authorYves-Alexis Perez <corsac@debian.org>2013-10-17 21:23:38 +0200
committerYves-Alexis Perez <corsac@debian.org>2013-10-17 21:23:38 +0200
commit9d37ad77ef660b92ea51b69d74e14f931d2a04e2 (patch)
treed6bbb4a5fed1959f8675df9ee7c03713b543fcc9 /debian/patches
parent104f57d4b0fb6d7547d6898352eaa5fb4b222010 (diff)
parente5ee4e7fcdd58b7d86bf1b458da2c63e8e19627b (diff)
Merge tag 'v5.1.0-1' into sid
tag strongSwan 5.1.0-1
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/01_fix-manpages.patch28
-rw-r--r--debian/patches/02_add-LICENSE.patch52
-rw-r--r--debian/patches/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch28
-rw-r--r--debian/patches/04-Fixed-IPv6-source-address-lookup.patch106
-rw-r--r--debian/patches/series4
5 files changed, 10 insertions, 208 deletions
diff --git a/debian/patches/01_fix-manpages.patch b/debian/patches/01_fix-manpages.patch
index c3b689bd9..656882939 100644
--- a/debian/patches/01_fix-manpages.patch
+++ b/debian/patches/01_fix-manpages.patch
@@ -1,7 +1,5 @@
-Index: strongswan/src/_updown/_updown.8
-===================================================================
---- strongswan.orig/src/_updown/_updown.8 2012-06-28 20:48:14.337158901 +0200
-+++ strongswan/src/_updown/_updown.8 2012-06-29 11:25:55.897696373 +0200
+--- a/src/_updown/_updown.8
++++ b/src/_updown/_updown.8
@@ -1,6 +1,6 @@
.TH _UPDOWN 8 "27 Apr 2006"
.SH NAME
@@ -10,10 +8,8 @@ Index: strongswan/src/_updown/_updown.8
.SH SYNOPSIS
.I _updown
is invoked by pluto when it has brought up a new connection. This script
-Index: strongswan/src/_updown_espmark/_updown_espmark.8
-===================================================================
---- strongswan.orig/src/_updown_espmark/_updown_espmark.8 2012-06-28 20:48:14.337158901 +0200
-+++ strongswan/src/_updown_espmark/_updown_espmark.8 2012-06-29 11:26:18.517907016 +0200
+--- a/src/_updown_espmark/_updown_espmark.8
++++ b/src/_updown_espmark/_updown_espmark.8
@@ -1,6 +1,6 @@
.TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
.SH NAME
@@ -22,10 +18,8 @@ Index: strongswan/src/_updown_espmark/_updown_espmark.8
.SH SYNOPSIS
.I _updown_espmark
is invoked by pluto when it has brought up a new connection. This script
-Index: strongswan/src/openac/openac.8
-===================================================================
---- strongswan.orig/src/openac/openac.8 2012-06-28 20:48:14.473160290 +0200
-+++ strongswan/src/openac/openac.8 2012-06-29 11:26:38.854096394 +0200
+--- a/src/openac/openac.8
++++ b/src/openac/openac.8
@@ -1,6 +1,6 @@
.TH IPSEC_OPENAC 8 "22 September 2007"
.SH NAME
@@ -34,13 +28,11 @@ Index: strongswan/src/openac/openac.8
.SH SYNOPSIS
.B ipsec
.B openac
-Index: strongswan/src/scepclient/scepclient.8
-===================================================================
---- strongswan.orig/src/scepclient/scepclient.8 2012-06-28 20:48:14.497160535 +0200
-+++ strongswan/src/scepclient/scepclient.8 2012-06-29 11:27:01.934311341 +0200
+--- a/src/scepclient/scepclient.8
++++ b/src/scepclient/scepclient.8
@@ -1,7 +1,7 @@
- .\"
- .TH "IPSEC_SCEPCLIENT" "8" "29 September 2005" "Jan Hutter, Martin Willi" ""
+ .\"
+ .TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" ""
.SH "NAME"
-ipsec scepclient \- Client for the SCEP protocol
+ipsec_scepclient \- Client for the SCEP protocol
diff --git a/debian/patches/02_add-LICENSE.patch b/debian/patches/02_add-LICENSE.patch
deleted file mode 100644
index 60e2536c2..000000000
--- a/debian/patches/02_add-LICENSE.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Index: strongswan/LICENSE
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ strongswan/LICENSE 2012-06-29 15:32:05.809212661 +0200
-@@ -0,0 +1,47 @@
-+Except for code in the blowfish, des, md4 and md5 plugins (see below) the
-+following terms apply:
-+
-+For copyright information see the headers of individual source files.
-+
-+This program is free software; you can redistribute it and/or modify it under
-+the terms of the GNU General Public License as published by the Free Software
-+Foundation; either version 2 of the License, or (at your option) any later
-+version.
-+
-+This program is distributed in the hope that it will be useful, but WITHOUT ANY
-+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-+PARTICULAR PURPOSE. See the GNU General Public License for more details.
-+
-+You should have received a copy of the GNU General Public License along with
-+this program; if not, see <http://www.gnu.org/licenses>.
-+
-+Linking strongSwan statically or dynamically with other modules is making a
-+combined work based on strongSwan. Thus, the terms and conditions of the GNU
-+General Public License cover the whole combination.
-+
-+In addition, as a special exception, the copyright holders of strongSwan give
-+you permission to combine strongSwan with free software programs or libraries
-+that are released under the GNU LGPL and with code included in the standard
-+release of the OpenSSL project's OpenSSL library under the OpenSSL or SSLeay
-+licenses (or modified versions of such code, with unchanged license). You may
-+copy and distribute such a system following the terms of the GNU GPL for
-+strongSwan and the licenses of the other code concerned, provided that you
-+include the source code of that other code when and as the GNU GPL requires
-+distribution of source code.
-+
-+Note that people who make modified versions of strongSwan are not obligated to
-+grant this special exception for their modified versions; it is their choice
-+whether to do so. The GNU General Public License gives permission to release a
-+modified version without this exception; this exception also makes it possible
-+to release a modified version which carries forward this exception.
-+
-+
-+The DES implementation in the des plugin and the Blowfish implementation in the
-+blowfish plugin are under a BSD style license, see
-+src/libstrongswan/plugins/des and src/libstrongswan/plugins/blowfish.
-+Note that these parts have an advertising clause in it.
-+
-+The MD4 and MD5 implementations in the md4 and md5 plugins are from RSA Data
-+Security Inc., so this package must include the following phrase:
-+"derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm".
-+
diff --git a/debian/patches/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch b/debian/patches/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
deleted file mode 100644
index 68cf1c3bf..000000000
--- a/debian/patches/03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 49e918021b16f2be8650f3aa24c464a829758b26 Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@revosec.ch>
-Date: Mon, 25 Jun 2012 16:02:20 +0200
-Subject: [PATCH 2/2] Pass "lo" as faked tundev to NM, as it now needs a valid
- interface since 0.9
-
----
- src/libcharon/plugins/nm/nm_service.c | 7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/src/libcharon/plugins/nm/nm_service.c
-+++ b/src/libcharon/plugins/nm/nm_service.c
-@@ -89,11 +89,12 @@ static void signal_ipv4_config(NMVPNPlug
- me = ike_sa->get_my_host(ike_sa);
- handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
-
-- /* NM requires a tundev, but netkey does not use one. Passing an invalid
-- * iface makes NM complain, but it accepts it without fiddling on eth0. */
-+ /* NM requires a tundev, but netkey does not use one. Passing the physical
-+ * interface does not work, as NM fiddles around with it. Passing the
-+ * loopback seems to work, though... */
- val = g_slice_new0 (GValue);
- g_value_init (val, G_TYPE_STRING);
-- g_value_set_string (val, "none");
-+ g_value_set_string (val, "lo");
- g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
-
- val = g_slice_new0(GValue);
diff --git a/debian/patches/04-Fixed-IPv6-source-address-lookup.patch b/debian/patches/04-Fixed-IPv6-source-address-lookup.patch
deleted file mode 100644
index 91eac4094..000000000
--- a/debian/patches/04-Fixed-IPv6-source-address-lookup.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 7beb31aae4e231f95366dc2ef83888e197bc693c Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 18 Jun 2012 12:01:10 +0200
-Subject: [PATCH] Fixed IPv6 source address lookup
-
-Because Linux kernels prior to 3.0 do not support RTA_PREFSRC for
-IPv6 routes we didn't use NLM_F_DUMP to get all routes.
-Still routes installed with policies are installed also for IPv6.
-So since only one route is returned without DUMP, and we ignore
-all routes from our own routing table, no source address was found
-during roaming if DST of the installed route included the IKE peer.
-
-With newer kernels we can now use DUMP as we did for IPv4 already,
-for older kernels we do so if our own routes are installed in a
-separate routing table, otherwise we still use GET.
----
- .../plugins/kernel_netlink/kernel_netlink_net.c | 48 ++++++++++++++++++--
- 1 file changed, 43 insertions(+), 5 deletions(-)
-
-Index: strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
-===================================================================
---- strongswan.orig/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c 2012-06-28 21:16:07.000000000 +0200
-+++ strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c 2012-07-02 17:10:51.224474221 +0200
-@@ -38,6 +38,7 @@
- */
-
- #include <sys/socket.h>
-+#include <sys/utsname.h>
- #include <linux/netlink.h>
- #include <linux/rtnetlink.h>
- #include <unistd.h>
-@@ -183,6 +184,11 @@
- bool install_virtual_ip;
-
- /**
-+ * whether preferred source addresses can be specified for IPv6 routes
-+ */
-+ bool rta_prefsrc_for_ipv6;
-+
-+ /**
- * list with routing tables to be excluded from route lookup
- */
- linked_list_t *rt_exclude;
-@@ -869,11 +875,11 @@
-
- hdr = (struct nlmsghdr*)request;
- hdr->nlmsg_flags = NLM_F_REQUEST;
-- if (dest->get_family(dest) == AF_INET)
-- {
-- /* We dump all addresses for IPv4, as we want to ignore IPsec specific
-- * routes installed by us. But the kernel does not return source
-- * addresses in a IPv6 dump, so fall back to get() for v6 routes. */
-+ if (dest->get_family(dest) == AF_INET || this->rta_prefsrc_for_ipv6 ||
-+ this->routing_table)
-+ { /* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
-+ * as we want to ignore routes with virtual IPs we cannot use DUMP
-+ * if these routes are not installed in a separate table */
- hdr->nlmsg_flags |= NLM_F_ROOT | NLM_F_DUMP;
- }
- hdr->nlmsg_type = RTM_GETROUTE;
-@@ -1443,6 +1449,36 @@
- return this->socket->send_ack(this->socket, hdr);
- }
-
-+/**
-+ * check for kernel features (currently only via version number)
-+ */
-+static void check_kernel_features(private_kernel_netlink_net_t *this)
-+{
-+ struct utsname utsname;
-+ int a, b, c;
-+
-+ if (uname(&utsname) == 0)
-+ {
-+ switch(sscanf(utsname.release, "%d.%d.%d", &a, &b, &c))
-+ {
-+ case 3:
-+ if (a == 2)
-+ {
-+ DBG2(DBG_KNL, "detected Linux %d.%d.%d, no support for "
-+ "RTA_PREFSRC for IPv6 routes", a, b, c);
-+ break;
-+ }
-+ /* fall-through */
-+ case 2:
-+ /* only 3.x+ uses two part version numbers */
-+ this->rta_prefsrc_for_ipv6 = TRUE;
-+ break;
-+ default:
-+ break;
-+ }
-+ }
-+}
-+
- METHOD(kernel_net_t, destroy, void,
- private_kernel_netlink_net_t *this)
- {
-@@ -1509,6 +1545,8 @@
- );
- timerclear(&this->last_roam);
-
-+ check_kernel_features(this);
-+
- exclude = lib->settings->get_str(lib->settings,
- "%s.ignore_routing_tables", NULL, hydra->daemon);
- if (exclude)
diff --git a/debian/patches/series b/debian/patches/series
index 29c60134c..2cf256b6c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1 @@
01_fix-manpages.patch
-02_add-LICENSE.patch
-03_Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch
-04-Fixed-IPv6-source-address-lookup.patch
-0001-Check-return-value-of-ECDSA_Verify-correctly.patch
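Review bot: The last removed line of this `series` hunk stops applying `0001-Check-return-value-of-ECDSA_Verify-correctly.patch`, which by its name corrects how a signature-verification result is checked, and nothing on the page records why it is safe to drop. The merge presumably relies on the 5.1.0 upstream source already carrying that fix, but this is inferred from the commit title rather than shown, so it should be confirmed against the merged source tree before upload. The diffstat for debian/patches also lists no deletion of that patch file, unlike 02, 03 and 04, so a leftover copy may remain on this side of the merge and should be removed if so. I would record the reason in the packaging changelog, e.g. `Drop 0001-Check-return-value-of-ECDSA_Verify-correctly.patch: included upstream in <UPSTREAM_VERSION>`.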