forked from strongswan/strongswan
Try solve upstream conflict #2
Open
highland0971 wants to merge 1,365 commits into highland0971:master from strongswan:master
Conversation
Since the script and action have issues with the directory structure, we upload the lcov results instead.
We explicitly pass the final .info file prepared with lcov, so there is no need to search for other files (that then won't work anyway). The search also finds the uncleaned .info file, which includes the test code. The latter should have gotten ignored anyway, but the patterns are apparently not correct anymore. So fixing that as well just to be sure.
…y pools References #2205
If a base address is configured, we don't expect the pool to be empty, so reject the creation (e.g. with the broadcast address as base). References #2205
If somebody copies our .gitignore and tries to import the source code, the proposal_keywords.c file will not be added as it's ignored by the `*keywords.c` pattern we use to ignore gperf-generated source files. Closes #2014
Signed-off-by: Thomas Egerer <[email protected]>
These allow, for instance, a vici client on a host to communicate with an IKE daemon running in a VM. Signed-off-by: Thomas Egerer <[email protected]>
Can be useful if the CID inside the VM is not known. The \htmlonly\endhtmlonly hack is used to avoid compiler warnings due to /* inside a block comment.
As recommended by RFC 2985, section 5.4.1: "ChallengePassword attribute values generated in accordance with this version of this document SHOULD use the PrintableString encoding whenever possible. If internationalization issues make this impossible, the UTF8String alternative SHOULD be used." Even though the RFC continues with "PKCS #9-attribute processing systems MUST be able to recognize and process all string types in DirectoryString values." there might be older SCEP server implementations that don't accept UTF8String-encoded passwords. In particular because previous versions of PKCS#9 defined this attribute's type as a CHOICE between PrintableString and T61String. References #1831
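The selection rule quoted above, as an added example that is not strongSwan code: the password is checked against the PrintableString alphabet from X.680, tagged as PrintableString (0x13) when it fits and as UTF8String (0x0C) otherwise, and DER-encoded with short or long form length. Tag values and the alphabet are from X.680/X.690; the sample passwords are constructed, and the input is assumed to already be valid UTF-8.

```c
/* Added example, not strongSwan code: pick the PKCS#9 challengePassword
 * string type per RFC 2985 section 5.4.1 (PrintableString whenever possible,
 * otherwise UTF8String) and DER-encode the value. Tag values and the
 * PrintableString alphabet are from X.680/X.690. The password is assumed
 * to be valid UTF-8 already. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASN1_PRINTABLESTRING 0x13
#define ASN1_UTF8STRING      0x0C

/* PrintableString alphabet: A-Z a-z 0-9 and space ' ( ) + , - . / : = ? */
static bool is_printable_string(const char *s, size_t len)
{
    static const char extra[] = " '()+,-./:=?";
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                  (c >= '0' && c <= '9') ||
                  (c != '\0' && strchr(extra, (int)c) != NULL);
        if (!ok) {
            return false;
        }
    }
    return true;
}

/* DER-encode the password as PrintableString or UTF8String.
 * Returns the number of bytes written to out, or 0 if out is too small
 * or the value is longer than 65535 bytes. Stores the chosen tag in *tag. */
static size_t encode_challenge_password(const char *pw, size_t len,
                                        uint8_t *out, size_t outlen,
                                        uint8_t *tag)
{
    uint8_t t = is_printable_string(pw, len) ? ASN1_PRINTABLESTRING
                                             : ASN1_UTF8STRING;
    uint8_t hdr[4] = { t };
    size_t hlen;

    if (len < 0x80) {                 /* short form length */
        hdr[1] = (uint8_t)len;
        hlen = 2;
    } else if (len <= 0xFF) {         /* long form, one length byte */
        hdr[1] = 0x81;
        hdr[2] = (uint8_t)len;
        hlen = 3;
    } else if (len <= 0xFFFF) {       /* long form, two length bytes */
        hdr[1] = 0x82;
        hdr[2] = (uint8_t)(len >> 8);
        hdr[3] = (uint8_t)(len & 0xFF);
        hlen = 4;
    } else {
        return 0;
    }
    if (outlen < hlen + len) {
        return 0;
    }
    memcpy(out, hdr, hlen);
    memcpy(out + hlen, pw, len);
    if (tag) {
        *tag = t;
    }
    return hlen + len;
}

/* Convenience wrappers for NUL-terminated passwords. */
static uint8_t challenge_password_tag(const char *pw)
{
    return is_printable_string(pw, strlen(pw)) ? ASN1_PRINTABLESTRING
                                               : ASN1_UTF8STRING;
}

static size_t challenge_password_der_len(const char *pw)
{
    uint8_t buf[65540];
    return encode_challenge_password(pw, strlen(pw), buf, sizeof(buf), NULL);
}

int main(void)
{
    /* constructed sample passwords */
    const char *samples[] = { "secret123", "p\xc3\xa4sswort", "a@b" };
    for (size_t i = 0; i < 3; i++) {
        uint8_t der[64], tag;
        size_t n = encode_challenge_password(samples[i], strlen(samples[i]),
                                             der, sizeof(der), &tag);
        printf("%-12s tag=0x%02x der_len=%zu\n", samples[i], tag, n);
    }
    return 0;
}
```

A server that only understands the older CHOICE of PrintableString and T61String will still accept the first sample; the other two necessarily fall back to UTF8String, which is the case the commit message is concerned about.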
The libraries were previously shipped with the -dev package.
If the regular daemon is running, it creates an unconditional routing rule for the routing table. The rule that charon-nm tries to create, which excludes marked IKE/ESP traffic to avoid a routing loop, then can't be installed and we'd end up with said loop. Closes #2230
Instead of just adding the offset internally, this way the reported base address is always the first assignable address (e.g. for 192.168.0.0/24 vs. 192.168.0.1/24). Closes #2264
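The base address handling from the two mem-pool commits above (rejecting a base that leaves the pool empty, and reporting the first assignable address rather than the network ID), as an added example that is not strongSwan code. It assumes addresses as uint32_t in host byte order and, as this example's own choice, treats /31 and /32 as having no network or broadcast address. The sample configurations are constructed.

```c
/* Added example, not strongSwan code: derive the assignable range of an
 * IPv4 pool from a configured base address and prefix length: the network
 * ID is skipped as base, the broadcast address is never handed out, and a
 * base that leaves the pool empty is rejected. /31 and /32 are assumed to
 * have no network or broadcast address (all addresses assignable); that is
 * this example's choice. Addresses are uint32_t in host byte order. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t first;   /* first assignable address */
    uint32_t last;    /* last assignable address */
    uint32_t count;   /* number of assignable addresses */
} pool_range_t;

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static uint32_t prefix_mask(unsigned prefix)
{
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* Returns false (and leaves *r untouched) if the pool would be empty. */
static bool pool_range(uint32_t base, unsigned prefix, pool_range_t *r)
{
    uint32_t mask, network, broadcast, first, last;

    if (prefix > 32) {
        return false;
    }
    mask = prefix_mask(prefix);
    network = base & mask;
    broadcast = network | ~mask;
    first = base;
    last = broadcast;
    if (prefix < 31) {
        if (first == network) {
            first = network + 1;      /* report the first assignable address */
        }
        last = broadcast - 1;         /* broadcast is never assigned */
    }
    if (first > last) {
        return false;                 /* e.g. broadcast configured as base */
    }
    r->first = first;
    r->last = last;
    r->count = last - first + 1;
    return true;
}

/* Scalar helpers: 0 means "no pool". */
static uint32_t pool_first(uint32_t base, unsigned prefix)
{
    pool_range_t r;
    return pool_range(base, prefix, &r) ? r.first : 0;
}

static uint32_t pool_count(uint32_t base, unsigned prefix)
{
    pool_range_t r;
    return pool_range(base, prefix, &r) ? r.count : 0;
}

static void print_ip(uint32_t a)
{
    printf("%u.%u.%u.%u", a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF);
}

int main(void)
{
    /* constructed sample configurations */
    struct { uint32_t base; unsigned prefix; } cfgs[] = {
        { ip4(192, 168, 0, 0), 24 },    /* network ID as base */
        { ip4(192, 168, 0, 1), 24 },    /* explicit first address */
        { ip4(192, 168, 0, 255), 24 },  /* broadcast as base: rejected */
        { ip4(10, 0, 0, 7), 32 },       /* single-address pool */
    };
    for (size_t i = 0; i < sizeof(cfgs) / sizeof(cfgs[0]); i++) {
        pool_range_t r;
        print_ip(cfgs[i].base);
        printf("/%u: ", cfgs[i].prefix);
        if (pool_range(cfgs[i].base, cfgs[i].prefix, &r)) {
            print_ip(r.first); printf(" - "); print_ip(r.last);
            printf(" (%u addresses)\n", r.count);
        } else {
            printf("rejected, pool would be empty\n");
        }
    }
    return 0;
}
```

With this, 192.168.0.0/24 and 192.168.0.1/24 report the same first address and the same 254-address range, and 192.168.0.255/24 is rejected at creation instead of producing an empty pool.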
OpenSSH defaults have changed and scp stopped working with newer versions. There are 2 options to fix it: either use -O (legacy scp protocol) with scp, or enable the sftp subsystem in the SSH server config. This fix uses the second variant. Closes #2310 Signed-off-by: Maxim Uvarov <[email protected]>
Errors in load-testconfig are hidden because the scp return code is not checked, which mutes all errors. Add -e so the script traps any errors. References #2310 Signed-off-by: Maxim Uvarov <[email protected]>
Fixes: 2b11764 ("mem-pool: Adjust the base address if it's the network ID")
…ignatures Looks like a cipher suite without DHE was selected previously. Could be a side-effect of dc10857 ("testing: Remove unnecessary FreeRADIUS dh_file option as recommended in the log").
This change avoids a "variable 'got' might be clobbered by 'longjmp' or 'vfork'" warning with -Wextra.
The number of elements is the first argument, their size the second. The previous code triggered the following warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument
The empty array of rules for `assert_message_empty()` and the resulting size 0 triggers warnings like these: allocation of insufficient size '0' for type 'listener_message_rule_t' with size '12' Using calloc() with `nmemb` set to 0 triggers the same warning.
Not sure what changed, but without this setting, ND packets would not get through to other hosts connected to the same bridge.
The IKE_SA might be busy with a different task while a request to terminate it is getting queued, we don't want to use such an IKE_SA to initiate new CHILD_SAs as these tasks will get lost once the IKE_SA is terminated.
The previous approach had two drawbacks: First, it caused duplicate public keys because when the `certificate_t` object was created and added to the credential set it had no subject assigned yet. So it defaulted to the key ID. However, all previously loaded keys had their subject already changed to an identity, so there never was a match and new objects were always added whenever a config with raw public keys was loaded. Second, the subject was replaced in a way that's not thread-safe on an object that's already shared in the public credential set. So other threads could potentially access the `identification_t` object that's destroyed during that process. References #853 Closes #2561
If not properly used (i.e. before sharing the object), this was not thread-safe. So better remove it and force users to create immutable objects.
Directly calling setup.py is deprecated (apparently has been for a while, but now we get large warnings). Direct installation is also discouraged. So this removes that option. The built wheel (the old egg format is not used/built anymore) can be installed manually in a venv or the like.
Some scenarios disable route installation and if they are executed before any scenarios that don't, there won't be a rule for table 220 and we get "FIB table does not exist" errors.
…y validation Self-signed trust anchors are not part of the certificate path validation according to RFC 8280, section 6.1: "When the trust anchor is provided in the form of a self-signed certificate, this self-signed certificate is not included as part of the prospective certification path." But policies in them could still be used, as stated in section 6.2: "Where a CA distributes self-signed certificates to specify trust anchor information, certificate extensions can be used to specify recommended inputs to path validation. For example, a policy constraints extension could be included in the self-signed certificate to indicate that paths beginning with this trust anchor should be trusted only for the specified policies. [...] Implementations that use self-signed certificates to specify trust anchor information are free to process or ignore such information." So unconditionally enforcing that self-signed root certificates contain the policies is probably too strict. Often they won't contain the extension at all. With this change, we allow that but still enforce the policies in case such a certificate contains them. The other policy-related constraints are also enforced still should they be contained. Closes #2601
On Ubuntu 24.04, llvm-symbolizer-18, which is used to resolve symbols in backtraces, links libcurl.so.4 for some reason. And that in turn requires SRP. If our custom build doesn't provide it, we get stuff like this:
/usr/bin/llvm-symbolizer-18: symbol lookup error: /lib/x86_64-linux-gnu/libcurl.so.4: undefined symbol: SSL_CTX_set_srp_password, version OPENSSL_3.0.0
and the symbols are not resolved and can't be whitelisted. This also makes sure ASan is actually disabled if our own leak-detective is used.
On the Ubuntu 24.04 image, this causes the /home/runner/.config/.android directory to be owned by root, which lets the build fail later.
Newer versions of AddressSanitizer (e.g. in Ubuntu 24.04) will report this now as stack-use-after-return.
The lines in the gperf-generated proposal_keywords_static.c are now mapped to the (much shorter) .txt source file, which causes mismatches like these:
genhtml: ERROR: no data for line:190, TLA:GNC, file:/home/runner/work/strongswan/strongswan/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
We could ignore "unmapped" errors in genhtml, but since the file is generated anyway, we can also exclude it from the results and still get such errors in case this happens for other files. Another alternative would be to remove the `#line` macros in the generated file. Then the coverage of the actual C file would get reported (but again, it's generated, so there isn't much value in it). Also updated the branch coverage option as the one with `lcov_` prefix is deprecated.
Useless and causes a compiler warning/error:
error: a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C23, conflicting with a subsequent declaration [-Werror,-Wdeprecated-non-prototype]
This avoids the following warning/error:
tnc_imv_manager.c:244:39: error: passing arguments to 'tnc_imv_recommendations_create' without a prototype is deprecated in all versions of C and is not supported in C23 [-Werror,-Wdeprecated-non-prototype]
  244 |     return tnc_imv_recommendations_create(this->imvs);
      |                                           ^
Newer versions of clang complain here.
…etc. This only works if plugins are built monolithically and linked statically. Closes #2615
…oups and nonces Also enables the `kdf` plugin automatically if building against an older version of OpenSSL. Closes #2602 Co-authored-by: Tobias Brunner <[email protected]>
Also add the official description for the other ignored rules.
No description provided.