strongswan.git
6 years ago  unit-tests: Add test suite for streams and services
Martin Willi [Wed, 16 Oct 2013 13:51:12 +0000 (15:51 +0200)]
unit-tests: Add test suite for streams and services

6 years ago  unit-tests: Add a few test cases for watcher
Martin Willi [Wed, 16 Oct 2013 11:45:48 +0000 (13:45 +0200)]
unit-tests: Add a few test cases for watcher

6 years ago  unit-tests: Support testing multi-threaded code
Martin Willi [Wed, 16 Oct 2013 13:49:58 +0000 (15:49 +0200)]
unit-tests: Support testing multi-threaded code

6 years ago  unit-tests: Use a home-brew thread barrier to remove pthread dependency
Martin Willi [Mon, 21 Oct 2013 09:38:29 +0000 (11:38 +0200)]
unit-tests: Use a home-brew thread barrier to remove pthread dependency

6 years ago  unit-tests: Show how many test vectors have failed on test failure
Martin Willi [Tue, 5 Nov 2013 09:13:36 +0000 (10:13 +0100)]
unit-tests: Show how many test vectors have failed on test failure

6 years ago  unit-tests: Skip fmemopen() based printf() tests if not available
Martin Willi [Tue, 15 Oct 2013 16:15:29 +0000 (18:15 +0200)]
unit-tests: Skip fmemopen() based printf() tests if not available

6 years ago  unit-tests: Avoid name clash with clone() from <sched.h>
Martin Willi [Tue, 22 Oct 2013 16:21:01 +0000 (18:21 +0200)]
unit-tests: Avoid name clash with clone() from <sched.h>

6 years ago  unit-tests: Fix a compiler warning in identification tests
Martin Willi [Tue, 15 Oct 2013 13:15:45 +0000 (15:15 +0200)]
unit-tests: Fix a compiler warning in identification tests

6 years ago  unit-tests: Clean up memory in new asn1 unit tests
Martin Willi [Mon, 4 Nov 2013 11:13:08 +0000 (12:13 +0100)]
unit-tests: Clean up memory in new asn1 unit tests

Test runner checks for leaks when leak detective is enabled.

6 years ago  unit-tests: Pass linked_list->invoke* varargs as uintptr_t
Martin Willi [Thu, 17 Oct 2013 15:05:38 +0000 (17:05 +0200)]
unit-tests: Pass linked_list->invoke* varargs as uintptr_t

Passing integers of unspecified length may result in passing an integer shorter
than uintptr_t. When reading them back, we might get more data than passed,
resulting in a failure.
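
The varargs width rule in the commit above, as an added example that is not strongSwan's own code: a list invoker in the style of linked_list->invoke_function() hands every callback a va_copy of the caller's extra arguments, and the callback reads its integer argument back as uintptr_t, so the caller must cast to uintptr_t at the call site. The node_t, list_invoke, scale_and_sum and sum_scaled names and the three-item list are illustrative.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>

/* Singly linked list node; illustrative, not strongSwan's linked_list_t. */
typedef struct node_t {
    int value;
    struct node_t *next;
} node_t;

/* Callback invoked per item; it consumes the caller's extra arguments. */
typedef void (*invoke_fn)(node_t *item, va_list args);

/* Call fn on every item, giving each call its own copy of the varargs so
 * one callback's va_arg() reads do not disturb the next callback's. */
static void list_invoke(node_t *head, invoke_fn fn, ...)
{
    va_list args, copy;

    va_start(args, fn);
    for (node_t *n = head; n != NULL; n = n->next)
    {
        va_copy(copy, args);
        fn(n, copy);
        va_end(copy);
    }
    va_end(args);
}

/* Scale the item value and add it to an accumulator. The factor is read back
 * as uintptr_t, so the caller must also pass it as uintptr_t: an int passed
 * through "..." keeps int width only, and reading a wider type back from it
 * is undefined behaviour that can pick up stale bytes beyond the int. */
static void scale_and_sum(node_t *item, va_list args)
{
    uintptr_t factor = va_arg(args, uintptr_t);
    long *acc = va_arg(args, long *);

    *acc += (long)item->value * (long)factor;
}

/* Sum of (1 + 2 + 3) * factor over a constructed three-item list;
 * factor is expected to be non-negative. */
long sum_scaled(int factor)
{
    node_t c = { 3, NULL };
    node_t b = { 2, &c };
    node_t a = { 1, &b };
    long acc = 0;

    /* Correct: cast at the call site, matching the va_arg() type. */
    list_invoke(&a, scale_and_sum, (uintptr_t)factor, &acc);
    return acc;
}
```

The cast at the call site is the whole fix: the callee cannot detect a narrower argument, because va_arg() has no width information beyond the type it is told to read.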

6 years ago  unit-tests: Initialize backtracing before printing any backtraces
Martin Willi [Wed, 16 Oct 2013 10:24:21 +0000 (12:24 +0200)]
unit-tests: Initialize backtracing before printing any backtraces

6 years ago  thread: Note that thread_cancellation_point temporarily activates cancelability
Martin Willi [Wed, 23 Oct 2013 13:50:17 +0000 (15:50 +0200)]
thread: Note that thread_cancellation_point temporarily activates cancelability

6 years ago  backtrace: Support backtracing even if library is not initialized
Martin Willi [Wed, 16 Oct 2013 10:32:15 +0000 (12:32 +0200)]
backtrace: Support backtracing even if library is not initialized

But of course backtracing must be initialized anyway using backtrace_init().

6 years ago  unit-tests: Enable libstrongswan tests even if --enable-unit-tests not set
Martin Willi [Mon, 4 Nov 2013 10:26:33 +0000 (11:26 +0100)]
unit-tests: Enable libstrongswan tests even if --enable-unit-tests not set

As we don't depend on the check framework anymore, we can enable the unit tests
by default. These are built/executed with "make check" only, so it makes no
sense to disable them.

6 years ago  automake: Don't use parallel test harness being the default with automake 1.13
Martin Willi [Mon, 4 Nov 2013 10:59:11 +0000 (11:59 +0100)]
automake: Don't use parallel test harness being the default with automake 1.13

We have no need for the parallel test harness, and we prefer to have the output
of make check on the console.

6 years ago  unit-tests: Implement testing framework without "check"
Martin Willi [Mon, 14 Oct 2013 18:29:06 +0000 (20:29 +0200)]
unit-tests: Implement testing framework without "check"

6 years ago  leak-detective: Call {gm,local}time_r() to allocate static buffer
Martin Willi [Wed, 6 Nov 2013 09:10:49 +0000 (10:10 +0100)]
leak-detective: Call {gm,local}time_r() to allocate static buffer

On OS X Mavericks, these functions use a static allocation and are hard
to whitelist using other means.

6 years ago  leak-detective: Register OS X specific hooks just once
Martin Willi [Wed, 6 Nov 2013 09:09:04 +0000 (10:09 +0100)]
leak-detective: Register OS X specific hooks just once

If we initialize libstrongswan more than once in the same process, we may
not register the hooks twice.

6 years ago  leak-detective: Reset leak list during cleanup
Martin Willi [Wed, 16 Oct 2013 09:16:41 +0000 (11:16 +0200)]
leak-detective: Reset leak list during cleanup

This resets leak detective state should it get created/destroyed more than once.

6 years ago  leak-detective: Use callback functions to report leaks and usage information
Martin Willi [Wed, 16 Oct 2013 08:37:38 +0000 (10:37 +0200)]
leak-detective: Use callback functions to report leaks and usage information

This is more flexible than printing reports to a FILE.

6 years ago  unit-tests: Move test suites to its own subfolder
Martin Willi [Mon, 14 Oct 2013 14:44:27 +0000 (16:44 +0200)]
unit-tests: Move test suites to its own subfolder

6 years ago  ikev2: Properly free DH secret in case of errors during IKE key derivation
Tobias Brunner [Wed, 6 Nov 2013 09:20:48 +0000 (10:20 +0100)]
ikev2: Properly free DH secret in case of errors during IKE key derivation

Fixes #437.

6 years ago  unit-tests: completed asn1_suite
Andreas Steffen [Mon, 4 Nov 2013 17:35:25 +0000 (18:35 +0100)]
unit-tests: completed asn1_suite

6 years ago  Updated test_runner.h with new suites
Andreas Steffen [Sun, 3 Nov 2013 20:34:42 +0000 (21:34 +0100)]
Updated test_runner.h with new suites

6 years ago  unit-tests: 100% function coverage for asn1.c
Andreas Steffen [Sun, 3 Nov 2013 16:40:51 +0000 (17:40 +0100)]
unit-tests: 100% function coverage for asn1.c

6 years ago  unit-tests: 12 asn1 functions tested
Andreas Steffen [Sat, 2 Nov 2013 20:20:04 +0000 (21:20 +0100)]
unit-tests: 12 asn1 functions tested

6 years ago  Some minor refactoring in asn1.c
Andreas Steffen [Sat, 2 Nov 2013 20:17:46 +0000 (21:17 +0100)]
Some minor refactoring in asn1.c

6 years ago  Do not free zero-length integer
Andreas Steffen [Sat, 2 Nov 2013 01:11:32 +0000 (02:11 +0100)]
Do not free zero-length integer

6 years ago  unit-tests: Added tests for pen_type_t
Andreas Steffen [Fri, 1 Nov 2013 21:29:29 +0000 (22:29 +0100)]
unit-tests: Added tests for pen_type_t

6 years ago  Added IFOM_CAPABILITY notify message type
Andreas Steffen [Fri, 1 Nov 2013 13:07:11 +0000 (14:07 +0100)]
Added IFOM_CAPABILITY notify message type

6 years ago  Updated copyright statement
Andreas Steffen [Fri, 1 Nov 2013 12:46:58 +0000 (13:46 +0100)]
Updated copyright statement

6 years ago  charon-xpc: Set AUTH_RULE_IDENTITY_LOOSE on responder config
Martin Willi [Fri, 1 Nov 2013 11:05:48 +0000 (12:05 +0100)]
charon-xpc: Set AUTH_RULE_IDENTITY_LOOSE on responder config

This allows the server to use a different IKE identity as long as the
configured hostname is contained in the certificate.

6 years ago  ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
Martin Willi [Fri, 1 Nov 2013 10:28:53 +0000 (11:28 +0100)]
ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying

Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
is perfectly valid. For short(er) DPD delays, this leads to the situation where
we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
Avoid that DPD by resetting the INBOUND timestamp during set_state().

6 years ago  Added security info on CVE-2013-6075 and CVE-2013-6076  (tag: 5.1.1)
Andreas Steffen [Thu, 31 Oct 2013 21:11:11 +0000 (22:11 +0100)]
Added security info on CVE-2013-6075 and CVE-2013-6076

6 years ago  ikev1: Properly initialize list of fragments in case fragment ID is 0
Volker Rümelin [Fri, 11 Oct 2013 07:38:24 +0000 (09:38 +0200)]
ikev1: Properly initialize list of fragments in case fragment ID is 0

Fixes CVE-2013-6076.

6 years ago  identification: Properly check length before comparing for binary DN equality
Martin Willi [Mon, 7 Oct 2013 12:21:57 +0000 (14:21 +0200)]
identification: Properly check length before comparing for binary DN equality

Fixes CVE-2013-6075.

6 years ago  unit-tests: Additionally do reverse match checking with empty identities
Martin Willi [Tue, 8 Oct 2013 13:43:50 +0000 (15:43 +0200)]
unit-tests: Additionally do reverse match checking with empty identities

6 years ago  unit-tests: Test matching against some empty data identities
Martin Willi [Tue, 8 Oct 2013 12:49:45 +0000 (14:49 +0200)]
unit-tests: Test matching against some empty data identities

6 years ago  unit-tests: Test for equality against some empty data identities
Martin Willi [Tue, 8 Oct 2013 12:34:41 +0000 (14:34 +0200)]
unit-tests: Test for equality against some empty data identities

6 years ago  unit-tests: Let identity equality test fail if a->equals(b) != b->equals(a)
Martin Willi [Tue, 8 Oct 2013 12:33:12 +0000 (14:33 +0200)]
unit-tests: Let identity equality test fail if a->equals(b) != b->equals(a)
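
The bug class behind the CVE-2013-6075 commit ("Properly check length before comparing for binary DN equality") and the properties the identity unit tests above check (equality with empty identities, and a->equals(b) == b->equals(a)), as an added example. This is not strongSwan's identification code and does not reproduce the pre-fix function; blob_t, the dn_* functions and the constructed DER encoding of CN=alice are illustrative. The unchecked variant is kept only to show the shape of the mistake: with operands of different length it reads past the shorter one, so it is never to be called that way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Length-prefixed binary blob, the same shape as strongSwan's chunk_t. */
typedef struct {
    const unsigned char *ptr;
    size_t len;
} blob_t;

/* Unsafe pattern: no length check, so the first operand's length drives
 * memcmp() and a shorter second operand is read past its end. Shown as the
 * "before" shape of the bug class only; do not call with differing lengths. */
bool dn_equals_unchecked(blob_t a, blob_t b)
{
    return memcmp(a.ptr, b.ptr, a.len) == 0;
}

/* Hardened comparison: lengths first, then bytes. The empty case is handled
 * explicitly so that a NULL ptr is never handed to memcmp(). */
bool dn_equals(blob_t a, blob_t b)
{
    if (a.len != b.len)
    {
        return false;
    }
    if (a.len == 0)
    {
        return true;    /* two empty identities are equal */
    }
    return memcmp(a.ptr, b.ptr, a.len) == 0;
}

/* Equality must be symmetric, which is what the reversed unit tests assert. */
bool dn_equals_symmetric(blob_t a, blob_t b)
{
    return dn_equals(a, b) == dn_equals(b, a);
}

/* Constructed sample: DER of the DN "CN=alice"
 * SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String "alice" } } } */
static const unsigned char cn_alice[] = {
    0x30, 0x10, 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x04, 0x03,
    0x0c, 0x05, 'a', 'l', 'i', 'c', 'e'
};

blob_t dn_alice(void)
{
    blob_t b = { cn_alice, sizeof(cn_alice) };
    return b;
}

/* Same bytes, one shorter: an unchecked memcmp() over the full length would
 * compare one byte beyond this operand. */
blob_t dn_alice_truncated(void)
{
    blob_t b = { cn_alice, sizeof(cn_alice) - 1 };
    return b;
}

blob_t dn_empty(void)
{
    blob_t b = { NULL, 0 };
    return b;
}
```

The length comparison must come before the byte comparison, not after it: once memcmp() has run over the longer length, the out-of-bounds read has already happened.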

6 years ago  PB-TNC PDP_REFERRAL message doesn't have to be in RESULT batch
Andreas Steffen [Thu, 31 Oct 2013 11:01:47 +0000 (12:01 +0100)]
PB-TNC PDP_REFERRAL message doesn't have to be in RESULT batch

6 years ago  Version bump to 5.1.1
Andreas Steffen [Thu, 31 Oct 2013 08:42:15 +0000 (09:42 +0100)]
Version bump to 5.1.1

6 years ago  Added test-driver to .gitignore
Andreas Steffen [Wed, 30 Oct 2013 19:47:44 +0000 (20:47 +0100)]
Added test-driver to .gitignore

6 years ago  Encrypt carol's PKCS#8 private key in openssl-ikev2/rw-suite-b-128|192 scenarios
Andreas Steffen [Wed, 30 Oct 2013 19:46:32 +0000 (20:46 +0100)]
Encrypt carol's PKCS#8 private key in openssl-ikev2/rw-suite-b-128|192 scenarios

6 years ago  updown: fix segfault when interface name can't be resolved
Ansis Atteka [Wed, 30 Oct 2013 02:48:51 +0000 (19:48 -0700)]
updown: fix segfault when interface name can't be resolved

The child_updown() function sets up environment variables to the updown
script. Sometimes call to hydra->kernel_interface->get_interface() could
fail and iface variable could be left uninitialized. This patch fixes
this issue by passing "unknown" as interface name.

Here is the stacktrace:

0  0x00007fa90791f445 in raise () from /lib/x86_64-linux-gnu/libc.so.6
1  0x00007fa907922bab in abort () from /lib/x86_64-linux-gnu/libc.so.6
2  0x0000000000401ed7 in segv_handler (signal=11) at charon.c:183
3  <signal handler called>
4  0x00007fa90793221f in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
5  0x00007fa9079f0580 in __vsnprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6
6  0x00007fa9079f04c8 in __snprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6
7  0x00007fa8f9b95b86 in snprintf (
    __fmt=0x7fa8f9b961b8 "2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='%s%s%s' PLUTO_CONNECTION='%s' PLUTO_INTERFACE='%s' PLUTO_REQID='%u' PLUTO_ME='%H' PLUTO_MY_ID='%Y' PLUTO_MY_CLIENT='%H/%u' PLUTO_MY_PORT='%u' PLUTO_MY_PROTOCOL='%u"..., __n=1024, __s=0x7fa8f7923440 "2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-host' PLUTO_CONNECTION='remote-40.0.0.40' PLUTO_INTERFACE='\367\250\177")
    at /usr/include/x86_64-linux-gnu/bits/stdio2.h:65
8  child_updown (this=0x8486b0, ike_sa=0x7fa8e4005f80, child_sa=0x7fa8d4008290, up=true) at updown_listener.c:308
9  0x00007fa907ecc11c in ?? () from /usr/lib/strongswan/libcharon.so.0
10 0x00007fa907ef89bf in ?? () from /usr/lib/strongswan/libcharon.so.0
11 0x00007fa907ef2fc8 in ?? () from /usr/lib/strongswan/libcharon.so.0
12 0x00007fa907ee84ff in ?? () from /usr/lib/strongswan/libcharon.so.0
13 0x00007fa907ee3067 in ?? () from /usr/lib/strongswan/libcharon.so.0
14 0x00007fa90835e8fb in ?? () from /usr/lib/strongswan/libstrongswan.so.0
15 0x00007fa908360d30 in ?? () from /usr/lib/strongswan/libstrongswan.so.0
16 0x00007fa907cade9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
17 0x00007fa9079db4bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
18 0x0000000000000000 in ?? ()

Signed-Off-By: Ansis Atteka <aatteka@nicira.com>

6 years ago  debian: build debug symbol package
Ansis Atteka [Fri, 25 Oct 2013 22:42:10 +0000 (15:42 -0700)]
debian: build debug symbol package

Before this patch all debug symbols were stripped off and simply
discarded.  GDB without debug symbols is barely usable, but at
the same time distributing binaries with debug symbols would
drastically increase strongswan/libstrongswan package size.

Instead of discarding debug symbols, it would be better to strip
them off into a dedicated debian package.  So that, if needed, one
could still install them and use GDB.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

6 years ago  ipsec: Updated ipsec(8)
Tobias Brunner [Tue, 29 Oct 2013 16:19:57 +0000 (17:19 +0100)]
ipsec: Updated ipsec(8)

6 years ago  ipsec: Remove unused distro.txt
Tobias Brunner [Tue, 29 Oct 2013 15:34:10 +0000 (16:34 +0100)]
ipsec: Remove unused distro.txt

6 years ago  utils: Include stdio.h for fmemopen() replacement
Tobias Brunner [Tue, 29 Oct 2013 15:18:35 +0000 (16:18 +0100)]
utils: Include stdio.h for fmemopen() replacement

This might now be required because Vstr is not necessarily required
anymore, which means stdio.h might not be pulled in by printf_hook.h.

6 years ago  Use exact mask when calling umask(2)
Tobias Brunner [Tue, 29 Oct 2013 14:16:22 +0000 (15:16 +0100)]
Use exact mask when calling umask(2)

Due to the previous negation the high bits of the mask were set, which
at least some versions of the Android build system prevent with a compile-time
check.

6 years ago  whitelist: Read multiple commands until client closes connection
Martin Willi [Tue, 29 Oct 2013 13:11:41 +0000 (14:11 +0100)]
whitelist: Read multiple commands until client closes connection

This restores the same behavior we had before e11c02c8, and fixes the whitelist
add/remove-from command.

6 years ago  libtnccs: Add dummy entry to pb_tnc_tcg_msg_infos
Tobias Brunner [Tue, 29 Oct 2013 12:36:15 +0000 (13:36 +0100)]
libtnccs: Add dummy entry to pb_tnc_tcg_msg_infos

That's required because the first message type in pb_tnc_tcg_msg_type_t
is 1 not 0.

6 years ago  swid: Properly clean up after reading SWID tag
Tobias Brunner [Tue, 29 Oct 2013 12:14:37 +0000 (13:14 +0100)]
swid: Properly clean up after reading SWID tag

6 years ago  man: strongswan.conf(5) updated
Tobias Brunner [Tue, 29 Oct 2013 10:45:25 +0000 (11:45 +0100)]
man: strongswan.conf(5) updated

6 years ago  Fixed some typos
Tobias Brunner [Tue, 29 Oct 2013 09:07:03 +0000 (10:07 +0100)]
Fixed some typos

6 years ago  charon-xpc: Load missing eap-md5 plugin after enabling it
Martin Willi [Mon, 28 Oct 2013 14:13:54 +0000 (15:13 +0100)]
charon-xpc: Load missing eap-md5 plugin after enabling it

6 years ago  charon-xpc: Disable warnings about deprecated functions
Martin Willi [Mon, 28 Oct 2013 13:40:49 +0000 (14:40 +0100)]
charon-xpc: Disable warnings about deprecated functions

This avoids all the deprecated warnings when using OpenSSL functions.

6 years ago  charon-xpc: Avoid -all_load linker flag
Martin Willi [Mon, 28 Oct 2013 13:39:35 +0000 (14:39 +0100)]
charon-xpc: Avoid -all_load linker flag

This seems to be not required anymore with the LLVM 5 toolchain.

6 years ago  charon-xpc: Properly xpc_retain() connections we xpc_release()
Martin Willi [Mon, 28 Oct 2013 13:29:07 +0000 (14:29 +0100)]
charon-xpc: Properly xpc_retain() connections we xpc_release()

6 years ago  charon-xpc: Properly cast SA identifier to uintptr representation
Martin Willi [Mon, 28 Oct 2013 13:00:22 +0000 (14:00 +0100)]
charon-xpc: Properly cast SA identifier to uintptr representation

6 years ago  charon-xpc: Don't build against libvstr anymore
Martin Willi [Mon, 28 Oct 2013 12:38:44 +0000 (13:38 +0100)]
charon-xpc: Don't build against libvstr anymore

We now have our own printf backend and use it instead of Vstr.

6 years ago  charon-xpc: Build with EAP-MD5 support
Martin Willi [Mon, 28 Oct 2013 12:36:01 +0000 (13:36 +0100)]
charon-xpc: Build with EAP-MD5 support

6 years ago  utils: Fix check for fmemopen() fallback implementation
Martin Willi [Thu, 24 Oct 2013 13:58:28 +0000 (15:58 +0200)]
utils: Fix check for fmemopen() fallback implementation

6 years ago  unit-tests: Set sa_len in sockaddr template data, if required
Martin Willi [Thu, 24 Oct 2013 13:27:28 +0000 (15:27 +0200)]
unit-tests: Set sa_len in sockaddr template data, if required

6 years ago  printf-hook-builtin: Don't rely on isinf() return value signedness
Martin Willi [Thu, 24 Oct 2013 13:17:30 +0000 (15:17 +0200)]
printf-hook-builtin: Don't rely on isinf() return value signedness

Many systems don't return a negative value for negative infinities; so do
a separate check.

6 years ago  watcher: Rebuild fdset when select() fails
Martin Willi [Thu, 24 Oct 2013 13:07:43 +0000 (15:07 +0200)]
watcher: Rebuild fdset when select() fails

This should make sure we refresh the fdset if a user closes an FD it just
removed. Some selects() seem to complain about the bad FD before signaling the
notification pipe.

6 years ago  rwlock: Disable thread cancelability while waiting in (fallback) rwlock
Martin Willi [Thu, 24 Oct 2013 12:46:14 +0000 (14:46 +0200)]
rwlock: Disable thread cancelability while waiting in (fallback) rwlock

An rwlock wait is not a thread cancellation point. As a canceled thread
would not have released the mutex, the rwlock would have been left in unusable
state.

6 years ago  rwlock: Don't use buggy pthread_rwlock on OS X
Martin Willi [Thu, 24 Oct 2013 11:45:31 +0000 (13:45 +0200)]
rwlock: Don't use buggy pthread_rwlock on OS X

Recursive read locks don't seem to work properly, at least on 10.9.

6 years ago  utils: Provide a fmemopen(3) fallback using BSD funopen()
Martin Willi [Thu, 24 Oct 2013 09:49:32 +0000 (11:49 +0200)]
utils: Provide a fmemopen(3) fallback using BSD funopen()

6 years ago  Fixed sql/net2net-route-pem scenario evaluation  (tag: 5.1.1rc1)
Andreas Steffen [Wed, 23 Oct 2013 20:23:47 +0000 (22:23 +0200)]
Fixed sql/net2net-route-pem scenario evaluation

6 years ago  Added some example Debian SWID tags
Andreas Steffen [Wed, 23 Oct 2013 20:12:12 +0000 (22:12 +0200)]
Added some example Debian SWID tags

6 years ago  Added Brainpool ECP support to NEWS
Andreas Steffen [Wed, 23 Oct 2013 19:11:22 +0000 (21:11 +0200)]
Added Brainpool ECP support to NEWS

6 years ago  Added two Brainpool IKEv2 scenarios
Andreas Steffen [Wed, 23 Oct 2013 19:08:18 +0000 (21:08 +0200)]
Added two Brainpool IKEv2 scenarios

6 years ago  pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOB
Tobias Brunner [Tue, 22 Oct 2013 12:35:13 +0000 (14:35 +0200)]
pki: Replace BUILD_FROM_FD with passing a chunk via BUILD_BLOB

This allows more than one builder to try parsing the data read from STDIN.

6 years ago  chunk: Add helper function to create a chunk from data read from a file descriptor
Tobias Brunner [Tue, 22 Oct 2013 12:22:35 +0000 (14:22 +0200)]
chunk: Add helper function to create a chunk from data read from a file descriptor

6 years ago  semaphore: Support cancellation in wait functions of semaphore fallback
Martin Willi [Wed, 23 Oct 2013 14:05:40 +0000 (16:05 +0200)]
semaphore: Support cancellation in wait functions of semaphore fallback

Semaphore wait functions should be a thread cancellation point, but did
not properly release the mutex in the fallback implementation.

6 years ago  rwlock: Re-acquire rwlock even if condvar wait times out
Martin Willi [Tue, 22 Oct 2013 16:36:44 +0000 (18:36 +0200)]
rwlock: Re-acquire rwlock even if condvar wait times out

A caller expects that the associated rwlock is held, whether the condvar
gets signaled or the wait times out.
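
The two cancellation disciplines named in the rwlock and semaphore fallback commits above (disable cancelability around a wait that must not be a cancellation point; or keep the wait a cancellation point and release the mutex from a cleanup handler when the thread is canceled), as an added example using plain POSIX threads. This is not strongSwan's rwlock or semaphore code; the wait_obj_t type, the function names and the two self-checking scenarios are illustrative. It relies on the POSIX guarantee that a thread canceled inside pthread_cond_wait() re-acquires the mutex before its cleanup handlers run.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Mutex plus condvar, the building blocks of a fallback rwlock/semaphore. */
typedef struct {
    pthread_mutex_t mutex;
    pthread_cond_t cond;
    int signaled;
} wait_obj_t;

void wait_obj_init(wait_obj_t *w)
{
    pthread_mutex_init(&w->mutex, NULL);
    pthread_cond_init(&w->cond, NULL);
    w->signaled = 0;
}

/* Cleanup handler run when the waiter is canceled inside pthread_cond_wait().
 * The mutex is held again at that point, so it must be released here or it
 * stays locked forever and the lock object becomes unusable. */
static void unlock_on_cancel(void *arg)
{
    pthread_mutex_unlock((pthread_mutex_t *)arg);
}

/* Wait as a cancellation point: a canceled waiter still releases the mutex. */
void wait_cancelable(wait_obj_t *w)
{
    pthread_mutex_lock(&w->mutex);
    pthread_cleanup_push(unlock_on_cancel, &w->mutex);
    while (!w->signaled)
    {
        pthread_cond_wait(&w->cond, &w->mutex);   /* cancellation point */
    }
    pthread_cleanup_pop(1);                       /* pop and unlock */
}

/* Wait with cancelability disabled: a cancel request stays pending until the
 * wait has returned normally and the mutex has been released. */
void wait_noncancelable(wait_obj_t *w)
{
    int old;

    pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &old);
    pthread_mutex_lock(&w->mutex);
    while (!w->signaled)
    {
        pthread_cond_wait(&w->cond, &w->mutex);   /* not cancelable here */
    }
    pthread_mutex_unlock(&w->mutex);
    pthread_setcancelstate(old, NULL);
}

void wait_obj_signal(wait_obj_t *w)
{
    pthread_mutex_lock(&w->mutex);
    w->signaled = 1;
    pthread_cond_broadcast(&w->cond);
    pthread_mutex_unlock(&w->mutex);
}

static void *cancelable_thread(void *arg)
{
    wait_cancelable((wait_obj_t *)arg);
    return (void *)1;
}

static void *noncancelable_thread(void *arg)
{
    wait_noncancelable((wait_obj_t *)arg);
    return (void *)1;
}

/* Scenario 1: cancel a waiter blocked in the cancelable wait. Returns true if
 * the thread reports cancellation and the mutex can be taken again. */
bool cancel_leaves_lock_usable(void)
{
    wait_obj_t w;
    pthread_t t;
    void *ret = NULL;

    wait_obj_init(&w);
    pthread_create(&t, NULL, cancelable_thread, &w);
    pthread_cancel(t);          /* acted on at the cond_wait, whenever reached */
    pthread_join(t, &ret);
    if (ret != PTHREAD_CANCELED || pthread_mutex_trylock(&w.mutex) != 0)
    {
        return false;           /* trylock fails if the cleanup did not unlock */
    }
    pthread_mutex_unlock(&w.mutex);
    return true;
}

/* Scenario 2: the waiter has cancelability disabled, so the cancel stays
 * pending, the signal lets it finish, and it returns its own value. */
bool pending_cancel_does_not_interrupt_wait(void)
{
    wait_obj_t w;
    pthread_t t;
    void *ret = NULL;

    wait_obj_init(&w);
    pthread_create(&t, NULL, noncancelable_thread, &w);
    pthread_cancel(t);
    wait_obj_signal(&w);
    pthread_join(t, &ret);
    if (ret != (void *)1 || pthread_mutex_trylock(&w.mutex) != 0)
    {
        return false;
    }
    pthread_mutex_unlock(&w.mutex);
    return true;
}
```

Which discipline to pick depends on the primitive: a semaphore wait is expected to be a cancellation point and needs the cleanup handler, while an internal rwlock wait is not, and disabling cancelability around it is the simpler and safer choice.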

6 years ago  Updated and split data.sql
Andreas Steffen [Tue, 22 Oct 2013 22:26:02 +0000 (00:26 +0200)]
Updated and split data.sql

6 years ago  Adapted recipe and patches to freeradius-2.2.1
Andreas Steffen [Tue, 22 Oct 2013 08:09:24 +0000 (10:09 +0200)]
Adapted recipe and patches to freeradius-2.2.1

6 years ago  Support Ubuntu 13.10 measurements
Andreas Steffen [Mon, 21 Oct 2013 19:33:30 +0000 (21:33 +0200)]
Support Ubuntu 13.10 measurements

6 years ago  check if specified IF-TNCCS protocol is enabled
Andreas Steffen [Mon, 21 Oct 2013 19:03:53 +0000 (21:03 +0200)]
check if specified IF-TNCCS protocol is enabled

6 years ago  kernel-netlink: Check existence of linux/fib_rules.h, don't include it in distribution
Tobias Brunner [Fri, 18 Oct 2013 07:38:01 +0000 (09:38 +0200)]
kernel-netlink: Check existence of linux/fib_rules.h, don't include it in distribution

This reverts commit b0761f1f0a5abd225edc291c8285f99a538e6a66.

6 years ago  Merge branch 'icmp'
Tobias Brunner [Thu, 17 Oct 2013 14:57:48 +0000 (16:57 +0200)]
Merge branch 'icmp'

Improves handling of ICMP[v6] traffic selectors that specify message type and
code.

Fixes #421.

6 years ago  ipsec.conf.5: Note about ICMP[v6] message type/code added
Tobias Brunner [Mon, 14 Oct 2013 15:10:16 +0000 (17:10 +0200)]
ipsec.conf.5: Note about ICMP[v6] message type/code added

6 years ago  updown: Properly configure ICMP[v6] message type and code in firewall rules
Tobias Brunner [Thu, 17 Oct 2013 14:29:30 +0000 (16:29 +0200)]
updown: Properly configure ICMP[v6] message type and code in firewall rules

6 years ago  updown: Pass ICMP[v6] message type and code to updown script
Tobias Brunner [Mon, 14 Oct 2013 15:08:09 +0000 (17:08 +0200)]
updown: Pass ICMP[v6] message type and code to updown script

The type is passed in $PLUTO_MY_PORT and the code in $PLUTO_PEER_PORT.

6 years ago  kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel
Tobias Brunner [Tue, 15 Oct 2013 12:26:51 +0000 (14:26 +0200)]
kernel-pfkey: Install ICMP[v6] type/code as expected by the Linux kernel

6 years ago  kernel-netlink: Convert ports in acquires to ICMP[v6] type and code
Tobias Brunner [Tue, 15 Oct 2013 15:59:26 +0000 (17:59 +0200)]
kernel-netlink: Convert ports in acquires to ICMP[v6] type and code

6 years ago  kernel-netlink: Properly install policies with ICMP[v6] types and codes
Tobias Brunner [Mon, 14 Oct 2013 15:00:18 +0000 (17:00 +0200)]
kernel-netlink: Properly install policies with ICMP[v6] types and codes

6 years ago  traffic-selector: Print ICMP[v6] message type and code in a more readable way
Tobias Brunner [Mon, 14 Oct 2013 14:53:42 +0000 (16:53 +0200)]
traffic-selector: Print ICMP[v6] message type and code in a more readable way

6 years ago  traffic-selector: Store ICMP[v6] message type and code properly
Tobias Brunner [Mon, 14 Oct 2013 14:52:20 +0000 (16:52 +0200)]
traffic-selector: Store ICMP[v6] message type and code properly

We now store them as defined in RFC 4301, section 4.4.1.1.

6 years ago  traffic-selector: Move class to its own Doxygen group
Tobias Brunner [Tue, 15 Oct 2013 08:04:04 +0000 (10:04 +0200)]
traffic-selector: Move class to its own Doxygen group

6 years ago  Merge branch 'ecc-brainpool'
Tobias Brunner [Thu, 17 Oct 2013 14:56:31 +0000 (16:56 +0200)]
Merge branch 'ecc-brainpool'

Adds support for ECC Brainpool curves for DH exchanges.

6 years ago  proposal: Add ECC Brainpool DH groups to the default proposal
Tobias Brunner [Fri, 13 Sep 2013 09:29:40 +0000 (11:29 +0200)]
proposal: Add ECC Brainpool DH groups to the default proposal

6 years ago  openssl: Add workaround if ECC Brainpool curves are not defined
Tobias Brunner [Thu, 17 Oct 2013 11:31:17 +0000 (13:31 +0200)]
openssl: Add workaround if ECC Brainpool curves are not defined

6 years ago  openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL
Tobias Brunner [Thu, 17 Oct 2013 11:28:30 +0000 (13:28 +0200)]
openssl: Add support for ECC Brainpool curves for DH, if defined by OpenSSL

OpenSSL does not include them in releases before 1.0.2.

6 years ago  ecc: Added ECC Brainpool ECDH groups as registered with IANA
Andreas Steffen [Mon, 9 Sep 2013 07:36:04 +0000 (09:36 +0200)]
ecc: Added ECC Brainpool ECDH groups as registered with IANA

6 years ago  unit-tests: Make test for bio_writer_t more portable
Tobias Brunner [Fri, 11 Oct 2013 23:56:24 +0000 (01:56 +0200)]
unit-tests: Make test for bio_writer_t more portable

6 years ago  libipsec: Don't print ciphertext with ICV in log message
Tobias Brunner [Thu, 17 Oct 2013 09:36:32 +0000 (11:36 +0200)]
libipsec: Don't print ciphertext with ICV in log message

6 years ago  libipsec: Properly calculate padding length especially for AES-GCM
Tobias Brunner [Fri, 11 Oct 2013 23:09:53 +0000 (01:09 +0200)]
libipsec: Properly calculate padding length especially for AES-GCM