Remove patches included upstream

* debian/patches:
  - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
  - CVE-2015-4171_enforce_remote_auth dropped as well.

4 files changed, 3 insertions, 195 deletions

diff --git a/debian/changelog b/debian/changelog
index 959138ed7..6788815d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 strongswan (5.3.2-1) UNRELEASED; urgency=medium
 
   * New upstream release.
+  * debian/patches:
+    - 05_ivgen-allow-reusing-same-message-id-twice dropped, included upstream.
+    - CVE-2015-4171_enforce_remote_auth dropped as well.
 
  -- Yves-Alexis Perez <corsac@debian.org>  Mon, 08 Jun 2015 15:55:45 +0200
 
diff --git a/debian/patches/05_ivgen-allow-reusing-same-message-id-twice.patch b/debian/patches/05_ivgen-allow-reusing-same-message-id-twice.patch
deleted file mode 100644
index a61ba7aff..000000000
--- a/debian/patches/05_ivgen-allow-reusing-same-message-id-twice.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 63e5db4154c8f69be592c4b9fdc8947777f8ab02 Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@revosec.ch>
-Date: Tue, 2 Jun 2015 14:08:42 +0200
-Subject: [PATCH] ivgen: Allow reusing the same message ID twice in sequential
- IV gen
-
-We use the message ID and fragment number as IV generator. As IKEv2 uses
-distinct message ID counters for actively and passively initiated exchanges,
-each IV would be used twice. As we explicitly reject such message IDs since
-d0ed1079, original-responder initiated exchanges fail with counter mode ciphers.
-
-This commit separates IV space in two halves for sequential IVs, and
-automatically assigns once reused sequence numbers to the second half.
-
- #980.
----
- src/libstrongswan/crypto/iv/iv_gen_seq.c |   32 +++++++++++++++++++++++-------
- 1 file changed, 25 insertions(+), 7 deletions(-)
-
-diff --git a/src/libstrongswan/crypto/iv/iv_gen_seq.c b/src/libstrongswan/crypto/iv/iv_gen_seq.c
-index 4de1374..9f99c51 100644
---- a/src/libstrongswan/crypto/iv/iv_gen_seq.c
-+++ b/src/libstrongswan/crypto/iv/iv_gen_seq.c
-@@ -19,6 +19,7 @@
-  * Magic value for the initial IV state
-  */
- #define SEQ_IV_INIT_STATE (~(u_int64_t)0)
-+#define SEQ_IV_HIGH_MASK (1ULL << 63)
- 
- typedef struct private_iv_gen_t private_iv_gen_t;
- 
-@@ -33,9 +34,14 @@ struct private_iv_gen_t {
- 	iv_gen_t public;
- 
- 	/**
--	 * Previously passed sequence number to enforce uniqueness
-+	 * Previously passed sequence number in lower space to enforce uniqueness
- 	 */
--	u_int64_t prev;
-+	u_int64_t prevl;
-+
-+	/**
-+	 * Previously passed sequence number in upper space to enforce uniqueness
-+	 */
-+	u_int64_t prevh;
- 
- 	/**
- 	 * Salt to mask counter
-@@ -57,15 +63,26 @@ METHOD(iv_gen_t, get_iv, bool,
- 	{
- 		return FALSE;
- 	}
--	if (this->prev != SEQ_IV_INIT_STATE && seq <= this->prev)
-+	if (this->prevl != SEQ_IV_INIT_STATE && seq <= this->prevl)
- 	{
--		return FALSE;
-+		seq |= SEQ_IV_HIGH_MASK;
-+		if (this->prevh != SEQ_IV_INIT_STATE && seq <= this->prevh)
-+		{
-+			return FALSE;
-+		}
- 	}
--	if (seq == SEQ_IV_INIT_STATE)
-+	if ((seq | SEQ_IV_HIGH_MASK) == SEQ_IV_INIT_STATE)
- 	{
- 		return FALSE;
- 	}
--	this->prev = seq;
-+	if (seq & SEQ_IV_HIGH_MASK)
-+	{
-+		this->prevh = seq;
-+	}
-+	else
-+	{
-+		this->prevl = seq;
-+	}
- 	if (len > sizeof(u_int64_t))
- 	{
- 		len = sizeof(u_int64_t);
-@@ -107,7 +124,8 @@ iv_gen_t *iv_gen_seq_create()
- 			.allocate_iv = _allocate_iv,
- 			.destroy = _destroy,
- 		},
--		.prev = SEQ_IV_INIT_STATE,
-+		.prevl = SEQ_IV_INIT_STATE,
-+		.prevh = SEQ_IV_INIT_STATE,
- 	);
- 
- 	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
--- 
-1.7.9.5
-
diff --git a/debian/patches/CVE-2015-4171_enforce_remote_auth.patch b/debian/patches/CVE-2015-4171_enforce_remote_auth.patch
deleted file mode 100644
index 506a55f6f..000000000
--- a/debian/patches/CVE-2015-4171_enforce_remote_auth.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From ca1a65cc6aef2e037b529574783b7c571d1d82a9 Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@strongswan.org>
-Date: Wed, 3 Jun 2015 10:52:34 +0200
-Subject: [PATCH] ikev2: Enforce remote authentication config before proceeding
- with own authentication
-
-Previously the constraints in the authentication configuration of an
-initiator were enforced only after all authentication rounds were
-complete.  This posed a problem if an initiator used EAP or PSK
-authentication while the responder was authenticated with a certificate
-and if a rogue server was able to authenticate itself with a valid
-certificate issued by any CA the initiator trusted.
-
-Because any constraints for the responder's identity (rightid) or other
-aspects of the authentication (e.g. rightca) the initiator had were not
-enforced until the initiator itself finished its authentication such a rogue
-responder was able to acquire usernames and password hashes from the client.
-And if a client supported EAP-GTC it was even possible to trick it into
-sending plaintext passwords.
-
-This patch enforces the configured constraints right after the responder's
-authentication successfully finished for each round and before the initiator
-starts with its own authentication.
-
-Fixes CVE-2015-4171.
----
- src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 +++++++++++++++++++++++++++++++++
- 1 file changed, 44 insertions(+)
-
-diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
-index bf747a49edde..2554496c1916 100644
---- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
-+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
-@@ -112,6 +112,11 @@ struct private_ike_auth_t {
- 	 * received an INITIAL_CONTACT?
- 	 */
- 	bool initial_contact;
-+
-+	/**
-+	 * Is EAP acceptable, did we strictly authenticate peer?
-+	 */
-+	bool eap_acceptable;
- };
- 
- /**
-@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this,
- 	message->destroy(message);
- }
- 
-+/**
-+ * Check if strict constraint fullfillment required to continue current auth
-+ */
-+static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
-+{
-+	auth_cfg_t *cfg;
-+
-+	if (this->eap_acceptable)
-+	{
-+		return FALSE;
-+	}
-+
-+	cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-+	switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
-+	{
-+		case AUTH_CLASS_EAP:
-+			if (mutual_eap && this->my_auth)
-+			{
-+				this->eap_acceptable = TRUE;
-+				return !this->my_auth->is_mutual(this->my_auth);
-+			}
-+			return TRUE;
-+		case AUTH_CLASS_PSK:
-+			return TRUE;
-+		case AUTH_CLASS_PUBKEY:
-+		case AUTH_CLASS_ANY:
-+		default:
-+			return FALSE;
-+	}
-+}
-+
- METHOD(task_t, process_i, status_t,
- 	private_ike_auth_t *this, message_t *message)
- {
-@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t,
- 		}
- 	}
- 
-+	if (require_strict(this, mutual_eap))
-+	{
-+		if (!update_cfg_candidates(this, TRUE))
-+		{
-+			goto peer_auth_failed;
-+		}
-+	}
-+
- 	if (this->my_auth)
- 	{
- 		switch (this->my_auth->process(this->my_auth, message))
--- 
-1.9.1
-
diff --git a/debian/patches/series b/debian/patches/series
index c2bce201f..6d7cc1dfa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,3 @@
 01_fix-manpages.patch
 03_systemd-service.patch
 04_disable-libtls-tests.patch
-05_ivgen-allow-reusing-same-message-id-twice.patch
-CVE-2015-4171_enforce_remote_auth.patch