6 years agotesting: use a decent PSK
Andreas Steffen [Sat, 30 May 2015 14:56:41 +0000 (16:56 +0200)]
testing: use a decent PSK

6 years agotesting: Added ha/active-passive scenario
Andreas Steffen [Sat, 30 May 2015 14:48:17 +0000 (16:48 +0200)]
testing: Added ha/active-passive scenario

6 years agoAdded 5.3.1 caption to NEWS 5.3.1rc1
Andreas Steffen [Thu, 28 May 2015 04:26:43 +0000 (06:26 +0200)]
Added 5.3.1 caption to NEWS

6 years agoha: Document tunnel parameter
Tobias Brunner [Wed, 27 May 2015 10:59:39 +0000 (12:59 +0200)]
ha: Document tunnel parameter

6 years agoha: Skip SA for sync messages when resyncing HA segments
Tobias Brunner [Tue, 26 May 2015 13:43:46 +0000 (15:43 +0200)]
ha: Skip SA for sync messages when resyncing HA segments

6 years agoha: Move plugin initialization from constructor to plugin callback
Tobias Brunner [Tue, 26 May 2015 10:47:17 +0000 (12:47 +0200)]
ha: Move plugin initialization from constructor to plugin callback

This fixes support for the secret option, as otherwise the kernel interface
is not registered yet when the trap policy is installed.

6 years agolibtls: As client, reject DH exchanges using primes smaller than 1024 bit
Martin Willi [Wed, 20 May 2015 08:56:23 +0000 (10:56 +0200)]
libtls: As client, reject DH exchanges using primes smaller than 1024 bit

While the server signs the ephemeral DH parameters, it can be tricked to its
lowest supported DH group by a man-in-the-middle:

While we at least use 2048-bit DH groups as server, the client accepts any
DH prime the server sends. If it supports export ciphers, only a 512-bit prime
may be used.

As TLS does not define nor negotiate a DH group for cipher suites, the client
actually must accept what the server offers. To avoid downgrades to weak
DH groups, we must reject what we consider insecure. We set this limit to
1024-bit primes. While this breaks compatibility with TLS servers using weaker
primes, this is what we expect servers at least use. Most browser vendors use
the same limit in a similar fix.

6 years agoCheck for NULL installed packages enumerator
Andreas Steffen [Sun, 24 May 2015 09:15:36 +0000 (11:15 +0200)]
Check for NULL installed packages enumerator

6 years agoFixed os_info path in strongswan.conf
Andreas Steffen [Sun, 24 May 2015 09:13:51 +0000 (11:13 +0200)]
Fixed os_info path in strongswan.conf

6 years agoList attribute request entries also during build
Andreas Steffen [Sun, 24 May 2015 07:17:29 +0000 (09:17 +0200)]
List attribute request entries also during build

6 years agotesting: Include iperf and htop in base image
Tobias Brunner [Fri, 22 May 2015 11:30:10 +0000 (13:30 +0200)]
testing: Include iperf and htop in base image

6 years agostroke: Dynamically resize stroke messages
Tobias Brunner [Wed, 20 May 2015 16:21:15 +0000 (18:21 +0200)]
stroke: Dynamically resize stroke messages

The maximum size of a stroke message is currently 64k due to the 2 byte
length field.

Fixes #943.

6 years agovici: Explicitly disable --user-install when installing Ruby Gem
Tobias Brunner [Tue, 31 Mar 2015 08:51:22 +0000 (10:51 +0200)]
vici: Explicitly disable --user-install when installing Ruby Gem

Only one of `--user-install` and `--install-dir` may be set and if
`--user-install` is the default on a system installation will fail
unless we disable it explicitly.

Fixes #914.

6 years agovici: Make installation of Ruby Gem and Python Egg optional
Tobias Brunner [Thu, 21 May 2015 09:05:05 +0000 (11:05 +0200)]
vici: Make installation of Ruby Gem and Python Egg optional

Installing them might not work well when building distro packages (e.g.
with DESTDIR installs).  It might be easier to install them later with a
script in the distro package.

When building from source on the local system it could still be useful to
install the packages directly, which can be enabled with separate configure

The main problem with DESTDIR installations of the Python Egg is that
easy_install creates or modifies a file called easy-install.pth in the
installation directory.  So it's not actually possible to simply copy
the results in DESTDIR over to the actual system as that file would have
to be merged with any existing one.

Fixes #914.

6 years agovici: Support out-of-tree build of Python Egg
Tobias Brunner [Tue, 31 Mar 2015 13:40:30 +0000 (15:40 +0200)]
vici: Support out-of-tree build of Python Egg

We also don't require to exist during cleanup, as e.g. with
make distcheck the source directory is not writable when the build directory
is cleaned, so can't be created (to just get removed again anyway
if VICI and the Python Eggs haven't been enabled previously).

6 years agoikev1: When a reauth is detected explicitly delete the old IKE_SA
Tobias Brunner [Tue, 12 May 2015 14:59:20 +0000 (16:59 +0200)]
ikev1: When a reauth is detected explicitly delete the old IKE_SA

Instead of just implicitly destroying the old SA we properly delete it to
notify the other peer (if the other peer keeps the SA up after the
reauthentication and sends DPDs it might consider us dead even though the
new SA is up, that seems to be the case with racoon).  We delay the DELETE
a bit to give the other peer time to get the new SA fully established.

Since DELETE messages are not retransmitted it is still possible that
the other peer misses that we deleted the SA.

6 years agoMerge branch 'accounting-fixes'
Tobias Brunner [Thu, 21 May 2015 13:40:05 +0000 (15:40 +0200)]
Merge branch 'accounting-fixes'

This fixes the usage stats reported via RADIUS Accounting in several
corner cases (e.g. with interim updates while rekeying a CHILD_SA).

Fixes #891.

6 years agolibipsec: Insert SAs first, so latest SA with the same reqid gets used
Tobias Brunner [Fri, 27 Mar 2015 13:49:38 +0000 (14:49 +0100)]
libipsec: Insert SAs first, so latest SA with the same reqid gets used

This was useful for testing purposes of RADIUS accounting, but OS kernels
generally will use the latest SA, so we do the same.

6 years agoeap-radius: Keep track of stats for SAs migrated during IKEv1 reauthentication
Tobias Brunner [Wed, 25 Mar 2015 17:20:01 +0000 (18:20 +0100)]
eap-radius: Keep track of stats for SAs migrated during IKEv1 reauthentication

6 years agoikev1: Trigger children_migrate event if CHILD_SAs are adopted
Tobias Brunner [Wed, 25 Mar 2015 17:11:22 +0000 (18:11 +0100)]
ikev1: Trigger children_migrate event if CHILD_SAs are adopted

6 years agobus: Add new hook called when IKEv1 CHILD_SAs are migrated to a new IKE_SA
Tobias Brunner [Wed, 25 Mar 2015 17:05:57 +0000 (18:05 +0100)]
bus: Add new hook called when IKEv1 CHILD_SAs are migrated to a new IKE_SA

The interface is currently not very nice, but if we ever were able to
safely checkout multiple SAs concurrently we could add something similar
to ike_rekey() and call that when we detect a reauthentication.

6 years agoeap-radius: Remove cache entries for expired SAs during ike/child_rekey
Tobias Brunner [Wed, 25 Mar 2015 15:47:24 +0000 (16:47 +0100)]
eap-radius: Remove cache entries for expired SAs during ike/child_rekey

6 years agoeap-radius: Add cache for usage stats of expired/rekeyed SAs
Tobias Brunner [Tue, 24 Mar 2015 16:38:49 +0000 (17:38 +0100)]
eap-radius: Add cache for usage stats of expired/rekeyed SAs

There are several situations that the previous code didn't handle that
well, for example, interim updates during rekeying (until the rekeyed SA
was deleted the numbers were too high, then suddenly dropped afterwards),
or rekeying for IKEv1 in general because rekeyed IPsec SAs stay installed
until they expire (so if they were still around when the IKE_SA was
terminated, the reported numbers in the Stop message were too high).

If intermediate updates are not used the cache entries for rekeyed
CHILD_SA will accumulate, we can't clean them up as we don't get
child_updown() events for them.

6 years agolibradius: Verify message ID of RADIUS responses
Tobias Brunner [Wed, 15 Apr 2015 16:03:42 +0000 (18:03 +0200)]
libradius: Verify message ID of RADIUS responses

If we sent retransmits for a message and didn't receive a response it might
still arrive later.  Such a message will be queued on the socket.  The next
read will then return not the expected response but the one for the earlier
request.  For this message the verification will fail and the message gets
discarded.  But with the earlier code the actual response was never received.
Instead, a subsequent request resulted in the same failure and so on.

Fixes #838.

6 years agokernel-netlink: Ignore unusable routes
Tobias Brunner [Thu, 9 Apr 2015 12:43:07 +0000 (14:43 +0200)]
kernel-netlink: Ignore unusable routes

6 years agokernel-netlink: Make buffer size for received Netlink messages configurable
Tobias Brunner [Tue, 14 Apr 2015 07:56:10 +0000 (09:56 +0200)]
kernel-netlink: Make buffer size for received Netlink messages configurable

6 years agotesting: Don't check parent dir (and subdirs) when downloading OpenSSL packages
Tobias Brunner [Thu, 21 May 2015 07:32:37 +0000 (09:32 +0200)]
testing: Don't check parent dir (and subdirs) when downloading OpenSSL packages

6 years agoExempt ignored PA-TNC attributes from error handling
Andreas Steffen [Tue, 19 May 2015 20:54:00 +0000 (22:54 +0200)]
Exempt ignored PA-TNC attributes from error handling

6 years agotesting: Fix kernel download URL for kernel versions != 4.x
Tobias Brunner [Tue, 19 May 2015 14:59:35 +0000 (16:59 +0200)]
testing: Fix kernel download URL for kernel versions != 4.x

6 years agoman: Clarification of ah keyword description
Adrian-Ken Rueegsegger [Tue, 19 May 2015 11:26:28 +0000 (13:26 +0200)]
man: Clarification of ah keyword description

6 years agostarter: Ensure the daemon executable exists when starting up
Tobias Brunner [Tue, 5 May 2015 16:11:50 +0000 (18:11 +0200)]
starter: Ensure the daemon executable exists when starting up

The only purpose of starter is to control the IKE daemon, so we
terminate it if the daemon executable is not found (e.g. because
DAEMON_NAME is incorrect).

This removes the charonstart setting (it was not actually configurable

6 years agostarter: Remove START_CHARON compile flag
Tobias Brunner [Tue, 5 May 2015 15:50:27 +0000 (17:50 +0200)]
starter: Remove START_CHARON compile flag

Since the removal of pluto this is quite superfluous. The flag itself
might be useful to avoid starting charon if the executable does not
exist for some reason (e.g. if DAEMON_NAME is incorrect).

6 years agocharon-nm: Disable leak-detective in charon-nm
Tobias Brunner [Tue, 5 May 2015 15:52:34 +0000 (17:52 +0200)]
charon-nm: Disable leak-detective in charon-nm

It segfaults immediately if it is enabled, at least on Ubuntu 14.04.

6 years agotesting: Fix URL to TNC@FHH project in scenario descriptions
Tobias Brunner [Tue, 5 May 2015 09:48:13 +0000 (11:48 +0200)]
testing: Fix URL to TNC@FHH project in scenario descriptions

6 years agotesting: Update TKM assert strings
Reto Buerki [Tue, 5 May 2015 08:08:35 +0000 (10:08 +0200)]
testing: Update TKM assert strings

6 years agotesting: Update alog to version 0.3.1
Reto Buerki [Tue, 5 May 2015 07:29:21 +0000 (09:29 +0200)]
testing: Update alog to version 0.3.1

6 years agotesting: Update tkm to version 0.1.2
Reto Buerki [Tue, 5 May 2015 07:27:37 +0000 (09:27 +0200)]
testing: Update tkm to version 0.1.2

6 years agotesting: Update tkm-rpc to version 0.2
Reto Buerki [Tue, 5 May 2015 07:26:57 +0000 (09:26 +0200)]
testing: Update tkm-rpc to version 0.2

6 years agochild-create: Destroy nonceg in migrate()
Tobias Brunner [Tue, 5 May 2015 07:51:19 +0000 (09:51 +0200)]
child-create: Destroy nonceg in migrate()

Since another nonce gets allocated later (if any was allocated already)
this would have resulted in a leaked nonce context ID when used in charon-tkm.

6 years agochild-create: Fix error handling if nonceg can't be created
Tobias Brunner [Tue, 5 May 2015 07:49:45 +0000 (09:49 +0200)]
child-create: Fix error handling if nonceg can't be created

As with ike-init we can't return NULL in the task constructor.

6 years agoike-init: Fix error handling if nonceg can't be created
Tobias Brunner [Tue, 5 May 2015 07:39:11 +0000 (09:39 +0200)]
ike-init: Fix error handling if nonceg can't be created

Returning FAILED in the constructor is wrong, but returning NULL doesn't work
either as it's currently assumed tasks always can be created.
Therefore, delay this check until we actually try to allocate a nonce.

6 years agoike-init: Fix compiler warning
Tobias Brunner [Tue, 5 May 2015 07:37:42 +0000 (09:37 +0200)]
ike-init: Fix compiler warning

6 years agoswanctl: Fix --uri option
Martin Willi [Tue, 5 May 2015 08:37:34 +0000 (10:37 +0200)]
swanctl: Fix --uri option

As we now pass the vici connection to the command dispatcher callback, we can't
parse the --uri option to create the connection from the same callback. Instead
pre-process the common command options in a separate loop, and ignore the same
options while processing the actual command.

6 years agoMerge branch 'tkm-fixes'
Tobias Brunner [Mon, 4 May 2015 16:19:13 +0000 (18:19 +0200)]
Merge branch 'tkm-fixes'

This fixes several issues with charon-tkm (e.g. nonce context ID leaks during
rekey collisions).

6 years agocharon-tkm: Also store local SPI in SAD
Adrian-Ken Rueegsegger [Tue, 21 Apr 2015 14:34:06 +0000 (16:34 +0200)]
charon-tkm: Also store local SPI in SAD

6 years agoike-init: Make nonceg a member of ike_init struct
Reto Buerki [Thu, 23 Apr 2015 09:19:24 +0000 (11:19 +0200)]
ike-init: Make nonceg a member of ike_init struct

This allows to control the life-cycle of a nonce in the context of the
ike init task. In the TKM use-case the nonce generator cannot be
destroyed before the ike init task is finalized, otherwise the created
nonce is detected as stale.

6 years agochild-create: Make nonceg a member of child_create struct
Reto Buerki [Thu, 23 Apr 2015 06:46:18 +0000 (08:46 +0200)]
child-create: Make nonceg a member of child_create struct

This allows to control the life-cycle of a nonce in the context of the
child create task. In the TKM use-case, it is required to reset the
nonce context if the created nonce is not consumed. This happens if the
child SA negotiation fails and it is detected before the SA is
established via the TKM kernel plugin (i.e. rekey collision).

6 years agocharon-tkm: Reset stale nonce contexts
Reto Buerki [Thu, 23 Apr 2015 07:41:12 +0000 (09:41 +0200)]
charon-tkm: Reset stale nonce contexts

If the nonce generator detects a stale nonce upon destroy(), it resets
the context in the TKM and releases associated resources in the ID
manager and chunk map.

Also, do not acquire the nonce context ID in tkm_nonceg_create function
but rather when the nonce is actually created by get_nonce().

The nonces created with get_nonce must also be registered in the chunk map.

6 years agocharon-tkm: Drop unneeded nonceg get_id function
Reto Buerki [Thu, 23 Apr 2015 08:06:49 +0000 (10:06 +0200)]
charon-tkm: Drop unneeded nonceg get_id function

6 years agocharon-tkm: Remove ESA nonce mappings from chunk map
Adrian-Ken Rueegsegger [Wed, 22 Apr 2015 14:37:23 +0000 (16:37 +0200)]
charon-tkm: Remove ESA nonce mappings from chunk map

6 years agocharon-tkm: Drop obsolete TKM_LIMIT define
Reto Buerki [Wed, 22 Apr 2015 13:52:43 +0000 (15:52 +0200)]
charon-tkm: Drop obsolete TKM_LIMIT define

6 years agocharon-tkm: Select other ESA if any is present upon deletion
Adrian-Ken Rueegsegger [Wed, 8 Apr 2015 16:56:23 +0000 (18:56 +0200)]
charon-tkm: Select other ESA if any is present upon deletion

In the case that multiple ESAs exist (e.g. rekey collision) for a
security policy, make sure to select one of the remaining ESAs.

6 years agocharon-tkm: Add get_other_esa_id function to TKM kernel SAD
Adrian-Ken Rueegsegger [Wed, 8 Apr 2015 16:54:54 +0000 (18:54 +0200)]
charon-tkm: Add get_other_esa_id function to TKM kernel SAD

The function gets the ESA id for another entry associated with the same
security policy as the specified ESA.

6 years agocharon-tkm: Only skip creation of first child SA
Adrian-Ken Rueegsegger [Wed, 8 Apr 2015 16:11:20 +0000 (18:11 +0200)]
charon-tkm: Only skip creation of first child SA

Use the new is_first boolean parameter of the
ALERT_KEEP_ON_CHILD_SA_FAILURE alert to determine if the failure was
caused by the first CHILD SA.

6 years agoAdd bool param to ALERT_KEEP_ON_CHILD_SA_FAILURE alert
Adrian-Ken Rueegsegger [Wed, 8 Apr 2015 16:06:51 +0000 (18:06 +0200)]
Add bool param to ALERT_KEEP_ON_CHILD_SA_FAILURE alert

The parameter indicates if the alert is raised upon failure to establish
the first CHILD SA of an IKE SA.

6 years agocharon-tkm: Fix SAD insertion when adding ESA
Adrian-Ken Rueegsegger [Wed, 8 Apr 2015 17:52:44 +0000 (19:52 +0200)]
charon-tkm: Fix SAD insertion when adding ESA

Commit f5fc592 added the reqid to the SAD. The insert call swapped the
order of the esa_id and reqid parameters.

6 years agovici: Default to certificate subject for identity
Timo Teräs [Wed, 29 Apr 2015 15:13:19 +0000 (18:13 +0300)]
vici: Default to certificate subject for identity

If id is not specified and certificate authentication is used, use the
certificate subject name as identity. Simplifies configuration as in most cases
this is the right thing to do.

Signed-off-by: Timo Teräs <>
6 years agoswanctl: Implement monitoring of IKE_SA and CHILD_SA changes
Timo Teräs [Wed, 29 Apr 2015 15:13:18 +0000 (18:13 +0300)]
swanctl: Implement monitoring of IKE_SA and CHILD_SA changes

Signed-off-by: Timo Teräs <>
6 years agovici: Add support for ike_sa and child_sa updown notifications
Timo Teräs [Wed, 29 Apr 2015 15:13:17 +0000 (18:13 +0300)]
vici: Add support for ike_sa and child_sa updown notifications

Useful for monitoring and management purposes.

Signed-off-by: Timo Teräs <>
6 years agovici: Add function to test if an event should be generated
Timo Teräs [Wed, 29 Apr 2015 15:13:16 +0000 (18:13 +0300)]
vici: Add function to test if an event should be generated

Useful to avoid generating vici messages if they are not needed and their
generation is heavy operation.

Signed-off-by: Timo Teräs <>
6 years agoswanctl: Add missing unit in install-time log
Romain Francoise [Sat, 2 May 2015 19:10:56 +0000 (21:10 +0200)]
swanctl: Add missing unit in install-time log

6 years agoinit: Don't build/install legacy systemd service if charon isn't built
Romain Francoise [Fri, 1 May 2015 20:24:38 +0000 (22:24 +0200)]
init: Don't build/install legacy systemd service if charon isn't built

If the user configures the build to only include charon-systemd the
"legacy" systemd service isn't useful, so skip its generation and

6 years agocrypt-burn: free() associated data after test
Martin Willi [Mon, 4 May 2015 11:24:33 +0000 (13:24 +0200)]
crypt-burn: free() associated data after test

6 years agotesting: Updated carol's certificate from research CA and dave's certificate from... 5.3.1dr1
Andreas Steffen [Sun, 26 Apr 2015 14:52:06 +0000 (16:52 +0200)]
testing: Updated carol's certificate from research CA and dave's certificate from sales CA

6 years agotesting: Wait for DH crypto tests to complete
Andreas Steffen [Sun, 26 Apr 2015 09:51:49 +0000 (11:51 +0200)]
testing: Wait for DH crypto tests to complete

6 years agoimv_policy_manager: Added capability to execute an allow or block shell command string
Andreas Steffen [Sun, 26 Apr 2015 08:55:24 +0000 (10:55 +0200)]
imv_policy_manager: Added capability to execute an allow or block shell command string

6 years agotesting: Migration of KVM framework to Linux 4.x kernel
Andreas Steffen [Sat, 25 Apr 2015 16:05:00 +0000 (18:05 +0200)]
testing: Migration of KVM framework to Linux 4.x kernel

6 years agoVersion bump to 5.3.1dr1
Andreas Steffen [Fri, 24 Apr 2015 09:35:42 +0000 (11:35 +0200)]
Version bump to 5.3.1dr1

6 years agoFixed PB-TNC directionality debug message
Andreas Steffen [Fri, 24 Apr 2015 09:16:16 +0000 (11:16 +0200)]
Fixed PB-TNC directionality debug message

6 years agoike-vendor: Add some Microsoft vendor IDs
Tobias Brunner [Tue, 21 Apr 2015 13:29:46 +0000 (15:29 +0200)]
ike-vendor: Add some Microsoft vendor IDs

6 years agoapidoc: Fix rebuild in out-of-tree builds
Tobias Brunner [Mon, 20 Apr 2015 15:40:52 +0000 (17:40 +0200)]
apidoc: Fix rebuild in out-of-tree builds

6 years agoleak-detective: Use passed callback to report leaks
Tobias Brunner [Mon, 20 Apr 2015 09:19:52 +0000 (11:19 +0200)]
leak-detective: Use passed callback to report leaks

This prevented `stroke memusage` from reporting the leaks on the
console.  Instead, they were sent to the callbacks set up by libstrongswan.

Fixes a426851f6362 ("leak-detective: Use callback functions to report
leaks and usage information").

6 years agoopenssl: Don't refer to EVP_des_ecb() if OpenSSL is built without DES support
Tobias Brunner [Fri, 17 Apr 2015 15:34:22 +0000 (17:34 +0200)]
openssl: Don't refer to EVP_des_ecb() if OpenSSL is built without DES support

While DES-ECB is not registered by the plugin in this case (so the
function will never actually be called), the compiler still warns
about the implicitly declared function.

6 years agoapidoc: Fix make target dependency find precedence
Martin Willi [Thu, 16 Apr 2015 15:10:42 +0000 (17:10 +0200)]
apidoc: Fix make target dependency find precedence

6 years agoMerge branch 'utils-split'
Martin Willi [Thu, 16 Apr 2015 14:50:27 +0000 (16:50 +0200)]
Merge branch 'utils-split'

Split up the almighty utils.[ch] to separate files in the utils/utils subfolder.
These are not meant to include manually, but bring back some order to all
this functionality included through utils.h.

Additionally give some love to apidoc generation.

6 years agoapidoc: Conditionally run doxygen if any header/Markdown files have changed
Martin Willi [Thu, 16 Apr 2015 12:37:16 +0000 (14:37 +0200)]
apidoc: Conditionally run doxygen if any header/Markdown files have changed

6 years agoapidoc: Set QUIET to YES, suppressing any parsing/generating status output
Martin Willi [Thu, 16 Apr 2015 11:19:59 +0000 (13:19 +0200)]
apidoc: Set QUIET to YES, suppressing any parsing/generating status output

As WARNING messages still get printed, this makes spotting any warnings much

6 years agoapidoc: Enable documentation of static functions
Martin Willi [Thu, 16 Apr 2015 11:14:06 +0000 (13:14 +0200)]
apidoc: Enable documentation of static functions

As we scan for header files only, this does not affect any local functions,
but documents any static inlines we define in header files.

6 years agostrerror: Move to its own Doxygen subgroup
Martin Willi [Wed, 15 Apr 2015 15:06:57 +0000 (17:06 +0200)]
strerror: Move to its own Doxygen subgroup

6 years agoutils: Clean up includes
Martin Willi [Wed, 15 Apr 2015 15:03:47 +0000 (17:03 +0200)]
utils: Clean up includes

6 years agoalign: Move min/max/padding/alignment functions to separate files
Martin Willi [Wed, 15 Apr 2015 14:59:25 +0000 (16:59 +0200)]
align: Move min/max/padding/alignment functions to separate files

6 years agotime: Move time related functions to separate files
Martin Willi [Wed, 15 Apr 2015 14:52:19 +0000 (16:52 +0200)]
time: Move time related functions to separate files

6 years agoobject: Move OO programming helper macros to a separate header file
Martin Willi [Wed, 15 Apr 2015 14:38:33 +0000 (16:38 +0200)]
object: Move OO programming helper macros to a separate header file

6 years agostatus: Move status_t type and functions to separate files
Martin Willi [Wed, 15 Apr 2015 14:34:23 +0000 (16:34 +0200)]
status: Move status_t type and functions to separate files

6 years agopath: Move path related utility functions to separate files
Martin Willi [Wed, 15 Apr 2015 14:29:18 +0000 (16:29 +0200)]
path: Move path related utility functions to separate files

6 years agotty: Move tty related functions to separate files
Martin Willi [Wed, 15 Apr 2015 14:20:29 +0000 (16:20 +0200)]
tty: Move tty related functions to separate files

6 years agomemory: Move memory manipulation related functions to separate files
Martin Willi [Wed, 15 Apr 2015 14:15:32 +0000 (16:15 +0200)]
memory: Move memory manipulation related functions to separate files

6 years agostring: Move string related utility functions to separate files
Martin Willi [Wed, 15 Apr 2015 14:05:54 +0000 (16:05 +0200)]
string: Move string related utility functions to separate files

6 years agobyteorder: Move byte order related functions to separate header file
Martin Willi [Wed, 15 Apr 2015 13:58:32 +0000 (15:58 +0200)]
byteorder: Move byte order related functions to separate header file

6 years agotypes: Use generic type definitions to separate header file
Martin Willi [Wed, 15 Apr 2015 13:55:33 +0000 (15:55 +0200)]
types: Use generic type definitions to separate header file

6 years agoatomics: Move atomics/recounting support to separate files
Martin Willi [Wed, 15 Apr 2015 13:48:17 +0000 (15:48 +0200)]
atomics: Move atomics/recounting support to separate files

6 years agounit-tests: Further increase the test vector testing timeout
Martin Willi [Thu, 16 Apr 2015 08:15:13 +0000 (10:15 +0200)]
unit-tests: Further increase the test vector testing timeout

Some build bots running make check seem to have longer for the DH testing.

6 years agotest-vectors: Define test vector symbols as extern
Martin Willi [Thu, 16 Apr 2015 07:38:14 +0000 (09:38 +0200)]
test-vectors: Define test vector symbols as extern

We don't actually define a vector, but only prototype the test vector
implemented in a different file. GCC uses the correct symbol during testing,
but clang correctly complains about duplicated symbols during linking.

6 years agoFix years in some copyright statements
Tobias Brunner [Thu, 16 Apr 2015 07:21:00 +0000 (09:21 +0200)]
Fix years in some copyright statements

6 years agoaesni: Fix doxygen groups
Martin Willi [Wed, 15 Apr 2015 15:29:56 +0000 (17:29 +0200)]
aesni: Fix doxygen groups

6 years agoMerge branch 'dh-test-vectors'
Martin Willi [Wed, 15 Apr 2015 12:44:33 +0000 (14:44 +0200)]
Merge branch 'dh-test-vectors'

Add a Diffie-Hellman backend test method, a set of test vectors and implement
testing of the gmp, openssl and gcrypt DH backend.

6 years agokernel-netlink: Don't mangle verbosity during test initialization
Martin Willi [Tue, 14 Apr 2015 07:34:09 +0000 (09:34 +0200)]
kernel-netlink: Don't mangle verbosity during test initialization

We now properly manage thread verbosity in the test framework, and don't need
to silence thread spawning messages.

6 years agounit-tests: Set test verbosity just after test suite loading
Martin Willi [Tue, 14 Apr 2015 07:26:17 +0000 (09:26 +0200)]
unit-tests: Set test verbosity just after test suite loading

We see any plugin startup messages during suite configuration, where
initialization is called once to query plugin features. No need to be verbose
and show these messages once again in the first test.

6 years agocrypto-factory: Remove obsolete transform testing functions
Martin Willi [Mon, 13 Apr 2015 16:25:27 +0000 (18:25 +0200)]
crypto-factory: Remove obsolete transform testing functions

6 years agounit-tests: Use progressive testing of transforms with test vectors
Martin Willi [Mon, 13 Apr 2015 16:23:58 +0000 (18:23 +0200)]
unit-tests: Use progressive testing of transforms with test vectors

This allows us to show which transform from which plugin failed. Also, we use
the new cleanup handler functionality that allows proper deinitialization on
failure or timeout.