main/strongswan: additional fixes

- python is needed to prepare config file templates, ref #4484
- three cherry-picks from upstream git master and merge pending branches
- add patch to fix connection authentication when multiple CAs are allowed

5 files changed, 201 insertions, 1 deletions

diff --git a/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch b/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch
new file mode 100644
index 0000000000..63f120d284
--- /dev/null
+++ b/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch
@@ -0,0 +1,22 @@
+From 1ce32c9cdcb1cfacd4c8389402a24c4ed7cf0109 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 31 Jul 2015 11:20:24 +0200
+Subject: [PATCH] kernel-netlink: Unlock mutex in del_policy() if mark can't be
+ added to message
+
+---
+ src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index a6cf977..e0f1dd7 100644
+--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -2562,6 +2562,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
+ 
+ 	if (!add_mark(hdr, sizeof(request), mark))
+ 	{
++		this->mutex->unlock(this->mutex);
+ 		return FAILED;
+ 	}
+ 
diff --git a/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch b/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
new file mode 100644
index 0000000000..134ce64060
--- /dev/null
+++ b/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
@@ -0,0 +1,40 @@
+From cd83d5c5e51db6c903496369f6edc74901703eb7 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Wed, 3 Jun 2015 17:31:30 +0200
+Subject: [PATCH] kernel-netlink: When adding a policy do an update if it
+ already exists
+
+This may be the case when SAs are reestablished after a crash of the
+IKE daemon.
+---
+ src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index f22e07d..e41c10a 100644
+--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -2057,6 +2057,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
+ 	ipsec_sa_t *ipsec = mapping->sa;
+ 	struct xfrm_userpolicy_info *policy_info;
+ 	struct nlmsghdr *hdr;
++	status_t status;
+ 	int i;
+ 
+ 	/* clone the policy so we are able to check it out again later */
+@@ -2151,7 +2152,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
+ 	}
+ 	this->mutex->unlock(this->mutex);
+ 
+-	if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
++	status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
++	if (status == ALREADY_DONE && !update)
++	{
++		DBG1(DBG_KNL, "policy already exists, try to update it");
++		hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
++		status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
++	}
++	if (status != SUCCESS)
+ 	{
+ 		return FAILED;
+ 	}
diff --git a/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch b/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch
new file mode 100644
index 0000000000..a1b696a50c
--- /dev/null
+++ b/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch
@@ -0,0 +1,69 @@
+From ce1f82060c037eebf0da6de164215d9a06b92c5b Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 31 Jul 2015 16:51:35 +0200
+Subject: [PATCH] child-sa: Fix refcounting of allocated reqids
+
+During a rekeying we want to reuse the current reqid, but if the new SA
+does not allocate it via kernel-interface the state there will disappear
+when the old SA is destroyed after the rekeying.  When the IKE_SA is
+later reauthenticated with make-before-break reatuhentication the new
+CHILD_SAs there will get new reqids as no existing state is found in the
+kernel-interface.
+
+Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
+---
+ src/libcharon/sa/child_sa.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
+index 94cf07c..73f2ec9 100644
+--- a/src/libcharon/sa/child_sa.c
++++ b/src/libcharon/sa/child_sa.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2006-2011 Tobias Brunner
++ * Copyright (C) 2006-2015 Tobias Brunner
+  * Copyright (C) 2005-2008 Martin Willi
+  * Copyright (C) 2006 Daniel Roethlisberger
+  * Copyright (C) 2005 Jan Hutter
+@@ -106,6 +106,11 @@ struct private_child_sa_t {
+ 	 */
+ 	bool reqid_allocated;
+ 
++	/**
++	 * Is the reqid statically configured
++	 */
++	bool static_reqid;
++
+ 	/*
+ 	 * Unique CHILD_SA identifier
+ 	 */
+@@ -698,7 +703,7 @@ METHOD(child_sa_t, install, status_t,
+ 	this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
+ 								  &esn, NULL);
+ 
+-	if (!this->reqid_allocated && !this->reqid)
++	if (!this->reqid_allocated && !this->static_reqid)
+ 	{
+ 		status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
+ 							my_ts, other_ts, this->mark_in, this->mark_out,
+@@ -826,7 +831,7 @@ METHOD(child_sa_t, add_policies, status_t,
+ 	traffic_selector_t *my_ts, *other_ts;
+ 	status_t status = SUCCESS;
+ 
+-	if (!this->reqid_allocated && !this->reqid)
++	if (!this->reqid_allocated && !this->static_reqid)
+ 	{
+ 		/* trap policy, get or confirm reqid */
+ 		status = hydra->kernel_interface->alloc_reqid(
+@@ -1305,6 +1310,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
+ 			this->reqid = charon->traps->find_reqid(charon->traps, config);
+ 		}
+ 	}
++	else
++	{
++		this->static_reqid = TRUE;
++	}
+ 
+ 	/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
+ 	if (config->get_mode(config) == MODE_TRANSPORT &&
diff --git a/main/strongswan/2002-fix-multiple-cacerts.patch b/main/strongswan/2002-fix-multiple-cacerts.patch
new file mode 100644
index 0000000000..07a6de929e
--- /dev/null
+++ b/main/strongswan/2002-fix-multiple-cacerts.patch
@@ -0,0 +1,53 @@
+diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
+index 0ca45a1..64155a0 100644
+--- a/src/libstrongswan/credentials/auth_cfg.c
++++ b/src/libstrongswan/credentials/auth_cfg.c
+@@ -515,6 +515,7 @@ METHOD(auth_cfg_t, complies, bool,
+ {
+ 	enumerator_t *e1, *e2;
+ 	bool success = TRUE, group_match = FALSE, cert_match = FALSE;
++	bool require_ca = FALSE, ca_match = FALSE;
+ 	identification_t *require_group = NULL;
+ 	certificate_t *require_cert = NULL;
+ 	signature_scheme_t scheme = SIGN_UNKNOWN;
+@@ -535,22 +536,17 @@ METHOD(auth_cfg_t, complies, bool,
+ 
+ 				c1 = (certificate_t*)value;
+ 
+-				success = FALSE;
++				require_ca = TRUE;
+ 				e2 = create_enumerator(this);
+ 				while (e2->enumerate(e2, &t2, &c2))
+ 				{
+ 					if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+ 						c1->equals(c1, c2))
+ 					{
+-						success = TRUE;
++						ca_match = TRUE;
+ 					}
+ 				}
+ 				e2->destroy(e2);
+-				if (!success && log_error)
+-				{
+-					DBG1(DBG_CFG, "constraint check failed: peer not "
+-						 "authenticated by CA '%Y'.", c1->get_subject(c1));
+-				}
+ 				break;
+ 			}
+ 			case AUTH_RULE_SUBJECT_CERT:
+@@ -844,6 +840,15 @@ METHOD(auth_cfg_t, complies, bool,
+ 		e2->destroy(e2);
+ 	}
+ 
++	if (require_ca && !ca_match)
++	{
++		if (log_error)
++		{
++			DBG1(DBG_CFG, "constraint check failed: no matching CA found");
++		}
++		return FALSE;
++	}
++
+ 	if (require_group && !group_match)
+ 	{
+ 		if (log_error)
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 8992b7d431..a1a36b0923 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -12,7 +12,7 @@ pkggroups="ipsec"
 license="GPL-2 RSA-MD5 RSA-PKCS11 DES"
 depends="iproute2 openssl"
 depends_dev="sqlite-dev openssl-dev curl-dev gmp-dev libcap-dev"
-makedepends="$depends_dev linux-headers"
+makedepends="$depends_dev linux-headers python"
 install="$pkgname.pre-install"
 subpackages="$pkgname-doc $pkgname-dbg"
 source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
@@ -33,8 +33,10 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
 	0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
 	0015-ike-rekey-Fix-cleanup-call.patch
 	0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+	0017-kernel-netlink-unlock-mutex-in-del-policy.patch
 	0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
 	0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+	0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
 	0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
 	0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
 	0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
@@ -43,11 +45,13 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
 	0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
 	0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 	0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
+	0601-child-sa-fix-refcounting-of-allocated-reqids.patch
 	1001-charon-add-optional-source-and-remote-overrides-for-.patch
 	1002-vici-send-certificates-for-ike-sa-events.patch
 	1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 	1004-vici-support-asynchronous-initiation.patch
 	2001-support-gre-key-in-ikev1.patch
+	2002-fix-multiple-cacerts.patch
 
 	strongswan.initd
 	charon.initd"
@@ -148,8 +152,10 @@ b5f4a1a5cd7e5f10e9487a23078bcbab  0011-shunt-manager-Add-flush-method-to-properl
 054b28fd78fccb20b993ec2679f98bc6  0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
 6b57da364f1222eb2a8eda8f146c784b  0015-ike-rekey-Fix-cleanup-call.patch
 0941f8e871fff5ab8c984830d23b35a1  0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+be62ce82080a0b7325709d6fbe0b9e46  0017-kernel-netlink-unlock-mutex-in-del-policy.patch
 d97c846c00c60a35925662ba551495df  0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
 d73abf4c9c3354120152144e7985d428  0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+0800173ace99e4f835365350142cf198  0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
 c3f86cc9b0866f2e748f40d3058a5b14  0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
 55feb2633c42927672113e44465fd824  0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
 d57e117d13da147910e2ae09219d2492  0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
@@ -158,11 +164,13 @@ c46165934687326a26ec9153a34e2227  0205-ike-Adhere-to-IKE_SA-limit-when-checking-
 9b607cf38cff83547368d82fa34d716f  0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
 c7c0338de6dc4993cb8cb71238fd13dc  0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 2d191d850683a6ed34f171ed64b643f0  0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
+b361ef4d3ed853620febc2117b4aa6cf  0601-child-sa-fix-refcounting-of-allocated-reqids.patch
 06607758b690f2db961d84e26ee7d6ea  1001-charon-add-optional-source-and-remote-overrides-for-.patch
 1aae491acf4739d871a64cd4481551f6  1002-vici-send-certificates-for-ike-sa-events.patch
 b0f2d10bc3dc89f3bba28fead6687311  1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 ca53b3df714aa588af99d4f720c4318b  1004-vici-support-asynchronous-initiation.patch
 b9f874287c35cce075b761087c28ab50  2001-support-gre-key-in-ikev1.patch
+0aecbf5f7b900f272151363db1a00846  2002-fix-multiple-cacerts.patch
 85ebc1b6c6b9c0c6640d8136e97da8e1  strongswan.initd
 7962a720ebef6892d80a3cbdab72c204  charon.initd"
 sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225  strongswan-5.3.2.tar.bz2
@@ -183,8 +191,10 @@ b8b82e4b99c70cd76b09a2c7d6144e1e572bee6b4c821fcf7338d1692e1843cb  0012-daemon-Fl
 a1b61e2aafcd502c8398bfefd556dfb1429d862faecc5d6c0c843e7da215abf3  0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
 ef5f7d38483909ae3aff5e474ac6f5f20804645ead6a6108f2534408434023ff  0015-ike-rekey-Fix-cleanup-call.patch
 257931d4443a4ed2284bf8872e73ab1e93c0d69f490e1b9b3bb2b12210cec677  0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+02a230822398be1cf04a362163bee03f4c4edd4eb1b622fba8a93f5dcb2fb06d  0017-kernel-netlink-unlock-mutex-in-del-policy.patch
 130db52dea23eae4081bf25c5ef050f9dfbaa4e7e99dc0a623fdfc991eb4c5c7  0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
 16a41ef4cf25e3432c8a61aa34ac12d6eccd5796d921c75d72570d4f9fda2717  0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+4b9f8d087ef7e6f9c46fa0d5d687dd99fdbfbef1e871ef451a156474282cfefe  0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
 ab4042b193a68d3ff771be006fdea81eb786fee7b7c4c8c24aa60ef3372de9c8  0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
 f81bb1934c67263e0fcb75ffa449f7d663a17ffacc4d76d233acaed54e13b10d  0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
 7aac3748cabf9293701924b6e6a3f0bb74c4d4302a019eb8012af48473f35b67  0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
@@ -193,11 +203,13 @@ f81bb1934c67263e0fcb75ffa449f7d663a17ffacc4d76d233acaed54e13b10d  0202-controlle
 d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b  0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
 74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6  0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 6eec00bdb7778a51d04157ec640394959d599f3b8cef6bad0d875658cace99ea  0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
+a558247c9b6eeabfa2a677440a3e25a0841171347484d624c6c4668f9064b67d  0601-child-sa-fix-refcounting-of-allocated-reqids.patch
 d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc  1001-charon-add-optional-source-and-remote-overrides-for-.patch
 b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34  1002-vici-send-certificates-for-ike-sa-events.patch
 c0b39aaaf97f3797ef327a465e1468aa166044875b194e899999dc7c0723fc4c  1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1  1004-vici-support-asynchronous-initiation.patch
 ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18  2001-support-gre-key-in-ikev1.patch
+fe0f3503c3b42af23a98cec4d0eeb9ab7aae0dc35c70ce9c533307a89fb3ee79  2002-fix-multiple-cacerts.patch
 ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f  strongswan.initd
 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73  charon.initd"
 sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68  strongswan-5.3.2.tar.bz2
@@ -218,8 +230,10 @@ f643be8dbc32c27f2c31ac91612ae7d2f1a34e9387257d1247cd8c7fb8e5b9c58fc0b8448dd69272
 bd161f1d4fa2881c8c07c2b7bccc0b9f06a99b12203d00329c8295f8a5ebe49f6cf27eca286ddd3c9e443fe132c64cae6849d691ddeda49b5fe716aebc73441e  0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
 3f8c5ed171eb7c99218005b038ff0e0bc23841aab76cb97fbb7b8a3091b9f5ba318bd23c347de42bd969ac599f3d5f1b6bcf5110d5e23643858b24a719374f50  0015-ike-rekey-Fix-cleanup-call.patch
 bdc74e2b6f91e94aa0041927ff5cf3f2f5d67d5d37a0c389a2b6328919bd9f2f0376957676fd359009117a1d01cd06ecfadb7151bd7875c1df5cb82e159a378a  0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+459bfd98c7cbb54bb6b7e95403eb1d62e290ce8ca04f164a49bac8684f8c1c9d4ab88a051e7a0a88fba1b3a5a030cba1aa5b4960a71c1726dbbc512be401cd40  0017-kernel-netlink-unlock-mutex-in-del-policy.patch
 2d667eeba6d567008d8fe27d4dafa9a913c7aafa096258d7b5c95e2d8428e9dc8a40ace9e729a3d323e8d639d2ae3dae945904f90a39076c5ca5ddba7d70a0b6  0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
 539bfec16350c035f7ce2f3551b52ba2e22c75146a6c1494f4b25ec283f2245b7a03be9470c0e0cd3e6fc368bcf1bda60ce8166928737ab396e6cf88ffafaf79  0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+a3488021316606e1fdaadfacc86ec8e9bcb741d3ac063498a64594214d97e0193270101388f61e118ec29ccfb8c6314a9fa6f3f8832a4cd8fe6b3f3445529b00  0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
 b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88ab1635ba30f9ff0ca9945aa264b3213561548648d64eb25ae  0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
 9a2cb61c55a03977fc4bce42fdf043706498c86d69ea094852735b2ef525fbc0f81bad33aad7afc29ef301f3e2146746b56f458980529057e05007e0bab7b972  0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
 95e3544a87bf503ed17059298ec6330501f39a2210e583fed59c5d03ef25b8d8227317016bf0181e49c87a7e36e1d902b0b24bda184d2166f3ad5b79166ce0dd  0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
@@ -228,10 +242,12 @@ b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88a
 8788fb376eaf57d9f277cac785db08578de3992e2484e7ab21ec044bc91000565ecb2adae4d2632f43ca6ed76519fd4422d86a3ba07a499594fbd7a61298458c  0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
 86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834  0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 f0dfb8aee6fd456d5d330d9a1212842ecd7f88b9b76bb1667dacdbbb2c38369fa089df6ce13c6363735012f653df91b4bbb082a970a11ec63e6a2d14ca2b0ec2  0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
+dad393b5d8b5152d7544a42818c446098b748cf4114b544d0bcf6a039c5f9f266ac850f6725b58d653186dcd23cae8a9db627f245412ad1cd3b5a4ccadc90825  0601-child-sa-fix-refcounting-of-allocated-reqids.patch
 2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d  1001-charon-add-optional-source-and-remote-overrides-for-.patch
 ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881  1002-vici-send-certificates-for-ike-sa-events.patch
 1ea845551c7da2a7817e34508b0da3f3f0bba879f3b95d08c8db0a6b32adaf50363556daa6ee2e0f11c1ee6c41077d39ba54dbd40e457a02a991add19fe115ef  1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6  1004-vici-support-asynchronous-initiation.patch
 723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771  2001-support-gre-key-in-ikev1.patch
+845f414f84984a044f493fd2b4e0deea5e0244938500b5d61f34b7c4ab7896792abf3685d6bf04f28c68261ce8103d1dd14aee82bd9f303ddac8aae24c7ab33a  2002-fix-multiple-cacerts.patch
 b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64  strongswan.initd
 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79  charon.initd"