aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* mem-pool: Document reassign_online optionTobias Brunner2015-02-121-0/+4
|
* man: Document IKEv2 fragmentation in ipsec.conf(5)Tobias Brunner2015-02-101-4/+5
|
* configure: Load SQL backends after crypto pluginsTobias Brunner2015-02-101-2/+2
| | | | | | | | | If the MySQL client library is linked against OpenSSL the mysql plugin will cause a segmentation fault when it is unloaded after the openssl plugin has already been deinitialized. This is very similar to the issues with curl (see 44b6a34d438f). Fixes #814.
* stroke: Double the stroke message string buffer sizeMartin Willi2015-02-061-1/+1
|
* starter: Fail sending stroke message if a string exceeds the buffer sizeMartin Willi2015-02-061-1/+13
| | | | | | | Instead of silently setting the string value to NULL, we fail completely in sending the message to notify the user. Fixes #844.
* x509: Fix public key reference leak if authority key identifier does not matchMartin Willi2015-02-061-10/+12
|
* vici: Fix ruby gem author emailMartin Willi2015-01-221-1/+1
|
* trusted_enumerate requires an additional argumentAndreas Steffen2015-01-211-1/+1
|
* vici: Fix README example encoding element type values, off by oneMartin Willi2015-01-211-10/+10
| | | | | | | While we fixed the wrong values in the description with d39e04b5, the example values are still off by one. Fixes #828.
* libtls: Check for CHANGE_CIPHER_SPEC type only if upper layer returns NEED_MOREMartin Willi2015-01-121-6/+5
| | | | | | | A type is returned only if upper layers successfully created a record, that is returns NEED_MORE. If we do not check for the return value, we might check a previous record or the uninitialized type variable and falsely reset the sequence number.
* starter: Fix mark_out.mask in starter_cmp_conn()Maks Naumov2015-01-121-1/+1
|
* _updown: Remove obsolete man pagesTobias Brunner2015-01-054-33/+0
|
* Updated RFC3779 certificates5.2.2Andreas Steffen2014-12-2832-309/+440
|
* Version bump to 5.2.2Andreas Steffen2014-12-231-1/+1
|
* unit-tests: Adapted to coverity fixesAndreas Steffen2014-12-232-12/+27
|
* Fixed bad bit shift and sign extension errorsAndreas Steffen2014-12-234-10/+34
|
* bliss: Remove unnecessary cast to doubleTobias Brunner2014-12-231-1/+1
| | | | | | Coverity is still not happy when the result of an integer division is assigned to a double (without e.g. casting the result to an int first to indicate the intent). The shift should avoid this issue.
* bliss: Log type if unsupportedTobias Brunner2014-12-231-1/+1
|
* bliss: Make sure sampler exists after checking for it earlierTobias Brunner2014-12-231-2/+2
|
* pts: Do not override status with SUCCESS if length is invalidTobias Brunner2014-12-231-1/+2
|
* NEWS: Added info about CVE-2014-9221Tobias Brunner2014-12-231-0/+8
|
* ikev2: Only touch the DH object if we have a matching proposalTobias Brunner2014-12-231-11/+17
|
* crypto: Define MODP_CUSTOM outside of IKE DH rangeTobias Brunner2014-12-239-14/+17
| | | | | | | | | Before this fix it was possible to crash charon with an IKE_SA_INIT message containing a KE payload with DH group MODP_CUSTOM(1025). Defining MODP_CUSTOM outside of the two byte IKE DH identifier range prevents it from getting negotiated. Fixes CVE-2014-9221.
* pki: Document correct output formats for --pkcs12 --exportTobias Brunner2014-12-191-2/+2
|
* pki: Properly clean up if output format for --pkcs12 is wrongTobias Brunner2014-12-191-0/+2
|
* kernel-netlink: Add missing documentation for two optionsTobias Brunner2014-12-191-0/+6
|
* Merge branch 'osx-app'Martin Willi2014-12-1834-21/+4742
|\ | | | | | | | | Mainline the OS X App providing the graphical user interface for the charon-xpc privileged helper.
| * osx: Update the README with App related bitsMartin Willi2014-12-171-9/+15
| |
| * osx: Initial import of the Objective-C App graphical user interfaceMartin Willi2014-12-1727-9/+4681
| |
| * apple: Redefine some additional clashing Mach typesMartin Willi2014-12-164-3/+13
| | | | | | | | | | | | While they usually are not included in a normal strongSwan build, the XPC header indirectly defines these Mach types. To build charon-xpc, which uses both XPC and strongSwan includes, we have to redefine these types.
| * kernel-pfroute: If a new interface appears, slightly delay address enumerationMartin Willi2014-12-161-0/+9
| | | | | | | | | | | | | | On OS X 10.10, when installing a virtual IP on a tun device, there is a chance that a RTM_IFANNOUNCE is sent before the IP is ready on that link when calling getifaddrs(). As we don't get an RTM_NEWADDR event either, that race lets us miss the virtual IP install event, failing the add_ip() call.
| * charon-xpc: Add a work-around to trigger IP address add events after bootMartin Willi2014-12-161-0/+24
|/
* mgf1: Use correct Doxygen groupsTobias Brunner2014-12-152-4/+4
|
* bliss: Fix Doxygen commentsTobias Brunner2014-12-152-6/+6
|
* Fixed some typos, courtesy of codespellTobias Brunner2014-12-153-4/+4
|
* kernel-pfkey: Fix replay window size on FreeBSD and Mac OS XTobias Brunner2014-12-151-0/+6
| | | | | | | | | The FreeBSD and Mac OS X kernels interpret sadb_sa_replay as the size of the replay window in bytes. Linux on the other hand does the same for PF_KEY it does for XFRM so sadb_sa_replay denotes the number of packets/bits in the window. Similarly, the window size on Linux is limited to 32 by the four byte default bitmap used for IPsec SAs (may only be changed with XFRMA_REPLAY_ESN_VAL), which is not the case on the other platforms.
* Updated BLISS CA certificate in ikev2/rw-ntru-bliss scenario5.2.2rc1Andreas Steffen2014-12-123-0/+0
|
* Also initialize s_signAndreas Steffen2014-12-121-1/+1
|
* pem: Handle BER indefinite length encoding as binary ASN.1Martin Willi2014-12-121-1/+24
| | | | | | While our ASN.1 parser can't handle BER indefinite length encoding, the OpenSSL backend can. Some PKCS#12 containers get encoded this way, so we should support loading such files in the pem plugin.
* pki: Add command to export certificates and keys from PKCS#12 containersTobias Brunner2014-12-122-9/+112
|
* pki: Reformat PKCS#12 output and add an index for each certificate/keyTobias Brunner2014-12-122-14/+17
|
* pki: Add simple PKCS#12 display commandTobias Brunner2014-12-125-1/+204
|
* pki: Load hmac plugin which is required to decrypt PKCS#12 containersTobias Brunner2014-12-121-1/+1
|
* pki: Cache entered secrets in case they are needed more than onceTobias Brunner2014-12-121-2/+23
|
* ike: Allow creation of internally used payloadsTobias Brunner2014-12-121-1/+1
| | | | | | | Since 42e0a317c64b ("ike: Only parse payloads valid for the current IKE version") payload types are checked before creating objects. This check failed for internally used payload types (e.g. proposal substructures), which have a type >= 256, i.e. outside the IKE payload type range.
* Cache only support fingerprint typesAndreas Steffen2014-12-121-2/+4
|
* Fix ambiguities and gcc compiler warningAndreas Steffen2014-12-121-3/+3
|
* apple: Use precancelable poll() to wrap accept/recvmsg callsMartin Willi2014-12-121-1/+5
| | | | | | To make accept/recvmsg cancelable, we wrap them with poll. As poll itself does not honor pending cancellations when entering the function, we use our variant that checks for pending cancellation requests before entering poll().
* Version bump to 5.2.2rc1Andreas Steffen2014-12-121-1/+1
|
* Updated BLISS scenario keys and certificates to new formatAndreas Steffen2014-12-128-0/+0
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-16 14:00:29 +0000