From 8029c2a899b3b70e5e35f8461daddc288b9abe75 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 22 Sep 2016 14:47:47 +0100
Subject: [PATCH] strongswan: Update to 5.5.0

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/strongswan | 40 +++++++++----
 lfs/strongswan | 5 +-
 ...nt-when-deleting-redundant-CHILD_SAs.patch | 56 -------------------
 3 files changed, 30 insertions(+), 71 deletions(-)
 delete mode 100644 src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch

diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
index f51cc3a9cd..f81a9c861a 100644
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -40,7 +40,6 @@ etc/strongswan.d/charon/kernel-netlink.conf
 etc/strongswan.d/charon/md5.conf
 etc/strongswan.d/charon/nonce.conf
 etc/strongswan.d/charon/openssl.conf
-#etc/strongswan.d/charon/padlock.conf
 etc/strongswan.d/charon/pem.conf
 etc/strongswan.d/charon/pgp.conf
 etc/strongswan.d/charon/pkcs1.conf
@@ -58,6 +57,7 @@ etc/strongswan.d/charon/socket-default.conf
 etc/strongswan.d/charon/sshkey.conf
 etc/strongswan.d/charon/stroke.conf
 etc/strongswan.d/charon/updown.conf
+etc/strongswan.d/charon/vici.conf
 etc/strongswan.d/charon/x509.conf
 etc/strongswan.d/charon/xauth-eap.conf
 etc/strongswan.d/charon/xauth-generic.conf
@@ -66,6 +66,21 @@ etc/strongswan.d/charon/xcbc.conf
 etc/strongswan.d/pki.conf
 etc/strongswan.d/scepclient.conf
 etc/strongswan.d/starter.conf
+etc/strongswan.d/swanctl.conf
+#etc/swanctl
+etc/swanctl/bliss
+etc/swanctl/ecdsa
+etc/swanctl/pkcs12
+etc/swanctl/pkcs8
+etc/swanctl/pubkey
+etc/swanctl/rsa
+etc/swanctl/swanctl.conf
+etc/swanctl/x509
+etc/swanctl/x509aa
+etc/swanctl/x509ac
+etc/swanctl/x509ca
+etc/swanctl/x509crl
+etc/swanctl/x509ocsp
 usr/bin/pki
 #usr/lib/ipsec
 #usr/lib/ipsec/libcharon.a
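Review bot: The added `etc/strongswan.d/charon/vici.conf` entry, together with `usr/lib/ipsec/plugins/libstrongswan-vici.so`, `usr/lib/ipsec/libvici.so*` and `usr/sbin/swanctl` in later hunks of this file, ships a second control interface for charon next to the existing stroke plugin, and the commit message does not say whether that is intended. A client that can reach the vici socket can load connections and credentials into the daemon, so please confirm the shipped configuration keeps that socket restricted to root. If nothing on the system uses swanctl yet, the entries could be excluded the same way the man pages are, e.g. `#etc/strongswan.d/charon/vici.conf` and `#usr/lib/ipsec/plugins/libstrongswan-vici.so`; I am assuming here that a leading `#` excludes a path from the image.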
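Review bot: The new `etc/swanctl/rsa`, `etc/swanctl/ecdsa`, `etc/swanctl/bliss`, `etc/swanctl/pkcs8` and `etc/swanctl/pkcs12` entries are directories intended for private keys, and the list gives no indication of the ownership and mode they are packaged with, while the parent `#etc/swanctl` is commented out. Please check on a built image that these five directories are not accessible to unprivileged users, since the directory mode is the first barrier for any key placed there later. A line in the commit message such as `private key directories under etc/swanctl verified as root-only` would record that the check was done.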
@@ -73,11 +88,6 @@ usr/bin/pki
 usr/lib/ipsec/libcharon.so
 usr/lib/ipsec/libcharon.so.0
 usr/lib/ipsec/libcharon.so.0.0.0
-#usr/lib/ipsec/libhydra.a
-#usr/lib/ipsec/libhydra.la
-usr/lib/ipsec/libhydra.so
-usr/lib/ipsec/libhydra.so.0
-usr/lib/ipsec/libhydra.so.0.0.0
 #usr/lib/ipsec/libradius.a
 #usr/lib/ipsec/libradius.la
 usr/lib/ipsec/libradius.so
@@ -93,6 +103,11 @@ usr/lib/ipsec/libstrongswan.so.0.0.0
 usr/lib/ipsec/libtls.so
 usr/lib/ipsec/libtls.so.0
 usr/lib/ipsec/libtls.so.0.0.0
+#usr/lib/ipsec/libvici.a
+#usr/lib/ipsec/libvici.la
+usr/lib/ipsec/libvici.so
+usr/lib/ipsec/libvici.so.0
+usr/lib/ipsec/libvici.so.0.0.0
 #usr/lib/ipsec/plugins
 usr/lib/ipsec/plugins/libstrongswan-aes.so
 usr/lib/ipsec/plugins/libstrongswan-attr.so
@@ -101,8 +116,8 @@ usr/lib/ipsec/plugins/libstrongswan-cmac.so
 usr/lib/ipsec/plugins/libstrongswan-constraints.so
 usr/lib/ipsec/plugins/libstrongswan-ctr.so
 usr/lib/ipsec/plugins/libstrongswan-curl.so
-usr/lib/ipsec/plugins/libstrongswan-dhcp.so
 usr/lib/ipsec/plugins/libstrongswan-des.so
+usr/lib/ipsec/plugins/libstrongswan-dhcp.so
 usr/lib/ipsec/plugins/libstrongswan-dnskey.so
 usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
 usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so
@@ -120,7 +135,6 @@ usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
 usr/lib/ipsec/plugins/libstrongswan-md5.so
 usr/lib/ipsec/plugins/libstrongswan-nonce.so
 usr/lib/ipsec/plugins/libstrongswan-openssl.so
-#usr/lib/ipsec/plugins/libstrongswan-padlock.so
 usr/lib/ipsec/plugins/libstrongswan-pem.so
 usr/lib/ipsec/plugins/libstrongswan-pgp.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
@@ -130,7 +144,6 @@ usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
 usr/lib/ipsec/plugins/libstrongswan-pubkey.so
 usr/lib/ipsec/plugins/libstrongswan-random.so
 usr/lib/ipsec/plugins/libstrongswan-rc2.so
-#usr/lib/ipsec/plugins/libstrongswan-rdrand.so
 usr/lib/ipsec/plugins/libstrongswan-resolve.so
 usr/lib/ipsec/plugins/libstrongswan-revocation.so
 usr/lib/ipsec/plugins/libstrongswan-sha1.so
@@ -139,6 +152,7 @@ usr/lib/ipsec/plugins/libstrongswan-socket-default.so
 usr/lib/ipsec/plugins/libstrongswan-sshkey.so
 usr/lib/ipsec/plugins/libstrongswan-stroke.so
 usr/lib/ipsec/plugins/libstrongswan-updown.so
+usr/lib/ipsec/plugins/libstrongswan-vici.so
 usr/lib/ipsec/plugins/libstrongswan-x509.so
 usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
 usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
@@ -152,6 +166,7 @@ usr/libexec/ipsec/scepclient
 usr/libexec/ipsec/starter
 usr/libexec/ipsec/stroke
 usr/sbin/ipsec
+usr/sbin/swanctl
 #usr/share/man/man1/pki---acert.1
 #usr/share/man/man1/pki---dn.1
 #usr/share/man/man1/pki---gen.1
@@ -168,10 +183,10 @@ usr/sbin/ipsec
 #usr/share/man/man5/ipsec.conf.5
 #usr/share/man/man5/ipsec.secrets.5
 #usr/share/man/man5/strongswan.conf.5
-#usr/share/man/man8/_updown.8
+#usr/share/man/man5/swanctl.conf.5
 #usr/share/man/man8/ipsec.8
-#usr/share/man/man8/openac.8
 #usr/share/man/man8/scepclient.8
+#usr/share/man/man8/swanctl.8
 #usr/share/strongswan
 #usr/share/strongswan/templates
 #usr/share/strongswan/templates/config
@@ -202,7 +217,6 @@ usr/sbin/ipsec
 #usr/share/strongswan/templates/config/plugins/md5.conf
 #usr/share/strongswan/templates/config/plugins/nonce.conf
 #usr/share/strongswan/templates/config/plugins/openssl.conf
-#usr/share/strongswan/templates/config/plugins/padlock.conf
 #usr/share/strongswan/templates/config/plugins/pem.conf
 #usr/share/strongswan/templates/config/plugins/pgp.conf
 #usr/share/strongswan/templates/config/plugins/pkcs1.conf
@@ -220,6 +234,7 @@ usr/sbin/ipsec
 #usr/share/strongswan/templates/config/plugins/sshkey.conf
 #usr/share/strongswan/templates/config/plugins/stroke.conf
 #usr/share/strongswan/templates/config/plugins/updown.conf
+#usr/share/strongswan/templates/config/plugins/vici.conf
 #usr/share/strongswan/templates/config/plugins/x509.conf
 #usr/share/strongswan/templates/config/plugins/xauth-eap.conf
 #usr/share/strongswan/templates/config/plugins/xauth-generic.conf
@@ -232,3 +247,4 @@ usr/sbin/ipsec #usr/share/strongswan/templates/config/strongswan.d/pki.conf #usr/share/strongswan/templates/config/strongswan.d/scepclient.conf #usr/share/strongswan/templates/config/strongswan.d/starter.conf +#usr/share/strongswan/templates/config/strongswan.d/swanctl.conf diff --git a/lfs/strongswan b/lfs/strongswan index c6d655bb24..17c1a01cf4 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 5.3.5 +VER = 5.5.0 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = a2f9ea185f27e7f8413d4cd2ee61efe4 +$(DL_FILE)_MD5 = a96fa7eb6c62b40143dadb064b6bd586 install : $(TARGET) @@ -79,7 +79,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch b/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch deleted file mode 100644 index 27b6f069e2..0000000000 --- a/src/patches/strongswan-child-rekey-Suppress-updown-event-when-deleting-redundant-CHILD_SAs.patch +++ /dev/null 
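Review bot: The only integrity check visible for the new tarball is the updated `$(DL_FILE)_MD5` value in lfs/strongswan, and MD5 is no longer collision-resistant, so the pin guards against corruption but is weak as a supply-chain control. The commit also does not record how `a96fa7eb6c62b40143dadb064b6bd586` was obtained. I would add a comment above the assignment such as `# checksum taken from a tarball verified against the upstream release signature`, and move to a stronger digest if the build system offers one. Only the variable assignments are visible in this hunk; the download and verification rule itself lies outside it.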
@@ -1,56 +0,0 @@ -From 0e32cbc0bc8fce3319491db360fb23b16561ec58 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Tue, 15 Dec 2015 17:15:32 +0100 -Subject: [PATCH] child-rekey: Suppress updown event when deleting redundant - CHILD_SAs - -When handling a rekey collision we might have to delete an already -installed redundant CHILD_SA (or expect the other peer to do so). We don't -want to trigger updown events for these as we don't during rekeying. - -Instead of setting the state to CHILD_REKEYING we could maybe use -CHILD_REKEYED, which we currently only use for IKEv1, and set it for -all CHILD_SAs we delete or expect the other peer to delete. Would need -a small change in child-delete too. Or we could introduce a new state. - - #853. ---- - src/libcharon/sa/ikev2/tasks/child_rekey.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c -index c7a8a13..6f0c2b2 100644 ---- a/src/libcharon/sa/ikev2/tasks/child_rekey.c -+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c -@@ -279,11 +279,15 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) - /* don't touch child other created, it has already been deleted */ - if (!this->other_child_destroyed) - { -- /* disable close action for the redundand child */ -+ /* disable close action and updown event for redundant child */ - child_sa = other->child_create->get_child(other->child_create); - if (child_sa) - { - child_sa->set_close_action(child_sa, ACTION_NONE); -+ if (child_sa->get_state(child_sa) != CHILD_REKEYING) -+ { -+ child_sa->set_state(child_sa, CHILD_REKEYING); -+ } - } - } - } -@@ -372,6 +376,11 @@ METHOD(task_t, process_i, status_t, - { - return SUCCESS; - } -+ /* disable updown event for redundant CHILD_SA */ -+ if (to_delete->get_state(to_delete) != CHILD_REKEYING) -+ { -+ to_delete->set_state(to_delete, CHILD_REKEYING); -+ } - spi = to_delete->get_spi(to_delete, TRUE); - protocol = 
to_delete->get_protocol(to_delete); - --- -1.7.9.5 - -- 2.39.5