Commit Graph

2687 Commits

Author SHA1 Message Date
Tobias Brunner e8229ad558 iv_gen: Provide external sequence number (IKE, ESP)
This prevents duplicate sequential IVs in case of a HA failover.
2013-10-11 15:55:40 +02:00
Tobias Brunner 50bd28d549 iv_gen: aead_t implementations provide an IV generator 2013-10-11 15:55:40 +02:00
Tobias Brunner b3e1eb2afe iv_gen: Add IV generator that allocates IVs sequentially 2013-10-11 15:55:40 +02:00
Tobias Brunner 53d1f2dbfd iv_gen: Add IV generator that allocates IVs randomly
Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.
2013-10-11 15:55:40 +02:00
Tobias Brunner 403057aa5a crypto: Add generic interface for IV generators 2013-10-11 15:55:40 +02:00
Tobias Brunner b38f7f703b apidoc: Move mac_prf to prf Doxygen group 2013-10-11 15:55:40 +02:00
Tobias Brunner 6ecf1aab35 unbound: Add support for DLV (DNSSEC Lookaside Validation)
Fixes #392.
2013-10-11 15:45:25 +02:00
Tobias Brunner 434e530f75 ipsec_types: Add utility function to parse mark_t from strings 2013-10-11 15:32:44 +02:00
Tobias Brunner b283a6e9ef database: Add support for serializable transactions 2013-10-11 15:29:10 +02:00
Tobias Brunner fad11d602d sqlite: Implement transaction handling 2013-10-11 15:16:05 +02:00
Tobias Brunner f3cb889c9b mysql: Implement transaction handling 2013-10-11 15:16:04 +02:00
Tobias Brunner 947b76cda8 database: Add interface to handle transactions 2013-10-11 15:16:04 +02:00
Tobias Brunner 5f6a40827e mysql: Ensure connections are properly released in multi-threaded environments 2013-10-11 15:16:04 +02:00
Tobias Brunner ec91f15e3b crypto-factory: Try next available RNG implementation if constructor fails 2013-10-11 15:13:25 +02:00
Tobias Brunner 2e22333fbc crypto-factory: Order entries by algorithm identifier and (optionally) speed 2013-10-11 15:13:25 +02:00
Tobias Brunner e2c9a03d15 Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway 2013-10-11 15:13:25 +02:00
Tobias Brunner 3473cbab9c vstr: Forward actual field width
fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.
2013-10-11 15:12:16 +02:00
Martin Willi fc566632da unit-tests: support testing when leak-detective has not been enabled 2013-10-11 15:12:16 +02:00
Martin Willi 795cbb98c6 printf-hook-builtin: Print NaN/Infinity floating point values as such 2013-10-11 11:06:09 +02:00
Martin Willi 8af9bf70f5 printf-hook-builtin: Correctly round up floating point values 2013-10-11 11:06:09 +02:00
Martin Willi edc7a3d02f printf-hook-builtin: Add some preliminary floating point support
This minimalistic implementation has no aspiration for completeness or
accuracy, and just provides what we need.
2013-10-11 11:06:09 +02:00
Martin Willi 7e6a4cdc84 printf-hook-builtin: Support GNU %m specifier 2013-10-11 11:06:09 +02:00
Martin Willi cabe5c0ff4 printf-hook-builtin: Add a new "builtin" backend using its own printf() routines
Overloads printf C library functions by a self-contained implementation,
based on klibc. Does not yet feature all the required default formatters,
including those for floating point values.
2013-10-11 11:06:02 +02:00
Martin Willi ebca34d782 printf-hook: Add some basic printf() string/integer test functions 2013-10-11 11:05:37 +02:00
Martin Willi 243048248b printf-hook: Move glibc/vstr printf hook backends to separate files 2013-10-11 11:05:30 +02:00
Tobias Brunner c8f34ba7b6 openssl: Properly log FIPS mode when enabled via openssl.conf
Enabling FIPS mode twice will fail, so if it is enabled in openssl.conf
it should be disabled in strongswan.conf (or the other way around).

Either way, we should log whether FIPS mode is enabled or not.

References #412.
2013-09-27 09:24:03 +02:00
Tobias Brunner ed72f2d65e printf-hook: Write to output stream instead of the FD directly when using Vstr
This avoids problems when other stdio functions are used (fputs,
fwrite) as writes via Vstr/FD were always unbuffered.
2013-09-24 08:44:00 +02:00
Tobias Brunner 075e80368b sshkey: Add support for parsing keys from files 2013-09-13 15:23:49 +02:00
Tobias Brunner b2a5317596 sshkey: Add encoding for ECDSA keys 2013-09-13 15:23:49 +02:00
Tobias Brunner d6b3cc87ca openssl: Add support for generic encoding of EC public keys 2013-09-13 15:23:49 +02:00
Tobias Brunner f40e9f4d16 sshkey: Add encoder for RSA keys 2013-09-13 15:23:49 +02:00
Tobias Brunner 3b939e20a9 openssl: Add generic RSA public key encoding 2013-09-13 15:23:49 +02:00
Tobias Brunner b5cc7053c8 openssl: Add helper function to convert BIGNUMs to chunks 2013-09-13 15:23:49 +02:00
Tobias Brunner 9af44ef5d9 Build all shared libraries with -no-undefined and link them properly
The flag is required to convince libtool on Cygwin to build DLLs. But on
Windows these shared libraries can not have undefined symbols, so we have to
link them explicitly to the libraries they reference.

For plugins this is currently not done, so only the monolithic build is
supported.  The plugin loader wouldn't be able to load DLLs anyway, as
it tries to load files that don't exist on Cygwin.
2013-09-12 01:44:49 +02:00
Tobias Brunner bf32cdfbf6 tun_device: Add warning if TUN devices are not supported by platform 2013-09-12 01:44:49 +02:00
Andreas Steffen 7bda0f0c8b Added tzset memory leak to whitelist 2013-08-28 22:51:17 +02:00
Tobias Brunner f0c54e8c15 chunk: Print chunks without separator if + modifier is used 2013-08-24 16:22:51 +02:00
Tobias Brunner 32a145fdbd utils: Add case-insensitive version of strpfx() 2013-08-24 16:22:51 +02:00
Martin Willi a24515c515 backtrace: rename clone() method clashing with system call
Fixes #376.
2013-08-09 09:13:39 +02:00
Tobias Brunner ed0efaef4c host: Properly initialize struct sockaddr_in[6] when parsing strings
Otherwise struct members like sin6_flowinfo or sin6_scope_id might be
set to bogus values.
2013-07-31 22:16:58 +02:00
Tobias Brunner b3393c88c1 asn1: Fix handling of invalid ASN.1 length in is_asn1()
Fixes CVE-2013-5018.
2013-07-31 22:16:58 +02:00
Martin Willi 83a0b74da8 keychain: be less verbose when loading certificates 2013-07-31 11:41:16 +02:00
Martin Willi 84044f9c73 utils: add round_up/down() helper functions 2013-07-29 09:00:48 +02:00
Tobias Brunner 1f2d9c7688 watcher: Made notify array initialization compatible with older GCC versions 2013-07-25 16:57:42 +02:00
Tobias Brunner ebb4ad1baa unit-tests: Add additional tests for host_t 2013-07-25 11:28:26 +02:00
Tobias Brunner 116363e5c6 array: Number of items in get_size() is unsigned
Otherwise, array->esize is promoted to int and if array->esize * num
results in a value > 0x7fffffff the return value would be incorrect due to
the implicit sign extension when getting cast to size_t.
2013-07-25 11:28:01 +02:00
Tobias Brunner d7dc4fedd1 stream: Ensure UNIX socket path is null terminated 2013-07-24 16:17:23 +02:00
Tobias Brunner cfca183d55 pkcs5: Add missing break statements when checking crypto primitives 2013-07-24 16:17:22 +02:00
Tobias Brunner 5baec6448d unit-tests: Add test for host_create_netmask() 2013-07-24 16:17:21 +02:00
Tobias Brunner 6e2ec33f9d host: Prevent overflow in host_create_netmask() if mask is 0 or 32/128 2013-07-24 16:17:03 +02:00
Tobias Brunner cfdd23b967 capabilities: Proper error handling when reading groups 2013-07-24 10:54:26 +02:00
Martin Willi dcd5129c25 processor: force synchronous execute_job() if set_threads(0) has been called
During daemon shutdown, some idle threads might be lingering around even if
set_threads(0) already has been called. To avoid any races, we enforce
synchronous execution of the job.
2013-07-19 15:30:22 +02:00
Tobias Brunner 8f1b44b40c keychain: Use AM_CPPFLAGS instead of INCLUDES 2013-07-19 09:01:39 +02:00
Tobias Brunner 0ceb288815 Fix various API doc issues and typos
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Martin Willi cb6c4e0430 identification: parse identities having a "@@" prefix as ID_RFC822_ADDR
Original patch by Gerald Richter.
2013-07-18 16:45:10 +02:00
Martin Willi b4b3959b22 stream-service: move CAP_CHOWN check from plugins to service constructor
A plugin service can be a TCP socket now, so it does not make much sense
to strictly check for CAP_CHOWN.
2013-07-18 16:00:31 +02:00
Martin Willi 1897dd730f processor: remove the now unused get_threads() method again 2013-07-18 16:00:31 +02:00
Martin Willi ea009869e9 watcher: use processor's new execute_job() to notify FDs
Just queueing is problematic, as all threads might be busy waiting for events
that the queued (but never executed) job delivers.
2013-07-18 16:00:31 +02:00
Martin Willi 6653e6c13e processor: add an execute_job() method to directly execute an important job
If all worker threads are busy and waiting for an event, we must ensure that
a job delivering that event gets executed. This new method has this property
for CRITICAL jobs, using a worker if we have one, but executing the job directly
if not.
2013-07-18 16:00:31 +02:00
Martin Willi 55240835b0 watcher: properly support multiple watch callback types for the same FD 2013-07-18 16:00:31 +02:00
Martin Willi d0c25a3f23 watcher: read multiple notifications if available
Use non-blocking I/O on the read end of the notify pipe. This also makes sure
the read does not block should select() signal data while there is none.
2013-07-18 16:00:31 +02:00
Martin Willi 4d7a762871 credmgr: introduce a hook function to catch trust chain validation errors 2013-07-18 16:00:30 +02:00
Martin Willi 4701929266 stream: allow async read/write callback to destroy the stream explicitly 2013-07-18 16:00:29 +02:00
Martin Willi c9d1742b5d stream: don't close underlying socket when creating a stream from it 2013-07-18 16:00:29 +02:00
Martin Willi 58d0dadddc watcher: add some debugging statements 2013-07-18 16:00:29 +02:00
Martin Willi 91a2ae644c watcher: if the processor has no threads, execute the job with watcher thread
This is important during shutdown, where we might need to signal some FDs while
all idle threads are gone already.
2013-07-18 16:00:29 +02:00
Martin Willi 50720d7ce9 processor: add a getter for the threads passed to set_threads() 2013-07-18 16:00:29 +02:00
Martin Willi a0e3a7363f watcher: unregister a watcher FD if its thread gets cancelled 2013-07-18 16:00:29 +02:00
Martin Willi a558ba16f3 watcher: release threads waiting in remove() when watcher thread gets cancelled
During daemon shutdown, users might call remove() after processor.set_threads(0)
has been called. This gets problematic, as a watch event might be unable
to signal completion when no threads are available anymore. Work around this
issue by cancelling waiters once processor.cancel() has been called.
2013-07-18 16:00:29 +02:00
Martin Willi e6e8a2b2e0 stream: support keeping the service alive outside of service callback 2013-07-18 16:00:28 +02:00
Martin Willi d57b9e7c82 stream: add read/write_all() methods to stream 2013-07-18 16:00:28 +02:00
Martin Willi 1d1ef9e7ca stream: support cancellation of stream service callback 2013-07-18 16:00:28 +02:00
Martin Willi 047a190600 stream: use a service constructor to create services
It does not make much sense to reference running services in the manager,
especially as unregistration would need the URI (which a user would have to
store instead of the service reference).
2013-07-18 16:00:28 +02:00
Martin Willi fbdc65debb stream: replace print/vprint() convenience functions by a FILE* getter
While this will complicate the implementation of streams not based on a fd,
it allows us to unleash the full power of FILE based convenience functions.
2013-07-18 16:00:28 +02:00
Martin Willi 70d1ccec96 stream: add a concurrency option to services, limiting parallel callbacks 2013-07-18 16:00:28 +02:00
Martin Willi db0e160ba2 stream: add a job priority option to stream services 2013-07-18 16:00:28 +02:00
Martin Willi 441bb9e7b7 stream: add backlog option to stream services, forward to listen() 2013-07-18 16:00:28 +02:00
Martin Willi c5597a4b56 stream: add support for TCP stream services 2013-07-18 16:00:28 +02:00
Martin Willi db1c8aa460 stream: add support for TCP streams 2013-07-18 16:00:28 +02:00
Martin Willi f04746d9b4 stream: add support for UNIX stream services 2013-07-18 16:00:28 +02:00
Martin Willi b785cfe05b stream: add support for UNIX streams 2013-07-18 16:00:28 +02:00
Martin Willi c1fd8c22ce stream: support async operation using watcher 2013-07-18 16:00:28 +02:00
Martin Willi 7a23588195 stream: add printf()-style convenience functions 2013-07-18 16:00:28 +02:00
Martin Willi 2ba276017d stream: create library instance of stream-manager 2013-07-18 16:00:28 +02:00
Martin Willi d6ff53940f stream: add a manager to dynamically register streams and services 2013-07-18 16:00:28 +02:00
Martin Willi daf1880b39 stream: add a stream service class abstracting services using BSD sockets 2013-07-18 16:00:27 +02:00
Martin Willi b6b940001a stream: add a stream class abstracting BSD sockets
Currently only synchronous operation is supported, but this will be extended
with asynchronous methods using the new watcher.
2013-07-18 16:00:27 +02:00
Martin Willi 32b2a5e04b watcher: add a centralized and generic facility to monitor file descriptors 2013-07-18 16:00:27 +02:00
Tobias Brunner 027676f750 capabilities: Add function to check if a capability is held, without keeping it
This can be useful if capabilities are not required anymore after
dropping privileges.
2013-07-18 15:25:35 +02:00
Martin Willi 19cb07b890 automake: replace INCLUDES by AM_CPPFLAGS
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
2013-07-18 14:59:19 +02:00
Martin Willi 2d5a20061a soup: omit deprecated g_type_init() when using >= GLIB 2.36 2013-07-18 14:20:57 +02:00
Martin Willi 55dacbfac2 keychain: flush certificate cache after reloading System keychain 2013-07-18 12:17:54 +02:00
Martin Willi 57dce77ba6 keychain: monitor changes in the system keychain, reload when necessary 2013-07-18 12:17:54 +02:00
Martin Willi dcd8bdde4f keychain: use SearchCopyNext keychain enumeration for System certs as well
SecItemCopyMatching seems to be problematic regarding memory management. And
as there does not seem to be a good alternative to enumerate the System Roots
keychain using the SecItemCopyMatching API, we stick to the deprecated
enumeration functions for now.
2013-07-18 12:17:54 +02:00
Martin Willi 0bdd453392 keychain: load certificates from System Roots Keychain 2013-07-18 12:17:54 +02:00
Martin Willi bc6c7bf39e keychain: load certificates only once during startup, improving performance 2013-07-18 12:17:54 +02:00
Martin Willi 6f00ddb90c keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-07-18 12:17:54 +02:00
Martin Willi 7b8edabd8a keychain: add a stub for a credential plugin using OS X Keychain Services 2013-07-18 12:17:54 +02:00
Martin Willi 5d36f04ee2 credmgr: stop querying for secrets once we get a perfect match 2013-07-18 12:17:54 +02:00
Martin Willi 69039e83f8 credmgr: don't use pointers for id_match_t enum values 2013-07-18 12:17:54 +02:00
Martin Willi c3e7b3de0b openssl: parse X.509 extended key usage from extension parsing loop
Otherwise parsing gets aborted if unknown critical extensions are handled as
error.
2013-07-18 12:17:53 +02:00
Martin Willi 3f55f203ee openssl: show which critical X.509 extension is not supported 2013-07-18 12:17:53 +02:00
Martin Willi 437a6feb07 hashtable: add common hashtable hash/equals functions for pointer/string keys 2013-07-18 12:17:53 +02:00
Martin Willi 01c0267778 thread: implicitly create thread_t if an external thread calls thread_current() 2013-07-18 12:17:53 +02:00
Tobias Brunner 84693a3d79 linked-list: Remove barely used has_more() method
This required some refactoring when handling encrypted payloads.

Also changed log messages so that "encrypted payload" is logged instead
of "encryption payload" (even if we internally still call it that) as
that's the name used in RFC 5996.
2013-07-17 17:42:53 +02:00
Tobias Brunner 1a9528f916 linked-list: Don't require an argument for the item when enumerating 2013-07-17 17:42:53 +02:00
Tobias Brunner cf4172637a linked-list: Remove unused clone_function() method 2013-07-17 17:42:53 +02:00
Tobias Brunner 0f3ddbd189 linked-list: Remove barely used find_last() method 2013-07-17 17:42:53 +02:00
Tobias Brunner be3c09d020 linked-list: Remove unused replace() method
Its functionality can be replicated by calling insert_before() followed
by remove_at().  Not the other way around, though, because remove_at()
changes the enumerator position.
2013-07-17 17:42:53 +02:00
Martin Willi 926776ec80 auth-cfg: use array instead of linked list
Saves another 4 linked lists (1KB) per IKE_SA
2013-07-17 17:20:18 +02:00
Martin Willi 4730c4b32b unit-tests: implement tests for array collection 2013-07-17 17:20:17 +02:00
Martin Willi 2621ff4d40 array: introduce an array collection storing elements very efficiently
Currently we use the very versatile linked-list collection to store elements
with variable count. This is fine, but very inefficient: Due to the many
methods in the linked list, on 64-bit platforms an empty list alone is more
than 200 bytes. As we currently have about 50 lists per IKE_SA/CHILD_SA pair,
this takes up to 10KB just for managing the empty lists. This is about the
half of memory used by an IKE_SA/CHILD_SA pair, and obviously way too much.

The new array type is not an object, but a collection of functions on an
abstract type.

The following lists are per IKE_SA and should be considered for a replacement
with more efficient arrays (this uses load-testers on-demand created dynamic
configurations, other scenarios have different lists):

14 -> ike_sa_create() @ src/libcharon/sa/ike_sa.c:2198
10 -> auth_cfg_create() @ src/libstrongswan/credentials/auth_cfg.c:1088
 6 -> task_manager_v2_create() @ src/libcharon/sa/ikev2/task_manager_v2.c:1505
 6 -> proposal_create() @ src/libcharon/config/proposal.c:592
 5 -> peer_cfg_create() @ src/libcharon/config/peer_cfg.c:657
 4 -> child_sa_create() @ src/libcharon/sa/child_sa.c:1090
 2 -> child_cfg_create() @ src/libcharon/config/child_cfg.c:536
 1 -> ike_cfg_create() @ src/libcharon/config/ike_cfg.c:330
 1 -> put_connected_peers() @ src/libcharon/sa/ike_sa_manager.c:854
2013-07-17 17:20:17 +02:00
Tobias Brunner e0b868f79e pkcs12: Add plugin dependencies with soft dependencies on the most common algorithms 2013-07-15 10:48:19 +02:00
Martin Willi 1e54e40f5d leak-detective: remove hdr entry when reallocating zero bytes 2013-07-12 20:00:16 +02:00
Martin Willi c93cf85356 leak-detective: print total of allocated/leaked bytes in usage/report 2013-07-12 20:00:14 +02:00
Andreas Steffen 126778679f Recognize critical IssuingDistributionPoint CRL extension 2013-07-12 09:00:47 +02:00
Martin Willi 81959e6406 leak-detective: add a usage threshold option based on the number of allocations 2013-07-10 17:28:45 +02:00
Martin Willi 82d0317be6 leak-detective: set_state() only affects the calling thread
The only user (bfd backtraces) is fine with that, and we really should not
mess the enable flag while doing allocations with other threads.
2013-07-10 17:28:32 +02:00
Martin Willi f960b39061 leak-detective: take a copy of backtrace while printing traces
As we don't want to hold the lock, we must make sure backtraces keep valid
while printing them.
2013-07-10 17:28:24 +02:00
Martin Willi d9c459e855 backtrace: add a clone() method 2013-07-10 17:28:18 +02:00
Martin Willi 3b26f04cf4 leak-detective: remove hdr from the allocation list during realloc()
If realloc moves an allocation, the original allocation gets freed. We
therefore must remove the hdr from the list, as it is invalid. We can add it
afterwards once it has been updated, allowing us to unlock the list during
reallocation.
2013-07-10 16:37:08 +02:00
Tobias Brunner d27f225d9a Use strpfx() helper where appropriate 2013-07-08 18:49:30 +02:00
Tobias Brunner f460facdca utils: Add helper function to check a string for a given prefix 2013-07-08 18:49:30 +02:00
Tobias Brunner 985dcab1c2 utils: Convert string helper macros to static inline functions 2013-07-08 18:49:29 +02:00
Martin Willi 324b90cc46 openssl: RAND_pseudo_bytes() returns 0 if bytes are not cryptographically strong
For our purposes with RNG_WEAK this is fine, so accept a zero return value.
2013-07-04 11:09:54 +02:00
Tobias Brunner b1b0cce396 processor: Simplified the main loop 2013-06-28 17:02:06 +02:00
Tobias Brunner 6ca25ccc04 processor: Don't hold the lock while destroying jobs
If a lock is held when queue_job() is called and the same lock is
required during the destruction of a job, holding the internal lock
in the processor while calling destroy() could result in a deadlock.
2013-06-28 17:02:05 +02:00
Tobias Brunner f95205f580 integrity-checker: Use chunk_hash_static() to calculate checksums 2013-06-28 17:00:29 +02:00
Tobias Brunner ed235dbbf2 chunk: Add predictable hash function
Since chunk_hash() is randomized its output is not predictable, that is,
it is only within the same process.
2013-06-28 17:00:29 +02:00
Tobias Brunner b18a531715 plugin-loader: Removed unused path argument of load() method
Multiple additional search paths can be added with the add_path()
method.
2013-06-28 10:44:15 +02:00
Tobias Brunner 75ff252324 integrity-checker: Fix checksum calculation after randomizing chunk_hash() 2013-06-27 15:34:08 +02:00
Tobias Brunner fcc33c0cd4 unit-tests: Print loaded plugins 2013-06-27 11:27:13 +02:00
Tobias Brunner a6357a62b4 unit-tests: RSA key generation might take longer than 4 seconds
Check uses a default timeout of 4 seconds for each test case, generating
keys of 6 different key sizes might take longer than that.
2013-06-27 11:06:47 +02:00
Tobias Brunner 65d23c7c90 tests: Properly load plugins from build directory
Calling load() incrementally does not really work as dependencies
wouldn't be resolved properly if a required feature was to be provided
by a plugin that is loaded later with a separate call to load().
2013-06-27 11:06:47 +02:00
Tobias Brunner f2086e42ff plugin-loader: Method added to provide additional search paths for plugins 2013-06-27 10:27:24 +02:00
Tobias Brunner ac2ffde4ae capabilities: Return effective UID/GID if user did not configure anything 2013-06-25 17:16:33 +02:00
Tobias Brunner 5e80e387bd capabilities: Report effective UID/GID after dropping capabilities 2013-06-25 17:16:33 +02:00
Tobias Brunner 1937538440 capabilities: Handle CAP_CHOWN specially as it might not be required 2013-06-25 17:16:33 +02:00
Tobias Brunner 9c354c659f capabilities: Check effective UID as fallback if capabilities are not supported 2013-06-25 17:16:33 +02:00
Tobias Brunner 6f15f5e632 dhcp: Require CAP_NET_BIND_SERVICE and CAP_NET_RAW to open/bind sockets 2013-06-25 17:16:32 +02:00
Tobias Brunner 1dd61bf13d socket-default: Require CAP_NET_BIND_SERVICE for ports < 1024
Since we don't know which ports are used with socket-dynamic we can't
demand the capability there, but it might still be required.
2013-06-25 17:16:32 +02:00
Tobias Brunner 41b8546ac0 capabilities: Only plugins that require CAP_NET_ADMIN demand it
The daemon as such does not require this capability.
2013-06-25 17:16:32 +02:00
Tobias Brunner a2eb581781 capabilities: Move global capabilities_t instance to libstrongswan 2013-06-25 17:16:32 +02:00
Tobias Brunner 2e21bac19a capabilities: Ensure required capabilities are actually held by the process/user 2013-06-25 17:16:32 +02:00
Tobias Brunner 66aaabf342 tun-device: Packets sent over utun devices on Mac OS X have the protocol family prepended 2013-06-21 17:03:21 +02:00
Tobias Brunner c8a56512a6 tun-device: Avoid opening /dev/tunX multiple times (e.g. on FreeBSD) 2013-06-21 17:03:21 +02:00
Tobias Brunner 0d2ad63fe2 printf-hook: Avoid double-free when freeing Vstr config
Thread-specific objects get freed when the thread value object is
destroyed (wasn't the case earlier, i.e. before 2b19dd35), which
may cause the second call to vstr_free_conf() to fail in an assert
in Vstr (depending on how it was built).
2013-06-21 17:03:20 +02:00
Tobias Brunner 0d25c4ef87 plugin-loader: Move logging of failed features to status()
Still log an error message if critical features fail, as loaded
plugins/features are not logged in that case.

This way loaded plugins are printed before failed features and
the relation is easier to make for users.  It also allows programs
to log this message on a different level.
2013-06-21 15:22:46 +02:00
Tobias Brunner 607f8e9906 plugin-loader: Add method to print loaded plugins on a given log level 2013-06-21 15:17:53 +02:00
Tobias Brunner 34ee14dd28 plugin-loader: Collect statistics while loading features, print them in case features failed to load
There is no need to explicitly search for failed features in critical
plugins as this is now detected while loading the features.
2013-06-21 15:13:25 +02:00
Tobias Brunner 681e53c70c plugin-loader: Use different log level if failed feature is in critical plugin 2013-06-21 15:13:25 +02:00
Tobias Brunner 13d2d8f634 plugin-loader: Log message when failing to load plugin 2013-06-21 15:13:25 +02:00
Tobias Brunner 51b9d7513d plugin-loader: Reduce verbosity while loading plugins 2013-06-21 15:13:25 +02:00
Martin Willi 092550b03a leak-detective: (re-)whitelist some OpenSSL functions
Some static allocations in plugins won't get freed, because in the test case
process the plugins are not destroyed. If a plugin would clean up allocations
done while just using the plugin, these show up as leak in the child process,
letting tests fail.
2013-06-21 10:53:23 +02:00
Martin Willi ef687db734 unit-tests: load plugins in test-runner from build directory 2013-06-21 10:53:23 +02:00
Martin Willi b950fc48da unit-tests: link test-runner against -lpthread 2013-06-21 10:53:23 +02:00
Martin Willi df1a1a0901 unit-tests: add RSA test cases, very similar to ECDSA 2013-06-21 10:53:23 +02:00
Martin Willi eabf4af0f8 unit-tests: test with /dev/urandom if random plugin is in use 2013-06-21 10:53:22 +02:00
Martin Willi d0c09c84a5 unit-tests: test supported ECDSA schemes only 2013-06-21 10:53:22 +02:00
Martin Willi 2bedb0f270 Move test-runners has_feature() function to plugin loader 2013-06-21 10:53:22 +02:00
Martin Willi df76881f11 unit-tests: enforce CET/CEST timezone to properly test non-UTC time formatting 2013-06-21 10:53:22 +02:00
Martin Willi 44886a0667 unit-tests: don't use ck_assert() to test a cleared chunk, as it allocates data
The new allocation might be in the freed area, affecting the test result.
2013-06-21 10:53:22 +02:00
Martin Willi 52bff13848 unit-tests: define 64-bit constants with ULL, fixing compiler warning on 32-bit 2013-06-21 10:53:22 +02:00
Martin Willi a88cab095d unit-tests: test some zeroed ECDSA signatures that never should succeed 2013-06-21 10:53:21 +02:00
Martin Willi 7e23f53242 unit-tests: perform signing/validation with ECDSA keys generated or loaded 2013-06-21 10:53:21 +02:00
Martin Willi eabb0befdc unit-tests: add an ECDSA test case loading keys 2013-06-21 10:53:21 +02:00
Martin Willi d18ff88faf unit-tests: perform a first ECDSA test case if ECDSA is supported 2013-06-21 10:53:21 +02:00
Martin Willi 200f38ad4c unit-tests: add a helper function checking if a plugin feature is available 2013-06-21 10:53:21 +02:00
Martin Willi cb1745f7a6 unit-tests: add a test case checking if all test vectors have been passed 2013-06-21 10:53:20 +02:00
Martin Willi e9e4759733 crypto-factory: count the number of test vector failures during registration 2013-06-21 10:53:20 +02:00
Martin Willi 3714979427 unit-tests: load all libstrongswan plugins in test-runner 2013-06-21 10:53:20 +02:00
Tobias Brunner c0d0391a51 pubkey: Improve comparison of raw public key certificate objects 2013-06-21 10:02:25 +02:00
Martin Willi ad58246f53 backtrace: use backtrace_symbols() only if we have backtrace() and dladdr() fails 2013-06-19 16:09:31 +02:00
Tobias Brunner 4d04e2c63b utils: Remove volatile qualifier from refcount_t typedef
It's not really required anymore (if it ever was) and may cause compiler
warnings when using the non atomic versions of ref_get/ref_put.
2013-06-19 09:28:30 +02:00
Martin Willi 3160b92adb utils: ref_get() returns the new value of the reference counter
This allows us to use ref_get() for getting unique values.
2013-06-11 15:54:27 +02:00
Martin Willi fe20f752f1 curl: add an option to fetch bound to a local source address 2013-06-11 15:54:26 +02:00
Martin Willi 0adfffb6dd fetcher: add missing "continue" when handling FETCH_CALLBACK 2013-06-11 15:54:25 +02:00
Tobias Brunner f5f7053bcd leak-detective: Resolve hooked functions during initialization
If uses of dlopen(), e.g. when loading plugins, produce errors, an error
string could get allocated dynamically.  At this point realloc() might not
yet be resolved and when dlsym() is later called by leak detective to do
so the error string might get freed while leak detective is disabled and
real_free() will be called with a pointer into one of leak detective's
memory blocks instead of a pointer to the block itself, causing a SIGSEGV.
2013-06-11 15:48:26 +02:00
Tobias Brunner 49d7a98f47 Refactored plugin-loader with improved dependency resolution
With the new implementation the plugins don't have to be listed in any
special order, dependencies are properly resolved.  The order only
matters if two plugins provide the same feature.
2013-06-11 11:18:19 +02:00
Tobias Brunner da04914933 test-vectors: Use plugin features 2013-06-11 11:18:18 +02:00
Tobias Brunner 17f00db6d6 revocation: Use plugin features with soft dependencies on fetcher and en-/decoding 2013-06-11 11:18:18 +02:00
Tobias Brunner 25da1943b3 padlock: Use plugin features to properly register algorithms 2013-06-11 11:18:18 +02:00
Tobias Brunner 7756c0383e pkcs11: Use plugin_features_add() in get_features() 2013-06-11 11:18:18 +02:00
Tobias Brunner 886a40d75e plugin-feature: Added helper function to extend arrays of plugin features 2013-06-11 11:18:18 +02:00
Tobias Brunner c172a92bfb constraints: Use plugin features with soft dependency on X.509 decoding 2013-06-11 11:18:18 +02:00
Tobias Brunner e3bdf03af4 blowfish: Use plugin features to properly register crypter 2013-06-11 11:18:18 +02:00
Tobias Brunner d895721489 unbound: Use plugin features and provide RESOLVER 2013-06-11 11:18:18 +02:00
Tobias Brunner f5bd1a5e09 plugin-feature: Add feature for DNSSEC-enabled resolvers 2013-06-11 11:18:18 +02:00
Tobias Brunner 8a6cc1e35f plugin-feature: Function added to exactly compare plugin features 2013-06-11 11:18:17 +02:00
Tobias Brunner bde35a6fb2 Suppress log messages during tests 2013-06-11 11:03:13 +02:00
Tobias Brunner f2eeb54e8b Remove explicit leak detective checks as these are now done for all tests 2013-06-11 11:03:13 +02:00
Tobias Brunner 95e9915074 Enable leak detective for all test cases 2013-06-11 11:03:13 +02:00
Tobias Brunner 2b4902973b Added tests for bio_writer_t 2013-06-11 11:03:13 +02:00
Tobias Brunner eeb73dec79 Ensure buffer in bio_writer_t is properly increased
The previous code was problematic if bufsize/increase was smaller than 8
and an u_int64_t was written when the buffer was too small.  Also, for
large chunks and small bufsizes realloc() was called several times
instead of just once.
2013-06-11 11:03:13 +02:00
Tobias Brunner b4029a4aae Added tests for bio_reader_t 2013-06-11 11:03:13 +02:00
Tobias Brunner 01e15ab5c7 Add getter for the number of leaks to leak_detective_t 2013-06-11 11:03:13 +02:00
Tobias Brunner 80d9a9b722 Added tests for utils/enum.c 2013-06-11 11:03:13 +02:00
Tobias Brunner 9947a1f2f4 Gracefully handle NULL as argument for enum_from_name() 2013-06-11 11:03:13 +02:00
Tobias Brunner 06f6d80245 Additional tests for identification_t added 2013-06-11 11:03:13 +02:00
Tobias Brunner b1abf22bd0 Fail DN parsing if OID is unterminated
This is the case if the last OID is not followed by a = or if the string
starts with a =.
2013-06-11 11:03:12 +02:00
Tobias Brunner f00c350688 Fix DN printing if last RDN has an empty value 2013-06-11 11:03:12 +02:00
Tobias Brunner 10584df24f Fix DN parsing if last RDN has an empty value 2013-06-11 11:03:12 +02:00
Tobias Brunner c04498b608 Fix output of ASN.1 GN 2013-06-11 11:03:12 +02:00
Tobias Brunner 78c37de15a Use chunk_from_str in identification_from_string
We always have a non-empty string in those cases as "" is now handled
as ID_ANY.
2013-06-11 11:03:12 +02:00
Tobias Brunner c1be5d66cd Use local variable in chunk_from_str()
This allows using strdup() or other string functions as argument
without calling them twice.
2013-06-11 11:03:12 +02:00
Tobias Brunner 456a31e895 Parse empty string as ID_ANY 2013-06-11 11:03:12 +02:00
Tobias Brunner af67613ed6 Added tests for utils/utils.[ch] 2013-06-11 11:03:12 +02:00
Tobias Brunner 7b91011d6e Allow memstr() to be called with NULL arguments 2013-06-11 11:03:12 +02:00
Tobias Brunner 438a6693ca Removed unused clalloc() function 2013-06-11 11:03:12 +02:00
Tobias Brunner 819c02dbc6 timeval_add_ms() fixed
1000000us are exactly 1s so.
2013-06-11 11:03:12 +02:00
Tobias Brunner c2dba63bd4 Additional tests for chunk_t 2013-06-11 11:03:12 +02:00
Tobias Brunner ab73ae67d3 Also capture coverage data for tests but filter them from the result
Otherwise calls from test cases to static inline functions are not captured.
2013-06-11 11:03:12 +02:00
Tobias Brunner 9a8c873e90 Add tests for lib->get|set 2013-06-11 11:03:12 +02:00
Tobias Brunner 0e55270aea Remove dead code in token enumerator
Since we always search for the nearest separator (and strip them from
the front of the next token) there can't be any separators left at the
end of a token.
2013-06-11 11:03:12 +02:00
Tobias Brunner 7e9f6b276b Additional and improved enumerator_t tests 2013-06-11 11:03:11 +02:00
Tobias Brunner 0713c90927 Test remove and remove_at of hashtable_t if all items are in the same bucket 2013-06-11 11:03:11 +02:00
Tobias Brunner c721d6b6a3 Add test cases for invoke_* and clone_* of linked_list_t 2013-06-11 11:03:11 +02:00
Tobias Brunner afb6d9c301 Improve tests for linked_list_t.replace() 2013-06-11 11:03:11 +02:00
Tobias Brunner cca70ed331 Add additional tests for linked_list_t 2013-06-11 11:03:11 +02:00
Tobias Brunner bc90b3dd0a Improved test for linked_list_t.insert_before() 2013-06-11 11:03:11 +02:00
Tobias Brunner 01a3ba9e0f Enable coverage report for libstrongswan 2013-06-11 11:03:11 +02:00
Tobias Brunner 952073b8a7 Use proper type for enumerator_t/linked_list_t tests
Worked with -O2 but not with -O0.
2013-06-11 11:03:11 +02:00
Tobias Brunner de42bf35f9 Converted test for recursive mutex_t 2013-06-11 11:03:11 +02:00
Tobias Brunner bed4bc1327 Randomly allocate chunk_hash() key during first use
This avoids hash flooding attacks.
2013-06-11 11:03:11 +02:00
Tobias Brunner d1953fe403 Replace chunk_hash() with output from chunk_mac()
The quality is way better, the calculation is a bit slower though.

The key is statically initialized to zero, which will be changed later
to prevent hash flooding.
2013-06-11 11:03:11 +02:00
Tobias Brunner 1255de5a20 Adding chunk_mac() which calculates a 64-bit MAC using SipHash-2-4 2013-06-11 11:03:11 +02:00
Tobias Brunner 4e67f19528 Converted tests for chunk_t 2013-06-11 11:03:11 +02:00
Tobias Brunner e09461bf77 Converted and added tests for hashtable_t 2013-06-11 11:03:10 +02:00
Tobias Brunner 0298be5705 Converted tests for identification_t 2013-06-11 11:03:10 +02:00
Tobias Brunner 26e8375b14 Add tests combining linked_list_t and enumerators 2013-06-11 11:03:10 +02:00
Tobias Brunner d3b06618f8 Some minor Doxygen fixes for linked_list_t 2013-06-11 11:03:10 +02:00
Tobias Brunner ff8f12298f Add basic tests for linked_list_t 2013-06-11 11:03:10 +02:00
Tobias Brunner 0d67c8329b Redirect test runner output to stderr
This allows redirecting stdout of 'make check' to /dev/null.
2013-06-11 11:03:10 +02:00
Tobias Brunner f15fcdc9d8 Add tests for enumerator_t 2013-06-11 11:03:10 +02:00
Tobias Brunner 156dcbc12e Add test runner for unit tests in libstrongswan 2013-06-11 11:03:10 +02:00
Tobias Brunner 5d52087b54 Added missing string for full-length HMAC-SHA512 signer 2013-06-10 11:48:18 +02:00
Martin Willi bc1c92c9e9 Strictly memwipe_check() for magic only in the affected buffer
Passing back the buffer address we memwipe() is not ideal, as it could, in
theory, change the behavior of the compiler and not-optimize memwipe(). But
as checking a larger stack is very difficult for different architectures
and compilers, we do it nonetheless for now.
2013-06-05 15:02:18 +02:00
Tobias Brunner c480b5f458 Allow memwipe() to be called with NULL argument 2013-05-27 18:41:16 +02:00
Michael Rossberg 5e4b1ad20a openssl: add support for IP addr blocks in X.509 certificates 2013-05-24 15:09:47 +02:00
Volker Rümelin f8298b9f98 host-resolver: don't try to resolve a plain v4 address to an IPv6 address
Suppress 'Address family for hostname not supported' errors if an IPv6
client connects in a mixed IPv4/IPv6 environment.
2013-05-16 11:03:37 +02:00
Martin Willi 21bade294b traffic-selector: inet_pton is successful only if it returns 1 2013-05-16 11:01:27 +02:00
Martin Willi e8b2ce1e72 capabilities: leak-detective using dlsym() does not need CAP_SYS_NICE anymore 2013-05-15 17:20:47 +02:00
Martin Willi b1bd63547b capabilities: initialize supplementary groups only when doing a setuid() 2013-05-15 17:20:47 +02:00
Martin Willi 2e9201f4ef af-alg: fix number of signers after adding untruncated HMAC-SHA-512 (1f2a34d6) 2013-05-15 17:20:36 +02:00
Tobias Brunner bd538e8c4a openssl: Only warn about unavailable FIPS mode if the user requested it 2013-05-08 15:23:14 +02:00
Tobias Brunner 904390e887 openssl: Cleanup thread specific error buffer 2013-05-08 15:02:40 +02:00
Tobias Brunner 3ee2af97bf openssl: Don't use deprecated CRYPTO_set_id_callback() with OpenSSL >= 1.0.0 2013-05-08 15:02:40 +02:00
Tobias Brunner 780900ab0e openssl: Add PKCS#12 parsing via OpenSSL 2013-05-08 15:02:40 +02:00
Tobias Brunner 651d5ab8e7 openssl: Properly cleanup OpenSSL library 2013-05-08 15:02:40 +02:00
Tobias Brunner 3bd498284e PEM plugin loads PKCS#12 containers from (DER-encoded) files
It is not actually able to handle PEM encoded PKCS#12 files produced
by OpenSSL.
2013-05-08 15:02:40 +02:00