diff -Nru strongswan-5.9.8/Android.common.mk strongswan-5.9.11/Android.common.mk
--- strongswan-5.9.8/Android.common.mk 2022-10-03 14:18:23.000000000 +0000
+++ strongswan-5.9.11/Android.common.mk 2023-06-12 05:51:00.000000000 +0000
@@ -26,5 +26,5 @@ ) # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.9.8"
+strongswan_VERSION := "5.9.11"
diff -Nru strongswan-5.9.8/Android.mk strongswan-5.9.11/Android.mk
--- strongswan-5.9.8/Android.mk 2022-09-06 19:15:43.000000000 +0000
+++ strongswan-5.9.11/Android.mk 2023-03-27 21:00:49.000000000 +0000
@@ -17,11 +17,8 @@ pkcs1 pkcs8 pem xcbc hmac kdf kernel-netlink socket-default android-dns \ stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
-strongswan_STARTER_PLUGINS := kernel-netlink - # list of all plugins - used to enable them with the function below
-strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS) \
- $(strongswan_STARTER_PLUGINS))
+strongswan_PLUGINS := $(sort $(strongswan_CHARON_PLUGINS)) include $(LOCAL_PATH)/Android.common.mk
diff -Nru strongswan-5.9.8/compile strongswan-5.9.11/compile
--- strongswan-5.9.8/compile 2020-09-13 17:49:57.000000000 +0000
+++ strongswan-5.9.11/compile 2023-03-27 21:06:21.000000000 +0000
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1999-2018 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify
@@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;;
- CYGWIN*)
+ CYGWIN* | MSYS*) file_conv=cygwin ;; *)
@@ -67,7 +67,7 @@ mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;;
- cygwin/*)
+ cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*)
diff -Nru strongswan-5.9.8/conf/Makefile.in strongswan-5.9.11/conf/Makefile.in
--- strongswan-5.9.8/conf/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/conf/Makefile.in 2023-06-12 05:50:37.000000000 +0000
@@ -386,7 +386,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/conf/options/charon.conf strongswan-5.9.11/conf/options/charon.conf --- strongswan-5.9.8/conf/options/charon.conf 2022-09-07 04:40:10.000000000 +0000 +++ strongswan-5.9.11/conf/options/charon.conf 2023-03-27 21:07:50.000000000 +0000 @@ -14,8 +14,8 @@ # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP # should be saved under a unique file name derived from the public key of - # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or - # /etc/swanctl/x509crl (vici), respectively. + # the Certification Authority (CA) to ${sysconfdir}/ipsec.d/crls (stroke) or + # ${sysconfdir}/swanctl/x509crl (vici), respectively. # cache_crls = no # Whether relations in validated certificate chains should be cached in @@ -225,6 +225,9 @@ # Size of the AH/ESP replay window, in packets. # replay_window = 32 + # Value of the first reqid to be automatically assigned to a CHILD_SA. + # reqid_base = 1 + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION # in strongswan.conf(5). # retransmit_base = 1.8 @@ -245,7 +248,7 @@ # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if # DNS resolution failed), 0 to disable retries. - # retry_initiate_interval = 0 + # retry_initiate_interval = 0s # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). # reuse_ikesa = yes diff -Nru strongswan-5.9.8/conf/options/charon-nm.conf strongswan-5.9.11/conf/options/charon-nm.conf --- strongswan-5.9.8/conf/options/charon-nm.conf 2020-09-13 18:16:06.000000000 +0000 +++ strongswan-5.9.11/conf/options/charon-nm.conf 2023-03-27 21:07:50.000000000 +0000 
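Review bot: The new `reqid_base` comment in charon.conf (@@ -225,6 +225,9) gives no lower bound, yet a reqid of 0 is presumably the "not assigned" value in the kernel interface, so a user who sets `reqid_base = 0` would start allocating the reserved value unless the daemon already rejects it, which this hunk cannot show. Since the option exists to control where automatic assignment starts, the comment should also say why one would raise it, namely so automatically assigned reqids cannot collide with reqids configured statically on other CHILD_SAs — that is the reading I infer from the one-line description, so confirm it. Once the lower bound is confirmed, something like `# Value of the first reqid to be automatically assigned to a CHILD_SA (must be greater than 0; raise it to keep automatic reqids clear of statically configured ones).` The same one-line text appears in charon.opt (@@ -375,6 +375,9) and strongswan.conf.5.main (@@ -1977,6 +2020,10).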
@@ -4,5 +4,8 @@ # configured. # ca_dir = + # MTU for XFRM interfaces created by the NM plugin. + # mtu = 1400 + } diff -Nru strongswan-5.9.8/conf/options/charon-nm.opt strongswan-5.9.11/conf/options/charon-nm.opt --- strongswan-5.9.8/conf/options/charon-nm.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/options/charon-nm.opt 2023-03-27 21:00:49.000000000 +0000 @@ -1,3 +1,6 @@ charon-nm.ca_dir = Directory from which to load CA certificates if no certificate is configured. + +charon-nm.mtu = 1400 + MTU for XFRM interfaces created by the NM plugin. diff -Nru strongswan-5.9.8/conf/options/charon.opt strongswan-5.9.11/conf/options/charon.opt --- strongswan-5.9.8/conf/options/charon.opt 2022-09-06 19:16:34.000000000 +0000 +++ strongswan-5.9.11/conf/options/charon.opt 2023-03-27 21:00:49.000000000 +0000 @@ -38,8 +38,8 @@ charon.cache_crls = no Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the - Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or - **/etc/swanctl/x509crl** (vici), respectively. + Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or + **${sysconfdir}/swanctl/x509crl** (vici), respectively. charon.check_current_path = no Whether to use DPD to check if the current path still works after any @@ -375,6 +375,9 @@ charon.replay_window = 32 Size of the AH/ESP replay window, in packets. +charon.reqid_base = 1 + Value of the first reqid to be automatically assigned to a CHILD_SA. + charon.retransmit_base = 1.8 Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in **strongswan.conf**(5). 
@@ -392,7 +395,7 @@ charon.retransmit_limit = 0 Upper limit in seconds for calculated retransmission timeout (0 to disable). -charon.retry_initiate_interval = 0 +charon.retry_initiate_interval = 0s Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries. diff -Nru strongswan-5.9.8/conf/plugins/curl.conf strongswan-5.9.11/conf/plugins/curl.conf --- strongswan-5.9.8/conf/plugins/curl.conf 2022-08-24 07:33:51.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/curl.conf 2023-06-03 04:50:30.000000000 +0000 @@ -8,5 +8,8 @@ # following redirects, set to -1 for no limit. # redir = -1 + # The SSL/TLS backend to configure in curl if multiple are available. + # tls_backend = + } diff -Nru strongswan-5.9.8/conf/plugins/curl.opt strongswan-5.9.11/conf/plugins/curl.opt --- strongswan-5.9.8/conf/plugins/curl.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/curl.opt 2023-03-27 21:00:49.000000000 +0000 @@ -1,3 +1,11 @@ charon.plugins.curl.redir = -1 Maximum number of redirects followed by the plugin, set to 0 to disable following redirects, set to -1 for no limit. + +charon.plugins.curl.tls_backend = + The SSL/TLS backend to configure in curl if multiple are available. + + The SSL/TLS backend to configure in curl if multiple are available (requires + libcurl 7.56 or newer). A list of available options is logged on level 2 if + nothing is configured. Similar but on level 1 if the selected backend isn't + available. diff -Nru strongswan-5.9.8/conf/plugins/eap-peap.conf strongswan-5.9.11/conf/plugins/eap-peap.conf --- strongswan-5.9.8/conf/plugins/eap-peap.conf 2022-08-24 07:33:51.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/eap-peap.conf 2023-06-03 04:50:30.000000000 +0000 
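Review bot: The long description for `charon.plugins.curl.tls_backend` in curl.opt says an unavailable backend is logged on level 1 but not what the plugin then does — whether it continues with whatever backend libcurl selects or refuses to load. For an operator who pins a backend for policy reasons (a specific TLS library for CRL/OCSP fetching, for example), a silent fallback is exactly the case that matters, so the sentence should name the behavior: `If the selected backend isn't available this is logged on level 1 and <fallback-or-failure — confirm from plugin code>.` It would also help to say what happens on libcurl older than 7.56 (presumably the option is ignored) rather than only listing the requirement in parentheses. The first sentence of the long description duplicates the short one and can be dropped.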
@@ -17,7 +17,7 @@ # phase2_method = mschapv2 # Phase2 EAP Identity request piggybacked by server onto TLS Finished - # message. + # message, relevant only if TLS 1.2 or earlier is negotiated. # phase2_piggyback = no # Start phase2 EAP TNC protocol after successful client authentication. diff -Nru strongswan-5.9.8/conf/plugins/eap-peap.opt strongswan-5.9.11/conf/plugins/eap-peap.opt --- strongswan-5.9.8/conf/plugins/eap-peap.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/eap-peap.opt 2023-03-27 21:00:49.000000000 +0000 @@ -11,7 +11,8 @@ Phase2 EAP client authentication method. charon.plugins.eap-peap.phase2_piggyback = no - Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + Phase2 EAP Identity request piggybacked by server onto TLS Finished message, + relevant only if TLS 1.2 or earlier is negotiated. charon.plugins.eap-peap.phase2_tnc = no Start phase2 EAP TNC protocol after successful client authentication. diff -Nru strongswan-5.9.8/conf/plugins/eap-radius.conf strongswan-5.9.11/conf/plugins/eap-radius.conf --- strongswan-5.9.8/conf/plugins/eap-radius.conf 2022-08-24 07:33:51.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/eap-radius.conf 2023-06-03 04:50:30.000000000 +0000 @@ -9,7 +9,7 @@ # Interval in seconds for interim RADIUS accounting updates, if not # specified by the RADIUS server in the Access-Accept message. - # accounting_interval = 0 + # accounting_interval = 0s # If enabled, accounting is disabled unless an IKE_SA has at least one # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. diff -Nru strongswan-5.9.8/conf/plugins/eap-radius.opt strongswan-5.9.11/conf/plugins/eap-radius.opt --- strongswan-5.9.8/conf/plugins/eap-radius.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/eap-radius.opt 2023-03-27 21:00:49.000000000 +0000 
@@ -5,7 +5,7 @@ Close the IKE_SA if there is a timeout during interim RADIUS accounting updates. -charon.plugins.eap-radius.accounting_interval = 0 +charon.plugins.eap-radius.accounting_interval = 0s Interval in seconds for interim RADIUS accounting updates, if not specified by the RADIUS server in the Access-Accept message. diff -Nru strongswan-5.9.8/conf/plugins/kernel-libipsec.conf strongswan-5.9.11/conf/plugins/kernel-libipsec.conf --- strongswan-5.9.8/conf/plugins/kernel-libipsec.conf 2022-08-24 07:33:52.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/kernel-libipsec.conf 2023-06-08 11:32:52.000000000 +0000 @@ -3,9 +3,16 @@ # Allow that the remote traffic selector equals the IKE peer. # allow_peer_ts = no + # Firewall mark to set on outbound raw ESP packets. + # fwmark = charon.plugins.socket-default.fwmark + # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes + # Whether to send and receive ESP packets without UDP encapsulation if + # supported on this platform and no NAT is detected. + # raw_esp = no + } diff -Nru strongswan-5.9.8/conf/plugins/kernel-libipsec.opt strongswan-5.9.11/conf/plugins/kernel-libipsec.opt --- strongswan-5.9.8/conf/plugins/kernel-libipsec.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/kernel-libipsec.opt 2023-06-08 10:35:17.000000000 +0000 
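Review bot: The `raw_esp` comment added to kernel-libipsec.conf lists the conditions under which raw ESP is used but not what happens when the option is enabled and a condition fails at runtime — whether the plugin falls back to UDP encapsulation or the CHILD_SA fails to install. It also does not mention that sending and receiving ESP on a raw socket presumably needs a privilege the daemon may have dropped (CAP_NET_RAW on Linux), which matters for deployments running charon with reduced capabilities; confirm and document. The `fwmark` entry just above it would likewise benefit from saying why a mark is needed: the plugin text already in kernel-libipsec.opt explains that the routes installed for the TUN device capture the plugin's own traffic, and the mark is presumably how outbound raw ESP escapes them. Suggest `# Whether to send and receive ESP packets without UDP encapsulation if supported on this platform and no NAT is detected (<fallback behavior — confirm>; requires raw-socket privileges).`; kernel-libipsec.opt (@@ -5,3 +5,10) carries the same text and needs the same addition.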
@@ -5,3 +5,10 @@ installed for such traffic (via TUN device) usually prevents further IKE traffic. The fwmark options for the _kernel-netlink_ and _socket-default_ plugins can be used to circumvent that problem. + +charon.plugins.kernel-libipsec.fwmark = charon.plugins.socket-default.fwmark + Firewall mark to set on outbound raw ESP packets. + +charon.plugins.kernel-libipsec.raw_esp = no + Whether to send and receive ESP packets without UDP encapsulation if + supported on this platform and no NAT is detected. diff -Nru strongswan-5.9.8/conf/plugins/kernel-netlink.conf strongswan-5.9.11/conf/plugins/kernel-netlink.conf --- strongswan-5.9.8/conf/plugins/kernel-netlink.conf 2022-08-24 07:33:52.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/kernel-netlink.conf 2023-06-03 04:50:31.000000000 +0000 @@ -16,6 +16,9 @@ # Whether to ignore errors potentially resulting from a retransmission. # ignore_retransmit_errors = no + # Whether to install routes for SAs that reference XFRM interfaces. + # install_routes_xfrmi = no + # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes diff -Nru strongswan-5.9.8/conf/plugins/kernel-netlink.opt strongswan-5.9.11/conf/plugins/kernel-netlink.opt --- strongswan-5.9.8/conf/plugins/kernel-netlink.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/kernel-netlink.opt 2023-03-27 21:00:49.000000000 +0000 
@@ -28,6 +28,16 @@ cannot be used to obtain the appropriate feature flag, this option can be used to specify an alternative interface for offload feature detection. +charon.plugins.kernel-netlink.install_routes_xfrmi = no + Whether to install routes for SAs that reference XFRM interfaces. + + Whether routes via XFRM interfaces are automatically installed for SAs that + reference such an interface via _if_id_out_. If the traffic selectors + include the IKE traffic to the peer, this requires special care (e.g. + installing bypass policies and/or routes, or setting a mark on the IKE + socket and excluding such packets from the configured routing table via + _fwmark_ option). + charon.plugins.kernel-netlink.mss = 0 MSS to set on installed routes, 0 to disable. diff -Nru strongswan-5.9.8/conf/plugins/resolve.conf strongswan-5.9.11/conf/plugins/resolve.conf --- strongswan-5.9.8/conf/plugins/resolve.conf 2022-08-24 07:33:52.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/resolve.conf 2023-06-03 04:50:31.000000000 +0000 @@ -1,6 +1,6 @@ resolve { - # File where to add DNS server entries. + # File where to add DNS server entries if not using resolvconf(8). # file = /etc/resolv.conf # Whether to load the plugin. Can also be an integer to increase the @@ -9,8 +9,11 @@ resolvconf { - # Prefix used for interface names sent to resolvconf(8). - # iface_prefix = lo.inet.ipsec. + # Interface name/protocol sent to resolvconf(8). + # iface = lo.ipsec + + # Path/command for resolvconf(8). + # path = /sbin/resolvconf } diff -Nru strongswan-5.9.8/conf/plugins/resolve.opt strongswan-5.9.11/conf/plugins/resolve.opt --- strongswan-5.9.8/conf/plugins/resolve.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/resolve.opt 2023-03-27 21:00:49.000000000 +0000 
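Review bot: The rename of `iface_prefix` to `iface` in the resolvconf section of resolve.conf (@@ -9,8 +9,11) is a silent breaking change for existing strongswan.conf files: a deployment that still sets `iface_prefix` will have that key ignored and the new default `lo.ipsec` used, unless the plugin keeps reading the old key, which this hunk cannot show. The semantics change as well — the removed text in resolve.opt says the nameserver address was appended to the prefix to make each entry unique, whereas the new option is a single fixed name — and nothing in the snippet tells an upgrading user either fact. Suggest `# Interface name/protocol sent to resolvconf(8) (replaces iface_prefix; the nameserver address is no longer appended).` and a corresponding sentence in resolve.opt.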
@@ -1,11 +1,20 @@ charon.plugins.resolve.file = /etc/resolv.conf - File where to add DNS server entries. + File where to add DNS server entries if not using resolvconf(8). -charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec. - Prefix used for interface names sent to resolvconf(8). +charon.plugins.resolve.resolvconf.iface = lo.ipsec + Interface name/protocol sent to resolvconf(8). - Prefix used for interface names sent to **resolvconf**(8). The nameserver - address is appended to this prefix to make it unique. The result has to be - a valid interface name according to the rules defined by resolvconf. Also, - it should have a high priority according to the order defined in - **interface-order**(5). + The interface name and protocol sent to **resolvconf**(8). This has to be a + valid interface name according to the rules defined by resolvconf. Also, it + should have a high priority according to the order defined in + **interface-order**(5) if relevant on the system. + +charon.plugins.resolve.resolvconf.path = /sbin/resolvconf + Path/command for resolvconf(8). + + Path/command for **resolvconf**(8). The command is executed by a shell, so + "resolvconf" will work if it's in $PATH of the daemon. + + If not configured, **resolvconf**(8) will be used if found at the default + location. Otherwise, the file in _charon.plugins.resolve.file_ will be + modified directly. diff -Nru strongswan-5.9.8/conf/plugins/unbound.conf strongswan-5.9.11/conf/plugins/unbound.conf --- strongswan-5.9.8/conf/plugins/unbound.conf 2022-08-24 07:33:52.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/unbound.conf 2023-06-03 04:50:31.000000000 +0000 
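Review bot: The description of `charon.plugins.resolve.resolvconf.path` states that the value is executed by a shell and that a bare `resolvconf` is resolved through the daemon's `$PATH`, but it does not draw the consequence: the value is shell-interpreted (quoting and metacharacters apply), and PATH lookup from a daemon that typically runs as root is weaker than the absolute default, so the text should recommend an absolute path and make clear the option is to be set only from the trusted configuration. The fallback sentence — if resolvconf is not found, `charon.plugins.resolve.file` is modified directly — also describes a silent behavior change when the binary goes missing, so it is worth stating whether that is logged. Suggest appending: `Use an absolute path; the value is passed to a shell verbatim, so it must not contain untrusted input.`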
@@ -11,7 +11,7 @@ # resolv_conf = /etc/resolv.conf # File to read DNSSEC trust anchors from (usually root zone KSK). - # trust_anchors = /etc/ipsec.d/dnssec.keys + # trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys } diff -Nru strongswan-5.9.8/conf/plugins/unbound.opt strongswan-5.9.11/conf/plugins/unbound.opt --- strongswan-5.9.8/conf/plugins/unbound.opt 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/plugins/unbound.opt 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ charon.plugins.unbound.resolv_conf = /etc/resolv.conf File to read DNS resolver configuration from. -charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys +charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys File to read DNSSEC trust anchors from (usually root zone KSK). File to read DNSSEC trust anchors from (usually root zone KSK). The format diff -Nru strongswan-5.9.8/conf/strongswan.conf.5.head.in strongswan-5.9.11/conf/strongswan.conf.5.head.in --- strongswan-5.9.8/conf/strongswan.conf.5.head.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/strongswan.conf.5.head.in 2023-03-27 21:00:49.000000000 +0000 
@@ -59,6 +59,27 @@ .PP Indentation is optional, you may use tabs or spaces. +.SH NUMBER FORMATS +Options that define an integer value can be specified as decimal (the default) +or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted). +Locale-dependent strings (e.g. the thousands separator of the current locale) +may also be accepted in locales other than "C". +.PP +Options that define a floating-point value can be specified as decimal (the +default) or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted). +The radix character (decimal separator) in either case is locale-dependent, +usually ".". + +.SH TIME FORMATS +Unless stated otherwise, options that define a time are specified in seconds. +The "s", "m", "h" and "d" suffixes may be used to automatically convert values +given in seconds, minutes, hours or days (for instance, instead of configuring +a rekey time of 4 hours as "14400" seconds, "4h" may be used). +.PP +There are some global options that don't accept these suffixes as they are +configured as integer values in seconds or milliseconds, or even as +floating-point numbers (e.g. the retransmission timeout). Options that accept +the suffixes have a corresponding default value. .SH REFERENCING OTHER SECTIONS It is possible to inherit settings and sections from another section. This diff -Nru strongswan-5.9.8/conf/strongswan.conf.5.main strongswan-5.9.11/conf/strongswan.conf.5.main --- strongswan-5.9.8/conf/strongswan.conf.5.main 2022-10-03 14:18:39.000000000 +0000 +++ strongswan-5.9.11/conf/strongswan.conf.5.main 2023-06-08 11:32:52.000000000 +0000 @@ -60,9 +60,9 @@ Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the Certification Authority (CA) to -.RB "" "/etc/ipsec.d/crls" "" +.RB "" "${sysconfdir}/ipsec.d/crls" "" (stroke) or -.RB "" "/etc/swanctl/x509crl" "" +.RB "" "${sysconfdir}/swanctl/x509crl" "" (vici), respectively. .TP 
@@ -596,6 +596,13 @@ following redirects, set to \-1 for no limit. .TP +.BR charon.plugins.curl.tls_backend " []" +The SSL/TLS backend to configure in curl if multiple are available (requires +libcurl 7.56 or newer). A list of available options is logged on level 2 if +nothing is configured. Similar but on level 1 if the selected backend isn't +available. + +.TP .BR charon.plugins.dhcp.force_server_address " [no]" Always use the configured server address. This might be helpful if the DHCP server runs on the same host as strongSwan, and the DHCP daemon does not listen @@ -693,7 +700,8 @@ .TP .BR charon.plugins.eap-peap.phase2_piggyback " [no]" -Phase2 EAP Identity request piggybacked by server onto TLS Finished message. +Phase2 EAP Identity request piggybacked by server onto TLS Finished message, +relevant only if TLS 1.2 or earlier is negotiated. .TP .BR charon.plugins.eap-peap.phase2_tnc " [no]" @@ -712,7 +720,7 @@ Close the IKE_SA if there is a timeout during interim RADIUS accounting updates. .TP -.BR charon.plugins.eap-radius.accounting_interval " [0]" +.BR charon.plugins.eap-radius.accounting_interval " [0s]" Interval in seconds for interim RADIUS accounting updates, if not specified by the RADIUS server in the Access\-Accept message. @@ -1067,6 +1075,15 @@ to circumvent that problem. .TP +.BR charon.plugins.kernel-libipsec.fwmark " [charon.plugins.socket-default.fwmark]" +Firewall mark to set on outbound raw ESP packets. + +.TP +.BR charon.plugins.kernel-libipsec.raw_esp " [no]" +Whether to send and receive ESP packets without UDP encapsulation if supported +on this platform and no NAT is detected. + +.TP .BR charon.plugins.kernel-netlink.buflen " []" Buffer size for received Netlink messages. 
@@ -1098,6 +1115,18 @@ Whether to ignore errors potentially resulting from a retransmission. .TP +.BR charon.plugins.kernel-netlink.install_routes_xfrmi " [no]" +Whether routes via XFRM interfaces are automatically installed for SAs that +reference such an interface via +.RI "" "if_id_out" "." +If the traffic selectors include +the IKE traffic to the peer, this requires special care (e.g. installing bypass +policies and/or routes, or setting a mark on the IKE socket and excluding such +packets from the configured routing table via +.RI "" "fwmark" "" +option). + +.TP .BR charon.plugins.kernel-netlink.mss " [0]" MSS to set on installed routes, 0 to disable. @@ -1533,18 +1562,32 @@ .TP .BR charon.plugins.resolve.file " [/etc/resolv.conf]" -File where to add DNS server entries. +File where to add DNS server entries if not using resolvconf(8). .TP -.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]" -Prefix used for interface names sent to +.BR charon.plugins.resolve.resolvconf.iface " [lo.ipsec]" +The interface name and protocol sent to .RB "" "resolvconf" "(8)." -The nameserver -address is appended to this prefix to make it unique. The result has to be a +This has to be a valid interface name according to the rules defined by resolvconf. Also, it should have a high priority according to the order defined in -.RB "" "interface\-order" "(5)." +.RB "" "interface\-order" "(5)" +if relevant on the system. + +.TP +.BR charon.plugins.resolve.resolvconf.path " [/sbin/resolvconf]" +Path/command for +.RB "" "resolvconf" "(8)." +The command is executed by a shell, so +"resolvconf" will work if it's in $PATH of the daemon. +If not configured, +.RB "" "resolvconf" "(8)" +will be used if found at the default +location. Otherwise, the file in +.RI "" "charon.plugins.resolve.file" "" +will be modified +directly. .TP .BR charon.plugins.revocation.enable_crl " [yes]" 
@@ -1833,7 +1876,7 @@ File to read DNS resolver configuration from. .TP -.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" +.BR charon.plugins.unbound.trust_anchors " [${sysconfdir}/ipsec.d/dnssec.keys]" File to read DNSSEC trust anchors from (usually root zone KSK). The format of the file is the standard DNS Zone file format, anchors can be stored as DS or DNSKEY entries in the file. @@ -1977,6 +2020,10 @@ Size of the AH/ESP replay window, in packets. .TP +.BR charon.reqid_base " [1]" +Value of the first reqid to be automatically assigned to a CHILD_SA. + +.TP .BR charon.retransmit_base " [1.8]" Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in .RB "" "strongswan.conf" "(5)." @@ -2000,7 +2047,7 @@ Number of times to retransmit a packet before giving up. .TP -.BR charon.retry_initiate_interval " [0]" +.BR charon.retry_initiate_interval " [0s]" Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries. @@ -2208,6 +2255,10 @@ Directory from which to load CA certificates if no certificate is configured. .TP +.BR charon-nm.mtu " [1400]" +MTU for XFRM interfaces created by the NM plugin. + +.TP .B charon-systemd.journal .br Section to configure native systemd journal logger, very similar to the syslog diff -Nru strongswan-5.9.8/conf/strongswan.conf.5.tail.in strongswan-5.9.11/conf/strongswan.conf.5.tail.in --- strongswan-5.9.8/conf/strongswan.conf.5.tail.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/conf/strongswan.conf.5.tail.in 2023-03-27 21:00:49.000000000 +0000 @@ -458,6 +458,7 @@ .na ${piddir} @piddir@ ${prefix} @prefix@ +${sysconfdir} @sysconfdir@ ${random_device} @random_device@ ${urandom_device} @urandom_device@ .ad 
@@ -467,18 +468,19 @@ . .nf .na -/etc/strongswan.conf configuration file -/etc/strongswan.d/ directory containing included config snippets -/etc/strongswan.d/charon/ plugin specific config snippets +@sysconfdir@/strongswan.conf configuration file +@sysconfdir@/strongswan.d/ directory containing included config snippets +@sysconfdir@/strongswan.d/charon/ plugin specific config snippets .ad .fi . .SH SEE ALSO +\fBswanctl.conf\fR(5), \fBswanctl\fR(8), \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) .SH HISTORY Written for the -.UR http://www.strongswan.org +.UR https://www.strongswan.org strongSwan project .UE by Tobias Brunner, Andreas Steffen and Martin Willi. diff -Nru strongswan-5.9.8/config.guess strongswan-5.9.11/config.guess --- strongswan-5.9.8/config.guess 2020-09-13 17:52:45.000000000 +0000 +++ strongswan-5.9.11/config.guess 2023-03-27 21:06:21.000000000 +0000 @@ -1,12 +1,14 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2018 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. -timestamp='2018-02-24' +# shellcheck disable=SC2006,SC2268 # see below for rationale + +timestamp='2022-01-09' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but 
@@ -27,11 +29,19 @@ # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess +# https://git.savannah.gnu.org/cgit/config.git/plain/config.guess # # Please send patches to . +# The "shellcheck disable" line above the timestamp inhibits complaints +# about features and limitations of the classic Bourne shell that were +# superseded or lifted in POSIX. However, this script identifies a wide +# variety of pre-POSIX systems that do not have POSIX shells at all, and +# even some reasonably current systems (Solaris 10 as case-in-point) still +# have a pre-POSIX /bin/sh. + + me=`echo "$0" | sed -e 's,.*/,,'` usage="\ @@ -50,7 +60,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2018 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -84,7 +94,8 @@ exit 1 fi -trap 'exit 1' 1 2 15 +# Just in case it came from the environment. +GUESS= # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires 
@@ -96,73 +107,90 @@ # Portable tmp directory creation inspired by the Autoconf team. -set_cc_for_build=' -trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; -trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; -: ${TMPDIR=/tmp} ; - { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || - { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || - { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || - { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; -dummy=$tmp/dummy ; -tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; -case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int x;" > "$dummy.c" ; - for c in cc gcc c89 c99 ; do - if ($c -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then - CC_FOR_BUILD="$c"; break ; - fi ; - done ; - if test x"$CC_FOR_BUILD" = x ; then - CC_FOR_BUILD=no_compiler_found ; - fi - ;; - ,,*) CC_FOR_BUILD=$CC ;; - ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac ; set_cc_for_build= ;' +tmp= +# shellcheck disable=SC2172 +trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 + +set_cc_for_build() { + # prevent multiple calls if $tmp is already set + test "$tmp" && return 0 + : "${TMPDIR=/tmp}" + # shellcheck disable=SC2039,SC3028 + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } + dummy=$tmp/dummy + case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in + ,,) echo "int x;" > "$dummy.c" + for driver in cc gcc c89 c99 ; do + if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 
2>&1 ; then + CC_FOR_BUILD=$driver + break + fi + done + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; + esac +} # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) -if (test -f /.attbin/uname) >/dev/null 2>&1 ; then +if test -f /.attbin/uname ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown -UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown -case "$UNAME_SYSTEM" in +case $UNAME_SYSTEM in Linux|GNU|GNU/*) - # If the system lacks a compiler, then just pick glibc. - # We could probably try harder. - LIBC=gnu + LIBC=unknown - eval "$set_cc_for_build" + set_cc_for_build cat <<-EOF > "$dummy.c" #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc - #else + #elif defined(__GLIBC__) LIBC=gnu + #else + #include + /* First heuristic to detect musl libc. */ + #ifdef __DEFINED_va_list + LIBC=musl + #endif #endif EOF - eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`" + cc_set_libc=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + eval "$cc_set_libc" - # If ldd exists, use it to detect musl libc. - if command -v ldd >/dev/null && \ - ldd --version 2>&1 | grep -q ^musl - then - LIBC=musl + # Second heuristic to detect musl libc. + if [ "$LIBC" = unknown ] && + command -v ldd >/dev/null && + ldd --version 2>&1 | grep -q ^musl; then + LIBC=musl + fi + + # If the system lacks a compiler, then just pick glibc. + # We could probably try harder. + if [ "$LIBC" = unknown ]; then + LIBC=gnu fi ;; esac # Note: order is significant - the case branches are not exclusive. 
-case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in +case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, @@ -174,12 +202,12 @@ # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". - sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ - "/sbin/$sysctl" 2>/dev/null || \ - "/usr/sbin/$sysctl" 2>/dev/null || \ + /sbin/sysctl -n hw.machine_arch 2>/dev/null || \ + /usr/sbin/sysctl -n hw.machine_arch 2>/dev/null || \ echo unknown)` - case "$UNAME_MACHINE_ARCH" in + case $UNAME_MACHINE_ARCH in + aarch64eb) machine=aarch64_be-unknown ;; armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; @@ -188,18 +216,18 @@ earmv*) arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` - machine="${arch}${endian}"-unknown + machine=${arch}${endian}-unknown ;; - *) machine="$UNAME_MACHINE_ARCH"-unknown ;; + *) machine=$UNAME_MACHINE_ARCH-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently (or will in the future) and ABI. - case "$UNAME_MACHINE_ARCH" in + case $UNAME_MACHINE_ARCH in earm*) os=netbsdelf ;; arm*|i386|m68k|ns32k|sh3*|sparc|vax) - eval "$set_cc_for_build" + set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then @@ -215,7 +243,7 @@ ;; esac # Determine ABI tags. - case "$UNAME_MACHINE_ARCH" in + case $UNAME_MACHINE_ARCH in earm*) expr='s/^earmv[0-9]/-eabi/;s/eb$//' abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` 
@@ -226,7 +254,7 @@ # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. - case "$UNAME_VERSION" in + case $UNAME_VERSION in Debian*) release='-gnu' ;; 
@@ -237,45 +265,57 @@ # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "$machine-${os}${release}${abi}" - exit ;; + GUESS=$machine-${os}${release}${abi-} + ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` - echo "$UNAME_MACHINE_ARCH"-unknown-bitrig"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE_ARCH-unknown-bitrig$UNAME_RELEASE + ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` - echo "$UNAME_MACHINE_ARCH"-unknown-openbsd"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE_ARCH-unknown-openbsd$UNAME_RELEASE + ;; + *:SecBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/SecBSD.//'` + GUESS=$UNAME_MACHINE_ARCH-unknown-secbsd$UNAME_RELEASE + ;; *:LibertyBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` - echo "$UNAME_MACHINE_ARCH"-unknown-libertybsd"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE_ARCH-unknown-libertybsd$UNAME_RELEASE + ;; *:MidnightBSD:*:*) - echo "$UNAME_MACHINE"-unknown-midnightbsd"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE-unknown-midnightbsd$UNAME_RELEASE + ;; *:ekkoBSD:*:*) - echo "$UNAME_MACHINE"-unknown-ekkobsd"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE-unknown-ekkobsd$UNAME_RELEASE + ;; *:SolidBSD:*:*) - echo "$UNAME_MACHINE"-unknown-solidbsd"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE-unknown-solidbsd$UNAME_RELEASE + ;; + *:OS108:*:*) + GUESS=$UNAME_MACHINE-unknown-os108_$UNAME_RELEASE + ;; macppc:MirBSD:*:*) - echo powerpc-unknown-mirbsd"$UNAME_RELEASE" - exit ;; + GUESS=powerpc-unknown-mirbsd$UNAME_RELEASE + ;; *:MirBSD:*:*) - echo "$UNAME_MACHINE"-unknown-mirbsd"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE-unknown-mirbsd$UNAME_RELEASE + ;; *:Sortix:*:*) - echo "$UNAME_MACHINE"-unknown-sortix - exit ;; + GUESS=$UNAME_MACHINE-unknown-sortix + ;; + *:Twizzler:*:*) + GUESS=$UNAME_MACHINE-unknown-twizzler + ;; *:Redox:*:*) - echo "$UNAME_MACHINE"-unknown-redox - exit ;; + 
GUESS=$UNAME_MACHINE-unknown-redox + ;; mips:OSF1:*.*) - echo mips-dec-osf1 - exit ;; + GUESS=mips-dec-osf1 + ;; alpha:OSF1:*:*) + # Reset EXIT trap before exiting to avoid spurious non-zero exit code. + trap '' 0 case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` @@ -289,7 +329,7 @@ # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` - case "$ALPHA_CPU_TYPE" in + case $ALPHA_CPU_TYPE in "EV4 (21064)") UNAME_MACHINE=alpha ;; "EV4.5 (21064)") 
@@ -326,117 +366,121 @@ # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo "$UNAME_MACHINE"-dec-osf"`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`" - # Reset EXIT trap before exiting to avoid spurious non-zero exit code. - exitcode=$? - trap '' 0 - exit $exitcode ;; + OSF_REL=`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + GUESS=$UNAME_MACHINE-dec-osf$OSF_REL + ;; Amiga*:UNIX_System_V:4.0:*) - echo m68k-unknown-sysv4 - exit ;; + GUESS=m68k-unknown-sysv4 + ;; *:[Aa]miga[Oo][Ss]:*:*) - echo "$UNAME_MACHINE"-unknown-amigaos - exit ;; + GUESS=$UNAME_MACHINE-unknown-amigaos + ;; *:[Mm]orph[Oo][Ss]:*:*) - echo "$UNAME_MACHINE"-unknown-morphos - exit ;; + GUESS=$UNAME_MACHINE-unknown-morphos + ;; *:OS/390:*:*) - echo i370-ibm-openedition - exit ;; + GUESS=i370-ibm-openedition + ;; *:z/VM:*:*) - echo s390-ibm-zvmoe - exit ;; + GUESS=s390-ibm-zvmoe + ;; *:OS400:*:*) - echo powerpc-ibm-os400 - exit ;; + GUESS=powerpc-ibm-os400 + ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) - echo arm-acorn-riscix"$UNAME_RELEASE" - exit ;; + GUESS=arm-acorn-riscix$UNAME_RELEASE + ;; arm*:riscos:*:*|arm*:RISCOS:*:*) - echo arm-unknown-riscos - exit ;; + GUESS=arm-unknown-riscos + ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) - echo hppa1.1-hitachi-hiuxmpp - exit ;; + GUESS=hppa1.1-hitachi-hiuxmpp + ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 
- if test "`(/bin/universe) 2>/dev/null`" = att ; then - echo pyramid-pyramid-sysv3 - else - echo pyramid-pyramid-bsd - fi - exit ;; + case `(/bin/universe) 2>/dev/null` in + att) GUESS=pyramid-pyramid-sysv3 ;; + *) GUESS=pyramid-pyramid-bsd ;; + esac + ;; NILE*:*:*:dcosx) - echo pyramid-pyramid-svr4 - exit ;; + GUESS=pyramid-pyramid-svr4 + ;; DRS?6000:unix:4.0:6*) - echo sparc-icl-nx6 - exit ;; + GUESS=sparc-icl-nx6 + ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in - sparc) echo sparc-icl-nx7; exit ;; - esac ;; + sparc) GUESS=sparc-icl-nx7 ;; + esac + ;; s390x:SunOS:*:*) - echo "$UNAME_MACHINE"-ibm-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" - exit ;; + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=$UNAME_MACHINE-ibm-solaris2$SUN_REL + ;; sun4H:SunOS:5.*:*) - echo sparc-hal-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" - exit ;; + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-hal-solaris2$SUN_REL + ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) - echo sparc-sun-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" - exit ;; + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-sun-solaris2$SUN_REL + ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) - echo i386-pc-auroraux"$UNAME_RELEASE" - exit ;; + GUESS=i386-pc-auroraux$UNAME_RELEASE + ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) - eval "$set_cc_for_build" + set_cc_for_build SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. 
- if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH=x86_64 fi fi - echo "$SUN_ARCH"-pc-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" - exit ;; + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=$SUN_ARCH-pc-solaris2$SUN_REL + ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. - echo sparc-sun-solaris3"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" - exit ;; + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=sparc-sun-solaris3$SUN_REL + ;; sun4*:SunOS:*:*) - case "`/usr/bin/arch -k`" in + case `/usr/bin/arch -k` in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. - echo sparc-sun-sunos"`echo "$UNAME_RELEASE"|sed -e 's/-/_/'`" - exit ;; + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'` + GUESS=sparc-sun-sunos$SUN_REL + ;; sun3*:SunOS:*:*) - echo m68k-sun-sunos"$UNAME_RELEASE" - exit ;; + GUESS=m68k-sun-sunos$UNAME_RELEASE + ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 - case "`/bin/arch`" in + case `/bin/arch` in sun3) - echo m68k-sun-sunos"$UNAME_RELEASE" + GUESS=m68k-sun-sunos$UNAME_RELEASE ;; sun4) - echo sparc-sun-sunos"$UNAME_RELEASE" + GUESS=sparc-sun-sunos$UNAME_RELEASE ;; esac - exit ;; + ;; aushp:SunOS:*:*) - echo sparc-auspex-sunos"$UNAME_RELEASE" - exit ;; + GUESS=sparc-auspex-sunos$UNAME_RELEASE + ;; # The situation for MiNT is a little confusing. 
The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor @@ -446,43 +490,43 @@ # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint"$UNAME_RELEASE" - exit ;; + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint"$UNAME_RELEASE" - exit ;; + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint"$UNAME_RELEASE" - exit ;; + GUESS=m68k-atari-mint$UNAME_RELEASE + ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint"$UNAME_RELEASE" - exit ;; + GUESS=m68k-milan-mint$UNAME_RELEASE + ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint"$UNAME_RELEASE" - exit ;; + GUESS=m68k-hades-mint$UNAME_RELEASE + ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint"$UNAME_RELEASE" - exit ;; + GUESS=m68k-unknown-mint$UNAME_RELEASE + ;; m68k:machten:*:*) - echo m68k-apple-machten"$UNAME_RELEASE" - exit ;; + GUESS=m68k-apple-machten$UNAME_RELEASE + ;; powerpc:machten:*:*) - echo powerpc-apple-machten"$UNAME_RELEASE" - exit ;; + GUESS=powerpc-apple-machten$UNAME_RELEASE + ;; RISC*:Mach:*:*) - echo mips-dec-mach_bsd4.3 - exit ;; + GUESS=mips-dec-mach_bsd4.3 + ;; RISC*:ULTRIX:*:*) - echo mips-dec-ultrix"$UNAME_RELEASE" - exit ;; + GUESS=mips-dec-ultrix$UNAME_RELEASE + ;; VAX*:ULTRIX*:*:*) - echo vax-dec-ultrix"$UNAME_RELEASE" - exit ;; + GUESS=vax-dec-ultrix$UNAME_RELEASE + ;; 2020:CLIX:*:* | 2430:CLIX:*:*) - echo clipper-intergraph-clix"$UNAME_RELEASE" - exit ;; + GUESS=clipper-intergraph-clix$UNAME_RELEASE + ;; mips:*:*:UMIPS | mips:*:*:RISCos) - eval "$set_cc_for_build" + set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #ifdef __cplusplus #include /* for printf() prototype */ 
@@ -508,78 +552,79 @@ dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`"$dummy" "$dummyarg"` && { echo "$SYSTEM_NAME"; exit; } - echo mips-mips-riscos"$UNAME_RELEASE" - exit ;; + GUESS=mips-mips-riscos$UNAME_RELEASE + ;; Motorola:PowerMAX_OS:*:*) - echo powerpc-motorola-powermax - exit ;; + GUESS=powerpc-motorola-powermax + ;; Motorola:*:4.3:PL8-*) - echo powerpc-harris-powermax - exit ;; + GUESS=powerpc-harris-powermax + ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) - echo powerpc-harris-powermax - exit ;; + GUESS=powerpc-harris-powermax + ;; Night_Hawk:Power_UNIX:*:*) - echo powerpc-harris-powerunix - exit ;; + GUESS=powerpc-harris-powerunix + ;; m88k:CX/UX:7*:*) - echo m88k-harris-cxux7 - exit ;; + GUESS=m88k-harris-cxux7 + ;; m88k:*:4*:R4*) - echo m88k-motorola-sysv4 - exit ;; + GUESS=m88k-motorola-sysv4 + ;; m88k:*:3*:R3*) - echo m88k-motorola-sysv3 - exit ;; + GUESS=m88k-motorola-sysv3 + ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` - if [ "$UNAME_PROCESSOR" = mc88100 ] || [ "$UNAME_PROCESSOR" = mc88110 ] + if test "$UNAME_PROCESSOR" = mc88100 || test "$UNAME_PROCESSOR" = mc88110 then - if [ "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx ] || \ - [ "$TARGET_BINARY_INTERFACE"x = x ] + if test "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx || \ + test "$TARGET_BINARY_INTERFACE"x = x then - echo m88k-dg-dgux"$UNAME_RELEASE" + GUESS=m88k-dg-dgux$UNAME_RELEASE else - echo m88k-dg-dguxbcs"$UNAME_RELEASE" + GUESS=m88k-dg-dguxbcs$UNAME_RELEASE fi else - echo i586-dg-dgux"$UNAME_RELEASE" + GUESS=i586-dg-dgux$UNAME_RELEASE fi - exit ;; + ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) - echo m88k-dolphin-sysv3 - exit ;; + GUESS=m88k-dolphin-sysv3 + ;; M88*:*:R3*:*) # Delta 88k system running SVR3 - echo m88k-motorola-sysv3 - exit ;; + GUESS=m88k-motorola-sysv3 + ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) - echo m88k-tektronix-sysv3 - exit ;; + GUESS=m88k-tektronix-sysv3 
+ ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) - echo m68k-tektronix-bsd - exit ;; + GUESS=m68k-tektronix-bsd + ;; *:IRIX*:*:*) - echo mips-sgi-irix"`echo "$UNAME_RELEASE"|sed -e 's/-/_/g'`" - exit ;; + IRIX_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/g'` + GUESS=mips-sgi-irix$IRIX_REL + ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. - echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id - exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + GUESS=romp-ibm-aix # uname -m gives an 8 hex-code CPU id + ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) - echo i386-ibm-aix - exit ;; + GUESS=i386-ibm-aix + ;; ia64:AIX:*:*) - if [ -x /usr/bin/oslevel ] ; then + if test -x /usr/bin/oslevel ; then IBM_REV=`/usr/bin/oslevel` else - IBM_REV="$UNAME_VERSION.$UNAME_RELEASE" + IBM_REV=$UNAME_VERSION.$UNAME_RELEASE fi - echo "$UNAME_MACHINE"-ibm-aix"$IBM_REV" - exit ;; + GUESS=$UNAME_MACHINE-ibm-aix$IBM_REV + ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then - eval "$set_cc_for_build" + set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #include @@ -593,16 +638,16 @@ EOF if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` then - echo "$SYSTEM_NAME" + GUESS=$SYSTEM_NAME else - echo rs6000-ibm-aix3.2.5 + GUESS=rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then - echo rs6000-ibm-aix3.2.4 + GUESS=rs6000-ibm-aix3.2.4 else - echo rs6000-ibm-aix3.2 + GUESS=rs6000-ibm-aix3.2 fi - exit ;; + ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then 
@@ -610,57 +655,57 @@ else IBM_ARCH=powerpc fi - if [ -x /usr/bin/lslpp ] ; then - IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | + if test -x /usr/bin/lslpp ; then + IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | \ awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` else - IBM_REV="$UNAME_VERSION.$UNAME_RELEASE" + IBM_REV=$UNAME_VERSION.$UNAME_RELEASE fi - echo "$IBM_ARCH"-ibm-aix"$IBM_REV" - exit ;; + GUESS=$IBM_ARCH-ibm-aix$IBM_REV + ;; *:AIX:*:*) - echo rs6000-ibm-aix - exit ;; + GUESS=rs6000-ibm-aix + ;; ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) - echo romp-ibm-bsd4.4 - exit ;; + GUESS=romp-ibm-bsd4.4 + ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and - echo romp-ibm-bsd"$UNAME_RELEASE" # 4.3 with uname added to - exit ;; # report: romp-ibm BSD 4.3 + GUESS=romp-ibm-bsd$UNAME_RELEASE # 4.3 with uname added to + ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) - echo rs6000-bull-bosx - exit ;; + GUESS=rs6000-bull-bosx + ;; DPX/2?00:B.O.S.:*:*) - echo m68k-bull-sysv3 - exit ;; + GUESS=m68k-bull-sysv3 + ;; 9000/[34]??:4.3bsd:1.*:*) - echo m68k-hp-bsd - exit ;; + GUESS=m68k-hp-bsd + ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) - echo m68k-hp-bsd4.4 - exit ;; + GUESS=m68k-hp-bsd4.4 + ;; 9000/[34678]??:HP-UX:*:*) - HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` - case "$UNAME_MACHINE" in + HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` + case $UNAME_MACHINE in 9000/31?) HP_ARCH=m68000 ;; 9000/[34]??) 
HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) - if [ -x /usr/bin/getconf ]; then + if test -x /usr/bin/getconf; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "$sc_cpu_version" in + case $sc_cpu_version in 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 - case "$sc_kernel_bits" in + case $sc_kernel_bits in 32) HP_ARCH=hppa2.0n ;; 64) HP_ARCH=hppa2.0w ;; '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi - if [ "$HP_ARCH" = "" ]; then - eval "$set_cc_for_build" + if test "$HP_ARCH" = ""; then + set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #define _HPUX_SOURCE @@ -698,9 +743,9 @@ test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ "$HP_ARCH" = hppa2.0w ] + if test "$HP_ARCH" = hppa2.0w then - eval "$set_cc_for_build" + set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler @@ -719,14 +764,14 @@ HP_ARCH=hppa64 fi fi - echo "$HP_ARCH"-hp-hpux"$HPUX_REV" - exit ;; + GUESS=$HP_ARCH-hp-hpux$HPUX_REV + ;; ia64:HP-UX:*:*) - HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` - echo ia64-hp-hpux"$HPUX_REV" - exit ;; + HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` + GUESS=ia64-hp-hpux$HPUX_REV + ;; 3050*:HI-UX:*:*) - eval "$set_cc_for_build" + set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #include int 
@@ -754,36 +799,36 @@ EOF $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } - echo unknown-hitachi-hiuxwe2 - exit ;; + GUESS=unknown-hitachi-hiuxwe2 + ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) - echo hppa1.1-hp-bsd - exit ;; + GUESS=hppa1.1-hp-bsd + ;; 9000/8??:4.3bsd:*:*) - echo hppa1.0-hp-bsd - exit ;; + GUESS=hppa1.0-hp-bsd + ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) - echo hppa1.0-hp-mpeix - exit ;; + GUESS=hppa1.0-hp-mpeix + ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) - echo hppa1.1-hp-osf - exit ;; + GUESS=hppa1.1-hp-osf + ;; hp8??:OSF1:*:*) - echo hppa1.0-hp-osf - exit ;; + GUESS=hppa1.0-hp-osf + ;; i*86:OSF1:*:*) - if [ -x /usr/sbin/sysversion ] ; then - echo "$UNAME_MACHINE"-unknown-osf1mk + if test -x /usr/sbin/sysversion ; then + GUESS=$UNAME_MACHINE-unknown-osf1mk else - echo "$UNAME_MACHINE"-unknown-osf1 + GUESS=$UNAME_MACHINE-unknown-osf1 fi - exit ;; + ;; parisc*:Lites*:*:*) - echo hppa1.1-hp-lites - exit ;; + GUESS=hppa1.1-hp-lites + ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) - echo c1-convex-bsd - exit ;; + GUESS=c1-convex-bsd + ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd @@ -791,17 +836,18 @@ fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) - echo c34-convex-bsd - exit ;; + GUESS=c34-convex-bsd + ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) - echo c38-convex-bsd - exit ;; + GUESS=c38-convex-bsd + ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) - echo c4-convex-bsd - exit ;; + GUESS=c4-convex-bsd + ;; CRAY*Y-MP:*:*:*) - echo ymp-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' - exit ;; + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=ymp-cray-unicos$CRAY_REL + ;; CRAY*[A-Z]90:*:*:*) echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ 
@@ -809,103 +855,129 @@ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) - echo t90-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' - exit ;; + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=t90-cray-unicos$CRAY_REL + ;; CRAY*T3E:*:*:*) - echo alphaev5-cray-unicosmk"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' - exit ;; + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=alphaev5-cray-unicosmk$CRAY_REL + ;; CRAY*SV1:*:*:*) - echo sv1-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' - exit ;; + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=sv1-cray-unicos$CRAY_REL + ;; *:UNICOS/mp:*:*) - echo craynv-cray-unicosmp"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' - exit ;; + CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` + GUESS=craynv-cray-unicosmp$CRAY_REL + ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` - echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit ;; + GUESS=${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} + ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` - echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit ;; + GUESS=sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} + ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) - echo "$UNAME_MACHINE"-pc-bsdi"$UNAME_RELEASE" - exit ;; + GUESS=$UNAME_MACHINE-pc-bsdi$UNAME_RELEASE + ;; sparc*:BSD/OS:*:*) - echo sparc-unknown-bsdi"$UNAME_RELEASE" - exit ;; + GUESS=sparc-unknown-bsdi$UNAME_RELEASE + ;; *:BSD/OS:*:*) - echo "$UNAME_MACHINE"-unknown-bsdi"$UNAME_RELEASE" - exit ;; + 
GUESS=$UNAME_MACHINE-unknown-bsdi$UNAME_RELEASE + ;; + arm:FreeBSD:*:*) + UNAME_PROCESSOR=`uname -p` + set_cc_for_build + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabi + else + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabihf + fi + ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` - case "$UNAME_PROCESSOR" in + case $UNAME_PROCESSOR in amd64) UNAME_PROCESSOR=x86_64 ;; i386) UNAME_PROCESSOR=i586 ;; esac - echo "$UNAME_PROCESSOR"-unknown-freebsd"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`" - exit ;; + FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL + ;; i*:CYGWIN*:*) - echo "$UNAME_MACHINE"-pc-cygwin - exit ;; + GUESS=$UNAME_MACHINE-pc-cygwin + ;; *:MINGW64*:*) - echo "$UNAME_MACHINE"-pc-mingw64 - exit ;; + GUESS=$UNAME_MACHINE-pc-mingw64 + ;; *:MINGW*:*) - echo "$UNAME_MACHINE"-pc-mingw32 - exit ;; + GUESS=$UNAME_MACHINE-pc-mingw32 + ;; *:MSYS*:*) - echo "$UNAME_MACHINE"-pc-msys - exit ;; + GUESS=$UNAME_MACHINE-pc-msys + ;; i*:PW*:*) - echo "$UNAME_MACHINE"-pc-pw32 - exit ;; + GUESS=$UNAME_MACHINE-pc-pw32 + ;; + *:SerenityOS:*:*) + GUESS=$UNAME_MACHINE-pc-serenity + ;; *:Interix*:*) - case "$UNAME_MACHINE" in + case $UNAME_MACHINE in x86) - echo i586-pc-interix"$UNAME_RELEASE" - exit ;; + GUESS=i586-pc-interix$UNAME_RELEASE + ;; authenticamd | genuineintel | EM64T) - echo x86_64-unknown-interix"$UNAME_RELEASE" - exit ;; + GUESS=x86_64-unknown-interix$UNAME_RELEASE + ;; IA64) - echo ia64-unknown-interix"$UNAME_RELEASE" - exit ;; + GUESS=ia64-unknown-interix$UNAME_RELEASE + ;; esac ;; i*:UWIN*:*) - echo "$UNAME_MACHINE"-pc-uwin - exit ;; + GUESS=$UNAME_MACHINE-pc-uwin + ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) - echo x86_64-unknown-cygwin - exit ;; + 
GUESS=x86_64-pc-cygwin + ;; prep*:SunOS:5.*:*) - echo powerpcle-unknown-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" - exit ;; + SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` + GUESS=powerpcle-unknown-solaris2$SUN_REL + ;; *:GNU:*:*) # the GNU system - echo "`echo "$UNAME_MACHINE"|sed -e 's,[-/].*$,,'`-unknown-$LIBC`echo "$UNAME_RELEASE"|sed -e 's,/.*$,,'`" - exit ;; + GNU_ARCH=`echo "$UNAME_MACHINE" | sed -e 's,[-/].*$,,'` + GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's,/.*$,,'` + GUESS=$GNU_ARCH-unknown-$LIBC$GNU_REL + ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo "$UNAME_MACHINE-unknown-`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`-$LIBC" - exit ;; - i*86:Minix:*:*) - echo "$UNAME_MACHINE"-pc-minix - exit ;; + GNU_SYS=`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"` + GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` + GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC + ;; + *:Minix:*:*) + GUESS=$UNAME_MACHINE-unknown-minix + ;; aarch64:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; 
@@ -916,187 +988,225 @@ esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC=gnulibc1 ; fi - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; - arc:Linux:*:* | arceb:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + arc:Linux:*:* | arceb:Linux:*:* | arc32:Linux:*:* | arc64:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; arm*:Linux:*:*) - eval "$set_cc_for_build" + set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabi + GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabi else - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabihf + GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabihf fi fi - exit ;; + ;; avr32*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; cris:Linux:*:*) - echo "$UNAME_MACHINE"-axis-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-axis-linux-$LIBC + ;; crisv32:Linux:*:*) - echo "$UNAME_MACHINE"-axis-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-axis-linux-$LIBC + ;; e2k:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; frv:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; hexagon:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; i*86:Linux:*:*) - echo "$UNAME_MACHINE"-pc-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-pc-linux-$LIBC + ;; ia64:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; k1om:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - 
exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; m32r*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; m68*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; mips:Linux:*:* | mips64:Linux:*:*) - eval "$set_cc_for_build" + set_cc_for_build + IS_GLIBC=0 + test x"${LIBC}" = xgnu && IS_GLIBC=1 sed 's/^ //' << EOF > "$dummy.c" #undef CPU - #undef ${UNAME_MACHINE} - #undef ${UNAME_MACHINE}el + #undef mips + #undef mipsel + #undef mips64 + #undef mips64el + #if ${IS_GLIBC} && defined(_ABI64) + LIBCABI=gnuabi64 + #else + #if ${IS_GLIBC} && defined(_ABIN32) + LIBCABI=gnuabin32 + #else + LIBCABI=${LIBC} + #endif + #endif + + #if ${IS_GLIBC} && defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa64r6 + #else + #if ${IS_GLIBC} && !defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 + CPU=mipsisa32r6 + #else + #if defined(__mips64) + CPU=mips64 + #else + CPU=mips + #endif + #endif + #endif + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=${UNAME_MACHINE}el + MIPS_ENDIAN=el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=${UNAME_MACHINE} + MIPS_ENDIAN= #else - CPU= + MIPS_ENDIAN= #endif #endif EOF - eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU'`" - test "x$CPU" != x && { echo "$CPU-unknown-linux-$LIBC"; exit; } + cc_set_vars=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU\|^MIPS_ENDIAN\|^LIBCABI'` + eval "$cc_set_vars" + test "x$CPU" != x && { echo "$CPU${MIPS_ENDIAN}-unknown-linux-$LIBCABI"; exit; } ;; mips64el:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; openrisc*:Linux:*:*) - echo 
or1k-unknown-linux-"$LIBC" - exit ;; + GUESS=or1k-unknown-linux-$LIBC + ;; or32:Linux:*:* | or1k*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; padre:Linux:*:*) - echo sparc-unknown-linux-"$LIBC" - exit ;; + GUESS=sparc-unknown-linux-$LIBC + ;; parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-"$LIBC" - exit ;; + GUESS=hppa64-unknown-linux-$LIBC + ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-"$LIBC" ;; - PA8*) echo hppa2.0-unknown-linux-"$LIBC" ;; - *) echo hppa-unknown-linux-"$LIBC" ;; + PA7*) GUESS=hppa1.1-unknown-linux-$LIBC ;; + PA8*) GUESS=hppa2.0-unknown-linux-$LIBC ;; + *) GUESS=hppa-unknown-linux-$LIBC ;; esac - exit ;; + ;; ppc64:Linux:*:*) - echo powerpc64-unknown-linux-"$LIBC" - exit ;; + GUESS=powerpc64-unknown-linux-$LIBC + ;; ppc:Linux:*:*) - echo powerpc-unknown-linux-"$LIBC" - exit ;; + GUESS=powerpc-unknown-linux-$LIBC + ;; ppc64le:Linux:*:*) - echo powerpc64le-unknown-linux-"$LIBC" - exit ;; + GUESS=powerpc64le-unknown-linux-$LIBC + ;; ppcle:Linux:*:*) - echo powerpcle-unknown-linux-"$LIBC" - exit ;; - riscv32:Linux:*:* | riscv64:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=powerpcle-unknown-linux-$LIBC + ;; + riscv32:Linux:*:* | riscv32be:Linux:*:* | riscv64:Linux:*:* | riscv64be:Linux:*:*) + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; s390:Linux:*:* | s390x:Linux:*:*) - echo "$UNAME_MACHINE"-ibm-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-ibm-linux-$LIBC + ;; sh64*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; sh*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; sparc:Linux:*:* | sparc64:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + 
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; tile*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; vax:Linux:*:*) - echo "$UNAME_MACHINE"-dec-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-dec-linux-$LIBC + ;; x86_64:Linux:*:*) - if objdump -f /bin/sh | grep -q elf32-x86-64; then - echo "$UNAME_MACHINE"-pc-linux-"$LIBC"x32 - else - echo "$UNAME_MACHINE"-pc-linux-"$LIBC" + set_cc_for_build + LIBCABI=$LIBC + if test "$CC_FOR_BUILD" != no_compiler_found; then + if (echo '#ifdef __ILP32__'; echo IS_X32; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_X32 >/dev/null + then + LIBCABI=${LIBC}x32 + fi fi - exit ;; + GUESS=$UNAME_MACHINE-pc-linux-$LIBCABI + ;; xtensa*:Linux:*:*) - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. - echo i386-sequent-sysv4 - exit ;; + GUESS=i386-sequent-sysv4 + ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. - echo "$UNAME_MACHINE"-pc-sysv4.2uw"$UNAME_VERSION" - exit ;; + GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION + ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. 
- echo "$UNAME_MACHINE"-pc-os2-emx - exit ;; + GUESS=$UNAME_MACHINE-pc-os2-emx + ;; i*86:XTS-300:*:STOP) - echo "$UNAME_MACHINE"-unknown-stop - exit ;; + GUESS=$UNAME_MACHINE-unknown-stop + ;; i*86:atheos:*:*) - echo "$UNAME_MACHINE"-unknown-atheos - exit ;; + GUESS=$UNAME_MACHINE-unknown-atheos + ;; i*86:syllable:*:*) - echo "$UNAME_MACHINE"-pc-syllable - exit ;; + GUESS=$UNAME_MACHINE-pc-syllable + ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) - echo i386-unknown-lynxos"$UNAME_RELEASE" - exit ;; + GUESS=i386-unknown-lynxos$UNAME_RELEASE + ;; i*86:*DOS:*:*) - echo "$UNAME_MACHINE"-pc-msdosdjgpp - exit ;; + GUESS=$UNAME_MACHINE-pc-msdosdjgpp + ;; i*86:*:4.*:*) UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then - echo "$UNAME_MACHINE"-univel-sysv"$UNAME_REL" + GUESS=$UNAME_MACHINE-univel-sysv$UNAME_REL else - echo "$UNAME_MACHINE"-pc-sysv"$UNAME_REL" + GUESS=$UNAME_MACHINE-pc-sysv$UNAME_REL fi - exit ;; + ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in @@ -1104,12 +1214,12 @@ *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac - echo "$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}{$UNAME_VERSION}" - exit ;; + GUESS=$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 
@@ -1119,11 +1229,11 @@
 && UNAME_MACHINE=i686
 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
 && UNAME_MACHINE=i686
- echo "$UNAME_MACHINE"-pc-sco"$UNAME_REL"
+ GUESS=$UNAME_MACHINE-pc-sco$UNAME_REL
 else
- echo "$UNAME_MACHINE"-pc-sysv32
+ GUESS=$UNAME_MACHINE-pc-sysv32
 fi
- exit ;;
+ ;;
 pc:*:*:*)
 # Left here for compatibility:
 # uname -m prints for DJGPP always 'pc', but it prints nothing about
@@ -1131,31 +1241,31 @@
 # Note: whatever this is, it MUST be the same as what config.sub
 # prints for the "djgpp" host, or else GDB configure will decide that
 # this is a cross-build.
- echo i586-pc-msdosdjgpp
- exit ;;
+ GUESS=i586-pc-msdosdjgpp
+ ;;
 Intel:Mach:3*:*)
- echo i386-pc-mach3
- exit ;;
+ GUESS=i386-pc-mach3
+ ;;
 paragon:*:*:*)
- echo i860-intel-osf1
- exit ;;
+ GUESS=i860-intel-osf1
+ ;;
 i860:*:4.*:*) # i860-SVR4
 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
- echo i860-stardent-sysv"$UNAME_RELEASE" # Stardent Vistra i860-SVR4
+ GUESS=i860-stardent-sysv$UNAME_RELEASE # Stardent Vistra i860-SVR4
 else
 # Add other i860-SVR4 vendors below as they are discovered.
- echo i860-unknown-sysv"$UNAME_RELEASE" # Unknown i860-SVR4
+ GUESS=i860-unknown-sysv$UNAME_RELEASE # Unknown i860-SVR4
 fi
- exit ;;
+ ;;
 mini*:CTIX:SYS*5:*) # "miniframe"
- echo m68010-convergent-sysv
- exit ;;
+ GUESS=m68010-convergent-sysv
+ ;;
 mc68k:UNIX:SYSTEM5:3.51m)
- echo m68k-convergent-sysv
- exit ;;
+ GUESS=m68k-convergent-sysv
+ ;;
 M680?0:D-NIX:5.3:*)
- echo m68k-diab-dnix
- exit ;;
+ GUESS=m68k-diab-dnix
+ ;;
 M68*:*:R3V[5678]*:*)
 test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
@@ -1180,249 +1290,404 @@
 /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \
 && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;;
 m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
- echo m68k-unknown-lynxos"$UNAME_RELEASE"
- exit ;;
+ GUESS=m68k-unknown-lynxos$UNAME_RELEASE
+ ;;
 mc68030:UNIX_System_V:4.*:*)
- echo m68k-atari-sysv4
- exit ;;
+ GUESS=m68k-atari-sysv4
+ ;;
 TSUNAMI:LynxOS:2.*:*)
- echo sparc-unknown-lynxos"$UNAME_RELEASE"
- exit ;;
+ GUESS=sparc-unknown-lynxos$UNAME_RELEASE
+ ;;
 rs6000:LynxOS:2.*:*)
- echo rs6000-unknown-lynxos"$UNAME_RELEASE"
- exit ;;
+ GUESS=rs6000-unknown-lynxos$UNAME_RELEASE
+ ;;
 PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*)
- echo powerpc-unknown-lynxos"$UNAME_RELEASE"
- exit ;;
+ GUESS=powerpc-unknown-lynxos$UNAME_RELEASE
+ ;;
 SM[BE]S:UNIX_SV:*:*)
- echo mips-dde-sysv"$UNAME_RELEASE"
- exit ;;
+ GUESS=mips-dde-sysv$UNAME_RELEASE
+ ;;
 RM*:ReliantUNIX-*:*:*)
- echo mips-sni-sysv4
- exit ;;
+ GUESS=mips-sni-sysv4
+ ;;
 RM*:SINIX-*:*:*)
- echo mips-sni-sysv4
- exit ;;
+ GUESS=mips-sni-sysv4
+ ;;
 *:SINIX-*:*:*)
 if uname -p 2>/dev/null >/dev/null ; then
 UNAME_MACHINE=`(uname -p) 2>/dev/null`
- echo "$UNAME_MACHINE"-sni-sysv4
+ GUESS=$UNAME_MACHINE-sni-sysv4
 else
- echo ns32k-sni-sysv
+ GUESS=ns32k-sni-sysv
 fi
- exit ;;
+ ;;
 PENTIUM:*:4.0*:*)
 # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
 # says
- echo i586-unisys-sysv4
- exit ;;
+ GUESS=i586-unisys-sysv4
+ ;;
 *:UNIX_System_V:4*:FTX*)
 # From Gerald Hewes .
 # How about differentiating between stratus architectures? -djm
- echo hppa1.1-stratus-sysv4
- exit ;;
+ GUESS=hppa1.1-stratus-sysv4
+ ;;
 *:*:*:FTX*)
 # From seanf@swdc.stratus.com.
- echo i860-stratus-sysv4
- exit ;;
+ GUESS=i860-stratus-sysv4
+ ;;
 i*86:VOS:*:*)
 # From Paul.Green@stratus.com.
- echo "$UNAME_MACHINE"-stratus-vos
- exit ;;
+ GUESS=$UNAME_MACHINE-stratus-vos
+ ;;
 *:VOS:*:*)
 # From Paul.Green@stratus.com.
- echo hppa1.1-stratus-vos
- exit ;;
+ GUESS=hppa1.1-stratus-vos
+ ;;
 mc68*:A/UX:*:*)
- echo m68k-apple-aux"$UNAME_RELEASE"
- exit ;;
+ GUESS=m68k-apple-aux$UNAME_RELEASE
+ ;;
 news*:NEWS-OS:6*:*)
- echo mips-sony-newsos6
- exit ;;
+ GUESS=mips-sony-newsos6
+ ;;
 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
- if [ -d /usr/nec ]; then
- echo mips-nec-sysv"$UNAME_RELEASE"
+ if test -d /usr/nec; then
+ GUESS=mips-nec-sysv$UNAME_RELEASE
 else
- echo mips-unknown-sysv"$UNAME_RELEASE"
+ GUESS=mips-unknown-sysv$UNAME_RELEASE
 fi
- exit ;;
+ ;;
 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
- echo powerpc-be-beos
- exit ;;
+ GUESS=powerpc-be-beos
+ ;;
 BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
- echo powerpc-apple-beos
- exit ;;
+ GUESS=powerpc-apple-beos
+ ;;
 BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
- echo i586-pc-beos
- exit ;;
+ GUESS=i586-pc-beos
+ ;;
 BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
- echo i586-pc-haiku
- exit ;;
+ GUESS=i586-pc-haiku
+ ;;
 x86_64:Haiku:*:*)
- echo x86_64-unknown-haiku
- exit ;;
+ GUESS=x86_64-unknown-haiku
+ ;;
 SX-4:SUPER-UX:*:*)
- echo sx4-nec-superux"$UNAME_RELEASE"
- exit ;;
+ GUESS=sx4-nec-superux$UNAME_RELEASE
+ ;;
 SX-5:SUPER-UX:*:*)
- echo sx5-nec-superux"$UNAME_RELEASE"
- exit ;;
+ GUESS=sx5-nec-superux$UNAME_RELEASE
+ ;;
 SX-6:SUPER-UX:*:*)
- echo sx6-nec-superux"$UNAME_RELEASE"
- exit ;;
+ GUESS=sx6-nec-superux$UNAME_RELEASE
+ ;;
 SX-7:SUPER-UX:*:*)
- echo sx7-nec-superux"$UNAME_RELEASE"
- exit ;;
+ GUESS=sx7-nec-superux$UNAME_RELEASE
+ ;;
 SX-8:SUPER-UX:*:*)
- echo sx8-nec-superux"$UNAME_RELEASE"
- exit ;;
+ GUESS=sx8-nec-superux$UNAME_RELEASE
+ ;;
 SX-8R:SUPER-UX:*:*)
- echo sx8r-nec-superux"$UNAME_RELEASE"
- exit ;;
+ GUESS=sx8r-nec-superux$UNAME_RELEASE
+ ;;
 SX-ACE:SUPER-UX:*:*)
- echo sxace-nec-superux"$UNAME_RELEASE"
- exit ;;
+ GUESS=sxace-nec-superux$UNAME_RELEASE
+ ;;
 Power*:Rhapsody:*:*)
- echo powerpc-apple-rhapsody"$UNAME_RELEASE"
- exit ;;
+
GUESS=powerpc-apple-rhapsody$UNAME_RELEASE
+ ;;
 *:Rhapsody:*:*)
- echo "$UNAME_MACHINE"-apple-rhapsody"$UNAME_RELEASE"
- exit ;;
+ GUESS=$UNAME_MACHINE-apple-rhapsody$UNAME_RELEASE
+ ;;
+ arm64:Darwin:*:*)
+ GUESS=aarch64-apple-darwin$UNAME_RELEASE
+ ;;
 *:Darwin:*:*)
- UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
- eval "$set_cc_for_build"
- if test "$UNAME_PROCESSOR" = unknown ; then
- UNAME_PROCESSOR=powerpc
- fi
- if test "`echo "$UNAME_RELEASE" | sed -e 's/\..*//'`" -le 10 ; then
- if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
- if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
- (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
- grep IS_64BIT_ARCH >/dev/null
- then
- case $UNAME_PROCESSOR in
- i386) UNAME_PROCESSOR=x86_64 ;;
- powerpc) UNAME_PROCESSOR=powerpc64 ;;
- esac
- fi
- # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc
- if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \
- (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
- grep IS_PPC >/dev/null
- then
- UNAME_PROCESSOR=powerpc
+ UNAME_PROCESSOR=`uname -p`
+ case $UNAME_PROCESSOR in
+ unknown) UNAME_PROCESSOR=powerpc ;;
+ esac
+ if command -v xcode-select > /dev/null 2> /dev/null && \
+ ! xcode-select --print-path > /dev/null 2> /dev/null ; then
+ # Avoid executing cc if there is no toolchain installed as
+ # cc will be a stub that puts up a graphical alert
+ # prompting the user to install developer tools.
+ CC_FOR_BUILD=no_compiler_found
+ else
+ set_cc_for_build
+ fi
+ if test "$CC_FOR_BUILD" != no_compiler_found; then
+ if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
+ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+ grep IS_64BIT_ARCH >/dev/null
+ then
+ case $UNAME_PROCESSOR in
+ i386) UNAME_PROCESSOR=x86_64 ;;
+ powerpc) UNAME_PROCESSOR=powerpc64 ;;
+ esac
+ fi
+ # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc
+ if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \
+ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
+ grep IS_PPC >/dev/null
+ then
+ UNAME_PROCESSOR=powerpc
 fi
 elif test "$UNAME_PROCESSOR" = i386 ; then
- # Avoid executing cc on OS X 10.9, as it ships with a stub
- # that puts up a graphical alert prompting to install
- # developer tools. Any system running Mac OS X 10.7 or
- # later (Darwin 11 and later) is required to have a 64-bit
- # processor. This is not true of the ARM version of Darwin
- # that Apple uses in portable devices.
- UNAME_PROCESSOR=x86_64
+ # uname -m returns i386 or x86_64
+ UNAME_PROCESSOR=$UNAME_MACHINE
 fi
- echo "$UNAME_PROCESSOR"-apple-darwin"$UNAME_RELEASE"
- exit ;;
+ GUESS=$UNAME_PROCESSOR-apple-darwin$UNAME_RELEASE
+ ;;
 *:procnto*:*:* | *:QNX:[0123456789]*:*)
 UNAME_PROCESSOR=`uname -p`
 if test "$UNAME_PROCESSOR" = x86; then
 UNAME_PROCESSOR=i386
 UNAME_MACHINE=pc
 fi
- echo "$UNAME_PROCESSOR"-"$UNAME_MACHINE"-nto-qnx"$UNAME_RELEASE"
- exit ;;
+ GUESS=$UNAME_PROCESSOR-$UNAME_MACHINE-nto-qnx$UNAME_RELEASE
+ ;;
 *:QNX:*:4*)
- echo i386-pc-qnx
- exit ;;
+ GUESS=i386-pc-qnx
+ ;;
 NEO-*:NONSTOP_KERNEL:*:*)
- echo neo-tandem-nsk"$UNAME_RELEASE"
- exit ;;
+ GUESS=neo-tandem-nsk$UNAME_RELEASE
+ ;;
 NSE-*:NONSTOP_KERNEL:*:*)
- echo nse-tandem-nsk"$UNAME_RELEASE"
- exit ;;
+ GUESS=nse-tandem-nsk$UNAME_RELEASE
+ ;;
 NSR-*:NONSTOP_KERNEL:*:*)
- echo nsr-tandem-nsk"$UNAME_RELEASE"
- exit ;;
+ GUESS=nsr-tandem-nsk$UNAME_RELEASE
+ ;;
 NSV-*:NONSTOP_KERNEL:*:*)
- echo nsv-tandem-nsk"$UNAME_RELEASE"
- exit ;;
+ GUESS=nsv-tandem-nsk$UNAME_RELEASE
+ ;;
 NSX-*:NONSTOP_KERNEL:*:*)
- echo nsx-tandem-nsk"$UNAME_RELEASE"
- exit ;;
+ GUESS=nsx-tandem-nsk$UNAME_RELEASE
+ ;;
 *:NonStop-UX:*:*)
- echo mips-compaq-nonstopux
- exit ;;
+ GUESS=mips-compaq-nonstopux
+ ;;
 BS2000:POSIX*:*:*)
- echo bs2000-siemens-sysv
- exit ;;
+ GUESS=bs2000-siemens-sysv
+ ;;
 DS/*:UNIX_System_V:*:*)
- echo "$UNAME_MACHINE"-"$UNAME_SYSTEM"-"$UNAME_RELEASE"
- exit ;;
+ GUESS=$UNAME_MACHINE-$UNAME_SYSTEM-$UNAME_RELEASE
+ ;;
 *:Plan9:*:*)
 # "uname -m" is not consistent, so use $cputype instead. 386
 # is converted to i386 for consistency with other x86
 # operating systems.
- if test "$cputype" = 386; then
+ if test "${cputype-}" = 386; then
 UNAME_MACHINE=i386
- else
- UNAME_MACHINE="$cputype"
+ elif test "x${cputype-}" != x; then
+ UNAME_MACHINE=$cputype
 fi
- echo "$UNAME_MACHINE"-unknown-plan9
- exit ;;
+ GUESS=$UNAME_MACHINE-unknown-plan9
+ ;;
 *:TOPS-10:*:*)
- echo pdp10-unknown-tops10
- exit ;;
+ GUESS=pdp10-unknown-tops10
+ ;;
 *:TENEX:*:*)
- echo pdp10-unknown-tenex
- exit ;;
+ GUESS=pdp10-unknown-tenex
+ ;;
 KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
- echo pdp10-dec-tops20
- exit ;;
+ GUESS=pdp10-dec-tops20
+ ;;
 XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
- echo pdp10-xkl-tops20
- exit ;;
+ GUESS=pdp10-xkl-tops20
+ ;;
 *:TOPS-20:*:*)
- echo pdp10-unknown-tops20
- exit ;;
+ GUESS=pdp10-unknown-tops20
+ ;;
 *:ITS:*:*)
- echo pdp10-unknown-its
- exit ;;
+ GUESS=pdp10-unknown-its
+ ;;
 SEI:*:*:SEIUX)
- echo mips-sei-seiux"$UNAME_RELEASE"
- exit ;;
+ GUESS=mips-sei-seiux$UNAME_RELEASE
+ ;;
 *:DragonFly:*:*)
- echo "$UNAME_MACHINE"-unknown-dragonfly"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`"
- exit ;;
+ DRAGONFLY_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'`
+ GUESS=$UNAME_MACHINE-unknown-dragonfly$DRAGONFLY_REL
+ ;;
 *:*VMS:*:*)
 UNAME_MACHINE=`(uname -p) 2>/dev/null`
- case "$UNAME_MACHINE" in
- A*) echo alpha-dec-vms ; exit ;;
- I*) echo ia64-dec-vms ; exit ;;
- V*) echo vax-dec-vms ; exit ;;
+ case $UNAME_MACHINE in
+ A*) GUESS=alpha-dec-vms ;;
+ I*) GUESS=ia64-dec-vms ;;
+ V*) GUESS=vax-dec-vms ;;
 esac ;;
 *:XENIX:*:SysV)
- echo i386-pc-xenix
- exit ;;
+ GUESS=i386-pc-xenix
+ ;;
 i*86:skyos:*:*)
- echo "$UNAME_MACHINE"-pc-skyos"`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'`"
- exit ;;
+ SKYOS_REL=`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'`
+ GUESS=$UNAME_MACHINE-pc-skyos$SKYOS_REL
+ ;;
 i*86:rdos:*:*)
- echo "$UNAME_MACHINE"-pc-rdos
- exit ;;
- i*86:AROS:*:*)
- echo "$UNAME_MACHINE"-pc-aros
- exit ;;
+ GUESS=$UNAME_MACHINE-pc-rdos
+ ;;
+ i*86:Fiwix:*:*)
+ GUESS=$UNAME_MACHINE-pc-fiwix
+ ;;
+ *:AROS:*:*)
+
GUESS=$UNAME_MACHINE-unknown-aros + ;; x86_64:VMkernel:*:*) - echo "$UNAME_MACHINE"-unknown-esx - exit ;; + GUESS=$UNAME_MACHINE-unknown-esx + ;; amd64:Isilon\ OneFS:*:*) - echo x86_64-unknown-onefs - exit ;; + GUESS=x86_64-unknown-onefs + ;; + *:Unleashed:*:*) + GUESS=$UNAME_MACHINE-unknown-unleashed$UNAME_RELEASE + ;; esac +# Do we have a guess based on uname results? +if test "x$GUESS" != x; then + echo "$GUESS" + exit +fi + +# No uname command or uname output not recognized. +set_cc_for_build +cat > "$dummy.c" < +#include +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined (vax) || defined (__vax) || defined (__vax__) || defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#include +#if defined(_SIZE_T_) || defined(SIGLOST) +#include +#endif +#endif +#endif +main () +{ +#if defined (sony) +#if defined (MIPSEB) + /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, + I don't know.... 
*/ + printf ("mips-sony-bsd\n"); exit (0); +#else +#include + printf ("m68k-sony-newsos%s\n", +#ifdef NEWSOS4 + "4" +#else + "" +#endif + ); exit (0); +#endif +#endif + +#if defined (NeXT) +#if !defined (__ARCHITECTURE__) +#define __ARCHITECTURE__ "m68k" +#endif + int version; + version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; + if (version < 4) + printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); + else + printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); + exit (0); +#endif + +#if defined (MULTIMAX) || defined (n16) +#if defined (UMAXV) + printf ("ns32k-encore-sysv\n"); exit (0); +#else +#if defined (CMU) + printf ("ns32k-encore-mach\n"); exit (0); +#else + printf ("ns32k-encore-bsd\n"); exit (0); +#endif +#endif +#endif + +#if defined (__386BSD__) + printf ("i386-pc-bsd\n"); exit (0); +#endif + +#if defined (sequent) +#if defined (i386) + printf ("i386-sequent-dynix\n"); exit (0); +#endif +#if defined (ns32000) + printf ("ns32k-sequent-dynix\n"); exit (0); +#endif +#endif + +#if defined (_SEQUENT_) + struct utsname un; + + uname(&un); + if (strncmp(un.version, "V2", 2) == 0) { + printf ("i386-sequent-ptx2\n"); exit (0); + } + if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ + printf ("i386-sequent-ptx1\n"); exit (0); + } + printf ("i386-sequent-ptx\n"); exit (0); +#endif + +#if defined (vax) +#if !defined (ultrix) +#include +#if defined (BSD) +#if BSD == 43 + printf ("vax-dec-bsd4.3\n"); exit (0); +#else +#if BSD == 199006 + printf ("vax-dec-bsd4.3reno\n"); exit (0); +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#endif +#else + printf ("vax-dec-bsd\n"); exit (0); +#endif +#else +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname un; + uname (&un); + printf ("vax-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("vax-dec-ultrix\n"); exit (0); +#endif +#endif +#endif +#if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) +#if defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) +#if defined(_SIZE_T_) || defined(SIGLOST) + struct utsname *un; + uname (&un); + printf ("mips-dec-ultrix%s\n", un.release); exit (0); +#else + printf ("mips-dec-ultrix\n"); exit (0); +#endif +#endif +#endif + +#if defined (alliant) && defined (i860) + printf ("i860-alliant-bsd\n"); exit (0); +#endif + + exit (1); +} +EOF + +$CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null && SYSTEM_NAME=`"$dummy"` && + { echo "$SYSTEM_NAME"; exit; } + +# Apollos put the system type in the environment. +test -d /usr/apollo && { echo "$ISP-apollo-$SYSTYPE"; exit; } + echo "$0: unable to guess system type" >&2 -case "$UNAME_MACHINE:$UNAME_SYSTEM" in +case $UNAME_MACHINE:$UNAME_SYSTEM in mips:Linux | mips64:Linux) # If we got here on MIPS GNU/Linux, output extra information. cat >&2 <&2 <&2 exit 1 ;; *local*) 
@@ -110,1223 +119,1186 @@ exit 1;; esac -# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). -# Here we must recognize all the valid KERNEL-OS combinations. -maybe_os=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` -case $maybe_os in - nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ - knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ - kopensolaris*-gnu* | cloudabi*-eabi* | \ - storm-chaos* | os2-emx* | rtmk-nova*) - os=-$maybe_os - basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` - ;; - android-linux) - os=-linux-android - basic_machine=`echo "$1" | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown - ;; - *) - basic_machine=`echo "$1" | sed 's/-[^-]*$//'` - if [ "$basic_machine" != "$1" ] - then os=`echo "$1" | sed 's/.*-/-/'` - else os=; fi - ;; -esac - -### Let's recognize common machines as not being operating systems so -### that things like config.sub decstation-3100 work. We also -### recognize some manufacturers as not being operating systems, so we -### can provide default operating systems below. -case $os in - -sun*os*) - # Prevent following clause from handling this invalid input. 
- ;; - -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ - -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ - -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ - -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ - -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ - -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze*) - os= - basic_machine=$1 - ;; - -bluegene*) - os=-cnk - ;; - -sim | -cisco | -oki | -wec | -winbond) - os= - basic_machine=$1 - ;; - -scout) - ;; - -wrs) - os=-vxworks - basic_machine=$1 - ;; - -chorusos*) - os=-chorusos - basic_machine=$1 - ;; - -chorusrdb) - os=-chorusrdb - basic_machine=$1 - ;; - -hiux*) - os=-hiuxwe2 - ;; - -sco6) - os=-sco5v6 - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -sco5) - os=-sco3.2v5 - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -sco4) - os=-sco3.2v4 - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2.[4-9]*) - os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2v[4-9]*) - # Don't forget version if it is 3.2v4 or newer. - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -sco5v6*) - # Don't forget version if it is 3.2v4 or newer. 
- basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -sco*) - os=-sco3.2v2 - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -udk*) - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -isc) - os=-isc2.2 - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -clix*) - basic_machine=clipper-intergraph - ;; - -isc*) - basic_machine=`echo "$1" | sed -e 's/86-.*/86-pc/'` - ;; - -lynx*178) - os=-lynxos178 - ;; - -lynx*5) - os=-lynxos5 +# Split fields of configuration type +# shellcheck disable=SC2162 +saved_IFS=$IFS +IFS="-" read field1 field2 field3 field4 <&2 + exit 1 ;; - -lynx*) - os=-lynxos + *-*-*-*) + basic_machine=$field1-$field2 + basic_os=$field3-$field4 ;; - -ptx*) - basic_machine=`echo "$1" | sed -e 's/86-.*/86-sequent/'` + *-*-*) + # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two + # parts + maybe_os=$field2-$field3 + case $maybe_os in + nto-qnx* | linux-* | uclinux-uclibc* \ + | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ + | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ + | storm-chaos* | os2-emx* | rtmk-nova*) + basic_machine=$field1 + basic_os=$maybe_os + ;; + android-linux) + basic_machine=$field1-unknown + basic_os=linux-android + ;; + *) + basic_machine=$field1-$field2 + basic_os=$field3 + ;; + esac ;; - -psos*) - os=-psos + *-*) + # A lone config we happen to match not fitting any pattern + case $field1-$field2 in + decstation-3100) + basic_machine=mips-dec + basic_os= + ;; + *-*) + # Second component is usually, but not always the OS + case $field2 in + # Prevent following clause from handling this valid os + sun*os*) + basic_machine=$field1 + basic_os=$field2 + ;; + zephyr*) + basic_machine=$field1-unknown + basic_os=$field2 + ;; + # Manufacturers + dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ + | att* | 7300* | 3300* | delta* | motorola* | sun[234]* \ + | unicom* | ibm* | next | hp | isi* | apollo | altos* \ + | convergent* | ncr* | news | 32* | 
3600* | 3100* \ + | hitachi* | c[123]* | convex* | sun | crds | omron* | dg \ + | ultra | tti* | harris | dolphin | highlevel | gould \ + | cbm | ns | masscomp | apple | axis | knuth | cray \ + | microblaze* | sim | cisco \ + | oki | wec | wrs | winbond) + basic_machine=$field1-$field2 + basic_os= + ;; + *) + basic_machine=$field1 + basic_os=$field2 + ;; + esac + ;; + esac ;; - -mint | -mint[0-9]*) - basic_machine=m68k-atari - os=-mint + *) + # Convert single-component short-hands not valid as part of + # multi-component configurations. + case $field1 in + 386bsd) + basic_machine=i386-pc + basic_os=bsd + ;; + a29khif) + basic_machine=a29k-amd + basic_os=udi + ;; + adobe68k) + basic_machine=m68010-adobe + basic_os=scout + ;; + alliant) + basic_machine=fx80-alliant + basic_os= + ;; + altos | altos3068) + basic_machine=m68k-altos + basic_os= + ;; + am29k) + basic_machine=a29k-none + basic_os=bsd + ;; + amdahl) + basic_machine=580-amdahl + basic_os=sysv + ;; + amiga) + basic_machine=m68k-unknown + basic_os= + ;; + amigaos | amigados) + basic_machine=m68k-unknown + basic_os=amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + basic_os=sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + basic_os=sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + basic_os=bsd + ;; + aros) + basic_machine=i386-pc + basic_os=aros + ;; + aux) + basic_machine=m68k-apple + basic_os=aux + ;; + balance) + basic_machine=ns32k-sequent + basic_os=dynix + ;; + blackfin) + basic_machine=bfin-unknown + basic_os=linux + ;; + cegcc) + basic_machine=arm-unknown + basic_os=cegcc + ;; + convex-c1) + basic_machine=c1-convex + basic_os=bsd + ;; + convex-c2) + basic_machine=c2-convex + basic_os=bsd + ;; + convex-c32) + basic_machine=c32-convex + basic_os=bsd + ;; + convex-c34) + basic_machine=c34-convex + basic_os=bsd + ;; + convex-c38) + basic_machine=c38-convex + basic_os=bsd + ;; + cray) + basic_machine=j90-cray + basic_os=unicos + ;; + crds | unos) + basic_machine=m68k-crds + basic_os= + 
;; + da30) + basic_machine=m68k-da30 + basic_os= + ;; + decstation | pmax | pmin | dec3100 | decstatn) + basic_machine=mips-dec + basic_os= + ;; + delta88) + basic_machine=m88k-motorola + basic_os=sysv3 + ;; + dicos) + basic_machine=i686-pc + basic_os=dicos + ;; + djgpp) + basic_machine=i586-pc + basic_os=msdosdjgpp + ;; + ebmon29k) + basic_machine=a29k-amd + basic_os=ebmon + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + basic_os=ose + ;; + gmicro) + basic_machine=tron-gmicro + basic_os=sysv + ;; + go32) + basic_machine=i386-pc + basic_os=go32 + ;; + h8300hms) + basic_machine=h8300-hitachi + basic_os=hms + ;; + h8300xray) + basic_machine=h8300-hitachi + basic_os=xray + ;; + h8500hms) + basic_machine=h8500-hitachi + basic_os=hms + ;; + harris) + basic_machine=m88k-harris + basic_os=sysv3 + ;; + hp300 | hp300hpux) + basic_machine=m68k-hp + basic_os=hpux + ;; + hp300bsd) + basic_machine=m68k-hp + basic_os=bsd + ;; + hppaosf) + basic_machine=hppa1.1-hp + basic_os=osf + ;; + hppro) + basic_machine=hppa1.1-hp + basic_os=proelf + ;; + i386mach) + basic_machine=i386-mach + basic_os=mach + ;; + isi68 | isi) + basic_machine=m68k-isi + basic_os=sysv + ;; + m68knommu) + basic_machine=m68k-unknown + basic_os=linux + ;; + magnum | m3230) + basic_machine=mips-mips + basic_os=sysv + ;; + merlin) + basic_machine=ns32k-utek + basic_os=sysv + ;; + mingw64) + basic_machine=x86_64-pc + basic_os=mingw64 + ;; + mingw32) + basic_machine=i686-pc + basic_os=mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + basic_os=mingw32ce + ;; + monitor) + basic_machine=m68k-rom68k + basic_os=coff + ;; + morphos) + basic_machine=powerpc-unknown + basic_os=morphos + ;; + moxiebox) + basic_machine=moxie-unknown + basic_os=moxiebox + ;; + msdos) + basic_machine=i386-pc + basic_os=msdos + ;; + msys) + basic_machine=i686-pc + basic_os=msys + ;; + mvs) + basic_machine=i370-ibm + basic_os=mvs + ;; + nacl) + basic_machine=le32-unknown + basic_os=nacl + ;; + ncr3000) + 
basic_machine=i486-ncr + basic_os=sysv4 + ;; + netbsd386) + basic_machine=i386-pc + basic_os=netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + basic_os=linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + basic_os=newsos + ;; + news1000) + basic_machine=m68030-sony + basic_os=newsos + ;; + necv70) + basic_machine=v70-nec + basic_os=sysv + ;; + nh3000) + basic_machine=m68k-harris + basic_os=cxux + ;; + nh[45]000) + basic_machine=m88k-harris + basic_os=cxux + ;; + nindy960) + basic_machine=i960-intel + basic_os=nindy + ;; + mon960) + basic_machine=i960-intel + basic_os=mon960 + ;; + nonstopux) + basic_machine=mips-compaq + basic_os=nonstopux + ;; + os400) + basic_machine=powerpc-ibm + basic_os=os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + basic_os=ose + ;; + os68k) + basic_machine=m68k-none + basic_os=os68k + ;; + paragon) + basic_machine=i860-intel + basic_os=osf + ;; + parisc) + basic_machine=hppa-unknown + basic_os=linux + ;; + psp) + basic_machine=mipsallegrexel-sony + basic_os=psp + ;; + pw32) + basic_machine=i586-unknown + basic_os=pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + basic_os=rdos + ;; + rdos32) + basic_machine=i386-pc + basic_os=rdos + ;; + rom68k) + basic_machine=m68k-rom68k + basic_os=coff + ;; + sa29200) + basic_machine=a29k-amd + basic_os=udi + ;; + sei) + basic_machine=mips-sei + basic_os=seiux + ;; + sequent) + basic_machine=i386-sequent + basic_os= + ;; + sps7) + basic_machine=m68k-bull + basic_os=sysv2 + ;; + st2000) + basic_machine=m68k-tandem + basic_os= + ;; + stratus) + basic_machine=i860-stratus + basic_os=sysv4 + ;; + sun2) + basic_machine=m68000-sun + basic_os= + ;; + sun2os3) + basic_machine=m68000-sun + basic_os=sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + basic_os=sunos4 + ;; + sun3) + basic_machine=m68k-sun + basic_os= + ;; + sun3os3) + basic_machine=m68k-sun + basic_os=sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + basic_os=sunos4 + ;; + sun4) + 
basic_machine=sparc-sun + basic_os= + ;; + sun4os3) + basic_machine=sparc-sun + basic_os=sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + basic_os=sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + basic_os=solaris2 + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + basic_os= + ;; + sv1) + basic_machine=sv1-cray + basic_os=unicos + ;; + symmetry) + basic_machine=i386-sequent + basic_os=dynix + ;; + t3e) + basic_machine=alphaev5-cray + basic_os=unicos + ;; + t90) + basic_machine=t90-cray + basic_os=unicos + ;; + toad1) + basic_machine=pdp10-xkl + basic_os=tops20 + ;; + tpf) + basic_machine=s390x-ibm + basic_os=tpf + ;; + udi29k) + basic_machine=a29k-amd + basic_os=udi + ;; + ultra3) + basic_machine=a29k-nyu + basic_os=sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + basic_os=none + ;; + vaxv) + basic_machine=vax-dec + basic_os=sysv + ;; + vms) + basic_machine=vax-dec + basic_os=vms + ;; + vsta) + basic_machine=i386-pc + basic_os=vsta + ;; + vxworks960) + basic_machine=i960-wrs + basic_os=vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + basic_os=vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + basic_os=vxworks + ;; + xbox) + basic_machine=i686-pc + basic_os=mingw32 + ;; + ymp) + basic_machine=ymp-cray + basic_os=unicos + ;; + *) + basic_machine=$1 + basic_os= + ;; + esac ;; esac -# Decode aliases for certain CPU-COMPANY combinations. +# Decode 1-component or ad-hoc basic machines case $basic_machine in - # Recognize the basic CPU types without company name. - # Some are omitted here because they have special meanings below. 
- 1750a | 580 \ - | a29k \ - | aarch64 | aarch64_be \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ - | am33_2.0 \ - | arc | arceb \ - | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ - | avr | avr32 \ - | ba \ - | be32 | be64 \ - | bfin \ - | c4x | c8051 | clipper \ - | d10v | d30v | dlx | dsp16xx \ - | e2k | epiphany \ - | fido | fr30 | frv | ft32 \ - | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ - | hexagon \ - | i370 | i860 | i960 | ia16 | ia64 \ - | ip2k | iq2000 \ - | k1om \ - | le32 | le64 \ - | lm32 \ - | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ - | mips | mipsbe | mipseb | mipsel | mipsle \ - | mips16 \ - | mips64 | mips64el \ - | mips64octeon | mips64octeonel \ - | mips64orion | mips64orionel \ - | mips64r5900 | mips64r5900el \ - | mips64vr | mips64vrel \ - | mips64vr4100 | mips64vr4100el \ - | mips64vr4300 | mips64vr4300el \ - | mips64vr5000 | mips64vr5000el \ - | mips64vr5900 | mips64vr5900el \ - | mipsisa32 | mipsisa32el \ - | mipsisa32r2 | mipsisa32r2el \ - | mipsisa32r6 | mipsisa32r6el \ - | mipsisa64 | mipsisa64el \ - | mipsisa64r2 | mipsisa64r2el \ - | mipsisa64r6 | mipsisa64r6el \ - | mipsisa64sb1 | mipsisa64sb1el \ - | mipsisa64sr71k | mipsisa64sr71kel \ - | mipsr5900 | mipsr5900el \ - | mipstx39 | mipstx39el \ - | mn10200 | mn10300 \ - | moxie \ - | mt \ - | msp430 \ - | nds32 | nds32le | nds32be \ - | nios | nios2 | nios2eb | nios2el \ - | ns16k | ns32k \ - | open8 | or1k | or1knd | or32 \ - | pdp10 | pj | pjl \ - | powerpc | powerpc64 | powerpc64le | powerpcle \ - | pru \ - | pyramid \ - | riscv32 | riscv64 \ - | rl78 | rx \ - | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ - | sh64 | sh64le \ - | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | 
sparclite \ - | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ - | spu \ - | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ - | ubicom32 \ - | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ - | visium \ - | wasm32 \ - | x86 | xc16x | xstormy16 | xtensa \ - | z8k | z80) - basic_machine=$basic_machine-unknown - ;; - c54x) - basic_machine=tic54x-unknown - ;; - c55x) - basic_machine=tic55x-unknown - ;; - c6x) - basic_machine=tic6x-unknown - ;; - leon|leon[3-9]) - basic_machine=sparc-$basic_machine - ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) - basic_machine=$basic_machine-unknown - os=-none + # Here we handle the default manufacturer of certain CPU types. It is in + # some cases the only manufacturer, in others, it is the most popular. + w89k) + cpu=hppa1.1 + vendor=winbond ;; - m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65) + op50n) + cpu=hppa1.1 + vendor=oki ;; - ms1) - basic_machine=mt-unknown + op60c) + cpu=hppa1.1 + vendor=oki ;; - - strongarm | thumb | xscale) - basic_machine=arm-unknown + ibm*) + cpu=i370 + vendor=ibm ;; - xgate) - basic_machine=$basic_machine-unknown - os=-none + orion105) + cpu=clipper + vendor=highlevel ;; - xscaleeb) - basic_machine=armeb-unknown + mac | mpw | mac-mpw) + cpu=m68k + vendor=apple ;; - - xscaleel) - basic_machine=armel-unknown + pmac | pmac-mpw) + cpu=powerpc + vendor=apple ;; - # We use `pc' rather than `unknown' - # because (1) that's what they normally are, and - # (2) the word "unknown" tends to confuse beginning users. - i*86 | x86_64) - basic_machine=$basic_machine-pc - ;; - # Object if more than one company name word. - *-*-*) - echo Invalid configuration \`"$1"\': machine \`"$basic_machine"\' not recognized 1>&2 - exit 1 - ;; - # Recognize the basic CPU types with company name. 
- 580-* \ - | a29k-* \ - | aarch64-* | aarch64_be-* \ - | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ - | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ - | avr-* | avr32-* \ - | ba-* \ - | be32-* | be64-* \ - | bfin-* | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | c8051-* | clipper-* | craynv-* | cydra-* \ - | d10v-* | d30v-* | dlx-* \ - | e2k-* | elxsi-* \ - | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ - | h8300-* | h8500-* \ - | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ - | hexagon-* \ - | i*86-* | i860-* | i960-* | ia16-* | ia64-* \ - | ip2k-* | iq2000-* \ - | k1om-* \ - | le32-* | le64-* \ - | lm32-* \ - | m32c-* | m32r-* | m32rle-* \ - | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ - | microblaze-* | microblazeel-* \ - | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ - | mips16-* \ - | mips64-* | mips64el-* \ - | mips64octeon-* | mips64octeonel-* \ - | mips64orion-* | mips64orionel-* \ - | mips64r5900-* | mips64r5900el-* \ - | mips64vr-* | mips64vrel-* \ - | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* \ - | mips64vr5000-* | mips64vr5000el-* \ - | mips64vr5900-* | mips64vr5900el-* \ - | mipsisa32-* | mipsisa32el-* \ - | mipsisa32r2-* | mipsisa32r2el-* \ - | mipsisa32r6-* | mipsisa32r6el-* \ - | mipsisa64-* | mipsisa64el-* \ - | mipsisa64r2-* | mipsisa64r2el-* \ - | mipsisa64r6-* | mipsisa64r6el-* \ - | mipsisa64sb1-* | mipsisa64sb1el-* \ - | mipsisa64sr71k-* | mipsisa64sr71kel-* \ - | mipsr5900-* | mipsr5900el-* \ - | mipstx39-* | mipstx39el-* \ - | mmix-* \ - | mt-* \ - | msp430-* \ - | nds32-* | nds32le-* | nds32be-* \ - | nios-* | nios2-* | nios2eb-* | nios2el-* \ - | none-* | np1-* | ns16k-* | ns32k-* \ - | open8-* \ - | or1k*-* \ - | orion-* \ - | pdp10-* | pdp11-* 
| pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ - | pru-* \ - | pyramid-* \ - | riscv32-* | riscv64-* \ - | rl78-* | romp-* | rs6000-* | rx-* \ - | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ - | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ - | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ - | tahoe-* \ - | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile*-* \ - | tron-* \ - | ubicom32-* \ - | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ - | vax-* \ - | visium-* \ - | wasm32-* \ - | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* \ - | xstormy16-* | xtensa*-* \ - | ymp-* \ - | z8k-* | z80-*) - ;; - # Recognize the basic CPU types without company name, with glob match. - xtensa*) - basic_machine=$basic_machine-unknown - ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 
- 386bsd) - basic_machine=i386-pc - os=-bsd - ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) - basic_machine=m68000-att + cpu=m68000 + vendor=att ;; 3b*) - basic_machine=we32k-att - ;; - a29khif) - basic_machine=a29k-amd - os=-udi - ;; - abacus) - basic_machine=abacus-unknown - ;; - adobe68k) - basic_machine=m68010-adobe - os=-scout - ;; - alliant | fx80) - basic_machine=fx80-alliant - ;; - altos | altos3068) - basic_machine=m68k-altos - ;; - am29k) - basic_machine=a29k-none - os=-bsd - ;; - amd64) - basic_machine=x86_64-pc - ;; - amd64-*) - basic_machine=x86_64-`echo "$basic_machine" | sed 's/^[^-]*-//'` - ;; - amdahl) - basic_machine=580-amdahl - os=-sysv - ;; - amiga | amiga-*) - basic_machine=m68k-unknown - ;; - amigaos | amigados) - basic_machine=m68k-unknown - os=-amigaos - ;; - amigaunix | amix) - basic_machine=m68k-unknown - os=-sysv4 - ;; - apollo68) - basic_machine=m68k-apollo - os=-sysv - ;; - apollo68bsd) - basic_machine=m68k-apollo - os=-bsd - ;; - aros) - basic_machine=i386-pc - os=-aros - ;; - asmjs) - basic_machine=asmjs-unknown - ;; - aux) - basic_machine=m68k-apple - os=-aux - ;; - balance) - basic_machine=ns32k-sequent - os=-dynix - ;; - blackfin) - basic_machine=bfin-unknown - os=-linux - ;; - blackfin-*) - basic_machine=bfin-`echo "$basic_machine" | sed 's/^[^-]*-//'` - os=-linux + cpu=we32k + vendor=att ;; bluegene*) - basic_machine=powerpc-ibm - os=-cnk - ;; - c54x-*) - basic_machine=tic54x-`echo "$basic_machine" | sed 's/^[^-]*-//'` - ;; - c55x-*) - basic_machine=tic55x-`echo "$basic_machine" | sed 's/^[^-]*-//'` - ;; - c6x-*) - basic_machine=tic6x-`echo "$basic_machine" | sed 's/^[^-]*-//'` - ;; - c90) - basic_machine=c90-cray - os=-unicos - ;; - cegcc) - basic_machine=arm-unknown - os=-cegcc - ;; - convex-c1) - basic_machine=c1-convex - os=-bsd - ;; - convex-c2) - basic_machine=c2-convex - os=-bsd - ;; - convex-c32) - basic_machine=c32-convex - os=-bsd - ;; - convex-c34) - basic_machine=c34-convex - os=-bsd - ;; - 
convex-c38) - basic_machine=c38-convex - os=-bsd - ;; - cray | j90) - basic_machine=j90-cray - os=-unicos - ;; - craynv) - basic_machine=craynv-cray - os=-unicosmp - ;; - cr16 | cr16-*) - basic_machine=cr16-unknown - os=-elf - ;; - crds | unos) - basic_machine=m68k-crds - ;; - crisv32 | crisv32-* | etraxfs*) - basic_machine=crisv32-axis - ;; - cris | cris-* | etrax*) - basic_machine=cris-axis - ;; - crx) - basic_machine=crx-unknown - os=-elf - ;; - da30 | da30-*) - basic_machine=m68k-da30 - ;; - decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) - basic_machine=mips-dec + cpu=powerpc + vendor=ibm + basic_os=cnk ;; decsystem10* | dec10*) - basic_machine=pdp10-dec - os=-tops10 + cpu=pdp10 + vendor=dec + basic_os=tops10 ;; decsystem20* | dec20*) - basic_machine=pdp10-dec - os=-tops20 + cpu=pdp10 + vendor=dec + basic_os=tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) - basic_machine=m68k-motorola - ;; - delta88) - basic_machine=m88k-motorola - os=-sysv3 - ;; - dicos) - basic_machine=i686-pc - os=-dicos - ;; - djgpp) - basic_machine=i586-pc - os=-msdosdjgpp - ;; - dpx20 | dpx20-*) - basic_machine=rs6000-bull - os=-bosx + cpu=m68k + vendor=motorola ;; dpx2*) - basic_machine=m68k-bull - os=-sysv3 - ;; - e500v[12]) - basic_machine=powerpc-unknown - os=$os"spe" - ;; - e500v[12]-*) - basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'` - os=$os"spe" - ;; - ebmon29k) - basic_machine=a29k-amd - os=-ebmon - ;; - elxsi) - basic_machine=elxsi-elxsi - os=-bsd + cpu=m68k + vendor=bull + basic_os=sysv3 ;; encore | umax | mmax) - basic_machine=ns32k-encore + cpu=ns32k + vendor=encore ;; - es1800 | OSE68k | ose68k | ose | OSE) - basic_machine=m68k-ericsson - os=-ose + elxsi) + cpu=elxsi + vendor=elxsi + basic_os=${basic_os:-bsd} ;; fx2800) - basic_machine=i860-alliant + cpu=i860 + vendor=alliant ;; genix) - basic_machine=ns32k-ns - ;; - gmicro) - basic_machine=tron-gmicro - os=-sysv - ;; - go32) - 
basic_machine=i386-pc - os=-go32 + cpu=ns32k + vendor=ns ;; h3050r* | hiux*) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - h8300hms) - basic_machine=h8300-hitachi - os=-hms - ;; - h8300xray) - basic_machine=h8300-hitachi - os=-xray - ;; - h8500hms) - basic_machine=h8500-hitachi - os=-hms - ;; - harris) - basic_machine=m88k-harris - os=-sysv3 - ;; - hp300-*) - basic_machine=m68k-hp - ;; - hp300bsd) - basic_machine=m68k-hp - os=-bsd - ;; - hp300hpux) - basic_machine=m68k-hp - os=-hpux + cpu=hppa1.1 + vendor=hitachi + basic_os=hiuxwe2 ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) - basic_machine=m68000-hp + cpu=m68000 + vendor=hp ;; hp9k3[2-9][0-9]) - basic_machine=m68k-hp + cpu=m68k + vendor=hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - hppaosf) - basic_machine=hppa1.1-hp - os=-osf - ;; - hppro) - basic_machine=hppa1.1-hp - os=-proelf - ;; - i370-ibm* | ibm*) - basic_machine=i370-ibm + cpu=hppa1.0 + vendor=hp ;; i*86v32) - basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'` - os=-sysv32 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv32 ;; i*86v4*) - basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'` - os=-sysv4 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=sysv4 ;; i*86v) - basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'` - os=-sysv + cpu=`echo "$1" | sed -e 's/86.*/86/'` + 
vendor=pc + basic_os=sysv ;; i*86sol2) - basic_machine=`echo "$1" | sed -e 's/86.*/86-pc/'` - os=-solaris2 - ;; - i386mach) - basic_machine=i386-mach - os=-mach - ;; - vsta) - basic_machine=i386-unknown - os=-vsta + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + basic_os=solaris2 + ;; + j90 | j90-cray) + cpu=j90 + vendor=cray + basic_os=${basic_os:-unicos} ;; iris | iris4d) - basic_machine=mips-sgi - case $os in - -irix*) + cpu=mips + vendor=sgi + case $basic_os in + irix*) ;; *) - os=-irix4 + basic_os=irix4 ;; esac ;; - isi68 | isi) - basic_machine=m68k-isi - os=-sysv - ;; - leon-*|leon[3-9]-*) - basic_machine=sparc-`echo "$basic_machine" | sed 's/-.*//'` - ;; - m68knommu) - basic_machine=m68k-unknown - os=-linux - ;; - m68knommu-*) - basic_machine=m68k-`echo "$basic_machine" | sed 's/^[^-]*-//'` - os=-linux - ;; - magnum | m3230) - basic_machine=mips-mips - os=-sysv - ;; - merlin) - basic_machine=ns32k-utek - os=-sysv - ;; - microblaze*) - basic_machine=microblaze-xilinx - ;; - mingw64) - basic_machine=x86_64-pc - os=-mingw64 - ;; - mingw32) - basic_machine=i686-pc - os=-mingw32 - ;; - mingw32ce) - basic_machine=arm-unknown - os=-mingw32ce - ;; miniframe) - basic_machine=m68000-convergent - ;; - *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) - basic_machine=m68k-atari - os=-mint + cpu=m68000 + vendor=convergent ;; - mips3*-*) - basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'` - ;; - mips3*) - basic_machine=`echo "$basic_machine" | sed -e 's/mips3/mips64/'`-unknown - ;; - monitor) - basic_machine=m68k-rom68k - os=-coff - ;; - morphos) - basic_machine=powerpc-unknown - os=-morphos - ;; - moxiebox) - basic_machine=moxie-unknown - os=-moxiebox - ;; - msdos) - basic_machine=i386-pc - os=-msdos - ;; - ms1-*) - basic_machine=`echo "$basic_machine" | sed -e 's/ms1-/mt-/'` - ;; - msys) - basic_machine=i686-pc - os=-msys - ;; - mvs) - basic_machine=i370-ibm - os=-mvs - ;; - nacl) - basic_machine=le32-unknown - os=-nacl - ;; - ncr3000) - 
basic_machine=i486-ncr - os=-sysv4 - ;; - netbsd386) - basic_machine=i386-unknown - os=-netbsd - ;; - netwinder) - basic_machine=armv4l-rebel - os=-linux - ;; - news | news700 | news800 | news900) - basic_machine=m68k-sony - os=-newsos - ;; - news1000) - basic_machine=m68030-sony - os=-newsos + *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) + cpu=m68k + vendor=atari + basic_os=mint ;; news-3600 | risc-news) - basic_machine=mips-sony - os=-newsos - ;; - necv70) - basic_machine=v70-nec - os=-sysv + cpu=mips + vendor=sony + basic_os=newsos ;; next | m*-next) - basic_machine=m68k-next - case $os in - -nextstep* ) + cpu=m68k + vendor=next + case $basic_os in + openstep*) + ;; + nextstep*) ;; - -ns2*) - os=-nextstep2 + ns2*) + basic_os=nextstep2 ;; *) - os=-nextstep3 + basic_os=nextstep3 ;; esac ;; - nh3000) - basic_machine=m68k-harris - os=-cxux - ;; - nh[45]000) - basic_machine=m88k-harris - os=-cxux - ;; - nindy960) - basic_machine=i960-intel - os=-nindy - ;; - mon960) - basic_machine=i960-intel - os=-mon960 - ;; - nonstopux) - basic_machine=mips-compaq - os=-nonstopux - ;; np1) - basic_machine=np1-gould - ;; - neo-tandem) - basic_machine=neo-tandem - ;; - nse-tandem) - basic_machine=nse-tandem - ;; - nsr-tandem) - basic_machine=nsr-tandem - ;; - nsv-tandem) - basic_machine=nsv-tandem - ;; - nsx-tandem) - basic_machine=nsx-tandem + cpu=np1 + vendor=gould ;; op50n-* | op60c-*) - basic_machine=hppa1.1-oki - os=-proelf - ;; - openrisc | openrisc-*) - basic_machine=or32-unknown - ;; - os400) - basic_machine=powerpc-ibm - os=-os400 - ;; - OSE68000 | ose68000) - basic_machine=m68000-ericsson - os=-ose - ;; - os68k) - basic_machine=m68k-none - os=-os68k + cpu=hppa1.1 + vendor=oki + basic_os=proelf ;; pa-hitachi) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - paragon) - basic_machine=i860-intel - os=-osf - ;; - parisc) - basic_machine=hppa-unknown - os=-linux - ;; - parisc-*) - basic_machine=hppa-`echo "$basic_machine" | sed 's/^[^-]*-//'` - os=-linux + cpu=hppa1.1 + 
vendor=hitachi + basic_os=hiuxwe2 ;; pbd) - basic_machine=sparc-tti + cpu=sparc + vendor=tti ;; pbb) - basic_machine=m68k-tti + cpu=m68k + vendor=tti ;; - pc532 | pc532-*) - basic_machine=ns32k-pc532 + pc532) + cpu=ns32k + vendor=pc532 ;; - pc98) - basic_machine=i386-pc + pn) + cpu=pn + vendor=gould ;; - pc98-*) - basic_machine=i386-`echo "$basic_machine" | sed 's/^[^-]*-//'` + power) + cpu=power + vendor=ibm ;; - pentium | p5 | k5 | k6 | nexgen | viac3) - basic_machine=i586-pc + ps2) + cpu=i386 + vendor=ibm ;; - pentiumpro | p6 | 6x86 | athlon | athlon_*) - basic_machine=i686-pc + rm[46]00) + cpu=mips + vendor=siemens ;; - pentiumii | pentium2 | pentiumiii | pentium3) - basic_machine=i686-pc + rtpc | rtpc-*) + cpu=romp + vendor=ibm ;; - pentium4) - basic_machine=i786-pc + sde) + cpu=mipsisa32 + vendor=sde + basic_os=${basic_os:-elf} ;; - pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) - basic_machine=i586-`echo "$basic_machine" | sed 's/^[^-]*-//'` + simso-wrs) + cpu=sparclite + vendor=wrs + basic_os=vxworks ;; - pentiumpro-* | p6-* | 6x86-* | athlon-*) - basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'` + tower | tower-32) + cpu=m68k + vendor=ncr ;; - pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) - basic_machine=i686-`echo "$basic_machine" | sed 's/^[^-]*-//'` + vpp*|vx|vx-*) + cpu=f301 + vendor=fujitsu ;; - pentium4-*) - basic_machine=i786-`echo "$basic_machine" | sed 's/^[^-]*-//'` + w65) + cpu=w65 + vendor=wdc ;; - pn) - basic_machine=pn-gould + w89k-*) + cpu=hppa1.1 + vendor=winbond + basic_os=proelf ;; - power) basic_machine=power-ibm + none) + cpu=none + vendor=none ;; - ppc | ppcbe) basic_machine=powerpc-unknown + leon|leon[3-9]) + cpu=sparc + vendor=$basic_machine ;; - ppc-* | ppcbe-*) - basic_machine=powerpc-`echo "$basic_machine" | sed 's/^[^-]*-//'` + leon-*|leon[3-9]-*) + cpu=sparc + vendor=`echo "$basic_machine" | sed 's/-.*//'` ;; - ppcle | powerpclittle) - basic_machine=powerpcle-unknown + + *-*) + # shellcheck 
disable=SC2162 + saved_IFS=$IFS + IFS="-" read cpu vendor <&2 - exit 1 + # Recognize the canonical CPU types that are allowed with any + # company name. + case $cpu in + 1750a | 580 \ + | a29k \ + | aarch64 | aarch64_be \ + | abacus \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] \ + | alphapca5[67] | alpha64pca5[67] \ + | am33_2.0 \ + | amdgcn \ + | arc | arceb | arc32 | arc64 \ + | arm | arm[lb]e | arme[lb] | armv* \ + | avr | avr32 \ + | asmjs \ + | ba \ + | be32 | be64 \ + | bfin | bpf | bs2000 \ + | c[123]* | c30 | [cjt]90 | c4x \ + | c8051 | clipper | craynv | csky | cydra \ + | d10v | d30v | dlx | dsp16xx \ + | e2k | elxsi | epiphany \ + | f30[01] | f700 | fido | fr30 | frv | ft32 | fx80 \ + | h8300 | h8500 \ + | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ + | i370 | i*86 | i860 | i960 | ia16 | ia64 \ + | ip2k | iq2000 \ + | k1om \ + | le32 | le64 \ + | lm32 \ + | loongarch32 | loongarch64 | loongarchx32 \ + | m32c | m32r | m32rle \ + | m5200 | m68000 | m680[012346]0 | m68360 | m683?2 | m68k \ + | m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \ + | m88110 | m88k | maxq | mb | mcore | mep | metag \ + | microblaze | microblazeel \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64eb | mips64el \ + | mips64octeon | mips64octeonel \ + | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r3 | mipsisa32r3el \ + | mipsisa32r5 | mipsisa32r5el \ + | mipsisa32r6 | mipsisa32r6el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r3 | mipsisa64r3el \ + | mipsisa64r5 | mipsisa64r5el \ + | mipsisa64r6 | mipsisa64r6el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | 
mipsisa64sr71k | mipsisa64sr71kel \ + | mipsr5900 | mipsr5900el \ + | mipstx39 | mipstx39el \ + | mmix \ + | mn10200 | mn10300 \ + | moxie \ + | mt \ + | msp430 \ + | nds32 | nds32le | nds32be \ + | nfp \ + | nios | nios2 | nios2eb | nios2el \ + | none | np1 | ns16k | ns32k | nvptx \ + | open8 \ + | or1k* \ + | or32 \ + | orion \ + | picochip \ + | pdp10 | pdp11 | pj | pjl | pn | power \ + | powerpc | powerpc64 | powerpc64le | powerpcle | powerpcspe \ + | pru \ + | pyramid \ + | riscv | riscv32 | riscv32be | riscv64 | riscv64be \ + | rl78 | romp | rs6000 | rx \ + | s390 | s390x \ + | score \ + | sh | shl \ + | sh[1234] | sh[24]a | sh[24]ae[lb] | sh[23]e | she[lb] | sh[lb]e \ + | sh[1234]e[lb] | sh[12345][lb]e | sh[23]ele | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet \ + | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v | sv1 | sx* \ + | spu \ + | tahoe \ + | thumbv7* \ + | tic30 | tic4x | tic54x | tic55x | tic6x | tic80 \ + | tron \ + | ubicom32 \ + | v70 | v850 | v850e | v850e1 | v850es | v850e2 | v850e2v3 \ + | vax \ + | visium \ + | w65 \ + | wasm32 | wasm64 \ + | we32k \ + | x86 | x86_64 | xc16x | xgate | xps100 \ + | xstormy16 | xtensa* \ + | ymp \ + | z8k | z80) + ;; + + *) + echo Invalid configuration \`"$1"\': machine \`"$cpu-$vendor"\' not recognized 1>&2 + exit 1 + ;; + esac ;; esac # Here we canonicalize certain aliases for manufacturers. -case $basic_machine in - *-digital*) - basic_machine=`echo "$basic_machine" | sed 's/digital.*/dec/'` +case $vendor in + digital*) + vendor=dec ;; - *-commodore*) - basic_machine=`echo "$basic_machine" | sed 's/commodore.*/cbm/'` + commodore*) + vendor=cbm ;; *) ;; 
@@ -1334,203 +1306,215 @@ # Decode manufacturer-specific aliases for certain operating systems. -if [ x"$os" != x"" ] +if test x$basic_os != x then + +# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just +# set os. +case $basic_os in + gnu/linux*) + kernel=linux + os=`echo "$basic_os" | sed -e 's|gnu/linux|gnu|'` + ;; + os2-emx) + kernel=os2 + os=`echo "$basic_os" | sed -e 's|os2-emx|emx|'` + ;; + nto-qnx*) + kernel=nto + os=`echo "$basic_os" | sed -e 's|nto-qnx|qnx|'` + ;; + *-*) + # shellcheck disable=SC2162 + saved_IFS=$IFS + IFS="-" read kernel os <&2 - exit 1 + # No normalization, but not necessarily accepted, that comes below. ;; esac + else # Here we handle the default operating systems that come with various machines. 
@@ -1543,258 +1527,363 @@ # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. -case $basic_machine in +kernel= +case $cpu-$vendor in score-*) - os=-elf + os=elf ;; spu-*) - os=-elf + os=elf ;; *-acorn) - os=-riscix1.2 + os=riscix1.2 ;; arm*-rebel) - os=-linux + kernel=linux + os=gnu ;; arm*-semi) - os=-aout + os=aout ;; c4x-* | tic4x-*) - os=-coff + os=coff ;; c8051-*) - os=-elf + os=elf + ;; + clipper-intergraph) + os=clix ;; hexagon-*) - os=-elf + os=elf ;; tic54x-*) - os=-coff + os=coff ;; tic55x-*) - os=-coff + os=coff ;; tic6x-*) - os=-coff + os=coff ;; # This must come before the *-dec entry. pdp10-*) - os=-tops20 + os=tops20 ;; pdp11-*) - os=-none + os=none ;; *-dec | vax-*) - os=-ultrix4.2 + os=ultrix4.2 ;; m68*-apollo) - os=-domain + os=domain ;; i386-sun) - os=-sunos4.0.2 + os=sunos4.0.2 ;; m68000-sun) - os=-sunos3 + os=sunos3 ;; m68*-cisco) - os=-aout + os=aout ;; mep-*) - os=-elf + os=elf ;; mips*-cisco) - os=-elf + os=elf ;; mips*-*) - os=-elf + os=elf ;; or32-*) - os=-coff + os=coff ;; *-tti) # must be before sparc entry or we get the wrong os. 
- os=-sysv3 + os=sysv3 ;; sparc-* | *-sun) - os=-sunos4.1.1 + os=sunos4.1.1 ;; pru-*) - os=-elf + os=elf ;; *-be) - os=-beos + os=beos ;; *-ibm) - os=-aix + os=aix ;; *-knuth) - os=-mmixware + os=mmixware ;; *-wec) - os=-proelf + os=proelf ;; *-winbond) - os=-proelf + os=proelf ;; *-oki) - os=-proelf + os=proelf ;; *-hp) - os=-hpux + os=hpux ;; *-hitachi) - os=-hiux + os=hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) - os=-sysv + os=sysv ;; *-cbm) - os=-amigaos + os=amigaos ;; *-dg) - os=-dgux + os=dgux ;; *-dolphin) - os=-sysv3 + os=sysv3 ;; m68k-ccur) - os=-rtu + os=rtu ;; m88k-omron*) - os=-luna + os=luna ;; *-next) - os=-nextstep + os=nextstep ;; *-sequent) - os=-ptx + os=ptx ;; *-crds) - os=-unos + os=unos ;; *-ns) - os=-genix + os=genix ;; i370-*) - os=-mvs + os=mvs ;; *-gould) - os=-sysv + os=sysv ;; *-highlevel) - os=-bsd + os=bsd ;; *-encore) - os=-bsd + os=bsd ;; *-sgi) - os=-irix + os=irix ;; *-siemens) - os=-sysv4 + os=sysv4 ;; *-masscomp) - os=-rtu + os=rtu ;; f30[01]-fujitsu | f700-fujitsu) - os=-uxpv + os=uxpv ;; *-rom68k) - os=-coff + os=coff ;; *-*bug) - os=-coff + os=coff ;; *-apple) - os=-macos + os=macos ;; *-atari*) - os=-mint + os=mint + ;; + *-wrs) + os=vxworks ;; *) - os=-none + os=none ;; esac + fi +# Now, validate our (potentially fixed-up) OS. +case $os in + # Sometimes we do "kernel-libc", so those need to count as OSes. + musl* | newlib* | relibc* | uclibc*) + ;; + # Likewise for "kernel-abi" + eabi* | gnueabi*) + ;; + # VxWorks passes extra cpu info in the 4th filed. + simlinux | simwindows | spe) + ;; + # Now accept the basic system types. + # The portable systems comes first. + # Each alternative MUST end in a * to match a version number. 
+ gnu* | android* | bsd* | mach* | minix* | genix* | ultrix* | irix* \ + | *vms* | esix* | aix* | cnk* | sunos | sunos[34]* \ + | hpux* | unos* | osf* | luna* | dgux* | auroraux* | solaris* \ + | sym* | plan9* | psp* | sim* | xray* | os68k* | v88r* \ + | hiux* | abug | nacl* | netware* | windows* \ + | os9* | macos* | osx* | ios* \ + | mpw* | magic* | mmixware* | mon960* | lnews* \ + | amigaos* | amigados* | msdos* | newsos* | unicos* | aof* \ + | aos* | aros* | cloudabi* | sortix* | twizzler* \ + | nindy* | vxsim* | vxworks* | ebmon* | hms* | mvs* \ + | clix* | riscos* | uniplus* | iris* | isc* | rtu* | xenix* \ + | mirbsd* | netbsd* | dicos* | openedition* | ose* \ + | bitrig* | openbsd* | secbsd* | solidbsd* | libertybsd* | os108* \ + | ekkobsd* | freebsd* | riscix* | lynxos* | os400* \ + | bosx* | nextstep* | cxux* | aout* | elf* | oabi* \ + | ptx* | coff* | ecoff* | winnt* | domain* | vsta* \ + | udi* | lites* | ieee* | go32* | aux* | hcos* \ + | chorusrdb* | cegcc* | glidix* | serenity* \ + | cygwin* | msys* | pe* | moss* | proelf* | rtems* \ + | midipix* | mingw32* | mingw64* | mint* \ + | uxpv* | beos* | mpeix* | udk* | moxiebox* \ + | interix* | uwin* | mks* | rhapsody* | darwin* \ + | openstep* | oskit* | conix* | pw32* | nonstopux* \ + | storm-chaos* | tops10* | tenex* | tops20* | its* \ + | os2* | vos* | palmos* | uclinux* | nucleus* | morphos* \ + | scout* | superux* | sysv* | rtmk* | tpf* | windiss* \ + | powermax* | dnix* | nx6 | nx7 | sei* | dragonfly* \ + | skyos* | haiku* | rdos* | toppers* | drops* | es* \ + | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ + | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \ + | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \ + | fiwix* ) + ;; + # This one is extra strict with allowed versions + sco3.2v2 | sco3.2v[4-9]* | sco5v6*) + # Don't forget version if it is 3.2v4 or newer. 
+ ;; + none) + ;; + *) + echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2 + exit 1 + ;; +esac + +# As a final step for OS-related things, validate the OS-kernel combination +# (given a valid OS), if there is a kernel. +case $kernel-$os in + linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \ + | linux-musl* | linux-relibc* | linux-uclibc* ) + ;; + uclinux-uclibc* ) + ;; + -dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* ) + # These are just libc implementations, not actual OSes, and thus + # require a kernel. + echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2 + exit 1 + ;; + kfreebsd*-gnu* | kopensolaris*-gnu*) + ;; + vxworks-simlinux | vxworks-simwindows | vxworks-spe) + ;; + nto-qnx*) + ;; + os2-emx) + ;; + *-eabi* | *-gnueabi*) + ;; + -*) + # Blank kernel with real OS is always fine. + ;; + *-*) + echo "Invalid configuration \`$1': Kernel \`$kernel' not known to work with OS \`$os'." 1>&2 + exit 1 + ;; +esac + # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. 
-vendor=unknown -case $basic_machine in - *-unknown) - case $os in - -riscix*) +case $vendor in + unknown) + case $cpu-$os in + *-riscix*) vendor=acorn ;; - -sunos*) + *-sunos*) vendor=sun ;; - -cnk*|-aix*) + *-cnk* | *-aix*) vendor=ibm ;; - -beos*) + *-beos*) vendor=be ;; - -hpux*) + *-hpux*) vendor=hp ;; - -mpeix*) + *-mpeix*) vendor=hp ;; - -hiux*) + *-hiux*) vendor=hitachi ;; - -unos*) + *-unos*) vendor=crds ;; - -dgux*) + *-dgux*) vendor=dg ;; - -luna*) + *-luna*) vendor=omron ;; - -genix*) + *-genix*) vendor=ns ;; - -mvs* | -opened*) + *-clix*) + vendor=intergraph + ;; + *-mvs* | *-opened*) + vendor=ibm + ;; + *-os400*) vendor=ibm ;; - -os400*) + s390-* | s390x-*) vendor=ibm ;; - -ptx*) + *-ptx*) vendor=sequent ;; - -tpf*) + *-tpf*) vendor=ibm ;; - -vxsim* | -vxworks* | -windiss*) + *-vxsim* | *-vxworks* | *-windiss*) vendor=wrs ;; - -aux*) + *-aux*) vendor=apple ;; - -hms*) + *-hms*) vendor=hitachi ;; - -mpw* | -macos*) + *-mpw* | *-macos*) vendor=apple ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + *-*mint | *-mint[0-9]* | *-*MiNT | *-MiNT[0-9]*) vendor=atari ;; - -vos*) + *-vos*) vendor=stratus ;; esac - basic_machine=`echo "$basic_machine" | sed "s/unknown/$vendor/"` ;; esac -echo "$basic_machine$os" +echo "$cpu-$vendor-${kernel:+$kernel-}$os" exit # Local variables: -# eval: (add-hook 'write-file-functions 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" diff -Nru strongswan-5.9.8/configure strongswan-5.9.11/configure --- strongswan-5.9.8/configure 2022-10-03 14:18:11.000000000 +0000 +++ strongswan-5.9.11/configure 2023-06-12 05:50:46.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for strongSwan 5.9.8. +# Generated by GNU Autoconf 2.71 for strongSwan 5.9.11. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, 
@@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.9.8' -PACKAGE_STRING='strongSwan 5.9.8' +PACKAGE_VERSION='5.9.11' +PACKAGE_STRING='strongSwan 5.9.11' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1084,7 +1084,6 @@ pki_plugins attest_plugins pool_plugins -starter_plugins charon_plugins GIT_VERSION PERL_CPAN_INSTALL_FALSE @@ -2171,7 +2170,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.9.8 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.9.11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2242,7 +2241,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.9.8:";; + short | recursive ) echo "Configuration of strongSwan 5.9.11:";; esac cat <<\_ACEOF @@ -2760,7 +2759,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.9.8 +strongSwan configure 5.9.11 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -3228,7 +3227,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.9.8, which was +It was created by strongSwan $as_me 5.9.11, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -4497,7 +4496,7 @@ # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.9.8' + VERSION='5.9.11' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h 
@@ -14588,11 +14587,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin[91]*) + 10.0,*86*-darwin8*|10.0,*-darwin[912]*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.[012][,.]*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; @@ -23915,8 +23914,7 @@ then : LIBS="$LIBS" else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 -printf "%s\n" "no" >&6; };openssl_lib="" + openssl_lib="" fi fi @@ -25837,7 +25835,6 @@ # plugin lists for all components charon_plugins= -starter_plugins= pool_plugins= attest_plugins= pki_plugins= @@ -26535,7 +26532,6 @@ if test x$kernel_pfkey = xtrue; then c_plugins=${c_plugins}" kernel-pfkey" charon_plugins=${charon_plugins}" kernel-pfkey" - starter_plugins=${starter_plugins}" kernel-pfkey" nm_plugins=${nm_plugins}" kernel-pfkey" cmd_plugins=${cmd_plugins}" kernel-pfkey" @@ -26544,7 +26540,6 @@ if test x$kernel_pfroute = xtrue; then c_plugins=${c_plugins}" kernel-pfroute" charon_plugins=${charon_plugins}" kernel-pfroute" - starter_plugins=${starter_plugins}" kernel-pfroute" nm_plugins=${nm_plugins}" kernel-pfroute" cmd_plugins=${cmd_plugins}" kernel-pfroute" @@ -26553,7 +26548,6 @@ if test x$kernel_netlink = xtrue; then c_plugins=${c_plugins}" kernel-netlink" charon_plugins=${charon_plugins}" kernel-netlink" - starter_plugins=${starter_plugins}" kernel-netlink" nm_plugins=${nm_plugins}" kernel-netlink" cmd_plugins=${cmd_plugins}" kernel-netlink" @@ -26562,7 +26556,6 @@ if test x$selinux = xtrue; then c_plugins=${c_plugins}" selinux" charon_plugins=${charon_plugins}" selinux" - starter_plugins=${starter_plugins}" selinux" nm_plugins=${nm_plugins}" selinux" cmd_plugins=${cmd_plugins}" selinux" 
@@ -27010,7 +27003,6 @@ - # ====================== # set Makefile.am vars # ====================== @@ -30148,7 +30140,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.9.8, which was +This file was extended by strongSwan $as_me 5.9.11, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -30216,7 +30208,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -strongSwan config.status 5.9.8 +strongSwan config.status 5.9.11 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -Nru strongswan-5.9.8/configure.ac strongswan-5.9.11/configure.ac --- strongswan-5.9.8/configure.ac 2022-10-03 14:15:35.000000000 +0000 +++ strongswan-5.9.11/configure.ac 2023-06-12 05:49:11.000000000 +0000 @@ -20,7 +20,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.9.8]) +AC_INIT([strongSwan],[5.9.11]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -1169,7 +1169,7 @@ if test "x$windows" = xtrue; then openssl_lib=eay32 AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"], - [AC_MSG_RESULT([no]);openssl_lib=""],[$DLLIB]) + [openssl_lib=""],[$DLLIB]) fi if test -z "$openssl_lib"; then openssl_lib=crypto @@ -1505,7 +1505,6 @@ # plugin lists for all components charon_plugins= -starter_plugins= pool_plugins= attest_plugins= pki_plugins= 
@@ -1593,10 +1592,10 @@
 ADD_PLUGIN([kernel-libipsec], [c charon cmd])
 ADD_PLUGIN([kernel-wfp], [c charon])
 ADD_PLUGIN([kernel-iph], [c charon])
-ADD_PLUGIN([kernel-pfkey], [c charon starter nm cmd])
-ADD_PLUGIN([kernel-pfroute], [c charon starter nm cmd])
-ADD_PLUGIN([kernel-netlink], [c charon starter nm cmd])
-ADD_PLUGIN([selinux], [c charon starter nm cmd])
+ADD_PLUGIN([kernel-pfkey], [c charon nm cmd])
+ADD_PLUGIN([kernel-pfroute], [c charon nm cmd])
+ADD_PLUGIN([kernel-netlink], [c charon nm cmd])
+ADD_PLUGIN([selinux], [c charon nm cmd])
 ADD_PLUGIN([resolve], [c charon cmd])
 ADD_PLUGIN([save-keys], [c])
 ADD_PLUGIN([socket-default], [c charon nm cmd])
@@ -1666,7 +1665,6 @@
 ADD_PLUGIN([counters], [c charon])
 
 AC_SUBST(charon_plugins)
-AC_SUBST(starter_plugins)
 AC_SUBST(pool_plugins)
 AC_SUBST(attest_plugins)
 AC_SUBST(pki_plugins)
diff -Nru strongswan-5.9.8/debian/changelog strongswan-5.9.11/debian/changelog
--- strongswan-5.9.8/debian/changelog 2023-03-06 14:00:58.000000000 +0000
+++ strongswan-5.9.11/debian/changelog 2023-06-23 17:05:18.000000000 +0000
@@ -1,3 +1,58 @@ +strongswan (5.9.11-1ubuntu1) mantic; urgency=medium + + * Merge with Debian unstable (LP: #2018113). Remaining changes: + - d/control: strongswan-starter hard-depends on strongswan-charon, + therefore bump the dependency from Recommends to Depends. At the same + time avoid a circular dependency by dropping + strongswan-charon->strongswan-starter from Depends to Recommends as the + binaries can work without the services but not vice versa. + - re-add post-quantum encryption algorithm (NTRU) (LP #1863749) + + d/control: mention plugins in package description + + d/rules: enable ntru at build time + + d/libstrongswan-extra-plugins.install: ship config and shared objects + - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887) + + d/control: update libcharon-extra-plugins description. + + d/libcharon-extra-plugins.install: install .so and conf files. + + d/rules: add plugins to the configuration arguments. + - Remove conf files of plugins removed from libcharon-extra-plugins + + The conf file of the following plugins were removed: eap-aka-3gpp2, + eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym, + eap-simaka-reauth, eap-simaka-sql, xauth-noauth. + + Created d/libcharon-extra-plugins.maintscript to handle the removals + properly. + - d/t/{control,host-to-host,utils}: new host-to-host test + (LP #1999525) + - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl + (LP #1999935) + * Dropped: + - SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With + Incorrect Refcount + + debian/patches/CVE-2023-26463.patch: fix authentication bypass and + expired pointer dereference in src/libtls/tls_server.c. 
+ + CVE-2023-26463 + [Fixed upstream in 5.9.10] + + -- Andreas Hasenack Fri, 23 Jun 2023 14:05:18 -0300 + +strongswan (5.9.11-1) unstable; urgency=medium + + * New upstream version 5.9.10 + * d/patches: 0005-libtls-Fix-authentication-bypass-and-expired-pointer + dropped, included upstream + * New upstream version 5.9.11 + * d/patches: rebase against new upstream + + -- Yves-Alexis Perez Sun, 18 Jun 2023 11:53:15 +0200 + +strongswan (5.9.8-4) unstable; urgency=medium + + * d/patches: libtls-Fix-authentication-bypass-and-expired-pointer added. + Fix authentication bypass and use-after-free in libtls (CVE-2023-26463) + * d/control: replace lsb-base dependency by sysvinit-utils + * d/control: update standards version to 4.6.2 + + -- Yves-Alexis Perez Sun, 26 Feb 2023 09:40:09 +0100 + strongswan (5.9.8-3ubuntu4) lunar; urgency=medium * d/t/utils: also give `cloud-init status --wait` the same amount of diff -Nru strongswan-5.9.8/debian/control strongswan-5.9.11/debian/control --- strongswan-5.9.8/debian/control 2022-12-16 18:39:19.000000000 +0000 +++ strongswan-5.9.11/debian/control 2023-06-23 17:05:18.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Ubuntu Developers XSBC-Original-Maintainer: strongSwan Maintainers Uploaders: Yves-Alexis Perez -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/debian/strongswan Vcs-Git: https://salsa.debian.org/debian/strongswan.git Build-Depends: bison, @@ -214,7 +214,7 @@ Pre-Depends: ${misc:Pre-Depends} Depends: adduser, libstrongswan (= ${binary:Version}), - lsb-base (>= 3.0-6), + sysvinit-utils (>= 3.05-3), strongswan-charon, ${misc:Depends}, ${shlibs:Depends} diff -Nru strongswan-5.9.8/debian/patches/CVE-2023-26463.patch strongswan-5.9.11/debian/patches/CVE-2023-26463.patch --- strongswan-5.9.8/debian/patches/CVE-2023-26463.patch 2023-03-03 14:27:39.000000000 +0000 +++ strongswan-5.9.11/debian/patches/CVE-2023-26463.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,48 +0,0 @@ -From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 17 Feb 2023 15:07:20 +0100 -Subject: [PATCH] libtls: Fix authentication bypass and expired pointer - dereference - -`public` is returned, but previously only if a trusted key was found. -We obviously don't want to return untrusted keys. However, since the -reference is released after determining the key type, the returned -object also doesn't have the correct refcount. - -So when the returned reference is released after verifying the TLS -signature, the public key object is actually destroyed. The certificate -object then points to an expired pointer, which is dereferenced once it -itself is destroyed after the authentication is complete. Depending on -whether the pointer is valid (i.e. points to memory allocated to the -process) and what was allocated there after the public key was freed, -this could result in a segmentation fault or even code execution. - -Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type") -Fixes: CVE-2023-26463 ---- - src/libtls/tls_server.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c -index c9c300917dd6..573893f2efb5 100644 ---- a/src/libtls/tls_server.c -+++ b/src/libtls/tls_server.c -@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id) - cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT); - if (cert) - { -- public = cert->get_public_key(cert); -- if (public) -+ current = cert->get_public_key(cert); -+ if (current) - { -- key_type = public->get_type(public); -- public->destroy(public); -+ key_type = current->get_type(current); -+ current->destroy(current); - } - enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, - key_type, id, peer_auth, TRUE); --- -2.25.1 - diff -Nru 
strongswan-5.9.8/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch strongswan-5.9.11/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch --- strongswan-5.9.8/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch 2022-11-25 13:07:31.000000000 +0000 +++ strongswan-5.9.11/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch 2023-06-23 17:04:07.000000000 +0000 @@ -7,15 +7,15 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/plugins/kernel-libipsec.conf b/conf/plugins/kernel-libipsec.conf -index 3411be2..6352003 100644 +index e9834da..89c3c5e 100644 --- a/conf/plugins/kernel-libipsec.conf +++ b/conf/plugins/kernel-libipsec.conf -@@ -5,7 +5,7 @@ kernel-libipsec { +@@ -8,7 +8,7 @@ kernel-libipsec { # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. - load = yes + load = no - } - + # Whether to send and receive ESP packets without UDP encapsulation if + # supported on this platform and no NAT is detected. diff -Nru strongswan-5.9.8/debian/patches/series strongswan-5.9.11/debian/patches/series --- strongswan-5.9.8/debian/patches/series 2023-03-03 14:27:39.000000000 +0000 +++ strongswan-5.9.11/debian/patches/series 2023-06-23 17:04:07.000000000 +0000 @@ -2,4 +2,3 @@ 03_systemd-service.patch 04_disable-libtls-tests.patch dont-load-kernel-libipsec-plugin-by-default.patch -CVE-2023-26463.patch diff -Nru strongswan-5.9.8/debian/po/cs.po strongswan-5.9.11/debian/po/cs.po --- strongswan-5.9.8/debian/po/cs.po 2022-12-16 18:39:19.000000000 +0000 +++ strongswan-5.9.11/debian/po/cs.po 2023-06-23 17:05:18.000000000 +0000 
@@ -13,7 +13,7 @@
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-10-28 14:42+0100\n"
 "Last-Translator: Miroslav Kure \n"
 "Language-Team: Czech \n"
diff -Nru strongswan-5.9.8/debian/po/da.po strongswan-5.9.11/debian/po/da.po
--- strongswan-5.9.8/debian/po/da.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/da.po 2023-06-23 17:05:18.000000000 +0000
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-10-06 12:42+0000\n"
 "Last-Translator: Joe Hansen \n"
 "Language-Team: Danish \n"
diff -Nru strongswan-5.9.8/debian/po/de.po strongswan-5.9.11/debian/po/de.po
--- strongswan-5.9.8/debian/po/de.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/de.po 2023-06-23 17:05:18.000000000 +0000
@@ -8,7 +8,7 @@
 msgstr ""
 "Project-Id-Version: strongswan 4.4.0-1\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-11-02 15:40+0100\n"
 "Last-Translator: Helge Kreutzmann \n"
 "Language-Team: German \n"
diff -Nru strongswan-5.9.8/debian/po/es.po strongswan-5.9.11/debian/po/es.po
--- strongswan-5.9.8/debian/po/es.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/es.po 2023-06-23 17:05:18.000000000 +0000
@@ -31,7 +31,7 @@
 msgstr ""
 "Project-Id-Version: strongswan 4.4.1-5\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-12-17 17:19-0300\n"
 "Last-Translator: Matías Bellone \n"
 "Language-Team: Debian l10n Spanish \n"
diff -Nru strongswan-5.9.8/debian/po/eu.po strongswan-5.9.11/debian/po/eu.po
--- strongswan-5.9.8/debian/po/eu.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/eu.po 2023-06-23 17:05:18.000000000 +0000
@@ -8,7 +8,7 @@
 msgstr ""
 "Project-Id-Version: strongswan_4.4.1-5.1_eu\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-10-15 21:41+0200\n"
 "Last-Translator: Iñaki Larrañaga Murgoitio \n"
 "Language-Team: Basque \n"
diff -Nru strongswan-5.9.8/debian/po/fi.po strongswan-5.9.11/debian/po/fi.po
--- strongswan-5.9.8/debian/po/fi.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/fi.po 2023-06-23 17:05:18.000000000 +0000
@@ -6,7 +6,7 @@
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2009-05-25 14:49+0100\n"
 "Last-Translator: Esko Arajärvi \n"
 "Language-Team: Finnish \n"
diff -Nru strongswan-5.9.8/debian/po/fr.po strongswan-5.9.11/debian/po/fr.po
--- strongswan-5.9.8/debian/po/fr.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/fr.po 2023-06-23 17:05:18.000000000 +0000
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2010-06-24 22:17+0200\n"
 "Last-Translator: Christian Perrier \n"
 "Language-Team: French \n"
diff -Nru strongswan-5.9.8/debian/po/gl.po strongswan-5.9.11/debian/po/gl.po
--- strongswan-5.9.8/debian/po/gl.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/gl.po 2023-06-23 17:05:18.000000000 +0000
@@ -6,7 +6,7 @@
 msgstr ""
 "Project-Id-Version: templates_[kI6655]\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2009-05-25 14:50+0100\n"
 "Last-Translator: marce villarino \n"
 "Language-Team: Galician \n"
diff -Nru strongswan-5.9.8/debian/po/it.po strongswan-5.9.11/debian/po/it.po
--- strongswan-5.9.8/debian/po/it.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/it.po 2023-06-23 17:05:18.000000000 +0000
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-11-09 13:41+0200\n"
 "Last-Translator: Beatrice Torracca \n"
 "Language-Team: Italian \n"
diff -Nru strongswan-5.9.8/debian/po/ja.po strongswan-5.9.11/debian/po/ja.po
--- strongswan-5.9.8/debian/po/ja.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/ja.po 2023-06-23 17:05:18.000000000 +0000
@@ -16,7 +16,7 @@
 msgstr ""
 "Project-Id-Version: strongswan 4.4.1-4\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-02-07 21:28+0900\n"
 "Last-Translator: Hideki Yamane \n"
 "Language-Team: Japanese \n"
diff -Nru strongswan-5.9.8/debian/po/nb.po strongswan-5.9.11/debian/po/nb.po
--- strongswan-5.9.8/debian/po/nb.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/nb.po 2023-06-23 17:05:18.000000000 +0000
@@ -6,7 +6,7 @@
 msgstr ""
 "Project-Id-Version: nb\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-10-06 17:37+0200\n"
 "Last-Translator: Bjørn Steensrud \n"
 "Language-Team: Norwegian BokmÃ¥l \n"
diff -Nru strongswan-5.9.8/debian/po/nl.po strongswan-5.9.11/debian/po/nl.po
--- strongswan-5.9.8/debian/po/nl.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/nl.po 2023-06-23 17:05:18.000000000 +0000
@@ -10,7 +10,7 @@
 msgstr ""
 "Project-Id-Version: strongswan 4.5.0-1\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2014-09-24 18:39+0200\n"
 "Last-Translator: Frans Spiesschaert \n"
 "Language-Team: Debian Dutch l10n Team \n"
diff -Nru strongswan-5.9.8/debian/po/pl.po strongswan-5.9.11/debian/po/pl.po
--- strongswan-5.9.8/debian/po/pl.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/pl.po 2023-06-23 17:05:18.000000000 +0000
@@ -6,7 +6,7 @@ msgstr "" "Project-Id-Version: \n" "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" -"POT-Creation-Date: 2022-11-03 18:18+0100\n" +"POT-Creation-Date: 2023-06-18 11:53+0200\n" "PO-Revision-Date: 2012-01-31 15:36+0100\n" "Last-Translator: MichaÅ‚ KuÅ‚ach \n" "Language-Team: Polish \n" diff -Nru strongswan-5.9.8/debian/po/pt_BR.po strongswan-5.9.11/debian/po/pt_BR.po --- strongswan-5.9.8/debian/po/pt_BR.po 2022-12-16 18:39:19.000000000 +0000 +++ strongswan-5.9.11/debian/po/pt_BR.po 2023-06-23 17:05:18.000000000 +0000 @@ -9,7 +9,7 @@ msgstr "" "Project-Id-Version: strongswan 5.1.3-4\n" "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" -"POT-Creation-Date: 2022-11-03 18:18+0100\n" +"POT-Creation-Date: 2023-06-18 11:53+0200\n" "PO-Revision-Date: 2014-06-25 18:13-0300\n" "Last-Translator: Adriano Rafael Gomes \n" "Language-Team: Brazilian Portuguese \n" "Language-Team: Portuguese \n" diff -Nru strongswan-5.9.8/debian/po/ru.po strongswan-5.9.11/debian/po/ru.po --- strongswan-5.9.8/debian/po/ru.po 2022-12-16 18:39:19.000000000 +0000 +++ strongswan-5.9.11/debian/po/ru.po 2023-06-23 17:05:18.000000000 +0000 @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: strongswan 5.1.0-1\n" "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" -"POT-Creation-Date: 2022-11-03 18:18+0100\n" +"POT-Creation-Date: 2023-06-18 11:53+0200\n" "PO-Revision-Date: 2013-10-07 19:08+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" diff -Nru strongswan-5.9.8/debian/po/sv.po strongswan-5.9.11/debian/po/sv.po --- strongswan-5.9.8/debian/po/sv.po 2022-12-16 18:39:19.000000000 +0000 +++ strongswan-5.9.11/debian/po/sv.po 2023-06-23 17:05:18.000000000 +0000 
@@ -8,7 +8,7 @@
 msgstr ""
 "Project-Id-Version: strongswan_sv\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-10-07 09:05+0100\n"
 "Last-Translator: Martin Bagge / brother \n"
 "Language-Team: Swedish \n"
diff -Nru strongswan-5.9.8/debian/po/templates.pot strongswan-5.9.11/debian/po/templates.pot
--- strongswan-5.9.8/debian/po/templates.pot 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/templates.pot 2023-06-23 17:05:18.000000000 +0000
@@ -8,7 +8,7 @@
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME \n"
 "Language-Team: LANGUAGE \n"
diff -Nru strongswan-5.9.8/debian/po/tr.po strongswan-5.9.11/debian/po/tr.po
--- strongswan-5.9.8/debian/po/tr.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/tr.po 2023-06-23 17:05:18.000000000 +0000
@@ -7,7 +7,7 @@
 msgstr ""
 "Project-Id-Version: strongswan\n"
 "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n"
-"POT-Creation-Date: 2022-11-03 18:18+0100\n"
+"POT-Creation-Date: 2023-06-18 11:53+0200\n"
 "PO-Revision-Date: 2013-10-24 11:17+0200\n"
 "Last-Translator: Atila KOÇ \n"
 "Language-Team: Türkçe \n"
diff -Nru strongswan-5.9.8/debian/po/vi.po strongswan-5.9.11/debian/po/vi.po
--- strongswan-5.9.8/debian/po/vi.po 2022-12-16 18:39:19.000000000 +0000
+++ strongswan-5.9.11/debian/po/vi.po 2023-06-23 17:05:18.000000000 +0000
@@ -6,7 +6,7 @@ msgstr "" "Project-Id-Version: strongswan 4.4.0-1\n" "Report-Msgid-Bugs-To: strongswan@packages.debian.org\n" -"POT-Creation-Date: 2022-11-03 18:18+0100\n" +"POT-Creation-Date: 2023-06-18 11:53+0200\n" "PO-Revision-Date: 2010-10-03 19:22+1030\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" diff -Nru strongswan-5.9.8/depcomp strongswan-5.9.11/depcomp --- strongswan-5.9.8/depcomp 2020-09-13 17:49:57.000000000 +0000 +++ strongswan-5.9.11/depcomp 2023-03-27 21:06:21.000000000 +0000 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff -Nru strongswan-5.9.8/Doxyfile.in strongswan-5.9.11/Doxyfile.in --- strongswan-5.9.8/Doxyfile.in 2021-06-24 08:11:12.000000000 +0000 +++ strongswan-5.9.11/Doxyfile.in 2023-05-06 07:16:02.000000000 +0000 @@ -222,12 +222,6 @@ ALIASES = -# This tag can be used to specify a number of word-keyword mappings (TCL only). -# A mapping has the form "name=value". For example adding "class=itcl::class" -# will allow you to use the command class in the itcl::class meaning. - -TCL_SUBST = - # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources # only. Doxygen will then generate output that is more tailored for C. For # instance, some of the names that are used will be different. The list of all 
@@ -978,13 +972,6 @@ ALPHABETICAL_INDEX = YES -# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in -# which the alphabetical index list will be split. -# Minimum value: 1, maximum value: 20, default value: 5. -# This tag requires that the tag ALPHABETICAL_INDEX is set to YES. - -COLS_IN_ALPHA_INDEX = 5 - # In case all classes in a project start with a common prefix, all classes will # be put under the same header in the alphabetical index. The IGNORE_PREFIX tag # can be used to specify a prefix (or a list of prefixes) that should be ignored @@ -1466,7 +1453,7 @@ # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES. -SEARCHENGINE = NO +SEARCHENGINE = YES # When the SERVER_BASED_SEARCH tag is enabled the search engine will be # implemented using a web server instead of a web client using Javascript. There @@ -1583,7 +1570,7 @@ # The default value is: a4. # This tag requires that the tag GENERATE_LATEX is set to YES. -PAPER_TYPE = a4wide +PAPER_TYPE = a4 # The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names # that should be included in the LaTeX output. To get the times font for diff -Nru strongswan-5.9.8/fuzz/Makefile.am strongswan-5.9.11/fuzz/Makefile.am --- strongswan-5.9.8/fuzz/Makefile.am 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/fuzz/Makefile.am 2023-03-27 21:00:49.000000000 +0000 @@ -53,7 +53,7 @@ check: all for f in $(FUZZ_TARGETS); do \ corpus=$${f#fuzz_}; \ - ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \ + ./$$f $(FUZZING_CORPORA)/$${corpus}/* || exit 1; \ crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \ - test ! -d $${crashes} || ./$$f $${crashes}/*; \ + test ! -d $${crashes} || ./$$f $${crashes}/* || exit 1; \ done diff -Nru strongswan-5.9.8/fuzz/Makefile.in strongswan-5.9.11/fuzz/Makefile.in --- strongswan-5.9.8/fuzz/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/fuzz/Makefile.in 2023-06-12 05:50:38.000000000 +0000 
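Review bot: Now that `|| exit 1` propagates fuzzer failures, the unguarded globs on the two changed lines of the fuzz/Makefile.am `check` recipe are the only remaining silent path: when `$(FUZZING_CORPORA)/$${corpus}` is empty or absent the shell hands the literal `*` pattern to `./$$f`, and whether the fuzz binaries accept or reject that is not visible here. A guard ahead of the run, `test -d $(FUZZING_CORPORA)/$${corpus} || { echo "missing corpus for $$f" >&2; exit 1; }; \`, turns that case into an explicit failure instead of one that depends on the binary. The same two-line change is mirrored in the generated fuzz/Makefile.in and will be regenerated from this file, so the guard belongs here only. Quoting `"$${crashes}"` on the second changed line would also keep a corpus path containing spaces from word-splitting.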
@@ -403,7 +403,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
@@ -782,9 +781,9 @@
 check: all
 for f in $(FUZZ_TARGETS); do \
 corpus=$${f#fuzz_}; \
- ./$$f $(FUZZING_CORPORA)/$${corpus}/*; \
+ ./$$f $(FUZZING_CORPORA)/$${corpus}/* || exit 1; \
 crashes=$(FUZZING_CORPORA)/$${corpus}-crash; \
- test ! -d $${crashes} || ./$$f $${crashes}/*; \
+ test ! -d $${crashes} || ./$$f $${crashes}/* || exit 1; \
 done
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff -Nru strongswan-5.9.8/init/Makefile.in strongswan-5.9.11/init/Makefile.in
--- strongswan-5.9.8/init/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/init/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -408,7 +408,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/init/systemd/Makefile.in strongswan-5.9.11/init/systemd/Makefile.in
--- strongswan-5.9.8/init/systemd/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/init/systemd/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -378,7 +378,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/init/systemd-starter/Makefile.in strongswan-5.9.11/init/systemd-starter/Makefile.in
--- strongswan-5.9.8/init/systemd-starter/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/init/systemd-starter/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -378,7 +378,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/install-sh strongswan-5.9.11/install-sh --- strongswan-5.9.8/install-sh 2020-09-13 17:49:57.000000000 +0000 +++ strongswan-5.9.11/install-sh 2023-03-27 21:06:21.000000000 +0000 @@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2018-03-11.20; # UTC +scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -69,6 +69,11 @@ # Desired mode of installed file. mode=0755 +# Create dirs (including intermediate dirs) using mode 755. +# This is like GNU 'install' as of coreutils 8.32 (2020). +mkdir_umask=22 + +backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= 
@@ -99,18 +104,28 @@ --version display version info and exit. -c (ignored) - -C install only if different (preserve the last data modification time) + -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. + -p pass -p to $cpprog. -s $stripprog installed files. + -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + +By default, rm is invoked with -f; when overridden with RMPROG, +it's up to you to specify -f if you want it. + +If -S is not specified, no backups are attempted. + +Email bug reports to bug-automake@gnu.org. +Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do @@ -137,8 +152,13 @@ -o) chowncmd="$chownprog $2" shift;; + -p) cpprog="$cpprog -p";; + -s) stripcmd=$stripprog;; + -S) backupsuffix="$2" + shift;; + -t) is_target_a_directory=always dst_arg=$2 @@ -255,6 +275,10 @@ dstdir=$dst test -d "$dstdir" dstdir_status=$? + # Don't chown directories that already exist. + if test $dstdir_status = 0; then + chowncmd="" + fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command 
@@ -301,22 +325,6 @@ if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *[2367][2367]) mkdir_umask=$umask;; - .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; - - *[0-7]) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then 
@@ -326,52 +334,49 @@ fi posix_mkdir=false - case $umask in - *[123567][0-7][0-7]) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - # Note that $RANDOM variable is not portable (e.g. dash); Use it - # here however when possible just to lower collision chance. - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - - trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 - - # Because "mkdir -p" follows existing symlinks and we likely work - # directly in world-writeable /tmp, make sure that the '$tmpdir' - # directory is successfully created first before we actually test - # 'mkdir -p' feature. - if (umask $mkdir_umask && - $mkdirprog $mkdir_mode "$tmpdir" && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - test_tmpdir="$tmpdir/a" - ls_ld_tmpdir=`ls -ld "$test_tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null - fi - trap '' 0;; - esac;; + # The $RANDOM variable is not portable (e.g., dash). Use it + # here however when possible just to lower collision chance. + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + + trap ' + ret=$? 
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null + exit $ret + ' 0 + + # Because "mkdir -p" follows existing symlinks and we likely work + # directly in world-writeable /tmp, make sure that the '$tmpdir' + # directory is successfully created first before we actually test + # 'mkdir -p'. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; esac if @@ -382,7 +387,7 @@ then : else - # The umask is ridiculous, or mkdir does not conform to POSIX, + # mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. @@ -411,7 +416,7 @@ prefixes= else if $posix_mkdir; then - (umask=$mkdir_umask && + (umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 
@@ -451,7 +456,18 @@ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. - (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + (umask $cp_umask && + { test -z "$stripcmd" || { + # Create $dsttmp read-write so that cp doesn't create it read-only, + # which would cause strip to fail. + if test -z "$doit"; then + : >"$dsttmp" # No need to fork-exec 'touch'. + else + $doit touch "$dsttmp" + fi + } + } && + $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # @@ -477,6 +493,13 @@ then rm -f "$dsttmp" else + # If $backupsuffix is set, and the file being installed + # already exists, attempt a backup. Don't worry if it fails, + # e.g., if mv doesn't support -f. + if test -n "$backupsuffix" && test -f "$dst"; then + $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null + fi + # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || @@ -491,9 +514,9 @@ # file should still install successfully. { test ! -f "$dst" || - $doit $rmcmd -f "$dst" 2>/dev/null || + $doit $rmcmd "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && - { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + { $doit $rmcmd "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 diff -Nru strongswan-5.9.8/ltmain.sh strongswan-5.9.11/ltmain.sh --- strongswan-5.9.8/ltmain.sh 2020-09-13 17:50:39.000000000 +0000 +++ strongswan-5.9.11/ltmain.sh 2023-03-27 21:06:16.000000000 +0000 @@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-14" +VERSION="2.4.6 Debian-2.4.6-15build2" package_revision=2.4.6 
@@ -2141,7 +2141,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-14 + version: $progname $scriptversion Debian-2.4.6-15build2 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` diff -Nru strongswan-5.9.8/m4/config/libtool.m4 strongswan-5.9.11/m4/config/libtool.m4 --- strongswan-5.9.8/m4/config/libtool.m4 2020-09-13 17:50:39.000000000 +0000 +++ strongswan-5.9.11/m4/config/libtool.m4 2023-03-27 21:06:16.000000000 +0000 @@ -1071,11 +1071,11 @@ # to the OS version, if on x86, and 10.4, the deployment # target defaults to 10.4. Don't you love it? case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin[[91]]*) + 10.0,*86*-darwin8*|10.0,*-darwin[[912]]*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; 10.[[012]][[,.]]*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) + 10.*|11.*) _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; diff -Nru strongswan-5.9.8/Makefile.in strongswan-5.9.11/Makefile.in --- strongswan-5.9.8/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/Makefile.in 2023-06-12 05:50:37.000000000 +0000 @@ -462,7 +462,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/man/ipsec.conf.5.in strongswan-5.9.11/man/ipsec.conf.5.in --- strongswan-5.9.8/man/ipsec.conf.5.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/man/ipsec.conf.5.in 2023-03-27 21:00:49.000000000 +0000 
@@ -690,7 +690,7 @@ .BR leftcert " = " the path to the left participant's X.509 certificate. The file can be encoded either in PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP +Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP are accepted. By default .B leftcert sets @@ -871,7 +871,7 @@ the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format, respectively. Also accepted is the path to a file containing the public key in PEM, DER or SSH -encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP +encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP are accepted. .TP .BR leftsendcert " = never | no | " ifasked " | always | yes" @@ -1219,7 +1219,7 @@ .SH "CA SECTIONS" These are optional sections that can be used to assign special parameters to a Certification Authority (CA). Because the daemons -automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP, +automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP, there is no need to explicitly add them with a CA section, unless you want to assign special parameters (like a CRL) to a CA. .TP @@ -1235,7 +1235,7 @@ .TP .BR cacert " = " defines a path to the CA certificate either relative to -\fI/etc/ipsec.d/cacerts\fP or as an absolute path. +\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path. .br A value in the form .B %smartcard[[@]]: @@ -1284,7 +1284,7 @@ .BR cachecrls " = yes | " no if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will be cached in -.I /etc/ipsec.d/crls/ +.I @sysconfdir@/ipsec.d/crls/ under a unique file name derived from the certification authority's public key. .TP .BR charondebug " = " 
@@ -1463,12 +1463,12 @@ .SH FILES .nf -/etc/ipsec.conf -/etc/ipsec.d/aacerts -/etc/ipsec.d/acerts -/etc/ipsec.d/cacerts -/etc/ipsec.d/certs -/etc/ipsec.d/crls +@sysconfdir@/ipsec.conf +@sysconfdir@/ipsec.d/aacerts +@sysconfdir@/ipsec.d/acerts +@sysconfdir@/ipsec.d/cacerts +@sysconfdir@/ipsec.d/certs +@sysconfdir@/ipsec.d/crls .SH SEE ALSO strongswan.conf(5), ipsec.secrets(5), ipsec(8) diff -Nru strongswan-5.9.8/man/ipsec.secrets.5.in strongswan-5.9.11/man/ipsec.secrets.5.in --- strongswan-5.9.8/man/ipsec.secrets.5.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/man/ipsec.secrets.5.in 2023-03-27 21:00:49.000000000 +0000 @@ -15,7 +15,7 @@ .LP .RS .nf -# /etc/ipsec.secrets - strongSwan IPsec secrets file +# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" : RSA moonKey.pem @@ -140,7 +140,7 @@ .TQ .B : ECDSA [ | %prompt ] For the private key file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. If the private key file is +\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase .B %prompt can be used which then causes the daemon to ask the user for the password @@ -148,7 +148,7 @@ .TP .B : P12 [ | %prompt ] For the PKCS#12 file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. If the container is +\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase .B %prompt can be used which then causes the daemon to ask the user for the password 
@@ -182,7 +182,7 @@ .LP .SH FILES -/etc/ipsec.secrets +@sysconfdir@/ipsec.secrets .SH SEE ALSO ipsec.conf(5), strongswan.conf(5), ipsec(8) .br diff -Nru strongswan-5.9.8/man/Makefile.in strongswan-5.9.11/man/Makefile.in --- strongswan-5.9.8/man/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/man/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -384,7 +384,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/missing strongswan-5.9.11/missing --- strongswan-5.9.8/missing 2020-09-13 17:49:57.000000000 +0000 +++ strongswan-5.9.11/missing 2023-03-27 21:06:21.000000000 +0000 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard , 1996. # This program is free software; you can redistribute it and/or modify diff -Nru strongswan-5.9.8/NEWS strongswan-5.9.11/NEWS --- strongswan-5.9.8/NEWS 2022-10-03 14:14:38.000000000 +0000 +++ strongswan-5.9.11/NEWS 2023-06-08 10:35:17.000000000 +0000 
@@ -1,3 +1,101 @@ +strongswan-5.9.11 +----------------- + +- A deadlock in the vici plugin has been fixed that could get triggered when + multiple connections were initiated/terminated concurrently and control-log + events were raised by the watcher_t component. + +- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit + encoded (even if it's a CA), or a CA certificate without keyUsage extension. + +- Optional CA labels in EST server URIs are supported by `pki --est/estca`. + +- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and + openssl plugins, which allows verifying RSA-PSS and ECDSA signatures. + +- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or + earlier that was introduced with 5.9.10. + +- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2. + +- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and + gained support for trap policies. + +- The dhcp plugin uses an alternate method to determine the source address + for unicast DHCP requests that's not affected by interface filtering. + +- Certificate and trust chain selection as initiator has been improved in case + the local trust chain is incomplete and an unrelated certreq is received. + +- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin. + +- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass + policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer. + +- Stale OCSP responses are now replace in-place in the certificate cache. + +- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`. + + +strongswan-5.9.10 +----------------- + +- Fixed a vulnerability related to certificate verification in TLS-based EAP + methods that leads to an authentication bypass followed by an expired pointer + dereference that results in a denial of service and possibly even remote code + execution. 
+ This vulnerability has been registered as CVE-2023-26463. + +- Added support for full packet hardware offload for IPsec SAs and policies with + Linux 6.2 kernels to the kernel-netlink plugin. + +- TLS-based EAP methods now use the standardized key derivation when used + with TLS 1.3. + +- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by + implementing the "protected success indication". + +- With the `prefer` value for the `childless` setting, initiators will create + a childless IKE_SA if the responder supports the extension. + +- Routes via XFRM interfaces can optionally be installed automatically by + enabling the `install_routes_xfrmi` option of the kernel-netlink plugin. + +- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid + issues with name resolution if they are supported by the kernel. + +- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the + PKCS#10 certificate signing request. + +- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them + (replace them completely, or adding/removing specific flags). + +- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the + IPsec SAs instead of the policies. + +- For libcurl with MultiSSL support, the curl plugin provides an option to + select the SSL/TLS backend. + + +strongswan-5.9.9 +---------------- + +- The charon.reqid_base setting allows specifying the first reqid that's + automatically assigned to a CHILD_SA. + +- The path/command for resolvconf(8) used by the resolve plugin is now + configurable. + +- The resolve plugin doesn't generate unique interface names for name servers + anymore. Instead, all available name servers are associated with a single, + configurable interface name. + +- Serial numbers of certificates and CRLs are now always returned in canonical + form (i.e. without leading zeros). + +- The kernel-netlink plugin now logs extended ACK error/warning messages. 
+ + strongswan-5.9.8 ---------------- diff -Nru strongswan-5.9.8/scripts/dh_speed.c strongswan-5.9.11/scripts/dh_speed.c --- strongswan-5.9.8/scripts/dh_speed.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/scripts/dh_speed.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2023 Tobias Brunner * Copyright (C) 2009 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -23,34 +24,10 @@ static void usage() { - printf("usage: dh_speed plugins rounds group1 [group2 [...]]\n"); + printf("usage: dh_speed plugins rounds ke1 [ke2 [...]]\n"); exit(1); } -struct { - char *name; - key_exchange_method_t group; -} groups[] = { - {"modp768", MODP_768_BIT}, - {"modp1024", MODP_1024_BIT}, - {"modp1024s160", MODP_1024_160}, - {"modp1536", MODP_1536_BIT}, - {"modp2048", MODP_2048_BIT}, - {"modp2048s224", MODP_2048_224}, - {"modp2048s256", MODP_2048_256}, - {"modp3072", MODP_3072_BIT}, - {"modp4096", MODP_4096_BIT}, - {"modp6144", MODP_6144_BIT}, - {"modp8192", MODP_8192_BIT}, - {"ecp256", ECP_256_BIT}, - {"ecp384", ECP_384_BIT}, - {"ecp521", ECP_521_BIT}, - {"ecp192", ECP_192_BIT}, - {"ecp224", ECP_224_BIT}, - {"curve25519", CURVE_25519}, - {"curve448", CURVE_448}, -}; - static void start_timing(struct timespec *start) { clock_gettime(CLOCK_THREAD_CPUTIME_ID, start); 
@@ -65,61 +42,67 @@ (end.tv_sec - start->tv_sec) * 1.0; } -static void run_test(key_exchange_method_t group, int rounds) +static void run_test(key_exchange_method_t method, int rounds) { - key_exchange_t *l[rounds], *r; - chunk_t chunk, chunks[rounds], lsecrets[rounds], rsecrets[rounds]; + key_exchange_t *l[rounds], *r[rounds]; + chunk_t lpublic[rounds], rpublic[rounds], lsecret[rounds], rsecret[rounds]; struct timespec timing; int round; - r = lib->crypto->create_ke(lib->crypto, group); - if (!r) + r[0] = lib->crypto->create_ke(lib->crypto, method); + if (!r[0]) { - printf("skipping %N, not supported\n", key_exchange_method_names, - group); + fprintf(stderr, "skipping %N, not supported\n", key_exchange_method_names, + method); return; } + assert(r[0]->get_public_key(r[0], &rpublic[0])); + for (round = 1; round < rounds; round++) + { + r[round] = lib->crypto->create_ke(lib->crypto, method); + assert(r[round]->get_public_key(r[round], &rpublic[round])); + } - printf("%N:\t", key_exchange_method_names, group); + printf("%N:\t", key_exchange_method_names, method); start_timing(&timing); for (round = 0; round < rounds; round++) { - l[round] = lib->crypto->create_ke(lib->crypto, group); - assert(l[round]->get_public_key(l[round], &chunks[round])); + l[round] = lib->crypto->create_ke(lib->crypto, method); + assert(l[round]->get_public_key(l[round], &lpublic[round])); } printf("A = g^a/s: %8.1f", rounds / end_timing(&timing)); for (round = 0; round < rounds; round++) { - assert(r->set_public_key(r, chunks[round])); - assert(r->get_shared_secret(r, &rsecrets[round])); - chunk_free(&chunks[round]); + assert(r[round]->set_public_key(r[round], lpublic[round])); + assert(r[round]->get_shared_secret(r[round], &rsecret[round])); + chunk_free(&lpublic[round]); } - assert(r->get_public_key(r, &chunk)); start_timing(&timing); for (round = 0; round < rounds; round++) { - assert(l[round]->set_public_key(l[round], chunk)); - assert(l[round]->get_shared_secret(l[round], 
&lsecrets[round])); + assert(l[round]->set_public_key(l[round], rpublic[round])); + assert(l[round]->get_shared_secret(l[round], &lsecret[round])); } printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing)); - chunk_free(&chunk); for (round = 0; round < rounds; round++) { - assert(chunk_equals(rsecrets[round], lsecrets[round])); - free(lsecrets[round].ptr); - free(rsecrets[round].ptr); + assert(chunk_equals(rsecret[round], lsecret[round])); + chunk_free(&lsecret[round]); + chunk_free(&rsecret[round]); + chunk_free(&rpublic[round]); l[round]->destroy(l[round]); + r[round]->destroy(r[round]); } - r->destroy(r); } int main(int argc, char *argv[]) { - int rounds, i, j; + const proposal_token_t *token; + int rounds, i; if (argc < 4) { @@ -134,20 +117,19 @@ for (i = 3; i < argc; i++) { - bool found = FALSE; - - for (j = 0; j < countof(groups); j++) + token = lib->proposal->get_token(lib->proposal, argv[i]); + if (!token) { - if (streq(groups[j].name, argv[i])) - { - run_test(groups[j].group, rounds); - found = TRUE; - } + fprintf(stderr, "KE method '%s' not found\n", argv[i]); + return 1; } - if (!found) + else if (token->type != KEY_EXCHANGE_METHOD) { - printf("group %s not found\n", argv[i]); + fprintf(stderr, "'%s' is not a KE method\n", argv[i]); + return 1; } + + run_test(token->algorithm, rounds); } return 0; } diff -Nru strongswan-5.9.8/scripts/Makefile.in strongswan-5.9.11/scripts/Makefile.in --- strongswan-5.9.8/scripts/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/scripts/Makefile.in 2023-06-12 05:50:38.000000000 +0000 
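Review bot: In run_test only r[0] is checked for NULL after create_ke(); the loop that fills r[1..rounds-1] dereferences each r[round] inside assert() without looking at the return value, so an allocation failure on a later round crashes instead of being reported the way the first round is. A guard such as `if (!r[round]) { fprintf(stderr, "failed to create %N\n", key_exchange_method_names, method); ... }` that destroys the already created r[0..round-1] and returns would keep the skip path consistent. Separately, every get_public_key/set_public_key/get_shared_secret call is wrapped in assert(), so a build with NDEBUG defined would not perform the exchange being timed at all; the pattern predates this hunk but the hunk adds more instances, and a comment stating that the tool must be built with assertions enabled would save the next reader a surprise. The two pointer VLAs and four chunk_t VLAs are sized by the caller-supplied rounds value (parsed in main outside the hunk, as far as is visible), so a very large count exhausts the stack where a heap allocation would not.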
@@ -508,7 +508,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/scripts/pubkey_speed.c strongswan-5.9.11/scripts/pubkey_speed.c
--- strongswan-5.9.8/scripts/pubkey_speed.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/scripts/pubkey_speed.c 2023-03-27 21:00:49.000000000 +0000
@@ -20,12 +20,12 @@
 #include
 #include
-void start_timing(struct timespec *start)
+static void start_timing(struct timespec *start)
 {
 clock_gettime(CLOCK_THREAD_CPUTIME_ID, start);
 }
-double end_timing(struct timespec *start)
+static double end_timing(struct timespec *start)
 {
 struct timespec end;
diff -Nru strongswan-5.9.8/src/aikgen/Makefile.in strongswan-5.9.11/src/aikgen/Makefile.in
--- strongswan-5.9.8/src/aikgen/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/src/aikgen/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -400,7 +400,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/charon/Makefile.in strongswan-5.9.11/src/charon/Makefile.in
--- strongswan-5.9.8/src/charon/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/src/charon/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -403,7 +403,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/charon-cmd/cmd/cmd_connection.c strongswan-5.9.11/src/charon-cmd/cmd/cmd_connection.c
--- strongswan-5.9.8/src/charon-cmd/cmd/cmd_connection.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/charon-cmd/cmd/cmd_connection.c 2023-05-06 07:16:02.000000000 +0000
@@ -439,7 +439,7 @@
 child_cfg = create_child_cfg(this, peer_cfg);
 if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
+ controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
 {
 terminate(pid);
 }
diff -Nru strongswan-5.9.8/src/charon-cmd/Makefile.in strongswan-5.9.11/src/charon-cmd/Makefile.in
--- strongswan-5.9.8/src/charon-cmd/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/src/charon-cmd/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -439,7 +439,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/charon-nm/charon-nm.c strongswan-5.9.11/src/charon-nm/charon-nm.c
--- strongswan-5.9.8/src/charon-nm/charon-nm.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/charon-nm/charon-nm.c 2023-03-27 21:00:49.000000000 +0000
@@ -195,6 +195,22 @@ lib->settings->set_default_str(lib->settings, "charon-nm.port", "0"); lib->settings->set_default_str(lib->settings, "charon-nm.port_nat_t", "0"); + /* install VIPs on lo as NM might modify the physical interface (this seems + * to affect IPv6 in particular), it actually installs the VIPs on the + * passed device again, but since that happens after we require them for + * installing routes, we install them ourselves too */ + lib->settings->set_default_str(lib->settings, + "charon-nm.install_virtual_ip_on", "lo"); + + /* install routes via XFRM interfaces, if we can use them */ + lib->settings->set_default_str(lib->settings, + "charon-nm.plugins.kernel-netlink.install_routes_xfrmi", "yes"); + /* bypass IKE traffic from these routes in case traffic selectors conflict */ + lib->settings->set_default_str(lib->settings, + "charon-nm.plugins.socket-default.fwmark", "220"); + lib->settings->set_default_str(lib->settings, + "charon-nm.plugins.kernel-netlink.fwmark", "!220"); + DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")"); if (lib->integrity) { diff -Nru strongswan-5.9.8/src/charon-nm/Makefile.in strongswan-5.9.11/src/charon-nm/Makefile.in --- strongswan-5.9.8/src/charon-nm/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/src/charon-nm/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -437,7 +437,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/charon-nm/nm/nm_service.c strongswan-5.9.11/src/charon-nm/nm/nm_service.c --- strongswan-5.9.8/src/charon-nm/nm/nm_service.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/charon-nm/nm/nm_service.c 2023-05-06 07:16:02.000000000 +0000 
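Review bot: The fwmark value 220 used for the new socket-default and kernel-netlink defaults is a bare constant with no note on how it was chosen or what happens when another firewall or VPN component on the same host already uses that mark for its own rules. The comment above the two calls could say so, e.g. `/* mark 220 is arbitrary; it must not collide with fwmarks used by other components on the host and can be overridden via the charon-nm.plugins.*.fwmark settings */`. Since the values go through set_default_str they remain user-overridable, which is worth stating next to the constant rather than leaving the reader to infer it. The enclosing function starts before the hunk and continues after it.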
@@ -1,7 +1,6 @@ /* * Copyright (C) 2017 Lubomir Rintel - * - * Copyright (C) 2013-2020 Tobias Brunner + * Copyright (C) 2013-2023 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +14,10 @@ * for more details. */ +#include +#include +#include + #include "nm_service.h" #include @@ -23,8 +26,9 @@ #include #include #include +#include -#include +#define XFRMI_DEFAULT_MTU 1400 /** * Private data of NMStrongswanPlugin @@ -40,7 +44,13 @@ nm_creds_t *creds; /* attribute handler for DNS/NBNS server information */ nm_handler_t *handler; - /* dummy TUN device */ + /* manager for XFRM interfaces, if supported */ + kernel_netlink_xfrmi_t *xfrmi_manager; + /* interface ID of XFRM interface */ + uint32_t xfrmi_id; + /* name of XFRM interface if one is used */ + char *xfrmi; + /* dummy TUN device if not using XFRM interface */ tun_device_t *tun; /* name of the connection */ char *name; @@ -108,6 +118,24 @@ } /** + * Destroy any allocated XFRM or TUN interface + */ +static void delete_interface(NMStrongswanPluginPrivate *priv) +{ + if (priv->xfrmi) + { + priv->xfrmi_manager->delete(priv->xfrmi_manager, priv->xfrmi); + free(priv->xfrmi); + priv->xfrmi = NULL; + } + if (priv->tun) + { + priv->tun->destroy(priv->tun); + priv->tun = NULL; + } +} + +/** * Signal IP config to NM, set connection as established */ static void signal_ip_config(NMVpnServicePlugin *plugin, 
@@ -127,21 +155,54 @@ handler = priv->handler; - /* NM apparently requires to know the gateway */ + /* NM apparently requires to know the gateway (it uses it to install a + * direct route via physical interface if conflicting routes are passed) */ other = ike_sa->get_other_host(ike_sa); g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY, host_to_variant(other)); /* systemd-resolved requires a device to properly install DNS servers, but - * Netkey does not use one. Passing the physical interface is not ideal, + * Netkey does not require one. Passing the physical interface is not ideal, * as NM fiddles around with it and systemd-resolved likes a separate - * device. So we pass a dummy TUN device along for NM etc. to play with... + * device. So we pass either an XFRM interface or a dummy TUN device along + * for NM etc. to play with... */ - if (priv->tun) + delete_interface(priv); + if (priv->xfrmi_manager && priv->xfrmi_id) + { + char name[IFNAMSIZ]; + int mtu; + + /* use the interface ID to get a unique name, fine if it's cut off */ + snprintf(name, sizeof(name), "nm-xfrm-%" PRIu32, priv->xfrmi_id); + mtu = lib->settings->get_int(lib->settings, "charon-nm.mtu", + XFRMI_DEFAULT_MTU); + + if (priv->xfrmi_manager->create(priv->xfrmi_manager, name, + priv->xfrmi_id, NULL, mtu)) + { + priv->xfrmi = strdup(name); + } + } + if (!priv->xfrmi) + { + priv->tun = tun_device_create(NULL); + } + if (priv->xfrmi) + { + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV, + g_variant_new_string (priv->xfrmi)); + } + else if (priv->tun) { g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV, g_variant_new_string (priv->tun->get_name(priv->tun))); } + else + { + DBG1(DBG_CFG, "failed to create XFRM or dummy TUN device, might affect " + "DNS server installation negatively"); + } /* pass the first virtual IPs we got or use the physical IP */ enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); 
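Review bot: When xfrmi_manager->create() fails, signal_ip_config silently falls back to a dummy TUN device; the only diagnostic in the hunk is the DBG1 on the path where neither interface exists, so an operator never learns that the XFRM interface was not used for this connection. A log line on the failed-create branch, e.g. `DBG1(DBG_CFG, "failed to create XFRM interface %s, falling back to TUN device", name);`, would make the degraded mode visible. The charon-nm.mtu value read from settings is handed to create() without range validation; unless the manager validates it (not visible here), a negative or tiny value goes straight from configuration to the interface, so a clamp or a comment stating where it is checked would help. signal_ip_config starts before the hunk and continues after it.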
@@ -184,18 +245,16 @@ host_to_variant(vip4)); g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, g_variant_new_uint32 (vip4->get_address(vip4).len * 8)); - - /* prevent NM from changing the default route. we set our own route in our - * own routing table - */ - g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, - g_variant_new_boolean (TRUE)); - g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS, handler_to_variant(handler, "au", INTERNAL_IP4_DNS)); - g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS, handler_to_variant(handler, "au", INTERNAL_IP4_NBNS)); + + /* prevent NM from changing the default route, as we set our own routes + * in a separate routing table + */ + g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, + g_variant_new_boolean (TRUE)); } if (vip6) @@ -204,11 +263,12 @@ host_to_variant(vip6)); g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX, g_variant_new_uint32 (vip6->get_address(vip6).len * 8)); - g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT, - g_variant_new_boolean (TRUE)); g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS, handler_to_variant(handler, "aay", INTERNAL_IP6_DNS)); /* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */ + + g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT, + g_variant_new_boolean (TRUE)); } ip4config = g_variant_builder_end (&ip4builder); @@ -646,6 +706,11 @@ NM_TYPE_SETTING_CONNECTION)); vpn = NM_SETTING_VPN(nm_connection_get_setting(connection, NM_TYPE_SETTING_VPN)); + if (priv->xfrmi_manager) + { + /* allocate a random interface ID */ + priv->xfrmi_id = random(); + } if (priv->name) { free(priv->name); 
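Review bot: `priv->xfrmi_id = random();` can yield 0, and the check `priv->xfrmi_manager && priv->xfrmi_id` in signal_ip_config treats 0 as "no ID", so a zero draw silently routes that connection to the TUN fallback; drawing until non-zero, `do { priv->xfrmi_id = random(); } while (!priv->xfrmi_id);`, removes the corner case. random() is a non-cryptographic generator; if, as it appears, the ID only needs to be unique among XFRM interfaces on the host rather than unpredictable, that is adequate, but the comment `/* allocate a random interface ID */` should say so, and should note that a collision with an existing interface ID is handled by the create() failure path. The enclosing function starts before the hunk and continues after it.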
@@ -655,11 +720,6 @@ priv->name); DBG4(DBG_CFG, "%s", nm_setting_to_string(NM_SETTING(vpn))); - if (!priv->tun) - { - DBG1(DBG_CFG, "failed to create dummy TUN device, might affect DNS " - "server installation negatively"); - } ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address"); if (!ike.remote || !*ike.remote) { @@ -989,7 +1049,7 @@ NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); enumerator_t *enumerator; ike_sa_t *ike_sa; - u_int id; + u_int id = 0; /* our ike_sa pointer might be invalid, lookup sa */ enumerator = charon->controller->create_ike_sa_enumerator( @@ -999,20 +1059,27 @@ if (priv->ike_sa == ike_sa) { id = ike_sa->get_unique_id(ike_sa); - enumerator->destroy(enumerator); - charon->controller->terminate_ike(charon->controller, id, FALSE, - controller_cb_empty, NULL, 0); - - /* clear secrets as we are asked for new secrets (where we'd find - * the cached secrets from earlier connections) before we clear - * them in connect() */ - priv->creds->clear(priv->creds); - return FALSE; + break; } } enumerator->destroy(enumerator); - g_debug("Connection not found."); + if (id) + { + charon->controller->terminate_ike(charon->controller, id, FALSE, + controller_cb_empty, NULL, LEVEL_SILENT, 0); + } + else + { + g_debug("Connection not found."); + } + + /* clear secrets as we are asked for new secrets (where we'd find the cached + * secrets from earlier connections) before we clear them in connect() */ + priv->creds->clear(priv->creds); + + /* delete any allocated interface */ + delete_interface(priv); return FALSE; } @@ -1044,8 +1111,7 @@ priv->listener.ike_reestablish_pre = _ike_reestablish_pre; priv->listener.ike_reestablish_post = _ike_reestablish_post; charon->bus->add_listener(charon->bus, &priv->listener); - priv->tun = tun_device_create(NULL); - priv->name = NULL; + priv->xfrmi_manager = lib->get(lib, KERNEL_NETLINK_XFRMI_MANAGER); } /** 
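Review bot: In need_secrets the rewritten lookup uses `id == 0` as the "not found" sentinel (initialised in the earlier `u_int id = 0;` hunk), which is correct only if ike_sa->get_unique_id() never returns 0 — nothing in the hunk establishes that, so either a comment on the declaration stating the assumption or a separate bool flag would make the intent explicit. The rewrite also moves creds->clear() and delete_interface() out of the found branch so they now run in the not-found case too, where the old code only logged; if that is intended, the comment above creds->clear() could say that secrets and the interface are cleared regardless of whether the IKE_SA was still present. The enclosing function starts before the hunk.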
@@ -1058,11 +1124,7 @@ plugin = NM_STRONGSWAN_PLUGIN(obj); priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); - if (priv->tun) - { - priv->tun->destroy(priv->tun); - priv->tun = NULL; - } + delete_interface(priv); G_OBJECT_CLASS (nm_strongswan_plugin_parent_class)->dispose (obj); } diff -Nru strongswan-5.9.8/src/charon-svc/Makefile.in strongswan-5.9.11/src/charon-svc/Makefile.in --- strongswan-5.9.8/src/charon-svc/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/src/charon-svc/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -400,7 +400,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/charon-systemd/charon-systemd.c strongswan-5.9.11/src/charon-systemd/charon-systemd.c --- strongswan-5.9.8/src/charon-systemd/charon-systemd.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/charon-systemd/charon-systemd.c 2023-05-06 07:16:02.000000000 +0000 @@ -368,6 +368,9 @@ charon->load_loggers(charon); + DBG1(DBG_DMN, "Starting charon-systemd IKE daemon (strongSwan "VERSION", " + "%s %s, %s)", utsname.sysname, utsname.release, utsname.machine); + if (!charon->initialize(charon, lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns))) { diff -Nru strongswan-5.9.8/src/charon-systemd/Makefile.in strongswan-5.9.11/src/charon-systemd/Makefile.in --- strongswan-5.9.8/src/charon-systemd/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/src/charon-systemd/Makefile.in 2023-06-12 05:50:38.000000000 +0000 
@@ -404,7 +404,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/charon-tkm/Makefile.am strongswan-5.9.11/src/charon-tkm/Makefile.am
--- strongswan-5.9.8/src/charon-tkm/Makefile.am 2022-03-11 11:01:49.000000000 +0000
+++ strongswan-5.9.11/src/charon-tkm/Makefile.am 2023-03-27 21:00:49.000000000 +0000
@@ -27,9 +27,12 @@
 PLUGINS = \
 kernel-netlink \
 pem \
+ pkcs1 \
+ random \
+ sha1 \
 socket-default \
- openssl \
- vici
+ vici \
+ x509
 all: build_charon
diff -Nru strongswan-5.9.8/src/charon-tkm/Makefile.in strongswan-5.9.11/src/charon-tkm/Makefile.in
--- strongswan-5.9.8/src/charon-tkm/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/src/charon-tkm/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -348,7 +348,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
@@ -407,9 +406,12 @@
 PLUGINS = \
 kernel-netlink \
 pem \
+ pkcs1 \
+ random \
+ sha1 \
 socket-default \
- openssl \
- vici
+ vici \
+ x509
 EXTRA_DIST = build_charon.gpr build_common.gpr build_tests.gpr src tests
 all: all-am
diff -Nru strongswan-5.9.8/src/charon-tkm/src/ehandler/eh_callbacks.c strongswan-5.9.11/src/charon-tkm/src/ehandler/eh_callbacks.c
--- strongswan-5.9.8/src/charon-tkm/src/ehandler/eh_callbacks.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/charon-tkm/src/ehandler/eh_callbacks.c 2023-03-27 21:00:49.000000000 +0000
@@ -24,6 +24,6 @@
 void charon_terminate(char *msg)
 {
 DBG1(DBG_DMN, "critical TKM error, terminating!");
- DBG1(DBG_DMN, msg);
+ DBG1(DBG_DMN, "%s", msg);
 kill(0, SIGTERM);
 }
diff -Nru strongswan-5.9.8/src/checksum/Makefile.in strongswan-5.9.11/src/checksum/Makefile.in
--- strongswan-5.9.8/src/checksum/Makefile.in 2022-10-03 14:18:04.000000000 +0000
+++ strongswan-5.9.11/src/checksum/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -475,7 +475,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/conftest/actions.c strongswan-5.9.11/src/conftest/actions.c
--- strongswan-5.9.8/src/conftest/actions.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/conftest/actions.c 2023-05-06 07:16:02.000000000 +0000
@@ -66,7 +66,7 @@
 {
 DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
 charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
- NULL, NULL, 0, FALSE);
+ NULL, NULL, 0, 0, FALSE);
 }
 else
 {
@@ -211,7 +211,7 @@
 {
 DBG1(DBG_CFG, "closing IKE_SA '%s'", config);
 charon->controller->terminate_ike(charon->controller, id, FALSE, NULL,
- NULL, 0);
+ NULL, 0, 0);
 }
 else
 {
@@ -251,7 +251,7 @@
 {
 DBG1(DBG_CFG, "closing CHILD_SA '%s'", config);
 charon->controller->terminate_child(charon->controller, id,
- NULL, NULL, 0);
+ NULL, NULL, 0, 0);
 }
 else
 {
diff -Nru strongswan-5.9.8/src/conftest/hooks/force_cookie.c strongswan-5.9.11/src/conftest/hooks/force_cookie.c
--- strongswan-5.9.8/src/conftest/hooks/force_cookie.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/conftest/hooks/force_cookie.c 2023-06-08 10:35:17.000000000 +0000
@@ -48,12 +48,13 @@ if (payload->get_type(payload) == PLV2_NOTIFY) { notify_payload_t *notify = (notify_payload_t*)payload; - chunk_t data; if (notify->get_notify_type(notify) == COOKIE) { - data = notify->get_notification_data(notify); +#if DEBUG_LEVEL >= 1 + chunk_t data = notify->get_notification_data(notify); DBG1(DBG_CFG, "received COOKIE: %#B", &data); +#endif has_cookie = TRUE; break; } diff -Nru strongswan-5.9.8/src/conftest/hooks/log_id.c strongswan-5.9.11/src/conftest/hooks/log_id.c --- strongswan-5.9.8/src/conftest/hooks/log_id.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/conftest/hooks/log_id.c 2023-06-08 10:35:17.000000000 +0000 @@ -35,6 +35,7 @@ private_log_id_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain) { +#if DEBUG_LEVEL >= 1 if (incoming && plain) { enumerator_t *enumerator; @@ -62,6 +63,9 @@ enumerator->destroy(enumerator); } return TRUE; +#else + return FALSE; +#endif } METHOD(hook_t, destroy, void, diff -Nru strongswan-5.9.8/src/conftest/hooks/log_ke.c strongswan-5.9.11/src/conftest/hooks/log_ke.c --- strongswan-5.9.8/src/conftest/hooks/log_ke.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/conftest/hooks/log_ke.c 2023-06-08 10:35:17.000000000 +0000 @@ -35,6 +35,7 @@ private_log_ke_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain) { +#if DEBUG_LEVEL >= 1 if (incoming && plain) { enumerator_t *enumerator; @@ -54,6 +55,9 @@ enumerator->destroy(enumerator); } return TRUE; +#else + return FALSE; +#endif } METHOD(hook_t, destroy, void, diff -Nru strongswan-5.9.8/src/conftest/hooks/log_ts.c strongswan-5.9.11/src/conftest/hooks/log_ts.c --- strongswan-5.9.8/src/conftest/hooks/log_ts.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/conftest/hooks/log_ts.c 2023-06-08 10:35:17.000000000 +0000 
@@ -35,6 +35,7 @@ private_log_ts_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain) { +#if DEBUG_LEVEL >= 1 if (incoming && plain) { enumerator_t *enumerator; @@ -77,6 +78,9 @@ enumerator->destroy(enumerator); } return TRUE; +#else + return FALSE; +#endif } METHOD(hook_t, destroy, void, diff -Nru strongswan-5.9.8/src/conftest/Makefile.in strongswan-5.9.11/src/conftest/Makefile.in --- strongswan-5.9.8/src/conftest/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/src/conftest/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/include/linux/netlink.h strongswan-5.9.11/src/include/linux/netlink.h --- strongswan-5.9.8/src/include/linux/netlink.h 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/include/linux/netlink.h 2023-03-27 21:00:49.000000000 +0000 @@ -67,6 +67,14 @@ #define NLM_F_CREATE 0x400 /* Create, if it does not exist */ #define NLM_F_APPEND 0x800 /* Add to end of list */ +/* Modifiers to DELETE request */ +#define NLM_F_NONREC 0x100 /* Do not delete recursively */ +#define NLM_F_BULK 0x200 /* Delete multiple objects */ + +/* Flags for ACK message */ +#define NLM_F_CAPPED 0x100 /* request was capped */ +#define NLM_F_ACK_TLVS 0x200 /* extended ACK TVLs were included */ + /* 4.4BSD ADD NLM_F_CREATE|NLM_F_EXCL 4.4BSD CHANGE NLM_F_REPLACE 
@@ -99,6 +107,45 @@ struct nlmsgerr { int error; struct nlmsghdr msg; + /* + * followed by the message contents unless NETLINK_CAP_ACK was set + * or the ACK indicates success (error == 0) + * message length is aligned with NLMSG_ALIGN() + */ + /* + * followed by TLVs defined in enum nlmsgerr_attrs + * if NETLINK_EXT_ACK was set + */ +}; + +/** + * enum nlmsgerr_attrs - nlmsgerr attributes + * @NLMSGERR_ATTR_UNUSED: unused + * @NLMSGERR_ATTR_MSG: error message string (string) + * @NLMSGERR_ATTR_OFFS: offset of the invalid attribute in the original + * message, counting from the beginning of the header (u32) + * @NLMSGERR_ATTR_COOKIE: arbitrary subsystem specific cookie to + * be used - in the success case - to identify a created + * object or operation or similar (binary) + * @NLMSGERR_ATTR_POLICY: policy for a rejected attribute + * @NLMSGERR_ATTR_MISS_TYPE: type of a missing required attribute, + * %NLMSGERR_ATTR_MISS_NEST will not be present if the attribute was + * missing at the message level + * @NLMSGERR_ATTR_MISS_NEST: offset of the nest where attribute was missing + * @__NLMSGERR_ATTR_MAX: number of attributes + * @NLMSGERR_ATTR_MAX: highest attribute number + */ +enum nlmsgerr_attrs { + NLMSGERR_ATTR_UNUSED, + NLMSGERR_ATTR_MSG, + NLMSGERR_ATTR_OFFS, + NLMSGERR_ATTR_COOKIE, + NLMSGERR_ATTR_POLICY, + NLMSGERR_ATTR_MISS_TYPE, + NLMSGERR_ATTR_MISS_NEST, + + __NLMSGERR_ATTR_MAX, + NLMSGERR_ATTR_MAX = __NLMSGERR_ATTR_MAX - 1 }; #define NETLINK_ADD_MEMBERSHIP 1 @@ -110,6 +157,8 @@ #define NETLINK_TX_RING 7 #define NETLINK_LISTEN_ALL_NSID 8 #define NETLINK_LIST_MEMBERSHIPS 9 +#define NETLINK_CAP_ACK 10 +#define NETLINK_EXT_ACK 11 struct nl_pktinfo { __u32 group; diff -Nru strongswan-5.9.8/src/include/linux/xfrm.h strongswan-5.9.11/src/include/linux/xfrm.h --- strongswan-5.9.8/src/include/linux/xfrm.h 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/include/linux/xfrm.h 2023-03-27 21:00:49.000000000 +0000 
@@ -288,7 +288,7 @@ XFRMA_ETIMER_THRESH, XFRMA_SRCADDR, /* xfrm_address_t */ XFRMA_COADDR, /* xfrm_address_t */ - XFRMA_LASTUSED, /* unsigned long */ + XFRMA_LASTUSED, /* __u64 */ XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */ XFRMA_MIGRATE, XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */ @@ -503,6 +503,7 @@ }; #define XFRM_OFFLOAD_IPV6 1 #define XFRM_OFFLOAD_INBOUND 2 +#define XFRM_OFFLOAD_PACKET 4 #ifndef __KERNEL__ /* backwards compatibility for userspace */ diff -Nru strongswan-5.9.8/src/include/Makefile.in strongswan-5.9.11/src/include/Makefile.in --- strongswan-5.9.8/src/include/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/src/include/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -348,7 +348,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/ipsec/_ipsec.8 strongswan-5.9.11/src/ipsec/_ipsec.8 --- strongswan-5.9.8/src/ipsec/_ipsec.8 2022-08-01 10:01:34.000000000 +0000 +++ strongswan-5.9.11/src/ipsec/_ipsec.8 2023-06-03 04:50:26.000000000 +0000 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.9.7" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.9.11dr3" "strongSwan" . .SH NAME . diff -Nru strongswan-5.9.8/src/ipsec/_ipsec.8.in strongswan-5.9.11/src/ipsec/_ipsec.8.in --- strongswan-5.9.8/src/ipsec/_ipsec.8.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/ipsec/_ipsec.8.in 2023-03-27 21:00:49.000000000 +0000 
@@ -145,25 +145,25 @@ .TP .BI "listcacerts [" --utc ] returns a list of X.509 Certification Authority (CA) certificates that were -loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP directory or received via the IKE protocol. . .TP .BI "listaacerts [" --utc ] returns a list of X.509 Authorization Authority (AA) certificates that were -loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP +loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP directory. . .TP .BI "listocspcerts [" --utc ] returns a list of X.509 OCSP Signer certificates that were either loaded -locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP directory or were sent by an OCSP server. . .TP .BI "listacerts [" --utc ] returns a list of X.509 Attribute certificates that were loaded locally by -the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory. . .TP .BI "listgroups [" --utc ] @@ -179,7 +179,7 @@ .TP .BI "listcrls [" --utc ] returns a list of Certificate Revocation Lists (CRLs) that were either loaded -by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from an HTTP- or LDAP-based CRL distribution point. . .TP @@ -211,7 +211,7 @@ .TP .B "rereadcacerts" removes previously loaded CA certificates, reads all certificate files -contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list +contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list of Certification Authority (CA) certificates. This does not affect certificates explicitly defined in a .BR ipsec.conf (5) 
@@ -220,23 +220,23 @@ .TP .B "rereadaacerts" removes previously loaded AA certificates, reads all certificate files -contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list +contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list of Authorization Authority (AA) certificates. . .TP .B "rereadocspcerts" -reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP +reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP directory and adds them to the list of OCSP signer certificates. . .TP .B "rereadacerts" -reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP +reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory and adds them to the list of attribute certificates. . .TP .B "rereadcrls" reads all Certificate Revocation Lists (CRLs) contained in the -\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. +\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs. . .TP .B "rereadall" diff -Nru strongswan-5.9.8/src/ipsec/Makefile.am strongswan-5.9.11/src/ipsec/Makefile.am --- strongswan-5.9.8/src/ipsec/Makefile.am 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/ipsec/Makefile.am 2023-03-27 21:00:49.000000000 +0000 @@ -10,6 +10,7 @@ -e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \ -e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ + -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ $(srcdir)/$@.in > $@ _ipsec : _ipsec.in diff -Nru strongswan-5.9.8/src/ipsec/Makefile.in strongswan-5.9.11/src/ipsec/Makefile.in --- strongswan-5.9.8/src/ipsec/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/ipsec/Makefile.in 2023-06-12 05:50:38.000000000 +0000 
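Review bot: The new sed expression `-e "s:@IPSEC_CONFDIR@:$(sysconfdir):"` in src/ipsec/Makefile.am carries no `g` flag, so only the first `@IPSEC_CONFDIR@` on a line is replaced, unlike the `@IPSEC_SCRIPT@` substitutions above it which use `:g`. Each line of `_ipsec.8.in` currently holds at most one occurrence, so the output is correct today, but a future edit putting two on one line would leave a literal `@IPSEC_CONFDIR@` in the installed man page; `-e "s:@IPSEC_CONFDIR@:$(sysconfdir):g"` is the safer form. The `:` delimiter also breaks if `$(sysconfdir)` ever contains a colon, a property the existing `@IPSEC_DIR@` line shares. The same line is mirrored in the generated src/ipsec/Makefile.in hunk below.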
@@ -381,7 +381,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ @@ -706,6 +705,7 @@ -e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \ -e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ + -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ $(srcdir)/$@.in > $@ _ipsec : _ipsec.in diff -Nru strongswan-5.9.8/src/libcharon/config/backend_manager.c strongswan-5.9.11/src/libcharon/config/backend_manager.c --- strongswan-5.9.8/src/libcharon/config/backend_manager.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/config/backend_manager.c 2023-06-08 10:35:17.000000000 +0000 @@ -196,7 +196,6 @@ ike_version_t version) { ike_cfg_t *current; - char *my_addr, *other_addr; enumerator_t *enumerator; ike_data_t *data; linked_list_t *configs; @@ -218,8 +217,10 @@ while (enumerator->enumerate(enumerator, ¤t)) { - my_addr = current->get_my_addr(current); - other_addr = current->get_other_addr(current); +#if DEBUG_LEVEL >= 2 + char *my_addr = current->get_my_addr(current); + char *other_addr = current->get_other_addr(current); +#endif match = get_ike_match(current, me, other, version); DBG3(DBG_CFG, "ike config match: %d (%s...%s %N)", match, my_addr, other_addr, ike_version_names, current->get_version(current)); @@ -249,7 +250,6 @@ linked_list_t *configs; ike_match_entry_t *entry; ike_cfg_t *found = NULL; - char *my_addr, *other_addr; DBG2(DBG_CFG, "looking for an %N config for %H...%H", ike_version_names, version, me, other); 
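Review bot: The `#if DEBUG_LEVEL >= 2` guard around the new `my_addr`/`other_addr` declarations in backend_manager.c does not match their only consumer, the `DBG3()` call that follows the `#endif`; if DBG3 is compiled out below DEBUG_LEVEL 3, as the `#if DEBUG_LEVEL >= 3` guard placed around the other DBG3 call later in this file suggests, a DEBUG_LEVEL 2 build defines both variables and never uses them, which trips -Wunused-variable. Raising the guard to `#if DEBUG_LEVEL >= 3`, or marking the declarations `DBG_UNUSED` as is done for `where` in the next hunk, keeps every level warning-free. The same level mismatch appears in generator.c below, where `offset_start` is declared under `#if DEBUG_LEVEL >= 2` but only read by a DBG3 call. The enclosing function begins outside the hunk.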
@@ -258,11 +258,9 @@ if (configs->get_first(configs, (void**)&entry) == SUCCESS) { found = entry->cfg->get_ref(entry->cfg); - - my_addr = found->get_my_addr(found); - other_addr = found->get_other_addr(found); DBG2(DBG_CFG, "found matching ike config: %s...%s with prio %d", - my_addr, other_addr, entry->match); + found->get_my_addr(found), found->get_other_addr(found), + entry->match); } ike_match_entry_list_destroy(configs); @@ -295,8 +293,7 @@ auth_cfg_t *auth; identification_t *candidate; id_match_t match = ID_MATCH_NONE; - char *where = local ? "local" : "remote"; - chunk_t data; + char *where DBG_UNUSED = local ? "local" : "remote"; if (!id) { @@ -326,9 +323,11 @@ } enumerator->destroy(enumerator); - data = id->get_encoding(id); +#if DEBUG_LEVEL >= 3 + chunk_t data = id->get_encoding(id); DBG3(DBG_CFG, " %s id match: %d (%N: %#B)", where, match, id_type_names, id->get_type(id), &data); +#endif return match; } @@ -452,14 +451,12 @@ ike_cfg_match_t match_ike; id_match_t match_peer_me, match_peer_other; match_entry_t *entry; - char *my_addr, *other_addr; match_ike = get_ike_match(ike_cfg, me, other, version); - my_addr = ike_cfg->get_my_addr(ike_cfg); - other_addr = ike_cfg->get_other_addr(ike_cfg); DBG3(DBG_CFG, "peer config \"%s\", ike match: %d (%s...%s %N)", - cfg->get_name(cfg), match_ike, my_addr, other_addr, - ike_version_names, ike_cfg->get_version(ike_cfg)); + cfg->get_name(cfg), match_ike, ike_cfg->get_my_addr(ike_cfg), + ike_cfg->get_other_addr(ike_cfg), ike_version_names, + ike_cfg->get_version(ike_cfg)); if (!match_ike) { diff -Nru strongswan-5.9.8/src/libcharon/config/child_cfg.c strongswan-5.9.11/src/libcharon/config/child_cfg.c --- strongswan-5.9.8/src/libcharon/config/child_cfg.c 2022-07-19 10:14:11.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/config/child_cfg.c 2023-03-27 21:00:49.000000000 +0000 
@@ -435,7 +435,7 @@ return rekey; } jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1; - return rekey - jitter * (random() / (RAND_MAX + 1.0)); + return rekey - (uint64_t)(min(jitter, rekey) * (random() / (RAND_MAX + 1.0))); } #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter) diff -Nru strongswan-5.9.8/src/libcharon/config/child_cfg.h strongswan-5.9.11/src/libcharon/config/child_cfg.h --- strongswan-5.9.8/src/libcharon/config/child_cfg.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/config/child_cfg.h 2023-05-06 07:16:02.000000000 +0000 @@ -281,8 +281,8 @@ * * @param labels list of labels to match * @param log FALSE to avoid logging details about the selection - * @param label[out] selected label or NULL if no label necessary - * @param exact[out] TRUE if there was an exact match + * @param[out] label selected label or NULL if no label necessary + * @param[out] exact TRUE if there was an exact match * @return FALSE on failure */ bool (*select_label)(child_cfg_t *this, linked_list_t *labels, bool log, diff -Nru strongswan-5.9.8/src/libcharon/config/ike_cfg.h strongswan-5.9.11/src/libcharon/config/ike_cfg.h --- strongswan-5.9.8/src/libcharon/config/ike_cfg.h 2022-07-26 18:48:35.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/config/ike_cfg.h 2023-03-27 21:00:49.000000000 +0000 
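Review bot: The `min(jitter, rekey)` cap is the actual fix here (the old expression could wrap the unsigned subtraction when jitter exceeded rekey), but the line does not say so, and the `jitter + 1` adjustment just above makes the cap easy to mistake for a redundancy. A comment such as `/* cap jitter at rekey so the unsigned subtraction can't wrap */` above the return would preserve the reasoning. The product is still computed in double before the `(uint64_t)` cast, so for values above 2^53 the result is only approximate; that seems acceptable for a lifetime jitter but is worth stating in the same comment. apply_jitter's signature is outside the hunk.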
@@ -68,6 +68,8 @@ enum childless_t { /** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs */ CHILDLESS_ALLOW, + /** Initiate childless IKE_SAs if supported, allow them as responder */ + CHILDLESS_PREFER, /** Don't accept childless IKE_SAs as responder, don't initiate them */ CHILDLESS_NEVER, /** Only accept the creation of childless IKE_SAs (also as responder) */ diff -Nru strongswan-5.9.8/src/libcharon/control/controller.c strongswan-5.9.11/src/libcharon/control/controller.c --- strongswan-5.9.8/src/libcharon/control/controller.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/control/controller.c 2023-05-06 07:16:02.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2019 Tobias Brunner + * Copyright (C) 2011-2023 Tobias Brunner * Copyright (C) 2007-2011 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -57,6 +57,11 @@ interface_listener_t *listener; /** + * Maximum log level to pass to callback + */ + level_t max_level; + + /** * interface callback (listener gets redirected to here) */ controller_cb_t callback; @@ -228,7 +233,7 @@ target = this->listener->ike_sa; this->listener->lock->unlock(this->listener->lock); - if (target == ike_sa) + if (target && target == ike_sa) { if (!this->callback(this->param, group, level, ike_sa, message)) { @@ -241,9 +246,7 @@ METHOD(logger_t, listener_get_level, level_t, interface_logger_t *this, debug_t group) { - /* in order to allow callback listeners to decide what they want to log - * we request any log message, but only if we actually want logging */ - return this->callback == controller_cb_empty ? LEVEL_SILENT : LEVEL_PRIVATE; + return this->max_level; } METHOD(job_t, get_priority_medium, job_priority_t, 
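Review bot: `CHILDLESS_PREFER` is inserted between `CHILDLESS_ALLOW` and `CHILDLESS_NEVER` in ike_cfg.h, which renumbers `CHILDLESS_NEVER` and the enumerator after it. That is harmless as long as `childless_t` is only compared symbolically, but any code that stores or transmits the integer value (a setting parsed by number, a persisted or IPC-serialised option) would silently change meaning; this diff gives no evidence either way, so it is worth confirming before release. Appending the new value at the end, or a comment on the enum stating that the numeric values are not stable, would remove the doubt.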
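Review bot: `listener_get_level` in controller.c now returns `this->max_level` unconditionally, dropping the old rule that an empty callback meant `LEVEL_SILENT`, so the responsibility for keeping the logger quiet moves to every caller of initiate/terminate_ike/terminate_child. Callers that pass no callback and a literal `0` (the conftest actions.c hunks earlier in this diff) therefore subscribe at level 0 instead of staying silent, unless the controller maps a NULL callback to LEVEL_SILENT somewhere outside these hunks. Either a comment on the new field, e.g. `/* callers without a callback should pass LEVEL_SILENT */`, or keeping the old guarantee with `return this->callback == controller_cb_empty ? LEVEL_SILENT : this->max_level;` would make the contract explicit.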
@@ -475,9 +478,13 @@ if (ike_sa->initiate(ike_sa, listener->child_cfg, NULL) == SUCCESS) { - if (!listener->logger.callback) - { + if (!listener->logger.callback || + (!listener->child_cfg && + ike_sa->get_state(ike_sa) != IKE_CONNECTING)) + { /* immediately return if we don't block or after re-initiating an + * existing IKE_SA childless */ listener->status = SUCCESS; + listener_done(listener); } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } @@ -492,7 +499,8 @@ METHOD(controller_t, initiate, status_t, private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, - controller_cb_t callback, void *param, u_int timeout, bool limits) + controller_cb_t callback, void *param, level_t max_level, u_int timeout, + bool limits) { interface_job_t *job; status_t status; @@ -508,6 +516,7 @@ .log = _listener_log, .get_level = _listener_get_level, }, + .max_level = max_level, .callback = callback, .param = param, }, @@ -583,7 +592,7 @@ METHOD(controller_t, terminate_ike, status_t, controller_t *this, uint32_t unique_id, bool force, - controller_cb_t callback, void *param, u_int timeout) + controller_cb_t callback, void *param, level_t max_level, u_int timeout) { interface_job_t *job; status_t status; @@ -598,6 +607,7 @@ .log = _listener_log, .get_level = _listener_get_level, }, + .max_level = max_level, .callback = callback, .param = param, }, @@ -684,7 +694,7 @@ METHOD(controller_t, terminate_child, status_t, controller_t *this, uint32_t unique_id, - controller_cb_t callback, void *param, u_int timeout) + controller_cb_t callback, void *param, level_t max_level, u_int timeout) { interface_job_t *job; status_t status; 
@@ -700,6 +710,7 @@ .log = _listener_log, .get_level = _listener_get_level, }, + .max_level = max_level, .callback = callback, .param = param, }, diff -Nru strongswan-5.9.8/src/libcharon/control/controller.h strongswan-5.9.11/src/libcharon/control/controller.h --- strongswan-5.9.8/src/libcharon/control/controller.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/control/controller.h 2023-05-06 07:16:02.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2007 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -82,6 +83,7 @@ * @param child_cfg optional child_cfg to set up CHILD_SA from * @param cb logging callback * @param param parameter to include in each call of cb + * @param max_level maximum log level for which cb is invoked * @param timeout timeout in ms to wait for callbacks, 0 to disable * @param limits whether to check limits regarding IKE_SA initiation * @return @@ -93,8 +95,8 @@ */ status_t (*initiate)(controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, - controller_cb_t callback, void *param, u_int timeout, - bool limits); + controller_cb_t callback, void *param, + level_t max_level, u_int timeout, bool limits); /** * Terminate an IKE_SA and all of its CHILD_SAs. @@ -110,6 +112,7 @@ * retransmits are sent until then * @param cb logging callback * @param param parameter to include in each call of cb + * @param max_level maximum log level for which cb is invoked * @param timeout timeout in ms to wait for callbacks, 0 to disable * @return * - SUCCESS, if CHILD_SA terminated @@ -119,7 +122,7 @@ */ status_t (*terminate_ike)(controller_t *this, uint32_t unique_id, bool force, controller_cb_t callback, void *param, - u_int timeout); + level_t max_level, u_int timeout); /** * Terminate a CHILD_SA. 
@@ -130,6 +133,7 @@ * @param unique_id CHILD_SA unique ID to terminate * @param cb logging callback * @param param parameter to include in each call of cb + * @param max_level maximum log level for which cb is invoked * @param timeout timeout in ms to wait for callbacks, 0 to disable * @return * - SUCCESS, if CHILD_SA terminated @@ -139,7 +143,7 @@ */ status_t (*terminate_child)(controller_t *this, uint32_t unique_id, controller_cb_t callback, void *param, - u_int timeout); + level_t max_level, u_int timeout); /** * Destroy a controller_t instance. diff -Nru strongswan-5.9.8/src/libcharon/encoding/generator.c strongswan-5.9.11/src/libcharon/encoding/generator.c --- strongswan-5.9.8/src/libcharon/encoding/generator.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/encoding/generator.c 2023-06-08 10:35:17.000000000 +0000 @@ -442,21 +442,20 @@ METHOD(generator_t, generate_payload, void, private_generator_t *this, payload_t *payload) { - int i, offset_start, rule_count; + int i, rule_count; encoding_rule_t *rules; - payload_type_t payload_type; - - this->data_struct = payload; - payload_type = payload->get_type(payload); - - offset_start = this->out_position - this->buffer; +#if DEBUG_LEVEL >= 2 + int offset_start = this->out_position - this->buffer; +#endif if (this->debug) { DBG2(DBG_ENC, "generating payload of type %N", - payload_type_names, payload_type); + payload_type_names, payload->get_type(payload)); } + this->data_struct = payload; + /* each payload has its own encoding rules */ rule_count = payload->get_encoding_rules(payload, &rules); 
@@ -559,7 +558,7 @@ if (this->debug) { DBG2(DBG_ENC, "generating %N payload finished", - payload_type_names, payload_type); + payload_type_names, payload->get_type(payload)); DBG3(DBG_ENC, "generated data for this payload %b", this->buffer + offset_start, (u_int)(this->out_position - this->buffer - offset_start)); diff -Nru strongswan-5.9.8/src/libcharon/encoding/message.c strongswan-5.9.11/src/libcharon/encoding/message.c --- strongswan-5.9.8/src/libcharon/encoding/message.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/encoding/message.c 2023-06-08 10:35:17.000000000 +0000 @@ -1270,6 +1270,7 @@ return notify; } +#if DEBUG_LEVEL >= 1 /** * get a string representation of the message */ @@ -1472,6 +1473,7 @@ snprintf(pos, len, " ]"); return buf; } +#endif METHOD(message_t, disable_sort, void, private_message_t *this) @@ -1668,7 +1670,6 @@ enumerator_t *enumerator; aead_t *aead = NULL; chunk_t hash = chunk_empty; - char str[BUF_LEN]; ike_header_t *ike_header; payload_t *payload, *next; bool encrypting = FALSE; @@ -1739,7 +1740,10 @@ enumerator->destroy(enumerator); } +#if DEBUG_LEVEL >= 1 + char str[BUF_LEN]; DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str))); +#endif if (keymat) { @@ -2627,7 +2631,6 @@ private_message_t *this, keymat_t *keymat) { status_t status = SUCCESS; - char str[BUF_LEN]; DBG2(DBG_ENC, "parsing body of message, first payload is %N", payload_type_names, this->first_payload); @@ -2665,7 +2668,10 @@ return status; } +#if DEBUG_LEVEL >= 1 + char str[BUF_LEN]; DBG1(DBG_ENC, "parsed %s", get_string(this, str, sizeof(str))); +#endif if (keymat && keymat->get_version(keymat) == IKEV1) { @@ -2856,7 +2862,6 @@ enumerator_t *enumerator; chunk_t data; uint16_t total, num; - size_t len; status_t status; if (!this->frag) 
@@ -2938,7 +2943,8 @@ /* we report the length of the complete IKE message when splitting, do the * same here, so add the IKEv2 header len to the reassembled payload data */ - len = 28; +#if DEBUG_LEVEL >= 1 + size_t len = 28; enumerator = create_payload_enumerator(this); while (enumerator->enumerate(enumerator, &payload)) { @@ -2948,6 +2954,8 @@ DBG1(DBG_ENC, "received fragment #%hu of %hu, reassembled fragmented IKE " "message (%zu bytes)", num, total, len); +#endif /* DEBUG_LEVEL */ + return SUCCESS; } diff -Nru strongswan-5.9.8/src/libcharon/kernel/kernel_interface.c strongswan-5.9.11/src/libcharon/kernel/kernel_interface.c --- strongswan-5.9.8/src/libcharon/kernel/kernel_interface.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/kernel/kernel_interface.c 2023-03-27 21:00:49.000000000 +0000 @@ -116,6 +116,11 @@ linked_list_t *listeners; /** + * Reqid to assign next + */ + uint32_t next_reqid; + + /** * Reqid entries indexed by reqids */ hashtable_t *reqids; @@ -373,9 +378,7 @@ mark_t mark_in, mark_t mark_out, uint32_t if_id_in, uint32_t if_id_out, sec_label_t *label, uint32_t *reqid) { - static uint32_t counter = 0; reqid_entry_t *entry = NULL, *tmpl; - status_t status = SUCCESS; INIT(tmpl, .local = array_from_ts_list(local_ts), @@ -415,7 +418,13 @@ entry = tmpl; if (!array_remove(this->released_reqids, ARRAY_HEAD, &entry->reqid)) { - entry->reqid = ++counter; + if (!this->next_reqid) + { + this->mutex->unlock(this->mutex); + reqid_entry_destroy(entry); + return OUT_OF_RES; + } + entry->reqid = this->next_reqid++; } this->reqids_by_ts->put(this->reqids_by_ts, entry, entry); this->reqids->put(this->reqids, entry, entry); @@ -425,7 +434,7 @@ entry->refs++; this->mutex->unlock(this->mutex); - return status; + return SUCCESS; } METHOD(kernel_interface_t, release_reqid, status_t, 
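Review bot: In kernel_interface.c's alloc_reqid, once `this->next_reqid++` wraps to 0 the counter never recovers, so after the space is consumed every allocation that finds nothing in `released_reqids` returns OUT_OF_RES for the remaining lifetime of the daemon. That is a defensible choice, since reqid 0 must never be handed out, but the comment on the `next_reqid` field should say so, e.g. `/* 0 means the reqid space is exhausted and allocation fails */`, and the OUT_OF_RES path deserves a `DBG1()` so an operator can tell exhaustion apart from other failures. alloc_reqid's header is outside the hunk.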
@@ -1105,6 +1114,8 @@ (hashtable_equals_t)equals_reqid, 8), .reqids_by_ts = hashtable_create((hashtable_hash_t)hash_reqid_by_ts, (hashtable_equals_t)equals_reqid_by_ts, 8), + .next_reqid = lib->settings->get_int(lib->settings, "%s.reqid_base", 1, + lib->ns) ?: 1, ); ifaces = lib->settings->get_str(lib->settings, diff -Nru strongswan-5.9.8/src/libcharon/kernel/kernel_interface.h strongswan-5.9.11/src/libcharon/kernel/kernel_interface.h --- strongswan-5.9.8/src/libcharon/kernel/kernel_interface.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/kernel/kernel_interface.h 2023-03-27 21:00:49.000000000 +0000 @@ -79,6 +79,8 @@ KERNEL_NO_POLICY_UPDATES = (1<<3), /** IPsec backend supports installing SPIs on policies */ KERNEL_POLICY_SPI = (1<<4), + /** IPsec backend reports use time per SA via query_sa() */ + KERNEL_SA_USE_TIME = (1<<5), }; /** @@ -147,7 +149,8 @@ * @param if_id_out outbound interface ID on SA * @param label security label (usually the one on the policy, not SA) * @param reqid allocated reqid - * @return SUCCESS if reqid allocated + * @return SUCCESS if reqid allocated, OUT_OF_RES if no reqid is + * available due to an overflow */ status_t (*alloc_reqid)(kernel_interface_t *this, linked_list_t *local_ts, linked_list_t *remote_ts, @@ -201,7 +204,11 @@ kernel_ipsec_update_sa_t *data); /** - * Query the number of bytes processed by an SA from the SAD. + * Query the number of bytes and packets processed by an SA from the SAD. + * + * Some implementations may also return the last use time (as indicated by + * get_features()). This is a monotonic timestamp as returned by + * time_monotonic(). * * @param id data identifying this SA * @param data data to query the SA 
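Review bot: The `reqid_base` setting is read with `get_int()` and stored straight into the `uint32_t next_reqid` field, and the `?: 1` fallback only catches 0. A negative value (a plausible typo in strongswan.conf) converts to 0xffffffff, so the first alloc_reqid() succeeds and every later one hits the new OUT_OF_RES path, a failure that is hard to trace back to the configuration. Clamping at load time, e.g. reading into an `int base` first and initialising with `.next_reqid = base > 0 ? base : 1,` together with a `DBG1()` warning when a value is rejected, makes the accepted range explicit; a very large base that leaves only a few reqids before exhaustion might merit the same warning.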
@@ -246,11 +253,12 @@ * Query the use time of a policy. * * The use time of a policy is the time the policy was used - * for the last time. + * for the last time. This is a monotonic timestamp as returned by + * time_monotonic(). * * @param id data identifying this policy * @param data data to query the policy - * @param[out] use_time the monotonic timestamp of this SA's last use + * @param[out] use_time the monotonic timestamp of this policy's last use * @return SUCCESS if operation completed */ status_t (*query_policy)(kernel_interface_t *this, diff -Nru strongswan-5.9.8/src/libcharon/kernel/kernel_ipsec.h strongswan-5.9.11/src/libcharon/kernel/kernel_ipsec.h --- strongswan-5.9.8/src/libcharon/kernel/kernel_ipsec.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/kernel/kernel_ipsec.h 2023-03-27 21:00:49.000000000 +0000 @@ -95,7 +95,7 @@ uint16_t cpi; /** TRUE to enable UDP encapsulation for NAT traversal */ bool encap; - /** no (disabled), yes (enabled), auto (enabled if supported) */ + /** HW offload mode */ hw_offload_t hw_offload; /** Mark the SA should apply to packets after processing */ mark_t mark; @@ -180,6 +180,8 @@ policy_priority_t prio; /** Manually-set priority (automatic if set to 0) */ uint32_t manual_prio; + /** HW offload mode */ + hw_offload_t hw_offload; /** Source address of the SA(s) tied to this policy */ host_t *src; /** Destination address of the SA(s) tied to this policy */ @@ -267,7 +269,11 @@ kernel_ipsec_update_sa_t *data); /** - * Query the number of bytes processed by an SA from the SAD. + * Query the number of bytes and packets processed by an SA from the SAD. + * + * Some implementations may also return the last use time (as indicated by + * get_features()). This is a monotonic timestamp as returned by + * time_monotonic(). * * @param id data identifying this SA * @param data data to query the SA 
@@ -312,12 +318,11 @@ * Query the use time of a policy. * * The use time of a policy is the time the policy was used for the last - * time. It is not the system time, but a monotonic timestamp as returned - * by time_monotonic. + * time. This is a monotonic timestamp as returned by time_monotonic(). * * @param id data identifying this policy * @param data data to query the policy - * @param[out] use_time the monotonic timestamp of this SA's last use + * @param[out] use_time the monotonic timestamp of this policy's last use * @return SUCCESS if operation completed */ status_t (*query_policy)(kernel_ipsec_t *this, diff -Nru strongswan-5.9.8/src/libcharon/Makefile.in strongswan-5.9.11/src/libcharon/Makefile.in --- strongswan-5.9.8/src/libcharon/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -1146,7 +1146,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/addrblock/Makefile.in strongswan-5.9.11/src/libcharon/plugins/addrblock/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/addrblock/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/addrblock/Makefile.in 2023-06-12 05:50:38.000000000 +0000 
@@ -435,7 +435,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/plugins/android_dns/Makefile.in strongswan-5.9.11/src/libcharon/plugins/android_dns/Makefile.in
--- strongswan-5.9.8/src/libcharon/plugins/android_dns/Makefile.in 2022-10-03 14:18:05.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/android_dns/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/plugins/android_log/Makefile.in strongswan-5.9.11/src/libcharon/plugins/android_log/Makefile.in
--- strongswan-5.9.8/src/libcharon/plugins/android_log/Makefile.in 2022-10-03 14:18:05.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/android_log/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/plugins/attr/Makefile.in strongswan-5.9.11/src/libcharon/plugins/attr/Makefile.in
--- strongswan-5.9.8/src/libcharon/plugins/attr/Makefile.in 2022-10-03 14:18:05.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/attr/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/plugins/attr_sql/Makefile.in strongswan-5.9.11/src/libcharon/plugins/attr_sql/Makefile.in
--- strongswan-5.9.8/src/libcharon/plugins/attr_sql/Makefile.in 2022-10-03 14:18:05.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/attr_sql/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/plugins/bypass_lan/Makefile.in strongswan-5.9.11/src/libcharon/plugins/bypass_lan/Makefile.in
--- strongswan-5.9.8/src/libcharon/plugins/bypass_lan/Makefile.in 2022-10-03 14:18:05.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/bypass_lan/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/plugins/certexpire/Makefile.in strongswan-5.9.11/src/libcharon/plugins/certexpire/Makefile.in
--- strongswan-5.9.8/src/libcharon/plugins/certexpire/Makefile.in 2022-10-03 14:18:05.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/certexpire/Makefile.in 2023-06-12 05:50:38.000000000 +0000
@@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/connmark/Makefile.in strongswan-5.9.11/src/libcharon/plugins/connmark/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/connmark/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/connmark/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/counters/Makefile.in strongswan-5.9.11/src/libcharon/plugins/counters/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/counters/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/counters/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/coupling/Makefile.in strongswan-5.9.11/src/libcharon/plugins/coupling/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/coupling/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/coupling/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/dhcp/dhcp_socket.c strongswan-5.9.11/src/libcharon/plugins/dhcp/dhcp_socket.c --- strongswan-5.9.8/src/libcharon/plugins/dhcp/dhcp_socket.c 2022-07-23 13:48:43.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/dhcp/dhcp_socket.c 2023-06-08 10:35:17.000000000 +0000 @@ -111,6 +111,11 @@ * Force configured destination address */ bool force_dst; + + /** + * Source IP if destination address is unicast + */ + struct sockaddr_in src; }; /** @@ -202,7 +207,6 @@ identification_t *identity; dhcp_option_t *option; int optlen = 0, remaining; - host_t *src; uint32_t id; memset(dhcp, 0, sizeof(*dhcp)); @@ -219,14 +223,8 @@ } else { - /* act as relay agent */ - src = charon->kernel->get_source_addr(charon->kernel, this->dst, NULL); - if (src) - { - memcpy(&dhcp->gateway_address, src->get_address(src).ptr, - sizeof(dhcp->gateway_address)); - src->destroy(src); - } + memcpy(&dhcp->gateway_address, &this->src.sin_addr, + sizeof(dhcp->gateway_address)); } identity = transaction->get_identity(transaction); @@ -306,13 +304,14 @@ { dhcp_option_t *option; dhcp_t dhcp; - chunk_t mac; int optlen; optlen = prepare_dhcp(this, transaction, DHCP_DISCOVER, &dhcp); - mac = chunk_from_thing(dhcp.client_hw_addr); +#if DEBUG_LEVEL >= 1 + chunk_t mac = chunk_from_thing(dhcp.client_hw_addr); DBG1(DBG_CFG, "sending DHCP DISCOVER for %#B to %H", &mac, this->dst); +#endif option = (dhcp_option_t*)&dhcp.options[optlen]; option->type = DHCP_PARAM_REQ_LIST; @@ -736,6 +735,7 @@ .s_addr = INADDR_ANY, }, }; + socklen_t addr_len; char *iface; int on = 1, rcvbuf = 0; struct sock_filter dhcp_filter_code[] = { 
@@ -887,6 +887,25 @@ destroy(this); return NULL; } + } + if (!is_broadcast(this->dst)) + { + if (connect(this->send, this->dst->get_sockaddr(this->dst), + *this->dst->get_sockaddr_len(this->dst)) < 0) + { + DBG1(DBG_CFG, "unable to connect DHCP send socket: %s", + strerror(errno)); + destroy(this); + return NULL; + } + addr_len = sizeof(this->src); + if (getsockname(this->send, &this->src, &addr_len) < 0) + { + DBG1(DBG_CFG, "unable to determine source address for DHCP: %s", + strerror(errno)); + destroy(this); + return NULL; + } } lib->watcher->add(lib->watcher, this->receive, WATCHER_READ, diff -Nru strongswan-5.9.8/src/libcharon/plugins/dhcp/Makefile.in strongswan-5.9.11/src/libcharon/plugins/dhcp/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/dhcp/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/dhcp/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/dnscert/Makefile.in strongswan-5.9.11/src/libcharon/plugins/dnscert/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/dnscert/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/dnscert/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
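Review bot: `getsockname()` is handed `&this->src`, a `struct sockaddr_in*`, where a `struct sockaddr*` is expected, and whatever comes back is later used as the DHCP relay address (giaddr) without checking what it is; cast the pointer and validate the result before `sin_addr` is trusted: `if (getsockname(this->send, (struct sockaddr*)&this->src, &addr_len) < 0 || addr_len != sizeof(this->src) || this->src.sin_family != AF_INET)`. Note that `connect()` on the send socket fixes the route once at socket creation, so the source address captured here goes stale if routing changes later, whereas the per-transaction `get_source_addr()` lookup this release removes followed the current route; if that trade-off is accepted, the `src` field's comment should say it is determined once when the socket is created. The enclosing constructor starts before this hunk.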
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/duplicheck/Makefile.in strongswan-5.9.11/src/libcharon/plugins/duplicheck/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/duplicheck/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/duplicheck/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -443,7 +443,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_aka/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_aka/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_aka/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_aka/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_aka_3gpp/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_aka_3gpp/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_aka_3gpp/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_aka_3gpp/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
@@ -444,7 +444,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_aka_3gpp/tests/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -429,7 +429,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -438,7 +438,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_dynamic/eap_dynamic.c strongswan-5.9.11/src/libcharon/plugins/eap_dynamic/eap_dynamic.c --- strongswan-5.9.8/src/libcharon/plugins/eap_dynamic/eap_dynamic.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_dynamic/eap_dynamic.c 2023-06-08 10:35:17.000000000 +0000 
@@ -118,7 +118,7 @@ { eap_vendor_type_t *entry; linked_list_t *outer = this->types, *inner = this->other_types; - char *who = "peer"; + char *who DBG_UNUSED = "peer"; if (this->other_types && this->prefer_peer) { diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_dynamic/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_dynamic/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_dynamic/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_dynamic/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_gtc/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_gtc/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_gtc/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_gtc/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_identity/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_identity/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_identity/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_identity/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_md5/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_md5/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_md5/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_md5/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c strongswan-5.9.11/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c --- strongswan-5.9.8/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c 2023-06-08 10:35:17.000000000 +0000 @@ -661,6 +661,7 @@ return utf16; } +#if DEBUG_LEVEL >= 1 /** * sanitize a string for printing */ @@ -678,6 +679,7 @@ } return str; } +#endif /* DEBUG_LEVEL */ /** * Returns a chunk of just the username part of the given user identity. @@ -966,7 +968,7 @@ eap_mschapv2_header_t *eap; chunk_t data; char *message, *token, *msg = NULL; - int message_len, error = 0; + int message_len, error DBG_UNUSED = 0; chunk_t challenge = chunk_empty; data = in->get_data(in); diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_mschapv2/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_mschapv2/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_mschapv2/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_mschapv2/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap.c strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap.c --- strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap.c 2023-03-27 21:00:49.000000000 +0000 @@ -181,6 +181,11 @@ free(this); return NULL; } + if (is_server) + { + eap_peap_server_t *server = (eap_peap_server_t*)application; + server->set_tls(server, tls); + } return &this->public; } diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap_peer.c strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap_peer.c --- strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap_peer.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap_peer.c 2023-06-08 10:35:17.000000000 +0000 @@ -191,7 +191,7 @@ { chunk_t data; eap_code_t code; - eap_type_t type; + eap_type_t type DBG_UNUSED; pen_t vendor; if (this->out) diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap_server.c strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap_server.c --- strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap_server.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap_server.c 2023-06-08 10:35:17.000000000 +0000 @@ -43,6 +43,11 @@ identification_t *peer; /** + * TLS connection + */ + tls_t *tls; + + /** * Current EAP-PEAP phase2 state */ bool start_phase2; 
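Review bot: The `set_tls()` call obtains the server object by casting `application` to `eap_peap_server_t*`, which is only valid if `application` is the first member of that struct; the struct layout is not in this hunk, so the assumption should at least be stated next to the cast, e.g. `/* application is the first member of eap_peap_server_t */`. If the server object is constructed earlier in this function, as the `is_server` branch suggests, keeping its typed pointer and calling `set_tls()` on that before it is stored as `tls_application_t*` avoids the down-cast entirely. The enclosing constructor starts before this hunk.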
@@ -338,19 +343,22 @@ { chunk_t data; eap_code_t code; - eap_type_t type; + eap_type_t type DBG_UNUSED; pen_t vendor; - if (this->ph2_method == NULL && this->start_phase2 && this->start_phase2_id) - { - /* - * Start Phase 2 with an EAP Identity request either piggybacked right - * onto the TLS Finished payload or delayed after the reception of an - * empty EAP Acknowledge message. + if (!this->ph2_method && this->start_phase2 && + (this->start_phase2_id || + this->tls->get_version_max(this->tls) >= TLS_1_3)) + { + /* for TLS < 1.3, either start Phase 2 with an EAP Identity request + * piggybacked right onto the TLS Finished payload or delayed after the + * reception of an empty EAP Acknowledge message. with TLS 1.3, Phase 2 + * is always started immediately as the client finishes the handshake + * after the server */ this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY, 0, EAP_SERVER, this->server, this->peer); - if (this->ph2_method == NULL) + if (!this->ph2_method) { DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_IDENTITY); @@ -393,6 +401,12 @@ return INVALID_STATE; } +METHOD(eap_peap_server_t, set_tls, void, + private_eap_peap_server_t *this, tls_t *tls) +{ + this->tls = tls; +} + METHOD(tls_application_t, destroy, void, private_eap_peap_server_t *this) { @@ -420,6 +434,7 @@ .build = _build, .destroy = _destroy, }, + .set_tls = _set_tls, }, .server = server->clone(server), .peer = peer->clone(peer), diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap_server.h strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap_server.h --- strongswan-5.9.8/src/libcharon/plugins/eap_peap/eap_peap_server.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_peap/eap_peap_server.h 2023-03-27 21:00:49.000000000 +0000 @@ -24,6 +24,7 @@ typedef struct eap_peap_server_t eap_peap_server_t; +#include "tls.h" #include "tls_application.h" #include 
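Review bot: The new condition dereferences `this->tls` unconditionally, but that field is only populated through the `set_tls()` method added below and stays NULL for any creator that never calls it, so a missing `set_tls()` becomes a crash in `build()`; guard it, `this->tls && this->tls->get_version_max(this->tls) >= TLS_1_3`, or fail in the constructor if the reference is mandatory. The check also presumes `get_version_max()` reports the negotiated version once the handshake is done rather than the configured ceiling; if it were the ceiling, a peer that negotiated TLS 1.2 under a 1.3 maximum would have Phase 2 started before its acknowledgement arrives, which is worth confirming against `tls_t` and stating in the comment. The enclosing `build` method continues outside this hunk.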
@@ -38,6 +39,14 @@ * Implements the TLS application data handler. */ tls_application_t application; + + /** + * Set a reference to the parent TLS connection this application is + * assigned to. + * + * @param tls TLS connection + */ + void (*set_tls)(eap_peap_server_t *this, tls_t *tls); }; /** diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_peap/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_peap/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_peap/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_peap/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -437,7 +437,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_radius/eap_radius_accounting.c strongswan-5.9.11/src/libcharon/plugins/eap_radius/eap_radius_accounting.c --- strongswan-5.9.8/src/libcharon/plugins/eap_radius/eap_radius_accounting.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_radius/eap_radius_accounting.c 2023-03-27 21:00:49.000000000 +0000 @@ -554,7 +554,7 @@ /** * Clean up interim data */ -void destroy_interim_data(interim_data_t *this) +static void destroy_interim_data(interim_data_t *this) { this->id->destroy(this->id); free(this); diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_radius/eap_radius.c strongswan-5.9.11/src/libcharon/plugins/eap_radius/eap_radius.c --- strongswan-5.9.8/src/libcharon/plugins/eap_radius/eap_radius.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_radius/eap_radius.c 2023-06-08 10:35:17.000000000 +0000 
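Review bot: The `set_tls` documentation does not say who owns the reference or when it must be set, which matters because the application is presumably owned by the very `tls_t` it now points back to, and `build()` in eap_peap_server.c dereferences the field without a NULL check. Extend the parameter description to something like `@param tls TLS connection (not owned by this object, must outlive it; call before the first build())` so a second caller of this interface neither destroys the connection first nor skips the call.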
@@ -334,7 +334,7 @@ { enumerator_t *enumerator; int type; - uint8_t tunnel_tag; + uint8_t tunnel_tag DBG_UNUSED; uint32_t tunnel_type; chunk_t filter_id = chunk_empty, data; bool is_esp_tunnel = FALSE; diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_radius/eap_radius_dae.c strongswan-5.9.11/src/libcharon/plugins/eap_radius/eap_radius_dae.c --- strongswan-5.9.8/src/libcharon/plugins/eap_radius/eap_radius_dae.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_radius/eap_radius_dae.c 2023-03-27 21:00:49.000000000 +0000 @@ -18,9 +18,6 @@ #include -#include -#include -#include #include #include diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_radius/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_radius/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_radius/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_radius/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -441,7 +441,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_sim/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_sim/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_sim/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_sim/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
@@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -438,7 +438,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_simaka_reauth/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_simaka_reauth/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_simaka_reauth/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_simaka_reauth/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -437,7 +437,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_simaka_sql/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_simaka_sql/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_simaka_sql/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_simaka_sql/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
@@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_sim_file/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_sim_file/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_sim_file/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_sim_file/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -438,7 +438,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_sim_pcsc/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_sim_pcsc/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_sim_pcsc/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_sim_pcsc/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -437,7 +437,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_tls/eap_tls.c strongswan-5.9.11/src/libcharon/plugins/eap_tls/eap_tls.c --- strongswan-5.9.8/src/libcharon/plugins/eap_tls/eap_tls.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_tls/eap_tls.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2023 Tobias Brunner * Copyright (C) 2010 Martin Willi * * Copyright (C) secunet Security Networks AG 
@@ -34,9 +35,20 @@ eap_tls_t public; /** - * TLS stack, wrapped by EAP helper + * TLS stack, wrapped by EAP helper below + */ + tls_t *tls; + + /** + * EAP helper */ tls_eap_t *tls_eap; + + /** + * Whether the "protected success indication" has been sent/received with + * TLS 1.3 + */ + bool indication_sent_received; }; /** Maximum number of EAP-TLS messages/fragments allowed */ @@ -84,10 +96,19 @@ METHOD(eap_method_t, get_msk, status_t, private_eap_tls_t *this, chunk_t *msk) { - *msk = this->tls_eap->get_msk(this->tls_eap); - if (msk->len) + if (this->tls->get_version_max(this->tls) < TLS_1_3 || + this->indication_sent_received) { - return SUCCESS; + *msk = this->tls_eap->get_msk(this->tls_eap); + if (msk->len) + { + return SUCCESS; + } + } + else + { + DBG1(DBG_TLS, "missing protected success indication for EAP-TLS with " + "%N", tls_version_names, this->tls->get_version_max(this->tls)); } return FAILED; } 
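Review bot: On the TLS 1.3 failure path `get_msk()` returns FAILED while leaving `*msk` untouched, whereas the other path always assigns it before testing `msk->len`; setting `*msk = chunk_empty;` in the else branch keeps the output uniform for callers that inspect it after a failure. The condition also relies on `get_version_max()` meaning the negotiated version after the handshake rather than the configured maximum; if it were the maximum, a client that negotiated TLS 1.2 under a 1.3 ceiling would never see `indication_sent_received` set (the client-side application only sets it when the 1.3 indication arrives) and would always fail here, so that semantic deserves confirmation and a sentence on the new `indication_sent_received` field.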
@@ -124,16 +145,142 @@ } /** + * Application to send/process the "protected success indication" with TLS 1.3 + * as specified in RFC 9190 + */ +typedef struct { + + /** + * Public interface + */ + tls_application_t public; + + /** + * Reference to the EAP-TLS object + */ + private_eap_tls_t *this; + + /** + * Whether the server sent the indication + */ + bool indication_sent; + +} eap_tls_app_t; + +METHOD(tls_application_t, server_process, status_t, + eap_tls_app_t *app, bio_reader_t *reader) +{ + /* we don't expect any data from the client, the empty response to our + * indication is handled as ACK in tls_eap_t */ + DBG1(DBG_TLS, "peer sent unexpected TLS data"); + return FAILED; +} + +METHOD(tls_application_t, server_build, status_t, + eap_tls_app_t *app, bio_writer_t *writer) +{ + if (app->this->indication_sent_received) + { + return SUCCESS; + } + if (app->this->tls->get_version_max(app->this->tls) >= TLS_1_3) + { + /* build() is called twice when sending the indication, return the same + * status but data only once */ + if (app->indication_sent) + { + app->this->indication_sent_received = TRUE; + } + else + { /* send a single 0x00 */ + DBG2(DBG_TLS, "sending protected success indication via TLS"); + writer->write_uint8(writer, 0); + app->indication_sent = TRUE; + } + } + else + { + /* with earlier TLS versions, return INVALID_STATE without data to send + * the final handshake messages (returning SUCCESS immediately would + * prevent that) */ + app->this->indication_sent_received = TRUE; + } + return INVALID_STATE; +} + +METHOD(tls_application_t, client_process, status_t, + eap_tls_app_t *app, bio_reader_t *reader) +{ + uint8_t indication; + + if (app->this->tls->get_version_max(app->this->tls) < TLS_1_3 || + app->this->indication_sent_received) + { + DBG1(DBG_TLS, "peer sent unexpected TLS data"); + return FAILED; + } + if (!reader->read_uint8(reader, &indication) || indication != 0) + { + DBG1(DBG_TLS, "received incorrect protected success indication via 
TLS"); + return FAILED; + } + DBG2(DBG_TLS, "received protected success indication via TLS"); + app->this->indication_sent_received = TRUE; + return NEED_MORE; +} + +METHOD(tls_application_t, client_build, status_t, + eap_tls_app_t *app, bio_writer_t *writer) +{ + if (app->this->tls->get_version_max(app->this->tls) < TLS_1_3 || + app->this->indication_sent_received) + { /* trigger an empty response/ACK */ + return INVALID_STATE; + } + return FAILED; +} + +METHOD(tls_application_t, app_destroy, void, + eap_tls_app_t *this) +{ + free(this); +} + +/** + * Create the server/peer implementation to handle the "protected success + * indication" with TLS 1.3 + */ +tls_application_t *eap_tls_app_create(private_eap_tls_t *this, bool is_server) +{ + eap_tls_app_t *app; + + INIT(app, + .public = { + .process = _client_process, + .build = _client_build, + .destroy = _app_destroy, + }, + .this = this, + ); + if (is_server) + { + app->public.process = _server_process; + app->public.build = _server_build; + } + return &app->public; +} + +/** * Generic private constructor */ static eap_tls_t *eap_tls_create(identification_t *server, identification_t *peer, bool is_server) { private_eap_tls_t *this; + tls_application_t *app; size_t frag_size; int max_msg_count; bool include_length; - tls_t *tls; INIT(this, .public = { 
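Review bot: `eap_tls_app_create()` is a file-local helper with external linkage; declare it `static tls_application_t *eap_tls_app_create(private_eap_tls_t *this, bool is_server)` so the unprefixed name does not land in the plugin's global symbol table (this release makes the same fix for `destroy_interim_data` in eap_radius_accounting.c). In `client_process()` the indication is accepted as soon as the first byte is 0x00 and anything after it in the same record is silently discarded; RFC 9190 defines the commitment message as exactly one byte, so rejecting a non-empty remainder after `read_uint8()` would be stricter, provided `bio_reader_t` exposes a remaining-length accessor. The two-call behaviour that `server_build()` depends on ("build() is called twice") is a property of the driving `tls_eap_t` loop, and a short note saying where the second call comes from would help the next reader.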
@@ -159,9 +306,11 @@ lib->ns); include_length = lib->settings->get_bool(lib->settings, "%s.plugins.eap-tls.include_length", TRUE, lib->ns); - tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL, NULL, 0); - this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count, - include_length); + app = eap_tls_app_create(this, is_server); + this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, app, + NULL, 0); + this->tls_eap = tls_eap_create(EAP_TLS, this->tls, frag_size, max_msg_count, + include_length); if (!this->tls_eap) { free(this); diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_tls/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_tls/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_tls/Makefile.in 2022-10-03 14:18:05.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_tls/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_tnc/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_tnc/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_tnc/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_tnc/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
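Review bot: `app` is created before `tls_create()` and is presumably taken over by the returned `tls_t`, so if `tls_create()` can return NULL, or `tls_eap_create()` fails without destroying the `tls_t` it was handed, the application object leaks on the `free(this)` path; either confirm both constructors take ownership on failure or destroy `app` and `this->tls` explicitly before `free(this)`. The `app->this` back-reference also means the application must never outlive the `private_eap_tls_t`, which holds only if `destroy()` (outside this hunk) tears down `tls_eap` and with it the `tls_t`; a one-line comment on the `this` field stating that lifetime rule would make it explicit. The enclosing constructor starts before and ends after this hunk.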
@@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c strongswan-5.9.11/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c --- strongswan-5.9.8/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c 2023-06-08 10:35:17.000000000 +0000 @@ -79,7 +79,7 @@ pen_t vendor, received_vendor; uint16_t eap_len; size_t eap_pos = 0; - bool concatenated = FALSE; + bool concatenated DBG_UNUSED = FALSE; do { @@ -239,9 +239,6 @@ private_eap_ttls_peer_t *this, bio_writer_t *writer) { chunk_t data; - eap_code_t code; - eap_type_t type; - pen_t vendor; if (this->method == NULL && this->start_phase2) { @@ -261,11 +258,13 @@ if (this->out) { - code = this->out->get_code(this->out); - type = this->out->get_type(this->out, &vendor); +#if DEBUG_LEVEL >= 1 + pen_t vendor; + eap_code_t code = this->out->get_code(this->out); + eap_type_t type = this->out->get_type(this->out, &vendor); DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]", - eap_code_short_names, code, eap_type_short_names, type); - + eap_code_short_names, code, eap_type_short_names, type); +#endif /* get the raw EAP message data */ data = this->out->get_data(this->out); this->avp->build(this->avp, writer, data); diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_ttls/eap_ttls_server.c strongswan-5.9.11/src/libcharon/plugins/eap_ttls/eap_ttls_server.c --- strongswan-5.9.8/src/libcharon/plugins/eap_ttls/eap_ttls_server.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_ttls/eap_ttls_server.c 2023-06-08 10:35:17.000000000 +0000 
@@ -308,9 +308,6 @@ private_eap_ttls_server_t *this, bio_writer_t *writer) { chunk_t data; - eap_code_t code; - eap_type_t type; - pen_t vendor; if (this->method == NULL && this->start_phase2 && lib->settings->get_bool(lib->settings, @@ -333,10 +330,13 @@ if (this->out) { - code = this->out->get_code(this->out); - type = this->out->get_type(this->out, &vendor); +#if DEBUG_LEVEL >= 1 + pen_t vendor; + eap_code_t code = this->out->get_code(this->out); + eap_type_t type = this->out->get_type(this->out, &vendor); DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]", - eap_code_short_names, code, eap_type_short_names, type); + eap_code_short_names, code, eap_type_short_names, type); +#endif /* get the raw EAP message data */ data = this->out->get_data(this->out); diff -Nru strongswan-5.9.8/src/libcharon/plugins/eap_ttls/Makefile.in strongswan-5.9.11/src/libcharon/plugins/eap_ttls/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/eap_ttls/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/eap_ttls/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -438,7 +438,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/error_notify/error_notify.c strongswan-5.9.11/src/libcharon/plugins/error_notify/error_notify.c --- strongswan-5.9.8/src/libcharon/plugins/error_notify/error_notify.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/error_notify/error_notify.c 2023-03-27 21:00:49.000000000 +0000 
@@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include diff -Nru strongswan-5.9.8/src/libcharon/plugins/error_notify/Makefile.in strongswan-5.9.11/src/libcharon/plugins/error_notify/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/error_notify/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/error_notify/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -444,7 +444,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/ext_auth/Makefile.in strongswan-5.9.11/src/libcharon/plugins/ext_auth/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/ext_auth/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ext_auth/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/farp/farp_spoofer.c strongswan-5.9.11/src/libcharon/plugins/farp/farp_spoofer.c --- strongswan-5.9.8/src/libcharon/plugins/farp/farp_spoofer.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/farp/farp_spoofer.c 2023-03-27 21:00:49.000000000 +0000 @@ -411,7 +411,6 @@ farp_handler_t *handler, int fd, watcher_event_t event) { struct bpf_hdr *bh; - struct ether_header *eh; arp_t *a; host_t *lcl, *rmt; uint8_t *p = handler->bufdat; 
@@ -428,7 +427,6 @@ while (p < handler->bufdat + n) { bh = (struct bpf_hdr*)p; - eh = (struct ether_header*)(p + bh->bh_hdrlen); a = (arp_t*)(p + bh->bh_hdrlen + sizeof(struct ether_header)); lcl = host_create_from_chunk(AF_INET, chunk_create(a->sender_ip, 4), 0); diff -Nru strongswan-5.9.8/src/libcharon/plugins/farp/Makefile.in strongswan-5.9.11/src/libcharon/plugins/farp/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/farp/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/farp/Makefile.in 2023-06-12 05:50:39.000000000 +0000 @@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/forecast/forecast_forwarder.c strongswan-5.9.11/src/libcharon/plugins/forecast/forecast_forwarder.c --- strongswan-5.9.8/src/libcharon/plugins/forecast/forecast_forwarder.c 2022-07-19 10:14:11.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/forecast/forecast_forwarder.c 2023-06-08 10:35:17.000000000 +0000 @@ -162,7 +162,7 @@ struct iphdr hdr; char data[2048]; } buf; - char *type; + char *type DBG_UNUSED; ssize_t len; u_int mark, origin = 0; host_t *src, *dst; diff -Nru strongswan-5.9.8/src/libcharon/plugins/forecast/Makefile.in strongswan-5.9.11/src/libcharon/plugins/forecast/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/forecast/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/forecast/Makefile.in 2023-06-12 05:50:39.000000000 +0000 
@@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/ha/ha_child.c strongswan-5.9.11/src/libcharon/plugins/ha/ha_child.c --- strongswan-5.9.8/src/libcharon/plugins/ha/ha_child.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ha/ha_child.c 2023-06-08 10:35:17.000000000 +0000 @@ -60,7 +60,6 @@ linked_list_t *local_ts, *remote_ts; enumerator_t *enumerator; traffic_selector_t *ts; - u_int seg_i, seg_o; if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa)) { /* do not sync SA between nodes */ @@ -127,6 +126,9 @@ } enumerator->destroy(enumerator); +#if DEBUG_LEVEL >= 1 + u_int seg_i, seg_o; + seg_i = this->kernel->get_segment_spi(this->kernel, ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE)); seg_o = this->kernel->get_segment_spi(this->kernel, @@ -136,6 +138,7 @@ child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); +#endif /* DEBUG_LEVEL */ local_ts->destroy(local_ts); remote_ts->destroy(remote_ts); diff -Nru strongswan-5.9.8/src/libcharon/plugins/ha/ha_dispatcher.c strongswan-5.9.11/src/libcharon/plugins/ha/ha_dispatcher.c --- strongswan-5.9.8/src/libcharon/plugins/ha/ha_dispatcher.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ha/ha_dispatcher.c 2023-06-08 10:35:17.000000000 +0000 @@ -658,7 +658,6 @@ uint8_t mode = MODE_TUNNEL, ipcomp = 0; uint16_t encr = 0, integ = 0, len = 0, dh_grp = 0; uint16_t esn = NO_EXT_SEQ_NUMBERS; - u_int seg_i, seg_o; chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty; chunk_t encr_i, integ_i, encr_r, integ_r; linked_list_t *local_ts, *remote_ts; 
@@ -858,16 +857,20 @@ return; } +#if DEBUG_LEVEL >= 1 + u_int seg_i, seg_o; + seg_i = this->kernel->get_segment_spi(this->kernel, ike_sa->get_my_host(ike_sa), inbound_spi); seg_o = this->kernel->get_segment_spi(this->kernel, ike_sa->get_other_host(ike_sa), outbound_spi); - DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R === %#R " "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), local_ts, remote_ts, seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); +#endif /* DEBUG_LEVEL */ + child_sa->install_policies(child_sa); local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy)); remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy)); diff -Nru strongswan-5.9.8/src/libcharon/plugins/ha/Makefile.in strongswan-5.9.11/src/libcharon/plugins/ha/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/ha/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ha/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -439,7 +439,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/ipseckey/ipseckey.c strongswan-5.9.11/src/libcharon/plugins/ipseckey/ipseckey.c --- strongswan-5.9.8/src/libcharon/plugins/ipseckey/ipseckey.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ipseckey/ipseckey.c 2023-04-19 02:21:27.000000000 +0000 
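Review bot: The `#if DEBUG_LEVEL >= 1` guard added before `child_sa->install_policies(child_sa)` compiles out not only the DBG1 call but also the two `get_segment_spi()` lookups feeding it, which is only safe if those lookups have no side effects beyond their return value; the hunk cannot show that, although the calls read as plain queries. A comment above the guard, `/* segment lookups are only needed for the log message */`, would record that assumption for the next reader. The log line also still reports "installed HA CHILD_SA" before `install_policies()` has run, so moving the guarded block after that call would make it truthful. The enclosing function starts outside the hunk.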
@@ -207,4 +207,3 @@ reader->destroy(reader); return &this->public; } - diff -Nru strongswan-5.9.8/src/libcharon/plugins/ipseckey/ipseckey_cred.c strongswan-5.9.11/src/libcharon/plugins/ipseckey/ipseckey_cred.c --- strongswan-5.9.8/src/libcharon/plugins/ipseckey/ipseckey_cred.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ipseckey/ipseckey_cred.c 2023-04-19 02:21:27.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2013-2023 Tobias Brunner * Copyright (C) 2012 Reto Guadagnini * * Copyright (C) secunet Security Networks AG @@ -22,6 +22,8 @@ #include "ipseckey_cred.h" #include "ipseckey.h" +#include +#include #include typedef struct private_ipseckey_cred_t private_ipseckey_cred_t; @@ -69,13 +71,17 @@ ipseckey_t *cur_ipseckey; public_key_t *public; rr_t *cur_rr; - chunk_t key; + chunk_t key, parsed_key; VA_ARGS_VGET(args, cert); /* Get the next supported IPSECKEY using the inner enumerator. */ while (this->inner->enumerate(this->inner, &cur_rr)) { + key_type_t type = KEY_ANY; + builder_part_t subtype = BUILD_BLOB_DNSKEY; + int curve = 0; + cur_ipseckey = ipseckey_create_frm_rr(cur_rr); if (!cur_ipseckey) 
@@ -84,7 +90,62 @@ continue; } - if (cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA) + key = parsed_key = cur_ipseckey->get_public_key(cur_ipseckey); + + switch (cur_ipseckey->get_algorithm(cur_ipseckey)) + { + case IPSECKEY_ALGORITHM_RSA: + type = KEY_RSA; + break; + case IPSECKEY_ALGORITHM_ECDSA: + /* the format in RFC 8005 is defined as the algorithm-specific + * part of the encoding defined in RFC 6605 (i.e. everything + * after the first four octets), which in turn is the + * uncompressed curve point Q i.e. "x | y". as RFC 6605 has + * different algorithm identifiers for P-256 and P-384 but + * RFC 8005 does not, we don't have an identifier for the curve. + * but since only two curves are currently specified for DNSSEC, + * we guess the curve from the key's length */ + if (key.len == 64) + { + curve = OID_PRIME256V1; + } + else if (key.len == 96) + { + curve = OID_SECT384R1; + } + if (curve) + { + type = KEY_ECDSA; + subtype = BUILD_BLOB_ASN1_DER; + /* we currently can only parse complete subjectPublicKeyInfo + * structures for ECDSA keys */ + key = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_EC_PUBLICKEY), + asn1_build_known_oid(curve)), + asn1_bitstring("m", + chunk_cat("cc", chunk_from_chars(0x04), key))); + } + break; + case IPSECKEY_ALGORITHM_EDDSA: + /* similar to ECDSA, we don't know the exact type, so we use the + * key length again */ + subtype = BUILD_EDDSA_PUB; + if (key.len == 32) + { + type = KEY_ED25519; + } + else if (key.len == 57) + { + type = KEY_ED448; + } + break; + default: + break; + } + + if (type == KEY_ANY) { DBG1(DBG_CFG, " unsupported IPSECKEY algorithm, skipping"); cur_ipseckey->destroy(cur_ipseckey); 
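Review bot: An ECDSA or EdDSA IPSECKEY whose length matches none of the expected sizes leaves `type == KEY_ANY` and falls into the existing message `unsupported IPSECKEY algorithm, skipping`, which misreports a supported algorithm with an unexpected (possibly truncated) key as an unsupported one. Logging both facts, e.g. `DBG1(DBG_CFG, " unsupported IPSECKEY algorithm %d or key length %zu, skipping", cur_ipseckey->get_algorithm(cur_ipseckey), key.len);`, would make DNS-side problems diagnosable. Guessing the curve from the length is a reasonable reading of RFC 8005, but whether a 64-byte point that is not actually on P-256 gets rejected depends entirely on the backend that parses the generated SubjectPublicKeyInfo, which the comment could state explicitly. The enclosing enumerate function starts outside the hunk.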
@@ -93,10 +154,12 @@ /* wrap the key of the IPSECKEY in a certificate and return this * certificate */ - key = cur_ipseckey->get_public_key(cur_ipseckey); - public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, - BUILD_BLOB_DNSKEY, key, - BUILD_END); + public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type, + subtype, key, BUILD_END); + if (key.ptr != parsed_key.ptr) + { + chunk_free(&key); + } cur_ipseckey->destroy(cur_ipseckey); if (!public) { diff -Nru strongswan-5.9.8/src/libcharon/plugins/ipseckey/ipseckey.h strongswan-5.9.11/src/libcharon/plugins/ipseckey/ipseckey.h --- strongswan-5.9.8/src/libcharon/plugins/ipseckey/ipseckey.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ipseckey/ipseckey.h 2023-04-19 02:21:27.000000000 +0000 @@ -52,6 +52,10 @@ IPSECKEY_ALGORITHM_DSA = 1, /** RSA key */ IPSECKEY_ALGORITHM_RSA = 2, + /** ECDSA key (RFC 8005) */ + IPSECKEY_ALGORITHM_ECDSA = 3, + /** EdDSA key (RFC 9373) */ + IPSECKEY_ALGORITHM_EDDSA = 4, }; /** diff -Nru strongswan-5.9.8/src/libcharon/plugins/ipseckey/Makefile.in strongswan-5.9.11/src/libcharon/plugins/ipseckey/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/ipseckey/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/ipseckey/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_iph/Makefile.in strongswan-5.9.11/src/libcharon/plugins/kernel_iph/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/kernel_iph/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_iph/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
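Review bot: `if (key.ptr != parsed_key.ptr) { chunk_free(&key); }` makes pointer identity the ownership test, so a reader has to scan back to the ECDSA case of the switch to see that `key` was replaced there by a fresh `asn1_wrap()` allocation; the condition would also silently stop freeing if a future branch re-pointed `key` without allocating. A separate `chunk_t wrapped = chunk_empty;` that receives the asn1_wrap() result (followed by `key = wrapped;`) and is unconditionally `chunk_free(&wrapped)`d after `create()` expresses the ownership directly. The enclosing enumerate function starts outside the hunk.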
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
--- strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,351 @@ +/* + * Copyright (C) 2023 Tobias Brunner + * + * Copyright (C) secunet Security Networks AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* for struct in6_pktinfo */ +#define _GNU_SOURCE + +#include "kernel_libipsec_esp_handler.h" + +#ifdef __linux__ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +typedef struct private_kernel_libipsec_esp_handler_t private_kernel_libipsec_esp_handler_t; + +/** + * Private data + */ +struct private_kernel_libipsec_esp_handler_t { + + /** + * Public interface + */ + kernel_libipsec_esp_handler_t public; + + /** + * Queue for outbound ESP packets (esp_packet_t*) + */ + blocking_queue_t *queue; + + /** + * Socket to send/receive IPv4 ESP packets + */ + int skt_v4; + + /** + * Socket to send/receive IPv6 ESP packets + */ + int skt_v6; +}; + +METHOD(kernel_libipsec_esp_handler_t, send_, void, + private_kernel_libipsec_esp_handler_t *this, esp_packet_t *packet) +{ + this->queue->enqueue(this->queue, packet); +} + +CALLBACK(send_esp, job_requeue_t, + private_kernel_libipsec_esp_handler_t *this) +{ + packet_t *packet; + host_t *source, *destination; + chunk_t data; + struct msghdr msg = {}; + struct cmsghdr *cmsg; + struct iovec iov; + char ancillary[64] = {}; + ssize_t len; + int skt; + + packet = (packet_t*)this->queue->dequeue(this->queue); + + data = packet->get_data(packet); + source = packet->get_source(packet); + destination = packet->get_destination(packet); + DBG2(DBG_NET, "sending raw ESP 
packet: from %H to %H (%zu data bytes)", + source, destination, data.len); + + /* the port of the destination address acts as protocol selector for RAW + * sockets, for IPv4 the kernel ignores it, for IPv6 it does not and + * complains if it isn't zero or doesn't match the one set on the socket */ + destination->set_port(destination, 0); + + msg.msg_name = destination->get_sockaddr(destination); + msg.msg_namelen = *destination->get_sockaddr_len(destination); + iov.iov_base = data.ptr; + iov.iov_len = data.len; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_flags = 0; + msg.msg_control = ancillary; + + if (source->get_family(source) == AF_INET) + { + struct in_pktinfo *pktinfo; + const struct sockaddr_in *sin; + + msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); + cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = IPPROTO_IP; + cmsg->cmsg_type = IP_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + + pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); + sin = (struct sockaddr_in*)source->get_sockaddr(source); + memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr)); + skt = this->skt_v4; + } + else + { + struct in6_pktinfo *pktinfo; + const struct sockaddr_in6 *sin; + + msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); + cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_PKTINFO; + cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + + pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); + sin = (struct sockaddr_in6*)source->get_sockaddr(source); + memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr)); + skt = this->skt_v6; + } + + len = sendmsg(skt, &msg, 0); + if (len != data.len) + { + DBG1(DBG_KNL, "error writing to ESP socket: %s", strerror(errno)); + } + packet->destroy(packet); + return JOB_REQUEUE_DIRECT; +} + +CALLBACK(receive_esp, bool, + private_kernel_libipsec_esp_handler_t *this, int fd, watcher_event_t event) +{ + char buf[2048]; + struct msghdr 
msg; + struct cmsghdr *cmsg; + struct iovec iov; + char ancillary[64]; + union { + struct sockaddr_in in4; + struct sockaddr_in6 in6; + } src; + host_t *source, *destination = NULL; + packet_t *packet; + chunk_t data; + ssize_t len; + + msg.msg_name = &src; + msg.msg_namelen = sizeof(src); + iov.iov_base = buf; + iov.iov_len = sizeof(buf); + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = ancillary; + msg.msg_controllen = sizeof(ancillary); + msg.msg_flags = 0; + + len = recvmsg(fd, &msg, MSG_DONTWAIT|MSG_TRUNC); + if (len < 0) + { + if (errno != EAGAIN && errno != EWOULDBLOCK) + { + DBG1(DBG_KNL, "receiving from ESP socket failed: %s", + strerror(errno)); + } + return TRUE; + } + else if (msg.msg_flags & MSG_TRUNC) + { + DBG1(DBG_KNL, "ESP packet with length %zd exceeds buffer size of %zu", + len, sizeof(buf)); + return TRUE; + } + data = chunk_create(buf, len); + /* skip the IP header returned by IPv4 raw sockets */ + if (fd == this->skt_v4) + { + data = chunk_skip(data, sizeof(struct iphdr)); + } + + for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg)) + { + if (cmsg->cmsg_level == IPPROTO_IP && + cmsg->cmsg_type == IP_PKTINFO) + { + const struct in_pktinfo *pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg); + struct sockaddr_in dst = { + .sin_family = AF_INET, + }; + + memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr)); + destination = host_create_from_sockaddr((sockaddr_t*)&dst); + } + else if (cmsg->cmsg_level == IPPROTO_IPV6 && + cmsg->cmsg_type == IPV6_PKTINFO) + { + const struct in6_pktinfo *pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg); + struct sockaddr_in6 dst = { + .sin6_family = AF_INET6, + }; + + memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr)); + destination = host_create_from_sockaddr((sockaddr_t*)&dst); + } + if (destination) + { + break; + } + } + if (!destination) + { + DBG1(DBG_KNL, "error reading destination IP address for ESP packet"); + return TRUE; + } + source = 
host_create_from_sockaddr((sockaddr_t*)&src); + DBG2(DBG_NET, "received raw ESP packet: from %#H to %#H (%zu data bytes)", + source, destination, data.len); + + packet = packet_create(); + packet->set_source(packet, source); + packet->set_destination(packet, destination); + packet->set_data(packet, chunk_clone(data)); + ipsec->processor->queue_inbound(ipsec->processor, + esp_packet_create_from_packet(packet)); + return TRUE; +} + +METHOD(kernel_libipsec_esp_handler_t, destroy, void, + private_kernel_libipsec_esp_handler_t *this) +{ + if (this->skt_v4 >= 0) + { + lib->watcher->remove(lib->watcher, this->skt_v4); + close(this->skt_v4); + } + if (this->skt_v6 >= 0) + { + lib->watcher->remove(lib->watcher, this->skt_v6); + close(this->skt_v6); + } + this->queue->destroy_offset(this->queue, offsetof(esp_packet_t, destroy)); + free(this); +} + +/** + * Create a RAW socket for the given address family + */ +static int create_socket(int family) +{ + const char *fwmark; + mark_t mark; + int skt, on = 1; + + skt = socket(family, SOCK_RAW, IPPROTO_ESP); + if (skt == -1) + { + DBG1(DBG_KNL, "opening RAW socket for ESP failed: %s", strerror(errno)); + return -1; + } + if (setsockopt(skt, family == AF_INET ? IPPROTO_IP : IPPROTO_IPV6, + family == AF_INET ? 
IP_PKTINFO : IPV6_RECVPKTINFO, + &on, sizeof(on)) == -1) + { + DBG1(DBG_KNL, "unable to set PKTINFO on ESP socket: %s", + strerror(errno)); + close(skt); + return -1; + } + fwmark = lib->settings->get_str(lib->settings, + "%s.plugins.kernel-libipsec.fwmark", + lib->settings->get_str(lib->settings, + "%s.plugins.socket-default.fwmark", NULL, lib->ns), + lib->ns); + if (fwmark && mark_from_string(fwmark, MARK_OP_NONE, &mark) && + setsockopt(skt, SOL_SOCKET, SO_MARK, &mark.value, sizeof(mark.value)) < 0) + { + DBG1(DBG_KNL, "unable to set SO_MARK on ESP socket: %s", + strerror(errno)); + } + return skt; +} + +/* + * Described in header + */ +kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create() +{ + private_kernel_libipsec_esp_handler_t *this; + + if (!lib->caps->keep(lib->caps, CAP_NET_RAW)) + { /* required to open SOCK_RAW sockets and according to capabilities(7) + * it is also required to use the socket */ + DBG1(DBG_KNL, "kernel-libipsec requires CAP_NET_RAW capability to send " + "and receive ESP packets without UDP encapsulation"); + return NULL; + } + + INIT(this, + .public = { + .send = _send_, + .destroy = _destroy, + }, + .queue = blocking_queue_create(), + .skt_v4 = create_socket(AF_INET), + .skt_v6 = create_socket(AF_INET6), + ); + + if (this->skt_v4 == -1 && this->skt_v6 == -1) + { + destroy(this); + return NULL; + } + if (this->skt_v4 >= 0) + { + lib->watcher->add(lib->watcher, this->skt_v4, WATCHER_READ, + receive_esp, this); + } + if (this->skt_v6 >= 0) + { + lib->watcher->add(lib->watcher, this->skt_v6, WATCHER_READ, + receive_esp, this); + } + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create(send_esp, this, NULL, + (callback_job_cancel_t)return_false)); + return &this->public; +} + +#else /* __linux__ */ + +kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create() +{ + return NULL; +} + +#endif /* __linux__ */ diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.h 
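Review bot: In receive_esp, `data = chunk_skip(data, sizeof(struct iphdr));` assumes a 20-byte IPv4 header, but raw IPv4 sockets hand over the complete header including any options, so a packet with IHL > 5 would have its ESP header read from the wrong offset and fail authentication. Use the IHL field after checking that the datagram is long enough to contain it, as in the excerpt below. Separately, the MSG_TRUNC and missing-destination paths log at DBG1 for every packet, and any host that can reach this machine can send ESP to the raw socket, so an unauthenticated sender can fill the log; DBG2 (or a rate limit) for those per-packet cases would be safer. A comment next to `lib->caps->keep(lib->caps, CAP_NET_RAW)` should also state that the capability is retained for the whole daemon lifetime, which is the privilege cost of enabling raw_esp.
```c
/* … unchanged: recvmsg(), MSG_TRUNC check … */
data = chunk_create(buf, len);
/* raw IPv4 sockets return the full IP header, options included: use IHL */
if (fd == this->skt_v4)
{
	if (len < sizeof(struct iphdr))
	{
		return TRUE;
	}
	data = chunk_skip(data, ((struct iphdr*)buf)->ihl * 4);
}
/* … unchanged: ancillary data loop, packet creation … */
```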
strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.h
--- strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.h 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.h 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,54 @@ +/* + * Copyright (C) 2023 Tobias Brunner + * + * Copyright (C) secunet Security Networks AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup kernel_libipsec_esp_handler kernel_libipsec_esp_handler + * @{ @ingroup kernel_libipsec + */ + +#ifndef KERNEL_LIBIPSEC_ESP_HANDLER_H_ +#define KERNEL_LIBIPSEC_ESP_HANDLER_H_ + +#include + +typedef struct kernel_libipsec_esp_handler_t kernel_libipsec_esp_handler_t; + +/** + * Class that sends and receives raw ESP packets. + */ +struct kernel_libipsec_esp_handler_t { + + /** + * Send the given ESP packet without UDP encapsulation. + * + * @param packet ESP packet to send + */ + void (*send)(kernel_libipsec_esp_handler_t *this, esp_packet_t *packet); + + /** + * Destroy the given instance. + */ + void (*destroy)(kernel_libipsec_esp_handler_t *this); +}; + +/** + * Create a kernel_libipsec_esp_handler_t instance. + * + * @return created instance, NULL if not supported + */ +kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create(); + +#endif /** KERNEL_LIBIPSEC_ESP_HANDLER_H_ @}*/ diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c 2023-06-08 10:35:17.000000000 +0000 
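Review bot: The doc comment on `send` does not say that the handler takes ownership of the packet: the implementation queues it, destroys it after sendmsg(), and destroys anything still queued in destroy(), so the caller must not touch the packet afterwards. Suggest `@param packet ESP packet to send (adopted and destroyed by the handler)`. The class comment could also note that an instance is only available on Linux and requires CAP_NET_RAW, since kernel_libipsec_esp_handler_create() returns NULL in every other case.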
@@ -56,6 +56,11 @@ * Whether the remote TS may equal the IKE peer */ bool allow_peer_ts; + + /** + * Whether UDP encapsulation is required + */ + bool require_encap; }; typedef struct exclude_route_t exclude_route_t; @@ -228,10 +233,21 @@ charon->kernel->expire(charon->kernel, protocol, spi, dst, hard); } +/** + * Acquire callback + */ +static void acquire(uint32_t reqid) +{ + kernel_acquire_data_t data = {}; + + charon->kernel->acquire(charon->kernel, reqid, &data); +} + METHOD(kernel_ipsec_t, get_features, kernel_feature_t, private_kernel_libipsec_ipsec_t *this) { - return KERNEL_REQUIRE_UDP_ENCAPSULATION | KERNEL_ESP_V3_TFC; + return KERNEL_ESP_V3_TFC | KERNEL_SA_USE_TIME | + (this->require_encap ? KERNEL_REQUIRE_UDP_ENCAPSULATION : 0); } METHOD(kernel_ipsec_t, get_spi, status_t, @@ -252,6 +268,12 @@ private_kernel_libipsec_ipsec_t *this, kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data) { + if (this->require_encap && !data->encap) + { + DBG1(DBG_ESP, "failed to add SAD entry: only UDP encapsulation is " + "supported"); + return FAILED; + } return ipsec->sas->add_sa(ipsec->sas, id->src, id->dst, id->spi, id->proto, data->reqid, id->mark, data->tfc, data->lifetime, data->enc_alg, data->enc_key, data->int_alg, data->int_key, 
@@ -680,12 +702,14 @@ }, .ipsec_listener = { .expire = expire, + .acquire = acquire, }, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .policies = linked_list_create(), .excludes = linked_list_create(), .allow_peer_ts = lib->settings->get_bool(lib->settings, "%s.plugins.kernel-libipsec.allow_peer_ts", FALSE, lib->ns), + .require_encap = !lib->get(lib, "kernel-libipsec-esp-handler"), ); ipsec->events->register_listener(ipsec->events, &this->ipsec_listener); diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_plugin.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2013 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * * Copyright (C) secunet Security Networks AG * @@ -17,6 +17,7 @@ #include "kernel_libipsec_plugin.h" #include "kernel_libipsec_ipsec.h" #include "kernel_libipsec_router.h" +#include "kernel_libipsec_esp_handler.h" #include #include @@ -45,6 +46,11 @@ * Packet router */ kernel_libipsec_router_t *router; + + /** + * Raw ESP handler + */ + kernel_libipsec_esp_handler_t *esp_handler; }; METHOD(plugin_t, get_name, char*, @@ -92,6 +98,11 @@ lib->set(lib, "kernel-libipsec-tun", NULL); this->tun->destroy(this->tun); } + if (this->esp_handler) + { + lib->set(lib, "kernel-libipsec-esp-handler", NULL); + this->esp_handler->destroy(this->esp_handler); + } libipsec_deinit(); free(this); } 
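Review bot: `.require_encap = !lib->get(lib, "kernel-libipsec-esp-handler")` is evaluated once when the kernel interface is created, so it silently depends on the plugin constructor having registered the handler under that key before this backend is built; if that order ever changes, UDP encapsulation would be required even with raw_esp enabled and nothing would flag it. A comment on the line, `/* the plugin registers the raw ESP handler before this backend is created */`, records the dependency, and a DBG1 stating which mode was selected would make the outcome visible at startup. The enclosing constructor starts outside the hunk.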
@@ -146,5 +157,17 @@ /* set TUN device as default to install VIPs */ lib->settings->set_str(lib->settings, "%s.install_virtual_ip_on", this->tun->get_name(this->tun), lib->ns); + + if (lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-libipsec.raw_esp", FALSE, lib->ns)) + { + this->esp_handler = kernel_libipsec_esp_handler_create(); + if (!this->esp_handler) + { + DBG1(DBG_KNL, "only UDP-encapsulated ESP packets supported by " + "kernel-libipsec on this platform"); + } + lib->set(lib, "kernel-libipsec-esp-handler", this->esp_handler); + } return &this->public.plugin; } diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c 2023-06-08 10:35:17.000000000 +0000 @@ -18,6 +18,7 @@ #include #include "kernel_libipsec_router.h" +#include "kernel_libipsec_esp_handler.h" #include #include @@ -76,6 +77,11 @@ * Pipe to signal handle_plain() about changes regarding TUN devices */ int notify[2]; + + /** + * ESP handler to send raw ESP packets + */ + kernel_libipsec_esp_handler_t *esp_handler; }; /** 
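Review bot: The message logged when kernel_libipsec_esp_handler_create() returns NULL, `only UDP-encapsulated ESP packets supported by kernel-libipsec on this platform`, blames the platform, but on Linux the constructor also returns NULL when CAP_NET_RAW is not retained or both raw sockets fail to open, so an operator who set `raw_esp = yes` is pointed in the wrong direction. Suggest `"raw ESP handler unavailable, kernel-libipsec will only handle UDP-encapsulated ESP packets"`, leaving the specific cause to the handler's own log line. The new `raw_esp` setting also keeps CAP_NET_RAW for the daemon's lifetime, which should be stated where the option is documented if that is not already part of this change. The enclosing constructor starts before the hunk.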
@@ -94,28 +100,32 @@ return a->addr->ip_equals(a->addr, b->addr); } -/** - * Outbound callback - */ -static void send_esp(void *data, esp_packet_t *packet) +CALLBACK(send_esp, void, + private_kernel_libipsec_router_t *this, esp_packet_t *packet, bool encap) { - charon->sender->send_no_marker(charon->sender, (packet_t*)packet); + if (encap) + { + charon->sender->send_no_marker(charon->sender, (packet_t*)packet); + } + else if (this->esp_handler) + { + this->esp_handler->send(this->esp_handler, packet); + } + else + { /* shouldn't happen as UDP encap is forced without ESP handler */ + packet->destroy(packet); + } } -/** - * Receiver callback - */ -static void receiver_esp_cb(void *data, packet_t *packet) +CALLBACK(receiver_esp_cb, void, + void *data, packet_t *packet) { ipsec->processor->queue_inbound(ipsec->processor, esp_packet_create_from_packet(packet)); } -/** - * Inbound callback - */ -static void deliver_plain(private_kernel_libipsec_router_t *this, - ip_packet_t *packet) +CALLBACK(deliver_plain, void, + private_kernel_libipsec_router_t *this, ip_packet_t *packet) { tun_device_t *tun; tun_entry_t *entry, lookup = { @@ -292,12 +302,9 @@ METHOD(kernel_libipsec_router_t, destroy, void, private_kernel_libipsec_router_t *this) { - charon->receiver->del_esp_cb(charon->receiver, - (receiver_esp_cb_t)receiver_esp_cb); - ipsec->processor->unregister_outbound(ipsec->processor, - (ipsec_outbound_cb_t)send_esp); - ipsec->processor->unregister_inbound(ipsec->processor, - (ipsec_inbound_cb_t)deliver_plain); + charon->receiver->del_esp_cb(charon->receiver, receiver_esp_cb); + ipsec->processor->unregister_outbound(ipsec->processor, send_esp); + ipsec->processor->unregister_inbound(ipsec->processor, deliver_plain); charon->kernel->remove_listener(charon->kernel, &this->public.listener); this->lock->destroy(this->lock); this->tuns->destroy(this->tuns); 
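Review bot: The fallback branch of the new send_esp destroys the packet silently; the comment says this cannot happen because UDP encapsulation is forced without an ESP handler, which is exactly why a diagnostic would help when that invariant breaks. Suggest `DBG1(DBG_ESP, "dropping non-encapsulated ESP packet, no raw ESP handler available");` before `packet->destroy(packet);`. The rest of the hunk (CALLBACK conversions and the unregister calls) is straightforward.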
@@ -333,7 +340,8 @@ }, .tun = { .tun = lib->get(lib, "kernel-libipsec-tun"), - } + }, + .esp_handler = lib->get(lib, "kernel-libipsec-esp-handler"), ); if (pipe(this->notify) != 0 || @@ -351,11 +359,9 @@ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); charon->kernel->add_listener(charon->kernel, &this->public.listener); - ipsec->processor->register_outbound(ipsec->processor, send_esp, NULL); - ipsec->processor->register_inbound(ipsec->processor, - (ipsec_inbound_cb_t)deliver_plain, this); - charon->receiver->add_esp_cb(charon->receiver, - (receiver_esp_cb_t)receiver_esp_cb, NULL); + ipsec->processor->register_outbound(ipsec->processor, send_esp, this); + ipsec->processor->register_inbound(ipsec->processor, deliver_plain, this); + charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL); lib->processor->queue_job(lib->processor, (job_t*)callback_job_create((callback_job_cb_t)handle_plain, this, NULL, (callback_job_cancel_t)return_false)); diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/Makefile.am strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/Makefile.am --- strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/Makefile.am 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/Makefile.am 2023-06-08 10:35:17.000000000 +0000 
@@ -15,7 +15,8 @@ libstrongswan_kernel_libipsec_la_SOURCES = \ kernel_libipsec_plugin.h kernel_libipsec_plugin.c \ kernel_libipsec_ipsec.h kernel_libipsec_ipsec.c \ - kernel_libipsec_router.h kernel_libipsec_router.c + kernel_libipsec_router.h kernel_libipsec_router.c \ + kernel_libipsec_esp_handler.h kernel_libipsec_esp_handler.c libstrongswan_kernel_libipsec_la_LIBADD = $(top_builddir)/src/libipsec/libipsec.la diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/Makefile.in strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/kernel_libipsec/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_libipsec/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -140,7 +140,7 @@ $(top_builddir)/src/libipsec/libipsec.la am_libstrongswan_kernel_libipsec_la_OBJECTS = \ kernel_libipsec_plugin.lo kernel_libipsec_ipsec.lo \ - kernel_libipsec_router.lo + kernel_libipsec_router.lo kernel_libipsec_esp_handler.lo libstrongswan_kernel_libipsec_la_OBJECTS = \ $(am_libstrongswan_kernel_libipsec_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -169,7 +169,8 @@ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/kernel_libipsec_ipsec.Plo \ +am__depfiles_remade = ./$(DEPDIR)/kernel_libipsec_esp_handler.Plo \ + ./$(DEPDIR)/kernel_libipsec_ipsec.Plo \ ./$(DEPDIR)/kernel_libipsec_plugin.Plo \ ./$(DEPDIR)/kernel_libipsec_router.Plo am__mv = mv -f @@ -437,7 +438,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ 
@@ -482,7 +482,8 @@ libstrongswan_kernel_libipsec_la_SOURCES = \ kernel_libipsec_plugin.h kernel_libipsec_plugin.c \ kernel_libipsec_ipsec.h kernel_libipsec_ipsec.c \ - kernel_libipsec_router.h kernel_libipsec_router.c + kernel_libipsec_router.h kernel_libipsec_router.c \ + kernel_libipsec_esp_handler.h kernel_libipsec_esp_handler.c libstrongswan_kernel_libipsec_la_LIBADD = $(top_builddir)/src/libipsec/libipsec.la libstrongswan_kernel_libipsec_la_LDFLAGS = -module -avoid-version @@ -575,6 +576,7 @@ distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_esp_handler.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_ipsec.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_plugin.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_libipsec_router.Plo@am__quote@ # am--include-marker @@ -742,7 +744,8 @@ clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -f ./$(DEPDIR)/kernel_libipsec_ipsec.Plo + -rm -f ./$(DEPDIR)/kernel_libipsec_esp_handler.Plo + -rm -f ./$(DEPDIR)/kernel_libipsec_ipsec.Plo -rm -f ./$(DEPDIR)/kernel_libipsec_plugin.Plo -rm -f ./$(DEPDIR)/kernel_libipsec_router.Plo -rm -f Makefile 
@@ -790,7 +793,8 @@ installcheck-am: maintainer-clean: maintainer-clean-am - -rm -f ./$(DEPDIR)/kernel_libipsec_ipsec.Plo + -rm -f ./$(DEPDIR)/kernel_libipsec_esp_handler.Plo + -rm -f ./$(DEPDIR)/kernel_libipsec_ipsec.Plo -rm -f ./$(DEPDIR)/kernel_libipsec_plugin.Plo -rm -f ./$(DEPDIR)/kernel_libipsec_router.Plo -rm -f Makefile diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c 2022-09-17 15:42:38.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2019 Tobias Brunner + * Copyright (C) 2006-2023 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2008-2016 Andreas Steffen * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include @@ -62,6 +63,7 @@ #include "kernel_netlink_ipsec.h" #include "kernel_netlink_shared.h" +#include "kernel_netlink_xfrmi.h" #include #include @@ -109,11 +111,6 @@ #define XFRM_LIMIT(x) ((x) == 0 ? XFRM_INF : (x)) /** - * Create ORable bitfield of XFRM NL groups - */ -#define XFRMNLGRP(x) (1<<(XFRMNLGRP_##x-1)) - -/** * Returns a pointer to the first rtattr following the nlmsghdr *nlh and the * 'usual' netlink data x like 'struct xfrm_usersa_info' */ @@ -342,9 +339,19 @@ netlink_socket_t *socket_xfrm; /** + * XFRM interface manager + */ + kernel_netlink_xfrmi_t *xfrmi; + + /** * Netlink xfrm socket to receive acquire and expire events */ - int socket_xfrm_events; + netlink_event_socket_t *socket_xfrm_events; + + /** + * Whether the kernel reports the last use time on SAs + */ + bool sa_lastused; /** * Whether to install routes along policies 
@@ -352,6 +359,11 @@ bool install_routes; /** + * Whether to install routes via XFRM interfaces + */ + bool install_routes_xfrmi; + + /** * Whether to set protocol and ports on selector installed with transport * mode IPsec SAs */ @@ -363,11 +375,35 @@ bool policy_update; /** - * Installed port based IKE bypass policies, as bypass_t + * Whether to use port-based policies instead of socket policies for the + * IKE sockets/ports + */ + bool port_bypass; + + /** + * Installed port-based IKE bypass policies, as bypass_t + * + * If they are potentially offloaded, the offload mutex has to be locked + * when modifying it */ array_t *bypass; /** + * Interfaces that potentially support HW offloading, as offload_iface_t + */ + hashtable_t *offload_interfaces; + + /** + * Mutex to safely access the interfaces and bypasses + */ + mutex_t *offload_mutex; + + /** + * Netlink routing socket to receive link events + */ + netlink_event_socket_t *socket_link_events; + + /** * Custom priority calculation function */ uint32_t (*get_priority)(kernel_ipsec_policy_id_t *id, @@ -392,6 +428,9 @@ /** Optional mark */ uint32_t if_id; + /** Optional HW offload */ + hw_offload_t hw_offload; + /** Description of this SA */ ipsec_sa_cfg_t cfg; @@ -408,7 +447,8 @@ chunk_hash_inc(sa->dst->get_address(sa->dst), chunk_hash_inc(chunk_from_thing(sa->mark), chunk_hash_inc(chunk_from_thing(sa->if_id), - chunk_hash(chunk_from_thing(sa->cfg)))))); + chunk_hash_inc(chunk_from_thing(sa->hw_offload), + chunk_hash(chunk_from_thing(sa->cfg))))))); } /** @@ -421,6 +461,7 @@ sa->mark.value == other_sa->mark.value && sa->mark.mask == other_sa->mark.mask && sa->if_id == other_sa->if_id && + sa->hw_offload == other_sa->hw_offload && ipsec_sa_cfg_equals(&sa->cfg, &other_sa->cfg); } 
@@ -429,7 +470,8 @@ */ static ipsec_sa_t *ipsec_sa_create(private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, mark_t mark, - uint32_t if_id, ipsec_sa_cfg_t *cfg) + uint32_t if_id, hw_offload_t hw_offload, + ipsec_sa_cfg_t *cfg) { ipsec_sa_t *sa, *found; INIT(sa, @@ -437,6 +479,7 @@ .dst = dst, .mark = mark, .if_id = if_id, + .hw_offload = hw_offload, .cfg = *cfg, ); found = this->sas->get(this->sas, sa); @@ -511,7 +554,7 @@ static policy_sa_t *policy_sa_create(private_kernel_netlink_ipsec_t *this, policy_dir_t dir, policy_type_t type, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, mark_t mark, - uint32_t if_id, ipsec_sa_cfg_t *cfg) + uint32_t if_id, hw_offload_t hw_offload, ipsec_sa_cfg_t *cfg) { policy_sa_t *policy; @@ -529,7 +572,7 @@ INIT(policy, .priority = 0); } policy->type = type; - policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, cfg); + policy->sa = ipsec_sa_create(this, src, dst, mark, if_id, hw_offload, cfg); return policy; } 
@@ -1104,73 +1147,35 @@ } } -/** - * Receives events from kernel - */ -static bool receive_events(private_kernel_netlink_ipsec_t *this, int fd, - watcher_event_t event) +CALLBACK(receive_events, void, + private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) { - char response[netlink_get_buflen()]; - struct nlmsghdr *hdr = (struct nlmsghdr*)response; - struct sockaddr_nl addr; - socklen_t addr_len = sizeof(addr); - int len; - - len = recvfrom(this->socket_xfrm_events, response, sizeof(response), - MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len); - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return TRUE; - case EAGAIN: - /* no data ready, select again */ - return TRUE; - default: - DBG1(DBG_KNL, "unable to receive from XFRM event socket: %s " - "(%d)", strerror(errno), errno); - sleep(1); - return TRUE; - } - } - - if (addr.nl_pid != 0) - { /* not from kernel. not interested, try another one */ - return TRUE; - } - - while (NLMSG_OK(hdr, len)) + switch (hdr->nlmsg_type) { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_ACQUIRE: - process_acquire(this, hdr); - break; - case XFRM_MSG_EXPIRE: - process_expire(this, hdr); - break; - case XFRM_MSG_MIGRATE: - process_migrate(this, hdr); - break; - case XFRM_MSG_MAPPING: - process_mapping(this, hdr); - break; - default: - DBG1(DBG_KNL, "received unknown event from XFRM event " - "socket: %d", hdr->nlmsg_type); - break; - } - hdr = NLMSG_NEXT(hdr, len); + case XFRM_MSG_ACQUIRE: + process_acquire(this, hdr); + break; + case XFRM_MSG_EXPIRE: + process_expire(this, hdr); + break; + case XFRM_MSG_MIGRATE: + process_migrate(this, hdr); + break; + case XFRM_MSG_MAPPING: + process_mapping(this, hdr); + break; + default: + DBG1(DBG_KNL, "received unknown event from XFRM event " + "socket: %d", hdr->nlmsg_type); + break; } - return TRUE; } METHOD(kernel_ipsec_t, get_features, kernel_feature_t, private_kernel_netlink_ipsec_t *this) { - return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI; + 
return KERNEL_ESP_V3_TFC | KERNEL_POLICY_SPI | + (this->sa_lastused ? KERNEL_SA_USE_TIME : 0); } /** @@ -1217,9 +1222,7 @@ } case NLMSG_ERROR: { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", - strerror(-err->error), -err->error); + netlink_log_error(hdr, "allocating SPI failed"); break; } default: @@ -1391,7 +1394,7 @@ /** * Check if kernel supports HW offload and determine feature flag */ -static void netlink_find_offload_feature(const char *ifname) +static bool netlink_find_offload_feature(const char *ifname) { struct ethtool_sset_info *sset_info; struct ethtool_gstrings *cmd = NULL; @@ -1403,7 +1406,7 @@ query_socket = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); if (query_socket < 0) { - return; + return FALSE; } /* determine number of device features */ @@ -1455,10 +1458,11 @@ free(sset_info); free(cmd); close(query_socket); + return netlink_hw_offload.supported; } /** - * Check if interface supported HW offload + * Check if interface supports HW offload */ static bool netlink_detect_offload(const char *ifname) { @@ -1499,11 +1503,6 @@ ret = TRUE; } } - - if (!ret) - { - DBG1(DBG_KNL, "HW offload is not supported by device"); - } free(cmd); close(query_socket); return ret; @@ -1511,8 +1510,9 @@ #else -static void netlink_find_offload_feature(const char *ifname) +static bool netlink_find_offload_feature(const char *ifname) { + return FALSE; } static bool netlink_detect_offload(const char *ifname) 
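Review bot: The rewritten receive_events() callback no longer verifies that an event actually came from the kernel; the removed body dropped datagrams with `addr.nl_pid != 0` before dispatching, and nothing in the new switch replaces that filter. If netlink_event_socket_create() (defined outside this hunk) performs the sender check before invoking the callback, a one-line comment such as `/* only messages from the kernel (nl_pid == 0) reach this callback, see netlink_event_socket */` would make that contract visible here; if it does not, the check has to move into the event socket. Unknown message types are still only logged, which is appropriate for a multicast subscriber.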
@@ -1523,53 +1523,66 @@ #endif /** - * There are 3 HW offload configuration values: - * 1. HW_OFFLOAD_NO : Do not configure HW offload. - * 2. HW_OFFLOAD_YES : Configure HW offload. - * Fail SA addition if offload is not supported. - * 3. HW_OFFLOAD_AUTO : Configure HW offload if supported by the kernel - * and device. - * Do not fail SA addition otherwise. - */ -static bool config_hw_offload(kernel_ipsec_sa_id_t *id, - kernel_ipsec_add_sa_t *data, struct nlmsghdr *hdr, - int buflen) + * Add a HW offload attribute to the given message, return it if it was added. + * + * There are 4 HW offload configuration values: + * 1. HW_OFFLOAD_NO : Do not configure HW offload. + * 2. HW_OFFLOAD_CRYPTO : Configure crypto HW offload. + * Fail SA addition if crypto offload is not supported. + * 3. HW_OFFLOAD_PACKET : Configure packet HW offload. + * Fail SA addition if packet offload is not supported. + * 4. HW_OFFLOAD_AUTO : Configure packet HW offload if supported by the kernel + * and device. If not, configure crypto HW offload if + * supported by the kernel and device. + * Do not fail SA addition if offload is not supported. + */ +static bool add_hw_offload(struct nlmsghdr *hdr, int buflen, host_t *local, + char *interface, hw_offload_t hw_offload, + struct xfrm_user_offload **offload) { - host_t *local = data->inbound ? 
id->dst : id->src; - struct xfrm_user_offload *offload; - bool hw_offload_yes, ret = FALSE; char *ifname; + bool ret; - /* do Ipsec configuration without offload */ - if (data->hw_offload == HW_OFFLOAD_NO) + /* do IPsec configuration without offload */ + if (hw_offload == HW_OFFLOAD_NO) { return TRUE; } - hw_offload_yes = (data->hw_offload == HW_OFFLOAD_YES); + /* unless offloading is forced, we return TRUE even if we fail */ + ret = (hw_offload == HW_OFFLOAD_AUTO); - if (!charon->kernel->get_interface(charon->kernel, local, &ifname)) + if (!local || local->is_anyaddr(local) || + !charon->kernel->get_interface(charon->kernel, local, &ifname)) { - return !hw_offload_yes; + if (!interface || !interface[0]) + { + return ret; + } + ifname = strdup(interface); } /* check if interface supports hw_offload */ if (!netlink_detect_offload(ifname)) { - ret = !hw_offload_yes; + DBG1(DBG_KNL, "HW offload is not supported by device %s", ifname); goto out; } /* activate HW offload */ - offload = netlink_reserve(hdr, buflen, - XFRMA_OFFLOAD_DEV, sizeof(*offload)); - if (!offload) + *offload = netlink_reserve(hdr, buflen, + XFRMA_OFFLOAD_DEV, sizeof(**offload)); + if (!(*offload)) { - ret = !hw_offload_yes; goto out; } - offload->ifindex = if_nametoindex(ifname); - offload->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0; + (*offload)->ifindex = if_nametoindex(ifname); + + if (hw_offload == HW_OFFLOAD_PACKET || + hw_offload == HW_OFFLOAD_AUTO) + { + (*offload)->flags |= XFRM_OFFLOAD_PACKET; + } ret = TRUE; 
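Review bot: `(*offload)->ifindex = if_nametoindex(ifname);` does not check for a zero result, so if the interface disappears between the netlink_detect_offload() probe and this call the attribute is sent with ifindex 0, which the kernel is likely to reject; in HW_OFFLOAD_AUTO mode that fails the SA installation although the function's contract is not to fail when offload is unavailable. Resolving the index before reserving the attribute avoids that: `unsigned int ifindex = if_nametoindex(ifname); if (!ifindex) { DBG1(DBG_KNL, "interface %s not found for HW offload", ifname); goto out; }` followed by `(*offload)->ifindex = ifindex;` after netlink_reserve(). The `out:` label and the release of `ifname` lie outside the hunk, so that path is inferred rather than visible.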
@@ -1578,6 +1591,63 @@ return ret; } +/** + * Add a HW offload attribute to the given SA-related message. + */ +static bool add_hw_offload_sa(struct nlmsghdr *hdr, int buflen, + kernel_ipsec_sa_id_t *id, + kernel_ipsec_add_sa_t *data, + struct xfrm_user_offload **offload) +{ + host_t *local = data->inbound ? id->dst : id->src; + + if (!add_hw_offload(hdr, buflen, local, NULL, data->hw_offload, offload)) + { + return FALSE; + } + else if (*offload) + { + (*offload)->flags |= data->inbound ? XFRM_OFFLOAD_INBOUND : 0; + } + return TRUE; +} + +/** + * Add a HW offload attribuet to the given policy-related message. + */ +static bool add_hw_offload_policy(struct nlmsghdr *hdr, int buflen, + policy_entry_t *policy, + policy_sa_t *mapping, + struct xfrm_user_offload **offload) +{ + ipsec_sa_t *ipsec = mapping->sa; + host_t *local = ipsec->src; + char ifname[IFNAMSIZ] = ""; + + /* only packet offloading is supported for policies, which we try to use + * in automatic mode */ + if (ipsec->hw_offload != HW_OFFLOAD_PACKET && + ipsec->hw_offload != HW_OFFLOAD_AUTO) + { + return TRUE; + } + + switch (policy->direction) + { + case POLICY_FWD: + /* FWD policies are not offloaded, they are enforced by the kernel */ + return TRUE; + case POLICY_IN: + local = ipsec->dst; + break; + } + if (policy->sel.ifindex) + { + if_indextoname(policy->sel.ifindex, ifname); + } + return add_hw_offload(hdr, buflen, local, ifname, ipsec->hw_offload, offload); +} + METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data) @@ -1587,6 +1657,7 @@ char markstr[32] = ""; struct nlmsghdr *hdr; struct xfrm_usersa_info *sa; + struct xfrm_user_offload *offload = NULL; uint16_t icv_size = 64, ipcomp = data->ipcomp; ipsec_mode_t mode = data->mode, original_mode = data->mode; traffic_selector_t *first_src_ts, *first_dst_ts; 
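Review bot: The `switch (policy->direction)` in add_hw_offload_policy() handles only POLICY_FWD and POLICY_IN and leaves POLICY_OUT (used elsewhere in this file) implicit; adding `case POLICY_OUT: default: break;` documents that OUT keeps `local = ipsec->src` and avoids a -Wswitch warning if the build enables one. The result of `if_indextoname(policy->sel.ifindex, ifname)` is also unchecked, so the code relies on the `""` initialiser being left intact when the index no longer exists, and on add_hw_offload() treating an empty name as "no interface"; that is presumably intended but deserves a comment like `/* a stale ifindex leaves ifname empty, add_hw_offload() then falls back to the local address */`. The doc comment above the function has a typo, `attribuet`.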
@@ -2009,7 +2080,7 @@ } DBG2(DBG_KNL, " HW offload: %N", hw_offload_names, data->hw_offload); - if (!config_hw_offload(id, data, hdr, sizeof(request))) + if (!add_hw_offload_sa(hdr, sizeof(request), id, data, &offload)) { DBG1(DBG_KNL, "failed to configure HW offload"); goto failed; @@ -2017,6 +2088,16 @@ } status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); + + if (status != SUCCESS && offload && data->hw_offload == HW_OFFLOAD_AUTO) + { + DBG1(DBG_KNL, "failed to install SA with %N HW offload, trying with " + "%N HW offload", hw_offload_names, HW_OFFLOAD_PACKET, + hw_offload_names, HW_OFFLOAD_CRYPTO); + offload->flags &= ~XFRM_OFFLOAD_PACKET; + status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); + } + if (status == NOT_FOUND && data->update) { DBG1(DBG_KNL, "allocated SPI not found anymore, try to add SAD entry"); @@ -2099,9 +2180,8 @@ } case NLMSG_ERROR: { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying replay state from SAD entry " - "failed: %s (%d)", strerror(-err->error), -err->error); + netlink_log_error(hdr, "querying replay state from SAD " + "entry failed"); break; } default: @@ -2148,10 +2228,33 @@ free(out); } +/** + * Get the last used time of an SA if provided by the kernel + */ +static bool get_lastused(struct nlmsghdr *hdr, uint64_t *lastused) +{ + struct rtattr *rta; + size_t rtasize; + + rta = XFRM_RTA(hdr, struct xfrm_usersa_info); + rtasize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info); + while (RTA_OK(rta, rtasize)) + { + if (rta->rta_type == XFRMA_LASTUSED && + RTA_PAYLOAD(rta) == sizeof(*lastused)) + { + *lastused = *(uint64_t*)RTA_DATA(rta); + return TRUE; + } + rta = RTA_NEXT(rta, rtasize); + } + return FALSE; +} + METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_netlink_ipsec_t *this, kernel_ipsec_sa_id_t *id, kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets, - time_t *time) + time_t *use_time) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; 
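Review bot: The HW_OFFLOAD_AUTO retry in add_sa() fires on any `status != SUCCESS`, which includes the NOT_FOUND that the following branch handles for `data->update` (presumably by resending the request as a new SA); in that case the packet-offload flag has already been cleared before that second path runs, so a transient NOT_FOUND silently downgrades the SA to crypto offload. Restricting the fallback keeps the two recovery paths independent, e.g. `if (status != SUCCESS && !(status == NOT_FOUND && data->update) && offload && data->hw_offload == HW_OFFLOAD_AUTO)`. The rest of add_sa() lies outside the hunk, so how `status` is consumed after the NOT_FOUND branch is inferred from the visible log line.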
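Review bot: `*lastused = *(uint64_t*)RTA_DATA(rta);` in get_lastused() reads the attribute payload as a uint64_t, but netlink attribute payloads are only guaranteed RTA_ALIGNTO (4-byte) alignment, so this is an unaligned 8-byte load on architectures that trap on it. Copying the value is safe everywhere: `memcpy(lastused, RTA_DATA(rta), sizeof(*lastused));`. The preceding `RTA_PAYLOAD(rta) == sizeof(*lastused)` check already guarantees that the eight bytes are present.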
@@ -2201,11 +2304,7 @@ } case NLMSG_ERROR: { - struct nlmsgerr *err = NLMSG_DATA(hdr); - - DBG1(DBG_KNL, "querying SAD entry with SPI %.8x%s failed: " - "%s (%d)", ntohl(id->spi), markstr, - strerror(-err->error), -err->error); + netlink_log_error(hdr, "querying SAD entry failed"); break; } default: @@ -2233,11 +2332,20 @@ { *packets = sa->curlft.packets; } - if (time) - { /* curlft contains an "use" time, but that contains a timestamp - * of the first use, not the last. Last use time must be queried - * on the policy on Linux */ - *time = 0; + if (use_time) + { + uint64_t lastused = 0; + + /* curlft.use_time contains the timestamp of the SA's first use, not + * the last, but we might get the last use time in an attribute */ + if (this->sa_lastused && get_lastused(hdr, &lastused)) + { + *use_time = time_monotonic(NULL) - (time(NULL) - lastused); + } + else + { + *use_time = 0; + } } status = SUCCESS; } @@ -2391,9 +2499,7 @@ } case NLMSG_ERROR: { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)", - strerror(-err->error), -err->error); + netlink_log_error(hdr, "querying SAD entry failed"); break; } default: @@ -2636,6 +2742,30 @@ } /** + * Find an XFRM interface with the given ID + */ +static bool find_xfrmi(private_kernel_netlink_ipsec_t *this, uint32_t target, + char **if_name) +{ + enumerator_t *enumerator; + char *name; + uint32_t if_id; + + enumerator = this->xfrmi->create_enumerator(this->xfrmi); + while (enumerator->enumerate(enumerator, &name, &if_id, NULL, NULL)) + { + if (if_id == target) + { + *if_name = strdup(name); + enumerator->destroy(enumerator); + return TRUE; + } + } + enumerator->destroy(enumerator); + return FALSE; +} + +/** * Install a route for the given policy if enabled and required */ static void install_route(private_kernel_netlink_ipsec_t *this, 
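Review bot: In query_sa() the converted `*use_time` is only meaningful when `lastused` is non-zero; if the kernel ever includes XFRMA_LASTUSED with a zero value for an SA that has not been used yet, `time_monotonic(NULL) - (time(NULL) - lastused)` produces a negative monotonic time instead of the 0 the else branch promises. A cheap guard is `if (this->sa_lastused && get_lastused(hdr, &lastused) && lastused)`. A short comment that `time(NULL) - lastused` is evaluated in unsigned 64-bit arithmetic and is still correct after conversion back to time_t would also help the next reader.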
@@ -2664,9 +2794,15 @@ if (!ipsec->dst->is_anyaddr(ipsec->dst)) { - route->gateway = charon->kernel->get_nexthop(charon->kernel, - ipsec->dst, -1, ipsec->src, - &route->if_name); + /* if if_ids are used, install a route via XFRM interface if any, + * otherwise install the route via the interface we reach the peer */ + if (!policy->if_id || !this->xfrmi || + !find_xfrmi(this, policy->if_id, &route->if_name)) + { + route->gateway = charon->kernel->get_nexthop(charon->kernel, + ipsec->dst, -1, ipsec->src, + &route->if_name); + } } else { /* for shunt policies */ @@ -2754,6 +2890,7 @@ policy_entry_t clone; ipsec_sa_t *ipsec = mapping->sa; struct xfrm_userpolicy_info *policy_info; + struct xfrm_user_offload *offload = NULL; struct nlmsghdr *hdr; status_t status; int i; @@ -2867,9 +3004,26 @@ policy_change_done(this, policy); return FAILED; } + /* make sure this is the last attribute added to the message */ + if (!add_hw_offload_policy(hdr, sizeof(request), policy, mapping, &offload)) + { + policy_change_done(this, policy); + return FAILED; + } this->mutex->unlock(this->mutex); status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); + + if (status != SUCCESS && offload && mapping->sa->hw_offload == HW_OFFLOAD_AUTO) + { + DBG1(DBG_KNL, "failed to install SA with %N HW offload, trying without " + "offload", hw_offload_names, HW_OFFLOAD_PACKET); + /* the kernel only allows offloading with packet offload and rejects + * the attribute if that flag is not set, so remove it again */ + hdr->nlmsg_len -= RTA_ALIGN(RTA_LENGTH(sizeof(*offload))); + status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr); + } + if (status == ALREADY_DONE && !update) { DBG1(DBG_KNL, "policy already exists, try to update it"); 
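Review bot: The fallback log message in the policy path reads `"failed to install SA with %N HW offload, trying without offload"`, but this code installs a policy (it calls add_hw_offload_policy() and policy_change_done()), so it should say `"failed to install policy with %N HW offload, trying without offload"` to keep the two fallbacks distinguishable in the log. Trimming the attribute with `hdr->nlmsg_len -= RTA_ALIGN(RTA_LENGTH(sizeof(*offload)));` is correct only while XFRMA_OFFLOAD_DEV is the last attribute, as the comment above the add_hw_offload_policy() call notes; guarding it with `(char*)offload + RTA_ALIGN(sizeof(*offload)) == (char*)hdr + hdr->nlmsg_len` before the subtraction would turn a future reordering into a visible failure rather than a corrupted message.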
@@ -2887,12 +3041,12 @@ * - this is an outbound policy (to just get one for each child) * - routing is not disabled via strongswan.conf * - the selector is not for a specific protocol/port - * - no XFRM interface ID is configured + * - routes via XFRM interfaces are enabled or no interface ID is configured * - we are in tunnel/BEET mode or install a bypass policy */ if (policy->direction == POLICY_OUT && this->install_routes && !policy->sel.proto && !policy->sel.dport && !policy->sel.sport && - !policy->if_id) + (this->install_routes_xfrmi || !policy->if_id)) { if (mapping->type == POLICY_PASS || (mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT)) @@ -2913,8 +3067,8 @@ enumerator_t *enumerator; bool found = FALSE, update = TRUE; char markstr[32] = "", labelstr[128] = ""; - uint32_t cur_priority = 0; - int use_count; + uint32_t cur_priority DBG_UNUSED = 0; + int use_count DBG_UNUSED; /* create a policy */ INIT(policy, @@ -2957,7 +3111,7 @@ /* cache the assigned IPsec SA */ assigned_sa = policy_sa_create(this, id->dir, data->type, data->src, data->dst, id->src_ts, id->dst_ts, id->mark, - id->if_id, data->sa); + id->if_id, data->hw_offload, data->sa); assigned_sa->auto_priority = get_priority(policy, data->prio, id->interface); assigned_sa->priority = this->get_priority ? this->get_priority(id, data) : data->manual_prio; @@ -3086,9 +3240,7 @@ } case NLMSG_ERROR: { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying policy failed: %s (%d)", - strerror(-err->error), -err->error); + netlink_log_error(hdr, "querying policy failed"); break; } default: 
@@ -3134,12 +3286,13 @@ struct nlmsghdr *hdr; struct xfrm_userpolicy_id *policy_id; bool is_installed = TRUE; - uint32_t priority, auto_priority, cur_priority; + uint32_t priority, auto_priority, cur_priority DBG_UNUSED; ipsec_sa_t assigned_sa = { .src = data->src, .dst = data->dst, .mark = id->mark, .if_id = id->if_id, + .hw_offload = data->hw_offload, .cfg = *data->sa, }; char markstr[32] = "", labelstr[128] = ""; @@ -3374,6 +3527,44 @@ } /** + * Keep track of interface and its offload support + */ +typedef struct { + + /** + * Interface index + */ + int ifindex; + + /** + * Name of the interface + */ + char ifname[IFNAMSIZ]; + + /** + * Interface flags + */ + u_int flags; + + /** + * Offload state + */ + enum { + /** Offload support unknown */ + IFACE_OFFLOAD_UNKNOWN, + /** No offload supported */ + IFACE_OFFLOAD_NONE, + /** Interface supports at least crypto offload */ + IFACE_OFFLOAD_DETECTED, + /** Interface supports crypto offload, but no packet and policy offload */ + IFACE_OFFLOAD_CRYPTO, + /** Packet and policy offload supported */ + IFACE_OFFLOAD_PACKET, + } offload; + +} offload_iface_t; + +/** * Port based IKE bypass policy */ typedef struct { @@ -3386,13 +3577,16 @@ } bypass_t; /** - * Add or remove a bypass policy from/to kernel + * Add or remove a bypass policy from/to kernel. If an interface is given, + * the policy is tried to be offloaded to that interface. */ static bool manage_bypass(private_kernel_netlink_ipsec_t *this, - int type, policy_dir_t dir, bypass_t *bypass) + int type, policy_dir_t dir, bypass_t *bypass, + char *ifname) { netlink_buf_t request; struct xfrm_selector *sel; + struct xfrm_user_offload *offload = NULL; struct nlmsghdr *hdr; memset(&request, 0, sizeof(request)); @@ -3418,6 +3612,13 @@ policy->lft.hard_packet_limit = XFRM_INF; sel = &policy->sel; + + if (ifname && + !add_hw_offload(hdr, sizeof(request), NULL, ifname, + HW_OFFLOAD_PACKET, &offload)) + { + return FALSE; + } } else /* XFRM_MSG_DELPOLICY */ { 
@@ -3443,14 +3644,137 @@ sel->sport = bypass->port; sel->sport_mask = 0xffff; } + if (ifname) + { + sel->ifindex = if_nametoindex(ifname); + } return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS; } +CALLBACK(remove_port_bypass, void, + bypass_t *bypass, int idx, void *user) +{ + private_kernel_netlink_ipsec_t *this = user; + enumerator_t *enumerator; + offload_iface_t *iface; + + if (this->port_bypass) + { + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass, NULL); + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass, NULL); + } + if (this->offload_interfaces) + { + enumerator = this->offload_interfaces->create_enumerator(this->offload_interfaces); + while (enumerator->enumerate(enumerator, NULL, &iface)) + { + if (iface->offload == IFACE_OFFLOAD_PACKET && + iface->flags & IFF_UP) + { + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass, + iface->ifname); + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass, + iface->ifname); + } + } + enumerator->destroy(enumerator); + } +} + /** - * Bypass socket using a port-based bypass policy + * Bypass socket using a port-based bypass policy, optionally offloaded to a + * given interface */ static bool add_port_bypass(private_kernel_netlink_ipsec_t *this, - int fd, int family) + bypass_t *bypass, char *ifname) +{ + if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, bypass, ifname)) + { + return FALSE; + } + if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, bypass, ifname)) + { + manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass, ifname); + return FALSE; + } + return TRUE; +} + +/** + * Offload the given port-based bypass policy to the given interface if possible. + * + * offload_mutex is assumed to be locked. 
+ */ +static bool offload_bypass_iface(private_kernel_netlink_ipsec_t *this, + bypass_t *bypass, offload_iface_t *iface) +{ + if ((iface->offload == IFACE_OFFLOAD_DETECTED || + iface->offload == IFACE_OFFLOAD_PACKET)) + { + if (add_port_bypass(this, bypass, iface->ifname)) + { + iface->offload = IFACE_OFFLOAD_PACKET; + return TRUE; + } + else if (iface->offload == IFACE_OFFLOAD_DETECTED) + { + iface->offload = IFACE_OFFLOAD_CRYPTO; + } + } + return FALSE; +} + +/** + * Offload all known port-based bypass policies to the given interface. + * + * offload_mutex is assumed to be locked. + */ +static void offload_bypasses(private_kernel_netlink_ipsec_t *this, + offload_iface_t *iface) +{ + enumerator_t *enumerator; + bypass_t *bypass; + + enumerator = array_create_enumerator(this->bypass); + while (enumerator->enumerate(enumerator, &bypass)) + { + if (!offload_bypass_iface(this, bypass, iface)) + { /* could indicate a failure but generally means that the interface + * does not support offloading */ + break; + } + } + enumerator->destroy(enumerator); +} + +/** + * Offload a new port-based bypass policy to all known interfaces. + * + * offload_mutex is assumed to be locked. + */ +static void offload_bypass(private_kernel_netlink_ipsec_t *this, + bypass_t *bypass) +{ + enumerator_t *enumerator; + offload_iface_t *iface; + + enumerator = this->offload_interfaces->create_enumerator(this->offload_interfaces); + while (enumerator->enumerate(enumerator, NULL, &iface)) + { + if (iface->flags & IFF_UP) + { + offload_bypass_iface(this, bypass, iface); + } + } + enumerator->destroy(enumerator); +} + +/** + * Offload a bypass policy on supported hardware if the kernel supports it and + * optionally install a port-based bypass policy in software. + */ +static bool add_and_offload_port_bypass(private_kernel_netlink_ipsec_t *this, + int fd, int family) { union { struct sockaddr sa; 
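Review bot: remove_port_bypass() enumerates `this->offload_interfaces` without taking `offload_mutex`, whereas the other helpers in this hunk state in their doc comments that the mutex is assumed to be held. That is only safe because destroy() (later in this diff) tears down `socket_link_events` before calling array_destroy_function() with this callback, so no link event can mutate the table concurrently; a comment on the callback such as `/* called from destroy() after the link-event socket is gone, so no lock is needed */` records that dependency, and the same ordering constraint deserves a remark in the destroy() hunk. The doubled parentheses in `if ((iface->offload == IFACE_OFFLOAD_DETECTED || iface->offload == IFACE_OFFLOAD_PACKET))` in offload_bypass_iface() look like a leftover and can be dropped.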
@@ -3486,39 +3810,38 @@ return FALSE; } - if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass)) + if (this->port_bypass && + !add_port_bypass(this, &bypass, NULL)) { return FALSE; } - if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass)) + if (this->offload_interfaces) { - manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass); - return FALSE; + this->offload_mutex->lock(this->offload_mutex); + offload_bypass(this, &bypass); + /* store it even if no policy was offloaded because an interface that + * supports offloading might get activated later */ + array_insert_create_value(&this->bypass, sizeof(bypass_t), + ARRAY_TAIL, &bypass); + this->offload_mutex->unlock(this->offload_mutex); + } + else + { + array_insert_create_value(&this->bypass, sizeof(bypass_t), + ARRAY_TAIL, &bypass); } - array_insert(this->bypass, ARRAY_TAIL, &bypass); - return TRUE; } -/** - * Remove installed port based bypass policy - */ -static void remove_port_bypass(bypass_t *bypass, int idx, - private_kernel_netlink_ipsec_t *this) -{ - manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass); - manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass); -} - METHOD(kernel_ipsec_t, bypass_socket, bool, private_kernel_netlink_ipsec_t *this, int fd, int family) { - if (lib->settings->get_bool(lib->settings, - "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns)) + if ((this->offload_interfaces || this->port_bypass) && + !add_and_offload_port_bypass(this, fd, family)) { - return add_port_bypass(this, fd, family); + return FALSE; } - return add_socket_bypass(this, fd, family); + return this->port_bypass || add_socket_bypass(this, fd, family); } METHOD(kernel_ipsec_t, enable_udp_decap, bool, 
@@ -3534,30 +3857,166 @@ return TRUE; } +CALLBACK(receive_link_events, void, + private_kernel_netlink_ipsec_t *this, struct nlmsghdr *hdr) +{ + struct ifinfomsg *msg = NLMSG_DATA(hdr); + struct rtattr *rta = IFLA_RTA(msg); + size_t rtasize = IFLA_PAYLOAD (hdr); + offload_iface_t *iface = NULL; + char *name = NULL; + + if (hdr->nlmsg_type != RTM_NEWLINK && + hdr->nlmsg_type != RTM_DELLINK) + { + return; + } + + while (RTA_OK(rta, rtasize)) + { + switch (rta->rta_type) + { + case IFLA_IFNAME: + name = RTA_DATA(rta); + break; + } + rta = RTA_NEXT(rta, rtasize); + } + if (!name) + { + return; + } + + this->offload_mutex->lock(this->offload_mutex); + if (hdr->nlmsg_type == RTM_NEWLINK) + { + iface = this->offload_interfaces->get(this->offload_interfaces, + (void*)(uintptr_t)msg->ifi_index); + if (!iface) + { + INIT(iface, + .ifindex = msg->ifi_index + ); + this->offload_interfaces->put(this->offload_interfaces, + (void*)(uintptr_t)msg->ifi_index, + iface); + } + /* update name in case an interface is renamed */ + strncpy(iface->ifname, name, IFNAMSIZ-1); + iface->ifname[IFNAMSIZ-1] = '\0'; + + if (iface->offload == IFACE_OFFLOAD_UNKNOWN) + { + if (netlink_detect_offload(iface->ifname)) + { + iface->offload = IFACE_OFFLOAD_DETECTED; + } + else + { + iface->offload = IFACE_OFFLOAD_NONE; + } + } + + /* if an interface is activated or newly detected, try to offload known + * IKE bypass policies. 
we don't have to do anything if the interface + * goes down as the kernel automatically removes the state it has for + * offloaded policies */ + if (!(iface->flags & IFF_UP) && (msg->ifi_flags & IFF_UP)) + { + offload_bypasses(this, iface); + } + iface->flags = msg->ifi_flags; + } + else + { + iface = this->offload_interfaces->remove(this->offload_interfaces, + (void*)(uintptr_t)msg->ifi_index); + free(iface); + } + this->offload_mutex->unlock(this->offload_mutex); +} + +/** + * Enumerate all interfaces and check if they support offloading + */ +static bool init_offload_interfaces(private_kernel_netlink_ipsec_t *this) +{ + netlink_buf_t request; + netlink_socket_t *socket; + struct nlmsghdr *out, *current, *in; + struct rtgenmsg *msg; + size_t len; + + socket = netlink_socket_create(NETLINK_ROUTE, NULL, FALSE); + if (!socket) + { + return FALSE; + } + + memset(&request, 0, sizeof(request)); + + in = &request.hdr; + in->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; + in->nlmsg_type = RTM_GETLINK; + in->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)); + + msg = NLMSG_DATA(in); + msg->rtgen_family = AF_UNSPEC; + + if (socket->send(socket, in, &out, &len) != SUCCESS) + { + socket->destroy(socket); + return FALSE; + } + + current = out; + while (NLMSG_OK(current, len)) + { + receive_link_events(this, current); + current = NLMSG_NEXT(current, len); + } + free(out); + socket->destroy(socket); + return TRUE; +} + METHOD(kernel_ipsec_t, destroy, void, private_kernel_netlink_ipsec_t *this) { enumerator_t *enumerator; policy_entry_t *policy; + offload_iface_t *iface; - array_destroy_function(this->bypass, - (array_callback_t)remove_port_bypass, this); - if (this->socket_xfrm_events > 0) + DESTROY_IF(this->socket_link_events); + DESTROY_IF(this->socket_xfrm_events); + array_destroy_function(this->bypass, remove_port_bypass, this); + if (this->xfrmi) { - lib->watcher->remove(lib->watcher, this->socket_xfrm_events); - close(this->socket_xfrm_events); + lib->set(lib, 
KERNEL_NETLINK_XFRMI_MANAGER, NULL); + kernel_netlink_xfrmi_destroy(this->xfrmi); } DESTROY_IF(this->socket_xfrm); enumerator = this->policies->create_enumerator(this->policies); - while (enumerator->enumerate(enumerator, &policy, &policy)) + while (enumerator->enumerate(enumerator, NULL, &policy)) { policy_entry_destroy(this, policy); } enumerator->destroy(enumerator); this->policies->destroy(this->policies); this->sas->destroy(this->sas); + if (this->offload_interfaces) + { + enumerator = this->offload_interfaces->create_enumerator(this->offload_interfaces); + while (enumerator->enumerate(enumerator, NULL, &iface)) + { + free(iface); + } + enumerator->destroy(enumerator); + this->offload_interfaces->destroy(this->offload_interfaces); + } this->condvar->destroy(this->condvar); this->mutex->destroy(this->mutex); + DESTROY_IF(this->offload_mutex); free(this); } @@ -3609,9 +4068,7 @@ } case NLMSG_ERROR: { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "getting SPD hash threshold failed: %s (%d)", - strerror(-err->error), -err->error); + netlink_log_error(hdr, "getting SPD hash threshold failed"); break; } default: @@ -3665,13 +4122,37 @@ } } +/** + * Check for kernel features (currently only via version number) + */ +static void check_kernel_features(private_kernel_netlink_ipsec_t *this) +{ + struct utsname utsname; + int a, b, c; + + if (uname(&utsname) == 0) + { + switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c)) + { + case 2: + case 3: + /* before 6.2 the kernel only provided the last used time for + * specific outbound IPv6 SAs */ + this->sa_lastused = a > 6 || (a == 6 && b >= 2); + break; + default: + break; + } + } +} + /* * Described in header. */ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() { private_kernel_netlink_ipsec_t *this; - bool register_for_events = TRUE; + uint32_t groups; INIT(this, .public = { 
@@ -3697,24 +4178,26 @@ (hashtable_equals_t)policy_equals, 32), .sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash, (hashtable_equals_t)ipsec_sa_equals, 32), - .bypass = array_create(sizeof(bypass_t), 0), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), .get_priority = dlsym(RTLD_DEFAULT, "kernel_netlink_get_priority_custom"), .policy_update = lib->settings->get_bool(lib->settings, - "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns), + "%s.plugins.kernel-netlink.policy_update", + FALSE, lib->ns), .install_routes = lib->settings->get_bool(lib->settings, - "%s.install_routes", TRUE, lib->ns), + "%s.install_routes", TRUE, lib->ns), + .install_routes_xfrmi = lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.install_routes_xfrmi", + FALSE, lib->ns), .proto_port_transport = lib->settings->get_bool(lib->settings, "%s.plugins.kernel-netlink.set_proto_port_transport_sa", FALSE, lib->ns), + .port_bypass = lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns), ); - if (streq(lib->ns, "starter")) - { /* starter has no threads, so we do not register for kernel events */ - register_for_events = FALSE; - } + check_kernel_features(this); this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names, lib->settings->get_bool(lib->settings, 
@@ -3728,38 +4211,38 @@ setup_spd_hash_thresh(this, "ipv4", XFRMA_SPD_IPV4_HTHRESH, 32); setup_spd_hash_thresh(this, "ipv6", XFRMA_SPD_IPV6_HTHRESH, 128); - if (register_for_events) + groups = nl_group(XFRMNLGRP_ACQUIRE) | nl_group(XFRMNLGRP_EXPIRE) | + nl_group(XFRMNLGRP_MIGRATE) | nl_group(XFRMNLGRP_MAPPING); + this->socket_xfrm_events = netlink_event_socket_create(NETLINK_XFRM, groups, + receive_events, this); + if (!this->socket_xfrm_events) { - struct sockaddr_nl addr; - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; + destroy(this); + return NULL; + } - /* create and bind XFRM socket for ACQUIRE, EXPIRE, MIGRATE & MAPPING */ - this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); - if (this->socket_xfrm_events <= 0) - { - DBG1(DBG_KNL, "unable to create XFRM event socket: %s (%d)", - strerror(errno), errno); - destroy(this); - return NULL; - } - addr.nl_groups = XFRMNLGRP(ACQUIRE) | XFRMNLGRP(EXPIRE) | - XFRMNLGRP(MIGRATE) | XFRMNLGRP(MAPPING); - if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr))) + if (netlink_find_offload_feature(lib->settings->get_str(lib->settings, + "%s.plugins.kernel-netlink.hw_offload_feature_interface", + "lo", lib->ns))) + { + this->offload_interfaces = hashtable_create(hashtable_hash_ptr, + hashtable_equals_ptr, 8); + this->offload_mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->socket_link_events = netlink_event_socket_create(NETLINK_ROUTE, + nl_group(RTNLGRP_LINK), + receive_link_events, this); + if (!this->socket_link_events || + !init_offload_interfaces(this)) { - DBG1(DBG_KNL, "unable to bind XFRM event socket: %s (%d)", - strerror(errno), errno); destroy(this); return NULL; } - lib->watcher->add(lib->watcher, this->socket_xfrm_events, WATCHER_READ, - (watcher_cb_t)receive_events, this); } - netlink_find_offload_feature(lib->settings->get_str(lib->settings, - "%s.plugins.kernel-netlink.hw_offload_feature_interface", - "lo", lib->ns)); - + this->xfrmi = 
kernel_netlink_xfrmi_create(TRUE); + if (this->xfrmi) + { + lib->set(lib, KERNEL_NETLINK_XFRMI_MANAGER, this->xfrmi); + } return &this->public; } diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c 2022-09-17 15:42:38.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c 2023-03-27 21:00:49.000000000 +0000 @@ -79,9 +79,6 @@ #define ROUTING_TABLE_PRIO 0 #endif -/** multicast groups (for groups > 31 setsockopt has to be used) */ -#define nl_group(group) (1 << (group - 1)) - ENUM(rt_msg_names, RTM_NEWLINK, RTM_GETRULE, "RTM_NEWLINK", "RTM_DELLINK", @@ -343,9 +340,9 @@ netlink_socket_t *socket; /** - * Netlink rt socket to receive address change events + * Netlink rt event socket */ - int socket_events; + netlink_event_socket_t *socket_events; /** * earliest time of the next roam event 
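Review bot: In kernel_netlink_ipsec_create(), once netlink_find_offload_feature() succeeds, a failed netlink_event_socket_create() for RTNLGRP_LINK or a failed init_offload_interfaces() tears down the whole kernel-netlink backend, while a few lines later a NULL from kernel_netlink_xfrmi_create() is tolerated. If offload tracking is meant to be optional like the XFRM interface manager, that branch should log, release this->offload_interfaces, this->offload_mutex and this->socket_link_events, and continue without offload support; if it is intentionally fatal, a one-line comment at the `destroy(this); return NULL;` would keep the next reader from "fixing" the asymmetry. Either way the chosen behaviour is not derivable from the code as written.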
@@ -1451,76 +1448,36 @@ #endif } -/** - * Receives events from kernel - */ -static bool receive_events(private_kernel_netlink_net_t *this, int fd, - watcher_event_t event) +CALLBACK(receive_events, void, + private_kernel_netlink_net_t *this, struct nlmsghdr *hdr) { - char response[netlink_get_buflen()]; - struct nlmsghdr *hdr = (struct nlmsghdr*)response; - struct sockaddr_nl addr; - socklen_t addr_len = sizeof(addr); - int len; - - len = recvfrom(this->socket_events, response, sizeof(response), - MSG_DONTWAIT, (struct sockaddr*)&addr, &addr_len); - if (len < 0) - { - switch (errno) - { - case EINTR: - /* interrupted, try again */ - return TRUE; - case EAGAIN: - /* no data ready, select again */ - return TRUE; - default: - DBG1(DBG_KNL, "unable to receive from RT event socket %s (%d)", - strerror(errno), errno); - sleep(1); - return TRUE; - } - } - - if (addr.nl_pid != 0) - { /* not from kernel. not interested, try another one */ - return TRUE; - } - - while (NLMSG_OK(hdr, len)) + switch (hdr->nlmsg_type) { - /* looks good so far, dispatch netlink message */ - switch (hdr->nlmsg_type) - { - case RTM_NEWADDR: - case RTM_DELADDR: - process_addr(this, hdr, TRUE); - break; - case RTM_NEWLINK: - case RTM_DELLINK: - process_link(this, hdr, TRUE); - break; - case RTM_NEWROUTE: - case RTM_DELROUTE: - if (this->process_route) - { - process_route(this, hdr); - } - break; - case RTM_NEWRULE: - case RTM_DELRULE: - if (this->process_rules) - { - process_rule(this, hdr); - } - break; - default: - break; - } - hdr = NLMSG_NEXT(hdr, len); + case RTM_NEWADDR: + case RTM_DELADDR: + process_addr(this, hdr, TRUE); + break; + case RTM_NEWLINK: + case RTM_DELLINK: + process_link(this, hdr, TRUE); + break; + case RTM_NEWROUTE: + case RTM_DELROUTE: + if (this->process_route) + { + process_route(this, hdr); + } + break; + case RTM_NEWRULE: + case RTM_DELRULE: + if (this->process_rules) + { + process_rule(this, hdr); + } + break; + default: + break; } - return TRUE; } /** enumerator over 
addresses */ @@ -3056,11 +3013,7 @@ manage_rule(this, RTM_DELRULE, AF_INET6, this->routing_table, this->routing_table_prio); } - if (this->socket_events > 0) - { - lib->watcher->remove(lib->watcher, this->socket_events); - close(this->socket_events); - } + DESTROY_IF(this->socket_events); enumerator = this->routes->ht.create_enumerator(&this->routes->ht); while (enumerator->enumerate(enumerator, NULL, (void**)&route)) { @@ -3096,7 +3049,7 @@ { private_kernel_netlink_net_t *this; enumerator_t *enumerator; - bool register_for_events = TRUE; + uint32_t groups; char *exclude; INIT(this, @@ -3168,11 +3121,6 @@ return NULL; } - if (streq(lib->ns, "starter")) - { /* starter has no threads, so we do not register for kernel events */ - register_for_events = FALSE; - } - exclude = lib->settings->get_str(lib->settings, "%s.ignore_routing_tables", NULL, lib->ns); if (exclude) 
@@ -3194,45 +3142,25 @@ enumerator->destroy(enumerator); } - if (register_for_events) + groups = nl_group(RTNLGRP_IPV4_IFADDR) | + nl_group(RTNLGRP_IPV6_IFADDR) | + nl_group(RTNLGRP_LINK); + if (this->process_route) + { + groups |= nl_group(RTNLGRP_IPV4_ROUTE) | + nl_group(RTNLGRP_IPV6_ROUTE); + } + if (this->process_rules) + { + groups |= nl_group(RTNLGRP_IPV4_RULE) | + nl_group(RTNLGRP_IPV6_RULE); + } + this->socket_events = netlink_event_socket_create(NETLINK_ROUTE, groups, + receive_events, this); + if (!this->socket_events) { - struct sockaddr_nl addr; - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - - /* create and bind RT socket for events (address/interface/route changes) */ - this->socket_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); - if (this->socket_events < 0) - { - DBG1(DBG_KNL, "unable to create RT event socket: %s (%d)", - strerror(errno), errno); - destroy(this); - return NULL; - } - addr.nl_groups = nl_group(RTNLGRP_IPV4_IFADDR) | - nl_group(RTNLGRP_IPV6_IFADDR) | - nl_group(RTNLGRP_LINK); - if (this->process_route) - { - addr.nl_groups |= nl_group(RTNLGRP_IPV4_ROUTE) | - nl_group(RTNLGRP_IPV6_ROUTE); - } - if (this->process_rules) - { - addr.nl_groups |= nl_group(RTNLGRP_IPV4_RULE) | - nl_group(RTNLGRP_IPV6_RULE); - } - if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr))) - { - DBG1(DBG_KNL, "unable to bind RT event socket: %s (%d)", - strerror(errno), errno); - destroy(this); - return NULL; - } - - lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ, - (watcher_cb_t)receive_events, this); + destroy(this); + return NULL; } if (init_address_list(this) != SUCCESS) diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c 2022-06-29 13:00:45.000000000 +0000 +++ 
strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_plugin.c 2023-06-08 10:35:17.000000000 +0000 @@ -56,15 +56,17 @@ METHOD(plugin_t, reload, bool, private_kernel_netlink_plugin_t *this) { + retransmission_t settings; u_int timeout; FILE *f; f = fopen("/proc/sys/net/core/xfrm_acq_expires", "w"); if (f) { + retransmission_parse_default(&settings); timeout = lib->settings->get_int(lib->settings, "%s.plugins.kernel-netlink.xfrm_acq_expires", - task_manager_total_retransmit_timeout(), lib->ns); + retransmission_timeout_total(&settings), lib->ns); fprintf(f, "%u", timeout); fclose(f); } diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,6 +1,6 @@ /* + * Copyright (C) 2008-2023 Tobias Brunner * Copyright (C) 2014 Martin Willi - * Copyright (C) 2008-2020 Tobias Brunner * * Copyright (C) secunet Security Networks AG * @@ -52,7 +52,13 @@ #include #include +/* some older versions of socket.h don't define this yet */ +#ifndef SOL_NETLINK +#define SOL_NETLINK 270 +#endif + typedef struct private_netlink_socket_t private_netlink_socket_t; +typedef struct private_netlink_event_socket_t private_netlink_event_socket_t; /** * Private variables and functions of netlink_socket_t class. 
@@ -121,6 +127,37 @@ }; /** + * Private data of netlink_event_socket_t class + */ +struct private_netlink_event_socket_t { + + /** + * Public interface + */ + netlink_event_socket_t public; + + /** + * Registered callback + */ + netlink_event_cb_t cb; + + /** + * User data to pass to callback + */ + void *user; + + /** + * Netlink socket + */ + int socket; + + /** + * Buffer size for received Netlink messages + */ + u_int buflen; +}; + +/** * #definable hook to simulate request message loss */ #ifdef NETLINK_MSG_LOSS_HOOK @@ -322,7 +359,7 @@ if (this->names) { - DBG3(DBG_KNL, "sending %N %u: %b", this->names, in->nlmsg_type, + DBG4(DBG_KNL, "sending %N %u: %b", this->names, in->nlmsg_type, (u_int)seq, in, in->nlmsg_len); } @@ -389,7 +426,7 @@ { if (this->names) { - DBG3(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type, + DBG4(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type, hdr->nlmsg_seq, hdr, hdr->nlmsg_len); } memcpy(ptr, hdr, hdr->nlmsg_len); @@ -535,7 +572,7 @@ { case NLMSG_ERROR: { - struct nlmsgerr* err = NLMSG_DATA(hdr); + struct nlmsgerr *err = NLMSG_DATA(hdr); if (err->error) { @@ -549,11 +586,11 @@ free(out); return NOT_FOUND; } - DBG1(DBG_KNL, "received netlink error: %s (%d)", - strerror(-err->error), -err->error); + netlink_log_error(hdr, NULL); free(out); return FAILED; } + netlink_log_error(hdr, NULL); free(out); return SUCCESS; } @@ -620,7 +657,7 @@ .nl_family = AF_NETLINK, }; bool force_buf = FALSE; - int rcvbuf_size = 0; + int on = 1, rcvbuf_size = 0; INIT(this, .public = { 
@@ -659,6 +696,15 @@
 destroy(this);
 return NULL;
 }
+
+ /* don't echo back the request payload in error messages, might not be
+ * supported by older kernels, so don't check the result */
+ ignore_result(setsockopt(this->socket, SOL_NETLINK, NETLINK_CAP_ACK, &on,
+ sizeof(on)));
+ /* enable extended ACK attributes, might not be supported by older kernels */
+ ignore_result(setsockopt(this->socket, SOL_NETLINK, NETLINK_EXT_ACK, &on,
+ sizeof(on)));
+
 rcvbuf_size = lib->settings->get_int(lib->settings,
 "%s.plugins.kernel-netlink.receive_buffer_size", rcvbuf_size, lib->ns);
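Review bot: The `@@ -52` hunk above adds a fallback definition only for SOL_NETLINK, but the two setsockopt() calls here use NETLINK_CAP_ACK and NETLINK_EXT_ACK, and netlink_log_error() further down uses NLM_F_ACK_TLVS, NLM_F_CAPPED and NLMSGERR_ATTR_MSG; unless these are provided somewhere outside the visible hunks, builds against kernel headers older than 4.12 fail even though the code deliberately handles kernels without extended ACK support at runtime. Guarding them the same way, e.g. `#ifndef NETLINK_EXT_ACK` / `#define NETLINK_EXT_ACK 11` / `#endif` (and NETLINK_CAP_ACK as 10), keeps the runtime fallback meaningful. The comment could also say that when the kernel ignores NETLINK_CAP_ACK the request payload stays in NLMSG_ERROR, which is the case netlink_log_error() handles via NLM_F_CAPPED.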
@@ -686,6 +732,92 @@
 return &this->public;
 }
 
+CALLBACK(watch_event, bool,
+ private_netlink_event_socket_t *this, int fd, watcher_event_t event)
+{
+ char buf[this->buflen];
+ struct nlmsghdr *hdr = (struct nlmsghdr*)buf;
+ struct sockaddr_nl addr;
+ socklen_t addr_len = sizeof(addr);
+ int len;
+
+ len = recvfrom(this->socket, buf, sizeof(buf), MSG_DONTWAIT,
+ (struct sockaddr*)&addr, &addr_len);
+ if (len < 0)
+ {
+ if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINTR)
+ {
+ DBG1(DBG_KNL, "netlink event read error: %s", strerror(errno));
+ }
+ return TRUE;
+ }
+ else if (addr.nl_pid != 0)
+ { /* ignore non-kernel messages */
+ return TRUE;
+ }
+
+ while (NLMSG_OK(hdr, len))
+ {
+ this->cb(this->user, hdr);
+ hdr = NLMSG_NEXT(hdr, len);
+ }
+ return TRUE;
+}
+
+METHOD(netlink_event_socket_t, destroy_event, void,
+ private_netlink_event_socket_t *this)
+{
+ if (this->socket != -1)
+ {
+ lib->watcher->remove(lib->watcher, this->socket);
+ close(this->socket);
+ }
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+netlink_event_socket_t *netlink_event_socket_create(int protocol, uint32_t groups,
+ netlink_event_cb_t cb, void *user)
+{
+ private_netlink_event_socket_t *this;
+ struct sockaddr_nl addr = {
+ .nl_family = AF_NETLINK,
+ .nl_groups = groups,
+ };
+
+ INIT(this,
+ .public = {
+ .destroy = _destroy_event,
+ },
+ .cb = cb,
+ .user = user,
+ .buflen = netlink_get_buflen(),
+ );
+
+ this->socket = socket(AF_NETLINK, SOCK_RAW, protocol);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_KNL, "unable to create netlink event socket: %s (%d)",
+ strerror(errno), errno);
+ destroy_event(this);
+ return NULL;
+ }
+
+ if (bind(this->socket, (struct sockaddr*)&addr, sizeof(addr)))
+ {
+ DBG1(DBG_KNL, "unable to bind netlink event socket: %s (%d)",
+ strerror(errno), errno);
+ destroy_event(this);
+ return NULL;
+ }
+
+ lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, watch_event, this);
+
+ return &this->public;
+}
+
 /*
 * Described in header
 */
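Review bot: In watch_event() an ENOBUFS from recvfrom() means the kernel dropped multicast events because the socket's receive buffer overflowed, but it is logged like any other failure and then ignored, so the state mirrored by the callbacks (address and route tables, the offloaded-interface table, XFRM ACQUIRE/EXPIRE handling) can silently go stale; at minimum print errno so operators can correlate it with receive_buffer_size, `DBG1(DBG_KNL, "netlink event read error: %s (%d)", strerror(errno), errno);`, which also matches the `%s (%d)` form of the other messages in this file. destroy_event() is also reached from the bind() failure path before the fd was registered with the watcher, so `lib->watcher->remove()` is called for a fd it never saw; whether that is a harmless no-op depends on the watcher implementation, which is not visible here, and a comment or a registered flag would make the intent explicit.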
@@ -767,6 +899,69 @@
 }
 
 /*
+ * Described in header
+ */
+void netlink_log_error(struct nlmsghdr *hdr, const char *prefix)
+{
+ struct nlmsgerr *err = NLMSG_DATA(hdr);
+ struct rtattr *rta;
+ size_t offset, rtasize;
+ const char *msg = NULL;
+ bool is_error = err->error != 0;
+
+ if (!prefix)
+ {
+ prefix = is_error ? "received netlink error"
+ : "received netlink warning";
+ }
+
+ if (hdr->nlmsg_flags & NLM_F_ACK_TLVS)
+ {
+ /* skip the headers, and the request payload for older kernels that
+ * don't support omitting it */
+ offset = sizeof(*err);
+ if (!(hdr->nlmsg_flags & NLM_F_CAPPED))
+ {
+ offset += err->msg.nlmsg_len - NLMSG_HDRLEN;
+ }
+
+ rta = (struct rtattr*)(NLMSG_DATA(hdr) + NLMSG_ALIGN(offset));
+ rtasize = NLMSG_PAYLOAD(hdr, offset);
+ while (RTA_OK(rta, rtasize))
+ {
+ if (rta->rta_type == NLMSGERR_ATTR_MSG)
+ {
+ msg = RTA_DATA(rta);
+ /* sanity check, strings from the kernel should be terminated */
+ if (!RTA_PAYLOAD(rta) || msg[RTA_PAYLOAD(rta)-1] != '\0')
+ {
+ msg = NULL;
+ }
+ break;
+ }
+ rta = RTA_NEXT(rta, rtasize);
+ }
+ }
+
+ if (msg && *msg)
+ {
+ if (is_error)
+ {
+ DBG1(DBG_KNL, "%s: %s (%d)", prefix, msg, -err->error);
+ }
+ else
+ {
+ DBG2(DBG_KNL, "%s: %s", prefix, msg);
+ }
+ }
+ else if (is_error)
+ {
+ DBG1(DBG_KNL, "%s: %s (%d)", prefix, strerror(-err->error),
+ -err->error);
+ }
+}
+
+/*
 * Described in header
 */
 void route_entry_destroy(route_entry_t *this)
diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h
--- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.h 2023-03-27 21:00:49.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2020 Tobias Brunner
+ * Copyright (C) 2008-2023 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
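Review bot: netlink_log_error() computes `rtasize = NLMSG_PAYLOAD(hdr, offset)` without checking that hdr->nlmsg_len actually covers offset; the arithmetic is unsigned, so an NLMSG_ERROR that sets NLM_F_ACK_TLVS but is shorter than the embedded request it claims (err->msg.nlmsg_len below NLMSG_HDRLEN, or nlmsg_len below NLMSG_SPACE(offset)) wraps rtasize and lets the RTA_OK() loop read past the message. The message comes from the kernel, so this is hardening rather than an attack surface, but the guard is a single condition, `if (hdr->nlmsg_len >= NLMSG_SPACE(offset))` around the attribute walk, plus treating err->msg.nlmsg_len < NLMSG_HDRLEN as "no TLVs". The NUL-termination check before logging the kernel string is good; a short comment that RTA_PAYLOAD() includes the terminator would explain the `-1`.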
@@ -40,7 +40,16 @@
 u_char bytes[KERNEL_NETLINK_BUFSIZE];
 } netlink_buf_t __attribute__((aligned(RTA_ALIGNTO)));
 
+/**
+ * Callback function for netlink events.
+ *
+ * @param user user data, as passed to constructor
+ * @param hdr received netlink message
+ */
+typedef void (*netlink_event_cb_t)(void *user, struct nlmsghdr *hdr);
+
 typedef struct netlink_socket_t netlink_socket_t;
+typedef struct netlink_event_socket_t netlink_event_socket_t;
 
 /**
 * Wrapper around a netlink socket.
@@ -81,6 +90,45 @@
 bool parallel);
 
 /**
+ * Wrapper around a bound netlink event socket.
+ */
+struct netlink_event_socket_t {
+
+ /**
+ * Destroy the event socket.
+ */
+ void (*destroy)(netlink_event_socket_t *this);
+};
+
+/**
+ * Create a netlink_event_socket_t object.
+ *
+ * @param protocol protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
+ * @param groups event groups to bind (use nl_group())
+ * @param cb callback to invoke for each event
+ * @param user user data passed to callback
+ */
+netlink_event_socket_t *netlink_event_socket_create(int protocol, uint32_t groups,
+ netlink_event_cb_t cb, void *user);
+
+/**
+ * Helper to create bitmask for Netlink multicast groups.
+ *
+ * For groups > 31, setsockopt() with NETLINK_ADD_MEMBERSHIP has to be used,
+ * which is currently not supported by the event socket.
+ */
+static inline uint32_t nl_group(uint32_t group)
+{
+ if (group > 31)
+ {
+ DBG1(DBG_KNL, "netlink multicast group %d currently not supported",
+ group);
+ return 0;
+ }
+ return group ? (1 << (group - 1)) : 0;
+}
+
+/**
 * Creates an rtattr and adds it to the given netlink message.
 *
 * @param hdr netlink message
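Review bot: nl_group() formats its uint32_t argument with `%d` in the DBG1 line; `%u` matches the type. The shift `(1 << (group - 1))` is evaluated in int and then converted to the uint32_t return, which is well-defined for the guarded range but `1U << (group - 1)` states the intent and stays correct if the limit is ever raised. Because an unsupported group yields 0, callers such as the `groups = nl_group(...) | ...` expressions in kernel_netlink_net.c end up bound to fewer groups than requested with only a log line as evidence; the comment should say that the result is 0 for groups above 31 so callers can check it.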
@@ -122,7 +170,17 @@
 * @param len length of RTA data
 * @return buffer to len bytes of attribute data, NULL on error
 */
-void* netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len);
+void *netlink_reserve(struct nlmsghdr *hdr, int buflen, int type, int len);
+
+/**
+ * Log extended ACK error/warning message in a NLMSG_ERROR message. In error
+ * messages (i.e. error != 0), the generic error message is logged if no
+ * extended ACK message is available.
+ *
+ * @param hdr netlink message
+ * @param prefix optional prefix to add before error message
+ */
+void netlink_log_error(struct nlmsghdr *hdr, const char *prefix);
 
 /**
 * Determine buffer size for received messages (e.g. events).
diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.c strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.c
--- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.c 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.c 2023-03-27 21:00:49.000000000 +0000
@@ -0,0 +1,445 @@ +/* + * Copyright (C) 2019-2023 Tobias Brunner + * + * Copyright (C) secunet Security Networks AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "kernel_netlink_xfrmi.h" +#include "kernel_netlink_shared.h" + +#ifndef IFLA_XFRM_MAX +enum { + IFLA_XFRM_UNSPEC, + IFLA_XFRM_LINK, + IFLA_XFRM_IF_ID, + __IFLA_XFRM_MAX +}; +#define IFLA_XFRM_MAX (__IFLA_XFRM_MAX - 1) +#endif + +typedef struct private_kernel_netlink_xfrmi_t private_kernel_netlink_xfrmi_t; + +/** + * Private data + */ +struct private_kernel_netlink_xfrmi_t { + + /** + * Public interface + */ + kernel_netlink_xfrmi_t public; + + /** + * Netlink socket + */ + netlink_socket_t *socket; +}; + +/** + * "up" the interface with the given name + */ +static bool interface_up(private_kernel_netlink_xfrmi_t *this, char *name) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + struct ifinfomsg *msg; + + memset(&request, 0, sizeof(request)); + + hdr = &request.hdr; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = RTM_SETLINK; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + + msg = NLMSG_DATA(hdr); + msg->ifi_family = AF_UNSPEC; + msg->ifi_change |= IFF_UP; + msg->ifi_flags |= IFF_UP; + + netlink_add_attribute(hdr, IFLA_IFNAME, chunk_from_str(name), + sizeof(request)); + + if (this->socket->send_ack(this->socket, hdr) != SUCCESS) + { + DBG1(DBG_KNL, "failed to bring up XFRM interface '%s'", name); + return FALSE; + } + return TRUE; +} + +METHOD(kernel_netlink_xfrmi_t, create, 
bool, + private_kernel_netlink_xfrmi_t *this, char *name, uint32_t if_id, + char *phys, uint32_t mtu) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + struct ifinfomsg *msg; + struct rtattr *linkinfo, *info_data; + uint32_t ifindex = 0; + + if (phys) + { + ifindex = if_nametoindex(phys); + if (!ifindex) + { + DBG1(DBG_KNL, "physical interface '%s' not found", phys); + return FALSE; + } + } + + memset(&request, 0, sizeof(request)); + + hdr = &request.hdr; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL; + hdr->nlmsg_type = RTM_NEWLINK; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + + msg = NLMSG_DATA(hdr); + msg->ifi_family = AF_UNSPEC; + + netlink_add_attribute(hdr, IFLA_IFNAME, chunk_from_str(name), + sizeof(request)); + if (mtu) + { + netlink_add_attribute(hdr, IFLA_MTU, chunk_from_thing(mtu), + sizeof(request)); + } + + linkinfo = netlink_nested_start(hdr, sizeof(request), IFLA_LINKINFO); + + netlink_add_attribute(hdr, IFLA_INFO_KIND, chunk_from_str("xfrm"), + sizeof(request)); + + info_data = netlink_nested_start(hdr, sizeof(request), IFLA_INFO_DATA); + + netlink_add_attribute(hdr, IFLA_XFRM_IF_ID, chunk_from_thing(if_id), + sizeof(request)); + if (ifindex) + { + netlink_add_attribute(hdr, IFLA_XFRM_LINK, chunk_from_thing(ifindex), + sizeof(request)); + } + + netlink_nested_end(hdr, info_data); + netlink_nested_end(hdr, linkinfo); + + switch (this->socket->send_ack(this->socket, hdr)) + { + case SUCCESS: + return interface_up(this, name); + case ALREADY_DONE: + DBG1(DBG_KNL, "XFRM interface '%s' already exists", name); + break; + default: + DBG1(DBG_KNL, "failed to create XFRM interface '%s'", name); + break; + } + return FALSE; +} + +/** enumerator over XFRM interfaces */ +typedef struct { + /** public interface */ + enumerator_t public; + /** message from the kernel */ + struct nlmsghdr *msg; + /** current message from the kernel */ + struct nlmsghdr *current; + /** remaining length */ + size_t len; + /** current 
physical interface (if any) */ + char phys[IFNAMSIZ]; +} interface_enumerator_t; + +METHOD(enumerator_t, destroy_enumerator, void, + interface_enumerator_t *this) +{ + free(this->msg); + free(this); +} + +/** + * Parse attributes nested in IFLA_INFO_DATA + */ +static void parse_info_data(struct rtattr *rta, size_t rtasize, bool *has_phys, + char *phys, uint32_t *if_id) +{ + uint32_t ifindex; + + while (RTA_OK(rta, rtasize)) + { + switch (rta->rta_type) + { + case IFLA_XFRM_IF_ID: + if (RTA_PAYLOAD(rta) == sizeof(*if_id)) + { + *if_id = *(uint32_t*)RTA_DATA(rta); + } + break; + case IFLA_XFRM_LINK: + if (RTA_PAYLOAD(rta) == sizeof(ifindex)) + { + ifindex = *(uint32_t*)RTA_DATA(rta); + if (ifindex) + { + if_indextoname(ifindex, phys); + *has_phys = TRUE; + } + } + break; + default: + break; + } + rta = RTA_NEXT(rta, rtasize); + } +} + +/** + * Parse attributes nested in IFLA_LINKINFO + */ +static void parse_linkinfo(struct rtattr *rta, size_t rtasize, bool *type_match, + bool *has_phys, char *phys, uint32_t *if_id) +{ + while (RTA_OK(rta, rtasize)) + { + switch (rta->rta_type) + { + case IFLA_INFO_KIND: + *type_match = streq("xfrm", RTA_DATA(rta)); + break; + case IFLA_INFO_DATA: + parse_info_data(RTA_DATA(rta), RTA_PAYLOAD(rta), has_phys, + phys, if_id); + break; + default: + break; + } + rta = RTA_NEXT(rta, rtasize); + } +} + +METHOD(enumerator_t, enumerate, bool, + interface_enumerator_t *this, va_list args) +{ + char **name; + uint32_t *if_id, *mtu; + char **phys; + + VA_ARGS_VGET(args, name, if_id, phys, mtu); + + if (!this->current) + { + this->current = this->msg; + } + else + { + this->current = NLMSG_NEXT(this->current, this->len); + } + + while (NLMSG_OK(this->current, this->len)) + { + switch (this->current->nlmsg_type) + { + case NLMSG_DONE: + break; + case RTM_NEWLINK: + { + struct ifinfomsg *msg = NLMSG_DATA(this->current); + struct rtattr *rta = IFLA_RTA(msg); + size_t rtasize = IFLA_PAYLOAD(this->current); + bool type_match = FALSE, has_phys = FALSE; 
+ + *name = NULL; + + while (RTA_OK(rta, rtasize)) + { + switch (rta->rta_type) + { + case IFLA_IFNAME: + *name = RTA_DATA(rta); + break; + case IFLA_MTU: + if (mtu && RTA_PAYLOAD(rta) == sizeof(*mtu)) + { + *mtu = *(uint32_t*)RTA_DATA(rta); + } + break; + case IFLA_LINKINFO: + parse_linkinfo(RTA_DATA(rta), RTA_PAYLOAD(rta), + &type_match, &has_phys, this->phys, + if_id); + break; + default: + break; + } + rta = RTA_NEXT(rta, rtasize); + } + if (*name && type_match) + { + if (phys) + { + *phys = has_phys ? this->phys : NULL; + } + return TRUE; + } + /* fall-through */ + } + default: + this->current = NLMSG_NEXT(this->current, this->len); + continue; + } + break; + } + return FALSE; +} + +METHOD(kernel_netlink_xfrmi_t, create_enumerator, enumerator_t*, + private_kernel_netlink_xfrmi_t *this) +{ + netlink_buf_t request; + struct nlmsghdr *hdr, *out; + struct ifinfomsg *msg; + struct rtattr *linkinfo; + size_t len; + interface_enumerator_t *enumerator; + + memset(&request, 0, sizeof(request)); + + hdr = &request.hdr; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; + hdr->nlmsg_type = RTM_GETLINK; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + + msg = NLMSG_DATA(hdr); + msg->ifi_family = AF_UNSPEC; + + /* if the kernel doesn't know the type we set here, it will just return all + * interfaces, so we filter the type ourselves too in the callback */ + linkinfo = netlink_nested_start(hdr, sizeof(request), IFLA_LINKINFO); + + netlink_add_attribute(hdr, IFLA_INFO_KIND, chunk_from_str("xfrm"), + sizeof(request)); + + netlink_nested_end(hdr, linkinfo); + + if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS) + { + DBG2(DBG_KNL, "enumerating XFRM interfaces failed"); + return enumerator_create_empty(); + } + + INIT(enumerator, + .public = { + .enumerate = enumerator_enumerate_default, + .venumerate = _enumerate, + .destroy = _destroy_enumerator, + }, + .msg = out, + .len = len, + ); + return &enumerator->public; +} + +METHOD(kernel_netlink_xfrmi_t, 
delete, bool, + private_kernel_netlink_xfrmi_t *this, char *name) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + struct ifinfomsg *msg; + struct rtattr *linkinfo; + + memset(&request, 0, sizeof(request)); + + hdr = &request.hdr; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; + hdr->nlmsg_type = RTM_DELLINK; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); + + msg = NLMSG_DATA(hdr); + msg->ifi_family = AF_UNSPEC; + + netlink_add_attribute(hdr, IFLA_IFNAME, chunk_from_str(name), + sizeof(request)); + + /* the type doesn't seem to matter, but let's still set it */ + linkinfo = netlink_nested_start(hdr, sizeof(request), IFLA_LINKINFO); + + netlink_add_attribute(hdr, IFLA_INFO_KIND, chunk_from_str("xfrm"), + sizeof(request)); + + netlink_nested_end(hdr, linkinfo); + + switch (this->socket->send_ack(this->socket, hdr)) + { + case SUCCESS: + return TRUE; + case NOT_FOUND: + DBG1(DBG_KNL, "XFRM interface '%s' not found to delete", name); + break; + default: + DBG1(DBG_KNL, "failed to delete XFRM interface '%s'", name); + break; + } + return FALSE; +} + +void kernel_netlink_xfrmi_destroy(kernel_netlink_xfrmi_t *pub) +{ + private_kernel_netlink_xfrmi_t *this = (private_kernel_netlink_xfrmi_t*)pub; + + this->socket->destroy(this->socket); + free(this); +} + +/* + * Described in header + */ +kernel_netlink_xfrmi_t *kernel_netlink_xfrmi_create(bool test) +{ + private_kernel_netlink_xfrmi_t *this; + char name[IFNAMSIZ] = {}; + uint32_t if_id; + + INIT(this, + .public = { + .create = _create, + .create_enumerator = _create_enumerator, + .delete = _delete, + }, + .socket = netlink_socket_create(NETLINK_ROUTE, NULL, FALSE), + ); + + if (!this->socket) + { + free(this); + return NULL; + } + if (test) + { + /* try to create an XFRM interface to see if the kernel supports it, use + * a random ID and name for the test to avoid conflicts */ + if_id = random(); + snprintf(name, sizeof(name), "xfrmi-test-%u", if_id); + + if (!create(this, name, if_id, NULL, 0)) + { + 
kernel_netlink_xfrmi_destroy(&this->public); + return NULL; + } + DBG2(DBG_KNL, "XFRM interfaces supported by kernel"); + delete(this, name); + } + return &this->public; +} diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.h strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.h --- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.h 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/kernel_netlink_xfrmi.h 2023-03-27 21:00:49.000000000 +0000 
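Review bot: In kernel_netlink_xfrmi_create() the probe name `xfrmi-test-%u` does not fit: the prefix is 11 characters, random() yields up to 10 digits, and snprintf() into char[IFNAMSIZ] silently truncates to 15 characters, so the interface gets only the first four digits of the ID and the name no longer corresponds to the if_id used. Unless random() is seeded elsewhere, the sequence is also identical on every start, so a leftover from a previous run that died between create() and delete() makes create() return ALREADY_DONE and the kernel is then reported as not supporting XFRM interfaces; `snprintf(name, sizeof(name), "xfrmi-t%08x", if_id);` fits and uses the whole ID. Separately, parse_info_data() sets `*has_phys = TRUE` without checking the return of if_indextoname(), and since this->phys is reused across enumerate() calls a failed lookup leaves the previous interface name in place; `*has_phys = if_indextoname(ifindex, phys) != NULL;` fixes both. The enumerator's `name` and `if_id` output pointers are dereferenced unconditionally while `phys` and `mtu` are NULL-checked, which should be documented or made consistent.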
@@ -0,0 +1,84 @@ +/* + * Copyright (C) 2022-2023 Tobias Brunner + * + * Copyright (C) secunet Security Networks AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup kernel_netlink_xfrmi kernel_netlink_xfrmi + * @{ @ingroup kernel_netlink + */ + +#ifndef KERNEL_NETLINK_XFRMI_H_ +#define KERNEL_NETLINK_XFRMI_H_ + +#include + +#define KERNEL_NETLINK_XFRMI_MANAGER "kernel-netlink-xfrmi" + +typedef struct kernel_netlink_xfrmi_t kernel_netlink_xfrmi_t; + +/** + * Simple manager for XFRM interfaces. An instance can be retrieved via + * lib::get() under the key "kernel-netlink-xfrmi" if the kernel-netlink plugin + * is loaded and XFRM interfaces are supported by the kernel. + */ +struct kernel_netlink_xfrmi_t { + + /** + * Creates an XFRM interface with the given name, interface ID and + * optional underlying physical interface and MTU. + * + * @param name name of the XFRM interface + * @param if_id interface ID (has to match SAs/policies) + * @param phys name of the underlying physical interface (optional) + * @param mtu MTU of the interface (optional, 0 for default) + * @return TRUE if interface was successfully created + */ + bool (*create)(kernel_netlink_xfrmi_t *this, char *name, uint32_t if_id, + char *phys, uint32_t mtu); + + /** + * Enumerate existing XFRM interfaces. 
+ * + * @return enumerator over (char *name, uint32_t if_id, + * char *phys, u_int mtu) + */ + enumerator_t *(*create_enumerator)(kernel_netlink_xfrmi_t *this); + + /** + * Deletes the XFRM interface with the given name. + * + * @note This deletes any type of interface with the given name. + * + * @param name name of the XFRM interface + * @return TRUE if interface was successfully deleted + */ + bool (*delete)(kernel_netlink_xfrmi_t *this, char *name); +}; + +/** + * Create the manager. + * + * @param test test if XFRM interfaces can be created (requires CAP_NET_ADMIN) + * @return kernel_netlink_xfrmi_t instance, or NULL if test failed + */ +kernel_netlink_xfrmi_t *kernel_netlink_xfrmi_create(bool test); + +/** + * Destroy the given manager. Not a method in the interface above to prevent + * users from destroying the manager. + */ +void kernel_netlink_xfrmi_destroy(kernel_netlink_xfrmi_t *this); + +#endif /** KERNEL_NETLINK_XFRMI_H_ @}*/ diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/Makefile.am strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/Makefile.am --- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/Makefile.am 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/Makefile.am 2023-03-27 21:00:49.000000000 +0000 
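Review bot: The create_enumerator() documentation lists the last item as `u_int mtu`, but enumerate() in kernel_netlink_xfrmi.c reads it through a `uint32_t *` and compares RTA_PAYLOAD() against sizeof(uint32_t); the comment should read `@return enumerator over (char *name, uint32_t if_id, char *phys, uint32_t mtu)`. It should also state that `name` and `if_id` are mandatory outputs while `phys` and `mtu` may be NULL, and that `name` and `phys` point into the enumerator's own buffers and are only valid until the next enumerate() or destroy(). The `@note` on delete() that any interface of that name is removed is the right caveat for a destructive call and is worth keeping prominent.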
@@ -18,7 +18,8 @@ kernel_netlink_plugin.h kernel_netlink_plugin.c \ kernel_netlink_ipsec.h kernel_netlink_ipsec.c \ kernel_netlink_net.h kernel_netlink_net.c \ - kernel_netlink_shared.h kernel_netlink_shared.c + kernel_netlink_shared.h kernel_netlink_shared.c \ + kernel_netlink_xfrmi.h kernel_netlink_xfrmi.c libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/Makefile.in strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/kernel_netlink/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_netlink/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -143,7 +143,7 @@ libstrongswan_kernel_netlink_la_DEPENDENCIES = $(am__DEPENDENCIES_1) am_libstrongswan_kernel_netlink_la_OBJECTS = kernel_netlink_plugin.lo \ kernel_netlink_ipsec.lo kernel_netlink_net.lo \ - kernel_netlink_shared.lo + kernel_netlink_shared.lo kernel_netlink_xfrmi.lo libstrongswan_kernel_netlink_la_OBJECTS = \ $(am_libstrongswan_kernel_netlink_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -191,6 +191,7 @@ ./$(DEPDIR)/kernel_netlink_shared.Plo \ ./$(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po \ ./$(DEPDIR)/kernel_netlink_tests-tests.Po \ + ./$(DEPDIR)/kernel_netlink_xfrmi.Plo \ suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ @@ -481,7 +482,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ 
@@ -529,7 +529,8 @@ kernel_netlink_plugin.h kernel_netlink_plugin.c \ kernel_netlink_ipsec.h kernel_netlink_ipsec.c \ kernel_netlink_net.h kernel_netlink_net.c \ - kernel_netlink_shared.h kernel_netlink_shared.c + kernel_netlink_shared.h kernel_netlink_shared.c \ + kernel_netlink_xfrmi.h kernel_netlink_xfrmi.c libstrongswan_kernel_netlink_la_LIBADD = $(DLLIB) libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version @@ -666,6 +667,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_tests-tests.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_xfrmi.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po@am__quote@ # am--include-marker $(am__depfiles_remade): @@ -976,6 +978,7 @@ -rm -f ./$(DEPDIR)/kernel_netlink_shared.Plo -rm -f ./$(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po -rm -f ./$(DEPDIR)/kernel_netlink_tests-tests.Po + -rm -f ./$(DEPDIR)/kernel_netlink_xfrmi.Plo -rm -f suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ 
@@ -1028,6 +1031,7 @@ -rm -f ./$(DEPDIR)/kernel_netlink_shared.Plo -rm -f ./$(DEPDIR)/kernel_netlink_tests-kernel_netlink_shared.Po -rm -f ./$(DEPDIR)/kernel_netlink_tests-tests.Po + -rm -f ./$(DEPDIR)/kernel_netlink_xfrmi.Plo -rm -f suites/$(DEPDIR)/kernel_netlink_tests-test_socket.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c strongswan-5.9.11/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2022-09-17 15:42:38.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c 2023-06-08 10:35:17.000000000 +0000 @@ -1659,6 +1659,16 @@ return SUCCESS; } +METHOD(kernel_ipsec_t, get_features, kernel_feature_t, + private_kernel_pfkey_ipsec_t *this) +{ +#ifdef __APPLE__ + return KERNEL_SA_USE_TIME; +#else + return 0; +#endif +} + METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi) @@ -1969,7 +1979,7 @@ } #ifndef SADB_X_EXT_NEW_ADDRESS_SRC /* we can't update the SA if any of the ip addresses have changed. - * that's because we can't use SADB_UPDATE and by deleting and readding the + * that's because we can't use SADB_UPDATE and by deleting and re-adding the * SA the sequence numbers would get lost */ if (!id->src->ip_equals(id->src, data->new_src) || !id->dst->ip_equals(id->dst, data->new_dst)) 
@@ -2198,9 +2208,9 @@ /* OS X uses the "last" time of use in usetime */ *time = response.lft_current->sadb_lifetime_usetime; #else /* !__APPLE__ */ - /* on Linux, sadb_lifetime_usetime is set to the "first" time of use, - * which is actually correct according to PF_KEY. We have to query - * policies for the last usetime. */ + /* on Linux and FreeBSD, sadb_lifetime_usetime is set to the "first" + * time of use, which is actually correct according to PF_KEY. We have + * to query policies for the last usetime. */ *time = 0; #endif /* !__APPLE__ */ } @@ -3303,12 +3313,12 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() { private_kernel_pfkey_ipsec_t *this; - bool register_for_events = TRUE; int rcv_buffer; INIT(this, .public = { .interface = { + .get_features = _get_features, .get_spi = _get_spi, .get_cpi = _get_cpi, .add_sa = _add_sa, @@ -3339,11 +3349,6 @@ FALSE, lib->ns), ); - if (streq(lib->ns, "starter")) - { /* starter has no threads, so we do not register for kernel events */ - register_for_events = FALSE; - } - /* create a PF_KEY socket to communicate with the kernel */ this->socket = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); if (this->socket <= 0) 
@@ -3353,41 +3358,38 @@ return NULL; } - if (register_for_events) + /* create a PF_KEY socket for ACQUIRE & EXPIRE */ + this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); + if (this->socket_events <= 0) { - /* create a PF_KEY socket for ACQUIRE & EXPIRE */ - this->socket_events = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); - if (this->socket_events <= 0) - { - DBG1(DBG_KNL, "unable to create PF_KEY event socket"); - destroy(this); - return NULL; - } + DBG1(DBG_KNL, "unable to create PF_KEY event socket"); + destroy(this); + return NULL; + } - rcv_buffer = lib->settings->get_int(lib->settings, + rcv_buffer = lib->settings->get_int(lib->settings, "%s.plugins.kernel-pfkey.events_buffer_size", 0, lib->ns); - if (rcv_buffer > 0) - { - if (setsockopt(this->socket_events, SOL_SOCKET, SO_RCVBUF, - &rcv_buffer, sizeof(rcv_buffer)) == -1) - { - DBG1(DBG_KNL, "unable to set receive buffer size on PF_KEY " - "event socket: %s", strerror(errno)); - } - } - - /* register the event socket */ - if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS || - register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS) + if (rcv_buffer > 0) + { + if (setsockopt(this->socket_events, SOL_SOCKET, SO_RCVBUF, + &rcv_buffer, sizeof(rcv_buffer)) == -1) { - DBG1(DBG_KNL, "unable to register PF_KEY event socket"); - destroy(this); - return NULL; + DBG1(DBG_KNL, "unable to set receive buffer size on PF_KEY " + "event socket: %s", strerror(errno)); } + } - lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ, - (watcher_cb_t)receive_events, this); + /* register the event socket */ + if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS || + register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS) + { + DBG1(DBG_KNL, "unable to register PF_KEY event socket"); + destroy(this); + return NULL; } + lib->watcher->add(lib->watcher, this->socket_events, WATCHER_READ, + (watcher_cb_t)receive_events, this); + return &this->public; } diff -Nru 
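Review bot: `if (this->socket_events <= 0)` treats file descriptor 0 as a failure, but socket() only signals an error with -1; a daemon that has closed stdin can legitimately receive fd 0 and would then log "unable to create PF_KEY event socket" and abort plugin creation. Use `if (this->socket_events == -1)` here (the pre-existing `this->socket <= 0` check just above this hunk has the same issue). Apart from dropping the starter special case, the rest of the hunk is re-indentation of the old branch body, so no other behaviour change is apparent.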
strongswan-5.9.8/src/libcharon/plugins/kernel_pfkey/Makefile.in strongswan-5.9.11/src/libcharon/plugins/kernel_pfkey/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/kernel_pfkey/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_pfkey/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c strongswan-5.9.11/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c 2023-03-27 21:00:49.000000000 +0000 @@ -2114,21 +2114,9 @@ destroy(this); return NULL; } + lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, + (watcher_cb_t)receive_events, this); - if (streq(lib->ns, "starter")) - { - /* starter has no threads, so we do not register for kernel events */ - if (shutdown(this->socket, SHUT_RD) != 0) - { - DBG1(DBG_KNL, "closing read end of PF_ROUTE socket failed: %s", - strerror(errno)); - } - } - else - { - lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, - (watcher_cb_t)receive_events, this); - } if (init_address_list(this) != SUCCESS) { DBG1(DBG_KNL, "unable to get interface list"); diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_pfroute/Makefile.in strongswan-5.9.11/src/libcharon/plugins/kernel_pfroute/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/kernel_pfroute/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_pfroute/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c strongswan-5.9.11/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c --- strongswan-5.9.8/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c 2023-03-27 21:00:49.000000000 +0000 @@ -2492,7 +2492,8 @@ * Add a bypass policy for a specific UDP port */ static bool add_bypass(private_kernel_wfp_ipsec_t *this, - int family, uint16_t port, bool inbound, UINT64 *luid) + int family, uint16_t port, bool inbound, bool tunnel, + UINT64 *luid) { FWPM_FILTER_CONDITION0 *cond, *conds = NULL; int count = 0; @@ -2525,6 +2526,11 @@ return FALSE; } + if (tunnel) + { + filter.subLayerKey = FWPM_SUBLAYER_IPSEC_TUNNEL; + } + cond = append_condition(&conds, &count); cond->fieldKey = FWPM_CONDITION_IP_PROTOCOL; cond->matchType = FWP_MATCH_EQUAL; @@ -2558,8 +2564,8 @@ SOCKADDR_IN in; SOCKADDR_IN6 in6; } saddr; - int addrlen = sizeof(saddr); - UINT64 filter_out, filter_in = 0; + int addrlen = sizeof(saddr), i; + UINT64 filters[4] = { 0 }; uint16_t port; if (getsockname(fd, &saddr.sa, &addrlen) == SOCKET_ERROR) 
@@ -2578,19 +2584,26 @@ return FALSE; } - if (!add_bypass(this, family, port, TRUE, &filter_in) || - !add_bypass(this, family, port, FALSE, &filter_out)) + if (!add_bypass(this, family, port, TRUE, FALSE, &filters[0]) || + !add_bypass(this, family, port, TRUE, TRUE, &filters[1]) || + !add_bypass(this, family, port, FALSE, FALSE, &filters[2]) || + !add_bypass(this, family, port, FALSE, TRUE, &filters[3])) { - if (filter_in) + for (i = 0; i < countof(filters); i++) { - FwpmFilterDeleteById0(this->handle, filter_in); + if (filters[i]) + { + FwpmFilterDeleteById0(this->handle, filters[i]); + } } return FALSE; } this->mutex->lock(this->mutex); - array_insert(this->bypass, ARRAY_TAIL, &filter_in); - array_insert(this->bypass, ARRAY_TAIL, &filter_out); + for (i = 0; i < countof(filters); i++) + { + array_insert(this->bypass, ARRAY_TAIL, &filters[i]); + } this->mutex->unlock(this->mutex); return TRUE; diff -Nru strongswan-5.9.8/src/libcharon/plugins/kernel_wfp/Makefile.in strongswan-5.9.11/src/libcharon/plugins/kernel_wfp/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/kernel_wfp/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/kernel_wfp/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -444,7 +444,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/led/Makefile.in strongswan-5.9.11/src/libcharon/plugins/led/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/led/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/led/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
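Review bot: `i` is declared `int` in `int addrlen = sizeof(saddr), i;` but both loops compare it against `countof(filters)`, which (assuming the usual sizeof-based definition) is a `size_t`, so this triggers -Wsign-compare; declare it as `u_int i;` or `size_t i;` instead. The partial-failure cleanup relies on `filters` being zero-initialised and on `add_bypass` leaving `*luid` untouched when it returns FALSE — worth confirming in add_bypass, whose body lies outside this hunk, since a filter ID written before a later failure would otherwise be leaked. The enclosing function's signature is above the hunk.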
@@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/load_tester/load_tester_control.c strongswan-5.9.11/src/libcharon/plugins/load_tester/load_tester_control.c --- strongswan-5.9.8/src/libcharon/plugins/load_tester/load_tester_control.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/load_tester/load_tester_control.c 2023-05-06 07:16:02.000000000 +0000 @@ -239,8 +239,8 @@ enumerator->destroy(enumerator); switch (charon->controller->initiate(charon->controller, - peer_cfg, child_cfg->get_ref(child_cfg), - (void*)initiate_cb, listener, 0, FALSE)) + peer_cfg, child_cfg->get_ref(child_cfg), + (void*)initiate_cb, listener, LEVEL_CTRL, 0, FALSE)) { case NEED_MORE: /* Callback returns FALSE once it got track of this IKE_SA. diff -Nru strongswan-5.9.8/src/libcharon/plugins/load_tester/load_tester_plugin.c strongswan-5.9.11/src/libcharon/plugins/load_tester/load_tester_plugin.c --- strongswan-5.9.8/src/libcharon/plugins/load_tester/load_tester_plugin.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/load_tester/load_tester_plugin.c 2023-05-06 07:16:02.000000000 +0000 @@ -152,7 +152,7 @@ charon->controller->initiate(charon->controller, peer_cfg, child_cfg->get_ref(child_cfg), - NULL, NULL, 0, FALSE); + NULL, NULL, 0, 0, FALSE); if (s) { sleep(s); diff -Nru strongswan-5.9.8/src/libcharon/plugins/load_tester/Makefile.in strongswan-5.9.11/src/libcharon/plugins/load_tester/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/load_tester/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/load_tester/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
@@ -450,7 +450,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/lookip/lookip.c strongswan-5.9.11/src/libcharon/plugins/lookip/lookip.c --- strongswan-5.9.8/src/libcharon/plugins/lookip/lookip.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/lookip/lookip.c 2023-03-27 21:00:49.000000000 +0000 @@ -22,6 +22,7 @@ #include #include #include +#include #include #include #include diff -Nru strongswan-5.9.8/src/libcharon/plugins/lookip/Makefile.in strongswan-5.9.11/src/libcharon/plugins/lookip/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/lookip/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/lookip/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -441,7 +441,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/medcli/Makefile.in strongswan-5.9.11/src/libcharon/plugins/medcli/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/medcli/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/medcli/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
@@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/medcli/medcli_config.c strongswan-5.9.11/src/libcharon/plugins/medcli/medcli_config.c --- strongswan-5.9.8/src/libcharon/plugins/medcli/medcli_config.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/medcli/medcli_config.c 2023-05-06 07:16:02.000000000 +0000 @@ -349,8 +349,8 @@ child_cfg->get_ref(child_cfg); peer_cfg->get_ref(peer_cfg); enumerator->destroy(enumerator); - charon->controller->initiate(charon->controller, - peer_cfg, child_cfg, NULL, NULL, 0, FALSE); + charon->controller->initiate(charon->controller, peer_cfg, child_cfg, + NULL, NULL, 0, 0, FALSE); } else { diff -Nru strongswan-5.9.8/src/libcharon/plugins/medsrv/Makefile.in strongswan-5.9.11/src/libcharon/plugins/medsrv/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/medsrv/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/medsrv/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/osx_attr/Makefile.in strongswan-5.9.11/src/libcharon/plugins/osx_attr/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/osx_attr/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/osx_attr/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/p_cscf/Makefile.in strongswan-5.9.11/src/libcharon/plugins/p_cscf/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/p_cscf/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/p_cscf/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/radattr/Makefile.in strongswan-5.9.11/src/libcharon/plugins/radattr/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/radattr/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/radattr/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/radattr/radattr_listener.c strongswan-5.9.11/src/libcharon/plugins/radattr/radattr_listener.c --- strongswan-5.9.8/src/libcharon/plugins/radattr/radattr_listener.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/radattr/radattr_listener.c 2023-06-08 10:35:17.000000000 +0000 
@@ -60,7 +60,7 @@ static void print_radius_attributes(private_radattr_listener_t *this, message_t *message) { - radius_attribute_type_t type; + radius_attribute_type_t type DBG_UNUSED; enumerator_t *enumerator; notify_payload_t *notify; payload_t *payload; diff -Nru strongswan-5.9.8/src/libcharon/plugins/resolve/Makefile.in strongswan-5.9.11/src/libcharon/plugins/resolve/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/resolve/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/resolve/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/resolve/resolve_handler.c strongswan-5.9.11/src/libcharon/plugins/resolve/resolve_handler.c --- strongswan-5.9.8/src/libcharon/plugins/resolve/resolve_handler.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/resolve/resolve_handler.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2016 Tobias Brunner + * Copyright (C) 2012-2022 Tobias Brunner * Copyright (C) 2009 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -29,8 +29,8 @@ /* path to resolvconf executable */ #define RESOLVCONF_EXEC "/sbin/resolvconf" -/* default prefix used for resolvconf interfaces (should have high prio) */ -#define RESOLVCONF_PREFIX "lo.inet.ipsec." +/* default interface/protocol used for resolvconf (should have high prio) */ +#define RESOLVCONF_IFACE "lo.ipsec" typedef struct private_resolve_handler_t private_resolve_handler_t; 
@@ -50,14 +50,14 @@ char *file; /** - * Use resolvconf instead of writing directly to resolv.conf + * Path/command for resolvconf(8) */ - bool use_resolvconf; + char *resolvconf; /** - * Prefix to be used for interface names sent to resolvconf + * Interface name sent to resolvconf */ - char *iface_prefix; + char *iface; /** * Mutex to access file exclusively @@ -184,32 +184,33 @@ } /** - * Add or remove the given nameserver by invoking resolvconf. + * Install the given nameservers by invoking resolvconf. If the array is empty, + * remove the config. */ -static bool invoke_resolvconf(private_resolve_handler_t *this, host_t *addr, - bool install) +static bool invoke_resolvconf(private_resolve_handler_t *this, array_t *servers) { process_t *process; + dns_server_t *dns; FILE *shell; - int in, out, retval; - - /* we use the nameserver's IP address as part of the interface name to - * make them unique */ - process = process_start_shell(NULL, install ? &in : NULL, &out, NULL, - "2>&1 %s %s %s%H", RESOLVCONF_EXEC, - install ? "-a" : "-d", this->iface_prefix, addr); + int in, out, retval, i; + process = process_start_shell(NULL, array_count(servers) ? &in : NULL, &out, + NULL, "2>&1 %s %s %s", this->resolvconf, + array_count(servers) ? "-a" : "-d", this->iface); if (!process) { return FALSE; } - if (install) + if (array_count(servers)) { shell = fdopen(in, "w"); if (shell) { - DBG1(DBG_IKE, "installing DNS server %H via resolvconf", addr); - fprintf(shell, "nameserver %H\n", addr); + for (i = 0; i < array_count(servers); i++) + { + array_get(servers, i, &dns); + fprintf(shell, "nameserver %H\n", dns->server); + } fclose(shell); } else @@ -222,7 +223,7 @@ } else { - DBG1(DBG_IKE, "removing DNS server %H via resolvconf", addr); + DBG1(DBG_IKE, "removing DNS servers via resolvconf"); } shell = fdopen(out, "r"); if (shell) 
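Review bot: `this->resolvconf` and `this->iface` are interpolated unquoted into a shell command line in `process_start_shell(..., "2>&1 %s %s %s", this->resolvconf, ..., this->iface)`, and both are now read from strongswan.conf, so a value containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of being passed through as a path or interface name. strongswan.conf is root-controlled, so this is a robustness issue rather than a privilege boundary, but quoting the operands (`"2>&1 '%s' %s '%s'"`) or, if the process API offers an argv-based start function, execing resolvconf without a shell would remove the ambiguity. Dropping the per-server suffix (`%s%H`) also means a single `-d` now removes every server at once; that fits the new full-list model but deserves a comment above the function, e.g. `/* all servers share one resolvconf interface: -a rewrites the complete list, -d removes it entirely */`.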
@@ -255,15 +256,7 @@ { close(out); } - if (!process->wait(process, &retval) || retval != EXIT_SUCCESS) - { - if (install) - { /* revert changes when installing fails */ - invoke_resolvconf(this, addr, FALSE); - return FALSE; - } - } - return TRUE; + return process->wait(process, &retval) && retval == EXIT_SUCCESS; } METHOD(attribute_handler_t, handle, bool, @@ -295,22 +288,27 @@ this->mutex->lock(this->mutex); if (array_bsearch(this->servers, addr, dns_server_find, &found) == -1) { - if (this->use_resolvconf) + INIT(found, + .server = addr->clone(addr), + .refcount = 1, + ); + array_insert_create(&this->servers, ARRAY_TAIL, found); + array_sort(this->servers, dns_server_sort, NULL); + + if (this->resolvconf) { - handled = invoke_resolvconf(this, addr, TRUE); + DBG1(DBG_IKE, "installing DNS server %H via resolvconf", addr); + handled = invoke_resolvconf(this, this->servers); } else { handled = write_nameserver(this, addr); } - if (handled) + if (!handled) { - INIT(found, - .server = addr->clone(addr), - .refcount = 1, - ); - array_insert_create(&this->servers, ARRAY_TAIL, found); - array_sort(this->servers, dns_server_sort, NULL); + array_remove(this->servers, ARRAY_TAIL, NULL); + found->server->destroy(found->server); + free(found); } } else @@ -362,17 +360,19 @@ } else { - if (this->use_resolvconf) + array_remove(this->servers, idx, NULL); + found->server->destroy(found->server); + free(found); + + if (this->resolvconf) { - invoke_resolvconf(this, addr, FALSE); + DBG1(DBG_IKE, "removing DNS server %H via resolvconf", addr); + invoke_resolvconf(this, this->servers); } else { remove_nameserver(this, addr); } - array_remove(this->servers, idx, NULL); - found->server->destroy(found->server); - free(found); } } this->mutex->unlock(this->mutex); 
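Review bot: The simplified `return process->wait(process, &retval) && retval == EXIT_SUCCESS;` drops the old revert-on-failure `-d` call, so after a failed `-a` the resolvconf state may remain partially applied until the next successful update; the caller now only fixes up its own tracking array. That is acceptable under the full-list rewrite model, but a one-line comment above the return would stop the next reader from re-adding the revert, e.g. `/* no revert on failure: the next install/release rewrites the full list */`. The enclosing function starts in the preceding hunk.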
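Review bot: In handle(), the failure path removes the wrong element: the new entry is appended at ARRAY_TAIL and then `array_sort(this->servers, dns_server_sort, NULL)` reorders the array, so when `if (!handled)` runs `found` is not necessarily last, yet `array_remove(this->servers, ARRAY_TAIL, NULL)` drops whatever sorts last while `free(found)` frees an entry that may still be referenced from the array, leaving a dangling pointer for the next lookup or release. Locate the entry instead of assuming its position, e.g. `idx = array_bsearch(this->servers, addr, dns_server_find, &found);` followed by `array_remove(this->servers, idx, NULL);` before destroying `found` (handle()'s local declarations are above the hunk, so `idx` may need to be declared). The release path in the following hunk already removes at `idx`, so this mirrors that.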
@@ -483,17 +483,30 @@ .destroy = _destroy, }, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .file = lib->settings->get_str(lib->settings, "%s.plugins.resolve.file", - RESOLV_CONF, lib->ns), + .file = lib->settings->get_str(lib->settings, + "%s.plugins.resolve.file", RESOLV_CONF, lib->ns), + .resolvconf = lib->settings->get_str(lib->settings, + "%s.plugins.resolve.resolvconf.path", + NULL, lib->ns), + .iface = lib->settings->get_str(lib->settings, + "%s.plugins.resolve.resolvconf.iface", + lib->settings->get_str(lib->settings, + "%s.plugins.resolve.resolvconf.iface_prefix", + RESOLVCONF_IFACE, lib->ns), lib->ns), ); - if (stat(RESOLVCONF_EXEC, &st) == 0) + if (!this->resolvconf && stat(RESOLVCONF_EXEC, &st) == 0) { - this->use_resolvconf = TRUE; - this->iface_prefix = lib->settings->get_str(lib->settings, - "%s.plugins.resolve.resolvconf.iface_prefix", - RESOLVCONF_PREFIX, lib->ns); + this->resolvconf = RESOLVCONF_EXEC; } + if (this->resolvconf) + { + DBG1(DBG_CFG, "using '%s' to install DNS servers", this->resolvconf); + } + else + { + DBG1(DBG_CFG, "install DNS servers in '%s'", this->file); + } return &this->public; } diff -Nru strongswan-5.9.8/src/libcharon/plugins/save_keys/Makefile.in strongswan-5.9.11/src/libcharon/plugins/save_keys/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/save_keys/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/save_keys/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
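Review bot: The fallback from `resolvconf.iface_prefix` to `resolvconf.iface` silently repurposes a value that used to be a prefix (the removed default `lo.inet.ipsec.` had the server address appended) as the complete interface name, so an existing configuration that set the prefix now yields an interface name ending in a dot; logging a deprecation warning when the old key is set and documenting the change in the option description would make that visible. A configured `resolvconf.path` is never validated, so a typo only surfaces on the first process_start_shell failure — a `stat()` with a warning at creation, as is already done for `RESOLVCONF_EXEC`, would help. Minor: the log line `install DNS servers in '%s'` reads as an imperative; `installing DNS servers in '%s'` matches the other DBG1 messages.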
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/save_keys/save_keys_listener.c strongswan-5.9.11/src/libcharon/plugins/save_keys/save_keys_listener.c --- strongswan-5.9.8/src/libcharon/plugins/save_keys/save_keys_listener.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/save_keys/save_keys_listener.c 2023-06-08 10:35:17.000000000 +0000 @@ -420,7 +420,7 @@ if (this->path && (this->ike || this->esp)) { - char *keys = "IKE"; + char *keys DBG_UNUSED = "IKE"; if (this->ike && this->esp) { diff -Nru strongswan-5.9.8/src/libcharon/plugins/selinux/Makefile.in strongswan-5.9.11/src/libcharon/plugins/selinux/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/selinux/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/selinux/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/selinux/selinux_listener.c strongswan-5.9.11/src/libcharon/plugins/selinux/selinux_listener.c --- strongswan-5.9.8/src/libcharon/plugins/selinux/selinux_listener.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/selinux/selinux_listener.c 2023-06-08 10:35:17.000000000 +0000 
@@ -92,13 +92,14 @@ static bool install_generic_trap(ike_sa_t *ike_sa, child_sa_t *child_sa) { linked_list_t *local, *remote; - sec_label_t *label; bool success; - label = child_sa->get_label(child_sa); +#if DEBUG_LEVEL >= 1 + sec_label_t *label = child_sa->get_label(child_sa); DBG1(DBG_IKE, "installing trap %s{%d} with generic security label '%s'", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), label->get_string(label)); +#endif local = ike_sa_get_dynamic_hosts(ike_sa, TRUE); remote = ike_sa_get_dynamic_hosts(ike_sa, FALSE); @@ -169,12 +170,13 @@ { while (array_remove(entry->traps, ARRAY_TAIL, &child_sa)) { +#if DEBUG_LEVEL >= 1 sec_label_t *label = child_sa->get_label(child_sa); - DBG1(DBG_IKE, "uninstalling trap %s{%d} with generic security " "label '%s'", child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa), label->get_string(label)); +#endif charon->traps->remove_external(charon->traps, child_sa); child_sa->destroy(child_sa); } diff -Nru strongswan-5.9.8/src/libcharon/plugins/smp/Makefile.in strongswan-5.9.11/src/libcharon/plugins/smp/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/smp/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/smp/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/smp/smp.c strongswan-5.9.11/src/libcharon/plugins/smp/smp.c --- strongswan-5.9.8/src/libcharon/plugins/smp/smp.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/smp/smp.c 2023-05-06 07:16:02.000000000 +0000 
@@ -423,13 +423,13 @@ { status = charon->controller->terminate_ike( charon->controller, id, FALSE, - (controller_cb_t)xml_callback, writer, 0); + (controller_cb_t)xml_callback, writer, LEVEL_CTRL, 0); } else { status = charon->controller->terminate_child( charon->controller, id, - (controller_cb_t)xml_callback, writer, 0); + (controller_cb_t)xml_callback, writer, LEVEL_CTRL, 0); } /* */ xmlTextWriterEndElement(writer); @@ -495,7 +495,7 @@ { status = charon->controller->initiate(charon->controller, peer, child, (controller_cb_t)xml_callback, - writer, 0, FALSE); + writer, LEVEL_CTRL, 0, FALSE); } else { diff -Nru strongswan-5.9.8/src/libcharon/plugins/socket_default/Makefile.in strongswan-5.9.11/src/libcharon/plugins/socket_default/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/socket_default/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/socket_default/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/socket_dynamic/Makefile.in strongswan-5.9.11/src/libcharon/plugins/socket_dynamic/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/socket_dynamic/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/socket_dynamic/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/socket_win/Makefile.in strongswan-5.9.11/src/libcharon/plugins/socket_win/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/socket_win/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/socket_win/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/sql/Makefile.in strongswan-5.9.11/src/libcharon/plugins/sql/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/sql/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/sql/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/stroke/Makefile.in strongswan-5.9.11/src/libcharon/plugins/stroke/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/stroke/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/stroke/Makefile.in 2023-06-12 05:50:40.000000000 +0000 
@@ -440,7 +440,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/stroke/stroke_control.c strongswan-5.9.11/src/libcharon/plugins/stroke/stroke_control.c --- strongswan-5.9.8/src/libcharon/plugins/stroke/stroke_control.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/stroke/stroke_control.c 2023-05-06 07:16:02.000000000 +0000 @@ -109,7 +109,7 @@ if (msg->output_verbosity < 0) { charon->controller->initiate(charon->controller, peer_cfg, child_cfg, - NULL, NULL, 0, FALSE); + NULL, NULL, 0, 0, FALSE); } else { @@ -118,7 +118,7 @@ status = charon->controller->initiate(charon->controller, peer_cfg, child_cfg, (controller_cb_t)stroke_log, - &info, this->timeout, FALSE); + &info, msg->output_verbosity, this->timeout, FALSE); switch (status) { case SUCCESS: 
@@ -312,25 +312,26 @@ if (child) { status = charon->controller->terminate_child(charon->controller, id, - (controller_cb_t)stroke_log, &info, this->timeout); + (controller_cb_t)stroke_log, &info, + msg->output_verbosity, this->timeout); } else { status = charon->controller->terminate_ike(charon->controller, id, - FALSE, (controller_cb_t)stroke_log, &info, - this->timeout); + FALSE, (controller_cb_t)stroke_log, &info, + msg->output_verbosity, this->timeout); } report_terminate_status(this, status, out, id, child); } else if (child) { charon->controller->terminate_child(charon->controller, id, - NULL, NULL, 0); + NULL, NULL, 0, 0); } else { charon->controller->terminate_ike(charon->controller, id, FALSE, - NULL, NULL, 0); + NULL, NULL, 0, 0); } } diff -Nru strongswan-5.9.8/src/libcharon/plugins/systime_fix/Makefile.in strongswan-5.9.11/src/libcharon/plugins/systime_fix/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/systime_fix/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/systime_fix/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/systime_fix/systime_fix_plugin.c strongswan-5.9.11/src/libcharon/plugins/systime_fix/systime_fix_plugin.c --- strongswan-5.9.8/src/libcharon/plugins/systime_fix/systime_fix_plugin.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/systime_fix/systime_fix_plugin.c 2023-06-08 10:35:17.000000000 +0000 @@ -145,7 +145,7 @@ { enumerator_t *enumerator; ike_sa_t *ike_sa; - char *action; + char *action DBG_UNUSED; job_t *job; if (time(NULL) < this->threshold) 
@@ -204,7 +204,7 @@ struct tm tm = { .tm_mday = 1, }; - char *str, *fmt, buf[32]; + char *str, *fmt; fmt = lib->settings->get_str(lib->settings, "%s.plugins.%s.threshold_format", "%Y", lib->ns, get_name(this)); @@ -234,8 +234,11 @@ return FALSE; } +#if DEBUG_LEVEL >= 1 + char buf[32]; DBG1(DBG_CFG, "enabling %s, threshold: %s", get_name(this), asctime_r(&tm, buf)); +#endif this->validator = systime_fix_validator_create(this->threshold); return TRUE; } diff -Nru strongswan-5.9.8/src/libcharon/plugins/tnc_ifmap/Makefile.in strongswan-5.9.11/src/libcharon/plugins/tnc_ifmap/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/tnc_ifmap/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/tnc_ifmap/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -441,7 +441,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c strongswan-5.9.11/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c --- strongswan-5.9.8/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_renew_session_job.c 2023-06-08 10:35:17.000000000 +0000 
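Review bot: The `#if DEBUG_LEVEL >= 1` guard around `char buf[32];` and the DBG1 call needs a one-line comment, because on its own it reads like a logging-policy change rather than a warning fix. A reader can guess from the `DBG_UNUSED` introduced elsewhere in this release that the point is to avoid an unused-variable warning when DBG1 is compiled out, but that should be stated: `/* buf is only consumed by DBG1, which is compiled out below DEBUG_LEVEL 1 */`. Keep in mind that `asctime_r()` writes a trailing newline into `buf`, so the log line ends with an embedded line break; that is pre-existing but worth a note while touching this line. The enclosing function begins above the hunk; its closing `return TRUE; }` is visible.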
@@ -54,13 +54,10 @@ METHOD(job_t, execute, job_requeue_t, private_tnc_ifmap_renew_session_job_t *this) { - char *session_id; - if (this->ifmap->orphaned(this->ifmap)) { - session_id = this->ifmap->get_session_id(this->ifmap); DBG2(DBG_TNC, "removing orphaned ifmap renewSession job for '%s'", - session_id); + this->ifmap->get_session_id(this->ifmap)); return JOB_REQUEUE_NONE; } else diff -Nru strongswan-5.9.8/src/libcharon/plugins/tnc_pdp/Makefile.in strongswan-5.9.11/src/libcharon/plugins/tnc_pdp/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/tnc_pdp/Makefile.in 2022-10-03 14:18:06.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/tnc_pdp/Makefile.in 2023-06-12 05:50:40.000000000 +0000 @@ -439,7 +439,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/uci/Makefile.in strongswan-5.9.11/src/libcharon/plugins/uci/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/uci/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/uci/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/uci/uci_control.c strongswan-5.9.11/src/libcharon/plugins/uci/uci_control.c --- strongswan-5.9.8/src/libcharon/plugins/uci/uci_control.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/uci/uci_control.c 2023-05-06 07:16:02.000000000 +0000 
@@ -147,8 +147,8 @@ enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); if (enumerator->enumerate(enumerator, &child_cfg) && charon->controller->initiate(charon->controller, peer_cfg, - child_cfg->get_ref(child_cfg), - controller_cb_empty, NULL, 0, FALSE) == SUCCESS) + child_cfg->get_ref(child_cfg), controller_cb_empty, + NULL, LEVEL_SILENT, 0, FALSE) == SUCCESS) { write_fifo(this, "connection '%s' established\n", name); } @@ -182,7 +182,8 @@ id = ike_sa->get_unique_id(ike_sa); enumerator->destroy(enumerator); charon->controller->terminate_ike(charon->controller, id, FALSE, - controller_cb_empty, NULL, 0); + controller_cb_empty, NULL, + LEVEL_SILENT, 0); write_fifo(this, "connection '%s' terminated\n", name); return; } diff -Nru strongswan-5.9.8/src/libcharon/plugins/unity/Makefile.in strongswan-5.9.11/src/libcharon/plugins/unity/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/unity/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/unity/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/updown/Makefile.in strongswan-5.9.11/src/libcharon/plugins/updown/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/updown/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/updown/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/libvici.c strongswan-5.9.11/src/libcharon/plugins/vici/libvici.c --- strongswan-5.9.8/src/libcharon/plugins/vici/libvici.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/libvici.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2023 Tobias Brunner * Copyright (C) 2014 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -66,6 +67,10 @@ int error; /** wait state */ wait_state_t wait; + /** callback if connection closed */ + vici_close_cb_t on_close; + /** user data for above callback */ + void *on_close_user; }; /** @@ -118,6 +123,10 @@ static bool read_error(vici_conn_t *conn, int err) { conn->error = err; + if (err == ECONNRESET && conn->on_close) + { + conn->on_close(conn->on_close_user); + } return wait_result(conn, WAIT_READ_ERROR); } @@ -210,6 +219,10 @@ { return TRUE; } + if (!hlen) + { + errno = ECONNRESET; + } return read_error(conn, errno); } if (hlen < sizeof(len)) @@ -744,6 +757,12 @@ return ret; } +void vici_on_close(vici_conn_t *conn, vici_close_cb_t cb, void *user) +{ + conn->on_close = cb; + conn->on_close_user = user; +} + void vici_init() { library_init(NULL, "vici"); diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/libvici.h strongswan-5.9.11/src/libcharon/plugins/vici/libvici.h --- strongswan-5.9.8/src/libcharon/plugins/vici/libvici.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/libvici.h 2023-03-27 21:00:49.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2023 Tobias Brunner * Copyright (C) 2014 Martin Willi * * libvici.h is MIT-licensed to simplify reuse, but please note that libvici.c 
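Review bot: The new `conn->on_close(conn->on_close_user)` call in `read_error()` runs on the reader thread before `wait_result(conn, WAIT_READ_ERROR)` has flagged the error, so a callback that tears the connection down (e.g. by calling `vici_disconnect()` on the same `conn`) would race with a command thread still waiting on it; unless that is known to be safe — which the hunk does not show — the contract should exclude it. The callback also fires only for `ECONNRESET`, so other read failures that end the connection produce no notification, which the header text ("closed by the vici service") does not make obvious. I would add above the check: `/* only a reset/EOF from the daemon is reported; the callback must not destroy conn, a command thread may still be waiting on it */`. `read_error()` is fully visible; the `hlen == 0` to `ECONNRESET` mapping it relies on lives in the following hunk.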
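Review bot: `vici_on_close()` stores `conn->on_close` and `conn->on_close_user` as two plain writes with no synchronization, while `read_error()` reads the pair from the reader thread, so (re)registering after `vici_register()` has started that thread can invoke the callback with a mismatched user pointer or observe a torn update. Either guard the pair with whatever lock already protects `conn->wait`/`conn->error` (not visible in this hunk), or document that the function must be called before the first `vici_register()` and never from inside the callback: `/* not synchronized with the reader thread: call before vici_register() */`. The function is complete in the hunk, so this is a locking or documentation decision rather than a rewrite.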
@@ -78,6 +79,8 @@ * To register or unregister for asynchronous event messages vici_register() is * used. The registered callback gets invoked by an asynchronous thread. To * parse the event message, the vici_parse*() functions can be used. + * To get notified if the connection is closed by the vici service while waiting + * for event messages, vici_on_close() may be used. */ #ifndef LIBVICI_H_ @@ -161,6 +164,13 @@ typedef int (*vici_parse_section_cb_t)(void *user, vici_res_t *res, char *name); /** + * Callback function invoked if the connection is closed by the vici service. + * + * @param user user data, as passed to vici_on_close() + */ +typedef void (*vici_close_cb_t)(void *user); + +/** * Open a new vici connection. * * On error, NULL is returned and errno is set appropriately. @@ -459,6 +469,19 @@ int vici_register(vici_conn_t *conn, char *name, vici_event_cb_t cb, void *user); /** + * (Un-)Register a callback that's invoked if the connection is closed by the + * vici service. + * + * Primarily useful when listening for events via vici_register(). The callback + * gets invoked by a different thread from the libstrongswan thread pool. + * + * @param conn connection context + * @param cb callback function to register, NULL to unregister + * @param user user data passed to callback invocation + */ +void vici_on_close(vici_conn_t *conn, vici_close_cb_t cb, void *user); + +/** * Initialize libvici before first time use. */ void vici_init(); diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/Makefile.in strongswan-5.9.11/src/libcharon/plugins/vici/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/vici/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
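Review bot: The doc comment for `vici_on_close()` should say what the callback may do, since it runs on the reader thread while a command may still be waiting on the same connection: it must not block, and it must not call `vici_disconnect()` on (or free the `user` data of) that connection from inside the callback. It should also state when it fires — the libvici.c implementation reports only `ECONNRESET`, including a zero-length read it maps to that errno — so callers do not assume every read failure is delivered. Suggested wording after the existing paragraph: `The callback runs on the reader thread; it must not block or disconnect the connection. It is only invoked on a connection reset or EOF, not on other read errors.` The declaration hunk is complete.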
@@ -546,7 +546,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/perl/Makefile.in strongswan-5.9.11/src/libcharon/plugins/vici/perl/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/vici/perl/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/perl/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -348,7 +348,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/Makefile.am strongswan-5.9.11/src/libcharon/plugins/vici/python/Makefile.am --- strongswan-5.9.8/src/libcharon/plugins/vici/python/Makefile.am 2022-09-17 15:42:38.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/Makefile.am 2023-03-27 21:00:49.000000000 +0000 @@ -4,9 +4,9 @@ tox.sh \ test/__init__.py \ test/test_protocol.py \ + test/test_session.py \ vici/__init__.py \ vici/command_wrappers.py \ - vici/compat.py \ vici/exception.py \ vici/protocol.py \ vici/session.py diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/Makefile.in strongswan-5.9.11/src/libcharon/plugins/vici/python/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/vici/python/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -371,7 +371,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ 
@@ -409,9 +408,9 @@ tox.sh \ test/__init__.py \ test/test_protocol.py \ + test/test_session.py \ vici/__init__.py \ vici/command_wrappers.py \ - vici/compat.py \ vici/exception.py \ vici/protocol.py \ vici/session.py diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/setup.py.in strongswan-5.9.11/src/libcharon/plugins/vici/python/setup.py.in --- strongswan-5.9.8/src/libcharon/plugins/vici/python/setup.py.in 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/setup.py.in 2023-03-27 21:00:49.000000000 +0000 @@ -20,11 +20,12 @@ "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Natural Language :: English", - "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", + "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", "Topic :: Security", "Topic :: Software Development :: Libraries", ] diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/test/test_protocol.py strongswan-5.9.11/src/libcharon/plugins/vici/python/test/test_protocol.py --- strongswan-5.9.8/src/libcharon/plugins/vici/python/test/test_protocol.py 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/test/test_protocol.py 2023-03-27 21:00:49.000000000 +0000 @@ -1,6 +1,7 @@ import pytest +import socket -from vici.protocol import Packet, Message, FiniteStream +from vici.protocol import Packet, Message, FiniteStream, Transport from vici.exception import DeserializationException 
@@ -142,3 +143,26 @@ assert deserialized_message["key1"] == b"value1" assert deserialized_section["sub-section"]["key2"] == b"value2" assert deserialized_section["list1"] == [b"item1", b"item2"] + + +class TestTransport(object): + + def interconnect(self): + c, s = socket.socketpair(socket.AF_UNIX) + return Transport(c), Transport(s) + + def test_sendrecv(self): + c, s = self.interconnect() + c.send(b"foo") + assert s.receive() == b"foo" + s.send(b"foobarbaz") + s.send(b"") + assert c.receive() == b"foobarbaz" + assert c.receive() == b"" + + def test_timeout(self): + c, s = self.interconnect() + c.send(b"foo") + assert s.receive(timeout=1) == b"foo" + with pytest.raises(socket.timeout): + s.receive(timeout=0.1) diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/test/test_session.py strongswan-5.9.11/src/libcharon/plugins/vici/python/test/test_session.py --- strongswan-5.9.8/src/libcharon/plugins/vici/python/test/test_session.py 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/test/test_session.py 2023-03-27 21:00:49.000000000 +0000 
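Review bot: The two sockets created by `socket.socketpair()` in `interconnect()` are never closed in `test_sendrecv` or `test_timeout`, so each test leaks two descriptors and emits `ResourceWarning`s under `pytest -W error`. The shortest fix is a fixture that yields the pair and closes both in its teardown, or simply `c.socket.close()` / `s.socket.close()` at the end of each test (`Transport` keeps the socket in `self.socket`; if it exposes a close method, prefer that). The `s.receive(timeout=0.1)` assertion is deterministic as written, since nothing is sent on `c` beforehand, so the timeout itself is not a flakiness concern. The new `TestTransport` class is complete within the hunk.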
@@ -0,0 +1,100 @@ +import pytest +import socket +import struct +from collections import OrderedDict + +from vici.session import Session +from vici.protocol import Transport, Packet, Message, FiniteStream +from vici.exception import DeserializationException + + +class MockedServer(object): + + def __init__(self, sock): + self.transport = Transport(sock) + + def send(self, kind, name=None, message=None): + if name is None: + payload = struct.pack("!B", kind) + else: + name = name.encode("UTF-8") + payload = struct.pack("!BB", kind, len(name)) + name + if message is not None: + payload += Message.serialize(message) + self.transport.send(payload) + + def recv(self): + stream = FiniteStream(self.transport.receive()) + kind, length = struct.unpack("!BB", stream.read(2)) + name = stream.read(length) + data = stream.read() + if len(data): + return kind, name, Message.deserialize(data) + return kind, name + + +class TestSession(object): + + events = [ + OrderedDict([('event', b'1')]), + OrderedDict([('event', b'2')]), + OrderedDict([('event', b'3')]), + ] + + def interconnect(self): + c, s = socket.socketpair(socket.AF_UNIX) + return Session(c), MockedServer(s) + + def test_request(self): + c, s = self.interconnect() + + s.send(Packet.CMD_RESPONSE) + assert c.request("doit") == {} + assert s.recv() == (Packet.CMD_REQUEST, b"doit") + + s.send(Packet.CMD_RESPONSE, message={"hey": b"hou"}) + assert c.request("heyhou") == {"hey": b"hou"} + assert s.recv() == (Packet.CMD_REQUEST, b"heyhou") + + def test_streamed(self): + c, s = self.interconnect() + + s.send(Packet.EVENT_CONFIRM) + for e in self.events: + s.send(Packet.EVENT, name="stream", message=e) + s.send(Packet.CMD_RESPONSE) + s.send(Packet.EVENT_CONFIRM) + + assert list(c.streamed_request("streamit", "stream")) == self.events + assert s.recv() == (Packet.EVENT_REGISTER, b"stream") + assert s.recv() == (Packet.CMD_REQUEST, b"streamit") + assert s.recv() == (Packet.EVENT_UNREGISTER, b"stream") + + def test_timeout(self): + 
c, s = self.interconnect() + + s.send(Packet.EVENT_CONFIRM) + s.send(Packet.EVENT_CONFIRM) + for e in self.events: + s.send(Packet.EVENT, name="event", message=e) + + r = [] + i = 0 + for name, msg in c.listen(["xyz", "event"], timeout=0.1): + if name is None: + i += 1 + if i > 2: + s.send(Packet.EVENT, name="event", message={"late": b'1'}) + s.send(Packet.EVENT_CONFIRM) + s.send(Packet.EVENT_CONFIRM) + break + else: + assert name == b"event" + r.append(msg) + + assert s.recv() == (Packet.EVENT_REGISTER, b"xyz") + assert s.recv() == (Packet.EVENT_REGISTER, b"event") + assert s.recv() == (Packet.EVENT_UNREGISTER, b"xyz") + assert s.recv() == (Packet.EVENT_UNREGISTER, b"event") + + assert r == self.events diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/tox.ini strongswan-5.9.11/src/libcharon/plugins/vici/python/tox.ini --- strongswan-5.9.8/src/libcharon/plugins/vici/python/tox.ini 2021-09-27 09:54:08.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/tox.ini 2023-03-27 21:00:49.000000000 +0000 @@ -1,5 +1,5 @@ [tox] -envlist = py27, py36, py37, py38, py39 +envlist = py36, py37, py38, py39, py310, py311 [testenv] deps = @@ -7,10 +7,6 @@ pytest-pycodestyle commands = pytest --pycodestyle -[testenv:py{27}] -deps = pytest -commands = pytest - [pycodestyle] max-line-length = 80 show-source = True diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/vici/compat.py strongswan-5.9.11/src/libcharon/plugins/vici/python/vici/compat.py --- strongswan-5.9.8/src/libcharon/plugins/vici/python/vici/compat.py 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/vici/compat.py 1970-01-01 00:00:00.000000000 +0000 
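Review bot: `test_timeout` depends on the generator returned by `c.listen(...)` being finalized the instant the `for` loop `break`s, because the `EVENT_UNREGISTER` messages it then asserts via `s.recv()` are presumably sent from a `finally:` inside `listen()`; that holds under CPython's refcounting but not on runtimes with deferred finalization, where `s.recv()` would block. Hold the generator explicitly and close it before the assertions: `gen = c.listen(["xyz", "event"], timeout=0.1)` … `gen.close()` (or wrap it in `contextlib.closing`). As in `test_protocol.py`, neither end of the `socketpair()` is ever closed, so `interconnect()` should be a fixture that closes both. `MockedServer.recv()` returning a 2-tuple or 3-tuple depending on payload is fine for a test double but deserves a one-line comment. The hunk is the entire new file.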
@@ -1,14 +0,0 @@ -# Help functions for compatibility between python version 2 and 3 - - -# From http://legacy.python.org/dev/peps/pep-0469 -try: - dict.iteritems -except AttributeError: - # python 3 - def iteritems(d): - return iter(d.items()) -else: - # python 2 - def iteritems(d): - return d.iteritems() diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/vici/protocol.py strongswan-5.9.11/src/libcharon/plugins/vici/python/vici/protocol.py --- strongswan-5.9.8/src/libcharon/plugins/vici/python/vici/protocol.py 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/vici/protocol.py 2023-03-27 21:00:49.000000000 +0000 @@ -5,10 +5,12 @@ from collections import namedtuple from collections import OrderedDict -from .compat import iteritems from .exception import DeserializationException +RECV_TIMEOUT_DEFAULT = object() + + class Transport(object): HEADER_LENGTH = 4 MAX_SEGMENT = 512 * 1024 @@ -19,8 +21,8 @@ def send(self, packet): self.socket.sendall(struct.pack("!I", len(packet)) + packet) - def receive(self): - raw_length = self._recvall(self.HEADER_LENGTH) + def receive(self, timeout=RECV_TIMEOUT_DEFAULT): + raw_length = self._recvall(self.HEADER_LENGTH, timeout) length, = struct.unpack("!I", raw_length) payload = self._recvall(length) return payload 
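Review bot: `receive()` applies `timeout` only to the header read; the following `self._recvall(length)` starts again under the socket's own timeout (restored by `_recvall`'s `finally`), so a caller who set a timeout on the socket passed to `Session` can get `socket.timeout` after the 4-byte header was already consumed, leaving the stream desynchronized — precisely what the session.py note claims is avoided. Read the payload blocking: `payload = self._recvall(length, timeout=None)`. Separately, `length` comes from the peer unchecked although the class defines `MAX_SEGMENT = 512 * 1024`; if nothing else enforces it, `if length > self.MAX_SEGMENT: raise socket.error('Segment too large')` before the payload read stops a misbehaving peer from making the client buffer arbitrary amounts. `receive()` is fully visible in the hunk.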
@@ -29,14 +31,21 @@ self.socket.shutdown(socket.SHUT_RDWR) self.socket.close() - def _recvall(self, count): + def _recvall(self, count, timeout=RECV_TIMEOUT_DEFAULT): """Ensure to read count bytes from the socket""" data = b"" - while len(data) < count: - buf = self.socket.recv(count - len(data)) - if not buf: - raise socket.error('Connection closed') - data += buf + old_timeout = self.socket.gettimeout() + if timeout is not RECV_TIMEOUT_DEFAULT: + self.socket.settimeout(timeout) + try: + while len(data) < count: + buf = self.socket.recv(count - len(data)) + self.socket.settimeout(None) + if not buf: + raise socket.error('Connection closed') + data += buf + finally: + self.socket.settimeout(old_timeout) return data @@ -121,7 +130,7 @@ def serialize_dict(d): segment = bytes() - for key, value in iteritems(d): + for key, value in d.items(): if isinstance(value, dict): segment += ( encode_named_type(cls.SECTION_START, key) diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/python/vici/session.py strongswan-5.9.11/src/libcharon/plugins/vici/python/vici/session.py --- strongswan-5.9.8/src/libcharon/plugins/vici/python/vici/session.py 2021-03-07 10:20:21.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/python/vici/session.py 2023-05-06 07:16:02.000000000 +0000 
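Review bot: `self.socket.settimeout(None)` runs on every iteration of the read loop, including after the last chunk, whereas the intent (per the session.py note) is to drop the timeout once the first bytes of a frame have arrived; placing it right after the first successful `recv` makes that intent visible, and a why-comment is needed either way: `# once data for this frame starts arriving, block for the rest so a timeout cannot leave a partial frame in the stream`. A `socket.timeout` on the very first `recv` discards nothing, which is what keeps the header-read timeout safe; a timeout mid-frame is prevented only by this reset, so it must not be removed as "redundant". `data += buf` re-copies on each iteration; acceptable at `MAX_SEGMENT` sizes, but a `bytearray` would avoid it. `_recvall` is fully visible.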
@@ -1,15 +1,38 @@ import socket +import platform from .exception import SessionException, CommandException, EventUnknownException -from .protocol import Transport, Packet, Message +from .protocol import Transport, Packet, Message, RECV_TIMEOUT_DEFAULT from .command_wrappers import CommandWrappers class Session(CommandWrappers, object): def __init__(self, sock=None): + """Establish a session with an IKE daemon. + + By default, the session will connect to the `/var/run/charon.vici` Unix + domain socket. + + If there is a need to connect a socket in another location or set + specific settings on the socket (like a timeout), create and connect + a socket and pass it to the `sock` parameter. + + .. note:: + + In case a timeout is set on the socket, the internal read code + will temporarily disable it after receiving the first byte to avoid + partial read corruptions. + + :param sock: socket connected to the IKE daemon (optional) + :type sock: socket.socket + """ if sock is None: - sock = socket.socket(socket.AF_UNIX) - sock.connect("/var/run/charon.vici") + if platform.system() == "Windows": + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect('127.0.0.1', 4502) + else: + sock = socket.socket(socket.AF_UNIX) + sock.connect("/var/run/charon.vici") self.transport = Transport(sock) def _communicate(self, packet): @@ -40,7 +63,9 @@ raise EventUnknownException( "Unknown event type '{event}'".format(event=event_type) ) - elif response.response_type != Packet.EVENT_CONFIRM: + while response.response_type == Packet.EVENT: + response = Packet.parse(self.transport.receive()) + if response.response_type != Packet.EVENT_CONFIRM: raise SessionException( "Unexpected response type {type}, " "expected '{confirm}' (EVENT_CONFIRM)".format( 
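Review bot: The new Windows branch calls `sock.connect('127.0.0.1', 4502)` with two positional arguments; `socket.socket.connect()` takes a single address, so this raises `TypeError` on the only platform where the branch executes. It must be `sock.connect(('127.0.0.1', 4502))`. The docstring only describes the Unix socket path; it should also mention the loopback TCP fallback and its hard-coded port, since a caller on Windows needs to know which endpoint the daemon must listen on. `Session.__init__` is complete within the hunk.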
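Review bot: The new `while response.response_type == Packet.EVENT:` loop silently discards any event messages that arrive between the request and its `EVENT_CONFIRM`, without checking their name or deserializing them; that is presumably intended for the unregister path, where an event can already be queued, but it needs a comment so it is not mistaken for a bug: `# events may already be queued before the daemon confirms; they are dropped here`. If this code is shared by the register path, an unrelated event arriving there would be dropped too, which callers may not expect. The enclosing method starts above the hunk, so I cannot tell which of register/unregister it serves.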
@@ -139,11 +164,19 @@ ) ) - def listen(self, event_types): + def listen(self, event_types, timeout=RECV_TIMEOUT_DEFAULT): """Register and listen for the given events. + If a timeout is given, the generator produces a (None, None) tuple + if no event has been received for that time. This allows the caller + to either abort by breaking from the generator, or perform periodic + tasks while staying registered within listen(), and then continue + waiting for more events. + :param event_types: event types to register :type event_types: list + :param timeout: timeout to wait for events, in fractions of a second + :type timeout: float :return: generator for streamed event responses as (event_type, dict) :rtype: generator """ @@ -152,7 +185,11 @@ try: while True: - response = Packet.parse(self.transport.receive()) + try: + response = Packet.parse(self.transport.receive(timeout)) + except socket.timeout: + yield None, None + continue if response.response_type == Packet.EVENT: try: msg = Message.deserialize(response.payload) diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/ruby/Makefile.in strongswan-5.9.11/src/libcharon/plugins/vici/ruby/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/vici/ruby/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/ruby/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -348,7 +348,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/vici_authority.c strongswan-5.9.11/src/libcharon/plugins/vici/vici_authority.c --- strongswan-5.9.8/src/libcharon/plugins/vici/vici_authority.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/vici_authority.c 2023-06-08 10:35:17.000000000 +0000 
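Review bot: `listen(..., timeout=0)` does not behave as the new docstring implies: `settimeout(0)` puts the socket into non-blocking mode, so `recv()` raises `BlockingIOError` rather than `socket.timeout`, and the `except socket.timeout` here lets it escape the generator instead of yielding `(None, None)`. Either validate it at the top of `listen()` — `if timeout is not RECV_TIMEOUT_DEFAULT and timeout is not None and timeout <= 0: raise ValueError("timeout must be positive")` — or document that the timeout must be positive. The `:param timeout:` text should also read "timeout in seconds, may be fractional; None blocks indefinitely" rather than "in fractions of a second". The body of `listen()` continues past the hunk.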
@@ -429,12 +429,11 @@ static void log_authority_data(authority_t *authority) { enumerator_t *enumerator; - identification_t *subject; bool first = TRUE; char *uri; - subject = authority->cert->get_subject(authority->cert); - DBG2(DBG_CFG, " cacert = %Y", subject); + DBG2(DBG_CFG, " cacert = %Y", + authority->cert->get_subject(authority->cert)); enumerator = authority->crl_uris->create_enumerator(authority->crl_uris); while (enumerator->enumerate(enumerator, &uri)) diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/vici_config.c strongswan-5.9.11/src/libcharon/plugins/vici/vici_config.c --- strongswan-5.9.8/src/libcharon/plugins/vici/vici_config.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/vici_config.c 2023-06-08 10:35:17.000000000 +0000 @@ -520,7 +520,7 @@ */ static void log_child_data(child_data_t *data, char *name) { - child_cfg_create_t *cfg = &data->cfg; + child_cfg_create_t *cfg DBG_UNUSED = &data->cfg; #define has_opt(opt) ({ (cfg->options & (opt)) == (opt); }) DBG2(DBG_CFG, " child %s:", name); @@ -1040,9 +1040,11 @@ action_t *out, chunk_t v) { enum_map_t map[] = { - { "no", HW_OFFLOAD_NO }, - { "yes", HW_OFFLOAD_YES }, - { "auto", HW_OFFLOAD_AUTO }, + { "no", HW_OFFLOAD_NO }, + { "yes", HW_OFFLOAD_CRYPTO }, + { "crypto", HW_OFFLOAD_CRYPTO }, + { "packet", HW_OFFLOAD_PACKET }, + { "auto", HW_OFFLOAD_AUTO }, }; int d; @@ -1641,6 +1643,7 @@ { enum_map_t map[] = { { "allow", CHILDLESS_ALLOW }, + { "prefer", CHILDLESS_PREFER }, { "never", CHILDLESS_NEVER }, { "force", CHILDLESS_FORCE }, }; 
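Review bot: Mapping `"yes"` to `HW_OFFLOAD_CRYPTO` changes what an existing config value selects (it previously yielded `HW_OFFLOAD_YES`), so the table should record that `yes` is now a compatibility alias of `crypto` and that `packet` is the new mode; without that, the two entries with the same target look like a copy-paste slip. Suggested line above `{ "yes", HW_OFFLOAD_CRYPTO },`: `/* "yes" is kept as an alias of "crypto" for backward compatibility */`. The enclosing parse function starts above the hunk and its body continues below it.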
@@ -1981,18 +1984,52 @@ */ static void check_lifetimes(lifetime_cfg_t *lft) { + /* if no soft lifetime specified, set a default or base it on the hard lifetime */ + if (lft->time.rekey == LFT_UNDEFINED) + { + if (lft->time.life != LFT_UNDEFINED) + { + lft->time.rekey = lft->time.life / 1.1; + } + else + { + lft->time.rekey = LFT_DEFAULT_CHILD_REKEY_TIME; + } + } + if (lft->bytes.rekey == LFT_UNDEFINED) + { + if (lft->bytes.life != LFT_UNDEFINED) + { + lft->bytes.rekey = lft->bytes.life / 1.1; + } + else + { + lft->bytes.rekey = LFT_DEFAULT_CHILD_REKEY_BYTES; + } + } + if (lft->packets.rekey == LFT_UNDEFINED) + { + if (lft->packets.life != LFT_UNDEFINED) + { + lft->packets.rekey = lft->packets.life / 1.1; + } + else + { + lft->packets.rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS; + } + } /* if no hard lifetime specified, add one at soft lifetime + 10% */ if (lft->time.life == LFT_UNDEFINED) { - lft->time.life = lft->time.rekey * 110 / 100; + lft->time.life = lft->time.rekey * 1.1; } if (lft->bytes.life == LFT_UNDEFINED) { - lft->bytes.life = lft->bytes.rekey * 110 / 100; + lft->bytes.life = lft->bytes.rekey * 1.1; } if (lft->packets.life == LFT_UNDEFINED) { - lft->packets.life = lft->packets.rekey * 110 / 100; + lft->packets.life = lft->packets.rekey * 1.1; } /* if no rand time defined, use difference of hard and soft */ if (lft->time.jitter == LFT_UNDEFINED) @@ -2026,17 +2063,17 @@ .mode = MODE_TUNNEL, .lifetime = { .time = { - .rekey = LFT_DEFAULT_CHILD_REKEY_TIME, + .rekey = LFT_UNDEFINED, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, .bytes = { - .rekey = LFT_DEFAULT_CHILD_REKEY_BYTES, + .rekey = LFT_UNDEFINED, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, .packets = { - .rekey = LFT_DEFAULT_CHILD_REKEY_PACKETS, + .rekey = LFT_UNDEFINED, .life = LFT_UNDEFINED, .jitter = LFT_UNDEFINED, }, 
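Review bot: The three new `if (... .rekey == LFT_UNDEFINED)` blocks repeat the same six statements for `time`, `bytes` and `packets`, as do the pre-existing hard-lifetime blocks below them; a small static helper taking the rekey/life pair and the default would halve `check_lifetimes()` and keep the `/ 1.1` and `* 1.1` relationship in one place. Note that `life / 1.1` truncates (the fields are presumably integers, as the old `* 110 / 100` arithmetic suggests), so `rekey * 1.1` does not round-trip to the original `life`; the comment should say the soft lifetime is derived as roughly 91 % of the hard one rather than implying an exact inverse of the "+10 %" rule. The new comment `/* if no soft lifetime specified, set a default or base it on the hard lifetime */` also exceeds the 80-column limit used in this file. The function's signature is in the hunk's context; its tail continues below.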
@@ -2215,7 +2252,7 @@ DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), - NULL, NULL, 0, FALSE); + NULL, NULL, 0, 0, FALSE); } } @@ -2311,7 +2348,7 @@ { DBG1(DBG_CFG, "closing '%s' #%u", name, id); charon->controller->terminate_child(charon->controller, - id, NULL, NULL, 0); + id, NULL, NULL, 0, 0); } array_destroy(ids); } @@ -2321,7 +2358,7 @@ { DBG1(DBG_CFG, "closing IKE_SA #%u", id); charon->controller->terminate_ike(charon->controller, id, - FALSE, NULL, NULL, 0); + FALSE, NULL, NULL, 0, 0); } array_destroy(ikeids); } @@ -2567,8 +2604,8 @@ #ifdef ME if (peer.mediation && peer.mediated_by) { - DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection " - "at the same time, config discarded"); + request->reply = create_reply("a mediation connection cannot be a " + "mediated connection at the same time"); free_peer_data(&peer); return FALSE; } 
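Review bot: The mediation/mediated conflict is now only reported to the vici client via `create_reply(...)`, and the `DBG1(DBG_CFG, ...)` line that previously recorded it in the daemon log is dropped; unless the caller logs `request->reply` on failure (not visible here), a rejected config submitted over vici leaves no trace in the daemon log, which matters when auditing configuration changes. Either keep a `DBG1(DBG_CFG, "... config discarded")` beside the reply or confirm that the caller logs rejected configs. The enclosing function starts and ends outside the hunk.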
@@ -2579,23 +2616,23 @@ else if (peer.mediated_by) { /* fallback to remote identity of first auth round if peer_id is not * given explicitly */ - auth_cfg_t *cfg; + auth_data_t *auth; if (!peer.peer_id && - peer.remote->get_first(peer.remote, (void**)&cfg) == SUCCESS) + peer.remote->get_first(peer.remote, (void**)&auth) == SUCCESS) { - peer.peer_id = cfg->get(cfg, AUTH_RULE_IDENTITY); + peer.peer_id = auth->cfg->get(auth->cfg, AUTH_RULE_IDENTITY); if (peer.peer_id) { peer.peer_id = peer.peer_id->clone(peer.peer_id); } - else - { - DBG1(DBG_CFG, "mediation peer missing for mediated connection, " - "config discarded"); - free_peer_data(&peer); - return FALSE; - } + } + if (!peer.peer_id) + { + request->reply = create_reply("mediation peer or remote identity " + "missing for mediated connection"); + free_peer_data(&peer); + return FALSE; } } #endif /* ME */ diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/vici_control.c strongswan-5.9.11/src/libcharon/plugins/vici/vici_control.c --- strongswan-5.9.8/src/libcharon/plugins/vici/vici_control.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/vici_control.c 2023-05-06 07:16:02.000000000 +0000 @@ -209,8 +209,8 @@ { return send_reply(this, "%s config '%s' not found", type, sa); } - switch (charon->controller->initiate(charon->controller, peer_cfg, - child_cfg, log_cb, &log, timeout, limits)) + switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, + log_cb, &log, log.level, timeout, limits)) { case SUCCESS: return send_reply(this, NULL); 
@@ -226,11 +226,32 @@ } } +/** + * Format the given SA filter parameters for logging. + */ +static inline void format_sa_selector(char *buf, size_t len, char *name, + u_int id) +{ + if (name && id) + { + snprintf(buf, len, "'%s' #%d", name, id); + } + else if (name) + { + snprintf(buf, len, "'%s'", name); + } + else if (id) + { + snprintf(buf, len, "#%d", id); + } +} + CALLBACK(terminate, vici_message_t*, private_vici_control_t *this, char *name, u_int id, vici_message_t *request) { enumerator_t *enumerator, *isas, *csas; char *child, *ike, *errmsg = NULL; + char child_sel[BUF_LEN] = "", ike_sel[BUF_LEN] = ""; u_int child_id, ike_id, current, *del, done = 0; bool force; int timeout; @@ -257,22 +278,13 @@ return send_reply(this, "missing terminate selector"); } - if (ike_id) - { - DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id); - } - if (child_id) - { - DBG1(DBG_CFG, "vici terminate CHILD_SA #%d", child_id); - } - if (ike) - { - DBG1(DBG_CFG, "vici terminate IKE_SA '%s'", ike); - } - if (child) - { - DBG1(DBG_CFG, "vici terminate CHILD_SA '%s'", child); - } + format_sa_selector(child_sel, sizeof(child_sel), child, child_id); + format_sa_selector(ike_sel, sizeof(ike_sel), ike, ike_id); + + DBG1(DBG_CFG, "vici terminate%s%s%s%s%s", + child_sel[0] ? " CHILD_SA " : "", child_sel, + child_sel[0] && ike_sel[0] ? " of" : "", + ike_sel[0] ? " IKE_SA ": "", ike_sel); if (timeout >= 0) { @@ -328,7 +340,7 @@ if (child || child_id) { if (charon->controller->terminate_child(charon->controller, *del, - log_cb, &log, timeout) == SUCCESS) + log_cb, &log, log.level, timeout) == SUCCESS) { done++; } @@ -336,7 +348,7 @@ else { if (charon->controller->terminate_ike(charon->controller, *del, force, - log_cb, &log, timeout) == SUCCESS) + log_cb, &log, log.level, timeout) == SUCCESS) { done++; } 
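Review bot: `format_sa_selector()` prints its `u_int id` with `%d`; it should be `%u` (`snprintf(buf, len, "'%s' #%u", name, id);` and `snprintf(buf, len, "#%u", id);`) — the old per-case `DBG1` lines had the same mismatch, but the new helper is the place to fix it once. The helper writes nothing when both `name` and `id` are empty, so it relies on callers pre-initialising the buffer to `""`; the header comment should say so, e.g. `/* buf must be pre-initialised; left untouched if neither name nor id is set */`. The five-argument `DBG1` that assembles the selector text is repeated verbatim in the rekey handler (@@ -393 on the next line), so a second small helper returning the composed message would remove the duplication. The bounded `snprintf` into `BUF_LEN` is the right tool for a name that presumably comes from the vici request; over-long names are silently truncated, which is acceptable for a log line but worth a word in the comment.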
@@ -376,6 +388,7 @@ { enumerator_t *isas, *csas; char *child, *ike, *errmsg = NULL; + char child_sel[BUF_LEN] = "", ike_sel[BUF_LEN] = ""; u_int child_id, ike_id, found = 0; ike_sa_t *ike_sa; child_sa_t *child_sa; @@ -393,22 +406,13 @@ return send_reply(this, "missing rekey selector"); } - if (ike_id) - { - DBG1(DBG_CFG, "vici rekey IKE_SA #%d", ike_id); - } - if (child_id) - { - DBG1(DBG_CFG, "vici rekey CHILD_SA #%d", child_id); - } - if (ike) - { - DBG1(DBG_CFG, "vici rekey IKE_SA '%s'", ike); - } - if (child) - { - DBG1(DBG_CFG, "vici rekey CHILD_SA '%s'", child); - } + format_sa_selector(child_sel, sizeof(child_sel), child, child_id); + format_sa_selector(ike_sel, sizeof(ike_sel), ike, ike_id); + + DBG1(DBG_CFG, "vici rekey%s%s%s%s%s", + child_sel[0] ? " CHILD_SA " : "", child_sel, + child_sel[0] && ike_sel[0] ? " of" : "", + ike_sel[0] ? " IKE_SA ": "", ike_sel); isas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE); while (isas->enumerate(isas, &ike_sa)) diff -Nru strongswan-5.9.8/src/libcharon/plugins/vici/vici_socket.c strongswan-5.9.11/src/libcharon/plugins/vici/vici_socket.c --- strongswan-5.9.8/src/libcharon/plugins/vici/vici_socket.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/vici/vici_socket.c 2023-05-06 07:16:02.000000000 +0000 @@ -127,6 +127,8 @@ int readers; /** any users writing over this connection? */ int writers; + /** any users using this connection at all? */ + int users; /** condvar to wait for usage */ condvar_t *cond; } entry_t; @@ -211,6 +213,7 @@ { entry->writers++; } + entry->users++; found = entry; break; } @@ -240,7 +243,7 @@ if (entry->id == id) { candidate = TRUE; - if (entry->readers || entry->writers) + if (entry->readers || entry->writers || entry->users) { entry->cond->wait(entry->cond, this->mutex); break; @@ -273,6 +276,7 @@ { entry->writers--; } + entry->users--; entry->cond->signal(entry->cond); this->mutex->unlock(this->mutex); } 
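Review bot: In the vici_socket.c hunk at @@ -240, `entry->readers || entry->writers || entry->users` is redundant once `users` exists: `find_entry()` increments `users` on every successful lookup regardless of mode (@@ -211) and the creation site sets `.users = 1` alongside `.readers = 1`, so a non-zero reader or writer count always implies `users > 0`. Either simplify the wait condition to `if (entry->users)` or add a comment stating that `users` is the superset and the other two counters only gate queue access. The field comment `/** any users using this connection at all? */` could state that relation as well, e.g. `/** number of find_entry() holders of any mode (readers and writers included) */`.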
@@ -401,7 +405,7 @@ if (!ret && errmsg[0]) { - DBG1(DBG_CFG, errmsg); + DBG1(DBG_CFG, "%s", errmsg); } } @@ -557,7 +561,7 @@ if (!ret && errmsg[0]) { - DBG1(DBG_CFG, errmsg); + DBG1(DBG_CFG, "%s", errmsg); } } @@ -583,6 +587,7 @@ .queue = array_create(sizeof(chunk_t), 0), .cond = condvar_create(CONDVAR_TYPE_DEFAULT), .readers = 1, + .users = 1, ); this->mutex->lock(this->mutex); @@ -606,11 +611,13 @@ { entry_t *entry; - entry = find_entry(sel->this, NULL, sel->id, FALSE, TRUE); + /* we don't modify the in- or outbound queue, so don't lock the entry in + * reader or writer mode */ + entry = find_entry(sel->this, NULL, sel->id, FALSE, FALSE); if (entry) { entry->stream->on_write(entry->stream, on_write, sel->this); - put_entry(sel->this, entry, FALSE, TRUE); + put_entry(sel->this, entry, FALSE, FALSE); } return JOB_REQUEUE_NONE; } @@ -674,7 +681,7 @@ if (!ret && errmsg[0]) { - DBG1(DBG_CFG, errmsg); + DBG1(DBG_CFG, "%s", errmsg); } } diff -Nru strongswan-5.9.8/src/libcharon/plugins/whitelist/Makefile.in strongswan-5.9.11/src/libcharon/plugins/whitelist/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/whitelist/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/whitelist/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -443,7 +443,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/xauth_eap/Makefile.in strongswan-5.9.11/src/libcharon/plugins/xauth_eap/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/xauth_eap/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/xauth_eap/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
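Review bot: The three `DBG1(DBG_CFG, errmsg)` → `DBG1(DBG_CFG, "%s", errmsg)` changes (@@ -401, @@ -557, @@ -674) close a format-string hazard: whether `errmsg` can ever contain `%` sequences derived from peer-supplied data depends on the callbacks that fill it, which lie outside these hunks, but passing a data buffer as the format is never correct regardless. A comment at the first site, `/* errmsg is data, never a format string */`, would keep it from regressing. If `DBG1` carries a printf-style format attribute, building with `-Wformat-security` (or `-Wformat=2`) would have flagged these and will catch any remaining instance.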
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/xauth_generic/Makefile.in strongswan-5.9.11/src/libcharon/plugins/xauth_generic/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/xauth_generic/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/xauth_generic/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/xauth_noauth/Makefile.in strongswan-5.9.11/src/libcharon/plugins/xauth_noauth/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/xauth_noauth/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/xauth_noauth/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/plugins/xauth_pam/Makefile.in strongswan-5.9.11/src/libcharon/plugins/xauth_pam/Makefile.in --- strongswan-5.9.8/src/libcharon/plugins/xauth_pam/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/plugins/xauth_pam/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
@@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libcharon/processing/jobs/initiate_mediation_job.c strongswan-5.9.11/src/libcharon/processing/jobs/initiate_mediation_job.c --- strongswan-5.9.8/src/libcharon/processing/jobs/initiate_mediation_job.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/processing/jobs/initiate_mediation_job.c 2023-05-06 07:16:02.000000000 +0000 @@ -138,7 +138,8 @@ mediation_cfg->get_ref(mediation_cfg); if (charon->controller->initiate(charon->controller, mediation_cfg, NULL, - (controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS) + (controller_cb_t)initiate_callback, this, LEVEL_CTRL, + 0, FALSE) != SUCCESS) { mediation_cfg->destroy(mediation_cfg); mediated_cfg->destroy(mediated_cfg); diff -Nru strongswan-5.9.8/src/libcharon/processing/jobs/start_action_job.c strongswan-5.9.11/src/libcharon/processing/jobs/start_action_job.c --- strongswan-5.9.8/src/libcharon/processing/jobs/start_action_job.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/processing/jobs/start_action_job.c 2023-05-06 07:16:02.000000000 +0000 @@ -84,7 +84,7 @@ charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), - NULL, NULL, 0, FALSE); + NULL, NULL, 0, 0, FALSE); } } children->destroy(children); diff -Nru strongswan-5.9.8/src/libcharon/sa/child_sa.c strongswan-5.9.11/src/libcharon/sa/child_sa.c --- strongswan-5.9.8/src/libcharon/sa/child_sa.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/child_sa.c 2023-03-27 21:00:49.000000000 +0000 @@ -276,7 +276,7 @@ uint64_t my_usepackets; /** - * last number of outbound bytes + * last number of outbound packets */ uint64_t other_usepackets; }; 
@@ -759,19 +759,19 @@ private_child_sa_t *this, bool inbound, time_t *time, uint64_t *bytes, uint64_t *packets) { - if ((!bytes && !packets) || update_usebytes(this, inbound) != FAILED) + status_t status = NOT_SUPPORTED; + bool sa_use_time; + + sa_use_time = charon->kernel->get_features(charon->kernel) & KERNEL_SA_USE_TIME; + + if (bytes || packets || sa_use_time) { - /* there was traffic since last update or the kernel interface - * does not support querying the number of usebytes. - */ - if (time) - { - if (!update_usetime(this, inbound) && !bytes && !packets) - { - /* if policy query did not yield a usetime, query SAs instead */ - update_usebytes(this, inbound); - } - } + status = update_usebytes(this, inbound); + } + if (time && !sa_use_time && status != FAILED) + { /* query policies only if last use time is not available from SAs and + * there was either traffic or querying the SA wasn't supported */ + update_usetime(this, inbound); } if (time) { @@ -1094,6 +1094,7 @@ .type = type, .prio = priority, .manual_prio = manual_prio, + .hw_offload = this->config->get_hw_offload(this->config), .src = other_addr, .dst = my_addr, .sa = my_sa, @@ -1131,6 +1132,7 @@ .type = type, .prio = priority, .manual_prio = manual_prio, + .hw_offload = this->config->get_hw_offload(this->config), .src = my_addr, .dst = other_addr, .sa = other_sa, @@ -1206,6 +1208,7 @@ .type = type, .prio = priority, .manual_prio = manual_prio, + .hw_offload = this->config->get_hw_offload(this->config), .src = other_addr, .dst = my_addr, .sa = my_sa, @@ -1242,6 +1245,7 @@ .type = type, .prio = priority, .manual_prio = manual_prio, + .hw_offload = this->config->get_hw_offload(this->config), .src = my_addr, .dst = other_addr, .sa = other_sa, diff -Nru strongswan-5.9.8/src/libcharon/sa/ike_sa.c strongswan-5.9.11/src/libcharon/sa/ike_sa.c --- strongswan-5.9.8/src/libcharon/sa/ike_sa.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ike_sa.c 2023-06-08 10:35:17.000000000 +0000 
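Review bot: The four policy-install hunks (@@ -1094, @@ -1131, @@ -1206, @@ -1242) each call `this->config->get_hw_offload(this->config)` inline inside the initialiser, whereas shunt_manager.c fetches the value once into a local `hw_offload` and reuses it; a single `hw_offload_t hw_offload = this->config->get_hw_offload(this->config);` at the top of each function would keep the two files consistent and avoid four identical getter calls. In the @@ -759 hunk the previous fallback — querying SAs when the policy query yielded no use time — is gone, and policies are now only queried when the kernel does not advertise `KERNEL_SA_USE_TIME`; that is presumably the intent of the new feature flag, but the in-code comment should state that kernels with the flag are expected to deliver the time through `update_usebytes()`. The enclosing functions start outside these hunks.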
@@ -1541,19 +1541,17 @@ #endif /* ME */ ) { - char *addr; - - addr = this->ike_cfg->get_other_addr(this->ike_cfg); if (!this->retry_initiate_interval) { DBG1(DBG_IKE, "unable to resolve %s, initiate aborted", - addr); + this->ike_cfg->get_other_addr(this->ike_cfg)); DESTROY_IF(child_cfg); charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED); return DESTROY_ME; } DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds", - addr, this->retry_initiate_interval); + this->ike_cfg->get_other_addr(this->ike_cfg), + this->retry_initiate_interval); defer_initiate = TRUE; } @@ -1965,13 +1963,13 @@ if (!has_condition(this, COND_ORIGINAL_INITIATOR) && !ike_sa_can_reauthenticate(&this->public)) { - time_t del, now; - - del = this->stats[STAT_DELETE]; - now = time_monotonic(NULL); +#if DEBUG_LEVEL >= 1 + time_t del = this->stats[STAT_DELETE]; + time_t now = time_monotonic(NULL); DBG1(DBG_IKE, "initiator did not reauthenticate as requested, IKE_SA " "%s[%d] will timeout in %V", get_name(this), this->unique_id, &now, &del); +#endif return FAILED; } DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]", diff -Nru strongswan-5.9.8/src/libcharon/sa/ike_sa_manager.c strongswan-5.9.11/src/libcharon/sa/ike_sa_manager.c --- strongswan-5.9.8/src/libcharon/sa/ike_sa_manager.c 2022-09-20 09:07:33.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ike_sa_manager.c 2023-05-06 07:16:02.000000000 +0000 @@ -1778,8 +1778,8 @@ return FALSE; } - /* the hashtable row and segment are determined by the local SPI as - * initiator, so if we change it the row and segment derived from it might + /* The hashtable row and segment are determined by the local SPI as + * initiator, so if we change it, the row and segment derived from it might * change as well. This could be a problem for threads waiting for the * entry (in particular those enumerating entries to check them out by * unique ID or name). In order to avoid having to drive them out and thus 
@@ -1796,7 +1796,49 @@ "%.16"PRIx64, ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), be64toh(spi), be64toh(new_spi)); - ike_sa_id->set_initiator_spi(ike_sa_id, new_spi); + /* when reauthenticating an IKEv1 SA, we have to migrate children again that + * were adopted previously */ + if (ike_sa->get_version(ike_sa) == IKEV1 && + ike_sa->get_child_count(ike_sa)) + { + enumerator_t *enumerator; + child_sa_t *child_sa; + ike_sa_id_t *new_id; + + /* release the segment lock while triggering events and migrating + * children, the IKE_SA is already checked out by our thread */ + unlock_single_segment(this, segment); + + /* do this before updating the ID on the current IKE_SA so listeners can + * migrate children too */ + new_id = ike_sa_id->clone(ike_sa_id); + new_id->set_initiator_spi(new_id, new_spi); + charon->bus->children_migrate(charon->bus, new_id, + ike_sa->get_unique_id(ike_sa)); + new_id->destroy(new_id); + + /* update the ID so the CHILD_SA manager can migrate entries */ + ike_sa_id->set_initiator_spi(ike_sa_id, new_spi); + + enumerator = ike_sa->create_child_sa_enumerator(ike_sa); + while (enumerator->enumerate(enumerator, &child_sa)) + { + charon->child_sa_manager->remove(charon->child_sa_manager, + child_sa); + charon->child_sa_manager->add(charon->child_sa_manager, + child_sa, ike_sa); + } + enumerator->destroy(enumerator); + + charon->bus->children_migrate(charon->bus, NULL, 0); + + /* no need for another lookup, our entry is already checked out */ + lock_single_segment(this, segment); + } + else + { + ike_sa_id->set_initiator_spi(ike_sa_id, new_spi); + } entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa_id); entry->condvar->signal(entry->condvar); diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev1/keymat_v1.c strongswan-5.9.11/src/libcharon/sa/ikev1/keymat_v1.c --- strongswan-5.9.8/src/libcharon/sa/ikev1/keymat_v1.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev1/keymat_v1.c 2023-06-08 10:35:17.000000000 
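Review bot: In the new IKEv1 branch the segment lock is released while `children_migrate` listeners run and the CHILD_SA manager entries are moved, and `ike_sa_id->set_initiator_spi()` happens inside that window while `entry->ike_sa_id` still carries the old SPI until `replace_values()` after re-locking; the comment says the checked-out IKE_SA makes this safe, but it should state explicitly that no other thread can check out this entry meanwhile and that a listener must not attempt to check out the same IKE_SA from within `children_migrate()` (it would wait on itself). A one-line comment such as `/* listeners must not check out this IKE_SA here, our thread holds it */` above the first `children_migrate` call would capture that. The function's start lies outside the hunk, so the checkout itself cannot be confirmed from here.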
+0000 @@ -799,7 +799,7 @@ uint32_t mid, mid_n; chunk_t data = chunk_empty, *n_i, *n_r; bool add_message = TRUE; - char *name = "Hash"; + char *name DBG_UNUSED = "Hash"; if (!this->prf) { /* no keys derived yet */ diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev1/task_manager_v1.c strongswan-5.9.11/src/libcharon/sa/ikev1/task_manager_v1.c --- strongswan-5.9.8/src/libcharon/sa/ikev1/task_manager_v1.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev1/task_manager_v1.c 2023-06-08 10:35:17.000000000 +0000 @@ -196,37 +196,9 @@ message_t *queued; /** - * Number of times we retransmit messages before giving up + * Retransmision settings. */ - u_int retransmit_tries; - - /** - * Maximum number of tries possible with current retransmission settings - * before overflowing the range of uint32_t, which we use for the timeout. - * Note that UINT32_MAX milliseconds equal nearly 50 days, so that doesn't - * make much sense without retransmit_limit anyway. - */ - u_int retransmit_tries_max; - - /** - * Retransmission timeout - */ - double retransmit_timeout; - - /** - * Base to calculate retransmission timeout - */ - double retransmit_base; - - /** - * Jitter to apply to calculated retransmit timeout (in percent) - */ - u_int retransmit_jitter; - - /** - * Limit retransmit timeout to this value - */ - uint32_t retransmit_limit; + retransmission_t retransmit; /** * Sequence number for sending DPD requests 
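Review bot: The new field comment in task_manager_v1.c reads `Retransmision settings.` — a typo; the IKEv2 counterpart spells it `Retransmission settings.`, so use that. The removed per-field comments documented the `uint32_t` overflow caveat behind `retransmit_tries_max` ("UINT32_MAX milliseconds equal nearly 50 days"); that text now belongs on `retransmission_t` in task_manager.h, which is outside this view, so check it was carried over rather than dropped.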
@@ -364,30 +336,16 @@ u_int mid, u_int retransmitted, array_t *packets) { packet_t *packet; - uint32_t t = UINT32_MAX, max_jitter; + uint32_t t; array_get(packets, 0, &packet); - if (retransmitted > this->retransmit_tries) + if (retransmitted > this->retransmit.tries) { DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1); charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet); return DESTROY_ME; } - if (!this->retransmit_tries_max || - retransmitted <= this->retransmit_tries_max) - { - t = (uint32_t)(this->retransmit_timeout * 1000.0 * - pow(this->retransmit_base, retransmitted)); - } - if (this->retransmit_limit) - { - t = min(t, this->retransmit_limit); - } - if (this->retransmit_jitter) - { - max_jitter = (t / 100.0) * this->retransmit_jitter; - t -= max_jitter * (random() / (RAND_MAX + 1.0)); - } + t = retransmission_timeout(&this->retransmit, retransmitted, TRUE); if (retransmitted) { DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u", @@ -1893,10 +1851,9 @@ if (t == 0) { /* use the same timeout as a retransmitting IKE message would have */ - for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++) + for (retransmit = 0; retransmit <= this->retransmit.tries; retransmit++) { - t += (uint32_t)(this->retransmit_timeout * 1000.0 * - pow(this->retransmit_base, retransmit)); + t += retransmission_timeout(&this->retransmit, retransmit, FALSE); } } /* compensate for the already elapsed dpd delay */ 
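Review bot: In the @@ -1893 hunk `t += retransmission_timeout(&this->retransmit, retransmit, FALSE)` sums up to `tries + 1` values that the helper explicitly caps at `UINT32_MAX` each; if `t` is a 32-bit value (its declaration is outside the hunk) the sum can wrap and yield a far too short DPD timeout, a risk the old per-term `(uint32_t)` cast shared but the explicit `UINT32_MAX` return now makes more likely for tries beyond `max_tries`. Accumulate in a wider type and clamp, e.g. `uint64_t total = 0;` … `total += retransmission_timeout(&this->retransmit, retransmit, FALSE);` … `t = min(total, UINT32_MAX);`, or reuse `retransmission_timeout_total()` and scale its seconds to milliseconds. The @@ -364 hunk is fine in this respect because `t` is assigned unconditionally before use.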
@@ -2132,16 +2089,6 @@ .queued_tasks = linked_list_create(), .active_tasks = linked_list_create(), .passive_tasks = linked_list_create(), - .retransmit_tries = lib->settings->get_int(lib->settings, - "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns), - .retransmit_timeout = lib->settings->get_double(lib->settings, - "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns), - .retransmit_base = lib->settings->get_double(lib->settings, - "%s.retransmit_base", RETRANSMIT_BASE, lib->ns), - .retransmit_jitter = min(lib->settings->get_int(lib->settings, - "%s.retransmit_jitter", 0, lib->ns), RETRANSMIT_JITTER_MAX), - .retransmit_limit = lib->settings->get_int(lib->settings, - "%s.retransmit_limit", 0, lib->ns) * 1000, ); if (!this->rng) @@ -2159,11 +2106,7 @@ } this->dpd_send &= 0x7FFFFFFF; - if (this->retransmit_base > 1) - { /* based on 1000 * timeout * base^try */ - this->retransmit_tries_max = log(UINT32_MAX/ - (1000.0 * this->retransmit_timeout))/ - log(this->retransmit_base); - } + retransmission_parse_default(&this->retransmit); + return &this->public; } diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev1/tasks/mode_config.c strongswan-5.9.11/src/libcharon/sa/ikev1/tasks/mode_config.c --- strongswan-5.9.8/src/libcharon/sa/ikev1/tasks/mode_config.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev1/tasks/mode_config.c 2023-06-08 10:35:17.000000000 +0000 @@ -335,7 +335,7 @@ chunk_t value; cp_payload_t *cp; peer_cfg_t *config; - identification_t *id; + identification_t *id DBG_UNUSED; linked_list_t *pools, *migrated, *vips; host_t *any4, *any6, *found; char *name; 
@@ -491,7 +491,7 @@ chunk_t value; cp_payload_t *cp; peer_cfg_t *config; - identification_t *id; + identification_t *id DBG_UNUSED; linked_list_t *vips, *pools, *migrated; host_t *requested, *found; diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c strongswan-5.9.11/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c --- strongswan-5.9.8/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c 2023-06-08 10:35:17.000000000 +0000 @@ -156,7 +156,7 @@ identification_t *id; pen_t vendor; eap_payload_t *out; - char *action; + char *action DBG_UNUSED; auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); @@ -641,11 +641,12 @@ } if (this->require_mutual && !this->method->is_mutual(this->method)) { /* we require mutual authentication due to EAP-only */ +#if DEBUG_LEVEL >= 1 pen_t vendor; - DBG1(DBG_IKE, "EAP-only authentication requires a mutual and " "MSK deriving EAP method, but %N is not", eap_type_names, this->method->get_type(this->method, &vendor)); +#endif return FAILED; } return SUCCESS; diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c strongswan-5.9.11/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c --- strongswan-5.9.8/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c 2022-09-30 09:13:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c 2023-06-08 10:35:17.000000000 +0000 @@ -371,11 +371,13 @@ { if (params->scheme == SIGN_RSA_EMSA_PSS) { +#if DEBUG_LEVEL >= 1 rsa_pss_params_t *pss = params->params; DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N_SALT_%zd " "%s", id, signature_scheme_names, params->scheme, hash_algorithm_short_names_upper, pss->hash, pss->salt_len, status == SUCCESS ? "successful" : "failed"); +#endif } else { 
@@ -573,7 +575,7 @@ key_type_t key_type = KEY_ECDSA; signature_params_t *params; status_t status = NOT_FOUND; - const char *reason = "unsupported"; + const char *reason DBG_UNUSED = "unsupported"; bool online; auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH); @@ -647,10 +649,12 @@ } else if (params->scheme == SIGN_RSA_EMSA_PSS) { +#if DEBUG_LEVEL >= 1 rsa_pss_params_t *pss = params->params; DBG1(DBG_IKE, "authentication of '%Y' with %N_%N_SALT_%zd " "successful", id, signature_scheme_names, params->scheme, hash_algorithm_short_names_upper, pss->hash, pss->salt_len); +#endif } else { diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev2/task_manager_v2.c strongswan-5.9.11/src/libcharon/sa/ikev2/task_manager_v2.c --- strongswan-5.9.8/src/libcharon/sa/ikev2/task_manager_v2.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev2/task_manager_v2.c 2023-06-08 10:35:17.000000000 +0000 @@ -165,37 +165,9 @@ bool reset; /** - * Number of times we retransmit messages before giving up + * Retransmission settings. */ - u_int retransmit_tries; - - /** - * Maximum number of tries possible with current retransmission settings - * before overflowing the range of uint32_t, which we use for the timeout. - * Note that UINT32_MAX milliseconds equal nearly 50 days, so that doesn't - * make much sense without retransmit_limit anyway. - */ - u_int retransmit_tries_max; - - /** - * Retransmission timeout - */ - double retransmit_timeout; - - /** - * Base to calculate retransmission timeout - */ - double retransmit_base; - - /** - * Jitter to apply to calculated retransmit timeout (in percent) - */ - u_int retransmit_jitter; - - /** - * Limit retransmit timeout to this value - */ - uint32_t retransmit_limit; + retransmission_t retransmit; /** * Use make-before-break instead of break-before-make reauth? 
@@ -358,7 +330,7 @@ if (message_id == this->initiating.mid && array_count(this->initiating.packets)) { - uint32_t timeout = UINT32_MAX, max_jitter; + uint32_t timeout; job_t *job; enumerator_t *enumerator; packet_t *packet; @@ -384,7 +356,7 @@ if (!mobike || !mobike->is_probing(mobike)) { - if (this->initiating.retransmitted > this->retransmit_tries) + if (this->initiating.retransmitted > this->retransmit.tries) { DBG1(DBG_IKE, "giving up after %d retransmits", this->initiating.retransmitted - 1); @@ -392,21 +364,8 @@ packet); return DESTROY_ME; } - if (!this->retransmit_tries_max || - this->initiating.retransmitted <= this->retransmit_tries_max) - { - timeout = (uint32_t)(this->retransmit_timeout * 1000.0 * - pow(this->retransmit_base, this->initiating.retransmitted)); - } - if (this->retransmit_limit) - { - timeout = min(timeout, this->retransmit_limit); - } - if (this->retransmit_jitter) - { - max_jitter = (timeout / 100.0) * this->retransmit_jitter; - timeout -= max_jitter * (random() / (RAND_MAX + 1.0)); - } + timeout = retransmission_timeout(&this->retransmit, + this->initiating.retransmitted, TRUE); if (this->initiating.retransmitted) { DBG1(DBG_IKE, "retransmit %d of request with message ID %d", 
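Review bot: The @@ -358 hunk removes the `UINT32_MAX` initialiser from `timeout`, so every path that reaches the job scheduling must now assign it; the `if (!mobike || !mobike->is_probing(mobike))` branch does via `retransmission_timeout()`, but the `else` branch (the MOBIKE probing case) lies outside the hunk and cannot be checked here. If any path leaves it unset, the scheduling code reads an uninitialised value; keeping `uint32_t timeout = UINT32_MAX;` or adding an explicit assignment in the `else` branch would remove the doubt. The equivalent change in task_manager_v1.c assigns `t` unconditionally, so no such concern arises there.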
@@ -2625,25 +2584,11 @@ .queued_tasks = array_create(0, 0), .active_tasks = array_create(0, 0), .passive_tasks = array_create(0, 0), - .retransmit_tries = lib->settings->get_int(lib->settings, - "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns), - .retransmit_timeout = lib->settings->get_double(lib->settings, - "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns), - .retransmit_base = lib->settings->get_double(lib->settings, - "%s.retransmit_base", RETRANSMIT_BASE, lib->ns), - .retransmit_jitter = min(lib->settings->get_int(lib->settings, - "%s.retransmit_jitter", 0, lib->ns), RETRANSMIT_JITTER_MAX), - .retransmit_limit = lib->settings->get_int(lib->settings, - "%s.retransmit_limit", 0, lib->ns) * 1000, .make_before_break = lib->settings->get_bool(lib->settings, "%s.make_before_break", FALSE, lib->ns), ); - if (this->retransmit_base > 1) - { /* based on 1000 * timeout * base^try */ - this->retransmit_tries_max = log(UINT32_MAX/ - (1000.0 * this->retransmit_timeout))/ - log(this->retransmit_base); - } + retransmission_parse_default(&this->retransmit); + return &this->public; } diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev2/tasks/child_create.c strongswan-5.9.11/src/libcharon/sa/ikev2/tasks/child_create.c --- strongswan-5.9.8/src/libcharon/sa/ikev2/tasks/child_create.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev2/tasks/child_create.c 2023-06-08 10:35:17.000000000 +0000 @@ -495,7 +495,6 @@ bool no_dh, bool ike_auth) { status_t status, status_i, status_o; - child_sa_outbound_state_t out_state; chunk_t nonce_i, nonce_r; chunk_t encr_i = chunk_empty, encr_r = chunk_empty; chunk_t integ_i = chunk_empty, integ_r = chunk_empty; 
@@ -779,11 +778,14 @@ charon->bus->child_keys(charon->bus, this->child_sa, this->initiator, this->dh, nonce_i, nonce_r); +#if DEBUG_LEVEL >= 0 + child_sa_outbound_state_t out_state; + + out_state = this->child_sa->get_outbound_state(this->child_sa); my_ts = linked_list_create_from_enumerator( this->child_sa->create_ts_enumerator(this->child_sa, TRUE)); other_ts = linked_list_create_from_enumerator( this->child_sa->create_ts_enumerator(this->child_sa, FALSE)); - out_state = this->child_sa->get_outbound_state(this->child_sa); DBG0(DBG_IKE, "%sCHILD_SA %s{%d} established " "with SPIs %.8x_i %.8x_o and TS %#R === %#R", @@ -796,6 +798,7 @@ my_ts->destroy(my_ts); other_ts->destroy(other_ts); +#endif this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); this->ike_sa->add_child_sa(this->ike_sa, this->child_sa); @@ -1044,7 +1047,8 @@ /* with SELinux, we prefer not to create a CHILD_SA when we only have * the generic label available. if the peer does not support it, * creating the SA will most likely fail */ - if (policy == CHILDLESS_FORCE || + if (policy == CHILDLESS_PREFER || + policy == CHILDLESS_FORCE || generic_label_only(this)) { return NEED_MORE; @@ -1128,13 +1132,13 @@ { if (generic_label_only(this)) { - sec_label_t *label; - - label = this->config->get_label(this->config); +#if DEBUG_LEVEL >= 1 + sec_label_t *label = this->config->get_label(this->config); DBG1(DBG_IKE, "not establishing CHILD_SA %s{%d} with generic " "label '%s'", this->child_sa->get_name(this->child_sa), this->child_sa->get_unique_id(this->child_sa), label->get_string(label)); +#endif return TRUE; } return FALSE; diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev2/tasks/ike_config.c strongswan-5.9.11/src/libcharon/sa/ikev2/tasks/ike_config.c --- strongswan-5.9.8/src/libcharon/sa/ikev2/tasks/ike_config.c 2022-09-26 08:32:37.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev2/tasks/ike_config.c 2023-06-08 10:35:17.000000000 +0000 
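Review bot: The @@ -1044 hunk adds `policy == CHILDLESS_PREFER` to a condition whose preceding comment only explains the SELinux generic-label case; extend it, e.g. `/* defer the CHILD_SA if childless IKE_SAs are preferred or forced, or (with SELinux) if only the generic label is available, ... */`. In the @@ -779/@@ -796 hunks the `DBG0` block is now under `#if DEBUG_LEVEL >= 0`, which presumably compiles the established-message out only when logging is disabled entirely; a short comment noting that `out_state`, `my_ts` and `other_ts` exist solely for that log line would explain why their declarations moved under the guard. The enclosing functions start outside these hunks.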
@@ -353,7 +353,7 @@ chunk_t value; cp_payload_t *cp = NULL; peer_cfg_t *config; - identification_t *id; + identification_t *id DBG_UNUSED; linked_list_t *vips, *pools; host_t *requested; diff -Nru strongswan-5.9.8/src/libcharon/sa/ikev2/tasks/ike_init.c strongswan-5.9.11/src/libcharon/sa/ikev2/tasks/ike_init.c --- strongswan-5.9.8/src/libcharon/sa/ikev2/tasks/ike_init.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/ikev2/tasks/ike_init.c 2023-06-08 10:35:17.000000000 +0000 @@ -1035,7 +1035,7 @@ case INVALID_KE_PAYLOAD: { chunk_t data; - key_exchange_method_t bad_group; + key_exchange_method_t bad_group DBG_UNUSED; bad_group = this->dh_group; data = notify->get_notification_data(notify); diff -Nru strongswan-5.9.8/src/libcharon/sa/redirect_manager.h strongswan-5.9.11/src/libcharon/sa/redirect_manager.h --- strongswan-5.9.8/src/libcharon/sa/redirect_manager.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/redirect_manager.h 2023-05-06 07:16:02.000000000 +0000 @@ -57,7 +57,7 @@ * IKE_SA_INIT message. * * @param ike_sa IKE_SA for which this is called - * @param gateway[out] new IKE gateway (IP or FQDN) + * @param[out] gateway new IKE gateway (IP or FQDN) * @return TRUE if client should be redirected, FALSE otherwise */ bool (*redirect_on_init)(redirect_manager_t *this, ike_sa_t *ike_sa, 
@@ -69,7 +69,7 @@ * when the server authenticates itself. * * @param ike_sa IKE_SA for which this is called - * @param gateway[out] new IKE gateway (IP or FQDN) + * @param[out] gateway new IKE gateway (IP or FQDN) * @return TRUE if client should be redirected, FALSE otherwise */ bool (*redirect_on_auth)(redirect_manager_t *this, ike_sa_t *ike_sa, diff -Nru strongswan-5.9.8/src/libcharon/sa/redirect_provider.h strongswan-5.9.11/src/libcharon/sa/redirect_provider.h --- strongswan-5.9.8/src/libcharon/sa/redirect_provider.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/redirect_provider.h 2023-05-06 07:16:02.000000000 +0000 @@ -38,7 +38,7 @@ * IKE_SA_INIT message. * * @param ike_sa IKE_SA for which this is called - * @param gateway[out] new IKE gateway (IP or FQDN) + * @param[out] gateway new IKE gateway (IP or FQDN) * @return TRUE if client should be redirected, FALSE otherwise */ bool (*redirect_on_init)(redirect_provider_t *this, ike_sa_t *ike_sa, @@ -50,7 +50,7 @@ * server authenticates itself. * * @param ike_sa IKE_SA for which this is called - * @param gateway[out] new IKE gateway (IP or FQDN) + * @param[out] gateway new IKE gateway (IP or FQDN) * @return TRUE if client should be redirected, FALSE otherwise */ bool (*redirect_on_auth)(redirect_provider_t *this, ike_sa_t *ike_sa, diff -Nru strongswan-5.9.8/src/libcharon/sa/shunt_manager.c strongswan-5.9.11/src/libcharon/sa/shunt_manager.c --- strongswan-5.9.8/src/libcharon/sa/shunt_manager.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/shunt_manager.c 2023-03-27 21:00:49.000000000 +0000 @@ -95,6 +95,7 @@ policy_type_t policy_type; policy_priority_t policy_prio; status_t status = SUCCESS; + hw_offload_t hw_offload; uint32_t manual_prio; char *interface; bool fwd_out; 
@@ -125,6 +126,7 @@ hosts->destroy(hosts); manual_prio = child->get_manual_prio(child); + hw_offload = child->get_hw_offload(child); interface = child->get_interface(child); fwd_out = child->has_option(child, OPT_FWD_OUT_POLICIES); @@ -157,6 +159,7 @@ .type = policy_type, .prio = policy_prio, .manual_prio = manual_prio, + .hw_offload = hw_offload, .src = host_any, .dst = host_any, .sa = &sa, diff -Nru strongswan-5.9.8/src/libcharon/sa/task_manager.c strongswan-5.9.11/src/libcharon/sa/task_manager.c --- strongswan-5.9.8/src/libcharon/sa/task_manager.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libcharon/sa/task_manager.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Tobias Brunner + * Copyright (C) 2011-2023 Tobias Brunner * * Copyright (C) secunet Security Networks AG * 
@@ -21,39 +21,64 @@
 #include
 /*
- * See header
+ * Described in header
 */
-u_int task_manager_total_retransmit_timeout()
+void retransmission_parse_default(retransmission_t *settings)
 {
- double timeout, base, limit = 0, total = 0;
- int tries, max_tries = 0, i;
+ settings->timeout = lib->settings->get_double(lib->settings,
+ "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns);
+ settings->base = lib->settings->get_double(lib->settings,
+ "%s.retransmit_base", RETRANSMIT_BASE, lib->ns);
+ settings->jitter = min(lib->settings->get_int(lib->settings,
+ "%s.retransmit_jitter", 0, lib->ns), RETRANSMIT_JITTER_MAX);
+ settings->limit = lib->settings->get_int(lib->settings,
+ "%s.retransmit_limit", 0, lib->ns) * 1000;
+ settings->tries = lib->settings->get_int(lib->settings,
+ "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns);
+
+ if (settings->base > 1)
+ { /* based on 1000 * timeout * base^try */
+ settings->max_tries = log(UINT32_MAX/
+ (1000.0 * settings->timeout))/
+ log(settings->base);
+ }
+}
- tries = lib->settings->get_int(lib->settings, "%s.retransmit_tries",
- RETRANSMIT_TRIES, lib->ns);
- base = lib->settings->get_double(lib->settings, "%s.retransmit_base",
- RETRANSMIT_BASE, lib->ns);
- timeout = lib->settings->get_double(lib->settings, "%s.retransmit_timeout",
- RETRANSMIT_TIMEOUT, lib->ns);
- limit = lib->settings->get_double(lib->settings, "%s.retransmit_limit",
- 0, lib->ns);
+/*
+ * Described in header
+ */
+uint32_t retransmission_timeout(retransmission_t *settings, u_int try,
+ bool randomize)
+{
+ double timeout = UINT32_MAX, max_jitter;
- if (base > 1)
+ if (!settings->max_tries || try <= settings->max_tries)
+ {
+ timeout = settings->timeout * 1000.0 * pow(settings->base, try);
+ }
+ if (settings->limit)
 {
- max_tries = log(UINT32_MAX/(1000.0 * timeout))/log(base);
+ timeout = min(timeout, settings->limit);
 }
+ if (randomize && settings->jitter)
+ {
+ max_jitter = (timeout / 100.0) * settings->jitter;
+ timeout -= max_jitter * (random() / (RAND_MAX + 1.0));
+ }
+ return (uint32_t)timeout;
+}
+
+/*
+ * Described in header
+ */
+u_int retransmission_timeout_total(retransmission_t *settings)
+{
+ double total = 0;
+ int i;
- for (i = 0; i <= tries; i++)
+ for (i = 0; i <= settings->tries; i++)
 {
- double interval = UINT32_MAX/1000.0;
- if (max_tries && i <= max_tries)
- {
- interval = timeout * pow(base, i);
- }
- if (limit)
- {
- interval = min(interval, limit);
- }
- total += interval;
+ total += retransmission_timeout(settings, i, FALSE) / 1000.0;
 }
 return (u_int)total;
 }
@@ -80,4 +105,3 @@
 }
 return NULL;
 }
-
diff -Nru strongswan-5.9.8/src/libcharon/sa/task_manager.h strongswan-5.9.11/src/libcharon/sa/task_manager.h
--- strongswan-5.9.8/src/libcharon/sa/task_manager.h 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/sa/task_manager.h 2023-06-08 10:35:17.000000000 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2018 Tobias Brunner
+ * Copyright (C) 2013-2023 Tobias Brunner
 * Copyright (C) 2006 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
@@ -25,6 +25,7 @@
 typedef struct task_manager_t task_manager_t;
 typedef enum task_queue_t task_queue_t;
+typedef struct retransmission_t retransmission_t;
 #include
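Review bot: `retransmission_parse_default` writes `settings->max_tries` only inside the `if (settings->base > 1)` branch, so a struct the caller did not zero keeps whatever was there, and `retransmission_timeout` then uses that value as its try cap via `try <= settings->max_tries`; the removed code initialised `max_tries = 0` unconditionally. Adding `settings->max_tries = 0;` before the `if` restores that, or the header comment should state that the struct must be zero-initialised by the caller. On the same function, `get_int(..., "%s.retransmit_limit", ...) * 1000` is evaluated as `int` before the store into the `uint32_t` field, so a configured limit above roughly 2.1 million seconds overflows with undefined behaviour, and a negative `retransmit_jitter` survives `min(..., RETRANSMIT_JITTER_MAX)` and lands in the unsigned `jitter` field as a huge percentage that pushes the computed timeout below zero before the `(uint32_t)timeout` cast. Clamping both values at zero during parsing keeps the retransmit timer independent of a malformed configuration.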
@@ -64,6 +65,49 @@
 #define ROUTABILITY_CHECK_TRIES 10
 /**
+ * Retransmission settings.
+ *
+ * See retransmission_timeout() for details on the calculation.
+ */
+struct retransmission_t {
+
+ /**
+ * Timeout in seconds.
+ */
+ double timeout;
+
+ /**
+ * Base that's raised to the power of the retransmission try to calculate
+ * the timeout.
+ */
+ double base;
+
+ /**
+ * Limit for the calculated timeout (in ms).
+ */
+ uint32_t limit;
+
+ /**
+ * Maximum jitter to apply to calculated timeout (in percent). A random
+ * amount of that value will be subtracted from the calculated timeout.
+ */
+ u_int jitter;
+
+ /**
+ * Number of tries.
+ */
+ u_int tries;
+
+ /**
+ * Maximum number of tries possible with current retransmission settings
+ * before overflowing the range of uint32_t, which we use for the timeout.
+ * Note that UINT32_MAX milliseconds equal nearly 50 days, so using a high
+ * number of retransmits doesn't make much sense without `limit` anyway.
+ */
+ u_int max_tries;
+};
+
+/**
 * Type of task queues the task manager uses to handle tasks
 */
 enum task_queue_t {
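Review bot: The `max_tries` comment describes only the overflow bound, but the zero value carries meaning in the new code: `retransmission_parse_default` does not set it when `base <= 1`, and `retransmission_timeout` treats `max_tries == 0` as "no cap on try" through `!settings->max_tries || try <= settings->max_tries`. Suggest appending `Zero if no cap applies (base <= 1); must be zero-initialised by the caller.` to that field's comment. Likewise `limit` deserves `Zero disables the limit.`, since `retransmission_timeout` only applies `min(timeout, limit)` when `limit` is non-zero.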
@@ -88,24 +132,8 @@
 * For the initial IKE_SA setup, several tasks are queued: One for the
 * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
 * and maybe one for virtual IP assignment.
- * The task manager is also responsible for retransmission. It uses a backoff
- * algorithm. The timeout is calculated using
- * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try).
- * When try reaches RETRANSMIT_TRIES, retransmission is given up.
- *
- * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us:
- * @verbatim
- | relative | absolute
- ---------------------------------------------------------
- 4s * (1.8 ** 0) = 4s 4s
- 4s * (1.8 ** 1) = 7s 11s
- 4s * (1.8 ** 2) = 13s 24s
- 4s * (1.8 ** 3) = 23s 47s
- 4s * (1.8 ** 4) = 42s 89s
- 4s * (1.8 ** 5) = 76s 165s
-
- @endverbatim
- * The peer is considered dead after 2min 45s when no reply comes in.
+ * The task manager is also responsible for retransmission (see
+ * retransmission_timeout() for details).
 */
 struct task_manager_t {
@@ -305,15 +333,55 @@
 };
 /**
- * Calculate total timeout of the retransmission mechanism.
+ * Parse the default retransmission settings.
+ *
+ * @param settings retransmission settings that are filled in
+ */
+void retransmission_parse_default(retransmission_t *settings);
+
+/**
+ * Calculate the retransmission timeout in ms based on the given settings and
+ * try.
+ *
+ * An exponential backoff algorithm is used. The timeout for each retransmit
+ * is calculated as follows: min(timeout * (base ** try), limit)
+ * From the result a random value (of at most jitter percent) is optionally
+ * subtracted.
+ *
+ * Using an initial timeout of 4s, a base of 1.8, and 5 tries gives us:
+ * @verbatim
+ | relative | absolute
+ ---------------------------------------------------------
+ 4s * (1.8 ** 0) = 4s 4s
+ 4s * (1.8 ** 1) = 7s 11s
+ 4s * (1.8 ** 2) = 13s 24s
+ 4s * (1.8 ** 3) = 23s 47s
+ 4s * (1.8 ** 4) = 42s 89s
+ 4s * (1.8 ** 5) = 76s 165s
+
+ @endverbatim
+ * So the peer is considered dead after 2min 45s when no reply is received.
+ *
+ * @param settings retransmission settings
+ * @param try zero-based try to send a packet
+ * @param randomize whether to apply jitter
+ * @return timeout for next retransmit in ms
+ */
+uint32_t retransmission_timeout(retransmission_t *settings, u_int try,
+ bool randomize);
+
+/**
+ * Calculate total timeout in s for the given retransmission settings (ignoring
+ * jitter).
- * This is affected by modifications of retransmit_base, retransmit_timeout,
- * retransmit_limit or retransmit_tries. The resulting value can then be used
- * e.g. in kernel plugins to set the system's acquire timeout properly.
+ * This is affected by modifications of base, timeout, limit and tries. The
+ * resulting value can then be used e.g. in kernel plugins to set the system's
+ * acquire timeout properly.
 *
+ * @param settings retransmission settings
 * @return calculated total retransmission timeout in seconds
 */
-u_int task_manager_total_retransmit_timeout();
+u_int retransmission_timeout_total(retransmission_t *settings);
 /**
 * Create a task manager instance for the correct IKE version.
diff -Nru strongswan-5.9.8/src/libcharon/tests/Makefile.in strongswan-5.9.11/src/libcharon/tests/Makefile.in
--- strongswan-5.9.8/src/libcharon/tests/Makefile.in 2022-10-03 14:18:07.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/tests/Makefile.in 2023-06-12 05:50:41.000000000 +0000
@@ -476,7 +476,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libcharon/tests/suites/test_childless.c strongswan-5.9.11/src/libcharon/tests/suites/test_childless.c
--- strongswan-5.9.8/src/libcharon/tests/suites/test_childless.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libcharon/tests/suites/test_childless.c 2023-03-27 21:00:49.000000000 +0000
@@ -27,9 +27,13 @@
 */
 START_TEST(test_regular)
 {
+ childless_t childless[] = {
+ CHILDLESS_FORCE,
+ CHILDLESS_PREFER,
+ };
 exchange_test_sa_conf_t conf = {
 .initiator = {
- .childless = CHILDLESS_FORCE,
+ .childless = childless[_i],
 .esp = "aes128-sha256-modp3072",
 },
 .responder = {
@@ -281,7 +285,7 @@
 s = suite_create("childless");
 tc = tcase_create("initiation");
- tcase_add_test(tc, test_regular);
+ tcase_add_loop_test(tc, test_regular, 0, 2);
 tcase_add_test(tc, test_regular_manual);
 suite_add_tcase(s, tc);
diff -Nru strongswan-5.9.8/src/libfast/Makefile.in strongswan-5.9.11/src/libfast/Makefile.in
--- strongswan-5.9.8/src/libfast/Makefile.in 2022-10-03 14:18:07.000000000 +0000
+++ strongswan-5.9.11/src/libfast/Makefile.in 2023-06-12 05:50:41.000000000 +0000
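Review bot: The `retransmission_timeout` comment gives the formula `min(timeout * (base ** try), limit)` but not the two boundary cases the implementation has: when `limit` is zero no minimum is applied, and when `try` exceeds a non-zero `max_tries` the function returns `UINT32_MAX` (or `limit`, if set) rather than the exponential value. A sentence after the formula, e.g. `A limit of 0 disables the cap; tries beyond max_tries yield UINT32_MAX ms (or limit).`, would tell callers of `retransmission_timeout_total()` such as kernel plugins why the total jumps by about 4.3 million seconds per try once `max_tries` is exceeded. The `@param try` line could also state that the value is compared against `max_tries` before any exponentiation, so no overflow happens for large tries.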
@@ -438,7 +438,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/generic/generic_attr_bool.c strongswan-5.9.11/src/libimcv/generic/generic_attr_bool.c --- strongswan-5.9.8/src/libimcv/generic/generic_attr_bool.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/generic/generic_attr_bool.c 2023-06-08 10:35:17.000000000 +0000 @@ -121,7 +121,7 @@ METHOD(pa_tnc_attr_t, process, status_t, private_generic_attr_bool_t *this, uint32_t *offset) { - enum_name_t *pa_attr_names; + enum_name_t *pa_attr_names DBG_UNUSED; bio_reader_t *reader; uint32_t status; diff -Nru strongswan-5.9.8/src/libimcv/generic/generic_attr_chunk.c strongswan-5.9.11/src/libimcv/generic/generic_attr_chunk.c --- strongswan-5.9.8/src/libimcv/generic/generic_attr_chunk.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/generic/generic_attr_chunk.c 2023-06-08 10:35:17.000000000 +0000 @@ -96,7 +96,7 @@ METHOD(pa_tnc_attr_t, process, status_t, private_generic_attr_chunk_t *this, uint32_t *offset) { - enum_name_t *pa_attr_names; + enum_name_t *pa_attr_names DBG_UNUSED; *offset = 0; if (this->value.len < this->length) diff -Nru strongswan-5.9.8/src/libimcv/generic/generic_attr_string.c strongswan-5.9.11/src/libimcv/generic/generic_attr_string.c --- strongswan-5.9.8/src/libimcv/generic/generic_attr_string.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/generic/generic_attr_string.c 2023-06-08 10:35:17.000000000 +0000 
@@ -91,7 +91,7 @@ METHOD(pa_tnc_attr_t, process, status_t, private_generic_attr_string_t *this, uint32_t *offset) { - enum_name_t *pa_attr_names; + enum_name_t *pa_attr_names DBG_UNUSED; u_char *pos; *offset = 0; diff -Nru strongswan-5.9.8/src/libimcv/imc/imc_agent.c strongswan-5.9.11/src/libimcv/imc/imc_agent.c --- strongswan-5.9.8/src/libimcv/imc/imc_agent.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/imc/imc_agent.c 2023-06-08 10:35:17.000000000 +0000 @@ -346,7 +346,7 @@ { TNC_ConnectionID conn_id; char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL; - bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE; + bool has_long = FALSE, has_excl = FALSE, has_soh DBG_UNUSED = FALSE; uint32_t max_msg_len; conn_id = state->get_connection_id(state); diff -Nru strongswan-5.9.8/src/libimcv/imc/imc_msg.c strongswan-5.9.11/src/libimcv/imc/imc_msg.c --- strongswan-5.9.8/src/libimcv/imc/imc_msg.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/imc/imc_msg.c 2023-06-08 10:35:17.000000000 +0000 @@ -254,7 +254,6 @@ enumerator_t *enumerator; pa_tnc_attr_t *attr; pen_type_t attr_type; - chunk_t msg; bool first = TRUE; if (this->state->has_long(this->state)) @@ -282,8 +281,10 @@ this->agent->get_name(this->agent), this->connection_id); } - msg = this->pa_msg->get_encoding(this->pa_msg); +#if DEBUG_LEVEL >= 3 + chunk_t msg = this->pa_msg->get_encoding(this->pa_msg); DBG3(DBG_IMC, "%B", &msg); +#endif switch (this->pa_msg->process(this->pa_msg)) { 
@@ -522,7 +523,7 @@ { ietf_attr_remediation_instr_t *attr_cast; pen_type_t parameters_type; - chunk_t parameters, string, lang_code; + chunk_t parameters DBG_UNUSED, string DBG_UNUSED, lang_code; attr_cast = (ietf_attr_remediation_instr_t*)attr; parameters_type = attr_cast->get_parameters_type(attr_cast); diff -Nru strongswan-5.9.8/src/libimcv/imv/imv_agent.c strongswan-5.9.11/src/libimcv/imv/imv_agent.c --- strongswan-5.9.8/src/libimcv/imv/imv_agent.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/imv/imv_agent.c 2023-06-08 10:35:17.000000000 +0000 @@ -413,7 +413,7 @@ { TNC_ConnectionID conn_id; char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL; - bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE; + bool has_long = FALSE, has_excl = FALSE, has_soh DBG_UNUSED = FALSE; linked_list_t *ar_identities; imv_session_t *session; uint32_t max_msg_len; diff -Nru strongswan-5.9.8/src/libimcv/imv/imv_msg.c strongswan-5.9.11/src/libimcv/imv/imv_msg.c --- strongswan-5.9.8/src/libimcv/imv/imv_msg.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/imv/imv_msg.c 2023-06-08 10:35:17.000000000 +0000 @@ -293,7 +293,6 @@ linked_list_t *non_fatal_types; enumerator_t *enumerator; pa_tnc_attr_t *attr; - chunk_t msg; if (this->state->has_long(this->state)) { @@ -320,8 +319,10 @@ this->agent->get_name(this->agent), this->connection_id); } - msg = this->pa_msg->get_encoding(this->pa_msg); +#if DEBUG_LEVEL >= 3 + chunk_t msg = this->pa_msg->get_encoding(this->pa_msg); DBG3(DBG_IMV, "%B", &msg); +#endif switch (this->pa_msg->process(this->pa_msg)) { diff -Nru strongswan-5.9.8/src/libimcv/imv/imv_session_manager.c strongswan-5.9.11/src/libimcv/imv/imv_session_manager.c --- strongswan-5.9.8/src/libimcv/imv/imv_session_manager.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/imv/imv_session_manager.c 2023-06-08 10:35:17.000000000 +0000 
@@ -50,7 +50,6 @@ linked_list_t *ar_identities) { enumerator_t *enumerator; - tncif_identity_t *tnc_id; imv_session_t *current, *session = NULL; this->mutex->lock(this->mutex); @@ -77,6 +76,8 @@ } /* Output list of Access Requestor identities */ +#if DEBUG_LEVEL >= 2 + tncif_identity_t *tnc_id; enumerator = ar_identities->create_enumerator(ar_identities); while (enumerator->enumerate(enumerator, &tnc_id)) { @@ -103,6 +104,7 @@ TNC_Authentication_names, tcg_auth_type); } enumerator->destroy(enumerator); +#endif /* DEBUG_LEVEL */ /* create a new session entry */ session = imv_session_create(conn_id, ar_identities); diff -Nru strongswan-5.9.8/src/libimcv/Makefile.in strongswan-5.9.11/src/libimcv/Makefile.in --- strongswan-5.9.8/src/libimcv/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -698,7 +698,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/pa_tnc/pa_tnc_msg.c strongswan-5.9.11/src/libimcv/pa_tnc/pa_tnc_msg.c --- strongswan-5.9.8/src/libimcv/pa_tnc/pa_tnc_msg.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/pa_tnc/pa_tnc_msg.c 2023-06-08 10:35:17.000000000 +0000 @@ -277,13 +277,10 @@ { ietf_attr_pa_tnc_error_t *error_attr; pen_type_t error_code, *non_fatal_type; - chunk_t msg_info; - uint32_t offset; bool fatal_current_error = TRUE; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); - msg_info = error_attr->get_msg_info(error_attr); /* skip errors from non-IETF namespaces and non PA-TNC msg errors */ if (error_code.vendor_id != PEN_IETF || 
@@ -291,15 +288,17 @@ { continue; } +#if DEBUG_LEVEL >= 1 + chunk_t msg_info = error_attr->get_msg_info(error_attr); DBG1(DBG_TNC, "received PA-TNC error '%N' concerning message " "0x%08x/0x%08x", pa_tnc_error_code_names, error_code.type, untoh32(msg_info.ptr), untoh32(msg_info.ptr + 4)); - +#endif switch (error_code.type) { case PA_ERROR_INVALID_PARAMETER: - offset = error_attr->get_offset(error_attr); - DBG1(DBG_TNC, " occurred at offset of %u bytes", offset); + DBG1(DBG_TNC, " occurred at offset of %u bytes", + error_attr->get_offset(error_attr)); break; case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: unsupported_type = diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_attestation/imc_attestation.c strongswan-5.9.11/src/libimcv/plugins/imc_attestation/imc_attestation.c --- strongswan-5.9.8/src/libimcv/plugins/imc_attestation/imc_attestation.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_attestation/imc_attestation.c 2023-06-08 10:35:17.000000000 +0000 @@ -174,19 +174,18 @@ { ietf_attr_pa_tnc_error_t *error_attr; pen_type_t error_code; - chunk_t msg_info; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); if (error_code.vendor_id == PEN_TCG) { - msg_info = error_attr->get_msg_info(error_attr); - +#if DEBUG_LEVEL >= 1 + chunk_t msg_info = error_attr->get_msg_info(error_attr); DBG1(DBG_IMC, "received TCG-PTS error '%N'", pts_error_code_names, error_code.type); DBG1(DBG_IMC, "error information: %B", &msg_info); - +#endif /* DEBUG_LEVEL */ result = TNC_RESULT_FATAL; } } diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_attestation/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imc_attestation/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imc_attestation/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_attestation/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
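Review bot: The added `chunk_t msg_info = error_attr->get_msg_info(error_attr);` is read as `untoh32(msg_info.ptr)` and `untoh32(msg_info.ptr + 4)` with no check that `msg_info.len >= 8`; this is inherited from the removed line, but the attribute originates in the peer's PA-TNC message, so the read is only safe if the attribute parser guarantees an 8-byte msg_info for IETF error codes, which is not visible in this hunk. Guarding the log with `if (msg_info.len >= 8)`, or printing the chunk with `%B` instead of two fixed-offset reads, bounds the access at the cost of one line. The concern applies to builds compiled with `DEBUG_LEVEL >= 1`, where the block is now active, and the enclosing function begins and ends outside this hunk.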
@@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_hcd/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imc_hcd/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imc_hcd/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_hcd/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -429,7 +429,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_os/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imc_os/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imc_os/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_os/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -429,7 +429,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_scanner/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imc_scanner/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imc_scanner/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_scanner/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
@@ -430,7 +430,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_swima/imc_swima.c strongswan-5.9.11/src/libimcv/plugins/imc_swima/imc_swima.c --- strongswan-5.9.8/src/libimcv/plugins/imc_swima/imc_swima.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_swima/imc_swima.c 2023-06-08 10:35:17.000000000 +0000 @@ -229,7 +229,7 @@ size_t msg_len = 64; char error_msg[msg_len], *id_str; bool collect_inventory = TRUE; - int items; + int items DBG_UNUSED; collector = swima_collector_create(); id_str = sw_id_only ? " ID" : ""; diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_swima/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imc_swima/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imc_swima/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_swima/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-11.swidtag strongswan-5.9.11/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-11.swidtag --- strongswan-5.9.8/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-11.swidtag 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-11.swidtag 2023-06-12 05:51:05.000000000 +0000 
@@ -0,0 +1,11 @@ + + + + diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-8.swidtag strongswan-5.9.11/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-8.swidtag --- strongswan-5.9.8/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-8.swidtag 2022-10-03 14:18:33.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-9-8.swidtag 1970-01-01 00:00:00.000000000 +0000 @@ -1,11 +0,0 @@ - - - - diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_test/imc_test.c strongswan-5.9.11/src/libimcv/plugins/imc_test/imc_test.c --- strongswan-5.9.8/src/libimcv/plugins/imc_test/imc_test.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_test/imc_test.c 2023-06-08 10:35:17.000000000 +0000 @@ -293,19 +293,19 @@ } if (attr_type.type == ITA_ATTR_COMMAND) { - ita_attr_command_t *ita_attr; - - ita_attr = (ita_attr_command_t*)attr; +#if DEBUG_LEVEL >= 1 + ita_attr_command_t *ita_attr = (ita_attr_command_t*)attr; DBG1(DBG_IMC, "received command '%s'", ita_attr->get_command(ita_attr)); +#endif } else if (attr_type.type == ITA_ATTR_DUMMY) { - ita_attr_dummy_t *ita_attr; - - ita_attr = (ita_attr_dummy_t*)attr; +#if DEBUG_LEVEL >= 1 + ita_attr_dummy_t *ita_attr = (ita_attr_dummy_t*)attr; DBG1(DBG_IMC, "received dummy attribute value (%d bytes)", ita_attr->get_size(ita_attr)); +#endif } } enumerator->destroy(enumerator); diff -Nru strongswan-5.9.8/src/libimcv/plugins/imc_test/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imc_test/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imc_test/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imc_test/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
@@ -429,7 +429,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_attestation/attest_db.c strongswan-5.9.11/src/libimcv/plugins/imv_attestation/attest_db.c --- strongswan-5.9.8/src/libimcv/plugins/imv_attestation/attest_db.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_attestation/attest_db.c 2023-03-27 21:00:49.000000000 +0000 @@ -181,7 +181,7 @@ }; -char* print_cfn(pts_comp_func_name_t *cfn) +static char* print_cfn(pts_comp_func_name_t *cfn) { static char buf[BUF_LEN]; char flags[8]; diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c strongswan-5.9.11/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c --- strongswan-5.9.8/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_attestation/imv_attestation_agent.c 2023-06-08 10:35:17.000000000 +0000 
@@ -206,19 +206,18 @@ { ietf_attr_pa_tnc_error_t *error_attr; pen_type_t error_code; - chunk_t msg_info; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); if (error_code.vendor_id == PEN_TCG) { - msg_info = error_attr->get_msg_info(error_attr); - +#if DEBUG_LEVEL >= 1 + chunk_t msg_info = error_attr->get_msg_info(error_attr); DBG1(DBG_IMV, "received TCG-PTS error '%N'", pts_error_code_names, error_code.type); DBG1(DBG_IMV, "error information: %B", &msg_info); - +#endif /* DEBUG_LEVEL */ /* TPM 2.0 doesn't return TPM Version Information */ if (error_code.type != TCG_PTS_TPM_VERS_NOT_SUPPORTED) { diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_attestation/imv_attestation_process.c strongswan-5.9.11/src/libimcv/plugins/imv_attestation/imv_attestation_process.c --- strongswan-5.9.8/src/libimcv/plugins/imv_attestation/imv_attestation_process.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_attestation/imv_attestation_process.c 2023-06-08 10:35:17.000000000 +0000 @@ -228,7 +228,7 @@ TNC_IMV_Action_Recommendation rec; tcg_pts_attr_file_meas_t *attr_cast; uint16_t request_id; - int arg_int, file_count; + int arg_int, file_count DBG_UNUSED; pts_meas_algorithms_t algo; pts_file_meas_t *measurements; imv_workitem_t *workitem, *found = NULL; @@ -364,6 +364,7 @@ } case TCG_PTS_UNIX_FILE_META: { +#if DEBUG_LEVEL >= 1 tcg_pts_attr_file_meta_t *attr_cast; int file_count; pts_file_meta_t *metadata; @@ -395,6 +396,7 @@ &created, utc, &modified, utc, &accessed, utc); } e->destroy(e); +#endif /* DEBUG_LEVEL */ break; } case TCG_PTS_SIMPLE_COMP_EVID: diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_attestation/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imv_attestation/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imv_attestation/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_attestation/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
@@ -447,7 +447,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c strongswan-5.9.11/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c --- strongswan-5.9.8/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c 2023-06-08 10:35:17.000000000 +0000 @@ -175,7 +175,7 @@ imv_msg_t *out_msg; imv_hcd_state_t *hcd_state; pa_tnc_attr_t *attr; - enum_name_t *pa_subtype_names; + enum_name_t *pa_subtype_names DBG_UNUSED; pen_type_t type, msg_type; TNC_Result result; bool fatal_error = FALSE, assessment = FALSE; @@ -220,6 +220,7 @@ { case IETF_ATTR_FORWARDING_ENABLED: { +#if DEBUG_LEVEL >= 2 ietf_attr_fwd_enabled_t *attr_cast; os_fwd_status_t fwd_status; @@ -227,12 +228,14 @@ fwd_status = attr_cast->get_status(attr_cast); DBG2(DBG_IMV, " %N: %N", ietf_attr_names, type.type, os_fwd_status_names, fwd_status); +#endif /* DEBUG_LEVEL */ state->set_action_flags(state, IMV_HCD_ATTR_FORWARDING_ENABLED); break; } case IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED: { +#if DEBUG_LEVEL >= 2 generic_attr_bool_t *attr_cast; bool status; @@ -240,6 +243,7 @@ status = attr_cast->get_status(attr_cast); DBG2(DBG_IMV, " %N: %s", ietf_attr_names, type.type, status ? "yes" : "no"); +#endif /* DEBUG_LEVEL */ state->set_action_flags(state, IMV_HCD_ATTR_DEFAULT_PWD_ENABLED); break; 
@@ -265,49 +269,47 @@ case PWG_HCD_USER_APP_NAME: case PWG_HCD_USER_APP_STRING_VERSION: { - chunk_t value; - - value = attr->get_value(attr); +#if DEBUG_LEVEL >= 2 + chunk_t value = attr->get_value(attr); DBG2(DBG_IMV, " %N: %.*s", pwg_attr_names, type.type, - value.len, value.ptr); + (int)value.len, value.ptr); +#endif /* DEBUG_LEVEL */ break; } case PWG_HCD_FIRMWARE_PATCHES: case PWG_HCD_RESIDENT_APP_PATCHES: case PWG_HCD_USER_APP_PATCHES: { - chunk_t value; - size_t len; - - value = attr->get_value(attr); - len = value.len; +#if DEBUG_LEVEL >= 2 + chunk_t value = attr->get_value(attr); /* remove any trailing LF from patches string */ - if (len && (value.ptr[len - 1] == '\n')) + if (value.len && (value.ptr[value.len - 1] == '\n')) { - len--; + value.len--; } DBG2(DBG_IMV, " %N:%s%.*s", pwg_attr_names, type.type, - len ? "\n" : " ", len, value.ptr); + value.len ? "\n" : " ", (int)value.len, value.ptr); +#endif /* DEBUG_LEVEL */ break; } case PWG_HCD_FIRMWARE_VERSION: case PWG_HCD_RESIDENT_APP_VERSION: case PWG_HCD_USER_APP_VERSION: { - chunk_t value; - - value = attr->get_value(attr); +#if DEBUG_LEVEL >= 2 + chunk_t value = attr->get_value(attr); DBG2(DBG_IMV, " %N: %#B", pwg_attr_names, type.type, &value); +#endif /* DEBUG_LEVEL */ break; } case PWG_HCD_CERTIFICATION_STATE: case PWG_HCD_CONFIGURATION_STATE: { - chunk_t value; - - value = attr->get_value(attr); +#if DEBUG_LEVEL >= 2 + chunk_t value = attr->get_value(attr); DBG2(DBG_IMV, " %N: %B", pwg_attr_names, type.type, &value); +#endif /* DEBUG_LEVEL */ break; } case PWG_HCD_DEFAULT_PWD_ENABLED: @@ -332,6 +334,7 @@ } case PWG_HCD_FORWARDING_ENABLED: { +#if DEBUG_LEVEL >= 2 ietf_attr_fwd_enabled_t *attr_cast; os_fwd_status_t fwd_status; 
@@ -339,11 +342,13 @@ fwd_status = attr_cast->get_status(attr_cast); DBG2(DBG_IMV, " %N: %N", pwg_attr_names, type.type, os_fwd_status_names, fwd_status); +#endif /* DEBUG_LEVEL */ break; } case PWG_HCD_VENDOR_SMI_CODE: { +#if DEBUG_LEVEL >= 2 pwg_attr_vendor_smi_code_t *attr_cast; uint32_t smi_code; @@ -351,6 +356,7 @@ smi_code = attr_cast->get_vendor_smi_code(attr_cast); DBG2(DBG_IMV, " %N: 0x%06x (%u)", pwg_attr_names, type.type, smi_code, smi_code); +#endif /* DEBUG_LEVEL */ break; } default: @@ -590,7 +596,7 @@ imv_state_t *state; imv_hcd_state_t* hcd_state; imv_hcd_handshake_state_t handshake_state; - enum_name_t *pa_subtype_names; + enum_name_t *pa_subtype_names DBG_UNUSED; bool missing = FALSE; uint32_t received; int i; diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_hcd/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imv_hcd/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imv_hcd/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_hcd/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -429,7 +429,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_os/imv_os_agent.c strongswan-5.9.11/src/libimcv/plugins/imv_os/imv_os_agent.c --- strongswan-5.9.8/src/libimcv/plugins/imv_os/imv_os_agent.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_os/imv_os_agent.c 2023-06-08 10:35:17.000000000 +0000 
@@ -250,20 +250,17 @@ } case IETF_ATTR_OPERATIONAL_STATUS: { - ietf_attr_op_status_t *attr_cast; - op_status_t op_status; - op_result_t op_result; - time_t last_boot; - state->set_action_flags(state, IMV_OS_ATTR_OPERATIONAL_STATUS); - attr_cast = (ietf_attr_op_status_t*)attr; - op_status = attr_cast->get_status(attr_cast); - op_result = attr_cast->get_result(attr_cast); - last_boot = attr_cast->get_last_use(attr_cast); +#if DEBUG_LEVEL >= 1 + ietf_attr_op_status_t *attr_cast = (ietf_attr_op_status_t*)attr; + op_status_t op_status = attr_cast->get_status(attr_cast); + op_result_t op_result = attr_cast->get_result(attr_cast); + time_t last_boot = attr_cast->get_last_use(attr_cast); DBG1(DBG_IMV, "operational status: %N, result: %N", op_status_names, op_status, op_result_names, op_result); DBG1(DBG_IMV, "last boot: %T", &last_boot, TRUE); +#endif /* DEBUG_LEVEL */ break; } case IETF_ATTR_FORWARDING_ENABLED: diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_os/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imv_os/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imv_os/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_os/Makefile.in 2023-06-12 05:50:41.000000000 +0000 @@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_scanner/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imv_scanner/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imv_scanner/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_scanner/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
@@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_swima/imv_swima_agent.c strongswan-5.9.11/src/libimcv/plugins/imv_swima/imv_swima_agent.c --- strongswan-5.9.8/src/libimcv/plugins/imv_swima/imv_swima_agent.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_swima/imv_swima_agent.c 2023-06-08 10:35:17.000000000 +0000 @@ -134,7 +134,7 @@ enumerator = in_msg->create_attribute_enumerator(in_msg); while (enumerator->enumerate(enumerator, &attr)) { - uint32_t request_id = 0, last_eid, eid_epoch; + uint32_t request_id = 0, last_eid DBG_UNUSED, eid_epoch; swima_inventory_t *inventory; swima_events_t *events; pen_type_t type; diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_swima/imv_swima_state.c strongswan-5.9.11/src/libimcv/plugins/imv_swima/imv_swima_state.c --- strongswan-5.9.8/src/libimcv/plugins/imv_swima/imv_swima_state.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_swima/imv_swima_state.c 2023-06-08 10:35:17.000000000 +0000 @@ -312,7 +312,7 @@ private_imv_swima_state_t *this, swima_inventory_t *inventory) { chunk_t sw_id, sw_locator; - uint32_t record_id; + uint32_t record_id DBG_UNUSED; char *sw_id_str; json_object *jstring; swima_record_t *sw_record; diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_swima/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imv_swima/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imv_swima/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_swima/Makefile.in 2023-06-12 05:50:41.000000000 +0000 
@@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_test/imv_test_agent.c strongswan-5.9.11/src/libimcv/plugins/imv_test/imv_test_agent.c --- strongswan-5.9.8/src/libimcv/plugins/imv_test/imv_test_agent.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_test/imv_test_agent.c 2023-06-08 10:35:17.000000000 +0000 @@ -163,11 +163,11 @@ } else if (attr_type.type == ITA_ATTR_DUMMY) { - ita_attr_dummy_t *ita_attr; - - ita_attr = (ita_attr_dummy_t*)attr; +#if DEBUG_LEVEL >= 1 + ita_attr_dummy_t *ita_attr = (ita_attr_dummy_t*)attr; DBG1(DBG_IMV, "received dummy attribute value (%d bytes)", ita_attr->get_size(ita_attr)); +#endif } } enumerator->destroy(enumerator); diff -Nru strongswan-5.9.8/src/libimcv/plugins/imv_test/Makefile.in strongswan-5.9.11/src/libimcv/plugins/imv_test/Makefile.in --- strongswan-5.9.8/src/libimcv/plugins/imv_test/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/plugins/imv_test/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -430,7 +430,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libimcv/pts/components/ita/ita_comp_ima.c strongswan-5.9.11/src/libimcv/pts/components/ita/ita_comp_ima.c --- strongswan-5.9.8/src/libimcv/pts/components/ita/ita_comp_ima.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/pts/components/ita/ita_comp_ima.c 2023-06-08 10:35:17.000000000 +0000 
@@ -964,7 +964,7 @@
 METHOD(pts_component_t, destroy, void, pts_ita_comp_ima_t *this) {
- int count;
+ int count DBG_UNUSED;
 if (ref_put(&this->ref)) {
diff -Nru strongswan-5.9.8/src/libimcv/pts/components/ita/ita_comp_tboot.c strongswan-5.9.11/src/libimcv/pts/components/ita/ita_comp_tboot.c
--- strongswan-5.9.8/src/libimcv/pts/components/ita/ita_comp_tboot.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libimcv/pts/components/ita/ita_comp_tboot.c 2023-06-08 10:35:17.000000000 +0000
@@ -192,8 +192,8 @@
 pts_comp_evidence_t *evidence) {
 bool has_pcr_info;
- uint32_t extended_pcr, vid, name;
- enum_name_t *names;
+ uint32_t extended_pcr, vid, name DBG_UNUSED;
+ enum_name_t *names DBG_UNUSED;
 pts_meas_algorithms_t algo;
 pts_pcr_transform_t transform;
 pts_pcr_t *pcrs;
@@ -312,9 +312,9 @@
 METHOD(pts_component_t, destroy, void, pts_ita_comp_tboot_t *this) {
- int count;
- uint32_t vid, name;
- enum_name_t *names;
+ int count DBG_UNUSED;
+ uint32_t vid, name DBG_UNUSED;
+ enum_name_t *names DBG_UNUSED;
 if (ref_put(&this->ref)) {
diff -Nru strongswan-5.9.8/src/libimcv/pts/components/pts_comp_func_name.c strongswan-5.9.11/src/libimcv/pts/components/pts_comp_func_name.c
--- strongswan-5.9.8/src/libimcv/pts/components/pts_comp_func_name.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libimcv/pts/components/pts_comp_func_name.c 2023-06-08 10:35:17.000000000 +0000
@@ -107,7 +107,7 @@
 { enum_name_t *names, *types;
 char flags[8];
- int type;
+ int type DBG_UNUSED;
 names = imcv_pts_components->get_comp_func_names(imcv_pts_components, this->vid);
diff -Nru strongswan-5.9.8/src/libimcv/pts/pts.c strongswan-5.9.11/src/libimcv/pts/pts.c
--- strongswan-5.9.8/src/libimcv/pts/pts.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libimcv/pts/pts.c 2023-06-08 10:35:17.000000000 +0000
@@ -798,7 +798,6 @@ private_pts_t *this, tpm_quote_mode_t *quote_mode, tpm_tss_quote_info_t **quote_info, chunk_t *quote_sig) { - chunk_t pcr_value, pcr_computed; hash_algorithm_t hash_alg; uint32_t pcr, pcr_sel = 0; enumerator_t *enumerator; @@ -810,14 +809,16 @@ enumerator = this->pcrs->create_enumerator(this->pcrs); while (enumerator->enumerate(enumerator, &pcr)) { +#if DEBUG_LEVEL >= 2 + chunk_t pcr_value; if (this->tpm->read_pcr(this->tpm, pcr, &pcr_value, hash_alg)) { - pcr_computed = this->pcrs->get(this->pcrs, pcr); + chunk_t pcr_computed = this->pcrs->get(this->pcrs, pcr); DBG2(DBG_PTS, "PCR %2d %#B %s", pcr, &pcr_value, chunk_equals(pcr_value, pcr_computed) ? "ok" : "differs"); chunk_free(&pcr_value); - }; - + } +#endif /* add PCR to selection list */ pcr_sel |= (1 << pcr); } diff -Nru strongswan-5.9.8/src/libimcv/pts/pts_dh_group.c strongswan-5.9.11/src/libimcv/pts/pts_dh_group.c --- strongswan-5.9.8/src/libimcv/pts/pts_dh_group.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/pts/pts_dh_group.c 2023-06-08 10:35:17.000000000 +0000 
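Review bot: The PCR read and the ok/differs comparison against `this->pcrs->get()` in the second pts.c hunk are now compiled out below DEBUG_LEVEL 2, which makes explicit what was already true: a mismatch between the live TPM value and the computed value never influenced the result, it only produced a log line. A comment above the new `#if` would stop the next reader from looking for a missing verification step, e.g. `/* diagnostic only: the comparison is logged, not enforced; presumably the signed quote is what gets verified */`, with the hedge confirmed against the caller. The enclosing function starts before the first hunk and continues after the second.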
@@ -26,43 +26,40 @@ enumerator_t *enumerator; key_exchange_method_t dh_group; const char *plugin_name; - char format1[] = " %s PTS DH group %N[%s] available"; - char format2[] = " %s PTS DH group %N not available"; *dh_groups = PTS_DH_GROUP_NONE; enumerator = lib->crypto->create_ke_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &dh_group, &plugin_name)) { - if (dh_group == MODP_1024_BIT) - { - *dh_groups |= PTS_DH_GROUP_IKE2; - DBG2(DBG_PTS, format1, "optional ", key_exchange_method_names, - dh_group, plugin_name); - } - else if (dh_group == MODP_1536_BIT) - { - *dh_groups |= PTS_DH_GROUP_IKE5; - DBG2(DBG_PTS, format1, "optional ", key_exchange_method_names, - dh_group, plugin_name); - } - else if (dh_group == MODP_2048_BIT) - { - *dh_groups |= PTS_DH_GROUP_IKE14; - DBG2(DBG_PTS, format1, "optional ", key_exchange_method_names, - dh_group, plugin_name); - } - else if (dh_group == ECP_256_BIT) + pts_dh_group_t mapped = PTS_DH_GROUP_NONE; + + switch (dh_group) { - *dh_groups |= PTS_DH_GROUP_IKE19; - DBG2(DBG_PTS, format1, "mandatory", key_exchange_method_names, - dh_group, plugin_name); + case MODP_1024_BIT: + mapped = PTS_DH_GROUP_IKE2; + break; + case MODP_1536_BIT: + mapped = PTS_DH_GROUP_IKE5; + break; + case MODP_2048_BIT: + mapped = PTS_DH_GROUP_IKE14; + break; + case ECP_256_BIT: + mapped = PTS_DH_GROUP_IKE19; + break; + case ECP_384_BIT: + mapped = PTS_DH_GROUP_IKE20; + break; + default: + break; } - else if (dh_group == ECP_384_BIT) + if (mapped != PTS_DH_GROUP_NONE) { - *dh_groups |= PTS_DH_GROUP_IKE20; - DBG2(DBG_PTS, format1, "optional ", key_exchange_method_names, - dh_group, plugin_name); + *dh_groups |= mapped; + DBG2(DBG_PTS, " %s PTS DH group %N[%s] available", + mapped == PTS_DH_GROUP_IKE19 ? "mandatory" : "optional ", + key_exchange_method_names, dh_group, plugin_name); } } enumerator->destroy(enumerator); 
@@ -79,8 +76,8 @@ } if (mandatory_dh_groups) { - DBG1(DBG_PTS, format2, "mandatory", key_exchange_method_names, - ECP_256_BIT); + DBG1(DBG_PTS, " mandatory PTS DH group %N[%s] available", + key_exchange_method_names, ECP_256_BIT); return FALSE; } diff -Nru strongswan-5.9.8/src/libimcv/pts/pts_ima_bios_list.c strongswan-5.9.11/src/libimcv/pts/pts_ima_bios_list.c --- strongswan-5.9.8/src/libimcv/pts/pts_ima_bios_list.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/pts/pts_ima_bios_list.c 2023-06-08 10:35:17.000000000 +0000 @@ -201,11 +201,10 @@ pts_meas_algorithms_t algo) { private_pts_ima_bios_list_t *this; - uint32_t pcr, ev_type, event_type, event_len, seek_len, count = 1; + uint32_t pcr, event_type, event_len, seek_len, count = 1; uint32_t buf_len = 8192; uint8_t event_buf[buf_len]; hash_algorithm_t hash_alg; - chunk_t event; bios_entry_t *entry; struct stat st; ssize_t res; @@ -276,10 +275,12 @@ { break; } - ev_type = (event_type < EV_EFI_EVENT_BASE) ? - event_type : event_type - EV_EFI_OFFSET; +#if DEBUG_LEVEL >= 2 + uint32_t ev_type = (event_type < EV_EFI_EVENT_BASE) ? + event_type : event_type - EV_EFI_OFFSET; DBG2(DBG_PTS, "%3u %2u %N (%u bytes)", count, pcr, event_type_names, - ev_type, event_len); + ev_type, event_len); +#endif seek_len = (event_len > buf_len) ? event_len - buf_len : 0; event_len -= seek_len; @@ -310,8 +311,7 @@ default: break; } - event = chunk_create(event_buf, event_len); - DBG3(DBG_PTS,"%B", &event); + DBG3(DBG_PTS, "%b", event_buf, event_len); if (seek_len > 0 && lseek(fd, seek_len, SEEK_CUR) == -1) { diff -Nru strongswan-5.9.8/src/libimcv/pts/pts_ima_event_list.c strongswan-5.9.11/src/libimcv/pts/pts_ima_event_list.c --- strongswan-5.9.8/src/libimcv/pts/pts_ima_event_list.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/pts/pts_ima_event_list.c 2023-06-08 10:35:17.000000000 +0000 
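Review bot: The replacement message in this hunk is wrong in two ways: it says the mandatory group is `available` while the function returns FALSE precisely because it is not, and the `%N[%s]` format expects a plugin-name string that is not passed (only `key_exchange_method_names` and `ECP_256_BIT` follow), so the `%s` conversion reads a vararg that was never supplied. The removed `format2` text gives the intended line: `DBG1(DBG_PTS, " mandatory PTS DH group %N not available", key_exchange_method_names, ECP_256_BIT);`. The sibling pts_meas_algo.c hunks further down keep the correct `not available` wording and argument count via `ALG_UNAVAIL`. The enclosing function starts before this hunk.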
@@ -139,7 +139,7 @@
 size_t hash_size;
 char type[IMA_TYPE_LEN_MAX];
 char algo_digest[IMA_ALGO_DIGEST_LEN_MAX];
- char *pos, *error = "";
+ char *pos, *error DBG_UNUSED = "";
 struct stat st;
 ssize_t res;
 bool ima_ng;
diff -Nru strongswan-5.9.8/src/libimcv/pts/pts_meas_algo.c strongswan-5.9.11/src/libimcv/pts/pts_meas_algo.c
--- strongswan-5.9.8/src/libimcv/pts/pts_meas_algo.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libimcv/pts/pts_meas_algo.c 2023-06-08 10:35:17.000000000 +0000
@@ -34,6 +34,8 @@
 "SHA1");
 ENUM_END(pts_meas_algorithm_names, PTS_MEAS_ALGO_SHA1);
+#define ALG_UNAVAIL " %s PTS measurement algorithm %N not available"
+
 /** * Described in header. */
@@ -42,48 +44,51 @@ enumerator_t *enumerator; hash_algorithm_t hash_alg; const char *plugin_name; - char format1[] = " %s PTS measurement algorithm %N[%s] available"; - char format2[] = " %s PTS measurement algorithm %N not available"; *algorithms = 0; enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name)) { - if (hash_alg == HASH_SHA1) - { - *algorithms |= PTS_MEAS_ALGO_SHA1; - DBG2(DBG_PTS, format1, "mandatory", hash_algorithm_names, hash_alg, - plugin_name); - } - else if (hash_alg == HASH_SHA256) - { - *algorithms |= PTS_MEAS_ALGO_SHA256; - DBG2(DBG_PTS, format1, "mandatory", hash_algorithm_names, hash_alg, - plugin_name); - } - else if (hash_alg == HASH_SHA384) + pts_meas_algorithms_t mapped = 0; + bool mandatory DBG_UNUSED = FALSE; + + switch (hash_alg) { - *algorithms |= PTS_MEAS_ALGO_SHA384; - DBG2(DBG_PTS, format1, "optional ", hash_algorithm_names, hash_alg, - plugin_name); + case HASH_SHA1: + mapped = PTS_MEAS_ALGO_SHA1; + mandatory = TRUE; + break; + case HASH_SHA256: + mapped = PTS_MEAS_ALGO_SHA256; + mandatory = TRUE; + break; + case HASH_SHA384: + mapped = PTS_MEAS_ALGO_SHA384; + break; + case HASH_SHA512: + mapped = PTS_MEAS_ALGO_SHA512; + break; + default: + break; } - else if (hash_alg == HASH_SHA512) + if (mapped) { - *algorithms |= PTS_MEAS_ALGO_SHA512; - DBG2(DBG_PTS, format1, "optional ", hash_algorithm_names, hash_alg, - plugin_name); + *algorithms |= mapped; + DBG2(DBG_PTS, " %s PTS measurement algorithm %N[%s] available", + mandatory ? 
"mandatory" : "optional ", hash_algorithm_names, + hash_alg, plugin_name); } } enumerator->destroy(enumerator); if (!(*algorithms & PTS_MEAS_ALGO_SHA512)) { - DBG1(DBG_PTS, format2, "optional ", hash_algorithm_names, HASH_SHA512); + DBG1(DBG_PTS, ALG_UNAVAIL, "optional ", hash_algorithm_names, HASH_SHA512); } if (!(*algorithms & PTS_MEAS_ALGO_SHA384)) { - DBG1(DBG_PTS, format2, "optional ", hash_algorithm_names, HASH_SHA384); + DBG1(DBG_PTS, ALG_UNAVAIL, "optional ", hash_algorithm_names, HASH_SHA384); } if ((*algorithms & PTS_MEAS_ALGO_SHA1) && (*algorithms & PTS_MEAS_ALGO_SHA256)) @@ -92,11 +97,11 @@ } if (!(*algorithms & PTS_MEAS_ALGO_SHA256)) { - DBG1(DBG_PTS, format2, "mandatory", hash_algorithm_names, HASH_SHA256); + DBG1(DBG_PTS, ALG_UNAVAIL, "mandatory", hash_algorithm_names, HASH_SHA256); } if (!(*algorithms & PTS_MEAS_ALGO_SHA1)) { - DBG1(DBG_PTS, format2, "mandatory", hash_algorithm_names, HASH_SHA1); + DBG1(DBG_PTS, ALG_UNAVAIL, "mandatory", hash_algorithm_names, HASH_SHA1); } return FALSE; } diff -Nru strongswan-5.9.8/src/libimcv/suites/test_imcv_swima.c strongswan-5.9.11/src/libimcv/suites/test_imcv_swima.c --- strongswan-5.9.8/src/libimcv/suites/test_imcv_swima.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/suites/test_imcv_swima.c 2023-06-08 10:35:17.000000000 +0000 
@@ -1000,9 +1000,9 @@ swima_events_t *events; swima_record_t *sw_record; swima_event_t *sw_event; - chunk_t sw_id, sw_locator, swid_tag; + chunk_t sw_id DBG_UNUSED, sw_locator, swid_tag DBG_UNUSED; enumerator_t *enumerator; - uint8_t source_id; + uint8_t source_id DBG_UNUSED; int item = 0, items; targets = swima_inventory_create(); diff -Nru strongswan-5.9.8/src/libimcv/tcg/pts/tcg_pts_attr_simple_comp_evid.c strongswan-5.9.11/src/libimcv/tcg/pts/tcg_pts_attr_simple_comp_evid.c --- strongswan-5.9.8/src/libimcv/tcg/pts/tcg_pts_attr_simple_comp_evid.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libimcv/tcg/pts/tcg_pts_attr_simple_comp_evid.c 2023-03-27 21:00:49.000000000 +0000 @@ -159,7 +159,7 @@ /** * Convert time_t to Simple Component Evidence UTS string format */ -void measurement_time_to_utc(time_t measurement_time, chunk_t *utc_time) +static void measurement_time_to_utc(time_t measurement_time, chunk_t *utc_time) { struct tm t; @@ -260,7 +260,7 @@ /** * Convert Simple Component Evidence UTS string format to time_t */ -bool measurement_time_from_utc(time_t *measurement_time, chunk_t utc_time) +static bool measurement_time_from_utc(time_t *measurement_time, chunk_t utc_time) { int tm_year, tm_mon, tm_day, tm_hour, tm_min, tm_sec; int tm_leap_4, tm_leap_100, tm_leap_400, tm_leap; diff -Nru strongswan-5.9.8/src/libipsec/esp_packet.c strongswan-5.9.11/src/libipsec/esp_packet.c --- strongswan-5.9.8/src/libipsec/esp_packet.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/esp_packet.c 2023-06-08 10:35:17.000000000 +0000 @@ -185,8 +185,8 @@ static bool remove_padding(private_esp_packet_t *this, chunk_t plaintext) { uint8_t next_header, pad_length; - chunk_t padding, payload; bio_reader_t *reader; + chunk_t padding; reader = bio_reader_create(plaintext); if (!reader->read_uint8_end(reader, &next_header) || 
@@ -209,11 +209,13 @@ return FALSE; } this->next_header = next_header; - payload = this->payload->get_encoding(this->payload); +#if DEBUG_LEVEL >= 3 + chunk_t encoding = this->payload->get_encoding(this->payload); DBG3(DBG_ESP, "ESP payload:\n payload %B\n padding %B\n " - "padding length = %hhu, next header = %hhu", &payload, &padding, + "padding length = %hhu, next header = %hhu", &encoding, &padding, pad_length, this->next_header); +#endif return TRUE; failed: diff -Nru strongswan-5.9.8/src/libipsec/ipsec_event_listener.h strongswan-5.9.11/src/libipsec/ipsec_event_listener.h --- strongswan-5.9.8/src/libipsec/ipsec_event_listener.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_event_listener.h 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2013 Tobias Brunner * * Copyright (C) secunet Security Networks AG * @@ -25,6 +25,7 @@ typedef struct ipsec_event_listener_t ipsec_event_listener_t; #include +#include /** * Listener interface for IPsec events @@ -42,6 +43,13 @@ * @param hard TRUE if this is a hard expire, FALSE otherwise */ void (*expire)(uint8_t protocol, uint32_t spi, host_t *dst, bool hard); + + /** + * Called when no IPsec SA is found for an outbound policy + * + * @param reqid reqid of the policy for which to acquire an SA + */ + void (*acquire)(uint32_t reqid); }; #endif /** IPSEC_EVENT_LISTENER_H_ @}*/ diff -Nru strongswan-5.9.8/src/libipsec/ipsec_event_relay.c strongswan-5.9.11/src/libipsec/ipsec_event_relay.c --- strongswan-5.9.8/src/libipsec/ipsec_event_relay.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_event_relay.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2013 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * 
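Review bot: The new `acquire` member added to `ipsec_event_listener_t` in the last listener-header hunk is optional in practice — the relay dispatch in ipsec_event_relay.c only invokes it after an `if (current->acquire)` check, as it already does for `expire` — but the doc block does not say so, and a listener built without designated initializers would leave the new pointer indeterminate. State it on the member, e.g. `* May be NULL if the listener is not interested in acquires.`, and the same sentence fits `expire`. The struct definition starts before this hunk.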
@@ -63,33 +63,30 @@ */ enum { IPSEC_EVENT_EXPIRE, + IPSEC_EVENT_ACQUIRE, } type; /** - * Protocol of the SA - */ - uint8_t protocol; - - /** - * SPI of the SA, if any - */ - uint32_t spi; - - /** - * SA destination address - */ - host_t *dst; - - /** - * Additional data for specific event types + * Data for specific event types */ union { struct { + /** Protocol of the SA */ + uint8_t protocol; + /** SPI of the SA */ + uint32_t spi; + /** SA destination address */ + host_t *dst; /** TRUE in case of a hard expire */ bool hard; } expire; + struct { + /** Reqid of the SA */ + uint32_t reqid; + } acquire; + } data; } ipsec_event_t; @@ -99,7 +96,14 @@ */ static void ipsec_event_destroy(ipsec_event_t *event) { - event->dst->destroy(event->dst); + switch (event->type) + { + case IPSEC_EVENT_EXPIRE: + event->data.expire.dst->destroy(event->data.expire.dst); + break; + case IPSEC_EVENT_ACQUIRE: + break; + } free(event); } @@ -123,10 +127,18 @@ case IPSEC_EVENT_EXPIRE: if (current->expire) { - current->expire(event->protocol, event->spi, event->dst, + current->expire(event->data.expire.protocol, + event->data.expire.spi, + event->data.expire.dst, event->data.expire.hard); } break; + case IPSEC_EVENT_ACQUIRE: + if (current->acquire) + { + current->acquire(event->data.acquire.reqid); + } + break; } } enumerator->destroy(enumerator); @@ -143,11 +155,11 @@ INIT(event, .type = IPSEC_EVENT_EXPIRE, - .protocol = protocol, - .spi = spi, - .dst = dst->clone(dst), .data = { .expire = { + .protocol = protocol, + .spi = spi, + .dst = dst->clone(dst), .hard = hard, }, }, 
@@ -155,6 +167,22 @@ this->queue->enqueue(this->queue, event); } +METHOD(ipsec_event_relay_t, acquire, void, + private_ipsec_event_relay_t *this, uint32_t reqid) +{ + ipsec_event_t *event; + + INIT(event, + .type = IPSEC_EVENT_ACQUIRE, + .data = { + .acquire = { + .reqid = reqid, + }, + }, + ); + this->queue->enqueue(this->queue, event); +} + METHOD(ipsec_event_relay_t, register_listener, void, private_ipsec_event_relay_t *this, ipsec_event_listener_t *listener) { @@ -190,6 +218,7 @@ INIT(this, .public = { .expire = _expire, + .acquire = _acquire, .register_listener = _register_listener, .unregister_listener = _unregister_listener, .destroy = _destroy, diff -Nru strongswan-5.9.8/src/libipsec/ipsec_event_relay.h strongswan-5.9.11/src/libipsec/ipsec_event_relay.h --- strongswan-5.9.8/src/libipsec/ipsec_event_relay.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_event_relay.h 2023-06-08 10:35:17.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2013 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * @@ -48,6 +49,13 @@ host_t *dst, bool hard); /** + * Raise an acquire event. + * + * @param reqid reqid of the policy for which to acquire an SA + */ + void (*acquire)(ipsec_event_relay_t *this, uint32_t reqid); + + /** * Register a listener to events raised by this manager * * @param listener the listener to register diff -Nru strongswan-5.9.8/src/libipsec/ipsec_processor.c strongswan-5.9.11/src/libipsec/ipsec_processor.c --- strongswan-5.9.8/src/libipsec/ipsec_processor.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_processor.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * * Copyright (C) secunet Security Networks AG * 
@@ -169,12 +169,12 @@ * Send an ESP packet using the registered outbound callback */ static void send_outbound(private_ipsec_processor_t *this, - esp_packet_t *packet) + esp_packet_t *packet, bool encap) { this->lock->read_lock(this->lock); if (this->outbound.cb) { - this->outbound.cb(this->outbound.data, packet); + this->outbound.cb(this->outbound.data, packet, encap); } else { @@ -194,6 +194,7 @@ ip_packet_t *packet; ipsec_sa_t *sa; host_t *src, *dst; + bool acquire = FALSE, encap = FALSE; packet = (ip_packet_t*)this->outbound_queue->dequeue(this->outbound_queue); @@ -208,11 +209,22 @@ } sa = ipsec->sas->checkout_by_reqid(ipsec->sas, policy->get_reqid(policy), - FALSE); + FALSE, &acquire); if (!sa) - { /* TODO-IPSEC: send an acquire to upper layer */ - DBG1(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, " - "dropping packet", policy->get_reqid(policy)); + { + if (acquire) + { + DBG1(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, " + "dropping packet and triggering acquire", + policy->get_reqid(policy)); + ipsec->events->acquire(ipsec->events, policy->get_reqid(policy)); + } + else + { + DBG2(DBG_ESP, "could not find an outbound IPsec SA for reqid {%u}, " + "dropping packet while acquire is pending", + policy->get_reqid(policy)); + } packet->destroy(packet); policy->destroy(policy); return JOB_REQUEUE_DIRECT; @@ -230,9 +242,10 @@ return JOB_REQUEUE_DIRECT; } sa->update_usestats(sa, packet->get_encoding(packet).len); + encap = sa->get_encap(sa); ipsec->sas->checkin(ipsec->sas, sa); policy->destroy(policy); - send_outbound(this, esp_packet); + send_outbound(this, esp_packet, encap); return JOB_REQUEUE_DIRECT; } diff -Nru strongswan-5.9.8/src/libipsec/ipsec_processor.h strongswan-5.9.11/src/libipsec/ipsec_processor.h --- strongswan-5.9.8/src/libipsec/ipsec_processor.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_processor.h 2023-06-08 10:35:17.000000000 +0000 
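Review bot: `policy->get_reqid(policy)` is evaluated three times in the new `!sa` branch of the third hunk (both log lines and the `acquire` call), on top of the call already made in the `checkout_by_reqid` argument; a single `uint32_t reqid = policy->get_reqid(policy);` in the function prologue (the second hunk) would keep the uses in sync and shorten the wrapped lines. A short comment on the `else` branch, `/* rate-limited per reqid by ACQUIRE_TIMEOUT in ipsec_sa_mgr.c */`, would also explain why this path logs only at DBG2. The function continues outside the hunk.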
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * * Copyright (C) secunet Security Networks AG * @@ -43,8 +43,10 @@ * * @param data data supplied during registration of the callback * @param packet ESP packet to send + * @param encap TRUE to send the packet with UDP encapsulation */ -typedef void (*ipsec_outbound_cb_t)(void *data, esp_packet_t *packet); +typedef void (*ipsec_outbound_cb_t)(void *data, esp_packet_t *packet, + bool encap); /** * IPsec processor diff -Nru strongswan-5.9.8/src/libipsec/ipsec_sa.c strongswan-5.9.11/src/libipsec/ipsec_sa.c --- strongswan-5.9.8/src/libipsec/ipsec_sa.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_sa.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * @@ -70,6 +70,11 @@ ipsec_mode_t mode; /** + * TRUE if UDP encapsulation should be used when sending + */ + bool encap; + + /** * TRUE if extended sequence numbers are used */ bool esn; @@ -133,6 +138,18 @@ this->dst = addr->clone(addr); } +METHOD(ipsec_sa_t, get_encap, bool, + private_ipsec_sa_t *this) +{ + return this->encap; +} + +METHOD(ipsec_sa_t, set_encap, void, + private_ipsec_sa_t *this, bool encap) +{ + this->encap = encap; +} + METHOD(ipsec_sa_t, get_spi, uint32_t, private_ipsec_sa_t *this) { @@ -285,11 +302,6 @@ DBG1(DBG_ESP, " IPsec SA: protocol not supported"); return NULL; } - if (!encap) - { - DBG1(DBG_ESP, " IPsec SA: only UDP encapsulation is supported"); - return NULL; - } if (esn) { DBG1(DBG_ESP, " IPsec SA: ESN not supported"); @@ -313,6 +325,8 @@ .get_destination = _get_destination, .set_source = _set_source, .set_destination = _set_destination, + .get_encap = _get_encap, + .set_encap = _set_encap, .get_spi = _get_spi, .get_reqid = _get_reqid, .get_protocol = _get_protocol, 
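Review bot: `set_encap` in the ipsec_sa.c -133 hunk writes `this->encap` with no synchronization of its own; in this diff the only writer (update_sa in ipsec_sa_mgr.c) does so while the entry is checked out and before `entry->locked = FALSE`, and the only reader (ipsec_processor.c) reads it before `checkin`. That convention is what makes the plain field safe, so it belongs on the method doc in ipsec_sa.h, e.g. `* Must only be called while the SA is checked out of the SA manager.`. The -285 hunk drops the rejection of non-encapsulated SAs; whether the inbound path also handles plain ESP is not visible here and is worth confirming before relying on it.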
@@ -333,6 +347,7 @@ .protocol = protocol, .reqid = reqid, .mode = mode, + .encap = encap, .esn = esn, .inbound = inbound, ); diff -Nru strongswan-5.9.8/src/libipsec/ipsec_sa.h strongswan-5.9.11/src/libipsec/ipsec_sa.h --- strongswan-5.9.8/src/libipsec/ipsec_sa.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_sa.h 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * @@ -67,6 +67,20 @@ void (*set_destination)(ipsec_sa_t *this, host_t *addr); /** + * Get whether UDP encapsulation should be used for this SA + * + * @return TRUE if encapsulation should be used, FALSE otherwise + */ + bool (*get_encap)(ipsec_sa_t *this); + + /** + * Set whether UDP encapsulation should be used for this SA + * + * @param encap TRUE if encapsulation should be used, FALSE otherwise + */ + void (*set_encap)(ipsec_sa_t *this, bool encap); + + /** * Get the SPI for this SA * * @return SPI of this SA diff -Nru strongswan-5.9.8/src/libipsec/ipsec_sa_mgr.c strongswan-5.9.11/src/libipsec/ipsec_sa_mgr.c --- strongswan-5.9.8/src/libipsec/ipsec_sa_mgr.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_sa_mgr.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2017 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * @@ -27,6 +27,12 @@ #include #include +/** + * Timeout in seconds for acquires for the same reqid (i.e. the interval used + * to trigger acquires while no SA is established). + */ +#define ACQUIRE_TIMEOUT 10 + typedef struct private_ipsec_sa_mgr_t private_ipsec_sa_mgr_t; /** 
@@ -50,6 +56,11 @@ hashtable_t *allocated_spis; /** + * Pending acquires (uint32_t => acquire_entry_t) + */ + hashtable_t *acquires; + + /** * Mutex used to synchronize access to the SA manager */ mutex_t *mutex; @@ -90,7 +101,7 @@ */ bool awaits_deletion; -} ipsec_sa_entry_t; +} ipsec_sa_entry_t; /** * Helper struct for expiration events @@ -119,15 +130,32 @@ } ipsec_sa_expired_t; -/* - * Used for the hash table of allocated SPIs +/** + * Struct to keep track of acquires */ -static bool spi_equals(uint32_t *spi, uint32_t *other_spi) +typedef struct { + + /** + * Reqid of this acquire + */ + uint32_t reqid; + + /** + * Time the entry was created or updated + */ + time_t triggered; + +} acquire_entry_t; + +/** + * Used for the hash table of allocated SPIs and pending acquires + */ +static bool uint32_equals(const uint32_t *spi, const uint32_t *other_spi) { return *spi == *other_spi; } -static u_int spi_hash(uint32_t *spi) +static u_int uint32_hash(const uint32_t *spi) { return chunk_hash(chunk_from_thing(*spi)); } @@ -474,7 +502,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t, private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint32_t spi, - uint8_t protocol, uint32_t reqid, mark_t mark, uint32_t tfc, + uint8_t protocol, uint32_t reqid, mark_t mark, uint32_t tfc, lifetime_cfg_t *lifetime, uint16_t enc_alg, chunk_t enc_key, uint16_t int_alg, chunk_t int_key, ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi, bool initiator, bool encap, bool esn, bool inbound, @@ -508,6 +536,10 @@ spi_alloc = this->allocated_spis->remove(this->allocated_spis, &spi); free(spi_alloc); } + if (!inbound) + { /* remove any acquires for outbound SAs */ + free(this->acquires->remove(this->acquires, &reqid)); + } if (this->sas->find_first(this->sas, match_entry_by_spi_src_dst_cb, NULL, spi, src, dst)) 
@@ -536,13 +568,6 @@ DBG2(DBG_ESP, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", ntohl(spi), src, dst, new_src, new_dst); - if (!new_encap) - { - DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP " - "encapsulation"); - return NOT_SUPPORTED; - } - this->mutex->lock(this->mutex); if (this->sas->find_first(this->sas, match_entry_by_spi_src_dst_cb, (void**)&entry, spi, src, dst) && @@ -550,6 +575,7 @@ { entry->sa->set_source(entry->sa, new_src); entry->sa->set_destination(entry->sa, new_dst); + entry->sa->set_encap(entry->sa, new_encap); /* checkin the entry */ entry->locked = FALSE; entry->condvar->signal(entry->condvar); @@ -620,8 +646,53 @@ return FAILED; } +/** + * Remove all acquires + */ +static void flush_acquires(private_ipsec_sa_mgr_t *this) +{ + enumerator_t *enumerator; + acquire_entry_t *entry; + + DBG2(DBG_ESP, "flushing acquires"); + enumerator = this->acquires->create_enumerator(this->acquires); + while (enumerator->enumerate(enumerator, NULL, (void**)&entry)) + { + this->acquires->remove_at(this->acquires, enumerator); + DBG2(DBG_ESP, " removed acquire for reqid {%u}", entry->reqid); + free(entry); + } + enumerator->destroy(enumerator); +} + +/** + * Check whether an acquire should be sent for the given reqid. + */ +static bool check_acquire(private_ipsec_sa_mgr_t *this, uint32_t reqid) +{ + acquire_entry_t *entry; + time_t now; + + now = time_monotonic(NULL); + + entry = this->acquires->get(this->acquires, &reqid); + if (!entry) + { + INIT(entry, + .reqid = reqid, + ); + this->acquires->put(this->acquires, &entry->reqid, entry); + } + else if (now - entry->triggered <= ACQUIRE_TIMEOUT) + { + return FALSE; + } + entry->triggered = now; + return TRUE; +} + METHOD(ipsec_sa_mgr_t, checkout_by_reqid, ipsec_sa_t*, - private_ipsec_sa_mgr_t *this, uint32_t reqid, bool inbound) + private_ipsec_sa_mgr_t *this, uint32_t reqid, bool inbound, bool *acquire) { ipsec_sa_entry_t *entry; ipsec_sa_t *sa = NULL; 
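Review bot: `check_acquire` and `flush_acquires` in the second hunk read and modify `this->acquires` without taking `this->mutex` and rely on the caller holding it — `checkout_by_reqid` unlocks right after the call and `destroy` flushes between lock and unlock — but neither doc comment says so. Add `* Must be called with this->mutex held.` to both. Separately, an `acquire_entry_t` is only dropped when an outbound SA for its reqid is added or on flush, so a reqid whose policy goes away without an SA ever being installed keeps its entry until destroy; presumably bounded by the number of reqids, but worth a sentence on the `acquires` field.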
@@ -633,6 +704,10 @@ { sa = entry->sa; } + if (!sa && acquire) + { + *acquire = !inbound && check_acquire(this, reqid); + } this->mutex->unlock(this->mutex); return sa; } @@ -687,9 +762,11 @@ this->mutex->lock(this->mutex); flush_entries(this); flush_allocated_spis(this); + flush_acquires(this); this->mutex->unlock(this->mutex); this->allocated_spis->destroy(this->allocated_spis); + this->acquires->destroy(this->acquires); this->sas->destroy(this->sas); this->mutex->destroy(this->mutex); @@ -719,8 +796,10 @@ }, .sas = linked_list_create(), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .allocated_spis = hashtable_create((hashtable_hash_t)spi_hash, - (hashtable_equals_t)spi_equals, 16), + .allocated_spis = hashtable_create((hashtable_hash_t)uint32_hash, + (hashtable_equals_t)uint32_equals, 16), + .acquires = hashtable_create((hashtable_hash_t)uint32_hash, + (hashtable_equals_t)uint32_equals, 16), ); return &this->public; diff -Nru strongswan-5.9.8/src/libipsec/ipsec_sa_mgr.h strongswan-5.9.11/src/libipsec/ipsec_sa_mgr.h --- strongswan-5.9.8/src/libipsec/ipsec_sa_mgr.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/ipsec_sa_mgr.h 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager * 
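Review bot: `*acquire` in the first hunk is only written when no SA was found, so when an SA is found the caller's initial value comes back unchanged, whereas the header hunk in ipsec_sa_mgr.h just below documents FALSE in that case; the sole caller in this diff pre-initialises `acquire = FALSE`, which hides the gap. Let the function own the value: `if (acquire) { *acquire = !sa && !inbound && check_acquire(this, reqid); }`. The function starts before the hunk.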
@@ -174,12 +174,17 @@ * Since other threads may be waiting for a checked out SA, it should be * checked in as soon as possible after use. * + * If no matching outbound SA is found, acquire indicates if an acquire + * should be sent for the given reqid. + * * @param reqid reqid of the SA * @param inbound TRUE for an inbound SA, FALSE for an outbound SA + * @param[out] acquire TRUE if an acquire should be triggered, FALSE if one + * is already pending or an SA was found * @return the matching IPsec SA, or NULL if none is found */ ipsec_sa_t *(*checkout_by_reqid)(ipsec_sa_mgr_t *this, uint32_t reqid, - bool inbound); + bool inbound, bool *acquire); /** * Checkin an SA after use. diff -Nru strongswan-5.9.8/src/libipsec/Makefile.in strongswan-5.9.11/src/libipsec/Makefile.in --- strongswan-5.9.8/src/libipsec/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -478,7 +478,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libipsec/tests/Makefile.in strongswan-5.9.11/src/libipsec/tests/Makefile.in --- strongswan-5.9.8/src/libipsec/tests/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libipsec/tests/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -427,7 +427,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libpttls/Makefile.in strongswan-5.9.11/src/libpttls/Makefile.in --- strongswan-5.9.8/src/libpttls/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libpttls/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
@@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libradius/Makefile.am strongswan-5.9.11/src/libradius/Makefile.am --- strongswan-5.9.8/src/libradius/Makefile.am 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/libradius/Makefile.am 2023-03-27 21:00:49.000000000 +0000 @@ -9,6 +9,10 @@ libradius_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la -lm +if USE_WINDOWS + libradius_la_LIBADD += -lws2_32 +endif + libradius_la_SOURCES = \ radius_message.h radius_message.c \ radius_socket.h radius_socket.c \ diff -Nru strongswan-5.9.8/src/libradius/Makefile.in strongswan-5.9.11/src/libradius/Makefile.in --- strongswan-5.9.8/src/libradius/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libradius/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -88,6 +88,7 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@USE_WINDOWS_TRUE@am__append_1 = -lws2_32 subdir = src/libradius ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -136,8 +137,10 @@ } am__installdirs = "$(DESTDIR)$(ipseclibdir)" LTLIBRARIES = $(ipseclib_LTLIBRARIES) +am__DEPENDENCIES_1 = libradius_la_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) am_libradius_la_OBJECTS = radius_message.lo radius_socket.lo \ radius_client.lo radius_config.lo libradius_la_OBJECTS = $(am_libradius_la_OBJECTS) @@ -428,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ 
@@ -467,9 +469,9 @@ -no-undefined ipseclib_LTLIBRARIES = libradius.la -libradius_la_LIBADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la -lm - +libradius_la_LIBADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la -lm \ + $(am__append_1) libradius_la_SOURCES = \ radius_message.h radius_message.c \ radius_socket.h radius_socket.c \ diff -Nru strongswan-5.9.8/src/libradius/radius_client.c strongswan-5.9.11/src/libradius/radius_client.c --- strongswan-5.9.8/src/libradius/radius_client.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libradius/radius_client.c 2023-06-08 10:35:17.000000000 +0000 @@ -84,7 +84,6 @@ { radius_socket_t *socket; radius_message_t *res; - chunk_t data; /* add our NAS-Identifier */ req->add(req, RAT_NAS_IDENTIFIER, @@ -104,8 +103,10 @@ DBG1(DBG_CFG, "received RADIUS %N from server '%s'", radius_message_code_names, res->get_code(res), this->config->get_name(this->config)); - data = res->get_encoding(res); +#if DEBUG_LEVEL >= 3 + chunk_t data = res->get_encoding(res); DBG3(DBG_CFG, "%B", &data); +#endif save_state(this, res); if (res->get_code(res) == RMC_ACCESS_ACCEPT) diff -Nru strongswan-5.9.8/src/libsimaka/Makefile.in strongswan-5.9.11/src/libsimaka/Makefile.in --- strongswan-5.9.8/src/libsimaka/Makefile.in 2022-10-03 14:18:07.000000000 +0000 +++ strongswan-5.9.11/src/libsimaka/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -430,7 +430,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libsimaka/simaka_manager.c strongswan-5.9.11/src/libsimaka/simaka_manager.c --- strongswan-5.9.8/src/libsimaka/simaka_manager.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libsimaka/simaka_manager.c 2023-06-08 10:35:17.000000000 +0000 
@@ -314,6 +314,7 @@ this->lock->unlock(this->lock); return TRUE; } + tried++; } enumerator->destroy(enumerator); this->lock->unlock(this->lock); diff -Nru strongswan-5.9.8/src/libstrongswan/asn1/asn1.c strongswan-5.9.11/src/libstrongswan/asn1/asn1.c --- strongswan-5.9.8/src/libstrongswan/asn1/asn1.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/asn1/asn1.c 2023-06-08 10:35:17.000000000 +0000 @@ -548,9 +548,10 @@ case ASN1_UTCTIME: case ASN1_GENERALIZEDTIME: { +#if DEBUG_LEVEL >= 2 time_t time = asn1_to_time(&object, type); - DBG2(DBG_ASN, " '%T'", &time, TRUE); +#endif } return; default: @@ -648,18 +649,27 @@ if (asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE) { - DBG2(DBG_ASN, "L%d - algorithmIdentifier:", level0); + if (level0 >= 0) + { + DBG2(DBG_ASN, "L%d - algorithmIdentifier:", level0); + } if (asn1_unwrap(&blob, &object) == ASN1_OID) { - DBG2(DBG_ASN, "L%d - algorithm:", level0+1); - asn1_debug_simple_object(object, ASN1_OID, FALSE); + if (level0 >= 0) + { + DBG2(DBG_ASN, "L%d - algorithm:", level0+1); + asn1_debug_simple_object(object, ASN1_OID, FALSE); + } alg = asn1_known_oid(object); if (blob.len) { - DBG2(DBG_ASN, "L%d - parameters:", level0+1); - DBG3(DBG_ASN, "%B", &blob); + if (level0 >= 0) + { + DBG2(DBG_ASN, "L%d - parameters:", level0+1); + DBG3(DBG_ASN, "%B", &blob); + } if (parameters) { *parameters = blob; diff -Nru strongswan-5.9.8/src/libstrongswan/asn1/asn1.h strongswan-5.9.11/src/libstrongswan/asn1/asn1.h --- strongswan-5.9.8/src/libstrongswan/asn1/asn1.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/asn1/asn1.h 2023-04-19 02:21:27.000000000 +0000 
@@ -163,7 +163,7 @@ * Parses an ASN.1 algorithmIdentifier object * * @param blob ASN.1 coded blob - * @param level0 top-most level offset + * @param level0 top-most level offset (-1 to suppress log messages) * @param params returns optional [ASN.1 coded] parameters * @return known OID index or OID_UNKNOWN */ diff -Nru strongswan-5.9.8/src/libstrongswan/asn1/asn1_parser.c strongswan-5.9.11/src/libstrongswan/asn1/asn1_parser.c --- strongswan-5.9.8/src/libstrongswan/asn1/asn1_parser.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/asn1/asn1_parser.c 2023-06-08 10:35:17.000000000 +0000 @@ -89,7 +89,7 @@ { chunk_t *blob, *blob1, blob_ori; u_char *start_ptr; - u_int level; + u_int level DBG_UNUSED; asn1Object_t obj; *object = chunk_empty; diff -Nru strongswan-5.9.8/src/libstrongswan/collections/linked_list.c strongswan-5.9.11/src/libstrongswan/collections/linked_list.c --- strongswan-5.9.8/src/libstrongswan/collections/linked_list.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/collections/linked_list.c 2023-03-27 21:00:49.000000000 +0000 @@ -62,7 +62,7 @@ /** * Creates an empty linked list object. */ -element_t *element_create(void *value) +static element_t *element_create(void *value) { element_t *this; INIT(this, diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/auth_cfg.c strongswan-5.9.11/src/libstrongswan/credentials/auth_cfg.c --- strongswan-5.9.8/src/libstrongswan/credentials/auth_cfg.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/auth_cfg.c 2023-06-08 10:35:17.000000000 +0000 @@ -821,7 +821,6 @@ signature_params_t *ike_scheme = NULL, *scheme = NULL; u_int strength = 0; auth_rule_t t1, t2; - char *key_type; void *value; e1 = constraints->create_enumerator(constraints); 
@@ -1110,6 +1109,8 @@ * public key strength */ if (success && strength) { + char *key_type DBG_UNUSED; + e2 = create_enumerator(this); while (e2->enumerate(e2, &t2, &strength)) { diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/certificates/certificate.c strongswan-5.9.11/src/libstrongswan/credentials/certificates/certificate.c --- strongswan-5.9.8/src/libstrongswan/credentials/certificates/certificate.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/certificates/certificate.c 2023-06-08 10:35:17.000000000 +0000 @@ -48,7 +48,7 @@ bool certificate_is_newer(certificate_t *this, certificate_t *other) { time_t this_update, that_update; - char *type = "certificate"; + char *type DBG_UNUSED = "certificate"; bool newer; if (this->get_type(this) == CERT_X509_CRL) diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/certificates/certificate_printer.c strongswan-5.9.11/src/libstrongswan/credentials/certificates/certificate_printer.c --- strongswan-5.9.8/src/libstrongswan/credentials/certificates/certificate_printer.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/certificates/certificate_printer.c 2023-05-29 17:57:51.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015 Andreas Steffen + * Copyright (C) 2015-2022 Andreas Steffen * Copyright (C) 2010 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -85,7 +85,7 @@ x509_policy_mapping_t *mapping; FILE *f = this->f; - chunk = chunk_skip_zero(x509->get_serial(x509)); + chunk = x509->get_serial(x509); fprintf(f, " serial: %#B\n", &chunk); first = TRUE; @@ -341,12 +341,11 @@ x509_cdp_t *cdp; FILE *f = this->f; - chunk = chunk_skip_zero(crl->get_serial(crl)); + chunk = crl->get_serial(crl); fprintf(f, " serial: %#B\n", &chunk); if (crl->is_delta_crl(crl, &chunk)) { - chunk = chunk_skip_zero(chunk); fprintf(f, " delta CRL: for serial %#B\n", &chunk); } chunk = crl->get_authKeyIdentifier(crl); 
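Review bot: Dropping chunk_skip_zero() on the printed serials assumes that the x509_t, crl_t and ac_t get_serial() implementations (and the delta-CRL and revoked-entry serials further down) now return the INTEGER value without the DER sign-padding byte; that change is not in this hunk, so it should be confirmed in the certificate plugins of this release, otherwise serials with the high bit set print with a leading `00` and no longer match the previously printed form. A one-line comment above the first `chunk = x509->get_serial(x509);`, such as `/* serials are returned without DER sign padding */`, would make the dependency explicit for the next maintainer.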
@@ -388,7 +387,6 @@ enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) { - chunk = chunk_skip_zero(chunk); fprintf(f, " %#B: %T, %N\n", &chunk, &ts, this->utc, crl_reason_names, reason); } @@ -408,7 +406,7 @@ bool first = TRUE; FILE *f = this->f; - chunk = chunk_skip_zero(ac->get_serial(ac)); + chunk = ac->get_serial(ac); fprintf(f, " serial: %#B\n", &chunk); id = ac->get_holderIssuer(ac); @@ -416,7 +414,7 @@ { fprintf(f, " hissuer: \"%Y\"\n", id); } - chunk = chunk_skip_zero(ac->get_holderSerial(ac)); + chunk = ac->get_holderSerial(ac); if (chunk.ptr) { fprintf(f, " hserial: %#B\n", &chunk); @@ -507,7 +505,6 @@ { fprintf(f, " "); } - serialNumber = chunk_skip_zero(serialNumber); switch (status) { diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/certificates/crl.h strongswan-5.9.11/src/libstrongswan/credentials/certificates/crl.h --- strongswan-5.9.8/src/libstrongswan/credentials/certificates/crl.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/certificates/crl.h 2023-06-12 05:47:41.000000000 +0000 @@ -1,6 +1,6 @@ /* * Copyright (C) 2008 Martin Willi - * Copyright (C) 2006 Andreas Steffen + * Copyright (C) 2006-2022 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -24,6 +24,7 @@ #define CRL_H_ typedef struct crl_t crl_t; +typedef struct crl_revoked_t crl_revoked_t; typedef enum crl_reason_t crl_reason_t; #include 
@@ -62,6 +63,27 @@ extern enum_name_t *crl_reason_names; /** + * Entry for a revoked certificate + */ +struct crl_revoked_t { + + /** + * Serial of the revoked certificate + */ + chunk_t serial; + + /** + * Date of revocation + */ + time_t date; + + /** + * Reason for revocation + */ + crl_reason_t reason; +}; + +/** * X509 certificate revocation list (CRL) interface definition. */ struct crl_t { diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/credential_factory.c strongswan-5.9.11/src/libstrongswan/credentials/credential_factory.c --- strongswan-5.9.8/src/libstrongswan/credentials/credential_factory.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/credential_factory.c 2023-06-08 10:35:17.000000000 +0000 @@ -119,7 +119,7 @@ void *construct = NULL; int failures = 0; uintptr_t level; - enum_name_t *names; + enum_name_t *names DBG_UNUSED; switch (type) { diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/credential_manager.c strongswan-5.9.11/src/libstrongswan/credentials/credential_manager.c --- strongswan-5.9.8/src/libstrongswan/credentials/credential_manager.c 2022-10-03 14:14:38.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/credential_manager.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015-2022 Tobias Brunner + * Copyright (C) 2015-2023 Tobias Brunner * Copyright (C) 2007 Martin Willi * * Copyright (C) secunet Security Networks AG 
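Review bot: crl_revoked_t does not say who owns `serial`: whether the chunk points into the CRL's encoding and is valid only while the crl_t lives, or is a copy the consumer must free; because the struct is exposed in a public header, add that to the field comment, e.g. `Serial of the revoked certificate (not owned by the entry, valid only while the CRL object lives)` if that is the case, or the converse. It is also worth stating whether `serial` carries DER sign padding, since the certificate printer in this release stops stripping leading zero bytes from serials.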
@@ -1114,61 +1114,55 @@ } /** - * build a trustchain from subject up to a trust anchor in trusted + * Build a trust chain for subject, optionally only up to one of the CA + * certificates in auth. Returns whether one of the anchors was found. */ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, - certificate_t *subject, auth_cfg_t *auth) + certificate_t *subject, auth_cfg_t *auth, + bool *found_anchor) { certificate_t *issuer, *current; auth_cfg_t *trustchain; int pathlen = 0; - bool has_anchor; + + *found_anchor = FALSE; trustchain = auth_cfg_create(); - has_anchor = auth->get(auth, AUTH_RULE_CA_CERT) != NULL; + /* immediately return for self-signed certificates */ + if (issued_by(this, subject, subject, NULL)) + { + return trustchain; + } current = subject->get_ref(subject); - while (TRUE) + for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) { - if (auth_contains_cacert(auth, current)) - { - trustchain->add(trustchain, AUTH_RULE_CA_CERT, current); - return trustchain; - } - if (subject == current) - { - trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current); - } - else - { - if (!has_anchor && issued_by(this, current, current, NULL)) - { /* If no trust anchor specified, accept any CA */ - trustchain->add(trustchain, AUTH_RULE_CA_CERT, current); - return trustchain; - } - trustchain->add(trustchain, AUTH_RULE_IM_CERT, current); - } - if (pathlen++ > MAX_TRUST_PATH_LEN) - { - break; - } issuer = get_issuer_cert(this, current, FALSE, NULL); if (!issuer) - { - if (!has_anchor) - { /* If no trust anchor specified, accept incomplete chains */ - return trustchain; - } + { /* return the incomplete trust chain */ break; } - if (has_anchor && issuer->equals(issuer, current)) - { - issuer->destroy(issuer); + if (auth_contains_cacert(auth, issuer)) + { /* stop if we find one of the anchors */ + trustchain->add(trustchain, AUTH_RULE_CA_CERT, issuer); + *found_anchor = TRUE; break; } - current = issuer; + if (issued_by(this, issuer, issuer, 
NULL)) + { /* trust chain is complete */ + trustchain->add(trustchain, AUTH_RULE_CA_CERT, issuer); + break; + } + trustchain->add(trustchain, AUTH_RULE_IM_CERT, issuer); + current->destroy(current); + current = issuer->get_ref(issuer); } - trustchain->destroy(trustchain); - return NULL; + current->destroy(current); + if (pathlen > MAX_TRUST_PATH_LEN) + { + trustchain->destroy(trustchain); + return NULL; + } + return trustchain; } /** @@ -1225,9 +1219,10 @@ { enumerator_t *enumerator; certificate_t *cert; - private_key_t *private = NULL; - auth_cfg_t *trustchain; + private_key_t *private = NULL, *first_private = NULL; + auth_cfg_t *trustchain, *first_trustchain = NULL; auth_rule_t rule; + bool has_anchor, found_anchor; /* check if this is a lookup by key ID, and do it if so */ if (id && id->get_type(id) == ID_KEY_ID) @@ -1241,7 +1236,10 @@ if (auth) { - /* try to find a trustchain with one of the configured subject certs */ + has_anchor = auth->get(auth, AUTH_RULE_CA_CERT) != NULL; + + /* try to find a trust chain with one of the configured subject certs, + * prefer one with any given anchor */ enumerator = auth->create_enumerator(auth); while (enumerator->enumerate(enumerator, &rule, &cert)) { @@ -1250,13 +1248,24 @@ private = get_private_by_cert(this, cert, type); if (private) { - trustchain = build_trustchain(this, cert, auth); + trustchain = build_trustchain(this, cert, auth, &found_anchor); if (trustchain) { - auth->merge(auth, trustchain, FALSE); - prefer_cert(auth, cert->get_ref(cert)); + if (!has_anchor || found_anchor) + { + auth->merge(auth, trustchain, FALSE); + prefer_cert(auth, cert->get_ref(cert)); + trustchain->destroy(trustchain); + break; + } + else if (!first_private) + { + first_private = private; + first_trustchain = trustchain; + private = NULL; + continue; + } trustchain->destroy(trustchain); - break; } private->destroy(private); private = NULL; 
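Review bot: The early return for self-signed subjects no longer consults auth_contains_cacert(), so a self-signed local certificate that is also listed as a CA in auth now yields an empty chain with *found_anchor FALSE, whereas the removed code returned it as the anchor; if that configuration is meant to keep working, set `*found_anchor = auth_contains_cacert(auth, subject);` before the early `return trustchain;`. The header comment should also spell out the two other exits: NULL only when MAX_TRUST_PATH_LEN is exceeded, and a non-NULL chain without AUTH_RULE_CA_CERT when get_issuer_cert() finds no issuer (an incomplete chain the caller accepts when no anchor is configured). Unlike the removed code, the subject itself is no longer added as AUTH_RULE_SUBJECT_CERT, which the callers appear to handle via prefer_cert(); a sentence saying so in the comment would stop a future caller from relying on the old behaviour.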
@@ -1264,62 +1273,66 @@ } } enumerator->destroy(enumerator); - if (private) - { - return private; - } - /* if none yielded a trustchain, enforce the first configured cert */ - cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); - if (cert) + /* if no certificates are configured, try to find one based on the + * identity, preferably with any of the given anchors */ + if (!private && !first_private) { - private = get_private_by_cert(this, cert, type); - if (private) + enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); + while (enumerator->enumerate(enumerator, &cert)) { - trustchain = build_trustchain(this, cert, auth); - if (trustchain) + private = get_private_by_cert(this, cert, type); + if (private) { - auth->merge(auth, trustchain, FALSE); - trustchain->destroy(trustchain); + trustchain = build_trustchain(this, cert, auth, &found_anchor); + if (trustchain) + { + if (!has_anchor || found_anchor) + { + auth->merge(auth, trustchain, FALSE); + prefer_cert(auth, cert->get_ref(cert)); + trustchain->destroy(trustchain); + break; + } + else if (!first_private) + { + /* add this certificate, if we end up choosing a + * different one, it gets replaced above */ + auth->add(auth, AUTH_RULE_SUBJECT_CERT, + cert->get_ref(cert)); + first_private = private; + first_trustchain = trustchain; + private = NULL; + continue; + } + trustchain->destroy(trustchain); + } + private->destroy(private); + private = NULL; } - return private; } + enumerator->destroy(enumerator); } - /* try to build a trust chain for each certificate found */ - enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); - while (enumerator->enumerate(enumerator, &cert)) + /* fall back to the first configured or found private key */ + if (!private && first_private) { - private = get_private_by_cert(this, cert, type); - if (private) - { - trustchain = build_trustchain(this, cert, auth); - if (trustchain) - { - auth->merge(auth, trustchain, FALSE); - trustchain->destroy(trustchain); - 
break; - } - private->destroy(private); - private = NULL; - } + auth->merge(auth, first_trustchain, FALSE); + private = first_private->get_ref(first_private); } - enumerator->destroy(enumerator); + DESTROY_IF(first_private); + DESTROY_IF(first_trustchain); } - - /* if no valid trustchain was found, fall back to the first usable cert */ - if (!private) + else { + /* if we have no config, use the first usable cert with the given + * identity */ enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); while (enumerator->enumerate(enumerator, &cert)) { private = get_private_by_cert(this, cert, type); if (private) { - if (auth) - { - auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert)); - } break; } } diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/sets/callback_cred.h strongswan-5.9.11/src/libstrongswan/credentials/sets/callback_cred.h --- strongswan-5.9.8/src/libstrongswan/credentials/sets/callback_cred.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/sets/callback_cred.h 2023-03-27 21:00:49.000000000 +0000 @@ -29,6 +29,7 @@ /** * Callback function to get shared keys. * + * @param data data passed to the constructor * @param type type of requested shared key * @param me own identity * @param other other identity diff -Nru strongswan-5.9.8/src/libstrongswan/credentials/sets/cert_cache.c strongswan-5.9.11/src/libstrongswan/credentials/sets/cert_cache.c --- strongswan-5.9.8/src/libstrongswan/credentials/sets/cert_cache.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/credentials/sets/cert_cache.c 2023-04-21 14:33:30.000000000 +0000 @@ -23,6 +23,7 @@ #include #include #include +#include /** cache size, a power of 2 for fast modulo */ #define CACHE_SIZE 32 
@@ -128,6 +129,55 @@ } } } + else if (subject->get_type(subject) == CERT_X509_OCSP_RESPONSE) + { + ocsp_response_t *response, *cached_response; + enumerator_t *e, *e1; + chunk_t serial, serial_cached; + + response = (ocsp_response_t*)subject; + + /* we only check OCSP responses containing one single response */ + e = response->create_response_enumerator(response); + if (e->enumerate(e, &serial, NULL, NULL, NULL) && + !e->enumerate(e, NULL, NULL, NULL, NULL)) + { + for (i = 0; i < CACHE_SIZE; i++) + { + rel = &this->relations[i]; + + if (rel->subject && + rel->subject->get_type(rel->subject) == CERT_X509_OCSP_RESPONSE && + rel->lock->try_write_lock(rel->lock)) + { + /* double-check having lock */ + if (rel->subject->get_type(rel->subject) == CERT_X509_OCSP_RESPONSE && + rel->issuer->equals(rel->issuer, issuer) && + certificate_is_newer(subject, rel->subject)) + { + cached_response = (ocsp_response_t*)rel->subject; + + e1 = cached_response->create_response_enumerator(cached_response); + if (e1->enumerate(e1, &serial_cached, NULL, NULL, NULL) && + !e1->enumerate(e1, NULL, NULL, NULL, NULL) && + chunk_equals(serial_cached, serial)) + { + e1->destroy(e1); + e->destroy(e); + rel->subject->destroy(rel->subject); + rel->subject = subject->get_ref(subject); + signature_params_destroy(rel->scheme); + rel->scheme = signature_params_clone(scheme); + return rel->lock->unlock(rel->lock); + } + e1->destroy(e1); + } + rel->lock->unlock(rel->lock); + } + } + } + e->destroy(e); + } /* check for a unused relation slot first */ for (i = 0; i < CACHE_SIZE; i++) diff -Nru strongswan-5.9.8/src/libstrongswan/crypto/crypto_tester.c strongswan-5.9.11/src/libstrongswan/crypto/crypto_tester.c --- strongswan-5.9.8/src/libstrongswan/crypto/crypto_tester.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/crypto/crypto_tester.c 2023-06-08 10:35:17.000000000 +0000 
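Review bot: The re-check after try_write_lock() re-verifies the type of rel->subject but not that rel->subject and rel->issuer are still set; if another thread can release a relation between the unlocked peek and the lock (a flush path, presumably), the dereferences inside the locked block are unsafe, so mirror whatever the branch above does or re-test `rel->subject && rel->issuer` under the lock. The two enumerate() calls that pass NULL for the status, revocation-time and reason out-parameters depend on create_response_enumerator() tolerating NULL, which is worth confirming against the ocsp_response_t implementations. `return rel->lock->unlock(rel->lock);` returns a void expression from a void function, which ISO C does not allow; prefer `rel->lock->unlock(rel->lock); return;` unless the file already uses that idiom. The enclosing function starts before and ends after the hunk.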
@@ -110,6 +110,7 @@ int bench_size; }; +#if DEBUG_LEVEL >= 1 /** * Get the name of a test vector, if available */ @@ -125,6 +126,7 @@ #endif return "unknown"; } +#endif #if defined(CLOCK_THREAD_CPUTIME_ID) && defined(HAVE_CLOCK_GETTIME) diff -Nru strongswan-5.9.8/src/libstrongswan/ipsec/ipsec_types.c strongswan-5.9.11/src/libstrongswan/ipsec/ipsec_types.c --- strongswan-5.9.8/src/libstrongswan/ipsec/ipsec_types.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/ipsec/ipsec_types.c 2023-03-27 21:00:49.000000000 +0000 @@ -40,7 +40,8 @@ ENUM(hw_offload_names, HW_OFFLOAD_NO, HW_OFFLOAD_AUTO, "no", - "yes", + "crypto", + "packet", "auto", ); diff -Nru strongswan-5.9.8/src/libstrongswan/ipsec/ipsec_types.h strongswan-5.9.11/src/libstrongswan/ipsec/ipsec_types.h --- strongswan-5.9.8/src/libstrongswan/ipsec/ipsec_types.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/ipsec/ipsec_types.h 2023-03-27 21:00:49.000000000 +0000 @@ -125,8 +125,9 @@ */ enum hw_offload_t { HW_OFFLOAD_NO = 0, - HW_OFFLOAD_YES = 1, - HW_OFFLOAD_AUTO = 2, + HW_OFFLOAD_CRYPTO = 1, + HW_OFFLOAD_PACKET = 2, + HW_OFFLOAD_AUTO = 3, }; /** diff -Nru strongswan-5.9.8/src/libstrongswan/Makefile.in strongswan-5.9.11/src/libstrongswan/Makefile.in --- strongswan-5.9.8/src/libstrongswan/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
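Review bot: Renaming the enum string "yes" to "crypto" drops the name existing configurations use for hw_offload; unless the option parser (outside this diff) keeps "yes" as an alias for HW_OFFLOAD_CRYPTO, `hw_offload = yes` in existing configurations would no longer resolve through hw_offload_names, so that alias or a documented migration note should accompany this rename. In the header hunk HW_OFFLOAD_AUTO also changes its numeric value from 2 to 3, so anything compiled against the old header or persisting the integer must be rebuilt; a comment on the enum such as `/* numeric values are not stable across releases */` would make that explicit.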
@@ -1060,7 +1060,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/math/libnttfft/Makefile.in strongswan-5.9.11/src/libstrongswan/math/libnttfft/Makefile.in --- strongswan-5.9.8/src/libstrongswan/math/libnttfft/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/math/libnttfft/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -425,7 +425,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/math/libnttfft/tests/Makefile.in strongswan-5.9.11/src/libstrongswan/math/libnttfft/tests/Makefile.in --- strongswan-5.9.8/src/libstrongswan/math/libnttfft/tests/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/math/libnttfft/tests/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -429,7 +429,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/acert/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/acert/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/acert/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/acert/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
@@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/aes/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/aes/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/aes/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/aes/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_cmac.c strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_cmac.c --- strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_cmac.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_cmac.c 2023-03-27 21:00:49.000000000 +0000 @@ -305,10 +305,10 @@ free_align(this); } -/* - * Described in header +/** + * Create a generic mac_t object using AESNI CMAC */ -mac_t *aesni_cmac_create(encryption_algorithm_t algo, size_t key_size) +static mac_t *aesni_cmac_create(encryption_algorithm_t algo, size_t key_size) { private_mac_t *this; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_cmac.h strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_cmac.h --- strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_cmac.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_cmac.h 2023-03-27 21:00:49.000000000 +0000 
@@ -27,14 +27,6 @@ #include /** - * Create a generic mac_t object using AESNI CMAC. - * - * @param algo underlying encryption algorithm - * @param key_size size of encryption key, in bytes - */ -mac_t *aesni_cmac_create(encryption_algorithm_t algo, size_t key_size); - -/** * Creates a new prf_t object based AESNI CMAC. * * @param algo algorithm to implement diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_xcbc.c strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_xcbc.c --- strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_xcbc.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_xcbc.c 2023-03-27 21:00:49.000000000 +0000 @@ -301,10 +301,10 @@ free_align(this); } -/* - * Described in header +/** + * Create a generic mac_t object using AESNI XCBC */ -mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size) +static mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size) { private_aesni_mac_t *this; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_xcbc.h strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_xcbc.h --- strongswan-5.9.8/src/libstrongswan/plugins/aesni/aesni_xcbc.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/aesni/aesni_xcbc.h 2023-03-27 21:00:49.000000000 +0000 
@@ -27,14 +27,6 @@ #include /** - * Create a generic mac_t object using AESNI XCBC - * - * @param algo underlying encryption algorithm - * @param key_size size of encryption key, in bytes - */ -mac_t *aesni_xcbc_create(encryption_algorithm_t algo, size_t key_size); - -/** * Creates a new prf_t object based AESNI XCBC. * * @param algo algorithm to implement diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/aesni/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/aesni/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/aesni/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/aesni/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -437,7 +437,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/af_alg/af_alg_signer.c strongswan-5.9.11/src/libstrongswan/plugins/af_alg/af_alg_signer.c --- strongswan-5.9.8/src/libstrongswan/plugins/af_alg/af_alg_signer.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/af_alg/af_alg_signer.c 2023-03-27 21:00:49.000000000 +0000 @@ -174,7 +174,7 @@ af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo) { private_af_alg_signer_t *this; - size_t block_size, key_size; + size_t block_size, key_size = 0; char *name; block_size = lookup_alg(algo, &name, &key_size); diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/af_alg/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/af_alg/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/af_alg/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/af_alg/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
@@ -437,7 +437,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/agent/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/agent/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/agent/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/agent/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/bliss/bliss_private_key.c strongswan-5.9.11/src/libstrongswan/plugins/bliss/bliss_private_key.c --- strongswan-5.9.8/src/libstrongswan/plugins/bliss/bliss_private_key.c 2022-09-20 09:07:33.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/bliss/bliss_private_key.c 2023-06-08 10:35:17.000000000 +0000 @@ -186,7 +186,7 @@ int32_t scalar, norm, ui; int16_t *ud, *uz2d, *z2d, value; int i, n; - double mean1 = 0, mean2 = 0, sigma1 = 0, sigma2 = 0; + double mean1 = 0, mean2 = 0, sigma1 DBG_UNUSED = 0, sigma2 DBG_UNUSED = 0; bool accepted, positive, success = FALSE, use_bliss_b; /* Initialize signature */ @@ -907,7 +907,7 @@ { uint8_t seed_buf[32]; uint8_t *f, *g; - uint32_t l2_norm, nks; + uint32_t l2_norm DBG_UNUSED, nks; int i, n; chunk_t seed; size_t seed_len; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/bliss/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/bliss/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/bliss/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/bliss/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
@@ -465,7 +465,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/bliss/tests/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/bliss/tests/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/bliss/tests/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/bliss/tests/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -440,7 +440,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/blowfish/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/blowfish/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/blowfish/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/blowfish/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/botan/botan_diffie_hellman.c strongswan-5.9.11/src/libstrongswan/plugins/botan/botan_diffie_hellman.c --- strongswan-5.9.8/src/libstrongswan/plugins/botan/botan_diffie_hellman.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/botan/botan_diffie_hellman.c 2023-03-27 21:00:49.000000000 +0000 
@@ -80,7 +80,7 @@ /** * Load a DH private key */ -bool load_private_key(private_botan_diffie_hellman_t *this, chunk_t value) +static bool load_private_key(private_botan_diffie_hellman_t *this, chunk_t value) { botan_mp_t xa; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/botan/botan_util.c strongswan-5.9.11/src/libstrongswan/plugins/botan/botan_util.c --- strongswan-5.9.8/src/libstrongswan/plugins/botan/botan_util.c 2022-09-20 09:07:33.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/botan/botan_util.c 2023-04-19 02:21:27.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2018 Tobias Brunner + * Copyright (C) 2018-2023 Tobias Brunner * Copyright (C) 2018 Andreas Steffen * * Copyright (C) 2018 René Korthaus @@ -80,13 +80,45 @@ } } +/** + * Encode the given RSA public key parameter as chunk. + */ +static bool encode_rsa_field(botan_pubkey_t pubkey, const char *name, + chunk_t *chunk) +{ + botan_mp_t val = NULL; + size_t len = 0; + + if (botan_mp_init(&val) || + botan_pubkey_get_field(val, pubkey, name) || + botan_mp_num_bytes(val, &len) || !len) + { + botan_mp_destroy(val); + return FALSE; + } + + *chunk = chunk_alloc(len); + if (botan_mp_to_bin(val, chunk->ptr)) + { + botan_mp_destroy(val); + chunk_free(chunk); + return FALSE; + } + botan_mp_destroy(val); + return TRUE; +} + /* * Described in header */ bool botan_get_encoding(botan_pubkey_t pubkey, cred_encoding_type_t type, chunk_t *encoding) { - bool success = TRUE; + chunk_t asn1_encoding, n = chunk_empty, e = chunk_empty; + cred_encoding_part_t part = CRED_PART_END; + char algo[8]; + size_t len = sizeof(algo); + bool success = FALSE; encoding->len = 0; if (botan_pubkey_export(pubkey, NULL, &encoding->len, 
@@ -104,15 +136,43 @@ return FALSE; } - if (type != PUBKEY_SPKI_ASN1_DER) + if (type == PUBKEY_SPKI_ASN1_DER) { - chunk_t asn1_encoding = *encoding; + return TRUE; + } - success = lib->encoding->encode(lib->encoding, type, NULL, encoding, - CRED_PART_ECDSA_PUB_ASN1_DER, - asn1_encoding, CRED_PART_END); + asn1_encoding = *encoding; + if (botan_pubkey_algo_name(pubkey, algo, &len)) + { chunk_free(&asn1_encoding); + return FALSE; + } + + if (streq(algo, "RSA") && + encode_rsa_field(pubkey, "n", &n) && + encode_rsa_field(pubkey, "e", &e)) + { + success = lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_RSA_PUB_ASN1_DER, asn1_encoding, + CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); + } + else + { + if (streq(algo, "ECDSA")) + { + part = CRED_PART_ECDSA_PUB_ASN1_DER; + } + else if (streq(algo, "Ed25519")) + { + part = CRED_PART_EDDSA_PUB_ASN1_DER; + } + success = lib->encoding->encode(lib->encoding, type, NULL, encoding, + part, asn1_encoding, CRED_PART_END); } + chunk_free(&asn1_encoding); + chunk_free(&n); + chunk_free(&e); return success; } diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/botan/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/botan/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/botan/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/botan/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -452,7 +452,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/ccm/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/ccm/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/ccm/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/ccm/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
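Review bot: An algorithm name other than RSA, ECDSA or Ed25519 reaches `lib->encoding->encode()` with `part` still at its initial `CRED_PART_END`, and an RSA key whose `n` or `e` field could not be extracted falls into the same else branch, so failure is left to encode() rejecting an empty part list rather than being stated in this function. Checking the sentinel first, `if (part == CRED_PART_END) { DBG1(DBG_LIB, "unsupported key algorithm '%s' for encoding", algo); } else { success = lib->encoding->encode(lib->encoding, type, NULL, encoding, part, asn1_encoding, CRED_PART_END); }`, keeps `success` FALSE explicitly and names the cause in the log. botan_get_encoding's signature and the `botan_pubkey_export` call are in the preceding hunk.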
@@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/chapoly/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/chapoly/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/chapoly/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/chapoly/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -449,7 +449,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/cmac/cmac.c strongswan-5.9.11/src/libstrongswan/plugins/cmac/cmac.c --- strongswan-5.9.8/src/libstrongswan/plugins/cmac/cmac.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/cmac/cmac.c 2023-03-27 21:00:49.000000000 +0000 @@ -310,10 +310,10 @@ free(this); } -/* - * Described in header +/** + * Create a generic mac_t object */ -mac_t *cmac_create(encryption_algorithm_t algo, size_t key_size) +static mac_t *cmac_create(encryption_algorithm_t algo, size_t key_size) { private_mac_t *this; crypter_t *crypter; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/cmac/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/cmac/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/cmac/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/cmac/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
@@ -430,7 +430,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/constraints/constraints_validator.c strongswan-5.9.11/src/libstrongswan/plugins/constraints/constraints_validator.c --- strongswan-5.9.8/src/libstrongswan/plugins/constraints/constraints_validator.c 2022-10-03 14:14:38.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/constraints/constraints_validator.c 2023-06-08 10:35:17.000000000 +0000 @@ -352,7 +352,7 @@ */ static bool check_policy(x509_t *subject, x509_t *issuer) { - certificate_t *cert = (certificate_t*)subject; + certificate_t *cert DBG_UNUSED = (certificate_t*)subject; x509_policy_mapping_t *mapping; x509_cert_policy_t *policy; enumerator_t *enumerator; @@ -485,7 +485,7 @@ { enumerator_t *enumerator, *mappings; x509_policy_mapping_t *mapping; - certificate_t *cert; + certificate_t *cert DBG_UNUSED; x509_t *x509; bool valid = TRUE; @@ -514,7 +514,7 @@ { enumerator_t *enumerator, *policies; x509_cert_policy_t *policy; - certificate_t *cert; + certificate_t *cert DBG_UNUSED; x509_t *x509; bool valid = TRUE; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/constraints/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/constraints/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/constraints/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/constraints/Makefile.in 2023-06-12 05:50:42.000000000 +0000 
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/ctr/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/ctr/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/ctr/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/ctr/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/curl/curl_plugin.c strongswan-5.9.11/src/libstrongswan/plugins/curl/curl_plugin.c --- strongswan-5.9.8/src/libstrongswan/plugins/curl/curl_plugin.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/curl/curl_plugin.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2023 Tobias Brunner * Copyright (C) 2008 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -60,7 +61,9 @@ static void add_feature_with_ssl(private_curl_plugin_t *this, const char *ssl, char *proto, plugin_feature_t f) { - /* http://curl.haxx.se/libcurl/c/libcurl-tutorial.html#Multi-threading */ + /* according to https://curl.se/libcurl/c/threadsafe.html there is only an + * issue with thread-safety with older versions of OpenSSL (<= 1.0.2) and + * GnuTLS (< 1.6.0), so we just accept all other SSL backends */ if (strpfx(ssl, "OpenSSL") || strpfx(ssl, "LibreSSL")) { add_feature(this, f); 
@@ -71,15 +74,9 @@ add_feature(this, f); add_feature(this, PLUGIN_DEPENDS(CUSTOM, "gcrypt-threading")); } - else if (strpfx(ssl, "NSS") || - strpfx(ssl, "BoringSSL")) - { - add_feature(this, f); - } else { - DBG1(DBG_LIB, "curl SSL backend '%s' not supported, %s disabled", - ssl, proto); + add_feature(this, f); } } @@ -156,6 +153,60 @@ free(this); } +#if LIBCURL_VERSION_NUM >= 0x073800 +/** + * Configure a specific SSL backend if multiple are available + */ +static void set_ssl_backend() +{ + const curl_ssl_backend **avail; + char *backend, buf[BUF_LEN] = ""; + int i, len = 0, added; + + backend = lib->settings->get_str(lib->settings, "%s.plugins.curl.tls_backend", + NULL, lib->ns); + switch (curl_global_sslset(-1, backend, &avail)) + { + case CURLSSLSET_UNKNOWN_BACKEND: + for (i = 0; avail[i]; i++) + { + added = snprintf(buf + len, sizeof(buf) - len, " %s", + avail[i]->name); + if (added < sizeof(buf) - len) + { + len += added; + } + } + if (backend) + { + DBG1(DBG_LIB, "unsupported TLS backend '%s' in libcurl, " + "available:%s", backend, buf); + } + else + { + DBG2(DBG_LIB, "available TLS backends in libcurl:%s", buf); + } + break; + case CURLSSLSET_NO_BACKENDS: + if (backend) + { + DBG1(DBG_LIB, "unable to set TLS backend '%s', libcurl was " + "built without TLS support", backend); + } + break; + case CURLSSLSET_TOO_LATE: + if (backend) + { + DBG1(DBG_LIB, "unable to set TLS backend '%s' in libcurl, " + "already set", backend); + } + break; + case CURLSSLSET_OK: + break; + } +} +#endif + /* * see header file */ 
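Review bot: The final `else` in add_feature_with_ssl now registers the feature for any TLS backend it does not recognise without leaving a trace, whereas the removed branch at least logged the backend name, so which TLS stack backs the fetcher is no longer visible in the log. A `DBG2(DBG_LIB, "curl SSL backend '%s' accepted for %s", ssl, proto);` in that branch would keep it, and would also give `proto` a use; in the visible parts of the function it appears unused after this hunk (the body begins in the previous hunk, so a use may exist there).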
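Review bot: A `tls_backend` value that libcurl does not recognise is logged at DBG1 in the `CURLSSLSET_UNKNOWN_BACKEND` case and the plugin then proceeds with libcurl's default backend, so a typo in strongswan.conf silently changes which TLS stack the fetcher uses; the `CURLSSLSET_OK` case, by contrast, logs nothing. Logging the successful selection, `DBG1(DBG_LIB, "using TLS backend '%s' in libcurl", backend);`, would let an operator confirm the setting took effect, and the caller could consider treating a failed explicit selection as a load failure. Separately, `static void set_ssl_backend()` is the old-style empty parameter list; `set_ssl_backend(void)` is the prototype form.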
@@ -174,6 +225,10 @@ }, ); +#if LIBCURL_VERSION_NUM >= 0x073800 + set_ssl_backend(); +#endif + res = curl_global_init(CURL_GLOBAL_SSL); if (res != CURLE_OK) { diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/curl/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/curl/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/curl/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/curl/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/curve25519/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/curve25519/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/curve25519/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/curve25519/Makefile.in 2023-06-12 05:50:42.000000000 +0000 @@ -444,7 +444,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/des/des_crypter.c strongswan-5.9.11/src/libstrongswan/plugins/des/des_crypter.c --- strongswan-5.9.8/src/libstrongswan/plugins/des/des_crypter.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/des/des_crypter.c 2023-03-27 21:00:49.000000000 +0000 
@@ -531,13 +531,6 @@ PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \ } -#ifndef NOPROTO -void fcrypt_body(DES_LONG *out,des_key_schedule ks, - DES_LONG Eswap0, DES_LONG Eswap1); -#else -void fcrypt_body(); -#endif - static const DES_LONG des_skb[8][64]={ { /* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */ 0x00000000L,0x00000010L,0x20000000L,0x20000010L, diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/des/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/des/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/des/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/des/Makefile.in 2023-06-12 05:50:43.000000000 +0000 @@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/dnskey/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/dnskey/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/dnskey/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/dnskey/Makefile.in 2023-06-12 05:50:43.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/drbg/drbg_hmac.c strongswan-5.9.11/src/libstrongswan/plugins/drbg/drbg_hmac.c --- strongswan-5.9.8/src/libstrongswan/plugins/drbg/drbg_hmac.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/drbg/drbg_hmac.c 2023-06-08 10:35:17.000000000 +0000 @@ -158,7 +158,6 @@ private_drbg_hmac_t *this, uint32_t len, uint8_t *out) { size_t delta; - chunk_t output; if (len > MAX_DRBG_BYTES) { 
@@ -179,7 +178,9 @@ { return FALSE; } - output = chunk_create(out, len); +#if DEBUG_LEVEL >= 4 + chunk_t output = chunk_create(out, len); +#endif while (len) { @@ -192,7 +193,7 @@ len -= delta; out += delta; } - DBG4(DBG_LIB, "HMAC_DRBG Out: %B", &output); + DBG4(DBG_LIB, "HMAC_DRBG out: %B", &output); if (!update(this, chunk_empty)) { diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/drbg/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/drbg/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/drbg/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/drbg/Makefile.in 2023-06-12 05:50:43.000000000 +0000 @@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/files/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/files/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/files/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/files/Makefile.in 2023-06-12 05:50:43.000000000 +0000 @@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/fips_prf/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/fips_prf/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/fips_prf/Makefile.in 2022-10-03 14:18:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/fips_prf/Makefile.in 2023-06-12 05:50:43.000000000 +0000 
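Review bot: `output` is declared only under `#if DEBUG_LEVEL >= 4`, but the `DBG4(DBG_LIB, "HMAC_DRBG out: %B", &output)` call after the loop is unconditional, so the code presumably compiles at lower debug levels only because DBG4 expands to nothing there. A comment on the declaration, `/* only referenced by DBG4 below, which is compiled out when DEBUG_LEVEL < 4 */`, would stop the next reader from "fixing" it by moving the declaration or the call. The chunk has to be captured before the loop, since `len -= delta; out += delta;` advance both values inside it; the function begins in the previous hunk.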
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/gcm/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/gcm/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/gcm/Makefile.in 2022-10-03 14:18:08.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/gcm/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/gcrypt/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/gcrypt/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/gcrypt/Makefile.in 2022-10-03 14:18:08.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/gcrypt/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -438,7 +438,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/gmp/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/gmp/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/gmp/Makefile.in 2022-10-03 14:18:08.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/gmp/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/hmac/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/hmac/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/hmac/Makefile.in 2022-10-03 14:18:08.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/hmac/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -430,7 +430,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/kdf/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/kdf/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/kdf/Makefile.in 2022-10-03 14:18:08.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/kdf/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/keychain/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/keychain/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/keychain/Makefile.in 2022-10-03 14:18:08.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/keychain/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/ldap/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/ldap/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/ldap/Makefile.in 2022-10-03 14:18:08.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/ldap/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/md4/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/md4/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/md4/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/md4/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/md5/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/md5/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/md5/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/md5/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/mgf1/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/mgf1/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/mgf1/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/mgf1/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/mysql/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/mysql/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/mysql/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/mysql/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/newhope/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/newhope/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/newhope/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/newhope/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -441,7 +441,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/newhope/tests/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/newhope/tests/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/newhope/tests/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/newhope/tests/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/nonce/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/nonce/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/nonce/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/nonce/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -432,7 +432,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/ntru/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/ntru/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/ntru/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/ntru/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/openssl/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/Makefile.in 2023-06-12 05:50:43.000000000 +0000 @@ -461,7 +461,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_crl.c strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_crl.c --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_crl.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_crl.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,6 +1,7 @@ /* * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2010 Martin Willi + * Copyright (C) 2022 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -230,7 +231,7 @@ METHOD(crl_t, get_serial, chunk_t, private_openssl_crl_t *this) { - return this->serial; + return chunk_skip_zero(this->serial); } METHOD(crl_t, is_delta_crl, bool, @@ -240,7 +241,7 @@ { if (base_crl) { - *base_crl = this->base; + *base_crl = chunk_skip_zero(this->base); } return TRUE; } 
@@ -302,7 +303,7 @@ return FALSE; } x509 = (x509_t*)issuer; - if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) + if (!(x509->get_flags(x509) & X509_CRL_SIGN)) { return FALSE; } diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_pkcs7.c strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_pkcs7.c --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_pkcs7.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_pkcs7.c 2023-06-08 10:35:17.000000000 +0000 @@ -213,7 +213,8 @@ /** * Verify signerInfo signature */ -static auth_cfg_t *verify_signature(CMS_SignerInfo *si, int hash_oid) +static auth_cfg_t *verify_signature(CMS_SignerInfo *si, + signature_params_t *sig_alg) { enumerator_t *enumerator; public_key_t *key; @@ -249,7 +250,8 @@ /* TODO: find a better way to access and verify the signature */ sig = openssl_asn1_str2chunk(si->signature); enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, - KEY_RSA, serial, FALSE); + key_type_from_signature_scheme(sig_alg->scheme), + serial, FALSE); while (enumerator->enumerate(enumerator, &cert, &auth)) { if (issuer->equals(issuer, cert->get_issuer(cert))) @@ -257,7 +259,7 @@ key = cert->get_public_key(cert); if (key) { - if (key->verify(key, signature_scheme_from_oid(hash_oid), NULL, + if (key->verify(key, sig_alg->scheme, sig_alg->params, attrs, sig)) { found = auth->clone(auth); @@ -340,6 +342,8 @@ { CMS_SignerInfo *si; X509_ALGOR *digest, *sig; + signature_params_t sig_alg = {}; + chunk_t sig_scheme; int hash_oid; /* clean up previous round */ 
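Review bot: The issuer check now requires `X509_CRL_SIGN` alone where it previously accepted any certificate with `X509_CA`, which matches RFC 5280 section 6.3.3 (a CRL issuer certificate that carries a keyUsage extension must assert cRLSign), but the reason a CA certificate without keyUsage still passes is not visible here: it depends on the x509 parser setting `X509_CRL_SIGN` for such CAs, the openssl_x509.c change elsewhere on this page. A comment at the check, `/* cRLSign is required; CA certs without a keyUsage extension get the flag implicitly in parse_extensions() */`, would make that coupling explicit for whoever next touches either side. The enclosing function begins outside the hunk.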
@@ -350,12 +354,24 @@ CMS_SignerInfo_get0_algs(si, NULL, NULL, &digest, &sig); hash_oid = openssl_asn1_known_oid(digest->algorithm); - if (openssl_asn1_known_oid(sig->algorithm) != OID_RSA_ENCRYPTION) + if (openssl_asn1_known_oid(sig->algorithm) == OID_RSA_ENCRYPTION) { - DBG1(DBG_LIB, "only RSA digest encryption supported"); - continue; + /* derive the signature scheme from the digest algorithm + * for the classic PKCS#7 RSA mechanism */ + sig_alg.scheme = signature_scheme_from_oid(hash_oid); } - this->auth = verify_signature(si, hash_oid); + else + { + sig_scheme = openssl_i2chunk(X509_ALGOR, sig); + if (!signature_params_parse(sig_scheme, 0, &sig_alg)) + { + free(sig_scheme.ptr); + continue; + } + free(sig_scheme.ptr); + } + this->auth = verify_signature(si, &sig_alg); + signature_params_clear(&sig_alg); if (!this->auth) { DBG1(DBG_LIB, "unable to verify pkcs7 attributes signature"); diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_plugin.c strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_plugin.c --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_plugin.c 2022-07-19 10:14:11.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_plugin.c 2023-06-08 10:35:17.000000000 +0000 @@ -654,13 +654,6 @@ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521), #endif #endif /* OPENSSL_NO_ECDSA */ -#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH) - PLUGIN_REGISTER(KE, openssl_x_diffie_hellman_create), - /* available since 1.1.0a, but we require 1.1.1 features */ - PLUGIN_PROVIDE(KE, CURVE_25519), - /* available since 1.1.1 */ - PLUGIN_PROVIDE(KE, CURVE_448), -#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_ECDH */ #if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_EC) /* EdDSA private/public key loading */ PLUGIN_REGISTER(PUBKEY, openssl_ed_public_key_load, TRUE), 
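Review bot: In the RSA branch `sig_alg.scheme` is taken from `signature_scheme_from_oid(hash_oid)` without checking the result, so an unrecognised digest OID proceeds into verify_signature() with an unknown scheme and only fails there, after a trusted-certificate enumeration keyed on `key_type_from_signature_scheme()`; the non-RSA branch, by contrast, skips the signer as soon as `signature_params_parse()` fails. If signature_scheme_from_oid() reports unknown OIDs as `SIGN_UNKNOWN`, mirroring that with `if (sig_alg.scheme == SIGN_UNKNOWN) { DBG1(DBG_LIB, "unsupported digest algorithm in pkcs7 signerInfo"); continue; }` after the assignment would fail early and say why. The loop and the target of `continue` begin in the previous hunk.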
@@ -706,7 +699,17 @@ #endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_NO_ECDH */ }; - static plugin_feature_t f[countof(f_base) + countof(f_ecdh)] = {}; + static plugin_feature_t f_xdh[] = { +#if OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(OPENSSL_NO_ECDH) + /* define them here, so we can add them after the EC DH groups */ + PLUGIN_REGISTER(KE, openssl_x_diffie_hellman_create), + /* available since 1.1.0a, but we require 1.1.1 features */ + PLUGIN_PROVIDE(KE, CURVE_25519), + /* available since 1.1.1 */ + PLUGIN_PROVIDE(KE, CURVE_448), +#endif /* OPENSSL_VERSION_NUMBER && !OPENSSL_NO_ECDH */ + }; + static plugin_feature_t f[countof(f_base) + countof(f_ecdh) + countof(f_xdh)] = {}; static int count = 0; if (!count) @@ -715,6 +718,7 @@ #ifndef OPENSSL_NO_ECDH add_ecdh_features(f, f_ecdh, countof(f_ecdh), &count); #endif + plugin_features_add(f, f_xdh, countof(f_xdh), &count); } *features = f; return count; @@ -829,6 +833,7 @@ if (!fips) { DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider"); + destroy(this); return NULL; } /* explicitly load the base provider containing encoding functions */ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h 2023-03-27 21:00:49.000000000 +0000 
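Review bot: The `destroy(this)` added in the `@@ -829` hunk closes the leak on the FIPS-provider failure path, but the base-provider load that the next comment line announces is outside the hunk, and if it has its own `return NULL` it presumably needs the same cleanup; the two paths are adjacent, so worth checking together. In the `@@ -706` hunk, the comment `/* define them here, so we can add them after the EC DH groups */` says what but not why the order matters; stating the reason (what depends on the x25519/x448 entries following the EC groups) would make the `plugin_features_add(f, f_xdh, ...)` placement in the `@@ -715` hunk self-explaining.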
@@ -73,17 +73,4 @@ */ private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key, bool engine); -/** - * Connect to a RSA private key on a smartcard. - * - * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN - * arguments. - * - * @param type type of the key, must be KEY_RSA - * @param args builder_part_t argument list - * @return loaded key, NULL on failure - */ -openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, - va_list args); - #endif /** OPENSSL_RSA_PRIVATE_KEY_H_ @}*/ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_util.c strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_util.c --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_util.c 2022-09-20 09:07:33.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_util.c 2023-03-27 21:00:49.000000000 +0000 
@@ -132,51 +132,6 @@ /** * Described in header. */ -bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash) -{ - EVP_MD_CTX *ctx; - bool ret = FALSE; - const EVP_MD *hasher = EVP_get_digestbynid(hash_type); - if (!hasher) - { - return FALSE; - } - - ctx = EVP_MD_CTX_create(); - if (!ctx) - { - goto error; - } - - if (!EVP_DigestInit_ex(ctx, hasher, NULL)) - { - goto error; - } - - if (!EVP_DigestUpdate(ctx, data.ptr, data.len)) - { - goto error; - } - - *hash = chunk_alloc(EVP_MD_size(hasher)); - if (!EVP_DigestFinal_ex(ctx, hash->ptr, NULL)) - { - chunk_free(hash); - goto error; - } - - ret = TRUE; -error: - if (ctx) - { - EVP_MD_CTX_destroy(ctx); - } - return ret; -} - -/** - * Described in header. - */ bool openssl_bn_cat(const int len, const BIGNUM *a, const BIGNUM *b, chunk_t *chunk) { diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_util.h strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_util.h --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_util.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_util.h 2023-03-27 21:00:49.000000000 +0000 
@@ -58,18 +58,6 @@ bool openssl_fingerprint(EVP_PKEY *key, cred_encoding_type_t type, chunk_t *fp); /** - * Creates a hash of a given type of a chunk of data. - * - * Note: this function allocates memory for the hash - * - * @param hash_type NID of the hash - * @param data the chunk of data to hash - * @param hash chunk that contains the hash - * @return TRUE on success, FALSE otherwise - */ -bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash); - -/** * Concatenates two bignums into a chunk, thereby enforcing the length of * a single BIGNUM, if necessary, by pre-pending it with zeros. * diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_x509.c strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_x509.c --- strongswan-5.9.8/src/libstrongswan/plugins/openssl/openssl_x509.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/openssl/openssl_x509.c 2023-03-27 21:00:49.000000000 +0000 @@ -687,9 +687,6 @@ { ASN1_BIT_STRING *usage; - /* to be compliant with RFC 4945 specific KUs have to be included */ - this->flags &= ~X509_IKE_COMPLIANT; - usage = X509V3_EXT_d2i(ext); if (usage) { @@ -1013,11 +1010,9 @@ static bool parse_extensions(private_openssl_x509_t *this) { const STACK_OF(X509_EXTENSION) *extensions; + bool key_usage_parsed = FALSE; int i, num; - /* unless we see a keyUsage extension we are compliant with RFC 4945 */ - this->flags |= X509_IKE_COMPLIANT; - extensions = X509_get0_extensions(this->x509); if (extensions) { @@ -1051,6 +1046,7 @@ break; case NID_key_usage: ok = parse_keyUsage_ext(this, ext); + key_usage_parsed = TRUE; break; case NID_ext_key_usage: ok = parse_extKeyUsage_ext(this, ext); 
@@ -1084,6 +1080,16 @@ } } } + if (!key_usage_parsed) + { + /* we are compliant with RFC 4945 without keyUsage extension */ + this->flags |= X509_IKE_COMPLIANT; + /* allow CA certificates without keyUsage extension to sign CRLs */ + if (this->flags & X509_CA) + { + this->flags |= X509_CRL_SIGN; + } + } return TRUE; } diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/padlock/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/padlock/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/padlock/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/padlock/Makefile.in 2023-06-12 05:50:43.000000000 +0000 @@ -435,7 +435,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pem/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pem/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/pem/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/pem/Makefile.in 2023-06-12 05:50:43.000000000 +0000 @@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pgp/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pgp/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/pgp/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/pgp/Makefile.in 2023-06-12 05:50:43.000000000 +0000 
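Review bot: The comment on the new fall-back block does not say which rule lets a CA certificate without a keyUsage extension sign CRLs, so the unconditional `this->flags |= X509_CRL_SIGN;` reads like a local leniency rather than standard behaviour. RFC 5280 §4.2.1.3 restricts key usage only when the extension is present, and §6.3.3 (b) requires cRLSign of the CRL issuer only in that case, so the grant is conformant and the comment should cite it, e.g. `/* RFC 5280 restricts key usage only if keyUsage is present (4.2.1.3), so a CA without it may also sign CRLs (6.3.3 b) */`. The X509_CA bit this relies on is presumably set by the basicConstraints case earlier in the same loop, which lies outside the hunk, as does the start of parse_extensions.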
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pkcs1/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pkcs1/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/pkcs1/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/pkcs1/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pkcs11/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pkcs11/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/pkcs11/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/pkcs11/Makefile.in 2023-06-12 05:50:43.000000000 +0000
@@ -440,7 +440,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pkcs12/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pkcs12/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/pkcs12/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/pkcs12/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pkcs7/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pkcs7/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/pkcs7/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/pkcs7/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -439,7 +439,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c strongswan-5.9.11/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c --- strongswan-5.9.8/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c 2022-10-03 08:43:43.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/pkcs7/pkcs7_signed_data.c 2023-06-08 10:35:17.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2023 Tobias Brunner * Copyright (C) 2012 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -86,9 +87,9 @@ identification_t *issuer; /** - * EncryptedDigest + * Signature */ - chunk_t encrypted_digest; + chunk_t signature; /** * Digesting algorithm OID @@ -96,21 +97,22 @@ int digest_alg; /** - * Public key encryption algorithm OID + * Signature algorithm */ - int enc_alg; + signature_params_t sig_alg; } signerinfo_t; /** * Destroy a signerinfo_t entry */ -void signerinfo_destroy(signerinfo_t *this) +static void signerinfo_destroy(signerinfo_t *this) { DESTROY_IF(this->attributes); DESTROY_IF(this->serial); DESTROY_IF(this->issuer); - free(this->encrypted_digest.ptr); + signature_params_clear(&this->sig_alg); + free(this->signature.ptr); free(this); } 
@@ -142,8 +144,8 @@ { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT | ASN1_OBJ }, /* 19 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */ - { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */ - { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */ + { 3, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */ + { 3, "signature", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */ { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */ @@ -159,8 +161,8 @@ #define PKCS7_SERIAL_NUMBER 17 #define PKCS7_DIGEST_ALGORITHM 18 #define PKCS7_AUTH_ATTRIBUTES 19 -#define PKCS7_DIGEST_ENC_ALGORITHM 21 -#define PKCS7_ENCRYPTED_DIGEST 22 +#define PKCS7_SIGNATURE_ALGORITHM 21 +#define PKCS7_SIGNATURE 22 METHOD(container_t, get_type, container_type_t, private_pkcs7_signed_data_t *this) @@ -188,7 +190,6 @@ signature_enumerator_t *this, va_list args) { signerinfo_t *info; - signature_scheme_t scheme; hash_algorithm_t algorithm; enumerator_t *enumerator; certificate_t *cert; @@ -206,25 +207,20 @@ DESTROY_IF(this->auth); this->auth = NULL; - scheme = signature_scheme_from_oid(info->digest_alg); - if (scheme == SIGN_UNKNOWN) - { - DBG1(DBG_LIB, "unsupported signature scheme"); - continue; - } if (!info->attributes) { DBG1(DBG_LIB, "no authenticatedAttributes object found"); continue; } - if (info->enc_alg != OID_RSA_ENCRYPTION) + if (info->sig_alg.scheme == SIGN_UNKNOWN) { - DBG1(DBG_LIB, "only RSA digest encryption supported"); + DBG1(DBG_LIB, "unsupported signature scheme"); continue; } enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, - KEY_RSA, info->serial, FALSE); + key_type_from_signature_scheme(info->sig_alg.scheme), + info->serial, FALSE); while (enumerator->enumerate(enumerator, &cert, &auth)) { if (info->issuer->equals(info->issuer, cert->get_issuer(cert))) 
@@ -233,8 +229,8 @@ if (key) { chunk = info->attributes->get_encoding(info->attributes); - if (key->verify(key, scheme, NULL, chunk, - info->encrypted_digest)) + if (key->verify(key, info->sig_alg.scheme, + info->sig_alg.params, chunk, info->signature)) { this->auth = auth->clone(auth); key->destroy(key); @@ -409,7 +405,7 @@ { asn1_parser_t *parser; chunk_t object; - int objectID, version; + int objectID; signerinfo_t *info = NULL; bool success = FALSE; @@ -422,8 +418,7 @@ switch (objectID) { case PKCS7_VERSION: - version = object.len ? (int)*object.ptr : 0; - DBG2(DBG_LIB, " v%d", version); + DBG2(DBG_LIB, " v%d", object.len ? (int)*object.ptr : 0); break; case PKCS7_CONTENT_INFO: this->content = lib->creds->create(lib->creds, @@ -448,13 +443,11 @@ case PKCS7_SIGNER_INFO: INIT(info, .digest_alg = OID_UNKNOWN, - .enc_alg = OID_UNKNOWN, ); this->signerinfos->insert_last(this->signerinfos, info); break; case PKCS7_SIGNER_INFO_VERSION: - version = object.len ? (int)*object.ptr : 0; - DBG2(DBG_LIB, " v%d", version); + DBG2(DBG_LIB, " v%d", object.len ? (int)*object.ptr : 0); break; case PKCS7_ISSUER: info->issuer = identification_create_from_encoding( 
@@ -474,12 +467,22 @@ info->digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL); break; - case PKCS7_DIGEST_ENC_ALGORITHM: - info->enc_alg = asn1_parse_algorithmIdentifier(object, - level, NULL); + case PKCS7_SIGNATURE_ALGORITHM: + if (!signature_params_parse(object, level, &info->sig_alg)) + { + if (asn1_parse_algorithmIdentifier(object, -1, + NULL) == OID_RSA_ENCRYPTION && + info->digest_alg != OID_UNKNOWN) + { + /* derive the signature scheme from the digest algorithm + * for the classic PKCS#7 RSA mechanism */ + info->sig_alg.scheme = signature_scheme_from_oid( + info->digest_alg); + } + } break; - case PKCS7_ENCRYPTED_DIGEST: - info->encrypted_digest = chunk_clone(object); + case PKCS7_SIGNATURE: + info->signature = chunk_clone(object); break; } } diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pkcs8/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pkcs8/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/pkcs8/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/pkcs8/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -432,7 +432,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/plugin_loader.c strongswan-5.9.11/src/libstrongswan/plugins/plugin_loader.c --- strongswan-5.9.8/src/libstrongswan/plugins/plugin_loader.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/plugin_loader.c 2023-06-08 10:35:17.000000000 +0000 
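Review bot: When signature_params_parse() fails and the fall-back does not apply — the AlgorithmIdentifier is not rsaEncryption, or digestAlgorithm was absent or unknown — nothing is logged at parse time; the signerInfo keeps its initial scheme (SIGN_UNKNOWN, judging by the later `== SIGN_UNKNOWN` test) and the rejection only surfaces in the enumerator as the generic "unsupported signature scheme", without the OID that caused it. An else branch such as `DBG1(DBG_LIB, "unsupported signatureAlgorithm in signerInfo");` would make such containers diagnosable. The comment on the fall-back could also state that the hash is then taken from digestAlgorithm (RFC 5652 §5.4, the pre-PSS PKCS#7 convention), an unauthenticated field, which is acceptable only because a wrong choice makes the signature over the authenticated attributes fail to verify. The enclosing parse function starts outside the hunk.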
@@ -755,10 +755,11 @@ { bool soft = provided->feature[i].kind == FEATURE_SDEPEND; -#ifndef USE_FUZZING +#if !defined(USE_FUZZING) && DEBUG_LEVEL >= 1 char *name, *provide, *depend; +#if DEBUG_LEVEL >= 3 int indent = level * 2; - +#endif name = provided->entry->plugin->get_name(provided->entry->plugin); provide = plugin_feature_get_string(&provided->feature[0]); depend = plugin_feature_get_string(&provided->feature[i]); @@ -779,7 +780,7 @@ } free(provide); free(depend); -#endif /* !USE_FUZZING */ +#endif /* !USE_FUZZING && DEBUG_LEVEL */ if (soft) { /* it's ok if we can't resolve soft dependencies */ @@ -809,7 +810,7 @@ return; } -#ifndef USE_FUZZING +#if !defined(USE_FUZZING) && DEBUG_LEVEL >= 1 char *name, *provide; name = provided->entry->plugin->get_name(provided->entry->plugin); @@ -825,7 +826,7 @@ provide, name); } free(provide); -#endif /* !USE_FUZZING */ +#endif /* !USE_FUZZING && DEBUG_LEVEL */ } else { /* TODO: we could check the current level and set a different flag when @@ -845,13 +846,12 @@ provided_feature_t *provided, int level) { - if (provided->loaded || provided->failed) { return; } -#ifndef USE_FUZZING +#if !defined(USE_FUZZING) && DEBUG_LEVEL >= 3 char *name, *provide; int indent = level * 2; @@ -872,7 +872,7 @@ { return; } -#endif /* USE_FUZZING */ +#endif /* USE_FUZZING && DEBUG_LEVEL */ provided->loading = TRUE; load_feature(this, provided, level + 1); diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/pubkey/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/pubkey/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/pubkey/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/pubkey/Makefile.in 2023-06-12 05:50:44.000000000 +0000 
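Review bot: The `return;` just before the `#endif` in the last hunk is now compiled out whenever DEBUG_LEVEL < 3, not only for fuzzing builds; its condition lies outside the hunk, but if it is the guard that stops a feature from being re-entered while `provided->loading` is set, release builds with a low DEBUG_LEVEL lose that guard together with the DBG3 output. If so, the check belongs outside the conditional, with only the message under `#if`. The closing comment also contradicts the condition it closes: `#endif /* USE_FUZZING && DEBUG_LEVEL */` should read `#endif /* !USE_FUZZING && DEBUG_LEVEL >= 3 */`, as the earlier hunks in this file do. The enclosing function begins before the `@@ -845` hunk and its body continues after the `@@ -872` hunk.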
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/random/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/random/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/random/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/random/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/rc2/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/rc2/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/rc2/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/rc2/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/rdrand/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/rdrand/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/rdrand/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/rdrand/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/revocation/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/revocation/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/revocation/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/revocation/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/revocation/revocation_validator.c strongswan-5.9.11/src/libstrongswan/plugins/revocation/revocation_validator.c
--- strongswan-5.9.8/src/libstrongswan/plugins/revocation/revocation_validator.c 2022-10-03 14:14:38.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/revocation/revocation_validator.c 2023-06-08 10:35:17.000000000 +0000
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015-2018 Tobias Brunner
  * Copyright (C) 2010 Martin Willi
- * Copyright (C) 2009 Andreas Steffen
+ * Copyright (C) 2009-2022 Andreas Steffen
  *
  * Copyright (C) secunet Security Networks AG
  *
@@ -138,7 +138,8 @@
 /**
  * check the signature of an OCSP response
  */
-static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca)
+static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca,
+ bool cached)
 {
 certificate_t *issuer, *subject;
 identification_t *responder;
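Review bot: The new `cached` parameter of verify_ocsp() is not documented; the header comment above the signature still only says "check the signature of an OCSP response". The later hunks of this file section show the flag gating nothing but DBG1 calls, so a line such as `@param cached TRUE if the response came from the cache (suppresses log output for a non-matching candidate)`, or in the existing plain-sentence style "cached suppresses the diagnostics for responses taken from the cache", would state the contract. The body of verify_ocsp continues outside the hunk.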
@@ -177,8 +178,11 @@ found = TRUE; if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL)) { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", - issuer->get_subject(issuer)); + if (!cached) + { + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + } verified = TRUE; break; } @@ -204,8 +208,11 @@ found = TRUE; if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL)) { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", - issuer->get_subject(issuer)); + if (!cached) + { + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + } verified = TRUE; break; } @@ -219,7 +226,7 @@ lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); wrapper->destroy(wrapper); - if (!found) + if (!found && !cached) { DBG1(DBG_CFG, "ocsp response verification failed, " "no signer certificate '%Y' found", responder); @@ -232,7 +239,7 @@ */ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, x509_t *subject, x509_t *issuer, - cert_validation_t *valid, bool cache) + cert_validation_t *valid, bool cached) { ocsp_response_t *response; time_t revocation, this_update, next_update, valid_until; @@ -242,7 +249,7 @@ response = (ocsp_response_t*)cand; /* check ocsp signature */ - if (!verify_ocsp(response, &issuer->interface)) + if (!verify_ocsp(response, &issuer->interface, cached)) { cand->destroy(cand); return best; @@ -263,7 +270,11 @@ default: case VALIDATION_FAILED: /* candidate unusable, does not contain our cert */ - DBG1(DBG_CFG, " ocsp response contains no status on our certificate"); + if (!cached) + { + DBG1(DBG_CFG, " ocsp response contains no status on our " + "certificate"); + } cand->destroy(cand); return best; } 
@@ -278,7 +289,7 @@ DBG1(DBG_CFG, " ocsp response is valid: until %T", &valid_until, FALSE); *valid = VALIDATION_GOOD; - if (cache) + if (!cached) { /* cache non-stale only, stale certs get refetched */ lib->credmgr->cache_cert(lib->credmgr, best); } @@ -322,7 +333,7 @@ while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); + best = get_better_ocsp(current, best, subject, issuer, &valid, TRUE); if (best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached ocsp response"); @@ -350,7 +361,7 @@ if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, FALSE); if (best && valid != VALIDATION_STALE) { break; @@ -373,7 +384,7 @@ if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, FALSE); if (best && valid != VALIDATION_STALE) { break; @@ -534,11 +545,11 @@ return best; } - subject_serial = chunk_skip_zero(subject->get_serial(subject)); + subject_serial = subject->get_serial(subject); enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) { - if (chunk_equals(subject_serial, chunk_skip_zero(serial))) + if (chunk_equals(subject_serial, serial)) { if (reason != CRL_REASON_CERTIFICATE_HOLD) { @@ -672,7 +683,8 @@ u_int timeout) { cert_validation_t valid = VALIDATION_SKIPPED; - certificate_t *best = NULL, *current, *cissuer = (certificate_t*)issuer; + certificate_t *best = NULL, *current; + certificate_t *cissuer DBG_UNUSED = (certificate_t*)issuer; enumerator_t *enumerator; identification_t *id; x509_cdp_t *cdp; 
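Review bot: Dropping chunk_skip_zero() from both sides of the serial comparison in the `@@ -534` hunk turns a normalised match into a byte-exact one, and a mismatch here fails open: a revoked certificate whose serial has the high bit set is DER-encoded with a leading 0x00 byte, and if `subject->get_serial()` and the CRL enumerator do not deliver serials in the same normalised form, chunk_equals() misses the entry and the certificate passes as not revoked. The change is only sound if every certificate backend (the x509, openssl and wolfssl plugins each implement get_serial) strips the leading zero the same way the CRL parser does; that invariant is not visible in this hunk and deserves a comment at the comparison, e.g. `/* compared as-is: both serials must already be normalized (no leading zeros) by the parsers */`, plus a regression test with a serial whose first byte is >= 0x80. The enclosing CRL check function starts outside the hunk.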
@@ -741,7 +753,7 @@
 auth_cfg_t *auth, u_int timeout)
 {
 cert_validation_t valid = VALIDATION_SKIPPED;
- certificate_t *best = NULL, *cissuer = (certificate_t*)issuer;
+ certificate_t *best = NULL, *cissuer DBG_UNUSED = (certificate_t*)issuer;
 identification_t *id;
 x509_cdp_t *cdp;
 bool uri_found = FALSE;
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/sha1/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/sha1/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/sha1/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/sha1/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -432,7 +432,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/sha1/sha1_hasher.c strongswan-5.9.11/src/libstrongswan/plugins/sha1/sha1_hasher.c
--- strongswan-5.9.8/src/libstrongswan/plugins/sha1/sha1_hasher.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/sha1/sha1_hasher.c 2023-03-27 21:00:49.000000000 +0000
@@ -2,8 +2,8 @@
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  *
- * Ported from Steve Reid's implementation
- * "SHA1 in C" found in strongSwan.
+ * Ported from Steve Reid's 100% public domain
+ * implementation "SHA-1 in C".
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/sha2/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/sha2/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/sha2/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/sha2/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -431,7 +431,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/sha3/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/sha3/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/sha3/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/sha3/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -433,7 +433,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/soup/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/soup/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/soup/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/soup/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -432,7 +432,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/sqlite/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/sqlite/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/sqlite/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/sqlite/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/sqlite/sqlite_plugin.c strongswan-5.9.11/src/libstrongswan/plugins/sqlite/sqlite_plugin.c --- strongswan-5.9.8/src/libstrongswan/plugins/sqlite/sqlite_plugin.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/sqlite/sqlite_plugin.c 2023-06-08 10:35:17.000000000 +0000 @@ -62,7 +62,9 @@ plugin_t *sqlite_plugin_create() { private_sqlite_plugin_t *this; +#if SQLITE_VERSION_NUMBER >= 3005000 && DEBUG_LEVEL >= 2 int threadsafe = 0; +#endif INIT(this, .public = { @@ -74,7 +76,7 @@ }, ); -#if SQLITE_VERSION_NUMBER >= 3005000 +#if SQLITE_VERSION_NUMBER >= 3005000 && DEBUG_LEVEL >= 2 threadsafe = sqlite3_threadsafe(); #endif DBG2(DBG_LIB, "using SQLite %s, thread safety %d", diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/sshkey/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/sshkey/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/sshkey/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/sshkey/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/test_vectors/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/test_vectors/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/test_vectors/Makefile.in 2022-10-03 14:18:09.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/test_vectors/Makefile.in 2023-06-12 05:50:44.000000000 +0000 
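Review bot: The condition `SQLITE_VERSION_NUMBER >= 3005000 && DEBUG_LEVEL >= 2` is now spelled out twice, once around the declaration of `threadsafe` and once around the assignment, and the two copies must stay identical or the variable becomes either unused or undeclared. Declaring and assigning `threadsafe` in one `#if` block next to the DBG2 call, or putting the condition in a single local macro, removes that coupling. The DBG2 call's remaining arguments lie outside the hunk, so whether it still names `threadsafe` when DEBUG_LEVEL < 2 cannot be checked here; the construction assumes DBG2 expands to nothing below that level, which is worth a one-line comment at the declaration.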
@@ -497,7 +497,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/unbound/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/unbound/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/unbound/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/unbound/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -435,7 +435,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/winhttp/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/winhttp/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/winhttp/Makefile.in 2022-10-03 14:18:09.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/winhttp/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -434,7 +434,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/Makefile.in
--- strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/Makefile.in 2022-10-03 14:18:10.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/Makefile.in 2023-06-12 05:50:44.000000000 +0000
@@ -455,7 +455,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/wolfssl_common.h strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/wolfssl_common.h --- strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/wolfssl_common.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/wolfssl_common.h 2023-03-27 21:00:49.000000000 +0000 @@ -47,20 +47,18 @@ /* PARSE_ERROR is an enum entry in wolfSSL - not used in this plugin */ #define PARSE_ERROR WOLFSSL_PARSE_ERROR -/* Remap unused enums from the OpenSSL compatibility layer to avoid conflicts */ -#define ASN1_BOOLEAN REMAP_ASN1_BOOLEAN -#define ASN1_OID REMAP_ASN1_OID -#define ASN1_INTEGER REMAP_ASN1_INTEGER -#define ASN1_BIT_STRING REMAP_ASN1_BIT_STRING -#define ASN1_IA5STRING REMAP_ASN1_IA5STRING -#define ASN1_OCTET_STRING REMAP_ASN1_OCTET_STRING -#define ASN1_UTCTIME REMAP_ASN1_UTCTIME -#define ASN1_GENERALIZEDTIME REMAP_ASN1_GENERALIZEDTIME - #ifndef WOLFSSL_USER_SETTINGS #include #endif -#include + +/* Disable inclusion of the wolfSSL OpenSSL compatibility layer header (if + * configured) as it is not used by the plugin and causes conflicts */ +#define WOLFSSL_OPENSSL_H_ + +#if defined(HAVE_FIPS) && \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) + #include +#endif /* Special type used to handle EdDSA keys depending on config options */ #if defined(HAVE_ED25519) || defined(HAVE_ED448) 
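Review bot: Pre-defining `WOLFSSL_OPENSSL_H_` to keep the compatibility-layer header out relies on the spelling of wolfSSL's internal include guard, which is not visible here; if a wolfSSL release renames that guard, the header silently comes back and the conflicts the comment mentions return without any compile-time hint. The comment should name the header whose guard is being pre-empted and the wolfSSL version it was checked against, e.g. `/* pre-empts the include guard of wolfSSL's OpenSSL compatibility header (wolfssl/openssl/ssl.h as of the tested release); re-check the guard name on wolfSSL updates */` — the exact header is an assumption, since the `#include` targets in this hunk are lost in this rendering. The FIPS-only include below it has the same problem: its header name is missing as shown, so it cannot be checked here.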
@@ -82,15 +80,6 @@ #undef PARSE_ERROR -#undef ASN1_BOOLEAN -#undef ASN1_OID -#undef ASN1_INTEGER -#undef ASN1_BIT_STRING -#undef ASN1_IA5STRING -#undef ASN1_OCTET_STRING -#undef ASN1_UTCTIME -#undef ASN1_GENERALIZEDTIME - /* Eliminate macro conflicts */ #undef RNG diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c --- strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c 2023-03-27 21:00:49.000000000 +0000 @@ -31,6 +31,12 @@ #include +#if defined(ECC_TIMING_RESISTANT) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5))) + #define USE_RNG_FOR_TIMING_RESISTANCE +#endif + typedef struct private_wolfssl_ec_diffie_hellman_t private_wolfssl_ec_diffie_hellman_t; /** @@ -203,13 +209,14 @@ static bool compute_shared_key(private_wolfssl_ec_diffie_hellman_t *this) { word32 len; -#ifdef ECC_TIMING_RESISTANT +#ifdef USE_RNG_FOR_TIMING_RESISTANCE WC_RNG rng; if (wc_InitRng(&rng) != 0) { return FALSE; } + if (wc_ecc_set_rng(&this->key, &rng) != 0) { wc_FreeRng(&rng); @@ -225,13 +232,13 @@ { DBG1(DBG_LIB, "ECDH shared secret computation failed"); chunk_clear(&this->shared_secret); -#ifdef ECC_TIMING_RESISTANT +#ifdef USE_RNG_FOR_TIMING_RESISTANCE wc_FreeRng(&rng); #endif return FALSE; } this->shared_secret.len = len; -#ifdef ECC_TIMING_RESISTANT +#ifdef USE_RNG_FOR_TIMING_RESISTANCE wc_FreeRng(&rng); #endif return TRUE; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c --- strongswan-5.9.8/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c 2022-07-19 10:14:11.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c 2023-03-27 21:00:49.000000000 +0000 
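Review bot: The new USE_RNG_FOR_TIMING_RESISTANCE macro excludes FIPS modules before version 5 without saying why, so in those builds compute_shared_key() now runs with ECC_TIMING_RESISTANT defined but never calls wc_ecc_set_rng(), and a reader cannot tell whether that is a loss of blinding or merely a different API. If the reason is that those FIPS modules do not expose wc_ecc_set_rng() (or seed the key internally), the macro deserves a comment saying so, e.g. `/* wc_ecc_set_rng() is available outside FIPS and in FIPS v5+ only; older FIPS modules handle the RNG internally */` — to be confirmed against the wolfSSL FIPS headers before committing to that wording.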
@@ -21,10 +21,11 @@ * THE SOFTWARE. */ +#include "wolfssl_common.h" + #include #include -#include "wolfssl_common.h" #include "wolfssl_plugin.h" #include "wolfssl_aead.h" #include "wolfssl_crypter.h" @@ -44,6 +45,8 @@ #include "wolfssl_x_diffie_hellman.h" #include "wolfssl_xof.h" +#include + #ifndef FIPS_MODE #define FIPS_MODE 0 #endif diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/x509/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/x509/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/x509/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/x509/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_ac.c strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_ac.c --- strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_ac.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_ac.c 2023-06-08 10:35:17.000000000 +0000 @@ -2,7 +2,7 @@ * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler * Copyright (C) 2003 Martin Berner, Lukas Suter - * Copyright (C) 2002-2017 Andreas Steffen + * Copyright (C) 2002-2022 Andreas Steffen * Copyright (C) 2009 Martin Willi * * Copyright (C) secunet Security Networks AG 
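Review bot: Moving `#include "wolfssl_common.h"` to the top is left unexplained in the hunk, yet the order is load-bearing: that header remaps names and pre-defines an include guard before any wolfSSL header is seen (as the wolfssl_common.h hunks above show), so a later include placed above it, or a formatter sorting includes, would silently undo the fix. A one-line comment pins the requirement, e.g. `/* must come first: configures wolfSSL and remaps conflicting names before any other header */`. The second hunk adds an `#include` whose header name is missing from this rendering, so it cannot be reviewed here.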
@@ -335,12 +335,12 @@ { { 0, "AttributeCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ { 1, "AttributeCertificateInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ - { 2, "version", ASN1_INTEGER, ASN1_DEF | + { 2, "version", ASN1_INTEGER, ASN1_DEF | ASN1_BODY }, /* 2 */ - { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */ - { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */ - { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ - { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */ + { 2, "holder", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 4 */ + { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ + { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 6 */ { 4, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | ASN1_BODY }, /* 7 */ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 8 */ 
@@ -348,44 +348,44 @@ { 3, "entityName", ASN1_CONTEXT_C_1, ASN1_OPT | ASN1_OBJ }, /* 10 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ - { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */ - { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13 */ - { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + { 3, "objectDigestInfo", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 12 */ + { 4, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 13 */ + { 4, "otherObjectTypeID", ASN1_OID, ASN1_OPT | ASN1_BODY }, /* 14 */ { 4, "end opt", ASN1_EOC, ASN1_END }, /* 15 */ { 4, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 16 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 17 */ - { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */ - { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT | + { 2, "v2Form", ASN1_CONTEXT_C_0, ASN1_NONE }, /* 18 */ + { 3, "issuerName", ASN1_SEQUENCE, ASN1_OPT | ASN1_OBJ }, /* 19 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */ - { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */ - { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */ - { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */ - { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */ + { 3, "baseCertificateID", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 21 */ + { 4, "issuerSerial", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */ + { 5, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 23 */ + { 5, "serial", ASN1_INTEGER, ASN1_BODY }, /* 24 */ { 5, "issuerUID", ASN1_BIT_STRING, ASN1_OPT | ASN1_BODY }, /* 25 */ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 26 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 27 */ { 3, "objectDigestInfo", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 28 */ - { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */ - { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */ - { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT | + { 4, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 29 */ + { 5, "digestedObjectType", ASN1_ENUMERATED, ASN1_BODY }, /* 30 */ + { 5, "otherObjectTypeID", ASN1_OID, ASN1_OPT | 
ASN1_BODY }, /* 31 */ { 5, "end opt", ASN1_EOC, ASN1_END }, /* 32 */ { 5, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 33 */ { 3, "end opt", ASN1_EOC, ASN1_END }, /* 34 */ - { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */ - { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */ - { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */ - { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */ - { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */ - { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */ + { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 35 */ + { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 36 */ + { 2, "attrCertValidityPeriod", ASN1_SEQUENCE, ASN1_NONE }, /* 37 */ + { 3, "notBeforeTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 38 */ + { 3, "notAfterTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 39 */ + { 2, "attributes", ASN1_SEQUENCE, ASN1_LOOP }, /* 40 */ { 3, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 41 */ { 4, "type", ASN1_OID, ASN1_BODY }, /* 42 */ { 4, "values", ASN1_SET, ASN1_LOOP }, /* 43 */ { 5, "value", ASN1_EOC, ASN1_RAW }, /* 44 */ - { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */ + { 4, "end loop", ASN1_EOC, ASN1_END }, /* 45 */ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 46 */ { 2, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 47 */ { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 48 */ @@ -429,7 +429,6 @@ int extn_oid = OID_UNKNOWN; signature_params_t sig_alg = {}; bool success = FALSE; - bool critical; parser = asn1_parser_create(acObjects, this->encoding); @@ -461,7 +460,7 @@ break; case AC_OBJ_HOLDER_SERIAL: this->holderSerial = identification_create_from_encoding( - ID_KEY_ID, object); + ID_KEY_ID, chunk_skip_zero(object)); break; case AC_OBJ_ENTITY_NAME: if (!parse_directoryName(object, level, TRUE, 
@@ -529,8 +528,8 @@ extn_oid = asn1_known_oid(object); break; case AC_OBJ_CRITICAL: - critical = object.len && *object.ptr; - DBG2(DBG_ASN, " %s",(critical)?"TRUE":"FALSE"); + DBG2(DBG_ASN, " %s", + object.len && *object.ptr ? "TRUE" : "FALSE"); break; case AC_OBJ_EXTN_VALUE: { @@ -600,13 +599,16 @@ x509_t* x509 = (x509_t*)this->holderCert; identification_t *issuer, *subject; + this->holderSerial = identification_create_from_encoding( + ID_KEY_ID, x509->get_serial(x509)); + issuer = this->holderCert->get_issuer(this->holderCert); subject = this->holderCert->get_subject(this->holderCert); return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_wrap(ASN1_CONTEXT_C_0, "mm", build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)), - asn1_simple_object(ASN1_INTEGER, x509->get_serial(x509))), + asn1_integer("c", x509->get_serial(x509))), build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject))); } @@ -725,8 +727,8 @@ } authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1, issuer->get_encoding(issuer)); - authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2, - x509->get_serial(x509)); + authorityCertSerialNumber = asn1_integer("c", x509->get_serial(x509)); + authorityCertSerialNumber.ptr[0] = ASN1_CONTEXT_S_2; return asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_AUTHORITY_KEY_ID), asn1_wrap(ASN1_OCTET_STRING, "m", @@ -759,7 +761,7 @@ build_holder(this), build_v2_form(this), sig_scheme, - asn1_simple_object(ASN1_INTEGER, this->serialNumber), + asn1_integer("c", this->serialNumber), build_attr_cert_validity(this), build_attributes(this), build_extensions(this)); 
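Review bot: build_holder() now assigns this->holderSerial unconditionally; if the builder already set it, or build_holder() runs more than once for the same object, the previous identification_t is leaked, and neither case is visible from here, so a cheap guard is preferable: `DESTROY_IF(this->holderSerial);` immediately before the identification_create_from_encoding() call. The serial passed in is now the chunk_skip_zero()'d value from x509->get_serial(), which is presumably why asn1_integer("c", …) replaces asn1_simple_object() (it re-adds the DER sign byte); a comment saying so would help the next reader. build_holder() starts outside the hunk.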
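Review bot: `authorityCertSerialNumber.ptr[0] = ASN1_CONTEXT_S_2;` rewrites the INTEGER tag in place to obtain the IMPLICIT [2] tagging, which is only safe because asn1_integer() always returns a non-empty encoding (it presumably emits a one-byte zero for empty input); that assumption should be written next to the store, e.g. `/* implicit [2] tag: asn1_integer() never returns an empty chunk, so overwriting the tag byte is safe */`. If asn1_integer() can ever return chunk_empty this is a NULL write and needs a length check first. The enclosing function starts outside the hunk.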
@@ -808,7 +810,7 @@ METHOD(ac_t, get_serial, chunk_t, private_x509_ac_t *this) { - return this->serialNumber; + return chunk_skip_zero(this->serialNumber); } METHOD(ac_t, get_holderSerial, chunk_t, diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_cert.c strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_cert.c --- strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_cert.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_cert.c 2023-03-27 21:00:49.000000000 +0000 @@ -2,7 +2,7 @@ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss * Copyright (C) 2002 Mario Strasser - * Copyright (C) 2000-2017 Andreas Steffen + * Copyright (C) 2000-2022 Andreas Steffen * Copyright (C) 2006-2009 Martin Willi * Copyright (C) 2008-2017 Tobias Brunner * @@ -715,9 +715,6 @@ KU_DECIPHER_ONLY = 8, }; - /* to be compliant with RFC 4945 specific KUs have to be included */ - this->flags &= ~X509_IKE_COMPLIANT; - if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len) { int bit, byte, unused = blob.ptr[0]; @@ -769,10 +766,9 @@ #define EXT_KEY_USAGE_PURPOSE_ID 1 /** - * Extracts extendedKeyUsage OIDs + * Extracts extendedKeyUsage OIDs (shared with x509_pkcs10.c) */ -static bool parse_extendedKeyUsage(chunk_t blob, int level0, - private_x509_cert_t *this) +bool x509_parse_eku_extension(chunk_t blob, int level0, x509_flag_t *flags) { asn1_parser_t *parser; chunk_t object; 
@@ -789,19 +785,19 @@ switch (asn1_known_oid(object)) { case OID_SERVER_AUTH: - this->flags |= X509_SERVER_AUTH; + *flags |= X509_SERVER_AUTH; break; case OID_CLIENT_AUTH: - this->flags |= X509_CLIENT_AUTH; + *flags |= X509_CLIENT_AUTH; break; case OID_IKE_INTERMEDIATE: - this->flags |= X509_IKE_INTERMEDIATE; + *flags |= X509_IKE_INTERMEDIATE; break; case OID_OCSP_SIGNING: - this->flags |= X509_OCSP_SIGNER; + *flags |= X509_OCSP_SIGNER; break; case OID_MS_SMARTCARD_LOGON: - this->flags |= X509_MS_SMARTCARD_LOGON; + *flags |= X509_MS_SMARTCARD_LOGON; break; default: break; @@ -1392,14 +1388,11 @@ int objectID; int extn_oid = OID_UNKNOWN; signature_params_t sig_alg = {}; + bool critical = FALSE, key_usage_parsed = FALSE; bool success = FALSE; - bool critical = FALSE; parser = asn1_parser_create(certObjects, this->encoding); - /* unless we see a keyUsage extension we are compliant with RFC 4945 */ - this->flags |= X509_IKE_COMPLIANT; - while (parser->iterate(parser, &objectID, &object)) { u_int level = parser->get_level(parser)+1; @@ -1514,9 +1507,10 @@ break; case OID_KEY_USAGE: parse_keyUsage(object, this); + key_usage_parsed = TRUE; break; case OID_EXTENDED_KEY_USAGE: - if (!parse_extendedKeyUsage(object, level, this)) + if (!x509_parse_eku_extension(object, level, &this->flags)) { goto end; } @@ -1611,6 +1605,17 @@ { hasher_t *hasher; + if (!key_usage_parsed) + { + /* we are compliant with RFC 4945 without keyUsage extension */ + this->flags |= X509_IKE_COMPLIANT; + /* allow CA certificates without keyUsage extension to sign CRLs */ + if (this->flags & X509_CA) + { + this->flags |= X509_CRL_SIGN; + } + } + /* check if the certificate is self-signed */ if (this->public.interface.interface.issued_by( &this->public.interface.interface, @@ -1848,7 +1853,7 @@ METHOD(x509_t, get_serial, chunk_t, private_x509_cert_t *this) { - return this->serialNumber; + return chunk_skip_zero(this->serialNumber); } METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, 
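Review bot: With the pre-set of X509_IKE_COMPLIANT removed from the top of parse() and its clearing removed from parse_keyUsage() (@@ -715), a certificate that carries a keyUsage extension is now RFC 4945 compliant only if parse_keyUsage() itself sets the flag; that function's body is outside the hunks, so confirm it does, otherwise every certificate with keyUsage is silently rejected for IKE. The new CRL_SIGN grant for CA certificates without keyUsage is the permissive reading of RFC 5280 and deserves a citation in the comment: `/* RFC 5280, 4.2.1.3: absent keyUsage imposes no restriction, so a CA may sign CRLs */`. This grant is also what x509_crl.c's issued_by() relies on after this patch, since it checks X509_CRL_SIGN alone. parse() starts and ends outside this hunk.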
@@ -2041,7 +2046,7 @@ /** * Build a generalName from an id */ -chunk_t build_generalName(identification_t *id) +static chunk_t build_generalName(identification_t *id) { int context; @@ -2208,6 +2213,50 @@ } /** + * Generate an extendedKeyUsage X.509v3 extension (shared with x509_pkcs10.c) + */ +chunk_t x509_generate_eku_extension(x509_flag_t flags) +{ + chunk_t extendedKeyUsage = chunk_empty, ocspSigning = chunk_empty; + chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty; + chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty; + + if (flags & X509_SERVER_AUTH) + { + serverAuth = asn1_build_known_oid(OID_SERVER_AUTH); + } + if (flags & X509_CLIENT_AUTH) + { + clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH); + } + if (flags & X509_IKE_INTERMEDIATE) + { + ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE); + } + if (flags & X509_OCSP_SIGNER) + { + ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING); + } + if (flags & X509_MS_SMARTCARD_LOGON) + { + msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON); + } + + if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || + ocspSigning.ptr || msSmartcardLogon.ptr) + { + extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_EXTENDED_KEY_USAGE), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "mmmmm", + serverAuth, clientAuth, ikeIntermediate, + ocspSigning, msSmartcardLogon))); + } + + return extendedKeyUsage; +} + +/** * Generate and sign a new certificate */ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, 
@@ -2215,18 +2264,15 @@ { const chunk_t keyUsageCrlSign = chunk_from_chars(0x01, 0x02); const chunk_t keyUsageCertSignCrlSign = chunk_from_chars(0x01, 0x06); - chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty; - chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty; - chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty; + chunk_t extensions = chunk_empty, certPolicies = chunk_empty; chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty; chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty; chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty; chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; - chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty; chunk_t ipAddrBlocks = chunk_empty, sig_scheme = chunk_empty; - chunk_t criticalExtension = chunk_empty; + chunk_t criticalExtension = chunk_empty, extendedKeyUsage = chunk_empty; identification_t *issuer, *subject; chunk_t key_info; hasher_t *hasher; 
@@ -2350,37 +2396,7 @@ } /* add extendedKeyUsage flags */ - if (cert->flags & X509_SERVER_AUTH) - { - serverAuth = asn1_build_known_oid(OID_SERVER_AUTH); - } - if (cert->flags & X509_CLIENT_AUTH) - { - clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH); - } - if (cert->flags & X509_IKE_INTERMEDIATE) - { - ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE); - } - if (cert->flags & X509_OCSP_SIGNER) - { - ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING); - } - if (cert->flags & X509_MS_SMARTCARD_LOGON) - { - msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON); - } - - if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || - ocspSigning.ptr || msSmartcardLogon.ptr) - { - extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_build_known_oid(OID_EXTENDED_KEY_USAGE), - asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_SEQUENCE, "mmmmm", - serverAuth, clientAuth, ikeIntermediate, - ocspSigning, msSmartcardLogon))); - } + extendedKeyUsage = x509_generate_eku_extension(cert->flags); /* add subjectKeyIdentifier to CA and OCSP signer certificates */ if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN)) diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_crl.c strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_crl.c --- strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_crl.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_crl.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ /* * Copyright (C) 2014-2017 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi - * Copyright (C) 2017 Andreas Steffen + * Copyright (C) 2017-2022 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -19,7 +19,6 @@ #include "x509_crl.h" typedef struct private_x509_crl_t private_x509_crl_t; -typedef struct revoked_t revoked_t; #include 
@@ -33,26 +32,6 @@ #include /** - * entry for a revoked certificate - */ -struct revoked_t { - /** - * serial of the revoked certificate - */ - chunk_t serial; - - /** - * date of revocation - */ - time_t date; - - /** - * reason for revocation - */ - crl_reason_t reason; -}; - -/** * private data of x509_crl */ struct private_x509_crl_t { @@ -98,7 +77,7 @@ time_t nextUpdate; /** - * list of revoked certificates as revoked_t + * list of revoked certificates as crl_revoked_t */ linked_list_t *revoked; @@ -235,7 +214,7 @@ signature_params_t sig_alg = {}; bool success = FALSE; bool critical = FALSE; - revoked_t *revoked = NULL; + crl_revoked_t *revoked = NULL; parser = asn1_parser_create(crlObjects, this->encoding); @@ -273,7 +252,7 @@ userCertificate = object; break; case CRL_OBJ_REVOCATION_DATE: - revoked = malloc_thing(revoked_t); + revoked = malloc_thing(crl_revoked_t); revoked->serial = chunk_clone(userCertificate); revoked->date = asn1_parse_time(object, level); revoked->reason = CRL_REASON_UNSPECIFIED; @@ -385,7 +364,7 @@ CALLBACK(filter, bool, void *data, enumerator_t *orig, va_list args) { - revoked_t *revoked; + crl_revoked_t *revoked; crl_reason_t *reason; chunk_t *serial; time_t *date; @@ -396,7 +375,7 @@ { if (serial) { - *serial = revoked->serial; + *serial = chunk_skip_zero(revoked->serial); } if (date) { @@ -414,7 +393,7 @@ METHOD(crl_t, get_serial, chunk_t, private_x509_crl_t *this) { - return this->crlNumber; + return chunk_skip_zero(this->crlNumber); } METHOD(crl_t, get_authKeyIdentifier, chunk_t, @@ -430,7 +409,7 @@ { if (base_crl) { - *base_crl = this->baseCrlNumber; + *base_crl = chunk_skip_zero(this->baseCrlNumber); } return TRUE; } 
@@ -483,12 +462,12 @@ x509_t *x509 = (x509_t*)issuer; chunk_t keyid = chunk_empty; - /* check if issuer is an X.509 CA certificate */ + /* check if issuer is an X.509 certificate with cRLSign keyUsage bit set */ if (issuer->get_type(issuer) != CERT_X509) { return FALSE; } - if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) + if (!(x509->get_flags(x509) & X509_CRL_SIGN)) { return FALSE; } @@ -593,7 +572,7 @@ /** * Destroy a revoked_t entry */ -static void revoked_destroy(revoked_t *revoked) +static void revoked_destroy(crl_revoked_t *revoked) { free(revoked->serial.ptr); free(revoked); @@ -701,7 +680,7 @@ */ static void read_revoked(private_x509_crl_t *crl, enumerator_t *enumerator) { - revoked_t *revoked; + crl_revoked_t *revoked; chunk_t serial; time_t date; crl_reason_t reason; @@ -841,7 +820,7 @@ */ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) { - hash_algorithm_t digest_alg = HASH_SHA1; + hash_algorithm_t digest_alg = HASH_SHA256; private_x509_crl_t *crl; certificate_t *cert = NULL; private_key_t *key = NULL; @@ -883,7 +862,7 @@ case BUILD_BASE_CRL: crl->baseCrlNumber = va_arg(args, chunk_t); crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber); - break; + continue; case BUILD_CRL_DISTRIBUTION_POINTS: { enumerator_t *enumerator; diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_ocsp_request.c strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_ocsp_request.c --- strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_ocsp_request.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_ocsp_request.c 2023-06-12 05:47:41.000000000 +0000 @@ -1,7 +1,7 @@ /* * Copyright (C) 2017-2019 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi - * Copyright (C) 2007-2014 Andreas Steffen + * Copyright (C) 2007-2022 Andreas Steffen * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen * * Copyright (C) secunet Security Networks AG 
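Review bot: issued_by() now accepts a CRL issuer only if X509_CRL_SIGN is set, which is the right hardening (a CA whose keyUsage omits cRLSign can no longer vouch for a CRL), but it depends on every x509_t implementation flagging CA certificates that lack keyUsage with X509_CRL_SIGN; the x509 plugin's own parse() does so in this patch, while other certificate back-ends are not in view and would break CRL validation if they do not. A comment on the check, `/* cRLSign is also set by the parsers for CAs without keyUsage (RFC 5280 4.2.1.3) */`, plus a test with a keyUsage-less CA would pin that contract. The issued_by() body continues outside the hunk.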
@@ -133,7 +133,7 @@ asn1_algorithmIdentifier(OID_SHA1), asn1_simple_object(ASN1_OCTET_STRING, issuerNameHash), asn1_simple_object(ASN1_OCTET_STRING, issuerKeyHash), - asn1_simple_object(ASN1_INTEGER, serialNumber))); + asn1_integer("c", serialNumber))); } /** diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_ocsp_response.c strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_ocsp_response.c --- strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_ocsp_response.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_ocsp_response.c 2023-06-12 05:47:41.000000000 +0000 @@ -1,7 +1,7 @@ /* * Copyright (C) 2017-2019 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi - * Copyright (C) 2007-2015 Andreas Steffen + * Copyright (C) 2007-2022 Andreas Steffen * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen * * Copyright (C) secunet Security Networks AG @@ -370,7 +370,7 @@ response->issuerKeyHash = object; break; case SINGLE_RESPONSE_SERIAL_NUMBER: - response->serialNumber = object; + response->serialNumber = chunk_skip_zero(object); break; case SINGLE_RESPONSE_CERT_STATUS_GOOD: response->status = VALIDATION_GOOD; @@ -528,7 +528,6 @@ u_int responses_level = level0; certificate_t *cert; bool success = FALSE; - bool critical; parser = asn1_parser_create(basicResponseObjects, blob); parser->set_top_level(parser, level0); 
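Review bot: Normalising the single response serial with chunk_skip_zero() is needed so it compares equal to x509_t.get_serial(), which is now normalised the same way, but the pairing is implicit; a comment at the assignment, `/* strip the DER sign byte so it matches the normalised x509_t.get_serial() */`, stops someone from removing one side later. chunk_skip_zero() presumably drops only a single leading 0x00 (minimal DER), so a non-minimal INTEGER would still mismatch; acceptable for an invalid encoding, but worth knowing. The parser switch this case belongs to starts and ends outside the hunk.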
@@ -573,8 +572,8 @@ extn_oid = asn1_known_oid(object); break; case BASIC_RESPONSE_CRITICAL: - critical = object.len && *object.ptr; - DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE"); + DBG2(DBG_ASN, " %s", + object.len && *object.ptr ? "TRUE" : "FALSE"); break; case BASIC_RESPONSE_EXT_VALUE: if (extn_oid == OID_NONCE && diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_pkcs10.c strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_pkcs10.c --- strongswan-5.9.8/src/libstrongswan/plugins/x509/x509_pkcs10.c 2022-10-01 14:51:49.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/x509/x509_pkcs10.c 2023-06-08 10:35:17.000000000 +0000 @@ -78,6 +78,11 @@ chunk_t certTypeExt; /** + * extendedKeyUsage flags + */ + x509_flag_t flags; + + /** * Signature scheme */ signature_params_t *scheme; @@ -110,6 +115,10 @@ linked_list_t *list); extern chunk_t x509_build_subjectAltNames(linked_list_t *list); +extern bool x509_parse_eku_extension(chunk_t blob, int level0, x509_flag_t *flags); + +extern chunk_t x509_generate_eku_extension(x509_flag_t flags); + METHOD(certificate_t, get_type, certificate_type_t, private_x509_pkcs10_t *this) { 
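Review bot: The two new `extern` prototypes for x509_parse_eku_extension() and x509_generate_eku_extension() duplicate the definitions in x509_cert.c inside a .c file, so a later signature change on either side compiles cleanly and fails at link time or, worse, at run time with a mismatched argument list. The file already does this for x509_build_subjectAltNames(), so the hunk follows local convention, but moving the three declarations into a plugin-private header included by both files would let the compiler check them. The "(shared with x509_pkcs10.c)" remark on the definitions should then point at that header.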
@@ -238,30 +247,31 @@ METHOD(pkcs10_t, get_flags, x509_flag_t, private_x509_pkcs10_t *this) { - x509_flag_t flags = X509_NONE; - char *profile; + if (this->certTypeExt.len > 0) + { + char *profile; - profile = strndup(this->certTypeExt.ptr, this->certTypeExt.len); + profile = strndup(this->certTypeExt.ptr, this->certTypeExt.len); - if (strcaseeq(profile, "server")) - { - flags |= X509_SERVER_AUTH; - } - else if (strcaseeq(profile, "client")) - { - flags |= X509_CLIENT_AUTH; - } - else if (strcaseeq(profile, "dual")) - { - flags |= (X509_SERVER_AUTH | X509_CLIENT_AUTH); - } - else if (strcaseeq(profile, "ocsp")) - { - flags |= X509_OCSP_SIGNER; + if (strcaseeq(profile, "server")) + { + this->flags |= X509_SERVER_AUTH; + } + else if (strcaseeq(profile, "client")) + { + this->flags |= X509_CLIENT_AUTH; + } + else if (strcaseeq(profile, "dual")) + { + this->flags |= (X509_SERVER_AUTH | X509_CLIENT_AUTH); + } + else if (strcaseeq(profile, "ocsp")) + { + this->flags |= X509_OCSP_SIGNER; + } + free(profile); } - free(profile); - - return flags; + return this->flags; } METHOD(pkcs10_t, create_subjectAltName_enumerator, enumerator_t*, @@ -279,6 +289,7 @@ chunk_t key_info, subjectAltNames, attributes; chunk_t extensionRequest = chunk_empty, certTypeExt = chunk_empty; chunk_t challengePassword = chunk_empty, sig_scheme = chunk_empty; + chunk_t extendedKeyUsage = chunk_empty; identification_t *subject; subject = cert->subject; @@ -322,13 +333,17 @@ )); } + /* encode extendedKeyUsage flags */ + extendedKeyUsage = x509_generate_eku_extension(cert->flags); + /* encode extensionRequest attribute */ if (subjectAltNames.ptr || certTypeExt.ptr) { extensionRequest = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_EXTENSION_REQUEST), asn1_wrap(ASN1_SET, "m", - asn1_wrap(ASN1_SEQUENCE, "mm", subjectAltNames, certTypeExt) + asn1_wrap(ASN1_SEQUENCE, "mmm", + subjectAltNames, certTypeExt, extendedKeyUsage) )); } 
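Review bot: The extensionRequest attribute is still emitted only when `subjectAltNames.ptr || certTypeExt.ptr` is true, so a request built with only X509 flags (the new BUILD_X509_FLAG path) silently loses its extendedKeyUsage, and the chunk returned by x509_generate_eku_extension() is, as far as the hunk shows, never freed. Extend the condition: `if (subjectAltNames.ptr || certTypeExt.ptr || extendedKeyUsage.ptr)`. The enclosing build function starts and ends outside the hunk.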
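Review bot: get_flags() has become a getter with a side effect: every call re-parses certTypeExt and ORs the result into this->flags, which is idempotent but repeats the strndup()/strcaseeq() work and mutates parser state from a read accessor. Either map the profile into this->flags once where certTypeExt is stored (the PKCS10_EXTN_VALUE case of the parser), or keep a local `flags` and `return this->flags | flags;`. The new `this->certTypeExt.len > 0` guard is a good fix on its own, since the old code called strndup() on a possibly NULL pointer with length 0.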
@@ -415,7 +430,6 @@ int objectID; int extn_oid = OID_UNKNOWN; bool success = FALSE; - bool critical; parser = asn1_parser_create(extensionRequestObjects, blob); parser->set_top_level(parser, level0); @@ -430,8 +444,8 @@ extn_oid = asn1_known_oid(object); break; case PKCS10_EXTN_CRITICAL: - critical = object.len && *object.ptr; - DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE"); + DBG2(DBG_ASN, " %s", + object.len && *object.ptr ? "TRUE" : "FALSE"); break; case PKCS10_EXTN_VALUE: { @@ -452,6 +466,12 @@ } this->certTypeExt = object; break; + case OID_EXTENDED_KEY_USAGE: + if (!x509_parse_eku_extension(object, level, &this->flags)) + { + goto end; + } + break; default: break; } @@ -769,6 +789,9 @@ case BUILD_CERT_TYPE_EXT: cert->certTypeExt = chunk_clone(va_arg(args, chunk_t)); continue; + case BUILD_X509_FLAG: + cert->flags |= va_arg(args, x509_flag_t); + continue; case BUILD_SIGNATURE_SCHEME: cert->scheme = va_arg(args, signature_params_t*); cert->scheme = signature_params_clone(cert->scheme); diff -Nru strongswan-5.9.8/src/libstrongswan/plugins/xcbc/Makefile.in strongswan-5.9.11/src/libstrongswan/plugins/xcbc/Makefile.in --- strongswan-5.9.8/src/libstrongswan/plugins/xcbc/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/plugins/xcbc/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -430,7 +430,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libstrongswan/processing/watcher.c strongswan-5.9.11/src/libstrongswan/processing/watcher.c --- strongswan-5.9.8/src/libstrongswan/processing/watcher.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/processing/watcher.c 2023-05-06 07:16:02.000000000 +0000 
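Review bot: The EKU OIDs parsed here come from the unauthenticated CSR and are merged into this->flags, which get_flags() returns, so any issuing code that maps those flags straight into the issued certificate would let a requester grant itself OCSP signing or IKE-intermediate usage. The consumers are not in view and may already apply policy, but the comment on the new flags field should say so: `/* extendedKeyUsage flags requested by the CSR subject - the CA must apply policy before honouring them */`. The parser switch this case belongs to starts and ends outside the hunk.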
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2016 Tobias Brunner + * Copyright (C) 2016-2023 Tobias Brunner * Copyright (C) 2013 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -153,6 +153,8 @@ * Data we pass on for an async notification */ typedef struct { + /** triggering entry */ + entry_t *entry; /** file descriptor */ int fd; /** event type */ @@ -168,20 +170,27 @@ } notify_data_t; /** - * Notify watcher thread about changes + * Notify watcher thread about changes and unlock mutex */ -static void update(private_watcher_t *this) +static void update_and_unlock(private_watcher_t *this) { char buf[1] = { 'u' }; + int error = 0; this->pending = TRUE; if (this->notify[1] != -1) { if (write(this->notify[1], buf, sizeof(buf)) == -1) { - DBG1(DBG_JOB, "notifying watcher failed: %s", strerror(errno)); + error = errno; } } + this->mutex->unlock(this->mutex); + + if (error) + { + DBG1(DBG_JOB, "notifying watcher failed: %s", strerror(error)); + } } /** @@ -213,19 +222,23 @@ { private_watcher_t *this = data->this; entry_t *entry, *prev = NULL; + watcher_event_t updated = 0; + bool removed = FALSE; /* reactivate the disabled entry */ this->mutex->lock(this->mutex); for (entry = this->fds; entry; prev = entry, entry = entry->next) { - if (entry->fd == data->fd) + if (entry == data->entry) { if (!data->keep) { entry->events &= ~data->event; + updated = entry->events; if (!entry->events) { remove_entry(this, entry, prev); + removed = TRUE; break; } } 
@@ -233,10 +246,26 @@ break; } } - update(this); this->condvar->broadcast(this->condvar); - this->mutex->unlock(this->mutex); + update_and_unlock(this); + if (removed) + { + DBG3(DBG_JOB, "removed fd %d[%s%s%s] from watcher after callback", data->fd, + data->event & WATCHER_READ ? "r" : "", + data->event & WATCHER_WRITE ? "w" : "", + data->event & WATCHER_EXCEPT ? "e" : ""); + } + else if (updated) + { + DBG3(DBG_JOB, "updated fd %d[%s%s%s] to %d[%s%s%s] after callback", data->fd, + (updated | data->event) & WATCHER_READ ? "r" : "", + (updated | data->event) & WATCHER_WRITE ? "w" : "", + (updated | data->event) & WATCHER_EXCEPT ? "e" : "", data->fd, + updated & WATCHER_READ ? "r" : "", + updated & WATCHER_WRITE ? "w" : "", + updated & WATCHER_EXCEPT ? "e" : ""); + } free(data); } @@ -250,6 +279,7 @@ /* get a copy of entry for async job, but with specific event */ INIT(data, + .entry = entry, .fd = entry->fd, .event = event, .cb = entry->cb, @@ -258,7 +288,7 @@ .this = this, ); - /* deactivate entry, so we can select() other FDs even if the async + /* deactivate entry, so we can poll() other FDs even if the async * processing did not handle the event yet */ entry->in_callback++; @@ -326,6 +356,30 @@ return FALSE; } +#if DEBUG_LEVEL >= 2 +#define reset_log(buf, pos, len) ({ buf[0] = '\0'; pos = buf; len = sizeof(buf); }) +#define reset_event_log(buf, pos) ({ pos = buf; }) +#define end_event_log(pos) ({ *pos = '\0'; }) +#define log_event(pos, ev) ({ *pos++ = ev; }) +#define log_fd(pos, len, fd, ev) ({ \ + if (ev[0]) \ + { \ + int _add = snprintf(pos, len, " %d[%s]", fd, ev); \ + if (_add >= 0 && _add < len) \ + { \ + pos += _add; \ + len -= _add; \ + } \ + } \ +}) +#else +#define reset_event_log(...) ({}) +#define end_event_log(...) ({}) +#define log_event(...) ({}) +#define reset_log(...) ({}) +#define log_fd(...) ({}) +#endif + /** * Dispatching function */ 
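Review bot: log_event() appends to the event buffer without a bound, so correctness rests on the dispatcher's eventbuf[4] being exactly large enough for 'r', 'w', 'e' and the terminator; that invariant lives in other hunks and is not mentioned here. A comment on the macro, `/* the event buffer must hold at most "rwe" plus NUL (4 bytes): one log_event() per flag */`, makes the coupling explicit. log_fd() bounds its snprintf() correctly but leaves `pos`/`len` untouched when an entry does not fit, so later entries are dropped silently; fine for a debug line, but worth a word in the same comment.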
@@ -334,7 +388,12 @@ entry_t *entry; struct pollfd *pfd; int count = 0, res; - bool rebuild = FALSE; +#if DEBUG_LEVEL >= 2 + char logbuf[BUF_LEN], *logpos, eventbuf[4], *eventpos; + int loglen; +#endif + + reset_log(logbuf, logpos, loglen); this->mutex->lock(this->mutex); @@ -361,27 +420,37 @@ { pfd[count].fd = entry->fd; pfd[count].events = 0; + reset_event_log(eventbuf, eventpos); if (entry->events & WATCHER_READ) { - DBG3(DBG_JOB, " watching %d for reading", entry->fd); + log_event(eventpos, 'r'); pfd[count].events |= POLLIN; } if (entry->events & WATCHER_WRITE) { - DBG3(DBG_JOB, " watching %d for writing", entry->fd); + log_event(eventpos, 'w'); pfd[count].events |= POLLOUT; } if (entry->events & WATCHER_EXCEPT) { - DBG3(DBG_JOB, " watching %d for exceptions", entry->fd); + log_event(eventpos, 'e'); pfd[count].events |= POLLERR; } + end_event_log(eventpos); + log_fd(logpos, loglen, entry->fd, eventbuf); count++; } } this->mutex->unlock(this->mutex); - while (!rebuild) +#if DEBUG_LEVEL >= 3 + if (logbuf[0]) + { + DBG3(DBG_JOB, "observing fds:%s", logbuf); + } +#endif + + while (TRUE) { int revents; char buf[1]; @@ -389,7 +458,7 @@ ssize_t len; job_t *job; - DBG2(DBG_JOB, "watcher going to poll() %d fds", count); + DBG2(DBG_JOB, "watcher is observing %d fds", count-1); thread_cleanup_push((void*)activate_all, this); old = thread_cancelability(TRUE); 
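Review bot: `count-1` in the new "watcher is observing %d fds" message is an unexplained constant; it presumably excludes the notify pipe that the dispatcher polls alongside the registered entries, and the next edit of the pfd array will get it wrong. Spell it out, e.g. `DBG2(DBG_JOB, "watcher is observing %d fds", count-1); /* excluding the internal notify pipe */`, or keep a named `registered = count - 1`. The dispatcher function starts and ends outside the hunk.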
@@ -423,39 +492,49 @@ } this->pending = FALSE; DBG2(DBG_JOB, "watcher got notification, rebuilding"); - return JOB_REQUEUE_DIRECT; + break; } + reset_log(logbuf, logpos, loglen); this->mutex->lock(this->mutex); for (entry = this->fds; entry; entry = entry->next) { if (entry->in_callback) { - rebuild = TRUE; - break; + continue; } + reset_event_log(eventbuf, eventpos); revents = find_revents(pfd, count, entry->fd); if (entry_ready(entry, WATCHER_EXCEPT, revents)) { - DBG2(DBG_JOB, "watched FD %d has exception", entry->fd); + log_event(eventpos, 'e'); notify(this, entry, WATCHER_EXCEPT); } else { if (entry_ready(entry, WATCHER_READ, revents)) { - DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd); + log_event(eventpos, 'r'); notify(this, entry, WATCHER_READ); } if (entry_ready(entry, WATCHER_WRITE, revents)) { - DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd); + log_event(eventpos, 'w'); notify(this, entry, WATCHER_WRITE); } } + end_event_log(eventpos); + log_fd(logpos, loglen, entry->fd, eventbuf); } this->mutex->unlock(this->mutex); +#if DEBUG_LEVEL >= 2 + if (logbuf[0]) + { + DBG2(DBG_JOB, "events on fds:%s", logbuf); + } +#endif + if (this->jobs->get_count(this->jobs)) { while (this->jobs->remove_first(this->jobs, @@ -464,7 +543,7 @@ lib->processor->execute_job(lib->processor, job); } /* we temporarily disable a notified FD, rebuild FDSET */ - return JOB_REQUEUE_DIRECT; + break; } } else @@ -473,7 +552,7 @@ { /* complain only if no pending updates */ DBG1(DBG_JOB, "watcher poll() error: %s", strerror(errno)); } - return JOB_REQUEUE_DIRECT; + break; } } return JOB_REQUEUE_DIRECT; 
@@ -492,27 +571,33 @@ .data = data, ); + DBG3(DBG_JOB, "adding fd %d[%s%s%s] to watcher", fd, + events & WATCHER_READ ? "r" : "", + events & WATCHER_WRITE ? "w" : "", + events & WATCHER_EXCEPT ? "e" : ""); + this->mutex->lock(this->mutex); add_entry(this, entry); if (this->state == WATCHER_STOPPED) { this->state = WATCHER_QUEUED; + this->mutex->unlock(this->mutex); + lib->processor->queue_job(lib->processor, (job_t*)callback_job_create_with_prio((void*)watch, this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); } else { - update(this); + update_and_unlock(this); } - this->mutex->unlock(this->mutex); } METHOD(watcher_t, remove_, void, private_watcher_t *this, int fd) { entry_t *entry, *prev = NULL; - bool found = FALSE; + watcher_event_t found = 0; this->mutex->lock(this->mutex); while (TRUE) @@ -529,8 +614,8 @@ is_in_callback = TRUE; break; } + found |= entry->events; entry = remove_entry(this, entry, prev); - found = TRUE; continue; } prev = entry; @@ -544,9 +629,17 @@ } if (found) { - update(this); + update_and_unlock(this); + + DBG3(DBG_JOB, "removed fd %d[%s%s%s] from watcher", fd, + found & WATCHER_READ ? "r" : "", + found & WATCHER_WRITE ? "w" : "", + found & WATCHER_EXCEPT ? "e" : ""); + } + else + { + this->mutex->unlock(this->mutex); } - this->mutex->unlock(this->mutex); } METHOD(watcher_t, get_state, watcher_state_t, diff -Nru strongswan-5.9.8/src/libstrongswan/processing/watcher.h strongswan-5.9.11/src/libstrongswan/processing/watcher.h --- strongswan-5.9.8/src/libstrongswan/processing/watcher.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/processing/watcher.h 2023-05-06 07:16:02.000000000 +0000 
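Review bot: In remove_() the former boolean `found` is now an event mask accumulated with `found |= entry->events;` and then tested as a truth value; if an entry with no events can ever sit in the list, it is unlinked but the watcher is not notified and the mutex path silently takes the else branch. The visible callback path removes entries once their events reach zero, so this may be unreachable, but separating the two meanings (`bool found` plus a `watcher_event_t events` for the log line) costs nothing and removes the doubt. remove_() starts outside the hunk.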
@@ -38,7 +38,7 @@ * re-enable the event, while the data read can be processed in another * asynchronous job. * - * On Linux, even if select() marks an FD as "ready", a subsequent read/write + * On Linux, even if poll() marks an FD as "ready", a subsequent read/write * can block. It is therefore highly recommended to use non-blocking I/O * and handle EAGAIN/EWOULDBLOCK gracefully. * @@ -71,7 +71,7 @@ }; /** - * Watch multiple file descriptors using select(). + * Watch multiple file descriptors using poll(). */ struct watcher_t { diff -Nru strongswan-5.9.8/src/libstrongswan/tests/Makefile.am strongswan-5.9.11/src/libstrongswan/tests/Makefile.am --- strongswan-5.9.8/src/libstrongswan/tests/Makefile.am 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/tests/Makefile.am 2023-03-27 21:00:49.000000000 +0000 @@ -48,6 +48,8 @@ suites/test_rsa_oaep_sha512.c \ suites/test_certpolicy.c \ suites/test_certnames.c \ + suites/test_serial_gen.c \ + suites/test_serial_parse.c \ suites/test_host.c \ suites/test_auth_cfg.c \ suites/test_hasher.c \ diff -Nru strongswan-5.9.8/src/libstrongswan/tests/Makefile.in strongswan-5.9.11/src/libstrongswan/tests/Makefile.in --- strongswan-5.9.8/src/libstrongswan/tests/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/tests/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -154,6 +154,8 @@ suites/libstrongswan_tests-test_rsa_oaep_sha512.$(OBJEXT) \ suites/libstrongswan_tests-test_certpolicy.$(OBJEXT) \ suites/libstrongswan_tests-test_certnames.$(OBJEXT) \ + suites/libstrongswan_tests-test_serial_gen.$(OBJEXT) \ + suites/libstrongswan_tests-test_serial_parse.$(OBJEXT) \ suites/libstrongswan_tests-test_host.$(OBJEXT) \ suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT) \ suites/libstrongswan_tests-test_hasher.$(OBJEXT) \ 
@@ -240,6 +242,8 @@ suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha384.Po \ suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha512.Po \ suites/$(DEPDIR)/libstrongswan_tests-test_rsa_pkcs1.Po \ + suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Po \ + suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Po \ suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po \ suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po \ suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po \ @@ -535,7 +539,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ @@ -611,6 +614,8 @@ suites/test_rsa_oaep_sha512.c \ suites/test_certpolicy.c \ suites/test_certnames.c \ + suites/test_serial_gen.c \ + suites/test_serial_parse.c \ suites/test_host.c \ suites/test_auth_cfg.c \ suites/test_hasher.c \ @@ -764,6 +769,10 @@ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_certnames.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_serial_gen.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_serial_parse.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_host.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT): \ 
@@ -860,6 +869,8 @@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha384.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha512.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa_pkcs1.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po@am__quote@ # am--include-marker 
@@ -1333,6 +1344,34 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi` +suites/libstrongswan_tests-test_serial_gen.o: suites/test_serial_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_serial_gen.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Tpo -c -o suites/libstrongswan_tests-test_serial_gen.o `test -f 'suites/test_serial_gen.c' || echo '$(srcdir)/'`suites/test_serial_gen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_serial_gen.c' object='suites/libstrongswan_tests-test_serial_gen.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_serial_gen.o `test -f 'suites/test_serial_gen.c' || echo '$(srcdir)/'`suites/test_serial_gen.c + +suites/libstrongswan_tests-test_serial_gen.obj: suites/test_serial_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_serial_gen.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Tpo -c -o 
suites/libstrongswan_tests-test_serial_gen.obj `if test -f 'suites/test_serial_gen.c'; then $(CYGPATH_W) 'suites/test_serial_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_serial_gen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_serial_gen.c' object='suites/libstrongswan_tests-test_serial_gen.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_serial_gen.obj `if test -f 'suites/test_serial_gen.c'; then $(CYGPATH_W) 'suites/test_serial_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_serial_gen.c'; fi` + +suites/libstrongswan_tests-test_serial_parse.o: suites/test_serial_parse.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_serial_parse.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Tpo -c -o suites/libstrongswan_tests-test_serial_parse.o `test -f 'suites/test_serial_parse.c' || echo '$(srcdir)/'`suites/test_serial_parse.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_serial_parse.c' object='suites/libstrongswan_tests-test_serial_parse.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_serial_parse.o `test -f 'suites/test_serial_parse.c' || echo '$(srcdir)/'`suites/test_serial_parse.c + +suites/libstrongswan_tests-test_serial_parse.obj: suites/test_serial_parse.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_serial_parse.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Tpo -c -o suites/libstrongswan_tests-test_serial_parse.obj `if test -f 'suites/test_serial_parse.c'; then $(CYGPATH_W) 'suites/test_serial_parse.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_serial_parse.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_serial_parse.c' object='suites/libstrongswan_tests-test_serial_parse.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_serial_parse.obj `if test -f 'suites/test_serial_parse.c'; then $(CYGPATH_W) 'suites/test_serial_parse.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_serial_parse.c'; fi` + suites/libstrongswan_tests-test_host.o: suites/test_host.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo -c -o suites/libstrongswan_tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
suites/$(DEPDIR)/libstrongswan_tests-test_host.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_host.Po @@ -1884,6 +1923,8 @@ -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha384.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha512.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_rsa_pkcs1.Po + -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Po + -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po @@ -1981,6 +2022,8 @@ -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha384.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_rsa_oaep_sha512.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_rsa_pkcs1.Po + -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_serial_gen.Po + -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_serial_parse.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po -rm -f suites/$(DEPDIR)/libstrongswan_tests-test_stream.Po diff -Nru strongswan-5.9.8/src/libstrongswan/tests/suites/test_asn1.c strongswan-5.9.11/src/libstrongswan/tests/suites/test_asn1.c --- strongswan-5.9.8/src/libstrongswan/tests/suites/test_asn1.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/tests/suites/test_asn1.c 2023-04-19 02:21:27.000000000 +0000 @@ -81,11 +81,11 @@ parameters = chunk_empty; if (i == 2) { - alg = asn1_parse_algorithmIdentifier(algid, 0, NULL); + alg = asn1_parse_algorithmIdentifier(algid, _i, NULL); } else { - alg = asn1_parse_algorithmIdentifier(algid, 0, ¶meters); + alg = asn1_parse_algorithmIdentifier(algid, _i, ¶meters); if (test[i].empty) { ck_assert(parameters.len == 0 && parameters.ptr == NULL); 
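Review bot: `_i` is now passed where the hunk previously passed `0`, with no comment saying it stands for the `level` argument, and the loop registration in the later hunk runs it from -1 to 0, so the test's purpose (covering a negative level as well as level 0) is only recoverable by reading both hunks together. A one-line comment above the `if (i == 2)` branch such as `/* _i is the parse level: -1 and 0 are both exercised by the loop test */` would document that; what a negative level actually does inside asn1_parse_algorithmIdentifier is outside this diff, so the comment should not claim more than that. The enclosing test function starts before this hunk.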
@@ -824,7 +824,7 @@ suite_add_tcase(s, tc); tc = tcase_create("parse_algorithmIdentifier"); - tcase_add_test(tc, test_asn1_parse_algorithmIdentifier); + tcase_add_loop_test(tc, test_asn1_parse_algorithmIdentifier, -1, 1); suite_add_tcase(s, tc); tc = tcase_create("known_oid"); diff -Nru strongswan-5.9.8/src/libstrongswan/tests/suites/test_enum.c strongswan-5.9.11/src/libstrongswan/tests/suites/test_enum.c --- strongswan-5.9.8/src/libstrongswan/tests/suites/test_enum.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/tests/suites/test_enum.c 2023-03-27 21:00:49.000000000 +0000 @@ -86,6 +86,13 @@ "OVERFLOWFLAGLONGNAME10", "OVERFLOWFLAGLONGNAME11", "OVERFLOWFLAGLONGNAME12"); /******************************************************************************* + * add_enum_names + */ + +ENUM_EXT(e1, 65000, 65001, "CONT65000", "CONT65001"); +ENUM_EXT(e2, 62000, 62001, "CONT62000", "CONT62001"); + +/******************************************************************************* * enum_to_name */ @@ -172,6 +179,15 @@ {FALSE, 0, "asdf"}, {FALSE, 0, ""}, {FALSE, 0, NULL}, +}, enum_tests_ext[] = { + {TRUE, CONT1, "CONT1"}, + {TRUE, 62000, "CONT62000"}, + {TRUE, 62001, "CONT62001"}, + {TRUE, 65000, "CONT65000"}, + {TRUE, 65001, "CONT65001"}, + {FALSE, 0, "CONT64000"}, + {FALSE, 0, ""}, + {FALSE, 0, NULL}, }; START_TEST(test_enum_from_name_cont) @@ -196,6 +212,23 @@ } END_TEST +START_TEST(test_enum_from_name_ext) +{ + int val = 0; + bool found; + + enum_add_enum_names(test_enum_cont_names, e1); + enum_add_enum_names(test_enum_cont_names, e2); + + found = enum_from_name(test_enum_cont_names, enum_tests_ext[_i].str, &val); + ck_assert(enum_tests_ext[_i].found == found); + ck_assert_int_eq(val, enum_tests_ext[_i].val); + + enum_remove_enum_names(test_enum_cont_names, e1); + enum_remove_enum_names(test_enum_cont_names, e2); +} +END_TEST + /******************************************************************************* * enum_printf_hook */ 
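Review bot: `enum_add_enum_names()` is called before the two `ck_assert`s and `enum_remove_enum_names()` only after them, so a failing assertion leaves `e1`/`e2` registered on the global `test_enum_cont_names` for every later loop iteration and test case; with libcheck's default fork mode that is contained per test, but under CK_NOFORK (common when debugging) one failure cascades into the others. Capturing the lookup first and asserting only after both removes keeps the global clean on failure, e.g. `found = enum_from_name(test_enum_cont_names, enum_tests_ext[_i].str, &val); enum_remove_enum_names(test_enum_cont_names, e1); enum_remove_enum_names(test_enum_cont_names, e2);` followed by the two `ck_assert`s.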
@@ -441,6 +474,51 @@ } END_TEST +START_TEST(test_enum_printf_hook_add_enum_names) +{ + char buf[128]; + + enum_add_enum_names(test_enum_cont_names, e1); + snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, 65001); + ck_assert_str_eq("CONT65001", buf); + + enum_add_enum_names(test_enum_cont_names, e2); + snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, 62001); + ck_assert_str_eq("CONT62001", buf); + + /* adding the same list repeatedly should not result in an infinite loop */ + enum_add_enum_names(test_enum_cont_names, e2); + snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, 62001); + ck_assert_str_eq("CONT62001", buf); + + /* can also be defined inside a function as long as the same function is + * adding and removing it */ + ENUM_EXT(e3, 64000, 64001, "CONT64000", "CONT64001"); + enum_add_enum_names(test_enum_cont_names, e3); + snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, 64000); + ck_assert_str_eq("CONT64000", buf); + + snprintf(buf, sizeof(buf), "%N, %N, %N", test_enum_cont_names, 62001, + test_enum_cont_names, 65000, test_enum_cont_names, 64000); + ck_assert_str_eq("CONT62001, CONT65000, CONT64000", buf); + + enum_remove_enum_names(test_enum_cont_names, e2); + snprintf(buf, sizeof(buf), "%N, %N, %N", test_enum_cont_names, 62001, + test_enum_cont_names, 65000, test_enum_cont_names, 64000); + ck_assert_str_eq("(62001), CONT65000, CONT64000", buf); + + enum_remove_enum_names(test_enum_cont_names, e3); + snprintf(buf, sizeof(buf), "%N, %N, %N", test_enum_cont_names, 62001, + test_enum_cont_names, 65000, test_enum_cont_names, 64000); + ck_assert_str_eq("(62001), CONT65000, (64000)", buf); + + enum_remove_enum_names(test_enum_cont_names, e1); + snprintf(buf, sizeof(buf), "%N, %N, %N", test_enum_cont_names, 62001, + test_enum_cont_names, 65000, test_enum_cont_names, 64000); + ck_assert_str_eq("(62001), (65000), (64000)", buf); +} +END_TEST + Suite *enum_suite_create() { Suite *s; 
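Review bot: `e3` is declared on the stack inside the test via `ENUM_EXT` and linked into the global `test_enum_cont_names`, as the comment says, but any `ck_assert_str_eq` that fails between that add and the matching `enum_remove_enum_names(test_enum_cont_names, e3)` longjmps out of the function and leaves a dangling pointer in the global list; a later `%N` on `test_enum_cont_names` in the same process then walks freed stack, which matters under CK_NOFORK. The file-scope `e1`/`e2` only stay reachable on failure, not dangling, so they are the lesser problem. Either make `e3` file-scope like `e1`/`e2`, or run all the `snprintf` calls into separate buffers first, remove every list, and do the string assertions afterwards.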
@@ -456,6 +534,7 @@ tc = tcase_create("enum_from_name"); tcase_add_loop_test(tc, test_enum_from_name_cont, 0, countof(enum_tests_cont)); tcase_add_loop_test(tc, test_enum_from_name_split, 0, countof(enum_tests_split)); + tcase_add_loop_test(tc, test_enum_from_name_ext, 0, countof(enum_tests_ext)); suite_add_tcase(s, tc); tc = tcase_create("enum_flags_to_string"); @@ -478,6 +557,7 @@ tcase_add_loop_test(tc, test_enum_printf_hook_flags_overflow, 0, countof(printf_tests_flags_overflow)); tcase_add_loop_test(tc, test_enum_printf_hook_flags_noflagenum, 0, countof(printf_tests_flags_noflagenum)); tcase_add_test(tc, test_enum_printf_hook_width); + tcase_add_test(tc, test_enum_printf_hook_add_enum_names); suite_add_tcase(s, tc); return s; diff -Nru strongswan-5.9.8/src/libstrongswan/tests/suites/test_serial_gen.c strongswan-5.9.11/src/libstrongswan/tests/suites/test_serial_gen.c --- strongswan-5.9.8/src/libstrongswan/tests/suites/test_serial_gen.c 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/tests/suites/test_serial_gen.c 2023-06-12 05:47:41.000000000 +0000 
@@ -0,0 +1,708 @@ +/* + * Copyright (C) 2022 Andreas Steffen, strongSec GmbH + * + * Copyright (C) secunet Security Networks AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include +#include +#include + +#include + +/** + * RSA private key, so we don't have to generate one + */ +static char keydata[] = { + 0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24, + 0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d, + 0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf, + 0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f, + 0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27, + 0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad, + 0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63, + 0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71, + 0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01, + 0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5, + 0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4, + 0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb, + 0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f, + 0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93, + 
0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88, + 0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4, + 0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd, + 0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b, + 0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21, + 0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee, + 0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7, + 0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4, + 0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54, + 0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9, + 0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7, + 0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61, + 0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef, + 0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6, + 0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08, + 0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65, + 0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e, + 0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e, + 0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d, + 0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02, + 0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b, + 0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71, + 0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda, + 0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02, + 
0x49,0xe8, +}; + +/** + * Issue a certificate with a given serial number + */ +static certificate_t* create_cert(chunk_t serial) +{ + private_key_t *privkey; + public_key_t *pubkey; + certificate_t *cert; + identification_t *id; + + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata), + BUILD_END); + ck_assert(privkey); + pubkey = privkey->get_public_key(privkey); + ck_assert(pubkey); + id = identification_create_from_string("C=CH, O=strongSwan, CN=test"); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_SIGNING_KEY, privkey, + BUILD_PUBLIC_KEY, pubkey, + BUILD_SUBJECT, id, + BUILD_SERIAL, serial, + BUILD_END); + ck_assert(cert); + id->destroy(id); + privkey->destroy(privkey); + pubkey->destroy(pubkey); + + return cert; +} + +CALLBACK(filter, bool, + void *data, enumerator_t *orig, va_list args) +{ + crl_revoked_t *revoked; + crl_reason_t *reason; + chunk_t *serial; + time_t *date; + + VA_ARGS_VGET(args, serial, date, reason); + + if (orig->enumerate(orig, &revoked)) + { + *serial = revoked->serial; + *date = revoked->date; + *reason = revoked->reason; + return TRUE; + } + return FALSE; +} + +/** + * Revoke a certificate with a given serial number + */ +static certificate_t* create_crl(chunk_t serial, certificate_t *cert) +{ + private_key_t *privkey; + certificate_t *crl; + linked_list_t *list; + enumerator_t *enumerator; + crl_revoked_t *revoked; + time_t date = time(NULL); + + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata), + BUILD_END); + ck_assert(privkey); + + INIT(revoked, + .serial = serial, + .reason = CRL_REASON_KEY_COMPROMISE, + .date = date + ); + list = linked_list_create(); + list->insert_last(list, revoked); + + enumerator = enumerator_create_filter(list->create_enumerator(list), + filter, NULL, NULL); + crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + 
BUILD_SIGNING_KEY, privkey, + BUILD_NOT_BEFORE_TIME, date, + BUILD_NOT_AFTER_TIME, date + 30 * 24 * 3600, + BUILD_SIGNING_CERT, cert, + BUILD_REVOKED_ENUMERATOR, enumerator, + BUILD_SERIAL, serial, + BUILD_BASE_CRL, serial, + BUILD_END); + ck_assert(crl); + enumerator->destroy(enumerator); + list->destroy(list); + free(revoked); + privkey->destroy(privkey); + + return crl; +} + +/** + * Create an OCSP request for a given serial number + */ +static certificate_t* create_ocsp_request(certificate_t *cert) +{ + certificate_t *ocsp_req; + + ocsp_req = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, + BUILD_CA_CERT, cert, + BUILD_CERT, cert, + BUILD_END); + + ck_assert(ocsp_req); + + return ocsp_req; +} + +/** + * Parse an ASN.1 encoded OCSP response + */ +static certificate_t* parse_ocsp_response(chunk_t encoding) +{ + certificate_t *ocsp_rsp; + + ocsp_rsp = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, + BUILD_BLOB_ASN1_DER, encoding, + BUILD_END); + ck_assert(ocsp_rsp); + + return ocsp_rsp; +} + +/** + * Issue an attribute certificate with a given serial number + */ +static certificate_t* create_acert(chunk_t serial, certificate_t *cert) +{ + private_key_t *privkey; + public_key_t *pubkey; + certificate_t *acert; + linked_list_t *groups = linked_list_create(); + time_t date = time(NULL); + + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata), + BUILD_END); + ck_assert(privkey); + pubkey = privkey->get_public_key(privkey); + ck_assert(pubkey); + groups->insert_last(groups, "research"); + acert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_AC, + BUILD_NOT_BEFORE_TIME, date, + BUILD_NOT_AFTER_TIME, date + 30 * 24 * 3600, + BUILD_CERT, cert, + BUILD_SERIAL, serial, + BUILD_AC_GROUP_STRINGS, groups, + BUILD_SIGNING_CERT, cert, + BUILD_SIGNING_KEY, privkey, + BUILD_END); + ck_assert(acert); + groups->destroy(groups); + 
privkey->destroy(privkey); + pubkey->destroy(pubkey); + + return acert; +} + +/** + * Parse an ASN.1 encoded attribute certificate + */ +static certificate_t* parse_acert(chunk_t encoding) +{ + certificate_t *acert; + + acert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC, + BUILD_BLOB_ASN1_DER, encoding, + BUILD_END); + ck_assert(acert); + + return acert; +} + +typedef struct { + chunk_t serial; + chunk_t serial_asn1; +} serial_number_t; + +static serial_number_t serial_numbers[] = { + { chunk_from_chars(0x00), + chunk_from_chars(0x01,0x00) }, + { chunk_from_chars(0x01), + chunk_from_chars(0x01,0x01) }, + { chunk_from_chars(0x7f), + chunk_from_chars(0x01,0x7f) }, + { chunk_from_chars(0x80), + chunk_from_chars(0x02,0x00,0x80) }, + { chunk_from_chars(0xff), + chunk_from_chars(0x02,0x00,0xff) }, + { chunk_from_chars(0x01,0x00), + chunk_from_chars(0x02,0x01,0x00) }, + { chunk_from_chars(0x7f,0xff), + chunk_from_chars(0x02,0x7f,0xff) }, + { chunk_from_chars(0x80,0x00), + chunk_from_chars(0x03,0x00,0x80,0x00) }, + { chunk_from_chars(0xff,0xff), + chunk_from_chars(0x03,0x00,0xff,0xff) }, + { chunk_from_chars(0x01,0x00,0x00), + chunk_from_chars(0x03,0x01,0x00,0x00) }, + { chunk_from_chars(0x7f,0xff,0xff), + chunk_from_chars(0x03,0x7f,0xff,0xff) }, + { chunk_from_chars(0x80,0x00,0x00), + chunk_from_chars(0x04,0x00,0x80,0x00,0x00) }, + { chunk_from_chars(0xff,0xff,0xff), + chunk_from_chars(0x04,0x00,0xff,0xff,0xff) }, + { chunk_from_chars(0x01,0x00,0x00,0x00), + chunk_from_chars(0x04,0x01,0x00,0x00,0x00) }, + { chunk_from_chars(0x7f,0xff,0xff,0xff), + chunk_from_chars(0x04,0x7f,0xff,0xff,0xff) }, + { chunk_from_chars(0x80,0x00,0x00,0x00), + chunk_from_chars(0x05,0x00,0x80,0x00,0x00,0x00) }, + { chunk_from_chars(0xff,0xff,0xff,0xff), + chunk_from_chars(0x05,0x00,0xff,0xff,0xff,0xff) }, +}; + +static chunk_t ocsp_responses[] = { + chunk_from_chars( + 0x30,0x82,0x01,0x85,0x0a,0x01,0x00,0xa0,0x82,0x01,0x7e,0x30,0x82,0x01,0x7a,0x06, + 
0x09,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,0x04,0x82,0x01,0x6b,0x30,0x82, + 0x01,0x67,0x30,0x81,0xd1,0xa1,0x33,0x30,0x31,0x31,0x0b,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13, + 0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x0d,0x30,0x0b,0x06, + 0x03,0x55,0x04,0x03,0x13,0x04,0x74,0x65,0x73,0x74,0x18,0x0f,0x32,0x30,0x32,0x32, + 0x31,0x31,0x32,0x32,0x30,0x39,0x31,0x36,0x34,0x37,0x5a,0x30,0x64,0x30,0x62,0x30, + 0x3a,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14,0xbd,0x25, + 0xa0,0xdf,0xc3,0x21,0xf2,0xd8,0xed,0x19,0x63,0x0a,0x4b,0x90,0x6d,0xc3,0x0f,0xe7, + 0x79,0x20,0x04,0x14,0xe2,0x6d,0x1e,0xdf,0x83,0x8e,0xa2,0x1f,0xc3,0x00,0xdd,0x44, + 0x6f,0x8a,0x4d,0x70,0x0c,0x02,0xe3,0x1f,0x02,0x01,0x7f,0x80,0x00,0x18,0x0f,0x32, + 0x30,0x32,0x32,0x31,0x31,0x32,0x32,0x30,0x39,0x31,0x36,0x34,0x37,0x5a,0xa0,0x11, + 0x18,0x0f,0x32,0x30,0x32,0x32,0x31,0x31,0x32,0x32,0x31,0x39,0x31,0x36,0x34,0x37, + 0x5a,0xa1,0x23,0x30,0x21,0x30,0x1f,0x06,0x09,0x2b,0x06,0x01,0x05,0x05,0x07,0x30, + 0x01,0x02,0x04,0x12,0x04,0x10,0x86,0x45,0x82,0x11,0xe6,0x62,0x43,0x83,0xbc,0x01, + 0xe4,0x5c,0x48,0x87,0xcd,0x2e,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d, + 0x01,0x01,0x0b,0x05,0x00,0x03,0x81,0x81,0x00,0x42,0x32,0xa9,0x24,0x97,0x8c,0xc5, + 0x35,0x37,0xe7,0x14,0xf0,0x84,0x7e,0x69,0xf1,0x99,0xf8,0xf0,0x02,0x7d,0xe4,0xd8, + 0x25,0x78,0x65,0x86,0x40,0xf6,0x30,0xc1,0x50,0x57,0x16,0x13,0xe9,0xe5,0xbc,0xa9, + 0xbb,0x87,0xce,0xb8,0x0d,0x35,0x5d,0xad,0x68,0x3b,0x34,0x9f,0x82,0x2b,0xe5,0x1f, + 0xcc,0xd5,0x54,0x8a,0xe3,0xd7,0xed,0xc9,0x7d,0xb6,0x50,0xd2,0xcb,0xc2,0xff,0x03, + 0x24,0x8c,0xcf,0x49,0x40,0xd4,0x7f,0xcb,0xc0,0x20,0x75,0x78,0x45,0xb8,0x50,0x3c, + 0x84,0xdd,0xdc,0xb7,0xfc,0xcd,0x64,0xc3,0x81,0xc6,0xb6,0xcd,0xc5,0xe9,0xc4,0x70, + 0x31,0x30,0x7c,0xff,0x93,0xc3,0x9d,0x55,0x7b,0x32,0x77,0x53,0x07,0x45,0xc2,0x80, + 0x7b,0x9b,0xfb,0x0e,0x45,0x27,0xf2,0xc5,0x16), + chunk_from_chars( + 
0x30,0x82,0x01,0x9c,0x0a,0x01,0x00,0xa0,0x82,0x01,0x95,0x30,0x82,0x01,0x91,0x06, + 0x09,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,0x04,0x82,0x01,0x82,0x30,0x82, + 0x01,0x7e,0x30,0x81,0xe8,0xa1,0x33,0x30,0x31,0x31,0x0b,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13, + 0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x0d,0x30,0x0b,0x06, + 0x03,0x55,0x04,0x03,0x13,0x04,0x74,0x65,0x73,0x74,0x18,0x0f,0x32,0x30,0x32,0x32, + 0x31,0x31,0x32,0x32,0x30,0x39,0x32,0x32,0x32,0x34,0x5a,0x30,0x7b,0x30,0x79,0x30, + 0x3b,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14,0xbd,0x25, + 0xa0,0xdf,0xc3,0x21,0xf2,0xd8,0xed,0x19,0x63,0x0a,0x4b,0x90,0x6d,0xc3,0x0f,0xe7, + 0x79,0x20,0x04,0x14,0xe2,0x6d,0x1e,0xdf,0x83,0x8e,0xa2,0x1f,0xc3,0x00,0xdd,0x44, + 0x6f,0x8a,0x4d,0x70,0x0c,0x02,0xe3,0x1f,0x02,0x02,0x00,0x80,0xa1,0x16,0x18,0x0f, + 0x32,0x30,0x32,0x32,0x31,0x31,0x31,0x35,0x31,0x38,0x34,0x30,0x35,0x34,0x5a,0xa0, + 0x03,0x0a,0x01,0x01,0x18,0x0f,0x32,0x30,0x32,0x32,0x31,0x31,0x32,0x32,0x30,0x39, + 0x32,0x32,0x32,0x34,0x5a,0xa0,0x11,0x18,0x0f,0x32,0x30,0x32,0x32,0x31,0x31,0x32, + 0x32,0x31,0x39,0x32,0x32,0x32,0x34,0x5a,0xa1,0x23,0x30,0x21,0x30,0x1f,0x06,0x09, + 0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,0x04,0x12,0x04,0x10,0xf2,0x47,0xbd, + 0xd2,0xdd,0x6d,0x58,0xba,0xa4,0x6f,0xa5,0xed,0x31,0xb1,0x37,0x89,0x30,0x0d,0x06, + 0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x81,0x81,0x00, + 0x17,0x96,0x3b,0x5a,0x4d,0x4e,0x90,0x8a,0xdf,0xe9,0x2b,0x1c,0x48,0x15,0x5d,0x8e, + 0xed,0xf0,0xa6,0x42,0x3a,0x9c,0x71,0xd9,0x6a,0xa6,0xc1,0xfd,0xef,0xe8,0x0a,0xa1, + 0x61,0x46,0xe4,0x04,0x5c,0x64,0xaf,0x47,0x95,0xdd,0x4c,0xba,0x8e,0x53,0xf6,0x9b, + 0xbc,0x16,0xcb,0xeb,0xfe,0x80,0x6a,0x70,0x54,0x10,0x59,0x40,0x5b,0xa0,0x2b,0xb3, + 0x62,0x27,0x9e,0x5d,0xd2,0xd6,0x15,0x2a,0x9d,0xa3,0xb1,0xcb,0x44,0x09,0xd8,0x29, + 0xb5,0x55,0xd9,0x63,0x86,0xd5,0xb3,0x3c,0x4b,0x78,0x14,0x5a,0x27,0x37,0x3a,0x28, + 
0xd8,0xae,0x69,0x51,0x2e,0x7d,0xf1,0x06,0xc1,0xac,0x4e,0x5d,0x25,0x7a,0xd2,0xf4, + 0x41,0xfd,0x9f,0xbf,0x05,0xc1,0x70,0xa5,0x3f,0x7a,0x53,0x06,0x85,0x7b,0xeb,0x94) +}; + +START_TEST(test_gen_serial_numbers) +{ + chunk_t encoding, serial, serial_asn1; + certificate_t *cert, *crl, *ocsp_req, *acert, *acert1; + enumerator_t *enumerator; + crl_t *x509_crl; + x509_t *x509; + ac_t *ac; + size_t offset; + u_char *pos; + + /** + * Use serial number with canonical encoding (no leading zeroes) + */ + + /* create X.509 certificate */ + cert = create_cert(serial_numbers[_i].serial); + + /* retrieve configured serial number */ + x509 = (x509_t*)cert; + ck_assert_chunk_eq(x509->get_serial(x509), serial_numbers[_i].serial); + + /* the ASN.1 TLV (Type-Length-Value) encoding of an X.509 certificate is + * + * 0 "x509", ASN1_SEQUENCE + * 1 "tbsCertificate", ASN1_SEQUENCE + * 2 "DEFAULT v1", ASN1_CONTEXT_C_0 + * 3 "version", ASN1_INTEGER + * 4 "serialNumber", ASN1_INTEGER + * ... + * + * The one octet length field of the serialNumber (4) is at + * pos = 4 (TL0) + 4 (TL1) + 2 (TL2) + 3 (TLV3) + 1 (T4) = 14 + */ + ck_assert(cert->get_encoding(cert, CERT_ASN1_DER, &encoding)); + DBG2(DBG_LIB, "cert: %B", &encoding); + + /* check ASN.1 integer encoding of serial number */ + pos = encoding.ptr + 14; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + chunk_free(&encoding); + + /* create X.509 crl */ + crl = create_crl(serial_numbers[_i].serial, cert); + + /* retrieve configured serial number */ + x509_crl = (crl_t*)crl; + ck_assert_chunk_eq(x509_crl->get_serial(x509_crl), serial_numbers[_i].serial); + + enumerator = x509_crl->create_enumerator(x509_crl); + ck_assert(enumerator->enumerate(enumerator, &serial, NULL, NULL)); + ck_assert_chunk_eq(serial, serial_numbers[_i].serial); + enumerator->destroy(enumerator); + + /* retrieve configured base crl number */ + ck_assert(x509_crl->is_delta_crl(x509_crl, &serial)); + 
ck_assert_chunk_eq(x509_crl->get_serial(x509_crl), serial_numbers[_i].serial); + + /* the ASN.1 TLV (Type-Length-Value) encoding of an X.509 crl is + * + * 0 "certificateList", ASN1_SEQUENCE + * 1 "tbsCertList", ASN1_SEQUENCE + * 2 "version", ASN1_INTEGER + * 3 "signature", ASN1_SEQUENCE + * 4 "issuer", ASN1_SEQUENCE + * 5 "thisUpdate" ASN1_UTCTIME + * 6 "nextUpdate" ASN1_UTCTIME + * 7 "revokedCertificates", ASN1_SEQUENCE + * 8 "certList", ASN1_SEQUENCE + * 9 "userCertificate", ASN1_INTEGER + * 10 "revocationDate", ASN1_UTCTIME + * 11 "crlEntryExtensions", ASN1_SEQUENCE + * 12 "optional extensions", ASN1_CONTEXT_C_0 + * 13 "crlExtensions", ASN1_SEQUENCE + * 14 "extension", ASN1_SEQUENCE + * 15 "extnID", ASN1_OID + * 16 "critical", ASN1_BOOLEAN + * 17 "extnValue", ASN1_OCTET_STRING + * 18 "authorityKeyIdentifier", ASN1_SEQUENCE + * 19 "extension", ASN1_SEQUENCE + * 20 "extnID", ASN1_OID + * 21 "critical", ASN1_BOOLEAN + * 22 "extnValue", ASN1_OCTET_STRING + * 23 "crlNumber" ASN1_INTEGER + * 24 "extension", ASN1_SEQUENCE + * 25 "extnID", ASN1_OID + * 26 "critical", ASN1_BOOLEAN + * 27 "extnValue", ASN1_OCTET_STRING + * 28 "baseCrlNumber" ASN1_INTEGER + * ... 
+ * + * The one octet length field of the revoked userCertificate (9) is at + * pos = 4 (TL0) + 3 (TL1) + 3 (TLV2) + 15 (TLV3) + 51 (TLV4) + 15 (TLV5) + + * 15 (TLV6) + 2 (TL7) + 2 (TL8) + 1 (T9) = 111 + * + * The one octet length field of the crlNumber extension (19) is at + * offset = pos - 1 (T9) + *L8 + 2 (TL12) + 2 (TL13) + 33 (TLV14) + 1 (T19) + * = 110 + *L8 + 38 + * + * The one octet length field of the crlNumber (23) is at + * pos = offset + 1 (L19) + 5 (TLV20) + 0 (TLV21) + 2 (TL22) + 1 (T23) + * = offset + 9 + * + * The one octet length field of the baseCrlNumber (28) is at + * pos = offset + 1 (L19) + *L19 + 2 (TL24) + 5 (TLV25) + 3 (TLV26) + * + 2 (TL27) + 1 (T28) + * = offset + *L19 + 14 + */ + ck_assert(crl->get_encoding(crl, CERT_ASN1_DER, &encoding)); + DBG2(DBG_LIB, "crl: %B", &encoding); + + /* check ASN.1 integer encoding of revoked number */ + pos = encoding.ptr + 111; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + + /* check ASN.1 integer encoding of crlNumber */ + offset = 110 + encoding.ptr[109] + 38; + pos = encoding.ptr + offset + 9; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + + /* check ASN.1 integer encoding of baseCrlNumber */ + pos = encoding.ptr + offset + encoding.ptr[offset] + 14; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + chunk_free(&encoding); + + /* create ocsp request */ + ocsp_req = create_ocsp_request(cert); + + /* the ASN.1 TLV (Type-Length-Value) encoding of an OCSP request is + * + * 0 "OCSPRequest", ASN1_SEQUENCE + * 1 "tbsRequest", ASN1_SEQUENCE + * 2 "requestList", ASN1_SEQUENCE + * 3 "request", ASN1_SEQUENCE + * 4 "reqCert", ASN1_SEQUENCE, + * 5 "hashAlgorithm", ASN1_SEQUENCE + * 6 "issuerNameHash", ASN1_OCTET STRING + * 7 "issuerKeyHash", ASN1_OCTET STRING + * 8 "serialNumber", ASN1_INTEGER + * ... 
+ * + * The one octet length field of the serialNumber (8) is at + * pos = 3 (TL0) + 3 (TL1) + 2 (TL2) + 2 (TL3) + 2 (TL4) + 11 (TLV5) + + 22 (TLV6) + 22 (TLV7) + 1 (T8) = 68 + */ + ck_assert(ocsp_req->get_encoding(ocsp_req, CERT_ASN1_DER, &encoding)); + DBG2(DBG_LIB, "ocsp request: %B", &encoding); + + /* check ASN.1 integer encoding of requested serial number */ + pos = encoding.ptr + 68; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + chunk_free(&encoding); + + /* test ocsp response */ + if (_i == 2 || _i == 3) + { + certificate_t *ocsp_rsp; + ocsp_response_t *ocsp_resp; + cert_validation_t status; + crl_reason_t revocation_reason; + time_t revocation_time, this_update, next_update; + enumerator_t *enumerator; + + ocsp_rsp = parse_ocsp_response(ocsp_responses[_i-2]); + ocsp_resp = (ocsp_response_t*)ocsp_rsp; + + status = ocsp_resp->get_status(ocsp_resp, x509, x509, &revocation_time, + &revocation_reason, &this_update, &next_update); + if (_i == 2) + { + ck_assert(status == VALIDATION_GOOD); + } + else + { + ck_assert(status == VALIDATION_REVOKED); + ck_assert(revocation_reason == CRL_REASON_KEY_COMPROMISE); + } + + enumerator = ocsp_resp->create_response_enumerator(ocsp_resp); + ck_assert(enumerator->enumerate(enumerator, &serial, &status, + &revocation_time, &revocation_reason)); + ck_assert_chunk_eq(serial, serial_numbers[_i].serial); + if (_i == 2) + { + ck_assert(status == VALIDATION_GOOD); + } + else + { + ck_assert(status == VALIDATION_REVOKED); + ck_assert(revocation_reason == CRL_REASON_KEY_COMPROMISE); + } + enumerator->destroy(enumerator); + + ocsp_rsp->destroy(ocsp_rsp); + } + + /* create attribute certificate */ + acert = create_acert(serial_numbers[_i].serial, cert); + + /* retrieve configured serial number */ + ac = (ac_t*)acert; + ck_assert_chunk_eq(ac->get_serial(ac), serial_numbers[_i].serial); + + /* retrieve configured holderSerial number */ + 
ck_assert_chunk_eq(ac->get_holderSerial(ac), serial_numbers[_i].serial); + + /* the ASN.1 TLV (Type-Length-Value) encoding of an attribute certificate is + * + * 0 "AttributeCertificate", ASN1_SEQUENCE + * 1 "AttributeCertificateInfo", ASN1_SEQUENCE + * 2 "version", ASN1_INTEGER + * 3 "holder", ASN1_SEQUENCE + * 4 "baseCertificateID", ASN1_CONTEXT_C_0 + * 5 "issuer", ASN1_SEQUENCE + * 6 "serial", ASN1_INTEGER + * 7 "issuerUID", ASN1_BIT_STRING + * 8 "entityName", ASN1_CONTEXT_C_1 + * 9 "objectDigestInfo", ASN1_CONTEXT_C_2 + * 10 "v2Form", ASN1_CONTEXT_C_0 + * 11 "signature", ASN1_SEQUENCE + * 12 "serialNumber" ASN1_INTEGER + * 13 "attrCertValidityPeriod", ASN1_SEQUENCE + * 14 "attributes", ASN1_SEQUENCE + * 15 "extensions", ASN1_SEQUENCE + * 16 "extension", ASN1_SEQUENCE + * 17 "extnID", ASN1_OID + * 18 "critical", ASN1_BOOLEAN + * 19 "extnValue", ASN1_OCTET_STRING + * 20 "authorityKeyIdentifier", ASN1_SEQUENCE + * 21 "keyIdentifier", ASN1_CONTEXT_S_0 + * 22 "authorityCertIssuer", ASN1_CONTEXT_C_1 + * 23 "authorityCertSerialNumber", ASN1_CONTEXT_S_2 + * ... 
+ * + * The one octet length field of the holder serial number (6) is at + * pos = 4 (TL0) + 4 (TL1) + 3 (TLV2) + 2 (TL3) + 2 (TL4) + 55 (TLV5) + + * 1 (T6) = 71 + * + * The one octet length field of the serialNumber (12) is at + * offset = 4 (TL0) + 4 (TL1) + 3 (TLV2) + 2 (TL3) + *L3 + 57 (TLV10) + + * 15 (TLV11) + 1 (T12) + * = 13 + *L3 + 73 + * + * The one octet length field of the authorityCertSerialNumber (23) is at + * pos = offset + *L12 + 1 (L12) + 36 (TLV13) + 30 (TLV14) + 2 (TL15) + * + 2 (TL16) + 5 (TLV17) + 0 (TLV18) + 2 (TL19) + 2 (TL20) + * + 22 (TLV21) + 55 (TLV22) + 1 (T23) + * pos = offset + *L12 + 158 + */ + ck_assert(acert->get_encoding(acert, CERT_ASN1_DER, &encoding)); + DBG2(DBG_LIB, "acert: %B", &encoding); + + /* check ASN.1 integer encoding of holder serial number */ + pos = encoding.ptr + 71; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + + /* check ASN.1 integer encoding of the AC serialNumber */ + offset = 13 + encoding.ptr[12] + 73; + pos = encoding.ptr + offset; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + + /* check ASN.1 integer encoding of serial number */ + pos = encoding.ptr + offset + encoding.ptr[offset] + 158; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + + /* parse ASN.1 encoded attribute certificate */ + acert1 = parse_acert(encoding); + ac = (ac_t*)acert1; + + /* check serial number */ + ck_assert_chunk_eq(ac->get_serial(ac), serial_numbers[_i].serial); + + /* check holderSerial number */ + ck_assert_chunk_eq(ac->get_holderSerial(ac), serial_numbers[_i].serial); + chunk_free(&encoding); + + cert->destroy(cert); + crl->destroy(crl); + ocsp_req->destroy(ocsp_req); + acert->destroy(acert); + acert1->destroy(acert1); + + /** + * Use serial number with two's complement encoding + */ + + serial = 
chunk_skip(serial_numbers[_i].serial_asn1, 1); + + /* create certificate */ + cert = create_cert(serial); + + /* retrieve configured serial number */ + x509 = (x509_t*)cert; + ck_assert_chunk_eq(x509->get_serial(x509), serial_numbers[_i].serial); + + /* check ASN.1 integer encoding */ + ck_assert(cert->get_encoding(cert, CERT_ASN1_DER, &encoding)); + pos = encoding.ptr + 14; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + chunk_free(&encoding); + + /* create crl */ + crl = create_crl(serial, cert); + + /* retrieve configured serial number */ + x509_crl = (crl_t*)crl; + ck_assert_chunk_eq(x509_crl->get_serial(x509_crl), serial_numbers[_i].serial); + + enumerator = x509_crl->create_enumerator(x509_crl); + if (enumerator->enumerate(enumerator, &serial, NULL, NULL)) + { + ck_assert_chunk_eq(serial, serial_numbers[_i].serial); + } + enumerator->destroy(enumerator); + + /* check ASN.1 integer encoding of revoked number */ + ck_assert(crl->get_encoding(crl, CERT_ASN1_DER, &encoding)); + pos = encoding.ptr + 111; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + + /* check ASN.1 integer encoding of crlNumber */ + offset = 110 + encoding.ptr[109] + 38; + pos = encoding.ptr + offset + 9; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + + /* check ASN.1 integer encoding of baseCrlNumber */ + pos = encoding.ptr + offset + encoding.ptr[offset] + 14; + serial_asn1 = chunk_create(pos, 1 + *pos); + ck_assert_chunk_eq(serial_asn1, serial_numbers[_i].serial_asn1); + chunk_free(&encoding); + + cert->destroy(cert); + crl->destroy(crl); +} +END_TEST + +Suite *serial_gen_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("serial_gen"); + + tc = tcase_create("generate serial numbers"); + tcase_add_loop_test(tc, test_gen_serial_numbers, 0, countof(serial_numbers)); + 
suite_add_tcase(s, tc); + + return s; +} diff -Nru strongswan-5.9.8/src/libstrongswan/tests/suites/test_serial_parse.c strongswan-5.9.11/src/libstrongswan/tests/suites/test_serial_parse.c --- strongswan-5.9.8/src/libstrongswan/tests/suites/test_serial_parse.c 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/tests/suites/test_serial_parse.c 2023-03-27 21:00:49.000000000 +0000 
@@ -0,0 +1,272 @@ +/* + * Copyright (C) 2022 Andreas Steffen, strongSec GmbH + * + * Copyright (C) secunet Security Networks AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include +#include + +static certificate_t* parse_cert(chunk_t encoding) +{ + certificate_t *cert; + + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, encoding, + BUILD_END); + ck_assert(cert); + + return cert; +} + +static certificate_t* parse_crl(chunk_t encoding) +{ + certificate_t *crl; + + crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_BLOB_ASN1_DER, encoding, + BUILD_END); + ck_assert(crl); + + return crl; +} + +typedef struct { + chunk_t serial; + chunk_t cert_encoding; + chunk_t crl_encoding; +} serial_number_t; + +static serial_number_t serial_numbers[] = { + { chunk_from_chars(0x00), + chunk_from_chars( + 0x30,0x82,0x01,0xD6,0x30,0x82,0x01,0x3F,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x00, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, + 0x31,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F,0x6E,0x67,0x53, + 0x77,0x61,0x6E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,0x74,0x65, + 0x73,0x74,0x30,0x1E,0x17,0x0D,0x32,0x32,0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37, + 0x34,0x34,0x5A,0x17,0x0D,0x32,0x33,0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37,0x34, + 
0x34,0x5A,0x30,0x31,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F, + 0x6E,0x67,0x53,0x77,0x61,0x6E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13, + 0x04,0x74,0x65,0x73,0x74,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81, + 0x81,0x00,0xB1,0x9B,0xD4,0x51,0x24,0xFC,0x56,0x1D,0x3D,0xFB,0xA2,0xEA,0x37,0x02, + 0x70,0x72,0x87,0x84,0x2F,0x3B,0x2D,0x6E,0x22,0xEF,0x3F,0x37,0x04,0xB2,0x6F,0xB7, + 0xE7,0xD8,0x58,0x05,0xDE,0x34,0xBF,0x99,0xE6,0x40,0x7A,0x56,0xA7,0x73,0xF5,0x98, + 0xCB,0xB0,0x37,0x90,0x5E,0xD1,0x3F,0xF4,0x73,0x50,0x7F,0x53,0x8E,0xF1,0x04,0x25, + 0xB4,0x77,0x22,0x4E,0x8A,0x9D,0x27,0x8F,0x6F,0xAF,0x59,0xBD,0xB0,0x0F,0xF0,0xAA, + 0x11,0x94,0x66,0x16,0x10,0x58,0xAD,0x77,0xA1,0xAC,0x58,0xB4,0xD0,0x0D,0xBC,0x11, + 0xE0,0xC0,0xE9,0x29,0xDC,0x42,0x63,0x01,0x23,0x4F,0x28,0x41,0x6D,0x34,0x9E,0x0C, + 0x4A,0xC8,0x62,0x83,0xB5,0x71,0x71,0x0B,0x51,0xC0,0x4C,0x37,0xD4,0x68,0x19,0x52, + 0x9A,0x8B,0x02,0x03,0x01,0x00,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x81,0x81,0x00,0x0D,0x3E,0x13,0x3D,0x58,0x72, + 0x90,0x21,0x06,0x29,0xBD,0xA5,0x06,0x87,0x67,0x80,0x2C,0xE0,0x61,0xF5,0x66,0x76, + 0x63,0xAB,0x97,0xD5,0x45,0x9B,0x2B,0x3C,0x6B,0xA7,0xB0,0xB4,0x31,0x52,0xC6,0xD9, + 0x72,0xFC,0xC5,0x37,0xE5,0xFF,0xD0,0x80,0x63,0x09,0xD2,0x1E,0xC1,0x77,0x92,0xCC, + 0x07,0x08,0x5D,0xD0,0x30,0x67,0x9A,0x6B,0x82,0x19,0x89,0x0E,0x10,0xC7,0xA4,0xA7, + 0x7C,0x96,0x76,0x8C,0x72,0xDB,0x73,0x13,0x49,0xE5,0x8B,0xAC,0x0B,0x1E,0xEB,0x31, + 0x74,0xEB,0xE4,0xA0,0x5D,0x49,0x9A,0x76,0x3C,0xA5,0xEF,0x55,0xE2,0x32,0x25,0x1A, + 0xE3,0x05,0x37,0xAC,0xFF,0x9F,0x94,0x92,0xE6,0x0E,0x53,0xC0,0xFC,0x52,0xB8,0xD0, + 0xFA,0x66,0x0B,0xCE,0xCA,0x88,0x66,0x3B,0x83,0x48), + chunk_from_chars( + 0x30,0x82,0x01,0x5D,0x30,0x81,0xC7,0x02,0x01,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86, + 
0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x31,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F,0x6E,0x67,0x53,0x77,0x61,0x6E,0x31,0x0D,0x30, + 0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,0x74,0x65,0x73,0x74,0x17,0x0D,0x32,0x32, + 0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A,0x17,0x0D,0x32,0x32,0x31, + 0x32,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A,0x30,0x22,0x30,0x20,0x02,0x01, + 0x00,0x17,0x0D,0x32,0x32,0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A, + 0x30,0x0C,0x30,0x0A,0x06,0x03,0x55,0x1D,0x15,0x04,0x03,0x0A,0x01,0x01,0xA0,0x3E, + 0x30,0x3C,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE2, + 0x6D,0x1E,0xDF,0x83,0x8E,0xA2,0x1F,0xC3,0x00,0xDD,0x44,0x6F,0x8A,0x4D,0x70,0x0C, + 0x02,0xE3,0x1F,0x30,0x0A,0x06,0x03,0x55,0x1D,0x14,0x04,0x03,0x02,0x01,0x00,0x30, + 0x0D,0x06,0x03,0x55,0x1D,0x1B,0x01,0x01,0xFF,0x04,0x03,0x02,0x01,0x00,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x81,0x81, + 0x00,0x35,0x72,0x26,0x38,0x87,0x21,0xA2,0x5C,0xED,0x5C,0x04,0xD9,0x49,0xC0,0xB6, + 0x75,0x7C,0x5A,0xEA,0x46,0x6E,0x1E,0xED,0x3C,0x9B,0x41,0x31,0x37,0x3F,0xAA,0xE7, + 0x16,0x39,0x17,0x48,0x5F,0x84,0x48,0x6F,0xA4,0xF6,0x9D,0x79,0xDE,0xC3,0xE9,0x82, + 0x87,0xEE,0xD4,0xD0,0x2F,0xBF,0x8B,0x74,0x1E,0xA7,0x21,0x63,0xB6,0x5A,0x39,0xFF, + 0xDE,0xD0,0x6E,0xE3,0xB5,0x3B,0x0C,0x42,0x46,0x97,0x43,0x2E,0x6B,0x4D,0xF8,0x54, + 0x59,0x8F,0xD8,0x72,0xB3,0xB0,0x29,0xCB,0x56,0xA7,0x8A,0x01,0xD6,0xEA,0xE0,0x69, + 0xF7,0x36,0xC4,0x06,0xE6,0x05,0xC0,0x10,0xD2,0xB7,0x43,0x46,0xCC,0x8A,0x53,0xA1, + 0xA6,0xD3,0x88,0x73,0x53,0x29,0x10,0xC2,0xC6,0xCE,0x24,0xC3,0xCE,0x14,0xED,0xB0, + 0x64) + }, + { chunk_from_chars(0x7f), + chunk_from_chars( + 0x30,0x82,0x01,0xD6,0x30,0x82,0x01,0x3F,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x7F, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, + 
0x31,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F,0x6E,0x67,0x53, + 0x77,0x61,0x6E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,0x74,0x65, + 0x73,0x74,0x30,0x1E,0x17,0x0D,0x32,0x32,0x31,0x31,0x31,0x38,0x31,0x33,0x30,0x37, + 0x32,0x31,0x5A,0x17,0x0D,0x32,0x33,0x31,0x31,0x31,0x38,0x31,0x33,0x30,0x37,0x32, + 0x31,0x5A,0x30,0x31,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43, + 0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F, + 0x6E,0x67,0x53,0x77,0x61,0x6E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13, + 0x04,0x74,0x65,0x73,0x74,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81, + 0x81,0x00,0xB1,0x9B,0xD4,0x51,0x24,0xFC,0x56,0x1D,0x3D,0xFB,0xA2,0xEA,0x37,0x02, + 0x70,0x72,0x87,0x84,0x2F,0x3B,0x2D,0x6E,0x22,0xEF,0x3F,0x37,0x04,0xB2,0x6F,0xB7, + 0xE7,0xD8,0x58,0x05,0xDE,0x34,0xBF,0x99,0xE6,0x40,0x7A,0x56,0xA7,0x73,0xF5,0x98, + 0xCB,0xB0,0x37,0x90,0x5E,0xD1,0x3F,0xF4,0x73,0x50,0x7F,0x53,0x8E,0xF1,0x04,0x25, + 0xB4,0x77,0x22,0x4E,0x8A,0x9D,0x27,0x8F,0x6F,0xAF,0x59,0xBD,0xB0,0x0F,0xF0,0xAA, + 0x11,0x94,0x66,0x16,0x10,0x58,0xAD,0x77,0xA1,0xAC,0x58,0xB4,0xD0,0x0D,0xBC,0x11, + 0xE0,0xC0,0xE9,0x29,0xDC,0x42,0x63,0x01,0x23,0x4F,0x28,0x41,0x6D,0x34,0x9E,0x0C, + 0x4A,0xC8,0x62,0x83,0xB5,0x71,0x71,0x0B,0x51,0xC0,0x4C,0x37,0xD4,0x68,0x19,0x52, + 0x9A,0x8B,0x02,0x03,0x01,0x00,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x81,0x81,0x00,0xA4,0x92,0x32,0x35,0xD2,0xC7, + 0x67,0x12,0x1E,0x5E,0x7C,0x0C,0x08,0x92,0x95,0xEE,0xD4,0x43,0x59,0xEF,0x0C,0x0A, + 0x73,0x2C,0xB4,0x6C,0xB6,0x4A,0x98,0x85,0xD5,0xA2,0x96,0x6B,0x90,0xBA,0xB7,0xC2, + 0x67,0x5F,0x0D,0xCD,0x9E,0xB3,0x5B,0xDE,0xA0,0xF4,0x5C,0x49,0x80,0x66,0x7B,0x33, + 0x08,0x7F,0xCB,0x65,0xE6,0xCB,0x4F,0x50,0x59,0x16,0x23,0xEA,0xB6,0x70,0xFD,0x98, + 
0xD3,0x65,0x2A,0x94,0x65,0x2E,0x77,0x93,0x48,0x99,0x12,0xC3,0x95,0xDE,0x56,0xA8, + 0xFE,0x33,0x1E,0x36,0x62,0x29,0x0A,0x5A,0x07,0xF9,0x19,0xF6,0x04,0x86,0xB5,0x43, + 0x2C,0x49,0x4B,0xC2,0x98,0x3F,0x96,0x95,0x61,0x96,0xF8,0x22,0x4C,0xFB,0x45,0x41, + 0x27,0x06,0x0E,0x44,0x36,0x19,0x7F,0x51,0x96,0x20), + chunk_from_chars( + 0x30,0x82,0x01,0x5D,0x30,0x81,0xC7,0x02,0x01,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x31,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F,0x6E,0x67,0x53,0x77,0x61,0x6E,0x31,0x0D,0x30, + 0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,0x74,0x65,0x73,0x74,0x17,0x0D,0x32,0x32, + 0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A,0x17,0x0D,0x32,0x32,0x31, + 0x32,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A,0x30,0x22,0x30,0x20,0x02,0x01, + 0x7F,0x17,0x0D,0x32,0x32,0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A, + 0x30,0x0C,0x30,0x0A,0x06,0x03,0x55,0x1D,0x15,0x04,0x03,0x0A,0x01,0x01,0xA0,0x3E, + 0x30,0x3C,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE2, + 0x6D,0x1E,0xDF,0x83,0x8E,0xA2,0x1F,0xC3,0x00,0xDD,0x44,0x6F,0x8A,0x4D,0x70,0x0C, + 0x02,0xE3,0x1F,0x30,0x0A,0x06,0x03,0x55,0x1D,0x14,0x04,0x03,0x02,0x01,0x7F,0x30, + 0x0D,0x06,0x03,0x55,0x1D,0x1B,0x01,0x01,0xFF,0x04,0x03,0x02,0x01,0x7F,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x81,0x81, + 0x00,0x00,0x93,0xAD,0x02,0x09,0x74,0x97,0x3C,0xBE,0x82,0x3D,0x39,0xCC,0xD0,0x55, + 0x8F,0xBA,0xE4,0xB5,0x53,0x83,0xF0,0x11,0x29,0xE8,0x2B,0x77,0x8D,0xC5,0xA2,0x0F, + 0x86,0x31,0x87,0x4D,0xAA,0x4B,0x78,0x44,0xFB,0x42,0xDB,0x81,0xC7,0xF0,0xA6,0x65, + 0x68,0x36,0xC9,0x2D,0x37,0xA7,0x1C,0x23,0xD3,0xA4,0x75,0x85,0x0B,0x09,0xF1,0x1E, + 0x24,0x19,0xB7,0xEE,0x5A,0x89,0x1C,0xF9,0x98,0xE7,0x6F,0xB8,0xF2,0x9A,0xB2,0x5E, + 0xC5,0x47,0xE3,0x6D,0x50,0x9D,0x13,0x61,0x85,0x71,0x0A,0xF2,0xF3,0xBC,0x03,0xE6, + 
0xB8,0x1F,0x32,0x92,0x4C,0x95,0x31,0xF0,0xF4,0x85,0x41,0x97,0x1F,0x43,0xC7,0x51, + 0xD9,0x90,0xBE,0xA6,0xE5,0x06,0x92,0xEF,0xF6,0x81,0xC7,0xD4,0xB3,0xF7,0x1B,0xA3, + 0x1C), + }, + { chunk_from_chars(0x80), + chunk_from_chars( + 0x30,0x82,0x01,0xD7,0x30,0x82,0x01,0x40,0xA0,0x03,0x02,0x01,0x02,0x02,0x02,0x00, + 0x80,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00, + 0x30,0x31,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31, + 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F,0x6E,0x67, + 0x53,0x77,0x61,0x6E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,0x74, + 0x65,0x73,0x74,0x30,0x1E,0x17,0x0D,0x32,0x32,0x31,0x31,0x31,0x38,0x31,0x33,0x30, + 0x37,0x32,0x31,0x5A,0x17,0x0D,0x32,0x33,0x31,0x31,0x31,0x38,0x31,0x33,0x30,0x37, + 0x32,0x31,0x5A,0x30,0x31,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x73,0x74,0x72, + 0x6F,0x6E,0x67,0x53,0x77,0x61,0x6E,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03, + 0x13,0x04,0x74,0x65,0x73,0x74,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02, + 0x81,0x81,0x00,0xB1,0x9B,0xD4,0x51,0x24,0xFC,0x56,0x1D,0x3D,0xFB,0xA2,0xEA,0x37, + 0x02,0x70,0x72,0x87,0x84,0x2F,0x3B,0x2D,0x6E,0x22,0xEF,0x3F,0x37,0x04,0xB2,0x6F, + 0xB7,0xE7,0xD8,0x58,0x05,0xDE,0x34,0xBF,0x99,0xE6,0x40,0x7A,0x56,0xA7,0x73,0xF5, + 0x98,0xCB,0xB0,0x37,0x90,0x5E,0xD1,0x3F,0xF4,0x73,0x50,0x7F,0x53,0x8E,0xF1,0x04, + 0x25,0xB4,0x77,0x22,0x4E,0x8A,0x9D,0x27,0x8F,0x6F,0xAF,0x59,0xBD,0xB0,0x0F,0xF0, + 0xAA,0x11,0x94,0x66,0x16,0x10,0x58,0xAD,0x77,0xA1,0xAC,0x58,0xB4,0xD0,0x0D,0xBC, + 0x11,0xE0,0xC0,0xE9,0x29,0xDC,0x42,0x63,0x01,0x23,0x4F,0x28,0x41,0x6D,0x34,0x9E, + 0x0C,0x4A,0xC8,0x62,0x83,0xB5,0x71,0x71,0x0B,0x51,0xC0,0x4C,0x37,0xD4,0x68,0x19, + 0x52,0x9A,0x8B,0x02,0x03,0x01,0x00,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 
0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x81,0x81,0x00,0x54,0xC6,0x85,0x31,0x85, + 0x17,0x86,0xCB,0xFF,0x63,0x09,0x2A,0x90,0xDD,0x2C,0xC8,0x7E,0xD7,0x8B,0xE0,0x37, + 0xF7,0x2D,0xE2,0xCF,0x7E,0x57,0x26,0x4C,0x1D,0x3D,0x57,0xF0,0x6D,0x0D,0x18,0xA3, + 0xAB,0x49,0xD3,0x4E,0x08,0x70,0x4D,0xAE,0x05,0xF7,0xC5,0x47,0x99,0x89,0xFA,0xCA, + 0x15,0x36,0x3F,0xDA,0xA7,0x64,0xEE,0xE6,0x1C,0x6E,0x6E,0x9D,0x39,0x61,0xCB,0x5E, + 0x8F,0xAD,0x5C,0x90,0xD6,0xAE,0xCD,0xE9,0xBB,0x62,0xB9,0xCB,0x0E,0x51,0xDD,0x27, + 0xAF,0xF3,0xE2,0xD0,0xAC,0x9E,0x99,0x55,0xB5,0x2F,0x46,0x99,0xDB,0x2F,0xEC,0x23, + 0x76,0x0E,0x82,0xE3,0xA7,0xC3,0xF6,0xA2,0x61,0x32,0xC7,0x1F,0xD6,0x22,0x9B,0xFA, + 0xD8,0xFD,0x8F,0xB2,0xB7,0x6B,0x71,0xF0,0x92,0x1F,0x44), + chunk_from_chars( + 0x30,0x82,0x01,0x60,0x30,0x81,0xCA,0x02,0x01,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x31,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x13,0x0A,0x73,0x74,0x72,0x6F,0x6E,0x67,0x53,0x77,0x61,0x6E,0x31,0x0D,0x30, + 0x0B,0x06,0x03,0x55,0x04,0x03,0x13,0x04,0x74,0x65,0x73,0x74,0x17,0x0D,0x32,0x32, + 0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A,0x17,0x0D,0x32,0x32,0x31, + 0x32,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34,0x5A,0x30,0x23,0x30,0x21,0x02,0x02, + 0x00,0x80,0x17,0x0D,0x32,0x32,0x31,0x31,0x32,0x30,0x31,0x30,0x31,0x37,0x34,0x34, + 0x5A,0x30,0x0C,0x30,0x0A,0x06,0x03,0x55,0x1D,0x15,0x04,0x03,0x0A,0x01,0x01,0xA0, + 0x40,0x30,0x3E,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14, + 0xE2,0x6D,0x1E,0xDF,0x83,0x8E,0xA2,0x1F,0xC3,0x00,0xDD,0x44,0x6F,0x8A,0x4D,0x70, + 0x0C,0x02,0xE3,0x1F,0x30,0x0B,0x06,0x03,0x55,0x1D,0x14,0x04,0x04,0x02,0x02,0x00, + 0x80,0x30,0x0E,0x06,0x03,0x55,0x1D,0x1B,0x01,0x01,0xFF,0x04,0x04,0x02,0x02,0x00, + 0x80,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00, + 0x03,0x81,0x81,0x00,0x7D,0x98,0x63,0x80,0x7B,0x43,0xE6,0x56,0xCD,0x59,0x0E,0xEC, + 
0xD7,0x45,0x93,0xE5,0xD1,0x97,0x3E,0x47,0x87,0xFD,0x6F,0x8D,0x10,0xB0,0xDA,0x7C, + 0x5D,0xDC,0x0B,0x1B,0xC8,0x63,0x5D,0x8D,0x02,0xDE,0xD0,0xC7,0xBB,0xE4,0x50,0xEA, + 0xA7,0x2E,0x06,0xBC,0xF2,0x36,0x8D,0x7A,0xA2,0xE5,0x67,0x0F,0x03,0x9A,0x75,0x1D, + 0x18,0x0E,0x57,0x39,0x86,0xF3,0xEF,0x29,0xED,0xDE,0x24,0x50,0x9E,0x1F,0xC7,0x90, + 0x51,0x95,0xA0,0xD5,0x11,0x5E,0x96,0x0A,0xA5,0x4A,0x4D,0xFE,0x97,0xE4,0x1A,0xEA, + 0xC3,0x56,0x2A,0x21,0xA6,0x6E,0xE5,0xBA,0xAC,0x70,0xA5,0xE5,0x90,0x9A,0x3C,0x36, + 0xFF,0xD6,0x8B,0xC2,0x09,0x19,0xF4,0x21,0x68,0x50,0xEC,0x83,0xF8,0xF6,0xB5,0x24, + 0x8F,0x2B,0x77,0xB2) + } +}; + +START_TEST(test_parse_serial_numbers) +{ + enumerator_t *enumerator; + certificate_t *cert, *crl; + crl_t *x509_crl; + x509_t *x509; + chunk_t serial; + + /* parse ASN.1 DER encoded certificate */ + cert = parse_cert(serial_numbers[_i].cert_encoding); + + /* check parsed serial number */ + x509 = (x509_t*)cert; + ck_assert_chunk_eq(x509->get_serial(x509), serial_numbers[_i].serial); + cert->destroy(cert); + + /* parse ASN.1 DER encoded crl */ + crl = parse_crl(serial_numbers[_i].crl_encoding); + + /* check parsed serial number */ + x509_crl = (crl_t*)crl; + ck_assert_chunk_eq(x509_crl->get_serial(x509_crl), serial_numbers[_i].serial); + + enumerator = x509_crl->create_enumerator(x509_crl); + if (enumerator->enumerate(enumerator, &serial, NULL, NULL)) + { + ck_assert_chunk_eq(serial, serial_numbers[_i].serial); + } + enumerator->destroy(enumerator); + + crl->destroy(crl); +} +END_TEST + +Suite *serial_parse_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("serial_parse"); + + tc = tcase_create("parse serial numbers"); + tcase_add_loop_test(tc, test_parse_serial_numbers, 0, countof(serial_numbers)); + suite_add_tcase(s, tc); + + return s; +} diff -Nru strongswan-5.9.8/src/libstrongswan/tests/tests.h strongswan-5.9.11/src/libstrongswan/tests/tests.h --- strongswan-5.9.8/src/libstrongswan/tests/tests.h 2022-07-19 12:14:08.000000000 +0000 +++ 
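Review bot: In test_parse_serial_numbers the revoked-entry check is wrapped in `if (enumerator->enumerate(enumerator, &serial, NULL, NULL))`, so a CRL whose revokedCertificates list fails to parse passes the test without asserting anything about the revoked serial. Every crl_encoding in serial_numbers carries exactly one revoked entry (the `0x30,0x22,0x30,0x20,0x02,0x01,...` and `0x30,0x23,0x30,0x21,0x02,0x02,0x00,0x80` sequences), so the enumeration is expected to yield; `ck_assert(enumerator->enumerate(enumerator, &serial, NULL, NULL));` followed by `ck_assert_chunk_eq(serial, serial_numbers[_i].serial);` pins that, as the canonical-encoding path of test_gen_serial_numbers already does. The same silent `if` pattern appears in the two's-complement half of test_gen_serial_numbers, whose hunk begins outside this view.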
strongswan-5.9.11/src/libstrongswan/tests/tests.h 2023-03-27 21:00:49.000000000 +0000
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2022 Andreas Steffen
  *
  * Copyright (C) secunet Security Networks AG
  *
@@ -42,6 +43,8 @@
 TEST_SUITE_DEPEND(rsa_oaep_sha512_suite_create, PRIVKEY_DECRYPT, ENCRYPT_RSA_OAEP_SHA512)
 TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509)
 TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509)
+TEST_SUITE_DEPEND(serial_gen_suite_create, CERT_ENCODE, CERT_X509)
+TEST_SUITE(serial_parse_suite_create)
 TEST_SUITE(host_suite_create)
 TEST_SUITE(printf_suite_create)
 TEST_SUITE(auth_cfg_suite_create)
diff -Nru strongswan-5.9.8/src/libstrongswan/threading/thread.c strongswan-5.9.11/src/libstrongswan/threading/thread.c
--- strongswan-5.9.8/src/libstrongswan/threading/thread.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/threading/thread.c 2023-03-27 21:00:49.000000000 +0000
@@ -306,7 +306,11 @@
 
 /**
  * Main function wrapper for threads.
+ *
+ * Excluded from AddressSanitizer because some newer versions have an issue that
+ * causes an "AddressSanitizer CHECK failed" error for canceled threads.
  */
+ADDRESS_SANITIZER_EXCLUDE
 static void *thread_main(private_thread_t *this)
 {
 	void *res;
diff -Nru strongswan-5.9.8/src/libstrongswan/threading/windows/thread.c strongswan-5.9.11/src/libstrongswan/threading/windows/thread.c
--- strongswan-5.9.8/src/libstrongswan/threading/windows/thread.c 2022-06-29 13:00:45.000000000 +0000
+++ strongswan-5.9.11/src/libstrongswan/threading/windows/thread.c 2023-03-27 21:00:49.000000000 +0000
@@ -637,6 +637,12 @@
 	private_thread_t *this;
 	bool old;
 
+	/* ignore this if called for the thread that called threads_deinit() */
+	if (!threads_lock)
+	{
+		return;
+	}
+
 	old = set_leak_detective(FALSE);
 	threads_lock->lock(threads_lock);
 
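Review bot: `TEST_SUITE(serial_parse_suite_create)` registers the parse suite unconditionally, while its sibling on the line above is gated with `TEST_SUITE_DEPEND(serial_gen_suite_create, CERT_ENCODE, CERT_X509)`. The parse suite's fixtures call `lib->creds->create(..., CERT_X509, BUILD_BLOB_ASN1_DER, ...)` and `ck_assert(cert)`, so in a build without an X.509 parser the suite fails on the missing plugin instead of being skipped like the encode-dependent suites. If the feature enum has a decode counterpart to `CERT_ENCODE` (I believe `CERT_DECODE` exists), `TEST_SUITE_DEPEND(serial_parse_suite_create, CERT_DECODE, CERT_X509)` would follow the existing pattern; if not, a comment on why this suite is ungated would help.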
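Review bot: The new `if (!threads_lock)` guard reads the global without synchronization, and `threads_lock` is only cleared by threads_deinit() (`threads_lock = NULL;` in the following hunk, after `threads_lock->destroy(threads_lock)` has already run). The check is therefore only sound if no thread other than the one calling threads_deinit() can still enter this function after deinit has started; the added comment states the intent for the deinit thread but not that ordering assumption, and a reader has no way to confirm it from here. Suggest extending the comment, e.g. `/* threads_lock is NULL once threads_deinit() has run; only the thread that called it may still reach this cleanup */`. The enclosing function starts outside the hunk.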
@@ -698,5 +704,6 @@ destroy(this); threads_lock->destroy(threads_lock); + threads_lock = NULL; threads->destroy(threads); } diff -Nru strongswan-5.9.8/src/libstrongswan/utils/backtrace.c strongswan-5.9.11/src/libstrongswan/utils/backtrace.c --- strongswan-5.9.8/src/libstrongswan/utils/backtrace.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/backtrace.c 2023-03-27 21:00:49.000000000 +0000 @@ -15,23 +15,20 @@ */ #define _GNU_SOURCE +#include #ifdef HAVE_BACKTRACE -# include +#include #endif /* HAVE_BACKTRACE */ + +#ifdef WIN32 +#include +#include #ifdef HAVE_DBGHELP -# include -# include -# include +#include #endif /* HAVE_DBGHELP */ -#include -#include "backtrace.h" - -#include - -#ifdef WIN32 -# include +#include /* missing in MinGW */ #ifdef WIN64 #ifndef GetModuleInformation @@ -47,6 +44,10 @@ #endif /* WIN64 */ #endif +#include "backtrace.h" + +#include + typedef struct private_backtrace_t private_backtrace_t; /** @@ -97,6 +98,9 @@ va_end(args); } +#if ((defined(HAVE_BACKTRACE) || defined(HAVE_LIBUNWIND_H)) && \ + defined(HAVE_DLADDR)) || defined(WIN32) + /** * Same as tty_escape_get(), but for a potentially NULL FILE* */ @@ -109,6 +113,8 @@ return ""; } +#endif /* HAVE_BACKTRACE/HAVE_LIBUNWIND_H/WIN32 */ + #ifdef HAVE_DBGHELP #include @@ -201,10 +207,16 @@ bfd_entry_t *entry; /** backtrace address */ bfd_vma vma; - /** stream to log to */ - FILE *file; - /** TRUE if complete */ + /** TRUE if address found */ bool found; + /** optional stream to log to */ + FILE *file; + /** optional list of function names to match */ + char **list; + /** optional number of names in list */ + int count; + /** TRUE if found function name is in list */ + bool in_list; } bfd_find_data_t; /** 
@@ -231,6 +243,15 @@
 }
 
 /**
+ * Do not print internal errors by libbfd as we get quite a lot of
+ * "DWARF error: could not find variable specification" messages when running
+ * against Ubuntu 20.04's libcrypto (same with addr2line and still in 22.10).
+ */
+void suppress_bfd_errors (const char *fmt, va_list args)
+{
+}
+
+/**
  * See header.
  */
 void backtrace_init()
@@ -239,6 +260,7 @@
 	bfds = hashtable_create((hashtable_hash_t)bfd_hash,
 							(hashtable_equals_t)bfd_equals, 8);
 	bfd_mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+	bfd_set_error_handler(suppress_bfd_errors);
 }
 
 /**
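Review bot: `void suppress_bfd_errors (const char *fmt, va_list args)` is defined with external linkage and a space before the parameter list, unlike the other file-local helpers here, and it exports a generic symbol name from libstrongswan for no reason; `static void suppress_bfd_errors(const char *fmt, va_list args)` is enough for `bfd_set_error_handler(suppress_bfd_errors)` in the second hunk. Its signature also has to match libbfd's `bfd_error_handler_type`, which I believe changed from a variadic `(const char *, ...)` to `(const char *, va_list)` between binutils releases, so a comment stating which binutils signature is assumed would save the next person a build break. The comment above it names only the DWARF message, but the handler swallows every libbfd diagnostic; worth saying so explicitly.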
@@ -273,39 +295,56 @@
 	const char *function;
 	char fbuf[512] = "", sbuf[512] = "";
 	u_int line;
+	int i;
 
-	if (!data->found || (get_section_flags(abfd, section) & SEC_ALLOC) != 0)
+	if (data->found || (get_section_flags(abfd, section) & SEC_ALLOC) == 0)
+	{
+		return;
+	}
+	vma = get_section_vma(abfd, section);
+	if (data->vma < vma)
 	{
-		vma = get_section_vma(abfd, section);
-		if (data->vma >= vma)
+		return;
+	}
+	size = get_section_size(section);
+	if (data->vma >= vma + size)
+	{
+		return;
+	}
+
+	data->found = bfd_find_nearest_line(abfd, section, data->entry->syms,
+										data->vma - vma, &source, &function,
+										&line);
+	if (!data->found)
+	{
+		return;
+	}
+	if (data->count && function)
+	{
+		for (i = 0; i < data->count; i++)
 		{
-			size = get_section_size(section);
-			if (data->vma < vma + size)
+			if (streq(function, data->list[i]))
 			{
-				data->found = bfd_find_nearest_line(abfd, section,
-													data->entry->syms, data->vma - vma,
-													&source, &function, &line);
-				if (data->found)
-				{
-					if (source || function)
-					{
-						if (function)
-						{
-							snprintf(fbuf, sizeof(fbuf), "%s%s() ",
-									 esc(data->file, TTY_FG_BLUE), function);
-						}
-						if (source)
-						{
-							snprintf(sbuf, sizeof(sbuf), "%s@ %s:%d",
-									 esc(data->file, TTY_FG_GREEN), source, line);
-						}
-						println(data->file, " -> %s%s%s", fbuf, sbuf,
-								esc(data->file, TTY_FG_DEF));
-					}
-				}
+				data->in_list = TRUE;
+				break;
 			}
 		}
 	}
+	else if (data->file && (source || function))
+	{
+		if (function)
+		{
+			snprintf(fbuf, sizeof(fbuf), "%s%s() ",
+					 esc(data->file, TTY_FG_BLUE), function);
+		}
+		if (source)
+		{
+			snprintf(sbuf, sizeof(sbuf), "%s@ %s:%d",
+					 esc(data->file, TTY_FG_GREEN), source, line);
+		}
+		println(data->file, " -> %s%s%s", fbuf, sbuf,
+				esc(data->file, TTY_FG_DEF));
+	}
 }
 
 /**
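Review bot: find_addr now serves two callers with different contracts, printing to `data->file` or matching `function` against `data->list`, and which one runs is decided implicitly by `data->count`; nothing in the hunk documents this, and the function's header comment is outside the hunk. Suggest a comment above `if (data->count && function)`: `/* list mode: report a match via data->in_list; otherwise print mode, if a stream was given */`. Note also that when `data->count` is set but libbfd returns no function name, control falls into the print branch, which is a no-op only because list-mode callers leave `data->file` NULL; that coupling deserves a word in the same comment.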
@@ -374,15 +413,11 @@ } /** - * Print the source file with line number to file, libbfd variant + * Lookup the given address */ -static void print_sourceline(FILE *file, char *filename, void *ptr, void *base) +static void lookup_addr(char *filename, bfd_find_data_t *data) { bfd_entry_t *entry; - bfd_find_data_t data = { - .file = file, - .vma = (uintptr_t)ptr, - }; bool old = FALSE; bfd_mutex->lock(bfd_mutex); @@ -393,8 +428,8 @@ entry = get_bfd_entry(filename); if (entry) { - data.entry = entry; - bfd_map_over_sections(entry->abfd, (void*)find_addr, &data); + data->entry = entry; + bfd_map_over_sections(entry->abfd, (void*)find_addr, data); } if (lib && lib->leak_detective) { @@ -403,11 +438,42 @@ bfd_mutex->unlock(bfd_mutex); } +/** + * Print the source file with line number to file, libbfd variant + */ +static void print_sourceline(FILE *file, char *filename, void *ptr, void *base) +{ + bfd_find_data_t data = { + .file = file, + .vma = (uintptr_t)ptr, + }; + + lookup_addr(filename, &data); +} + +/** + * Check if the function name of the source line is in the given list + */ +static bool contains_function_bfd(char *filename, void *ptr, char *list[], + int count) +{ + bfd_find_data_t data = { + .vma = (uintptr_t)ptr, + .list = list, + .count = count, + }; + + lookup_addr(filename, &data); + return data.in_list; +} + #else /* !HAVE_BFD_H */ void backtrace_init() {} void backtrace_deinit() {} +#if defined(HAVE_BACKTRACE) || defined(HAVE_LIBUNWIND_H) || defined(WIN32) + /** * Print the source file with line number to file, slow addr2line variant */ @@ -444,6 +510,8 @@ } } +#endif /* HAVE_BACKTRACE/HAVE_LIBUNWIND_H/WIN32 */ + #endif /* HAVE_BFD_H */ #else /* !HAVE_DLADDR && !HAVE_DBGHELP */ @@ -572,7 +640,7 @@ #endif /* HAVE_BFD_H */ } else -#endif /* HAVE_DLADDR/HAVE_DBGHELP */ +#endif /* HAVE_DLADDR/HAVE_DBGHELP/WIN32 */ { #ifdef HAVE_BACKTRACE if (!strings) 
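Review bot: `contains_function_bfd()` takes `ptr` as a bfd VMA but nothing says in which address space, while its only caller subtracts `dli_fbase` for shared objects before passing it; a doc line `@param ptr address to look up, relative to the load base for shared objects` would stop the next caller from passing an absolute address. The `(void*)find_addr` cast handed to `bfd_map_over_sections()` hides any mismatch with bfd's callback prototype; a correctly typed wrapper would let the compiler check it. The `base` parameter of the bfd `print_sourceline()` is now unused and presumably kept for parity with the addr2line variant, which deserves a one-line comment.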
@@ -609,15 +677,34 @@ { Dl_info info; - if (dladdr(this->frames[i], &info) && info.dli_sname) + if (dladdr(this->frames[i], &info)) { - for (j = 0; j < count; j++) + if (info.dli_sname) { - if (streq(info.dli_sname, function[j])) + for (j = 0; j < count; j++) + { + if (streq(info.dli_sname, function[j])) + { + return TRUE; + } + } + } +#ifdef HAVE_BFD_H + else if (info.dli_fname[0]) + { + void *ptr = this->frames[i]; + + if (strstr(info.dli_fname, ".so")) + { + ptr = (void*)(this->frames[i] - info.dli_fbase); + } + if (contains_function_bfd((char*)info.dli_fname, ptr, + function, count)) { return TRUE; } } +#endif /* HAVE_BFD_H */ } } #elif defined(HAVE_DBGHELP) diff -Nru strongswan-5.9.8/src/libstrongswan/utils/compat/windows.h strongswan-5.9.11/src/libstrongswan/utils/compat/windows.h --- strongswan-5.9.8/src/libstrongswan/utils/compat/windows.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/compat/windows.h 2023-03-27 21:00:49.000000000 +0000 @@ -366,7 +366,7 @@ /** * recvfrom(2) with support for MSG_DONTWAIT */ -#define sendto windows_send +#define sendto windows_sendto ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags, const struct sockaddr *dest_addr, socklen_t addrlen); diff -Nru strongswan-5.9.8/src/libstrongswan/utils/debug.h strongswan-5.9.11/src/libstrongswan/utils/debug.h --- strongswan-5.9.8/src/libstrongswan/utils/debug.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/debug.h 2023-06-08 10:35:17.000000000 +0000 
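Review bot: The bfd fallback only runs when `info.dli_sname` is NULL, but dladdr() reports the nearest preceding dynamic symbol, so a frame inside a static function that follows an exported one gets that exported name, fails the `streq()` loop and is never re-checked through libbfd. I would drop the `else` and fall through to the bfd lookup whenever the name loop finds no match, i.e. `if (info.dli_fname && info.dli_fname[0])` after the loop. The `strstr(info.dli_fname, ".so")` test is a heuristic: a PIE main executable also has a non-zero `dli_fbase`, and the substring matches directory names containing `.so`; comparing against the executable's own base or checking the ELF type would be more robust. The `(char*)` cast discards the const of `dli_fname`; `contains_function_bfd()` could take `const char *` instead.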
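Review bot: The comment above the repaired `#define sendto windows_sendto` still reads `recvfrom(2) with support for MSG_DONTWAIT`; it should read `sendto(2) with support for MSG_DONTWAIT` so the doc matches the macro below it. The fix itself matters, as the old mapping routed every sendto() call through windows_send(), presumably with a different parameter list, and deserves a changelog entry.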
@@ -140,6 +140,11 @@ # define DBG4(...) {} #endif +/** mark variables that are only used in DBG statements */ +#ifndef DBG_UNUSED +# define DBG_UNUSED __attribute__((unused)) +#endif + /** dbg function hook, uses dbg_default() by default */ extern void (*dbg) (debug_t group, level_t level, char *fmt, ...); diff -Nru strongswan-5.9.8/src/libstrongswan/utils/enum.c strongswan-5.9.11/src/libstrongswan/utils/enum.c --- strongswan-5.9.8/src/libstrongswan/utils/enum.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/enum.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,4 +1,5 @@ /* + * Copyright (C) 2023 Tobias Brunner * Copyright (C) 2006 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -23,6 +24,49 @@ #include "enum.h" +/* + * Described in header + */ +void enum_add_enum_names(enum_name_t *e, enum_name_t *names) +{ + if (e) + { + do + { + if (!e->next) + { + e->next = names; + break; + } + else if (e->next == names) + { + break; + } + } + while ((e = e->next)); + } +} + +/* + * Described in header + */ +void enum_remove_enum_names(enum_name_t *e, enum_name_t *names) +{ + if (e) + { + do + { + if (e->next == names) + { + e->next = names->next; + names->next = NULL; + break; + } + } + while ((e = e->next)); + } +} + /** * See header. */ diff -Nru strongswan-5.9.8/src/libstrongswan/utils/enum.h strongswan-5.9.11/src/libstrongswan/utils/enum.h --- strongswan-5.9.8/src/libstrongswan/utils/enum.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/enum.h 2023-03-27 21:00:49.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2019 Tobias Brunner + * Copyright (C) 2009-2023 Tobias Brunner * Copyright (C) 2006-2008 Martin Willi * * Copyright (C) secunet Security Networks AG 
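Review bot: `enum_add_enum_names()` links `names` at the tail without inspecting `names->next`, so a block that is still chained into another list splices that whole chain into `e` as well, and adding a block to itself (`e == names`) turns `names->next = names` into a cycle that every later walk of the list spins on. If a single block is the intended unit, guard the precondition before the loop, e.g. `if (!e || e == names || names->next) return;`, and state in the header that `names` must be unlinked. Neither walk is synchronised, so the single-threaded note from the header is worth repeating above both functions.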
@@ -141,6 +141,41 @@ ENUM_FLAG_MAGIC, { unset, __VA_ARGS__ }}; ENUM_END(name, last) /** + * Define a static enum name that can be added and removed to an existing list + * via enum_add_enum_names() and enum_remove_enum_names(), respectively. + * + * @param name name of the static enum_name element + * @param first enum value of the first enum string + * @param last enum value of the last enum string + * @param ... a list of strings + */ +#define ENUM_EXT(name, first, last, ...) \ + ENUM_BEGIN(name, first, last, __VA_ARGS__); static ENUM_END(name, last) + +/** + * Register enum names for additional enum values with an existing enum name. + * + * @note Must be called while running single-threaded, e.g. when plugins and + * their features are loaded. Use enum_remove_enum_names() to remove the names + * during deinitialization. + * + * @param e enum names to add new names to + * @param names additional enum names + */ +void enum_add_enum_names(enum_name_t *e, enum_name_t *names); + +/** + * Remove previously registered enum names. + * + * @note Must be called while running single-threaded, e.g. when plugins and + * their features are unloaded. + * + * @param e enum names to remove previously added names from + * @param names additional enum names to remove + */ +void enum_remove_enum_names(enum_name_t *e, enum_name_t *names); + +/** * Convert a enum value to its string representation. * * @param e enum names for this enum value diff -Nru strongswan-5.9.8/src/libstrongswan/utils/leak_detective.c strongswan-5.9.11/src/libstrongswan/utils/leak_detective.c --- strongswan-5.9.8/src/libstrongswan/utils/leak_detective.c 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/leak_detective.c 2023-05-06 07:16:02.000000000 +0000 @@ -541,6 +541,7 @@ "tzset", "_IO_file_doallocate", "selinux_check_access", + "on_exit", /* ignore dlopen, as we do not dlclose to get proper leak reports */ "dlopen", "dlerror", 
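Review bot: The ENUM_EXT description says the names "can be added and removed to an existing list"; `added to and removed from an existing list` reads correctly. The `@note` on `enum_add_enum_names()` should also state that `names` must not currently be linked into another list and must not be `e` itself, because the implementation links by pointer without checking either case.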
@@ -599,6 +600,7 @@ "RAND_DRBG_get0_private", "RAND_DRBG_get0_public", /* OpenSSL 3.0 caches even more static stuff */ + "evp_generic_fetch_from_prov", "ERR_set_debug", "ERR_set_error", "EVP_DigestSignInit", @@ -611,6 +613,7 @@ "EVP_CIPHER_fetch", "EVP_KDF_fetch", "EVP_KEYEXCH_fetch", + "EVP_KEYMGMT_do_all_provided", "EVP_KEYMGMT_fetch", "EVP_MAC_fetch", "EVP_MD_fetch", diff -Nru strongswan-5.9.8/src/libstrongswan/utils/lexparser.h strongswan-5.9.11/src/libstrongswan/utils/lexparser.h --- strongswan-5.9.8/src/libstrongswan/utils/lexparser.h 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/lexparser.h 2023-03-27 21:00:49.000000000 +0000 @@ -60,11 +60,6 @@ err_t extract_value(chunk_t *value, chunk_t *line); /** - * extracts a name: value pair from a text line - */ -err_t extract_name_value(chunk_t *name, chunk_t *value, chunk_t *line); - -/** * extracts a parameter: value from a text line */ err_t extract_parameter_value(chunk_t *name, chunk_t *value, chunk_t *line); diff -Nru strongswan-5.9.8/src/libstrongswan/utils/utils.c strongswan-5.9.11/src/libstrongswan/utils/utils.c --- strongswan-5.9.8/src/libstrongswan/utils/utils.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/utils.c 2023-03-27 21:00:49.000000000 +0000 @@ -111,6 +111,14 @@ sigint_cond->destroy(sigint_cond); } +/** + * Windows variant + */ +void send_sigint() +{ + handler(CTRL_C_EVENT); +} + #else /* !WIN32 */ /** @@ -131,6 +139,14 @@ } } +/** + * Unix variant + */ +void send_sigint() +{ + kill(0, SIGINT); +} + #ifndef HAVE_SIGWAITINFO int sigwaitinfo(const sigset_t *set, void *info) { diff -Nru strongswan-5.9.8/src/libstrongswan/utils/utils.h strongswan-5.9.11/src/libstrongswan/utils/utils.h --- strongswan-5.9.8/src/libstrongswan/utils/utils.h 2022-09-17 15:42:38.000000000 +0000 +++ strongswan-5.9.11/src/libstrongswan/utils/utils.h 2023-03-27 21:00:49.000000000 +0000 
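Review bot: The Unix `send_sigint()` calls `kill(0, SIGINT)`, which signals the whole process group rather than the current process the header promises; when the daemon or a test binary runs under a shell, a service manager or a test harness, every sibling in the group receives the SIGINT too. `kill(getpid(), SIGINT)` targets only this process and, unlike `raise()`, is process-directed, so it is picked up by whichever thread wait_sigint() has blocking in sigwaitinfo(). The Windows variant calls `handler()` directly, presumably the console control handler defined earlier in the file, which is outside this hunk.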
@@ -237,6 +237,12 @@ */ void wait_sigint(); +/** + * Portable function to send a SIGINT/SIGTERM (or equivalent) to the current + * process to exit the above function. + */ +void send_sigint(); + #ifndef HAVE_CLOSEFROM /** * Close open file descriptors greater than or equal to lowfd. diff -Nru strongswan-5.9.8/src/libtls/Makefile.in strongswan-5.9.11/src/libtls/Makefile.in --- strongswan-5.9.8/src/libtls/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtls/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -491,7 +491,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtls/tests/Makefile.in strongswan-5.9.11/src/libtls/tests/Makefile.in --- strongswan-5.9.8/src/libtls/tests/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtls/tests/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -431,7 +431,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtls/tls.c strongswan-5.9.11/src/libtls/tls.c --- strongswan-5.9.8/src/libtls/tls.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtls/tls.c 2023-03-27 21:00:49.000000000 +0000 
@@ -569,7 +569,11 @@ METHOD(tls_t, get_eap_msk, chunk_t, private_tls_t *this) { - return this->crypto->get_eap_msk(this->crypto); + if (this->handshake->finished(this->handshake)) + { + return this->crypto->get_eap_msk(this->crypto); + } + return chunk_empty; } METHOD(tls_t, get_auth, auth_cfg_t*, diff -Nru strongswan-5.9.8/src/libtls/tls_crypto.c strongswan-5.9.11/src/libtls/tls_crypto.c --- strongswan-5.9.8/src/libtls/tls_crypto.c 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/libtls/tls_crypto.c 2023-03-27 21:00:49.000000000 +0000 @@ -2312,11 +2312,27 @@ /* EAP-MSK */ if (this->msk_label) { + uint8_t type; + + switch (this->tls->get_purpose(this->tls)) + { + case TLS_PURPOSE_EAP_TLS: + type = EAP_TLS; + break; + case TLS_PURPOSE_EAP_PEAP: + type = EAP_PEAP; + break; + case TLS_PURPOSE_EAP_TTLS: + type = EAP_TTLS; + break; + default: + return FALSE; + } /* because the length is encoded when expanding key material, we - * request the same number of bytes as FreeRADIUS (the first 64 for - * the MSK, the next for the EMSK, which we just ignore) */ - if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty, - this->handshake, 128, &this->msk)) + * request MSK and EMSK even if we don't use the latter */ + if (!this->hkdf->export(this->hkdf, "EXPORTER_EAP_TLS_Key_Material", + chunk_from_thing(type), this->handshake, 128, + &this->msk)) { return FALSE; } diff -Nru strongswan-5.9.8/src/libtls/tls_eap.c strongswan-5.9.11/src/libtls/tls_eap.c --- strongswan-5.9.8/src/libtls/tls_eap.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtls/tls_eap.c 2023-06-08 10:35:17.000000000 +0000 @@ -210,7 +210,7 @@ eap_tls_packet_t *pkt; size_t len, reclen, msg_len_offset; status_t status; - char *kind; + char *kind DBG_UNUSED; if (this->is_server) { 
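Review bot: Gating `get_eap_msk()` on `handshake->finished()` is the right fix, since the MSK is derived from the transcript and must not reach EAP before the peer has been authenticated; the header doc for this method, outside the hunk, should say that `chunk_empty` is returned until the handshake completes so callers do not mistake it for a derivation failure. If `finished()` can also be true after a failed or aborted handshake, callers still have to check the TLS status before using the key.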
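Review bot: The new `default:` branch fails key derivation for any other purpose that has `msk_label` set, and does so silently; a `DBG1(DBG_TLS, "no EAP type code for TLS purpose %d", this->tls->get_purpose(this->tls));` there would save a debugging session. With the label hard-coded to `"EXPORTER_EAP_TLS_Key_Material"` and the type code passed as context, `this->msk_label` now only acts as a flag, so if it still carries a per-method label set elsewhere that value is dead and a comment or a rename to a bool would avoid confusion. The single-octet `type` matches the RFC 9190 Type-Code context, but the assignments from the `EAP_*` enum truncate to `uint8_t`, which is correct only while those values stay below 256.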
@@ -369,6 +369,9 @@ } else { + /* note that with TLS 1.3 the client sends an empty EAP packet after the + * server sent the "protected success indication" over the TLS + * connection, which is interpreted here as an ACK packet */ if (in.len == sizeof(eap_tls_packet_t)) { DBG2(DBG_TLS, "received %N acknowledgment packet", diff -Nru strongswan-5.9.8/src/libtls/tls_fragmentation.c strongswan-5.9.11/src/libtls/tls_fragmentation.c --- strongswan-5.9.8/src/libtls/tls_fragmentation.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtls/tls_fragmentation.c 2023-06-08 10:35:17.000000000 +0000 @@ -230,7 +230,6 @@ while (reader->remaining(reader)) { status_t status; - chunk_t data; if (reader->remaining(reader) > TLS_MAX_FRAGMENT_LEN) { @@ -238,8 +237,10 @@ this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); return NEED_MORE; } - data = reader->peek(reader); +#if DEBUG_LEVEL >= 3 + chunk_t data = reader->peek(reader); DBG3(DBG_TLS, "%B", &data); +#endif status = this->application->process(this->application, reader); switch (status) { diff -Nru strongswan-5.9.8/src/libtls/tls_peer.c strongswan-5.9.11/src/libtls/tls_peer.c --- strongswan-5.9.8/src/libtls/tls_peer.c 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/libtls/tls_peer.c 2023-06-08 10:35:17.000000000 +0000 @@ -1112,7 +1112,7 @@ METHOD(tls_handshake_t, process, status_t, private_tls_peer_t *this, tls_handshake_type_t type, bio_reader_t *reader) { - tls_handshake_type_t expected; + tls_handshake_type_t expected DBG_UNUSED; if (this->tls->get_version_max(this->tls) < TLS_1_3) { diff -Nru strongswan-5.9.8/src/libtls/tls_server.c strongswan-5.9.11/src/libtls/tls_server.c --- strongswan-5.9.8/src/libtls/tls_server.c 2022-09-06 19:15:43.000000000 +0000 +++ strongswan-5.9.11/src/libtls/tls_server.c 2023-06-08 10:35:17.000000000 +0000 
@@ -183,11 +183,11 @@ cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT); if (cert) { - public = cert->get_public_key(cert); - if (public) + current = cert->get_public_key(cert); + if (current) { - key_type = public->get_type(public); - public->destroy(public); + key_type = current->get_type(current); + current->destroy(current); } enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, key_type, id, peer_auth, TRUE); @@ -1042,7 +1042,7 @@ METHOD(tls_handshake_t, process, status_t, private_tls_server_t *this, tls_handshake_type_t type, bio_reader_t *reader) { - tls_handshake_type_t expected; + tls_handshake_type_t expected DBG_UNUSED; if (this->tls->get_version_max(this->tls) < TLS_1_3) { diff -Nru strongswan-5.9.8/src/libtnccs/Makefile.in strongswan-5.9.11/src/libtnccs/Makefile.in --- strongswan-5.9.8/src/libtnccs/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/Makefile.in 2023-06-12 05:50:44.000000000 +0000 @@ -490,7 +490,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnccs_11/Makefile.in strongswan-5.9.11/src/libtnccs/plugins/tnccs_11/Makefile.in --- strongswan-5.9.8/src/libtnccs/plugins/tnccs_11/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnccs_11/Makefile.in 2023-06-12 05:50:45.000000000 +0000 
@@ -454,7 +454,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnccs_11/tnccs_11.c strongswan-5.9.11/src/libtnccs/plugins/tnccs_11/tnccs_11.c --- strongswan-5.9.8/src/libtnccs/plugins/tnccs_11/tnccs_11.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnccs_11/tnccs_11.c 2023-06-08 10:35:17.000000000 +0000 @@ -277,15 +277,15 @@ } case TNCCS_MSG_ERROR: { - tnccs_error_msg_t *err_msg; +#if DEBUG_LEVEL >= 1 + tnccs_error_msg_t *err_msg = (tnccs_error_msg_t*)msg; tnccs_error_type_t error_type; char *error_msg; - err_msg = (tnccs_error_msg_t*)msg; error_msg = err_msg->get_message(err_msg, &error_type); DBG1(DBG_TNC, "received '%N' TNCCS-Error: %s", tnccs_error_type_names, error_type, error_msg); - +#endif /* we assume that all errors are fatal */ this->fatal_error = TRUE; break; @@ -305,6 +305,7 @@ } case TNCCS_MSG_REASON_STRINGS: { +#if DEBUG_LEVEL >= 2 tnccs_reason_strings_msg_t *reason_msg; chunk_t reason_string, reason_lang; @@ -314,6 +315,7 @@ reason_string.ptr); DBG2(DBG_TNC, "language code is '%.*s'", (int)reason_lang.len, reason_lang.ptr); +#endif break; } default: diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c strongswan-5.9.11/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c --- strongswan-5.9.8/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c 2023-06-08 10:35:17.000000000 +0000 @@ -141,9 +141,7 @@ METHOD(pb_tnc_batch_t, add_msg, bool, private_pb_tnc_batch_t *this, pb_tnc_msg_t* msg) { - enum_name_t *msg_type_names; chunk_t msg_value; - pen_type_t msg_type; size_t msg_len; msg->build(msg); 
@@ -157,7 +155,10 @@ } this->batch_len += msg_len; - msg_type = msg->get_type(msg); +#if DEBUG_LEVEL >= 2 + pen_type_t msg_type = msg->get_type(msg); + enum_name_t *msg_type_names; + switch (msg_type.vendor_id) { default: @@ -173,6 +174,7 @@ } DBG2(DBG_TNC, "adding %N/%N message", pen_names, msg_type.vendor_id, msg_type_names, msg_type.type); +#endif this->messages->insert_last(this->messages, msg); return TRUE; } @@ -329,7 +331,7 @@ uint32_t vendor_id, msg_type, msg_len, offset; chunk_t data, msg_value; bool noskip_flag; - enum_name_t *msg_type_names; + enum_name_t *msg_type_names DBG_UNUSED; pen_type_t msg_pen_type; status_t status; diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnccs_20/Makefile.in strongswan-5.9.11/src/libtnccs/plugins/tnccs_20/Makefile.in --- strongswan-5.9.8/src/libtnccs/plugins/tnccs_20/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnccs_20/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -465,7 +465,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c strongswan-5.9.11/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c --- strongswan-5.9.8/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c 2023-06-08 10:35:17.000000000 +0000 @@ -274,6 +274,7 @@ } case PB_MSG_ASSESSMENT_RESULT: { +#if DEBUG_LEVEL >= 1 pb_assessment_result_msg_t *assess_msg; uint32_t result; @@ -281,6 +282,7 @@ result = assess_msg->get_assessment_result(assess_msg); DBG1(DBG_TNC, "PB-TNC assessment result is '%N'", TNC_IMV_Evaluation_Result_names, result); +#endif break; } case PB_MSG_ACCESS_RECOMMENDATION: 
@@ -312,7 +314,7 @@ { pb_remediation_parameters_msg_t *rem_msg; pen_type_t parameters_type; - chunk_t parameters, string, lang_code; + chunk_t parameters DBG_UNUSED, string DBG_UNUSED, lang_code; rem_msg = (pb_remediation_parameters_msg_t*)msg; parameters_type = rem_msg->get_parameters_type(rem_msg); @@ -347,6 +349,7 @@ break; case PB_MSG_REASON_STRING: { +#if DEBUG_LEVEL >= 1 pb_reason_string_msg_t *reason_msg; chunk_t reason_string, language_code; @@ -356,6 +359,7 @@ DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]", (int)reason_string.len, reason_string.ptr, (int)language_code.len, language_code.ptr); +#endif break; } default: diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnccs_dynamic/Makefile.in strongswan-5.9.11/src/libtnccs/plugins/tnccs_dynamic/Makefile.in --- strongswan-5.9.8/src/libtnccs/plugins/tnccs_dynamic/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnccs_dynamic/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c strongswan-5.9.11/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c --- strongswan-5.9.8/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c 2023-03-27 21:00:49.000000000 +0000 
@@ -85,7 +85,7 @@ * defined by section 3.5 "Interoperability with older IF-TNCCS versions" of * the TCG TNC IF-TNCCS TLV Bindings Version 2.0 standard. */ -tnccs_type_t determine_tnccs_protocol(char version) +static tnccs_type_t determine_tnccs_protocol(char version) { switch (version) { diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnc_imc/Makefile.in strongswan-5.9.11/src/libtnccs/plugins/tnc_imc/Makefile.in --- strongswan-5.9.8/src/libtnccs/plugins/tnc_imc/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnc_imc/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -437,7 +437,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnc_imv/Makefile.in strongswan-5.9.11/src/libtnccs/plugins/tnc_imv/Makefile.in --- strongswan-5.9.8/src/libtnccs/plugins/tnc_imv/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnc_imv/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -439,7 +439,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtnccs/plugins/tnc_tnccs/Makefile.in strongswan-5.9.11/src/libtnccs/plugins/tnc_tnccs/Makefile.in --- strongswan-5.9.8/src/libtnccs/plugins/tnc_tnccs/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/plugins/tnc_tnccs/Makefile.in 2023-06-12 05:50:45.000000000 +0000 
@@ -436,7 +436,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtnccs/tnc/tnccs/tnccs.h strongswan-5.9.11/src/libtnccs/tnc/tnccs/tnccs.h --- strongswan-5.9.8/src/libtnccs/tnc/tnccs/tnccs.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtnccs/tnc/tnccs/tnccs.h 2023-03-27 21:00:49.000000000 +0000 @@ -169,8 +169,9 @@ /** * Callback function adding a message to a TNCCS batch * + * @param tnccs TNCCS context * @param imc_id ID of IMC or TNC_IMCID_ANY - * @param imc_id ID of IMV or TNC_IMVID_ANY + * @param imv_id ID of IMV or TNC_IMVID_ANY * @param msg_flags message flags * @param msg message to be added * @param msg_len message length @@ -178,7 +179,7 @@ * @param msg_subtype message subtype * @return return code */ -typedef TNC_Result (*tnccs_send_message_t)(tnccs_t* tncss, +typedef TNC_Result (*tnccs_send_message_t)(tnccs_t* tnccs, TNC_IMCID imc_id, TNC_IMVID imv_id, TNC_UInt32 msg_flags, diff -Nru strongswan-5.9.8/src/libtncif/Makefile.in strongswan-5.9.11/src/libtncif/Makefile.in --- strongswan-5.9.8/src/libtncif/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtncif/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -399,7 +399,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtpmtss/Makefile.in strongswan-5.9.11/src/libtpmtss/Makefile.in --- strongswan-5.9.8/src/libtpmtss/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtpmtss/Makefile.in 2023-06-12 05:50:45.000000000 +0000 
@@ -484,7 +484,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtpmtss/plugins/tpm/Makefile.in strongswan-5.9.11/src/libtpmtss/plugins/tpm/Makefile.in --- strongswan-5.9.8/src/libtpmtss/plugins/tpm/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/libtpmtss/plugins/tpm/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/libtpmtss/tpm_tss_trousers.c strongswan-5.9.11/src/libtpmtss/tpm_tss_trousers.c --- strongswan-5.9.8/src/libtpmtss/tpm_tss_trousers.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtpmtss/tpm_tss_trousers.c 2023-06-08 10:35:17.000000000 +0000 @@ -124,7 +124,6 @@ uint32_t version_len; TSS_RESULT result; - TPM_CAP_VERSION_INFO *info; result = Tspi_Context_Create(&this->hContext); if (result != TSS_SUCCESS) @@ -159,12 +158,14 @@ return FALSE; } - info = (TPM_CAP_VERSION_INFO *)version_ptr; +#if DEBUG_LEVEL > 2 + TPM_CAP_VERSION_INFO *info = (TPM_CAP_VERSION_INFO *)version_ptr; DBG2(DBG_PTS, "TPM Version Info: Chip Version: %u.%u.%u.%u, " "Spec Level: %u, Errata Rev: %u, Vendor ID: %.4s", info->version.major, info->version.minor, info->version.revMajor, info->version.revMinor, untoh16(&info->specLevel), info->errataRev, info->tpmVendorID); +#endif this->version_info = chunk_clone(chunk_create(version_ptr, version_len)); 
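Review bot: The guard `#if DEBUG_LEVEL > 2` around the TPM version-info block disagrees with the `DBG2()` inside it and with the other hunks in this series, which use `>= 2` for DBG2 and `>= 1` for DBG1; a build with `DEBUG_LEVEL` set to 2 keeps DBG2 output everywhere else but loses this message. Change it to `#if DEBUG_LEVEL >= 2`.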
@@ -466,7 +467,7 @@ uint32_t version_info_size, pcr; aik_t *aik; chunk_t aik_blob = chunk_empty; - chunk_t quote_chunk, pcr_digest; + chunk_t quote_chunk DBG_UNUSED, pcr_digest; enumerator_t *enumerator; bool success = FALSE; diff -Nru strongswan-5.9.8/src/libtpmtss/tpm_tss_tss2_session.c strongswan-5.9.11/src/libtpmtss/tpm_tss_tss2_session.c --- strongswan-5.9.8/src/libtpmtss/tpm_tss_tss2_session.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtpmtss/tpm_tss_tss2_session.c 2023-06-08 10:35:17.000000000 +0000 @@ -82,7 +82,7 @@ /** * Convert TPM2_ALG_ID to PRF algorithm */ -pseudo_random_function_t prf_alg_from_tpm_alg_id(TPM2_ALG_ID alg) +static pseudo_random_function_t prf_alg_from_tpm_alg_id(TPM2_ALG_ID alg) { switch (alg) { @@ -133,7 +133,7 @@ hasher_t *hasher; pseudo_random_function_t prf_alg; prf_t *prf; - chunk_t data, cp_hash, cp_hmac, nonce_caller, nonce_tpm, session_attributes; + chunk_t data, cp_hash, nonce_caller, nonce_tpm, session_attributes; bool success; uint32_t rval; @@ -233,8 +233,8 @@ DBG1(DBG_PTS, "cpHmac computation failed"); return FALSE; } - cp_hmac = chunk_create(cmd.auths[0].hmac.buffer, cmd.auths[0].hmac.size); - DBG2(DBG_PTS, LABEL "cpHmac: %B", &cp_hmac); + DBG2(DBG_PTS, LABEL "cpHmac: %b", cmd.auths[0].hmac.buffer, + cmd.auths[0].hmac.size); rval = Tss2_Sys_SetCmdAuths(this->sys_context, &cmd); if (rval != TSS2_RC_SUCCESS) @@ -319,7 +319,7 @@ prf_t *prf; crypter_t *crypter; chunk_t kdf_label = chunk_from_chars('C','F','B', 0x00); - chunk_t data, rp_hash, rp_hmac, nonce_caller, nonce_tpm, session_attributes; + chunk_t data, rp_hash, nonce_caller, nonce_tpm, session_attributes; chunk_t key_mat, aes_key, aes_iv; bool success; uint32_t rval; 
@@ -410,8 +410,7 @@ DBG1(DBG_PTS, "computation of rpHmac failed"); return FALSE; } - rp_hmac = chunk_create(rpHmac.buffer, rpHmac.size); - DBG2(DBG_PTS, LABEL "rpHMAC: %B", &rp_hmac); + DBG2(DBG_PTS, LABEL "rpHMAC: %b", rpHmac.buffer, rpHmac.size); /* verify rpHmac */ if (!memeq(rsp.auths[0].hmac.buffer, rpHmac.buffer, rpHmac.size)) diff -Nru strongswan-5.9.8/src/libtpmtss/tpm_tss_tss2_v2.c strongswan-5.9.11/src/libtpmtss/tpm_tss_tss2_v2.c --- strongswan-5.9.8/src/libtpmtss/tpm_tss_tss2_v2.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/libtpmtss/tpm_tss_tss2_v2.c 2023-06-08 10:35:17.000000000 +0000 @@ -536,8 +536,8 @@ /** * read the public key portion of a TSS 2.0 key from NVRAM */ -bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle, - TPM2B_PUBLIC *public) +static bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle, + TPM2B_PUBLIC *public) { uint32_t rval; @@ -664,6 +664,8 @@ DBG1(DBG_PTS, LABEL "unsupported key type"); return chunk_empty; } + +#if DEBUG_LEVEL >= 1 if (public.publicArea.objectAttributes & TPMA_OBJECT_SIGN_ENCRYPT) { TPMT_ASYM_SCHEME *s; @@ -682,6 +684,7 @@ tpm_alg_id_names, s->algorithm, tpm_alg_id_names, s->mode, s->keyBits.sym); } +#endif return aik_pubkey; } diff -Nru strongswan-5.9.8/src/Makefile.in strongswan-5.9.11/src/Makefile.in --- strongswan-5.9.8/src/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/src/Makefile.in 2023-06-12 05:50:38.000000000 +0000 @@ -447,7 +447,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/manager/Makefile.in strongswan-5.9.11/src/manager/Makefile.in --- strongswan-5.9.8/src/manager/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/manager/Makefile.in 2023-06-12 05:50:45.000000000 +0000 
@@ -455,7 +455,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/medsrv/controller/peer_controller.c strongswan-5.9.11/src/medsrv/controller/peer_controller.c --- strongswan-5.9.8/src/medsrv/controller/peer_controller.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/medsrv/controller/peer_controller.c 2023-03-27 21:00:49.000000000 +0000 @@ -202,7 +202,7 @@ /** * pem encode a public key into an allocated string */ -char* pem_encode(chunk_t der) +static char* pem_encode(chunk_t der) { static const char *begin = "-----BEGIN PUBLIC KEY-----\n"; static const char *end = "-----END PUBLIC KEY-----"; diff -Nru strongswan-5.9.8/src/medsrv/Makefile.in strongswan-5.9.11/src/medsrv/Makefile.in --- strongswan-5.9.8/src/medsrv/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/medsrv/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -441,7 +441,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/pki/commands/acert.c strongswan-5.9.11/src/pki/commands/acert.c --- strongswan-5.9.8/src/pki/commands/acert.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/acert.c 2023-04-19 02:21:27.000000000 +0000 
@@ -64,11 +64,7 @@ } continue; case 'R': - if (streq(arg, "pss")) - { - pss = TRUE; - } - else if (!streq(arg, "pkcs1")) + if (!parse_rsa_padding(arg, &pss)) { error = "invalid RSA padding"; goto usage; diff -Nru strongswan-5.9.8/src/pki/commands/est.c strongswan-5.9.11/src/pki/commands/est.c --- strongswan-5.9.8/src/pki/commands/est.c 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/est.c 2023-06-08 10:35:17.000000000 +0000 @@ -32,7 +32,7 @@ */ static int est() { - char *arg, *url = NULL, *file = NULL, *error = NULL; + char *arg, *url = NULL, *label = NULL, *file = NULL, *error = NULL; char *client_cert_file = NULL, *client_key_file = NULL; char *keyid = NULL, *certid = NULL, *user_pass = NULL; cred_encoding_type_t form = CERT_ASN1_DER; @@ -60,6 +60,9 @@ case 'u': /* --url */ url = arg; continue; + case 'l': /* --label */ + label = arg; + continue; case 'i': /* --in */ file = arg; continue; @@ -256,7 +259,7 @@ est_op = EST_SIMPLE_REENROLL; } - est_tls = est_tls_create(url, client_cert, user_pass); + est_tls = est_tls_create(url, label, client_cert, user_pass); if (!est_tls) { DBG1(DBG_APP, "TLS connection to EST server was not established"); @@ -304,7 +307,7 @@ DBG1(DBG_APP, " going to sleep for %d seconds", poll_interval); sleep(poll_interval); - est_tls = est_tls_create(url, client_cert, user_pass); + est_tls = est_tls_create(url, label, client_cert, user_pass); if (!est_tls) { DBG1(DBG_APP, "TLS connection to EST server was not established"); 
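Review bot: The new `--label` value is forwarded to `est_tls_create()` as a path segment, but nothing here rejects `/`, `?`, `#` or whitespace, so unless est_tls_create() percent-encodes it, an odd label silently changes the request path. A check at the option, e.g. `if (!label[0] || strpbrk(label, "/?#")) { error = "invalid label"; goto usage; }`, keeps the failure close to the input. The correction of the usage string from `-userpass` to `--userpass` is welcome.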
@@ -354,14 +357,16 @@ command_register((command_t) { est, 'E', "est", "Enroll an X.509 certificate with an EST server", - {"--url url [--in file] [--cacert file]+ [-userpass username:password]", - "[--cert file|--certid hex --key file|--keyid hex] [--interval time]", + {"--url url [--label label] [--in file] --cacert file", + "[--cert file|--certid hex --key file|--keyid hex]", + "[--userpass username:password] [--interval time]", "[--maxpolltime time] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"url", 'u', 1, "URL of the EST server"}, + {"label", 'l', 1, "label in the EST server path"}, {"in", 'i', 1, "PKCS#10 input file, default: stdin"}, - {"cacert", 'C', 1, "CA certificate"}, + {"cacert", 'C', 1, "CA certificate(s)"}, {"cert", 'c', 1, "old certificate about to be renewed"}, {"certid", 'X', 1, "smartcard or TPM certificate object handle" }, {"key", 'k', 1, "old private key about to be replaced"}, diff -Nru strongswan-5.9.8/src/pki/commands/estca.c strongswan-5.9.11/src/pki/commands/estca.c --- strongswan-5.9.8/src/pki/commands/estca.c 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/estca.c 2023-06-08 10:35:17.000000000 +0000 @@ -32,7 +32,7 @@ certificate_t *cacert; mem_cred_t *creds = NULL; est_tls_t *est_tls; - char *arg, *error = NULL, *url = NULL, *caout = NULL; + char *arg, *error = NULL, *url = NULL, *label = NULL, *caout = NULL; bool force = FALSE, success; u_int http_code = 0; status_t status = 1; @@ -50,6 +50,9 @@ case 'u': /* --url */ url = arg; continue; + case 'l': /* --label */ + label = arg; + continue; case 'C': /* --cacert */ cacert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, arg, BUILD_END); @@ -87,7 +90,7 @@ return command_usage("--url is required"); } - est_tls = est_tls_create(url, NULL, NULL); + est_tls = est_tls_create(url, label, NULL, NULL); if (!est_tls) { DBG1(DBG_APP, "TLS connection to EST server was not established"); 
@@ -128,12 +131,14 @@ { command_register((command_t) { estca, 'e', "estca", - "get CA certificate[s] from a EST server", - {"--url url [--cacert file]+ [--caout file] [--outform der|pem] [--force]"}, + "get CA certificate[s] from an EST server", + {"--url url [--label label] --cacert file [--caout file]", + "[--outform der|pem] [--force]"}, { {"help", 'h', 0, "show usage information"}, - {"url", 'u', 1, "URL of the SCEP server"}, - {"cacert", 'C', 1, "TLS CA certificate"}, + {"url", 'u', 1, "URL of the EST server"}, + {"label", 'l', 1, "label in the EST server path"}, + {"cacert", 'C', 1, "TLS CA certificate(s)"}, {"caout", 'c', 1, "CA certificate [template]"}, {"outform", 'f', 1, "encoding of stored certificates, default: der"}, {"force", 'F', 0, "force overwrite of existing files"}, diff -Nru strongswan-5.9.8/src/pki/commands/issue.c strongswan-5.9.11/src/pki/commands/issue.c --- strongswan-5.9.8/src/pki/commands/issue.c 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/issue.c 2023-04-19 02:21:27.000000000 +0000 @@ -56,6 +56,37 @@ } /** + * Parse (extended) key usage flag and add it to the given set + */ +static void parse_flag(char *arg, x509_flag_t *flags) +{ + if (streq(arg, "serverAuth")) + { + *flags |= X509_SERVER_AUTH; + } + else if (streq(arg, "clientAuth")) + { + *flags |= X509_CLIENT_AUTH; + } + else if (streq(arg, "ikeIntermediate")) + { + *flags |= X509_IKE_INTERMEDIATE; + } + else if (streq(arg, "crlSign")) + { + *flags |= X509_CRL_SIGN; + } + else if (streq(arg, "ocspSigning")) + { + *flags |= X509_OCSP_SIGNER; + } + else if (streq(arg, "msSmartcardLogon")) + { + *flags |= X509_MS_SMARTCARD_LOGON; + } +} + +/** * Issue a certificate using a CA certificate and key */ static int issue() 
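Review bot: parse_flag() silently drops a flag name it does not recognise, so a typo such as `--flag serverauth` yields a certificate without the intended EKU and no diagnostic; since the helper is new in this hunk, it should report the failure instead of swallowing it. Change the signature to `static bool parse_flag(char *arg, x509_flag_t *flags)`, add a final `else { return FALSE; }` branch and end the function with `return TRUE;`, so the three call sites in the later `case 'e'` hunk can do `error = "invalid flag"; goto usage;` when it returns FALSE. The original inline if-chain had the same silent behaviour, but consolidating it into one function is the moment to fix it. A short header comment listing the accepted names (`serverAuth`, `clientAuth`, `ikeIntermediate`, `crlSign`, `ocspSigning`, `msSmartcardLogon`) would also help, since the man page in this series enumerates them.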
@@ -81,7 +112,7 @@ chunk_t critical_extension_oid = chunk_empty; time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60; char *datenb = NULL, *datena = NULL, *dateform = NULL; - x509_flag_t flags = 0; + x509_flag_t flags = 0, flags_add = 0, flags_rem = 0; x509_t *x509; x509_cdp_t *cdp = NULL; x509_cert_policy_t *policy = NULL; @@ -154,11 +185,7 @@ } continue; case 'R': - if (streq(arg, "pss")) - { - pss = TRUE; - } - else if (!streq(arg, "pkcs1")) + if (!parse_rsa_padding(arg, &pss)) { error = "invalid RSA padding"; goto usage; @@ -291,29 +318,17 @@ inhibit_any = atoi(arg); continue; case 'e': - if (streq(arg, "serverAuth")) - { - flags |= X509_SERVER_AUTH; - } - else if (streq(arg, "clientAuth")) + if (strpfx(arg, "+")) { - flags |= X509_CLIENT_AUTH; + parse_flag(&arg[1], &flags_add); } - else if (streq(arg, "ikeIntermediate")) + else if (strpfx(arg, "-")) { - flags |= X509_IKE_INTERMEDIATE; + parse_flag(&arg[1], &flags_rem); } - else if (streq(arg, "crlSign")) + else { - flags |= X509_CRL_SIGN; - } - else if (streq(arg, "ocspSigning")) - { - flags |= X509_OCSP_SIGNER; - } - else if (streq(arg, "msSmartcardLogon")) - { - flags |= X509_MS_SMARTCARD_LOGON; + parse_flag(arg, &flags); } continue; case 'f': @@ -482,8 +497,11 @@ } req = (pkcs10_t*)cert_req; - /* Add Extended Key Usage (EKU) flags */ - flags |= req->get_flags(req); + /* Add Extended Key Usage (EKU) flags if not overridden */ + if (!flags) + { + flags = req->get_flags(req); + } /* Add subjectAltNames from PKCS#10 certificate request */ enumerator = req->create_subjectAltName_enumerator(req); 
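Review bot: In the `@@ -482,8 +497,11 @@` hunk, `if (!flags)` uses the whole flag word as the "user overrode the EKUs" indicator, but `flags` is a general `x509_flag_t` and this hunk does not show whether other options OR into it before this point; if any does (a CA flag, for instance), the PKCS#10 request's EKU flags would be dropped whenever that option is given, even without `--flag`. A dedicated indicator is more robust: declare `bool flags_override = FALSE;` next to `flags_add`/`flags_rem`, set `flags_override = TRUE;` in the unprefixed branch of `case 'e'`, and test `if (!flags_override)` here. Note also that a `--flag` with an unrecognised name leaves `flags` at zero, so the request's EKUs are kept rather than replaced, which is surprising; the comment `/* Add Extended Key Usage (EKU) flags if not overridden */` should say explicitly that only unprefixed --flag values override them. issue()'s body extends beyond this hunk on both sides.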
@@ -542,6 +560,9 @@ error = "no signature scheme found"; goto end; } + /* add and/or remove flags */ + flags |= flags_add; + flags &= ~flags_rem; cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, diff -Nru strongswan-5.9.8/src/pki/commands/pkcs7.c strongswan-5.9.11/src/pki/commands/pkcs7.c --- strongswan-5.9.8/src/pki/commands/pkcs7.c 2022-07-19 10:14:11.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/pkcs7.c 2023-06-12 05:47:41.000000000 +0000 @@ -151,7 +151,8 @@ /** * Sign data into PKCS#7 signed-data */ -static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key) +static int sign(chunk_t chunk, certificate_t *cert, private_key_t *key, + hash_algorithm_t digest, signature_params_t *scheme) { container_t *container; chunk_t encoding; @@ -162,6 +163,8 @@ BUILD_BLOB, chunk, BUILD_SIGNING_CERT, cert, BUILD_SIGNING_KEY, key, + BUILD_SIGNATURE_SCHEME, scheme, + BUILD_DIGEST_ALG, digest, BUILD_END); if (container) { @@ -171,6 +174,7 @@ free(encoding.ptr); } container->destroy(container); + res = 0; } return res; } @@ -196,6 +200,7 @@ free(encoding.ptr); } container->destroy(container); + res = 0; } return res; } @@ -277,12 +282,14 @@ */ static int pkcs7() { - char *arg, *file = NULL; + char *arg, *file = NULL, *error = NULL; private_key_t *key = NULL; certificate_t *cert = NULL; chunk_t data = chunk_empty; + hash_algorithm_t digest = HASH_UNKNOWN; + signature_params_t *scheme = NULL; mem_cred_t *creds; - int res = 1; + int res = 0; FILE *in; enum { OP_NONE, @@ -292,6 +299,8 @@ OP_DECRYPT, OP_SHOW, } op = OP_NONE; + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + lib->ns); creds = mem_cred_create(); @@ -300,8 +309,7 @@ switch (command_getopt(&arg)) { case 'h': - creds->destroy(creds); - return command_usage(NULL); + goto usage; case 'i': file = arg; continue; 
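Review bot: In the pkcs7.c hunks `@@ -171,6 +174,7 @@` and `@@ -196,6 +200,7 @@`, `res = 0;` is placed after `container->destroy(container)`, outside the inner block that obtains and writes the encoding (its condition is above the hunk), so the command reports success even when that inner step failed and nothing was written to stdout. Move the assignment inside the inner block, i.e. after `free(encoding.ptr);` and before its closing brace, in both sign() and the sibling function, so `res` keeps its failure value whenever no output was produced. Both enclosing functions start before the hunk, so the initial value of `res` is not visible here; the fix assumes it is non-zero, as the added line implies.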
@@ -342,12 +350,12 @@ continue; case 'k': key = lib->creds->create(lib->creds, - CRED_PRIVATE_KEY, KEY_RSA, + CRED_PRIVATE_KEY, KEY_ANY, BUILD_FROM_FILE, arg, BUILD_END); if (!key) { - fprintf(stderr, "parsing private key failed\n"); - goto end; + error = "parsing private key failed"; + goto usage; } creds->add_key(creds, key); continue; @@ -357,17 +365,31 @@ BUILD_FROM_FILE, arg, BUILD_END); if (!cert) { - fprintf(stderr, "parsing certificate failed\n"); - goto end; + error = "parsing certificate failed"; + goto usage; } creds->add_cert(creds, TRUE, cert); continue; + case 'g': + if (!enum_from_name(hash_algorithm_short_names, arg, &digest)) + { + error = "invalid --digest type"; + goto usage; + } + continue; + case 'R': + if (!parse_rsa_padding(arg, &pss)) + { + error = "invalid RSA padding"; + goto usage; + } + continue; case EOF: break; default: invalid: - creds->destroy(creds); - return command_usage("invalid --pkcs7 option"); + error = "invalid --pkcs7 option"; + goto usage; } break; } @@ -388,12 +410,12 @@ if (!data.len) { - fprintf(stderr, "reading input failed!\n"); + error = "reading input failed"; goto end; } if (op != OP_SHOW && !cert) { - fprintf(stderr, "requiring a certificate!\n"); + error = "requiring a certificate"; goto end; } @@ -404,11 +426,21 @@ case OP_SIGN: if (!key) { - fprintf(stderr, "signing requires a private key\n"); - res = 1; + error = "signing requires a private key"; break; } - res = sign(data, cert, key); + scheme = get_signature_scheme(key, digest, pss); + if (!scheme) + { + error = "no signature scheme found"; + break; + } + if (digest == HASH_UNKNOWN) + { + digest = hasher_from_signature_scheme(scheme->scheme, + scheme->params); + } + res = sign(data, cert, key, digest, scheme); break; case OP_VERIFY: res = verify(data); @@ -420,7 +452,6 @@ if (!key) { fprintf(stderr, "decryption requires a private key\n"); - res = 1; break; } res = decrypt(data); 
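Review bot: The new `case 'g'` accepts every name in `hash_algorithm_short_names`, and the usage text added later in this file advertises `md5` and `sha1`, so `--sign --digest md5` silently produces a signed-data whose digest offers no collision resistance. Since the option is new, consider rejecting MD5 for signature creation at this branch, `if (digest == HASH_MD5) { error = "MD5 is not acceptable for signatures"; goto usage; }`, or at least logging a DBG1 warning for md5 and sha1 so the weaker choice is visible in the output. If MD5 is kept deliberately for interoperability with legacy consumers, a one-line comment at `case 'g'` saying so would stop a later reviewer from removing it. pkcs7()'s option loop continues outside this hunk.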
@@ -435,9 +466,19 @@ lib->credmgr->remove_local_set(lib->credmgr, &creds->set); end: + signature_params_destroy(scheme); creds->destroy(creds); free(data.ptr); + if (error) + { + fprintf(stderr, "%s\n", error); + return 1; + } return res; + +usage: + creds->destroy(creds); + return command_usage(error); } /** 
@@ -448,17 +489,21 @@ command_register((command_t) { pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions", {"--sign|--verify|--encrypt|--decrypt|--show", - "[--in file] [--cert file]+ [--key file]"}, + "[--in file] [--cert file]+ [--key file]", + "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", + "[--rsa-padding pkcs1|pss]"}, { - {"help", 'h', 0, "show usage information"}, - {"sign", 's', 0, "create PKCS#7 signed-data"}, - {"verify", 'u', 0, "verify PKCS#7 signed-data"}, - {"encrypt", 'e', 0, "create PKCS#7 enveloped-data"}, - {"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"}, - {"show", 'p', 0, "show info about PKCS#7, print certificates"}, - {"in", 'i', 1, "input file, default: stdin"}, - {"key", 'k', 1, "path to private key for sign/decrypt"}, - {"cert", 'c', 1, "path to certificate for sign/verify/encrypt"}, + {"help", 'h', 0, "show usage information"}, + {"sign", 's', 0, "create PKCS#7 signed-data"}, + {"verify", 'u', 0, "verify PKCS#7 signed-data"}, + {"encrypt", 'e', 0, "create PKCS#7 enveloped-data"}, + {"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"}, + {"show", 'p', 0, "show info about PKCS#7, print certificates"}, + {"in", 'i', 1, "input file, default: stdin"}, + {"key", 'k', 1, "path to private key for sign/decrypt"}, + {"cert", 'c', 1, "path to certificate for sign/verify/encrypt"}, + {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, } }); } diff -Nru strongswan-5.9.8/src/pki/commands/req.c strongswan-5.9.11/src/pki/commands/req.c --- strongswan-5.9.8/src/pki/commands/req.c 2022-09-02 04:21:44.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/req.c 2023-04-19 02:21:27.000000000 +0000 
@@ -43,6 +43,7 @@ chunk_t encoding = chunk_empty; chunk_t challenge_password = chunk_empty; chunk_t cert_type_ext = chunk_empty; + x509_flag_t flags = 0; char *arg; bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, lib->ns); @@ -78,6 +79,24 @@ goto usage; } continue; + case 'e': + if (streq(arg, "serverAuth")) + { + flags |= X509_SERVER_AUTH; + } + else if (streq(arg, "clientAuth")) + { + flags |= X509_CLIENT_AUTH; + } + else if (streq(arg, "ocspSigning")) + { + flags |= X509_OCSP_SIGNER; + } + else if (streq(arg, "msSmartcardLogon")) + { + flags |= X509_MS_SMARTCARD_LOGON; + } + continue; case 'g': /* --digest */ if (!enum_from_name(hash_algorithm_short_names, arg, &digest)) { @@ -86,12 +105,7 @@ } continue; case 'R': /* --rsa-padding */ - if (streq(arg, "pss")) - { - - pss = TRUE; - } - else if (!streq(arg, "pkcs1")) + if (!parse_rsa_padding(arg, &pss)) { error = "invalid RSA padding"; goto usage; @@ -213,6 +227,7 @@ BUILD_SUBJECT, id, BUILD_SUBJECT_ALTNAMES, san, BUILD_CHALLENGE_PWD, challenge_password, + BUILD_X509_FLAG, flags, BUILD_CERT_TYPE_EXT, cert_type_ext, BUILD_SIGNATURE_SCHEME, scheme, BUILD_END); @@ -264,6 +279,7 @@ "create a PKCS#10 certificate request", {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]", " --oldreq file|--dn distinguished-name [--san subjectAltName]+", + "[--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+", "[--profile server|client|dual|ocsp] [--password challengePassword]", "[--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", "[--rsa-padding pkcs1|pss] [--outform der|pem]"}, 
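Review bot: The new `case 'e'` branch in req.c has no fallback, so an unrecognised flag name (a typo, or `crlSign`/`ikeIntermediate`, which pki --issue accepts but this command does not) is silently ignored and the request is generated without the EKU the user asked for. Add a final branch that fails the command: `else { error = "invalid extendedKeyUsage flag"; goto usage; }`, mirroring how the adjacent `case 'g'` and `case 'R'` handle bad input. The usage line added below the `--san` entry already lists the four accepted names, so the error message can simply refer to them. req()'s body extends past this hunk.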
@@ -275,6 +291,7 @@ {"oldreq", 'o', 1, "old certificate request to be used as a template"}, {"dn", 'd', 1, "subject distinguished name"}, {"san", 'a', 1, "subjectAltName to include in cert request"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"profile", 'P', 1, "certificate profile name to include in cert request"}, {"password", 'p', 1, "challengePassword to include in cert request"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, diff -Nru strongswan-5.9.8/src/pki/commands/scep.c strongswan-5.9.11/src/pki/commands/scep.c --- strongswan-5.9.8/src/pki/commands/scep.c 2022-10-03 08:43:43.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/scep.c 2023-06-08 10:35:17.000000000 +0000 @@ -162,15 +162,7 @@ } continue; case 'R': /* --rsa-padding */ - if (streq(arg, "pss")) - { - pss = TRUE; - } - else if (streq(arg, "pkcs1")) - { - pss = FALSE; - } - else + if (!parse_rsa_padding(arg, &pss)) { error = "invalid RSA padding"; goto usage; @@ -223,21 +215,23 @@ if (client_cert_file && !client_key_file) { - error = "--oldkey is required if --oldcert is set"; + error = "--key is required if --cert is set"; goto usage; } - if (!dn) + if (!dn && !client_cert_file) { - error = "--dn is required"; + error = "--dn is required if --cert is not set"; goto usage; } - - subject = identification_create_from_string(dn); - if (subject->get_type(subject) != ID_DER_ASN1_DN) + else if (dn) { - DBG1(DBG_APP, "supplied --dn is not a distinguished name"); - goto err; + subject = identification_create_from_string(dn); + if (subject->get_type(subject) != ID_DER_ASN1_DN) + { + DBG1(DBG_APP, "supplied --dn is not a distinguished name"); + goto err; + } } /* load RSA private key from file or stdin */ 
@@ -337,43 +331,19 @@ } DBG2(DBG_APP, "HTTP POST %ssupported", http_post ? "" : "not "); - scheme = get_signature_scheme(private, digest_alg, pss); - if (!scheme) - { - DBG1(DBG_APP, "no signature scheme found"); - goto err; - } - - /* generate PKCS#10 certificate request */ - pkcs10 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, - BUILD_SIGNING_KEY, private, - BUILD_SUBJECT, subject, - BUILD_SUBJECT_ALTNAMES, san, - BUILD_CHALLENGE_PWD, challenge_password, - BUILD_CERT_TYPE_EXT, cert_type, - BUILD_SIGNATURE_SCHEME, scheme, - BUILD_END); - if (!pkcs10) - { - DBG1(DBG_APP, "generating certificate request failed"); - goto err; - } - - /* generate PKCS#10 encoding */ - if (!pkcs10->get_encoding(pkcs10, CERT_ASN1_DER, &pkcs10_encoding)) + if (!scep_generate_transaction_id(public, &transID, &serialNumber)) { - DBG1(DBG_APP, "encoding certificate request failed"); - pkcs10->destroy(pkcs10); + DBG1(DBG_APP, "generating transaction ID failed"); goto err; } - pkcs10->destroy(pkcs10); + DBG1(DBG_APP, "transaction ID: %.*s", (int)transID.len, transID.ptr); - if (!scep_generate_transaction_id(public, &transID, &serialNumber)) + scheme = get_signature_scheme(private, digest_alg, pss); + if (!scheme) { - DBG1(DBG_APP, "generating transaction ID failed"); + DBG1(DBG_APP, "no signature scheme found"); goto err; } - DBG1(DBG_APP, "transaction ID: %.*s", (int)transID.len, transID.ptr); if (client_cert_file) { @@ -409,6 +379,12 @@ x509_signer->destroy(x509_signer); goto err; } + + if (!subject) + { + subject = x509_signer->get_subject(x509_signer); + subject = subject->clone(subject); + } } else { 
@@ -443,6 +419,30 @@ client_creds->add_cert(client_creds, FALSE, x509_signer); client_creds->add_key(client_creds, priv_signer); + /* generate PKCS#10 certificate request */ + pkcs10 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST, + BUILD_SIGNING_KEY, private, + BUILD_SUBJECT, subject, + BUILD_SUBJECT_ALTNAMES, san, + BUILD_CHALLENGE_PWD, challenge_password, + BUILD_CERT_TYPE_EXT, cert_type, + BUILD_SIGNATURE_SCHEME, scheme, + BUILD_END); + if (!pkcs10) + { + DBG1(DBG_APP, "generating certificate request failed"); + goto err; + } + + /* generate PKCS#10 encoding */ + if (!pkcs10->get_encoding(pkcs10, CERT_ASN1_DER, &pkcs10_encoding)) + { + DBG1(DBG_APP, "encoding certificate request failed"); + pkcs10->destroy(pkcs10); + goto err; + } + pkcs10->destroy(pkcs10); + /* load CA or RA certificate used for encryption */ x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, ca_enc_file, BUILD_END); 
@@ -630,17 +630,17 @@ command_register((command_t) { scep, 'S', "scep", "Enroll an X.509 certificate with a SCEP server", - {"--url url [--in file] --dn distinguished-name [--san subjectAltName]+", + {"--url url [--in file] [--dn distinguished-name] [--san subjectAltName]+", "[--profile profile] [--password password]", " --cacert-enc file --cacert-sig file [--cacert file]+", - " --oldcert file --oldkey file] [--cipher aes|des3]", + " --cert file --key file] [--cipher aes|des3]", "[--digest sha256|sha384|sha512|sha224|sha1] [--rsa-padding pkcs1|pss]", "[--interval time] [--maxpolltime time] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"url", 'u', 1, "URL of the SCEP server"}, {"in", 'i', 1, "RSA private key input file, default: stdin"}, - {"dn", 'd', 1, "subject distinguished name"}, + {"dn", 'd', 1, "subject distinguished name (optional if --cert is given)"}, {"san", 'a', 1, "subjectAltName to include in cert request"}, {"profile", 'P', 1, "certificate profile name to include in cert request"}, {"password", 'p', 1, "challengePassword to include in cert request"}, diff -Nru strongswan-5.9.8/src/pki/commands/self.c strongswan-5.9.11/src/pki/commands/self.c --- strongswan-5.9.8/src/pki/commands/self.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/self.c 2023-04-19 02:21:27.000000000 +0000 @@ -129,11 +129,7 @@ } continue; case 'R': - if (streq(arg, "pss")) - { - pss = TRUE; - } - else if (!streq(arg, "pkcs1")) + if (!parse_rsa_padding(arg, &pss)) { error = "invalid RSA padding"; goto usage; diff -Nru strongswan-5.9.8/src/pki/commands/signcrl.c strongswan-5.9.11/src/pki/commands/signcrl.c --- strongswan-5.9.8/src/pki/commands/signcrl.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/pki/commands/signcrl.c 2023-06-12 05:47:41.000000000 +0000 
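Review bot: The rewritten usage line `" --cert file --key file] [--cipher aes|des3]"` has a closing `]` without a matching `[`, so the synopsis printed by `pki --scep --help` misrenders the optional renewal pair; the old `--oldcert`/`--oldkey` line had the same defect, but this hunk rewrites it and can fix it. Change it to `"[--cert file --key file] [--cipher aes|des3]"`, which also matches the check added earlier in this file that requires `--key` only when `--cert` is given. The `--dn` description text reads well as written.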
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2017-2019 Andreas Steffen + * Copyright (C) 2017-2022 Andreas Steffen * Copyright (C) 2010 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -28,21 +28,12 @@ /** - * Entry for a revoked certificate - */ -typedef struct { - chunk_t serial; - crl_reason_t reason; - time_t date; -} revoked_t; - -/** * Add a revocation to the list */ static void add_revoked(linked_list_t *list, chunk_t serial, crl_reason_t reason, time_t date) { - revoked_t *revoked; + crl_revoked_t *revoked; INIT(revoked, .serial = chunk_clone(serial), @@ -55,7 +46,7 @@ /** * Destroy a reason entry */ -static void revoked_destroy(revoked_t *revoked) +static void revoked_destroy(crl_revoked_t *revoked) { free(revoked->serial.ptr); free(revoked); @@ -64,7 +55,7 @@ CALLBACK(filter, bool, void *data, enumerator_t *orig, va_list args) { - revoked_t *revoked; + crl_revoked_t *revoked; crl_reason_t *reason; chunk_t *serial; time_t *date; @@ -155,11 +146,7 @@ } continue; case 'R': - if (streq(arg, "pss")) - { - pss = TRUE; - } - else if (!streq(arg, "pkcs1")) + if (!parse_rsa_padding(arg, &pss)) { error = "invalid RSA padding"; goto usage; diff -Nru strongswan-5.9.8/src/pki/est/est_tls.c strongswan-5.9.11/src/pki/est/est_tls.c --- strongswan-5.9.8/src/pki/est/est_tls.c 2022-09-30 09:13:45.000000000 +0000 +++ strongswan-5.9.11/src/pki/est/est_tls.c 2023-04-19 02:21:27.000000000 +0000 @@ -18,6 +18,7 @@ #include #include #include +#include #include "est_tls.h" @@ -81,6 +82,11 @@ char *http_path; /** + * Label string used for http requests + */ + char *http_label; + + /** * Optional base64-encoded for http basic authentication */ chunk_t user_pass; 
@@ -108,13 +114,13 @@ data = chunk_to_base64(in, NULL); len = asprintf(&http_header, - "POST %s/.well-known/est/%s HTTP/1.1\r\n" + "POST %s/.well-known/est%s%s HTTP/1.1\r\n" "Host: %s\r\n" "%s" "Content-Type: %s\r\n" "Content-Length: %d\r\n" "\r\n", - this->http_path, operations[op], this->http_host, http_auth, + this->http_path, this->http_label, operations[op], this->http_host, http_auth, request_types[op], (int)data.len); if (len > 0) { @@ -128,11 +134,11 @@ else /* create HTTP GET request */ { len = asprintf(&http_header, - "GET %s/.well-known/est/%s HTTP/1.1\r\n" + "GET %s/.well-known/est%s%s HTTP/1.1\r\n" "Host: %s\r\n" "%s" "\r\n", - this->http_path, operations[op], this->http_host, http_auth); + this->http_path, this->http_label, operations[op], this->http_host, http_auth); if (len > 0) { request = chunk_create(http_header, len); @@ -193,7 +199,6 @@ return (*http_code < 300); } - METHOD(est_tls_t, request, bool, private_est_tls_t *this, est_op_t op, chunk_t in, chunk_t *out, u_int *http_code, u_int *retry_after) @@ -201,7 +206,7 @@ chunk_t http = chunk_empty, data = chunk_empty, response; u_int content_len; char buf[1024]; - int len; + int i, len; /* initialize output variables */ *out = chunk_empty; @@ -272,6 +277,15 @@ } } + for (i = 0, len = 0; i < data.len; i++) + { + if (!isspace(data.ptr[i])) + { + data.ptr[len++] = data.ptr[i]; + } + } + data.len = len; + *out = chunk_from_base64(data, NULL); chunk_free(&data); } @@ -289,11 +303,12 @@ } chunk_clear(&this->user_pass); free(this->http_host); + free(this->http_label); free(this->http_path); free(this); } -static bool est_tls_init(private_est_tls_t *this, char *uri, +static bool est_tls_init(private_est_tls_t *this, char *uri, char *label, certificate_t *client_cert) { identification_t *client_id = NULL, *server_id = NULL; 
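Review bot: The whitespace-stripping loop added in the `@@ -272,6 +277,15 @@` hunk compares the `int` index `i` against `data.len` (a `size_t` in strongSwan's chunk_t) and reuses the existing `int len` of this function as a compaction cursor; that mixes signed and unsigned arithmetic and trips -Wsign-compare. Use a dedicated unsigned cursor instead: `size_t i, n = 0;` ... `for (i = 0; i < data.len; i++)` ... `data.len = n;`, leaving `len` for its original purpose. A one-line comment such as `/* strip line breaks and other whitespace before base64 decoding */` would also explain why the loop exists. request()'s body continues outside the hunk.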
@@ -321,6 +336,16 @@ *path_str = '\0'; } + /* ensure sure label starts and ends with '/' character */ + if (!label || !label[0] || + asprintf(&this->http_label, "%s%s%s", + label[0] == '/' ? "" : "/", + label, + label[strlen(label) - 1] == '/' ? "" : "/") < 0) + { + this->http_label = strdup("/"); + } + /* duplicate string since we are going to manipulate it */ host_str = strdup(uri); @@ -392,7 +417,7 @@ /** * See header */ -est_tls_t *est_tls_create(char *uri, certificate_t *client_cert, char *user_pass) +est_tls_t *est_tls_create(char *uri, char *label, certificate_t *client_cert, char *user_pass) { private_est_tls_t *this; @@ -408,7 +433,7 @@ this->user_pass = chunk_to_base64(chunk_from_str(user_pass), NULL); } - if (!est_tls_init(this, uri, client_cert)) + if (!est_tls_init(this, uri, label, client_cert)) { destroy(this); return NULL; diff -Nru strongswan-5.9.8/src/pki/est/est_tls.h strongswan-5.9.11/src/pki/est/est_tls.h --- strongswan-5.9.8/src/pki/est/est_tls.h 2022-08-26 10:19:17.000000000 +0000 +++ strongswan-5.9.11/src/pki/est/est_tls.h 2023-04-19 02:21:27.000000000 +0000 @@ -70,10 +70,11 @@ * Create a est_tls instance. * * @param uri URI (https://...) + * @param label Optional EST server label * @param client_cert Optional client certificate * @param user_pass Optional username:password for HTTP Basic Authentication */ -est_tls_t *est_tls_create(char *uri, certificate_t *client_cert, +est_tls_t *est_tls_create(char *uri, char *label, certificate_t *client_cert, char *user_pass); #endif /** EST_TLS_H_ @}*/ diff -Nru strongswan-5.9.8/src/pki/Makefile.in strongswan-5.9.11/src/pki/Makefile.in --- strongswan-5.9.8/src/pki/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/pki/Makefile.in 2023-06-12 05:50:45.000000000 +0000 
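Review bot: The `--label` value is normalised for leading/trailing slashes but not otherwise checked, and it is later spliced verbatim into the HTTP request line (`POST %s/.well-known/est%s%s HTTP/1.1`), so a label containing a space, `\r` or `\n` yields a malformed request or lets the caller inject header lines; the value is an operator's command-line argument, so the exposure is limited, but the check is cheap. Before the asprintf, reject labels with whitespace: `if (label && label[strcspn(label, " \t\r\n")]) { DBG1(DBG_APP, "invalid character in EST label"); return FALSE; }`. The comment `/* ensure sure label starts and ends with '/' character */` has a doubled word and should read `/* ensure label starts and ends with '/' */`. est_tls_init() extends on both sides of this hunk.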
@@ -464,7 +464,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/pki/man/Makefile.in strongswan-5.9.11/src/pki/man/Makefile.in --- strongswan-5.9.8/src/pki/man/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/pki/man/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -392,7 +392,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/pki/man/pki---est.1.in strongswan-5.9.11/src/pki/man/pki---est.1.in --- strongswan-5.9.8/src/pki/man/pki---est.1.in 2022-09-30 09:13:45.000000000 +0000 +++ strongswan-5.9.11/src/pki/man/pki---est.1.in 2023-06-08 10:35:17.000000000 +0000 @@ -7,13 +7,13 @@ .SH "SYNOPSIS" . .SY pki\ \-\-est -.BI\-\-\-url\~ url +.BI \-\-\-url\~ url +.OP \-\-label label .OP \-\-in file .BI \-\-cacert\~ file .RB [ \-\-cert .IR file | \fB\-\-certid\fR -.IR hex ] -.RB [ \-\-key +.IB hex\~ \-\-key .IR file | \fB\-\-keyid\fR .IR hex ] .OP \-\-userpass username:password @@ -61,6 +61,9 @@ .BI "\-u, \-\-url " url URL of the EST server. .TP +.BI "\-l, \-\-label " label +Label in the EST server path. +.TP .BI "\-i, \-\-in " file PKCS#10 certificate request. If not given, the certificate request is read from \fISTDIN\fR. 
@@ -114,8 +117,8 @@ .B NOTE: For a successful HTTPS connection, trust must be established into the EST server certificate. The TLS trust chain including the root CA certificate and -optionally intermediate CA certificates must be given using [multiple] -.B --cacert* +optionally intermediate CA certificates must be given using multiple +.B --cacert options. .P The diff -Nru strongswan-5.9.8/src/pki/man/pki---estca.1.in strongswan-5.9.11/src/pki/man/pki---estca.1.in --- strongswan-5.9.8/src/pki/man/pki---estca.1.in 2022-08-27 07:51:17.000000000 +0000 +++ strongswan-5.9.11/src/pki/man/pki---estca.1.in 2023-06-08 10:35:17.000000000 +0000 @@ -7,8 +7,9 @@ .SH "SYNOPSIS" . .SY pki\ \-\-estca -.BI\-\-\-url\~ url -.BI\-\-\-cacert\~ file +.BI \-\-url\~ url +.OP \-\-label label +.BI \-\-cacert\~ file .OP \-\-caout file .OP \-\-outform encoding .OP \-\-force @@ -47,6 +48,9 @@ .BI "\-u, \-\-url " url URL of the SCEP server. .TP +.BI "\-l, \-\-label " label +Label in the EST server path. +.TP .BI "\-C, \-\-cacert " file CA certificate in the trust chain used for EST TLS server signature verification. Can be used multiple times. @@ -88,7 +92,7 @@ .B NOTE: For a successful HTTPS connection, trust must be established into the EST server certificate. The TLS trust chain including the root CA certificate and optionally -intermediate CA certificates must be given using [multiple] +intermediate CA certificates must be given using multiple .B --cacert options. .P diff -Nru strongswan-5.9.8/src/pki/man/pki---issue.1.in strongswan-5.9.11/src/pki/man/pki---issue.1.in --- strongswan-5.9.8/src/pki/man/pki---issue.1.in 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/pki/man/pki---issue.1.in 2023-03-27 21:00:49.000000000 +0000 
@@ -125,7 +125,10 @@ .TP .BI "\-e, \-\-flag " flag Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR, -\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times. +\fIcrlSign\fR, \fIocspSigning\fR or \fImsSmartcardLogon\fR. Can be used multiple +times. Without modifiers, this overrides flags from PKCS#10 certificate +requests. Prefixing a flag with \fI+\fR adds it to the set of flags read from +the request, prefixing it with \fI-\fR removes it from that set. .TP .BI "\-g, \-\-digest " digest Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, diff -Nru strongswan-5.9.8/src/pki/man/pki---pkcs7.1.in strongswan-5.9.11/src/pki/man/pki---pkcs7.1.in --- strongswan-5.9.8/src/pki/man/pki---pkcs7.1.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/pki/man/pki---pkcs7.1.in 2023-04-19 02:21:27.000000000 +0000 @@ -1,4 +1,4 @@ -.TH "PKI \-\-PKCS7" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +.TH "PKI \-\-PKCS7" 1 "2023-03-30" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -11,6 +11,8 @@ .OP \-\-in file .OP \-\-cert file .OP \-\-key file +.OP \-\-digest digest +.OP \-\-rsa\-padding padding .OP \-\-debug level .YS . @@ -73,6 +75,15 @@ and .BR \-\-encrypt. Can be used multiple times. +.TP +.BI "\-g, \-\-digest " digest +Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is +determined based on the type and size of the signature key. +.TP +.BI "\-R, \-\-rsa\-padding " padding +Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults +to \fIpkcs1\fR. . .SH "SEE ALSO" . diff -Nru strongswan-5.9.8/src/pki/man/pki---req.1.in strongswan-5.9.11/src/pki/man/pki---req.1.in --- strongswan-5.9.8/src/pki/man/pki---req.1.in 2022-09-02 04:21:44.000000000 +0000 +++ strongswan-5.9.11/src/pki/man/pki---req.1.in 2023-03-27 21:00:49.000000000 +0000 
@@ -14,6 +14,7 @@ .BI \-\-dn\~ distinguished-name .OP \-\-san subjectAltName .OP \-\-profile profile +.OP \-\-flag flag .OP \-\-password password .OP \-\-digest digest .OP \-\-rsa\-padding padding @@ -91,6 +92,11 @@ translated into corresponding Extended Key Usage (EKU) flags in the generated X.509 certificate. .TP +.BI "\-e, \-\-flag " flag +Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR, +\fIocspSigning\fR or \fImsSmartcardLogon\fR. Can be used multiple times. Adds an +X.509v3 EKU extension containing these flags to the certificate request. +.TP .BI "\-p, \-\-password " password The challengePassword to include in the certificate request. .TP diff -Nru strongswan-5.9.8/src/pki/man/pki---scep.1.in strongswan-5.9.11/src/pki/man/pki---scep.1.in --- strongswan-5.9.8/src/pki/man/pki---scep.1.in 2022-08-27 07:47:08.000000000 +0000 +++ strongswan-5.9.11/src/pki/man/pki---scep.1.in 2023-06-08 10:35:17.000000000 +0000 @@ -9,7 +9,7 @@ .SY pki\ \-\-scep .BI\-\-\-url\~ url .OP \-\-in file -.BI \-\-dn\~ distinguished-name +.OP \-\-dn\~ distinguished-name .OP \-\-san subjectAltName .OP \-\-profile profile .OP \-\-password password @@ -70,7 +70,7 @@ RSA private key. If not given the key is read from \fISTDIN\fR. .TP .BI "\-d, \-\-dn " distinguished-name -Subject distinguished name (DN). Required. +Subject distinguished name (DN). Required unless \-\-cert is given. .TP .BI "\-a, \-\-san " subjectAltName subjectAltName extension to include in request. Can be used multiple times. diff -Nru strongswan-5.9.8/src/pki/pki.c strongswan-5.9.11/src/pki/pki.c --- strongswan-5.9.8/src/pki/pki.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/pki/pki.c 2023-04-19 02:21:27.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2018 Tobias Brunner + * Copyright (C) 2012-2023 Tobias Brunner * Copyright (C) 2009 Martin Willi * * Copyright (C) secunet Security Networks AG 
@@ -238,6 +238,26 @@ #endif } +/* + * Described in header + */ +bool parse_rsa_padding(char *padding, bool *pss) +{ + if (streq(padding, "pss")) + { + *pss = TRUE; + } + else if (streq(padding, "pkcs1")) + { + *pss = FALSE; + } + else + { + return FALSE; + } + return TRUE; +} + /** * Determine a default hash algorithm for the given key */ diff -Nru strongswan-5.9.8/src/pki/pki_cert.c strongswan-5.9.11/src/pki/pki_cert.c --- strongswan-5.9.8/src/pki/pki_cert.c 2022-09-16 06:02:39.000000000 +0000 +++ strongswan-5.9.11/src/pki/pki_cert.c 2023-06-08 10:35:17.000000000 +0000 @@ -34,7 +34,7 @@ CERT_TYPE_RA } pki_cert_type_t; -static char *cert_type_label[] = { "Root CA", "Sub CA", "RA" }; +static char *cert_type_label[] DBG_UNUSED = { "Root CA", "Sub CA", "RA" }; /** * Determine certificate type based on X.509 certificate flags @@ -73,7 +73,7 @@ char digest_buf[HASH_SIZE_SHA256]; char base64_buf[HASH_SIZE_SHA256]; chunk_t cert_digest = {digest_buf, HASH_SIZE_SHA256}; - chunk_t cert_id, serial, encoding = chunk_empty; + chunk_t cert_id DBG_UNUSED, serial DBG_UNUSED, encoding = chunk_empty; x509_t *x509; bool success = FALSE; @@ -207,8 +207,7 @@ bool force) { chunk_t encoding = chunk_empty; - time_t until; - bool written, valid; + bool written; if (path) { @@ -240,12 +239,14 @@ path = "stdout"; } - valid = cert->get_validity(cert, NULL, NULL, &until); +#if DEBUG_LEVEL >= 1 + time_t until; + bool valid = cert->get_validity(cert, NULL, NULL, &until); DBG1(DBG_APP, "%s cert is %strusted, %s %T, %s'%s'", cert_type_label[cert_type], trusted ? "" : "un", valid ? "valid until" : "invalid since", &until, FALSE, path ? "written to " : "", path ? path : "not written"); - +#endif return TRUE; } 
@@ -466,16 +467,15 @@ x509_t *x509 = (x509_t*)cert; certificate_t *cert_found = NULL; enumerator_t *certs; - chunk_t serial; - time_t from, until; - bool trusted, valid; + bool trusted DBG_UNUSED; if (!(x509->get_flags(x509) & X509_CA)) { DBG1(DBG_APP, "Issued certificate \"%Y\"", cert->get_subject(cert)); - serial = x509->get_serial(x509); +#if DEBUG_LEVEL >= 1 + chunk_t serial = x509->get_serial(x509); DBG1(DBG_APP, " serial: %#B", &serial); - +#endif if (stored) { DBG1(DBG_APP, "multiple certs received, only first stored"); @@ -490,12 +490,14 @@ (cert_found == cert); certs->destroy(certs); - valid = cert->get_validity(cert, NULL, &from, &until); +#if DEBUG_LEVEL >= 1 + time_t from, until; + bool valid = cert->get_validity(cert, NULL, &from, &until); DBG1(DBG_APP, "Issued certificate is %strusted, " "valid from %T until %T (currently %svalid)", trusted ? "" : "not ", &from, FALSE, &until, FALSE, valid ? "" : "not "); - +#endif if (!cert->get_encoding(cert, form, &cert_encoding)) { DBG1(DBG_APP, "encoding certificate failed"); diff -Nru strongswan-5.9.8/src/pki/pki.h strongswan-5.9.11/src/pki/pki.h --- strongswan-5.9.8/src/pki/pki.h 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/pki/pki.h 2023-04-19 02:21:27.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015-2017 Tobias Brunner + * Copyright (C) 2015-2023 Tobias Brunner * Copyright (C) 2009 Martin Willi * * Copyright (C) secunet Security Networks AG 
@@ -59,6 +59,15 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc); /** + * Parse RSA padding configuration. + * + * @param padding input string to parse + * @param pss set to TRUE if PSS padding should be used, FALSE otherwise + * @return TRUE if successfully parsed + */ +bool parse_rsa_padding(char *padding, bool *pss); + +/** * Determine the signature scheme and parameters for the given private key and * hash algorithm and whether to use PSS padding for RSA. * diff -Nru strongswan-5.9.8/src/pki/scep/scep.c strongswan-5.9.11/src/pki/scep/scep.c --- strongswan-5.9.8/src/pki/scep/scep.c 2022-10-03 08:43:43.000000000 +0000 +++ strongswan-5.9.11/src/pki/scep/scep.c 2023-06-08 10:35:17.000000000 +0000 @@ -38,7 +38,7 @@ static const char *pkiStatus_values[] = { "0", "2", "3" }; -static const char *pkiStatus_names[] = { +static const char *pkiStatus_names[] DBG_UNUSED = { "SUCCESS", "FAILURE", "PENDING", @@ -47,7 +47,7 @@ static const char *msgType_values[] = { "3", "17", "19", "20", "21", "22" }; -static const char *msgType_names[] = { +static const char *msgType_names[] DBG_UNUSED = { "CertRep", "RenewalReq", "PKCSReq", @@ -57,7 +57,7 @@ "Unknown" }; -static const char *failInfo_reasons[] = { +static const char *failInfo_reasons[] DBG_UNUSED = { "badAlg - unrecognized or unsupported algorithm identifier", "badMessageCheck - integrity check failed", "badRequest - transaction not permitted or supported", @@ -395,8 +395,8 @@ /** * Extract X.501 attributes */ -void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator, - scep_attributes_t *attrs) +static void extract_attributes(pkcs7_t *pkcs7, enumerator_t *enumerator, + scep_attributes_t *attrs) { chunk_t attr; diff -Nru strongswan-5.9.8/src/pki/scep/scep.h strongswan-5.9.11/src/pki/scep/scep.h --- strongswan-5.9.8/src/pki/scep/scep.h 2022-10-03 08:43:43.000000000 +0000 +++ strongswan-5.9.11/src/pki/scep/scep.h 2023-03-27 21:00:49.000000000 +0000 
@@ -75,17 +75,17 @@ /* SCEP CA Capabilities */ typedef enum { - SCEP_CAPS_AES = 0, - SCEP_CAPS_DES3 = 1, - SCEP_CAPS_SHA256 = 2, - SCEP_CAPS_SHA384 = 3, - SCEP_CAPS_SHA512 = 4, - SCEP_CAPS_SHA224 = 5, - SCEP_CAPS_SHA1 = 6, - SCEP_CAPS_POSTPKIOPERATION = 7, - SCEP_CAPS_SCEPSTANDARD = 8, - SCEP_CAPS_GETNEXTCACERT = 9, - SCEP_CAPS_RENEWAL = 10 + SCEP_CAPS_AES = (1<<0), + SCEP_CAPS_DES3 = (1<<1), + SCEP_CAPS_SHA256 = (1<<2), + SCEP_CAPS_SHA384 = (1<<3), + SCEP_CAPS_SHA512 = (1<<4), + SCEP_CAPS_SHA224 = (1<<5), + SCEP_CAPS_SHA1 = (1<<6), + SCEP_CAPS_POSTPKIOPERATION = (1<<7), + SCEP_CAPS_SCEPSTANDARD = (1<<8), + SCEP_CAPS_GETNEXTCACERT = (1<<9), + SCEP_CAPS_RENEWAL = (1<<10), } scep_caps_t; extern const scep_attributes_t empty_scep_attributes; diff -Nru strongswan-5.9.8/src/pool/Makefile.in strongswan-5.9.11/src/pool/Makefile.in --- strongswan-5.9.8/src/pool/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/pool/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -434,7 +434,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/pt-tls-client/Makefile.in strongswan-5.9.11/src/pt-tls-client/Makefile.in --- strongswan-5.9.8/src/pt-tls-client/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/pt-tls-client/Makefile.in 2023-06-12 05:50:45.000000000 +0000 
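Review bot: The enumerators are now bit flags rather than ordinals, but nothing on the typedef says that a `scep_caps_t` value is meant to be OR-combined; a comment such as `/* bit flags, combine with | */` above `typedef enum` would document the new contract. Any table or array that was indexed with the old sequential values (not visible in this hunk) would now need a bit-position lookup, so it is worth grepping for such uses. The trailing comma after `SCEP_CAPS_RENEWAL` is valid C99 and fine.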
@@ -433,7 +433,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/sec-updater/Makefile.in strongswan-5.9.11/src/sec-updater/Makefile.in --- strongswan-5.9.8/src/sec-updater/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/sec-updater/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -430,7 +430,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/sec-updater/sec-updater.c strongswan-5.9.11/src/sec-updater/sec-updater.c --- strongswan-5.9.8/src/sec-updater/sec-updater.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/sec-updater/sec-updater.c 2023-06-08 10:35:17.000000000 +0000 @@ -173,7 +173,7 @@ while (e->enumerate(e, &vid, &release, &sec_flag)) { char command[BUF_LEN]; - char found_char = ' '; + char found_char DBG_UNUSED = ' '; bool update_version = FALSE; if (streq(version, release)) diff -Nru strongswan-5.9.8/src/starter/Android.mk strongswan-5.9.11/src/starter/Android.mk --- strongswan-5.9.8/src/starter/Android.mk 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/starter/Android.mk 2023-03-27 21:00:49.000000000 +0000 @@ -18,8 +18,7 @@ $(strongswan_PATH)/src/stroke LOCAL_CFLAGS := $(strongswan_CFLAGS) \ - -DIPSEC_SCRIPT='"ipsec"' \ - -DPLUGINS='"$(strongswan_STARTER_PLUGINS)"' + -DIPSEC_SCRIPT='"ipsec"' LOCAL_MODULE := starter diff -Nru strongswan-5.9.8/src/starter/Makefile.am strongswan-5.9.11/src/starter/Makefile.am --- strongswan-5.9.8/src/starter/Makefile.am 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/starter/Makefile.am 2023-03-27 21:00:49.000000000 +0000 
@@ -24,7 +24,6 @@ -DIPSEC_SCRIPT=\"${ipsec_script}\" \ -DDEV_RANDOM=\"${random_device}\" \ -DDEV_URANDOM=\"${urandom_device}\" \ - -DPLUGINS=\""${starter_plugins}\"" \ -DDEBUG AM_CFLAGS = \ diff -Nru strongswan-5.9.8/src/starter/Makefile.in strongswan-5.9.11/src/starter/Makefile.in --- strongswan-5.9.8/src/starter/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/starter/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -478,7 +478,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ @@ -529,8 +528,7 @@ -DIPSEC_EAPDIR=\"${eapdir}\" \ -DIPSEC_SCRIPT=\"${ipsec_script}\" \ -DDEV_RANDOM=\"${random_device}\" \ - -DDEV_URANDOM=\"${urandom_device}\" \ - -DPLUGINS=\""${starter_plugins}\"" -DDEBUG $(am__append_1) + -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) AM_CFLAGS = \ @COVERAGE_CFLAGS@ diff -Nru strongswan-5.9.8/src/starter/parser/conf_parser.c strongswan-5.9.11/src/starter/parser/conf_parser.c --- strongswan-5.9.8/src/starter/parser/conf_parser.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/starter/parser/conf_parser.c 2023-03-27 21:00:49.000000000 +0000 
@@ -83,14 +83,14 @@ char *value; } setting_t; -int setting_find(const void *a, const void *b) +static int setting_find(const void *a, const void *b) { const char *key = a; const setting_t *setting = b; return strcmp(key, setting->key); } -int setting_sort(const void *a, const void *b, void *user) +static int setting_sort(const void *a, const void *b, void *user) { const setting_t *sa = a, *sb = b; return strcmp(sa->key, sb->key); diff -Nru strongswan-5.9.8/src/starter/tests/Makefile.in strongswan-5.9.11/src/starter/tests/Makefile.in --- strongswan-5.9.8/src/starter/tests/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/starter/tests/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -428,7 +428,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/stroke/Makefile.in strongswan-5.9.11/src/stroke/Makefile.in --- strongswan-5.9.8/src/stroke/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/stroke/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -402,7 +402,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/swanctl/commands/list_sas.c strongswan-5.9.11/src/swanctl/commands/list_sas.c --- strongswan-5.9.8/src/swanctl/commands/list_sas.c 2022-07-19 12:14:08.000000000 +0000 +++ strongswan-5.9.11/src/swanctl/commands/list_sas.c 2023-03-27 21:00:49.000000000 +0000 
@@ -452,10 +452,19 @@ return 0; } +CALLBACK(close_cb, void, + int *ret) +{ + fprintf(stderr, "connection closed\n"); + *ret = ECONNRESET; + send_sigint(); +} + static int monitor_sas(vici_conn_t *conn) { command_format_options_t format = COMMAND_FORMAT_NONE; char *arg; + int ret = 0; while (TRUE) { @@ -476,6 +485,9 @@ } break; } + + vici_on_close(conn, close_cb, &ret); + if (vici_register(conn, "ike-updown", list_cb, &format) != 0) { fprintf(stderr, "registering for IKE_SAs failed: %s\n", @@ -491,9 +503,11 @@ wait_sigint(); - fprintf(stderr, "disconnecting...\n"); - - return 0; + if (!ret) + { + fprintf(stderr, "disconnecting...\n"); + } + return ret; } /** diff -Nru strongswan-5.9.8/src/swanctl/Makefile.in strongswan-5.9.11/src/swanctl/Makefile.in --- strongswan-5.9.8/src/swanctl/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/swanctl/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -469,7 +469,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/swanctl/swanctl.conf strongswan-5.9.11/src/swanctl/swanctl.conf --- strongswan-5.9.8/src/swanctl/swanctl.conf 2022-04-29 07:57:03.000000000 +0000 +++ strongswan-5.9.11/src/swanctl/swanctl.conf 2023-03-27 21:07:49.000000000 +0000 @@ -50,7 +50,7 @@ # Use IKE UDP datagram fragmentation (yes, accept, no or force). # fragmentation = yes - # Use childless IKE_SA initiation (allow, force or never). + # Use childless IKE_SA initiation (allow, prefer, force or never). # childless = allow # Send certificate requests payloads (yes or no). 
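Review bot: `ret` is written by `close_cb` and read by `monitor_sas` after `wait_sigint()` with no synchronisation visible in the hunk; if libvici runs the close callback on its reader thread (likely, but not shown here), that is a data race on a plain `int`, and declaring it `volatile sig_atomic_t` or an atomic, or documenting that `send_sigint()` provides the ordering, would settle it. In the last hunk the errno value `ECONNRESET` becomes the process exit status via the caller's return; a short comment `/* non-zero so scripts can tell an unexpected close from Ctrl-C */` would explain the choice. `close_cb` also prints "connection closed" unconditionally, so if the callback fires during the normal teardown after Ctrl-C the user sees a spurious error — worth confirming against the library.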
@@ -338,10 +338,10 @@ # processed them. # set_mark_out = 0/0x00000000 - # Inbound XFRM interface ID. + # Inbound XFRM interface ID (32-bit unsigned integer). # if_id_in = 0 - # Outbound XFRM interface ID. + # Outbound XFRM interface ID (32-bit unsigned integer). # if_id_out = 0 # Optional security label (e.g. SELinux context), IKEv2 only. diff -Nru strongswan-5.9.8/src/swanctl/swanctl.conf.5.head.in strongswan-5.9.11/src/swanctl/swanctl.conf.5.head.in --- strongswan-5.9.8/src/swanctl/swanctl.conf.5.head.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/swanctl/swanctl.conf.5.head.in 2023-03-27 21:00:49.000000000 +0000 @@ -6,20 +6,11 @@ .BR swanctl (8) tool to load configurations and credentials into the strongSwan IKE daemon. -For a description of the basic file syntax, including how to reference sections -or split the configuration in multiple files by including other files, refer to +For a description of the basic file syntax, including number/time formats, or how +to reference sections or split the configuration in multiple files by including +other files, refer to .BR strongswan.conf (5). -.SH TIME FORMATS -For all options that define a time, the time is specified in seconds. The -.RI "" "s" "," -.RI "" "m" "," -.RI "" "h" "" -and -.RI "" "d" "" -suffixes explicitly define the units for seconds, minutes, hours and days, -respectively. - .SH SETTINGS The following settings can be used to configure connections, credentials and pools. diff -Nru strongswan-5.9.8/src/swanctl/swanctl.conf.5.main strongswan-5.9.11/src/swanctl/swanctl.conf.5.main --- strongswan-5.9.8/src/swanctl/swanctl.conf.5.main 2022-04-29 07:57:03.000000000 +0000 +++ strongswan-5.9.11/src/swanctl/swanctl.conf.5.main 2023-03-27 21:07:49.000000000 +0000 
@@ -194,26 +194,35 @@ .TP .BR connections..childless " [allow]" -Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values are +Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first CHILD_SA +created with a separate CREATE_CHILD_SA exchange (e.g. to use an independent DH +exchange for all CHILD_SAs). Acceptable values are .RI "" "allow" "" (the default), +.RI "" "prefer" "," .RI "" "force" "" and .RI "" "never" "." If set to .RI "" "allow" "," -responders will -accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT response) -while initiators continue to create regular IKE_SAs with the first CHILD_SA -created during IKE_AUTH, unless the IKE_SA is initiated explicitly without any -children (which will fail if the responder does not support or has disabled this -extension). If set to +responders will accept +childless IKE_SAs (as indicated via notify in the IKE_SA_INIT response) while +initiators continue to create regular IKE_SAs with the first CHILD_SA created +during IKE_AUTH, unless the IKE_SA is initiated explicitly without any children +(which will fail if the responder does not support or has disabled this +extension). The effect of +.RI "" "prefer" "" +is the same as +.RI "" "allow" "" +on responders, but as +initiator a childless IKE_SA is initiated if the responder supports it. If set +to .RI "" "force" "," -only childless initiation is accepted and the -first CHILD_SA is created with a separate CREATE_CHILD_SA exchange (e.g. to use -an independent DH exchange for all CHILD_SAs). Finally, setting the option to +only childless initiation is accepted in either role. Finally, +setting the option to .RI "" "never" "" -disables support for childless IKE_SAs as responder. +disables support for childless IKE_SAs as +responder. .TP .BR connections..send_certreq " [yes]" 
@@ -359,11 +368,27 @@ XFRM interface ID set on inbound policies/SA, can be overridden by child config, see there for details. +The special value +.RI "" "%unique" "" +allocates a unique interface ID per IKE_SA, which is +inherited by all its CHILD_SAs (unless overridden there), beyond that the value +.RI "" "%unique\-dir" "" +assigns a different unique interface ID for each direction +(in/out). + .TP .BR connections..if_id_out " [0]" XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details. +The special value +.RI "" "%unique" "" +allocates a unique interface ID per IKE_SA, which is +inherited by all its CHILD_SAs (unless overridden there), beyond that the value +.RI "" "%unique\-dir" "" +assigns a different unique interface ID for each direction +(in/out). + .TP .BR connections..mediation " [no]" Whether this connection is a mediation connection, that is, whether this 
@@ -1327,13 +1352,19 @@ .TP .BR connections..children..hw_offload " [no]" Enable hardware offload for this CHILD_SA, if supported by the IPsec -implementation. The value -.RI "" "yes" "" -enforces offloading and the installation will -fail if it's not supported by either kernel or device. The value +implementation. The values +.RI "" "crypto" "" +or +.RI "" "packet" "" +enforce crypto or full packet +offloading and the installation will fail if the selected mode is not supported +by either kernel or device. On Linux, +.RI "" "packet" "" +also offloads policies, including +trap policies. The value .RI "" "auto" "" -enables offloading, if it's supported, but the installation does not fail -otherwise. +enables full packet or crypto offloading, if +either is supported, but the installation does not fail otherwise. .TP .BR connections..children..copy_df " [yes]" diff -Nru strongswan-5.9.8/src/swanctl/swanctl.conf.5.tail.in strongswan-5.9.11/src/swanctl/swanctl.conf.5.tail.in --- strongswan-5.9.8/src/swanctl/swanctl.conf.5.tail.in 2020-09-13 17:44:03.000000000 +0000 +++ strongswan-5.9.11/src/swanctl/swanctl.conf.5.tail.in 2023-03-27 21:00:49.000000000 +0000 @@ -2,7 +2,7 @@ . .nf .na -/etc/swanctl/swanctl.conf configuration file +@sysconfdir@/swanctl/swanctl.conf configuration file .ad .fi . diff -Nru strongswan-5.9.8/src/swanctl/swanctl.opt strongswan-5.9.11/src/swanctl/swanctl.opt --- strongswan-5.9.8/src/swanctl/swanctl.opt 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/src/swanctl/swanctl.opt 2023-03-27 21:00:49.000000000 +0000 
@@ -169,19 +169,21 @@ irrespective of the value of this option (even when set to _no_). connections..childless = allow - Use childless IKE_SA initiation (_allow_, _force_ or _never_). + Use childless IKE_SA initiation (_allow_, _prefer_, _force_ or _never_). - Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values - are _allow_ (the default), _force_ and _never_. If set to _allow_, - responders will accept childless IKE_SAs (as indicated via notify in the - IKE_SA_INIT response) while initiators continue to create regular IKE_SAs - with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is - initiated explicitly without any children (which will fail if the responder - does not support or has disabled this extension). If set to _force_, only - childless initiation is accepted and the first CHILD_SA is created with a - separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange - for all CHILD_SAs). Finally, setting the option to _never_ disables support - for childless IKE_SAs as responder. + Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first + CHILD_SA created with a separate CREATE_CHILD_SA exchange (e.g. to use an + independent DH exchange for all CHILD_SAs). Acceptable values are _allow_ + (the default), _prefer_, _force_ and _never_. If set to _allow_, responders + will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT + response) while initiators continue to create regular IKE_SAs with the first + CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly + without any children (which will fail if the responder does not support or + has disabled this extension). The effect of _prefer_ is the same as _allow_ + on responders, but as initiator a childless IKE_SA is initiated if the + responder supports it. If set to _force_, only childless initiation is + accepted in either role. 
Finally, setting the option to _never_ disables + support for childless IKE_SAs as responder. connections..send_certreq = yes Send certificate requests payloads (_yes_ or _no_). @@ -301,12 +303,22 @@ XFRM interface ID set on inbound policies/SA, can be overridden by child config, see there for details. + The special value _%unique_ allocates a unique interface ID per IKE_SA, + which is inherited by all its CHILD_SAs (unless overridden there), beyond + that the value _%unique-dir_ assigns a different unique interface ID for + each direction (in/out). + connections..if_id_out = 0 Default outbound XFRM interface ID for children. XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details. + The special value _%unique_ allocates a unique interface ID per IKE_SA, + which is inherited by all its CHILD_SAs (unless overridden there), beyond + that the value _%unique-dir_ assigns a different unique interface ID for + each direction (in/out). + connections..mediation = no Whether this connection is a mediation connection. @@ -992,7 +1004,7 @@ requires at least Linux 4.19. connections..children..if_id_in = 0 - Inbound XFRM interface ID. + Inbound XFRM interface ID (32-bit unsigned integer). XFRM interface ID set on inbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same @@ -1001,7 +1013,7 @@ interface ID for each CHILD_SA direction (in/out). connections..children..if_id_out = 0 - Outbound XFRM interface ID. + Outbound XFRM interface ID (32-bit unsigned integer). XFRM interface ID set on outbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same 
@@ -1061,10 +1073,12 @@ implementation. Enable hardware offload for this CHILD_SA, if supported by the IPsec - implementation. The value _yes_ enforces offloading and the installation - will fail if it's not supported by either kernel or device. The value _auto_ - enables offloading, if it's supported, but the installation does not fail - otherwise. + implementation. The values _crypto_ or _packet_ enforce crypto or full + packet offloading and the installation will fail if the selected mode is not + supported by either kernel or device. On Linux, _packet_ also offloads + policies, including trap policies. The value _auto_ enables full packet + or crypto offloading, if either is supported, but the installation does not + fail otherwise. connections..children..copy_df = yes Whether to copy the DF bit to the outer IPv4 header in tunnel mode. diff -Nru strongswan-5.9.8/src/sw-collector/Makefile.in strongswan-5.9.11/src/sw-collector/Makefile.in --- strongswan-5.9.8/src/sw-collector/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/sw-collector/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -442,7 +442,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/sw-collector/sw-collector.c strongswan-5.9.11/src/sw-collector/sw-collector.c --- strongswan-5.9.8/src/sw-collector/sw-collector.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/sw-collector/sw-collector.c 2023-06-08 10:35:17.000000000 +0000 @@ -451,7 +451,7 @@ { enumerator_t *e; char *name, *package, *version; - uint32_t sw_id, count = 0, installed_count = 0, removed_count, installed; + uint32_t sw_id, count = 0, installed_count = 0, installed; e = db->create_sw_enumerator(db, type, NULL); if (!e) 
@@ -467,14 +467,14 @@ } count++; } - removed_count = count - installed_count; e->destroy(e); switch (type) { case SW_QUERY_ALL: DBG1(DBG_IMC, "retrieved %u software identities with %u installed " - "and %u removed", count, installed_count, removed_count); + "and %u removed", count, installed_count, + count - installed_count); break; case SW_QUERY_INSTALLED: DBG1(DBG_IMC, "retrieved %u installed software identities", count); @@ -629,7 +629,7 @@ char *package, *arch, *version; char package_filter[BUF_LEN]; - int res, count = 0; + int res, count DBG_UNUSED = 0; int status = EXIT_SUCCESS; enumerator_t *enumerator; diff -Nru strongswan-5.9.8/src/sw-collector/sw_collector_db.c strongswan-5.9.11/src/sw-collector/sw_collector_db.c --- strongswan-5.9.8/src/sw-collector/sw_collector_db.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/sw-collector/sw_collector_db.c 2023-03-27 21:00:49.000000000 +0000 @@ -315,7 +315,7 @@ /** * Determine file creation data and convert it into RFC 3339 format */ -bool get_file_creation_date(char *pathname, char *timestamp) +static bool get_file_creation_date(char *pathname, char *timestamp) { struct stat st; struct tm ct; diff -Nru strongswan-5.9.8/src/tpm_extendpcr/Makefile.in strongswan-5.9.11/src/tpm_extendpcr/Makefile.in --- strongswan-5.9.8/src/tpm_extendpcr/Makefile.in 2022-10-03 14:18:10.000000000 +0000 +++ strongswan-5.9.11/src/tpm_extendpcr/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -400,7 +400,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/_updown/Makefile.in strongswan-5.9.11/src/_updown/Makefile.in --- strongswan-5.9.8/src/_updown/Makefile.in 2022-10-03 14:18:04.000000000 +0000 +++ strongswan-5.9.11/src/_updown/Makefile.in 2023-06-12 05:50:38.000000000 +0000 
@@ -378,7 +378,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/xfrmi/Makefile.in strongswan-5.9.11/src/xfrmi/Makefile.in --- strongswan-5.9.8/src/xfrmi/Makefile.in 2022-10-03 14:18:11.000000000 +0000 +++ strongswan-5.9.11/src/xfrmi/Makefile.in 2023-06-12 05:50:45.000000000 +0000 @@ -400,7 +400,6 @@ soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ -starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ diff -Nru strongswan-5.9.8/src/xfrmi/xfrmi.c strongswan-5.9.11/src/xfrmi/xfrmi.c --- strongswan-5.9.8/src/xfrmi/xfrmi.c 2022-06-29 13:00:45.000000000 +0000 +++ strongswan-5.9.11/src/xfrmi/xfrmi.c 2023-03-27 21:00:49.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (C) 2019 Tobias Brunner + * Copyright (C) 2019-2023 Tobias Brunner * * Copyright (C) secunet Security Networks AG * 
@@ -19,222 +19,46 @@ #include #include #include -#include -#include -#include "kernel_netlink_shared.h" - -#ifndef IFLA_XFRM_MAX -enum { - IFLA_XFRM_UNSPEC, - IFLA_XFRM_LINK, - IFLA_XFRM_IF_ID, - __IFLA_XFRM_MAX -}; -#define IFLA_XFRM_MAX (__IFLA_XFRM_MAX - 1) -#endif +#include "kernel_netlink_xfrmi.h" /** - * Create an XFRM interface with the given ID and underlying interface + * Default MTU */ -static int add_xfrm_interface(char *name, uint32_t xfrm_id, uint32_t ifindex) -{ - netlink_buf_t request; - struct nlmsghdr *hdr; - struct ifinfomsg *msg; - struct rtattr *linkinfo, *info_data; - netlink_socket_t *socket; - int status = 1; - - socket = netlink_socket_create(NETLINK_ROUTE, NULL, FALSE); - if (!socket) - { - return 1; - } - - memset(&request, 0, sizeof(request)); - - hdr = &request.hdr; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL; - hdr->nlmsg_type = RTM_NEWLINK; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); - - msg = NLMSG_DATA(hdr); - msg->ifi_family = AF_UNSPEC; - - netlink_add_attribute(hdr, IFLA_IFNAME, chunk_from_str(name), - sizeof(request)); - - linkinfo = netlink_nested_start(hdr, sizeof(request), IFLA_LINKINFO); - - netlink_add_attribute(hdr, IFLA_INFO_KIND, chunk_from_str("xfrm"), - sizeof(request)); - - info_data = netlink_nested_start(hdr, sizeof(request), IFLA_INFO_DATA); - - netlink_add_attribute(hdr, IFLA_XFRM_IF_ID, chunk_from_thing(xfrm_id), - sizeof(request)); - netlink_add_attribute(hdr, IFLA_XFRM_LINK, chunk_from_thing(ifindex), - sizeof(request)); - - netlink_nested_end(hdr, info_data); - netlink_nested_end(hdr, linkinfo); - - switch (socket->send_ack(socket, hdr)) - { - case SUCCESS: - status = 0; - break; - case ALREADY_DONE: - fprintf(stderr, "XFRM interface already exists\n"); - break; - default: - fprintf(stderr, "failed to create XFRM interface\n"); - break; - } - - socket->destroy(socket); - return status; -} +#define XFRMI_DEFAULT_MTU 1400 /** - * Parse attributes nested in 
IFLA_INFO_DATA + * Manager for XFRM interfaces */ -static void parse_info_data(struct rtattr *rta, size_t rtasize, char *phys, - uint32_t *if_id) -{ - uint32_t ifindex; - - while (RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case IFLA_XFRM_IF_ID: - if (RTA_PAYLOAD(rta) == sizeof(*if_id)) - { - *if_id = *(uint32_t*)RTA_DATA(rta); - } - break; - case IFLA_XFRM_LINK: - if (RTA_PAYLOAD(rta) == sizeof(ifindex)) - { - ifindex = *(uint32_t*)RTA_DATA(rta); - if_indextoname(ifindex, phys); - } - break; - default: - break; - } - rta = RTA_NEXT(rta, rtasize); - } -} +static kernel_netlink_xfrmi_t *manager; /** - * Parse attributes nested in IFLA_LINKINFO + * Destroy the allocated manager */ -static void parse_linkinfo(struct rtattr *rta, size_t rtasize, char *phys, - uint32_t *if_id) +static void destroy_manager() { - while (RTA_OK(rta, rtasize)) + if (manager) { - switch (rta->rta_type) - { - case IFLA_INFO_DATA: - parse_info_data(RTA_DATA(rta), RTA_PAYLOAD(rta), phys, if_id); - break; - default: - break; - } - rta = RTA_NEXT(rta, rtasize); + kernel_netlink_xfrmi_destroy(manager); } } /** * List all installed XFRM interfaces */ -static int list_xfrm_interfaces() +static void list_xfrm_interfaces(kernel_netlink_xfrmi_t *manager) { - netlink_buf_t request; - struct nlmsghdr *hdr, *out, *current; - struct ifinfomsg *msg; - struct rtattr *linkinfo; - netlink_socket_t *socket; - size_t len; - int status = 0; + enumerator_t *enumerator; + char *name, *dev; + uint32_t xfrm_id, mtu; - socket = netlink_socket_create(NETLINK_ROUTE, NULL, FALSE); - if (!socket) + enumerator = manager->create_enumerator(manager); + while (enumerator->enumerate(enumerator, &name, &xfrm_id, &dev, &mtu)) { - return 1; - } - - memset(&request, 0, sizeof(request)); - - hdr = &request.hdr; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; - hdr->nlmsg_type = RTM_GETLINK; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); - - msg = NLMSG_DATA(hdr); - msg->ifi_family = AF_UNSPEC; - - linkinfo 
= netlink_nested_start(hdr, sizeof(request), IFLA_LINKINFO); - - netlink_add_attribute(hdr, IFLA_INFO_KIND, chunk_from_str("xfrm"), - sizeof(request)); - - netlink_nested_end(hdr, linkinfo); - - if (socket->send(socket, hdr, &out, &len) != SUCCESS) - { - return FAILED; - } - current = out; - while (NLMSG_OK(current, len)) - { - switch (current->nlmsg_type) - { - case NLMSG_DONE: - break; - case RTM_NEWLINK: - msg = NLMSG_DATA(current); - struct rtattr *rta = IFLA_RTA(msg); - size_t rtasize = IFLA_PAYLOAD(current); - char *name = NULL, phys[IF_NAMESIZE] = {}; - uint32_t if_id = 0; - - while (RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case IFLA_IFNAME: - name = RTA_DATA(rta); - break; - case IFLA_LINKINFO: - parse_linkinfo(RTA_DATA(rta), RTA_PAYLOAD(rta), - phys, &if_id); - break; - default: - break; - } - rta = RTA_NEXT(rta, rtasize); - } - if (name) - { - printf("%2u: %-16s dev %-8s if_id 0x%.8x [%u]\n", - msg->ifi_index, name, phys, if_id, if_id); - } - /* fall through */ - default: - current = NLMSG_NEXT(current, len); - continue; - } - break; + printf("%2u: %-16s dev %-12s if_id 0x%.8x [%10u] mtu %u\n", + if_nametoindex(name), name, dev ?: "-", xfrm_id, xfrm_id, mtu); } - free(out); - - socket->destroy(socket); - return status; + enumerator->destroy(enumerator); } static void usage(FILE *out, char *name) 
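Review bot: The parameter `manager` of `list_xfrm_interfaces()` shadows the file-scope `static kernel_netlink_xfrmi_t *manager` declared a few lines above, which makes its one caller (`list_xfrm_interfaces(manager)` in the next hunk) read as passing a global to itself; either drop the parameter and use the global, or rename it (e.g. `xfrmi`). `static void destroy_manager()` is an old-style unprototyped definition in C before C23 — write `destroy_manager(void)`, since it is handed to `atexit()`. The `dev ?: "-"` is a GNU extension, which is fine only if the project already relies on it elsewhere.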
@@ -247,19 +71,22 @@ fprintf(out, " -l, --list list XFRM interfaces.\n"); fprintf(out, " -n, --name=NAME name of the XFRM interface.\n"); fprintf(out, " -i, --id=ID optional numeric XFRM ID.\n"); - fprintf(out, " -d, --dev=DEVICE underlying physical interface.\n"); + fprintf(out, " -d, --dev=DEVICE optional underlying physical interface.\n"); + fprintf(out, " -m, --mtu=MTU optional MTU, default: 1400 (use 0 for kernel default).\n"); fprintf(out, "\n"); } int main(int argc, char *argv[]) { char *name = NULL, *dev = NULL, *end; - uint32_t xfrm_id = 0; - u_int ifindex; + uint32_t xfrm_id = 0, mtu = XFRMI_DEFAULT_MTU; library_init(NULL, "xfrmi"); atexit(library_deinit); + manager = kernel_netlink_xfrmi_create(FALSE); + atexit(destroy_manager); + while (true) { struct option long_opts[] = { @@ -269,9 +96,10 @@ {"name", required_argument, NULL, 'n' }, {"id", required_argument, NULL, 'i' }, {"dev", required_argument, NULL, 'd' }, + {"mtu", required_argument, NULL, 'm' }, {0,0,0,0 }, }; - switch (getopt_long(argc, argv, "hvln:i:d:", long_opts, NULL)) + switch (getopt_long(argc, argv, "hvln:i:d:m:", long_opts, NULL)) { case EOF: break; @@ -279,7 +107,7 @@ usage(stdout, argv[0]); return 0; case 'l': - list_xfrm_interfaces(); + list_xfrm_interfaces(manager); return 0; case 'v': dbg_default_set_level(atoi(optarg)); 
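Review bot: `manager = kernel_netlink_xfrmi_create(FALSE)` is never checked, yet `destroy_manager()` guards against a NULL `manager`, and both `list_xfrm_interfaces(manager)` here and `manager->create(...)` in the next hunk dereference it; if the constructor can fail, add `if (!manager) { fprintf(stderr, "creating XFRM interface manager failed\n"); return 1; }` right after the call. The usage text hard-codes `default: 1400` while `XFRMI_DEFAULT_MTU` is the single source of truth; printing it with `%u` keeps the two from drifting. main() continues in the next hunk.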
@@ -300,24 +128,26 @@ case 'd': dev = optarg; continue; + case 'm': + errno = 0; + mtu = strtoul(optarg, &end, 0); + if (errno || *end) + { + fprintf(stderr, "invalid MTU: %s\n", + errno ? strerror(errno) : end); + return 1; + } + continue; default: usage(stderr, argv[0]); return 1; } break; } - - if (!name || !dev) + if (!name) { - fprintf(stderr, "please specify a name and a physical interface\n"); + fprintf(stderr, "please specify a name\n"); return 1; } - ifindex = if_nametoindex(dev); - if (!ifindex) - { - fprintf(stderr, "physical interface %s not found\n", dev); - return 1; - } - - return add_xfrm_interface(name, xfrm_id, ifindex); + return !manager->create(manager, name, xfrm_id, dev, mtu); } diff -Nru strongswan-5.9.8/.tarball-git-version strongswan-5.9.11/.tarball-git-version --- strongswan-5.9.8/.tarball-git-version 2022-10-03 14:18:41.000000000 +0000 +++ strongswan-5.9.11/.tarball-git-version 2023-06-12 05:51:12.000000000 +0000 @@ -1 +1 @@ -5.9.8 +5.9.11 diff -Nru strongswan-5.9.8/testing/config/kernel/config-6.0 strongswan-5.9.11/testing/config/kernel/config-6.0 --- strongswan-5.9.8/testing/config/kernel/config-6.0 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/config/kernel/config-6.0 2023-03-27 21:00:49.000000000 +0000 
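Review bot: The new `case 'm'` parses the MTU with `strtoul()` directly into the `uint32_t mtu`, so on LP64 targets a value above UINT32_MAX is truncated silently (strtoul only sets ERANGE beyond the unsigned long range), a leading `-` is accepted and wraps, and an empty argument parses as 0 because `*end` is already the terminator. Parsing into an `unsigned long val` first and checking `if (errno || *end || end == optarg || val > UINT32_MAX)` before `mtu = val;` rejects all three cases with the existing error message. The `mtu` and `end` declarations live in the `@@ -247` hunk above; the rest of `main` between the two hunks is outside this diff.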
@@ -0,0 +1,3180 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 6.0.3 Kernel Configuration +# +CONFIG_CC_VERSION_TEXT="gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0" +CONFIG_CC_IS_GCC=y +CONFIG_GCC_VERSION=110200 +CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23800 +CONFIG_LD_IS_BFD=y +CONFIG_LD_VERSION=23800 +CONFIG_LLD_VERSION=0 +CONFIG_CC_CAN_LINK=y +CONFIG_CC_CAN_LINK_STATIC=y +CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y +CONFIG_CC_HAS_ASM_INLINE=y +CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y +CONFIG_PAHOLE_VERSION=0 +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_TABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +# CONFIG_COMPILE_TEST is not set +# CONFIG_WERROR is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_BUILD_SALT="" +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_HAVE_KERNEL_ZSTD=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +# CONFIG_KERNEL_ZSTD is not set +CONFIG_DEFAULT_INIT="" +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +# CONFIG_WATCH_QUEUE is not set +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_HARDIRQS_SW_RESEND=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y +CONFIG_GENERIC_IRQ_RESERVATION_MODE=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +# end of IRQ subsystem + +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_INIT=y 
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y +CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_CONTEXT_TRACKING=y +CONFIG_CONTEXT_TRACKING_IDLE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_CLOCKSOURCE_WATCHDOG_MAX_SKEW_US=100 +# end of Timers subsystem + +CONFIG_BPF=y +CONFIG_HAVE_EBPF_JIT=y +CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y + +# +# BPF subsystem +# +# CONFIG_BPF_SYSCALL is not set +# end of BPF subsystem + +CONFIG_PREEMPT_BUILD=y +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_PREEMPT_COUNT=y +CONFIG_PREEMPTION=y +CONFIG_PREEMPT_DYNAMIC=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set +# CONFIG_PSI is not set +# end of CPU/Task time and stats accounting + +# +# RCU Subsystem +# +CONFIG_TREE_RCU=y +CONFIG_PREEMPT_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TREE_SRCU=y +CONFIG_RCU_STALL_COMMON=y +CONFIG_RCU_NEED_SEGCBLIST=y +# end of RCU Subsystem + +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +# CONFIG_IKHEADERS is not set +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y + +# +# Scheduler features +# +# end of Scheduler features + +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_CC_HAS_INT128=y +CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" +CONFIG_GCC12_NO_ARRAY_BOUNDS=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +# 
CONFIG_CGROUP_FAVOR_DYNMODS is not set +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_KMEM=y +CONFIG_BLK_CGROUP=y +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_MISC is not set +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +CONFIG_TIME_NS=y +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +CONFIG_NET_NS=y +# CONFIG_CHECKPOINT_RESTORE is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_BOOT_CONFIG is not set +CONFIG_INITRAMFS_PRESERVE_MTIME=y +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_LD_ORPHAN_WARN=y +CONFIG_SYSCTL=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +CONFIG_FHANDLE=y +CONFIG_POSIX_TIMERS=y +CONFIG_PRINTK=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_IO_URING=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_MEMBARRIER=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_RSEQ=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +# end of Kernel Performance Events And Counters + +# CONFIG_PROFILING is not set +# end of General setup + +CONFIG_64BIT=y +CONFIG_X86_64=y 
+CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_NR_GPIO=1024 +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_CC_HAS_SANE_STACKPROTECTOR=y + +# +# Processor type and features +# +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_X86_CPU_RESCTRL is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_IA32_FEAT_CTL=y +CONFIG_X86_VMX_FEATURE_NAMES=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_HYGON=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_CPU_SUP_ZHAOXIN=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +CONFIG_NR_CPUS_RANGE_BEGIN=1 +CONFIG_NR_CPUS_RANGE_END=1 +CONFIG_NR_CPUS_DEFAULT=1 +CONFIG_NR_CPUS=1 +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# 
CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +CONFIG_PERF_EVENTS_AMD_UNCORE=y +# CONFIG_PERF_EVENTS_AMD_BRS is not set +# end of Performance monitoring + +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +CONFIG_X86_IOPL_IOPERM=y +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +# CONFIG_MICROCODE_LATE_LOADING is not set +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_X86_DIRECT_GBPAGES=y +# CONFIG_AMD_MEM_ENCRYPT is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_X86_UMIP=y +CONFIG_CC_HAS_IBT=y +# CONFIG_X86_KERNEL_IBT is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_X86_INTEL_TSX_MODE_OFF=y +# CONFIG_X86_INTEL_TSX_MODE_ON is not set +# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set +# CONFIG_EFI is not set +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_LEGACY_VSYSCALL_XONLY=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +# CONFIG_STRICT_SIGALTSTACK_SIZE is not set 
+CONFIG_HAVE_LIVEPATCH=y +# end of Processor type and features + +CONFIG_CC_HAS_SLS=y +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_SLS is not set +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_USERSPACE_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ARCH_SUPPORTS_ACPI=y +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SPCR_TABLE=y +# CONFIG_ACPI_FPDT is not set +CONFIG_ACPI_LPIT=y +CONFIG_ACPI_SLEEP=y +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +# CONFIG_ACPI_VIDEO is not set +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_TAD is not set +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_ACPI_DPTF is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_ACPI_PFRUT is not set +# CONFIG_PMIC_OPREGION is not set 
+CONFIG_X86_PM_TIMER=y + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set +# end of CPU Frequency scaling + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_CPU_IDLE_GOV_TEO is not set +# end of CPU Idle + +# CONFIG_INTEL_IDLE is not set +# end of Power management and ACPI options + +# +# Bus options (PCI etc.) +# +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# end of Bus options (PCI etc.) + +# +# Binary Emulations +# +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32_ABI is not set +# end of Binary Emulations + +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +CONFIG_AS_AVX512=y +CONFIG_AS_SHA1_NI=y +CONFIG_AS_SHA256_NI=y +CONFIG_AS_TPAUSE=y + +# +# General architecture-dependent options +# +CONFIG_CRASH_CORE=y +CONFIG_GENERIC_ENTRY=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_STATIC_CALL_SELFTEST is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y +CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y +CONFIG_HAVE_NMI=y +CONFIG_TRACE_IRQFLAGS_SUPPORT=y +CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_ARCH_WANTS_NO_INSTR=y +CONFIG_HAVE_ASM_MODVERSIONS=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_RSEQ=y +CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y 
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y +CONFIG_MMU_GATHER_MERGE_VMAS=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y +# CONFIG_SECCOMP_CACHE_DEBUG is not set +CONFIG_HAVE_ARCH_STACKLEAK=y +CONFIG_HAVE_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y +CONFIG_LTO_NONE=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING_USER=y +CONFIG_HAVE_CONTEXT_TRACKING_USER_OFFSTACK=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_MOVE_PUD=y +CONFIG_HAVE_MOVE_PMD=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_HUGE_VMALLOC=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y +CONFIG_SOFTIRQ_ON_OWN_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_PAGE_SIZE_LESS_THAN_64KB=y +CONFIG_PAGE_SIZE_LESS_THAN_256KB=y +CONFIG_HAVE_OBJTOOL=y +CONFIG_HAVE_JUMP_LABEL_HACK=y +CONFIG_HAVE_NOINSTR_HACK=y +CONFIG_HAVE_NOINSTR_VALIDATION=y +CONFIG_HAVE_UACCESS_VALIDATION=y +CONFIG_HAVE_STACK_VALIDATION=y +CONFIG_HAVE_RELIABLE_STACKTRACE=y +# CONFIG_COMPAT_32BIT_TIME is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y +CONFIG_RANDOMIZE_KSTACK_OFFSET=y +# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y 
+CONFIG_ARCH_HAS_MEM_ENCRYPT=y +CONFIG_HAVE_STATIC_CALL=y +CONFIG_HAVE_STATIC_CALL_INLINE=y +CONFIG_HAVE_PREEMPT_DYNAMIC=y +CONFIG_HAVE_PREEMPT_DYNAMIC_CALL=y +CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y +CONFIG_ARCH_HAS_ELFCORE_COMPAT=y +CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y +CONFIG_DYNAMIC_SIGFRAME=y + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# end of GCOV-based kernel profiling + +CONFIG_HAVE_GCC_PLUGINS=y +# end of General architecture-dependent options + +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_BLOCK=y +CONFIG_BLOCK_LEGACY_AUTOLOAD=y +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_CGROUP_IOLATENCY is not set +# CONFIG_BLK_CGROUP_IOCOST is not set +# CONFIG_BLK_CGROUP_IOPRIO is not set +# CONFIG_BLK_SED_OPAL is not set +# CONFIG_BLK_INLINE_ENCRYPTION is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +# end of Partition Types + +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y +CONFIG_BLK_PM=y + +# +# IO Schedulers +# +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +# end of IO Schedulers + +CONFIG_ASN1=y +CONFIG_UNINLINE_SPIN_UNLOCK=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y +CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y +CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y +CONFIG_FREEZER=y + +# +# Executable file formats +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# end of Executable file formats + +# +# Memory Management options +# +CONFIG_SWAP=y +# 
CONFIG_ZSWAP is not set + +# +# SLAB allocator options +# +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +# CONFIG_SLAB_FREELIST_HARDENED is not set +# end of SLAB allocator options + +# CONFIG_SHUFFLE_PAGE_ALLOCATOR is not set +CONFIG_COMPAT_BRK=y +CONFIG_SPARSEMEM=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_FAST_GUP=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y +CONFIG_MEMORY_HOTPLUG=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_MHP_MEMMAP_ON_MEMORY=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_PAGE_REPORTING=y +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ARCH_WANTS_THP_SWAP=y +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_NEED_PER_CPU_KM=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +# CONFIG_CMA is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_ARCH_HAS_CURRENT_STACK_POINTER=y +CONFIG_ARCH_HAS_PTE_DEVMAP=y +CONFIG_ZONE_DMA=y +CONFIG_ZONE_DMA32=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +CONFIG_VM_EVENT_COUNTERS=y +# CONFIG_PERCPU_STATS is not set + +# +# GUP_TEST needs to have DEBUG_FS enabled +# +CONFIG_ARCH_HAS_PTE_SPECIAL=y +CONFIG_SECRETMEM=y +# CONFIG_ANON_VMA_NAME is not set +# CONFIG_USERFAULTFD is not set + +# +# Data Access Monitoring +# +# CONFIG_DAMON is not set +# end of Data Access Monitoring +# end of Memory Management options + +CONFIG_NET=y +CONFIG_NET_INGRESS=y +CONFIG_NET_EGRESS=y 
+CONFIG_SKB_EXTENSIONS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +CONFIG_UNIX_SCM=y +CONFIG_AF_UNIX_OOB=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +# CONFIG_TLS_DEVICE is not set +# CONFIG_TLS_TOE is not set +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_INTERFACE=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_AH=y +CONFIG_XFRM_ESP=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_XFRM_ESPINTCP=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +# CONFIG_SYN_COOKIES is not set +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_NET_FOU_IP_TUNNELS is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_ESPINTCP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_ESPINTCP=y +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_IPV6_VTI=y +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# 
CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_IPV6_RPL_LWTUNNEL is not set +# CONFIG_IPV6_IOAM6_LWTUNNEL is not set +# CONFIG_MPTCP is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_EGRESS=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_FAMILY_ARP=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +# CONFIG_NETFILTER_NETLINK_OSF is not set +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_SYSLOG=y +CONFIG_NETFILTER_CONNCOUNT=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CONNTRACK_LABELS is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_REDIRECT=y +CONFIG_NF_NAT_MASQUERADE=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y 
+CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y 
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +# end of Core Netfilter Configuration + +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_TPROXY_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y +# end of IP: Netfilter Configuration + +# 
+# IPv6: Netfilter Configuration +# +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_TPROXY_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +# CONFIG_IP6_NF_MATCH_SRH is not set +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y +CONFIG_IP6_NF_TARGET_NPT=y +# end of IPv6: Netfilter Configuration + +CONFIG_NF_DEFRAG_IPV6=y +# CONFIG_NF_CONNTRACK_BRIDGE is not set +# CONFIG_BPFILTER is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +CONFIG_DNS_RESOLVER=y +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_NET_NSH is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_QRTR is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# end of Network testing 
+# end of Networking options + +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +CONFIG_STREAM_PARSER=y +# CONFIG_MCTP is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_FD=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +CONFIG_NET_SOCK_MSG=y +CONFIG_FAILOVER=y +CONFIG_ETHTOOL_NETLINK=y + +# +# Device Drivers +# +CONFIG_HAVE_EISA=y +# CONFIG_EISA is not set +CONFIG_HAVE_PCI=y +CONFIG_PCI=y +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCIEASPM=y +CONFIG_PCIEASPM_DEFAULT=y +# CONFIG_PCIEASPM_POWERSAVE is not set +# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set +# CONFIG_PCIEASPM_PERFORMANCE is not set +# CONFIG_PCIE_PTM is not set +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +CONFIG_PCI_QUIRKS=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_STUB is not set +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_HOTPLUG_PCI is not set + +# +# PCI controller drivers +# +# CONFIG_VMD is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT_HOST is not set +# CONFIG_PCI_MESON is not set +# end of DesignWare PCI Core Support + +# +# Mobiveil PCIe Core Support +# +# end of Mobiveil PCIe Core Support + +# +# Cadence PCIe controllers support +# +# end of Cadence PCIe controllers support +# end of PCI controller drivers + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set +# end of PCI Endpoint + +# +# PCI switch controller 
drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +# end of PCI switch controller drivers + +# CONFIG_CXL_BUS is not set +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +# CONFIG_DEVTMPFS_SAFE is not set +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y + +# +# Firmware loader +# +CONFIG_FW_LOADER=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER is not set +# CONFIG_FW_LOADER_COMPRESS is not set +CONFIG_FW_CACHE=y +# CONFIG_FW_UPLOAD is not set +# end of Firmware loader + +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y +# end of Generic Driver Options + +# +# Bus devices +# +# CONFIG_MHI_BUS is not set +# CONFIG_MHI_BUS_EP is not set +# end of Bus devices + +# CONFIG_CONNECTOR is not set + +# +# Firmware Drivers +# + +# +# ARM System Control and Management Interface Protocol +# +# end of ARM System Control and Management Interface Protocol + +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_SYSFB_SIMPLEFB is not set +# CONFIG_GOOGLE_FIRMWARE is not set + +# +# Tegra firmware driver +# +# end of Tegra firmware driver +# end of Firmware Drivers + +# CONFIG_GNSS is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_ZRAM is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_DRBD is not 
set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_UBLK is not set + +# +# NVME Support +# +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set +# CONFIG_NVME_TCP is not set +# end of NVME Support + +# +# Misc devices +# +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_DW_XDATA_PCIE is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_XILINX_SDFEC is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# end of EEPROM support + +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# +# end of Texas Instruments shared transport line discipline + +# +# Altera FPGA firmware download module (requires I2C) +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_BCM_VK is not set +# CONFIG_MISC_ALCOR_PCI is not set +# CONFIG_MISC_RTSX_PCI is not set +# CONFIG_HABANA_AI is not set +# CONFIG_PVPANIC is not set +# end of Misc devices + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# end of SCSI device support + +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_TARGET_CORE is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# end of IEEE 1394 (FireWire) support + +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_WIREGUARD is not set +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN 
is not set +# CONFIG_IPVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_BAREUDP is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ASIX=y +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_CX_ECAT is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +# CONFIG_SYSTEMPORT is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +CONFIG_NET_VENDOR_CORTINA=y 
+CONFIG_NET_VENDOR_DAVICOM=y +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_ENGLEDER=y +# CONFIG_TSNEP is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_FUNGIBLE=y +# CONFIG_FUN_ETH is not set +CONFIG_NET_VENDOR_GOOGLE=y +# CONFIG_GVE is not set +CONFIG_NET_VENDOR_HUAWEI=y +# CONFIG_HINIC is not set +CONFIG_NET_VENDOR_I825XX=y +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_ICE is not set +# CONFIG_FM10K is not set +# CONFIG_IGC is not set +CONFIG_NET_VENDOR_WANGXUN=y +# CONFIG_TXGBE is not set +# CONFIG_JME is not set +CONFIG_NET_VENDOR_LITEX=y +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +# CONFIG_OCTEON_EP is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MICROCHIP=y +# CONFIG_LAN743X is not set +CONFIG_NET_VENDOR_MICROSEMI=y +CONFIG_NET_VENDOR_MICROSOFT=y +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NI=y +# CONFIG_NI_XGE_MANAGEMENT_ENET is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETERION=y +# CONFIG_S2IO is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set 
+CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_VENDOR_PACKET_ENGINES=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_PENSANDO=y +# CONFIG_IONIC is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +# CONFIG_RMNET is not set +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_SOCIONEXT=y +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_PHY_SEL is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VERTEXCOM=y +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +CONFIG_NET_VENDOR_XILINX=y +# CONFIG_XILINX_EMACLITE is not set +# CONFIG_XILINX_AXI_EMAC is not set +# CONFIG_XILINX_LL_TEMAC is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# 
CONFIG_NET_SB1000 is not set +# CONFIG_PHYLIB is not set +# CONFIG_MDIO_DEVICE is not set + +# +# PCS device drivers +# +# end of PCS device drivers + +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_MICROCHIP=y +CONFIG_WLAN_VENDOR_PURELIFI=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_SILABS=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y +# CONFIG_WAN is not set + +# +# Wireless WAN +# +# CONFIG_WWAN is not set +# end of Wireless WAN + +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +CONFIG_NET_FAILOVER=y +# CONFIG_ISDN is not set + +# +# Input device support +# +CONFIG_INPUT=y +CONFIG_INPUT_FF_MEMLESS=y +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set +CONFIG_INPUT_VIVALDIFMAP=y + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y 
+CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set +# end of Hardware I/O ports +# end of Input device support + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +CONFIG_LDISC_AUTOLOAD=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_LANTIQ is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_FSL_LINFLEXUART is not set +# CONFIG_SERIAL_SPRD is not set +# end of Serial drivers + +# 
CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_N_GSM is not set +# CONFIG_NOZOMI is not set +# CONFIG_NULL_TTY is not set +CONFIG_HVC_DRIVER=y +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +CONFIG_HW_RANDOM=y +# CONFIG_HW_RANDOM_TIMERIOMEM is not set +CONFIG_HW_RANDOM_INTEL=y +CONFIG_HW_RANDOM_AMD=y +# CONFIG_HW_RANDOM_BA431 is not set +# CONFIG_HW_RANDOM_VIA is not set +CONFIG_HW_RANDOM_VIRTIO=y +# CONFIG_HW_RANDOM_XIPHERA is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +CONFIG_DEVMEM=y +# CONFIG_NVRAM is not set +CONFIG_DEVPORT=y +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +# CONFIG_XILLYBUS is not set +# CONFIG_RANDOM_TRUST_CPU is not set +# CONFIG_RANDOM_TRUST_BOOTLOADER is not set +# end of Character devices + +# +# I2C support +# +# CONFIG_I2C is not set +# end of I2C support + +# CONFIG_I3C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set +CONFIG_PTP_1588_CLOCK_OPTIONAL=y + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. 
+# +# end of PTP clock support + +# CONFIG_PINCTRL is not set +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +CONFIG_POWER_SUPPLY_HWMON=y +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_SAMSUNG_SDI is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_BATTERY_GOLDFISH is not set +CONFIG_HWMON=y +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_AS370 is not set +# CONFIG_SENSORS_AXI_FAN_CONTROL is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_CORSAIR_CPRO is not set +# CONFIG_SENSORS_CORSAIR_PSU is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_MR75203 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SY7636A is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# 
CONFIG_SENSORS_ATK0110 is not set +# CONFIG_SENSORS_ASUS_EC is not set +CONFIG_THERMAL=y +# CONFIG_THERMAL_NETLINK is not set +# CONFIG_THERMAL_STATISTICS is not set +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_WRITABLE_TRIPS=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +CONFIG_THERMAL_GOV_USER_SPACE=y +# CONFIG_THERMAL_EMULATION is not set + +# +# Intel thermal drivers +# +# CONFIG_INTEL_POWERCLAMP is not set +CONFIG_X86_THERMAL_VECTOR=y +CONFIG_X86_PKG_TEMP_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# end of ACPI INT340X thermal drivers + +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_INTEL_TCC_COOLING is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_INTEL_HFI_THERMAL is not set +# end of Intel thermal drivers + +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_MADERA is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_INTEL_PMC_BXT is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TQMX86 is not set +# CONFIG_MFD_VX855 is not set +# end of Multifunction device drivers + +# CONFIG_REGULATOR is not set +CONFIG_RC_CORE=y +# CONFIG_LIRC is not set +CONFIG_RC_MAP=y +CONFIG_RC_DECODERS=y +# 
CONFIG_IR_IMON_DECODER is not set +CONFIG_IR_JVC_DECODER=y +CONFIG_IR_MCE_KBD_DECODER=y +CONFIG_IR_NEC_DECODER=y +CONFIG_IR_RC5_DECODER=y +CONFIG_IR_RC6_DECODER=y +# CONFIG_IR_RCMM_DECODER is not set +CONFIG_IR_SANYO_DECODER=y +CONFIG_IR_SHARP_DECODER=y +CONFIG_IR_SONY_DECODER=y +CONFIG_IR_XMP_DECODER=y +# CONFIG_RC_DEVICES is not set + +# +# CEC support +# +# CONFIG_MEDIA_CEC_SUPPORT is not set +# end of CEC support + +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ARM devices +# +# end of ARM devices + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# end of Frame buffer Devices + +# +# Backlight & LCD device support +# +CONFIG_LCD_CLASS_DEVICE=y +# CONFIG_LCD_PLATFORM is not set +CONFIG_BACKLIGHT_CLASS_DEVICE=y +# CONFIG_BACKLIGHT_APPLE is not set +# CONFIG_BACKLIGHT_QCOM_WLED is not set +# CONFIG_BACKLIGHT_SAHARA is not set +# end of Backlight & LCD device support + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +# end of Console display driver support +# end of Graphics support + +CONFIG_SOUND=y +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +# CONFIG_HID_COUGAR is not set +# CONFIG_HID_MACALLY is not set +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_GLORIOUS is not set +# CONFIG_HID_VIVALDI is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not 
set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_VIEWSONIC is not set +# CONFIG_HID_XIAOMI is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_JABRA is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MALTRON is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_REDRAGON=y +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_RAZER is not set +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SEMITEK is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEAM is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_TOPRE is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set +# end of Special HID drivers + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +# end of Intel ISH HID support + +# +# AMD SFH HID Support +# +# CONFIG_AMD_SFH_HID is not set +# end of AMD SFH HID Support +# end of HID support + +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_NOP_USB_XCEIV is not set +# end of USB Physical Layer drivers + +# CONFIG_USB_GADGET is not set +# CONFIG_TYPEC is 
not set +# CONFIG_USB_ROLE_SWITCH is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_DMABUF_HEAPS is not set +# end of DMABUF options + +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VFIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO_ANCHOR=y +CONFIG_VIRTIO=y +CONFIG_VIRTIO_PCI_LIB=y +CONFIG_VIRTIO_PCI_LIB_LEGACY=y +CONFIG_VIRTIO_MENU=y +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set +# CONFIG_VDPA is not set +CONFIG_VHOST_MENU=y +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set + +# +# Microsoft Hyper-V guest support +# +# end of Microsoft Hyper-V guest support + +# CONFIG_GREYBUS is not set +# CONFIG_COMEDI is not set +# CONFIG_STAGING is not set +# CONFIG_CHROME_PLATFORMS is not set +# CONFIG_MELLANOX_PLATFORM is not set +CONFIG_SURFACE_PLATFORMS=y +# CONFIG_SURFACE_GPE is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACPI_WMI is not set +# CONFIG_ACERHDF is not set +# CONFIG_ACER_WIRELESS is not set +# CONFIG_AMD_HSMP is not set +# CONFIG_ADV_SWBUTTON is not set +# CONFIG_APPLE_GMUX is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_X86_PLATFORM_DRIVERS_DELL is not set +# CONFIG_FUJITSU_LAPTOP is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_GPD_POCKET_FAN is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_WIRELESS_HOTKEY is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_ATOMISP2_PM is not set +# 
CONFIG_INTEL_SAR_INT1092 is not set +# CONFIG_INTEL_PMC_CORE is not set + +# +# Intel Speed Select Technology interface support +# +# CONFIG_INTEL_SPEED_SELECT_INTERFACE is not set +# end of Intel Speed Select Technology interface support + +# +# Intel Uncore Frequency Control +# +# CONFIG_INTEL_UNCORE_FREQ_CONTROL is not set +# end of Intel Uncore Frequency Control + +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_INTEL_VSEC is not set +# CONFIG_SAMSUNG_LAPTOP is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_PANASONIC_LAPTOP is not set +# CONFIG_SYSTEM76_ACPI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_SCU_PCI is not set +# CONFIG_INTEL_SCU_PLATFORM is not set +# CONFIG_SIEMENS_SIMATIC_IPC is not set +# CONFIG_WINMATE_FM07_KEYS is not set +# CONFIG_P2SB is not set +CONFIG_HAVE_CLK=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y +# CONFIG_XILINX_VCU is not set +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# end of Clock Source drivers + +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# end of Generic IOMMU Pagetable Support + +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set +# CONFIG_VIRTIO_IOMMU is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set +# end of Remoteproc drivers + +# +# Rpmsg drivers +# +# CONFIG_RPMSG_VIRTIO is not set +# end of Rpmsg drivers + +# CONFIG_SOUNDWIRE is not set + +# +# SOC (System On Chip) specific Drivers +# + +# +# Amlogic SoC drivers +# +# end of Amlogic SoC drivers + +# +# Broadcom SoC drivers +# +# end of Broadcom SoC drivers + +# +# NXP/Freescale QorIQ SoC drivers +# +# end of NXP/Freescale QorIQ SoC 
drivers + +# +# fujitsu SoC drivers +# +# end of fujitsu SoC drivers + +# +# i.MX SoC drivers +# +# end of i.MX SoC drivers + +# +# Enable LiteX SoC Builder specific drivers +# +# end of Enable LiteX SoC Builder specific drivers + +# +# Qualcomm SoC drivers +# +# end of Qualcomm SoC drivers + +# CONFIG_SOC_TI is not set + +# +# Xilinx SoC drivers +# +# end of Xilinx SoC drivers +# end of SOC (System On Chip) specific Drivers + +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_PWM is not set + +# +# IRQ chip support +# +# end of IRQ chip support + +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_USB_LGM_PHY is not set +# CONFIG_PHY_CAN_TRANSCEIVER is not set + +# +# PHY drivers for Broadcom platforms +# +# CONFIG_BCM_KONA_USB2_PHY is not set +# end of PHY drivers for Broadcom platforms + +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_PHY_INTEL_LGM_EMMC is not set +# end of PHY Subsystem + +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# end of Performance monitor support + +# CONFIG_RAS is not set +# CONFIG_USB4 is not set + +# +# Android +# +# CONFIG_ANDROID_BINDER_IPC is not set +# end of Android + +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set + +# +# HW tracing support +# +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +# end of HW tracing support + +# CONFIG_FPGA is not set +# CONFIG_TEE is not set +# CONFIG_SIOX is not set +# CONFIG_SLIMBUS is not set +# CONFIG_INTERCONNECT is not set +# CONFIG_COUNTER is not set +# CONFIG_PECI is not set +# CONFIG_HTE is not set +# end of Device Drivers + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_VALIDATE_FS_PARSER=y +CONFIG_FS_IOMAP=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set 
+CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +# CONFIG_FS_VERITY is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +CONFIG_AUTOFS_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +CONFIG_NETFS_SUPPORT=y +# CONFIG_NETFS_STATS is not set +# CONFIG_FSCACHE is not set +# end of Caches + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set +# end of CD-ROM/DVD Filesystems + +# +# DOS/FAT/EXFAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_EXFAT_FS is not set +# CONFIG_NTFS_FS is not set +# CONFIG_NTFS3_FS is not set +# end of DOS/FAT/EXFAT/NT Filesystems + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_PROC_PID_ARCH_STATUS=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# 
CONFIG_TMPFS_INODE64 is not set +# CONFIG_HUGETLBFS is not set +CONFIG_ARCH_WANT_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y +CONFIG_MEMFD_CREATE=y +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y +# CONFIG_CONFIGFS_FS is not set +# end of Pseudo filesystems + +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +# CONFIG_EROFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_SMB_SERVER is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# 
CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set +# CONFIG_UNICODE is not set +CONFIG_IO_WQ=y +# end of File systems + +# +# Security options +# +CONFIG_KEYS=y +# CONFIG_KEYS_REQUEST_CACHE is not set +# CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_BIG_KEYS is not set +# CONFIG_TRUSTED_KEYS is not set +# CONFIG_ENCRYPTED_KEYS is not set +# CONFIG_KEY_DH_OPERATIONS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_LSM="yama,loadpin,safesetid,integrity" + +# +# Kernel hardening options +# + +# +# Memory initialization +# +CONFIG_INIT_STACK_NONE=y +# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set +# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set +CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y +# CONFIG_ZERO_CALL_USED_REGS is 
not set +# end of Memory initialization + +CONFIG_RANDSTRUCT_NONE=y +# end of Kernel hardening options +# end of Security options + +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_SKCIPHER=y +CONFIG_CRYPTO_SKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_SIMD=y + +# +# Public-key cryptography +# +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_DH=y +# CONFIG_CRYPTO_DH_RFC7919_GROUPS is not set +CONFIG_CRYPTO_ECC=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_ECDSA=y +# CONFIG_CRYPTO_ECRDSA is not set +CONFIG_CRYPTO_SM2=y +CONFIG_CRYPTO_CURVE25519=y +CONFIG_CRYPTO_CURVE25519_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +# CONFIG_CRYPTO_AEGIS128 is not set +# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +# CONFIG_CRYPTO_CFB is not set +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_OFB=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set +CONFIG_CRYPTO_NHPOLY1305=y +CONFIG_CRYPTO_NHPOLY1305_SSE2=y +CONFIG_CRYPTO_NHPOLY1305_AVX2=y +CONFIG_CRYPTO_ADIANTUM=y +# CONFIG_CRYPTO_HCTR2 is not set +# CONFIG_CRYPTO_ESSIV is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# 
+CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_XXHASH is not set +CONFIG_CRYPTO_BLAKE2B=y +CONFIG_CRYPTO_BLAKE2S_X86=y +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +# CONFIG_CRYPTO_POLYVAL_CLMUL_NI is not set +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SM3=y +# CONFIG_CRYPTO_SM3_GENERIC is not set +CONFIG_CRYPTO_SM3_AVX_X86_64=y +# CONFIG_CRYPTO_STREEBOG is not set +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +# CONFIG_CRYPTO_ARIA is not set +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_SM4=y +# CONFIG_CRYPTO_SM4_GENERIC is not set +CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_SM4_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y 
+CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y +# CONFIG_CRYPTO_ZSTD is not set + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y +CONFIG_CRYPTO_STATS=y +CONFIG_CRYPTO_HASH_INFO=y +# CONFIG_CRYPTO_HW is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_FIPS_SIGNATURE_SELFTEST is not set + +# +# Certificates for signature checking +# +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set +# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +# end of Certificates for signature checking + +# +# Library routines +# +# CONFIG_PACKING is not set +CONFIG_BITREVERSE=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +# CONFIG_CORDIC is not set +# CONFIG_PRIME_NUMBERS is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA=y 
+CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y +CONFIG_CRYPTO_LIB_CURVE25519=y +CONFIG_CRYPTO_LIB_DES=y +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y +CONFIG_CRYPTO_LIB_POLY1305=y +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y +CONFIG_CRYPTO_LIB_SHA1=y +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_LIB_MEMNEQ=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +# CONFIG_CRC64_ROCKSOFT is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC64 is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_DMA_OPS=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_SWIOTLB=y +# CONFIG_DMA_API_DEBUG is not set +CONFIG_SGL_ALLOC=y +CONFIG_IOMMU_HELPER=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y +CONFIG_HAVE_GENERIC_VDSO=y +CONFIG_GENERIC_GETTIMEOFDAY=y +CONFIG_GENERIC_VDSO_TIME_NS=y +CONFIG_SG_POOL=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_ARCH_HAS_COPY_MC=y +CONFIG_ARCH_STACKWALK=y +CONFIG_SBITMAP=y +# end of Library routines + +# +# Kernel hacking +# + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is 
not set +# CONFIG_PRINTK_CALLER is not set +# CONFIG_STACKTRACE_BUILD_ID is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_CONSOLE_LOGLEVEL_QUIET=4 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set +# CONFIG_DYNAMIC_DEBUG is not set +# CONFIG_DYNAMIC_DEBUG_CORE is not set +CONFIG_SYMBOLIC_ERRNAME=y +CONFIG_DEBUG_BUGVERBOSE=y +# end of printk and dmesg options + +CONFIG_DEBUG_KERNEL=y +CONFIG_DEBUG_MISC=y + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +CONFIG_AS_HAS_NON_CONST_LEB128=y +# CONFIG_DEBUG_INFO_NONE is not set +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_DEBUG_INFO_DWARF5 is not set +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_COMPRESSED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_HEADERS_INSTALL is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_OBJTOOL=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# end of Compile-time checks and compiler options + +# +# Generic Kernel Debugging Instruments +# +# CONFIG_MAGIC_SYSRQ is not set +# CONFIG_DEBUG_FS is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN is not set +CONFIG_HAVE_ARCH_KCSAN=y +CONFIG_HAVE_KCSAN_COMPILER=y +# CONFIG_KCSAN is not set +# end of Generic Kernel Debugging Instruments + +# +# Networking Debugging +# +# CONFIG_NET_DEV_REFCNT_TRACKER is not set +# CONFIG_NET_NS_REFCNT_TRACKER is not set +# CONFIG_DEBUG_NET is not set +# end of Networking Debugging + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_DEBUG_SLAB is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_PAGE_TABLE_CHECK is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y 
+CONFIG_ARCH_HAS_DEBUG_WX=y +# CONFIG_DEBUG_WX is not set +CONFIG_GENERIC_PTDUMP=y +# CONFIG_DEBUG_OBJECTS is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VM_PGTABLE is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y +# CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is not set +CONFIG_HAVE_ARCH_KASAN=y +CONFIG_HAVE_ARCH_KASAN_VMALLOC=y +CONFIG_CC_HAS_KASAN_GENERIC=y +CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y +# CONFIG_KASAN is not set +CONFIG_HAVE_ARCH_KFENCE=y +# CONFIG_KFENCE is not set +# end of Memory Debugging + +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Oops, Lockups and Hangs +# +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +# CONFIG_WQ_WATCHDOG is not set +# end of Debug Oops, Lockups and Hangs + +# +# Scheduler Debugging +# +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# end of Scheduler Debugging + +# CONFIG_DEBUG_TIMEKEEPING is not set +CONFIG_DEBUG_PREEMPT=y + +# +# Lock Debugging (spinlocks, mutexes, etc...) 
+# +CONFIG_LOCK_DEBUGGING_SUPPORT=y +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_RWSEMS is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_SCF_TORTURE_TEST is not set +# CONFIG_CSD_LOCK_WAIT_DEBUG is not set +# end of Lock Debugging (spinlocks, mutexes, etc...) + +# CONFIG_DEBUG_IRQFLAGS is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set + +# +# Debug kernel data structures +# +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PLIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# end of Debug kernel data structures + +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_RCU_SCALE_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_REF_SCALE_TEST is not set +CONFIG_RCU_CPU_STALL_TIMEOUT=21 +CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0 +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# end of RCU Debugging + +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_RETHOOK=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_OBJTOOL_MCOUNT=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set 
+# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_PREEMPT_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_OSNOISE_TRACER is not set +# CONFIG_TIMERLAT_TRACER is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is not set +# CONFIG_SYNTH_EVENTS is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set + +# +# x86 Debugging +# +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +# CONFIG_CPA_DEBUG is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set +CONFIG_UNWINDER_ORC=y +# CONFIG_UNWINDER_FRAME_POINTER is not set +# end of x86 Debugging + +# +# Kernel Testing and Coverage +# +# CONFIG_KUNIT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +CONFIG_ARCH_HAS_KCOV=y +CONFIG_CC_HAS_SANCOV_TRACE_PC=y +# CONFIG_KCOV is not set +CONFIG_RUNTIME_TESTING_MENU=y +# CONFIG_TEST_MIN_HEAP is not set +# CONFIG_TEST_DIV64 is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_TEST_REF_TRACKER is not set +# 
CONFIG_RBTREE_TEST is not set +# CONFIG_REED_SOLOMON_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_STRING_SELFTEST is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_STRSCPY is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_SCANF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_XARRAY is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_SIPHASH is not set +# CONFIG_TEST_IDA is not set +# CONFIG_FIND_BIT_BENCHMARK is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_TEST_MEMCAT_P is not set +# CONFIG_TEST_MEMINIT is not set +# CONFIG_TEST_FREE_PAGES is not set +# CONFIG_TEST_FPU is not set +# CONFIG_TEST_CLOCKSOURCE_WATCHDOG is not set +CONFIG_ARCH_USE_MEMTEST=y +# CONFIG_MEMTEST is not set +# end of Kernel Testing and Coverage +# end of Kernel hacking diff -Nru strongswan-5.9.8/testing/config/kernel/config-6.1 strongswan-5.9.11/testing/config/kernel/config-6.1 --- strongswan-5.9.8/testing/config/kernel/config-6.1 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/config/kernel/config-6.1 2023-03-27 21:00:49.000000000 +0000 
@@ -0,0 +1,3225 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 6.1.1 Kernel Configuration +# +CONFIG_CC_VERSION_TEXT="gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0" +CONFIG_CC_IS_GCC=y +CONFIG_GCC_VERSION=110300 +CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23800 +CONFIG_LD_IS_BFD=y +CONFIG_LD_VERSION=23800 +CONFIG_LLD_VERSION=0 +CONFIG_CC_CAN_LINK=y +CONFIG_CC_CAN_LINK_STATIC=y +CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y +CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y +CONFIG_CC_HAS_ASM_INLINE=y +CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y +CONFIG_PAHOLE_VERSION=0 +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_TABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +# CONFIG_COMPILE_TEST is not set +# CONFIG_WERROR is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_BUILD_SALT="" +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_HAVE_KERNEL_ZSTD=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +# CONFIG_KERNEL_ZSTD is not set +CONFIG_DEFAULT_INIT="" +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +# CONFIG_WATCH_QUEUE is not set +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_HARDIRQS_SW_RESEND=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_IRQ_MSI_IOMMU=y +CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y +CONFIG_GENERIC_IRQ_RESERVATION_MODE=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +# end of IRQ subsystem + +CONFIG_CLOCKSOURCE_WATCHDOG=y 
+CONFIG_ARCH_CLOCKSOURCE_INIT=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y +CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_CONTEXT_TRACKING=y +CONFIG_CONTEXT_TRACKING_IDLE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_CLOCKSOURCE_WATCHDOG_MAX_SKEW_US=100 +# end of Timers subsystem + +CONFIG_BPF=y +CONFIG_HAVE_EBPF_JIT=y +CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y + +# +# BPF subsystem +# +# CONFIG_BPF_SYSCALL is not set +# end of BPF subsystem + +CONFIG_PREEMPT_BUILD=y +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_PREEMPT_COUNT=y +CONFIG_PREEMPTION=y +CONFIG_PREEMPT_DYNAMIC=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set +# CONFIG_PSI is not set +# end of CPU/Task time and stats accounting + +# +# RCU Subsystem +# +CONFIG_TREE_RCU=y +CONFIG_PREEMPT_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TREE_SRCU=y +CONFIG_RCU_STALL_COMMON=y +CONFIG_RCU_NEED_SEGCBLIST=y +# end of RCU Subsystem + +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +# CONFIG_IKHEADERS is not set +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y + +# +# Scheduler features +# +# end of Scheduler features + +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_CC_HAS_INT128=y +CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" +CONFIG_GCC12_NO_ARRAY_BOUNDS=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y 
+CONFIG_PAGE_COUNTER=y +# CONFIG_CGROUP_FAVOR_DYNMODS is not set +CONFIG_MEMCG=y +CONFIG_MEMCG_KMEM=y +CONFIG_BLK_CGROUP=y +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_MISC is not set +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +CONFIG_TIME_NS=y +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +CONFIG_NET_NS=y +# CONFIG_CHECKPOINT_RESTORE is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_BOOT_CONFIG is not set +CONFIG_INITRAMFS_PRESERVE_MTIME=y +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_LD_ORPHAN_WARN=y +CONFIG_SYSCTL=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +CONFIG_FHANDLE=y +CONFIG_POSIX_TIMERS=y +CONFIG_PRINTK=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_IO_URING=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_MEMBARRIER=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_RSEQ=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +# end of Kernel Performance Events And Counters + +# CONFIG_PROFILING is not set +# end of General setup + +CONFIG_64BIT=y +CONFIG_X86_64=y 
+CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_NR_GPIO=1024 +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_CC_HAS_SANE_STACKPROTECTOR=y + +# +# Processor type and features +# +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_X86_CPU_RESCTRL is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_IA32_FEAT_CTL=y +CONFIG_X86_VMX_FEATURE_NAMES=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_HYGON=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_CPU_SUP_ZHAOXIN=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +CONFIG_NR_CPUS_RANGE_BEGIN=1 +CONFIG_NR_CPUS_RANGE_END=1 +CONFIG_NR_CPUS_DEFAULT=1 +CONFIG_NR_CPUS=1 +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# 
CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +CONFIG_PERF_EVENTS_AMD_UNCORE=y +# CONFIG_PERF_EVENTS_AMD_BRS is not set +# end of Performance monitoring + +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +CONFIG_X86_IOPL_IOPERM=y +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +# CONFIG_MICROCODE_LATE_LOADING is not set +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_X86_DIRECT_GBPAGES=y +# CONFIG_AMD_MEM_ENCRYPT is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_X86_UMIP=y +CONFIG_CC_HAS_IBT=y +# CONFIG_X86_KERNEL_IBT is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_X86_INTEL_TSX_MODE_OFF=y +# CONFIG_X86_INTEL_TSX_MODE_ON is not set +# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set +# CONFIG_EFI is not set +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_LEGACY_VSYSCALL_XONLY=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +# CONFIG_STRICT_SIGALTSTACK_SIZE is not set 
+CONFIG_HAVE_LIVEPATCH=y +# end of Processor type and features + +CONFIG_CC_HAS_SLS=y +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_SLS is not set +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_USERSPACE_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ARCH_SUPPORTS_ACPI=y +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SPCR_TABLE=y +# CONFIG_ACPI_FPDT is not set +CONFIG_ACPI_LPIT=y +CONFIG_ACPI_SLEEP=y +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_TAD is not set +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_ACPI_DPTF is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_ACPI_PFRUT is not set +# CONFIG_PMIC_OPREGION is not set +CONFIG_X86_PM_TIMER=y + +# +# 
CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set +# end of CPU Frequency scaling + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_CPU_IDLE_GOV_TEO is not set +# end of CPU Idle + +# CONFIG_INTEL_IDLE is not set +# end of Power management and ACPI options + +# +# Bus options (PCI etc.) +# +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# end of Bus options (PCI etc.) + +# +# Binary Emulations +# +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32_ABI is not set +# end of Binary Emulations + +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +CONFIG_AS_AVX512=y +CONFIG_AS_SHA1_NI=y +CONFIG_AS_SHA256_NI=y +CONFIG_AS_TPAUSE=y + +# +# General architecture-dependent options +# +CONFIG_CRASH_CORE=y +CONFIG_GENERIC_ENTRY=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_STATIC_CALL_SELFTEST is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y +CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y +CONFIG_HAVE_NMI=y +CONFIG_TRACE_IRQFLAGS_SUPPORT=y +CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_ARCH_WANTS_NO_INSTR=y +CONFIG_HAVE_ASM_MODVERSIONS=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_RSEQ=y +CONFIG_HAVE_RUST=y +CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y 
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y
+CONFIG_MMU_GATHER_MERGE_VMAS=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+# CONFIG_SECCOMP_CACHE_DEBUG is not set
+CONFIG_HAVE_ARCH_STACKLEAK=y
+CONFIG_HAVE_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR=y
+CONFIG_STACKPROTECTOR_STRONG=y
+CONFIG_ARCH_SUPPORTS_LTO_CLANG=y
+CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y
+CONFIG_LTO_NONE=y
+CONFIG_ARCH_SUPPORTS_CFI_CLANG=y
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
+CONFIG_HAVE_CONTEXT_TRACKING_USER=y
+CONFIG_HAVE_CONTEXT_TRACKING_USER_OFFSTACK=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_MOVE_PUD=y
+CONFIG_HAVE_MOVE_PMD=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_HUGE_VMALLOC=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y
+CONFIG_SOFTIRQ_ON_OWN_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_PAGE_SIZE_LESS_THAN_64KB=y
+CONFIG_PAGE_SIZE_LESS_THAN_256KB=y
+CONFIG_HAVE_OBJTOOL=y
+CONFIG_HAVE_JUMP_LABEL_HACK=y
+CONFIG_HAVE_NOINSTR_HACK=y
+CONFIG_HAVE_NOINSTR_VALIDATION=y
+CONFIG_HAVE_UACCESS_VALIDATION=y
+CONFIG_HAVE_STACK_VALIDATION=y
+CONFIG_HAVE_RELIABLE_STACKTRACE=y
+# CONFIG_COMPAT_32BIT_TIME is not set
+CONFIG_HAVE_ARCH_VMAP_STACK=y
+CONFIG_VMAP_STACK=y
+CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y
+CONFIG_RANDOMIZE_KSTACK_OFFSET=y
+# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set
+CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y
+CONFIG_STRICT_KERNEL_RWX=y
+CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
+CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
+CONFIG_ARCH_HAS_MEM_ENCRYPT=y
+CONFIG_HAVE_STATIC_CALL=y
+CONFIG_HAVE_STATIC_CALL_INLINE=y
+CONFIG_HAVE_PREEMPT_DYNAMIC=y
+CONFIG_HAVE_PREEMPT_DYNAMIC_CALL=y
+CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y
+CONFIG_ARCH_HAS_ELFCORE_COMPAT=y
+CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y
+CONFIG_DYNAMIC_SIGFRAME=y
+CONFIG_ARCH_HAS_NONLEAF_PMD_YOUNG=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# end of GCOV-based kernel profiling
+
+CONFIG_HAVE_GCC_PLUGINS=y
+# end of General architecture-dependent options
+
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+CONFIG_BLOCK_LEGACY_AUTOLOAD=y
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_ZONED is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_WBT is not set
+# CONFIG_BLK_CGROUP_IOLATENCY is not set
+# CONFIG_BLK_CGROUP_IOCOST is not set
+# CONFIG_BLK_CGROUP_IOPRIO is not set
+# CONFIG_BLK_SED_OPAL is not set
+# CONFIG_BLK_INLINE_ENCRYPTION is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+# end of Partition Types
+
+CONFIG_BLK_MQ_PCI=y
+CONFIG_BLK_MQ_VIRTIO=y
+CONFIG_BLK_PM=y
+
+#
+# IO Schedulers
+#
+CONFIG_MQ_IOSCHED_DEADLINE=y
+CONFIG_MQ_IOSCHED_KYBER=y
+# CONFIG_IOSCHED_BFQ is not set
+# end of IO Schedulers
+
+CONFIG_ASN1=y
+CONFIG_UNINLINE_SPIN_UNLOCK=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y
+CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y
+CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y
+CONFIG_FREEZER=y
+
+#
+# Executable file formats
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# end of Executable file formats
+
+#
+# Memory Management options
+#
+CONFIG_SWAP=y
+# CONFIG_ZSWAP is not set
+
+#
+# SLAB allocator options
+#
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+CONFIG_SLAB_MERGE_DEFAULT=y
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_SLAB_FREELIST_HARDENED is not set
+# end of SLAB allocator options
+
+# CONFIG_SHUFFLE_PAGE_ALLOCATOR is not set
+CONFIG_COMPAT_BRK=y
+CONFIG_SPARSEMEM=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_FAST_GUP=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_MEMORY_HOTPLUG=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_MHP_MEMMAP_ON_MEMORY=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_PAGE_REPORTING=y
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ARCH_WANTS_THP_SWAP=y
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+# CONFIG_CMA is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_IDLE_PAGE_TRACKING is not set
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CURRENT_STACK_POINTER=y
+CONFIG_ARCH_HAS_PTE_DEVMAP=y
+CONFIG_ZONE_DMA=y
+CONFIG_ZONE_DMA32=y
+# CONFIG_ZONE_DEVICE is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+CONFIG_VM_EVENT_COUNTERS=y
+# CONFIG_PERCPU_STATS is not set
+
+#
+# GUP_TEST needs to have DEBUG_FS enabled
+#
+CONFIG_ARCH_HAS_PTE_SPECIAL=y
+CONFIG_SECRETMEM=y
+# CONFIG_ANON_VMA_NAME is not set
+# CONFIG_USERFAULTFD is not set
+# CONFIG_LRU_GEN is not set
+
+#
+# Data Access Monitoring
+#
+# CONFIG_DAMON is not set
+# end of Data Access Monitoring
+# end of Memory Management options
+
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+CONFIG_NET_EGRESS=y
+CONFIG_SKB_EXTENSIONS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+CONFIG_UNIX_SCM=y
+CONFIG_AF_UNIX_OOB=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_TLS=y
+# CONFIG_TLS_DEVICE is not set
+# CONFIG_TLS_TOE is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_INTERFACE=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_AH=y
+CONFIG_XFRM_ESP=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_XFRM_ESPINTCP=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+CONFIG_NET_IPGRE_DEMUX=y
+CONFIG_NET_IP_TUNNEL=y
+CONFIG_NET_IPGRE=y
+# CONFIG_SYN_COOKIES is not set
+CONFIG_NET_IPVTI=y
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_NET_FOU_IP_TUNNELS is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+# CONFIG_INET_ESP_OFFLOAD is not set
+CONFIG_INET_ESPINTCP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_TABLE_PERTURB_ORDER=16
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_RAW_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+# CONFIG_INET6_ESP_OFFLOAD is not set
+CONFIG_INET6_ESPINTCP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_IPV6_VTI=y
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_IPV6_SEG6_LWTUNNEL is not set
+# CONFIG_IPV6_SEG6_HMAC is not set
+# CONFIG_IPV6_RPL_LWTUNNEL is not set
+# CONFIG_IPV6_IOAM6_LWTUNNEL is not set
+# CONFIG_MPTCP is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_EGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+# CONFIG_NETFILTER_NETLINK_OSF is not set
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_SYSLOG=y
+CONFIG_NETFILTER_CONNCOUNT=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CONNTRACK_LABELS is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_REDIRECT=y
+CONFIG_NF_NAT_MASQUERADE=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+# end of Core Netfilter Configuration
+
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_IPMAC is not set
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+# CONFIG_NF_SOCKET_IPV4 is not set
+# CONFIG_NF_TPROXY_IPV4 is not set
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+# end of IP: Netfilter Configuration
+
+#
+# IPv6: Netfilter Configuration
+#
+# CONFIG_NF_SOCKET_IPV6 is not set
+# CONFIG_NF_TPROXY_IPV6 is not set
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+# CONFIG_IP6_NF_MATCH_SRH is not set
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+CONFIG_IP6_NF_NAT=y
+CONFIG_IP6_NF_TARGET_MASQUERADE=y
+CONFIG_IP6_NF_TARGET_NPT=y
+# end of IPv6: Netfilter Configuration
+
+CONFIG_NF_DEFRAG_IPV6=y
+# CONFIG_NF_CONNTRACK_BRIDGE is not set
+# CONFIG_BPFILTER is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+# CONFIG_NET_DSA is not set
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_LLC2 is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+CONFIG_DNS_RESOLVER=y
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_NET_NSH is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+# CONFIG_QRTR is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# end of Network testing
+# end of Networking options
+
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+CONFIG_STREAM_PARSER=y
+# CONFIG_MCTP is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_FD=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_PSAMPLE is not set
+# CONFIG_NET_IFE is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+CONFIG_GRO_CELLS=y
+CONFIG_NET_SOCK_MSG=y
+CONFIG_FAILOVER=y
+CONFIG_ETHTOOL_NETLINK=y
+
+#
+# Device Drivers
+#
+CONFIG_HAVE_EISA=y
+# CONFIG_EISA is not set
+CONFIG_HAVE_PCI=y
+CONFIG_PCI=y
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCIEASPM=y
+CONFIG_PCIEASPM_DEFAULT=y
+# CONFIG_PCIEASPM_POWERSAVE is not set
+# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
+# CONFIG_PCIEASPM_PERFORMANCE is not set
+# CONFIG_PCIE_PTM is not set
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_PCI_LOCKLESS_CONFIG=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI controller drivers
+#
+# CONFIG_VMD is not set
+
+#
+# DesignWare PCI Core Support
+#
+# CONFIG_PCIE_DW_PLAT_HOST is not set
+# CONFIG_PCI_MESON is not set
+# end of DesignWare PCI Core Support
+
+#
+# Mobiveil PCIe Core Support
+#
+# end of Mobiveil PCIe Core Support
+
+#
+# Cadence PCIe controllers support
+#
+# end of Cadence PCIe controllers support
+# end of PCI controller drivers
+
+#
+# PCI Endpoint
+#
+# CONFIG_PCI_ENDPOINT is not set
+# end of PCI Endpoint
+
+#
+# PCI switch controller drivers
+#
+# CONFIG_PCI_SW_SWITCHTEC is not set
+# end of PCI switch controller drivers
+
+# CONFIG_CXL_BUS is not set
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_DEVTMPFS_SAFE is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+
+#
+# Firmware loader
+#
+CONFIG_FW_LOADER=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER is not set
+# CONFIG_FW_LOADER_COMPRESS is not set
+CONFIG_FW_CACHE=y
+# CONFIG_FW_UPLOAD is not set
+# end of Firmware loader
+
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
+# end of Generic Driver Options
+
+#
+# Bus devices
+#
+# CONFIG_MHI_BUS is not set
+# CONFIG_MHI_BUS_EP is not set
+# end of Bus devices
+
+# CONFIG_CONNECTOR is not set
+
+#
+# Firmware Drivers
+#
+
+#
+# ARM System Control and Management Interface Protocol
+#
+# end of ARM System Control and Management Interface Protocol
+
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_SYSFB_SIMPLEFB is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# Tegra firmware driver
+#
+# end of Tegra firmware driver
+# end of Firmware Drivers
+
+# CONFIG_GNSS is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_ZRAM is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_UBLK is not set
+
+#
+# NVME Support
+#
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_NVME_FC is not set
+# CONFIG_NVME_TCP is not set
+# end of NVME Support
+
+#
+# Misc devices
+#
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_DW_XDATA_PCIE is not set
+# CONFIG_PCI_ENDPOINT_TEST is not set
+# CONFIG_XILINX_SDFEC is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# end of EEPROM support
+
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+# end of Texas Instruments shared transport line discipline
+
+#
+# Altera FPGA firmware download module (requires I2C)
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_BCM_VK is not set
+# CONFIG_MISC_ALCOR_PCI is not set
+# CONFIG_MISC_RTSX_PCI is not set
+# CONFIG_HABANA_AI is not set
+# CONFIG_UACCE is not set
+# CONFIG_PVPANIC is not set
+# end of Misc devices
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# end of SCSI device support
+
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_TARGET_CORE is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# end of IEEE 1394 (FireWire) support
+
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_WIREGUARD is not set
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_BAREUDP is not set
+# CONFIG_GTP is not set
+CONFIG_MACSEC=y
+# CONFIG_NETCONSOLE is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALACRITECH=y
+# CONFIG_SLICOSS is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMAZON=y
+# CONFIG_ENA_ETHERNET is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_AMD_XGBE is not set
+CONFIG_NET_VENDOR_AQUANTIA=y
+# CONFIG_AQTION is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ASIX=y
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_CX_ECAT is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_SYSTEMPORT is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_THUNDER_NIC_RGX is not set
+# CONFIG_LIQUIDIO is not set
+# CONFIG_LIQUIDIO_VF is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+CONFIG_NET_VENDOR_CORTINA=y
+CONFIG_NET_VENDOR_DAVICOM=y
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_ENGLEDER=y
+# CONFIG_TSNEP is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_FUNGIBLE=y
+# CONFIG_FUN_ETH is not set
+CONFIG_NET_VENDOR_GOOGLE=y
+# CONFIG_GVE is not set
+CONFIG_NET_VENDOR_HUAWEI=y
+# CONFIG_HINIC is not set
+CONFIG_NET_VENDOR_I825XX=y
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_ICE is not set
+# CONFIG_FM10K is not set
+# CONFIG_IGC is not set
+CONFIG_NET_VENDOR_WANGXUN=y
+# CONFIG_NGBE is not set
+# CONFIG_TXGBE is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_LITEX=y
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+# CONFIG_OCTEON_EP is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+# CONFIG_MLXFW is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MICROCHIP=y
+# CONFIG_LAN743X is not set
+CONFIG_NET_VENDOR_MICROSEMI=y
+CONFIG_NET_VENDOR_MICROSOFT=y
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NI=y
+# CONFIG_NI_XGE_MANAGEMENT_ENET is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETERION=y
+# CONFIG_S2IO is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_VENDOR_PACKET_ENGINES=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_PENSANDO=y
+# CONFIG_IONIC is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+# CONFIG_QCOM_EMAC is not set
+# CONFIG_RMNET is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+CONFIG_NET_VENDOR_SOLARFLARE=y
+# CONFIG_SFC is not set
+# CONFIG_SFC_FALCON is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_SOCIONEXT=y
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+# CONFIG_DWC_XLGMAC is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_PHY_SEL is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VERTEXCOM=y
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+CONFIG_NET_VENDOR_XILINX=y
+# CONFIG_XILINX_EMACLITE is not set
+# CONFIG_XILINX_AXI_EMAC is not set
+# CONFIG_XILINX_LL_TEMAC is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PSE_CONTROLLER is not set
+# CONFIG_MDIO_DEVICE is not set
+
+#
+# PCS device drivers
+#
+# end of PCS device drivers
+
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_MICROCHIP=y
+CONFIG_WLAN_VENDOR_PURELIFI=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_SILABS=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+CONFIG_WLAN_VENDOR_QUANTENNA=y
+# CONFIG_WAN is not set
+
+#
+# Wireless WAN
+#
+# CONFIG_WWAN is not set
+# end of Wireless WAN
+
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+CONFIG_NET_FAILOVER=y
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+CONFIG_INPUT_FF_MEMLESS=y
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+CONFIG_INPUT_VIVALDIFMAP=y
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_SAMSUNG is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+# end of Hardware I/O ports
+# end of Input device support
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+CONFIG_LDISC_AUTOLOAD=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_LANTIQ is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+# CONFIG_SERIAL_FSL_LINFLEXUART is not set
+# CONFIG_SERIAL_SPRD is not set
+# end of Serial drivers
+
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_N_GSM is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_NULL_TTY is not set
+CONFIG_HVC_DRIVER=y
+# CONFIG_SERIAL_DEV_BUS is not set
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+CONFIG_HW_RANDOM=y
+# CONFIG_HW_RANDOM_TIMERIOMEM is not set
+CONFIG_HW_RANDOM_INTEL=y
+CONFIG_HW_RANDOM_AMD=y
+# CONFIG_HW_RANDOM_BA431 is not set
+# CONFIG_HW_RANDOM_VIA is not set
+CONFIG_HW_RANDOM_VIRTIO=y
+# CONFIG_HW_RANDOM_XIPHERA is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+CONFIG_DEVMEM=y
+# CONFIG_NVRAM is not set
+CONFIG_DEVPORT=y
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+# CONFIG_XILLYBUS is not set
+# CONFIG_RANDOM_TRUST_CPU is not set
+# CONFIG_RANDOM_TRUST_BOOTLOADER is not set
+# end of Character devices
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# end of I2C support
+
+# CONFIG_I3C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+# CONFIG_PPS is not set
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+CONFIG_PTP_1588_CLOCK_OPTIONAL=y
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+# +# end of PTP clock support + +# CONFIG_PINCTRL is not set +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +CONFIG_POWER_SUPPLY_HWMON=y +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_SAMSUNG_SDI is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_BATTERY_GOLDFISH is not set +CONFIG_HWMON=y +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_AS370 is not set +# CONFIG_SENSORS_AXI_FAN_CONTROL is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_CORSAIR_CPRO is not set +# CONFIG_SENSORS_CORSAIR_PSU is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_MR75203 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +# CONFIG_SENSORS_ASUS_EC is not set 
+CONFIG_THERMAL=y +# CONFIG_THERMAL_NETLINK is not set +# CONFIG_THERMAL_STATISTICS is not set +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_WRITABLE_TRIPS=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +CONFIG_THERMAL_GOV_USER_SPACE=y +# CONFIG_THERMAL_EMULATION is not set + +# +# Intel thermal drivers +# +# CONFIG_INTEL_POWERCLAMP is not set +CONFIG_X86_THERMAL_VECTOR=y +CONFIG_X86_PKG_TEMP_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# end of ACPI INT340X thermal drivers + +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_INTEL_TCC_COOLING is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_INTEL_HFI_THERMAL is not set +# end of Intel thermal drivers + +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_MADERA is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_INTEL_PMC_BXT is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TQMX86 is not set +# CONFIG_MFD_VX855 is not set +# end of Multifunction device drivers + +# CONFIG_REGULATOR is not set +CONFIG_RC_CORE=y +# CONFIG_LIRC is not set +CONFIG_RC_MAP=y +CONFIG_RC_DECODERS=y +# CONFIG_IR_IMON_DECODER is not set +CONFIG_IR_JVC_DECODER=y 
+CONFIG_IR_MCE_KBD_DECODER=y +CONFIG_IR_NEC_DECODER=y +CONFIG_IR_RC5_DECODER=y +CONFIG_IR_RC6_DECODER=y +# CONFIG_IR_RCMM_DECODER is not set +CONFIG_IR_SANYO_DECODER=y +CONFIG_IR_SHARP_DECODER=y +CONFIG_IR_SONY_DECODER=y +CONFIG_IR_XMP_DECODER=y +# CONFIG_RC_DEVICES is not set + +# +# CEC support +# +# CONFIG_MEDIA_CEC_SUPPORT is not set +# end of CEC support + +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ARM devices +# +# end of ARM devices + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# end of Frame buffer Devices + +# +# Backlight & LCD device support +# +CONFIG_LCD_CLASS_DEVICE=y +# CONFIG_LCD_PLATFORM is not set +CONFIG_BACKLIGHT_CLASS_DEVICE=y +# CONFIG_BACKLIGHT_APPLE is not set +# CONFIG_BACKLIGHT_QCOM_WLED is not set +# CONFIG_BACKLIGHT_SAHARA is not set +# end of Backlight & LCD device support + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +# end of Console display driver support +# end of Graphics support + +CONFIG_SOUND=y +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +# CONFIG_HID_COUGAR is not set +# CONFIG_HID_MACALLY is not set +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_GLORIOUS is not set +# CONFIG_HID_VIVALDI is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_VIEWSONIC 
is not set +# CONFIG_HID_VRC2 is not set +# CONFIG_HID_XIAOMI is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_JABRA is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MALTRON is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_REDRAGON=y +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PXRC is not set +# CONFIG_HID_RAZER is not set +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SEMITEK is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEAM is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_TOPRE is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set +# end of Special HID drivers + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +# end of Intel ISH HID support + +# +# AMD SFH HID Support +# +# CONFIG_AMD_SFH_HID is not set +# end of AMD SFH HID Support +# end of HID support + +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_NOP_USB_XCEIV is not set +# end of USB Physical Layer drivers + +# CONFIG_USB_GADGET is not set +# CONFIG_TYPEC is 
not set +# CONFIG_USB_ROLE_SWITCH is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_DMABUF_HEAPS is not set +# end of DMABUF options + +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VFIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO_ANCHOR=y +CONFIG_VIRTIO=y +CONFIG_VIRTIO_PCI_LIB=y +CONFIG_VIRTIO_PCI_LIB_LEGACY=y +CONFIG_VIRTIO_MENU=y +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set +# CONFIG_VDPA is not set +CONFIG_VHOST_MENU=y +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set + +# +# Microsoft Hyper-V guest support +# +# end of Microsoft Hyper-V guest support + +# CONFIG_GREYBUS is not set +# CONFIG_COMEDI is not set +# CONFIG_STAGING is not set +# CONFIG_CHROME_PLATFORMS is not set +# CONFIG_MELLANOX_PLATFORM is not set +CONFIG_SURFACE_PLATFORMS=y +# CONFIG_SURFACE_GPE is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACPI_WMI is not set +# CONFIG_ACERHDF is not set +# CONFIG_ACER_WIRELESS is not set +# CONFIG_AMD_PMF is not set +# CONFIG_AMD_HSMP is not set +# CONFIG_ADV_SWBUTTON is not set +# CONFIG_APPLE_GMUX is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_X86_PLATFORM_DRIVERS_DELL is not set +# CONFIG_FUJITSU_LAPTOP is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_GPD_POCKET_FAN is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_WIRELESS_HOTKEY is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_ATOMISP2_PM 
is not set +# CONFIG_INTEL_SAR_INT1092 is not set +# CONFIG_INTEL_PMC_CORE is not set + +# +# Intel Speed Select Technology interface support +# +# CONFIG_INTEL_SPEED_SELECT_INTERFACE is not set +# end of Intel Speed Select Technology interface support + +# +# Intel Uncore Frequency Control +# +# CONFIG_INTEL_UNCORE_FREQ_CONTROL is not set +# end of Intel Uncore Frequency Control + +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_INTEL_VSEC is not set +# CONFIG_SAMSUNG_LAPTOP is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_PANASONIC_LAPTOP is not set +# CONFIG_SYSTEM76_ACPI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_SCU_PCI is not set +# CONFIG_INTEL_SCU_PLATFORM is not set +# CONFIG_SIEMENS_SIMATIC_IPC is not set +# CONFIG_WINMATE_FM07_KEYS is not set +# CONFIG_P2SB is not set +CONFIG_HAVE_CLK=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y +# CONFIG_XILINX_VCU is not set +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# end of Clock Source drivers + +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_IOVA=y +CONFIG_IOMMU_API=y +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# end of Generic IOMMU Pagetable Support + +# CONFIG_IOMMU_DEFAULT_DMA_STRICT is not set +CONFIG_IOMMU_DEFAULT_DMA_LAZY=y +# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set +CONFIG_IOMMU_DMA=y +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set +# CONFIG_VIRTIO_IOMMU is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set +# end of Remoteproc drivers + +# +# Rpmsg drivers +# +# CONFIG_RPMSG_VIRTIO is not set +# end of Rpmsg drivers + +# CONFIG_SOUNDWIRE is not set + +# +# SOC (System On Chip) specific Drivers +# + +# 
+# Amlogic SoC drivers +# +# end of Amlogic SoC drivers + +# +# Broadcom SoC drivers +# +# end of Broadcom SoC drivers + +# +# NXP/Freescale QorIQ SoC drivers +# +# end of NXP/Freescale QorIQ SoC drivers + +# +# fujitsu SoC drivers +# +# end of fujitsu SoC drivers + +# +# i.MX SoC drivers +# +# end of i.MX SoC drivers + +# +# Enable LiteX SoC Builder specific drivers +# +# end of Enable LiteX SoC Builder specific drivers + +# +# Qualcomm SoC drivers +# +# end of Qualcomm SoC drivers + +# CONFIG_SOC_TI is not set + +# +# Xilinx SoC drivers +# +# end of Xilinx SoC drivers +# end of SOC (System On Chip) specific Drivers + +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_PWM is not set + +# +# IRQ chip support +# +# end of IRQ chip support + +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_USB_LGM_PHY is not set +# CONFIG_PHY_CAN_TRANSCEIVER is not set + +# +# PHY drivers for Broadcom platforms +# +# CONFIG_BCM_KONA_USB2_PHY is not set +# end of PHY drivers for Broadcom platforms + +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_PHY_INTEL_LGM_EMMC is not set +# end of PHY Subsystem + +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# end of Performance monitor support + +# CONFIG_RAS is not set +# CONFIG_USB4 is not set + +# +# Android +# +# CONFIG_ANDROID_BINDER_IPC is not set +# end of Android + +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set + +# +# HW tracing support +# +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +# end of HW tracing support + +# CONFIG_FPGA is not set +# CONFIG_TEE is not set +# CONFIG_SIOX is not set +# CONFIG_SLIMBUS is not set +# CONFIG_INTERCONNECT is not set +# CONFIG_COUNTER is not set +# CONFIG_PECI is not set +# CONFIG_HTE is 
not set +# end of Device Drivers + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_VALIDATE_FS_PARSER=y +CONFIG_FS_IOMAP=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +# CONFIG_FS_VERITY is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +CONFIG_AUTOFS_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +CONFIG_NETFS_SUPPORT=y +# CONFIG_NETFS_STATS is not set +# CONFIG_FSCACHE is not set +# end of Caches + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set +# end of CD-ROM/DVD Filesystems + +# +# DOS/FAT/EXFAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_EXFAT_FS is not set +# CONFIG_NTFS_FS is not set +# CONFIG_NTFS3_FS is not set +# end of DOS/FAT/EXFAT/NT Filesystems + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# 
CONFIG_PROC_CHILDREN is not set +CONFIG_PROC_PID_ARCH_STATUS=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_TMPFS_INODE64 is not set +# CONFIG_HUGETLBFS is not set +CONFIG_ARCH_WANT_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y +CONFIG_MEMFD_CREATE=y +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y +# CONFIG_CONFIGFS_FS is not set +# end of Pseudo filesystems + +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +# CONFIG_EROFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_SMB_SERVER is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# 
CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set +# CONFIG_UNICODE is not set +CONFIG_IO_WQ=y +# end of File systems + +# +# Security options +# +CONFIG_KEYS=y +# CONFIG_KEYS_REQUEST_CACHE is not set +# CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_BIG_KEYS is not set +# CONFIG_TRUSTED_KEYS is not set +# CONFIG_ENCRYPTED_KEYS is not set +# CONFIG_KEY_DH_OPERATIONS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_LSM="yama,loadpin,safesetid,integrity" + +# +# Kernel hardening options +# + +# +# Memory initialization +# 
+CONFIG_INIT_STACK_NONE=y +# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set +# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set +CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y +# CONFIG_ZERO_CALL_USED_REGS is not set +# end of Memory initialization + +CONFIG_RANDSTRUCT_NONE=y +# end of Kernel hardening options +# end of Security options + +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_SKCIPHER=y +CONFIG_CRYPTO_SKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_SIMD=y +# end of Crypto core or helper + +# +# Public-key cryptography +# +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_DH=y +# CONFIG_CRYPTO_DH_RFC7919_GROUPS is not set +CONFIG_CRYPTO_ECC=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_ECDSA=y +# CONFIG_CRYPTO_ECRDSA is not set +CONFIG_CRYPTO_SM2=y +CONFIG_CRYPTO_CURVE25519=y +# end of Public-key cryptography + +# +# Block ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARIA=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_DES=y +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SM4=y +# CONFIG_CRYPTO_SM4_GENERIC is not set +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +# end of Block ciphers + +# +# Length-preserving ciphers and modes +# +CONFIG_CRYPTO_ADIANTUM=y 
+CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CBC=y +# CONFIG_CRYPTO_CFB is not set +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +# CONFIG_CRYPTO_HCTR2 is not set +# CONFIG_CRYPTO_KEYWRAP is not set +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_OFB=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_NHPOLY1305=y +# end of Length-preserving ciphers and modes + +# +# AEAD (authenticated encryption with associated data) ciphers +# +# CONFIG_CRYPTO_AEGIS128 is not set +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y +# CONFIG_CRYPTO_ESSIV is not set +# end of AEAD (authenticated encryption with associated data) ciphers + +# +# Hashes, digests, and MACs +# +CONFIG_CRYPTO_BLAKE2B=y +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_SHA1=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SM3=y +# CONFIG_CRYPTO_SM3_GENERIC is not set +# CONFIG_CRYPTO_STREEBOG is not set +# CONFIG_CRYPTO_VMAC is not set +CONFIG_CRYPTO_WP512=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_XXHASH is not set +# end of Hashes, digests, and MACs + +# +# CRCs (cyclic redundancy checks) +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +# end of CRCs (cyclic redundancy checks) + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y +# CONFIG_CRYPTO_ZSTD is not set +# end of Compression + +# +# Random number generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +# end of Random number generation + +# +# Userspace interface 
+# +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y +CONFIG_CRYPTO_STATS=y +# end of Userspace interface + +CONFIG_CRYPTO_HASH_INFO=y + +# +# Accelerated Cryptographic Algorithms for CPU (x86) +# +CONFIG_CRYPTO_CURVE25519_X86=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_SM4_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y +CONFIG_CRYPTO_ARIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set +CONFIG_CRYPTO_NHPOLY1305_SSE2=y +CONFIG_CRYPTO_NHPOLY1305_AVX2=y +CONFIG_CRYPTO_BLAKE2S_X86=y +# CONFIG_CRYPTO_POLYVAL_CLMUL_NI is not set +CONFIG_CRYPTO_POLY1305_X86_64=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +CONFIG_CRYPTO_SM3_AVX_X86_64=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# end of Accelerated Cryptographic Algorithms for CPU (x86) + +# CONFIG_CRYPTO_HW is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_FIPS_SIGNATURE_SELFTEST is not set + +# +# Certificates for signature checking +# +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not 
set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set +# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +# end of Certificates for signature checking + +# +# Library routines +# +# CONFIG_PACKING is not set +CONFIG_BITREVERSE=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +# CONFIG_CORDIC is not set +# CONFIG_PRIME_NUMBERS is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_UTILS=y +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y +CONFIG_CRYPTO_LIB_CURVE25519=y +CONFIG_CRYPTO_LIB_DES=y +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y +CONFIG_CRYPTO_LIB_POLY1305=y +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y +CONFIG_CRYPTO_LIB_SHA1=y +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +# CONFIG_CRC64_ROCKSOFT is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC64 is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +CONFIG_TEXTSEARCH=y 
+CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_DMA_OPS=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_SWIOTLB=y +# CONFIG_DMA_API_DEBUG is not set +CONFIG_SGL_ALLOC=y +CONFIG_IOMMU_HELPER=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y +CONFIG_HAVE_GENERIC_VDSO=y +CONFIG_GENERIC_GETTIMEOFDAY=y +CONFIG_GENERIC_VDSO_TIME_NS=y +CONFIG_SG_POOL=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_ARCH_HAS_COPY_MC=y +CONFIG_ARCH_STACKWALK=y +CONFIG_SBITMAP=y +# end of Library routines + +# +# Kernel hacking +# + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +# CONFIG_PRINTK_CALLER is not set +# CONFIG_STACKTRACE_BUILD_ID is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_CONSOLE_LOGLEVEL_QUIET=4 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set +# CONFIG_DYNAMIC_DEBUG is not set +# CONFIG_DYNAMIC_DEBUG_CORE is not set +CONFIG_SYMBOLIC_ERRNAME=y +CONFIG_DEBUG_BUGVERBOSE=y +# end of printk and dmesg options + +CONFIG_DEBUG_KERNEL=y +CONFIG_DEBUG_MISC=y + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +CONFIG_AS_HAS_NON_CONST_LEB128=y +# CONFIG_DEBUG_INFO_NONE is not set +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_DEBUG_INFO_DWARF5 is not set +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_COMPRESSED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_HEADERS_INSTALL is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_OBJTOOL=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# end of 
Compile-time checks and compiler options + +# +# Generic Kernel Debugging Instruments +# +# CONFIG_MAGIC_SYSRQ is not set +# CONFIG_DEBUG_FS is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN is not set +CONFIG_HAVE_ARCH_KCSAN=y +CONFIG_HAVE_KCSAN_COMPILER=y +# CONFIG_KCSAN is not set +# end of Generic Kernel Debugging Instruments + +# +# Networking Debugging +# +# CONFIG_NET_DEV_REFCNT_TRACKER is not set +# CONFIG_NET_NS_REFCNT_TRACKER is not set +# CONFIG_DEBUG_NET is not set +# end of Networking Debugging + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_DEBUG_SLAB is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_PAGE_TABLE_CHECK is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +CONFIG_ARCH_HAS_DEBUG_WX=y +# CONFIG_DEBUG_WX is not set +CONFIG_GENERIC_PTDUMP=y +# CONFIG_DEBUG_OBJECTS is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VM_PGTABLE is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y +# CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is not set +CONFIG_HAVE_ARCH_KASAN=y +CONFIG_HAVE_ARCH_KASAN_VMALLOC=y +CONFIG_CC_HAS_KASAN_GENERIC=y +CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y +# CONFIG_KASAN is not set +CONFIG_HAVE_ARCH_KFENCE=y +# CONFIG_KFENCE is not set +CONFIG_HAVE_ARCH_KMSAN=y +# end of Memory Debugging + +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Oops, Lockups and Hangs +# +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y 
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +# CONFIG_WQ_WATCHDOG is not set +# end of Debug Oops, Lockups and Hangs + +# +# Scheduler Debugging +# +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# end of Scheduler Debugging + +# CONFIG_DEBUG_TIMEKEEPING is not set +CONFIG_DEBUG_PREEMPT=y + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +CONFIG_LOCK_DEBUGGING_SUPPORT=y +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_RWSEMS is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_SCF_TORTURE_TEST is not set +# CONFIG_CSD_LOCK_WAIT_DEBUG is not set +# end of Lock Debugging (spinlocks, mutexes, etc...) 
+ +# CONFIG_DEBUG_IRQFLAGS is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set + +# +# Debug kernel data structures +# +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PLIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_DEBUG_MAPLE_TREE is not set +# end of Debug kernel data structures + +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_RCU_SCALE_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_REF_SCALE_TEST is not set +CONFIG_RCU_CPU_STALL_TIMEOUT=21 +CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0 +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# end of RCU Debugging + +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_RETHOOK=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_OBJTOOL_MCOUNT=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_PREEMPT_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_OSNOISE_TRACER is not set +# CONFIG_TIMERLAT_TRACER is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is 
not set +# CONFIG_SYNTH_EVENTS is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set + +# +# x86 Debugging +# +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +# CONFIG_CPA_DEBUG is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set +CONFIG_UNWINDER_ORC=y +# CONFIG_UNWINDER_FRAME_POINTER is not set +# end of x86 Debugging + +# +# Kernel Testing and Coverage +# +# CONFIG_KUNIT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +CONFIG_ARCH_HAS_KCOV=y +CONFIG_CC_HAS_SANCOV_TRACE_PC=y +# CONFIG_KCOV is not set +CONFIG_RUNTIME_TESTING_MENU=y +# CONFIG_TEST_MIN_HEAP is not set +# CONFIG_TEST_DIV64 is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_TEST_REF_TRACKER is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_REED_SOLOMON_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_STRING_SELFTEST is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_STRSCPY is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_SCANF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_XARRAY is not set +# CONFIG_TEST_MAPLE_TREE is not set +# 
CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_SIPHASH is not set +# CONFIG_TEST_IDA is not set +# CONFIG_FIND_BIT_BENCHMARK is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_TEST_MEMCAT_P is not set +# CONFIG_TEST_MEMINIT is not set +# CONFIG_TEST_FREE_PAGES is not set +# CONFIG_TEST_FPU is not set +# CONFIG_TEST_CLOCKSOURCE_WATCHDOG is not set +CONFIG_ARCH_USE_MEMTEST=y +# CONFIG_MEMTEST is not set +# end of Kernel Testing and Coverage + +# +# Rust hacking +# +# end of Rust hacking +# end of Kernel hacking diff -Nru strongswan-5.9.8/testing/config/kernel/config-6.2 strongswan-5.9.11/testing/config/kernel/config-6.2 --- strongswan-5.9.8/testing/config/kernel/config-6.2 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/config/kernel/config-6.2 2023-03-27 21:00:49.000000000 +0000 
@@ -0,0 +1,3246 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 6.2.0 Kernel Configuration +# +CONFIG_CC_VERSION_TEXT="gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0" +CONFIG_CC_IS_GCC=y +CONFIG_GCC_VERSION=110300 +CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=23800 +CONFIG_LD_IS_BFD=y +CONFIG_LD_VERSION=23800 +CONFIG_LLD_VERSION=0 +CONFIG_CC_CAN_LINK=y +CONFIG_CC_CAN_LINK_STATIC=y +CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y +CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y +CONFIG_CC_HAS_ASM_INLINE=y +CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y +CONFIG_PAHOLE_VERSION=0 +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_TABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +# CONFIG_COMPILE_TEST is not set +# CONFIG_WERROR is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_BUILD_SALT="" +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_HAVE_KERNEL_ZSTD=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +# CONFIG_KERNEL_ZSTD is not set +CONFIG_DEFAULT_INIT="" +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +# CONFIG_WATCH_QUEUE is not set +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_HARDIRQS_SW_RESEND=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_IRQ_MSI_IOMMU=y +CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y +CONFIG_GENERIC_IRQ_RESERVATION_MODE=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +# end of IRQ subsystem + +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_INIT=y 
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y +CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_CONTEXT_TRACKING=y +CONFIG_CONTEXT_TRACKING_IDLE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_CLOCKSOURCE_WATCHDOG_MAX_SKEW_US=100 +# end of Timers subsystem + +CONFIG_BPF=y +CONFIG_HAVE_EBPF_JIT=y +CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y + +# +# BPF subsystem +# +# CONFIG_BPF_SYSCALL is not set +# end of BPF subsystem + +CONFIG_PREEMPT_BUILD=y +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_PREEMPT_COUNT=y +CONFIG_PREEMPTION=y +CONFIG_PREEMPT_DYNAMIC=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set +# CONFIG_PSI is not set +# end of CPU/Task time and stats accounting + +# +# RCU Subsystem +# +CONFIG_TREE_RCU=y +CONFIG_PREEMPT_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TREE_SRCU=y +CONFIG_RCU_STALL_COMMON=y +CONFIG_RCU_NEED_SEGCBLIST=y +# end of RCU Subsystem + +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +# CONFIG_IKHEADERS is not set +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y + +# +# Scheduler features +# +# end of Scheduler features + +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_CC_HAS_INT128=y +CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" +CONFIG_GCC11_NO_ARRAY_BOUNDS=y +CONFIG_GCC12_NO_ARRAY_BOUNDS=y +CONFIG_CC_NO_ARRAY_BOUNDS=y 
+CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +# CONFIG_CGROUP_FAVOR_DYNMODS is not set +CONFIG_MEMCG=y +CONFIG_MEMCG_KMEM=y +CONFIG_BLK_CGROUP=y +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_MISC is not set +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +CONFIG_TIME_NS=y +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +CONFIG_NET_NS=y +# CONFIG_CHECKPOINT_RESTORE is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_BOOT_CONFIG is not set +CONFIG_INITRAMFS_PRESERVE_MTIME=y +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_LD_ORPHAN_WARN=y +CONFIG_LD_ORPHAN_WARN_LEVEL="warn" +CONFIG_SYSCTL=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +CONFIG_FHANDLE=y +CONFIG_POSIX_TIMERS=y +CONFIG_PRINTK=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_IO_URING=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_MEMBARRIER=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_SELFTEST is not set +# CONFIG_KALLSYMS_ALL is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_RSEQ=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +# end of Kernel 
Performance Events And Counters + +# CONFIG_PROFILING is not set +# end of General setup + +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_CC_HAS_SANE_STACKPROTECTOR=y + +# +# Processor type and features +# +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_X86_CPU_RESCTRL is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_IA32_FEAT_CTL=y +CONFIG_X86_VMX_FEATURE_NAMES=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_HYGON=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_CPU_SUP_ZHAOXIN=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +CONFIG_NR_CPUS_RANGE_BEGIN=1 +CONFIG_NR_CPUS_RANGE_END=1 +CONFIG_NR_CPUS_DEFAULT=1 
+CONFIG_NR_CPUS=1 +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +CONFIG_PERF_EVENTS_AMD_UNCORE=y +# CONFIG_PERF_EVENTS_AMD_BRS is not set +# end of Performance monitoring + +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +CONFIG_X86_IOPL_IOPERM=y +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +# CONFIG_MICROCODE_LATE_LOADING is not set +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_X86_DIRECT_GBPAGES=y +# CONFIG_AMD_MEM_ENCRYPT is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_X86_UMIP=y +CONFIG_CC_HAS_IBT=y +# CONFIG_X86_KERNEL_IBT is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_X86_INTEL_TSX_MODE_OFF=y +# CONFIG_X86_INTEL_TSX_MODE_ON is not set +# CONFIG_X86_INTEL_TSX_MODE_AUTO is not set +# CONFIG_EFI is not set +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +CONFIG_LEGACY_VSYSCALL_XONLY=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is 
not set +CONFIG_MODIFY_LDT_SYSCALL=y +# CONFIG_STRICT_SIGALTSTACK_SIZE is not set +CONFIG_HAVE_LIVEPATCH=y +# end of Processor type and features + +CONFIG_CC_HAS_SLS=y +CONFIG_CC_HAS_RETURN_THUNK=y +CONFIG_CC_HAS_ENTRY_PADDING=y +CONFIG_FUNCTION_PADDING_CFI=11 +CONFIG_FUNCTION_PADDING_BYTES=16 +CONFIG_CALL_PADDING=y +CONFIG_HAVE_CALL_THUNKS=y +CONFIG_CALL_THUNKS=y +CONFIG_PREFIX_SYMBOLS=y +CONFIG_SPECULATION_MITIGATIONS=y +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CALL_DEPTH_TRACKING=y +# CONFIG_CALL_THUNKS_DEBUG is not set +CONFIG_CPU_IBPB_ENTRY=y +CONFIG_CPU_IBRS_ENTRY=y +# CONFIG_SLS is not set +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_USERSPACE_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ARCH_SUPPORTS_ACPI=y +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SPCR_TABLE=y +# CONFIG_ACPI_FPDT is not set +CONFIG_ACPI_LPIT=y +CONFIG_ACPI_SLEEP=y +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_TAD is not set +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set 
+CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_ACPI_DPTF is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_ACPI_PFRUT is not set +# CONFIG_ACPI_FFH is not set +# CONFIG_PMIC_OPREGION is not set +CONFIG_X86_PM_TIMER=y + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set +# end of CPU Frequency scaling + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_CPU_IDLE_GOV_TEO is not set +# end of CPU Idle + +# CONFIG_INTEL_IDLE is not set +# end of Power management and ACPI options + +# +# Bus options (PCI etc.) +# +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# end of Bus options (PCI etc.) + +# +# Binary Emulations +# +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32_ABI is not set +# end of Binary Emulations + +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +CONFIG_AS_AVX512=y +CONFIG_AS_SHA1_NI=y +CONFIG_AS_SHA256_NI=y +CONFIG_AS_TPAUSE=y + +# +# General architecture-dependent options +# +CONFIG_CRASH_CORE=y +CONFIG_GENERIC_ENTRY=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_STATIC_CALL_SELFTEST is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y +CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y +CONFIG_HAVE_NMI=y +CONFIG_TRACE_IRQFLAGS_SUPPORT=y +CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y 
+CONFIG_ARCH_WANTS_NO_INSTR=y +CONFIG_HAVE_ASM_MODVERSIONS=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_RSEQ=y +CONFIG_HAVE_RUST=y +CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y +CONFIG_MMU_GATHER_MERGE_VMAS=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_ARCH_HAS_NMI_SAFE_THIS_CPU_OPS=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y +# CONFIG_SECCOMP_CACHE_DEBUG is not set +CONFIG_HAVE_ARCH_STACKLEAK=y +CONFIG_HAVE_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y +CONFIG_LTO_NONE=y +CONFIG_ARCH_SUPPORTS_CFI_CLANG=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING_USER=y +CONFIG_HAVE_CONTEXT_TRACKING_USER_OFFSTACK=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_MOVE_PUD=y +CONFIG_HAVE_MOVE_PMD=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_HUGE_VMALLOC=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y +CONFIG_SOFTIRQ_ON_OWN_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_PAGE_SIZE_LESS_THAN_64KB=y +CONFIG_PAGE_SIZE_LESS_THAN_256KB=y +CONFIG_HAVE_OBJTOOL=y +CONFIG_HAVE_JUMP_LABEL_HACK=y +CONFIG_HAVE_NOINSTR_HACK=y +CONFIG_HAVE_NOINSTR_VALIDATION=y 
+CONFIG_HAVE_UACCESS_VALIDATION=y +CONFIG_HAVE_STACK_VALIDATION=y +CONFIG_HAVE_RELIABLE_STACKTRACE=y +# CONFIG_COMPAT_32BIT_TIME is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y +CONFIG_RANDOMIZE_KSTACK_OFFSET=y +# CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT is not set +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y +CONFIG_ARCH_HAS_MEM_ENCRYPT=y +CONFIG_HAVE_STATIC_CALL=y +CONFIG_HAVE_STATIC_CALL_INLINE=y +CONFIG_HAVE_PREEMPT_DYNAMIC=y +CONFIG_HAVE_PREEMPT_DYNAMIC_CALL=y +CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y +CONFIG_ARCH_HAS_ELFCORE_COMPAT=y +CONFIG_ARCH_HAS_PARANOID_L1D_FLUSH=y +CONFIG_DYNAMIC_SIGFRAME=y +CONFIG_ARCH_HAS_NONLEAF_PMD_YOUNG=y + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# end of GCOV-based kernel profiling + +CONFIG_HAVE_GCC_PLUGINS=y +CONFIG_FUNCTION_ALIGNMENT_4B=y +CONFIG_FUNCTION_ALIGNMENT_16B=y +CONFIG_FUNCTION_ALIGNMENT=16 +# end of General architecture-dependent options + +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_BLOCK=y +CONFIG_BLOCK_LEGACY_AUTOLOAD=y +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_CGROUP_IOLATENCY is not set +# CONFIG_BLK_CGROUP_IOCOST is not set +# CONFIG_BLK_CGROUP_IOPRIO is not set +# CONFIG_BLK_SED_OPAL is not set +# CONFIG_BLK_INLINE_ENCRYPTION is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +# end of Partition Types + +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y +CONFIG_BLK_PM=y + +# +# IO Schedulers +# +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +# end of IO 
Schedulers + +CONFIG_ASN1=y +CONFIG_UNINLINE_SPIN_UNLOCK=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y +CONFIG_ARCH_HAS_SYNC_CORE_BEFORE_USERMODE=y +CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y +CONFIG_FREEZER=y + +# +# Executable file formats +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# end of Executable file formats + +# +# Memory Management options +# +CONFIG_SWAP=y +# CONFIG_ZSWAP is not set + +# +# SLAB allocator options +# +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +# CONFIG_SLAB_FREELIST_HARDENED is not set +# end of SLAB allocator options + +# CONFIG_SHUFFLE_PAGE_ALLOCATOR is not set +CONFIG_COMPAT_BRK=y +CONFIG_SPARSEMEM=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_FAST_GUP=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y +CONFIG_MEMORY_HOTPLUG=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_MHP_MEMMAP_ON_MEMORY=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_PAGE_REPORTING=y +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ARCH_WANTS_THP_SWAP=y +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_NEED_PER_CPU_KM=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +# CONFIG_CMA is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_ARCH_HAS_CURRENT_STACK_POINTER=y 
+CONFIG_ARCH_HAS_PTE_DEVMAP=y +CONFIG_ZONE_DMA=y +CONFIG_ZONE_DMA32=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +CONFIG_VM_EVENT_COUNTERS=y +# CONFIG_PERCPU_STATS is not set + +# +# GUP_TEST needs to have DEBUG_FS enabled +# +CONFIG_ARCH_HAS_PTE_SPECIAL=y +CONFIG_SECRETMEM=y +# CONFIG_ANON_VMA_NAME is not set +# CONFIG_USERFAULTFD is not set +# CONFIG_LRU_GEN is not set + +# +# Data Access Monitoring +# +# CONFIG_DAMON is not set +# end of Data Access Monitoring +# end of Memory Management options + +CONFIG_NET=y +CONFIG_NET_INGRESS=y +CONFIG_NET_EGRESS=y +CONFIG_SKB_EXTENSIONS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +CONFIG_UNIX_SCM=y +CONFIG_AF_UNIX_OOB=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +# CONFIG_TLS_DEVICE is not set +# CONFIG_TLS_TOE is not set +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_INTERFACE=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_AH=y +CONFIG_XFRM_ESP=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_XFRM_ESPINTCP=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +# CONFIG_SYN_COOKIES is not set +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_NET_FOU_IP_TUNNELS is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_ESPINTCP=y +CONFIG_INET_IPCOMP=y +CONFIG_INET_TABLE_PERTURB_ORDER=16 +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is 
not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_ESPINTCP=y +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_IPV6_VTI=y +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_IPV6_RPL_LWTUNNEL is not set +# CONFIG_IPV6_IOAM6_LWTUNNEL is not set +# CONFIG_MPTCP is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_EGRESS=y +CONFIG_NETFILTER_NETLINK=y +CONFIG_NETFILTER_FAMILY_ARP=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +# CONFIG_NETFILTER_NETLINK_OSF is not set +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_SYSLOG=y +CONFIG_NETFILTER_CONNCOUNT=y +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CONNTRACK_LABELS is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not 
set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_REDIRECT=y +CONFIG_NF_NAT_MASQUERADE=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y 
+CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +# end of Core Netfilter Configuration + +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_TPROXY_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y 
+CONFIG_NF_REJECT_IPV4=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y +# end of IP: Netfilter Configuration + +# +# IPv6: Netfilter Configuration +# +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_TPROXY_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +# CONFIG_IP6_NF_MATCH_SRH is not set +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y +CONFIG_IP6_NF_TARGET_NPT=y +# end of IPv6: Netfilter Configuration + +CONFIG_NF_DEFRAG_IPV6=y +# CONFIG_NF_CONNTRACK_BRIDGE is not set +# CONFIG_BPFILTER is not set +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_LLC2 is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not 
set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +CONFIG_DNS_RESOLVER=y +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_NET_NSH is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_QRTR is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# end of Network testing +# end of Networking options + +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +CONFIG_STREAM_PARSER=y +# CONFIG_MCTP is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_FD=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +CONFIG_NET_SOCK_MSG=y +CONFIG_FAILOVER=y +CONFIG_ETHTOOL_NETLINK=y + +# +# Device Drivers +# +CONFIG_HAVE_EISA=y +# CONFIG_EISA is not set +CONFIG_HAVE_PCI=y +CONFIG_PCI=y +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCIEASPM=y +CONFIG_PCIEASPM_DEFAULT=y +# CONFIG_PCIEASPM_POWERSAVE is not set +# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set +# CONFIG_PCIEASPM_PERFORMANCE is not set +# CONFIG_PCIE_PTM is not set +CONFIG_PCI_MSI=y +CONFIG_PCI_QUIRKS=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_STUB is not set +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y 
+CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_HOTPLUG_PCI is not set + +# +# PCI controller drivers +# +# CONFIG_VMD is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT_HOST is not set +# CONFIG_PCI_MESON is not set +# end of DesignWare PCI Core Support + +# +# Mobiveil PCIe Core Support +# +# end of Mobiveil PCIe Core Support + +# +# Cadence PCIe controllers support +# +# end of Cadence PCIe controllers support +# end of PCI controller drivers + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set +# end of PCI Endpoint + +# +# PCI switch controller drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +# end of PCI switch controller drivers + +# CONFIG_CXL_BUS is not set +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +# CONFIG_DEVTMPFS_SAFE is not set +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y + +# +# Firmware loader +# +CONFIG_FW_LOADER=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER is not set +# CONFIG_FW_LOADER_COMPRESS is not set +CONFIG_FW_CACHE=y +# CONFIG_FW_UPLOAD is not set +# end of Firmware loader + +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y +# end of Generic Driver Options + +# +# Bus devices +# +# CONFIG_MHI_BUS is not set +# CONFIG_MHI_BUS_EP is not set +# end of Bus devices + +# CONFIG_CONNECTOR is not set + +# +# Firmware Drivers +# + +# +# ARM System Control and Management Interface Protocol +# +# end of ARM System Control and Management Interface Protocol + +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_SYSFB_SIMPLEFB is not set +# 
CONFIG_GOOGLE_FIRMWARE is not set + +# +# Tegra firmware driver +# +# end of Tegra firmware driver +# end of Firmware Drivers + +# CONFIG_GNSS is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_ZRAM is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_UBLK is not set + +# +# NVME Support +# +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set +# CONFIG_NVME_TCP is not set +# end of NVME Support + +# +# Misc devices +# +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_DW_XDATA_PCIE is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_XILINX_SDFEC is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# end of EEPROM support + +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# +# end of Texas Instruments shared transport line discipline + +# +# Altera FPGA firmware download module (requires I2C) +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_BCM_VK is not set +# CONFIG_MISC_ALCOR_PCI is not set +# CONFIG_MISC_RTSX_PCI is not set +# CONFIG_HABANA_AI is not set +# CONFIG_UACCE is not set +# CONFIG_PVPANIC is not set +# end of Misc devices + +# 
+# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# end of SCSI device support + +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_TARGET_CORE is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# end of IEEE 1394 (FireWire) support + +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_WIREGUARD is not set +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_IPVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_BAREUDP is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ASIX=y +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_CX_ECAT is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not 
set +# CONFIG_BNX2X is not set +# CONFIG_SYSTEMPORT is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +CONFIG_NET_VENDOR_CORTINA=y +CONFIG_NET_VENDOR_DAVICOM=y +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_ENGLEDER=y +# CONFIG_TSNEP is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_FUNGIBLE=y +# CONFIG_FUN_ETH is not set +CONFIG_NET_VENDOR_GOOGLE=y +# CONFIG_GVE is not set +CONFIG_NET_VENDOR_HUAWEI=y +# CONFIG_HINIC is not set +CONFIG_NET_VENDOR_I825XX=y +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_ICE is not set +# CONFIG_FM10K is not set +# CONFIG_IGC is not set +CONFIG_NET_VENDOR_WANGXUN=y +# CONFIG_NGBE is not set +# CONFIG_TXGBE is not set +# CONFIG_JME is not set +CONFIG_NET_VENDOR_LITEX=y +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +# CONFIG_OCTEON_EP is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is 
not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MICROCHIP=y +# CONFIG_LAN743X is not set +# CONFIG_VCAP is not set +CONFIG_NET_VENDOR_MICROSEMI=y +CONFIG_NET_VENDOR_MICROSOFT=y +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +CONFIG_NET_VENDOR_NI=y +# CONFIG_NI_XGE_MANAGEMENT_ENET is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETERION=y +# CONFIG_S2IO is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_VENDOR_PACKET_ENGINES=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_PENSANDO=y +# CONFIG_IONIC is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +# CONFIG_RMNET is not set +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_SOCIONEXT=y +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set 
+CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_PHY_SEL is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VERTEXCOM=y +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +CONFIG_NET_VENDOR_XILINX=y +# CONFIG_XILINX_EMACLITE is not set +# CONFIG_XILINX_AXI_EMAC is not set +# CONFIG_XILINX_LL_TEMAC is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_PHYLIB is not set +# CONFIG_PSE_CONTROLLER is not set +# CONFIG_MDIO_DEVICE is not set + +# +# PCS device drivers +# +# end of PCS device drivers + +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_MICROCHIP=y +CONFIG_WLAN_VENDOR_PURELIFI=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_SILABS=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y +# CONFIG_WAN is not set + +# +# Wireless WAN +# +# CONFIG_WWAN is not set +# end of Wireless WAN + +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +CONFIG_NET_FAILOVER=y +# CONFIG_ISDN is not set + +# +# Input device support +# +CONFIG_INPUT=y +CONFIG_INPUT_FF_MEMLESS=y +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set +CONFIG_INPUT_VIVALDIFMAP=y + +# +# Userland 
interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set +# end of Hardware I/O ports +# end of Input device support + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set 
+CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +CONFIG_LEGACY_TIOCSTI=y +CONFIG_LDISC_AUTOLOAD=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_LANTIQ is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_FSL_LINFLEXUART is not set +# CONFIG_SERIAL_SPRD is not set +# end of Serial drivers + +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_N_GSM is not set +# CONFIG_NOZOMI is not set +# CONFIG_NULL_TTY is not set +CONFIG_HVC_DRIVER=y +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +CONFIG_HW_RANDOM=y +# CONFIG_HW_RANDOM_TIMERIOMEM is not set +CONFIG_HW_RANDOM_INTEL=y +CONFIG_HW_RANDOM_AMD=y +# CONFIG_HW_RANDOM_BA431 is not set +# CONFIG_HW_RANDOM_VIA is not set +CONFIG_HW_RANDOM_VIRTIO=y +# CONFIG_HW_RANDOM_XIPHERA is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +CONFIG_DEVMEM=y +# CONFIG_NVRAM is not set +CONFIG_DEVPORT=y +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +# CONFIG_XILLYBUS is not set +# end of Character devices + +# +# I2C support +# +# CONFIG_I2C is not set +# end of I2C support + +# CONFIG_I3C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set +CONFIG_PTP_1588_CLOCK_OPTIONAL=y + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. 
+# +# end of PTP clock support + +# CONFIG_PINCTRL is not set +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +CONFIG_POWER_SUPPLY_HWMON=y +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_SAMSUNG_SDI is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_BATTERY_GOLDFISH is not set +CONFIG_HWMON=y +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_AS370 is not set +# CONFIG_SENSORS_AXI_FAN_CONTROL is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_CORSAIR_CPRO is not set +# CONFIG_SENSORS_CORSAIR_PSU is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_MR75203 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_OXP is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +# 
CONFIG_SENSORS_ASUS_EC is not set +CONFIG_THERMAL=y +# CONFIG_THERMAL_NETLINK is not set +# CONFIG_THERMAL_STATISTICS is not set +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_WRITABLE_TRIPS=y +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +CONFIG_THERMAL_GOV_USER_SPACE=y +# CONFIG_THERMAL_EMULATION is not set + +# +# Intel thermal drivers +# +# CONFIG_INTEL_POWERCLAMP is not set +CONFIG_X86_THERMAL_VECTOR=y +CONFIG_X86_PKG_TEMP_THERMAL=y +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# end of ACPI INT340X thermal drivers + +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_INTEL_TCC_COOLING is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_INTEL_HFI_THERMAL is not set +# end of Intel thermal drivers + +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_MADERA is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_INTEL_PMC_BXT is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TQMX86 is not set +# CONFIG_MFD_VX855 is not set +# end of Multifunction device drivers + +# CONFIG_REGULATOR is not set +CONFIG_RC_CORE=y +# CONFIG_LIRC is not set +CONFIG_RC_MAP=y +CONFIG_RC_DECODERS=y +# CONFIG_IR_IMON_DECODER is not set 
+CONFIG_IR_JVC_DECODER=y +CONFIG_IR_MCE_KBD_DECODER=y +CONFIG_IR_NEC_DECODER=y +CONFIG_IR_RC5_DECODER=y +CONFIG_IR_RC6_DECODER=y +# CONFIG_IR_RCMM_DECODER is not set +CONFIG_IR_SANYO_DECODER=y +CONFIG_IR_SHARP_DECODER=y +CONFIG_IR_SONY_DECODER=y +CONFIG_IR_XMP_DECODER=y +# CONFIG_RC_DEVICES is not set + +# +# CEC support +# +# CONFIG_MEDIA_CEC_SUPPORT is not set +# end of CEC support + +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ARM devices +# +# end of ARM devices + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# end of Frame buffer Devices + +# +# Backlight & LCD device support +# +CONFIG_LCD_CLASS_DEVICE=y +# CONFIG_LCD_PLATFORM is not set +CONFIG_BACKLIGHT_CLASS_DEVICE=y +# CONFIG_BACKLIGHT_APPLE is not set +# CONFIG_BACKLIGHT_QCOM_WLED is not set +# CONFIG_BACKLIGHT_SAHARA is not set +# end of Backlight & LCD device support + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +# end of Console display driver support +# end of Graphics support + +CONFIG_SOUND=y +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +# CONFIG_HID_COUGAR is not set +# CONFIG_HID_MACALLY is not set +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_GLORIOUS is not set +# CONFIG_HID_VIVALDI is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not 
set +# CONFIG_HID_VIEWSONIC is not set +# CONFIG_HID_VRC2 is not set +# CONFIG_HID_XIAOMI is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_JABRA is not set +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MALTRON is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_REDRAGON=y +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PXRC is not set +# CONFIG_HID_RAZER is not set +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SEMITEK is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEAM is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_TOPRE is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set +# end of Special HID drivers + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +# end of Intel ISH HID support + +# +# AMD SFH HID Support +# +# CONFIG_AMD_SFH_HID is not set +# end of AMD SFH HID Support +# end of HID support + +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +# CONFIG_USB_ULPI_BUS is not set +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB dual-mode controller drivers +# + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_NOP_USB_XCEIV is not set +# end of USB 
Physical Layer drivers + +# CONFIG_USB_GADGET is not set +# CONFIG_TYPEC is not set +# CONFIG_USB_ROLE_SWITCH is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_DMABUF_HEAPS is not set +# end of DMABUF options + +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VFIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO_ANCHOR=y +CONFIG_VIRTIO=y +CONFIG_VIRTIO_PCI_LIB=y +CONFIG_VIRTIO_PCI_LIB_LEGACY=y +CONFIG_VIRTIO_MENU=y +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set +# CONFIG_VDPA is not set +CONFIG_VHOST_MENU=y +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set + +# +# Microsoft Hyper-V guest support +# +# end of Microsoft Hyper-V guest support + +# CONFIG_GREYBUS is not set +# CONFIG_COMEDI is not set +# CONFIG_STAGING is not set +# CONFIG_CHROME_PLATFORMS is not set +# CONFIG_MELLANOX_PLATFORM is not set +CONFIG_SURFACE_PLATFORMS=y +# CONFIG_SURFACE_GPE is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACPI_WMI is not set +# CONFIG_ACERHDF is not set +# CONFIG_ACER_WIRELESS is not set +# CONFIG_AMD_PMF is not set +# CONFIG_AMD_HSMP is not set +# CONFIG_ADV_SWBUTTON is not set +# CONFIG_APPLE_GMUX is not set +# CONFIG_ASUS_LAPTOP is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_X86_PLATFORM_DRIVERS_DELL is not set +# CONFIG_FUJITSU_LAPTOP is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_GPD_POCKET_FAN is not set +# CONFIG_X86_PLATFORM_DRIVERS_HP is not set +# CONFIG_WIRELESS_HOTKEY is not set 
+# CONFIG_IBM_RTL is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_ATOMISP2_PM is not set +# CONFIG_INTEL_SAR_INT1092 is not set +# CONFIG_INTEL_PMC_CORE is not set + +# +# Intel Speed Select Technology interface support +# +# CONFIG_INTEL_SPEED_SELECT_INTERFACE is not set +# end of Intel Speed Select Technology interface support + +# +# Intel Uncore Frequency Control +# +# CONFIG_INTEL_UNCORE_FREQ_CONTROL is not set +# end of Intel Uncore Frequency Control + +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_INTEL_VSEC is not set +# CONFIG_SAMSUNG_LAPTOP is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_PANASONIC_LAPTOP is not set +# CONFIG_SYSTEM76_ACPI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_SCU_PCI is not set +# CONFIG_INTEL_SCU_PLATFORM is not set +# CONFIG_SIEMENS_SIMATIC_IPC is not set +# CONFIG_WINMATE_FM07_KEYS is not set +# CONFIG_P2SB is not set +CONFIG_HAVE_CLK=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y +# CONFIG_XILINX_VCU is not set +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# end of Clock Source drivers + +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_IOVA=y +CONFIG_IOMMU_API=y +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# end of Generic IOMMU Pagetable Support + +# CONFIG_IOMMU_DEFAULT_DMA_STRICT is not set +CONFIG_IOMMU_DEFAULT_DMA_LAZY=y +# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set +CONFIG_IOMMU_DMA=y +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IOMMUFD is not set +# CONFIG_IRQ_REMAP is not set +# CONFIG_VIRTIO_IOMMU is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set +# end of Remoteproc drivers + +# +# Rpmsg drivers +# +# CONFIG_RPMSG_VIRTIO 
is not set +# end of Rpmsg drivers + +# CONFIG_SOUNDWIRE is not set + +# +# SOC (System On Chip) specific Drivers +# + +# +# Amlogic SoC drivers +# +# end of Amlogic SoC drivers + +# +# Broadcom SoC drivers +# +# end of Broadcom SoC drivers + +# +# NXP/Freescale QorIQ SoC drivers +# +# end of NXP/Freescale QorIQ SoC drivers + +# +# fujitsu SoC drivers +# +# end of fujitsu SoC drivers + +# +# i.MX SoC drivers +# +# end of i.MX SoC drivers + +# +# Enable LiteX SoC Builder specific drivers +# +# end of Enable LiteX SoC Builder specific drivers + +# +# Qualcomm SoC drivers +# +# end of Qualcomm SoC drivers + +# CONFIG_SOC_TI is not set + +# +# Xilinx SoC drivers +# +# end of Xilinx SoC drivers +# end of SOC (System On Chip) specific Drivers + +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_PWM is not set + +# +# IRQ chip support +# +# end of IRQ chip support + +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_USB_LGM_PHY is not set +# CONFIG_PHY_CAN_TRANSCEIVER is not set + +# +# PHY drivers for Broadcom platforms +# +# CONFIG_BCM_KONA_USB2_PHY is not set +# end of PHY drivers for Broadcom platforms + +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_PHY_INTEL_LGM_EMMC is not set +# end of PHY Subsystem + +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# end of Performance monitor support + +# CONFIG_RAS is not set +# CONFIG_USB4 is not set + +# +# Android +# +# CONFIG_ANDROID_BINDER_IPC is not set +# end of Android + +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set + +# +# HW tracing support +# +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +# end of HW tracing support + +# CONFIG_FPGA is not set +# CONFIG_TEE is not set +# CONFIG_SIOX is not set +# 
CONFIG_SLIMBUS is not set +# CONFIG_INTERCONNECT is not set +# CONFIG_COUNTER is not set +# CONFIG_PECI is not set +# CONFIG_HTE is not set +# end of Device Drivers + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_VALIDATE_FS_PARSER=y +CONFIG_FS_IOMAP=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +# CONFIG_FS_VERITY is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +CONFIG_AUTOFS_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +CONFIG_NETFS_SUPPORT=y +# CONFIG_NETFS_STATS is not set +# CONFIG_FSCACHE is not set +# end of Caches + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set +# end of CD-ROM/DVD Filesystems + +# +# DOS/FAT/EXFAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_EXFAT_FS is not set +# CONFIG_NTFS_FS is not set +# CONFIG_NTFS3_FS is not set +# end of DOS/FAT/EXFAT/NT Filesystems + +# 
+# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_PROC_PID_ARCH_STATUS=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_TMPFS_INODE64 is not set +# CONFIG_HUGETLBFS is not set +CONFIG_ARCH_WANT_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y +CONFIG_MEMFD_CREATE=y +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y +# CONFIG_CONFIGFS_FS is not set +# end of Pseudo filesystems + +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +# CONFIG_EROFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_SMB_SERVER is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# 
CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set +# CONFIG_UNICODE is not set +CONFIG_IO_WQ=y +# end of File systems + +# +# Security options +# +CONFIG_KEYS=y +# CONFIG_KEYS_REQUEST_CACHE is not set +# CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_BIG_KEYS is not set +# CONFIG_TRUSTED_KEYS is not set +# CONFIG_ENCRYPTED_KEYS is not set +# CONFIG_KEY_DH_OPERATIONS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y 
+CONFIG_LSM="yama,loadpin,safesetid,integrity" + +# +# Kernel hardening options +# + +# +# Memory initialization +# +CONFIG_INIT_STACK_NONE=y +# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set +# CONFIG_INIT_ON_FREE_DEFAULT_ON is not set +CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y +# CONFIG_ZERO_CALL_USED_REGS is not set +# end of Memory initialization + +CONFIG_RANDSTRUCT_NONE=y +# end of Kernel hardening options +# end of Security options + +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_SKCIPHER=y +CONFIG_CRYPTO_SKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_SIMD=y +# end of Crypto core or helper + +# +# Public-key cryptography +# +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_DH=y +# CONFIG_CRYPTO_DH_RFC7919_GROUPS is not set +CONFIG_CRYPTO_ECC=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_ECDSA=y +# CONFIG_CRYPTO_ECRDSA is not set +CONFIG_CRYPTO_SM2=y +CONFIG_CRYPTO_CURVE25519=y +# end of Public-key cryptography + +# +# Block ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARIA=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_DES=y +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SM4=y +# CONFIG_CRYPTO_SM4_GENERIC is not set +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +# end of Block 
ciphers + +# +# Length-preserving ciphers and modes +# +CONFIG_CRYPTO_ADIANTUM=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CBC=y +# CONFIG_CRYPTO_CFB is not set +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +# CONFIG_CRYPTO_HCTR2 is not set +# CONFIG_CRYPTO_KEYWRAP is not set +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_OFB=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_NHPOLY1305=y +# end of Length-preserving ciphers and modes + +# +# AEAD (authenticated encryption with associated data) ciphers +# +# CONFIG_CRYPTO_AEGIS128 is not set +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y +# CONFIG_CRYPTO_ESSIV is not set +# end of AEAD (authenticated encryption with associated data) ciphers + +# +# Hashes, digests, and MACs +# +CONFIG_CRYPTO_BLAKE2B=y +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_SHA1=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SM3=y +# CONFIG_CRYPTO_SM3_GENERIC is not set +# CONFIG_CRYPTO_STREEBOG is not set +# CONFIG_CRYPTO_VMAC is not set +CONFIG_CRYPTO_WP512=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_XXHASH is not set +# end of Hashes, digests, and MACs + +# +# CRCs (cyclic redundancy checks) +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +# end of CRCs (cyclic redundancy checks) + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y +# CONFIG_CRYPTO_ZSTD is not set +# end of Compression + +# +# Random number generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y 
+CONFIG_CRYPTO_JITTERENTROPY=y +# end of Random number generation + +# +# Userspace interface +# +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y +CONFIG_CRYPTO_STATS=y +# end of Userspace interface + +CONFIG_CRYPTO_HASH_INFO=y + +# +# Accelerated Cryptographic Algorithms for CPU (x86) +# +CONFIG_CRYPTO_CURVE25519_X86=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_SM4_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y +CONFIG_CRYPTO_ARIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +# CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 is not set +CONFIG_CRYPTO_NHPOLY1305_SSE2=y +CONFIG_CRYPTO_NHPOLY1305_AVX2=y +CONFIG_CRYPTO_BLAKE2S_X86=y +# CONFIG_CRYPTO_POLYVAL_CLMUL_NI is not set +CONFIG_CRYPTO_POLY1305_X86_64=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +CONFIG_CRYPTO_SM3_AVX_X86_64=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# end of Accelerated Cryptographic Algorithms for CPU (x86) + +# CONFIG_CRYPTO_HW is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_FIPS_SIGNATURE_SELFTEST is not set + +# +# Certificates for signature checking +# 
+CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set +# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +# end of Certificates for signature checking + +# +# Library routines +# +# CONFIG_PACKING is not set +CONFIG_BITREVERSE=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +# CONFIG_CORDIC is not set +# CONFIG_PRIME_NUMBERS is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_ARCH_USE_SYM_ANNOTATIONS=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_UTILS=y +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=y +CONFIG_CRYPTO_LIB_GF128MUL=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=y +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=y +CONFIG_CRYPTO_LIB_CHACHA=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519=y +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=y +CONFIG_CRYPTO_LIB_CURVE25519=y +CONFIG_CRYPTO_LIB_DES=y +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=y +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y +CONFIG_CRYPTO_LIB_POLY1305=y +CONFIG_CRYPTO_LIB_CHACHA20POLY1305=y +CONFIG_CRYPTO_LIB_SHA1=y +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +# CONFIG_CRC64_ROCKSOFT is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC64 is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y 
+CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_DMA_OPS=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_SWIOTLB=y +# CONFIG_DMA_API_DEBUG is not set +CONFIG_SGL_ALLOC=y +CONFIG_IOMMU_HELPER=y +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y +CONFIG_HAVE_GENERIC_VDSO=y +CONFIG_GENERIC_GETTIMEOFDAY=y +CONFIG_GENERIC_VDSO_TIME_NS=y +CONFIG_SG_POOL=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_ARCH_HAS_COPY_MC=y +CONFIG_ARCH_STACKWALK=y +CONFIG_SBITMAP=y +# end of Library routines + +# +# Kernel hacking +# + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +# CONFIG_PRINTK_CALLER is not set +# CONFIG_STACKTRACE_BUILD_ID is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_CONSOLE_LOGLEVEL_QUIET=4 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set +# CONFIG_DYNAMIC_DEBUG is not set +# CONFIG_DYNAMIC_DEBUG_CORE is not set +CONFIG_SYMBOLIC_ERRNAME=y +CONFIG_DEBUG_BUGVERBOSE=y +# end of printk and dmesg options + +CONFIG_DEBUG_KERNEL=y +CONFIG_DEBUG_MISC=y + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +CONFIG_AS_HAS_NON_CONST_LEB128=y +# CONFIG_DEBUG_INFO_NONE is not set +CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_DEBUG_INFO_DWARF5 is not set +# CONFIG_DEBUG_INFO_REDUCED is not set +CONFIG_DEBUG_INFO_COMPRESSED_NONE=y +# CONFIG_DEBUG_INFO_COMPRESSED_ZLIB is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM 
is not set +# CONFIG_HEADERS_INSTALL is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_OBJTOOL=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# end of Compile-time checks and compiler options + +# +# Generic Kernel Debugging Instruments +# +# CONFIG_MAGIC_SYSRQ is not set +# CONFIG_DEBUG_FS is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN is not set +CONFIG_HAVE_ARCH_KCSAN=y +CONFIG_HAVE_KCSAN_COMPILER=y +# CONFIG_KCSAN is not set +# end of Generic Kernel Debugging Instruments + +# +# Networking Debugging +# +# CONFIG_NET_DEV_REFCNT_TRACKER is not set +# CONFIG_NET_NS_REFCNT_TRACKER is not set +# CONFIG_DEBUG_NET is not set +# end of Networking Debugging + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_DEBUG_SLAB is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_PAGE_TABLE_CHECK is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +CONFIG_ARCH_HAS_DEBUG_WX=y +# CONFIG_DEBUG_WX is not set +CONFIG_GENERIC_PTDUMP=y +# CONFIG_DEBUG_OBJECTS is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VM_PGTABLE is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y +# CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP is not set +CONFIG_HAVE_ARCH_KASAN=y +CONFIG_HAVE_ARCH_KASAN_VMALLOC=y +CONFIG_CC_HAS_KASAN_GENERIC=y +CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y +# CONFIG_KASAN is not set +CONFIG_HAVE_ARCH_KFENCE=y +# CONFIG_KFENCE is not set +CONFIG_HAVE_ARCH_KMSAN=y +# end of Memory Debugging + +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Oops, Lockups and Hangs +# +# CONFIG_PANIC_ON_OOPS is not set 
+CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +# CONFIG_WQ_WATCHDOG is not set +# end of Debug Oops, Lockups and Hangs + +# +# Scheduler Debugging +# +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHEDSTATS is not set +# end of Scheduler Debugging + +# CONFIG_DEBUG_TIMEKEEPING is not set +CONFIG_DEBUG_PREEMPT=y + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +CONFIG_LOCK_DEBUGGING_SUPPORT=y +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_RWSEMS is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_SCF_TORTURE_TEST is not set +# CONFIG_CSD_LOCK_WAIT_DEBUG is not set +# end of Lock Debugging (spinlocks, mutexes, etc...) 
+ +# CONFIG_DEBUG_IRQFLAGS is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set + +# +# Debug kernel data structures +# +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PLIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_DEBUG_MAPLE_TREE is not set +# end of Debug kernel data structures + +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_RCU_SCALE_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_REF_SCALE_TEST is not set +CONFIG_RCU_CPU_STALL_TIMEOUT=21 +CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0 +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# end of RCU Debugging + +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_RETHOOK=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_OBJTOOL_MCOUNT=y +CONFIG_HAVE_OBJTOOL_NOP_MCOUNT=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_HAVE_BUILDTIME_MCOUNT_SORT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_PREEMPT_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_OSNOISE_TRACER is not set +# CONFIG_TIMERLAT_TRACER is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_BLK_DEV_IO_TRACE is 
not set +# CONFIG_UPROBE_EVENTS is not set +# CONFIG_SYNTH_EVENTS is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set + +# +# x86 Debugging +# +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +# CONFIG_CPA_DEBUG is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set +CONFIG_UNWINDER_ORC=y +# CONFIG_UNWINDER_FRAME_POINTER is not set +# end of x86 Debugging + +# +# Kernel Testing and Coverage +# +# CONFIG_KUNIT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +CONFIG_ARCH_HAS_KCOV=y +CONFIG_CC_HAS_SANCOV_TRACE_PC=y +# CONFIG_KCOV is not set +CONFIG_RUNTIME_TESTING_MENU=y +# CONFIG_TEST_MIN_HEAP is not set +# CONFIG_TEST_DIV64 is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_TEST_REF_TRACKER is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_REED_SOLOMON_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_STRING_SELFTEST is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_SCANF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_XARRAY is not set +# CONFIG_TEST_MAPLE_TREE is not set +# 
CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_IDA is not set
+# CONFIG_FIND_BIT_BENCHMARK is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_SYSCTL is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_TEST_MEMCAT_P is not set
+# CONFIG_TEST_MEMINIT is not set
+# CONFIG_TEST_FREE_PAGES is not set
+# CONFIG_TEST_FPU is not set
+# CONFIG_TEST_CLOCKSOURCE_WATCHDOG is not set
+CONFIG_ARCH_USE_MEMTEST=y
+# CONFIG_MEMTEST is not set
+# end of Kernel Testing and Coverage
+
+#
+# Rust hacking
+#
+# end of Rust hacking
+# end of Kernel hacking
diff -Nru strongswan-5.9.8/testing/hosts/winnetou/etc/ca/index.txt.template strongswan-5.9.11/testing/hosts/winnetou/etc/ca/index.txt.template
--- strongswan-5.9.8/testing/hosts/winnetou/etc/ca/index.txt.template 2021-05-21 07:45:28.000000000 +0000
+++ strongswan-5.9.11/testing/hosts/winnetou/etc/ca/index.txt.template 2023-03-27 21:00:49.000000000 +0000
@@ -5,7 +5,7 @@
 V EE_EXPIRATION 05 unknown /C=CH/O=strongSwan Project/OU=Sales/CN=alice@strongswan.org
 V EE_EXPIRATION 06 unknown /C=CH/O=strongSwan Project/CN=venus.strongswan.org
 V EE_EXPIRATION 07 unknown /C=CH/O=strongSwan Project/OU=Research/CN=bob@strongswan.org
-R EE_EXPIRATION REVOCATION,keyCompromise 08 unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
+R EE_EXPIRATION REVOCATION,keyCompromise 88 unknown /C=CH/O=strongSwan Project/OU=Research/CN=carol@strongswan.org
 V EE_EXPIRATION 09 unknown /C=CH/O=strongSwan Project/OU=Research/serialNumber=002/CN=carol@strongswan.org
 R IM_EXPIRATION REVOCATION,CACompromise 0A unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
 V IM_EXPIRATION 0B unknown /C=CH/O=strongSwan Project/OU=Research/CN=Research CA
diff -Nru strongswan-5.9.8/testing/Makefile.in strongswan-5.9.11/testing/Makefile.in
--- strongswan-5.9.8/testing/Makefile.in 2022-10-03 14:18:11.000000000 +0000
+++ strongswan-5.9.11/testing/Makefile.in 2023-06-12 05:50:45.000000000 +0000
@@ -348,7 +348,6 @@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
-starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
 swanctldir = @swanctldir@
diff -Nru strongswan-5.9.8/testing/scripts/build-certs-chroot strongswan-5.9.11/testing/scripts/build-certs-chroot
--- strongswan-5.9.8/testing/scripts/build-certs-chroot 2022-07-19 12:14:08.000000000 +0000
+++ strongswan-5.9.11/testing/scripts/build-certs-chroot 2023-03-27 21:00:49.000000000 +0000
@@ -428,7 +428,7 @@
 TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
 TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
 CN="carol@strongswan.org"
-SERIAL="08"
+SERIAL="88"
 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
 mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
diff -Nru strongswan-5.9.8/testing/scripts/build-guestkernel strongswan-5.9.11/testing/scripts/build-guestkernel
--- strongswan-5.9.8/testing/scripts/build-guestkernel 2021-05-21 07:45:28.000000000 +0000
+++ strongswan-5.9.11/testing/scripts/build-guestkernel 2023-03-27 21:00:49.000000000 +0000
@@ -21,7 +21,7 @@
 if [[ $KERNELPATCH && ! -f "$KERNELPATCH" ]]
 then
- url=http://download.strongswan.org/uml/$KERNELPATCH
+ url=https://download.strongswan.org/testing/$KERNELPATCH
 log_action "Downloading $url"
 execute "wget -q $url"
 fi
@@ -37,8 +37,9 @@
 then
 log_action "Applying kernel patch"
 bzcat $KERNELPATCH | patch -d $KERNELDIR -p1 >>$LOGFILE 2>&1
- log_status $?
- [ $? -eq 0 ] || exit 1
+ status=$?
+ log_status $status
+ [ $status -eq 0 ] || exit 1
 fi
 fi
 cd $KERNELDIR
diff -Nru strongswan-5.9.8/testing/scripts/recipes/011_botan.mk strongswan-5.9.11/testing/scripts/recipes/011_botan.mk
--- strongswan-5.9.8/testing/scripts/recipes/011_botan.mk 2022-03-11 11:01:49.000000000 +0000
+++ strongswan-5.9.11/testing/scripts/recipes/011_botan.mk 2023-03-27 21:00:49.000000000 +0000
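Review bot: `SERIAL="88"` is a magic value that must agree with carol's revoked entry in testing/hosts/winnetou/etc/ca/index.txt.template, which this same change moves from 08 to 88, and nothing in either file records that coupling. A one-line comment would keep the next change in step: `SERIAL="88"  # must match carol's revoked-cert row in hosts/winnetou/etc/ca/index.txt.template`. The reason for picking a value with the high bit set is not visible here; if it is meant to exercise a serial that needs a leading zero byte in its DER INTEGER encoding, that belongs in the same comment.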
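Review bot: The move to `url=https://download.strongswan.org/testing/$KERNELPATCH` protects the transfer, but `execute "wget -q $url"` still hands whatever arrives to `patch -p1` against the kernel tree (next hunk) without any integrity check, so a substituted file on the download side is applied silently. Pinning an expected digest next to `KERNELPATCH` in testing.conf and checking it right after the download would close that gap, e.g. `echo "<expected-sha256>  $KERNELPATCH" | sha256sum -c -` (placeholder digest). The tarball fetched from the `SRC` URL changed in 013_strongswan.mk has the same property if that download is not verified elsewhere. The surrounding script logic continues outside this hunk.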
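Review bot: `status=$?` after `bzcat $KERNELPATCH | patch -d $KERNELDIR -p1` captures only the exit status of `patch`, the last command in the pipeline, so a failing `bzcat` (missing or truncated patch file) is caught only if `patch` itself rejects the resulting input, which is not guaranteed for empty input. The script already uses bash (`[[ ... ]]` in the earlier hunk), so either `set -o pipefail` near the top of the script or testing `${PIPESTATUS[0]}` together with `$status` would make the check reliable. The enclosing `if` blocks begin before this hunk.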
@@ -2,7 +2,7 @@
 PKG = botan
 SRC = https://github.com/randombit/$(PKG).git
-REV = 2.19.1
+REV = 2.19.3
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
diff -Nru strongswan-5.9.8/testing/scripts/recipes/012_wolfssl.mk strongswan-5.9.11/testing/scripts/recipes/012_wolfssl.mk
--- strongswan-5.9.8/testing/scripts/recipes/012_wolfssl.mk 2022-09-30 09:13:45.000000000 +0000
+++ strongswan-5.9.11/testing/scripts/recipes/012_wolfssl.mk 2023-04-19 02:21:27.000000000 +0000
@@ -2,7 +2,7 @@
 PKG = wolfssl
 SRC = https://github.com/wolfSSL/$(PKG).git
-REV = v5.5.1-stable
+REV = v5.6.0-stable
 NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
@@ -27,8 +27,8 @@
 --enable-ecccustcurves \
 --enable-ed25519 \
 --enable-ed448 \
- --enable-heapmath \
 --enable-keygen \
+ --enable-max-rsa-bits=8192 \
 --enable-md4 \
 --enable-rsapss \
 --enable-sha3 \
diff -Nru strongswan-5.9.8/testing/scripts/recipes/013_strongswan.mk strongswan-5.9.11/testing/scripts/recipes/013_strongswan.mk
--- strongswan-5.9.8/testing/scripts/recipes/013_strongswan.mk 2022-07-19 12:14:08.000000000 +0000
+++ strongswan-5.9.11/testing/scripts/recipes/013_strongswan.mk 2023-03-28 14:11:01.000000000 +0000
@@ -3,7 +3,7 @@
 PV = $(SWANVERSION)
 PKG = strongswan-$(PV)
 TAR = $(PKG).tar.bz2
-SRC = http://download.strongswan.org/$(TAR)
+SRC = https://download.strongswan.org/$(TAR)
 # can be passed to load sources from a directory instead of a tarball
 ifneq ($(origin SRCDIR), undefined)
diff -Nru strongswan-5.9.8/testing/scripts/recipes/014_swid_generator.mk strongswan-5.9.11/testing/scripts/recipes/014_swid_generator.mk
--- strongswan-5.9.8/testing/scripts/recipes/014_swid_generator.mk 2021-09-27 09:55:09.000000000 +0000
+++ strongswan-5.9.11/testing/scripts/recipes/014_swid_generator.mk 2023-03-28 14:26:01.000000000 +0000
@@ -17,4 +17,4 @@
 @touch $@
 install: .$(PKG)-unpacked-$(REV)
- cd $(DIR) && python3 setup.py install
+ cd $(DIR) && SETUPTOOLS_USE_DISTUTILS=stdlib python3 setup.py install
diff -Nru strongswan-5.9.8/testing/testing.conf strongswan-5.9.11/testing/testing.conf
--- strongswan-5.9.8/testing/testing.conf 2022-10-03 14:16:26.000000000 +0000
+++ strongswan-5.9.11/testing/testing.conf 2023-06-12 05:49:40.000000000 +0000
@@ -24,14 +24,14 @@
 : ${TESTDIR=/srv/strongswan-testing}
 # Kernel configuration
-: ${KERNELVERSION=5.19.11}
+: ${KERNELVERSION=6.2.16}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-5.19}
-: ${KERNELPATCH=ha-5.15-abicompat.patch.bz2}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-6.2}
+: ${KERNELPATCH=ha-6.1-abicompat.patch.bz2}
 # strongSwan version used in tests
-: ${SWANVERSION=5.9.8}
+: ${SWANVERSION=5.9.11}
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
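Review bot: `SETUPTOOLS_USE_DISTUTILS=stdlib python3 setup.py install` depends on the stdlib `distutils` module, which was removed in Python 3.12, so this recipe will break again on newer guest images, and `setup.py install` is itself deprecated by setuptools. A comment recording why the variable is set would help whoever hits that next, e.g. `# stdlib distutils needed here; setuptools' bundled copy fails for this package (confirm)`. If pip is available in the build chroot, which is not visible here, `cd $(DIR) && python3 -m pip install .` would be the durable replacement for the install line.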
@@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -16,5 +16,6 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -20,3 +20,7 @@
 }
 }
 }
+
+libtls {
+ version_max = 1.3
+}
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -16,5 +16,6 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -19,3 +19,7 @@
 }
 }
 }
+
+libtls {
+ version_max = 1.3
+}
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt strongswan-5.9.11/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-sim-only-radius/description.txt 2023-03-27 21:00:49.000000000 +0000
@@ -1,5 +1,5 @@
 The roadwarriors carol and dave set up a connection to gateway moon.
-At the outset the gateway does not send an AUTH payload thus signalling
+At the outset the gateway does not send an AUTH payload thus signaling
 a mutual EAP-only authentication.

 Next the clients use the GSM Subscriber Identity Module (EAP-SIM)
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/description.txt strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/description.txt
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/description.txt 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/description.txt 2023-03-27 21:00:49.000000000 +0000
@@ -2,3 +2,6 @@
 The strong mutual authentication of both peers is based on EAP-TLS only (without a separate IKEv2 authentication), using TLS client and server certificates, respectively.
+
+The roadwarrior dave doesn't have the appropriate CA certificate installed
+and, therefore, doesn't trust gateway moon's certificate and rejects it.
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,8 +1,12 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::no issuer certificate found for \"C=CH, O=strongSwan Project, CN=moon.strongswan.org\"::YES
+dave::cat /var/log/daemon.log::no TLS public key found for server 'C=CH, O=strongSwan Project, CN=moon.strongswan.org'::YES
+dave::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::NO
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TLS failed for peer C=CH, O=strongSwan Project, OU=Accounting, CN=dave@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=C=CH, O=strongSwan Project, CN=moon.strongswan.org 
 remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -14,3 +14,7 @@
 }
 }
 }
+
+libtls {
+ version_max = 1.3
+}
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-tls updown
+
+ multiple_authentication=no
+ syslog {
+ daemon {
+ tls = 2
+ }
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/dave/etc/swanctl/swanctl.conf 2023-03-27 21:00:49.000000000 +0000
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-tls
+ certs = daveCert.pem
+ }
+ remote {
+ auth = eap-tls
+ id = "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
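Review bot: `multiple_authentication=no` in dave's new strongswan.conf is written without the spaces around `=` that the other strongswan.conf files added in this change use (`multiple_authentication = no`); for consistency across the fixtures it should read `multiple_authentication = no`. The setting is parsed either way, so this is purely a style point. It is also worth a short comment on that line in the test fixture, e.g. `# dave has no CA certificate for moon (see pretest.dat), so EAP-TLS is expected to fail`, since nothing in dave's own host directory shows why this roadwarrior is configured at all.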
@@ -16,5 +16,6 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 }
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/posttest.dat strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/posttest.dat 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/posttest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,5 +1,7 @@
+dave::systemctl stop strongswan
 carol::swanctl --terminate --ike home
 carol::systemctl stop strongswan
 moon::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/pretest.dat strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/pretest.dat 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/pretest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,12 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+dave::rm /etc/swanctl/x509ca/*
 moon::systemctl start strongswan
 carol::systemctl start strongswan
+dave::systemctl start strongswan
 moon::expect-connection rw-eap
 carol::expect-connection home
+dave::expect-connection home
 carol::swanctl --initiate --child home 2> /dev/null
+dave::swanctl --initiate --child home 2> /dev/null
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/test.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/test.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-only/test.conf 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-only/test.conf 2023-03-27 21:00:49.000000000 +0000
@@ -5,11 +5,11 @@
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice carol moon"
+VIRTHOSTS="alice carol dave moon"
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w-d.png"
 # Guest instances on which tcpdump is to be started
 #
@@ -18,7 +18,7 @@
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
 # charon controlled by swanctl
 #
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-sha3-rsa/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,4 +1,6 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
 moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 
 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -5,9 +5,10 @@
 }
 charon-systemd {
- load = random nonce md5 sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+ load = random nonce md5 sha1 sha2 sha3 aes hmac gcm kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
 }
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -5,5 +5,9 @@
 }
 charon-systemd {
- load = random nonce md5 sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+ load = random nonce md5 sha1 sha2 sha3 aes hmac gcm kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+}
+
+libtls {
+ version_max = 1.3
 }
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat strongswan-5.9.11/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_256_GCM_SHA384::YES
 dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -16,5 +16,6 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
diff -Nru strongswan-5.9.8/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -19,3 +19,7 @@
 }
 }
 }
+
+libtls {
+ version_max = 1.3
+}
diff -Nru strongswan-5.9.8/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt strongswan-5.9.11/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt
--- strongswan-5.9.8/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt 2021-06-24 08:11:12.000000000 +0000
+++ strongswan-5.9.11/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/description.txt 2023-03-27 21:00:49.000000000 +0000
@@ -1,5 +1,5 @@
 The roadwarriors carol and dave set up a connection to gateway moon.
-At the outset the gateway does not send an AUTH payload thus signalling
+At the outset the gateway does not send an AUTH payload thus signaling
 a mutual EAP-only authentication.

 Next the clients use the GSM Subscriber Identity Module (EAP-SIM)
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/description.txt strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/description.txt
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/description.txt 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/description.txt 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,11 @@
+A connection between the hosts moon and sun is set up.
+The authentication is based on X.509 certificates and the kernel-libipsec
+plugin is used for userland IPsec ESP encryption. In this scenario, UDP encapsulation
+isn't enforced by the plugin as sending of raw ESP packets is enabled.
+Firewall marks are used to make the direct ESP connection possible and
+still allow IKE traffic to flow freely between the two hosts.
+

+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+ipsec0 tun interface. In order to test both host-to-host tunnel and firewall,
+moon pings sun.
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/evaltest.dat strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/evaltest.dat
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/evaltest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/evaltest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,5 @@
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,24 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+
+ multiple_authentication = no
+
+ plugins {
+ kernel-netlink {
+ fwmark = !0x42
+ }
+ socket-default {
+ fwmark = 0x42
+ }
+ kernel-libipsec {
+ allow_peer_ts = yes
+ raw_esp = yes
+ }
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /etc/updown
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/updown strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/moon/etc/updown 2023-06-08 10:35:17.000000000 +0000
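Review bot: The paired `fwmark = !0x42` (kernel-netlink) and `fwmark = 0x42` (socket-default) settings in moon's new strongswan.conf are the mechanism the whole scenario depends on, but nothing in the file says what they achieve; only description.txt mentions that marks keep IKE flowing while ESP goes out raw. A comment above the `plugins` block would let a reader of the fixture see the intent without the description, e.g. `# IKE packets sent from charon's own sockets carry mark 0x42; the kernel-netlink routing rule only applies to packets without that mark (see description.txt)` — the exact interaction with the libipsec routing is my reading of the two options and should be confirmed against the plugin documentation before wording it as fact. The same applies to `raw_esp = yes` and `allow_peer_ts = yes` in the kernel-libipsec section, which are the non-default settings this test exists for. sun's strongswan.conf in the later hunk is an identical copy and would take the same comment.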
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-host)
+ iptables -I OUTPUT 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I INPUT 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-host)
+ iptables -D OUTPUT -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D INPUT -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000
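Review bot: In the `up-host` branch the script's exit status is whatever the second `iptables -I INPUT` returns, so a failed `iptables -I OUTPUT` is masked when the INPUT insertion succeeds and the CHILD_SA comes up without the rule this test is meant to exercise. Adding `set -e` directly after the `#!/bin/sh` line makes the first failing command terminate the script with a non-zero status that charon can report; for `down-host` this also means a failed first `-D` skips the second, which seems acceptable for a test fixture but deserves a one-line comment. The ICMP branch appends the peer port as `type/code` to `S_MY_PORT`/`D_MY_PORT` and leaves `S_PEER_PORT`/`D_PEER_PORT` unset, which is hard to follow without context; a header comment such as `# reduced updown hook: only installs ACCEPT rules on the ipsec0 tun interface` would help, since the script appears to be a trimmed copy of a larger updown script. The hunk adding sun's updown is a verbatim copy of this one and gets the same review.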
@@ -0,0 +1,24 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+
+ multiple_authentication = no
+
+ plugins {
+ kernel-netlink {
+ fwmark = !0x42
+ }
+ socket-default {
+ fwmark = 0x42
+ }
+ kernel-libipsec {
+ allow_peer_ts = yes
+ raw_esp = yes
+ }
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,26 @@
+connections {
+
+ host-host {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ updown = /etc/updown
+ esp_proposals = aes128-sha256-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/hosts/sun/etc/updown 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-host)
+ iptables -I OUTPUT 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I INPUT 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-host)
+ iptables -D OUTPUT -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D INPUT -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/posttest.dat strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/posttest.dat
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/posttest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/posttest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike host-host 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::sysctl --pattern net.ipv4.conf.all.rp_filter --system
+sun::sysctl --pattern net.ipv4.conf.all.rp_filter --system
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/pretest.dat strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/pretest.dat
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/pretest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/pretest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,9 @@
+moon::sysctl -w net.ipv4.conf.all.rp_filter=2
+sun::sysctl -w net.ipv4.conf.all.rp_filter=2
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+sun::expect-connection host-host
+moon::expect-connection host-host
+moon::swanctl --initiate --child host-host 2> /dev/null
diff -Nru strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/test.conf strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/test.conf
--- strongswan-5.9.8/testing/tests/libipsec/host2host-cert-raw/test.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/host2host-cert-raw/test.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/description.txt strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/description.txt
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/description.txt 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/description.txt 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,14 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates and the kernel-libipsec
+plugin is used for userland IPsec ESP encryption.
+

+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+ipsec0 tun interface. In order to test both tunnel and firewall, client alice
+behind gateway moon pings client bob located behind gateway sun.
+

+This scenario is mainly to test how fragmented IPv6 packets are handled (e.g. determining
+the protocol via IPv6 extension headers). Three pings are required due to PMTUD, the first
+is rejected by moon, so alice adjusts the MTU. The second gets through,
+but the response is rejected by sun, so bob will adjust the MTU. The third
+finally is successful.
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/evaltest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/evaltest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/evaltest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/evaltest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,5 @@
+alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES
+moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1:\:/16\[ipv6-icmp]] remote-ts=\[fec2:\:/16\[ipv6-icmp]]::YES
+sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2:\:/16\[ipv6-icmp]] remote-ts=\[fec1:\:/16\[ipv6-icmp]]::YES
+sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = fec1::0/16[ipv6-icmp]
+ remote_ts = fec2::0/16[ipv6-icmp]
+
+ updown = /etc/updown
+ esp_proposals = aes256gcm128-ecp384
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes256-sha384-ecp384
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/moon/etc/updown 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,603 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the reqid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. 
+# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_IF_ID_IN +# is an optional XFRM interface ID set on the inbound IPsec SA +# +# PLUTO_IF_ID_OUT +# is an optional XFRM interface ID set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" 
>&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. 
+ PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. 
+ ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000 +++ 
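Review bot: The `up-client:)` and `down-client:)` arms are the only ones this copy customises (they force `PLUTO_INTERFACE=ipsec0` and add FORWARD rules), yet they call IPv4 `iptables` with `$PLUTO_MY_CLIENT`/`$PLUTO_PEER_CLIENT`, which in this scenario are the IPv6 prefixes `fec1::0/16` and `fec2::0/16` from swanctl.conf, while the `up-client-v6:)` and `down-client-v6:)` arms stay empty. The header comment says the `-v6` suffix follows the gateway address family, which here is IPv4, but whichever verb the updown plugin actually emits for an IPv6 selector over IPv4 IKE (please confirm against the plugin) no usable rule results: `iptables` rejects an IPv6 address and the `-v6` arm installs nothing, so the firewall leg that description.txt says this test exercises is not really covered. Mirroring the two rules with `ip6tables` in the `-v6` arms, as below, works for either outcome; sun's copy of this script in the next file section has the same gap.
```shell
up-client-v6:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	PLUTO_INTERFACE=ipsec0
	ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
	;;
down-client-v6:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	PLUTO_INTERFACE=ipsec0
	ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
	ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
	;;
# … unchanged: the iptables-parameter arms and the final unknown-verb arm …
```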
strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = fec2::0/16[ipv6-icmp]
+ remote_ts = fec1::0/16[ipv6-icmp]
+
+ updown = /etc/updown
+ esp_proposals = aes256gcm128-ecp384
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes256-sha384-ecp384
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/hosts/sun/etc/updown 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,603 @@ +#!/bin/sh +# default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the reqid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_SOURCEIP +# PLUTO_PEER_SOURCEIP4_$i +# PLUTO_PEER_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP sent to an initiator, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. 
+# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_IF_ID_IN +# is an optional XFRM interface ID set on the inbound IPsec SA +# +# PLUTO_IF_ID_OUT +# is an optional XFRM interface ID set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# comment to disable logging VPN connections to syslog +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older release?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete release?" 
>&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. 
+ PLUTO_INTERFACE=ipsec0 + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. 
+ ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/posttest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/posttest.dat --- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/posttest.dat 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/posttest.dat 2023-06-08 10:35:17.000000000 +0000 
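Review bot: The `up-client:` and `down-client:` arms overwrite the `PLUTO_INTERFACE` that charon exports with a hard-coded `PLUTO_INTERFACE=ipsec0`, contradicting the header comment that says the variable names the interface to use, and the literal is repeated in both arms. The other updown scripts in this series set a single `TUN_NAME=ipsec0` near the top; doing the same here, with a comment along the lines of `# libipsec delivers decrypted traffic on its tun device, so filter on it rather than on the interface charon reports -- confirm`, would keep the override in one place and explain it. Those two arms also call IPv4 `iptables`, while this host's swanctl.conf selects IPv6 traffic (fec2::0/16); if `PLUTO_MY_CLIENT`/`PLUTO_PEER_CLIENT` carry those selectors under the `up-client` verb, `iptables` will reject the addresses, so it is worth confirming which verb and address family charon emits for an IPv6-in-IPv4 child. The remaining ~580 lines are the stock `_updown`, which this test never invokes with the `iptables` argument, so a copy trimmed to the arms actually used would be easier to review.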
@@ -0,0 +1,9 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+alice::"ip route del fec2:\:/16 via fec1:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
+bob::"ip route del fec1:\:/16 via fec2:\:1"
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/pretest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/pretest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/pretest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/pretest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+alice::"ip route add fec2:\:/16 via fec1:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
+bob::"ip route add fec1:\:/16 via fec2:\:1"
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/test.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/test.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip4/test.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip4/test.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/description.txt strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/description.txt
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/description.txt 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/description.txt 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,11 @@
+An IPv6 ESP tunnel connection between the gateways moon and sun is set up.
+It connects the two IPv6 subnets hiding behind their respective gateways.
+The authentication is based on X.509 certificates and the kernel-libipsec
+plugin is used for userland IPsec ESP encryption. In this scenario, UDP encapsulation
+isn't enforced by the plugin as sending of raw ESP packets is enabled.
+

+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+ipsec0 tun interface. In order to test both tunnel and firewall, client alice
+behind gateway moon sends an IPv6 ICMP request to client bob behind sun
+using the ping6 command.
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/evaltest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/evaltest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/evaltest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/evaltest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,5 @@
+alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org.*: icmp_seq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES
+sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+ plugins {
+ kernel-libipsec {
+ raw_esp = yes
+ }
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,36 @@
+connections {
+
+ gw-gw {
+ local_addrs = fec0::1
+ remote_addrs = fec0::2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = fec1::0/16
+ remote_ts = fec2::0/16
+
+ updown = /etc/updown
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
\ No newline at end of file
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/moon/etc/updown 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-client-v6)
+ ip6tables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client-v6)
+ ip6tables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ip6tables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/strongswan.conf 2023-06-08 10:35:17.000000000
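Review bot: `TUN_NAME=ipsec0` hard-codes the filtered interface and the `PLUTO_INTERFACE` charon exports is never read, but nothing says why; a comment at the assignment such as `# filter on libipsec's tun device, not on PLUTO_INTERFACE -- confirm charon reports the outer interface here` would stop a later cleanup from switching to `$PLUTO_INTERFACE` and silently matching no tunnelled traffic. The `case "$PLUTO_VERB"` has no `*)` arm, so any other verb (including an `up-client` without the `-v6` suffix) falls through and the script exits 0 with no rule installed; `*) echo "$0: unhandled verb \`$PLUTO_VERB'" >&2 ;;` would surface that in the test log. Unlike the stock `_updown`, no `PATH` is set, so finding `ip6tables` relies entirely on the environment charon passes in. The sun copy of this script further down appears identical and has the same points.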
+0000
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici ker_nel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+ plugins {
+ kernel-libipsec {
+ raw_esp = yes
+ }
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
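Review bot: The `charon-systemd.load` list on the eighth line of the hunk names `ker_nel-libipsec`, while moon's counterpart loads `kernel-libipsec`. If that underscore is really in the file rather than an artifact of this rendering, no plugin by that name exists, so charon on sun would log a failed plugin load and, as the entry carries no `!` critical marker, start without libipsec; the raw-ESP path this test exists to exercise would then never run on the responder. The entry should read `kernel-libipsec`, matching moon.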
@@ -0,0 +1,37 @@
+connections {
+
+ gw-gw {
+ local_addrs = fec0::2
+ remote_addrs = fec0::1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = fec2::0/16
+ remote_ts = fec1::0/16
+
+ updown = /etc/updown
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
+
+authorities {
+ strongswan {
+ cacert = strongswanCert.pem
+ crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
+ }
+}
\ No newline at end of file
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/hosts/sun/etc/updown 2023-06-08 10:35:17.000000000 +0000
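Review bot: The `net-net` child sets `updown` twice, `updown = /etc/updown` followed by `updown = /usr/local/libexec/ipsec/_updown iptables`; a key holds one value, so one of these is dead, and moon's copy of this file (36 lines against 37 here) has only the first. My expectation is that the later definition wins, which would run the stock `_updown` with its `-m policy` matches on sun instead of the tun-based `/etc/updown` the test ships; whichever way the parser resolves it, the second line looks like a leftover and should be dropped so both gateways use `/etc/updown`.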
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-client-v6)
+ ip6tables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client-v6)
+ ip6tables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ip6tables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/posttest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/posttest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/posttest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/posttest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,11 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+alice::"ip route del fec2:\:/16 via fec1:\:1"
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
+bob::"ip route del fec1:\:/16 via fec2:\:1"
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/pretest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/pretest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/pretest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/pretest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec2:\:/16 via fec1:\:1"
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
+bob::"ip route add fec1:\:/16 via fec2:\:1"
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/test.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/test.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/test.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ip6-in-ip6-raw/test.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# IP protocol used by IPsec is IPv6
+#
+IPV6=1
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/description.txt strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/description.txt
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/description.txt 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/description.txt 1970-01-01 00:00:00.000000000 +0000
@@ -1,14 +0,0 @@
-A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on X.509 certificates and the kernel-libipsec
-plugin is used for userland IPsec ESP encryption.
-

-Upon the successful establishment of the IPsec tunnel, an updown script automatically
-inserts iptables-based firewall rules that let pass the traffic tunneled via the
-ipsec0 tun interface. In order to test both tunnel and firewall, client alice
-behind gateway moon pings client bob located behind gateway sun.
-

-This scenario is mainly to test how fragmented IPv6 packets are handled (e.g. determining
-the protocol via IPv6 extension headers). Three pings are required due to PMTUD, the first
-is rejected by moon, so alice adjusts the MTU. The second gets through,
-but the response is rejected by sun, so bob will adjust the MTU. The third
-finally is successful.
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/evaltest.dat 1970-01-01 00:00:00.000000000 +0000
@@ -1,5 +0,0 @@
-alice::ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org::8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3::YES
-moon ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1::/16\[ipv6-icmp]] remote-ts=\[fec2::/16\[ipv6-icmp]]::YES
-sun ::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2::/16\[ipv6-icmp]] remote-ts=\[fec1::/16\[ipv6-icmp]]::YES
-sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
-sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
@@ -1,10 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown
- multiple_authentication = no
-}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.1
- remote_addrs = 192.168.0.2
-
- local {
- auth = pubkey
- certs = moonCert.pem
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- id = sun.strongswan.org
- }
- children {
- net-net {
- local_ts = fec1::0/16[ipv6-icmp]
- remote_ts = fec2::0/16[ipv6-icmp]
-
- updown = /etc/updown
- esp_proposals = aes256gcm128-ecp384
- }
- }
- version = 2
- mobike = no
- proposals = aes256-sha384-ecp384
- }
-}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/moon/etc/updown 1970-01-01 00:00:00.000000000 +0000
@@ -1,603 +0,0 @@
-#!/bin/sh
-# default updown script
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2007 Andreas Steffen
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the reqid of the AH|ESP policy
-#
-# PLUTO_PROTO
-# is the negotiated IPsec protocol, ah|esp
-#
-# PLUTO_IPCOMP
-# is not empty if IPComp was negotiated
-#
-# PLUTO_UNIQUEID
-# is the unique identifier of the associated IKE_SA
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_SOURCEIP
-# PLUTO_MY_SOURCEIP4_$i
-# PLUTO_MY_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP received from a responder,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side. For ICMP/ICMPv6 this contains the
-# message type, and PLUTO_PEER_PORT the message code.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_SOURCEIP
-# PLUTO_PEER_SOURCEIP4_$i
-# PLUTO_PEER_SOURCEIP6_$i
-# contains IPv4/IPv6 virtual IP sent to an initiator,
-# $i enumerates from 1 to the number of IP per address family.
-# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
-# virtual IP, IPv4 or IPv6.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side. For ICMP/ICMPv6 this contains the
-# message code, and PLUTO_MY_PORT the message type.
-#
-# PLUTO_XAUTH_ID
-# is an optional user ID employed by the XAUTH protocol
-#
-# PLUTO_MARK_IN
-# is an optional XFRM mark set on the inbound IPsec SA
-#
-# PLUTO_MARK_OUT
-# is an optional XFRM mark set on the outbound IPsec SA
-#
-# PLUTO_IF_ID_IN
-# is an optional XFRM interface ID set on the inbound IPsec SA
-#
-# PLUTO_IF_ID_OUT
-# is an optional XFRM interface ID set on the outbound IPsec SA
-#
-# PLUTO_UDP_ENC
-# contains the remote UDP port in the case of ESP_IN_UDP
-# encapsulation
-#
-# PLUTO_DNS4_$i
-# PLUTO_DNS6_$i
-# contains IPv4/IPv6 DNS server attribute received from a
-# responder, $i enumerates from 1 to the number of servers per
-# address family.
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# comment to disable logging VPN connections to syslog
-VPN_LOGGING=1
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0|1]) # Older release?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete release?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-iptables:iptables) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
-IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
-IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-
-# use protocol specific options to set ports
-case "$PLUTO_MY_PROTOCOL" in
-1) # ICMP
- ICMP_TYPE_OPTION="--icmp-type"
- ;;
-58) # ICMPv6
- ICMP_TYPE_OPTION="--icmpv6-type"
- ;;
-*)
- ;;
-esac
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- if [ -n "$ICMP_TYPE_OPTION" ]
- then
- S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
- D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
- else
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
- fi
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- if [ -n "$ICMP_TYPE_OPTION" ]
- then
- # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
- S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
- D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
- else
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
- fi
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-case "$PLUTO_VERB:$1" in
-up-host:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-host:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- PLUTO_INTERFACE=ipsec0
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- PLUTO_INTERFACE=ipsec0
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
- ;;
-up-host:iptables)
- # connection to me, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # allow IPIP traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed)
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-down-host:iptables)
- # connection to me, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # IPIP exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-up-client:iptables)
- # connection to client subnet, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # allow IPIP traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed).
- # INPUT is correct here even for forwarded traffic.
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-down-client:iptables)
- # connection to client subnet, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # IPIP exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-#
-# IPv6
-#
-up-host-v6:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-host-v6:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-host-v6:iptables)
- # connection to me, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # allow IP6IP6 traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed)
- if [ -n "$PLUTO_IPCOMP" ]
- then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-down-host-v6:iptables)
- # connection to me, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
- #
- # IP6IP6 exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec host connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- fi
- ;;
-up-client-v6:iptables)
- # connection to client subnet, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
- then
- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # allow IP6IP6 traffic because of the implicit SA created by the kernel if
- # IPComp is used (for small inbound packets that are not compressed).
- # INPUT is correct here even for forwarded traffic.
- if [ -n "$PLUTO_IPCOMP" ]
- then
- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection setup
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-down-client-v6:iptables)
- # connection to client subnet, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
- then
- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # a virtual IP requires an INPUT and OUTPUT rule on the host
- # or sometimes host access via the internal IP is needed
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
- then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT $D_MY_PORT \
- $IPSEC_POLICY_IN -j ACCEPT
- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
- $IPSEC_POLICY_OUT -j ACCEPT
- fi
- #
- # IP6IP6 exception teardown
- if [ -n "$PLUTO_IPCOMP" ]
- then
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \
- -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
- fi
- #
- # log IPsec client connection teardown
- if [ $VPN_LOGGING ]
- then
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- fi
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
@@ -1,10 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon-systemd {
- load = random nonce pem pkcs1 x509 openssl curl revocation vici kernel-libipsec kernel-netlink socket-default updown
- multiple_authentication = no
-}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.2
- remote_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- certs = sunCert.pem
- id = sun.strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- net-net {
- local_ts = fec2::0/16[ipv6-icmp]
- remote_ts = fec1::0/16[ipv6-icmp]
-
- updown = /etc/updown
- esp_proposals = aes256gcm128-ecp384
- }
- }
- version = 2
- mobike = no
- proposals = aes256-sha384-ecp384
- }
-}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/hosts/sun/etc/updown 1970-01-01 00:00:00.000000000 +0000
@@ -1,603 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See . -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. 
-# -# PLUTO_REQID -# is the reqid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. 
-# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_IF_ID_IN -# is an optional XFRM interface ID set on the inbound IPsec SA -# -# PLUTO_IF_ID_OUT -# is an optional XFRM interface ID set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" 
>&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- PLUTO_INTERFACE=ipsec0 - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. 
- ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. 
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat --- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/posttest.dat 1970-01-01 00:00:00.000000000 +0000 
@@ -1,9 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2"
-sun::"ip route del fec1:\:/16 via fec0:\:1"
-bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/pretest.dat 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2"
-sun::"ip route add fec1:\:/16 via fec0:\:1"
-bob::"ip route add fec1:\:/16 via fec2:\:1"
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/test.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/test.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-ipv6/test.conf 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-ipv6/test.conf 1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/description.txt strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/description.txt
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/description.txt 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/description.txt 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,9 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates and the kernel-libipsec
+plugin is used for userland IPsec ESP encryption. In this scenario, UDP encapsulation
+isn't enforced by the plugin as sending of raw ESP packets is enabled.
+

+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+ipsec0 tun interface. In order to test both tunnel and firewall, client alice
+behind gateway moon pings client bob located behind gateway sun.
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/evaltest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/evaltest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/evaltest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/evaltest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,5 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000
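Review bot: The two tcpdump lines at the end only assert that raw ESP was observed between moon and sun, not that UDP-encapsulated ESP was absent, so a build that still sent (or additionally negotiated) UDP encapsulation in one or both directions would pass this scenario even though raw_esp is the very property it exists to exercise. A negative match pins that down, e.g. `sun::tcpdump::UDP-encap: ESP::NO`, using whatever form tcpdump renders encapsulated ESP in on the test hosts. The `moon:: swanctl` line also has a stray space after the host separator that the sibling `sun::swanctl` line does not; presumably harmless to the shell, but worth aligning.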
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+ plugins {
+ kernel-libipsec {
+ raw_esp = yes
+ }
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,29 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /etc/updown
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/moon/etc/updown 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-client)
+ iptables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client)
+ iptables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000
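Review bot: The script has no header explaining why its FORWARD rules, unlike the `up-client:iptables` branch of the default `_updown` script, carry no `-m policy --pol ipsec` match; with kernel-libipsec the decrypted packets presumably arrive in clear on the `ipsec0` tun device, so there is no xfrm policy for iptables to match and the rules key on the interface name alone, and someone "hardening" this fixture later could add the policy match and silently drop all tunnel traffic. A comment next to `TUN_NAME=ipsec0` such as `# packets decrypted by kernel-libipsec arrive in clear on the tun device; there is no xfrm policy to match with -m policy, so the rules key on the interface name only` would make that deliberate. The `case "$PLUTO_VERB"` at the end also has no default branch, so any verb other than up-client/down-client (or a typo in one) is ignored without a trace; the default script this replaces rejects unknown verbs explicitly.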
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici ker_nel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+ plugins {
+ kernel-libipsec {
+ raw_esp = yes
+ }
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,30 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /etc/updown
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/hosts/sun/etc/updown 2023-06-08 10:35:17.000000000 +0000
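Review bot: The charon-systemd `load` line reads `ker_nel-libipsec`, while moon's counterpart and the `plugins { kernel-libipsec { … } }` section three lines below both spell it `kernel-libipsec`; if that underscore is in the committed file rather than an artefact of how this page was rendered, charon on sun would try to load a plugin that does not exist and the userland ESP backend this scenario depends on would never be registered there. Please check the file byte-for-byte and, if needed, make it `load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown`.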
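Review bot: The net-net child sets `updown` twice, `updown = /etc/updown` followed by `updown = /usr/local/libexec/ipsec/_updown iptables`; swanctl.conf is a key/value settings file in which a key holds a single value, so only one of the two scripts can actually run (I believe the later definition wins), and the scenario description's statement that the fixture's own updown script installs the `ipsec0` FORWARD rules would then not hold on sun. The stock `_updown iptables` rules are built around `-m policy --pol ipsec` (see the copy of the default script removed elsewhere in this diff), which cannot match cleartext packets coming off the libipsec tun, so if alice's ping in evaltest passes anyway the firewall half of the test is not being exercised on this host. Drop the `_updown iptables` line so sun matches moon, which keeps only `updown = /etc/updown`.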
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+TUN_NAME=ipsec0
+
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
+fi
+
+case "$PLUTO_VERB" in
+up-client)
+ iptables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client)
+ iptables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+esac
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/posttest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/posttest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/posttest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/posttest.dat 2023-06-08 10:35:17.000000000 +0000
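Review bot: The `case "$PLUTO_VERB"` at the end handles only `up-client` and `down-client` and has no default branch, so every other verb charon may pass (the up-host/down-host family for host-to-host traffic selectors, the -v6 variants, or a mistyped one) exits 0 without installing anything and without a word in the log; the default `_updown` script this fixture stands in for lists its no-op verbs explicitly and rejects the rest. Adding `up-host|down-host) ;;` and `*) echo "$0: unknown verb $PLUTO_VERB" >&2; exit 1 ;;` before `esac` keeps the silence deliberate rather than accidental. The file is otherwise byte-identical to moon's copy, so whatever is decided should be applied to both.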
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/pretest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/pretest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/pretest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/pretest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/test.conf strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/test.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-cert-raw/test.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-cert-raw/test.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/description.txt strongswan-5.9.11/testing/tests/libipsec/net2net-trap/description.txt --- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/description.txt 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/description.txt 2023-06-08 10:35:17.000000000 +0000 @@ -0,0 +1,11 @@ +A tunnel that will connect the subnets behind the gateways moon +and sun, respectively, is preconfigured by installing a trap policy +on gateway moon by means of the setting start_action = trap in swanctl.conf. +A subsequent ping issued by client alice behind gateway moon to +bob located behind gateway sun triggers an acquire and +leads to the automatic establishment of the subnet-to-subnet tunnel. +

+Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +ipsec0 tun interface. In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun. diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/evaltest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-trap/evaltest.dat --- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/evaltest.dat 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/evaltest.dat 2023-06-08 10:35:17.000000000 +0000 
@@ -0,0 +1,8 @@ +moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +moon::cat /var/log/daemon.log::could not find an outbound IPsec SA for reqid {1}, dropping packet and triggering acquire::YES +moon::cat /var/log/daemon.log::creating acquire job for policy with reqid {1}::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/moon/etc/strongswan.conf --- 
strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/moon/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/moon/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000 @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no +} diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/moon/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/moon/etc/swanctl/swanctl.conf --- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/moon/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/moon/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000 @@ -0,0 +1,30 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + start_action = trap + updown = /etc/updown + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + proposals = aes128-sha256-x25519 + } +} diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/moon/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/moon/etc/updown --- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/moon/etc/updown 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/moon/etc/updown 2023-06-08 10:35:17.000000000 +0000 
@@ -0,0 +1,59 @@ +#!/bin/sh + +TUN_NAME=ipsec0 + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +case "$PLUTO_VERB" in +up-client) + iptables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client) + iptables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +esac diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/sun/etc/strongswan.conf strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/sun/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/sun/etc/strongswan.conf 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/sun/etc/strongswan.conf 2023-06-08 10:35:17.000000000 +0000 
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/sun/etc/swanctl/swanctl.conf strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/sun/etc/swanctl/swanctl.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/sun/etc/swanctl/swanctl.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/sun/etc/swanctl/swanctl.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,30 @@
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ start_action = none
+ updown = /etc/updown
+ esp_proposals = aes128gcm128-x25519
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-x25519
+ }
+}
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/sun/etc/updown
--- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/hosts/sun/etc/updown 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/hosts/sun/etc/updown 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,59 @@ +#!/bin/sh + +TUN_NAME=ipsec0 + +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi +fi + +case "$PLUTO_VERB" in +up-client) + iptables -I FORWARD 1 -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-client) + iptables -D FORWARD -o $TUN_NAME -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $TUN_NAME -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +esac diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/posttest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-trap/posttest.dat --- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/posttest.dat 1970-01-01 00:00:00.000000000 +0000 +++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/posttest.dat 2023-06-08 10:35:17.000000000 +0000 
@@ -0,0 +1,5 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::systemctl stop strongswan
+sun::systemctl stop strongswan
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/pretest.dat strongswan-5.9.11/testing/tests/libipsec/net2net-trap/pretest.dat
--- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/pretest.dat 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/pretest.dat 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+# allow traffic from local subnet via TUN device before SA is up
+moon::iptables -I FORWARD -o ipsec0 -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan
+sun::systemctl start strongswan
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+alice::ping -c 3 -W 1 -i 0.2 PH_IP_BOB
diff -Nru strongswan-5.9.8/testing/tests/libipsec/net2net-trap/test.conf strongswan-5.9.11/testing/tests/libipsec/net2net-trap/test.conf
--- strongswan-5.9.8/testing/tests/libipsec/net2net-trap/test.conf 1970-01-01 00:00:00.000000000 +0000
+++ strongswan-5.9.11/testing/tests/libipsec/net2net-trap/test.conf 2023-06-08 10:35:17.000000000 +0000
@@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff -Nru strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown --- strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/updown 2023-03-27 21:00:49.000000000 +0000 @@ -6,8 +6,8 @@ case "${PLUTO_VERB}" in up-client) - /usr/local/libexec/ipsec/xfrmi -n "${IF_NAME_OUT}" -i "${PLUTO_IF_ID_OUT}" -d eth0 - /usr/local/libexec/ipsec/xfrmi -n "${IF_NAME_IN}" -i "${PLUTO_IF_ID_IN}" -d eth0 + ip link add "${IF_NAME_OUT}" type xfrm if_id "${PLUTO_IF_ID_OUT}" dev eth0 + ip link add "${IF_NAME_IN}" type xfrm if_id "${PLUTO_IF_ID_IN}" dev eth0 ip link set "${IF_NAME_OUT}" up ip link set "${IF_NAME_IN}" up ip route add 10.1.0.0/16 dev "${IF_NAME_OUT}" diff -Nru strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi/pretest.dat strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi/pretest.dat --- strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi/pretest.dat 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi/pretest.dat 2023-03-27 21:00:49.000000000 +0000 
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon-out -d eth0 -i 1337
-moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon-in -d eth0 -i 42
+moon::ip link add xfrm-moon-out type xfrm dev eth0 if_id 1337
+moon::ip link add xfrm-moon-in type xfrm dev eth0 if_id 42
 moon::ip link set xfrm-moon-out up
 moon::ip link set xfrm-moon-in up
 moon::ip route add 10.2.0.0/16 dev xfrm-moon-out
diff -Nru strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py
--- strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py 2021-09-27 09:55:09.000000000 +0000
+++ strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py 2023-03-27 21:00:49.000000000 +0000
@@ -27,10 +27,10 @@
 if up:
 logger.info("add XFRM interfaces %s and %s", ifname_in, ifname_out)
- subprocess.call(["/usr/local/libexec/ipsec/xfrmi", "-n", ifname_out,
- "-i", str(if_id_out), "-d", "eth0"])
- subprocess.call(["/usr/local/libexec/ipsec/xfrmi", "-n", ifname_in,
- "-i", str(if_id_in), "-d", "eth0"])
+ subprocess.call(["ip", "link", "add", ifname_out, "type", "xfrm",
+ "if_id", str(if_id_out), "dev", "eth0"])
+ subprocess.call(["ip", "link", "add", ifname_in, "type", "xfrm",
+ "if_id", str(if_id_in), "dev", "eth0"])
 subprocess.call(["ip", "link", "set", ifname_out, "up"])
 subprocess.call(["ip", "link", "set", ifname_in, "up"])
 subprocess.call(["iptables", "-A", "FORWARD", "-o", ifname_out,
diff -Nru strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-ike/pretest.dat strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-ike/pretest.dat
--- strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-ike/pretest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-ike/pretest.dat 2023-03-27 21:00:49.000000000 +0000
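Review bot: The return value of `subprocess.call` is discarded for both new `ip link add ... type xfrm` invocations, so a failure to create the XFRM interface (for instance a stale interface of the same name left behind by an earlier run) is never reported and the following `ip link set ... up` and `iptables` calls operate on a device that does not exist. Switching the two creation calls to `subprocess.check_call([...])` makes the script exit non-zero on that path so the failure is visible in the daemon's updown handling; the enclosing `if up:` block and its function begin and end outside the hunk.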
@@ -1,7 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon-out -d eth0 -i 1337 -moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon-in -d eth0 -i 42 +moon::ip link add xfrm-moon-out type xfrm dev eth0 if_id 1337 +moon::ip link add xfrm-moon-in type xfrm dev eth0 if_id 42 moon::ip link set xfrm-moon-out up moon::ip link set xfrm-moon-in up moon::ip route add 10.2.0.0/16 dev xfrm-moon-out diff -Nru strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown --- strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/updown 2023-03-27 21:00:49.000000000 +0000 @@ -4,7 +4,7 @@ case "${PLUTO_VERB}" in up-client) - /usr/local/libexec/ipsec/xfrmi -n "${IF_NAME}" -i "${PLUTO_IF_ID_IN}" -d eth0 + ip link add "${IF_NAME}" type xfrm if_id "${PLUTO_IF_ID_IN}" dev eth0 ip link set "${IF_NAME}" up ip route add 10.1.0.0/16 dev "${IF_NAME}" iptables -A FORWARD -i "${IF_NAME}" -j ACCEPT diff -Nru strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-netns/pretest.dat strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-netns/pretest.dat --- strongswan-5.9.8/testing/tests/route-based/net2net-xfrmi-netns/pretest.dat 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/route-based/net2net-xfrmi-netns/pretest.dat 2023-03-27 21:00:49.000000000 +0000 
@@ -1,6 +1,6 @@
 moon::iptables-restore < /etc/iptables.rules
 sun::iptables-restore < /etc/iptables.rules
-moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon -i 42 -d eth0
+moon::ip link add xfrm-moon type xfrm if_id 42 dev eth0
 moon::ip link set xfrm-moon up
 moon::ip route add 10.2.0.0/16 dev xfrm-moon
 moon::iptables -A FORWARD -i xfrm-moon -j ACCEPT
diff -Nru strongswan-5.9.8/testing/tests/route-based/rw-shared-xfrmi/pretest.dat strongswan-5.9.11/testing/tests/route-based/rw-shared-xfrmi/pretest.dat
--- strongswan-5.9.8/testing/tests/route-based/rw-shared-xfrmi/pretest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/route-based/rw-shared-xfrmi/pretest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
-moon::/usr/local/libexec/ipsec/xfrmi -n xfrm-moon -i 42 -d eth0
+moon::ip link add xfrm-moon type xfrm if_id 42 dev eth0
 moon::ip link set xfrm-moon up
 moon::ip route add 10.3.0.0/28 dev xfrm-moon
 moon::iptables -A FORWARD -i xfrm-moon -j ACCEPT
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-11/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-11/evaltest.dat
--- strongswan-5.9.8/testing/tests/tnc/tnccs-11/evaltest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-11/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,6 +1,8 @@ +carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown multiple_authentication=no 
@@ -19,7 +19,8 @@ } libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + version_max = 1.3 + suites = TLS_AES_128_GCM_SHA256 } libimcv { diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown multiple_authentication = no @@ -25,7 +25,8 @@ } libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + version_max = 1.3 + suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-20/evaltest.dat --- strongswan-5.9.8/testing/tests/tnc/tnccs-20/evaltest.dat 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20/evaltest.dat 2023-03-27 21:00:49.000000000 +0000 
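Review bot: moon's `libtls` section raises `version_max = 1.3` but keeps `TLS_DHE_RSA_WITH_AES_128_CBC_SHA256` alongside `TLS_AES_128_GCM_SHA256` without saying why; the reason — dave stays on TLS 1.2 and the evaltest expects it to negotiate exactly that suite — is only discoverable from evaltest.dat. A comment above the line, `# TLS 1.2 CBC suite kept so dave (TLS 1.2 client) can still connect`, would record the intent and stop a later clean-up from dropping the legacy suite and breaking the test. The same applies to the moon strongswan.conf of tnccs-20, tnccs-20-block and tnccs-20-client-retry in this patch. Since no `version_min` is set, the accepted floor is whatever libtls defaults to; if the test intends 1.2 as the minimum, pin it explicitly.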
@@ -1,6 +1,8 @@ +carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown multiple_authentication = no 
@@ -14,7 +14,8 @@ } libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + version_max = 1.3 + suites = TLS_AES_128_GCM_SHA256 } libimcv { diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown multiple_authentication = no @@ -21,7 +21,8 @@ } libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + version_max = 1.3 + suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } libimcv { diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-block/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-20-block/evaltest.dat --- strongswan-5.9.8/testing/tests/tnc/tnccs-20-block/evaltest.dat 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-block/evaltest.dat 2023-03-27 21:00:49.000000000 +0000 
@@ -1,6 +1,8 @@ +carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no 
@@ -19,7 +19,8 @@ } libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + version_max = 1.3 + suites = TLS_AES_128_GCM_SHA256 } libimcv { diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown multiple_authentication = no @@ -24,5 +24,6 @@ } libtls { - suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + version_max = 1.3 + suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 } diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat --- strongswan-5.9.8/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat 2021-06-03 10:28:10.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat 2023-03-27 21:00:49.000000000 +0000 
@@ -1,6 +1,8 @@ +carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf --- strongswan-5.9.8/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000 +++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000 @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon-systemd { - load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown multiple_authentication = no 
@@ -14,7 +14,8 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 multiple_authentication = no
@@ -21,7 +21,8 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,9 +1,11 @@
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
 dave:: cat /var/log/daemon.log::collected ... SW records::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
 carol::cat /var/log/daemon.log::collected ... SW ID records::YES
 carol::cat /var/log/daemon.log::strongswan.org__strongSwan.*swidtag::YES
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
 syslog {
 daemon {
@@ -42,3 +42,7 @@
 }
 }
 }
+
+libtls {
+ version_max = 1.3
+}
\ No newline at end of file
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 syslog {
 daemon {
@@ -24,5 +24,6 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
 }
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts/evaltest.dat
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts/evaltest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
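Review bot: The `libtls` block appended to alice's strongswan.conf in the first hunk on this line ends without a trailing newline (`\ No newline at end of file`), which none of the other config files in this diff do; add the newline after the closing `}`. Separately, alice sets only `version_max = 1.3` and leaves `suites` at the libtls default, whereas every moon config in this diff pins the suite list, so the suites the pdp-eap evaltest.dat asserts for carol (`TLS_AES_128_GCM_SHA256`) and dave (`TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`) are whatever the defaults happen to prefer, assuming alice is the EAP-TTLS endpoint here as its `eap-ttls tnc-pdp` plugin list suggests. If the intent is the same pinning as the other servers, add `suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256` to the block; if relying on the defaults is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. The rest of alice's file, including any existing libtls settings, is outside the hunk.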
@@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -20,7 +20,8 @@
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -23,7 +23,8 @@
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac gcm curve25519 kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
 multiple_authentication = no
@@ -20,7 +20,8 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+ load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac gcm curve25519 kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
 multiple_authentication = no
@@ -23,7 +23,8 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-tls/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-20-tls/evaltest.dat
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-tls/evaltest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-tls/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp curve25519 hmac gcm kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
 multiple_authentication = no
@@ -14,7 +14,8 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp curve25519 hmac gcm kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
 multiple_authentication = no
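Review bot: The two tnccs-20-tls `load` lines on this line (carol and moon) insert the new plugins as `gmp curve25519 hmac gcm kdf`, whereas every other config touched by this diff inserts them as `gmp hmac gcm curve25519 kdf`. As far as I can tell the order in `load` has no functional effect, so this is a point of style only, but keeping the fixtures uniform makes the tnc test configs easier to diff against each other. I would change both to `... gmp hmac gcm curve25519 kdf x509 ...` to match the siblings.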
@@ -21,5 +21,6 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-dynamic/evaltest.dat strongswan-5.9.11/testing/tests/tnc/tnccs-dynamic/evaltest.dat
--- strongswan-5.9.8/testing/tests/tnc/tnccs-dynamic/evaltest.dat 2021-06-03 10:28:10.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-dynamic/evaltest.dat 2023-03-27 21:00:49.000000000 +0000
@@ -1,6 +1,8 @@
+carol::cat /var/log/daemon.log::negotiated TLS 1.3 using suite TLS_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
 multiple_authentication=no
 integrity_test = yes
@@ -19,8 +19,9 @@
 }
 }
-ilibtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+libtls {
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
 }
 libimcv {
diff -Nru strongswan-5.9.8/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf strongswan-5.9.11/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
--- strongswan-5.9.8/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf 2022-04-29 06:45:57.000000000 +0000
+++ strongswan-5.9.11/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf 2023-03-27 21:00:49.000000000 +0000
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon-systemd {
- load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac gcm curve25519 kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
 multiple_authentication=no
 integrity_test = yes
@@ -26,6 +26,7 @@
 }
 libtls {
- suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
diff -Nru strongswan-5.9.8/ylwrap strongswan-5.9.11/ylwrap
--- strongswan-5.9.8/ylwrap 2020-09-13 17:50:02.000000000 +0000
+++ strongswan-5.9.11/ylwrap 2023-03-27 21:06:24.000000000 +0000
@@ -3,7 +3,7 @@
 scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1996-2018 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
 #
 # Written by Tom Tromey .
 #