| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
Just rely on the default proposals by charon if nothing is defined. The
hard-coded IKE proposal used curve25519, which depends on an optional
plugin (while enabled by default it might still not be loaded, or, like
on Debian, shipped in an optional package). With charon's default
proposal only loaded algorithms are proposed for IKE avoiding this issue.
|
| |
|
|
|
|
|
| |
The order of arguments in X509_CRL_get0_signature() is not the same as that
of X509_get0_signature().
Fixes: 989ba4b6cd16 ("openssl: Update CRL API to OpenSSL 1.1.0")
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
gperf is not actually a build dependency as the generated files are
shipped in the tarball. So the type depends on the gperf version on
the host that ran gperf and created the tarball, which might not be
the same as that on the actual build host, and gperf might not even
be installed there, leaving the type undetermined.
Fixes: e0e43229736a ("configure: Detect type of length parameter for gperf generated function")
|
| | |
|
| |
|
|
|
| |
draft-ietf-sacm-nea-swima-patnc-01 changes some SWIMA attribute
names.
|
| |
|
|
|
|
|
| |
It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.
|
| | |
|
| |
|
|
|
| |
Since 3.1 gperf uses size_t for the length parameter instead of an
unsigned int.
|
| |
|
|
|
|
|
|
|
| |
Recent releases of glibc don't include the full stdint.h header in some
network headers included by utils.h. So uintptr_t might not be defined.
Since we use fixed width integers, including the latter, all over the place
we make sure the complete file is included.
Fixes #2425.
|
| | |
|
| |
|
|
| |
We don't need to access this as uint32_t so just cast it to a char*.
|
| |
|
|
|
|
| |
The value of DHCP_OPTEND is 255. When it is assigned this result in a
sign change as the positive int constant is cast to a signed char and -1
results. Clang 4.0 complains about this.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes compilation with -Werror when using Clang 4.0 (but not 3.9)
and possibly prevents undefined behavior.
According to the C standard the following applies to the second
parameter of the va_start() macro (subclause 7.16.1.4, paragraph 4):
The parameter parmN is the identifier of the rightmost parameter
in the variable parameter list in the function definition (the
one just before the ...). If the parameter parmN is declared with
the register storage class, with a function or array type, or with
a type that is not compatible with the type that results after
application of the default argument promotions, the behavior is
undefined.
Because bool is usually just 1 byte and therefore smaller than int (i.e.
the result of default argument promotion) its use as last argument before
... might result in undefined behavior. This theoretically can also
apply to enums as a compiler may use a smaller base type than int.
Since Clang 3.9 (currently in use on Travis by default) a warning is
issued about this, however, that version did not yet compare the actual
size of the argument's type, causing warnings where they are not
warranted (basically for all cases where enum types are used for the
last argument). This was apparently fixed with Clang 4.0, which only
warns about this use of bool with va_start(), which makes sense.
|
| |
|
|
|
|
| |
They now match the dh_constructor_t signature. This is a follow up for
the changes merged with b668bf3f9ec1 and should fix use of MODP_CUSTOM on
Apple's ARM64 platform.
|
| |
|
|
| |
Fixes: 50e4aeb22f49 ("libtnccs: Optionally use RTLD_NOW to load IMC/IMVs with dlopen()")
|
| |
|
|
| |
Fixes: 305c4aa82cb0 ("plugin-loader: Optionally use RTLD_NOW with dlopen()")
|
| | |
|
| |
|
|
|
|
| |
Some Android versions seem to reject routes that use multicast addresses.
Fixes #2420.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This causes problems e.g. on Android where we handle the alert (and
reestablish the IKE_SA) even though it usually is no problem if the
peer retries with the requested group. We don't consider it as a
failure on the initiator either.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If an IPsec SA is actually replaced with a rekeying its entry in the
manager is freed. That means that when the hard expire is triggered a
new entry might be found at the cached pointer location. So we have
to make sure we trigger the expire only if we found the right SA.
We could use SPI and addresses for the lookup, but this here requires
a bit less memory and is just a small change. Another option would be to
somehow cancel the queued job, but our scheduler doesn't allow that at
the moment.
Fixes #2399.
|
| |
|
|
|
|
| |
We don't attempt to parse the transport headers for fragments, not even
for the initial fragment (it's not guaranteed they contain the header,
depending on the number and type of extension headers).
|
| |
|
|
|
| |
Only attempt to parse the transport header of an IPv4 packet if it's
not fragmented or the first fragment.
|
| |
|
|
|
|
| |
Since we are also releasing the ESA ID we have to make sure that the ESA
context is reset and in a clean state in order for it to be actually
reusable.
|
| | |
|
| |
|
|
|
|
| |
Use new reference counting feature of ID manager for AE contexts and
only perform reset if count is zero. Also, do not pass on AE ID as every
IKE SA must decrement AE ID count once it is not used any longer.
|
| | |
|
| |
|
|
|
| |
The function acquires a reference to the given context reference id for
a specific context kind.
|
| |
|
|
| |
This is in preparation of making context ids refcountable.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
sec-updater downloads the deb package files from security updates from
a given linux repository and uses the swid_generator command to
derive a SWID tag. The SWID tag is then imported into strongTNC
using the manage.py importswid command.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case we send retransmits for an IKE_SA_INIT where we propose a DH
group the responder will reject we might later receive delayed responses
that either contain INVALID_KE_PAYLOAD notifies with the group we already
use or, if we retransmitted an IKE_SA_INIT with the requested group but
then had to restart again, a KE payload with a group different from the
one we proposed. So far we didn't change the initiator SPI when
restarting the connection, i.e. these delayed responses were processed
and might have caused fatal errors due to a failed DH negotiation or
because of the internal retry counter in the ike-init task. Changing
the initiator SPI avoids that as we won't process the delayed responses
anymore that caused this confusion.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
BoringSSL does not support OpenSSL's OCSP API.
|
| |
|
|
| |
That's required for OCSP verification.
|
| | |
|
| |
|
|
| |
Fixes #2405.
|
| | |
|
| | |
|
