Try solve upstream conflict #2
Open
highland0971 wants to merge 1,345 commits into highland0971:master from strongswan:master
…'t supported Fixes: 49769ff ("pkcs11: Support RSA-PSS signatures")
…or all backends Only the vici plugin previously set OCSP_SEND_REPLY explicitly, all other backends would have defaulted to OCSP_SEND_BOTH. References #2016
The previous option caused such requests to be enabled if not explicitly disabled, which only the vici plugin did, for all other backends requests would have been sent. References #2016
Wireshark has shown the following error dialogue because the identifier was incorrect [1]: Error loading table 'ESP SAs': esp_sa:18: invalid value: TripleDes-CBC [RFC2451] [1] https://github.com/wireshark/wireshark/blob/3757f42e5f0a8ee6b14a117a2fd99af759a31d98/epan/dissectors/packet-ipsec.c#L203 Closes #2013
…ntention Fixes: 5d91d8c ("Check rng return value when generating SPIs in ike_sa_manager_t") Signed-off-by: Thomas Egerer <[email protected]>
musl's headers define a lot of networking structs. For some, the definition in the Linux UAPI headers is then suppressed by e.g. __UAPI_DEF_ETHHDR. Since we included musl's net/ethernet.h, which includes netinet/if_ether.h that defines `struct ethhdr` (and the above constant), **after** we include linux/if_ether.h, there was a compilation error because the struct was defined multiple times. However, simply moving that include doesn't fix the problem because for ARP-specific structs the Linux headers don't provide __UAPI_DEF* checks. So instead of directly including the linux/ headers, we include those provided by the C library. For glibc these usually just include the Linux headers, but for musl this allows them to define the struct directly. We also need to move if.h and add packet.h, which define other structs (or include headers that do so) that we use. Fixes: 187c72d ("dhcp: Port the plugin to FreeBSD/macOS")
Same issue as described in the previous commit. Fixes: 187c72d ("dhcp: Port the plugin to FreeBSD/macOS")
This won't work for monolithic builds because the plugin and the executable are built before libstrongswan.
With GCC 13, the compiler apparently applies new aliasing optimizations when compiled with -O2 and without -fno-strict-aliasing. This caused the application of the second padding bit, where the state was accessed via uint8_t[], to be moved before the loop that absorbs the buffer into the state, where the state is accessed via uint64_t[], resulting in incorrect output. By only accessing the state via uint64_t[] here the compiler won't reorder the instructions.
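The lane-only access pattern the commit describes, as an added example that is not strongSwan's code: a Keccak-style absorb plus pad10*1 that reads the byte buffer into a local uint64_t and touches the 25-lane state only as uint64_t[]. The function names, the assumption that len is smaller than rate and that rate is a multiple of 8, and the omission of the Keccak-f permutation are all mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not strongSwan code): the state is never viewed as a
 * uint8_t array, so there is no byte-wide store the compiler could hoist
 * above the uint64_t absorb loop.  The Keccak-f permutation is omitted. */

#define KECCAK_LANES 25

/* Build a little-endian lane from n (<= 8) bytes without aliasing the state. */
static uint64_t lane_from_bytes(const uint8_t *p, size_t n)
{
    uint64_t lane = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        lane |= (uint64_t)p[i] << (8 * i);
    }
    return lane;
}

/* XOR `len` bytes of `buf` (assumed len < rate, rate % 8 == 0) into the
 * state, then apply the suffix/padding byte at byte position `len` and the
 * final 0x80 at byte position rate-1, all through uint64_t lane operations. */
void keccak_absorb_pad(uint64_t state[KECCAK_LANES], const uint8_t *buf,
                       size_t len, size_t rate, uint8_t suffix)
{
    size_t off = 0;

    /* absorb the buffer lane by lane */
    while (off + 8 <= len) {
        state[off / 8] ^= lane_from_bytes(buf + off, 8);
        off += 8;
    }
    if (off < len) {
        state[off / 8] ^= lane_from_bytes(buf + off, len - off);
    }
    /* first padding bit(s): the suffix byte directly after the data */
    state[len / 8] ^= (uint64_t)suffix << (8 * (len % 8));
    /* last padding bit: 0x80 in the final byte of the rate block */
    state[(rate - 1) / 8] ^= (uint64_t)0x80 << (8 * ((rate - 1) % 8));
}

/* Demo: absorb the constructed input "abc" with the SHA3-256 rate (136 bytes)
 * and the SHA-3 suffix 0x06, and return the requested lane of the state. */
uint64_t keccak_demo_lane(size_t idx)
{
    static const uint8_t msg[3] = { 'a', 'b', 'c' };
    uint64_t state[KECCAK_LANES] = { 0 };

    keccak_absorb_pad(state, msg, sizeof(msg), 136, 0x06);
    return idx < KECCAK_LANES ? state[idx] : 0;
}
```

Lane 0 ends up as 0x06636261 (the three message bytes followed by the suffix) and lane 16 carries the final 0x80 in its top byte; every other lane stays zero until the permutation runs.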
This is a patch from the OpenWrt package sources necessary to adapt to changes from 2008 that abstracted the option datatype (added a list type). Signed-off-by: Noel Kuntze <[email protected]> Reviewed-by: Philip Prindeville <[email protected]>
…bled There are definitions of RNG in <wolfssl/wolfcrypt/settings.h> and <wolfssl/wolfcrypt/random.h> that play havoc with the literal RNG being used in the expansions of PLUGIN_*(RNG, ...) when ##-concatenated to build the enum value FEATURE_RNG. The #undef in wolfssl_common.h only had an effect if wolfSSL was built with EdDSA or FIPS enabled, otherwise, the headers that define RNG were not pulled in before it. Signed-off-by: Philip Prindeville <[email protected]>
Since the script and action have issues with the directory structure, we upload the lcov results instead.
We explicitly pass the final .info file prepared with lcov, so there is no need to search for other files (that then won't work anyway). The search also finds the uncleaned .info file, which includes the test code. The latter should have gotten ignored anyway, but the patterns are apparently not correct anymore. So fixing that as well just to be sure.
…y pools References #2205
If a base address is configured, we don't expect the pool to be empty, so reject the creation (e.g. with the broadcast address as base). References #2205
If somebody copies our .gitignore and tries to import the source code, the proposal_keywords.c file will not be added as it's ignored by the `*keywords.c` pattern we use to ignore gperf-generated source files. Closes #2014
Signed-off-by: Thomas Egerer <[email protected]>
These allow, for instance, a vici client on a host to communicate with an IKE daemon running in a VM. Signed-off-by: Thomas Egerer <[email protected]>
…ertificates References #2523
If the lifetime of an issuing or sub CA is twice the lifetime of the end entity certificates issued by it and the renewal cycle of the issuing CAs is a little shorter than the validity of the end entity certificates then three generations of CA certificates have to be handled by the cert-enroll scripts.
Both variables `inbound_installed` and `outbound_state` are used in `child_sa_t::destroy()` to determine whether inbound and outbound state have to be deleted. They are assigned prior to the call to `kernel_interface_t::add_sa()`. As this call may fail, the destructor may try to delete a state which has not been added. By making the assignment of these variables dependent on the success of the state addition, we can make sure that a `child_sa_t::destroy()` only deletes states it has added. Also removed the redundant checks for `my_spi` and `other_spi` being set along with the check for the above flags. It seems that when the flags are set, the SPIs *must* be set. Signed-off-by: Thomas Egerer <[email protected]>
We don't use versions that don't support this anymore and sometimes the detection didn't work properly and a run without it would get started.
… parallel This is a bit quicker than doing this with separate SSH calls for each host sequentially (up to half a second per test).
In particular the swanctl calls all take a while and this allows doing them in parallel if multiple hosts are involved. This reduces the runtime of each test by 1-3 seconds.
Makes it easier to compare multiple runs against each other.
There are a lot of files without patterns and running them all through sed is quite slow. Using grep first makes this quicker (about 0.5s per test). Ignoring PEM files is also helpful.
This is a bit faster than two sequential calls.
…ailable Fixes: a2fba6d ("file-logger: Add option to log messages as JSON objects")
If a migrate of a child-create occurs then labels_i and labels_r are freed, but the pointers are left set. If the task is subsequently destroyed without being reused, then both of these will be double freed. Fix this by setting labels_i and labels_r to NULL in the migrate method after freeing, similar to other fields that are freed. Closes #2552 Fixes: f9b895b ("child-create: Add support to handle security labels")
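The ownership pattern behind that fix, as an added example rather than strongSwan's child-create task code: a task owning two label lists is migrated (reset for reuse) and later destroyed, and the destructor frees only what is still owned. The types, function names and the free counter are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Added example (not strongSwan code): owned lists freed on migrate must be
 * NULLed, otherwise destroy() frees them a second time. */

typedef struct label {
    struct label *next;
    char value[16];
} label_t;

typedef struct {
    label_t *labels_i;   /* initiator-side labels, owned */
    label_t *labels_r;   /* responder-side labels, owned */
    int frees;           /* number of list frees, for the checks below */
} task_t;

static label_t *label_list(const char *v)
{
    label_t *l = calloc(1, sizeof(*l));
    strncpy(l->value, v, sizeof(l->value) - 1);
    return l;
}

static void labels_free(task_t *t, label_t *head)
{
    if (!head) {
        return;
    }
    while (head) {
        label_t *next = head->next;
        free(head);
        head = next;
    }
    t->frees++;
}

void task_init(task_t *t)
{
    memset(t, 0, sizeof(*t));
    t->labels_i = label_list("sys:i");   /* constructed sample data */
    t->labels_r = label_list("sys:r");
}

/* Pre-fix behaviour: the lists are freed but the pointers stay set, so a
 * later task_destroy() would free them again.  Never call this in practice. */
void task_migrate_buggy(task_t *t)
{
    labels_free(t, t->labels_i);
    labels_free(t, t->labels_r);
}

/* Fixed migrate: release the lists and drop ownership explicitly. */
void task_migrate(task_t *t)
{
    labels_free(t, t->labels_i);
    t->labels_i = NULL;
    labels_free(t, t->labels_r);
    t->labels_r = NULL;
}

/* Destroy frees only lists that are still owned. */
void task_destroy(task_t *t)
{
    labels_free(t, t->labels_i);
    t->labels_i = NULL;
    labels_free(t, t->labels_r);
    t->labels_r = NULL;
}

/* Migrate then destroy without reuse: exactly two list frees in total. */
int demo_migrate_then_destroy(void)
{
    task_t t;
    task_init(&t);
    task_migrate(&t);
    task_destroy(&t);
    return t.frees;
}

/* Plain destroy: also exactly two list frees. */
int demo_destroy_only(void)
{
    task_t t;
    task_init(&t);
    task_destroy(&t);
    return t.frees;
}
```

Both demo paths free each list exactly once; with `task_migrate_buggy()` in place of `task_migrate()` the destroy call would walk the already-freed lists.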
The previous approach had two drawbacks: First, it caused duplicate public keys because when the `certificate_t` object was created and added to the credential set it had no subject assigned yet. So it defaulted to the key ID. However, all previously loaded keys had their subject already changed to an identity, so there never was a match and new objects were always added whenever a config with raw public keys was loaded. Second, the subject was replaced in a way that's not thread-safe on an object that's already shared in the public credential set. So other threads could potentially access the `identification_t` object that's destroyed during that process. References #853 Closes #2561
If not properly used (i.e. before sharing the object), this was not thread-safe. So better remove it and force users to create immutable objects.
Directly calling setup.py is deprecated (apparently has been for a while, but now we get large warnings). Direct installation is also discouraged. So this removes that option. The built wheel (the old egg format is not used/built anymore) can be installed manually in a venv or the like.
Some scenarios disable route installation and if they are executed before any scenarios that don't, there won't be a rule for table 220 and we get "FIB table does not exist" errors.
No description provided.