The log level was incorrectly set to the same value for all groups.
Fixes: dac15e03c8 ("bus: Fix maximum log levels when mixing log/vlog
implementing loggers")
Fix for "Permission denied (you must be root)" error when calling
iptc_init(), which opens a RAW socket to communicate with the kernel,
when built with "--with-capabilities=libcap".
Closes strongswan/strongswan#53.
Fixes#2157.
A wrong variable is used (route instead of best), so much that the
returned interface belongs to the last seen route instead of the best
choice route.
get_route() may therefore return mismatching interface and gateway.
Fixes: 66e9165bc6 ("kernel-netlink: Return outbound interface in get_nexthop()")
Signed-off-by: Christophe Gouault <christophe.gouault@6wind.com>
So far every "newer" CRL (higher serial or by date) replaced an existing
"older" CRL. This meant that delta CRLs replaced an existing base CRL
and that base CRLs weren't added if a delta CRL was already stored. So
the base had to be re-fetched every time after a delta CRL was added.
With this change one delta CRL to the latest base may be stored. A newer
delta CRL will replace an existing delta CRL (but not its base, older
base CRLs are removed, though). And a newer base will replace the existing
base and optional delta CRL.
This was added a few years ago because pki --signcrl once encoded serials
incorrectly as eight byte blobs. But still ensure we have can handle
overflows in case the serial is encoded incorrectly without zero-prefix.
BoringSSL only supports a limited list of (hard-coded) algorithms via
EVP_get_cipherbyname(), which does not include AES-GCM. While BoringSSL
deprecated these functions they are also supported by OpenSSL (in BoringSSL
a completely new interface for AEADs was added, which OpenSSL currently does
not support).
In case of an empty LDAP result during a CRL fetch (for example, due to
a wrong filter attribute in the LDAP URI, or invalid LDAP configuration),
the call to ldap_result2error() with NULL value for "entry" lead to
a crash.
Closesstrongswan/strongswan#52.
Adds checks for proposals parsed from strings. For instance, the presence
of DH, PRF and encryption algorithms for IKE are now enforced and AEAD and
regular encryption algorithms are not allowed in the same proposal anymore.
Also fixed is the mapping of the aes*gmac keywords to an integrity algorithm
in AH proposals.
We parse aes*gmac as encryption algorithm, which we have to map to an
integrity algorithm. We also make sure we remove all other encryption
algorithms and ensure there is an integrity algorithm.