Created attachment 252270 [details]
pfkeyv2.h SADB_EXT_MAX updated to cater for Apple and FreeBSD

The ENUM definition for the sadb_ext_type_names's last value (SADB_EXT_MAX) only caters for Linux (0..25). In the case of FreeBSD and Apple, these values range from 0..28 and 0..35 respectively. Thus during compilation an error is thrown that the array size is initialized to a negative number (see below):

kernel_pfkey_ipsec.c:721:1: error: array size is negative
  721 | ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX, …
../../../../src/libstrongswan/utils/enum.h:121:2: note: expanded from macro 'ENUM'
  121 | ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../../../src/libstrongswan/utils/enum.h:84:3: note: expanded from macro 'ENUM_BEGIN'
   84 | BUILD_ASSERT(((last)-(first)+1) == countof(((char*[]){__VA_ARGS__}))), \
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../../../src/libstrongswan/utils/utils.h:104:38: note: expanded from macro 'BUILD_ASSERT'
  104 | #define BUILD_ASSERT(x) (sizeof(char[(x) ? 0 : -1]))

I have included a patch that solves the bug by updating the SADB_EXT_MAX in pfkeyv2.h depending on which OS it is built on. I have also submitted the patch to strongSwan and await feedback from them.
Initial assessment of the bug was incorrect and the patch won't fix anything. The pfkeyv2.h in the base was updated to cater for hardware offloading and the SADB_EXT_MAX updated to 31 while the ENUM in the kernel_pfkey_ipsec.c still uses the original list. Fix should be to add the additional definitions to the list with compile-time flags (ifdefs) as to whether it should be enabled.
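Added example, not part of the original thread and not strongSwan or FreeBSD code: a reduced C illustration of the fix described in the comment above, where name-table entries are guarded by the same ifdef as the header values so the compile-time count check keeps passing. All DEMO_* names and values are hypothetical, and C11 _Static_assert stands in for the BUILD_ASSERT macro shown in the error output.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical extension-type values; the DEMO_* names are constructed for
 * this example and are not the real SADB_* constants. */
#define DEMO_EXT_RESERVED 0
#define DEMO_EXT_SA       1
#define DEMO_EXT_LIFETIME 2
#define DEMO_HAVE_OFFLOAD 1   /* assumption: provided by the platform header */
#ifdef DEMO_HAVE_OFFLOAD
#define DEMO_EXT_OFFLOAD  3   /* extra value introduced by a newer header */
#define DEMO_EXT_MAX      3
#else
#define DEMO_EXT_MAX      2
#endif

#define countof(a) (sizeof(a) / sizeof((a)[0]))

/* Name table: guarded entries must mirror the guarded #defines above. */
static const char *const demo_ext_names[] = {
	"DEMO_EXT_RESERVED",
	"DEMO_EXT_SA",
	"DEMO_EXT_LIFETIME",
#ifdef DEMO_HAVE_OFFLOAD
	"DEMO_EXT_OFFLOAD",
#endif
};

/* If the header raises DEMO_EXT_MAX without a matching table entry, the
 * build stops here instead of leaving a short table to be indexed later. */
_Static_assert((size_t)(DEMO_EXT_MAX - DEMO_EXT_RESERVED + 1) ==
               countof(demo_ext_names),
               "name table out of sync with DEMO_EXT_MAX");

/* Bounds-checked lookup; returns NULL for values outside the table. */
const char *demo_ext_name(int type)
{
	if (type < DEMO_EXT_RESERVED || type > DEMO_EXT_MAX)
		return NULL;
	return demo_ext_names[type - DEMO_EXT_RESERVED];
}

int main(void)
{
	for (int t = DEMO_EXT_RESERVED; t <= DEMO_EXT_MAX + 1; t++) {
		const char *n = demo_ext_name(t);
		printf("%d -> %s\n", t, n ? n : "(unknown)");
	}
	return 0;
}
```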
I was told that the issue was fixed upstream. In particular (but probably not only) by the commit a7f617ab3328153939cb757a5cf9001071ef8720.
Created attachment 253564 [details]
patch to fix build on -current

Here is a port's patch: build tested on 13.3 and -current. The "make makepatch" updated the headers of all existing files, which is why they were modified too.
Could the maintainer give his feedback about this patch?
The patch to fix on current seems to be correct. We received the same feedback/solution from the strongSwan team.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=825afe0bb41d967ab082d4b658333aafe9cbecc6

commit 825afe0bb41d967ab082d4b658333aafe9cbecc6
Author:     Olivier Cochard <olivier@FreeBSD.org>
AuthorDate: 2024-09-30 11:52:57 +0000
Commit:     Olivier Cochard <olivier@FreeBSD.org>
CommitDate: 2024-09-30 11:59:00 +0000

    security/strongswan: fix build on current

    Backport upstream commit a7f617ab3328153939cb757a5cf9001071ef8720

    PR:             280435
    Approved by:    kwf@nanoteq.com (maintainer)

 security/strongswan/files/patch-conf_Makefile.in | 4 ++--
 ...aron_plugins_kernel__pfkey_kernel__pfkey__ipsec.c (new) | 14 ++++++++++++++
 .../strongswan/files/patch-src_libcharon_plugins_smp_smp.c | 6 +++---
 ...tch-src_libstrongswan_plugins_openssl_openssl__plugin.c | 4 ++--
 .../files/patch-src_libstrongswan_utils_utils_byteorder.h | 4 ++--
 security/strongswan/files/patch-src_starter_Makefile.in | 4 ++--
 security/strongswan/files/patch-src_swanctl_Makefile.in | 4 ++--
 7 files changed, 27 insertions(+), 13 deletions(-)
Thanks!