| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
fgetc() returns an int and EOF is usually -1 so when this gets casted to
a char the result depends on whether `char` means `signed char` or
`unsigned char` (the C standard does not specify it). If it is unsigned
then its value is 0xff so the comparison with EOF will fail as that is an
implicit signed int.
|
| | |
|
| |
|
|
|
|
|
|
| |
Newer versions of GCC are too "smart" and replace a call to malloc(X)
followed by a call to memset(0,X) with a call co calloc(), which obviously
results in an infinite loop when it does that in our own calloc()
implementation. Using `volatile` for the variable storing the total size
prevents the optimization and we actually call malloc().
|
| | |
|
| |
|
|
|
| |
Some C libraries, such as uClibc, require an explicit link for some atomic
functions. Check for any libatomic, and explcily link it.
|
| | |
|
| |
|
|
|
|
| |
Some of these are also understood by BoringSSL.
Fixes #1510.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This fixes DNS server installation if make-before-break reauthentication
is used as there the new SA and DNS server is installed before it then
is removed again when the old IKE_SA is torn down.
|
| |
|
|
| |
This allows us to capture output written to stderr/stdout.
|
| |
|
|
|
|
| |
If running resolvconf fails handle() fails release() is not called, which
might leave an interface file on the system (or depending on which script
called by resolvconf actually failed even the installed DNS server).
|
| | |
|
| | |
|
| |
|
|
|
| |
This is the direction we actually need routes in and makes the code
easier to read.
|
| |
|
|
| |
are in the selector
|
| |
|
|
|
|
|
|
|
| |
are in the selector
We don't need them for drop policies and they might even mess with other
routes we install. Routes for policies with protocol/ports in the
selector will always be too broad and might conflict with other routes
we install.
|
| |
|
|
|
| |
An exception is if the local address is virtual, in which case we want
the route to be via TUN device.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Using the source address to determine the interface is not correct for
net-to-net shunts between two interfaces on which the host has IP addresses
for each subnet.
|
| | |
|
| |
|
|
|
| |
The returned name should be the interface over which the destination
address/net is reachable.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Other threads are free to add/update/delete other policies.
This tries to prevent race conditions caused by releasing the mutex while
sending messages to the kernel. For instance, if break-before-make
reauthentication is used and one thread on the responder is delayed in
deleting the policies that another thread is concurrently adding for the
new SA. This could have resulted in no policies being installed
eventually.
Fixes #1400.
|
| | |
|
| | |
|
| |
|
|
| |
#1467.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
memeq() is currently used to compare these but if there is padding that
is not initialized the same for two instances the comparison fails.
Using this function ensures the objects are compared correctly.
|
| |
|
|
|
|
|
|
|
|
|
| |
If a pseudonym changed a new entry was added to the table storing
permanent identity objects (that are used as keys in the other table).
However, the old mapping was not removed while replacing the mapping in
the pseudonym table caused the old pseudonym to get destroyed. This
eventually caused crashes when a new pseudonym had the same hash value as
such a defunct entry and keys had to be compared.
Fixes strongswan/strongswan#46.
|
| |
|
|
|
|
| |
If two CHILD_SAs with mark=%unique are created concurrently they could
otherwise end up with either the same mark or different marks in both
directions.
|
| |
|
|
|
|
|
|
|
| |
This is the case for the IKE_SA_INIT and the initial IKEv1 messages, which
are pre-generated in tasks as at least parts of it are used to generate
the AUTH payload. The IKE_SA_INIT message will never be fragmented, but
the IKEv1 messages might be, so we can't just call generate_message().
Fixes #1478.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
| |
This fixes authentication with tokens that require the PIN for every
signature.
Fixes #1369.
|
| |
|
|
|
|
|
| |
If a local authentication failure occurs in IKEv1 we delete the IKE_SA, which
we don't want the controller to detect as success.
Fixes #1449.
|
| |
|
|
|
|
|
|
|
|
| |
Some peers send an INITIAL_CONTACT notify after they received our XAuth
username. The XAuth task waiting for the third XAuth message handles
this incorrectly and closes the IKE_SA as no configuration payloads are
contained in the message. We queue the INFORMATIONAL until the XAuth
exchange is complete to avoid this issue.
Fixes #1434.
|
| |
|
|
|
|
| |
identities
References #1380.
|
| |
|
|
| |
Fixes #1380.
|
| |
|
|
|
|
|
| |
The correct encoding got lost in bdec2e4f5291 ("refactored openac and
its attribute certificate factory").
Fixes #1370.
|
| | |
|
| |
|
|
|
|
| |
If the af-alg plugin is enabled, but kernel support is missing, we get
an error line during startup for each probed algorithm. This is way too
verbose, so just skip probing if AF_ALG is unsupported.
|
| |
|
|
| |
This fixes the out-of-tree build.
|
| |
|
|
| |
Fixes #1442.
|
| |
|
|
| |
package
|
| | |
|
