| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
in the set
Fixes #1213.
|
| |
|
|
| |
The __NR_ constants are also defined in the Android headers.
|
| |
|
|
|
| |
Apparently, not available on Mac OS X 10.10 Yosemite. We don't provide
this on Windows.
|
| |
|
|
|
|
|
|
|
|
| |
Since the textual representation for a CRL is now standardized
in RFC 7468 one could argue that we should accept that too, even
though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to
be in DER format. But in particular for file URIs enforcing that
seems inconvenient.
Fixes #1203.
|
| |
|
|
|
|
|
| |
For file:// URIs the code is 0 on success. We now do the same libcurl
would do with CURLOPT_FAILONERROR enabled.
Fixes #1203.
|
| |
|
|
|
|
| |
This is particularly important for single valued rules (e.g.
identities). When copying values this is already handled correctly
by the enumerator and add().
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This can be useful when writing custom plugins as typos or missing
linker flags that result in unresolved symbols in the shared object
could otherwise cause late crashes. In particular, if such a symbol
is used in a code path that is rarely executed. During development
and testing using RTLD_NOW instead of RTLD_LAZY will prevent the
plugin from getting loaded and makes the error visible immediately.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We don't need an IV for NULL encryption, so we wouldn't technically need
an IV generator. But some of the code currently relies on an IV
generator to be present. So we don't have to change that code and
handle IV size == 0 specially we use the new NULL IV generator, which
handles this transparently to the existing code.
Before 3c81cb6fc322 ("aead: Create AEAD using traditional transforms
with an explicit IV generator") iv_gen_rand_t was used for NULL
encryption, which would work too but this way it's clearer.
|
| |
|
|
|
| |
This does not actually allocate an IV and only accepts requests
for size == 0.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
If -1 was returned on the first call to read() `done` got SIZE_MAX
and the function returned TRUE even though no actual random data had
been allocated.
Fixes #1156.
|
| |
|
|
|
|
|
| |
This is basically the same call, but it has the advantage of being
supported by FreeBSD's valgrind, which sigwait() is not.
References #1106.
|
| |
|
|
|
|
|
|
| |
If OpenSSL is compiled with OPENSSL_NO_DEPRECATED some of the headers
we include don't include openssl/bn.h anymore. Therefore, we have to
explicitly include it ourselves where we use BN_* functions.
Fixes #1113.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This properly detects prefixes encoded as ranges.
|
| |
|
|
|
| |
Basically the same as e79b0e07e4ab. EAP_RADIUS is also a virtual method
that will identify itself as a different EAP method later.
|
| | |
|
| | |
|
| |
|
|
|
| |
We now store the actual method on the auth config, which won't match
anymore if rightauth=eap-dynamic is configured.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Not sure if defining multiple CA constraints and enforcing _all_ of them,
i.e. the previous behavior, makes even sense. To ensure a very specific
chain it should be enough to define the last intermediate CA. On the
other hand, the ability to define multiple CAs could simplify configuration.
This can currently only be used with swanctl/VICI based configs as `rightca`
only takes a single DN.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Vendor specific EAP methods may be registered with:
PLUGIN_CALLBACK(eap_method_register, <constructor>),
PLUGIN_PROVIDE(EAP_SERVER_VENDOR, <type>, <vendor>),
Same for client implementations via EAP_PEER_VENDOR.
References #969.
|
| |
|
|
|
| |
Not all POSIX compatible systems might provide it yet. If not, we close
the lowest FD to close and hope it gets reused by opendir().
|
| |
|
|
|
|
|
| |
This avoids any allocations, since calling malloc() after fork() is
potentially unsafe.
Fixes #990.
|
| |
|
|
|
|
|
|
|
|
| |
Calling malloc() after fork() is potentially unsafe, so we should avoid
it if possible. opendir() will still require an allocation but that's
less than the variant using the enumerator wrapper, thus, decreasing
the conflict potential. This way we can also avoid closing the
FD for the enumerated directory itself.
References #990.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
When strings in RDNs contain characters outside the character set for
PrintableString use UTF8String as the passed string is most likely in
that encoding (RFC 5280 actually recommends to use only those two
string types).
|
| |
|
|
|
|
|
| |
Compared to hashing the encoding we can ignore string types of RDNs when
hashing DNs, making hash() compatible to equals() that does the same.
Fixes #991.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some tokens/libraries seem to prefix all numbers with zero bytes even
if not necessary (e.g. the default exponent 0x010001). If we don't fix
that, the fingerprints calculated based on the retrieved values will be
incorrect.
Even if the pkcs1 plugin can properly handle numbers that are not in
two's complement since a81bd670b086 ("Added PUBKEY_RSA_MODULUS
encoding type") we prefix them with zero if necessary as other encoders
might expect them in two's complement.
Fixes #1012.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When precision is given for a string, we must not run unbounded
strlen() as it will read beyond the given length. It might even cause
a crash if the given pointer is near end of heap or mapping.
Fixes numerous valgrind errors such as:
==19215== Invalid read of size 1
==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853)
==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084)
==19215== by 0x52CE464: dntoa (identification.c:337)
==19215== by 0x52CE464: identification_printf_hook (identification.c:837)
==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
==19215== by 0x57040EB: vlog (bus.c:388)
==19215== by 0x570427D: log_ (bus.c:430)
==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd
==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296)
==19215== by 0x52CD198: chunk_printable (chunk.c:759)
==19215== by 0x52CE442: dntoa (identification.c:334)
==19215== by 0x52CE442: identification_printf_hook (identification.c:837)
==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
==19215== by 0x57040EB: vlog (bus.c:388)
==19215== by 0x570427D: log_ (bus.c:430)
==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Unterminated strings are now an error.
|
| | |
|
