8 years agoGenerated new test certificates
Andreas Steffen [Thu, 28 Aug 2014 19:34:40 +0000 (21:34 +0200)]
Generated new test certificates

8 years agoha: Don't adopt IKEv1 children when building without IKEv1 support
Martin Willi [Thu, 28 Aug 2014 08:16:51 +0000 (10:16 +0200)]
ha: Don't adopt IKEv1 children when building without IKEv1 support

The adopt_children_job_create() function is not available when IKEv1 support
is disabled. Fixes uncommon builds using --enable-ha --disable-ikev1.

Fixes #690.

8 years agotesting: Make sure the kernel exists when starting
Tobias Brunner [Mon, 25 Aug 2014 08:58:46 +0000 (10:58 +0200)]
testing: Make sure the kernel exists when starting

8 years agounity: Do not bump TS to as initiator when no Split-Include received
Martin Willi [Mon, 4 Aug 2014 08:38:08 +0000 (10:38 +0200)]
unity: Do not bump TS to as initiator when no Split-Include received

When having the unity plugin enabled and both peers send the Unity Vendor ID,
we proposed as traffic selector, even if no Split-Include has been
received on the SA. This can break compatibility with some responders, as
they don't narrow the TS themselves, but expect the configured TS.

8 years agounity: Handle narrowing according to roles in the IKE_SA
Tobias Brunner [Thu, 17 Jul 2014 15:24:43 +0000 (17:24 +0200)]
unity: Handle narrowing according to roles in the IKE_SA

Since the narrow hook types reflect the roles in the Quick Mode exchange
the plugin behaved incorrectly if the server initiated the CHILD_SA

8 years agoMerge branch 'push-mode-reauth'
Martin Willi [Mon, 25 Aug 2014 07:57:05 +0000 (09:57 +0200)]
Merge branch 'push-mode-reauth'

Fixes IKEv1 re-authentication when using push mode by reassigning the same
IP lease to the client.

8 years agoikev1: Defer Mode Config push after CHILD adoption when using XAuth
Martin Willi [Mon, 7 Jul 2014 09:10:43 +0000 (11:10 +0200)]
ikev1: Defer Mode Config push after CHILD adoption when using XAuth

8 years agoikev1: Defer Mode Config push after CHILD adoption and reauth detection
Martin Willi [Mon, 7 Jul 2014 08:42:11 +0000 (10:42 +0200)]
ikev1: Defer Mode Config push after CHILD adoption and reauth detection

When an initiator starts reauthentication on a connection that uses push
mode to assign a virtual IP, we can't execute the Mode Config before releasing
the virtual IP. Otherwise we would request a new and different lease, which
the client probably can't handle. Defer Mode Config execution, so the same IP
gets first released then reassigned during reauthentication.

8 years agoikev1: Extend adopt_children_job by task queuing, executed after adoption
Martin Willi [Mon, 7 Jul 2014 08:36:35 +0000 (10:36 +0200)]
ikev1: Extend adopt_children_job by task queuing, executed after adoption

8 years agoikev1: Accept Quick Mode DELETES while Quick Mode rekeying is active
Martin Willi [Fri, 11 Jul 2014 09:59:01 +0000 (11:59 +0200)]
ikev1: Accept Quick Mode DELETES while Quick Mode rekeying is active

If a peer immediately sends DELETE messages when completing Quick Mode rekeying,
the third Quick Mode message and the DELETE are sent simultaneously. This
implies that DELETE messages may arrive before the completing third Quick Mode

Handle this case by ignoring the DELETE INFORMATIONAL in Quick Mode and let
the delete task handle it.

8 years agoutils: Check if the parameter passed to countof() is actually an array type
Martin Willi [Fri, 4 Jul 2014 12:37:58 +0000 (14:37 +0200)]
utils: Check if the parameter passed to countof() is actually an array type

This should avoid errors such as the one fixed with 118b2879.

8 years agoutils: Add some initial build time assertion macros
Martin Willi [Fri, 4 Jul 2014 12:35:27 +0000 (14:35 +0200)]
utils: Add some initial build time assertion macros

These are useful to assert constants during build time. We evaluate the
expression to 0 when valid, so we can safely use the evaluated value.

8 years agostarter: Do not close all file descriptors after fork()
Martin Willi [Fri, 11 Jul 2014 12:40:56 +0000 (14:40 +0200)]
starter: Do not close all file descriptors after fork()

As we use libstrongswan and expect that it still works after the fork, we
can't just closefrom() all file descriptors. Watcher, for example, uses
a pipe to notify FDSET changes, which must be kept open.

Reverts 652ddf5ce2fad08f6569096dd56a821500cc5ba4.

8 years agoike-sa-manager: Use transient hasher for IKE_SA_INIT hash calculation
Christophe Gouault [Fri, 11 Jul 2014 11:40:25 +0000 (13:40 +0200)]
ike-sa-manager: Use transient hasher for IKE_SA_INIT hash calculation

To check if a received IKE_SA_INIT request is a new request or a
retransmit, charon maintains hashes of the pending IKE_SA_INIT

However, the hash calculation is not reentrant because a single hasher
is used for the whole IKE SA manager. It leads to bogus calculations
under high load and hence dropped messages on responder
(IkeInInvalidSpi incremented).

Don't share a single hasher in the IKE SA manager, create a transient
one whenever a message must be hashed.

Signed-off-by: Christophe Gouault <>
8 years agodiffie-hellman: Explicitly initialize DH exponent sizes during initialization
Martin Willi [Wed, 16 Jul 2014 14:44:24 +0000 (16:44 +0200)]
diffie-hellman: Explicitly initialize DH exponent sizes during initialization

To avoid any race conditions when multiple threads call and initialize
diffie_hellman_get_params(), explicitly examine the optimum DH exponent size
during library initialization.

Fixes #655.

8 years agokernel-pfroute: Fix kernel response handling
Tobias Brunner [Tue, 19 Aug 2014 09:08:33 +0000 (11:08 +0200)]
kernel-pfroute: Fix kernel response handling

The condvar is signaled for every handled message received from the
kernel not only for replies (this changed with 2a2d7a4dc8).  This may
cause segfaults because this->reply is not set when the waiting thread is
woken due to an IP address change.

Since this->reply is only set when it is actually the expected reply (and
only one request is sent at a time, thanks to c9a323c1d9) we only have
to make sure the reply is there (and clear it once we handled it).

Using separate condvars could also be an option in the future.

8 years agoconfigure: Add additional includes when checking for linux/fib_rules.h
Tobias Brunner [Mon, 11 Aug 2014 16:38:20 +0000 (18:38 +0200)]
configure: Add additional includes when checking for linux/fib_rules.h

This seems to be required on Cent OS 6.5.

8 years agostarter: Wait indefinitely for charon when using --attach-gdb
Martin Willi [Fri, 8 Aug 2014 08:28:58 +0000 (10:28 +0200)]
starter: Wait indefinitely for charon when using --attach-gdb

This makes sure the user has time to set break points etc. before it runs
charon under gdb.

8 years agostarter: Don't monitor child if debugger is attached
Thomas Egerer [Thu, 7 Aug 2014 16:05:46 +0000 (18:05 +0200)]
starter: Don't monitor child if debugger is attached

Signed-off-by: Thomas Egerer <>
8 years agoAdded Debian 7.6 to IMV database
Andreas Steffen [Wed, 6 Aug 2014 06:04:42 +0000 (08:04 +0200)]
Added Debian 7.6 to IMV database

8 years agounused os_info_t object removed
Andreas Steffen [Wed, 6 Aug 2014 05:55:54 +0000 (07:55 +0200)]
unused os_info_t object removed

8 years agoUpdated to 3.13.0-32-generic Ubuntu kernel
Andreas Steffen [Wed, 6 Aug 2014 05:54:57 +0000 (07:54 +0200)]
Updated to 3.13.0-32-generic Ubuntu kernel

8 years agoimv-swid: Use pkg-config to check for libjson-c
Tobias Brunner [Wed, 30 Jul 2014 14:01:41 +0000 (16:01 +0200)]
imv-swid: Use pkg-config to check for libjson-c

The package/library is called libjson-c on recent distributions.
Some like Ubuntu 14.04 provide symlinks with the old name but these
will eventually disappear.  Using pkg-config allows us to easily check
for it (with a fallback) and configure the proper compiler flags.

Fixes #663.

8 years agodns-proxy: Don't use proxy socket if we fail to bypass it
Tobias Brunner [Wed, 30 Jul 2014 07:48:08 +0000 (09:48 +0200)]
dns-proxy: Don't use proxy socket if we fail to bypass it

This will result in an infinite loop as packets sent over that socket
will again pass through the TUN device and the DNS proxy.

Apparently, bypassing fails when airplane mode is enabled.

Fixes #662.

8 years agoswanctl: Fix documentation of options for send_cert setting
Tobias Brunner [Mon, 28 Jul 2014 08:37:09 +0000 (10:37 +0200)]
swanctl: Fix documentation of options for send_cert setting

8 years agoandroid: New release after adding certificate import, DNS proxy and GUI changes
Tobias Brunner [Tue, 22 Jul 2014 09:34:09 +0000 (11:34 +0200)]
android: New release after adding certificate import, DNS proxy and GUI changes

8 years agoMerge branch 'android-dns-proxy'
Tobias Brunner [Tue, 22 Jul 2014 09:10:59 +0000 (11:10 +0200)]
Merge branch 'android-dns-proxy'

Adds a DNS proxy feature that uses VPN-protected sockets to resolve the
VPN gateway's hostname while reestablishing the IKE_SA, which is
required because we keep the TUN device up to avoid leaking plaintext

The TUN device is recreated without DNS servers before reestablishing in
case the VPN server pushed DNS servers to the client that are only
reachable via VPN.

Fixes #622.

8 years agoandroid: For keyingtries > 0 notify the GUI if the limit is reached when reestablishing
Tobias Brunner [Thu, 17 Jul 2014 13:39:29 +0000 (15:39 +0200)]
android: For keyingtries > 0 notify the GUI if the limit is reached when reestablishing

The IKE_SA is destroyed anyway, so letting the GUI remain in
"connecting" state would be incorrect.

We still use keyingtries=0 for now, though. And we still abort after the
first failed attempt initially, in case there is a configuration error.

8 years agoandroid: Terminate IKE_SA if initial IKE_SA_INIT fails
Tobias Brunner [Thu, 17 Jul 2014 13:22:29 +0000 (15:22 +0200)]
android: Terminate IKE_SA if initial IKE_SA_INIT fails

Since VpnStateService.disconnect() is now not called until the error
dialog is dismissed the daemon would continue to try connecting.
So while the error dialog is shown the connection might actually be
successfully established in the background, which is not intended.

This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of
the second connection attempt (due to keyingtries=0).

8 years agoandroid: Only allow DNS queries for the configured hostname
Tobias Brunner [Wed, 16 Jul 2014 14:20:00 +0000 (16:20 +0200)]
android: Only allow DNS queries for the configured hostname

8 years agoandroid: Add optional filter functionality to DNS proxy
Tobias Brunner [Wed, 16 Jul 2014 14:17:28 +0000 (16:17 +0200)]
android: Add optional filter functionality to DNS proxy

If specified only queries for a list of allowed host names will be

8 years agoandroid: Recreate the TUN device without DNS when reestablishing IKE_SAs
Tobias Brunner [Wed, 16 Jul 2014 12:01:12 +0000 (14:01 +0200)]
android: Recreate the TUN device without DNS when reestablishing IKE_SAs

This enables DNS resolution while reestablishing if the VPN gateway pushed
DNS servers to the client that are only reachable via VPN.

8 years agoandroid: Add method to BuilderAdapter to re-establish without DNS-related data
Tobias Brunner [Wed, 16 Jul 2014 11:54:57 +0000 (13:54 +0200)]
android: Add method to BuilderAdapter to re-establish without DNS-related data

Non-DNS data is cached in the BuilderAdapter so the TUN device can be
recreated easily (since the CHILD_SA is gone we couldn't actually gather
that information).

8 years agoandroid: Use DNS proxy when reestablishing IKE_SAs
Tobias Brunner [Wed, 16 Jul 2014 11:11:10 +0000 (13:11 +0200)]
android: Use DNS proxy when reestablishing IKE_SAs

8 years agobus: Add ike_reestablish_pre hook, called before DNS resolution
Tobias Brunner [Wed, 16 Jul 2014 10:38:44 +0000 (12:38 +0200)]
bus: Add ike_reestablish_pre hook, called before DNS resolution

The old hook is renamed to ike_reestablish_post and is now also called
when the initiation of the new IKE_SA failed.

8 years agoandroid: Add DNS proxy implementation
Tobias Brunner [Tue, 15 Jul 2014 15:52:43 +0000 (17:52 +0200)]
android: Add DNS proxy implementation

This class proxies DNS requests over VPN-protected UDP sockets.
It is not really Android specific and might be useful for
kernel-libipsec or libipsec in general too, so we could maybe move it later
to libipsec (might need some portability work).

8 years agoip_packet: Add function to easily encode UDP packets
Tobias Brunner [Tue, 15 Jul 2014 15:32:25 +0000 (17:32 +0200)]
ip_packet: Add function to easily encode UDP packets

8 years agoip_packet: Apply transport protocol ports when encoding IP packet
Tobias Brunner [Tue, 15 Jul 2014 15:19:48 +0000 (17:19 +0200)]
ip_packet: Apply transport protocol ports when encoding IP packet

8 years agoip_packet: Add getter for IP payload
Tobias Brunner [Tue, 15 Jul 2014 11:51:49 +0000 (13:51 +0200)]
ip_packet: Add getter for IP payload

8 years agoip_packet: Allow creation of IP packets from data
Tobias Brunner [Tue, 15 Jul 2014 16:02:06 +0000 (18:02 +0200)]
ip_packet: Allow creation of IP packets from data

8 years agochunk: Add function to calculate Internet Checksums according to RFC 1071
Tobias Brunner [Tue, 15 Jul 2014 11:14:46 +0000 (13:14 +0200)]
chunk: Add function to calculate Internet Checksums according to RFC 1071

8 years agoip_packet: Parse ports from TCP and UDP headers
Tobias Brunner [Mon, 14 Jul 2014 15:33:17 +0000 (17:33 +0200)]
ip_packet: Parse ports from TCP and UDP headers

8 years agoMerge branch 'android-state-updates'
Tobias Brunner [Tue, 22 Jul 2014 08:57:57 +0000 (10:57 +0200)]
Merge branch 'android-state-updates'

The GUI reflects the state of the IKE daemon more closely by switching
back to the "connecting" state when the IKE_SA or CHILD_SA is down and
is getting reestablished.

Fixes #616.

8 years agoandroid: Delay disconnecting on errors until user dismisses them
Tobias Brunner [Mon, 14 Jul 2014 13:43:06 +0000 (15:43 +0200)]
android: Delay disconnecting on errors until user dismisses them

If e.g. reauthentication fails we don't want to close the TUN device
until the user acknowledged the error and is thus aware of the failure.

8 years agoandroid: Set CHILD_STATE_DOWN when the IKE_SA gets reestablished
Tobias Brunner [Mon, 14 Jul 2014 13:10:49 +0000 (15:10 +0200)]
android: Set CHILD_STATE_DOWN when the IKE_SA gets reestablished

8 years agoandroid: Set CHILD_STATE_DOWN whenever the CHILD_SA goes down
Tobias Brunner [Mon, 14 Jul 2014 13:08:24 +0000 (15:08 +0200)]
android: Set CHILD_STATE_DOWN whenever the CHILD_SA goes down

No matter what triggers it.  We also don't close the TUN device, but we
might handle that differently in the future to allow reestablishing the
IKE_SA if host names have to be re-resolved via DNS.

8 years agoandroid: Change to CONNECTING state if CHILD_SA goes down
Tobias Brunner [Mon, 14 Jul 2014 13:06:40 +0000 (15:06 +0200)]
android: Change to CONNECTING state if CHILD_SA goes down

Unless we are disconnecting.  This currently triggers the connecting
dialog, perhaps just updating the status text would do too (when switching

8 years agoMerge branch 'android-cert-import'
Tobias Brunner [Tue, 22 Jul 2014 08:51:32 +0000 (10:51 +0200)]
Merge branch 'android-cert-import'

Adds support to import CA and server certificate directly in the app.
On Android 4.4 and newer the SAF allows users to easily browse for such
files, on older systems they have to open them from file manager or the
download app (only works if the MIME type is correctly detected).

Also adds support for ECDSA keys on recent Android systems.

8 years agoandroid: Do not use deprecated TwoLineListItem
Tobias Brunner [Mon, 14 Jul 2014 12:24:31 +0000 (14:24 +0200)]
android: Do not use deprecated TwoLineListItem

8 years agoandroid: Add support for ECDSA private keys
Tobias Brunner [Tue, 8 Jul 2014 11:56:54 +0000 (13:56 +0200)]
android: Add support for ECDSA private keys

With 4.4.4 these work fine now.

8 years agoandroid: Show a confirmation dialog before importing certificates
Tobias Brunner [Thu, 5 Jun 2014 17:06:34 +0000 (19:06 +0200)]
android: Show a confirmation dialog before importing certificates

Since the import activity can be triggered by any other app on the
system we shouldn't just import every certificate we get.

Also, in some situations (e.g. if no passphrase has been set yet for the
system-wide certificate store) we are the only application that can open
certificate files.  So if a user clicked on a certificate file she would
just get a confirmation Toast about a successful import, with no indication
whatsoever where the certificate was actually imported.  The new dialog
shows the app icon to indicate that strongSwan is involved.

8 years agoandroid: Use Storage Access Framework to import certificates
Tobias Brunner [Sat, 31 May 2014 14:49:01 +0000 (16:49 +0200)]
android: Use Storage Access Framework to import certificates

Thanks to the SAF, introduced with Android 4.4, browsing and opening
files on the system is very easy to implement.

On older systems the menu option is removed.

8 years agoandroid: Add activity to import certificate files
Tobias Brunner [Fri, 30 May 2014 18:16:57 +0000 (20:16 +0200)]
android: Add activity to import certificate files

Such files can e.g. be opened from the Download view, if they are
associated with one of the supported mime-types.

8 years agoandroid: Imported certificates may be clicked to delete them
Tobias Brunner [Fri, 30 May 2014 17:52:40 +0000 (19:52 +0200)]
android: Imported certificates may be clicked to delete them

8 years agoandroid: Reload CA certificates without AsyncTask
Tobias Brunner [Fri, 30 May 2014 16:44:08 +0000 (18:44 +0200)]
android: Reload CA certificates without AsyncTask

We already use loaders in the GUI that can handle this asynchronously.

8 years agoandroid: Change how CA certificate reloads are initiated
Tobias Brunner [Fri, 30 May 2014 16:21:11 +0000 (18:21 +0200)]
android: Change how CA certificate reloads are initiated

8 years agoandroid: Add option to reload CA certificates to TrustedCertificatesActivity
Tobias Brunner [Fri, 30 May 2014 15:50:46 +0000 (17:50 +0200)]
android: Add option to reload CA certificates to TrustedCertificatesActivity

8 years agoandroid: Replace option to reload CA certificates with CA certificate view
Tobias Brunner [Fri, 30 May 2014 15:46:15 +0000 (17:46 +0200)]
android: Replace option to reload CA certificates with CA certificate view

The reload option will be added there.

8 years agoandroid: Only close TrustedCertificatesActivity on click when selecting a certificate
Tobias Brunner [Fri, 30 May 2014 15:40:24 +0000 (17:40 +0200)]
android: Only close TrustedCertificatesActivity on click when selecting a certificate

8 years agoandroid: Set action when using TrustedCertificatesActivity to select a certificate
Tobias Brunner [Fri, 30 May 2014 15:34:49 +0000 (17:34 +0200)]
android: Set action when using TrustedCertificatesActivity to select a certificate

8 years agoandroid: Allow selection of local certificates
Tobias Brunner [Fri, 30 May 2014 14:15:25 +0000 (16:15 +0200)]
android: Allow selection of local certificates

8 years agoandroid: Change how CA certificates from different sources are accessed
Tobias Brunner [Wed, 11 Jun 2014 12:48:08 +0000 (14:48 +0200)]
android: Change how CA certificates from different sources are accessed

8 years agoandroid: Cache certificates from multiple KeyStores
Tobias Brunner [Fri, 30 May 2014 13:13:50 +0000 (15:13 +0200)]
android: Cache certificates from multiple KeyStores

Including the new local one.

8 years agoandroid: Register local certificate store provider when the app is initialized
Tobias Brunner [Fri, 30 May 2014 11:45:31 +0000 (13:45 +0200)]
android: Register local certificate store provider when the app is initialized

8 years agoandroid: Add Provider for the local certificate store
Tobias Brunner [Fri, 30 May 2014 11:45:02 +0000 (13:45 +0200)]
android: Add Provider for the local certificate store

8 years agoandroid: Add KeyStoreSpi implementation that uses LocalCertificateStore
Tobias Brunner [Fri, 30 May 2014 11:30:35 +0000 (13:30 +0200)]
android: Add KeyStoreSpi implementation that uses LocalCertificateStore

8 years agoandroid: Add local certificate store
Tobias Brunner [Fri, 30 May 2014 11:28:16 +0000 (13:28 +0200)]
android: Add local certificate store

The class manages certificates stored in files within the app's
private data directory.

8 years agoandroid: Move TrustedCertificateEntry to a new package
Tobias Brunner [Fri, 30 May 2014 10:40:53 +0000 (12:40 +0200)]
android: Move TrustedCertificateEntry to a new package

8 years agoandroid: Subclass Application to provide static access to the application context
Tobias Brunner [Fri, 30 May 2014 10:35:54 +0000 (12:35 +0200)]
android: Subclass Application to provide static access to the application context

8 years agoandroid: Target latest SDK version
Tobias Brunner [Fri, 30 May 2014 10:34:46 +0000 (12:34 +0200)]
android: Target latest SDK version

8 years agoandroid: Add utility method to convert a byte array to a hex string
Tobias Brunner [Fri, 30 May 2014 09:08:35 +0000 (11:08 +0200)]
android: Add utility method to convert a byte array to a hex string

8 years agoandroid: Remove unused hash argument from getTrustedCertificates()
Tobias Brunner [Fri, 30 May 2014 09:22:19 +0000 (11:22 +0200)]
android: Remove unused hash argument from getTrustedCertificates()

8 years agoandroid: Use correct tag to define category for CREATE_SHORTCUT intent-filter
Tobias Brunner [Fri, 30 May 2014 09:03:25 +0000 (11:03 +0200)]
android: Use correct tag to define category for CREATE_SHORTCUT intent-filter

8 years agostarter: Fix memory leaks and warn if conn/ca sections are ignored due to parse errors
Tobias Brunner [Fri, 18 Jul 2014 15:12:09 +0000 (17:12 +0200)]
starter: Fix memory leaks and warn if conn/ca sections are ignored due to parse errors

8 years agoreceiver: Send a single INVALID_MAJOR_VERSION notify for IKE version > 2
Martin Willi [Thu, 17 Jul 2014 07:32:22 +0000 (09:32 +0200)]
receiver: Send a single INVALID_MAJOR_VERSION notify for IKE version > 2

We sent both a notify using IKEv1 and IKEv2. This is a little more aggressive
than required, RFC 5996 says we "SHOULD send an unauthenticated Notify
message of type INVALID_MAJOR_VERSION containing the highest (closest) version
number it supports".

Fixes #657.

8 years agoVersion bump to 5.2.1dr1
Andreas Steffen [Wed, 16 Jul 2014 13:59:56 +0000 (15:59 +0200)]
Version bump to 5.2.1dr1

8 years agoDetermine type of unsupported PA-TNC attribute in error message
Andreas Steffen [Wed, 16 Jul 2014 13:56:09 +0000 (15:56 +0200)]
Determine type of unsupported PA-TNC attribute in error message

8 years agoReplaced Tag File Path by Instance ID field
Andreas Steffen [Mon, 14 Jul 2014 18:38:11 +0000 (20:38 +0200)]
Replaced Tag File Path by Instance ID field

This update reflects the latest changes in the TCG TNC
SWID Messages and Attributes for IF-M specification

8 years agoman: Document where left|rightsigkey searches for public key files
Tobias Brunner [Mon, 14 Jul 2014 08:53:11 +0000 (10:53 +0200)]
man: Document where left|rightsigkey searches for public key files

8 years agoswanctl: Fix the swanctl.conf cacerts option name in the manpage and template
Martin Willi [Mon, 14 Jul 2014 07:18:47 +0000 (09:18 +0200)]
swanctl: Fix the swanctl.conf cacerts option name in the manpage and template

8 years agoUpdated URL to swidGenerator in recipe 5.2.0
Andreas Steffen [Wed, 9 Jul 2014 13:08:18 +0000 (15:08 +0200)]
Updated URL to swidGenerator in recipe

8 years agodumm: Undefine _GNU_SOURCE before including <ruby.h>, as it usually redefines it
Martin Willi [Wed, 9 Jul 2014 08:53:36 +0000 (10:53 +0200)]
dumm: Undefine _GNU_SOURCE before including <ruby.h>, as it usually redefines it

8 years agoVersion bump to 5.2.0
Andreas Steffen [Tue, 8 Jul 2014 13:24:22 +0000 (15:24 +0200)]
Version bump to 5.2.0

8 years agoNEWS: Updated URL to swidGenerator
Tobias Brunner [Mon, 7 Jul 2014 14:19:56 +0000 (16:19 +0200)]
NEWS: Updated URL to swidGenerator

8 years agosettings: Allow spaces in time settings before the optional unit
Martin Willi [Mon, 7 Jul 2014 13:53:49 +0000 (15:53 +0200)]
settings: Allow spaces in time settings before the optional unit

8 years agosettings: Be more strict in converting settings to specific data types
Martin Willi [Mon, 7 Jul 2014 13:49:04 +0000 (15:49 +0200)]
settings: Be more strict in converting settings to specific data types

As the behavior was inconsistent for empty strings or strings with characters
appended to a number, testing the code failed on some platforms. The new rules
are more strict, returning the default if additional characters or an empty
string was found for a setting.

8 years agoutils: Undefine mem{cpy,move,set} if set before defining them
Martin Willi [Mon, 7 Jul 2014 12:48:11 +0000 (14:48 +0200)]
utils: Undefine mem{cpy,move,set} if set before defining them

Some platforms, such as OS X, use macros for these functions. Undefine them
to avoid compiler warnings.

8 years agoenumerator: Enumerate glob(3) matches using gl_pathc
Martin Willi [Mon, 7 Jul 2014 13:27:19 +0000 (15:27 +0200)]
enumerator: Enumerate glob(3) matches using gl_pathc

While glob should return a NULL terminated gl_pathv when having no matches,
at least on OS X this is not true when using GLOB_DOOFFS. Rely on the
number of matches returned in gl_pathc, which seems to be more reliable in
error cases.

8 years agoxauth-pam: Add workaround for null-terminated passwords
Tobias Brunner [Mon, 7 Jul 2014 09:12:30 +0000 (11:12 +0200)]
xauth-pam: Add workaround for null-terminated passwords

Fixes #631.

8 years agokernel-netlink: Rename algorithm identifier from cast128 to cast5
Martin Willi [Fri, 4 Jul 2014 08:14:13 +0000 (10:14 +0200)]
kernel-netlink: Rename algorithm identifier from cast128 to cast5

Even if the XFRM identifier was named cast128 in the kernel before 2.6.31, it
actually never worked, because there is no such crypto algorithm.

The identifier has been changed to cast5 in
to make it work, so we should use that.

Fixes #633.

8 years agowinhttp: Do not use countof() on pointer argument
Tobias Brunner [Wed, 2 Jul 2014 10:08:16 +0000 (12:08 +0200)]
winhttp: Do not use countof() on pointer argument

8 years agooptionsfrom: Properly handle errors when determining file size
Tobias Brunner [Wed, 2 Jul 2014 10:03:36 +0000 (12:03 +0200)]
optionsfrom: Properly handle errors when determining file size

8 years agowindows: Fix off-by-one error in strerror_s_extended()
Tobias Brunner [Wed, 2 Jul 2014 09:59:01 +0000 (11:59 +0200)]
windows: Fix off-by-one error in strerror_s_extended()

8 years agowindows: accept() socket handle could theoretically be 0
Tobias Brunner [Wed, 2 Jul 2014 09:54:40 +0000 (11:54 +0200)]
windows: accept() socket handle could theoretically be 0

8 years agowindows: Close correct socket when opening second socket fails in socketpair()
Tobias Brunner [Wed, 2 Jul 2014 09:51:37 +0000 (11:51 +0200)]
windows: Close correct socket when opening second socket fails in socketpair()

8 years agowindows: Make sure the string returned from ReadConsole() is null terminated
Tobias Brunner [Wed, 2 Jul 2014 09:49:34 +0000 (11:49 +0200)]
windows: Make sure the string returned from ReadConsole() is null terminated

8 years agowindows: Remove useless assignment in put_thread()
Tobias Brunner [Wed, 2 Jul 2014 09:41:14 +0000 (11:41 +0200)]
windows: Remove useless assignment in put_thread()

8 years agobacktrace: Remove name checks after SymFromAddr() calls
Tobias Brunner [Wed, 2 Jul 2014 09:31:56 +0000 (11:31 +0200)]
backtrace: Remove name checks after SymFromAddr() calls

The Name member is an array whose address is always defined.

8 years agopts: Avoid integer overflow when reading file names in the old IMA format
Tobias Brunner [Tue, 1 Jul 2014 10:37:25 +0000 (12:37 +0200)]
pts: Avoid integer overflow when reading file names in the old IMA format

8 years agoimv-attestation: Avoid memory leak when skipping unsupported work items
Tobias Brunner [Tue, 1 Jul 2014 10:31:07 +0000 (12:31 +0200)]
imv-attestation: Avoid memory leak when skipping unsupported work items