Calling malloc() after fork() is potentially unsafe, so we should avoid
it if possible. opendir() will still require an allocation but that's
less than the variant using the enumerator wrapper, thus, decreasing
the conflict potential. This way we can also avoid closing the
FD for the enumerated directory itself.
References #990.
When strings in RDNs contain characters outside the character set for
PrintableString use UTF8String as the passed string is most likely in
that encoding (RFC 5280 actually recommends to use only those two
string types).
Compared to hashing the encoding we can ignore string types of RDNs when
hashing DNs, making hash() compatible to equals() that does the same.
Fixes#991.
When precision is given for a string, we must not run unbounded
strlen() as it will read beyond the given length. It might even cause
a crash if the given pointer is near end of heap or mapping.
Fixes numerous valgrind errors such as:
==19215== Invalid read of size 1
==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853)
==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084)
==19215== by 0x52CE464: dntoa (identification.c:337)
==19215== by 0x52CE464: identification_printf_hook (identification.c:837)
==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
==19215== by 0x57040EB: vlog (bus.c:388)
==19215== by 0x570427D: log_ (bus.c:430)
==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd
==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296)
==19215== by 0x52CD198: chunk_printable (chunk.c:759)
==19215== by 0x52CE442: dntoa (identification.c:334)
==19215== by 0x52CE442: identification_printf_hook (identification.c:837)
==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
==19215== by 0x57040EB: vlog (bus.c:388)
==19215== by 0x570427D: log_ (bus.c:430)
==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
As it turns out, getpwnam_r, getgrnam_r, and friends will return
ERANGE if _any_ user or group on the system is larger than will fit
into the scratch buffer you pass to them.
This reworks the resolve_uid and resolve_gid methods plus
init_supplementary_groups to use a variable-size buffer that is grown
until the results fit.
Based on a patch by Evan Broder.
Closesstrongswan/strongswan#12.
This prevented `stroke memusage` from reporting the leaks on the
console. Instead, they were sent to the callbacks set up by libstrongswan.
Fixes a426851f63 ("leak-detective: Use callback functions to report
leaks and usage information").
gcry_check_version() does not free statically allocated resources. However,
we can't whitelist it in some versions, as it is not a resolvable symbol name.
Instead, whitelist our own plugin constructor function.
While we could use posix_memalign(3), that is not fully portable. Further, it
might be difficult on some platforms to properly catch it in leak-detective,
which results in invalid free()s when releasing such memory.
We instead use a simple wrapper, which allocates larger data, and saves the
padding size in the allocated header. This requires that memory is released
using a dedicated function.
To reduce the risk of invalid free() when working on corrupted data, we fill up
all the padding with the padding length, and verify it during free_align().
While they usually are not included in a normal strongSwan build, the XPC
header indirectly defines these Mach types. To build charon-xpc, which uses
both XPC and strongSwan includes, we have to redefine these types.
To make accept/recvmsg cancelable, we wrap them with poll. As poll itself
does not honor pending cancellations when entering the function, we use our
variant that checks for pending cancellation requests before entering poll().
fstat() in newer MinGWs is defined as non-static inline. With our new static
inline memset()/memcpy() overloads, this raises a warning. To avoid it,
explicitly include <sys/stat.h> once before defining these overloads.
These wrappers guarantee that calls to these functions are noops if the
number of bytes is 0, as calling them with NULL pointers is undefined
according to the C standard, even if the number of bytes is 0 (most
implementations probably ignore the pointers anyway in this case, but
lets make sure).
While Winsock provides many Posix compatibility functions, they do not set
errno, but use WSAGetLastError() for error reporting. The wrapped functions
derive an errno from WSAGetLastError() on failure.
Instead of using weak symbols, we use dlsym() on Windows to find an arbitrary
symbol in libtest to detect its linkage. Instead of creating the associated
hashtable in the test runner, we maintain it in libstrongswan, making it
significantly simpler.
Due to the removal of pthread_once, we manually create the seed for
chunk_hash(). With the new testable functions interface, this won't work for
the hashtable initiated using __attribute__((constructor)). Enforce seeding
before creating that hashtable.