If a unit test times out while generating a private key (e.g. because of
a lack of entropy), this avoids a deadlock by still releasing the read
lock that'd prevent acquiring the write lock when plugins are unloaded.
Closesstrongswan/strongswan#2850
Was apparently forgotten when support was added to the attr plugin
with 98a3ba8a5a16 ("attr: Add p-cscf keyword for P-CSCF server addresses").
For consistency, using an underscore like the `split*` options and not a
dash like in the attr plugin.
References strongswan/strongswan#2396
Apparently, some clients (e.g. native Android) just send an empty
EAP-Identity response. We silently ignored that previously and then
used the IKE identity for the actual EAP method. This change tries to
do something similar (i.e. don't fail if the response is empty), but by
assuming the IKE identity as EAP-Identity, we match that and possibly
can switch configs.
Closesstrongswan/strongswan#2833
Fixes: 2f2e4abe3c52 ("ikev2: Add support to switch peer configs based on EAP-Identities")
Avoid generating versioned shared objects which would need to be
installed along with the version-independent symlink by specifying
"-avoid-version" in the libtool LDFLAGS for the plugin. Avoid any
unwanted surprises by also specifying the "-module" option, making the
LDFLAGS consistent with all other libstrongswan plugins.
Closesstrongswan/strongswan#2844
Use watcher and non-blocking I/O for client connections to avoid issues
with clients that stay connected for a long time.
Closesstrongswan/strongswan#2827
This now adds some state (basically a message buffer), but simplifies
error handling as we don't have to handle two potential failure paths
and could avoid some potential issues by still calling the blocking
read_all().
It also fixes a memory leak when clients disconnect.
Performing a stream read_all call (which is a blocking read) from
within the accept callback has the issue that if a whitelist client is
still connected whilst a shutdown of the charon deamon is triggered
then that shutdown won't complete gracefully due to the accept task
never exiting.
So fix shutting down gracefully by using the socket watcher rather than
a blocking read upon connection accept. Fall back to a blocking read
for partial messages to avoid the complexity associated (i.e. storing
state) for incomplete reads, which shouldn't block and cause the
original problem if the client only sends whole messages.
With a long delay, the retransmit might not get sent before further tests
are evaluated on faster machines, while more retransmits should still allow
the scenario to succeed on slower ones.
Setting the salt to NULL now fails, so we set it to hash length's zeroes,
which is the default value for HKDF-Extract if no salt is passed.
Fixesstrongswan/strongswan#2828
This copies the AC_SEARCH_LIBS check from the main strongSwan
configure.ac.
When building networkmanager-strongswan with slibtool if fails.
ld: cannot find none: No such file or directory
ld: cannot find required: No such file or directory
This is because configure.ac uses AC_SEARCH_LIBS to find dlopen which
sets the value of $ac_cv_search_dlopen to 'none required' which then
gets set in DL_LIBS and passed to slibtool.
With GNU libtool it silently ignores the unknown arguments.
Gentoo issue: https://bugs.gentoo.org/914100Closesstrongswan/strongswan#2141
Signed-off-by: orbea <orbea@riseup.net>
Also removed on Play so the app does not show up when people search
for these keywords (they tend to not read the actual description and
then are surprised that neither protocol is supported).
We now support OpenSSL's implementation in the openssl plugin. This
makes sure our plugin is used on at least one of the hosts if we ever
switch to an OpenSSL version that supports ML-KEM.
In the ikev2/rw-mlkem scenario the logic is reversed. There the ml plugin
is preferred on moon to test the responder side (and carol for the
initiator) and dave will switch to OpenSSL if it ever provides ML-KEM.
As mentioned in 0f141fb095a41a9fdfe5c111269eb643dc643494, we can't
really whitelist the "leaks" in GLib, so don't even try to do anything
with libsoup3.x.
