diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile index 5aedf5c0dba7..d05e9f8f80cb 100644 --- a/security/strongswan/Makefile +++ b/security/strongswan/Makefile @@ -3,7 +3,7 @@ PORTNAME= strongswan PORTVERSION= 5.3.3 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= http://download.strongswan.org/ \ http://download2.strongswan.org/ diff --git a/security/strongswan/files/patch-backport-04f22cdabc.diff b/security/strongswan/files/patch-backport-04f22cdabc.diff new file mode 100644 index 000000000000..a68cbe7bd2e6 --- /dev/null +++ b/security/strongswan/files/patch-backport-04f22cdabc.diff 
@@ -0,0 +1,67 @@ +From 04f22cdabc1c97d38692f95392429839f0fa90d1 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Mon, 9 Nov 2015 11:39:54 +0100 +Subject: [PATCH] vici: Add NAT information when listing IKE_SAs + +The `nat-local` and `nat-remote` keys contain information on the NAT +status of the local and remote IKE endpoints, respectively. If a +responder did not detect a NAT but is configured to fake a NAT situation +this is indicated by `nat-fake` (if an initiator fakes a NAT situation +`nat-local` is set). If any NAT is detected or faked `nat-any` is set. + +Closes strongswan/strongswan#16. +--- + src/libcharon/plugins/vici/README.md | 4 ++++ + src/libcharon/plugins/vici/vici_query.c | 17 +++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md +index e20e8ab..51a17e2 100644 +--- src/libcharon/plugins/vici/README.md ++++ src/libcharon/plugins/vici/README.md +@@ -587,6 +587,10 @@ command. + initiator = + initiator-spi = + responder-spi = ++ nat-local = ++ nat-remote = ++ nat-fake = ++ nat-any = + encr-alg = + encr-keysize = + integ-alg = +diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c +index 98d264f..265a17e 100644 +--- src/libcharon/plugins/vici/vici_query.c ++++ src/libcharon/plugins/vici/vici_query.c +@@ -222,6 +222,18 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b, + } + + /** ++ * Add an IKE_SA condition to the given builder ++ */ ++static void add_condition(vici_builder_t *b, ike_sa_t *ike_sa, ++ char *key, ike_condition_t cond) ++{ ++ if (ike_sa->has_condition(ike_sa, cond)) ++ { ++ b->add_kv(b, key, "yes"); ++ } ++} ++ ++/** + * List details of an IKE_SA + */ + static void list_ike(private_vici_query_t *this, vici_builder_t *b, +@@ -265,6 +277,11 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, + b->add_kv(b, "initiator-spi", "%.16"PRIx64, 
id->get_initiator_spi(id)); + b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id)); + ++ add_condition(b, ike_sa, "nat-local", COND_NAT_HERE); ++ add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE); ++ add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE); ++ add_condition(b, ike_sa, "nat-any", COND_NAT_ANY); ++ + proposal = ike_sa->get_proposal(ike_sa); + if (proposal) + { diff --git a/security/strongswan/files/patch-backport-dff2d05bb9.diff b/security/strongswan/files/patch-backport-dff2d05bb9.diff new file mode 100644 index 000000000000..c9a0de226a5f --- /dev/null +++ b/security/strongswan/files/patch-backport-dff2d05bb9.diff @@ -0,0 +1,27 @@ +From dff2d05bb9bec684b3b2efdafc9a47219550bbe1 Mon Sep 17 00:00:00 2001 +From: Renato Botelho +Date: Fri, 6 Nov 2015 17:07:38 -0200 +Subject: [PATCH] kernel-pfkey: Enable ENCR_AES_CTR when it's available + +Obtained-from: pfSense +Sponsored-by: Rubicon Communications (Netgate) +Closes strongswan/strongswan#17. +--- + src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +index 5027e17..0df6fb5 100644 +--- src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c ++++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +@@ -843,7 +843,9 @@ static kernel_algorithm_t encryption_algs[] = { + /* {ENCR_DES_IV32, 0 }, */ + {ENCR_NULL, SADB_EALG_NULL }, + {ENCR_AES_CBC, SADB_X_EALG_AESCBC }, +-/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */ ++#ifdef SADB_X_EALG_AESCTR ++ {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, ++#endif + /* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */ + /* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */ + /* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
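Review bot: The doc comment on the new `add_condition()` in the nested vici_query.c hunk says only "Add an IKE_SA condition to the given builder", but the body emits `key = yes` solely when `has_condition()` is true and adds nothing otherwise, so a vici client has no documented way to tell whether an absent `nat-local`/`nat-remote`/`nat-fake`/`nat-any` key means "no" or "not reported". I would extend the comment to `* Add an IKE_SA condition as "<key> = yes" to the given builder; nothing is added when the condition is not set, so clients must treat a missing key as "no".`, and, if the README.md hunk does not already carry the values (the angle-bracketed descriptions may have been stripped in this view), add a matching `<yes, if ...>` description to each of the four new keys there. The `list_ike()` function that receives the four `add_condition()` calls starts and ends outside the hunk.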
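Review bot: The new `#ifdef SADB_X_EALG_AESCTR` block in the kernel_pfkey_ipsec.c hunk records nothing about why `ENCR_AES_CTR` had been commented out, so the next reader cannot tell whether the neighbouring commented-out AES-CCM entries are disabled for the same reason or for a different one. Presumably the entry was off because not every PF_KEY kernel defines the constant or expects the same key layout for CTR mode; a short comment such as `/* only where the kernel defines it; key material must match the kernel's AES-CTR (key + nonce) layout -- confirmed for the target kernel? */` would capture that, with the nonce detail verified against the kernel this port is built for rather than assumed. Since the table now varies with the build host's headers, which algorithm a package user ends up with depends on the headers present at build time, which is worth stating in the port's commit message or description.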