Backport a couple of commits from master, that will be present in 5.3.4:

- dff2d05bb9 [1]: kernel-pfKey: Enable AES-CTR - 04f22cdabc [2]: VICI: add NAT information Bump PORTREVISION [1] dff2d05bb9 [2] 04f22cdabc PR: 204398 Approved by: maintainer Obtained from: pfSense Sponsored by: Rubicon Communications (Netgate)
svn path=/head/; revision=401115
2025-01-08 06:48:28 +00:00 · 2015-11-09 16:56:08 +00:00 · 2015-11-09 16:56:08 +00:00 · effa54ec4c · 2021-03-31 03:12:20 +00:00
commit effa54ec4c
parent 5d1d758120
3 changed files with 95 additions and 1 deletions
--- a/security/strongswan/Makefile
+++ b/security/strongswan/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	strongswan
 PORTVERSION=	5.3.3
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	http://download.strongswan.org/ \
 		http://download2.strongswan.org/
--- a/security/strongswan/files/patch-backport-04f22cdabc.diff
+++ b/security/strongswan/files/patch-backport-04f22cdabc.diff
@ -0,0 +1,67 @@
+From 04f22cdabc1c97d38692f95392429839f0fa90d1 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 9 Nov 2015 11:39:54 +0100
+Subject: [PATCH] vici: Add NAT information when listing IKE_SAs
+
+The `nat-local` and `nat-remote` keys contain information on the NAT
+status of the local and remote IKE endpoints, respectively.  If a
+responder did not detect a NAT but is configured to fake a NAT situation
+this is indicated by `nat-fake` (if an initiator fakes a NAT situation
+`nat-local` is set).  If any NAT is detected or faked `nat-any` is set.
+
+Closes strongswan/strongswan#16.
+---
+ src/libcharon/plugins/vici/README.md    |  4 ++++
+ src/libcharon/plugins/vici/vici_query.c | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
+index e20e8ab..51a17e2 100644
+--- src/libcharon/plugins/vici/README.md
+++ src/libcharon/plugins/vici/README.md
+@@ -587,6 +587,10 @@ command.
+ 			initiator = <yes, if initiator of IKE_SA>
+ 			initiator-spi = <hex encoded initiator SPI / cookie>
+ 			responder-spi = <hex encoded responder SPI / cookie>
+			nat-local = <yes, if local endpoint is behind a NAT>
+			nat-remote = <yes, if remote endpoint is behind a NAT>
+			nat-fake = <yes, if NAT situation has been faked as responder>
+			nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
+ 			encr-alg = <IKE encryption algorithm string>
+ 			encr-keysize = <key size for encr-alg, if applicable>
+ 			integ-alg = <IKE integrity algorithm string>
+diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
+index 98d264f..265a17e 100644
+--- src/libcharon/plugins/vici/vici_query.c
+++ src/libcharon/plugins/vici/vici_query.c
+@@ -222,6 +222,18 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b,
+ }
+ 
+ /**
+ * Add an IKE_SA condition to the given builder
+ */
+static void add_condition(vici_builder_t *b, ike_sa_t *ike_sa,
+						  char *key, ike_condition_t cond)
+{
+	if (ike_sa->has_condition(ike_sa, cond))
+	{
+		b->add_kv(b, key, "yes");
+	}
+}
+
+/**
+  * List details of an IKE_SA
+  */
+ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -265,6 +277,11 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id));
+ 	b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id));
+ 
+	add_condition(b, ike_sa, "nat-local", COND_NAT_HERE);
+	add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE);
+	add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
+	add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
+
+ 	proposal = ike_sa->get_proposal(ike_sa);
+ 	if (proposal)
+ 	{
--- a/security/strongswan/files/patch-backport-dff2d05bb9.diff
+++ b/security/strongswan/files/patch-backport-dff2d05bb9.diff
@ -0,0 +1,27 @@
+From dff2d05bb9bec684b3b2efdafc9a47219550bbe1 Mon Sep 17 00:00:00 2001
+From: Renato Botelho <garga@FreeBSD.org>
+Date: Fri, 6 Nov 2015 17:07:38 -0200
+Subject: [PATCH] kernel-pfkey: Enable ENCR_AES_CTR when it's available
+
+Obtained-from:	pfSense
+Sponsored-by:	Rubicon Communications (Netgate)
+Closes strongswan/strongswan#17.
+---
+ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+index 5027e17..0df6fb5 100644
+--- src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+@@ -843,7 +843,9 @@ static kernel_algorithm_t encryption_algs[] = {
+ /*	{ENCR_DES_IV32,				0							}, */
+ 	{ENCR_NULL,					SADB_EALG_NULL				},
+ 	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
+-/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
+#ifdef SADB_X_EALG_AESCTR
+	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			},
+#endif
+ /*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
+ /*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
+ /*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */