aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* ikev1: Send INITIAL_CONTACT notify in Main ModeThomas Egerer2014-10-301-0/+28
| | | | | | | | | We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* pki: Print and document the name constraint type for DNS or email constraintsMartin Willi2014-10-303-6/+46
| | | | | As email constraints may be for a specific host, it is not clear from the name itself if it is a DNS or email constraint.
* constraints: Add permitted/excludedNameConstraints checkMartin Willi2014-10-303-0/+400
|
* constraints: Use a more specific FQDN/email name constraint matchingMartin Willi2014-10-301-22/+73
| | | | | | | While RFC 5280 is not very specific about the matching rules of subjectAltNames, it has some examples how to match email and FQDN constraints. We try to follow these examples, and restrict DNS names to subdomain matching and email to full email, host or domain matching.
* constraints: Add requireExplicitPolicy testsMartin Willi2014-10-301-0/+44
|
* constraints: Add inhibitAnyPolicy testsMartin Willi2014-10-301-0/+44
|
* constraints: Add inhibitPolicyMapping testsMartin Willi2014-10-301-4/+83
|
* constraints: Don't reject certificates with invalid certificate policiesMartin Willi2014-10-301-25/+97
| | | | | | | | | | | | Instead of rejecting the certificate completely if a certificate has a policy OID that is actually not allowed by the issuer CA, we accept it. However, the certificate policy itself is still considered invalid, and is not returned in the auth config resulting from trust chain operations. A user must make sure to rely on the returned auth config certificate policies instead of the policies contained in the certificate; even if the certificate is valid, the policy OID itself in the certificate are not to be trusted anymore.
* constraints: Add certificate policy and policy mapping unit testsMartin Willi2014-10-303-0/+472
|
* swanctl: Document identity type prefixesMartin Willi2014-10-301-3/+18
|
* identification: Support custom types in string constructor prefixesMartin Willi2014-10-303-0/+48
|
* identification: Support prefixes in string constructors for an explicit typeMartin Willi2014-10-303-0/+58
|
* unit-tests: Re-align identification_create_from_string() unit test table dataMartin Willi2014-10-301-52/+52
|
* threading: Support rwlock try_write_lock() on WindowsMartin Willi2014-10-301-2/+0
| | | | | | | | | | | We explicitly avoided TryAcquireSRWLockExclusive() because of crashes. This issue was caused by a MinGW-w64 bug (mingw-w64 fix 46f77afc). Using a newer toolchain works fine. While try_write_lock() obviously can fail, not supporting it is not really an option, as some algorithms depend on occasionally successful calls. Certificate caching in the certificate manager and the cred_set cache rely on successful try_write_lock()ing.
* threading: Add a more explicit rwlock try_write_lock() testingMartin Willi2014-10-301-0/+44
|
* message: Include encrypted fragment payload in payload (order) rulesTobias Brunner2014-10-291-0/+12
| | | | | | | | | Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted because they don't contain an SA payload. It also prevents a warning when ordering payloads. Fixes #752.
* cert-cache: Prevent that a cached issuer is freed too earlyTobias Brunner2014-10-241-7/+10
| | | | | | | | Previously we got no reference to the cached issuer certificate before releasing the lock of the cache line, this allowed other threads, or even the same thread if it replaces a cache line, to destroy that issuer certificate in cache() (or flush()) before get_ref() for the issuer certificate is finally called.
* unit-tests: Fix internet checksum tests on big-endian systemsTobias Brunner2014-10-231-4/+9
| | | | | | | We actually need to do a byte-swap, which ntohs() only does on little-endian systems. Fixes #747.
* chunk: Fix internet checksum calculation on big-endian systemsTobias Brunner2014-10-231-1/+1
| | | | | | | ntohs() might be defined as noop (#define ntohs(x) (x)) so we have to manually shorten the negated value (gets promoted to an int). Fixes #747.
* updown: Explicitly pass caller PATH to updown scriptMartin Willi2014-10-221-0/+1
| | | | | | | | | When invoking /bin/sh, its default PATH is used. On some systems, that does not include the PATH where the ipsec script is installed, as charon is invoked with a custom PATH. Explicitly setting the PATH of charon should fix this case, properly invoking the (default) updown script. Fixes #745.
* ip-packet: Fix length in IPv6 header of generated packetsTobias Brunner2014-10-201-1/+1
|
* Remove unneeded get_count() methodAndreas Steffen2014-10-171-1/+0
|
* Process TCG/PTS File Measurement attribute incrementallyAndreas Steffen2014-10-171-37/+77
|
* Exempt TCG/SEG attributes from unsupported case statementAndreas Steffen2014-10-162-4/+11
|
* Request IF-M segmentation contract for TCG/PTS subtypeAndreas Steffen2014-10-161-0/+27
|
* tls: Fix an invalid free on CBC encryption failureMartin Willi2014-10-151-1/+0
|
* tls: Fix a memory leak if AEAD encryption failsMartin Willi2014-10-151-0/+1
|
* tls: Check all bytes of the padding if they equal the padding lengthMartin Willi2014-10-152-0/+16
|
* android: Fix PA-TNC construction based on data passed via JNITobias Brunner2014-10-151-3/+2
|
* libimcv: Add generic constructor for PA-TNC attributesTobias Brunner2014-10-152-0/+51
|
* backtrace: Fix symbol lookup in dynamic symtab via libbfdTobias Brunner2014-10-141-0/+1
|
* swid-inventory: Remove unused variable end_of_tagTobias Brunner2014-10-141-6/+2
|
* swanctl: Fix man page build on FreeBSDTobias Brunner2014-10-141-1/+1
| | | | | BSD make seems to only evaluate $< for certain rules (like the suffix rule used to generate the config template).
* thread: Test for pending cancellation requests before select()ing on OS XMartin Willi2014-10-141-0/+28
| | | | | | This fixes some vici test cases on OS X, where the test thread tries to cancel the watcher thread during cleanup, but fails as select() does not honor the pre-issued cancellation request.
* vici: Return default value for get_int() if message value is empty stringMartin Willi2014-10-142-1/+5
| | | | | This is the behavior of some strtol() implementations, and it makes sense, so force it.
* process: Don't use the shells built-in echo in testsMartin Willi2014-10-141-1/+1
| | | | On OS X, the /bin/sh built-in echo does not support -n.
* process: Don't use absolute path names for true/false/cat in unit testsMartin Willi2014-10-141-4/+10
| | | | | But use the (builtin) shell commands instead, as on OS X true/false are under /usr/bin.
* kernel-pfroute: Check for RTM_IFANNOUNCE availabilityMartin Willi2014-10-141-0/+10
| | | | This message is not available on OS X.
* process: Include missing <signal.h> for raise(3)Martin Willi2014-10-141-0/+1
| | | | Fixes OS X build.
* ip-packet: Fix removal of TFC padding for IPv6Tobias Brunner2014-10-141-1/+1
| | | | | | The IPv6 length field denotes the payload length after the 40 bytes header. Fixes: 293515f95cf5 ("libipsec: remove extra RFC4303 TFC padding appended to inner payload")
* vici: Add vici.gemspec.in and vici.rb to distributionTobias Brunner2014-10-141-0/+2
|
* android: Implement get_contracts() method in IMC state objectTobias Brunner2014-10-141-0/+14
|
* android: libpts does not exist anymore, don't attempt to load itTobias Brunner2014-10-141-1/+0
|
* android: Update receive_message() to new imc_msg_t.receive() signatureTobias Brunner2014-10-131-2/+4
|
* libimcv: Add fallback if IPSEC_SCRIPT is not definedTobias Brunner2014-10-131-0/+4
| | | | This is the case on Android.
* libimcv: Updated Android.mk to latest Makefile.amTobias Brunner2014-10-132-0/+4
|
* android: Remove references to libptsTobias Brunner2014-10-133-8/+2
|
* libimcv: Remove reference to libptsTobias Brunner2014-10-131-1/+0
|
* libimcv: Fix Doxygen comments after merging libpts into libimcvTobias Brunner2014-10-1313-14/+20
|
* watcher: Doxygen comment fixedTobias Brunner2014-10-131-1/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-05 03:10:40 +0000