| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
As we are now using poll(2) instead of select(2), we need the work-around from
76dc329e for poll() as well.
|
Instead of allocating MTU-sized buffers for each packet, read to a stack buffer
and copy to an allocation of the actual packet size. While it requires an
additional copy on non-Apple platforms, this should make allocation more
efficient for small packets.
|
While RFC 5280 is not very specific about the matching rules of subjectAltNames,
it has some examples of how to match email and FQDN constraints. We try to follow
these examples, and restrict DNS names to subdomain matching and email to
full email, host or domain matching.
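The matching rules this commit message refers to, as an added example that is not strongSwan's code: a dNSName constraint is satisfied by the name itself or by labels added on its left, and an rfc822Name constraint names a full mailbox, a host, or (with a leading period) a domain. The function names and sample names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Case-insensitive test whether s ends with suffix (hypothetical helper). */
static bool ends_with(const char *s, const char *suffix)
{
	size_t ls = strlen(s), lx = strlen(suffix);
	return ls >= lx && strcasecmp(s + ls - lx, suffix) == 0;
}

/* dNSName: the constraint itself, or the constraint with labels added on the left. */
bool dns_matches(const char *name, const char *constraint)
{
	size_t ln = strlen(name), lc = strlen(constraint);
	if (!lc || !ends_with(name, constraint))
		return false;
	/* The suffix must start at a label boundary: "badexample.com" is no subdomain. */
	return ln == lc || name[ln - lc - 1] == '.';
}

/* rfc822Name: full mailbox, all mailboxes on one host, or all hosts in a domain. */
bool email_matches(const char *addr, const char *constraint)
{
	const char *at = strrchr(addr, '@'), *cat = strrchr(constraint, '@');
	if (!at || !*constraint)
		return false;
	if (cat)	/* "user@host": local part exact, host part case-insensitive */
		return at - addr == cat - constraint &&
			   strncmp(addr, constraint, at - addr) == 0 &&
			   strcasecmp(at + 1, cat + 1) == 0;
	if (constraint[0] == '.')	/* ".domain": hosts below it, not the domain itself */
		return ends_with(at + 1, constraint);
	return strcasecmp(at + 1, constraint) == 0;	/* "host": that host only */
}

int main(void)
{
	/* Constructed sample names, not taken from the commit. */
	printf("%d %d %d\n", dns_matches("www.example.com", "example.com"),
		   dns_matches("badexample.com", "example.com"),
		   email_matches("alice@mail.example.com", ".example.com"));
	return 0;
}
```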
|
Instead of rejecting the certificate completely if a certificate has a policy
OID that is actually not allowed by the issuer CA, we accept it. However, the
certificate policy itself is still considered invalid, and is not returned
in the auth config resulting from trust chain operations.
A user must make sure to rely on the returned auth config certificate policies
instead of the policies contained in the certificate; even if the certificate
is valid, the policy OID itself in the certificate is not to be trusted
anymore.
|
We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This
issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer
toolchain works fine.
While try_write_lock() obviously can fail, not supporting it is not really an
option, as some algorithms depend on occasionally successful calls. Certificate
caching in the certificate manager and the cred_set cache rely on successful
try_write_lock()ing.
|
Previously we got no reference to the cached issuer certificate
before releasing the lock of the cache line. This allowed other
threads, or even the same thread if it replaces a cache line, to
destroy that issuer certificate in cache() (or flush()) before
get_ref() for the issuer certificate is finally called.
|
We actually need to do a byte-swap, which ntohs() only does on
little-endian systems.
Fixes #747.
|
ntohs() might be defined as noop (#define ntohs(x) (x)) so we have
to manually shorten the negated value (gets promoted to an int).
Fixes #747.
|
This fixes some vici test cases on OS X, where the test thread tries to cancel
the watcher thread during cleanup, but fails as select() does not honor the
pre-issued cancellation request.
|
On OS X, the /bin/sh built-in echo does not support -n.
|
But use the (builtin) shell commands instead, as on OS X true/false are under
/usr/bin.
|
|
Fixes OS X build.
|
env var
|
To use SSL in curl, we need to initialize the SSL library in a thread-safe
manner and provide the appropriate callbacks. As we already do that in our
crypto plugins using these libraries, we depend on these features.
This implies that we need the same plugin enabled (openssl, gcrypt) as the
curl backend is configured to use to fetch from HTTPS URIs.
|
This function is called by libcurl initialization with SSL, and uses
a static allocation of compression algorithms not freed.
|
If initialization fails, we fall back to the old behavior.
|
This allows a user to check if the watcher is actually running, and potentially
perform read operations directly instead of relying on the watcher.
|
Since 4b670a20 we require an explicit strongswan.conf to re-load configurations.
However, the define was missing in the build, breaking SIGHUP based config
reloading.
Fixes #651.
|
authentication rounds
Due to the issue described in c641974, purge() inadvertently destroyed
CA certificates that should have been kept (while the pointer to these
objects remained in the array). This led to incorrect reference counts
and after a few reauthentications with multiple authentication rounds,
which cause calls to purge(TRUE), to crashes.
|
For ARRAY_TAIL we most often want to call remove_tail() not remove_head().
|
Because enumerate() for value based arrays returns a pointer directly to
the internal array elements and because array_remove_at() or rather the
called array_remove() may move elements over the element at the currently
enumerated position, the pointer passed to enumerate() will point to a
different array element after the array_remove_at() call. The caller
will thus operate on the wrong element if that pointer is accessed again
before calling enumerate().
For performance reasons we currently don't change the implementation to copy
each array element during enumeration to a private member of the enumerator and
return a pointer to that. Similarly, due to the danger of subtle bugs we don't
remember the pointer passed to enumerate() to later redirect it to a copy
created during the array_remove_at() call.
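The pitfall described in this commit message, reproduced as an added example on a toy value-based array; this is not strongSwan's array implementation, and `int_array_t`, `enumerate()`, `remove_at()` and `removed_value()` are hypothetical names. It shows that the enumerated pointer refers to the next element after the removal, and that copying the value before removing avoids the stale read.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical value-based array: elements are stored inline, not as pointers. */
typedef struct { int data[8]; int count; } int_array_t;
typedef struct { int_array_t *array; int idx; } int_enum_t;

/* Hands out a pointer directly into the internal storage. */
static int enumerate(int_enum_t *e, int **out)
{
	if (e->idx >= e->array->count)
		return 0;
	*out = &e->array->data[e->idx++];
	return 1;
}

/* Removes the element enumerated last; the following elements move over it. */
static void remove_at(int_enum_t *e)
{
	int_array_t *a = e->array;
	int pos = --e->idx;

	a->count--;
	memmove(&a->data[pos], &a->data[pos + 1], (a->count - pos) * sizeof(int));
}

/* Removes the value 20 from {10, 20, 30} and returns what the caller then sees. */
int removed_value(int copy_first)
{
	int_array_t a = { {10, 20, 30}, 3 };	/* constructed sample data */
	int_enum_t e = { &a, 0 };
	int *cur, copy, seen = -1;

	while (enumerate(&e, &cur))
	{
		if (*cur == 20)
		{
			copy = *cur;	/* taken while the pointer is still valid */
			remove_at(&e);
			seen = copy_first ? copy : *cur;	/* *cur now aliases 30 */
		}
	}
	return seen;
}

int main(void)
{
	printf("stale=%d copied=%d\n", removed_value(0), removed_value(1));
	return 0;
}
```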
|