aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
Commit message (Collapse)AuthorAgeFilesLines
...
* settings: Don't overwrite values in-placeTobias Brunner2014-05-154-36/+52
| | | | | | | This is not thread safe. If threads are reading from pointers to existing values they could get a partially updated invalid value. Refactored assignment to a separate function.
* settings: Add functions to add sections and key/value pairs to a sectionTobias Brunner2014-05-154-68/+82
|
* unit-tests: Update settings tests to match new parserTobias Brunner2014-05-151-59/+124
| | | | | Empty settings are now ignored, strings are supported, newlines are handled properly (e.g. at the end of files) etc.
* settings: Don't enumerate key/value pairs with NULL valueTobias Brunner2014-05-151-1/+1
|
* settings: Use generated parser instead of our ownTobias Brunner2014-05-151-566/+53
|
* settings: Optionally keep track of removed/replaced valuesTobias Brunner2014-05-153-16/+45
|
* settings: Add flex/bison based parser for strongswan.confTobias Brunner2014-05-155-1/+501
| | | | | | | | | | | This parser features several improvements over the existing one. For instance, quoted strings (with escape sequences), unlimited includes, relaxed newline handling (e.g. at the end of files or before/after { and }), and the difference between empty and unset values (key = vs. key = ""). It also complains a lot more about invalid syntax. The current one accepts pretty odd stuff (like settings or sections without name) without any errors or warnings.
* settings: Extract section and key/value pair types and helper functionsTobias Brunner2014-05-154-6/+294
| | | | This allows us to use them in the upcoming parser.
* parser-helper: Add utility class for flex/bison based parsersTobias Brunner2014-05-154-3/+408
|
* settings: Use glob enumerator to load included filesTobias Brunner2014-05-151-32/+13
|
* enumerator: Add enumerator to enumerate files matching a patternTobias Brunner2014-05-152-3/+140
| | | | | | | | | | | | This enumerator is a wrapper around glob(3). If that function is not supported NULL is returned. If no files match or an error occurs during the pattern expansion an error is logged and the enumerator simply returns no items. RFC: if GLOB_ERR is not supplied glob returns GLOB_NOMATCH if e.g. the base directory of the pattern does not exist, which would otherwise result in an error. This way there is at least a clear error message in case of a typo.
* settings: Move to a separate folderTobias Brunner2014-05-156-13/+15
|
* array: Allocate initial data properly if esize is 0Tobias Brunner2014-05-151-1/+1
|
* Implemented PT-EAP protocol (RFC 7171)Andreas Steffen2014-05-122-3/+9
|
* mem-cred: Replace existing equal shared keys during add_shared()Martin Willi2014-05-071-3/+56
|
* mem-cred: Replace existing equal private keys during add_key()Martin Willi2014-05-071-0/+17
|
* watcher: Don't wait for running callback once watcher thread cancelledMartin Willi2014-05-071-1/+8
| | | | | | | | During shutdown, waiting for callbacks might never complete, as queued callbacks might not get executed under certain conditions. Not the clean fix, but works good enough for now. Seen on Windows in vici tests.
* watcher: Avoid queueing multiple watcher callbacks at the same timeMartin Willi2014-05-071-1/+8
| | | | | | | | | While we don't add FDs with an active callback to the watched FDSET, we still can get notifications for callbacks active due the asynchronous processing of the same. To avoid queue multiple callbacks, we check for queued callbacks before activating new ones.
* processor: Flush pending jobs during cancel(), not destroyMartin Willi2014-05-071-1/+11
| | | | | During shutdown, cancel queued jobs earlier to avoid having cleanup functions accessing infrastructure not available anymore, for example watcher.
* utils: Provide a CALLBACK macro, similar to METHOD, but for void* callbacksMartin Willi2014-05-071-0/+13
| | | | | | Using the same mechanism as the METHOD macro, the CALLBACK macro defines a hybrid function signature. It strictly uses a weak void* for the first function parameter, in contrast to the dynamic METHOD object "this" type.
* utils: Enable __atomic* built-ins based on the GCC versionTobias Brunner2014-05-041-0/+7
| | | | | | | | | | | This solves a problem with GNAT when compiling charon-tkm as __atomic* built-ins are only provided in GCC 4.7 and newer. Currently GNAT 4.6 and GCC 4.7.2 is shipped with Debian wheezy (stable), as used in the testing environment. So while the configure script correctly detected the __atomic* built-ins, and defined HAVE_GCC_ATOMIC_OPERATIONS, this define turned out to be incorrect when charon-tkm was later built with GNAT.
* Added PUBKEY_RSA_MODULUS encoding typeAndreas Steffen2014-05-022-12/+37
|
* unit-tests: Document the supported env variablesMartin Willi2014-04-301-1/+7
|
* unit-tests: Support strongswan.conf defined plugin list and base directoryThomas Egerer2014-04-301-2/+8
| | | | | | | tests.load and tests.plugindir to allow the specification of the plugins to be loaded and the directory to load them from. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Allow configuration of libstrongswan via configThomas Egerer2014-04-301-10/+14
| | | | | | | | By setting the environment variable TESTS_STRONGSWAN_CONF, the unit tests can be asked to load a configuration file, thus enabling the tester to make use of the usual configuration settings. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Add a ck_assert_chunk_eq() convenience macroMartin Willi2014-04-301-0/+18
|
* unit-tests: Silence a literal signedness warning raised by GCC 4.6.3Martin Willi2014-04-301-2/+2
|
* sqlite: Allow query arguments to be freed before starting the enumerationTobias Brunner2014-04-301-2/+4
| | | | | By marking the string/blob arguments as transient, SQLite will copy and free them automatically.
* android: Use static version of libcryptoTobias Brunner2014-04-251-1/+1
| | | | | System.loadLibrary() searches in system directories first (at least in recent releases), that is, our own build wouldn't actually get used.
* tun-device: Use SIOCAIFADDR to set IP address on FreeBSD 10Tobias Brunner2014-04-251-2/+90
| | | | | | | | FreeBSD 10 deprecated the SIOCSIFADDR etc. commands, so we use this newer command to set the address and netmask. A destination address is now also required. Fixes #566.
* utils: Use GCC's __atomic built-ins if availableTobias Brunner2014-04-242-3/+22
| | | | | | | | These are available since GCC 4.7 and will eventually replace the __sync operations. They support the memory model defined by C++11. For instance, by using __ATOMIC_RELAXED for some operations on the reference counters we can avoid memory barriers, which are required by __sync operations (whose memory model essentially is __ATOMIC_SEQ_CST).
* utils: Add ref_cur() to retrieve the current value of a reference counterTobias Brunner2014-04-242-3/+24
| | | | | | | | | | On many architectures it is safe to read the value directly (those using cache coherency protocols, and with atomic loads for 32-bit values) but it is not if that's not the case or if we ever decide to make refcount_t 64-bit (load not atomic on x86). So make sure the operation is actually atomic and that users do not have to care about the size of refcount_t.
* x509: Don't include authKeyIdentifier in self-signed certificatesTobias Brunner2014-04-091-1/+1
| | | | | As the comment indicates this was the intention in d7be2906433a7dcfefc1fd732587865688dbfe1b all along.
* x509: Initialize certs when building optionalSignature for OCSP requestsTobias Brunner2014-04-091-1/+1
|
* Added support for msSmartcardLogon EKUAndreas Steffen2014-04-083-14/+23
|
* Added some more OIDsAndreas Steffen2014-04-081-1/+20
|
* Initialize m1 to suppress compiler warningAndreas Steffen2014-04-071-1/+1
|
* Added SHA3 OIDsAndreas Steffen2014-04-041-6/+12
|
* leak-detective: LEAK_DETECTIVE_DISABLE completely disables LDTobias Brunner2014-04-033-17/+23
| | | | | If lib->leak_detective is non-null some code parts (e.g. the plugin loader) assume LD is actually used.
* unit-tests: Verify two bytes at once when testing chunk_clear()Tobias Brunner2014-04-021-3/+6
| | | | | This reduces the chances of arbitrary test failures if the memory area already got overwritten.
* unit-tests: Catch timeouts during test runner deinit functionMartin Willi2014-04-011-6/+18
| | | | | | The test runner deinit function often cancels all threads from the pool. This operation might hang on error conditions, hence we should include that hook in the test timeout to fail properly.
* unit-tests: Prevent a failing worker thread to go wild after it failsMartin Willi2014-04-011-1/+2
| | | | | | A worker raises SIGUSR1 to inform the main thread that the test fails. The main thread then starts cancelling workers, but the offending thread should be terminated immediately to prevent it from test continuation.
* unit-tests: Always load address of testable functionsTobias Brunner2014-03-311-1/+1
| | | | | | | The addresses can actually change as plugins are loaded/unloaded for each test case. Fixes #551.
* settings: Reduce log verbosity if strongswan.conf does not existTobias Brunner2014-03-311-1/+10
| | | | | In some situations we expect strongswan.conf to not exist, for instance, when running the unit tests before installation.
* test-vectors: Renumber AES-GCM test vectors according to original sourceTobias Brunner2014-03-312-16/+100
| | | | Also adds several missing ones.
* aead: Support custom AEAD salt sizesMartin Willi2014-03-3113-38/+100
| | | | | | | | | The salt, or often called implicit nonce, varies between AEAD algorithms and their use in protocols. For IKE and ESP, GCM uses 4 bytes, while CCM uses 3 bytes. With TLS, however, AEAD mode uses 4 bytes for both GCM and CCM. Our GCM backends currently support 4 bytes and CCM 3 bytes only. This is fine until we go for CCM mode support in TLS, which requires 4 byte nonces.
* revocation: Log error if no OCSP signer candidate foundMartin Willi2014-03-311-1/+1
| | | | Fixes evaluation of ikev2/ocsp-untrusted-cert.
* revocation: Restrict OCSP signing to specific certificatesMartin Willi2014-03-311-7/+63
| | | | | | | | | | | | | To avoid considering each cached OCSP response and evaluating its trustchain, we limit the certificates considered for OCSP signing to: - The issuing CA of the checked certificate - A directly delegated signer by the same CA, having the OCSP signer constraint - Any locally installed (trusted) certificate having the OCSP signer constraint The first two options cover the requirements from RFC 6960 2.6. For compatibility with non-conforming CAs, we allow the third option as exception, but require the installation of such certificates locally.
* revocation: Don't merge auth config of CLR/OCSP trustchain validationMartin Willi2014-03-311-39/+24
| | | | | | | | | | This behavior was introduced with 6840a6fb to avoid key/signature strength checking for the revocation trustchain as we do it for end entity certificates. Unfortunately this breaks CA constraint checking under certain conditions, as we merge additional intermediate/CA certificates to the auth config. As key/signature strength checking of the revocation trustchain is a rather exotic requirement we drop support for that to properly enforce CA constraints.
* hashtable: Make key arguments constTobias Brunner2014-03-312-22/+23
| | | | | This allows using const strings etc. for lookups without cast. And keys are not modifiable anyway.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 04:59:45 +0000