Tobias Brunner
e8d6b91ebd
charon-cmd: Add Aggressive Mode profiles to man page
2013-06-21 16:04:45 +02:00
Tobias Brunner
0d60489bf8
charon-cmd: Add man page for charon-cmd(8)
2013-06-21 16:04:45 +02:00
Tobias Brunner
295d595b49
charon-cmd: Add --debug argument to set the default log level
2013-06-21 15:55:52 +02:00
Tobias Brunner
4049ec42bf
charon-cmd: Handle simple command line arguments like --help before the others
2013-06-21 15:51:42 +02:00
Tobias Brunner
0d25c4ef87
plugin-loader: Move logging of failed features to status()
...
Still log an error message if critical features fail, as loaded
plugins/features are not logged in that case.
This way loaded plugins are printed before failed features and
the relation is easier to make for users. It also allows programs
to log this message on a different level.
2013-06-21 15:22:46 +02:00
Tobias Brunner
607f8e9906
plugin-loader: Add method to print loaded plugins on a given log level
2013-06-21 15:17:53 +02:00
Tobias Brunner
34ee14dd28
plugin-loader: Collect statistics while loading features, print them in case features failed to load
...
There is no need to explicitly search for failed features in critical
plugins as this is now detected while loading the features.
2013-06-21 15:13:25 +02:00
Tobias Brunner
681e53c70c
plugin-loader: Use different log level if failed feature is in critical plugin
2013-06-21 15:13:25 +02:00
Tobias Brunner
13d2d8f634
plugin-loader: Log message when failing to load plugin
2013-06-21 15:13:25 +02:00
Tobias Brunner
51b9d7513d
plugin-loader: Reduce verbosity while loading plugins
2013-06-21 15:13:25 +02:00
Tobias Brunner
0adf165c7e
Fix crash if the initiator has no suitable proposal available
...
Could be triggered with a typo in the ike or esp options when ! is used.
2013-06-21 11:09:03 +02:00
Martin Willi
9d6a147c81
Merge branch 'unit-tests-ecdsa'
...
Adds support for testing plugin functionality to test-runner. Introduces some
good/bad tests for ECDSA/RSA which would have caught those RSA/ECDSA signature
vulnerabilities.
2013-06-21 10:53:23 +02:00
Martin Willi
092550b03a
leak-detective: (re-)whitelist some OpenSSL functions
...
Some static allocations in plugins won't get freed, because in the test case
process the plugins are not destroyed. If a plugin would clean up allocations
done while just using the plugin, these show up as leak in the child process,
letting tests fail.
2013-06-21 10:53:23 +02:00
Martin Willi
ef687db734
unit-tests: load plugins in test-runner from build directory
2013-06-21 10:53:23 +02:00
Martin Willi
b950fc48da
unit-tests: link test-runner against -lpthread
2013-06-21 10:53:23 +02:00
Martin Willi
1ffdb4f3d0
unit-tester: remove obsolete rsa_gen test, now covered in unit-tests
2013-06-21 10:53:23 +02:00
Martin Willi
df1a1a0901
unit-tests: add RSA test cases, very similar to ECDSA
2013-06-21 10:53:23 +02:00
Martin Willi
eabf4af0f8
unit-tests: test with /dev/urandom if random plugin is in use
2013-06-21 10:53:22 +02:00
Martin Willi
d0c09c84a5
unit-tests: test supported ECDSA schemes only
2013-06-21 10:53:22 +02:00
Martin Willi
2bedb0f270
Move test-runners has_feature() function to plugin loader
2013-06-21 10:53:22 +02:00
Martin Willi
df76881f11
unit-tests: enforce CET/CEST timezone to properly test non-UTC time formatting
2013-06-21 10:53:22 +02:00
Martin Willi
44886a0667
unit-tests: don't use ck_assert() to test a cleared chunk, as it allocates data
...
The new allocation might be in the freed area, affecting the test result.
2013-06-21 10:53:22 +02:00
Martin Willi
52bff13848
unit-tests: define 64-bit constats with ULL, fixing compiler warning on 32-bit
2013-06-21 10:53:22 +02:00
Martin Willi
a5b63a3e5c
Limit cleanup of .gc{no,da} files to src and scripts subfolders
...
Other folders in the build tree might not be related to the strongSwan tree,
or are not even accessible.
2013-06-21 10:53:21 +02:00
Martin Willi
a88cab095d
unit-tests: test some zeroed ECDSA signatures that never should succeed
2013-06-21 10:53:21 +02:00
Martin Willi
7e23f53242
unit-tests: perform signing/validation with keys ECDSA keys generated or loaded
2013-06-21 10:53:21 +02:00
Martin Willi
eabb0befdc
unit-tests: add an ECDSA test case loading keys
2013-06-21 10:53:21 +02:00
Martin Willi
d18ff88faf
unit-tests: perform a first ECDSA test case if ECDSA is supported
2013-06-21 10:53:21 +02:00
Martin Willi
200f38ad4c
unit-tests: add a helper function checking if a plugin feature is available
2013-06-21 10:53:21 +02:00
Martin Willi
cb1745f7a6
unit-tests: add a test case checking if all test vectors have been passed
2013-06-21 10:53:20 +02:00
Martin Willi
e9e4759733
crypto-factory: count the number of test vector failures during registration
2013-06-21 10:53:20 +02:00
Martin Willi
3714979427
unit-tests: load all libstrongswan plugins in test-runner
2013-06-21 10:53:20 +02:00
Tobias Brunner
8c88ca0fcf
stroke: Add statusall-nb as alias for statusallnb
2013-06-21 10:51:41 +02:00
Tobias Brunner
4182c86aed
stroke: Add non-blocking versions of up and down
...
stroke up-nb and stroke down-nb do not block until the command has
finished. Instead, they return right after initiating the respective
operation.
2013-06-21 10:49:39 +02:00
Tobias Brunner
9afc6e6a70
starter: Make ipsec.conf path configurable via command line
2013-06-21 10:08:56 +02:00
Tobias Brunner
c0d0391a51
pubkey: Improve comparison of raw public key certificate objects
2013-06-21 10:02:25 +02:00
Martin Willi
888dbac50e
ikev2: use protocol of selected proposal to delete a failed CHILD_SA
...
Depending on the failure, the protocol might not yet be set on the CHILD_SA.
2013-06-20 12:09:46 +02:00
Martin Willi
47ec2e407b
charon-cmd: use a copy of pid in initiate callback
...
When cancelling a connection that gets established, cmd_connection_t gets
freed before terminate() is called. This results in kill()ing invalid PID.
2013-06-20 11:02:28 +02:00
Martin Willi
e044a1a9e5
charon-cmd: add IKEv1 aggressive mode profiles
2013-06-20 11:01:37 +02:00
Martin Willi
40b0a15cb5
NEWS: Add first bunch of 5.1.0 highlights
2013-06-20 10:29:25 +02:00
Martin Willi
4e8142e8e9
Merge branch 'nat-transport'
...
Enable transport mode in NAT situations when using IKEv2. Additionally brings
an extended leftsubnet format, where each subnet can take a separate protocol
and port.
2013-06-19 16:36:27 +02:00
Martin Willi
24df067810
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
2013-06-19 16:36:01 +02:00
Martin Willi
483a258ad8
stroke: support %dynamic in left/rightsubnet for dynamic selectors
...
This has the same meaning as omitting left/rightsubnet, i.e. replace it
by the IKE address. Supporting %dynamic allows configurations with multiple
dynamic selectors in a left/rightsubnet, each with potentially different
proto/port selectors.
2013-06-19 16:36:01 +02:00
Martin Willi
3d1af879d2
kernel-netlink: install selectors on SA for transport/BEET mode without proto/port
...
If a transport/BEET SA has different selectors for different proto/ports,
installing just the proto/port of the first SA would break any additional
selector.
2013-06-19 16:36:01 +02:00
Martin Willi
4a7c29bf02
stroke: support a specific proto/port for each net defined in left/rightsubnet
2013-06-19 16:36:01 +02:00
Martin Willi
ad5ad02ade
ikev2: properly fall back to tunnel mode if transport/BEET mode not configured
2013-06-19 16:36:01 +02:00
Martin Willi
975457c4d8
ikev2: support transport mode over NAT
2013-06-19 16:36:01 +02:00
Martin Willi
4f88ad669a
Merge branch 'consistent-reqid'
...
Checks if a trap policy exists when installing a CHILD_SA as responder,
reuse that reqid and keeping the trap untouched. This makes auto=route on
both sides more reliable.
In addition, we no prevent to refcount an existing policy if the reqid differs;
this should not happen anymore. We now can properly reject new CHILD_SAs in
such conflicts, instead of silently breaking an existing policy.
2013-06-19 16:31:06 +02:00
Martin Willi
a7bc0bf4a6
ike: reuse the reqid of an installed trap having the same config
...
When we have a trap installed, but a CHILD_SA gets established for the same
config from the peer, we should reuse the same reqid. Otherwise we would have
two identical policies using different reqids, what we can't handle in our
kernel backend.
2013-06-19 16:30:40 +02:00
Martin Willi
2dcfc6983b
trap-manager: add a method to find reqid for installed traps by config
2013-06-19 16:30:40 +02:00