aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* vici: Add some convenience getters on messageMartin Willi2014-05-073-1/+337
|
* vici: Raise events with an optional identifier for specific connectionsMartin Willi2014-05-074-9/+14
|
* vici: Invoke dispatcher outside of connection log, allowing events from commandsMartin Willi2014-05-071-4/+13
|
* vici: Add a query class, currently implementing a list-sas commandMartin Willi2014-05-074-1/+440
|
* vici: Add a libvici low-level client libraryMartin Willi2014-05-076-0/+1413
|
* vici: Provide a command dispatcher handling request and event registrationMartin Willi2014-05-079-128/+1105
|
* vici: Add a fully asynchronous IPC socket segmenting messages on/from streamMartin Willi2014-05-078-0/+1538
|
* vici: Add a test runner for pluginMartin Willi2014-05-074-0/+87
|
* vici: Add a plugin stub for the "Versatile IKE Control Interface" pluginMartin Willi2014-05-074-0/+152
|
* mem-cred: Replace existing equal shared keys during add_shared()Martin Willi2014-05-071-3/+56
|
* mem-cred: Replace existing equal private keys during add_key()Martin Willi2014-05-071-0/+17
|
* watcher: Don't wait for running callback once watcher thread cancelledMartin Willi2014-05-071-1/+8
| | | | | | | | During shutdown, waiting for callbacks might never complete, as queued callbacks might not get executed under certain conditions. Not the clean fix, but works good enough for now. Seen on Windows in vici tests.
* watcher: Avoid queueing multiple watcher callbacks at the same timeMartin Willi2014-05-071-1/+8
| | | | | | | | | While we don't add FDs with an active callback to the watched FDSET, we still can get notifications for callbacks active due the asynchronous processing of the same. To avoid queue multiple callbacks, we check for queued callbacks before activating new ones.
* processor: Flush pending jobs during cancel(), not destroyMartin Willi2014-05-071-1/+11
| | | | | During shutdown, cancel queued jobs earlier to avoid having cleanup functions accessing infrastructure not available anymore, for example watcher.
* utils: Provide a CALLBACK macro, similar to METHOD, but for void* callbacksMartin Willi2014-05-071-0/+13
| | | | | | Using the same mechanism as the METHOD macro, the CALLBACK macro defines a hybrid function signature. It strictly uses a weak void* for the first function parameter, in contrast to the dynamic METHOD object "this" type.
* utils: Enable __atomic* built-ins based on the GCC versionTobias Brunner2014-05-041-0/+7
| | | | | | | | | | | This solves a problem with GNAT when compiling charon-tkm as __atomic* built-ins are only provided in GCC 4.7 and newer. Currently GNAT 4.6 and GCC 4.7.2 is shipped with Debian wheezy (stable), as used in the testing environment. So while the configure script correctly detected the __atomic* built-ins, and defined HAVE_GCC_ATOMIC_OPERATIONS, this define turned out to be incorrect when charon-tkm was later built with GNAT.
* aikgen generates AIK private/public key pairsAndreas Steffen2014-05-035-1/+579
| | | | | | aikgen outputs a binary AIK private key blob and the AIK public key. Optionally the Identity Request encrypted with the public key of the Privacy CA can be output.
* Added PUBKEY_RSA_MODULUS encoding typeAndreas Steffen2014-05-022-12/+37
|
* Extended Ubuntu 14.04 database buildAndreas Steffen2014-05-021-15/+24
|
* Moved BIOS and IMA measurement lists into classes of their ownAndreas Steffen2014-05-026-381/+717
|
* Fixed typoAndreas Steffen2014-05-011-1/+1
|
* Use global status variable for IMA runtimeAndreas Steffen2014-05-011-2/+1
|
* Similar statistics for packages and file measurementsAndreas Steffen2014-05-011-1/+1
|
* Updated build_database.sh to Ubuntu 14.04Andreas Steffen2014-05-011-215/+74
|
* Updated ITA-IMA finalize messagesAndreas Steffen2014-05-012-6/+6
|
* Implemented IMA-NG supportAndreas Steffen2014-05-014-119/+425
|
* unit-tests: Document the supported env variablesMartin Willi2014-04-301-1/+7
|
* unit-tests: Support strongswan.conf defined plugin list and base directoryThomas Egerer2014-04-301-2/+8
| | | | | | | tests.load and tests.plugindir to allow the specification of the plugins to be loaded and the directory to load them from. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Allow configuration of libstrongswan via configThomas Egerer2014-04-301-10/+14
| | | | | | | | By setting the environment variable TESTS_STRONGSWAN_CONF, the unit tests can be asked to load a configuration file, thus enabling the tester to make use of the usual configuration settings. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* unit-tests: Add a ck_assert_chunk_eq() convenience macroMartin Willi2014-04-301-0/+18
|
* unit-tests: Silence a literal signedness warning raised by GCC 4.6.3Martin Willi2014-04-301-2/+2
|
* sqlite: Allow query arguments to be freed before starting the enumerationTobias Brunner2014-04-301-2/+4
| | | | | By marking the string/blob arguments as transient, SQLite will copy and free them automatically.
* Improved finalize messages in ITA-IMA componentAndreas Steffen2014-04-271-14/+21
|
* child-cfg: Fix removal of redundant traffic selectorsTobias Brunner2014-04-251-1/+1
| | | | | | | We have to make sure we compare every selected traffic selector with every other in the list. Fixes #577.
* android: New release based on 5.1.3Tobias Brunner2014-04-252-3/+3
| | | | | Also links OpenSSL statically and doesn't limit the number of packets during EAP-TTLS.
* libcharon: Added AEAD sources of libtls to Android.mkTobias Brunner2014-04-251-0/+1
|
* libimcv: Updated Android.mkTobias Brunner2014-04-251-0/+3
|
* android: Use static version of libcryptoTobias Brunner2014-04-252-2/+1
| | | | | System.loadLibrary() searches in system directories first (at least in recent releases), that is, our own build wouldn't actually get used.
* tun-device: Use SIOCAIFADDR to set IP address on FreeBSD 10Tobias Brunner2014-04-251-2/+90
| | | | | | | | FreeBSD 10 deprecated the SIOCSIFADDR etc. commands, so we use this newer command to set the address and netmask. A destination address is now also required. Fixes #566.
* bus: Add a fast-path if log messages don't have to be loggedTobias Brunner2014-04-241-7/+53
| | | | | | | For some rwlock_t implementations acquiring the read lock could be quite expensive even if there are no writers (e.g. because the implementation requires acquiring a mutex to check for writers) particularly if the lock is highly contended, like it is for the vlog() method.
* load-tester: Fix race condition issuing same SPIChristophe Gouault2014-04-241-2/+2
| | | | | | | | | | Due to an unprotected incrementation, two load-tester initiators occasionally use the same SPI under high load, and hence generate 2 IPsec SAs with the same identifier. The responder IPsec stack will refuse to configure the second SA. Use an atomic incrementation to avoid this race condition. Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* load-tester: Fix race condition issuing same identityChristophe Gouault2014-04-241-2/+2
| | | | | | | | | | Due to an unprotected incrementation, two load-tester initiators occasionally use the same identifier under high load. The responder typically drops one of the connections. Use an atomic incrementation to avoid this race condition. Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
* ike-sa-manager: Improve scalability of half-open IKE_SA checkingTobias Brunner2014-04-241-7/+8
| | | | | | | | | | | | | | | This patch is based on one by Christoph Gouault. Currently, to count the total number of half_open IKE_SAs, get_half_open_count sums up the count of each segment in the SA hash table (acquiring a lock for each segment). This procedure does not scale well when the number of segments increases, as the method is called for each new negotiation. Instead, lets maintain a global atomic counter. This optimization allows the use of big values for charon.ikesa_table_size and charon.ikesa_table_segments.
* utils: Use GCC's __atomic built-ins if availableTobias Brunner2014-04-242-3/+22
| | | | | | | | These are available since GCC 4.7 and will eventually replace the __sync operations. They support the memory model defined by C++11. For instance, by using __ATOMIC_RELAXED for some operations on the reference counters we can avoid memory barriers, which are required by __sync operations (whose memory model essentially is __ATOMIC_SEQ_CST).
* utils: Add ref_cur() to retrieve the current value of a reference counterTobias Brunner2014-04-242-3/+24
| | | | | | | | | | On many architectures it is safe to read the value directly (those using cache coherency protocols, and with atomic loads for 32-bit values) but it is not if that's not the case or if we ever decide to make refcount_t 64-bit (load not atomic on x86). So make sure the operation is actually atomic and that users do not have to care about the size of refcount_t.
* kernel-pfkey: Added IPComp supportFrancois ten Krooden2014-04-241-19/+138
| | | | | | - get_cpi function was implemented to retrieve a CPI from the kernel. - add_sa/update_sa/del_sa were updated to accommodate for IPComp SA. - Updated add_policy_internal to update the SPD to support IPComp.
* nm: Bump NetworkManager plugin version to 1.3.1Martin Willi2014-04-242-1/+7
|
* pacman.sh now fetches Ubuntu 14.04 security updatesAndreas Steffen2014-04-241-1/+22
|
* ike: Delay actively initiated reauthentication when other exchanges in progressMartin Willi2014-04-171-2/+47
| | | | | If any other IKE or CHILD_SA operation takes places, we should not start initiating reauthentication to avoid any potential races.
* ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SAMartin Willi2014-04-171-0/+6
| | | | | | | | | | | If one peer starts reauthentication by deleting the IKE_SA, while the other starts CHILD_SA rekeying, we run in a race condition. To avoid it, temporarily reject the rekey attempt while we are in the IKE_SA deleting state. RFC 4306/5996 is not exactly clear about this collision, but it should be safe to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry establishing the CHILD_SA on the reauthenticated IKE_SA.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 06:37:08 +0000