github: Use provided actions for SonarQube installation and scan

Also switch to the cloud cache (which doesn't seem to work either way anyway).
certexpire: Double size of internal buffer for identities
2025-08-16 00:00:25 -04:00 · 2025-08-05 10:27:32 +02:00 · 2025-07-23 18:50:53 +02:00 · 2025-07-23 18:50:33 +02:00 · 2025-07-19 12:11:29 +02:00 · 2025-07-19 12:10:25 +02:00
21 changed files with 109 additions and 69 deletions
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -93,14 +93,14 @@ jobs:
          path: config.log
          retention-days: 5

-  crypto-plugins:
+  crypto:
    needs: pre-check
    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        os: [ ubuntu-latest, ubuntu-22.04 ]
        test: [ botan, wolfssl, openssl, openssl-3, openssl-awslc, gcrypt ]
+        os: [ ubuntu-latest, ubuntu-22.04 ]
        leak-detective: [ no, yes ]
        exclude:
          # test custom-built libs only on the latest platform
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@ -33,7 +33,6 @@ jobs:
        with:
          path: |
            ~/.cache/ccache
-            ~/.sonar-cache
          key: ccache-sonarcloud-${{ github.sha }}
          restore-keys: |
            ccache-sonarcloud-
@ -41,24 +40,17 @@ jobs:
          sudo apt-get install -qq ccache
          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
          ccache -z
-      # using SonarSource/sonarcloud-github-action is currently not recommended
-      # for C builds, so we follow the "any CI" instructions
-      - name: Install sonar-scanner
+      - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v4
+      - run: |
+          echo "BUILD_WRAPPER_OUT_DIR=$HOME/bw-output" >> $GITHUB_ENV
+      - uses: ./.github/actions/default
+      - uses: SonarSource/sonarqube-scan-action@v4
        env:
-          SONAR_SCANNER_VERSION: 5.0.1.3006
-        run: |
-          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
-          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
-          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
-          echo "SONAR_SCANNER_OPTS=-server" >> $GITHUB_ENV
-          curl --create-dirs -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
-          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
-          echo "PATH=$HOME/.sonar/build-wrapper-linux-x86:$SONAR_SCANNER_HOME/bin:$PATH" >> $GITHUB_ENV
-      - env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BUILD_NUMBER: ${{ github.run_id }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
-          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
-        uses: ./.github/actions/default
+        with:
+          args: >
+            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT }}
+            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
+            -Dsonar.cfamily.threads=2
+            -Dsonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json
      - run: ccache -s
--- a/Doxyfile.in
+++ b/Doxyfile.in
@ -2376,6 +2376,7 @@ INCLUDE_FILE_PATTERNS  =
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.

 PREDEFINED             = LEAK_DETECTIVE \
+						 TESTABLE_KE \
                         __attribute__(x)=

 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
--- a/configure.ac
+++ b/configure.ac
@ -20,7 +20,7 @@
 #  initialize & set some vars
 # ============================

-AC_INIT([strongSwan],[6.0.2rc1])
+AC_INIT([strongSwan],[6.0.2])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
--- a/scripts/test.sh
+++ b/scripts/test.sh
@ -37,7 +37,7 @@ build_botan()

 build_wolfssl()
 {
-	WOLFSSL_REV=v5.8.0-stable
+	WOLFSSL_REV=v5.8.2-stable
 	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl

 	if test -d "$WOLFSSL_DIR"; then
@ -273,13 +273,6 @@ printf-builtin)
 	fi
 	;;
 all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
-	if [ "$TEST" = "sonarcloud" ]; then
-		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
-			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
-				 "environment variables are required to run this test"
-			exit 1
-		fi
-	fi
 	if [ "$TEST" = "codeql" ]; then
 		# don't run tests, only analyze built code
 		TARGET=
@ -552,7 +545,7 @@ case "$TEST" in
 sonarcloud)
 	# without target, coverage is currently not supported anyway because
 	# sonarqube only supports gcov, not lcov
-	build-wrapper-linux-x86-64 --out-dir bw-output make -j$(nproc) || exit $?
+	build-wrapper-linux-x86-64 --out-dir $BUILD_WRAPPER_OUT_DIR make -j$(nproc) || exit $?
 	;;
 *)
 	make -j$(nproc) $TARGET || exit $?
@ -567,20 +560,6 @@ apidoc)
 	fi
 	rm make.warnings
 	;;
-sonarcloud)
-	sonar-scanner \
-		-Dsonar.host.url=https://sonarcloud.io \
-		-Dsonar.projectKey=${SONAR_PROJECT} \
-		-Dsonar.organization=${SONAR_ORGANIZATION} \
-		-Dsonar.token=${SONAR_TOKEN} \
-		-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
-		-Dsonar.sources=. \
-		-Dsonar.cfamily.threads=2 \
-		-Dsonar.cfamily.analysisCache.mode=fs \
-		-Dsonar.cfamily.analysisCache.path=$HOME/.sonar-cache \
-		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
-	rm -r bw-output .scannerwork
-	;;
 android)
 	rm -r strongswan-*
 	cd $SRC_DIR/src/frontends/android
--- a/sonar-project.properties
+++ b/sonar-project.properties
@ -1,3 +1,5 @@
+sonar.sources=.
+
 # exclude these files completely
 sonar.exclusions=\
 	src/manager/templates/static/jquery.js, \
--- a/src/frontends/gnome/NEWS
+++ b/src/frontends/gnome/NEWS
@ -1,3 +1,9 @@
+NetworkManager-strongswan-1.6.3
+-------------------------------
+
+- Fix configure/linker issue when not using GNU libtool
+- Update URL in metainfo
+
 NetworkManager-strongswan-1.6.2
 -------------------------------

--- a/src/frontends/gnome/configure.ac
+++ b/src/frontends/gnome/configure.ac
@ -1,6 +1,6 @@
 AC_PREREQ([2.69])

-AC_INIT([NetworkManager-strongswan],[1.6.2],[info@strongswan.org],[NetworkManager-strongswan])
+AC_INIT([NetworkManager-strongswan],[1.6.3],[info@strongswan.org],[NetworkManager-strongswan])
 AM_INIT_AUTOMAKE([subdir-objects])
 AM_MAINTAINER_MODE

--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@ -300,7 +300,7 @@ linked_list_t *child_cfg_select_ts(child_cfg_t *cfg, bool local,

 	/* force replacing non-dynamic TS to the IPs in transport mode, but only
 	 * when proposing as initiator */
-	force = supplied && is_transport_mode(this);
+	force = !supplied && is_transport_mode(this);

 	result = ts->select(ts, supplied, hosts, force, &narrowed);
 	if (narrowed)
--- a/src/libcharon/plugins/certexpire/certexpire_export.c
+++ b/src/libcharon/plugins/certexpire/certexpire_export.c
@ -106,7 +106,7 @@ struct private_certexpire_export_t {
 */
 typedef struct {
 	/** certificate subject as subjectAltName or CN of a DN */
-	char id[128];
+	char id[256];
 	/** list of expiration dates, 0 if no certificate */
 	time_t expire[MAX_TRUSTCHAIN_LENGTH];
 } entry_t;
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@ -2091,7 +2091,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		 * checks it marks them "checksum ok" so OA isn't needed. */

 		/* if the remote port is set to 0 for UDP-encapsulated per-CPU SAs, we
-		 * increase the treshold for mapping changes as it gets otherwise
+		 * increase the threshold for mapping changes as it gets otherwise
 		 * triggered with every packet */
 		if (data->inbound && !id->src->get_port(id->src) &&
 			!add_uint32(hdr, sizeof(request), XFRMA_MTIMER_THRESH, UINT32_MAX))
--- a/src/libcharon/plugins/whitelist/whitelist_control.c
+++ b/src/libcharon/plugins/whitelist/whitelist_control.c
@ -92,19 +92,51 @@ static void list(private_whitelist_control_t *this,
 	stream->write_all(stream, &msg, sizeof(msg));
 }

+/**
+ * Information about a client connection.
+ */
+typedef struct {
+	private_whitelist_control_t *this;
+	whitelist_msg_t msg;
+	size_t read;
+} whitelist_conn_t;
+
 /**
 * Dispatch a received message
 */
-static bool on_accept(private_whitelist_control_t *this, stream_t *stream)
+CALLBACK(on_read, bool,
+	whitelist_conn_t *conn, stream_t *stream)
 {
+	private_whitelist_control_t *this = conn->this;
 	identification_t *id;
-	whitelist_msg_t msg;
+	ssize_t len;

-	while (stream->read_all(stream, &msg, sizeof(msg)))
+	while (TRUE)
 	{
-		msg.id[sizeof(msg.id) - 1] = 0;
-		id = identification_create_from_string(msg.id);
-		switch (ntohl(msg.type))
+		while (conn->read < sizeof(conn->msg))
+		{
+			len = stream->read(stream, (char*)&conn->msg + conn->read,
+							   sizeof(conn->msg) - conn->read, FALSE);
+			if (len <= 0)
+			{
+				if (errno == EWOULDBLOCK)
+				{
+					return TRUE;
+				}
+				if (len != 0)
+				{
+					DBG1(DBG_CFG, "whitelist socket error: %s", strerror(errno));
+				}
+				stream->destroy(stream);
+				free(conn);
+				return FALSE;
+			}
+			conn->read += len;
+		}
+
+		conn->msg.id[sizeof(conn->msg.id) - 1] = 0;
+		id = identification_create_from_string(conn->msg.id);
+		switch (ntohl(conn->msg.type))
 		{
 			case WHITELIST_ADD:
 				this->listener->add(this->listener, id);
@ -129,9 +161,22 @@ static bool on_accept(private_whitelist_control_t *this, stream_t *stream)
 				break;
 		}
 		id->destroy(id);
+		conn->read = 0;
 	}

-	return FALSE;
+	return TRUE;
+}
+
+CALLBACK(on_accept, bool,
+	private_whitelist_control_t *this, stream_t *stream)
+{
+	whitelist_conn_t *conn;
+
+	INIT(conn,
+		.this = this,
+	);
+	stream->on_read(stream, on_read, conn);
+	return TRUE;
 }

 METHOD(whitelist_control_t, destroy, void,
--- a/src/libcharon/plugins/whitelist/whitelist_msg.h
+++ b/src/libcharon/plugins/whitelist/whitelist_msg.h
@ -53,7 +53,7 @@ struct whitelist_msg_t {
 	/** message type */
 	int type;
 	/** null terminated identity */
-	char id[128];
+	char id[256];
 } __attribute__((packed));

 #endif /** WHITELIST_MSG_H_ @}*/
--- a/src/libstrongswan/crypto/proposal/proposal.c
+++ b/src/libstrongswan/crypto/proposal/proposal.c
@ -1016,7 +1016,7 @@ proposal_t *proposal_create(protocol_id_t protocol, uint8_t number)
 }

 /**
- * Add supporte KE methods to proposal
+ * Add supported KE methods to proposal
 */
 static void add_supported_ke_methods(private_proposal_t *this)
 {
--- a/src/libstrongswan/plugins/ml/Makefile.am
+++ b/src/libstrongswan/plugins/ml/Makefile.am
@ -17,3 +17,5 @@ libstrongswan_ml_la_SOURCES = \
 	ml_plugin.h ml_plugin.c \
 	ml_poly.c ml_poly.h \
 	ml_utils.c ml_utils.h
+
+libstrongswan_ml_la_LDFLAGS = -module -avoid-version
--- a/src/libstrongswan/plugins/openssl/openssl_kdf.c
+++ b/src/libstrongswan/plugins/openssl/openssl_kdf.c
@ -201,6 +201,14 @@ kdf_t *openssl_kdf_create(key_derivation_function_t algo, va_list args)
 		.key = chunk_clone(chunk_from_str("00000000000000000000000000000000")),
 	);

+	/* also generate a salt (as if none was provided, i.e. zeroes of hash length)
+	 * as OpenSSL 3.5.1+ won't accept NULL anymore */
+	if (algo == KDF_PRF && this->hasher)
+	{
+		this->salt = chunk_copy_pad(chunk_alloc(get_length(this)),
+									chunk_empty, 0);
+	}
+
 	if (!this->hasher ||
 		!get_bytes(this, algo == KDF_PRF ? get_length(this) : sizeof(buf), buf))
 	{
--- a/src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c
@ -84,6 +84,11 @@ struct private_diffie_hellman_t {
 	 * Shared secret
 	 */
 	chunk_t shared_secret;
+
+	/**
+	 * RNG used for key generation and blinding with curve25519
+	 */
+	WC_RNG rng;
 };

 #ifdef HAVE_CURVE25519
@ -289,6 +294,7 @@ METHOD(key_exchange_t, destroy, void,
 #endif
 	}
 	chunk_clear(&this->shared_secret);
+	wc_FreeRng(&this->rng);
 	free(this);
 }

@ -298,7 +304,6 @@ METHOD(key_exchange_t, destroy, void,
 key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 {
 	private_diffie_hellman_t *this;
-	WC_RNG rng;
 	int ret = -1;

 	INIT(this,
@ -309,7 +314,7 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 		.group = group,
 	);

-	if (wc_InitRng(&rng) != 0)
+	if (wc_InitRng(&this->rng) != 0)
 	{
 		DBG1(DBG_LIB, "initializing a random number generator failed");
 		destroy(this);
@ -325,7 +330,6 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 #ifdef TESTABLE_KE
 		this->public.set_seed = _set_seed_25519;
 #endif
-
 		if (wc_curve25519_init(&this->key.key25519) != 0 ||
 			wc_curve25519_init(&this->pub.key25519) != 0)
 		{
@ -333,7 +337,7 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 			destroy(this);
 			return NULL;
 		}
-		ret = wc_curve25519_make_key(&rng, CURVE25519_KEYSIZE,
+		ret = wc_curve25519_make_key(&this->rng, CURVE25519_KEYSIZE,
 									 &this->key.key25519);
 #endif
 	}
@ -354,13 +358,14 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 			destroy(this);
 			return NULL;
 		}
-		ret = wc_curve448_make_key(&rng, CURVE448_KEY_SIZE, &this->key.key448);
+		ret = wc_curve448_make_key(&this->rng, CURVE448_KEY_SIZE,
+								   &this->key.key448);
 #endif
 	}
-	wc_FreeRng(&rng);
 	if (ret != 0)
 	{
-		DBG1(DBG_LIB, "making a key failed");
+		DBG1(DBG_LIB, "making %N key failed", key_exchange_method_names,
+			 this->group);
 		destroy(this);
 		return NULL;
 	}
--- a/testing/scripts/recipes/012_wolfssl.mk
+++ b/testing/scripts/recipes/012_wolfssl.mk
@ -2,7 +2,7 @@

 PKG = wolfssl
 SRC = https://github.com/wolfSSL/$(PKG).git
-REV = v5.8.0-stable
+REV = v5.8.2-stable

 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)

--- a/testing/testing.conf
+++ b/testing/testing.conf
@ -31,7 +31,7 @@ fi
 : ${KERNELPATCH=ha-6.14-abicompat.patch.bz2}

 # strongSwan version used in tests
-: ${SWANVERSION=6.0.2rc1}
+: ${SWANVERSION=6.0.2}

 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
@ -2,5 +2,5 @@

 charon {
  load = random nonce openssl pem pkcs1 curl revocation vici kernel-netlink socket-default
-  retransmit_timeout = 4.0
+  retransmit_tries = 6
 }
--- a/testing/tests/ikev2/net2net-route-narrow/description.txt
+++ b/testing/tests/ikev2/net2net-route-narrow/description.txt
@ -1,5 +1,5 @@
 A trap policy on gateway <b>sun</b> will trigger SAs to gateway <b>moon</b>
-that connec the subnets behind the two gateways. Based on the received traffic
+that connect the subnets behind the two gateways. Based on the received traffic
 selector from the triggering packet, gateway <b>moon</b> narrows down the
 traffic selectors to one of two options.
 Subsequent pings issued by client <b>bob</b> behind gateway <b>sun</b> to
Author	SHA1	Message	Date
Tobias Brunner	2560146204	github: Use provided actions for SonarQube installation and scan Also switch to the cloud cache (which doesn't seem to work either way anyway).	2025-08-05 10:27:32 +02:00
Tobias Brunner	ff06159099	certexpire: Double size of internal buffer for identities The error-notify, lookip, and whitelist (previous commit) plugins already use the same buffer size for identities.	2025-07-23 18:50:53 +02:00
seantywork	ae2e0b6cf2	whitelist: Double the length of the id field in the messages Closes strongswan/strongswan#2842	2025-07-23 18:50:33 +02:00
Tobias Brunner	6c813ddc13	Use wolfSSL 5.8.2 for tests	2025-07-19 12:11:29 +02:00
Tobias Brunner	011c346b00	wolfssl: Store RNG on object for curve25519 5.8.2 enables blinding for curve25519 by default, so the RNG set when making the key is also used later on.	2025-07-19 12:10:25 +02:00
Rob Shearman	1b62e88980	ml: Disable versioning for shared object Avoid generating versioned shared objects which would need to be installed along with the version-independent symlink by specifying "-avoid-version" in the libtool LDFLAGS for the plugin. Avoid any unwanted surprises by also specifying the "-module" option, making the LDFLAGS consistent with all other libstrongswan plugins. Closes strongswan/strongswan#2844	2025-07-18 16:30:50 +02:00
Tobias Brunner	58c567da74	Merge branch 'whitelist-watcher' Use watcher and non-blocking I/O for client connections to avoid issues with clients that stay connected for a long time. Closes strongswan/strongswan#2827	2025-07-18 16:16:17 +02:00
Tobias Brunner	85ebf6abd4	whitelist: Add error handling to socket reads and fix a memory leak This now adds some state (basically a message buffer), but simplifies error handling as we don't have to handle two potential failure paths and could avoid some potential issues by still calling the blocking read_all(). It also fixes a memory leak when clients disconnect.	2025-07-18 12:07:45 +02:00
Rob Shearman	412231eecd	whitelist: Use a watcher for control socket reading rather than blocking Performing a stream read_all call (which is a blocking read) from within the accept callback has the issue that if a whitelist client is still connected whilst a shutdown of the charon deamon is triggered then that shutdown won't complete gracefully due to the accept task never exiting. So fix shutting down gracefully by using the socket watcher rather than a blocking read upon connection accept. Fall back to a blocking read for partial messages to avoid the complexity associated (i.e. storing state) for incomplete reads, which shouldn't block and cause the original problem if the client only sends whole messages.	2025-07-15 14:50:56 +02:00
Tobias Brunner	e98ea89d99	nm: Version bump to 1.6.3	2025-07-14 11:01:14 +02:00
Andreas Steffen	23eb1e0945	Version bump to 6.0.2	2025-07-13 09:56:49 +02:00
Tobias Brunner	4c54550352	testing: Use alternative approach for retransmits in ikev1/dpd-restart scenario With a long delay, the retransmit might not get sent before further tests are evaluated on faster machines, while more retransmits should still allow the scenario to succeed on slower ones.	2025-07-11 14:15:40 +02:00
Tobias Brunner	bab415ec0a	child-cfg: Actually force narrowing TS in transport mode only as initiator Closes strongswan/strongswan#2830 Fixes: ad1ad2159f0b ("child-cfg: Use traffic selector list")	2025-07-11 14:15:06 +02:00
Tobias Brunner	43b805b2da	openssl: Don't allocate salt if PRF/hash is unknown This can happen if e.g. AES-XCBC is selected. Fixes: 2dbeecfc029b ("openssl: Fix testing KDF_PRF in the constructor with OpenSSL 3.5.1")	2025-07-11 11:47:51 +02:00
Tobias Brunner	2c32412594	github: Shorten name for crypto-plugin job and reverse matrix arguments This gives us more readable names in the UI. Instead of crypto-plugins (ubuntu-latest, b... crypto-plugins (ubuntu-latest, b... crypto-plugins (ubuntu-latest, ... crypto-plugins (ubuntu-latest, ... crypto-plugins (ubuntu-latest, o... crypto-plugins (ubuntu-latest, o... we now get crypto (botan, ubuntu-latest, no) crypto (botan, ubuntu-latest, yes) crypto (wolfssl, ubuntu-latest, no) crypto (wolfssl, ubuntu-latest, yes) crypto (openssl, ubuntu-latest, no) crypto (openssl, ubuntu-latest, yes)	2025-07-10 19:23:02 +02:00
Tobias Brunner	2dbeecfc02	openssl: Fix testing KDF_PRF in the constructor with OpenSSL 3.5.1 Setting the salt to NULL now fails, so we set it to hash length's zeroes, which is the default value for HKDF-Extract if no salt is passed. Fixes strongswan/strongswan#2828	2025-07-10 19:22:22 +02:00
Tobias Brunner	a8c2d125f1	Doxyfile: Don't hide set_seed() method	2025-07-08 13:13:06 +02:00
Tobias Brunner	f88d824114	Fixed some typos, courtesy of codespell	2025-07-08 10:54:49 +02:00