aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
Commit message (Collapse)AuthorAgeFilesLines
* proposal: Parse modpnone as MODP_NONE(0)Tobias Brunner2016-06-171-0/+1
|
* crypto-factory: Stop after successfully creating one nonce generatorTobias Brunner2016-06-171-0/+4
| | | | Fixes: e2fc09c186c3 ("Add nonce generator interface")
* unit-tests: Defining TESTS_RUNNERS allows to only run specific test runnersTobias Brunner2016-06-172-1/+33
|
* leak-detective: Make sure to actually call malloc() from calloc() hookTobias Brunner2016-06-151-3/+4
| | | | | | | | Newer versions of GCC are too "smart" and replace a call to malloc(X) followed by a call to memset(0,X) with a call co calloc(), which obviously results in an infinite loop when it does that in our own calloc() implementation. Using `volatile` for the variable storing the total size prevents the optimization and we actually call malloc().
* leak-detective: Whitelist __fprintf_chk as seen on newer systemsTobias Brunner2016-06-151-0/+1
|
* configure: Check for and explicitly link against -latomicMartin Willi2016-06-142-2/+4
| | | | | Some C libraries, such as uClibc, require an explicit link for some atomic functions. Check for any libatomic, and explcily link it.
* android: Use non-aliased cipher identifiersTobias Brunner2016-06-131-12/+12
| | | | | | Some of these are also understood by BoringSSL. Fixes #1510.
* ipsec: Add function to compare two ipsec_sa_cfg_t instancesTobias Brunner2016-06-082-0/+25
| | | | | | memeq() is currently used to compare these but if there is padding that is not initialized the same for two instances the comparison fails. Using this function ensures the objects are compared correctly.
* identification: Compare identity types when comparing ID_FQDN/ID_RFC822_ADDR ↵Tobias Brunner2016-06-061-3/+4
| | | | | | identities References #1380.
* x509: Properly wrap keyid in authorityKeyIdentifier in attribute certificatesTobias Brunner2016-06-061-1/+2
| | | | | | | The correct encoding got lost in bdec2e4f5291 ("refactored openac and its attribute certificate factory"). Fixes #1370.
* af-alg: Silently skip probing algorithms if AF_ALG is not supportedMartin Willi2016-05-191-0/+19
| | | | | | If the af-alg plugin is enabled, but kernel support is missing, we get an error line during startup for each probed algorithm. This is way too verbose, so just skip probing if AF_ALG is unsupported.
* mem-cred: Fix memory leak when replacing existing CRLsTobias Brunner2016-05-111-0/+1
| | | | Fixes #1442.
* identification: Add support for dmdName RDN (2.5.4.54)Yannick Cann2016-04-253-0/+5
| | | | | | | It's listed in RFC 2256 but was later removed with RFC 4519, but there are still some certs that use it. Closes strongswan/strongswan#43.
* leak-detective: added _IO_file_doallocate to whitelistAndreas Steffen2016-04-241-0/+1
|
* curl: Add TLS support if libcurl is built against BoringSSLTobias Brunner2016-04-151-1/+2
| | | | | We don't have to rely on the openssl plugin and its threading initialization as BoringSSL is thread-safe out of the box.
* openssl: BoringSSL does not support configurationTobias Brunner2016-04-151-0/+4
| | | | | The other initialization functions are still defined but many are apparently no-ops (this is also true for the threading initialization).
* openssl: The member storing the DH exponent length has been renamed in BoringSSLTobias Brunner2016-04-151-0/+4
|
* openssl: Use proper EVP macro to determine size of a hashTobias Brunner2016-04-152-2/+2
|
* curl: Handle LibreSSL like OpenSSL in regards to multi-threadingTobias Brunner2016-04-151-1/+1
| | | | | LibreSSL is API compatible so our openssl plugin does not need any changes and it works fine with the curl plugin.
* thread: Don't hold mutex when calling cleanup handlers while terminatingTobias Brunner2016-04-131-12/+14
| | | | | | | | | | This could interfere with cleanup handlers that try to acquire mutexes while other threads holding these try to e.g. cancel the threads. As cleanup handlers are only queued by the threads themselves we don't need any synchronization to access the list. Fixes #1401.
* pkcs11: Skip zero-padding of r and s when preparing EC signatureTobias Brunner2016-04-051-3/+9
| | | | | | They are zero padded to fill the buffer. Fixes #1377.
* chunk: Skip all leading zero bytes in chunk_skip_zero() not just the firstTobias Brunner2016-04-042-14/+18
|
* string: Gracefully handle NULL in str*eq() macrosTobias Brunner2016-04-042-4/+82
|
* byteorder: Explicitly check for htoXeXX macrosTobias Brunner2016-03-311-3/+18
| | | | | Some platforms have XetohXX macros instead of XeXXtoh macros, in which case we'd redefine the htoXeXX macros.
* proposal: Use standard integer types for static keywordsTobias Brunner2016-03-311-2/+2
|
* utils: Remove nonsensical typedefs for standard uint typesTobias Brunner2016-03-311-13/+0
|
* Use u_int32_t legacy type in blowfish header fileAndreas Steffen2016-03-241-1/+1
|
* Use standard unsigned integer typesAndreas Steffen2016-03-24131-789/+789
|
* android: Enable build against API level 21Tobias Brunner2016-03-231-0/+17
| | | | | | | While building against this level in general would break our app on older systems, the NDK will automatically use this level for 64-bit ABI builds (which are not supported in older levels). So to build against 64-bit ABIs we have to support this API level.
* Fix some Doxygen issuesTobias Brunner2016-03-112-8/+8
|
* identification: Make `written` signed to fix error checking when printing rangesTobias Brunner2016-03-111-3/+3
|
* Implemented IPv4/IPv6 subnet and range identitiesAndreas Steffen2016-03-102-79/+563
| | | | | | The IKEv1 IPV4_ADDR_SUBNET, IPV6_ADDR_SUBNET, IPV4_ADDR_RANGE and IPV6_ADDR_RANGE identities have been fully implemented and can be used as owners of shared secrets (PSKs).
* auth-cfg: Add a rule to suspend certificate validation constraintsTobias Brunner2016-03-102-0/+18
|
* credential-manager: Check cache queue when destroying trusted certificate ↵Tobias Brunner2016-03-101-1/+2
| | | | | | | | | | enumerator We already do this in the trusted public key enumerator (which internally uses the trusted certificate enumerator) but should do so also when this enumerator is used directly (since the public key enumerator has the read lock the additional call will just be skipped there).
* credential-manager: Make online revocation checks optional for public key ↵Tobias Brunner2016-03-102-3/+9
| | | | enumerator
* library: Add option to register additional namespaces before calling ↵Tobias Brunner2016-03-082-2/+43
| | | | | | | | | | library_init() Because settings are already accessed in library_init(), calling add_fallback() externally after calling library_init() is not ideal. This way namespaces already serve as fallback while library_init() is executed and they are also in the correct order so that libstrongswan is always the last root section.
* linked-list: Add method to compare two lists of objects for equalityTobias Brunner2016-03-083-2/+166
|
* byteorder: Simplify htoun64/untoh64 functionsTobias Brunner2016-03-041-27/+0
|
* byteorder: Always define be64toh/htobe64 macrosTobias Brunner2016-03-041-20/+30
|
* auth-cfg: Make IKE signature schemes configurableTobias Brunner2016-03-045-37/+187
| | | | | | This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* ikev2: Diversify signature scheme ruleThomas Egerer2016-03-042-30/+68
| | | | | | | This allows for different signature schemes for IKE authentication and trustchain verification. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* thread: Allow thread ID to be value returned by gettid()Thomas Egerer2016-03-043-14/+32
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* libhydra: Remove empty unused libraryTobias Brunner2016-03-031-1/+0
|
* utils: Add enum name for pseudo log group 'any'Tobias Brunner2016-02-051-2/+4
|
* unit-tests: The pseudonym RDN is now recognized, so use something more exoticTobias Brunner2016-01-281-3/+3
|
* Support pseudonym RDNAndreas Steffen2016-01-273-0/+5
|
* vici: list-cert sends subject, not-before and not-after attributes for pubkeysAndreas Steffen2016-01-091-0/+1
|
* vici: Support of raw public keysAndreas Steffen2016-01-092-0/+15
|
* Apply pubkey and signature constraints in vici pluginAndreas Steffen2015-12-172-0/+117
|
* 128 bit default security strength for IKE and ESP algorithmsAndreas Steffen2015-12-171-19/+19
| | | | | | | | | | | | | | | | | The default ESP cipher suite is now AES_CBC-128/HMAC_SHA2_256_128 and requires SHA-2 HMAC support in the Linux kernel (correctly implemented since 2.6.33). The default IKE cipher suite is now AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 if the openssl plugin is loaded or AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072 if ECC is not available. The use of the SHA-1 hash algorithm and the MODP_2048 DH group has been deprecated and ENCR_CHACHA20_POLY1305 has been added to the default IKE AEAD algorithms.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-02 04:04:16 +0000