This adds support for the new "packet" hardware offload feature that's
added to the Linux kernel with 6.2. In this mode, the device handles
the complete framing of the ESP packet as well as the policy checks,
in addition to the crypto.
For the IKE sockets, port-based bypass policies are automatically
offloaded to devices that support it.
Closesstrongswan/strongswan#1462
While this uses the same mechanism, it's not necessary to explicitly
enable port_bypass, the regular socket policies work fine to bypass any
software policies.
Keep the kdf plugin because of AES-XCBC (and CAMELLIA-XCBC, which is now
supported due to OpenSSL). Other plugins like fips-prf, pubkey or pkcs8
were never actually used by the app. The random plugin might have been
necessary with early versions.
The build script requires the paths to the NDK and OpenSSL sources.
It runs the build in a Docker container, by default. But if the required
tools are installed on the system (currently jq, make and perl) it can
also be run directly on the system by defining NO_DOCKER.
A relatively recent version of the NDK is required (the pre-built
toolchains are required).
If libcurl is built with MultiSSL support (not the case for e.g.
Debian/Ubuntu, which ship separate, conflicting libraries), this allows
selecting the SSL/TLS backend libcurl uses.
Only older versions of OpenSSL and GnuTLS need special treatment, so we
now accept all other backends (e.g. "(SecureTransport) OpenSSL/1.1.1s"
on macOS).
Whenever we remove support for the affected versions of the mentioned
libraries, we can remove the corresponding *-threading plugin feature
and the code here.
While the kernel defines it since 2005 (2.6.14), some older versions of
socket.h shipped with C libraries might not. In particular, glibc only
added it with 2.24 in 2016.
Closesstrongswan/strongswan#1503
The Python versions installed in the system image in
`/Library/Frameworks/Python.framework/` have symlinks in `/usr/local/bin/`
that conflict with symlinks that `brew` tries to create, which causes
errors like these:
==> Pouring python@3.11--3.11.1.monterey.bottle.tar.gz
Error: The `brew link` step did not complete successfully
The formula built, but is not symlinked into /usr/local
Could not symlink bin/2to3-3.11
Target /usr/local/bin/2to3-3.11
already exists. You may want to remove it:
rm '/usr/local/bin/2to3-3.11'
To force the link and overwrite all conflicting files:
brew link --overwrite python@3.11
To list all files that would be deleted:
brew link --overwrite --dry-run python@3.11
Possible conflicting files are:
/usr/local/bin/2to3-3.11 -> /Library/Frameworks/Python.framework/Versions/3.11/bin/2to3-3.11
/usr/local/bin/idle3.11 -> /Library/Frameworks/Python.framework/Versions/3.11/bin/idle3.11
/usr/local/bin/pydoc3.11 -> /Library/Frameworks/Python.framework/Versions/3.11/bin/pydoc3.11
/usr/local/bin/python3.11 -> /Library/Frameworks/Python.framework/Versions/3.11/bin/python3.11
/usr/local/bin/python3.11-config -> /Library/Frameworks/Python.framework/Versions/3.11/bin/python3.11-config
Since the changes to the DH implementations that were merged with
30faf04e92dc ("Merge branch 'multi-ke-backport'"), most implementations
don't support deriving different shared secrets for the same private key
by calling set_public_key() with another public key anymore (some prevent
it explicitly, but reusing DH private keys is not something we want to
support anyway). So we can't reuse the DH object on one side for every
round.
