If the peer successfully rekeyed the SA it gets marked as IKE_REKEYED
and it remains until the peer deletes it (or a timeout). There is no
point in rekeying such SAs again.
IKE_REKEYING will be relevant if we have multi-KE rekeyings and are
waiting for followup key exchanges for a passive rekeying.
This avoids the use of a variable length array, which should probably
be avoided in general due to potential performance, portability and
security issues (not in this particular case, though).
Closesstrongswan/strongswan#1095
The compiler warned that a dangling pointer might be used because `name`,
which is returned from the function via `ima_name`, might point into the
locally determined `uri`. Determining the URI outside and passing it to
the function fixes this.
GCC assumes this->b is zero (or may be zero) and spits out the following
warning (or error with -Werror):
src/libstrongswan/plugins/fips_prf/fips_prf.c:124:12: error: array subscript 18446744073709551615 is above array bounds of ‘uint8_t[<U8090>]’ {aka ‘unsigned char[<U8090>]’} [-Werror=array-bounds]
124 | one[this->b - 1] = 0x01;
| ~~~^~~~~~~~~~~~~
Even though the assignment of `removed` to `out_row` is tied to the
`found_removed` flag, which is only set if `removed` is set, the
compiler complains that it may be used uninitialized.
GCC 12 produces weird code when a callback is called directly (e.g.
parse_bool() via parse_option() in vici_config.c). Instead of the actual
pointer, it explicitly passes 0 as first argument, which likely causes
a segmentation fault. It doesn't happen when called indirectly via
function pointer that has void* as first argument, which this patch
kinda replicates for direct calls to avoid the issue.
Closesstrongswan/strongswan#1053
These only apply to the usage reports that are available via
`stroke memusage`, not to leak reports when executables are terminated,
which always include all non-whitelisted leaks.
This should make it clearer to what the log messages generated by
verify_trust_chain() are related (in particular if building the chain
fails or the cert has expired).
The TCG TNC IF-M Segmentation standard was implemented based on a
draft version. The attribute names are updated to comply with the
final TCG IF-M Segmentation Specification Version 1.0 Rev. 5
dated 4 April 2016
Adds support for GTK 4. Two versions of the UI are built as shared
objects, the plugin dynamically loads and instantiates the appropriate one
based on the determined GTK version.
Closesstrongswan/strongswan#961
GTK4 does not support buttons at the bottom, so we put them in a header
bar, which is the preferred layout by current desktop environments. And
while it doesn't look ideal on older desktops, it also works with GTK3
and changing it avoids having to maintain multiple UI files.
Note that this layout is not supported by glade, so we generally can't
use it to edit the GUI anymore (it also doesn't support GTK4 in general).
Remove outbound SA and policy of rekeyed CHILD_SA since only one is valid.
Otherwise, during update-SA job (when NAT mapping changed), CHILD_SA are
updated and installed one by one, leaving a window where old SAs are being
used. There are also circumstances where the new SA is not processed last.
Closesstrongswan/strongswan#1041
This ensures the plugin is available if AES-based PRFs could get used or
none of the third-party crypto plugins is enabled and it's required for
HMAC-based PRFs as well.
References strongswan/strongswan#1026
