author | Timo Teräs <timo.teras@iki.fi> | 2015-07-28 11:33:38 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2015-07-28 11:35:47 +0300 |
commit | fc1ceeb02b3e149645205e67bcc009e742140590 (patch) | |
tree | b559837b40485a7c0f77ce6459c03f131191283d /main/strongswan | |
parent | c3aa1460dbeb4e1e10972fc00314d7a80413707e (diff) | |
download | aports-fc1ceeb02b3e149645205e67bcc009e742140590.tar.bz2 aports-fc1ceeb02b3e149645205e67bcc009e742140590.tar.xz |
main/strongswan: cherry-pick upstream fixes
also fixes a minor memory leak in patch 1001 (the offending hunk is
now just deleted, as other upstream commits fixed the issue it tried
to address)
Diffstat (limited to 'main/strongswan')
33 files changed, 1872 insertions, 193 deletions
diff --git a/main/strongswan/0001-vici-Asynchronize-debug-logging.patch b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
new file mode 100644
index 000000000..c756f9d3e
--- /dev/null
+++ b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
@@ -0,0 +1,169 @@ +From 856ea64129cdc7ee56969524d7abaaae08c22c6a Mon Sep 17 00:00:00 2001 +From: Martin Willi <martin@revosec.ch> +Date: Thu, 2 Jul 2015 09:10:21 +0200 +Subject: [PATCH] vici: Asynchronize debug logging + +The vici logger uses the listener_t.log() callback to raise vici events. + +When doing so, it holds the bus lock as reader while acquiring the vici socket +mutex (1). If at the same time the vici socket enables a writer, that thread +tries to lock the watcher mutex (2). The watcher thread uses debugging while +holding the lock, i.e. acquires the bus read lock (3). + +(1) bus.rlock -> vici.lock! +(2) vici.lock -> watcher.lock! +(3) watcher.lock -> bus.rlock! + +This all actually would resolve just fine, as we have a shared read lock on the +bus. However, under Windows we seem to have a strict writer preference when +acquiring the rwlock (4). This results in blocking read locks until any pending +write lock can be fulfilled, and makes the constellation deadlock. The relevant +threads are: + +Thread (1) +6 0x71313d25 in wait_ at threading/windows/mutex.c:137 +7 0x7054c8a2 in find_entry at vici_socket.c:201 +8 0x7054d690 in send_ at vici_socket.c:624 +9 0x7054f6c1 in send_op at vici_dispatcher.c:119 +10 0x705502c1 in raise_event at vici_dispatcher.c:469 +12 0x704c3878 in log_cb at bus/bus.c:332 +13 0x712c7c3a in invoke_function at collections/linked_list.c:414 +14 0x704c3a63 in vlog at bus/bus.c:400 +15 0x704c3b36 in log_ at bus/bus.c:430 +18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664 +20 0x704f5430 in process_message at sa/ike_sa.c:1369 +21 0x704e3823 in execute at processing/jobs/process_message_job.c:74 +22 0x712e629f in process_job at processing/processor.c:235 + +Thread (2) +4 0x71313b61 in lock at threading/windows/mutex.c:66 +5 0x712e81fd in add at processing/watcher.c:441 +6 0x712e1ab9 in add_watcher at networking/streams/stream.c:213 +7 0x712e1b4d in on_write at networking/streams/stream.c:237 +8 0x7054d606 in 
_cb_enable_writer at vici_socket.c:609 +9 0x712e5e34 in execute at processing/jobs/callback_job.c:77 +10 0x712e629f in process_job at processing/processor.c:235 + +Thread (3) +3 0x71313f38 in read_lock at threading/windows/rwlock.c:74 +4 0x704c3971 in vlog at bus/bus.c:373 +5 0x704cc156 in dbg_bus at daemon.c:126 +6 0x712e7bf9 in watch at processing/watcher.c:316 +7 0x712e5e34 in execute at processing/jobs/callback_job.c:77 +8 0x712e629f in process_job at processing/processor.c:235 + +Thread (4) +3 0x71313f70 in write_lock at threading/windows/rwlock.c:82 +4 0x704c378b in remove_logger at bus/bus.c:290 +5 0x704cb284 in listener_unregister at control/controller.c:166 +6 0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558 +8 0x704cb94e in initiate at control/controller.c:435 +9 0x70553996 in _cb_initiate at vici_control.c:187 +12 0x7054d200 in _cb_process_queue at vici_socket.c:508 +13 0x712e5e34 in execute at processing/jobs/callback_job.c:77 +14 0x712e629f in process_job at processing/processor.c:235 + +To avoid such a situation, we dissolve the (1) lock sequence. It's actually +never good practice to acquire shared locks during bus hooks, as it is +problematic if we raise bus events while holding the lock. We do so by +raising vici events for log message asynchronously, but of curse must keep +log order as is using a synchronized queue. 
+--- + src/libcharon/plugins/vici/vici_logger.c | 48 +++++++++++++++++++++++++++++++- + 1 file changed, 47 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c +index cffd65b..6d3584e 100644 +--- a/src/libcharon/plugins/vici/vici_logger.c ++++ b/src/libcharon/plugins/vici/vici_logger.c +@@ -18,6 +18,7 @@ + + #include <daemon.h> + #include <threading/mutex.h> ++#include <processing/jobs/callback_job.h> + + typedef struct private_vici_logger_t private_vici_logger_t; + +@@ -42,11 +43,54 @@ struct private_vici_logger_t { + int recursive; + + /** ++ * List of messages to raise async events ++ */ ++ linked_list_t *queue; ++ ++ /** + * Mutex to synchronize logging + */ + mutex_t *mutex; + }; + ++/** ++ * Async callback to raise events for queued messages ++ */ ++static job_requeue_t raise_events(private_vici_logger_t *this) ++{ ++ vici_message_t *message; ++ u_int count; ++ ++ this->mutex->lock(this->mutex); ++ count = this->queue->get_count(this->queue); ++ this->queue->remove_first(this->queue, (void**)&message); ++ this->mutex->unlock(this->mutex); ++ ++ if (count > 0) ++ { ++ this->dispatcher->raise_event(this->dispatcher, "log", 0, message); ++ } ++ if (count > 1) ++ { ++ return JOB_REQUEUE_DIRECT; ++ } ++ return JOB_REQUEUE_NONE; ++} ++ ++/** ++ * Queue a message for async processing ++ */ ++static void queue_messsage(private_vici_logger_t *this, vici_message_t *message) ++{ ++ this->queue->insert_last(this->queue, message); ++ if (this->queue->get_count(this->queue) == 1) ++ { ++ lib->processor->queue_job(lib->processor, (job_t*) ++ callback_job_create((callback_job_cb_t)raise_events, ++ this, NULL, NULL)); ++ } ++} ++ + METHOD(logger_t, log_, void, + private_vici_logger_t *this, debug_t group, level_t level, int thread, + ike_sa_t* ike_sa, const char *msg) +@@ -75,7 +119,7 @@ METHOD(logger_t, log_, void, + message = builder->finalize(builder); + if (message) + { +- 
this->dispatcher->raise_event(this->dispatcher, "log", 0, message); ++ queue_messsage(this, message); + } + } + this->recursive--; +@@ -101,6 +145,7 @@ METHOD(vici_logger_t, destroy, void, + private_vici_logger_t *this) + { + manage_commands(this, FALSE); ++ this->queue->destroy_offset(this->queue, offsetof(vici_message_t, destroy)); + this->mutex->destroy(this->mutex); + free(this); + } +@@ -121,6 +166,7 @@ vici_logger_t *vici_logger_create(vici_dispatcher_t *dispatcher) + .destroy = _destroy, + }, + .dispatcher = dispatcher, ++ .queue = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + ); + +-- +2.4.6 + diff --git a/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch new file mode 100644 index 000000000..ff79e322e --- /dev/null +++ b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch 
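Review bot: `queue_messsage()` appends to `this->queue` and reads its count without taking `this->mutex`, while `raise_events()` does lock it; this is only race-free if `log_()` already holds the mutex when it calls the helper, which the hunk does not show (the body of `log_` is cut by the hunk). A one-line precondition comment, `/* requires this->mutex to be held by the caller (log_) */`, would pin that down, and the helper's name carries a typo (`queue_messsage` should be `queue_message`). `destroy()` also assumes no `raise_events` callback job is still pending, since the job captures `this`; presumably the processor is drained before plugins are unloaded, but a comment stating that dependency would make it explicit.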
@@ -0,0 +1,67 @@ +From 65579569adfa0e2c9602ee250f4554169ba5a87d Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 11 Jun 2015 15:07:07 +0200 +Subject: [PATCH] host: Properly handle NULL in + host_create_from_string[_and_family] + +--- + src/libstrongswan/networking/host.c | 4 ++++ + src/libstrongswan/tests/suites/test_host.c | 6 ++++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c +index 07da3ef..2e464b0 100644 +--- a/src/libstrongswan/networking/host.c ++++ b/src/libstrongswan/networking/host.c +@@ -354,6 +354,10 @@ host_t *host_create_from_string_and_family(char *string, int family, + struct sockaddr_in6 v6; + } addr; + ++ if (!string) ++ { ++ return NULL; ++ } + if (streq(string, "%any")) + { + return host_create_any_port(family ? family : AF_INET, port); +diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c +index 7161b2c..5cb8013 100644 +--- a/src/libstrongswan/tests/suites/test_host.c ++++ b/src/libstrongswan/tests/suites/test_host.c +@@ -104,6 +104,9 @@ START_TEST(test_create_from_string_v4) + { + host_t *host; + ++ host = host_create_from_string(NULL, 500); ++ ck_assert(!host); ++ + host = host_create_from_string("%any", 500); + verify_any(host, AF_INET, 500); + host->destroy(host); +@@ -196,6 +199,7 @@ static void test_create_from_string_and_family_addr(char *string, chunk_t addr, + + START_TEST(test_create_from_string_and_family_v4) + { ++ test_create_from_string_and_family_any(NULL, AF_INET, AF_UNSPEC); + test_create_from_string_and_family_any("%any", AF_INET, AF_INET); + test_create_from_string_and_family_any("%any4", AF_INET, AF_INET); + test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET); +@@ -210,6 +214,7 @@ END_TEST + + START_TEST(test_create_from_string_and_family_v6) + { ++ test_create_from_string_and_family_any(NULL, AF_INET6, AF_UNSPEC); + 
test_create_from_string_and_family_any("%any", AF_INET6, AF_INET6); + test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6); + test_create_from_string_and_family_any("::", AF_INET6, AF_INET6); +@@ -224,6 +229,7 @@ END_TEST + + START_TEST(test_create_from_string_and_family_other) + { ++ test_create_from_string_and_family_any(NULL, AF_UNSPEC, AF_UNSPEC); + test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET); + test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET); + test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET); +-- +2.4.6 + diff --git a/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch new file mode 100644 index 000000000..c17141460 --- /dev/null +++ b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch 
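Review bot: The inner patch changes the contract of `host_create_from_string_and_family()` (and, through it, the `host_create_from_string` wrapper) to accept `NULL`, but its diffstat touches only `host.c` and the test suite, so the declaration in `host.h` is not updated. The header comment for both functions should state that a `NULL` string is accepted and yields `NULL`, otherwise callers cannot tell whether their own guards are still needed. A caller passing an unset configuration string now silently gets "no host" instead of crashing; that is presumably intended, and the doc should say so.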
@@ -0,0 +1,91 @@ +From 390ae7a2c2f899122e722241cb261f53dfc81b9a Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Wed, 8 Jul 2015 15:28:46 +0200 +Subject: [PATCH] ike-sa-manager: Safely access the RNG instance with an rwlock + +Threads might still be allocating SPIs (e.g. triggered by an acquire or +an inbound message) while the main thread calls flush(). If there is a +context switch right after such a thread successfully checked this->rng +in get_spi() and the main thread destroys the RNG instance right then, +that worker thread will cause a segmentation fault when it continues and +attempts to call get_bytes(). + +Fixes #1014. +--- + src/libcharon/sa/ike_sa_manager.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c +index 938f784..987260d 100644 +--- a/src/libcharon/sa/ike_sa_manager.c ++++ b/src/libcharon/sa/ike_sa_manager.c +@@ -1,7 +1,7 @@ + /* + * Copyright (C) 2005-2011 Martin Willi + * Copyright (C) 2011 revosec AG +- * Copyright (C) 2008-2012 Tobias Brunner ++ * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * +@@ -384,6 +384,11 @@ struct private_ike_sa_manager_t { + rng_t *rng; + + /** ++ * Lock to access the RNG instance ++ */ ++ rwlock_t *rng_lock; ++ ++ /** + * reuse existing IKE_SAs in checkout_by_config + */ + bool reuse_ikesa; +@@ -943,12 +948,14 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) + { + u_int64_t spi; + +- if (this->rng && +- this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) ++ this->rng_lock->read_lock(this->rng_lock); ++ if (!this->rng || ++ !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + { +- return spi; ++ spi = 0; + } +- return 0; ++ this->rng_lock->unlock(this->rng_lock); ++ return spi; + } + + /** +@@ -2055,8 +2062,10 @@ METHOD(ike_sa_manager_t, flush, void, + 
charon->bus->set_sa(charon->bus, NULL); + unlock_all_segments(this); + ++ this->rng_lock->write_lock(this->rng_lock); + this->rng->destroy(this->rng); + this->rng = NULL; ++ this->rng_lock->unlock(this->rng_lock); + } + + METHOD(ike_sa_manager_t, destroy, void, +@@ -2081,6 +2090,7 @@ METHOD(ike_sa_manager_t, destroy, void, + free(this->connected_peers_segments); + free(this->init_hashes_segments); + ++ this->rng_lock->destroy(this->rng_lock); + free(this); + } + +@@ -2138,6 +2148,7 @@ ike_sa_manager_t *ike_sa_manager_create() + free(this); + return NULL; + } ++ this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + + this->ikesa_limit = lib->settings->get_int(lib->settings, + "%s.ikesa_limit", 0, lib->ns); +-- +2.4.6 + diff --git a/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch new file mode 100644 index 000000000..0cf63a3f7 --- /dev/null +++ b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch 
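Review bot: `flush()` now destroys the RNG under the write lock but still dereferences `this->rng` unconditionally, so a second `flush()` (or a flush after the instance was already cleared) would dereference NULL; `if (this->rng) { this->rng->destroy(this->rng); this->rng = NULL; }` keeps the teardown idempotent at no cost. The new `rng_lock` field comment only says "Lock to access the RNG instance"; stating that `get_spi()` takes it as reader and only `flush()` as writer documents the intended lock discipline for the next change. Presumably `flush()` is called once at shutdown, so the first point is defensive rather than a live crash.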
@@ -0,0 +1,106 @@ +From 6bfa66069304c1fc1345b4e72762a3b1a80e4338 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 11 Jun 2015 15:42:54 +0200 +Subject: [PATCH] ike-cfg: Add helper function to determine address family of + IP addresses + +All configured static addresses (hostnames, ranges or subnets are not +considered) must be of the same family, otherwise AF_UNSPEC is returned. +--- + src/libcharon/config/ike_cfg.c | 47 ++++++++++++++++++++++++++++++++++++++++++ + src/libcharon/config/ike_cfg.h | 13 +++++++++++- + 2 files changed, 59 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c +index 9464ceb..dee9e4c 100644 +--- a/src/libcharon/config/ike_cfg.c ++++ b/src/libcharon/config/ike_cfg.c +@@ -1,4 +1,5 @@ + /* ++ * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil +@@ -513,6 +514,52 @@ static void parse_addresses(char *str, linked_list_t *hosts, + /** + * Described in header. 
+ */ ++int ike_cfg_get_family(ike_cfg_t *cfg, bool local) ++{ ++ private_ike_cfg_t *this = (private_ike_cfg_t*)cfg; ++ enumerator_t *enumerator; ++ host_t *host; ++ char *str; ++ int family = AF_UNSPEC; ++ ++ if (local) ++ { ++ enumerator = this->my_hosts->create_enumerator(this->my_hosts); ++ } ++ else ++ { ++ enumerator = this->other_hosts->create_enumerator(this->other_hosts); ++ } ++ while (enumerator->enumerate(enumerator, &str)) ++ { ++ if (streq(str, "%any")) ++ { /* ignore %any as its family is undetermined */ ++ continue; ++ } ++ host = host_create_from_string(str, 0); ++ if (host) ++ { ++ if (family == AF_UNSPEC) ++ { ++ family = host->get_family(host); ++ } ++ else if (family != host->get_family(host)) ++ { ++ /* more than one address family defined */ ++ family = AF_UNSPEC; ++ host->destroy(host); ++ break; ++ } ++ } ++ DESTROY_IF(host); ++ } ++ enumerator->destroy(enumerator); ++ return family; ++} ++ ++/** ++ * Described in header. ++ */ + ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, + char *me, u_int16_t my_port, + char *other, u_int16_t other_port, +diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h +index adfcabf..62f5b74 100644 +--- a/src/libcharon/config/ike_cfg.h ++++ b/src/libcharon/config/ike_cfg.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2012 Tobias Brunner ++ * Copyright (C) 2012-2015 Tobias Brunner + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil +@@ -254,4 +254,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap, + char *other, u_int16_t other_port, + fragmentation_t fragmentation, u_int8_t dscp); + ++/** ++ * Determine the address family of the local or remtoe address(es). If multiple ++ * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are ++ * not though). 
++ * ++ * @param local TRUE to check local addresses, FALSE for remote ++ * @return address family of address(es) if distinct ++ */ ++int ike_cfg_get_family(ike_cfg_t *this, bool local); ++ ++ + #endif /** IKE_CFG_H_ @}*/ +-- +2.4.6 + diff --git a/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch new file mode 100644 index 000000000..7114d6247 --- /dev/null +++ b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch 
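Review bot: The new header comment for `ike_cfg_get_family()` has a typo (`remtoe` should be `remote`) and does not mention that only literal IP addresses are considered; hostnames, ranges and subnets fail `host_create_from_string()` and are silently skipped, which the commit message states but the API doc does not. Suggest adding `Only literal IP addresses are considered; hostnames, ranges and subnets are ignored.` after the first sentence, and documenting the first parameter (`@param this ike_cfg to check`; it is named `cfg` in the definition but `this` in the declaration, which is worth aligning).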
@@ -0,0 +1,48 @@ +From a11048adee0aeab8af10259f406363d7cc6beccc Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 11 Jun 2015 15:10:29 +0200 +Subject: [PATCH] ike: Use address family of local address when resolving + remote host + +If static local addresses are configured we should use their address family +as a hint when resolving the remote address. +We don't do this if %any is configured as this might break existing +configurations (%any4 and %any6 are however used as hint). +--- + src/libcharon/sa/ike_sa.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c +index 3aafa4c..0c13c58 100644 +--- a/src/libcharon/sa/ike_sa.c ++++ b/src/libcharon/sa/ike_sa.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2006-2014 Tobias Brunner ++ * Copyright (C) 2006-2015 Tobias Brunner + * Copyright (C) 2006 Daniel Roethlisberger + * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005 Jan Hutter +@@ -1200,6 +1200,19 @@ static void resolve_hosts(private_ike_sa_t *this) + break; + } + ++ /* if an IP address is set locally, use the same family to resolve remote */ ++ if (family == AF_UNSPEC && !this->remote_host) ++ { ++ if (this->local_host) ++ { ++ family = this->local_host->get_family(this->local_host); ++ } ++ else ++ { ++ family = ike_cfg_get_family(this->ike_cfg, TRUE); ++ } ++ } ++ + if (this->remote_host) + { + host = this->remote_host->clone(this->remote_host); +-- +2.4.6 + diff --git a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch new file mode 100644 index 000000000..411bc58df --- /dev/null +++ b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch 
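Review bot: The comment `/* if an IP address is set locally, use the same family to resolve remote */` undersells the new branch: when `this->local_host` is unset it falls back to the family of the configured static local addresses via `ike_cfg_get_family()`, which returns AF_UNSPEC for `%any` and for mixed families, so the hint is silently dropped in those cases. Suggest `/* use the family of the current local address, else that of the configured static local addresses (AF_UNSPEC for %any or mixed families) to resolve remote */`. `resolve_hosts()` starts and ends outside this hunk, so whether `this->ike_cfg` is guaranteed non-NULL here cannot be confirmed from the hunk; presumably it is set at IKE_SA creation.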
@@ -0,0 +1,37 @@ +From 6f7a3b33bc044e0c212be54be74b9497d513ca86 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 10 Jul 2015 10:23:02 +0200 +Subject: [PATCH] ike: Fall back to the current remote IP if it resolves to + %any + +In some situations it might be valid for a host that configures +right=%any to reestablish or reauthenticate an IKE_SA. Using %any would +immediately abort the initiation causing the new SA to fail (which +might already have the existing CHILD_SAs assigned). + +Fixes #1027. +--- + src/libcharon/sa/ike_sa.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c +index 0c13c58..752a756 100644 +--- a/src/libcharon/sa/ike_sa.c ++++ b/src/libcharon/sa/ike_sa.c +@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this) + } + if (host) + { +- set_other_host(this, host); ++ if (!host->is_anyaddr(host) || ++ this->other_host->is_anyaddr(this->other_host)) ++ { /* don't set to %any if we currently have an address, but the ++ * address family might have changed */ ++ set_other_host(this, host); ++ } + } + + if (this->local_host) +-- +2.4.6 + diff --git a/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch new file mode 100644 index 000000000..f7517568c --- /dev/null +++ b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch 
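Review bot: The new condition leaks `host` when it is false: previously `set_other_host(this, host)` always took ownership, but when the resolved address is `%any` while `this->other_host` already holds a real address, `host` is neither stored nor destroyed. Add an `else` branch that releases it, `else { host->destroy(host); }`, or destroy it right after the `if`. `resolve_hosts()` continues outside this hunk, so a release further down would not be visible here, but the prior code gave `host` away unconditionally, which suggests there is none.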
@@ -0,0 +1,33 @@ +From 773fcb1605d413997450b59d114a1c035910cc58 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 9 Jul 2015 14:34:19 +0200 +Subject: [PATCH] trap-manager: Properly check-in IKE_SA if initiating fails + +This basically reverts f4e822c1b422 ("trap-manager: don't check-in +nonexisting IKE_SA if acquire fails"). As checkout_by_config() could +return an already existing and established IKE_SA we have to properly +destroy it, for instance, in case other threads are waiting to check +it out. checkin_and_destroy() should handle the case of a new SA +properly (it produces a log message on level 1, though). +--- + src/libcharon/sa/trap_manager.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c +index d6ff3c8..3a70bd1 100644 +--- a/src/libcharon/sa/trap_manager.c ++++ b/src/libcharon/sa/trap_manager.c +@@ -377,8 +377,8 @@ METHOD(trap_manager_t, acquire, void, + } + else + { +- ike_sa->destroy(ike_sa); +- charon->bus->set_sa(charon->bus, NULL); ++ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ++ ike_sa); + } + } + peer->destroy(peer); +-- +2.4.6 + diff --git a/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch new file mode 100644 index 000000000..1dea7b139 --- /dev/null +++ b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch 
@@ -0,0 +1,260 @@ +From a229bdce625338117966a53efd0475b2c7c84566 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Thu, 9 Jul 2015 12:00:56 +0200 +Subject: [PATCH] trap-manager: Changed how acquires we acted on are tracked + +This fixes potential race conditions in case complete() or flush() is +executed before or concurrently with a thread that handles an acquire. +It will also simplify tracking multiple acquires created for the same +trap policy in the future. + +Also fixes the behavior in some error situations. +--- + src/libcharon/sa/trap_manager.c | 122 ++++++++++++++++++++++++++++------------ + 1 file changed, 86 insertions(+), 36 deletions(-) + +diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c +index 3a70bd1..83b6d6a 100644 +--- a/src/libcharon/sa/trap_manager.c ++++ b/src/libcharon/sa/trap_manager.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2011-2013 Tobias Brunner ++ * Copyright (C) 2011-2015 Tobias Brunner + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * +@@ -18,10 +18,10 @@ + + #include <hydra.h> + #include <daemon.h> ++#include <threading/mutex.h> + #include <threading/rwlock.h> + #include <collections/linked_list.h> + +- + typedef struct private_trap_manager_t private_trap_manager_t; + typedef struct trap_listener_t trap_listener_t; + +@@ -67,6 +67,16 @@ struct private_trap_manager_t { + trap_listener_t listener; + + /** ++ * list of acquires we currently handle ++ */ ++ linked_list_t *acquires; ++ ++ /** ++ * mutex for list of acquires ++ */ ++ mutex_t *mutex; ++ ++ /** + * Whether to ignore traffic selectors from acquires + */ + bool ignore_acquire_ts; +@@ -80,23 +90,45 @@ typedef struct { + char *name; + /** ref to peer_cfg to initiate */ + peer_cfg_t *peer_cfg; +- /** ref to instanciated CHILD_SA */ ++ /** ref to instantiated CHILD_SA (i.e the trap policy) */ + child_sa_t *child_sa; +- /** TRUE if an acquire is pending */ +- bool pending; ++} entry_t; ++ ++/** ++ 
* A handled acquire ++ */ ++typedef struct { + /** pending IKE_SA connecting upon acquire */ + ike_sa_t *ike_sa; +-} entry_t; ++ /** reqid of pending trap policy */ ++ u_int32_t reqid; ++} acquire_t; + + /** + * actually uninstall and destroy an installed entry + */ +-static void destroy_entry(entry_t *entry) ++static void destroy_entry(entry_t *this) ++{ ++ this->child_sa->destroy(this->child_sa); ++ this->peer_cfg->destroy(this->peer_cfg); ++ free(this->name); ++ free(this); ++} ++ ++/** ++ * destroy a cached acquire entry ++ */ ++static void destroy_acquire(acquire_t *this) + { +- entry->child_sa->destroy(entry->child_sa); +- entry->peer_cfg->destroy(entry->peer_cfg); +- free(entry->name); +- free(entry); ++ free(this); ++} ++ ++/** ++ * match an acquire entry by reqid ++ */ ++static bool acquire_by_reqid(acquire_t *this, u_int32_t *reqid) ++{ ++ return this->reqid == *reqid; + } + + METHOD(trap_manager_t, install, u_int32_t, +@@ -314,6 +346,7 @@ METHOD(trap_manager_t, acquire, void, + { + enumerator_t *enumerator; + entry_t *entry, *found = NULL; ++ acquire_t *acquire; + peer_cfg_t *peer; + child_cfg_t *child; + ike_sa_t *ike_sa; +@@ -337,16 +370,29 @@ METHOD(trap_manager_t, acquire, void, + this->lock->unlock(this->lock); + return; + } +- if (!cas_bool(&found->pending, FALSE, TRUE)) ++ reqid = found->child_sa->get_reqid(found->child_sa); ++ ++ this->mutex->lock(this->mutex); ++ if (this->acquires->find_first(this->acquires, (void*)acquire_by_reqid, ++ (void**)&acquire, &reqid) == SUCCESS) + { + DBG1(DBG_CFG, "ignoring acquire, connection attempt pending"); ++ this->mutex->unlock(this->mutex); + this->lock->unlock(this->lock); + return; + } ++ else ++ { ++ INIT(acquire, ++ .reqid = reqid, ++ ); ++ this->acquires->insert_last(this->acquires, acquire); ++ } ++ this->mutex->unlock(this->mutex); ++ + peer = found->peer_cfg->get_ref(found->peer_cfg); + child = found->child_sa->get_config(found->child_sa); + child = child->get_ref(child); +- reqid = 
found->child_sa->get_reqid(found->child_sa); + /* don't hold the lock while checking out the IKE_SA */ + this->lock->unlock(this->lock); + +@@ -363,16 +409,13 @@ METHOD(trap_manager_t, acquire, void, + * have a single TS that we can establish in a Quick Mode. */ + src = dst = NULL; + } ++ ++ this->mutex->lock(this->mutex); ++ acquire->ike_sa = ike_sa; ++ this->mutex->unlock(this->mutex); ++ + if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME) + { +- /* make sure the entry is still there */ +- this->lock->read_lock(this->lock); +- if (this->traps->find_first(this->traps, NULL, +- (void**)&found) == SUCCESS) +- { +- found->ike_sa = ike_sa; +- } +- this->lock->unlock(this->lock); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + else +@@ -381,6 +424,14 @@ METHOD(trap_manager_t, acquire, void, + ike_sa); + } + } ++ else ++ { ++ this->mutex->lock(this->mutex); ++ this->acquires->remove(this->acquires, acquire, NULL); ++ this->mutex->unlock(this->mutex); ++ destroy_acquire(acquire); ++ child->destroy(child); ++ } + peer->destroy(peer); + } + +@@ -391,26 +442,25 @@ static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa) + { + enumerator_t *enumerator; +- entry_t *entry; ++ acquire_t *acquire; + +- this->lock->read_lock(this->lock); +- enumerator = this->traps->create_enumerator(this->traps); +- while (enumerator->enumerate(enumerator, &entry)) ++ this->mutex->lock(this->mutex); ++ enumerator = this->acquires->create_enumerator(this->acquires); ++ while (enumerator->enumerate(enumerator, &acquire)) + { +- if (entry->ike_sa != ike_sa) ++ if (!acquire->ike_sa || acquire->ike_sa != ike_sa) + { + continue; + } +- if (child_sa && child_sa->get_reqid(child_sa) != +- entry->child_sa->get_reqid(entry->child_sa)) ++ if (child_sa && child_sa->get_reqid(child_sa) != acquire->reqid) + { + continue; + } +- entry->ike_sa = NULL; +- entry->pending = FALSE; ++ this->acquires->remove_at(this->acquires, 
enumerator); ++ destroy_acquire(acquire); + } + enumerator->destroy(enumerator); +- this->lock->unlock(this->lock); ++ this->mutex->unlock(this->mutex); + } + + METHOD(listener_t, ike_state_change, bool, +@@ -444,14 +494,10 @@ METHOD(listener_t, child_state_change, bool, + METHOD(trap_manager_t, flush, void, + private_trap_manager_t *this) + { +- linked_list_t *traps; +- /* since destroying the CHILD_SA results in events which require a read +- * lock we cannot destroy the list while holding the write lock */ + this->lock->write_lock(this->lock); +- traps = this->traps; ++ this->traps->destroy_function(this->traps, (void*)destroy_entry); + this->traps = linked_list_create(); + this->lock->unlock(this->lock); +- traps->destroy_function(traps, (void*)destroy_entry); + } + + METHOD(trap_manager_t, destroy, void, +@@ -459,6 +505,8 @@ METHOD(trap_manager_t, destroy, void, + { + charon->bus->remove_listener(charon->bus, &this->listener.listener); + this->traps->destroy_function(this->traps, (void*)destroy_entry); ++ this->acquires->destroy_function(this->acquires, (void*)destroy_acquire); ++ this->mutex->destroy(this->mutex); + this->lock->destroy(this->lock); + free(this); + } +@@ -488,6 +536,8 @@ trap_manager_t *trap_manager_create(void) + }, + }, + .traps = linked_list_create(), ++ .acquires = linked_list_create(), ++ .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .ignore_acquire_ts = lib->settings->get_bool(lib->settings, + "%s.ignore_acquire_ts", FALSE, lib->ns), +-- +2.4.6 + diff --git a/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch new file mode 100644 index 000000000..60a28724c --- /dev/null +++ b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch 
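Review bot: `flush()` now destroys the trap entries while holding the write lock, which the removed comment said was unsafe because CHILD_SA destruction raises bus events whose handlers took the read lock; that constraint is lifted only because `complete()`, called from the listener, now synchronizes on `this->mutex` instead of `this->lock`. That invariant is not written down, and a future listener path that takes `this->lock` from a destroy-triggered event would deadlock against `flush()`. Suggest a comment in `flush()`: `/* safe under the write lock: listener callbacks (complete()) only take this->mutex, never this->lock */`. After `initiate()` returns DESTROY_ME the `acquire_t` stays in the list with `ike_sa` set and is presumably removed through the IKE state-change listener outside this hunk; a note on `acquire_t` saying who removes entries would help.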
@@ -0,0 +1,118 @@ +From 12b3cdba7689113558f58a5265827f3086852bae Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 13 Jul 2015 13:20:14 +0200 +Subject: [PATCH] trap-manager: Resolve race conditions between flush() and + install() + +When flush() is called there might be threads in install() waiting for +trap policies to get installed (without holding the lock). We have to +wait until they updated the entries with the respective CHILD_SAs before +destroying the list. + +We also have to prevent further trap policy installations (and wait until +threads in install() are really finished), otherwise we might end up +destroying CHILD_SA objects after the kernel interface implementations +have already been unloaded (avoiding this is the whole point of calling +flush() before unloading the plugins). +--- + src/libcharon/sa/trap_manager.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c +index 83b6d6a..424d9e7 100644 +--- a/src/libcharon/sa/trap_manager.c ++++ b/src/libcharon/sa/trap_manager.c +@@ -20,8 +20,11 @@ + #include <daemon.h> + #include <threading/mutex.h> + #include <threading/rwlock.h> ++#include <threading/rwlock_condvar.h> + #include <collections/linked_list.h> + ++#define INSTALL_DISABLED ((u_int)~0) ++ + typedef struct private_trap_manager_t private_trap_manager_t; + typedef struct trap_listener_t trap_listener_t; + +@@ -77,6 +80,16 @@ struct private_trap_manager_t { + mutex_t *mutex; + + /** ++ * number of threads currently installing trap policies, or INSTALL_DISABLED ++ */ ++ u_int installing; ++ ++ /** ++ * condvar to signal trap policy installation ++ */ ++ rwlock_condvar_t *condvar; ++ ++ /** + * Whether to ignore traffic selectors from acquires + */ + bool ignore_acquire_ts; +@@ -171,6 +184,11 @@ METHOD(trap_manager_t, install, u_int32_t, + } + + this->lock->write_lock(this->lock); ++ if (this->installing == 
INSTALL_DISABLED) ++ { /* flush() has been called */ ++ this->lock->unlock(this->lock); ++ return 0; ++ } + enumerator = this->traps->create_enumerator(this->traps); + while (enumerator->enumerate(enumerator, &entry)) + { +@@ -204,6 +222,7 @@ METHOD(trap_manager_t, install, u_int32_t, + .peer_cfg = peer->get_ref(peer), + ); + this->traps->insert_first(this->traps, entry); ++ this->installing++; + /* don't hold lock while creating CHILD_SA and installing policies */ + this->lock->unlock(this->lock); + +@@ -252,6 +271,11 @@ METHOD(trap_manager_t, install, u_int32_t, + { + destroy_entry(found); + } ++ this->lock->write_lock(this->lock); ++ /* do this at the end, so entries created temporarily are also destroyed */ ++ this->installing--; ++ this->condvar->signal(this->condvar); ++ this->lock->unlock(this->lock); + return reqid; + } + +@@ -495,8 +519,13 @@ METHOD(trap_manager_t, flush, void, + private_trap_manager_t *this) + { + this->lock->write_lock(this->lock); ++ while (this->installing) ++ { ++ this->condvar->wait(this->condvar, this->lock); ++ } + this->traps->destroy_function(this->traps, (void*)destroy_entry); + this->traps = linked_list_create(); ++ this->installing = INSTALL_DISABLED; + this->lock->unlock(this->lock); + } + +@@ -506,6 +535,7 @@ METHOD(trap_manager_t, destroy, void, + charon->bus->remove_listener(charon->bus, &this->listener.listener); + this->traps->destroy_function(this->traps, (void*)destroy_entry); + this->acquires->destroy_function(this->acquires, (void*)destroy_acquire); ++ this->condvar->destroy(this->condvar); + this->mutex->destroy(this->mutex); + this->lock->destroy(this->lock); + free(this); +@@ -539,6 +569,7 @@ trap_manager_t *trap_manager_create(void) + .acquires = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ++ .condvar = rwlock_condvar_create(), + .ignore_acquire_ts = lib->settings->get_bool(lib->settings, + "%s.ignore_acquire_ts", FALSE, lib->ns), + ); +-- 
+2.4.6
+
diff --git a/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
new file mode 100644
index 000000000..6fa2c339f
--- /dev/null
+++ b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
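Review bot: `flush()` waits with `while (this->installing)`, but after the first flush `installing` equals `INSTALL_DISABLED` (`~0`), which is non-zero, so a second `flush()` would block on the condvar forever because no installer will ever decrement it. Guard the wait, `while (this->installing && this->installing != INSTALL_DISABLED)`, or return early when already disabled. The matching `this->installing--` in `install()` also relies on every path between the increment and the decrement reaching the end of the function; the lines in between are outside this hunk, so any early `return` there (for instance on policy installation failure) would leave `installing` stuck and hang `flush()`, which deserves a comment at the increment: `/* every path below must reach the decrement at the end, or flush() blocks forever */`.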
@@ -0,0 +1,112 @@ +From f3d39666e0d62fb9a790b72ee7ae2b9255b21cdd Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:35:21 +0200 +Subject: [PATCH] shunt-manager: Add a lock to safely access the list of shunt + policies + +--- + src/libcharon/sa/shunt_manager.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c +index 73e1abb..434bace 100644 +--- a/src/libcharon/sa/shunt_manager.c ++++ b/src/libcharon/sa/shunt_manager.c +@@ -1,4 +1,5 @@ + /* ++ * Copyright (C) 2015 Tobias Brunner + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * +@@ -20,7 +21,6 @@ + #include <threading/rwlock.h> + #include <collections/linked_list.h> + +- + typedef struct private_shunt_manager_t private_shunt_manager_t; + + /** +@@ -37,6 +37,11 @@ struct private_shunt_manager_t { + * Installed shunts, as child_cfg_t + */ + linked_list_t *shunts; ++ ++ /** ++ * Lock to safely access the list of shunts ++ */ ++ rwlock_t *lock; + }; + + /** +@@ -120,6 +125,7 @@ METHOD(shunt_manager_t, install, bool, + bool found = FALSE; + + /* check if not already installed */ ++ this->lock->write_lock(this->lock); + enumerator = this->shunts->create_enumerator(this->shunts); + while (enumerator->enumerate(enumerator, &child_cfg)) + { +@@ -130,14 +136,15 @@ METHOD(shunt_manager_t, install, bool, + } + } + enumerator->destroy(enumerator); +- + if (found) + { + DBG1(DBG_CFG, "shunt %N policy '%s' already installed", + ipsec_mode_names, child->get_mode(child), child->get_name(child)); ++ this->lock->unlock(this->lock); + return TRUE; + } + this->shunts->insert_last(this->shunts, child->get_ref(child)); ++ this->lock->unlock(this->lock); + + return install_shunt_policy(child); + } +@@ -215,6 +222,7 @@ METHOD(shunt_manager_t, uninstall, bool, + enumerator_t *enumerator; + child_cfg_t *child, *found = NULL; + ++ 
this->lock->write_lock(this->lock); + enumerator = this->shunts->create_enumerator(this->shunts); + while (enumerator->enumerate(enumerator, &child)) + { +@@ -226,6 +234,7 @@ METHOD(shunt_manager_t, uninstall, bool, + } + } + enumerator->destroy(enumerator); ++ this->lock->unlock(this->lock); + + if (!found) + { +@@ -239,7 +248,10 @@ METHOD(shunt_manager_t, uninstall, bool, + METHOD(shunt_manager_t, create_enumerator, enumerator_t*, + private_shunt_manager_t *this) + { +- return this->shunts->create_enumerator(this->shunts); ++ this->lock->read_lock(this->lock); ++ return enumerator_create_cleaner( ++ this->shunts->create_enumerator(this->shunts), ++ (void*)this->lock->unlock, this->lock); + } + + METHOD(shunt_manager_t, destroy, void, +@@ -253,6 +265,7 @@ METHOD(shunt_manager_t, destroy, void, + child->destroy(child); + } + this->shunts->destroy(this->shunts); ++ this->lock->destroy(this->lock); + free(this); + } + +@@ -271,6 +284,7 @@ shunt_manager_t *shunt_manager_create() + .destroy = _destroy, + }, + .shunts = linked_list_create(), ++ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +-- +2.4.6 + diff --git a/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch new file mode 100644 index 000000000..f8af98c62 --- /dev/null +++ b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch 
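Review bot: `create_enumerator()` now hands out an enumerator that holds the read lock until it is destroyed, while `install()` and `uninstall()` take the write lock on the same `rwlock_t`, so a caller that invokes either of them from inside an enumeration loop blocks on itself (unless this rwlock type lets a reader upgrade, which the hunk does not show). That constraint is not written down anywhere; the `create_enumerator` declaration in shunt_manager.h should carry `/* holds the manager's read lock until the enumerator is destroyed; do not call install()/uninstall() while enumerating */`. Note also that `install()` releases the lock before `install_shunt_policy()` runs, so the list can contain a config whose kernel policy is not in place yet — a later patch in this series handles the failure case, but the window itself remains.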
@@ -0,0 +1,43 @@ +From 616ff9a2369fd250a2b9e8d2a00f37e2e8d3a2f3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:50:32 +0200 +Subject: [PATCH] shunt-manager: Remove stored entries if installation fails + +--- + src/libcharon/sa/shunt_manager.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c +index 434bace..2e42e7e 100644 +--- a/src/libcharon/sa/shunt_manager.c ++++ b/src/libcharon/sa/shunt_manager.c +@@ -122,7 +122,7 @@ METHOD(shunt_manager_t, install, bool, + { + enumerator_t *enumerator; + child_cfg_t *child_cfg; +- bool found = FALSE; ++ bool found = FALSE, success; + + /* check if not already installed */ + this->lock->write_lock(this->lock); +@@ -146,7 +146,16 @@ METHOD(shunt_manager_t, install, bool, + this->shunts->insert_last(this->shunts, child->get_ref(child)); + this->lock->unlock(this->lock); + +- return install_shunt_policy(child); ++ success = install_shunt_policy(child); ++ ++ if (!success) ++ { ++ this->lock->write_lock(this->lock); ++ this->shunts->remove(this->shunts, child, NULL); ++ this->lock->unlock(this->lock); ++ child->destroy(child); ++ } ++ return success; + } + + /** +-- +2.4.6 + diff --git a/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch new file mode 100644 index 000000000..3aa6b561b --- /dev/null +++ b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch 
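Review bot: The "already installed" check and `insert_last()` still happen before `install_shunt_policy()` runs, with the lock dropped in between, so a second `install()` of the same config racing with the first finds it in the list and returns TRUE while the policy is not yet in the kernel and may still fail and be removed by this new error path. The second caller is then told the shunt exists when it does not. If serializing the kernel call under the write lock is not acceptable, at least state this at the found check: `/* a concurrent install() of the same config reports TRUE while this one is still pending or about to fail */`. The `child->destroy(child)` on failure correctly drops the reference taken by `get_ref()` a few lines earlier.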
@@ -0,0 +1,153 @@ +From bc36530670cbbe2362053f1604f67e481afd336c Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:55:36 +0200 +Subject: [PATCH] shunt-manager: Add flush() method to properly uninstall + shunts + +This will allow us to uninstall shunts before unloading the +kernel-interface plugins. +--- + src/libcharon/sa/shunt_manager.c | 44 ++++++++++++++++++++++++++++++++++++---- + src/libcharon/sa/shunt_manager.h | 6 ++++++ + 2 files changed, 46 insertions(+), 4 deletions(-) + +diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c +index 2e42e7e..1a98443 100644 +--- a/src/libcharon/sa/shunt_manager.c ++++ b/src/libcharon/sa/shunt_manager.c +@@ -19,8 +19,11 @@ + #include <hydra.h> + #include <daemon.h> + #include <threading/rwlock.h> ++#include <threading/rwlock_condvar.h> + #include <collections/linked_list.h> + ++#define INSTALL_DISABLED ((u_int)~0) ++ + typedef struct private_shunt_manager_t private_shunt_manager_t; + + /** +@@ -42,6 +45,16 @@ struct private_shunt_manager_t { + * Lock to safely access the list of shunts + */ + rwlock_t *lock; ++ ++ /** ++ * Number of threads currently installing shunts, or INSTALL_DISABLED ++ */ ++ u_int installing; ++ ++ /** ++ * Condvar to signal shunt installation ++ */ ++ rwlock_condvar_t *condvar; + }; + + /** +@@ -126,6 +139,11 @@ METHOD(shunt_manager_t, install, bool, + + /* check if not already installed */ + this->lock->write_lock(this->lock); ++ if (this->installing == INSTALL_DISABLED) ++ { /* flush() has been called */ ++ this->lock->unlock(this->lock); ++ return FALSE; ++ } + enumerator = this->shunts->create_enumerator(this->shunts); + while (enumerator->enumerate(enumerator, &child_cfg)) + { +@@ -144,17 +162,20 @@ METHOD(shunt_manager_t, install, bool, + return TRUE; + } + this->shunts->insert_last(this->shunts, child->get_ref(child)); ++ this->installing++; + this->lock->unlock(this->lock); + + success = install_shunt_policy(child); + 
++ this->lock->write_lock(this->lock); + if (!success) + { +- this->lock->write_lock(this->lock); + this->shunts->remove(this->shunts, child, NULL); +- this->lock->unlock(this->lock); + child->destroy(child); + } ++ this->installing--; ++ this->condvar->signal(this->condvar); ++ this->lock->unlock(this->lock); + return success; + } + +@@ -263,18 +284,31 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*, + (void*)this->lock->unlock, this->lock); + } + +-METHOD(shunt_manager_t, destroy, void, ++METHOD(shunt_manager_t, flush, void, + private_shunt_manager_t *this) + { + child_cfg_t *child; + ++ this->lock->write_lock(this->lock); ++ while (this->installing) ++ { ++ this->condvar->wait(this->condvar, this->lock); ++ } + while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS) + { + uninstall_shunt_policy(child); + child->destroy(child); + } +- this->shunts->destroy(this->shunts); ++ this->installing = INSTALL_DISABLED; ++ this->lock->unlock(this->lock); ++} ++ ++METHOD(shunt_manager_t, destroy, void, ++ private_shunt_manager_t *this) ++{ ++ this->shunts->destroy_offset(this->shunts, offsetof(child_cfg_t, destroy)); + this->lock->destroy(this->lock); ++ this->condvar->destroy(this->condvar); + free(this); + } + +@@ -290,10 +324,12 @@ shunt_manager_t *shunt_manager_create() + .install = _install, + .uninstall = _uninstall, + .create_enumerator = _create_enumerator, ++ .flush = _flush, + .destroy = _destroy, + }, + .shunts = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ++ .condvar = rwlock_condvar_create(), + ); + + return &this->public; +diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h +index 28a795d..c43f5db 100644 +--- a/src/libcharon/sa/shunt_manager.h ++++ b/src/libcharon/sa/shunt_manager.h +@@ -1,4 +1,5 @@ + /* ++ * Copyright (C) 2015 Tobias Brunner + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * +@@ -56,6 +57,11 @@ struct shunt_manager_t { + 
enumerator_t* (*create_enumerator)(shunt_manager_t *this); + + /** ++ * Clear any installed shunt. ++ */ ++ void (*flush)(shunt_manager_t *this); ++ ++ /** + * Destroy a shunt_manager_t. + */ + void (*destroy)(shunt_manager_t *this); +-- +2.4.6 + diff --git a/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch new file mode 100644 index 000000000..9d3be529b --- /dev/null +++ b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch @@ -0,0 +1,27 @@ +From c04345d5edbbc4c37027cdfc21dba85d03e312af Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Jul 2015 16:56:33 +0200 +Subject: [PATCH] daemon: Flush shunts before unloading plugins + +--- + src/libcharon/daemon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c +index b1b8f57..316be76 100644 +--- a/src/libcharon/daemon.c ++++ b/src/libcharon/daemon.c +@@ -462,6 +462,10 @@ static void destroy(private_daemon_t *this) + { + this->public.traps->flush(this->public.traps); + } ++ if (this->public.shunts) ++ { ++ this->public.shunts->flush(this->public.shunts); ++ } + if (this->public.sender) + { + this->public.sender->flush(this->public.sender); +-- +2.4.6 + diff --git a/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch new file mode 100644 index 000000000..56038b46f --- /dev/null +++ b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch 
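Review bot: `flush()` cannot safely be called twice: the new `while (this->installing)` loop treats `INSTALL_DISABLED` (`~0`) as a non-zero count, so a second call waits on the condvar forever because no `install()` will ever signal it again (they all return early on `INSTALL_DISABLED`). Guard the entry before the wait loop: `if (this->installing == INSTALL_DISABLED) { this->lock->unlock(this->lock); return; }`, or loop on `this->installing && this->installing != INSTALL_DISABLED`. daemon.c calls it once at shutdown, so this is a latent hazard rather than a visible failure, but the same pattern appears in the trap_manager flush earlier in this series. Separately, `uninstall_shunt_policy()` now runs for every entry while the write lock is held, which blocks all enumerators for the whole kernel round-trip sequence; acceptable at shutdown, but worth a one-line comment so nobody reuses `flush()` at runtime.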
@@ -0,0 +1,105 @@ +From 86d20b0b40066590f5e26d1f9aca21cc0cba97e1 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 15 Jun 2015 11:46:33 +0200 +Subject: [PATCH] ike-rekey: Reset IKE_SA on the bus after destroying new + IKE_SA + +The destroy() method sets the IKE_SA on the bus to NULL, we reset it to +the current IKE_SA so any events and log messages that follow happen in +the correct context. + +A practical example where this is problematic is a DH group mismatch, +which causes the first CREATE_CHILD_SA exchange to fail. Because the SA +was not reset previously, the message() hook for the CREATE_CHILD_SA +response, for instance, was triggered outside the context of an IKE_SA, +that is, the ike_sa parameter was NULL, which is definitely not expected +by several plugins. + +Fixes #862. +--- + src/libcharon/sa/ikev2/tasks/ike_rekey.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +index 1855517..1dfdc05 100644 +--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c ++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +@@ -116,7 +116,6 @@ static void establish_new(private_ike_rekey_t *this) + lib->processor->queue_job(lib->processor, job); + } + this->new_sa = NULL; +- /* set threads active IKE_SA after checkin */ + charon->bus->set_sa(charon->bus, this->ike_sa); + } + } +@@ -335,15 +334,13 @@ METHOD(task_t, process_i, status_t, + { + charon->ike_sa_manager->checkin( + charon->ike_sa_manager, this->new_sa); +- /* set threads active IKE_SA after checkin */ +- charon->bus->set_sa(charon->bus, this->ike_sa); + } ++ charon->bus->set_sa(charon->bus, this->ike_sa); + this->new_sa = NULL; + establish_new(other); + return SUCCESS; + } + } +- /* set threads active IKE_SA after checkin */ + charon->bus->set_sa(charon->bus, this->ike_sa); + } + +@@ -372,9 +369,13 @@ METHOD(ike_rekey_t, collide, void, + this->collision = 
other; + } + +-METHOD(task_t, migrate, void, +- private_ike_rekey_t *this, ike_sa_t *ike_sa) ++/** ++ * Cleanup the task ++ */ ++static void cleanup(private_ike_rekey_t *this) + { ++ ike_sa_t *cur_sa; ++ + if (this->ike_init) + { + this->ike_init->task.destroy(&this->ike_init->task); +@@ -383,9 +384,16 @@ METHOD(task_t, migrate, void, + { + this->ike_delete->task.destroy(&this->ike_delete->task); + } ++ cur_sa = charon->bus->get_sa(charon->bus); + DESTROY_IF(this->new_sa); ++ charon->bus->set_sa(charon->bus, cur_sa); + DESTROY_IF(this->collision); ++} + ++METHOD(task_t, migrate, void, ++ private_ike_rekey_t *this, ike_sa_t *ike_sa) ++{ ++ cleanup(); + this->collision = NULL; + this->ike_sa = ike_sa; + this->new_sa = NULL; +@@ -396,16 +404,7 @@ METHOD(task_t, migrate, void, + METHOD(task_t, destroy, void, + private_ike_rekey_t *this) + { +- if (this->ike_init) +- { +- this->ike_init->task.destroy(&this->ike_init->task); +- } +- if (this->ike_delete) +- { +- this->ike_delete->task.destroy(&this->ike_delete->task); +- } +- DESTROY_IF(this->new_sa); +- DESTROY_IF(this->collision); ++ cleanup(); + free(this); + } + +-- +2.4.6 + diff --git a/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch new file mode 100644 index 000000000..9aa06d925 --- /dev/null +++ b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch 
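Review bot: The bus-SA save/restore in `cleanup()` brackets only `DESTROY_IF(this->new_sa)`, while `DESTROY_IF(this->collision)` runs after the restore; since a collision task is itself an ike_rekey whose `destroy()` calls this same `cleanup()`, it does its own save/restore, so the ordering holds — but that is two hops of reasoning a reader will not make. Add `/* the collision task's destroy() re-enters cleanup() and restores the bus SA itself */` above the last `DESTROY_IF`. Note the `cleanup()` calls in `migrate` and `destroy` as written here omit the `this` argument; a later patch in this series corrects that.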
@@ -0,0 +1,31 @@ +From 2efcc9586714fd3ae26fe6ff57ea1b9ee09a58ea Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 15 Jun 2015 11:52:16 +0200 +Subject: [PATCH] ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA + response + +Even when there is no error the CREATE_CHILD_SA response should be sent +in the context of the existing IKE_SA. +--- + src/libcharon/sa/ikev2/tasks/ike_rekey.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +index 1dfdc05..4133c93 100644 +--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c ++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +@@ -228,9 +228,10 @@ METHOD(task_t, build_r, status_t, + + if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED) + { ++ charon->bus->set_sa(charon->bus, this->ike_sa); + return SUCCESS; + } +- ++ charon->bus->set_sa(charon->bus, this->ike_sa); + this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); + + /* rekeying successful, delete the IKE_SA using a subtask */ +-- +2.4.6 + diff --git a/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch new file mode 100644 index 000000000..e17cf30cd --- /dev/null +++ b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch 
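Review bot: Both paths now execute the identical `charon->bus->set_sa(charon->bus, this->ike_sa);`, once inside the FAILED branch and once right after it, so the call can be hoisted to a single line above the `if` and the duplicate dropped. `build_r`'s beginning and end lie outside the hunk.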
@@ -0,0 +1,34 @@ +From 81f1aa8dc375a84d9f0dc3e4027f2aebf6d03b18 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 27 Jul 2015 15:20:01 +0200 +Subject: [PATCH] ike-rekey: Fix cleanup() call + +--- + src/libcharon/sa/ikev2/tasks/ike_rekey.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +index 4133c93..eaba04e 100644 +--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c ++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c +@@ -394,7 +394,7 @@ static void cleanup(private_ike_rekey_t *this) + METHOD(task_t, migrate, void, + private_ike_rekey_t *this, ike_sa_t *ike_sa) + { +- cleanup(); ++ cleanup(this); + this->collision = NULL; + this->ike_sa = ike_sa; + this->new_sa = NULL; +@@ -405,7 +405,7 @@ METHOD(task_t, migrate, void, + METHOD(task_t, destroy, void, + private_ike_rekey_t *this) + { +- cleanup(); ++ cleanup(this); + free(this); + } + +-- +2.4.6 + diff --git a/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch new file mode 100644 index 000000000..3b773d02a --- /dev/null +++ b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch 
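Review bot: This one-line fix-up exists because 0013, added in this same commit, calls `cleanup()` without its `this` argument, so the patch series does not compile between 0013 and 0015; fold this change into 0013 (`cleanup(this);` in both `migrate` and `destroy`) so every intermediate state of the series builds and bisects. Preserving the separate upstream commit id is not worth a broken intermediate tree in a distro patch set.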
@@ -0,0 +1,27 @@ +From faebdeac8eafad7b5c2109d5a9ce0af41dbf315c Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Mon, 27 Jul 2015 19:37:41 +0200 +Subject: [PATCH] ike: Fix memory leak if remote address is kept + +--- + src/libcharon/sa/ike_sa.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c +index 752a756..6ffbd55 100644 +--- a/src/libcharon/sa/ike_sa.c ++++ b/src/libcharon/sa/ike_sa.c +@@ -1230,6 +1230,10 @@ static void resolve_hosts(private_ike_sa_t *this) + * address family might have changed */ + set_other_host(this, host); + } ++ else ++ { ++ host->destroy(host); ++ } + } + + if (this->local_host) +-- +2.4.6 + diff --git a/main/strongswan/0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch index a7c02749f..945f1da2b 100644 --- a/main/strongswan/0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch +++ b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch @@ -27,5 +27,5 @@ index b0e3103..809d0f4 100644 DBG1(DBG_KNL, "netlink response exceeds buffer size"); return 0; -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch index 0bd694782..410e15b0c 100644 --- a/main/strongswan/0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch +++ b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch @@ -55,5 +55,5 @@ index 809d0f4..ddb2254 100644 { DBG1(DBG_KNL, "unable to create netlink socket"); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch new file mode 100644 index 000000000..e7897c17c --- /dev/null 
+++ b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch @@ -0,0 +1,24 @@ +From 36d77e36bb1556bebe0f98c06a757b123caef940 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Jul 2015 11:48:53 +0200 +Subject: [PATCH] ike: Also track initiating IKE_SAs as half-open + +--- + src/libcharon/sa/ike_sa_manager.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c +index 987260d..51b7f2c 100644 +--- a/src/libcharon/sa/ike_sa_manager.c ++++ b/src/libcharon/sa/ike_sa_manager.c +@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void, + put_half_open(this, entry); + } + else if (!entry->half_open && +- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) && + ike_sa->get_state(ike_sa) == IKE_CONNECTING) + { + /* this is a new half-open SA */ +-- +2.4.6 + diff --git a/main/strongswan/0003-controller-Optionally-adhere-to-init-limits-also-whe.patch b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch index 525c6e752..fbc54c11c 100644 --- a/main/strongswan/0003-controller-Optionally-adhere-to-init-limits-also-whe.patch +++ b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch @@ -1,4 +1,4 @@ -From af94ce1106470cc1c66a7b038d1d4552785f2670 Mon Sep 17 00:00:00 2001 +From 0d6412ab81fbf0376cc99e9419de417e58dc0e72 Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tobias@strongswan.org> Date: Thu, 16 Jul 2015 17:21:54 +0200 Subject: [PATCH] controller: Optionally adhere to init limits also when @@ -19,8 +19,7 @@ Subject: [PATCH] controller: Optionally adhere to init limits also when src/libcharon/plugins/vici/vici_control.c | 4 +- .../processing/jobs/initiate_mediation_job.c | 4 +- src/libcharon/processing/jobs/start_action_job.c | 2 +- - src/libcharon/sa/ike_sa_manager.c | 1 - - 16 files changed, 71 insertions(+), 21 deletions(-) + 15 files changed, 71 insertions(+), 20 deletions(-) 
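Review bot: With the `is_initiator()` test removed, IKE_SAs we initiate are now counted as half-open while in IKE_CONNECTING, so any half-open-based threshold (init limits, cookie/DoS handling) now also reacts to our own outbound connections — presumably intended for the init-limits patches that follow, but it deserves a comment at the branch: `/* count initiating SAs too, so init limits also cover outbound connections */`. The matching decrement when such an SA leaves IKE_CONNECTING is outside this hunk; it must key on `entry->half_open` rather than on the initiator flag, otherwise the counter drifts upward — confirm.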
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index 2c0b7b9..0c6a504 100644 @@ -313,18 +312,6 @@ index 981473b..5e88ac2 100644 break; case ACTION_ROUTE: DBG1(DBG_JOB, "start action: route '%s'", name); -diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 987260d..51b7f2c 100644 ---- a/src/libcharon/sa/ike_sa_manager.c -+++ b/src/libcharon/sa/ike_sa_manager.c -@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void, - put_half_open(this, entry); - } - else if (!entry->half_open && -- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - ike_sa->get_state(ike_sa) == IKE_CONNECTING) - { - /* this is a new half-open SA */ -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch index feb471a40..d6cc09071 100644 --- a/main/strongswan/0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch +++ b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch @@ -1,4 +1,4 @@ -From e18f39025363224790d64e5b4eaa1c268f95b528 Mon Sep 17 00:00:00 2001 +From f3b6de5afdc48550680c12359154eb18a5812ecb Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tobias@strongswan.org> Date: Thu, 16 Jul 2015 17:51:40 +0200 Subject: [PATCH] vici: Add get_bool() convenience getter for VICI messages @@ -166,5 +166,5 @@ index 1a89cf8..7f357b8 100644 * * @param def default value if not found -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0005-vici-Optionally-check-limits-when-initiating-connect.patch b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch index 2ff236b06..f904af30b 100644 --- a/main/strongswan/0005-vici-Optionally-check-limits-when-initiating-connect.patch +++ b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch 
@@ -1,4 +1,4 @@ -From 364a0b4922fb1dbbc584b341e945bf1b91d1d689 Mon Sep 17 00:00:00 2001 +From 2d4671feca3d2d17bfa2d846cc170478f18a8fcc Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tobias@strongswan.org> Date: Thu, 16 Jul 2015 17:56:16 +0200 Subject: [PATCH] vici: Optionally check limits when initiating connections @@ -61,5 +61,5 @@ index e568239..88574f8 100644 default: return send_reply(this, "establishing CHILD_SA '%s' failed", child); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch b/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch new file mode 100644 index 000000000..666355757 --- /dev/null +++ b/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch 
@@ -0,0 +1,96 @@ +From e0189de4c7b8df5cb61c7b0e771dcc5534e9cc06 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Jul 2015 11:53:58 +0200 +Subject: [PATCH] ike: Adhere to IKE_SA limit when checking out by config + +This prevents new SAs from getting created if we hit the global IKE_SA +limit (we still allow checkout_new(), which is used for rekeying). +--- + src/libcharon/sa/ike_sa_manager.c | 63 ++++++++++++++++++++------------------- + 1 file changed, 33 insertions(+), 30 deletions(-) + +diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c +index 51b7f2c..20b6e50 100644 +--- a/src/libcharon/sa/ike_sa_manager.c ++++ b/src/libcharon/sa/ike_sa_manager.c +@@ -1346,44 +1346,47 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + + DBG2(DBG_MGR, "checkout IKE_SA by config"); + +- if (!this->reuse_ikesa) +- { /* IKE_SA reuse disable by config */ +- ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE); +- charon->bus->set_sa(charon->bus, ike_sa); +- return ike_sa; +- } +- +- enumerator = create_table_enumerator(this); +- while (enumerator->enumerate(enumerator, &entry, &segment)) ++ if (this->reuse_ikesa) + { +- if (!wait_for_entry(this, entry, segment)) ++ enumerator = create_table_enumerator(this); ++ while (enumerator->enumerate(enumerator, &entry, &segment)) + { +- continue; +- } +- if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) +- { /* skip IKE_SAs which are not usable */ +- continue; +- } +- +- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); +- if (current_peer && current_peer->equals(current_peer, peer_cfg)) +- { +- current_ike = current_peer->get_ike_cfg(current_peer); +- if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) ++ if (!wait_for_entry(this, entry, segment)) + { +- entry->checked_out = TRUE; +- ike_sa = entry->ike_sa; +- DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", +- ike_sa->get_unique_id(ike_sa), +- 
current_peer->get_name(current_peer)); +- break; ++ continue; ++ } ++ if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) ++ { /* skip IKE_SAs which are not usable */ ++ continue; ++ } ++ current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); ++ if (current_peer && current_peer->equals(current_peer, peer_cfg)) ++ { ++ current_ike = current_peer->get_ike_cfg(current_peer); ++ if (current_ike->equals(current_ike, ++ peer_cfg->get_ike_cfg(peer_cfg))) ++ { ++ entry->checked_out = TRUE; ++ ike_sa = entry->ike_sa; ++ DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", ++ ike_sa->get_unique_id(ike_sa), ++ current_peer->get_name(current_peer)); ++ break; ++ } + } + } ++ enumerator->destroy(enumerator); + } +- enumerator->destroy(enumerator); + + if (!ike_sa) +- { /* no IKE_SA using such a config, hand out a new */ ++ { /* no IKE_SA using such a config, or reuse disabled, hand out a new */ ++ if (this->ikesa_limit && ++ this->public.get_count(&this->public) >= this->ikesa_limit) ++ { ++ DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)", ++ this->ikesa_limit); ++ return NULL; ++ } + ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE); + } + charon->bus->set_sa(charon->bus, ike_sa); +-- +2.4.6 + diff --git a/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch new file mode 100644 index 000000000..4a837486e --- /dev/null +++ b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch 
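Review bot: The limit check reads `get_count()` and then calls `checkout_new()` without holding a lock across both, so concurrent callers can each pass the comparison and push the count past `ikesa_limit`; if the limit is meant as a soft bound that is fine, but say so: `/* racy by design: concurrent checkouts may overshoot the limit slightly */`. The early `return NULL` also skips the `charon->bus->set_sa()` call that the other exit of this function performs, so callers that expect the thread's bus SA to be (re)set even on failure should be checked. `checkout_by_config`'s beginning and end are outside the hunk.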
@@ -0,0 +1,46 @@ +From 470b58d897338c89c83f416808cf1ccac38fe028 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 17 Jul 2015 14:08:09 +0200 +Subject: [PATCH] ikev1: Assign different job priorities for inbound IKEv1 + messages + +--- + src/libcharon/processing/jobs/process_message_job.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c +index a6795e7..31f048d 100644 +--- a/src/libcharon/processing/jobs/process_message_job.c ++++ b/src/libcharon/processing/jobs/process_message_job.c +@@ -91,16 +91,26 @@ METHOD(job_t, get_priority, job_priority_t, + { + case IKE_AUTH: + /* IKE auth is rather expensive and often blocking, low priority */ ++ case AGGRESSIVE: ++ case ID_PROT: ++ /* AM is basically IKE_SA_INIT/IKE_AUTH combined (without EAP/XAuth) ++ * MM is similar, but stretched out more */ + return JOB_PRIO_LOW; + case INFORMATIONAL: ++ case INFORMATIONAL_V1: + /* INFORMATIONALs are inexpensive, for DPD we should have low + * reaction times */ + return JOB_PRIO_HIGH; + case IKE_SA_INIT: +- case CREATE_CHILD_SA: +- default: + /* IKE_SA_INIT is expensive, but we will drop them in the receiver + * if we are overloaded */ ++ case CREATE_CHILD_SA: ++ case QUICK_MODE: ++ /* these may require DH, but if not they are relatively cheap */ ++ case TRANSACTION: ++ /* these are mostly cheap, however, if XAuth via RADIUS is used ++ * they may block */ ++ default: + return JOB_PRIO_MEDIUM; + } + } +-- +2.4.6 + diff --git a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch new file mode 100644 index 000000000..630151b40 --- /dev/null +++ b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch 
@@ -0,0 +1,68 @@
+From 944e99d57243fb42ccb2be475c8386a0c4c116f4 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 27 Jul 2015 11:18:53 +0200
+Subject: [PATCH] printf-hook-builtin: Fix invalid memory access
+
+When precision is given for a string, we must not run unbounded
+strlen() as it will read beyond the given length. It might even cause
+a crash if the given pointer is near end of heap or mapping.
+
+Fixes numerous valgrind errors such as:
+
+==19215== Invalid read of size 1
+==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853)
+==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084)
+==19215== by 0x52CE464: dntoa (identification.c:337)
+==19215== by 0x52CE464: identification_printf_hook (identification.c:837)
+==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
+==19215== by 0x57040EB: vlog (bus.c:388)
+==19215== by 0x570427D: log_ (bus.c:430)
+==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
+==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
+==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
+==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
+==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
+==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
+==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
+==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
+==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
+==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
+==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd
+==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296)
+==19215== by 0x52CD198: chunk_printable (chunk.c:759)
+==19215== by 0x52CE442: dntoa (identification.c:334)
+==19215== by 0x52CE442: identification_printf_hook (identification.c:837)
+==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
+==19215== by 0x57040EB: vlog (bus.c:388)
+==19215== by 0x570427D: log_ (bus.c:430)
+==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
+==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
+==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
+==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
+==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
+==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
+==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
+==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
+==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
+==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
+---
+ src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
+index 466c673..af54940 100644
+--- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
++++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
+@@ -843,7 +843,8 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap)
+ /* String */
+ sarg = va_arg(ap, const char *);
+ sarg = sarg ? sarg : "(null)";
+- slen = strlen(sarg);
++ slen = prec != -1 ? strnlen(sarg, prec)
++ : strlen(sarg);
+ goto is_string;
+ }
+ case 'm':
+--
+2.4.6
+
diff --git a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
index b0c65223a..e246c0429 100644
--- a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
+++ b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -1,4 +1,4 @@
-From 9afff74c4bd8abadfd248f36cf9f8206928d3dc6 Mon Sep 17 00:00:00 2001
+From 82c26f6c6c8dc8de620cdb6b191f04451ddedd11 Mon Sep 17 00:00:00 2001
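Review bot: The `prec != -1` guard is the correct one here — the local 1006-fix-printf-strlen.patch being dropped in this commit used `prec ? strnlen(sarg, prec) : strlen(sarg)`, which would have treated an explicit zero precision (`%.0s`) as "no precision" and still run the unbounded strlen() the patch is meant to avoid, so replacing it with the upstream form is a genuine fix. Only the `'s'` case is bounded: the `'m'` case on the context line below keeps its unbounded strlen() on the strerror() result, which is safe because strerror() returns a NUL-terminated string, but a comment such as `/* strerror() is always NUL-terminated, no need to bound by prec */` there would make the asymmetry with the dropped 1006 hunk visibly intentional. The declaration of prec is outside the hunk; the implicit conversion to size_t in `strnlen(sarg, prec)` is only sound if -1 is the sole negative value the format parser can produce — presumably so, worth confirming. builtin_vsnprintf's body continues outside the hunk.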
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Wed, 27 Aug 2014 16:05:21 +0300 Subject: [PATCH] charon: add optional source and remote overrides for initiate @@ -15,21 +15,20 @@ and is a prerequisite for dmvpn support. Signed-off-by: Timo Teräs <timo.teras@iki.fi> --- - src/charon-cmd/cmd/cmd_connection.c | 2 +- - src/charon-nm/nm/nm_service.c | 2 +- - src/libcharon/control/controller.c | 43 ++++++++++++++- - src/libcharon/control/controller.h | 3 ++ - src/libcharon/plugins/maemo/maemo_service.c | 2 +- - src/libcharon/plugins/stroke/stroke_control.c | 5 +- - src/libcharon/plugins/vici/vici_config.c | 2 +- - src/libcharon/plugins/vici/vici_control.c | 63 ++++++++++++++++++---- - src/libcharon/processing/jobs/start_action_job.c | 2 +- - src/libcharon/sa/ike_sa.c | 4 ++ - src/libcharon/sa/ike_sa_manager.c | 60 ++++++++++++++++++--- - src/libcharon/sa/ike_sa_manager.h | 8 ++- - src/libcharon/sa/trap_manager.c | 3 +- - src/swanctl/commands/initiate.c | 40 +++++++++++++- - 15 files changed, 213 insertions(+), 28 deletions(-) + src/charon-cmd/cmd/cmd_connection.c | 2 +- + src/charon-nm/nm/nm_service.c | 2 +- + src/libcharon/control/controller.c | 43 +++++++++++++++- + src/libcharon/control/controller.h | 3 ++ + src/libcharon/plugins/maemo/maemo_service.c | 2 +- + src/libcharon/plugins/stroke/stroke_control.c | 5 +- + src/libcharon/plugins/vici/vici_config.c | 2 +- + src/libcharon/plugins/vici/vici_control.c | 63 ++++++++++++++++++++---- + src/libcharon/processing/jobs/start_action_job.c | 2 +- + src/libcharon/sa/ike_sa_manager.c | 51 ++++++++++++++++++- + src/libcharon/sa/ike_sa_manager.h | 8 ++- + src/libcharon/sa/trap_manager.c | 3 +- + src/swanctl/commands/initiate.c | 40 ++++++++++++++- + 13 files changed, 203 insertions(+), 23 deletions(-) diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c index 0c6a504..dc4eca3 100644 @@ -206,10 +205,10 @@ index 0125d17..72c806c 100644 switch (status) { 
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index dfea2ab..233af4c 100644 +index b6950f3..600b83f 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c -@@ -1558,7 +1558,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, +@@ -1584,7 +1584,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); charon->controller->initiate(charon->controller, peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), @@ -219,7 +218,7 @@ index dfea2ab..233af4c 100644 case ACTION_ROUTE: DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg)); diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index 88574f8..d37e11f 100644 +index 88574f8..55f667b 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -13,6 +13,28 @@ @@ -341,23 +340,8 @@ index 5e88ac2..7043332 100644 break; case ACTION_ROUTE: DBG1(DBG_JOB, "start action: route '%s'", name); -diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c -index 3aafa4c..dcd54a1 100644 ---- a/src/libcharon/sa/ike_sa.c -+++ b/src/libcharon/sa/ike_sa.c -@@ -1208,6 +1208,10 @@ static void resolve_hosts(private_ike_sa_t *this) - else - { - host = this->ike_cfg->resolve_other(this->ike_cfg, family); -+ if (host->is_anyaddr(host)) -+ { -+ host = NULL; -+ } - } - if (host) - { diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 987260d..2f44f7c 100644 +index 20b6e50..ccce3de 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -16,6 +16,28 @@ 
@@ -389,7 +373,7 @@ index 987260d..2f44f7c 100644 #include <string.h> #include "ike_sa_manager.h" -@@ -1335,16 +1357,28 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, +@@ -1335,7 +1357,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, } METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, @@ -399,12 +383,9 @@ index 987260d..2f44f7c 100644 { enumerator_t *enumerator; entry_t *entry; -- ike_sa_t *ike_sa = NULL; -+ ike_sa_t *ike_sa; - peer_cfg_t *current_peer; +@@ -1344,7 +1367,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, ike_cfg_t *current_ike; u_int segment; -+ bool matched = FALSE; - DBG2(DBG_MGR, "checkout IKE_SA by config"); + if (my_host && my_host->get_port(my_host) == 0) 
@@ -419,42 +400,28 @@ index 987260d..2f44f7c 100644 + DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H", + peer_cfg->get_name(peer_cfg), my_host, other_host); - if (!this->reuse_ikesa) - { /* IKE_SA reuse disable by config */ -@@ -1365,14 +1399,24 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - continue; - } - -- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); -+ ike_sa = entry->ike_sa; -+ if (my_host && !my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa))) -+ { -+ continue; -+ } -+ if (other_host && !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa))) -+ { -+ continue; -+ } + if (this->reuse_ikesa) + { +@@ -1359,6 +1392,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + { /* skip IKE_SAs which are not usable */ + continue; + } + -+ current_peer = ike_sa->get_peer_cfg(ike_sa); - if (current_peer && current_peer->equals(current_peer, peer_cfg)) - { - current_ike = current_peer->get_ike_cfg(current_peer); - if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) ++ if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa))) ++ { ++ continue; ++ } ++ if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa))) ++ { ++ continue; ++ } ++ + current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); + if (current_peer && current_peer->equals(current_peer, peer_cfg)) { - entry->checked_out = TRUE; -- ike_sa = entry->ike_sa; -+ matched = TRUE; - DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", - ike_sa->get_unique_id(ike_sa), - current_peer->get_name(current_peer)); -@@ -1382,9 +1426,13 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - } - enumerator->destroy(enumerator); - -- if (!ike_sa) -+ if (!matched) - { /* no IKE_SA using such a config, hand out a new */ +@@ -1388,6 +1431,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + return NULL; + } ike_sa = checkout_new(this, 
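Review bot: The two added `ip_equals()` filter conditions in the `reuse_ikesa` loop run well past the 80-column width the surrounding strongSwan code keeps to (compare the wrapped `current_ike->equals(current_ike,` / `peer_cfg->get_ike_cfg(peer_cfg))` call in the same function); wrapping them as `if (my_host && !my_host->ip_equals(my_host,` / `entry->ike_sa->get_my_host(entry->ike_sa)))` (and likewise for other_host) keeps the local patch in upstream style and makes future rebases of this patch less noisy. Matching on ip_equals() ignores the port, which presumably pairs with the `get_port(my_host) == 0` handling added earlier in this patch (its body is not visible here); a short comment like `/* match on address only, port overrides are handled above */` would make that explicit to a reader of the rebased patch. checkout_by_config() starts and ends outside this hunk.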
peer_cfg->get_ike_version(peer_cfg), TRUE); + if (my_host || other_host) + { @@ -493,10 +460,10 @@ index f259d8e..5a69083 100644 /** * Check for duplicates of the given IKE_SA. diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c -index d6ff3c8..eeb188e 100644 +index 424d9e7..62a70f5 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c -@@ -351,7 +351,8 @@ METHOD(trap_manager_t, acquire, void, +@@ -421,7 +421,8 @@ METHOD(trap_manager_t, acquire, void, this->lock->unlock(this->lock); ike_sa = charon->ike_sa_manager->checkout_by_config( @@ -586,5 +553,5 @@ index eb7b6ad..706fa57 100644 {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch index e8853d9cc..773722064 100644 --- a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch +++ b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch @@ -1,4 +1,4 @@ -From c1a33f1b826536a90951be611de9804a3a524b32 Mon Sep 17 00:00:00 2001 +From dde551360cbe9ac09f1cd2d01047131c6332c576 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Thu, 30 Apr 2015 12:08:13 +0300 Subject: [PATCH] vici: send certificates for ike-sa events @@ -102,5 +102,5 @@ index d94d760..3d461f7 100644 b->begin_section(b, child_sa->get_name(child_sa)); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch index 95d67eff5..a52450306 100644 --- a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch +++ b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch 
@@ -1,4 +1,4 @@ -From 9a695f579173f087c9e72620fa70d6e28171e1f9 Mon Sep 17 00:00:00 2001 +From b8b84525b8c8c9e5cc1d1409a89347bb8869f893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Thu, 30 Apr 2015 10:58:15 +0300 Subject: [PATCH] vici: add support rekeying events, and individual sa state @@ -209,5 +209,5 @@ index 3d461f7..ade181c 100644 .destroy = _destroy, }, -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1004-vici-support-asynchronous-initiation.patch b/main/strongswan/1004-vici-support-asynchronous-initiation.patch index 5c9948279..dc95bde74 100644 --- a/main/strongswan/1004-vici-support-asynchronous-initiation.patch +++ b/main/strongswan/1004-vici-support-asynchronous-initiation.patch @@ -1,4 +1,4 @@ -From 4564b52fdbb6e588398178e607023fbac2819da8 Mon Sep 17 00:00:00 2001 +From 21efa8dbe5aab423b452277d6aa70f9c14e2f440 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Thu, 28 May 2015 13:06:51 +0300 Subject: [PATCH] vici: support asynchronous initiation @@ -12,7 +12,7 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi> 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c -index d37e11f..66478fd 100644 +index 55f667b..da2b68f 100644 --- a/src/libcharon/plugins/vici/vici_control.c +++ b/src/libcharon/plugins/vici/vici_control.c @@ -187,7 +187,7 @@ CALLBACK(initiate, vici_message_t*, @@ -43,5 +43,5 @@ index d37e11f..66478fd 100644 case SUCCESS: msg = send_reply(this, NULL); -- -2.4.5 +2.4.6 diff --git a/main/strongswan/1005-ikev1-message-priorities.patch b/main/strongswan/1005-ikev1-message-priorities.patch deleted file mode 100644 index f7bb7ac69..000000000 --- a/main/strongswan/1005-ikev1-message-priorities.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c -index a6795e7..bb77b3d 100644 ---- a/src/libcharon/processing/jobs/process_message_job.c -+++ b/src/libcharon/processing/jobs/process_message_job.c -@@ -90,14 +90,20 @@ METHOD(job_t, get_priority, job_priority_t, - switch (this->message->get_exchange_type(this->message)) - { - case IKE_AUTH: -+ case ID_PROT: -+ case AUTH_ONLY: -+ case AGGRESSIVE: - /* IKE auth is rather expensive and often blocking, low priority */ - return JOB_PRIO_LOW; - case INFORMATIONAL: -+ case INFORMATIONAL_V1: -+ case TRANSACTION: - /* INFORMATIONALs are inexpensive, for DPD we should have low - * reaction times */ - return JOB_PRIO_HIGH; - case IKE_SA_INIT: - case CREATE_CHILD_SA: -+ case QUICK_MODE: - default: - /* IKE_SA_INIT is expensive, but we will drop them in the receiver - * if we are overloaded */ diff --git a/main/strongswan/1006-fix-printf-strlen.patch b/main/strongswan/1006-fix-printf-strlen.patch deleted file mode 100644 index ad5948d24..000000000 --- a/main/strongswan/1006-fix-printf-strlen.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -index 466c673..219c7bd 100644 ---- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c -@@ -843,14 +843,14 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap) - /* String */ - sarg = va_arg(ap, const char *); - sarg = sarg ? sarg : "(null)"; -- slen = strlen(sarg); -+ slen = prec ? strnlen(sarg, prec) : strlen(sarg); - goto is_string; - } - case 'm': - { - /* glibc error string */ - sarg = strerror(errno); -- slen = strlen(sarg); -+ slen = prec ? strnlen(sarg, prec) : strlen(sarg); - goto is_string; - } - is_string: 
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD index 965fd3c17..4192088aa 100644 --- a/main/strongswan/APKBUILD +++ b/main/strongswan/APKBUILD @@ -3,7 +3,7 @@ pkgname=strongswan pkgver=5.3.2 _pkgver=${pkgver//_rc/rc} -pkgrel=6 +pkgrel=7 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="http://www.strongswan.org/" arch="all" 
@@ -16,17 +16,36 @@ makedepends="$depends_dev linux-headers" install="$pkgname.pre-install" subpackages="$pkgname-doc $pkgname-dbg" source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2 - 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch - 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch - 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch - 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch - 0005-vici-Optionally-check-limits-when-initiating-connect.patch + 0001-vici-Asynchronize-debug-logging.patch + 0002-host-Properly-handle-NULL-in-host_create_from_string.patch + 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch + 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch + 0004-ike-Use-address-family-of-local-address-when-resolvi.patch + 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch + 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch + 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch + 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch + 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch + 0010-shunt-manager-Remove-stored-entries-if-installation-.patch + 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch + 0012-daemon-Flush-shunts-before-unloading-plugins.patch + 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch + 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch + 0015-ike-rekey-Fix-cleanup-call.patch + 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch + 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch + 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch + 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch + 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch + 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch + 0204-vici-Optionally-check-limits-when-initiating-connect.patch + 
0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch + 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch + 0401-printf-hook-builtin-Fix-invalid-memory-access.patch 1001-charon-add-optional-source-and-remote-overrides-for-.patch 1002-vici-send-certificates-for-ike-sa-events.patch 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch 1004-vici-support-asynchronous-initiation.patch - 1005-ikev1-message-priorities.patch - 1006-fix-printf-strlen.patch 2001-support-gre-key-in-ikev1.patch strongswan.initd 
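Review bot: Two of the newly listed patches share the `0002-` prefix (`0002-host-Properly-handle-NULL-in-host_create_from_string.patch` and `0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch`), which breaks the otherwise sequential numbering of the 00xx upstream series. If prepare() applies patches in `$source` order (prepare() is not visible here) this is harmless, but anyone sorting the series by filename gets an ambiguous order between the two; renaming one to the next free number, or renumbering 0003–0016, keeps the convention the rest of the list follows. The split between upstream cherry-picks (00xx–04xx) and local patches (1001+) is only implied by the numbering; a one-line comment above the patch list stating it would help whoever rebases the set on the next release.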
@@ -111,47 +130,104 @@ package() { } md5sums="fab014be1477ef4ebf9a765e10f8802c strongswan-5.3.2.tar.bz2 -eb8d38dbf918e5f3adfd55f8ace7aeb1 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch -53982788f8ab0962193f695da30a8a94 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch -c46a4f2b21a83988512f6108e154620b 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch -8b5ea458119df0c1ecee181c0f7f7c57 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch -0f8316631df321caad6c9b6b5c0b6e5c 0005-vici-Optionally-check-limits-when-initiating-connect.patch -b7244e10364e6348665048b9eec43cc6 1001-charon-add-optional-source-and-remote-overrides-for-.patch -4970959a1722b4139e7a22a2d93e866d 1002-vici-send-certificates-for-ike-sa-events.patch -89f7d85291d6a82230e5337cfa071a67 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch -aac217481a1a8ae68719771039c27354 1004-vici-support-asynchronous-initiation.patch -3accc4500255622cb14844e7111e2932 1005-ikev1-message-priorities.patch -9b6175216c1761305f2048d9d88865a0 1006-fix-printf-strlen.patch +78960bec9b1d3be2db9bfe8d73347ceb 0001-vici-Asynchronize-debug-logging.patch +f05c992e0c79a254fe8dfe3989d29ae6 0002-host-Properly-handle-NULL-in-host_create_from_string.patch +5d2720f3b0f9ae4632703c8638e29088 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch +413d0409a1232de61d61e99d7e57c2f5 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch +0660bab646fc9dbf99a5f9485e570b0e 0004-ike-Use-address-family-of-local-address-when-resolvi.patch +30ac430b88cdfb23546a3ac1a6247d6c 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch +de114c8e0f0fb84aaef46b55b912c7df 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch +a99f6c1cc578b17e9c69378869942ffd 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch +e7e8b6171239f3462f8f6739fcfdc56b 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch +400a514e50a378265a0ec1cff46f1f02 
0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch +551d01ca98e3e8b6bfea54938c576ec6 0010-shunt-manager-Remove-stored-entries-if-installation-.patch +b5f4a1a5cd7e5f10e9487a23078bcbab 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch +65341200450445191b67914df2629fe6 0012-daemon-Flush-shunts-before-unloading-plugins.patch +1ea2d1a97aa37bac24a1ec9b1ce7c985 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch +054b28fd78fccb20b993ec2679f98bc6 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch +6b57da364f1222eb2a8eda8f146c784b 0015-ike-rekey-Fix-cleanup-call.patch +0941f8e871fff5ab8c984830d23b35a1 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch +d97c846c00c60a35925662ba551495df 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch +d73abf4c9c3354120152144e7985d428 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch +c3f86cc9b0866f2e748f40d3058a5b14 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch +55feb2633c42927672113e44465fd824 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch +d57e117d13da147910e2ae09219d2492 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch +8e79293070086233035a93322b935048 0204-vici-Optionally-check-limits-when-initiating-connect.patch +c46165934687326a26ec9153a34e2227 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch +9b607cf38cff83547368d82fa34d716f 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch +c7c0338de6dc4993cb8cb71238fd13dc 0401-printf-hook-builtin-Fix-invalid-memory-access.patch +06607758b690f2db961d84e26ee7d6ea 1001-charon-add-optional-source-and-remote-overrides-for-.patch +1aae491acf4739d871a64cd4481551f6 1002-vici-send-certificates-for-ike-sa-events.patch +b0f2d10bc3dc89f3bba28fead6687311 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch +ca53b3df714aa588af99d4f720c4318b 1004-vici-support-asynchronous-initiation.patch b9f874287c35cce075b761087c28ab50 
2001-support-gre-key-in-ikev1.patch 85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd 7962a720ebef6892d80a3cbdab72c204 charon.initd" sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2 -bce611d5f3d773589c6a751aec7fbaab39c8926134cab6fe2d5586639244bdc0 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch -4e1f76a76278c7621ca860156c25dfda90a7d9010b6426a9fd7c74c190166043 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch -fb7478cad812e40134f5796c5faea4f939a71c4676efe9d17573041b696a61c7 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch -31f8e5c1f451ed14045072cd13f2085c39f064403f264d12fb2f75aa5e996f5a 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch -a5601aa4ce0be4ac74f482817fd64c60e4986781271a2ed354806bbcbcd2223b 0005-vici-Optionally-check-limits-when-initiating-connect.patch -a3d471cbcc9481264352ca029b70ad8f85fab15495a4aef3cbb209fc19765436 1001-charon-add-optional-source-and-remote-overrides-for-.patch -baa8ee13f207f5e89b34b759c355e48ed79138fabcd9af841692afb15cf8b61f 1002-vici-send-certificates-for-ike-sa-events.patch -e0de13d4fc6d66e33973696d62b4a45cd63b5fa6c477891e7651102c2bc3a4d7 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch -295476ace69d36f1059c48afb99ec5180086710146a6e10c28c7eed96759a976 1004-vici-support-asynchronous-initiation.patch -0e814067bf47e9b4a0127b5197ea321e1398b1bc8e0635d576898fc977233d67 1005-ikev1-message-priorities.patch -2b5d384a73373e16dc8bf75e55149173de00f454fe0de1b65296e73e68275042 1006-fix-printf-strlen.patch +37da81cde0afd5b2d025a62b36020ff4739bccc086bcfd1528e461534b99e1e8 0001-vici-Asynchronize-debug-logging.patch +ee88c4636efb8e06ff66e50e82b5de5a2f49a2b60042b157b09c110332db1f2c 0002-host-Properly-handle-NULL-in-host_create_from_string.patch +442b721d4ee156e5bb8167f4f5831abe727d8440b26f0ba91a32f21eade14305 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch 
+28fb9b57d5c02ae2b10e283f13de4d7257913a44ce68e287f73144d4fe2c0972 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch +e8e967357a6741df02b80fcd75729044179549e24623d483c1f4ee603a83152b 0004-ike-Use-address-family-of-local-address-when-resolvi.patch +a246364122d40ef70091cdf86ea16413a20f3461e137f8209c58959dfaf09396 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch +79861e897dd8e973d2426f083079adb74cc3c281b1c891eb6fbf7e569f0b74f4 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch +a9f59b91d3ac04fd52684fd4143545452368d65af9f6026020ba95eae114c103 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch +1b463d03b3ce0cf5223bacb08155b69c1c362fa311b1af20cb79b392ac6a233e 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch +3679e3f63a72c1f32b67ab71f60f8922384cbdeb916beca779bc7776db0332fe 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch +cd1d28855c13c9544c6f4caa619a00226d8c84cc75c3e88f962ebea9736619ad 0010-shunt-manager-Remove-stored-entries-if-installation-.patch +ce95459cea9eaa4d7f1695e10f99ca886d428843ada8134e8f337dce957cdda0 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch +b8b82e4b99c70cd76b09a2c7d6144e1e572bee6b4c821fcf7338d1692e1843cb 0012-daemon-Flush-shunts-before-unloading-plugins.patch +2c4a898a4b17e196acc44947f4b48688649d29ac15c0d19e14d664bf0d9f0274 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch +a1b61e2aafcd502c8398bfefd556dfb1429d862faecc5d6c0c843e7da215abf3 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch +ef5f7d38483909ae3aff5e474ac6f5f20804645ead6a6108f2534408434023ff 0015-ike-rekey-Fix-cleanup-call.patch +257931d4443a4ed2284bf8872e73ab1e93c0d69f490e1b9b3bb2b12210cec677 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch +130db52dea23eae4081bf25c5ef050f9dfbaa4e7e99dc0a623fdfc991eb4c5c7 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch +16a41ef4cf25e3432c8a61aa34ac12d6eccd5796d921c75d72570d4f9fda2717 
0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch +ab4042b193a68d3ff771be006fdea81eb786fee7b7c4c8c24aa60ef3372de9c8 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch +f81bb1934c67263e0fcb75ffa449f7d663a17ffacc4d76d233acaed54e13b10d 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch +7aac3748cabf9293701924b6e6a3f0bb74c4d4302a019eb8012af48473f35b67 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch +3060dd59d44de1f6e7b82146db4b09c3fd80869c75e9a31823bcbdd9f66ac923 0204-vici-Optionally-check-limits-when-initiating-connect.patch +6ee2826d8f2acf4010886b9990c4fe1f1be99e869144f3dd3705e38184300ca1 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch +d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch +74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6 0401-printf-hook-builtin-Fix-invalid-memory-access.patch +d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc 1001-charon-add-optional-source-and-remote-overrides-for-.patch +b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34 1002-vici-send-certificates-for-ike-sa-events.patch +c0b39aaaf97f3797ef327a465e1468aa166044875b194e899999dc7c0723fc4c 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch +cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1 1004-vici-support-asynchronous-initiation.patch ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 2001-support-gre-key-in-ikev1.patch ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd" sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2 
-5ec6fd6160a55d7313f8dd3315a353d426f98ea57d167e73e97bff25ca175d2848f7ea0956cb2ec9cbca24f2be1dc0c1b1d123ee947f64baa6dfc712d04e77e1 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-ee5dc2d2c719895e69d9a0324b48d43b4b86122eb8848143db7a4a629e79d594deeb4a000a429c85a31552358e9e1e2a7de8a1917c6ebb075a77281f074e0740 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-7da65c2f5459811e4c6a1643d42eca0dedd206335a0127277a6f11cf15a75a2a546848219065517d065016639ffa2e2b40f275cca7083adc3ee545f3e051e050 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch
-4192aa916c5018046a21bb2d94e82ae35a81f4f462107f81b2f1b0a95372f212411852768d34ec3937c141570789b8ac1a1734552b0a07cac96a085fe28bc848 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-4a36a0c9c456537e6b71975e6947a15a0fdcda875454ded4d23f9d1073c9258b901d7a4116786f63a590f30725cc41c23eca414e0757f240cc4f4eb8e56cb285 0005-vici-Optionally-check-limits-when-initiating-connect.patch
-4cfe0b15a28b600b51be2ae270d303a65854756e30d60d8d897e0106f77ba7e05ec1625cc7cfafce54443bcb8c72ded09aa759f2540589afea491c81a05e65f0 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-142e3207aa3646a82ed1831635ef16003b86625f763927d56e074aeb5d6d04f108a21f713f877afc48119ee3df784af727e5bee8dddf0671dc2a6058f9708af4 1002-vici-send-certificates-for-ike-sa-events.patch
-1781b8de169d0d41f8cb4d63c0b85b1e9eae2d52935d3753a876e8fee542ab58933be11c36f2a230233144c94c12c1d7641dbb58c89481e27d889e7f17fad87e 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-aaf0701a4564fdce9d4422e8c33ea704142e371392cb7fa552cf0c71cb00d0dbd5901c21e45fadc23798cfdb95066da9d24b2f2b9b037761e670ee30f4b93b35 1004-vici-support-asynchronous-initiation.patch
-bd4c9575d2aebbae48d49ef5e3fcfa0c0366c8d100a0190706b5fff7332ab34ca5f862ba8a3fe9cdcf9996371b554ab0f6561e16d57d6e425497ab015e46299a 1005-ikev1-message-priorities.patch
-dd9d873d63ae9ed47bc61b122e33be406498ca707c53560c704b87b986904f1fbfe6f293df6a6f79a0359ff9b3686fcf26e91624eb73d8139b4afe1bd26f7798 1006-fix-printf-strlen.patch
+d3135206f61496d0877b22c52c0f4246d17777935a4277bfc6e7ca8b69fb2754a52fed7e8691292df91745c00fa0d597f11cd866bb4ee91453c0e252ba77eef8 0001-vici-Asynchronize-debug-logging.patch
+87ab03664dddf30ed1ae1a1e1fc2a22715a0e74b220f316937cf0f86a5b9c38262fd8a9ad62aa1866405d0bf552d33a62621c8b91634e6bd3c7967b6e7955894 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
+8f16ab691c7e778894f0fc8889ac9be8813da27e09fb304443e9053f2ed384ccd3976d7956f762136c94c870dabe808d3f97116f4573bb0df74299f1da34d643 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
+dbb5454e32cea4e671fdb109e2252536d2f8ee97097a45ad280010de7d6b7fedeb40c0418ae2af45a4393b98ac6badd9072846259be6ca823f056919fcd3b985 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
+73dcb7874aadcf641051cef91d83158fa8a1c664c094d131fcd5ad9d1c5d00abec5a75dd92780fabf2c0690079aad73275af885a83c8791c62025593fa7af61c 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
+8e3636933b7ee3eddb28b9797e3da21c494e470067bc6996509bd28a9894e037fa7575d68fb717247762dc468543b67d965745370cb1335b1f9fbc6bdf260f6e 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
+e970869f5552557d18133bb279b98a81b7d12a6656bddccfcfbdb2b2dc80ad90cc4d1d63135b3682ccb26c83408790c792de9d64056a97c1b7df16f0b159d179 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
+65a20b7d059770786c5912811db8692ab9c03a3527f83d0d23e14db4da8c64c3ed43de7a04ba1cf2a794551471ee9456e70f723b0bb4599792a668edea1f6e77 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
+e5bd98af84b248642fb6206497c7d2fca7e42362632171e271a8a715179d10f3590eb25a7b38c9fbc058c82d657668c01e9b98d8ef1f422d0887e710342eff36 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
+c4a30bbff90c2ef59e9bebb64d336bddde811f0ffba3dcef423dc71a17e98be26192f8aa8654702e9a2cdc9dbfc8ec960fbf1a126c411efef6f95dc1a19c518e 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+6e11b006b4fd0c6d000ff301ce18170bf9540f567ada2eb23f0f1c705be8d0f9299364313249cef5528858e75c10ba9d65315c941b49cb12ae07808d3b6e1faa 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+2a5503558dcfe654335d9b6b7056e9888b2304389bb76369b8222d54add6c8a9895ab175701eeb636c42f0df53d1078fdae7a9f11167fc2beadad82de68b0e4c 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+4e3ac34b2ecca6c1eefd9354a96a1a1fe7499571d2c5756c1cc889c23e125073517c6af57047de5b96bbc6acf9c6bb8c677df4206633f67551336fa8e62c77fb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
+f643be8dbc32c27f2c31ac91612ae7d2f1a34e9387257d1247cd8c7fb8e5b9c58fc0b8448dd692723a6f7f2ac4d4629ffa2c440c40f5f1bfb550f1cc526b3916 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+bd161f1d4fa2881c8c07c2b7bccc0b9f06a99b12203d00329c8295f8a5ebe49f6cf27eca286ddd3c9e443fe132c64cae6849d691ddeda49b5fe716aebc73441e 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+3f8c5ed171eb7c99218005b038ff0e0bc23841aab76cb97fbb7b8a3091b9f5ba318bd23c347de42bd969ac599f3d5f1b6bcf5110d5e23643858b24a719374f50 0015-ike-rekey-Fix-cleanup-call.patch
+bdc74e2b6f91e94aa0041927ff5cf3f2f5d67d5d37a0c389a2b6328919bd9f2f0376957676fd359009117a1d01cd06ecfadb7151bd7875c1df5cb82e159a378a 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+2d667eeba6d567008d8fe27d4dafa9a913c7aafa096258d7b5c95e2d8428e9dc8a40ace9e729a3d323e8d639d2ae3dae945904f90a39076c5ca5ddba7d70a0b6 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+539bfec16350c035f7ce2f3551b52ba2e22c75146a6c1494f4b25ec283f2245b7a03be9470c0e0cd3e6fc368bcf1bda60ce8166928737ab396e6cf88ffafaf79 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88ab1635ba30f9ff0ca9945aa264b3213561548648d64eb25ae 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+9a2cb61c55a03977fc4bce42fdf043706498c86d69ea094852735b2ef525fbc0f81bad33aad7afc29ef301f3e2146746b56f458980529057e05007e0bab7b972 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+95e3544a87bf503ed17059298ec6330501f39a2210e583fed59c5d03ef25b8d8227317016bf0181e49c87a7e36e1d902b0b24bda184d2166f3ad5b79166ce0dd 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+055b7769b0f587a77585ccf8e44c30fdf0981a1418f8e426eb696cfde671ac0013b355fdfb9e73ed3605c97a3a8c5f8ac38a2a0a137a5b87f9d6491752254543 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+6b01e9810566e4f928fa72f01b5fa6cdbddaf1045433cb5b73b5a3d1cd73260ff195709e4d46384c2aa6540e4e62ad9021d9cad19b2061bc0153581e74cf2d0e 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+8788fb376eaf57d9f277cac785db08578de3992e2484e7ab21ec044bc91000565ecb2adae4d2632f43ca6ed76519fd4422d86a3ba07a499594fbd7a61298458c 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
+86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
+2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881 1002-vici-send-certificates-for-ike-sa-events.patch
+1ea845551c7da2a7817e34508b0da3f3f0bba879f3b95d08c8db0a6b32adaf50363556daa6ee2e0f11c1ee6c41077d39ba54dbd40e457a02a991add19fe115ef 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6 1004-vici-support-asynchronous-initiation.patch
 723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 2001-support-gre-key-in-ikev1.patch
 b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd" |