aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
Commit message (Collapse)AuthorAgeFilesLines
...
* Added PUBKEY_RSA_MODULUS encoding typeAndreas Steffen2014-05-022-12/+37
|
* unit-tests: Document the supported env variablesMartin Willi2014-04-301-1/+7
|
* unit-tests: Support strongswan.conf defined plugin list and base directoryThomas Egerer2014-04-301-2/+8
| | | | | | | tests.load and tests.plugindir to allow the specification of the plugins to be loaded and the directory to load them from. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Allow configuration of libstrongswan via configThomas Egerer2014-04-301-10/+14
| | | | | | | | By setting the environment variable TESTS_STRONGSWAN_CONF, the unit tests can be asked to load a configuration file, thus enabling the tester to make use of the usual configuration settings. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Add a ck_assert_chunk_eq() convenience macroMartin Willi2014-04-301-0/+18
|
* unit-tests: Silence a literal signedness warning raised by GCC 4.6.3Martin Willi2014-04-301-2/+2
|
* sqlite: Allow query arguments to be freed before starting the enumerationTobias Brunner2014-04-301-2/+4
| | | | | By marking the string/blob arguments as transient, SQLite will copy and free them automatically.
* android: Use static version of libcryptoTobias Brunner2014-04-251-1/+1
| | | | | System.loadLibrary() searches in system directories first (at least in recent releases), that is, our own build wouldn't actually get used.
* tun-device: Use SIOCAIFADDR to set IP address on FreeBSD 10Tobias Brunner2014-04-251-2/+90
| | | | | | | | FreeBSD 10 deprecated the SIOCSIFADDR etc. commands, so we use this newer command to set the address and netmask. A destination address is now also required. Fixes #566.
* utils: Use GCC's __atomic built-ins if availableTobias Brunner2014-04-242-3/+22
| | | | | | | | These are available since GCC 4.7 and will eventually replace the __sync operations. They support the memory model defined by C++11. For instance, by using __ATOMIC_RELAXED for some operations on the reference counters we can avoid memory barriers, which are required by __sync operations (whose memory model essentially is __ATOMIC_SEQ_CST).
* utils: Add ref_cur() to retrieve the current value of a reference counterTobias Brunner2014-04-242-3/+24
| | | | | | | | | | On many architectures it is safe to read the value directly (those using cache coherency protocols, and with atomic loads for 32-bit values) but it is not if that's not the case or if we ever decide to make refcount_t 64-bit (load not atomic on x86). So make sure the operation is actually atomic and that users do not have to care about the size of refcount_t.
* x509: Don't include authKeyIdentifier in self-signed certificatesTobias Brunner2014-04-091-1/+1
| | | | | As the comment indicates this was the intention in d7be2906433a7dcfefc1fd732587865688dbfe1b all along.
* x509: Initialize certs when building optionalSignature for OCSP requestsTobias Brunner2014-04-091-1/+1
|
* Added support for msSmartcardLogon EKUAndreas Steffen2014-04-083-14/+23
|
* Added some more OIDsAndreas Steffen2014-04-081-1/+20
|
* Initialize m1 to suppress compiler warningAndreas Steffen2014-04-071-1/+1
|
* Added SHA3 OIDsAndreas Steffen2014-04-041-6/+12
|
* leak-detective: LEAK_DETECTIVE_DISABLE completely disables LDTobias Brunner2014-04-033-17/+23
| | | | | If lib->leak_detective is non-null some code parts (e.g. the plugin loader) assume LD is actually used.
* unit-tests: Verify two bytes at once when testing chunk_clear()Tobias Brunner2014-04-021-3/+6
| | | | | This reduces the chances of arbitrary test failures if the memory area already got overwritten.
* unit-tests: Catch timeouts during test runner deinit functionMartin Willi2014-04-011-6/+18
| | | | | | The test runner deinit function often cancels all threads from the pool. This operation might hang on error conditions, hence we should include that hook in the test timeout to fail properly.
* unit-tests: Prevent a failing worker thread to go wild after it failsMartin Willi2014-04-011-1/+2
| | | | | | A worker raises SIGUSR1 to inform the main thread that the test fails. The main thread then starts cancelling workers, but the offending thread should be terminated immediately to prevent it from test continuation.
* unit-tests: Always load address of testable functionsTobias Brunner2014-03-311-1/+1
| | | | | | | The addresses can actually change as plugins are loaded/unloaded for each test case. Fixes #551.
* settings: Reduce log verbosity if strongswan.conf does not existTobias Brunner2014-03-311-1/+10
| | | | | In some situations we expect strongswan.conf to not exist, for instance, when running the unit tests before installation.
* test-vectors: Renumber AES-GCM test vectors according to original sourceTobias Brunner2014-03-312-16/+100
| | | | Also adds several missing ones.
* aead: Support custom AEAD salt sizesMartin Willi2014-03-3113-38/+100
| | | | | | | | | The salt, or often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.
* revocation: Log error if no OCSP signer candidate foundMartin Willi2014-03-311-1/+1
| | | | Fixes evaluation of ikev2/ocsp-untrusted-cert.
* revocation: Restrict OCSP signing to specific certificatesMartin Willi2014-03-311-7/+63
| | | | | | | | | | | | | To avoid considering each cached OCSP response and evaluating its trustchain, we limit the certificates considered for OCSP signing to: - The issuing CA of the checked certificate - A directly delegated signer by the same CA, having the OCSP signer constraint - Any locally installed (trusted) certificate having the OCSP signer constraint The first two options cover the requirements from RFC 6960 2.6. For compatibility with non-conforming CAs, we allow the third option as exception, but require the installation of such certificates locally.
* revocation: Don't merge auth config of CLR/OCSP trustchain validationMartin Willi2014-03-311-39/+24
| | | | | | | | | | This behavior was introduced with 6840a6fb to avoid key/signature strength checking for the revocation trustchain as we do it for end entity certificates. Unfortunately this breaks CA constraint checking under certain conditions, as we merge additional intermediate/CA certificates to the auth config. As key/signature strength checking of the revocation trustchain is a rather exotic requirement we drop support for that to properly enforce CA constraints.
* hashtable: Make key arguments constTobias Brunner2014-03-312-22/+23
| | | | | This allows using const strings etc. for lookups without cast. And keys are not modifiable anyway.
* Properly hash pointers for hash tables where appropriateTobias Brunner2014-03-311-17/+2
| | | | | Simply using the pointer is not optimal for our hash table implementation, which simply masks the key to determine the bucket.
* x509: CERT_DECODE actually requires KEY_ANYTobias Brunner2014-03-311-3/+1
| | | | | More specific decoders might still be needed, but the x509 plugin should not care which ones.
* pkcs1: KEY_ANY public key decoder soft depends on specific decodersTobias Brunner2014-03-311-0/+3
|
* auth-cfg: Declare an attribute certificate helper type to exchange acertsMartin Willi2014-03-313-2/+15
|
* acert: Implement a plugin finding, validating and evaluating attribute certsMartin Willi2014-03-316-0/+363
| | | | | | This validator checks for any attribute certificate it can find for validated end entity certificates and tries to extract group membership information used for connection authorization rules.
* x509: Match acert has_subject() against entityName or holder serialMartin Willi2014-03-311-5/+25
| | | | | This allows us to find attribute certificates for a subject certificate in credential sets.
* pem: Support encoding of attribute certificatesMartin Willi2014-03-311-1/+6
| | | | | | | While there is no widely used PEM header for attribute certificates, at least IAIK-JCE uses BEGIN ATTRIBUTE CERTIFICATE: http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/utils/Util.html#toPemString(iaik.x509.attr.AttributeCertificate)
* x509: Replace the comma separated string AC group builder with a list based oneMartin Willi2014-03-313-9/+8
|
* x509: Integrate IETF attribute handling, and obsolete ietf_attributes_tMartin Willi2014-03-316-639/+186
| | | | | The ietf_attributes_t class is used for attribute certificates only these days, and integrating them to x509_ac_t simplifies things significantly.
* x509: Replace fixed acert group string getter by a more dynamic group enumeratorMartin Willi2014-03-314-53/+63
|
* x509: Skip parsing of acert chargingIdentity, as we don't use it anywayMartin Willi2014-03-311-9/+1
|
* x509: Fix some whitespaces and do some minor style cleanups in acertMartin Willi2014-03-311-72/+76
|
* ac: Remove unimplemented equals_holder() method from ac_tMartin Willi2014-03-311-8/+0
|
* unit-tests: Fix filtered enumerator tests on 64-bit big-endian platformsTobias Brunner2014-03-271-12/+12
| | | | | In case of sizeof(void*) == 8 and sizeof(int) == 4 on big-endian hosts the tests failed as the actual integer value got cut off.
* unit-tests: Fix memory leak in ntru testsTobias Brunner2014-03-271-3/+5
|
* unit-test: added missing TEST_FUNCTION macrosAndreas Steffen2014-03-221-8/+16
|
* openssl: Add default fallback when calculating fingerprints of RSA keysTobias Brunner2014-03-221-1/+15
| | | | | | We still try to calculate these directly as it can avoid a dependency on the pkcs1 or other plugins. But for e.g. PGPv3 keys we need to delegate the actual fingerprint calculation to the pgp plugin.
* Completed integration of ntru_crypto library into ntru pluginAndreas Steffen2014-03-2221-1711/+1227
|
* crypto-tester: Don't fail if key size is not supportedTobias Brunner2014-03-201-6/+3
| | | | | | | | The Blowfish and Twofish implementations provided by the gcrypt plugin only support specific key lengths, which we don't know when testing against vectors (either during unit tests or during algorithm registration). The on_create test with a specific key length will be skipped anyway, so there is no point in treating this failure differently.
* unit-tests: Add an option to increase the verbosity when running testsTobias Brunner2014-03-201-1/+9
| | | | | The TESTS_VERBOSITY option takes an integer from -1 to 4 that sets the default debug level.
* unit-tests: Add an option to run only a subset of all test suitesTobias Brunner2014-03-201-8/+54
| | | | | The TESTS_SUITES environment variable can contain a comma separated list of names of test suites to run.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 03:21:04 +0000