With newer OpenSSL builds, the DLL files contain parts of the version
number and the architecture in their name, e.g. for OpenSSL 1.1.1 the
DLL for libcrypto is called libcrypto-1_1-x64.dll. So referencing that
directly could be kinda tricky. And by using `-lcrypto` we therefore
didn't link those DLLs but the OpenSSL version installed by msys2.
Since the latter ships OpenSSL 3 since January and the VS 2019 image
was updated recently, our builds broke as we used the headers from
the 1.1.1 installation but then tried to link OpenSSL 3.
Luckily, in the lib/ directory of the OpenSSL installation, there is a
libcrypto.lib file, which is an import library (containing the symbols
and a reference to the DLL). We can use that to link the right library
via `-lcrypto`.
With the old OpenSSL 1.0.2 build on the VS 2015 image, there is also
such a .lib file but it seems the linker is too old or otherwise incapable
of finding the DLL. But since the DLL is just called libeay32.dll there,
we use that directly and don't reference the lib/ dir.
Also removed a superfluous AC_MSG_RESULT() if libeay32 isn't found.
The gcm plugin has been added to the default plugins and all
certificate types are loaded to allow the libtls socket unit
tests to run with the strongSwan default plugins.
The "ipsec scepclient" tool has been removed and replaced by the
pki subcommands "pki --scep" and "pki --scepca" which implement the
new SCEP RFC 8894 standard that was released in September 2020 and
which supports trusted "certificate renewal" based on the existing
client certificate.
Setting -Werror in CFLAGS passed to configure is not ideal as that affects
all the checks performed by the script.
This caused an issue with newer versions of Autoconf and the AC_PROG_LEX
macro that insisted on finding a lexer library. But due to warnings from
the generated test lexer (misleading indentation) that got turned into
errors no library was found (none would have been necessary), so LEX was
not set and no lexers were built.
With this option enabled, we add -Werror to CFLAGS after all tests ran.
It also enables additional warnings via -Wextra.
The option is auto-enabled when building from the repository.
This ensures the plugin is available if AES-based PRFs could get used or
none of the third-party crypto plugins is enabled and it's required for
HMAC-based PRFs as well.
References strongswan/strongswan#1026
mallinfo() is deprecated because it uses `int` for the members of the
returned struct, whereas mallinfo2() uses `size_t`. It's available
since glibc 2.33.
After establishing an IKE_SA, we check if any of its child configs
define generic SELinux labels and install trap policies for them if
necessary narrowed to the current (virtual) IPs.
