Lubomir Rintel [Fri, 23 Oct 2015 09:29:42 +0000 (11:29 +0200)]
nm: Install the .name file into /usr/lib/NetworkManager/VPN
It's the preferred location for system-provided plugins.
A compatible file in /etc is still kept. Also, the compatibility /etc
file needs to use a full path due to a bug in GNOME Shell.
The full path to an arch-dependent file in a supposedly arch-independent
file is a sin and a multilib violation in some distributions. However,
some pre-release versions of NetworkManager-1.2 as shipped by
distributions require a full path. Let's keep a configure-time option
for that.
nm: Don't do <deny send_interface="..." /> in dbus service file
It does more than intended; apart from denying messages to that
particular interface it also denies all messages non-qualified with an
interface globally. This blocks messages completely unrelated to
strongSwan's VPN plugin, such as NetworkManager communication with the
VPN plugins.
From the dbus-daemon manual:
Be careful with send_interface/receive_interface, because the
interface field in messages is optional. In particular, do NOT
specify <deny send_interface="org.foo.Bar"/>! This will cause
no-interface messages to be blocked for all services, which is
almost certainly not what you intended. Always use rules of the form:
We can just safely remove those rules, since we're sufficiently
protected by the send_destination matches and method calls are
disallowed by default anyway.
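To illustrate the over-broad rule described above next to a destination-scoped policy, here is an added example D-Bus service policy; it is not the plugin's actual service file, and the bus name org.example.VPNPlugin and interface org.example.VPNPlugin.Helper are constructed placeholders.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Problematic form (kept only as a comment): because the interface
       field of a message is optional, this rule does not just deny the
       named interface on this service; it also denies every message
       without an interface field, for every service on the bus. -->
  <!--
  <policy context="default">
    <deny send_interface="org.example.VPNPlugin.Helper"/>
  </policy>
  -->

  <!-- Corrected form: scope every rule by destination. The owner of the
       name may be called by root; nobody else may own the name or send
       to it. Method calls not matched by an allow rule are rejected by
       dbus-daemon by default, so no interface-wide deny is needed. -->
  <policy user="root">
    <allow own="org.example.VPNPlugin"/>
    <allow send_destination="org.example.VPNPlugin"/>
  </policy>
  <policy context="default">
    <deny own="org.example.VPNPlugin"/>
    <deny send_destination="org.example.VPNPlugin"/>
  </policy>

  <!-- Had an interface really needed blocking, pairing send_interface
       with send_destination confines the effect to this one service:
       <deny send_destination="org.example.VPNPlugin"
             send_interface="org.example.VPNPlugin.Helper"/> -->
</busconfig>
```

The file belongs in /etc/dbus-1/system.d/ (or the vendor equivalent); after editing, `dbus-send --system --print-reply --dest=org.example.VPNPlugin / org.freedesktop.DBus.Introspectable.Introspect` run as an unprivileged user should be rejected while the same call as root succeeds.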
Tobias Brunner [Tue, 30 Aug 2016 13:30:49 +0000 (15:30 +0200)]
testing: Try to properly abort a test run after CTRL-C
The run is aborted after the current scenario. Depending on which
command was interrupted it might be necessary to press CTRL-C multiple
times (e.g. if a later command depends on the interrupted one).
This should fix HTML files and get us some proper console output after
the run.
testing: Mount and serve testresults from the host
This avoids having to copy testresults, makes results of cancelled runs
browsable (runs may actually be followed live) and preserves old results
when rebuilding guest images (e.g. when using the build-strongswan script).
The number of consecutive test runs without any intermittent rebuild of the
guest images is also not limited by the image size anymore.
configure: Improve check for built-in __atomic_* functions
With AC_SEARCH_LIBS() we don't succeed if the searched function is a
built-in as the check uses the wrong signature so the built-in will not
be applied (the warning issued by GCC is "conflicting types for built-in
function '...'"). So even if not required, libatomic will be linked if
it is found, which could be problematic if compiling on a separate host
and the target host does not have libatomic installed.
Also, some tests showed that it's more likely that __atomic_and_fetch()
requires linking libatomic than __atomic_load_n() does.
Tobias Brunner [Tue, 23 Aug 2016 14:47:05 +0000 (16:47 +0200)]
ikev1: Ignore the last two bytes of the Cisco Unity vendor ID
These seem to indicate the major and minor version of the protocol, like
e.g. for the DPD vendor ID. Some implementations seem to send versions
other than 1.0 so we just ignore these for now when checking for known
vendor IDs.
Tobias Brunner [Tue, 28 Jun 2016 10:22:10 +0000 (12:22 +0200)]
ikev1: Flush active queue when queueing a delete of the IKE_SA
By aborting the active task we don't have to wait for potential
retransmits if the other peer does not respond to the current task.
Since IKEv1 has no sequential message IDs and INFORMATIONALs are no real
exchanges this should not be a problem.
Tobias Brunner [Wed, 29 Jun 2016 12:39:06 +0000 (14:39 +0200)]
testing: Remove obsolete openssl-fips recipe
This was only required when we initially started and OpenSSL was built
from sources, which was changed with b97dd59ba841 ("install FIPS-aware
OpenSSL Debian packages").
Tobias Brunner [Tue, 21 Jun 2016 09:12:18 +0000 (11:12 +0200)]
plugin-loader: Allow selective modification of the default plugin list
This change allows selectively modifying the default plugin list by setting
the `load` setting of individual plugins (e.g. to disable them or to change
their priority) without enabling charon.load_modular and having to configure
a section and a load statement for every plugin.
Tobias Brunner [Wed, 29 Jun 2016 09:10:07 +0000 (11:10 +0200)]
Merge branch 'openssl-1.1.0'
This adds support for OpenSSL 1.1.0. Several APIs have changed and it makes
all types opaque, which requires using new getter/setter functions. For older
versions fallbacks are provided.
Tobias Brunner [Mon, 27 Jun 2016 16:04:39 +0000 (18:04 +0200)]
leak-detective: Try to properly free allocations after deinitialization
If a function we whitelist allocates memory while leak detective is enabled
but only frees it after LD has already been disabled, free() will get called
with invalid pointers (not pointing to the actually allocated memory by LD),
which will cause checks in the C library to fail and the program to crash.
This tries to detect such cases and call free() with the correct pointer.
Tobias Brunner [Mon, 27 Jun 2016 15:44:57 +0000 (17:44 +0200)]
openssl: Whitelist OPENSSL_init_crypto() and others in leak detective
Lots of static data is allocated in this function, which isn't freed until
the library is unloaded (we can't call OPENSSL_cleanup() as initialization
would fail when calling it again later). When enabling the leak
detective the test runner eventually crashes as all the data allocated during
initialization has an invalid size when freed after leak detective has been
unloaded.
Tobias Brunner [Mon, 27 Jun 2016 14:56:22 +0000 (16:56 +0200)]
openssl: Update CRL API to OpenSSL 1.1.0
There is currently no way to compare the outer and inner algorithms
encoded in a parsed CRL. X509_CRL_verify() does not seem to check that
either, though (unlike X509_verify()).