aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * ikev2: Use a more dynamic vendor ID database, as we use with IKEv1Martin Willi2014-01-231-16/+57
|/
* Merge branch 'chunk-mmap'Martin Willi2014-01-2321-270/+475
|\ | | | | | | | | Introduces file mmap/munmap() wrappers and provides a fallback if mmap() is not supported. Replaces all mmap() uses by the new functions.
| * libpts: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-29/+5
| |
| * tnccs: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-232-27/+6
| |
| * pem: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-29/+6
| |
| * stroke: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-30/+6
| |
| * radattr: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-40/+8
| |
| * libfast: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-29/+10
| |
| * integrity-checker: Use chunk_map() instead of non-portable mmap()Martin Willi2014-01-231-31/+6
| |
| * chunk: Externalize error reporting in chunk_write()Martin Willi2014-01-236-30/+52
| | | | | | | | | | This avoids passing that arbitrary label just for error messages, and gives greater flexibility in handling errors.
| * chunk: Provide a fallback chunk_map() if mmap is not availableMartin Willi2014-01-232-2/+47
| |
| * chunk: Use dynamically allocated buffer in chunk_from_fd()Martin Willi2014-01-2310-25/+183
| | | | | | | | | | | | | | | | When acting on files, we can use fstat() to estimate the buffer size. On non-file FDs, we dynamically increase an allocated buffer. Additionally we slightly change the function signature to properly handle zero-length files and add appropriate unit tests.
| * chunk: Add functions to map file contents to a chunkMartin Willi2014-01-233-1/+149
|/
* Merge branch 'unity-fixes'Tobias Brunner2014-01-232-34/+54
|\ | | | | | | | | | | Improves compatibility with the Cisco and Shrew clients. Fixes #445.
| * unity: Send all traffic selectors in a single UNITY_SPLIT_INCLUDE attributeTobias Brunner2014-01-231-35/+47
| | | | | | | | Cisco clients only handle the first such attribute.
| * unity: Change local TS to 0.0.0.0/0 as responderTobias Brunner2014-01-231-4/+7
| | | | | | | | | | Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is used, otherwise Quick Mode fails.
| * unity: Send UNITY_SPLIT_INCLUDE attributes with proper paddingTobias Brunner2014-01-231-11/+16
|/ | | | | | The additional 6 bytes are not actually padding but are parsed by the Cisco client as protocol and src and dst ports (each two bytes but strangely only the first two in network order).
* Merge branch 'ipcomp'Tobias Brunner2014-01-2341-11/+522
|\ | | | | | | | | | | | | | | Fixes compatibility issues between firewall rules (leftfirewall=yes) and IPComp (compress=yes), plus issues with IPComp when used with multiple subnets in left|rightsubnet. Fixes #436.
| * testing: Add ikev2/host2host-transport-nat scenarioTobias Brunner2014-01-239-0/+146
| |
| * testing: Add ipv6/rw-compress-ikev2 scenarioTobias Brunner2014-01-239-0/+125
| |
| * testing: Add ikev2/compress-nat scenarioTobias Brunner2014-01-2312-0/+187
| |
| * testing: Enable firewall for ikev2/compress scenarioTobias Brunner2014-01-238-7/+14
| | | | | | | | | | Additionally, send a regular (small) ping as the kernel does not compress small packets and handles those differently inbound.
| * kernel-netlink: Set selector on transport mode IPComp SAsTobias Brunner2014-01-231-1/+1
| |
| * kernel-netlink: Selectively add selector on SAs that use IPCompTobias Brunner2014-01-231-1/+7
| | | | | | | | | | | | Don't add a selector to tunnel mode SAs, these might serve multiple traffic selectors but with only one selector on the SA only the traffic matching the first one would actually get tunneled.
| * updown: Increase buffer size for script and environment variablesTobias Brunner2014-01-231-1/+1
| |
| * updown: Allow IPIP traffic if IPComp was negotiatedTobias Brunner2014-01-231-0/+31
| | | | | | | | | | | | | | | | | | | | | | The kernel implicitly creates an IPIP SA if an IPComp SA is installed. This SA is used inbound for small packets that are not compressed. Since the addresses are different (they are the tunnel addresses not those of the tunneled traffic) additional rules are required if the traffic selector does not cover the tunnel addresses (e.g. due to a NAT). For SAs with multiple traffic selectors duplicate rules will get installed.
| * updown: Add PLUTO_IPCOMP to indicate if IPComp was negotiatedTobias Brunner2014-01-232-1/+10
|/
* curl: Replace spaces in URIs with %20Tobias Brunner2014-01-231-3/+14
| | | | | | | cURL requires the URIs to be URL-encoded. Apparently, some CAs encode CRL URIs with spaces in them. Fixes #454.
* utils: Add strreplace functionTobias Brunner2014-01-233-2/+155
|
* stroke: Ensure the buffer of strings in a stroke_msg_t is null-terminatedTobias Brunner2014-01-231-2/+5
| | | | | Otherwise a malicious user could send an unterminated string to cause unterminated reads.
* stroke: Add an option to prevent log level changes via stroke socketTobias Brunner2014-01-232-2/+18
|
* pki: Make sure no command registers too many optionsTobias Brunner2014-01-232-4/+11
|
* pki: Increase MAX_COMMANDS to cover all currently available commandsTobias Brunner2014-01-231-2/+2
| | | | Fixes #452.
* pki: Print a warning if MAX_COMMANDS is too lowTobias Brunner2014-01-231-0/+7
|
* pki: Properly use ?: when defining option arraysTobias Brunner2014-01-231-2/+2
|
* configure: Add -Wno-format-security to default CFLAGSTobias Brunner2014-01-231-1/+1
| | | | | | Either due to a change in Ubuntu 13.10 or GCC 4.8 -Wno-format has no effect if -Wformat-security is enabled (which it is on Ubuntu) so we also disable the latter by default.
* agent: Keep CAP_DAC_OVERRIDE to connect to ssh-agent socketTobias Brunner2014-01-234-14/+10
| | | | This is also required if charon-cmd is used with capability dropping.
* ike: Simplify error handling if name resolution failedTobias Brunner2014-01-231-16/+3
| | | | | | | This avoids a second name resolution attempt just to determine if %any etc. was configured. Fixes #440.
* ike: Use proper hostname(s) when name resolution failedTobias Brunner2014-01-231-1/+1
| | | | | | Was wrong since 0edce687675df8f10f4026fa12a8fc3b3dd003f5. Fixes #440.
* ikev2: Wipe (optional) shared secret during CHILD_SA key derivationTobias Brunner2014-01-231-11/+14
|
* checksum must be the last subdir includedTobias Brunner2014-01-231-4/+4
| | | | | | | Otherwise charon-cmd will not yet be installed when the checksums are calculated (now from the install dir, not the build dir). Fixes #496.
* unit-tests: Pass a test suite collection name to print during test executionMartin Willi2014-01-224-9/+12
| | | | | As we except to get more and more test runners for the different components, we add a name to easily identify them on the test output.
* array: Add an array_get() functionMartin Willi2014-01-223-3/+44
|
* watcher: Don't complain if select() syscall got interruptedMartin Willi2014-01-221-1/+1
|
* stream: Make sure no watcher callback is active while changing stream callbacksMartin Willi2014-01-221-14/+3
| | | | | | | | | | | When changing async callbacks on streams, we have to make sure the watcher callback is not currently active and has temporarily disabled callbacks. This could have been the case, as we didn't explicitly removed any pending watcher registration if both callbacks are NULL. By enforcing the watcher unregistration, we are sure the watcher callback is not active and currently is not mangling the callback hooks. This should make sure we avoid any races for the callback variables.
* checksum: Read executables from DESTDIRTobias Brunner2014-01-211-7/+7
| | | | | | | This allows to recreate the checksums after the installed binaries have been modified e.g. with strip. Fixes #491.
* man: Add documentation of the dhcp interface optionThomas Egerer2014-01-201-0/+5
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* dhcp: Allow binding of socket to particular interfaceThomas Egerer2014-01-201-0/+34
| | | | | | | | | In certain situations it is desirable to bind the send/receive sockets for the DHCP address allocation to a particular interface. With this patch the strongswan.conf option charon.plugins.dhcp.interface can be used to restrict the DHCP communication to a configurable interface. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* proposal: Add possibility to register custom proposal keyword parserThomas Egerer2014-01-202-2/+66
| | | | | | | | | If a proposal string cannot be matched to a token using strcmp (e.g. if you want to register a whole class of algorithms containing their ID, like my_alg_2342), you can use the provided function to register a parser that transforms the given string into a proposal token. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Add environment variable to reduce the number of generated keysTobias Brunner2014-01-202-2/+14
| | | | | | | If TESTS_REDUCED_KEYLENGTHS is set RSA and ECDSA keys are only generated for the lowest configured key length. Fixes #474.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 07:24:48 +0000