github: Use provided actions for SonarQube installation and scan

Also switch to the cloud cache (which doesn't seem to work either way
anyway).

.github/workflows/sonarcloud.yml

@@ -33,7 +33,6 @@ jobs:
         with:
           path: |
             ~/.cache/ccache
-            ~/.sonar-cache
           key: ccache-sonarcloud-${{ github.sha }}
           restore-keys: |
             ccache-sonarcloud-
@@ -41,24 +40,17 @@ jobs:
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
-      # using SonarSource/sonarcloud-github-action is currently not recommended
-      # for C builds, so we follow the "any CI" instructions
-      - name: Install sonar-scanner
+      - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v4
+      - run: |
+          echo "BUILD_WRAPPER_OUT_DIR=$HOME/bw-output" >> $GITHUB_ENV
+      - uses: ./.github/actions/default
+      - uses: SonarSource/sonarqube-scan-action@v4
         env:
-          SONAR_SCANNER_VERSION: 5.0.1.3006
-        run: |
-          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
-          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
-          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
-          echo "SONAR_SCANNER_OPTS=-server" >> $GITHUB_ENV
-          curl --create-dirs -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
-          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
-          echo "PATH=$HOME/.sonar/build-wrapper-linux-x86:$SONAR_SCANNER_HOME/bin:$PATH" >> $GITHUB_ENV
-      - env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BUILD_NUMBER: ${{ github.run_id }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
-          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
-        uses: ./.github/actions/default
+        with:
+          args: >
+            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT }}
+            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
+            -Dsonar.cfamily.threads=2
+            -Dsonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json
       - run: ccache -s

scripts/test.sh

@@ -37,7 +37,7 @@ build_botan()
 
 build_wolfssl()
 {
-	WOLFSSL_REV=v5.8.0-stable
+	WOLFSSL_REV=v5.8.2-stable
 	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
 
 	if test -d "$WOLFSSL_DIR"; then
@@ -273,13 +273,6 @@ printf-builtin)
 	fi
 	;;
 all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
-	if [ "$TEST" = "sonarcloud" ]; then
-		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
-			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
-				 "environment variables are required to run this test"
-			exit 1
-		fi
-	fi
 	if [ "$TEST" = "codeql" ]; then
 		# don't run tests, only analyze built code
 		TARGET=
@@ -552,7 +545,7 @@ case "$TEST" in
 sonarcloud)
 	# without target, coverage is currently not supported anyway because
 	# sonarqube only supports gcov, not lcov
-	build-wrapper-linux-x86-64 --out-dir bw-output make -j$(nproc) || exit $?
+	build-wrapper-linux-x86-64 --out-dir $BUILD_WRAPPER_OUT_DIR make -j$(nproc) || exit $?
 	;;
 *)
 	make -j$(nproc) $TARGET || exit $?
@@ -567,20 +560,6 @@ apidoc)
 	fi
 	rm make.warnings
 	;;
-sonarcloud)
-	sonar-scanner \
-		-Dsonar.host.url=https://sonarcloud.io \
-		-Dsonar.projectKey=${SONAR_PROJECT} \
-		-Dsonar.organization=${SONAR_ORGANIZATION} \
-		-Dsonar.token=${SONAR_TOKEN} \
-		-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
-		-Dsonar.sources=. \
-		-Dsonar.cfamily.threads=2 \
-		-Dsonar.cfamily.analysisCache.mode=fs \
-		-Dsonar.cfamily.analysisCache.path=$HOME/.sonar-cache \
-		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
-	rm -r bw-output .scannerwork
-	;;
 android)
 	rm -r strongswan-*
 	cd $SRC_DIR/src/frontends/android

sonar-project.properties

@@ -1,3 +1,5 @@
+sonar.sources=.
+
 # exclude these files completely
 sonar.exclusions=\
 	src/manager/templates/static/jquery.js, \

src/frontends/gnome/NEWS

@@ -1,3 +1,9 @@
+NetworkManager-strongswan-1.6.3
+-------------------------------
+
+- Fix configure/linker issue when not using GNU libtool
+- Update URL in metainfo
+
 NetworkManager-strongswan-1.6.2
 -------------------------------
 

src/frontends/gnome/configure.ac

@@ -1,6 +1,6 @@
 AC_PREREQ([2.69])
 
-AC_INIT([NetworkManager-strongswan],[1.6.2],[info@strongswan.org],[NetworkManager-strongswan])
+AC_INIT([NetworkManager-strongswan],[1.6.3],[info@strongswan.org],[NetworkManager-strongswan])
 AM_INIT_AUTOMAKE([subdir-objects])
 AM_MAINTAINER_MODE
 

src/libcharon/plugins/certexpire/certexpire_export.c

@@ -106,7 +106,7 @@ struct private_certexpire_export_t {
  */
 typedef struct {
 	/** certificate subject as subjectAltName or CN of a DN */
-	char id[128];
+	char id[256];
 	/** list of expiration dates, 0 if no certificate */
 	time_t expire[MAX_TRUSTCHAIN_LENGTH];
 } entry_t;

src/libcharon/plugins/whitelist/whitelist_control.c

@@ -92,19 +92,51 @@ static void list(private_whitelist_control_t *this,
 	stream->write_all(stream, &msg, sizeof(msg));
 }
 
+/**
+ * Information about a client connection.
+ */
+typedef struct {
+	private_whitelist_control_t *this;
+	whitelist_msg_t msg;
+	size_t read;
+} whitelist_conn_t;
+
 /**
  * Dispatch a received message
  */
-static bool on_accept(private_whitelist_control_t *this, stream_t *stream)
+CALLBACK(on_read, bool,
+	whitelist_conn_t *conn, stream_t *stream)
 {
+	private_whitelist_control_t *this = conn->this;
 	identification_t *id;
-	whitelist_msg_t msg;
+	ssize_t len;
 
-	while (stream->read_all(stream, &msg, sizeof(msg)))
+	while (TRUE)
 	{
-		msg.id[sizeof(msg.id) - 1] = 0;
-		id = identification_create_from_string(msg.id);
-		switch (ntohl(msg.type))
+		while (conn->read < sizeof(conn->msg))
+		{
+			len = stream->read(stream, (char*)&conn->msg + conn->read,
+							   sizeof(conn->msg) - conn->read, FALSE);
+			if (len <= 0)
+			{
+				if (errno == EWOULDBLOCK)
+				{
+					return TRUE;
+				}
+				if (len != 0)
+				{
+					DBG1(DBG_CFG, "whitelist socket error: %s", strerror(errno));
+				}
+				stream->destroy(stream);
+				free(conn);
+				return FALSE;
+			}
+			conn->read += len;
+		}
+
+		conn->msg.id[sizeof(conn->msg.id) - 1] = 0;
+		id = identification_create_from_string(conn->msg.id);
+		switch (ntohl(conn->msg.type))
 		{
 			case WHITELIST_ADD:
 				this->listener->add(this->listener, id);
@@ -129,9 +161,22 @@ static bool on_accept(private_whitelist_control_t *this, stream_t *stream)
 				break;
 		}
 		id->destroy(id);
+		conn->read = 0;
 	}
 
-	return FALSE;
+	return TRUE;
+}
+
+CALLBACK(on_accept, bool,
+	private_whitelist_control_t *this, stream_t *stream)
+{
+	whitelist_conn_t *conn;
+
+	INIT(conn,
+		.this = this,
+	);
+	stream->on_read(stream, on_read, conn);
+	return TRUE;
 }
 
 METHOD(whitelist_control_t, destroy, void,

src/libcharon/plugins/whitelist/whitelist_msg.h

@@ -53,7 +53,7 @@ struct whitelist_msg_t {
 	/** message type */
 	int type;
 	/** null terminated identity */
-	char id[128];
+	char id[256];
 } __attribute__((packed));
 
 #endif /** WHITELIST_MSG_H_ @}*/

src/libstrongswan/plugins/ml/Makefile.am

@@ -17,3 +17,5 @@ libstrongswan_ml_la_SOURCES = \
 	ml_plugin.h ml_plugin.c \
 	ml_poly.c ml_poly.h \
 	ml_utils.c ml_utils.h
+
+libstrongswan_ml_la_LDFLAGS = -module -avoid-version

src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c

@@ -84,6 +84,11 @@ struct private_diffie_hellman_t {
 	 * Shared secret
 	 */
 	chunk_t shared_secret;
+
+	/**
+	 * RNG used for key generation and blinding with curve25519
+	 */
+	WC_RNG rng;
 };
 
 #ifdef HAVE_CURVE25519
@@ -289,6 +294,7 @@ METHOD(key_exchange_t, destroy, void,
 #endif
 	}
 	chunk_clear(&this->shared_secret);
+	wc_FreeRng(&this->rng);
 	free(this);
 }
 
@@ -298,7 +304,6 @@ METHOD(key_exchange_t, destroy, void,
 key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 {
 	private_diffie_hellman_t *this;
-	WC_RNG rng;
 	int ret = -1;
 
 	INIT(this,
@@ -309,7 +314,7 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 		.group = group,
 	);
 
-	if (wc_InitRng(&rng) != 0)
+	if (wc_InitRng(&this->rng) != 0)
 	{
 		DBG1(DBG_LIB, "initializing a random number generator failed");
 		destroy(this);
@@ -325,7 +330,6 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 #ifdef TESTABLE_KE
 		this->public.set_seed = _set_seed_25519;
 #endif
-
 		if (wc_curve25519_init(&this->key.key25519) != 0 ||
 			wc_curve25519_init(&this->pub.key25519) != 0)
 		{
@@ -333,7 +337,7 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 			destroy(this);
 			return NULL;
 		}
-		ret = wc_curve25519_make_key(&rng, CURVE25519_KEYSIZE,
+		ret = wc_curve25519_make_key(&this->rng, CURVE25519_KEYSIZE,
 									 &this->key.key25519);
 #endif
 	}
@@ -354,13 +358,14 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 			destroy(this);
 			return NULL;
 		}
-		ret = wc_curve448_make_key(&rng, CURVE448_KEY_SIZE, &this->key.key448);
+		ret = wc_curve448_make_key(&this->rng, CURVE448_KEY_SIZE,
+								   &this->key.key448);
 #endif
 	}
-	wc_FreeRng(&rng);
 	if (ret != 0)
 	{
-		DBG1(DBG_LIB, "making a key failed");
+		DBG1(DBG_LIB, "making %N key failed", key_exchange_method_names,
+			 this->group);
 		destroy(this);
 		return NULL;
 	}

testing/scripts/recipes/012_wolfssl.mk

@@ -2,7 +2,7 @@
 
 PKG = wolfssl
 SRC = https://github.com/wolfSSL/$(PKG).git
-REV = v5.8.0-stable
+REV = v5.8.2-stable
 
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)