Not sure if this is actually caused by e.g. the file being too large
or by some encoding issue.
According to the Play Console this occurs occasionally.
sec-updater checks for security updates and backports in Debian/
Ubuntu repositories and sets the security flags in the strongTNC
policy database accordingly.
The introduction of file versions broke file hash measurements.
This has been fixed by using a generic product version having an
empty package name.
If an interface is renamed we already have an entry (based on the
ifindex) allocated but previously only set the usable state once
based on the original name.
Fixes #2403.
The generic field of size 0 in the union that was used previously
triggered index-out-of-bounds errors with the UBSAN sanitizer that's
used on OSS-Fuzz. Since the two family specific union members don't
really provide any advantage, we can just use a single buffer for both
families to avoid the errors.
This avoids compile errors on Travis.
Commit 7729577... added a flag to the get_esa_id function but the unit
tests were not adjusted.
By definition, m must be <= n-1, we didn't enforce that and because
mpz_export() returns NULL if the passed value is zero a crash could have
been triggered with m == n.
Fixes CVE-2017-11185.
Fix location of two classes.
Fix location of swima_error_t.
When querying SAs the keys will end up in this buffer (the allocated
messages that are returned are already wiped). The kernel also returns
XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish
this here as we only see the response.
References #2388.
This avoids having the last output in internal memory that's not wiped.
References #2388.
The buffer contains key material we handed out last and the seed can
contain the DH secret.
References #2388.
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue, as the 'fwd' policy,
which uses the 'in' mark, will not match outbound traffic.
Closes strongswan/strongswan#78.
Initiation might later fail, of course, but we don't really
require an IP address when installing, that is, unless the remote
traffic selector is dynamic, as that would result in installing a
0.0.0.0/0 remote TS, which is not ideal when a single IP is expected as
remote.
After a rekeying the outbound SA and policy is deleted immediately, however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.
This adds a flag to get_esa_id() that specifies the location of the
given SPI.
This splits the SA installation also on the initiator, so we can avoid
installing the outbound SA if we lost a rekey collision, which might
have caused traffic loss depending on the timing of the DELETEs that are
sent in both directions.
We don't trigger it either when they are deleted individually.
This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.
Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.
This fixes rekeying as the delayed installation of the outbound SA
caused the nonce context to be expired already.
This should cause the right SA to get used if there are multiple outbound
SAs and the policies are installed properly.
That's required when these are used as include paths in settings file
strings.
x86_64-w64-mingw32-gcc on Windows requires this.
We currently don't have an RNG in Windows builds.
If multiple threads want to enumerate child-cfgs and potentially lock
other locks (e.g. check out IKE_SAs) while doing so, a deadlock could
be caused (as was the case with VICI configs with start_action=start).
It should also improve performance for roadwarrior connections and lots
of clients connecting concurrently.
Fixes #2374.