strongswan.git
3 years agotravis: Add apidoc check
Tobias Brunner [Thu, 30 Jun 2016 08:34:54 +0000 (10:34 +0200)]
travis: Add apidoc check

This requires at least Ubuntu 14.04 (the Doxygen version in 12.04 has some
issues with our Doxyfile and prints lots of warnings).

3 years agotravis: Use Trusty beta image
Tobias Brunner [Thu, 25 Aug 2016 12:04:22 +0000 (14:04 +0200)]
travis: Use Trusty beta image

3 years agonm: Updated NEWS
Tobias Brunner [Mon, 5 Sep 2016 14:01:25 +0000 (16:01 +0200)]
nm: Updated NEWS

3 years agoMerge branch 'nm-1.2'
Tobias Brunner [Mon, 5 Sep 2016 13:41:51 +0000 (15:41 +0200)]
Merge branch 'nm-1.2'

Provides fixes and changes for compatibility with current NM releases.

Closes strongswan/strongswan#15.
Fixes #797.

3 years agonm: Pass external gateway to NM
Tobias Brunner [Mon, 5 Sep 2016 12:34:07 +0000 (14:34 +0200)]
nm: Pass external gateway to NM

This seems to be required by newer versions.

3 years agonm: Update auth-dialog
Tobias Brunner [Mon, 5 Sep 2016 08:58:16 +0000 (10:58 +0200)]
nm: Update auth-dialog

This updates the auth dialog so that passwords are properly retrieved
(e.g. for the nm-applet).  It also adds support for external UI mode and
properly handles secret flags.

3 years agonm: Enforce min. length for PSKs in backend
Tobias Brunner [Mon, 5 Sep 2016 08:54:07 +0000 (10:54 +0200)]
nm: Enforce min. length for PSKs in backend

3 years agonm: Add minimum length constraint for PSK passwords in connection editor
Tobias Brunner [Thu, 21 Apr 2016 15:46:02 +0000 (17:46 +0200)]
nm: Add minimum length constraint for PSK passwords in connection editor

We already have this restriction in the auth-dialog.

3 years agonm: Bump minor version to 1.4.0
Lubomir Rintel [Wed, 21 Oct 2015 11:06:42 +0000 (13:06 +0200)]
nm: Bump minor version to 1.4.0

This is probably a good idea to do to signal there's significant changes in
dependencies to the distro package maintainers with libnm port and associated
changes.

3 years agonm: Bump to GTK+ 3.0
Lubomir Rintel [Wed, 21 Oct 2015 11:04:14 +0000 (13:04 +0200)]
nm: Bump to GTK+ 3.0

It's been released years ago; we depend on newer stuff than that now.

3 years agonm: Replace libgnomeui with libnma for password dialog
Lubomir Rintel [Wed, 21 Oct 2015 09:29:25 +0000 (11:29 +0200)]
nm: Replace libgnomeui with libnma for password dialog

libgnomeui is long deprecated.

There's one functional difference: the choice to save the passwords is gone.
The password flags and saved password should be set in the preferences dialog,
but this commit does not fix that.

3 years agonm: Grey out the unneeded authentication options
Lubomir Rintel [Tue, 29 Mar 2016 20:33:30 +0000 (22:33 +0200)]
nm: Grey out the unneeded authentication options

Hiding and showing the items is not ideal, since it leaves the spacing
in place and the layout gets really messy.

3 years agonm: Add a widget for setting a password
Lubomir Rintel [Tue, 29 Mar 2016 18:07:04 +0000 (20:07 +0200)]
nm: Add a widget for setting a password

It was only possible to set the password from the authentication dialog,
which is not ideal; as it requires a connection attempt.

This adds an input entry along with a primary icon from libnma/libnm-gtk
which allows selecting the backend and flags for the password (system, session
agent, always ask or empty).

3 years agonm: Port to libnm
Lubomir Rintel [Wed, 21 Oct 2015 09:23:57 +0000 (11:23 +0200)]
nm: Port to libnm

3 years agonm: Check for libnm
Lubomir Rintel [Wed, 21 Oct 2015 08:56:23 +0000 (10:56 +0200)]
nm: Check for libnm

libnm replaces libnm-glib. This will make sense with port to libnm and is done
to reduce line noise in that commit.

3 years agonm: Build two plugin binaries from the single source
Lubomir Rintel [Wed, 21 Oct 2015 08:36:54 +0000 (10:36 +0200)]
nm: Build two plugin binaries from the single source

They're both the same now. We'll port the new one to libnm in follow-up commits.

NetworkManager 1.2 (which is currently versioned as 1.1.0) is going to bring
some new ABI while still supporting the old one. There's new VPN service and
UI plugin APIs in libnm.

There's one difficulty though -- the connection editor 1.2 will be linked
against libnm and a new libnma library it will provide (as opposed to
libnm-glib and libnm-gtk), thus will be incapable of loading of property
plugins that are linked with the old libraries (due to glib type system
limitations).

However, we must not break support for other connection editors (GNOME control
center, older versions of nm-connection-editor, etc.) therefore we need
to build two versions of the property plugin. NetworkManager 1.2's libnm will
provide a shim that makes it easy.

3 years agoMerge branch 'nm-updates'
Tobias Brunner [Mon, 5 Sep 2016 13:33:40 +0000 (15:33 +0200)]
Merge branch 'nm-updates'

Provides several fixes and cleanups for the NM build (does not include
fixes for recent NM versions).

Closes strongswan/strongswan#39.

3 years agonm: Version bumb to 1.3.2
Tobias Brunner [Wed, 6 Apr 2016 16:20:12 +0000 (18:20 +0200)]
nm: Version bumb to 1.3.2

3 years agonm: Remove incorrect top-level GtkWindow
Tobias Brunner [Wed, 6 Apr 2016 16:18:29 +0000 (18:18 +0200)]
nm: Remove incorrect top-level GtkWindow

Fixes #1013.

3 years agonm: Replace libgnomekeyring with libsecret
Lubomir Rintel [Tue, 29 Mar 2016 17:33:26 +0000 (19:33 +0200)]
nm: Replace libgnomekeyring with libsecret

The former is deprecated and the newer API is nicer anyway.

3 years agonm: Drop useless calls to AC_SUBST
Lubomir Rintel [Wed, 21 Oct 2015 08:54:18 +0000 (10:54 +0200)]
nm: Drop useless calls to AC_SUBST

PKG_CHECK_MODULES does the substitutions.

3 years agonm: Drop some unneeded dependencies
Lubomir Rintel [Wed, 21 Oct 2015 10:35:59 +0000 (12:35 +0200)]
nm: Drop some unneeded dependencies

3 years agonm: Install the .name file into /usr/lib/NetworkManager/VPN
Lubomir Rintel [Fri, 23 Oct 2015 09:29:42 +0000 (11:29 +0200)]
nm: Install the .name file into /usr/lib/NetworkManager/VPN

It's the preferred location for system-provided plugins.

A compatible file in /etc is still kept. Also, the compatibility /etc
file needs to use a full path due to a bug in GNOME Shell.

The full path to a arch-dependent file in a supposedly arch-independent
file is a sin and a multilib violation in some distributions. However.
some pre-release versions of NetworkManager-1.2 as shipped by
distributions require a full path. Let's keep a configure-time option
for that.

3 years agonm: Automatically determine NM plugin directory
Tobias Brunner [Fri, 29 Jul 2016 16:22:19 +0000 (18:22 +0200)]
nm: Automatically determine NM plugin directory

3 years agonm: Automatically determine path to the auth dialog
Lubomir Rintel [Sat, 23 Apr 2016 08:51:43 +0000 (10:51 +0200)]
nm: Automatically determine path to the auth dialog

3 years agonm: Don't do <deny send_interface="..." /> in dbus service file
Lubomir Rintel [Sat, 16 Apr 2016 18:39:45 +0000 (20:39 +0200)]
nm: Don't do <deny send_interface="..." /> in dbus service file

It does more than intended; apart from denying messages to that
particular interface it also denies all messages non-qualified with an
interface globally. This blocks messages completely unrelated to
strongSwan's VPN plugin, such as NetworkManager communication with the
VPN plugins.

From the dbus-daemon manual:

  Be careful with send_interface/receive_interface, because the
  interface field in messages is optional. In particular, do NOT
  specify <deny send_interface="org.foo.Bar"/>! This will cause
  no-interface messages to be blocked for all services, which is
  almost certainly not what you intended. Always use rules of the form:

  <deny send_interface="org.foo.Bar" send_destination="org.foo.Service"/>

We can just safely remove those rules, since we're sufficiently
protected by the send_destination matches and method calls are
disallowed by default anyway.

Closes strongswan/strongswan#42.

3 years agonm: Move the D-Bus policy to charon-nm
Lubomir Rintel [Wed, 21 Oct 2015 10:55:03 +0000 (12:55 +0200)]
nm: Move the D-Bus policy to charon-nm

It's needed for useful use of charon-nm, unlike the GUI.

3 years agonm: Add AppStream metadata
Lubomir Rintel [Thu, 14 Apr 2016 11:59:34 +0000 (13:59 +0200)]
nm: Add AppStream metadata

This will ensure the strongSwan NetworkManager plugin will be easily
installable from the app stores such as GNOME Software.

Closes strongswan/strongswan#41.

3 years agopt-tls-client: Added support of ECDSA keys
Andreas Steffen [Wed, 31 Aug 2016 15:06:47 +0000 (17:06 +0200)]
pt-tls-client: Added support of ECDSA keys

3 years agolibimcv: No need to load AIK pubkey if AIK certificate is available
Andreas Steffen [Wed, 31 Aug 2016 14:12:47 +0000 (16:12 +0200)]
libimcv: No need to load AIK pubkey if AIK certificate is available

3 years agoswanctl: Document how DH groups in CHILD_SA proposals are applied
Tobias Brunner [Wed, 31 Aug 2016 09:44:11 +0000 (11:44 +0200)]
swanctl: Document how DH groups in CHILD_SA proposals are applied

References #1039.

3 years agoman: Update description of the esp keyword
Tobias Brunner [Wed, 31 Aug 2016 09:38:38 +0000 (11:38 +0200)]
man: Update description of the esp keyword

Clarifies how DH groups are applied, updates the proposal selection
description and ESN can now also be configured for IKEv1.

References #1039.

3 years agopadlock: Use builtin bswap32() to fix compilation on FreeBSD
Tobias Brunner [Wed, 31 Aug 2016 08:51:24 +0000 (10:51 +0200)]
padlock: Use builtin bswap32() to fix compilation on FreeBSD

Fixes #591.

3 years agotesting: Try to properly abort a test run after CTRL-C
Tobias Brunner [Tue, 30 Aug 2016 13:30:49 +0000 (15:30 +0200)]
testing: Try to properly abort a test run after CTRL-C

The run is aborted after the current scenario.  Depending on which
command was interrupted it might be necessary to press CTRL-C multiple
times (e.g. if a later command depends on the interrupted one).

This should fix HTML files and get us some proper console output after
the run.

3 years agotesting: Report number of tests per subdirectory in main index
Tobias Brunner [Mon, 29 Aug 2016 17:15:24 +0000 (19:15 +0200)]
testing: Report number of tests per subdirectory in main index

3 years agotesting: Mount and serve testresults from the host
Tobias Brunner [Thu, 21 Jul 2016 13:04:24 +0000 (15:04 +0200)]
testing: Mount and serve testresults from the host

This avoids having to copy testresults, makes results of cancelled runs
browsable (runs may actually be followed live) and preserves old results
when rebuilding guest images (e.g. when using the build-strongswan script).
The number of consecutive test runs without any intermittent rebuild of the
guest images is also not limited by the image size anymore.

3 years agotesting: Create a symlink to the testresults under a known path when starting the...
Tobias Brunner [Thu, 21 Jul 2016 13:02:20 +0000 (15:02 +0200)]
testing: Create a symlink to the testresults under a known path when starting the environment

3 years agotesting: Serve images in testresults via mod_rewrite and not a symlink
Tobias Brunner [Thu, 21 Jul 2016 13:01:00 +0000 (15:01 +0200)]
testing: Serve images in testresults via mod_rewrite and not a symlink

3 years agoconf: Extend description of charon.plugins.kernel-netlink.xfrm_acq_expires
Tobias Brunner [Thu, 21 Jul 2016 15:24:00 +0000 (17:24 +0200)]
conf: Extend description of charon.plugins.kernel-netlink.xfrm_acq_expires

3 years agoproposal: Use proper list to get function pointer when adding custom parser
Thomas Egerer [Wed, 24 Feb 2016 18:09:37 +0000 (19:09 +0100)]
proposal: Use proper list to get function pointer when adding custom parser

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agoandroid: Add missing xof.c file
Tobias Brunner [Mon, 29 Aug 2016 08:42:00 +0000 (10:42 +0200)]
android: Add missing xof.c file

Fixes #2093.

3 years agoxof: Add header to dev headers
Tobias Brunner [Mon, 29 Aug 2016 08:40:59 +0000 (10:40 +0200)]
xof: Add header to dev headers

3 years agoVersion bump to 5.5.1dr2 5.5.1dr2
Andreas Steffen [Fri, 26 Aug 2016 20:55:41 +0000 (22:55 +0200)]
Version bump to 5.5.1dr2

3 years agoconfigure: Improve check for built-in __atomic_* functions
Tobias Brunner [Wed, 20 Jul 2016 09:01:17 +0000 (11:01 +0200)]
configure: Improve check for built-in __atomic_* functions

With AC_SEARCH_LIBS() we don't succeed if the searched function is a
built-in as the check uses the wrong signature so the built-in will not
be applied (the warning issued by GCC is "conflicting types for built-in
function '...'").  So even if not required, libatomic will be linked if
it is found, which could be problematic if compiling on a separate host
and the target host does not have libatomic installed.

Also, some tests showed that it's more likely that __atomic_and_fetch()
requires linking libatomic than __atomic_load_n() does.

References #1533.

3 years agotravis: Add a workaround for a bug regarding libtool installed via Homebrew
Tobias Brunner [Wed, 24 Aug 2016 08:50:28 +0000 (10:50 +0200)]
travis: Add a workaround for a bug regarding libtool installed via Homebrew

3 years agoikev1: Don't require AH mapping for integrity algorithm when generating proposal
Thomas Egerer [Mon, 4 Jul 2016 09:10:53 +0000 (11:10 +0200)]
ikev1: Don't require AH mapping for integrity algorithm when generating proposal

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agolibtpmtss: TCTI finalization call changed
Andreas Steffen [Thu, 25 Aug 2016 11:22:34 +0000 (13:22 +0200)]
libtpmtss: TCTI finalization call changed

3 years agoconf: aikpub2.opt added to Makefile.am
Andreas Steffen [Wed, 24 Aug 2016 12:41:10 +0000 (14:41 +0200)]
conf: aikpub2.opt added to Makefile.am

3 years agopki: Allow to load CRLs from files in --verify
Tobias Brunner [Thu, 18 Aug 2016 16:07:21 +0000 (18:07 +0200)]
pki: Allow to load CRLs from files in --verify

3 years agoikev1: Ignore the last two bytes of the Cisco Unity vendor ID
Tobias Brunner [Tue, 23 Aug 2016 14:47:05 +0000 (16:47 +0200)]
ikev1: Ignore the last two bytes of the Cisco Unity vendor ID

These seem to indicate the major and minor version of the protocol, like
e.g. for the DPD vendor ID.  Some implementations seem to send versions
other than 1.0 so we just ignore these for now when checking for known
vendor IDs.

Fixes #2088.

3 years agoutils: Fix definition of BYTE_ORDER with MinGW
Tobias Brunner [Tue, 23 Aug 2016 12:27:09 +0000 (14:27 +0200)]
utils: Fix definition of BYTE_ORDER with MinGW

3 years agoikev1: Accept more than one certificate payload in aggressive mode
Tobias Brunner [Wed, 17 Aug 2016 08:26:01 +0000 (10:26 +0200)]
ikev1: Accept more than one certificate payload in aggressive mode

Fixes #2085.

3 years agotesting: Virtual IPs went missing
Andreas Steffen [Tue, 16 Aug 2016 15:18:17 +0000 (17:18 +0200)]
testing: Virtual IPs went missing

3 years agounit-tests: Removed unused variable
Andreas Steffen [Thu, 11 Aug 2016 15:01:33 +0000 (17:01 +0200)]
unit-tests: Removed unused variable

3 years agoVersion bump to 5.5.1dr1 5.5.1dr1
Andreas Steffen [Wed, 10 Aug 2016 16:11:53 +0000 (18:11 +0200)]
Version bump to 5.5.1dr1

3 years agoMerge branch 'newhope'
Andreas Steffen [Wed, 10 Aug 2016 14:23:04 +0000 (16:23 +0200)]
Merge branch 'newhope'

3 years agotesting: Added swanctl/rw-newhope-bliss scenario
Andreas Steffen [Wed, 10 Aug 2016 13:14:26 +0000 (15:14 +0200)]
testing: Added swanctl/rw-newhope-bliss scenario

3 years agotesting: Add chapoly, ntru and newhope plugins to crypto and integrity tests
Andreas Steffen [Wed, 10 Aug 2016 12:34:27 +0000 (14:34 +0200)]
testing: Add chapoly, ntru and newhope plugins to crypto and integrity tests

3 years agotesting: Added ikev2/rw-newhope-bliss scenario
Andreas Steffen [Wed, 10 Aug 2016 12:19:32 +0000 (14:19 +0200)]
testing: Added ikev2/rw-newhope-bliss scenario

3 years agounit-tests: Created newhope unit-tests
Andreas Steffen [Tue, 9 Aug 2016 18:58:00 +0000 (20:58 +0200)]
unit-tests: Created newhope unit-tests

3 years agoCreated newhope plugin implementing the New Hope key exchange algorithm
Andreas Steffen [Tue, 26 Jul 2016 09:32:22 +0000 (11:32 +0200)]
Created newhope plugin implementing the New Hope key exchange algorithm

3 years agoxof: Added ChaCha20 stream as XOF
Andreas Steffen [Wed, 3 Aug 2016 12:46:08 +0000 (14:46 +0200)]
xof: Added ChaCha20 stream as XOF

3 years agoutils: Defined uletoh16() and htole16()
Andreas Steffen [Wed, 3 Aug 2016 12:45:01 +0000 (14:45 +0200)]
utils: Defined uletoh16() and htole16()

3 years agointegrity-test: Added ntru_param_sets to read-only segment
Andreas Steffen [Mon, 25 Jul 2016 11:49:59 +0000 (13:49 +0200)]
integrity-test: Added ntru_param_sets to read-only segment

3 years agointegrity-test: Added bliss_param_sets to read-only segment
Andreas Steffen [Mon, 25 Jul 2016 10:41:43 +0000 (12:41 +0200)]
integrity-test: Added bliss_param_sets to read-only segment

3 years agointegrity-test: check code and ro segments of libnttfft
Andreas Steffen [Mon, 25 Jul 2016 10:17:49 +0000 (12:17 +0200)]
integrity-test: check code and ro segments of libnttfft

3 years agoCreated libnttfft
Andreas Steffen [Sun, 24 Jul 2016 17:57:54 +0000 (19:57 +0200)]
Created libnttfft

This makes Number Theoretic Transforms (NTT) based on the efficient
Fast-Fourier-Transform (FFT) available to multiple plugins.

3 years agoShare twiddle factors table between 512 and 1024 point FFT
Andreas Steffen [Fri, 22 Jul 2016 15:20:23 +0000 (17:20 +0200)]
Share twiddle factors table between 512 and 1024 point FFT

3 years agoImplemented FFT with n = 1024 and q = 11289 using Montgomery arithmetic
Andreas Steffen [Fri, 22 Jul 2016 14:42:49 +0000 (16:42 +0200)]
Implemented FFT with n = 1024 and q = 11289 using Montgomery arithmetic

3 years agobliss: Implemented FFT with fast Montgomery arithmetic
Andreas Steffen [Fri, 22 Jul 2016 09:36:59 +0000 (11:36 +0200)]
bliss: Implemented FFT with fast Montgomery arithmetic

3 years agoxof: Implemented SHAKE128 and SHAKE256 Extended Output Functions
Andreas Steffen [Thu, 28 Jul 2016 12:46:56 +0000 (14:46 +0200)]
xof: Implemented SHAKE128 and SHAKE256 Extended Output Functions

3 years agoxof: Defined Extended Output Functions
Andreas Steffen [Thu, 28 Jul 2016 12:42:42 +0000 (14:42 +0200)]
xof: Defined Extended Output Functions

3 years agovici: Increased various string buffers to BUF_LEN (512 bytes)
Andreas Steffen [Fri, 29 Jul 2016 10:34:40 +0000 (12:34 +0200)]
vici: Increased various string buffers to BUF_LEN (512 bytes)

3 years agointegrity-test: Added charon-systemd
Andreas Steffen [Fri, 29 Jul 2016 10:33:32 +0000 (12:33 +0200)]
integrity-test: Added charon-systemd

3 years agoAdded SHA-3 signature OIDs
Andreas Steffen [Tue, 26 Jul 2016 11:34:45 +0000 (13:34 +0200)]
Added SHA-3 signature OIDs

3 years agolibcharon: Add exchange_tests to .gitignore
Tobias Brunner [Mon, 25 Jul 2016 12:01:26 +0000 (14:01 +0200)]
libcharon: Add exchange_tests to .gitignore

3 years agounit-tests: Decreased loop count of FFT speed test to 10'000
Andreas Steffen [Fri, 22 Jul 2016 19:27:42 +0000 (21:27 +0200)]
unit-tests: Decreased loop count of FFT speed test to 10'000

3 years agounit-tests: Added bliss_fft_speed test
Andreas Steffen [Fri, 22 Jul 2016 09:58:10 +0000 (11:58 +0200)]
unit-tests: Added bliss_fft_speed test

3 years agoMerge branch 'tss2-sapi'
Andreas Steffen [Wed, 20 Jul 2016 09:26:45 +0000 (11:26 +0200)]
Merge branch 'tss2-sapi'

3 years agolibtpmtss: Use pkconfig to configure TSS 2.0 includes and libraries
Andreas Steffen [Mon, 18 Jul 2016 14:20:58 +0000 (16:20 +0200)]
libtpmtss: Use pkconfig to configure TSS 2.0 includes and libraries

3 years agoike1: Flush active queue when queueing a delete of the IKE_SA
Tobias Brunner [Tue, 28 Jun 2016 10:22:10 +0000 (12:22 +0200)]
ike1: Flush active queue when queueing a delete of the IKE_SA

By aborting the active task we don't have to wait for potential
retransmits if the other peer does not respond to the current task.
Since IKEv1 has no sequential message IDs and INFORMATIONALs are no real
exchanges this should not be a problem.

Fixes #1537
References #429, #1410
Closes strongswan/strongswan#48

3 years agoVersion bump to 5.5.0 5.5.0
Andreas Steffen [Wed, 13 Jul 2016 11:26:16 +0000 (13:26 +0200)]
Version bump to 5.5.0

3 years agoNEWS: Some updates for the 5.5.0 release
Tobias Brunner [Mon, 11 Jul 2016 13:42:51 +0000 (15:42 +0200)]
NEWS: Some updates for the 5.5.0 release

3 years agoFixed some typos, courtesy of codespell
Tobias Brunner [Wed, 29 Jun 2016 14:14:17 +0000 (16:14 +0200)]
Fixed some typos, courtesy of codespell

3 years agotesting: Remove obsolete openssl-fips recipe
Tobias Brunner [Wed, 29 Jun 2016 12:39:06 +0000 (14:39 +0200)]
testing: Remove obsolete openssl-fips recipe

This was only required when we initially started and OpenSSL was built
from sources, which was changed with b97dd59ba841 ("install FIPS-aware
OpenSSL Debian packages").

3 years agoRevert "testing: Only load selected plugins in swanctl"
Tobias Brunner [Fri, 1 Jul 2016 15:18:11 +0000 (17:18 +0200)]
Revert "testing: Only load selected plugins in swanctl"

This reverts commit dee01d019ba9743b2784b417155601d10c173a66.

Thanks to 505c31870162 ("leak-detective: Try to properly free
allocations after deinitialization") this is not required anymore.

3 years agoVersion bump to 5.5.0rc1 5.5.0rc1
Andreas Steffen [Thu, 30 Jun 2016 14:28:28 +0000 (16:28 +0200)]
Version bump to 5.5.0rc1

3 years agoimcv: Added EFI HCRTM event
Andreas Steffen [Thu, 30 Jun 2016 14:20:00 +0000 (16:20 +0200)]
imcv: Added EFI HCRTM event

3 years agotesting: Version bump to 4.6.3 kernel and strongSwan 5.5.0
Andreas Steffen [Thu, 30 Jun 2016 14:18:38 +0000 (16:18 +0200)]
testing: Version bump to 4.6.3 kernel and strongSwan 5.5.0

3 years agoaikgen: Fix computation of key ID of the AIK public key
Tobias Brunner [Thu, 30 Jun 2016 10:56:41 +0000 (12:56 +0200)]
aikgen: Fix computation of key ID of the AIK public key

We don't have direct access to the modulus and exponent of the key anymore.

3 years agolibtpmtss: Define missing Doxygen group and fix some comments
Tobias Brunner [Thu, 30 Jun 2016 08:56:25 +0000 (10:56 +0200)]
libtpmtss: Define missing Doxygen group and fix some comments

3 years agolibimcv: Fix Doxygen comment
Tobias Brunner [Thu, 30 Jun 2016 08:54:45 +0000 (10:54 +0200)]
libimcv: Fix Doxygen comment

3 years agotesting: Add ikev1/net2net-esn scenario
Tobias Brunner [Tue, 21 Jun 2016 08:40:33 +0000 (10:40 +0200)]
testing: Add ikev1/net2net-esn scenario

3 years agoikev1: Add support for extended sequence numbers
Thomas Egerer [Mon, 20 Jun 2016 16:19:51 +0000 (18:19 +0200)]
ikev1: Add support for extended sequence numbers

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
3 years agoplugin-loader: Allow selective modification of the default plugin list
Tobias Brunner [Tue, 21 Jun 2016 09:12:18 +0000 (11:12 +0200)]
plugin-loader: Allow selective modification of the default plugin list

This change allows selectively modifying the default plugin list by setting
the `load` setting of individual plugins (e.g. to disable them or to change
their priority) without enabling charon.load_modular and having to configure
a section and a load statement for every plugin.

3 years agoMerge branch 'openssl-1.1.0'
Tobias Brunner [Wed, 29 Jun 2016 09:10:07 +0000 (11:10 +0200)]
Merge branch 'openssl-1.1.0'

This adds support for OpenSSL 1.1.0.  Several APIs have changed and it makes
all types opaque, which requires using new getter/setter functions.  For older
versions fallbacks are provided.

3 years agoleak-detective: Try to properly free allocations after deinitialization
Tobias Brunner [Mon, 27 Jun 2016 16:04:39 +0000 (18:04 +0200)]
leak-detective: Try to properly free allocations after deinitialization

If a function we whitelist allocates memory while leak detective is enabled
but only frees it after LD has already been disabled, free() will get called
with invalid pointers (not pointing to the actually allocated memory by LD),
which will cause checks in the C library to fail and the program to crash.
This tries to detect such cases and calling free with the correct pointer.

3 years agoopenssl: Whitelist OPENSSL_init_crypto() and others in leak detective
Tobias Brunner [Mon, 27 Jun 2016 15:44:57 +0000 (17:44 +0200)]
openssl: Whitelist OPENSSL_init_crypto() and others in leak detective

Lots of static data is allocated in this function, which isn't freed until
the library is unloaded (we can't call OPENSSL_cleanup() as initialization
would fail when calling it again later).  When enabling the leak
detective the test runner eventually crashes as all the data allocated during
initialization has an invalid size when freed after leak detective has been
unloaded.

3 years agoopenssl: Update GCM/crypter API to OpenSSL 1.1.0
Tobias Brunner [Mon, 27 Jun 2016 15:33:58 +0000 (17:33 +0200)]
openssl: Update GCM/crypter API to OpenSSL 1.1.0

3 years agoopenssl: Update HMAC API to OpenSSL 1.1.0
Tobias Brunner [Mon, 27 Jun 2016 15:31:31 +0000 (17:31 +0200)]
openssl: Update HMAC API to OpenSSL 1.1.0