Don't add a selector to tunnel mode SAs, these might serve multiple
traffic selectors but with only one selector on the SA only the traffic
matching the first one would actually get tunneled.
The kernel implicitly creates an IPIP SA if an IPComp SA is installed.
This SA is used inbound for small packets that are not compressed.
Since the addresses are different (they are the tunnel addresses not
those of the tunneled traffic) additional rules are required if the
traffic selector does not cover the tunnel addresses (e.g. due to a NAT).
For SAs with multiple traffic selectors duplicate rules will get installed.
Either due to a change in Ubuntu 13.10 or GCC 4.8 -Wno-format has no
effect if -Wformat-security is enabled (which it is on Ubuntu) so we
also disable the latter by default.
When changing async callbacks on streams, we have to make sure the watcher
callback is not currently active and has temporarily disabled callbacks. This
could have been the case, as we didn't explicitly removed any pending
watcher registration if both callbacks are NULL.
By enforcing the watcher unregistration, we are sure the watcher callback is
not active and currently is not mangling the callback hooks. This should make
sure we avoid any races for the callback variables.
In certain situations it is desirable to bind the send/receive sockets
for the DHCP address allocation to a particular interface. With this
patch the strongswan.conf option charon.plugins.dhcp.interface can be
used to restrict the DHCP communication to a configurable interface.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
If a proposal string cannot be matched to a token using strcmp (e.g. if
you want to register a whole class of algorithms containing their ID,
like my_alg_2342), you can use the provided function to register a
parser that transforms the given string into a proposal token.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
This patch exports the task manager's flush to allow flushing of all
queues with one function call from ike_sa->destroy. It allows the
access of intact children during task destructoin (see git-commit
e44ebdcf) and allows the access of the task manager in
child_state_change hook.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
The hook data counts remaining buffer bytes, not used ones. Counting them
correctly fixes a crash for long hexdumps.
Further, print_in_hook() must return the number of bytes that would have been
written, not the actually written bytes. This is important, as we allocate a
dynamic buffer in bus that relies on the exact byte count. Fixes long hexdumps
that got truncated.
The two constants overflow time_t on i386 (they also produced a compiler
warning without type suffix) so the comparison with TIME_32_BIT_SIGNED_MAX
did not work as intended.
Fixes#477.
Our SipHash-2-4 implementation returns the result in host order, while
the test vectors are little-endian. Use a custom comparison function to
account for this.
Fixes#478.
The cast to a bool* cut of the actual value on big-endian systems
if bool was shorter than int because the bool argument to printf gets
promoted to an int.
Fixes#479.