From bffeca85f0d7cf485aeabb17dd0d40735fe2b2ee Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?author=20Timo=20Ter=C3=A4s=20timo=2Eteras=40iki=2Efi=20144?= =?UTF-8?q?2826138=20+0300?=
Date: Mon, 21 Sep 2015 12:02:18 +0300
Subject: main/strongswan: upgrade to 5.3.3

remove upstreamed patches; rebase the rest
---
 .../0001-vici-Asynchronize-debug-logging.patch | 169 -----------
 ...ly-handle-NULL-in-host_create_from_string.patch | 67 -----
 ...ger-Safely-access-the-RNG-instance-with-a.patch | 91 ------
 ...-helper-function-to-determine-address-fam.patch | 106 -------
 ...ress-family-of-local-address-when-resolvi.patch | 48 ----
 ...ck-to-the-current-remote-IP-if-it-resolve.patch | 37 ---
 ...r-Properly-check-in-IKE_SA-if-initiating-.patch | 33 ---
 ...r-Changed-how-acquires-we-acted-on-are-tr.patch | 260 -----------------
 ...r-Resolve-race-conditions-between-flush-a.patch | 118 --------
 ...er-Add-a-lock-to-safely-access-the-list-o.patch | 112 --------
 ...er-Remove-stored-entries-if-installation-.patch | 43 ---
 ...er-Add-flush-method-to-properly-uninstall.patch | 153 ----------
 ...mon-Flush-shunts-before-unloading-plugins.patch | 27 --
 ...eset-IKE_SA-on-the-bus-after-destroying-n.patch | 105 -------
 ...eset-IKE_SA-on-bus-before-sending-CREATE_.patch | 31 --
 .../0015-ike-rekey-Fix-cleanup-call.patch | 34 ---
 ...Fix-memory-leak-if-remote-address-is-kept.patch | 27 --
 ...kernel-netlink-unlock-mutex-in-del-policy.patch | 22 --
 ...ink-Actually-verify-if-the-netlink-messag.patch | 31 --
 ...ink-Use-the-PAGE_SIZE-as-default-for-the-.patch | 59 ----
 ...ink-when-adding-policy-do-an-update-if-it.patch | 40 ---
 ...lso-track-initiating-IKE_SAs-as-half-open.patch | 24 --
 ...Optionally-adhere-to-init-limits-also-whe.patch | 317 ---------------------
 ...t_bool-convenience-getter-for-VICI-messag.patch | 170 -----------
 ...ally-check-limits-when-initiating-connect.patch | 65 -----
 ...n-different-job-priorities-for-inbound-IK.patch | 46 ---
 ...tf-hook-builtin-Fix-invalid-memory-access.patch | 68 -----
 ...e-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch | 30 --
 ...ld-sa-fix-refcounting-of-allocated-reqids.patch | 69 -----
 ...milar-to-certificates-matching-one-CA-sho.patch | 95 ------
 ...optional-source-and-remote-overrides-for-.patch | 92 ++++--
 ...-vici-send-certificates-for-ike-sa-events.patch | 44 ++-
 ...d-support-for-individual-sa-state-changes.patch | 159 +++++++++++
 ...pport-rekeying-events-and-individual-sa-s.patch | 229 ---------------
 ...1004-vici-support-asynchronous-initiation.patch | 8 +-
 .../strongswan/2001-support-gre-key-in-ikev1.patch | 38 +--
 main/strongswan/APKBUILD | 173 ++---------
 37 files changed, 319 insertions(+), 2921 deletions(-)
 delete mode 100644 main/strongswan/0001-vici-Asynchronize-debug-logging.patch
 delete mode 100644 main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch
 delete mode 100644 main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
 delete mode 100644 main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
 delete mode 100644 main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch
 delete mode 100644 main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
 delete mode 100644 main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
 delete mode 100644 main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
 delete mode 100644 main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
 delete mode 100644 main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
 delete mode 100644 main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch
 delete mode 100644 main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
 delete mode 100644 main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch
 delete mode 100644 main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
 delete mode 100644 main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
 delete mode 100644 main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
 delete mode 100644 main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
 delete mode 100644 main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch
 delete mode 100644 main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
 delete mode 100644 main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
 delete mode 100644 main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
 delete mode 100644 main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
 delete mode 100644 main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
 delete mode 100644 main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
 delete mode 100644 main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch
 delete mode 100644 main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
 delete mode 100644 main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch
 delete mode 100644 main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
 delete mode 100644 main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch
 delete mode 100644 main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
 create mode 100644 main/strongswan/1003-vici-add-support-for-individual-sa-state-changes.patch
 delete mode 100644 main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
(limited to 'main/strongswan')
diff --git a/main/strongswan/0001-vici-Asynchronize-debug-logging.patch b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
deleted file mode 100644
index c756f9d3e8..0000000000
--- a/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
+++ /dev/null
@@ -1,169 +0,0 @@ -From 856ea64129cdc7ee56969524d7abaaae08c22c6a Mon Sep 17 00:00:00 2001 -From: Martin Willi -Date: Thu, 2 Jul 2015 09:10:21 +0200 -Subject: [PATCH] vici: Asynchronize debug logging - -The vici logger uses the listener_t.log() callback to raise vici events. - -When doing so, it holds the bus lock as reader while acquiring the vici socket -mutex (1). If at the same time the vici socket enables a writer, that thread -tries to lock the watcher mutex (2). The watcher thread uses debugging while -holding the lock, i.e. acquires the bus read lock (3). - -(1) bus.rlock -> vici.lock! -(2) vici.lock -> watcher.lock! -(3) watcher.lock -> bus.rlock! - -This all actually would resolve just fine, as we have a shared read lock on the -bus. However, under Windows we seem to have a strict writer preference when -acquiring the rwlock (4). This results in blocking read locks until any pending -write lock can be fulfilled, and makes the constellation deadlock. The relevant -threads are: - -Thread (1) -6 0x71313d25 in wait_ at threading/windows/mutex.c:137 -7 0x7054c8a2 in find_entry at vici_socket.c:201 -8 0x7054d690 in send_ at vici_socket.c:624 -9 0x7054f6c1 in send_op at vici_dispatcher.c:119 -10 0x705502c1 in raise_event at vici_dispatcher.c:469 -12 0x704c3878 in log_cb at bus/bus.c:332 -13 0x712c7c3a in invoke_function at collections/linked_list.c:414 -14 0x704c3a63 in vlog at bus/bus.c:400 -15 0x704c3b36 in log_ at bus/bus.c:430 -18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664 -20 0x704f5430 in process_message at sa/ike_sa.c:1369 -21 0x704e3823 in execute at processing/jobs/process_message_job.c:74 -22 0x712e629f in process_job at processing/processor.c:235 - -Thread (2) -4 0x71313b61 in lock at threading/windows/mutex.c:66 -5 0x712e81fd in add at processing/watcher.c:441 -6 0x712e1ab9 in add_watcher at networking/streams/stream.c:213 -7 0x712e1b4d in on_write at networking/streams/stream.c:237 -8 0x7054d606 in _cb_enable_writer at 
vici_socket.c:609 -9 0x712e5e34 in execute at processing/jobs/callback_job.c:77 -10 0x712e629f in process_job at processing/processor.c:235 - -Thread (3) -3 0x71313f38 in read_lock at threading/windows/rwlock.c:74 -4 0x704c3971 in vlog at bus/bus.c:373 -5 0x704cc156 in dbg_bus at daemon.c:126 -6 0x712e7bf9 in watch at processing/watcher.c:316 -7 0x712e5e34 in execute at processing/jobs/callback_job.c:77 -8 0x712e629f in process_job at processing/processor.c:235 - -Thread (4) -3 0x71313f70 in write_lock at threading/windows/rwlock.c:82 -4 0x704c378b in remove_logger at bus/bus.c:290 -5 0x704cb284 in listener_unregister at control/controller.c:166 -6 0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558 -8 0x704cb94e in initiate at control/controller.c:435 -9 0x70553996 in _cb_initiate at vici_control.c:187 -12 0x7054d200 in _cb_process_queue at vici_socket.c:508 -13 0x712e5e34 in execute at processing/jobs/callback_job.c:77 -14 0x712e629f in process_job at processing/processor.c:235 - -To avoid such a situation, we dissolve the (1) lock sequence. It's actually -never good practice to acquire shared locks during bus hooks, as it is -problematic if we raise bus events while holding the lock. We do so by -raising vici events for log message asynchronously, but of curse must keep -log order as is using a synchronized queue. 
---- - src/libcharon/plugins/vici/vici_logger.c | 48 +++++++++++++++++++++++++++++++- - 1 file changed, 47 insertions(+), 1 deletion(-) - -diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c -index cffd65b..6d3584e 100644 ---- a/src/libcharon/plugins/vici/vici_logger.c -+++ b/src/libcharon/plugins/vici/vici_logger.c -@@ -18,6 +18,7 @@ - - #include - #include -+#include - - typedef struct private_vici_logger_t private_vici_logger_t; - -@@ -42,11 +43,54 @@ struct private_vici_logger_t { - int recursive; - - /** -+ * List of messages to raise async events -+ */ -+ linked_list_t *queue; -+ -+ /** - * Mutex to synchronize logging - */ - mutex_t *mutex; - }; - -+/** -+ * Async callback to raise events for queued messages -+ */ -+static job_requeue_t raise_events(private_vici_logger_t *this) -+{ -+ vici_message_t *message; -+ u_int count; -+ -+ this->mutex->lock(this->mutex); -+ count = this->queue->get_count(this->queue); -+ this->queue->remove_first(this->queue, (void**)&message); -+ this->mutex->unlock(this->mutex); -+ -+ if (count > 0) -+ { -+ this->dispatcher->raise_event(this->dispatcher, "log", 0, message); -+ } -+ if (count > 1) -+ { -+ return JOB_REQUEUE_DIRECT; -+ } -+ return JOB_REQUEUE_NONE; -+} -+ -+/** -+ * Queue a message for async processing -+ */ -+static void queue_messsage(private_vici_logger_t *this, vici_message_t *message) -+{ -+ this->queue->insert_last(this->queue, message); -+ if (this->queue->get_count(this->queue) == 1) -+ { -+ lib->processor->queue_job(lib->processor, (job_t*) -+ callback_job_create((callback_job_cb_t)raise_events, -+ this, NULL, NULL)); -+ } -+} -+ - METHOD(logger_t, log_, void, - private_vici_logger_t *this, debug_t group, level_t level, int thread, - ike_sa_t* ike_sa, const char *msg) -@@ -75,7 +119,7 @@ METHOD(logger_t, log_, void, - message = builder->finalize(builder); - if (message) - { -- this->dispatcher->raise_event(this->dispatcher, "log", 0, message); -+ 
queue_messsage(this, message); - } - } - this->recursive--; -@@ -101,6 +145,7 @@ METHOD(vici_logger_t, destroy, void, - private_vici_logger_t *this) - { - manage_commands(this, FALSE); -+ this->queue->destroy_offset(this->queue, offsetof(vici_message_t, destroy)); - this->mutex->destroy(this->mutex); - free(this); - } -@@ -121,6 +166,7 @@ vici_logger_t *vici_logger_create(vici_dispatcher_t *dispatcher) - .destroy = _destroy, - }, - .dispatcher = dispatcher, -+ .queue = linked_list_create(), - .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), - ); - --- -2.4.6 - diff --git a/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch deleted file mode 100644 index ff79e322ec..0000000000 --- a/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 65579569adfa0e2c9602ee250f4554169ba5a87d Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 11 Jun 2015 15:07:07 +0200 -Subject: [PATCH] host: Properly handle NULL in - host_create_from_string[_and_family] - ---- - src/libstrongswan/networking/host.c | 4 ++++ - src/libstrongswan/tests/suites/test_host.c | 6 ++++++ - 2 files changed, 10 insertions(+) - -diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c -index 07da3ef..2e464b0 100644 ---- a/src/libstrongswan/networking/host.c -+++ b/src/libstrongswan/networking/host.c -@@ -354,6 +354,10 @@ host_t *host_create_from_string_and_family(char *string, int family, - struct sockaddr_in6 v6; - } addr; - -+ if (!string) -+ { -+ return NULL; -+ } - if (streq(string, "%any")) - { - return host_create_any_port(family ? family : AF_INET, port); -diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c -index 7161b2c..5cb8013 100644 ---- a/src/libstrongswan/tests/suites/test_host.c -+++ b/src/libstrongswan/tests/suites/test_host.c -@@ -104,6 +104,9 @@ START_TEST(test_create_from_string_v4) - { - host_t *host; - -+ host = host_create_from_string(NULL, 500); -+ ck_assert(!host); -+ - host = host_create_from_string("%any", 500); - verify_any(host, AF_INET, 500); - host->destroy(host); -@@ -196,6 +199,7 @@ static void test_create_from_string_and_family_addr(char *string, chunk_t addr, - - START_TEST(test_create_from_string_and_family_v4) - { -+ test_create_from_string_and_family_any(NULL, AF_INET, AF_UNSPEC); - test_create_from_string_and_family_any("%any", AF_INET, AF_INET); - test_create_from_string_and_family_any("%any4", AF_INET, AF_INET); - test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET); -@@ -210,6 +214,7 @@ END_TEST - - START_TEST(test_create_from_string_and_family_v6) - { -+ test_create_from_string_and_family_any(NULL, AF_INET6, AF_UNSPEC); - test_create_from_string_and_family_any("%any", AF_INET6, 
AF_INET6); - test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6); - test_create_from_string_and_family_any("::", AF_INET6, AF_INET6); -@@ -224,6 +229,7 @@ END_TEST - - START_TEST(test_create_from_string_and_family_other) - { -+ test_create_from_string_and_family_any(NULL, AF_UNSPEC, AF_UNSPEC); - test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET); - test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET); - test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET); --- -2.4.6 - diff --git a/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch deleted file mode 100644 index c17141460a..0000000000 --- a/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 390ae7a2c2f899122e722241cb261f53dfc81b9a Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Wed, 8 Jul 2015 15:28:46 +0200 -Subject: [PATCH] ike-sa-manager: Safely access the RNG instance with an rwlock - -Threads might still be allocating SPIs (e.g. triggered by an acquire or -an inbound message) while the main thread calls flush(). If there is a -context switch right after such a thread successfully checked this->rng -in get_spi() and the main thread destroys the RNG instance right then, -that worker thread will cause a segmentation fault when it continues and -attempts to call get_bytes(). - -Fixes #1014. ---- - src/libcharon/sa/ike_sa_manager.c | 21 ++++++++++++++++----- - 1 file changed, 16 insertions(+), 5 deletions(-) - -diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 938f784..987260d 100644 ---- a/src/libcharon/sa/ike_sa_manager.c -+++ b/src/libcharon/sa/ike_sa_manager.c -@@ -1,7 +1,7 @@ - /* - * Copyright (C) 2005-2011 Martin Willi - * Copyright (C) 2011 revosec AG -- * Copyright (C) 2008-2012 Tobias Brunner -+ * Copyright (C) 2008-2015 Tobias Brunner - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * -@@ -384,6 +384,11 @@ struct private_ike_sa_manager_t { - rng_t *rng; - - /** -+ * Lock to access the RNG instance -+ */ -+ rwlock_t *rng_lock; -+ -+ /** - * reuse existing IKE_SAs in checkout_by_config - */ - bool reuse_ikesa; -@@ -943,12 +948,14 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) - { - u_int64_t spi; - -- if (this->rng && -- this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) -+ this->rng_lock->read_lock(this->rng_lock); -+ if (!this->rng || -+ !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) - { -- return spi; -+ spi = 0; - } -- return 0; -+ this->rng_lock->unlock(this->rng_lock); -+ return spi; - } - - /** -@@ -2055,8 +2062,10 @@ METHOD(ike_sa_manager_t, flush, void, - charon->bus->set_sa(charon->bus, NULL); - 
unlock_all_segments(this); - -+ this->rng_lock->write_lock(this->rng_lock); - this->rng->destroy(this->rng); - this->rng = NULL; -+ this->rng_lock->unlock(this->rng_lock); - } - - METHOD(ike_sa_manager_t, destroy, void, -@@ -2081,6 +2090,7 @@ METHOD(ike_sa_manager_t, destroy, void, - free(this->connected_peers_segments); - free(this->init_hashes_segments); - -+ this->rng_lock->destroy(this->rng_lock); - free(this); - } - -@@ -2138,6 +2148,7 @@ ike_sa_manager_t *ike_sa_manager_create() - free(this); - return NULL; - } -+ this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - - this->ikesa_limit = lib->settings->get_int(lib->settings, - "%s.ikesa_limit", 0, lib->ns); --- -2.4.6 - diff --git a/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch deleted file mode 100644 index 0cf63a3f76..0000000000 --- a/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From 6bfa66069304c1fc1345b4e72762a3b1a80e4338 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 11 Jun 2015 15:42:54 +0200 -Subject: [PATCH] ike-cfg: Add helper function to determine address family of - IP addresses - -All configured static addresses (hostnames, ranges or subnets are not -considered) must be of the same family, otherwise AF_UNSPEC is returned. ---- - src/libcharon/config/ike_cfg.c | 47 ++++++++++++++++++++++++++++++++++++++++++ - src/libcharon/config/ike_cfg.h | 13 +++++++++++- - 2 files changed, 59 insertions(+), 1 deletion(-) - -diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c -index 9464ceb..dee9e4c 100644 ---- a/src/libcharon/config/ike_cfg.c -+++ b/src/libcharon/config/ike_cfg.c -@@ -1,4 +1,5 @@ - /* -+ * Copyright (C) 2012-2015 Tobias Brunner - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil -@@ -513,6 +514,52 @@ static void parse_addresses(char *str, linked_list_t *hosts, - /** - * Described in header. 
- */ -+int ike_cfg_get_family(ike_cfg_t *cfg, bool local) -+{ -+ private_ike_cfg_t *this = (private_ike_cfg_t*)cfg; -+ enumerator_t *enumerator; -+ host_t *host; -+ char *str; -+ int family = AF_UNSPEC; -+ -+ if (local) -+ { -+ enumerator = this->my_hosts->create_enumerator(this->my_hosts); -+ } -+ else -+ { -+ enumerator = this->other_hosts->create_enumerator(this->other_hosts); -+ } -+ while (enumerator->enumerate(enumerator, &str)) -+ { -+ if (streq(str, "%any")) -+ { /* ignore %any as its family is undetermined */ -+ continue; -+ } -+ host = host_create_from_string(str, 0); -+ if (host) -+ { -+ if (family == AF_UNSPEC) -+ { -+ family = host->get_family(host); -+ } -+ else if (family != host->get_family(host)) -+ { -+ /* more than one address family defined */ -+ family = AF_UNSPEC; -+ host->destroy(host); -+ break; -+ } -+ } -+ DESTROY_IF(host); -+ } -+ enumerator->destroy(enumerator); -+ return family; -+} -+ -+/** -+ * Described in header. -+ */ - ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, - char *me, u_int16_t my_port, - char *other, u_int16_t other_port, -diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h -index adfcabf..62f5b74 100644 ---- a/src/libcharon/config/ike_cfg.h -+++ b/src/libcharon/config/ike_cfg.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2012 Tobias Brunner -+ * Copyright (C) 2012-2015 Tobias Brunner - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil -@@ -254,4 +254,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, - char *other, u_int16_t other_port, - fragmentation_t fragmentation, u_int8_t dscp); - -+/** -+ * Determine the address family of the local or remtoe address(es). If multiple -+ * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are -+ * not though). 
-+ * -+ * @param local TRUE to check local addresses, FALSE for remote -+ * @return address family of address(es) if distinct -+ */ -+int ike_cfg_get_family(ike_cfg_t *this, bool local); -+ -+ - #endif /** IKE_CFG_H_ @}*/ --- -2.4.6 - diff --git a/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch deleted file mode 100644 index 7114d6247a..0000000000 --- a/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From a11048adee0aeab8af10259f406363d7cc6beccc Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 11 Jun 2015 15:10:29 +0200 -Subject: [PATCH] ike: Use address family of local address when resolving - remote host - -If static local addresses are configured we should use their address family -as a hint when resolving the remote address. -We don't do this if %any is configured as this might break existing -configurations (%any4 and %any6 are however used as hint). ---- - src/libcharon/sa/ike_sa.c | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c -index 3aafa4c..0c13c58 100644 ---- a/src/libcharon/sa/ike_sa.c -+++ b/src/libcharon/sa/ike_sa.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2006-2014 Tobias Brunner -+ * Copyright (C) 2006-2015 Tobias Brunner - * Copyright (C) 2006 Daniel Roethlisberger - * Copyright (C) 2005-2009 Martin Willi - * Copyright (C) 2005 Jan Hutter -@@ -1200,6 +1200,19 @@ static void resolve_hosts(private_ike_sa_t *this) - break; - } - -+ /* if an IP address is set locally, use the same family to resolve remote */ -+ if (family == AF_UNSPEC && !this->remote_host) -+ { -+ if (this->local_host) -+ { -+ family = this->local_host->get_family(this->local_host); -+ } -+ else -+ { -+ family = ike_cfg_get_family(this->ike_cfg, TRUE); -+ } -+ } -+ - if (this->remote_host) - { - host = this->remote_host->clone(this->remote_host); --- -2.4.6 - diff --git a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch deleted file mode 100644 index 411bc58df9..0000000000 --- a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 6f7a3b33bc044e0c212be54be74b9497d513ca86 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 10 Jul 2015 10:23:02 +0200 -Subject: [PATCH] ike: Fall back to the current remote IP if it resolves to - %any - -In some situations it might be valid for a host that configures -right=%any to reestablish or reauthenticate an IKE_SA. Using %any would -immediately abort the initiation causing the new SA to fail (which -might already have the existing CHILD_SAs assigned). - -Fixes #1027. ---- - src/libcharon/sa/ike_sa.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c -index 0c13c58..752a756 100644 ---- a/src/libcharon/sa/ike_sa.c -+++ b/src/libcharon/sa/ike_sa.c -@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this) - } - if (host) - { -- set_other_host(this, host); -+ if (!host->is_anyaddr(host) || -+ this->other_host->is_anyaddr(this->other_host)) -+ { /* don't set to %any if we currently have an address, but the -+ * address family might have changed */ -+ set_other_host(this, host); -+ } - } - - if (this->local_host) --- -2.4.6 - diff --git a/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch deleted file mode 100644 index f7517568c0..0000000000 --- a/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 773fcb1605d413997450b59d114a1c035910cc58 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 9 Jul 2015 14:34:19 +0200 -Subject: [PATCH] trap-manager: Properly check-in IKE_SA if initiating fails - -This basically reverts f4e822c1b422 ("trap-manager: don't check-in -nonexisting IKE_SA if acquire fails"). As checkout_by_config() could -return an already existing and established IKE_SA we have to properly -destroy it, for instance, in case other threads are waiting to check -it out. checkin_and_destroy() should handle the case of a new SA -properly (it produces a log message on level 1, though). ---- - src/libcharon/sa/trap_manager.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c -index d6ff3c8..3a70bd1 100644 ---- a/src/libcharon/sa/trap_manager.c -+++ b/src/libcharon/sa/trap_manager.c -@@ -377,8 +377,8 @@ METHOD(trap_manager_t, acquire, void, - } - else - { -- ike_sa->destroy(ike_sa); -- charon->bus->set_sa(charon->bus, NULL); -+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, -+ ike_sa); - } - } - peer->destroy(peer); --- -2.4.6 - diff --git a/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch deleted file mode 100644 index 1dea7b1391..0000000000 --- a/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch +++ /dev/null 
@@ -1,260 +0,0 @@ -From a229bdce625338117966a53efd0475b2c7c84566 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 9 Jul 2015 12:00:56 +0200 -Subject: [PATCH] trap-manager: Changed how acquires we acted on are tracked - -This fixes potential race conditions in case complete() or flush() is -executed before or concurrently with a thread that handles an acquire. -It will also simplify tracking multiple acquires created for the same -trap policy in the future. - -Also fixes the behavior in some error situations. ---- - src/libcharon/sa/trap_manager.c | 122 ++++++++++++++++++++++++++++------------ - 1 file changed, 86 insertions(+), 36 deletions(-) - -diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c -index 3a70bd1..83b6d6a 100644 ---- a/src/libcharon/sa/trap_manager.c -+++ b/src/libcharon/sa/trap_manager.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2011-2013 Tobias Brunner -+ * Copyright (C) 2011-2015 Tobias Brunner - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * -@@ -18,10 +18,10 @@ - - #include - #include -+#include - #include - #include - -- - typedef struct private_trap_manager_t private_trap_manager_t; - typedef struct trap_listener_t trap_listener_t; - -@@ -67,6 +67,16 @@ struct private_trap_manager_t { - trap_listener_t listener; - - /** -+ * list of acquires we currently handle -+ */ -+ linked_list_t *acquires; -+ -+ /** -+ * mutex for list of acquires -+ */ -+ mutex_t *mutex; -+ -+ /** - * Whether to ignore traffic selectors from acquires - */ - bool ignore_acquire_ts; -@@ -80,23 +90,45 @@ typedef struct { - char *name; - /** ref to peer_cfg to initiate */ - peer_cfg_t *peer_cfg; -- /** ref to instanciated CHILD_SA */ -+ /** ref to instantiated CHILD_SA (i.e the trap policy) */ - child_sa_t *child_sa; -- /** TRUE if an acquire is pending */ -- bool pending; -+} entry_t; -+ -+/** -+ * A handled acquire -+ */ -+typedef struct { - /** pending IKE_SA connecting upon acquire */ - ike_sa_t *ike_sa; 
--} entry_t; -+ /** reqid of pending trap policy */ -+ u_int32_t reqid; -+} acquire_t; - - /** - * actually uninstall and destroy an installed entry - */ --static void destroy_entry(entry_t *entry) -+static void destroy_entry(entry_t *this) -+{ -+ this->child_sa->destroy(this->child_sa); -+ this->peer_cfg->destroy(this->peer_cfg); -+ free(this->name); -+ free(this); -+} -+ -+/** -+ * destroy a cached acquire entry -+ */ -+static void destroy_acquire(acquire_t *this) - { -- entry->child_sa->destroy(entry->child_sa); -- entry->peer_cfg->destroy(entry->peer_cfg); -- free(entry->name); -- free(entry); -+ free(this); -+} -+ -+/** -+ * match an acquire entry by reqid -+ */ -+static bool acquire_by_reqid(acquire_t *this, u_int32_t *reqid) -+{ -+ return this->reqid == *reqid; - } - - METHOD(trap_manager_t, install, u_int32_t, -@@ -314,6 +346,7 @@ METHOD(trap_manager_t, acquire, void, - { - enumerator_t *enumerator; - entry_t *entry, *found = NULL; -+ acquire_t *acquire; - peer_cfg_t *peer; - child_cfg_t *child; - ike_sa_t *ike_sa; -@@ -337,16 +370,29 @@ METHOD(trap_manager_t, acquire, void, - this->lock->unlock(this->lock); - return; - } -- if (!cas_bool(&found->pending, FALSE, TRUE)) -+ reqid = found->child_sa->get_reqid(found->child_sa); -+ -+ this->mutex->lock(this->mutex); -+ if (this->acquires->find_first(this->acquires, (void*)acquire_by_reqid, -+ (void**)&acquire, &reqid) == SUCCESS) - { - DBG1(DBG_CFG, "ignoring acquire, connection attempt pending"); -+ this->mutex->unlock(this->mutex); - this->lock->unlock(this->lock); - return; - } -+ else -+ { -+ INIT(acquire, -+ .reqid = reqid, -+ ); -+ this->acquires->insert_last(this->acquires, acquire); -+ } -+ this->mutex->unlock(this->mutex); -+ - peer = found->peer_cfg->get_ref(found->peer_cfg); - child = found->child_sa->get_config(found->child_sa); - child = child->get_ref(child); -- reqid = found->child_sa->get_reqid(found->child_sa); - /* don't hold the lock while checking out the IKE_SA */ - 
this->lock->unlock(this->lock); - -@@ -363,16 +409,13 @@ METHOD(trap_manager_t, acquire, void, - * have a single TS that we can establish in a Quick Mode. */ - src = dst = NULL; - } -+ -+ this->mutex->lock(this->mutex); -+ acquire->ike_sa = ike_sa; -+ this->mutex->unlock(this->mutex); -+ - if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME) - { -- /* make sure the entry is still there */ -- this->lock->read_lock(this->lock); -- if (this->traps->find_first(this->traps, NULL, -- (void**)&found) == SUCCESS) -- { -- found->ike_sa = ike_sa; -- } -- this->lock->unlock(this->lock); - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); - } - else -@@ -381,6 +424,14 @@ METHOD(trap_manager_t, acquire, void, - ike_sa); - } - } -+ else -+ { -+ this->mutex->lock(this->mutex); -+ this->acquires->remove(this->acquires, acquire, NULL); -+ this->mutex->unlock(this->mutex); -+ destroy_acquire(acquire); -+ child->destroy(child); -+ } - peer->destroy(peer); - } - -@@ -391,26 +442,25 @@ static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa, - child_sa_t *child_sa) - { - enumerator_t *enumerator; -- entry_t *entry; -+ acquire_t *acquire; - -- this->lock->read_lock(this->lock); -- enumerator = this->traps->create_enumerator(this->traps); -- while (enumerator->enumerate(enumerator, &entry)) -+ this->mutex->lock(this->mutex); -+ enumerator = this->acquires->create_enumerator(this->acquires); -+ while (enumerator->enumerate(enumerator, &acquire)) - { -- if (entry->ike_sa != ike_sa) -+ if (!acquire->ike_sa || acquire->ike_sa != ike_sa) - { - continue; - } -- if (child_sa && child_sa->get_reqid(child_sa) != -- entry->child_sa->get_reqid(entry->child_sa)) -+ if (child_sa && child_sa->get_reqid(child_sa) != acquire->reqid) - { - continue; - } -- entry->ike_sa = NULL; -- entry->pending = FALSE; -+ this->acquires->remove_at(this->acquires, enumerator); -+ destroy_acquire(acquire); - } - enumerator->destroy(enumerator); -- this->lock->unlock(this->lock); 
-+ this->mutex->unlock(this->mutex); - } - - METHOD(listener_t, ike_state_change, bool, -@@ -444,14 +494,10 @@ METHOD(listener_t, child_state_change, bool, - METHOD(trap_manager_t, flush, void, - private_trap_manager_t *this) - { -- linked_list_t *traps; -- /* since destroying the CHILD_SA results in events which require a read -- * lock we cannot destroy the list while holding the write lock */ - this->lock->write_lock(this->lock); -- traps = this->traps; -+ this->traps->destroy_function(this->traps, (void*)destroy_entry); - this->traps = linked_list_create(); - this->lock->unlock(this->lock); -- traps->destroy_function(traps, (void*)destroy_entry); - } - - METHOD(trap_manager_t, destroy, void, -@@ -459,6 +505,8 @@ METHOD(trap_manager_t, destroy, void, - { - charon->bus->remove_listener(charon->bus, &this->listener.listener); - this->traps->destroy_function(this->traps, (void*)destroy_entry); -+ this->acquires->destroy_function(this->acquires, (void*)destroy_acquire); -+ this->mutex->destroy(this->mutex); - this->lock->destroy(this->lock); - free(this); - } -@@ -488,6 +536,8 @@ trap_manager_t *trap_manager_create(void) - }, - }, - .traps = linked_list_create(), -+ .acquires = linked_list_create(), -+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT), - .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - .ignore_acquire_ts = lib->settings->get_bool(lib->settings, - "%s.ignore_acquire_ts", FALSE, lib->ns), --- -2.4.6 - diff --git a/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch deleted file mode 100644 index 60a28724c8..0000000000 --- a/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch +++ /dev/null 
@@ -1,118 +0,0 @@
-From 12b3cdba7689113558f58a5265827f3086852bae Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Mon, 13 Jul 2015 13:20:14 +0200
-Subject: [PATCH] trap-manager: Resolve race conditions between flush() and
- install()
-
-When flush() is called there might be threads in install() waiting for
-trap policies to get installed (without holding the lock). We have to
-wait until they updated the entries with the respective CHILD_SAs before
-destroying the list.
-
-We also have to prevent further trap policy installations (and wait until
-threads in install() are really finished), otherwise we might end up
-destroying CHILD_SA objects after the kernel interface implementations
-have already been unloaded (avoiding this is the whole point of calling
-flush() before unloading the plugins).
----
- src/libcharon/sa/trap_manager.c | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 83b6d6a..424d9e7 100644
---- a/src/libcharon/sa/trap_manager.c
-+++ b/src/libcharon/sa/trap_manager.c
-@@ -20,8 +20,11 @@
- #include
- #include
- #include
-+#include
- #include
-
-+#define INSTALL_DISABLED ((u_int)~0)
-+
- typedef struct private_trap_manager_t private_trap_manager_t;
- typedef struct trap_listener_t trap_listener_t;
-
-@@ -77,6 +80,16 @@ struct private_trap_manager_t {
- mutex_t *mutex;
-
- /**
-+ * number of threads currently installing trap policies, or INSTALL_DISABLED
-+ */
-+ u_int installing;
-+
-+ /**
-+ * condvar to signal trap policy installation
-+ */
-+ rwlock_condvar_t *condvar;
-+
-+ /**
- * Whether to ignore traffic selectors from acquires
- */
- bool ignore_acquire_ts;
-@@ -171,6 +184,11 @@ METHOD(trap_manager_t, install, u_int32_t,
- }
-
- this->lock->write_lock(this->lock);
-+ if (this->installing == INSTALL_DISABLED)
-+ { /* flush() has been called */
-+ this->lock->unlock(this->lock);
-+ return 0;
-+ }
- enumerator = 
this->traps->create_enumerator(this->traps);
- while (enumerator->enumerate(enumerator, &entry))
- {
-@@ -204,6 +222,7 @@ METHOD(trap_manager_t, install, u_int32_t,
- .peer_cfg = peer->get_ref(peer),
- );
- this->traps->insert_first(this->traps, entry);
-+ this->installing++;
- /* don't hold lock while creating CHILD_SA and installing policies */
- this->lock->unlock(this->lock);
-
-@@ -252,6 +271,11 @@ METHOD(trap_manager_t, install, u_int32_t,
- {
- destroy_entry(found);
- }
-+ this->lock->write_lock(this->lock);
-+ /* do this at the end, so entries created temporarily are also destroyed */
-+ this->installing--;
-+ this->condvar->signal(this->condvar);
-+ this->lock->unlock(this->lock);
- return reqid;
- }
-
-@@ -495,8 +519,13 @@ METHOD(trap_manager_t, flush, void,
- private_trap_manager_t *this)
- {
- this->lock->write_lock(this->lock);
-+ while (this->installing)
-+ {
-+ this->condvar->wait(this->condvar, this->lock);
-+ }
- this->traps->destroy_function(this->traps, (void*)destroy_entry);
- this->traps = linked_list_create();
-+ this->installing = INSTALL_DISABLED;
- this->lock->unlock(this->lock);
- }
-
-@@ -506,6 +535,7 @@ METHOD(trap_manager_t, destroy, void,
- charon->bus->remove_listener(charon->bus, &this->listener.listener);
- this->traps->destroy_function(this->traps, (void*)destroy_entry);
- this->acquires->destroy_function(this->acquires, (void*)destroy_acquire);
-+ this->condvar->destroy(this->condvar);
- this->mutex->destroy(this->mutex);
- this->lock->destroy(this->lock);
- free(this);
-@@ -539,6 +569,7 @@ trap_manager_t *trap_manager_create(void)
- .acquires = linked_list_create(),
- .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-+ .condvar = rwlock_condvar_create(),
- .ignore_acquire_ts = lib->settings->get_bool(lib->settings,
- "%s.ignore_acquire_ts", FALSE, lib->ns),
- );
---
-2.4.6
-
diff --git a/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
deleted file mode 100644
index 6fa2c339f2..0000000000
--- a/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From f3d39666e0d62fb9a790b72ee7ae2b9255b21cdd Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Tue, 14 Jul 2015 16:35:21 +0200
-Subject: [PATCH] shunt-manager: Add a lock to safely access the list of shunt
- policies
-
----
- src/libcharon/sa/shunt_manager.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
-index 73e1abb..434bace 100644
---- a/src/libcharon/sa/shunt_manager.c
-+++ b/src/libcharon/sa/shunt_manager.c
-@@ -1,4 +1,5 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
- * Copyright (C) 2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
-@@ -20,7 +21,6 @@
- #include
- #include
-
--
- typedef struct private_shunt_manager_t private_shunt_manager_t;
-
- /**
-@@ -37,6 +37,11 @@ struct private_shunt_manager_t {
- * Installed shunts, as child_cfg_t
- */
- linked_list_t *shunts;
-+
-+ /**
-+ * Lock to safely access the list of shunts
-+ */
-+ rwlock_t *lock;
- };
-
- /**
-@@ -120,6 +125,7 @@ METHOD(shunt_manager_t, install, bool,
- bool found = FALSE;
-
- /* check if not already installed */
-+ this->lock->write_lock(this->lock);
- enumerator = this->shunts->create_enumerator(this->shunts);
- while (enumerator->enumerate(enumerator, &child_cfg))
- {
-@@ -130,14 +136,15 @@ METHOD(shunt_manager_t, install, bool,
- }
- }
- enumerator->destroy(enumerator);
--
- if (found)
- {
- DBG1(DBG_CFG, "shunt %N policy '%s' already installed",
- ipsec_mode_names, child->get_mode(child), child->get_name(child));
-+ this->lock->unlock(this->lock);
- return TRUE;
- }
- this->shunts->insert_last(this->shunts, child->get_ref(child));
-+ this->lock->unlock(this->lock);
-
- return install_shunt_policy(child);
- }
-@@ -215,6 +222,7 @@ METHOD(shunt_manager_t, uninstall, bool,
- enumerator_t *enumerator;
- child_cfg_t *child, *found = NULL;
-
-+ this->lock->write_lock(this->lock);
- enumerator = 
this->shunts->create_enumerator(this->shunts);
- while (enumerator->enumerate(enumerator, &child))
- {
-@@ -226,6 +234,7 @@ METHOD(shunt_manager_t, uninstall, bool,
- }
- }
- enumerator->destroy(enumerator);
-+ this->lock->unlock(this->lock);
-
- if (!found)
- {
-@@ -239,7 +248,10 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
- private_shunt_manager_t *this)
- {
-- return this->shunts->create_enumerator(this->shunts);
-+ this->lock->read_lock(this->lock);
-+ return enumerator_create_cleaner(
-+ this->shunts->create_enumerator(this->shunts),
-+ (void*)this->lock->unlock, this->lock);
- }
-
- METHOD(shunt_manager_t, destroy, void,
-@@ -253,6 +265,7 @@ METHOD(shunt_manager_t, destroy, void,
- child->destroy(child);
- }
- this->shunts->destroy(this->shunts);
-+ this->lock->destroy(this->lock);
- free(this);
- }
-
-@@ -271,6 +284,7 @@ shunt_manager_t *shunt_manager_create()
- .destroy = _destroy,
- },
- .shunts = linked_list_create(),
-+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
- );
-
- return &this->public;
---
-2.4.6
-
diff --git a/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch
deleted file mode 100644
index f8af98c62f..0000000000
--- a/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 616ff9a2369fd250a2b9e8d2a00f37e2e8d3a2f3 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Tue, 14 Jul 2015 16:50:32 +0200
-Subject: [PATCH] shunt-manager: Remove stored entries if installation fails
-
----
- src/libcharon/sa/shunt_manager.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
-index 434bace..2e42e7e 100644
---- a/src/libcharon/sa/shunt_manager.c
-+++ b/src/libcharon/sa/shunt_manager.c
-@@ -122,7 +122,7 @@ METHOD(shunt_manager_t, install, bool,
- {
- enumerator_t *enumerator;
- child_cfg_t *child_cfg;
-- bool found = FALSE;
-+ bool found = FALSE, success;
-
- /* check if not already installed */
- this->lock->write_lock(this->lock);
-@@ -146,7 +146,16 @@ METHOD(shunt_manager_t, install, bool,
- this->shunts->insert_last(this->shunts, child->get_ref(child));
- this->lock->unlock(this->lock);
-
-- return install_shunt_policy(child);
-+ success = install_shunt_policy(child);
-+
-+ if (!success)
-+ {
-+ this->lock->write_lock(this->lock);
-+ this->shunts->remove(this->shunts, child, NULL);
-+ this->lock->unlock(this->lock);
-+ child->destroy(child);
-+ }
-+ return success;
- }
-
- /**
---
-2.4.6
-
diff --git a/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
deleted file mode 100644
index 3aa6b561bc..0000000000
--- a/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From bc36530670cbbe2362053f1604f67e481afd336c Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Tue, 14 Jul 2015 16:55:36 +0200
-Subject: [PATCH] shunt-manager: Add flush() method to properly uninstall
- shunts
-
-This will allow us to uninstall shunts before unloading the
-kernel-interface plugins.
----
- src/libcharon/sa/shunt_manager.c | 44 ++++++++++++++++++++++++++++++++++++----
- src/libcharon/sa/shunt_manager.h | 6 ++++++
- 2 files changed, 46 insertions(+), 4 deletions(-)
-
-diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
-index 2e42e7e..1a98443 100644
---- a/src/libcharon/sa/shunt_manager.c
-+++ b/src/libcharon/sa/shunt_manager.c
-@@ -19,8 +19,11 @@
- #include
- #include
- #include
-+#include
- #include
-
-+#define INSTALL_DISABLED ((u_int)~0)
-+
- typedef struct private_shunt_manager_t private_shunt_manager_t;
-
- /**
-@@ -42,6 +45,16 @@ struct private_shunt_manager_t {
- * Lock to safely access the list of shunts
- */
- rwlock_t *lock;
-+
-+ /**
-+ * Number of threads currently installing shunts, or INSTALL_DISABLED
-+ */
-+ u_int installing;
-+
-+ /**
-+ * Condvar to signal shunt installation
-+ */
-+ rwlock_condvar_t *condvar;
- };
-
- /**
-@@ -126,6 +139,11 @@ METHOD(shunt_manager_t, install, bool,
-
- /* check if not already installed */
- this->lock->write_lock(this->lock);
-+ if (this->installing == INSTALL_DISABLED)
-+ { /* flush() has been called */
-+ this->lock->unlock(this->lock);
-+ return FALSE;
-+ }
- enumerator = this->shunts->create_enumerator(this->shunts);
- while (enumerator->enumerate(enumerator, &child_cfg))
- {
-@@ -144,17 +162,20 @@ METHOD(shunt_manager_t, install, bool,
- return TRUE;
- }
- this->shunts->insert_last(this->shunts, child->get_ref(child));
-+ this->installing++;
- this->lock->unlock(this->lock);
-
- success = install_shunt_policy(child);
-
-+ this->lock->write_lock(this->lock);
- if (!success)
- {
-- this->lock->write_lock(this->lock);
- 
this->shunts->remove(this->shunts, child, NULL);
-- this->lock->unlock(this->lock);
- child->destroy(child);
- }
-+ this->installing--;
-+ this->condvar->signal(this->condvar);
-+ this->lock->unlock(this->lock);
- return success;
- }
-
-@@ -263,18 +284,31 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
- (void*)this->lock->unlock, this->lock);
- }
-
--METHOD(shunt_manager_t, destroy, void,
-+METHOD(shunt_manager_t, flush, void,
- private_shunt_manager_t *this)
- {
- child_cfg_t *child;
-
-+ this->lock->write_lock(this->lock);
-+ while (this->installing)
-+ {
-+ this->condvar->wait(this->condvar, this->lock);
-+ }
- while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS)
- {
- uninstall_shunt_policy(child);
- child->destroy(child);
- }
-- this->shunts->destroy(this->shunts);
-+ this->installing = INSTALL_DISABLED;
-+ this->lock->unlock(this->lock);
-+}
-+
-+METHOD(shunt_manager_t, destroy, void,
-+ private_shunt_manager_t *this)
-+{
-+ this->shunts->destroy_offset(this->shunts, offsetof(child_cfg_t, destroy));
- this->lock->destroy(this->lock);
-+ this->condvar->destroy(this->condvar);
- free(this);
- }
-
-@@ -290,10 +324,12 @@ shunt_manager_t *shunt_manager_create()
- .install = _install,
- .uninstall = _uninstall,
- .create_enumerator = _create_enumerator,
-+ .flush = _flush,
- .destroy = _destroy,
- },
- .shunts = linked_list_create(),
- .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
-+ .condvar = rwlock_condvar_create(),
- );
-
- return &this->public;
-diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
-index 28a795d..c43f5db 100644
---- a/src/libcharon/sa/shunt_manager.h
-+++ b/src/libcharon/sa/shunt_manager.h
-@@ -1,4 +1,5 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
- * Copyright (C) 2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
-@@ -56,6 +57,11 @@ struct shunt_manager_t {
- enumerator_t* (*create_enumerator)(shunt_manager_t *this);
-
- /**
-+ * Clear any installed shunt.
-+ */
-+ void (*flush)(shunt_manager_t *this);
-+
-+ /**
- * Destroy a shunt_manager_t.
- */
- void (*destroy)(shunt_manager_t *this);
---
-2.4.6
-
diff --git a/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch
deleted file mode 100644
index 9d3be529b7..0000000000
--- a/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c04345d5edbbc4c37027cdfc21dba85d03e312af Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Tue, 14 Jul 2015 16:56:33 +0200
-Subject: [PATCH] daemon: Flush shunts before unloading plugins
-
----
- src/libcharon/daemon.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
-index b1b8f57..316be76 100644
---- a/src/libcharon/daemon.c
-+++ b/src/libcharon/daemon.c
-@@ -462,6 +462,10 @@ static void destroy(private_daemon_t *this)
- {
- this->public.traps->flush(this->public.traps);
- }
-+ if (this->public.shunts)
-+ {
-+ this->public.shunts->flush(this->public.shunts);
-+ }
- if (this->public.sender)
- {
- this->public.sender->flush(this->public.sender);
---
-2.4.6
-
diff --git a/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
deleted file mode 100644
index 56038b46f1..0000000000
--- a/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 86d20b0b40066590f5e26d1f9aca21cc0cba97e1 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Mon, 15 Jun 2015 11:46:33 +0200
-Subject: [PATCH] ike-rekey: Reset IKE_SA on the bus after destroying new
- IKE_SA
-
-The destroy() method sets the IKE_SA on the bus to NULL, we reset it to
-the current IKE_SA so any events and log messages that follow happen in
-the correct context.
-
-A practical example where this is problematic is a DH group mismatch,
-which causes the first CREATE_CHILD_SA exchange to fail. Because the SA
-was not reset previously, the message() hook for the CREATE_CHILD_SA
-response, for instance, was triggered outside the context of an IKE_SA,
-that is, the ike_sa parameter was NULL, which is definitely not expected
-by several plugins.
-
-Fixes #862.
----
- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 31 +++++++++++++++----------------
- 1 file changed, 15 insertions(+), 16 deletions(-)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-index 1855517..1dfdc05 100644
---- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-@@ -116,7 +116,6 @@ static void establish_new(private_ike_rekey_t *this)
- lib->processor->queue_job(lib->processor, job);
- }
- this->new_sa = NULL;
-- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
- }
-@@ -335,15 +334,13 @@ METHOD(task_t, process_i, status_t,
- {
- charon->ike_sa_manager->checkin(
- charon->ike_sa_manager, this->new_sa);
-- /* set threads active IKE_SA after checkin */
-- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
-+ charon->bus->set_sa(charon->bus, this->ike_sa);
- this->new_sa = NULL;
- establish_new(other);
- return SUCCESS;
- }
- }
-- /* set threads active IKE_SA after checkin */
- charon->bus->set_sa(charon->bus, this->ike_sa);
- }
-
-@@ -372,9 +369,13 @@ METHOD(ike_rekey_t, collide, void,
- this->collision = other;
- }
-
--METHOD(task_t, migrate, void,
-- private_ike_rekey_t *this, ike_sa_t *ike_sa)
-+/**
-+ * Cleanup the task
-+ */
-+static void cleanup(private_ike_rekey_t *this)
- {
-+ ike_sa_t *cur_sa;
-+
- if (this->ike_init)
- {
- this->ike_init->task.destroy(&this->ike_init->task);
-@@ -383,9 +384,16 @@ METHOD(task_t, migrate, void,
- {
- this->ike_delete->task.destroy(&this->ike_delete->task);
- }
-+ cur_sa = charon->bus->get_sa(charon->bus);
- DESTROY_IF(this->new_sa);
-+ charon->bus->set_sa(charon->bus, cur_sa);
- DESTROY_IF(this->collision);
-+}
-
-+METHOD(task_t, migrate, void,
-+ private_ike_rekey_t *this, ike_sa_t *ike_sa)
-+{
-+ cleanup();
- this->collision = NULL;
- this->ike_sa = ike_sa;
- this->new_sa = NULL;
-@@ -396,16 +404,7 @@ METHOD(task_t, migrate, void,
- METHOD(task_t, destroy, void,
- private_ike_rekey_t *this)
- {
-- if (this->ike_init)
-- {
-- this->ike_init->task.destroy(&this->ike_init->task);
-- }
-- if (this->ike_delete)
-- {
-- this->ike_delete->task.destroy(&this->ike_delete->task);
-- }
-- DESTROY_IF(this->new_sa);
-- DESTROY_IF(this->collision);
-+ cleanup();
- free(this);
- }
-
---
-2.4.6
-
diff --git a/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
deleted file mode 100644
index 9aa06d9256..0000000000
--- a/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2efcc9586714fd3ae26fe6ff57ea1b9ee09a58ea Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Mon, 15 Jun 2015 11:52:16 +0200
-Subject: [PATCH] ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA
- response
-
-Even when there is no error the CREATE_CHILD_SA response should be sent
-in the context of the existing IKE_SA.
----
- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-index 1dfdc05..4133c93 100644
---- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-@@ -228,9 +228,10 @@ METHOD(task_t, build_r, status_t,
-
- if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
- {
-+ charon->bus->set_sa(charon->bus, this->ike_sa);
- return SUCCESS;
- }
--
-+ charon->bus->set_sa(charon->bus, this->ike_sa);
- this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
-
- /* rekeying successful, delete the IKE_SA using a subtask */
---
-2.4.6
-
diff --git a/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
deleted file mode 100644
index e17cf30cd9..0000000000
--- a/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 81f1aa8dc375a84d9f0dc3e4027f2aebf6d03b18 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Mon, 27 Jul 2015 15:20:01 +0200
-Subject: [PATCH] ike-rekey: Fix cleanup() call
-
----
- src/libcharon/sa/ikev2/tasks/ike_rekey.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-index 4133c93..eaba04e 100644
---- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
-@@ -394,7 +394,7 @@ static void cleanup(private_ike_rekey_t *this)
- METHOD(task_t, migrate, void,
- private_ike_rekey_t *this, ike_sa_t *ike_sa)
- {
-- cleanup();
-+ cleanup(this);
- this->collision = NULL;
- this->ike_sa = ike_sa;
- this->new_sa = NULL;
-@@ -405,7 +405,7 @@ METHOD(task_t, destroy, void,
- private_ike_rekey_t *this)
- {
-- cleanup();
-+ cleanup(this);
- free(this);
- }
-
---
-2.4.6
-
diff --git a/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
deleted file mode 100644
index 3b773d02aa..0000000000
--- a/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From faebdeac8eafad7b5c2109d5a9ce0af41dbf315c Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Mon, 27 Jul 2015 19:37:41 +0200
-Subject: [PATCH] ike: Fix memory leak if remote address is kept
-
----
- src/libcharon/sa/ike_sa.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
-index 752a756..6ffbd55 100644
---- a/src/libcharon/sa/ike_sa.c
-+++ b/src/libcharon/sa/ike_sa.c
-@@ -1230,6 +1230,10 @@ static void resolve_hosts(private_ike_sa_t *this)
- * address family might have changed */
- set_other_host(this, host);
- }
-+ else
-+ {
-+ host->destroy(host);
-+ }
- }
-
- if (this->local_host)
---
-2.4.6
-
diff --git a/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch b/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch
deleted file mode 100644
index 63f120d284..0000000000
--- a/main/strongswan/0017-kernel-netlink-unlock-mutex-in-del-policy.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 1ce32c9cdcb1cfacd4c8389402a24c4ed7cf0109 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Fri, 31 Jul 2015 11:20:24 +0200
-Subject: [PATCH] kernel-netlink: Unlock mutex in del_policy() if mark can't be
- added to message
-
----
- src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index a6cf977..e0f1dd7 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -2562,6 +2562,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
-
- if (!add_mark(hdr, sizeof(request), mark))
- {
-+ this->mutex->unlock(this->mutex);
- return FAILED;
- }
-
diff --git a/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
deleted file mode 100644
index 945f1da2b0..0000000000
--- a/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From e0e3b6d92b37ba6633a9cd7f0ed2bd3ce56fdcc0 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Thu, 16 Jul 2015 11:43:44 +0200
-Subject: [PATCH] kernel-netlink: Actually verify if the netlink message
- exceeds the buffer size
-
-It might equal it and that's fine. With MSG_TRUNC we get the actual
-message size and can only report an error if we haven't received the
-complete message.
----
- src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-index b0e3103..809d0f4 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-@@ -185,8 +185,8 @@ static ssize_t read_msg(private_netlink_socket_t *this,
- return -1;
- }
- }
-- len = recv(this->socket, buf, buflen, block ? 0 : MSG_DONTWAIT);
-- if (len == buflen)
-+ len = recv(this->socket, buf, buflen, (block ? 0 : MSG_DONTWAIT)|MSG_TRUNC);
-+ if (len > buflen)
- {
- DBG1(DBG_KNL, "netlink response exceeds buffer size");
- return 0;
---
-2.4.6
-
diff --git a/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
deleted file mode 100644
index 410e15b0c4..0000000000
--- a/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 7e40d9705de5e94ff64684573c573deb97950b5e Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Thu, 16 Jul 2015 11:50:22 +0200
-Subject: [PATCH] kernel-netlink: Use the PAGE_SIZE as default for the netlink
- receive buffer
-
-The kernel uses NLMSG_GOODSIZE as default buffer size, which defaults to
-the PAGE_SIZE if it is lower than 8192 or to that value otherwise.
-
-In some cases (e.g. for dump messages) the kernel might use up to 16k
-for messages, which might require increasing this value.
----
- conf/plugins/kernel-netlink.opt | 2 +-
- src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c | 12 +++++++++++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
-index 4338a5f..6adefd8 100644
---- a/conf/plugins/kernel-netlink.opt
-+++ b/conf/plugins/kernel-netlink.opt
-@@ -1,4 +1,4 @@
--charon.plugins.kernel-netlink.buflen = 4096
-+charon.plugins.kernel-netlink.buflen =
- Buffer size for received Netlink messages.
-
- charon.plugins.kernel-netlink.fwmark =
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-index 809d0f4..ddb2254 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-@@ -571,7 +571,7 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
- .protocol = protocol,
- .names = names,
- .buflen = lib->settings->get_int(lib->settings,
-- "%s.plugins.kernel-netlink.buflen", 4096, lib->ns),
-+ "%s.plugins.kernel-netlink.buflen", 0, lib->ns),
- .timeout = lib->settings->get_int(lib->settings,
- "%s.plugins.kernel-netlink.timeout", 0, lib->ns),
- .retries = lib->settings->get_int(lib->settings,
-@@ -582,6 +582,16 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
- .parallel = parallel,
- );
-
-+ if (!this->buflen)
-+ {
-+ long pagesize = sysconf(_SC_PAGESIZE);
-+ if (pagesize == -1)
-+ {
-+ pagesize = 4096;
-+ }
-+ /* base this on NLMSG_GOODSIZE */
-+ this->buflen = min(pagesize, 8192);
-+ }
- if (this->socket == -1)
- {
- DBG1(DBG_KNL, "unable to create netlink socket");
---
-2.4.6
-
diff --git a/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch b/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
deleted file mode 100644
index 134ce64060..0000000000
--- a/main/strongswan/0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From cd83d5c5e51db6c903496369f6edc74901703eb7 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Wed, 3 Jun 2015 17:31:30 +0200
-Subject: [PATCH] kernel-netlink: When adding a policy do an update if it
- already exists
-
-This may be the case when SAs are reestablished after a crash of the
-IKE daemon.
----
- src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index f22e07d..e41c10a 100644
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -2057,6 +2057,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
- ipsec_sa_t *ipsec = mapping->sa;
- struct xfrm_userpolicy_info *policy_info;
- struct nlmsghdr *hdr;
-+ status_t status;
- int i;
-
- /* clone the policy so we are able to check it out again later */
-@@ -2151,7 +2152,14 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
- }
- this->mutex->unlock(this->mutex);
-
-- if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
-+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
-+ if (status == ALREADY_DONE && !update)
-+ {
-+ DBG1(DBG_KNL, "policy already exists, try to update it");
-+ hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
-+ status = this->socket_xfrm->send_ack(this->socket_xfrm, hdr);
-+ }
-+ if (status != SUCCESS)
- {
- return FAILED;
- }
diff --git a/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
deleted file mode 100644
index e7897c17c6..0000000000
--- a/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 36d77e36bb1556bebe0f98c06a757b123caef940 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Fri, 17 Jul 2015 11:48:53 +0200
-Subject: [PATCH] ike: Also track initiating IKE_SAs as half-open
-
----
- src/libcharon/sa/ike_sa_manager.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 987260d..51b7f2c 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void,
- put_half_open(this, entry);
- }
- else if (!entry->half_open &&
-- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
- ike_sa->get_state(ike_sa) == IKE_CONNECTING)
- {
- /* this is a new half-open SA */
---
-2.4.6
-
diff --git a/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
deleted file mode 100644
index fbc54c11c4..0000000000
--- a/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+++ /dev/null
@@ -1,317 +0,0 @@ -From 0d6412ab81fbf0376cc99e9419de417e58dc0e72 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 16 Jul 2015 17:21:54 +0200 -Subject: [PATCH] controller: Optionally adhere to init limits also when - initiating IKE_SAs - ---- - src/charon-cmd/cmd/cmd_connection.c | 2 +- - src/conftest/actions.c | 2 +- - src/libcharon/control/controller.c | 54 ++++++++++++++++++++-- - src/libcharon/control/controller.h | 5 +- - .../plugins/load_tester/load_tester_control.c | 2 +- - .../plugins/load_tester/load_tester_plugin.c | 2 +- - src/libcharon/plugins/medcli/medcli_config.c | 2 +- - src/libcharon/plugins/smp/smp.c | 2 +- - src/libcharon/plugins/stroke/stroke_control.c | 4 +- - src/libcharon/plugins/uci/uci_control.c | 2 +- - src/libcharon/plugins/vici/vici_config.c | 2 +- - src/libcharon/plugins/vici/vici_control.c | 4 +- - .../processing/jobs/initiate_mediation_job.c | 4 +- - src/libcharon/processing/jobs/start_action_job.c | 2 +- - 15 files changed, 71 insertions(+), 20 deletions(-) - -diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c -index 2c0b7b9..0c6a504 100644 ---- a/src/charon-cmd/cmd/cmd_connection.c -+++ b/src/charon-cmd/cmd/cmd_connection.c -@@ -434,7 +434,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this) - child_cfg = create_child_cfg(this, peer_cfg); - - if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- controller_cb_empty, NULL, 0) != SUCCESS) -+ controller_cb_empty, NULL, 0, FALSE) != SUCCESS) - { - terminate(pid); - } -diff --git a/src/conftest/actions.c b/src/conftest/actions.c -index 474672c..256b63d 100644 ---- a/src/conftest/actions.c -+++ b/src/conftest/actions.c -@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config) - { - DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config); - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- NULL, NULL, 0); -+ NULL, NULL, 0, FALSE); - } - else - { -diff --git 
a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c -index fd8349e..097f5ac 100644 ---- a/src/libcharon/control/controller.c -+++ b/src/libcharon/control/controller.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2011-2012 Tobias Brunner -+ * Copyright (C) 2011-2015 Tobias Brunner - * Copyright (C) 2007-2011 Martin Willi - * Copyright (C) 2011 revosec AG - * Hochschule fuer Technik Rapperswil -@@ -116,6 +116,11 @@ struct interface_listener_t { - * spinlock to update the IKE_SA handle properly - */ - spinlock_t *lock; -+ -+ /** -+ * whether to check limits -+ */ -+ bool limits; - }; - - -@@ -358,7 +363,6 @@ METHOD(job_t, initiate_execute, job_requeue_t, - listener->child_cfg->destroy(listener->child_cfg); - peer_cfg->destroy(peer_cfg); - listener->status = FAILED; -- /* release listener */ - listener_done(listener); - return JOB_REQUEUE_NONE; - } -@@ -372,6 +376,49 @@ METHOD(job_t, initiate_execute, job_requeue_t, - } - peer_cfg->destroy(peer_cfg); - -+ if (listener->limits && ike_sa->get_state(ike_sa) == IKE_CREATED) -+ { /* only check if we are not reusing an IKE_SA */ -+ u_int half_open, limit_half_open, limit_job_load; -+ -+ half_open = charon->ike_sa_manager->get_half_open_count( -+ charon->ike_sa_manager, NULL); -+ limit_half_open = lib->settings->get_int(lib->settings, -+ "%s.init_limit_half_open", 0, lib->ns); -+ limit_job_load = lib->settings->get_int(lib->settings, -+ "%s.init_limit_job_load", 0, lib->ns); -+ if (limit_half_open && half_open >= limit_half_open) -+ { -+ DBG1(DBG_IKE, "abort IKE_SA initiation, half open IKE_SA count of " -+ "%d exceeds limit of %d", half_open, limit_half_open); -+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, -+ ike_sa); -+ listener->child_cfg->destroy(listener->child_cfg); -+ listener->status = INVALID_STATE; -+ listener_done(listener); -+ return JOB_REQUEUE_NONE; -+ } -+ if (limit_job_load) -+ { -+ u_int jobs = 0, i; -+ -+ for (i = 0; i < JOB_PRIO_MAX; i++) -+ { -+ jobs += 
lib->processor->get_job_load(lib->processor, i); -+ } -+ if (jobs > limit_job_load) -+ { -+ DBG1(DBG_IKE, "abort IKE_SA initiation, job load of %d exceeds " -+ "limit of %d", jobs, limit_job_load); -+ charon->ike_sa_manager->checkin_and_destroy( -+ charon->ike_sa_manager, ike_sa); -+ listener->child_cfg->destroy(listener->child_cfg); -+ listener->status = INVALID_STATE; -+ listener_done(listener); -+ return JOB_REQUEUE_NONE; -+ } -+ } -+ } -+ - if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS) - { - if (!listener->logger.callback) -@@ -391,7 +438,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, - - METHOD(controller_t, initiate, status_t, - private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, -- controller_cb_t callback, void *param, u_int timeout) -+ controller_cb_t callback, void *param, u_int timeout, bool limits) - { - interface_job_t *job; - status_t status; -@@ -414,6 +461,7 @@ METHOD(controller_t, initiate, status_t, - .child_cfg = child_cfg, - .peer_cfg = peer_cfg, - .lock = spinlock_create(), -+ .limits = limits, - }, - .public = { - .execute = _initiate_execute, -diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h -index 02f4ebb..5ffeac5 100644 ---- a/src/libcharon/control/controller.h -+++ b/src/libcharon/control/controller.h -@@ -82,15 +82,18 @@ struct controller_t { - * @param cb logging callback - * @param param parameter to include in each call of cb - * @param timeout timeout in ms to wait for callbacks, 0 to disable -+ * @param limits whether to check limits regarding IKE_SA initiation - * @return - * - SUCCESS, if CHILD_SA established - * - FAILED, if setup failed - * - NEED_MORE, if callback returned FALSE - * - OUT_OF_RES if timed out -+ * - INVALID_STATE if limits prevented initiation - */ - status_t (*initiate)(controller_t *this, - peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, -- controller_cb_t callback, void *param, u_int timeout); -+ controller_cb_t 
callback, void *param, u_int timeout, -+ bool limits); - - /** - * Terminate an IKE_SA and all of its CHILD_SAs. -diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c -index 5f089f5..24076d4 100644 ---- a/src/libcharon/plugins/load_tester/load_tester_control.c -+++ b/src/libcharon/plugins/load_tester/load_tester_control.c -@@ -239,7 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io) - - switch (charon->controller->initiate(charon->controller, - peer_cfg, child_cfg->get_ref(child_cfg), -- (void*)initiate_cb, listener, 0)) -+ (void*)initiate_cb, listener, 0, FALSE)) - { - case NEED_MORE: - /* Callback returns FALSE once it got track of this IKE_SA. -diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c -index e684f22..c7380b9 100644 ---- a/src/libcharon/plugins/load_tester/load_tester_plugin.c -+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c -@@ -152,7 +152,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this) - - charon->controller->initiate(charon->controller, - peer_cfg, child_cfg->get_ref(child_cfg), -- NULL, NULL, 0); -+ NULL, NULL, 0, FALSE); - if (s) - { - sleep(s); -diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c -index 1fb57b9..25b1383 100644 ---- a/src/libcharon/plugins/medcli/medcli_config.c -+++ b/src/libcharon/plugins/medcli/medcli_config.c -@@ -314,7 +314,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg) - peer_cfg->get_ref(peer_cfg); - enumerator->destroy(enumerator); - charon->controller->initiate(charon->controller, -- peer_cfg, child_cfg, NULL, NULL, 0); -+ peer_cfg, child_cfg, NULL, NULL, 0, FALSE); - } - else - { -diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c -index 04bf382..2aa061f 100644 ---- a/src/libcharon/plugins/smp/smp.c -+++ 
b/src/libcharon/plugins/smp/smp.c -@@ -488,7 +488,7 @@ static void request_control_initiate(xmlTextReaderPtr reader, - { - status = charon->controller->initiate(charon->controller, - peer, child, (controller_cb_t)xml_callback, -- writer, 0); -+ writer, 0, FALSE); - } - else - { -diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c -index 0084fbf..0125d17 100644 ---- a/src/libcharon/plugins/stroke/stroke_control.c -+++ b/src/libcharon/plugins/stroke/stroke_control.c -@@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg - if (msg->output_verbosity < 0) - { - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, -- NULL, NULL, 0); -+ NULL, NULL, 0, FALSE); - } - else - { -@@ -118,7 +118,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg - - status = charon->controller->initiate(charon->controller, - peer_cfg, child_cfg, (controller_cb_t)stroke_log, -- &info, this->timeout); -+ &info, this->timeout, FALSE); - switch (status) - { - case SUCCESS: -diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c -index cebc389..a7d26e6 100644 ---- a/src/libcharon/plugins/uci/uci_control.c -+++ b/src/libcharon/plugins/uci/uci_control.c -@@ -147,7 +147,7 @@ static void initiate(private_uci_control_t *this, char *name) - if (enumerator->enumerate(enumerator, &child_cfg) && - charon->controller->initiate(charon->controller, peer_cfg, - child_cfg->get_ref(child_cfg), -- controller_cb_empty, NULL, 0) == SUCCESS) -+ controller_cb_empty, NULL, 0, FALSE) == SUCCESS) - { - write_fifo(this, "connection '%s' established\n", name); - } -diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index d232599..dfea2ab 100644 ---- a/src/libcharon/plugins/vici/vici_config.c -+++ b/src/libcharon/plugins/vici/vici_config.c -@@ -1558,7 +1558,7 @@ static void 
run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, - DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); - charon->controller->initiate(charon->controller, - peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), -- NULL, NULL, 0); -+ NULL, NULL, 0, FALSE); - break; - case ACTION_ROUTE: - DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg)); -diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index 01d5036..e568239 100644 ---- a/src/libcharon/plugins/vici/vici_control.c -+++ b/src/libcharon/plugins/vici/vici_control.c -@@ -184,8 +184,8 @@ CALLBACK(initiate, vici_message_t*, - { - return send_reply(this, "CHILD_SA config '%s' not found", child); - } -- switch (charon->controller->initiate(charon->controller, -- peer_cfg, child_cfg, (controller_cb_t)log_vici, &log, timeout)) -+ switch (charon->controller->initiate(charon->controller, peer_cfg, -+ child_cfg, (controller_cb_t)log_vici, &log, timeout, FALSE)) - { - case SUCCESS: - return send_reply(this, NULL); -diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c -index 17ab830..5b5fb9d 100644 ---- a/src/libcharon/processing/jobs/initiate_mediation_job.c -+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c -@@ -119,8 +119,8 @@ METHOD(job_t, initiate, job_requeue_t, - /* we need an additional reference because initiate consumes one */ - mediation_cfg->get_ref(mediation_cfg); - -- if (charon->controller->initiate(charon->controller, mediation_cfg, -- NULL, (controller_cb_t)initiate_callback, this, 0) != SUCCESS) -+ if (charon->controller->initiate(charon->controller, mediation_cfg, NULL, -+ (controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS) - { - mediation_cfg->destroy(mediation_cfg); - mediated_cfg->destroy(mediated_cfg); -diff --git a/src/libcharon/processing/jobs/start_action_job.c 
b/src/libcharon/processing/jobs/start_action_job.c -index 981473b..5e88ac2 100644 ---- a/src/libcharon/processing/jobs/start_action_job.c -+++ b/src/libcharon/processing/jobs/start_action_job.c -@@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t, - charon->controller->initiate(charon->controller, - peer_cfg->get_ref(peer_cfg), - child_cfg->get_ref(child_cfg), -- NULL, NULL, 0); -+ NULL, NULL, 0, FALSE); - break; - case ACTION_ROUTE: - DBG1(DBG_JOB, "start action: route '%s'", name); --- -2.4.6 - diff --git a/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch deleted file mode 100644 index d6cc090718..0000000000 --- a/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From f3b6de5afdc48550680c12359154eb18a5812ecb Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 16 Jul 2015 17:51:40 +0200 -Subject: [PATCH] vici: Add get_bool() convenience getter for VICI messages - ---- - src/libcharon/plugins/vici/suites/test_message.c | 31 ++++++++++++++++++ - src/libcharon/plugins/vici/vici_message.c | 40 ++++++++++++++++++++++++ - src/libcharon/plugins/vici/vici_message.h | 23 ++++++++++++++ - 3 files changed, 94 insertions(+) - -diff --git a/src/libcharon/plugins/vici/suites/test_message.c b/src/libcharon/plugins/vici/suites/test_message.c -index e76d273..045e34f 100644 ---- a/src/libcharon/plugins/vici/suites/test_message.c -+++ b/src/libcharon/plugins/vici/suites/test_message.c -@@ -1,4 +1,7 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner -+ * Hochschule fuer Technik Rapperswil -+ * - * Copyright (C) 2014 Martin Willi - * Copyright (C) 2014 revosec AG - * -@@ -355,6 +358,33 @@ START_TEST(test_get_int) - } - END_TEST - -+START_TEST(test_get_bool) -+{ -+ vici_message_t *m; -+ -+ m = build_getter_msg(); -+ -+ ck_assert(m->get_bool(m, TRUE, "key1")); -+ ck_assert(m->get_bool(m, FALSE, "key1")); -+ -+ ck_assert(m->get_bool(m, TRUE, "section1.key2")); -+ ck_assert(m->get_bool(m, TRUE, "section1.section2.key3")); -+ ck_assert(m->get_bool(m, TRUE, "section1.key4")); -+ ck_assert(m->get_bool(m, TRUE, "key5")); -+ ck_assert(m->get_bool(m, TRUE, "nonexistent")); -+ ck_assert(m->get_bool(m, TRUE, "n.o.n.e.x.i.s.t.e.n.t")); -+ -+ ck_assert(!m->get_bool(m, FALSE, "section1.key2")); -+ ck_assert(!m->get_bool(m, FALSE, "section1.section2.key3")); -+ ck_assert(!m->get_bool(m, FALSE, "section1.key4")); -+ ck_assert(!m->get_bool(m, FALSE, "key5")); -+ ck_assert(!m->get_bool(m, FALSE, "nonexistent")); -+ ck_assert(!m->get_bool(m, FALSE, "n.o.n.e.x.i.s.t.e.n.t")); -+ -+ m->destroy(m); -+} -+END_TEST -+ - START_TEST(test_get_value) - { - vici_message_t *m; -@@ -400,6 +430,7 @@ Suite *message_suite_create() - tc = 
tcase_create("convenience getters"); - tcase_add_test(tc, test_get_str); - tcase_add_test(tc, test_get_int); -+ tcase_add_test(tc, test_get_bool); - tcase_add_test(tc, test_get_value); - suite_add_tcase(s, tc); - -diff --git a/src/libcharon/plugins/vici/vici_message.c b/src/libcharon/plugins/vici/vici_message.c -index e79fbc8..fb6e8a1 100644 ---- a/src/libcharon/plugins/vici/vici_message.c -+++ b/src/libcharon/plugins/vici/vici_message.c -@@ -1,4 +1,7 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner -+ * Hochschule fuer Technik Rapperswil -+ * - * Copyright (C) 2014 Martin Willi - * Copyright (C) 2014 revosec AG - * -@@ -385,6 +388,41 @@ METHOD(vici_message_t, get_int, int, - return val; - } - -+METHOD(vici_message_t, vget_bool, bool, -+ private_vici_message_t *this, bool def, char *fmt, va_list args) -+{ -+ chunk_t value; -+ bool found; -+ char buf[16]; -+ -+ found = find_value(this, &value, fmt, args); -+ if (found) -+ { -+ if (value.len == 0) -+ { -+ return def; -+ } -+ if (chunk_printable(value, NULL, 0)) -+ { -+ snprintf(buf, sizeof(buf), "%.*s", (int)value.len, value.ptr); -+ return settings_value_as_bool(buf, def); -+ } -+ } -+ return def; -+} -+ -+METHOD(vici_message_t, get_bool, bool, -+ private_vici_message_t *this, bool def, char *fmt, ...) 
-+{ -+ va_list args; -+ bool val; -+ -+ va_start(args, fmt); -+ val = vget_bool(this, def, fmt, args); -+ va_end(args); -+ return val; -+} -+ - METHOD(vici_message_t, vget_value, chunk_t, - private_vici_message_t *this, chunk_t def, char *fmt, va_list args) - { -@@ -633,6 +671,8 @@ vici_message_t *vici_message_create_from_data(chunk_t data, bool cleanup) - .vget_str = _vget_str, - .get_int = _get_int, - .vget_int = _vget_int, -+ .get_bool = _get_bool, -+ .vget_bool = _vget_bool, - .get_value = _get_value, - .vget_value = _vget_value, - .get_encoding = _get_encoding, -diff --git a/src/libcharon/plugins/vici/vici_message.h b/src/libcharon/plugins/vici/vici_message.h -index 1a89cf8..7f357b8 100644 ---- a/src/libcharon/plugins/vici/vici_message.h -+++ b/src/libcharon/plugins/vici/vici_message.h -@@ -1,4 +1,7 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner -+ * Hochschule fuer Technik Rapperswil -+ * - * Copyright (C) 2014 Martin Willi - * Copyright (C) 2014 revosec AG - * -@@ -138,6 +141,26 @@ struct vici_message_t { - int (*vget_int)(vici_message_t *this, int def, char *fmt, va_list args); - - /** -+ * Get the value of a key/value pair as boolean. -+ * -+ * @param def default value if not found -+ * @param fmt printf style format string for key, with sections -+ * @param ... arguments to fmt string -+ * @return value -+ */ -+ bool (*get_bool)(vici_message_t *this, bool def, char *fmt, ...); -+ -+ /** -+ * Get the value of a key/value pair as boolean, va_list variant -+ * -+ * @param def default value if not found -+ * @param fmt printf style format string for key, with sections -+ * @param args arguments to fmt string -+ * @return value -+ */ -+ bool (*vget_bool)(vici_message_t *this, bool def, char *fmt, va_list args); -+ -+ /** - * Get the raw value of a key/value pair. - * - * @param def default value if not found --- -2.4.6 - 
diff --git a/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch deleted file mode 100644 index f904af30be..0000000000 --- a/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 2d4671feca3d2d17bfa2d846cc170478f18a8fcc Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 16 Jul 2015 17:56:16 +0200 -Subject: [PATCH] vici: Optionally check limits when initiating connections - -If the init-limits parameter is set (disabled by default) init limits -will be checked and might prevent new SAs from getting initiated. ---- - src/libcharon/plugins/vici/README.md | 1 + - src/libcharon/plugins/vici/vici_control.c | 7 ++++++- - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md -index 0ce4271..71356fb 100644 ---- a/src/libcharon/plugins/vici/README.md -+++ b/src/libcharon/plugins/vici/README.md -@@ -259,6 +259,7 @@ Initiates an SA while streaming _control-log_ events. - { - child = - timeout = -+ init-limits = - loglevel = - } => { - success = -diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index e568239..88574f8 100644 ---- a/src/libcharon/plugins/vici/vici_control.c -+++ b/src/libcharon/plugins/vici/vici_control.c -@@ -163,6 +163,7 @@ CALLBACK(initiate, vici_message_t*, - peer_cfg_t *peer_cfg; - char *child; - u_int timeout; -+ bool limits; - log_info_t log = { - .dispatcher = this->dispatcher, - .id = id, -@@ -170,6 +171,7 @@ CALLBACK(initiate, vici_message_t*, - - child = request->get_str(request, NULL, "child"); - timeout = request->get_int(request, 0, "timeout"); -+ limits = request->get_bool(request, FALSE, "init-limits"); - log.level = request->get_int(request, 1, "loglevel"); - - if (!child) -@@ -185,13 +187,16 @@ CALLBACK(initiate, vici_message_t*, - return send_reply(this, "CHILD_SA config '%s' not found", child); - } - switch (charon->controller->initiate(charon->controller, peer_cfg, -- child_cfg, (controller_cb_t)log_vici, &log, timeout, FALSE)) -+ child_cfg, (controller_cb_t)log_vici, &log, timeout, limits)) - { - case SUCCESS: - return send_reply(this, NULL); - case 
OUT_OF_RES: - return send_reply(this, "CHILD_SA '%s' not established after %dms", - child, timeout); -+ case INVALID_STATE: -+ return send_reply(this, "establishing CHILD_SA '%s' not possible " -+ "at the moment due to limits", child); - case FAILED: - default: - return send_reply(this, "establishing CHILD_SA '%s' failed", child); --- -2.4.6 - diff --git a/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch deleted file mode 100644 index 4a837486e7..0000000000 --- a/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 470b58d897338c89c83f416808cf1ccac38fe028 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 17 Jul 2015 14:08:09 +0200 -Subject: [PATCH] ikev1: Assign different job priorities for inbound IKEv1 - messages - ---- - src/libcharon/processing/jobs/process_message_job.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c -index a6795e7..31f048d 100644 ---- a/src/libcharon/processing/jobs/process_message_job.c -+++ b/src/libcharon/processing/jobs/process_message_job.c -@@ -91,16 +91,26 @@ METHOD(job_t, get_priority, job_priority_t, - { - case IKE_AUTH: - /* IKE auth is rather expensive and often blocking, low priority */ -+ case AGGRESSIVE: -+ case ID_PROT: -+ /* AM is basically IKE_SA_INIT/IKE_AUTH combined (without EAP/XAuth) -+ * MM is similar, but stretched out more */ - return JOB_PRIO_LOW; - case INFORMATIONAL: -+ case INFORMATIONAL_V1: - /* INFORMATIONALs are inexpensive, for DPD we should have low - * reaction times */ - return JOB_PRIO_HIGH; - case IKE_SA_INIT: -- case CREATE_CHILD_SA: -- default: - /* IKE_SA_INIT is expensive, but we will drop them in the receiver - * if we are overloaded */ -+ case CREATE_CHILD_SA: -+ case QUICK_MODE: -+ /* these may require DH, but if not they are relatively cheap */ -+ case TRANSACTION: -+ /* these are mostly cheap, however, if XAuth via RADIUS is used -+ * they may block */ -+ default: - return JOB_PRIO_MEDIUM; - } - } --- -2.4.6 - diff --git a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch deleted file mode 100644 index 630151b406..0000000000 --- a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 944e99d57243fb42ccb2be475c8386a0c4c116f4 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 27 Jul 2015 11:18:53 +0200 -Subject: [PATCH] printf-hook-builtin: Fix invalid memory access - -When precision is given for a string, we must not run unbounded -strlen() as it will read beyond the given length. It might even cause -a crash if the given pointer is near end of heap or mapping. - -Fixes numerous valgrind errors such as: - -==19215== Invalid read of size 1 -==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853) -==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084) -==19215== by 0x52CE464: dntoa (identification.c:337) -==19215== by 0x52CE464: identification_printf_hook (identification.c:837) -==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) -==19215== by 0x57040EB: vlog (bus.c:388) -==19215== by 0x570427D: log_ (bus.c:430) -==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) -==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) -==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) -==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) -==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) -==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) -==19215== by 0x52C3125: load_feature (plugin_loader.c:716) -==19215== by 0x52C3125: load_provided (plugin_loader.c:778) -==19215== by 0x52C3A20: load_features (plugin_loader.c:799) -==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) -==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd -==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296) -==19215== by 0x52CD198: chunk_printable (chunk.c:759) -==19215== by 0x52CE442: dntoa (identification.c:334) -==19215== by 0x52CE442: identification_printf_hook (identification.c:837) -==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010) -==19215== by 0x57040EB: vlog (bus.c:388) -==19215== by 0x570427D: log_ 
(bus.c:430) -==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416) -==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537) -==19215== by 0xA846A95: load_certs (stroke_cred.c:1353) -==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475) -==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782) -==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53) -==19215== by 0x52C3125: load_feature (plugin_loader.c:716) -==19215== by 0x52C3125: load_provided (plugin_loader.c:778) -==19215== by 0x52C3A20: load_features (plugin_loader.c:799) -==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159) ---- - src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -index 466c673..af54940 100644 ---- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -@@ -843,7 +843,8 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap) - /* String */ - sarg = va_arg(ap, const char *); - sarg = sarg ? sarg : "(null)"; -- slen = strlen(sarg); -+ slen = prec != -1 ? strnlen(sarg, prec) -+ : strlen(sarg); - goto is_string; - } - case 'm': --- -2.4.6 - diff --git a/main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch b/main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch deleted file mode 100644 index 7f6e176624..0000000000 --- a/main/strongswan/0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 78bab0b68254accb48f08c5110a904a0dedabc60 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Tue, 28 Jul 2015 15:10:17 +0200 -Subject: [PATCH] child-create: Fix crash when retrying CHILD_SA rekeying due - to a DH group mismatch - -If the responder declines our KE payload during a CHILD_SA rekeying migrate() -is called to reuse the child-create task. But the child-rekey task then -calls the same method again. - -Fixes: 32df0d81fb46 ("child-create: Destroy nonceg in migrate()") ---- - src/libcharon/sa/ikev2/tasks/child_create.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c -index e0f930c..ee5086f 100644 ---- a/src/libcharon/sa/ikev2/tasks/child_create.c -+++ b/src/libcharon/sa/ikev2/tasks/child_create.c -@@ -1596,6 +1596,7 @@ METHOD(task_t, migrate, void, - this->tsi = NULL; - this->tsr = NULL; - this->dh = NULL; -+ this->nonceg = NULL; - this->child_sa = NULL; - this->mode = MODE_TUNNEL; - this->ipcomp = IPCOMP_NONE; --- -2.5.0 - diff --git a/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch b/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch deleted file mode 100644 index a1b696a50c..0000000000 --- a/main/strongswan/0601-child-sa-fix-refcounting-of-allocated-reqids.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From ce1f82060c037eebf0da6de164215d9a06b92c5b Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 31 Jul 2015 16:51:35 +0200 -Subject: [PATCH] child-sa: Fix refcounting of allocated reqids - -During a rekeying we want to reuse the current reqid, but if the new SA -does not allocate it via kernel-interface the state there will disappear -when the old SA is destroyed after the rekeying. When the IKE_SA is -later reauthenticated with make-before-break reatuhentication the new -CHILD_SAs there will get new reqids as no existing state is found in the -kernel-interface. - -Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config") ---- - src/libcharon/sa/child_sa.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c -index 94cf07c..73f2ec9 100644 ---- a/src/libcharon/sa/child_sa.c -+++ b/src/libcharon/sa/child_sa.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2006-2011 Tobias Brunner -+ * Copyright (C) 2006-2015 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi - * Copyright (C) 2006 Daniel Roethlisberger - * Copyright (C) 2005 Jan Hutter -@@ -106,6 +106,11 @@ struct private_child_sa_t { - */ - bool reqid_allocated; - -+ /** -+ * Is the reqid statically configured -+ */ -+ bool static_reqid; -+ - /* - * Unique CHILD_SA identifier - */ -@@ -698,7 +703,7 @@ METHOD(child_sa_t, install, status_t, - this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, - &esn, NULL); - -- if (!this->reqid_allocated && !this->reqid) -+ if (!this->reqid_allocated && !this->static_reqid) - { - status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, - my_ts, other_ts, this->mark_in, this->mark_out, -@@ -826,7 +831,7 @@ METHOD(child_sa_t, add_policies, status_t, - traffic_selector_t *my_ts, *other_ts; - status_t status = SUCCESS; - -- if (!this->reqid_allocated && !this->reqid) -+ if (!this->reqid_allocated && 
!this->static_reqid) - { - /* trap policy, get or confirm reqid */ - status = hydra->kernel_interface->alloc_reqid( -@@ -1305,6 +1310,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, - this->reqid = charon->traps->find_reqid(charon->traps, config); - } - } -+ else -+ { -+ this->static_reqid = TRUE; -+ } - - /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ - if (config->get_mode(config) == MODE_TRANSPORT && diff --git a/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch b/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch deleted file mode 100644 index 2c9a1db4fd..0000000000 --- a/main/strongswan/0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 7c7f85a0fd7e6f90c19d797304410da3925a9f96 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 3 Aug 2015 13:55:36 +0200 -Subject: [PATCH] auth-cfg: Similar to certificates matching one CA should be - enough - -Not sure if defining multiple CA constraints and enforcing _all_ of them, -that is, the previous behavior, makes even sense. To ensure a very specific -chain it should be enough to define the last intermediate CA. On the -other hand, the ability to define multiple CAs could simplify configuration. - -This can currently only be used with swanctl/VICI based configs as `rightca` -only takes a single DN. ---- - src/libstrongswan/credentials/auth_cfg.c | 35 ++++++++++++++++++-------------- - 1 file changed, 20 insertions(+), 15 deletions(-) - -diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c -index 0ca45a1..9b57631 100644 ---- a/src/libstrongswan/credentials/auth_cfg.c -+++ b/src/libstrongswan/credentials/auth_cfg.c -@@ -514,9 +514,10 @@ METHOD(auth_cfg_t, complies, bool, - private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error) - { - enumerator_t *e1, *e2; -- bool success = TRUE, group_match = FALSE, cert_match = FALSE; -+ bool success = TRUE, group_match = FALSE; -+ bool ca_match = FALSE, cert_match = FALSE; - identification_t *require_group = NULL; -- certificate_t *require_cert = NULL; -+ certificate_t *require_ca = NULL, *require_cert = NULL; - signature_scheme_t scheme = SIGN_UNKNOWN; - u_int strength = 0; - auth_rule_t t1, t2; -@@ -531,26 +532,21 @@ METHOD(auth_cfg_t, complies, bool, - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - { -- certificate_t *c1, *c2; -+ certificate_t *cert; - -- c1 = (certificate_t*)value; -+ /* for CA certs, a match of a single cert is sufficient */ -+ require_ca = (certificate_t*)value; - -- success = FALSE; - e2 = create_enumerator(this); -- while (e2->enumerate(e2, &t2, &c2)) -+ while (e2->enumerate(e2, &t2, &cert)) - { - if ((t2 == 
AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) && -- c1->equals(c1, c2)) -+ cert->equals(cert, require_ca)) - { -- success = TRUE; -+ ca_match = TRUE; - } - } - e2->destroy(e2); -- if (!success && log_error) -- { -- DBG1(DBG_CFG, "constraint check failed: peer not " -- "authenticated by CA '%Y'.", c1->get_subject(c1)); -- } - break; - } - case AUTH_RULE_SUBJECT_CERT: -@@ -853,13 +849,22 @@ METHOD(auth_cfg_t, complies, bool, - } - return FALSE; - } -- -+ if (require_ca && !ca_match) -+ { -+ if (log_error) -+ { -+ DBG1(DBG_CFG, "constraint check failed: peer not " -+ "authenticated by CA '%Y'", -+ require_ca->get_subject(require_ca)); -+ } -+ return FALSE; -+ } - if (require_cert && !cert_match) - { - if (log_error) - { - DBG1(DBG_CFG, "constraint check failed: peer not " -- "authenticated with peer cert '%Y'.", -+ "authenticated with peer cert '%Y'", - require_cert->get_subject(require_cert)); - } - return FALSE; --- -2.5.0 - diff --git a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch index e246c04294..3f61be6584 100644 --- a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch +++ b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch @@ -1,6 +1,6 @@ -From 82c26f6c6c8dc8de620cdb6b191f04451ddedd11 Mon Sep 17 00:00:00 2001 +From 6bc204df6722a9c3726d95fc3b34353e7ce9bd3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= -Date: Wed, 27 Aug 2014 16:05:21 +0300 +Date: Mon, 21 Sep 2015 13:41:58 +0300 Subject: [PATCH] charon: add optional source and remote overrides for initiate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -26,9 +26,9 @@ 
Signed-off-by: Timo Teräs src/libcharon/processing/jobs/start_action_job.c | 2 +- src/libcharon/sa/ike_sa_manager.c | 51 ++++++++++++++++++- src/libcharon/sa/ike_sa_manager.h | 8 ++- - src/libcharon/sa/trap_manager.c | 3 +- + src/libcharon/sa/trap_manager.c | 46 +++++++---------- src/swanctl/commands/initiate.c | 40 ++++++++++++++- - 13 files changed, 203 insertions(+), 23 deletions(-) + 13 files changed, 220 insertions(+), 49 deletions(-) diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index 0c6a504..dc4eca3 100644 @@ -57,7 +57,7 @@ index fc7e899..4f4461a 100644 { peer_cfg->destroy(peer_cfg); diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c -index 097f5ac..9c3b45b 100644 +index 6dd54b4..d0524a5 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c @@ -15,6 +15,28 @@ @@ -205,10 +205,10 @@ index 0125d17..72c806c 100644 switch (status) { diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index b6950f3..600b83f 100644 +index ea6d295..5537ed9 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c -@@ -1584,7 +1584,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, +@@ -1589,7 +1589,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), @@ -218,7 +218,7 @@ index b6950f3..600b83f 100644 case ACTION_ROUTE: DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg)); diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index 88574f8..55f667b 100644 +index 752007c..174bae4 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c 
@@ -13,6 +13,28 @@ @@ -341,7 +341,7 @@ index 5e88ac2..7043332 100644 case ACTION_ROUTE: DBG1(DBG_JOB, "start action: route '%s'", name); diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 20b6e50..ccce3de 100644 +index 9a613a6..9fa615a 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -16,6 +16,28 @@ @@ -373,7 +373,7 @@ index 20b6e50..ccce3de 100644 #include #include "ike_sa_manager.h" -@@ -1335,7 +1357,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, +@@ -1358,7 +1380,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, } METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, @@ -383,7 +383,7 @@ index 20b6e50..ccce3de 100644 { enumerator_t *enumerator; entry_t *entry; -@@ -1344,7 +1367,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, +@@ -1367,7 +1390,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, ike_cfg_t *current_ike; u_int segment; @@ -402,7 +402,7 @@ index 20b6e50..ccce3de 100644 if (this->reuse_ikesa) { -@@ -1359,6 +1392,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, +@@ -1382,6 +1415,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, { /* skip IKE_SAs which are not usable */ continue; } @@ -419,7 +419,7 @@ index 20b6e50..ccce3de 100644 current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); if (current_peer && current_peer->equals(current_peer, peer_cfg)) { -@@ -1388,6 +1431,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, +@@ -1411,6 +1454,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, return NULL; } ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE); @@ -431,7 +431,7 @@ index 20b6e50..ccce3de 100644 charon->bus->set_sa(charon->bus, ike_sa); return ike_sa; diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h -index f259d8e..5a69083 100644 +index 3ea928e..151ab22 100644 --- a/src/libcharon/sa/ike_sa_manager.h 
+++ b/src/libcharon/sa/ike_sa_manager.h @@ -83,7 +83,8 @@ struct ike_sa_manager_t { @@ -460,16 +460,70 @@ index f259d8e..5a69083 100644 /** * Check for duplicates of the given IKE_SA. diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c -index 424d9e7..62a70f5 100644 +index 63505c9..442919f 100644 --- a/src/libcharon/sa/trap_manager.c 
+++ b/src/libcharon/sa/trap_manager.c
-@@ -421,7 +421,8 @@ METHOD(trap_manager_t, acquire, void,
+@@ -401,7 +401,7 @@ METHOD(trap_manager_t, acquire, void,
+ peer_cfg_t *peer;
+ child_cfg_t *child;
+ ike_sa_t *ike_sa;
+- host_t *host;
++ host_t *host, *my_host = NULL, *other_host = NULL;
+ bool wildcard, ignore = FALSE;
+
+ this->lock->read_lock(this->lock);
+@@ -477,36 +477,28 @@ METHOD(trap_manager_t, acquire, void,
this->lock->unlock(this->lock);
- ike_sa = charon->ike_sa_manager->checkout_by_config(
+ if (wildcard)
+- { /* the peer config would match IKE_SAs with other peers */
+- ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+- peer->get_ike_version(peer), TRUE);
+- if (ike_sa)
+- {
+- ike_cfg_t *ike_cfg;
+- u_int16_t port;
+- u_int8_t mask;
+-
+- ike_sa->set_peer_cfg(ike_sa, peer);
+- ike_cfg = ike_sa->get_ike_cfg(ike_sa);
++ {
++ ike_cfg_t *ike_cfg;
++ u_int16_t port;
++ u_int8_t mask;
+
+- port = ike_cfg->get_other_port(ike_cfg);
+- dst->to_subnet(dst, &host, &mask);
+- host->set_port(host, port);
+- ike_sa->set_other_host(ike_sa, host);
++ ike_sa->set_peer_cfg(ike_sa, peer);
++ ike_cfg = ike_sa->get_ike_cfg(ike_sa);
+
+- port = ike_cfg->get_my_port(ike_cfg);
+- src->to_subnet(src, &host, &mask);
+- host->set_port(host, port);
+- ike_sa->set_my_host(ike_sa, host);
++ port = ike_cfg->get_other_port(ike_cfg);
++ dst->to_subnet(dst, &other_host, &mask);
++ other_host->set_port(other_host, port);
+
+- charon->bus->set_sa(charon->bus, ike_sa);
+- }
+- }
+- else
+- {
+- ike_sa = charon->ike_sa_manager->checkout_by_config(
- charon->ike_sa_manager, peer);
++ port = ike_cfg->get_my_port(ike_cfg);
++ src->to_subnet(src, &my_host, &mask);
++ my_host->set_port(my_host, port);
+ }
++ ike_sa = charon->ike_sa_manager->checkout_by_config(
+ charon->ike_sa_manager, peer,
-+ NULL, NULL);
++ my_host, other_host);
++ DESTROY_IF(my_host);
++ DESTROY_IF(other_host);
++ if (ike_sa)
{
if (ike_sa->get_peer_cfg(ike_sa) == NULL)
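Review bot: In the rebased wildcard branch of trap_manager's acquire(), `ike_sa->set_peer_cfg(ike_sa, peer)` and `ike_cfg = ike_sa->get_ike_cfg(ike_sa)` now run before `ike_sa` has been assigned: the `checkout_new` call that used to initialise it is removed, `checkout_by_config` is only called after the block, and the earlier hunk of the same patch still declares `ike_sa_t *ike_sa;` with no initialiser, so every wildcard acquire dereferences an indeterminate pointer. Only the two ports are needed to build my_host/other_host, so the IKE config can be taken from the peer config and the premature set_peer_cfg dropped: `ike_cfg = peer->get_ike_cfg(peer);`. If checkout_by_config is expected to attach the peer config itself, the `if (ike_sa->get_peer_cfg(ike_sa) == NULL)` check that follows already covers that case. acquire() starts and ends outside this hunk on both sides.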
@@ -553,5 +607,5 @@ index eb7b6ad..706fa57 100644 {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, -- -2.4.6 +2.5.3 diff --git a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch index 7737220643..8caabd063c 100644 --- a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch +++ b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch @@ -1,6 +1,6 @@ -From dde551360cbe9ac09f1cd2d01047131c6332c576 Mon Sep 17 00:00:00 2001 +From 2a175cc40c5754b803ccfe3f641b438f54b569ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= -Date: Thu, 30 Apr 2015 12:08:13 +0300 +Date: Mon, 21 Sep 2015 13:42:05 +0300 Subject: [PATCH] vici: send certificates for ike-sa events MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -8,11 +8,11 @@ Content-Transfer-Encoding: 8bit Signed-off-by: Timo Teräs --- - src/libcharon/plugins/vici/vici_query.c | 42 +++++++++++++++++++++++++++++---- - 1 file changed, 38 insertions(+), 4 deletions(-) + src/libcharon/plugins/vici/vici_query.c | 48 ++++++++++++++++++++++++++++----- + 1 file changed, 41 insertions(+), 7 deletions(-) diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c -index d94d760..3d461f7 100644 +index 98d264f..5245afc 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -225,13 +225,15 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b, 
@@ -83,17 +83,30 @@ index d94d760..3d461f7 100644 b->begin_section(b, "child-sas"); csas = ike_sa->create_child_sa_enumerator(ike_sa); -@@ -1055,7 +1089,7 @@ METHOD(listener_t, ike_updown, bool, +@@ -1063,7 +1097,7 @@ METHOD(listener_t, ike_updown, bool, + } - b = vici_builder_create(); b->begin_section(b, ike_sa->get_name(ike_sa)); - list_ike(this, b, ike_sa, now); + list_ike(this, b, ike_sa, now, up); - b->begin_section(b, "child-sas"); b->end_section(b); - b->end_section(b); -@@ -1081,7 +1115,7 @@ METHOD(listener_t, child_updown, bool, + + this->dispatcher->raise_event(this->dispatcher, +@@ -1088,10 +1122,10 @@ METHOD(listener_t, ike_rekey, bool, b = vici_builder_create(); + b->begin_section(b, old->get_name(old)); + b->begin_section(b, "old"); +- list_ike(this, b, old, now); ++ list_ike(this, b, old, now, TRUE); + b->end_section(b); + b->begin_section(b, "new"); +- list_ike(this, b, new, now); ++ list_ike(this, b, new, now, TRUE); + b->end_section(b); + b->end_section(b); + +@@ -1121,7 +1155,7 @@ METHOD(listener_t, child_updown, bool, + } b->begin_section(b, ike_sa->get_name(ike_sa)); - list_ike(this, b, ike_sa, now); @@ -101,6 +114,15 @@ index d94d760..3d461f7 100644 b->begin_section(b, "child-sas"); b->begin_section(b, child_sa->get_name(child_sa)); +@@ -1153,7 +1187,7 @@ METHOD(listener_t, child_rekey, bool, + b = vici_builder_create(); + + b->begin_section(b, ike_sa->get_name(ike_sa)); +- list_ike(this, b, ike_sa, now); ++ list_ike(this, b, ike_sa, now, TRUE); + b->begin_section(b, "child-sas"); + + b->begin_section(b, old->get_name(old)); -- -2.4.6 +2.5.3 diff --git a/main/strongswan/1003-vici-add-support-for-individual-sa-state-changes.patch b/main/strongswan/1003-vici-add-support-for-individual-sa-state-changes.patch new file mode 100644 index 0000000000..ac739eafae --- /dev/null +++ b/main/strongswan/1003-vici-add-support-for-individual-sa-state-changes.patch 
@@ -0,0 +1,159 @@ +From 6ca8cf5415f8a984d281a1b5115df34c26ef9057 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= +Date: Mon, 21 Sep 2015 13:42:11 +0300 +Subject: [PATCH] vici: add support for individual sa state changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Useful for monitoring and tracking full SA. + +Signed-off-by: Timo Teräs +--- + src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++++++++++ + 1 file changed, 105 insertions(+) + +diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c +index 5245afc..71fbf54 100644 +--- a/src/libcharon/plugins/vici/vici_query.c ++++ b/src/libcharon/plugins/vici/vici_query.c +@@ -1066,8 +1066,16 @@ static void manage_commands(private_vici_query_t *this, bool reg) + this->dispatcher->manage_event(this->dispatcher, "list-cert", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg); ++ this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg); ++ this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg); + this->dispatcher->manage_event(this->dispatcher, "child-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg); ++ this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg); + manage_command(this, "list-sas", list_sas, reg); + manage_command(this, "list-policies", list_policies, reg); + manage_command(this, 
"list-conns", list_conns, reg);
+@@ -1135,6 +1143,45 @@ METHOD(listener_t, ike_rekey, bool,
+ return TRUE;
+ }
+
++METHOD(listener_t, ike_state_change, bool,
++ private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
++{
++ char *event;
++ vici_builder_t *b;
++ time_t now;
++
++ switch (state)
++ {
++ case IKE_ESTABLISHED:
++ event = "ike-state-established";
++ break;
++ case IKE_DESTROYING:
++ event = "ike-state-destroying";
++ break;
++ default:
++ return TRUE;
++ }
++
++ if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
++ {
++ return TRUE;
++ }
++
++ now = time_monotonic(NULL);
++
++ b = vici_builder_create();
++ b->begin_section(b, ike_sa->get_name(ike_sa));
++ list_ike(this, b, ike_sa, now, state != IKE_DESTROYING);
++ b->begin_section(b, "child-sas");
++ b->end_section(b);
++ b->end_section(b);
++
++ this->dispatcher->raise_event(this->dispatcher,
++ event, 0, b->finalize(b));
++
++ return TRUE;
++}
++
+ METHOD(listener_t, child_updown, bool,
+ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
+ {
+@@ -1210,6 +1257,62 @@ METHOD(listener_t, child_rekey, bool,
+ return TRUE;
+ }
+
++METHOD(listener_t, child_state_change, bool,
++ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
++{
++ char *event;
++ vici_builder_t *b;
++ time_t now;
++
++ switch (state)
++ {
++ case CHILD_INSTALLING:
++ event = "child-state-installing";
++ break;
++ case CHILD_INSTALLED:
++ event = "child-state-installed";
++ break;
++ case CHILD_UPDATING:
++ event = "child-state-updating";
++ break;
++ case CHILD_REKEYING:
++ event = "child-state-rekeying";
++ break;
++ case CHILD_REKEYED:
++ event = "child-state-rekeyed";
++ break;
++ case CHILD_DESTROYING:
++ event = "child-state-destroying";
++ break;
++ default:
++ return TRUE;
++ }
++
++ if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
++ {
++ return TRUE;
++ }
++
++ now = time_monotonic(NULL);
++
++ b = 
vici_builder_create();
++ b->begin_section(b, ike_sa->get_name(ike_sa));
++ list_ike(this, b, ike_sa, now, state != CHILD_DESTROYING);
++ b->begin_section(b, "child-sas");
++
++ b->begin_section(b, child_sa->get_name(child_sa));
++ list_child(this, b, child_sa, now);
++ b->end_section(b);
++
++ b->end_section(b);
++ b->end_section(b);
++
++ this->dispatcher->raise_event(this->dispatcher,
++ event, 0, b->finalize(b));
++
++ return TRUE;
++}
++
+ METHOD(vici_query_t, destroy, void,
+ private_vici_query_t *this)
+ {
+@@ -1229,8 +1332,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+ .listener = {
+ .ike_updown = _ike_updown,
+ .ike_rekey = _ike_rekey,
++ .ike_state_change = _ike_state_change,
+ .child_updown = _child_updown,
+ .child_rekey = _child_rekey,
++ .child_state_change = _child_state_change,
+ },
+ .destroy = _destroy,
+ },
+--
+2.5.3
+
diff --git a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
deleted file mode 100644
index c42b40d2d3..0000000000
--- a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+++ /dev/null
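Review bot: In the new child_state_change listener, the fifth argument to list_ike, `state != CHILD_DESTROYING`, derives the IKE_SA listing flag from the CHILD_SA's state, although the IKE_SA itself is not being torn down when one of its CHILD_SAs is destroyed; the ike_rekey and child_rekey callers elsewhere in this series pass `TRUE` for a still-established IKE_SA, so `list_ike(this, b, ike_sa, now, TRUE);` would be the consistent choice — assuming that parameter only controls how much of an established IKE_SA is reported, which this patch does not show. Both new METHODs also lack a header comment; a line such as `/* raise "ike-state-<name>" / "child-state-<name>" events for the tracked transitions, skipping states with no mapped event */` above each would tell a reader of vici_query.c why the switch returns TRUE silently for the other states. The two functions share the same build-and-raise sequence, which could be factored into a small static helper, but that is a style preference rather than a defect.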
@@ -1,229 +0,0 @@ -From 728f1a0afc45264715ee7a77d5ce6614cec42863 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Timo=20Ter=C3=A4s?= -Date: Thu, 30 Apr 2015 10:58:15 +0300 -Subject: [PATCH] vici: add support rekeying events, and individual sa state - changes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Useful for monitoring and tracking full SA. - -Signed-off-by: Timo Teräs ---- - src/libcharon/plugins/vici/vici_query.c | 176 ++++++++++++++++++++++++++++++++ - 1 file changed, 176 insertions(+) - -diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c -index 3d461f7..316c698 100644 ---- a/src/libcharon/plugins/vici/vici_query.c -+++ b/src/libcharon/plugins/vici/vici_query.c -@@ -1065,7 +1065,17 @@ static void manage_commands(private_vici_query_t *this, bool reg) - this->dispatcher->manage_event(this->dispatcher, "list-conn", reg); - this->dispatcher->manage_event(this->dispatcher, "list-cert", reg); - this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg); -+ this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg); -+ this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg); -+ this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg); - this->dispatcher->manage_event(this->dispatcher, "child-updown", reg); -+ this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg); -+ this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg); -+ this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg); -+ this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg); -+ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg); -+ this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg); -+ this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg); - manage_command(this, "list-sas", list_sas, reg); - 
manage_command(this, "list-policies", list_policies, reg); - manage_command(this, "list-conns", list_conns, reg); -@@ -1100,6 +1110,77 @@ METHOD(listener_t, ike_updown, bool, - return TRUE; - } - -+METHOD(listener_t, ike_rekey, bool, -+ private_vici_query_t *this, ike_sa_t *old, ike_sa_t *new) -+{ -+ vici_builder_t *b; -+ time_t now; -+ -+ if (!this->dispatcher->has_event_listeners(this->dispatcher, "ike-rekey")) -+ { -+ return TRUE; -+ } -+ -+ now = time_monotonic(NULL); -+ -+ b = vici_builder_create(); -+ b->begin_section(b, old->get_name(old)); -+ list_ike(this, b, old, now, TRUE); -+ b->begin_section(b, "child-sas"); -+ b->end_section(b); -+ b->end_section(b); -+ -+ b->begin_section(b, new->get_name(new)); -+ list_ike(this, b, new, now, TRUE); -+ b->begin_section(b, "child-sas"); -+ b->end_section(b); -+ b->end_section(b); -+ -+ this->dispatcher->raise_event(this->dispatcher, -+ "ike-rekey", 0, b->finalize(b)); -+ -+ return TRUE; -+} -+ -+METHOD(listener_t, ike_state_change, bool, -+ private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) -+{ -+ char *event; -+ vici_builder_t *b; -+ time_t now; -+ -+ switch (state) -+ { -+ case IKE_ESTABLISHED: -+ event = "ike-state-established"; -+ break; -+ case IKE_DESTROYING: -+ event = "ike-state-destroying"; -+ break; -+ default: -+ return TRUE; -+ } -+ -+ if (!this->dispatcher->has_event_listeners(this->dispatcher, event)) -+ { -+ return TRUE; -+ } -+ -+ now = time_monotonic(NULL); -+ -+ b = vici_builder_create(); -+ b->begin_section(b, ike_sa->get_name(ike_sa)); -+ list_ike(this, b, ike_sa, now, state != IKE_DESTROYING); -+ b->begin_section(b, "child-sas"); -+ b->end_section(b); -+ b->end_section(b); -+ -+ this->dispatcher->raise_event(this->dispatcher, -+ event, 0, b->finalize(b)); -+ -+ return TRUE; -+} -+ - METHOD(listener_t, child_updown, bool, - private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up) - { -@@ -1131,6 +1212,97 @@ METHOD(listener_t, child_updown, bool, - return TRUE; - 
} - -+METHOD(listener_t, child_rekey, bool, -+ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *old, child_sa_t *new) -+{ -+ vici_builder_t *b; -+ time_t now; -+ -+ if (!this->dispatcher->has_event_listeners(this->dispatcher, "child-rekey")) -+ { -+ return TRUE; -+ } -+ -+ now = time_monotonic(NULL); -+ b = vici_builder_create(); -+ -+ b->begin_section(b, ike_sa->get_name(ike_sa)); -+ list_ike(this, b, ike_sa, now, TRUE); -+ b->begin_section(b, "child-sas"); -+ -+ b->begin_section(b, old->get_name(old)); -+ list_child(this, b, old, now); -+ b->end_section(b); -+ -+ b->begin_section(b, new->get_name(new)); -+ list_child(this, b, new, now); -+ b->end_section(b); -+ -+ b->end_section(b); -+ b->end_section(b); -+ -+ this->dispatcher->raise_event(this->dispatcher, -+ "child-rekey", 0, b->finalize(b)); -+ -+ return TRUE; -+} -+ -+METHOD(listener_t, child_state_change, bool, -+ private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state) -+{ -+ char *event; -+ vici_builder_t *b; -+ time_t now; -+ -+ switch (state) -+ { -+ case CHILD_INSTALLING: -+ event = "child-state-installing"; -+ break; -+ case CHILD_INSTALLED: -+ event = "child-state-installed"; -+ break; -+ case CHILD_UPDATING: -+ event = "child-state-updating"; -+ break; -+ case CHILD_REKEYING: -+ event = "child-state-rekeying"; -+ break; -+ case CHILD_REKEYED: -+ event = "child-state-rekeyed"; -+ break; -+ case CHILD_DESTROYING: -+ event = "child-state-destroying"; -+ break; -+ default: -+ return TRUE; -+ } -+ -+ if (!this->dispatcher->has_event_listeners(this->dispatcher, event)) -+ { -+ return TRUE; -+ } -+ -+ now = time_monotonic(NULL); -+ -+ b = vici_builder_create(); -+ b->begin_section(b, ike_sa->get_name(ike_sa)); -+ list_ike(this, b, ike_sa, now, state != CHILD_DESTROYING); -+ b->begin_section(b, "child-sas"); -+ -+ b->begin_section(b, child_sa->get_name(child_sa)); -+ list_child(this, b, child_sa, now); -+ b->end_section(b); -+ -+ b->end_section(b); -+ 
b->end_section(b); -+ -+ this->dispatcher->raise_event(this->dispatcher, -+ event, 0, b->finalize(b)); -+ -+ return TRUE; -+} -+ - METHOD(vici_query_t, destroy, void, - private_vici_query_t *this) - { -@@ -1149,7 +1321,11 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher) - .public = { - .listener = { - .ike_updown = _ike_updown, -+ .ike_rekey = _ike_rekey, -+ .ike_state_change = _ike_state_change, - .child_updown = _child_updown, -+ .child_rekey = _child_rekey, -+ .child_state_change = _child_state_change, - }, - .destroy = _destroy, - }, --- -2.5.0 - diff --git a/main/strongswan/1004-vici-support-asynchronous-initiation.patch b/main/strongswan/1004-vici-support-asynchronous-initiation.patch index dc95bde749..b7d351a735 100644 --- a/main/strongswan/1004-vici-support-asynchronous-initiation.patch +++ b/main/strongswan/1004-vici-support-asynchronous-initiation.patch @@ -1,6 +1,6 @@ -From 21efa8dbe5aab423b452277d6aa70f9c14e2f440 Mon Sep 17 00:00:00 2001 +From 69f5bad1039df91c3d459b5a599b03e8852aca65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= -Date: Thu, 28 May 2015 13:06:51 +0300 +Date: Mon, 21 Sep 2015 13:42:15 +0300 Subject: [PATCH] vici: support asynchronous initiation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -12,7 +12,7 @@ Signed-off-by: Timo Teräs 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index 55f667b..da2b68f 100644 +index 174bae4..5a83cb1 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -187,7 +187,7 @@ CALLBACK(initiate, vici_message_t*, @@ -43,5 +43,5 @@ index 55f667b..da2b68f 100644 case SUCCESS: msg = send_reply(this, NULL); -- -2.4.6 +2.5.3 diff --git a/main/strongswan/2001-support-gre-key-in-ikev1.patch b/main/strongswan/2001-support-gre-key-in-ikev1.patch index 72cdd8b825..9c1d9e0d8d 100644 
--- a/main/strongswan/2001-support-gre-key-in-ikev1.patch +++ b/main/strongswan/2001-support-gre-key-in-ikev1.patch @@ -1,6 +1,6 @@ -From f69e2daf4c4ccc57c14fd73d6b7320c5359758c8 Mon Sep 17 00:00:00 2001 +From 8addb45c033b13f3063ece56823a925c2b8bf9a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= -Date: Mon, 13 Jul 2015 14:03:49 +0300 +Date: Mon, 21 Sep 2015 13:42:18 +0300 Subject: [PATCH] support gre key in ikev1 this implements gre key negotiation in ikev1 similarly to the @@ -205,10 +205,10 @@ index df1d075..7558e91 100644 #endif /** ID_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c -index 55ec7cd..87a1d08 100644 +index f717194..cde175f 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c -@@ -1032,6 +1032,11 @@ static bool parse_protoport(char *token, u_int16_t *from_port, +@@ -1049,6 +1049,11 @@ static bool parse_protoport(char *token, u_int16_t *from_port, *from_port = 0xffff; *to_port = 0; } @@ -234,10 +234,10 @@ index 227d24b..7749d8c 100644 } first = FALSE; diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index 3c4e3ec..9495d4d 100644 +index 5537ed9..70c83d4 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c -@@ -586,8 +586,13 @@ CALLBACK(parse_ts, bool, +@@ -596,8 +596,13 @@ CALLBACK(parse_ts, bool, } else if (*port && !streq(port, "any")) { @@ -254,10 +254,10 @@ index 3c4e3ec..9495d4d 100644 from = to = ntohs(svc->s_port); } diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c -index 96edfd8..c0830dd 100644 +index d6a3f2c..8533112 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c 
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c -@@ -536,9 +536,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message) +@@ -541,9 +541,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message) { id_payload_t *id_payload; @@ -269,7 +269,7 @@ index 96edfd8..c0830dd 100644 message->add_payload(message, &id_payload->payload_interface); } -@@ -549,7 +549,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) +@@ -554,7 +554,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) { traffic_selector_t *tsi = NULL, *tsr = NULL; enumerator_t *enumerator; @@ -278,7 +278,7 @@ index 96edfd8..c0830dd 100644 payload_t *payload; host_t *hsi, *hsr; bool first = TRUE; -@@ -559,20 +559,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) +@@ -564,20 +564,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message) { if (payload->get_type(payload) == PLV1_ID) { @@ -306,10 +306,10 @@ index 96edfd8..c0830dd 100644 /* create host2host selectors if ID payloads missing */ diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c -index f22e07d..e43df3f 100644 +index 605476e..ef94c26 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c -@@ -743,7 +743,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src, +@@ -745,7 +745,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src, ts2subnet(src, &sel.saddr, &sel.prefixlen_s); ts2ports(dst, &sel.dport, &sel.dport_mask); ts2ports(src, &sel.sport, &sel.sport_mask); 
@@ -328,8 +328,8 @@ index f22e07d..e43df3f 100644 + else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) && (sel.dport || sel.sport)) { - /* the ICMP type is encoded in the most significant 8 bits and the ICMP -@@ -767,7 +778,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) + /* the kernel expects the ICMP type and code in the source and +@@ -769,7 +780,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) { u_char *addr; u_int8_t prefixlen; @@ -338,7 +338,7 @@ index f22e07d..e43df3f 100644 host_t *host = NULL; if (src) -@@ -776,7 +787,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) +@@ -778,7 +789,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) prefixlen = sel->prefixlen_s; if (sel->sport_mask) { @@ -347,7 +347,7 @@ index f22e07d..e43df3f 100644 } } else -@@ -785,14 +796,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) +@@ -787,14 +798,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) prefixlen = sel->prefixlen_d; if (sel->dport_mask) { @@ -379,7 +379,7 @@ index f22e07d..e43df3f 100644 } /* The Linux 2.6 kernel does not set the selector's family field, * so as a kludge we additionally test the prefix length. -@@ -809,7 +833,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) +@@ -811,7 +835,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src) if (host) { return traffic_selector_create_from_subnet(host, prefixlen, @@ -389,7 +389,7 @@ index f22e07d..e43df3f 100644 return NULL; } diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c -index 3b7f8c5..c593a3f 100644 +index 6686324..776c765 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c 
@@ -209,6 +209,14 @@ static int print_icmp(printf_hook_data_t *data, u_int16_t port) @@ -503,5 +503,5 @@ index cf9a286..d458c68 100644 * * If protocol is ICMP or ICMPv6 the ports are interpreted as follows: If they -- -2.4.5 +2.5.3 diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD index 97d9ed342b..1c196e24ca 100644 --- a/main/strongswan/APKBUILD +++ b/main/strongswan/APKBUILD @@ -1,9 +1,9 @@ # Contributor: Jesse Young # Maintainer: Natanael Copa pkgname=strongswan -pkgver=5.3.2 +pkgver=5.3.3 _pkgver=${pkgver//_rc/rc} -pkgrel=10 +pkgrel=0 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="http://www.strongswan.org/" arch="all" 
@@ -16,40 +16,10 @@ makedepends="$depends_dev linux-headers python"
 install="$pkgname.pre-install"
 subpackages="$pkgname-doc $pkgname-dbg"
 source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
- 0001-vici-Asynchronize-debug-logging.patch
- 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
- 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
- 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
- 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
- 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
- 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
- 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
- 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
- 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
- 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
- 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
- 0012-daemon-Flush-shunts-before-unloading-plugins.patch
- 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
- 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
- 0015-ike-rekey-Fix-cleanup-call.patch
- 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
- 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
- 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
- 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
- 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
- 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
- 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
- 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
- 0204-vici-Optionally-check-limits-when-initiating-connect.patch
 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
- 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
- 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
- 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
- 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
- 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
 1001-charon-add-optional-source-and-remote-overrides-for-.patch
 1002-vici-send-certificates-for-ike-sa-events.patch
- 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+ 1003-vici-add-support-for-individual-sa-state-changes.patch
 1004-vici-support-asynchronous-initiation.patch
 2001-support-gre-key-in-ikev1.patch
@@ -62,9 +32,18 @@ prepare() {
 cd "$srcdir/$pkgname-$_pkgver"
 for i in $source; do
 case $i in
- *.patch) msg $i; patch -Np1 -i "$srcdir"/$i || return 1;;
+ *.patch) msg $i; patch -Np1 -i "$srcdir"/$i || _err="$_err $i" ;;
 esac
 done
+
+ if [ -n "$_err" ]; then
+ error "The following patches failed:"
+ for i in $_err; do
+ echo " $i"
+ done
+ return 1
+ fi
+
 # the headers they ship conflicts with the real thing.
 rm -r src/include/linux
 }
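Review bot: `_err` is tested by the new `if [ -n "$_err" ]` block in prepare() but is never initialised, so a value inherited from the caller's environment, or left over from an earlier invocation of the function in the same shell, would fail the build with a stale list of "failed" patches; initialise it before the loop with `local _err=` (or at least `_err=`) ahead of `for i in $source; do`. Since patching now continues after the first failure, later entries in the reported list may be knock-on failures against an already partly patched tree, so the error text could say that the first listed patch is the one to fix first. The `prepare()` signature itself is outside the hunk (it appears only in the hunk header).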
@@ -132,120 +111,30 @@ package() {
 install -m755 -D "$srcdir/charon.initd" "$pkgdir/etc/init.d/charon" || return 1
 }
 
-md5sums="fab014be1477ef4ebf9a765e10f8802c strongswan-5.3.2.tar.bz2
-78960bec9b1d3be2db9bfe8d73347ceb 0001-vici-Asynchronize-debug-logging.patch
-f05c992e0c79a254fe8dfe3989d29ae6 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
-5d2720f3b0f9ae4632703c8638e29088 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
-413d0409a1232de61d61e99d7e57c2f5 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
-0660bab646fc9dbf99a5f9485e570b0e 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
-30ac430b88cdfb23546a3ac1a6247d6c 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
-de114c8e0f0fb84aaef46b55b912c7df 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
-a99f6c1cc578b17e9c69378869942ffd 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
-e7e8b6171239f3462f8f6739fcfdc56b 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
-400a514e50a378265a0ec1cff46f1f02 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
-551d01ca98e3e8b6bfea54938c576ec6 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
-b5f4a1a5cd7e5f10e9487a23078bcbab 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
-65341200450445191b67914df2629fe6 0012-daemon-Flush-shunts-before-unloading-plugins.patch
-1ea2d1a97aa37bac24a1ec9b1ce7c985 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
-054b28fd78fccb20b993ec2679f98bc6 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
-6b57da364f1222eb2a8eda8f146c784b 0015-ike-rekey-Fix-cleanup-call.patch
-0941f8e871fff5ab8c984830d23b35a1 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
-be62ce82080a0b7325709d6fbe0b9e46 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
-d97c846c00c60a35925662ba551495df 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-d73abf4c9c3354120152144e7985d428 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-0800173ace99e4f835365350142cf198 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
-c3f86cc9b0866f2e748f40d3058a5b14 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
-55feb2633c42927672113e44465fd824 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
-d57e117d13da147910e2ae09219d2492 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-8e79293070086233035a93322b935048 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+md5sums="5a25f3d1c31a77ef44d14a2e7b3eaad0 strongswan-5.3.3.tar.bz2
 c46165934687326a26ec9153a34e2227 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-9b607cf38cff83547368d82fa34d716f 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
-c7c0338de6dc4993cb8cb71238fd13dc 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
-2d191d850683a6ed34f171ed64b643f0 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
-b361ef4d3ed853620febc2117b4aa6cf 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
-d4f9141b0e63a1af35df04d970e27af7 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
-06607758b690f2db961d84e26ee7d6ea 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-1aae491acf4739d871a64cd4481551f6 1002-vici-send-certificates-for-ike-sa-events.patch
-41a343863ffc1259c8a64771cd85c724 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-ca53b3df714aa588af99d4f720c4318b 1004-vici-support-asynchronous-initiation.patch
-b9f874287c35cce075b761087c28ab50 2001-support-gre-key-in-ikev1.patch
+d75b757fa44738dbdc5bcc8c60c9780d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+4dfadf6fcb74c95c7360e33a416fb0d8 1002-vici-send-certificates-for-ike-sa-events.patch
+ada5c5fda3aa5cd5b797feff3cba4b5d 1003-vici-add-support-for-individual-sa-state-changes.patch
+366d0ee2ed135d9364e6449b56ac596a 1004-vici-support-asynchronous-initiation.patch
+ccb77ee342e1b3108a49262549bbbf36 2001-support-gre-key-in-ikev1.patch
 85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
 7962a720ebef6892d80a3cbdab72c204 charon.initd"
-sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2
-37da81cde0afd5b2d025a62b36020ff4739bccc086bcfd1528e461534b99e1e8 0001-vici-Asynchronize-debug-logging.patch
-ee88c4636efb8e06ff66e50e82b5de5a2f49a2b60042b157b09c110332db1f2c 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
-442b721d4ee156e5bb8167f4f5831abe727d8440b26f0ba91a32f21eade14305 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
-28fb9b57d5c02ae2b10e283f13de4d7257913a44ce68e287f73144d4fe2c0972 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
-e8e967357a6741df02b80fcd75729044179549e24623d483c1f4ee603a83152b 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
-a246364122d40ef70091cdf86ea16413a20f3461e137f8209c58959dfaf09396 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
-79861e897dd8e973d2426f083079adb74cc3c281b1c891eb6fbf7e569f0b74f4 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
-a9f59b91d3ac04fd52684fd4143545452368d65af9f6026020ba95eae114c103 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
-1b463d03b3ce0cf5223bacb08155b69c1c362fa311b1af20cb79b392ac6a233e 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
-3679e3f63a72c1f32b67ab71f60f8922384cbdeb916beca779bc7776db0332fe 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
-cd1d28855c13c9544c6f4caa619a00226d8c84cc75c3e88f962ebea9736619ad 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
-ce95459cea9eaa4d7f1695e10f99ca886d428843ada8134e8f337dce957cdda0 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
-b8b82e4b99c70cd76b09a2c7d6144e1e572bee6b4c821fcf7338d1692e1843cb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
-2c4a898a4b17e196acc44947f4b48688649d29ac15c0d19e14d664bf0d9f0274 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
-a1b61e2aafcd502c8398bfefd556dfb1429d862faecc5d6c0c843e7da215abf3 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
-ef5f7d38483909ae3aff5e474ac6f5f20804645ead6a6108f2534408434023ff 0015-ike-rekey-Fix-cleanup-call.patch
-257931d4443a4ed2284bf8872e73ab1e93c0d69f490e1b9b3bb2b12210cec677 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
-02a230822398be1cf04a362163bee03f4c4edd4eb1b622fba8a93f5dcb2fb06d 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
-130db52dea23eae4081bf25c5ef050f9dfbaa4e7e99dc0a623fdfc991eb4c5c7 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-16a41ef4cf25e3432c8a61aa34ac12d6eccd5796d921c75d72570d4f9fda2717 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-4b9f8d087ef7e6f9c46fa0d5d687dd99fdbfbef1e871ef451a156474282cfefe 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
-ab4042b193a68d3ff771be006fdea81eb786fee7b7c4c8c24aa60ef3372de9c8 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
-f81bb1934c67263e0fcb75ffa449f7d663a17ffacc4d76d233acaed54e13b10d 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
-7aac3748cabf9293701924b6e6a3f0bb74c4d4302a019eb8012af48473f35b67 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-3060dd59d44de1f6e7b82146db4b09c3fd80869c75e9a31823bcbdd9f66ac923 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+sha256sums="39d2e8f572a57a77dda8dd8bdaf2ee47ad3cefeb86bbb840d594aa75f00f33e2 strongswan-5.3.3.tar.bz2
 6ee2826d8f2acf4010886b9990c4fe1f1be99e869144f3dd3705e38184300ca1 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
-74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
-6eec00bdb7778a51d04157ec640394959d599f3b8cef6bad0d875658cace99ea 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
-a558247c9b6eeabfa2a677440a3e25a0841171347484d624c6c4668f9064b67d 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
-b591c93065a018cf79f8f39041a196b2142c5de0bda6b8eed2590be993329266 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
-d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34 1002-vici-send-certificates-for-ike-sa-events.patch
-811a0b67311546ec5371ce4322b1f69886be7754875c2522ebaeff08713bd26e 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1 1004-vici-support-asynchronous-initiation.patch
-ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 2001-support-gre-key-in-ikev1.patch
+47152a8d54c8ae75ea6e1d7c3c7695fb2e6eb48d24e80b13c25589a6570e3977 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+e70a78f8efa29d3a428d6393cd7c59a36acfdf676b51897d14b495c236a1996c 1002-vici-send-certificates-for-ike-sa-events.patch
+f814519a0476477620f06d8bde0fd16f9094ee79807c0cbe4eb6d45034b5ff7d 1003-vici-add-support-for-individual-sa-state-changes.patch
+f4415bd1a68311fca2a4159b74aa7c2577c6500db7f323bfc684a9dfba7c6450 1004-vici-support-asynchronous-initiation.patch
+bbdbc73ba6cafaaab1ea303eec6d026ebb50ecd12b7c32be0b4dfeaf8ae24245 2001-support-gre-key-in-ikev1.patch
 ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
-sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2
-d3135206f61496d0877b22c52c0f4246d17777935a4277bfc6e7ca8b69fb2754a52fed7e8691292df91745c00fa0d597f11cd866bb4ee91453c0e252ba77eef8 0001-vici-Asynchronize-debug-logging.patch
-87ab03664dddf30ed1ae1a1e1fc2a22715a0e74b220f316937cf0f86a5b9c38262fd8a9ad62aa1866405d0bf552d33a62621c8b91634e6bd3c7967b6e7955894 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
-8f16ab691c7e778894f0fc8889ac9be8813da27e09fb304443e9053f2ed384ccd3976d7956f762136c94c870dabe808d3f97116f4573bb0df74299f1da34d643 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
-dbb5454e32cea4e671fdb109e2252536d2f8ee97097a45ad280010de7d6b7fedeb40c0418ae2af45a4393b98ac6badd9072846259be6ca823f056919fcd3b985 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
-73dcb7874aadcf641051cef91d83158fa8a1c664c094d131fcd5ad9d1c5d00abec5a75dd92780fabf2c0690079aad73275af885a83c8791c62025593fa7af61c 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
-8e3636933b7ee3eddb28b9797e3da21c494e470067bc6996509bd28a9894e037fa7575d68fb717247762dc468543b67d965745370cb1335b1f9fbc6bdf260f6e 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
-e970869f5552557d18133bb279b98a81b7d12a6656bddccfcfbdb2b2dc80ad90cc4d1d63135b3682ccb26c83408790c792de9d64056a97c1b7df16f0b159d179 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
-65a20b7d059770786c5912811db8692ab9c03a3527f83d0d23e14db4da8c64c3ed43de7a04ba1cf2a794551471ee9456e70f723b0bb4599792a668edea1f6e77 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
-e5bd98af84b248642fb6206497c7d2fca7e42362632171e271a8a715179d10f3590eb25a7b38c9fbc058c82d657668c01e9b98d8ef1f422d0887e710342eff36 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
-c4a30bbff90c2ef59e9bebb64d336bddde811f0ffba3dcef423dc71a17e98be26192f8aa8654702e9a2cdc9dbfc8ec960fbf1a126c411efef6f95dc1a19c518e 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
-6e11b006b4fd0c6d000ff301ce18170bf9540f567ada2eb23f0f1c705be8d0f9299364313249cef5528858e75c10ba9d65315c941b49cb12ae07808d3b6e1faa 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
-2a5503558dcfe654335d9b6b7056e9888b2304389bb76369b8222d54add6c8a9895ab175701eeb636c42f0df53d1078fdae7a9f11167fc2beadad82de68b0e4c 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
-4e3ac34b2ecca6c1eefd9354a96a1a1fe7499571d2c5756c1cc889c23e125073517c6af57047de5b96bbc6acf9c6bb8c677df4206633f67551336fa8e62c77fb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
-f643be8dbc32c27f2c31ac91612ae7d2f1a34e9387257d1247cd8c7fb8e5b9c58fc0b8448dd692723a6f7f2ac4d4629ffa2c440c40f5f1bfb550f1cc526b3916 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
-bd161f1d4fa2881c8c07c2b7bccc0b9f06a99b12203d00329c8295f8a5ebe49f6cf27eca286ddd3c9e443fe132c64cae6849d691ddeda49b5fe716aebc73441e 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
-3f8c5ed171eb7c99218005b038ff0e0bc23841aab76cb97fbb7b8a3091b9f5ba318bd23c347de42bd969ac599f3d5f1b6bcf5110d5e23643858b24a719374f50 0015-ike-rekey-Fix-cleanup-call.patch
-bdc74e2b6f91e94aa0041927ff5cf3f2f5d67d5d37a0c389a2b6328919bd9f2f0376957676fd359009117a1d01cd06ecfadb7151bd7875c1df5cb82e159a378a 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
-459bfd98c7cbb54bb6b7e95403eb1d62e290ce8ca04f164a49bac8684f8c1c9d4ab88a051e7a0a88fba1b3a5a030cba1aa5b4960a71c1726dbbc512be401cd40 0017-kernel-netlink-unlock-mutex-in-del-policy.patch
-2d667eeba6d567008d8fe27d4dafa9a913c7aafa096258d7b5c95e2d8428e9dc8a40ace9e729a3d323e8d639d2ae3dae945904f90a39076c5ca5ddba7d70a0b6 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-539bfec16350c035f7ce2f3551b52ba2e22c75146a6c1494f4b25ec283f2245b7a03be9470c0e0cd3e6fc368bcf1bda60ce8166928737ab396e6cf88ffafaf79 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-a3488021316606e1fdaadfacc86ec8e9bcb741d3ac063498a64594214d97e0193270101388f61e118ec29ccfb8c6314a9fa6f3f8832a4cd8fe6b3f3445529b00 0103-kernel-netlink-when-adding-policy-do-an-update-if-it.patch
-b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88ab1635ba30f9ff0ca9945aa264b3213561548648d64eb25ae 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
-9a2cb61c55a03977fc4bce42fdf043706498c86d69ea094852735b2ef525fbc0f81bad33aad7afc29ef301f3e2146746b56f458980529057e05007e0bab7b972 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
-95e3544a87bf503ed17059298ec6330501f39a2210e583fed59c5d03ef25b8d8227317016bf0181e49c87a7e36e1d902b0b24bda184d2166f3ad5b79166ce0dd 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-055b7769b0f587a77585ccf8e44c30fdf0981a1418f8e426eb696cfde671ac0013b355fdfb9e73ed3605c97a3a8c5f8ac38a2a0a137a5b87f9d6491752254543 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+sha512sums="469b32635bb4c60af1fa5ee535bea5abcd91081c7d482baa861e3951e4aab00783620698b5eade82d9a77aea4ab60d2a00fbf7e9e8760feeffb67c517756169f strongswan-5.3.3.tar.bz2
 6b01e9810566e4f928fa72f01b5fa6cdbddaf1045433cb5b73b5a3d1cd73260ff195709e4d46384c2aa6540e4e62ad9021d9cad19b2061bc0153581e74cf2d0e 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-8788fb376eaf57d9f277cac785db08578de3992e2484e7ab21ec044bc91000565ecb2adae4d2632f43ca6ed76519fd4422d86a3ba07a499594fbd7a61298458c 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
-86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
-f0dfb8aee6fd456d5d330d9a1212842ecd7f88b9b76bb1667dacdbbb2c38369fa089df6ce13c6363735012f653df91b4bbb082a970a11ec63e6a2d14ca2b0ec2 0501-child-create-Fix-crash-when-retrying-CHILD_SA-rekeyi.patch
-dad393b5d8b5152d7544a42818c446098b748cf4114b544d0bcf6a039c5f9f266ac850f6725b58d653186dcd23cae8a9db627f245412ad1cd3b5a4ccadc90825 0601-child-sa-fix-refcounting-of-allocated-reqids.patch
-bc31b3fa089e594e7989e6cb095eb144cfdad55f991729235fda98e010bf715f5efb4b65f2ef2fd12bbc2d5c48e40f6010554bff43b30c7978402247114263e0 0701-auth-cfg-Similar-to-certificates-matching-one-CA-sho.patch
-2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881 1002-vici-send-certificates-for-ike-sa-events.patch
-98b46369adcbe86635a83779ed54b192c67ef34310a42f0c131f3ce50f2d46e3135caefeece6993a9ac92abba1a38854b128f4687dec0eb30b108788386688ea 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6 1004-vici-support-asynchronous-initiation.patch
-723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 2001-support-gre-key-in-ikev1.patch
+0daa63c1da1d84a02b6f675b2ba246c30de537a2494e43bceb13eb201ca9c90644493cf5b85d522b4ccdb57928978fb65b4d44a43ecd2648376c8fdc1cd8bc2d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+3cf83b588e4bc1ae20956f940f5f92357cbcc0bdcf7bf1b5984b64e09ae16b4871e836a1503fee8f6f55a4dbd0a47f39c75b3d4ed5fd52b71dd41bea15964d28 1002-vici-send-certificates-for-ike-sa-events.patch
+00dbbd8ea9a434de13f1bb74b7cd2d64a97fbefa7ff943ba138282d02d3860e1363ca4fded0d24c215dc5678f13af16242b61ed192d3b7935e2d747f9aafdf61 1003-vici-add-support-for-individual-sa-state-changes.patch
+fbfb4a2740d98d633a6ba946eb1a6b3ecc1dd924989bb94f23b34e5525471b11f735c82f0e8ce56441f836866d6e86c2c34f9bfe83689cd34f814dab6641c107 1004-vici-support-asynchronous-initiation.patch
+0e554a6117f51a564a1b269c9ed2f2858d22ef61df483e2eb09997a3075444deb10df9d0cc8b9ddbe2bb2f740640860c21b1492a9ec28657844fa9c41b822bfc 2001-support-gre-key-in-ikev1.patch
 b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"
-- cgit v1.2.3