.appveyor.yml

@@ -30,8 +30,8 @@ install:
       IF "%IMG%" == "2019" set OPENSSL=OpenSSL-v111
       set OPENSSL_DIR=/c/%OPENSSL%-%TEST%
       C:\%OPENSSL%-%TEST%\bin\openssl.exe version -a
-  # newer versions of msys2 don't provide autotools or gperf via base-devel anymore
-  - IF "%IMG%" == "2019" %MSYS_SH% --login -c ". /etc/profile && pacman --noconfirm -S --needed autotools gperf"
+  # newer versions of msys2 don't provide autotools via base-devel anymore
+  - IF "%IMG%" == "2019" %MSYS_SH% --login -c ". /etc/profile && pacman --noconfirm -S --needed autotools"
 
 build_script:
   - '%MSYS_SH% --login -c ". /etc/profile && cd $APPVEYOR_BUILD_FOLDER && ./scripts/test.sh deps"'

.cirrus.yml

@@ -1,11 +1,11 @@
-freebsd_task:
+task:
   matrix:
-    - name: FreeBSD 14.2
+    - name: FreeBSD 13.0
       freebsd_instance:
-        image_family: freebsd-14-2
-    - name: FreeBSD 13.4
+        image_family: freebsd-13-0
+    - name: FreeBSD 12.3
       freebsd_instance:
-        image_family: freebsd-13-4
+        image_family: freebsd-12-3
 
   env:
     TESTS_REDUCED_KEYLENGTHS: yes
@@ -16,18 +16,3 @@ freebsd_task:
 
   install_script: ./scripts/test.sh deps
   script: ./scripts/test.sh
-
-alpine_task:
-  container:
-    image: alpine:latest
-
-  env:
-    TESTS_REDUCED_KEYLENGTHS: yes
-    TESTS_NO_IPV6: yes
-    LEAK_DETECTIVE: no
-    MONOLITHIC: no
-    TEST: alpine
-    OS_NAME: alpine
-
-  install_script: ./scripts/test.sh deps
-  script: ./scripts/test.sh

.codecov.yml

@@ -1,3 +1,3 @@
 ignore:
-  - "**/suites/"
-  - "**/tests/"
+  - "*/suites/*"
+  - "*/tests/*"

.github/ISSUE_TEMPLATE/bug_report.md

@@ -2,7 +2,6 @@
 name: "🐛 Bug report"
 about: Report a reproducible bug or regression
 labels: bug, new
-type: Bug
 ---
 
 <!--

.github/ISSUE_TEMPLATE/feature_request.md

@@ -2,7 +2,6 @@
 name: Feature request
 about: Suggest an idea for this project
 labels: enhancement, new
-type: Feature
 ---
 
 <!--

.github/actions/default/action.yml

@@ -5,6 +5,9 @@ runs:
     - name: "Install Dependencies"
       run: ./scripts/test.sh deps
       shell: bash
+    - name: "Install Python Dependencies"
+      run: ./scripts/test.sh pydeps
+      shell: bash
     - name: "Build Dependencies"
       run: ./scripts/test.sh build-deps
       shell: bash

.github/active-transforms/botan

@@ -1,102 +0,0 @@
-AES_ECB[botan]
-AES_ECB[botan]
-AES_ECB[botan]
-AES_CBC[botan]
-AES_CBC[botan]
-AES_CBC[botan]
-AES_CFB[botan]
-AES_CFB[botan]
-AES_CFB[botan]
-AES_GCM_16[botan]
-AES_GCM_16[botan]
-AES_GCM_16[botan]
-AES_GCM_12[botan]
-AES_GCM_12[botan]
-AES_GCM_12[botan]
-AES_GCM_8[botan]
-AES_GCM_8[botan]
-AES_GCM_8[botan]
-AES_CCM_16[botan]
-AES_CCM_16[botan]
-AES_CCM_16[botan]
-AES_CCM_12[botan]
-AES_CCM_12[botan]
-AES_CCM_12[botan]
-AES_CCM_8[botan]
-AES_CCM_8[botan]
-AES_CCM_8[botan]
-CHACHA20_POLY1305[botan]
-HMAC_SHA1_96[botan]
-HMAC_SHA1_96[hmac]
-HMAC_SHA1_128[botan]
-HMAC_SHA1_128[hmac]
-HMAC_SHA1_160[botan]
-HMAC_SHA1_160[hmac]
-HMAC_SHA2_256_128[botan]
-HMAC_SHA2_256_128[hmac]
-HMAC_SHA2_256_256[botan]
-HMAC_SHA2_256_256[hmac]
-HMAC_SHA2_384_192[botan]
-HMAC_SHA2_384_192[hmac]
-HMAC_SHA2_384_384[botan]
-HMAC_SHA2_384_384[hmac]
-HMAC_SHA2_512_256[botan]
-HMAC_SHA2_512_256[hmac]
-HMAC_SHA2_512_512[botan]
-HMAC_SHA2_512_512[hmac]
-HMAC_MD5_96[hmac]
-HMAC_MD5_128[hmac]
-HASH_MD5[botan]
-HASH_SHA1[botan]
-HASH_SHA2_224[botan]
-HASH_SHA2_256[botan]
-HASH_SHA2_384[botan]
-HASH_SHA2_512[botan]
-HASH_SHA3_224[botan]
-HASH_SHA3_256[botan]
-HASH_SHA3_384[botan]
-HASH_SHA3_512[botan]
-HASH_IDENTITY[botan]
-PRF_HMAC_SHA1[botan]
-PRF_HMAC_SHA1[hmac]
-PRF_HMAC_SHA2_256[botan]
-PRF_HMAC_SHA2_256[hmac]
-PRF_HMAC_SHA2_384[botan]
-PRF_HMAC_SHA2_384[hmac]
-PRF_HMAC_SHA2_512[botan]
-PRF_HMAC_SHA2_512[hmac]
-PRF_HMAC_MD5[hmac]
-KDF_PRF[botan]
-KDF_PRF_PLUS[botan]
-DRBG_CTR_AES256[drbg]
-DRBG_CTR_AES128[drbg]
-DRBG_CTR_AES192[drbg]
-DRBG_HMAC_SHA1[drbg]
-DRBG_HMAC_SHA256[drbg]
-DRBG_HMAC_SHA384[drbg]
-DRBG_HMAC_SHA512[drbg]
-RNG_WEAK[botan]
-RNG_STRONG[botan]
-RNG_TRUE[botan]
-MODP_3072[botan]
-MODP_4096[botan]
-MODP_6144[botan]
-MODP_8192[botan]
-MODP_2048[botan]
-MODP_2048_224[botan]
-MODP_2048_256[botan]
-MODP_1536[botan]
-MODP_1024[botan]
-MODP_1024_160[botan]
-MODP_768[botan]
-MODP_CUSTOM[botan]
-ECP_256[botan]
-ECP_384[botan]
-ECP_521[botan]
-ECP_256_BP[botan]
-ECP_384_BP[botan]
-ECP_512_BP[botan]
-CURVE_25519[botan]
-ML_KEM_512[botan]
-ML_KEM_768[botan]
-ML_KEM_1024[botan]

.github/active-transforms/gcrypt

@@ -1,81 +0,0 @@
-AES_CTR[gcrypt]
-AES_CTR[gcrypt]
-AES_CTR[gcrypt]
-AES_CBC[gcrypt]
-AES_CBC[gcrypt]
-AES_CBC[gcrypt]
-AES_ECB[gcrypt]
-AES_ECB[gcrypt]
-AES_ECB[gcrypt]
-AES_CFB[gcrypt]
-AES_CFB[gcrypt]
-AES_CFB[gcrypt]
-BLOWFISH_CBC[gcrypt]
-CAMELLIA_CTR[gcrypt]
-CAMELLIA_CTR[gcrypt]
-CAMELLIA_CTR[gcrypt]
-CAMELLIA_CBC[gcrypt]
-CAMELLIA_CBC[gcrypt]
-CAMELLIA_CBC[gcrypt]
-CAST_CBC[gcrypt]
-3DES_CBC[gcrypt]
-DES_CBC[gcrypt]
-DES_ECB[gcrypt]
-SERPENT_CBC[gcrypt]
-SERPENT_CBC[gcrypt]
-SERPENT_CBC[gcrypt]
-TWOFISH_CBC[gcrypt]
-TWOFISH_CBC[gcrypt]
-AES_GCM_8[gcm]
-AES_GCM_8[gcm]
-AES_GCM_8[gcm]
-AES_GCM_12[gcm]
-AES_GCM_12[gcm]
-AES_GCM_12[gcm]
-AES_GCM_16[gcm]
-AES_GCM_16[gcm]
-AES_GCM_16[gcm]
-HMAC_SHA1_96[hmac]
-HMAC_SHA1_128[hmac]
-HMAC_SHA1_160[hmac]
-HMAC_MD5_96[hmac]
-HMAC_MD5_128[hmac]
-HMAC_SHA2_256_128[hmac]
-HMAC_SHA2_256_256[hmac]
-HMAC_SHA2_384_192[hmac]
-HMAC_SHA2_384_384[hmac]
-HMAC_SHA2_512_256[hmac]
-HMAC_SHA2_512_512[hmac]
-HASH_MD4[gcrypt]
-HASH_MD5[gcrypt]
-HASH_SHA1[gcrypt]
-HASH_SHA2_224[gcrypt]
-HASH_SHA2_256[gcrypt]
-HASH_SHA2_384[gcrypt]
-HASH_SHA2_512[gcrypt]
-HASH_IDENTITY[curve25519]
-PRF_HMAC_SHA1[hmac]
-PRF_HMAC_MD5[hmac]
-PRF_HMAC_SHA2_256[hmac]
-PRF_HMAC_SHA2_384[hmac]
-PRF_HMAC_SHA2_512[hmac]
-KDF_PRF[kdf]
-KDF_PRF_PLUS[kdf]
-RNG_WEAK[gcrypt]
-RNG_STRONG[gcrypt]
-RNG_STRONG[random]
-RNG_TRUE[gcrypt]
-RNG_TRUE[random]
-MODP_3072[gcrypt]
-MODP_4096[gcrypt]
-MODP_6144[gcrypt]
-MODP_8192[gcrypt]
-MODP_2048[gcrypt]
-MODP_2048_224[gcrypt]
-MODP_2048_256[gcrypt]
-MODP_1536[gcrypt]
-MODP_1024[gcrypt]
-MODP_1024_160[gcrypt]
-MODP_768[gcrypt]
-MODP_CUSTOM[gcrypt]
-CURVE_25519[curve25519]

.github/active-transforms/openssl

@@ -1,108 +0,0 @@
-AES_ECB[openssl]
-AES_ECB[openssl]
-AES_ECB[openssl]
-AES_CBC[openssl]
-AES_CBC[openssl]
-AES_CBC[openssl]
-AES_CTR[openssl]
-AES_CTR[openssl]
-AES_CTR[openssl]
-AES_CFB[openssl]
-AES_CFB[openssl]
-AES_CFB[openssl]
-CAMELLIA_CBC[openssl]
-CAMELLIA_CBC[openssl]
-CAMELLIA_CBC[openssl]
-CAMELLIA_CTR[openssl]
-CAMELLIA_CTR[openssl]
-CAMELLIA_CTR[openssl]
-CAST_CBC[openssl]
-BLOWFISH_CBC[openssl]
-3DES_CBC[openssl]
-DES_CBC[openssl]
-DES_ECB[openssl]
-NULL[openssl]
-AES_GCM_16[openssl]
-AES_GCM_16[openssl]
-AES_GCM_16[openssl]
-AES_GCM_12[openssl]
-AES_GCM_12[openssl]
-AES_GCM_12[openssl]
-AES_GCM_8[openssl]
-AES_GCM_8[openssl]
-AES_GCM_8[openssl]
-AES_CCM_16[openssl]
-AES_CCM_16[openssl]
-AES_CCM_16[openssl]
-AES_CCM_12[openssl]
-AES_CCM_12[openssl]
-AES_CCM_12[openssl]
-AES_CCM_8[openssl]
-AES_CCM_8[openssl]
-AES_CCM_8[openssl]
-CHACHA20_POLY1305[openssl]
-HMAC_MD5_96[openssl]
-HMAC_MD5_128[openssl]
-HMAC_SHA1_96[openssl]
-HMAC_SHA1_128[openssl]
-HMAC_SHA1_160[openssl]
-HMAC_SHA2_256_128[openssl]
-HMAC_SHA2_256_256[openssl]
-HMAC_SHA2_384_192[openssl]
-HMAC_SHA2_384_384[openssl]
-HMAC_SHA2_512_256[openssl]
-HMAC_SHA2_512_512[openssl]
-HASH_MD4[openssl]
-HASH_MD5[openssl]
-HASH_SHA1[openssl]
-HASH_SHA2_224[openssl]
-HASH_SHA2_256[openssl]
-HASH_SHA2_384[openssl]
-HASH_SHA2_512[openssl]
-HASH_SHA3_224[openssl]
-HASH_SHA3_256[openssl]
-HASH_SHA3_384[openssl]
-HASH_SHA3_512[openssl]
-HASH_IDENTITY[openssl]
-PRF_KEYED_SHA1[openssl]
-PRF_HMAC_MD5[openssl]
-PRF_HMAC_SHA1[openssl]
-PRF_HMAC_SHA2_256[openssl]
-PRF_HMAC_SHA2_384[openssl]
-PRF_HMAC_SHA2_512[openssl]
-XOF_SHAKE128[openssl]
-XOF_SHAKE256[openssl]
-KDF_PRF[openssl]
-KDF_PRF_PLUS[openssl]
-DRBG_CTR_AES256[drbg]
-DRBG_CTR_AES128[drbg]
-DRBG_CTR_AES192[drbg]
-DRBG_HMAC_SHA1[drbg]
-DRBG_HMAC_SHA256[drbg]
-DRBG_HMAC_SHA384[drbg]
-DRBG_HMAC_SHA512[drbg]
-RNG_WEAK[openssl]
-RNG_STRONG[openssl]
-MODP_3072[openssl]
-MODP_4096[openssl]
-MODP_6144[openssl]
-MODP_8192[openssl]
-MODP_2048[openssl]
-MODP_2048_224[openssl]
-MODP_2048_256[openssl]
-MODP_1536[openssl]
-MODP_1024[openssl]
-MODP_1024_160[openssl]
-MODP_768[openssl]
-MODP_CUSTOM[openssl]
-ECP_256[openssl]
-ECP_384[openssl]
-ECP_521[openssl]
-ECP_224[openssl]
-ECP_192[openssl]
-ECP_256_BP[openssl]
-ECP_384_BP[openssl]
-ECP_512_BP[openssl]
-ECP_224_BP[openssl]
-CURVE_25519[openssl]
-CURVE_448[openssl]

.github/active-transforms/openssl-3

@@ -1,111 +0,0 @@
-AES_ECB[openssl]
-AES_ECB[openssl]
-AES_ECB[openssl]
-AES_CBC[openssl]
-AES_CBC[openssl]
-AES_CBC[openssl]
-AES_CTR[openssl]
-AES_CTR[openssl]
-AES_CTR[openssl]
-AES_CFB[openssl]
-AES_CFB[openssl]
-AES_CFB[openssl]
-CAMELLIA_CBC[openssl]
-CAMELLIA_CBC[openssl]
-CAMELLIA_CBC[openssl]
-CAMELLIA_CTR[openssl]
-CAMELLIA_CTR[openssl]
-CAMELLIA_CTR[openssl]
-CAST_CBC[openssl]
-BLOWFISH_CBC[openssl]
-3DES_CBC[openssl]
-DES_CBC[openssl]
-DES_ECB[openssl]
-NULL[openssl]
-AES_GCM_16[openssl]
-AES_GCM_16[openssl]
-AES_GCM_16[openssl]
-AES_GCM_12[openssl]
-AES_GCM_12[openssl]
-AES_GCM_12[openssl]
-AES_GCM_8[openssl]
-AES_GCM_8[openssl]
-AES_GCM_8[openssl]
-AES_CCM_16[openssl]
-AES_CCM_16[openssl]
-AES_CCM_16[openssl]
-AES_CCM_12[openssl]
-AES_CCM_12[openssl]
-AES_CCM_12[openssl]
-AES_CCM_8[openssl]
-AES_CCM_8[openssl]
-AES_CCM_8[openssl]
-CHACHA20_POLY1305[openssl]
-HMAC_MD5_96[openssl]
-HMAC_MD5_128[openssl]
-HMAC_SHA1_96[openssl]
-HMAC_SHA1_128[openssl]
-HMAC_SHA1_160[openssl]
-HMAC_SHA2_256_128[openssl]
-HMAC_SHA2_256_256[openssl]
-HMAC_SHA2_384_192[openssl]
-HMAC_SHA2_384_384[openssl]
-HMAC_SHA2_512_256[openssl]
-HMAC_SHA2_512_512[openssl]
-HASH_MD4[openssl]
-HASH_MD5[openssl]
-HASH_SHA1[openssl]
-HASH_SHA2_224[openssl]
-HASH_SHA2_256[openssl]
-HASH_SHA2_384[openssl]
-HASH_SHA2_512[openssl]
-HASH_SHA3_224[openssl]
-HASH_SHA3_256[openssl]
-HASH_SHA3_384[openssl]
-HASH_SHA3_512[openssl]
-HASH_IDENTITY[openssl]
-PRF_KEYED_SHA1[openssl]
-PRF_HMAC_MD5[openssl]
-PRF_HMAC_SHA1[openssl]
-PRF_HMAC_SHA2_256[openssl]
-PRF_HMAC_SHA2_384[openssl]
-PRF_HMAC_SHA2_512[openssl]
-XOF_SHAKE128[openssl]
-XOF_SHAKE256[openssl]
-KDF_PRF[openssl]
-KDF_PRF_PLUS[openssl]
-DRBG_CTR_AES256[drbg]
-DRBG_CTR_AES128[drbg]
-DRBG_CTR_AES192[drbg]
-DRBG_HMAC_SHA1[drbg]
-DRBG_HMAC_SHA256[drbg]
-DRBG_HMAC_SHA384[drbg]
-DRBG_HMAC_SHA512[drbg]
-RNG_WEAK[openssl]
-RNG_STRONG[openssl]
-MODP_3072[openssl]
-MODP_4096[openssl]
-MODP_6144[openssl]
-MODP_8192[openssl]
-MODP_2048[openssl]
-MODP_2048_224[openssl]
-MODP_2048_256[openssl]
-MODP_1536[openssl]
-MODP_1024[openssl]
-MODP_1024_160[openssl]
-MODP_768[openssl]
-MODP_CUSTOM[openssl]
-ML_KEM_512[openssl]
-ML_KEM_768[openssl]
-ML_KEM_1024[openssl]
-ECP_256[openssl]
-ECP_384[openssl]
-ECP_521[openssl]
-ECP_224[openssl]
-ECP_192[openssl]
-ECP_256_BP[openssl]
-ECP_384_BP[openssl]
-ECP_512_BP[openssl]
-ECP_224_BP[openssl]
-CURVE_25519[openssl]
-CURVE_448[openssl]

.github/active-transforms/openssl-awslc

@@ -1,98 +0,0 @@
-AES_ECB[openssl]
-AES_ECB[openssl]
-AES_ECB[openssl]
-AES_CBC[openssl]
-AES_CBC[openssl]
-AES_CBC[openssl]
-AES_CTR[openssl]
-AES_CTR[openssl]
-AES_CTR[openssl]
-AES_CFB[openssl]
-AES_CFB[openssl]
-AES_CFB[openssl]
-BLOWFISH_CBC[openssl]
-3DES_CBC[openssl]
-DES_CBC[openssl]
-DES_ECB[openssl]
-NULL[openssl]
-AES_GCM_16[openssl]
-AES_GCM_16[openssl]
-AES_GCM_16[openssl]
-AES_GCM_12[openssl]
-AES_GCM_12[openssl]
-AES_GCM_12[openssl]
-AES_GCM_8[openssl]
-AES_GCM_8[openssl]
-AES_GCM_8[openssl]
-AES_CCM_16[openssl]
-AES_CCM_16[openssl]
-AES_CCM_16[openssl]
-AES_CCM_12[openssl]
-AES_CCM_12[openssl]
-AES_CCM_12[openssl]
-AES_CCM_8[openssl]
-AES_CCM_8[openssl]
-AES_CCM_8[openssl]
-CHACHA20_POLY1305[openssl]
-HMAC_MD5_96[openssl]
-HMAC_MD5_128[openssl]
-HMAC_SHA1_96[openssl]
-HMAC_SHA1_128[openssl]
-HMAC_SHA1_160[openssl]
-HMAC_SHA2_256_128[openssl]
-HMAC_SHA2_256_256[openssl]
-HMAC_SHA2_384_192[openssl]
-HMAC_SHA2_384_384[openssl]
-HMAC_SHA2_512_256[openssl]
-HMAC_SHA2_512_512[openssl]
-HASH_MD4[openssl]
-HASH_MD5[openssl]
-HASH_SHA1[openssl]
-HASH_SHA2_224[openssl]
-HASH_SHA2_256[openssl]
-HASH_SHA2_384[openssl]
-HASH_SHA2_512[openssl]
-HASH_SHA3_224[openssl]
-HASH_SHA3_256[openssl]
-HASH_SHA3_384[openssl]
-HASH_SHA3_512[openssl]
-HASH_IDENTITY[openssl]
-PRF_KEYED_SHA1[openssl]
-PRF_HMAC_MD5[openssl]
-PRF_HMAC_SHA1[openssl]
-PRF_HMAC_SHA2_256[openssl]
-PRF_HMAC_SHA2_384[openssl]
-PRF_HMAC_SHA2_512[openssl]
-XOF_SHAKE128[openssl]
-XOF_SHAKE256[openssl]
-KDF_PRF[openssl]
-KDF_PRF_PLUS[openssl]
-DRBG_CTR_AES256[drbg]
-DRBG_CTR_AES128[drbg]
-DRBG_CTR_AES192[drbg]
-DRBG_HMAC_SHA1[drbg]
-DRBG_HMAC_SHA256[drbg]
-DRBG_HMAC_SHA384[drbg]
-DRBG_HMAC_SHA512[drbg]
-RNG_WEAK[openssl]
-RNG_STRONG[openssl]
-MODP_3072[openssl]
-MODP_4096[openssl]
-MODP_6144[openssl]
-MODP_8192[openssl]
-MODP_2048[openssl]
-MODP_2048_224[openssl]
-MODP_2048_256[openssl]
-MODP_1536[openssl]
-MODP_1024[openssl]
-MODP_1024_160[openssl]
-MODP_768[openssl]
-MODP_CUSTOM[openssl]
-ML_KEM_512[openssl]
-ML_KEM_768[openssl]
-ML_KEM_1024[openssl]
-ECP_256[openssl]
-ECP_384[openssl]
-ECP_521[openssl]
-ECP_224[openssl]
-CURVE_25519[openssl]

.github/active-transforms/wolfssl

@@ -1,103 +0,0 @@
-AES_ECB[wolfssl]
-AES_ECB[wolfssl]
-AES_ECB[wolfssl]
-AES_CTR[wolfssl]
-AES_CTR[wolfssl]
-AES_CTR[wolfssl]
-AES_CBC[wolfssl]
-AES_CBC[wolfssl]
-AES_CBC[wolfssl]
-AES_CFB[wolfssl]
-AES_CFB[wolfssl]
-AES_CFB[wolfssl]
-CAMELLIA_CBC[wolfssl]
-CAMELLIA_CBC[wolfssl]
-CAMELLIA_CBC[wolfssl]
-3DES_CBC[wolfssl]
-DES_CBC[wolfssl]
-DES_ECB[wolfssl]
-NULL[wolfssl]
-AES_GCM_16[wolfssl]
-AES_GCM_16[wolfssl]
-AES_GCM_16[wolfssl]
-AES_GCM_12[wolfssl]
-AES_GCM_12[wolfssl]
-AES_GCM_12[wolfssl]
-AES_GCM_8[wolfssl]
-AES_GCM_8[wolfssl]
-AES_GCM_8[wolfssl]
-AES_CCM_16[wolfssl]
-AES_CCM_16[wolfssl]
-AES_CCM_16[wolfssl]
-AES_CCM_12[wolfssl]
-AES_CCM_12[wolfssl]
-AES_CCM_12[wolfssl]
-AES_CCM_8[wolfssl]
-AES_CCM_8[wolfssl]
-AES_CCM_8[wolfssl]
-CHACHA20_POLY1305[wolfssl]
-HMAC_MD5_96[wolfssl]
-HMAC_MD5_128[wolfssl]
-HMAC_SHA1_96[wolfssl]
-HMAC_SHA1_128[wolfssl]
-HMAC_SHA1_160[wolfssl]
-HMAC_SHA2_256_128[wolfssl]
-HMAC_SHA2_256_256[wolfssl]
-HMAC_SHA2_384_192[wolfssl]
-HMAC_SHA2_384_384[wolfssl]
-HMAC_SHA2_512_256[wolfssl]
-HMAC_SHA2_512_512[wolfssl]
-HASH_MD5[wolfssl]
-HASH_SHA1[wolfssl]
-HASH_SHA2_224[wolfssl]
-HASH_SHA2_256[wolfssl]
-HASH_SHA2_384[wolfssl]
-HASH_SHA2_512[wolfssl]
-HASH_SHA3_224[wolfssl]
-HASH_SHA3_256[wolfssl]
-HASH_SHA3_384[wolfssl]
-HASH_SHA3_512[wolfssl]
-HASH_IDENTITY[wolfssl]
-PRF_KEYED_SHA1[wolfssl]
-PRF_HMAC_MD5[wolfssl]
-PRF_HMAC_SHA1[wolfssl]
-PRF_HMAC_SHA2_256[wolfssl]
-PRF_HMAC_SHA2_384[wolfssl]
-PRF_HMAC_SHA2_512[wolfssl]
-XOF_SHAKE256[wolfssl]
-KDF_PRF[wolfssl]
-KDF_PRF_PLUS[wolfssl]
-DRBG_CTR_AES256[drbg]
-DRBG_CTR_AES128[drbg]
-DRBG_CTR_AES192[drbg]
-DRBG_HMAC_SHA1[drbg]
-DRBG_HMAC_SHA256[drbg]
-DRBG_HMAC_SHA384[drbg]
-DRBG_HMAC_SHA512[drbg]
-RNG_WEAK[wolfssl]
-RNG_STRONG[wolfssl]
-ECP_256[wolfssl]
-ECP_384[wolfssl]
-ECP_521[wolfssl]
-ECP_224[wolfssl]
-ECP_256_BP[wolfssl]
-ECP_384_BP[wolfssl]
-ECP_512_BP[wolfssl]
-ECP_224_BP[wolfssl]
-MODP_3072[wolfssl]
-MODP_4096[wolfssl]
-MODP_6144[wolfssl]
-MODP_8192[wolfssl]
-MODP_2048[wolfssl]
-MODP_2048_224[wolfssl]
-MODP_2048_256[wolfssl]
-MODP_1536[wolfssl]
-MODP_1024[wolfssl]
-MODP_1024_160[wolfssl]
-MODP_768[wolfssl]
-MODP_CUSTOM[wolfssl]
-ML_KEM_512[wolfssl]
-ML_KEM_768[wolfssl]
-ML_KEM_1024[wolfssl]
-CURVE_25519[wolfssl]
-CURVE_448[wolfssl]

.github/codeql/cpp-queries/chunk_from_chars.ql

@@ -10,7 +10,8 @@
  * @precision very-high
  */
 import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
+import DataFlow::PathGraph
+import semmle.code.cpp.dataflow.DataFlow
 
 class ChunkFromChars extends Expr {
   ChunkFromChars() {
@@ -22,30 +23,29 @@ class ChunkFromChars extends Expr {
   }
 }
 
-module ChunkFromCharsConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
+class ChunkFromCharsUsage extends DataFlow::Configuration {
+  ChunkFromCharsUsage() { this = "ChunkFromCharsUsage" }
+
+  override predicate isSource(DataFlow::Node source) {
     source.asExpr() instanceof ChunkFromChars
   }
 
-  predicate isSink(DataFlow::Node sink) {
+  override predicate isSink(DataFlow::Node sink) {
     exists(sink.asExpr())
   }
 
-  predicate isBarrierOut(DataFlow::Node node) {
+  override predicate isBarrierOut(DataFlow::Node node) {
     /* don't track beyond function calls */
     exists(FunctionCall fc | node.asExpr().getParent*() = fc)
   }
 }
 
-module ChunkFromCharsFlow = DataFlow::Global<ChunkFromCharsConfig>;
-import ChunkFromCharsFlow::PathGraph
-
 BlockStmt enclosingBlock(BlockStmt b) {
   result = b.getEnclosingBlock()
 }
 
-from ChunkFromCharsFlow::PathNode source, ChunkFromCharsFlow::PathNode sink
+from ChunkFromCharsUsage usage, DataFlow::PathNode source, DataFlow::PathNode sink
 where
-  ChunkFromCharsFlow::flowPath(source, sink)
+  usage.hasFlowPath(source, sink)
   and not source.getNode().asExpr().getEnclosingBlock() = enclosingBlock*(sink.getNode().asExpr().getEnclosingBlock())
 select source, source, sink, "Invalid use of chunk_from_chars() result in sibling/parent block."

.github/workflows/android.yml

@@ -2,10 +2,6 @@ name: Android
 
 on: [push, pull_request]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 env:
   CCACHE_BASEDIR: ${{ github.workspace }}
   CCACHE_COMPRESS: true
@@ -22,7 +18,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
 
   android:
     needs: pre-check
@@ -30,39 +26,28 @@ jobs:
     runs-on: ubuntu-latest
     env:
       TEST: android
-      # since the NDK might be newly installed, we have to use this to avoid cache misses
+      # since the NDK is newly installed every time, we have to use this to avoid cache misses
       CCACHE_COMPILERCHECK: content
     steps:
-      - uses: actions/checkout@v4
-      # make sure the NDK we reference is installed and exported so we can use it to build OpenSSL
+      # we currently don't specify a specific NDK version in our gradle files,
+      # so we load the version the Gradle Plugin uses as default but which is
+      # not installed anymore in the image
       - name: Install NDK
-        id: ndk-install
-        run: |
-          NDK_VERSION=$(grep "ndkVersion" src/frontends/android/app/build.gradle | sed -e 's/.*"\(.*\)"/\1/')
-          echo Using NDK ${NDK_VERSION}
-          yes | ${ANDROID_HOME}/cmdline-tools/latest/bin/sdkmanager --install "ndk;${NDK_VERSION}"
-          echo "ANDROID_NDK_ROOT=${ANDROID_HOME}/ndk/${NDK_VERSION}" >> "$GITHUB_OUTPUT"
-      - uses: actions/cache@v4
+        run: yes | sudo ${ANDROID_HOME}/tools/bin/sdkmanager --install 'ndk;21.4.7075529'
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
         with:
           path: ~/.cache/ccache
           key: ccache-android-${{ github.sha }}
           restore-keys: |
             ccache-android-
-      # necessary for newer versions of the Gradle plugin
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin'
-          java-version: 17
-          cache: 'gradle'
       - run: |
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
       - uses: ./.github/actions/default
-        env:
-          ANDROID_NDK_ROOT: ${{ steps.ndk-install.outputs.ANDROID_NDK_ROOT }}
       - run: ccache -s
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: Lint Results
           path: src/frontends/android/app/build/reports/lint-results*.xml

.github/workflows/codeql.yml

@@ -2,10 +2,6 @@ name: "CodeQL"
 
 on: [push, pull_request]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 env:
   CCACHE_BASEDIR: ${{ github.workspace }}
   CCACHE_COMPRESS: true
@@ -23,7 +19,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
 
   analyze:
     needs: pre-check
@@ -38,20 +34,20 @@ jobs:
       matrix:
         language: [ 'cpp', 'python', 'ruby' ]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         config-file: ./.github/codeql/config.yml
 
     - if: matrix.language == 'python' || matrix.language == 'ruby'
       name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v2
 
     # this follows the steps of the Linux workflow
     - if: matrix.language == 'cpp'
-      uses: actions/cache@v4
+      uses: actions/cache@v3
       with:
         path: ~/.cache/ccache
         key: ccache-ubuntu-latest-gcc-codeql-${{ github.sha }}
@@ -73,6 +69,6 @@ jobs:
       run: ccache -s
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v2
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/linux.yml

@@ -2,10 +2,6 @@ name: Linux
 
 on: [push, pull_request]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 env:
   # this test case does not actually test anything but tries to access system
   # directories that might be inaccessible on build hosts
@@ -25,12 +21,12 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
 
   latest:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
-    runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+    runs-on: ubuntu-latest
     strategy:
       matrix:
         test: [ all, default, printf-builtin ]
@@ -49,12 +45,6 @@ jobs:
           - test: coverage
           - test: dist
           - test: nm
-          - test: no-dbg
-          - test: no-dbg
-            compiler: clang
-          - test: no-testable-ke
-          - test: no-testable-ke
-            compiler: clang
           - test: fuzzing
             compiler: clang
             monolithic: yes
@@ -64,8 +54,8 @@ jobs:
       CC: ${{ matrix.compiler || 'gcc' }}
       TEST: ${{ matrix.test }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
         with:
           path: ~/.cache/ccache
           # with regards to ccache, monolithic builds don't differ from regular
@@ -83,47 +73,38 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ success() && matrix.test == 'coverage' }}
-        uses: codecov/codecov-action@v4
-        with:
-          disable_search: true
-          fail_ci_if_error: true
-          file: coverage/coverage.cleaned.info
-          token: ${{ secrets.CODECOV_TOKEN }}
-          verbose: true
+        run: bash <(curl -s https://codecov.io/bash)
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: Logs ${{ github.job }}
           path: config.log
           retention-days: 5
 
-  crypto:
+  crypto-plugins:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        test: [ botan, wolfssl, openssl, openssl-3, openssl-awslc, gcrypt ]
-        os: [ ubuntu-latest, ubuntu-22.04 ]
+        os: [ ubuntu-latest, ubuntu-20.04 ]
+        test: [ botan, wolfssl, openssl, openssl-3, gcrypt ]
         leak-detective: [ no, yes ]
         exclude:
-          # test custom-built libs only on the latest platform
-          - os: ubuntu-22.04
+          # test custom-built libs only on one platform
+          - os: ubuntu-20.04
             test: botan
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
             test: wolfssl
-          - os: ubuntu-22.04
+          - os: ubuntu-20.04
             test: openssl-3
-          - os: ubuntu-22.04
-            test: openssl-awslc
     env:
       LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
       CC: ${{ matrix.compiler || 'gcc' }}
       TEST: ${{ matrix.test }}
-      ACTIVE_TRANSFORMS_REF: .github/active-transforms/${{ matrix.test }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
         with:
           # path is different on newer systems
           path: |
@@ -139,20 +120,10 @@ jobs:
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
-          echo "TESTS_ACTIVE_TRANSFORMS=$HOME/active-transforms.log" >> $GITHUB_ENV
       - uses: ./.github/actions/default
-      - name: Upload active transforms
-        uses: actions/upload-artifact@v4
-        with:
-          name: active-transforms-${{ matrix.test }}-${{ matrix.os }}-${{ matrix.leak-detective }}
-          path: ${{ env.TESTS_ACTIVE_TRANSFORMS }}
-          retention-days: 5
-      - name: Verify active transforms
-        run: |
-          test ! -f $ACTIVE_TRANSFORMS_REF || diff -u --color=always $ACTIVE_TRANSFORMS_REF $TESTS_ACTIVE_TRANSFORMS
       - run: ccache -s
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: Logs ${{ github.job }}
           path: config.log
@@ -164,7 +135,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ ubuntu-22.04 ]
+        os: [ ubuntu-20.04, ubuntu-18.04 ]
         test: [ all, nm ]
         compiler: [ gcc, clang ]
         exclude:
@@ -175,13 +146,10 @@ jobs:
       CC: ${{ matrix.compiler || 'gcc' }}
       TEST: ${{ matrix.test }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
         with:
-          # path is different on newer systems
-          path: |
-            ~/.cache/ccache
-            ~/.ccache
+          path: ~/.ccache
           key: ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-${{ github.sha }}
           restore-keys: |
             ccache-${{ matrix.os }}-${{ env.CC }}-${{ matrix.test }}-
@@ -193,7 +161,7 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: Logs ${{ github.job }}
           path: config.log

.github/workflows/macos.yml

@@ -2,10 +2,6 @@ name: macOS
 
 on: [push, pull_request]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 env:
   TESTS_REDUCED_KEYLENGTHS: yes
   CCACHE_BASEDIR: ${{ github.workspace }}
@@ -22,28 +18,23 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
 
   macos:
-    strategy:
-      matrix:
-        os: [macos-latest, macos-14]
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
-    runs-on: ${{ matrix.os }}
+    runs-on: macos-latest
     timeout-minutes: 20
     env:
       TEST: macos
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
         with:
           path: ~/Library/Caches/ccache
           key: ccache-${{ runner.os }}-${{ github.sha }}
           restore-keys: |
             ccache-${{ runner.os }}-
-      # workaround for conflict between Python installed in the image and via brew
-      - run: find /usr/local/bin -lname '*/Library/Frameworks/Python.framework/*' -delete -print
       - run: |
           brew install ccache
           echo "PATH=$(brew --prefix)/opt/ccache/libexec:$PATH" >> $GITHUB_ENV
@@ -51,7 +42,7 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: Logs ${{ github.job }}
           path: config.log

.github/workflows/sonarcloud.yml

@@ -2,10 +2,6 @@ name: SonarCloud
 
 on: [push]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 env:
   CCACHE_BASEDIR: ${{ github.workspace }}
   CCACHE_COMPRESS: true
@@ -21,7 +17,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
 
   sonarcloud:
     needs: pre-check
@@ -30,13 +26,14 @@ jobs:
     env:
       TEST: sonarcloud
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - uses: actions/cache@v4
+      - uses: actions/cache@v3
         with:
           path: |
             ~/.cache/ccache
+            ~/.sonar-cache
           key: ccache-sonarcloud-${{ github.sha }}
           restore-keys: |
             ccache-sonarcloud-
@@ -44,17 +41,24 @@ jobs:
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
-      - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v6.0.0
-      - run: |
-          echo "BUILD_WRAPPER_OUT_DIR=$HOME/bw-output" >> $GITHUB_ENV
-      - uses: ./.github/actions/default
-      - uses: SonarSource/sonarqube-scan-action@v6.0.0
+      # using SonarSource/sonarcloud-github-action is currently not recommended
+      # for C builds, so we follow the "any CI" instructions
+      - name: Install sonar-scanner
         env:
+          SONAR_SCANNER_VERSION: 4.6.2.2472
+        run: |
+          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
+          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
+          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+          echo "SONAR_SCANNER_OPTS=-server" >> $GITHUB_ENV
+          curl --create-dirs -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
+          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
+          echo "PATH=$HOME/.sonar/build-wrapper-linux-x86:$SONAR_SCANNER_HOME/bin:$PATH" >> $GITHUB_ENV
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILD_NUMBER: ${{ github.run_id }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        with:
-          args: >
-            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT }}
-            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
-            -Dsonar.cfamily.threads=2
-            -Dsonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json
+          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
+          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
+        uses: ./.github/actions/default
       - run: ccache -s

.github/workflows/tkm.yml

@@ -2,10 +2,6 @@ name: TKM
 
 on: [push, pull_request]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 env:
   CCACHE_DIR: ${{ github.workspace }}/.ccache
   CCACHE_CONTAINER: /root/.ccache
@@ -22,7 +18,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
 
   tkm:
     needs: pre-check
@@ -31,8 +27,8 @@ jobs:
     env:
       TEST: tkm
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
         with:
           path: ${{ env.CCACHE_DIR }}
           key: ccache-tkm-${{ github.sha }}

.github/workflows/windows.yml

@@ -2,10 +2,6 @@ name: Windows
 
 on: [push, pull_request]
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
 env:
   TESTS_REDUCED_KEYLENGTHS: yes
   CCACHE_BASEDIR: ${{ github.workspace }}
@@ -25,7 +21,7 @@ jobs:
       - id: skip-check
         uses: fkirc/skip-duplicate-actions@master
         with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
 
   cross-compile:
     needs: pre-check
@@ -38,8 +34,8 @@ jobs:
       OS_NAME: linux
       TEST: ${{ matrix.test }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
         with:
           path: ~/.cache/ccache
           key: ccache-${{ runner.os }}-${{ matrix.test }}-${{ github.sha }}
@@ -52,7 +48,7 @@ jobs:
       - uses: ./.github/actions/default
       - run: ccache -s
       - if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: Logs ${{ github.job }}
           path: config.log

.gitignore

@@ -27,7 +27,6 @@ libtool
 y.tab.[ch]
 lex.yy.c
 *keywords.c
-!proposal_keywords.c
 plugin_constructors.c
 Doxyfile
 apidoc/
@@ -39,7 +38,6 @@ fuzzing-corpora/
 *.tar.bz2
 *.tar.gz
 .DS_Store
-._.DS_Store
 coverage/
 *.gcno
 *.gcda
@@ -55,4 +53,3 @@ coverage/
 /*.includes
 test-driver
 nbproject/
-*.[si]

Android.mk

@@ -17,8 +17,11 @@ strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
 	pkcs1 pkcs8 pem xcbc hmac kdf kernel-netlink socket-default android-dns \
 	stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
 
+strongswan_STARTER_PLUGINS := kernel-netlink
+
 # list of all plugins - used to enable them with the function below
-strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS))
+strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS) \
+	$(strongswan_STARTER_PLUGINS))
 
 include $(LOCAL_PATH)/Android.common.mk
 

CONTRIBUTING.md

@@ -1,3 +1,3 @@
-Please refer to the [developer documentation](https://docs.strongswan.org/docs/latest/devs/devs.html)
+Please refer to the [developer documentation](https://docs.strongswan.org/docs/5.9/devs/devs.html)
 in our documentation for details regarding **code style** and
-[**contribution requirements**](https://docs.strongswan.org/docs/latest/devs/contributions.html).
+[**contribution requirements**](https://docs.strongswan.org/docs/5.9/devs/contributions.html).

HACKING

@@ -14,6 +14,7 @@ the code, you need the following tools:
     - autoconf
     - libtool
     - pkg-config
+    - gettext
     - perl
     - python
     - lex/flex

INSTALL

@@ -144,4 +144,4 @@ Contents
 
     For a more up-to-date list of recommended modules refer to:
 
-      * https://docs.strongswan.org/docs/latest/install/kernelModules.html
+      * https://docs.strongswan.org/docs/5.9/install/kernelModules.html

Makefile.am

@@ -65,11 +65,10 @@ cov-reset: cov-reset-common
 cov-report:
 		@mkdir $(top_builddir)/coverage
 		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
-			 --rc branch_coverage=1
+			 --rc lcov_branch_coverage=1
 		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \
-			 '*proposal_keywords_static.*' \
 			 -o $(abs_top_builddir)/coverage/coverage.cleaned.info \
-			 --rc branch_coverage=1
+			 --rc lcov_branch_coverage=1
 		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
 				-t "$(PACKAGE_STRING)" \
 				-o $(top_builddir)/coverage/html \

NEWS

@@ -1,302 +1,3 @@
-strongswan-6.0.2
-----------------
-
-- Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
-
-- Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
-
-- POSIX regular expressions can be used to match remote identities.
-
-- Switching configs based on EAP-Identities is supported. Setting
-  `remote.eap_id` now always initiates an EAP-Identity exchange.
-
-- On Linux, sequence numbers from acquires are used when installing SAs. This
-  allows handling narrowing properly.
-
-- During rekeying, the narrowed traffic selectors are now proposed instead of
-  the configured ones.
-
-- The default AH/ESP proposals contain all supported key exchange methods plus
-  `none` to make PFS optional and accept proposals of older peers.
-
-- GRO for ESP in enabled for NAT-T UDP sockets, which can improve performance
-  if the esp4|6_offload modules are loaded.
-
-- charon-nm sets the VPN connection as persistent, preventing NetworkManager
-  from tearing down the connection if the network connectivity changes.
-
-- ML-KEM is supported via OpenSSL 3.5+.
-
-- The wolfssl plugin is now compatible to wolfSSL's FIPS module.
-
-- The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported
-  anymore.
-
-- The long defunct uci plugin has been removed.
-
-- Log messages by watcher_t are now logged in a separate log group (`wch`).
-
-
-strongswan-6.0.1
-----------------
-
-- The ha plugin supports IKE and Child SAs with multiple key exchanges.
-  Incomplete IKE_SAs are now destroyed during a failover.
-
-- The new `interface_receive` option for the dhcp plugin allows binding the
-  receive socket to a different interface than the send socket. Also fixed a
-  regression if the DHCP server is running on the same host.
-
-- The new `source` option for the eap-radius plugin allows sending RADIUS
-  messages from a specific IP address.
-
-- Self-signed root CAs without policies are now excluded from policy validation.
-
-- Inbound traffic on IPsec SAs is now ignored when sending DPDs unless
-  UDP-encapsulation is used.
-
-- Send IKE_SA_INIT from NAT-T socket if not connecting to port 500.
-
-- Local traffic selectors can be configured for charon-nm. Its default
-  retransmission settings have been set to those of the Android app.
-
-- The vici Python wheel is now built via `build` frontend instead of calling
-  setup.py directly if --enable-python-wheels is used (the option to build eggs
-  has been removed). There is no option to automatically install the wheel (use
-  pip instead) and the --enable-python-eggs-install option has been removed.
-
-
-strongswan-6.0.0
-----------------
-
-- Support of multiple post-quantum (and classic) key exchanges using the
-  IKE_INTERMEDIATE exchange (RFC 9242) and the Additional Key Exchange
-  transform types 1..7 (RFC 9370).
-
-- ML-KEM is provided by the botan, wolfssl, openssl (only via AWS-LC) and the
-  new ml plugins.
-
-- Handling of CHILD_SA rekey collisions has been improved, which makes CHILD_SAs
-  properly trackable via chiled_rekey() hook.
-
-- The behavior when reloading or unloading connections that include `start` in
-  their `start_action` has been improved.
-
-- The default identity is now the subject DN instead of the IP address if a
-  certificate is available.
-
-- The file logger supports logging as JSON objects and can add timestamps
-  in microseconds.
-
-- The cert-enroll script now supports three generations of CA certificates.
-
-- charon-nm uses a different routing table than the regular IKE daemon to avoid
-  conflicts if both are running.
-
-- AF_VSOCK sockets are supported on Linux to communicate with a daemon that runs
-  in a VM.
-
-- TUN devices can properly handle IPv6 addresses.
-
-- For compatibility with older SCEP implementations, challenge passwords in
-  PKCS#10 containers are again encoded as PrintableString if possible.
-
-- The legacy stroke plugin is no longer enabled by default.
-
-- The openssl plugin is now enabled by default, while the following crypto
-  plugins are no longer enabled by default: aes, curve25519, des, fips-prf, gmp,
-  hmac, md5, pkcs12, rc2, sha1, sha2.
-
-- The following deprecated plugins have been removed: bliss, newhope, ntru.
-
-- charon.make_before_break is now enabled by default.
-
-
-strongswan-5.9.14
------------------
-
-- Support for the IKEv2 OCSP extensions (RFC 4806) has been added, which allows
-  peers to request and send OCSP responses directly in IKEv2.
-
-- Validation of X.509 name constraints in the constraints plugin has been
-  refactored to align with RFC 5280.
-
-- The dhcp plugin has been ported to FreeBSD/macOS.
-
-- The openssl plugin is now compatible with AWS-LC.
-
-- Overflows of unique identifiers (e.g. Netlink sequence numbers or reqids) are
-  now handled gracefully.
-
-- Updated the pkcs11.h header based on the latest OpenSC version in order to
-  include new algorithm and struct definitions for the pkcs11 plugin.
-  Added support for PSS padding in smartcard-based RSA signatures using either
-  on-chip or external data hashing.
-
-- Added keyid and certid handles in the pki --ocsp command so that keys and/or
-  certificates can be stored on a smartcard or in a TPM 2.0 device.
-
-- Fail SA installation on Linux if replay protection is disabled while ESN is
-  enabled, which the kernel currently doesn't support.
-
-
-strongswan-5.9.13
------------------
-
-- Fixes a regression with handling OCSP error responses and adds a new
-  option to specify the length of nonces in OCSP requests.  Also adds some
-  other improvements for OCSP handling and fuzzers for OCSP
-  requests/responses.
-
-
-strongswan-5.9.12
------------------
-
-- Fixed a vulnerability in charon-tkm related to processing DH public values
-  that can lead to a buffer overflow and potentially remote code execution.
-  This vulnerability has been registered as CVE-2023-41913.
-
-- The new `pki --ocsp` command produces OCSP responses based on certificate
-  status information provided by plugins.
-
-  Two sources are currently available, the openxpki plugin that directly
-  accesses the OpenXPKI database and the `--index` argument, which reads
-  certificate status information from OpenSSL-style index.txt files.
-
-- The cert-enroll script handles the initial enrollment of an X.509 host
-  certificate with a PKI server via the EST or SCEP protocols.
-
-  Run as a systemd timer or via a crontab entry the script daily checks the
-  expiration date of the host certificate. When a given deadline is reached,
-  the host certificate is automatically renewed via EST or SCEP re-enrollment
-  based on the possession of the old private key and the matching certificate.
-
-- The --priv argument for charon-cmd allows using any type of private key.
-
-- Support for nameConstraints of type iPAddress has been added (the openssl
-  plugin previously didn't support nameConstraints at all).
-
-- SANs of type uniformResourceIdentifier can now be encoded in certificates.
-
-- Password-less PKCS#12 and PKCS#8 files are supported.
-
-- A new global option allows preventing peers from authenticating with trusted
-  end-entity certificates (i.e. local certificates).
-
-- ECDSA public keys that encode curve parameters explicitly are now rejected by
-  all plugins that support ECDSA.
-
-- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
-  also use the name in connection.interface-name.
-
-- The resolve plugin tries to maintain the order of installed DNS servers.
-
-- The kernel-libipsec plugin always installs routes even if no address is found
-  in the local traffic selectors.
-
-- Increased the default receive buffer size for Netlink sockets to 8 MiB and
-  simplified its configuration.
-
-- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
-  always generating a hash of the subjectPublicKey.
-
-- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
-  timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
-  unrelated traffic selectors.
-
-- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
-  instead callbacks are always invoked even if only errors are signaled.
-
-- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
-  handling invalid messages.
-
-- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
-
-- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
-  CHILD_SA is not found during rekeying.
-
-- The testing environment is now based on Debian 12 (bookworm), by default.
-
-
-strongswan-5.9.11
------------------
-
-- A deadlock in the vici plugin has been fixed that could get triggered when
-  multiple connections were initiated/terminated concurrently and control-log
-  events were raised by the watcher_t component.
-
-- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
-  encoded (even if it's a CA), or a CA certificate without keyUsage extension.
-
-- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
-
-- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
-  openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
-
-- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
-  earlier that was introduced with 5.9.10.
-
-- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
-
-- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
-  gained support for trap policies.
-
-- The dhcp plugin uses an alternate method to determine the source address
-  for unicast DHCP requests that's not affected by interface filtering.
-
-- Certificate and trust chain selection as initiator has been improved in case
-  the local trust chain is incomplete and an unrelated certreq is received.
-
-- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
-
-- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
-  policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
-
-- Stale OCSP responses are now replace in-place in the certificate cache.
-
-- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.
-
-
-strongswan-5.9.10
------------------
-
-- Fixed a vulnerability related to certificate verification in TLS-based EAP
-  methods that leads to an authentication bypass followed by an expired pointer
-  dereference that results in a denial of service and possibly even remote code
-  execution.
-  This vulnerability has been registered as CVE-2023-26463.
-
-- Added support for full packet hardware offload for IPsec SAs and policies with
-  Linux 6.2 kernels to the kernel-netlink plugin.
-
-- TLS-based EAP methods now use the standardized key derivation when used
-  with TLS 1.3.
-
-- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
-  implementing the "protected success indication".
-
-- With the `prefer` value for the `childless` setting, initiators will create
-  a childless IKE_SA if the responder supports the extension.
-
-- Routes via XFRM interfaces can optionally be installed automatically by
-  enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
-
-- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
-  issues with name resolution if they are supported by the kernel.
-
-- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
-  PKCS#10 certificate signing request.
-
-- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
-  (replace them completely, or adding/removing specific flags).
-
-- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
-  IPsec SAs instead of the policies.
-
-- For libcurl with MultiSSL support, the curl plugin provides an option to
-  select the SSL/TLS backend.
-
-
 strongswan-5.9.9
 ----------------
 
@@ -476,7 +177,7 @@ strongswan-5.9.4
   salt lengths.
   This vulnerability has been registered as CVE-2021-41990.
 
-- Fixed a denial-of-service vulnerability in the in-memory certificate cache
+- Fixed a denial-of-service vulnerabililty in the in-memory certificate cache
   if certificates are replaced and a very large random value caused an integer
   overflow.
   This vulnerability has been registered as CVE-2021-41991.
@@ -1888,7 +1589,7 @@ strongswan-5.0.3
   PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
 
 - The charon systime-fix plugin can disable certificate lifetime checks on
-  embedded systems if the system time is obviously out of sync after boot-up.
+  embedded systems if the system time is obviously out of sync after bootup.
   Certificates lifetimes get checked once the system time gets sane, closing
   or reauthenticating connections using expired certificates.
 

README.md

@@ -566,7 +566,7 @@ to generate a traditional 3072 bit RSA key and store it in binary DER format.
 As an alternative a **TPM 2.0** *Trusted Platform Module* available on every
 recent Intel platform could be used as a virtual smartcard to securely store an
 RSA or ECDSA private key. For details, refer to the TPM 2.0
-[HOWTO](https://docs.strongswan.org/docs/latest/tpm/tpm2.html).
+[HOWTO](https://docs.strongswan.org/docs/5.9/tpm/tpm2.html).
 
 In a next step the command
 

conf/Makefile.am

@@ -16,7 +16,6 @@ options = \
 	options/charon-systemd.opt \
 	options/imcv.opt \
 	options/imv_policy_manager.opt \
-	options/iptfs.opt \
 	options/manager.opt \
 	options/medsrv.opt \
 	options/pki.opt \
@@ -32,6 +31,7 @@ plugins = \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
+	plugins/bliss.opt \
 	plugins/botan.opt \
 	plugins/bypass-lan.opt \
 	plugins/certexpire.opt \
@@ -77,8 +77,8 @@ plugins = \
 	plugins/kernel-pfroute.opt \
 	plugins/load-tester.opt \
 	plugins/lookip.opt \
+	plugins/ntru.opt \
 	plugins/openssl.opt \
-	plugins/openxpki.opt \
 	plugins/osx-attr.opt \
 	plugins/p-cscf.opt \
 	plugins/pkcs11.opt \

conf/format-options.py

@@ -55,6 +55,14 @@ man pages) the following format can be used:
 
 full.section.name.include files/to/include
 	Description of this include statement
+
+Dots in section/option names may be escaped with a backslash.  For instance,
+with the following section description
+
+charon.filelog./var/log/daemon\.log {}
+	Section to define logging into /var/log/daemon.log
+
+/var/log/daemon.log will be the name of the last section.
 """
 
 import sys
@@ -66,10 +74,10 @@ from functools import cmp_to_key, total_ordering
 @total_ordering
 class ConfigOption:
 	"""Representing a configuration option or described section in strongswan.conf"""
-	def __init__(self, fullname, default = None, section = False, commented = False, include = False):
-		self.path = fullname.split('.')
-		self.name = self.path[-1]
-		self.fullname = fullname
+	def __init__(self, path, default = None, section = False, commented = False, include = False):
+		self.path = path
+		self.name = path[-1]
+		self.fullname = '.'.join(path)
 		self.default = default
 		self.section = section
 		self.commented = commented
@@ -133,7 +141,8 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			self.__current = ConfigOption(m.group('name'), m.group('default'),
+			path = self.__split_name(m.group('name'))
+			self.__current = ConfigOption(path, m.group('default'),
 										  commented = not m.group('assign'))
 			return
 		# section definition
@@ -141,7 +150,8 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			self.__current = ConfigOption(m.group('name'), section = True,
+			path = self.__split_name(m.group('name'))
+			self.__current = ConfigOption(path, section = True,
 										  commented = m.group('comment'))
 			return
 		# include definition
@@ -149,7 +159,8 @@ class Parser:
 		if m:
 			if self.__current:
 				self.__add_option(self.__current)
-			self.__current = ConfigOption(m.group('name'), m.group('pattern'), include = True)
+			path = self.__split_name(m.group('name'))
+			self.__current = ConfigOption(path, m.group('pattern'), include = True)
 			return
 		# paragraph separator
 		m = re.match(r'^\s*$', line)
@@ -160,6 +171,10 @@ class Parser:
 		if m and self.__current:
 			self.__current.add(m.group('text'))
 
+	def __split_name(self, name):
+		"""Split the given full name in a list of section/option names"""
+		return [x.replace('\.', '.') for x in re.split(r'(?<!\\)\.', name)]
+
 	def __add_option(self, option):
 		"""Adds the given option to the abstract storage"""
 		option.desc = [desc for desc in option.desc if len(desc)]
@@ -179,14 +194,12 @@ class Parser:
 		"""Searches/Creates the option (section) based on a list of section names"""
 		option = None
 		options = self.options
-		fullname = ""
-		for name in path:
-			fullname += '.' + name if len(fullname) else name
+		for i, name in enumerate(path, 1):
 			option = next((x for x in options if x.name == name and x.section), None)
 			if not option:
 				if not create:
 					break
-				option = ConfigOption(fullname, section = True)
+				option = ConfigOption(path[:i], section = True)
 				options.append(option)
 				if self.sort:
 					options.sort()
@@ -195,7 +208,7 @@ class Parser:
 
 	def get_option(self, name):
 		"""Retrieves the option with the given name"""
-		return self.__get_option(name.split('.'))
+		return self.__get_option(self.__split_name(name))
 
 class TagReplacer:
 	"""Replaces formatting tags in text"""
@@ -241,7 +254,6 @@ class GroffTagReplacer(TagReplacer):
 			if not punct:
 				punct = ''
 			text = re.sub(r'[\r\n\t]', ' ', m.group('text'))
-			text = re.sub(r'"', '""', text)
 			return '{0}.R{1} "{2}" "{3}" "{4}"\n'.format(nl, format, brack, text, punct)
 		return replacer
 
@@ -306,8 +318,7 @@ class ManFormatter:
 	def __groffize(self, text):
 		"""Encode text as groff text"""
 		text = self.__tags.replace(text)
-		text = re.sub(r'\\(?!-)', '\\[rs]', text)
-		text = re.sub(r'(?<!\\)-', '\\-', text)
+		text = re.sub(r'(?<!\\)-', r'\\-', text)
 		# remove any leading whitespace
 		return re.sub(r'^\s+', '', text, flags = re.MULTILINE)
 

conf/options/charon-logging.opt

@@ -26,18 +26,8 @@ charon.filelog.<name>.flush_line = no
 	Enabling this option disables block buffering and enables line buffering.
 
 charon.filelog.<name>.ike_name = no
-	Add the connection name and a unique numerical identifier for the current
-	IKE_SA to each log entry if available.
-
-charon.filelog.<name>.json = no
-	If enabled, each log entry is written to the file as a JSON object.
-
-	Enables writing each log entry as a JSON object to the file. The properties
-	are "time" (if `time_format` is set), "thread", "group", "level" and "msg".
-	Newlines, double quotes and backslashes are escaped in the latter. If
-	`ike_name` is enabled, "ikesa-uniqueid" and "ikesa-name" are added to the
-	object if available. The `log_level` option does not apply if this is
-	enabled.
+	Prefix each log entry with the connection name and a unique numerical
+	identifier for each IKE_SA.
 
 charon.filelog.<name>.log_level = no
 	Add the log level of each message after the subsystem (e.g. [IKE2]).
@@ -46,10 +36,9 @@ charon.filelog.<name>.time_format
 	Prefix each log entry with a timestamp. The option accepts a format string
 	as passed to **strftime**(3).
 
-charon.filelog.<name>.time_precision =
-	Add the milliseconds (_ms_) or microseconds (_us_) within the current second
-	after the timestamp (separated by a dot, so _time_format_ should end
-	with %S or %T). By default, nothing is added.
+charon.filelog.<name>.time_add_ms = no
+	Adds the milliseconds within the current second after the timestamp
+	(separated by a dot, so _time_format_ should end with %S or %T).
 
 charon.syslog {}
 	Section to define syslog loggers, see LOGGER CONFIGURATION in

conf/options/charon-nm.opt

@@ -1,55 +1,3 @@
-charon-nm {}
-	Section with settings specific to the NetworkManager backend `charon-nm`.
-	Settings from the `charon` section are not inherited, but many can be used
-	here as well. Defaults for some settings are chosen very deliberately and
-	should only be changed in case of conflicts.
-
 charon-nm.ca_dir = <default>
 	Directory from which to load CA certificates if no certificate is
 	configured.
-
-charon-nm.install_virtual_ip_on = lo
-	Interface on which virtual IP addresses are installed. Note that NM
-	also installs the virtual IPs on the XFRM interface.
-
-charon-nm.mtu = 1400
-	MTU for XFRM interfaces created by the NM plugin.
-
-charon-nm.port = 0
-	Source port when sending packets to port 500. Defaults to an ephemeral
-	port. May be set to 500 if firewall rules require a static port.
-
-charon-nm.port_nat_t = 0
-	Source port when sending packets to port 4500 or a custom server port.
-	Defaults to an ephemeral port. May be set to e.g. 4500 if firewall rules
-	require a static port.
-
-charon-nm.retransmit_base = 1.4
-	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
-	in **strongswan.conf**(5). Default retransmission settings for charon-nm are
-	deliberately lower to fail and possibly reestablish SAs more quickly.
-
-charon-nm.retransmit_timeout = 2.0
-	Timeout in seconds before sending first retransmit.
-
-charon-nm.retransmit_tries = 3
-	Number of times to retransmit a packet before giving up.
-
-charon-nm.routing_table = 210
-	Table where routes via XFRM interface are installed. Should be different
-	than the table used for the regular IKE daemon due to the mark.
-
-charon-nm.routing_table_prio = 210
-	Priority of the routing table. Higher than the default priority used for the
-	regular IKE daemon.
-
-charon-nm.plugins.kernel-netlink.fwmark = !210
-	Make packets with this mark ignore the routing table. Must be the same mark
-	set in charon-nm.plugins.socket-default.fwmark.
-
-charon-nm.plugins.socket-default.fwmark = 210
-	Mark applied to IKE and ESP packets to ignore the routing table and avoid
-	routing loops when using XFRM interfaces.
-
-charon-nm.syslog.daemon.default = 1
-	Default to logging via syslog's daemon facility on level 1.

conf/options/charon.opt

@@ -38,8 +38,8 @@ charon.cert_cache = yes
 charon.cache_crls = no
 	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
 	be saved under a unique file name derived from the public key of the
-	Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
-	**${sysconfdir}/swanctl/x509crl** (vici), respectively.
+	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+	**/etc/swanctl/x509crl** (vici), respectively.
 
 charon.check_current_path = no
 	Whether to use DPD to check if the current path still works after any
@@ -154,16 +154,8 @@ charon.fragment_size = 1280
 	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
 	when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
 	to 1280 (use 0 for address family specific default values, which uses a
-	lower value for IPv4).  Unless overridden, this limit is used for both IPv4
-	and IPv6 if specified.
-
-charon.fragment_size_v4 = charon.fragment_size
-	Maximum size (complete IPv4 datagram size in bytes) of a sent IKE fragment
-	when using proprietary IKEv1 or standardized IKEv2 fragmentation.
-
-charon.fragment_size_v6 = charon.fragment_size
-	Maximum size (complete IPv6 datagram size in bytes) of a sent IKE fragment
-	when using proprietary IKEv1 or standardized IKEv2 fragmentation.
+	lower value for IPv4).  If specified this limit is used for both IPv4 and
+	IPv6.
 
 charon.group
 	Name of the group the daemon changes to after startup.
@@ -291,7 +283,7 @@ charon.max_ikev1_exchanges = 3
 charon.max_packet = 10000
 	Maximum packet size accepted by charon.
 
-charon.make_before_break = yes
+charon.make_before_break = no
 	Initiate IKEv2 reauthentication with a make-before-break scheme.
 
 	Initiate IKEv2 reauthentication with a make-before-break instead of a
@@ -310,13 +302,6 @@ charon.nbns1
 charon.nbns2
 	WINS servers assigned to peer via configuration payload (CP).
 
-charon.ocsp_nonce_len = 32
-	Length of nonces in OCSP requests (1-32).
-
-	Length of nonces in OCSP requests. According to RFC 8954, valid values are
-	between 1 and 32, with new clients required to use 32. Some servers might
-	not support that so lowering the value to e.g. 16 might be necessary.
-
 charon.port = 500
 	UDP port used locally. If set to 0 a random port will be allocated.
 
@@ -387,10 +372,6 @@ charon.receive_delay_request = yes
 charon.receive_delay_type = 0
 	Specific IKEv2 message type to delay, 0 for any.
 
-charon.reject_trusted_end_entity = no
-	Reject peers that use trusted end-entity certificates (i.e. local
-	certificates).
-
 charon.replay_window = 32
 	Size of the AH/ESP replay window, in packets.
 

conf/options/iptfs.opt

@@ -1,38 +0,0 @@
-charon.iptfs {}
-	Global settings for IP-TFS (RFC 9347). The Linux kernel supports this mode
-	since 6.14. However, it currently only supports aggregation/fragmentation of
-	tunneled IP packets in ESP/AGGFRAG packets. It doesn't yet support other
-	IP-TFS features like sending packets at a constant rate or congestion control.
-
-charon.iptfs.drop_time = 1000000
-	Time in microseconds to wait for out-of-order packets when processing
-	inbound traffic.
-
-charon.iptfs.reorder_window = 3
-	Number of packets that may arrive out of order when processing inbound
-	traffic.
-
-charon.iptfs.init_delay = 0
-	Time in microseconds to wait for subsequent packets to aggregate together
-	when sending outbound traffic. Only relevant if no packets are already
-	queued to be sent.
-
-charon.iptfs.max_queue_size = 1048576
-	Maximum number of bytes allowed to be queued for sending on the tunnel
-	(default 1 MiB). If the queue is full, packets are dropped.
-
-charon.iptfs.packet_size = 0
-	Maximum outer packet size (layer 3) when sending packets. The default of 0
-	will use the PMTU as packet size. Note that the kernel currently doesn't
-	pad smaller packets.
-
-charon.iptfs.accept_fragments = yes
-	Whether fragments of inner packets across multiple AGGFRAG payloads are
-	accepted. This is an IKEv2 option, so if the peer doesn't adhere to this
-	request and still sends such fragments, they will be processed by the
-	kernel.
-
-charon.iptfs.dont_frag = no
-	Force disabling fragmenting inner packets across multiple AGGFRAG payloads
-	when sending outbound traffic (fragmentation is automatically disabled if
-	the peer indicates that it doesn't support handling such packets).

conf/plugins/bliss.opt

@@ -0,0 +1,2 @@
+charon.plugins.bliss.use_bliss_b = yes
+	Use the enhanced BLISS-B key generation and signature algorithm.

conf/plugins/curl.opt

@@ -1,11 +1,3 @@
 charon.plugins.curl.redir = -1
 	Maximum number of redirects followed by the plugin, set to 0 to disable
 	following redirects, set to -1 for no limit.
-
-charon.plugins.curl.tls_backend =
-	The SSL/TLS backend to configure in curl if multiple are available.
-
-	The SSL/TLS backend to configure in curl if multiple are available (requires
-	libcurl 7.56 or newer). A list of available options is logged on level 2 if
-	nothing is configured. Similar but on level 1 if the selected backend isn't
-	available.

conf/plugins/dhcp.opt

@@ -36,13 +36,3 @@ charon.plugins.dhcp.interface
 	Interface name the plugin uses for address allocation. The default is to
 	bind to any (0.0.0.0) and let the system decide which way to route the
 	packets to the DHCP server.
-
-charon.plugins.dhcp.interface_receive = charon.plugins.dhcp.interface
-	Interface name the plugin uses to bind its receive socket.
-
-	Interface name the plugin uses to bind its receive socket. The default is
-	to use the same interface as the send socket. Set it to the empty string
-	to avoid binding the receive socket to any interface while the send socket
-	is bound to one. If the	server runs on the same host and the send socket is
-	bound to an interface, it might be necessary to set this to `lo` or the
-	empty string.

conf/plugins/eap-peap.opt

@@ -11,8 +11,7 @@ charon.plugins.eap-peap.phase2_method = mschapv2
 	Phase2 EAP client authentication method.
 
 charon.plugins.eap-peap.phase2_piggyback = no
-	Phase2 EAP Identity request piggybacked by server onto TLS Finished message,
-	relevant only if TLS 1.2 or earlier is negotiated.
+	Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
 
 charon.plugins.eap-peap.phase2_tnc = no
 	Start phase2 EAP TNC protocol after successful client authentication.

conf/plugins/eap-radius.opt

@@ -84,9 +84,6 @@ charon.plugins.eap-radius.secret =
 charon.plugins.eap-radius.server =
 	IP/Hostname of RADIUS server.
 
-charon.plugins.eap-radius.source =
-	Optional specific source IP to use.
-
 charon.plugins.eap-radius.retransmit_base = 1.4
 	Base to use for calculating exponential back off.
 
@@ -99,12 +96,12 @@ charon.plugins.eap-radius.retransmit_tries = 4
 charon.plugins.eap-radius.servers {}
 	Section to specify multiple RADIUS servers.
 
-	Section to specify multiple RADIUS servers. The **source**,
-	**nas_identifier**,	**secret**, **sockets** and **port** (or **auth_port**)
-	options can be specified for each server. A server's IP/Hostname can be
-	configured using the **address** option. The **acct_port** [1813] option can
-	be used to specify the port used for RADIUS accounting. For each RADIUS
-	server a priority can be specified using the **preference** [0] option. The
+	Section to specify multiple RADIUS servers. The **nas_identifier**,
+	**secret**, **sockets** and **port** (or **auth_port**) options can be
+	specified for each server. A server's IP/Hostname can be configured using
+	the **address** option. The **acct_port** [1813] option can be used to
+	specify the port used for RADIUS accounting. For each RADIUS server a
+	priority can be specified using the **preference** [0] option. The
 	retransmission time for each server can set set using **retransmit_base**,
 	**retransmit_timeout** and **retransmit_tries**.
 

conf/plugins/kernel-libipsec.opt

@@ -5,10 +5,3 @@ charon.plugins.kernel-libipsec.allow_peer_ts = no
 	installed for such traffic (via TUN device) usually prevents further IKE
 	traffic. The fwmark options for the _kernel-netlink_ and _socket-default_
 	plugins can be used to circumvent that problem.
-
-charon.plugins.kernel-libipsec.fwmark = charon.plugins.socket-default.fwmark
-	Firewall mark to set on outbound raw ESP packets.
-
-charon.plugins.kernel-libipsec.raw_esp = no
-	Whether to send and receive ESP packets without UDP encapsulation if
-	supported on this platform and no NAT is detected.

conf/plugins/kernel-netlink.opt

@@ -1,6 +1,14 @@
 charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
 	Buffer size for received Netlink messages.
 
+charon.plugins.kernel-netlink.force_receive_buffer_size = no
+	Force maximum Netlink receive buffer on Netlink socket.
+
+	If the maximum Netlink socket receive buffer in bytes set by
+	_receive_buffer_size_ exceeds the system-wide maximum from
+	/proc/sys/net/core/rmem_max, this option can be used to override the limit.
+	Enabling this option requires special privileges (CAP_NET_ADMIN).
+
 charon.plugins.kernel-netlink.fwmark =
 	Firewall mark to set on the routing rule that directs traffic to our routing
 	table.
@@ -20,16 +28,6 @@ charon.plugins.kernel-netlink.hw_offload_feature_interface = lo
 	cannot be used to obtain the appropriate feature flag, this option can
 	be used to specify an alternative interface for offload feature detection.
 
-charon.plugins.kernel-netlink.install_routes_xfrmi = no
-	Whether to install routes for SAs that reference XFRM interfaces.
-
-	Whether routes via XFRM interfaces are automatically installed for SAs that
-	reference such an interface via _if_id_out_.  If the traffic selectors
-	include the IKE traffic to the peer, this requires special care (e.g.
-	installing bypass policies and/or routes, or setting a mark on the IKE
-	socket and excluding such packets from the configured routing table via
-	_fwmark_ option).
-
 charon.plugins.kernel-netlink.mss = 0
 	MSS to set on installed routes, 0 to disable.
 
@@ -66,16 +64,14 @@ charon.plugins.kernel-netlink.process_rules = no
 	currently only useful if the kernel based route lookup is used (i.e. if
 	route installation is disabled or an inverted fwmark match is configured).
 
-charon.plugins.kernel-netlink.receive_buffer_size = 8388608
+charon.plugins.kernel-netlink.receive_buffer_size = 0
 	Maximum Netlink socket receive buffer in bytes.
 
 	Maximum Netlink socket receive buffer in bytes. This value controls how many
-	bytes of Netlink messages can be queued to a Netlink socket. If set to 0,
-	the default from /proc/sys/net/core/rmem_default will apply. Note that the
-	kernel doubles the configured value to account for overhead. To exceed the
-	system-wide	maximum from /proc/sys/net/core/rmem_max, special privileges
-	(CAP_NET_ADMIN) are necessary, otherwise, the kernel silently caps the
-	value.
+	bytes of Netlink messages can be received on a Netlink socket. The default
+	value is set by /proc/sys/net/core/rmem_default. The specified value cannot
+	exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
+	_force_receive_buffer_size_	is enabled.
 
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.

conf/plugins/ntru.opt

@@ -0,0 +1,4 @@
+charon.plugins.ntru.parameter_set = optimum
+	The following parameter sets are available: **x9_98_speed**,
+	**x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not
+	being part of the X9.98 standard but having the best performance.

conf/plugins/openxpki.opt

@@ -1,4 +0,0 @@
-charon.plugins.openxpki.database =
-	Database URI connecting to the OpenXPKI **certificate** database. If it
-	contains a password, make sure to adjust the permissions of the config
-	file accordingly.

conf/plugins/pkcs11.opt

@@ -30,8 +30,3 @@ charon.plugins.pkcs11.use_pubkey = no
 
 charon.plugins.pkcs11.use_rng = no
 	Whether the PKCS#11 modules should be used as RNG.
-
-charon.plugins.pkcs11.use_rsa_pss_hashers = no
-	Whether the PKCS#11 modules should try to use internal hashing for RSA-PSS
-	signatures (some PKCS#11 libraries don't implement internal hashing
-	in conjunction with RSA-PSS correctly).

conf/plugins/unbound.opt

@@ -1,7 +1,7 @@
 charon.plugins.unbound.resolv_conf = /etc/resolv.conf
 	File to read DNS resolver configuration from.
 
-charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
+charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
 	File to read DNSSEC trust anchors from (usually root zone KSK).
 
 	File to read DNSSEC trust anchors from (usually root zone KSK). The format

conf/strongswan.conf.5.tail.in

@@ -458,7 +458,6 @@ The variables used above are configured as follows:
 .na
 ${piddir}               @piddir@
 ${prefix}               @prefix@
-${sysconfdir}           @sysconfdir@
 ${random_device}        @random_device@
 ${urandom_device}       @urandom_device@
 .ad
@@ -468,19 +467,18 @@ ${urandom_device}       @urandom_device@
 .
 .nf
 .na
-@sysconfdir@/strongswan.conf       configuration file
-@sysconfdir@/strongswan.d/         directory containing included config snippets
-@sysconfdir@/strongswan.d/charon/  plugin specific config snippets
+/etc/strongswan.conf       configuration file
+/etc/strongswan.d/         directory containing included config snippets
+/etc/strongswan.d/charon/  plugin specific config snippets
 .ad
 .fi
 .
 .SH SEE ALSO
-\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
 \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
 
 .SH HISTORY
 Written for the
-.UR https://www.strongswan.org
+.UR http://www.strongswan.org
 strongSwan project
 .UE
 by Tobias Brunner, Andreas Steffen and Martin Willi.

configure.ac

@@ -20,7 +20,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[6.0.3dr1])
+AC_INIT([strongSwan],[5.9.9])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -33,18 +33,21 @@ AM_INIT_AUTOMAKE(m4_esyscmd([
 	esac
 ]))
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
-AC_CONFIG_MACRO_DIRS([m4/config m4/macros])
+AC_CONFIG_MACRO_DIR([m4/config])
 AC_CONFIG_HEADERS([config.h])
 AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
 AC_DISABLE_STATIC
 PKG_PROG_PKG_CONFIG
 
+m4_include(m4/macros/split-package-version.m4)
 SPLIT_PACKAGE_VERSION
 
 # =================================
 #  check --enable-xxx & --with-xxx
 # =================================
 
+m4_include(m4/macros/with.m4)
+
 ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
 ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
 ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
@@ -67,7 +70,7 @@ ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
 ARG_WITH_SET([printf-hooks],         [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
 ARG_WITH_SET([rubygemdir],           ["gem environment gemdir"], [path to install ruby gems to])
-ARG_WITH_SET([testable-ke],          [yes], [make key exchange implementations testable by providing a set_seed() method])
+ARG_WITH_SET([pythoneggdir],         ["main site-packages directory"], [path to install python eggs to to])
 
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
@@ -126,38 +129,42 @@ fi
 # convert script name to uppercase
 AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
 
+m4_include(m4/macros/enable-disable.m4)
+
 # crypto plugins
-ARG_ENABL_SET([aes],            [enable AES software implementation plugin.])
+ARG_DISBL_SET([aes],            [disable AES software implementation plugin.])
 ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
+ARG_ENABL_SET([bliss],          [enable BLISS software implementation plugin.])
 ARG_ENABL_SET([blowfish],       [enable Blowfish software implementation plugin.])
 ARG_ENABL_SET([botan],          [enables the Botan crypto plugin.])
 ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([chapoly],        [enables the ChaCha20/Poly1305 AEAD plugin.])
 ARG_DISBL_SET([cmac],           [disable CMAC crypto implementation plugin.])
 ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
-ARG_ENABL_SET([des],            [enable DES/3DES software implementation plugin.])
+ARG_DISBL_SET([des],            [disable DES/3DES software implementation plugin.])
 ARG_DISBL_SET([drbg],           [disable the NIST Deterministic Random Bit Generator plugin.])
-ARG_ENABL_SET([fips-prf],       [enable FIPS PRF software implementation plugin.])
-ARG_ENABL_SET([gcm],            [enable the GCM AEAD wrapper crypto plugin.])
+ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin.])
+ARG_DISBL_SET([gcm],            [disable the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
-ARG_ENABL_SET([gmp],            [enable GNU MP (libgmp) based crypto implementation plugin.])
-ARG_ENABL_SET([curve25519],     [enable Curve25519 Diffie-Hellman plugin.])
-ARG_ENABL_SET([hmac],           [enable HMAC crypto implementation plugin.])
+ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_DISBL_SET([curve25519],     [disable Curve25519 Diffie-Hellman plugin.])
+ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_DISBL_SET([kdf],            [disable KDF (prf+) implementation plugin.])
 ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
-ARG_ENABL_SET([md5],            [enable MD5 software implementation plugin.])
+ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
 ARG_ENABL_SET([mgf1],           [enable the MGF1 software implementation plugin.])
-ARG_ENABL_SET([ml],             [enable Module-Lattice-based crypto (ML-KEM) plugin.])
+ARG_ENABL_SET([newhope],        [enable New Hope crypto plugin.])
 ARG_DISBL_SET([nonce],          [disable nonce generation plugin.])
-ARG_DISBL_SET([openssl],        [disable the OpenSSL crypto plugin.])
+ARG_ENABL_SET([ntru],           [enables the NTRU crypto plugin.])
+ARG_ENABL_SET([openssl],        [enables the OpenSSL crypto plugin.])
 ARG_ENABL_SET([wolfssl],        [enables the wolfSSL crypto plugin.])
 ARG_ENABL_SET([padlock],        [enables VIA Padlock crypto plugin.])
 ARG_DISBL_SET([random],         [disable RNG implementation on top of /dev/(u)random.])
-ARG_ENABL_SET([rc2],            [enable RC2 software implementation plugin.])
+ARG_DISBL_SET([rc2],            [disable RC2 software implementation plugin.])
 ARG_ENABL_SET([rdrand],         [enable Intel RDRAND random generator plugin.])
 ARG_ENABL_SET([aesni],          [enable Intel AES-NI crypto plugin.])
-ARG_ENABL_SET([sha1],           [enable SHA1 software implementation plugin.])
-ARG_ENABL_SET([sha2],           [enable SHA256/SHA384/SHA512 software implementation plugin.])
+ARG_DISBL_SET([sha1],           [disable SHA1 software implementation plugin.])
+ARG_DISBL_SET([sha2],           [disable SHA256/SHA384/SHA512 software implementation plugin.])
 ARG_ENABL_SET([sha3],           [enable SHA3_224/SHA3_256/SHA3_384/SHA3_512 software implementation plugin.])
 ARG_DISBL_SET([xcbc],           [disable xcbc crypto implementation plugin.])
 # encoding/decoding plugins
@@ -167,11 +174,10 @@ ARG_DISBL_SET([pgp],            [disable PGP key decoding plugin.])
 ARG_DISBL_SET([pkcs1],          [disable PKCS1 key decoding plugin.])
 ARG_DISBL_SET([pkcs7],          [disable PKCS7 container support plugin.])
 ARG_DISBL_SET([pkcs8],          [disable PKCS8 private key decoding plugin.])
-ARG_ENABL_SET([pkcs12],         [enable PKCS12 container support plugin.])
+ARG_DISBL_SET([pkcs12],         [disable PKCS12 container support plugin.])
 ARG_DISBL_SET([pubkey],         [disable RAW public key support plugin.])
 ARG_DISBL_SET([sshkey],         [disable SSH key decoding plugin.])
 ARG_DISBL_SET([x509],           [disable X509 certificate implementation plugin.])
-ARG_ENABL_SET([openxpki],       [enable OCSP responder accessing OpenXPKI certificate database.])
 # fetcher/resolver plugins
 ARG_ENABL_SET([curl],           [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
 ARG_ENABL_SET([files],          [enable simple file:// URI fetcher.])
@@ -230,9 +236,10 @@ ARG_DISBL_SET([socket-default], [disable default socket implementation for charo
 ARG_ENABL_SET([socket-dynamic], [enable dynamic socket implementation for charon])
 ARG_ENABL_SET([socket-win],     [enable Winsock2 based socket implementation for charon])
 # configuration/control plugins
-ARG_ENABL_SET([stroke],         [enable the stroke configuration backend.])
+ARG_DISBL_SET([stroke],         [disable charons stroke configuration backend.])
 ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
 ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
+ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_DISBL_SET([vici],           [disable strongSwan IKE generic IPC interface plugin.])
 # attribute provider/consumer plugins
 ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
@@ -300,7 +307,6 @@ ARG_ENABL_SET([svc],            [enable charon Windows service.])
 ARG_ENABL_SET([systemd],        [enable systemd specific IKE daemon charon-systemd.])
 ARG_DISBL_SET([swanctl],        [disable swanctl configuration and control tool.])
 ARG_ENABL_SET([tkm],            [enable Trusted Key Manager support.])
-ARG_ENABL_SET([cert-enroll],    [enable automatic certificate enrollment via EST or SCEP.])
 # optional features
 ARG_ENABL_SET([bfd-backtraces], [use binutils libbfd to resolve backtraces for memory leaks and segfaults.])
 ARG_ENABL_SET([dbghelp-backtraces],[use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults.])
@@ -312,14 +318,13 @@ ARG_ENABL_SET([mediation],      [enable IKEv2 Mediation Extension.])
 ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
 ARG_ENABL_SET([ruby-gems],      [enable build of provided ruby gems.])
 ARG_ENABL_SET([ruby-gems-install],[enable installation of provided ruby gems.])
-ARG_ENABL_SET([python-wheels],  [enable build of provided python wheels.])
-ARG_ENABL_SET([python-eggs],    [legacy alias for --enable-python-wheels.])
+ARG_ENABL_SET([python-eggs],    [enable build of provided python eggs.])
+ARG_ENABL_SET([python-eggs-install],[enable installation of provided python eggs.])
 ARG_ENABL_SET([perl-cpan],      [enable build of provided perl CPAN module.])
 ARG_ENABL_SET([perl-cpan-install],[enable installation of provided CPAN module.])
 ARG_ENABL_SET([selinux],        [enable SELinux support for labeled IPsec.])
 ARG_ENABL_SET([tss-trousers],   [enable the use of the TrouSerS Trusted Software Stack])
 ARG_ENABL_SET([tss-tss2],       [enable the use of the TSS 2.0 Trusted Software Stack])
-ARG_ENABL_SET([cert-enroll-timer],[enable installation of cert-enroll as a systemd timer.])
 
 # compile options
 ARG_ENABL_SET([asan],           [enable build with AddressSanitizer (ASan).])
@@ -462,10 +467,6 @@ if test x$fips_prf = xtrue; then
 	fi
 fi
 
-if test x$pkcs12 = xtrue; then
-	rc2=true;
-fi
-
 if test x$swanctl = xtrue; then
 	vici=true
 fi
@@ -491,8 +492,8 @@ if test x$ruby_gems_install = xtrue; then
 	ruby_gems=true
 fi
 
-if test x$python_eggs = xtrue; then
-	python_wheels=true
+if test x$python_eggs_install = xtrue; then
+	python_eggs=true
 fi
 
 if test x$perl_cpan_install = xtrue; then
@@ -507,41 +508,24 @@ if test x$tpm = xtrue; then
 	tss_tss2=true
 fi
 
-if test x$gmp = xtrue; then
+if test x$gmp = xtrue -o x$ntru = xtrue -o x$bliss = xtrue; then
 	mgf1=true
 fi
 
-if test x$stroke = xtrue -o x$vici = xtrue; then
+if test x$stroke = xtrue; then
 	counters=true
 fi
 
-if test x$cert_enroll = xtrue; then
-	pki=true
-fi
-
 if test x$kdf = xfalse; then
-	openssl_hkdf=false
-	if test x$openssl = xtrue; then
-		AC_MSG_CHECKING(for OpenSSL >= 3.0 for HKDF)
-		AC_COMPILE_IFELSE(
-			[AC_LANG_PROGRAM(
-				[[#include <openssl/opensslv.h>]],
-				[[#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_IS_AWSLC)
-					#error OpenSSL version unusable
-				  #endif]])],
-			[AC_MSG_RESULT([yes]); openssl_hkdf=true],
-			[AC_MSG_RESULT([no])]
-		)
-	fi
 	if test x$aesni = xtrue -o x$cmac = xtrue -o x$xcbc = xtrue; then
 		AC_MSG_WARN(m4_normalize([
 			kdf plugin is required for possible use of PRF_AES128_XCBC/CMAC
 			by one of these plugins: aesni, cmac, xcbc]))
 		kdf=true
-	elif test x$botan = xfalse -a x$openssl_hkdf = xfalse -a x$wolfssl = xfalse; then
+	elif test x$botan = xfalse -a x$openssl = xfalse -a x$wolfssl = xfalse; then
 		AC_MSG_WARN(m4_normalize([
 			kdf plugin is required because none of the following plugins is
-			enabled or usable: botan, openssl, wolfssl]))
+			enabled: botan, openssl, wolfssl]))
 		kdf=true
 	fi
 fi
@@ -604,10 +588,6 @@ AC_LINK_IFELSE(
 AC_SUBST(ATOMICLIB)
 
 LIBS=$saved_LIBS
-
-# Some platforms require explicit linking to use POSIX regular expressions
-AC_SEARCH_LIBS([regcomp], [regex], [AC_DEFINE([HAVE_REGEX], [], [have regcomp() etc.])])
-
 # ------------------------------------------------------
 
 AC_MSG_CHECKING(for dladdr)
@@ -726,11 +706,6 @@ AC_CHECK_HEADERS([netinet/ip6.h linux/fib_rules.h], [], [],
 	#include <sys/types.h>
 	#include <netinet/in.h>
 ])
-AC_CHECK_HEADERS([linux/vm_sockets.h], [have_vm_sockets=true], [],
-[
-	#include <sys/socket.h>
-])
-AM_CONDITIONAL(USE_VM_SOCKETS, [test "x$have_vm_sockets" = xtrue])
 
 AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [],
 [
@@ -769,7 +744,7 @@ AC_COMPILE_IFELSE(
 		  #include <sys/types.h>
 		  #include <sys/socket.h>
 		  #include <netinet/in.h>]],
-		[[struct in6_pktinfo pi = {};
+		[[struct in6_pktinfo pi;
 		  if (pi.ipi6_ifindex)
 		  {
 		    return 0;
@@ -1044,7 +1019,7 @@ if test x$unbound = xtrue; then
 fi
 
 if test x$soup = xtrue; then
-	PKG_CHECK_MODULES(soup, [libsoup-3.0])
+	PKG_CHECK_MODULES(soup, [libsoup-2.4])
 	AC_SUBST(soup_CFLAGS)
 	AC_SUBST(soup_LIBS)
 fi
@@ -1055,16 +1030,14 @@ if test x$xml = xtrue; then
 	AC_SUBST(xml_LIBS)
 fi
 
-if test x$systemd = xtrue -o x$cert_enroll_timer = xtrue; then
+if test x$systemd = xtrue; then
 	AC_MSG_CHECKING([for systemd system unit directory])
 	if test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno; then
 		AC_MSG_RESULT([$systemdsystemunitdir])
 	else
 		AC_MSG_ERROR([not found (try --with-systemdsystemunitdir)])
 	fi
-fi
 
-if test x$systemd = xtrue; then
 	PKG_CHECK_MODULES(systemd, [libsystemd >= 209],
 		[AC_SUBST(systemd_CFLAGS)
 		 AC_SUBST(systemd_LIBS)],
@@ -1196,7 +1169,7 @@ if test x$openssl = xtrue; then
 	if test "x$windows" = xtrue; then
 		openssl_lib=eay32
 		AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"],
-			[openssl_lib=""],[$DLLIB])
+			[AC_MSG_RESULT([no]);openssl_lib=""],[$DLLIB])
 	fi
 	if test -z "$openssl_lib"; then
 		openssl_lib=crypto
@@ -1234,10 +1207,15 @@ if test x$botan = xtrue; then
 	AC_SUBST(botan_LIBS)
 	saved_LIBS=$LIBS
 	LIBS="$botan_LIBS"
-	AC_CHECK_FUNCS(botan_rng_init_custom botan_pubkey_ecc_key_used_explicit_encoding)
+	AC_CHECK_FUNCS(botan_rng_init_custom)
 	LIBS=$saved_LIBS
 fi
 
+if test x$uci = xtrue; then
+	AC_CHECK_LIB([uci],[uci_alloc_context],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
+	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
+fi
+
 if test x$android_dns = xtrue; then
 	AC_CHECK_LIB([cutils],[property_get],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
 	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
@@ -1345,10 +1323,6 @@ if test x$unwind_backtraces = xtrue; then
 	AC_SUBST(UNWINDLIB)
 fi
 
-if test "x$testable_ke" = xyes; then
-	AC_DEFINE([TESTABLE_KE], [1], [Define to 1 if key exchange methods should be testable.])
-fi
-
 AM_CONDITIONAL(USE_DEV_HEADERS, [test "x$dev_headers" != xno])
 if test x$dev_headers = xyes; then
 	dev_headers="$includedir/strongswan"
@@ -1372,7 +1346,7 @@ if test x$coverage = xtrue; then
 		AC_MSG_ERROR([genhtml not found])
 	fi
 
-	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage -fprofile-update=atomic"
+	COVERAGE_CFLAGS="-fprofile-arcs -ftest-coverage"
 	COVERAGE_LDFLAGS="-fprofile-arcs"
 	AC_SUBST(COVERAGE_CFLAGS)
 	AC_SUBST(COVERAGE_LDFLAGS)
@@ -1438,12 +1412,24 @@ if test x$ruby_gems = xtrue; then
 fi
 AM_CONDITIONAL(RUBY_GEMS_INSTALL, [test "x$ruby_gems_install" = xtrue])
 
-if test x$python_wheels = xtrue; then
+if test x$python_eggs = xtrue; then
 	PYTHON_PACKAGE_VERSION=`echo "$PACKAGE_VERSION" | $SED 's/dr/.dev/'`
 	AC_SUBST([PYTHON_PACKAGE_VERSION])
+	if test x$python_eggs_install = xtrue; then
+		AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+		if test x$EASY_INSTALL = x; then
+			AC_MSG_ERROR(Python easy_install not found)
+		fi
+	fi
+	if test "x$pythoneggdir" = "xmain site-packages directory"; then
+		AC_SUBST(PYTHONEGGINSTALLDIR, "")
+	else
+		AC_SUBST(PYTHONEGGINSTALLDIR, "--install-dir $pythoneggdir")
+	fi
 	AC_PATH_PROG([TOX], [tox], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 	AC_PATH_PROG([PY_TEST], [py.test], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
 fi
+AM_CONDITIONAL(PYTHON_EGGS_INSTALL, [test "x$python_eggs_install" = xtrue])
 
 AM_CONDITIONAL(PERL_CPAN_INSTALL, [test "x$perl_cpan_install" = xtrue])
 
@@ -1515,8 +1501,11 @@ CFLAGS="$WARN_CFLAGS $CFLAGS"
 #  collect plugin list for strongSwan components
 # ===============================================
 
+m4_include(m4/macros/add-plugin.m4)
+
 # plugin lists for all components
 charon_plugins=
+starter_plugins=
 pool_plugins=
 attest_plugins=
 pki_plugins=
@@ -1556,7 +1545,7 @@ ADD_PLUGIN([random],               [s charon pki scripts manager medsrv attest n
 ADD_PLUGIN([nonce],                [s charon nm cmd aikgen])
 ADD_PLUGIN([x509],                 [s charon pki scripts attest nm cmd aikgen fuzz])
 ADD_PLUGIN([revocation],           [s charon pki nm cmd])
-ADD_PLUGIN([constraints],          [s charon pki nm cmd])
+ADD_PLUGIN([constraints],          [s charon nm cmd])
 ADD_PLUGIN([acert],                [s charon])
 ADD_PLUGIN([pubkey],               [s charon pki cmd aikgen])
 ADD_PLUGIN([pkcs1],                [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
@@ -1588,25 +1577,26 @@ ADD_PLUGIN([kdf],                  [s charon pki scripts nm cmd])
 ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
-ADD_PLUGIN([ml],                   [s charon scripts nm cmd])
+ADD_PLUGIN([ntru],                 [s charon scripts nm cmd])
 ADD_PLUGIN([drbg],                 [s charon pki scripts nm cmd])
+ADD_PLUGIN([newhope],              [s charon scripts nm cmd])
+ADD_PLUGIN([bliss],                [s charon pki scripts nm cmd])
 ADD_PLUGIN([curl],                 [s charon pki scripts nm cmd])
 ADD_PLUGIN([files],                [s charon pki scripts nm cmd])
 ADD_PLUGIN([winhttp],              [s charon pki scripts])
 ADD_PLUGIN([soup],                 [s charon pki scripts nm cmd])
-ADD_PLUGIN([mysql],                [s charon pki pool manager medsrv attest])
-ADD_PLUGIN([sqlite],               [s charon pki pool manager medsrv attest])
-ADD_PLUGIN([openxpki],             [s pki])
+ADD_PLUGIN([mysql],                [s charon pool manager medsrv attest])
+ADD_PLUGIN([sqlite],               [s charon pool manager medsrv attest])
 ADD_PLUGIN([attr],                 [c charon])
 ADD_PLUGIN([attr-sql],             [c charon])
 ADD_PLUGIN([load-tester],          [c charon])
 ADD_PLUGIN([kernel-libipsec],      [c charon cmd])
 ADD_PLUGIN([kernel-wfp],           [c charon])
 ADD_PLUGIN([kernel-iph],           [c charon])
-ADD_PLUGIN([kernel-pfkey],         [c charon nm cmd])
-ADD_PLUGIN([kernel-pfroute],       [c charon nm cmd])
-ADD_PLUGIN([kernel-netlink],       [c charon nm cmd])
-ADD_PLUGIN([selinux],              [c charon nm cmd])
+ADD_PLUGIN([kernel-pfkey],         [c charon starter nm cmd])
+ADD_PLUGIN([kernel-pfroute],       [c charon starter nm cmd])
+ADD_PLUGIN([kernel-netlink],       [c charon starter nm cmd])
+ADD_PLUGIN([selinux],              [c charon starter nm cmd])
 ADD_PLUGIN([resolve],              [c charon cmd])
 ADD_PLUGIN([save-keys],            [c])
 ADD_PLUGIN([socket-default],       [c charon nm cmd])
@@ -1670,11 +1660,13 @@ ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
 ADD_PLUGIN([coupling],             [c charon])
 ADD_PLUGIN([radattr],              [c charon])
+ADD_PLUGIN([uci],                  [c charon])
 ADD_PLUGIN([addrblock],            [c charon])
 ADD_PLUGIN([unity],                [c charon])
 ADD_PLUGIN([counters],             [c charon])
 
 AC_SUBST(charon_plugins)
+AC_SUBST(starter_plugins)
 AC_SUBST(pool_plugins)
 AC_SUBST(attest_plugins)
 AC_SUBST(pki_plugins)
@@ -1730,7 +1722,6 @@ AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue)
 AM_CONDITIONAL(USE_PKCS7, test x$pkcs7 = xtrue)
 AM_CONDITIONAL(USE_PKCS8, test x$pkcs8 = xtrue)
 AM_CONDITIONAL(USE_PKCS12, test x$pkcs12 = xtrue)
-AM_CONDITIONAL(USE_OPENXPKI, test x$openxpki = xtrue)
 AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue)
 AM_CONDITIONAL(USE_DNSKEY, test x$dnskey = xtrue)
 AM_CONDITIONAL(USE_SSHKEY, test x$sshkey = xtrue)
@@ -1755,8 +1746,10 @@ AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
 AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
+AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue)
+AM_CONDITIONAL(USE_NEWHOPE, test x$newhope = xtrue)
+AM_CONDITIONAL(USE_BLISS, test x$bliss = xtrue)
 AM_CONDITIONAL(USE_DRBG, test x$drbg = xtrue)
-AM_CONDITIONAL(USE_ML, test x$ml = xtrue)
 
 #  charon plugins
 # ----------------
@@ -1764,6 +1757,7 @@ AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_VICI, test x$vici = xtrue)
 AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
+AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_OSX_ATTR, test x$osx_attr = xtrue)
 AM_CONDITIONAL(USE_P_CSCF, test x$p_cscf = xtrue)
 AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
@@ -1850,7 +1844,6 @@ AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
 AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
 AM_CONDITIONAL(USE_COUNTERS, test x$counters = xtrue)
 AM_CONDITIONAL(USE_SELINUX, test x$selinux = xtrue)
-AM_CONDITIONAL(USE_PF_HANDLER, test x$dhcp = xtrue -o x$farp = xtrue)
 
 #  other options
 # ---------------
@@ -1874,6 +1867,7 @@ AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
+AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
@@ -1901,10 +1895,8 @@ AM_CONDITIONAL(USE_SWANCTL, test x$swanctl = xtrue)
 AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
 AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
 AM_CONDITIONAL(USE_LEGACY_SYSTEMD, test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno)
-AM_CONDITIONAL(USE_CERT_ENROLL, test x$cert_enroll = xtrue)
-AM_CONDITIONAL(USE_CERT_ENROLL_TIMER, test x$cert_enroll_timer = xtrue)
 AM_CONDITIONAL(USE_RUBY_GEMS, test x$ruby_gems = xtrue)
-AM_CONDITIONAL(USE_PYTHON_WHEELS, test x$python_wheels = xtrue)
+AM_CONDITIONAL(USE_PYTHON_EGGS, test x$python_eggs = xtrue)
 AM_CONDITIONAL(USE_PERL_CPAN, test x$perl_cpan = xtrue)
 AM_CONDITIONAL(USE_TOX, test "x$TOX" != x)
 AM_CONDITIONAL(USE_PY_TEST, test "x$PY_TEST" != x -a "x$TOX" = x)
@@ -1949,16 +1941,14 @@ strongswan_options=
 
 AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
-AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging iptfs"])
+AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
 AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"])
-AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv imv_policy_manager"])
-AM_COND_IF([USE_IMC_SWIMA], [strongswan_options=${strongswan_options}" sw-collector"])
+AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv"])
 AM_COND_IF([USE_IMV_SWIMA], [strongswan_options=${strongswan_options}" sec-updater"])
 AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"])
 AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"])
 AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"])
-AM_COND_IF([USE_NM], [strongswan_options=${strongswan_options}" charon-nm"])
 AM_COND_IF([USE_PKI], [strongswan_options=${strongswan_options}" pki"])
 AM_COND_IF([USE_SWANCTL], [strongswan_options=${strongswan_options}" swanctl"])
 AM_COND_IF([USE_SYSTEMD], [strongswan_options=${strongswan_options}" charon-systemd"])
@@ -1980,6 +1970,8 @@ AC_CONFIG_FILES([
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
+	src/libstrongswan/math/libnttfft/Makefile
+	src/libstrongswan/math/libnttfft/tests/Makefile
 	src/libstrongswan/plugins/aes/Makefile
 	src/libstrongswan/plugins/cmac/Makefile
 	src/libstrongswan/plugins/des/Makefile
@@ -2010,7 +2002,6 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/pkcs7/Makefile
 	src/libstrongswan/plugins/pkcs8/Makefile
 	src/libstrongswan/plugins/pkcs12/Makefile
-	src/libstrongswan/plugins/openxpki/Makefile
 	src/libstrongswan/plugins/pgp/Makefile
 	src/libstrongswan/plugins/dnskey/Makefile
 	src/libstrongswan/plugins/sshkey/Makefile
@@ -2037,7 +2028,11 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/gcm/Makefile
 	src/libstrongswan/plugins/af_alg/Makefile
 	src/libstrongswan/plugins/drbg/Makefile
-	src/libstrongswan/plugins/ml/Makefile
+	src/libstrongswan/plugins/ntru/Makefile
+	src/libstrongswan/plugins/bliss/Makefile
+	src/libstrongswan/plugins/bliss/tests/Makefile
+	src/libstrongswan/plugins/newhope/Makefile
+	src/libstrongswan/plugins/newhope/tests/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libstrongswan/tests/Makefile
 	src/libipsec/Makefile
@@ -2118,6 +2113,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/medcli/Makefile
 	src/libcharon/plugins/addrblock/Makefile
 	src/libcharon/plugins/unity/Makefile
+	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
 	src/libcharon/plugins/kernel_netlink/Makefile
 	src/libcharon/plugins/kernel_pfkey/Makefile
@@ -2173,7 +2169,6 @@ AC_CONFIG_FILES([
 	src/sw-collector/Makefile
 	src/sec-updater/Makefile
 	src/swanctl/Makefile
-	src/cert-enroll/Makefile
 	src/xfrmi/Makefile
 	scripts/Makefile
 	testing/Makefile
@@ -2197,7 +2192,6 @@ AC_CONFIG_FILES([
 	src/pki/man/pki---gen.1
 	src/pki/man/pki---issue.1
 	src/pki/man/pki---keyid.1
-	src/pki/man/pki---ocsp.1
 	src/pki/man/pki---pkcs12.1
 	src/pki/man/pki---pkcs7.1
 	src/pki/man/pki---print.1
@@ -2214,7 +2208,6 @@ AC_CONFIG_FILES([
 	src/pt-tls-client/pt-tls-client.1
 	src/sw-collector/sw-collector.8
 	src/sec-updater/sec-updater.8
-	src/cert-enroll/cert-enroll.8
 ])
 
 AC_OUTPUT

fuzz/.gitignore

@@ -1,7 +1,5 @@
 fuzz_certs
 fuzz_crls
-fuzz_ocsp_req
-fuzz_ocsp_rsp
 fuzz_ids
 fuzz_pa_tnc
 fuzz_pb_tnc

fuzz/Makefile.am

@@ -11,7 +11,7 @@ AM_CPPFLAGS = @CPPFLAGS@ \
 
 fuzz_ldflags = ${libfuzzer} \
 	$(top_builddir)/src/libstrongswan/.libs/libstrongswan.a \
-	-Wl,-Bstatic -lcrypto -Wl,-Bdynamic \
+	-Wl,-Bstatic -lgmp -Wl,-Bdynamic \
 	@FUZZING_LDFLAGS@
 
 pa_tnc_ldflags = \
@@ -25,8 +25,7 @@ pb_tnc_ldflags = \
 	$(top_builddir)/src/libtncif/.libs/libtncif.a \
 	$(fuzz_ldflags)
 
-FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_ocsp_req fuzz_ocsp_rsp \
-	fuzz_ids fuzz_pa_tnc fuzz_pb_tnc
+FUZZ_TARGETS=fuzz_certs fuzz_crls fuzz_ids fuzz_pa_tnc fuzz_pb_tnc
 
 all-local: $(FUZZ_TARGETS)
 
@@ -38,12 +37,6 @@ fuzz_certs: fuzz_certs.c ${libfuzzer}
 fuzz_crls: fuzz_crls.c ${libfuzzer}
 	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
 
-fuzz_ocsp_req: fuzz_ocsp_req.c ${libfuzzer}
-	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
-
-fuzz_ocsp_rsp: fuzz_ocsp_rsp.c ${libfuzzer}
-	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
-
 fuzz_ids: fuzz_ids.c ${libfuzzer}
 	$(CC) $(AM_CPPFLAGS) $(CFLAGS) -o $@ $< $(fuzz_ldflags)
 

fuzz/fuzz_ocsp_req.c

@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2023 Tobias Brunner
- *
- * Copyright (C) secunet Security Networks AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <utils/debug.h>
-
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
-{
-	certificate_t *cert;
-	chunk_t chunk;
-
-	dbg_default_set_level(-1);
-	library_init(NULL, "fuzz_ocsp_req");
-	plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
-	if (!lib->plugins->load(lib->plugins, PLUGINS))
-	{
-		return 1;
-	}
-
-	chunk = chunk_create((u_char*)buf, len);
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
-							  BUILD_BLOB, chunk, BUILD_END);
-	DESTROY_IF(cert);
-
-	lib->plugins->unload(lib->plugins);
-	library_deinit();
-	return 0;
-}

fuzz/fuzz_ocsp_rsp.c

@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2023 Tobias Brunner
- *
- * Copyright (C) secunet Security Networks AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <utils/debug.h>
-
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
-{
-	certificate_t *cert;
-	chunk_t chunk;
-
-	dbg_default_set_level(-1);
-	library_init(NULL, "fuzz_ocsp_rsp");
-	plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
-	if (!lib->plugins->load(lib->plugins, PLUGINS))
-	{
-		return 1;
-	}
-
-	chunk = chunk_create((u_char*)buf, len);
-	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
-							  BUILD_BLOB, chunk, BUILD_END);
-	DESTROY_IF(cert);
-
-	lib->plugins->unload(lib->plugins);
-	library_deinit();
-	return 0;
-}

init/Makefile.am

@@ -2,12 +2,10 @@
 SUBDIRS =
 
 if USE_LEGACY_SYSTEMD
-if USE_FILE_CONFIG
 if USE_CHARON
   SUBDIRS += systemd-starter
 endif
 endif
-endif
 
 if USE_SYSTEMD
 if USE_SWANCTL

init/systemd-starter/strongswan-starter.service.in

@@ -1,7 +1,6 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
 After=syslog.target network-online.target
-Wants=syslog.target network-online.target
 
 [Service]
 ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork

init/systemd/strongswan.service.in

@@ -1,7 +1,6 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
 After=network-online.target
-Wants=network-online.target
 
 [Service]
 Type=notify

m4/macros/host-cpu-c-abi.m4

@@ -1,532 +0,0 @@
-# host-cpu-c-abi.m4
-# serial 20
-dnl Copyright (C) 2002-2025 Free Software Foundation, Inc.
-dnl This file is free software; the Free Software Foundation
-dnl gives unlimited permission to copy and/or distribute it,
-dnl with or without modifications, as long as this notice is preserved.
-dnl This file is offered as-is, without any warranty.
-
-dnl From Bruno Haible and Sam Steingold.
-
-dnl Sets the HOST_CPU variable to the canonical name of the CPU.
-dnl Sets the HOST_CPU_C_ABI variable to the canonical name of the CPU with its
-dnl C language ABI (application binary interface).
-dnl Also defines __${HOST_CPU}__ and __${HOST_CPU_C_ABI}__ as C macros in
-dnl config.h.
-dnl
-dnl This canonical name can be used to select a particular assembly language
-dnl source file that will interoperate with C code on the given host.
-dnl
-dnl For example:
-dnl * 'i386' and 'sparc' are different canonical names, because code for i386
-dnl   will not run on SPARC CPUs and vice versa. They have different
-dnl   instruction sets.
-dnl * 'sparc' and 'sparc64' are different canonical names, because code for
-dnl   'sparc' and code for 'sparc64' cannot be linked together: 'sparc' code
-dnl   contains 32-bit instructions, whereas 'sparc64' code contains 64-bit
-dnl   instructions. A process on a SPARC CPU can be in 32-bit mode or in 64-bit
-dnl   mode, but not both.
-dnl * 'mips' and 'mipsn32' are different canonical names, because they use
-dnl   different argument passing and return conventions for C functions, and
-dnl   although the instruction set of 'mips' is a large subset of the
-dnl   instruction set of 'mipsn32'.
-dnl * 'mipsn32' and 'mips64' are different canonical names, because they use
-dnl   different sizes for the C types like 'int' and 'void *', and although
-dnl   the instruction sets of 'mipsn32' and 'mips64' are the same.
-dnl * The same canonical name is used for different endiannesses. You can
-dnl   determine the endianness through preprocessor symbols:
-dnl   - 'arm': test __ARMEL__.
-dnl   - 'mips', 'mipsn32', 'mips64': test _MIPSEB vs. _MIPSEL.
-dnl   - 'powerpc64': test __BIG_ENDIAN__ vs. __LITTLE_ENDIAN__.
-dnl * The same name 'i386' is used for CPUs of type i386, i486, i586
-dnl   (Pentium), AMD K7, Pentium II, Pentium IV, etc., because
-dnl   - Instructions that do not exist on all of these CPUs (cmpxchg,
-dnl     MMX, SSE, SSE2, 3DNow! etc.) are not frequently used. If your
-dnl     assembly language source files use such instructions, you will
-dnl     need to make the distinction.
-dnl   - Speed of execution of the common instruction set is reasonable across
-dnl     the entire family of CPUs. If you have assembly language source files
-dnl     that are optimized for particular CPU types (like GNU gmp has), you
-dnl     will need to make the distinction.
-dnl   See <https://en.wikipedia.org/wiki/X86_instruction_listings>.
-AC_DEFUN([gl_HOST_CPU_C_ABI],
-[
-  AC_REQUIRE([AC_CANONICAL_HOST])
-  AC_REQUIRE([gl_C_ASM])
-  AC_CACHE_CHECK([host CPU and C ABI], [gl_cv_host_cpu_c_abi],
-    [case "$host_cpu" in
-
-changequote(,)dnl
-       i[34567]86 )
-changequote([,])dnl
-         gl_cv_host_cpu_c_abi=i386
-         ;;
-
-       x86_64 )
-         # On x86_64 systems, the C compiler may be generating code in one of
-         # these ABIs:
-         # - 64-bit instruction set, 64-bit pointers, 64-bit 'long': x86_64.
-         # - 64-bit instruction set, 64-bit pointers, 32-bit 'long': x86_64
-         #   with native Windows (mingw, MSVC).
-         # - 64-bit instruction set, 32-bit pointers, 32-bit 'long': x86_64-x32.
-         # - 32-bit instruction set, 32-bit pointers, 32-bit 'long': i386.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if (defined __x86_64__ || defined __amd64__ \
-                     || defined _M_X64 || defined _M_AMD64)
-                 int ok;
-                #else
-                 error fail
-                #endif
-              ]])],
-           [AC_COMPILE_IFELSE(
-              [AC_LANG_SOURCE(
-                 [[#if defined __ILP32__ || defined _ILP32
-                    int ok;
-                   #else
-                    error fail
-                   #endif
-                 ]])],
-              [gl_cv_host_cpu_c_abi=x86_64-x32],
-              [gl_cv_host_cpu_c_abi=x86_64])],
-           [gl_cv_host_cpu_c_abi=i386])
-         ;;
-
-changequote(,)dnl
-       alphaev[4-8] | alphaev56 | alphapca5[67] | alphaev6[78] )
-changequote([,])dnl
-         gl_cv_host_cpu_c_abi=alpha
-         ;;
-
-       arm* | aarch64 )
-         # Assume arm with EABI.
-         # On arm64 systems, the C compiler may be generating code in one of
-         # these ABIs:
-         # - aarch64 instruction set, 64-bit pointers, 64-bit 'long': arm64.
-         # - aarch64 instruction set, 32-bit pointers, 32-bit 'long': arm64-ilp32.
-         # - 32-bit instruction set, 32-bit pointers, 32-bit 'long': arm or armhf.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#ifdef __aarch64__
-                 int ok;
-                #else
-                 error fail
-                #endif
-              ]])],
-           [AC_COMPILE_IFELSE(
-              [AC_LANG_SOURCE(
-                [[#if defined __ILP32__ || defined _ILP32
-                   int ok;
-                  #else
-                   error fail
-                  #endif
-                ]])],
-              [gl_cv_host_cpu_c_abi=arm64-ilp32],
-              [gl_cv_host_cpu_c_abi=arm64])],
-           [# Don't distinguish little-endian and big-endian arm, since they
-            # don't require different machine code for simple operations and
-            # since the user can distinguish them through the preprocessor
-            # defines __ARMEL__ vs. __ARMEB__.
-            # But distinguish arm which passes floating-point arguments and
-            # return values in integer registers (r0, r1, ...) - this is
-            # gcc -mfloat-abi=soft or gcc -mfloat-abi=softfp - from arm which
-            # passes them in float registers (s0, s1, ...) and double registers
-            # (d0, d1, ...) - this is gcc -mfloat-abi=hard. GCC 4.6 or newer
-            # sets the preprocessor defines __ARM_PCS (for the first case) and
-            # __ARM_PCS_VFP (for the second case), but older GCC does not.
-            echo 'double ddd; void func (double dd) { ddd = dd; }' > conftest.c
-            # Look for a reference to the register d0 in the .s file.
-            AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS $gl_c_asm_opt conftest.c) >/dev/null 2>&1
-            if LC_ALL=C grep 'd0,' conftest.$gl_asmext >/dev/null; then
-              gl_cv_host_cpu_c_abi=armhf
-            else
-              gl_cv_host_cpu_c_abi=arm
-            fi
-            rm -fr conftest*
-           ])
-         ;;
-
-       hppa1.0 | hppa1.1 | hppa2.0* | hppa64 )
-         # On hppa, the C compiler may be generating 32-bit code or 64-bit
-         # code. In the latter case, it defines _LP64 and __LP64__.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#ifdef __LP64__
-                 int ok;
-                #else
-                 error fail
-                #endif
-              ]])],
-           [gl_cv_host_cpu_c_abi=hppa64],
-           [gl_cv_host_cpu_c_abi=hppa])
-         ;;
-
-       ia64* )
-         # On ia64 on HP-UX, the C compiler may be generating 64-bit code or
-         # 32-bit code. In the latter case, it defines _ILP32.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#ifdef _ILP32
-                 int ok;
-                #else
-                 error fail
-                #endif
-              ]])],
-           [gl_cv_host_cpu_c_abi=ia64-ilp32],
-           [gl_cv_host_cpu_c_abi=ia64])
-         ;;
-
-       mips* )
-         # We should also check for (_MIPS_SZPTR == 64), but gcc keeps this
-         # at 32.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if defined _MIPS_SZLONG && (_MIPS_SZLONG == 64)
-                 int ok;
-                #else
-                 error fail
-                #endif
-              ]])],
-           [gl_cv_host_cpu_c_abi=mips64],
-           [# In the n32 ABI, _ABIN32 is defined, _ABIO32 is not defined (but
-            # may later get defined by <sgidefs.h>), and _MIPS_SIM == _ABIN32.
-            # In the 32 ABI, _ABIO32 is defined, _ABIN32 is not defined (but
-            # may later get defined by <sgidefs.h>), and _MIPS_SIM == _ABIO32.
-            AC_COMPILE_IFELSE(
-              [AC_LANG_SOURCE(
-                 [[#if (_MIPS_SIM == _ABIN32)
-                    int ok;
-                   #else
-                    error fail
-                   #endif
-                 ]])],
-              [gl_cv_host_cpu_c_abi=mipsn32],
-              [gl_cv_host_cpu_c_abi=mips])])
-         ;;
-
-       powerpc* )
-         # Different ABIs are in use on AIX vs. Mac OS X vs. Linux,*BSD.
-         # No need to distinguish them here; the caller may distinguish
-         # them based on the OS.
-         # On powerpc64 systems, the C compiler may still be generating
-         # 32-bit code. And on powerpc-ibm-aix systems, the C compiler may
-         # be generating 64-bit code.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if defined __powerpc64__ || defined __LP64__
-                 int ok;
-                #else
-                 error fail
-                #endif
-              ]])],
-           [# On powerpc64, there are two ABIs on Linux: The AIX compatible
-            # one and the ELFv2 one. The latter defines _CALL_ELF=2.
-            AC_COMPILE_IFELSE(
-              [AC_LANG_SOURCE(
-                 [[#if defined _CALL_ELF && _CALL_ELF == 2
-                    int ok;
-                   #else
-                    error fail
-                   #endif
-                 ]])],
-              [gl_cv_host_cpu_c_abi=powerpc64-elfv2],
-              [gl_cv_host_cpu_c_abi=powerpc64])
-           ],
-           [gl_cv_host_cpu_c_abi=powerpc])
-         ;;
-
-       rs6000 )
-         gl_cv_host_cpu_c_abi=powerpc
-         ;;
-
-       riscv32 | riscv64 )
-         # There are 2 architectures (with variants): rv32* and rv64*.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if __riscv_xlen == 64
-                  int ok;
-                #else
-                  error fail
-                #endif
-              ]])],
-           [cpu=riscv64],
-           [cpu=riscv32])
-         # There are 6 ABIs: ilp32, ilp32f, ilp32d, lp64, lp64f, lp64d.
-         # Size of 'long' and 'void *':
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if defined __LP64__
-                  int ok;
-                #else
-                  error fail
-                #endif
-              ]])],
-           [main_abi=lp64],
-           [main_abi=ilp32])
-         # Float ABIs:
-         # __riscv_float_abi_double:
-         #   'float' and 'double' are passed in floating-point registers.
-         # __riscv_float_abi_single:
-         #   'float' are passed in floating-point registers.
-         # __riscv_float_abi_soft:
-         #   No values are passed in floating-point registers.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if defined __riscv_float_abi_double
-                  int ok;
-                #else
-                  error fail
-                #endif
-              ]])],
-           [float_abi=d],
-           [AC_COMPILE_IFELSE(
-              [AC_LANG_SOURCE(
-                 [[#if defined __riscv_float_abi_single
-                     int ok;
-                   #else
-                     error fail
-                   #endif
-                 ]])],
-              [float_abi=f],
-              [float_abi=''])
-           ])
-         gl_cv_host_cpu_c_abi="${cpu}-${main_abi}${float_abi}"
-         ;;
-
-       s390* )
-         # On s390x, the C compiler may be generating 64-bit (= s390x) code
-         # or 31-bit (= s390) code.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if defined __LP64__ || defined __s390x__
-                  int ok;
-                #else
-                  error fail
-                #endif
-              ]])],
-           [gl_cv_host_cpu_c_abi=s390x],
-           [gl_cv_host_cpu_c_abi=s390])
-         ;;
-
-       sparc | sparc64 )
-         # UltraSPARCs running Linux have `uname -m` = "sparc64", but the
-         # C compiler still generates 32-bit code.
-         AC_COMPILE_IFELSE(
-           [AC_LANG_SOURCE(
-              [[#if defined __sparcv9 || defined __arch64__
-                 int ok;
-                #else
-                 error fail
-                #endif
-              ]])],
-           [gl_cv_host_cpu_c_abi=sparc64],
-           [gl_cv_host_cpu_c_abi=sparc])
-         ;;
-
-       *)
-         gl_cv_host_cpu_c_abi="$host_cpu"
-         ;;
-     esac
-    ])
-
-  dnl In most cases, $HOST_CPU and $HOST_CPU_C_ABI are the same.
-  HOST_CPU=`echo "$gl_cv_host_cpu_c_abi" | sed -e 's/-.*//'`
-  HOST_CPU_C_ABI="$gl_cv_host_cpu_c_abi"
-  AC_SUBST([HOST_CPU])
-  AC_SUBST([HOST_CPU_C_ABI])
-
-  # This was
-  #   AC_DEFINE_UNQUOTED([__${HOST_CPU}__])
-  #   AC_DEFINE_UNQUOTED([__${HOST_CPU_C_ABI}__])
-  # earlier, but KAI C++ 3.2d doesn't like this.
-  sed -e 's/-/_/g' >> confdefs.h <<EOF
-#ifndef __${HOST_CPU}__
-#define __${HOST_CPU}__ 1
-#endif
-#ifndef __${HOST_CPU_C_ABI}__
-#define __${HOST_CPU_C_ABI}__ 1
-#endif
-EOF
-  AH_TOP([/* CPU and C ABI indicator */
-#ifndef __i386__
-#undef __i386__
-#endif
-#ifndef __x86_64_x32__
-#undef __x86_64_x32__
-#endif
-#ifndef __x86_64__
-#undef __x86_64__
-#endif
-#ifndef __alpha__
-#undef __alpha__
-#endif
-#ifndef __arm__
-#undef __arm__
-#endif
-#ifndef __armhf__
-#undef __armhf__
-#endif
-#ifndef __arm64_ilp32__
-#undef __arm64_ilp32__
-#endif
-#ifndef __arm64__
-#undef __arm64__
-#endif
-#ifndef __hppa__
-#undef __hppa__
-#endif
-#ifndef __hppa64__
-#undef __hppa64__
-#endif
-#ifndef __ia64_ilp32__
-#undef __ia64_ilp32__
-#endif
-#ifndef __ia64__
-#undef __ia64__
-#endif
-#ifndef __loongarch32__
-#undef __loongarch32__
-#endif
-#ifndef __loongarch64__
-#undef __loongarch64__
-#endif
-#ifndef __m68k__
-#undef __m68k__
-#endif
-#ifndef __mips__
-#undef __mips__
-#endif
-#ifndef __mipsn32__
-#undef __mipsn32__
-#endif
-#ifndef __mips64__
-#undef __mips64__
-#endif
-#ifndef __powerpc__
-#undef __powerpc__
-#endif
-#ifndef __powerpc64__
-#undef __powerpc64__
-#endif
-#ifndef __powerpc64_elfv2__
-#undef __powerpc64_elfv2__
-#endif
-#ifndef __riscv32__
-#undef __riscv32__
-#endif
-#ifndef __riscv64__
-#undef __riscv64__
-#endif
-#ifndef __riscv32_ilp32__
-#undef __riscv32_ilp32__
-#endif
-#ifndef __riscv32_ilp32f__
-#undef __riscv32_ilp32f__
-#endif
-#ifndef __riscv32_ilp32d__
-#undef __riscv32_ilp32d__
-#endif
-#ifndef __riscv64_ilp32__
-#undef __riscv64_ilp32__
-#endif
-#ifndef __riscv64_ilp32f__
-#undef __riscv64_ilp32f__
-#endif
-#ifndef __riscv64_ilp32d__
-#undef __riscv64_ilp32d__
-#endif
-#ifndef __riscv64_lp64__
-#undef __riscv64_lp64__
-#endif
-#ifndef __riscv64_lp64f__
-#undef __riscv64_lp64f__
-#endif
-#ifndef __riscv64_lp64d__
-#undef __riscv64_lp64d__
-#endif
-#ifndef __s390__
-#undef __s390__
-#endif
-#ifndef __s390x__
-#undef __s390x__
-#endif
-#ifndef __sh__
-#undef __sh__
-#endif
-#ifndef __sparc__
-#undef __sparc__
-#endif
-#ifndef __sparc64__
-#undef __sparc64__
-#endif
-])
-
-])
-
-
-dnl Sets the HOST_CPU_C_ABI_32BIT variable to 'yes' if the C language ABI
-dnl (application binary interface) is a 32-bit one, to 'no' if it is a 64-bit
-dnl one.
-dnl This is a simplified variant of gl_HOST_CPU_C_ABI.
-AC_DEFUN([gl_HOST_CPU_C_ABI_32BIT],
-[
-  AC_REQUIRE([AC_CANONICAL_HOST])
-  AC_CACHE_CHECK([32-bit host C ABI], [gl_cv_host_cpu_c_abi_32bit],
-    [case "$host_cpu" in
-
-       # CPUs that only support a 32-bit ABI.
-       arc \
-       | bfin \
-       | cris* \
-       | csky \
-       | epiphany \
-       | ft32 \
-       | h8300 \
-       | m68k \
-       | microblaze | microblazeel \
-       | nds32 | nds32le | nds32be \
-       | nios2 | nios2eb | nios2el \
-       | or1k* \
-       | or32 \
-       | sh | sh[1234] | sh[1234]e[lb] \
-       | tic6x \
-       | xtensa* )
-         gl_cv_host_cpu_c_abi_32bit=yes
-         ;;
-
-       # CPUs that only support a 64-bit ABI.
-changequote(,)dnl
-       alpha | alphaev[4-8] | alphaev56 | alphapca5[67] | alphaev6[78] \
-       | mmix )
-changequote([,])dnl
-         gl_cv_host_cpu_c_abi_32bit=no
-         ;;
-
-       *)
-         if test -n "$gl_cv_host_cpu_c_abi"; then
-           dnl gl_HOST_CPU_C_ABI has already been run. Use its result.
-           case "$gl_cv_host_cpu_c_abi" in
-             i386 | x86_64-x32 | arm | armhf | arm64-ilp32 | hppa | ia64-ilp32 | loongarch32 | mips | mipsn32 | powerpc | riscv*-ilp32* | s390 | sparc)
-               gl_cv_host_cpu_c_abi_32bit=yes ;;
-             x86_64 | alpha | arm64 | aarch64c | hppa64 | ia64 | loongarch64 | mips64 | powerpc64 | powerpc64-elfv2 | riscv*-lp64* | s390x | sparc64 )
-               gl_cv_host_cpu_c_abi_32bit=no ;;
-             *)
-               gl_cv_host_cpu_c_abi_32bit=unknown ;;
-           esac
-         else
-           gl_cv_host_cpu_c_abi_32bit=unknown
-         fi
-         if test $gl_cv_host_cpu_c_abi_32bit = unknown; then
-           AC_COMPILE_IFELSE(
-             [AC_LANG_SOURCE(
-                [[int test_pointer_size[sizeof (void *) - 5];
-                ]])],
-             [gl_cv_host_cpu_c_abi_32bit=no],
-             [gl_cv_host_cpu_c_abi_32bit=yes])
-         fi
-         ;;
-     esac
-    ])
-
-  HOST_CPU_C_ABI_32BIT="$gl_cv_host_cpu_c_abi_32bit"
-])

m4/macros/lib-prefix.m4

@@ -1,334 +0,0 @@
-# lib-prefix.m4
-# serial 23
-dnl Copyright (C) 2001-2005, 2008-2025 Free Software Foundation, Inc.
-dnl This file is free software; the Free Software Foundation
-dnl gives unlimited permission to copy and/or distribute it,
-dnl with or without modifications, as long as this notice is preserved.
-dnl This file is offered as-is, without any warranty.
-
-dnl From Bruno Haible.
-
-dnl AC_LIB_PREFIX adds to the CPPFLAGS and LDFLAGS the flags that are needed
-dnl to access previously installed libraries. The basic assumption is that
-dnl a user will want packages to use other packages he previously installed
-dnl with the same --prefix option.
-dnl This macro is not needed if only AC_LIB_LINKFLAGS is used to locate
-dnl libraries, but is otherwise very convenient.
-AC_DEFUN([AC_LIB_PREFIX],
-[
-  AC_BEFORE([$0], [AC_LIB_LINKFLAGS])
-  AC_REQUIRE([AC_PROG_CC])
-  AC_REQUIRE([AC_CANONICAL_HOST])
-  AC_REQUIRE([AC_LIB_PREPARE_MULTILIB])
-  AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
-  dnl By default, look in $includedir and $libdir.
-  use_additional=yes
-  AC_LIB_WITH_FINAL_PREFIX([
-    eval additional_includedir=\"$includedir\"
-    eval additional_libdir=\"$libdir\"
-  ])
-  AC_ARG_WITH([lib-prefix],
-[[  --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
-  --without-lib-prefix    don't search for libraries in includedir and libdir]],
-[
-    if test "X$withval" = "Xno"; then
-      use_additional=no
-    else
-      if test "X$withval" = "X"; then
-        AC_LIB_WITH_FINAL_PREFIX([
-          eval additional_includedir=\"$includedir\"
-          eval additional_libdir=\"$libdir\"
-        ])
-      else
-        additional_includedir="$withval/include"
-        additional_libdir="$withval/$acl_libdirstem"
-      fi
-    fi
-])
-  if test $use_additional = yes; then
-    dnl Potentially add $additional_includedir to $CPPFLAGS.
-    dnl But don't add it
-    dnl   1. if it's the standard /usr/include,
-    dnl   2. if it's already present in $CPPFLAGS,
-    dnl   3. if it's /usr/local/include and we are using GCC on Linux,
-    dnl   4. if it doesn't exist as a directory.
-    if test "X$additional_includedir" != "X/usr/include"; then
-      haveit=
-      for x in $CPPFLAGS; do
-        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
-        if test "X$x" = "X-I$additional_includedir"; then
-          haveit=yes
-          break
-        fi
-      done
-      if test -z "$haveit"; then
-        if test "X$additional_includedir" = "X/usr/local/include"; then
-          if test -n "$GCC"; then
-            case $host_os in
-              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
-            esac
-          fi
-        fi
-        if test -z "$haveit"; then
-          if test -d "$additional_includedir"; then
-            dnl Really add $additional_includedir to $CPPFLAGS.
-            CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
-          fi
-        fi
-      fi
-    fi
-    dnl Potentially add $additional_libdir to $LDFLAGS.
-    dnl But don't add it
-    dnl   1. if it's the standard /usr/lib,
-    dnl   2. if it's already present in $LDFLAGS,
-    dnl   3. if it's /usr/local/lib and we are using GCC on Linux,
-    dnl   4. if it doesn't exist as a directory.
-    if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
-      haveit=
-      for x in $LDFLAGS; do
-        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
-        if test "X$x" = "X-L$additional_libdir"; then
-          haveit=yes
-          break
-        fi
-      done
-      if test -z "$haveit"; then
-        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
-          if test -n "$GCC"; then
-            case $host_os in
-              linux*) haveit=yes;;
-            esac
-          fi
-        fi
-        if test -z "$haveit"; then
-          if test -d "$additional_libdir"; then
-            dnl Really add $additional_libdir to $LDFLAGS.
-            LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
-          fi
-        fi
-      fi
-    fi
-  fi
-])
-
-dnl AC_LIB_PREPARE_PREFIX creates variables acl_final_prefix,
-dnl acl_final_exec_prefix, containing the values to which $prefix and
-dnl $exec_prefix will expand at the end of the configure script.
-AC_DEFUN([AC_LIB_PREPARE_PREFIX],
-[
-  dnl Unfortunately, prefix and exec_prefix get only finally determined
-  dnl at the end of configure.
-  if test "X$prefix" = "XNONE"; then
-    acl_final_prefix="$ac_default_prefix"
-  else
-    acl_final_prefix="$prefix"
-  fi
-  if test "X$exec_prefix" = "XNONE"; then
-    acl_final_exec_prefix='${prefix}'
-  else
-    acl_final_exec_prefix="$exec_prefix"
-  fi
-  acl_saved_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
-  prefix="$acl_saved_prefix"
-])
-
-dnl AC_LIB_WITH_FINAL_PREFIX([statement]) evaluates statement, with the
-dnl variables prefix and exec_prefix bound to the values they will have
-dnl at the end of the configure script.
-AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX],
-[
-  acl_saved_prefix="$prefix"
-  prefix="$acl_final_prefix"
-  acl_saved_exec_prefix="$exec_prefix"
-  exec_prefix="$acl_final_exec_prefix"
-  $1
-  exec_prefix="$acl_saved_exec_prefix"
-  prefix="$acl_saved_prefix"
-])
-
-dnl AC_LIB_PREPARE_MULTILIB creates
-dnl - a function acl_is_expected_elfclass, that tests whether standard input
-dnl;   has a 32-bit or 64-bit ELF header, depending on the host CPU ABI,
-dnl - 3 variables acl_libdirstem, acl_libdirstem2, acl_libdirstem3, containing
-dnl   the basename of the libdir to try in turn, either "lib" or "lib64" or
-dnl   "lib/64" or "lib32" or "lib/sparcv9" or "lib/amd64" or similar.
-AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
-[
-  dnl There is no formal standard regarding lib, lib32, and lib64.
-  dnl On most glibc systems, the current practice is that on a system supporting
-  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
-  dnl $prefix/lib64 and 32-bit libraries go under $prefix/lib. However, on
-  dnl Arch Linux based distributions, it's the opposite: 32-bit libraries go
-  dnl under $prefix/lib32 and 64-bit libraries go under $prefix/lib.
-  dnl We determine the compiler's default mode by looking at the compiler's
-  dnl library search path. If at least one of its elements ends in /lib64 or
-  dnl points to a directory whose absolute pathname ends in /lib64, we use that
-  dnl for 64-bit ABIs. Similarly for 32-bit ABIs. Otherwise we use the default,
-  dnl namely "lib".
-  dnl On Solaris systems, the current practice is that on a system supporting
-  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
-  dnl $prefix/lib/64 (which is a symlink to either $prefix/lib/sparcv9 or
-  dnl $prefix/lib/amd64) and 32-bit libraries go under $prefix/lib.
-  AC_REQUIRE([AC_CANONICAL_HOST])
-  AC_REQUIRE([gl_HOST_CPU_C_ABI_32BIT])
-
-  AC_CACHE_CHECK([for ELF binary format], [gl_cv_elf],
-    [AC_EGREP_CPP([Extensible Linking Format],
-       [#if defined __ELF__ || (defined __linux__ && (defined __EDG__ || defined __SUNPRO_C))
-        Extensible Linking Format
-        #endif
-       ],
-       [gl_cv_elf=yes],
-       [gl_cv_elf=no])
-    ])
-  if test $gl_cv_elf = yes; then
-    # Extract the ELF class of a file (5th byte) in decimal.
-    # Cf. https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#File_header
-    if od -A x < /dev/null >/dev/null 2>/dev/null; then
-      # Use POSIX od.
-      func_elfclass ()
-      {
-        od -A n -t d1 -j 4 -N 1
-      }
-    else
-      # Use BSD hexdump.
-      func_elfclass ()
-      {
-        dd bs=1 count=1 skip=4 2>/dev/null | hexdump -e '1/1 "%3d "'
-        echo
-      }
-    fi
-    # Use 'expr', not 'test', to compare the values of func_elfclass, because on
-    # Solaris 11 OpenIndiana and Solaris 11 OmniOS, the result is 001 or 002,
-    # not 1 or 2.
-changequote(,)dnl
-    case $HOST_CPU_C_ABI_32BIT in
-      yes)
-        # 32-bit ABI.
-        acl_is_expected_elfclass ()
-        {
-          expr "`func_elfclass | sed -e 's/[ 	]//g'`" = 1 > /dev/null
-        }
-        ;;
-      no)
-        # 64-bit ABI.
-        acl_is_expected_elfclass ()
-        {
-          expr "`func_elfclass | sed -e 's/[ 	]//g'`" = 2 > /dev/null
-        }
-        ;;
-      *)
-        # Unknown.
-        acl_is_expected_elfclass ()
-        {
-          :
-        }
-        ;;
-    esac
-changequote([,])dnl
-  else
-    acl_is_expected_elfclass ()
-    {
-      :
-    }
-  fi
-
-  dnl Allow the user to override the result by setting acl_cv_libdirstems.
-  AC_CACHE_CHECK([for the common suffixes of directories in the library search path],
-    [acl_cv_libdirstems],
-    [dnl Try 'lib' first, because that's the default for libdir in GNU, see
-     dnl <https://www.gnu.org/prep/standards/html_node/Directory-Variables.html>.
-     acl_libdirstem=lib
-     acl_libdirstem2=
-     acl_libdirstem3=
-     case "$host_os" in
-       solaris*)
-         dnl See Solaris 10 Software Developer Collection > Solaris 64-bit Developer's Guide > The Development Environment
-         dnl <https://docs.oracle.com/cd/E19253-01/816-5138/dev-env/index.html>.
-         dnl "Portable Makefiles should refer to any library directories using the 64 symbolic link."
-         dnl But we want to recognize the sparcv9 or amd64 subdirectory also if the
-         dnl symlink is missing, so we set acl_libdirstem2 too.
-         if test $HOST_CPU_C_ABI_32BIT = no; then
-           acl_libdirstem2=lib/64
-           case "$host_cpu" in
-             sparc*)        acl_libdirstem3=lib/sparcv9 ;;
-             i*86 | x86_64) acl_libdirstem3=lib/amd64 ;;
-           esac
-         fi
-         ;;
-       netbsd*)
-         dnl On NetBSD/sparc64, there is a 'sparc' subdirectory that contains
-         dnl 32-bit libraries.
-         if test $HOST_CPU_C_ABI_32BIT != no; then
-           case "$host_cpu" in
-             sparc*) acl_libdirstem2=lib/sparc ;;
-           esac
-         fi
-         ;;
-       *)
-         dnl If $CC generates code for a 32-bit ABI, the libraries are
-         dnl surely under $prefix/lib or $prefix/lib32, not $prefix/lib64.
-         dnl Similarly, if $CC generates code for a 64-bit ABI, the libraries
-         dnl are surely under $prefix/lib or $prefix/lib64, not $prefix/lib32.
-         dnl Find the compiler's search path. However, non-system compilers
-         dnl sometimes have odd library search paths. But we can't simply invoke
-         dnl '/usr/bin/gcc -print-search-dirs' because that would not take into
-         dnl account the -m32/-m31 or -m64 options from the $CC or $CFLAGS.
-         searchpath=`(LC_ALL=C $CC $CPPFLAGS $CFLAGS -print-search-dirs) 2>/dev/null \
-                     | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
-         if test $HOST_CPU_C_ABI_32BIT != no; then
-           # 32-bit or unknown ABI.
-           if test -d /usr/lib32; then
-             acl_libdirstem2=lib32
-           fi
-         fi
-         if test $HOST_CPU_C_ABI_32BIT != yes; then
-           # 64-bit or unknown ABI.
-           if test -d /usr/lib64; then
-             acl_libdirstem3=lib64
-           fi
-         fi
-         if test -n "$searchpath"; then
-           acl_saved_IFS="${IFS= 	}"; IFS=":"
-           for searchdir in $searchpath; do
-             if test -d "$searchdir"; then
-               case "$searchdir" in
-                 */lib32/ | */lib32 ) acl_libdirstem2=lib32 ;;
-                 */lib64/ | */lib64 ) acl_libdirstem3=lib64 ;;
-                 */../ | */.. )
-                   # Better ignore directories of this form. They are misleading.
-                   ;;
-                 *) searchdir=`cd "$searchdir" && pwd`
-                    case "$searchdir" in
-                      */lib32 ) acl_libdirstem2=lib32 ;;
-                      */lib64 ) acl_libdirstem3=lib64 ;;
-                    esac ;;
-               esac
-             fi
-           done
-           IFS="$acl_saved_IFS"
-           if test $HOST_CPU_C_ABI_32BIT = yes; then
-             # 32-bit ABI.
-             acl_libdirstem3=
-           fi
-           if test $HOST_CPU_C_ABI_32BIT = no; then
-             # 64-bit ABI.
-             acl_libdirstem2=
-           fi
-         fi
-         ;;
-     esac
-     test -n "$acl_libdirstem2" || acl_libdirstem2="$acl_libdirstem"
-     test -n "$acl_libdirstem3" || acl_libdirstem3="$acl_libdirstem"
-     acl_cv_libdirstems="$acl_libdirstem,$acl_libdirstem2,$acl_libdirstem3"
-    ])
-  dnl Decompose acl_cv_libdirstems into acl_libdirstem, acl_libdirstem2, and
-  dnl acl_libdirstem3.
-changequote(,)dnl
-  acl_libdirstem=`echo "$acl_cv_libdirstems" | sed -e 's/,.*//'`
-  acl_libdirstem2=`echo "$acl_cv_libdirstems" | sed -e 's/^[^,]*,//' -e 's/,.*//'`
-  acl_libdirstem3=`echo "$acl_cv_libdirstems" | sed -e 's/^[^,]*,[^,]*,//' -e 's/,.*//'`
-changequote([,])dnl
-])

man/ipsec.conf.5.in

@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
 .BR leftcert " = <path>"
 the path to the left participant's X.509 certificate. The file can be encoded
 either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
+Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
 are accepted. By default
 .B leftcert
 sets
@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
 the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
 respectively.
 Also accepted is the path to a file containing the public key in PEM, DER or SSH
-encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
+encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
 are accepted.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
 .SH "CA SECTIONS"
 These are optional sections that can be used to assign special
 parameters to a Certification Authority (CA). Because the daemons
-automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
+automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
 there is no need to explicitly add them with a CA section, unless you
 want to assign special parameters (like a CRL) to a CA.
 .TP
@@ -1235,7 +1235,7 @@ currently can have either the value
 .TP
 .BR cacert " = <path>"
 defines a path to the CA certificate either relative to
-\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
+\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
 .br
 A value in the form
 .B %smartcard[<slot nr>[@<module>]]:<keyid>
@@ -1284,7 +1284,7 @@ section are:
 .BR cachecrls " = yes | " no
 if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
 be cached in
-.I @sysconfdir@/ipsec.d/crls/
+.I /etc/ipsec.d/crls/
 under a unique file name derived from the certification authority's public key.
 .TP
 .BR charondebug " = <debug list>"
@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
 
 .SH FILES
 .nf
-@sysconfdir@/ipsec.conf
-@sysconfdir@/ipsec.d/aacerts
-@sysconfdir@/ipsec.d/acerts
-@sysconfdir@/ipsec.d/cacerts
-@sysconfdir@/ipsec.d/certs
-@sysconfdir@/ipsec.d/crls
+/etc/ipsec.conf
+/etc/ipsec.d/aacerts
+/etc/ipsec.d/acerts
+/etc/ipsec.d/cacerts
+/etc/ipsec.d/certs
+/etc/ipsec.d/crls
 
 .SH SEE ALSO
 strongswan.conf(5), ipsec.secrets(5), ipsec(8)

man/ipsec.secrets.5.in

@@ -15,7 +15,7 @@ Here is an example.
 .LP
 .RS
 .nf
-# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
 
 : RSA moonKey.pem
@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
 .TQ
 .B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
-\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
+\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
 can be used which then causes the daemon to ask the user for the password
@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
 .TP
 .B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
 For the PKCS#12 file both absolute paths or paths relative to
-\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
 can be used which then causes the daemon to ask the user for the password
@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
-@sysconfdir@/ipsec.secrets
+/etc/ipsec.secrets
 .SH SEE ALSO
 ipsec.conf(5), strongswan.conf(5), ipsec(8)
 .br

scripts/.gitignore

@@ -17,4 +17,3 @@ thread_analysis
 tls_test
 timeattack
 os_info
-nist_kem_kat

scripts/Makefile.am

@@ -7,7 +7,7 @@ AM_CPPFLAGS = \
 
 noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \
 	thread_analysis dh_speed pubkey_speed crypt_burn hash_burn fetch \
-	dnssec malloc_speed aes-test settings-test timeattack nist_kem_kat
+	dnssec malloc_speed aes-test settings-test timeattack
 
 if USE_TLS
   noinst_PROGRAMS += tls_test
@@ -31,7 +31,6 @@ malloc_speed_SOURCES = malloc_speed.c
 fetch_SOURCES = fetch.c
 dnssec_SOURCES = dnssec.c
 timeattack_SOURCES = timeattack.c
-nist_kem_kat_SOURCES = nist_kem_kat.c
 
 id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -47,7 +46,6 @@ dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB)
-nist_kem_kat_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 
 if USE_IMCV
   AM_CPPFLAGS += -I$(top_srcdir)/src/libimcv

scripts/dh_speed.c

@@ -1,5 +1,4 @@
 /*
- * Copyright (C) 2023-2024 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  *
  * Copyright (C) secunet Security Networks AG
@@ -24,10 +23,34 @@
 
 static void usage()
 {
-	printf("usage: dh_speed plugins rounds ke1 [ke2 [...]]\n");
+	printf("usage: dh_speed plugins rounds group1 [group2 [...]]\n");
 	exit(1);
 }
 
+struct {
+	char *name;
+	key_exchange_method_t group;
+} groups[] = {
+	{"modp768",			MODP_768_BIT},
+	{"modp1024",		MODP_1024_BIT},
+	{"modp1024s160",	MODP_1024_160},
+	{"modp1536",		MODP_1536_BIT},
+	{"modp2048",		MODP_2048_BIT},
+	{"modp2048s224",	MODP_2048_224},
+	{"modp2048s256",	MODP_2048_256},
+	{"modp3072",		MODP_3072_BIT},
+	{"modp4096",		MODP_4096_BIT},
+	{"modp6144",		MODP_6144_BIT},
+	{"modp8192",		MODP_8192_BIT},
+	{"ecp256",			ECP_256_BIT},
+	{"ecp384",			ECP_384_BIT},
+	{"ecp521",			ECP_521_BIT},
+	{"ecp192",			ECP_192_BIT},
+	{"ecp224",			ECP_224_BIT},
+	{"curve25519",		CURVE_25519},
+	{"curve448",		CURVE_448},
+};
+
 static void start_timing(struct timespec *start)
 {
 	clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
@@ -42,71 +65,61 @@ static double end_timing(struct timespec *start)
 			(end.tv_sec - start->tv_sec) * 1.0;
 }
 
-static void run_test(key_exchange_method_t method, int rounds)
+static void run_test(key_exchange_method_t group, int rounds)
 {
-	key_exchange_t *l[rounds], *r[rounds];
-	chunk_t lpublic[rounds], rpublic[rounds], lsecret[rounds], rsecret[rounds];
+	key_exchange_t *l[rounds], *r;
+	chunk_t chunk, chunks[rounds], lsecrets[rounds], rsecrets[rounds];
 	struct timespec timing;
 	int round;
 
-	r[0] = lib->crypto->create_ke(lib->crypto, method);
-	if (!r[0])
+	r = lib->crypto->create_ke(lib->crypto, group);
+	if (!r)
 	{
-		fprintf(stderr, "skipping %N, not supported\n", key_exchange_method_names,
-				method);
+		printf("skipping %N, not supported\n", key_exchange_method_names,
+			   group);
 		return;
 	}
-	for (round = 1; round < rounds; round++)
-	{
-		r[round] = lib->crypto->create_ke(lib->crypto, method);
-	}
 
-	/* make sure to use the method call order documented in the
-	 * key_exchange_t header file */
-
-	printf("%N:\t", key_exchange_method_names, method);
+	printf("%N:\t", key_exchange_method_names, group);
 
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
-		l[round] = lib->crypto->create_ke(lib->crypto, method);
-		assert(l[round]->get_public_key(l[round], &lpublic[round]));
+		l[round] = lib->crypto->create_ke(lib->crypto, group);
+		assert(l[round]->get_public_key(l[round], &chunks[round]));
 	}
 	printf("A = g^a/s: %8.1f", rounds / end_timing(&timing));
 
-	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
-		assert(r[round]->set_public_key(r[round], lpublic[round]));
-		assert(r[round]->get_public_key(r[round], &rpublic[round]));
-		assert(r[round]->get_shared_secret(r[round], &rsecret[round]));
+		assert(r->set_public_key(r, chunks[round]));
+		assert(r->get_shared_secret(r, &rsecrets[round]));
+		chunk_free(&chunks[round]);
 	}
-	printf(" | S = A^b/s: %8.1f", rounds / end_timing(&timing));
 
+	assert(r->get_public_key(r, &chunk));
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
-		assert(l[round]->set_public_key(l[round], rpublic[round]));
-		assert(l[round]->get_shared_secret(l[round], &lsecret[round]));
+		assert(l[round]->set_public_key(l[round], chunk));
+		assert(l[round]->get_shared_secret(l[round], &lsecrets[round]));
 	}
 	printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
+	chunk_free(&chunk);
 
 	for (round = 0; round < rounds; round++)
 	{
-		assert(chunk_equals(rsecret[round], lsecret[round]));
-		chunk_free(&lsecret[round]);
-		chunk_free(&rsecret[round]);
-		chunk_free(&lpublic[round]);
-		chunk_free(&rpublic[round]);
+		assert(chunk_equals(rsecrets[round], lsecrets[round]));
+		free(lsecrets[round].ptr);
+		free(rsecrets[round].ptr);
 		l[round]->destroy(l[round]);
-		r[round]->destroy(r[round]);
 	}
+	r->destroy(r);
 }
 
 int main(int argc, char *argv[])
 {
-	const proposal_token_t *token;
-	int rounds, i;
+	int rounds, i, j;
 
 	if (argc < 4)
 	{
@@ -121,19 +134,20 @@ int main(int argc, char *argv[])
 
 	for (i = 3; i < argc; i++)
 	{
-		token = lib->proposal->get_token(lib->proposal, argv[i]);
-		if (!token)
-		{
-			fprintf(stderr, "KE method '%s' not found\n", argv[i]);
-			return 1;
-		}
-		else if (token->type != KEY_EXCHANGE_METHOD)
-		{
-			fprintf(stderr, "'%s' is not a KE method\n", argv[i]);
-			return 1;
-		}
+		bool found = FALSE;
 
-		run_test(token->algorithm, rounds);
+		for (j = 0; j < countof(groups); j++)
+		{
+			if (streq(groups[j].name, argv[i]))
+			{
+				run_test(groups[j].group, rounds);
+				found = TRUE;
+			}
+		}
+		if (!found)
+		{
+			printf("group %s not found\n", argv[i]);
+		}
 	}
 	return 0;
 }

scripts/dh_speed.sh

@@ -24,17 +24,8 @@ modptest "gcrypt"
 echo "testing openssl"
 modptest "openssl"
 $DIR/dh_speed "openssl" 300 ecp192 ecp192 ecp224 ecp256 ecp384 ecp521 | tail -n 5
-$DIR/dh_speed "openssl" 300 ecp224bp ecp224bp ecp256bp ecp384bp ecp512bp | tail -n 4
-$DIR/dh_speed "openssl" 300 curve25519 curve25519 curve448 | tail -n 2
-
-echo "testing wolfssl"
-modptest "wolfssl"
-$DIR/dh_speed "wolfssl" 300 ecp224 ecp224 ecp256 ecp384 ecp521 | tail -n 4
-$DIR/dh_speed "wolfssl" 300 ecp224bp ecp224bp ecp256bp ecp384bp ecp512bp | tail -n 4
-$DIR/dh_speed "wolfssl" 300 curve25519 curve25519 curve448 | tail -n 2
 
 echo "testing botan"
 modptest "botan"
 $DIR/dh_speed "botan" 300 ecp256 ecp256 ecp384 ecp521 | tail -n 3
-$DIR/dh_speed "botan" 300 ecp256bp ecp256bp ecp384bp ecp512bp | tail -n 3
 $DIR/dh_speed "botan" 300 curve25519 curve25519 | tail -n 1

scripts/nist_kem_kat.c

@@ -1,189 +0,0 @@
-/*
- * Copyright (C) 2019-2020 Andreas Steffen
- *
- * Copyright (C) secunet Security Networks AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <errno.h>
-
-#include <library.h>
-
-static void usage(FILE *out, char *name)
-{
-	fprintf(out, "Convert NIST KEM KAT file into struct\n");
-	fprintf(out, "%s [OPTIONS]\n\n", name);
-	fprintf(out, "Options:\n");
-	fprintf(out, "  -h, --help          print this help.\n");
-	fprintf(out, "  -m, --method        KEM method.\n");
-	fprintf(out, "  -c, --count         number of structs (default 4).\n");
-	fprintf(out, "  -i, --in=FILE       request file (default STDIN).\n");
-	fprintf(out, "  -o, --out=FILE      response file (default STDOUT).\n");
-	fprintf(out, "\n");
-}
-
-int main(int argc, char *argv[])
-{
-	FILE *in = stdin;
-	FILE *out = stdout;
-	char line[90000], *method = "", *pos, *eol, *param, *value;
-	size_t param_len, value_len;
-	int count = 4, n;
-
-	library_init(NULL, "nist-kem-kat");
-	atexit(library_deinit);
-
-	while (true)
-	{
-		struct option long_opts[] = {
-			{"help",	no_argument,		NULL,	'h' },
-			{"method",	required_argument,	NULL,	'm' },
-			{"count",	required_argument,	NULL,	'c' },
-			{"in",		required_argument,	NULL,	'i' },
-			{"out",		required_argument,	NULL,	'o' },
-			{0,0,0,0 },
-		};
-		switch (getopt_long(argc, argv, "h:m:c:i:o:", long_opts, NULL))
-		{
-			case EOF:
-				break;
-			case 'h':
-				usage(stdout, argv[0]);
-				return 0;
-			case 'm':
-				method = optarg;
-				continue;
-			case 'c':
-				count = atoi(optarg);
-				continue;
-			case 'i':
-				in = fopen(optarg, "r");
-				if (!in)
-				{
-					fprintf(stderr, "failed to open '%s': %s\n", optarg,
-							strerror(errno));
-					usage(stderr, argv[0]);
-					return 1;
-				}
-				continue;
-			case 'o':
-				out = fopen(optarg, "w");
-				if (!out)
-				{
-					fprintf(stderr, "failed to open '%s': %s\n", optarg,
-							strerror(errno));
-					usage(stderr, argv[0]);
-					return 1;
-				}
-				continue;
-			default:
-				usage(stderr, argv[0]);
-				return 1;
-		}
-		break;
-	}
-
-	while (fgets(line, sizeof(line), in))
-	{
-		pos = strchr(line, '=');
-		if (!pos)
-		{
-			continue;
-		}
-
-		/*remove preceding whitespace from value */
-		value = pos + 1;
-		eol = strchr(value, '\n');
-		if (!eol)
-		{
-			fprintf(stderr, "eol not found\n");
-			break;
-		}
-		value_len = eol - value;
-		while (value_len && *value == ' ')
-		{
-			value++;
-			value_len--;
-		}
-
-		/* remove trailing whitespace from param */
-		param = line;
-		param_len = pos - line;
-		while (param_len && *(--pos) == ' ')
-		{
-			param_len--;
-		}
-		param[param_len] = '\0';
-
-		if (streq(param, "sk"))
-		{
-			continue;
-		}
-
-		if (streq(param, "count"))
-		{
-			if (count == 0)
-			{
-				break;
-			}
-			fprintf(out, "/** count = %.*s */\n", (int)value_len, value);
-			fprintf(out, "{\n");
-			fprintf(out, "\t.method = %s,\n", method);
-			count--;
-		}
-		else
-		{
-			fprintf(out, "\t.%s = chunk_from_chars(", param);
-			n = 0;
-
-			while (value_len > 1)
-			{
-				if (n > 0)
-				{
-					fprintf(out, ",");
-					if (n % 100 == 0)
-					{
-						fprintf(out, " /* %d */\n", n);
-					}
-				}
-				if (n % 10 == 0)
-				{
-					fprintf(out, "\n\t\t");
-				}
-				fprintf(out, "0x%.2s", value);
-				value += 2;
-				value_len -= 2;
-				n++;
-			}
-			fprintf(out, "),\n");
-			if (streq(param, "ss"))
-			{
-				fprintf(out, "},\n");
-			}
-		}
-	}
-
-	if (in != stdin)
-	{
-		fclose(in);
-	}
-	if (out != stdout)
-	{
-		fclose(out);
-	}
-	return 0;
-}

scripts/pubkey_speed.c

@@ -128,7 +128,7 @@ int main(int argc, char *argv[])
 			printf("creating signature failed\n");
 			exit(1);
 		}
-	}
+	};
 	printf("sign()/s: %8.1f   ", rounds / end_timing(&timing));
 
 	public = private->get_public_key(private);

scripts/test.sh

@@ -4,7 +4,7 @@
 build_botan()
 {
 	# same revision used in the build recipe of the testing environment
-	BOTAN_REV=3.7.1
+	BOTAN_REV=2.19.3
 	BOTAN_DIR=$DEPS_BUILD_DIR/botan
 
 	if test -d "$BOTAN_DIR"; then
@@ -21,17 +21,15 @@ build_botan()
 		BOTAN_CONFIG="--without-os-features=threads
 					  --disable-modules=locking_allocator"
 	fi
-	# disable some larger modules we don't need for the tests and deprecated
-	# ones, except for MD5, which we need for TLS 1.0/1.1
+	# disable some larger modules we don't need for the tests
 	BOTAN_CONFIG="$BOTAN_CONFIG --disable-modules=pkcs11,tls,x509,xmss
-				  --disable-deprecated-features --enable-modules=md5
 				  --prefix=$DEPS_PREFIX"
 
 	git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
 	cd $BOTAN_DIR &&
 	git checkout -qf $BOTAN_REV &&
-	./configure.py --amalgamation $BOTAN_CONFIG &&
-	make -j$(nproc) libs >/dev/null &&
+	python ./configure.py --amalgamation $BOTAN_CONFIG &&
+	make -j4 libs >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@@ -39,7 +37,7 @@ build_botan()
 
 build_wolfssl()
 {
-	WOLFSSL_REV=v5.8.2-stable
+	WOLFSSL_REV=v5.5.4-stable
 	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
 
 	if test -d "$WOLFSSL_DIR"; then
@@ -49,22 +47,21 @@ build_wolfssl()
 	echo "$ build_wolfssl()"
 
 	WOLFSSL_CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DES_ECB -DHAVE_AES_ECB \
-					-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8 \
-					-DRSA_MIN_SIZE=1024"
+					-DHAVE_ECC_BRAINPOOL -DWOLFSSL_MIN_AUTH_TAG_SZ=8"
 	WOLFSSL_CONFIG="--prefix=$DEPS_PREFIX
 					--disable-crypttests --disable-examples
-					--enable-aesccm --enable-aesctr --enable-aescfb --enable-camellia
+					--enable-aesccm --enable-aesctr --enable-camellia
 					--enable-curve25519 --enable-curve448 --enable-des3
 					--enable-ecccustcurves --enable-ed25519 --enable-ed448
-					--enable-keygen --enable-mlkem --with-max-rsa-bits=8192
-					--enable-md4 --enable-rsapss --enable-sha3 --enable-shake256"
+					--enable-heapmath --enable-keygen --enable-md4
+					--enable-rsapss --enable-sha3 --enable-shake256"
 
 	git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
 	cd $WOLFSSL_DIR &&
 	git checkout -qf $WOLFSSL_REV &&
 	./autogen.sh &&
 	./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
-	make -j$(nproc) >/dev/null &&
+	make -j4 >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@@ -72,7 +69,7 @@ build_wolfssl()
 
 build_tss2()
 {
-	TSS2_REV=3.2.3
+	TSS2_REV=3.2.1
 	TSS2_PKG=tpm2-tss-$TSS2_REV
 	TSS2_DIR=$DEPS_BUILD_DIR/$TSS2_PKG
 	TSS2_SRC=https://github.com/tpm2-software/tpm2-tss/releases/download/$TSS2_REV/$TSS2_PKG.tar.gz
@@ -86,7 +83,7 @@ build_tss2()
 	curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
 	cd $TSS2_DIR &&
 	./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
-	make -j$(nproc) >/dev/null &&
+	make -j4 >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@@ -94,63 +91,31 @@ build_tss2()
 
 build_openssl()
 {
-	SSL_REV=openssl-3.6.0
-	SSL_DIR=$DEPS_BUILD_DIR/openssl
+	SSL_REV=3.0.7
+	SSL_PKG=openssl-$SSL_REV
+	SSL_DIR=$DEPS_BUILD_DIR/$SSL_PKG
+	SSL_SRC=https://www.openssl.org/source/$SSL_PKG.tar.gz
 	SSL_INS=$DEPS_PREFIX/ssl
-	SSL_OPT="-d shared no-dtls no-ssl3 no-zlib no-idea no-psk
+	SSL_OPT="-d shared no-dtls no-ssl3 no-zlib no-idea no-psk no-srp
 			 no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"
 
 	if test -d "$SSL_DIR"; then
 		return
 	fi
 
+	# insist on compiling with gcc and debug information as symbols are otherwise not found
 	if test "$LEAK_DETECTIVE" = "yes"; then
-		# insist on compiling with gcc and debug information as symbols are
-		# otherwise not found, but we can disable SRP (see below)
-		SSL_OPT="$SSL_OPT no-srp CC=gcc -d"
-	elif test "$CC" != "clang"; then
-		# when using ASan with clang, llvm-symbolizer is used to resolve symbols
-		# and this tool links libcurl, which in turn requires SRP, so we can
-		# only disable it when not building with clang
-		SSL_OPT="$SSL_OPT no-srp"
+		SSL_OPT="$SSL_OPT CC=gcc -d"
 	fi
 
 	echo "$ build_openssl()"
 
-	git clone https://github.com/openssl/openssl.git --depth 1 -b $SSL_REV $SSL_DIR || exit $?
-
-	if [ "$TEST" = "android" ]; then
-		OPENSSL_SRC=${SSL_DIR} \
-		NO_DOCKER=1 src/frontends/android/openssl/build.sh || exit $?
-	else
-		cd $SSL_DIR &&
-		./config --prefix=$SSL_INS --openssldir=$SSL_INS --libdir=lib $SSL_OPT &&
-		make -j$(nproc) >/dev/null &&
-		sudo make install_sw >/dev/null &&
-		sudo ldconfig || exit $?
-		cd -
-	fi
-}
-
-build_awslc()
-{
-	LC_REV=1.61.1
-	LC_PKG=aws-lc-$LC_REV
-	LC_DIR=$DEPS_BUILD_DIR/$LC_PKG
-	LC_SRC=https://github.com/aws/aws-lc/archive/refs/tags/v${LC_REV}.tar.gz
-	LC_BUILD=$LC_DIR/build
-	LC_INS=$DEPS_PREFIX/ssl
-
-	mkdir -p $LC_BUILD
-
-	echo "$ build_awslc()"
-
-	curl -L $LC_SRC | tar xz -C $DEPS_BUILD_DIR || exit $?
-
-	cd $LC_BUILD &&
-	cmake -GNinja -DCMAKE_INSTALL_PREFIX=$LC_INS .. &&
-	ninja &&
-	sudo ninja install || exit $?
+	curl -L $SSL_SRC | tar xz -C $DEPS_BUILD_DIR &&
+	cd $SSL_DIR &&
+	./config --prefix=$SSL_INS --openssldir=$SSL_INS --libdir=lib $SSL_OPT &&
+	make -j4 >/dev/null &&
+	sudo make install_sw >/dev/null &&
+	sudo ldconfig || exit $?
 	cd -
 }
 
@@ -160,14 +125,7 @@ use_custom_openssl()
 	export LDFLAGS="$LDFLAGS -L$DEPS_PREFIX/ssl/lib"
 	export LD_LIBRARY_PATH="$DEPS_PREFIX/ssl/lib:$LD_LIBRARY_PATH"
 	if test "$1" = "build-deps"; then
-		case "$TEST" in
-			openssl-awslc)
-				build_awslc
-				;;
-			*)
-				build_openssl
-				;;
-		esac
+		build_openssl
 	fi
 }
 
@@ -179,7 +137,7 @@ system_uses_openssl3()
 
 prepare_system_openssl()
 {
-	# On systems that ship OpenSSL 3 (e.g. Ubuntu 22.04+), we require debug
+	# On systems that ship OpenSSL 3 (e.g. Ubuntu 22.04), we require debug
 	# symbols to whitelist leaks
 	if test "$1" = "deps"; then
 		echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted
@@ -187,24 +145,19 @@ prepare_system_openssl()
 			deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted" | \
 			sudo tee -a /etc/apt/sources.list.d/ddebs.list
 		sudo apt-get install -qq ubuntu-dbgsym-keyring
-		if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "24.04" ]; then
-			DEPS="$DEPS libssl3t64-dbgsym"
-		else
-			DEPS="$DEPS libssl3-dbgsym"
-		fi
+		DEPS="$DEPS libssl3-dbgsym"
 	fi
 	if test "$LEAK_DETECTIVE" = "yes"; then
 		# make sure we can properly whitelist functions with leak detective
 		DEPS="$DEPS binutils-dev"
 		CONFIG="$CONFIG --enable-bfd-backtraces"
-	elif [ "$ID" = "ubuntu" -a "$VERSION_ID" != "24.04" ]; then
+	else
 		# with ASan we have to use the (extremely) slow stack unwind as the
 		# shipped version of the library is built with -fomit-frame-pointer
 		export ASAN_OPTIONS=fast_unwind_on_malloc=0
 	fi
 }
 
-: ${SRC_DIR=$PWD}
 : ${BUILD_DIR=$PWD}
 : ${DEPS_BUILD_DIR=$BUILD_DIR/..}
 : ${DEPS_PREFIX=/usr/local}
@@ -225,43 +178,38 @@ case "$TEST" in
 default)
 	# should be the default, but lets make sure
 	CONFIG="--with-printf-hooks=glibc"
-	if system_uses_openssl3; then
-		prepare_system_openssl $1
-	fi
 	;;
 openssl*)
-	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem --enable-drbg"
-	export TESTS_PLUGINS="test-vectors openssl! pem drbg"
+	CONFIG="--disable-defaults --enable-pki --enable-openssl --enable-pem"
+	export TESTS_PLUGINS="test-vectors openssl! pem"
 	DEPS="libssl-dev"
 	if test "$TEST" = "openssl-3"; then
 		DEPS=""
 		use_custom_openssl $1
-	elif test "$TEST" = "openssl-awslc"; then
-		DEPS="cmake ninja-build golang"
-		use_custom_openssl $1
 	elif system_uses_openssl3; then
 		prepare_system_openssl $1
-	else
-		# the kdf plugin is necessary to build against older OpenSSL versions
-		TESTS_PLUGINS="$TESTS_PLUGINS kdf"
 	fi
 	;;
 gcrypt)
 	CONFIG="--disable-defaults --enable-pki --enable-gcrypt --enable-random --enable-pem --enable-pkcs1 --enable-pkcs8 --enable-gcm --enable-hmac --enable-kdf -enable-curve25519 --enable-x509 --enable-constraints"
 	export TESTS_PLUGINS="test-vectors gcrypt! random pem pkcs1 pkcs8 gcm hmac kdf curve25519 x509 constraints"
-	DEPS="libgcrypt20-dev"
+	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "18.04" ]; then
+		DEPS="libgcrypt11-dev"
+	else
+		DEPS="libgcrypt20-dev"
+	fi
 	;;
 botan)
-	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem --enable-hmac --enable-x509 --enable-constraints --enable-drbg"
-	export TESTS_PLUGINS="test-vectors botan! pem hmac x509 constraints drbg"
+	CONFIG="--disable-defaults --enable-pki --enable-botan --enable-pem --enable-hmac --enable-x509 --enable-constraints"
+	export TESTS_PLUGINS="test-vectors botan! pem hmac x509 constraints"
 	DEPS=""
 	if test "$1" = "build-deps"; then
 		build_botan
 	fi
 	;;
 wolfssl)
-	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem --enable-pkcs1 --enable-pkcs8 --enable-x509 --enable-constraints --enable-drbg"
-	export TESTS_PLUGINS="test-vectors wolfssl! pem pkcs1 pkcs8 x509 constraints drbg"
+	CONFIG="--disable-defaults --enable-pki --enable-wolfssl --enable-pem --enable-pkcs1 --enable-pkcs8 --enable-x509 --enable-constraints"
+	export TESTS_PLUGINS="test-vectors wolfssl! pem pkcs1 pkcs8 x509 constraints"
 	# build with custom options to enable all the features the plugin supports
 	DEPS=""
 	if test "$1" = "build-deps"; then
@@ -270,63 +218,46 @@ wolfssl)
 	;;
 printf-builtin)
 	CONFIG="--with-printf-hooks=builtin"
-	if system_uses_openssl3; then
-		prepare_system_openssl $1
-	fi
 	;;
-all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
+all|codeql|coverage|sonarcloud)
+	if [ "$TEST" = "sonarcloud" ]; then
+		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
+			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
+				 "environment variables are required to run this test"
+			exit 1
+		fi
+	fi
 	if [ "$TEST" = "codeql" ]; then
 		# don't run tests, only analyze built code
 		TARGET=
 	fi
-	if [ "$TEST" = "no-dbg" ]; then
-		CFLAGS="$CFLAGS -DDEBUG_LEVEL=-1"
-	fi
 	CONFIG="--enable-all --disable-android-dns --disable-android-log
 			--disable-kernel-pfroute --disable-keychain
 			--disable-lock-profiler --disable-padlock --disable-fuzzing
-			--disable-osx-attr --disable-tkm
+			--disable-osx-attr --disable-tkm --disable-uci
 			--disable-unwind-backtraces
 			--disable-svc --disable-dbghelp-backtraces --disable-socket-win
-			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp"
+			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp
+			--disable-python-eggs-install"
 	# not enabled on the build server
 	CONFIG="$CONFIG --disable-af-alg"
 	if test "$TEST" != "coverage"; then
 		CONFIG="$CONFIG --disable-coverage"
 	else
+		# not actually required but configure checks for it
 		DEPS="$DEPS lcov"
-		TARGET="coverage"
 	fi
-	if [ "$TEST" = "no-testable-ke" ]; then
-		CONFIG="$CONFIG --without-testable-ke"
-	fi
-	DEPS="$DEPS libcurl4-gnutls-dev libsoup-3.0-dev libunbound-dev libldns-dev
+	DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
 		  libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
 		  libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
-		  libgcrypt20-dev libjson-c-dev libtspi-dev libsystemd-dev
-		  libselinux1-dev libiptc-dev ruby-rubygems python3-build tox"
-	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "22.04" -a "$1" = "build-deps" ]; then
-		# python3-build is broken on 22.04 with venv (https://bugs.launchpad.net/ubuntu/+source/python-build/+bug/1992108)
-		# while installing python3-virtualenv should help, it doesn't. as even
-		# after uninstalling python3-venv, build prefers the latter
-		sudo python3 -m pip install --upgrade build
-	fi
-	if [ "$TEST" = "alpine" ]; then
-		# override the whole list for alpine
-		DEPS="git gmp-dev openldap-dev curl-dev ldns-dev unbound-dev libsoup3-dev
-			  libxml2-dev tpm2-tss-dev tpm2-tss-sys mariadb-dev wolfssl-dev
-			  libgcrypt-dev botan3-dev pcsc-lite-dev networkmanager-dev
-			  linux-pam-dev iptables-dev libselinux-dev binutils-dev libunwind-dev
-			  ruby py3-setuptools py3-build py3-tox"
-		# musl does not provide backtrace(), so use libunwind
-		CONFIG="$CONFIG --enable-unwind-backtraces"
-		# alpine doesn't have systemd
-		CONFIG="$CONFIG --disable-systemd --disable-cert-enroll-timer"
-		# no TrouSerS either
-		CONFIG="$CONFIG --disable-tss-trousers --disable-aikgen"
-		# and no Clearsilver
-		CONFIG="$CONFIG --disable-fast --disable-manager --disable-medsrv"
+		  libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev
+		  libselinux1-dev"
+	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "18.04" ]; then
+		DEPS="$DEPS iptables-dev python3-setuptools"
+	else
+		DEPS="$DEPS libiptc-dev"
 	fi
+	PYDEPS="tox"
 	if test "$1" = "build-deps"; then
 		build_botan
 		build_wolfssl
@@ -340,7 +271,6 @@ win*)
 			--enable-constraints --enable-revocation --enable-pem --enable-pkcs1
 			--enable-pkcs8 --enable-x509 --enable-pubkey --enable-acert
 			--enable-eap-tnc --enable-eap-ttls --enable-eap-identity
-			--enable-eap-radius
 			--enable-updown --enable-ext-auth --enable-libipsec --enable-pkcs11
 			--enable-tnccs-20 --enable-imc-attestation --enable-imv-attestation
 			--enable-imc-os --enable-imv-os --enable-tnc-imv --enable-tnc-imc
@@ -350,16 +280,17 @@ win*)
 	if test "$APPVEYOR" != "True"; then
 		TARGET=
 	else
-		CONFIG="$CONFIG --enable-openssl"
-		CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
-		LDFLAGS="-L$OPENSSL_DIR/lib"
 		case "$IMG" in
-		2015)
-			# gcc/ld might be too old to find libeay32 via .lib instead of .dll
-			LDFLAGS="-L$OPENSSL_DIR"
+		2015|2017)
+			# old OpenSSL versions don't provide HKDF
+			CONFIG="$CONFIG --enable-kdf"
 			;;
 		esac
+		CONFIG="$CONFIG --enable-openssl"
+		CFLAGS="$CFLAGS -I$OPENSSL_DIR/include"
+		LDFLAGS="-L$OPENSSL_DIR"
 		export LDFLAGS
+
 	fi
 	CFLAGS="$CFLAGS -mno-ms-bitfields"
 	DEPS="gcc-mingw-w64-base"
@@ -377,8 +308,9 @@ win*)
 	esac
 	;;
 android)
-	if test "$1" = "build-deps"; then
-		build_openssl
+	if test "$1" = "deps"; then
+		git clone https://github.com/strongswan/boringssl.git -b ndk-static \
+			src/frontends/android/app/src/main/jni/openssl
 	fi
 	TARGET=distdir
 	;;
@@ -388,19 +320,19 @@ macos)
 	# use the same options as in the Homebrew Formula
 	CONFIG="--disable-defaults --enable-charon --enable-cmd --enable-constraints
 			--enable-curl --enable-eap-gtc --enable-eap-identity
-			--enable-eap-md5 --enable-eap-mschapv2 --enable-eap-peap
-			--enable-dhcp --enable-farp --enable-ikev1 --enable-ikev2
-			--enable-kernel-libipsec --enable-kernel-pfkey
+			--enable-eap-md5 --enable-eap-mschapv2 --enable-farp --enable-ikev1
+			--enable-ikev2 --enable-kernel-libipsec --enable-kernel-pfkey
 			--enable-kernel-pfroute --enable-nonce --enable-openssl
 			--enable-osx-attr --enable-pem --enable-pgp --enable-pkcs1
-			--enable-pkcs8 --enable-pkcs11 --enable-pki --enable-pubkey
-			--enable-revocation --enable-socket-default --enable-sshkey
-			--enable-stroke --enable-swanctl --enable-unity --enable-updown
-			--enable-x509 --enable-xauth-generic --enable-drbg"
-	DEPS="automake autoconf libtool bison gperf pkgconf openssl@3 curl"
+			--enable-pkcs8 --enable-pki --enable-pubkey --enable-revocation
+			--enable-socket-default --enable-sshkey --enable-stroke
+			--enable-swanctl --enable-unity --enable-updown
+			--enable-x509 --enable-xauth-generic"
+	DEPS="automake autoconf libtool bison gettext openssl@1.1 curl"
 	BREW_PREFIX=$(brew --prefix)
 	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
-	for pkg in openssl@3 curl
+	export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
+	for pkg in openssl@1.1 curl
 	do
 		PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
 		CPPFLAGS="-I$BREW_PREFIX/opt/$pkg/include $CPPFLAGS"
@@ -453,11 +385,7 @@ fuzzing)
 	;;
 nm)
 	DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
-	ORIG_SRC_DIR="$SRC_DIR"
-	SRC_DIR="$ORIG_SRC_DIR/src/frontends/gnome"
-	if [ "$ORIG_SRC_DIR" = "$BUILD_DIR" ]; then
-		BUILD_DIR="$SRC_DIR"
-	fi
+	cd src/frontends/gnome
 	# don't run ./configure with ./autogen.sh
 	export NOCONFIGURE=1
 	;;
@@ -479,12 +407,8 @@ case "$1" in
 deps)
 	case "$OS_NAME" in
 	linux)
-		sudo apt-get update -y && \
-		sudo apt-get install -y automake autoconf libtool pkgconf bison flex gperf $DEPS
-		;;
-	alpine)
-		apk add --no-cache build-base automake autoconf libtool pkgconfig && \
-		apk add --no-cache bison flex gperf tzdata $DEPS
+		sudo apt-get update -qq && \
+		sudo apt-get install -qq bison flex gperf gettext $DEPS
 		;;
 	macos)
 		brew update && \
@@ -492,11 +416,15 @@ deps)
 		;;
 	freebsd)
 		pkg install -y automake autoconf libtool pkgconf && \
-		pkg install -y bison flex gperf $DEPS
+		pkg install -y bison flex gperf gettext $DEPS
 		;;
 	esac
 	exit $?
 	;;
+pydeps)
+	test -z "$PYDEPS" || pip3 -q install --user $PYDEPS
+	exit $?
+	;;
 build-deps)
 	exit
 	;;
@@ -512,28 +440,24 @@ CONFIG="$CONFIG
 	--enable-leak-detective=${LEAK_DETECTIVE-no}"
 
 case "$TEST" in
-	alpine|codeql|coverage|freebsd|fuzzing|sonarcloud|win*)
+	codeql|coverage|freebsd|fuzzing|sonarcloud|win*)
 		# don't use AddressSanitizer if it's not available or causes conflicts
 		CONFIG="$CONFIG --disable-asan"
 		;;
 	*)
-		if [ "$LEAK_DETECTIVE" != "yes" ]; then
-			CONFIG="$CONFIG --enable-asan"
-		else
+		if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "18.04" ]; then
+			# the libstdc++ workaround for libbotan doesn't work on Ubuntu 18.04
 			CONFIG="$CONFIG --disable-asan"
+		elif [ "$LEAK_DETECTIVE" != "yes" ]; then
+			CONFIG="$CONFIG --enable-asan"
 		fi
 		;;
 esac
 
-cd $SRC_DIR
-if [ ! -f ./configure ]; then
-	echo "$ ./autogen.sh"
-	./autogen.sh || exit $?
-fi
-
-cd $BUILD_DIR
+echo "$ ./autogen.sh"
+./autogen.sh || exit $?
 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
-CC="$CC" CFLAGS="$CFLAGS" $SRC_DIR/configure $CONFIG || exit $?
+CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?
 
 case "$TEST" in
 apidoc)
@@ -548,10 +472,10 @@ case "$TEST" in
 sonarcloud)
 	# without target, coverage is currently not supported anyway because
 	# sonarqube only supports gcov, not lcov
-	build-wrapper-linux-x86-64 --out-dir $BUILD_WRAPPER_OUT_DIR make -j$(nproc) || exit $?
+	build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
 	;;
 *)
-	make -j$(nproc) $TARGET || exit $?
+	make -j4 $TARGET || exit $?
 	;;
 esac
 
@@ -563,9 +487,23 @@ apidoc)
 	fi
 	rm make.warnings
 	;;
+sonarcloud)
+	sonar-scanner \
+		-Dsonar.host.url=https://sonarcloud.io \
+		-Dsonar.projectKey=${SONAR_PROJECT} \
+		-Dsonar.organization=${SONAR_ORGANIZATION} \
+		-Dsonar.login=${SONAR_TOKEN} \
+		-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
+		-Dsonar.sources=. \
+		-Dsonar.cfamily.threads=2 \
+		-Dsonar.cfamily.cache.enabled=true \
+		-Dsonar.cfamily.cache.path=$HOME/.sonar-cache \
+		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
+	rm -r bw-output .scannerwork
+	;;
 android)
 	rm -r strongswan-*
-	cd $SRC_DIR/src/frontends/android
+	cd src/frontends/android
 	echo "$ ./gradlew build"
 	NDK_CCACHE=ccache ./gradlew build --info || exit $?
 	;;
@@ -573,7 +511,6 @@ android)
 	;;
 esac
 
-cd $SRC_DIR
 # ensure there are no unignored build artifacts (or other changes) in the Git repo
 unclean="$(git status --porcelain)"
 if test -n "$unclean"; then

sonar-project.properties

@@ -1,5 +1,3 @@
-sonar.sources=.
-
 # exclude these files completely
 sonar.exclusions=\
 	src/manager/templates/static/jquery.js, \
@@ -31,25 +29,14 @@ sonar.issue.ignore.allfile.a2.fileRegexp=made by GNU Bison
 sonar.issue.ignore.allfile.a3.fileRegexp=produced by gperf
 
 # ignore some rules
-sonar.issue.ignore.multicriteria=m1,m2,m3,m4,m5,m6,m7
-# Multiple variables should not be declared on the same line
-sonar.issue.ignore.multicriteria.m1.ruleKey=c:S1659
+sonar.issue.ignore.multicriteria=m1,m2,m3,m4,m5
+sonar.issue.ignore.multicriteria.m1.ruleKey=c:SingleDeclarationPerStatement
 sonar.issue.ignore.multicriteria.m1.resourceKey=**/*
-# Functions should not be defined with a variable number of arguments
-sonar.issue.ignore.multicriteria.m2.ruleKey=c:S923
+sonar.issue.ignore.multicriteria.m2.ruleKey=c:FunctionEllipsis
 sonar.issue.ignore.multicriteria.m2.resourceKey=**/*
-# Function names should be used either as a call with a parameter list or with the "&" operator
 sonar.issue.ignore.multicriteria.m3.ruleKey=c:S936
 sonar.issue.ignore.multicriteria.m3.resourceKey=**/*
-# Unused function parameters should be removed
 sonar.issue.ignore.multicriteria.m4.ruleKey=c:S1172
 sonar.issue.ignore.multicriteria.m4.resourceKey=**/*
-# Single line comments should start with "--"
 sonar.issue.ignore.multicriteria.m5.ruleKey=plsql:SingleLineCommentsSyntaxCheck
 sonar.issue.ignore.multicriteria.m5.resourceKey=**/*
-# User-defined types should not be passed as variadic arguments
-sonar.issue.ignore.multicriteria.m6.ruleKey=c:S5270
-sonar.issue.ignore.multicriteria.m6.resourceKey=**/*
-# Loop variables should be declared in the minimal possible scope
-sonar.issue.ignore.multicriteria.m7.ruleKey=c:S5955
-sonar.issue.ignore.multicriteria.m7.resourceKey=**/*

src/Makefile.am

@@ -142,7 +142,3 @@ endif
 if USE_LIBTPMTSS
   SUBDIRS += tpm_extendpcr
 endif
-
-if USE_CERT_ENROLL
-  SUBDIRS += cert-enroll
-endif

src/cert-enroll/.gitignore

@@ -1,5 +0,0 @@
-cert-enroll
-cert-enroll.8
-cert-enroll.service
-cert-install-swanctl
-cert-install-ipsec

src/cert-enroll/Makefile.am

@@ -1,61 +0,0 @@
-REPLACE_TARGETS = \
-	cert-enroll \
-	cert-install-swanctl \
-	cert-install-ipsec \
-	cert-enroll.service
-
-$(REPLACE_TARGETS) : Makefile
-	$(AM_V_GEN) \
-	sed \
-	-e "s:@SYSCONFDIR@:$(sysconfdir):" \
-	-e "s:@SBINDIR@:$(sbindir):" \
-	-e "s:@BINDIR@:$(bindir):" \
-	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
-	$(srcdir)/$@.in > $@
-
-sbin_SCRIPTS = cert-enroll
-
-cert-enroll : cert-enroll.in
-
-cert_enrolldir = $(sysconfdir)/cert-enroll.d
-cert_enroll_DATA = cert-enroll.conf
-
-install-data-local:
-	test -e "$(DESTDIR)$(cert_enrolldir)/cert-install.d" || \
-	$(INSTALL) -d "$(DESTDIR)$(cert_enrolldir)/cert-install.d" || true
-
-cert_install_availabledir = $(sysconfdir)/cert-enroll.d/cert-install-available
-cert_install_available_DATA = \
-	cert-install-ssl \
-	cert-install-sssd \
-	cert-install-ldaputils \
-	cert-install-cockpit \
-	cert-install-dirsrv \
-	cert-install-lighttpd \
-	cert-install-openxpki \
-	cert-install-gitea \
-	cert-install-ipsec \
-	cert-install-swanctl
-
-cert-install-swanctl : cert-install-swanctl.in
-
-cert-install-ipsec : cert-install-ipsec.in
-
-EXTRA_DIST = \
-	cert-enroll.conf cert-enroll.in cert-enroll.service.in cert-enroll.timer \
-	cert-install-cockpit cert-install-dirsrv cert-install-gitea \
-	cert-install-ipsec.in cert-install-ldaputils cert-install-lighttpd \
-	cert-install-openxpki cert-install-ssl cert-install-sssd \
-	cert-install-swanctl.in
-
-man8_MANS = cert-enroll.8
-
-CLEANFILES = cert-enroll cert-install-swanctl cert-install-ipsec
-
-if USE_CERT_ENROLL_TIMER
-systemdsystemunit_DATA = cert-enroll.service cert-enroll.timer
-
-cert-enroll.service : cert-enroll.service.in
-
-CLEANFILES += cert-enroll.service
-endif

src/cert-enroll/cert-enroll.8.in

@@ -1,86 +0,0 @@
-.TH CERT-ENROLL 8 "2023-09-01" "@PACKAGE_VERSION@" "strongSwan"
-.
-.SH "NAME"
-.
-cert-enroll \- Requests X.509 certificates from a PKI via EST or SCEP protocols
-.
-.SH "SYNOPSIS"
-.
-.SY "cert-enroll"
-.OP \-c "file
-.OP \-i "directory"
-.YS
-.
-.SY "cert-enroll"
-.B \-h
-.YS
-.
-.SH "DESCRIPTION"
-.
-.B cert-enroll
-uses the strongSwan
-.BR pki
-command to request an initial X.509 certificate from a PKI server using either
-the EST (Enrollment over Secure Transport) or the SCEP (Simple Certificate
-Enrollment Protocol) certificate enrollment protocol. After having received the
-host certificate, its expiration date can be monitored periodically and a new
-certificate will be automatically requested when a predefined deadline of
-remaining validity days is reached. The availability of new CA certificates is
-also monitored periodically. The generated RSA or EDCSA private key, the
-downloaded X.509 certificate and the current set of CA certificates can then be
-installed in specific places on the host via a selection of installation scripts.
-.
-.SH "OPTIONS"
-.
-.TP
-.B "\-h"
-Prints usage information and a short summary of the available commands.
-.TP
-.BI "\-c " file
-Path to the optional local configuration file that can be used to overwrite
-parameters in the default configuration file
-@sysconfdir@/cert-enroll.d/cert-enroll.conf.
-Defaults to @sysconfdir@/cert-enroll.d/cert-enroll.conf.local.
-.TP
-.BI "\-i " directory
-Path to the installation script directory. Defaults to
-@sysconfdir@/cert-enroll.d/cert-install.d. This directory will contain dynamic
-links to selected installation scripts available in the
-@sysconfdir@/cert-enroll.d/cert-install-available directory.
-.
-.SH "CONFIGURATION"
-.
-The configuration parameters for the
-.BR cert-enroll
-script are defined in
-.BR cert-enroll.conf.
-and selected parameters can be overwritten with the local configuration file
-.BR cert-enroll.conf.local.
-.
-.SH FILES
-.
-.nf
-.na
-@sysconfdir@/cert-enroll/cert-enroll.conf         default configuration file
-.ad
-.fi
-.nf
-.na
-@sysconfdir@/cert-enroll/cert-enroll.conf.local   optional local configuration file
-.ad
-.fi
-.nf
-.na
-@sysconfdir@/cert-enroll/cert-install.d           default installation script directory
-.ad
-.fi
-.nf
-.na
-@sysconfdir@/cert-enroll/cert-install-available   selection of available installation scripts
-.ad
-.fi
-.nf
-.na
-/root/certificates/                       default certificate directory
-.ad
-.fi

src/cert-enroll/cert-enroll.conf

@@ -1,81 +0,0 @@
-#!/bin/bash
-# Global configuration file for the strongSwan cert-enroll script
-#
-# This default configuration file should not be edited as the changes
-# might get overwritten by software updates. If you just want to adapt
-# a few parameters, do this in a 'cert-enroll.conf.local' file which
-# will overload the corresponding default values.
-
-# Minimum number of days when a new certificate will be requested
-: ${MIN_DAYS=42}
-
-# Interval in days for checking CA certificate changes
-: ${CA_CHECK_INTERVAL=7}
-
-# Directory where the certificates and keys will be stored
-: ${CERTDIR=/root/certificates}
-
-# Key and certificate names
-: ${HOSTKEY=key.pem}
-: ${HOSTCERT=cert.pem}
-: ${CERTREQ=req.pem}
-: ${CAOUT=cacert}
-: ${ROOTCA=$CAOUT.pem}
-: ${OLDROOTCA=$CAOUT-old.pem}
-: ${OLDERROOTCA=$CAOUT-older.pem}
-: ${SUBCA=$CAOUT-1.pem}
-: ${OLDSUBCA=$CAOUT-1-old.pem}
-: ${OLDERSUBCA=$CAOUT-1-older.pem}
-: ${RAOUT=racert}
-: ${RACERT=$RAOUT.pem}
-
-# TLS root CA certificate required by EST
-# (might also be a Let's Encrypt or other third party root CA certificate)
-: ${TLSROOTCA=$CERTDIR/$ROOTCA}
-
-# Private key type (either "ECDSA", "RSA", "ED25519" or "ED448")
-: ${KEYTYPE=ECDSA}
-
-# RSA private key size in bits
-: ${RSA_SIZE=3072}
-
-# ECDSA private key size in bits
-: ${ECDSA_SIZE=256}
-
-# User group to be assigned to the private key (used by cert-install-ssl)
-: ${USER_GROUP=systemd-journal-upload}
-
-# Systemd service using the private key (used by cert-install-ssl)
-: ${SERVICE=systemd-journal-upload}
-
-# Fully Qualified Domain Name and Distinguished Name
-: ${FQDN=`hostname`}
-: ${DN="C=CH, O=Example Company, CN=$FQDN"}
-
-# Subject Alternative Name (SAN)
-: ${SAN=--san $FQDN}
-
-# Optional additional Subject Alternative Names (fill in and uncomment)
-: ${ADD_SANS=()}
-# ADD_SANS+=(--san )
-
-# Certificate profile (one of "client", "server", "dual" or "ocsp")
-: ${PROFILE=dual}
-
-# Enrollment protocol (either "EST" or "SCEP")
-: ${PROTOCOL=EST}
-
-# Protocol for fetching CA certificates (either "EST" or "SCEP")
-: ${CA_PROTOCOL=$PROTOCOL}
-
-# URL of the EST enrollment server
-: ${EST_URL=https://pki.example.com}
-
-# URL of the SCEP enrollment server
-: ${SCEP_URL=http://pki.example.com/scep}
-
-# Maximum poll time in seconds for EST enrollment process
-: ${EST_MAX_POLL_TIME=28800}
-
-# Maximum poll time in seconds for SCEP enrollment process
-: ${SCEP_MAX_POLL_TIME=28800}

src/cert-enroll/cert-enroll.in

@@ -1,422 +0,0 @@
-#!/bin/bash
-# Enroll or re-enroll X.509 certificates via EST or SCEP protocols using
-# the strongSwan pki tool. Install the certificates via the install scripts
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set default configuration and installation scripts
-#
-CONFIG_DIR="@SYSCONFDIR@/cert-enroll.d"
-CONFIG_SCRIPT="$CONFIG_DIR/cert-enroll.conf"
-CONFIG_SCRIPT_LOCAL="$CONFIG_DIR/cert-enroll.conf.local"
-INSTALL_SCRIPT_DIR="$CONFIG_DIR/cert-install.d"
-
-##############################################################################
-# Parse optional arguments
-#
-function help()
-{
-  echo "Usage:"
-  echo "cert-enroll [-c filename] [-i directory]"
-  echo "Options:"
-  echo "  -h   print usage information"
-  echo "  -c   local configuration file, defaults to $CONFIG_SCRIPT_LOCAL"
-  echo "  -i   installation script directory,  defaults to $INSTALL_SCRIPT_DIR"
-}
-
-while getopts "c:i:h" opt
-do
-  case "$opt" in
-  c)
-    CONFIG_SCRIPT_LOCAL=${OPTARG}
-    ;;
-  i)
-    INSTALL_SCRIPT_DIR=${OPTARG}
-    ;;
-  h)
-    help; exit 0
-    ;;
-  esac
-done
-
-##############################################################################
-# Set optional local configuration parameters, overwriting default parameters
-#
-if [ -f $CONFIG_SCRIPT_LOCAL ]
-then
-  . $CONFIG_SCRIPT_LOCAL
-fi
-
-##############################################################################
-# Set default configuration parameters
-#
-if [ -f $CONFIG_SCRIPT ]
-then
-  . $CONFIG_SCRIPT
-elif [ -f $CONFIG_SCRIPT_LOCAL ]
-then
-  echo "Warning: default configuration file '$CONFIG_SCRIPT' not found," \
-       "depending on local configuration '$CONFIG_SCRIPT_LOCAL' only"
-else
-  echo "Error: neither '$CONFIG_SCRIPT' nor '$CONFIG_SCRIPT_LOCAL'" \
-       "configuration files found"
-  exit 1
-fi
-
-# Path to the strongSwan pki command
-PKI="@BINDIR@/pki"
-
-##############################################################################
-# Define some local functions
-#
-function gen_private_key()
-{
-  status=0
-  $PKI --gen --type $key_type --size $size --outform pem > "$1" || status=$?
-  if [ $status -ne 0 -o ! -s $1 ]
-  then
-    echo "Error: generation of $size bit $KEYTYPE private key failed"
-    exit 1
-  fi
-  chmod 600 $1
-  echo "  generated $size bit $KEYTYPE private key '$1'"
-}
-
-function gen_cert_request()
-{
-  status=0
-  $PKI --req --in "$1/$HOSTKEY" --type $in_type --dn "$DN" \
-	     $SAN "${ADD_SANS[@]}" \
-             --profile $PROFILE --outform pem > "$1/$CERTREQ" || status=$?
-
-  if [ $status -ne 0 -o ! -s $1 ]
-  then
-    echo "Error: generation of PKCS#10 certificate request failed"
-    exit 1
-  fi
-  chmod 600 $1
-  echo "  generated PKCS#10 certificate request"
-}
-
-function get_ca_certs()
-{
-  cd $1
-  status=0
-  if [ $CA_PROTOCOL == "EST" ]
-  then
-    $PKI --estca --url $EST_URL --cacert $TLSROOTCA --caout $CAOUT \
-                 --outform pem --force || status=$?
-    if [ $status -ne 0 -o ! -s $ROOTCA -o ! -s $SUBCA ]
-    then
-      echo "Error: download of CA certificates via EST failed"
-      exit 1
-    fi
-    echo "  downloaded CA certificates via EST"
-  else
-    $PKI --scepca --url $SCEP_URL --caout $CAOUT --raout $RAOUT \
-                  --outform pem --force || status=$?
-    if [ $status -ne 0 -o ! -s $ROOTCA -o ! -s $SUBCA -o ! -s $RACERT ]
-    then
-      echo "Error: download of CA or RA certificates via SCEP failed"
-      exit 1
-    fi
-    echo "  downloaded CA and RA certificates via SCEP"
-  fi
-  cd $CERTDIR
-}
-
-function check_ca_certs()
-{
-  get_ca_certs "$CERTDIR/new"
-
-  ROOTCA_CHANGED=0
-  cmp -s $ROOTCA new/$ROOTCA || ROOTCA_CHANGED=$?
-  if [ $ROOTCA_CHANGED -ne 0 ]
-  then
-    echo "Warning: '$ROOTCA' has changed"
-    if [ -s old/$ROOTCA ]
-    then
-      mv old/$ROOTCA older
-    fi
-    mv $ROOTCA old
-    mv new/$ROOTCA .
-  fi
-
-  SUBCA_CHANGED=0
-  cmp -s $SUBCA new/$SUBCA || SUBCA_CHANGED=$?
-  if [ $SUBCA_CHANGED -ne 0 ]
-  then
-    echo "Warning: '$SUBCA' has changed"
-    if [ -s old/$SUBCA ]
-    then
-      mv old/$SUBCA older
-    fi
-    mv $SUBCA old
-    mv new/$SUBCA .
-  fi
-
-  if [ $CA_PROTOCOL == "SCEP" ]
-  then
-    mv new/$RACERT .
-  fi
-
-  if [ $ROOTCA_CHANGED -eq 0 -a $SUBCA_CHANGED -eq 0 ]
-  then
-    echo "Ok: '$ROOTCA' and '$SUBCA' are unchanged"
-    rm new/$ROOTCA new/$SUBCA
-    return 0
-  else
-    return 1
-  fi
-}
-
-function install_certs()
-{
-  for script in $INSTALL_SCRIPT_DIR/*
-  do
-    status=0
-    echo "  executing '$script'"
-    KEYTYPE="$KEYTYPE" CERTDIR="$CERTDIR" HOSTKEY="$HOSTKEY" \
-    HOSTCERT="$HOSTCERT" ROOTCA="$ROOTCA" SUBCA="$SUBCA" \
-    OLDROOTCA="$OLDROOTCA" OLDSUBCA="$OLDSUBCA" \
-    OLDERROOTCA="$OLDERROOTCA" OLDERSUBCA="$OLDERSUBCA" \
-    USER_GROUP="$USER_GROUP" SERVICE="$SERVICE" \
-    /bin/bash $script || status=$?
-    if [ $status -ne 0 ]
-    then
-      echo "Error: executing '$script' failed"
-    fi
-  done
-}
-
-##############################################################################
-# SCEP certificate enrollment protocol requires RSA
-#
-if [ $PROTOCOL == "SCEP" -a $KEYTYPE != "RSA" ]
-then
-  echo "Warning: the SCEP protocol does not support $KEYTYPE keys," \
-       "switched to RSA key"
-  KEYTYPE="RSA"
-fi
-
-##############################################################################
-# Select key size
-#
-case $KEYTYPE in
-
-
-  RSA)
-    key_type="rsa"
-    in_type="rsa"
-    size=$RSA_SIZE
-    ;;
-
-  ECDSA)
-    key_type="ecdsa"
-    in_type="ecdsa"
-    size=$ECDSA_SIZE
-    ;;
-
-  ED25519)
-    key_type="ed25519"
-    in_type="priv"
-    size="256"
-    ;;
-
-  ED448)
-    key_type="ed448"
-    in_type="priv"
-    size="456"
-    ;;
-
-  *)
-    echo "Error: $KEYTYPE key type unknown"
-    exit 1
-    ;;
-
-esac
-
-##############################################################################
-# Create and change into certificates directory
-#
-mkdir -p $CERTDIR/new $CERTDIR/old $CERTDIR/older
-cd $CERTDIR
-echo "  changed into the '$CERTDIR' directory"
-
-#############################################################################
-# Fetch the CA certificates with the selected enrollment protocol if possible
-#
-if [ $CA_PROTOCOL == "EST" -a ! -s $TLSROOTCA ]
-then
-  echo "  no TLS root CA certificate for EST available," \
-       "revert to SCEP CA protocol"
-  CA_PROTOCOL="SCEP"
-fi
-
-##############################################################################
-# Check if non-empty certificate already exists
-#
-if [ -s $HOSTCERT ]
-then
-##############################################################################
-# Determine the remaining validity of the certificate in days
-#
-  DAYS=$($PKI --print --in $HOSTCERT | awk '/not after/ {
-    if (($7 == "ok") && ($11 == "days)")) {
-      print $10
-    } else {
-      printf("0")
-    }
-  }' -)
-
-  if [ $DAYS -ge $MIN_DAYS ]
-  then
-    echo "Ok: validity of '$HOSTCERT' is $DAYS days," \
-         "more than the minimum of $MIN_DAYS days"
-    if [ $(expr $DAYS % $CA_CHECK_INTERVAL) -eq 0 ]
-    then
-      check_ca_certs && exit 0
-      # update CA certificates if any of them changed
-      install_certs
-    fi
-    exit 0
-  fi
-  echo "Warning: validity of '$HOSTCERT' is only $DAYS days," \
-       "less than the minimum of $MIN_DAYS days"
-
-##############################################################################
-# Check if non-empty private key already exists
-#
-  if [ -s "new/$HOSTKEY" ]
-  then
-    echo "Warning: 'new/$HOSTKEY' already exists," \
-	 "resuming $PROTOCOL re-enrollment"
-  else
-##############################################################################
-# Generate new private key
-#
-    gen_private_key "new/$HOSTKEY"
-  fi
-##############################################################################
-# Get and check CA and RA certificates via SCEP or EST
-#
-  check_ca_certs
-
-##############################################################################
-# Re-enroll certificate via SCEP or EST
-#
-  status=0
-  if [ $PROTOCOL == "SCEP" ]
-  then
-    $PKI --scep --url $SCEP_URL --in new/$HOSTKEY --key $HOSTKEY \
-                --cert $HOSTCERT --dn "$DN" $SAN "${ADD_SANS[@]}" \
-                --cacert-sig $SUBCA --cacert-enc $RACERT --cacert $ROOTCA \
-                --maxpolltime $SCEP_MAX_POLL_TIME --profile $PROFILE \
-                --outform pem > new/$HOSTCERT || status=$?
-  else
-    gen_cert_request "$CERTDIR/new"
-    $PKI --est --url $EST_URL --in new/$CERTREQ --cacert $ROOTCA \
-               --cacert $SUBCA --cacert $TLSROOTCA --key $HOSTKEY \
-               --cert $HOSTCERT --maxpolltime $EST_MAX_POLL_TIME \
-               --outform pem > new/$HOSTCERT || status=$?
-  fi
-
-  if [ $status -ne 0 -o ! -s $HOSTCERT ]
-  then
-    echo "Error: re-enrollment via $PROTOCOL failed"
-    exit 1
-  fi
-  echo "Ok: successfully re-enrolled '$HOSTCERT' via $PROTOCOL"
-
-##############################################################################
-# Replace old key and certificate
-#
-  mv $HOSTKEY $HOSTCERT old
-  mv new/$HOSTKEY new/$HOSTCERT .
-  if [ $PROTOCOL == "EST" ]
-  then
-    mv $CERTREQ old
-    mv new/$CERTREQ .
-  fi
-  echo "  replaced old '$HOSTKEY' and '$HOSTCERT'"
-
-##############################################################################
-# Install keys and certificates
-#
-  install_certs
-  exit 0
-else
-##############################################################################
-# No certificate exists yet
-#
-  echo "  '$HOSTCERT' doesn't exist yet"
-
-##############################################################################
-# Check if non-empty private key already exists
-#
-  if [ -s "$HOSTKEY" ]
-  then
-    echo "Warning: '$HOSTKEY' already exists, resuming $PROTOCOL enrollment"
-  else
-##############################################################################
-# Generate private key
-#
-    gen_private_key "$HOSTKEY"
-  fi
-##############################################################################
-# Get CA and RA certificates via SCEP
-#
-  get_ca_certs "$CERTDIR"
-
-##############################################################################
-# Enroll certificate via SCEP or EST
-#
-  status=0
-  if [ $PROTOCOL == "SCEP" ]
-  then
-    $PKI --scep --url $SCEP_URL --in $HOSTKEY --dn "$DN" $SAN "${ADD_SANS[@]}" \
-                --cacert-sig $SUBCA --cacert-enc $RACERT --cacert $ROOTCA \
-                --profile $PROFILE --maxpolltime $SCEP_MAX_POLL_TIME \
-                --outform pem > $HOSTCERT || status=$?
-  else
-    gen_cert_request "$CERTDIR"
-    $PKI --est --url $EST_URL --in $CERTREQ \
-               --cacert $ROOTCA --cacert $SUBCA --cacert $TLSROOTCA \
-               --maxpolltime $EST_MAX_POLL_TIME \
-               --outform pem > $HOSTCERT || status=$?
-  fi
-
-  if [ $status -ne 0 -o ! -s $HOSTCERT ]
-  then
-    echo "Error: enrollment via $PROTOCOL failed"
-    exit 1
-  fi
-  echo "Ok: successfully enrolled '$HOSTCERT' via $PROTOCOL"
-
-##############################################################################
-# Install keys and certificates
-#
-  install_certs
-  exit 0
-fi

src/cert-enroll/cert-enroll.service.in

@@ -1,9 +0,0 @@
-[Unit]
-Description=X.509 certificate checking (re-enrollment if necessary)
-Documentation=man:cert-enroll(8)
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=@SBINDIR@/cert-enroll
-SuccessExitStatus=1

src/cert-enroll/cert-enroll.timer

@@ -1,12 +0,0 @@
-[Unit]
-Description=daily check of the remaining X.509 certificate lifetime
-Documentation=man:cert-enroll(8)
-
-[Timer]
-# The cert-enroll script should be run once a day.
-OnCalendar=*-*-* 02:00:00
-RandomizedDelaySec=7200
-Persistent=true
-
-[Install]
-WantedBy=timers.target

src/cert-enroll/cert-install-cockpit

@@ -1,50 +0,0 @@
-#!/bin/bash
-# Install the generated key and certificate as TLS credentials for the Cockpit 
-# management interface.
-#
-# Copyright (C) 2024 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set local paths 
-#
-
-# Path to the cockpit credentials 
-COCKPIT="/etc/cockpit/ws-certs.d"
-
-##############################################################################
-# Change into the certificates directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Install the private key and certificate
-#
-cp $HOSTKEY  $COCKPIT/ldap.key
-cp $HOSTCERT $COCKPIT/ldap.crt
-
-##############################################################################
-# Restart the cockpit systemd service
-#
-/usr/bin/systemctl restart cockpit.service
-exit 0
-

src/cert-enroll/cert-install-dirsrv

@@ -1,113 +0,0 @@
-#!/bin/bash
-# Install the private key, the server certificate and the CA certificates in
-# the NSS key (key4.db) and certificate (cert9.db) databases used by the 389
-# directory server to identify itself via TLS. 
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set some local paths 
-#
-
-# Path to the NSS directory 
-NSS_DIR="/etc/dirsrv/slapd-localhost"
-
-# Path to openssl command
-OPENSSL=/usr/bin/openssl
-
-# Path to certutil command
-CERTUTIL=/usr/bin/certutil
-
-# Path to pk12util command
-PK12UTIL=/usr/bin/pk12util
-
-# Path to dsctl command
-DSCTL=/usr/sbin/dsctl
-
-##############################################################################
-# Go to the NSS directory, create a new build subdirectory and change into it
-#
-rm -r -f $NSS_DIR/build && mkdir $NSS_DIR/build && cd $NSS_DIR/build
-
-##############################################################################
-# Generate a new random password into passwd.txt and also store it in pin.txt 
-#
-$OPENSSL rand -base64 48 > passwd.txt
-
-echo "Internal (Software) Token:$(cat passwd.txt)" > pin.txt 
-
-chmod 600 passwd.txt pin.txt
-
-##############################################################################
-# Pack the private key and host certificate into a PKCS#12 container 
-#
-$OPENSSL pkcs12 -export -name "Server-Cert" -passout file:passwd.txt \
-                -in $CERTDIR/$HOSTCERT -inkey $CERTDIR/$HOSTKEY \
-                -out Server-Cert.p12
-
-##############################################################################
-# Create a new password-protected NSS store and import the PKCS#12 file  
-#
-$CERTUTIL -d . -N -f passwd.txt
-$PK12UTIL -d . -i Server-Cert.p12 -w passwd.txt -k passwd.txt 
-  
-##############################################################################
-# Install the CA certificates
-#
-$CERTUTIL -d . -A -t "CT,," -n "Root CA" -i $CERTDIR/$ROOTCA \
-          -f passwd.txt
-$CERTUTIL -d . -A -t "CT,," -n "Sub CA"  -i $CERTDIR/$SUBCA \
-          -f passwd.txt
-if [ -s $CERTDIR/old/$ROOTCA ]
-then
-  $CERTUTIL -d . -A -t "CT,," -n "Old Root CA" -i $CERTDIR/old/$ROOTCA \
-            -f passwd.txt
-fi
-if [ -s $CERTDIR/old/$SUBCA ]
-then
-  $CERTUTIL -d . -A -t "CT,," -n "Old Sub CA" -i $CERTDIR/old/$SUBCA \
-            -f passwd.txt
-fi
-if [ -s $CERTDIR/older/$ROOTCA ]
-then
-  $CERTUTIL -d . -A -t "CT,," -n "Older Root CA" -i $CERTDIR/older/$ROOTCA \
-            -f passwd.txt
-fi
-if [ -s $CERTDIR/older/$SUBCA ]
-then
-  $CERTUTIL -d . -A -t "CT,," -n "Older Sub CA" -i $CERTDIR/older/$SUBCA \
-            -f passwd.txt
-fi
- 
-##############################################################################
-# Move the generated credentials to the correct place and delete the build dir 
-#
-mv key4.db cert9.db passwd.txt pin.txt ..
-
-rm -r $NSS_DIR/build
-
-##############################################################################
-# Restart the 389 directory server
-#
-$DSCTL localhost restart
-exit 0

src/cert-enroll/cert-install-gitea

@@ -1,49 +0,0 @@
-#!/bin/bash
-# Install the generated key and certificate as TLS credentials for the Gitea
-# web server.
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set local paths 
-#
-
-# Path to the Gitea credentials 
-GITEA="/var/lib/gitea/custom"
-
-##############################################################################
-# Change into the certificates directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Install the private key and certificate
-#
-cp $HOSTKEY $HOSTCERT $GITEA/
-
-##############################################################################
-# Restart the gitea systemd service
-#
-/usr/bin/systemctl restart gitea.service
-exit 0
-

src/cert-enroll/cert-install-ipsec.in

@@ -1,81 +0,0 @@
-#!/bin/bash
-# Install the generated key as well as host an CA certificates on a host running
-# strongSwan via the legacy ipsec command line tool.
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set some local paths
-#
-
-# Path to the strongSwan ipsec command
-IPSEC="@SBINDIR@/@IPSEC_SCRIPT@"
-
-# Path to the strongSwan ipsec.d directory
-IPSECDIR="@SYSCONFDIR@/ipsec.d"
-
-##############################################################################
-# Change into the certificates directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Install the private key
-#
-cp $HOSTKEY $IPSECDIR/private
-
-##############################################################################
-# Install the certificate
-#
-cp $HOSTCERT $IPSECDIR/certs
-
-##############################################################################
-# Install the CA certificates
-#
-cp $ROOTCA $SUBCA $IPSECDIR/cacerts
-if [ -s old/$ROOTCA ]
-then
-  cp old/$ROOTCA $IPSECDIR/cacerts/$OLDROOTCA
-fi
-if [ -s old/$SUBCA ]
-then
-  cp old/$SUBCA $IPSECDIR/cacerts/$OLDSUBCA
-fi
-if [ -s older/$ROOTCA ]
-then
-  cp older/$ROOTCA $IPSECDIR/cacerts/$OLDERROOTCA
-fi
-if [ -s older/$SUBCA ]
-then
-  cp older/$SUBCA $IPSECDIR/cacerts/$OLDERSUBCA
-fi
-
-##############################################################################
-# Reload the strongSwan charon daemon if it is running
-#
-if [ -e /var/run/charon.pid ]
-then
-  $IPSEC rereadall
-  $IPSEC reload
-fi
-exit 0

src/cert-enroll/cert-install-ldaputils

@@ -1,64 +0,0 @@
-#!/bin/bash
-# Concatenate the present and past CA certificates into a single TLS_CACERT
-# file defined by ldap.conf so that the ldap-utils can verify the LDAP server
-# certificate.
-#
-# Copyright (C) 2024 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set some local paths
-#
-
-# Path to the LDAP configuration file
-LDAP_CONF="/etc/ldap/ldap.conf"
-
-# Extract or set path to the LDAP TLS CA cert directory
-LDAP_TLS_CACERTS=$(awk '/TLS_CACERT/ {print $2}' $LDAP_CONF)
-
-##############################################################################
-# Change into the certificate directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Concatenate the CA certificates into a single file
-#
-cat $ROOTCA $SUBCA > $LDAP_TLS_CACERTS
-if [ -s old/$ROOTCA ]
-then
-  cat old/$ROOTCA >> $LDAP_TLS_CACERTS
-fi
-if [ -s old/$SUBCA ]
-then
-  cat old/$SUBCA >> $LDAP_TLS_CACERTS
-fi
-if [ -s older/$ROOTCA ]
-then
-  cat older/$ROOTCA >> $LDAP_TLS_CACERTS
-fi
-if [ -s older/$SUBCA ]
-then
-  cat older/$SUBCA >> $LDAP_TLS_CACERTS
-fi
-
-exit 0

src/cert-enroll/cert-install-lighttpd

@@ -1,48 +0,0 @@
-#!/bin/bash
-# Install the generated key and certificate as TLS credentials for a web server
-# based based on the lighttpd daemon.
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Change into the certificates directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Install the web server's TLS key and certificate in single file
-#
-cat $HOSTKEY $HOSTCERT > /etc/lighttpd/https-cert.pem
-
-##############################################################################
-# Restart the lighttpd daemon
-#
-test -f /usr/bin/systemctl && /usr/bin/systemctl list-unit-files lighttpd.service | \
-  grep -q "lighttpd.service enabled" && status=$? || status=$?
-if [ $status -eq 0 ]
-then
-  /usr/bin/systemctl restart lighttpd.service
-else
-  /etc/init.d/lighttpd reload
-fi
-exit 0

src/cert-enroll/cert-install-openxpki

@@ -1,74 +0,0 @@
-#!/bin/bash
-# Install the generated key and host certificate as well as the CA certificates
-# as TLS credentials for the Apache2-based OpenXPKI web server.
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set local paths
-#
-
-# Path to the OpenXPKI TLS credentials
-OPENXPKI_TLS="/etc/openxpki/tls"
-
-##############################################################################
-# Change into the certificates directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Install the private key and certificate
-#
-cp $HOSTKEY  $OPENXPKI_TLS/private/openxpki.pem
-cp $HOSTCERT $OPENXPKI_TLS/endentity/openxpki.crt
-
-##############################################################################
-# Install and rehash the CA certificates
-#
-cp $ROOTCA $SUBCA $OPENXPKI_TLS/chain
-if [ -s old/$ROOTCA ]
-then
-  cp old/$ROOTCA $OPENXPKI_TLS/chain/$OLDROOTCA
-fi
-if [ -s old/$SUBCA ]
-then
-  cp old/$SUBCA $OPENXPKI_TLS/chain/$OLDSUBCA
-fi
-if [ -s older/$ROOTCA ]
-then
-  cp older/$ROOTCA $OPENXPKI_TLS/chain/$OLDERROOTCA
-fi
-if [ -s older/$SUBCA ]
-then
-  cp older/$SUBCA $OPENXPKI_TLS/chain/$OLDERSUBCA
-fi
-
-rm -f $OPENXPKI_TLS/chain/*.0
-
-/usr/bin/openssl rehash $OPENXPKI_TLS/chain
-
-##############################################################################
-# Restart the apache2 systemd service
-#
-/usr/bin/systemctl restart apache2.service
-exit 0

src/cert-enroll/cert-install-ssl

@@ -1,69 +0,0 @@
-#!/bin/bash
-# Install the generated key, host certificate and associated CA certificates
-# as credentials for a TLS-protected client-server connection.
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set local paths
-#
-
-# Path to the SSL credentials directory
-SSL_DIR="/etc/ssl/$USER_GROUP"
-
-##############################################################################
-# Create a credentials directory with given user group settings
-#
-mkdir -p $SSL_DIR
-chgrp $USER_GROUP $SSL_DIR
-chmod g+s $SSL_DIR
-cp $CERTDIR/{$HOSTKEY,$HOSTCERT} $SSL_DIR
-chmod g+r $SSL_DIR/$HOSTKEY
-
-cat $CERTDIR/{$ROOTCA,$SUBCA} > $SSL_DIR/trusted.pem
-if [ -s $CERTDIR/old/$ROOTCA ]
-then
-  cat $CERTDIR/old/$ROOTCA >> $SSL_DIR/trusted.pem
-fi
-if [ -s $CERTDIR/old/$SUBCA ]
-then
-  cat $CERTDIR/old/$SUBCA  >> $SSL_DIR/trusted.pem
-fi
-if [ -s $CERTDIR/older/$ROOTCA ]
-then
-  cat $CERTDIR/older/$ROOTCA >> $SSL_DIR/trusted.pem
-fi
-if [ -s $CERTDIR/older/$SUBCA ]
-then
-  cat $CERTDIR/older/$SUBCA  >> $SSL_DIR/trusted.pem
-fi
-
-##############################################################################
-# Restart the systemd service if it is active
-#
-
-if /usr/bin/systemctl -q is-active $SERVICE
-then
-  /usr/bin/systemctl restart $SERVICE
-fi
-exit 0

src/cert-enroll/cert-install-sssd

@@ -1,78 +0,0 @@
-#!/bin/bash
-# Install the present and past CA certificates in the ldap_tls_cacertdir
-# directory defined by sssd.conf, followed by the execution of the
-# openssl_rehash command in that directory so that the SSSD daemon can verify
-# the LDAP server certificate.
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set some local paths
-#
-
-# Path to the SSSD configuration file
-SSSD_CONF="/etc/sssd/sssd.conf"
-
-# Extract or set path to the LDAP TLS CA cert directory
-LDAP_TLS_CACERTDIR=$(awk '/ldap_tls_cacertdir/ {print $3}' $SSSD_CONF)
-
-##############################################################################
-# Change into the certificate directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Install and rehash the CA certificates
-#
-cp $ROOTCA $SUBCA $LDAP_TLS_CACERTDIR
-if [ -s old/$ROOTCA ]
-then
-  cp old/$ROOTCA $LDAP_TLS_CACERTDIR/$OLDROOTCA
-fi
-if [ -s old/$SUBCA ]
-then
-  cp old/$SUBCA $LDAP_TLS_CACERTDIR/$OLDSUBCA
-fi
-if [ -s older/$ROOTCA ]
-then
-  cp older/$ROOTCA $LDAP_TLS_CACERTDIR/$OLDERROOTCA
-fi
-if [ -s older/$SUBCA ]
-then
-  cp older/$SUBCA $LDAP_TLS_CACERTDIR/$OLDERSUBCA
-fi
-
-rm -f $LDAP_TLS_CACERTDIR/*.0
-
-/usr/bin/openssl rehash $LDAP_TLS_CACERTDIR
-
-##############################################################################
-# Restart the SSSD daemon
-#
-if [ -f /usr/bin/systemctl ]
-then
-  /usr/bin/systemctl restart sssd.service
-else
-  /etc/init.d/sssd restart
-fi
-exit 0

src/cert-enroll/cert-install-swanctl.in

@@ -1,89 +0,0 @@
-#!/bin/bash
-# Install the generated key and certificates on the host running strongSwan
-# as a systemd service and managed via the swanctl command line tool.
-#
-# Copyright (C) 2023 Andreas Steffen
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-set -e
-
-##############################################################################
-# Set some local paths
-#
-
-# Path to the strongSwan swanctl command
-SWANCTL="@SBINDIR@/swanctl"
-
-# Path to the strongSwan swanctl directory
-SWANCTLDIR="@SYSCONFDIR@/swanctl"
-
-##############################################################################
-# Change to the certificate directory
-#
-cd $CERTDIR
-
-##############################################################################
-# Install the private key
-#
-if [ $KEYTYPE == "RSA" ]
-then
-  cp $HOSTKEY ${SWANCTLDIR}/rsa
-elif [ $KEYTYPE == "ECDSA" ]
-then
-  cp $HOSTKEY ${SWANCTLDIR}/ecdsa
-else
-  cp $HOSTKEY ${SWANCTLDIR}/private
-fi
-
-##############################################################################
-# Install the certificate
-#
-cp $HOSTCERT ${SWANCTLDIR}/x509
-
-##############################################################################
-# Install the CA certificates
-#
-cp $ROOTCA $SUBCA ${SWANCTLDIR}/x509ca
-if [ -s old/$ROOTCA ]
-then
-  cp old/$ROOTCA ${SWANCTLDIR}/x509ca/$OLDROOTCA
-fi
-if [ -s old/$SUBCA ]
-then
-  cp old/$SUBCA ${SWANCTLDIR}/x509ca/$OLDSUBCA
-fi
-if [ -s older/$ROOTCA ]
-then
-  cp older/$ROOTCA ${SWANCTLDIR}/x509ca/$OLDERROOTCA
-fi
-if [ -s older/$SUBCA ]
-then
-  cp older/$SUBCA ${SWANCTLDIR}/x509ca/$OLDERSUBCA
-fi
-
-##############################################################################
-# Reload the strongswan systemd service if it is running
-#
-if /usr/bin/systemctl -q is-active strongswan.service
-then
-  $SWANCTL --load-creds --noprompt
-  $SWANCTL --load-conns
-fi
-exit 0

src/charon-cmd/charon-cmd.8.in

@@ -95,10 +95,6 @@ options can be used.
 .TP
 .BI "\-\-rsa " path
 RSA private key to use for authentication (if a password is required, it will
-be requested on demand). For other key types use \fI\-\-priv\fR.
-.TP
-.BI "\-\-priv " path
-Private key to use for authentication (if a password is required, it will
 be requested on demand).
 .TP
 .BI "\-\-p12 " path

src/charon-cmd/cmd/cmd_connection.c

@@ -170,7 +170,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 		case PROF_V1_XAUTH_AM:
 		case PROF_V1_XAUTH_PSK_AM:
 		case PROF_V1_HYBRID_AM:
-			peer.options |= OPT_IKEV1_AGGRESSIVE;
+			peer.aggressive = TRUE;
 			/* FALL */
 		case PROF_V1_PUB:
 		case PROF_V1_XAUTH:
@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
 	child_cfg = create_child_cfg(this, peer_cfg);
 
 	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-				controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
+								controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
 	{
 		terminate(pid);
 	}
@@ -499,7 +499,6 @@ METHOD(cmd_connection_t, handle, bool,
 			this->xautheap = arg;
 			break;
 		case CMD_OPT_RSA:
-		case CMD_OPT_PRIV:
 		case CMD_OPT_AGENT:
 		case CMD_OPT_PKCS12:
 			this->key_seen = TRUE;
@@ -585,7 +584,7 @@ cmd_connection_t *cmd_connection_create()
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio(
 			(callback_job_cb_t)initiate, this, NULL,
-			callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 
 	return &this->public;
 }

src/charon-cmd/cmd/cmd_creds.c

@@ -71,7 +71,6 @@ static shared_key_t* callback_shared(private_cmd_creds_t *this,
 								id_match_t *match_me, id_match_t *match_other)
 {
 	shared_key_t *shared;
-	linked_list_t *owners;
 	char *label, *pwd = NULL;
 
 	if (type == this->prompted)
@@ -114,16 +113,7 @@ static shared_key_t* callback_shared(private_cmd_creds_t *this,
 	shared = shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
 	memwipe(pwd, strlen(pwd));
 	/* cache password in case it is required more than once */
-	owners = linked_list_create();
-	if (me)
-	{
-		owners->insert_last(owners, me->clone(me));
-	}
-	if (other && other->get_type(other) != ID_ANY)
-	{
-		owners->insert_last(owners, other->clone(other));
-	}
-	this->creds->add_shared_list(this->creds, shared, owners);
+	this->creds->add_shared(this->creds, shared, NULL);
 	return shared->get_ref(shared);
 }
 
@@ -247,9 +237,6 @@ METHOD(cmd_creds_t, handle, bool,
 		case CMD_OPT_RSA:
 			load_key(this, KEY_RSA, arg);
 			break;
-		case CMD_OPT_PRIV:
-			load_key(this, KEY_ANY, arg);
-			break;
 		case CMD_OPT_PKCS12:
 			load_pkcs12(this, arg);
 			break;

src/charon-cmd/cmd/cmd_options.c

@@ -43,8 +43,6 @@ cmd_option_t cmd_options[CMD_OPT_COUNT] = {
 	  "certificate for authentication or trust chain validation", {}},
 	{ CMD_OPT_RSA, "rsa", required_argument, "path",
 	  "RSA private key to use for authentication", {}},
-	{ CMD_OPT_PRIV, "priv", required_argument, "path",
-	  "Private key to use for authentication", {}},
 	{ CMD_OPT_PKCS12, "p12", required_argument, "path",
 	  "PKCS#12 file with private key and certificates to use for ", {
 		"authentication and trust chain validation"

src/charon-cmd/cmd/cmd_options.h

@@ -40,7 +40,6 @@ enum cmd_option_type_t {
 	CMD_OPT_REMOTE_IDENTITY,
 	CMD_OPT_CERT,
 	CMD_OPT_RSA,
-	CMD_OPT_PRIV,
 	CMD_OPT_PKCS12,
 	CMD_OPT_AGENT,
 	CMD_OPT_LOCAL_TS,

src/charon-nm/charon-nm.c

@@ -195,40 +195,6 @@ int main(int argc, char *argv[])
 	lib->settings->set_default_str(lib->settings, "charon-nm.port", "0");
 	lib->settings->set_default_str(lib->settings, "charon-nm.port_nat_t", "0");
 
-	/* install VIPs on lo as NM might modify the physical interface (this seems
-	 * to affect IPv6 in particular), it actually installs the VIPs on the
-	 * passed device again, but since that happens after we require them for
-	 * installing routes, we install them ourselves too */
-	lib->settings->set_default_str(lib->settings,
-								   "charon-nm.install_virtual_ip_on", "lo");
-
-	/* install routes via XFRM interfaces, if we can use them */
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.plugins.kernel-netlink.install_routes_xfrmi", "yes");
-	/* use a separate routing table to avoid conflicts with regular charon */
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.routing_table", "210");
-	/* use the same value as priority (higher than charon's default) */
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.routing_table_prio", "210");
-	/* bypass IKE/ESP from these routes in case traffic selectors conflict */
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.plugins.socket-default.fwmark", "210");
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.plugins.kernel-netlink.fwmark", "!210");
-
-	/* trigger a DPD to verify the current path is working */
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.check_current_path", "yes");
-
-	/* fail more quickly so users don't have to wait too long for a new SA */
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.retransmit_tries", "3");
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.retransmit_timeout", "2.0");
-	lib->settings->set_default_str(lib->settings,
-				"charon-nm.retransmit_base", "1.4");
-
 	DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
 	if (lib->integrity)
 	{

src/charon-nm/nm/nm_backend.c

@@ -78,8 +78,7 @@ static job_requeue_t run(nm_backend_t *this)
 /**
  * Cancel the GLib Main Event Loop
  */
-CALLBACK(cancel, bool,
-	nm_backend_t *this)
+static bool cancel(nm_backend_t *this)
 {
 	if (this->loop)
 	{
@@ -153,7 +152,7 @@ static bool nm_backend_init()
 
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
-				NULL, cancel, JOB_PRIO_CRITICAL));
+				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
 	return TRUE;
 }
 

src/charon-nm/nm/nm_handler.c

@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
 		.public = {
 			.handler = {
 				.handle = _handle,
-				.release = (void*)nop,
+				.release = nop,
 				.create_attribute_enumerator = _create_attribute_enumerator,
 			},
 			.create_enumerator = _create_enumerator,

src/charon-nm/nm/nm_service.c

@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2017 Lubomir Rintel
- * Copyright (C) 2013-2023 Tobias Brunner
+ *
+ * Copyright (C) 2013-2020 Tobias Brunner
  * Copyright (C) 2008-2009 Martin Willi
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,10 +15,6 @@
  * for more details.
  */
 
-#include <stdio.h>
-#include <inttypes.h>
-#include <net/if.h>
-
 #include "nm_service.h"
 
 #include <daemon.h>
@@ -26,9 +23,8 @@
 #include <config/peer_cfg.h>
 #include <credentials/certificates/x509.h>
 #include <networking/tun_device.h>
-#include <plugins/kernel_netlink/kernel_netlink_xfrmi.h>
 
-#define XFRMI_DEFAULT_MTU 1400
+#include <stdio.h>
 
 /**
  * Private data of NMStrongswanPlugin
@@ -44,13 +40,7 @@ typedef struct {
 	nm_creds_t *creds;
 	/* attribute handler for DNS/NBNS server information */
 	nm_handler_t *handler;
-	/* manager for XFRM interfaces, if supported */
-	kernel_netlink_xfrmi_t *xfrmi_manager;
-	/* interface ID of XFRM interface */
-	uint32_t xfrmi_id;
-	/* name of XFRM interface if one is used */
-	char *xfrmi;
-	/* dummy TUN device if not using XFRM interface */
+	/* dummy TUN device */
 	tun_device_t *tun;
 	/* name of the connection */
 	char *name;
@@ -117,83 +107,6 @@ static GVariant* handler_to_variant(nm_handler_t *handler, char *variant_type,
 	return g_variant_builder_end (&builder);
 }
 
-/**
- * Destroy any allocated XFRM or TUN interface
- */
-static void delete_interface(NMStrongswanPluginPrivate *priv)
-{
-	if (priv->xfrmi)
-	{
-		priv->xfrmi_manager->delete(priv->xfrmi_manager, priv->xfrmi);
-		free(priv->xfrmi);
-		priv->xfrmi = NULL;
-	}
-	if (priv->tun)
-	{
-		priv->tun->destroy(priv->tun);
-		priv->tun = NULL;
-	}
-}
-
-/**
- * Create an XFRM or TUN interface
- */
-static void create_interface(NMStrongswanPluginPrivate *priv,
-							 const char *interface_name)
-{
-	if (priv->xfrmi_manager)
-	{
-		char name[IFNAMSIZ];
-		int mtu;
-
-		/* allocate a random interface ID */
-		priv->xfrmi_id = random();
-
-		if (interface_name)
-		{	/* use the preferred interface name if one is provided */
-			snprintf(name, sizeof(name), "%s", interface_name);
-		}
-		else
-		{
-			/* use the interface ID to get a unique name, fine if it's cut off */
-			snprintf(name, sizeof(name), "nm-xfrm-%" PRIu32, priv->xfrmi_id);
-		}
-
-		mtu = lib->settings->get_int(lib->settings, "charon-nm.mtu",
-									 XFRMI_DEFAULT_MTU);
-
-		if (priv->xfrmi_manager->create(priv->xfrmi_manager, name,
-										priv->xfrmi_id, NULL, mtu))
-		{
-			priv->xfrmi = strdup(name);
-		}
-		else
-		{
-			priv->xfrmi_id = 0;
-		}
-	}
-	if (!priv->xfrmi)
-	{	/* use a TUN device as fallback */
-		priv->tun = tun_device_create(NULL);
-	}
-
-	if (priv->xfrmi)
-	{
-		DBG1(DBG_CFG, "created XFRM interface %s for NetworkManager connection "
-			 "%s", priv->xfrmi, priv->name);
-	}
-	else if (priv->tun)
-	{
-		DBG1(DBG_CFG, "created TUN device %s for NetworkManager connection "
-			 "%s", priv->tun->get_name(priv->tun), priv->name);
-	}
-	else
-	{
-		DBG1(DBG_CFG, "failed to create XFRM or dummy TUN device, might affect "
-			 "DNS server installation negatively");
-	}
-}
-
 /**
  * Signal IP config to NM, set connection as established
  */
@@ -214,22 +127,17 @@ static void signal_ip_config(NMVpnServicePlugin *plugin,
 
 	handler = priv->handler;
 
-	/* we can reconnect automatically if interfaces change */
-	g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CAN_PERSIST,
-						   g_variant_new_boolean (TRUE));
-
-	/* NM apparently requires to know the gateway (it uses it to install a
-	 * direct route via physical interface if conflicting routes are passed) */
+	/* NM apparently requires to know the gateway */
 	other = ike_sa->get_other_host(ike_sa);
 	g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY,
 						   host_to_variant(other));
 
-	if (priv->xfrmi)
-	{
-		g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV,
-							   g_variant_new_string (priv->xfrmi));
-	}
-	else if (priv->tun)
+	/* systemd-resolved requires a device to properly install DNS servers, but
+	 * Netkey does not use one.  Passing the physical interface is not ideal,
+	 * as NM fiddles around with it and systemd-resolved likes a separate
+	 * device. So we pass a dummy TUN device along for NM etc. to play with...
+	 */
+	if (priv->tun)
 	{
 		g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV,
 							   g_variant_new_string (priv->tun->get_name(priv->tun)));
@@ -276,16 +184,18 @@ static void signal_ip_config(NMVpnServicePlugin *plugin,
 							   host_to_variant(vip4));
 		g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX,
 							   g_variant_new_uint32 (vip4->get_address(vip4).len * 8));
-		g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS,
-							   handler_to_variant(handler, "au", INTERNAL_IP4_DNS));
-		g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS,
-							   handler_to_variant(handler, "au", INTERNAL_IP4_NBNS));
 
-		/* prevent NM from changing the default route, as we set our own routes
-		 * in a separate routing table
+		/* prevent NM from changing the default route. we set our own route in our
+		 * own routing table
 		 */
 		g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT,
 							   g_variant_new_boolean (TRUE));
+
+		g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS,
+							   handler_to_variant(handler, "au", INTERNAL_IP4_DNS));
+
+		g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS,
+							   handler_to_variant(handler, "au", INTERNAL_IP4_NBNS));
 	}
 
 	if (vip6)
@@ -294,12 +204,11 @@ static void signal_ip_config(NMVpnServicePlugin *plugin,
 							   host_to_variant(vip6));
 		g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX,
 							   g_variant_new_uint32 (vip6->get_address(vip6).len * 8));
+		g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT,
+							   g_variant_new_boolean (TRUE));
 		g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS,
 							   handler_to_variant(handler, "aay", INTERNAL_IP6_DNS));
 		/* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */
-
-		g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT,
-							   g_variant_new_boolean (TRUE));
 	}
 
 	ip4config = g_variant_builder_end (&ip4builder);
@@ -678,51 +587,6 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
 	return TRUE;
 }
 
-/**
- * Add traffic selectors to the given config, optionally parse them from a
- * semicolon-separated list.
- */
-static bool add_traffic_selectors(child_cfg_t *child_cfg, bool local,
-								  const char *list, GError **err)
-{
-	enumerator_t *enumerator;
-	traffic_selector_t *ts;
-	char *token;
-
-	if (list && strlen(list))
-	{
-		enumerator = enumerator_create_token(list, ";", "");
-		while (enumerator->enumerate(enumerator, &token))
-		{
-			ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
-			if (!ts)
-			{
-				g_set_error(err, NM_VPN_PLUGIN_ERROR,
-							NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
-							"Invalid %s traffic selector '%s'.",
-							local ? "local" : "remote", token);
-				enumerator->destroy(enumerator);
-				return FALSE;
-			}
-			child_cfg->add_traffic_selector(child_cfg, local, ts);
-		}
-		enumerator->destroy(enumerator);
-	}
-	else if (local)
-	{
-		ts = traffic_selector_create_dynamic(0, 0, 65535);
-		child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
-	}
-	else
-	{
-		ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
-		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-		ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
-		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
-	}
-	return TRUE;
-}
-
 /**
  * Connect function called from NM via DBUS
  */
@@ -741,6 +605,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 	ike_cfg_t *ike_cfg;
 	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
+	traffic_selector_t *ts;
 	ike_sa_t *ike_sa;
 	auth_cfg_t *auth;
 	certificate_t *cert = NULL;
@@ -781,15 +646,20 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 												NM_TYPE_SETTING_CONNECTION));
 	vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
 												NM_TYPE_SETTING_VPN));
-	free(priv->name);
+	if (priv->name)
+	{
+		free(priv->name);
+	}
 	priv->name = strdup(nm_setting_connection_get_id(conn));
 	DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
 		 priv->name);
-	DBG3(DBG_CFG, "%s",
-		 nm_setting_to_string(NM_SETTING(conn)));
 	DBG4(DBG_CFG, "%s",
 		 nm_setting_to_string(NM_SETTING(vpn)));
-
+	if (!priv->tun)
+	{
+		DBG1(DBG_CFG, "failed to create dummy TUN device, might affect DNS "
+			 "server installation negatively");
+	}
 	ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address");
 	if (!ike.remote || !*ike.remote)
 	{
@@ -949,23 +819,6 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 	auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
 	peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
-	/* systemd-resolved requires a device to properly install DNS servers, but
-	 * Netkey does not require one.  Passing the physical interface is not ideal,
-	 * as NM fiddles around with it and systemd-resolved likes a separate
-	 * device. So we pass either an XFRM interface or a dummy TUN device along
-	 * for NM etc. to play with...
-	 */
-	delete_interface(priv);
-	create_interface(priv, nm_setting_connection_get_interface_name(conn));
-	if (priv->xfrmi_id)
-	{	/* set the same mark as for IKE packets on the ESP packets so no routing
-		 * loop is created if the TS covers the VPN server's IP */
-		mark_from_string(lib->settings->get_str(lib->settings,
-							"charon-nm.plugins.socket-default.fwmark", NULL),
-						 MARK_OP_NONE, &child.set_mark_out);
-		child.if_id_in = child.if_id_out = priv->xfrmi_id;
-	}
-
 	child_cfg = child_cfg_create(priv->name, &child);
 	str = nm_setting_vpn_get_data_item(vpn, "esp");
 	if (proposal && str && strlen(str))
@@ -993,22 +846,36 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 		child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
 		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 	}
-
-	str = nm_setting_vpn_get_data_item(vpn, "local-ts");
-	if (!add_traffic_selectors(child_cfg, TRUE, str, err))
-	{
-		child_cfg->destroy(child_cfg);
-		peer_cfg->destroy(peer_cfg);
-		return FALSE;
-	}
+	ts = traffic_selector_create_dynamic(0, 0, 65535);
+	child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 	str = nm_setting_vpn_get_data_item(vpn, "remote-ts");
-	if (!add_traffic_selectors(child_cfg, FALSE, str, err))
+	if (str && strlen(str))
 	{
-		child_cfg->destroy(child_cfg);
-		peer_cfg->destroy(peer_cfg);
-		return FALSE;
+		enumerator = enumerator_create_token(str, ";", "");
+		while (enumerator->enumerate(enumerator, &str))
+		{
+			ts = traffic_selector_create_from_cidr((char*)str, 0, 0, 65535);
+			if (!ts)
+			{
+				g_set_error(err, NM_VPN_PLUGIN_ERROR,
+							NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+							"Invalid remote traffic selector.");
+				enumerator->destroy(enumerator);
+				child_cfg->destroy(child_cfg);
+				peer_cfg->destroy(peer_cfg);
+				return FALSE;
+			}
+			child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+		}
+		enumerator->destroy(enumerator);
+	}
+	else
+	{
+		ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
+		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+		ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
+		child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 	}
-
 	peer_cfg->add_child_cfg(peer_cfg, child_cfg);
 
 	/**
@@ -1122,7 +989,7 @@ static gboolean do_disconnect(gpointer plugin)
 	NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
 	enumerator_t *enumerator;
 	ike_sa_t *ike_sa;
-	u_int id = 0;
+	u_int id;
 
 	/* our ike_sa pointer might be invalid, lookup sa */
 	enumerator = charon->controller->create_ike_sa_enumerator(
@@ -1132,27 +999,20 @@ static gboolean do_disconnect(gpointer plugin)
 		if (priv->ike_sa == ike_sa)
 		{
 			id = ike_sa->get_unique_id(ike_sa);
-			break;
+			enumerator->destroy(enumerator);
+			charon->controller->terminate_ike(charon->controller, id, FALSE,
+											  controller_cb_empty, NULL, 0);
+
+			/* clear secrets as we are asked for new secrets (where we'd find
+			 * the cached secrets from earlier connections) before we clear
+			 * them in connect() */
+			priv->creds->clear(priv->creds);
+			return FALSE;
 		}
 	}
 	enumerator->destroy(enumerator);
 
-	if (id)
-	{
-		charon->controller->terminate_ike(charon->controller, id, FALSE,
-									controller_cb_empty, NULL, LEVEL_SILENT, 0);
-	}
-	else
-	{
-		g_debug("Connection not found.");
-	}
-
-	/* clear secrets as we are asked for new secrets (where we'd find the cached
-	 * secrets from earlier connections) before we clear them in connect() */
-	priv->creds->clear(priv->creds);
-
-	/* delete any allocated interface */
-	delete_interface(priv);
+	g_debug("Connection not found.");
 	return FALSE;
 }
 
@@ -1184,7 +1044,8 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
 	priv->listener.ike_reestablish_pre = _ike_reestablish_pre;
 	priv->listener.ike_reestablish_post = _ike_reestablish_post;
 	charon->bus->add_listener(charon->bus, &priv->listener);
-	priv->xfrmi_manager = lib->get(lib, KERNEL_NETLINK_XFRMI_MANAGER);
+	priv->tun = tun_device_create(NULL);
+	priv->name = NULL;
 }
 
 /**
@@ -1197,8 +1058,11 @@ static void nm_strongswan_plugin_dispose(GObject *obj)
 
 	plugin = NM_STRONGSWAN_PLUGIN(obj);
 	priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
-	delete_interface(priv);
-	free(priv->name);
+	if (priv->tun)
+	{
+		priv->tun->destroy(priv->tun);
+		priv->tun = NULL;
+	}
 	G_OBJECT_CLASS (nm_strongswan_plugin_parent_class)->dispose (obj);
 }
 

src/charon-svc/charon-svc.c

@@ -81,7 +81,7 @@ static void print_version()
 	if (GetVersionEx((LPOSVERSIONINFO)&osvie))
 	{
 		DBG1(DBG_DMN, "Starting IKE service %s (strongSwan %s, "
-			 "Windows %s %d.%d.%d (SP %d.%d))", SERVICE_NAME, VERSION,
+			 "Windows %s %d.%d.%d (SP %d.%d)", SERVICE_NAME, VERSION,
 			 osvie.wProductType == VER_NT_WORKSTATION ? "Client" : "Server",
 			 osvie.dwMajorVersion, osvie.dwMinorVersion, osvie.dwBuildNumber,
 			 osvie.wServicePackMajor, osvie.wServicePackMinor);

src/charon-systemd/charon-systemd.c

@@ -368,9 +368,6 @@ int main(int argc, char *argv[])
 
 	charon->load_loggers(charon);
 
-	DBG1(DBG_DMN, "Starting charon-systemd IKE daemon (strongSwan "VERSION", "
-		 "%s %s, %s)", utsname.sysname, utsname.release, utsname.machine);
-
 	if (!charon->initialize(charon,
 			lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns)))
 	{

src/charon-tkm/src/charon-tkm.c

@@ -37,7 +37,7 @@
 
 #include "tkm.h"
 #include "tkm_nonceg.h"
-#include "tkm_key_exchange.h"
+#include "tkm_diffie_hellman.h"
 #include "tkm_keymat.h"
 #include "tkm_listener.h"
 #include "tkm_kernel_ipsec.h"
@@ -318,9 +318,9 @@ int main(int argc, char *argv[])
 	lib->plugins->add_static_features(lib->plugins, "tkm-backend", features,
 			countof(features), TRUE, NULL, NULL);
 
-	if (!register_ke_mapping())
+	if (!register_dh_mapping())
 	{
-		DBG1(DBG_DMN, "no KE group mapping defined - aborting %s", dmn_name);
+		DBG1(DBG_DMN, "no DH group mapping defined - aborting %s", dmn_name);
 		goto deinit;
 	}
 
@@ -410,7 +410,7 @@ int main(int argc, char *argv[])
 	lib->encoding->remove_encoder(lib->encoding, tkm_encoder_encode);
 
 deinit:
-	destroy_ke_mapping();
+	destroy_dh_mapping();
 	destroy_ca_mapping();
 	libcharon_deinit();
 	tkm_deinit();

src/charon-tkm/src/ees/ees_callbacks.c

@@ -25,9 +25,7 @@
 
 void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
 {
-	kernel_acquire_data_t data = {
-		.cpu = CPU_ID_MAX,
-	};
+	kernel_acquire_data_t data = {};
 
 	DBG1(DBG_KNL, "ees: acquire received for reqid %u", sp_id);
 	charon->kernel->acquire(charon->kernel, sp_id, &data);

src/charon-tkm/src/tkm/tkm.c

@@ -83,10 +83,9 @@ bool tkm_init()
 	}
 
 	/* get limits from tkm */
-	if (ike_tkm_limits(&max_requests, &limits[TKM_CTX_NONCE], &limits[TKM_CTX_KE],
+	if (ike_tkm_limits(&max_requests, &limits[TKM_CTX_NONCE], &limits[TKM_CTX_DH],
 					   &limits[TKM_CTX_CC], &limits[TKM_CTX_AE],
-					   &limits[TKM_CTX_ISA], &limits[TKM_CTX_ESA],
-					   &limits[TKM_CTX_BLOB]) != TKM_OK)
+					   &limits[TKM_CTX_ISA], &limits[TKM_CTX_ESA]) != TKM_OK)
 	{
 		ees_server_finalize();
 		tkmlib_final();

src/charon-tkm/src/tkm/tkm_diffie_hellman.c

@@ -20,110 +20,87 @@
 
 #include "tkm.h"
 #include "tkm_utils.h"
-#include "tkm_key_exchange.h"
+#include "tkm_diffie_hellman.h"
 
 #include <daemon.h>
 #include <collections/hashtable.h>
 
-typedef struct private_tkm_key_exchange_t private_tkm_key_exchange_t;
+typedef struct private_tkm_diffie_hellman_t private_tkm_diffie_hellman_t;
 
-static hashtable_t *method_map = NULL;
+static hashtable_t *group_map = NULL;
 
 /**
- * Private data of a tkm_key_exchange_t object.
+ * Private data of a tkm_diffie_hellman_t object.
  */
-struct private_tkm_key_exchange_t {
+struct private_tkm_diffie_hellman_t {
 
 	/**
-	 * Public tkm_key_exchange_t interface.
+	 * Public tkm_diffie_hellman_t interface.
 	 */
-	tkm_key_exchange_t public;
+	tkm_diffie_hellman_t public;
 
 	/**
-	 * Key exchange method identifier.
+	 * Diffie-Hellman group number.
 	 */
-	key_exchange_method_t method;
+	key_exchange_method_t group;
 
 	/**
-	 * Key exchange algorithm ID corresponding to method.
+	 * Diffie-Hellman public value.
 	 */
-	uint64_t kea_id;
+	dh_pubvalue_type pubvalue;
 
 	/**
 	 * Context id.
 	 */
-	ke_id_type context_id;
+	dh_id_type context_id;
 
 };
 
 METHOD(key_exchange_t, get_public_key, bool,
-	private_tkm_key_exchange_t *this, chunk_t *value)
+	private_tkm_diffie_hellman_t *this, chunk_t *value)
 {
-	blob_id_type pubvalue_id;
-	blob_length_type pubvalue_length;
-	bool ret = FALSE;
-
-	pubvalue_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_BLOB);
-	if (pubvalue_id)
-	{
-		ret = ike_ke_get(this->context_id, this->kea_id, pubvalue_id,
-						 &pubvalue_length) == TKM_OK &&
-			  blob_to_chunk(pubvalue_id, pubvalue_length, value);
-
-		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_BLOB, pubvalue_id);
-	}
-	return ret;
+	sequence_to_chunk(this->pubvalue.data, this->pubvalue.size, value);
+	return TRUE;
 }
 
 METHOD(key_exchange_t, get_shared_secret, bool,
-	private_tkm_key_exchange_t *this, chunk_t *secret)
+	private_tkm_diffie_hellman_t *this, chunk_t *secret)
 {
 	*secret = chunk_empty;
 	return TRUE;
 }
 
+
 METHOD(key_exchange_t, set_public_key, bool,
-	private_tkm_key_exchange_t *this, chunk_t value)
+	private_tkm_diffie_hellman_t *this, chunk_t value)
 {
-	blob_id_type pubvalue_id;
-	bool ret = FALSE;
+	dh_pubvalue_type othervalue;
+	othervalue.size = value.len;
+	memcpy(&othervalue.data, value.ptr, value.len);
 
-	if (!key_exchange_verify_pubkey(this->method, value))
-	{
-		return FALSE;
-	}
-
-	pubvalue_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_BLOB);
-	if (pubvalue_id)
-	{
-		ret = chunk_to_blob(pubvalue_id, &value) &&
-		      ike_ke_set(this->context_id, this->kea_id, pubvalue_id) == TKM_OK;
-
-		tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_BLOB, pubvalue_id);
-	}
-	return ret;
+	return ike_dh_generate_key(this->context_id, othervalue) == TKM_OK;
 }
 
 METHOD(key_exchange_t, get_method, key_exchange_method_t,
-	private_tkm_key_exchange_t *this)
+	private_tkm_diffie_hellman_t *this)
 {
-	return this->method;
+	return this->group;
 }
 
 METHOD(key_exchange_t, destroy, void,
-	private_tkm_key_exchange_t *this)
+	private_tkm_diffie_hellman_t *this)
 {
-	if (ike_ke_reset(this->context_id) != TKM_OK)
+	if (ike_dh_reset(this->context_id) != TKM_OK)
 	{
-		DBG1(DBG_LIB, "failed to reset KE context %d", this->context_id);
+		DBG1(DBG_LIB, "failed to reset DH context %d", this->context_id);
 	}
 
-	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_KE, this->context_id);
+	tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_DH, this->context_id);
 	free(this);
 }
 
-METHOD(tkm_key_exchange_t, get_id, ke_id_type,
-	private_tkm_key_exchange_t *this)
+METHOD(tkm_diffie_hellman_t, get_id, dh_id_type,
+	private_tkm_diffie_hellman_t *this)
 {
 	return this->context_id;
 }
@@ -142,7 +119,7 @@ static bool equals(void *key, void *other_key)
 /*
  * Described in header.
  */
-int register_ke_mapping()
+int register_dh_mapping()
 {
 	int count, i;
 	char *iana_id_str, *tkm_id_str;
@@ -155,7 +132,7 @@ int register_ke_mapping()
 						   (hashtable_equals_t)equals, 16);
 
 	enumerator = lib->settings->create_key_value_enumerator(lib->settings,
-															"%s.ke_mapping",
+															"%s.dh_mapping",
 															lib->ns);
 
 	while (enumerator->enumerate(enumerator, &iana_id_str, &tkm_id_str))
@@ -171,7 +148,7 @@ int register_ke_mapping()
 
 	count = map->get_count(map);
 	plugin_feature_t f[count + 1];
-	f[0] = PLUGIN_REGISTER(KE, tkm_key_exchange_create);
+	f[0] = PLUGIN_REGISTER(KE, tkm_diffie_hellman_create);
 
 	i = 1;
 	enumerator = map->create_enumerator(map);
@@ -182,12 +159,12 @@ int register_ke_mapping()
 	}
 	enumerator->destroy(enumerator);
 
-	lib->plugins->add_static_features(lib->plugins, "tkm-ke", f, countof(f),
+	lib->plugins->add_static_features(lib->plugins, "tkm-dh", f, countof(f),
 									  TRUE, NULL, NULL);
 
 	if (count > 0)
 	{
-		method_map = map;
+		group_map = map;
 	}
 	else
 	{
@@ -200,33 +177,32 @@ int register_ke_mapping()
 /*
  * Described in header.
  */
-void destroy_ke_mapping()
+void destroy_dh_mapping()
 {
 	enumerator_t *enumerator;
 	char *key, *value;
 
-	if (method_map)
+	if (group_map)
 	{
-		enumerator = method_map->create_enumerator(method_map);
+		enumerator = group_map->create_enumerator(group_map);
 		while (enumerator->enumerate(enumerator, &key, &value))
 		{
 			free(key);
 			free(value);
 		}
 		enumerator->destroy(enumerator);
-		method_map->destroy(method_map);
-		method_map = NULL;
+		group_map->destroy(group_map);
 	}
 }
 
 /*
  * Described in header.
  */
-tkm_key_exchange_t *tkm_key_exchange_create(key_exchange_method_t method)
+tkm_diffie_hellman_t *tkm_diffie_hellman_create(key_exchange_method_t group)
 {
-	private_tkm_key_exchange_t *this;
+	private_tkm_diffie_hellman_t *this;
 
-	if (!method_map)
+	if (!group_map)
 	{
 		return NULL;
 	}
@@ -242,8 +218,8 @@ tkm_key_exchange_t *tkm_key_exchange_create(key_exchange_method_t method)
 			},
 			.get_id = _get_id,
 		},
-		.method = method,
-		.context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_KE),
+		.group = group,
+		.context_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_DH),
 	);
 
 	if (!this->context_id)
@@ -252,14 +228,18 @@ tkm_key_exchange_t *tkm_key_exchange_create(key_exchange_method_t method)
 		return NULL;
 	}
 
-	uint64_t *kea_id_ptr = method_map->get(method_map, &method);
-	if (!kea_id_ptr)
+	uint64_t *dha_id = group_map->get(group_map, &group);
+	if (!dha_id)
 	{
 		free(this);
 		return NULL;
 	}
 
-	this->kea_id = *kea_id_ptr;
+	if (ike_dh_create(this->context_id, *dha_id, &this->pubvalue) != TKM_OK)
+	{
+		free(this);
+		return NULL;
+	}
 
 	return &this->public;
 }