While RFC 5280 is not very specific about the matching rules of subjectAltNames,
it has some examples of how to match email and FQDN constraints. We try to follow
these examples, and restrict DNS names to subdomain matching and email to
full email, host or domain matching.
Instead of rejecting the certificate completely if a certificate has a policy
OID that is actually not allowed by the issuer CA, we accept it. However, the
certificate policy itself is still considered invalid, and is not returned
in the auth config resulting from trust chain operations.
A user must make sure to rely on the returned auth config certificate policies
instead of the policies contained in the certificate; even if the certificate
is valid, the policy OID itself in the certificate is not to be trusted
anymore.
We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This
issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer
toolchain works fine.
While try_write_lock() obviously can fail, not supporting it is not really an
option, as some algorithms depend on occasionally successful calls. Certificate
caching in the certificate manager and the cred_set cache rely on successful
try_write_lock()ing.
Previously we got no reference to the cached issuer certificate
before releasing the lock of the cache line. This allowed other
threads, or even the same thread if it replaces a cache line, to
destroy that issuer certificate in cache() (or flush()) before
get_ref() for the issuer certificate is finally called.
We actually need to do a byte-swap, which ntohs() only does on
little-endian systems.
Fixes #747.
ntohs() might be defined as noop (#define ntohs(x) (x)) so we have
to manually shorten the negated value (gets promoted to an int).
Fixes #747.
This fixes some vici test cases on OS X, where the test thread tries to cancel
the watcher thread during cleanup, but fails as select() does not honor the
pre-issued cancellation request.
On OS X, the /bin/sh built-in echo does not support -n.
But use the (builtin) shell commands instead, as on OS X true/false are under
/usr/bin.
Fixes OS X build.
env var
To use SSL in curl, we need to initialize the SSL library in a thread-safe
manner and provide the appropriate callbacks. As we already do that in our
crypto plugins using these libraries, we depend on these features.
This implies that we need the same plugin enabled (openssl, gcrypt) as the
curl backend is configured to use to fetch from HTTPS URIs.
This function is called by libcurl initialization with SSL, and uses
a static allocation of compression algorithms not freed.
If initialization fails, we fall back to the old behavior.
This allows a user to check if the watcher is actually running, and potentially
perform read operations directly instead of relying on the watcher.
Since 4b670a20 we require an explicit strongswan.conf to re-load configurations.
However, the define was missing in the build, breaking SIGHUP based config
reloading.
Fixes #651.
authentication rounds
Due to the issue described in c641974, purge() inadvertently destroyed
CA certificates that should have been kept (while the pointer to these
objects remained in the array). This led to incorrect reference counts
and, after a few reauthentications with multiple authentication rounds
(which cause calls to purge(TRUE)), to crashes.
For ARRAY_TAIL we most often want to call remove_tail() not remove_head().
Because enumerate() for value based arrays returns a pointer directly to
the internal array elements and because array_remove_at() or rather the
called array_remove() may move elements over the element at the currently
enumerated position, the pointer passed to enumerate() will point to a
different array element after the array_remove_at() call. The caller
will thus operate on the wrong element if that pointer is accessed again
before calling enumerate().
For performance reasons we currently don't change the implementation to copy
each array element during enumeration to a private member of the enumerator and
return a pointer to that. Similarly, due to the danger of subtle bugs we don't
remember the pointer passed to enumerate() to later redirect it to a copy
created during the array_remove_at() call.
In the previous implementation queued jobs could prevent a service from
getting destroyed. This could have led to a deadlock when the
processor is cancelled. Now destroy() still blocks, but waits only for
actually running tasks. The service instance is reference counted so that
queued jobs can safely be destroyed.
Calling on_accept() sometimes led to deadlocks when service->destroy()
was called concurrently. That is, with two threads waiting in on_accept(),
the last worker would only wake one due to the call to signal(). Calling
broadcast() wouldn't help either as that could lead to crashes if the thread
that called destroy() is woken first.
This is also more efficient as a constant pool of concurrent workers can
be maintained, otherwise peaks at the limit were followed by only a single
worker being active.
Because this->thread is also read by threads that don't hold the
mutex the previous implementation was problematic (especially since
pthread_t is an opaque type of unknown length).
Fixes #654.
It seems libcurl does not always return an error message.
Listing test suites in TESTS_SUITES_EXCLUDE allows excluding specific
test suites from running.
Fixes #688.
This won't hurt as long as sets and validators are of the same class.
But as soon as the class of one of the objects is changed this will cause
either a compile error (best option) or (most likely) a crash.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
This should avoid errors such as the one fixed with 118b2879.