aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* testing: Report time required for all scenarios on test overview pageTobias Brunner2015-11-091-4/+13
|
* ike-sa-manager: Signal entries that we don't actually check outTobias Brunner2015-11-091-1/+8
| | | | | | | | | In some cases we call wait_for_entry() but don't actually check out the entry afterwards (e.g. because it doesn't match certain criteria). So there won't be a call to checkin() for such entries causing waiting threads to get signaled. Instead, such threads would be blocked until another thread properly checks out/in the entry (or does a blocking enumeration).
* ike-sa-manager: Signal waiting threads after check out/in for uniqueness checkTobias Brunner2015-11-091-0/+3
| | | | Fixes 758b1caa0e75 ("ikev1: Prevent deadlock when checking for duplicate IKEv1 SAs")
* testing: Remove old SWID tags when building from repositoryTobias Brunner2015-11-091-0/+3
| | | | This fixes the TNC-PDP scenarios.
* testing: Don't log anything to the console if auth.log or daemon.log do not ↵Tobias Brunner2015-11-091-2/+2
| | | | exist
* testing: Simplify fetching of swanctl --list-* outputTobias Brunner2015-11-091-20/+8
|
* testing: Don't run redundant crypto tests in sql/rw-cert scenarioTobias Brunner2015-11-091-4/+1
| | | | | They run in all other rw-cert scenarios but in the SQL version there is no change in the loaded crypto plugins.
* testing: Fix CRL URIs in ipv6/net2net-ip4-in-ip6-ikev* scenariosTobias Brunner2015-11-092-2/+2
|
* testing: Speed up OCSP scenariosTobias Brunner2015-11-093-4/+4
| | | | | Don't make clients wait for the TCP connections to timeout by dropping packets. By rejecting them the OCSP requests fail immediately.
* testing: Speed up ifdown calls in ikev2/mobike scenariosTobias Brunner2015-11-093-1/+13
| | | | | | ifdown calls bind's rndc, which tries to access TCP port 953 on lo. If these packets are dropped by the firewall we have to wait for the TCP connections to time out, which takes quite a while.
* testing: Avoid delays with ping by using -W and -i optionsTobias Brunner2015-11-0933-55/+55
| | | | | | With -W we reduce timeouts when we don't expect a response. With -i the interval between pings is reduced (mostly in case of auto=route where the first ping yields no reply).
* testing: Remove nearly all sleep calls from pretest and posttest scriptsTobias Brunner2015-11-09303-452/+500
| | | | | By consistently using the `expect-connection` helper we can avoid pretty much all previously needed calls to sleep.
* ikev1: Fix calculation of DPD timeoutTobias Brunner2015-11-091-0/+2
| | | | | A DPD timeout job is queued whenever a DPD is sent, i.e. after the DPD delay already has elapsed, so we have to compensate for that.
* testing: Adapt tests to retransmission settings and reduce DPD delay/timeoutTobias Brunner2015-11-0926-43/+43
|
* ipsec: Quit script quicker for ipsec stopTobias Brunner2015-11-091-2/+2
| | | | | | | It rarely takes 1 second or longer to terminate the daemon. This decreases the runtime of the post test step a lot where `ipsec stop` is called for multiple hosts in each test case (10-15 minutes over all test cases).
* testing: Only send two retransmits after 1 second each to fail negative ↵Tobias Brunner2015-11-091-0/+6
| | | | tests earlier
* testing: Add a base strongswan.conf file used by all hosts in all scenariosTobias Brunner2015-11-092-0/+2
| | | | | | We will use this to set some defaults (e.g. timeouts to make testing negative tests quicker). We don't want these settings to show up in the configs of the actual scenarios though.
* xauth: Call authorize() hook also when xauth-noauth is usedTobias Brunner2015-11-091-2/+8
| | | | Fixes #1138.
* libtnccs: Optionally use RTLD_NOW to load IMC/IMVs with dlopen()Tobias Brunner2015-11-093-4/+16
|
* plugin-loader: Optionally use RTLD_NOW with dlopen()Tobias Brunner2015-11-092-6/+15
| | | | | | | | | This can be useful when writing custom plugins as typos or missing linker flags that result in unresolved symbols in the shared object could otherwise cause late crashes. In particular, if such a symbol is used in a code path that is rarely executed. During development and testing using RTLD_NOW instead of RTLD_LAZY will prevent the plugin from getting loaded and makes the error visible immediately.
* windows: Define RTLD_NOW, even if it is not usedTobias Brunner2015-11-091-0/+5
|
* kernel-pfkey: Enable ENCR_AES_CTR when it's availableRenato Botelho2015-11-091-1/+3
| | | | | | Obtained-from: pfSense Sponsored-by: Rubicon Communications (Netgate) Closes strongswan/strongswan#17.
* vici: Add NAT information when listing IKE_SAsTobias Brunner2015-11-092-0/+21
| | | | | | | | | | The `nat-local` and `nat-remote` keys contain information on the NAT status of the local and remote IKE endpoints, respectively. If a responder did not detect a NAT but is configured to fake a NAT situation this is indicated by `nat-fake` (if an initiator fakes a NAT situation `nat-local` is set). If any NAT is detected or faked `nat-any` is set. Closes strongswan/strongswan#16.
* Merge branch 'iv-gen-null-encr'Tobias Brunner2015-11-0916-1/+1348
|\ | | | | | | | | | | Fixes NULL encryption in libipsec. Fixes #1174.
| * testing: Add libipsec/net2net-null scenarioTobias Brunner2015-11-0911-0/+1245
| |
| * iv-gen: Use NULL IV generator for NULL encryptionTobias Brunner2015-11-091-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | We don't need an IV for NULL encryption, so we wouldn't technically need an IV generator. But some of the code currently relies on an IV generator to be present. So we don't have to change that code and handle IV size == 0 specially we use the new NULL IV generator, which handles this transparently to the existing code. Before 3c81cb6fc322 ("aead: Create AEAD using traditional transforms with an explicit IV generator") iv_gen_rand_t was used for NULL encryption, which would work too but this way it's clearer.
| * crypto: Add NULL IV generatorTobias Brunner2015-11-094-1/+98
|/ | | | | This does not actually allocate an IV and only accepts requests for size == 0.
* configure: Load sha1 and random plugins in manager by defaultTobias Brunner2015-11-091-3/+3
| | | | | | | | | If the openssl plugin is not enabled we need these to generate session IDs and to authenticate the users. The md4 plugin is not needed in the manager. Fixes #1168.
* stroke: Make down-nb actually non-blockingTobias Brunner2015-11-091-31/+40
| | | | Fixes #1191.
* Version bump to 5.3.4dr2Andreas Steffen2015-11-061-1/+1
|
* testing: Updated hasher testsAndreas Steffen2015-11-062-4/+83
|
* Explicitly mention SHA2 algorithm in BLISS OIDs and signature schemesAndreas Steffen2015-11-0612-89/+109
|
* Version bump to 5.3.4dr15.3.4dr1Andreas Steffen2015-11-042-1/+10
|
* Use word-aligned XOR in sha3_absorb()Andreas Steffen2015-11-031-4/+47
|
* testing: BLISS CA uses SHA-3 in its CRLAndreas Steffen2015-11-038-5/+9
|
* Support BLISS signatures with SHA-3 hashAndreas Steffen2015-11-0310-9/+52
|
* Implemented SHA-3 hash algorithm including test vectorsAndreas Steffen2015-11-0310-1/+1034
|
* Defined SHA-3 hashersAndreas Steffen2015-11-033-10/+59
|
* testing: Update tkm to version 0.1.3Tobias Brunner2015-10-301-1/+1
| | | | | | Adds XFRM state/policy flush when terminating which caused tests to fail due to the check added with 9086f060d35a ("testing: Let test scenarios fail if IPsec SAs or policies are not removed").
* libipsec: Properly support CAMELLIA in CTR modeTobias Brunner2015-10-301-0/+1
|
* ikev2: Fix size of key material for CAMELLIA-CTRTobias Brunner2015-10-301-0/+1
| | | | Like AES in CTR mode it includes a 4 byte nonce.
* libipsec: Fix crypter lookup for AES-CTRTobias Brunner2015-10-301-1/+12
| | | | | | | | | | | | Due to the nonce, the ESP key material is four bytes longer than needed for the actual AES key. The crypto plugins, however, register their AES-CTR implementations with the AES key length, so the lookup here failed. For IKEv2 the key material is allocated after creating a crypter instance with the negotiated AES key size. The length of the actual key material is retrieved via get_key_size(), which adds the four bytes to the AES key length. Fixes #1124.
* ike-mobike: Send retransmits to the current local and remote addressesTobias Brunner2015-10-301-1/+5
| | | | | | These might have changed by a peer-initiated MOBIKE address update. Fixes #1125.
* Merge branch 'ikev1-cache-informational'Tobias Brunner2015-10-301-15/+81
|\ | | | | | | | | | | | | | | | | | | | | | | | | With these changes an INFORMATIONAL message (e.g. with an INITIAL_CONTACT notify) that arrives while a responder is waiting for the last Aggressive Mode request gets queued and delivered later. Previously such messages caused the IKE_SA to fail as some tasks waiting for the last AM message fail when trying to handle the INFORMATIONAL message. Therefore, all other messages, such as TRANSACTION and QUICK_MODE requests, are now dropped until AM is complete. These don't have to be cached as they get retransmitted by the other peer. Fixes #1130.
| * ikev1: Handle queued INFORMATIONAL message after receiving the last AM requestTobias Brunner2015-10-301-0/+16
| |
| * ikev1: Queue INFORMATIONAL request if AM is not complete yetTobias Brunner2015-10-301-6/+13
| |
| * ikev1: Handle queued TRANSACTION messages only after processing repliesTobias Brunner2015-10-301-1/+2
| |
| * ikev1: Extract queueing of TRANSACTIONAL requests when MM is not complete yetTobias Brunner2015-10-301-17/+27
| |
| * ikev1: Drop TRANSACTION/QUICK_MODE requests until we received the last AM ↵Tobias Brunner2015-10-301-0/+32
|/ | | | message
* ikev1: Make maximum number of IKEv1 phase 2 exchanges we keep state about ↵Tobias Brunner2015-10-302-9/+15
| | | | | | configurable Fixes #1128.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 12:04:01 +0000