aboutsummaryrefslogtreecommitdiffstats
path: root/src/libipsec
Commit message (Collapse)AuthorAgeFilesLines
* libipsec: Make sure to expire the right SATobias Brunner2017-09-181-2/+9
| | | | | | | | | | | | | | If an IPsec SA is actually replaced with a rekeying its entry in the manager is freed. That means that when the hard expire is triggered a new entry might be found at the cached pointer location. So we have to make sure we trigger the expire only if we found the right SA. We could use SPI and addresses for the lookup, but this here requires a bit less memory and is just a small change. Another option would be to somehow cancel the queued job, but our scheduler doesn't allow that at the moment. Fixes #2399.
* ip-packet: Correctly determine protocol in fragmented IPv6 packetsTobias Brunner2017-09-181-6/+57
| | | | | | We don't attempt to parse the transport headers for fragments, not even for the initial fragment (it's not guaranteed they contain the header, depending on the number and type of extension headers).
* ip-packet: Fix "packet too short" error when parsing fragmented IPv4 packetsTobias Brunner2017-09-181-1/+6
| | | | | Only attempt to parse the transport header of an IPv4 packet if it's not fragmented or the first fragment.
* linked-list: Change return value of find_first() and signature of its callbackTobias Brunner2017-05-261-37/+54
| | | | This avoids the unportable five pointer hack.
* libipsec: Enforce a minimum of 256 for SPIsTobias Brunner2017-03-021-3/+4
| | | | | | RFC 4303 reserves the SPIs between 1 and 255 for future use. This also avoids an overflow and a division by zero if spi_min is 0 and spi_max is 0xffffffff.
* libipsec: Fix min/max SPITobias Brunner2017-03-021-2/+2
|
* kernel: Make range of SPIs for IPsec SAs configurableTobias Brunner2017-03-021-2/+14
|
* libipsec: Log a packet's ports and protocol in case of a policy mismatchTobias Brunner2017-03-021-5/+7
|
* libipsec: Match IPsec policies against ports of processed packetsTobias Brunner2017-03-021-1/+21
| | | | Fixes #2252.
* libipsec: Add support for AES and Camellia in CCM modeTobias Brunner2017-01-251-3/+16
| | | | Fixes #2172.
* libipsec: Fix Windows build via MinGWTobias Brunner2017-01-253-0/+35
| | | | Fixes #2118.
* Use standard unsigned integer typesAndreas Steffen2016-03-2419-158/+158
|
* libipsec: Pass the same data to del_policy() as to add_policy()Tobias Brunner2016-02-042-8/+12
| | | | | | We already do this for the other kernel interfaces. Fixes e1e88d5adde0 ("libipsec: Don't attempt deletion of any non-IPsec policies")
* libipsec: Don't attempt deletion of any non-IPsec policiesTobias Brunner2016-02-041-1/+1
| | | | | | | | An example are the fallback drop policies installed when updating SAs. We ignore such policies in add_policy() so there is no point in attempting to remove them. Since they use different priorities than regular policies this did not result in policies getting deleted unintentionally but there was an irritating log message on level 2 that indicated otherwise.
* android: Fix build after updating Linux headersTobias Brunner2015-11-121-1/+0
| | | | | | | | Since we don't use the kernel-netlink plugin anymore and the headers in the NDK are reasonably recent, we don't need this anymore (at least when building the app). Fixes #1172.
* libipsec: Properly support CAMELLIA in CTR modeTobias Brunner2015-10-301-0/+1
|
* libipsec: Fix crypter lookup for AES-CTRTobias Brunner2015-10-301-1/+12
| | | | | | | | | | | | Due to the nonce, the ESP key material is four bytes longer than needed for the actual AES key. The crypto plugins, however, register their AES-CTR implementations with the AES key length, so the lookup here failed. For IKEv2 the key material is allocated after creating a crypter instance with the negotiated AES key size. The length of the actual key material is retrieved via get_key_size(), which adds the four bytes to the AES key length. Fixes #1124.
* libipsec: Add a unit-test for ESP encryption using ChaCha20Poly1305Martin Willi2015-07-123-0/+139
|
* libipsec: Add a unit-test test runnerMartin Willi2015-07-125-8/+93
|
* libipsec: Create AEAD with four byte salt for ChaCha20-Poly1305Martin Willi2015-06-291-0/+1
|
* libipsec: Insert SAs first, so latest SA with the same reqid gets usedTobias Brunner2015-05-211-1/+1
| | | | | This was useful for testing purposes of RADIUS accounting, but OS kernels generally will use the latest SA, so we do the same.
* aead: Create AEAD using traditional transforms with an explicit IV generatorMartin Willi2015-04-131-1/+8
| | | | | | Real AEADs directly provide a suitable IV generator, but traditional crypters do not. For some (stream) ciphers, we should use sequential IVs, for which we pass an appropriate generator to the AEAD wrapper.
* libipsec: Pass separate inbound/update flags to the IPsec SA managerMartin Willi2015-03-092-3/+5
| | | | | Similar to other kernel interfaces, the libipsec backends uses the flag for different purposes, and therefore should get separate flags.
* kernel-interface: Raise expires with a proto/SPI/dst tuple instead of reqidMartin Willi2015-02-204-22/+32
|
* libipsec: Remove unused src/dst_ts parameters from ipsec_sa_mgr_t.add_sa()Martin Willi2015-02-204-14/+5
|
* libipsec: Remove unused reqid parameter from ipsec_sa_mgr_t.get_spi()Martin Willi2015-02-192-7/+4
|
* ip-packet: Fix length in IPv6 header of generated packetsTobias Brunner2014-10-201-1/+1
|
* ip-packet: Fix removal of TFC padding for IPv6Tobias Brunner2014-10-141-1/+1
| | | | | | The IPv6 length field denotes the payload length after the 40 bytes header. Fixes: 293515f95cf5 ("libipsec: remove extra RFC4303 TFC padding appended to inner payload")
* ip-packet: Define our own structs to handle TCP/UDP headersTobias Brunner2014-09-091-2/+27
|
* ip_packet: Add function to easily encode UDP packetsTobias Brunner2014-07-222-0/+29
|
* ip_packet: Apply transport protocol ports when encoding IP packetTobias Brunner2014-07-222-10/+30
|
* ip_packet: Add getter for IP payloadTobias Brunner2014-07-222-5/+25
|
* ip_packet: Allow creation of IP packets from dataTobias Brunner2014-07-222-1/+164
|
* ip_packet: Parse ports from TCP and UDP headersTobias Brunner2014-07-221-7/+63
|
* libipsec: Add support for new policy priority classTobias Brunner2014-06-191-1/+4
|
* libipsec: Avoid name clash with sched.h clone()Martin Willi2014-06-042-4/+4
|
* aead: Support custom AEAD salt sizesMartin Willi2014-03-311-1/+2
| | | | | | | | | The salt, or often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.
* android: Remove dependency on libvstrTobias Brunner2013-11-131-1/+0
|
* libipsec: Don't print ciphertext with ICV in log messageTobias Brunner2013-10-171-1/+2
|
* libipsec: Properly calculate padding length especially for AES-GCMTobias Brunner2013-10-171-1/+3
|
* iv_gen: Provide external sequence number (IKE, ESP)Tobias Brunner2013-10-111-1/+1
| | | | This prevents duplicate sequential IVs in case of a HA failover.
* ipsec: Use IV generator to encrypt ESP messagesTobias Brunner2013-10-112-9/+7
|
* libipsec: Enforce byte/packet lifetimes on SAsMartin Willi2013-10-113-7/+77
|
* libipsec: remove extra RFC4303 TFC padding appended to inner payloadMartin Willi2013-10-111-0/+6
|
* libipsec: Support usage statistics and query_sa() on IPsec SAsMartin Willi2013-10-115-4/+102
|
* libipsec: fix memory management when cloning ip_packetMartin Willi2013-09-131-1/+1
|
* libipsec: check for a policy with the reqid of the SA on decapsulationMartin Willi2013-09-133-7/+14
| | | | | To prevent a client from sending a packet with a source address of a different client, we require a policy bound via reqid to the decapsulating SA.
* Build all shared libraries with -no-undefined and link them properlyTobias Brunner2013-09-121-1/+5
| | | | | | | | | | The flag is required to convince libtool on Cygwin to build DLLs. But on Windows these shared libraries can not have undefined symbols, so we have to link them explicitly to the libraries they reference. For plugins this is currently not done, so only the monolithic build is supported. The plugin loader wouldn't be able to load DLLs anyway, as it tries to load files that don't exist on Cygwin.
* libipsec: Properly initialize variables when creating AEAD wrapperTobias Brunner2013-09-041-2/+2
|
* libipsec: Don't limit traditional algorithms to AES and SHA1/2Tobias Brunner2013-08-121-25/+7
| | | | Closes #377.
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-23 11:24:45 +0000