5 years agoVersion bump to 5.5.1rc1 5.5.1rc1
Andreas Steffen [Tue, 11 Oct 2016 17:21:36 +0000 (19:21 +0200)]
Version bump to 5.5.1rc1

5 years agoMerge branch 'cache-crls'
Andreas Steffen [Tue, 11 Oct 2016 15:19:29 +0000 (17:19 +0200)]
Merge branch 'cache-crls'

5 years agoSave both base and delta CRLs to disk
Andreas Steffen [Fri, 30 Sep 2016 06:05:20 +0000 (08:05 +0200)]
Save both base and delta CRLs to disk

5 years agovici: strongswan.conf cache_crls = yes saves fetched CRLs to disk
Andreas Steffen [Tue, 27 Sep 2016 12:42:08 +0000 (14:42 +0200)]
vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk

5 years agomem-cred: Support storing a delta CRL together with its base
Tobias Brunner [Fri, 7 Oct 2016 08:56:06 +0000 (10:56 +0200)]
mem-cred: Support storing a delta CRL together with its base

So far every "newer" CRL (higher serial or by date) replaced an existing
"older" CRL.  This meant that delta CRLs replaced an existing base CRL
and that base CRLs weren't added if a delta CRL was already stored.  So
the base had to be re-fetched every time after a delta CRL was added.

With this change one delta CRL to the latest base may be stored.  A newer
delta CRL will replace an existing delta CRL (but not its base, older
base CRLs are removed, though).  And a newer base will replace the existing
base and optional delta CRL.

5 years agorevocation: Cache valid CRL also if certificate is revoked
Tobias Brunner [Mon, 3 Oct 2016 10:40:24 +0000 (12:40 +0200)]
revocation: Cache valid CRL also if certificate is revoked

5 years agopki: Don't remove zero bytes in CRL serials anymore
Tobias Brunner [Mon, 3 Oct 2016 10:15:10 +0000 (12:15 +0200)]
pki: Don't remove zero bytes in CRL serials anymore

This was added a few years ago because pki --signcrl once encoded serials
incorrectly as eight byte blobs.  But still ensure we have can handle
overflows in case the serial is encoded incorrectly without zero-prefix.

5 years agopki: Use serial of base CRL for delta CRLs
Tobias Brunner [Mon, 3 Oct 2016 10:10:40 +0000 (12:10 +0200)]
pki: Use serial of base CRL for delta CRLs

According to RFC 5280 delta CRLs and complete CRLs MUST share one
numbering sequence.

5 years agoopenssl: Fix AES-GCM with BoringSSL
Tobias Brunner [Tue, 11 Oct 2016 08:54:06 +0000 (10:54 +0200)]
openssl: Fix AES-GCM with BoringSSL

BoringSSL only supports a limited list of (hard-coded) algorithms via
EVP_get_cipherbyname(), which does not include AES-GCM.  While BoringSSL
deprecated these functions they are also supported by OpenSSL (in BoringSSL
a completely new interface for AEADs was added, which OpenSSL currently does
not support).

5 years agoandroid: Identifiers for SHA2-base RSA signature schemes got renamed
Tobias Brunner [Mon, 10 Oct 2016 15:52:35 +0000 (17:52 +0200)]
android: Identifiers for SHA2-base RSA signature schemes got renamed

Fixes: 40f2589abfc8 ("gmp: Support of SHA-3 RSA signatures")

5 years agoandroid: MGF1 implementation was moved to a plugin
Tobias Brunner [Mon, 10 Oct 2016 15:48:01 +0000 (17:48 +0200)]
android: MGF1 implementation was moved to a plugin

Fixes: 188b190a70c9 ("mgf1: Refactored MGF1 as an XOF")

5 years agoldap: Fix crash in case of empty LDAP response for CRL fetch
Yannick CANN [Thu, 6 Oct 2016 13:40:47 +0000 (15:40 +0200)]
ldap: Fix crash in case of empty LDAP response for CRL fetch

In case of an empty LDAP result during a CRL fetch (for example, due to
a wrong filter attribute in the LDAP URI, or invalid LDAP configuration),
the call to ldap_result2error() with NULL value for "entry" lead to
a crash.

Closes strongswan/strongswan#52.

5 years agolibimcv: Add Debian 8.6 to database
Tobias Brunner [Wed, 5 Oct 2016 13:53:32 +0000 (15:53 +0200)]
libimcv: Add Debian 8.6 to database

5 years agotask-manager: Only trigger retransmit cleared alert if there was at least one retransmit
Tobias Brunner [Tue, 4 Oct 2016 15:44:14 +0000 (17:44 +0200)]
task-manager: Only trigger retransmit cleared alert if there was at least one retransmit

The counter is already increased when sending the original message.

Fixes: bd71ba0ffb03 ("task-manager: Add retransmit cleared alert")

5 years agoMerge branch 'proposal-checks'
Tobias Brunner [Wed, 5 Oct 2016 12:58:41 +0000 (14:58 +0200)]
Merge branch 'proposal-checks'

Adds checks for proposals parsed from strings.  For instance, the presence
of DH, PRF and encryption algorithms for IKE are now enforced and AEAD and
regular encryption algorithms are not allowed in the same proposal anymore.
Also fixed is the mapping of the aes*gmac keywords to an integrity algorithm
in AH proposals.

5 years agounit-tests: Enable optional logging in libcharon unit tests
Tobias Brunner [Wed, 5 Oct 2016 12:22:37 +0000 (14:22 +0200)]
unit-tests: Enable optional logging in libcharon unit tests

5 years agounit-tests: Add more tests for proposal creation
Tobias Brunner [Tue, 4 Oct 2016 10:01:36 +0000 (12:01 +0200)]
unit-tests: Add more tests for proposal creation

5 years agoproposal: Correctly add AES-GMAC for AH proposals
Tobias Brunner [Tue, 4 Oct 2016 09:58:28 +0000 (11:58 +0200)]
proposal: Correctly add AES-GMAC for AH proposals

We parse aes*gmac as encryption algorithm, which we have to map to an
integrity algorithm.  We also make sure we remove all other encryption
algorithms and ensure there is an integrity algorithm.

5 years agoproposal: Enforce separate proposals for AEAD and classic encryption algorithms
Tobias Brunner [Tue, 4 Oct 2016 09:57:30 +0000 (11:57 +0200)]
proposal: Enforce separate proposals for AEAD and classic encryption algorithms

5 years agoproposal: Make sure there is a PRF defined in IKE proposals
Tobias Brunner [Tue, 4 Oct 2016 08:58:18 +0000 (10:58 +0200)]
proposal: Make sure there is a PRF defined in IKE proposals

But filter PRFs from ESP proposals.

5 years agoproposal: Make DH groups mandatory in IKE proposals parsed from strings
Tobias Brunner [Wed, 13 Jul 2016 10:37:29 +0000 (12:37 +0200)]
proposal: Make DH groups mandatory in IKE proposals parsed from strings

References #2051.

5 years agoikev2: Respond with NO_PROPOSAL_CHOSEN if proposal without DH group was selected
Tobias Brunner [Wed, 13 Jul 2016 10:24:39 +0000 (12:24 +0200)]
ikev2: Respond with NO_PROPOSAL_CHOSEN if proposal without DH group was selected

Fixes #2051.

5 years agotesting: Remove ikev2/default-keys scenario
Tobias Brunner [Wed, 5 Oct 2016 10:25:29 +0000 (12:25 +0200)]
testing: Remove ikev2/default-keys scenario

No default keys are generated anymore.

5 years agokernel-netlink: Consider RTA_SRC when looking for a source address
Tobias Brunner [Tue, 23 Aug 2016 10:48:37 +0000 (12:48 +0200)]
kernel-netlink: Consider RTA_SRC when looking for a source address

5 years agoMerge branch 'priv-key-any'
Tobias Brunner [Wed, 5 Oct 2016 09:36:11 +0000 (11:36 +0200)]
Merge branch 'priv-key-any'

Adds the ability to parse KEY_ANY keys via the pkcs1 and openssl plugins.
This is then used in the pki utility, where private keys may now be
loaded via `priv` keyword instead of having to specify the type of the key
explicitly.  And swanctl can load any type of key from the swanctl/private

5 years agoswanctl: Add 'private' directory/section to load any type of private key
Tobias Brunner [Fri, 30 Sep 2016 13:16:42 +0000 (15:16 +0200)]
swanctl: Add 'private' directory/section to load any type of private key

5 years agopki: Add generic 'priv' key type that loads any type of private key
Tobias Brunner [Wed, 31 Aug 2016 15:57:12 +0000 (17:57 +0200)]
pki: Add generic 'priv' key type that loads any type of private key

5 years agoopenssl: Add a generic private key loader
Tobias Brunner [Thu, 22 Sep 2016 14:21:22 +0000 (16:21 +0200)]
openssl: Add a generic private key loader

5 years agopkcs1: Support building of KEY_ANY private keys
Tobias Brunner [Wed, 31 Aug 2016 15:34:00 +0000 (17:34 +0200)]
pkcs1: Support building of KEY_ANY private keys

We try to detect the type of key by parsing the basic structure of the
passed ASN.1 blob.

5 years agopki: Drop -priv suffix to specify private key types
Tobias Brunner [Wed, 31 Aug 2016 13:08:09 +0000 (15:08 +0200)]
pki: Drop -priv suffix to specify private key types

5 years agoikev2: Only add NAT-D notifies to DPDs as initiator
Tobias Brunner [Fri, 30 Sep 2016 08:24:54 +0000 (10:24 +0200)]
ikev2: Only add NAT-D notifies to DPDs as initiator

If a responder is natted it will usually be a static NAT (unless it's a
mediated connection) in which case adding these notifies makes not much
sense (if the initiator's NAT mapping had changed the responder wouldn't
be able to reach it anyway).  It's also problematic as some clients refuse
to respond to DPDs if they contain such notifies.

Fixes #2126.

5 years agopkcs11: Look for the CKA_ID of the cert if it doesn't match the subjectKeyId
Raphael Geissert [Wed, 31 Aug 2016 11:22:38 +0000 (13:22 +0200)]
pkcs11: Look for the CKA_ID of the cert if it doesn't match the subjectKeyId

charon-nm fails to find the private key when its CKA_ID doesn't match the
subjectKeyIdentifier of the X.509 certificate.  In such cases, the private
key builder now falls back to enumerating all the certificates, looking for
one that matches the supplied subjectKeyIdentifier.  It then uses the CKA_ID
of that certificate to find the corresponding private key.

It effectively means that PKCS#11 tokens where the only identifier to relate
the certificate, the public key, and the private key is the CKA_ID are now
supported by charon-nm.

Fixes #490.

5 years agonm: Make global CA directory configurable
Tobias Brunner [Wed, 31 Aug 2016 16:08:38 +0000 (18:08 +0200)]
nm: Make global CA directory configurable

5 years agoMerge branch 'ikev1-rekey-deletion'
Tobias Brunner [Tue, 4 Oct 2016 08:15:11 +0000 (10:15 +0200)]
Merge branch 'ikev1-rekey-deletion'

Sends a DELETE when rekeyed IKE_SAs are deleted. This fixes issues with
peers (e.g. Cisco) that continue to send DPDs on the old SA and then
delete all SAs if no response is received.  But since the DELETE could get
dropped this might not fix the issue in all cases.

Also, when terminating an IKE_SA DELETES for all CHILD_SAs are now sent
before sending one for the IKE_SA and destroying it.

Fixes #2090.

5 years agoikev1: Activate task to delete the IKE_SA in state IKE_REKEYING
Tobias Brunner [Thu, 25 Aug 2016 07:56:45 +0000 (09:56 +0200)]
ikev1: Activate task to delete the IKE_SA in state IKE_REKEYING

It does not have any CHILD_SAs attached at that point.

5 years agoikev1: Delete Quick Mode SAs before the ISAKMP SA
Tobias Brunner [Thu, 25 Aug 2016 07:54:17 +0000 (09:54 +0200)]
ikev1: Delete Quick Mode SAs before the ISAKMP SA

After the ISAKMP_DELETE task has been executed the IKE_SA is destroyed
so we wouldn't be able to send deletes for the Quick Mode SAs.

5 years agoikev1: Send DELETE for rekeyed IKE_SAs
Tobias Brunner [Mon, 22 Aug 2016 10:26:05 +0000 (12:26 +0200)]
ikev1: Send DELETE for rekeyed IKE_SAs

If we silently delete the IKE_SA the other peer might still use it even
if only to send DPDs.  If we don't answer to DPDs that might result in the
deletion of the new IKE_SA too.

5 years agostarter: Install an empty ipsec.secrets file
Tobias Brunner [Tue, 27 Sep 2016 08:08:15 +0000 (10:08 +0200)]
starter: Install an empty ipsec.secrets file

5 years agostarter: Don't generate a key/certificate if ipsec.secrets does not exist
Tobias Brunner [Tue, 27 Sep 2016 08:07:37 +0000 (10:07 +0200)]
starter: Don't generate a key/certificate if ipsec.secrets does not exist

5 years agowatcher: Avoid allocations due to enumerators
Tobias Brunner [Thu, 14 Jul 2016 16:28:42 +0000 (18:28 +0200)]
watcher: Avoid allocations due to enumerators

Since the FD set could get rebuilt quite often this change avoids having
to allocate memory just to enumerate the registered FDs.

5 years agoMerge branch 'enable-fragmentation'
Tobias Brunner [Tue, 4 Oct 2016 08:09:03 +0000 (10:09 +0200)]
Merge branch 'enable-fragmentation'

This enables IKE fragmentation by default. And also increases the
default fragment size to 1280 bytes (the default for IPv6).

5 years agovici: Enable IKE fragmentation by default
Tobias Brunner [Mon, 18 Jul 2016 13:26:16 +0000 (15:26 +0200)]
vici: Enable IKE fragmentation by default

5 years agostarter: Enable IKE fragmentation by default
Tobias Brunner [Mon, 18 Jul 2016 13:25:45 +0000 (15:25 +0200)]
starter: Enable IKE fragmentation by default

5 years agoike: Set default IKE fragment size to 1280
Tobias Brunner [Mon, 18 Jul 2016 13:01:07 +0000 (15:01 +0200)]
ike: Set default IKE fragment size to 1280

This is the minimum size an IPv6 implementation must support.  This makes
it the default for IPv4 too, which presumably is also generally routable
(otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).

5 years agoMerge commit 'derived-keys'
Tobias Brunner [Tue, 4 Oct 2016 08:02:12 +0000 (10:02 +0200)]
Merge commit 'derived-keys'

Adds new listener hooks that work similar to the existing ike|child_keys
hooks but receive the derived IKE and CHILD_SA keys.

5 years agoikev2: Send derived CHILD_SA keys to the bus
Tobias Brunner [Wed, 14 Sep 2016 13:59:32 +0000 (15:59 +0200)]
ikev2: Send derived CHILD_SA keys to the bus

5 years agoikev2: Send derived IKE_SA keys to bus
Tobias Brunner [Wed, 14 Sep 2016 13:42:11 +0000 (15:42 +0200)]
ikev2: Send derived IKE_SA keys to bus

5 years agoikev1: Send derived CHILD_SA keys to the bus
Tobias Brunner [Wed, 14 Sep 2016 13:57:21 +0000 (15:57 +0200)]
ikev1: Send derived CHILD_SA keys to the bus

5 years agoikev1: Send derived IKE_SA keys to bus
Tobias Brunner [Wed, 14 Sep 2016 13:40:36 +0000 (15:40 +0200)]
ikev1: Send derived IKE_SA keys to bus

5 years agobus: Add new hooks for derived IKE_SA and CHILD_SA keys
Tobias Brunner [Wed, 14 Sep 2016 10:07:33 +0000 (12:07 +0200)]
bus: Add new hooks for derived IKE_SA and CHILD_SA keys

5 years agonm: Remove dummy TUN device
Tobias Brunner [Tue, 20 Sep 2016 09:45:16 +0000 (11:45 +0200)]
nm: Remove dummy TUN device

Recent NM releases don't insist on getting a device back from VPN

5 years agonm: Fix comment in service file in /etc/NetworkManager/VPN
Tobias Brunner [Mon, 19 Sep 2016 13:03:10 +0000 (15:03 +0200)]
nm: Fix comment in service file in /etc/NetworkManager/VPN

5 years agonm: Remove generated service file in `make clean`
Tobias Brunner [Mon, 19 Sep 2016 12:56:51 +0000 (14:56 +0200)]
nm: Remove generated service file in `make clean`

5 years agonm: Don't add generated AppStream metadata to tarball
Tobias Brunner [Mon, 19 Sep 2016 12:53:19 +0000 (14:53 +0200)]
nm: Don't add generated AppStream metadata to tarball

5 years agobus: Fix maximum log levels when mixing log/vlog implementing loggers
Tobias Brunner [Thu, 22 Sep 2016 13:51:09 +0000 (15:51 +0200)]
bus: Fix maximum log levels when mixing log/vlog implementing loggers

The maximum would not get set correctly when a logger is removed and the
first remaining logger in the list (the one with the highest log level) does
e.g. only implement vlog() while there are other loggers that implement log().
This would result in only max_vlevel getting set correctly while max_level
would incorrectly get set to -1 so that log() would not get called for any
of the loggers anymore.

References #574.

5 years agokernel-netlink: Pass zero mark to kernel if mask is set
Tobias Brunner [Mon, 29 Aug 2016 14:39:18 +0000 (16:39 +0200)]
kernel-netlink: Pass zero mark to kernel if mask is set

The kernel will apply the mask to the mark on the packet and then
compare it to the configured mark.  So to match only unmarked packets we
have to be able to set 0/0xffffffff.

5 years agokernel-netlink: Support configuring XFRM policy hashing thresholds
Tobias Brunner [Wed, 21 Sep 2016 08:16:00 +0000 (10:16 +0200)]
kernel-netlink: Support configuring XFRM policy hashing thresholds

If the number of flows over a gateway exceeds the flow cache size of the Linux
kernel, policy lookup gets very expensive. Policies covering more than a single
address don't get hash-indexed by default, which results in wasting most of
the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use.
Starting with several hundred policies the overhead gets inacceptable.

Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet
to perform indexed lookup. With correctly chosen netbits, this can completely
eliminate the performance impact of policy lookups, freeing the resources
for ESP crypto.

WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a
NULL pointer dereference if a socket policy is installed while hash thresholds
are changed.  And because the hashtable rebuild triggered by the threshold
change that causes this is scheduled it might also happen if the socket
policies are seemingly installed after setting the thresholds.
The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when
rebuilding hash tables") - is included since 4.8 (and might get backported).
As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled
to replace the socket policies that allow IKE traffic with port specific
bypass policies.

5 years agoinclude: Update xfrm.h to Linux v4.3
Martin Willi [Mon, 7 Dec 2015 09:55:25 +0000 (10:55 +0100)]
include: Update xfrm.h to Linux v4.3

We strip the newly introduced <linux/in6.h> include, as this clashes with the
<netinet/in6.h> include.

5 years agoMerge branch 'fwd-out-policies-optional'
Tobias Brunner [Wed, 28 Sep 2016 15:57:57 +0000 (17:57 +0200)]
Merge branch 'fwd-out-policies-optional'

This makes the FWD policies in the out direction  optional (disabled by
default).  They may be enabled (e.g. if conflicting drop policies are
used) via the policies_fwd_out swanctl.conf option.

5 years agochild-sa: Only install outbound FWD policies if explicitly configured
Tobias Brunner [Thu, 18 Aug 2016 13:09:08 +0000 (15:09 +0200)]
child-sa: Only install outbound FWD policies if explicitly configured

They are only required if drop policies would otherwise prevent
forwarding traffic.  This reduces the number of policies and avoids
conflicts e.g. with SPD hash thresholds.

5 years agotesting: Enable outbound FWD policies in swanctl/manual-prio scenario
Tobias Brunner [Thu, 18 Aug 2016 15:09:15 +0000 (17:09 +0200)]
testing: Enable outbound FWD policies in swanctl/manual-prio scenario

5 years agovici: Make installation of outbound FWD policies configurable
Tobias Brunner [Thu, 18 Aug 2016 14:22:51 +0000 (16:22 +0200)]
vici: Make installation of outbound FWD policies configurable

5 years agochild-cfg: Add setting that controls whether outbound FWD policies are installed
Tobias Brunner [Thu, 18 Aug 2016 14:11:34 +0000 (16:11 +0200)]
child-cfg: Add setting that controls whether outbound FWD policies are installed

5 years agokernel-netlink: Update cached reqid when updating policies
Tobias Brunner [Thu, 18 Aug 2016 11:00:41 +0000 (13:00 +0200)]
kernel-netlink: Update cached reqid when updating policies

5 years agotesting: Added swanctl/net2net-multicast scenario
Andreas Steffen [Tue, 27 Sep 2016 09:45:00 +0000 (11:45 +0200)]
testing: Added swanctl/net2net-multicast scenario

5 years agotesting: Added ikev2/net2net-multicast scenario
Andreas Steffen [Wed, 13 Jul 2016 21:50:51 +0000 (23:50 +0200)]
testing: Added ikev2/net2net-multicast scenario

5 years agotravis: Use a more recent OS X image
Tobias Brunner [Fri, 23 Sep 2016 08:08:13 +0000 (10:08 +0200)]
travis: Use a more recent OS X image

Using the xcode8 image does not work currently (libcurl is not found).

5 years agoVersion bump to 5.5.1dr5 5.5.1dr5
Andreas Steffen [Thu, 22 Sep 2016 15:36:37 +0000 (17:36 +0200)]
Version bump to 5.5.1dr5

5 years agotesting: Added swanctl/net2net-sha3-rsa-cert and swanctl/rw-eap-tls-sha3-rsa scenarios
Andreas Steffen [Thu, 22 Sep 2016 12:28:36 +0000 (14:28 +0200)]
testing: Added swanctl/net2net-sha3-rsa-cert and swanctl/rw-eap-tls-sha3-rsa scenarios

5 years agogmp: Support of SHA-3 RSA signatures
Andreas Steffen [Thu, 22 Sep 2016 06:50:43 +0000 (08:50 +0200)]
gmp: Support of SHA-3 RSA signatures

5 years agobliss sampler unit-test: Fixed enumeration type
Andreas Steffen [Thu, 22 Sep 2016 08:46:39 +0000 (10:46 +0200)]
bliss sampler unit-test: Fixed enumeration type

5 years agobliss: bliss_sampler expects XOF type
Andreas Steffen [Thu, 22 Sep 2016 07:23:47 +0000 (09:23 +0200)]
bliss: bliss_sampler expects XOF type

5 years agounit-tests: MGF1 tests depend on an XOF implementation not just a hash function
Tobias Brunner [Wed, 21 Sep 2016 16:36:28 +0000 (18:36 +0200)]
unit-tests: MGF1 tests depend on an XOF implementation not just a hash function

If the mgf1 plugin was not enabled (e.g. with the default configure
options) the tests failed.

5 years agoVersion bump to 5.5.1dr4 5.5.1dr4
Andreas Steffen [Wed, 21 Sep 2016 12:14:42 +0000 (14:14 +0200)]
Version bump to 5.5.1dr4

5 years agomgf1: Refactored MGF1 as an XOF
Andreas Steffen [Tue, 20 Sep 2016 20:01:07 +0000 (22:01 +0200)]
mgf1: Refactored MGF1 as an XOF

5 years agoleak-detective: Fix compile warning due to unused variable if LD is disabled
Tobias Brunner [Tue, 20 Sep 2016 15:24:52 +0000 (17:24 +0200)]
leak-detective: Fix compile warning due to unused variable if LD is disabled

5 years agoMerge branch 'testing-leak-detective'
Tobias Brunner [Tue, 20 Sep 2016 14:26:58 +0000 (16:26 +0200)]
Merge branch 'testing-leak-detective'

Test scenarios now fail if any leaks are detected by the leak detective.
Several leaks found this way have been fixed.

5 years agoleak-detective: Whitelist thread ID getter
Tobias Brunner [Tue, 13 Sep 2016 15:28:21 +0000 (17:28 +0200)]
leak-detective: Whitelist thread ID getter

In case an external thread calls into our code and logs messages, a thread
object is allocated that will never be released.  Even if we try to clean
up the object via thread value destructor there is no guarantee that the
thread actually terminates before we check for leaks, which seems to be the
case for the Ada Tasking threads.

5 years agocharon-tkm: Build C code with debug information
Tobias Brunner [Tue, 13 Sep 2016 15:17:09 +0000 (17:17 +0200)]
charon-tkm: Build C code with debug information

5 years agoleak-detective: Whitelist functions of the Ada runtime related to Tasking
Tobias Brunner [Tue, 13 Sep 2016 14:28:01 +0000 (16:28 +0200)]
leak-detective: Whitelist functions of the Ada runtime related to Tasking

5 years agocharon-tkm: Free name of the PID file
Tobias Brunner [Tue, 13 Sep 2016 14:27:12 +0000 (16:27 +0200)]
charon-tkm: Free name of the PID file

5 years agocharon-tkm: Deinitialize tkm before libstrongswan
Tobias Brunner [Tue, 13 Sep 2016 14:24:30 +0000 (16:24 +0200)]
charon-tkm: Deinitialize tkm before libstrongswan

In particular because of leak-detective.

5 years agoleak-detective: Whitelist some glib/libsoup functions
Tobias Brunner [Tue, 13 Sep 2016 13:38:43 +0000 (15:38 +0200)]
leak-detective: Whitelist some glib/libsoup functions

Some of these are pretty broad, so maybe an alternative option is to
not use the soup plugin in the openssl-ikev2/rw-suite-b* scenarios.  But
the plugin is not tested anywhere else so lets go with this for now.

5 years agotesting: Use curl instead of soup plugin in libipsec/rw-suite-b scenario
Tobias Brunner [Tue, 13 Sep 2016 13:34:02 +0000 (15:34 +0200)]
testing: Use curl instead of soup plugin in libipsec/rw-suite-b scenario

The soup plugin is already used in the openssl-ikev2/rw-suite-b*

5 years agoeap-peap: Fix memory leaks when handling tunneled methods
Tobias Brunner [Tue, 13 Sep 2016 12:27:54 +0000 (14:27 +0200)]
eap-peap: Fix memory leaks when handling tunneled methods

5 years agoipseckey: Properly free enumerated certificates
Tobias Brunner [Tue, 13 Sep 2016 12:19:59 +0000 (14:19 +0200)]
ipseckey: Properly free enumerated certificates

5 years agoipseckey: Properly free public key after creating certificate
Tobias Brunner [Tue, 13 Sep 2016 12:15:41 +0000 (14:15 +0200)]
ipseckey: Properly free public key after creating certificate

5 years agodnscert: Properly free enumerated certificates
Tobias Brunner [Tue, 13 Sep 2016 12:13:47 +0000 (14:13 +0200)]
dnscert: Properly free enumerated certificates

5 years agounbound: Avoid unnecessary cloning of RR list that caused a memory leak
Tobias Brunner [Tue, 13 Sep 2016 12:12:49 +0000 (14:12 +0200)]
unbound: Avoid unnecessary cloning of RR list that caused a memory leak

5 years agounbound: Fix memory leak
Tobias Brunner [Tue, 13 Sep 2016 12:12:29 +0000 (14:12 +0200)]
unbound: Fix memory leak

5 years agopool: Fix (known) memory leak when querying leases
Tobias Brunner [Tue, 13 Sep 2016 10:33:27 +0000 (12:33 +0200)]
pool: Fix (known) memory leak when querying leases

5 years agoleak-detective: Whitelist leak in libldap
Tobias Brunner [Tue, 13 Sep 2016 10:27:33 +0000 (12:27 +0200)]
leak-detective: Whitelist leak in libldap

5 years agotesting: Fix totals if post test checks fail
Tobias Brunner [Tue, 13 Sep 2016 10:26:55 +0000 (12:26 +0200)]
testing: Fix totals if post test checks fail

5 years agotesting: Log leaks and fail tests if any are detected
Tobias Brunner [Tue, 13 Sep 2016 09:50:09 +0000 (11:50 +0200)]
testing: Log leaks and fail tests if any are detected

5 years agoleak-detective: Optionally write report to a log file
Tobias Brunner [Tue, 13 Sep 2016 08:06:28 +0000 (10:06 +0200)]
leak-detective: Optionally write report to a log file

5 years agovici: Fix indention of flush_certs() method in Python bindings
Tobias Brunner [Tue, 20 Sep 2016 11:26:03 +0000 (13:26 +0200)]
vici: Fix indention of flush_certs() method in Python bindings

5 years agotravis: Run 32-bit Windows build on precise (12.04) image
Tobias Brunner [Tue, 20 Sep 2016 12:30:22 +0000 (14:30 +0200)]
travis: Run 32-bit Windows build on precise (12.04) image

That's required due to a bug in MinGW 3.1.0 that's shipped with trusty.

5 years agotravis: Properly pass back result of make
Tobias Brunner [Tue, 20 Sep 2016 11:19:33 +0000 (13:19 +0200)]
travis: Properly pass back result of make

Fixes: 4e8f5a189cce ("travis: Add apidoc check")

5 years agotravis: Don't disable connmark and forecast plugins anymore
Tobias Brunner [Tue, 20 Sep 2016 09:51:59 +0000 (11:51 +0200)]
travis: Don't disable connmark and forecast plugins anymore

They build fine on Ubuntu 14.04.

5 years agoMerge branch 'maemo-bye-bye'
Tobias Brunner [Thu, 15 Sep 2016 16:35:53 +0000 (18:35 +0200)]
Merge branch 'maemo-bye-bye'

Removes the code and helper files related to the unused and unmaintained
Maemo port.