The gcm plugin has been added to the default plugins and all
certificate types are loaded to allow the libtls socket unit
tests to run with the strongSwan default plugins.
The "ipsec scepclient" tool has been removed and replaced by the
pki subcommands "pki --scep" and "pki --scepca" which implement the
new SCEP RFC 8894 standard that was released in September 2020 and
which supports trusted "certificate renewal" based on the existing
client certificate.
Setting -Werror in CFLAGS passed to configure is not ideal as that affects
all the checks performed by the script.
This caused an issue with newer versions of Autoconf and the AC_PROG_LEX
macro that insisted on finding a lexer library. But due to warnings from
the generated test lexer (misleading indentation) that got turned into
errors no library was found (none would have been necessary), so LEX was
not set and no lexers were built.
With this option enabled, we add -Werror to CFLAGS after all tests ran.
It also enables additional warnings via -Wextra.
The option is auto-enabled when building from the repository.
This ensures the plugin is available if AES-based PRFs could get used or
none of the third-party crypto plugins is enabled and it's required for
HMAC-based PRFs as well.
References strongswan/strongswan#1026
mallinfo() is deprecated because it uses `int` for the members of the
returned struct, whereas mallinfo2() uses `size_t`. It's available
since glibc 2.33.
After establishing an IKE_SA, we check if any of its child configs
define generic SELinux labels and install trap policies for them if
necessary narrowed to the current (virtual) IPs.
