From 6fb9681c24360c0c531e18215673e2ba83c53879 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon, 28 Oct 2013 21:00:03 +0100
Subject: [PATCH 1/4] strongswan: Update to 5.1.1rc1.

---
 lfs/strongswan | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/strongswan b/lfs/strongswan
index 1aed31fec..b2c362e39 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.1.1dr4
+VER        = 5.1.1rc1
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -46,7 +46,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 05899faa9b8a8f253474af809b283ef9
+$(DL_FILE)_MD5 = 69826b6a6103ae705c48b3f33b4dd3d5
 
 install : $(TARGET)
 
@@ -94,7 +94,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-eap-identity \
 		$(PADLOCK)
 
-	cd $(DIR_APP) && make $(MAKETUNING) LDFLAGS="-lrt"
+	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 
 	# Remove all library files we don't want or need.

From ec985733a532fb257e75fd75a10746fe9c8cfb80 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 7 Nov 2013 20:56:43 +0100
Subject: [PATCH 2/4] strongswan: Update to 5.1.1.

---
 config/rootfiles/common/i586/strongswan-padlock |  1 +
 config/rootfiles/common/strongswan              |  1 +
 lfs/strongswan                                  | 15 ++++++++++-----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/i586/strongswan-padlock b/config/rootfiles/common/i586/strongswan-padlock
index 02aa457d3..4ebfc75b9 100644
--- a/config/rootfiles/common/i586/strongswan-padlock
+++ b/config/rootfiles/common/i586/strongswan-padlock
@@ -1 +1,2 @@
 usr/lib/ipsec/plugins/libstrongswan-padlock.so
+usr/lib/ipsec/plugins/libstrongswan-rdrand.so
diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
index 0994d07e6..d045c312c 100644
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -75,6 +75,7 @@ usr/lib/ipsec/plugins/libstrongswan-sha2.so
 usr/lib/ipsec/plugins/libstrongswan-socket-default.so
 usr/lib/ipsec/plugins/libstrongswan-sshkey.so
 usr/lib/ipsec/plugins/libstrongswan-stroke.so
+usr/lib/ipsec/plugins/libstrongswan-unity.so
 usr/lib/ipsec/plugins/libstrongswan-updown.so
 usr/lib/ipsec/plugins/libstrongswan-x509.so
 usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
diff --git a/lfs/strongswan b/lfs/strongswan
index b2c362e39..701e3c571 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.1.1rc1
+VER        = 5.1.1
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -33,9 +33,13 @@ DIR_APP    = $(DIR_SRC)/strongswan-$(VER)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
 ifeq "$(MACHINE)" "i586"
-	PADLOCK = --enable-padlock
+	CONFIGURE_OPTIONS = \
+		--enable-padlock \
+		--enable-rdrand
 else
-	PADLOCK = --disable-padlock
+	CONFIGURE_OPTIONS = \
+		--disable-padlock \
+		--disable-rdrand
 endif
 
 ###############################################################################
@@ -46,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 69826b6a6103ae705c48b3f33b4dd3d5
+$(DL_FILE)_MD5 = e3af3d493d22286be3cd794533a8966a
 
 install : $(TARGET)
 
@@ -92,7 +96,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-eap-peap \
 		--enable-eap-mschapv2 \
 		--enable-eap-identity \
-		$(PADLOCK)
+		--enable-unity \
+		$(CONFIGURE_OPTIONS)
 
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install

From c648458609b87478266e691429131ed2c8d70f9a Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed, 13 Nov 2013 00:25:27 +0100
Subject: [PATCH 3/4] strongswan: Delay sending DPD packets after rekeying.

---
 lfs/strongswan                               |  1 +
 src/patches/strongswan-5.1.1-delay-dpd.patch | 35 ++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 src/patches/strongswan-5.1.1-delay-dpd.patch

diff --git a/lfs/strongswan b/lfs/strongswan
index 701e3c571..c7abf7a4d 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -82,6 +82,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.1.1-delay-dpd.patch
 
 	cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh
 	cd $(DIR_APP) && ./configure \
diff --git a/src/patches/strongswan-5.1.1-delay-dpd.patch b/src/patches/strongswan-5.1.1-delay-dpd.patch
new file mode 100644
index 000000000..db3d6647f
--- /dev/null
+++ b/src/patches/strongswan-5.1.1-delay-dpd.patch
@@ -0,0 +1,35 @@
+From b76e96e2ef4d56c863b36c8d3c39e3c2efcf4a7c Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Fri, 1 Nov 2013 11:28:53 +0100
+Subject: [PATCH] ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
+
+Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
+is perfectly valid. For short(er) DPD delays, this leads to the situation where
+we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
+Avoid that DPD by resetting the INBOUND timestamp during set_state().
+---
+ src/libcharon/sa/ike_sa.c |    8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
+index 0282087..d482f8b 100644
+--- a/src/libcharon/sa/ike_sa.c
++++ b/src/libcharon/sa/ike_sa.c
+@@ -687,6 +687,14 @@ METHOD(ike_sa_t, set_state, void,
+ 					DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
+ 				}
+ 				trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
++				if (trigger_dpd)
++				{
++					/* Some peers delay the DELETE after rekeying an IKE_SA.
++					 * If this delay is longer than our DPD delay, we would
++					 * send a DPD request here. The IKE_SA is not ready to do
++					 * so yet, so prevent that. */
++					this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
++				}
+ 			}
+ 			break;
+ 		}
+-- 
+1.7.4.1
+

From 1a386bb9d8765a04651f54348d0d1e01d9950235 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter <arne_f@ipfire.org>
Date: Wed, 13 Nov 2013 13:39:35 +0100
Subject: [PATCH 4/4] samba: update to 3.6.20.

These are security releases in order to address CVE-2013-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475
(ACLs are not checked on opening an alternate data stream on
a file or directory) and CVE-2013-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476
(Private key in key.pem world readable).
---
 lfs/samba | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/samba b/lfs/samba
index 0171627a4..aa635d150 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.6.18
+VER        = 3.6.20
 
 THISAPP    = samba-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 52
+PAK_VER    = 54
 
 DEPS       = "cups"
 
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = c7eec3e83fe4c4750240a8a0a214bbd4
+$(DL_FILE)_MD5 = 3f1b60c681845ce6828a1abe5aacf671
 
 install : $(TARGET)