Martin Willi [Mon, 7 Jul 2014 13:49:04 +0000 (15:49 +0200)]
settings: Be more strict in converting settings to specific data types
As the behavior was inconsistent for empty strings or strings with characters
appended to a number, testing the code failed on some platforms. The new rules
are more strict, returning the default if additional characters or an empty
string was found for a setting.
Martin Willi [Mon, 7 Jul 2014 13:27:19 +0000 (15:27 +0200)]
enumerator: Enumerate glob(3) matches using gl_pathc
While glob should return a NULL terminated gl_pathv when having no matches,
at least on OS X this is not true when using GLOB_DOOFFS. Rely on the
number of matches returned in gl_pathc, which seems to be more reliable in
error cases.
Martin Willi [Fri, 4 Jul 2014 08:14:13 +0000 (10:14 +0200)]
kernel-netlink: Rename algorithm identifier from cast128 to cast5
Even if the XFRM identifier was named cast128 in the kernel before 2.6.31, it
actually never worked, because there is no such crypto algorithm.
The identifier has been changed to cast5 in
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=245acb87
to make it work, so we should use that.
Martin Willi [Tue, 1 Jul 2014 08:33:25 +0000 (10:33 +0200)]
gcrypt: Use predefined pthread locking functions instead of custom hooks
Starting with libgcrypt 1.6, it seems that custom locking functions are not
supported anymore. Instead, the user has to select from one of the pre-defined
set of locking functions.
Given that we have a proper threading abstraction API with optional profiling
on all platforms, this is somewhat annoying. However, there does not seem to be
a way to use custom functions, and we have no other choice than using the
provided macro magic to support all libgcrypt versions.
Martin Willi [Wed, 25 Jun 2014 14:06:59 +0000 (16:06 +0200)]
windows: Include <sys/stat.h> explicitly before overloading memset()/memcpy()
fstat() in newer MinGWs is defined as non-static inline. With our new static
inline memset()/memcpy() overloads, this raises a warning. To avoid it,
explicitly include <sys/stat.h> once before defining these overloads.
Martin Willi [Tue, 24 Jun 2014 12:43:38 +0000 (14:43 +0200)]
charon: Set CLOEXEC flag on daemon PID file and /dev/(u)random source FDs
On Fedora, SELinux complains about these open file descriptors when the
updown script invokes iptables. While it seems difficult to set the flag
on all file descriptors, this at least fixes those covered by the SELinux
policy.
As these two cases are in code executed while the daemon is still single
threaded, we avoid the use of atomic but not fully portable fdopen("e") or
open(O_CLOEXEC) calls.
Tobias Brunner [Tue, 24 Jun 2014 12:52:42 +0000 (14:52 +0200)]
utils: Add wrappers for memcpy(3), memmove(3) and memset(3)
These wrappers guarantee that calls to these functions are noops if the
number of bytes is 0, as calling them with NULL pointers is undefined
according to the C standard, even if the number of bytes is 0 (most
implementations probably ignore the pointers anyway in this case, but
lets make sure).
Tobias Brunner [Fri, 20 Jun 2014 14:22:15 +0000 (16:22 +0200)]
Merge branch 'algorithm-order'
Restores the behavior we had before 2e22333fb (except for RNGs), that is,
algorithms are stored in the registration order again. Which is not optimal
as we must rely on plugins to register them in a sensible order, but ordering
them by identifier definitely caused weaker algorithms to be proposed first
in the default proposal, which was even worse.
Tobias Brunner [Fri, 20 Jun 2014 06:51:07 +0000 (08:51 +0200)]
kernel-netlink: Install virtual IPv6 addresses as deprecated
This should prevent the kernel's IPv6 source address selection algorithm
from using this address unless it is forced to by our source route.
This is helpful if split tunneling is used.
Tobias Brunner [Thu, 19 Jun 2014 12:24:48 +0000 (14:24 +0200)]
Merge branch 'passthrough-policies-priority'
Introduces a new priority class for policies, which allows us to install
passthrough policies with a strictly higher priority than IPsec
policies, which was not the case previously depending on the traffic
selectors.
Tobias Brunner [Thu, 19 Jun 2014 12:04:33 +0000 (14:04 +0200)]
Merge branch 'ipsec.conf-parser'
Replaces the ipsec.conf parser in starter. The new parser is also based
on flex/bison but it simply returns key/value collections of all sections.
It already resolves also= and allows overriding options in all included
sections (not only %default), options set in included section can also
be cleared again (key=). It provides other improvements too, like quoted
strings (with escape sequences), unlimited includes and better
whitespace/comment handling.