etc/strongswan.d/charon.conf
etc/strongswan.d/charon/aes.conf
etc/strongswan.d/charon/attr.conf
+etc/strongswan.d/charon/ccm.conf
etc/strongswan.d/charon/cmac.conf
etc/strongswan.d/charon/constraints.conf
+etc/strongswan.d/charon/ctr.conf
etc/strongswan.d/charon/curl.conf
etc/strongswan.d/charon/des.conf
etc/strongswan.d/charon/dhcp.conf
#usr/lib/ipsec/plugins
usr/lib/ipsec/plugins/libstrongswan-aes.so
usr/lib/ipsec/plugins/libstrongswan-attr.so
+usr/lib/ipsec/plugins/libstrongswan-ccm.so
usr/lib/ipsec/plugins/libstrongswan-cmac.so
usr/lib/ipsec/plugins/libstrongswan-constraints.so
+usr/lib/ipsec/plugins/libstrongswan-ctr.so
usr/lib/ipsec/plugins/libstrongswan-curl.so
usr/lib/ipsec/plugins/libstrongswan-dhcp.so
usr/lib/ipsec/plugins/libstrongswan-des.so
#usr/share/strongswan/templates/config/plugins
#usr/share/strongswan/templates/config/plugins/aes.conf
#usr/share/strongswan/templates/config/plugins/attr.conf
+#usr/share/strongswan/templates/config/plugins/ccm.conf
#usr/share/strongswan/templates/config/plugins/cmac.conf
#usr/share/strongswan/templates/config/plugins/constraints.conf
+#usr/share/strongswan/templates/config/plugins/ctr.conf
#usr/share/strongswan/templates/config/plugins/curl.conf
#usr/share/strongswan/templates/config/plugins/des.conf
#usr/share/strongswan/templates/config/plugins/dhcp.conf
include Config
-VER = 5.2.2
+VER = 5.3.0
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 7ee1a33060b2bde35be0f6d78a1d26d0
+$(DL_FILE)_MD5 = c52d4228231c2025d9c320d0e9990327
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-eb25190.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh
cd $(DIR_APP) && ./configure \
--enable-farp \
--enable-openssl \
--enable-gcrypt \
+ --enable-ccm \
+ --enable-ctr \
--enable-gcm \
--enable-xauth-eap \
--enable-xauth-noauth \
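Review bot: The five `patch -Np1` lines removed here carried the upstream fixes for strongSwan issues #816 (IKE_SA_INIT handling that let an attacker tear down or slip into an existing IKE_SA) and #819 (IKEv1 INITIAL-CONTACT payload), and the single replacement line applies only `strongswan-ipfire.patch`; the commit does not state that 5.3.0 contains those commits, so that should be confirmed against the 5.3.0 tarball or changelog before the patch files are dropped and, ideally, recorded in the commit message. The patch files deleted later in this diff are upstream commits dated February 2015, so they are very likely in the March 2015 release, but a version bump that silently removes security patches deserves an explicit statement. The new name `strongswan-ipfire.patch` also loses the version suffix that `strongswan-5.0.2_ipfire.patch` carried, so it is no longer obvious which release the IPFire patch was rebased against; `strongswan-5.3.0_ipfire.patch` would keep that information. Finally, the tarball remains pinned only by `$(DL_FILE)_MD5`, which the build convention requires, but MD5 is collision-weak, so the new hash should be computed from a tarball whose upstream release signature was verified first.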
+++ /dev/null
-commit 650a3ad5151958b99a95836fb8b84b8aa18da1be
-Author: Tobias Brunner <tobias@strongswan.org>
-Date: Wed Feb 25 08:09:11 2015 +0100
-
- ike-sa-manager: Make sure the message ID of initial messages is 0
-
- It is mandated by the RFCs and it is expected by the task managers.
-
- Initial messages with invalid MID will be treated like regular messages,
- so no IKE_SA will be created for them. Instead, if the responder SPI is 0
- no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
- If an SPI is set and we do find an SA, then we either ignore the message
- because the MID is unexpected, or because we don't allow initial messages
- on established connections.
-
- There is one exception, though, if an attacker can slip in an IKE_SA_INIT
- with both SPIs set before the client's IKE_AUTH is handled by the server,
- it does get processed (see next commit).
-
- References #816.
-
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index d0cbd47..5e2b925 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
-
- DBG2(DBG_MGR, "checkout IKE_SA by message");
-
-- if (id->get_responder_spi(id) == 0)
-+ if (id->get_responder_spi(id) == 0 &&
-+ message->get_message_id(message) == 0)
- {
- if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
- {
+++ /dev/null
-commit dd0ebb54837298c869389d36a0b42eefdb893dd6
-Author: Tobias Brunner <tobias@strongswan.org>
-Date: Wed Feb 25 08:30:33 2015 +0100
-
- ikev2: Only accept initial messages in specific states
-
- The previous code allowed an attacker to slip in an IKE_SA_INIT with
- both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
-
- References #816.
-
-diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
-index be84e71..540d4dc 100644
---- a/src/libcharon/sa/ikev2/task_manager_v2.c
-+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
-@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
- {
- if (mid == this->responding.mid)
- {
-- /* reject initial messages once established */
-- if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
-- msg->get_exchange_type(msg) == IKE_AUTH)
-+ /* reject initial messages if not received in specific states */
-+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
-+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
-+ (msg->get_exchange_type(msg) == IKE_AUTH &&
-+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
- {
-- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
-- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
-- {
-- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
-- exchange_type_names, msg->get_exchange_type(msg));
-- return FAILED;
-- }
-+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
-+ exchange_type_names, msg->get_exchange_type(msg),
-+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
-+ return FAILED;
- }
- if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
- { /* with MOBIKE, we do no implicit updates */
+++ /dev/null
-commit eb251906298b529fa53b8a99746a9a7a9f318dd5
-Author: Tobias Brunner <tobias@strongswan.org>
-Date: Wed Feb 25 08:18:58 2015 +0100
-
- ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
-
- This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
- does not have message ID 0") because it allowed to close any IKE_SA by
- sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
- of that SA.
-
- The next commit will prevent SAs from getting created for IKE_SA_INIT messages
- with invalid MID.
-
- Fixes #816.
-
-diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
-index 48266aa..be84e71 100644
---- a/src/libcharon/sa/ikev2/task_manager_v2.c
-+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
-@@ -1355,10 +1355,6 @@ METHOD(task_manager_t, process_message, status_t,
- {
- DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
- mid, this->responding.mid);
-- if (msg->get_exchange_type(msg) == IKE_SA_INIT)
-- { /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
-- return DESTROY_ME;
-- }
- }
- }
- else
+++ /dev/null
-From cd2c30a56ec9bdab8b3923851509f27a4fd6f537 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 10 Feb 2015 19:03:44 +0100
-Subject: [PATCH] ikev1: Set protocol ID and SPIs in INITIAL-CONTACT
- notification payloads
-
-The payload we sent before is not compliant with RFC 2407 and thus some
-peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error).
-
- #819
----
- src/libcharon/sa/ikev1/tasks/main_mode.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
-index 5065e70..3ea4a2a 100644
---- a/src/libcharon/sa/ikev1/tasks/main_mode.c
-+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
-@@ -213,6 +213,10 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
- {
- identification_t *idr;
- host_t *host;
-+ notify_payload_t *notify;
-+ ike_sa_id_t *ike_sa_id;
-+ u_int64_t spi_i, spi_r;
-+ chunk_t spi;
-
- idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
- if (idr && !idr->contains_wildcards(idr))
-@@ -224,8 +228,15 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
- if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
- idi, idr, host->get_family(host)))
- {
-- message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1,
-- chunk_empty);
-+ notify = notify_payload_create_from_protocol_and_type(
-+ PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1);
-+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
-+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
-+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
-+ spi = chunk_cata("cc", chunk_from_thing(spi_i),
-+ chunk_from_thing(spi_r));
-+ notify->set_spi_data(notify, spi);
-+ message->add_payload(message, (payload_t*)notify);
- }
- }
- }
---
-1.7.9.5
-
---- a/src/_updown/_updown.in
-+++ b/src/_updown/_updown.in
-@@ -178,6 +178,29 @@
- ;;
- esac
+--- strongswan-5.3.0/src/_updown/_updown.in.old 2015-03-17 18:17:43.000000000 +0000
++++ strongswan-5.3.0/src/_updown/_updown.in 2015-03-30 22:48:27.084030719 +0000
+@@ -122,6 +122,29 @@
+ # address family.
+ #
+function ip_encode() {
+ local IFS=.
+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
- # utility functions for route manipulation
- # Meddling with this stuff should not be necessary and requires great care.
- uproute() {
-@@ -407,12 +430,12 @@
+ # define a minimum PATH environment in case it is not set
+ PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
+ export PATH
+@@ -232,12 +255,12 @@
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
#
# allow IPIP traffic because of the implicit SA created by the kernel if
# IPComp is used (for small inbound packets that are not compressed)
-@@ -428,10 +451,10 @@
+@@ -253,10 +276,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
fi
fi
;;
-@@ -439,12 +462,12 @@
+@@ -264,12 +287,12 @@
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
#
# IPIP exception teardown
if [ -n "$PLUTO_IPCOMP" ]
-@@ -459,10 +482,10 @@
+@@ -284,10 +307,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
fi
fi
;;
-@@ -472,24 +495,24 @@
+@@ -297,24 +320,24 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
fi
#
# allow IPIP traffic because of the implicit SA created by the kernel if
-@@ -497,7 +520,7 @@
+@@ -322,7 +345,7 @@
# INPUT is correct here even for forwarded traffic.
if [ -n "$PLUTO_IPCOMP" ]
then
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
-@@ -507,12 +530,51 @@
+@@ -332,12 +355,51 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
;;
down-client:iptables)
# connection to client subnet, with (left/right)firewall=yes, going down
-@@ -520,34 +582,34 @@
+@@ -345,34 +407,34 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
-@@ -557,12 +619,51 @@
+@@ -382,12 +444,51 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
;;
#
# IPv6
-@@ -597,10 +698,10 @@
+@@ -412,10 +513,10 @@
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
-@@ -621,10 +722,10 @@
+@@ -436,10 +537,10 @@
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
-@@ -647,10 +748,10 @@
+@@ -462,10 +563,10 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
fi
-@@ -659,10 +760,10 @@
+@@ -474,10 +575,10 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
-@@ -686,11 +787,11 @@
+@@ -501,11 +602,11 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
$IPSEC_POLICY_IN -j ACCEPT
-@@ -700,11 +801,11 @@
+@@ -515,11 +616,11 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then