a7047cda59
Cleaned up ntru-crypto library
2013-11-27 20:21:41 +01:00
98c6421674
Implemented NIST SP 800-90A DRBG_HMAC with SHA-256
2013-11-27 20:21:41 +01:00
9013973cc8
unit-tests: Added ntru wrong ciphertext test
2013-11-27 20:21:41 +01:00
885e699b58
unit-tests: Added ntru entropy, retransmission and ciphertext tests
2013-11-27 20:21:41 +01:00
802eaf3789
Any of the four NTRU parameter sets can be selected
2013-11-27 20:21:41 +01:00
1f73969eb5
Make the NTRU parameter set configurable
2013-11-27 20:21:41 +01:00
2c620cb089
unit-tests: first NTRU test case
2013-11-27 20:21:40 +01:00
146ad86be5
Prototype implementation of IKE key exchange via NTRU encryption
2013-11-27 20:21:40 +01:00
20a48e4be3
chunk: Fix signedness warnings caused by chunk_from_* macros
...
There are countless other such warnings because e.g. chunk_create() is called
with char*, but at least we prevent users from causing such warnings
inadvertently when using these macros.
2013-11-27 18:28:44 +01:00
1cbe4e6ce4
tun-device: Include <linux/types.h> before <linux/if_tun.h>
...
Fixes a build error on CentOS 6.4.
2013-11-22 09:09:06 +01:00
07ca25909b
printf-hook-builtin: Don't use %P to print uppercase hex pointers
...
We use %P as custom printf specifier for proposals.
2013-11-20 16:57:28 +01:00
3bff80aee3
openssl: Verify that a peer's ECDH public value is a point on the elliptic curve
...
This check is mandated by RFC 6989. Since we don't reuse DH secrets,
it is mostly a sanity check.
2013-11-19 15:00:28 +01:00
b63246c5db
Implemented libstrongswan.plugins.random.strong_equals_true option
2013-11-16 00:11:40 +01:00
20c99edab9
android: Remove dependency on libvstr
2013-11-13 11:40:47 +01:00
334f44cd29
unit-tests: Initialize tests with a callback
2013-11-06 10:31:07 +01:00
8d2450d8b8
plugin-loader: Convenience function added to add plugin dirs in build tree
2013-11-06 10:31:07 +01:00
09d0c9030a
unit-tests: Separate test runner to a library, reusable by other tests
...
Other users may make use of the noinst libtest.la helper library to implement
unit tests. For libstrongswan, tests.[ch] provide the configuration for test
runner to perform unit tests in a simple manner.
2013-11-06 10:31:07 +01:00
5a3230a250
unit-tests: Use some include magic to define test suite constructors
...
Avoid editing of several files when creating test suites by using a single
header file to define test suite constructor functions.
2013-11-06 10:31:07 +01:00
d9d0eef92b
unit-tests: Check printing of strings having zero length
2013-11-06 10:31:07 +01:00
61934203e2
unit-tests: Add some basic tests if PRI* printf specifiers work as expected
2013-11-06 10:31:06 +01:00
a4cbda35ce
unit-tests: Add a semaphore wait cancel test
2013-11-06 10:31:06 +01:00
fae1b85223
unit-tests: Add a semaphore absolute timed wait test
2013-11-06 10:31:06 +01:00
a14935ea4b
unit-tests: Add a semaphore timed wait test case
2013-11-06 10:31:06 +01:00
ffab2e0c95
unit-tests: Add a simple semaphore test
2013-11-06 10:31:06 +01:00
b1bfe59560
unit-tests: Add a spinlock test case
2013-11-06 10:31:06 +01:00
478dc0257c
unit-tests: Add a rwlock condvar thread cancel test
2013-11-06 10:31:05 +01:00
b92c173b28
unit-tests: Add a rwlock condvar absolute timed wait test
2013-11-06 10:31:05 +01:00
af19213c54
unit-tests: Add a rwlock condvar wait test
2013-11-06 10:31:05 +01:00
1032f52d68
unit-tests: Add a rwlock condvar broadcast test
2013-11-06 10:31:05 +01:00
f644b9e853
unit-tests: Add a rwlock condvar test
2013-11-06 10:31:05 +01:00
dac31fe1a0
unit-tests: Add a rwlock test case
2013-11-06 10:31:05 +01:00
8b25b5c36f
unit-tests: Add a condvar test where wait gets cancelled
2013-11-06 10:31:04 +01:00
b7db393d01
unit-tests: Add a condvar test working on a recursive mutex
2013-11-06 10:31:04 +01:00
8699a32b74
unit-tests: Add a condvar absolute timed wait test
2013-11-06 10:31:04 +01:00
31f9f777b3
unit-tests: Add a condvar timed wait test
2013-11-06 10:31:04 +01:00
9a0a891e6b
unit-tests: Add condvar broadcast test
2013-11-06 10:31:04 +01:00
13183a74d4
unit-tests: Add a simple condvar test
2013-11-06 10:31:04 +01:00
21df985148
unit-tests: Add a thread local storage cleanup test
2013-11-06 10:31:03 +01:00
0b00e63e49
unit-tests: Add a thread local storage fuzzer test
2013-11-06 10:31:03 +01:00
fd26b7ff1b
unit-tests: Add a thread cleanup pop test
2013-11-06 10:31:03 +01:00
4aec0c5543
unit-tests: Add cleanup test cases for different thread exit situations
2013-11-06 10:31:03 +01:00
e5b34086f1
unit-tests: Add a test for thread_cancellation_point()
2013-11-06 10:31:03 +01:00
49e6848bd0
unit-tests: Add thread cancellability testing
2013-11-06 10:31:03 +01:00
855747eab7
unit-tests: Add a simple thread_cancel() test
2013-11-06 10:31:02 +01:00
c320c61160
unit-tests: Add thread_exit() tests to both join and detach test cases
2013-11-06 10:31:02 +01:00
274e6beb00
unit-tests: Add a simple thread detach test
2013-11-06 10:31:02 +01:00
5d4a882f45
unit-tests: Add a simple thread join() test
2013-11-06 10:31:02 +01:00
b942528419
unit-tests: Add test suite for streams and services
2013-11-06 10:31:02 +01:00
8eda87af86
unit-tests: Add a few test cases for watcher
2013-11-06 10:31:02 +01:00
23b8f9bf86
unit-tests: Support testing multi-threaded code
2013-11-06 10:31:01 +01:00
f23fd4c59b
unit-tests: Use a home-brew thread barrier to remove pthread dependency
2013-11-06 10:31:01 +01:00
b74b8addf8
unit-tests: Show how many test vectors have failed on test failure
2013-11-06 10:31:01 +01:00
b4d43a542f
unit-tests: Skip fmemopen() based printf() tests if not available
2013-11-06 10:31:01 +01:00
45766923b8
unit-tests: Avoid name clash with clone() from <sched.h>
2013-11-06 10:31:01 +01:00
1254ad01b9
unit-tests: Fix a compiler warning in identification tests
2013-11-06 10:31:01 +01:00
382fa8b419
unit-tests: Clean up memory in new asn1 unit tests
...
Test runner checks for leaks when leak detective is enabled.
2013-11-06 10:31:00 +01:00
712940d161
unit-tests: Pass linked_list->invoke* varargs as uintptr_t
...
Passing integers of unspecified length may result in passing an integer shorter
than uintptr_t. When reading them back, we might get more data than passed,
resulting in a failure.
2013-11-06 10:31:00 +01:00
f7b8396af0
unit-tests: Initialize backtracing before printing any backtraces
2013-11-06 10:31:00 +01:00
bbb62267e0
thread: Note that tread_cancellation_point temporarily activates cancelability
2013-11-06 10:31:00 +01:00
7a13990964
backtrace: Support backtracing even if library is not initialized
...
But of course backtracing must be initialized anyway using backtrace_init().
2013-11-06 10:31:00 +01:00
a5860cddae
unit-tests: Enable libstrongswan tests even if --enable-unit-tests not set
...
As we don't depend on the check framework anymore, we can enable the unit tests
by default. These are built/executed with "make check" only, so it makes no
sense to disable them.
2013-11-06 10:31:00 +01:00
35e8eb93a0
unit-tests: Implement testing framework without "check"
2013-11-06 10:30:59 +01:00
56866ecf3d
leak-detective: Call {gm,local}time_r() to allocate static buffer
...
On OS X Mavericks, these functions use a static allocation and are hard
to whitelist using other means.
2013-11-06 10:30:59 +01:00
ef6d78d6ef
leak-detective: Register OS X specific hooks just once
...
If we initialize libstrongswan more than once in the same process, we may
not register the hooks twice.
2013-11-06 10:30:59 +01:00
f192526c3f
leak-detective: Reset leak list during cleanup
...
This resets leak detective state should it get created/destroyed more than once.
2013-11-06 10:30:59 +01:00
a426851f63
leak-detective: Use callback functions to report leaks and usage information
...
This is more flexible than printing reports to a FILE.
2013-11-06 10:30:59 +01:00
9ae1140118
unit-tests: Move test suites to its own subfolder
2013-11-06 10:30:58 +01:00
2da887da35
unit-tests: completed asn1_suite
2013-11-04 18:35:25 +01:00
79b8a384b5
Updated test_runner.h with new suites
2013-11-03 21:34:42 +01:00
7817d88e1a
unit-tests: 100% function coverage for asn1.c
2013-11-03 17:40:51 +01:00
54bce665c4
unit-tests: 12 asn1 functions tested
2013-11-02 21:20:04 +01:00
c3103700fc
Some minor refactoring in asn1.c
2013-11-02 21:17:46 +01:00
1347c936bd
Do not free zero-length integer
2013-11-02 02:11:32 +01:00
a40c4bc28c
unit-tests: Added tests for pen_type_t
2013-11-01 22:29:29 +01:00
7f4a13fffb
identification: Properly check length before comparing for binary DN equality
...
Fixes CVE-2013-6075.
2013-10-31 21:57:07 +01:00
ed3eb62723
unit-tests: Additionally do reverse match checking with empty identities
2013-10-31 21:57:07 +01:00
e02b12e374
unit-tests: Test matching against some empty data identities
2013-10-31 21:57:07 +01:00
df12b3a61f
unit-tests: Test for equality against some empty data identities
2013-10-31 21:57:07 +01:00
c409be2506
unit-tests: Let identity equality test fail if a->equals(b) != b->equals(a)
2013-10-31 21:57:07 +01:00
5ac29360fc
utils: Include stdio.h for fmemopen() replacement
...
This might now be required because Vstr is not necessarily required
anymore, which means stdio.h might not be pulled in by prinf_hook.h.
2013-10-29 16:18:35 +01:00
60ddf6284f
Use exact mask when calling umask(2)
...
Due to the previous negation the high bits of the mask were set, which
at least some versions of the Android build system prevent with a compile-time
check.
2013-10-29 16:01:55 +01:00
1dd58b0e21
Fixed some typos
2013-10-29 11:44:23 +01:00
9df621d21f
utils: Fix check for fmemopen() fallback implementation
2013-10-24 15:58:49 +02:00
8465514157
unit-tests: Set sa_len in sockaddr template data, if required
2013-10-24 15:37:21 +02:00
e71c57467c
printf-hook-builtin: Don't rely on isinf() return value signedness
...
Many systems don't return a negative value for negative infinities; so do
a separate check.
2013-10-24 15:37:20 +02:00
5ce3c9b15a
watcher: Rebuild fdset when select() fails
...
This should make sure we refresh the fdset if a user closes an FD it just
removed. Some selects() seem to complain about the bad FD before signaling the
notification pipe.
2013-10-24 15:37:20 +02:00
1a20a22d09
rwlock: Disable thread cancelability while waiting in (fallback) rwlock
...
An rwlock wait is not a thread cancellation point. As a canceled thread
would not have released the mutex, the rwlock would have been left in unusable
state.
2013-10-24 14:53:53 +02:00
181d071363
rwlock: Don't use buggy pthread_rwlock on OS X
...
Recursive read locks don't seem to work properly, at least on 10.9.
2013-10-24 14:53:47 +02:00
2077d996a9
utils: Provide a fmemopen(3) fallback using BSD funopen()
2013-10-24 13:17:05 +02:00
71c9565a3a
pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOB
...
This allows more than one builder to try parsing the data read from STDIN.
2013-10-23 17:20:39 +02:00
46cded2627
chunk: Add helper function to create a chunk from data read from a file descriptor
2013-10-23 17:20:39 +02:00
b08292a520
semaphore: Support cancellation in wait functions of semaphore fallback
...
Semaphore wait functions should be a thread cancellation point, but did
not properly release the mutex in the fallback implementation.
2013-10-23 16:08:40 +02:00
47c76c1b05
rwlock: Re-acquire rwlock even if condvar wait times out
...
A caller expects that the associated rwlock is held, whether the condvar
gets signaled or the wait times out.
2013-10-23 11:52:26 +02:00
000235f1c5
traffic-selector: Print ICMP[v6] message type and code in a more readable way
2013-10-17 16:57:39 +02:00
4bebe45abb
traffic-selector: Store ICMP[v6] message type and code properly
...
We now store them as defined in RFC 4301, section 4.4.1.1.
2013-10-17 16:57:39 +02:00
d6a1960d34
traffic-selector: Move class to its own Doxygen group
2013-10-17 16:57:38 +02:00
606aae3aa1
openssl: Add workaround if ECC Brainpool curves are not defined
2013-10-17 13:36:08 +02:00
3c29d2822f
openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
...
OpenSSL does not include them in releases before 1.0.2.
2013-10-17 13:36:08 +02:00
cca372465d
ecc: Added ECC Brainpool ECDH groups as registered with IANA
2013-10-17 11:57:04 +02:00
be97277bdb
unit-tests: Make test for bio_writer_t more portable
2013-10-17 11:44:03 +02:00
812ae898bf
utils: Add utility function to calculate padding length
2013-10-17 10:25:34 +02:00
dd438ee22c
Doxygen fixes
2013-10-15 11:25:55 +02:00
6623dfa84d
Revert refactoring which broke CentOS build
2013-10-13 19:56:04 +02:00
0f6f7ba22c
ccm: Add missing comma in get_iv_gen method signature
2013-10-11 17:42:25 +02:00
bfeb8b5c47
iv-gen: Add missing header files to Makefile.am
2013-10-11 17:42:05 +02:00
0c6f6c4e34
iv_gen: Mask sequential IVs with a random salt
...
This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.
2013-10-11 15:55:40 +02:00
e8229ad558
iv_gen: Provide external sequence number (IKE, ESP)
...
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
50bd28d549
iv_gen: aead_t implementations provide an IV generator
2013-10-11 15:55:40 +02:00
b3e1eb2afe
iv_gen: Add IV generator that allocates IVs sequentially
2013-10-11 15:55:40 +02:00
53d1f2dbfd
iv_gen: Add IV generator that allocates IVs randomly
...
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
403057aa5a
crypto: Add generic interface for IV generators
2013-10-11 15:55:40 +02:00
b38f7f703b
apidoc: Move mac_prf to prf Doxygen group
2013-10-11 15:55:40 +02:00
6ecf1aab35
unbound: Add support for DLV (DNSSEC Lookaside Validation)
...
Fixes #392 .
2013-10-11 15:45:25 +02:00
434e530f75
ipsec_types: Add utility function to parse mark_t from strings
2013-10-11 15:32:44 +02:00
b283a6e9ef
database: Add support for serializable transactions
2013-10-11 15:29:10 +02:00
fad11d602d
sqlite: Implement transaction handling
2013-10-11 15:16:05 +02:00
f3cb889c9b
mysql: Implement transaction handling
2013-10-11 15:16:04 +02:00
947b76cda8
database: Add interface to handle transactions
2013-10-11 15:16:04 +02:00
5f6a40827e
mysql: Ensure connections are properly released in multi-threaded environments
2013-10-11 15:16:04 +02:00
ec91f15e3b
crypto-factory: Try next available RNG implementation if constructor fails
2013-10-11 15:13:25 +02:00
2e22333fbc
crypto-factory: Order entries by algorithm identifier and (optionally) speed
2013-10-11 15:13:25 +02:00
e2c9a03d15
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11 15:13:25 +02:00
3473cbab9c
vstr: Forward actual field width
...
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
2013-10-11 15:12:16 +02:00
fc566632da
unit-tests: support testing when leak-detective has not been enabled
2013-10-11 15:12:16 +02:00
795cbb98c6
printf-hook-builtin: Print NaN/Infinity floating point values as such
2013-10-11 11:06:09 +02:00
8af9bf70f5
printf-hook-builtin: Correctly round up floating point values
2013-10-11 11:06:09 +02:00
edc7a3d02f
printf-hook-builtin: Add some preliminary floating point support
...
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
7e6a4cdc84
printf-hook-builtin: Support GNU %m specifier
2013-10-11 11:06:09 +02:00
cabe5c0ff4
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
...
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
ebca34d782
printf-hook: Add some basic printf() string/integer test functions
2013-10-11 11:05:37 +02:00
243048248b
printf-hook: Move glibc/vstr printf hook backends to separate files
2013-10-11 11:05:30 +02:00
c8f34ba7b6
openssl: Properly log FIPS mode when enabled via openssl.conf
...
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).
Either way, we should log whether FIPS mode is enabled or not.
References #412 .
2013-09-27 09:24:03 +02:00
ed72f2d65e
printf-hook: Write to output stream instead of the FD directly when using Vstr
...
This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.
2013-09-24 08:44:00 +02:00
075e80368b
sshkey: Add support for parsing keys from files
2013-09-13 15:23:49 +02:00
b2a5317596
sshkey: Add encoding for ECDSA keys
2013-09-13 15:23:49 +02:00
d6b3cc87ca
openssl: Add support for generic encoding of EC public keys
2013-09-13 15:23:49 +02:00
f40e9f4d16
sshkey: Add encoder for RSA keys
2013-09-13 15:23:49 +02:00
3b939e20a9
openssl: Add generic RSA public key encoding
2013-09-13 15:23:49 +02:00
b5cc7053c8
openssl: Add helper function to convert BIGNUMs to chunks
2013-09-13 15:23:49 +02:00
9af44ef5d9
Build all shared libraries with -no-undefined and link them properly
...
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.
For plugins this is currently not done, so only the monolithic build is
supported. The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
2013-09-12 01:44:49 +02:00
bf32cdfbf6
tun_device: Add warning if TUN devices are not supported by platform
2013-09-12 01:44:49 +02:00
7bda0f0c8b
Added tzset memory leak to whitelist
2013-08-28 22:51:17 +02:00
f0c54e8c15
chunk: Print chunks without separator if + modifier is used
2013-08-24 16:22:51 +02:00
32a145fdbd
utils: Add case-insensitive version of strpfx()
2013-08-24 16:22:51 +02:00
a24515c515
backtrace: rename clone() method clashing with system call
...
Fixes #376 .
2013-08-09 09:13:39 +02:00
ed0efaef4c
host: Properly initialize struct sockaddr_in[6] when parsing strings
...
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
b3393c88c1
asn1: Fix handling of invalid ASN.1 length in is_asn1()
...
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
83a0b74da8
keychain: be less verbose when loading certificates
2013-07-31 11:41:16 +02:00
84044f9c73
utils: add round_up/down() helper functions
2013-07-29 09:00:48 +02:00
1f2d9c7688
watcher: Made notify array initialization compatible with older GCC versions
2013-07-25 16:57:42 +02:00
Andreas Steffen