If a PKCS#11 library/token doesn't provide one or more attributes via
C_GetAttributeValue(), we get back CKR_ATTRIBUTE_TYPE_INVALID (similar
for protected attributes where CKR_ATTRIBUTE_SENSITIVE is returned).
This is not an error as the spec demands that all attributes have been
processed with the unavailable attributes having set their length
field to CK_UNAVAILABLE_INFORMATION.
We use this to handle the CKA_TRUSTED attribute, which some tokens
apparently don't support. We previously used a version check to remove
the attribute from the call but even the latest spec doesn't make the
attribute mandatory (it's just in a list of "common" attributes for
CKO_CERTIFICATE objects, without a default value), so there are current
tokens that don't support it and prevent us from enumerating certificates.
Depending on how CLOCK_MONOTONIC is implemented, time_monotonic() might
return 0 within 1 second after the system is started. If that's the
case, we just default to 0 for now to avoid a crash (doesn't "hide" the
system time, but it's only the uptime anyway in this case).
Closesstrongswan/strongswan#435.
This now includes all key material derived for IKE_SAs in the order
defined in the RFC:
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
= prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
For some that are followed by unknown data (e.g. detailed version
information) we only do a prefix match.
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
Closesstrongswan/strongswan#393.
For documentation purposes the new folders ikev1-algs, ikev2-algs,
ikev1-multi-ca and ikev2-multi-ca have been created. Most of the
test cases have now been converted to the vici interface. The
remaining legacy stroke scenarios yet to be converted have been put
into the ikev2-stroke-bye folder.
For documentation purposes some legacy stroke scenarios will be kept
in the ikev1-stroke, ikev2-stroke and ipv6-stroke folders.
The values of `yytext` and `yyleng` might not be properly defined when
the error function is called (in particular if the lexer reached EOF).
While this might just cause non-printable characters in the output, it
could actually lead to a crash depending on where `yytext` points.
Closesstrongswan/strongswan#346.
It might not exist on all platforms and according to the man page:
The kvm wrapper script is used to provide compatibility with old
qemu-kvm package which has been merged into qemu as of version 1.3.
The script executes
qemu-system-x86_64 -enable-kvm
passing all other command-line arguments to the qemu binary.
Closesstrongswan/strongswan#385.
This should give us the best performance and feature set on modern
hardware (in particular when compared to code2duo, which e.g. does not allow
nested virtualization).
Closesstrongswan/strongswan#340.
While CCM is available in earlier versions, we only use it with
OpenSSL 1.1.0 and newer because the generic control variables are not
available before and we default to GCM for them.
Closesstrongswan/strongswan#353.
On 18.04, setuptools was apparently pulled in by python-pip but is not
by python3-pip and on Ubuntu 16.04 there is an issue with tox when
installed via pip3 (syntax error in one of the dependencies) and with
pip that dependency is not even available.
That's because forks are currently not allowed to be analyzed by LGTM (unlike
with SonarCloud) so this check can't actually be successful for forks even if
variables are defined.
References strongswan/strongswan#328.
The nm test can only be done on Ubuntu 18.04 as the required libraries
are not available on newer systems.
Switch to pip3 to install tox (the only Python dependency we use).
Closesstrongswan/strongswan#327.
The lint version used on our GitHub build hosts reported these errors:
Error: Value must be ≥ 0 [Range]
db.update(TABLE_VPNPROFILE, values, KEY_ID + " = " + cursor.getLong(cursor.getColumnIndex(KEY_ID)), null);
That's because get*() expect a valid index >= 0 but getColumnIndex()
can return -1 if the column name doesn't exist.
Stefan Berghofer