Check that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario
Andreas Steffen [Mon, 24 Mar 2014 22:57:55 +0000 (23:57 +0100)]

Updated expired certificates issued by the Research and Sales Intermediate CAs
Andreas Steffen [Mon, 24 Mar 2014 22:38:45 +0000 (23:38 +0100)]

Renewed revoked Research CA certificate (tag: 5.1.3dr1)
Andreas Steffen [Sat, 22 Mar 2014 14:16:15 +0000 (15:16 +0100)]

unit-test: added missing TEST_FUNCTION macros
Andreas Steffen [Sat, 22 Mar 2014 09:26:02 +0000 (10:26 +0100)]

Added openssl-ikev2/net2net-pgp-v3 scenario
Andreas Steffen [Thu, 20 Mar 2014 17:21:36 +0000 (18:21 +0100)]

openssl: Add default fallback when calculating fingerprints of RSA keys
Tobias Brunner [Fri, 14 Mar 2014 16:33:22 +0000 (17:33 +0100)]

We still try to calculate these directly as it can avoid a dependency on
the pkcs1 or other plugins.  But for e.g. PGPv3 keys we need to delegate the
actual fingerprint calculation to the pgp plugin.

Completed integration of ntru_crypto library into ntru plugin
Andreas Steffen [Sat, 22 Mar 2014 08:50:39 +0000 (09:50 +0100)]

Merge branch 'travis-ci'
Tobias Brunner [Thu, 20 Mar 2014 17:49:03 +0000 (18:49 +0100)]

Adds a config file and build script for Travis CI. Makes the unit tests
buildable with Clang, and test vectors are now actually verified when
the unit tests are executed.

Also adds options to run only selected test suites and to increase the debug
level during unit tests.

The --enable/disable configure options have been reordered and grouped, and
an option to enable all the features has been added (plus an option to
select a specific printf-hook implementation).

travis: Use parallel build
Tobias Brunner [Tue, 18 Mar 2014 14:25:56 +0000 (15:25 +0100)]

Not sure if 4 jobs is optimal, but according to the docs each build host
has 1.5 virtual cores available (although "getconf _NPROCESSORS_ONLN"
returns 32, which is probably the number of real cores underneath), so
more jobs might not actually reduce the build time much more.

crypto-tester: Don't fail if key size is not supported
Tobias Brunner [Fri, 14 Mar 2014 08:56:23 +0000 (09:56 +0100)]

The Blowfish and Twofish implementations provided by the gcrypt plugin
only support specific key lengths, which we don't know when testing
against vectors (either during unit tests or during algorithm
registration).  The on_create test with a specific key length will be
skipped anyway, so there is no point in treating this failure differently.

unit-tests: Add an option to increase the verbosity when running tests
Tobias Brunner [Fri, 14 Mar 2014 08:41:50 +0000 (09:41 +0100)]

The TESTS_VERBOSITY option takes an integer from -1 to 4 that sets the
default debug level.

unit-tests: Add an option to run only a subset of all test suites
Tobias Brunner [Fri, 14 Mar 2014 08:35:50 +0000 (09:35 +0100)]

The TESTS_SUITES environment variable can contain a comma separated list
of names of test suites to run.

unit-tests: Actually verify registered algorithms against test vectors
Tobias Brunner [Thu, 13 Mar 2014 15:03:05 +0000 (16:03 +0100)]

Previously, the {ns}.crypto_test.on_add option had to be enabled to
actually test the algorithms, which we can't enforce for the tests in
the test_runner as the option is already read when the crypto factory
is initialized.  Even so, we wouldn't want to do this for every unit
test, which would be the result of enabling that option.

travis: Add tests for builtin printf hook implementation
Tobias Brunner [Mon, 3 Mar 2014 17:44:29 +0000 (18:44 +0100)]

We can't test Vstr as it does not properly handle negative int arguments
for custom format callbacks, so some of the enum tests would fail.

configure: Add an option to select a specific printf hook implementation
Tobias Brunner [Mon, 3 Mar 2014 17:18:47 +0000 (18:18 +0100)]

travis: Install dependencies for each test dynamically
Tobias Brunner [Sat, 1 Mar 2014 07:49:52 +0000 (08:49 +0100)]

Since the installation of all packages alone takes several minutes this
should speed up some test cases.

travis: Enable clang build
Tobias Brunner [Sat, 1 Mar 2014 07:40:22 +0000 (08:40 +0100)]

But build the distribution only once.

unit-tests: Use TEST_FUNCTION macro in ntru tests
Tobias Brunner [Sat, 1 Mar 2014 07:39:50 +0000 (08:39 +0100)]

unit-tests: Implement registered functions without __builtin_apply()
Tobias Brunner [Sat, 1 Mar 2014 07:35:59 +0000 (08:35 +0100)]

This makes the tests work with clang, which does not implement said

unit-tests: Call functions with TEST_ prefix in ntru test
Tobias Brunner [Fri, 28 Feb 2014 16:15:47 +0000 (17:15 +0100)]

unit-tests: Prefix imported testable functions with TEST_
Tobias Brunner [Fri, 28 Feb 2014 16:13:33 +0000 (17:13 +0100)]

This avoids any clashes with existing functions in the monolithic build.

unit-tests: Change how hashtable for testable functions is created
Tobias Brunner [Fri, 28 Feb 2014 16:08:39 +0000 (17:08 +0100)]

Because GCC does not adhere to the priorities defined for constructors
when building with --enable-monolithic (not sure if it was just luck
that it worked in non-monolithic mode - anyway, it's not very portable),
function registration would fail because the hashtable would not be
created yet.

Add Travis CI config and build script
Tobias Brunner [Wed, 26 Feb 2014 16:49:07 +0000 (17:49 +0100)]

configure: Add an option to enable all optional features/plugins
Tobias Brunner [Thu, 27 Feb 2014 15:28:00 +0000 (16:28 +0100)]

This has probably no real practical use, but it simplifies testing.

configure: Reorder and group feature options
Tobias Brunner [Thu, 27 Feb 2014 14:37:01 +0000 (15:37 +0100)]

unit-tests: Generate weak keys with gcrypt plugin (but quickly)
Tobias Brunner [Thu, 27 Feb 2014 13:07:06 +0000 (14:07 +0100)]

tnc-pdp: Fix monolithic build
Tobias Brunner [Thu, 27 Feb 2014 16:00:09 +0000 (17:00 +0100)]

plugin-feature: Hash only the actually used feature argument
Tobias Brunner [Thu, 20 Mar 2014 12:42:57 +0000 (13:42 +0100)]

Clang does not initialize padding in union members so hashing the
complete "arg" union could lead to different hashes if the hashed
plugin_feature_t does not have static storage duration.

Fixes #549.
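
An added illustration of the pitfall this commit addresses, written for this page and not taken from strongSwan: a kind-tagged union hashed as a whole versus hashed by its active member only. The type feature_t, the functions hash_all/hash_used and the use of FNV-1a are assumptions of the example, and the memset patterns stand in for whatever a stack-allocated descriptor happens to contain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kind-tagged descriptor with a union argument (example type, not
 * strongSwan's plugin_feature_t). */
typedef enum { FEAT_CRYPTER, FEAT_HASHER } feature_kind_t;

typedef struct {
    feature_kind_t kind;
    union {
        struct { int alg; int key_size; } crypter;  /* 8 bytes */
        char hasher;   /* 1 byte; the remaining 7 are padding when active */
    } arg;
} feature_t;

/* FNV-1a over a byte range, continuing from state h. */
static uint32_t fnv1a(uint32_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    size_t i;
    for (i = 0; i < len; i++) {
        h = (h ^ p[i]) * 16777619u;
    }
    return h;
}

/* Hashes every byte of the struct, including union padding the compiler
 * never initialises, so equal descriptors can produce different hashes. */
uint32_t hash_all(const feature_t *f)
{
    return fnv1a(2166136261u, f, sizeof(*f));
}

/* Hashes only the union member selected by the kind tag. */
uint32_t hash_used(const feature_t *f)
{
    uint32_t h = fnv1a(2166136261u, &f->kind, sizeof(f->kind));
    switch (f->kind) {
    case FEAT_CRYPTER:
        h = fnv1a(h, &f->arg.crypter.alg, sizeof(f->arg.crypter.alg));
        h = fnv1a(h, &f->arg.crypter.key_size, sizeof(f->arg.crypter.key_size));
        break;
    case FEAT_HASHER:
        h = fnv1a(h, &f->arg.hasher, sizeof(f->arg.hasher));
        break;
    }
    return h;
}

/* Two logically identical hasher features built on different memory
 * contents (constructed stand-in for uninitialised stack memory). */
static void make_pair(feature_t *a, feature_t *b, char id)
{
    memset(a, 0x00, sizeof(*a));
    memset(b, 0xff, sizeof(*b));
    a->kind = b->kind = FEAT_HASHER;
    a->arg.hasher = b->arg.hasher = id;
}

/* 1 if hashing the whole struct gives different results for the pair. */
int padding_changes_hash(void)
{
    feature_t a, b;
    make_pair(&a, &b, 3);
    return hash_all(&a) != hash_all(&b);
}

/* 1 if hashing only the active member gives the same result for the pair. */
int used_member_hash_stable(void)
{
    feature_t a, b;
    make_pair(&a, &b, 3);
    return hash_used(&a) == hash_used(&b);
}

/* hash_used of a zero-filled hasher feature carrying the given id. */
uint32_t hasher_feature_hash(char id)
{
    feature_t f;
    memset(&f, 0, sizeof(f));
    f.kind = FEAT_HASHER;
    f.arg.hasher = id;
    return hash_used(&f);
}

int main(void)
{
    printf("whole-struct hash differs: %d, active-member hash stable: %d\n",
           padding_changes_hash(), used_member_hash_stable());
    return 0;
}
```

The same reasoning applies to equality comparison: memcmp over a struct that contains a union or alignment padding is only reliable for objects that were zeroed (or have static storage duration) before their fields were set.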

Added TPMRA workitem support for [dummy] Trusted Boot measurements
Andreas Steffen [Wed, 19 Mar 2014 19:26:31 +0000 (20:26 +0100)]

pki: When dispatching commands, don't look beyond non-null-terminated array
Martin Willi [Wed, 19 Mar 2014 08:34:41 +0000 (09:34 +0100)]

pki: Check length of commands array before accessing command in --help
Martin Willi [Tue, 11 Mar 2014 18:02:16 +0000 (19:02 +0100)]

As --help is counted as a command as well, the array is not null-terminated
and we have to check for MAX_COMMANDS.

Fixes #550.

charon-nm: No additional secrets are required once a password has been entered
Tobias Brunner [Tue, 18 Mar 2014 13:49:14 +0000 (14:49 +0100)]

Recent versions of NM will call need_secrets() as long as it returns TRUE,
but then fail as the number of calls is limited by an assert.

Fixes #547.

array: Fix removal of elements in the second half of an array
Tobias Brunner [Tue, 18 Mar 2014 13:42:44 +0000 (14:42 +0100)]

Memory beyond the end of the array was moved when array elements in the
second half of an array were removed.

Fixes #548.
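
An added example for this page, not strongSwan's array_t: a small array with unused slack at the front, where removing an element in the first half moves the head and removing one in the second half moves the tail. The point is the length of the second memmove: it must cover only the elements after the removed index, otherwise the copy pulls in one slot past the live region, which is the kind of over-read this commit describes. Type and function names are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Int array with slack before head so removals near the front are cheap. */
typedef struct {
    int *data;      /* backing storage, cap slots */
    size_t head;    /* index of the first live element */
    size_t count;   /* number of live elements */
    size_t cap;     /* allocated slots */
} int_array_t;

int_array_t *array_create(size_t cap)
{
    int_array_t *a = calloc(1, sizeof(*a));
    if (!a) {
        return NULL;
    }
    a->data = calloc(cap, sizeof(int));
    a->cap = cap;
    return a;
}

void array_destroy(int_array_t *a)
{
    free(a->data);
    free(a);
}

int array_insert(int_array_t *a, int value)
{
    if (a->head + a->count >= a->cap) {
        return 0;   /* no room at the tail; a real implementation would grow */
    }
    a->data[a->head + a->count++] = value;
    return 1;
}

int array_get(const int_array_t *a, size_t idx)
{
    return a->data[a->head + idx];
}

/* Remove element idx.  First half: shift the idx elements before it up by
 * one and advance head.  Second half: shift the elements after it down by
 * one.  That second move covers exactly count - idx - 1 elements; using
 * count - idx would copy one slot beyond the last live element. */
int array_remove(int_array_t *a, size_t idx)
{
    int *base = a->data + a->head;

    if (idx >= a->count) {
        return 0;
    }
    if (idx < a->count / 2) {
        memmove(base + 1, base, idx * sizeof(int));
        a->head++;
    } else {
        memmove(base + idx, base + idx + 1, (a->count - idx - 1) * sizeof(int));
    }
    a->count--;
    return 1;
}

/* Pack single-digit elements into one int ({1,2,4} -> 124) for checks. */
int array_digits(const int_array_t *a)
{
    int v = 0;
    size_t i;
    for (i = 0; i < a->count; i++) {
        v = v * 10 + array_get(a, i);
    }
    return v;
}

int main(void)
{
    int_array_t *a = array_create(4);
    int i;
    for (i = 1; i <= 4; i++) {
        array_insert(a, i);
    }
    array_remove(a, 2);     /* second half: tail moves, {1,2,4} */
    array_remove(a, 0);     /* first half: head moves, {2,4} */
    printf("%d\n", array_digits(a));
    array_destroy(a);
    return 0;
}
```

Removing the last element of a full array is the case that catches a wrong length: the correct move is zero bytes, whereas count - idx would read one int past the allocation. Running such code under valgrind or AddressSanitizer makes the difference visible immediately.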

plugin-loader: Properly initialize modular plugin list if no plugins are enabled
Tobias Brunner [Tue, 18 Mar 2014 09:53:11 +0000 (10:53 +0100)]

Implemented ntru_private_key class
Andreas Steffen [Tue, 18 Mar 2014 09:03:16 +0000 (10:03 +0100)]

11 bits are needed to encode a maximum index of 1086
Andreas Steffen [Sat, 15 Mar 2014 18:22:16 +0000 (19:22 +0100)]

Merged libstrongswan options into charon section
Andreas Steffen [Sat, 15 Mar 2014 13:07:02 +0000 (14:07 +0100)]

strongswan.conf is not needed on RADIUS server alice
Andreas Steffen [Sat, 15 Mar 2014 13:06:34 +0000 (14:06 +0100)]

tnc-ifmap: Get a reference to the client cert as it is also used in an auth config
Tobias Brunner [Mon, 10 Mar 2014 13:31:42 +0000 (14:31 +0100)]

Version bump to 5.1.3dr1
Andreas Steffen [Fri, 7 Mar 2014 20:55:46 +0000 (21:55 +0100)]

Disable mandatory ECP support for attestation
Andreas Steffen [Fri, 7 Mar 2014 20:54:51 +0000 (21:54 +0100)]

Refactored NTRU parameter set selection
Andreas Steffen [Fri, 7 Mar 2014 16:25:42 +0000 (17:25 +0100)]

Refactored ntru_param_sets
Andreas Steffen [Fri, 7 Mar 2014 14:43:42 +0000 (15:43 +0100)]

thread: Properly clean up meta data of main thread
Tobias Brunner [Fri, 7 Mar 2014 17:27:22 +0000 (18:27 +0100)]

settings: Log all errors on level 1
Tobias Brunner [Tue, 4 Mar 2014 12:30:09 +0000 (13:30 +0100)]

Closes #539.

settings: Avoid conf file parsing beyond allocated buffer
Thomas Egerer [Thu, 27 Feb 2014 08:45:08 +0000 (09:45 +0100)]

A valgrind analysis of libstrongswan revealed an invalid read of 1 in
the function starts_with(). A more thorough analysis proved this to be
true and showed that with a specially crafted config file (e.g. a single
'#'-character not followed by a newline), the parser might even
interpret the random memory contents following the allocated buffer as
part of the configuration file.
The way the parser is designed, it must be able to skip an inserted
'\0' and continue parsing. Since it is not able to skip two '\0'
characters, the 'fix' of allocating two more bytes than the size of the
parsed file and setting them to '\0' seems to be a safe bet.

Signed-off-by: Thomas Egerer <>
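
An added example for this page (not strongSwan's settings parser) of the buffer-termination pattern the commit describes: the file contents are copied into a buffer with two trailing NUL bytes, starts_with stops at the first terminator it meets, and the comment scanner unconditionally consumes one byte after a comment, as a parser that terminates tokens in place with '\0' and then steps over that byte would. With a file consisting of a single '#' and no trailing newline, that consumed byte is the first NUL, and only the second NUL stops the loop. The scanner's behaviour and the helper names are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy raw file contents into a heap buffer with TWO trailing NUL bytes. */
char *load_padded(const char *data, size_t len)
{
    char *buf = malloc(len + 2);
    if (!buf) {
        return NULL;
    }
    memcpy(buf, data, len);
    buf[len] = '\0';
    buf[len + 1] = '\0';
    return buf;
}

/* Prefix test that stops at the terminator of s and never reads past it. */
int starts_with(const char *s, const char *prefix)
{
    while (*prefix) {
        if (*s++ != *prefix++) {
            return 0;   /* also stops when *s is '\0' */
        }
    }
    return 1;
}

/* Count "key = value" lines; '#' starts a comment that runs to end of line.
 * After a comment the scanner skips one more byte without checking it, the
 * way a parser that expects the '\n' it terminated in place would; at end
 * of input that byte is the first NUL, so the second NUL ends the loop. */
int count_settings(const char *buf)
{
    const char *p = buf;
    int n = 0;

    while (*p) {
        if (starts_with(p, "#")) {
            while (*p && *p != '\n') {
                p++;
            }
            p++;            /* skip '\n', or the first NUL at end of input */
            continue;
        }
        if (*p == '\n' || *p == ' ' || *p == '\t') {
            p++;
            continue;
        }
        n++;                /* a setting line */
        while (*p && *p != '\n') {
            p++;
        }
    }
    return n;
}

/* Convenience: load, count and free; -1 on allocation failure. */
int count_from(const char *data, size_t len)
{
    char *buf = load_padded(data, len);
    int n = buf ? count_settings(buf) : -1;
    free(buf);
    return n;
}

/* 1 if load_padded left both trailing bytes as NUL. */
int padded_ok(const char *data, size_t len)
{
    char *buf = load_padded(data, len);
    int ok = buf && buf[len] == '\0' && buf[len + 1] == '\0';
    free(buf);
    return ok;
}

int main(void)
{
    /* constructed sample: a file that is nothing but a single '#' */
    printf("settings in \"#\": %d\n", count_from("#", 1));
    printf("settings in \"a = 1\\n# c\\nb = 2\": %d\n",
           count_from("a = 1\n# c\nb = 2", 15));
    return 0;
}
```

With a single trailing NUL the p++ after the comment would step to buf[len + 1], one byte past the allocation, and the loop condition would then read it: exactly the invalid read of 1 that valgrind reports.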

configure: Fix autoreconf with older autotools
Tobias Brunner [Mon, 3 Mar 2014 16:14:26 +0000 (17:14 +0100)]

Older autoconf versions (e.g. on CentOS 6.5) produce an empty else block
for the removed empty argument, which the shell then trips over when
executing ./configure.

Fixes #536.

Optimize ntru_poly constructors some more (tag: 5.1.2)
Andreas Steffen [Thu, 27 Feb 2014 22:06:51 +0000 (23:06 +0100)]

Version bump to 5.1.2
Andreas Steffen [Thu, 27 Feb 2014 21:46:52 +0000 (22:46 +0100)]

Optimized initialisation of indices
Andreas Steffen [Thu, 27 Feb 2014 21:39:47 +0000 (22:39 +0100)]

Added get_array() method to ntru_poly_t class
Andreas Steffen [Thu, 27 Feb 2014 21:08:22 +0000 (22:08 +0100)]

Defined ntru_poly_create_from_seed() and ntru_poly_create_from_data() constructors and built some unit tests for the latter
Andreas Steffen [Thu, 27 Feb 2014 19:36:17 +0000 (20:36 +0100)]

Optimized use of temporary arrays in polynomial multiplication
Andreas Steffen [Thu, 27 Feb 2014 14:22:48 +0000 (15:22 +0100)]

Implement ring multiplication method
Andreas Steffen [Wed, 26 Feb 2014 22:36:09 +0000 (23:36 +0100)]

conf: Fix out-of-tree build from distribution
Tobias Brunner [Thu, 27 Feb 2014 10:40:32 +0000 (11:40 +0100)]

It worked from the repository, where strongswan.conf.5.main is generated
in the build dir, but not from the distribution where it is located in
the source dir, so explicitly create it in the source dir.

utils: Add memrchr(3) replacement for platforms that don't support it
Tobias Brunner [Tue, 25 Feb 2014 11:45:38 +0000 (12:45 +0100)]

For instance, on Mac OS X memrchr(3) is not provided by the C library.

Merge branch 'dirname'
Tobias Brunner [Mon, 24 Feb 2014 11:04:24 +0000 (12:04 +0100)]

Fixes the incorrect usage of dirname(3) in settings_t and stroke_cred_t,
and adds thread-safe variants of dirname(3) and basename(3).

libpts: Use path_base|dirname()
Tobias Brunner [Mon, 24 Feb 2014 10:26:46 +0000 (11:26 +0100)]

conftest: Use path_dirname()
Tobias Brunner [Mon, 24 Feb 2014 10:19:05 +0000 (11:19 +0100)]

stroke: Use thread-safe dirname(3)
Tobias Brunner [Fri, 21 Feb 2014 17:49:16 +0000 (18:49 +0100)]

settings: Use thread-safe dirname(3)
Tobias Brunner [Fri, 21 Feb 2014 17:48:55 +0000 (18:48 +0100)]

utils: Add thread-safe variants of dirname(3) and basename(3)
Tobias Brunner [Fri, 21 Feb 2014 17:44:15 +0000 (18:44 +0100)]

utils: Move thread-safe strerror replacement to a separate file
Tobias Brunner [Fri, 21 Feb 2014 16:31:14 +0000 (17:31 +0100)]

For some utils _GNU_SOURCE might be needed but that conflicts with the
signature of strerror_r(3).

stroke: Use dirname(3) correctly
Tobias Brunner [Fri, 21 Feb 2014 13:59:33 +0000 (14:59 +0100)]

settings: Use dirname(3) correctly
Tobias Brunner [Fri, 21 Feb 2014 13:58:01 +0000 (14:58 +0100)]

dirname(3) may return a pointer to a statically allocated buffer.
So freeing the returned value can result in undefined behavior. This was
noticed on FreeBSD where it caused very strange crashes.

It is also not thread-safe, which will be addressed later.
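
An added example for this page of what a thread-safe replacement for dirname(3) and basename(3) has to do differently: return a freshly allocated string that the caller owns and frees, never write into the argument, and never hand out a pointer to static storage. The names path_dirname and path_basename follow the commit subjects above; the implementation is written for this page and is not strongSwan's. It applies the POSIX rules (trailing slashes are ignored, a path without '/' has dirname "." and "/" stays "/"); strndup is avoided deliberately because, as noted elsewhere in this log, some C libraries only declare it under _GNU_SOURCE.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy len bytes of s into a fresh NUL-terminated buffer (caller frees). */
static char *copy_range(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (out) {
        memcpy(out, s, len);
        out[len] = '\0';
    }
    return out;
}

/* Thread-safe dirname(3): the result is a new allocation, so freeing it is
 * correct and concurrent callers never share a buffer.  NULL on OOM. */
char *path_dirname(const char *path)
{
    size_t len = path ? strlen(path) : 0;

    while (len > 1 && path[len - 1] == '/') {   /* drop trailing slashes */
        len--;
    }
    while (len > 0 && path[len - 1] != '/') {   /* drop the last component */
        len--;
    }
    while (len > 1 && path[len - 1] == '/') {   /* drop separators, keep root */
        len--;
    }
    return copy_range(len ? path : ".", len ? len : 1);
}

/* Thread-safe basename(3) with the same ownership rules. */
char *path_basename(const char *path)
{
    size_t len = path ? strlen(path) : 0;
    size_t end;

    if (len == 0) {
        return copy_range(".", 1);
    }
    while (len > 1 && path[len - 1] == '/') {   /* drop trailing slashes */
        len--;
    }
    if (len == 1 && path[0] == '/') {
        return copy_range("/", 1);
    }
    end = len;
    while (len > 0 && path[len - 1] != '/') {   /* back up to the separator */
        len--;
    }
    return copy_range(path + len, end - len);
}

/* Helpers that compare against an expected value and release the result. */
int dirname_equals(const char *path, const char *expected)
{
    char *d = path_dirname(path);
    int ok = d && strcmp(d, expected) == 0;
    free(d);
    return ok;
}

int basename_equals(const char *path, const char *expected)
{
    char *b = path_basename(path);
    int ok = b && strcmp(b, expected) == 0;
    free(b);
    return ok;
}

int main(void)
{
    char *dir = path_dirname("/etc/strongswan.d/charon/");
    char *base = path_basename("/etc/strongswan.d/charon/");
    printf("%s %s\n", dir, base);   /* /etc/strongswan.d charon */
    free(dir);
    free(base);
    return 0;
}
```

The glibc dirname(3) modifies its argument in place and the POSIX basename(3) may return a pointer into a static buffer; code that passed a const string or freed the result only worked by accident on one platform, which is the FreeBSD crash described above.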

Use logical AND function
Andreas Steffen [Sun, 23 Feb 2014 15:44:14 +0000 (16:44 +0100)]

pki: Make cmds array static, ensuring that it is zero-initialized
Martin Willi [Thu, 20 Feb 2014 10:20:45 +0000 (11:20 +0100)]

As pki --help relies on a zero-terminated array, make the actually non-public
cmds array static to ensure initialization.

index limit can be easily computed
Andreas Steffen [Wed, 19 Feb 2014 19:18:18 +0000 (20:18 +0100)]

uclibc only defines strndup(3) if _GNU_SOURCE is defined
Tobias Brunner [Wed, 19 Feb 2014 15:09:41 +0000 (16:09 +0100)]

References #516.

sshkey: uclibc only defines fmemopen(3) if _GNU_SOURCE is defined
Tobias Brunner [Wed, 19 Feb 2014 14:48:06 +0000 (15:48 +0100)]

Fixes #516.

coverage: Apparently not all shells can expand {src,scripts}
Tobias Brunner [Wed, 19 Feb 2014 11:41:56 +0000 (12:41 +0100)]

One example is ash.

pki: Fix minor resource leak on failure to read the private key in --req (tag: 5.1.2rc2)
Tobias Brunner [Tue, 18 Feb 2014 12:48:13 +0000 (13:48 +0100)]

stroke: Use proper modifiers to print size_t arguments
Tobias Brunner [Tue, 18 Feb 2014 12:25:26 +0000 (13:25 +0100)]

Created ntru_poly class for sparse trinary polynomials
Andreas Steffen [Tue, 18 Feb 2014 15:17:18 +0000 (16:17 +0100)]

android: Don't limit number of packets during EAP-TTLS
Tobias Brunner [Mon, 2 Dec 2013 18:59:39 +0000 (19:59 +0100)]

lookip: Properly return from disconnect callback job
Tobias Brunner [Tue, 18 Feb 2014 10:20:36 +0000 (11:20 +0100)]

References #518.

Doxygen: Sort group names alphabetically
Tobias Brunner [Tue, 18 Feb 2014 09:45:51 +0000 (10:45 +0100)]

Fixed some typos
Tobias Brunner [Tue, 18 Feb 2014 09:35:02 +0000 (10:35 +0100)]

plugin-loader: Escape <ns> in comment as Doxygen sees this as XML tag
Tobias Brunner [Tue, 18 Feb 2014 09:18:54 +0000 (10:18 +0100)]

unit-tests: Ignore tests not test_runner
Tobias Brunner [Tue, 18 Feb 2014 09:09:30 +0000 (10:09 +0100)]

conf: Ignore generated strongswan.conf.5.main
Tobias Brunner [Tue, 18 Feb 2014 09:08:54 +0000 (10:08 +0100)]

Added ikev2/lookip scenario
Andreas Steffen [Mon, 17 Feb 2014 11:04:21 +0000 (12:04 +0100)]

Version bump to 5.1.2rc2
Andreas Steffen [Mon, 17 Feb 2014 11:02:23 +0000 (12:02 +0100)]

lookip: Disconnect asynchronously to avoid dead-locking watcher unregistration
Martin Willi [Mon, 17 Feb 2014 08:44:14 +0000 (09:44 +0100)]

While it really would be desirable to allow stream destruction during on_read()
callbacks, this does not work anymore since e49b2998. Until we have a proper
solution for this issue, use asynchronous disconnects for the only user doing

Fixes #518.

Fixed a minor vulnerability in which a malformed ASN.1 length field could cause a crash of the charon daemon if the verbose debug level 3 (raw hex dump) for the asn subsystem is enabled. (tag: 5.1.2rc1)
Andreas Steffen [Fri, 14 Feb 2014 14:06:57 +0000 (15:06 +0100)]

conf: Fix installation on FreeBSD
Tobias Brunner [Thu, 13 Feb 2014 12:50:12 +0000 (13:50 +0100)]

Apparently, the -t option for install is not portable.

creates /etc/pts/dists directory if it doesn't exist yet
Andreas Steffen [Thu, 13 Feb 2014 12:21:39 +0000 (13:21 +0100)]

NEWS: Add strongswan.conf changes and IPComp fixes
Tobias Brunner [Thu, 13 Feb 2014 10:45:29 +0000 (11:45 +0100)]

conf: The use of $^ is not portable
Tobias Brunner [Thu, 13 Feb 2014 10:15:42 +0000 (11:15 +0100)]

Generating strongswan.conf.5.main in a subshell gets the file
properly written to the builddir in out-of-tree builds.

printf-hook-glibc: printf.h on FreeBSD 10 does not include stdargs.h
Tobias Brunner [Thu, 13 Feb 2014 09:45:26 +0000 (10:45 +0100)]

array: Fix compilation on FreeBSD
Tobias Brunner [Thu, 13 Feb 2014 09:41:22 +0000 (10:41 +0100)]

Merge branch 'modular-load'
Tobias Brunner [Wed, 12 Feb 2014 14:24:47 +0000 (15:24 +0100)]

Introduces a new configuration file layout. strongswan.conf is now only
very simple and mainly includes the config snippets from the strongswan.d
and strongswan.d/charon directories (the latter containing snippets for
individual plugins).

Config snippets with commented defaults are generated for all currently
defined settings and are installed if they don't exist yet and the
respective plugin/component is enabled.  Similarly, the strongswan.conf(5)
man page, which documents all these settings, is automatically generated
from the same source.
The config snippets are also installed in $prefix/share/strongswan so
existing files can be compared to the most current defaults.

As an alternative to the non-extensible charon.load option, the plugins
to load can now be determined via the respective charon.plugins.<name>.load
setting.  This functionality is enabled by the new default strongswan.conf
file (via the charon.load_modular option) and the load setting in the
generated config snippets of all enabled plugins.  The load setting
optionally takes a numeric priority value that allows reordering the
plugins (plugins with the same priority are ordered according to the
default plugin order).

Additionally, all settings that were formerly defined in library
specific "global" sections are now application specific.  For instance,
instead of configuring libstrongswan.plugins.random.random and affecting
charon, charon-cmd, pki, basically every application using libstrongswan,
the option can now be set individually for each application (e.g.
pki.plugins.random.random to affect only pki).  The old options are still
supported though, which actually allows defining defaults for all
applications in the libstrongswan section.

The libtls options are mapped to <app>.tls. The libimcv and libtnccs options
are mapped to <app>.imcv and <app>.tnc, respectively (while their plugin's
options are now under <app>.plugins together with all the others).

Fixes #475.
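
As an added illustration of the layout described in this merge message, constructed for this page rather than copied from the project's shipped files: the top-level strongswan.conf only includes snippets, a generated per-plugin snippet carries the load setting, and an application-specific section overrides a plugin option for one program only. The plugin name random and its random option are the ones named in the message; the device paths and the priority value are assumed example values.

```conf
# /etc/strongswan.conf: only pulls in the generated snippets
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf

# /etc/strongswan.d/charon/random.conf: generated snippet, defaults commented
random {
    # Whether to load the plugin. A number instead of "yes" also enables it
    # and sets its priority relative to the other plugins, e.g. load = 10.
    load = yes

    # File to read random bytes from (assumed example value).
    # random = /dev/random
}

# Appended to /etc/strongswan.conf: affects only pki, not charon or charon-cmd
pki {
    plugins {
        random {
            random = /dev/urandom
        }
    }
}

# The old library-wide section is still honoured and now acts as the default
# for every application that does not override the option itself.
libstrongswan {
    plugins {
        random {
            random = /dev/random
        }
    }
}
```

A practical consequence of the snippet approach: since the installed snippets are only created when they do not exist yet, comparing them against the copies under $prefix/share/strongswan after an upgrade is how one notices newly added options or changed defaults.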

conf: Install config files world-readable but warn about permissions for certain options
Tobias Brunner [Wed, 12 Feb 2014 14:16:57 +0000 (15:16 +0100)]

conf: Document variables and config files/dirs
Tobias Brunner [Mon, 10 Feb 2014 09:55:07 +0000 (10:55 +0100)]

Add Python and pkg-config as requirements to HACKING
Tobias Brunner [Mon, 10 Feb 2014 09:21:33 +0000 (10:21 +0100)]

pkg-config is probably installed on most systems by default, but e.g. not
on Cygwin.

conf: Only install config snippets for enabled components
Tobias Brunner [Fri, 7 Feb 2014 13:46:25 +0000 (14:46 +0100)]

conf: Document options of other programs
Tobias Brunner [Fri, 7 Feb 2014 15:20:39 +0000 (16:20 +0100)]

conf: Document options of plugins in libpts
Tobias Brunner [Fri, 7 Feb 2014 13:44:19 +0000 (14:44 +0100)]

libpts: Move settings to <ns>.plugins with fallback to libimcv
Tobias Brunner [Fri, 7 Feb 2014 13:42:37 +0000 (14:42 +0100)]

conf: Document libimcv options
Tobias Brunner [Fri, 7 Feb 2014 13:20:53 +0000 (14:20 +0100)]