Adds support for GTK 4. Two versions of the UI are built as shared
objects, the plugin dynamically loads and instantiates the appropriate one
based on the determined GTK version.
Closesstrongswan/strongswan#961
GTK4 does not support buttons at the bottom, so we put them in a header
bar, which is the preferred layout by current desktop environments. And
while it doesn't look ideal on older desktops, it also works with GTK3
and changing it avoids having to maintain multiple UI files.
Note that this layout is not supported by glade, so we generally can't
use it to edit the GUI anymore (it also doesn't support GTK4 in general).
Remove outbound SA and policy of rekeyed CHILD_SA since only one is valid.
Otherwise, during update-SA job (when NAT mapping changed), CHILD_SA are
updated and installed one by one, leaving a window where old SAs are being
used. There are also circumstances where the new SA is not processed last.
Closesstrongswan/strongswan#1041
This ensures the plugin is available if AES-based PRFs could get used or
none of the third-party crypto plugins is enabled and it's required for
HMAC-based PRFs as well.
References strongswan/strongswan#1026
A recent security fix for Git added a fatal error if the directory that
contains the .git directory is not owned by the user that runs git in
that directory tree:
Determine strongSwan version fatal: unsafe repository ('...' is owned by someone else)
To avoid this, we call the git commands as owner of the source
directory (the script has to run as root, so this is no problem).
The user/group ID and name is now also determined via `stat(1)` so it
directly depends on the actual source dir and should work even when not
using sudo.
mallinfo() is deprecated because it uses `int` for the members of the
returned struct, whereas mallinfo2() uses `size_t`. It's available
since glibc 2.33.
The external-id parameter takes an int32 and the generated run_id was
apparently not valid lately, resulting in undocumented 404 errors when
submitting patches (the API endpoint probably doesn't like negative numbers
because the last accepted id was 2059658094, rejected ids were e.g.
2167472705 or 2168792083).
More of this code was already removed with previous commits.
While versions < 1.1.1 are not officially supported anymore, 1.0.2 might
still be in use because before 3.x that was the latest version with
official FIPS support (OpenSSL apparently also provides extended commercial
support for it).
The old API has been deprecated with OpenSSL 3 and direct access to the
state isn't possible via EVP API. In the future we might just remove this
implementation but we'd probably have to implement EAP-AKA' first, which
uses HMAC-SHA-256 with IKEv2's prf+ construct to derive keys instead
of this weird construct (plus what fips-prf builds around it) that's used
by EAP-AKA.
This modularizes the IKEv2 key derivation, which makes certification (e.g.
FIPS) easier because it allows the two steps (PRF/prf+) to be implemented
by already certified third-party libraries.
For the existing third-party libraries, the two KDFs are implemented via
the respective library's HKDF implementation. A generic implementation,
based on existing PRFs, is provided by the new kdf plugin.
