aboutsummaryrefslogtreecommitdiffstats
path: root/main/strongswan
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2015-07-28 11:33:38 +0300
committerTimo Teräs <timo.teras@iki.fi>2015-07-28 11:35:47 +0300
commitfc1ceeb02b3e149645205e67bcc009e742140590 (patch)
treeb559837b40485a7c0f77ce6459c03f131191283d /main/strongswan
parentc3aa1460dbeb4e1e10972fc00314d7a80413707e (diff)
downloadaports-fc1ceeb02b3e149645205e67bcc009e742140590.tar.bz2
aports-fc1ceeb02b3e149645205e67bcc009e742140590.tar.xz
main/strongswan: cherry-pick upstream fixes
also fixes a minor memory leak in patch 1001 (the offending hunk is now just deleted, as other upstream commits fixed the issue it tried to address)
Diffstat (limited to 'main/strongswan')
-rw-r--r--main/strongswan/0001-vici-Asynchronize-debug-logging.patch169
-rw-r--r--main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch67
-rw-r--r--main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch91
-rw-r--r--main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch106
-rw-r--r--main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch48
-rw-r--r--main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch37
-rw-r--r--main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch33
-rw-r--r--main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch260
-rw-r--r--main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch118
-rw-r--r--main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch112
-rw-r--r--main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch43
-rw-r--r--main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch153
-rw-r--r--main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch27
-rw-r--r--main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch105
-rw-r--r--main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch31
-rw-r--r--main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch34
-rw-r--r--main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch27
-rw-r--r--main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch (renamed from main/strongswan/0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch)2
-rw-r--r--main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch (renamed from main/strongswan/0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch)2
-rw-r--r--main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch24
-rw-r--r--main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch (renamed from main/strongswan/0003-controller-Optionally-adhere-to-init-limits-also-whe.patch)19
-rw-r--r--main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch (renamed from main/strongswan/0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch)4
-rw-r--r--main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch (renamed from main/strongswan/0005-vici-Optionally-check-limits-when-initiating-connect.patch)4
-rw-r--r--main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch96
-rw-r--r--main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch46
-rw-r--r--main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch68
-rw-r--r--main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch121
-rw-r--r--main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch4
-rw-r--r--main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch4
-rw-r--r--main/strongswan/1004-vici-support-asynchronous-initiation.patch6
-rw-r--r--main/strongswan/1005-ikev1-message-priorities.patch25
-rw-r--r--main/strongswan/1006-fix-printf-strlen.patch21
-rw-r--r--main/strongswan/APKBUILD158
33 files changed, 1872 insertions, 193 deletions
diff --git a/main/strongswan/0001-vici-Asynchronize-debug-logging.patch b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
new file mode 100644
index 000000000..c756f9d3e
--- /dev/null
+++ b/main/strongswan/0001-vici-Asynchronize-debug-logging.patch
@@ -0,0 +1,169 @@
+From 856ea64129cdc7ee56969524d7abaaae08c22c6a Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Thu, 2 Jul 2015 09:10:21 +0200
+Subject: [PATCH] vici: Asynchronize debug logging
+
+The vici logger uses the listener_t.log() callback to raise vici events.
+
+When doing so, it holds the bus lock as reader while acquiring the vici socket
+mutex (1). If at the same time the vici socket enables a writer, that thread
+tries to lock the watcher mutex (2). The watcher thread uses debugging while
+holding the lock, i.e. acquires the bus read lock (3).
+
+(1) bus.rlock -> vici.lock!
+(2) vici.lock -> watcher.lock!
+(3) watcher.lock -> bus.rlock!
+
+This all actually would resolve just fine, as we have a shared read lock on the
+bus. However, under Windows we seem to have a strict writer preference when
+acquiring the rwlock (4). This results in blocking read locks until any pending
+write lock can be fulfilled, and makes the constellation deadlock. The relevant
+threads are:
+
+Thread (1)
+6 0x71313d25 in wait_ at threading/windows/mutex.c:137
+7 0x7054c8a2 in find_entry at vici_socket.c:201
+8 0x7054d690 in send_ at vici_socket.c:624
+9 0x7054f6c1 in send_op at vici_dispatcher.c:119
+10 0x705502c1 in raise_event at vici_dispatcher.c:469
+12 0x704c3878 in log_cb at bus/bus.c:332
+13 0x712c7c3a in invoke_function at collections/linked_list.c:414
+14 0x704c3a63 in vlog at bus/bus.c:400
+15 0x704c3b36 in log_ at bus/bus.c:430
+18 0x70508f1f in process_response at sa/ikev2/task_manager_v2.c:664
+20 0x704f5430 in process_message at sa/ike_sa.c:1369
+21 0x704e3823 in execute at processing/jobs/process_message_job.c:74
+22 0x712e629f in process_job at processing/processor.c:235
+
+Thread (2)
+4 0x71313b61 in lock at threading/windows/mutex.c:66
+5 0x712e81fd in add at processing/watcher.c:441
+6 0x712e1ab9 in add_watcher at networking/streams/stream.c:213
+7 0x712e1b4d in on_write at networking/streams/stream.c:237
+8 0x7054d606 in _cb_enable_writer at vici_socket.c:609
+9 0x712e5e34 in execute at processing/jobs/callback_job.c:77
+10 0x712e629f in process_job at processing/processor.c:235
+
+Thread (3)
+3 0x71313f38 in read_lock at threading/windows/rwlock.c:74
+4 0x704c3971 in vlog at bus/bus.c:373
+5 0x704cc156 in dbg_bus at daemon.c:126
+6 0x712e7bf9 in watch at processing/watcher.c:316
+7 0x712e5e34 in execute at processing/jobs/callback_job.c:77
+8 0x712e629f in process_job at processing/processor.c:235
+
+Thread (4)
+3 0x71313f70 in write_lock at threading/windows/rwlock.c:82
+4 0x704c378b in remove_logger at bus/bus.c:290
+5 0x704cb284 in listener_unregister at control/controller.c:166
+6 0x713136cd in thread_cleanup_pop at threading/windows/thread.c:558
+8 0x704cb94e in initiate at control/controller.c:435
+9 0x70553996 in _cb_initiate at vici_control.c:187
+12 0x7054d200 in _cb_process_queue at vici_socket.c:508
+13 0x712e5e34 in execute at processing/jobs/callback_job.c:77
+14 0x712e629f in process_job at processing/processor.c:235
+
+To avoid such a situation, we dissolve the (1) lock sequence. It's actually
+never good practice to acquire shared locks during bus hooks, as it is
+problematic if we raise bus events while holding the lock. We do so by
+raising vici events for log message asynchronously, but of curse must keep
+log order as is using a synchronized queue.
+---
+ src/libcharon/plugins/vici/vici_logger.c | 48 +++++++++++++++++++++++++++++++-
+ 1 file changed, 47 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c
+index cffd65b..6d3584e 100644
+--- a/src/libcharon/plugins/vici/vici_logger.c
++++ b/src/libcharon/plugins/vici/vici_logger.c
+@@ -18,6 +18,7 @@
+
+ #include <daemon.h>
+ #include <threading/mutex.h>
++#include <processing/jobs/callback_job.h>
+
+ typedef struct private_vici_logger_t private_vici_logger_t;
+
+@@ -42,11 +43,54 @@ struct private_vici_logger_t {
+ int recursive;
+
+ /**
++ * List of messages to raise async events
++ */
++ linked_list_t *queue;
++
++ /**
+ * Mutex to synchronize logging
+ */
+ mutex_t *mutex;
+ };
+
++/**
++ * Async callback to raise events for queued messages
++ */
++static job_requeue_t raise_events(private_vici_logger_t *this)
++{
++ vici_message_t *message;
++ u_int count;
++
++ this->mutex->lock(this->mutex);
++ count = this->queue->get_count(this->queue);
++ this->queue->remove_first(this->queue, (void**)&message);
++ this->mutex->unlock(this->mutex);
++
++ if (count > 0)
++ {
++ this->dispatcher->raise_event(this->dispatcher, "log", 0, message);
++ }
++ if (count > 1)
++ {
++ return JOB_REQUEUE_DIRECT;
++ }
++ return JOB_REQUEUE_NONE;
++}
++
++/**
++ * Queue a message for async processing
++ */
++static void queue_messsage(private_vici_logger_t *this, vici_message_t *message)
++{
++ this->queue->insert_last(this->queue, message);
++ if (this->queue->get_count(this->queue) == 1)
++ {
++ lib->processor->queue_job(lib->processor, (job_t*)
++ callback_job_create((callback_job_cb_t)raise_events,
++ this, NULL, NULL));
++ }
++}
++
+ METHOD(logger_t, log_, void,
+ private_vici_logger_t *this, debug_t group, level_t level, int thread,
+ ike_sa_t* ike_sa, const char *msg)
+@@ -75,7 +119,7 @@ METHOD(logger_t, log_, void,
+ message = builder->finalize(builder);
+ if (message)
+ {
+- this->dispatcher->raise_event(this->dispatcher, "log", 0, message);
++ queue_messsage(this, message);
+ }
+ }
+ this->recursive--;
+@@ -101,6 +145,7 @@ METHOD(vici_logger_t, destroy, void,
+ private_vici_logger_t *this)
+ {
+ manage_commands(this, FALSE);
++ this->queue->destroy_offset(this->queue, offsetof(vici_message_t, destroy));
+ this->mutex->destroy(this->mutex);
+ free(this);
+ }
+@@ -121,6 +166,7 @@ vici_logger_t *vici_logger_create(vici_dispatcher_t *dispatcher)
+ .destroy = _destroy,
+ },
+ .dispatcher = dispatcher,
++ .queue = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
+ );
+
+--
+2.4.6
+
diff --git a/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch
new file mode 100644
index 000000000..ff79e322e
--- /dev/null
+++ b/main/strongswan/0002-host-Properly-handle-NULL-in-host_create_from_string.patch
@@ -0,0 +1,67 @@
+From 65579569adfa0e2c9602ee250f4554169ba5a87d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 11 Jun 2015 15:07:07 +0200
+Subject: [PATCH] host: Properly handle NULL in
+ host_create_from_string[_and_family]
+
+---
+ src/libstrongswan/networking/host.c | 4 ++++
+ src/libstrongswan/tests/suites/test_host.c | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
+index 07da3ef..2e464b0 100644
+--- a/src/libstrongswan/networking/host.c
++++ b/src/libstrongswan/networking/host.c
+@@ -354,6 +354,10 @@ host_t *host_create_from_string_and_family(char *string, int family,
+ struct sockaddr_in6 v6;
+ } addr;
+
++ if (!string)
++ {
++ return NULL;
++ }
+ if (streq(string, "%any"))
+ {
+ return host_create_any_port(family ? family : AF_INET, port);
+diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c
+index 7161b2c..5cb8013 100644
+--- a/src/libstrongswan/tests/suites/test_host.c
++++ b/src/libstrongswan/tests/suites/test_host.c
+@@ -104,6 +104,9 @@ START_TEST(test_create_from_string_v4)
+ {
+ host_t *host;
+
++ host = host_create_from_string(NULL, 500);
++ ck_assert(!host);
++
+ host = host_create_from_string("%any", 500);
+ verify_any(host, AF_INET, 500);
+ host->destroy(host);
+@@ -196,6 +199,7 @@ static void test_create_from_string_and_family_addr(char *string, chunk_t addr,
+
+ START_TEST(test_create_from_string_and_family_v4)
+ {
++ test_create_from_string_and_family_any(NULL, AF_INET, AF_UNSPEC);
+ test_create_from_string_and_family_any("%any", AF_INET, AF_INET);
+ test_create_from_string_and_family_any("%any4", AF_INET, AF_INET);
+ test_create_from_string_and_family_any("0.0.0.0", AF_INET, AF_INET);
+@@ -210,6 +214,7 @@ END_TEST
+
+ START_TEST(test_create_from_string_and_family_v6)
+ {
++ test_create_from_string_and_family_any(NULL, AF_INET6, AF_UNSPEC);
+ test_create_from_string_and_family_any("%any", AF_INET6, AF_INET6);
+ test_create_from_string_and_family_any("%any6", AF_INET6, AF_INET6);
+ test_create_from_string_and_family_any("::", AF_INET6, AF_INET6);
+@@ -224,6 +229,7 @@ END_TEST
+
+ START_TEST(test_create_from_string_and_family_other)
+ {
++ test_create_from_string_and_family_any(NULL, AF_UNSPEC, AF_UNSPEC);
+ test_create_from_string_and_family_any("%any", AF_UNSPEC, AF_INET);
+ test_create_from_string_and_family_any("%any4", AF_UNSPEC, AF_INET);
+ test_create_from_string_and_family_any("0.0.0.0", AF_UNSPEC, AF_INET);
+--
+2.4.6
+
diff --git a/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
new file mode 100644
index 000000000..c17141460
--- /dev/null
+++ b/main/strongswan/0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
@@ -0,0 +1,91 @@
+From 390ae7a2c2f899122e722241cb261f53dfc81b9a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Wed, 8 Jul 2015 15:28:46 +0200
+Subject: [PATCH] ike-sa-manager: Safely access the RNG instance with an rwlock
+
+Threads might still be allocating SPIs (e.g. triggered by an acquire or
+an inbound message) while the main thread calls flush(). If there is a
+context switch right after such a thread successfully checked this->rng
+in get_spi() and the main thread destroys the RNG instance right then,
+that worker thread will cause a segmentation fault when it continues and
+attempts to call get_bytes().
+
+Fixes #1014.
+---
+ src/libcharon/sa/ike_sa_manager.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index 938f784..987260d 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
++++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1,7 +1,7 @@
+ /*
+ * Copyright (C) 2005-2011 Martin Willi
+ * Copyright (C) 2011 revosec AG
+- * Copyright (C) 2008-2012 Tobias Brunner
++ * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+@@ -384,6 +384,11 @@ struct private_ike_sa_manager_t {
+ rng_t *rng;
+
+ /**
++ * Lock to access the RNG instance
++ */
++ rwlock_t *rng_lock;
++
++ /**
+ * reuse existing IKE_SAs in checkout_by_config
+ */
+ bool reuse_ikesa;
+@@ -943,12 +948,14 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this)
+ {
+ u_int64_t spi;
+
+- if (this->rng &&
+- this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
++ this->rng_lock->read_lock(this->rng_lock);
++ if (!this->rng ||
++ !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
+ {
+- return spi;
++ spi = 0;
+ }
+- return 0;
++ this->rng_lock->unlock(this->rng_lock);
++ return spi;
+ }
+
+ /**
+@@ -2055,8 +2062,10 @@ METHOD(ike_sa_manager_t, flush, void,
+ charon->bus->set_sa(charon->bus, NULL);
+ unlock_all_segments(this);
+
++ this->rng_lock->write_lock(this->rng_lock);
+ this->rng->destroy(this->rng);
+ this->rng = NULL;
++ this->rng_lock->unlock(this->rng_lock);
+ }
+
+ METHOD(ike_sa_manager_t, destroy, void,
+@@ -2081,6 +2090,7 @@ METHOD(ike_sa_manager_t, destroy, void,
+ free(this->connected_peers_segments);
+ free(this->init_hashes_segments);
+
++ this->rng_lock->destroy(this->rng_lock);
+ free(this);
+ }
+
+@@ -2138,6 +2148,7 @@ ike_sa_manager_t *ike_sa_manager_create()
+ free(this);
+ return NULL;
+ }
++ this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+ this->ikesa_limit = lib->settings->get_int(lib->settings,
+ "%s.ikesa_limit", 0, lib->ns);
+--
+2.4.6
+
diff --git a/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
new file mode 100644
index 000000000..0cf63a3f7
--- /dev/null
+++ b/main/strongswan/0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
@@ -0,0 +1,106 @@
+From 6bfa66069304c1fc1345b4e72762a3b1a80e4338 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 11 Jun 2015 15:42:54 +0200
+Subject: [PATCH] ike-cfg: Add helper function to determine address family of
+ IP addresses
+
+All configured static addresses (hostnames, ranges or subnets are not
+considered) must be of the same family, otherwise AF_UNSPEC is returned.
+---
+ src/libcharon/config/ike_cfg.c | 47 ++++++++++++++++++++++++++++++++++++++++++
+ src/libcharon/config/ike_cfg.h | 13 +++++++++++-
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
+index 9464ceb..dee9e4c 100644
+--- a/src/libcharon/config/ike_cfg.c
++++ b/src/libcharon/config/ike_cfg.c
+@@ -1,4 +1,5 @@
+ /*
++ * Copyright (C) 2012-2015 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+@@ -513,6 +514,52 @@ static void parse_addresses(char *str, linked_list_t *hosts,
+ /**
+ * Described in header.
+ */
++int ike_cfg_get_family(ike_cfg_t *cfg, bool local)
++{
++ private_ike_cfg_t *this = (private_ike_cfg_t*)cfg;
++ enumerator_t *enumerator;
++ host_t *host;
++ char *str;
++ int family = AF_UNSPEC;
++
++ if (local)
++ {
++ enumerator = this->my_hosts->create_enumerator(this->my_hosts);
++ }
++ else
++ {
++ enumerator = this->other_hosts->create_enumerator(this->other_hosts);
++ }
++ while (enumerator->enumerate(enumerator, &str))
++ {
++ if (streq(str, "%any"))
++ { /* ignore %any as its family is undetermined */
++ continue;
++ }
++ host = host_create_from_string(str, 0);
++ if (host)
++ {
++ if (family == AF_UNSPEC)
++ {
++ family = host->get_family(host);
++ }
++ else if (family != host->get_family(host))
++ {
++ /* more than one address family defined */
++ family = AF_UNSPEC;
++ host->destroy(host);
++ break;
++ }
++ }
++ DESTROY_IF(host);
++ }
++ enumerator->destroy(enumerator);
++ return family;
++}
++
++/**
++ * Described in header.
++ */
+ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
+ char *me, u_int16_t my_port,
+ char *other, u_int16_t other_port,
+diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
+index adfcabf..62f5b74 100644
+--- a/src/libcharon/config/ike_cfg.h
++++ b/src/libcharon/config/ike_cfg.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2012 Tobias Brunner
++ * Copyright (C) 2012-2015 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+@@ -254,4 +254,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
+ char *other, u_int16_t other_port,
+ fragmentation_t fragmentation, u_int8_t dscp);
+
++/**
++ * Determine the address family of the local or remtoe address(es). If multiple
++ * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are
++ * not though).
++ *
++ * @param local TRUE to check local addresses, FALSE for remote
++ * @return address family of address(es) if distinct
++ */
++int ike_cfg_get_family(ike_cfg_t *this, bool local);
++
++
+ #endif /** IKE_CFG_H_ @}*/
+--
+2.4.6
+
diff --git a/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch
new file mode 100644
index 000000000..7114d6247
--- /dev/null
+++ b/main/strongswan/0004-ike-Use-address-family-of-local-address-when-resolvi.patch
@@ -0,0 +1,48 @@
+From a11048adee0aeab8af10259f406363d7cc6beccc Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 11 Jun 2015 15:10:29 +0200
+Subject: [PATCH] ike: Use address family of local address when resolving
+ remote host
+
+If static local addresses are configured we should use their address family
+as a hint when resolving the remote address.
+We don't do this if %any is configured as this might break existing
+configurations (%any4 and %any6 are however used as hint).
+---
+ src/libcharon/sa/ike_sa.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
+index 3aafa4c..0c13c58 100644
+--- a/src/libcharon/sa/ike_sa.c
++++ b/src/libcharon/sa/ike_sa.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2006-2014 Tobias Brunner
++ * Copyright (C) 2006-2015 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+@@ -1200,6 +1200,19 @@ static void resolve_hosts(private_ike_sa_t *this)
+ break;
+ }
+
++ /* if an IP address is set locally, use the same family to resolve remote */
++ if (family == AF_UNSPEC && !this->remote_host)
++ {
++ if (this->local_host)
++ {
++ family = this->local_host->get_family(this->local_host);
++ }
++ else
++ {
++ family = ike_cfg_get_family(this->ike_cfg, TRUE);
++ }
++ }
++
+ if (this->remote_host)
+ {
+ host = this->remote_host->clone(this->remote_host);
+--
+2.4.6
+
diff --git a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
new file mode 100644
index 000000000..411bc58df
--- /dev/null
+++ b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
@@ -0,0 +1,37 @@
+From 6f7a3b33bc044e0c212be54be74b9497d513ca86 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 10 Jul 2015 10:23:02 +0200
+Subject: [PATCH] ike: Fall back to the current remote IP if it resolves to
+ %any
+
+In some situations it might be valid for a host that configures
+right=%any to reestablish or reauthenticate an IKE_SA. Using %any would
+immediately abort the initiation causing the new SA to fail (which
+might already have the existing CHILD_SAs assigned).
+
+Fixes #1027.
+---
+ src/libcharon/sa/ike_sa.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
+index 0c13c58..752a756 100644
+--- a/src/libcharon/sa/ike_sa.c
++++ b/src/libcharon/sa/ike_sa.c
+@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this)
+ }
+ if (host)
+ {
+- set_other_host(this, host);
++ if (!host->is_anyaddr(host) ||
++ this->other_host->is_anyaddr(this->other_host))
++ { /* don't set to %any if we currently have an address, but the
++ * address family might have changed */
++ set_other_host(this, host);
++ }
+ }
+
+ if (this->local_host)
+--
+2.4.6
+
diff --git a/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
new file mode 100644
index 000000000..f7517568c
--- /dev/null
+++ b/main/strongswan/0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
@@ -0,0 +1,33 @@
+From 773fcb1605d413997450b59d114a1c035910cc58 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 9 Jul 2015 14:34:19 +0200
+Subject: [PATCH] trap-manager: Properly check-in IKE_SA if initiating fails
+
+This basically reverts f4e822c1b422 ("trap-manager: don't check-in
+nonexisting IKE_SA if acquire fails"). As checkout_by_config() could
+return an already existing and established IKE_SA we have to properly
+destroy it, for instance, in case other threads are waiting to check
+it out. checkin_and_destroy() should handle the case of a new SA
+properly (it produces a log message on level 1, though).
+---
+ src/libcharon/sa/trap_manager.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
+index d6ff3c8..3a70bd1 100644
+--- a/src/libcharon/sa/trap_manager.c
++++ b/src/libcharon/sa/trap_manager.c
+@@ -377,8 +377,8 @@ METHOD(trap_manager_t, acquire, void,
+ }
+ else
+ {
+- ike_sa->destroy(ike_sa);
+- charon->bus->set_sa(charon->bus, NULL);
++ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
++ ike_sa);
+ }
+ }
+ peer->destroy(peer);
+--
+2.4.6
+
diff --git a/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
new file mode 100644
index 000000000..1dea7b139
--- /dev/null
+++ b/main/strongswan/0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
@@ -0,0 +1,260 @@
+From a229bdce625338117966a53efd0475b2c7c84566 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 9 Jul 2015 12:00:56 +0200
+Subject: [PATCH] trap-manager: Changed how acquires we acted on are tracked
+
+This fixes potential race conditions in case complete() or flush() is
+executed before or concurrently with a thread that handles an acquire.
+It will also simplify tracking multiple acquires created for the same
+trap policy in the future.
+
+Also fixes the behavior in some error situations.
+---
+ src/libcharon/sa/trap_manager.c | 122 ++++++++++++++++++++++++++++------------
+ 1 file changed, 86 insertions(+), 36 deletions(-)
+
+diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
+index 3a70bd1..83b6d6a 100644
+--- a/src/libcharon/sa/trap_manager.c
++++ b/src/libcharon/sa/trap_manager.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2011-2013 Tobias Brunner
++ * Copyright (C) 2011-2015 Tobias Brunner
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+@@ -18,10 +18,10 @@
+
+ #include <hydra.h>
+ #include <daemon.h>
++#include <threading/mutex.h>
+ #include <threading/rwlock.h>
+ #include <collections/linked_list.h>
+
+-
+ typedef struct private_trap_manager_t private_trap_manager_t;
+ typedef struct trap_listener_t trap_listener_t;
+
+@@ -67,6 +67,16 @@ struct private_trap_manager_t {
+ trap_listener_t listener;
+
+ /**
++ * list of acquires we currently handle
++ */
++ linked_list_t *acquires;
++
++ /**
++ * mutex for list of acquires
++ */
++ mutex_t *mutex;
++
++ /**
+ * Whether to ignore traffic selectors from acquires
+ */
+ bool ignore_acquire_ts;
+@@ -80,23 +90,45 @@ typedef struct {
+ char *name;
+ /** ref to peer_cfg to initiate */
+ peer_cfg_t *peer_cfg;
+- /** ref to instanciated CHILD_SA */
++ /** ref to instantiated CHILD_SA (i.e the trap policy) */
+ child_sa_t *child_sa;
+- /** TRUE if an acquire is pending */
+- bool pending;
++} entry_t;
++
++/**
++ * A handled acquire
++ */
++typedef struct {
+ /** pending IKE_SA connecting upon acquire */
+ ike_sa_t *ike_sa;
+-} entry_t;
++ /** reqid of pending trap policy */
++ u_int32_t reqid;
++} acquire_t;
+
+ /**
+ * actually uninstall and destroy an installed entry
+ */
+-static void destroy_entry(entry_t *entry)
++static void destroy_entry(entry_t *this)
++{
++ this->child_sa->destroy(this->child_sa);
++ this->peer_cfg->destroy(this->peer_cfg);
++ free(this->name);
++ free(this);
++}
++
++/**
++ * destroy a cached acquire entry
++ */
++static void destroy_acquire(acquire_t *this)
+ {
+- entry->child_sa->destroy(entry->child_sa);
+- entry->peer_cfg->destroy(entry->peer_cfg);
+- free(entry->name);
+- free(entry);
++ free(this);
++}
++
++/**
++ * match an acquire entry by reqid
++ */
++static bool acquire_by_reqid(acquire_t *this, u_int32_t *reqid)
++{
++ return this->reqid == *reqid;
+ }
+
+ METHOD(trap_manager_t, install, u_int32_t,
+@@ -314,6 +346,7 @@ METHOD(trap_manager_t, acquire, void,
+ {
+ enumerator_t *enumerator;
+ entry_t *entry, *found = NULL;
++ acquire_t *acquire;
+ peer_cfg_t *peer;
+ child_cfg_t *child;
+ ike_sa_t *ike_sa;
+@@ -337,16 +370,29 @@ METHOD(trap_manager_t, acquire, void,
+ this->lock->unlock(this->lock);
+ return;
+ }
+- if (!cas_bool(&found->pending, FALSE, TRUE))
++ reqid = found->child_sa->get_reqid(found->child_sa);
++
++ this->mutex->lock(this->mutex);
++ if (this->acquires->find_first(this->acquires, (void*)acquire_by_reqid,
++ (void**)&acquire, &reqid) == SUCCESS)
+ {
+ DBG1(DBG_CFG, "ignoring acquire, connection attempt pending");
++ this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
+ return;
+ }
++ else
++ {
++ INIT(acquire,
++ .reqid = reqid,
++ );
++ this->acquires->insert_last(this->acquires, acquire);
++ }
++ this->mutex->unlock(this->mutex);
++
+ peer = found->peer_cfg->get_ref(found->peer_cfg);
+ child = found->child_sa->get_config(found->child_sa);
+ child = child->get_ref(child);
+- reqid = found->child_sa->get_reqid(found->child_sa);
+ /* don't hold the lock while checking out the IKE_SA */
+ this->lock->unlock(this->lock);
+
+@@ -363,16 +409,13 @@ METHOD(trap_manager_t, acquire, void,
+ * have a single TS that we can establish in a Quick Mode. */
+ src = dst = NULL;
+ }
++
++ this->mutex->lock(this->mutex);
++ acquire->ike_sa = ike_sa;
++ this->mutex->unlock(this->mutex);
++
+ if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
+ {
+- /* make sure the entry is still there */
+- this->lock->read_lock(this->lock);
+- if (this->traps->find_first(this->traps, NULL,
+- (void**)&found) == SUCCESS)
+- {
+- found->ike_sa = ike_sa;
+- }
+- this->lock->unlock(this->lock);
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ else
+@@ -381,6 +424,14 @@ METHOD(trap_manager_t, acquire, void,
+ ike_sa);
+ }
+ }
++ else
++ {
++ this->mutex->lock(this->mutex);
++ this->acquires->remove(this->acquires, acquire, NULL);
++ this->mutex->unlock(this->mutex);
++ destroy_acquire(acquire);
++ child->destroy(child);
++ }
+ peer->destroy(peer);
+ }
+
+@@ -391,26 +442,25 @@ static void complete(private_trap_manager_t *this, ike_sa_t *ike_sa,
+ child_sa_t *child_sa)
+ {
+ enumerator_t *enumerator;
+- entry_t *entry;
++ acquire_t *acquire;
+
+- this->lock->read_lock(this->lock);
+- enumerator = this->traps->create_enumerator(this->traps);
+- while (enumerator->enumerate(enumerator, &entry))
++ this->mutex->lock(this->mutex);
++ enumerator = this->acquires->create_enumerator(this->acquires);
++ while (enumerator->enumerate(enumerator, &acquire))
+ {
+- if (entry->ike_sa != ike_sa)
++ if (!acquire->ike_sa || acquire->ike_sa != ike_sa)
+ {
+ continue;
+ }
+- if (child_sa && child_sa->get_reqid(child_sa) !=
+- entry->child_sa->get_reqid(entry->child_sa))
++ if (child_sa && child_sa->get_reqid(child_sa) != acquire->reqid)
+ {
+ continue;
+ }
+- entry->ike_sa = NULL;
+- entry->pending = FALSE;
++ this->acquires->remove_at(this->acquires, enumerator);
++ destroy_acquire(acquire);
+ }
+ enumerator->destroy(enumerator);
+- this->lock->unlock(this->lock);
++ this->mutex->unlock(this->mutex);
+ }
+
+ METHOD(listener_t, ike_state_change, bool,
+@@ -444,14 +494,10 @@ METHOD(listener_t, child_state_change, bool,
+ METHOD(trap_manager_t, flush, void,
+ private_trap_manager_t *this)
+ {
+- linked_list_t *traps;
+- /* since destroying the CHILD_SA results in events which require a read
+- * lock we cannot destroy the list while holding the write lock */
+ this->lock->write_lock(this->lock);
+- traps = this->traps;
++ this->traps->destroy_function(this->traps, (void*)destroy_entry);
+ this->traps = linked_list_create();
+ this->lock->unlock(this->lock);
+- traps->destroy_function(traps, (void*)destroy_entry);
+ }
+
+ METHOD(trap_manager_t, destroy, void,
+@@ -459,6 +505,8 @@ METHOD(trap_manager_t, destroy, void,
+ {
+ charon->bus->remove_listener(charon->bus, &this->listener.listener);
+ this->traps->destroy_function(this->traps, (void*)destroy_entry);
++ this->acquires->destroy_function(this->acquires, (void*)destroy_acquire);
++ this->mutex->destroy(this->mutex);
+ this->lock->destroy(this->lock);
+ free(this);
+ }
+@@ -488,6 +536,8 @@ trap_manager_t *trap_manager_create(void)
+ },
+ },
+ .traps = linked_list_create(),
++ .acquires = linked_list_create(),
++ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .ignore_acquire_ts = lib->settings->get_bool(lib->settings,
+ "%s.ignore_acquire_ts", FALSE, lib->ns),
+--
+2.4.6
+
diff --git a/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
new file mode 100644
index 000000000..60a28724c
--- /dev/null
+++ b/main/strongswan/0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
@@ -0,0 +1,118 @@
+From 12b3cdba7689113558f58a5265827f3086852bae Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 13 Jul 2015 13:20:14 +0200
+Subject: [PATCH] trap-manager: Resolve race conditions between flush() and
+ install()
+
+When flush() is called there might be threads in install() waiting for
+trap policies to get installed (without holding the lock). We have to
+wait until they updated the entries with the respective CHILD_SAs before
+destroying the list.
+
+We also have to prevent further trap policy installations (and wait until
+threads in install() are really finished), otherwise we might end up
+destroying CHILD_SA objects after the kernel interface implementations
+have already been unloaded (avoiding this is the whole point of calling
+flush() before unloading the plugins).
+---
+ src/libcharon/sa/trap_manager.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
+index 83b6d6a..424d9e7 100644
+--- a/src/libcharon/sa/trap_manager.c
++++ b/src/libcharon/sa/trap_manager.c
+@@ -20,8 +20,11 @@
+ #include <daemon.h>
+ #include <threading/mutex.h>
+ #include <threading/rwlock.h>
++#include <threading/rwlock_condvar.h>
+ #include <collections/linked_list.h>
+
++#define INSTALL_DISABLED ((u_int)~0)
++
+ typedef struct private_trap_manager_t private_trap_manager_t;
+ typedef struct trap_listener_t trap_listener_t;
+
+@@ -77,6 +80,16 @@ struct private_trap_manager_t {
+ mutex_t *mutex;
+
+ /**
++ * number of threads currently installing trap policies, or INSTALL_DISABLED
++ */
++ u_int installing;
++
++ /**
++ * condvar to signal trap policy installation
++ */
++ rwlock_condvar_t *condvar;
++
++ /**
+ * Whether to ignore traffic selectors from acquires
+ */
+ bool ignore_acquire_ts;
+@@ -171,6 +184,11 @@ METHOD(trap_manager_t, install, u_int32_t,
+ }
+
+ this->lock->write_lock(this->lock);
++ if (this->installing == INSTALL_DISABLED)
++ { /* flush() has been called */
++ this->lock->unlock(this->lock);
++ return 0;
++ }
+ enumerator = this->traps->create_enumerator(this->traps);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+@@ -204,6 +222,7 @@ METHOD(trap_manager_t, install, u_int32_t,
+ .peer_cfg = peer->get_ref(peer),
+ );
+ this->traps->insert_first(this->traps, entry);
++ this->installing++;
+ /* don't hold lock while creating CHILD_SA and installing policies */
+ this->lock->unlock(this->lock);
+
+@@ -252,6 +271,11 @@ METHOD(trap_manager_t, install, u_int32_t,
+ {
+ destroy_entry(found);
+ }
++ this->lock->write_lock(this->lock);
++ /* do this at the end, so entries created temporarily are also destroyed */
++ this->installing--;
++ this->condvar->signal(this->condvar);
++ this->lock->unlock(this->lock);
+ return reqid;
+ }
+
+@@ -495,8 +519,13 @@ METHOD(trap_manager_t, flush, void,
+ private_trap_manager_t *this)
+ {
+ this->lock->write_lock(this->lock);
++ while (this->installing)
++ {
++ this->condvar->wait(this->condvar, this->lock);
++ }
+ this->traps->destroy_function(this->traps, (void*)destroy_entry);
+ this->traps = linked_list_create();
++ this->installing = INSTALL_DISABLED;
+ this->lock->unlock(this->lock);
+ }
+
+@@ -506,6 +535,7 @@ METHOD(trap_manager_t, destroy, void,
+ charon->bus->remove_listener(charon->bus, &this->listener.listener);
+ this->traps->destroy_function(this->traps, (void*)destroy_entry);
+ this->acquires->destroy_function(this->acquires, (void*)destroy_acquire);
++ this->condvar->destroy(this->condvar);
+ this->mutex->destroy(this->mutex);
+ this->lock->destroy(this->lock);
+ free(this);
+@@ -539,6 +569,7 @@ trap_manager_t *trap_manager_create(void)
+ .acquires = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
++ .condvar = rwlock_condvar_create(),
+ .ignore_acquire_ts = lib->settings->get_bool(lib->settings,
+ "%s.ignore_acquire_ts", FALSE, lib->ns),
+ );
+--
+2.4.6
+
diff --git a/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
new file mode 100644
index 000000000..6fa2c339f
--- /dev/null
+++ b/main/strongswan/0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
@@ -0,0 +1,112 @@
+From f3d39666e0d62fb9a790b72ee7ae2b9255b21cdd Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 14 Jul 2015 16:35:21 +0200
+Subject: [PATCH] shunt-manager: Add a lock to safely access the list of shunt
+ policies
+
+---
+ src/libcharon/sa/shunt_manager.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
+index 73e1abb..434bace 100644
+--- a/src/libcharon/sa/shunt_manager.c
++++ b/src/libcharon/sa/shunt_manager.c
+@@ -1,4 +1,5 @@
+ /*
++ * Copyright (C) 2015 Tobias Brunner
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+@@ -20,7 +21,6 @@
+ #include <threading/rwlock.h>
+ #include <collections/linked_list.h>
+
+-
+ typedef struct private_shunt_manager_t private_shunt_manager_t;
+
+ /**
+@@ -37,6 +37,11 @@ struct private_shunt_manager_t {
+ * Installed shunts, as child_cfg_t
+ */
+ linked_list_t *shunts;
++
++ /**
++ * Lock to safely access the list of shunts
++ */
++ rwlock_t *lock;
+ };
+
+ /**
+@@ -120,6 +125,7 @@ METHOD(shunt_manager_t, install, bool,
+ bool found = FALSE;
+
+ /* check if not already installed */
++ this->lock->write_lock(this->lock);
+ enumerator = this->shunts->create_enumerator(this->shunts);
+ while (enumerator->enumerate(enumerator, &child_cfg))
+ {
+@@ -130,14 +136,15 @@ METHOD(shunt_manager_t, install, bool,
+ }
+ }
+ enumerator->destroy(enumerator);
+-
+ if (found)
+ {
+ DBG1(DBG_CFG, "shunt %N policy '%s' already installed",
+ ipsec_mode_names, child->get_mode(child), child->get_name(child));
++ this->lock->unlock(this->lock);
+ return TRUE;
+ }
+ this->shunts->insert_last(this->shunts, child->get_ref(child));
++ this->lock->unlock(this->lock);
+
+ return install_shunt_policy(child);
+ }
+@@ -215,6 +222,7 @@ METHOD(shunt_manager_t, uninstall, bool,
+ enumerator_t *enumerator;
+ child_cfg_t *child, *found = NULL;
+
++ this->lock->write_lock(this->lock);
+ enumerator = this->shunts->create_enumerator(this->shunts);
+ while (enumerator->enumerate(enumerator, &child))
+ {
+@@ -226,6 +234,7 @@ METHOD(shunt_manager_t, uninstall, bool,
+ }
+ }
+ enumerator->destroy(enumerator);
++ this->lock->unlock(this->lock);
+
+ if (!found)
+ {
+@@ -239,7 +248,10 @@ METHOD(shunt_manager_t, uninstall, bool,
+ METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
+ private_shunt_manager_t *this)
+ {
+- return this->shunts->create_enumerator(this->shunts);
++ this->lock->read_lock(this->lock);
++ return enumerator_create_cleaner(
++ this->shunts->create_enumerator(this->shunts),
++ (void*)this->lock->unlock, this->lock);
+ }
+
+ METHOD(shunt_manager_t, destroy, void,
+@@ -253,6 +265,7 @@ METHOD(shunt_manager_t, destroy, void,
+ child->destroy(child);
+ }
+ this->shunts->destroy(this->shunts);
++ this->lock->destroy(this->lock);
+ free(this);
+ }
+
+@@ -271,6 +284,7 @@ shunt_manager_t *shunt_manager_create()
+ .destroy = _destroy,
+ },
+ .shunts = linked_list_create(),
++ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ );
+
+ return &this->public;
+--
+2.4.6
+
diff --git a/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch
new file mode 100644
index 000000000..f8af98c62
--- /dev/null
+++ b/main/strongswan/0010-shunt-manager-Remove-stored-entries-if-installation-.patch
@@ -0,0 +1,43 @@
+From 616ff9a2369fd250a2b9e8d2a00f37e2e8d3a2f3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 14 Jul 2015 16:50:32 +0200
+Subject: [PATCH] shunt-manager: Remove stored entries if installation fails
+
+---
+ src/libcharon/sa/shunt_manager.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
+index 434bace..2e42e7e 100644
+--- a/src/libcharon/sa/shunt_manager.c
++++ b/src/libcharon/sa/shunt_manager.c
+@@ -122,7 +122,7 @@ METHOD(shunt_manager_t, install, bool,
+ {
+ enumerator_t *enumerator;
+ child_cfg_t *child_cfg;
+- bool found = FALSE;
++ bool found = FALSE, success;
+
+ /* check if not already installed */
+ this->lock->write_lock(this->lock);
+@@ -146,7 +146,16 @@ METHOD(shunt_manager_t, install, bool,
+ this->shunts->insert_last(this->shunts, child->get_ref(child));
+ this->lock->unlock(this->lock);
+
+- return install_shunt_policy(child);
++ success = install_shunt_policy(child);
++
++ if (!success)
++ {
++ this->lock->write_lock(this->lock);
++ this->shunts->remove(this->shunts, child, NULL);
++ this->lock->unlock(this->lock);
++ child->destroy(child);
++ }
++ return success;
+ }
+
+ /**
+--
+2.4.6
+
diff --git a/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
new file mode 100644
index 000000000..3aa6b561b
--- /dev/null
+++ b/main/strongswan/0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
@@ -0,0 +1,153 @@
+From bc36530670cbbe2362053f1604f67e481afd336c Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 14 Jul 2015 16:55:36 +0200
+Subject: [PATCH] shunt-manager: Add flush() method to properly uninstall
+ shunts
+
+This will allow us to uninstall shunts before unloading the
+kernel-interface plugins.
+---
+ src/libcharon/sa/shunt_manager.c | 44 ++++++++++++++++++++++++++++++++++++----
+ src/libcharon/sa/shunt_manager.h | 6 ++++++
+ 2 files changed, 46 insertions(+), 4 deletions(-)
+
+diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
+index 2e42e7e..1a98443 100644
+--- a/src/libcharon/sa/shunt_manager.c
++++ b/src/libcharon/sa/shunt_manager.c
+@@ -19,8 +19,11 @@
+ #include <hydra.h>
+ #include <daemon.h>
+ #include <threading/rwlock.h>
++#include <threading/rwlock_condvar.h>
+ #include <collections/linked_list.h>
+
++#define INSTALL_DISABLED ((u_int)~0)
++
+ typedef struct private_shunt_manager_t private_shunt_manager_t;
+
+ /**
+@@ -42,6 +45,16 @@ struct private_shunt_manager_t {
+ * Lock to safely access the list of shunts
+ */
+ rwlock_t *lock;
++
++ /**
++ * Number of threads currently installing shunts, or INSTALL_DISABLED
++ */
++ u_int installing;
++
++ /**
++ * Condvar to signal shunt installation
++ */
++ rwlock_condvar_t *condvar;
+ };
+
+ /**
+@@ -126,6 +139,11 @@ METHOD(shunt_manager_t, install, bool,
+
+ /* check if not already installed */
+ this->lock->write_lock(this->lock);
++ if (this->installing == INSTALL_DISABLED)
++ { /* flush() has been called */
++ this->lock->unlock(this->lock);
++ return FALSE;
++ }
+ enumerator = this->shunts->create_enumerator(this->shunts);
+ while (enumerator->enumerate(enumerator, &child_cfg))
+ {
+@@ -144,17 +162,20 @@ METHOD(shunt_manager_t, install, bool,
+ return TRUE;
+ }
+ this->shunts->insert_last(this->shunts, child->get_ref(child));
++ this->installing++;
+ this->lock->unlock(this->lock);
+
+ success = install_shunt_policy(child);
+
++ this->lock->write_lock(this->lock);
+ if (!success)
+ {
+- this->lock->write_lock(this->lock);
+ this->shunts->remove(this->shunts, child, NULL);
+- this->lock->unlock(this->lock);
+ child->destroy(child);
+ }
++ this->installing--;
++ this->condvar->signal(this->condvar);
++ this->lock->unlock(this->lock);
+ return success;
+ }
+
+@@ -263,18 +284,31 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
+ (void*)this->lock->unlock, this->lock);
+ }
+
+-METHOD(shunt_manager_t, destroy, void,
++METHOD(shunt_manager_t, flush, void,
+ private_shunt_manager_t *this)
+ {
+ child_cfg_t *child;
+
++ this->lock->write_lock(this->lock);
++ while (this->installing)
++ {
++ this->condvar->wait(this->condvar, this->lock);
++ }
+ while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS)
+ {
+ uninstall_shunt_policy(child);
+ child->destroy(child);
+ }
+- this->shunts->destroy(this->shunts);
++ this->installing = INSTALL_DISABLED;
++ this->lock->unlock(this->lock);
++}
++
++METHOD(shunt_manager_t, destroy, void,
++ private_shunt_manager_t *this)
++{
++ this->shunts->destroy_offset(this->shunts, offsetof(child_cfg_t, destroy));
+ this->lock->destroy(this->lock);
++ this->condvar->destroy(this->condvar);
+ free(this);
+ }
+
+@@ -290,10 +324,12 @@ shunt_manager_t *shunt_manager_create()
+ .install = _install,
+ .uninstall = _uninstall,
+ .create_enumerator = _create_enumerator,
++ .flush = _flush,
+ .destroy = _destroy,
+ },
+ .shunts = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
++ .condvar = rwlock_condvar_create(),
+ );
+
+ return &this->public;
+diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
+index 28a795d..c43f5db 100644
+--- a/src/libcharon/sa/shunt_manager.h
++++ b/src/libcharon/sa/shunt_manager.h
+@@ -1,4 +1,5 @@
+ /*
++ * Copyright (C) 2015 Tobias Brunner
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+@@ -56,6 +57,11 @@ struct shunt_manager_t {
+ enumerator_t* (*create_enumerator)(shunt_manager_t *this);
+
+ /**
++ * Clear any installed shunt.
++ */
++ void (*flush)(shunt_manager_t *this);
++
++ /**
+ * Destroy a shunt_manager_t.
+ */
+ void (*destroy)(shunt_manager_t *this);
+--
+2.4.6
+
diff --git a/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch
new file mode 100644
index 000000000..9d3be529b
--- /dev/null
+++ b/main/strongswan/0012-daemon-Flush-shunts-before-unloading-plugins.patch
@@ -0,0 +1,27 @@
+From c04345d5edbbc4c37027cdfc21dba85d03e312af Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 14 Jul 2015 16:56:33 +0200
+Subject: [PATCH] daemon: Flush shunts before unloading plugins
+
+---
+ src/libcharon/daemon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
+index b1b8f57..316be76 100644
+--- a/src/libcharon/daemon.c
++++ b/src/libcharon/daemon.c
+@@ -462,6 +462,10 @@ static void destroy(private_daemon_t *this)
+ {
+ this->public.traps->flush(this->public.traps);
+ }
++ if (this->public.shunts)
++ {
++ this->public.shunts->flush(this->public.shunts);
++ }
+ if (this->public.sender)
+ {
+ this->public.sender->flush(this->public.sender);
+--
+2.4.6
+
diff --git a/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
new file mode 100644
index 000000000..56038b46f
--- /dev/null
+++ b/main/strongswan/0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
@@ -0,0 +1,105 @@
+From 86d20b0b40066590f5e26d1f9aca21cc0cba97e1 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 15 Jun 2015 11:46:33 +0200
+Subject: [PATCH] ike-rekey: Reset IKE_SA on the bus after destroying new
+ IKE_SA
+
+The destroy() method sets the IKE_SA on the bus to NULL, we reset it to
+the current IKE_SA so any events and log messages that follow happen in
+the correct context.
+
+A practical example where this is problematic is a DH group mismatch,
+which causes the first CREATE_CHILD_SA exchange to fail. Because the SA
+was not reset previously, the message() hook for the CREATE_CHILD_SA
+response, for instance, was triggered outside the context of an IKE_SA,
+that is, the ike_sa parameter was NULL, which is definitely not expected
+by several plugins.
+
+Fixes #862.
+---
+ src/libcharon/sa/ikev2/tasks/ike_rekey.c | 31 +++++++++++++++----------------
+ 1 file changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+index 1855517..1dfdc05 100644
+--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+@@ -116,7 +116,6 @@ static void establish_new(private_ike_rekey_t *this)
+ lib->processor->queue_job(lib->processor, job);
+ }
+ this->new_sa = NULL;
+- /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
+ }
+@@ -335,15 +334,13 @@ METHOD(task_t, process_i, status_t,
+ {
+ charon->ike_sa_manager->checkin(
+ charon->ike_sa_manager, this->new_sa);
+- /* set threads active IKE_SA after checkin */
+- charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
++ charon->bus->set_sa(charon->bus, this->ike_sa);
+ this->new_sa = NULL;
+ establish_new(other);
+ return SUCCESS;
+ }
+ }
+- /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
+
+@@ -372,9 +369,13 @@ METHOD(ike_rekey_t, collide, void,
+ this->collision = other;
+ }
+
+-METHOD(task_t, migrate, void,
+- private_ike_rekey_t *this, ike_sa_t *ike_sa)
++/**
++ * Cleanup the task
++ */
++static void cleanup(private_ike_rekey_t *this)
+ {
++ ike_sa_t *cur_sa;
++
+ if (this->ike_init)
+ {
+ this->ike_init->task.destroy(&this->ike_init->task);
+@@ -383,9 +384,16 @@ METHOD(task_t, migrate, void,
+ {
+ this->ike_delete->task.destroy(&this->ike_delete->task);
+ }
++ cur_sa = charon->bus->get_sa(charon->bus);
+ DESTROY_IF(this->new_sa);
++ charon->bus->set_sa(charon->bus, cur_sa);
+ DESTROY_IF(this->collision);
++}
+
++METHOD(task_t, migrate, void,
++ private_ike_rekey_t *this, ike_sa_t *ike_sa)
++{
++ cleanup();
+ this->collision = NULL;
+ this->ike_sa = ike_sa;
+ this->new_sa = NULL;
+@@ -396,16 +404,7 @@ METHOD(task_t, migrate, void,
+ METHOD(task_t, destroy, void,
+ private_ike_rekey_t *this)
+ {
+- if (this->ike_init)
+- {
+- this->ike_init->task.destroy(&this->ike_init->task);
+- }
+- if (this->ike_delete)
+- {
+- this->ike_delete->task.destroy(&this->ike_delete->task);
+- }
+- DESTROY_IF(this->new_sa);
+- DESTROY_IF(this->collision);
++ cleanup();
+ free(this);
+ }
+
+--
+2.4.6
+
diff --git a/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
new file mode 100644
index 000000000..9aa06d925
--- /dev/null
+++ b/main/strongswan/0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
@@ -0,0 +1,31 @@
+From 2efcc9586714fd3ae26fe6ff57ea1b9ee09a58ea Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 15 Jun 2015 11:52:16 +0200
+Subject: [PATCH] ike-rekey: Reset IKE_SA on bus before sending CREATE_CHILD_SA
+ response
+
+Even when there is no error the CREATE_CHILD_SA response should be sent
+in the context of the existing IKE_SA.
+---
+ src/libcharon/sa/ikev2/tasks/ike_rekey.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+index 1dfdc05..4133c93 100644
+--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+@@ -228,9 +228,10 @@ METHOD(task_t, build_r, status_t,
+
+ if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
+ {
++ charon->bus->set_sa(charon->bus, this->ike_sa);
+ return SUCCESS;
+ }
+-
++ charon->bus->set_sa(charon->bus, this->ike_sa);
+ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+
+ /* rekeying successful, delete the IKE_SA using a subtask */
+--
+2.4.6
+
diff --git a/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
new file mode 100644
index 000000000..e17cf30cd
--- /dev/null
+++ b/main/strongswan/0015-ike-rekey-Fix-cleanup-call.patch
@@ -0,0 +1,34 @@
+From 81f1aa8dc375a84d9f0dc3e4027f2aebf6d03b18 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 27 Jul 2015 15:20:01 +0200
+Subject: [PATCH] ike-rekey: Fix cleanup() call
+
+---
+ src/libcharon/sa/ikev2/tasks/ike_rekey.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+index 4133c93..eaba04e 100644
+--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
++++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+@@ -394,7 +394,7 @@ static void cleanup(private_ike_rekey_t *this)
+ METHOD(task_t, migrate, void,
+ private_ike_rekey_t *this, ike_sa_t *ike_sa)
+ {
+- cleanup();
++ cleanup(this);
+ this->collision = NULL;
+ this->ike_sa = ike_sa;
+ this->new_sa = NULL;
+@@ -405,7 +405,7 @@ METHOD(task_t, migrate, void,
+ METHOD(task_t, destroy, void,
+ private_ike_rekey_t *this)
+ {
+- cleanup();
++ cleanup(this);
+ free(this);
+ }
+
+--
+2.4.6
+
diff --git a/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
new file mode 100644
index 000000000..3b773d02a
--- /dev/null
+++ b/main/strongswan/0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
@@ -0,0 +1,27 @@
+From faebdeac8eafad7b5c2109d5a9ce0af41dbf315c Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 27 Jul 2015 19:37:41 +0200
+Subject: [PATCH] ike: Fix memory leak if remote address is kept
+
+---
+ src/libcharon/sa/ike_sa.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
+index 752a756..6ffbd55 100644
+--- a/src/libcharon/sa/ike_sa.c
++++ b/src/libcharon/sa/ike_sa.c
+@@ -1230,6 +1230,10 @@ static void resolve_hosts(private_ike_sa_t *this)
+ * address family might have changed */
+ set_other_host(this, host);
+ }
++ else
++ {
++ host->destroy(host);
++ }
+ }
+
+ if (this->local_host)
+--
+2.4.6
+
diff --git a/main/strongswan/0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
index a7c02749f..945f1da2b 100644
--- a/main/strongswan/0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+++ b/main/strongswan/0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
@@ -27,5 +27,5 @@ index b0e3103..809d0f4 100644
DBG1(DBG_KNL, "netlink response exceeds buffer size");
return 0;
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
index 0bd694782..410e15b0c 100644
--- a/main/strongswan/0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+++ b/main/strongswan/0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
@@ -55,5 +55,5 @@ index 809d0f4..ddb2254 100644
{
DBG1(DBG_KNL, "unable to create netlink socket");
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
new file mode 100644
index 000000000..e7897c17c
--- /dev/null
+++ b/main/strongswan/0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
@@ -0,0 +1,24 @@
+From 36d77e36bb1556bebe0f98c06a757b123caef940 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Jul 2015 11:48:53 +0200
+Subject: [PATCH] ike: Also track initiating IKE_SAs as half-open
+
+---
+ src/libcharon/sa/ike_sa_manager.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index 987260d..51b7f2c 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
++++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void,
+ put_half_open(this, entry);
+ }
+ else if (!entry->half_open &&
+- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+ ike_sa->get_state(ike_sa) == IKE_CONNECTING)
+ {
+ /* this is a new half-open SA */
+--
+2.4.6
+
diff --git a/main/strongswan/0003-controller-Optionally-adhere-to-init-limits-also-whe.patch b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
index 525c6e752..fbc54c11c 100644
--- a/main/strongswan/0003-controller-Optionally-adhere-to-init-limits-also-whe.patch
+++ b/main/strongswan/0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
@@ -1,4 +1,4 @@
-From af94ce1106470cc1c66a7b038d1d4552785f2670 Mon Sep 17 00:00:00 2001
+From 0d6412ab81fbf0376cc99e9419de417e58dc0e72 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 16 Jul 2015 17:21:54 +0200
Subject: [PATCH] controller: Optionally adhere to init limits also when
@@ -19,8 +19,7 @@ Subject: [PATCH] controller: Optionally adhere to init limits also when
src/libcharon/plugins/vici/vici_control.c | 4 +-
.../processing/jobs/initiate_mediation_job.c | 4 +-
src/libcharon/processing/jobs/start_action_job.c | 2 +-
- src/libcharon/sa/ike_sa_manager.c | 1 -
- 16 files changed, 71 insertions(+), 21 deletions(-)
+ 15 files changed, 71 insertions(+), 20 deletions(-)
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 2c0b7b9..0c6a504 100644
@@ -313,18 +312,6 @@ index 981473b..5e88ac2 100644
break;
case ACTION_ROUTE:
DBG1(DBG_JOB, "start action: route '%s'", name);
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 987260d..51b7f2c 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1570,7 +1570,6 @@ METHOD(ike_sa_manager_t, checkin, void,
- put_half_open(this, entry);
- }
- else if (!entry->half_open &&
-- !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
- ike_sa->get_state(ike_sa) == IKE_CONNECTING)
- {
- /* this is a new half-open SA */
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
index feb471a40..d6cc09071 100644
--- a/main/strongswan/0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+++ b/main/strongswan/0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
@@ -1,4 +1,4 @@
-From e18f39025363224790d64e5b4eaa1c268f95b528 Mon Sep 17 00:00:00 2001
+From f3b6de5afdc48550680c12359154eb18a5812ecb Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 16 Jul 2015 17:51:40 +0200
Subject: [PATCH] vici: Add get_bool() convenience getter for VICI messages
@@ -166,5 +166,5 @@ index 1a89cf8..7f357b8 100644
*
* @param def default value if not found
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/0005-vici-Optionally-check-limits-when-initiating-connect.patch b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch
index 2ff236b06..f904af30b 100644
--- a/main/strongswan/0005-vici-Optionally-check-limits-when-initiating-connect.patch
+++ b/main/strongswan/0204-vici-Optionally-check-limits-when-initiating-connect.patch
@@ -1,4 +1,4 @@
-From 364a0b4922fb1dbbc584b341e945bf1b91d1d689 Mon Sep 17 00:00:00 2001
+From 2d4671feca3d2d17bfa2d846cc170478f18a8fcc Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 16 Jul 2015 17:56:16 +0200
Subject: [PATCH] vici: Optionally check limits when initiating connections
@@ -61,5 +61,5 @@ index e568239..88574f8 100644
default:
return send_reply(this, "establishing CHILD_SA '%s' failed", child);
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch b/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
new file mode 100644
index 000000000..666355757
--- /dev/null
+++ b/main/strongswan/0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
@@ -0,0 +1,96 @@
+From e0189de4c7b8df5cb61c7b0e771dcc5534e9cc06 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Jul 2015 11:53:58 +0200
+Subject: [PATCH] ike: Adhere to IKE_SA limit when checking out by config
+
+This prevents new SAs from getting created if we hit the global IKE_SA
+limit (we still allow checkout_new(), which is used for rekeying).
+---
+ src/libcharon/sa/ike_sa_manager.c | 63 ++++++++++++++++++++-------------------
+ 1 file changed, 33 insertions(+), 30 deletions(-)
+
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index 51b7f2c..20b6e50 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
++++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1346,44 +1346,47 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+
+ DBG2(DBG_MGR, "checkout IKE_SA by config");
+
+- if (!this->reuse_ikesa)
+- { /* IKE_SA reuse disable by config */
+- ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+- charon->bus->set_sa(charon->bus, ike_sa);
+- return ike_sa;
+- }
+-
+- enumerator = create_table_enumerator(this);
+- while (enumerator->enumerate(enumerator, &entry, &segment))
++ if (this->reuse_ikesa)
+ {
+- if (!wait_for_entry(this, entry, segment))
++ enumerator = create_table_enumerator(this);
++ while (enumerator->enumerate(enumerator, &entry, &segment))
+ {
+- continue;
+- }
+- if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
+- { /* skip IKE_SAs which are not usable */
+- continue;
+- }
+-
+- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+- if (current_peer && current_peer->equals(current_peer, peer_cfg))
+- {
+- current_ike = current_peer->get_ike_cfg(current_peer);
+- if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
++ if (!wait_for_entry(this, entry, segment))
+ {
+- entry->checked_out = TRUE;
+- ike_sa = entry->ike_sa;
+- DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
+- ike_sa->get_unique_id(ike_sa),
+- current_peer->get_name(current_peer));
+- break;
++ continue;
++ }
++ if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
++ { /* skip IKE_SAs which are not usable */
++ continue;
++ }
++ current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
++ if (current_peer && current_peer->equals(current_peer, peer_cfg))
++ {
++ current_ike = current_peer->get_ike_cfg(current_peer);
++ if (current_ike->equals(current_ike,
++ peer_cfg->get_ike_cfg(peer_cfg)))
++ {
++ entry->checked_out = TRUE;
++ ike_sa = entry->ike_sa;
++ DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
++ ike_sa->get_unique_id(ike_sa),
++ current_peer->get_name(current_peer));
++ break;
++ }
+ }
+ }
++ enumerator->destroy(enumerator);
+ }
+- enumerator->destroy(enumerator);
+
+ if (!ike_sa)
+- { /* no IKE_SA using such a config, hand out a new */
++ { /* no IKE_SA using such a config, or reuse disabled, hand out a new */
++ if (this->ikesa_limit &&
++ this->public.get_count(&this->public) >= this->ikesa_limit)
++ {
++ DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)",
++ this->ikesa_limit);
++ return NULL;
++ }
+ ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+ }
+ charon->bus->set_sa(charon->bus, ike_sa);
+--
+2.4.6
+
diff --git a/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
new file mode 100644
index 000000000..4a837486e
--- /dev/null
+++ b/main/strongswan/0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
@@ -0,0 +1,46 @@
+From 470b58d897338c89c83f416808cf1ccac38fe028 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Jul 2015 14:08:09 +0200
+Subject: [PATCH] ikev1: Assign different job priorities for inbound IKEv1
+ messages
+
+---
+ src/libcharon/processing/jobs/process_message_job.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
+index a6795e7..31f048d 100644
+--- a/src/libcharon/processing/jobs/process_message_job.c
++++ b/src/libcharon/processing/jobs/process_message_job.c
+@@ -91,16 +91,26 @@ METHOD(job_t, get_priority, job_priority_t,
+ {
+ case IKE_AUTH:
+ /* IKE auth is rather expensive and often blocking, low priority */
++ case AGGRESSIVE:
++ case ID_PROT:
++ /* AM is basically IKE_SA_INIT/IKE_AUTH combined (without EAP/XAuth)
++ * MM is similar, but stretched out more */
+ return JOB_PRIO_LOW;
+ case INFORMATIONAL:
++ case INFORMATIONAL_V1:
+ /* INFORMATIONALs are inexpensive, for DPD we should have low
+ * reaction times */
+ return JOB_PRIO_HIGH;
+ case IKE_SA_INIT:
+- case CREATE_CHILD_SA:
+- default:
+ /* IKE_SA_INIT is expensive, but we will drop them in the receiver
+ * if we are overloaded */
++ case CREATE_CHILD_SA:
++ case QUICK_MODE:
++ /* these may require DH, but if not they are relatively cheap */
++ case TRANSACTION:
++ /* these are mostly cheap, however, if XAuth via RADIUS is used
++ * they may block */
++ default:
+ return JOB_PRIO_MEDIUM;
+ }
+ }
+--
+2.4.6
+
diff --git a/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch
new file mode 100644
index 000000000..630151b40
--- /dev/null
+++ b/main/strongswan/0401-printf-hook-builtin-Fix-invalid-memory-access.patch
@@ -0,0 +1,68 @@
+From 944e99d57243fb42ccb2be475c8386a0c4c116f4 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 27 Jul 2015 11:18:53 +0200
+Subject: [PATCH] printf-hook-builtin: Fix invalid memory access
+
+When precision is given for a string, we must not run unbounded
+strlen() as it will read beyond the given length. It might even cause
+a crash if the given pointer is near end of heap or mapping.
+
+Fixes numerous valgrind errors such as:
+
+==19215== Invalid read of size 1
+==19215== at 0x52D36C6: builtin_vsnprintf (printf_hook_builtin.c:853)
+==19215== by 0x52D40A8: builtin_snprintf (printf_hook_builtin.c:1084)
+==19215== by 0x52CE464: dntoa (identification.c:337)
+==19215== by 0x52CE464: identification_printf_hook (identification.c:837)
+==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
+==19215== by 0x57040EB: vlog (bus.c:388)
+==19215== by 0x570427D: log_ (bus.c:430)
+==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
+==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
+==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
+==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
+==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
+==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
+==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
+==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
+==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
+==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
+==19215== Address 0x50cdb42 is 0 bytes after a block of size 2 alloc'd
+==19215== at 0x4C919FE: malloc (vg_replace_malloc.c:296)
+==19215== by 0x52CD198: chunk_printable (chunk.c:759)
+==19215== by 0x52CE442: dntoa (identification.c:334)
+==19215== by 0x52CE442: identification_printf_hook (identification.c:837)
+==19215== by 0x52D3DAA: builtin_vsnprintf (printf_hook_builtin.c:1010)
+==19215== by 0x57040EB: vlog (bus.c:388)
+==19215== by 0x570427D: log_ (bus.c:430)
+==19215== by 0xA8445D3: load_x509_ca (stroke_cred.c:416)
+==19215== by 0xA8445D3: load_certdir (stroke_cred.c:537)
+==19215== by 0xA846A95: load_certs (stroke_cred.c:1353)
+==19215== by 0xA846A95: stroke_cred_create (stroke_cred.c:1475)
+==19215== by 0xA84073E: stroke_socket_create (stroke_socket.c:782)
+==19215== by 0xA83F27C: register_stroke (stroke_plugin.c:53)
+==19215== by 0x52C3125: load_feature (plugin_loader.c:716)
+==19215== by 0x52C3125: load_provided (plugin_loader.c:778)
+==19215== by 0x52C3A20: load_features (plugin_loader.c:799)
+==19215== by 0x52C3A20: load_plugins (plugin_loader.c:1159)
+---
+ src/libstrongswan/utils/printf_hook/printf_hook_builtin.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
+index 466c673..af54940 100644
+--- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
++++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
+@@ -843,7 +843,8 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap)
+ /* String */
+ sarg = va_arg(ap, const char *);
+ sarg = sarg ? sarg : "(null)";
+- slen = strlen(sarg);
++ slen = prec != -1 ? strnlen(sarg, prec)
++ : strlen(sarg);
+ goto is_string;
+ }
+ case 'm':
+--
+2.4.6
+
diff --git a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
index b0c65223a..e246c0429 100644
--- a/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
+++ b/main/strongswan/1001-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -1,4 +1,4 @@
-From 9afff74c4bd8abadfd248f36cf9f8206928d3dc6 Mon Sep 17 00:00:00 2001
+From 82c26f6c6c8dc8de620cdb6b191f04451ddedd11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Wed, 27 Aug 2014 16:05:21 +0300
Subject: [PATCH] charon: add optional source and remote overrides for initiate
@@ -15,21 +15,20 @@ and is a prerequisite for dmvpn support.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
- src/charon-cmd/cmd/cmd_connection.c | 2 +-
- src/charon-nm/nm/nm_service.c | 2 +-
- src/libcharon/control/controller.c | 43 ++++++++++++++-
- src/libcharon/control/controller.h | 3 ++
- src/libcharon/plugins/maemo/maemo_service.c | 2 +-
- src/libcharon/plugins/stroke/stroke_control.c | 5 +-
- src/libcharon/plugins/vici/vici_config.c | 2 +-
- src/libcharon/plugins/vici/vici_control.c | 63 ++++++++++++++++++----
- src/libcharon/processing/jobs/start_action_job.c | 2 +-
- src/libcharon/sa/ike_sa.c | 4 ++
- src/libcharon/sa/ike_sa_manager.c | 60 ++++++++++++++++++---
- src/libcharon/sa/ike_sa_manager.h | 8 ++-
- src/libcharon/sa/trap_manager.c | 3 +-
- src/swanctl/commands/initiate.c | 40 +++++++++++++-
- 15 files changed, 213 insertions(+), 28 deletions(-)
+ src/charon-cmd/cmd/cmd_connection.c | 2 +-
+ src/charon-nm/nm/nm_service.c | 2 +-
+ src/libcharon/control/controller.c | 43 +++++++++++++++-
+ src/libcharon/control/controller.h | 3 ++
+ src/libcharon/plugins/maemo/maemo_service.c | 2 +-
+ src/libcharon/plugins/stroke/stroke_control.c | 5 +-
+ src/libcharon/plugins/vici/vici_config.c | 2 +-
+ src/libcharon/plugins/vici/vici_control.c | 63 ++++++++++++++++++++----
+ src/libcharon/processing/jobs/start_action_job.c | 2 +-
+ src/libcharon/sa/ike_sa_manager.c | 51 ++++++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.h | 8 ++-
+ src/libcharon/sa/trap_manager.c | 3 +-
+ src/swanctl/commands/initiate.c | 40 ++++++++++++++-
+ 13 files changed, 203 insertions(+), 23 deletions(-)
diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
index 0c6a504..dc4eca3 100644
@@ -206,10 +205,10 @@ index 0125d17..72c806c 100644
switch (status)
{
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index dfea2ab..233af4c 100644
+index b6950f3..600b83f 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -1558,7 +1558,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+@@ -1584,7 +1584,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
charon->controller->initiate(charon->controller,
peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
@@ -219,7 +218,7 @@ index dfea2ab..233af4c 100644
case ACTION_ROUTE:
DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 88574f8..d37e11f 100644
+index 88574f8..55f667b 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -13,6 +13,28 @@
@@ -341,23 +340,8 @@ index 5e88ac2..7043332 100644
break;
case ACTION_ROUTE:
DBG1(DBG_JOB, "start action: route '%s'", name);
-diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
-index 3aafa4c..dcd54a1 100644
---- a/src/libcharon/sa/ike_sa.c
-+++ b/src/libcharon/sa/ike_sa.c
-@@ -1208,6 +1208,10 @@ static void resolve_hosts(private_ike_sa_t *this)
- else
- {
- host = this->ike_cfg->resolve_other(this->ike_cfg, family);
-+ if (host->is_anyaddr(host))
-+ {
-+ host = NULL;
-+ }
- }
- if (host)
- {
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 987260d..2f44f7c 100644
+index 20b6e50..ccce3de 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -16,6 +16,28 @@
@@ -389,7 +373,7 @@ index 987260d..2f44f7c 100644
#include <string.h>
#include "ike_sa_manager.h"
-@@ -1335,16 +1357,28 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
+@@ -1335,7 +1357,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
}
METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -399,12 +383,9 @@ index 987260d..2f44f7c 100644
{
enumerator_t *enumerator;
entry_t *entry;
-- ike_sa_t *ike_sa = NULL;
-+ ike_sa_t *ike_sa;
- peer_cfg_t *current_peer;
+@@ -1344,7 +1367,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
ike_cfg_t *current_ike;
u_int segment;
-+ bool matched = FALSE;
- DBG2(DBG_MGR, "checkout IKE_SA by config");
+ if (my_host && my_host->get_port(my_host) == 0)
@@ -419,42 +400,28 @@ index 987260d..2f44f7c 100644
+ DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
+ peer_cfg->get_name(peer_cfg), my_host, other_host);
- if (!this->reuse_ikesa)
- { /* IKE_SA reuse disable by config */
-@@ -1365,14 +1399,24 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- continue;
- }
-
-- current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
-+ ike_sa = entry->ike_sa;
-+ if (my_host && !my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)))
-+ {
-+ continue;
-+ }
-+ if (other_host && !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
-+ {
-+ continue;
-+ }
+ if (this->reuse_ikesa)
+ {
+@@ -1359,6 +1392,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ { /* skip IKE_SAs which are not usable */
+ continue;
+ }
+
-+ current_peer = ike_sa->get_peer_cfg(ike_sa);
- if (current_peer && current_peer->equals(current_peer, peer_cfg))
- {
- current_ike = current_peer->get_ike_cfg(current_peer);
- if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
++ if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
++ {
++ continue;
++ }
++ if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
++ {
++ continue;
++ }
++
+ current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+ if (current_peer && current_peer->equals(current_peer, peer_cfg))
{
- entry->checked_out = TRUE;
-- ike_sa = entry->ike_sa;
-+ matched = TRUE;
- DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
- ike_sa->get_unique_id(ike_sa),
- current_peer->get_name(current_peer));
-@@ -1382,9 +1426,13 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- }
- enumerator->destroy(enumerator);
-
-- if (!ike_sa)
-+ if (!matched)
- { /* no IKE_SA using such a config, hand out a new */
+@@ -1388,6 +1431,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ return NULL;
+ }
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+ if (my_host || other_host)
+ {
@@ -493,10 +460,10 @@ index f259d8e..5a69083 100644
/**
* Check for duplicates of the given IKE_SA.
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index d6ff3c8..eeb188e 100644
+index 424d9e7..62a70f5 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
-@@ -351,7 +351,8 @@ METHOD(trap_manager_t, acquire, void,
+@@ -421,7 +421,8 @@ METHOD(trap_manager_t, acquire, void,
this->lock->unlock(this->lock);
ike_sa = charon->ike_sa_manager->checkout_by_config(
@@ -586,5 +553,5 @@ index eb7b6ad..706fa57 100644
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch
index e8853d9cc..773722064 100644
--- a/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch
+++ b/main/strongswan/1002-vici-send-certificates-for-ike-sa-events.patch
@@ -1,4 +1,4 @@
-From c1a33f1b826536a90951be611de9804a3a524b32 Mon Sep 17 00:00:00 2001
+From dde551360cbe9ac09f1cd2d01047131c6332c576 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 30 Apr 2015 12:08:13 +0300
Subject: [PATCH] vici: send certificates for ike-sa events
@@ -102,5 +102,5 @@ index d94d760..3d461f7 100644
b->begin_section(b, child_sa->get_name(child_sa));
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
index 95d67eff5..a52450306 100644
--- a/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+++ b/main/strongswan/1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
@@ -1,4 +1,4 @@
-From 9a695f579173f087c9e72620fa70d6e28171e1f9 Mon Sep 17 00:00:00 2001
+From b8b84525b8c8c9e5cc1d1409a89347bb8869f893 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 30 Apr 2015 10:58:15 +0300
Subject: [PATCH] vici: add support rekeying events, and individual sa state
@@ -209,5 +209,5 @@ index 3d461f7..ade181c 100644
.destroy = _destroy,
},
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/1004-vici-support-asynchronous-initiation.patch b/main/strongswan/1004-vici-support-asynchronous-initiation.patch
index 5c9948279..dc95bde74 100644
--- a/main/strongswan/1004-vici-support-asynchronous-initiation.patch
+++ b/main/strongswan/1004-vici-support-asynchronous-initiation.patch
@@ -1,4 +1,4 @@
-From 4564b52fdbb6e588398178e607023fbac2819da8 Mon Sep 17 00:00:00 2001
+From 21efa8dbe5aab423b452277d6aa70f9c14e2f440 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 28 May 2015 13:06:51 +0300
Subject: [PATCH] vici: support asynchronous initiation
@@ -12,7 +12,7 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index d37e11f..66478fd 100644
+index 55f667b..da2b68f 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -187,7 +187,7 @@ CALLBACK(initiate, vici_message_t*,
@@ -43,5 +43,5 @@ index d37e11f..66478fd 100644
case SUCCESS:
msg = send_reply(this, NULL);
--
-2.4.5
+2.4.6
diff --git a/main/strongswan/1005-ikev1-message-priorities.patch b/main/strongswan/1005-ikev1-message-priorities.patch
deleted file mode 100644
index f7bb7ac69..000000000
--- a/main/strongswan/1005-ikev1-message-priorities.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c
-index a6795e7..bb77b3d 100644
---- a/src/libcharon/processing/jobs/process_message_job.c
-+++ b/src/libcharon/processing/jobs/process_message_job.c
-@@ -90,14 +90,20 @@ METHOD(job_t, get_priority, job_priority_t,
- switch (this->message->get_exchange_type(this->message))
- {
- case IKE_AUTH:
-+ case ID_PROT:
-+ case AUTH_ONLY:
-+ case AGGRESSIVE:
- /* IKE auth is rather expensive and often blocking, low priority */
- return JOB_PRIO_LOW;
- case INFORMATIONAL:
-+ case INFORMATIONAL_V1:
-+ case TRANSACTION:
- /* INFORMATIONALs are inexpensive, for DPD we should have low
- * reaction times */
- return JOB_PRIO_HIGH;
- case IKE_SA_INIT:
- case CREATE_CHILD_SA:
-+ case QUICK_MODE:
- default:
- /* IKE_SA_INIT is expensive, but we will drop them in the receiver
- * if we are overloaded */
diff --git a/main/strongswan/1006-fix-printf-strlen.patch b/main/strongswan/1006-fix-printf-strlen.patch
deleted file mode 100644
index ad5948d24..000000000
--- a/main/strongswan/1006-fix-printf-strlen.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
-index 466c673..219c7bd 100644
---- a/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
-+++ b/src/libstrongswan/utils/printf_hook/printf_hook_builtin.c
-@@ -843,14 +843,14 @@ int builtin_vsnprintf(char *buffer, size_t n, const char *format, va_list ap)
- /* String */
- sarg = va_arg(ap, const char *);
- sarg = sarg ? sarg : "(null)";
-- slen = strlen(sarg);
-+ slen = prec ? strnlen(sarg, prec) : strlen(sarg);
- goto is_string;
- }
- case 'm':
- {
- /* glibc error string */
- sarg = strerror(errno);
-- slen = strlen(sarg);
-+ slen = prec ? strnlen(sarg, prec) : strlen(sarg);
- goto is_string;
- }
- is_string:
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 965fd3c17..4192088aa 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@
pkgname=strongswan
pkgver=5.3.2
_pkgver=${pkgver//_rc/rc}
-pkgrel=6
+pkgrel=7
pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
url="http://www.strongswan.org/"
arch="all"
@@ -16,17 +16,36 @@ makedepends="$depends_dev linux-headers"
install="$pkgname.pre-install"
subpackages="$pkgname-doc $pkgname-dbg"
source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
- 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
- 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
- 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch
- 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
- 0005-vici-Optionally-check-limits-when-initiating-connect.patch
+ 0001-vici-Asynchronize-debug-logging.patch
+ 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
+ 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
+ 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
+ 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
+ 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
+ 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
+ 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
+ 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
+ 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+ 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+ 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+ 0012-daemon-Flush-shunts-before-unloading-plugins.patch
+ 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+ 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+ 0015-ike-rekey-Fix-cleanup-call.patch
+ 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+ 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+ 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+ 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+ 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+ 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+ 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+ 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+ 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
+ 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
1001-charon-add-optional-source-and-remote-overrides-for-.patch
1002-vici-send-certificates-for-ike-sa-events.patch
1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
1004-vici-support-asynchronous-initiation.patch
- 1005-ikev1-message-priorities.patch
- 1006-fix-printf-strlen.patch
2001-support-gre-key-in-ikev1.patch
strongswan.initd
@@ -111,47 +130,104 @@ package() {
}
md5sums="fab014be1477ef4ebf9a765e10f8802c strongswan-5.3.2.tar.bz2
-eb8d38dbf918e5f3adfd55f8ace7aeb1 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-53982788f8ab0962193f695da30a8a94 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-c46a4f2b21a83988512f6108e154620b 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch
-8b5ea458119df0c1ecee181c0f7f7c57 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-0f8316631df321caad6c9b6b5c0b6e5c 0005-vici-Optionally-check-limits-when-initiating-connect.patch
-b7244e10364e6348665048b9eec43cc6 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-4970959a1722b4139e7a22a2d93e866d 1002-vici-send-certificates-for-ike-sa-events.patch
-89f7d85291d6a82230e5337cfa071a67 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-aac217481a1a8ae68719771039c27354 1004-vici-support-asynchronous-initiation.patch
-3accc4500255622cb14844e7111e2932 1005-ikev1-message-priorities.patch
-9b6175216c1761305f2048d9d88865a0 1006-fix-printf-strlen.patch
+78960bec9b1d3be2db9bfe8d73347ceb 0001-vici-Asynchronize-debug-logging.patch
+f05c992e0c79a254fe8dfe3989d29ae6 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
+5d2720f3b0f9ae4632703c8638e29088 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
+413d0409a1232de61d61e99d7e57c2f5 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
+0660bab646fc9dbf99a5f9485e570b0e 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
+30ac430b88cdfb23546a3ac1a6247d6c 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
+de114c8e0f0fb84aaef46b55b912c7df 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
+a99f6c1cc578b17e9c69378869942ffd 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
+e7e8b6171239f3462f8f6739fcfdc56b 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
+400a514e50a378265a0ec1cff46f1f02 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+551d01ca98e3e8b6bfea54938c576ec6 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+b5f4a1a5cd7e5f10e9487a23078bcbab 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+65341200450445191b67914df2629fe6 0012-daemon-Flush-shunts-before-unloading-plugins.patch
+1ea2d1a97aa37bac24a1ec9b1ce7c985 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+054b28fd78fccb20b993ec2679f98bc6 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+6b57da364f1222eb2a8eda8f146c784b 0015-ike-rekey-Fix-cleanup-call.patch
+0941f8e871fff5ab8c984830d23b35a1 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+d97c846c00c60a35925662ba551495df 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+d73abf4c9c3354120152144e7985d428 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+c3f86cc9b0866f2e748f40d3058a5b14 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+55feb2633c42927672113e44465fd824 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+d57e117d13da147910e2ae09219d2492 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+8e79293070086233035a93322b935048 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+c46165934687326a26ec9153a34e2227 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+9b607cf38cff83547368d82fa34d716f 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
+c7c0338de6dc4993cb8cb71238fd13dc 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
+06607758b690f2db961d84e26ee7d6ea 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+1aae491acf4739d871a64cd4481551f6 1002-vici-send-certificates-for-ike-sa-events.patch
+b0f2d10bc3dc89f3bba28fead6687311 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+ca53b3df714aa588af99d4f720c4318b 1004-vici-support-asynchronous-initiation.patch
b9f874287c35cce075b761087c28ab50 2001-support-gre-key-in-ikev1.patch
85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
7962a720ebef6892d80a3cbdab72c204 charon.initd"
sha256sums="a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225 strongswan-5.3.2.tar.bz2
-bce611d5f3d773589c6a751aec7fbaab39c8926134cab6fe2d5586639244bdc0 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-4e1f76a76278c7621ca860156c25dfda90a7d9010b6426a9fd7c74c190166043 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-fb7478cad812e40134f5796c5faea4f939a71c4676efe9d17573041b696a61c7 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch
-31f8e5c1f451ed14045072cd13f2085c39f064403f264d12fb2f75aa5e996f5a 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-a5601aa4ce0be4ac74f482817fd64c60e4986781271a2ed354806bbcbcd2223b 0005-vici-Optionally-check-limits-when-initiating-connect.patch
-a3d471cbcc9481264352ca029b70ad8f85fab15495a4aef3cbb209fc19765436 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-baa8ee13f207f5e89b34b759c355e48ed79138fabcd9af841692afb15cf8b61f 1002-vici-send-certificates-for-ike-sa-events.patch
-e0de13d4fc6d66e33973696d62b4a45cd63b5fa6c477891e7651102c2bc3a4d7 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-295476ace69d36f1059c48afb99ec5180086710146a6e10c28c7eed96759a976 1004-vici-support-asynchronous-initiation.patch
-0e814067bf47e9b4a0127b5197ea321e1398b1bc8e0635d576898fc977233d67 1005-ikev1-message-priorities.patch
-2b5d384a73373e16dc8bf75e55149173de00f454fe0de1b65296e73e68275042 1006-fix-printf-strlen.patch
+37da81cde0afd5b2d025a62b36020ff4739bccc086bcfd1528e461534b99e1e8 0001-vici-Asynchronize-debug-logging.patch
+ee88c4636efb8e06ff66e50e82b5de5a2f49a2b60042b157b09c110332db1f2c 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
+442b721d4ee156e5bb8167f4f5831abe727d8440b26f0ba91a32f21eade14305 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
+28fb9b57d5c02ae2b10e283f13de4d7257913a44ce68e287f73144d4fe2c0972 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
+e8e967357a6741df02b80fcd75729044179549e24623d483c1f4ee603a83152b 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
+a246364122d40ef70091cdf86ea16413a20f3461e137f8209c58959dfaf09396 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
+79861e897dd8e973d2426f083079adb74cc3c281b1c891eb6fbf7e569f0b74f4 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
+a9f59b91d3ac04fd52684fd4143545452368d65af9f6026020ba95eae114c103 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
+1b463d03b3ce0cf5223bacb08155b69c1c362fa311b1af20cb79b392ac6a233e 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
+3679e3f63a72c1f32b67ab71f60f8922384cbdeb916beca779bc7776db0332fe 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+cd1d28855c13c9544c6f4caa619a00226d8c84cc75c3e88f962ebea9736619ad 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+ce95459cea9eaa4d7f1695e10f99ca886d428843ada8134e8f337dce957cdda0 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+b8b82e4b99c70cd76b09a2c7d6144e1e572bee6b4c821fcf7338d1692e1843cb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
+2c4a898a4b17e196acc44947f4b48688649d29ac15c0d19e14d664bf0d9f0274 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+a1b61e2aafcd502c8398bfefd556dfb1429d862faecc5d6c0c843e7da215abf3 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+ef5f7d38483909ae3aff5e474ac6f5f20804645ead6a6108f2534408434023ff 0015-ike-rekey-Fix-cleanup-call.patch
+257931d4443a4ed2284bf8872e73ab1e93c0d69f490e1b9b3bb2b12210cec677 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+130db52dea23eae4081bf25c5ef050f9dfbaa4e7e99dc0a623fdfc991eb4c5c7 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+16a41ef4cf25e3432c8a61aa34ac12d6eccd5796d921c75d72570d4f9fda2717 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+ab4042b193a68d3ff771be006fdea81eb786fee7b7c4c8c24aa60ef3372de9c8 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+f81bb1934c67263e0fcb75ffa449f7d663a17ffacc4d76d233acaed54e13b10d 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+7aac3748cabf9293701924b6e6a3f0bb74c4d4302a019eb8012af48473f35b67 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+3060dd59d44de1f6e7b82146db4b09c3fd80869c75e9a31823bcbdd9f66ac923 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+6ee2826d8f2acf4010886b9990c4fe1f1be99e869144f3dd3705e38184300ca1 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+d5e0fa9012e5d4f35b5fe903fe555019c639000f75cd269acd73126f2105149b 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
+74a12c42d63d6e9e920afc976b287144118c79740743beec769e5a9f239acac6 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
+d2f05dc1d3e921358ca2ba8c7c68cbfa3eca3fdc108fd2b89311d8b25ff6f4bc 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+b2a6f23ede01b2d24ff973dc6c1466dc5600df259eb35d3ea6efa9a4e322ae34 1002-vici-send-certificates-for-ike-sa-events.patch
+c0b39aaaf97f3797ef327a465e1468aa166044875b194e899999dc7c0723fc4c 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+cd0de223af1f831232b2339de4ec6f902bf8fbd826aed85aa70aedfb961b1ea1 1004-vici-support-asynchronous-initiation.patch
ec58de15c3856a2fd9ea003b7e78a7434dad54f9a4c54d499b09a6eef3761d18 2001-support-gre-key-in-ikev1.patch
ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
sha512sums="60b17645c00769d497f4cea2229b41a217c29fe1109b58be256a0d4a6ccf4765348b9eb89466539c2528756344c2fa969f25ea1cd8856d56c5d55aa78e632e68 strongswan-5.3.2.tar.bz2
-5ec6fd6160a55d7313f8dd3315a353d426f98ea57d167e73e97bff25ca175d2848f7ea0956cb2ec9cbca24f2be1dc0c1b1d123ee947f64baa6dfc712d04e77e1 0001-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
-ee5dc2d2c719895e69d9a0324b48d43b4b86122eb8848143db7a4a629e79d594deeb4a000a429c85a31552358e9e1e2a7de8a1917c6ebb075a77281f074e0740 0002-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
-7da65c2f5459811e4c6a1643d42eca0dedd206335a0127277a6f11cf15a75a2a546848219065517d065016639ffa2e2b40f275cca7083adc3ee545f3e051e050 0003-controller-Optionally-adhere-to-init-limits-also-whe.patch
-4192aa916c5018046a21bb2d94e82ae35a81f4f462107f81b2f1b0a95372f212411852768d34ec3937c141570789b8ac1a1734552b0a07cac96a085fe28bc848 0004-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
-4a36a0c9c456537e6b71975e6947a15a0fdcda875454ded4d23f9d1073c9258b901d7a4116786f63a590f30725cc41c23eca414e0757f240cc4f4eb8e56cb285 0005-vici-Optionally-check-limits-when-initiating-connect.patch
-4cfe0b15a28b600b51be2ae270d303a65854756e30d60d8d897e0106f77ba7e05ec1625cc7cfafce54443bcb8c72ded09aa759f2540589afea491c81a05e65f0 1001-charon-add-optional-source-and-remote-overrides-for-.patch
-142e3207aa3646a82ed1831635ef16003b86625f763927d56e074aeb5d6d04f108a21f713f877afc48119ee3df784af727e5bee8dddf0671dc2a6058f9708af4 1002-vici-send-certificates-for-ike-sa-events.patch
-1781b8de169d0d41f8cb4d63c0b85b1e9eae2d52935d3753a876e8fee542ab58933be11c36f2a230233144c94c12c1d7641dbb58c89481e27d889e7f17fad87e 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
-aaf0701a4564fdce9d4422e8c33ea704142e371392cb7fa552cf0c71cb00d0dbd5901c21e45fadc23798cfdb95066da9d24b2f2b9b037761e670ee30f4b93b35 1004-vici-support-asynchronous-initiation.patch
-bd4c9575d2aebbae48d49ef5e3fcfa0c0366c8d100a0190706b5fff7332ab34ca5f862ba8a3fe9cdcf9996371b554ab0f6561e16d57d6e425497ab015e46299a 1005-ikev1-message-priorities.patch
-dd9d873d63ae9ed47bc61b122e33be406498ca707c53560c704b87b986904f1fbfe6f293df6a6f79a0359ff9b3686fcf26e91624eb73d8139b4afe1bd26f7798 1006-fix-printf-strlen.patch
+d3135206f61496d0877b22c52c0f4246d17777935a4277bfc6e7ca8b69fb2754a52fed7e8691292df91745c00fa0d597f11cd866bb4ee91453c0e252ba77eef8 0001-vici-Asynchronize-debug-logging.patch
+87ab03664dddf30ed1ae1a1e1fc2a22715a0e74b220f316937cf0f86a5b9c38262fd8a9ad62aa1866405d0bf552d33a62621c8b91634e6bd3c7967b6e7955894 0002-host-Properly-handle-NULL-in-host_create_from_string.patch
+8f16ab691c7e778894f0fc8889ac9be8813da27e09fb304443e9053f2ed384ccd3976d7956f762136c94c870dabe808d3f97116f4573bb0df74299f1da34d643 0002-ike-sa-manager-Safely-access-the-RNG-instance-with-a.patch
+dbb5454e32cea4e671fdb109e2252536d2f8ee97097a45ad280010de7d6b7fedeb40c0418ae2af45a4393b98ac6badd9072846259be6ca823f056919fcd3b985 0003-ike-cfg-Add-helper-function-to-determine-address-fam.patch
+73dcb7874aadcf641051cef91d83158fa8a1c664c094d131fcd5ad9d1c5d00abec5a75dd92780fabf2c0690079aad73275af885a83c8791c62025593fa7af61c 0004-ike-Use-address-family-of-local-address-when-resolvi.patch
+8e3636933b7ee3eddb28b9797e3da21c494e470067bc6996509bd28a9894e037fa7575d68fb717247762dc468543b67d965745370cb1335b1f9fbc6bdf260f6e 0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
+e970869f5552557d18133bb279b98a81b7d12a6656bddccfcfbdb2b2dc80ad90cc4d1d63135b3682ccb26c83408790c792de9d64056a97c1b7df16f0b159d179 0006-trap-manager-Properly-check-in-IKE_SA-if-initiating-.patch
+65a20b7d059770786c5912811db8692ab9c03a3527f83d0d23e14db4da8c64c3ed43de7a04ba1cf2a794551471ee9456e70f723b0bb4599792a668edea1f6e77 0007-trap-manager-Changed-how-acquires-we-acted-on-are-tr.patch
+e5bd98af84b248642fb6206497c7d2fca7e42362632171e271a8a715179d10f3590eb25a7b38c9fbc058c82d657668c01e9b98d8ef1f422d0887e710342eff36 0008-trap-manager-Resolve-race-conditions-between-flush-a.patch
+c4a30bbff90c2ef59e9bebb64d336bddde811f0ffba3dcef423dc71a17e98be26192f8aa8654702e9a2cdc9dbfc8ec960fbf1a126c411efef6f95dc1a19c518e 0009-shunt-manager-Add-a-lock-to-safely-access-the-list-o.patch
+6e11b006b4fd0c6d000ff301ce18170bf9540f567ada2eb23f0f1c705be8d0f9299364313249cef5528858e75c10ba9d65315c941b49cb12ae07808d3b6e1faa 0010-shunt-manager-Remove-stored-entries-if-installation-.patch
+2a5503558dcfe654335d9b6b7056e9888b2304389bb76369b8222d54add6c8a9895ab175701eeb636c42f0df53d1078fdae7a9f11167fc2beadad82de68b0e4c 0011-shunt-manager-Add-flush-method-to-properly-uninstall.patch
+4e3ac34b2ecca6c1eefd9354a96a1a1fe7499571d2c5756c1cc889c23e125073517c6af57047de5b96bbc6acf9c6bb8c677df4206633f67551336fa8e62c77fb 0012-daemon-Flush-shunts-before-unloading-plugins.patch
+f643be8dbc32c27f2c31ac91612ae7d2f1a34e9387257d1247cd8c7fb8e5b9c58fc0b8448dd692723a6f7f2ac4d4629ffa2c440c40f5f1bfb550f1cc526b3916 0013-ike-rekey-Reset-IKE_SA-on-the-bus-after-destroying-n.patch
+bd161f1d4fa2881c8c07c2b7bccc0b9f06a99b12203d00329c8295f8a5ebe49f6cf27eca286ddd3c9e443fe132c64cae6849d691ddeda49b5fe716aebc73441e 0014-ike-rekey-Reset-IKE_SA-on-bus-before-sending-CREATE_.patch
+3f8c5ed171eb7c99218005b038ff0e0bc23841aab76cb97fbb7b8a3091b9f5ba318bd23c347de42bd969ac599f3d5f1b6bcf5110d5e23643858b24a719374f50 0015-ike-rekey-Fix-cleanup-call.patch
+bdc74e2b6f91e94aa0041927ff5cf3f2f5d67d5d37a0c389a2b6328919bd9f2f0376957676fd359009117a1d01cd06ecfadb7151bd7875c1df5cb82e159a378a 0016-ike-Fix-memory-leak-if-remote-address-is-kept.patch
+2d667eeba6d567008d8fe27d4dafa9a913c7aafa096258d7b5c95e2d8428e9dc8a40ace9e729a3d323e8d639d2ae3dae945904f90a39076c5ca5ddba7d70a0b6 0101-kernel-netlink-Actually-verify-if-the-netlink-messag.patch
+539bfec16350c035f7ce2f3551b52ba2e22c75146a6c1494f4b25ec283f2245b7a03be9470c0e0cd3e6fc368bcf1bda60ce8166928737ab396e6cf88ffafaf79 0102-kernel-netlink-Use-the-PAGE_SIZE-as-default-for-the-.patch
+b81fed84f361862c618fdfd9b2993dac3bcb4b298d806523ee9c8f47b1f5b0b679426eaeed8bc88ab1635ba30f9ff0ca9945aa264b3213561548648d64eb25ae 0201-ike-Also-track-initiating-IKE_SAs-as-half-open.patch
+9a2cb61c55a03977fc4bce42fdf043706498c86d69ea094852735b2ef525fbc0f81bad33aad7afc29ef301f3e2146746b56f458980529057e05007e0bab7b972 0202-controller-Optionally-adhere-to-init-limits-also-whe.patch
+95e3544a87bf503ed17059298ec6330501f39a2210e583fed59c5d03ef25b8d8227317016bf0181e49c87a7e36e1d902b0b24bda184d2166f3ad5b79166ce0dd 0203-vici-Add-get_bool-convenience-getter-for-VICI-messag.patch
+055b7769b0f587a77585ccf8e44c30fdf0981a1418f8e426eb696cfde671ac0013b355fdfb9e73ed3605c97a3a8c5f8ac38a2a0a137a5b87f9d6491752254543 0204-vici-Optionally-check-limits-when-initiating-connect.patch
+6b01e9810566e4f928fa72f01b5fa6cdbddaf1045433cb5b73b5a3d1cd73260ff195709e4d46384c2aa6540e4e62ad9021d9cad19b2061bc0153581e74cf2d0e 0205-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
+8788fb376eaf57d9f277cac785db08578de3992e2484e7ab21ec044bc91000565ecb2adae4d2632f43ca6ed76519fd4422d86a3ba07a499594fbd7a61298458c 0301-ikev1-Assign-different-job-priorities-for-inbound-IK.patch
+86f244b3d8b35e8b9e25692554b7e8711bc663843e316e8895b340b3bd567c38543d24367250c93910b5d9462a2901bfc7717b5e3824f4682b4c736d33450834 0401-printf-hook-builtin-Fix-invalid-memory-access.patch
+2522571163b1d6de0aae2e2c1c2db69c52c3ff76e27a383e8a01e0933a0c0a06212168b1356308d6fd548aa7416d88ecd2bcfc79d3391ff17e6c799e83c5f88d 1001-charon-add-optional-source-and-remote-overrides-for-.patch
+ccf60c52d75b3f2eff719fbac1403eb141029651fccf2a1927ec4dffc0ccdc49c061a4971c38a0f37a32b2a53aa79422e17f3f993c48ebbcd07840a867c15881 1002-vici-send-certificates-for-ike-sa-events.patch
+1ea845551c7da2a7817e34508b0da3f3f0bba879f3b95d08c8db0a6b32adaf50363556daa6ee2e0f11c1ee6c41077d39ba54dbd40e457a02a991add19fe115ef 1003-vici-add-support-rekeying-events-and-individual-sa-s.patch
+e65579093692ca58314245d1dd3e5b4bdbff0603e5dc7baf3f80d7d9f415f62ae1656ef67da8a36efdec58235b6b1862d63c13991f1e5fefc02d8ee39d6dc9b6 1004-vici-support-asynchronous-initiation.patch
723aad9269ae7da54b1d551b290c80951c3b779737353fa845c00d190c9ef6c6bc406d8ed22254a27844985b7ffaa12b99acce91ec0b192caf639c81b06bf771 2001-support-gre-key-in-ikev1.patch
b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"