author | Timo Teräs <timo.teras@iki.fi> | 2015-07-28 11:33:38 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2015-07-28 11:35:47 +0300 |
commit | fc1ceeb02b3e149645205e67bcc009e742140590 (patch) | |
tree | b559837b40485a7c0f77ce6459c03f131191283d | |
parent | c3aa1460dbeb4e1e10972fc00314d7a80413707e (diff) | |
main/strongswan: cherry-pick upstream fixes
also fixes a minor memory leak in patch 1001 (the offending hunk is
now just deleted, as other upstream commits fixed the issue it tried
to address)
33 files changed, 1872 insertions, 193 deletions
diff --git a/main/strongswan/0001-vici-Asynchronize-debug-logging.patch b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch new file mode 100644 index 0000000000..c756f9d3e8 --- /dev/null +++ b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch 
@@ -0,0 +1,169 @@ +From 856ea64129cdc7ee56969524d7abaaae08c22c6a Mon Sep 17 00:00:00 2001 +From: Martin Willi <martin@revosec.ch> +Date: Thu, 2 Jul 2015 09:10:21 +0200 +Subject: [PATCH] vici: Asynchronize debug logging + +The vici logger uses the listener_t.log() callback to raise vici events. + +When doing so, it holds the bus lock as reader while acquiring the vici socket +mutex (1). If at the same time the vici socket enables a writer, that thread +tries to lock the watcher mutex (2). The watcher thread uses debugging while +holding the lock, i.e. acquires the bus read lock (3). + +(1) bus.rlock -> vici.lock! +(2) vici.lock -> watcher.lock! +(3) watcher.lock -> bus.rlock! + +This all actually would resolve just fine, as we have a shared read lock on the +bus. However, under Windows we seem to have a strict writer preference when +acquiring the rwlock (4). This results in blocking read locks until any pending +write lock can be fulfilled, and makes the constellation deadlock. The relevant +threads are: + +Thread (1) +6 0x71313d25 in wait_ at threading/windows/mutex.c:137 +7 0x7054c8a2 in find_entry at vici_socket.c:201 +8 0x7054d690 in send_ at vici_socket.c:624 +9 0x7054f6c1 in send_op at vici_dispatcher.c:119 +10 0x705502c1 in raise_event at vici_dispatcher.c:469 +12 0x704c3878 in log_cb at bus/bus.c:332 +13 0x712c7c3a in invoke_function at collections/linked_list.c:414 +14 0x704c3a63 in vlog at bus/bus.c:400 +15 0x704c3b36 in log_ at bus/bus.c:430 +18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664 +20 0x704f5430 in process_message at sa/ike_sa.c:1369 +21 0x704e3823 in execute at processing/jobs/process_message_job.c:74 +22 0x712e629f in process_job at processing/processor.c:235 + +Thread (2) +4 0x71313b61 in lock at threading/windows/mutex.c:66 +5 0x712e81fd in add at processing/watcher.c:441 +6 0x712e1ab9 in add_watcher at networking/streams/stream.c:213 +7 0x712e1b4d in on_write at networking/streams/stream.c:237 +8 0x7054d606 in 
_cb_enable_writer at vici_socket.c:609 +9 0x712e5e34 in execute at processing/jobs/callback_job.c:77 +10 0x712e629f in process_job at processing/processor.c:235 + +Thread (3) +3 0x71313f38 in read_lock at threading/windows/rwlock.c:74 +4 0x704c3971 in vlog at bus/bus.c:373 +5 0x704cc156 in dbg_bus at daemon.c:126 +6 0x712e7bf9 in watch at processing/watcher.c:316 +7 0x712e5e34 in execute at processing/jobs/callback_job.c:77 +8 0x712e629f in process_job at processing/processor.c:235 + +Thread (4) +3 0x71313f70 in write_lock at threading/windows/rwlock.c:82 +4 0x704c378b in remove_logger at bus/bus.c:290 +5 0x704cb284 in listener_unregister at control/controller.c:166 +6 0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558 +8 0x704cb94e in initiate at control/controller.c:435 +9 0x70553996 in _cb_initiate at vici_control.c:187 +12 0x7054d200 in _cb_process_queue at vici_socket.c:508 +13 0x712e5e34 in execute at processing/jobs/callback_job.c:77 +14 0x712e629f in process_job at processing/processor.c:235 + +To avoid such a situation, we dissolve the (1) lock sequence. It's actually +never good practice to acquire shared locks during bus hooks, as it is +problematic if we raise bus events while holding the lock. We do so by +raising vici events for log message asynchronously, but of curse must keep +log order as is using a synchronized queue. 
+--- + src/libcharon/plugins/vici/vici_logger.c | 48 +++++++++++++++++++++++++++++++- + 1 file changed, 47 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c +index cffd65b..6d3584e 100644 +--- a/src/libcharon/plugins/vici/vici_logger.c ++++ b/src/libcharon/plugins/vici/vici_logger.c +@@ -18,6 +18,7 @@ + + #include <daemon.h> + #include <threading/mutex.h> ++#include <processing/jobs/callback_job.h> + + typedef struct private_vici_logger_t private_vici_logger_t; + +@@ -42,11 +43,54 @@ struct private_vici_logger_t { + int recursive; + + /** ++ * List of messages to raise async events ++ */ ++ linked_list_t *queue; ++ ++ /** + * Mutex to synchronize logging + */ + mutex_t *mutex; + }; + ++/** ++ * Async callback to raise events for queued messages ++ */ ++static job_requeue_t raise_events(private_vici_logger_t *this) ++{ ++ vici_message_t *message; ++ u_int count; ++ ++ this->mutex->lock(this->mutex); ++ count = this->queue->get_count(this->queue); ++ this->queue->remove_first(this->queue, (void**)&message); ++ this->mutex->unlock(this->mutex); ++ ++ if (count > 0) ++ { ++ this->dispatcher->raise_event(this->dispatcher, "log", 0, message); ++ } ++ if (count > 1) ++ { ++ return JOB_REQUEUE_DIRECT; ++ } ++ return JOB_REQUEUE_NONE; ++} ++ ++/** ++ * Queue a message for async processing ++ */ ++static void queue_messsage(private_vici_logger_t *this, vici_message_t *message) ++{ ++ this->queue->insert_last(this->queue, message); ++ if (this->queue->get_count(this->queue) == 1) ++ { ++ lib->processor->queue_job(lib->processor, (job_t*) ++ callback_job_create((callback_job_cb_t)raise_events, ++ this, NULL, NULL)); ++ } ++} ++ + METHOD(logger_t, log_, void, + private_vici_logger_t *this, debug_t group, level_t level, int thread, + ike_sa_t* ike_sa, const char *msg) +@@ -75,7 +119,7 @@ METHOD(logger_t, log_, void, + message = builder->finalize(builder); + if (message) + { +- 
this->dispatcher->raise_event(this->dispatcher, "log", 0, message); ++ queue_messsage(this, message); + } + } + this->recursive--; +@@ -101,6 +145,7 @@ METHOD(vici_logger_t, destroy, void, + private_vici_logger_t *this) + { + manage_commands(this, FALSE); ++ this->queue->destroy_offset(this->queue, offsetof(vici_message_t, destroy)); + this->mutex->destroy(this->mutex); + free(this); + } +@@ -121,6 +166,7 @@ vici_logger_t *vici_logger_create(vici_dispatcher_t *dispatcher) + .destroy = _destroy, + }, + .dispatcher = dispatcher, ++ .queue = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + ); + +-- +2.4.6 + diff --git a/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch new file mode 100644 index 0000000000..ff79e322ec --- /dev/null +++ b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch 
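Review bot: raise_events() removes the message from the queue under the mutex but raises the event only after unlocking, so the log order the commit message says the queue must preserve is not actually guaranteed: once the job has dequeued the last message (count == 1) and released the mutex, a concurrent queue_messsage() finds the queue empty, schedules a second callback job, and that job can raise the newer message on another worker before the first job gets to raise the older one. Raising the head of the queue first and dequeueing it afterwards closes the window, because queue_messsage() then sees a non-empty queue and does not start a second job. Independently, the job holds a raw `this` pointer while destroy() frees the logger without cancelling or draining a pending job; unless the processor is cancelled before plugins are unloaded (not visible here) that is a use-after-free on shutdown and deserves at least a comment in destroy(). The log_ body starts and ends outside the shown context.
```c
static job_requeue_t raise_events(private_vici_logger_t *this)
{
	vici_message_t *message;
	u_int count;

	/* raise the head of the queue before dequeueing it, so a concurrent
	 * queue_messsage() sees a non-empty queue and does not start a second
	 * job that could overtake this one and reorder log events */
	this->mutex->lock(this->mutex);
	if (this->queue->get_first(this->queue, (void**)&message) != SUCCESS)
	{
		this->mutex->unlock(this->mutex);
		return JOB_REQUEUE_NONE;
	}
	this->mutex->unlock(this->mutex);

	this->dispatcher->raise_event(this->dispatcher, "log", 0, message);

	this->mutex->lock(this->mutex);
	this->queue->remove_first(this->queue, (void**)&message);
	count = this->queue->get_count(this->queue);
	this->mutex->unlock(this->mutex);

	return count ? JOB_REQUEUE_DIRECT : JOB_REQUEUE_NONE;
}
```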
@@ -0,0 +1,67 @@ +From 65579569adfa0e2c9602ee250f4554169ba5a87d Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 11 Jun 2015 15:07:07 +0200 +Subject: [PATCH] host: Properly handle NULL in + host_create_from_string[_and_family] + +--- + src/libstrongswan/networking/host.c | 4 ++++ + src/libstrongswan/tests/suites/test_host.c | 6 ++++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c +index 07da3ef..2e464b0 100644 +--- a/src/libstrongswan/networking/host.c ++++ b/src/libstrongswan/networking/host.c +@@ -354,6 +354,10 @@ host_t *host_create_from_string_and_family(char *string, int family, + struct sockaddr_in6 v6; + } addr; + ++ if (!string) ++ { ++ return NULL; ++ } + if (streq(string, "%any")) + { + return host_create_any_port(family ? family : AF_INET, port); +diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c +index 7161b2c..5cb8013 100644 +--- a/src/libstrongswan/tests/suites/test_host.c ++++ b/src/libstrongswan/tests/suites/test_host.c +@@ -104,6 +104,9 @@ START_TEST(test_create_from_string_v4) + { + host_t *host; + ++ host = host_create_from_string(NULL, 500); ++ ck_assert(!host); ++ + host = host_create_from_string("%any", 500); + verify_any(host, AF_INET, 500); + host->destroy(host); +@@ -196,6 +199,7 @@ static void test_create_from_string_and_family_addr(char *string, chunk_t addr, + + START_TEST(test_create_from_string_and_family_v4) + { ++ test_create_from_string_and_family_any(NULL, AF_INET, AF_UNSPEC); + test_create_from_string_and_family_any("%any", AF_INET, AF_INET); + test_create_from_string_and_family_any("%any4", AF_INET, AF_INET); + test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET); +@@ -210,6 +214,7 @@ END_TEST + + START_TEST(test_create_from_string_and_family_v6) + { ++ test_create_from_string_and_family_any(NULL, AF_INET6, AF_UNSPEC); + 
test_create_from_string_and_family_any("%any", AF_INET6, AF_INET6); + test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6); + test_create_from_string_and_family_any("::", AF_INET6, AF_INET6); +@@ -224,6 +229,7 @@ END_TEST + + START_TEST(test_create_from_string_and_family_other) + { ++ test_create_from_string_and_family_any(NULL, AF_UNSPEC, AF_UNSPEC); + test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET); + test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET); + test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET); +-- +2.4.6 + diff --git a/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch new file mode 100644 index 0000000000..c17141460a --- /dev/null +++ b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch 
@@ -0,0 +1,91 @@ +From 390ae7a2c2f899122e722241cb261f53dfc81b9a Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Wed, 8 Jul 2015 15:28:46 +0200 +Subject: [PATCH] ike-sa-manager: Safely access the RNG instance with an rwlock + +Threads might still be allocating SPIs (e.g. triggered by an acquire or +an inbound message) while the main thread calls flush(). If there is a +context switch right after such a thread successfully checked this->rng +in get_spi() and the main thread destroys the RNG instance right then, +that worker thread will cause a segmentation fault when it continues and +attempts to call get_bytes(). + +Fixes #1014. +--- + src/libcharon/sa/ike_sa_manager.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c +index 938f784..987260d 100644 +--- a/src/libcharon/sa/ike_sa_manager.c ++++ b/src/libcharon/sa/ike_sa_manager.c +@@ -1,7 +1,7 @@ + /* + * Copyright (C) 2005-2011 Martin Willi + * Copyright (C) 2011 revosec AG +- * Copyright (C) 2008-2012 Tobias Brunner ++ * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * +@@ -384,6 +384,11 @@ struct private_ike_sa_manager_t { + rng_t *rng; + + /** ++ * Lock to access the RNG instance ++ */ ++ rwlock_t *rng_lock; ++ ++ /** + * reuse existing IKE_SAs in checkout_by_config + */ + bool reuse_ikesa; +@@ -943,12 +948,14 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) + { + u_int64_t spi; + +- if (this->rng && +- this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) ++ this->rng_lock->read_lock(this->rng_lock); ++ if (!this->rng || ++ !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + { +- return spi; ++ spi = 0; + } +- return 0; ++ this->rng_lock->unlock(this->rng_lock); ++ return spi; + } + + /** +@@ -2055,8 +2062,10 @@ METHOD(ike_sa_manager_t, flush, void, + 
charon->bus->set_sa(charon->bus, NULL); + unlock_all_segments(this); + ++ this->rng_lock->write_lock(this->rng_lock); + this->rng->destroy(this->rng); + this->rng = NULL; ++ this->rng_lock->unlock(this->rng_lock); + } + + METHOD(ike_sa_manager_t, destroy, void, +@@ -2081,6 +2090,7 @@ METHOD(ike_sa_manager_t, destroy, void, + free(this->connected_peers_segments); + free(this->init_hashes_segments); + ++ this->rng_lock->destroy(this->rng_lock); + free(this); + } + +@@ -2138,6 +2148,7 @@ ike_sa_manager_t *ike_sa_manager_create() + free(this); + return NULL; + } ++ this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + + this->ikesa_limit = lib->settings->get_int(lib->settings, + "%s.ikesa_limit", 0, lib->ns); +-- +2.4.6 + diff --git a/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch new file mode 100644 index 0000000000..0cf63a3f76 --- /dev/null +++ b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch 
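Review bot: get_spi() now calls get_bytes() while holding only the read side of rng_lock, so several threads can still call get_bytes() on the same rng_t concurrently; the lock protects the pointer against flush(), not the RNG instance, and that assumption should be written down, e.g. `/* read lock only guards this->rng against flush(); get_bytes() itself must be thread-safe */` above the read_lock. In ike_sa_manager_create() the lock is created after the rng NULL-check's early return, so that error path leaks nothing, but if any later failure path exists between this point and the end of the function (outside the hunk) it would now also need to destroy rng_lock. The remaining hunks (copyright year, destroy()) raise nothing.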
@@ -0,0 +1,106 @@ +From 6bfa66069304c1fc1345b4e72762a3b1a80e4338 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 11 Jun 2015 15:42:54 +0200 +Subject: [PATCH] ike-cfg: Add helper function to determine address family of + IP addresses + +All configured static addresses (hostnames, ranges or subnets are not +considered) must be of the same family, otherwise AF_UNSPEC is returned. +--- + src/libcharon/config/ike_cfg.c | 47 ++++++++++++++++++++++++++++++++++++++++++ + src/libcharon/config/ike_cfg.h | 13 +++++++++++- + 2 files changed, 59 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c +index 9464ceb..dee9e4c 100644 +--- a/src/libcharon/config/ike_cfg.c ++++ b/src/libcharon/config/ike_cfg.c +@@ -1,4 +1,5 @@ + /* ++ * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil +@@ -513,6 +514,52 @@ static void parse_addresses(char *str, linked_list_t *hosts, + /** + * Described in header. 
+ */ ++int ike_cfg_get_family(ike_cfg_t *cfg, bool local) ++{ ++ private_ike_cfg_t *this = (private_ike_cfg_t*)cfg; ++ enumerator_t *enumerator; ++ host_t *host; ++ char *str; ++ int family = AF_UNSPEC; ++ ++ if (local) ++ { ++ enumerator = this->my_hosts->create_enumerator(this->my_hosts); ++ } ++ else ++ { ++ enumerator = this->other_hosts->create_enumerator(this->other_hosts); ++ } ++ while (enumerator->enumerate(enumerator, &str)) ++ { ++ if (streq(str, "%any")) ++ { /* ignore %any as its family is undetermined */ ++ continue; ++ } ++ host = host_create_from_string(str, 0); ++ if (host) ++ { ++ if (family == AF_UNSPEC) ++ { ++ family = host->get_family(host); ++ } ++ else if (family != host->get_family(host)) ++ { ++ /* more than one address family defined */ ++ family = AF_UNSPEC; ++ host->destroy(host); ++ break; ++ } ++ } ++ DESTROY_IF(host); ++ } ++ enumerator->destroy(enumerator); ++ return family; ++} ++ ++/** ++ * Described in header. ++ */ + ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, + char *me, u_int16_t my_port, + char *other, u_int16_t other_port, +diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h +index adfcabf..62f5b74 100644 +--- a/src/libcharon/config/ike_cfg.h ++++ b/src/libcharon/config/ike_cfg.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2012 Tobias Brunner ++ * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil +@@ -254,4 +254,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, + char *other, u_int16_t other_port, + fragmentation_t fragmentation, u_int8_t dscp); + ++/** ++ * Determine the address family of the local or remtoe address(es). If multiple ++ * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are ++ * not though). 
++ * ++ * @param local TRUE to check local addresses, FALSE for remote ++ * @return address family of address(es) if distinct ++ */ ++int ike_cfg_get_family(ike_cfg_t *this, bool local); ++ ++ + #endif /** IKE_CFG_H_ @}*/ +-- +2.4.6 + diff --git a/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch new file mode 100644 index 0000000000..7114d6247a --- /dev/null +++ b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch 
@@ -0,0 +1,48 @@ +From a11048adee0aeab8af10259f406363d7cc6beccc Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 11 Jun 2015 15:10:29 +0200 +Subject: [PATCH] ike: Use address family of local address when resolving + remote host + +If static local addresses are configured we should use their address family +as a hint when resolving the remote address. +We don't do this if %any is configured as this might break existing +configurations (%any4 and %any6 are however used as hint). +--- + src/libcharon/sa/ike_sa.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c +index 3aafa4c..0c13c58 100644 +--- a/src/libcharon/sa/ike_sa.c ++++ b/src/libcharon/sa/ike_sa.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2006-2014 Tobias Brunner ++ * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006 Daniel Roethlisberger + * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005 Jan Hutter +@@ -1200,6 +1200,19 @@ static void resolve_hosts(private_ike_sa_t *this) + break; + } + ++ /* if an IP address is set locally, use the same family to resolve remote */ ++ if (family == AF_UNSPEC && !this->remote_host) ++ { ++ if (this->local_host) ++ { ++ family = this->local_host->get_family(this->local_host); ++ } ++ else ++ { ++ family = ike_cfg_get_family(this->ike_cfg, TRUE); ++ } ++ } ++ + if (this->remote_host) + { + host = this->remote_host->clone(this->remote_host); +-- +2.4.6 + diff --git a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch new file mode 100644 index 0000000000..411bc58df9 --- /dev/null +++ b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch 
@@ -0,0 +1,37 @@ +From 6f7a3b33bc044e0c212be54be74b9497d513ca86 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 10 Jul 2015 10:23:02 +0200 +Subject: [PATCH] ike: Fall back to the current remote IP if it resolves to + %any + +In some situations it might be valid for a host that configures +right=%any to reestablish or reauthenticate an IKE_SA. Using %any would +immediately abort the initiation causing the new SA to fail (which +might already have the existing CHILD_SAs assigned). + +Fixes #1027. +--- + src/libcharon/sa/ike_sa.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c +index 0c13c58..752a756 100644 +--- a/src/libcharon/sa/ike_sa.c ++++ b/src/libcharon/sa/ike_sa.c +@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this) + } + if (host) + { +- set_other_host(this, host); ++ if (!host->is_anyaddr(host) || ++ this->other_host->is_anyaddr(this->other_host)) ++ { /* don't set to %any if we currently have an address, but the ++ * address family might have changed */ ++ set_other_host(this, host); ++ } + } + + if (this->local_host) +-- +2.4.6 + diff --git a/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch new file mode 100644 index 0000000000..f7517568c0 --- /dev/null +++ b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch 
@@ -0,0 +1,33 @@ +From 773fcb1605d413997450b59d114a1c035910cc58 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 9 Jul 2015 14:34:19 +0200 +Subject: [PATCH] trap-manager: Properly check-in IKE_SA if initiating fails + +This basically reverts f4e822c1b422 ("trap-manager: don't check-in +nonexisting IKE_SA if acquire fails"). As checkout_by_config() could +return an already existing and established IKE_SA we have to properly +destroy it, for instance, in case other threads are waiting to check +it out. checkin_and_destroy() should handle the case of a new SA +properly (it produces a log message on level 1, though). +--- + src/libcharon/sa/trap_manager.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c +index d6ff3c8..3a70bd1 100644 +--- a/src/libcharon/sa/trap_manager.c ++++ b/src/libcharon/sa/trap_manager.c +@@ -377,8 +377,8 @@ METHOD(trap_manager_t, acquire, void, + } + else + { +- ike_sa->destroy(ike_sa); +- charon->bus->set_sa(charon->bus, NULL); ++ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ++ ike_sa); + } + } + peer->destroy(peer); +-- +2.4.6 + diff --git a/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch new file mode 100644 index 0000000000..1dea7b1391 --- /dev/null +++ b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch 
@@ -0,0 +1,260 @@ +From a229bdce625338117966a53efd0475b2c7c84566 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 9 Jul 2015 12:00:56 +0200 +Subject: [PATCH] trap-manager: Changed how acquires we acted on are tracked + +This fixes potential race conditions in case complete() or flush() is +executed before or concurrently with a thread that handles an acquire. +It will also simplify tracking multiple acquires created for the same +trap policy in the future. + +Also fixes the behavior in some error situations. +--- + src/libcharon/sa/trap_manager.c | 122 ++++++++++++++++++++++++++++------------ + 1 file changed, 86 insertions(+), 36 deletions(-) + +diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c +index 3a70bd1..83b6d6a 100644 +--- a/src/libcharon/sa/trap_manager.c ++++ b/src/libcharon/sa/trap_manager.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2011-2013 Tobias Brunner ++ * Copyright (C) 2011-2015 Tobias Brunner + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * +@@ -18,10 +18,10 @@ + + #include <hydra.h> + #include <daemon.h> ++#include <threading/mutex.h> + #include <threading/rwlock.h> + #include <collections/linked_list.h> + +- + typedef struct private_trap_manager_t private_trap_manager_t; + typedef struct trap_listener_t trap_listener_t; + +@@ -67,6 +67,16 @@ struct private_trap_manager_t { + trap_listener_t listener; + + /** ++ * list of acquires we currently handle ++ */ ++ linked_list_t *acquires; ++ ++ /** ++ * mutex for list of acquires ++ */ ++ mutex_t *mutex; ++ ++ /** + * Whether to ignore traffic selectors from acquires + */ + bool ignore_acquire_ts; +@@ -80,23 +90,45 @@ typedef struct { + char *name; + /** ref to peer_cfg to initiate */ + peer_cfg_t *peer_cfg; +- /** ref to instanciated CHILD_SA */ ++ /** ref to instantiated CHILD_SA (i.e the trap policy) */ + child_sa_t *child_sa; +- /** TRUE if an acquire is pending */ +- bool pending; ++} entry_t; ++ ++/** ++ 
* A handled acquire ++ */ ++typedef struct { + /** pending IKE_SA connecting upon acquire */ + ike_sa_t *ike_sa; +-} entry_t; ++ /** reqid of pending trap policy */ ++ u_int32_t reqid; ++} acquire_t; + + /** + * actually uninstall and destroy an installed entry + */ +-static void destroy_entry(entry_t *entry) ++static void destroy_entry(entry_t *this) ++{ ++ this->child_sa->destroy(this->child_sa); ++ this->peer_cfg->destroy(this->peer_cfg); ++ free(this->name); ++ free(this); ++} ++ ++/** ++ * destroy a cached acquire entry ++ */ ++static void destroy_acquire(acquire_t *this) + { +- entry->child_sa->destroy(entry->child_sa); +- entry->peer_cfg->destroy(entry->peer_cfg); +- free(entry->name); +- free(entry); ++ free(this); ++} ++ ++/** ++ * match an acquire entry by reqid ++ */ ++static bool acquire_by_reqid(acquire_t *this, u_int32_t *reqid) ++{ ++ return this->reqid == *reqid; + } + + METHOD(trap_manager_t, install, u_int32_t, +@@ -314,6 +346,7 @@ METHOD(trap_manager_t, acquire, void, + { + enumerator_t *enumerator; + entry_t *entry, *found = NULL; ++ acquire_t *acquire; + peer_cfg_t *peer; + child_cfg_t *child; + ike_sa_t *ike_sa; +@@ -337,16 +370,29 @@ METHOD(trap_manager_t, acquire, void, + this->lock->unlock(this->lock); + return; + } +- if (!cas_bool(&found->pending, FALSE, TRUE)) ++ reqid = found->child_sa->get_reqid(found->child_sa); ++ ++ this->mutex->lock(this->mutex); ++ if (this->acquires->find_first(this->acquires, (void*)acquire_by_reqid, ++ (void**)&acquire, &reqid) == SUCCESS) + { + DBG1(DBG_CFG, "ignoring acquire, connection attempt pending"); ++ this->mutex->unlock(this->mutex); + this->lock->unlock(this->lock); + return; + } ++ else ++ { ++ INIT(acquire, ++ .reqid = reqid, ++ ); ++ this->acquires->insert_last(this->acquires, acquire); ++ } ++ this->mutex->unlock(this->mutex); ++ + peer = found->peer_cfg->get_ref(found->peer_cfg); + child = found->child_sa->get_config(found->child_sa); + child = child->get_ref(child); +- reqid = 
found->child_sa->get_reqid(found->child_sa); + /* don't hold the lock while checking out the IKE_SA */ + this->lock->unlock(this->lock); + +@@ -363,16 +409,13 @@ METHOD(trap_manager_t, acquire, void, + * have a single TS that we can establish in a Quick Mode. */ + src = dst = NULL; + } ++ ++ this->mutex->lock(this->mutex); ++ acquire->ike_sa = ike_sa; ++ this->mutex->unlock(this->mutex); ++ + if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME) + { +- /* make sure the entry is still there */ +- this->lock->read_lock(this->lock); +- if (this->traps->find_first(this->traps, NULL, +- (void**)&found) == SUCCESS) +- { +- found->ike_sa = ike_sa; +- } +- this->lock->unlock(this->lock); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + else +@@ -381,6 +424,14 @@ METHOD(trap_manager_t, acquire, void, + ike_sa); + } + } ++ else ++ { ++ this->mutex->lock(this->mutex); ++ this->acquires->remove(this->acquires, acquire, NULL); ++ this->mutex->unlock(this->mutex); ++ destroy_acquire(acquire); ++ child->destroy(child); ++ } + peer->destroy(peer); + } + +@@ -391,26 +442,25 @@ static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa) + { + enumerator_t *enumerator; +- entry_t *entry; ++ acquire_t *acquire; + +- this->lock->read_lock(this->lock); +- enumerator = this->traps->create_enumerator(this->traps); +- while (enumerator->enumerate(enumerator, &entry)) ++ this->mutex->lock(this->mutex); ++ enumerator = this->acquires->create_enumerator(this->acquires); ++ while (enumerator->enumerate(enumerator, &acquire)) + { +- if (entry->ike_sa != ike_sa) ++ if (!acquire->ike_sa || acquire->ike_sa != ike_sa) + { + continue; + } +- if (child_sa && child_sa->get_reqid(child_sa) != +- entry->child_sa->get_reqid(entry->child_sa)) ++ if (child_sa && child_sa->get_reqid(child_sa) != acquire->reqid) + { + continue; + } +- entry->ike_sa = NULL; +- entry->pending = FALSE; ++ this->acquires->remove_at(this->acquires, 
enumerator); ++ destroy_acquire(acquire); + } + enumerator->destroy(enumerator); +- this->lock->unlock(this->lock); ++ this->mutex->unlock(this->mutex); + } + + METHOD(listener_t, ike_state_change, bool, +@@ -444,14 +494,10 @@ METHOD(listener_t, child_state_change, bool, + METHOD(trap_manager_t, flush, void, + private_trap_manager_t *this) + { +- linked_list_t *traps; +- /* since destroying the CHILD_SA results in events which require a read +- * lock we cannot destroy the list while holding the write lock */ + this->lock->write_lock(this->lock); +- traps = this->traps; ++ this->traps->destroy_function(this->traps, (void*)destroy_entry); + this->traps = linked_list_create(); + this->lock->unlock(this->lock); +- traps->destroy_function(traps, (void*)destroy_entry); + } + + METHOD(trap_manager_t, destroy, void, +@@ -459,6 +505,8 @@ METHOD(trap_manager_t, destroy, void, + { + charon->bus->remove_listener(charon->bus, &this->listener.listener); + this->traps->destroy_function(this->traps, (void*)destroy_entry); ++ this->acquires->destroy_function(this->acquires, (void*)destroy_acquire); ++ this->mutex->destroy(this->mutex); + this->lock->destroy(this->lock); + free(this); + } +@@ -488,6 +536,8 @@ trap_manager_t *trap_manager_create(void) + }, + }, + .traps = linked_list_create(), ++ .acquires = linked_list_create(), ++ .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .ignore_acquire_ts = lib->settings->get_bool(lib->settings, + "%s.ignore_acquire_ts", FALSE, lib->ns), +-- +2.4.6 + diff --git a/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch new file mode 100644 index 0000000000..60a28724c8 --- /dev/null +++ b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch 
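Review bot: flush() now destroys the trap entries while still holding the write lock and drops the comment that explained why the old code destroyed them after unlocking; this is only safe because the listener path through complete() switched from this->lock to this->mutex, and that dependency should be recorded in flush(), e.g. `/* complete() only takes this->mutex, so CHILD_SA destroy events raised here can't deadlock on this->lock */`. In complete(), the `!acquire->ike_sa ||` guard is presumably there so a NULL ike_sa argument never matches acquires that have not been assigned an IKE_SA yet; a one-line comment would make that intent explicit rather than looking redundant. The acquire() body starts and ends outside the shown hunks.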
@@ -0,0 +1,118 @@ +From 12b3cdba7689113558f58a5265827f3086852bae Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 13 Jul 2015 13:20:14 +0200 +Subject: [PATCH] trap-manager: Resolve race conditions between flush() and + install() + +When flush() is called there might be threads in install() waiting for +trap policies to get installed (without holding the lock). We have to +wait until they updated the entries with the respective CHILD_SAs before +destroying the list. + +We also have to prevent further trap policy installations (and wait until +threads in install() are really finished), otherwise we might end up +destroying CHILD_SA objects after the kernel interface implementations +have already been unloaded (avoiding this is the whole point of calling +flush() before unloading the plugins). +--- + src/libcharon/sa/trap_manager.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c +index 83b6d6a..424d9e7 100644 +--- a/src/libcharon/sa/trap_manager.c ++++ b/src/libcharon/sa/trap_manager.c +@@ -20,8 +20,11 @@ + #include <daemon.h> + #include <threading/mutex.h> + #include <threading/rwlock.h> ++#include <threading/rwlock_condvar.h> + #include <collections/linked_list.h> + ++#define INSTALL_DISABLED ((u_int)~0) ++ + typedef struct private_trap_manager_t private_trap_manager_t; + typedef struct trap_listener_t trap_listener_t; + +@@ -77,6 +80,16 @@ struct private_trap_manager_t { + mutex_t *mutex; + + /** ++ * number of threads currently installing trap policies, or INSTALL_DISABLED ++ */ ++ u_int installing; ++ ++ /** ++ * condvar to signal trap policy installation ++ */ ++ rwlock_condvar_t *condvar; ++ ++ /** + * Whether to ignore traffic selectors from acquires + */ + bool ignore_acquire_ts; +@@ -171,6 +184,11 @@ METHOD(trap_manager_t, install, u_int32_t, + } + + this->lock->write_lock(this->lock); ++ if (this->installing == 
INSTALL_DISABLED) ++ { /* flush() has been called */ ++ this->lock->unlock(this->lock); ++ return 0; ++ } + enumerator = this->traps->create_enumerator(this->traps); + while (enumerator->enumerate(enumerator, &entry)) + { +@@ -204,6 +222,7 @@ METHOD(trap_manager_t, install, u_int32_t, + .peer_cfg = peer->get_ref(peer), + ); + this->traps->insert_first(this->traps, entry); ++ this->installing++; + /* don't hold lock while creating CHILD_SA and installing policies */ + this->lock->unlock(this->lock); + +@@ -252,6 +271,11 @@ METHOD(trap_manager_t, install, u_int32_t, + { + destroy_entry(found); + } ++ this->lock->write_lock(this->lock); ++ /* do this at the end, so entries created temporarily are also destroyed */ ++ this->installing--; ++ this->condvar->signal(this->condvar); ++ this->lock->unlock(this->lock); + return reqid; + } + +@@ -495,8 +519,13 @@ METHOD(trap_manager_t, flush, void, + private_trap_manager_t *this) + { + this->lock->write_lock(this->lock); ++ while (this->installing) ++ { ++ this->condvar->wait(this->condvar, this->lock); ++ } + this->traps->destroy_function(this->traps, (void*)destroy_entry); + this->traps = linked_list_create(); ++ this->installing = INSTALL_DISABLED; + this->lock->unlock(this->lock); + } + +@@ -506,6 +535,7 @@ METHOD(trap_manager_t, destroy, void, + charon->bus->remove_listener(charon->bus, &this->listener.listener); + this->traps->destroy_function(this->traps, (void*)destroy_entry); + this->acquires->destroy_function(this->acquires, (void*)destroy_acquire); ++ this->condvar->destroy(this->condvar); + this->mutex->destroy(this->mutex); + this->lock->destroy(this->lock); + free(this); +@@ -539,6 +569,7 @@ trap_manager_t *trap_manager_create(void) + .acquires = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ++ .condvar = rwlock_condvar_create(), + .ignore_acquire_ts = lib->settings->get_bool(lib->settings, + "%s.ignore_acquire_ts", FALSE, lib->ns), + ); +-- 
+2.4.6 + diff --git a/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch new file mode 100644 index 0000000000..6fa2c339f2 --- /dev/null +++ b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch 
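Review bot: flush() waits with `while (this->installing)`, but after a first flush() this->installing holds INSTALL_DISABLED, which is non-zero and is never decremented, so a second flush() call blocks on the condvar forever; guard it with `while (this->installing && this->installing != INSTALL_DISABLED)` or return early when installation is already disabled. install() returns 0 for the disabled case, the same value as an installation failure, which callers cannot tell apart; a comment on that return such as `/* no reqid: flush() already ran */` would at least make it deliberate. The install() body starts and ends outside the shown hunks.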
@@ -0,0 +1,112 @@ +From f3d39666e0d62fb9a790b72ee7ae2b9255b21cdd Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:35:21 +0200 +Subject: [PATCH] shunt-manager: Add a lock to safely access the list of shunt + policies + +--- + src/libcharon/sa/shunt_manager.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c +index 73e1abb..434bace 100644 +--- a/src/libcharon/sa/shunt_manager.c ++++ b/src/libcharon/sa/shunt_manager.c +@@ -1,4 +1,5 @@ + /* ++ * Copyright (C) 2015 Tobias Brunner + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * +@@ -20,7 +21,6 @@ + #include <threading/rwlock.h> + #include <collections/linked_list.h> + +- + typedef struct private_shunt_manager_t private_shunt_manager_t; + + /** +@@ -37,6 +37,11 @@ struct private_shunt_manager_t { + * Installed shunts, as child_cfg_t + */ + linked_list_t *shunts; ++ ++ /** ++ * Lock to safely access the list of shunts ++ */ ++ rwlock_t *lock; + }; + + /** +@@ -120,6 +125,7 @@ METHOD(shunt_manager_t, install, bool, + bool found = FALSE; + + /* check if not already installed */ ++ this->lock->write_lock(this->lock); + enumerator = this->shunts->create_enumerator(this->shunts); + while (enumerator->enumerate(enumerator, &child_cfg)) + { +@@ -130,14 +136,15 @@ METHOD(shunt_manager_t, install, bool, + } + } + enumerator->destroy(enumerator); +- + if (found) + { + DBG1(DBG_CFG, "shunt %N policy '%s' already installed", + ipsec_mode_names, child->get_mode(child), child->get_name(child)); ++ this->lock->unlock(this->lock); + return TRUE; + } + this->shunts->insert_last(this->shunts, child->get_ref(child)); ++ this->lock->unlock(this->lock); + + return install_shunt_policy(child); + } +@@ -215,6 +222,7 @@ METHOD(shunt_manager_t, uninstall, bool, + enumerator_t *enumerator; + child_cfg_t *child, *found = NULL; + ++ 
this->lock->write_lock(this->lock); + enumerator = this->shunts->create_enumerator(this->shunts); + while (enumerator->enumerate(enumerator, &child)) + { +@@ -226,6 +234,7 @@ METHOD(shunt_manager_t, uninstall, bool, + } + } + enumerator->destroy(enumerator); ++ this->lock->unlock(this->lock); + + if (!found) + { +@@ -239,7 +248,10 @@ METHOD(shunt_manager_t, uninstall, bool, + METHOD(shunt_manager_t, create_enumerator, enumerator_t*, + private_shunt_manager_t *this) + { +- return this->shunts->create_enumerator(this->shunts); ++ this->lock->read_lock(this->lock); ++ return enumerator_create_cleaner( ++ this->shunts->create_enumerator(this->shunts), ++ (void*)this->lock->unlock, this->lock); + } + + METHOD(shunt_manager_t, destroy, void, +@@ -253,6 +265,7 @@ METHOD(shunt_manager_t, destroy, void, + child->destroy(child); + } + this->shunts->destroy(this->shunts); ++ this->lock->destroy(this->lock); + free(this); + } + +@@ -271,6 +284,7 @@ shunt_manager_t *shunt_manager_create() + .destroy = _destroy, + }, + .shunts = linked_list_create(), ++ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +-- +2.4.6 + diff --git a/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch new file mode 100644 index 0000000000..f8af98c62f --- /dev/null +++ b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch 
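Review bot: create_enumerator() now returns an enumerator that keeps `this->lock` read-locked until it is destroyed, but nothing says so, and a caller that invokes install() or uninstall() while still enumerating would take write_lock on a lock it already holds as reader, which deadlocks unless rwlock_t is recursive (the header is not in this hunk). Suggest a comment above the return, `/* read lock is held until the returned enumerator is destroyed; do not call install()/uninstall() while enumerating */`, and the same sentence on the declaration in shunt_manager.h. In install() the lock is dropped before `install_shunt_policy(child)`, so the list briefly advertises a shunt whose kernel policy is not in place yet; the later patches in this commit build on that window rather than close it, so a one-line comment there would help readers.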
@@ -0,0 +1,43 @@ +From 616ff9a2369fd250a2b9e8d2a00f37e2e8d3a2f3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:50:32 +0200 +Subject: [PATCH] shunt-manager: Remove stored entries if installation fails + +--- + src/libcharon/sa/shunt_manager.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c +index 434bace..2e42e7e 100644 +--- a/src/libcharon/sa/shunt_manager.c ++++ b/src/libcharon/sa/shunt_manager.c +@@ -122,7 +122,7 @@ METHOD(shunt_manager_t, install, bool, + { + enumerator_t *enumerator; + child_cfg_t *child_cfg; +- bool found = FALSE; ++ bool found = FALSE, success; + + /* check if not already installed */ + this->lock->write_lock(this->lock); +@@ -146,7 +146,16 @@ METHOD(shunt_manager_t, install, bool, + this->shunts->insert_last(this->shunts, child->get_ref(child)); + this->lock->unlock(this->lock); + +- return install_shunt_policy(child); ++ success = install_shunt_policy(child); ++ ++ if (!success) ++ { ++ this->lock->write_lock(this->lock); ++ this->shunts->remove(this->shunts, child, NULL); ++ this->lock->unlock(this->lock); ++ child->destroy(child); ++ } ++ return success; + } + + /** +-- +2.4.6 + diff --git a/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch new file mode 100644 index 0000000000..3aa6b561bc --- /dev/null +++ b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch 
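Review bot: In the new failure path of install(), `child->destroy(child)` runs whether or not `this->shunts->remove()` actually found the entry; the lock was released before install_shunt_policy(), so a concurrent uninstall() may already have removed the entry and released the list's reference, and this destroy then drops a reference the caller still owns. If remove() returns the number of removed items as elsewhere in linked_list_t, guard on it: `if (this->shunts->remove(this->shunts, child, NULL)) { child->destroy(child); }`. Patch 0011 below moves the locking around this path but keeps the unconditional destroy, so the same applies there.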
@@ -0,0 +1,153 @@ +From bc36530670cbbe2362053f1604f67e481afd336c Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:55:36 +0200 +Subject: [PATCH] shunt-manager: Add flush() method to properly uninstall + shunts + +This will allow us to uninstall shunts before unloading the +kernel-interface plugins. +--- + src/libcharon/sa/shunt_manager.c | 44 ++++++++++++++++++++++++++++++++++++---- + src/libcharon/sa/shunt_manager.h | 6 ++++++ + 2 files changed, 46 insertions(+), 4 deletions(-) + +diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c +index 2e42e7e..1a98443 100644 +--- a/src/libcharon/sa/shunt_manager.c ++++ b/src/libcharon/sa/shunt_manager.c +@@ -19,8 +19,11 @@ + #include <hydra.h> + #include <daemon.h> + #include <threading/rwlock.h> ++#include <threading/rwlock_condvar.h> + #include <collections/linked_list.h> + ++#define INSTALL_DISABLED ((u_int)~0) ++ + typedef struct private_shunt_manager_t private_shunt_manager_t; + + /** +@@ -42,6 +45,16 @@ struct private_shunt_manager_t { + * Lock to safely access the list of shunts + */ + rwlock_t *lock; ++ ++ /** ++ * Number of threads currently installing shunts, or INSTALL_DISABLED ++ */ ++ u_int installing; ++ ++ /** ++ * Condvar to signal shunt installation ++ */ ++ rwlock_condvar_t *condvar; + }; + + /** +@@ -126,6 +139,11 @@ METHOD(shunt_manager_t, install, bool, + + /* check if not already installed */ + this->lock->write_lock(this->lock); ++ if (this->installing == INSTALL_DISABLED) ++ { /* flush() has been called */ ++ this->lock->unlock(this->lock); ++ return FALSE; ++ } + enumerator = this->shunts->create_enumerator(this->shunts); + while (enumerator->enumerate(enumerator, &child_cfg)) + { +@@ -144,17 +162,20 @@ METHOD(shunt_manager_t, install, bool, + return TRUE; + } + this->shunts->insert_last(this->shunts, child->get_ref(child)); ++ this->installing++; + this->lock->unlock(this->lock); + + success = install_shunt_policy(child); + 
++ this->lock->write_lock(this->lock); + if (!success) + { +- this->lock->write_lock(this->lock); + this->shunts->remove(this->shunts, child, NULL); +- this->lock->unlock(this->lock); + child->destroy(child); + } ++ this->installing--; ++ this->condvar->signal(this->condvar); ++ this->lock->unlock(this->lock); + return success; + } + +@@ -263,18 +284,31 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*, + (void*)this->lock->unlock, this->lock); + } + +-METHOD(shunt_manager_t, destroy, void, ++METHOD(shunt_manager_t, flush, void, + private_shunt_manager_t *this) + { + child_cfg_t *child; + ++ this->lock->write_lock(this->lock); ++ while (this->installing) ++ { ++ this->condvar->wait(this->condvar, this->lock); ++ } + while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS) + { + uninstall_shunt_policy(child); + child->destroy(child); + } +- this->shunts->destroy(this->shunts); ++ this->installing = INSTALL_DISABLED; ++ this->lock->unlock(this->lock); ++} ++ ++METHOD(shunt_manager_t, destroy, void, ++ private_shunt_manager_t *this) ++{ ++ this->shunts->destroy_offset(this->shunts, offsetof(child_cfg_t, destroy)); + this->lock->destroy(this->lock); ++ this->condvar->destroy(this->condvar); + free(this); + } + +@@ -290,10 +324,12 @@ shunt_manager_t *shunt_manager_create() + .install = _install, + .uninstall = _uninstall, + .create_enumerator = _create_enumerator, ++ .flush = _flush, + .destroy = _destroy, + }, + .shunts = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ++ .condvar = rwlock_condvar_create(), + ); + + return &this->public; +diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h +index 28a795d..c43f5db 100644 +--- a/src/libcharon/sa/shunt_manager.h ++++ b/src/libcharon/sa/shunt_manager.h +@@ -1,4 +1,5 @@ + /* ++ * Copyright (C) 2015 Tobias Brunner + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * +@@ -56,6 +57,11 @@ struct shunt_manager_t { + 
enumerator_t* (*create_enumerator)(shunt_manager_t *this); + + /** ++ * Clear any installed shunt. ++ */ ++ void (*flush)(shunt_manager_t *this); ++ ++ /** + * Destroy a shunt_manager_t. + */ + void (*destroy)(shunt_manager_t *this); +-- +2.4.6 + diff --git a/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch new file mode 100644 index 0000000000..9d3be529b7 --- /dev/null +++ b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch @@ -0,0 +1,27 @@ +From c04345d5edbbc4c37027cdfc21dba85d03e312af Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:56:33 +0200 +Subject: [PATCH] daemon: Flush shunts before unloading plugins + +--- + src/libcharon/daemon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c +index b1b8f57..316be76 100644 +--- a/src/libcharon/daemon.c ++++ b/src/libcharon/daemon.c +@@ -462,6 +462,10 @@ static void destroy(private_daemon_t *this) + { + this->public.traps->flush(this->public.traps); + } ++ if (this->public.shunts) ++ { ++ this->public.shunts->flush(this->public.shunts); ++ } + if (this->public.sender) + { + this->public.sender->flush(this->public.sender); +-- +2.4.6 + diff --git a/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch new file mode 100644 index 0000000000..56038b46f1 --- /dev/null +++ b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch 
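Review bot: flush() is not idempotent as written: the first call sets `this->installing = INSTALL_DISABLED`, and a second call enters `while (this->installing)` (the value is non-zero) and waits on the condvar forever, because install() now returns early without ever signalling. Either return early, `if (this->installing == INSTALL_DISABLED) { this->lock->unlock(this->lock); return; }`, or loop on `while (this->installing && this->installing != INSTALL_DISABLED)`. The trap_manager flush() added earlier in this commit has the same shape. The header comment `Clear any installed shunt.` should also say that install() is refused after flush() and that destroy() no longer uninstalls kernel policies, so flush() has to run before the kernel-interface plugins are unloaded.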
@@ -0,0 +1,105 @@ +From 86d20b0b40066590f5e26d1f9aca21cc0cba97e1 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 15 Jun 2015 11:46:33 +0200 +Subject: [PATCH] ike-rekey: Reset IKE_SA on the bus after destroying new + IKE_SA + +The destroy() method sets the IKE_SA on the bus to NULL, we reset it to +the current IKE_SA so any events and log messages that follow happen in +the correct context. + +A practical example where this is problematic is a DH group mismatch, +which causes the first CREATE_CHILD_SA exchange to fail. Because the SA +was not reset previously, the message() hook for the CREATE_CHILD_SA +response, for instance, was triggered outside the context of an IKE_SA, +that is, the ike_sa parameter was NULL, which is definitely not expected +by several plugins. + +Fixes #862. +--- + src/libcharon/sa/ikev2/tasks/ike_rekey.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +index 1855517..1dfdc05 100644 +--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c ++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +@@ -116,7 +116,6 @@ static void establish_new(private_ike_rekey_t *this) + lib->processor->queue_job(lib->processor, job); + } + this->new_sa = NULL; +- /* set threads active IKE_SA after checkin */ + charon->bus->set_sa(charon->bus, this->ike_sa); + } + } +@@ -335,15 +334,13 @@ METHOD(task_t, process_i, status_t, + { + charon->ike_sa_manager->checkin( + charon->ike_sa_manager, this->new_sa); +- /* set threads active IKE_SA after checkin */ +- charon->bus->set_sa(charon->bus, this->ike_sa); + } ++ charon->bus->set_sa(charon->bus, this->ike_sa); + this->new_sa = NULL; + establish_new(other); + return SUCCESS; + } + } +- /* set threads active IKE_SA after checkin */ + charon->bus->set_sa(charon->bus, this->ike_sa); + } + +@@ -372,9 +369,13 @@ METHOD(ike_rekey_t, collide, void, + this->collision = 
other; + } + +-METHOD(task_t, migrate, void, +- private_ike_rekey_t *this, ike_sa_t *ike_sa) ++/** ++ * Cleanup the task ++ */ ++static void cleanup(private_ike_rekey_t *this) + { ++ ike_sa_t *cur_sa; ++ + if (this->ike_init) + { + this->ike_init->task.destroy(&this->ike_init->task); +@@ -383,9 +384,16 @@ METHOD(task_t, migrate, void, + { + this->ike_delete->task.destroy(&this->ike_delete->task); + } ++ cur_sa = charon->bus->get_sa(charon->bus); + DESTROY_IF(this->new_sa); ++ charon->bus->set_sa(charon->bus, cur_sa); + DESTROY_IF(this->collision); ++} + ++METHOD(task_t, migrate, void, ++ private_ike_rekey_t *this, ike_sa_t *ike_sa) ++{ ++ cleanup(); + this->collision = NULL; + this->ike_sa = ike_sa; + this->new_sa = NULL; +@@ -396,16 +404,7 @@ METHOD(task_t, migrate, void, + METHOD(task_t, destroy, void, + private_ike_rekey_t *this) + { +- if (this->ike_init) +- { +- this->ike_init->task.destroy(&this->ike_init->task); +- } +- if (this->ike_delete) +- { +- this->ike_delete->task.destroy(&this->ike_delete->task); +- } +- DESTROY_IF(this->new_sa); +- DESTROY_IF(this->collision); ++ cleanup(); + free(this); + } + +-- +2.4.6 + diff --git a/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch new file mode 100644 index 0000000000..9aa06d9256 --- /dev/null +++ b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch 
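Review bot: The new cleanup() helper's comment `Cleanup the task` does not explain the get_sa()/set_sa() pair around `DESTROY_IF(this->new_sa)`, which is the actual point of the patch; suggest `/* ike_sa_t.destroy() resets the bus's current IKE_SA to NULL, so save and restore it around destroying new_sa */`. The two `cleanup();` calls pass no argument to a function declared with a `private_ike_rekey_t *this` parameter; this commit repairs that in patch 0015 below, but it leaves patch 0013 non-compiling on its own, which matters if the series is ever bisected or applied partially.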
@@ -0,0 +1,31 @@
+From 2efcc9586714fd3ae26fe6ff57ea1b9ee09a58ea Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 15 Jun 2015 11:52:16 +0200
+Subject: [PATCH] ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA
+ response
+
+Even when there is no error the CREATE_CHILD_SA response should be sent
+in the context of the existing IKE_SA.
+---
+ src/libcharon/sa/ikev2/tasks/ike_rekey.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+index 1dfdc05..4133c93 100644
+--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+@@ -228,9 +228,10 @@ METHOD(task_t, build_r, status_t,
+ 
+ if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
+ {
++ charon->bus->set_sa(charon->bus, this->ike_sa);
+ return SUCCESS;
+ }
+-
++ charon->bus->set_sa(charon->bus, this->ike_sa);
+ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+ 
+ /* rekeying successful, delete the IKE_SA using a subtask */
+--
+2.4.6
+
diff --git a/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
new file mode 100644
index 0000000000..e17cf30cd9
--- /dev/null
+++ b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
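Review bot: Both branches after `this->ike_init->task.build(...)` now call `charon->bus->set_sa(charon->bus, this->ike_sa)` before leaving, so the call can be hoisted above the check and the duplication dropped: `status_t status = this->ike_init->task.build(&this->ike_init->task, message);` then `charon->bus->set_sa(charon->bus, this->ike_sa);` then `if (status == FAILED) { return SUCCESS; }`. The order of effects is unchanged since set_sa() runs after build() either way. build_r()'s body starts and continues outside the hunk.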
@@ -0,0 +1,34 @@
+From 81f1aa8dc375a84d9f0dc3e4027f2aebf6d03b18 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 27 Jul 2015 15:20:01 +0200
+Subject: [PATCH] ike-rekey: Fix cleanup() call
+
+---
+ src/libcharon/sa/ikev2/tasks/ike_rekey.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+index 4133c93..eaba04e 100644
+--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+@@ -394,7 +394,7 @@ static void cleanup(private_ike_rekey_t *this)
+ METHOD(task_t, migrate, void,
+ private_ike_rekey_t *this, ike_sa_t *ike_sa)
+ {
+- cleanup();
++ cleanup(this);
+ this->collision = NULL;
+ this->ike_sa = ike_sa;
+ this->new_sa = NULL;
+@@ -405,7 +405,7 @@ METHOD(task_t, migrate, void,
+ METHOD(task_t, destroy, void,
+ private_ike_rekey_t *this)
+ {
+- cleanup();
++ cleanup(this);
+ free(this);
+ }
+
+--
+2.4.6
+
diff --git a/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
new file mode 100644
index 0000000000..3b773d02aa
--- /dev/null
+++ b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
@@ -0,0 +1,27 @@ +From faebdeac8eafad7b5c2109d5a9ce0af41dbf315c Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 27 Jul 2015 19:37:41 +0200 +Subject: [PATCH] ike: Fix memory leak if remote address is kept + +--- + src/libcharon/sa/ike_sa.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c +index 752a756..6ffbd55 100644 +--- a/src/libcharon/sa/ike_sa.c ++++ b/src/libcharon/sa/ike_sa.c +@@ -1230,6 +1230,10 @@ static void resolve_hosts(private_ike_sa_t *this) + * address family might have changed */ + set_other_host(this, host); + } ++ else ++ { ++ host->destroy(host); ++ } + } + + if (this->local_host) +-- +2.4.6 + diff --git a/main/strongswan/0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch index a7c02749f6..945f1da2b0 100644 --- a/main/strongswan/0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch +++ b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch @@ -27,5 +27,5 @@ index b0e3103..809d0f4 100644 DBG1(DBG_KNL, "netlink response exceeds buffer size"); return 0; -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch index 0bd694782f..410e15b0c4 100644 --- a/main/strongswan/0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch +++ b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch @@ -55,5 +55,5 @@ index 809d0f4..ddb2254 100644 { DBG1(DBG_KNL, "unable to create netlink socket"); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch new file mode 100644 index 0000000000..e7897c17c6 --- /dev/null 
+++ b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch @@ -0,0 +1,24 @@ +From 36d77e36bb1556bebe0f98c06a757b123caef940 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Jul 2015 11:48:53 +0200 +Subject: [PATCH] ike: Also track initiating IKE_SAs as half-open + +--- + src/libcharon/sa/ike_sa_manager.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c +index 987260d..51b7f2c 100644 +--- a/src/libcharon/sa/ike_sa_manager.c ++++ b/src/libcharon/sa/ike_sa_manager.c +@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void, + put_half_open(this, entry); + } + else if (!entry->half_open && +- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) && + ike_sa->get_state(ike_sa) == IKE_CONNECTING) + { + /* this is a new half-open SA */ +-- +2.4.6 + diff --git a/main/strongswan/0003-controller-Optionally-adhere-to-init-limits-also-whe.patch b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch index 525c6e7528..fbc54c11c4 100644 --- a/main/strongswan/0003-controller-Optionally-adhere-to-init-limits-also-whe.patch +++ b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch @@ -1,4 +1,4 @@ -From af94ce1106470cc1c66a7b038d1d4552785f2670 Mon Sep 17 00:00:00 2001 +From 0d6412ab81fbf0376cc99e9419de417e58dc0e72 Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tobias@strongswan.org> Date: Thu, 16 Jul 2015 17:21:54 +0200 Subject: [PATCH] controller: Optionally adhere to init limits also when @@ -19,8 +19,7 @@ Subject: [PATCH] controller: Optionally adhere to init limits also when src/libcharon/plugins/vici/vici_control.c | 4 +- .../processing/jobs/initiate_mediation_job.c | 4 +- src/libcharon/processing/jobs/start_action_job.c | 2 +- - src/libcharon/sa/ike_sa_manager.c | 1 - - 16 files changed, 71 insertions(+), 21 deletions(-) + 15 files changed, 71 insertions(+), 20 deletions(-) 
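Review bot: Dropping the `!entry->ike_sa_id->is_initiator(...)` condition makes locally initiated IKE_SAs in IKE_CONNECTING count as half-open, and that count is what the half-open init limits and the responder-side overload heuristics read, so deployments tuned for responder-only numbers will see different values after this patch; a comment on the `else if`, such as `/* initiator SAs are counted too, so init limits also cover outbound setup */`, would keep the next reader from re-adding the condition. The rest of checkin() is outside the hunk, so whether the matching decrement path handles initiator SAs symmetrically is not visible here and worth confirming.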
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index 2c0b7b9..0c6a504 100644 @@ -313,18 +312,6 @@ index 981473b..5e88ac2 100644 break; case ACTION_ROUTE: DBG1(DBG_JOB, "start action: route '%s'", name); -diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 987260d..51b7f2c 100644 ---- a/src/libcharon/sa/ike_sa_manager.c -+++ b/src/libcharon/sa/ike_sa_manager.c -@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void, - put_half_open(this, entry); - } - else if (!entry->half_open && -- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - ike_sa->get_state(ike_sa) == IKE_CONNECTING) - { - /* this is a new half-open SA */ -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch index feb471a400..d6cc090718 100644 --- a/main/strongswan/0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch +++ b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch @@ -1,4 +1,4 @@ -From e18f39025363224790d64e5b4eaa1c268f95b528 Mon Sep 17 00:00:00 2001 +From f3b6de5afdc48550680c12359154eb18a5812ecb Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tobias@strongswan.org> Date: Thu, 16 Jul 2015 17:51:40 +0200 Subject: [PATCH] vici: Add get_bool() convenience getter for VICI messages @@ -166,5 +166,5 @@ index 1a89cf8..7f357b8 100644 * * @param def default value if not found -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0005-vici-Optionally-check-limits-when-initiating-connect.patch b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch index 2ff236b06c..f904af30be 100644 --- a/main/strongswan/0005-vici-Optionally-check-limits-when-initiating-connect.patch +++ b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch 
@@ -1,4 +1,4 @@ -From 364a0b4922fb1dbbc584b341e945bf1b91d1d689 Mon Sep 17 00:00:00 2001 +From 2d4671feca3d2d17bfa2d846cc170478f18a8fcc Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tobias@strongswan.org> Date: Thu, 16 Jul 2015 17:56:16 +0200 Subject: [PATCH] vici: Optionally check limits when initiating connections @@ -61,5 +61,5 @@ index e568239..88574f8 100644 default: return send_reply(this, "establishing CHILD_SA '%s' failed", child); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch b/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch new file mode 100644 index 0000000000..666355757f --- /dev/null +++ b/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch 
@@ -0,0 +1,96 @@ +From e0189de4c7b8df5cb61c7b0e771dcc5534e9cc06 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Jul 2015 11:53:58 +0200 +Subject: [PATCH] ike: Adhere to IKE_SA limit when checking out by config + +This prevents new SAs from getting created if we hit the global IKE_SA +limit (we still allow checkout_new(), which is used for rekeying). +--- + src/libcharon/sa/ike_sa_manager.c | 63 ++++++++++++++++++++------------------- + 1 file changed, 33 insertions(+), 30 deletions(-) + +diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c +index 51b7f2c..20b6e50 100644 +--- a/src/libcharon/sa/ike_sa_manager.c ++++ b/src/libcharon/sa/ike_sa_manager.c +@@ -1346,44 +1346,47 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + + DBG2(DBG_MGR, "checkout IKE_SA by config"); + +- if (!this->reuse_ikesa) +- { /* IKE_SA reuse disable by config */ +- ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE); +- charon->bus->set_sa(charon->bus, ike_sa); +- return ike_sa; +- } +- +- enumerator = create_table_enumerator(this); +- while (enumerator->enumerate(enumerator, &entry, &segment)) ++ if (this->reuse_ikesa) + { +- if (!wait_for_entry(this, entry, segment)) ++ enumerator = create_table_enumerator(this); ++ while (enumerator->enumerate(enumerator, &entry, &segment)) + { +- continue; +- } +- if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) +- { /* skip IKE_SAs which are not usable */ +- continue; +- } +- +- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); +- if (current_peer && current_peer->equals(current_peer, peer_cfg)) +- { +- current_ike = current_peer->get_ike_cfg(current_peer); +- if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) ++ if (!wait_for_entry(this, entry, segment)) + { +- entry->checked_out = TRUE; +- ike_sa = entry->ike_sa; +- DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", +- ike_sa->get_unique_id(ike_sa), +- 
current_peer->get_name(current_peer)); +- break; ++ continue; ++ } ++ if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) ++ { /* skip IKE_SAs which are not usable */ ++ continue; ++ } ++ current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); ++ if (current_peer && current_peer->equals(current_peer, peer_cfg)) ++ { ++ current_ike = current_peer->get_ike_cfg(current_peer); ++ if (current_ike->equals(current_ike, ++ peer_cfg->get_ike_cfg(peer_cfg))) ++ { ++ entry->checked_out = TRUE; ++ ike_sa = entry->ike_sa; ++ DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", ++ ike_sa->get_unique_id(ike_sa), ++ current_peer->get_name(current_peer)); ++ break; ++ } + } + } ++ enumerator->destroy(enumerator); + } +- enumerator->destroy(enumerator); + + if (!ike_sa) +- { /* no IKE_SA using such a config, hand out a new */ ++ { /* no IKE_SA using such a config, or reuse disabled, hand out a new */ ++ if (this->ikesa_limit && ++ this->public.get_count(&this->public) >= this->ikesa_limit) ++ { ++ DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)", ++ this->ikesa_limit); ++ return NULL; ++ } + ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE); + } + charon->bus->set_sa(charon->bus, ike_sa); +-- +2.4.6 + diff --git a/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch new file mode 100644 index 0000000000..4a837486e7 --- /dev/null +++ b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch 
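Review bot: The new limit check reads `this->public.get_count(&this->public)` and then calls `checkout_new()` with no lock held across both, so concurrent callers can each pass `>= this->ikesa_limit` and together overshoot the limit by one per racing thread; if the limit is a DoS ceiling rather than an exact cap that is acceptable, but a comment such as `/* not atomic with checkout_new(): the limit may be overshot by concurrent callers */` would document it. checkout_by_config() now also returns NULL, which callers that assumed a non-NULL IKE_SA must handle; its doc comment in the header is outside this hunk and should state the new return. The early `return NULL` skips the trailing `set_sa()` call, which looks intentional since there is no SA to set.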
@@ -0,0 +1,46 @@ +From 470b58d897338c89c83f416808cf1ccac38fe028 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Jul 2015 14:08:09 +0200 +Subject: [PATCH] ikev1: Assign different job priorities for inbound IKEv1 + messages + +--- + src/libcharon/processing/jobs/process_message_job.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c +index a6795e7..31f048d 100644 +--- a/src/libcharon/processing/jobs/process_message_job.c ++++ b/src/libcharon/processing/jobs/process_message_job.c +@@ -91,16 +91,26 @@ METHOD(job_t, get_priority, job_priority_t, + { + case IKE_AUTH: + /* IKE auth is rather expensive and often blocking, low priority */ ++ case AGGRESSIVE: ++ case ID_PROT: ++ /* AM is basically IKE_SA_INIT/IKE_AUTH combined (without EAP/XAuth) ++ * MM is similar, but stretched out more */ + return JOB_PRIO_LOW; + case INFORMATIONAL: ++ case INFORMATIONAL_V1: + /* INFORMATIONALs are inexpensive, for DPD we should have low + * reaction times */ + return JOB_PRIO_HIGH; + case IKE_SA_INIT: +- case CREATE_CHILD_SA: +- default: + /* IKE_SA_INIT is expensive, but we will drop them in the receiver + * if we are overloaded */ ++ case CREATE_CHILD_SA: ++ case QUICK_MODE: ++ /* these may require DH, but if not they are relatively cheap */ ++ case TRANSACTION: ++ /* these are mostly cheap, however, if XAuth via RADIUS is used ++ * they may block */ ++ default: + return JOB_PRIO_MEDIUM; + } + } +-- +2.4.6 + diff --git a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch new file mode 100644 index 0000000000..630151b406 --- /dev/null +++ b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch 
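Review bot: The per-case comments now sit between labels of one fall-through group, so `/* IKE auth is rather expensive and often blocking, low priority */` reads as applying to IKE_AUTH alone while AGGRESSIVE and ID_PROT share the same return, and `/* IKE_SA_INIT is expensive ... */` is placed before CREATE_CHILD_SA and TRANSACTION, which are described as cheap. Placing each group's comments after its last label, immediately before the `return`, or using one comment per group, would make the grouping obvious. The note at `case TRANSACTION:` about XAuth via RADIUS possibly blocking is the most important one here, since a blocking exchange at medium priority ties up worker threads; it deserves to be the group's lead comment rather than the last.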
@@ -0,0 +1,68 @@ +From 944e99d57243fb42ccb2be475c8386a0c4c116f4 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 27 Jul 2015 11:18:53 +0200 +Subject: [PATCH] printf-hook-builtin: Fix invalid memory access + +When precision is given for a string, we must not run unbounded +strlen() as it will read beyond the given length. It might even cause +a crash if the given pointer is near end of heap or mapping. + +Fixes numerous valgrind errors such as: + +==19215== Invalid read of size 1 +==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853) +==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084) +==19215== by 0x52CE464: dntoa (identification.c:337) +==19215== by 0x52CE464: identification_printf_hook (identification.c:837) +==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) +==19215== by 0x57040EB: vlog (bus.c:388) +==19215== by 0x570427D: log_ (bus.c:430) +==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) +==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) +==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) +==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) +==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) +==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) +==19215== by 0x52C3125: load_feature (plugin_loader.c:716) +==19215== by 0x52C3125: load_provided (plugin_loader.c:778) +==19215== by 0x52C3A20: load_features (plugin_loader.c:799) +==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) +==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd +==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296) +==19215== by 0x52CD198: chunk_printable (chunk.c:759) +==19215== by 0x52CE442: dntoa (identification.c:334) +==19215== by 0x52CE442: identification_printf_hook (identification.c:837) +==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) +==19215== by 0x57040EB: vlog (bus.c:388) +==19215== by 
0x570427D: log_ (bus.c:430) +==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) +==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) +==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) +==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) +==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) +==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) +==19215== by 0x52C3125: load_feature (plugin_loader.c:716) +==19215== by 0x52C3125: load_provided (plugin_loader.c:778) +==19215== by 0x52C3A20: load_features (plugin_loader.c:799) +==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) +--- + src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c +index 466c673..af54940 100644 +--- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c ++++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c +@@ -843,7 +843,8 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap) + /* String */ + sarg = va_arg(ap, const char *); + sarg = sarg ? sarg : "(null)"; +- slen = strlen(sarg); ++ slen = prec != -1 ? strnlen(sarg, prec) ++ : strlen(sarg); + goto is_string; + } + case 'm': +-- +2.4.6 + diff --git a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch index b0c65223a2..e246c04294 100644 --- a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch +++ b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch @@ -1,4 +1,4 @@ -From 9afff74c4bd8abadfd248f36cf9f8206928d3dc6 Mon Sep 17 00:00:00 2001 +From 82c26f6c6c8dc8de620cdb6b191f04451ddedd11 Mon Sep 17 00:00:00 2001 
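Review bot: The sentinel test `prec != -1` is the correct one here, and better than the replaced local patch 1006, whose `prec ? strnlen(...) : strlen(...)` still ran an unbounded `strlen()` for an explicit zero precision (`%.0s`). Only the `'s'` case is bounded; the `'m'` case a few lines below keeps `strlen(strerror(errno))`, which is fine because `strerror()` always returns a NUL-terminated string, so dropping 1006's change there loses nothing. If a `*` precision argument can arrive as a negative value other than -1 and the parser does not normalise it (not visible in this hunk), `strnlen(sarg, prec)` would be called with a huge `size_t` and silently become the unbounded read again; `slen = prec >= 0 ? strnlen(sarg, prec) : strlen(sarg);` is the more defensive form. The valgrind trace shows the over-read on locally loaded CA certificates; whether peer-supplied identities reach the same `chunk_printable()` → `%.*s` path, which would make this a remotely triggerable over-read or crash, cannot be told from here.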
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Wed, 27 Aug 2014 16:05:21 +0300 Subject: [PATCH] charon: add optional source and remote overrides for initiate @@ -15,21 +15,20 @@ and is a prerequisite for dmvpn support. Signed-off-by: Timo Teräs <timo.teras@iki.fi> --- - src/charon-cmd/cmd/cmd_connection.c | 2 +- - src/charon-nm/nm/nm_service.c | 2 +- - src/libcharon/control/controller.c | 43 ++++++++++++++- - src/libcharon/control/controller.h | 3 ++ - src/libcharon/plugins/maemo/maemo_service.c | 2 +- - src/libcharon/plugins/stroke/stroke_control.c | 5 +- - src/libcharon/plugins/vici/vici_config.c | 2 +- - src/libcharon/plugins/vici/vici_control.c | 63 ++++++++++++++++++---- - src/libcharon/processing/jobs/start_action_job.c | 2 +- - src/libcharon/sa/ike_sa.c | 4 ++ - src/libcharon/sa/ike_sa_manager.c | 60 ++++++++++++++++++--- - src/libcharon/sa/ike_sa_manager.h | 8 ++- - src/libcharon/sa/trap_manager.c | 3 +- - src/swanctl/commands/initiate.c | 40 +++++++++++++- - 15 files changed, 213 insertions(+), 28 deletions(-) + src/charon-cmd/cmd/cmd_connection.c | 2 +- + src/charon-nm/nm/nm_service.c | 2 +- + src/libcharon/control/controller.c | 43 +++++++++++++++- + src/libcharon/control/controller.h | 3 ++ + src/libcharon/plugins/maemo/maemo_service.c | 2 +- + src/libcharon/plugins/stroke/stroke_control.c | 5 +- + src/libcharon/plugins/vici/vici_config.c | 2 +- + src/libcharon/plugins/vici/vici_control.c | 63 ++++++++++++++++++++---- + src/libcharon/processing/jobs/start_action_job.c | 2 +- + src/libcharon/sa/ike_sa_manager.c | 51 ++++++++++++++++++- + src/libcharon/sa/ike_sa_manager.h | 8 ++- + src/libcharon/sa/trap_manager.c | 3 +- + src/swanctl/commands/initiate.c | 40 ++++++++++++++- + 13 files changed, 203 insertions(+), 23 deletions(-) diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index 0c6a504..dc4eca3 100644 @@ -206,10 +205,10 @@ index 0125d17..72c806c 100644 switch (status) { 
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index dfea2ab..233af4c 100644 +index b6950f3..600b83f 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c -@@ -1558,7 +1558,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, +@@ -1584,7 +1584,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), @@ -219,7 +218,7 @@ index dfea2ab..233af4c 100644 case ACTION_ROUTE: DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg)); diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index 88574f8..d37e11f 100644 +index 88574f8..55f667b 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -13,6 +13,28 @@ @@ -341,23 +340,8 @@ index 5e88ac2..7043332 100644 break; case ACTION_ROUTE: DBG1(DBG_JOB, "start action: route '%s'", name); -diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c -index 3aafa4c..dcd54a1 100644 ---- a/src/libcharon/sa/ike_sa.c -+++ b/src/libcharon/sa/ike_sa.c -@@ -1208,6 +1208,10 @@ static void resolve_hosts(private_ike_sa_t *this) - else - { - host = this->ike_cfg->resolve_other(this->ike_cfg, family); -+ if (host->is_anyaddr(host)) -+ { -+ host = NULL; -+ } - } - if (host) - { diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 987260d..2f44f7c 100644 +index 20b6e50..ccce3de 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -16,6 +16,28 @@ 
@@ -389,7 +373,7 @@ index 987260d..2f44f7c 100644 #include <string.h> #include "ike_sa_manager.h" -@@ -1335,16 +1357,28 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, +@@ -1335,7 +1357,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, } METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, @@ -399,12 +383,9 @@ index 987260d..2f44f7c 100644 { enumerator_t *enumerator; entry_t *entry; -- ike_sa_t *ike_sa = NULL; -+ ike_sa_t *ike_sa; - peer_cfg_t *current_peer; +@@ -1344,7 +1367,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, ike_cfg_t *current_ike; u_int segment; -+ bool matched = FALSE; - DBG2(DBG_MGR, "checkout IKE_SA by config"); + if (my_host && my_host->get_port(my_host) == 0) 
@@ -419,42 +400,28 @@ index 987260d..2f44f7c 100644 + DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H", + peer_cfg->get_name(peer_cfg), my_host, other_host); - if (!this->reuse_ikesa) - { /* IKE_SA reuse disable by config */ -@@ -1365,14 +1399,24 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - continue; - } - -- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); -+ ike_sa = entry->ike_sa; -+ if (my_host && !my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa))) -+ { -+ continue; -+ } -+ if (other_host && !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa))) -+ { -+ continue; -+ } + if (this->reuse_ikesa) + { +@@ -1359,6 +1392,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + { /* skip IKE_SAs which are not usable */ + continue; + } + -+ current_peer = ike_sa->get_peer_cfg(ike_sa); - if (current_peer && current_peer->equals(current_peer, peer_cfg)) - { - current_ike = current_peer->get_ike_cfg(current_peer); - if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) ++ if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa))) ++ { ++ continue; ++ } ++ if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa))) ++ { ++ continue; ++ } ++ + current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); + if (current_peer && current_peer->equals(current_peer, peer_cfg)) { - entry->checked_out = TRUE; -- ike_sa = entry->ike_sa; -+ matched = TRUE; - DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", - ike_sa->get_unique_id(ike_sa), - current_peer->get_name(current_peer)); -@@ -1382,9 +1426,13 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - } - enumerator->destroy(enumerator); - -- if (!ike_sa) -+ if (!matched) - { /* no IKE_SA using such a config, hand out a new */ +@@ -1388,6 +1431,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + return NULL; + } ike_sa = checkout_new(this, 
peer_cfg->get_ike_version(peer_cfg), TRUE); + if (my_host || other_host) + { @@ -493,10 +460,10 @@ index f259d8e..5a69083 100644 /** * Check for duplicates of the given IKE_SA. diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c -index d6ff3c8..eeb188e 100644 +index 424d9e7..62a70f5 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c -@@ -351,7 +351,8 @@ METHOD(trap_manager_t, acquire, void, +@@ -421,7 +421,8 @@ METHOD(trap_manager_t, acquire, void, this->lock->unlock(this->lock); ike_sa = charon->ike_sa_manager->checkout_by_config( @@ -586,5 +553,5 @@ index eb7b6ad..706fa57 100644 {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch index e8853d9ccc..7737220643 100644 --- a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch +++ b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch @@ -1,4 +1,4 @@ -From c1a33f1b826536a90951be611de9804a3a524b32 Mon Sep 17 00:00:00 2001 +From dde551360cbe9ac09f1cd2d01047131c6332c576 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Thu, 30 Apr 2015 12:08:13 +0300 Subject: [PATCH] vici: send certificates for ike-sa events @@ -102,5 +102,5 @@ index d94d760..3d461f7 100644 b->begin_section(b, child_sa->get_name(child_sa)); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch index 95d67eff50..a52450306c 100644 --- a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch +++ b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch 
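Review bot: The two new host filters use `ip_equals()`, which going by its name compares the address only and ignores the port, while the preceding hunk special-cases a zero port on the override (`if (my_host && my_host->get_port(my_host) == 0)`); an override carrying an explicit non-default port will therefore still reuse an IKE_SA whose endpoint sits on a different port. If that is intended — plausibly so, since an existing IKE_SA may have floated to port 4500 for NAT-T — a comment above the first filter such as `/* match on address only: the port of an existing IKE_SA may differ from the override */` would save the next reader the question; if not, `equals()` would be the stricter check. Both new condition lines also run well past 80 columns, which the surrounding strongSwan code wraps. checkout_by_config begins and ends outside this hunk, and the `if (my_host || other_host)` branch appended after `checkout_new()` is cut off here, so whether the override hosts are actually applied to the freshly created IKE_SA is not visible.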
@@ -1,4 +1,4 @@ -From 9a695f579173f087c9e72620fa70d6e28171e1f9 Mon Sep 17 00:00:00 2001 +From b8b84525b8c8c9e5cc1d1409a89347bb8869f893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Thu, 30 Apr 2015 10:58:15 +0300 Subject: [PATCH] vici: add support rekeying events, and individual sa state @@ -209,5 +209,5 @@ index 3d461f7..ade181c 100644 .destroy = _destroy, }, -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1004-vici-support-asynchronous-initiation.patch b/main/strongswan/1004-vici-support-asynchronous-initiation.patch index 5c99482796..dc95bde749 100644 --- a/main/strongswan/1004-vici-support-asynchronous-initiation.patch +++ b/main/strongswan/1004-vici-support-asynchronous-initiation.patch @@ -1,4 +1,4 @@ -From 4564b52fdbb6e588398178e607023fbac2819da8 Mon Sep 17 00:00:00 2001 +From 21efa8dbe5aab423b452277d6aa70f9c14e2f440 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Thu, 28 May 2015 13:06:51 +0300 Subject: [PATCH] vici: support asynchronous initiation @@ -12,7 +12,7 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi> 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index d37e11f..66478fd 100644 +index 55f667b..da2b68f 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -187,7 +187,7 @@ CALLBACK(initiate, vici_message_t*, @@ -43,5 +43,5 @@ index d37e11f..66478fd 100644 case SUCCESS: msg = send_reply(this, NULL); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1005-ikev1-message-priorities.patch b/main/strongswan/1005-ikev1-message-priorities.patch deleted file mode 100644 index f7bb7ac691..0000000000 --- a/main/strongswan/1005-ikev1-message-priorities.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c -index a6795e7..bb77b3d 100644 ---- a/src/libcharon/processing/jobs/process_message_job.c -+++ b/src/libcharon/processing/jobs/process_message_job.c -@@ -90,14 +90,20 @@ METHOD(job_t, get_priority, job_priority_t, - switch (this->message->get_exchange_type(this->message)) - { - case IKE_AUTH: -+ case ID_PROT: -+ case AUTH_ONLY: -+ case AGGRESSIVE: - /* IKE auth is rather expensive and often blocking, low priority */ - return JOB_PRIO_LOW; - case INFORMATIONAL: -+ case INFORMATIONAL_V1: -+ case TRANSACTION: - /* INFORMATIONALs are inexpensive, for DPD we should have low - * reaction times */ - return JOB_PRIO_HIGH; - case IKE_SA_INIT: - case CREATE_CHILD_SA: -+ case QUICK_MODE: - default: - /* IKE_SA_INIT is expensive, but we will drop them in the receiver - * if we are overloaded */ diff --git a/main/strongswan/1006-fix-printf-strlen.patch b/main/strongswan/1006-fix-printf-strlen.patch deleted file mode 100644 index ad5948d24a..0000000000 --- a/main/strongswan/1006-fix-printf-strlen.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -index 466c673..219c7bd 100644 ---- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -@@ -843,14 +843,14 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap) - /* String */ - sarg = va_arg(ap, const char *); - sarg = sarg ? sarg : "(null)"; -- slen = strlen(sarg); -+ slen = prec ? strnlen(sarg, prec) : strlen(sarg); - goto is_string; - } - case 'm': - { - /* glibc error string */ - sarg = strerror(errno); -- slen = strlen(sarg); -+ slen = prec ? strnlen(sarg, prec) : strlen(sarg); - goto is_string; - } - is_string: 
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 965fd3c17a..4192088aa3 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=strongswan
 pkgver=5.3.2
 _pkgver=${pkgver//_rc/rc}
-pkgrel=6
+pkgrel=7
 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
 url="http://www.strongswan.org/"
 arch="all"
@@ -16,17 +16,36 @@ makedepends="$depends_dev linux-headers" install="$pkgname.pre-install" subpackages="$pkgname-doc $pkgname-dbg" source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2 - 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch - 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch - 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch - 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch - 0005-vici-Optionally-check-limits-when-initiating-connect.patch + 0001-vici-Asynchronize-debug-logging.patch + 0002-host-Properly-handle-NULL-in-host_create_from_string.patch + 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch + 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch + 0004-ike-Use-address-family-of-local-address-when-resolvi.patch + 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch + 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch + 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch + 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch + 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch + 0010-shunt-manager-Remove-stored-entries-if-installation-.patch + 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch + 0012-daemon-Flush-shunts-before-unloading-plugins.patch + 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch + 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch + 0015-ike-rekey-Fix-cleanup-call.patch + 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch + 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch + 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch + 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch + 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch + 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch + 0204-vici-Optionally-check-limits-when-initiating-connect.patch + 
0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch + 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch + 0401-printf-hook-builtin-Fix-invalid-memory-access.patch 1001-charon-add-optional-source-and-remote-overrides-for-.patch 1002-vici-send-certificates-for-ike-sa-events.patch 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch 1004-vici-support-asynchronous-initiation.patch - 1005-ikev1-message-priorities.patch - 1006-fix-printf-strlen.patch 2001-support-gre-key-in-ikev1.patch strongswan.initd 
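Review bot: Two of the new patch files share the `0002-` prefix (`0002-host-Properly-handle-NULL-in-host_create_from_string.patch` and `0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch`), so the numbering no longer encodes a unique order within the 00xx series. As far as I recall abuild's default prepare applies patches in `$source` listing order, so the build outcome is unaffected, but renumbering the series so each prefix is unique would keep the scheme trustworthy for anyone re-syncing against upstream. A short comment above the list, e.g. `# 00xx: upstream 5.3.2 fixes, 01xx: kernel-netlink, 02xx: IKE_SA limits, 03xx/04xx: misc upstream, 1xxx: local dmvpn patches`, would also explain the numbering bands this commit introduces.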
@@ -111,47 +130,104 @@ package() { } md5sums="fab014be1477ef4ebf9a765e10f8802c strongswan-5.3.2.tar.bz2 -eb8d38dbf918e5f3adfd55f8ace7aeb1 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch -53982788f8ab0962193f695da30a8a94 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch -c46a4f2b21a83988512f6108e154620b 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch -8b5ea458119df0c1ecee181c0f7f7c57 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch -0f8316631df321caad6c9b6b5c0b6e5c 0005-vici-Optionally-check-limits-when-initiating-connect.patch -b7244e10364e6348665048b9eec43cc6 1001-charon-add-optional-source-and-remote-overrides-for-.patch -4970959a1722b4139e7a22a2d93e866d 1002-vici-send-certificates-for-ike-sa-events.patch -89f7d85291d6a82230e5337cfa071a67 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch -aac217481a1a8ae68719771039c27354 1004-vici-support-asynchronous-initiation.patch -3accc4500255622cb14844e7111e2932 1005-ikev1-message-priorities.patch -9b6175216c1761305f2048d9d88865a0 1006-fix-printf-strlen.patch +78960bec9b1d3be2db9bfe8d73347ceb 0001-vici-Asynchronize-debug-logging.patch +f05c992e0c79a254fe8dfe3989d29ae6 0002-host-Properly-handle-NULL-in-host_create_from_string.patch +5d2720f3b0f9ae4632703c8638e29088 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch +413d0409a1232de61d61e99d7e57c2f5 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch +0660bab646fc9dbf99a5f9485e570b0e 0004-ike-Use-address-family-of-local-address-when-resolvi.patch +30ac430b88cdfb23546a3ac1a6247d6c 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch +de114c8e0f0fb84aaef46b55b912c7df 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch +a99f6c1cc578b17e9c69378869942ffd 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch +e7e8b6171239f3462f8f6739fcfdc56b 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch +400a514e50a378265a0ec1cff46f1f02 
0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch +551d01ca98e3e8b6bfea54938c576ec6 0010-shunt-manager-Remove-stored-entries-if-installation-.patch +b5f4a1a5cd7e5f10e9487a23078bcbab 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch +65341200450445191b67914df2629fe6 0012-daemon-Flush-shunts-before-unloading-plugins.patch +1ea2d1a97aa37bac24a1ec9b1ce7c985 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch +054b28fd78fccb20b993ec2679f98bc6 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch +6b57da364f1222eb2a8eda8f146c784b 0015-ike-rekey-Fix-cleanup-call.patch +0941f8e871fff5ab8c984830d23b35a1 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch +d97c846c00c60a35925662ba551495df 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch +d73abf4c9c3354120152144e7985d428 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch +c3f86cc9b0866f2e748f40d3058a5b14 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch +55feb2633c42927672113e44465fd824 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch +d57e117d13da147910e2ae09219d2492 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch +8e79293070086233035a93322b935048 0204-vici-Optionally-check-limits-when-initiating-connect.patch +c46165934687326a26ec9153a34e2227 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch +9b607cf38cff83547368d82fa34d716f 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch +c7c0338de6dc4993cb8cb71238fd13dc 0401-printf-hook-builtin-Fix-invalid-memory-access.patch +06607758b690f2db961d84e26ee7d6ea 1001-charon-add-optional-source-and-remote-overrides-for-.patch +1aae491acf4739d871a64cd4481551f6 1002-vici-send-certificates-for-ike-sa-events.patch +b0f2d10bc3dc89f3bba28fead6687311 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch +ca53b3df714aa588af99d4f720c4318b 1004-vici-support-asynchronous-initiation.patch b9f874287c35cce075b761087c28ab50 
2001-support-gre-key-in-ikev1.patch 85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd 7962a720ebef6892d80a3cbdab72c204 charon.initd" sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2 -bce611d5f3d773589c6a751aec7fbaab39c8926134cab6fe2d5586639244bdc0 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch -4e1f76a76278c7621ca860156c25dfda90a7d9010b6426a9fd7c74c190166043 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch -fb7478cad812e40134f5796c5faea4f939a71c4676efe9d17573041b696a61c7 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch -31f8e5c1f451ed14045072cd13f2085c39f064403f264d12fb2f75aa5e996f5a 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch -a5601aa4ce0be4ac74f482817fd64c60e4986781271a2ed354806bbcbcd2223b 0005-vici-Optionally-check-limits-when-initiating-connect.patch -a3d471cbcc9481264352ca029b70ad8f85fab15495a4aef3cbb209fc19765436 1001-charon-add-optional-source-and-remote-overrides-for-.patch -baa8ee13f207f5e89b34b759c355e48ed79138fabcd9af841692afb15cf8b61f 1002-vici-send-certificates-for-ike-sa-events.patch -e0de13d4fc6d66e33973696d62b4a45cd63b5fa6c477891e7651102c2bc3a4d7 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch -295476ace69d36f1059c48afb99ec5180086710146a6e10c28c7eed96759a976 1004-vici-support-asynchronous-initiation.patch -0e814067bf47e9b4a0127b5197ea321e1398b1bc8e0635d576898fc977233d67 1005-ikev1-message-priorities.patch -2b5d384a73373e16dc8bf75e55149173de00f454fe0de1b65296e73e68275042 1006-fix-printf-strlen.patch +37da81cde0afd5b2d025a62b36020ff4739bccc086bcfd1528e461534b99e1e8 0001-vici-Asynchronize-debug-logging.patch +ee88c4636efb8e06ff66e50e82b5de5a2f49a2b60042b157b09c110332db1f2c 0002-host-Properly-handle-NULL-in-host_create_from_string.patch +442b721d4ee156e5bb8167f4f5831abe727d8440b26f0ba91a32f21eade14305 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch 
+28fb9b57d5c02ae2b10e283f13de4d7257913a44ce68e287f73144d4fe2c0972 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch +e8e967357a6741df02b80fcd75729044179549e24623d483c1f4ee603a83152b 0004-ike-Use-address-family-of-local-address-when-resolvi.patch +a246364122d40ef70091cdf86ea16413a20f3461e137f8209c58959dfaf09396 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch +79861e897dd8e973d2426f083079adb74cc3c281b1c891eb6fbf7e569f0b74f4 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch +a9f59b91d3ac04fd52684fd4143545452368d65af9f6026020ba95eae114c103 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch +1b463d03b3ce0cf5223bacb08155b69c1c362fa311b1af20cb79b392ac6a233e 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch +3679e3f63a72c1f32b67ab71f60f8922384cbdeb916beca779bc7776db0332fe 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch +cd1d28855c13c9544c6f4caa619a00226d8c84cc75c3e88f962ebea9736619ad 0010-shunt-manager-Remove-stored-entries-if-installation-.patch +ce95459cea9eaa4d7f1695e10f99ca886d428843ada8134e8f337dce957cdda0 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch +b8b82e4b99c70cd76b09a2c7d6144e1e572bee6b4c821fcf7338d1692e1843cb 0012-daemon-Flush-shunts-before-unloading-plugins.patch +2c4a898a4b17e196acc44947f4b48688649d29ac15c0d19e14d664bf0d9f0274 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch +a1b61e2aafcd502c8398bfefd556dfb1429d862faecc5d6c0c843e7da215abf3 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch +ef5f7d38483909ae3aff5e474ac6f5f20804645ead6a6108f2534408434023ff 0015-ike-rekey-Fix-cleanup-call.patch +257931d4443a4ed2284bf8872e73ab1e93c0d69f490e1b9b3bb2b12210cec677 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch +130db52dea23eae4081bf25c5ef050f9dfbaa4e7e99dc0a623fdfc991eb4c5c7 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch +16a41ef4cf25e3432c8a61aa34ac12d6eccd5796d921c75d72570d4f9fda2717 
0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch +ab4042b193a68d3ff771be006fdea81eb786fee7b7c4c8c24aa60ef3372de9c8 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch +f81bb1934c67263e0fcb75ffa449f7d663a17ffacc4d76d233acaed54e13b10d 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch +7aac3748cabf9293701924b6e6a3f0bb74c4d4302a019eb8012af48473f35b67 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch +3060dd59d44de1f6e7b82146db4b09c3fd80869c75e9a31823bcbdd9f66ac923 0204-vici-Optionally-check-limits-when-initiating-connect.patch +6ee2826d8f2acf4010886b9990c4fe1f1be99e869144f3dd3705e38184300ca1 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch +d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch +74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6 0401-printf-hook-builtin-Fix-invalid-memory-access.patch +d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc 1001-charon-add-optional-source-and-remote-overrides-for-.patch +b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34 1002-vici-send-certificates-for-ike-sa-events.patch +c0b39aaaf97f3797ef327a465e1468aa166044875b194e899999dc7c0723fc4c 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch +cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1 1004-vici-support-asynchronous-initiation.patch ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 2001-support-gre-key-in-ikev1.patch ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd" sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2 
-5ec6fd6160a55d7313f8dd3315a353d426f98ea57d167e73e97bff25ca175d2848f7ea0956cb2ec9cbca24f2be1dc0c1b1d123ee947f64baa6dfc712d04e77e1 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-ee5dc2d2c719895e69d9a0324b48d43b4b86122eb8848143db7a4a629e79d594deeb4a000a429c85a31552358e9e1e2a7de8a1917c6ebb075a77281f074e0740 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-7da65c2f5459811e4c6a1643d42eca0dedd206335a0127277a6f11cf15a75a2a546848219065517d065016639ffa2e2b40f275cca7083adc3ee545f3e051e050 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch
-4192aa916c5018046a21bb2d94e82ae35a81f4f462107f81b2f1b0a95372f212411852768d34ec3937c141570789b8ac1a1734552b0a07cac96a085fe28bc848 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-4a36a0c9c456537e6b71975e6947a15a0fdcda875454ded4d23f9d1073c9258b901d7a4116786f63a590f30725cc41c23eca414e0757f240cc4f4eb8e56cb285 0005-vici-Optionally-check-limits-when-initiating-connect.patch
-4cfe0b15a28b600b51be2ae270d303a65854756e30d60d8d897e0106f77ba7e05ec1625cc7cfafce54443bcb8c72ded09aa759f2540589afea491c81a05e65f0 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-142e3207aa3646a82ed1831635ef16003b86625f763927d56e074aeb5d6d04f108a21f713f877afc48119ee3df784af727e5bee8dddf0671dc2a6058f9708af4 1002-vici-send-certificates-for-ike-sa-events.patch
-1781b8de169d0d41f8cb4d63c0b85b1e9eae2d52935d3753a876e8fee542ab58933be11c36f2a230233144c94c12c1d7641dbb58c89481e27d889e7f17fad87e 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-aaf0701a4564fdce9d4422e8c33ea704142e371392cb7fa552cf0c71cb00d0dbd5901c21e45fadc23798cfdb95066da9d24b2f2b9b037761e670ee30f4b93b35 1004-vici-support-asynchronous-initiation.patch
-bd4c9575d2aebbae48d49ef5e3fcfa0c0366c8d100a0190706b5fff7332ab34ca5f862ba8a3fe9cdcf9996371b554ab0f6561e16d57d6e425497ab015e46299a 1005-ikev1-message-priorities.patch
-dd9d873d63ae9ed47bc61b122e33be406498ca707c53560c704b87b986904f1fbfe6f293df6a6f79a0359ff9b3686fcf26e91624eb73d8139b4afe1bd26f7798 1006-fix-printf-strlen.patch
+d3135206f61496d0877b22c52c0f4246d17777935a4277bfc6e7ca8b69fb2754a52fed7e8691292df91745c00fa0d597f11cd866bb4ee91453c0e252ba77eef8 0001-vici-Asynchronize-debug-logging.patch
+87ab03664dddf30ed1ae1a1e1fc2a22715a0e74b220f316937cf0f86a5b9c38262fd8a9ad62aa1866405d0bf552d33a62621c8b91634e6bd3c7967b6e7955894 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
+8f16ab691c7e778894f0fc8889ac9be8813da27e09fb304443e9053f2ed384ccd3976d7956f762136c94c870dabe808d3f97116f4573bb0df74299f1da34d643 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
+dbb5454e32cea4e671fdb109e2252536d2f8ee97097a45ad280010de7d6b7fedeb40c0418ae2af45a4393b98ac6badd9072846259be6ca823f056919fcd3b985 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
+73dcb7874aadcf641051cef91d83158fa8a1c664c094d131fcd5ad9d1c5d00abec5a75dd92780fabf2c0690079aad73275af885a83c8791c62025593fa7af61c 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
+8e3636933b7ee3eddb28b9797e3da21c494e470067bc6996509bd28a9894e037fa7575d68fb717247762dc468543b67d965745370cb1335b1f9fbc6bdf260f6e 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
+e970869f5552557d18133bb279b98a81b7d12a6656bddccfcfbdb2b2dc80ad90cc4d1d63135b3682ccb26c83408790c792de9d64056a97c1b7df16f0b159d179 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
+65a20b7d059770786c5912811db8692ab9c03a3527f83d0d23e14db4da8c64c3ed43de7a04ba1cf2a794551471ee9456e70f723b0bb4599792a668edea1f6e77 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
+e5bd98af84b248642fb6206497c7d2fca7e42362632171e271a8a715179d10f3590eb25a7b38c9fbc058c82d657668c01e9b98d8ef1f422d0887e710342eff36 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
+c4a30bbff90c2ef59e9bebb64d336bddde811f0ffba3dcef423dc71a17e98be26192f8aa8654702e9a2cdc9dbfc8ec960fbf1a126c411efef6f95dc1a19c518e 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+6e11b006b4fd0c6d000ff301ce18170bf9540f567ada2eb23f0f1c705be8d0f9299364313249cef5528858e75c10ba9d65315c941b49cb12ae07808d3b6e1faa 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+2a5503558dcfe654335d9b6b7056e9888b2304389bb76369b8222d54add6c8a9895ab175701eeb636c42f0df53d1078fdae7a9f11167fc2beadad82de68b0e4c 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+4e3ac34b2ecca6c1eefd9354a96a1a1fe7499571d2c5756c1cc889c23e125073517c6af57047de5b96bbc6acf9c6bb8c677df4206633f67551336fa8e62c77fb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
+f643be8dbc32c27f2c31ac91612ae7d2f1a34e9387257d1247cd8c7fb8e5b9c58fc0b8448dd692723a6f7f2ac4d4629ffa2c440c40f5f1bfb550f1cc526b3916 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+bd161f1d4fa2881c8c07c2b7bccc0b9f06a99b12203d00329c8295f8a5ebe49f6cf27eca286ddd3c9e443fe132c64cae6849d691ddeda49b5fe716aebc73441e 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+3f8c5ed171eb7c99218005b038ff0e0bc23841aab76cb97fbb7b8a3091b9f5ba318bd23c347de42bd969ac599f3d5f1b6bcf5110d5e23643858b24a719374f50 0015-ike-rekey-Fix-cleanup-call.patch
+bdc74e2b6f91e94aa0041927ff5cf3f2f5d67d5d37a0c389a2b6328919bd9f2f0376957676fd359009117a1d01cd06ecfadb7151bd7875c1df5cb82e159a378a 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+2d667eeba6d567008d8fe27d4dafa9a913c7aafa096258d7b5c95e2d8428e9dc8a40ace9e729a3d323e8d639d2ae3dae945904f90a39076c5ca5ddba7d70a0b6 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+539bfec16350c035f7ce2f3551b52ba2e22c75146a6c1494f4b25ec283f2245b7a03be9470c0e0cd3e6fc368bcf1bda60ce8166928737ab396e6cf88ffafaf79 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88ab1635ba30f9ff0ca9945aa264b3213561548648d64eb25ae 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+9a2cb61c55a03977fc4bce42fdf043706498c86d69ea094852735b2ef525fbc0f81bad33aad7afc29ef301f3e2146746b56f458980529057e05007e0bab7b972 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+95e3544a87bf503ed17059298ec6330501f39a2210e583fed59c5d03ef25b8d8227317016bf0181e49c87a7e36e1d902b0b24bda184d2166f3ad5b79166ce0dd 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+055b7769b0f587a77585ccf8e44c30fdf0981a1418f8e426eb696cfde671ac0013b355fdfb9e73ed3605c97a3a8c5f8ac38a2a0a137a5b87f9d6491752254543 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+6b01e9810566e4f928fa72f01b5fa6cdbddaf1045433cb5b73b5a3d1cd73260ff195709e4d46384c2aa6540e4e62ad9021d9cad19b2061bc0153581e74cf2d0e 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+8788fb376eaf57d9f277cac785db08578de3992e2484e7ab21ec044bc91000565ecb2adae4d2632f43ca6ed76519fd4422d86a3ba07a499594fbd7a61298458c 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
+86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
+2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881 1002-vici-send-certificates-for-ike-sa-events.patch
+1ea845551c7da2a7817e34508b0da3f3f0bba879f3b95d08c8db0a6b32adaf50363556daa6ee2e0f11c1ee6c41077d39ba54dbd40e457a02a991add19fe115ef 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6 1004-vici-support-asynchronous-initiation.patch 723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 2001-support-gre-key-in-ikev1.patch b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd" |