Tobias Brunner
e8229ad558
iv_gen: Provide external sequence number (IKE, ESP)
...
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
Tobias Brunner
50bd28d549
iv_gen: aead_t implementations provide an IV generator
2013-10-11 15:55:40 +02:00
Tobias Brunner
b3e1eb2afe
iv_gen: Add IV generator that allocates IVs sequentially
2013-10-11 15:55:40 +02:00
Tobias Brunner
53d1f2dbfd
iv_gen: Add IV generator that allocates IVs randomly
...
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
Tobias Brunner
403057aa5a
crypto: Add generic interface for IV generators
2013-10-11 15:55:40 +02:00
Tobias Brunner
b38f7f703b
apidoc: Move mac_prf to prf Doxygen group
2013-10-11 15:55:40 +02:00
Tobias Brunner
6ecf1aab35
unbound: Add support for DLV (DNSSEC Lookaside Validation)
...
Fixes #392.
2013-10-11 15:45:25 +02:00
Tobias Brunner
434e530f75
ipsec_types: Add utility function to parse mark_t from strings
2013-10-11 15:32:44 +02:00
Tobias Brunner
b283a6e9ef
database: Add support for serializable transactions
2013-10-11 15:29:10 +02:00
Tobias Brunner
fad11d602d
sqlite: Implement transaction handling
2013-10-11 15:16:05 +02:00
Tobias Brunner
f3cb889c9b
mysql: Implement transaction handling
2013-10-11 15:16:04 +02:00
Tobias Brunner
947b76cda8
database: Add interface to handle transactions
2013-10-11 15:16:04 +02:00
Tobias Brunner
5f6a40827e
mysql: Ensure connections are properly released in multi-threaded environments
2013-10-11 15:16:04 +02:00
Tobias Brunner
ec91f15e3b
crypto-factory: Try next available RNG implementation if constructor fails
2013-10-11 15:13:25 +02:00
Tobias Brunner
2e22333fbc
crypto-factory: Order entries by algorithm identifier and (optionally) speed
2013-10-11 15:13:25 +02:00
Tobias Brunner
e2c9a03d15
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway
2013-10-11 15:13:25 +02:00
Tobias Brunner
3473cbab9c
vstr: Forward actual field width
...
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
2013-10-11 15:12:16 +02:00
Martin Willi
fc566632da
unit-tests: support testing when leak-detective has not been enabled
2013-10-11 15:12:16 +02:00
Martin Willi
795cbb98c6
printf-hook-builtin: Print NaN/Infinity floating point values as such
2013-10-11 11:06:09 +02:00
Martin Willi
8af9bf70f5
printf-hook-builtin: Correctly round up floating point values
2013-10-11 11:06:09 +02:00
Martin Willi
edc7a3d02f
printf-hook-builtin: Add some preliminary floating point support
...
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
Martin Willi
7e6a4cdc84
printf-hook-builtin: Support GNU %m specifier
2013-10-11 11:06:09 +02:00
Martin Willi
cabe5c0ff4
printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
...
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
Martin Willi
ebca34d782
printf-hook: Add some basic printf() string/integer test functions
2013-10-11 11:05:37 +02:00
Martin Willi
243048248b
printf-hook: Move glibc/vstr printf hook backends to separate files
2013-10-11 11:05:30 +02:00
Tobias Brunner
c8f34ba7b6
openssl: Properly log FIPS mode when enabled via openssl.conf
...
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).
Either way, we should log whether FIPS mode is enabled or not.
References #412.
2013-09-27 09:24:03 +02:00
Tobias Brunner
ed72f2d65e
printf-hook: Write to output stream instead of the FD directly when using Vstr
...
This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.
2013-09-24 08:44:00 +02:00
Tobias Brunner
075e80368b
sshkey: Add support for parsing keys from files
2013-09-13 15:23:49 +02:00
Tobias Brunner
b2a5317596
sshkey: Add encoding for ECDSA keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
d6b3cc87ca
openssl: Add support for generic encoding of EC public keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
f40e9f4d16
sshkey: Add encoder for RSA keys
2013-09-13 15:23:49 +02:00
Tobias Brunner
3b939e20a9
openssl: Add generic RSA public key encoding
2013-09-13 15:23:49 +02:00
Tobias Brunner
b5cc7053c8
openssl: Add helper function to convert BIGNUMs to chunks
2013-09-13 15:23:49 +02:00
Tobias Brunner
9af44ef5d9
Build all shared libraries with -no-undefined and link them properly
...
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.
For plugins this is currently not done, so only the monolithic build is
supported. The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
2013-09-12 01:44:49 +02:00
Tobias Brunner
bf32cdfbf6
tun_device: Add warning if TUN devices are not supported by platform
2013-09-12 01:44:49 +02:00
Andreas Steffen
7bda0f0c8b
Added tzset memory leak to whitelist
2013-08-28 22:51:17 +02:00
Tobias Brunner
f0c54e8c15
chunk: Print chunks without separator if + modifier is used
2013-08-24 16:22:51 +02:00
Tobias Brunner
32a145fdbd
utils: Add case-insensitive version of strpfx()
2013-08-24 16:22:51 +02:00
Martin Willi
a24515c515
backtrace: rename clone() method clashing with system call
...
Fixes #376.
2013-08-09 09:13:39 +02:00
Tobias Brunner
ed0efaef4c
host: Properly initialize struct sockaddr_in[6] when parsing strings
...
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
Tobias Brunner
b3393c88c1
asn1: Fix handling of invalid ASN.1 length in is_asn1()
...
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
Martin Willi
83a0b74da8
keychain: be less verbose when loading certificates
2013-07-31 11:41:16 +02:00
Martin Willi
84044f9c73
utils: add round_up/down() helper functions
2013-07-29 09:00:48 +02:00
Tobias Brunner
1f2d9c7688
watcher: Made notify array initialization compatible with older GCC versions
2013-07-25 16:57:42 +02:00
Tobias Brunner
ebb4ad1baa
unit-tests: Add additional tests for host_t
2013-07-25 11:28:26 +02:00
Tobias Brunner
116363e5c6
array: Number of items in get_size() is unsigned
...
Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due to
the implicit sign extension when getting cast to size_t.
2013-07-25 11:28:01 +02:00
Tobias Brunner
d7dc4fedd1
stream: Ensure UNIX socket path is null terminated
2013-07-24 16:17:23 +02:00
Tobias Brunner
cfca183d55
pkcs5: Add missing break statements when checking crypto primitives
2013-07-24 16:17:22 +02:00
Tobias Brunner
5baec6448d
unit-tests: Add test for host_create_netmask()
2013-07-24 16:17:21 +02:00
Tobias Brunner
6e2ec33f9d
host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128
2013-07-24 16:17:03 +02:00
Tobias Brunner
cfdd23b967
capabilities: Proper error handling when reading groups
2013-07-24 10:54:26 +02:00
Martin Willi
dcd5129c25
processor: force synchronous execute_job() if set_threads(0) has been called
...
During daemon shutdown, some idle threads might be lingering around even if
set_threads(0) already has been called. To avoid any races, we enforce
synchronous execution of the job.
2013-07-19 15:30:22 +02:00
Tobias Brunner
8f1b44b40c
keychain: Use AM_CPPFLAGS instead of INCLUDES
2013-07-19 09:01:39 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
...
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Martin Willi
cb6c4e0430
identification: parse identities having a "@@" prefix as ID_RFC822_ADDR
...
Original patch by Gerald Richter.
2013-07-18 16:45:10 +02:00
Martin Willi
b4b3959b22
stream-service: move CAP_CHOWN check from plugins to service constructor
...
A plugin service can be a TCP socket now, so it does not make much sense
to strictly check for CAP_CHOWN.
2013-07-18 16:00:31 +02:00
Martin Willi
1897dd730f
processor: remove the now unused get_threads() method again
2013-07-18 16:00:31 +02:00
Martin Willi
ea009869e9
watcher: use processor's new execute_job() to notify FDs
...
Just queueing is problematic, as all threads might be busy waiting for events
that the queued (but never executed) job delivers.
2013-07-18 16:00:31 +02:00
Martin Willi
6653e6c13e
processor: add an execute_job() method to directly execute an important job
...
If all worker threads are busy and waiting for an event, we must ensure that
a job delivering that event gets executed. This new method has this property
for CRITICAL jobs, using a worker if we have one, but executing the job directly
if not.
2013-07-18 16:00:31 +02:00
Martin Willi
55240835b0
watcher: properly support multiple watch callback types for the same FD
2013-07-18 16:00:31 +02:00
Martin Willi
d0c25a3f23
watcher: read multiple notifications if available
...
Use non-blocking I/O on the read end of the notify pipe. This also makes sure
the read does not block should select() signal data while there is none.
2013-07-18 16:00:31 +02:00
Martin Willi
4d7a762871
credmgr: introduce a hook function to catch trust chain validation errors
2013-07-18 16:00:30 +02:00
Martin Willi
4701929266
stream: allow async read/write callback to destroy the stream explicitly
2013-07-18 16:00:29 +02:00
Martin Willi
c9d1742b5d
stream: don't close underlying socket when creating a stream from it
2013-07-18 16:00:29 +02:00
Martin Willi
58d0dadddc
watcher: add some debugging statements
2013-07-18 16:00:29 +02:00
Martin Willi
91a2ae644c
watcher: if the processor has no threads, execute the job with watcher thread
...
This is important during shutdown, where we might need to signal some FDs while
all idle threads are gone already.
2013-07-18 16:00:29 +02:00
Martin Willi
50720d7ce9
processor: add a getter for the threads passed to set_threads()
2013-07-18 16:00:29 +02:00
Martin Willi
a0e3a7363f
watcher: unregister a watcher FD if its thread gets cancelled
2013-07-18 16:00:29 +02:00
Martin Willi
a558ba16f3
watcher: release threads waiting in remove() when watcher thread gets cancelled
...
During daemon shutdown, users might call remove() after processor.set_threads(0)
has been called. This gets problematic, as a watch event might be unable
to signal completion when no threads are available anymore. Work around this
issue by cancelling waiters once processor.cancel() has been called.
2013-07-18 16:00:29 +02:00
Martin Willi
e6e8a2b2e0
stream: support keeping the service alive outside of service callback
2013-07-18 16:00:28 +02:00
Martin Willi
d57b9e7c82
stream: add read/write_all() methods to stream
2013-07-18 16:00:28 +02:00
Martin Willi
1d1ef9e7ca
stream: support cancellation of stream service callback
2013-07-18 16:00:28 +02:00
Martin Willi
047a190600
stream: use a service constructor to create services
...
It does not make much sense to reference running services in the manager,
especially as unregistration would need the URI (which a user would have to
store instead of the service reference).
2013-07-18 16:00:28 +02:00
Martin Willi
fbdc65debb
stream: replace print/vprint() convenience functions by a FILE* getter
...
While this will complicate the implementation of streams not based on a fd,
it allows us to unleash the full power of FILE based convenience functions.
2013-07-18 16:00:28 +02:00
Martin Willi
70d1ccec96
stream: add a concurrency option to services, limiting parallel callbacks
2013-07-18 16:00:28 +02:00
Martin Willi
db0e160ba2
stream: add a job priority option to stream services
2013-07-18 16:00:28 +02:00
Martin Willi
441bb9e7b7
stream: add backlog option to stream services, forward to listen()
2013-07-18 16:00:28 +02:00
Martin Willi
c5597a4b56
stream: add support for TCP stream services
2013-07-18 16:00:28 +02:00
Martin Willi
db1c8aa460
stream: add support for TCP streams
2013-07-18 16:00:28 +02:00
Martin Willi
f04746d9b4
stream: add support for UNIX stream services
2013-07-18 16:00:28 +02:00
Martin Willi
b785cfe05b
stream: add support for UNIX streams
2013-07-18 16:00:28 +02:00
Martin Willi
c1fd8c22ce
stream: support async operation using watcher
2013-07-18 16:00:28 +02:00
Martin Willi
7a23588195
stream: add printf()-style convenience functions
2013-07-18 16:00:28 +02:00
Martin Willi
2ba276017d
stream: create library instance of stream-manager
2013-07-18 16:00:28 +02:00
Martin Willi
d6ff53940f
stream: add a manager to dynamically register streams and services
2013-07-18 16:00:28 +02:00
Martin Willi
daf1880b39
stream: add a stream service class abstracting services using BSD sockets
2013-07-18 16:00:27 +02:00
Martin Willi
b6b940001a
stream: add a stream class abstracting BSD sockets
...
Currently only synchronous operation is supported, but this will be extended
with asynchronous methods using the new watcher.
2013-07-18 16:00:27 +02:00
Martin Willi
32b2a5e04b
watcher: add a centralized and generic facility to monitor file descriptors
2013-07-18 16:00:27 +02:00
Tobias Brunner
027676f750
capabilities: Add function to check if a capability is held, without keeping it
...
This can be useful if capabilities are not required anymore after
dropping privileges.
2013-07-18 15:25:35 +02:00
Martin Willi
19cb07b890
automake: replace INCLUDES by AM_CPPFLAGS
...
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
Martin Willi
2d5a20061a
soup: omit deprecated g_type_init() when using >= GLIB 2.36
2013-07-18 14:20:57 +02:00
Martin Willi
55dacbfac2
keychain: flush certificate cache after reloading System keychain
2013-07-18 12:17:54 +02:00
Martin Willi
57dce77ba6
keychain: monitor changes in the system keychain, reload when necessary
2013-07-18 12:17:54 +02:00
Martin Willi
dcd8bdde4f
keychain: use SearchCopyNext keychain enumeration for System certs as well
...
SecItemCopyMatching seems to be problematic regarding memory management. And
as there does not seem to be a good alternative to enumerate the System Roots
keychain using the SecItemCopyMatching API, we stick to the deprecated
enumeration functions for now.
2013-07-18 12:17:54 +02:00
Martin Willi
0bdd453392
keychain: load certificates from System Roots Keychain
2013-07-18 12:17:54 +02:00
Martin Willi
bc6c7bf39e
keychain: load certificates only once during startup, improving performance
2013-07-18 12:17:54 +02:00
Martin Willi
6f00ddb90c
keychain: support on-the-fly enumeration of trusted/untrusted certificates
2013-07-18 12:17:54 +02:00
Martin Willi
7b8edabd8a
keychain: add a stub for a credential plugin using OS X Keychain Services
2013-07-18 12:17:54 +02:00
Martin Willi
5d36f04ee2
credmgr: stop querying for secrets once we get a perfect match
2013-07-18 12:17:54 +02:00
Martin Willi
69039e83f8
credmgr: don't use pointers for id_match_t enum values
2013-07-18 12:17:54 +02:00
Martin Willi
c3e7b3de0b
openssl: parse X.509 extended key usage from extension parsing loop
...
Otherwise parsing gets aborted if unknown critical extensions are handled as
error.
2013-07-18 12:17:53 +02:00
Martin Willi
3f55f203ee
openssl: show which critical X.509 extension is not supported
2013-07-18 12:17:53 +02:00
Martin Willi
437a6feb07
hashtable: add common hashtable hash/equals functions for pointer/string keys
2013-07-18 12:17:53 +02:00
Martin Willi
01c0267778
thread: implicitly create thread_t if an external thread calls thread_current()
2013-07-18 12:17:53 +02:00
Tobias Brunner
84693a3d79
linked-list: Remove barely used has_more() method
...
This required some refactoring when handling encrypted payloads.
Also changed log messages so that "encrypted payload" is logged instead
of "encryption payload" (even if we internally still call it that) as
that's the name used in RFC 5996.
2013-07-17 17:42:53 +02:00
Tobias Brunner
1a9528f916
linked-list: Don't require an argument for the item when enumerating
2013-07-17 17:42:53 +02:00
Tobias Brunner
cf4172637a
linked-list: Remove unused clone_function() method
2013-07-17 17:42:53 +02:00
Tobias Brunner
0f3ddbd189
linked-list: Remove barely used find_last() method
2013-07-17 17:42:53 +02:00
Tobias Brunner
be3c09d020
linked-list: Remove unused replace() method
...
Its functionality can be replicated by calling insert_before() followed
by remove_at(). Not the other way around, though, because remove_at()
changes the enumerator position.
2013-07-17 17:42:53 +02:00
Martin Willi
926776ec80
auth-cfg: use array instead of linked list
...
Saves another 4 linked lists (1KB) per IKE_SA
2013-07-17 17:20:18 +02:00
Martin Willi
4730c4b32b
unit-tests: implement tests for array collection
2013-07-17 17:20:17 +02:00
Martin Willi
2621ff4d40
array: introduce an array collection storing elements very efficiently
...
Currently we use the very versatile linked-list collection to store elements
with variable count. This is fine, but very inefficient: Due to the many
methods in the linked list, on 64-bit platforms an empty list alone is more
than 200 bytes. As we currently have about 50 lists per IKE_SA/CHILD_SA pair,
this takes up to 10KB just for managing the empty lists. This is about
half of the memory used by an IKE_SA/CHILD_SA pair, and obviously way too much.
The new array type is not an object, but a collection of functions on an
abstract type.
The following lists are per IKE_SA and should be considered for a replacement
with more efficient arrays (this uses load-tester's on-demand created dynamic
configurations, other scenarios have different lists):
14 -> ike_sa_create() @ src/libcharon/sa/ike_sa.c:2198
10 -> auth_cfg_create() @ src/libstrongswan/credentials/auth_cfg.c:1088
6 -> task_manager_v2_create() @ src/libcharon/sa/ikev2/task_manager_v2.c:1505
6 -> proposal_create() @ src/libcharon/config/proposal.c:592
5 -> peer_cfg_create() @ src/libcharon/config/peer_cfg.c:657
4 -> child_sa_create() @ src/libcharon/sa/child_sa.c:1090
2 -> child_cfg_create() @ src/libcharon/config/child_cfg.c:536
1 -> ike_cfg_create() @ src/libcharon/config/ike_cfg.c:330
1 -> put_connected_peers() @ src/libcharon/sa/ike_sa_manager.c:854
2013-07-17 17:20:17 +02:00
Tobias Brunner
e0b868f79e
pkcs12: Add plugin dependencies with soft dependencies on the most common algorithms
2013-07-15 10:48:19 +02:00
Martin Willi
1e54e40f5d
leak-detective: remove hdr entry when reallocating zero bytes
2013-07-12 20:00:16 +02:00
Martin Willi
c93cf85356
leak-detective: print total of allocated/leaked bytes in usage/report
2013-07-12 20:00:14 +02:00
Andreas Steffen
126778679f
Recognize critical IssuingDistributionPoint CRL extension
2013-07-12 09:00:47 +02:00
Martin Willi
81959e6406
leak-detective: add a usage threshold option based on the number of allocations
2013-07-10 17:28:45 +02:00
Martin Willi
82d0317be6
leak-detective: set_state() only affects the calling thread
...
The only user (bfd backtraces) is fine with that, and we really should not
mess the enable flag while doing allocations with other threads.
2013-07-10 17:28:32 +02:00
Martin Willi
f960b39061
leak-detective: take a copy of backtrace while printing traces
...
As we don't want to hold the lock, we must make sure backtraces keep valid
while printing them.
2013-07-10 17:28:24 +02:00
Martin Willi
d9c459e855
backtrace: add a clone() method
2013-07-10 17:28:18 +02:00
Martin Willi
3b26f04cf4
leak-detective: remove hdr from the allocation list during realloc()
...
If realloc moves an allocation, the original allocation gets freed. We
therefore must remove the hdr from the list, as it is invalid. We can add it
afterwards once it has been updated, allowing us to unlock the list during
reallocation.
2013-07-10 16:37:08 +02:00
Tobias Brunner
d27f225d9a
Use strpfx() helper where appropriate
2013-07-08 18:49:30 +02:00
Tobias Brunner
f460facdca
utils: Add helper function to check a string for a given prefix
2013-07-08 18:49:30 +02:00
Tobias Brunner
985dcab1c2
utils: Convert string helper macros to static inline functions
2013-07-08 18:49:29 +02:00
Martin Willi
324b90cc46
openssl: RAND_pseudo_bytes() returns 0 if bytes are not cryptographically strong
...
For our purposes with RNG_WEAK this is fine, so accept a zero return value.
2013-07-04 11:09:54 +02:00
Tobias Brunner
b1b0cce396
processor: Simplified the main loop
2013-06-28 17:02:06 +02:00
Tobias Brunner
6ca25ccc04
processor: Don't hold the lock while destroying jobs
...
If a lock is held when queue_job() is called and the same lock is
required during the destruction of a job, holding the internal lock
in the processor while calling destroy() could result in a deadlock.
2013-06-28 17:02:05 +02:00
Tobias Brunner
f95205f580
integrity-checker: Use chunk_hash_static() to calculate checksums
2013-06-28 17:00:29 +02:00
Tobias Brunner
ed235dbbf2
chunk: Add predictable hash function
...
Since chunk_hash() is randomized its output is not predictable, that is,
it is only within the same process.
2013-06-28 17:00:29 +02:00
Tobias Brunner
b18a531715
plugin-loader: Removed unused path argument of load() method
...
Multiple additional search paths can be added with the add_path()
method.
2013-06-28 10:44:15 +02:00
Tobias Brunner
75ff252324
integrity-checker: Fix checksum calculation after randomizing chunk_hash()
2013-06-27 15:34:08 +02:00
Tobias Brunner
fcc33c0cd4
unit-tests: Print loaded plugins
2013-06-27 11:27:13 +02:00
Tobias Brunner
a6357a62b4
unit-tests: RSA key generation might take longer than 4 seconds
...
Check uses a default timeout of 4 seconds for each test case, generating
keys of 6 different key sizes might take longer than that.
2013-06-27 11:06:47 +02:00
Tobias Brunner
65d23c7c90
tests: Properly load plugins from build directory
...
Calling load() incrementally does not really work as dependencies
wouldn't be resolved properly if a required feature was to be provided
by a plugin that is loaded later with a separate call to load().
2013-06-27 11:06:47 +02:00
Tobias Brunner
f2086e42ff
plugin-loader: Method added to provide additional search paths for plugins
2013-06-27 10:27:24 +02:00
Tobias Brunner
ac2ffde4ae
capabilities: Return effective UID/GID if user did not configure anything
2013-06-25 17:16:33 +02:00
Tobias Brunner
5e80e387bd
capabilities: Report effective UID/GID after dropping capabilities
2013-06-25 17:16:33 +02:00
Tobias Brunner
1937538440
capabilities: Handle CAP_CHOWN specially as it might not be required
2013-06-25 17:16:33 +02:00
Tobias Brunner
9c354c659f
capabilities: Check effective UID as fallback if capabilities are not supported
2013-06-25 17:16:33 +02:00
Tobias Brunner
6f15f5e632
dhcp: Require CAP_NET_BIND_SERVICE and CAP_NET_RAW to open/bind sockets
2013-06-25 17:16:32 +02:00
Tobias Brunner
1dd61bf13d
socket-default: Require CAP_NET_BIND_SERVICE for ports < 1024
...
Since we don't know which ports are used with socket-dynamic we can't
demand the capability there, but it might still be required.
2013-06-25 17:16:32 +02:00
Tobias Brunner
41b8546ac0
capabilities: Only plugins that require CAP_NET_ADMIN demand it
...
The daemon as such does not require this capability.
2013-06-25 17:16:32 +02:00
Tobias Brunner
a2eb581781
capabilities: Move global capabilities_t instance to libstrongswan
2013-06-25 17:16:32 +02:00
Tobias Brunner
2e21bac19a
capabilities: Ensure required capabilities are actually held by the process/user
2013-06-25 17:16:32 +02:00
Tobias Brunner
66aaabf342
tun-device: Packets sent over utun devices on Mac OS X have the protocol family prepended
2013-06-21 17:03:21 +02:00
Tobias Brunner
c8a56512a6
tun-device: Avoid opening /dev/tunX multiple times (e.g. on FreeBSD)
2013-06-21 17:03:21 +02:00
Tobias Brunner
0d2ad63fe2
printf-hook: Avoid double-free when freeing Vstr config
...
Thread-specific objects get freed when the thread value object is
destroyed (wasn't the case earlier, i.e. before 2b19dd35), which
may cause the second call to vstr_free_conf() to fail in an assert
in Vstr (depending on how it was built).
2013-06-21 17:03:20 +02:00
Tobias Brunner
0d25c4ef87
plugin-loader: Move logging of failed features to status()
...
Still log an error message if critical features fail, as loaded
plugins/features are not logged in that case.
This way loaded plugins are printed before failed features and
the relation is easier to make for users. It also allows programs
to log this message on a different level.
2013-06-21 15:22:46 +02:00
Tobias Brunner
607f8e9906
plugin-loader: Add method to print loaded plugins on a given log level
2013-06-21 15:17:53 +02:00
Tobias Brunner
34ee14dd28
plugin-loader: Collect statistics while loading features, print them in case features failed to load
...
There is no need to explicitly search for failed features in critical
plugins as this is now detected while loading the features.
2013-06-21 15:13:25 +02:00
Tobias Brunner
681e53c70c
plugin-loader: Use different log level if failed feature is in critical plugin
2013-06-21 15:13:25 +02:00
Tobias Brunner
13d2d8f634
plugin-loader: Log message when failing to load plugin
2013-06-21 15:13:25 +02:00
Tobias Brunner
51b9d7513d
plugin-loader: Reduce verbosity while loading plugins
2013-06-21 15:13:25 +02:00
Martin Willi
092550b03a
leak-detective: (re-)whitelist some OpenSSL functions
...
Some static allocations in plugins won't get freed, because in the test case
process the plugins are not destroyed. If a plugin would clean up allocations
done while just using the plugin, these show up as leak in the child process,
letting tests fail.
2013-06-21 10:53:23 +02:00
Martin Willi
ef687db734
unit-tests: load plugins in test-runner from build directory
2013-06-21 10:53:23 +02:00
Martin Willi
b950fc48da
unit-tests: link test-runner against -lpthread
2013-06-21 10:53:23 +02:00
Martin Willi
df1a1a0901
unit-tests: add RSA test cases, very similar to ECDSA
2013-06-21 10:53:23 +02:00
Martin Willi
eabf4af0f8
unit-tests: test with /dev/urandom if random plugin is in use
2013-06-21 10:53:22 +02:00
Martin Willi
d0c09c84a5
unit-tests: test supported ECDSA schemes only
2013-06-21 10:53:22 +02:00
Martin Willi
2bedb0f270
Move test-runner's has_feature() function to plugin loader
2013-06-21 10:53:22 +02:00
Martin Willi
df76881f11
unit-tests: enforce CET/CEST timezone to properly test non-UTC time formatting
2013-06-21 10:53:22 +02:00
Martin Willi
44886a0667
unit-tests: don't use ck_assert() to test a cleared chunk, as it allocates data
...
The new allocation might be in the freed area, affecting the test result.
2013-06-21 10:53:22 +02:00
Martin Willi
52bff13848
unit-tests: define 64-bit constants with ULL, fixing compiler warning on 32-bit
2013-06-21 10:53:22 +02:00
Martin Willi
a88cab095d
unit-tests: test some zeroed ECDSA signatures that never should succeed
2013-06-21 10:53:21 +02:00
Martin Willi
7e23f53242
unit-tests: perform signing/validation with ECDSA keys generated or loaded
2013-06-21 10:53:21 +02:00
Martin Willi
eabb0befdc
unit-tests: add an ECDSA test case loading keys
2013-06-21 10:53:21 +02:00
Martin Willi
d18ff88faf
unit-tests: perform a first ECDSA test case if ECDSA is supported
2013-06-21 10:53:21 +02:00
Martin Willi
200f38ad4c
unit-tests: add a helper function checking if a plugin feature is available
2013-06-21 10:53:21 +02:00
Martin Willi
cb1745f7a6
unit-tests: add a test case checking if all test vectors have been passed
2013-06-21 10:53:20 +02:00
Martin Willi
e9e4759733
crypto-factory: count the number of test vector failures during registration
2013-06-21 10:53:20 +02:00
Martin Willi
3714979427
unit-tests: load all libstrongswan plugins in test-runner
2013-06-21 10:53:20 +02:00
Tobias Brunner
c0d0391a51
pubkey: Improve comparison of raw public key certificate objects
2013-06-21 10:02:25 +02:00
Martin Willi
ad58246f53
backtrace: use backtrace_symbols() only if we have backtrace() and dladdr() fails
2013-06-19 16:09:31 +02:00
Tobias Brunner
4d04e2c63b
utils: Remove volatile qualifier from refcount_t typedef
...
It's not really required anymore (if it ever was) and may cause compiler
warnings when using the non atomic versions of ref_get/ref_put.
2013-06-19 09:28:30 +02:00
Martin Willi
3160b92adb
utils: ref_get() returns the new value of the reference counter
...
This allows us to use ref_get() for getting unique values.
2013-06-11 15:54:27 +02:00
Martin Willi
fe20f752f1
curl: add an option to fetch bound to a local source address
2013-06-11 15:54:26 +02:00
Martin Willi
0adfffb6dd
fetcher: add missing "continue" when handling FETCH_CALLBACK
2013-06-11 15:54:25 +02:00
Tobias Brunner
f5f7053bcd
leak-detective: Resolve hooked functions during initialization
...
If uses of dlopen(), e.g. when loading plugins, produce errors, an error
string could get allocated dynamically. At this point realloc() might not
yet be resolved and when dlsym() is later called by leak detective to do
so the error string might get freed while leak detective is disabled and
real_free() will be called with a pointer into one of leak detective's
memory blocks instead of a pointer to the block itself, causing a SIGSEGV.
2013-06-11 15:48:26 +02:00
Tobias Brunner
49d7a98f47
Refactored plugin-loader with improved dependency resolution
...
With the new implementation the plugins don't have to be listed in any
special order, dependencies are properly resolved. The order only
matters if two plugins provide the same feature.
2013-06-11 11:18:19 +02:00
Tobias Brunner
da04914933
test-vectors: Use plugin features
2013-06-11 11:18:18 +02:00
Tobias Brunner
17f00db6d6
revocation: Use plugin features with soft dependencies on fetcher and en-/decoding
2013-06-11 11:18:18 +02:00
Tobias Brunner
25da1943b3
padlock: Use plugin features to properly register algorithms
2013-06-11 11:18:18 +02:00
Tobias Brunner
7756c0383e
pkcs11: Use plugin_features_add() in get_features()
2013-06-11 11:18:18 +02:00
Tobias Brunner
886a40d75e
plugin-feature: Added helper function to extend arrays of plugin features
2013-06-11 11:18:18 +02:00
Tobias Brunner
c172a92bfb
constraints: Use plugin features with soft dependency on X.509 decoding
2013-06-11 11:18:18 +02:00
Tobias Brunner
e3bdf03af4
blowfish: Use plugin features to properly register crypter
2013-06-11 11:18:18 +02:00
Tobias Brunner
d895721489
unbound: Use plugin features and provide RESOLVER
2013-06-11 11:18:18 +02:00
Tobias Brunner
f5bd1a5e09
plugin-feature: Add feature for DNSSEC-enabled resolvers
2013-06-11 11:18:18 +02:00
Tobias Brunner
8a6cc1e35f
plugin-feature: Function added to exactly compare plugin features
2013-06-11 11:18:17 +02:00
Tobias Brunner
bde35a6fb2
Suppress log messages during tests
2013-06-11 11:03:13 +02:00
Tobias Brunner
f2eeb54e8b
Remove explicit leak detective checks as these are now done for all tests
2013-06-11 11:03:13 +02:00
Tobias Brunner
95e9915074
Enable leak detective for all test cases
2013-06-11 11:03:13 +02:00
Tobias Brunner
2b4902973b
Added tests for bio_writer_t
2013-06-11 11:03:13 +02:00
Tobias Brunner
eeb73dec79
Ensure buffer in bio_writer_t is properly increased
...
The previous code was problematic if bufsize/increase was smaller than 8
and an u_int64_t was written when the buffer was too small. Also, for
large chunks and small bufsizes realloc() was called several times
instead of just once.
2013-06-11 11:03:13 +02:00
Tobias Brunner
b4029a4aae
Added tests for bio_reader_t
2013-06-11 11:03:13 +02:00
Tobias Brunner
01e15ab5c7
Add getter for the number of leaks to leak_detective_t
2013-06-11 11:03:13 +02:00
Tobias Brunner
80d9a9b722
Added tests for utils/enum.c
2013-06-11 11:03:13 +02:00
Tobias Brunner
9947a1f2f4
Gracefully handle NULL as argument for enum_from_name()
2013-06-11 11:03:13 +02:00
Tobias Brunner
06f6d80245
Additional tests for identification_t added
2013-06-11 11:03:13 +02:00
Tobias Brunner
b1abf22bd0
Fail DN parsing if OID is unterminated
...
This is the case if the last OID is not followed by a = or if the string
starts with a =.
2013-06-11 11:03:12 +02:00
Tobias Brunner
f00c350688
Fix DN printing if last RDN has an empty value
2013-06-11 11:03:12 +02:00
Tobias Brunner
10584df24f
Fix DN parsing if last RDN has an empty value
2013-06-11 11:03:12 +02:00
Tobias Brunner
c04498b608
Fix output of ASN.1 GN
2013-06-11 11:03:12 +02:00
Tobias Brunner
78c37de15a
Use chunk_from_str in identification_from_string
...
We always have a non-empty string in those cases as "" is now handled
as ID_ANY.
2013-06-11 11:03:12 +02:00
Tobias Brunner
c1be5d66cd
Use local variable in chunk_from_str()
...
This allows using strdup() or other string functions as argument
without calling them twice.
2013-06-11 11:03:12 +02:00
Tobias Brunner
456a31e895
Parse empty string as ID_ANY
2013-06-11 11:03:12 +02:00
Tobias Brunner
af67613ed6
Added tests for utils/utils.[ch]
2013-06-11 11:03:12 +02:00
Tobias Brunner
7b91011d6e
Allow memstr() to be called with NULL arguments
2013-06-11 11:03:12 +02:00
Tobias Brunner
438a6693ca
Removed unused clalloc() function
2013-06-11 11:03:12 +02:00
Tobias Brunner
819c02dbc6
timeval_add_ms() fixed
...
1000000us are exactly 1s so.
2013-06-11 11:03:12 +02:00
Tobias Brunner
c2dba63bd4
Additional tests for chunk_t
2013-06-11 11:03:12 +02:00
Tobias Brunner
ab73ae67d3
Also capture coverage data for tests but filter them from the result
...
Otherwise calls from test cases to static inline functions are not captured.
2013-06-11 11:03:12 +02:00
Tobias Brunner
9a8c873e90
Add tests for lib->get|set
2013-06-11 11:03:12 +02:00
Tobias Brunner
0e55270aea
Remove dead code in token enumerator
...
Since we always search for the nearest separator (and strip them from
the front of the next token) there can't be any separators left at the
end of a token.
2013-06-11 11:03:12 +02:00
Tobias Brunner
7e9f6b276b
Additional and improved enumerator_t tests
2013-06-11 11:03:11 +02:00
Tobias Brunner
0713c90927
Test remove and remove_at of hashtable_t if all items are in the same bucket
2013-06-11 11:03:11 +02:00
Tobias Brunner
c721d6b6a3
Add test cases for invoke_* and clone_* of linked_list_t
2013-06-11 11:03:11 +02:00
Tobias Brunner
afb6d9c301
Improve tests for linked_list_t.replace()
2013-06-11 11:03:11 +02:00
Tobias Brunner
cca70ed331
Add additional tests for linked_list_t
2013-06-11 11:03:11 +02:00
Tobias Brunner
bc90b3dd0a
Improved test for linked_list_t.insert_before()
2013-06-11 11:03:11 +02:00
Tobias Brunner
01a3ba9e0f
Enable coverage report for libstrongswan
2013-06-11 11:03:11 +02:00
Tobias Brunner
952073b8a7
Use proper type for enumerator_t/linked_list_t tests
...
Worked with -O2 but not with -O0.
2013-06-11 11:03:11 +02:00
Tobias Brunner
de42bf35f9
Converted test for recursive mutex_t
2013-06-11 11:03:11 +02:00
Tobias Brunner
bed4bc1327
Randomly allocate chunk_hash() key during first use
...
This avoids hash flooding attacks.
2013-06-11 11:03:11 +02:00
Tobias Brunner
d1953fe403
Replace chunk_hash() with output from chunk_mac()
...
The quality is way better, the calculation is a bit slower though.
The key is statically initialized to zero, which will be changed later
to prevent hash flooding.
2013-06-11 11:03:11 +02:00
Tobias Brunner
1255de5a20
Adding chunk_mac() which calculates a 64-bit MAC using SipHash-2-4
2013-06-11 11:03:11 +02:00
Tobias Brunner
4e67f19528
Converted tests for chunk_t
2013-06-11 11:03:11 +02:00
Tobias Brunner
e09461bf77
Converted and added tests for hashtable_t
2013-06-11 11:03:10 +02:00
Tobias Brunner
0298be5705
Converted tests for identification_t
2013-06-11 11:03:10 +02:00
Tobias Brunner
26e8375b14
Add tests combining linked_list_t and enumerators
2013-06-11 11:03:10 +02:00
Tobias Brunner
d3b06618f8
Some minor Doxygen fixes for linked_list_t
2013-06-11 11:03:10 +02:00
Tobias Brunner
ff8f12298f
Add basic tests for linked_list_t
2013-06-11 11:03:10 +02:00
Tobias Brunner
0d67c8329b
Redirect test runner output to stderr
...
This allows redirecting stdout of 'make check' to /dev/null.
2013-06-11 11:03:10 +02:00
Tobias Brunner
f15fcdc9d8
Add tests for enumerator_t
2013-06-11 11:03:10 +02:00
Tobias Brunner
156dcbc12e
Add test runner for unit tests in libstrongswan
2013-06-11 11:03:10 +02:00
Tobias Brunner
5d52087b54
Added missing string for full-length HMAC-SHA512 signer
2013-06-10 11:48:18 +02:00
Martin Willi
bc1c92c9e9
Strictly memwipe_check() for magic only in the affected buffer
...
Passing back the buffer address we memwipe() is not ideal, as it could, in
theory, change the behavior of the compiler and not-optimize memwipe(). But
as checking a larger stack is very difficult for different architectures
and compilers, we do it nonetheless for now.
2013-06-05 15:02:18 +02:00
Tobias Brunner
c480b5f458
Allow memwipe() to be called with NULL argument
2013-05-27 18:41:16 +02:00
Michael Rossberg
5e4b1ad20a
openssl: add support for IP addr blocks in X.509 certificates
2013-05-24 15:09:47 +02:00
Volker Rümelin
f8298b9f98
host-resolver: don't try to resolve a plain v4 address to an IPv6 address
...
Suppress 'Address family for hostname not supported' errors if an IPv6
client connects in a mixed IPv4/IPv6 environment.
2013-05-16 11:03:37 +02:00
Martin Willi
21bade294b
traffic-selector: inet_pton is successful only if it returns 1
2013-05-16 11:01:27 +02:00
Martin Willi
e8b2ce1e72
capabilities: leak-detective using dlsym() does not need CAP_SYS_NICE anymore
2013-05-15 17:20:47 +02:00
Martin Willi
b1bd63547b
capabilities: initialize supplementary groups only when doing a setuid()
2013-05-15 17:20:47 +02:00
Martin Willi
2e9201f4ef
af-alg: fix number of signers after adding untruncated HMAC-SHA-512 (1f2a34d6)
2013-05-15 17:20:36 +02:00
Tobias Brunner
bd538e8c4a
openssl: Only warn about unavailable FIPS mode if the user requested it
2013-05-08 15:23:14 +02:00
Tobias Brunner
904390e887
openssl: Cleanup thread specific error buffer
2013-05-08 15:02:40 +02:00
Tobias Brunner
3ee2af97bf
openssl: Don't use deprecated CRYPTO_set_id_callback() with OpenSSL >= 1.0.0
2013-05-08 15:02:40 +02:00
Tobias Brunner
780900ab0e
openssl: Add PKCS#12 parsing via OpenSSL
2013-05-08 15:02:40 +02:00
Tobias Brunner
651d5ab8e7
openssl: Properly cleanup OpenSSL library
2013-05-08 15:02:40 +02:00
Tobias Brunner
3bd498284e
PEM plugin loads PKCS#12 containers from (DER-encoded) files
...
It is not actually able to handle PEM encoded PKCS#12 files produced
by OpenSSL.
2013-05-08 15:02:40 +02:00