aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Version bump to 5.5.35.5.3Andreas Steffen2017-05-292-4/+4
|
* NEWS: Add info about CVE-2017-9022/23Tobias Brunner2017-05-291-0/+12
|
* x509: nameConstraints sequence does not require a loopAndreas Steffen2017-05-291-2/+1
| | | | Fixes: CVE-2017-9023
* unit-tests: Updated asn1-parser testsAndreas Steffen2017-05-291-1/+105
|
* asn1-parser: Fix CHOICE parsingAndreas Steffen2017-05-293-75/+134
| | | | Fixes: CVE-2017-9023
* gmp: Make sure the modulus is odd and the exponent not zeroTobias Brunner2017-05-291-1/+6
| | | | | | | | | Unlike mpz_powm() its secure replacement mpz_powm_sec() has the additional requirement that the exponent must be > 0 and the modulus has to be odd. Otherwise, it will crash with a floating-point exception. Fixes: CVE-2017-9022 Fixes: 3e35a6e7a1b0 ("Use side-channel secured mpz_powm_sec of libgmp 5, if available")
* imv-swid: Fixed memory leak in http REST interfaceAndreas Steffen2017-05-291-17/+19
|
* leak-detective: Whitelisted memory leaks in FHH IMCs and IMVsAndreas Steffen2017-05-291-0/+3
|
* imv-test: Fixed memory leak in server retry use caseAndreas Steffen2017-05-291-0/+2
|
* libtnccs: Fixed memory leak of global variables in libxml2Andreas Steffen2017-05-291-1/+4
|
* ike-cfg: Fix memory leak when matching against rangesTobias Brunner2017-05-291-1/+1
| | | | | | | traffic_selector_t::to_subnet() always sets the net/host (unless the address family was invalid). Fixes: 3070697f9f7c ("ike: support multiple addresses, ranges and subnets in IKE address config")
* NEWS: Added some newsTobias Brunner2017-05-261-0/+40
|
* ike: Apply retransmission_limit before applying the jitterTobias Brunner2017-05-262-8/+8
|
* eap-sim-file: Remove redundant enumerator allocationTobias Brunner2017-05-261-1/+1
|
* sql: Remove redundant enumerator allocationTobias Brunner2017-05-261-1/+1
| | | | | | Interestingly, this doesn't show up in the regression tests because the compiler removes the first assignment (and thus the allocation) due to -O2 that's included in our default CFLAGS.
* testing: Add wrapper around service commandTobias Brunner2017-05-261-0/+22
| | | | | | | | When charon is started via service command LEAK_DETECTIVE_LOG is not set because the command strips the environment. Since we only want the variable to be set during the automated test runs we can't just set it in /etc/default/charon. Instead, we do so in this wrapper when charon is started and remove the variable again when it is stopped.
* Fixed some typos, courtesy of codespellTobias Brunner2017-05-2610-13/+13
|
* apidoc: Add legacy README so links get properly resolvedTobias Brunner2017-05-262-2/+2
| | | | | Also reorders the input files so the READMEs are listed first in the navigation menu on the left.
* testing: Added swanctl/rw-eap-md5-id-rsa scenarioAndreas Steffen2017-05-269-0/+160
|
* README: Converted to swanctl configuration schemeAndreas Steffen2017-05-262-1146/+1842
|
* Merge branch 'variadic-enumerators'Tobias Brunner2017-05-26128-1961/+2911
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds several changes to enumerator_t and linked_list_t to improve portability. In particular to Apple's ARM64 iOS platform, whose calling convention for variadic and regular functions are different. This means that assigning a non-variadic function to a variadic function pointer, as we did with our enumerator_t::enumerate() implementations and several callbacks, will result in crashes as the called function will access the arguments differently than the caller provided them. To avoid this issue the enumerator_t interface is now fully variadic. A new mandatory method is added, venumerate(), that takes a va_list with the arguments provided while enumerating. enumerate() is replaced with a generic implementation that prepares a va_list and calls the enumerator's venumerate() implementation. As this allows passing the arguments of one enumerator to another it avoids the five pointer hack used by enumerator_create_nested() and enumerator_create_cleaner(). To simplify the implementation of venumerate() a helper macro is provided that assigns values from a given va_list to local variables. The signature of the callback passed to enumerator_create_filter() has also changed significantly. It's now required to enumerate over the original enumerator in the callback as this avoids the previous in/out pointer hack. The arguments to the outer enumerator are provided in a va_list. Similar changes to avoid such five pointer hacks affect the signatures of the callbacks for linked_list_t's invoke_function() and find_first() methods. For the latter the return type also changed from status_t to bool, which is important as SUCCESS is defined as 0, so checks for == SUCCESS will now fail.
| * linked-list: Change return value of find_first() and signature of its callbackTobias Brunner2017-05-2629-397/+525
| | | | | | | | This avoids the unportable five pointer hack.
| * linked-list: Change interface of callback for invoke_function()Tobias Brunner2017-05-269-54/+98
| | | | | | | | This avoids the unportable five pointer hack.
| * linked-list: invoke_offset() doesn't take any additional arguments anymoreTobias Brunner2017-05-263-18/+16
| |
| * Change interface for enumerator_create_filter() callbackTobias Brunner2017-05-2650-929/+1331
| | | | | | | | | | This avoids the unportable 5 pointer hack, but requires enumerating in the callback.
| * Migrate all enumerators to venumerate() interface changeTobias Brunner2017-05-2668-560/+851
| |
| * enumerator: Add venumerate() method to enumerator_t that takes a va_listTobias Brunner2017-05-262-8/+51
| | | | | | | | | | | | | | | | | | | | This will allow us to implement e.g. enumerator_cleaner without having to use that unportable 5 pointer forwarding or having to define a callback for each instance. A generic implementation for enumerate() is provided so only venumerate() has to be implemented, which may be simplified by using the VA_ARGS_VGET() macro.
| * utils: Add helper macros to read variadic arguments into local variablesTobias Brunner2017-05-261-2/+46
|/
* testing: Fix ikev2/two-certs scenarioTobias Brunner2017-05-261-1/+1
| | | | | | | Since 6a8a44be88b0 the certificate received by the client is verified first, before checking the cached certificates for any with matching identities. So we usually don't have to attempt to verify the signature with wrong certificates first and can avoid this message.
* Merge branch 'sha-256-96'Tobias Brunner2017-05-2613-1/+48
|\ | | | | | | | | | | | | | | | | Adds an option to locally configure 96-bit truncation for HMAC-SHA256 when negotiated using the official algorithm identifier. This is for compatibility with peers that incorrectly use this shorter truncation (like Linux does by default). Fixes #1353.
| * vici: Make 96-bit truncation for SHA-256 configurableTobias Brunner2017-05-262-0/+20
| |
| * stroke: Make 96-bit truncation for SHA-256 configurableTobias Brunner2017-05-269-1/+17
| |
| * child-cfg: Optionally use 96-bit truncation for HMAC-SHA-256Tobias Brunner2017-05-262-0/+11
|/ | | | | | | | The correct truncation is 128-bit but some implementations insist on using 96-bit truncation. With strongSwan this can be negotiated using an algorithm identifier from a private range. But this doesn't work with third-party implementations. This adds an option to use 96-bit truncation even if the official identifier is used.
* android-log: Link against liblogTobias Brunner2017-05-261-0/+1
|
* unit-tests: Fix test_chunk_eq() if arguments have side-effectsTobias Brunner2017-05-241-1/+1
|
* Merge branch 'avoid-rekey-loss'Tobias Brunner2017-05-2317-395/+1667
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This changes the behavior during IKEv2 CHILD_SA rekeyings to avoid traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA the responder already has everything available to install and use the new CHILD_SA. However, this could lead to lost traffic as the initiator won't be able to process inbound packets until it processed the CREATE_CHILD_SA response and updated the inbound SA. To avoid this the responder now only installs the new inbound SA and delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA. The messages transporting these DELETEs could reach the peer before packets sent with the deleted outbound SAs reach the respective peer. To reduce the chance of traffic loss due to this the inbound SA of the replaced CHILD_SA is not removed for a configurable amount of seconds after the DELETE has been processed. Fixes #1291.
| * unit-tests: Check installed IPsec SAs in child-rekey testsTobias Brunner2017-05-231-3/+94
| |
| * unit-tests: Add assert to check for installed IPsec SAsTobias Brunner2017-05-232-3/+115
| |
| * unit-tests: Migrate cached IPsec SAs to new IKE_SAs during rekeyingTobias Brunner2017-05-231-0/+42
| |
| * unit-tests: Keep track of installed IPsec SAs in mock kernel_ipsec_t ↵Tobias Brunner2017-05-232-4/+136
| | | | | | | | implementation
| * child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAsTobias Brunner2017-05-234-128/+422
| | | | | | | | | | | | | | | | After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.
| * delete-child-sa-job: Add new constructor that takes the unique ID of a CHILD_SATobias Brunner2017-05-232-13/+69
| | | | | | | | | | This makes sure we delete the right SA in case the addresses got updated in the mean time.
| * child-sa: Remove state to track installation of half the SA againTobias Brunner2017-05-236-62/+47
| |
| * unit-tests: Overload helper macro to check for outbound SA stateTobias Brunner2017-05-231-2/+30
| |
| * child-sa: Expose state of the outbound SATobias Brunner2017-05-232-17/+61
| |
| * child-sa: Add method to remove the outbound SA and policiesTobias Brunner2017-05-232-5/+78
| |
| * child-sa: Keep track whether the outbound SA has been installed or notTobias Brunner2017-05-231-8/+13
| |
| * child-delete: Track flags per individual CHILD_SATobias Brunner2017-05-231-47/+78
| |
| * ikev2: Delay installation of outbound SAs during rekeying on the responderTobias Brunner2017-05-234-30/+124
| | | | | | | | | | | | | | | | The responder has all the information needed to install both SAs before the initiator does. So if the responder immediately installs the outbound SA it might send packets using the new SA which the initiator is not yet able to process. This can be avoided by delaying the installation of the outbound SA until the replaced SA is deleted.
| * child-sa: Add log message for CHILD_SA state changesTobias Brunner2017-05-231-0/+4
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-06 20:50:06 +0000