strongswan.git
Martin Willi [Thu, 24 Oct 2013 13:07:43 +0000 (15:07 +0200)]
watcher: Rebuild fdset when select() fails

This should make sure we refresh the fdset if a user closes an FD it just
removed. Some selects() seem to complain about the bad FD before signaling the
notification pipe.

Martin Willi [Thu, 24 Oct 2013 12:46:14 +0000 (14:46 +0200)]
rwlock: Disable thread cancelability while waiting in (fallback) rwlock

An rwlock wait is not a thread cancellation point. As a canceled thread
would not have released the mutex, the rwlock would have been left in an
unusable state.

Martin Willi [Thu, 24 Oct 2013 11:45:31 +0000 (13:45 +0200)]
rwlock: Don't use buggy pthread_rwlock on OS X

Recursive read locks don't seem to work properly, at least on 10.9.

Martin Willi [Thu, 24 Oct 2013 09:49:32 +0000 (11:49 +0200)]
utils: Provide a fmemopen(3) fallback using BSD funopen()

Andreas Steffen [Wed, 23 Oct 2013 20:23:47 +0000 (22:23 +0200)] (tag: 5.1.1rc1)
Fixed sql/net2net-route-pem scenario evaluation

Andreas Steffen [Wed, 23 Oct 2013 20:12:12 +0000 (22:12 +0200)]
Added some example Debian SWID tags

Andreas Steffen [Wed, 23 Oct 2013 19:11:22 +0000 (21:11 +0200)]
Added Brainpool ECP support to NEWS

Andreas Steffen [Wed, 23 Oct 2013 19:08:18 +0000 (21:08 +0200)]
Added two Brainpool IKEv2 scenarios

Tobias Brunner [Tue, 22 Oct 2013 12:35:13 +0000 (14:35 +0200)]
pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOB

This allows more than one builder to try parsing the data read from STDIN.

Tobias Brunner [Tue, 22 Oct 2013 12:22:35 +0000 (14:22 +0200)]
chunk: Add helper function to create a chunk from data read from a file descriptor

Martin Willi [Wed, 23 Oct 2013 14:05:40 +0000 (16:05 +0200)]
semaphore: Support cancellation in wait functions of semaphore fallback

Semaphore wait functions should be a thread cancellation point, but did
not properly release the mutex in the fallback implementation.

Martin Willi [Tue, 22 Oct 2013 16:36:44 +0000 (18:36 +0200)]
rwlock: Re-acquire rwlock even if condvar wait times out

A caller expects that the associated rwlock is held, whether the condvar
gets signaled or the wait times out.

Andreas Steffen [Tue, 22 Oct 2013 22:26:02 +0000 (00:26 +0200)]
Updated and split data.sql

Andreas Steffen [Tue, 22 Oct 2013 08:09:24 +0000 (10:09 +0200)]
Adapted recipe and patches to freeradius-2.2.1

Andreas Steffen [Mon, 21 Oct 2013 19:33:30 +0000 (21:33 +0200)]
Support Ubuntu 13.10 measurements

Andreas Steffen [Mon, 21 Oct 2013 19:03:53 +0000 (21:03 +0200)]
check if specified IF-TNCCS protocol is enabled

Tobias Brunner [Fri, 18 Oct 2013 07:38:01 +0000 (09:38 +0200)]
kernel-netlink: Check existence of linux/fib_rules.h, don't include it in distribution

This reverts commit b0761f1f0a5abd225edc291c8285f99a538e6a66.

Tobias Brunner [Thu, 17 Oct 2013 14:57:48 +0000 (16:57 +0200)]
Merge branch 'icmp'

Improves handling of ICMP[v6] traffic selectors that specify message type and
code.

Fixes #421.

Tobias Brunner [Mon, 14 Oct 2013 15:10:16 +0000 (17:10 +0200)]
ipsec.conf.5: Note about ICMP[v6] message type/code added

Tobias Brunner [Thu, 17 Oct 2013 14:29:30 +0000 (16:29 +0200)]
updown: Properly configure ICMP[v6] message type and code in firewall rules

Tobias Brunner [Mon, 14 Oct 2013 15:08:09 +0000 (17:08 +0200)]
updown: Pass ICMP[v6] message type and code to updown script

The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.

Tobias Brunner [Tue, 15 Oct 2013 12:26:51 +0000 (14:26 +0200)]
kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel

Tobias Brunner [Tue, 15 Oct 2013 15:59:26 +0000 (17:59 +0200)]
kernel-netlink: Convert ports in acquires to ICMP[v6] type and code

Tobias Brunner [Mon, 14 Oct 2013 15:00:18 +0000 (17:00 +0200)]
kernel-netlink: Properly install policies with ICMP[v6] types and codes

Tobias Brunner [Mon, 14 Oct 2013 14:53:42 +0000 (16:53 +0200)]
traffic-selector: Print ICMP[v6] message type and code in a more readable way

Tobias Brunner [Mon, 14 Oct 2013 14:52:20 +0000 (16:52 +0200)]
traffic-selector: Store ICMP[v6] message type and code properly

We now store them as defined in RFC 4301, section 4.4.1.1.

Tobias Brunner [Tue, 15 Oct 2013 08:04:04 +0000 (10:04 +0200)]
traffic-selector: Move class to its own Doxygen group

Tobias Brunner [Thu, 17 Oct 2013 14:56:31 +0000 (16:56 +0200)]
Merge branch 'ecc-brainpool'

Adds support for ECC Brainpool curves for DH exchanges.

Tobias Brunner [Fri, 13 Sep 2013 09:29:40 +0000 (11:29 +0200)]
proposal: Add ECC Brainpool DH groups to the default proposal

Tobias Brunner [Thu, 17 Oct 2013 11:31:17 +0000 (13:31 +0200)]
openssl: Add workaround if ECC Brainpool curves are not defined

Tobias Brunner [Thu, 17 Oct 2013 11:28:30 +0000 (13:28 +0200)]
openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL

OpenSSL does not include them in releases before 1.0.2.

Andreas Steffen [Mon, 9 Sep 2013 07:36:04 +0000 (09:36 +0200)]
ecc: Added ECC Brainpool ECDH groups as registered with IANA

Tobias Brunner [Fri, 11 Oct 2013 23:56:24 +0000 (01:56 +0200)]
unit-tests: Make test for bio_writer_t more portable

Tobias Brunner [Thu, 17 Oct 2013 09:36:32 +0000 (11:36 +0200)]
libipsec: Don't print ciphertext with ICV in log message

Tobias Brunner [Fri, 11 Oct 2013 23:09:53 +0000 (01:09 +0200)]
libipsec: Properly calculate padding length especially for AES-GCM

Tobias Brunner [Fri, 11 Oct 2013 23:01:06 +0000 (01:01 +0200)]
utils: Add utility function to calculate padding length

Tobias Brunner [Thu, 19 Sep 2013 08:59:20 +0000 (10:59 +0200)]
stroke: Reuse reqids of established CHILD_SAs when routing connections

Tobias Brunner [Thu, 19 Sep 2013 08:53:05 +0000 (10:53 +0200)]
trap-manager: Make sure a config is not trapped twice

Tobias Brunner [Tue, 15 Oct 2013 09:16:09 +0000 (11:16 +0200)]
Doxygen fixes

Andreas Steffen [Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)]
Set recommendation in the case of PCR measurement failures

Andreas Steffen [Sun, 13 Oct 2013 18:51:10 +0000 (20:51 +0200)]
Add linux/fip_rules.h to include files

Andreas Steffen [Sun, 13 Oct 2013 17:56:04 +0000 (19:56 +0200)]
Revert refactoring which broke CentOS build

Andreas Steffen [Fri, 11 Oct 2013 19:34:59 +0000 (21:34 +0200)]
Increase debug level in libipsec/rw-suite-b scenario

Andreas Steffen [Fri, 11 Oct 2013 19:23:10 +0000 (21:23 +0200)]
Use bold font to display key size

Andreas Steffen [Fri, 11 Oct 2013 18:59:24 +0000 (20:59 +0200)]
Added swid_directory option

Andreas Steffen [Fri, 11 Oct 2013 18:18:59 +0000 (20:18 +0200)]
Added tnc/tnccs-11-supplicant scenario

Andreas Steffen [Fri, 11 Oct 2013 18:16:59 +0000 (20:16 +0200)]
Define aaa.strongswan.org in /etc/hosts

Tobias Brunner [Fri, 11 Oct 2013 16:04:48 +0000 (18:04 +0200)]
testing: Add libipsec/host2host-cert scenario

Tobias Brunner [Fri, 11 Oct 2013 15:33:19 +0000 (17:33 +0200)]
checksum: The pool utility was moved to its own directory

Tobias Brunner [Fri, 11 Oct 2013 15:26:57 +0000 (17:26 +0200)]
ccm: Add missing comma in get_iv_gen method signature

Tobias Brunner [Fri, 11 Oct 2013 15:22:30 +0000 (17:22 +0200)]
iv-gen: Add missing header files to Makefile.am

Tobias Brunner [Fri, 11 Oct 2013 14:20:41 +0000 (16:20 +0200)]
NEWS: Updates for the recent merges

Tobias Brunner [Fri, 11 Oct 2013 13:55:49 +0000 (15:55 +0200)]
Merge branch 'iv-gen'

Modularizes the generation of initialization vectors, which allows using
different methods depending on the algorithms.  For instance, for AES-GCM
sequential IVs are now used instead of the earlier random IVs, which are
still used for other algorithms, e.g. AES-CBC.

Tobias Brunner [Mon, 5 Aug 2013 14:24:40 +0000 (16:24 +0200)]
iv_gen: Mask sequential IVs with a random salt

This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.

Tobias Brunner [Mon, 5 Aug 2013 13:41:45 +0000 (15:41 +0200)]
iv_gen: Provide external sequence number (IKE, ESP)

This prevents duplicate sequential IVs in case of a HA failover.

Tobias Brunner [Mon, 5 Aug 2013 12:59:10 +0000 (14:59 +0200)]
ipsec: Use IV generator to encrypt ESP messages

Tobias Brunner [Mon, 5 Aug 2013 12:55:51 +0000 (14:55 +0200)]
ikev2: Use IV generator to encrypt encrypted payload

Tobias Brunner [Mon, 5 Aug 2013 12:52:30 +0000 (14:52 +0200)]
iv_gen: aead_t implementations provide an IV generator

Tobias Brunner [Mon, 5 Aug 2013 12:43:50 +0000 (14:43 +0200)]
iv_gen: Add IV generator that allocates IVs sequentially

Tobias Brunner [Mon, 5 Aug 2013 12:19:43 +0000 (14:19 +0200)]
iv_gen: Add IV generator that allocates IVs randomly

Uses RNG_WEAK as the code currently does elsewhere to allocate IVs.

Tobias Brunner [Mon, 5 Aug 2013 12:10:47 +0000 (14:10 +0200)]
crypto: Add generic interface for IV generators

Tobias Brunner [Mon, 5 Aug 2013 12:09:43 +0000 (14:09 +0200)]
apidoc: Move mac_prf to prf Doxygen group

Tobias Brunner [Fri, 11 Oct 2013 13:52:36 +0000 (15:52 +0200)]
Merge branch 'radius-unity'

Adds support for Cisco Unity specific RADIUS attributes.

References #383.

Tobias Brunner [Mon, 19 Aug 2013 11:31:55 +0000 (13:31 +0200)]
eap-radius: Forward RAT_FRAMED_IP_NETMASK as INTERNAL_IP4_NETMASK

Tobias Brunner [Fri, 16 Aug 2013 13:25:33 +0000 (15:25 +0200)]
eap-radius: Forward UNITY_SPLIT_INCLUDE or UNITY_LOCAL_LAN attributes

Depending on the value of the CVPN3000-IPSec-Split-Tunneling-Policy(55)
radius attribute, the subnets in the CVPN3000-IPSec-Split-Tunnel-List(27)
attribute are sent in either a UNITY_SPLIT_INCLUDE (if the value is 1)
or a UNITY_LOCAL_LAN (if the value is 2).

So if the following attributes would be configured for a RADIUS user

  CVPN3000-IPSec-Split-Tunnel-List := "10.0.1.0/255.255.255.0,10.0.2.0/255.255.255.0"
  CVPN3000-IPSec-Split-Tunneling-Policy := 1

A UNITY_SPLIT_INCLUDE configuration payload containing these two subnets
would be sent to the client during the ModeCfg exchange.

Tobias Brunner [Fri, 16 Aug 2013 11:41:22 +0000 (13:41 +0200)]
eap-radius: Forward UNITY_DEF_DOMAIN and UNITY_SPLITDNS_NAME attributes

The contents of the CVPN3000-IPSec-Default-Domain(28) and
CVPN3000-IPSec-Split-DNS-Names(29) radius attributes are forwarded in
the corresponding Unity configuration attributes.

Tobias Brunner [Fri, 11 Oct 2013 13:46:09 +0000 (15:46 +0200)]
Merge branch 'dnscert'

The new dnscert plugin adds support for authentication via CERT resource
records that are protected with DNSSEC.

Tobias Brunner [Thu, 26 Sep 2013 16:28:48 +0000 (18:28 +0200)]
testing: Add ikev2/net2net-dnscert scenario

Tobias Brunner [Thu, 26 Sep 2013 16:16:10 +0000 (18:16 +0200)]
testing: Provide moon's and sun's certificate as CERT RR

Tobias Brunner [Thu, 26 Sep 2013 15:01:11 +0000 (17:01 +0200)]
testing: Enable dnscert plugin

Tobias Brunner [Thu, 26 Sep 2013 15:00:21 +0000 (17:00 +0200)]
testing: Load testing.conf.local from the same directory as testing.conf

Ruslan N. Marchenko [Fri, 30 Aug 2013 15:51:12 +0000 (17:51 +0200)]
dnscert: Add DNS CERT support for pubkey authentication

Add DNSSEC protected CERT RR delivered certificate authentication.
The new dnscert plugin is based on the ipseckey plugin and relies on the
existing PEM decoder as well as x509 and PGP parsers.  As such the plugin
expects PEM encoded PKIX(x509) or PGP(GPG) certificate payloads.

The plugin is targeted to improve interoperability with Racoon, which
supports this type of authentication, ignoring in-stream certificates
and using only DNS provided certificates for FQDN IDs.

Tobias Brunner [Thu, 29 Aug 2013 13:58:48 +0000 (15:58 +0200)]
ipseckey: Properly handle failure to create a certificate

Also, try the next key (if available) if parsing an IPSECKEY failed.

Tobias Brunner [Thu, 29 Aug 2013 13:47:05 +0000 (15:47 +0200)]
ipseckey: Refactor creation of certificate enumerator

Reduces nesting and fixes a memory leak (rrsig_enum).

Tobias Brunner [Thu, 29 Aug 2013 13:25:23 +0000 (15:25 +0200)]
ipseckey: Depend on plugin features to create public key and certificate objects

Tobias Brunner [Thu, 29 Aug 2013 07:04:36 +0000 (09:04 +0200)]
unbound: Add support for DLV (DNSSEC Lookaside Validation)

Fixes #392.

Tobias Brunner [Fri, 11 Oct 2013 13:33:06 +0000 (15:33 +0200)]
Merge branch 'fwmarks'

Allows setting a mark on outbound packets and the routing rule
installed by charon.  With those settings it is possible to set up
tunnels with kernel-libipsec where the remote peer is part of the remote
traffic selector.

The following example settings in strongswan.conf show how this can be
configured:

charon {
    plugins {
        kernel-netlink {
            fwmark = !0x42
        }
        socket-default {
            fwmark = 0x42
        }
        kernel-libipsec {
            allow_peer_ts = yes
        }
    }
}

To make it work it is necessary to set

  net.ipv4.conf.all.rp_filter

appropriately, otherwise the kernel drops the packets.

References #380.

Tobias Brunner [Thu, 10 Oct 2013 13:41:29 +0000 (15:41 +0200)]
kernel-libipsec: Don't ignore policies of type != POLICY_IPSEC

This actually broke rekeying due to the DROP policies that are
temporarily added, which broke the refcount as the ignored policies
were not ignored in del_policy() (the type is not known there).

Tobias Brunner [Tue, 13 Aug 2013 15:10:00 +0000 (17:10 +0200)]
kernel-libipsec: Add an option to allow remote TS to match the IKE peer

Setting the fwmark options for the kernel-netlink and socket-default
plugins allows this kind of setup.

It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.

Tobias Brunner [Tue, 13 Aug 2013 14:58:33 +0000 (16:58 +0200)]
socket-default: Allow setting firewall mark on outbound packets

Tobias Brunner [Tue, 13 Aug 2013 14:53:06 +0000 (16:53 +0200)]
kernel-netlink: Allow setting firewall marks on routing rule

Tobias Brunner [Tue, 13 Aug 2013 13:15:45 +0000 (15:15 +0200)]
ipsec_types: Add utility function to parse mark_t from strings

Tobias Brunner [Fri, 11 Oct 2013 13:29:30 +0000 (15:29 +0200)]
Merge branch 'database-transactions'

This adds support for transactions to the database_t interface and the two
current implementations.

The pool utility is also moved to its own directory in src/.

Tobias Brunner [Thu, 10 Oct 2013 09:02:16 +0000 (11:02 +0200)]
attr-sql: Use a serializable transaction when inserting identities

Tobias Brunner [Thu, 10 Oct 2013 08:58:40 +0000 (10:58 +0200)]
database: Add support for serializable transactions

Tobias Brunner [Fri, 6 Sep 2013 12:09:32 +0000 (14:09 +0200)]
sql: Don't use MyISAM engine and set collation/charset for all tables

The MyISAM engine doesn't support transactions.

Tobias Brunner [Fri, 6 Sep 2013 09:29:17 +0000 (11:29 +0200)]
pool: Change transaction handling

Tobias Brunner [Thu, 5 Sep 2013 16:00:48 +0000 (18:00 +0200)]
pool: Move the pool utility to its own directory in src

Tobias Brunner [Fri, 13 Sep 2013 11:25:49 +0000 (13:25 +0200)]
attr-sql: Handle concurrent insertion of identities

If the same identity is added concurrently by two threads (or by the
pool utility) INSERT might fail even though the SELECT was unsuccessful
before.

We are currently not able to lock the identities table in a portable way
(something like SELECT ... FOR UPDATE on MySQL).

Tobias Brunner [Thu, 5 Sep 2013 15:03:11 +0000 (17:03 +0200)]
attr-sql: Don't use database transactions in create_attribute_enumerator

There could, of course, be race conditions when enumerating the attributes,
but those probably don't matter (e.g. missing an attribute that was
concurrently added).

Transactions are more intended to revert multiple changes if anything
fails in the process.

Tobias Brunner [Thu, 5 Sep 2013 14:50:23 +0000 (16:50 +0200)]
sqlite: Implement transaction handling

Tobias Brunner [Thu, 5 Sep 2013 14:46:24 +0000 (16:46 +0200)]
mysql: Implement transaction handling

Tobias Brunner [Fri, 6 Sep 2013 06:16:39 +0000 (08:16 +0200)]
database: Add interface to handle transactions

Tobias Brunner [Thu, 5 Sep 2013 13:33:24 +0000 (15:33 +0200)]
mysql: Ensure connections are properly released in multi-threaded environments

Tobias Brunner [Thu, 3 Oct 2013 08:24:59 +0000 (10:24 +0200)]
crypto-factory: Try next available RNG implementation if constructor fails

Tobias Brunner [Thu, 3 Oct 2013 08:23:30 +0000 (10:23 +0200)]
crypto-factory: Order entries by algorithm identifier and (optionally) speed

Tobias Brunner [Thu, 3 Oct 2013 08:14:49 +0000 (10:14 +0200)]
Remove HASH_PREFERRED, usages are replaced with HASH_SHA1, which is required for IKEv2 anyway

Tobias Brunner [Fri, 11 Oct 2013 11:57:05 +0000 (13:57 +0200)]
vstr: Forward actual field width

fmt_field_width is a flag that indicates if a field width
is defined in obj_field_width.

Martin Willi [Tue, 25 Jun 2013 15:09:07 +0000 (17:09 +0200)]
unit-tests: support testing when leak-detective has not been enabled

Martin Willi [Fri, 11 Oct 2013 09:40:02 +0000 (11:40 +0200)]
NEWS: Updates for the ah, libipsec-usestats and printf-hook merges