-rw-r--r--main/strongswan/0001-vici-Asynchronize-debug-logging.patch169
-rw-r--r--main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch67
-rw-r--r--main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch91
-rw-r--r--main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch106
-rw-r--r--main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch48
-rw-r--r--main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch37
-rw-r--r--main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch33
-rw-r--r--main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch260
-rw-r--r--main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch118
-rw-r--r--main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch112
-rw-r--r--main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch43
-rw-r--r--main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch153
-rw-r--r--main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch27
-rw-r--r--main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch105
-rw-r--r--main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch31
-rw-r--r--main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch34
-rw-r--r--main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch27
-rw-r--r--main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch22
-rw-r--r--main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch31
-rw-r--r--main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch59
-rw-r--r--main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch40
-rw-r--r--main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch24
-rw-r--r--main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch317
-rw-r--r--main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch170
-rw-r--r--main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch65
-rw-r--r--main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch46
-rw-r--r--main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch68
-rw-r--r--main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch30
-rw-r--r--main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch69
-rw-r--r--main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch95
-rw-r--r--main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch92
-rw-r--r--main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch44
-rw-r--r--main/strongswan/1003-vici-add-support-for-individual-sa-state-changes.patch (renamed from main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch)100
-rw-r--r--main/strongswan/1004-vici-support-asynchronous-initiation.patch8
-rw-r--r--main/strongswan/2001-support-gre-key-in-ikev1.patch38
-rw-r--r--main/strongswan/APKBUILD173
36 files changed, 175 insertions, 2777 deletions
diff --git a/main/strongswan/0001-vici-Asynchronize-debug-logging.patch b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
deleted file mode 100644
index c756f9d3e8..0000000000
--- a/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-From 856ea64129cdc7ee56969524d7abaaae08c22c6a Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@revosec.ch>
-Date: Thu, 2 Jul 2015 09:10:21 +0200
-Subject: [PATCH] vici: Asynchronize debug logging
-
-The vici logger uses the listener_t.log() callback to raise vici events.
-
-When doing so, it holds the bus lock as reader while acquiring the vici socket
-mutex (1). If at the same time the vici socket enables a writer, that thread
-tries to lock the watcher mutex (2). The watcher thread uses debugging while
-holding the lock, i.e. acquires the bus read lock (3).
-
-(1) bus.rlock -> vici.lock!
-(2) vici.lock -> watcher.lock!
-(3) watcher.lock -> bus.rlock!
-
-This all actually would resolve just fine, as we have a shared read lock on the
-bus. However, under Windows we seem to have a strict writer preference when
-acquiring the rwlock (4). This results in blocking read locks until any pending
-write lock can be fulfilled, and makes the constellation deadlock. The relevant
-threads are:
-
-Thread (1)
-6 0x71313d25 in wait_ at threading/windows/mutex.c:137
-7 0x7054c8a2 in find_entry at vici_socket.c:201
-8 0x7054d690 in send_ at vici_socket.c:624
-9 0x7054f6c1 in send_op at vici_dispatcher.c:119
-10 0x705502c1 in raise_event at vici_dispatcher.c:469
-12 0x704c3878 in log_cb at bus/bus.c:332
-13 0x712c7c3a in invoke_function at collections/linked_list.c:414
-14 0x704c3a63 in vlog at bus/bus.c:400
-15 0x704c3b36 in log_ at bus/bus.c:430
-18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664
-20 0x704f5430 in process_message at sa/ike_sa.c:1369
-21 0x704e3823 in execute at processing/jobs/process_message_job.c:74
-22 0x712e629f in process_job at processing/processor.c:235
-
-Thread (2)
-4 0x71313b61 in lock at threading/windows/mutex.c:66
-5 0x712e81fd in add at processing/watcher.c:441
-6 0x712e1ab9 in add_watcher at networking/streams/stream.c:213
-7 0x712e1b4d in on_write at networking/streams/stream.c:237
-8 0x7054d606 in _cb_enable_writer at vici_socket.c:609
-9 0x712e5e34 in execute at processing/jobs/callback_job.c:77
-10 0x712e629f in process_job at processing/processor.c:235
-
-Thread (3)
-3 0x71313f38 in read_lock at threading/windows/rwlock.c:74
-4 0x704c3971 in vlog at bus/bus.c:373
-5 0x704cc156 in dbg_bus at daemon.c:126
-6 0x712e7bf9 in watch at processing/watcher.c:316
-7 0x712e5e34 in execute at processing/jobs/callback_job.c:77
-8 0x712e629f in process_job at processing/processor.c:235
-
-Thread (4)
-3 0x71313f70 in write_lock at threading/windows/rwlock.c:82
-4 0x704c378b in remove_logger at bus/bus.c:290
-5 0x704cb284 in listener_unregister at control/controller.c:166
-6 0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558
-8 0x704cb94e in initiate at control/controller.c:435
-9 0x70553996 in _cb_initiate at vici_control.c:187
-12 0x7054d200 in _cb_process_queue at vici_socket.c:508
-13 0x712e5e34 in execute at processing/jobs/callback_job.c:77
-14 0x712e629f in process_job at processing/processor.c:235
-
-To avoid such a situation, we dissolve the (1) lock sequence. It's actually
-never good practice to acquire shared locks during bus hooks, as it is
-problematic if we raise bus events while holding the lock. We do so by
-raising vici events for log message asynchronously, but of curse must keep
-log order as is using a synchronized queue.
----
- src/libcharon/plugins/vici/vici_logger.c | 48 +++++++++++++++++++++++++++++++-
- 1 file changed, 47 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c
-index cffd65b..6d3584e 100644
---- a/src/libcharon/plugins/vici/vici_logger.c
-+++ b/src/libcharon/plugins/vici/vici_logger.c
-@@ -18,6 +18,7 @@
-
- #include <daemon.h>
- #include <threading/mutex.h>
-+#include <processing/jobs/callback_job.h>
-
- typedef struct private_vici_logger_t private_vici_logger_t;
-
-@@ -42,11 +43,54 @@ struct private_vici_logger_t {
- int recursive;
-
- /**
-+ * List of messages to raise async events
-+ */
-+ linked_list_t *queue;
-+
-+ /**
- * Mutex to synchronize logging
- */
- mutex_t *mutex;
- };
-
-+/**
-+ * Async callback to raise events for queued messages
-+ */
-+static job_requeue_t raise_events(private_vici_logger_t *this)
-+{
-+ vici_message_t *message;
-+ u_int count;
-+
-+ this->mutex->lock(this->mutex);
-+ count = this->queue->get_count(this->queue);
-+ this->queue->remove_first(this->queue, (void**)&message);
-+ this->mutex->unlock(this->mutex);
-+
-+ if (count > 0)
-+ {
-+ this->dispatcher->raise_event(this->dispatcher, "log", 0, message);
-+ }
-+ if (count > 1)
-+ {
-+ return JOB_REQUEUE_DIRECT;
-+ }
-+ return JOB_REQUEUE_NONE;
-+}
-+
-+/**
-+ * Queue a message for async processing
-+ */
-+static void queue_messsage(private_vici_logger_t *this, vici_message_t *message)
-+{
-+ this->queue->insert_last(this->queue, message);
-+ if (this->queue->get_count(this->queue) == 1)
-+ {
-+ lib->processor->queue_job(lib->processor, (job_t*)
-+ callback_job_create((callback_job_cb_t)raise_events,
-+ this, NULL, NULL));
-+ }
-+}
-+
- METHOD(logger_t, log_, void,
- private_vici_logger_t *this, debug_t group, level_t level, int thread,
- ike_sa_t* ike_sa, const char *msg)
-@@ -75,7 +119,7 @@ METHOD(logger_t, log_, void,
- message = builder->finalize(builder);
- if (message)
- {
-- this->dispatcher->raise_event(this->dispatcher, "log", 0, message);
-+ queue_messsage(this, message);
- }
- }
- this->recursive--;
-@@ -101,6 +145,7 @@ METHOD(vici_logger_t, destroy, void,
- private_vici_logger_t *this)
- {
- manage_commands(this, FALSE);
-+ this->queue->destroy_offset(this->queue, offsetof(vici_message_t, destroy));
- this->mutex->destroy(this->mutex);
- free(this);
- }
-@@ -121,6 +166,7 @@ vici_logger_t *vici_logger_create(vici_dispatcher_t *dispatcher)
- .destroy = _destroy,
- },
- .dispatcher = dispatcher,
-+ .queue = linked_list_create(),
- .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
- );
-
---
-2.4.6
-
diff --git a/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch
deleted file mode 100644
index ff79e322ec..0000000000
--- a/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 65579569adfa0e2c9602ee250f4554169ba5a87d Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 11 Jun 2015 15:07:07 +0200
-Subject: [PATCH] host: Properly handle NULL in
- host_create_from_string[_and_family]
-
----
- src/libstrongswan/networking/host.c | 4 ++++
- src/libstrongswan/tests/suites/test_host.c | 6 ++++++
- 2 files changed, 10 insertions(+)
-
-diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
-index 07da3ef..2e464b0 100644
---- a/src/libstrongswan/networking/host.c
-+++ b/src/libstrongswan/networking/host.c
-@@ -354,6 +354,10 @@ host_t *host_create_from_string_and_family(char *string, int family,
- struct sockaddr_in6 v6;
- } addr;
-
-+ if (!string)
-+ {
-+ return NULL;
-+ }
- if (streq(string, "%any"))
- {
- return host_create_any_port(family ? family : AF_INET, port);
-diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c
-index 7161b2c..5cb8013 100644
---- a/src/libstrongswan/tests/suites/test_host.c
-+++ b/src/libstrongswan/tests/suites/test_host.c
-@@ -104,6 +104,9 @@ START_TEST(test_create_from_string_v4)
- {
- host_t *host;
-
-+ host = host_create_from_string(NULL, 500);
-+ ck_assert(!host);
-+
- host = host_create_from_string("%any", 500);
- verify_any(host, AF_INET, 500);
- host->destroy(host);
-@@ -196,6 +199,7 @@ static void test_create_from_string_and_family_addr(char *string, chunk_t addr,
-
- START_TEST(test_create_from_string_and_family_v4)
- {
-+ test_create_from_string_and_family_any(NULL, AF_INET, AF_UNSPEC);
- test_create_from_string_and_family_any("%any", AF_INET, AF_INET);
- test_create_from_string_and_family_any("%any4", AF_INET, AF_INET);
- test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET);
-@@ -210,6 +214,7 @@ END_TEST
-
- START_TEST(test_create_from_string_and_family_v6)
- {
-+ test_create_from_string_and_family_any(NULL, AF_INET6, AF_UNSPEC);
- test_create_from_string_and_family_any("%any", AF_INET6, AF_INET6);
- test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6);
- test_create_from_string_and_family_any("::", AF_INET6, AF_INET6);
-@@ -224,6 +229,7 @@ END_TEST
-
- START_TEST(test_create_from_string_and_family_other)
- {
-+ test_create_from_string_and_family_any(NULL, AF_UNSPEC, AF_UNSPEC);
- test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET);
- test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET);
- test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET);
---
-2.4.6
-
diff --git a/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
deleted file mode 100644
index c17141460a..0000000000
--- a/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 390ae7a2c2f899122e722241cb261f53dfc81b9a Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Wed, 8 Jul 2015 15:28:46 +0200
-Subject: [PATCH] ike-sa-manager: Safely access the RNG instance with an rwlock
-
-Threads might still be allocating SPIs (e.g. triggered by an acquire or
-an inbound message) while the main thread calls flush(). If there is a
-context switch right after such a thread successfully checked this->rng
-in get_spi() and the main thread destroys the RNG instance right then,
-that worker thread will cause a segmentation fault when it continues and
-attempts to call get_bytes().
-
-Fixes #1014.
----
- src/libcharon/sa/ike_sa_manager.c | 21 ++++++++++++++++-----
- 1 file changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 938f784..987260d 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1,7 +1,7 @@
- /*
- * Copyright (C) 2005-2011 Martin Willi
- * Copyright (C) 2011 revosec AG
-- * Copyright (C) 2008-2012 Tobias Brunner
-+ * Copyright (C) 2008-2015 Tobias Brunner
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
- *
-@@ -384,6 +384,11 @@ struct private_ike_sa_manager_t {
- rng_t *rng;
-
- /**
-+ * Lock to access the RNG instance
-+ */
-+ rwlock_t *rng_lock;
-+
-+ /**
- * reuse existing IKE_SAs in checkout_by_config
- */
- bool reuse_ikesa;
-@@ -943,12 +948,14 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this)
- {
- u_int64_t spi;
-
-- if (this->rng &&
-- this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
-+ this->rng_lock->read_lock(this->rng_lock);
-+ if (!this->rng ||
-+ !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
- {
-- return spi;
-+ spi = 0;
- }
-- return 0;
-+ this->rng_lock->unlock(this->rng_lock);
-+ return spi;
- }
-
- /**
-@@ -2055,8 +2062,10 @@ METHOD(ike_sa_manager_t, flush, void,
- charon->bus->set_sa(charon->bus, NULL);
- unlock_all_segments(this);
-
-+ this->rng_lock->write_lock(this->rng_lock);
- this->rng->destroy(this->rng);
- this->rng = NULL;
-+ this->rng_lock->unlock(this->rng_lock);
- }
-
- METHOD(ike_sa_manager_t, destroy, void,
-@@ -2081,6 +2090,7 @@ METHOD(ike_sa_manager_t, destroy, void,
- free(this->connected_peers_segments);
- free(this->init_hashes_segments);
-
-+ this->rng_lock->destroy(this->rng_lock);
- free(this);
- }
-
-@@ -2138,6 +2148,7 @@ ike_sa_manager_t *ike_sa_manager_create()
- free(this);
- return NULL;
- }
-+ this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-
- this->ikesa_limit = lib->settings->get_int(lib->settings,
- "%s.ikesa_limit", 0, lib->ns);
---
-2.4.6
-
diff --git a/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
deleted file mode 100644
index 0cf63a3f76..0000000000
--- a/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 6bfa66069304c1fc1345b4e72762a3b1a80e4338 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 11 Jun 2015 15:42:54 +0200
-Subject: [PATCH] ike-cfg: Add helper function to determine address family of
- IP addresses
-
-All configured static addresses (hostnames, ranges or subnets are not
-considered) must be of the same family, otherwise AF_UNSPEC is returned.
----
- src/libcharon/config/ike_cfg.c | 47 ++++++++++++++++++++++++++++++++++++++++++
- src/libcharon/config/ike_cfg.h | 13 +++++++++++-
- 2 files changed, 59 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
-index 9464ceb..dee9e4c 100644
---- a/src/libcharon/config/ike_cfg.c
-+++ b/src/libcharon/config/ike_cfg.c
-@@ -1,4 +1,5 @@
- /*
-+ * Copyright (C) 2012-2015 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
-@@ -513,6 +514,52 @@ static void parse_addresses(char *str, linked_list_t *hosts,
- /**
- * Described in header.
- */
-+int ike_cfg_get_family(ike_cfg_t *cfg, bool local)
-+{
-+ private_ike_cfg_t *this = (private_ike_cfg_t*)cfg;
-+ enumerator_t *enumerator;
-+ host_t *host;
-+ char *str;
-+ int family = AF_UNSPEC;
-+
-+ if (local)
-+ {
-+ enumerator = this->my_hosts->create_enumerator(this->my_hosts);
-+ }
-+ else
-+ {
-+ enumerator = this->other_hosts->create_enumerator(this->other_hosts);
-+ }
-+ while (enumerator->enumerate(enumerator, &str))
-+ {
-+ if (streq(str, "%any"))
-+ { /* ignore %any as its family is undetermined */
-+ continue;
-+ }
-+ host = host_create_from_string(str, 0);
-+ if (host)
-+ {
-+ if (family == AF_UNSPEC)
-+ {
-+ family = host->get_family(host);
-+ }
-+ else if (family != host->get_family(host))
-+ {
-+ /* more than one address family defined */
-+ family = AF_UNSPEC;
-+ host->destroy(host);
-+ break;
-+ }
-+ }
-+ DESTROY_IF(host);
-+ }
-+ enumerator->destroy(enumerator);
-+ return family;
-+}
-+
-+/**
-+ * Described in header.
-+ */
- ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
- char *me, u_int16_t my_port,
- char *other, u_int16_t other_port,
-diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
-index adfcabf..62f5b74 100644
---- a/src/libcharon/config/ike_cfg.h
-+++ b/src/libcharon/config/ike_cfg.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2012 Tobias Brunner
-+ * Copyright (C) 2012-2015 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
- * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
-@@ -254,4 +254,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
- char *other, u_int16_t other_port,
- fragmentation_t fragmentation, u_int8_t dscp);
-
-+/**
-+ * Determine the address family of the local or remtoe address(es). If multiple
-+ * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are
-+ * not though).
-+ *
-+ * @param local TRUE to check local addresses, FALSE for remote
-+ * @return address family of address(es) if distinct
-+ */
-+int ike_cfg_get_family(ike_cfg_t *this, bool local);
-+
-+
- #endif /** IKE_CFG_H_ @}*/
---
-2.4.6
-
diff --git a/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch
deleted file mode 100644
index 7114d6247a..0000000000
--- a/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From a11048adee0aeab8af10259f406363d7cc6beccc Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 11 Jun 2015 15:10:29 +0200
-Subject: [PATCH] ike: Use address family of local address when resolving
- remote host
-
-If static local addresses are configured we should use their address family
-as a hint when resolving the remote address.
-We don't do this if %any is configured as this might break existing
-configurations (%any4 and %any6 are however used as hint).
----
- src/libcharon/sa/ike_sa.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
-index 3aafa4c..0c13c58 100644
---- a/src/libcharon/sa/ike_sa.c
-+++ b/src/libcharon/sa/ike_sa.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2006-2014 Tobias Brunner
-+ * Copyright (C) 2006-2015 Tobias Brunner
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2009 Martin Willi
- * Copyright (C) 2005 Jan Hutter
-@@ -1200,6 +1200,19 @@ static void resolve_hosts(private_ike_sa_t *this)
- break;
- }
-
-+ /* if an IP address is set locally, use the same family to resolve remote */
-+ if (family == AF_UNSPEC && !this->remote_host)
-+ {
-+ if (this->local_host)
-+ {
-+ family = this->local_host->get_family(this->local_host);
-+ }
-+ else
-+ {
-+ family = ike_cfg_get_family(this->ike_cfg, TRUE);
-+ }
-+ }
-+
- if (this->remote_host)
- {
- host = this->remote_host->clone(this->remote_host);
---
-2.4.6
-
diff --git a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
deleted file mode 100644
index 411bc58df9..0000000000
--- a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 6f7a3b33bc044e0c212be54be74b9497d513ca86 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Fri, 10 Jul 2015 10:23:02 +0200
-Subject: [PATCH] ike: Fall back to the current remote IP if it resolves to
- %any
-
-In some situations it might be valid for a host that configures
-right=%any to reestablish or reauthenticate an IKE_SA. Using %any would
-immediately abort the initiation causing the new SA to fail (which
-might already have the existing CHILD_SAs assigned).
-
-Fixes #1027.
----
- src/libcharon/sa/ike_sa.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
-index 0c13c58..752a756 100644
---- a/src/libcharon/sa/ike_sa.c
-+++ b/src/libcharon/sa/ike_sa.c
-@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this)
- }
- if (host)
- {
-- set_other_host(this, host);
-+ if (!host->is_anyaddr(host) ||
-+ this->other_host->is_anyaddr(this->other_host))
-+ { /* don't set to %any if we currently have an address, but the
-+ * address family might have changed */
-+ set_other_host(this, host);
-+ }
- }
-
- if (this->local_host)
---
-2.4.6
-
diff --git a/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
deleted file mode 100644
index f7517568c0..0000000000
--- a/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 773fcb1605d413997450b59d114a1c035910cc58 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 9 Jul 2015 14:34:19 +0200
-Subject: [PATCH] trap-manager: Properly check-in IKE_SA if initiating fails
-
-This basically reverts f4e822c1b422 ("trap-manager: don't check-in
-nonexisting IKE_SA if acquire fails"). As checkout_by_config() could
-return an already existing and established IKE_SA we have to properly
-destroy it, for instance, in case other threads are waiting to check
-it out. checkin_and_destroy() should handle the case of a new SA
-properly (it produces a log message on level 1, though).
----
- src/libcharon/sa/trap_manager.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index d6ff3c8..3a70bd1 100644
---- a/src/libcharon/sa/trap_manager.c
-+++ b/src/libcharon/sa/trap_manager.c
-@@ -377,8 +377,8 @@ METHOD(trap_manager_t, acquire, void,
- }
- else
- {
-- ike_sa->destroy(ike_sa);
-- charon->bus->set_sa(charon->bus, NULL);
-+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-+ ike_sa);
- }
- }
- peer->destroy(peer);
---
-2.4.6
-
diff --git a/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
deleted file mode 100644
index 1dea7b1391..0000000000
--- a/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
+++ /dev/null
@@ -1,260 +0,0 @@
-From a229bdce625338117966a53efd0475b2c7c84566 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 9 Jul 2015 12:00:56 +0200
-Subject: [PATCH] trap-manager: Changed how acquires we acted on are tracked
-
-This fixes potential race conditions in case complete() or flush() is
-executed before or concurrently with a thread that handles an acquire.
-It will also simplify tracking multiple acquires created for the same
-trap policy in the future.
-
-Also fixes the behavior in some error situations.
----
- src/libcharon/sa/trap_manager.c | 122 ++++++++++++++++++++++++++++------------
- 1 file changed, 86 insertions(+), 36 deletions(-)
-
-diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 3a70bd1..83b6d6a 100644
---- a/src/libcharon/sa/trap_manager.c
-+++ b/src/libcharon/sa/trap_manager.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2011-2013 Tobias Brunner
-+ * Copyright (C) 2011-2015 Tobias Brunner
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
-@@ -18,10 +18,10 @@
-
- #include <hydra.h>
- #include <daemon.h>
-+#include <threading/mutex.h>
- #include <threading/rwlock.h>
- #include <collections/linked_list.h>
-
--
- typedef struct private_trap_manager_t private_trap_manager_t;
- typedef struct trap_listener_t trap_listener_t;
-
-@@ -67,6 +67,16 @@ struct private_trap_manager_t {
- trap_listener_t listener;
-
- /**
-+ * list of acquires we currently handle
-+ */
-+ linked_list_t *acquires;
-+
-+ /**
-+ * mutex for list of acquires
-+ */
-+ mutex_t *mutex;
-+
-+ /**
- * Whether to ignore traffic selectors from acquires
- */
- bool ignore_acquire_ts;
-@@ -80,23 +90,45 @@ typedef struct {
- char *name;
- /** ref to peer_cfg to initiate */
- peer_cfg_t *peer_cfg;
-- /** ref to instanciated CHILD_SA */
-+ /** ref to instantiated CHILD_SA (i.e the trap policy) */
- child_sa_t *child_sa;
-- /** TRUE if an acquire is pending */
-- bool pending;
-+} entry_t;
-+
-+/**
-+ * A handled acquire
-+ */
-+typedef struct {
- /** pending IKE_SA connecting upon acquire */
- ike_sa_t *ike_sa;
--} entry_t;
-+ /** reqid of pending trap policy */
-+ u_int32_t reqid;
-+} acquire_t;
-
- /**
- * actually uninstall and destroy an installed entry
- */
--static void destroy_entry(entry_t *entry)
-+static void destroy_entry(entry_t *this)
-+{
-+ this->child_sa->destroy(this->child_sa);
-+ this->peer_cfg->destroy(this->peer_cfg);
-+ free(this->name);
-+ free(this);
-+}
-+
-+/**
-+ * destroy a cached acquire entry
-+ */
-+static void destroy_acquire(acquire_t *this)
- {
-- entry->child_sa->destroy(entry->child_sa);
-- entry->peer_cfg->destroy(entry->peer_cfg);
-- free(entry->name);
-- free(entry);
-+ free(this);
-+}
-+
-+/**
-+ * match an acquire entry by reqid
-+ */
-+static bool acquire_by_reqid(acquire_t *this, u_int32_t *reqid)
-+{
-+ return this->reqid == *reqid;
- }
-
- METHOD(trap_manager_t, install, u_int32_t,
-@@ -314,6 +346,7 @@ METHOD(trap_manager_t, acquire, void,
- {
- enumerator_t *enumerator;
- entry_t *entry, *found = NULL;
-+ acquire_t *acquire;
- peer_cfg_t *peer;
- child_cfg_t *child;
- ike_sa_t *ike_sa;
-@@ -337,16 +370,29 @@ METHOD(trap_manager_t, acquire, void,
- this->lock->unlock(this->lock);
- return;
- }
-- if (!cas_bool(&found->pending, FALSE, TRUE))
-+ reqid = found->child_sa->get_reqid(found->child_sa);
-+
-+ this->mutex->lock(this->mutex);
-+ if (this->acquires->find_first(this->acquires, (void*)acquire_by_reqid,
-+ (void**)&acquire, &reqid) == SUCCESS)
- {
- DBG1(DBG_CFG, "ignoring acquire, connection attempt pending");
-+ this->mutex->unlock(this->mutex);
- this->lock->unlock(this->lock);
- return;
- }
-+ else
-+ {
-+ INIT(acquire,
-+ .reqid = reqid,
-+ );
-+ this->acquires->insert_last(this->acquires, acquire);
-+ }
-+ this->mutex->unlock(this->mutex);
-+
- peer = found->peer_cfg->get_ref(found->peer_cfg);
- child = found->child_sa->get_config(found->child_sa);
- child = child->get_ref(child);
-- reqid = found->child_sa->get_reqid(found->child_sa);
- /* don't hold the lock while checking out the IKE_SA */
- this->lock->unlock(this->lock);
-
-@@ -363,16 +409,13 @@ METHOD(trap_manager_t, acquire, void,
- * have a single TS that we can establish in a Quick Mode. */
- src = dst = NULL;
- }
-+
-+ this->mutex->lock(this->mutex);
-+ acquire->ike_sa = ike_sa;
-+ this->mutex->unlock(this->mutex);
-+
- if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
- {
-- /* make sure the entry is still there */
-- this->lock->read_lock(this->lock);
-- if (this->traps->find_first(this->traps, NULL,
-- (void**)&found) == SUCCESS)
-- {
-- found->ike_sa = ike_sa;
-- }
-- this->lock->unlock(this->lock);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
- else
-@@ -381,6 +424,14 @@ METHOD(trap_manager_t, acquire, void,
- ike_sa);
- }
- }
-+ else
-+ {
-+ this->mutex->lock(this->mutex);
-+ this->acquires->remove(this->acquires, acquire, NULL);
-+ this->mutex->unlock(this->mutex);
-+ destroy_acquire(acquire);
-+ child->destroy(child);
-+ }
- peer->destroy(peer);
- }
-
-@@ -391,26 +442,25 @@ static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa,
- child_sa_t *child_sa)
- {
- enumerator_t *enumerator;
-- entry_t *entry;
-+ acquire_t *acquire;
-
-- this->lock->read_lock(this->lock);
-- enumerator = this->traps->create_enumerator(this->traps);
-- while (enumerator->enumerate(enumerator, &entry))
-+ this->mutex->lock(this->mutex);
-+ enumerator = this->acquires->create_enumerator(this->acquires);
-+ while (enumerator->enumerate(enumerator, &acquire))
- {
-- if (entry->ike_sa != ike_sa)
-+ if (!acquire->ike_sa || acquire->ike_sa != ike_sa)
- {
- continue;
- }
-- if (child_sa && child_sa->get_reqid(child_sa) !=
-- entry->child_sa->get_reqid(entry->child_sa))
-+ if (child_sa && child_sa->get_reqid(child_sa) != acquire->reqid)
- {
- continue;
- }
-- entry->ike_sa = NULL;
-- entry->pending = FALSE;
-+ this->acquires->remove_at(this->acquires, enumerator);
-+ destroy_acquire(acquire);
- }
- enumerator->destroy(enumerator);
-- this->lock->unlock(this->lock);
-+ this->mutex->unlock(this->mutex);
- }
-
- METHOD(listener_t, ike_state_change, bool,
-@@ -444,14 +494,10 @@ METHOD(listener_t, child_state_change, bool,
- METHOD(trap_manager_t, flush, void,
- private_trap_manager_t *this)
- {
-- linked_list_t *traps;
-- /* since destroying the CHILD_SA results in events which require a read
-- * lock we cannot destroy the list while holding the write lock */
- this->lock->write_lock(this->lock);
-- traps = this->traps;
-+ this->traps->destroy_function(this->traps, (void*)destroy_entry);
- this->traps = linked_list_create();
- this->lock->unlock(this->lock);
-- traps->destroy_function(traps, (void*)destroy_entry);
- }
-
- METHOD(trap_manager_t, destroy, void,
-@@ -459,6 +505,8 @@ METHOD(trap_manager_t, destroy, void,
- {
- charon->bus->remove_listener(charon->bus, &this->listener.listener);
- this->traps->destroy_function(this->traps, (void*)destroy_entry);
-+ this->acquires->destroy_function(this->acquires, (void*)destroy_acquire);
-+ this->mutex->destroy(this->mutex);
- this->lock->destroy(this->lock);
- free(this);
- }
-@@ -488,6 +536,8 @@ trap_manager_t *trap_manager_create(void)
- },
- },
- .traps = linked_list_create(),
-+ .acquires = linked_list_create(),
-+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
- .ignore_acquire_ts = lib->settings->get_bool(lib->settings,
- "%s.ignore_acquire_ts", FALSE, lib->ns),
---
-2.4.6
-
diff --git a/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
deleted file mode 100644
index 60a28724c8..0000000000
--- a/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 12b3cdba7689113558f58a5265827f3086852bae Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 13 Jul 2015 13:20:14 +0200
-Subject: [PATCH] trap-manager: Resolve race conditions between flush() and
- install()
-
-When flush() is called there might be threads in install() waiting for
-trap policies to get installed (without holding the lock). We have to
-wait until they updated the entries with the respective CHILD_SAs before
-destroying the list.
-
-We also have to prevent further trap policy installations (and wait until
-threads in install() are really finished), otherwise we might end up
-destroying CHILD_SA objects after the kernel interface implementations
-have already been unloaded (avoiding this is the whole point of calling
-flush() before unloading the plugins).
----
- src/libcharon/sa/trap_manager.c | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 83b6d6a..424d9e7 100644
---- a/src/libcharon/sa/trap_manager.c
-+++ b/src/libcharon/sa/trap_manager.c
-@@ -20,8 +20,11 @@
- #include <daemon.h>
- #include <threading/mutex.h>
- #include <threading/rwlock.h>
-+#include <threading/rwlock_condvar.h>
- #include <collections/linked_list.h>
-
-+#define INSTALL_DISABLED ((u_int)~0)
-+
- typedef struct private_trap_manager_t private_trap_manager_t;
- typedef struct trap_listener_t trap_listener_t;
-
-@@ -77,6 +80,16 @@ struct private_trap_manager_t {
- mutex_t *mutex;
-
- /**
-+ * number of threads currently installing trap policies, or INSTALL_DISABLED
-+ */
-+ u_int installing;
-+
-+ /**
-+ * condvar to signal trap policy installation
-+ */
-+ rwlock_condvar_t *condvar;
-+
-+ /**
- * Whether to ignore traffic selectors from acquires
- */
- bool ignore_acquire_ts;
-@@ -171,6 +184,11 @@ METHOD(trap_manager_t, install, u_int32_t,
- }
-
- this->lock->write_lock(this->lock);
-+ if (this->installing == INSTALL_DISABLED)
-+ { /* flush() has been called */
-+ this->lock->unlock(this->lock);
-+ return 0;
-+ }
- enumerator = this->traps->create_enumerator(this->traps);
- while (enumerator->enumerate(enumerator, &entry))
- {
-@@ -204,6 +222,7 @@ METHOD(trap_manager_t, install, u_int32_t,
- .peer_cfg = peer->get_ref(peer),
- );
- this->traps->insert_first(this->traps, entry);
-+ this->installing++;
- /* don't hold lock while creating CHILD_SA and installing policies */
- this->lock->unlock(this->lock);
-
-@@ -252,6 +271,11 @@ METHOD(trap_manager_t, install, u_int32_t,
- {
- destroy_entry(found);
- }
-+ this->lock->write_lock(this->lock);
-+ /* do this at the end, so entries created temporarily are also destroyed */
-+ this->installing--;
-+ this->condvar->signal(this->condvar);
-+ this->lock->unlock(this->lock);
- return reqid;
- }
-
-@@ -495,8 +519,13 @@ METHOD(trap_manager_t, flush, void,
- private_trap_manager_t *this)
- {
- this->lock->write_lock(this->lock);
-+ while (this->installing)
-+ {
-+ this->condvar->wait(this->condvar, this->lock);
-+ }
- this->traps->destroy_function(this->traps, (void*)destroy_entry);
- this->traps = linked_list_create();
-+ this->installing = INSTALL_DISABLED;
- this->lock->unlock(this->lock);
- }
-
-@@ -506,6 +535,7 @@ METHOD(trap_manager_t, destroy, void,
- charon->bus->remove_listener(charon->bus, &this->listener.listener);
- this->traps->destroy_function(this->traps, (void*)destroy_entry);
- this->acquires->destroy_function(this->acquires, (void*)destroy_acquire);
-+ this->condvar->destroy(this->condvar);
- this->mutex->destroy(this->mutex);
- this->lock->destroy(this->lock);
- free(this);
-@@ -539,6 +569,7 @@ trap_manager_t *trap_manager_create(void)
- .acquires = linked_list_create(),
- .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-+ .condvar = rwlock_condvar_create(),
- .ignore_acquire_ts = lib->settings->get_bool(lib->settings,
- "%s.ignore_acquire_ts", FALSE, lib->ns),
- );
---
-2.4.6
-
diff --git a/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
deleted file mode 100644
index 6fa2c339f2..0000000000
--- a/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From f3d39666e0d62fb9a790b72ee7ae2b9255b21cdd Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Jul 2015 16:35:21 +0200
-Subject: [PATCH] shunt-manager: Add a lock to safely access the list of shunt
- policies
-
----
- src/libcharon/sa/shunt_manager.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
-index 73e1abb..434bace 100644
---- a/src/libcharon/sa/shunt_manager.c
-+++ b/src/libcharon/sa/shunt_manager.c
-@@ -1,4 +1,5 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
- * Copyright (C) 2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
-@@ -20,7 +21,6 @@
- #include <threading/rwlock.h>
- #include <collections/linked_list.h>
-
--
- typedef struct private_shunt_manager_t private_shunt_manager_t;
-
- /**
-@@ -37,6 +37,11 @@ struct private_shunt_manager_t {
- * Installed shunts, as child_cfg_t
- */
- linked_list_t *shunts;
-+
-+ /**
-+ * Lock to safely access the list of shunts
-+ */
-+ rwlock_t *lock;
- };
-
- /**
-@@ -120,6 +125,7 @@ METHOD(shunt_manager_t, install, bool,
- bool found = FALSE;
-
- /* check if not already installed */
-+ this->lock->write_lock(this->lock);
- enumerator = this->shunts->create_enumerator(this->shunts);
- while (enumerator->enumerate(enumerator, &child_cfg))
- {
-@@ -130,14 +136,15 @@ METHOD(shunt_manager_t, install, bool,
- }
- }
- enumerator->destroy(enumerator);
--
- if (found)
- {
- DBG1(DBG_CFG, "shunt %N policy '%s' already installed",
- ipsec_mode_names, child->get_mode(child), child->get_name(child));
-+ this->lock->unlock(this->lock);
- return TRUE;
- }
- this->shunts->insert_last(this->shunts, child->get_ref(child));
-+ this->lock->unlock(this->lock);
-
- return install_shunt_policy(child);
- }
-@@ -215,6 +222,7 @@ METHOD(shunt_manager_t, uninstall, bool,
- enumerator_t *enumerator;
- child_cfg_t *child, *found = NULL;
-
-+ this->lock->write_lock(this->lock);
- enumerator = this->shunts->create_enumerator(this->shunts);
- while (enumerator->enumerate(enumerator, &child))
- {
-@@ -226,6 +234,7 @@ METHOD(shunt_manager_t, uninstall, bool,
- }
- }
- enumerator->destroy(enumerator);
-+ this->lock->unlock(this->lock);
-
- if (!found)
- {
-@@ -239,7 +248,10 @@ METHOD(shunt_manager_t, uninstall, bool,
- METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
- private_shunt_manager_t *this)
- {
-- return this->shunts->create_enumerator(this->shunts);
-+ this->lock->read_lock(this->lock);
-+ return enumerator_create_cleaner(
-+ this->shunts->create_enumerator(this->shunts),
-+ (void*)this->lock->unlock, this->lock);
- }
-
- METHOD(shunt_manager_t, destroy, void,
-@@ -253,6 +265,7 @@ METHOD(shunt_manager_t, destroy, void,
- child->destroy(child);
- }
- this->shunts->destroy(this->shunts);
-+ this->lock->destroy(this->lock);
- free(this);
- }
-
-@@ -271,6 +284,7 @@ shunt_manager_t *shunt_manager_create()
- .destroy = _destroy,
- },
- .shunts = linked_list_create(),
-+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
- );
-
- return &this->public;
---
-2.4.6
-
diff --git a/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch
deleted file mode 100644
index f8af98c62f..0000000000
--- a/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 616ff9a2369fd250a2b9e8d2a00f37e2e8d3a2f3 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Jul 2015 16:50:32 +0200
-Subject: [PATCH] shunt-manager: Remove stored entries if installation fails
-
----
- src/libcharon/sa/shunt_manager.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
-index 434bace..2e42e7e 100644
---- a/src/libcharon/sa/shunt_manager.c
-+++ b/src/libcharon/sa/shunt_manager.c
-@@ -122,7 +122,7 @@ METHOD(shunt_manager_t, install, bool,
- {
- enumerator_t *enumerator;
- child_cfg_t *child_cfg;
-- bool found = FALSE;
-+ bool found = FALSE, success;
-
- /* check if not already installed */
- this->lock->write_lock(this->lock);
-@@ -146,7 +146,16 @@ METHOD(shunt_manager_t, install, bool,
- this->shunts->insert_last(this->shunts, child->get_ref(child));
- this->lock->unlock(this->lock);
-
-- return install_shunt_policy(child);
-+ success = install_shunt_policy(child);
-+
-+ if (!success)
-+ {
-+ this->lock->write_lock(this->lock);
-+ this->shunts->remove(this->shunts, child, NULL);
-+ this->lock->unlock(this->lock);
-+ child->destroy(child);
-+ }
-+ return success;
- }
-
- /**
---
-2.4.6
-
diff --git a/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
deleted file mode 100644
index 3aa6b561bc..0000000000
--- a/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From bc36530670cbbe2362053f1604f67e481afd336c Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Jul 2015 16:55:36 +0200
-Subject: [PATCH] shunt-manager: Add flush() method to properly uninstall
- shunts
-
-This will allow us to uninstall shunts before unloading the
-kernel-interface plugins.
----
- src/libcharon/sa/shunt_manager.c | 44 ++++++++++++++++++++++++++++++++++++----
- src/libcharon/sa/shunt_manager.h | 6 ++++++
- 2 files changed, 46 insertions(+), 4 deletions(-)
-
-diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
-index 2e42e7e..1a98443 100644
---- a/src/libcharon/sa/shunt_manager.c
-+++ b/src/libcharon/sa/shunt_manager.c
-@@ -19,8 +19,11 @@
- #include <hydra.h>
- #include <daemon.h>
- #include <threading/rwlock.h>
-+#include <threading/rwlock_condvar.h>
- #include <collections/linked_list.h>
-
-+#define INSTALL_DISABLED ((u_int)~0)
-+
- typedef struct private_shunt_manager_t private_shunt_manager_t;
-
- /**
-@@ -42,6 +45,16 @@ struct private_shunt_manager_t {
- * Lock to safely access the list of shunts
- */
- rwlock_t *lock;
-+
-+ /**
-+ * Number of threads currently installing shunts, or INSTALL_DISABLED
-+ */
-+ u_int installing;
-+
-+ /**
-+ * Condvar to signal shunt installation
-+ */
-+ rwlock_condvar_t *condvar;
- };
-
- /**
-@@ -126,6 +139,11 @@ METHOD(shunt_manager_t, install, bool,
-
- /* check if not already installed */
- this->lock->write_lock(this->lock);
-+ if (this->installing == INSTALL_DISABLED)
-+ { /* flush() has been called */
-+ this->lock->unlock(this->lock);
-+ return FALSE;
-+ }
- enumerator = this->shunts->create_enumerator(this->shunts);
- while (enumerator->enumerate(enumerator, &child_cfg))
- {
-@@ -144,17 +162,20 @@ METHOD(shunt_manager_t, install, bool,
- return TRUE;
- }
- this->shunts->insert_last(this->shunts, child->get_ref(child));
-+ this->installing++;
- this->lock->unlock(this->lock);
-
- success = install_shunt_policy(child);
-
-+ this->lock->write_lock(this->lock);
- if (!success)
- {
-- this->lock->write_lock(this->lock);
- this->shunts->remove(this->shunts, child, NULL);
-- this->lock->unlock(this->lock);
- child->destroy(child);
- }
-+ this->installing--;
-+ this->condvar->signal(this->condvar);
-+ this->lock->unlock(this->lock);
- return success;
- }
-
-@@ -263,18 +284,31 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
- (void*)this->lock->unlock, this->lock);
- }
-
--METHOD(shunt_manager_t, destroy, void,
-+METHOD(shunt_manager_t, flush, void,
- private_shunt_manager_t *this)
- {
- child_cfg_t *child;
-
-+ this->lock->write_lock(this->lock);
-+ while (this->installing)
-+ {
-+ this->condvar->wait(this->condvar, this->lock);
-+ }
- while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS)
- {
- uninstall_shunt_policy(child);
- child->destroy(child);
- }
-- this->shunts->destroy(this->shunts);
-+ this->installing = INSTALL_DISABLED;
-+ this->lock->unlock(this->lock);
-+}
-+
-+METHOD(shunt_manager_t, destroy, void,
-+ private_shunt_manager_t *this)
-+{
-+ this->shunts->destroy_offset(this->shunts, offsetof(child_cfg_t, destroy));
- this->lock->destroy(this->lock);
-+ this->condvar->destroy(this->condvar);
- free(this);
- }
-
-@@ -290,10 +324,12 @@ shunt_manager_t *shunt_manager_create()
- .install = _install,
- .uninstall = _uninstall,
- .create_enumerator = _create_enumerator,
-+ .flush = _flush,
- .destroy = _destroy,
- },
- .shunts = linked_list_create(),
- .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-+ .condvar = rwlock_condvar_create(),
- );
-
- return &this->public;
-diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
-index 28a795d..c43f5db 100644
---- a/src/libcharon/sa/shunt_manager.h
-+++ b/src/libcharon/sa/shunt_manager.h
-@@ -1,4 +1,5 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
- * Copyright (C) 2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
-@@ -56,6 +57,11 @@ struct shunt_manager_t {
- enumerator_t* (*create_enumerator)(shunt_manager_t *this);
-
- /**
-+ * Clear any installed shunt.
-+ */
-+ void (*flush)(shunt_manager_t *this);
-+
-+ /**
- * Destroy a shunt_manager_t.
- */
- void (*destroy)(shunt_manager_t *this);
---
-2.4.6
-
diff --git a/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch
deleted file mode 100644
index 9d3be529b7..0000000000
--- a/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c04345d5edbbc4c37027cdfc21dba85d03e312af Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Jul 2015 16:56:33 +0200
-Subject: [PATCH] daemon: Flush shunts before unloading plugins
-
----
- src/libcharon/daemon.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
-index b1b8f57..316be76 100644
---- a/src/libcharon/daemon.c
-+++ b/src/libcharon/daemon.c
-@@ -462,6 +462,10 @@ static void destroy(private_daemon_t *this)
- {
- this->public.traps->flush(this->public.traps);
- }
-+ if (this->public.shunts)
-+ {
-+ this->public.shunts->flush(this->public.shunts);
-+ }
- if (this->public.sender)
- {
- this->public.sender->flush(this->public.sender);
---
-2.4.6
-
diff --git a/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
deleted file mode 100644
index 56038b46f1..0000000000
--- a/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 86d20b0b40066590f5e26d1f9aca21cc0cba97e1 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 15 Jun 2015 11:46:33 +0200
-Subject: [PATCH] ike-rekey: Reset IKE_SA on the bus after destroying new
- IKE_SA
-
-The destroy() method sets the IKE_SA on the bus to NULL, we reset it to
-the current IKE_SA so any events and log messages that follow happen in
-the correct context.
-
-A practical example where this is problematic is a DH group mismatch,
-which causes the first CREATE_CHILD_SA exchange to fail. Because the SA
-was not reset previously, the message() hook for the CREATE_CHILD_SA
-response, for instance, was triggered outside the context of an IKE_SA,
-that is, the ike_sa parameter was NULL, which is definitely not expected
-by several plugins.
-
-Fixes #862.
----
- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 31 +++++++++++++++----------------
- 1 file changed, 15 insertions(+), 16 deletions(-)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-index 1855517..1dfdc05 100644
---- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-@@ -116,7 +116,6 @@ static void establish_new(private_ike_rekey_t *this)
- lib->processor->queue_job(lib->processor, job);
- }
- this->new_sa = NULL;
-- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
- }
-@@ -335,15 +334,13 @@ METHOD(task_t, process_i, status_t,
- {
- charon->ike_sa_manager->checkin(
- charon->ike_sa_manager, this->new_sa);
-- /* set threads active IKE_SA after checkin */
-- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
-+ charon->bus->set_sa(charon->bus, this->ike_sa);
- this->new_sa = NULL;
- establish_new(other);
- return SUCCESS;
- }
- }
-- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
-
-@@ -372,9 +369,13 @@ METHOD(ike_rekey_t, collide, void,
- this->collision = other;
- }
-
--METHOD(task_t, migrate, void,
-- private_ike_rekey_t *this, ike_sa_t *ike_sa)
-+/**
-+ * Cleanup the task
-+ */
-+static void cleanup(private_ike_rekey_t *this)
- {
-+ ike_sa_t *cur_sa;
-+
- if (this->ike_init)
- {
- this->ike_init->task.destroy(&this->ike_init->task);
-@@ -383,9 +384,16 @@ METHOD(task_t, migrate, void,
- {
- this->ike_delete->task.destroy(&this->ike_delete->task);
- }
-+ cur_sa = charon->bus->get_sa(charon->bus);
- DESTROY_IF(this->new_sa);
-+ charon->bus->set_sa(charon->bus, cur_sa);
- DESTROY_IF(this->collision);
-+}
-
-+METHOD(task_t, migrate, void,
-+ private_ike_rekey_t *this, ike_sa_t *ike_sa)
-+{
-+ cleanup();
- this->collision = NULL;
- this->ike_sa = ike_sa;
- this->new_sa = NULL;
-@@ -396,16 +404,7 @@ METHOD(task_t, migrate, void,
- METHOD(task_t, destroy, void,
- private_ike_rekey_t *this)
- {
-- if (this->ike_init)
-- {
-- this->ike_init->task.destroy(&this->ike_init->task);
-- }
-- if (this->ike_delete)
-- {
-- this->ike_delete->task.destroy(&this->ike_delete->task);
-- }
-- DESTROY_IF(this->new_sa);
-- DESTROY_IF(this->collision);
-+ cleanup();
- free(this);
- }
-
---
-2.4.6
-
diff --git a/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
deleted file mode 100644
index 9aa06d9256..0000000000
--- a/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2efcc9586714fd3ae26fe6ff57ea1b9ee09a58ea Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 15 Jun 2015 11:52:16 +0200
-Subject: [PATCH] ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA
- response
-
-Even when there is no error the CREATE_CHILD_SA response should be sent
-in the context of the existing IKE_SA.
----
- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-index 1dfdc05..4133c93 100644
---- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-@@ -228,9 +228,10 @@ METHOD(task_t, build_r, status_t,
-
- if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
- {
-+ charon->bus->set_sa(charon->bus, this->ike_sa);
- return SUCCESS;
- }
--
-+ charon->bus->set_sa(charon->bus, this->ike_sa);
- this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
-
- /* rekeying successful, delete the IKE_SA using a subtask */
---
-2.4.6
-
diff --git a/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
deleted file mode 100644
index e17cf30cd9..0000000000
--- a/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 81f1aa8dc375a84d9f0dc3e4027f2aebf6d03b18 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 27 Jul 2015 15:20:01 +0200
-Subject: [PATCH] ike-rekey: Fix cleanup() call
-
----
- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-index 4133c93..eaba04e 100644
---- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-@@ -394,7 +394,7 @@ static void cleanup(private_ike_rekey_t *this)
- METHOD(task_t, migrate, void,
- private_ike_rekey_t *this, ike_sa_t *ike_sa)
- {
-- cleanup();
-+ cleanup(this);
- this->collision = NULL;
- this->ike_sa = ike_sa;
- this->new_sa = NULL;
-@@ -405,7 +405,7 @@ METHOD(task_t, migrate, void,
- METHOD(task_t, destroy, void,
- private_ike_rekey_t *this)
- {
-- cleanup();
-+ cleanup(this);
- free(this);
- }
-
---
-2.4.6
-
diff --git a/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
deleted file mode 100644
index 3b773d02aa..0000000000
--- a/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From faebdeac8eafad7b5c2109d5a9ce0af41dbf315c Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 27 Jul 2015 19:37:41 +0200
-Subject: [PATCH] ike: Fix memory leak if remote address is kept
-
----
- src/libcharon/sa/ike_sa.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
-index 752a756..6ffbd55 100644
---- a/src/libcharon/sa/ike_sa.c
-+++ b/src/libcharon/sa/ike_sa.c
-@@ -1230,6 +1230,10 @@ static void resolve_hosts(private_ike_sa_t *this)
- * address family might have changed */
- set_other_host(this, host);
- }
-+ else
-+ {
-+ host->destroy(host);
-+ }
- }
-
- if (this->local_host)
---
-2.4.6
-
diff --git a/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch b/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch
deleted file mode 100644
index 63f120d284..0000000000
--- a/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 1ce32c9cdcb1cfacd4c8389402a24c4ed7cf0109 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Fri, 31 Jul 2015 11:20:24 +0200
-Subject: [PATCH] kernel-netlink: Unlock mutex in del_policy() if mark can't be
- added to message
-
----
- src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index a6cf977..e0f1dd7 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -2562,6 +2562,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
-
- if (!add_mark(hdr, sizeof(request), mark))
- {
-+ this->mutex->unlock(this->mutex);
- return FAILED;
- }
-
diff --git a/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
deleted file mode 100644
index 945f1da2b0..0000000000
--- a/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From e0e3b6d92b37ba6633a9cd7f0ed2bd3ce56fdcc0 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 16 Jul 2015 11:43:44 +0200
-Subject: [PATCH] kernel-netlink: Actually verify if the netlink message
- exceeds the buffer size
-
-It might equal it and that's fine. With MSG_TRUNC we get the actual
-message size and can only report an error if we haven't received the
-complete message.
----
- src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-index b0e3103..809d0f4 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-@@ -185,8 +185,8 @@ static ssize_t read_msg(private_netlink_socket_t *this,
- return -1;
- }
- }
-- len = recv(this->socket, buf, buflen, block ? 0 : MSG_DONTWAIT);
-- if (len == buflen)
-+ len = recv(this->socket, buf, buflen, (block ? 0 : MSG_DONTWAIT)|MSG_TRUNC);
-+ if (len > buflen)
- {
- DBG1(DBG_KNL, "netlink response exceeds buffer size");
- return 0;
---
-2.4.6
-
diff --git a/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
deleted file mode 100644
index 410e15b0c4..0000000000
--- a/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 7e40d9705de5e94ff64684573c573deb97950b5e Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 16 Jul 2015 11:50:22 +0200
-Subject: [PATCH] kernel-netlink: Use the PAGE_SIZE as default for the netlink
- receive buffer
-
-The kernel uses NLMSG_GOODSIZE as default buffer size, which defaults to
-the PAGE_SIZE if it is lower than 8192 or to that value otherwise.
-
-In some cases (e.g. for dump messages) the kernel might use up to 16k
-for messages, which might require increasing this value.
----
- conf/plugins/kernel-netlink.opt | 2 +-
- src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c | 12 +++++++++++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
-index 4338a5f..6adefd8 100644
---- a/conf/plugins/kernel-netlink.opt
-+++ b/conf/plugins/kernel-netlink.opt
-@@ -1,4 +1,4 @@
--charon.plugins.kernel-netlink.buflen = 4096
-+charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
- Buffer size for received Netlink messages.
-
- charon.plugins.kernel-netlink.fwmark =
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-index 809d0f4..ddb2254 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-@@ -571,7 +571,7 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
- .protocol = protocol,
- .names = names,
- .buflen = lib->settings->get_int(lib->settings,
-- "%s.plugins.kernel-netlink.buflen", 4096, lib->ns),
-+ "%s.plugins.kernel-netlink.buflen", 0, lib->ns),
- .timeout = lib->settings->get_int(lib->settings,
- "%s.plugins.kernel-netlink.timeout", 0, lib->ns),
- .retries = lib->settings->get_int(lib->settings,
-@@ -582,6 +582,16 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
- .parallel = parallel,
- );
-
-+ if (!this->buflen)
-+ {
-+ long pagesize = sysconf(_SC_PAGESIZE);
-+ if (pagesize == -1)
-+ {
-+ pagesize = 4096;
-+ }
-+ /* base this on NLMSG_GOODSIZE */
-+ this->buflen = min(pagesize, 8192);
-+ }
- if (this->socket == -1)
- {
- DBG1(DBG_KNL, "unable to create netlink socket");
---
-2.4.6
-
diff --git a/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch b/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
deleted file mode 100644
index 134ce64060..0000000000
--- a/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From cd83d5c5e51db6c903496369f6edc74901703eb7 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Wed, 3 Jun 2015 17:31:30 +0200
-Subject: [PATCH] kernel-netlink: When adding a policy do an update if it
- already exists
-
-This may be the case when SAs are reestablished after a crash of the
-IKE daemon.
----
- src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index f22e07d..e41c10a 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -2057,6 +2057,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
- ipsec_sa_t *ipsec = mapping->sa;
- struct xfrm_userpolicy_info *policy_info;
- struct nlmsghdr *hdr;
-+ status_t status;
- int i;
-
- /* clone the policy so we are able to check it out again later */
-@@ -2151,7 +2152,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
- }
- this->mutex->unlock(this->mutex);
-
-- if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
-+ if (status == ALREADY_DONE && !update)
-+ {
-+ DBG1(DBG_KNL, "policy already exists, try to update it");
-+ hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
-+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
-+ }
-+ if (status != SUCCESS)
- {
- return FAILED;
- }
diff --git a/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
deleted file mode 100644
index e7897c17c6..0000000000
--- a/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 36d77e36bb1556bebe0f98c06a757b123caef940 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Fri, 17 Jul 2015 11:48:53 +0200
-Subject: [PATCH] ike: Also track initiating IKE_SAs as half-open
-
----
- src/libcharon/sa/ike_sa_manager.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 987260d..51b7f2c 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void,
- put_half_open(this, entry);
- }
- else if (!entry->half_open &&
-- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
- ike_sa->get_state(ike_sa) == IKE_CONNECTING)
- {
- /* this is a new half-open SA */
---
-2.4.6
-
diff --git a/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
deleted file mode 100644
index fbc54c11c4..0000000000
--- a/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+++ /dev/null
@@ -1,317 +0,0 @@
-From 0d6412ab81fbf0376cc99e9419de417e58dc0e72 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 16 Jul 2015 17:21:54 +0200
-Subject: [PATCH] controller: Optionally adhere to init limits also when
- initiating IKE_SAs
-
----
- src/charon-cmd/cmd/cmd_connection.c | 2 +-
- src/conftest/actions.c | 2 +-
- src/libcharon/control/controller.c | 54 ++++++++++++++++++++--
- src/libcharon/control/controller.h | 5 +-
- .../plugins/load_tester/load_tester_control.c | 2 +-
- .../plugins/load_tester/load_tester_plugin.c | 2 +-
- src/libcharon/plugins/medcli/medcli_config.c | 2 +-
- src/libcharon/plugins/smp/smp.c | 2 +-
- src/libcharon/plugins/stroke/stroke_control.c | 4 +-
- src/libcharon/plugins/uci/uci_control.c | 2 +-
- src/libcharon/plugins/vici/vici_config.c | 2 +-
- src/libcharon/plugins/vici/vici_control.c | 4 +-
- .../processing/jobs/initiate_mediation_job.c | 4 +-
- src/libcharon/processing/jobs/start_action_job.c | 2 +-
- 15 files changed, 71 insertions(+), 20 deletions(-)
-
-diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 2c0b7b9..0c6a504 100644
---- a/src/charon-cmd/cmd/cmd_connection.c
-+++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -434,7 +434,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
- child_cfg = create_child_cfg(this, peer_cfg);
-
- if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-- controller_cb_empty, NULL, 0) != SUCCESS)
-+ controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
- {
- terminate(pid);
- }
-diff --git a/src/conftest/actions.c b/src/conftest/actions.c
-index 474672c..256b63d 100644
---- a/src/conftest/actions.c
-+++ b/src/conftest/actions.c
-@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config)
- {
- DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
- charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-- NULL, NULL, 0);
-+ NULL, NULL, 0, FALSE);
- }
- else
- {
-diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index fd8349e..097f5ac 100644
---- a/src/libcharon/control/controller.c
-+++ b/src/libcharon/control/controller.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2011-2012 Tobias Brunner
-+ * Copyright (C) 2011-2015 Tobias Brunner
- * Copyright (C) 2007-2011 Martin Willi
- * Copyright (C) 2011 revosec AG
- * Hochschule fuer Technik Rapperswil
-@@ -116,6 +116,11 @@ struct interface_listener_t {
- * spinlock to update the IKE_SA handle properly
- */
- spinlock_t *lock;
-+
-+ /**
-+ * whether to check limits
-+ */
-+ bool limits;
- };
-
-
-@@ -358,7 +363,6 @@ METHOD(job_t, initiate_execute, job_requeue_t,
- listener->child_cfg->destroy(listener->child_cfg);
- peer_cfg->destroy(peer_cfg);
- listener->status = FAILED;
-- /* release listener */
- listener_done(listener);
- return JOB_REQUEUE_NONE;
- }
-@@ -372,6 +376,49 @@ METHOD(job_t, initiate_execute, job_requeue_t,
- }
- peer_cfg->destroy(peer_cfg);
-
-+ if (listener->limits && ike_sa->get_state(ike_sa) == IKE_CREATED)
-+ { /* only check if we are not reusing an IKE_SA */
-+ u_int half_open, limit_half_open, limit_job_load;
-+
-+ half_open = charon->ike_sa_manager->get_half_open_count(
-+ charon->ike_sa_manager, NULL);
-+ limit_half_open = lib->settings->get_int(lib->settings,
-+ "%s.init_limit_half_open", 0, lib->ns);
-+ limit_job_load = lib->settings->get_int(lib->settings,
-+ "%s.init_limit_job_load", 0, lib->ns);
-+ if (limit_half_open && half_open >= limit_half_open)
-+ {
-+ DBG1(DBG_IKE, "abort IKE_SA initiation, half open IKE_SA count of "
-+ "%d exceeds limit of %d", half_open, limit_half_open);
-+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
-+ ike_sa);
-+ listener->child_cfg->destroy(listener->child_cfg);
-+ listener->status = INVALID_STATE;
-+ listener_done(listener);
-+ return JOB_REQUEUE_NONE;
-+ }
-+ if (limit_job_load)
-+ {
-+ u_int jobs = 0, i;
-+
-+ for (i = 0; i < JOB_PRIO_MAX; i++)
-+ {
-+ jobs += lib->processor->get_job_load(lib->processor, i);
-+ }
-+ if (jobs > limit_job_load)
-+ {
-+ DBG1(DBG_IKE, "abort IKE_SA initiation, job load of %d exceeds "
-+ "limit of %d", jobs, limit_job_load);
-+ charon->ike_sa_manager->checkin_and_destroy(
-+ charon->ike_sa_manager, ike_sa);
-+ listener->child_cfg->destroy(listener->child_cfg);
-+ listener->status = INVALID_STATE;
-+ listener_done(listener);
-+ return JOB_REQUEUE_NONE;
-+ }
-+ }
-+ }
-+
- if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
- {
- if (!listener->logger.callback)
-@@ -391,7 +438,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
-
- METHOD(controller_t, initiate, status_t,
- private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-- controller_cb_t callback, void *param, u_int timeout)
-+ controller_cb_t callback, void *param, u_int timeout, bool limits)
- {
- interface_job_t *job;
- status_t status;
-@@ -414,6 +461,7 @@ METHOD(controller_t, initiate, status_t,
- .child_cfg = child_cfg,
- .peer_cfg = peer_cfg,
- .lock = spinlock_create(),
-+ .limits = limits,
- },
- .public = {
- .execute = _initiate_execute,
-diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index 02f4ebb..5ffeac5 100644
---- a/src/libcharon/control/controller.h
-+++ b/src/libcharon/control/controller.h
-@@ -82,15 +82,18 @@ struct controller_t {
- * @param cb logging callback
- * @param param parameter to include in each call of cb
- * @param timeout timeout in ms to wait for callbacks, 0 to disable
-+ * @param limits whether to check limits regarding IKE_SA initiation
- * @return
- * - SUCCESS, if CHILD_SA established
- * - FAILED, if setup failed
- * - NEED_MORE, if callback returned FALSE
- * - OUT_OF_RES if timed out
-+ * - INVALID_STATE if limits prevented initiation
- */
- status_t (*initiate)(controller_t *this,
- peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-- controller_cb_t callback, void *param, u_int timeout);
-+ controller_cb_t callback, void *param, u_int timeout,
-+ bool limits);
-
- /**
- * Terminate an IKE_SA and all of its CHILD_SAs.
-diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
-index 5f089f5..24076d4 100644
---- a/src/libcharon/plugins/load_tester/load_tester_control.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
-@@ -239,7 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
-
- switch (charon->controller->initiate(charon->controller,
- peer_cfg, child_cfg->get_ref(child_cfg),
-- (void*)initiate_cb, listener, 0))
-+ (void*)initiate_cb, listener, 0, FALSE))
- {
- case NEED_MORE:
- /* Callback returns FALSE once it got track of this IKE_SA.
-diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-index e684f22..c7380b9 100644
---- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-@@ -152,7 +152,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
-
- charon->controller->initiate(charon->controller,
- peer_cfg, child_cfg->get_ref(child_cfg),
-- NULL, NULL, 0);
-+ NULL, NULL, 0, FALSE);
- if (s)
- {
- sleep(s);
-diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
-index 1fb57b9..25b1383 100644
---- a/src/libcharon/plugins/medcli/medcli_config.c
-+++ b/src/libcharon/plugins/medcli/medcli_config.c
-@@ -314,7 +314,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
- peer_cfg->get_ref(peer_cfg);
- enumerator->destroy(enumerator);
- charon->controller->initiate(charon->controller,
-- peer_cfg, child_cfg, NULL, NULL, 0);
-+ peer_cfg, child_cfg, NULL, NULL, 0, FALSE);
- }
- else
- {
-diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
-index 04bf382..2aa061f 100644
---- a/src/libcharon/plugins/smp/smp.c
-+++ b/src/libcharon/plugins/smp/smp.c
-@@ -488,7 +488,7 @@ static void request_control_initiate(xmlTextReaderPtr reader,
- {
- status = charon->controller->initiate(charon->controller,
- peer, child, (controller_cb_t)xml_callback,
-- writer, 0);
-+ writer, 0, FALSE);
- }
- else
- {
-diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
-index 0084fbf..0125d17 100644
---- a/src/libcharon/plugins/stroke/stroke_control.c
-+++ b/src/libcharon/plugins/stroke/stroke_control.c
-@@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
- if (msg->output_verbosity < 0)
- {
- charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-- NULL, NULL, 0);
-+ NULL, NULL, 0, FALSE);
- }
- else
- {
-@@ -118,7 +118,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
-
- status = charon->controller->initiate(charon->controller,
- peer_cfg, child_cfg, (controller_cb_t)stroke_log,
-- &info, this->timeout);
-+ &info, this->timeout, FALSE);
- switch (status)
- {
- case SUCCESS:
-diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
-index cebc389..a7d26e6 100644
---- a/src/libcharon/plugins/uci/uci_control.c
-+++ b/src/libcharon/plugins/uci/uci_control.c
-@@ -147,7 +147,7 @@ static void initiate(private_uci_control_t *this, char *name)
- if (enumerator->enumerate(enumerator, &child_cfg) &&
- charon->controller->initiate(charon->controller, peer_cfg,
- child_cfg->get_ref(child_cfg),
-- controller_cb_empty, NULL, 0) == SUCCESS)
-+ controller_cb_empty, NULL, 0, FALSE) == SUCCESS)
- {
- write_fifo(this, "connection '%s' established\n", name);
- }
-diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index d232599..dfea2ab 100644
---- a/src/libcharon/plugins/vici/vici_config.c
-+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -1558,7 +1558,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
- DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
- charon->controller->initiate(charon->controller,
- peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
-- NULL, NULL, 0);
-+ NULL, NULL, 0, FALSE);
- break;
- case ACTION_ROUTE:
- DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 01d5036..e568239 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -184,8 +184,8 @@ CALLBACK(initiate, vici_message_t*,
- {
- return send_reply(this, "CHILD_SA config '%s' not found", child);
- }
-- switch (charon->controller->initiate(charon->controller,
-- peer_cfg, child_cfg, (controller_cb_t)log_vici, &log, timeout))
-+ switch (charon->controller->initiate(charon->controller, peer_cfg,
-+ child_cfg, (controller_cb_t)log_vici, &log, timeout, FALSE))
- {
- case SUCCESS:
- return send_reply(this, NULL);
-diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
-index 17ab830..5b5fb9d 100644
---- a/src/libcharon/processing/jobs/initiate_mediation_job.c
-+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
-@@ -119,8 +119,8 @@ METHOD(job_t, initiate, job_requeue_t,
- /* we need an additional reference because initiate consumes one */
- mediation_cfg->get_ref(mediation_cfg);
-
-- if (charon->controller->initiate(charon->controller, mediation_cfg,
-- NULL, (controller_cb_t)initiate_callback, this, 0) != SUCCESS)
-+ if (charon->controller->initiate(charon->controller, mediation_cfg, NULL,
-+ (controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS)
- {
- mediation_cfg->destroy(mediation_cfg);
- mediated_cfg->destroy(mediated_cfg);
-diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
-index 981473b..5e88ac2 100644
---- a/src/libcharon/processing/jobs/start_action_job.c
-+++ b/src/libcharon/processing/jobs/start_action_job.c
-@@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t,
- charon->controller->initiate(charon->controller,
- peer_cfg->get_ref(peer_cfg),
- child_cfg->get_ref(child_cfg),
-- NULL, NULL, 0);
-+ NULL, NULL, 0, FALSE);
- break;
- case ACTION_ROUTE:
- DBG1(DBG_JOB, "start action: route '%s'", name);
---
-2.4.6
-
diff --git a/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
deleted file mode 100644
index d6cc090718..0000000000
--- a/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From f3b6de5afdc48550680c12359154eb18a5812ecb Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 16 Jul 2015 17:51:40 +0200
-Subject: [PATCH] vici: Add get_bool() convenience getter for VICI messages
-
----
- src/libcharon/plugins/vici/suites/test_message.c | 31 ++++++++++++++++++
- src/libcharon/plugins/vici/vici_message.c | 40 ++++++++++++++++++++++++
- src/libcharon/plugins/vici/vici_message.h | 23 ++++++++++++++
- 3 files changed, 94 insertions(+)
-
-diff --git a/src/libcharon/plugins/vici/suites/test_message.c b/src/libcharon/plugins/vici/suites/test_message.c
-index e76d273..045e34f 100644
---- a/src/libcharon/plugins/vici/suites/test_message.c
-+++ b/src/libcharon/plugins/vici/suites/test_message.c
-@@ -1,4 +1,7 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
-+ * Hochschule fuer Technik Rapperswil
-+ *
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
- *
-@@ -355,6 +358,33 @@ START_TEST(test_get_int)
- }
- END_TEST
-
-+START_TEST(test_get_bool)
-+{
-+ vici_message_t *m;
-+
-+ m = build_getter_msg();
-+
-+ ck_assert(m->get_bool(m, TRUE, "key1"));
-+ ck_assert(m->get_bool(m, FALSE, "key1"));
-+
-+ ck_assert(m->get_bool(m, TRUE, "section1.key2"));
-+ ck_assert(m->get_bool(m, TRUE, "section1.section2.key3"));
-+ ck_assert(m->get_bool(m, TRUE, "section1.key4"));
-+ ck_assert(m->get_bool(m, TRUE, "key5"));
-+ ck_assert(m->get_bool(m, TRUE, "nonexistent"));
-+ ck_assert(m->get_bool(m, TRUE, "n.o.n.e.x.i.s.t.e.n.t"));
-+
-+ ck_assert(!m->get_bool(m, FALSE, "section1.key2"));
-+ ck_assert(!m->get_bool(m, FALSE, "section1.section2.key3"));
-+ ck_assert(!m->get_bool(m, FALSE, "section1.key4"));
-+ ck_assert(!m->get_bool(m, FALSE, "key5"));
-+ ck_assert(!m->get_bool(m, FALSE, "nonexistent"));
-+ ck_assert(!m->get_bool(m, FALSE, "n.o.n.e.x.i.s.t.e.n.t"));
-+
-+ m->destroy(m);
-+}
-+END_TEST
-+
- START_TEST(test_get_value)
- {
- vici_message_t *m;
-@@ -400,6 +430,7 @@ Suite *message_suite_create()
- tc = tcase_create("convenience getters");
- tcase_add_test(tc, test_get_str);
- tcase_add_test(tc, test_get_int);
-+ tcase_add_test(tc, test_get_bool);
- tcase_add_test(tc, test_get_value);
- suite_add_tcase(s, tc);
-
-diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c
-index e79fbc8..fb6e8a1 100644
---- a/src/libcharon/plugins/vici/vici_message.c
-+++ b/src/libcharon/plugins/vici/vici_message.c
-@@ -1,4 +1,7 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
-+ * Hochschule fuer Technik Rapperswil
-+ *
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
- *
-@@ -385,6 +388,41 @@ METHOD(vici_message_t, get_int, int,
- return val;
- }
-
-+METHOD(vici_message_t, vget_bool, bool,
-+ private_vici_message_t *this, bool def, char *fmt, va_list args)
-+{
-+ chunk_t value;
-+ bool found;
-+ char buf[16];
-+
-+ found = find_value(this, &value, fmt, args);
-+ if (found)
-+ {
-+ if (value.len == 0)
-+ {
-+ return def;
-+ }
-+ if (chunk_printable(value, NULL, 0))
-+ {
-+ snprintf(buf, sizeof(buf), "%.*s", (int)value.len, value.ptr);
-+ return settings_value_as_bool(buf, def);
-+ }
-+ }
-+ return def;
-+}
-+
-+METHOD(vici_message_t, get_bool, bool,
-+ private_vici_message_t *this, bool def, char *fmt, ...)
-+{
-+ va_list args;
-+ bool val;
-+
-+ va_start(args, fmt);
-+ val = vget_bool(this, def, fmt, args);
-+ va_end(args);
-+ return val;
-+}
-+
- METHOD(vici_message_t, vget_value, chunk_t,
- private_vici_message_t *this, chunk_t def, char *fmt, va_list args)
- {
-@@ -633,6 +671,8 @@ vici_message_t *vici_message_create_from_data(chunk_t data, bool cleanup)
- .vget_str = _vget_str,
- .get_int = _get_int,
- .vget_int = _vget_int,
-+ .get_bool = _get_bool,
-+ .vget_bool = _vget_bool,
- .get_value = _get_value,
- .vget_value = _vget_value,
- .get_encoding = _get_encoding,
-diff --git a/src/libcharon/plugins/vici/vici_message.h b/src/libcharon/plugins/vici/vici_message.h
-index 1a89cf8..7f357b8 100644
---- a/src/libcharon/plugins/vici/vici_message.h
-+++ b/src/libcharon/plugins/vici/vici_message.h
-@@ -1,4 +1,7 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
-+ * Hochschule fuer Technik Rapperswil
-+ *
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
- *
-@@ -138,6 +141,26 @@ struct vici_message_t {
- int (*vget_int)(vici_message_t *this, int def, char *fmt, va_list args);
-
- /**
-+ * Get the value of a key/value pair as boolean.
-+ *
-+ * @param def default value if not found
-+ * @param fmt printf style format string for key, with sections
-+ * @param ... arguments to fmt string
-+ * @return value
-+ */
-+ bool (*get_bool)(vici_message_t *this, bool def, char *fmt, ...);
-+
-+ /**
-+ * Get the value of a key/value pair as boolean, va_list variant
-+ *
-+ * @param def default value if not found
-+ * @param fmt printf style format string for key, with sections
-+ * @param args arguments to fmt string
-+ * @return value
-+ */
-+ bool (*vget_bool)(vici_message_t *this, bool def, char *fmt, va_list args);
-+
-+ /**
- * Get the raw value of a key/value pair.
- *
- * @param def default value if not found
---
-2.4.6
-
diff --git a/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch
deleted file mode 100644
index f904af30be..0000000000
--- a/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 2d4671feca3d2d17bfa2d846cc170478f18a8fcc Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Thu, 16 Jul 2015 17:56:16 +0200
-Subject: [PATCH] vici: Optionally check limits when initiating connections
-
-If the init-limits parameter is set (disabled by default) init limits
-will be checked and might prevent new SAs from getting initiated.
----
- src/libcharon/plugins/vici/README.md | 1 +
- src/libcharon/plugins/vici/vici_control.c | 7 ++++++-
- 2 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
-index 0ce4271..71356fb 100644
---- a/src/libcharon/plugins/vici/README.md
-+++ b/src/libcharon/plugins/vici/README.md
-@@ -259,6 +259,7 @@ Initiates an SA while streaming _control-log_ events.
- {
- child = <CHILD_SA configuration name to initiate>
- timeout = <timeout in seconds before returning>
-+ init-limits = <whether limits may prevent initiating the CHILD_SA>
- loglevel = <loglevel to issue "control-log" events for>
- } => {
- success = <yes or no>
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index e568239..88574f8 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -163,6 +163,7 @@ CALLBACK(initiate, vici_message_t*,
- peer_cfg_t *peer_cfg;
- char *child;
- u_int timeout;
-+ bool limits;
- log_info_t log = {
- .dispatcher = this->dispatcher,
- .id = id,
-@@ -170,6 +171,7 @@ CALLBACK(initiate, vici_message_t*,
-
- child = request->get_str(request, NULL, "child");
- timeout = request->get_int(request, 0, "timeout");
-+ limits = request->get_bool(request, FALSE, "init-limits");
- log.level = request->get_int(request, 1, "loglevel");
-
- if (!child)
-@@ -185,13 +187,16 @@ CALLBACK(initiate, vici_message_t*,
- return send_reply(this, "CHILD_SA config '%s' not found", child);
- }
- switch (charon->controller->initiate(charon->controller, peer_cfg,
-- child_cfg, (controller_cb_t)log_vici, &log, timeout, FALSE))
-+ child_cfg, (controller_cb_t)log_vici, &log, timeout, limits))
- {
- case SUCCESS:
- return send_reply(this, NULL);
- case OUT_OF_RES:
- return send_reply(this, "CHILD_SA '%s' not established after %dms",
- child, timeout);
-+ case INVALID_STATE:
-+ return send_reply(this, "establishing CHILD_SA '%s' not possible "
-+ "at the moment due to limits", child);
- case FAILED:
- default:
- return send_reply(this, "establishing CHILD_SA '%s' failed", child);
---
-2.4.6
-
diff --git a/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
deleted file mode 100644
index 4a837486e7..0000000000
--- a/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 470b58d897338c89c83f416808cf1ccac38fe028 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Fri, 17 Jul 2015 14:08:09 +0200
-Subject: [PATCH] ikev1: Assign different job priorities for inbound IKEv1
- messages
-
----
- src/libcharon/processing/jobs/process_message_job.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
-index a6795e7..31f048d 100644
---- a/src/libcharon/processing/jobs/process_message_job.c
-+++ b/src/libcharon/processing/jobs/process_message_job.c
-@@ -91,16 +91,26 @@ METHOD(job_t, get_priority, job_priority_t,
- {
- case IKE_AUTH:
- /* IKE auth is rather expensive and often blocking, low priority */
-+ case AGGRESSIVE:
-+ case ID_PROT:
-+ /* AM is basically IKE_SA_INIT/IKE_AUTH combined (without EAP/XAuth)
-+ * MM is similar, but stretched out more */
- return JOB_PRIO_LOW;
- case INFORMATIONAL:
-+ case INFORMATIONAL_V1:
- /* INFORMATIONALs are inexpensive, for DPD we should have low
- * reaction times */
- return JOB_PRIO_HIGH;
- case IKE_SA_INIT:
-- case CREATE_CHILD_SA:
-- default:
- /* IKE_SA_INIT is expensive, but we will drop them in the receiver
- * if we are overloaded */
-+ case CREATE_CHILD_SA:
-+ case QUICK_MODE:
-+ /* these may require DH, but if not they are relatively cheap */
-+ case TRANSACTION:
-+ /* these are mostly cheap, however, if XAuth via RADIUS is used
-+ * they may block */
-+ default:
- return JOB_PRIO_MEDIUM;
- }
- }
---
-2.4.6
-
diff --git a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch
deleted file mode 100644
index 630151b406..0000000000
--- a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 944e99d57243fb42ccb2be475c8386a0c4c116f4 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 27 Jul 2015 11:18:53 +0200
-Subject: [PATCH] printf-hook-builtin: Fix invalid memory access
-
-When precision is given for a string, we must not run unbounded
-strlen() as it will read beyond the given length. It might even cause
-a crash if the given pointer is near end of heap or mapping.
-
-Fixes numerous valgrind errors such as:
-
-==19215== Invalid read of size 1
-==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853)
-==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084)
-==19215== by 0x52CE464: dntoa (identification.c:337)
-==19215== by 0x52CE464: identification_printf_hook (identification.c:837)
-==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
-==19215== by 0x57040EB: vlog (bus.c:388)
-==19215== by 0x570427D: log_ (bus.c:430)
-==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
-==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
-==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
-==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
-==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
-==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
-==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
-==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
-==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
-==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
-==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd
-==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296)
-==19215== by 0x52CD198: chunk_printable (chunk.c:759)
-==19215== by 0x52CE442: dntoa (identification.c:334)
-==19215== by 0x52CE442: identification_printf_hook (identification.c:837)
-==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
-==19215== by 0x57040EB: vlog (bus.c:388)
-==19215== by 0x570427D: log_ (bus.c:430)
-==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
-==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
-==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
-==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
-==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
-==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
-==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
-==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
-==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
-==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
----
- src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
-index 466c673..af54940 100644
---- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
-+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
-@@ -843,7 +843,8 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap)
- /* String */
- sarg = va_arg(ap, const char *);
- sarg = sarg ? sarg : "(null)";
-- slen = strlen(sarg);
-+ slen = prec != -1 ? strnlen(sarg, prec)
-+ : strlen(sarg);
- goto is_string;
- }
- case 'm':
---
-2.4.6
-
diff --git a/main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch b/main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
deleted file mode 100644
index 7f6e176624..0000000000
--- a/main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 78bab0b68254accb48f08c5110a904a0dedabc60 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 28 Jul 2015 15:10:17 +0200
-Subject: [PATCH] child-create: Fix crash when retrying CHILD_SA rekeying due
- to a DH group mismatch
-
-If the responder declines our KE payload during a CHILD_SA rekeying migrate()
-is called to reuse the child-create task. But the child-rekey task then
-calls the same method again.
-
-Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()")
----
- src/libcharon/sa/ikev2/tasks/child_create.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
-index e0f930c..ee5086f 100644
---- a/src/libcharon/sa/ikev2/tasks/child_create.c
-+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
-@@ -1596,6 +1596,7 @@ METHOD(task_t, migrate, void,
- this->tsi = NULL;
- this->tsr = NULL;
- this->dh = NULL;
-+ this->nonceg = NULL;
- this->child_sa = NULL;
- this->mode = MODE_TUNNEL;
- this->ipcomp = IPCOMP_NONE;
---
-2.5.0
-
diff --git a/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch b/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch
deleted file mode 100644
index a1b696a50c..0000000000
--- a/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From ce1f82060c037eebf0da6de164215d9a06b92c5b Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Fri, 31 Jul 2015 16:51:35 +0200
-Subject: [PATCH] child-sa: Fix refcounting of allocated reqids
-
-During a rekeying we want to reuse the current reqid, but if the new SA
-does not allocate it via kernel-interface the state there will disappear
-when the old SA is destroyed after the rekeying. When the IKE_SA is
-later reauthenticated with make-before-break reatuhentication the new
-CHILD_SAs there will get new reqids as no existing state is found in the
-kernel-interface.
-
-Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")
----
- src/libcharon/sa/child_sa.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
-index 94cf07c..73f2ec9 100644
---- a/src/libcharon/sa/child_sa.c
-+++ b/src/libcharon/sa/child_sa.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2006-2011 Tobias Brunner
-+ * Copyright (C) 2006-2015 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
- * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005 Jan Hutter
-@@ -106,6 +106,11 @@ struct private_child_sa_t {
- */
- bool reqid_allocated;
-
-+ /**
-+ * Is the reqid statically configured
-+ */
-+ bool static_reqid;
-+
- /*
- * Unique CHILD_SA identifier
- */
-@@ -698,7 +703,7 @@ METHOD(child_sa_t, install, status_t,
- this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
- &esn, NULL);
-
-- if (!this->reqid_allocated && !this->reqid)
-+ if (!this->reqid_allocated && !this->static_reqid)
- {
- status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
- my_ts, other_ts, this->mark_in, this->mark_out,
-@@ -826,7 +831,7 @@ METHOD(child_sa_t, add_policies, status_t,
- traffic_selector_t *my_ts, *other_ts;
- status_t status = SUCCESS;
-
-- if (!this->reqid_allocated && !this->reqid)
-+ if (!this->reqid_allocated && !this->static_reqid)
- {
- /* trap policy, get or confirm reqid */
- status = hydra->kernel_interface->alloc_reqid(
-@@ -1305,6 +1310,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
- this->reqid = charon->traps->find_reqid(charon->traps, config);
- }
- }
-+ else
-+ {
-+ this->static_reqid = TRUE;
-+ }
-
- /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
- if (config->get_mode(config) == MODE_TRANSPORT &&
diff --git a/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch b/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
deleted file mode 100644
index 2c9a1db4fd..0000000000
--- a/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 7c7f85a0fd7e6f90c19d797304410da3925a9f96 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 3 Aug 2015 13:55:36 +0200
-Subject: [PATCH] auth-cfg: Similar to certificates matching one CA should be
- enough
-
-Not sure if defining multiple CA constraints and enforcing _all_ of them,
-that is, the previous behavior, makes even sense. To ensure a very specific
-chain it should be enough to define the last intermediate CA. On the
-other hand, the ability to define multiple CAs could simplify configuration.
-
-This can currently only be used with swanctl/VICI based configs as `rightca`
-only takes a single DN.
----
- src/libstrongswan/credentials/auth_cfg.c | 35 ++++++++++++++++++--------------
- 1 file changed, 20 insertions(+), 15 deletions(-)
-
-diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
-index 0ca45a1..9b57631 100644
---- a/src/libstrongswan/credentials/auth_cfg.c
-+++ b/src/libstrongswan/credentials/auth_cfg.c
-@@ -514,9 +514,10 @@ METHOD(auth_cfg_t, complies, bool,
- private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
- {
- enumerator_t *e1, *e2;
-- bool success = TRUE, group_match = FALSE, cert_match = FALSE;
-+ bool success = TRUE, group_match = FALSE;
-+ bool ca_match = FALSE, cert_match = FALSE;
- identification_t *require_group = NULL;
-- certificate_t *require_cert = NULL;
-+ certificate_t *require_ca = NULL, *require_cert = NULL;
- signature_scheme_t scheme = SIGN_UNKNOWN;
- u_int strength = 0;
- auth_rule_t t1, t2;
-@@ -531,26 +532,21 @@ METHOD(auth_cfg_t, complies, bool,
- case AUTH_RULE_CA_CERT:
- case AUTH_RULE_IM_CERT:
- {
-- certificate_t *c1, *c2;
-+ certificate_t *cert;
-
-- c1 = (certificate_t*)value;
-+ /* for CA certs, a match of a single cert is sufficient */
-+ require_ca = (certificate_t*)value;
-
-- success = FALSE;
- e2 = create_enumerator(this);
-- while (e2->enumerate(e2, &t2, &c2))
-+ while (e2->enumerate(e2, &t2, &cert))
- {
- if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
-- c1->equals(c1, c2))
-+ cert->equals(cert, require_ca))
- {
-- success = TRUE;
-+ ca_match = TRUE;
- }
- }
- e2->destroy(e2);
-- if (!success && log_error)
-- {
-- DBG1(DBG_CFG, "constraint check failed: peer not "
-- "authenticated by CA '%Y'.", c1->get_subject(c1));
-- }
- break;
- }
- case AUTH_RULE_SUBJECT_CERT:
-@@ -853,13 +849,22 @@ METHOD(auth_cfg_t, complies, bool,
- }
- return FALSE;
- }
--
-+ if (require_ca && !ca_match)
-+ {
-+ if (log_error)
-+ {
-+ DBG1(DBG_CFG, "constraint check failed: peer not "
-+ "authenticated by CA '%Y'",
-+ require_ca->get_subject(require_ca));
-+ }
-+ return FALSE;
-+ }
- if (require_cert && !cert_match)
- {
- if (log_error)
- {
- DBG1(DBG_CFG, "constraint check failed: peer not "
-- "authenticated with peer cert '%Y'.",
-+ "authenticated with peer cert '%Y'",
- require_cert->get_subject(require_cert));
- }
- return FALSE;
---
-2.5.0
-
diff --git a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
index e246c04294..3f61be6584 100644
--- a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
+++ b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -1,6 +1,6 @@
-From 82c26f6c6c8dc8de620cdb6b191f04451ddedd11 Mon Sep 17 00:00:00 2001
+From 6bc204df6722a9c3726d95fc3b34353e7ce9bd3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Wed, 27 Aug 2014 16:05:21 +0300
+Date: Mon, 21 Sep 2015 13:41:58 +0300
Subject: [PATCH] charon: add optional source and remote overrides for initiate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -26,9 +26,9 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
src/libcharon/processing/jobs/start_action_job.c | 2 +-
src/libcharon/sa/ike_sa_manager.c | 51 ++++++++++++++++++-
src/libcharon/sa/ike_sa_manager.h | 8 ++-
- src/libcharon/sa/trap_manager.c | 3 +-
+ src/libcharon/sa/trap_manager.c | 46 +++++++----------
src/swanctl/commands/initiate.c | 40 ++++++++++++++-
- 13 files changed, 203 insertions(+), 23 deletions(-)
+ 13 files changed, 220 insertions(+), 49 deletions(-)
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 0c6a504..dc4eca3 100644
@@ -57,7 +57,7 @@ index fc7e899..4f4461a 100644
{
peer_cfg->destroy(peer_cfg);
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 097f5ac..9c3b45b 100644
+index 6dd54b4..d0524a5 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -15,6 +15,28 @@
@@ -205,10 +205,10 @@ index 0125d17..72c806c 100644
switch (status)
{
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index b6950f3..600b83f 100644
+index ea6d295..5537ed9 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -1584,7 +1584,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+@@ -1589,7 +1589,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
charon->controller->initiate(charon->controller,
peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
@@ -218,7 +218,7 @@ index b6950f3..600b83f 100644
case ACTION_ROUTE:
DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 88574f8..55f667b 100644
+index 752007c..174bae4 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -13,6 +13,28 @@
@@ -341,7 +341,7 @@ index 5e88ac2..7043332 100644
case ACTION_ROUTE:
DBG1(DBG_JOB, "start action: route '%s'", name);
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 20b6e50..ccce3de 100644
+index 9a613a6..9fa615a 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -16,6 +16,28 @@
@@ -373,7 +373,7 @@ index 20b6e50..ccce3de 100644
#include <string.h>
#include "ike_sa_manager.h"
-@@ -1335,7 +1357,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
+@@ -1358,7 +1380,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
}
METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -383,7 +383,7 @@ index 20b6e50..ccce3de 100644
{
enumerator_t *enumerator;
entry_t *entry;
-@@ -1344,7 +1367,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1367,7 +1390,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
ike_cfg_t *current_ike;
u_int segment;
@@ -402,7 +402,7 @@ index 20b6e50..ccce3de 100644
if (this->reuse_ikesa)
{
-@@ -1359,6 +1392,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1382,6 +1415,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
{ /* skip IKE_SAs which are not usable */
continue;
}
@@ -419,7 +419,7 @@ index 20b6e50..ccce3de 100644
current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
if (current_peer && current_peer->equals(current_peer, peer_cfg))
{
-@@ -1388,6 +1431,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1411,6 +1454,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
return NULL;
}
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
@@ -431,7 +431,7 @@ index 20b6e50..ccce3de 100644
charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index f259d8e..5a69083 100644
+index 3ea928e..151ab22 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -83,7 +83,8 @@ struct ike_sa_manager_t {
@@ -460,16 +460,70 @@ index f259d8e..5a69083 100644
/**
* Check for duplicates of the given IKE_SA.
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 424d9e7..62a70f5 100644
+index 63505c9..442919f 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
-@@ -421,7 +421,8 @@ METHOD(trap_manager_t, acquire, void,
+@@ -401,7 +401,7 @@ METHOD(trap_manager_t, acquire, void,
+ peer_cfg_t *peer;
+ child_cfg_t *child;
+ ike_sa_t *ike_sa;
+- host_t *host;
++ host_t *host, *my_host = NULL, *other_host = NULL;
+ bool wildcard, ignore = FALSE;
+
+ this->lock->read_lock(this->lock);
+@@ -477,36 +477,28 @@ METHOD(trap_manager_t, acquire, void,
this->lock->unlock(this->lock);
- ike_sa = charon->ike_sa_manager->checkout_by_config(
+ if (wildcard)
+- { /* the peer config would match IKE_SAs with other peers */
+- ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+- peer->get_ike_version(peer), TRUE);
+- if (ike_sa)
+- {
+- ike_cfg_t *ike_cfg;
+- u_int16_t port;
+- u_int8_t mask;
+-
+- ike_sa->set_peer_cfg(ike_sa, peer);
+- ike_cfg = ike_sa->get_ike_cfg(ike_sa);
++ {
++ ike_cfg_t *ike_cfg;
++ u_int16_t port;
++ u_int8_t mask;
+
+- port = ike_cfg->get_other_port(ike_cfg);
+- dst->to_subnet(dst, &host, &mask);
+- host->set_port(host, port);
+- ike_sa->set_other_host(ike_sa, host);
++ ike_sa->set_peer_cfg(ike_sa, peer);
++ ike_cfg = ike_sa->get_ike_cfg(ike_sa);
+
+- port = ike_cfg->get_my_port(ike_cfg);
+- src->to_subnet(src, &host, &mask);
+- host->set_port(host, port);
+- ike_sa->set_my_host(ike_sa, host);
++ port = ike_cfg->get_other_port(ike_cfg);
++ dst->to_subnet(dst, &other_host, &mask);
++ other_host->set_port(other_host, port);
+
+- charon->bus->set_sa(charon->bus, ike_sa);
+- }
+- }
+- else
+- {
+- ike_sa = charon->ike_sa_manager->checkout_by_config(
- charon->ike_sa_manager, peer);
++ port = ike_cfg->get_my_port(ike_cfg);
++ src->to_subnet(src, &my_host, &mask);
++ my_host->set_port(my_host, port);
+ }
++ ike_sa = charon->ike_sa_manager->checkout_by_config(
+ charon->ike_sa_manager, peer,
-+ NULL, NULL);
++ my_host, other_host);
++ DESTROY_IF(my_host);
++ DESTROY_IF(other_host);
++
if (ike_sa)
{
if (ike_sa->get_peer_cfg(ike_sa) == NULL)
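Review bot: In the new wildcard branch `ike_sa` is dereferenced before it is assigned: `ike_sa->set_peer_cfg(ike_sa, peer);` and `ike_cfg = ike_sa->get_ike_cfg(ike_sa);` now sit inside `if (wildcard)`, but the only assignment in this hunk is the `checkout_by_config()` call that follows the block, and the declaration in the first hunk is `ike_sa_t *ike_sa;` with no initialiser. Unless something between the two hunks assigns it (not visible here), every wildcard acquire dereferences an indeterminate pointer. The IKE config is reachable from the peer config, so the two lines can become `ike_cfg = peer->get_ike_cfg(peer);`; the peer config is attached afterwards anyway by the existing `if (ike_sa->get_peer_cfg(ike_sa) == NULL)` path. It is also worth confirming that `checkout_by_config()` clones `my_host`/`other_host`, since both are destroyed immediately after the call. The enclosing function continues outside the hunk.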
@@ -553,5 +607,5 @@ index eb7b6ad..706fa57 100644
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
--
-2.4.6
+2.5.3
diff --git a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch
index 7737220643..8caabd063c 100644
--- a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch
+++ b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch
@@ -1,6 +1,6 @@
-From dde551360cbe9ac09f1cd2d01047131c6332c576 Mon Sep 17 00:00:00 2001
+From 2a175cc40c5754b803ccfe3f641b438f54b569ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Thu, 30 Apr 2015 12:08:13 +0300
+Date: Mon, 21 Sep 2015 13:42:05 +0300
Subject: [PATCH] vici: send certificates for ike-sa events
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -8,11 +8,11 @@ Content-Transfer-Encoding: 8bit
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
- src/libcharon/plugins/vici/vici_query.c | 42 +++++++++++++++++++++++++++++----
- 1 file changed, 38 insertions(+), 4 deletions(-)
+ src/libcharon/plugins/vici/vici_query.c | 48 ++++++++++++++++++++++++++++-----
+ 1 file changed, 41 insertions(+), 7 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index d94d760..3d461f7 100644
+index 98d264f..5245afc 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -225,13 +225,15 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b,
@@ -83,17 +83,30 @@ index d94d760..3d461f7 100644
b->begin_section(b, "child-sas");
csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1055,7 +1089,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1063,7 +1097,7 @@ METHOD(listener_t, ike_updown, bool,
+ }
- b = vici_builder_create();
b->begin_section(b, ike_sa->get_name(ike_sa));
- list_ike(this, b, ike_sa, now);
+ list_ike(this, b, ike_sa, now, up);
- b->begin_section(b, "child-sas");
b->end_section(b);
- b->end_section(b);
-@@ -1081,7 +1115,7 @@ METHOD(listener_t, child_updown, bool,
+
+ this->dispatcher->raise_event(this->dispatcher,
+@@ -1088,10 +1122,10 @@ METHOD(listener_t, ike_rekey, bool,
b = vici_builder_create();
+ b->begin_section(b, old->get_name(old));
+ b->begin_section(b, "old");
+- list_ike(this, b, old, now);
++ list_ike(this, b, old, now, TRUE);
+ b->end_section(b);
+ b->begin_section(b, "new");
+- list_ike(this, b, new, now);
++ list_ike(this, b, new, now, TRUE);
+ b->end_section(b);
+ b->end_section(b);
+
+@@ -1121,7 +1155,7 @@ METHOD(listener_t, child_updown, bool,
+ }
b->begin_section(b, ike_sa->get_name(ike_sa));
- list_ike(this, b, ike_sa, now);
@@ -101,6 +114,15 @@ index d94d760..3d461f7 100644
b->begin_section(b, "child-sas");
b->begin_section(b, child_sa->get_name(child_sa));
+@@ -1153,7 +1187,7 @@ METHOD(listener_t, child_rekey, bool,
+ b = vici_builder_create();
+
+ b->begin_section(b, ike_sa->get_name(ike_sa));
+- list_ike(this, b, ike_sa, now);
++ list_ike(this, b, ike_sa, now, TRUE);
+ b->begin_section(b, "child-sas");
+
+ b->begin_section(b, old->get_name(old));
--
-2.4.6
+2.5.3
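Review bot: The new fifth argument to `list_ike()` is passed as a bare `TRUE` at both `ike_rekey` call sites and at `child_rekey`, which tells a reader nothing about what it enables; from the patch subject it presumably gates certificate output, and the `ike_updown` site passes `up`, so a down event omits it. A short comment at the first rekey call, such as `/* TRUE: include certificates, as for an up event */`, would make the intent survive the next rebase. Whether re-sending the old IKE_SA's certificates on every rekey is wanted is not decidable from here.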
diff --git a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch b/main/strongswan/1003-vici-add-support-for-individual-sa-state-changes.patch
index c42b40d2d3..ac739eafae 100644
--- a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+++ b/main/strongswan/1003-vici-add-support-for-individual-sa-state-changes.patch
@@ -1,8 +1,7 @@
-From 728f1a0afc45264715ee7a77d5ce6614cec42863 Mon Sep 17 00:00:00 2001
+From 6ca8cf5415f8a984d281a1b5115df34c26ef9057 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Thu, 30 Apr 2015 10:58:15 +0300
-Subject: [PATCH] vici: add support rekeying events, and individual sa state
- changes
+Date: Mon, 21 Sep 2015 13:42:11 +0300
+Subject: [PATCH] vici: add support for individual sa state changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -11,22 +10,21 @@ Useful for monitoring and tracking full SA.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
- src/libcharon/plugins/vici/vici_query.c | 176 ++++++++++++++++++++++++++++++++
- 1 file changed, 176 insertions(+)
+ src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++++++++++
+ 1 file changed, 105 insertions(+)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 3d461f7..316c698 100644
+index 5245afc..71fbf54 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1065,7 +1065,17 @@ static void manage_commands(private_vici_query_t *this, bool reg)
- this->dispatcher->manage_event(this->dispatcher, "list-conn", reg);
+@@ -1066,8 +1066,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
+ this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
+ this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
+ this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
-+ this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
+ this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
+ this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg);
+ this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg);
+ this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg);
@@ -36,42 +34,10 @@ index 3d461f7..316c698 100644
manage_command(this, "list-sas", list_sas, reg);
manage_command(this, "list-policies", list_policies, reg);
manage_command(this, "list-conns", list_conns, reg);
-@@ -1100,6 +1110,77 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1135,6 +1143,45 @@ METHOD(listener_t, ike_rekey, bool,
return TRUE;
}
-+METHOD(listener_t, ike_rekey, bool,
-+ private_vici_query_t *this, ike_sa_t *old, ike_sa_t *new)
-+{
-+ vici_builder_t *b;
-+ time_t now;
-+
-+ if (!this->dispatcher->has_event_listeners(this->dispatcher, "ike-rekey"))
-+ {
-+ return TRUE;
-+ }
-+
-+ now = time_monotonic(NULL);
-+
-+ b = vici_builder_create();
-+ b->begin_section(b, old->get_name(old));
-+ list_ike(this, b, old, now, TRUE);
-+ b->begin_section(b, "child-sas");
-+ b->end_section(b);
-+ b->end_section(b);
-+
-+ b->begin_section(b, new->get_name(new));
-+ list_ike(this, b, new, now, TRUE);
-+ b->begin_section(b, "child-sas");
-+ b->end_section(b);
-+ b->end_section(b);
-+
-+ this->dispatcher->raise_event(this->dispatcher,
-+ "ike-rekey", 0, b->finalize(b));
-+
-+ return TRUE;
-+}
-+
+METHOD(listener_t, ike_state_change, bool,
+ private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
@@ -114,45 +80,10 @@ index 3d461f7..316c698 100644
METHOD(listener_t, child_updown, bool,
private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
{
-@@ -1131,6 +1212,97 @@ METHOD(listener_t, child_updown, bool,
+@@ -1210,6 +1257,62 @@ METHOD(listener_t, child_rekey, bool,
return TRUE;
}
-+METHOD(listener_t, child_rekey, bool,
-+ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *old, child_sa_t *new)
-+{
-+ vici_builder_t *b;
-+ time_t now;
-+
-+ if (!this->dispatcher->has_event_listeners(this->dispatcher, "child-rekey"))
-+ {
-+ return TRUE;
-+ }
-+
-+ now = time_monotonic(NULL);
-+ b = vici_builder_create();
-+
-+ b->begin_section(b, ike_sa->get_name(ike_sa));
-+ list_ike(this, b, ike_sa, now, TRUE);
-+ b->begin_section(b, "child-sas");
-+
-+ b->begin_section(b, old->get_name(old));
-+ list_child(this, b, old, now);
-+ b->end_section(b);
-+
-+ b->begin_section(b, new->get_name(new));
-+ list_child(this, b, new, now);
-+ b->end_section(b);
-+
-+ b->end_section(b);
-+ b->end_section(b);
-+
-+ this->dispatcher->raise_event(this->dispatcher,
-+ "child-rekey", 0, b->finalize(b));
-+
-+ return TRUE;
-+}
-+
+METHOD(listener_t, child_state_change, bool,
+ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
+{
@@ -212,18 +143,17 @@ index 3d461f7..316c698 100644
METHOD(vici_query_t, destroy, void,
private_vici_query_t *this)
{
-@@ -1149,7 +1321,11 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
- .public = {
+@@ -1229,8 +1332,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
.listener = {
.ike_updown = _ike_updown,
-+ .ike_rekey = _ike_rekey,
+ .ike_rekey = _ike_rekey,
+ .ike_state_change = _ike_state_change,
.child_updown = _child_updown,
-+ .child_rekey = _child_rekey,
+ .child_rekey = _child_rekey,
+ .child_state_change = _child_state_change,
},
.destroy = _destroy,
},
--
-2.5.0
+2.5.3
diff --git a/main/strongswan/1004-vici-support-asynchronous-initiation.patch b/main/strongswan/1004-vici-support-asynchronous-initiation.patch
index dc95bde749..b7d351a735 100644
--- a/main/strongswan/1004-vici-support-asynchronous-initiation.patch
+++ b/main/strongswan/1004-vici-support-asynchronous-initiation.patch
@@ -1,6 +1,6 @@
-From 21efa8dbe5aab423b452277d6aa70f9c14e2f440 Mon Sep 17 00:00:00 2001
+From 69f5bad1039df91c3d459b5a599b03e8852aca65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Thu, 28 May 2015 13:06:51 +0300
+Date: Mon, 21 Sep 2015 13:42:15 +0300
Subject: [PATCH] vici: support asynchronous initiation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -12,7 +12,7 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 55f667b..da2b68f 100644
+index 174bae4..5a83cb1 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -187,7 +187,7 @@ CALLBACK(initiate, vici_message_t*,
@@ -43,5 +43,5 @@ index 55f667b..da2b68f 100644
case SUCCESS:
msg = send_reply(this, NULL);
--
-2.4.6
+2.5.3
diff --git a/main/strongswan/2001-support-gre-key-in-ikev1.patch b/main/strongswan/2001-support-gre-key-in-ikev1.patch
index 72cdd8b825..9c1d9e0d8d 100644
--- a/main/strongswan/2001-support-gre-key-in-ikev1.patch
+++ b/main/strongswan/2001-support-gre-key-in-ikev1.patch
@@ -1,6 +1,6 @@
-From f69e2daf4c4ccc57c14fd73d6b7320c5359758c8 Mon Sep 17 00:00:00 2001
+From 8addb45c033b13f3063ece56823a925c2b8bf9a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Mon, 13 Jul 2015 14:03:49 +0300
+Date: Mon, 21 Sep 2015 13:42:18 +0300
Subject: [PATCH] support gre key in ikev1
this implements gre key negotiation in ikev1 similarly to the
@@ -205,10 +205,10 @@ index df1d075..7558e91 100644
#endif /** ID_PAYLOAD_H_ @}*/
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
-index 55ec7cd..87a1d08 100644
+index f717194..cde175f 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
-@@ -1032,6 +1032,11 @@ static bool parse_protoport(char *token, u_int16_t *from_port,
+@@ -1049,6 +1049,11 @@ static bool parse_protoport(char *token, u_int16_t *from_port,
*from_port = 0xffff;
*to_port = 0;
}
@@ -234,10 +234,10 @@ index 227d24b..7749d8c 100644
}
first = FALSE;
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index 3c4e3ec..9495d4d 100644
+index 5537ed9..70c83d4 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -586,8 +586,13 @@ CALLBACK(parse_ts, bool,
+@@ -596,8 +596,13 @@ CALLBACK(parse_ts, bool,
}
else if (*port && !streq(port, "any"))
{
@@ -254,10 +254,10 @@ index 3c4e3ec..9495d4d 100644
from = to = ntohs(svc->s_port);
}
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
-index 96edfd8..c0830dd 100644
+index d6a3f2c..8533112 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
-@@ -536,9 +536,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
+@@ -541,9 +541,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
{
id_payload_t *id_payload;
@@ -269,7 +269,7 @@ index 96edfd8..c0830dd 100644
message->add_payload(message, &id_payload->payload_interface);
}
-@@ -549,7 +549,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+@@ -554,7 +554,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
{
traffic_selector_t *tsi = NULL, *tsr = NULL;
enumerator_t *enumerator;
@@ -278,7 +278,7 @@ index 96edfd8..c0830dd 100644
payload_t *payload;
host_t *hsi, *hsr;
bool first = TRUE;
-@@ -559,20 +559,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+@@ -564,20 +564,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
{
if (payload->get_type(payload) == PLV1_ID)
{
@@ -306,10 +306,10 @@ index 96edfd8..c0830dd 100644
/* create host2host selectors if ID payloads missing */
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index f22e07d..e43df3f 100644
+index 605476e..ef94c26 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -743,7 +743,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+@@ -745,7 +745,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
ts2ports(dst, &sel.dport, &sel.dport_mask);
ts2ports(src, &sel.sport, &sel.sport_mask);
@@ -328,8 +328,8 @@ index f22e07d..e43df3f 100644
+ else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
(sel.dport || sel.sport))
{
- /* the ICMP type is encoded in the most significant 8 bits and the ICMP
-@@ -767,7 +778,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ /* the kernel expects the ICMP type and code in the source and
+@@ -769,7 +780,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
{
u_char *addr;
u_int8_t prefixlen;
@@ -338,7 +338,7 @@ index f22e07d..e43df3f 100644
host_t *host = NULL;
if (src)
-@@ -776,7 +787,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+@@ -778,7 +789,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
prefixlen = sel->prefixlen_s;
if (sel->sport_mask)
{
@@ -347,7 +347,7 @@ index f22e07d..e43df3f 100644
}
}
else
-@@ -785,14 +796,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+@@ -787,14 +798,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
prefixlen = sel->prefixlen_d;
if (sel->dport_mask)
{
@@ -379,7 +379,7 @@ index f22e07d..e43df3f 100644
}
/* The Linux 2.6 kernel does not set the selector's family field,
* so as a kludge we additionally test the prefix length.
-@@ -809,7 +833,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+@@ -811,7 +835,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
if (host)
{
return traffic_selector_create_from_subnet(host, prefixlen,
@@ -389,7 +389,7 @@ index f22e07d..e43df3f 100644
return NULL;
}
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
-index 3b7f8c5..c593a3f 100644
+index 6686324..776c765 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -209,6 +209,14 @@ static int print_icmp(printf_hook_data_t *data, u_int16_t port)
@@ -503,5 +503,5 @@ index cf9a286..d458c68 100644
*
* If protocol is ICMP or ICMPv6 the ports are interpreted as follows: If they
--
-2.4.5
+2.5.3
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 97d9ed342b..1c196e24ca 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -1,9 +1,9 @@
# Contributor: Jesse Young <jlyo@jlyo.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=strongswan
-pkgver=5.3.2
+pkgver=5.3.3
_pkgver=${pkgver//_rc/rc}
-pkgrel=10
+pkgrel=0
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="http://www.strongswan.org/"
arch="all"
@@ -16,40 +16,10 @@ makedepends="$depends_dev linux-headers python"
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dbg"
source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
- 0001-vici-Asynchronize-debug-logging.patch
- 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
- 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
- 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
- 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
- 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
- 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
- 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
- 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
- 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
- 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
- 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
- 0012-daemon-Flush-shunts-before-unloading-plugins.patch
- 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
- 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
- 0015-ike-rekey-Fix-cleanup-call.patch
- 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
- 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
- 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
- 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
- 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
- 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
- 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
- 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
- 0204-vici-Optionally-check-limits-when-initiating-connect.patch
0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
- 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
- 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
- 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
- 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
- 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
1001-charon-add-optional-source-and-remote-overrides-for-.patch
1002-vici-send-certificates-for-ike-sa-events.patch
- 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+ 1003-vici-add-support-for-individual-sa-state-changes.patch
1004-vici-support-asynchronous-initiation.patch
2001-support-gre-key-in-ikev1.patch
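Review bot: Some thirty patches are dropped from `source` on the assumption that 5.3.3 carries them, which this diff does not let a reviewer verify; the one most worth double-checking is `0701-auth-cfg-...`, which relaxes CA constraints from all-of to any-of matching (its removed body is above), so if upstream 5.3.3 lacks that commit, swanctl configs with several CA constraints silently revert to the stricter semantics. `0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch` is kept while its siblings 0201–0204 go, which suggests the list was checked against upstream, but a line in the commit message naming the release or commits that subsume the dropped patches would make that auditable.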
@@ -62,9 +32,18 @@ prepare() {
cd "$srcdir/$pkgname-$_pkgver"
for i in $source; do
case $i in
- *.patch) msg $i; patch -Np1 -i "$srcdir"/$i || return 1;;
+ *.patch) msg $i; patch -Np1 -i "$srcdir"/$i || _err="$_err $i" ;;
esac
done
+
+ if [ -n "$_err" ]; then
+ error "The following patches failed:"
+ for i in $_err; do
+ echo " $i"
+ done
+ return 1
+ fi
+
# the headers they ship conflicts with the real thing.
rm -r src/include/linux
}
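Review bot: `_err` is never initialised before the loop, so the accumulator starts with whatever the surrounding shell happens to hold in that name, and a stray non-empty value would make `prepare()` fail while naming a patch that never failed. Adding `local _err=` before `for i in $source; do` fixes that and scopes the variable to the function. Continuing to apply the remaining patches after one fails is useful for a full report, but later entries in the list may then be cascading failures rather than independent ones, which the `error` message could say.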
@@ -132,120 +111,30 @@ package() {
install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon" || return 1
}
-md5sums="fab014be1477ef4ebf9a765e10f8802c strongswan-5.3.2.tar.bz2
-78960bec9b1d3be2db9bfe8d73347ceb 0001-vici-Asynchronize-debug-logging.patch
-f05c992e0c79a254fe8dfe3989d29ae6 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
-5d2720f3b0f9ae4632703c8638e29088 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
-413d0409a1232de61d61e99d7e57c2f5 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
-0660bab646fc9dbf99a5f9485e570b0e 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
-30ac430b88cdfb23546a3ac1a6247d6c 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
-de114c8e0f0fb84aaef46b55b912c7df 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
-a99f6c1cc578b17e9c69378869942ffd 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
-e7e8b6171239f3462f8f6739fcfdc56b 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
-400a514e50a378265a0ec1cff46f1f02 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
-551d01ca98e3e8b6bfea54938c576ec6 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
-b5f4a1a5cd7e5f10e9487a23078bcbab 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
-65341200450445191b67914df2629fe6 0012-daemon-Flush-shunts-before-unloading-plugins.patch
-1ea2d1a97aa37bac24a1ec9b1ce7c985 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
-054b28fd78fccb20b993ec2679f98bc6 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
-6b57da364f1222eb2a8eda8f146c784b 0015-ike-rekey-Fix-cleanup-call.patch
-0941f8e871fff5ab8c984830d23b35a1 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
-be62ce82080a0b7325709d6fbe0b9e46 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
-d97c846c00c60a35925662ba551495df 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-d73abf4c9c3354120152144e7985d428 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-0800173ace99e4f835365350142cf198 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
-c3f86cc9b0866f2e748f40d3058a5b14 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
-55feb2633c42927672113e44465fd824 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
-d57e117d13da147910e2ae09219d2492 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-8e79293070086233035a93322b935048 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+md5sums="5a25f3d1c31a77ef44d14a2e7b3eaad0 strongswan-5.3.3.tar.bz2
c46165934687326a26ec9153a34e2227 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-9b607cf38cff83547368d82fa34d716f 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
-c7c0338de6dc4993cb8cb71238fd13dc 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
-2d191d850683a6ed34f171ed64b643f0 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
-b361ef4d3ed853620febc2117b4aa6cf 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
-d4f9141b0e63a1af35df04d970e27af7 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
-06607758b690f2db961d84e26ee7d6ea 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-1aae491acf4739d871a64cd4481551f6 1002-vici-send-certificates-for-ike-sa-events.patch
-41a343863ffc1259c8a64771cd85c724 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-ca53b3df714aa588af99d4f720c4318b 1004-vici-support-asynchronous-initiation.patch
-b9f874287c35cce075b761087c28ab50 2001-support-gre-key-in-ikev1.patch
+d75b757fa44738dbdc5bcc8c60c9780d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+4dfadf6fcb74c95c7360e33a416fb0d8 1002-vici-send-certificates-for-ike-sa-events.patch
+ada5c5fda3aa5cd5b797feff3cba4b5d 1003-vici-add-support-for-individual-sa-state-changes.patch
+366d0ee2ed135d9364e6449b56ac596a 1004-vici-support-asynchronous-initiation.patch
+ccb77ee342e1b3108a49262549bbbf36 2001-support-gre-key-in-ikev1.patch
85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
7962a720ebef6892d80a3cbdab72c204 charon.initd"
-sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2
-37da81cde0afd5b2d025a62b36020ff4739bccc086bcfd1528e461534b99e1e8 0001-vici-Asynchronize-debug-logging.patch
-ee88c4636efb8e06ff66e50e82b5de5a2f49a2b60042b157b09c110332db1f2c 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
-442b721d4ee156e5bb8167f4f5831abe727d8440b26f0ba91a32f21eade14305 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
-28fb9b57d5c02ae2b10e283f13de4d7257913a44ce68e287f73144d4fe2c0972 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
-e8e967357a6741df02b80fcd75729044179549e24623d483c1f4ee603a83152b 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
-a246364122d40ef70091cdf86ea16413a20f3461e137f8209c58959dfaf09396 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
-79861e897dd8e973d2426f083079adb74cc3c281b1c891eb6fbf7e569f0b74f4 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
-a9f59b91d3ac04fd52684fd4143545452368d65af9f6026020ba95eae114c103 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
-1b463d03b3ce0cf5223bacb08155b69c1c362fa311b1af20cb79b392ac6a233e 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
-3679e3f63a72c1f32b67ab71f60f8922384cbdeb916beca779bc7776db0332fe 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
-cd1d28855c13c9544c6f4caa619a00226d8c84cc75c3e88f962ebea9736619ad 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
-ce95459cea9eaa4d7f1695e10f99ca886d428843ada8134e8f337dce957cdda0 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
-b8b82e4b99c70cd76b09a2c7d6144e1e572bee6b4c821fcf7338d1692e1843cb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
-2c4a898a4b17e196acc44947f4b48688649d29ac15c0d19e14d664bf0d9f0274 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
-a1b61e2aafcd502c8398bfefd556dfb1429d862faecc5d6c0c843e7da215abf3 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
-ef5f7d38483909ae3aff5e474ac6f5f20804645ead6a6108f2534408434023ff 0015-ike-rekey-Fix-cleanup-call.patch
-257931d4443a4ed2284bf8872e73ab1e93c0d69f490e1b9b3bb2b12210cec677 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
-02a230822398be1cf04a362163bee03f4c4edd4eb1b622fba8a93f5dcb2fb06d 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
-130db52dea23eae4081bf25c5ef050f9dfbaa4e7e99dc0a623fdfc991eb4c5c7 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-16a41ef4cf25e3432c8a61aa34ac12d6eccd5796d921c75d72570d4f9fda2717 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-4b9f8d087ef7e6f9c46fa0d5d687dd99fdbfbef1e871ef451a156474282cfefe 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
-ab4042b193a68d3ff771be006fdea81eb786fee7b7c4c8c24aa60ef3372de9c8 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
-f81bb1934c67263e0fcb75ffa449f7d663a17ffacc4d76d233acaed54e13b10d 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
-7aac3748cabf9293701924b6e6a3f0bb74c4d4302a019eb8012af48473f35b67 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-3060dd59d44de1f6e7b82146db4b09c3fd80869c75e9a31823bcbdd9f66ac923 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+sha256sums="39d2e8f572a57a77dda8dd8bdaf2ee47ad3cefeb86bbb840d594aa75f00f33e2 strongswan-5.3.3.tar.bz2
6ee2826d8f2acf4010886b9990c4fe1f1be99e869144f3dd3705e38184300ca1 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
-74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
-6eec00bdb7778a51d04157ec640394959d599f3b8cef6bad0d875658cace99ea 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
-a558247c9b6eeabfa2a677440a3e25a0841171347484d624c6c4668f9064b67d 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
-b591c93065a018cf79f8f39041a196b2142c5de0bda6b8eed2590be993329266 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
-d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34 1002-vici-send-certificates-for-ike-sa-events.patch
-811a0b67311546ec5371ce4322b1f69886be7754875c2522ebaeff08713bd26e 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1 1004-vici-support-asynchronous-initiation.patch
-ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 2001-support-gre-key-in-ikev1.patch
+47152a8d54c8ae75ea6e1d7c3c7695fb2e6eb48d24e80b13c25589a6570e3977 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+e70a78f8efa29d3a428d6393cd7c59a36acfdf676b51897d14b495c236a1996c 1002-vici-send-certificates-for-ike-sa-events.patch
+f814519a0476477620f06d8bde0fd16f9094ee79807c0cbe4eb6d45034b5ff7d 1003-vici-add-support-for-individual-sa-state-changes.patch
+f4415bd1a68311fca2a4159b74aa7c2577c6500db7f323bfc684a9dfba7c6450 1004-vici-support-asynchronous-initiation.patch
+bbdbc73ba6cafaaab1ea303eec6d026ebb50ecd12b7c32be0b4dfeaf8ae24245 2001-support-gre-key-in-ikev1.patch
ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
-sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2
-d3135206f61496d0877b22c52c0f4246d17777935a4277bfc6e7ca8b69fb2754a52fed7e8691292df91745c00fa0d597f11cd866bb4ee91453c0e252ba77eef8 0001-vici-Asynchronize-debug-logging.patch
-87ab03664dddf30ed1ae1a1e1fc2a22715a0e74b220f316937cf0f86a5b9c38262fd8a9ad62aa1866405d0bf552d33a62621c8b91634e6bd3c7967b6e7955894 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
-8f16ab691c7e778894f0fc8889ac9be8813da27e09fb304443e9053f2ed384ccd3976d7956f762136c94c870dabe808d3f97116f4573bb0df74299f1da34d643 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
-dbb5454e32cea4e671fdb109e2252536d2f8ee97097a45ad280010de7d6b7fedeb40c0418ae2af45a4393b98ac6badd9072846259be6ca823f056919fcd3b985 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
-73dcb7874aadcf641051cef91d83158fa8a1c664c094d131fcd5ad9d1c5d00abec5a75dd92780fabf2c0690079aad73275af885a83c8791c62025593fa7af61c 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
-8e3636933b7ee3eddb28b9797e3da21c494e470067bc6996509bd28a9894e037fa7575d68fb717247762dc468543b67d965745370cb1335b1f9fbc6bdf260f6e 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
-e970869f5552557d18133bb279b98a81b7d12a6656bddccfcfbdb2b2dc80ad90cc4d1d63135b3682ccb26c83408790c792de9d64056a97c1b7df16f0b159d179 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
-65a20b7d059770786c5912811db8692ab9c03a3527f83d0d23e14db4da8c64c3ed43de7a04ba1cf2a794551471ee9456e70f723b0bb4599792a668edea1f6e77 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
-e5bd98af84b248642fb6206497c7d2fca7e42362632171e271a8a715179d10f3590eb25a7b38c9fbc058c82d657668c01e9b98d8ef1f422d0887e710342eff36 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
-c4a30bbff90c2ef59e9bebb64d336bddde811f0ffba3dcef423dc71a17e98be26192f8aa8654702e9a2cdc9dbfc8ec960fbf1a126c411efef6f95dc1a19c518e 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
-6e11b006b4fd0c6d000ff301ce18170bf9540f567ada2eb23f0f1c705be8d0f9299364313249cef5528858e75c10ba9d65315c941b49cb12ae07808d3b6e1faa 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
-2a5503558dcfe654335d9b6b7056e9888b2304389bb76369b8222d54add6c8a9895ab175701eeb636c42f0df53d1078fdae7a9f11167fc2beadad82de68b0e4c 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
-4e3ac34b2ecca6c1eefd9354a96a1a1fe7499571d2c5756c1cc889c23e125073517c6af57047de5b96bbc6acf9c6bb8c677df4206633f67551336fa8e62c77fb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
-f643be8dbc32c27f2c31ac91612ae7d2f1a34e9387257d1247cd8c7fb8e5b9c58fc0b8448dd692723a6f7f2ac4d4629ffa2c440c40f5f1bfb550f1cc526b3916 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
-bd161f1d4fa2881c8c07c2b7bccc0b9f06a99b12203d00329c8295f8a5ebe49f6cf27eca286ddd3c9e443fe132c64cae6849d691ddeda49b5fe716aebc73441e 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
-3f8c5ed171eb7c99218005b038ff0e0bc23841aab76cb97fbb7b8a3091b9f5ba318bd23c347de42bd969ac599f3d5f1b6bcf5110d5e23643858b24a719374f50 0015-ike-rekey-Fix-cleanup-call.patch
-bdc74e2b6f91e94aa0041927ff5cf3f2f5d67d5d37a0c389a2b6328919bd9f2f0376957676fd359009117a1d01cd06ecfadb7151bd7875c1df5cb82e159a378a 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
-459bfd98c7cbb54bb6b7e95403eb1d62e290ce8ca04f164a49bac8684f8c1c9d4ab88a051e7a0a88fba1b3a5a030cba1aa5b4960a71c1726dbbc512be401cd40 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
-2d667eeba6d567008d8fe27d4dafa9a913c7aafa096258d7b5c95e2d8428e9dc8a40ace9e729a3d323e8d639d2ae3dae945904f90a39076c5ca5ddba7d70a0b6 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-539bfec16350c035f7ce2f3551b52ba2e22c75146a6c1494f4b25ec283f2245b7a03be9470c0e0cd3e6fc368bcf1bda60ce8166928737ab396e6cf88ffafaf79 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-a3488021316606e1fdaadfacc86ec8e9bcb741d3ac063498a64594214d97e0193270101388f61e118ec29ccfb8c6314a9fa6f3f8832a4cd8fe6b3f3445529b00 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
-b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88ab1635ba30f9ff0ca9945aa264b3213561548648d64eb25ae 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
-9a2cb61c55a03977fc4bce42fdf043706498c86d69ea094852735b2ef525fbc0f81bad33aad7afc29ef301f3e2146746b56f458980529057e05007e0bab7b972 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
-95e3544a87bf503ed17059298ec6330501f39a2210e583fed59c5d03ef25b8d8227317016bf0181e49c87a7e36e1d902b0b24bda184d2166f3ad5b79166ce0dd 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-055b7769b0f587a77585ccf8e44c30fdf0981a1418f8e426eb696cfde671ac0013b355fdfb9e73ed3605c97a3a8c5f8ac38a2a0a137a5b87f9d6491752254543 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+sha512sums="469b32635bb4c60af1fa5ee535bea5abcd91081c7d482baa861e3951e4aab00783620698b5eade82d9a77aea4ab60d2a00fbf7e9e8760feeffb67c517756169f strongswan-5.3.3.tar.bz2
6b01e9810566e4f928fa72f01b5fa6cdbddaf1045433cb5b73b5a3d1cd73260ff195709e4d46384c2aa6540e4e62ad9021d9cad19b2061bc0153581e74cf2d0e 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-8788fb376eaf57d9f277cac785db08578de3992e2484e7ab21ec044bc91000565ecb2adae4d2632f43ca6ed76519fd4422d86a3ba07a499594fbd7a61298458c 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
-86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
-f0dfb8aee6fd456d5d330d9a1212842ecd7f88b9b76bb1667dacdbbb2c38369fa089df6ce13c6363735012f653df91b4bbb082a970a11ec63e6a2d14ca2b0ec2 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
-dad393b5d8b5152d7544a42818c446098b748cf4114b544d0bcf6a039c5f9f266ac850f6725b58d653186dcd23cae8a9db627f245412ad1cd3b5a4ccadc90825 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
-bc31b3fa089e594e7989e6cb095eb144cfdad55f991729235fda98e010bf715f5efb4b65f2ef2fd12bbc2d5c48e40f6010554bff43b30c7978402247114263e0 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
-2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881 1002-vici-send-certificates-for-ike-sa-events.patch
-98b46369adcbe86635a83779ed54b192c67ef34310a42f0c131f3ce50f2d46e3135caefeece6993a9ac92abba1a38854b128f4687dec0eb30b108788386688ea 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6 1004-vici-support-asynchronous-initiation.patch
-723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 2001-support-gre-key-in-ikev1.patch
+0daa63c1da1d84a02b6f675b2ba246c30de537a2494e43bceb13eb201ca9c90644493cf5b85d522b4ccdb57928978fb65b4d44a43ecd2648376c8fdc1cd8bc2d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+3cf83b588e4bc1ae20956f940f5f92357cbcc0bdcf7bf1b5984b64e09ae16b4871e836a1503fee8f6f55a4dbd0a47f39c75b3d4ed5fd52b71dd41bea15964d28 1002-vici-send-certificates-for-ike-sa-events.patch
+00dbbd8ea9a434de13f1bb74b7cd2d64a97fbefa7ff943ba138282d02d3860e1363ca4fded0d24c215dc5678f13af16242b61ed192d3b7935e2d747f9aafdf61 1003-vici-add-support-for-individual-sa-state-changes.patch
+fbfb4a2740d98d633a6ba946eb1a6b3ecc1dd924989bb94f23b34e5525471b11f735c82f0e8ce56441f836866d6e86c2c34f9bfe83689cd34f814dab6641c107 1004-vici-support-asynchronous-initiation.patch
+0e554a6117f51a564a1b269c9ed2f2858d22ef61df483e2eb09997a3075444deb10df9d0cc8b9ddbe2bb2f740640860c21b1492a9ec28657844fa9c41b822bfc 2001-support-gre-key-in-ikev1.patch
b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"