strongswan: Update to 5.3.0

Enable support for CCM and CTR
2026-04-27 19:23:24 +02:00 · 2015-03-31 00:55:21 +02:00
parent 5b3bd19f31
commit 23e591db40
5 changed files with 0 additions and 158 deletions
--- a/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
+++ b/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
@@ -1,35 +0,0 @@
 commit 650a3ad5151958b99a95836fb8b84b8aa18da1be
 Author: Tobias Brunner <tobias@strongswan.org>
 Date:   Wed Feb 25 08:09:11 2015 +0100
    ike-sa-manager: Make sure the message ID of initial messages is 0
    It is mandated by the RFCs and it is expected by the task managers.
    Initial messages with invalid MID will be treated like regular messages,
    so no IKE_SA will be created for them.  Instead, if the responder SPI is 0
    no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
    If an SPI is set and we do find an SA, then we either ignore the message
    because the MID is unexpected, or because we don't allow initial messages
    on established connections.
    There is one exception, though, if an attacker can slip in an IKE_SA_INIT
    with both SPIs set before the client's IKE_AUTH is handled by the server,
    it does get processed (see next commit).
    References #816.
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
 index d0cbd47..5e2b925 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
 	DBG2(DBG_MGR, "checkout IKE_SA by message");
 -	if (id->get_responder_spi(id) == 0)
 +	if (id->get_responder_spi(id) == 0 &&
 +		message->get_message_id(message) == 0)
 	{
 		if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
 		{
--- a/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
+++ b/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
@@ -1,42 +0,0 @@
 commit dd0ebb54837298c869389d36a0b42eefdb893dd6
 Author: Tobias Brunner <tobias@strongswan.org>
 Date:   Wed Feb 25 08:30:33 2015 +0100
    ikev2: Only accept initial messages in specific states
    The previous code allowed an attacker to slip in an IKE_SA_INIT with
    both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
    References #816.
 diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
 index be84e71..540d4dc 100644
 --- a/src/libcharon/sa/ikev2/task_manager_v2.c
 +++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
 	{
 		if (mid == this->responding.mid)
 		{
 -			/* reject initial messages once established */
 -			if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
 -				msg->get_exchange_type(msg) == IKE_AUTH)
 +			/* reject initial messages if not received in specific states */
 +			if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
 +				 this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
 +				(msg->get_exchange_type(msg) == IKE_AUTH &&
 +				 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
 			{
 -				if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
 -					this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
 -				{
 -					DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
 -						 exchange_type_names, msg->get_exchange_type(msg));
 -					return FAILED;
 -				}
 +				DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
 +					 exchange_type_names, msg->get_exchange_type(msg),
 +					 ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
 +				return FAILED;
 			}
 			if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
 			{	/* with MOBIKE, we do no implicit updates */
--- a/src/patches/strongswan-5.2.2-issue-816-eb25190.patch
+++ b/src/patches/strongswan-5.2.2-issue-816-eb25190.patch
@@ -1,31 +0,0 @@
 commit eb251906298b529fa53b8a99746a9a7a9f318dd5
 Author: Tobias Brunner <tobias@strongswan.org>
 Date:   Wed Feb 25 08:18:58 2015 +0100
    ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
    This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
    does not have message ID 0") because it allowed to close any IKE_SA by
    sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
    of that SA.
    The next commit will prevent SAs from getting created for IKE_SA_INIT messages
    with invalid MID.
    Fixes #816.
 diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
 index 48266aa..be84e71 100644
 --- a/src/libcharon/sa/ikev2/task_manager_v2.c
 +++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1355,10 +1355,6 @@ METHOD(task_manager_t, process_message, status_t,
 		{
 			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
 				 mid, this->responding.mid);
 -			if (msg->get_exchange_type(msg) == IKE_SA_INIT)
 -			{	/* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
 -				return DESTROY_ME;
 -			}
 		}
 	}
 	else
--- a/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch
+++ b/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch
@@ -1,50 +0,0 @@
 From cd2c30a56ec9bdab8b3923851509f27a4fd6f537 Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Tue, 10 Feb 2015 19:03:44 +0100
 Subject: [PATCH] ikev1: Set protocol ID and SPIs in INITIAL-CONTACT
 notification payloads
 The payload we sent before is not compliant with RFC 2407 and thus some
 peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error).
 #819
 ---
 src/libcharon/sa/ikev1/tasks/main_mode.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
 diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
 index 5065e70..3ea4a2a 100644
 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c
 +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -213,6 +213,10 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
 {
 	identification_t *idr;
 	host_t *host;
 +	notify_payload_t *notify;
 +	ike_sa_id_t *ike_sa_id;
 +	u_int64_t spi_i, spi_r;
 +	chunk_t spi;
 	idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
 	if (idr && !idr->contains_wildcards(idr))
@@ -224,8 +228,15 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
 			if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
 										idi, idr, host->get_family(host)))
 			{
 -				message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1,
 -									chunk_empty);
 +				notify = notify_payload_create_from_protocol_and_type(
 +								PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1);
 +				ike_sa_id = this->ike_sa->get_id(this->ike_sa);
 +				spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
 +				spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
 +				spi = chunk_cata("cc", chunk_from_thing(spi_i),
 +								 chunk_from_thing(spi_r));
 +				notify->set_spi_data(notify, spi);
 +				message->add_payload(message, (payload_t*)notify);
 			}
 		}
 	}
 -- 
 1.7.9.5
--- a/src/patches/strongswan-5.0.2_ipfire.patch
+++ b/src/patches/strongswan-5.0.2_ipfire.patch