aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * child-rekey: Add method to check for the redundant SA created in a collisionTobias Brunner2016-06-172-18/+37
| |
| * unit-tests: Test for rekeying if INVALID_KE_PAYLOAD notifies are receivedTobias Brunner2016-06-171-0/+253
| |
| * child-rekey: Don't change state to INSTALLED if it was already REKEYINGTobias Brunner2016-06-171-3/+5
| | | | | | | | | | This happens if there is a rekey collision and the peers disagree on the DH group.
| * unit-tests: Make IKE and ESP proposals configurableTobias Brunner2016-06-174-44/+116
| |
| * unit-tests: Add tests for CHILD_SA rekeying/deletion collisionsTobias Brunner2016-06-171-1/+288
| |
| * unit-tests: Add asserts against job schedulingTobias Brunner2016-06-172-0/+60
| |
| * ikev2: Use CHILD_REKEYED for replaced CHILD_SAs after rekeyingTobias Brunner2016-06-173-15/+17
| | | | | | | | This allows handling collisions better, in particular with deletions.
| * unit-tests: Add asserts against task queues of IKE_SAsTobias Brunner2016-06-171-0/+32
| |
| * child-rekey: Use more appropriate error notifies if CHILD_SA is not found or ↵Tobias Brunner2016-06-171-3/+8
| | | | | | | | | | | | getting deleted These are the notifies we should return according to RFC 7296.
| * child-rekey: Recreate the CHILD_SA if we receive a CHILD_SA_NOT_FOUND notifyTobias Brunner2016-06-171-0/+28
| |
| * child-create: Handle TEMPORARY_FAILURE notify as failureTobias Brunner2016-06-172-4/+5
| | | | | | | | | | We will later add code to retry creating the CHILD_SA if we are not rekeying. Rekeying is already rescheduled as with any other errors.
| * unit-tests: Add unit tests for basic CHILD_SA rekeyingTobias Brunner2016-06-173-0/+237
| |
| * unit-tests: Add asserts against ike|child_rekey hooksTobias Brunner2016-06-172-0/+82
| |
| * unit-tests: Match in and outbound SPIs in SA assertsTobias Brunner2016-06-171-2/+15
| | | | | | | | Since we use unique sequential SPIs that should be OK.
| * unit-tests: Register nonce generator and make first nonce byte configurableTobias Brunner2016-06-172-1/+19
| |
| * crypto-factory: Stop after successfully creating one nonce generatorTobias Brunner2016-06-171-0/+4
| | | | | | | | Fixes: e2fc09c186c3 ("Add nonce generator interface")
| * unit-tests: Add mock nonce generatorTobias Brunner2016-06-173-0/+129
| | | | | | | | | | We don't make the full nonces configurable but only the first byte, which should be enough to force a nonce to be smaller than others.
| * unit-tests: Make message asserts more flexibleTobias Brunner2016-06-172-26/+106
| |
| * unit-tests: Add another CHILD_SA delete collisionTobias Brunner2016-06-171-1/+56
| |
| * unit-tests: Register mock DH implementation as static plugin featureTobias Brunner2016-06-171-0/+11
| |
| * unit-tests: Add mock DH implementation that's basically a noopTobias Brunner2016-06-173-0/+125
| | | | | | | | | | If the openssl plugin is built DH isn't that much of an overhead as ecp256 is used, but the default MODP group is now modp3072.
| * unit-tests: Make IKE SPIs predictableTobias Brunner2016-06-171-0/+14
| |
| * unit-tests: Call methods on IKE_SAs in their contextTobias Brunner2016-06-173-9/+18
| |
| * unit-tests: Add a unit test for CHILD_SA DELETE collisionsTobias Brunner2016-06-173-0/+149
| |
| * child-delete: Remove unnecessary call to destroy_child_sa()Tobias Brunner2016-06-171-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | Generally, we will not find the CHILD_SA by searching for it with the outbound SPI (the initiator of the DELETE sent its inbound SPI) - and if we found a CHILD_SA it would most likely be the wrong one (one in which we used the same inbound SPI as the peer used for the one it deletes). And we don't actually want to destroy the CHILD_SA at this point as we know we already initiated a DELETE ourselves, which means that task still has a reference to it and will destroy the CHILD_SA when it receives the response from the other peer.
| * unit-tests: Add asserts against hooks on listener_t and messages captured thereTobias Brunner2016-06-173-0/+364
| |
| * unit-tests: Add asserts against SAs (e.g. their states)Tobias Brunner2016-06-172-0/+56
| |
| * unit-tests: Add separate test runner to test IKEv2 exchangesTobias Brunner2016-06-173-4/+100
| | | | | | | | This allows proper initialization of the daemon and the helper object.
| * unit-tests: Add helper class/object to test IKE exchangesTobias Brunner2016-06-173-0/+331
| |
| * unit-tests: Add mock kernel_ipsec_t implementation for unit testsTobias Brunner2016-06-173-0/+165
| | | | | | | | Provides predictable sequential SPIs.
| * unit-tests: Add mock sender_t implementation for unit testingTobias Brunner2016-06-174-0/+153
| | | | | | | | | | This allows to retrieve packets sent by an IKE_SA and pass it to another IKE_SA directly via process_message().
| * unit-tests: Defining TESTS_RUNNERS allows to only run specific test runnersTobias Brunner2016-06-172-1/+33
| |
| * unit-tests: Don't unload plugins before calling libcharon_deinit()Tobias Brunner2016-06-171-3/+0
|/ | | | | | | libcharon_deinit() already calls all the functions we called manually. Unloading the plugins will not work if charon->initialize() is called as charon's static plugin features would already be unloaded before the destroyed members are accessed in destroy() to flush them.
* kernel-netlink: Don't set replay window for outbound SAsTobias Brunner2016-06-171-0/+6
| | | | | It's not necessary and might waste memory. However, if ESN is used we set the window to 1 as the kernel rejects the attribute otherwise.
* kernel-pfkey: Only set the replay window for inbound SAsTobias Brunner2016-06-171-3/+8
| | | | | It is not necessary for outbound SAs and might waste memory when large window sizes are used.
* testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenarioTobias Brunner2016-06-172-3/+1
| | | | | | | | | | aacf84d837e7 ("testing: Add expect-connection calls for all tests and hosts") removed the expect-connection call for the non-existing aaa connection. However, because the credentials were loaded asynchronously via start-script the clients might have been connecting when the secrets were not yet loaded. As `swanctl --load-creds` is a synchronous call this change avoids that issue without having to add a sleep or failing expect-connection call.
* daemon: Don't hold settings lock while executing start/stop scriptsTobias Brunner2016-06-171-20/+43
| | | | | | | If a called script interacts with the daemon or one of its plugins another thread might have to acquire the write lock (e.g. to configure a fallback or set a value). Holding the read lock prevents that, potentially resulting in a deadlock.
* testing: Use TLS 1.2 in RADIUS test casesTobias Brunner2016-06-172-0/+6
| | | | | | | | | This took a while as in the OpenSSL package shipped with Debian and on which our FIPS-enabled package is based, the function SSL_export_keying_material(), which is used by FreeRADIUS to derive the MSK, did not use the correct digest to calculate the result when TLS 1.2 was used. This caused IKE to fail with "verification of AUTH payload with EAP MSK failed". The fix was only backported to jessie recently.
* testing: Update FreeRADIUS to 2.2.8Tobias Brunner2016-06-172-3/+3
| | | | | | | | | While this is not the latest 2.x release it is the latest in /old. Upgrading to 3.0 might be possible, not sure if the TNC-FHH patches could be easily updated, though. Upgrading to 3.1 will definitely not be possible directly as that version removes the EAP-TNC module. So we'd first have to get rid of the TNC-FHH stuff.
* Revert "configure: Cache result of pthread_condattr_setclock() check"Tobias Brunner2016-06-171-22/+18
| | | | | | | This reverts commit 8d79bfa8318ddd1b9b863241fe0e637be73af5f4 as it does not provide any advantage over setting ac_cv_func_pthread_condattr_setclock=no. References #1502.
* configure: Cache result of pthread_condattr_setclock() checkTobias Brunner2016-06-171-18/+22
| | | | | | | | | | | | | | Even if not using caching when running the configure script (-C) this allows pre-defining the result by setting the environment variable ss_cv_func_pthread_condattr_setclock_monotonic=yes|no|unknown before/while running the script. As the check requires running a test program this might be helpful when cross-compiling to disable using monotonic time if pthread_condattr_setclock() is defined but not actually usable with CLOCK_MONOTONIC. References #1502.
* configure: Fix typo in pthread_condattr_setclock() checkTobias Brunner2016-06-171-2/+2
|
* quick-mode: Fix reporting lifebytes if lifetime is configuredTobias Brunner2016-06-171-2/+2
|
* load-tester: Fix load-tester on platforms where plain `char` is signedTobias Brunner2016-06-171-1/+1
| | | | | | | | fgetc() returns an int and EOF is usually -1 so when this gets casted to a char the result depends on whether `char` means `signed char` or `unsigned char` (the C standard does not specify it). If it is unsigned then its value is 0xff so the comparison with EOF will fail as that is an implicit signed int.
* testing: Fix firewall rule on alice in tnc/tnccs-20-pdp-pt-tls scenarioTobias Brunner2016-06-171-2/+2
|
* Merge branch 'testing-jessie'Tobias Brunner2016-06-16504-716/+1329
|\ | | | | | | | | | | | | | | | | Updates the default Debian image used for the test environment from wheezy to jessie. Also adds a script that allows chrooting to an image (base, root or one of the guests). In pretty much all test scenarios expect-connection is used to make test runs more reliable. Fixes #1382.
| * testing: Build hostapd from sourcesTobias Brunner2016-06-163-1/+78
| | | | | | | | | | | | | | | | There is a bug (fix at [1]) in hostapd 2.1-2.3 that let it crash when used with the wired driver. The package in jessie (and sid) is affected, so we build it from sources (same, older, version as wpa_supplicant). [1] http://w1.fi/cgit/hostap/commit/?id=e9b783d58c23a7bb50b2f25bce7157f1f3
| * testing: Update download URL for wpa_supplicantTobias Brunner2016-06-161-1/+1
| |
| * testing: Wait for packets to be processed by tcpdumpTobias Brunner2016-06-161-1/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Sometimes tcpdump fails to process all packets during the short running time of a scenario: 0 packets captured 18 packets received by filter 0 packets dropped by kernel So 18 packets were captured by libpcap but tcpdump did not yet process and print them. This tries to use --immediate-mode if supported by tcpdump (the one currently in jessie or wheezy does not, but the one in jessie-backports does), which disables the buffering in libpcap. However, even with immediate mode there are cases where it takes a while longer for all packets to get processed. And without it we also need a workaround (even though the version in wheezy actually works fine). That's why there now is a loop checking for differences in captured vs. received packets. There are actually cases where these numbers are not equal but we still captured all packets we're interested in, so we abort after 1s of retrying. But sometimes it could still happen that packets we expected got lost somewhere ("packets dropped by kernel" is not always 0 either).
| * testing: Fix expect-connection for tkm testsTobias Brunner2016-06-161-1/+1
| | | | | | | | We don't use swanctl there but there is no load statement either.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 22:55:21 +0000