aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Version bump to 5.6.1dr15.6.1dr1Andreas Steffen2017-09-013-2/+15
|
* imv-os: Updated security update evaluationAndreas Steffen2017-09-017-38/+39
|
* libimcv: Updated database schemeAndreas Steffen2017-09-011-5/+11
|
* sec-updater: Checks for security updatesAndreas Steffen2017-09-0110-362/+269
| | | | | | sec-updater checks for security updates and backports in Debian/ Ubuntu repositories and sets the security flags in the strongTNC policy database accordingly.
* imv-attestation: Fixed file hash measurementsAndreas Steffen2017-09-019-49/+131
| | | | | | The introduction of file versions broke file hash measurements. This has been fixed by using a generic product versions having an empty package name.
* ike-cfg: Fix memory leak when checking for configured addressTobias Brunner2017-08-291-0/+1
|
* sw-collector.8: Some cleanupsAndreas Steffen2017-08-251-9/+9
|
* kernel-netlink: Set usable state whenever an interface appearsTobias Brunner2017-08-231-2/+2
| | | | | | | | If an interface is renamed we already have an entry (based on the ifindex) allocated but previously only set the usable state once based on the original name. Fixes #2403.
* libimcv: Updated Android.mk after move of swid-gen(-info)Tobias Brunner2017-08-211-0/+2
|
* coverage: Use absolute path when removing paths with lcovTobias Brunner2017-08-211-1/+1
| | | | | | There is a bug in some versions of lcov that causes it to fail writing to files via relative paths after it issued warnings (e.g. due to negative counts in the tracefile).
* traffic-selector: Use single buffer for both address familiesTobias Brunner2017-08-172-159/+102
| | | | | | | | The generic field of size 0 in the union that was used previously triggered index-out-of-bounds errors with the UBSAN sanitizer that's used on OSS-Fuzz. Since the two family specific union members don't really provide any advantage, we can just use a single buffer for both families to avoid the errors.
* testing: Make removal of SWID tags work with different releasesTobias Brunner2017-08-161-2/+1
| | | | The regid.2004-03.org.strongswan directory might not exist in new images.
* fuzzing: Also run input that previously caused crashesTobias Brunner2017-08-151-0/+2
|
* configure: Detect mpz_powm_sec() when built with -WerrorTobias Brunner2017-08-151-2/+2
|
* travis: Use the same ASAN_OPTIONS as used by OSS-FuzzTobias Brunner2017-08-151-0/+8
|
* plugin-loader: Move indent variables into !USE_FUZZING blockTobias Brunner2017-08-151-2/+2
| | | | This avoids compile errors on Travis.
* travis: Run fuzz targetsTobias Brunner2017-08-152-0/+15
|
* fuzzing: Run local fuzz targets on given corpora during `make check`Tobias Brunner2017-08-151-0/+7
| | | | The base directory of the corpora must be set in FUZZING_CORPORA.
* fuzzing: Add driver to run fuzz targets on a given list of filesTobias Brunner2017-08-153-5/+80
| | | | | This is enabled if the path to libFuzzer.a is not specified when running the configure script.
* charon-tkm: Build fix for kernel SAD testsAdrian-Ken Rueegsegger2017-08-141-2/+2
| | | | | Commit 7729577... added a flag to the get_esa_id function but the unit tests were not adjusted.
* Version bump to 5.6.05.6.0Andreas Steffen2017-08-142-2/+2
|
* NEWS: Add info about CVE-2017-11185Tobias Brunner2017-08-141-0/+9
|
* gmp: Fix RSA signature verification for m >= nTobias Brunner2017-08-141-3/+9
| | | | | | | | By definition, m must be <= n-1, we didn't enforce that and because mpz_export() returns NULL if the passed value is zero a crash could have been triggered with m == n. Fixes CVE-2017-11185.
* Version bump to 5.6.0rc25.6.0rc2Andreas Steffen2017-08-092-2/+2
|
* sw-collector: Moved info class to libimcvAndreas Steffen2017-08-098-77/+72
|
* NEWS: Added some newsTobias Brunner2017-08-081-1/+13
|
* conf: Descriptions of several settings updatedTobias Brunner2017-08-083-12/+25
|
* libimcv: Cast chunk length to int when printing as stringTobias Brunner2017-08-082-2/+4
|
* sw-collector: Cast chunk length to int when printing as stringTobias Brunner2017-08-081-7/+7
|
* sw-collector: Fix memory leak after failing to open DBTobias Brunner2017-08-081-0/+1
|
* sw-collector: Use correct variable to report failure to open history fileTobias Brunner2017-08-081-4/+5
|
* Revert "apidoc: Update Doxyfile"Tobias Brunner2017-08-071-276/+149
| | | | | | | This reverts commit 8ec979fd64bca07e73f6f255a7cf26e587bb55d8. Mainly because Travis is still on Trusty and this generates lots of warnings.
* Version bump to 5.6.0rc15.6.0rc1Andreas Steffen2017-08-072-2/+2
|
* imv-database: Improve performance by creating file_hashes indexAndreas Steffen2017-08-071-0/+2
|
* sw-collector: Add missing Doxygen groupTobias Brunner2017-08-073-3/+5
| | | | Fix location of two classes.
* libimcv: Add missing Doxgen group for SWIMA-related classesTobias Brunner2017-08-072-1/+4
| | | | Fix location of swima_error_t.
* apidoc: Update DoxyfileTobias Brunner2017-08-071-149/+276
|
* Fixed some typos, courtesy of codespellTobias Brunner2017-08-0713-17/+17
|
* testing: Add -v option to do-tests to prefix commands with timestampsTobias Brunner2017-08-071-6/+25
|
* testing: Move collector.db in tnc/tnccs-20-ev-pt-tls scenario to /etc/db.dTobias Brunner2017-08-0714-47/+5
| | | | | Also move initialization to the pretest script (it's way faster in the in-memory database).
* kernel-netlink: Wipe buffer used to read Netlink messagesTobias Brunner2017-08-071-2/+12
| | | | | | | | | When querying SAs the keys will end up in this buffer (the allocated messages that are returned are already wiped). The kernel also returns XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish this here as we only see the response. References #2388.
* sha2: Write final hash directly to output bufferTobias Brunner2017-08-071-56/+26
| | | | | | This avoids having the last output in internal memory that's not wiped. References #2388.
* prf-plus: Wipe seed and internal bufferTobias Brunner2017-08-071-2/+2
| | | | | | | The buffer contains key material we handed out last and the seed can contain the DH secret. References #2388.
* child-sa: Allow requesting different unique marks for in/outEyal Birger2017-08-075-11/+50
| | | | | | | | | | | | | | | | | | | | When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined. An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue as the 'fwd' policy uses the 'in' mark will not match outbound traffic. Closes strongswan/strongswan#78.
* conf: Match more characters in _ and **Tobias Brunner2017-08-071-1/+1
| | | | \w does not match e.g. / but \S does.
* trap-manager: Don't require that remote is resolvable during installationTobias Brunner2017-08-071-10/+49
| | | | | | | | Initiation might later fail, of course, but we don't really require an IP address when installing, that is, unless the remote traffic selector is dynamic. As that would result in installing a 0.0.0.0/0 remote TS which is not ideal when a single IP is expected as remote.
* child-create: Don't log CHILD_SA initiation until we know the unique IDTobias Brunner2017-08-071-11/+13
|
* child-rekey: Add CHILD_SA name and unique ID to collision log messagesTobias Brunner2017-08-071-8/+13
|
* child-sa: Suppress CHILD_SA state changes if there is no changeTobias Brunner2017-08-071-6/+9
|
* Merge commit 'child-sa-rekey-tkm'Tobias Brunner2017-08-0747-250/+708
|\ | | | | | | | | | | | | | | | | | | | | | | This fixes CHILD_SA rekeying with TKM and changes how we switch to the outbound IPsec SA with Netlink/XFRM (using SPIs on the outbound policy instead of installing the outbound SA delayed). For charon-tkm it changes when esa_select() and esa_reset() are called, now with the outbound policy and the inbound SA, respectively, instead of the outbound SA in both cases. Also fixed is a potential traffic loss when a rekey collision is lost.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 04:25:45 +0000