8 years ago processor: Flush pending jobs during cancel(), not destroy
Martin Willi [Tue, 11 Feb 2014 14:41:49 +0000 (15:41 +0100)]
processor: Flush pending jobs during cancel(), not destroy

During shutdown, cancel queued jobs earlier to avoid having cleanup functions
accessing infrastructure not available anymore, for example watcher.

8 years ago utils: Provide a CALLBACK macro, similar to METHOD, but for void* callbacks
Martin Willi [Wed, 22 Jan 2014 15:55:27 +0000 (16:55 +0100)]
utils: Provide a CALLBACK macro, similar to METHOD, but for void* callbacks

Using the same mechanism as the METHOD macro, the CALLBACK macro defines
a hybrid function signature. It strictly uses a weak void* for the first
function parameter, in contrast to the dynamic METHOD object "this" type.

8 years ago travis: --disable-aikgen in "all" tests
Martin Willi [Wed, 7 May 2014 12:11:35 +0000 (14:11 +0200)]
travis: --disable-aikgen in "all" tests

aikgen has a hard dependency on TrouSerS, which we currently don't have in the
travis build.

8 years ago Updated NEWS for 5.2.0dr2 release 5.2.0dr2
Andreas Steffen [Sun, 4 May 2014 19:37:05 +0000 (21:37 +0200)]
Updated NEWS for 5.2.0dr2 release

8 years ago utils: Enable __atomic* built-ins based on the GCC version
Tobias Brunner [Fri, 2 May 2014 15:58:26 +0000 (17:58 +0200)]
utils: Enable __atomic* built-ins based on the GCC version

This solves a problem with GNAT when compiling charon-tkm as __atomic*
built-ins are only provided in GCC 4.7 and newer.

Currently GNAT 4.6 and GCC 4.7.2 are shipped with Debian wheezy (stable),
as used in the testing environment.  So while the configure script correctly
detected the __atomic* built-ins, and defined HAVE_GCC_ATOMIC_OPERATIONS,
this define turned out to be incorrect when charon-tkm was later built
with GNAT.

8 years ago aikgen generates AIK private/public key pairs
Andreas Steffen [Fri, 2 May 2014 18:10:53 +0000 (20:10 +0200)]
aikgen generates AIK private/public key pairs

aikgen outputs a binary AIK private key blob and the AIK public key.
Optionally the Identity Request encrypted with the public key of
the Privacy CA can be output.

8 years ago Added PUBKEY_RSA_MODULUS encoding type
Andreas Steffen [Fri, 2 May 2014 17:50:43 +0000 (19:50 +0200)]
Added PUBKEY_RSA_MODULUS encoding type

8 years ago Extended Ubuntu 14.04 database build
Andreas Steffen [Thu, 1 May 2014 20:16:34 +0000 (22:16 +0200)]
Extended Ubuntu 14.04 database build

8 years ago Moved BIOS and IMA measurement lists into classes of their own
Andreas Steffen [Thu, 1 May 2014 20:13:06 +0000 (22:13 +0200)]
Moved BIOS and IMA measurement lists into classes of their own

8 years ago Added NEWS for 5.2.0dr2
Andreas Steffen [Thu, 1 May 2014 15:00:42 +0000 (17:00 +0200)]
Added NEWS for 5.2.0dr2

8 years ago Fixed typo
Andreas Steffen [Thu, 1 May 2014 15:00:04 +0000 (17:00 +0200)]
Fixed typo

8 years ago Use global status variable for IMA runtime
Andreas Steffen [Thu, 1 May 2014 14:58:59 +0000 (16:58 +0200)]
Use global status variable for IMA runtime

8 years ago Similar statistics for packages and file measurements
Andreas Steffen [Wed, 30 Apr 2014 15:23:20 +0000 (17:23 +0200)]
Similar statistics for packages and file measurements

8 years ago Updated to Ubuntu 14.04
Andreas Steffen [Wed, 30 Apr 2014 13:46:37 +0000 (15:46 +0200)]
Updated to Ubuntu 14.04

8 years ago Updated ITA-IMA finalize messages
Andreas Steffen [Tue, 29 Apr 2014 16:57:55 +0000 (18:57 +0200)]
Updated ITA-IMA finalize messages

8 years ago Implemented IMA-NG support
Andreas Steffen [Mon, 28 Apr 2014 08:02:06 +0000 (10:02 +0200)]
Implemented IMA-NG support

8 years ago Merge branch 'unit-tests'
Martin Willi [Wed, 30 Apr 2014 15:23:07 +0000 (17:23 +0200)]
Merge branch 'unit-tests'

Bring some minor improvements to unit testing, including more flexible

8 years ago unit-tests: Document the supported env variables
Martin Willi [Thu, 13 Feb 2014 07:59:28 +0000 (08:59 +0100)]
unit-tests: Document the supported env variables

8 years ago unit-tests: Support strongswan.conf defined plugin list and base directory
Thomas Egerer [Thu, 13 Feb 2014 07:55:13 +0000 (08:55 +0100)]
unit-tests: Support strongswan.conf defined plugin list and base directory

tests.load and tests.plugindir to allow the specification of the plugins
to be loaded and the directory to load them from.

Signed-off-by: Thomas Egerer <>

8 years ago unit-tests: Allow configuration of libstrongswan via config
Thomas Egerer [Thu, 13 Feb 2014 07:54:08 +0000 (08:54 +0100)]
unit-tests: Allow configuration of libstrongswan via config

By setting the environment variable TESTS_STRONGSWAN_CONF, the unit tests can
be asked to load a configuration file, thus enabling the tester to make use of
the usual configuration settings.

Signed-off-by: Thomas Egerer <>

8 years ago unit-tests: Add a ck_assert_chunk_eq() convenience macro
Martin Willi [Tue, 11 Feb 2014 12:55:56 +0000 (13:55 +0100)]
unit-tests: Add a ck_assert_chunk_eq() convenience macro

8 years ago unit-tests: Silence a literal signedness warning raised by GCC 4.6.3
Martin Willi [Thu, 13 Feb 2014 10:41:16 +0000 (11:41 +0100)]
unit-tests: Silence a literal signedness warning raised by GCC 4.6.3

8 years ago sqlite: Allow query arguments to be freed before starting the enumeration
Tobias Brunner [Wed, 30 Apr 2014 07:30:17 +0000 (09:30 +0200)]
sqlite: Allow query arguments to be freed before starting the enumeration

By marking the string/blob arguments as transient, SQLite will copy and
free them automatically.

8 years ago Version bump to 5.2.0dr2
Andreas Steffen [Sun, 27 Apr 2014 17:15:11 +0000 (19:15 +0200)]
Version bump to 5.2.0dr2

8 years ago Improved finalize messages in ITA-IMA component
Andreas Steffen [Sun, 27 Apr 2014 17:13:15 +0000 (19:13 +0200)]
Improved finalize messages in ITA-IMA component

8 years ago child-cfg: Fix removal of redundant traffic selectors
Tobias Brunner [Fri, 25 Apr 2014 16:58:55 +0000 (18:58 +0200)]
child-cfg: Fix removal of redundant traffic selectors

We have to make sure we compare every selected traffic selector with every
other in the list.

Fixes #577.

8 years ago android: New release based on 5.1.3
Tobias Brunner [Fri, 25 Apr 2014 12:38:46 +0000 (14:38 +0200)]
android: New release based on 5.1.3

Also links OpenSSL statically and doesn't limit the number of packets
during EAP-TTLS.

8 years ago libcharon: Added AEAD sources of libtls to
Tobias Brunner [Fri, 25 Apr 2014 12:26:01 +0000 (14:26 +0200)]
libcharon: Added AEAD sources of libtls to

8 years ago libimcv: Updated
Tobias Brunner [Fri, 25 Apr 2014 12:19:09 +0000 (14:19 +0200)]
libimcv: Updated

8 years ago android: Use static version of libcrypto
Tobias Brunner [Thu, 27 Mar 2014 17:04:18 +0000 (18:04 +0100)]
android: Use static version of libcrypto

System.loadLibrary() searches in system directories first (at least in
recent releases), that is, our own build wouldn't actually get used.

8 years ago tun-device: Use SIOCAIFADDR to set IP address on FreeBSD 10
Tobias Brunner [Fri, 25 Apr 2014 09:28:52 +0000 (11:28 +0200)]
tun-device: Use SIOCAIFADDR to set IP address on FreeBSD 10

FreeBSD 10 deprecated the SIOCSIFADDR etc. commands, so we use this
newer command to set the address and netmask.  A destination address
is now also required.

Fixes #566.

8 years ago Merge branch 'atomic-ref'
Tobias Brunner [Thu, 24 Apr 2014 15:55:25 +0000 (17:55 +0200)]
Merge branch 'atomic-ref'

Adds support for GCC's __atomic* built-ins and improves the performance
of logging (for ignored log levels) and half-open IKE_SA checking under
high loads.

Also fixes two potential race conditions in the load-tester plugin.

8 years ago bus: Add a fast-path if log messages don't have to be logged
Tobias Brunner [Thu, 17 Apr 2014 08:47:32 +0000 (10:47 +0200)]
bus: Add a fast-path if log messages don't have to be logged

For some rwlock_t implementations acquiring the read lock could be quite
expensive even if there are no writers (e.g. because the implementation
requires acquiring a mutex to check for writers) particularly if the
lock is highly contended, like it is for the vlog() method.

8 years ago load-tester: Fix race condition issuing same SPI
Christophe Gouault [Tue, 8 Apr 2014 15:11:14 +0000 (17:11 +0200)]
load-tester: Fix race condition issuing same SPI

Due to an unprotected incrementation, two load-tester initiators occasionally
use the same SPI under high load, and hence generate 2 IPsec SAs with the same
identifier. The responder IPsec stack will refuse to configure the second SA.

Use an atomic incrementation to avoid this race condition.

Signed-off-by: Christophe Gouault <>

8 years ago load-tester: Fix race condition issuing same identity
Christophe Gouault [Tue, 8 Apr 2014 15:11:13 +0000 (17:11 +0200)]
load-tester: Fix race condition issuing same identity

Due to an unprotected incrementation, two load-tester initiators occasionally
use the same identifier under high load. The responder typically drops one of
the connections.

Use an atomic incrementation to avoid this race condition.

Signed-off-by: Christophe Gouault <>

8 years ago ike-sa-manager: Improve scalability of half-open IKE_SA checking
Tobias Brunner [Fri, 11 Apr 2014 14:23:39 +0000 (16:23 +0200)]
ike-sa-manager: Improve scalability of half-open IKE_SA checking

This patch is based on one by Christoph Gouault.

Currently, to count the total number of half_open IKE_SAs,
get_half_open_count sums up the count of each segment in the SA hash
table (acquiring a lock for each segment).  This procedure does not scale
well when the number of segments increases, as the method is called for
each new negotiation.

Instead, let's maintain a global atomic counter.

This optimization allows the use of big values for charon.ikesa_table_size
and charon.ikesa_table_segments.

8 years ago utils: Use GCC's __atomic built-ins if available
Tobias Brunner [Fri, 11 Apr 2014 14:07:32 +0000 (16:07 +0200)]
utils: Use GCC's __atomic built-ins if available

These are available since GCC 4.7 and will eventually replace the __sync
operations.  They support the memory model defined by C++11. For instance,
by using __ATOMIC_RELAXED for some operations on the reference counters we
can avoid memory barriers, which are required by __sync operations (whose
memory model essentially is __ATOMIC_SEQ_CST).

8 years ago utils: Add ref_cur() to retrieve the current value of a reference counter
Tobias Brunner [Fri, 11 Apr 2014 13:13:22 +0000 (15:13 +0200)]
utils: Add ref_cur() to retrieve the current value of a reference counter

On many architectures it is safe to read the value directly (those
using cache coherency protocols, and with atomic loads for 32-bit
values) but it is not if that's not the case or if we ever decide to
make refcount_t 64-bit (load not atomic on x86).

So make sure the operation is actually atomic and that users do not
have to care about the size of refcount_t.

8 years ago testing: Added pfkey/compress test case
Tobias Brunner [Tue, 22 Apr 2014 14:27:41 +0000 (16:27 +0200)]
testing: Added pfkey/compress test case

8 years ago kernel-pfkey: Added IPComp support
Francois ten Krooden [Tue, 22 Apr 2014 13:34:41 +0000 (15:34 +0200)]
kernel-pfkey: Added IPComp support

- get_cpi function was implemented to retrieve a CPI from the kernel.
- add_sa/update_sa/del_sa were updated to accommodate for IPComp SA.
- Updated add_policy_internal to update the SPD to support IPComp.

8 years ago packages: New Debian network-manager-strongswan release
Martin Willi [Thu, 24 Apr 2014 13:45:30 +0000 (15:45 +0200)]
packages: New Debian network-manager-strongswan release

8 years ago packages: Hand over network-manager-strongswan debian package maintenance
Martin Willi [Thu, 24 Apr 2014 13:40:56 +0000 (15:40 +0200)]
packages: Hand over network-manager-strongswan debian package maintenance

8 years ago packages: Use charon-nm in network-manager-strongswan debian package
Martin Willi [Thu, 24 Apr 2014 13:34:50 +0000 (15:34 +0200)]
packages: Use charon-nm in network-manager-strongswan debian package

8 years ago nm: Bump NetworkManager plugin version to 1.3.1
Martin Willi [Thu, 24 Apr 2014 13:38:21 +0000 (15:38 +0200)]
nm: Bump NetworkManager plugin version to 1.3.1

8 years ago now fetches Ubuntu 14.04 security updates
Andreas Steffen [Thu, 24 Apr 2014 07:08:07 +0000 (09:08 +0200)]
now fetches Ubuntu 14.04 security updates

8 years ago Merge branch 'reauth-collision'
Martin Willi [Thu, 17 Apr 2014 08:14:49 +0000 (10:14 +0200)]
Merge branch 'reauth-collision'

Fixes two collisions between IKE_SA re-authentication and CHILD_SA rekeying.

8 years ago ike: Delay actively initiated reauthentication when other exchanges in progress
Martin Willi [Thu, 10 Apr 2014 09:31:17 +0000 (11:31 +0200)]
ike: Delay actively initiated reauthentication when other exchanges in progress

If any other IKE or CHILD_SA operation takes place, we should not start
initiating reauthentication to avoid any potential races.

8 years ago ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SA
Martin Willi [Thu, 10 Apr 2014 09:25:32 +0000 (11:25 +0200)]
ikev2: Reject CHILD_SA creation/rekeying while deleting an IKE_SA

If one peer starts reauthentication by deleting the IKE_SA, while the other
starts CHILD_SA rekeying, we run into a race condition. To avoid it, temporarily
reject the rekey attempt while we are in the IKE_SA deleting state.

RFC 4306/5996 is not exactly clear about this collision, but it should be safe
to reject CHILD_SA rekeying during this stage, as the reauth will re-trigger the
CHILD_SA. For non-rekeying CHILD_SA creations, it's up to the peer to retry
establishing the CHILD_SA on the reauthenticated IKE_SA.

8 years ago ikev2: Apply extensions and conditions before starting rekeying
Martin Willi [Thu, 10 Apr 2014 08:24:34 +0000 (10:24 +0200)]
ikev2: Apply extensions and conditions before starting rekeying

The extensions and conditions apply to the rekeyed IKE_SA as well, so we should
migrate them. Especially when using algorithms from private space, we need
EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.

8 years ago ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying
Martin Willi [Thu, 10 Apr 2014 08:21:32 +0000 (10:21 +0200)]
ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying

8 years ago ikev1: Add an option to accept unencrypted ID/HASH payloads
Martin Willi [Mon, 14 Apr 2014 12:42:27 +0000 (14:42 +0200)]
ikev1: Add an option to accept unencrypted ID/HASH payloads

Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in
unencrypted form, probably to allow PSK lookup based on the ID payloads. We
by default reject that, but accept it if the
charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf.

Initial patch courtesy of Paul Stewart.

8 years ago ikev2: Fix reauthentication if peer assigns a different virtual IP
Tobias Brunner [Tue, 15 Apr 2014 14:00:47 +0000 (16:00 +0200)]
ikev2: Fix reauthentication if peer assigns a different virtual IP

Before this change a reqid set on the create_child_t task was used as
indicator of the CHILD_SA being rekeyed.  Only if that was not the case
would the local traffic selector be changed to|::/0 (as we
don't know which virtual IP the gateway will eventually assign).
On the other hand, in case of a rekeying the VIP is expected to remain
the same, so the local TS would simply equal the VIP.

Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid
set.  Which meant that the local TS would contain the previously
assigned VIP, basically rendering the gateway unable to assign a
different VIP to the client as the resulting TS would not match
the client's proposal anymore.

Fixes #553.

8 years ago Added NEWS for 5.2.0dr1 5.2.0dr1
Andreas Steffen [Tue, 15 Apr 2014 08:04:27 +0000 (10:04 +0200)]
Added NEWS for 5.2.0dr1

8 years ago Handle tag separators
Andreas Steffen [Tue, 15 Apr 2014 06:55:11 +0000 (08:55 +0200)]
Handle tag separators

8 years ago Renewed expired user certificate
Andreas Steffen [Mon, 14 Apr 2014 20:52:26 +0000 (22:52 +0200)]
Renewed expired user certificate

8 years ago Updated SWID scenarios
Andreas Steffen [Mon, 14 Apr 2014 09:26:08 +0000 (11:26 +0200)]
Updated SWID scenarios

8 years ago swid_generator software-id does not generate empty lines any more
Andreas Steffen [Mon, 14 Apr 2014 09:25:41 +0000 (11:25 +0200)]
swid_generator software-id does not generate empty lines any more

8 years ago Added result information to TPMRA workitems
Andreas Steffen [Sat, 12 Apr 2014 08:56:16 +0000 (10:56 +0200)]
Added result information to TPMRA workitems

On the occasion got rid of complicated functional component stuff

8 years ago Indicate IMV in assessment log statement
Andreas Steffen [Fri, 11 Apr 2014 14:58:08 +0000 (16:58 +0200)]
Indicate IMV in assessment log statement

8 years ago Implemented segmented SWID tag attributes on IMV side
Andreas Steffen [Fri, 11 Apr 2014 14:30:55 +0000 (16:30 +0200)]
Implemented segmented SWID tag attributes on IMV side

8 years ago Use python-based swidGenerator to generate SWID tags
Andreas Steffen [Thu, 10 Apr 2014 08:25:39 +0000 (10:25 +0200)]
Use python-based swidGenerator to generate SWID tags

8 years ago Updated imv database templates
Andreas Steffen [Mon, 7 Apr 2014 13:17:32 +0000 (15:17 +0200)]
Updated imv database templates

8 years ago Optimized PTS measurements
Andreas Steffen [Sun, 6 Apr 2014 05:18:28 +0000 (07:18 +0200)]
Optimized PTS measurements

8 years ago Use cached pid for product-based package access
Andreas Steffen [Sat, 5 Apr 2014 14:11:13 +0000 (16:11 +0200)]
Use cached pid for product-based package access

8 years ago Make Attestation IMV independent of OS IMV
Andreas Steffen [Sat, 5 Apr 2014 13:38:06 +0000 (15:38 +0200)]
Make Attestation IMV independent of OS IMV

8 years ago Separated IMV session management from IMV policy database
Andreas Steffen [Fri, 4 Apr 2014 21:00:40 +0000 (23:00 +0200)]
Separated IMV session management from IMV policy database

8 years ago Renamed the AIK public key parameter to imc-attestation.aik_pubkey
Andreas Steffen [Wed, 2 Apr 2014 04:54:16 +0000 (06:54 +0200)]
Renamed the AIK public key parameter to imc-attestation.aik_pubkey

8 years ago Implemented configurable Device ID in OS IMC
Andreas Steffen [Mon, 31 Mar 2014 11:00:40 +0000 (13:00 +0200)]
Implemented configurable Device ID in OS IMC

8 years ago Version bump to 5.2.0dr1
Andreas Steffen [Tue, 15 Apr 2014 07:20:38 +0000 (09:20 +0200)]
Version bump to 5.2.0dr1

8 years ago Version bump to 5.1.3 5.1.3
Andreas Steffen [Mon, 14 Apr 2014 13:18:38 +0000 (15:18 +0200)]
Version bump to 5.1.3

8 years ago NEWS: Added info about CVE-2014-2338
Tobias Brunner [Mon, 14 Apr 2014 11:32:36 +0000 (13:32 +0200)]
NEWS: Added info about CVE-2014-2338

8 years ago ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs
Martin Willi [Thu, 20 Feb 2014 15:08:43 +0000 (16:08 +0100)]
ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs

Prevents a responder peer from tricking us into established state by starting
IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.

Fixes CVE-2014-2338.

8 years ago eap-mschapv2: Fix potential leaks in case of invalid messages from servers
Tobias Brunner [Wed, 9 Apr 2014 16:04:33 +0000 (18:04 +0200)]
eap-mschapv2: Fix potential leaks in case of invalid messages from servers

8 years ago pts: Make sure the complete AIK blob has been read
Tobias Brunner [Wed, 9 Apr 2014 15:47:32 +0000 (17:47 +0200)]
pts: Make sure the complete AIK blob has been read

8 years ago attr: Don't shift the 32-bit netmask by 32
Tobias Brunner [Wed, 9 Apr 2014 15:09:55 +0000 (17:09 +0200)]
attr: Don't shift the 32-bit netmask by 32

This is undefined behavior as per the C99 standard (sentence 1185):

 "If the value of the right operand is negative or is greater or equal
  to the width of the promoted left operand, the behavior is undefined."

Apparently shifts may be done modulo the width on some platforms so
a shift by 32 would not shift at all.

8 years ago nm: Fix NULL-pointer dereference when handling TUN device failure
Tobias Brunner [Wed, 9 Apr 2014 14:35:46 +0000 (16:35 +0200)]
nm: Fix NULL-pointer dereference when handling TUN device failure

8 years ago x509: Don't include authKeyIdentifier in self-signed certificates
Tobias Brunner [Wed, 9 Apr 2014 13:28:54 +0000 (15:28 +0200)]
x509: Don't include authKeyIdentifier in self-signed certificates

As the comment indicates this was the intention in
d7be2906433a7dcfefc1fd732587865688dbfe1b all along.

8 years ago x509: Initialize certs when building optionalSignature for OCSP requests
Tobias Brunner [Wed, 9 Apr 2014 13:18:13 +0000 (15:18 +0200)]
x509: Initialize certs when building optionalSignature for OCSP requests

8 years ago stroke: Fix memory leak when printing unknown AC group OIDs
Tobias Brunner [Wed, 9 Apr 2014 14:05:55 +0000 (16:05 +0200)]
stroke: Fix memory leak when printing unknown AC group OIDs

8 years ago pki: Fix memory leak when printing unknown AC group OIDs
Tobias Brunner [Wed, 9 Apr 2014 13:53:35 +0000 (15:53 +0200)]
pki: Fix memory leak when printing unknown AC group OIDs

8 years ago pki: Removed extra continue statement
Tobias Brunner [Wed, 9 Apr 2014 13:12:27 +0000 (15:12 +0200)]
pki: Removed extra continue statement

8 years ago Added support for msSmartcardLogon EKU
Andreas Steffen [Tue, 8 Apr 2014 11:09:03 +0000 (13:09 +0200)]
Added support for msSmartcardLogon EKU

8 years ago Added some more OIDs
Andreas Steffen [Tue, 8 Apr 2014 09:32:30 +0000 (11:32 +0200)]
Added some more OIDs

8 years ago Initialize m1 to suppress compiler warning
Andreas Steffen [Mon, 7 Apr 2014 11:29:39 +0000 (13:29 +0200)]
Initialize m1 to suppress compiler warning

8 years ago Fixed another dirname/basename refactoring bug.
Andreas Steffen [Sun, 6 Apr 2014 15:54:55 +0000 (17:54 +0200)]
Fixed another dirname/basename refactoring bug.

file was freed before use.

8 years ago Fixed dirname/basename refactoring bug.
Andreas Steffen [Sun, 6 Apr 2014 15:26:52 +0000 (17:26 +0200)]
Fixed dirname/basename refactoring bug.

Variables used in a database query have to be kept until the end of the enumeration

8 years ago Added SHA3 OIDs
Andreas Steffen [Fri, 4 Apr 2014 21:44:55 +0000 (23:44 +0200)]
Added SHA3 OIDs

8 years ago Fixed pretest script in tnc/tnccs-20-pt-tls scenario
Andreas Steffen [Fri, 4 Apr 2014 21:04:54 +0000 (23:04 +0200)]
Fixed pretest script in tnc/tnccs-20-pt-tls scenario

8 years ago ike-cfg: Properly compare IKE proposals for equality 5.1.3rc1
Tobias Brunner [Wed, 2 Apr 2014 13:06:56 +0000 (15:06 +0200)]
ike-cfg: Properly compare IKE proposals for equality

8 years ago leak-detective: LEAK_DETECTIVE_DISABLE completely disables LD
Tobias Brunner [Tue, 1 Apr 2014 08:30:13 +0000 (10:30 +0200)]
leak-detective: LEAK_DETECTIVE_DISABLE completely disables LD

If lib->leak_detective is non-null some code parts (e.g. the plugin
loader) assume LD is actually used.

8 years ago testing: Run 'conntrack -F' before all test scenarios
Tobias Brunner [Tue, 2 Jul 2013 12:01:38 +0000 (14:01 +0200)]
testing: Run 'conntrack -F' before all test scenarios

This prevents failures due to remaining conntrack entries.

8 years ago unit-tests: Verify two bytes at once when testing chunk_clear()
Tobias Brunner [Wed, 2 Apr 2014 09:50:11 +0000 (11:50 +0200)]
unit-tests: Verify two bytes at once when testing chunk_clear()

This reduces the chances of arbitrary test failures if the memory area
already got overwritten.

8 years ago Merge branch 'tls-unit-tests'
Martin Willi [Tue, 1 Apr 2014 12:53:28 +0000 (14:53 +0200)]
Merge branch 'tls-unit-tests'

Add some initial unit-tests to libtls, testing all supported cipher suites
against self, both with and without client authentication, for all supported
TLS versions.

8 years ago tls: Add a test case to check correct enum name mapping of cipher suites
Martin Willi [Tue, 25 Mar 2014 08:25:14 +0000 (09:25 +0100)]
tls: Add a test case to check correct enum name mapping of cipher suites

8 years ago tls: Add socket based tests testing all supported suites with TLS 1.2/1.1/1.0
Martin Willi [Mon, 24 Mar 2014 17:01:00 +0000 (18:01 +0100)]
tls: Add socket based tests testing all supported suites with TLS 1.2/1.1/1.0

8 years ago tls: Remove superfluous initializers in TLS AEAD implementations
Martin Willi [Tue, 1 Apr 2014 09:45:45 +0000 (11:45 +0200)]
tls: Remove superfluous initializers in TLS AEAD implementations

8 years ago tls: Support a maximum TLS version to negotiate using TLS socket abstraction
Martin Willi [Tue, 25 Mar 2014 09:12:51 +0000 (10:12 +0100)]
tls: Support a maximum TLS version to negotiate using TLS socket abstraction

8 years ago tls: Support a null encryption flag on TLS socket abstraction
Martin Willi [Tue, 25 Mar 2014 09:19:41 +0000 (10:19 +0100)]
tls: Support a null encryption flag on TLS socket abstraction

8 years ago tls: Introduce a generic TLS purpose that accepts NULL encryption ciphers
Martin Willi [Tue, 25 Mar 2014 08:49:04 +0000 (09:49 +0100)]
tls: Introduce a generic TLS purpose that accepts NULL encryption ciphers

8 years ago tls: Export a function to list supported TLS cipher suites
Martin Willi [Mon, 24 Mar 2014 13:28:50 +0000 (14:28 +0100)]
tls: Export a function to list supported TLS cipher suites