Date:      Mon, 9 Nov 2015 16:56:08 +0000 (UTC)
From:      Renato Botelho <garga@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r401115 - in head/security/strongswan: . files
Message-ID:  <201511091656.tA9Gu8pP064466@repo.freebsd.org>

Author: garga
Date: Mon Nov  9 16:56:08 2015
New Revision: 401115
URL: https://svnweb.freebsd.org/changeset/ports/401115

Log:
  Backport two commits from master that will be present in 5.3.4:
  
  - dff2d05bb9 [1]: kernel-pfKey: Enable AES-CTR
  - 04f22cdabc [2]: VICI: add NAT information
  
  Bump PORTREVISION
  
  [1] https://github.com/strongswan/strongswan/commit/dff2d05bb9bec684b3b2efdafc9a47219550bbe1
  [2] https://github.com/strongswan/strongswan/commit/04f22cdabc1c97d38692f95392429839f0fa90d1
  
  PR:		204398
  Approved by:	maintainer
  Obtained from:	pfSense
  Sponsored by:	Rubicon Communications (Netgate)

Added:
  head/security/strongswan/files/patch-backport-04f22cdabc.diff   (contents, props changed)
  head/security/strongswan/files/patch-backport-dff2d05bb9.diff   (contents, props changed)
Modified:
  head/security/strongswan/Makefile

Modified: head/security/strongswan/Makefile
==============================================================================
--- head/security/strongswan/Makefile	Mon Nov  9 16:29:04 2015	(r401114)
+++ head/security/strongswan/Makefile	Mon Nov  9 16:56:08 2015	(r401115)
@@ -3,7 +3,7 @@
 
 PORTNAME=	strongswan
 PORTVERSION=	5.3.3
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	http://download.strongswan.org/ \
 		http://download2.strongswan.org/

Added: head/security/strongswan/files/patch-backport-04f22cdabc.diff
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/strongswan/files/patch-backport-04f22cdabc.diff	Mon Nov  9 16:56:08 2015	(r401115)
@@ -0,0 +1,67 @@
+From 04f22cdabc1c97d38692f95392429839f0fa90d1 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 9 Nov 2015 11:39:54 +0100
+Subject: [PATCH] vici: Add NAT information when listing IKE_SAs
+
+The `nat-local` and `nat-remote` keys contain information on the NAT
+status of the local and remote IKE endpoints, respectively.  If a
+responder did not detect a NAT but is configured to fake a NAT situation
+this is indicated by `nat-fake` (if an initiator fakes a NAT situation
+`nat-local` is set).  If any NAT is detected or faked `nat-any` is set.
+
+Closes strongswan/strongswan#16.
+---
+ src/libcharon/plugins/vici/README.md    |  4 ++++
+ src/libcharon/plugins/vici/vici_query.c | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
+index e20e8ab..51a17e2 100644
+--- src/libcharon/plugins/vici/README.md
++++ src/libcharon/plugins/vici/README.md
+@@ -587,6 +587,10 @@ command.
+ 			initiator = <yes, if initiator of IKE_SA>
+ 			initiator-spi = <hex encoded initiator SPI / cookie>
+ 			responder-spi = <hex encoded responder SPI / cookie>
++			nat-local = <yes, if local endpoint is behind a NAT>
++			nat-remote = <yes, if remote endpoint is behind a NAT>
++			nat-fake = <yes, if NAT situation has been faked as responder>
++			nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
+ 			encr-alg = <IKE encryption algorithm string>
+ 			encr-keysize = <key size for encr-alg, if applicable>
+ 			integ-alg = <IKE integrity algorithm string>
+diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
+index 98d264f..265a17e 100644
+--- src/libcharon/plugins/vici/vici_query.c
++++ src/libcharon/plugins/vici/vici_query.c
+@@ -222,6 +222,18 @@ static void list_task_queue(private_vici_query_t *this, vici_builder_t *b,
+ }
+ 
+ /**
++ * Add an IKE_SA condition to the given builder
++ */
++static void add_condition(vici_builder_t *b, ike_sa_t *ike_sa,
++						  char *key, ike_condition_t cond)
++{
++	if (ike_sa->has_condition(ike_sa, cond))
++	{
++		b->add_kv(b, key, "yes");
++	}
++}
++
++/**
+  * List details of an IKE_SA
+  */
+ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -265,6 +277,11 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	b->add_kv(b, "initiator-spi", "%.16"PRIx64, id->get_initiator_spi(id));
+ 	b->add_kv(b, "responder-spi", "%.16"PRIx64, id->get_responder_spi(id));
+ 
++	add_condition(b, ike_sa, "nat-local", COND_NAT_HERE);
++	add_condition(b, ike_sa, "nat-remote", COND_NAT_THERE);
++	add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
++	add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
++
+ 	proposal = ike_sa->get_proposal(ike_sa);
+ 	if (proposal)
+ 	{
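Review bot: The new `add_condition` helper and the four `nat-*` keys it emits are write-only when the condition holds, so a VICI consumer never sees `nat-local = no`; absence is the only signal for "not behind NAT", which matters for clients that diff successive `list-sas` results. The helper's comment should say so, e.g. `/* Emit key = "yes" if ike_sa has cond; the key is omitted entirely otherwise */`, and the README entries could read `nat-local = <yes, if local endpoint is behind a NAT (key absent otherwise)>`. The `key` parameter is only ever passed string literals by the visible callers and is used as a key, not as a format string, so there is no format-string hazard here; it could still be `const char *` if the surrounding vici code permits. `list_ike` starts and ends outside this hunk.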

Added: head/security/strongswan/files/patch-backport-dff2d05bb9.diff
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/strongswan/files/patch-backport-dff2d05bb9.diff	Mon Nov  9 16:56:08 2015	(r401115)
@@ -0,0 +1,27 @@
+From dff2d05bb9bec684b3b2efdafc9a47219550bbe1 Mon Sep 17 00:00:00 2001
+From: Renato Botelho <garga@FreeBSD.org>
+Date: Fri, 6 Nov 2015 17:07:38 -0200
+Subject: [PATCH] kernel-pfkey: Enable ENCR_AES_CTR when it's available
+
+Obtained-from:	pfSense
+Sponsored-by:	Rubicon Communications (Netgate)
+Closes strongswan/strongswan#17.
+---
+ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+index 5027e17..0df6fb5 100644
+--- src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
++++ src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+@@ -843,7 +843,9 @@ static kernel_algorithm_t encryption_algs[] = {
+ /*	{ENCR_DES_IV32,				0							}, */
+ 	{ENCR_NULL,					SADB_EALG_NULL				},
+ 	{ENCR_AES_CBC,				SADB_X_EALG_AESCBC			},
+-/*	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			}, */
++#ifdef SADB_X_EALG_AESCTR
++	{ENCR_AES_CTR,				SADB_X_EALG_AESCTR			},
++#endif
+ /*  {ENCR_AES_CCM_ICV8,			SADB_X_EALG_AES_CCM_ICV8	}, */
+ /*	{ENCR_AES_CCM_ICV12,		SADB_X_EALG_AES_CCM_ICV12	}, */
+ /*	{ENCR_AES_CCM_ICV16,		SADB_X_EALG_AES_CCM_ICV16	}, */
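Review bot: Enabling the `ENCR_AES_CTR` → `SADB_X_EALG_AESCTR` mapping adds no check on the key material handed to the kernel, and AES-CTR for ESP (RFC 3686) expects the AES key followed by a 32-bit nonce, i.e. 160/224/288-bit `SADB_EXT_KEY_ENCRYPT` lengths rather than 128/192/256. Presumably the IKEv2 keymat derivation already appends that nonce for CTR, but it is worth confirming on the pfkey path before shipping, since a wrong length would either be rejected by the kernel or yield a keystream that differs from the peer's. A one-line comment on the new entry would help the next reader: `/* key material includes the 32-bit nonce (RFC 3686) */`. The `encryption_algs` array starts and ends outside this hunk.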


