3 years agosignature-params: Use helper to build MGF1 algorithmIdentifier
Tobias Brunner [Mon, 2 Oct 2017 14:10:40 +0000 (16:10 +0200)]
signature-params: Use helper to build MGF1 algorithmIdentifier

3 years agoasn1: Add helper function to create algorithmIdentifier with parameters
Tobias Brunner [Mon, 2 Oct 2017 14:08:46 +0000 (16:08 +0200)]
asn1: Add helper function to create algorithmIdentifier with parameters

3 years agoikev2: Verify RSASSA-PSS signatures via RFC 7427 signature auth
Tobias Brunner [Mon, 2 Oct 2017 13:57:17 +0000 (15:57 +0200)]
ikev2: Verify RSASSA-PSS signatures via RFC 7427 signature auth

3 years agokeymat_v2: Pass/receive signature schemes as signature_param_t objects
Tobias Brunner [Mon, 16 Oct 2017 14:41:55 +0000 (16:41 +0200)]
keymat_v2: Pass/receive signature schemes as signature_param_t objects

3 years agoauth-cfg: Parse rsa/pss auth tokens
Tobias Brunner [Fri, 13 Oct 2017 13:32:29 +0000 (15:32 +0200)]
auth-cfg: Parse rsa/pss auth tokens

3 years agoauth-cfg: Store signature schemes as signature_params_t objects
Tobias Brunner [Fri, 13 Oct 2017 13:02:02 +0000 (15:02 +0200)]
auth-cfg: Store signature schemes as signature_params_t objects

Due to circular references the hasher_from_signature_scheme() helper
does not take a signature_params_t object.

3 years agocertificate: Return signature scheme and parameters from issued_by() method
Tobias Brunner [Fri, 13 Oct 2017 12:33:43 +0000 (14:33 +0200)]
certificate: Return signature scheme and parameters from issued_by() method

This also required some include restructuring (avoid including library.h
in headers) to avoid unresolvable circular dependencies.

3 years agosignature-params: Add helper struct for signature scheme and parameters
Tobias Brunner [Tue, 10 Oct 2017 13:52:19 +0000 (15:52 +0200)]
signature-params: Add helper struct for signature scheme and parameters

3 years agoandroid: Add support for creating RSASSA-PSS signatures via JNI
Tobias Brunner [Tue, 26 Sep 2017 16:35:59 +0000 (18:35 +0200)]
android: Add support for creating RSASSA-PSS signatures via JNI

3 years agounit-tests: Add RSA-PSS signature tests with specific salts
Tobias Brunner [Tue, 26 Sep 2017 14:46:42 +0000 (16:46 +0200)]
unit-tests: Add RSA-PSS signature tests with specific salts

3 years agogcrypt: Add support for static salts when signing with RSA-PSS
Tobias Brunner [Tue, 26 Sep 2017 14:44:44 +0000 (16:44 +0200)]
gcrypt: Add support for static salts when signing with RSA-PSS

3 years agogmp: Add support for static salts when signing with RSA-PSS
Tobias Brunner [Tue, 26 Sep 2017 14:44:02 +0000 (16:44 +0200)]
gmp: Add support for static salts when signing with RSA-PSS

3 years agosignature-params: Optionally pass a specific salt value when signing
Tobias Brunner [Tue, 26 Sep 2017 13:02:04 +0000 (15:02 +0200)]
signature-params: Optionally pass a specific salt value when signing

3 years agounit-tests: Warn if we skip RSA tests due to dependencies
Tobias Brunner [Tue, 26 Sep 2017 12:57:40 +0000 (14:57 +0200)]
unit-tests: Warn if we skip RSA tests due to dependencies

3 years agounit-tests: Add ability to issue a warning message for a test case
Tobias Brunner [Tue, 26 Sep 2017 12:55:14 +0000 (14:55 +0200)]
unit-tests: Add ability to issue a warning message for a test case

This way we can warn if we e.g. skipped actually doing something due to
dependencies (otherwise the test case would just appear to have succeeded).

3 years agomgf1: Add support for SHA-224/384 based MGF1
Tobias Brunner [Mon, 25 Sep 2017 16:17:54 +0000 (18:17 +0200)]
mgf1: Add support for SHA-224/384 based MGF1

3 years agoxof: Add identifiers for MGF1 XOFs based on SHA-224/384
Tobias Brunner [Mon, 25 Sep 2017 16:15:35 +0000 (18:15 +0200)]
xof: Add identifiers for MGF1 XOFs based on SHA-224/384

3 years agogmp: Use helper to determine XOF type
Tobias Brunner [Mon, 25 Sep 2017 16:07:58 +0000 (18:07 +0200)]
gmp: Use helper to determine XOF type

3 years agoxof: Add helper to determine MGF1 XOF type from hash algorithm
Tobias Brunner [Mon, 25 Sep 2017 16:06:40 +0000 (18:06 +0200)]
xof: Add helper to determine MGF1 XOF type from hash algorithm

3 years agogcrypt: Add support for RSA-PSS signatures
Tobias Brunner [Mon, 25 Sep 2017 12:50:20 +0000 (14:50 +0200)]
gcrypt: Add support for RSA-PSS signatures

For salt lengths other than 20 this requires 0bd8137e68c2 ("cipher:
Add option to specify salt length for PSS verification."), which was
included in libgcrypt 1.7.0 (for Ubuntu requires 17.04).  As that makes
it pretty much useless for us (SHA-1 is a MUST NOT), we require that version
to even provide the feature.

3 years agogcrypt: Register supported RSA signature/verification schemes
Tobias Brunner [Mon, 25 Sep 2017 12:30:45 +0000 (14:30 +0200)]
gcrypt: Register supported RSA signature/verification schemes

3 years agoconfigure: Enable mgf1 plugin if gmp plugin is enabled
Tobias Brunner [Sat, 23 Sep 2017 14:32:03 +0000 (16:32 +0200)]
configure: Enable mgf1 plugin if gmp plugin is enabled

3 years agogmp: Add support for RSASSA-PSS signature verification
Tobias Brunner [Sat, 23 Sep 2017 14:25:20 +0000 (16:25 +0200)]
gmp: Add support for RSASSA-PSS signature verification

3 years agogmp: Add support for RSASSA-PSS signature creation
Tobias Brunner [Sat, 23 Sep 2017 13:33:11 +0000 (15:33 +0200)]
gmp: Add support for RSASSA-PSS signature creation

3 years agounit-tests: Add FIPS 186-4 RSASSA-PSS test vectors
Tobias Brunner [Sat, 23 Sep 2017 11:36:32 +0000 (13:36 +0200)]
unit-tests: Add FIPS 186-4 RSASSA-PSS test vectors

Since not all implementations allow setting a specific salt value when
generating signatures (e.g. OpenSSL doesn't), we are often limited to
only using the test vectors with salt length of 0.

We also exclude test vectors with SHA-1, SHA-224 and SHA-384.

3 years agounit-tests: Create and verify some RSA PSS signatures
Tobias Brunner [Sat, 23 Sep 2017 08:49:09 +0000 (10:49 +0200)]
unit-tests: Create and verify some RSA PSS signatures

3 years agoopenssl: Add support for verifying RSASSA-PSS signatures
Tobias Brunner [Sat, 23 Sep 2017 08:39:14 +0000 (10:39 +0200)]
openssl: Add support for verifying RSASSA-PSS signatures

3 years agoopenssl: Add support for creating RSASSA-PSS signatures
Tobias Brunner [Sat, 23 Sep 2017 08:01:57 +0000 (10:01 +0200)]
openssl: Add support for creating RSASSA-PSS signatures

3 years agoopenssl: Add helper to determine EVP_MD from hash_algorithm_t
Tobias Brunner [Sat, 23 Sep 2017 08:12:36 +0000 (10:12 +0200)]
openssl: Add helper to determine EVP_MD from hash_algorithm_t

3 years agounit-tests: Add FIPS 186-4 RSA test vectors
Tobias Brunner [Fri, 22 Sep 2017 17:37:54 +0000 (19:37 +0200)]
unit-tests: Add FIPS 186-4 RSA test vectors

Excluding SHA-224 and the stuff from FIPS 186-2 (SHA-1, 1024 bit keys).

3 years agogcrypt: Determine missing RSA private key parameters
Tobias Brunner [Fri, 22 Sep 2017 17:10:39 +0000 (19:10 +0200)]
gcrypt: Determine missing RSA private key parameters

We only need n, e, and d.  The primes p and q and the coefficient
for the Chinese remainder algorithm can be determined from these.

3 years agogmp: Determine missing RSA private key parameters
Tobias Brunner [Fri, 22 Sep 2017 15:49:00 +0000 (17:49 +0200)]
gmp: Determine missing RSA private key parameters

We only need n, e, and d.  The parameters for the Chinese remainder
algorithm and even p and q can be determined from these.

3 years agoopenssl: Add functions to determine missing RSA private key parameters
Tobias Brunner [Fri, 22 Sep 2017 13:47:11 +0000 (15:47 +0200)]
openssl: Add functions to determine missing RSA private key parameters

We only need n, e, and d.  The parameters for the Chinese remainder
algorithm and even p and q can be determined from these.

3 years agosignature-params: Add functions to parse/build ASN.1 RSASSA-PSS params
Tobias Brunner [Wed, 20 Sep 2017 13:21:51 +0000 (15:21 +0200)]
signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params

3 years agohasher: Add function to determine length of hashes
Tobias Brunner [Fri, 22 Sep 2017 07:46:14 +0000 (09:46 +0200)]
hasher: Add function to determine length of hashes

3 years agoasn1: Add function to generate an ASN.1 integer from an uint64_t
Tobias Brunner [Wed, 20 Sep 2017 13:00:42 +0000 (15:00 +0200)]
asn1: Add function to generate an ASN.1 integer from an uint64_t

3 years agoasn1: Add OID for MGF1
Tobias Brunner [Tue, 19 Sep 2017 16:45:49 +0000 (18:45 +0200)]
asn1: Add OID for MGF1

3 years agosignature-params: Add struct for RSASSA-PSS parameters
Tobias Brunner [Tue, 19 Sep 2017 16:21:37 +0000 (18:21 +0200)]
signature-params: Add struct for RSASSA-PSS parameters

3 years agoprivate-key: Add optional parameters argument to sign() method
Tobias Brunner [Tue, 19 Sep 2017 15:26:58 +0000 (17:26 +0200)]
private-key: Add optional parameters argument to sign() method

3 years agopublic-key: Add optional parameters argument to verify() method
Tobias Brunner [Tue, 19 Sep 2017 15:15:18 +0000 (17:15 +0200)]
public-key: Add optional parameters argument to verify() method

3 years agopublic-key: Add RSASSA-PSS signature scheme identifier
Tobias Brunner [Tue, 19 Sep 2017 11:40:48 +0000 (13:40 +0200)]
public-key: Add RSASSA-PSS signature scheme identifier

3 years agoasn1: Add OID for RSASSA-PSS
Tobias Brunner [Tue, 19 Sep 2017 10:10:36 +0000 (12:10 +0200)]
asn1: Add OID for RSASSA-PSS

3 years agoikev2: Don't use SHA-1 for RFC 7427 signature authentication
Tobias Brunner [Tue, 19 Sep 2017 09:10:09 +0000 (11:10 +0200)]
ikev2: Don't use SHA-1 for RFC 7427 signature authentication

RFC 8247 demoted it to MUST NOT.

References #2427.

3 years agoproposal: Remove MODP-1024 from default IKE proposal
Tobias Brunner [Tue, 19 Sep 2017 09:04:37 +0000 (11:04 +0200)]
proposal: Remove MODP-1024 from default IKE proposal

RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.

References #2427.

3 years agoproposal: Remove MD5 from default IKE proposal
Tobias Brunner [Tue, 19 Sep 2017 09:01:04 +0000 (11:01 +0200)]
proposal: Remove MD5 from default IKE proposal

RFC 8247 demoted MD5 to MUST NOT.

References #2427.

3 years agoproposal: Remove deprecated algorithms from default ESP and AH proposals
Tobias Brunner [Mon, 23 Oct 2017 13:33:02 +0000 (15:33 +0200)]
proposal: Remove deprecated algorithms from default ESP and AH proposals

This removes algorithms that were deprecated by RFC 8221 (3DES, BF, MD5)
from the default proposals for ESP and AH.

References #8247.

3 years agoconfigure: Fix check for libtpmtss to build it only when needed
Martin Willi [Tue, 17 Oct 2017 12:04:27 +0000 (14:04 +0200)]
configure: Fix check for libtpmtss to build it only when needed

Testing for x$tpm always yields true, hence libtpmtss is built even if it
is unneeded. Properly test against xtrue as we do in all other tests.

3 years agopool: Destroy enumerator before deleting existing pool
Tobias Brunner [Mon, 6 Nov 2017 09:29:56 +0000 (10:29 +0100)]
pool: Destroy enumerator before deleting existing pool

The MySQL client doesn't like overlapping queries on the same
connection, so we make sure to destroy the enumerator used to check for
an existing pool before deleting it when --replace is used.

3 years agokernel-pfkey: Support anti-replay windows > 2k
Tobias Brunner [Tue, 7 Nov 2017 13:26:14 +0000 (14:26 +0100)]
kernel-pfkey: Support anti-replay windows > 2k

FreeBSD 11.1 supports a new extension to configure larger anti-replay
windows, now configured as number of packets.

Fixes #2461.

3 years agokernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD
Tobias Brunner [Fri, 3 Nov 2017 08:37:44 +0000 (09:37 +0100)]
kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD

The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.

Fixes #2457.

3 years agoMerge branch 'vici-counters'
Tobias Brunner [Wed, 8 Nov 2017 15:28:49 +0000 (16:28 +0100)]
Merge branch 'vici-counters'

Refactors the IKE event counters feature of the stroke plugin into a separate
plugin, which allows to publish the numbers also via vici/swanctl.

3 years agoswanctl: Add --counters command
Tobias Brunner [Thu, 24 Aug 2017 15:44:45 +0000 (17:44 +0200)]
swanctl: Add --counters command

3 years agovici: Add 'get|reset-counters' commands
Tobias Brunner [Thu, 24 Aug 2017 15:41:37 +0000 (17:41 +0200)]
vici: Add 'get|reset-counters' commands

3 years agocounters: Move IKE event counter collection from stroke to a separate plugin
Tobias Brunner [Thu, 24 Aug 2017 15:02:37 +0000 (17:02 +0200)]
counters: Move IKE event counter collection from stroke to a separate plugin

3 years agosystime-fix: Add timeout option to stop waiting for valid system time
Tobias Brunner [Tue, 26 Sep 2017 08:32:04 +0000 (10:32 +0200)]
systime-fix: Add timeout option to stop waiting for valid system time

A certificate check is forced once the timeout is reached even if the
system time appears to be invalid.

3 years agoandroid: Add log message if failed to retrieve user certificate encoding
Tobias Brunner [Fri, 22 Sep 2017 06:41:10 +0000 (08:41 +0200)]
android: Add log message if failed to retrieve user certificate encoding

3 years agotesting: Fix output matching of lease time in ipsec pool utility
Tobias Brunner [Thu, 2 Nov 2017 10:32:52 +0000 (11:32 +0100)]
testing: Fix output matching of lease time in ipsec pool utility

3 years agoshunt-mananger: Make outbound FWD shunt policies optional
Tobias Brunner [Wed, 25 Oct 2017 11:24:01 +0000 (13:24 +0200)]
shunt-mananger: Make outbound FWD shunt policies optional

3 years agoike: Do not send initial contact only for UNIQUE_NEVER
Thomas Egerer [Wed, 25 Oct 2017 08:45:02 +0000 (10:45 +0200)]
ike: Do not send initial contact only for UNIQUE_NEVER

Signed-off-by: Thomas Egerer <>
3 years agopkcs11: Call C_Finalize() to cancel jobs waiting in C_WaitForSlotEvent()
Tobias Brunner [Fri, 6 Oct 2017 12:51:37 +0000 (14:51 +0200)]
pkcs11: Call C_Finalize() to cancel jobs waiting in C_WaitForSlotEvent()

This is not ideal as the call to C_Finalize() should be the last one via
the PKCS#11 API.  Since the order in which jobs are canceled is undefined
we can't be sure there is no other thread still using the library (it could
even be the canceled job that still handles a previous slot event).
According to PKCS#11 the behavior of C_Finalize() is undefined while other
threads still make calls over the API.

However, canceling the thread, as done previously, could also be problematic
as PKCS#11 libraries could hold locks while in the C_WaitForSlotEvent() call,
which might not get released properly when the thread is just canceled,
and which then might cause later calls to other API functions to block.

Fixes #2437.

3 years agopool: Make pool timeout configurable in other units than hours
Tobias Brunner [Thu, 17 Aug 2017 13:21:19 +0000 (15:21 +0200)]
pool: Make pool timeout configurable in other units than hours

3 years agoutils: Add helper function to parse time spans from strings
Tobias Brunner [Thu, 17 Aug 2017 13:04:14 +0000 (15:04 +0200)]
utils: Add helper function to parse time spans from strings

3 years agoasn1: Add additional OIDs seen in certificate DNs
Tobias Brunner [Wed, 18 Oct 2017 14:44:04 +0000 (16:44 +0200)]
asn1: Add additional OIDs seen in certificate DNs

3 years agoscripts: Add -d option to oid2der to decode DER encoded OIDs
Tobias Brunner [Wed, 18 Oct 2017 14:28:04 +0000 (16:28 +0200)]
scripts: Add -d option to oid2der to decode DER encoded OIDs

3 years agoman: Fix documentation of inbound mark behavior in ipsec.conf(5)
Tobias Brunner [Wed, 23 Aug 2017 09:41:50 +0000 (11:41 +0200)]
man: Fix documentation of inbound mark behavior in ipsec.conf(5)

3 years agovici: Make setting mark on inbound SA configurable
Tobias Brunner [Wed, 23 Aug 2017 09:25:52 +0000 (11:25 +0200)]
vici: Make setting mark on inbound SA configurable

3 years agochild-cfg: Optionally set mark on inbound SA
Tobias Brunner [Wed, 23 Aug 2017 09:22:50 +0000 (11:22 +0200)]
child-cfg: Optionally set mark on inbound SA

3 years agoeap-radius: Optionally send Class attributes in RADIUS accounting messages
Tobias Brunner [Mon, 23 Oct 2017 10:08:17 +0000 (12:08 +0200)]
eap-radius: Optionally send Class attributes in RADIUS accounting messages

If enabled, add the RADIUS Class attributes received in Access-Accept messages
to RADIUS accounting messages as suggested by RFC 2865 section 5.25.

Fixes #2451.

3 years agoikev2: Abort make-before-break reauth if we don't find children to recreate
Tobias Brunner [Tue, 26 Sep 2017 09:31:15 +0000 (11:31 +0200)]
ikev2: Abort make-before-break reauth if we don't find children to recreate

We do something similar in reestablish() for break-before-make reauth.
If we don't abort we'd be sending an IKE_AUTH without any TS payloads.

References #2430.

3 years agoopenssl: Also load EC keys from an ENGINE
Tobias Brunner [Wed, 6 Sep 2017 08:41:37 +0000 (10:41 +0200)]
openssl: Also load EC keys from an ENGINE

3 years agolibcharon: Added Cisco FlexVPN Supported VID
Andreas Steffen [Fri, 27 Oct 2017 18:14:43 +0000 (20:14 +0200)]
libcharon: Added Cisco FlexVPN Supported VID

3 years agounit-tests: Fix "using integer constants in boolean context" warning
Tobias Brunner [Mon, 23 Oct 2017 12:38:00 +0000 (14:38 +0200)]
unit-tests: Fix "using integer constants in boolean context" warning

This warning has been seen in GCC 7.x with -Wall, however, because == has
higher precedence than ?: the code was actually not correct.

3 years agostreams: Remove registered systemd stream service
Tobias Brunner [Wed, 18 Oct 2017 07:25:15 +0000 (09:25 +0200)]
streams: Remove registered systemd stream service

Fixes: 59db98fb941c ("stream: Add basic stream service for systemd sockets")

3 years agostreams: Named systemd sockets are only supported since systemd v227
Tobias Brunner [Thu, 12 Oct 2017 16:40:15 +0000 (18:40 +0200)]
streams: Named systemd sockets are only supported since systemd v227

3 years agostarter: Add the correct keywords header file to EXTRA_DIST
Tobias Brunner [Wed, 11 Oct 2017 16:10:46 +0000 (18:10 +0200)]
starter: Add the correct keywords header file to EXTRA_DIST

The fix for gperf in 0ae19f0ced8d added the generated header to
EXTRA_DIST but that's already added to the distribution because it is
contained in *_SOURCES, what was not added, though, was the file.

Also fixes the reference to the header file in the .c rule here and for
stroke in out-of-tree builds.

Fixes: 0ae19f0ced8d ("configure: Fix gperf length parameter determination")

3 years agowatcher: Don't notify watcher if removed FD was not found
Tobias Brunner [Thu, 7 Sep 2017 07:51:49 +0000 (09:51 +0200)]
watcher: Don't notify watcher if removed FD was not found

This can happen if a stream is used blocking exclusively (the FD is
never registered with watcher, but is removed in the stream's destructor
just in case it ever was - doing this conditionally would require an
additional flag in streams).  There may be no thread reading from
the read end of the notify pipe (e.g. in starter), causing the write
to the notify pipe to block after it's full.  Anyway, doing a relatively
expensive FD update is unnecessary if there were no changes.

Fixes #1453.

3 years agostream: Add basic stream service for systemd sockets
aszlig [Wed, 30 Aug 2017 00:36:34 +0000 (02:36 +0200)]
stream: Add basic stream service for systemd sockets

This allows systemd socket activation by passing URIs such as systemd://foo
to plugins such as VICI.

For example setting charon.plugins.vici.socket = systemd://vici, a
systemd socket file descriptor with the name "vici" will be picked up.

So these would be the corresponding unit options:



The implementation currently is very basic and right now only the first
file descriptor for a particular identifier is picked up if there are
multiple socket units with the same FileDescriptorName.

Signed-off-by: aszlig <>
Closes strongswan/strongswan#79.

3 years agostarter: Don't define any hard-coded proposal strings
Tobias Brunner [Wed, 30 Aug 2017 13:15:31 +0000 (15:15 +0200)]
starter: Don't define any hard-coded proposal strings

Just rely on the default proposals by charon if nothing is defined. The
hard-coded IKE proposal used curve25519, which depends on an optional
plugin (while enabled by default it might still not be loaded, or, like
on Debian, shipped in an optional package). With charon's default
proposal only loaded algorithms are proposed for IKE avoiding this issue.

3 years agoconfigure: Also check for libcrypto on Windows
Tobias Brunner [Wed, 30 Aug 2017 10:30:02 +0000 (12:30 +0200)]
configure: Also check for libcrypto on Windows

With OpenSSL 1.1.0 the library is now named libcrypto too on Windows.
Check for libeay32 first so we don't link against the build environment's
version of OpenSSL instead of the native one that might be available.

3 years agoopenssl: Fix call of X509_CRL_get0_signature() with OpenSSL 1.1.0
Tobias Brunner [Fri, 6 Oct 2017 13:26:19 +0000 (15:26 +0200)]
openssl: Fix call of X509_CRL_get0_signature() with OpenSSL 1.1.0

The order of arguments in X509_CRL_get0_signature() is not the same as that
of X509_get0_signature().

Fixes: 989ba4b6cd16 ("openssl: Update CRL API to OpenSSL 1.1.0")

3 years agokernel-netlink: Add strings for newer XFRM attribute types
Tobias Brunner [Fri, 6 Oct 2017 14:41:09 +0000 (16:41 +0200)]
kernel-netlink: Add strings for newer XFRM attribute types

3 years agoconfigure: Fix gperf length parameter determination
Tobias Brunner [Tue, 26 Sep 2017 10:23:36 +0000 (12:23 +0200)]
configure: Fix gperf length parameter determination

gperf is not actually a build dependency as the generated files are
shipped in the tarball.  So the type depends on the gperf version on
the host that ran gperf and created the tarball, which might not be
the same as that on the actual build host, and gperf might not even
be installed there, leaving the type undetermined.

Fixes: e0e43229736a ("configure: Detect type of length parameter for gperf generated function")

3 years agolibimcv: Renamed SW Request to SWIMA Request
Andreas Steffen [Wed, 27 Sep 2017 08:01:56 +0000 (10:01 +0200)]
libimcv: Renamed SW Request to SWIMA Request

3 years agoVersion bump to 5.6.1dr3 5.6.1dr3
Andreas Steffen [Tue, 26 Sep 2017 20:43:38 +0000 (22:43 +0200)]
Version bump to 5.6.1dr3

3 years agoSWIMA attribute name changes
Andreas Steffen [Sat, 23 Sep 2017 13:22:52 +0000 (15:22 +0200)]
SWIMA attribute name changes

draft-ietf-sacm-nea-swima-patnc-01 changes some SWIMA attribute

3 years agokernel-pfroute: Delay call to if_indextoname(3) when handling RTM_IFINFO
Tobias Brunner [Mon, 28 Aug 2017 17:12:16 +0000 (19:12 +0200)]
kernel-pfroute: Delay call to if_indextoname(3) when handling RTM_IFINFO

It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.

3 years agocontroller: Consider any IKE_SA destruction as success when terminating
Tobias Brunner [Mon, 14 Aug 2017 09:14:38 +0000 (11:14 +0200)]
controller: Consider any IKE_SA destruction as success when terminating

3 years agoconfigure: Detect type of length parameter for gperf generated function
Tobias Brunner [Mon, 18 Sep 2017 15:57:05 +0000 (17:57 +0200)]
configure: Detect type of length parameter for gperf generated function

Since 3.1 gperf uses size_t for the length parameter instead of an
unsigned int.

3 years agoutils: Include stdint.h
Tobias Brunner [Thu, 14 Sep 2017 09:59:30 +0000 (11:59 +0200)]
utils: Include stdint.h

Recent releases of glibc don't include the full stdint.h header in some
network headers included by utils.h.  So uintptr_t might not be defined.
Since we use fixed width integers, including the latter, all over the place
we make sure the complete file is included.

Fixes #2425.

3 years agosec-updater: Make sure `success` is initialized
Tobias Brunner [Thu, 14 Sep 2017 17:25:42 +0000 (19:25 +0200)]
sec-updater: Make sure `success` is initialized

3 years agodhcp: Fix warning regarding unaligned pointer value due to packed struct
Tobias Brunner [Thu, 14 Sep 2017 17:33:07 +0000 (19:33 +0200)]
dhcp: Fix warning regarding unaligned pointer value due to packed struct

We don't need to access this as uint32_t so just cast it to a char*.

3 years agodhcp: Don't use signed char for DHCP options
Tobias Brunner [Thu, 14 Sep 2017 17:11:10 +0000 (19:11 +0200)]
dhcp: Don't use signed char for DHCP options

The value of DHCP_OPTEND is 255.  When it is assigned this result in a
sign change as the positive int constant is cast to a signed char and -1
results. Clang 4.0 complains about this.

3 years agoimv-agent: Fix get_attribute() call for preferred language
Tobias Brunner [Thu, 14 Sep 2017 16:27:13 +0000 (18:27 +0200)]
imv-agent: Fix get_attribute() call for preferred language

3 years agobliss: Fix compile error of unit tests due to uninitialized variable
Tobias Brunner [Thu, 14 Sep 2017 16:04:38 +0000 (18:04 +0200)]
bliss: Fix compile error of unit tests due to uninitialized variable

3 years agotravis: Use Clang 4.0 instead of 3.9 due to va_start() warnings
Tobias Brunner [Thu, 14 Sep 2017 13:33:59 +0000 (15:33 +0200)]
travis: Use Clang 4.0 instead of 3.9 due to va_start() warnings

This is a follow up on the issue documented in the previous commit.

To build with -Werror and Clang 3.9 we'd have to change all enum arguments
that are used as last argument before ... to e.g. u_int, which affects
quite a lot of places (crypto-factory, MODP_CUSTOM constructors, auth-cfg,
bus, vici-builder, vici-message).  Besides that it doesn't look as nice
it also seems a bit too much hassle just to cater to the whims of a
particular version of one compiler, so we just don't build with that
version on Travis and use 4.0 instead.

3 years agosettings: Fix possible undefined behavior with va_start() and bool
Tobias Brunner [Thu, 14 Sep 2017 13:31:00 +0000 (15:31 +0200)]
settings: Fix possible undefined behavior with va_start() and bool

This fixes compilation with -Werror when using Clang 4.0 (but not 3.9)
and possibly prevents undefined behavior.

According to the C standard the following applies to the second
parameter of the va_start() macro (subclause, paragraph 4):

  The parameter parmN is the identifier of the rightmost parameter
  in the variable parameter list in the function definition (the
  one just before the ...). If the parameter parmN is declared with
  the register storage class, with a function or array type, or with
  a type that is not compatible with the type that results after
  application of the default argument promotions, the behavior is

Because bool is usually just 1 byte and therefore smaller than int (i.e.
the result of default argument promotion) its use as last argument before
... might result in undefined behavior.  This theoretically can also
apply to enums as a compiler may use a smaller base type than int.

Since Clang 3.9 (currently in use on Travis by default) a warning is
issued about this, however, that version did not yet compare the actual
size of the argument's type, causing warnings where they are not
warranted (basically for all cases where enum types are used for the
last argument).  This was apparently fixed with Clang 4.0, which only
warns about this use of bool with va_start(), which makes sense.

3 years agoDefine MODP_CUSTOM constructors as variadic functions
Tobias Brunner [Thu, 14 Sep 2017 12:03:08 +0000 (14:03 +0200)]
Define MODP_CUSTOM constructors as variadic functions

They now match the dh_constructor_t signature.  This is a follow up for
the changes merged with b668bf3f9ec1 and should fix use of MODP_CUSTOM on
Apple's ARM64 platform.

3 years agolibtnccs: Correctly read dlopen_use_rtld_now option
Tobias Brunner [Thu, 14 Sep 2017 16:07:08 +0000 (18:07 +0200)]
libtnccs: Correctly read dlopen_use_rtld_now option

Fixes: 50e4aeb22f49 ("libtnccs: Optionally use RTLD_NOW to load IMC/IMVs with dlopen()")

3 years agoplugin-loader: Correctly read dlopen_use_rtld_now option
Tobias Brunner [Thu, 14 Sep 2017 10:43:54 +0000 (12:43 +0200)]
plugin-loader: Correctly read dlopen_use_rtld_now option

Fixes: 305c4aa82cb0 ("plugin-loader: Optionally use RTLD_NOW with dlopen()")

3 years agoandroid: New release after adding delta CRL support and some bug fixes
Tobias Brunner [Mon, 18 Sep 2017 09:04:46 +0000 (11:04 +0200)]
android: New release after adding delta CRL support and some bug fixes