11409 Commits

Author SHA1 Message Date
Tobias Brunner e8d6b91ebd charon-cmd: Add Aggressive Mode profiles to man page 2013-06-21 16:04:45 +02:00
Tobias Brunner 0d60489bf8 charon-cmd: Add man page for charon-cmd(8) 2013-06-21 16:04:45 +02:00
Tobias Brunner 295d595b49 charon-cmd: Add --debug argument to set the default log level 2013-06-21 15:55:52 +02:00
Tobias Brunner 4049ec42bf charon-cmd: Handle simple command line arguments like --help before the others 2013-06-21 15:51:42 +02:00
Tobias Brunner 0d25c4ef87 plugin-loader: Move logging of failed features to status()
Still log an error message if critical features fail, as loaded
plugins/features are not logged in that case.

This way loaded plugins are printed before failed features and
the relation is easier to make for users.  It also allows programs
to log this message on a different level.
2013-06-21 15:22:46 +02:00
Tobias Brunner 607f8e9906 plugin-loader: Add method to print loaded plugins on a given log level 2013-06-21 15:17:53 +02:00
Tobias Brunner 34ee14dd28 plugin-loader: Collect statistics while loading features, print them in case features failed to load
There is no need to explicitly search for failed features in critical
plugins as this is now detected while loading the features.
2013-06-21 15:13:25 +02:00
Tobias Brunner 681e53c70c plugin-loader: Use different log level if failed feature is in critical plugin 2013-06-21 15:13:25 +02:00
Tobias Brunner 13d2d8f634 plugin-loader: Log message when failing to load plugin 2013-06-21 15:13:25 +02:00
Tobias Brunner 51b9d7513d plugin-loader: Reduce verbosity while loading plugins 2013-06-21 15:13:25 +02:00
Tobias Brunner 0adf165c7e Fix crash if the initiator has no suitable proposal available
Could be triggered with a typo in the ike or esp options when ! is used.
2013-06-21 11:09:03 +02:00
Martin Willi 9d6a147c81 Merge branch 'unit-tests-ecdsa'
Adds support for testing plugin functionality to test-runner. Introduces some
good/bad tests for ECDSA/RSA which would have caught those RSA/ECDSA signature
vulnerabilities.
2013-06-21 10:53:23 +02:00
Martin Willi 092550b03a leak-detective: (re-)whitelist some OpenSSL functions
Some static allocations in plugins won't get freed, because in the test case
process the plugins are not destroyed. If a plugin would clean up allocations
done while just using the plugin, these show up as leaks in the child process,
letting tests fail.
2013-06-21 10:53:23 +02:00
Martin Willi ef687db734 unit-tests: load plugins in test-runner from build directory 2013-06-21 10:53:23 +02:00
Martin Willi b950fc48da unit-tests: link test-runner against -lpthread 2013-06-21 10:53:23 +02:00
Martin Willi 1ffdb4f3d0 unit-tester: remove obsolete rsa_gen test, now covered in unit-tests 2013-06-21 10:53:23 +02:00
Martin Willi df1a1a0901 unit-tests: add RSA test cases, very similar to ECDSA 2013-06-21 10:53:23 +02:00
Martin Willi eabf4af0f8 unit-tests: test with /dev/urandom if random plugin is in use 2013-06-21 10:53:22 +02:00
Martin Willi d0c09c84a5 unit-tests: test supported ECDSA schemes only 2013-06-21 10:53:22 +02:00
Martin Willi 2bedb0f270 Move test-runner's has_feature() function to plugin loader 2013-06-21 10:53:22 +02:00
Martin Willi df76881f11 unit-tests: enforce CET/CEST timezone to properly test non-UTC time formatting 2013-06-21 10:53:22 +02:00
Martin Willi 44886a0667 unit-tests: don't use ck_assert() to test a cleared chunk, as it allocates data
The new allocation might be in the freed area, affecting the test result.
2013-06-21 10:53:22 +02:00
Martin Willi 52bff13848 unit-tests: define 64-bit constants with ULL, fixing compiler warning on 32-bit 2013-06-21 10:53:22 +02:00
Martin Willi a5b63a3e5c Limit cleanup of .gc{no,da} files to src and scripts subfolders
Other folders in the build tree might not be related to the strongSwan tree,
or are not even accessible.
2013-06-21 10:53:21 +02:00
Martin Willi a88cab095d unit-tests: test some zeroed ECDSA signatures that never should succeed 2013-06-21 10:53:21 +02:00
Martin Willi 7e23f53242 unit-tests: perform signing/validation with ECDSA keys generated or loaded 2013-06-21 10:53:21 +02:00
Martin Willi eabb0befdc unit-tests: add an ECDSA test case loading keys 2013-06-21 10:53:21 +02:00
Martin Willi d18ff88faf unit-tests: perform a first ECDSA test case if ECDSA is supported 2013-06-21 10:53:21 +02:00
Martin Willi 200f38ad4c unit-tests: add a helper function checking if a plugin feature is available 2013-06-21 10:53:21 +02:00
Martin Willi cb1745f7a6 unit-tests: add a test case checking if all test vectors have been passed 2013-06-21 10:53:20 +02:00
Martin Willi e9e4759733 crypto-factory: count the number of test vector failures during registration 2013-06-21 10:53:20 +02:00
Martin Willi 3714979427 unit-tests: load all libstrongswan plugins in test-runner 2013-06-21 10:53:20 +02:00
Tobias Brunner 8c88ca0fcf stroke: Add statusall-nb as alias for statusallnb 2013-06-21 10:51:41 +02:00
Tobias Brunner 4182c86aed stroke: Add non-blocking versions of up and down
stroke up-nb and stroke down-nb do not block until the command has
finished.  Instead, they return right after initiating the respective
operation.
2013-06-21 10:49:39 +02:00
Tobias Brunner 9afc6e6a70 starter: Make ipsec.conf path configurable via command line 2013-06-21 10:08:56 +02:00
Tobias Brunner c0d0391a51 pubkey: Improve comparison of raw public key certificate objects 2013-06-21 10:02:25 +02:00
Martin Willi 888dbac50e ikev2: use protocol of selected proposal to delete a failed CHILD_SA
Depending on the failure, the protocol might not yet be set on the CHILD_SA.
2013-06-20 12:09:46 +02:00
Martin Willi 47ec2e407b charon-cmd: use a copy of pid in initiate callback
When cancelling a connection that gets established, cmd_connection_t gets
freed before terminate() is called. This results in kill()ing invalid PID.
2013-06-20 11:02:28 +02:00
Martin Willi e044a1a9e5 charon-cmd: add IKEv1 aggressive mode profiles 2013-06-20 11:01:37 +02:00
Martin Willi 40b0a15cb5 NEWS: Add first bunch of 5.1.0 highlights 2013-06-20 10:29:25 +02:00
Martin Willi 4e8142e8e9 Merge branch 'nat-transport'
Enable transport mode in NAT situations when using IKEv2. Additionally brings
an extended leftsubnet format, where each subnet can take a separate protocol
and port.
2013-06-19 16:36:27 +02:00
Martin Willi 24df067810 man: update ipsec.conf.5, describing new proto/port definition within leftsubnet 2013-06-19 16:36:01 +02:00
Martin Willi 483a258ad8 stroke: support %dynamic in left/rightsubnet for dynamic selectors
This has the same meaning as omitting left/rightsubnet, i.e. replace it
by the IKE address. Supporting %dynamic allows configurations with multiple
dynamic selectors in a left/rightsubnet, each with potentially different
proto/port selectors.
2013-06-19 16:36:01 +02:00
Martin Willi 3d1af879d2 kernel-netlink: install selectors on SA for transport/BEET mode without proto/port
If a transport/BEET SA has different selectors for different proto/ports,
installing just the proto/port of the first SA would break any additional
selector.
2013-06-19 16:36:01 +02:00
Martin Willi 4a7c29bf02 stroke: support a specific proto/port for each net defined in left/rightsubnet 2013-06-19 16:36:01 +02:00
Martin Willi ad5ad02ade ikev2: properly fall back to tunnel mode if transport/BEET mode not configured 2013-06-19 16:36:01 +02:00
Martin Willi 975457c4d8 ikev2: support transport mode over NAT 2013-06-19 16:36:01 +02:00
Martin Willi 4f88ad669a Merge branch 'consistent-reqid'
Checks if a trap policy exists when installing a CHILD_SA as responder,
reusing that reqid and keeping the trap untouched. This makes auto=route on
both sides more reliable.

In addition, we now prevent refcounting an existing policy if the reqid differs;
this should not happen anymore. We now can properly reject new CHILD_SAs in
such conflicts, instead of silently breaking an existing policy.
2013-06-19 16:31:06 +02:00
Martin Willi a7bc0bf4a6 ike: reuse the reqid of an installed trap having the same config
When we have a trap installed, but a CHILD_SA gets established for the same
config from the peer, we should reuse the same reqid. Otherwise we would have
two identical policies using different reqids, which we can't handle in our
kernel backend.
2013-06-19 16:30:40 +02:00
Martin Willi 2dcfc6983b trap-manager: add a method to find reqid for installed traps by config 2013-06-19 16:30:40 +02:00