| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
ramfs
|
|
|
|
| |
This saves about 50%-70% of the time needed for scenarios that use a DB.
|
|
|
|
|
| |
Changed with a88d958933ef ("Explicitly mention SHA2 algorithm in BLISS
OIDs and signature schemes").
|
| |
|
|
|
|
|
|
|
|
|
| |
If the job gets queued for a newly created IKE_SA it might not yet be
checked in when the job is running, reschedule the job in that case.
This should fix the two p2pnat test scenarios, which occasionally
failed because one of the peers did not initiate the connection to
the mediation server.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
In some cases we call wait_for_entry() but don't actually check out the
entry afterwards (e.g. because it doesn't match certain criteria). So
there won't be a call to checkin() for such entries causing waiting
threads to get signaled. Instead, such threads would be blocked until
another thread properly checks out/in the entry (or does a blocking
enumeration).
|
|
|
|
| |
Fixes 758b1caa0e75 ("ikev1: Prevent deadlock when checking for duplicate IKEv1 SAs")
|
|
|
|
| |
This fixes the TNC-PDP scenarios.
|
|
|
|
| |
exist
|
| |
|
|
|
|
|
| |
They run in all other rw-cert scenarios but in the SQL version there is
no change in the loaded crypto plugins.
|
| |
|
|
|
|
|
| |
Don't make clients wait for the TCP connections to timeout by dropping
packets. By rejecting them the OCSP requests fail immediately.
|
|
|
|
|
|
| |
ifdown calls bind's rndc, which tries to access TCP port 953 on lo.
If these packets are dropped by the firewall we have to wait for the TCP
connections to time out, which takes quite a while.
|
|
|
|
|
|
| |
With -W we reduce timeouts when we don't expect a response. With -i the
interval between pings is reduced (mostly in case of auto=route where
the first ping yields no reply).
|
|
|
|
|
| |
By consistently using the `expect-connection` helper we can avoid pretty
much all previously needed calls to sleep.
|
|
|
|
|
| |
A DPD timeout job is queued whenever a DPD is sent, i.e. after the
DPD delay already has elapsed, so we have to compensate for that.
|
| |
|
|
|
|
|
|
|
| |
It rarely takes 1 second or longer to terminate the daemon. This
decreases the runtime of the post test step a lot where `ipsec stop`
is called for multiple hosts in each test case (10-15 minutes over all
test cases).
|
|
|
|
| |
tests earlier
|
|
|
|
|
|
| |
We will use this to set some defaults (e.g. timeouts to make testing
negative tests quicker). We don't want these settings to show up in the
configs of the actual scenarios though.
|
|
|
|
| |
Fixes #1138.
|
| |
|
|
|
|
|
|
|
|
|
| |
This can be useful when writing custom plugins as typos or missing
linker flags that result in unresolved symbols in the shared object
could otherwise cause late crashes. In particular, if such a symbol
is used in a code path that is rarely executed. During development
and testing using RTLD_NOW instead of RTLD_LAZY will prevent the
plugin from getting loaded and makes the error visible immediately.
|
| |
|
|
|
|
|
|
| |
Obtained-from: pfSense
Sponsored-by: Rubicon Communications (Netgate)
Closes strongswan/strongswan#17.
|
|
|
|
|
|
|
|
|
|
| |
The `nat-local` and `nat-remote` keys contain information on the NAT
status of the local and remote IKE endpoints, respectively. If a
responder did not detect a NAT but is configured to fake a NAT situation
this is indicated by `nat-fake` (if an initiator fakes a NAT situation
`nat-local` is set). If any NAT is detected or faked `nat-any` is set.
Closes strongswan/strongswan#16.
|
|\
| |
| |
| |
| |
| | |
Fixes NULL encryption in libipsec.
Fixes #1174.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We don't need an IV for NULL encryption, so we wouldn't technically need
an IV generator. But some of the code currently relies on an IV
generator to be present. So we don't have to change that code and
handle IV size == 0 specially we use the new NULL IV generator, which
handles this transparently to the existing code.
Before 3c81cb6fc322 ("aead: Create AEAD using traditional transforms
with an explicit IV generator") iv_gen_rand_t was used for NULL
encryption, which would work too but this way it's clearer.
|
|/
|
|
|
| |
This does not actually allocate an IV and only accepts requests
for size == 0.
|
|
|
|
|
|
|
|
|
| |
If the openssl plugin is not enabled we need these to generate session
IDs and to authenticate the users.
The md4 plugin is not needed in the manager.
Fixes #1168.
|
|
|
|
| |
Fixes #1191.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Adds XFRM state/policy flush when terminating which caused tests to fail
due to the check added with 9086f060d35a ("testing: Let test scenarios
fail if IPsec SAs or policies are not removed").
|
| |
|
|
|
|
| |
Like AES in CTR mode it includes a 4 byte nonce.
|