strongswan.git
NEWS: leak-detective improvements
Martin Willi [Thu, 18 Jul 2013 13:13:49 +0000 (15:13 +0200)]

NEWS: add keychain plugin
Martin Willi [Thu, 18 Jul 2013 13:07:00 +0000 (15:07 +0200)]

autoconf: replace autogen.sh custom script with a call to autoreconf -i
Martin Willi [Thu, 18 Jul 2013 10:01:18 +0000 (12:01 +0200)]

automake: replace INCLUDES by AM_CPPFLAGS
Martin Willi [Wed, 17 Jul 2013 12:45:39 +0000 (14:45 +0200)]

INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.

autoconf: rename configure.in to configure.ac
Martin Willi [Wed, 17 Jul 2013 12:04:41 +0000 (14:04 +0200)]

configure.ac has been the recommended name for autoconf input for several
years now. Newer autotools start to complain about the configure.in, so we
finally change it.

eap-sim-pcsc: fix compiler warning
Martin Willi [Thu, 18 Jul 2013 12:55:05 +0000 (14:55 +0200)]

nm: omit deprecated g_type_init() when using >= GLIB 2.36
Martin Willi [Thu, 18 Jul 2013 12:21:17 +0000 (14:21 +0200)]

soup: omit deprecated g_type_init() when using >= GLIB 2.36
Martin Willi [Thu, 18 Jul 2013 12:19:37 +0000 (14:19 +0200)]

libfast: cancel thread if it fails to accept fcgi sessions
Martin Willi [Wed, 20 Feb 2013 14:21:51 +0000 (15:21 +0100)]

libfast: add a fast_ prefix to all classes, avoiding namespace clashes
Martin Willi [Wed, 17 Jul 2013 09:50:45 +0000 (11:50 +0200)]

Merge branch 'charon-xpc'
Martin Willi [Thu, 18 Jul 2013 10:18:32 +0000 (12:18 +0200)]

Implement a charon daemon controlled by the Apple specific XPC mechanism,
acting as a backend for a yet-to-be-built unprivileged GUI. The keychain plugin
coming with this merge provides certificates from the OS X keychain service.

xpc: allow easy copy & paste of ./configure instructions
Martin Willi [Wed, 26 Jun 2013 08:37:19 +0000 (10:37 +0200)]

xpc: use -idirafter to build against openssl headers from /usr/include
Martin Willi [Wed, 29 May 2013 12:50:47 +0000 (14:50 +0200)]

xpc: forward some raised alerts over XPC to App
Martin Willi [Mon, 27 May 2013 12:47:27 +0000 (14:47 +0200)]

xpc: enable close_ike_on_child_failure
Martin Willi [Mon, 27 May 2013 12:08:39 +0000 (14:08 +0200)]

xpc: send a "connecting" event when establishing a connection starts
Martin Willi [Wed, 22 May 2013 15:22:47 +0000 (17:22 +0200)]

xpc: use osx-attr plugin to install configuration attributes
Martin Willi [Wed, 15 May 2013 14:04:43 +0000 (16:04 +0200)]

xpc: update README with new events, markdown style fixes
Martin Willi [Fri, 3 May 2013 16:35:11 +0000 (18:35 +0200)]

xpc: send child_updown events over XPC channel
Martin Willi [Thu, 2 May 2013 16:11:47 +0000 (18:11 +0200)]

xpc: support termination of IKE_SAs using XPC RPC on connection channel
Martin Willi [Thu, 2 May 2013 15:45:58 +0000 (17:45 +0200)]

xpc: move XPC RPC reply creation to command dispatching
Martin Willi [Thu, 2 May 2013 14:43:44 +0000 (16:43 +0200)]

xpc: terminate daemon when last XPC connection to App is gone
Martin Willi [Thu, 2 May 2013 12:40:23 +0000 (14:40 +0200)]

xpc: fix some refcounting issues related to XPC connections
Martin Willi [Thu, 2 May 2013 12:28:19 +0000 (14:28 +0200)]

xpc: no need to clear channel table, they are bound to IKE_SA lifetime
Martin Willi [Thu, 2 May 2013 11:58:22 +0000 (13:58 +0200)]

xpc: add support for logging over XPC channels
Martin Willi [Fri, 3 May 2013 14:55:22 +0000 (16:55 +0200)]

xpc: don't warn about pointer signedness mismatch (-Wno-pointer-sign)
Martin Willi [Thu, 2 May 2013 09:58:43 +0000 (11:58 +0200)]

xpc: add a description of the basic XPC protocol to README
Martin Willi [Thu, 2 May 2013 09:22:51 +0000 (11:22 +0200)]

xpc: use the same XPC message "type" mechanism on Mach service as on channels
Martin Willi [Thu, 2 May 2013 08:54:55 +0000 (10:54 +0200)]

xpc: ask App for passwords using connection specific channel
Martin Willi [Thu, 2 May 2013 08:36:37 +0000 (10:36 +0200)]

xpc: use IKE_SA specific XPC return channels for further communication
Martin Willi [Fri, 3 May 2013 14:53:29 +0000 (16:53 +0200)]

xpc: don't send certificate requests, there are too many when using keychain
Martin Willi [Wed, 1 May 2013 09:06:11 +0000 (11:06 +0200)]

xpc: build with support for the keychain plugin
Martin Willi [Fri, 3 May 2013 14:51:29 +0000 (16:51 +0200)]

xpc: add support for initiating simple IKEv2 EAP connections
Martin Willi [Fri, 26 Apr 2013 13:17:36 +0000 (15:17 +0200)]

xpc: move dispatching to dedicated class, using dedicated thread
Martin Willi [Fri, 3 May 2013 14:24:05 +0000 (16:24 +0200)]

xpc: use non-inlining variant of vstr, compiler does not like it
Martin Willi [Fri, 26 Apr 2013 12:32:32 +0000 (14:32 +0200)]

xpc: add Xcode project for a charon controlled through XPC
Martin Willi [Wed, 24 Apr 2013 08:38:19 +0000 (10:38 +0200)]

syslog: setlogmask() to include LOG_INFO
Martin Willi [Wed, 15 May 2013 08:36:08 +0000 (10:36 +0200)]

LOG_INFO seems to be excluded by default on some systems (OS X).

keychain: flush certificate cache after reloading System keychain
Martin Willi [Wed, 1 May 2013 09:14:16 +0000 (11:14 +0200)]

keychain: monitor changes in the system keychain, reload when necessary
Martin Willi [Wed, 1 May 2013 08:38:46 +0000 (10:38 +0200)]

keychain: use SearchCopyNext keychain enumeration for System certs as well
Martin Willi [Wed, 1 May 2013 08:37:49 +0000 (10:37 +0200)]

SecItemCopyMatching seems to be problematic regarding memory management. And
as there does not seem to be a good alternative to enumerate the System Roots
keychain using the SecItemCopyMatching API, we stick to the deprecated
enumeration functions for now.

keychain: load certificates from System Roots Keychain
Martin Willi [Tue, 30 Apr 2013 13:33:42 +0000 (15:33 +0200)]

keychain: load certificates only once during startup, improving performance
Martin Willi [Tue, 30 Apr 2013 12:50:48 +0000 (14:50 +0200)]

keychain: support on-the-fly enumeration of trusted/untrusted certificates
Martin Willi [Tue, 30 Apr 2013 09:59:01 +0000 (11:59 +0200)]

keychain: add a stub for a credential plugin using OS X Keychain Services
Martin Willi [Mon, 29 Apr 2013 09:19:57 +0000 (11:19 +0200)]

credmgr: stop querying for secrets once we get a perfect match
Martin Willi [Thu, 2 May 2013 08:07:36 +0000 (10:07 +0200)]

credmgr: don't use pointers for id_match_t enum values
Martin Willi [Thu, 2 May 2013 08:03:57 +0000 (10:03 +0200)]

openssl: parse X.509 extended key usage from extension parsing loop
Martin Willi [Tue, 30 Apr 2013 09:55:38 +0000 (11:55 +0200)]

Otherwise parsing gets aborted if unknown critical extensions are handled as
error.

openssl: show which critical X.509 extension is not supported
Martin Willi [Tue, 30 Apr 2013 09:46:11 +0000 (11:46 +0200)]

hashtable: add common hashtable hash/equals functions for pointer/string keys
Martin Willi [Wed, 1 May 2013 10:13:28 +0000 (12:13 +0200)]

thread: implicitly create thread_t if an external thread calls thread_current()
Martin Willi [Fri, 26 Apr 2013 14:59:34 +0000 (16:59 +0200)]

ike: Fix reestablishing SAs if no child-creating tasks are queued
Tobias Brunner [Thu, 18 Jul 2013 08:12:20 +0000 (10:12 +0200)]

ike-sa: uninstall CHILD_SAs before removing virtual IPs
Martin Willi [Thu, 18 Jul 2013 08:31:52 +0000 (10:31 +0200)]

a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes
for CHILD_SAs might get deleted while removing virtual IPs, resulting in
an error when a CHILD_SA tries to uninstall its route.

unity: Replicate default behavior if no UNITY_SPLIT_INCLUDE attributes were received
Tobias Brunner [Mon, 15 Jul 2013 13:17:06 +0000 (15:17 +0200)]

unity: Allow UNITY_LOCAL_LAN to be longer than 8 bytes
Tobias Brunner [Mon, 15 Jul 2013 13:15:59 +0000 (15:15 +0200)]

unity: Fix memory leak in provider
Tobias Brunner [Mon, 15 Jul 2013 13:12:35 +0000 (15:12 +0200)]

ipsec.conf.5: closeaction is now supported for IKEv1
Tobias Brunner [Wed, 17 Jul 2013 16:18:57 +0000 (18:18 +0200)]

ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peer
Tobias Brunner [Thu, 4 Jul 2013 17:14:44 +0000 (19:14 +0200)]

We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any
CHILD_SA requires it.

ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA
Tobias Brunner [Wed, 3 Jul 2013 16:28:37 +0000 (18:28 +0200)]

ikev1: Support closeaction of CHILD_SA.
Oliver Smith [Fri, 28 Jun 2013 16:41:19 +0000 (09:41 -0700)]

When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and
closeaction has been set, we can now perform a restart or hold as is
currently done for IKEv2.

Merge branch 'kernel-pfroute-mobility'
Tobias Brunner [Wed, 17 Jul 2013 15:49:26 +0000 (17:49 +0200)]

This improves the behavior of the kernel-pfroute plugin (and sometimes
the kernel-pfkey plugin) in case of mobility, mostly when used as a
client but also as gateway, if clients are mobile.

kernel-pfroute: Ignore IP address changes if address is %any
Tobias Brunner [Wed, 10 Jul 2013 14:28:55 +0000 (16:28 +0200)]

kernel-pfroute: Properly enumerate sockaddrs in interface messages
Tobias Brunner [Wed, 10 Jul 2013 14:08:56 +0000 (16:08 +0200)]

The ifa_msghdr and rt_msghdr structs are not compatible (at least not on
FreeBSD).

kernel-pfroute: Provide name of interfaces on which virtual IPs are installed
Tobias Brunner [Wed, 10 Jul 2013 13:37:35 +0000 (15:37 +0200)]

kernel-pfroute: Ignore virtual IPs in address map
Tobias Brunner [Wed, 10 Jul 2013 13:29:38 +0000 (15:29 +0200)]

As the virtual flag is set after the address has been added to the map,
we make sure we ignore virtual IPs when doing lookups.

kernel-pfroute: Make sure source addresses are not virtual and usable
Tobias Brunner [Wed, 10 Jul 2013 13:02:48 +0000 (15:02 +0200)]

It seems we sometimes get the virtual IP as source (with
rightsubnet=0.0.0.0/0) even if the exclude route is already
installed.  Might be a timing issue because shortly afterwards the
lookup seems to succeed.

kernel-pfroute: Don't report an error when trying to reinstall a route
Tobias Brunner [Wed, 10 Jul 2013 10:38:21 +0000 (12:38 +0200)]

kernel-pfkey: Provide interface name when installing exclude route
Tobias Brunner [Wed, 10 Jul 2013 10:21:58 +0000 (12:21 +0200)]

kernel-pfroute: Reinstall routes on interface/address changes
Tobias Brunner [Wed, 10 Jul 2013 10:14:19 +0000 (12:14 +0200)]

kernel-pfroute: Trigger a roam event if a new interface appears
Tobias Brunner [Wed, 10 Jul 2013 09:57:31 +0000 (11:57 +0200)]

kernel-pfroute: Use ref_get() to allocate sequence numbers
Tobias Brunner [Wed, 10 Jul 2013 09:42:00 +0000 (11:42 +0200)]

kernel-pfroute: Make time that is waited for VIPs to appear configurable
Tobias Brunner [Wed, 10 Jul 2013 09:31:56 +0000 (11:31 +0200)]

One second might be too short for IPs to appear/disappear, especially on
virtualized hosts.

kernel-pfroute: Retry route lookup without source address on failure
Tobias Brunner [Wed, 10 Jul 2013 09:22:57 +0000 (11:22 +0200)]

The known source address might be gone resulting in an error, making
learning a new source address impossible.

kernel-pfkey: Remove latest IPsec SA mapping when deleting a policy
Tobias Brunner [Wed, 10 Jul 2013 09:08:01 +0000 (11:08 +0200)]

If IPsec SAs are rekeyed due to an address change (e.g. because
update_sa is not supported) the exact same policy with the same reqid
will be installed, but with different addresses.  After the rekeying the
old SA and its policies are removed, using the first matching mapping
breaks the mapping between the policies and the new SA (at least on
FreeBSD, the Linux kernel might only use the reqid for this).  Using the
oldest matching SA is still an approximation but it solves the above
issue.

kernel-pfkey: Correctly handle IPSEC_PROTO_ANY in an acquire
Tobias Brunner [Wed, 10 Jul 2013 08:56:08 +0000 (10:56 +0200)]

linked-list: Remove barely used has_more() method
Tobias Brunner [Tue, 16 Jul 2013 13:25:51 +0000 (15:25 +0200)]

This required some refactoring when handling encrypted payloads.

Also changed log messages so that "encrypted payload" is logged instead
of "encryption payload" (even if we internally still call it that) as
that's the name used in RFC 5996.

linked-list: Don't require an argument for the item when enumerating
Tobias Brunner [Tue, 16 Jul 2013 12:46:43 +0000 (14:46 +0200)]

linked-list: Remove unused clone_function() method
Tobias Brunner [Tue, 16 Jul 2013 10:07:00 +0000 (12:07 +0200)]

linked-list: Remove barely used find_last() method
Tobias Brunner [Tue, 16 Jul 2013 10:00:57 +0000 (12:00 +0200)]

linked-list: Remove unused replace() method
Tobias Brunner [Tue, 16 Jul 2013 09:53:30 +0000 (11:53 +0200)]

Its functionality can be replicated by calling insert_before() followed
by remove_at().  Not the other way around, though, because remove_at()
changes the enumerator position.
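The ordering point in the commit message above, as an added example (written for this page, not strongSwan's linked_list_t, whose enumerator internals are not shown here): the enumerator steps back to the predecessor on remove_at(), so a replace() built as insert_before() followed by remove_at() leaves the new element where the old one was, while the reverse order inserts in front of the wrong element. The list, enumerator and function names are the example's own.

```c
/* Added example, not strongSwan's linked_list_t: a doubly linked list whose
 * enumerator steps back to the predecessor on remove_at(), so that the next
 * enumerate() continues with the element after the removed one.  Under those
 * semantics replace() is insert_before() followed by remove_at(); doing it the
 * other way round inserts in front of the wrong element. */
#include <stdlib.h>

typedef struct node_t {
    int value;
    struct node_t *prev, *next;
} node_t;

typedef struct {
    node_t *head, *tail;
    int count;
} list_t;

/* current == NULL means "before the first element" */
typedef struct {
    list_t *list;
    node_t *current;
} enumerator_t;

/* Link a new node in front of `before` (NULL appends at the tail). */
static node_t *link_before(list_t *l, node_t *before, int value)
{
    node_t *n = calloc(1, sizeof(*n));
    if (!n) abort();
    n->value = value;
    n->next = before;
    n->prev = before ? before->prev : l->tail;
    if (n->prev) n->prev->next = n; else l->head = n;
    if (before) before->prev = n; else l->tail = n;
    l->count++;
    return n;
}

/* Advance to the next element; returns 0 at the end of the list. */
static int enumerate(enumerator_t *e, int *value)
{
    node_t *next = e->current ? e->current->next : e->list->head;
    if (!next) return 0;
    e->current = next;
    *value = next->value;
    return 1;
}

/* Insert in front of the current element (at the head if there is none);
 * the enumerator position does not change. */
static void insert_before(enumerator_t *e, int value)
{
    link_before(e->list, e->current ? e->current : e->list->head, value);
}

/* Unlink the current element and step the position back to its predecessor. */
static int remove_at(enumerator_t *e)
{
    node_t *n = e->current;
    if (!n) return 0;
    if (n->prev) n->prev->next = n->next; else e->list->head = n->next;
    if (n->next) n->next->prev = n->prev; else e->list->tail = n->prev;
    e->current = n->prev;
    e->list->count--;
    free(n);
    return 1;
}

/* Build [1,2,3], step the enumerator onto 2 and replace it with 9, either as
 * insert_before()+remove_at() or the reverse.  Fills `out` with the final
 * list and `yielded` with what enumerate() returns next; returns the count. */
int run_replace(int insert_first, int out[4], int *yielded)
{
    list_t *l = calloc(1, sizeof(*l));
    enumerator_t e = { l, NULL };
    int v, n = 0;
    if (!l) abort();
    for (v = 1; v <= 3; v++) link_before(l, NULL, v);
    enumerate(&e, &v);          /* -> 1 */
    enumerate(&e, &v);          /* -> 2 */
    if (insert_first) {
        insert_before(&e, 9);   /* [1,9,2,3], still positioned on 2 */
        remove_at(&e);          /* [1,9,3],   positioned on 9 */
    } else {
        remove_at(&e);          /* [1,3],     positioned on 1 */
        insert_before(&e, 9);   /* [9,1,3]:   lands in front of 1, not of 3 */
    }
    *yielded = enumerate(&e, &v) ? v : 0;
    for (node_t *p = l->head; p && n < 4; p = p->next) out[n++] = p->value;
    while (l->head) { node_t *p = l->head; l->head = p->next; free(p); }
    free(l);
    return n;
}

/* Accessors for the run above: element `idx` of the final list (-1 if out of
 * range) and the value enumerate() yields right after the replacement. */
int replaced_value(int insert_first, int idx)
{
    int out[4], y, n = run_replace(insert_first, out, &y);
    return (idx >= 0 && idx < n) ? out[idx] : -1;
}

int next_yielded(int insert_first)
{
    int out[4], y;
    run_replace(insert_first, out, &y);
    return y;
}
```

In both orders the enumeration itself continues correctly with 3, which is why the wrong order is easy to miss: only the final list shows the element landing one slot too early.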

Merge branch 'array'
Martin Willi [Wed, 17 Jul 2013 15:28:18 +0000 (17:28 +0200)]

Introduces a new lightweight array collection having minimal memory overhead.
The new class replaces various linked lists that are used during the full
lifetime of an SA, reducing memory requirements by about 5KB or more per tunnel.

child-sa: refactor proxy transport mode address lookup
Martin Willi [Wed, 17 Jul 2013 08:28:45 +0000 (10:28 +0200)]

child-sa: replace traffic selector lists by arrays
Martin Willi [Wed, 17 Jul 2013 08:08:19 +0000 (10:08 +0200)]

Saves up to another 0.5KB of memory per CHILD_SA.

child-sa: replace get_traffic_selectors() with create_ts_enumerator()
Martin Willi [Wed, 17 Jul 2013 08:01:22 +0000 (10:01 +0200)]

Not directly returning a linked list allows us to change the internals of
the CHILD_SA transparently.

ikev2: replace linked lists by arrays in task manager
Martin Willi [Thu, 11 Jul 2013 15:20:48 +0000 (17:20 +0200)]

Eliminates another three lists, 0.5KB per IKE_SA.

auth-cfg: use array instead of linked list
Martin Willi [Thu, 11 Jul 2013 14:54:15 +0000 (16:54 +0200)]

Saves another 4 linked lists (1KB) per IKE_SA

proposal: use array to store proposal list
Martin Willi [Thu, 11 Jul 2013 14:36:10 +0000 (16:36 +0200)]

Removes another two linked lists (0.5KB) of memory per IKE/CHILD_SA pair.

proposal: use a single list to store all transforms
Martin Willi [Wed, 10 Jul 2013 12:16:46 +0000 (14:16 +0200)]

Besides making the code actually simpler, it reduces the number of lists
stored by each IKE_SA and each CHILD_SA by 4, which can be up to 1KB per SA.

ike-sa: use arrays instead of linked lists in long lived collections
Martin Willi [Thu, 11 Jul 2013 13:58:15 +0000 (15:58 +0200)]

This saves about 1.5KB of memory per IKE_SA.

unit-tests: implement tests for array collection
Martin Willi [Thu, 11 Jul 2013 13:09:30 +0000 (15:09 +0200)]

array: introduce an array collection storing elements very efficiently
Martin Willi [Thu, 11 Jul 2013 09:44:33 +0000 (11:44 +0200)]

Currently we use the very versatile linked-list collection to store elements
with variable count. This is fine, but very inefficient: Due to the many
methods in the linked list, on 64-bit platforms an empty list alone is more
than 200 bytes. As we currently have about 50 lists per IKE_SA/CHILD_SA pair,
this takes up to 10KB just for managing the empty lists. This is about the
half of memory used by an IKE_SA/CHILD_SA pair, and obviously way too much.

The new array type is not an object, but a collection of functions on an
abstract type.

The following lists are per IKE_SA and should be considered for a replacement
with more efficient arrays (this uses the load-tester's on-demand created dynamic
configurations, other scenarios have different lists):

14 -> ike_sa_create() @ src/libcharon/sa/ike_sa.c:2198
10 -> auth_cfg_create() @ src/libstrongswan/credentials/auth_cfg.c:1088
 6 -> task_manager_v2_create() @ src/libcharon/sa/ikev2/task_manager_v2.c:1505
 6 -> proposal_create() @ src/libcharon/config/proposal.c:592
 5 -> peer_cfg_create() @ src/libcharon/config/peer_cfg.c:657
 4 -> child_sa_create() @ src/libcharon/sa/child_sa.c:1090
 2 -> child_cfg_create() @ src/libcharon/config/child_cfg.c:536
 1 -> ike_cfg_create() @ src/libcharon/config/ike_cfg.c:330
 1 -> put_connected_peers() @ src/libcharon/sa/ike_sa_manager.c:854
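As an added illustration of the memory argument in the commit message above (example code written for this page, not strongSwan's array_t or linked_list_t): the owner of an empty array holds nothing but a NULL pointer, while an object-style list pays for one function pointer per method before it stores a single element. The 24-method fat_list_t, the ARRAY_HEAD/ARRAY_TAIL index convention and the capacity-doubling growth are assumptions of the example, not figures taken from the commit.

```c
/* Added example, not strongSwan's array_t: a growable array behind a single
 * owner pointer that stays NULL while the collection is empty, set against a
 * list object carrying one function pointer per method.  The 24 methods of
 * fat_list_t are an assumed count mirroring a fully featured list interface. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    void (*method[24])(void);
    void *first, *last;
    int count;
} fat_list_t;

/* Header allocated on the first insert and freed again on the last remove. */
typedef struct {
    uint32_t esize;    /* element size in bytes */
    uint32_t count;    /* elements in use */
    uint32_t capacity; /* elements allocated */
    unsigned char *data;
} array_t;

enum { ARRAY_HEAD = 0, ARRAY_TAIL = -1 };

/* What the owner of an empty collection pays for each kind. */
size_t fat_list_footprint(void) { return sizeof(fat_list_t); }
size_t empty_array_footprint(void) { return sizeof(array_t *); }

uint32_t array_count(const array_t *a) { return a ? a->count : 0; }

/* Map idx (or ARRAY_TAIL) to a position; an insert may address one past the end. */
static int resolve(const array_t *a, int idx, int insert, uint32_t *pos)
{
    uint32_t n = array_count(a);
    if (idx == ARRAY_TAIL) {
        *pos = insert ? n : n - 1;
        return insert || n > 0;
    }
    *pos = (uint32_t)idx;
    return idx >= 0 && (insert ? *pos <= n : *pos < n);
}

/* Insert an element of esize bytes at idx (ARRAY_TAIL appends). */
int array_insert(array_t **ap, uint32_t esize, int idx, const void *elem)
{
    uint32_t pos;
    array_t *a;
    if (!resolve(*ap, idx, 1, &pos)) return 0;
    if (!*ap) {
        if (!(*ap = calloc(1, sizeof(**ap)))) abort();
        (*ap)->esize = esize;
    }
    a = *ap;
    if (a->esize != esize) return 0;
    if (a->count == a->capacity) {
        a->capacity = a->capacity ? a->capacity * 2 : 4;
        if (!(a->data = realloc(a->data, (size_t)a->capacity * esize))) abort();
    }
    memmove(a->data + (pos + 1) * esize, a->data + pos * esize,
            (size_t)(a->count - pos) * esize);
    memcpy(a->data + pos * esize, elem, esize);
    a->count++;
    return 1;
}

/* Remove element idx (copied to out if non-NULL).  Emptying the array frees
 * it, so the owner's pointer is NULL again and costs nothing more. */
int array_remove(array_t **ap, int idx, void *out)
{
    array_t *a = *ap;
    uint32_t pos;
    if (!resolve(a, idx, 0, &pos)) return 0;
    if (out) memcpy(out, a->data + pos * a->esize, a->esize);
    memmove(a->data + pos * a->esize, a->data + (pos + 1) * a->esize,
            (size_t)(a->count - pos - 1) * a->esize);
    if (--a->count == 0) { free(a->data); free(a); *ap = NULL; }
    return 1;
}

void array_destroy(array_t **ap)
{
    if (*ap) { free((*ap)->data); free(*ap); *ap = NULL; }
}

/* Worked run: append 1..n, drop the head, pop the rest from the tail and sum
 * them.  Returns the sum, or -1 if the head was not 1 or the owner pointer
 * did not return to NULL once the array was emptied. */
long demo_sum(int n)
{
    array_t *a = NULL;   /* an empty collection costs exactly this pointer */
    long sum = 0;
    int v, head;
    for (v = 1; v <= n; v++) array_insert(&a, sizeof(v), ARRAY_TAIL, &v);
    if (!array_remove(&a, ARRAY_HEAD, &head) || head != 1) {
        array_destroy(&a);
        return -1;
    }
    while (array_remove(&a, ARRAY_TAIL, &v)) sum += v;
    return a == NULL ? sum : -1;
}
```

The design point is that the collection is a set of functions over an opaque pointer rather than an object: every per-SA field of this kind then costs one pointer while empty, instead of a method table plus bookkeeping, which is exactly the overhead the commit counts in the 50-lists-per-SA estimate.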

kernel-libipsec: Log error if no local address is found when installing routes
Tobias Brunner [Mon, 15 Jul 2013 12:37:31 +0000 (14:37 +0200)]

dumm: Sort templates by name
Tobias Brunner [Mon, 15 Jul 2013 12:37:05 +0000 (14:37 +0200)]

testing: Don't load certificates explicitly and delete CA certificates in PKCS#12 scenarios
Tobias Brunner [Mon, 15 Jul 2013 09:19:27 +0000 (11:19 +0200)]

Certificates are now properly extracted from PKCS#12 files.

stroke: Add certificates extracted from PKCS#12 files to correct credential set
Tobias Brunner [Mon, 15 Jul 2013 08:59:13 +0000 (10:59 +0200)]

Only keys and shared secrets are moved from the temporary credential set after
loading all secrets.

pkcs12: Add plugin dependencies with soft dependencies on the most common algorithms
Tobias Brunner [Mon, 15 Jul 2013 08:48:19 +0000 (10:48 +0200)]

leak-detective: remove hdr entry when reallocating zero bytes
Martin Willi [Fri, 12 Jul 2013 17:58:02 +0000 (19:58 +0200)]

leak-detective: print total of allocated/leaked bytes in usage/report
Martin Willi [Fri, 12 Jul 2013 17:57:17 +0000 (19:57 +0200)]

dumm: add include for in.h, if_bridge.h now uses struct in6_addr
Martin Willi [Fri, 12 Jul 2013 16:19:32 +0000 (18:19 +0200)]

Recognize critical IssuingDistributionPoint CRL extension
Andreas Steffen [Fri, 12 Jul 2013 07:00:47 +0000 (09:00 +0200)]

Override policy recommendation in enforcement
Andreas Steffen [Thu, 11 Jul 2013 08:34:00 +0000 (10:34 +0200)]