Tobias Brunner
ba10cd3c7f
utils: Move thread-safe strerror replacement to a separate file
...
For some utils _GNU_SOURCE might be needed but that conflicts with the
signature of strerror_r(3).
2014-02-24 12:04:10 +01:00
Tobias Brunner
aa693d763a
stroke: Use dirname(3) correctly
2014-02-24 12:04:10 +01:00
Tobias Brunner
caf1770905
settings: Use dirname(3) correctly
...
dirname(3) may return a pointer to a statically allocated buffer.
So freeing the returned value can result to undefined behavior. This was
noticed on FreeBSD where it caused very strange crashes.
It is also not thread-safe, which will be addressed later.
2014-02-24 12:03:49 +01:00
Andreas Steffen
a21d4096e5
Use logical AND function
2014-02-23 16:44:32 +01:00
Martin Willi
1c667bce3f
pki: Make cmds array static, ensuring that it is zero-initialized
...
As pki --help relies on a zero-terminated array, make the actually non-public
cmds array static to ensure initialization.
2014-02-20 11:45:51 +01:00
Andreas Steffen
e80014f1e8
index limit can be easily computed
2014-02-19 20:18:53 +01:00
Tobias Brunner
ab13364c65
uclibc only defines strndup(3) if _GNU_SOURCE is defined
...
References #516 .
2014-02-19 16:11:47 +01:00
Tobias Brunner
09417da49c
sshkey: uclibc only defines fmemopen(3) if _GNU_SOURCE is defined
...
Fixes #516 .
2014-02-19 15:55:20 +01:00
Tobias Brunner
435aed8287
pki: Fix minor resource leak on failure to read the private key in --req
2014-02-18 16:46:25 +01:00
Tobias Brunner
5a04056295
stroke: Use proper modifiers to print size_t arguments
2014-02-18 16:46:25 +01:00
Andreas Steffen
6dd05e0d58
Created ntru_poly class for sparse trinary polynomials
2014-02-18 16:17:38 +01:00
Tobias Brunner
65ee857a88
android: Don't limit number to packets during EAP-TTLS
2014-02-18 11:32:37 +01:00
Tobias Brunner
7867ae42ab
lookip: Properly return from disconnect callback job
...
References #518 .
2014-02-18 11:21:51 +01:00
Tobias Brunner
4ab38d98a7
Fixed some typos
2014-02-18 10:36:25 +01:00
Tobias Brunner
86865da388
plugin-loader: Escape <ns> in comment as Doxygen sees this as XML tag
2014-02-18 10:18:54 +01:00
Tobias Brunner
1281c297d9
unit-tests: Ignore tests not test_runner
2014-02-18 10:09:30 +01:00
Martin Willi
961409b668
lookip: Disconnect asynchronously to avoid dead-locking watcher unregistration
...
While it really would be desirable to allow stream destruction during on_read()
callbacks, this does not work anymore since e49b2998
. Until we have a proper
solution for this issue, use asynchronous disconnects for the only user doing
so.
Fixes #518 .
2014-02-17 09:48:55 +01:00
Andreas Steffen
1f9e4d029e
Fixed a minor vulnerability in which a malformed ASN.1 length field could cause a crash of the charon daemon if the verbose debug level 3 (raw hex dump) for the asn subsystem is enabled.
2014-02-14 15:06:57 +01:00
Andreas Steffen
f03441c4dd
pacman.sh creates /etc/pts/dists directory if it doesn't exist yet
2014-02-13 13:21:47 +01:00
Tobias Brunner
6477e64a8d
printf-hook-glibc: printf.h on FreeBSD 10 does not include stdargs.h
2014-02-13 10:46:52 +01:00
Tobias Brunner
593251fcf6
array: Fix compilation on FreeBSD
2014-02-13 10:46:46 +01:00
Tobias Brunner
50fdff70e8
libpts: Move settings to <ns>.plugins with fallback to libimcv
2014-02-12 14:34:34 +01:00
Tobias Brunner
1ec3476398
libimcv: Move settings to <ns>.imcv and <ns>.plugins with fallback
2014-02-12 14:34:34 +01:00
Tobias Brunner
abd5c7bea2
libtnccs: Move settings to <ns>.tnc and <ns>.plugins with fallback
2014-02-12 14:34:34 +01:00
Tobias Brunner
505a69eba4
attr: Silently skip over load option
2014-02-12 14:34:34 +01:00
Tobias Brunner
c75acc4c44
conf: Install strongswan.conf template from a separate directory
2014-02-12 14:34:33 +01:00
Tobias Brunner
9925eeabd2
settings: Add support to enumerate sections and key/value pairs with fallbacks
2014-02-12 14:34:33 +01:00
Tobias Brunner
f4da1989cd
settings: Implement subsections and key/value pairs with sorted arrays
...
Is a bit more memory efficient (also due to lazy instantiation) and
lookups for sections with lots of subsections/keys (e.g. charon.plugins) are
faster.
2014-02-12 14:34:33 +01:00
Tobias Brunner
b3613c49a2
array: Add fallback for qsort_r using thread-local value
...
Cygwin for example does not support qsort_r.
2014-02-12 14:34:33 +01:00
Tobias Brunner
190a278854
plugin-loader: Optionally use load option in each plugin section to load plugins
...
This now works because all plugins use the same config namespace.
If <ns>.load_modular is true, the list of plugins to load is determined
via the value of the <ns>.plugins.<name>.load options.
Using includes the following is possible:
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
charon-cmd {
load_modular = yes
plugins {
include strongswan.d/charon-cmd/*.conf
}
}
Where each .conf file would contain something like:
<name> {
load = yes
<option> = <value>
}
To increase the priority of individual plugins load = <priority> can be
used (the default is 1). For instance, to use openssl instead of the
built-in crypto plugins set in strongswan.d/charon/openssl.conf:
openssl {
load = 10
}
If two plugins have the same priority their order in the default plugin
list is preserved. Plugins not found in that list are ordered
alphabetically before other plugins with the same priority.
2014-02-12 14:34:33 +01:00
Tobias Brunner
79962d9e99
array: Add array_bsearch function
2014-02-12 14:34:33 +01:00
Tobias Brunner
132b00ce02
array: Add array_sort function
2014-02-12 14:34:33 +01:00
Tobias Brunner
1c306c0ee9
libcharon: Remove unused charon->name
2014-02-12 14:34:33 +01:00
Tobias Brunner
9222bfc695
charon-tkm: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
Tobias Brunner
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
Tobias Brunner
10c4f4e1fd
libhydra: Remove unused hydra->daemon
2014-02-12 14:34:32 +01:00
Tobias Brunner
d347a130f5
libhydra: Use lib->ns instead of hydra->daemon
2014-02-12 14:34:32 +01:00
Tobias Brunner
409adef43c
libtls: Move settings to <ns>.tls with fallback to libtls
2014-02-12 14:34:32 +01:00
Tobias Brunner
eb9b375aa1
attr-sql: Use namespace for attr-sql config, with fallback
2014-02-12 14:34:32 +01:00
Tobias Brunner
8dc6e71632
lib: All settings use configured namespace
2014-02-12 14:34:32 +01:00
Tobias Brunner
7a684aece4
lib: Add default config fallback for configured namespace
...
All settings in the configured global namespace fall back to libstrongswan.
2014-02-12 14:34:32 +01:00
Tobias Brunner
dbed07782b
unit-tests: Test how settings_t handles some invalid data
2014-02-12 14:34:32 +01:00
Tobias Brunner
1713d88278
settings: Add method that allows to define fallback sections for other sections
...
The fallbacks are currently only used for single value lookups.
Enumerators are not affected by them.
2014-02-12 14:34:32 +01:00
Tobias Brunner
ef72d4cc3f
settings: Make print_key() not rely on null-terminated beginning of key buffer
...
The key to print (e.g. until the next .) still has to be
null-terminated.
2014-02-12 14:34:32 +01:00
Tobias Brunner
24d2bb7793
unit-tests: Add tests for includes and file loading in settings_t
2014-02-12 14:34:32 +01:00
Tobias Brunner
25ee33ba65
settings: Allow empty strings in section key
2014-02-12 14:34:32 +01:00
Tobias Brunner
9f9a6b0681
unit-tests: Add tests for enumerators in settings_t
2014-02-12 14:34:32 +01:00
Tobias Brunner
cd0523e0a4
unit-tests: Add tests for setters in settings_t
2014-02-12 14:34:31 +01:00
Tobias Brunner
9f2870216d
unit-tests: Add basic tests for settings_t
2014-02-12 14:34:31 +01:00
Tobias Brunner
34d3bfcf14
lib: Add global config namespace
2014-02-12 14:34:31 +01:00
Tobias Brunner
4f8bd6d404
pool: Typo in Makefile fixed
2014-02-12 14:34:09 +01:00
Tobias Brunner
6e288ed19c
pool: Install SQL schemas from src/pool
...
This allows us to install the schemas if either the attr-sql or sql
plugin is enabled, since both use the same schema (at least in parts).
2014-02-12 14:21:26 +01:00
Tobias Brunner
b2cd0870a3
sql: Set default values for some fields in addresses table
2014-02-12 14:08:34 +01:00
Tobias Brunner
de7f5305d9
libimcv: Install SQL files in /usr/share/strongswan/templates/database
2014-02-12 14:08:34 +01:00
Tobias Brunner
9ca9d99bc4
sql: Install SQL schemas in /usr/share/strongswan/templates/database
2014-02-12 14:08:34 +01:00
Tobias Brunner
68539c38e2
sql: Remove unused cred.sql snippet
2014-02-12 14:08:34 +01:00
Tobias Brunner
ebc665be4d
asn1: Support dates before 1970-01-01 (i.e. when time_t gets negative)
...
On x86 we allow "overflows" around 1969/1970 but not for other dates.
Fixes #509 .
2014-02-12 13:54:05 +01:00
Tobias Brunner
addc34d5f0
asn1: Add additional validation for parsed ASN.1 date/time values
2014-02-12 13:53:57 +01:00
Tobias Brunner
9e1ce63915
ikev1: Fix config switching due to failed authentication during Aggressive mode
...
The encoded ID payload gets destroyed by the authenticator, which caused
a segmentation fault after the switch.
Fixes #501 .
2014-02-12 13:53:03 +01:00
Tobias Brunner
822b22c96f
kernel-pfroute: Don't cache route entries if installation fails
2014-02-12 13:52:25 +01:00
Tobias Brunner
f0f78b74d4
kernel-netlink: Don't cache route entries if installation fails
...
Fixes #500 .
2014-02-12 13:52:01 +01:00
Tobias Brunner
5e75f50b70
identification: Fix printing of empty RDNs on FreeBSD
...
On FreeBSD (null) is printed for NULL even if the precision is 0.
2014-02-12 13:45:42 +01:00
Tobias Brunner
f8c9c03de0
tests: Fix test for printing NULL on FreeBSD
2014-02-12 13:45:42 +01:00
Andreas Steffen
d9c7fcd0ee
unit-tests: added asn1_parser tests
2014-02-10 21:29:34 +01:00
Andreas Steffen
e62c6b0a24
unit-tests: added some more ASN.1 length tests
2014-02-10 21:29:34 +01:00
Thomas Egerer
b351acfed6
leak_detective: Assign return value of realloc to buf
...
If realloc return a pointer value different from the value to be
reallocated, a double free can occur in this context.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-02-10 17:23:54 +01:00
Martin Willi
7707357227
rdrand: Provide get_features() regardless of RDRAND availability
...
As having no get_features() raises a deprecated warning, we return no features
instead.
2014-02-10 11:22:16 +01:00
Martin Willi
144f1d7041
rdrand: Move RDRAND detection log to level 2
...
When having RDRAND support, these log messages might be confusing when using
pki or other tools.
2014-02-10 11:07:50 +01:00
Martin Willi
ac2dc3b726
updown: Return an empty DNS server enumerator if no IKE_SA available
...
The one existing caller does not handle a NULL return and always expects
an enumerator; and returning FALSE does not make sense anyway.
2014-02-06 16:38:39 +01:00
Martin Willi
e2de972c55
charon-cmd: Request an IPv6 virtual IP if an IPv6 remote subnet given
2014-02-06 15:58:13 +01:00
Martin Willi
fe7269c089
charon-cmd: Document new proposal options in manpage
2014-02-06 15:58:13 +01:00
Martin Willi
c9e85424a8
charon-cmd: Add --esp/--ah-proposal options to specify CHILD_SA proposals
2014-02-06 15:58:07 +01:00
Martin Willi
2796cf59bc
charon-cmd: Add an --ike-proposal option to specify non-default IKE proposals
2014-02-06 15:57:36 +01:00
Martin Willi
1df1430146
charon-cmd: Block SIGUSR1 on worker threads
...
To properly shut down charon-cmd with leak reports, only the main thread
should catch SIGUSR1 to shut down the application. Work threads should ignore
SIGUSR1 to avoid any hard application termination.
2014-02-06 15:57:36 +01:00
Andreas Steffen
0edd13b6c8
Document ipsec attest --session command
2014-02-05 12:06:46 +01:00
Andreas Steffen
24f59868c4
Allow output of session time in UTC
2014-02-05 12:06:22 +01:00
Andreas Steffen
d6804e3041
Added missing semicolon in SQL statements
2014-02-05 10:15:56 +01:00
Andreas Steffen
523c2874fb
Added Android 4.3.1 to products database table
2014-02-04 19:49:34 +01:00
Andreas Steffen
2a43f7fd9e
Added new Android versions to PTS database
2014-02-04 06:59:01 +01:00
Martin Willi
1f4883008e
unit-tests: Add some test cases for HTTP GET/POST fetches
2014-01-31 12:18:32 +01:00
Martin Willi
1691b19900
unit-tests: Fix test_runner_run() apidoc
2014-01-29 13:38:10 +01:00
Tobias Brunner
3114cecdbe
pki: Declare correct section in pki --issue man page
2014-01-24 16:17:46 +01:00
Martin Willi
d048a319df
ike: Restart inactivity counter after doing a CHILD_SA rekey
...
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter
than the rekey time to have any effect.
2014-01-23 16:19:22 +01:00
Martin Willi
763e035335
child-sa: Add a getter for CHILD_SA install time
2014-01-23 16:19:22 +01:00
Andrea Bonomi
2312504d1e
xauth-pam: Open/close a PAM session for each connected client
...
Signed-off-by: Andrea Bonomi <a.bonomi@endian.com>
2014-01-23 16:07:04 +01:00
Martin Willi
7dc8bf495b
xauth-pam: Sanitize XAuth attributes before passing them to PAM
2014-01-23 16:07:04 +01:00
Martin Willi
c7c2e24a56
ikev2: Add Cisco FRAGMENTATION vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:04 +01:00
Martin Willi
2c6d204bec
ikev2: Add Cisco Copyright vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:04:01 +01:00
Martin Willi
f84d1cb2f9
ikev2: Add Cisco Delete Reason vendor ID
...
Courtesy of C.J. Adams-Collier, ZeroLag Communications, Inc.
2014-01-23 16:03:55 +01:00
Martin Willi
a8d8e631f9
ikev2: Use a more dynamic vendor ID database, as we use with IKEv1
2014-01-23 16:02:18 +01:00
Martin Willi
853498155e
libpts: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
Martin Willi
7ae878c357
tnccs: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
Martin Willi
88fa7f62be
pem: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:33 +01:00
Martin Willi
ecdef634aa
stroke: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
b8d0103e31
radattr: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
39badc53cd
libfast: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
69be6a9e05
integrity-checker: Use chunk_map() instead of non-portable mmap()
2014-01-23 15:55:32 +01:00
Martin Willi
b9ee059ca9
chunk: Externalize error reporting in chunk_write()
...
This avoids passing that arbitrary label just for error messages, and gives
greater flexibility in handling errors.
2014-01-23 15:55:32 +01:00
Martin Willi
37374a292a
chunk: Provide a fallback chunk_map() if mmap is not available
2014-01-23 15:55:32 +01:00
Martin Willi
1c4a3459f7
chunk: Use dynamically allocated buffer in chunk_from_fd()
...
When acting on files, we can use fstat() to estimate the buffer size. On
non-file FDs, we dynamically increase an allocated buffer.
Additionally we slightly change the function signature to properly handle
zero-length files and add appropriate unit tests.
2014-01-23 15:55:32 +01:00
Martin Willi
595b6d9a82
chunk: Add functions to map file contents to a chunk
2014-01-23 15:55:32 +01:00
Tobias Brunner
21c18f536d
unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attribute
...
Cisco clients only handle the first such attribute.
2014-01-23 10:35:21 +01:00
Tobias Brunner
f8262aa1a6
unity: Change local TS to 0.0.0.0/0 as responder
...
Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is
used, otherwise Quick Mode fails.
2014-01-23 10:35:21 +01:00
Tobias Brunner
685579d6d8
unity: Send UNITY_SPLIT_INCLUDE attributes with proper padding
...
The additional 6 bytes are not actually padding but are parsed by the
Cisco client as protocol and src and dst ports (each two bytes but
strangely only the first two in network order).
2014-01-23 10:35:21 +01:00
Tobias Brunner
fe2a2d1885
kernel-netlink: Set selector on transport mode IPComp SAs
2014-01-23 10:27:13 +01:00
Tobias Brunner
cc04a6db3e
kernel-netlink: Selectively add selector on SAs that use IPComp
...
Don't add a selector to tunnel mode SAs, these might serve multiple
traffic selectors but with only one selector on the SA only the traffic
matching the first one would actually get tunneled.
2014-01-23 10:27:12 +01:00
Tobias Brunner
7e3bbcf77a
updown: Increase buffer size for script and environment variables
2014-01-23 10:27:12 +01:00
Tobias Brunner
6d1198e71d
updown: Allow IPIP traffic if IPComp was negotiated
...
The kernel implicitly creates an IPIP SA if an IPComp SA is installed.
This SA is used inbound for small packets that are not compressed.
Since the addresses are different (they are the tunnel addresses not
those of the tunneled traffic) additional rules are required if the
traffic selector does not cover the tunnel addresses (e.g. due to a NAT).
For SAs with multiple traffic selectors duplicate rules will get installed.
2014-01-23 10:27:12 +01:00
Tobias Brunner
cf4a7395aa
updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiated
2014-01-23 10:27:12 +01:00
Tobias Brunner
72a92d4f7d
curl: Replace spaces in URIs with %20
...
cURL requires the URIs to be URL-encoded. Apparently, some CAs encode CRL
URIs with spaces in them.
Fixes #454 .
2014-01-23 10:19:30 +01:00
Tobias Brunner
ccb6758e5b
utils: Add strreplace function
2014-01-23 10:18:23 +01:00
Tobias Brunner
f44b1eb444
stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminated
...
Otherwise a malicious user could send an unterminated string to cause
unterminated reads.
2014-01-23 10:15:07 +01:00
Tobias Brunner
5ab03863b0
stroke: Add an option to prevent log level changes via stroke socket
2014-01-23 10:15:07 +01:00
Tobias Brunner
040cf911a6
pki: Make sure no command registers too many options
2014-01-23 10:12:24 +01:00
Tobias Brunner
079e6c2b04
pki: Increase MAX_COMMANDS to cover all currently available commands
...
Fixes #452 .
2014-01-23 10:12:15 +01:00
Tobias Brunner
2b8224fce3
pki: Print a warning if MAX_COMMANDS is too low
2014-01-23 10:10:53 +01:00
Tobias Brunner
b0e14fcba6
pki: Properly use ?: when defining option arrays
2014-01-23 10:10:53 +01:00
Tobias Brunner
54ca25800c
agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socket
...
This is also required if charon-cmd is used with capability dropping.
2014-01-23 10:08:23 +01:00
Tobias Brunner
53d2164c5d
ike: Simplify error handling if name resolution failed
...
This avoids a second name resolution attempt just to determine if %any
etc. was configured.
Fixes #440 .
2014-01-23 10:04:19 +01:00
Tobias Brunner
be8af56e7a
ike: Use proper hostname(s) when name resolution failed
...
Was wrong since 0edce68767
.
Fixes #440 .
2014-01-23 10:03:50 +01:00
Tobias Brunner
72ffb20318
ikev2: Wipe (optional) shared secret during CHILD_SA key derivation
2014-01-23 09:54:18 +01:00
Tobias Brunner
e465c006e5
checksum must be the last subdir included
...
Otherwise charon-cmd will not yet be installed when the checksums are
calculated (now from the install dir, not the build dir).
Fixes #496 .
2014-01-23 09:43:45 +01:00
Martin Willi
b034131555
unit-tests: Pass a test suite collection name to print during test execution
...
As we except to get more and more test runners for the different components,
we add a name to easily identify them on the test output.
2014-01-22 15:34:53 +01:00
Martin Willi
589fab2260
array: Add an array_get() function
2014-01-22 15:34:53 +01:00
Martin Willi
027cf7ddcf
watcher: Don't complain if select() syscall got interrupted
2014-01-22 15:34:53 +01:00
Martin Willi
e49b299867
stream: Make sure no watcher callback is active while changing stream callbacks
...
When changing async callbacks on streams, we have to make sure the watcher
callback is not currently active and has temporarily disabled callbacks. This
could have been the case, as we didn't explicitly removed any pending
watcher registration if both callbacks are NULL.
By enforcing the watcher unregistration, we are sure the watcher callback is
not active and currently is not mangling the callback hooks. This should make
sure we avoid any races for the callback variables.
2014-01-22 15:34:53 +01:00
Tobias Brunner
a40c66194e
checksum: Read executables from DESTDIR
...
This allows to recreate the checksums after the installed binaries have
been modified e.g. with strip.
Fixes #491 .
2014-01-21 14:53:46 +01:00
Thomas Egerer
3711f66e54
dhcp: Allow binding of socket to particular interface
...
In certain situations it is desirable to bind the send/receive sockets
for the DHCP address allocation to a particular interface. With this
patch the strongswan.conf option charon.plugins.dhcp.interface can be
used to restrict the DHCP communication to a configurable interface.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-01-20 16:40:34 +01:00
Thomas Egerer
568e302260
proposal: Add possibility to register custom proposal keyword parser
...
If a proposal string cannot be matched to a token using strcmp (e.g. if
you want to register a whole class of algorithms containing their ID,
like my_alg_2342), you can use the provided function to register a
parser that transforms the given string into a proposal token.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-01-20 16:40:34 +01:00
Tobias Brunner
303ec3956c
unit-tests: Add environment variable to reduce the number of generated keys
...
If TESTS_REDUCED_KEYLENGTHS is set RSA and ECDSA keys are only generated
for the lowest configured key length.
Fixes #474 .
2014-01-20 15:40:15 +01:00
Tobias Brunner
3d097e1024
unit-tests: Generate RSA key with 768 bits not 786
2014-01-20 15:40:09 +01:00
Thomas Egerer
b190899473
ike_sa: Defer task manager destruction after child destruction
...
This patch exports the task manager's flush to allow flushing of all
queues with one function call from ike_sa->destroy. It allows the
access of intact children during task destructoin (see git-commit
e44ebdcf
) and allows the access of the task manager in
child_state_change hook.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-01-16 14:16:13 +01:00
Andreas Steffen
eeaa8a2417
Added TPMRA workitem support in PTS database
2014-01-16 01:46:55 +01:00
Martin Willi
2e89bc4b66
printf-hook-builtin: Correctly calculate written bytes in print_in_hook()
...
The hook data counts remaining buffer bytes, not used ones. Counting them
correctly fixes a crash for long hexdumps.
Further, print_in_hook() must return the number of bytes that would have been
written, not the actually written bytes. This is important, as we allocate a
dynamic buffer in bus that relies on the exact byte count. Fixes long hexdumps
that got truncated.
2014-01-15 18:28:43 +01:00
Andreas Steffen
a48d19a3bf
Do PTS measurements only if session initialisation was successful
2014-01-15 12:06:22 +01:00
Andreas Steffen
8b36021b5b
Catch AIK errors
2014-01-13 12:06:18 +01:00
Andreas Steffen
fbddf52c80
Do TPM measurements only if there is a TPMRA workitem
2014-01-13 12:06:18 +01:00
Andreas Steffen
81d49c5cfd
Allow reason strings to be used as workitem result string
2014-01-13 12:06:17 +01:00
Andreas Steffen
6009b6e0dd
Attestation IMV processes TPMRA workitem
2014-01-13 12:06:17 +01:00
Andreas Steffen
3254f8b00a
Added TPM Remote Attestation (TPMRA) workitem
2014-01-10 11:55:21 +01:00
Tobias Brunner
2ff62bee04
checksum: Set rpath including DESTDIR for checksum_builder
...
This way libraries to which checksum_builder does not itself link,
like libtls and libradius, are found during DESTDIR installs.
Fixes #476 .
2014-01-08 11:24:24 +01:00
Tobias Brunner
94e10f15e5
test-asn1: Fix skipping of >2038 tests on i386
...
The two constants overflow time_t on i386 (they also produced a compiler
warning without type suffix) so the comparison with TIME_32_BIT_SIGNED_MAX
did not work as intended.
Fixes #477 .
2014-01-06 18:23:40 +01:00
Tobias Brunner
d62a6ec3f9
chunk: Fix chunk_mac/hash tests on big-endian systems
...
Our SipHash-2-4 implementation returns the result in host order, while
the test vectors are little-endian. Use a custom comparison function to
account for this.
Fixes #478 .
2014-01-06 17:31:07 +01:00
Tobias Brunner
13f2d3a2f6
utils: Fix %T printf hook on big-endian systems
...
The cast to a bool* cut of the actual value on big-endian systems
if bool was shorter than int because the bool argument to printf gets
promoted to an int.
Fixes #479 .
2014-01-06 15:30:02 +01:00
Tobias Brunner
0773c7fd71
checksum: Delay building of checksum_builder until required by make install
...
This ensures PLUGINDIR includes any DESTDIR set during make install.
2014-01-06 14:38:34 +01:00
Tobias Brunner
5d826357b8
checksum: Remove unnecessary pluto symbol
2014-01-06 13:37:12 +01:00
Tobias Brunner
261fd9d33b
stroke: Fix error message if parsing leftsourceip fails
2014-01-06 12:55:45 +01:00
Andreas Steffen
6810388064
Update PCR even if measurement does not equal reference value
2013-12-21 00:40:45 +01:00
Tobias Brunner
bfa2201537
tun-device: Include system headers before our own
...
On CentOS 6.5 the sys/capability.h header file defines _LINUX_TYPES_H
without actually including that header, preventing its later inclusion
here.
As library.h (via which the capabilities headers are included) is not
actually required in tun_device.[ch], moving the inclusion of tun_device.h
would not strictly be necessary. But it's probably a good idea to
include our own headers after system headers anyway, for if one of the
recursively included files at a later point includes library.h we'd have
the same problem again.
2013-12-20 11:33:16 +01:00
Andreas Steffen
f5fd12b932
Fixed check_file_measurement method in pts_database_t
2013-12-13 14:37:31 +01:00
Andreas Steffen
953a922e9b
unit-tests: NTRU test to check a special branch
2013-12-08 10:18:33 +01:00
Andreas Steffen
84814a6b7c
min_MGF_hash_calls parameter is not needed anymore
2013-12-07 23:54:53 +01:00
Andreas Steffen
5da659523e
Optimized MGF1 implementation
2013-12-07 23:29:04 +01:00
Andreas Steffen
abd4797dc1
Implemented ntru_trits class
2013-12-07 23:27:59 +01:00
Andreas Steffen
a978a8194d
Streamlined DRBG and MGF1 debug output
2013-12-07 00:21:28 +01:00
Andreas Steffen
933f3c6e8f
unit-tests: Added crypter tests
2013-12-06 10:09:36 +01:00
Andreas Steffen
fdc6c682b2
Added own MGF1 mask generating function
2013-12-05 22:55:47 +01:00
Andreas Steffen
78affed0a0
unit-tests: Added hasher tests
2013-12-04 23:09:32 +01:00
Andreas Steffen
2006709ec5
Moved test_rng to a test suite of its own
2013-12-04 21:23:30 +01:00
Tobias Brunner
f1e12da7ef
unit-tests: Don't use priority for destructor that unregisters testable functions
...
This fixes coverage reports, at least if leak detective is disabled.
If it is enabled the plugins are not unloaded so the destructor is not
executed until the process is destroyed, which seems not to be covered
by gcov.
2013-12-04 20:33:00 +01:00
Tobias Brunner
d5a0abfa92
unit-tests: Export ntru_drbg_create as testable function so no linking is required
...
This way the plugin does not have to be linked explicitly to the test
runner, which otherwise would require that the plugin is either always
enabled to build the tests or that ifdefs are added to the Makefile.
2013-12-04 20:32:59 +01:00
Tobias Brunner
4cea186b64
unit-tests: Add facility to register testable functions
...
These can be defined in plugins, or other parts of the tested libraries.
They can even be static.
2013-12-04 20:32:59 +01:00
Tobias Brunner
a24eec4649
unit-tests: Move ntru_test_rng_t to a utility class in libtest
2013-12-04 20:32:59 +01:00
Tobias Brunner
6354466a5b
unit-tests: Fix apidoc for libtest
2013-12-04 20:32:59 +01:00
Tobias Brunner
3e8a44c2aa
ntru: Fix compiler warning caused by ++/-- on righthand side of an assignment
...
The behavior of stuff like x = --x; (or x++) is not defined.
2013-12-04 20:32:59 +01:00
Adrian-Ken Rueegsegger
6db7feacf6
charon-tkm: Implement IANA DH Id to TKM Id mapping
...
The TKM Diffie-Hellman plugin now maps IANA DH identifiers to TKM DH
algorithm identifiers. The mapping is specified in the daemon's
'dh_mapping' section in the strongswan.conf file:
dh_mapping {
iana_id1 = tkm_id1
iana_id2 = tkm_id2
iana_id3 = tkm_id3
...
}
Only the mapped IANA IDs are registered as supported DH groups.
2013-12-03 11:58:53 +01:00
Adrian-Ken Rueegsegger
9e8a52003a
charon-tkm: Drop unnecessary include
2013-12-03 11:58:53 +01:00
Tobias Brunner
7c7148b038
ike: Log SK_p consistently on level 4
2013-11-28 19:04:47 +01:00
Andreas Steffen
7d5b9e81a4
Added DRBG automatic reseeding tests
2013-11-27 20:21:41 +01:00
Andreas Steffen
5443762491
Use strongSwan hash plugins for SHA-1 and SHA-256
2013-11-27 20:21:41 +01:00
Andreas Steffen
d993a567b7
Extended NIST SP 800-90A HMAC_DRBG test cases
2013-11-27 20:21:41 +01:00
Andreas Steffen
a7047cda59
Cleaned up ntru-crypto library
2013-11-27 20:21:41 +01:00
Andreas Steffen
98c6421674
Implemented NIST SP 800-90A DRBG_HMAC with SHA-256
2013-11-27 20:21:41 +01:00
Andreas Steffen
798a36dc14
Added NTRU key exchange to default IKE proposal
2013-11-27 20:21:41 +01:00
Andreas Steffen
9013973cc8
unit-tests: Added ntru wrong ciphertext test
2013-11-27 20:21:41 +01:00
Andreas Steffen
885e699b58
unit-tests: Added ntru entropy, retransmission and ciphertext tests
2013-11-27 20:21:41 +01:00
Andreas Steffen
802eaf3789
Any of the four NTRU parameter sets can be selected
2013-11-27 20:21:41 +01:00
Andreas Steffen
1f73969eb5
Make the NTRU parameter set configurable
2013-11-27 20:21:41 +01:00
Andreas Steffen
2c620cb089
unit-tests: first NTRU test case
2013-11-27 20:21:40 +01:00
Andreas Steffen
146ad86be5
Prototype implementation of IKE key exchange via NTRU encryption
2013-11-27 20:21:40 +01:00
Tobias Brunner
0b506edb19
nm: Require the PSK to be at least 20 characters long
2013-11-27 18:36:58 +01:00
Tobias Brunner
692a421aa0
nm: German translation updated
2013-11-27 18:36:58 +01:00
Tobias Brunner
5ae822cfcd
nm: Handle PSK option in NM backend
2013-11-27 18:36:58 +01:00
Tobias Brunner
594878e552
nm: Add PSK option to auth-dialog
2013-11-27 18:36:58 +01:00
Tobias Brunner
63528ebd3f
nm: Add pre-shared key option in GUI
2013-11-27 18:36:58 +01:00
Tobias Brunner
cfaec93111
nm: Make intltool recognize glade files properly
2013-11-27 18:36:58 +01:00
Tobias Brunner
f5feeb04f3
charon-tkm: Don't run tests automatically during 'make check'
...
Due to the external dependencies these tests are quite inconvenient.
They can be run from the charon-tkm directory with 'make check-tkm'.
2013-11-27 18:35:44 +01:00
Reto Buerki
5221a16391
charon-tkm: Add Binder switches to test project to enable exception backtraces
2013-11-27 18:35:44 +01:00
Tobias Brunner
d6032bff8b
charon-tkm: Migrate tests to our own test runner
...
Due to problems with the external libraries tkm_init/deinit can't be
called for each test case. Because of this leak detective has to be
disabled for these tests.
2013-11-27 18:35:44 +01:00
Tobias Brunner
70f4461359
charon-tkm: Support for out-of-tree build added
2013-11-27 18:35:44 +01:00
Tobias Brunner
20a48e4be3
chunk: Fix signedness warnings caused by chunk_from_* macros
...
There are countless other such warnings because e.g. chunk_create() is called
with char*, but at least we prevent users from causing such warnings
inadvertently when using these macros.
2013-11-27 18:28:44 +01:00
Martin Willi
1cbe4e6ce4
tun-device: Include <linux/types.h> before <linux/if_tun.h>
...
Fixes a build error on CentOS 6.4.
2013-11-22 09:09:06 +01:00
Tobias Brunner
c61ca66a39
trap-manager: Reset IKE_SA on bus_t if initiating fails
2013-11-21 13:43:31 +01:00
Tobias Brunner
bb492d80b5
trap-manager: Prevent deadlock when installing trap policies
...
Because the write lock was held while calling add_policies() on
child_sa_t, which finishes with a call to child_state_change() on bus_t,
a deadlock would ensue if CHILD_SAs are concurrently being established,
which also causes a call to child_state_change() that will require
the read lock in trap_manager_t.
No locks are now being held while creating the CHILD_SA and installing the
trap policies.
2013-11-21 11:12:59 +01:00
Martin Willi
07ca25909b
printf-hook-builtin: Don't use %P to print uppercase hex pointers
...
We use %P as custom printf specifier for proposals.
2013-11-20 16:57:28 +01:00
Tobias Brunner
3bff80aee3
openssl: Verify that a peer's ECDH public value is a point on the elliptic curve
...
This check is mandated by RFC 6989. Since we don't reuse DH secrets,
it is mostly a sanity check.
2013-11-19 15:00:28 +01:00
Tobias Brunner
38a4f1964e
kernel-netlink: Enable TFC padding only for tunnel mode ESP SAs
...
The kernel does not allow them for transport mode SAs or IPComp SAs (and
of course not for AH SAs).
Fixes #446 .
2013-11-19 12:44:16 +01:00
Andreas Steffen
b63246c5db
Implemented libstrongswan.plugins.random.strong_equals_true option
2013-11-16 00:11:40 +01:00
Tobias Brunner
85adb98daf
android: New release based on 5.1.1
...
This fixes issues with IVs and padding in ESP handling and removes the
Vstr dependency.
2013-11-13 17:41:24 +01:00
Tobias Brunner
20c99edab9
android: Remove dependency on libvstr
2013-11-13 11:40:47 +01:00