and relay expiration events for created IPsec SAsTobias Brunner2012-08-081-0/+95
|
* Added class to relay IPsec events (like expiration) to listenersTobias Brunner2012-08-087-0/+332
| | | | | Currently, only expiration of IPsec SAs is supported. Later other events for e.g. acquires or changed NAT endpoints could be added.
* Added IPsec SA managerTobias Brunner2012-08-086-7/+458
|
* Add methods to easily compare IPsec SAsTobias Brunner2012-08-082-0/+51
|
* Class representing an IPsec SA addedTobias Brunner2012-08-084-2/+356
| | | | The IPsec SA also manages the respective ESP context.
* Moved types used by kernel_ipsec_t interface (and libipsec) to libstrongswanTobias Brunner2012-08-082-4/+2
| | | | This avoids a dependency of libipsec to libhydra.
* esp_packet_t implements packet_t interfaceTobias Brunner2012-08-082-66/+100
| | | | This should allow to avoid unnecessary cloning of packet data.
* Headers from libhydra (kernel interface related) are required in libipsecTobias Brunner2012-08-081-1/+3
|
* ESP packet wrapper added, handles encryption/decryption/verification etc.Tobias Brunner2012-08-084-2/+554
|
* Adding class to manage ESP context (crypto, sequence numbers)Tobias Brunner2012-08-084-2/+414
|
* Stub library for user space IPsec implementation added.Tobias Brunner2012-08-084-0/+174
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-28 06:30:53 +0000