.github/workflows/sonarcloud.yml

@@ -33,6 +33,7 @@ jobs:
         with:
           path: |
             ~/.cache/ccache
+            ~/.sonar-cache
           key: ccache-sonarcloud-${{ github.sha }}
           restore-keys: |
             ccache-sonarcloud-
@@ -40,17 +41,24 @@ jobs:
           sudo apt-get install -qq ccache
           echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
           ccache -z
-      - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v4
-      - run: |
-          echo "BUILD_WRAPPER_OUT_DIR=$HOME/bw-output" >> $GITHUB_ENV
-      - uses: ./.github/actions/default
-      - uses: SonarSource/sonarqube-scan-action@v4
+      # using SonarSource/sonarcloud-github-action is currently not recommended
+      # for C builds, so we follow the "any CI" instructions
+      - name: Install sonar-scanner
         env:
+          SONAR_SCANNER_VERSION: 5.0.1.3006
+        run: |
+          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
+          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
+          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+          echo "SONAR_SCANNER_OPTS=-server" >> $GITHUB_ENV
+          curl --create-dirs -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
+          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
+          echo "PATH=$HOME/.sonar/build-wrapper-linux-x86:$SONAR_SCANNER_HOME/bin:$PATH" >> $GITHUB_ENV
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILD_NUMBER: ${{ github.run_id }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        with:
-          args: >
-            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT }}
-            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
-            -Dsonar.cfamily.threads=2
-            -Dsonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json
+          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
+          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
+        uses: ./.github/actions/default
       - run: ccache -s

scripts/test.sh

@@ -37,7 +37,7 @@ build_botan()
 
 build_wolfssl()
 {
-	WOLFSSL_REV=v5.8.2-stable
+	WOLFSSL_REV=v5.8.0-stable
 	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
 
 	if test -d "$WOLFSSL_DIR"; then
@@ -273,6 +273,13 @@ printf-builtin)
 	fi
 	;;
 all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
+	if [ "$TEST" = "sonarcloud" ]; then
+		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
+			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
+				 "environment variables are required to run this test"
+			exit 1
+		fi
+	fi
 	if [ "$TEST" = "codeql" ]; then
 		# don't run tests, only analyze built code
 		TARGET=
@@ -545,7 +552,7 @@ case "$TEST" in
 sonarcloud)
 	# without target, coverage is currently not supported anyway because
 	# sonarqube only supports gcov, not lcov
-	build-wrapper-linux-x86-64 --out-dir $BUILD_WRAPPER_OUT_DIR make -j$(nproc) || exit $?
+	build-wrapper-linux-x86-64 --out-dir bw-output make -j$(nproc) || exit $?
 	;;
 *)
 	make -j$(nproc) $TARGET || exit $?
@@ -560,6 +567,20 @@ apidoc)
 	fi
 	rm make.warnings
 	;;
+sonarcloud)
+	sonar-scanner \
+		-Dsonar.host.url=https://sonarcloud.io \
+		-Dsonar.projectKey=${SONAR_PROJECT} \
+		-Dsonar.organization=${SONAR_ORGANIZATION} \
+		-Dsonar.token=${SONAR_TOKEN} \
+		-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
+		-Dsonar.sources=. \
+		-Dsonar.cfamily.threads=2 \
+		-Dsonar.cfamily.analysisCache.mode=fs \
+		-Dsonar.cfamily.analysisCache.path=$HOME/.sonar-cache \
+		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
+	rm -r bw-output .scannerwork
+	;;
 android)
 	rm -r strongswan-*
 	cd $SRC_DIR/src/frontends/android

sonar-project.properties

@@ -1,5 +1,3 @@
-sonar.sources=.
-
 # exclude these files completely
 sonar.exclusions=\
 	src/manager/templates/static/jquery.js, \

src/frontends/gnome/NEWS

@@ -1,9 +1,3 @@
-NetworkManager-strongswan-1.6.3
--------------------------------
-
-- Fix configure/linker issue when not using GNU libtool
-- Update URL in metainfo
-
 NetworkManager-strongswan-1.6.2
 -------------------------------
 

src/frontends/gnome/configure.ac

@@ -1,6 +1,6 @@
 AC_PREREQ([2.69])
 
-AC_INIT([NetworkManager-strongswan],[1.6.3],[info@strongswan.org],[NetworkManager-strongswan])
+AC_INIT([NetworkManager-strongswan],[1.6.2],[info@strongswan.org],[NetworkManager-strongswan])
 AM_INIT_AUTOMAKE([subdir-objects])
 AM_MAINTAINER_MODE
 

src/libcharon/plugins/certexpire/certexpire_export.c

@@ -106,7 +106,7 @@ struct private_certexpire_export_t {
  */
 typedef struct {
 	/** certificate subject as subjectAltName or CN of a DN */
-	char id[256];
+	char id[128];
 	/** list of expiration dates, 0 if no certificate */
 	time_t expire[MAX_TRUSTCHAIN_LENGTH];
 } entry_t;

src/libcharon/plugins/whitelist/whitelist_control.c

@@ -92,51 +92,19 @@ static void list(private_whitelist_control_t *this,
 	stream->write_all(stream, &msg, sizeof(msg));
 }
 
-/**
- * Information about a client connection.
- */
-typedef struct {
-	private_whitelist_control_t *this;
-	whitelist_msg_t msg;
-	size_t read;
-} whitelist_conn_t;
-
 /**
  * Dispatch a received message
  */
-CALLBACK(on_read, bool,
-	whitelist_conn_t *conn, stream_t *stream)
+static bool on_accept(private_whitelist_control_t *this, stream_t *stream)
 {
-	private_whitelist_control_t *this = conn->this;
 	identification_t *id;
-	ssize_t len;
+	whitelist_msg_t msg;
 
-	while (TRUE)
+	while (stream->read_all(stream, &msg, sizeof(msg)))
 	{
-		while (conn->read < sizeof(conn->msg))
-		{
-			len = stream->read(stream, (char*)&conn->msg + conn->read,
-							   sizeof(conn->msg) - conn->read, FALSE);
-			if (len <= 0)
-			{
-				if (errno == EWOULDBLOCK)
-				{
-					return TRUE;
-				}
-				if (len != 0)
-				{
-					DBG1(DBG_CFG, "whitelist socket error: %s", strerror(errno));
-				}
-				stream->destroy(stream);
-				free(conn);
-				return FALSE;
-			}
-			conn->read += len;
-		}
-
-		conn->msg.id[sizeof(conn->msg.id) - 1] = 0;
-		id = identification_create_from_string(conn->msg.id);
-		switch (ntohl(conn->msg.type))
+		msg.id[sizeof(msg.id) - 1] = 0;
+		id = identification_create_from_string(msg.id);
+		switch (ntohl(msg.type))
 		{
 			case WHITELIST_ADD:
 				this->listener->add(this->listener, id);
@@ -161,22 +129,9 @@ CALLBACK(on_read, bool,
 				break;
 		}
 		id->destroy(id);
-		conn->read = 0;
 	}
 
-	return TRUE;
-}
-
-CALLBACK(on_accept, bool,
-	private_whitelist_control_t *this, stream_t *stream)
-{
-	whitelist_conn_t *conn;
-
-	INIT(conn,
-		.this = this,
-	);
-	stream->on_read(stream, on_read, conn);
-	return TRUE;
+	return FALSE;
 }
 
 METHOD(whitelist_control_t, destroy, void,

src/libcharon/plugins/whitelist/whitelist_msg.h

@@ -53,7 +53,7 @@ struct whitelist_msg_t {
 	/** message type */
 	int type;
 	/** null terminated identity */
-	char id[256];
+	char id[128];
 } __attribute__((packed));
 
 #endif /** WHITELIST_MSG_H_ @}*/

src/libstrongswan/plugins/ml/Makefile.am

@@ -17,5 +17,3 @@ libstrongswan_ml_la_SOURCES = \
 	ml_plugin.h ml_plugin.c \
 	ml_poly.c ml_poly.h \
 	ml_utils.c ml_utils.h
-
-libstrongswan_ml_la_LDFLAGS = -module -avoid-version

src/libstrongswan/plugins/wolfssl/wolfssl_x_diffie_hellman.c

@@ -84,11 +84,6 @@ struct private_diffie_hellman_t {
 	 * Shared secret
 	 */
 	chunk_t shared_secret;
-
-	/**
-	 * RNG used for key generation and blinding with curve25519
-	 */
-	WC_RNG rng;
 };
 
 #ifdef HAVE_CURVE25519
@@ -294,7 +289,6 @@ METHOD(key_exchange_t, destroy, void,
 #endif
 	}
 	chunk_clear(&this->shared_secret);
-	wc_FreeRng(&this->rng);
 	free(this);
 }
 
@@ -304,6 +298,7 @@ METHOD(key_exchange_t, destroy, void,
 key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 {
 	private_diffie_hellman_t *this;
+	WC_RNG rng;
 	int ret = -1;
 
 	INIT(this,
@@ -314,7 +309,7 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 		.group = group,
 	);
 
-	if (wc_InitRng(&this->rng) != 0)
+	if (wc_InitRng(&rng) != 0)
 	{
 		DBG1(DBG_LIB, "initializing a random number generator failed");
 		destroy(this);
@@ -330,6 +325,7 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 #ifdef TESTABLE_KE
 		this->public.set_seed = _set_seed_25519;
 #endif
+
 		if (wc_curve25519_init(&this->key.key25519) != 0 ||
 			wc_curve25519_init(&this->pub.key25519) != 0)
 		{
@@ -337,7 +333,7 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 			destroy(this);
 			return NULL;
 		}
-		ret = wc_curve25519_make_key(&this->rng, CURVE25519_KEYSIZE,
+		ret = wc_curve25519_make_key(&rng, CURVE25519_KEYSIZE,
 									 &this->key.key25519);
 #endif
 	}
@@ -358,14 +354,13 @@ key_exchange_t *wolfssl_x_diffie_hellman_create(key_exchange_method_t group)
 			destroy(this);
 			return NULL;
 		}
-		ret = wc_curve448_make_key(&this->rng, CURVE448_KEY_SIZE,
-								   &this->key.key448);
+		ret = wc_curve448_make_key(&rng, CURVE448_KEY_SIZE, &this->key.key448);
 #endif
 	}
+	wc_FreeRng(&rng);
 	if (ret != 0)
 	{
-		DBG1(DBG_LIB, "making %N key failed", key_exchange_method_names,
-			 this->group);
+		DBG1(DBG_LIB, "making a key failed");
 		destroy(this);
 		return NULL;
 	}

testing/scripts/recipes/012_wolfssl.mk

@@ -2,7 +2,7 @@
 
 PKG = wolfssl
 SRC = https://github.com/wolfSSL/$(PKG).git
-REV = v5.8.2-stable
+REV = v5.8.0-stable
 
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)